nitrokey-storage-firmware
Distribute via “Linux Vendor Firmware Service” (LVFS)
As I elaborated in this forum thread it would be great to have this distributed with LVFS, which enables Linux users across many distros to do firmware updates of your device in their system's graphical tool rather than on the command line.
See: https://fwupd.org/vendors
AFAIK they also offer a way to show a message before the upgrade, where you can hint users to set the Nitrokey into "update mode" first. So I see no technical reasons preventing easy firmware upgrades on Linux via this great service! :smiley:
/cc @hughsie
Confirmed. Current firmware on fwupd is v0.50, while the latest is v0.53.
It's also marked as testing, while the description says it is stable. See also my forum thread.
@szszszsz BTW, why did you add the "invalid" label?
Last time I remember it was meant to be stable, I wonder why it stayed testing. Will check.
Invalid label is to mark issues which are not actions from the source code POV (e.g. not bugs, features, compatibility changes etc). This is a custom which is used in reporting tools. It sounds a bit negative though; perhaps task label would be sufficient to show that instead. Will add description to this label nevertheless.
@szszszsz let me know as soon as you updated the files and settings upstream. I can test the procedure if you like.
While you are at it, also look at those "security" labels on LVFS. As I've explained in my forum post, they are kinda wrong.
Registered this issue on the fwupd main site.
Main issue with the fwupd-based updating is fixed! Two tasks left:
- to test updates from the older firmwares to current (I have tested v0.53->v0.53);
- to fix the firmware version reading plugin, which shows 0.0 at the moment, and might confuse users. It will be shipped with the next release of the fwupd, so it must be done before that. Edit: registered as https://github.com/hughsie/fwupd/issues/960.
I have asked as well about the security labels. Waiting for response.
Also about the "verify upgrade" batch, that would also be a useful feature, I guess. ☺
Right. We have talked about that, and automatic verification should be feasible to do.
Regarding the fwupd-based update, plugin for it is fixed now (https://github.com/hughsie/fwupd/pull/961). Waiting until its next release (should be next month, first half).
Release should be on the 1st. You can depend on fwupd 1.2.4 in the interim if that helps.
Hi, I find this issue very worth supporting, thank you for working on it!
However, I have a practical question: What does it look like if I have a Nitrokey storage and want to update it using fwupd?
- My Nitrokey is never permanently plugged in and therefore part of my system. How does my system recognize that an update is available? For example, if my Software Center was already looking for updates, but my Nitrokey was not mounted at that moment.
- I also wonder if the update means that all information and keys on the Nitrokey will be overwritten by the update.
- Can I use fwupd to scrape my Nitrokey with an update? Is there a risk?
Also there is already v0.54 released, but fwupd/LVFS is still at v0.5.3. So can you please also update it on LVFS?
When I look at https://fwupd.org/lvfs/device/com.nitrokey.storage.firmware, two questions also arise for me:
- Is it possible that the Nitrokey updates are automatically imported from the GitHub repository into LVFS so that the packages are always up to date?
- The overview shows that the Nitrokey package does not meet two security requirements: a) Update is not cryptographically signed; b) Firmware cannot be verified after flashing. Would it make sense and be possible for you to fulfill them?
- Yes, this has been discussed in the forum already. At least the automatic test (b) should be possible, as it has been confirmed before.
If it helps, the LVFS has an account type for automated "robot" uploads. It's how a few of the big OEMs manage all the uploads to the LVFS.
@hughsie Could you please share a link where the setup of such a feature is documented?
It's not documented, it's the kind of thing I help the vendor with as required. Obviously there are a few authentication-type things to set up.
Thank you, it would be wonderful if you could support the developers of Nitrokey! What do you say, @szszszsz?
…also would possibly be a good idea to "standardize" it (?) and document it… (undocumented features are usually not good)