<h1>I am Tomu!</h1>
<p>Louis-Philippe Véronneau, 2018-08-08 (https://veronneau.org/)</p>
<p>While I was away for DebConf18, I received the <a href="http://tomu.im/">Tomu boards</a> I ordered on
Crowd Supply a while ago while the project was still going through crowdfunding.</p>
<p><img src="/media/blog/2018-08-08/tomu.jpg" title="A Tomu board next to a US cent for size comparison" alt="A Tomu board next to a US cent for size comparison" height="30%" width="30%" style="float:left"></p>
<p>For those of you who don't know what the Tomu is, it's a tiny ARM microprocessor
board which fits in your USB port. There is a bunch of neat stuff you can do
with it, but I use it as a <a href="https://en.wikipedia.org/wiki/Universal_2nd_Factor">U2F token</a>.</p>
<p>The design is less sleek than a <a href="https://www.yubico.com/product/yubikey-4-series/#yubikey-4-nano">YubiKey nano</a> and it can't be used as
a GPG smartcard (<a href="https://github.com/im-tomu/tomu-samples/issues/4">yet!</a>), but it runs free software on open hardware
and everything can be built using a free software toolchain.</p>
<p>It also cost me a fraction of the price of a Yubico device (14 CAD with shipping
vs 70+ CAD for the YubiKey nano) so I could literally keep 1 for me and give
away 4 Tomus to my friends and family for the price of a YubiKey nano.</p>
<p>But yeah, the deal breaker really is the openness of the device. I don't see how
I could trust a proprietary device that <a href="https://www.yubico.com/keycheck">tells me it's very secure</a> when I
can't see what it's doing with my U2F private key...</p>
<h2>Flashing the board</h2>
<p>The Tomu can be used as a U2F token by flashing <a href="https://github.com/im-tomu/chopstx/tree/efm32/u2f">chopstx</a> on it, the
same software used in the <a href="https://www.fsij.org/category/gnuk.html">gnuk project</a> led by the awesome Niibe-san.</p>
<p>Although I had a gnuk token a while ago, I ended up giving it away since I found
the flashing process painful and I didn't really have a use case for a GPG
smartcard at the time.</p>
<p><img src="/media/blog/2018-08-08/toboot.gif" title="A Tomu board in the bootloader" alt="The Tomu board in the bootloader" height="30%" width="30%" style="float:right"></p>
<p>On the contrary, flashing the Tomu was a walk in the park. The Tomu's bootloader
supports <code>dfu-util</code> so it was only a matter of installing it on my computer,
building the software and pushing it to the board.</p>
<p>I did encounter a few small problems during the process, but I sent
<a href="https://github.com/im-tomu/chopstx/pull/6">a series</a> <a href="https://github.com/im-tomu/im-tomu.github.io/pull/13">of patches</a> <a href="https://github.com/Yubico/libu2f-host/pull/104">upstream</a> to try to fix that
and make the whole experience smoother.</p>
<p>Here are a few things you should look out for while flashing a Tomu to be used
as a U2F token.</p>
<ul>
<li>Make sure you are running the latest version of the bootloader. You can find
it <a href="https://github.com/im-tomu/tomu-bootloader#installing-or-upgrading-toboot">here</a>.</li>
<li>Your U2F private key will be erased if you update the firmware. Be sure to
<a href="https://github.com/im-tomu/chopstx/tree/efm32/u2f#injecting-private-key">generate it on your host computer</a> and keep an encrypted copy of it
somewhere.</li>
<li>For now, the readout protection is not enabled by default. Be sure to use
<code>make ENFORCE_DEBUG_LOCK=1</code> when building the <code>chopstx</code> binary.</li>
<li>Firefox doesn't support U2F out of the box on Debian. You have to enable a
few options in <code>about:config</code> and use a plugin for it to work properly.</li>
<li>You need to <a href="https://github.com/im-tomu/chopstx/tree/efm32/u2f#update-udev-rules">add a new udev rule</a> for the Tomu to be seen as a U2F
device by your system.</li>
</ul>
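<p>For the private key point in the list above, here is one way to generate a P-256 key on the host and keep a verified, passphrase-encrypted copy with <code>openssl</code>. This is an added example, not code from chopstx or the Tomu project: the function names, file names and the <code>U2F_BACKUP_PASS</code> variable are assumptions, and the linked chopstx instructions remain the reference for the format the injection step expects.</p>

```shell
#!/bin/sh
# Added example: generate a U2F-style P-256 key on the host and keep an
# encrypted copy of it. Function names, file names and U2F_BACKUP_PASS are
# assumptions made for this example, not names used by chopstx.

# Create a P-256 (prime256v1) private key, readable only by its owner.
gen_u2f_key() {
    ( umask 077 && openssl ecparam -name prime256v1 -genkey -noout -out "$1" )
}

# Write a passphrase-encrypted PKCS#8 copy (PBES2 with AES-256-CBC).
# The passphrase comes from the environment so it never shows up in argv.
backup_u2f_key() {
    ( umask 077 && openssl pkcs8 -topk8 -v2 aes-256-cbc \
        -in "$1" -out "$2" -passout env:U2F_BACKUP_PASS )
}

# Succeed only if the backup decrypts with the current passphrase and
# contains the same key pair as the plaintext key (public keys compared).
verify_u2f_backup() {
    want=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    got=$(openssl pkey -in "$2" -passin env:U2F_BACKUP_PASS -pubout 2>/dev/null) || return 1
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Usage: U2F_BACKUP_PASS=... sh u2f-backup.sh key.pem key.backup.pem
if [ "$#" -eq 2 ]; then
    gen_u2f_key "$1" \
        && backup_u2f_key "$1" "$2" \
        && verify_u2f_backup "$1" "$2" \
        && echo "backup verified: $2"
fi
```

<p>Verify the backup before flashing, and delete the plaintext key from the host once it has been injected and the encrypted copy is stored somewhere safe.</p>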