<h1>Solo V2: nice but flawed</h1>
<p>Louis-Philippe Véronneau, 2023-06-18</p>
<p><strong>EDIT:</strong> One of my 2 keys has died. There are what seem like golden bubbles
under the epoxy, over one of the chips, and those were not there before. I've
emailed SoloKeys and I'm waiting for a reply, but for now I've stopped using
the Solo V2 altogether :(</p>
<p>I recently received the two Solo V2 hardware tokens I ordered as part of their
crowdfunding campaign, back in March 2022. It did take them longer than
advertised to ship me the tokens, but that's hardly unexpected from such a
small-scale, crowdfunded undertaking.</p>
<p>I'm mostly happy about my purchase and I'm glad to get rid of the aging <a href="https://veronneau.org/i-am-tomu.html">Tomu
boards</a> I was using as U2F tokens<sup id="fnref:fido"><a class="footnote-ref" href="#fn:fido">1</a></sup>. Still, beware: I am not sure
it's a product I would recommend if what you want is simply something that
works. If you do not care about open-source hardware, the Solo V2 is not for
you.</p>
<h2>The Good</h2>
<p><img src="/media/blog/2023-06-18/side_by_side.jpg" width="70%" style="margin-left:15%" title="A side-by-side view of the Solo V2's top and back sides" alt="A side-by-side view of the Solo V2's top and back sides"></p>
<p>I first want to mention I find the Solo V2 gorgeous. I really like the black and
gold color scheme of the USB-A model (which is reversible!) and it seems like a
well built and solid device. I'm not afraid to have it on my keyring and I fully
expect it to last a long time.</p>
<p><img src="/media/blog/2023-06-18/solo2_shell.webp" width="70%" style="margin-left:15%" title="An animation of the build process, showing how the PCB is assembled and then slotted into the shell" alt="An animation of the build process, showing how the PCB is assembled and then slotted into the shell"></p>
<p>I'm also very impressed by the modular design: the PCB sits inside a shell,
which decouples the logic from the USB interface and lets them manufacture a
single board for both the USB-C and USB-A models. The clear epoxy layer on top
of the PCB module also looks very nice in my opinion.</p>
<p><img src="/media/blog/2023-06-18/capacitive.jpg" width="70%" style="margin-left:15%" title="A picture of the Solo V2 with its silicone case on my keyring, showing the 3 capacitive buttons" alt="A picture of the Solo V2 with its silicone case on my keyring, showing the 3 capacitive buttons"></p>
<p>I'm also very happy the Solo V2 has capacitive touch buttons instead of
physical "clicky" buttons, as it means the device has no moving parts. The
token has three buttons (the gold metal strips): one on each side of the device
and a third one near the keyhole.</p>
<p>As far as I've seen, the FIDO2 functions seem to work well via the USB
interface and do not require any configuration on a Debian 12 machine. I've
already migrated to the Solo V2 for web-based 2FA and I am in the process of
migrating to an SSH <code>ed25519-sk</code> key. <a href="https://blog.frehi.be/2022/08/04/using-the-solo-v2-fido2-security-key/">Here is a guide</a> I recommend if
you plan on setting those up with a Solo V2.</p>
<h2>The Bad and the Ugly</h2>
<p>Sadly, the Solo V2 is far from being a perfect project. First of all, since the
crowdfunding campaign is still being fulfilled, it is not currently
commercially available. Chances are you won't be able to buy one directly
before at least Q4 2023.</p>
<p>I've also hit what seems to be a pretty big firmware bug, or at least, one that
affects my use case quite a bit. Invoking <code>gpg</code> crashes the Solo V2 completely
if you also have <code>scdaemon</code> installed. Since <code>scdaemon</code> is necessary to use
<code>gpg</code> with an OpenPGP smartcard, this means you cannot issue any <code>gpg</code> commands
(like signing a git commit...) while the Solo V2 is plugged in.</p>
<p>Any <code>gpg</code> command that queries <code>scdaemon</code>, such as <code>gpg --edit-card</code> or
<code>gpg --sign foo.txt</code>, times out after about 20 seconds and leaves the token
unresponsive to both touch and CLI commands.</p>
<p>The way to "fix" this issue is to make sure <code>scdaemon</code> does not interact with
the Solo V2 anymore, using the <code>reader-port</code> argument:</p>
<ol>
<li>
<p>Plug both your Solo V2 and your OpenPGP smartcard</p>
</li>
<li>
<p>To get a list of the tokens <code>scdaemon</code> sees, run the following command: <code>$
echo scd getinfo reader_list | gpg-connect-agent --decode | awk '/^D/ {print
$2}'</code></p>
</li>
<li>
<p>Identify your OpenPGP smartcard. For example, my Nitrokey Start is listed as
<code>20A0:4211:FSIJ-1.2.15-43211613:0</code></p>
</li>
<li>
<p>Create a file in <code>~/.gnupg/scdaemon.conf</code> with the following line
<code>reader-port $YOUR_TOKEN_ID</code>. For example, in my case I have: <code>reader-port
20A0:4211:FSIJ-1.2.15-43211613:0</code></p>
</li>
<li>
<p>Reload <code>scdaemon</code>: <code>$ gpgconf --reload scdaemon</code></p>
</li>
</ol>
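<p>The five steps above folded into one script, as an added example that is not
part of the original post. It assumes GnuPG 2.2 or later with
<code>gpg-connect-agent</code> and <code>gpgconf</code> on the PATH, and that
<code>gpg-connect-agent --decode</code> prints one <code>D &lt;reader-id&gt;</code> line per
reader, which is what the <code>awk</code> one-liner in step 2 relies on. The embedded
reader list is constructed sample output (the second ID is made up) and the
function names are mine.</p>

```shell
#!/bin/sh
# Added example, not from the original post: pin scdaemon to the OpenPGP
# smartcard so it never opens the Solo V2. Assumes GnuPG 2.2+ with
# gpg-connect-agent and gpgconf on PATH, and that `gpg-connect-agent --decode`
# prints one "D <reader-id>" line per reader.

# Constructed sample of what `gpg-connect-agent --decode` prints with a
# Nitrokey Start and one other CCID device plugged in (second ID is made up).
SAMPLE_READER_LIST='OK Pleased to meet you, process 4242
D 20A0:4211:FSIJ-1.2.15-43211613:0
D 1209:0001:0123456789:0
OK'

# Turn the raw Assuan output of `scd getinfo reader_list` into one reader ID
# per line: keep only the data ("D ") lines and drop the prefix.
parse_reader_list() {
    awk '/^D / { print $2 }'
}

# Select the OpenPGP card by a fixed substring of its reader ID, typically
# "VID:PID" (e.g. 20A0:4211 for a Nitrokey Start). Prints the first match.
select_reader() {
    grep -F -- "$1" | head -n 1
}

# Offline demo: pick a card out of the constructed sample above.
demo_select() {
    printf '%s\n' "$SAMPLE_READER_LIST" | parse_reader_list | select_reader "$1"
}

# Write "reader-port <id>" into an scdaemon.conf, replacing any previous
# reader-port line so the function is safe to re-run; other options are kept.
write_scdaemon_conf() {
    conf="$1"
    reader="$2"
    mkdir -p -m 700 "$(dirname "$conf")"
    if [ -f "$conf" ]; then
        grep -v '^reader-port ' "$conf" > "$conf.tmp" || true  # grep exits 1 if nothing is left
        mv "$conf.tmp" "$conf"
    fi
    printf 'reader-port %s\n' "$reader" >> "$conf"
}

# End to end: ask the running scdaemon for its reader list, pin it to the
# matching reader, then reload scdaemon so the new config takes effect.
pin_scdaemon_to_card() {
    pattern="$1"
    reader=$(echo 'scd getinfo reader_list' | gpg-connect-agent --decode \
             | parse_reader_list | select_reader "$pattern")
    if [ -z "$reader" ]; then
        echo "no reader matching '$pattern' found; is the card plugged in?" >&2
        return 1
    fi
    write_scdaemon_conf "${GNUPGHOME:-$HOME/.gnupg}/scdaemon.conf" "$reader"
    gpgconf --reload scdaemon
    echo "scdaemon now restricted to reader $reader"
}

# Usage, with both the card and the Solo V2 plugged in:
#   pin_scdaemon_to_card 20A0:4211
```

<p>Run <code>pin_scdaemon_to_card</code> with the <code>VID:PID</code> your card reports. The config
path honours <code>GNUPGHOME</code>, and the <code>reader-port</code> line is replaced rather than
appended, so the script can be run again if the card's serial or reader index
changes. Check the result with <code>gpg --card-status</code>: it should answer
immediately, and the Solo V2 should still respond to touch afterwards.</p>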
<p>Although this is clearly a firmware bug<sup id="fnref:trussed"><a class="footnote-ref" href="#fn:trussed">2</a></sup>, I do believe GnuPG is also
partly to blame here. Let's just say I was not very surprised to have to battle
<code>scdaemon</code> again, as I've had <a href="https://veronneau.org/preventing-an-openpgp-smartcard-from-caching-the-pin-eternally.html">previous issues with it</a>.</p>
<p>Which leads me to my biggest gripe so far: it seems SoloKeys (the company)
isn't really fixing firmware issues anymore and doesn't seem to care. The last
firmware release is about a year old.</p>
<p>Although people are experiencing serious bugs, there is <a href="https://github.com/solokeys/solo2/discussions/124#discussioncomment-3584059">no official way to
report them</a>, which leads to issues being seemingly ignored. For
example, <a href="https://github.com/solokeys/solo2/discussions/138">the NFC feature is apparently killing keys</a> (!!!), but no one
from the company seems to have acknowledged the issue. The same goes for my
GnuPG bug, which <a href="https://github.com/solokeys/solo2/discussions/141#discussion-4423876">was flagged in September 2022</a>.</p>
<p>For a project that mainly differentiates itself from its (superior) competition
by being "Open", it's not a very good look... Although “<em>SoloKeys is still an
unprofitable open source side business of its creators</em>”<sup id="fnref:side"><a class="footnote-ref" href="#fn:side">3</a></sup>, this kind of
attitude certainly doesn't help foster trust.</p>
<h2>Conclusion</h2>
<p>If you want to have a nice, durable FIDO2 token, I would suggest you get one of
the many models Yubico offers. They are similarly priced, are readily
commercially available, are part of a nice and maintained software ecosystem
and have more features than the Solo V2 (OpenPGP support being the one I miss
the most). Yubikeys are the <em>practical</em> option.</p>
<p>What they are not is open-source hardware, whereas <a href="https://certification.oshwa.org/us001100.html">the Solo V2 is</a>. As
bunnie <a href="https://www.bunniestudios.com/blog/?p=5706">very well explained on his blog in 2019</a>, it does not mean
the latter is inherently more trustworthy than the former, but it does make the
Solo V2 the <em>ideological</em> option. Knowledge is power and it should be free.</p>
<p>As such, tread carefully with SoloKeys, but don't dismiss them altogether: the
Solo V2 is certainly functioning well enough for me.</p>
<div class="footnote">
<hr>
<ol>
<li id="fn:fido">
<p>Although U2F is still part of the FIDO2 specification, the Tomus
predate this standard and were thus not fully compliant with FIDO2. So long
and thanks for all the fish little boards, you've served me well! <a class="footnote-backref" href="#fnref:fido" title="Jump back to footnote 1 in the text">↩</a></p>
</li>
<li id="fn:trussed">
<p>It appears the Solo V2 <a href="https://github.com/solokeys/solo2/discussions/141#discussion-4423876">shares its firmware</a> with the
Nitrokey 3, which had <a href="https://github.com/Nitrokey/nitrokey-3-firmware/issues/22">a similar issue</a> a while back. <a class="footnote-backref" href="#fnref:trussed" title="Jump back to footnote 2 in the text">↩</a></p>
</li>
<li id="fn:side">
<p>This is a <a href="https://github.com/solokeys/solo2/discussions/124#discussioncomment-3584059">direct quote</a> from one of the Solo V2 firmware
maintainers. <a class="footnote-backref" href="#fnref:side" title="Jump back to footnote 3 in the text">↩</a></p>
</li>
</ol>
</div>
<h1>I am Tomu!</h1>
<p>Louis-Philippe Véronneau, 2018-08-08</p>
<p>While I was away for DebConf18, I received the <a href="http://tomu.im/">Tomu boards</a> I ordered on
Crowdsupply a while ago while the project was still going through crowdfunding.</p>
<p><img src="/media/blog/2018-08-08/tomu.jpg" title="A Tomu board next to a US cent for size comparison" alt="A Tomu board next to a US cent for size comparison" height="30%" width="30%" style="float:left"></p>
<p>For those of you who don't know what the Tomu is, it's a tiny ARM microcontroller
board which fits in your USB port. There are a bunch of neat things you can do
with it, but I use it as a <a href="https://en.wikipedia.org/wiki/Universal_2nd_Factor">U2F token</a>.</p>
<p>The design is less sleek than a <a href="https://www.yubico.com/product/yubikey-4-series/#yubikey-4-nano">YubiKey nano</a> and it can't be used as
a GPG smartcard (<a href="https://github.com/im-tomu/tomu-samples/issues/4">yet!</a>), but it runs free software on open hardware
and everything can be built using a free software toolchain.</p>
<p>It also cost me a fraction of the price of a Yubico device (14 CAD with shipping
vs 70+ CAD for the YubiKey nano) so I could literally keep 1 for me and give
away 4 Tomus to my friends and family for the price of a YubiKey nano.</p>
<p>But yeah, the deal breaker really is the openness of the device. I don't see how
I could trust a proprietary device that <a href="https://www.yubico.com/keycheck">tells me it's very secure</a> when I
can't see what it's doing with my U2F private key...</p>
<h2>Flashing the board</h2>
<p>The Tomu can be used as a U2F token by flashing <a href="https://github.com/im-tomu/chopstx/tree/efm32/u2f">chopstx</a> on it, the
same software used in the <a href="https://www.fsij.org/category/gnuk.html">gnuk project</a> led by the awesome Niibe-san.</p>
<p>Although I had a gnuk token a while ago, I ended up giving it away since I found
the flashing process painful and I didn't really have a use case for a GPG
smartcard at the time.</p>
<p><img src="/media/blog/2018-08-08/toboot.gif" title="A Tomu board in the bootloader" alt="The Tomu board in the bootloader" height="30%" width="30%" style="float:right"></p>
<p>On the contrary, flashing the Tomu was a walk in the park. The Tomu's bootloader
supports <code>dfu-util</code> so it was only a matter of installing it on my computer,
building the software and pushing it on the board.</p>
<p>I did encounter a few small problems during the process, but I sent
<a href="https://github.com/im-tomu/chopstx/pull/6">a series</a> <a href="https://github.com/im-tomu/im-tomu.github.io/pull/13">of patches</a> <a href="https://github.com/Yubico/libu2f-host/pull/104">upstream</a> to try to fix that
and make the whole experience smoother.</p>
<p>Here are a few things you should look out for while flashing a Tomu to be used
as a U2F token.</p>
<ul>
<li>Make sure you are running the latest version of the bootloader. You can find
it <a href="https://github.com/im-tomu/tomu-bootloader#installing-or-upgrading-toboot">here</a>.</li>
<li>Your U2F private key will be erased if you update the firmware. Be sure to
<a href="https://github.com/im-tomu/chopstx/tree/efm32/u2f#injecting-private-key">generate it on your host computer</a> and keep an encrypted copy of it
somewhere. Keep in mind that a key which exists on your computer, even
encrypted, is only as safe as that computer and that backup, which is weaker
than a key that never leaves the token.</li>
<li>For now, the readout protection is not enabled by default. Be sure to use
<code>make ENFORCE_DEBUG_LOCK=1</code> when building the <code>chopstx</code> binary.</li>
<li>Firefox doesn't support U2F out of the box on Debian. You have to enable a
few options in <code>about:config</code> and use a plugin for it to work properly.</li>
<li>You need to <a href="https://github.com/im-tomu/chopstx/tree/efm32/u2f#update-udev-rules">add a new udev rule</a> for the Tomu to be seen as a U2F
device by your system.</li>
</ul>