While I was away for DebConf18, I received the Tomu boards I ordered on Crowdsupply a while ago while the project was still going through crowdfunding.
For those of you who don't know what the Tomu is, it's a tiny ARM microprocessor board which fits in your USB port. There is a bunch of neat stuff you can do with it, but I use it as a U2F token.
It also cost me a fraction of the price of a Yubico device (14 CAD with shipping vs 70+ CAD for the YubiKey nano) so I could literally keep 1 for me and give away 4 Tomus to my friends and family for the price of a YubiKey nano.
But yeah, the deal breaker really is the openness of the device. I don't see how I could trust a proprietary device that tells me it's very secure when I can't see what it's doing with my U2F private key...
Flashing the board
Although I had a gnuk token a while ago, I ended up giving it away since I found the flashing process painful and I didn't really have a use case for a GPG smartcard at the time.
On the contrary, flashing the Tomu was a walk in the park. The Tomu's bootloader supports dfu-util so it was only a matter of installing it on my computer, building the software and pushing it on the board.
Here are a few things you should look out for while flashing a Tomu to be used as a U2F token.
- Make sure you are running the latest version of the bootloader. You can find it here.
- Your U2F private key will be erased if you update the firmware. Be sure to generate it on your host computer and keep an encrypted copy of it somewhere.
- For now, the readout protection is not enabled by default. Be sure to use make ENFORCE_DEBUG_LOCK=1 when building the
- Firefox doesn't support U2F out of the box on Debian. You have to enable a few options in about:config and use a plugin for it to work properly.
- You need to add a new udev rule for the Tomu to be seen as a U2F device by your system.
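
One way to follow the advice above about generating the key on the host and keeping an encrypted copy, as an added example that is not part of the Tomu project's tooling. It assumes the key is an ECDSA key on NIST P-256 (the curve U2F uses) stored as PEM; the file names, function names and the U2F_KEY_PASS variable are hypothetical, and how the key gets into the firmware is not covered here.

```shell
#!/bin/sh
# Added example: create a P-256 key on the host, write a passphrase-encrypted
# copy, and prove the copy decrypts to the same key before relying on it.
# Names below (gen_key, encrypt_key, verify_backup, U2F_KEY_PASS) are assumptions.

# Generate an unencrypted P-256 (prime256v1) private key, readable by owner only.
gen_key() {
    ( umask 077 && openssl ecparam -name prime256v1 -genkey -noout -out "$1" )
}

# Write an encrypted PKCS#8 copy (PBES2 with AES-256-CBC).
# The passphrase is read from the exported variable U2F_KEY_PASS; for
# interactive use, drop -passout and let openssl prompt instead.
encrypt_key() {
    ( umask 077 && openssl pkcs8 -topk8 -v2 aes-256-cbc \
        -in "$1" -out "$2" -passout env:U2F_KEY_PASS )
}

# Succeed only if the backup decrypts and yields the same public key
# as the plaintext original. A wrong passphrase makes this fail.
verify_backup() {
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -passin env:U2F_KEY_PASS -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: U2F_KEY_PASS=... sh backup-key.sh key.pem key.enc.pem
if [ "$#" -eq 2 ]; then
    gen_key "$1" && encrypt_key "$1" "$2" && verify_backup "$1" "$2" \
        && echo "encrypted backup verified: $2"
fi
```

Once the board is flashed and the backup verifies, store only the encrypted file and delete the plaintext key from the host.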