
Beta Program (for firmware v1.1.1 update) #113

@nickray

Announcement

We have prereleased our first second official update of the Solo firmware: https://github.com/solokeys/solo/releases/tag/1.1.0 🍾
https://github.com/solokeys/solo/releases/tag/1.1.1 🍾 🍾

TLDR: pip install -U solo-python; solo key update [--secure|--hacker]

Invitation

Prior to announcing this update more widely, we invite anyone interested to test the firmware and its update procedure: you can take part in our beta testing program!

Please proceed at your own risk! We will of course provide help in case of any issues.

Changes

The changes are listed in our https://github.com/solokeys/solo/blob/master/CHANGELOG.md

We will strongly recommend everyone to update, as this fixes a bug in the U2F functionality (FIDO2 functionality was not affected) causing the signature counter to cycle after 255 uses of a given credential.

The firmware release goes hand in hand with the release of solo-python, our Python3.6+ library and tool to interact with your Solo. It lives in the repository https://github.com/solokeys/solo-python and can easily be installed via pip install -U solo-python. The existing solotool.py will be deprecated.

While the official roll-out may use a web-based update procedure for simplicity, by using the Python CLI tool you will be working with a more mature interface.

Additionally, with this release we move to verifiable Docker builds of the firmware, details below.

How To Update?

  • install the Python tool: pip install -U solo-python
  • update one key at a time
  • insert the key you wish to update, keeping the button pressed until the LED flashes yellow
  • if it is a Solo Secure key ("regular" version): type solo key update --secure
  • if it is a Solo Hacker key: type solo key update --hacker

Please do not flash the secure firmware onto a hacker key -- while it will work, this will activate ROP (flash readout protection) level 2, and you will irreversibly lose access to the ST DFU interface.

In both cases, the key will automatically be updated. You can verify everything worked by checking the output of the following commands:

solo key version  # should show `1.1.1`
solo key verify  # asks you to press the button, checks that the key attests properly

Verifiability

The firmware you will flash by updating is pulled from the v1.1.1 release assets:

The firmware for the secure build is embedded in a JSON containing a signature that the Solo Secure bootloader verifies before enabling. The private key to generate this signature is our "proprietary secret": this secrecy is what keeps a Solo Secure key safe from "evil maid" attacks, as only firmware approved by us can be flashed onto it. Together with the Solo Secure attestation key, these are the only secrets our company has 👐.

Everything else is 100% verifiable by you, if you wish to do so! Here's how:

  • update your checkout of this repository (github.com/solokeys/solo)
  • run make docker-build SOLO_VERSIONISH=1.1.1 (should work on Linux and Windows)
  • you will find the following files in the build/ subdirectory:
bootloader-nonverifying-1.1.1.hex
bootloader-nonverifying-1.1.1.sha2
bootloader-verifying-1.1.1.hex
bootloader-verifying-1.1.1.sha2
firmware-hacker-1.1.1.hex
firmware-hacker-1.1.1.sha2
firmware-secure-1.1.1.hex
firmware-secure-1.1.1.sha2
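
One way to run the comparison once the build finishes, as an added example (not part of the original post or of the Solo tooling). It assumes the release assets were downloaded by hand into a separate directory under the same file names as the `build/` output, and that each `.sha2` file holds a SHA-256 hex digest as its first field; `digest_of` and `compare_builds` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. Assumptions: the release assets were downloaded by hand
# into RELEASE_DIR under the same file names as the build/ output, and a
# .sha2 file holds a SHA-256 hex digest as its first whitespace-separated field.

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum elsewhere).
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# compare_builds BUILD_DIR RELEASE_DIR
# Returns 0 only if every locally built .hex matches its own .sha2 (when
# present) and the same-named file in RELEASE_DIR; 2 if nothing was built.
compare_builds() {
    build_dir=$1; release_dir=$2; failures=0
    for hex in "$build_dir"/*.hex; do
        [ -e "$hex" ] || { echo "no .hex files in $build_dir" >&2; return 2; }
        name=$(basename "$hex")
        local_sum=$(digest_of "$hex")
        sha2_file="${hex%.hex}.sha2"
        # A stale .sha2 means the build directory holds mixed artifacts.
        if [ -f "$sha2_file" ] &&
           [ "$(awk 'NR==1 {print $1}' "$sha2_file")" != "$local_sum" ]; then
            echo "STALE    $name: .sha2 does not match .hex"
            failures=$((failures + 1))
        fi
        if [ ! -f "$release_dir/$name" ]; then
            echo "MISSING  $name: not found in $release_dir"
            failures=$((failures + 1))
        elif [ "$(digest_of "$release_dir/$name")" = "$local_sum" ]; then
            echo "MATCH    $name  $local_sum"
        else
            echo "DIFFERS  $name"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}
```

Source the file and call `compare_builds build/ <directory with the downloaded assets>`; any line other than `MATCH` means the local build and the published file should not be treated as the same firmware.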

Bundle Update for Solo Hacker

If you have a hacker key, you can update the bundle of both bootloader + firmware:

solo mergehex bootloader-nonverifying-1.1.1.hex firmware-hacker-1.1.1.hex bundle-hacker-1.1.1.hex
  • insert key
  • run the following commands:
solo program aux enter-bootloader
solo program aux enter-dfu
# powercycle the key (remove and plug in again)
solo program dfu bundle-hacker-1.1.1.hex
solo program aux leave-dfu
# powercycle the key (remove and plug in again)
solo ls

In time, the mode changes (between firmware, bootloader and dfu) may be automated, but they can be a little finicky. In particular, when entering or leaving ST DFU mode, a hard reboot (powercycle) can be necessary. Here is a diagram explaining the solo program subcommands: https://whimsical.co/YHmbripdnGn9DtBA8YrrdL

Bug Reports

In case of any issues, please report by commenting in this GitHub issue, so we can fix them.

Thank you!
