Firmware file consistency verification #3
Comments
|
I am not sure if this is best adresses in osresearch/heads instead. I am not sure yet if this is necessary, though. |
|
Let's discuss it here first, and it can later be moved to upstream. Why do you think its not needed? Is there any firmware file verification implemented already? |
|
Okay, at first I was wondering if flashrom itself would complain about a incomplete file, but even then it would not detect bitwise errors. I am not sure how severe this issue is, but in my opinion it is a valid point. To keep it simple I would recommend a solution in which the checksum is only checked if a checksum file is present and ignored otherwise so that users could flash without the check if they want. Furthermore, I think this is something that we might be able to provide ourselves and creating a PR upstream afterwards. Only finding some time would be vital 😬 |
|
Exactly. PR possible, but time is scarce. I would not agree with the hash sum check being optional - support side this will be a nightmare to troubleshoot, if any of that will happen. And 1 in 1000 will probably do. |
|
I see, I missed the tar part. Sound like a valid idea, just wanted to avoid letting the user store multiple files. Actually, now that I think about it I pretty much like it 👍 |
|
Tar and zip are AFAIR :-) |
|
I added a simple file integrity check here What do you think about including yours and mine PGP key in the built and adding signing checks as well? Otherwise, I think this can be closed by next release. |
|
Are you sure? Actually, I like the fact that it is a plain .zip archive 🤔
I will add a warning.
I mean having our key pairs already included in the trustdb of the gnupg folder in the rom an checking the signatures of a sha256sum.txt.gpg in the archive. On the other hand this would mean that we would be two people able to manipulate the machine. On the other hand this would make it much more difficult to flash roms of the bad guys... And some trust in Nitrokey needs to be taken for granted anyway. |
What about using .tar instead? Less likely confusion. But I am fine with arbitrary file endings as well 🤷 |
I do not see how that would help :-) Let's not be afraid of the custom extension. We have a format with a structure we expect in the software, hence we are fully entitled to have one. From the UX perspective I think it would be better. |
It would be nice to have this but for informative purposes only, as long as the firmware is not planned to be locked. If time will come, the proper key will be established and handled with care. Now the decision to execute firmware update is on the user, and obligation to confirm the authenticy. |
Of course, the user shall always have the possibility to shoot herself in the foot :) No, seriously, I am pretty much against any kind of restriction of flashing just some random file! There should be a fat warning though. |
|
change .zip to .npf and added warning for *.rom users. |
|
Looks good! |
|
Fixed in |
At the moment firmware file consistency check is not made before the flashing. This could result in hard to debug issues, or complete "bricking" of the hardware on the user side, shall the data transfer to the USB drive be interrupted.
This should be automated. The firmware binary and metadata (hash,signature) should be packed to a single .tar archive, which would be then checked by the Heads during the update execution.
For now we instruct users to do it by hand:
The text was updated successfully, but these errors were encountered: