Tomu

From ArchWiki
Jump to navigation Jump to search

The Tomu is a family of open-source FIDO2 security keys. This article describes how to set up and use it. So far this page is limited to "the original tomu" – help to expand it.

The original Tomu

Install necessary software

To build tomu images you will need arm-none-eabi-gcc and arm-none-eabi-newlib. To flash software on the tomu you use dfu-util.

Check Tomu with dfu-util

Your tomu should arrive with dfu-util installed. If you insert tomu into the usb port and toboot starts, the green and red led should flash alternating. To check if your tomu is running the bootloader toboot and which version run:

# dfu-util --list
[...]
Found DFU: [1209:70b1] ver=0101, devnum=19, cfg=1, intf=0, path="1-1.2", alt=0, name="Tomu Bootloader (5) v2.0-rc7", serial="UNKNOWN"
Note: Some tomu programs – including the u2f code – set the TOBOOT_CONFIG_FLAG_AUTORUN flag, and start running immediately. They will then not (nessecary) blink in this way and they will not be found by dfu-util! To enter Toboot on these devices, short out the two outer pins with tweezers while inserting Tomu into the usb-port (image).

Update the bootloader (toboot)

If the bootloader of your tomu is not the newest version (currently v2.0-rc7, june 2020), you should update it. You can compile it yourself, or download a prebuilt version from GitHub (direct link). Install the update like this:

# dfu-util -d 1209:70b1 -D toboot-booster.dfu

Installing other software

If you do not want to use tomu as U2F token but use it for different purposes, you can find example applications here. They can be installed with df-util:

# dfu-util -d 1209:70b1 -D application.dfu

Installing U2F firmware (chopstx port)

The code for the U2F firmware for tomu can be found here. Clone it from git and compile it:

$ git clone https://github.com/im-tomu/chopstx.git
$ cd chopstx/u2f
$ make

You have two options:

  • Flash it without a key. If flashed without a key, the firmware generates EC private key on its first boot and erases it when it enters the bootloader! You cannot create a backup. But this has the advantage that the key will never exist outside tomu. Make sure to have an alternative second factor or recovery possibility. You cannot update the software without losing the private key.
  • Inject a private key. Generate a key on your computer, inject it into the firmware and flash them together to the tomu.

Injecting a private key (optional, see above!)

Generate your private key:

$ openssl ecparam -name prime256v1 -genkey -noout -outform der -out key.der

You may want to back it up encrypted and/or offline. Inject it to the build

$ ./inject_key.py --key key.der

Flashing

You can flash the software to the device:

# dfu-util -v -d 1209:70b1 -D build/u2f.bin

When the flashing was successful the LEDs should have stopped flashing. Remove it and plug it in again – with the U2f software the red LED should flash only very shortly & quickly.

Updating/Restoring an u2f tomu

If you have the injected a private key you can again build the software and inject the key. You must however set the counter to a value at least 1 higher than it was on the tomu:

$ ./inject_key.py --key key.der --ctr 1001

If you still have the original tomu (i.e. you want to update) you can find out the counter in the Yubikey demo site. Otherwise, set it to a value "big enough".

Testing, Using

You can use webauthn.io or the Yubikey demo site to test you u2f key or with pamu2fcfg on terminal (see below).

To use the key:
Plug it in. When the application (for example your browser) asks you to press the button, the red LED on the tomu starts to blink. You have now to press the "lower button". The capacitive buttons are the four contact areas on the end of the tomu. The "lower" one is from watching at it from the side with the chip on it. Press it with your finger – it can be tricky to reach – in worst case use a metal screwdriver or similar. When you pressed it, the red LED stays on for a few seconds then the application receives the answer.