Tomu
The Tomu is a family of open-source FIDO2 security keys. This article describes how to set up and use it. So far this page is limited to "the original tomu" – help to expand it.
The original Tomu
Install necessary software
To build tomu images you will need arm-none-eabi-gcc and arm-none-eabi-newlib. To flash software on the tomu you use dfu-util.
Check Tomu with dfu-util
Your tomu should arrive with dfu-util installed. If you insert tomu into the usb port and toboot starts, the green and red led should flash alternating. To check if your tomu is running the bootloader toboot and which version run:
# dfu-util --list
[...] Found DFU: [1209:70b1] ver=0101, devnum=19, cfg=1, intf=0, path="1-1.2", alt=0, name="Tomu Bootloader (5) v2.0-rc7", serial="UNKNOWN"
TOBOOT_CONFIG_FLAG_AUTORUN
flag, and start running immediately. They will then not (nessecary) blink in this way and they will not be found by dfu-util! To enter Toboot on these devices, short out the two outer pins with tweezers while inserting Tomu into the usb-port (image).Update the bootloader (toboot)
If the bootloader of your tomu is not the newest version (currently v2.0-rc7, june 2020), you should update it. You can compile it yourself, or download a prebuilt version from GitHub (direct link). Install the update like this:
# dfu-util -d 1209:70b1 -D toboot-booster.dfu
Installing other software
If you do not want to use tomu as U2F token but use it for different purposes, you can find example applications here. They can be installed with df-util:
# dfu-util -d 1209:70b1 -D application.dfu
Installing U2F firmware (chopstx port)
The code for the U2F firmware for tomu can be found here. Clone it from git and compile it:
$ git clone https://github.com/im-tomu/chopstx.git $ cd chopstx/u2f $ make
You have two options:
- Flash it without a key. If flashed without a key, the firmware generates EC private key on its first boot and erases it when it enters the bootloader! You cannot create a backup. But this has the advantage that the key will never exist outside tomu. Make sure to have an alternative second factor or recovery possibility. You cannot update the software without losing the private key.
- Inject a private key. Generate a key on your computer, inject it into the firmware and flash them together to the tomu.
Injecting a private key (optional, see above!)
Generate your private key:
$ openssl ecparam -name prime256v1 -genkey -noout -outform der -out key.der
You may want to back it up encrypted and/or offline. Inject it to the build
$ ./inject_key.py --key key.der
Flashing
You can flash the software to the device:
# dfu-util -v -d 1209:70b1 -D build/u2f.bin
When the flashing was successful the LEDs should have stopped flashing. Remove it and plug it in again – with the U2f software the red LED should flash only very shortly & quickly.
Updating/Restoring an u2f tomu
If you have the injected a private key you can again build the software and inject the key. You must however set the counter to a value at least 1 higher than it was on the tomu:
$ ./inject_key.py --key key.der --ctr 1001
If you still have the original tomu (i.e. you want to update) you can find out the counter in the Yubikey demo site. Otherwise, set it to a value "big enough".
Testing, Using
You can use webauthn.io or the Yubikey demo site to test you u2f key or with pamu2fcfg on terminal (see below).
To use the key:
Plug it in. When the application (for example your browser) asks you to press the button, the red LED on the tomu starts to blink. You have now to press the "lower button". The capacitive buttons are the four contact areas on the end of the tomu. The "lower" one is from watching at it from the side with the chip on it. Press it with your finger – it can be tricky to reach – in worst case use a metal screwdriver or similar. When you pressed it, the red LED stays on for a few seconds then the application receives the answer.