Using SoloKey2 under GNU/Linux

As I used the i.MX8M Mini SoC in previous blog posts, I decided to explain the "magic" going on with the default boot settings in U-Boot. Understanding this gives us a solid foundation to efficiently work with the eval board during early development.
Of course it is also possible to reuse the framework for your own embedded Linux project, so it is even more important to understand the functional implications of it.
Solokeys Solo 2 monorepo
SoloKeys FAQ
https://docs.solokeys.io/udev/
An In-depth Guide to FIDO Protocols: U2F, UAF, and WebAuthn (FIDO2)
Nitrokey Desktop Login And Linux User Authentication
rules/50-udev-default.rules
udevadm monitor --environment --udev | grep DEVNAME
Using U2F at Linux Login
How to configure SSH with YubiKey Security Keys U2F Authentication on Ubuntu
udev rules
dzu@krikkit:/etc/udev/rules.d$ cat 70-solo2.rules
# NXP LPC55 ROM bootloader (unmodified)
SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1fc9", ATTRS{idProduct}=="0021", TAG+="uaccess"
# NXP LPC55 ROM bootloader (with Solo 2 VID:PID)
SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="b000", TAG+="uaccess"
# Solo 2
SUBSYSTEM=="tty", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="beee", TAG+="uaccess"
# Solo 2
SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="beee", TAG+="uaccess"
dzu@krikkit:/etc/udev/rules.d$
Command Line Tool
dzu@krikkit:~$ cargo install solo2
Updating crates.io index
Downloaded solo2 v0.2.1
Downloaded 1 crate (68.5 KB) in 0.52s
Installing solo2 v0.2.1
[...]
Update firmware
dzu@krikkit:~$ solo2 list
Solo 2 D92A73C51D7F835CBC994E4E2639864A (CTAP+PCSC, firmware 1:20200101.9)
dzu@krikkit:~$ solo2 update
Downloading latest release from https://github.com/solokeys/solo2/
Fetched firmware version 2:20220822.0 (2.964.0)
Warning: This is is major update and it could risk breaking any current credentials on your key.
Check latest release notes here to double check: https://github.com/solokeys/solo2/releases
If you haven't used your key for anything yet, you can ignore this.
✔ Continue? · yes
Continuing
Tap button on key to confirm, or replug to abort...
LPC55 Bootloader detected. The LED should be off.
Writing new firmware...
Done. Rebooting key. The LED should turn back on.
dzu@krikkit:~$
Configure libpamu2f
--- common-auth.pam-old 2021-11-10 16:52:22.646652586 +0100
+++ common-auth 2022-08-25 10:11:05.047495506 +0200
@@ -14,7 +14,8 @@
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
-auth [success=1 default=ignore] pam_unix.so nullok
+auth sufficient pam_u2f.so cue prompt # debug
+auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
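Review bot: On the added `auth sufficient pam_u2f.so cue prompt # debug` line, `sufficient` placed ahead of `pam_unix.so` means a successful touch ends the auth stack and the password is never asked for, so possession of the key alone authenticates. If the key is meant as a second factor rather than a password replacement, order it after the password check as `required`, taking care with the `success=1` skip on the `pam_unix.so` line. The context line refers to pam-auth-update(8); if that tool manages this file, a hand edit here can conflict with it, which is worth a comment next to the change. Keep a root shell open while testing so a mistake in this file cannot lock you out.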
Enroll key for libpamu2f
dzu@krikkit:~$ pamu2fcfg -opam://krikkit -ipam://krikkit > ~/.config/Yubico/u2f_keys
dzu@krikkit:~$
Test with sudo
dzu@krikkit:~$ sudo -K
dzu@krikkit:~$ sudo uname -a
Please touch the device.
Linux krikkit 5.18.0-4-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.18.16-1 (2022-08-10) x86_64 GNU/Linux
dzu@krikkit:~$
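With `sufficient` in the PAM stack, whoever can write the mapping file created in the enrollment step can enroll their own key for sudo, so the file is worth auditing. The following is an added example, not part of the original post or of pam-u2f; the function names are hypothetical and the assumed file layout is one line per user, `user:handle,pubkey[,type,options][:handle,pubkey,...]`.

```shell
#!/bin/sh
# Added example: audit a pam_u2f mapping file such as ~/.config/Yubico/u2f_keys.
# Assumed layout, one line per user: user:handle,pubkey[,type,opts][:handle,...]

# Print how many credentials are enrolled for USER in FILE (0 if none).
u2f_key_count() {
    awk -F: -v u="$2" '$1 == u { n = NF - 1 } END { print n + 0 }' "$1"
}

# Return 0 if FILE is a sane mapping for USER, 1 otherwise; findings go to stdout.
check_u2f_mapping() {
    file=$1; user=$2; rc=0
    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist"; return 1
    fi
    # Anyone who can write this file can add a key of their own for the user.
    perm=$(ls -ld -- "$file" | cut -c1-10)
    case $perm in
        ?????w????|????????w?)
            echo "FAIL: $file is group/world writable ($perm)"; rc=1 ;;
    esac
    count=$(u2f_key_count "$file" "$user")
    if [ "$count" -eq 0 ]; then
        echo "FAIL: no credential enrolled for $user"; rc=1
    fi
    # Every credential needs at least "handle,pubkey".
    if awk -F: -v u="$user" '
        $1 == u { for (i = 2; i <= NF; i++) if (split($i, f, ",") < 2) bad = 1 }
        END { exit !bad }' "$file"; then
        echo "FAIL: malformed credential entry for $user"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $count credential(s) for $user in $file"
    return "$rc"
}

# Usage: sh check_u2f.sh ~/.config/Yubico/u2f_keys "$USER"
if [ "$#" -ge 2 ]; then
    check_u2f_mapping "$1" "$2"
fi
```
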