Distribution of binary

Peter Lebbing peter at digitalbrains.com
Mon Dec 10 16:29:53 CET 2018

Hello Gniibe and list,

TL;DR: Is it okay to give people gnuk-no-vidpid.elf along with the
script to insert a VID:PID?

In Debian bug #903163, Guilhem Moulin mentioned he cannot test code for
multi-card-reader GnuPG setups since he has only one reader. Chris Lamb
offered to get him a reader, but I also replied[1] since I know how to
put GnuK on a 3 dollar Maple Mini clone and both Guilhem and I will be
at the 35C3 in two weeks.

In fact, I thought, why not bring ten, for anyone interested. They're
cheap as dirt, might as well hand them out.

The Maple Mini loses a lot of the desirable properties of the FST-01, in
regard to form factor, supply chain trustworthiness etcetera.  Guilhem
would not be using it to keep secrets, but just for development.  And of
course people only have my word that I myself didn't do bad stuff. I
could write paragraph after paragraph about all the tradeoffs possible,
with ideally people building their own binary and using an SWD- or
JTAG-programmer to flash the Maple Mini. But let's not write that mail.

I quickly realized I had for a moment forgotten about the stipulations
regarding the FSIJ VID:PID of 234b:0000. I cannot just hand out GnuK's
fully programmed and functional.

One of the tradeoffs possible is that I put a GnuK with the illegal
VID:PID 0000:0000 on the Maple Mini, and give that to someone. I also
give them a pre-built gnuk-no-vidpid.elf and the shell scripts to put
the proper FSIJ VID:PID in it, and they use reGNUal to flash the Maple
Mini. This works since you can actually upload reGNUal to a Maple Mini
that has GnuK with VID:PID 0000:0000 on Linux, I tested it. GnuPG was
less willing to work with such a GnuK; it reports:
> ccid-driver: usb_open failed: LIBUSB_ERROR_IO

Is it legally OK if I give people gnuk-no-vidpid.elf and the shell
scripts to change the VID:PID? This for people who, after hearing me
explain the pros and cons, decide they want to have that to avoid
having to build the firmware themselves.



PS: Before you reply "you need arm-none-eabi-objdump for
binary-edit.sh", let me point out that 1) x86_64-linux-gnu-objdump works
as well for this purpose and 2) I could edit the script to directly
refer to a binary offset specific to the .elf I hand out.

[1] <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903163#270>

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
