Firmware validation fails randomly

James Pond james+onernglist at cipher.host
Wed Mar 3 22:14:50 GMT 2021


> Could be the reason - try plugging direct into a port and see if it resolves your issue. Years ago I had a OneRNG plugged into a 3 ft. USB extension and had errors. They disappeared after I removed the extension so give it a shot.

> I guess I can say that at least *some* USB hubs in monitors do lead to some instability for some devices and not others; but the frequency I observed doesn't sound like it's often enough to account for your observations completely.

Yeah, I will run a few tests today with the device connected directly to a regular USB port and see if I notice any difference. This particular system is also pretty starved as far as bandwidth goes, which may or may not play into this.

> Also you have your device hard coded as ttyACM0 in your sandboxed service script. OneRNG can be recognized as ttyACM0, ttyACM1, etc. - just an observation.

That is a temporary solution I am using while testing; I will probably change the gotrng script to accept "auto" as an argument that tries to automatically figure out the device path for OneRNG.

> So although we have included a validate-every-startup step in the scripts, it's not adding much value to your security posture. If you have no other worries about the device in operation, perhaps the convenience value of the monitor's hub outweighs the need to validate the firmware on an ongoing basis?

My main intention with running the verification is not a supply chain attack, since like you said, once it is in my possession and has been verified once, I should be golden, but to check if the device is damaged or not, especially because the monitor sits in front of a window which has direct sunlight at random parts of the day.

Although, I also have monnit checking on the systemd service to alert me if it fails, so this use case may not be required either.

Still, I would rather resolve the issue itself at some point, and was mostly wondering if maybe I missed something in the implementation of the verification function.
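
The "auto" device lookup mentioned in the message above, as an added example that is not part of the original post or of the gotrng script: it picks the ttyACM node by USB vendor/product ID in sysfs instead of by name. The IDs 1d50:6086 (as used in OneRNG's udev rule), the function names and the `sys_root`/`dev_root` parameters are assumptions of this example.

```python
"""Resolve the OneRNG device node from sysfs instead of hard-coding ttyACM0."""
import os
import sys
from pathlib import Path

# Assumption: USB vendor/product IDs as used in the udev rule shipped for OneRNG.
ONERNG_IDS = ("1d50", "6086")


def _usb_ids(tty_dir: Path):
    """Read idVendor/idProduct for a tty: its 'device' link is the USB
    interface, and the USB device one level up carries the ID files."""
    try:
        iface = (tty_dir / "device").resolve(strict=True)
    except OSError:
        return None  # stale entry: device unplugged between listing and resolve
    for node in (iface, iface.parent):
        vid, pid = node / "idVendor", node / "idProduct"
        if vid.is_file() and pid.is_file():
            return (vid.read_text().strip().lower(),
                    pid.read_text().strip().lower())
    return None


def find_onerng(sys_root="/sys", dev_root="/dev"):
    """Return the device path of every attached OneRNG, sorted by name."""
    tty_class = Path(sys_root) / "class" / "tty"
    return [os.path.join(dev_root, tty_dir.name)
            for tty_dir in sorted(tty_class.glob("ttyACM*"))
            if _usb_ids(tty_dir) == ONERNG_IDS]


def resolve_device(arg, sys_root="/sys", dev_root="/dev"):
    """Map the hypothetical "auto" argument to exactly one device path;
    an explicit path is passed through unchanged."""
    if arg != "auto":
        return arg
    hits = find_onerng(sys_root, dev_root)
    if len(hits) != 1:
        # Refuse to guess: zero or several matches are left to the operator.
        raise LookupError(f"expected exactly one OneRNG, found {len(hits)}: {hits}")
    return hits[0]


if __name__ == "__main__":
    print(resolve_device(sys.argv[1] if len(sys.argv) > 1 else "auto"))
```

Failing on zero or several matches, rather than taking the first ttyACM node, keeps the service from reading another CDC-ACM device that happens to enumerate first.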

