v2.5.0 - Nitropad NV41 / NS50 / NS70 / X230 / T430

This release includes all Nitropad variants.

Important: The firmware binary for updating is .zip from now on. For some releases we will also provide the old .npf images. For updating the firmware from < v2.4 you will need the .npf, starting from v2.4 please use the .zip

Major Changes / Fixes:

• This update addresses a potential security issue related to the re-creation of HOTP secrets on the Nitrokey 3 device. This update ensures that re-creating HOTP secrets on the Nitrokey 3 always requires both User Verification (entering the user PIN) and User Presence (touching the Nitrokey 3). To work correctly with HEADS v2.5, the Nitrokey 3 firmware has also been updated to version v1.7.1. With previous firmware versions, re-creating HOTP secrets only required User Presence, but did not verify the user PIN, which was a less strict security policy than intended. The TOTP mechanism is unaffected by this issue - so in doubt you can still rely on this to verify the HEADS firmware is unmodified.

• Please be sure to always update HEADS together with the Nitrokey 3. The v1.7.1 NK3 firmware won't work with older HEADS versions

• Enables autoboot. Heads will now autoboot if all checks are correct. This can be stop by pressing any key during the startup.

Known Issues:

• after flashing the new firmware the NV41 might need more than one power-cycle to properly boot
• the NV41 and NS50/NS70 will not reboot after a firmware upgrade and needed to be restarted manual

Signature

Verify the detached signature using:

gpg --verify sha256sum.sig sha256sum

You expect an output like this one:

gpg: Signature made Wed 05 Jun 2024 02:09:22 PM CEST
gpg:                using RSA key C7E32619E2F71736F5910BB144CB2D868DD16BDA
gpg: Good signature from "Markus Meissner <[email protected]>" [ultimate]
gpg:                 aka "Markus Meissner <[email protected]>" [ultimate]

If you don't have the key yet, you can get it like this:

gpg2 --keyserver keyserver.ubuntu.com --recv-keys 44CB2D868DD16BDA

Feel free to cross-validate the main-key fingerprint on this profile.

v2.4.1 - Nitropad NV41 / NS50 / NS70 / X230 / T430

This release includes all Nitropad variants.

Important: The firmware binary for updating is .zip from now on. For some releases we will also provide the old .npf images. For updating the firmware from < v2.4 you will need the .npf, starting from v2.4 please use the .zip

Major Changes / Fixes:

• ME is now correctly disabled again across all variants

Known Issues:

• after flashing the new firmware the NV41 might need more than one power-cycle to properly boot

Signature

Verify the detached signature using:

gpg --verify sha256sum.sig sha256sum

You expect an output like this one:

gpg: Signature made Tue 23 Jan 2024 01:57:00 PM CET
gpg:                using RSA key C7E32619E2F71736F5910BB144CB2D868DD16BDA
gpg: Good signature from "Markus Meissner <[email protected]>" [ultimate]
gpg:                 aka "Markus Meissner <[email protected]>" [ultimate]

If you don't have the key yet, you can get it like this:

gpg2 --keyserver keyserver.ubuntu.com --recv-keys 44CB2D868DD16BDA

Feel free to cross-validate the main-key fingerprint on this profile.

v2.4 - Nitropad NV41 / NS50 / NS70 / X230 / T430

This release includes all Nitropad variants.

Important: The firmware binary for updating is .zip from now on. For some releases we will also provide the old .npf images. For updating the firmware from < v2.4 you will need the .npf, starting from v2.4 please use the .zip

Major Changes / Fixes:

• Suspend now works as expected for the both NV41 & NS50
  • NV41: S3 suspend is used for both QubesOS & Ubuntu
  • NS50: S0ix suspend is used for Ubuntu, QubesOS suspend does not work as of now
• Compatibility with Nitrokey 3 >= v1.6
• NV41 / NS50: igfx / i915 works now as intended (QubesOS 4.1.2 not yet, QubesOS 4.2 reported good)
• Updated coreboot to Dasharo 1.7.2 (noise reduction, various fixes)
• Fix compatibility with Nitrokey Storage + gpg >= 2.4
• For the NS70, please use the NS50 firmware images
• Compatibility with the latest Ubuntu Kernels

Known Issues:

• after flashing the new firmware the NV41 might need more than one power-cycle to properly boot
• ME is not properly disabled on NV41/NS50/NS70 ( #39 )

Signature

Verify the detached signature using:

gpg --verify sha256sum.sig sha256sum

You expect an output like this one:

gpg: Signature made Fri 05 Jan 2024 10:27:14 AM CET
gpg:                using RSA key C7E32619E2F71736F5910BB144CB2D868DD16BDA
gpg: Good signature from "Markus Meissner <[email protected]>" [ultimate]
gpg:                 aka "Markus Meissner <[email protected]>" [ultimate]

v2.3 - Nitropad NV41 / NS50 / X230 / T430

This release includes all Nitropad variants.

Major Changes / Fixes:

• ifgx / i915 can now be properly initialized by the OS. this solves various cpu load and temperature issues and allows using the igfx properly
• fixed an issue, which did lead to an incomplete OEM-Factory-Reset in combination with a Nitrokey Storage

Known Issues:

• after flashing the new firmware the NV41 might need more than one power-cycle to properly boot

Signature

Verify the detached signature using:

gpg --verify sha256sum.sig sha256sum

You expect an output like this one:

gpg: Signature made Sat 18 Nov 2023 12:45:24 PM CET
gpg:                using RSA key C7E32619E2F71736F5910BB144CB2D868DD16BDA
gpg: Good signature from "Markus Meissner <[email protected]>" [ultimate]
gpg:                 aka "Markus Meissner <[email protected]>" [ultimate]

v2.2 - Nitropad NV41 / NS50 / X230 / T430

This release includes all Nitropad variants.

Major Changes / Fixes:

• S3 sleep now works as expected for the NV41
• Added bootsplash to all variants

Known Issues:

• igfx / i915 cannot be properly initialized by the kernel, this means direct-rendering goes through llvm-pipe instead of the internal grafics - this has an negative impact for cpu & rendering performance
• after flashing the new firmware the NV41 might need more than one power-cycle to properly boot
• Nitrokey Pro & Nitrokey Storage are reported to not work properly with this version - please wait with updating if you have one of these devices

Signature

Verify the detached signature using:

gpg --verify sha256sum.sig sha256sum

You expect an output like this one:

gpg: Signature made Wed 04 Oct 2023 11:00:21 PM CEST
gpg:                using RSA key C7E32619E2F71736F5910BB144CB2D868DD16BDA
gpg: Good signature from "Markus Meissner <[email protected]>" [ultimate]
gpg:                 aka "Markus Meissner <[email protected]>" [ultimate]

v2.1 - Nitropad NV41 / NS50 / X230 / T430

This release includes all Nitropad variants. This will be the last time we release legacy firmware images, the next releases will only contain maximized images. See our documentation about updating to maximized.

Major changes

• Flashing progress is working again
• Support for all Nitropads

Signature

Verify the detached signature using:

gpg --verify sha256sum.sig sha256sum

You expect an output like this one:

❯ gpg --verify sha256sum.sig sha256sum
gpg: Signature made Wed 05 Jul 2023 04:30:34 PM CEST
gpg:                using RSA key C7E32619E2F71736F5910BB144CB2D868DD16BDA
gpg: Good signature from "Markus Meissner <[email protected]>" [ultimate]
gpg:                 aka "Markus Meissner <[email protected]>" [ultimate]

v2.0 - Nitropad NS50 / NV41

This release is only for the Nitropad NS50 and the Nitropad NV41. Another release including the T430 and X230 will follow soon.

Major changes:

• Support the new Nitropads NS50 & NV41
• Nitrokey 3 support
• TPM2 support

Known Issues:

• Flashing progress visualization is not working, please be patient and do not switch off the laptop during any flashing process
• No firmware images for X230 and T430 are provided

Signature

Verify the detached signature using:

gpg --verify sha256sum.sig sha256sum

You expect an output like this one:

❯ gpg --verify sha256sum.sig sha256sum
gpg: Signature made Tue 27 Jun 2023 01:41:45 PM CEST
gpg:                using RSA key C7E32619E2F71736F5910BB144CB2D868DD16BDA
gpg: Good signature from "Markus Meissner <[email protected]>" [ultimate]
gpg:                 aka "Markus Meissner <[email protected]>" [ultimate]

NitroPad X230 and T430 v1.4

Main Changes

• Coreboot version 4.13
• Support QubesOS >= 4.1
• Reduced Heads menu for non maximized images

Important Notes

For all operating systems except for QubesOS this firmware update is not necessary! Please be aware that installing this update will replace the graphical dialogues with text-only dialogues.

To update your existing Nitropad T430 or X230 use the .npf files only! If the .npf is not accepted by Heads, this means your Heads version is not 1.3.1, so either update to this version first or simply unzip the .npf file and use the .rom inside.

The -maximized images include a reduced ME and therefore the original, graphical HEADS menu. It is not possible to update your Nitropad from the running system using a -maximized image. If you try to update your Nitropad from a running system using a -maximized image, YOU WILL BRICK YOUR NITROPAD. The -maximized image must only be used with an external flasher device.

Please read the documentation for further details.

Signature

Verify the detached signature using:

gpg --verify sha256sum.sig sha256sum

You expect an output like this one:

❯ gpg --verify sha256sum.sig sha256sum
gpg: Signature made Wed 23 Mar 2022 02:55:11 PM CET
gpg:                using RSA key C7E32619E2F71736F5910BB144CB2D868DD16BDA
gpg: Good signature from "Markus Meissner <[email protected]>" [ultimate]
gpg:                 aka "Markus Meissner <[email protected]>" [ultimate]

NitroPad X230 and T430 v1.3.1

Solved Bugs

• gracefully handle checksum failure

New Features

• add build for NitroPad T430 (Thinkpad T430 devices)

Known problems

• keyboard sometimes fails after reboot inside of Heads (thus, hard poweroff via button is necessary, afterwards working fine)

Planned features for next release

• Luks passphrase change via menu - slowed down by missing cryptsetup 2.3 support
• EV of NK Storage is formatted after factory-reset (something like nitrocli probably needed)
• consolidation of terminology (gpg card vs. USB security dongle etc.)
• check signed firmware before flashing

Signed Binary

All files is signed indirectly (via sha256sum.txt) by PGP key:

79D0526BD96AE6338E6257BD A8853020E8EE6FBA Alexander Paetzelt | Nitrokey <[email protected]>

The .npf file can be used for integrity checked flashing since version 1.2 and should be preferred over .rom file.

NitroPad X230 v1.2

Solved Bugs

• Suspend issue fixed

New Features

• NitroPad release information and git hashes are now included in system info (fixes #4 )
• Firmware integrity will be checked if .npf file is provided (fixes #3 )

Known problems

• keyboard sometimes fails after reboot inside of Heads (thus, hard poweroff via button is necessary, afterwards working fine)

Planned features for next release

• Luks passphrase change via menu - slowed down by missing cryptsetup 2.3 support
• EV of NK Storage is formatted after factory-reset (something like nitrocli probably needed)
• consolidation of terminology (gpg card vs. USB security dongle etc.)
• recovery console started if checksum signing failed first time - shouldn't be the case
• check signed firmware before flashing

Signed Binary

The nitropad_x230-v1.2-fdbc6a4.rom is signed indirectly (via sha256sum.txt) by PGP key:

79D0526BD96AE6338E6257BD A8853020E8EE6FBA Alexander Paetzelt | Nitrokey <[email protected]>

The .npf file can be used for integrity checked flashing since version 1.2 and should be preferred over .rom file.