A day before, I was experimenting with the GnuPG keycard and found out that it works well with the smart card reader on my trusty T470. The card I ordered comes with a Mifare DESFire EV1 compatible RFID/NFC chip inside. Very plainly, NFC is RFID with encrypted communication, increasing the security of the humble RFID. The sad part is that neither the RFID nor the NFC is in any way connected to the GnuPG circuitry inside the card. It is basically a keycard that happens to have an NFC-compatible tag included in its form factor. I am not sure why such a product even exists, as it cannot be used for OpenPGP purposes with a smartphone (readily equipped with NFC), only with a computer (some models, including mine, have a smartcard reader available). Maybe it is a precursor for some further version of this card, where the functionality will finally be fused together.
A keycard is a good way to store a copy of the OpenPGP keys, including the private one, as that key cannot be retrieved from it by any conventional means. A readable backup of the key should still be stored somewhere safe and touched only on a few rare occasions, but a keycard is meant not to pose much of a threat to security when lost or stolen, as the data on the keycard are completely lost after a wrong password is entered a few times. Note that this specific product can do much more than just OpenPGP, for instance generate TOTP tokens, but for the sake of this article I am discussing the OpenPGP functionality exclusively.
My plan was to use the card on both the laptop and the Android phone, where the OpenKeychain app would read the keys from the card over NFC, so they would not be stored in the phone's filesystem. Nor in the laptop's, for that matter, which is good as both of these devices could be lost. I know that there is the Yubikey NEO that has both USB and NFC, so it can work on both my devices, but I simply like the smartcard form factor far better.
State of the NFC with ThinkPads on Linux
Somehow I stumbled upon a thread on Reddit mentioning that some T470 models ship with an NFC module as well. Looking around on the ArchWiki forum, there is not much information on using NFC. Almost all I could find is a note that NFC on Linux on the ThinkPad X1 Carbon is not supported as of August 2020, which is sad, again, as a similar stance probably exists for other ThinkPad models (NFC is not officially supported on Linux as there is no user demand). There is one very important thread mentioning NFC for the ThinkPad P52s, however:
The thread discusses specifically the same device my ThinkPad possesses, 058f:9540 Alcor Micro Corp. AU9540 Smartcard Reader. Yes, it is handling the smartcard functionality, but at the same time it appears to also handle the NFC. The Lenovo T470 Hardware Maintenance Manual describes the NFC module on page 58. The page above it also states that the connector for the smartcard module is physically next to the NFC module (connectors 14 and 13 respectively). Their close proximity supports the idea that the same Alcor AU9540 chip is handling both.
The thread further mentions commands to interact with the NFC, specifically nfctool available from the neard service and the libnfc package. There is also the loosely related libfreefare-git available from AUR, probably worth mentioning.
On my machine, when the pcscd.service is started, nfc-list gives the following output:

    nfc-list uses libnfc 1.8.0
    NFC device: Alcor Micro AU9540 00 00 opened
Sadly, no tag was read. Yet since libnfc found some compatible device, and with the knowledge that on Linux it is probably not supported out of the box, I also tested booting Windows 10 and installing the NXP NFC Driver for Windows 10. All the programs there reported something along the lines that no NFC reader could be found.
The ThinkPad T470 User Guide mentions on page 81 that there is a setting in the BIOS under Security > I/O Port Access > NFC device. I had no NFC device in the list, supporting the idea that the module might not be present on my model after all.
There is no better way of making sure the module is missing than seeing it with my own eyes. Since I was already in the BIOS, I selected the option to disconnect the internal battery, as this is a recommended step for servicing.
After opening the laptop, I could see that the connector belonging to the NFC module is empty, so no further proof was needed. With the internal battery already disconnected, I took that battery out as well, just to examine the compartment for the whole NFC part, as it is physically located below the internal battery.
Market availability and the future
Searching around common electronics supply channels led me to the discovery of a three-piece set under the label 01AX745, costing around 35 EUR. The set contains:
- A flex cable connecting the module to the motherboard
- The NFC module itself
- An antenna
I am considering ordering the whole set, but there are multiple questions worth discussing before I am sure it is even remotely worth the investment:
Will the module work with Linux? Some users in the thread reported it does. It might require some kernel patching, however. The exact details are still scarce.
If yes, will it serve me any purpose? Right now, I can think of some automation, like doing some task when a tag is placed on the laptop. But this does not appear terribly useful.
Will it communicate with my phone? Some use cases on the laptop refer to using NFC for communication with a phone. This might be interesting, but I'm still not sure what kind of data exactly such communication would transfer. For files, I have already set up Syncthing. I have written about it on this blog extensively already, and I am pretty happy about the setup. It is fast and does not need physical proximity, only Wi-Fi. So, using NFC for file transfer would be useful only when there is no wireless router around. Given that a common charging cable could be used for this, I would not bother with NFC. The maximum data transfer rate via NFC is also slower than Bluetooth v2, around 2.1 Mbit/s. Not worth the hassle.
Could it be used for security purposes? File transfer dismissed, communicating securely with a phone could serve as one of the factors in Multi-Factor Authentication. I have already written about it a little bit as well. I could imagine just placing my phone on the laptop instead of, for instance, re-typing the 6 digits the phone is displaying into the computer, as is still quite the norm these days with Time-based One-Time Passwords (TOTP). However, given that the NFC driver is not even readily supported on Linux, combined with the slow adoption rate of NFC on laptops overall, I suspect that it would require a great deal of hacking to pull something like this off. As a side note, I have not done any research in this area yet; maybe someone has solved it elegantly already.
Could it work with an NFC-based GnuPG security token? This is the most important question to me. There is the Fidesmo Card and Fidesmo Card 2.0 (not sure about the difference at this point). But it is in my beloved smartcard format. Fidesmo reportedly works with OpenKeychain. If not already done, porting the code to work on the laptop should not be too hard, if the actual chipset requirements are met. Using an OpenPGP keycard costing around 15 EUR on both the laptop and the phone at the same time appeals to me. Not to mention other features such devices offer, including, but not limited to, secure Bitcoin storage, U2F two-factor authentication, PGP email encryption, secure One-Time Password generation and git commit signing, which I have discussed here.
I will do some more research before deciding about ordering, but at this point I am very excited.
This is the 49th post of #100daystooffload.