Descriptions of the tagged TKey releases.
This is an official release of the "Bellatrix" version of the Tillitis' TKey. This version is ready for general use.
Using OCI image ghcr.io/tillitis/tkey-builder:4
, built from
../contrib/Dockerfile
, and the generic
../hw/application_fpga/data/uds.hex
and
../hw/application_fpga/data/udi.hex
, a clean build should generate
the following digest:
321924aa3b26507f2a02325750e63c83b306c7831f8e2c87e8d198cecf8cc1c1 application_fpga.bin
- Security Monitor now prevents access to RAM outside of the physical memory. If it detects an access outside of the RAM address space, it will halt the CPU.
- CPU Monitor changes name to Security monitor, which CPU Monitor is a part of. Prepare for more functions in the future.
- Support incremental builds for the bitstream, when changing UDS/UDI between builds. Requires tkey-builder:3 or higher.
- Update Verilog linter to Verilog-2005 and fixed warnings.
- Complete testbenches and add 9 tests for the FPGA cores.
- Protect zeroisation against compiler optimisation by using secure_wipe(), fixing a memset() that was removed during compilation.
- Make memeq() function side channel silent.
- Change memory constants to defines instead of an enum, to be compatible with ISO C.
- Deprecate TK1_MMIO_TK1_RAM_ASLR and introduce TK1_MMIO_TK1_RAM_ADDR_RAND instead to distinguish from OS-level ASLR.
- Use pedantic warnings while building firmware and fixed warnings.
- Use clang-tidy in CI.
- Fix warnings from splint.
- New plastic clip o and update of BOM.
- Build TP1 firmware in CI.
- Fixed a bug where a byte of data could in some rare circumstances be dropped, causing a client app to hang.
- General clean-up of code, translated all comments to English.
- New injection moulded plastic case
- Updated to version 3. Bumping Ubuntu to 23.10, Yosys to 0.36 and nextpnr to 0.6.
- Updated to version 4. Bumping pico-sdk to 1.5.1, adding clang-tidy and splint.
- Fixing broken links, cleaning up docs and READMEs.
- Clarify warm boot attack mitigations and scope for Bellatrix in threat model.
For full change log see
This is the official release of the "Bellatrix" version of the Tillitis TKey device. This version is ready for general use.
This release only contains a hardware update to tk1. Capacitor C8 is not populated. A PCB spring contact, U11, is insted placed on the footprint of C8.
This is the official release of the "Bellatrix" version of the Tillitis TKey device. This version is ready for general use.
Given the OCI image ghcr.io/tillitis/tkey-builder:2
built from
../contrib/Dockerfile
and the generic UDS.hex and UDI.hex, a clean
build should generate the following digest:
sha256sum application_fpga.bin
d2970828269b3ba7f09fb73b8592b08814dfe8c8087b00b0659feb516bb00f33 application_fpga.bin
This bug fix release contains the following changes:
- Change the firmware protocol max frame size back to 128 bytes
- Correct a bug with the reading out of UDS
This is the official release of the "Bellatrix" version of the Tillitis TKey device. This version is ready for general use.
Given the OCI image ghcr.io/tillitis/tkey-builder:1
built from
contrib/Dockerfile
and the generic UDS.hex and UDI.hex, a clean
build should generate the following digest:
shasum -a256 application_fpga.bin
f11d6b0f57c5405598206dcfea284008413391a2c51f124a2e2ae8600cb78f0b application_fpga.bin
-
(ALL) The TKey HW design, FW, protocol and first applications has been audited by a third party. No major issues was found, but the audit has lead to several updates, changes and fixes to improve the security and robustness. The third party report will be published when completed.
-
(APPS) Applications can now use the whole 128 kByte RAM.
-
(FW) The firmware now use the
FW_RAM
for the stack. It keeps no .bss or .data segments and only uses RAM for loading the application. -
(FW) The firmware has been hardened and the state machine simplified to reduce the number of commands that can be used and in which order. It exits early on failure to a fail state indicated by the RGB LED blinking red on error in an eternal loop.
-
(FW) Steady white LED while waiting for initial commands. LED off while loading app.
-
(HW) The memory system now has an execution monitor. The monitor detects attempts at reading instructions from the firmware ram. The execution monitor can also, when enabled by an application, detect attempts at reading instructions from the application stack. If any such attempt is detected, the memory system will force the CPU to read an illegal instruction, triggering the trap state in the CPU.
Note that the execution monitor can only be enabled, not disabled. The address range registers defining the region protected by the monitor can only be set when the monitor has not yet been enabled.
-
(HW) The CPU trap signal is now connected to an illegal instruction trap indicator. When an illegal instruction is detected, the RGB LED will start flashing red. Note that the CPU will stay in the trap state until the TKey device is disconnected.
-
(HW) The RAM memory now includes an address randomisation and data scrambling mechanism to make it harder for someone outside of the CPU to find assets generated by and stored in the RAM by applications. This randomisation and scrambling is set up by firmware before the application is loaded, and does not affect how applications executes.
-
(HW) The UART Rx FIFO now allows applications to read out the number of bytes received and not yet consumed by the application.
-
(HW) The FPGA bitstream can now be stored in the non volatile configuration memory (NVCM). This is done using of a new icestorm tool developed partly in the project and sponsored by Tillitis and Mullvad. The tool supports locking down NVCM access after writing the FPGA bitstream to the memory.
-
(TOOLS) There is now an OCI image (
ghcr.io/tillitis/tkey-builder:1
) and Dockerfile setting up all tools as needed to build the bitstream. -
(TOOLS) There is now a version of iceprog able to write to the FPGA bitstream to the NVCM and lock the NVCM from external access
- No known bugs have been fixed. Numerous issues has been closed.
- The RAM address and data scrambling in this release is not cryptographically secure. It his however randomized every time a TKey device is powered up.
-
(HW) The rosc TRNG has now been completed and tested. The TRNG can now be used to generate seeds by applicaitons.
-
(HW) The main clock frequency has been increased to 18 MHz.
-
(HW) The FW now has a separate RAM used during loading and measurement of applications.
-
(HW) The UART Rx FIFO is now able to handle 512 bytes.
-
(HW) The UART default bitrate has been increased to 62500 bps.
-
(HW) Support for division instruction (div) was removed from PicoRV32. Please compile your programs with the Zmmul extension,
-march=rv32iczmmul
forclang
. -
(HW) The UDI is locked down and can only be accessed by firmware, to prevent applications from tracking a particular TKey.
-
(HW) The timer MMIO API now takes separate start and stop bits for triggering the respective action, mitigating a time-of-check to time-of-use (TOCTOU) issue.
-
(FW) The firmware has been restructured to be a Finite State Machine (FSM) with defined states for booting, loading applications, measure applications, calculate the CDI and start the loaded application.
This change also changes the firmware protocol which now accepts a request to load a binary with an optional USS and automatically returns its digest and start the program when the last data chunk is received.
-
(FW) A BLAKE2s hash function present in firmware is now exposed for use by TKey apps (through a function pointer located in MMIO
BLAKE2S
). See software.md for more information. -
(FW) To make warm boot attacks harder, the firmware sleeps for a random number of cycles before reading out the sensitive UDS into FW RAM.
-
The entropy generated by the TRNG has not yet been thoroughly tested, and the generator has not been adjusted to generate good, unbiased randomness. Any application that wants to use the entropy source SHOULD NOT use the output directly, but only as seed to a Digital Random Bit Generator (DRBG), such as Hash_DRBG.
-
The UART is currently running at 38400 bps. Future releases will increase the bitrate when communication at higher bitrates has been verified as stable and error free.
-
The internal clock frequency is currently limited to 12 MHz. Future releases will increase the clock frequency to provide improved performance.
-
The functionality in the firmware is currently not exposed to the applications via a stable name space, API. Future releases will provide access to FW functions such as the BLAKE2s hash function.
-
The timer currently does not include a timeout interrupt. Applications using the timer must check the status in order to detect a timeout event.
-
The timer currently does not provide a set of typical settings. Applications using the timer must set timer and prescaler as needed to get the desired time given the current clock speed.