This newsletter is also published on our blog:
https://www.tillitis.se/blog/2025/12/23/newsletter-december-2025/
Usually at this time of year we look back and summarize what has
happened during the year. We will do the same this year and also start
a new tradition by publishing a newsletter. The idea is to have more
frequent updates on what is happening at Tillitis by writing a
newsletter 3-4 times per year. The newsletter will be published on our
blog and sent out on the mailing list, Tillitis announce (https://lists.tillitis.se).
Let's start!
## Where we went 2025
Some of the conferences we attended this year are (in chronological
order): FOSDEM (https://archive.fosdem.org/2025/), a booth at
Elektronikmässan (https://www.elektronikmassan.se/en/),
foss-north (https://foss-north.se/),
SecurityFest (https://securityfest.com) and Transparency Dev Summit
2025 (https://transparency.dev/summit2025/).
It's worth mentioning a bit more about Transparency Dev Summit. The
summit is a conference about transparency logging and its different
applications. We showed a prototype of a Tillitis Hardware Security
Module (HSM) that can be used in transparency logging and witnessing.
It's early yet, but stay tuned for more about this.
As preparation for Transparency Dev Summit 2025 we spent some time
working on Glasklar teknik's (https://glasklarteknik.se/) Sigsum
transparency log (https://sigsum.org/). We now have a Sigsum
witness (https://github.com/tillitis/tillitis.se-tillitis-witness-1/blob/main/about.…)
in production. Let us know if you'd like our witness to cosign your
log.
## Development
Our main focus has been on developing the next generation of the TKey
platform, codename Castor, and developing a FIDO2 device app.
### Castor platform and FIDO2
Castor is compatible with the Bellatrix hardware, so if you have a
TKey Unlocked or buy one now you can try out Castor without buying a
new TKey. We tagged an alpha
version (https://github.com/tillitis/tillitis-key1/releases/tag/TK1-Castor-alpha-3)
back in June. Head over to GitHub and read the release
note (https://github.com/tillitis/tillitis-key1/blob/TK1-Castor-alpha-3/doc/relea…)
and how to use a TKey Unlocked for testing the alpha version.
The new Castor platform will feature the following updates:
- App on flash, with a FIDO2 app pre-loaded[^1].
- App storage per app, isolated per app and identity (CDI)[^2].
- System calls for e.g. reading from and writing to flash.
- Faster client communication.
- More USB endpoints: HID, CCID, separate debug output endpoint, as
well as the old CDC.
- Hardware reset support.
- Firmware support for chaining apps and forwarding data between apps.
- Firmware support for verified boot.
[^1]: pre-loaded means two things: 1) the app is programmed in flash
at provisioning by Tillitis and 2) FIDO2 starts automatically with
no need for a supporting client app. With the reset feature, other
apps will be able to reset TKey to load their desired device app.
[^2]: the same device app used with a different USS will create a
different identity and get its own storage area.
We made a FIDO2 demo app (https://github.com/tillitis/fido2-demo)
which runs on the Castor alpha
release (https://github.com/tillitis/tillitis-key1/releases/tag/TK1-Castor-alpha-1).
We showcased this at SecurityFest (https://securityfest.com) in June.
Current work is focused on finalizing the
firmware (https://github.com/tillitis/tillitis-key1/),
boot-verifier (https://github.com/tillitis/tkey-boot-verifier),
tkey-mgt (https://github.com/tillitis/tkey-boot-verifier) and FIDO2
As ever, we welcome reviews, discussion and feedback.
## Sigsum
Sigsum has been created by our friends at Glasklar
teknik (https://glasklarteknik.se/) to be a very simple transparency
log of signed checksums, meaning you can log digests of arbitrary
data.
We took a break for a while on our Castor and FIDO2 work to focus on
learning about and using the Sigsum transparency
log (https://sigsum.org/) before attending the transparency.dev
summit 2025 (https://transparency.dev/summit2025/) in October.
The first thing we did was to try to set up a witness, and we
documented the work in the form of a
guide (https://www.tillitis.se/guide-tkey-sigsum-lab-witness-howto/).
As mentioned above (#where-we-went-2025), we then set up a
production witness.
We will also use Sigsum ourselves going forward. One way we will use
it is with Castor by adding Sigsum support to
tkey-verification (https://github.com/tillitis/tkey-verification).
tkey-verification contains our tools to verify that a TKey has the
same identity when testing as it did when Tillitis provisioned it.
## Trivia
Ending with some trivia.
During the year we closed 124 issues and 177 PRs (134 were merged).
180 issues were opened during the year, 15 from external users. 171
PRs were opened, 18 from external users.
Until next time...