At Tillitis, we don’t just develop a security key; we are creating an open source security key with the collaboration and feedback of the open source community, for the open source community.
Thus, it’s great to announce that we sponsor and attend this year's Open Source Firmware Conference, OSFC (https://osfc.io), in Sunnyvale, California.
We will present an update on where we stand, compared to our presentation last year at OSFC. We will also hold a workshop on how to develop with and for TKey. Check out the schedule at https://www.osfc.io/2023/schedule/
Going to OSFC this year from Tillitis are Michael Cardell Widerkrantz, Daniel Hansson, Fredrik Strömberg and Sasko Simonovski.
We look forward to meeting you all there!
The Tillitis team
Posted at https://tillitis.se/2023/09/12/tillitis-are-proud-sponsors-of-osfc-2023/
Today we’re announcing two new products
– TKey Unlocked
– TKey Programmer
What are they?
Tkey Unlocked is a non-provisioned TKey (https://tillitis.se/tkey) for advanced users that want to provision their TKeys themselves, experiment with new hardware designs, or change the bootloader firmware.
Tkey Programmer is a circuit board designed to aid the provisioning and programming process of TKey Unlocked.
Whom are they for?
– High-security organisations or individuals that do not want to trust Tillitis in the provisioning of the device
– Hardware designers who want to expand or replace our FPGA design
– Software developers who want to change or replace our bootloader firmware
Note: You do not need a TKey Unlocked if you want to develop TKey apps. You can do that just fine with a regular TKey.
What are the main features of Tkey Unlocked?
– Choose your own Unique Device Secret (UDS), the base secret of measurements and key material (read more in this tech post)
– Choose your own Unique Device Identifier (UDI), the serial number
– Empty FPGA (except for production test design in SPI flash)
– Full control of the firmware running on the TKey
– Experiment with the full capacity of the Lattice ICE40 UltraPlus
Get started with TKey Unlocked
To get started, you need a TKey Unlocked, but remember that you also need a TKey Programmer. Then you just follow our instructions in the Tillitis Developer Handbook, https://dev.tillitis.se. You can choose to either “lockdown” the device by programming the FPGA’s NVCM, or you can test your design and/or firmware by programming the SPI flash again and again.
Be aware that you only have one chance to program the NVCM; whatever you write is what you will live with.
Tkey Unlocked is available in our webshop, https://shop.tillitis.se.
The Homebrew package for tkey-ssh-agent has been updated to include:
- man page, i.e., man tkey-ssh-agent
- default to promt for the USS input (User Supplied Secret)
Since this is only an update to the service, and not the tkey-ssh-agent program, this won’t be flagged as an update in Brew; hence, you need to reinstall the tkey-ssh-agent manually.
Note this poses no changes to the software running on the TKey. As such, it will not change the derived private/public keys used for SSH Public Key Authentication, unless you enter a USS in the dialogue when prompted.
Instructions to reinstall
Run these commands to reinstall the agent and restart the service.
$ brew reinstall tkey-ssh-agent
$ brew services restart tkey-ssh-agent
Test the installation
To test and ensure the installation is correct, simply run a regular SSH command that requires authentication from your TKey, remembering to re-insert your TKey if it already has an application loaded (the LED should be steady white). You should then be prompted to input your USS – just press enter to continue without a USS, i.e. with the same keys as before the reinstall.
You can also read the man page using the command:
$ man tkey-ssh-agent
Start using the USS
Using the USS is recommended for increased security, as your SSH keys will be protected by both something you have (the TKey) and something you know (the USS).
If you start to use the USS, you will need to update your public key at the locations you desire to authenticate. Find the instructions at: https://tillitis.se/app/tkey-ssh-agent/
Blog post: https://www.tillitis.se/2023/08/23/homebrew-tkey-ssh-agent-update/
Tillitis is expanding its reseller network.
Besides selling via our own web shop (https://shop.tillitis.se), we actively seek cooperation with resellers around the world to simplify and make it easier for individuals to buy TKey locally. This will shorten shipping time (vs e.g. export deliveries directly from us) and also lower shipping cost for customers.
Currently we have resellers in Denmark, Finland, Germany, Norway, Sweden and USA.
Read more and find direct links to the online stores at https://www.tillitis.se/resellers/
For anyone interested in reselling our products, please drop a mail to hello(a)tillits.se
Please note that the TKey currently for sale in the web shop is a
provisioned and locked-down version meant for end-users. It's
immediately ready for use.
This means you can't change the bitstream or even read out the bitstream
(or the Unique Device Secret, UDS) from the TKey FPGA configuration
memory even if you break the case and insert it into a programmer board.
We have updated the text on the web shop and will immediately update
other documentation to reflect this.
Even if you can't read out the bitstream from the FPGA you can verify
the TKey you got through the mail with the tkey-verification program
which we point to in:
https://tillitis.se/getstarted/
On Github:
https://github.com/tillitis/tkey-verification
This won't verify the bitstream itself but it will verify that the
computed CDI is the same as when we provisioned it (thus proving the
presence of the same UDS in the bitstream) and that the firmware is
unchanged.
--
Michael "MC" Cardell Widerkrantz
https://tillitis.se/
We are pleased to announce the revised Tillitis TKey SSH Agent.
The revised agent:
- runs as a daemon all the time (as systemd user unit, if you want).
- autodetects TKey removal and insertion with the help of udev rules
(or just send it a SIGHUP yourself to make it look for a TKey
again).
- spawns a graphical pinentry program to enter the User-Supplied
Secret.
The first iteration of this revision of the SSH agent is focused on
Linux distributions and has an install target geared at Linux
distributions with systemd and an Ubuntu/Debian package available.
The agent is available on Github at:
https://github.com/tillitis/tillitis-key1-apps
and as a release with a Ubuntu/Debian package here:
https://github.com/tillitis/tillitis-key1-apps/releases/tag/v0.0.1
The package has so far only been tested on Ubuntu 20.10 (Kinetic Kudu)
and Debian Sid.
See the man page tkey-ssh-agent(1) for usage.
Happy hacking,
MC.
--
Michael "MC" Cardell Widerkrantz
https://tillitis.se/
