Version 3.0

This is a major release that brings multiple improvements. Support for OTP for RP2350 and ESP32-S3 MCUs is added, which is used to store the MKEK for further security. It also enables Secure Boot and Secure Lock optionally. It also brings the new Pico Commissioner to initialize and configure the Pico HSM without external tools, just directly through the browser.

New

• Add PICO_PRODUCT.
• Add sdkdefaults for esp32.
• Add error if a non-supported key is attempted to be imported.
• Add management support for YKMAN.
• Add bullseye dockerfile.
• Add support to ESP32.
• Add macro to make checks.
• Add product and mcu to info in rescue mode.
• Add DEV key to OTP.
• Add command to enable secure boot and secure lock via rescue.
• Add function to enable secure boot and secure lock.
• Add macro to parse version file and set pico_binary_version accordingly.
• Add new led module to use colors whenever possible.
• Add partitions to RP2350.
• Add support to RP2350.
• Add sha256_alt to use sha256 hardware in RP2350.
• Add LED compatibility for other boards.
• Add json file to enable Secure Boot in RP2350.
• Add signature and copy_to_ram if supported.
• Add OTP read raw.
• Add parse phy byte string.
• Add OTP read raw.
• Add tinycbor to ESP32 build.
• Add usb.h declarations.
• Add compile flags for optimization build in ESP32.
• Add cmake scripts.

Enhancements

• Upgrade pico keys sdk.
• Upgrade Pico Keys SDK to add support for OTP.
• Upgrade to v3.6.2.
• Upgrade Pico Keys SDK to v7.0.
• Add LED compatibility for other boards.
• Add flags to enable secure boot and secure boot lock via firmware on boot.
• Fix emulation build.
• Improve multicore synchronization.
• Increase vStack depending on the number of interfaces.
• Increase vStack of core0 of ESP32.
• Increase vStack in core1 of ESP32.
• Fix partition 0 boot.
• Upgrade to MbedTLS 3.6.1.
• Specify led driver for each board.
• Merge pull request #5 from benallard/led.
• Add brightness to the LED mode.

Changes

• Update autobuild for local and esp32.
• Fix ESP32 support.
• Fix build.
• Fix TLV when returning the public key in get metadata.
• Fix return error when missing metadata.
• Fix returning error code when no object is found on GET DATA.
• Fix GET METADATA when ref is CARDMGM.
• Remove Secure boot build flags, since they are added to rescue.
• Fix secure otp build for non rp2350.
• No options on secure boot and lock in PHY.
• Fix write offset.
• Free x509 cert on finish.
• Use bullseye for tests.
• WCID interface is always enabled.
• Fix version header.
• Rename CCID_ codes to PICOKEY_.
• Add rescue app to communicate via webUSB.
• Increase number of hosted apps to 8.
• Fix HID report descriptors.
• Fix usb initialization for emulation.
• Fix PHY for led neopixel.
• Fix flash initialization for RP2350.
• Fix vendord usb tx buffer size.
• Fix long writes.
• Fix emulation write offset.
• Fix ccid write with offset.
• Fix emulation build without HID.
• Init low flash in core1 in emulation mode.
• Fix emulation build.
• Fix warnings.
• Fix windows build.
• Major refactor of USB CCID and USB HID interfaces.
• Fix when receiving a packet in the middle of a transmission.
• Fix when a keepalive packet collides with an ongoing transmission.
• select_app now invokes U2F or FIDO depending on the message.
• keepalive should be sent without conditions and without resetting any buffer.
• Fix thread cancel in ESP32.
• Rewritten continuous flow for HID.
• TinyUSB uses interface argument for that driver.
• Add usb.h declarations.
• thread management is now in usb stuff.
• driver_exec_finished_cont_hid() now accepts an itf argument.
• Fix LED blink when ON/OFF.
• Fix ESP32 GPIO led no.
• Fix BOOT press with RP2350.
• Fix USB descriptor in case only HID is enabled.
• Fix emulation build.

Bugfixes

• Fix macos alignment.
• Fix uninitialized var.
• Fix select aid to new callback.
• Fix write offset.
• Fix PHY missing headers.
• Fix uninitialized var.
• Fix secure otp build for non-rp2350.
• Fix maxPower and dwProtocols (recover T=0).
• In Windows, report ID shall start from 1.
• Fix float casting, otherwise, it is always 0.
• Fix ESP32 build with wcid.
• Fix ESP32 build with wcid.
• Fix PHY missing headers.
• Fix version header.
• Fix flash initialization for RP2350.
• Fix secure otp build for non-rp2350.
• Fix emulation build for ESP32.
• Fix uninitialized var.
• Fix write offset.
• Fix build.
• Fix long writes.
• Fix emulation write offset.

Full Changelog: v2.2...v3.0

Version 3.0 EdDSA 1

This release brings EdDSA to version 3.0.

Important: EdDSA cannot work in ESP32, since Espressif uses its own MbedTLS fork.

This is an experimental release. It adds support for EdDSA with Ed25519 and Ed448 curves.

Since EdDSA is not officially approved by MbedTLS, it is considered experimental and in beta stage. Though it is deeply tested, it might contain bugs.

Use with caution.

Full Changelog: v2.2...v3.0-eddsa1

v2.2

Enhancements

• MbedTLS 3.6
• Added PHY for dynamic VID/PID and WCID.
• Pico Keys SDK 6.0
• Extend number of pages

Bug fixes

• Fix potential infinite ASN.1 loop
• Fix EF.DIR selection
• Fix Windows compatibility
• Fix potential overflow
• Fix placeholders for Pico Patcher

What's Changed

• Fix conditional error resetting has_pw1 variable by @imkuang in #17

New Contributors

• @imkuang made their first contribution in #17

Full Changelog: v2.0...v2.2

Version 2.0

This version adds a major feature: PIV support.

With PIV support, your Pico device can be an OpenPGP card and PIV simultaneously.

This release also fixes:

• Fixed #12 when importing large keys.

Full Changelog: v1.12...v2.0

Version 1.12

This version is a maintenance version which includes some bug fixes:

• Upgraded to Pico Keys SDK 5.0.
• Updated dockerfile.
• Fixed Curve25519 key import.
• Fixed DEK initialization for pw3.
• Fixed pw1 test status.

Full Changelog: v1.10...v1.12

Version 1.10

This version includes a test suite taken from Gnuk and ported to Pico 2040. Thanks to it, many bugs have been fixed:

• Upgraded to version 3.4 of HSM SDK.
• Fix importing large keys.
• Fix TERMINATE check.
• Fix signature counter storage.
• Added test suite, ported from Gnuk.
• Fix sex default value.
• Fix return DO data.
• Fix size of some DO.
• Fix public key generation on key import.
• Fix RC CHANGE.
• Added emulation support.
• Fix DEK loading when RC is used (RESET RETRIES).
• Fix signature counter call.
• Fix returning ECDSA response.
• Fix computing public point on key import.
• Fix returning ECDSA response for keys >= 512 bits.
• Fix returning signature in some cases.
• Fix computing length of algorithm attributes.
• Fix algorithm attributes for authentication key.
• Fix length check for ECDH.

Full Changelog: v1.8...v1.10

Version 1.8

This is a maintenance release to fix some bugs:

• Upgraded to Pico SDK 1.4
• Fixed VID/PID patcher.
• Built for new boards.
• Upgraded to Pico HSM SDK v3.0 with lots of enhancements.
• Bugfix when multiple cardPowerOff are sent (#2)

Full Changelog: v1.6...v1.8

Version 1.6

This version contains the following enhancements:

• Added support for key import.
• Added PSO:DECIPHER for RSA and ECDSA.
• Added AES key generation when DEC generation is called.
• Added AES encrypt and decrypt to PSO:DECIPHER and PSO:ENCIPHER.
• Added cardholder certificate support (DO 7F21).
• Added support for GET NEXT DATA INS.
• Added INS F1 to retrieve software version.

Full Changelog: v1.4...v1.6

Version 1.4

This version contains the following enhancements:

• Press-to-confirm button
• User Interaction Flag
• KDF for PIN
• Manage Security Environment
• DEK internal ciphering for safe storage.

Full Changelog: v1.2...v1.4

Version 1.2

This release includes the following enhancements:

• INTERNAL AUTHENTICATE
• Access control (PW1 & PW2) (sect 5)
• Signature counter
• Encrypt keys in flash with DEK
• Life status of PW1
• Bugfixes

Full Changelog: v1.0...v1.2