Releases: polhenarejos/pico-openpgp

Nightly

27 Dec 01:16
2a14c77

Pre-release

This is a nightly automatic build.

Version 4.0

05 Dec 19:57
v4.0
90e77f7

This is a major release that adds support for the PicoKey App and the new RP2354 MCU, enhances the rescue interface, and fixes bugs.

New

  • Add reboot bootsel command
  • Add read secure boot status
  • Add support for reading memory status
  • Add support for PHY read
  • Add support for RP2354
  • Add autobuild for RP2350
  • Add compatibility for non-pico boards
  • Add dummy LED driver for unsupported boards
  • Add support for LED driver in PHY
  • Add set of secure functions to derive keys using OTP + pico_serial
  • Add pico_serial_hash (unique 32-byte source)
  • Add OTP chaff to mitigate PVC attacks
  • Add hash functions using OTP as feed
  • Add app_exists() to validate AID loading
  • Add support for EdDSA/Ed448
  • Add card personalize v2 tests
  • Add template for pull requests

Enhancements

  • Upgrade to mbedtls v3.6.5
  • Upgrade to Pico SDK 2.2
  • Upgrade tinycbor to 0.6.1
  • Use max frequency on ESP32
  • Flash size obtained dynamically at runtime
  • Major OTP security improvements
  • Improve touch policy handling
  • Improve VendorConfig support
  • Improve NK compatibility
  • Update license model (dual licensing)
  • Move PRODUCT definition to dedicated file
  • Rename scan_files → scan_files_openpgp
  • Rename commands for clarity (cmd_version_openpgp, wait_button_pressed_fid)
  • Update README and add Pico Fido link

Bug Fixes

  • Fix AID selection (supports shorter matches)
  • Fix startup test script
  • Fix cross-build issues
  • Fix PIV default keys indication
  • Fix touch policy on management key change (#38)
  • Fix data checks
  • Fix reset retry when OTP enabled
  • Fix change PIN with no previous PIN (#32)
  • Fix key generation on RP2040
  • Fix bug in FIDO+OpenPGP+CCID combined usage
  • Fix VID/PID PHY read
  • Fix OTP alignment programming
  • Fix phy_data idVendor/idProduct missing
  • Fix conditional build for non-pico platforms
  • Fix HID processing only for CTAP_HID
  • Fix descriptor description with disabled interfaces
  • Fix uint16 endianness affecting chained RAPDUs
  • Fix crash on unaligned 16-bit response buffers
  • Fix silent authentication with resident keys
  • Fix APDU crash with CBOR
  • Fix build for rp2350
  • Fix interface descriptor when HID disabled (#95)
  • Fix ESP32 build regressions
  • Fix change in debug messages / remove debug
  • Fix conditional interfaces logic
  • Fix silent authentication with new resident key system
  • Fix missing header / missing files
  • Fixed MSOS/BOS descriptor
  • Fixed GET_DATA response depending on the client (GnuPG or ykman)

Changed

  • Relicense to AGPLv3 + add Enterprise/Commercial license
  • Do not use secboot in PHY
  • Revert card personalize v2 tests (then re-added)
  • Remove workaround for packet multiples of 64 bytes
  • Merge remote-tracking branches
  • Update license model
  • Update scan file naming

Full Changelog: v3.6...v4.0

Version 4.0 EdDSA 1

03 Dec 19:29
v4.0-eddsa1
504d90a

Pre-release

This release brings EdDSA to version 4.0.

Important: EdDSA cannot work on ESP32, since Espressif uses its own MbedTLS fork.

This is an experimental release. It adds support for EdDSA with Ed25519 and Ed448 curves.

Since EdDSA is not officially approved by MbedTLS, it is considered experimental and in the beta stage. Although it has been extensively tested, it might contain bugs.

Use with caution.

Version 3.6

10 Apr 20:32
v3.6
d5a0d85

This release introduces extensive improvements in USB interface management, PHY flexibility, EdDSA support, and LED handling. It also updates key dependencies and stabilizes the build system across platforms.

New

  • Define MCU for emulation builds.
  • USB descriptors are now created dynamically.
  • Each USB interface can be independently enabled based on PHY parameters.
  • Added PHY option to enable specific curves (managed from the application side).
  • Added get led mode command.
  • Added support for slot selection.
  • Added Git auto-pull when switching branches.
  • Added EdDSA support as a conditional build.
  • Build and sign release firmware.
  • Upgrade to Pico Keys SDK.

Enhancements

  • Restore LED mode after button press.
  • Use TLV format for PHY serialization and unserialization.
  • Always build CCID if defined.
  • Pin only to core in ESP32-S3 for multicore optimization.
  • Build EdDSA tests and cyw43 driver for RP2350.
  • Upgrade TinyUSB for ESP32.
  • Upgrade mbedTLS to v3.6.3.
  • Update build script to automate EdDSA builds.
  • Fix build name and EdDSA output folder handling.

Bug Fixes

  • Fix ne parameter when using secure messaging.
  • Fix ESP32 dynamic USB interfaces.
  • Fix emulation build compatibility.
  • Fix ESP32 build.
  • Fix LED driver build for Pimoroni boards.
  • Fix LED behavior for ESP32 and ESP32-S3.
  • Fix autobuild process.
  • Fix cyw43 build issues.

Full Changelog: v3.4...v3.6

Version 3.6 EdDSA 1

10 Apr 20:53
d5a0d85

Pre-release

This release brings EdDSA to version 3.6.

Important: EdDSA cannot work on ESP32, since Espressif uses its own MbedTLS fork.

This is an experimental release. It adds support for EdDSA with Ed25519 and Ed448 curves.

Since EdDSA is not officially approved by MbedTLS, it is considered experimental and in the beta stage. Although it has been extensively tested, it might contain bugs.

Use with caution.

Version 3.4

19 Feb 21:17
v3.4
7aefacd

This release brings some enhancements and bugfixes.

New

  • Added an option to keep LED steady.
  • Added support for ESP32-S2.
  • Added fastest clock (200 MHz) for RP2040.
  • Added support for the following boards: sparkfun_iotnode_lorawan_rp2350, waveshare_pico_cam_a, waveshare_rp2040_ble, waveshare_rp2040_eth, waveshare_rp2040_geek, waveshare_rp2040_matrix, waveshare_rp2040_pizero, waveshare_rp2040_power_management_hat_b, waveshare_rp2040_tiny, waveshare_rp2040_touch_lcd_1.28, waveshare_rp2350_eth, waveshare_rp2350_geek, waveshare_rp2350_lcd_0.96, waveshare_rp2350_lcd_1.28, waveshare_rp2350_one, waveshare_rp2350_plus_4mb, waveshare_rp2350_plus_16mb, waveshare_rp2350_tiny, waveshare_rp2350_touch_lcd_1.28, waveshare_rp2350_zero

Enhancements

  • LED blink limits.
  • LED driver is taken on build.
  • Upgrade to Pico SDK 2.1.1.

Bug Fixes

  • Fix multiple CCID displayed interfaces in older PCSC versions and Linux.
  • Fix USB keyboard descriptor in Windows.
  • Fix potential stack overflow on serializing PHY.

Full Changelog: v3.2...v3.4

Version 3.4 EdDSA 1

19 Feb 20:55
v3.4-eddsa1
34c35ed

Pre-release

This release brings EdDSA to version 3.4.

Important: EdDSA cannot work on ESP32, since Espressif uses its own MbedTLS fork.

This is an experimental release. It adds support for EdDSA with Ed25519 and Ed448 curves.

Since EdDSA is not officially approved by MbedTLS, it is considered experimental and in the beta stage. Although it has been extensively tested, it might contain bugs.

Use with caution.

Version 3.2

15 Jan 10:44
v3.2
1015d2f

This is a maintenance release.

New

  • Added support for rollback versions in boards with RP2350 MCU.
  • Added nightly builds.
  • Added support for SET_DATA_RET_AND_CLOCK CCID command.
  • Added support for variable timeout push button press.
  • Added support for variable USB product name.
  • Added flash memory statistics.

Enhancements

  • Increased ESP32 stack size.
  • Added support for TinyUSB 0.17 in ESP32 boards.
  • Packed structures for less footprint.
  • Set ESP32 stack size depending on the number of enabled interfaces.
  • Update CCID descriptor to reflect the max USB packet size.
  • Reduce data partition to 2K starting at the half of the flash.
  • Compute flash memory bounds depending on the partition if available.

Bug fixes

  • Fix change PIN in RP2350.
  • Fix build for Pico SDK 2.1.0.
  • Use customizable LED PIO number in WS2812, Pico and Cyw43 LEDs.

Full Changelog: v3.0...v3.2

Version 3.2 EdDSA 1

15 Jan 11:02
7050e6b

Pre-release

This release brings EdDSA to version 3.2.

Important: EdDSA cannot work on ESP32, since Espressif uses its own MbedTLS fork.

This is an experimental release. It adds support for EdDSA with Ed25519 and Ed448 curves.

Since EdDSA is not officially approved by MbedTLS, it is considered experimental and in the beta stage. Although it has been extensively tested, it might contain bugs.

Use with caution.

Full Changelog: v3.0-eddsa1...v3.2-eddsa1

Version 3.0

10 Nov 20:30
v3.0
4971a22

This is a major release that brings multiple improvements. It adds OTP support for RP2350 and ESP32-S3 MCUs, which is used to store the MKEK for further security, and it optionally enables Secure Boot and Secure Lock. It also brings the new Pico Commissioner to initialize and configure the Pico HSM without external tools, directly through the browser.

New

  • Add PICO_PRODUCT.
  • Add sdkdefaults for esp32.
  • Add error if a non-supported key is attempted to be imported.
  • Add management support for YKMAN.
  • Add bullseye dockerfile.
  • Add support to ESP32.
  • Add macro to make checks.
  • Add product and mcu to info in rescue mode.
  • Add DEV key to OTP.
  • Add command to enable secure boot and secure lock via rescue.
  • Add function to enable secure boot and secure lock.
  • Add macro to parse version file and set pico_binary_version accordingly.
  • Add new led module to use colors whenever possible.
  • Add partitions to RP2350.
  • Add support to RP2350.
  • Add sha256_alt to use sha256 hardware in RP2350.
  • Add LED compatibility for other boards.
  • Add json file to enable Secure Boot in RP2350.
  • Add signature and copy_to_ram if supported.
  • Add OTP read raw.
  • Add parse phy byte string.
  • Add tinycbor to ESP32 build.
  • Add usb.h declarations.
  • Add compile flags for optimization build in ESP32.
  • Add cmake scripts.

Enhancements

  • Upgrade pico keys sdk.
  • Upgrade Pico Keys SDK to add support for OTP.
  • Upgrade to v3.6.2.
  • Upgrade Pico Keys SDK to v7.0.
  • Add LED compatibility for other boards.
  • Add flags to enable secure boot and secure boot lock via firmware on boot.
  • Fix emulation build.
  • Improve multicore synchronization.
  • Increase vStack depending on the number of interfaces.
  • Increase vStack of core0 of ESP32.
  • Increase vStack in core1 of ESP32.
  • Fix partition 0 boot.
  • Upgrade to MbedTLS 3.6.1.
  • Specify led driver for each board.
  • Merge pull request #5 from benallard/led.
  • Add brightness to the LED mode.

Changes

  • Update autobuild for local and esp32.
  • Fix ESP32 support.
  • Fix build.
  • Fix TLV when returning the public key in get metadata.
  • Fix return error when missing metadata.
  • Fix returning error code when no object is found on GET DATA.
  • Fix GET METADATA when ref is CARDMGM.
  • Remove Secure boot build flags, since they are added to rescue.
  • Fix secure otp build for non rp2350.
  • No options on secure boot and lock in PHY.
  • Fix write offset.
  • Free x509 cert on finish.
  • Use bullseye for tests.
  • WCID interface is always enabled.
  • Fix version header.
  • Rename CCID_ codes to PICOKEY_.
  • Add rescue app to communicate via webUSB.
  • Increase number of hosted apps to 8.
  • Fix HID report descriptors.
  • Fix usb initialization for emulation.
  • Fix PHY for led neopixel.
  • Fix flash initialization for RP2350.
  • Fix vendord usb tx buffer size.
  • Fix long writes.
  • Fix emulation write offset.
  • Fix ccid write with offset.
  • Fix emulation build without HID.
  • Init low flash in core1 in emulation mode.
  • Fix emulation build.
  • Fix warnings.
  • Fix windows build.
  • Major refactor of USB CCID and USB HID interfaces.
  • Fix when receiving a packet in the middle of a transmission.
  • Fix when a keepalive packet collides with an ongoing transmission.
  • select_app now invokes U2F or FIDO depending on the message.
  • keepalive should be sent without conditions and without resetting any buffer.
  • Fix thread cancel in ESP32.
  • Rewritten continuous flow for HID.
  • TinyUSB uses interface argument for that driver.
  • Add usb.h declarations.
  • thread management is now in usb stuff.
  • driver_exec_finished_cont_hid() now accepts an itf argument.
  • Fix LED blink when ON/OFF.
  • Fix ESP32 GPIO led no.
  • Fix BOOT press with RP2350.
  • Fix USB descriptor in case only HID is enabled.

Bugfixes

  • Fix macos alignment.
  • Fix uninitialized var.
  • Fix select aid to new callback.
  • Fix write offset.
  • Fix PHY missing headers.
  • Fix secure otp build for non-rp2350.
  • Fix maxPower and dwProtocols (recover T=0).
  • In Windows, report ID shall start from 1.
  • Fix float casting, otherwise, it is always 0.
  • Fix ESP32 build with wcid.
  • Fix version header.
  • Fix flash initialization for RP2350.
  • Fix emulation build for ESP32.
  • Fix build.
  • Fix long writes.
  • Fix emulation write offset.

Full Changelog: v2.2...v3.0