Update readme & usage.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
Pol Henarejos 2025-12-13 23:36:43 +01:00
parent 9dbd764c8c
commit 710eb70af7
No known key found for this signature in database
GPG key ID: C0095B7870A4CCD3
2 changed files with 4 additions and 10 deletions


@ -162,10 +162,10 @@ Secure Lock restricts the device to the manufacturers firmware only, locking
Pico HSM also supports ESP32-S3 boards, which add secure storage, flash encryption and secure boot. Pico HSM also supports ESP32-S3 boards, which add secure storage, flash encryption and secure boot.
### > Dynamic VID/PID ### > Dynamic VID/PID
Supports setting VID & PID on-the-fly. Use `pico-hsm-tool.py` or [Pico Commissioner](https://www.picokeys.com/pico-commissioner/ "Pico Commissioner") for specify VID/PID values and reboot the device. Supports setting VID & PID on-the-fly. U
### > Rescue Pico HSM Tool and Commissioner ### > Rescue Pico HSM Tool and Commissioner
Pico HSM Tool implements a new CCID stack to rescue the Pico HSM in case it has wrong VID/PID values and it is not recognized by the OS. It can be accessed through `pico-hsm-tool.py` or [Pico Commissioner](https://www.picokeys.com/pico-commissioner/ "Pico Commissioner"). Pico HSM Tool implements a new CCID stack to rescue the Pico HSM in case it has wrong VID/PID values and it is not recognized by the OS.
## Security considerations ## Security considerations
All secret keys (both asymmetric and symmetric) are encrypted and stored in the flash memory. The MKEK, a 256-bit AES key, is used to protect these private and secret keys. Keys are held in RAM only during signature and decryption operations, and are loaded and cleared each time to avoid potential security vulnerabilities. All secret keys (both asymmetric and symmetric) are encrypted and stored in the flash memory. The MKEK, a 256-bit AES key, is used to protect these private and secret keys. Keys are held in RAM only during signature and decryption operations, and are loaded and cleared each time to avoid potential security vulnerabilities.
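Review bot: the Rescue section's new text stops after "not recognized by the OS" and no longer says how the rescue CCID stack is reached; if `pico-hsm-tool.py` is being dropped in favour of another tool, name the replacement here, otherwise a user with a wrong VID/PID has no documented entry point. The replacement sentence for Dynamic VID/PID is not visible in full in this view, so confirm it still tells the reader which tool sets the VID/PID and that a reboot is needed. Minor: the context line "the manufacturers firmware" wants an apostrophe ("manufacturer's").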
@ -345,12 +345,6 @@ Communication with the Pico HSM follows the same protocols and methods used with
For advanced usage scenarios, refer to the documentation and examples provided. Additionally, the Pico HSM supports the SCS3 tool for more sophisticated operations and includes features like multiple key domains. For detailed information on SCS3 usage, refer to [SCS3 documentation](/doc/scs3.md). For advanced usage scenarios, refer to the documentation and examples provided. Additionally, the Pico HSM supports the SCS3 tool for more sophisticated operations and includes features like multiple key domains. For detailed information on SCS3 usage, refer to [SCS3 documentation](/doc/scs3.md).
### Important
OpenSC relies on PCSC driver, which reads a list (`Info.plist`) that contains a pair of VID/PID of supported readers. In order to be detectable, you have several options:
- Use `pico-hsm-tool.py` to modify VID/PID on-the-fly.
- Use the pure-browser online [Pico Commissioner](https://www.picokeys.com/pico-commissioner/ "Pico Commissioner") that commissions the Pico Key on-the-fly without external tools.
- Build and configure the project with the proper VID/PID with `USB_VID` and `USB_PID` parameters in `CMake` (see [Build section](#build "Build section")). Note that you cannot distribute the patched/compiled binary if you do not own the VID/PID or have an explicit authorization.
## License and Commercial Use ## License and Commercial Use
This project is available under two editions: This project is available under two editions:
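Review bot: removing the "### Important" block drops the only explanation of why the device can go unrecognized (the PC/SC driver's `Info.plist` VID/PID list) together with the caveat that a binary built with `USB_VID`/`USB_PID` values you do not own must not be redistributed. Nothing in this hunk replaces either point; if that guidance now lives in the Dynamic VID/PID section, link to it from the usage text here, and if not, keep at least the `Info.plist` sentence and the redistribution caveat.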


@ -28,9 +28,9 @@ PIN=648219
[^1]: `openssl version -a` will return the `OPENSSLDIR`, which contains `openssl.cnf` file and `ENGINESDIR`, which contains the p11 engine. [^1]: `openssl version -a` will return the `OPENSSLDIR`, which contains `openssl.cnf` file and `ENGINESDIR`, which contains the p11 engine.
## Initialization ## Initialization
The first step is to initialize the HSM. To do so, use the `pico-hsm-tool.py` in `tools` folder: The first step is to initialize the HSM. To do so, use:
``` ```
$ python3 tools/pico-hsm-tool.py --pin 648219 initialize --so-pin 57621880 $ sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219
``` ```
The PIN number is used to manage all private keys in the device. It supports three attemps. After the third PIN failure, it gets blocked. The PIN number is used to manage all private keys in the device. It supports three attemps. After the third PIN failure, it gets blocked.
The PIN accepts from 6 to 16 characters. The PIN accepts from 6 to 16 characters.
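Review bot: the SO-PIN in the example changes from `57621880` to `3537363231383830` with no explanation; the new value is the hex encoding of the ASCII bytes of the old one (0x35 '5', 0x37 '7', 0x36 '6', 0x32 '2', 0x31 '1', 0x38 '8', 0x38 '8', 0x30 '0'), so say that `sc-hsm-tool --so-pin` takes the SO-PIN as 16 hex digits and how the two forms relate, otherwise readers who remember the old instructions will set a different SO-PIN than they think. The new command also drops the "in `tools` folder" hint, and `sc-hsm-tool` is not the project's own script, so state where it comes from or which prerequisite installs it. The context line "It supports three attemps" has a typo ("attempts") worth fixing while in this file.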