Nitrokey Start v13.0 - OpenSSH 9.0 support

This release contains:

• The long awaited support for the OpenSSH 9.0 #67.
• Memory management fixes

Notes:

• Update from the previous firmware releases on HW4 might result in non-working LED.
• "Green" branch firmware (an upgrade from RTM.1) is not provided in this release.

Binaries are available in prebuilt/RTM.13/ directory:

• https://github.com/Nitrokey/nitrokey-start-firmware/tree/gnuk1.2-regnual-fix/prebuilt/RTM.13

Update should be as easy as calling:

pipx run pynitrokey start update

See https://docs.nitrokey.com/start/linux/firmware-update for more information.

---

Technical details:

• Rebases to GNUK 1.2.19
• Stack memory increased for the main and openpgp-card tasks

Tested RTM.13-RC3 tag on paths:

• hw3-flashed
• hw3-update-10-to-13.rc3
• hw5-flashed
• hw5-update-12.0-to-13.rc3
• hw5-update-12.1-to-13.rc3
• hw5-update-13-to-13 (just update operation)
• hw5-update-13-to-12.1 - reverting update (just update operation)

The failing test is related to the default state for the OpenPGP compatibility, and does not influence day to day use.

Built in isolated Docker environment with:

• arm-none-eabi-gcc (15:8-2019-q3-1+b1) 8.3.1 20190703 (release) [gcc-8-branch revision 273027]

Current regions/sections usage:

Memory region         Used Size  Region Size  %age Used
          flash0:          4 KB         4 KB    100.00%
           flash:      124944 B       124 KB     98.40%
             ram:       11440 B        20 KB     55.86%

build/gnuk.elf  :
section                   size         addr
.sys                    0x1000    0x8000000
.startup                  0xf0    0x8001000
.text                  0x18ce0    0x80010f0
.textalign                 0x0    0x8019dd0
.stacks                 0x1f90   0x20000000
.data                      0x0   0x20001f90
.bss                     0xd20   0x20001f90
.gnuk_ch_certificate    0x1630    0x8019dd0
.gnuk_flash             0x4400    0x801b400
.gnuk_final               0x10    0x801f800
.debug_info            0x459af          0x0
.debug_abbrev           0x998a          0x0
.debug_loc             0x278ab          0x0
.debug_aranges          0x10c8          0x0
.debug_ranges           0x46d0          0x0
.debug_line            0x19577          0x0
.debug_str              0x4ef9          0x0
.comment                  0x9f          0x0
.ARM.attributes           0x2b          0x0
.debug_frame            0x3950          0x0
Total                  0xc06c6

Nitrokey Start v12.1 - New serial number for HW5

Fixes serial number issue on the GD32-based hardware (HW5) #70

Planned as a maintenance release. There is no need for an update in case of having a single NK Start device.

Update from the previous firmware releases on HW4 might result in non-working LED.
"Green" branch firmware (an upgrade from RTM.1) is not provided in this release.

Binaries available in prebuilt/RTM.12/ directory:

• https://github.com/Nitrokey/nitrokey-start-firmware/tree/gnuk1.2-regnual-fix/prebuilt/RTM.12.1

All tests pass on HW5.

RTM.12.1-RC2 Serial number on HW5

Fixes serial number issue on the GD32-based hardware (HW5) #70

Planned as a maintenance release. There is no need for an update in case of having a single NK Start device.

$ gpg2 --verify RTM.12.1-RC2-0-gbeacc47.zip.sig
gpg: assuming signed data in 'RTM.12.1-RC2-0-gbeacc47.zip'
gpg: Signature made Sat 05 Nov 2022 02:56:39 PM CET
gpg:                using RSA key 868184069239FF65DE0BCD7DD9BAE35991DE5B22
gpg: Good signature from "Szczepan Zalega <szczepan.zalega@gmail.com>" [ultimate]
gpg:                 aka "Szczepan Zalega (Nitrokey) <szczepan@nitrokey.com>" [ultimate]

RTM.12.1-RC1 Serial number on HW5

Fixes serial number issue on the GD32-based hardware (HW5) #70

$ gpg2 --verify RTM.12.1-rc.1-0-g1d8d970.zip.sig 
gpg: assuming signed data in 'RTM.12.1-rc.1-0-g1d8d970.zip'
gpg: Signature made Thu 03 Nov 2022 08:24:53 AM CET
gpg:                using RSA key 868184069239FF65DE0BCD7DD9BAE35991DE5B22
gpg: Good signature from "Szczepan Zalega <szczepan.zalega@gmail.com>" [ultimate]
gpg:                 aka "Szczepan Zalega (Nitrokey) <szczepan@nitrokey.com>" [ultimate]

RTM.13-RC2 OpenSSH 9.0 support

Updates to GNUK 1.2.19. Release candidate mainly to fix OpenSSH support:

• #67

Some behavior can change. MI might not work. Might require newer chopstx implementation. To be tested.
This release should be preferred over RTM.13-RC1 if possible, as long as the expected features work.

$ gpg2 --verify RTM.13-RC2-0-g72825e0.zip.sig 
gpg: assuming signed data in 'RTM.13-RC2-0-g72825e0.zip'
gpg: Signature made Thu 07 Jul 2022 07:23:40 PM CEST
gpg:                using RSA key 868184069239FF65DE0BCD7DD9BAE35991DE5B22
gpg: Good signature from "Szczepan Zalega <szczepan.zalega@gmail.com>" [ultimate]
gpg:                 aka "Szczepan Zalega (Nitrokey) <szczepan@nitrokey.com>" [ultimate]

RTM.13-RC1 OpenSSH 9.0 support

Updates to GNUK 1.2.16. Release candidate mainly to fix OpenSSH support:

• #67

Some behavior can change. MI might not work. To be tested.

Nitrokey Start v12 - Support new hardware - HW5

Add support for the HW5 to the unified firmware.
Maintenance release - no need to update.
Update from the previous firmware releases on HW4 might result in non-working LED.
"Green" branch firmware (an upgrade from RTM.1) is not provided in this release.

Detailed description:

• Update chopstx for the HW5 support (GD32 based).
• Include BOARD_ID in the application config string.
• Allow to get original board name from the SYS page through USB strings.
• Move AES first forward table FT0 to the application page, to make space
  for the additional hardware detection code in the SYS page.
• Add helper for review of the final listing (lss file).
• Add RNG tests helper, and results for the RTM.12 firmware.

Binaries available in prebuilt/RTM.12/ directory:

• https://github.com/Nitrokey/nitrokey-start-firmware/tree/gnuk1.2-regnual-fix/prebuilt/RTM.12

Built in isolated Docker environment with:

• arm-none-eabi-gcc (15:8-2019-q3-1+b1) 8.3.1 20190703 (release) [gcc-8-branch revision 273027]

All tests pass on HW3-5.

Nitrokey Start v11 - Support new hardware

Support new hardware platform HW4.
Maintenance release - no need to update.
Tested:

• both HW3 and HW4 platforms;
• firmware update for the "red" branch.

"Green" branch firmware (an upgrade from RTM.1) is not provided in this release.

Nitrokey Start v10 - Serial number update for MI

This release corrects the serial number (change added in RTM.9) to be the same for the first identity as in previous firmware releases, to avoid breaking current setups: #41 .

Edit 31.07.2020: see the following links for automatic update procedure (support for Windows is in development).

• https://github.com/Nitrokey/pynitrokey#windows
• https://github.com/Nitrokey/pynitrokey#firmware-update-1

---

See previous release for the update procedure.

Reference log using update tool (click)

sz@stumpy:~/work/nitrokey-start-firmware/tool$ ./upgrade_by_passwd.py
Nitrokey Start firmware update tool
System: Linux, is_linux: True
Python: 3.7.7
Saving run log to: upgrade.log
Admin password:
Firmware data to be used:
- FirmwareType.REGNUAL: 4504, hash: ...b'65ac82a1' valid (from ...built/RTM.10/regnual.bin)
- FirmwareType.GNUK: 131072, hash: ...b'f85da8f7' valid (from ...prebuilt/RTM.10/gnuk.bin)
Currently connected device strings:
Device:
    Vendor: Nitrokey
   Product: Nitrokey Start
    Serial: FSIJ-1.2.15-43144852
  Revision: RTM.10
    Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=yes:factory_reset=yes
       Sys: 3.0
Please note:
- Latest firmware available is: RTM.10 (published: 2020-06-04T12:34:14Z),
 provided firmware: None
- All data will be removed from the device
- Do not interrupt the update process, or the device will not run properly
- Whole process should not take more than 1 minute
Do you want to continue? [yes/no]: yes
Entered: "yes"
...
*** Starting bootloader upload procedure
Device:
Configuration: 1
Interface: 0
*** Connected to the device
*** Running update. Do NOT remove the device from the USB slot, until further notice.
Downloading flash upgrade program...
Run flash upgrade program...
Waiting for device to appear:
  Wait 20 seconds....

Downloading the program
Protecting device
Finish flashing
Resetting device
Update procedure finished. Device could be removed from USB slot.

Currently connected device strings (after upgrade):

Device:
    Vendor: Nitrokey
   Product: Nitrokey Start
    Serial: FSIJ-1.2.15-43144852
  Revision: RTM.10
    Config: NITROKEY_START:dfu=no:debug=no:pinpad=no:certdo=yes:factory_reset=yes
       Sys: 3.0
Log saved to: upgrade.log

Nitrokey Start v9 - Multiple identities feature

Multiple identities support #33 - can be handled with tool/set_identity.py.
Fixed buffer over-read on certificate read attempt #38.

See previous release for the update procedure.