foss-north 2025
In April, some of us attended the foss-north 2025 conference in Gothenburg. We had a very good time, listened to interesting talks, and met many friends.
While we are working on updating TKey and adding new features, we are also taking the opportunity to update the design and platform of our websites: tillitis.se and bugbounty.tillitis.se. Both sites are now statically generated with Hugo.
As the year draws to a close, it’s natural to reflect on the past 12 months. 2024 marked the second full year of operations for Tillitis, and while it had its challenges, it was also a year of progress and learning.
For the third year in a row, Tillitis sponsors Advent of Code. Advent of Code is an Advent calendar of small programming puzzles for a variety of skill levels that can be solved in any programming language you like. It’s made by Eric Wastl.
Tillitis has always been committed to open source. As we promised earlier, we continue to be committed to open licenses. We originally chose “GPLv2-only” as the license for our Verilog and source code. We are now changing to the more permissive BSD 2-clause license for all Verilog and source code. The hardware (PCB, PCBA) license remains the same: CERN Open Hardware License Version 2 - Strongly Reciprocal.
We will be at sec-t in Stockholm this year, and MC from our development team will speak on the community day about verifying the TKey. MC will explain how, during the end phase of production, we run a device app where the TKey automatically creates a unique identity inspired by TCG DICE, and how we then sign and publish data about this identity. The identity and the signature can be independently verified at any time by a user to help verify that the TKey hasn’t been tampered with.
What is a TRNG, what is its purpose, and how does it work? These are the questions we try to answer in this blog post.
This year, Tillitis is one of the sponsors of Security Fest. Tillitis is a village sponsor, meaning we will be there coding on new functionality for TKey. The village concept also means anyone participating at the conference can join us in the village and code together with us.
A vulnerability has been found in tkey-device-signer and verisigner that makes it possible to disclose portions of the TKey’s data in RAM over the USB interface. To exploit the vulnerability an attacker needs to use a custom client application and to touch the TKey.
On January 15 we received a potential vulnerability report about the TKey firmware through our bug bounty program. The reporter had discovered that code that should erase memory where sensitive data is stored is optimised away by the compiler. We deem the firmware problem a fairly benign bug because no sensitive data is leaked and the memory is erased and hardware protected anyway.
Copyright © 2022 - 2025, Tillitis AB