USB armory Mk II

by F-Secure Foundry

A tiny, open source USB computer for security applications

$88,300 raised

of $20,000 goal

441% Funded! Order Below

Product Choices

$149

USB armory Mk II w/ Enclosure

A tiny, open source USB computer in an injection-molded enclosure.


$35

Mk II Debug Board

This board breaks out Mk II UART, SPI, I²C, and GPIO connections to/from its application processor.


$30

32 GB microSD Card w/ Debian Image

A 32 GB microSD card pre-imaged with Debian. USB armory Mk II has a built-in flash, which is unprovisioned by default, so a microSD is not strictly necessary for booting an OS.

Details

Recent Updates


As Featured In

Hackster News

"Can be used... as a Tor Bridge, VPN router, Hardware Security Module (HSM), OpenSSH client and agent for untrusted hosts, portable penetration testing platform, automatically encrypted mass storage device, password manager, digital wallet..."

LinuxGizmos.com

"The device can be operated as a standalone SBC or as a security peripheral." to a connected computer."

Hackaday

Hackaday

"The Mk II promises to be the last word in secure mobile computing."

seguridadprofesionalhoy

"Este nuevo ordenador USB de código abierto para aplicaciones de seguridad denominado USB armory Mk II tiene un formato diminuto y requiere una mínima personalización para su uso profesional."

(Important note for backers outside the US)

A security-minded USB-C stick computer that runs Linux

The USB armory Mk II is a full featured computer (900 MHz ARM® processor, 512 MB RAM, Bluetooth, USB-C) in a tiny form-factor, designed from the ground up with information security applications in mind.

Hardware

  • SoC: NXP i.MX6ULZ ARM® Cortex™-A7 900 MHz
  • RAM: 512 MB DDR3
  • Storage: internal 16 GB eMMC + external microSD
  • Bluetooth module: u-blox ANNA-B112 BLE
  • USB-C ports: DRP (Dual Role Power) receptacle + UFP (Upstream Facing Port) plug, USB 2.0 only (no video support)
  • LEDs: two
  • Slide switch: for boot mode selection between eMMC and microSD
  • External security elements: Microchip ATECC608A + NXP A71CH
  • Physical size: 66 mm x 19 mm x 8 mm (without enclosure, including USB-C connector)
  • Enclosure: included with all units for device protection

Software

The USB armory Mk II hardware is supported by standard software environments and requires very little customization. In fact, vanilla Linux kernels and standard distributions run seamlessly on the tiny board:

Connectivity

  • USB 2.0 over USB-C plug to host with full device emulation
  • USB 2.0 over USB-C receptacle for the additional devices or as a connection to host
  • Full TCP/IP connection to/from USB armory via USB CDC Ethernet emulation
  • Flash drive functionality via USB mass storage device emulation
  • Serial communication over USB or physical UART using the Debug Board
  • Wireless connectivity over BLE

Note: only the USB 2.0 protocol is supported over both USB-C ports, therefore it should be emphasized that HDMI video over USB-C is not supported.

Applications

The following example security application ideas illustrate the flexibility of the USB armory Mk II concept:

  • Mass storage device with advanced features such as automatic encryption, virus scanning, host authentication, and data self-destruct
  • Hardware Security Module (HSM)
  • OpenSSH client and agent for untrusted hosts (e.g., Internet kiosks)
  • Router for end-to-end VPN tunnelling
  • Tor bridge
  • Password manager with integrated web server
  • Electronic wallet
  • Authentication token
  • Portable penetration testing platform
  • Low-level USB security testing

Security Features

High Assurance Boot (HABv4)

The HAB feature enables on-chip internal Boot ROM authentication of the initial bootloader (i.e., Secure Boot) with a digital signature, establishing the first trust anchor for code authentication. See Secure Boot) for more information and usage instructions.

True Random Number Generator (TRNG)

The RNGB driver is included and operational in modern Linux kernels. Once loaded, it enables the component within the Linux hw_random framework.

Data Co-Processor (DCP)

From the i.MX6ULZ datasheet:

This module provides support for general encryption and hashing functions typically used for security functions.

The DCP module driver is included and operational in modern Linux kernels. Once loaded, it exposes its algorithms through the Crypto API interface.

Secure Non-Volatile Storage (SNVS)

From the i.MX6ULZ datasheet:

Secure Non-Volatile Storage, including Secure Real Time Clock, Security State Machine, Master Key Control, and Violation/Tamper Detection and reporting.

A device-specific random 256-bit OTPMK key is fused in each SoC at manufacturing time. This key is unreadable and can only be used by the DCP for AES encryption/decryption of user data, through the Secure Non-Volatile Storage (SNVS) companion block.

ARM® TrustZone®

The i.MX6 SoC family features an ARM® TrustZone® implementation in its CPU core and internal peripherals. From the ARM® website:

At the heart of the TrustZone® approach is the concept of secure and non-secure worlds that are hardware separated, with non-secure software blocked from accessing secure resources directly. Within the processor, software either resides in the secure world or the non-secure world; a switch between these two worlds is accomplished via software referred to as the secure monitor.

This concept of secure (trusted) and non-secure (non-trusted) worlds extends beyond the processor to encompass memory, software, bus transactions, interrupts, and peripherals within an SoC.

External cryptographic co-processors (ATECC & A71CH)

The Microchip ATECC608A and NXP AT71CH feature hardware acceleration for elliptic-curve cryptography, as well as hardware-based key storage. The ATECC608A also features symmetric AES-128-GCM encryption. Both components provide high-endurance monotonic counters, useful for external verification of firmware downgrade/rollback attacks. Both components communicate on the I²C bus and feature authenticated and encrypted sessions for host communication.

eMMC Replay Protected Memory Blocks (RPMB)

The eMMC RPMB features replay-protected authenticated access to flash memory partition areas, using a shared secret between the host and the eMMC.

Communication Interfaces

USB

USB armory Mk II features two USB-C ports. Using USB-C allows us to have a plug for traditional USB-based host communication, along with an integrated receptacle to act as a host (or device).

The USB-C current mode ensures that adequate current is requested on the plug side, to enable connection of additional devices on the receptacle side. This design enables new use cases for the USB armory Mk II. It can act as a USB firewall without the need for additional hardware, and it can be natively expanded with USB peripherals (e.g., storage and network adapters).

Additionally, the integrated receptacle also allows its role to be changed to device, simplifying scenarios such as controlled USB fuzzing from one side and interactive console/control on the other.

Only the USB 2.0 protocol is supported over both USB-C ports, therefore it should be emphasized that HDMI video over USB-C is not supported.

Bluetooth

The Mk II includes a u-blox ANNA-B112 Bluetooth module for out-of-band (in relation to USB interfaces) interaction with a wireless client (e.g., mobile applications).

The addition of a Bluetooth module opens up a variety of new use cases for the USB armory Mk II, greatly enhancing its security applications in terms of authentication, isolation, and limiting trust of the host.

The ANNA-B112 module supports an "OpenCPU" option to allow arbitrary firmware, replacing the built-in u-blox firmware, on its Nordic Semiconductor nRF52832 SoC. This allows provisioning of the SoC with Nordic SDK, Wirepas mesh, ARM® Mbed, or arbitrary user firmware. The nRF52832 SoC features an ARM® Cortex-M4 CPU with 512 KB of internal Flash and 64 KB of RAM.

Storage Media

Apart from the traditional microSD slot (now with a spring-loaded push-to-insert, push-to-eject mechanism), the USB armory Mk II includes a 16 GB eMMC flash memory chip on the board.

This makes provisioning easier, allows for factory pre-imaging without the burden of microSD card installation, and enables additional security features.

Additionally a slide switch allows selection of the boot mode (microSD vs eMMC), which makes it easy to select the boot media for dual boot purposes (e.g., full Linux OS vs INTERLOCK protected image).

Comparing Mk I and Mk II

USB armory Mk II USB armory Mk I
HARDWARE
SoCNXP i.MX6ULZ ARM® Cortex™-A7 Freescale i.MX53 ARM® Cortex™-A8
Operating frequency900 MHz 800 MHz
RAM512 MB 512 MB
On-board storage16 GB eMMC None
External storagemicroSD microSD
Wireless capabilitiesBluetooth 5, BLE, BT Mesh None
Host connector (USB 2.0)USB-C USB A
Peripheral connector (USB 2.0)USB-C USB A via external adapter
LEDs2 1
GPIO8 via Debug Board 5 on board
GPIO interfacesUART, SPI, I²C UART, SPI, I²C
SECURITY
Open hardwareYes Yes
Secure BootHABv4.2.6 HABv4.0.4 (insecure)
True Random Number GeneratorYes Unsupported
SoC cryptographic accelerationDCP SAHARAv4 Lite
Secure storage handlingSNVS SCCv2
ARM® TrustZone®Yes Yes
External cryptographic co-processorsATECC & A71CH No
Protected flash memory regionRPMB No

New USB armory Mk II

Original USB armory Mk I

Enclosure

To keep your USB armory Mk II protected and preserved, we've developed a custom enclosure in cooperation with TEKO, an Italian company that specializes in high-quality enclosures.

The enclosure provides proper access to the USB-C ports as well as the microSD card slot and boot-select switch. It also features a slot for attaching a lanyard.

Enclosure with USB dongle and attached lanyard (items not included in pledge levels)

USB armory Mk II Debug Board

The USB armory Mk II exposes a USB-C receptacle, which allows the so-called 'debug accessory mode' to route analog/debug signals over its connector. The USB armory Mk II design leverages this to break out UART, SPI, I²C, and GPIO connections to/from its application processor.

The debug accessory board allows access to UART and GPIO signals through USB, without requiring probes, through an FTDI FT4232H. This allows, for example, access to the USB armory Mk II serial console without wires or probes, natively using only USB cables. All other interfaces can be accessed through dedicated breakout through-holes.

The board measures 22 mm x 57 mm x 12 mm, including the length of the USB-C connector.

Documentation

Fulfillment & Logistics

All USB armory Mk II units will be delivered to Crowd Supply's fulfillment partner (Mouser Electronics) for final distribution to backers worldwide. For more information, please see the Crowd Supply Guide section about ordering, paying, and shipping.

International Shipping, VAT, and Customs

All orders shipped to the EU, Australia, Canada, and Switzerland will ship with VAT pre-paid and customs pre-cleared. EU orders will primarily be shipped by FedEx through France. For details, see the Crowd Supply Guide section on international shipping, VAT, and customs.

Manufacturing Plan

In order to control quality and timelines, a local Italian manufacturer will assemble the first production batch of the USB armory Mk II. The same manufacturer has been used to produce a pre-production batch of 100 "beta" units for testing the final design and ensuring the correctness of all production processes.

Manufacturing will start as soon as the campaign ends or even before in case a sufficient number of pre-orders is achieved. The lead time for the first production batch is estimated to be on the order of a few weeks. Accounting for fulfillment and testing we hope to ship out all orders by the end of 2019 or in January 2020 at the latest.

Enclosure design is complete, and pre-production work is currently being done. These will be manufactured by a local Italian company, as well.

Risks & Challenges

USB armory Mk II has been thoroughly designed for manufacturing. After several rounds of prototyping, the boards are ready for mass production. Previously used and trusted manufacturers are lined up and ready to go, and supply chains have been established.

Of course, as is the case with any hardware project regardless of preparation, component supplies can dwindle and shipments can arrive late. Having produced the USB armory Mk I, as well as other hardware items, we're confident in our ability to adjust to any change in circumstances. And should any issues arise, we'll keep backers informed via project updates.

The pre-production boards are currently undergoing FCC/CE certification. Given that a pre-certified BLE module is used, and also considering the low power and frequency specifications of the device, an uneventful process is expected. There is only a small chance for certification findings to cause delays, in case their nature and lack of mitigation requires changing the PCB design.


Credits

F-Secure Foundry

F-Secure Foundry combines decades of experience in hardware, firmware, and software security testing with mission-critical security engineering. Led by the F-Secure Hardware Security team, founded as Inverse Path in 2005, we provide industry-leading services to secure hardware ranging from consumer electronics to safety-critical industrial systems. With a vast breadth of experience in security design, testing and engineering, we are trusted by companies across the globe to assess as well as build from the ground up all kind of products and processes.


Andrea Barisani

Andrej Rosano

Daniele Bianco


TEKO

Enclosure design partner & manufacturer

Subscribe to the Crowd Supply newsletter, highlighting the latest creators and projects: