Version 6.0

Release Notes

This is a major release that brings multiple improvements. Support for OTP for RP2350 and ESP32-S3 MCUs is added, which is used to store the MKEK for further security. It also enables Secure Boot and Secure Lock optionally. It also brings the new Pico Commissioner to initialize and configure the Pico HSM without external tools, just directly through the browser.

New

• Upgrade Pico Keys SDK to v7.0.
• Add compiler flags for optimized builds in ESP32.
• Add PICO_PRODUCT.
• Add command to reset device via management app.
• Add rescue app to communicate via webUSB.
• Added support to configure LED GPIO, LED brightness, and LED dimming.
• Add support to LED_GPIO and LED_BTNESS vendor options.
• Add support for commissioning.
• Add autobuild for ESP32.
• Add support for dynamic VIDPID via PHY.
• Add OTP support and SHA256 hardware acceleration.
• Add command to enable secure boot and secure lock via rescue.
• Add product and MCU information in rescue mode.
• Add DEV key to OTP.
• Enable OTP to store a permanent secret key.
• Add json file to enable Secure Boot in RP2350.
• Add macro to parse version file and set pico_binary_version accordingly.
• Add new LED module for color control when available.

Enhancements

• Refactor PHY for a more flexible and scalable architecture.
• Always enable WCID interface.
• Compact PHY configuration.
• Improve LED driver support.
• Specify LED driver for each board.
• Let detect macOS target.
• Added flags for secure boot and secure lock in firmware.
• Use internal TRNG of Pico.
• Upgrade to MbedTLS 3.6.1.

Changes

• Rename CCID_ codes to PICOKEY_ for naming consistency.
• Remove Secure Boot build flags, now added to rescue mode.
• No options on secure boot and lock in PHY.
• Move debug to dedicated header.
• Harmonize build workflow with other repositories.

Bug Fixes

• Fix esp32 build with WCID.
• Fix USB initialization for emulation.
• Fix version header.
• Fix nightly build.
• Fix emulation build.
• Fix ESP & emulation build.
• Fix autobuild for ESP32.
• Fix permissions.
• Fix nightly build.
• Fix build for WS2812 boards.
• Fix header in Linux. Fixes #63.
• Fix SSH-keygen creation. Fixes #59.
• Fix ESP32 GPIO LED issue.
• Fix HID report descriptors.
• Fix PHY for LED neopixel.
• Fix USB descriptor when only HID is enabled.
• Fix LED blink on ON/OFF.
• Fix BOOT press with RP2350.
• Fix maxPower and dwProtocols (recover T=0).
• Fix float casting.
• Do not pack file_t to avoid misalignments.

Full Changelog: v5.12...v6.0

Version 6.0 EdDSA 1

This release brings EdDSA to version 6.0.

Important: EdDSA cannot work in ESP32, since Espressif uses its own MbedTLS fork.

This is an experimental release. It adds support for EdDSA with Ed25519 curves.

Since EdDSA is not officially approved by MbedTLS, it is considered experimental and in beta stage. Though it is deeply tested, it might contain bugs.

Use with caution.

Nightly Stable

This is a stable nightly build.

Nightly Development

This is a development nightly automatic build.

Version 5.12

This is a release which solves some bugs and adds enhancements.

New

• Add support to ESP32-S3.
• Add support to RP2350 MCU.
• Add support to multiple boards with RP2350.

Enhancements

• Add EF.DIR list AID.
• Emulation uses pthread thread synchronization for a reliable integration.
• CCID interface is better thread synchronized.
• Upgrade to Pico SDK 2.0.

Changes

• Rewritten HID interface to minimize the number of memcpy's. Now, it uses a single internal buffer, which speeds notably the overall performance.
• HID manages thread synchronicity more precisely.
• RP2350 boards use partitions to prevent data space be overwritten by firmware.
• Emulation does not use crt_dbrg since it is not reliable.

Bugfixes

• Fix Windows compatibility.
• Fix potential infinite loop when bad ASN1 is processed.
• Fix idVendor, idProduct allocation for Pico Patcher.
• Fix memory boundary check.
• Fix non-freed context.
• Fix TinyUSB vendor interface numbering.
• Fix thread cancellation in ESP32.
• Fix CBOR encoding.
• Fix OATH selection.
• Fix OTP crash.
• Fix U2F/FIDO app selection.

Full Changelog: v5.10...v5.12

Version 5.12 EdDSA 1

This release brings EdDSA to version 5.12.

Important: EdDSA cannot work in ESP32, since Espressif uses its own MbedTLS fork.

This is an experimental release. It adds support for EdDSA with Ed25519 curves.

Since EdDSA is not officially approved by MbedTLS, it is considered experimental and in beta stage. Though it is deeply tested, it might contain bugs.

Use with caution.

Full Changelog: v5.10...v5.12-eddsa1

v5.10

This release is a maintenance release to fix the following bugs:

Enhancements

• Upgrade to MbedTLS 3.6.
• Increase internal number of memory pages.
• Added support for WebCCID.
• Added support for ESP32 boards.
• Added support for APDU chaining.
• Added -DVIDPID= for easier build.

Bug fixes

• Fix Pico Patcher.
• Fix potential infinite ASN1 loop.
• Fix EF.DIR.
• Fix BCD for Windows.
• Fix potential overflow.
• Add support for PHY file.
• Upgrade internal page buffer.
• Fix X509 generation.
• Added 3DES for compatibility (NOT RECOMMENDED!)
• Fix chained responses.
• Fix ASN1 initialization.
• Fix HID buffer sizes.
• Fix Windows emulation.
• Fix wrapped APDU.
• Fix byte chain for long RAPDU.
• Fix SM verification.
• Fix ATR overwrite.
• Fix Apple emulation.

Full Changelog: v5.8...v5.10

Version 5.8

This release includes the following enhancements:

• Added support for Pico W LED.
• Added backfall compatibility.
• Added Windows/Linux backend for backup/restore python utility.
• Added support for --pin flag in Pico-fido tool.

and fixes:

• Fix FIDO app selection.
• Fix Pico W build.
• Fix memory leak.
• Fix potential crash with button.
• Fix OTP reading through HID.
• Fix config vendor command with python-fido2.
• Fix secure key generation in macOS.
• Use new Pico Keys SDK.
• Fix max length of OTP static passwords.

What's Changed

• Update pico-fido-patch-vidpid.sh by @sylvainpelissier in #26

New Contributors

• @sylvainpelissier made their first contribution in #26

Full Changelog: v5.4...v5.8

Version 5.8 Eddsa 1

This release includes release 5.8 and EdDSA support.

Full Changelog: v5.6-eddsa1...v5.8-eddsa1

Version 5.6

This new release includes the following enhancements:

• Added support for Secp256k1 curve, in the form of ES256K algorithm.
• Added support for ES256K algorithm.
• Added support for thirdPartyPayment extension.
• Added support for management via Yubikey Manager to enable/disable specific interfaces individually.
• Added support to Nitrokey's nitropy tool.
• Added support for ssh-keygen.

and the following bug fixes:

• Added tests for ES256K algorithm.
• Fixed pubKeyCredParams verification.
• Fixed return errors for pubKeyCredParams verification.
• Fixed Secp521r1 key load.
• Fixed credential creation for ES512 algorithm.
• Fixed chained response.
• Fixed OTP applet selection.
• Fixed signature computation for ES384 and ES512 algorithms.
• Fixed enabled capabilities detection.
• Fixed enabled cap detection when applet is already selected.
• Fixed OTP slot deletion.
• Fixed return error when no applet is selected.
• Fixed return error of CBOR.
• Fix credential creation when not supported algorithm is provided.

Full Changelog: v5.4...v5.6