F-Secure USB armory Mk II

Security Features

• High Assurance Boot (HABv4)
  The HAB feature enables on-chip internal Boot ROM authentication of the initial bootloader (i.e., Secure Boot) with a digital signature, establishing the first trust anchor for code authentication.
  
  
• True Random Number Generator (TRNG)
  The RNGB driver is included and operational in modern Linux kernels. Once loaded, it enables the component within the Linux hw_random framework.
  
  
• Data Co-Processor (DCP)
  The DCP module driver is included and operational in modern Linux kernels. Once loaded, it exposes its algorithms through the Crypto API interface.
  
  
• Secure Non-Volatile Storage (SNVS)
  A device-specific random 256-bit OTPMK key is fused in each SoC at manufacturing time. This key is unreadable and can only be used by the DCP for AES encryption/decryption of user data through the Secure Non-Volatile Storage (SNVS) companion block.
  
  
• Arm TrustZone
  The i.MX6 SoC family features an Arn TrustZone implementation in its CPU core and internal peripherals.
  
  
• External Cryptographic Co-Processors
  The NXP EdgeLock SE050 features hardware acceleration for elliptic-curve cryptography, as well as hardware-based key storage. It also provides high-endurance monotonic counters, useful for external verification of firmware downgrade/rollback attacks.
  
  
• eMMC Replay Protected Memory Blocks (RPMB)
  The eMMC RPMB features replay-protected authenticated access to flash memory partition areas, using a shared secret between the host and the eMMC.

Software

The USB armory Mk II hardware is supported by standard software environments and requires very little customization. In fact, vanilla Linux kernels and standard distributions run seamlessly on the tiny board:

• Boots from onboard eMMC, microSD, or via USB serial downloader
• Native Linux support
• Supported by the TamaGo framework for bare metal Go applications
• Precompiled images are available for Debian 9 (Stretch) and Arch Linux, with more on the way
• USB device emulation (CDC Ethernet, mass storage, HID, etc.)

Connectivity

• USB 2.0 over USB-C plug to host with full device emulation
• USB 2.0 over USB-C receptacle for the additional devices or as a connection to a host
• Full TCP/IP connection to/from USB armory via USB CDC Ethernet emulation
• Flash drive functionality via USB mass storage device emulation
• Serial communication over USB or physical UART using the Debug Board
• Wireless connectivity over BLE

Note: Only the USB 2.0 protocol is supported over both USB-C ports. HDMI video over USB-C is not supported.

• Debug Accessory Board (CS-ARMORY-02)
  The Debug Accessory Board breaks out the USB armory Mk II's UART, SPI, I²C, and GPIO connections to and from its application processor.
  
  
• 32GB MicroSD Card (CS-ARMORY-03)
  32 GB MicroSD card pre-imaged with Debian for quick boot-up.