Swedish Software Integrity


Contact

Software Signing

" Signing should be easy, but not too easy "


Hot Private Keys

All hot private keys used for signing are stored on Hardware Security Modules (HSM).


Meaningful Signing

Every signature you issue is a statement that others will trust; signing indiscriminately increases your supply chain's attack surface. We help you sign only what matters.


Access Control

Signing software means vouching for its integrity. We help you manage who has this authority.


Made in Sweden

All our devices are located in Sweden and use Swedish-made Hardware Security Modules.

Private Key Management

Private Key Environment (PKE)

There are scenarios in which a private key must be handled in its raw, unencrypted form: for example when generating a new key, provisioning a Hardware Security Module (HSM), or verifying the key's integrity. This must be done in a secure environment. Our Private Key Environment (PKE) is purpose-built for securely handling unencrypted private keys.

Hardware Write Protect

Devices in the PKE run our custom operating system, PkOS, which is loaded from write-protected physical media. All storage on these devices is therefore volatile, so an unencrypted private key can never be persisted on a PKE device.

Physical Data Diode

All devices in our PKE are physically air-gapped (MSB1309). Our bitfrost data diode ensures that data from within the PKE cannot leak out, while still allowing software updates and security patches to be brought in.


" I think Alex has a copy of the key on a thumb drive somewhere "

Secure Boot


Implementation in Hardware

Implementing secure boot in hardware can be challenging: the documentation is complex, and trial-and-error carries the risk of damaging circuit boards.

We guide you through the process, helping you avoid common pitfalls and secure your hardware effectively.


" Here's the pile of circuit boards from the secure boot POC "

Linux Driver

Accessing hardware keys from higher-level software such as the OS is crucial. For instance, it lets you verify a bootloader upgrade against the keys fused into the hardware before installing it, ensuring that a Secure Boot system will still boot afterwards.


Author: Richard Alpe <richard@bit42.se>
Committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Commit: 0861110bb421...

nvmem: add new NXP QorIQ eFuse driver

Add SFP (Security Fuse Processor) read support for NXP (Freescale) QorIQ series SoCs.

This patch adds support for the T1023 SoC using the SFP offset from the existing T1023 device tree. In theory this should also work for T1024, T1014, and T1013, which use the same SFP base offset.

Signed-off-by: Richard Alpe <richard@bit42.se>
Reviewed-by: Niklas Söderlund <niklas.soderlund@ragnatech.se>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
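The kind of pre-flash check the "Linux Driver" section describes, as an added example that is not code from bit42 or from the nvmem driver above: before writing a new bootloader, compare the public key embedded in the image against the key hash fused into the hardware, since that hash is what the boot ROM will enforce on the next boot (on QorIQ the SFP's SRKH fuses hold a SHA-256 of the root key table). The fuse offset, the image container format and the sample keys below are all constructed for illustration; on a real board the fuse dump would be read from the nvmem device the driver registers under /sys/bus/nvmem/devices/<name>/nvmem, and the offset and image layout would come from the SoC reference manual and the bootloader's own header format.

```python
import hashlib
import hmac
import struct

# Assumed fuse layout (hypothetical): a 32-byte key hash at byte offset 0x40 of
# the raw fuse dump. The offset is invented for this example; consult the
# reference manual for the real SFP register layout.
SRKH_OFFSET = 0x40
SRKH_LEN = 32

# Constructed image container (hypothetical): magic | u32 BE key length | key | payload
IMAGE_MAGIC = b"BLDR"


def read_fused_key_hash(fuse_dump: bytes) -> bytes:
    """Return the key hash the boot ROM enforces, taken from a raw fuse dump.

    In production the dump comes from the nvmem sysfs node the driver exposes.
    """
    end = SRKH_OFFSET + SRKH_LEN
    if len(fuse_dump) < end:
        raise ValueError("fuse dump too short for key hash slot")
    srkh = fuse_dump[SRKH_OFFSET:end]
    if srkh == bytes(SRKH_LEN):
        # All-zero slot: nothing has been burned. We cannot tell which key the
        # ROM would enforce, so refuse to bless the upgrade rather than guess.
        raise ValueError("no key hash fused; refusing to validate upgrade")
    return srkh


def parse_image(image: bytes) -> tuple[bytes, bytes]:
    """Split a bootloader image in the constructed container format into (key, payload)."""
    if image[:4] != IMAGE_MAGIC:
        raise ValueError("bad image magic")
    (key_len,) = struct.unpack(">I", image[4:8])
    key = image[8:8 + key_len]
    if len(key) != key_len:
        raise ValueError("truncated key in image header")
    return key, image[8 + key_len:]


def build_image(public_key: bytes, payload: bytes) -> bytes:
    """Assemble an image in the constructed container format."""
    return IMAGE_MAGIC + struct.pack(">I", len(public_key)) + public_key + payload


def upgrade_is_bootable(fuse_dump: bytes, image: bytes) -> bool:
    """True only if the image's embedded key hashes to the fused value.

    This mirrors the ROM's first step (trust the key only if its hash matches
    the fuses). Verifying the payload signature with that key is a separate,
    subsequent step and is not shown here.
    """
    fused = read_fused_key_hash(fuse_dump)
    key, _payload = parse_image(image)
    return hmac.compare_digest(hashlib.sha256(key).digest(), fused)


# --- constructed sample data (not from any real board) ----------------------
FUSED_PUBKEY = b"\x04" + bytes(range(64))        # stands in for the fused public key
ROGUE_PUBKEY = b"\x04" + bytes(range(64, 128))   # a key the ROM would reject
FUSE_DUMP = bytes(SRKH_OFFSET) + hashlib.sha256(FUSED_PUBKEY).digest() + bytes(16)
UNFUSED_DUMP = bytes(SRKH_OFFSET + SRKH_LEN + 16)

GOOD_IMAGE = build_image(FUSED_PUBKEY, b"bootloader payload")
BAD_IMAGE = build_image(ROGUE_PUBKEY, b"bootloader payload")

if __name__ == "__main__":
    print("image carries fused key:", upgrade_is_bootable(FUSE_DUMP, GOOD_IMAGE))
    print("image carries other key:", upgrade_is_bootable(FUSE_DUMP, BAD_IMAGE))
```

The comparison uses hmac.compare_digest rather than == so the check does not leak timing information about the fused hash, and an unprogrammed fuse slot is treated as an error rather than as "anything goes": an upgrade tool that cannot establish which key the ROM enforces has no business writing the bootloader.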


Contact Us

Have questions or need more information? Reach out to us!

B1C7 05C6 B1BF 719C A5CD 6739 8BEE 8379 084B C511