Welcome to Feitian OpenSK USB Dongle
OpenSK was announced by Google on January 30, 2020. It is a fully open-source FIDO security key implementation, including hardware and software.
In that announcement, Google said:
"By opening up OpenSK as a research platform, our hope is that it will be used by researchers, security key manufacturers, and enthusiasts to help develop innovative features and accelerate security key adoption."
To help accelerate FIDO security key adoption, FEITIAN improved the housing, made new designs of the OpenSK USB Dongle, removed unused PCB components, and published the design. Users can build firmware from the source code of the Google OpenSK GitHub repository without changing anything and provision it to this OpenSK hardware to try FIDO authentication.
Before you try to program firmware to OpenSK, please read the original OpenSK guide first. The following documents are mostly additional remarks.
Before you try or buy Feitian OpenSK Dongle, please be sure that you have read the important caution message.
We have two models of OpenSK USB Dongle, V1 and V2. They are designed according to the nRF52840 USB dongle, which is used by Google OpenSK firmware. The difference between V1 and V2 is the method to enter bootloader mode.
On OpenSK V1, insert a paper clip or a SIM-eject tool into the RESET button hole to enter bootloader mode. This is similar to pushing the RESET button on the nRF52840 USB dongle.
On OpenSK V2, after connecting the device to a computer, push and hold the user button for more than 10 seconds; OpenSK will then be in bootloader mode.
For detailed information, please refer to the hardware description page.
- The OpenSK USB Dongle V1 or V2.
Before you program the firmware to the OpenSK USB Dongle, you should switch it to bootloader mode. Please refer to the Hardware Page to learn how to switch OpenSK to bootloader mode. You can verify that it is in bootloader mode as described in this section.
- Read the Original OpenSK guide.
Before you perform the following operations, please read OpenSK and its installation guide to learn how to customize your security key, for example, to change the signature counter mechanism and Attestation Certificate.
- Install the nrfutil tool:
sudo pip3 install nrfutil
or
sudo pip3 install nrfutil --user
This tool allows you to directly flash firmware to OpenSK over USB without additional hardware.
Please make sure you use matching versions of nrfutil and Python. Note that nrfutil 6.x requires Python >=3.6, <3.9.
- Apply udev rule (Linux only).
If you are using Linux, add a udev rule so that OpenSK works well with FIDO applications and browsers, then unplug and replug the key for the rule to trigger.
sudo cp rules.d/55-opensk.rules /etc/udev/rules.d/
sudo udevadm control --reload
2. Development Environment and configuration
- Prepare a Development environment.
You should prepare a Development environment by yourself according to this section. The scripts provided in this project have been tested under Linux and macOS. We haven't tested them on Windows and other platforms.
$ git clone --recursive https://github.com/google/OpenSK.git
If you just cloned this repository, you need to run the following script:
- Configure the OpenSK security parameter.
Please follow the description to change the Attestation Certificate as you want. If you are not familiar with OpenSK and FIDO, we recommend you do not change anything.
3. Flashing the firmware
Although you can download the firmware to our OpenSK V1 and V2 by using J-LINK as described in the OpenSK installation guide, we recommend that you program the firmware through the USB interface, which is more convenient.
- Switch OpenSK to bootloader mode.
Please refer to OpenSK Model or hardware page to learn how to switch OpenSK to bootloader mode.
The LEDs behave differently in each mode. Please refer to the hardware page to see the LED status of OpenSK V1 and V2.
- Program the OpenSK USB dongle.
If your USB dongle does not work properly, you can erase the storage first.
./deploy.py --board=nrf52840_dongle_dfu --programmer=nordicdfu --erase_storage
$ ./deploy.py --board=nrf52840_dongle_dfu --programmer=nordicdfu --opensk
Press [ENTER] when ready.
When the progress bar reaches 100%, OpenSK USB Dongle will be in working mode automatically.
If deploy.py returns the error "Permission denied: /dev/ttyxxxx", change the access permission of this device:
sudo chmod 666 /dev/ttyxxxx
Please provision Attestation Certificate and Private Key before you test your OpenSK.
4. Configure Attestation Certificate and Private Key
You need to inject the cryptographic material if you enabled batch attestation or CTAP1/U2F compatibility (which is the case by default); otherwise, OpenSK will not work properly.
./tools/configure.py \
  --certificate=crypto_data/opensk_cert.pem \
  --private-key=crypto_data/opensk.key
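A pre-flight check for the certificate and key handed to configure.py, as an added example that is not part of the original guide or the OpenSK project. It uses the openssl CLI to confirm that the key is on P-256 (assumed here to be the curve OpenSK attestation expects), that the certificate carries that key's public key, and that the certificate has not expired; the function name and return codes are hypothetical.

```shell
#!/bin/sh
# Added example: verify the attestation pair before it is injected.
# Usage: ./check_pair.sh crypto_data/opensk_cert.pem crypto_data/opensk.key

# Print the public key (PEM SubjectPublicKeyInfo) of a certificate / private key.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pubkey()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Return codes (hypothetical, chosen for this example):
#   0 = pair is consistent
#   1 = a file is missing or cannot be parsed
#   2 = private key is not on P-256 (assumption: attestation uses ES256)
#   3 = certificate does not contain the private key's public key
#   4 = certificate has already expired
check_attestation_pair() {
    cert=$1
    key=$2
    [ -r "$cert" ] && [ -r "$key" ] || return 1
    cpub=$(cert_pubkey "$cert") || return 1
    kpub=$(key_pubkey "$key") || return 1
    [ -n "$cpub" ] && [ -n "$kpub" ] || return 1
    # openssl prints "ASN1 OID: prime256v1" for a named-curve P-256 key.
    openssl pkey -in "$key" -noout -text 2>/dev/null \
        | grep -q 'prime256v1' || return 2
    # A certificate issued for a different key would be rejected by relying
    # parties only after the device is provisioned, so catch it here.
    [ "$cpub" = "$kpub" ] || return 3
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 4
    return 0
}

# Run the check only when called with a certificate and a key.
if [ "$#" -eq 2 ]; then
    if check_attestation_pair "$1" "$2"; then
        echo "OK: certificate and private key match"
    else
        rc=$?
        echo "check failed with code $rc, not provisioning" >&2
        exit "$rc"
    fi
fi
```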
Now you can test your OpenSK.
Test FIDO functions
Please refer to Test Page.