April 2024 Released Thistle Features
In April 2024, Thistle Control Center (TCC, Thistle's web application) and Thistle Update Client (TUC) have received two major feature updates:
Releasing over-the-air (OTA) updates from the TCC
Firmware signing service for Thistle Verified Boot
Releasing OTA updates from the TCC
Prior to the April 2024 release, OTA updates can be prepared and released from a user's local machine using the Thistle Release Helper (TRH) command-line tool. After the April 2024 release, a user is able to make an OTA update release from the Thistle Control Center, without going to the command line.
In a Thistle project's "Releases" menu, an OTA update release can be made from a zip archive of "update artifacts", in just a few button clicks.
OTA update release from a zip archive
The OTA update release is signed with an ECDSA signing key inside GCP KMS, where no one, including Thistle, can access the private key. The associated public key is exported from GCP KMS, and made available in a Thistle project's "Settings/General/Access" menu to allow OTA update verification by the the update agent, TUC, on the device side.
OTA update verification key
Firmware signing service
Thistle Verified Boot (TVB) is a device boot-time firmware authorization solution we have developed that provides a hardware root of trust based on the OPTIGA™ Trust M secure element chip.
In the April 2024 release, we have added the TVB payload/firmware signing support in Thistle Control Center, providing easy and secure signing key management.
TVB firmware signing
Signing a TVB payload (e.g., a Linux kernel image) can be done in a few button clicks. The signing key is created inside GCP KMS, where no one, including Thistle, can access the private key. The public key is exported from GCP KMS, and made available in a Thistle project's "Settings/General/Access" menu to allow TVB verification on the device side.
TVB verification key
Signed firmware can be downloaded from the Thistle Control Center to a user's machine to flash onto the device, or can be included directly to an OTA update release using the "+ Create Release" button on the top-right corner of the page. All downloads require appropriate user or device credentials that are associated with the Thistle project where artifacts belong.
TVB signed artifacts
Stay Tuned
Command-line support is coming soon to allow further automation of OTA update releasing and firmware signing operations described above. We will provide a GitHub action to make it easy to release OTA updates in a CI/CD pipeline.
