April 2024 Released Thistle Features

In April 2024, Thistle Control Center (TCC, Thistle's web application) and Thistle Update Client (TUC) have received two major feature updates:

Releasing OTA updates from the TCC

Prior to the April 2024 release, OTA updates can be prepared and released from a user's local machine using the Thistle Release Helper (TRH) command-line tool. After the April 2024 release, a user is able to make an OTA update release from the Thistle Control Center, without going to the command line.

In a Thistle project's "Releases" menu, an OTA update release can be made from a zip archive of "update artifacts", in just a few button clicks.

OTA update release from a zip archive

The OTA update release is signed with an ECDSA signing key inside GCP KMS, where no one, including Thistle, can access the private key. The associated public key is exported from GCP KMS, and made available in a Thistle project's "Settings/General/Access" menu to allow OTA update verification by the the update agent, TUC, on the device side.

OTA update verification key

Firmware signing service

Thistle Verified Boot (TVB) is a device boot-time firmware authorization solution we have developed that provides a hardware root of trust based on the OPTIGA™ Trust M secure element chip.

In the April 2024 release, we have added the TVB payload/firmware signing support in Thistle Control Center, providing easy and secure signing key management.

TVB firmware signing

Signing a TVB payload (e.g., a Linux kernel image) can be done in a few button clicks. The signing key is created inside GCP KMS, where no one, including Thistle, can access the private key. The public key is exported from GCP KMS, and made available in a Thistle project's "Settings/General/Access" menu to allow TVB verification on the device side.

TVB verification key

Signed firmware can be downloaded from the Thistle Control Center to a user's machine to flash onto the device, or can be included directly to an OTA update release using the "+ Create Release" button on the top-right corner of the page. All downloads require appropriate user or device credentials that are associated with the Thistle project where artifacts belong.

TVB signed artifacts

Stay Tuned

Command-line support is coming soon to allow further automation of OTA update releasing and firmware signing operations described above. We will provide a GitHub action to make it easy to release OTA updates in a CI/CD pipeline.

Previous
Previous

Release OTA Updates from A CI/CD Pipeline with Thistle

Next
Next

Integration tests and code coverage in Rust