Upgrading the Cryptech Alpha HSM
This page explains how to upgrade the Cryptech Alpha firmware, bootloader, and FPGA bitstream (as needed).
All of the operations here use the Alpha's "management" (MGMT) port, so that cable must be connected to your Linux or OSX host machine.
Upgrading from the stock firmware (Berlin workshop or CrowdSupply)
The main feature of the 3.0 firmware release is a completely new HSM keystore implementation, which makes better use of the Alpha's keystore flash, allows a much larger number of keys, and removes the need for an SQL database on the host. (See ReleaseNotes.)
We did not attempt to provide any sort of backwards compatability to the original minimalistic keystore implementation, so this upgrade process will wipe your keystore. Sorry. More importantly (from the limited viewpoint of the upgrade process), it will change how the HSM stores its PINs, which complicates the upgrade process.
Because we use the bootloader to upgrade the firmware, and the firmware to upgrade the bootloader, both use the PINs stored in the keystore to login, so both need to understand the new keystore, so both need to be upgraded.
Because of the tricky nature of this particular upgrade, you must perform these steps, in the specified order:
- Install the new host software package using APT or Homebrew.
- Wipe the HSM keystore to reset PINs back to the "factory" state.
- Upgrade the main HSM firmware.
- Upgrade the HSM bootloader.
- Log in to upgraded HSM to set PINs, etc.
Upgrading the bootloader before the main firmware will brick your Alpha. So don't do that.
If something goes horribly wrong and you do somehow manage to brick your Alpha, see DisasterRecovery.
Upgrading from 'ksng'
A few intrepid users are already testing the 'ksng' development branch, using the instructions at UpgradeToKSNG. In this case, and with future upgrades, it it not necessary to either wipe the keystore or upgrade the bootloader.
- Install the new host software package using APT or Homebrew.
- Upgrade the main HSM firmware.
Install the cryptech-alpha package
using apt-get on Debian or Ubuntu Linux
$ sudo apt-get update
$ sudo apt-get install cryptech-alpha
Yes, you have to install it even if you already had it installed, because APT wants permission before accepting the new package dependencies.
Or you could instead run:
$ sudo apt-get upgrade --with-new-pkgs
but that might upgrade unrelated stuff.
If you had the '-ksng' package installed, you might then want to run:
$ sudo apt-get remove cryptech-alpha-ksng
$ sudo apt-get autoclean
but nothing terrible is likely to happen if you omit those steps.
If you're running on Debian Jessie, you may need to enable jessie-backports
and make sure you're getting the python-serial
and python-tornado
dependencies from the backports (the versions of those packages in the base Debian Jessie distribution are too old).
using Homebrew on OSX
If you're upgrading from the original firmware (have not installed the -ksng
package), a normal Homebrew upgrade cycle
should suffice:
$ brew update
$ brew upgrade
If you have the -ksng
package installed, you need to tell Homebrew that you want to switch back:
$ brew update
$ brew migrate cryptech-alpha-ksng
$ brew update
In either case, you might then want to do something like:
$ brew cleanup
but nothing terrible is likely to happen if you omit that step.
If you've tried doing this and nothing happens, you might be hitting a known old bug in Homebrew itself. Make sure your copy of Homebrew is up to date, and if that still doesn't work, try deinstalling whichever cryptech-alpha*
package you have installed and reinstalling cryptech-alpha
.
Set usual CRYPTECH_* environment variables
The upgrade process uses the CRYPTECH_CTY_CLIENT_SERIAL_DEVICE
environment variable. The easiest way to set it is by using the
cryptech_probe
script, just as you would for other usage of the
Alpha.
$ eval `cryptech_probe`
(Note: you can use the new cryptech_muxd
and cryptech_console
, but
these instructions assume you are familiar with cryptech_miniterm
. Or
you could be using picocom
or kermit
or something else. Doesn't matter
to us.)
Clear the keystore flash
If you are upgrading from the original firmware, you will need to wipe the keystore, to avoid confusing the new keystore code.
The good news is that we have a utility to back up and restore the new keystore. The bad news is that we don't have a way to back up the old keystore.
$ cryptech_miniterm
Username: wheel
Password: <your-wheel-pin-goes-here>
cryptech> keystore erase YesIAmSure
^]
Upgrade the main HSM firmware
$ cryptech_upload --firmware --user wheel
PIN: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding
Upgrade the bootloader
$ cryptech_upload --bootloader --user wheel --simon-says-whack-my-bootloader
PIN: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding
(Optional) Upgrade the FPGA bitstream
This upgrade includes an experimental ECDSA point multiplier in hardware, which the firmware will use if present.
$ cryptech_upload --fpga --user wheel
PIN: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding
Log in and set PINs, masterkey, etcetera
$ cryptech_miniterm
Username: wheel
PIN: YouReallyNeedToChangeThisPINRightNowWeAreNotKidding
cryptech> keystore set pin wheel fnord
cryptech> keystore set pin so fnord
cryptech> keystore set pin user fnord
cryptech> masterkey set
^]