Mk II Roadmap

The USB armory from WithSecure Foundry is an open source hardware design, implementing a compact secure computer.

The USB armory Mk II is the successor of the previous Mk I model.

Mk II Top Mk II Bottom

Purchasing

See Ordering information for USB armory Mk II variants, accessories and purchase options.

The USB armory Mk II can be purchased at the following resellers:

Custom/bulk order inquiries can be placed directly by contacting usbarmory@withsecure.com.

System-on-Chip

The USB armory Mk II default System-on-Chip (SoC) is the NXP i.MX6ULZ, P/N MCIMX6Z0DVM09AB (900 MHz).

An SoC variant using the pin-to-pin compatible i.MX6UL, P/N MCIMX6G3DVM05AB (528 MHz) is available, for custom orders, to provide additional security features such as OTF DRAM encryption (features comparison), with the trade-off of a slower clock rate.

Security features

See a detailed description here.

Communication interfaces

USB

The USB armory Mk II features Type-C USB ports, a Type-A variant is available for custom/bulk orders.

Using Type-C USB allows the Mk II to have a plug for traditional USB based host communication along with an integrated receptacle to act as a host (or device) (without requiring a host adapter like the Mk I used to).

The USB Type-C current mode allows to ensure that adequate current is requested on the plug side, to enable connection of additional devices on the socket side.

This design enables new use cases for the USB armory Mk II, which can act as a USB firewall without the need of additional hardware as well as being natively expanded with USB peripherals (e.g. drive, network adapters).

Additionally the integrated receptacle also allows its role to be changed to device, easing scenarios such as controlled USB fuzzing from one side and interactive console/control on the other.

Bluetooth

The Mk II includes a u-blox ANNA-B112 Bluetooth module for out-of-band (in relation to USB interfaces) interaction with a wireless client (e.g. mobile application).

The addition of a Bluetooth module opens up a variety of new use cases for the USB armory Mk II, greatly enhancing its security applications in terms of authentication, isolation and limiting trust towards the host.

The ANNA-B112 module supports an "OpenCPU" option to allow arbitrary firmware, replacing the built-in u-blox one, on its Nordic Semiconductor nRF52832 SoC. This allows provisioning of the SoC with Nordic SDK, Wirepas mesh, ARM Mbed or arbitrary user firmware. The nRF52832 SoC features an ARM Cortex-M4 CPU with 512 kB of internal Flash and 64 kB of RAM.

See additional information here.

Storage media

Apart from the traditional microSD slot (now with a push/pull mechanism) the USB armory Mk II includes a 16 GB eMMC flash memory on the board.

This allows easier provisioning procedures, factory pre-imaging without the burden of microSD card installation and enables additional security features.

Additionally a slide switch allows selection of the boot mode (microSD vs eMMC), supporting easy selection of boot media for dual boot purposes (e.g. full Linux OS vs INTERLOCK protected image).

Software

A wide variety of Linux distributions is available, the main one supported by WithSecure is a Debian image.
The TamaGo bare metal Go compiler includes imx6 drivers and Mk II board support.
A Linux kernel driver for the DCP (i.MX6ULZ), which takes advantage of the OTPMK released by the SNVS, is available at https://github.com/usbarmory/mxs-dcp.
A Linux kernel driver for the CAAM (i.MX6UL), which takes advantage of the OTPMK released by the SNVS, is available at https://github.com/usbarmory/caam-keyblob.
The INTERLOCK file encryption front-end supports both CAAM and DCP through such drivers.
The crucible utility provides user space support for reading, and writing, One-Time-Programmable (OTP) fuses.
The habtool utility provides support for Secure Boot provisioning and executable signing.
The armoryctl tool provides user space support for communicating with the Mk II internal peripherals.
The TamaGo framework has been used to create the following USB armory Mk II applications:
- GoKey - OpenPGP/U2F smartcard.
- GoTEE - Trusted Execution Environment w/ TrustZone.
- armory-drive - USB encrypted drive.
- armory-boot - secure primary boot loader.

Accessory mode

USB Type-C allows a 'debug accessory mode' to route analog/debug signals over its connector, the USB armory Mk II leverages on this to break out UART, SPI, I²C, GPIOs.

A dedicated debug accessory board allows access to UART and GPIO signals through USB, without requiring probes, through an FTDI FT4232H. This allows, for example, accessing the USB armory Mk II serial console without wires or probes, natively using only USB cables.

Mk II debug accessory

Home
USB armory Mk II
- Datasheet
- USB model
- LAN model
- Bill of materials: LAN, USB
- Security features
- Secure boot
- Benchmarks
- Power consumption
- Internal Boot ROM
- Enclosures
- JTAG
- Debug accessory
- Boot modes
- Bluetooth
- I²C
- armoryctl
- Errata
TamaGo unikernels
USB armory Mk I
- Bill of materials
- Security features
- Secure boot
- Host adapter
- Stand-alone mode
- Benchmarks
- Power consumption
- X-ray
- Internal Boot ROM
- Enclosures
- JTAG
- GPIOs
- I²C
- SPI
- Errata
Legal

Provide feedback

Saved searches

Use saved searches to filter your results more quickly