Bootloader, firmware and certificate infrastructure finalised
As so often, it took us longer than we planned: we wanted to be there before December, but we ended up just before the holiday vacations started. One of the reasons was that we raised the bar on what we wanted to achieve by then. The board bootloader config is now prepared for A/B firmware updates -- that is when one has two partitions, one is active and the other can be updated. There is then an option to boot the other partition once, and only after this boot is successful and certain tests in the new partition pass (e.g. a successful connection to a backend for long enough) does it set itself to permanent.
The System on Module (SoM) that we use in GRiSP2 comes with Barebox, which is quite advanced -- it is a more modern fork of the widely used U-Boot with greatly extended possibilities. But this power has a price: we need to program boot scripts, configure variable state storage etc. Also, the bootloader version that comes on the SoMs does not have all the features we need, so we had to build our own and upgrade this too.
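To make the trial-boot policy above concrete, here is an added Python model of the persisted slot state (this is illustration code, not GRiSP's bootloader scripts or Barebox's own state format); the slot names A/B, the field names and the attempt counter are assumptions.

```python
"""A/B slot selection with a one-shot trial boot and automatic fallback.

Constructed model of the policy described above: the inactive slot is
flashed and armed for a single trial boot; it only becomes permanent once
the new system confirms that its post-boot tests passed. Field names and
slot names are assumptions, not GRiSP's or Barebox's.
"""
from dataclasses import dataclass, field


@dataclass
class Slot:
    name: str
    version: str
    good: bool = True        # known to boot and pass its checks
    trial: bool = False      # armed for a one-shot trial boot
    attempts_left: int = 0   # trial boots still allowed


@dataclass
class BootState:
    active: str                       # slot booted when no trial is pending
    slots: dict = field(default_factory=dict)

    def other(self) -> str:
        return "B" if self.active == "A" else "A"

    def stage_update(self, version: str, attempts: int = 1) -> str:
        """Flash the inactive slot and arm it for a trial boot."""
        name = self.other()
        self.slots[name] = Slot(name, version, good=False, trial=True, attempts_left=attempts)
        return name

    def select(self) -> str:
        """Run by the bootloader on every boot; the decremented counter must be
        persisted before jumping into the kernel so a crash counts as a failure."""
        cand = self.slots[self.other()]
        if cand.trial and cand.attempts_left > 0:
            cand.attempts_left -= 1
            return cand.name
        if cand.trial:                # attempts used up without confirmation
            cand.trial, cand.good = False, False
        return self.active            # fall back to the known-good slot

    def confirm(self, booted: str) -> bool:
        """Called by the new system after its tests (e.g. backend reachable) pass."""
        s = self.slots[booted]
        if not s.trial:
            return False
        s.trial, s.good, s.attempts_left = False, True, 0
        self.active = booted          # the update is now permanent
        return True


def run_scenario(confirm_ok: bool) -> list:
    """Stage 2.0 into B from A, boot twice; return the slot chosen each time."""
    st = BootState("A", {"A": Slot("A", "1.0"), "B": Slot("B", "1.0", good=False)})
    st.stage_update("2.0")
    chosen = [st.select()]            # trial boot of B
    if confirm_ok:
        st.confirm("B")
    chosen.append(st.select())        # next boot: B if confirmed, else back to A
    return chosen
```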
By doing all this before we ship, we are confident that almost all of our users won't need to update the bootloader on their board to unlock its potential. Updating a bootloader is always a bit dangerous and has the potential to brick boards. They can be unbricked, but that procedure is a bit complex, so we would rather avoid it. On the other hand, if advanced users want to tinker with the bootloader, they are probably not shy about unbricking a board when its bootloader is messed up.
A very important feature we can only set up before shipping is the secure element. We are shipping with an individual certificate signed by us, safely stored in the secure element. With this certificate we will offer some extra free services on the IoT platform SaaS we are currently building for owners of GRiSP2 boards (and future boards and devices we will build). Secure storage of secrets is an important problem to solve in IoT security, so to make a secure IoT device one has to start already when designing the hardware. Then the manufacturing process needs to be built around that, because these certificates can only be created and signed for individual boards, and the signing secret must be protected against loss.
For that we built a GRiSP Public Key Infrastructure (PKI), which needed a bit of thought. The fun bit is that the PKI consists of GRiSP2 boards too (GRiSP boards all the way down). For this PKI we wanted a root certificate that is only used to sign an intermediate certificate, and this intermediate certificate is used at the manufacturer to sign all the manufactured boards during the end-test.
All these certificates need to be protected against theft -- especially unnoticed theft, i.e. copying. So we can't just put them on an SD card but need to protect them too. There are devices called HSMs (hardware security modules) available in various form factors. But we already have a kind of HSM: a GRiSP2 board with its secure element! So there is one GRiSP2 locked away (holding the root certificate), and one signed by that gets delivered to the manufacturer (holding the intermediate manufacturer certificate) to sign the other boards. The final installation application, which is an Erlang release on an SD card, connects via Erlang distribution to the intermediate certificate board (running its own release), creates a kind of certificate signing request with the secret in its secure element and the board metadata that is already stored in an EEPROM on the board, and sends it off to be signed and sent back.
BTW, in case one doesn't want to use our future SaaS but needs one's own certificates in the secure element: it can be overwritten at any time; it can't be read, only erased, so other uses are not prevented. However, once erased, one loses the advantages we offer with it.
The final software is already released to Hex as 2.0.0rc, and we will publish it as 2.0.0 as soon as we start shipping.
That gets me to the most important part: when do we finally start shipping? We had hoped to get the first batches out before the holidays so everyone could use the free time to tinker with them, but alas the manufacturer had no capacity free after we were done. Here in Germany business usually restarts on January 10th, and that is when we expect them to finalise the boards and deliver them to us to be shipped. Boxes and packaging have long been ready (we have a new box design, BTW) and we will start shipping right away.
TIP
Make sure you have filled out the Backerkit survey so we can be sure we have your current address!
This is already a lengthy update, so I will save writing about the new things we are already cooking for a later update.
Happy New Year and thanks for your patience!