Description of product
Description
Crowd Supply USB armory Mk II is a full-featured, security-minded computer, based on an NXP Semiconductors i.MX6ULZ Microcontroller, in a tiny USB form-factor. Designed with information security applications in mind, the USB armory Mk II incorporates features such as High Assurance Boot (HABv4), Arm® TrustZone®, and external cryptographic co-processors.
Features
- SoC: NXP Semiconductors i.MX6ULZ Arm® Cortex™-A7 900MHz
- RAM: 512MB DDR3
- Storage: Internal 16GB eMMC + external microSD
- BLUETOOTH® Module: u-blox ANNA-B112 BLE
- USB-C Ports: DRP (Dual Role Power) receptacle + UFP (Upstream Facing Port) plug, USB 2.0 only
- LEDs: Two
- Slide Switch: For boot mode selection between eMMC and microSD
- External Security Elements: Microchip Technology ATECC608A and NXP Semiconductors A71CH
- Physical Size: 66mm x 19mm x 8mm (without enclosure, including USB-C connector)
- Enclosure: Included with all units for device protection
Security features
- High Assurance Boot (HABv4)
The HAB feature enables on-chip internal Boot ROM authentication of the initial bootloader (i.e., Secure Boot) with a digital signature, establishing the first trust anchor for code authentication. - True Random Number Generator (TRNG)
The RNGB driver is included and operational in modern Linux kernels. Once loaded, it enables the component within the Linux hw_random framework. - Data Co-Processor (DCP)
The DCP module driver is included and operational in modern Linux kernels. Once loaded, it exposes its algorithms through the Crypto API interface. - Secure Non-Volatile Storage (SNVS)
A device-specific random 256-bit OTPMK key is fused in each SoC at manufacturing time. This key is unreadable and can only be used by the DCP for AES encryption/decryption of user data, through the Secure Non-Volatile Storage (SNVS) companion block. - Arm TrustZone
The i.MX6 SoC family features an Arn TrustZone implementation in its CPU core and internal peripherals. - External Cryptographic Co-Processors
The Microchip ATECC608A and NXP AT71CH feature hardware acceleration for elliptic-curve cryptography, as well as hardware-based key storage. The ATECC608A also features symmetric AES-128-GCM encryption. Both components provide high-endurance monotonic counters, useful for external verification of firmware downgrade/rollback attacks. - eMMC Replay Protected Memory Blocks (RPMB)
The eMMC RPMB features replay-protected authenticated access to flash memory partition areas, using a shared secret between the host and the eMMC.
Software
The USB armory Mk II hardware is supported by standard software environments and requires very little customization. In fact, vanilla Linux kernels and standard distributions run seamlessly on the tiny board:
- Boots from onboard eMMC, microSD, or via USB serial downloader
- Native Linux support
- Precompiled images are available for Debian 9 (Stretch) and Arch Linux, with more on the way
- USB device emulation (CDC Ethernet, mass storage, HID, etc.)
Connectivity
- USB 2.0 over USB-C plug to host with full device emulation
- USB 2.0 over USB-C receptacle for the additional devices or as a connection to a host
- Full TCP/IP connection to/from USB armory via USB CDC Ethernet emulation
- Flash drive functionality via USB mass storage device emulation
- Serial communication over USB or physical UART using the Debug Board
- Wireless connectivity over BLE
Note: Only the USB 2.0 protocol is supported over both USB-C ports. HDMI video over USB-C is not supported.
Applications
- Mass storage device with advanced features such as automatic encryption, virus scanning, host authentication, and data self-destruct
- Hardware Security Module (HSM)
- OpenSSH client and agent for untrusted hosts (e.g., Internet kiosks)
- Router for end-to-end VPN tunneling
- Tor bridge
- Password manager with integrated webserver
- Electronic wallet
- Authentication token
- Portable penetration testing platform
- Low-level USB security testing
