Pico Fido + Pico OpenPGP

Pico FIDO2

This project transforms your Raspberry RP235x or ESP32 microcontroller into an integrated FIDO Passkey and OpenPGP smartcard, functioning like a standard USB Passkey for authentication and as a smartcard for cryptographic operations.

This is a fork of the last community edition version of the pico-fido2 firmware, from December 9th 2025, that was available on https://github.com/polhenarejos/pico-fido2 before that repository was deleted and replaced by something else.


Supported platforms

| | RP2040 | RP2350 | ESP32-S2 | ESP32-S3 |
|---|---|---|---|---|
| CPU | 2x Cortex-M0+ | 2x Cortex-M33 | 1x Xtensa | 2x Xtensa |
| Core pinning | Yes | Yes | No | Yes |
| RTOS | No (Pico SDK) | No (Pico SDK) | FreeRTOS | FreeRTOS |
| MCU ID | 0 | 1 | 2 | 2 |

Security

Currently, most security features are supported and implemented only for the RP2350.

| | RP2350 | RP2040 | ESP32-S2 | ESP32-S3 |
|---|---|---|---|---|
| Secure Boot | Full (boot key hash, CRIT1 flags, debug disable, glitch detector) | No HW support | No (// TODO) | No (// TODO) |
| Secure Lock | Yes (key invalidation, page locking) | No | No | No |
| MKEK in OTP/eFuse | Yes (OTP rows with ECC, chaff, page locking) | No (plaintext flash) | Yes (eFuse BLK_KEY3, write-locked) | Yes (eFuse BLK_KEY3, write-locked) |
| Device key in OTP/eFuse | Yes (OTP + chaff + migration) | No | Yes (eFuse BLK_KEY4) | Yes (eFuse BLK_KEY4) |
| cmd_secure APDU | Available | Not available | Available | Available |
| Firmware signing | Yes (pico_sign_binary) | No | No | No |
| Rollback protection | Yes | No | No | No |
| HW crypto | SHA-256 | No | SHA-256 + AES-GCM + ECDSA/ECDH | SHA-256 + AES-GCM + ECDSA/ECDH |

Features

Pico FIDO2 includes the following features:

FIDO2 / U2F / WebAuthn

  • CTAP 2.1 / CTAP 1
  • WebAuthn
  • U2F
  • HMAC-Secret extension
  • CredProtect extension
  • User presence enforcement through physical button
  • User verification with PIN
  • Discoverable credentials (resident keys)
  • Credential management
  • ECDSA and EDDSA authentication
  • Support for SECP256R1, SECP384R1, SECP521R1, SECP256K1 and Ed25519 curves
  • App registration and login
  • Device selection
  • Support for vendor configuration
  • Backup with 24 words
  • Secure lock to protect the device from flash dumps
  • Permissions support (MC, GA, CM, ACFG, LBW)
  • Authenticator configuration
  • minPinLength extension
  • Self attestation
  • Enterprise attestation
  • credBlobs extension
  • largeBlobKey extension
  • Large blobs support (2048 bytes max)
  • OATH (based on YKOATH protocol specification)
  • TOTP / HOTP
  • Yubikey One Time Password
  • Challenge-response generation
  • Emulated keyboard interface
  • Button press generates an OTP that is directly typed
  • Yubico YKMAN compatible
  • Nitrokey nitropy and nitroapp compatible
  • Secure Boot and Secure Lock in RP2350 and ESP32-S3 MCUs
  • One Time Programming to store the master key that encrypts all resident keys and seeds.
  • Rescue interface to allow recovery of the device if it becomes unresponsive or undetectable.
  • LED customization with Pico Commissioner.

OpenPGP Smartcard

  • OpenPGP card specification v3.4
  • 3 key slots (Signature, Encryption, Authentication)
  • RSA (2048, 3072, 4096), Ed25519, Curve25519, ECDSA (NIST P-256, P-384, P-521)
  • Key generation on device
  • Key import/export
  • PIN and Admin PIN protection
  • Reset and Unblock functions
  • Works with GnuPG, SSH, S/MIME, and compatible tools
  • CCID over USB
  • Compatible with major OS (Linux, Windows, macOS)
  • Touch button for user presence confirmation (optional)
  • Open source

Security Considerations

Microcontrollers RP2350 and ESP32-S3 are designed to support secure environments when Secure Boot is enabled, and optionally, Secure Lock. These features allow a master key encryption key (MKEK) to be stored in a one-time programmable (OTP) memory region, which is inaccessible from outside secure code. This master key is then used to encrypt all private and secret keys on the device, protecting sensitive data from potential flash memory dumps.

However, the RP2040 microcontroller lacks this security hardware, so it cannot provide the same protection. Because there is no protected region in which to keep a master key, the master key itself cannot be stored encrypted, and data stored in its flash memory, including private or master keys, can be easily read or dumped. Consequently, if an RP2040 device is stolen, any stored private or secret keys may be exposed.
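The difference between the "MKEK in OTP/eFuse" row of the table above and the RP2040 case can be made concrete with a small model. The following Go program is an added illustration, not code from the Pico FIDO2 firmware: it wraps a device secret under a master key encryption key (MKEK) with AES-256-GCM, then compares a device whose MKEK lives in an OTP/eFuse region (the RP2350/ESP32-S3 case) with one that has no such region and must keep the MKEK in flash (the RP2040 case). The wrapping format (nonce || ciphertext || tag), the 32-byte MKEK, the `mkek || wrapped` flash layout for the no-OTP device and the sample secret are all assumptions made for the example; the firmware's real storage format is not described on this page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// MKEKLen is the master key encryption key size (AES-256). Assumed for this example.
const MKEKLen = 32

// Device models only what matters for the flash-dump threat: an OTP/eFuse
// region that cannot be read from outside secure code (nil when the MCU has
// none) and a flash image that is assumed to be fully dumpable.
type Device struct {
	Name  string
	OTP   []byte
	Flash []byte
}

// WrapKey encrypts a device secret (e.g. a resident-key private key) under the
// MKEK with AES-256-GCM and returns nonce || ciphertext || tag.
// The format is illustrative, not the firmware's.
func WrapKey(mkek, secret []byte) ([]byte, error) {
	block, err := aes.NewCipher(mkek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, nil), nil
}

// UnwrapKey reverses WrapKey; it fails on a wrong MKEK or a tampered blob
// because GCM authenticates the ciphertext.
func UnwrapKey(mkek, wrapped []byte) ([]byte, error) {
	block, err := aes.NewCipher(mkek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(wrapped) < gcm.NonceSize() {
		return nil, errors.New("wrapped blob too short")
	}
	return gcm.Open(nil, wrapped[:gcm.NonceSize()], wrapped[gcm.NonceSize():], nil)
}

// ProvisionWithOTP models the RP2350/ESP32-S3 case: the MKEK is burned into
// OTP/eFuse and only the wrapped secret is written to flash.
func ProvisionWithOTP(name string, mkek, secret []byte) (Device, error) {
	wrapped, err := WrapKey(mkek, secret)
	if err != nil {
		return Device{}, err
	}
	return Device{Name: name, OTP: mkek, Flash: wrapped}, nil
}

// ProvisionWithoutOTP models the RP2040 case: with no protected region, the
// MKEK has to sit in flash next to the data it encrypts.
// Layout (assumed for the example): mkek || wrapped secret.
func ProvisionWithoutOTP(name string, mkek, secret []byte) (Device, error) {
	wrapped, err := WrapKey(mkek, secret)
	if err != nil {
		return Device{}, err
	}
	flash := append(append([]byte{}, mkek...), wrapped...)
	return Device{Name: name, OTP: nil, Flash: flash}, nil
}

// FlashExposes reports whether a flash dump contains the given bytes verbatim.
func FlashExposes(d Device, needle []byte) bool {
	return bytes.Contains(d.Flash, needle)
}

// RecoverFromDump is the threat-model check: given only the flash image, can
// the secret be unwrapped? With the MKEK in OTP the answer is no; with the
// no-OTP layout the MKEK is simply the first MKEKLen bytes of the dump.
func RecoverFromDump(d Device) ([]byte, error) {
	if d.OTP != nil {
		return nil, errors.New("MKEK is in OTP; the flash dump alone does not unwrap the secret")
	}
	if len(d.Flash) < MKEKLen {
		return nil, errors.New("flash image too short")
	}
	return UnwrapKey(d.Flash[:MKEKLen], d.Flash[MKEKLen:])
}

func main() {
	mkek := make([]byte, MKEKLen)
	if _, err := rand.Read(mkek); err != nil {
		panic(err)
	}
	secret := []byte("constructed sample private key") // constructed, not a real key
	secure, err := ProvisionWithOTP("RP2350 (MKEK in OTP)", mkek, secret)
	if err != nil {
		panic(err)
	}
	weak, err := ProvisionWithoutOTP("RP2040 (MKEK in flash)", mkek, secret)
	if err != nil {
		panic(err)
	}
	for _, d := range []Device{secure, weak} {
		_, err := RecoverFromDump(d)
		fmt.Printf("%s: MKEK in dump=%v, plaintext secret in dump=%v, secret recovered from dump=%v\n",
			d.Name, FlashExposes(d, mkek), FlashExposes(d, secret), err == nil)
	}
}
```

Running it shows the same secret wrapped the same way on both devices, yet only the no-OTP image yields it to someone holding a flash dump; that is the whole reason the table marks the RP2040's MKEK as "plaintext flash". Note that the model deliberately leaves out Secure Boot and Secure Lock, which are what stop unsigned code from reading the OTP region in the first place.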


Build for Raspberry Pico

Before building, ensure you have installed the toolchain for the Pico and that the Pico SDK is properly located on your drive.

git clone https://github.com/youruser/pico-fido2
cd pico-fido2
git submodule update --init --recursive
mkdir build
cd build
PICO_SDK_PATH=/path/to/pico-sdk cmake .. -DPICO_BOARD=board_type -DUSB_VID=0x1D50 -DUSB_PID=0x619B
make

Note that PICO_BOARD, USB_VID and USB_PID are optional. If they are not provided, the pico board and VID/PID 1D50:619B will be used.

Additionally, you can pass the VIDPID=value parameter to build the firmware with a known VID/PID. The supported values are:

  • NitroHSM
  • NitroFIDO2
  • NitroStart
  • NitroPro
  • Nitro3
  • Yubikey5
  • YubikeyNeo
  • YubiHSM
  • Gnuk
  • GnuPG

You can use whatever VID/PID you like for your own personal use, but remember that you are not authorized to distribute the binary with a VID/PID that you do not own. The VID/PID 1D50:619B is provided to the project by OpenMoko and may only be used for builds distributed under a free and open source license.

After running make, the binary file pico_fido2.uf2 will be generated. To load this onto your Pico board:

  1. Put the Pico board into loading mode by holding the BOOTSEL button while plugging it in.
  2. Copy the pico_fido2.uf2 file to the new USB mass storage device that appears.
  3. Once the file is copied, the Pico mass storage device will automatically disconnect, and the Pico board will reset with the new firmware.
  4. A blinking LED will indicate that the device is ready to work.

To configure your device, you can use the picoforge desktop application.

Drivers

Pico FIDO2 uses the HID driver for FIDO and the CCID driver for OpenPGP, both of which are present in all major operating systems. It should be detected by every OS, browser and application just like a normal USB FIDO key or smartcard.

License

This project is released under the GNU Affero General Public License v3 (AGPLv3). A copy of the AGPLv3 license is available in the LICENSE file.

Credits

This project uses libraries and portions of code from other projects, which are detailed in the LICENSE file.