Support Tillitis TKey as a signer #1149

Draft
jku wants to merge 3 commits into secure-systems-lab:mldsa from jku:tkey

jku (Collaborator) commented Jun 26, 2026

This includes support for a hardware key that supports ML-DSA. I'm leaving it as DRAFT for now:

  • The used device binary may be a little rough still
  • This PR is against the ML-DSA branch
  • The implementation depends on https://github.com/jku/keylet that I just created
  • Untested on Windows and Mac

Tests are AI-generated, otherwise this is my work.

Links:
https://www.tillitis.se/
https://github.com/tillitis/tkey-pq-device-signer

Design

  • TKey is interesting in that it has no long-term memory to store a signing key (or even a signing application). The process is:
    • USB device is plugged in, host application loads a device app into the device
    • Host application can also provide a passphrase given by the user
    • Device application constructs a private key by combining a device secret, device app and the passphrase (if any of these change, the key changes). The key can then be used for signing
    • When the device is unplugged, the key is wiped
  • This means the device binary is critical: a user must be able to keep using the same binary "forever". But upgrading the device binary must be possible as well
  • So the binaries must be "pinned" by the securesystemslib private key uri... but they are actually provided in the keylet project (so will not balloon the git repo here)
  • keylet library supports ed25519 as well... but the 4K payload limit makes it unsuitable for our use

This supports a Tillitis TKey hardware signer via a new Python
library 'keylet' that I just released.

The hardware key is somewhat unique in that the key is not stored long-term:
it's always generated from device id, passphrase and the signer binary (that
is always uploaded to the device). This is why the private key uri encodes the
device binary hash: the signing key can only be used with the exact same
device binary and passphrase.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
jku added 2 commits June 29, 2026 13:05
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
* Remove old TODO
* Remove unnecessary check
* formatting

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
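
The design notes above say the key changes whenever the device secret, device app or passphrase changes, and that the private key URI pins the device binary hash. As an added example (not code from this PR, securesystemslib or keylet), this Python model shows how a host-side pin check turns a silent key change into an explicit error. The function names, the SHA-256 pin and the BLAKE2s derivation are assumptions made for illustration, and all sample values are constructed.

```python
import hashlib
import hmac

# Constructed sample values; a real device secret never leaves the device.
DEVICE_SECRET = bytes(range(32))
APP_V1 = b"constructed device app image, version 1"
APP_V2 = b"constructed device app image, version 2"


def app_digest(device_app: bytes) -> str:
    """Digest identifying one exact device binary (SHA-256 is an assumption)."""
    return hashlib.sha256(device_app).hexdigest()


def derive_seed(device_secret: bytes, device_app: bytes, passphrase: bytes = b"") -> bytes:
    """Model of the on-device step: the seed is bound to all three inputs.

    Hypothetical construction, not the TKey firmware algorithm.
    """
    h = hashlib.blake2s(key=device_secret)
    # The app digest is a fixed 32 bytes, so the passphrase boundary is unambiguous.
    h.update(hashlib.blake2s(device_app).digest())
    h.update(passphrase)
    return h.digest()


def load_pinned(pinned_hex: str, device_app: bytes, passphrase: bytes = b"") -> bytes:
    """Host-side check: refuse to load any binary other than the pinned one."""
    if not hmac.compare_digest(app_digest(device_app), pinned_hex.lower()):
        raise ValueError("device binary does not match the pinned hash")
    return derive_seed(DEVICE_SECRET, device_app, passphrase)


def demo() -> dict:
    pin = app_digest(APP_V1)
    seed = load_pinned(pin, APP_V1, b"passphrase")
    try:
        load_pinned(pin, APP_V2, b"passphrase")
        upgrade_rejected = False
    except ValueError:
        upgrade_rejected = True
    return {
        "stable": seed == load_pinned(pin, APP_V1, b"passphrase"),
        "app_changes_key": seed != derive_seed(DEVICE_SECRET, APP_V2, b"passphrase"),
        "passphrase_changes_key": seed != load_pinned(pin, APP_V1, b"other"),
        "upgrade_rejected": upgrade_rejected,
    }
```

Without the pin, loading `APP_V2` would succeed and quietly yield a different key, so signatures would stop verifying against the published public key with no error at signing time.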