Skip to content
  • Pico HSM
Portada » Blog » Pico HSM 6.6

Pico HSM 6.6

We’re releasing Pico HSM v6.6, with a strong focus on security hardening, platform support, and build/runtime reliability.

Compared to v6.4, this release also includes important updates from the bundled Pico Keys SDK stack.

Highlights

  • Secure Boot support for ESP32 (beta integration path).
  • ESP32 LED HIGH/LOW support and ESP32-S2 support.
  • Upgrade to Pico Keys SDK 8.6.
  • Upgrade to Mbed TLS 3.6.6.
  • New security regression tests (including PKCS#11 regression coverage).
  • Added SDK BULK command support to reduce communication bandwidth.
  • Added SDK OpenSSL backend for emulation flows.

Security and Hardening Improvements

This release tightens several sensitive paths:

  • Improved ACL setup and ACL macro usage.
  • Private objects are now protected from read access without authentication.
  • PIN/MKEK handling migrated to a newer internal system.
  • Secure messaging validation strengthened (including MAC-length checks).
  • Anti-rollback and secure-boot/OTP internals updated.

Reliability and Build Fixes

We fixed multiple issues reported across environments and toolchains:

  • cyw43 and LED-related build issues.
  • MLKEM build fixes.
  • Include/link fixes (including mbedtls/OpenSSL backend linkage).
  • Strict non-prototype declaration warnings.
  • Secure Boot enable/check integration issues.
  • Bounds checking fixes in UPDATE EF.
  • secp521r1 compatibility fixes with newer OpenSSL.
  • Rare SDK race-condition fix.
  • Better handling for sc-hsm-tool false-negative exit codes.

Behavioral Changes

  • Removed legacy debug/unused code.
  • Removed legacy session PIN command/path.
  • OTP FIDO is no longer exposed through CCID when unavailable.
  • Memory layout and tests were updated accordingly.

Upgrade Notes

If you are upgrading from v6.4:

  1. Rebuild with the updated SDK/toolchain settings.
  2. Re-run your integration and PKCS#11 regression tests.
  3. Validate secure-boot and ACL-related behavior in your target environment.
  4. Review CCID behavior if your setup relied on OTP FIDO exposure.

Closing

v6.6 is a hardening and maturity release: better security defaults, broader ESP32 support, and a cleaner foundation for future features.

As always, feedback from production and lab deployments is welcome.

Tags:

About me

This is another project, as many I started.

Copyright