Hardware secure element for Agent Vault Protocol
FIPS 140-3 Level 3 · Tamper resistant · Keys never leave silicon
avp-hardware provides firmware and hardware designs for AVP-compatible secure elements. Keys are generated, stored, and used entirely within tamper-resistant silicon — they never touch the host computer's memory.
| Threat | File | Keychain | Hardware |
|---|---|---|---|
| Infostealer malware | ✗ | ✓ | ✓ |
| Credential phishing | ✗ | ✓ | ✓ |
| Full host compromise | ✗ | ✗ | ✓ |
| Memory dump | ✗ | ✗ | ✓ |
| Physical device theft | — | — | ✓ |
| Supply chain attack | ✗ | ✗ | ✓ |
| Insider threat | ✗ | ⚠ | ✓ |
Only hardware protects against all seven threat categories.
| Device | Secure Element | Interface | Status |
|---|---|---|---|
| AVP-SE1 | ATECC608B | USB-C | 🔨 In development |
| AVP-SE2 | Infineon SLE97 | USB-C | 📋 Planned |
| Device | Notes |
|---|---|
| YubiKey 5 | Via FIDO2/PIV (limited operations) |
| Nitrokey 3 | Full AVP support (community firmware) |
| OnlyKey | Full AVP support (community firmware) |
The AVP Hardware extension adds three operations:

Verify the device is genuine and untampered:

```bash
avp hw-challenge
# Challenge: 0x7f3a...
# Response: 0x9c2b...
# Verified: true
# Manufacturer: AVP Reference
# Model: SE1
# Firmware: 1.0.0
```

Sign data without the key ever leaving the device:

```bash
echo "payload" | avp hw-sign signing_key
# Signature: 0x3d7e...
```

Generate cryptographic proof that a secret is stored in hardware:

```bash
avp hw-attest anthropic_api_key
# Attestation Certificate:
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
#
# This proves the secret "anthropic_api_key" is stored in
# FIPS 140-3 Level 3 certified hardware and has never been exported.
```

The reference firmware is written in Rust (no_std) and runs on ARM Cortex-M microcontrollers.
```bash
cd firmware
cargo build --release --target thumbv7em-none-eabihf
cargo flash --chip ATSAME54P20A --release
```

- Secure boot — Firmware signature verification
- Anti-tamper — Zeroization on physical intrusion
- Side-channel resistance — Constant-time operations
- Memory protection — MPU isolation of key material
- Watchdog — Automatic reset on fault
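The two firmware properties that are easiest to get wrong in practice are the anti-tamper zeroization and the constant-time comparisons. The block below is an added example, not code from the avp-hardware firmware: it shows a `zeroize` that the optimizer cannot drop as a dead store, a variable-time comparison beside its constant-time replacement, and a `SecretKey` wrapper that wipes itself on drop. The `on_tamper` handler and the 32-byte key slot size are assumptions for the illustration. It uses only `core`, so the same code compiles for a `no_std` Cortex-M target and on a host for testing.

```rust
// Added example, not the avp-hardware firmware: zeroization and
// constant-time comparison primitives, written against `core` only.
use core::ptr;
use core::sync::atomic::{compiler_fence, Ordering};

/// Overwrite a buffer with zeros so the store survives optimization.
/// A plain `buf.fill(0)` on memory that is never read again is a dead
/// store the compiler may delete; `write_volatile` plus a compiler
/// fence keeps it in the emitted code.
pub fn zeroize(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusively borrowed u8.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Variable-time comparison: returns at the first mismatching byte, so
/// the time taken reveals how long the matching prefix is. Shown only
/// as the pattern to avoid when checking a PIN or a MAC.
pub fn naive_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    for i in 0..a.len() {
        if a[i] != b[i] {
            return false;
        }
    }
    true
}

/// Constant-time comparison: every byte is visited and the work per
/// byte does not depend on the data, so timing is independent of where
/// the inputs differ. Lengths are assumed public (fixed-size PIN hash
/// or MAC), which is why the length check may return early.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Key material that is wiped when it goes out of scope, so an early
/// return or a fault-triggered reset cannot leave a copy in RAM.
/// (32-byte slot size is an assumption for this example.)
pub struct SecretKey([u8; 32]);

impl SecretKey {
    pub fn new(bytes: [u8; 32]) -> Self {
        SecretKey(bytes)
    }
    pub fn as_bytes(&self) -> &[u8] {
        &self.0
    }
    pub fn is_zeroized(&self) -> bool {
        self.0.iter().all(|&b| b == 0)
    }
}

impl Drop for SecretKey {
    fn drop(&mut self) {
        zeroize(&mut self.0);
    }
}

/// Assumed tamper handler: on an intrusion signal, wipe every key slot
/// in place before the watchdog resets the part. Returns the number
/// of slots wiped.
pub fn on_tamper(slots: &mut [SecretKey]) -> usize {
    for k in slots.iter_mut() {
        zeroize(&mut k.0);
    }
    slots.len()
}
```

`naive_eq` and `ct_eq` return the same booleans; the difference is only visible in timing, which is exactly what a side-channel attacker measures, so the firmware should never use the first form on secret-dependent data.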
The reference schematic is available in KiCad format:
```
hardware/
├── avp-se1/
│   ├── avp-se1.kicad_sch      # Schematic
│   ├── avp-se1.kicad_pcb      # PCB layout
│   ├── avp-se1-bom.csv        # Bill of materials
│   └── avp-se1-gerbers.zip    # Manufacturing files
```
| Component | Part Number | Purpose |
|---|---|---|
| MCU | ATSAME54P20A | Main controller |
| Secure Element | ATECC608B | Key storage & crypto |
| USB | USB-C connector | Host interface |
| ESD | TPD2E2U06 | Protection |
Gerber files and BOM are ready for JLCPCB/PCBWay. Estimated cost: ~$15/unit at 100 qty.
- FIPS 140-3 Level 3 — In progress (ATECC608B is FIPS certified)
- Common Criteria EAL5+ — Planned
- PCI PTS — Planned
The hardware communicates using the AVP protocol over USB CDC (serial):
```
Host                        Device
 │                              │
 │──── DISCOVER ───────────────>│
 │<─── capabilities ────────────│
 │                              │
 │──── AUTHENTICATE (PIN) ─────>│
 │<─── session_id ──────────────│
 │                              │
 │──── STORE (encrypted) ──────>│
 │<─── ok ──────────────────────│
 │                              │
 │──── HW_SIGN (payload) ──────>│
 │<─── signature ───────────────│
```
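The security property of this exchange is that STORE and HW_SIGN are only honoured inside a session opened by a successful AUTHENTICATE, and that no message ever returns key material. The following is an added example, not the avp-hardware firmware or its wire format: a host/device simulation of the sequence above. The message field names, the session rule, the PIN retry limit of three, and the lockout behaviour are assumptions; `toy_sign` is a non-cryptographic keyed hash standing in for the ATECC608B's ECDSA P-256 so the block runs without any crate.

```rust
// Added example, not the avp-hardware firmware or wire format: a
// device-side state machine for the AVP exchange plus the host sequence.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq)]
pub enum Request {
    Discover,
    Authenticate { pin: Vec<u8> },
    Store { session: u64, name: String, blob: Vec<u8> },
    HwSign { session: u64, key: String, payload: Vec<u8> },
}

#[derive(Debug, Clone, PartialEq)]
pub enum Response {
    Capabilities { model: &'static str, ops: Vec<&'static str> },
    SessionId(u64),
    Ok,
    Signature(u64),
    Error(&'static str),
}

const MAX_PIN_ATTEMPTS: u8 = 3; // assumed retry limit

/// Device-side state. No Request variant returns `pin` or `secrets`:
/// material goes in, only results come out.
pub struct Device {
    pin: Vec<u8>,
    failed_attempts: u8,
    locked: bool,
    next_session: u64,
    session: Option<u64>,
    secrets: HashMap<String, Vec<u8>>,
}

/// TOY keyed hash (FNV-1a over key || payload). Not a signature scheme;
/// it only models an output that depends on key material the host never sees.
pub fn toy_sign(key: &[u8], payload: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for &b in key.iter().chain(payload.iter()) {
        h ^= b as u64;
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h
}

/// Constant-time byte comparison for the PIN check.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |d, (x, y)| d | (x ^ y)) == 0
}

impl Device {
    pub fn new(pin: &[u8]) -> Self {
        Device { pin: pin.to_vec(), failed_attempts: 0, locked: false,
                 next_session: 1, session: None, secrets: HashMap::new() }
    }

    fn session_ok(&self, id: u64) -> bool {
        self.session == Some(id)
    }

    pub fn handle(&mut self, req: Request) -> Response {
        match req {
            Request::Discover => Response::Capabilities {
                model: "SE1", ops: vec!["AUTHENTICATE", "STORE", "HW_SIGN"],
            },
            Request::Authenticate { pin } => {
                if self.locked {
                    return Response::Error("locked: PIN retry limit reached");
                }
                if ct_eq(&pin, &self.pin) {
                    self.failed_attempts = 0;
                    let id = self.next_session;
                    self.next_session += 1;
                    self.session = Some(id);
                    Response::SessionId(id)
                } else {
                    self.failed_attempts += 1;
                    if self.failed_attempts >= MAX_PIN_ATTEMPTS {
                        self.locked = true;
                    }
                    Response::Error("bad PIN")
                }
            }
            Request::Store { session, name, blob } => {
                if !self.session_ok(session) {
                    return Response::Error("not authenticated");
                }
                // Assumed: `blob` arrives transport-encrypted; kept as received here.
                self.secrets.insert(name, blob);
                Response::Ok
            }
            Request::HwSign { session, key, payload } => {
                if !self.session_ok(session) {
                    return Response::Error("not authenticated");
                }
                match self.secrets.get(&key) {
                    Some(k) => Response::Signature(toy_sign(k, &payload)),
                    None => Response::Error("no such key"),
                }
            }
        }
    }
}

/// Host side of the diagram: DISCOVER, AUTHENTICATE, STORE, HW_SIGN in
/// order, returning the signature or the first error encountered.
pub fn host_sign(dev: &mut Device, pin: &[u8], name: &str, key: &[u8], payload: &[u8]) -> Response {
    dev.handle(Request::Discover);
    let sid = match dev.handle(Request::Authenticate { pin: pin.to_vec() }) {
        Response::SessionId(id) => id,
        other => return other,
    };
    if let Response::Error(e) = dev.handle(Request::Store {
        session: sid, name: name.to_string(), blob: key.to_vec() }) {
        return Response::Error(e);
    }
    dev.handle(Request::HwSign { session: sid, key: name.to_string(), payload: payload.to_vec() })
}
```

A real device would also bind the session to the USB CDC connection and expire it, and the PIN would be compared against a stored hash rather than the raw bytes; those details are left out so the authorization logic stays visible.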
We need:
- Hardware engineers — Review schematic, suggest improvements
- Firmware developers — Rust embedded experience
- Security researchers — Audit firmware and protocol
- Beta testers — Test pre-production units
See CONTRIBUTING.md.
- Firmware: Apache 2.0
- Hardware: CERN Open Hardware License Version 2 - Strongly Reciprocal (CERN-OHL-S-2.0)