Introduction
Note: For affected users seeking immediate guidance, please refer to Dasharo Security Bulletin DSB-001. This blog post provides additional technical context and details.
This report serves as a disclosure and post-mortem analysis of a critical incident identified on 5th December 2025 affecting Dasharo firmware for NovaCustom V540TU and V560TU platforms. A release engineering error resulted in firmware binaries signed with an ephemeral testing key being published for the Dasharo TrustRoot fusing operation instead of binaries signed with the production key.
Users who performed the fusing operation between 24th October and 5th December 2025 may have irreversibly written the wrong cryptographic key hash into their SoC’s Field Programmable Fuses (FPF). Because these fuses are One-Time Programmable and the ephemeral key’s private component is no longer accessible, affected devices cannot receive future firmware updates.
This document provides a technical breakdown of what happened, why software recovery is impossible, and the corrective measures implemented to prevent recurrence.
The Dasharo Tools Suite (DTS) is the vehicle for delivering and maintaining Dasharo firmware updates. Built as a minimal Linux distribution based on the Yocto Project, DTS boots directly on the target hardware to perform low-level maintenance tasks that are often impossible from within a standard operating system. It interfaces with the SPI flash controller, the Embedded Controller (EC), and the Intel Management Engine.
One of the recently added DTS features is fusing the device vendor keys.
The fusing operation involves writing to One-Time Programmable (OTP) registers within the chipset. DTS is designed to abstract the complexity of this operation, wrapping potentially dangerous tasks in a user-friendly workflow. In this incident, DTS executed the fusing operation correctly according to its design, but the firmware binary it was instructed to use had been incorrectly selected by the release engineer.
The concept of owner-controlled security
The incident highlights the inherent risks of owner-controlled security. In a traditional firmware deployment model, the vendor manages the keys, the fusing, and the updates. In the Dasharo model, the user has the ability to choose. When a user chooses to fuse their platform, they are essentially performing a final assembly factory procedure on their own desk. They are instructing the silicon to reject any code that does not match the cryptographic signature of the vendor (in this case: NovaCustom). This places a large burden of reliability on the supply chain delivering the payload for that operation. The failure discussed here was a breach of that reliability.
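As an added illustration (not Dasharo's or NovaCustom's release tooling, and not from the original post), a fail-closed release gate for the class of error described above: before anything is published for fusing, the hash of the key that signed it must equal a pinned production key hash. The artifact names, the `channel` field, the use of SHA-256 and the key bytes are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed stand-ins for public-key bytes. Extracting the real signing key
# from a firmware image is vendor-specific and out of scope for this sketch.
PROD_PUBKEY = b"constructed-production-public-key"
TEST_PUBKEY = b"constructed-ephemeral-test-public-key"

# In practice a reviewed constant pinned out of band; computed here only
# because the key itself is constructed. SHA-256 is an assumption.
PINNED_PROD_HASH = hashlib.sha256(PROD_PUBKEY).hexdigest()


def key_hash(pubkey: bytes) -> str:
    """Digest of the signer's public key, i.e. the value a fuse would pin."""
    return hashlib.sha256(pubkey).hexdigest()


def gate_fusing_release(artifacts: list[dict], pinned_hash: str) -> list[str]:
    """Return names of artifacts that must NOT be published for fusing.

    Fails closed: missing signer data or any non-pinned key hash blocks.
    """
    blocked = []
    for art in artifacts:
        if art.get("channel") != "fusing":
            continue  # only the irreversible channel is gated in this sketch
        pubkey = art.get("signer_pubkey")
        ok = pubkey is not None and hmac.compare_digest(
            key_hash(pubkey), pinned_hash
        )
        if not ok:
            blocked.append(art["name"])
    return blocked


# Constructed release manifest (hypothetical names and fields).
RELEASE = [
    {"name": "fw-a.rom", "channel": "fusing", "signer_pubkey": PROD_PUBKEY},
    {"name": "fw-b.rom", "channel": "fusing", "signer_pubkey": TEST_PUBKEY},
    {"name": "fw-c.rom", "channel": "fusing"},  # no signer information
    {"name": "fw-d.rom", "channel": "update", "signer_pubkey": TEST_PUBKEY},
]

if __name__ == "__main__":
    blocked = gate_fusing_release(RELEASE, PINNED_PROD_HASH)
    print("blocked for fusing:", blocked)
    raise SystemExit(1 if blocked else 0)
```

Because the check compares against a pinned value rather than anything carried by the artifact, an image signed with the wrong key cannot vouch for itself.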