I looked at the Tropic Square datasheet and it would not be able to offer the StrongBox keystore protection level, throttling, or support for insider attack protection. So basically not usable for this purpose.
It would be possible to do it with what Iām working on, along with some custom eSE applet-like functionality (sandboxed).
Considering it is a Trezor offshoot, no surprise. I would imagine their goal is to use it for their HWWs firstly. It's why they started it.
The chip also is too expensive for what it does. They had some preliminary pricing but that is it.
I feel like it is a huge wasted opportunity, but oh well.
Was just writing my reply when you sent yours.
With this, there would have to be a closed and immutable boot code of the secure element, otherwise the rest could be mostly open, allowing stronger firmware verification.
Insider attack protection would be implemented as system-controlled flag that decides whether data transfer is allowed across applet upgrades. This could require the owner to authenticate, so it would fulfill that requirement.
Requiring the KeyStore applet be signed by a trusted party + issuing an attestation certificate to it would also tick that box.
