For Nitrokey Storage our plan is to build the firmware with a high optimization (high compression), fill all remaining flash storage with random but known data. The flash capacity is 256 KB so that the exported firmware will be 256 KB including the random data. The entire 256 KB blob would be compared to a known valid firmware image. Ideally the user would remove the MicroSD card before performing the export so that no storage is available to hide a malicious firmware. This way we make it much harder for a malicious firmware to hide itself.
For Nitrokey Storage our plan is to build the firmware with a high optimization (high compression), fill all remaining flash storage with random but known data. The flash capacity is 256 KB so that the exported firmware will be 256 KB including the random data. The entire 256 KB blob would be compared to a known valid firmware image. Ideally the user would remove the MicroSD card before performing the export so that no storage is available to hide a malicious firmware. This way we make it much harder for a malicious firmware to hide itself.