Comment by R0b0t1
6 years ago
The FPGAs could still be backdoored, and the WiFi chipset should receive a fair bit of suspicion. But I guess it is a good first step.
6 years ago
The FPGAs could still be backdoored, and the WiFi chipset should receive a fair bit of suspicion. But I guess it is a good first step.
It’d be a pretty gargantuan task to backdoor the FPGA silicon itself. You’d have to have compromised Xilinx’s software and had some idea of what signals you want to tap. Kinda interesting to think about... I suppose that’s were open source tools for FPGAs would be nice.
The image? Sure, could easily be backdoored, but that’s what open source is for; auditability.
Edit: FPGA silicon is kinda backdoored by definition thanks to JTAG configurability/readability. (Barring cases where keys are used.) So I think the really interesting thing would be addition of nefarious logic by the design tools.
Well, yes, but in the past this type of device would be floated as an attempt to fight state-level actors. And... it can't do that. That's all I'm pointing out.
Either the silicon, the synthesis software, or both could be compromised. Per leaked documents usually what gets attacked is random number generation, but there are more avenues I am sure.
You can usually turn off JTAG, but having JTAG or other debug interface not be permanently disabled is actually an exploit class.
What’s stopping the toolchain for your micro from being backdoored as well? The chain of trust has to start somewhere.
4 replies →
the iCE40 chip used is supported by icestorm/yosys/nextpnr stack.
But I do not know if the Xilinx reversing effort supports the Xilinx chip. That project is in a much earlier state of development.
And I do have to wonder if an ecp5 (supported by trellis project) wouldn't have been able to do the job.
That could be true even if you sourced and programmed them yourself, no? We already know that AMD/PSP and Intel/ME are back footed, for example.
How deep do you want to go down the rabbit hole? Are you capable of fabbing your own silicon?
interestingly, bunnie's previous take has been that fabbing your own silicon is likely less secure than using an fpga due to supply chain security
if your asic if compromised in tranist, it's a total game over. if your fpga is compromised in transit, the attacker has to have some knowledge of target bitstream
it has been argued that by making it easy for end users to rearrange the bitstream, an fpga can be more secure than an asic
https://www.bunniestudios.com/blog/?p=5706
I looked through the link and that does not seem to be what he says. He is just talking about how much verification you need to do, like I am trying to do.
It is shortsighted to view making your own ASIC as less secure. The supply chain weaknesses exist whether or not you make your own hardware. Making your own hardware can potentially limit your exposure to systemic baked in vulnerabilities. Additionally, after-manufacture exploits (as in the NSA interdiction of Cisco router shipments) are easier for mass produced goods.
There are likely edge cases involving small, easier to bribe manufacturers, but I'm not sure you can make broad generalizations on that possibility alone.
2 replies →
The article actually posted to this HN thread contradicts that or at least would imply a change of stance:
> We are also using the FPGA in Precursor to validate our SoC design, which will eventually give us the confidence we need to tape out a full-custom Betrusted ASIC, thereby lowering production costs while raising the bar on hardware security.
2 replies →
There's a small-scale IC fabrication system under development. It costs $5-30M, fits in an office, and can manufacture 0.5-inch wafers with CMOS and MEMS. The company provides training and rents out time on the machines.
https://news.ycombinator.com/item?id=24540562