Comment by WalterBright

2 years ago

The extra hardware registers might have been discovered by examining the chip itself. One could find where the registers were on it, and notice some extra registers, then do some experimenting to see what they did.

Maybe, but chips already have vast, vast, quantities of physical registers in a big blob.

Assuming it wasn't a lucky guess, timing attacks are often used to find this stuff.

Isn't it easier just to pay one of the hundreds of employees who have access to the chip design? Or even get it without paying by appealing to patriotism?

  • How many ex-Apple employees work(ed) at NSA? It may just have been the right person doing their regular 9-5 job, with no subterfuge. The list of employers for hardware security folks is likely a couple of dozen companies, and Apple and NSA are among the most prestigious of them. I expect some employees to move in both directions.

    • I know of two, one from my team. Don't know how long they stayed there, though.

  • Or just covertly tell Apple to hand over its documentation / to knowingly leave gaps in the defenses for NSA to exploit.

> The extra hardware registers might have been discovered by examining the chip itself.

Perhaps. But it's easier to phone the technical librarian and say "Hi! I'm Bob from the password inspection department. Can you verify your current password for me?"

Do you know how this is possible? Would decapping the SoC or taking an X-ray of it provide a physical map of the registers?

  • You can find the register file relatively easily because it's a block of memory that's the same on each core but isn't cache, but it isn't a 1:1 map from architectural registers that we would recognize: the chip is designed to find an optimal allocation of slots in the register file to runtime values.
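To illustrate the point in that last comment about the register file not being a 1:1 map of architectural registers, here is a toy register-renaming allocator. It is an added example, not code from any commenter or from Apple: the register-file sizes, the free-list policy and the immediate retirement of overwritten values are all simplifying assumptions, but the behaviour it shows (the same architectural register landing in a different physical slot on every write) is the real reason a physical map of the register file tells you little about which architectural or undocumented register a given slot holds at runtime.

```python
"""Toy register renaming: architectural registers are mapped onto a larger
physical register file through a Register Alias Table (RAT).  Constructed
example with assumed sizes; not a model of any specific core."""
from dataclasses import dataclass, field


@dataclass
class RenameUnit:
    n_arch: int          # architectural registers visible to software
    n_phys: int          # physical slots in the register file (assumed larger)
    rat: list = field(init=False)   # arch reg -> physical slot currently holding its value
    free: list = field(init=False)  # physical slots not holding a live value

    def __post_init__(self):
        if self.n_phys <= self.n_arch:
            raise ValueError("physical file must be larger than architectural set")
        self.rat = list(range(self.n_arch))            # initially arch i lives in phys i
        self.free = list(range(self.n_arch, self.n_phys))

    def write(self, arch_reg):
        """Rename a write to arch_reg: allocate a fresh physical slot.
        Returns (old_slot, new_slot)."""
        if not self.free:
            raise RuntimeError("rename stall: no free physical registers")
        new = self.free.pop(0)
        old = self.rat[arch_reg]
        self.rat[arch_reg] = new
        return old, new

    def retire(self, phys_reg):
        """Return a physical slot to the free list once its value is dead."""
        self.free.append(phys_reg)


def trace(writes, n_arch=4, n_phys=8):
    """Run a sequence of architectural-register writes through the renamer and
    return [(arch_reg, physical_slot), ...] showing where each value landed.
    Simplification: the previous value of a register is retired as soon as it
    is overwritten (a real core waits until no in-flight instruction needs it)."""
    ru = RenameUnit(n_arch, n_phys)
    landing = []
    for a in writes:
        old, new = ru.write(a)
        landing.append((a, new))
        ru.retire(old)
    return landing


def distinct_slots(writes, **kw):
    """How many different physical slots a single stream of writes touched."""
    return len({phys for _, phys in trace(writes, **kw)})


if __name__ == "__main__":
    # Three consecutive writes to architectural register 0 end up in three
    # different physical slots, so no fixed slot "is" register 0.
    for arch, phys in trace([0, 0, 0]):
        print(f"write r{arch} -> physical slot {phys}")
```

Because every write is renamed onto whichever slot is free, a decapped die or X-ray shows you a uniform block of identical storage cells; the mapping from cells to the registers software (or an attacker) cares about changes instruction by instruction and lives in the RAT, not in the layout.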