SoylentNews is people
SoylentNews
Arthur T Knackerbracket has found the following story:
OpenTitan – an open-source blueprint for a Root of Trust (RoT) system-on-chip based on RISC-V and managed by a team in Cambridge, UK – was teased by Google along with several partners today.
Hardware RoT is a means of verifying the firmware and system software in a computing device has not been tampered with, enabling features such as secure boot. Hardware RoT can also verify the integrity and authenticity of software updates, and prevent a system from being rolled back to an earlier version with known vulnerabilities. It is the lowest-level security piece in a trustworthy system.
But can you trust the RoT itself? The goal of OpenTitan is to provide an open-source design for RoT silicon so that it is (as far as possible) open for inspection.
The OpenTitan SoC will use the RISC-V open-source CPU instruction set architecture, and will be managed by lowRISC, a nonprofit in Cambridge, which has "an open-source hardware roadmap in collaboration with Google and other industry partners," we're told.
Today's announcement comes from Google, Western Digital, the ETH Zurich university, chip maker Nuvoton Technology, and friends.
The Apache 2.0-licensed OpenTitan SoC will include the lowRISC Ibex microprocessor design, cryptographic coprocessors, a hardware random-number generator, volatile and non-volatile storage, IO peripherals, and additional defensive mechanisms. It can be used in any kind of device, from servers and smartphones to Internet-of-Things gadgets.
-- submitted from IRC
(Score: 3, Insightful) by ikanreed on Wednesday November 06 2019, @04:31PM (10 children)
But it's only ever going to be used to enforce walled gardens and I hate it due to that reality.
(Score: 4, Insightful) by takyon on Wednesday November 06 2019, @04:39PM (6 children)
That's not necessarily true. There are many computers that have secure boot features that can't be described as walled gardens. Throw this in there in place of whatever closed Management Engine they use, and you have (probably) improved the situation.
Best case scenario, this gets paired with AMD, ARM (not by Softbank/ARM itself), or high performance RISC-V cores. Worst case scenario, nobody uses it and Google sends their own implementations to the graveyard.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 3, Interesting) by captain normal on Wednesday November 06 2019, @05:04PM (5 children)
What if you want to root your phone? Or your computer, or your IOT devices? A lot of us have rooted our devices just to get rid of OEM crapware. I guess if it's really open source maybe we can still hack to improve our own devices...or will we be able to?
Everyone is entitled to his own opinion, but not to his own facts"- --Daniel Patrick Moynihan--
(Score: 2) by takyon on Wednesday November 06 2019, @05:15PM (1 child)
"We'll see."
My guess is that it would never be used in any smartphone except something niche like PinePhone or a crowdfunded phone.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Wednesday November 06 2019, @06:51PM
That 'non-volatile storage' they mention will have a stage0 bootloader permanently fused into it, like the bootblocks in most ARM SoCs and that per device signatures and checksum/signing of all running code will be required on next generation software and media.
Long story short; This will be the end of open computing even if every piece of hardware and every piece of software is 'open source', because 'blank' Trust chips will be unavailable to all but the moneyed few.
(Score: 2) by darkfeline on Thursday November 07 2019, @06:44AM (2 children)
What if your maid wants to root your phone? Root == compromise. Instead of buying a device just to compromise it, why not secure it with your own trusted key? This allows you to do that.
Join the SDF Public Access UNIX System today!
(Score: 2) by captain normal on Thursday November 07 2019, @06:52PM (1 child)
First of all if you have a maid, you are likely living way above my pay grade. I do not find it demeaning to help clean up around the house, do laundry, wash dishes, cook or serve meals. If you do have servants in your household, then you are at their mercy when it comes to guarding your secrets.
Second, how does having a device that I do not have control over make it more secure?
Everyone is entitled to his own opinion, but not to his own facts"- --Daniel Patrick Moynihan--
(Score: 0) by Anonymous Coward on Thursday November 07 2019, @09:41PM
A device with a trust root that you have control over can be made more secure than one without it. You could replace all the trust keys with your own at which point no software you have not personally signed can be loaded or run.
(Score: 2) by DannyB on Wednesday November 06 2019, @05:03PM (2 children)
Yes. But it also can be used to secure your own systems against others. To prevent walled gardens. To prevent corporate injection of crapware. Remember the 2005 SONY Rootkit on an audio CD that installed if you put the CD into your computer?
When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
(Score: 2) by ikanreed on Wednesday November 06 2019, @05:06PM (1 child)
To this day, it's still not clear to me what they thought they were going to accomplish with that one.
(Score: 2) by DannyB on Wednesday November 06 2019, @06:36PM
These are copyright maximalist people. They have their own delusional world.
I believe they thought they could get their rootkit onto many PCs and then prevent copyright infringement. The rootkit was intended to prevent ripping audio CDs -- not just SONY's.
When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
(Score: 1) by fustakrakich on Wednesday November 06 2019, @04:41PM (4 children)
Don't trust anything with the word "Cambridge" in it, much less Google!
La politica e i criminali sono la stessa cosa..
(Score: 0) by Anonymous Coward on Wednesday November 06 2019, @04:54PM
Beat me to it!
(Score: 0) by Anonymous Coward on Wednesday November 06 2019, @05:01PM (2 children)
I'm not sure why "Cambridge" is untrustworthy, but i mostly agree, if they're in a five eyes country, their silicon is less trustworthy.
Google/Doubleclick is a huge red flag to me personally.
Do they plan on releasing toolchain to build and sign custom firmware for this?
I don't see how one can ever validate that this device is under one's control.
Also seems as if there is no validating if the published design matches whats on the chip.
Also the heretical language they use - "root of trust", "Anchoring trust in silicon", "Provide authoritative, tamper-evident audit records and other runtime security services".
Provide to whom, shirley not to the shmuck that buys it?
Fuck Doubleclick. Fucking economics cultists.
(Score: 2) by takyon on Wednesday November 06 2019, @05:17PM
If it is actually open, it could be created by other companies without any involvement from Google.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Wednesday November 06 2019, @06:10PM
Because Chinese (PRC *and* ROC), Russian, Korean and Japanese silicon is so much *more* trustworthy, right?
You have to grade on a curve, otherwise it's back to slide rules and abacuses for you!
(Score: 2) by progo on Wednesday November 06 2019, @06:15PM (2 children)
I live in New York City. We used to have leather or rubber straps to hold onto while standing on a train. Now we have steel bars. Literally no one who lives and works in New York City calls MTA riders "straphangers", but for some reason some of the local media insist on using that word. It makes them sound completely out of touch.
I have a feeling the situation is exactly the same with The Register and "boffins".
(Score: 4, Informative) by takyon on Wednesday November 06 2019, @06:43PM
Take a swig of hooch and you'll feel better about it.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by Pino P on Friday November 08 2019, @02:02PM
I personally encountered "Boffin" as a surname for HOBBIT® characters [halloftimelibrary.com] in J. R. R. Tolkien's The Lord of the Rings before I encountered it in El Reg.