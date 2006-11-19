from the trust-must-be-earned dept.
OpenTitan – an open-source blueprint for a Root of Trust (RoT) system-on-chip based on RISC-V and managed by a team in Cambridge, UK – was teased by Google along with several partners today.
Hardware RoT is a means of verifying the firmware and system software in a computing device has not been tampered with, enabling features such as secure boot. Hardware RoT can also verify the integrity and authenticity of software updates, and prevent a system from being rolled back to an earlier version with known vulnerabilities. It is the lowest-level security piece in a trustworthy system.
But can you trust the RoT itself? The goal of OpenTitan is to provide an open-source design for RoT silicon so that it is (as far as possible) open for inspection.
The OpenTitan SoC will use the RISC-V open-source CPU instruction set architecture, and will be managed by lowRISC, a nonprofit in Cambridge, which has "an open-source hardware roadmap in collaboration with Google and other industry partners," we're told.
Today's announcement comes from Google, Western Digital, the ETH Zurich university, chip maker Nuvoton Technology, and friends.
The Apache 2.0-licensed OpenTitan SoC will include the lowRISC Ibex microprocessor design, cryptographic coprocessors, a hardware random-number generator, volatile and non-volatile storage, IO peripherals, and additional defensive mechanisms. It can be used in any kind of device, from servers and smartphones to Internet-of-Things gadgets.
(Score: 2) by ikanreed on Wednesday November 06, @04:31PM (4 children)
But it's only ever going to be used to enforce walled gardens and I hate it due to that reality.
(Score: 2) by takyon on Wednesday November 06, @04:39PM (1 child)
That's not necessarily true. There are many computers that have secure boot features that can't be described as walled gardens. Throw this in there in place of whatever closed Management Engine they use, and you have (probably) improved the situation.
Best case scenario, this gets paired with AMD, ARM (not by Softbank/ARM itself), or high performance RISC-V cores. Worst case scenario, nobody uses it and Google sends their own implementations to the graveyard.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by captain normal on Wednesday November 06, @05:04PM
What if you want to root your phone? Or your computer, or your IOT devices? A lot of us have rooted our devices just to get rid of OEM crapware. I guess if it's really open source maybe we can still hack to improve our own devices...or will we be able to?
(Score: 2) by DannyB on Wednesday November 06, @05:03PM (1 child)
Yes. But it also can be used to secure your own systems against others. To prevent walled gardens. To prevent corporate injection of crapware. Remember the 2005 SONY Rootkit on an audio CD that installed if you put the CD into your computer?
Console: (verb) To comfort someone in a time of grief because they are forced to use the command line.
(Score: 2) by ikanreed on Wednesday November 06, @05:06PM
To this day, it's still not clear to me what they thought they were going to accomplish with that one.
(Score: 1) by fustakrakich on Wednesday November 06, @04:41PM (2 children)
Don't trust anything with the word "Cambridge" in it, much less Google!
That is not my dog.
(Score: 0) by Anonymous Coward on Wednesday November 06, @04:54PM
Beat me to it!
(Score: 0) by Anonymous Coward on Wednesday November 06, @05:01PM
I'm not sure why "Cambridge" is untrustworthy, but i mostly agree, if they're in a five eyes country, their silicon is less trustworthy.
Google/Doubleclick is a huge red flag to me personally.
Do they plan on releasing toolchain to build and sign custom firmware for this?
I don't see how one can ever validate that this device is under one's control.
Also seems as if there is no validating if the published design matches whats on the chip.
Also the heretical language they use - "root of trust", "Anchoring trust in silicon", "Provide authoritative, tamper-evident audit records and other runtime security services".
Provide to whom, shirley not to the shmuck that buys it?
Fuck Doubleclick. Fucking economics cultists.