I’d be wary about firmware signing. Yes, I am all for signing fw. No, I am against forcing signatures - that would prohibit users from tampering with their own stuff.
I’d have a similar but different requirement:
Make the firmware accessible, via JTAG or other mechanism. That will allow easy integrity checks, while preserving the users’ flexibility.
Optionally, provide firmware source codes so they can be audited and compiled and loaded as a known-good firmware by the end user.
Ideally, leverage opensource hardware; the openness has great advantages, including but not limited to security-wise.
Firmware Must Be Signed! What? By certificates issued through an x.509 CA/RA infrastructure, verified through DNS - to servers backed by HSM with private-key access controls authenticated by Gemalto smart cards?
Turtles! Yes my friend. Once again, all the way down.
A SHA256 hash published on the vendor’s web, possibly with the hash in a blockchain with older versions to establish its history, and backed up in search engine caches and on archive.org and a million other places, sprinkled with GPG signatures of multiple trusted persons, should be good enough. No need for the stinkin’ PKI with corruptible CAs and holey software.
What if the firmware is signed by the manufacturer under duress?
That’s why the source code should be released too.
YES! Let us demand DRM for our hardware! It’s the only way for us to be safe! Think of the CHILDREN!
No. Just no. Signing is evil. Being able to check checksums should be sufficient, without having to dick with code signing which is expensive and designed to deter small businesses, and doesn’t even do what it’s supposed to. It’s supposed to establish an unbroken web of trust, but in truth, that web is as strong as only its weakest link, and there is no earthly reason to “trust” anyone in that web, and very good reasons to believe that they have massive incentives to be untrustworthy, and massive incentives for others to subvert that misplaced trust…
If someone has physical access to your hardware, they can make it insecure anyway, whatever kind of faux security you try to have: that’s the reality of DRM-style “protections”. If someone has remote access to your hardware, and is able to write to it, then either 1) they can write to the bit that checks the signature or checksum or whatever, in which case there’s no security, or 2) they cannot, which means that certificates can never be added or revoked, which means there is no security.
So I vastly prefer the “JTAG and open source” idea.
Having Cheap, usable, open-source JTAG software and hardware, and either open source or at least published checksums, would be a big jump in the right direction. Requiring code-signing of firmware would be barking up the wrong tree. If you want to rely on some “web of trust” nonsense, then by all means, publish your checksums on an HTTPS page.
Checksums good. Signing bad and counterproductive and chilling to development.
It’d probably be easier to just get people to be nice and stop trying to fuck with other people’s stuff. That’ll happen before hard drive manufacturers open up their firmware. Especially when that firmware probably contains code they feel gives them a competitive edge.
Leverage open hardware.
We need some Really Good reverse-engineering tools. Make it easier to get to the secret sauces; that will make the information more available, act as a (mild, but…) disincentive against keeping them secret, and allow finding the unwanted sauces (built-in backdoors).
Making hardware in bulk amounts for cheap is not so easy. We can leave it on the existing vendors. But we should have what OpenWRT is for SOHO routers, in many more contexts.
This topic was automatically closed after 5 days. New replies are no longer allowed.
