Oddbean new post about | logout
Semisol | 6 days ago (raw) | root | parent | reply | flag 
 still, a pointless attempt.

coldcard for example has a dedicated privileged flash segment (the “boot ROM” which is not ROM at all) that handles retrieving the key and could store the PIN/root key in its small flash segment

it is not truly verifiable without ripping out the chip and faulting it
Semisol | 6 days ago (raw) | root | parent | reply | flag +1 
 the goals of security and verifiability are inherently conflicting as to verify you need a chip that anyone can check the content of, but for security you want a chip that no one can see the content of

the MCU may have open source code but the moment it is compromised it could log your PIN on next attempt
LeoWandersleb | 6 days ago (raw) | root | parent | reply | flag 
 That is why I came to like the combination of SE and MCU where the SE is oblivious to what the MCU stores but the MCU stores all secrets with a key only the SE knows. What's wrong with that? Now the auditor can treat the SE as a black box that yields a key encryption key only if provided with a secret but bricks itself if the secret cannot be provided in x attempts.

You say, Coldcard could do something shady in their not-a-ROM boot ROM? But that's MCU side, right? So can we audit it? Or are you talking about the hardware not being what they claim it is?
Semisol | 6 days ago (raw) | root | parent | reply | flag 
 Yes, MCU side.

We cannot audit the MCU because there’s code protection measures unless you were to have equipment to do a fault attack on it, and this needs to apply to every user.
roostertail | 4 days ago (raw) | root | parent | reply | flag 
 How about the OpenTitan project? It's FOSS and being used in Google's Titan chips