Of course.

That applies to any silicon unless you fab it yourself.

But even if they did they allow them to use all this open source to forbid installing software the user wants in hardware the user owns.

They just install proper free software and a public key in the hardware they sell you and keep the private key secret (if they can, they become a more attractive target than you, and defectors, spies, attackers or bribers get more bang for their steal, while the vendor's current or future government or dictator can possibly obtain their private key anyway).

The fact that the owner of the private key (hardware vendor) is using free software does not mean that the system will let you install
the free software you want. You could (if you believe them that they're really using the published sources, as Anux et al. said) at most study, share and modify their free software, but you could not install it with your (or the community) modifications or run it in the device you use. Tivoization with free software is still evil.

Or they can allow it but then allow your bank to refuse you connecting with their web server because the software you trust is not the software they trust.
And the organization hosting the media you watch or listen, and the government, and your health provider, and ...

The fundamental problem under tivoization is that they want to sell trust and security to people who don't want to understand trust or security, so they end up not trusting their customer (because if the customer had the power to do their will, scammers can trick the customer to do what the vendor or the customer don't want). Any scheme in which computers control people instead of people control computers ends up in abuse, because since the computers have no free will, it's always someone else who controls the computer that controls the user.

Yes, but if you buy a AMD CPU you have no chance to check if they really implemented it like they say it is. So it's still a black box.

linuxgeex your arguments are really intriguing. Though you must understand that some people really cannot see the bigger picture and/or the implication of this open source project. Most people see the backing and thinking "yeah, because I can trust these ones for anything else right?" and they are right in their skeptical attitude.

People usually see that open source means that everyone can see thus manipulate, yeah there are always bad actors among humans but the opposite is also the case (since there are literally paid people working on it). This problem of bad actors will manipulate code is natural as a human needs air to breath, but it's the most ironic argument the big companies has been using not so far back in the past to prevent open source to come to light in the first place (basically, not to change anything, cannot trust the public for anything...).

But then comes the natural concept, to bring change you have to change, and open source as a basis (than before on this level for such a project) is a change. Those that has read the history of system development (or development in IoT in general) understand the gratification of this. Those that just consume article headlines like it's some daily routine will regurgitate what other people has said before (a/the change of things).

You're entitled to your opinion, of course. Colleagues of mine felt the same way about protected memory, dynamic link libraries, network storage, and the doom of civilisation when all trust in information was lost due to everyone becoming a publisher with the advent of the Internet. And indeed, there are negatives to all the above.

I read recently that a girl was led from WhatsApp to Discord, encouraged to post nudes, then extorted into prostitution. Some people inhaled air to enable that sequence of events. Taking away inhaling globally would certainly solve the problem... but I think I'd like to leave inhaling available to those who will use it responsibly. ;-)

Yeah, with such companies, I would consider double-checking the code for something hidden there.

Maybe you prefer the Spectre and Meltdown words, they sound jazzy, unlike trust and secure?

i mean, these companies probably just love us and want us to be safe, right?

From the article:
"Caliptra is fully open-source down to the RTL being made public along with the firmware."