AMD, Google, Microsoft & NVIDIA Announce "Caliptra" Open-Source Root of Trust


  • #21
    Originally posted by dp_alvarez

    That is the core of the problem, hardware roots of trust, remote attestation, etc. aren't necessarily evil by themselves.
    But they do create all the necessary foundations for corporations to take away any control users have over their devices.
    Google already started enforcing this with SafetyNet, Apple also has their mobiles very well locked down.
    Microsoft is very likely to be the next to try it, given they are developing Pluton.

    So in practical terms, new hardware-backed "security measures" are very likely to be bad news for user freedom.

    Pluton as hyped is pretty much DOA. I believe even AMD who announced support for it, has quietly dropped it from upcoming iterations.

    But, the thing about "root of trust" is that you must be able to verify from source code to deployment to execution. AND you have to be able to verify that the root is actually authentic - it hasn't been usurped. Unless there is a method of verifying all the way from source code to actual execution then it doesn't matter if the whole thing is open source because you can't verify that source revision is actually what's running on the hardware. The devil, as usual, will be in the details and generally speaking none of these companies have been particularly good at transparency. In fact, outside of AMD possibly, they're all particularly bad at it, especially Microsoft and Nvidia. And then there's Google who never met a project they didn't want to kill.

    We'll have to wait and see.
    Last edited by stormcrow; 18 October 2022, 05:26 PM.



    • #22
      Oh no, all this again...



      • #23
        Originally posted by linuxgeex
        Open source isn't a magical fix, but at least it makes problems visible enough that they can be recognised and addressed without years-long reverse-engineering projects, like happened with Intel ME.
        You go ahead and tell yourself whatever you want. Building a nuclear bomb and painting the red cross onto it does not change what it will do. You only took the bait, mate.



        • #24
          Originally posted by jabl
          How does this compare to https://opentitan.org/ ?
          I would like to know too.

          It's funny that Google is on both Caliptra and OpenTitan.



          • #25
            stormcrow Has Pluton been dropped? Do you have a link to that? AMD has indeed been very silent about it since the announcement.
            That would be relieving. fTPM is still very much enabled and active on most systems so there is still a way to implement remote attestation (which is the biggest threat), but much less dangerous.



            • #26
              Originally posted by Phoronix
              AMD, Google, Microsoft & NVIDIA
              I'd be interested if it was developed by Jason Donenfeld, not this rogue's gallery.



              • #27
                Originally posted by Anux
                The hardware part is still a black box. I couldn't see if it includes saving crypto keys in the hardware but I would assume so. And that bends the word trust a little too far for me.
                From the article:
                "Caliptra is fully open-source down to the RTL being made public along with the firmware."



                • #28
                  I mean, these companies probably just love us and want us to be safe, right?



                  • #29
                    Originally posted by Danny3
                    Another hardware backdoor?
                    Every time I see the word "trust", "secure", whatever, I know something is fishy!
                    Maybe you prefer the Spectre and Meltdown words, they sound jazzy, unlike trust and secure?



                    • #30
                      Yeah, with such companies, I would consider double-checking the code for something hidden there.
