From 7fa51162884b3b28367e0d96a03742cdd38c1d07 Mon Sep 17 00:00:00 2001 From: Adam Joseph Date: Mon, 14 Nov 2022 12:03:21 -0800 Subject: [PATCH] doc/owner-controlled.md: mention debian and gnuk --- doc/owner-controlled.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/doc/owner-controlled.md b/doc/owner-controlled.md index 43dbac3..4ec868c 100644 --- a/doc/owner-controlled.md +++ b/doc/owner-controlled.md 
@@ -20,8 +20,16 @@ By using a chip as your CPU you are, of course, trusting that its manufacturer h A hardware backdoor or bugdoor can be publicly demonstrated to exist once discovered, and is "perfectly undiscoverable" only if it is never used. Immutable proof of crime or incompetence is in the hands of every customer. Discovery would be catastrophic for the manufacturer, both reputationally and financially. I can easily trust that my hardware manufacturers are existentially terrified of this outcome, even in the face of government pressure. Properly-designed *software* bugdoors, on the other hand, are practically risk-free (especially when designed in coordination with hardware) and cost little to remediate. -Trust, but deblobbify. +*Trust, but deblobbify.* + +### Related + +Debian prefers that its developers keep their code signing keys on commodity microcontrollers (such as the stm32 used in [gnuk][gnuk]) rather than commercial fixed-purpose HSMs like Yubikeys. Ian Jackson's [explanation][debian-dongle] for this preference uses similar reasoning. ## What if I don't care about security, trust, or power? Instead, you can be awed at the kind of [amazing things people discover](https://www.devever.net/~hl/power9tags#where-are-the-tags-stored) when "maybe the cpu traps out to some software I don't control" can be ruled out as an explanation. Care about science, and being able to do it instead of accepting unknowability. + + +[gnuk]: https://lwn.net/Articles/736231/ +[debian-dongle]: https://lists.debian.org/debian-project/2017/08/msg00135.html
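Review bot: The added paragraph under "### Related" states a project-wide position ("Debian prefers that its developers keep their code signing keys on commodity microcontrollers"), but the only source it cites for that is a single debian-project list message, so either link the policy that says this or word the sentence as the recommendation made in Ian Jackson's post. In the same paragraph, the [gnuk] reference resolves to an LWN article rather than the gnuk project itself, which the link text should make clear, and "stm32" and "Yubikeys" would be better in the vendors' own spelling (STM32, YubiKeys). The subject line mentions only Debian and gnuk, while the hunk also changes "Trust, but deblobbify." to italics; mention that in the commit message or split it into its own commit.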