From mboxrd@z Thu Jan  1 00:00:00 1970
From: David Craven <david@craven.ch>
Subject: Re: [GNU-linux-libre] Free firmware - A redefinition of the term and
	a new metric for it's measurement.
Date: Mon, 13 Feb 2017 23:48:19 +0100
Message-ID: <CAL1_immeBBHK0NAXQ_hJ3m9wry5QQ7fA+=eUXnC43Xaeribe1g@mail.gmail.com>
References: <CAL1_im=_R__Cp2aOAEAne7dveu6aYkg17zu0Pftg+pKAv_JbuA@mail.gmail.com>
	<87tw8bjhqm.fsf@gmail.com>
	<CAL1_imnr2tk9rNK2NyTX4sn8P07cR8x2Ge84M4c=hLYV4Bmy2Q@mail.gmail.com>
	<2c7ae911-863f-4831-f024-060e5f899d3a@alaskasi.com>
	<87k2948d2q.fsf@gmail.com>
	<CAL1_immGW1dj0QnOROOZCuBbiMvN5R6c8JdsVq8QKcQZ1KLVCA@mail.gmail.com>
	<06cfad8d-0222-1c63-522d-013ecd2e6ce8@alaskasi.com>
	<874lzy4lq2.fsf@gmail.com> <20170213084231.GA16213@jocasta.intra>
	<CAL1_imnUL51WCtVQ99FgiSa3AYdQNYSpL__6Ep087+7uXF9Kyw@mail.gmail.com>
	<58A22341.7010001@crazy-compilers.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:43254)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <david@craven.ch>) id 1cdPQ1-0008FM-7n
	for guix-devel@gnu.org; Mon, 13 Feb 2017 17:48:26 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <david@craven.ch>) id 1cdPPx-0008W8-AT
	for guix-devel@gnu.org; Mon, 13 Feb 2017 17:48:25 -0500
Received: from mail-qt0-x231.google.com ([2607:f8b0:400d:c0d::231]:34571)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <david@craven.ch>) id 1cdPPx-0008W4-58
	for guix-devel@gnu.org; Mon, 13 Feb 2017 17:48:21 -0500
Received: by mail-qt0-x231.google.com with SMTP id w20so96497128qtb.1
	for <guix-devel@gnu.org>; Mon, 13 Feb 2017 14:48:20 -0800 (PST)
In-Reply-To: <58A22341.7010001@crazy-compilers.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Hartmut Goebel <h.goebel@crazy-compilers.com>
Cc: guix-devel <guix-devel@gnu.org>

> Is the vendor always trustworthy?

I agree with you. But the thing is that we already bought the device.
It says on the label that the device does A and only A at time x when
we bought the device. The question is do we need to add more trust
than that to the equation.

If we look at security as a function we are trying to maximize, we
already introduced one axiom, that device does A and only A at time x.
By putting the firmware in ROM instead of fixing it with a hash we are
introducing a new axiom. That our previous axiom is time invariant.

Also consider this:
Device comes with firmware A 2015. The vendor creates an update B. In
2016 the same device comes with firmware B. You were happy with the
device in 2015 but your laptop was stolen or broke. So you buy the
same device in 2016. That is a hidden firmware update. How is that
different than knowing that you updated your firmware? In this case
you simply pretend that you have not updated your device, but the
truth is - you really don't know.

So the more axioms (assumptions) our security is based on - the weaker
is the house of cards we are building.

But I'm totally fine with burring this discussion.