From: David Craven
Subject: Re: [GNU-linux-libre] Free firmware - A redefinition of the term and a new metric for it's measurement.
Date: Mon, 13 Feb 2017 23:48:19 +0100
To: Hartmut Goebel
Cc: guix-devel

> Is the vendor always trustworthy?

I agree with you. But the thing is that we already bought the device. It says on the label that the device does A and only A at time x when we bought the device. The question is do we need to add more trust than that to the equation.

If we look at security as a function we are trying to maximize, we already introduced one axiom, that the device does A and only A at time x. By putting the firmware in ROM instead of fixing it with a hash we are introducing a new axiom: that our previous axiom is time invariant.

Also consider this: Device comes with firmware A in 2015. The vendor creates an update B. In 2016 the same device comes with firmware B. You were happy with the device in 2015 but your laptop was stolen or broke. So you buy the same device in 2016. That is a hidden firmware update. How is that different than knowing that you updated your firmware? In this case you simply pretend that you have not updated your device, but the truth is - you really don't know.

So the more axioms (assumptions) our security is based on - the weaker is the house of cards we are building.

But I'm totally fine with burying this discussion.