1. 13
  1. 15

    Bruce, unfortunately, is showing a complete lack of understanding of how IC fabrication works here. My favourite example here is a proof-of-concept of a TrustZone vulnerability in a formally verified small Arm core. Everything in the Verilog was verified to be correct with respect to the security invariants of TrustZone but during the final layout stage they ran a wire that contained the TrustZone secure-mode flag next to a wire carrying untrusted data and they ran them just sufficiently close together that you could induce bit flips in the secure state by running the exact correct sequence of instructions in insecure mode. The end result was a chip where the Verilog could have been open sourced and audited by hardware security experts and would have been secure in cycle-accurate simulation but where, post fabrication, a malicious userspace process could elevate privilege.

    An open ISA does nothing to help there and neither does an open implementation unless everything down to the transistor level is open. Most fabs keep the details of the implementations of their cell libraries private because they contain trade secrets about their fabrication process. Given that a fab now costs upwards of $10bn, that’s not exactly a market that encourages new players to enter the market. This is very different from a world where you can audit source code and audit an open source compiler.

    I also find it amusing that Bruce complains about there being 5 different Arm ISAs. The core RISC-V ISA is tiny. Any real RISC-V chip includes a load of extensions. There are a dozen or so standard extensions and I’ve lost track of the number of non-standard extensions (some of which use overlapping encoding space). RISC-V is the combinatorial result of all of the possible sets of extensions that may coexist.

    Also, posting a ‘Reply to’ without including a link to the original is just plain rude. I have no idea whether he even comes close to refuting the original points.

    1. 3

      Agree re: the lack of link. Hypertext, people!

      I googled the original post and submitted it. It will probably be folded in here later.

      1. 2

        Do you have a reference to the TrustZone vulnerability PoC?

      2. 9

        Intel CPUs are also known to have an opaque CPU and Intel’s variant of MINIX in the management engine on board their chips, which is a total security disaster.

        How does an open ISA (RISC-V) prevent somebody from doing the same in his implementation?

        (open ISA != open implementation)

        1. 6

          I don’t think the argument is that every RISC-V core will be inspectable, but rather that it’s possible. You won’t ever get a truly open x86 from the license holders, and you can’t ever make a truly open ARM chip even if you wanted and paid for the license (or so the argument goes, I think; I’m not qualified to know whether that’s true or not).

          1. 1

            (open ISA != open implementation)

            Even more so when aiming for high performance implementations: A memory controller isn’t complicated per se (AFAIK it’s an FPGA project in a fair number of CS degrees), but a good one that can deal with whatever fancy trick current JEDEC standards exploit so that they can get a few more bits moved per cycle despite physics, very much so.

            And so, unless you’re aiming for a very small design with little concern for performance, these controllers are licensed - under terms that usually prevent them from being open. Often the code to configure it must also remain closed, thanks to weird agreements (much to the chagrin of us coreboot developers).

            Same for other high performance controllers, although memory is especially annoying because you can’t circumvent it by just deferring the feature to some external standard bus (as with USB, SATA or whatever where you could say “take a plugin card” to make their licensing Someone Else’s Problem).

          2. 2

            @pushcx, feel free to fold into https://lobste.rs/s/vutw59/reply_kevin_xu_s_some_bearish_thoughts_on, I wanted to have the 2 entries connected.