The Google H1 Fritz Chip(loper-os.org) |
The Google H1 Fritz Chip(loper-os.org) |
So we have this really annoying catch 22, where people like this author report on real security and tamper protection systems as bad -- yet without them, the device would actually be prone to different actors attempting to own devices remotely.
Every security mechanism in place on modern computing hardware can be viewed as being either cryptographically important or encumbered against users. The fact of the matter is that it's extremely hard to build a platform that's resistant to all types of attack without also encumbering real users and real benefits of device ownership.
At some point, I just want to throw my hands up and ask why people continue to buy these devices if they dislike them so much. I can understand wanting to tinker and wanting to hack. But voluntarily forking over money just to complain about why that platform isn't an open box amazes me. It's plenty easier to buy a hackable and open by default platform than it is to buy a closed one and try to turn it into an open one.
Backdoors for every state actor ...
It is incredibly easy to make ridiculously hard to find backdoors in both software and even more so in hardware, and early versions have been caught (including the US and Chinese governments). The odds of finding "v2" or, more likely "v50" backdoors are bad. Very bad.
Pray tell, where can I buy a laptop (of new, rather than vintage, manufacture) without blobs and master keys?
This blog post asserts that it was imposed by the NSA. Where is the evidence for that? The only source seems to be what appears to be speculation by some person on IRC.
>20:23 <asciilifeform> from my pov, it's nsa rootkit
It's hard to take this post very seriously when there's disinformation like this.
Whereas if Google is putting chips into their Chromebooks of their own initiative, that is no indication that Google is getting power over Windows, iOS, Mac, or Linux computers.
It's not just some person on IRC, it's the author. He's citing himself.
The Cr50 device is a classic “Fritz chip” — i.e. a hardware “policeman”, built into a computing device [...], so as to specifically and deliberately act against the purchaser’s interests, by subverting the Laws of Sane Computing in these three ways:
Prevention of the full control of the machine by its physical owner, typically by inhibiting attempts to install modified firmware. [...]
Enablement of one or more types of “NOBUS” back door (Official NSA terminology! “No One But US“, [...]
Prevention of a clueful hardware owner’s attempts to “jailbreak” — to disable, remove, or circumvent the Fritz chip itself.
This also inhibits attempts by malicious third parties to install modified firmware on your machines.
For Chromebooks we traditionally tried to find a middle route: locked down by default, since most people care more about nobody tampering with their device than about the ability to do so themselves. For the others, there's dev mode (easy to get at, but with scary notifications, to make tampering obvious) and the write-protect screw (hard to get at, no tamper notification).
Hooking up cr50 into the write-protect line allows to develop a best-of-all-worlds approach:
* still locked down by default for people who don't want to think about their device's firmware security.
* simple to get at (but complicated enough that drive-by attacks remain infeasible), even with form factors that aren't service friendly (eg. glued chassis - firmware folks have no voice in these decisions).
* the ability to implement tamper evidence checks through remote attestation, even if the scary screens were disabled.
Compared to everything else on the market, I think it's a very user friendly set of trade-offs, both for power users and computers-are-appliances folks.
(disclosure: Chrome OS firmware developer)
The Cr50 accepts firmware updates at all times, but only when signed with Google's RSA key.
Does anyone know which Google/ChromeOS features this chip is used for, or what the justification for it is?
https://www.chromium.org/chromium-os/tpm_firmware_update
Edit: this is what Chrome devices use it for https://www.chromium.org/developers/design-documents/tpm-usa...
I recommend to actually read Google's published Cr50 sources -- no reason to take my word for it. All of the functionality I described -- and more -- is there, plain as daylight, with comments. Including the backdoor pubkeys.
Any calls to Google reCaptcha v1 API will not work after March 31, 2018 [1].
[1] https://developers.google.com/recaptcha/docs/faq#what-happen...
I would like to see some more details.
common/rma_auth.c:rma_challenge_response() calls process_response(), which on success calls common/factory_mode.c:enable_ccd_factory_mode()
That one calls factory_enable_deferred(), which resets the system before flushing all TPM data, and only on successfully removing all that proceeds to enable factory mode.
Therefore: gaining access through that venue also removes all secrets established on the system, including the TPM-part of the key used to encrypt the disk (the other part being derived from the account credentials, which isn't stored persistently anywhere).
(Disclosure: I'm part of the Chrome OS firmware team. If you find anything we forgot to do to protect user data, I'd _really_ love to know)
Instead, I'm a reluctant purchaser of your hardware (the market is completely devoid of alternatives, if I go to buy a 6-core ARM64 laptop with a IPS display, it's the Chromebook or the highway). A purchaser who would like to actually use what he paid for. And this means the removal of all golden-key backdoor garbage, in the AP, EC, and Cr50 ROMs.
And yes this includes the FBI-subpoena-keyed "upgrade" capability, the AP ROM write-protect override, the I2C/SPI bus mastering, the locked-from-all-but-the-anointed-few console, etc.
I couldn't care less about user-installed "TPM secrets", disk encryption, etc. I get these boxes brand-new. What I want is to wipe the Cr50 and install a routine that simply handles the power button, 3.3v bringup and whatever else is absolutely required for the box to run, under full owner control like the old Chromebooks that had no Cr50.
What was called Trusted Computing, Palladium, TCPA, etc. in 2003 and became known in geek circles as "TPM" is now implemented as TPM + Intel Boot Guard + Intel SGX + Authenticated Code Modules + various other things (and other vendors' equivalents).
The TPM is the most benign part of it all: a slow, passive crypto chip with a small storage that it can hide away from the CPU unless the right system state and keys are presented (although the presented system state might be 100% fake).
It turns the USB-C ports into always-on NSA-keyed backdoors (anyone in possession of the private RSA key, can reflash all three flash ROMs in the machine with whatever he likes, via the external ports, which cannot even be cemented shut, as the machine charges exclusively from USB-C.)
No reason to take my word for it: I recommend to read Google's source, I have linked to the most interesting routines.
The golden key exists, and will be used.
But if Google decided to put a chip in their computers of their own initiative, then that's not an indication that the other computers have a chip. So I feel I'm much safer.
I care about my rights. If computer manufacturers lose their right to design their products as they see fit (i.e. they're forced to install chips against their will), that means the government is severely limiting its citizens' rights. There is likely no hope for my freedom. But if a manufacturer puts a chip in of their own free will, that's not really infringing my rights. I can simply buy computers from a different manufacturer.
I don't, and TBH I don't find your writing style (of which this is an example) very engaging.
Cr50 is a replacement for the old TPM. It has approximately the same constraints as the Infineon TPM used in the past: firmware updateable, but not for you.
[edit to add: would a mechanism to disable the update mechanisms, at the price of "no warranty" since RMA becomes impossible be acceptable to you? Or would you suspect that there's another update mechanism anyway?]
> Pulling the battery does enable rewrite
Pulling the battery is non-trivial on a device like Pixel C, hence a new mechanism.
So naturally voids warranties.
> firmware updateable, but not for you
Finally, honesty. It's a Tivo.
Like the Infineon before it.