On Wed, Jun 17, 2015 at 8:59 AM, Tim Beelen <tim@diffalt.com> wrote:

Has anyone ever established or tried building trust model with any of these producers? It's rather hard to invent that wheel. I've heard that setting up a foundry is quite a bit of work. And in today's environment it is a significant advantage to produce community vetted hardware. So we might be able to get a solid business model behind this.

On 6/17/2015 3:27 AM, grarpamp wrote:

On Wed, Jun 17, 2015 at 12:25 AM, Troy Benjegerdes <hozer@hozed.org> wrote:

PCB layout of the server(s) that got hacked.

The gate counts in the chips moots the PCB.

'IP' and such
...
because there will be more than just me talking about why we need
full-disclosure hardware that you can X-ray and compare to an image
signed and hosted by multiple independent and competing nation-state
or multinational-corporate level security agencies.
...
If your Intel motherboard matches the image signed by IBM,

Private xraying to validate an individual chip is fine, but does
nothing for everyone else. If you already have and are validating
the [somehow open] image, you might as well open-source and
open-up the entire fab. That way you know everything rolling off
the line is good. While you may trust the chip to image in your
hand, do you trust Intel, Huawei, Qualcomm, TSMC?

https://en.wikipedia.org/wiki/Foundry_model

OK, yes - being able to verify first and foremost that the PCB you have matches some reference is an important first step for guaranteed hardware security.

Perhaps building an accessible verifier might be the logical first step.

How effective is this X-Ray method for detecting hardware modifications [what is the resolution?] How do you process two different X-Ray images, remove the noise (normalize) to compare two different documents?

-Travis

Twitter | LinkedIn | GitHub | TravisBiehn.com | Google Plus