Replying to Avatar semisol

You’re just dodging my question.

What benefit does open source truly have to an HWW?

It’s a black box you can’t really inspect and anything it tells you about the code it is running is “trust me bro”.

For all you know there is a segment of the firmware not overwritten by the update process that tampers with the code to steal your keys.

Of course, having open source code would be good for security auditing, but it doesn’t prevent any actual malicious code. And there’s some vendors that just can’t due to NDAs.
Avatar
QnA 1y ago

Not dodging anything, already answered that question above. You can't verify 100% of everything running on the device 100% of the time. There are no good/suitable open source SE's, that's why good HWW manufacturers use the secret splitting architecture that they do today.

Being able to install auditable + reproducible open source code, signed by either yourself or the HWW manufacturer, to an entirely air gapped device is a HUGE improvement over something entirely black box.

Can't believe the notion of this is even being contested.

Reply to this note

Please Login to reply.

Discussion

Avatar
semisol 1y ago

It’s not. Because in the end it’s still a black box and you only can “control” (if the device is not malicious) part of the firmware.