Whether a HWW is open source or not does not matter. It is inherently impossible to prove that it is running the published source code for the same reason you cannot extract the private keys.
All actually good SEs are under NDA and they cannot give you the code either even if they want to.
What? Surely you don't need me to tell you about reproducible builds and open source software?
How do you know the HWW is not lying about the software it is running?
You trust it to report the correct hash… but it doesn’t have to so reproducible builds are useless
Build it from source, sign it with your own PubKey and then install it if you think that's a risk.
And then you realize that most HWWs don’t allow you to do that even if “open source”.
And how do you still not know there isn’t code running on the HWW that was loaded from factory? The update process doesn’t have to replace all of the code.
Good HWWs absolutely do allow you to do that.
And you can't, but that's why good HWWs have extra protections like air gaps.
So what’s the point? Basically “trust the chip bro” security when you already have protections like airgap, and what a majority of the userbase doesn’t care about.
You're right. Let's abandon FOSS and all move to closed source ecosystems and trust the big tech companies with our private keys.
It’s good to have options. I get it from a security standpoint, open source, airgapped and all that, and have my own security wallets for that reason. It’s good to have options available. If we wanted performance in cars, every vehicle would be a Porsche, and this is all anyone would recommend, but there are tradeoffs. Bitkey has a brand and reputation to uphold, so I don’t expect to get rugged.
You’re just dodging my question.
What benefit does open source truly have to an HWW?
It’s a black box you can’t really inspect and anything it tells you about the code it is running is “trust me bro”.
For all you know there is a segment of the firmware not overwritten by the update process that tampers with the code to steal your keys.
Of course, having open source code would be good for security auditing, but it doesn’t prevent any actual malicious code. And there’s some vendors that just can’t due to NDAs.
Not dodging anything, already answered that question above. You can't verify 100% of everything running on the device 100% of the time. There are no good/suitable open source SEs, that's why good HWW manufacturers use the secret splitting architecture that they do today.
Being able to install auditable + reproducible open source code, signed by either yourself or the HWW manufacturer, to an entirely air gapped device is a HUGE improvement over something entirely black box.
Can't believe the notion of this is even being contested.
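As an added illustration of the host-side checks the two sides are arguing about (not code from any commenter or any wallet vendor): the script below models what a user can actually verify when installing reproducible, open source firmware, and what remains outside that verification. It checks that a local build reproduces the vendor's published hash, that the bytes about to be flashed are identical to that build, and which flash regions the update even touches. The flash layout, region names and sample images are constructed assumptions for the demo, not any real device's layout or firmware. A hash the device reports about its own firmware is deliberately not an input, because a compromised device can report any value it likes.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    """One region of device flash (constructed toy layout, not a real wallet's)."""
    name: str
    offset: int
    size: int


# Assumed layout: a factory-written bootloader that updates never rewrite,
# and an application region that a firmware update replaces entirely.
LAYOUT = (
    Region("bootloader", 0x0000, 0x0100),
    Region("app", 0x0100, 0x0400),
)
UPDATABLE_REGION = "app"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_reproduces(local_build: bytes, published_sha256: str) -> bool:
    """Check 1: the image you built from source hashes to the value the vendor published."""
    return hmac.compare_digest(sha256_hex(local_build), published_sha256.lower())


def flash_image_matches_build(local_build: bytes, image_to_flash: bytes) -> bool:
    """Check 2: the bytes you are about to flash are exactly the build you just checked."""
    return hmac.compare_digest(local_build, image_to_flash)


def flash_image_fits_region(image_to_flash: bytes, layout, region_name: str) -> bool:
    """Check 3: the image fills the updatable region and nothing else."""
    region = next(r for r in layout if r.name == region_name)
    return len(image_to_flash) == region.size


def host_side_verify(local_build: bytes, published_sha256: str,
                     image_to_flash: bytes, layout=LAYOUT) -> dict:
    """Everything a user can establish on the host before flashing.

    The result lists which regions the verified image covers and which it does not;
    the latter (here, the bootloader) stay whatever the factory put there, which is
    the limit of what reproducible builds can show.
    """
    return {
        "build_reproduces": build_reproduces(local_build, published_sha256),
        "flash_image_matches_build": flash_image_matches_build(local_build, image_to_flash),
        "flash_image_fits_region": flash_image_fits_region(image_to_flash, layout, UPDATABLE_REGION),
        "verified_regions": [r.name for r in layout if r.name == UPDATABLE_REGION],
        "unverified_regions": [r.name for r in layout if r.name != UPDATABLE_REGION],
    }


# Constructed sample images (not real firmware): a vendor release, a local build
# that reproduces it byte for byte, and a copy with one byte flipped.
VENDOR_RELEASE = bytes(range(256)) * 4            # 1024 bytes, the size of the "app" region
PUBLISHED_SHA256 = sha256_hex(VENDOR_RELEASE)      # stands in for the hash a vendor publishes
LOCAL_BUILD = bytes(range(256)) * 4                # what your own reproducible build produced
_tampered = bytearray(VENDOR_RELEASE)
_tampered[10] ^= 0xFF
TAMPERED_IMAGE = bytes(_tampered)


if __name__ == "__main__":
    print("clean install:", host_side_verify(LOCAL_BUILD, PUBLISHED_SHA256, LOCAL_BUILD))
    print("tampered download:", host_side_verify(LOCAL_BUILD, PUBLISHED_SHA256, TAMPERED_IMAGE))
```

Run with `python3 verify_firmware.py`. The "unverified_regions" entry is the concrete version of the point being argued: the checks cover the image you flash, and nothing the update does not rewrite.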
It’s not. Because in the end it’s still a black box and you only can “control” (if the device is not malicious) part of the firmware.