OK, deep breath, relax... Let's have a sober look at these 'ere annoying AMD chip security flaws

zxq9

Re: Closed black box firmware

This is a ridiculous argument and leads right back to "trusting trust".

If you don't trust the manufacturer, the shipper, the prepper, or the administrator of the system, then OF COURSE you don't trust the system. That point should be obvious.

We have had a policy in the unit I was in previously (and now I have brought it to my current company) that "physical access is the final barrier". And that's it. TCM concepts and whatnot are simply never, ever workable. Even the classic "evil maid" attack isn't actually mitigated by UEFI or TCM because the firmware itself can be replaced with physical access (whether or not root on a running system). The softness of software makes it impossible to know anything about any mutual trustworthiness scheme where two soft modules verify one another.

Go write a package manager. Or a "secure" compiler suite. Have fun figuring out where a reasonable "bottom" lies as you start digging into issues about trusting trust.

This was CLEARLY a hit piece on AMD. I don't know if Intel funded it -- it seems highly plausible but unlikely because it could probably be easily traced back to them -- but whoever did certainly had an anti-AMD agenda and picked their moment to counteract the slew of recent Intel flaws.
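The post above argues that two "soft" modules verifying one another tell you nothing once an attacker can rewrite both, and that physical access is the last real barrier. The following is an added toy model of that argument (it is not code from the post or from The Register, and the module bodies, names and the `ImmutableRoot` class are constructed for illustration): two modules each carry the digest of the other's body, an attacker who can write only one of them is caught, an attacker who rewrites both sails through, and a reference held somewhere the attacker cannot write catches it again only until physical access lets them replace that reference too.

```python
import hashlib
from dataclasses import dataclass, replace


def digest(data: bytes) -> str:
    """SHA-256 hex digest, used as the 'identity' of a module body."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Module:
    """A 'soft' module: its executable body plus the digest it expects of its peer.

    The body and the stored expectation are kept separate so that each side
    can be hashed without the circular dependency of hashing a hash of itself.
    """
    name: str
    body: bytes
    expected_peer: str


@dataclass(frozen=True)
class ImmutableRoot:
    """Hypothetical reference stored outside the attacker's write reach
    (e.g. fused into hardware). Constructed for this example only."""
    expected_firmware: str


def make_pair(body_a: bytes, body_b: bytes) -> tuple[Module, Module]:
    """Cross-link two modules: each stores the digest of the other's body."""
    return (Module("firmware", body_a, digest(body_b)),
            Module("bootloader", body_b, digest(body_a)))


def mutual_check(a: Module, b: Module) -> bool:
    """Both sides verify each other; True only if both checks pass."""
    return (digest(b.body) == a.expected_peer
            and digest(a.body) == b.expected_peer)


def root_check(root: ImmutableRoot, firmware: Module) -> bool:
    """Verify the firmware against a reference the software stack cannot change."""
    return digest(firmware.body) == root.expected_firmware


def tamper_one(a: Module, b: Module, new_body_a: bytes) -> tuple[Module, Module]:
    """Attacker who can rewrite only module A (its peer still holds the old digest)."""
    return replace(a, body=new_body_a), b


def tamper_both(a: Module, b: Module, new_body_a: bytes) -> tuple[Module, Module]:
    """Attacker who can rewrite both modules: replace A and re-link B to the new A."""
    new_a = replace(a, body=new_body_a)
    return new_a, replace(b, expected_peer=digest(new_body_a))


def run_scenarios() -> dict:
    """Walk through the scenarios and return what each verification reports."""
    # Constructed sample module bodies; any bytes would do.
    good_fw = b"firmware v1"
    good_bl = b"bootloader v1"
    evil_fw = b"firmware v1 + implant"

    fw, bl = make_pair(good_fw, good_bl)
    root = ImmutableRoot(digest(good_fw))

    results = {"clean": mutual_check(fw, bl)}

    # Write access to one module only: the peer's stored digest no longer matches.
    fw1, bl1 = tamper_one(fw, bl, evil_fw)
    results["tamper_one"] = mutual_check(fw1, bl1)

    # Write access to both modules: the pair is internally consistent again.
    fw2, bl2 = tamper_both(fw, bl, evil_fw)
    results["tamper_both"] = mutual_check(fw2, bl2)

    # A reference outside the writable software stack still catches the rewrite...
    results["root_check_after_tamper_both"] = root_check(root, fw2)

    # ...until physical access lets the attacker replace the reference as well.
    replaced_root = ImmutableRoot(digest(evil_fw))
    results["root_check_after_root_replaced"] = root_check(replaced_root, fw2)
    return results


if __name__ == "__main__":
    for scenario, verified in run_scenarios().items():
        print(f"{scenario:32s} verified={verified}")
```

Mutual verification only detects the partial rewrite; whatever the attacker can write, they can make self-consistent, so the scheme's guarantee is exactly as strong as the least-writable thing in the chain.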
