doc: inform users that fuses are blown *before* shipping #119
Conversation
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
Signed-off-by: Daniel Lublin <daniel@lublin.se>
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
Signed-off-by: Daniel Lublin <daniel@lublin.se>
Signed-off-by: Daniel Lublin <daniel@lublin.se>
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
ghost
mentioned this pull request
The documentation is extremely vague about exactly *who* blows the fuses on the Tillitis. Based on your pre-release hardware and common sense about user-controlled hardware, I and several others assumed that the customer is the one who does this. It was quite a rude surprise to discover that this is not the case. You should be more hoenst about this, particularly at the time that orders are placed from your shop.
|
Also, isn't this a significant security risk for postal interception attacks? A postal interception attacker can order the same FPGA off of digikey and either swap it onto your boards with a hot air gun or simply have their own boards made (the board files are on github after all). Replacing or replicating the plastic casing isn't hard. If users don't expect to load the bitstream and blow the fuse themselves, the attack cost is well below $500. If users expect to load the bitstream and blow the fuse themselves, the attacker needs to fab their own chip that's capable of imitating an ICE40 yet still betraying the customer. If you add a simple "exercise the FPGA with a few general-purpose bitstreams which look nothing like a pico-RiscV" step to the setup process the attacker really does need to fab their own backdoored FPGA (with NVRAM!) -- and now we're talking about an attack cost in the ~$1million range. This kind of "leverage" -- being able to jack up the interdiction attack cost by orders of magnitude -- is a unique feature of user-programmed FPGAs. I can't imagine why Tillitis would suddenly abandon this wonderful feature of the strategy it had until three weeks ago. What's up? According to Lattice's docs1 the "security fuse" that you blow out not only prevents loading new bitstreams, but also prevents reading back the written bitstream. So users can't even verify that the bitstream on their devices is what they expect it to be. Footnotes
|
|
We will update the documentation and the shop to state very clearly Empty TKeys and a programmer board similar to the ones we handed out That this hasn't been clear is our mistake. Regarding the postal interception attack: You can verify the TKey you https://tillitis.se/getstarted/ https://github.com/tillitis/tkey-verification This won't verify the bitstream but it will verify that the computed This means that to succeed an attacker has to somehow get the UDS out On the other hand, if we don't lock the NVCM with the security fuse |
|
First, thanks amjoseph-nixpkgs for the feedback. I will update the threat model to clarify what locked into NVCM means in the given release. |
|
I've tried to reword the text for the Bellatrix release to (hopefully) better explain what locked down means and how the UDS and UDI comes from: |
... and the cost of attacking that infrastructure is very considerably smaller than the cost of fabricating a custom NVRAM FPGA that can pass the ICE40 test vectors. Also -- trying to put things delicately here -- there is of course another attack, and ever since the events on April 18th at your parent company I think perhaps that possibility should not be treated so dismissively? After giving a lot of thought to my disappointment at how things have turned out, it's become clear that TKey is merely a prototype -- you're now likely working on raising funds to push the RTL through some synthesis tools and buy a maskset. If so, then good luck and godspeed. That's become a very crowded space lately -- everyone and their dog seems to be doing a "secure element" design this year. Unfortunately the rest of us are now back where we started, without a stable, long-term reliable source for a product with the unique security properties of a user-programmed FPGA-based token. |
|
Tillitis will start selling unlocked TKey devices, as a complement to the provisioned TKey end user version we are selling today. |
|
There has been an unfortunate misunderstanding. A few persons have already reached out though email and we will send unlocked TKey's to all those persons that emails us and present a valid order number. We will honor orders placed during April and send the same amount of unlocked TKey's, free of charge. |
ghost
closed this by deleting the head repository
|
Hey, I want to thank you guys for following through on this and offering unlocked TKeys through your web store: Thank you so much for doing this; I ordered ten of them and will be recommending them to several other people, including a client. It was gracious of you to offer free unlocked keys to those of us who ordered before the clarification, but being able to order unlocked TKeys -- and being able to tell others where they can buy their own unlocked TKeys -- is what really counts. It makes it worthwhile to invest effort into this ecosystem, which is something I would not be able to justify if there were only a handful of unlocked keys in existence. Thank you once again for adding this to your webshop! |
|
Thanks for putting a good word out for us, and we are happy to hear that you want to invest time into the TKey ecosystem! |
The documentation is extremely vague about exactly who blows the fuses on the Tillitis. Based on your pre-release hardware and common sense about user-controlled hardware, I and several others assumed that the customer is the one who does this.
It was quite a rude surprise to discover that this is no longer the case as of ~three weeks ago.
You should be more honest about this, particularly at the time that orders are placed from your shop.