[yitosda]

I'd be interested in further details about the testing. If any manufacturer actively wants to backdoor their hardware I'm skeptical that anything but an extremely expensive teardown of an infected device would find it.

It is simply incorrect to imply that reading vendor provided source can usefully decrease the possibility of a targeted attack. Comparing (hardware provided?) software checksums is not a real improvement. Juxtaposed with your "interest" in the topic, such an argument naturally arouses suspicion (sorry).

There is obviously nothing "wrong" with being interested in this fascinating clash of powerful interests, the amount of interest each discussion gets shows you are not alone.

So I'm not just hammering at what you've said, I'll make my own statement: There's absolutely nothing you can do to defend against a motivated attacker providing you with complex computer hardware (let's say anything that has software/firmware). Corollary: It's a fool's game to use hardware from those whose interests conflict with your own.

China and the US have a massive conflict of their interests. Each should not use hardware provided by the other. The risk for each is real and unavoidable.

[majia]

Hardware testing is much more than firmware checksum comparison. Once you have the blueprint, you can physically compare it against samples using various methods such as x-ray, acoustic and electric profiling to detect any differences. Furthermore, hardware is generally retained for a long time and can be checked with future anti-tampering technologies.

These measures does not offer perfect security. It simply makes the cost of hacking and chance of being caught very high, even for state actors. We could achieve fairly strong security at an affordable cost for most civilian uses. At least, tested Huawei hardware may be a good alternative to untested hardware from another vendor (which is probably manufactured in China too) at an inflated price.

Of course, if you are still concerned, why not take a course on microprocessor and build your own CPU? ;)

[yitosda]

It looks like you're moving the verification goalposts away from what is actually running on the hardware and simultaneously walking this back from government to civilian uses. These are completely different discussions (though I might add that governments rely heavily on the private sector, so some pressure there is expected).

Another completely different line of discussion is whether I personally am concerned at all (I'm not), and what I should do about it (nothing, but governments certainly should build their own CPU).

> We could achieve fairly strong security at an affordable cost

No. We cannot achieve strong security in a device that comes with software. You also cannot (at the time of this writing) prove that the actual hardware you personally are running is trustworthy without spending enough that the "affordable cost" becomes a moot point.

A wide swath of civilian uses can probably come out on top of the cost/benefit analysis just because their interests don't get in the way of governmental conflicts (or they can make enough money in the meantime). It's only from the perspective of a government that this conversation makes any sense at all.