by rwmj 1992 days ago
There are fully reverse-engineered FPGAs and open source toolchains to drive them.

The real question is: Is there anything hidden in the silicon? That's something you can only solve by owning your own fab - the US military approach.


The argument here usually is: with a fixed silicon chip, the vendor can hide the backdoor in various locations and have it triggered by various events (e.g. a particular sequence of incoming ICMP packets would overwrite the first byte of the response with the content of some register). With an FPGA, the vendor can't really know where a particular register is located, or where incoming packets are processed, as it is highly dependent on the synthesised CPU design and can even be non-deterministic.

This does not mean that there is no way the vendor can backdoor the chip you are getting, but it does narrow the possibilities significantly.

Good luck hiding an effective backdoor in an FPGA. The attacker (the FPGA fab) has no idea of how it's going to be programmed.
The usual thing the military worries about is a "kill switch" (a very unlikely sequence of bits) which disables the hardware completely. The idea is that at the beginning of a war, the kill signal is broadcast by the enemy by every means possible which brings all your electronics to a halt.

This can be hidden in an FPGA - for example attached to the input pins or SERDES - without needing to know anything about the application.

(Article: https://spectrum.ieee.org/semiconductors/design/the-hunt-for...)

Triggering a malfunction is incredibly easy compared to a proper backdoor. A kill signal could also be injected through side channels, e.g. a power line, and the kill mechanism could be implemented in many semiconductors other than an FPGA.