by lkcl 1845 days ago
"Attests the software version is the version that is valid and shipped by the Oxide Computer Company"

this makes "Oxide Computer Company" the primary target and point of vulnerability in multiple ways.

1) rogue employees (state-sponsored, corporate espionage) could replace the software. customers could do nothing about it, and might not even be told.

2) sale of the company by the VCs or a Corporate take-over gives no guarantee that what is safe now will be safe in future, no matter what the VCs or the company says right now.

3) whatever expertise "Oxide Computer Company" thinks they have, they're the single-point-of-failure. the larger the number of customers, the less likely that a given vulnerability will be immediately fixed and distributed out.

this is just some of the possibilities. sorry to say that there's so many things wrong with this idea it's really hard to hold back and not say anything.

now, if the full source code right to the bedrock is available, and the CUSTOMER is given FULL CONTROL, THEN we do not have a problem.

by "full control", that includes:

* all DRM keys including TPM signing private keys
* all peripheral initialisation source code (including DDR4 firmware, PCIe firmware and USB3 firmware)
* BMC (Boot Management Console) source code
* BIOS source code
* Operating system source code
* full source code for all tools and toolchains for the above to avoid vendor lock-in and the possibility of the toolchain itself introducing rogue code.

this is one hell of a list and it's almost impossible to fulfil with today's "NDA'd proprietary firmware 3rd party licensing" mindset. the only company in this secure server space to my knowledge that's achieved this is Raptor Engineering with the TALOS-II, when running with the Kestrel BMC replacement, on the Lattice ECP5 FPGA.