by rjzzleep 1704 days ago
From what I'm seeing, I think assuming that RISC-V CPUs are blob free and open just because the ISA is open is illusory at best and wilfully lying at worst.
4 comments

I agree that an open ISA does not equate to blob free hardware. And many RISC-V designs out there will have royalties and device blobs.

But the open ISA levels the playing field and allows for upstart hardware designers to make compatible hardware that is royalty and/or blob free.

When you have the complete Verilog source code for the CPU core it's pretty hard to hide anything.

Following the upload of the source code for the C910 core 24 hours ago, Olof Kindgren is live-tweeting getting it going in an FPGA using the existing FuseSoC framework. He made significant progress in the first session before going to bed. It would not surprise me if it's working in the next 24 hours.

> When you have the complete Verilog source code for the CPU core

That's a big "when". The road from an ISA to a core is long, and unless the core is copylefted (this isn't), then you aren't going to get the source code for something someone else manufactured either.

Copyleft won't help you there either if the license issuer is also the producer of the physical chip: Licenses are regulating what third parties can do with the source, they don't restrict the issuer.

They do actually restrict the issuer in most cases. Linus can't just strip Linux of other developers' parts because they are tightly interconnected. He could relicense a 30-year-old version of Linux, but it would be useless.

I should just have been more precise and said copyright holder instead of issuer. Linus doesn't hold the copyright for most of the Linux source, hence he can't relicense without explicit OKs from the other developers.

But how can I be sure the chip I have in my hand is built upon this code and that no blob has been added?

By (1) purchasing anonymously from retail sources, and

(2) having researchers with anonymous retail samples verify through decapping and inspection. I believe der8auer in Germany does die shots -- it would not be a bad idea to kick start this kind of research for community assurance purposes.

It's difficult to prove there's no hidden logic, but it's also not trivial to hide complex logic needed to introduce covert undetectable vulnerabilities (probably around things like the RNG source or crypto).

Also assuming you're a high value target, otherwise this is mostly going too far.

It still removes a serious obstacle to getting a blob free CPU where the user can have control over what it does. The ISA is no more a "magic sauce" to be protected and patented and therefore hidden behind closed source.

Well, if they wind up with blobs I think they will at least be more limited. The "Management Engine" style ones are the most egregious. Ones for the sake of hardware video encode/decode are a bit more forgivable, though still regrettable.

And there is certainly growing interest in blob-free computing [1], so some at least will exist to fill that demand. There is some hope for video with Linux landing blob-free hardware encode/decode very quickly the last couple of years [2].

  1: https://www.crowdsupply.com/mnt/reform/updates/post-campaign-orders
  2: https://www.youtube.com/watch?v=E9JLxjYlIWg