Hacker News new | ask | show | jobs
by brucehoult 1704 days ago
When you have the complete verilog source code for the CPU core it's pretty hard to hide anything.

Following the source code for the C910 core upload 24 hours ago, Olof Kindgren is live-tweeting getting it going in an FPGA using the existing FuseSoC framework. He made significant progress in the first session before going to bed. It would not surprise me if it's working in the next 24 hours.
2 comments
rhn_mk1 1704 days ago
> When you have the complete verilog source code for the CPU core

That's a big "when". The road from an ISA to a core is long, and unless the core is copylefted (this isn't), then you aren't going to get the source code for something someone else manufactured either.

link
bildung 1704 days ago
Copyleft won't help you there either if the license issuer is also the producer of the physical chip: Licenses are regulating what third parties can do with the source, they don't restrict the issuer.
link
keonix 1704 days ago
They do actually restrict issuer in most cases. Linus can't just strip Linux of other developers parts because they are tightly interconnected. He could relicense 30 year old version of Linux, but it would be useless
link
bildung 1704 days ago
I just have been more precise and say copyright holder instead of issuer. Linus doesn't hold the copyright for most of the Linux source, hence he can't relicense without explicit oks from the other developers.
link
jmnicolas 1704 days ago
But how can I be sure the chip I have in my hand is built upon this code and that no blob has been added?
link
gnramires 1704 days ago
By (1) purchasing anonymously from retail sources, and

(2) having researchers with anonymous retail samples verify through decapping and inspection. I believe der8auer in Germany does die shots -- it would not be a bad idea to kick start this kind of research for community assurance purposes.

It's difficult to prove there's no hidden logic, but it's also not trivial to hide complex logic needed to introduce covert undetectable vulnerabilities (probably around things the RNG source or crypto).

Also assuming you're a high value target, otherwise this is mostly going too far.

link