[fefe23]

"cryptographically secure bootloader" is a meaningless phrase.

They mean a boot loader that validates cryptographic public key signatures of the loaded component. That would be a secure cryptographic bootloader. AFTER they have proven that it is, in fact, secure.

You can't just write some code and then say it must be secure because Rust was involved.

[Aurornis]

> You can't just write some code and then say it must be secure because Rust was involved.

The article doesn't claim that at all.

The cryptographically secure part comes from doing cryptographic verification of the code before running it.

The article talks about using Rust to improve memory safety.

[RsmFz]

> You can't just write some code and then say it must be secure because Rust was involved

Did they say that?

[fefe23]

Yes. They call it "secure" and have zero arguments to back up that claim except Rust's memory safety guarantees.

Which, by the way, do not apply, since the SHA256-Code is marked unsafe.

[AlotOfReading]

Unsafe blocks do not imply equivalence with C. They imply that if there are memory safety issues, the issue originates in one of the unsafe blocks. Usually there are few enough lines of code in unsafe blocks doing small enough tasks that you can feasibly to rule out issues by thinking hard enough.

Contrast that with C, where every line may be a source of safety issues. It's a meaningful difference.

[bangaladore]

The original commenter is correct, though.

Any "unsafe" block within a rust source code potentially corrupts the entire application as undefined behavior has no bound and will/may leak right out of the unsafe block.

You are arguing something else. Enumerating all unsafe code is a good feature, but when one of the fundamental building blocks of your security is marked unsafe, it raises questions about its overall benefit.

[AlotOfReading]

I'm not addressing that because I don't think it's an interesting discussion. There's excellent tooling for validating crypto code.

I'm emphasizing the difference between rust and C here because unlike Martin, I don't agree that it's meaningfully possible to eliminate UB in C by careful analysis. You're able to do this in Rust in large part because those issues are all concentrated in a few tightly scoped blocks with clear responsibilities.

Unsafe also gives you a massive hint where to look when you're debugging.

[uecker]

Well, not every construct in C can have safety issue. Saying that every line in C may be the source of memory safety issues is as accurate as saying that every line of Rust may be a source of memory safety issues, because it could make use of unsafe.

There is another issue: Unsafe code in Rust could violate assumptions that could cause other code in Rust to be unsafe. So it needs more care to write than regular C.

But I agree that it still a huge net benefit with respect to memory safety, but let's not exaggerate.

[itishappy]

Those unsafe lines in C could be anywhere in your program. In Rust they cannot exist outside of unsafe blocks. This is not a trivial distinction! For all intents and purposes, each and every line of C must be treated as potentially unsafe.

[adgjlsfhk1]

The really big difference is the searchability and frequency of possibly unsafe operations. If you want to audit all possible unsafe lines of code in a Rust project, you can grep for "unsafe" and find all of them (and in most projects there will be very few if any). In C, on the other hand, you need to look at literally every indexing operation, every pointer dereference, every use of a variable (to make sure it isn't potentially used after free or before initialization), every cast, and probably some extras that I've forgotten. As such, rather than having a low double digit number of cases to look at, you have to look at the vast majority of lines of code.

[uecker]

While true, my point is that you can write C in a way that many functions are also obviously free of UB, and you only need to carefully vet the pointer arithmetic in some low-level functions.

So I agree with the point in principle, I just do not like the "spin" of "every line of C is time bomb nobody can understand" while in Rust you just have to look at some lines of "unsafe" and all is good.

[wyldfire]

> You can't just write some code and then say it must be secure because Rust was involved.

I have a feeling that the qualifier is there in the headline to distinguish from the potential security improvements that come from replacing a C bootloader implementation with a feature -parity Rust one.

[creshal]

How does it know what keys to trust? TPM?