Is there a process for secure firmware install/upgrade for device made offshore? - Page 3

Do you have a question? Post it now! No Registration Necessary

Translate This Thread From English to

Threaded View
Re: Is there a process for secure firmware install/upgrade for device made offshore?
Quoted text here. Click to load it

I read about anti evil maid at
https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html
and they make it clear that if BIOS is compromised, then all this signature/hash/TPM scheme will not work.

This brings us back to square one: how to prevent bootloader from being compromised?
To summarize: so far I heard about secure boot loaders only in 2 chip families: Microsemi FPGA and Maxim Cortex MCU with Secure Boot loader.

Re: Is there a process for secure firmware install/upgrade for device made offshore?
On 07/08/17 00:09, snipped-for-privacy@gmail.com wrote:
Quoted text here. Click to load it

One queston to ask is: do you really need to ship the firmware to
China ?. The reason might be so that the finished item can be tested,
but why not ship e minimal firmware, just enough to show that
the hardware works ?. Them do the final programming at this side of
the pond.

If you don't send it, they can't copy it...

Chris

Re: Is there a process for secure firmware install/upgrade for device made offshore?
Am 17.07.2017 um 20:52 schrieb Chris:

Quoted text here. Click to load it

That will only get you back to the issue I described 3 weeks ago:  
installing the secret yourself is not a solution either, because then  
you will effectively no longer be manufacturing in China.

If you have to ship all the stuff back to home base, unwrap it, open it  
up far enough to get at the internal programming interface to install  
firmware, then put it all back together again, and re-package for final  
delivery.  The overhead in terms of both delay and money will be  
considerable.  You'll effectively be manufacturing at home.

And anyway: how do you know you can actually trust your local employees  
so much further than your overseas contractors?

And of course a criminal at the Chinese end could still side-track to  
the black market devices with the testing-only software still on them.  
Good luck explaining to "your" customers why apparently genuine devices  
do not work _at_all_.

Re: Is there a process for secure firmware install/upgrade for device made offshore?
Quoted text here. Click to load it

iPhones and most other consumer devices these days are made in China and sh
ipped straight from China to final customers. Most companies do not have ev
en distribution nor manufacturing facilities in US anymore.


Quoted text here. Click to load it
er than your overseas contractors?

Well, US based employees and contractors can be sued, arrested, etc, Chines
e contractors are completely unpunishable. It is just your brain and skills
 versus theirs.

Quoted text here. Click to load it
o not work _at_all_.

I think if we will solve my original problem - how to securely install some
 secret code and/or key on our devices, then it will be trivial to determin
e which devices are genuine and which are fake.

Re: Is there a process for secure firmware install/upgrade for device made offshore?
snipped-for-privacy@gmail.com writes:
Quoted text here. Click to load it

I know of a company that got its stuff built at two different Chinese
manufacturers, in a way that both manufacturers would have had to
collude to get the keys out.  I guess that's a start.

Site Timeline