betrusted-soc reviews and mentions

• Precursor – Xous Release v0.9.9: “Vault” Authentication App
  1 project | news.ycombinator.com | 22 Jul 2022

  It’s a good question - the analysis seems to ignore the need for non-free software to properly build the FPGA bitstream files from source.

  We have no way to know the Xilinx tools are safe. None of those papers address the tool chain question AFAIK. Additionally, it is difficult to know if a user has downloaded the real Xilinx software tool chain; the git repo ( https://github.com/betrusted-io/betrusted-soc ) from has no verification step for step 7. There is a public key and a hash, they could include this in the repo and at least it would make a targeted attack a little more difficult.

  Additionally they could use a git sub module for step 6 and have a better risc-v supply chain security story. It seems trivial to fix that detail, so I am sure it will be fixed if they’re alerted.

  These setup steps are trivial security issues, simple to fix, and possibly only theoretically an issue for a targeted attack. What isn’t theoretical is that the we cannot trust the non-free Xilinx tool chain as we can’t see the sources, so we don’t know that they’re not currently doing something bad (bugs or backdoors) or won’t later be doing something we don’t want.

  Frustrating!