Conversation
Replying to
Trezor Model T has open source firmware, passphrase protection based on a passphrase entered on the device and supports U2F, SSH and GPG in addition to being a Bitcoin wallet. Passphrases are dynamically mixed with the main seed protected by the hardware so there's deniability.
3
1
1
Replying to
1
Replying to
Using a full blown Linux environment would be dramatically less secure from having far larger attack surface and wouldn't resolve hardware attacks based on physical access. This is an attack that needs to be hardened against at the hardware level and can't ever truly be solved.
2
3
4
Ledger doesn't meet your criteria of open source since it relies on a proprietary secure element. It still has a general purpose CPU just as vulnerable to hardware attacks, but the secrets aren't directly accessible to it. They've had their own more severe security issues anyway.
1
I think it's better to have a proprietary secure element than not having one, but I can understand why they prefer having open source firmware including the implementation of cryptographic primitives. Ideally, there would be hardware with tamper resistance *and* open firmware.
The Titan M in the Pixel 3 will have open source firmware with reproducible builds: android-developers.googleblog.com/2018/10/buildi. I don't think there's an existing example of a secure element with that much of the design open source. I don't think it can be expected any would be fully open hardware.
1
The post you linked is referring to any normal general purpose CPU / SoC as non-secure which is overly dramatic. Secure elements can raise the cost of physical attacks but can't resolve them. The SoC has embedded memory and decent security features so it's not a terrible choice.
1
Show replies