Images are a false simplification

Posted Nov 6, 2025 2:46 UTC (Thu) by intelfx (subscriber, #130118)
In reply to: Images are a false simplification by Nahor
Parent article: A security model for systemd

> Plenty of people will argue you can't ("blabla manufacturing blabla China blabla" and "blabla NSA blabla backdoor blabla")

That's the point of the GP, which I believe you have missed.

If you don't trust your CPU vendor enough to believe that their root of trust implementation is not subverted by your malicious actor of choice, then why would you trust *anything* that comes out of that CPU against the same malicious actor? The only logical choice of action would be to throw the CPU away immediately.

And if you haven't done that, then it necessarily follows that you *do* trust the CPU vendor, so it's fine if they implement a root of trust too.

Images are a false simplification

Posted Nov 6, 2025 10:29 UTC (Thu) by excors (subscriber, #95769) [Link]

I think there are subtly different definitions of "trust". In normal English it means "I believe this person won't harm me", but in a computer security context it often means "I am allowing this person to harm me". Under the first definition, it's best if you can correctly trust as many people as possible. Under the second, it's best to trust as few as possible.

Ideally the people you trust under the second definition are also trusted under the first definition, but in practice you can rarely have that level of belief in anyone, so you're knowingly opening yourself up to some risk of harm.

You can't prevent your CPU vendor harming you, so you do trust them under the second definition. The best you can do is minimise risk by ensuring they're the only people who can harm you.