On Wed, Apr 15, 2015 at 10:05:30AM +0100, Cathal (Phone) wrote:
> The SOC in a raspi is probably no worse than the rest,

I contest this claim. BRCM SoCs are probably not the *worst* SoCs in the market (that distinction probably belongs to Mediatek or a Chinese vendor we've never heard of) but they are almost certainly not in the first ranks. Unfortunately I can't make a strong argument as to which SoCs are in the first rank. I'd give some of the TI chips a higher chance, but brand-hunting is not the route to safety -- some of the TI chips are almost certainly as bad or worse.

I am concerned about the following --

1. Existing SoC CPUs certainly have errata (known errors or undocumented "features") that are not disclosed to the public, and never fixed in patched chip releases. Some of these are likely to cause security issues. Previous SoCs (circa 2008) have had undisclosed bugs in instruction decode allowing privilege elevation, for example. Even Intel and AMD, who have a *much* larger team working on these systems than places like Broadcom and Mediatek, still manage to ship security bugs from time to time... I don't give BRCM much of a chance of shipping bug-free silicon.

2. SoCs contain a multitude of "Intellectual Property Blocks" such as a DRAM controller, an Ethernet controller, USB, SATA, AC97 Audio, etc. These are all connected together by an interconnect bus. Each block comes from a different development group, often purchased from a different company. The company that sells you the SoC often doesn't even know what the features and bugs of their purchased IP cores *are*... and that undocumented Ethernet core may well have a "feature" that would allow arbitrary access to the interconnect.

3. SoC interconnects don't have much in the way of security. When the Ethernet controller bug lets an Evil Packet onto the interconnect, it's probably just a hop, skip and a jump to main memory.

-andy