On Wed, Jun 17, 2015 at 8:59 AM, Tim Beelen <[1]tim@diffalt.com> wrote:

Has anyone ever established or tried building a trust model with any of these producers? It's rather hard to invent that wheel. I've heard that setting up a foundry is quite a bit of work. And in today's environment it is a significant advantage to produce community-vetted hardware. So we might be able to get a solid business model behind this.

On 6/17/2015 3:27 AM, grarpamp wrote:

On Wed, Jun 17, 2015 at 12:25 AM, Troy Benjegerdes <[2]hozer@hozed.org> wrote:

PCB layout of the server(s) that got hacked.

The gate counts in the chips moots the PCB.

'IP' and such ... because there will be more than just me talking about why we need full-disclosure hardware that you can X-ray and compare to an image signed and hosted by multiple independent and competing nation-state or multinational-corporate level security agencies. ... If your Intel motherboard matches the image signed by IBM,

Private xraying to validate an individual chip is fine, but does nothing for everyone else. If you already have and are validating the [somehow open] image, you might as well open-source and open-up the entire fab. That way you know everything rolling off the line is good. While you may trust the chip to image in your hand, do you trust Intel, Huawei, Qualcomm, TSMC?

[3]https://en.wikipedia.org/wiki/Foundry_model

OK, yes - being able to verify first and foremost that the PCB you have matches some reference is an important first step for guaranteed hardware security.

Perhaps building an accessible verifier might be the logical first step.

How effective is this X-Ray method for detecting hardware modifications [what is the resolution?]

How do you process two different X-Ray images, remove the noise (normalize) to compare two different documents?

-Travis

--
[4]Twitter | [5]LinkedIn | [6]GitHub | [7]TravisBiehn.com | [8]Google Plus

References

1. mailto:tim@diffalt.com
2. mailto:hozer@hozed.org
3. https://en.wikipedia.org/wiki/Foundry_model
4. https://twitter.com/tbiehn
5. http://www.linkedin.com/in/travisbiehn
6. http://github.com/tbiehn
7. http://www.travisbiehn.com/
8. https://plus.google.com/+TravisBiehn