
The Google H1 Fritz Chip - erikj
http://www.loper-os.org/?p=2433
======
Shank
Fact: The Snowden leaks confirmed the long suspicion that governments work to
backdoor software and hardware at an insane level. Related fact: Governments
also try crazy hard to bust into insecure, vulnerable devices to compromise
them.

So we have this really annoying catch-22, where people like this author report
on real security and tamper protection systems as bad -- yet without them, the
device would actually be prone to different actors attempting to own devices
remotely.

Every security mechanism in place on modern computing hardware can be viewed
as being either cryptographically important or encumbered against users. The
fact of the matter is that it's extremely hard to build a platform that's
resistant to all types of attack without also encumbering real users and real
benefits of device ownership.

At some point, I just want to throw my hands up and ask why people continue to
buy these devices if they dislike them so much. I can understand wanting to
tinker and wanting to hack. But voluntarily forking over money just to
complain about why that platform isn't an open box amazes me. It's plenty
easier to buy a hackable and open by default platform than it is to buy a
closed one and try to turn it into an open one.

~~~
candiodari
And given the extreme asymmetry of defense vs offense there is only one
possible outcome:

Backdoors for every state actor ...

It is incredibly easy to make ridiculously hard to find backdoors in both
software and even more so in hardware, and early versions have been caught
(including the US and Chinese governments). The odds of finding "v2" or, more
likely "v50" backdoors are bad. Very bad.

~~~
asciilifeform
Google, quite untypically for large manufacturers, put their golden key
backdoor in plain sight, inside _published_ source. (Apparently, "only a
terrorist!" would read it?)

~~~
pgeorgi
Let's track the RMA flow (the challenge/response mechanism you've tried out
before it refused access because you're not a factory employee doing RMA
repairs):

common/rma_auth.c:rma_challenge_response() calls process_response(), which on
success calls common/factory_mode.c:enable_ccd_factory_mode()

That one calls factory_enable_deferred(), which resets the system before
flushing all TPM data, and only on successfully removing all that proceeds to
enable factory mode.

Therefore: gaining access through that venue also removes all secrets
established on the system, including the TPM-part of the key used to encrypt
the disk (the other part being derived from the account credentials, which
isn't stored persistently anywhere).

(Disclosure: I'm part of the Chrome OS firmware team. If you find anything we
forgot to do to protect user data, I'd _really_ love to know)

~~~
asciilifeform
You are quite right, I do not work at your factory (TBH, I'd rather work for,
e.g., Monsanto...)

Instead, I'm a reluctant purchaser of your hardware (the market is completely
devoid of alternatives; if I go to buy a 6-core ARM64 laptop with an IPS
display, it's the Chromebook or the highway). A purchaser who would like to
_actually use what he paid for_. And this means the removal of all golden-key
backdoor garbage, in the AP, EC, _and_ Cr50 ROMs.

And yes, this includes the FBI-subpoena-keyed "upgrade" capability, the AP ROM
write-protect override, the I2C/SPI bus mastering, the
locked-from-all-but-the-anointed-few console, etc.

I couldn't care less about user-installed "TPM secrets", disk encryption, etc.
I get these boxes brand-new. What I want is to wipe the Cr50 and install a
routine that simply handles the power button, 3.3v bringup and whatever else
is absolutely required for the box to run, _under full owner control_ like the
old Chromebooks that had no Cr50.

------
Buge
> To my knowledge, there has been no detailed public discussion of this NSA-imposed atrocity anywhere on the Net,

This blog post asserts that it was imposed by the NSA. Where is the evidence
for that? The only source seems to be what appears to be speculation by some
person on IRC.

> 20:23 <asciilifeform> from my pov, it's nsa rootkit

It's hard to take this post very seriously when there's disinformation like
this.

~~~
YouAreGreat
Why do people think it makes so much of a difference if a happy new planetary
order is initially installed by alphabet agencies or Alphabet companies?

~~~
Buge
If the NSA is forcing Google to install chips in Chromebooks, then that's a
sign that one group (the NSA) is getting a ton of power, since they likely
also compelled chips in Android, Windows, iOS, Mac, and even Linux computers.

Whereas if Google is putting chips into their Chromebooks of their own
initiative, that is no indication that Google is getting power over Windows,
iOS, Mac, or Linux computers.

~~~
asciilifeform
Do you particularly care whether the backdoor was installed at Google's
initiative, or Trump's?

The golden key exists, and will be used.

~~~
Buge
Yes, I do care. Because if Trump ordered it, then likely Linux, Windows,
Android, Mac, and iOS also were ordered to have these, and nothing is safe.

But if Google decided to put a chip in their computers of their own
initiative, then that's not an indication that the other computers have a
chip. So I feel I'm much safer.

I care about my rights. If computer manufacturers lose their right to design
their products as they see fit (i.e. they're forced to install chips against
their will), that means the government is severely limiting its citizens'
rights. There is likely no hope for my freedom. But if a manufacturer puts a
chip in of their own free will, that's not really infringing my rights. I can
simply buy computers from a different manufacturer.

------
Gys
From the article this is part of any modern Chromebook:

The Cr50 device is a classic “Fritz chip” — i.e. a hardware “policeman”, built
into a computing device [...], so as to specifically and deliberately act
against the purchaser’s interests, by subverting the Laws of Sane Computing in
these three ways:

Prevention of the full control of the machine by its physical owner, typically
by inhibiting attempts to install modified firmware. [...]

Enablement of one or more types of “NOBUS” back door (Official NSA
terminology! “No One But US”, [...]

Prevention of a clueful hardware owner’s attempts to “jailbreak” — to disable,
remove, or circumvent the Fritz chip itself.

~~~
pgeorgi
> typically by inhibiting attempts to install modified firmware

This also inhibits attempts by malicious third parties to install modified
firmware on your machines.

For Chromebooks we traditionally tried to find a middle route: locked down by
default, since most people care more about nobody tampering with their device
than about the ability to do so themselves. For the others, there's dev mode
(easy to get at, but with scary notifications, to make tampering obvious) and
the write-protect screw (hard to get at, no tamper notification).

Hooking up cr50 to the write-protect line allows us to develop a best-of-all-worlds
approach:

* still locked down by default for people who don't want to think about their device's firmware security.

* simple to get at (but complicated enough that drive-by attacks remain infeasible), even with form factors that aren't service friendly (e.g. glued chassis - firmware folks have no voice in these decisions).

* the ability to implement tamper evidence checks through remote attestation, even if the scary screens were disabled.

Compared to everything else on the market, I think it's a very user friendly
set of trade-offs, both for power users and computers-are-appliances folks.

(disclosure: Chrome OS firmware developer)

~~~
asciilifeform
Why lie to the public? Pulling the battery _does_ enable rewrite, by the
user, of the AP ROM, but _not_ the Cr50 -- the latter remains Tivoized. And
every owner of this machine can verify this with his own hands; it is not even
necessary to build the USB debug cable.

The Cr50 accepts firmware updates at all times, _but only when signed with
Google's RSA key._

~~~
pgeorgi
> Why lie to the public?

I don't, and TBH I don't find your writing style (of which this is an example)
very engaging.

Cr50 is a replacement for the old TPM. It has approximately the same
constraints as the Infineon TPM used in the past: firmware updateable, but not
for you.

[edit to add: would a mechanism to disable the update mechanisms, at the price
of "no warranty" since RMA becomes impossible be acceptable to you? Or would
you suspect that there's another update mechanism anyway?]

> Pulling the battery does enable rewrite

Pulling the battery is non-trivial on a device like Pixel C, hence a new
mechanism.

~~~
asciilifeform
My current alternative appears to be to desolder the Cr50 and fabricate
harmless replacements (to, e.g., init the 3.3v rail).

So naturally voids warranties.

> _firmware updateable, but not for you_

Finally, honesty. It's a Tivo.

~~~
asciilifeform
The Infineon couldn't force a boot ROM update via USB-C.

------
confounded
The author’s writing style makes them a little difficult to follow, but the
details I can find seem to check out.

Does anyone know which Google/ChromeOS features this chip is used for, or what
the justification for it is?

~~~
puzzle
It's the new TPM? The old one had a (now patched) firmware bug, which newer
Chromebooks like the Pixelbook don't seem to be vulnerable to:

https://www.chromium.org/chromium-os/tpm_firmware_update

Edit: this is what Chrome devices use it for:
https://www.chromium.org/developers/design-documents/tpm-usage

~~~
asciilifeform
Cr50 has replaced the old Infineon TPM, which the above link concerns.

------
asciilifeform
Author of linked article speaking (supposing anyone is still reading, thread
already marked as spam?)

I recommend to actually read Google's _published_ Cr50 sources -- no reason to
take my word for it. All of the functionality I described -- and more -- is
there, plain as daylight, with comments. Including the backdoor pubkeys.

------
guessmyname
Off Topic — the author forgot to upgrade their reCaptcha integration.

Any calls to Google reCaptcha v1 API will not work after March 31, 2018 [1].

[1] https://developers.google.com/recaptcha/docs/faq#what-happens-to-recaptcha-v1

------
robert_foss
If this turns out to be accurate it would be _quite_ the stain on the
otherwise very nice Cross ecosystem.

I would like to see some more details.

~~~
asciilifeform
The details are openly published in Google's Cr50 sources, linked from the
article.

------
pmiller2
How can I avoid or circumvent this type of technology when purchasing a new
computer or phone?

~~~
asciilifeform
You can't. Thank 20 years of apathetic consumers, such as the people in this
comment thread.

------
sofaofthedamned
I thought the h1 chip was in their cloud servers, not their Chromebooks or
anywhere else?

