What is the actual risk of a closed baseband with its own CPU? Does it have access to the same memory as the OS kernel? If so, is it not possible to design SoCs/boards that have dedicated memory for the baseband so that the main OS can treat the baseband and data in its memory as untrusted?
The risk is that the baseband could be implementing similar features that this userland adds to the "distro" running on the modem (call, data, and SMS recording), and these features could be driven by signals from the cell network. Unless you have a tap on the data egress path to the RF section, it would be difficult to know if data like this was being exfiltrated from your device as it completely bypasses the host's stack.
I am not sure I fully understand what you mean, but my question was that if all important data/metadata is encrypted when it leaves the hardware that is trusted, then why does it matter if there was hostile malware on the baseband hardware? A sibling comment mentioned the PinePhone has only USB and I2C to the baseband, so barring 0-days over the USB, unless USB also means whatever the equivalent of DMA on mobile is, then it can't impact trusted code.
This is kind of like my home ISP router. I don't care if it is compromised because I don't manage it and I don't trust it with any of my important data or expose it directly to trusted devices.
But isn't all this something the carrier can do anyway on their side? What do they gain by controlling the modem that they can't already get just from their own equipment?
This expands the pool of actors beyond network operators. If you can just interact with the cell directly by sending signals to it, you can interfere with the cell without involving the network operator.