The Google H1 Fritz Chip
loper-os.orgFact: The Snowden leaks confirmed the long suspicion that governments work to backdoor software and hardware at an insane level. Related fact: Governments also try crazy hard to bust into insecure, vulnerable devices to compromise them.
So we have this really annoying catch 22, where people like this author report on real security and tamper protection systems as bad -- yet without them, the device would actually be prone to different actors attempting to own devices remotely.
Every security mechanism in place on modern computing hardware can be viewed as being either cryptographically important or encumbered against users. The fact of the matter is that it's extremely hard to build a platform that's resistant to all types of attack without also encumbering real users and real benefits of device ownership.
At some point, I just want to throw my hands up and ask why people continue to buy these devices if they dislike them so much. I can understand wanting to tinker and wanting to hack. But voluntarily forking over money just to complain about why that platform isn't an open box amazes me. It's plenty easier to buy a hackable and open by default platform than it is to buy a closed one and try to turn it into an open one.
And given the extreme asymmetry of defense vs offense there is only one possible outcome :
Backdoors for every state actor ...
It is incredibly easy to make ridiculously hard to find backdoors in both software and even more so in hardware, and early versions have been caught (including the US and Chinese governments). The odds of finding "v2" or, more likely "v50" backdoors are bad. Very bad.
Google, quite untypically for large manufacturers, put their golden key backdoor in plain sight, inside published source. (Apparently, "only a terrorist!" would read it?)
Let's track the RMA flow (the challenge/response mechanism you've tried out before it refused access because you're not a factory employee doing RMA repairs):
common/rma_auth.c:rma_challenge_response() calls process_response(), which on success calls common/factory_mode.c:enable_ccd_factory_mode()
That one calls factory_enable_deferred(), which resets the system before flushing all TPM data, and only on successfully removing all that proceeds to enable factory mode.
Therefore: gaining access through that venue also removes all secrets established on the system, including the TPM-part of the key used to encrypt the disk (the other part being derived from the account credentials, which isn't stored persistently anywhere).
(Disclosure: I'm part of the Chrome OS firmware team. If you find anything we forgot to do to protect user data, I'd _really_ love to know)
You are quite right, I do not work at your factory (TBH, I'd rather work for, e.g., Monsanto...)
Instead, I'm a reluctant purchaser of your hardware (the market is completely devoid of alternatives, if I go to buy a 6-core ARM64 laptop with a IPS display, it's the Chromebook or the highway). A purchaser who would like to actually use what he paid for. And this means the removal of all golden-key backdoor garbage, in the AP, EC, and Cr50 ROMs.
And yes this includes the FBI-subpoena-keyed "upgrade" capability, the AP ROM write-protect override, the I2C/SPI bus mastering, the locked-from-all-but-the-anointed-few console, etc.
I couldn't care less about user-installed "TPM secrets", disk encryption, etc. I get these boxes brand-new. What I want is to wipe the Cr50 and install a routine that simply handles the power button, 3.3v bringup and whatever else is absolutely required for the box to run, under full owner control like the old Chromebooks that had no Cr50.
> It's plenty easier to buy a hackable and open by default platform...
Pray tell, where can I buy a laptop (of new, rather than vintage, manufacture) without blobs and master keys?
Sure thing! I'm not entirely sure if this is 100% open, but it's worth checking out: https://puri.sm/
Intel. No thanks.
>To my knowledge, there has been no detailed public discussion of this NSA-imposed atrocity anywhere on the Net,
This blog post asserts that it was imposed by the NSA. Where is the evidence for that? The only source seems to be what appears to be speculation by some person on IRC.
>20:23 <asciilifeform> from my pov, it's nsa rootkit
It's hard to take this post very seriously when there's disinformation like this.
Why do people think it makes so much of a difference if a happy new planetary order is initially installed by alphabet agencies or Alphabet companies?
If the NSA is forcing Google to install chips in Chromebooks, then that's a sign that one group (the NSA) is getting a ton of power, since they likely also compelled chips in Android, Windows, iOS, Mac, and even Linux computers.
Whereas if Google is putting chips into their Chromebooks of their own initiative, that is no indication that Google is getting power over Windows, iOS, Mac, or Linux computers.
Do you particularly care whether the backdoor was installed at Google's initiative, or Trump's ?
The golden key exists, and will be used.
Yes, I do care. Because if Trump ordered it, then likely Linux, Windows, Android, Mac, and iOS also were ordered to have these, and nothing is safe.
But if Google decided to put a chip in their computers of their own initiative, then that's not an indication that the other computers have a chip. So I feel I'm much safer.
I care about my rights. If computer manufacturers lose their right to design their products as they see fit (i.e. they're forced to install chips against their will), that means the government is severely limiting its citizens' rights. There is likely no hope for my freedom. But if a manufacturer puts a chip in of their own free will, that's not really infringing my rights. I can simply buy computers from a different manufacturer.
> The only source seems to be what appears to be speculation by some person on IRC.
It's not just some person on IRC, it's the author. He's citing himself.
From the article this is part of any modern Chromebook:
The Cr50 device is a classic “Fritz chip” — i.e. a hardware “policeman”, built into a computing device [...], so as to specifically and deliberately act against the purchaser’s interests, by subverting the Laws of Sane Computing in these three ways:
Prevention of the full control of the machine by its physical owner, typically by inhibiting attempts to install modified firmware. [...]
Enablement of one or more types of “NOBUS” back door (Official NSA terminology! “No One But US“, [...]
Prevention of a clueful hardware owner’s attempts to “jailbreak” — to disable, remove, or circumvent the Fritz chip itself.
> typically by inhibiting attempts to install modified firmware
This also inhibits attempts by malicious third parties to install modified firmware on your machines.
For Chromebooks we traditionally tried to find a middle route: locked down by default, since most people care more about nobody tampering with their device than about the ability to do so themselves. For the others, there's dev mode (easy to get at, but with scary notifications, to make tampering obvious) and the write-protect screw (hard to get at, no tamper notification).
Hooking up cr50 into the write-protect line allows to develop a best-of-all-worlds approach:
* still locked down by default for people who don't want to think about their device's firmware security.
* simple to get at (but complicated enough that drive-by attacks remain infeasible), even with form factors that aren't service friendly (eg. glued chassis - firmware folks have no voice in these decisions).
* the ability to implement tamper evidence checks through remote attestation, even if the scary screens were disabled.
Compared to everything else on the market, I think it's a very user friendly set of trade-offs, both for power users and computers-are-appliances folks.
(disclosure: Chrome OS firmware developer)
Why lie to the public ? Pulling the battery does enable rewrite, by the user, of the AP ROM, but not the Cr50 -- the latter remains Tivoized. And every owner of this machine can verify this with his own hands, it is not even necessary to build the USB debug cable.
The Cr50 accepts firmware updates at all times, but only when signed with Google's RSA key.
> Why lie to the public?
I don't, and TBH I don't find your writing style (of which this is an example) very engaging.
Cr50 is a replacement for the old TPM. It has approximately the same constraints as the Infineon TPM used in the past: firmware updateable, but not for you.
[edit to add: would a mechanism to disable the update mechanisms, at the price of "no warranty" since RMA becomes impossible be acceptable to you? Or would you suspect that there's another update mechanism anyway?]
> Pulling the battery does enable rewrite
Pulling the battery is non-trivial on a device like Pixel C, hence a new mechanism.
My current alternative appears to be to desolder the Cr50 and fabricate harmless replacements (to e.g. init 3.3v rail).
So naturally voids warranties.
> firmware updateable, but not for you
Finally, honesty. It's a Tivo.
The Infineon couldn't force a boot ROM update via USB-C.
> firmware updateable, but not for you
Like the Infineon before it.
The author’s writing style makes them a little difficult to follow, but the details I can find seem to check out.
Does anyone know which Google/ChromeOS features this chip is used for, or what the justification for it is?
It's the new TPM? The old one had a (now patched) firmware bug, which newer Chromebooks like the Pixelbook don't seem to be vulnerable to:
https://www.chromium.org/chromium-os/tpm_firmware_update
Edit: this is what Chrome devices use it for https://www.chromium.org/developers/design-documents/tpm-usa...
Cr50 has replaced the old Infineon TPM, which the above link concerns.
Seriously. The hardware aspects are interesting, but the author's insistence on interpreting the situation as some sort of grand conspiracy theory, and using derogatory terms like "open sores" at every opportunity, makes the article nigh-unreadable.
Beyond the rethoric, the substance is not very different from RMS' arguments against TPMs, which must be some 15 years old now. You'll have a hard time buying a device today without such a chip.
I think it's worth noting that the TPM plans of 2003 differ a bit from TPM-as-of-2018.
What was called Trusted Computing, Palladium, TCPA, etc. in 2003 and became known in geek circles as "TPM" is now implemented as TPM + Intel Boot Guard + Intel SGX + Authenticated Code Modules + various other things (and other vendors' equivalents).
The TPM is the most benign part of it all: a slow, passive crypto chip with a small storage that it can hide away from the CPU unless the right system state and keys are presented (although the presented system state might be 100% fake).
The Cr50 does not limit itself to user key storage.
It turns the USB-C ports into always-on NSA-keyed backdoors (anyone in possession of the private RSA key, can reflash all three flash ROMs in the machine with whatever he likes, via the external ports, which cannot even be cemented shut, as the machine charges exclusively from USB-C.)
Cr50 is quite different from the Infineon et al TPM item commonly found in x86 boxes. It is able to rewrite AP and EC firmware, overriding the advertised write-protect feature; access the microphone; etc.
No reason to take my word for it: I recommend to read Google's source, I have linked to the most interesting routines.
Author of linked article speaking (supposing anyone is still reading, thread already marked as spam?)
I recommend to actually read Google's published Cr50 sources -- no reason to take my word for it. All of the functionality I described -- and more -- is there, plain as daylight, with comments. Including the backdoor pubkeys.
Off Topic — the author forgot to upgrade their reCaptcha integration.
Any calls to Google reCaptcha v1 API will not work after March 31, 2018 [1].
[1] https://developers.google.com/recaptcha/docs/faq#what-happen...
If this turns out to be accurate it would be _quite_ the stain on the otherwise very nice Cross ecosystem.
I would like to see some more details.
The details are openly published in Google's Cr50 sources, linked from the article.
How can I avoid or circumvent this type of technology when purchasing a new computer or phone?
You can't. Thank 20 years of apathetic consumers, such as the people in this comment thread.
I thought the h1 chip was in their cloud servers, not their Chromebooks or anywhere else?