On 02/04/2015 08:59 PM, Brian Minton wrote:
> Showing a hash wouldn't prevent a malicious entity from making a
> fake token that prints whatever hash the user expects. There's no
> way to verify that the hash is if code actually on the device, or
> that the hashed code is the only code on the device.
Thank you for your insight. Yes, if "show"-ing is by its program, it
could be also fake.
I meant, something in a JTAG/SWD protocol layer (not by user
program), built-in _hardware_ feature by semiconductor manufacturer to
show hash of flash blocks.
Scenario is like:
(1) Firmware is written to flash ROM on MCU, by a firmware author.
Possibly it's protected to be read.
(2) It is possible for an end-user to send command to MCU by
JTAG/SWD channel (even if flash ROM is protected). Like:
show_hash <BLOCK_NUM_START> <BLOCK_NUM_END>
(3) An end user can confirm that the hash is the correct one as the
firmware author says.
Does it make sense?
Sorry, I should have written down clearly, in the previous mail.
--
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
