Hi,
I ordered a Trezor a few days ago directly from shop.trezor.io. Before I ordered I did quite a lot of research and I am confident the device is secure and probably the best we can do to protect ourselves against 3rd parties. However, I still didn’t quite catch how we can be sure if we don’t trust SatoshiLabs. Here is what I understood so far, so please let me know if this makes sense and if I missed something (good or bad).
So there is the bootloader and the firmware. They are both open source, and we can compile the code, and once we compile it we can get a hash signature for the binary. When we first get the device it is without firmware and with a bootloader from SatoshiLabs, which is write-protected. Write protection is achieved by the MPU, as the hardware has a bug in the write-only part. So write protection is also part of the bootloader (not sure if this is still the case in 2021).
So when I get my new Trezor I connect it to USB and open the SatoshiLabs application, which detects it and writes the latest firmware to it. The bootloader does the write and it checks the signature of the firmware. When the firmware is loaded it checks the signature of the bootloader, and only if both are OK does the device proceed with the boot without a warning.
Now some questions:
- The bootloader doesn’t know the signature of future firmwares because it is read-only. It only checks that the firmware is signed by the SatoshiLabs private key; that doesn’t guarantee us it is the same as the one in the source code repository, since the binary hash is not compared. So basically it only guarantees the firmware comes from SatoshiLabs, and we can check if the firmware is the same as the source code one by verifying its hash before uploading it. Does this sound OK?
- When the firmware checks if the bootloader is OK, does it have some code in it which compares the current device bootloader hash with all bootloader hashes released so far? If there is such code then we could compile our version of the bootloader, check if its hash is in the firmware code and be sure it is OK. This assumes we can also check the code of the firmware which calculates the hash of the current device bootloader, which is I guess also available in the source?
- When I want to update my device, can I first download the firmware and check its signature and then upload that same firmware to my device? If that’s correct then the above points should guarantee that I am sure I have both the bootloader and the firmware as they are in the source code, even if I don’t trust SatoshiLabs.
Also I guess things like the bootloader saving the firmware in another memory block and, when booting, actually starting a hidden firmware are all guaranteed not to happen, since we have the source code, and if we can be 100% sure they are the actual binaries in the device then there is no fear (hopefully it is guaranteed by the above points). It makes me wonder how anyone can trust any hardware device which has any part of the code non-open-source, including Ledger.
Sorry if this post is too long, but if someone explains a bit it would be useful to everyone who has similar suspicions about trusting the manufacturer.
Thanks
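An added illustration of the two hash checks the post asks about (the user-side reproducible-build comparison before uploading, and the firmware-side bootloader allow-list); this is toy code written for this thread, not SatoshiLabs' code, and the image layout with a 64-byte signature slot is a constructed assumption rather than the real Trezor header format:

```python
import hashlib
import hmac

# Constructed toy image layout (assumption, not Trezor's real header):
#   bytes 0..4   magic b"FWIM"
#   bytes 4..8   code length, little-endian uint32
#   bytes 8..72  64-byte vendor signature slot (all zero in an unsigned local build)
#   bytes 72..   code
SIG_OFF, SIG_LEN = 8, 64
HDR_LEN = SIG_OFF + SIG_LEN

def build_image(code: bytes, signature: bytes = b"\x00" * SIG_LEN) -> bytes:
    """Assemble an image; a local reproducible build leaves the signature slot empty."""
    assert len(signature) == SIG_LEN
    return b"FWIM" + len(code).to_bytes(4, "little") + signature + code

def code_hash(image: bytes) -> str:
    """Hash the image with the signature slot zeroed, so a vendor-signed download
    and an unsigned local build of the same source produce the same digest."""
    if image[:4] != b"FWIM" or len(image) < HDR_LEN:
        raise ValueError("not a firmware image")
    stripped = image[:SIG_OFF] + b"\x00" * SIG_LEN + image[HDR_LEN:]
    return hashlib.sha256(stripped).hexdigest()

def matches_local_build(downloaded: bytes, local_build: bytes) -> bool:
    """User-side check before uploading: does the downloaded binary contain
    exactly the code that compiling the published source produced?"""
    return hmac.compare_digest(code_hash(downloaded), code_hash(local_build))

def bootloader_hash(bootloader: bytes) -> str:
    """Digest of the bootloader bytes actually present in flash."""
    return hashlib.sha256(bootloader).hexdigest()

def bootloader_is_known(installed_bootloader: bytes, known_hashes: set) -> bool:
    """Firmware-side check: the installed bootloader's hash must be in the
    allow-list of released bootloader hashes compiled into the firmware."""
    return bootloader_hash(installed_bootloader) in known_hashes

if __name__ == "__main__":
    code = b"\x00\xbf" * 100                          # constructed stand-in for compiled code
    local = build_image(code)                          # what you compiled yourself
    signed = build_image(code, b"\xaa" * SIG_LEN)      # same code, vendor signature filled in
    tampered = build_image(code + b"\xff", b"\xaa" * SIG_LEN)
    print(matches_local_build(signed, local))          # True
    print(matches_local_build(tampered, local))        # False
```

The point the toy makes explicit: the vendor signature only proves origin, so the signature bytes must be excluded from the comparison, and only the zeroed-slot hash tells you the code matches what you built from source.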