
Path: ...!news.mixmin.net!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Don Y <blockedofcourse@foo.invalid>
Newsgroups: sci.electronics.design
Subject: Re: Offshore firmware management
Date: Sun, 26 May 2024 09:42:54 -0700
Organization: A noiseless patient Spider
Lines: 93
Message-ID: <v2voqr$3fs2u$1@dont-email.me>
References: <v2ts06$333m5$1@dont-email.me>
 <kbv45jt7q50qedejctj6f30h23hukoepdk@4ax.com> <v2u8n8$38jkf$1@dont-email.me>
 <7ld65j55ogderkv4r18jrgshlirkbtcluk@4ax.com> <v2vg5a$3eene$1@dont-email.me>
 <8cm65jl2t7tfbaf46l88aue2vbdaeks7gs@4ax.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Sun, 26 May 2024 18:43:08 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="e324dc6d5a27212bf284568b86948ba2";
	logging-data="3666014"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX18ebtG4fy88OvUbjVIzedcQ"
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.2.2
Cancel-Lock: sha1:IOm6+V/wIjix+RSQzgmQLF8v7G0=
In-Reply-To: <8cm65jl2t7tfbaf46l88aue2vbdaeks7gs@4ax.com>
Content-Language: en-US
Bytes: 5788

On 5/26/2024 9:01 AM, Joe Gwinn wrote:
>> Hardware "unit" costs are reasonably insignificant; they are designed to be
>> easy/inexpensive to produce.  No precision components, manufacturing
>> tolerances, etc.  If you are committed to "copying at scale", then there
>> is little standing in your way (i.e., molds, boards, packaging, etc.
>> are just "costs of doing business")
>>
>> *ALL* of the value lies in the software.
>
> [good summary, but big snip]
> 
> It sounds like you really have only one kind of possible solution.
> 
> First, as Phil H suggests, do not provide the firmware to the contract
> manufacturer at all, instead install it back home.

That's been SOP for many decades, now.  The "manufacturer" is given
an "image" that contains manufacturing diagnostics.  This, coupled with
an explanation for what is being tested (and how) -- along with
schematics -- lets them troubleshoot and validate units before
acceptance.  (silly to try to "hide" schematics as the gerbers and
stuffing list already tell *that* story)

You support ISP and then just "reprogram" the image later, at YOUR
facility.  This gives you control of the image as well as JIT to
bind an image to *a* delivery (important if you want to customize
the product for specific customers and don't want to have to commit
to keeping a specific number of each variant "in stock", risking
overestimating some demands and underestimating others)

But, there's a fair bit of "cost" to performing these operations.
For a DM+DL of $10-20, that can represent a big piece of the "cost".
(EASY to ignore if DM+DL is $100-1000!)

> Now "install" can mean a number of things.  If you just install a
> common firmware image, that contract manufacturer can simply buy a
> copy in the US, and reverse engineer it, so that isn't going to work
> for very long.

Exactly.  You have to rely on "secure" storage to keep it hidden.

> If the hardware has a unique and large hardware serial number (there
> are chips that do this), the installed firmware can be adjusted to
> know its target serial number, and refuse to work anywhere else.  This
> is done with a crypto checksum scheme of some kind, complicating and
> delaying reverse engineering.

Yes.  If you further tie that SN to an "activation" procedure, then
only the first unit bearing a particular SN can ever see use.  If the
"SN-space" is sparse, an adversary has to rely on finding a valid
SN to copy.  But, only AT MOST the first of those copies will ever see
an activation.

E.g., a TRULY counterfeit iPhone can only replace exactly one legitimate
iPhone as Apple controls which ones "work" and which WON'T -- based on
its own mechanisms (imagine what it would be like trying to argue
with Apple that YOUR iPhone is genuine and any other previous
activation was the counterfeit??)

Activation can further be tied to sales records so those counterfeit
"sales" are never recognized (by the legitimate vendor).

[This also has an obvious tie-in for upgrades; even if you manage
to get a hold of an upgrade image, the device doesn't have to
accept it -- unless you further modify the images involved to
avoid any such dependencies.  (But, one should eschew upgrades,
on principle, as they increase the cost to the user)]

> Next stronger is to also require the product to contact the mother
> ship to complete the serial number.

Yes, as above.  Note that the image installed can also VARY with the SN.
The SN disclosed to the "mothership" (activation server) can be a
one-way hash of the real SN so an MITM can't do anything with that
observation.

> How far to go is an economic decision - all you need to do is to make
> cloning your product economically pointless.  It is not necessary for
> the locking scheme to be bulletproof.

There are lots of similar schemes but all come with some "labor" cost.
You're outsourcing the manufacture, presumably, to minimize costs...

The economic aspect is always the kicker.  With high product costs,
it's easy to add a significant effort/cost to protect a design.
But, when things get "dirt cheap", everything you add SOLELY to
protect your IP is pure overhead; it adds no VALUE to your product!
It's akin to throwing money at lawyers to try to get injunctions
against adversaries (the product doesn't IMPROVE as a result of
those actions, and your attention has been diverted from
adding new functionality to *defending* your existing design)
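As an added illustration (not part of the original post or of the thread), the following Python sketches the two mechanisms discussed above: a firmware image bound to a chip's unique serial number with a keyed checksum so the device refuses to run a copied image, and an activation server that sees only a one-way hash of the serial and honours the first activation per sold unit. The master key, serial numbers, firmware body and sales records are all constructed placeholders; the function and class names are assumptions made for this example.

```python
"""
Added example: serial-bound firmware plus first-activation-wins server.
Everything here (keys, serials, firmware body, sales list) is constructed.
"""
import hashlib
import hmac
import secrets

# Constructed placeholder; in practice this never leaves the vendor's facility.
MASTER_KEY = b"vendor-master-key-placeholder"


def new_serial() -> bytes:
    """A 128-bit random serial: the 'sparse SN-space' from the thread,
    so guessing a valid serial is not practical."""
    return secrets.token_bytes(16)


def device_key(master_key: bytes, serial: bytes) -> bytes:
    """Per-device key derived from the master key and the chip serial.
    The vendor derives it at the in-house programming step and stores it
    in the device's secure storage; the master key itself is not on the device."""
    return hmac.new(master_key, b"device-key|" + serial, hashlib.sha256).digest()


def bind_image(master_key: bytes, serial: bytes, firmware: bytes) -> dict:
    """The image actually flashed at the vendor: the firmware body plus a
    tag over (serial, firmware hash) under that device's key."""
    fw_hash = hashlib.sha256(firmware).digest()
    tag = hmac.new(device_key(master_key, serial), serial + fw_hash, hashlib.sha256).digest()
    return {"firmware": firmware, "tag": tag}


def device_boot_check(secure_key: bytes, chip_serial: bytes, image: dict) -> bool:
    """Boot-time check: recompute the tag from the key in secure storage and
    the serial fused into the chip, and refuse to run on any mismatch."""
    fw_hash = hashlib.sha256(image["firmware"]).digest()
    expected = hmac.new(secure_key, chip_serial + fw_hash, hashlib.sha256).digest()
    return hmac.compare_digest(expected, image["tag"])


def serial_handle(serial: bytes) -> str:
    """One-way hash of the serial; this is all the activation server ever sees,
    so an observer of the exchange learns nothing usable about the real SN."""
    return hashlib.sha256(b"activation|" + serial).hexdigest()


class ActivationServer:
    """Holds only hashed serials from the sales records; first activation wins."""

    def __init__(self, sold_serials):
        self.sold = {serial_handle(s) for s in sold_serials}
        self.activated = set()

    def activate(self, handle: str) -> str:
        if handle not in self.sold:
            return "rejected: no matching sale"
        if handle in self.activated:
            return "rejected: already activated"
        self.activated.add(handle)
        return "activated"


def run_demo() -> dict:
    """Walk one genuine unit and one copied unit through boot and activation."""
    firmware = b"example firmware body v1.0"  # constructed
    genuine_sn = new_serial()
    copy_sn = new_serial()
    key = device_key(MASTER_KEY, genuine_sn)  # programmed into the genuine unit's secure storage
    image = bind_image(MASTER_KEY, genuine_sn, firmware)
    tampered = {"firmware": firmware + b"-modified", "tag": image["tag"]}
    server = ActivationServer(sold_serials=[genuine_sn])
    return {
        "genuine_boots": device_boot_check(key, genuine_sn, image),
        # Same flash image on a unit with a different chip serial and no vendor key.
        "copy_boots": device_boot_check(b"\x00" * 32, copy_sn, image),
        # Even with the genuine unit's per-device key copied, the fused serial differs.
        "copy_with_same_key_boots": device_boot_check(key, copy_sn, image),
        # A modified firmware body no longer matches the tag.
        "tampered_boots": device_boot_check(key, genuine_sn, tampered),
        "first_activation": server.activate(serial_handle(genuine_sn)),
        "second_activation": server.activate(serial_handle(genuine_sn)),
        "unsold_activation": server.activate(serial_handle(copy_sn)),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The device-side check is only as strong as the secure storage holding the per-device key and the immutability of the chip serial, which is exactly the "secure storage" dependency noted in the post; the server-side check is independent of that and is what stops a second unit with a copied serial from ever being activated.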