– that is, make a product look like it is proprietary, and keep people from knowing you used open source. “At the very least don't advertise so someone can't find it on GitHub,” Richardson said, also strongly suggesting that designers remove the debug features and change the default identifiers on their open source hardware.
The other big key is in UEFI itself and providing secure field updates to firmware. “You really want to have firmware update in the field,” Richardson said. “The risk is someone can drop the wrong thing on the platform, such as hacked firmware or a slight variation that could brick a product by accident. The reward is if there's a bug or security hole on the platform you can patch it.”
Richardson advocated the use of the UEFI Capsule function being embraced by Intel and other organizations that allows for remote firmware updates without using third-party or OS-based utilities that could be hacked. In this model the firmware is responsible for authenticating its own updates – checking new versions of the firmware against the firmware already in place.
UEFI Capsule Update offers several benefits for designers. (Image source: Brian Richardson / Intel)
“If I trust the firmware then we can let the firmware be the root of trust,” Richardson said. “If you can't trust version 1 of your firmware not to be exploited you have a bigger problem than anyone can help you with.” Richardson also pointed to groups like Tianocore, a community built around the open-source implementation of UEFI, as a great resource for developers.
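The model described above, where the installed firmware is the root of trust and authenticates its own updates, can be sketched as follows. This is an added example, not code from Richardson, Intel or Tianocore: the `Installed` and `Update` structures, the demo key, the unpadded RSA stand-in for a real signature scheme, and the anti-rollback rule are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed demo key built from two Mersenne primes so the block runs with
# the standard library only. Unpadded RSA over SHA-256 is a stand-in for the
# signature scheme a real platform uses; never ship a key or scheme like this.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: vendor build server only


@dataclass
class Installed:            # hypothetical model of the firmware already in place
    version: int
    pub_n: int              # verification key baked into the installed image
    pub_e: int


@dataclass
class Update:               # hypothetical update package: version, payload, signature
    version: int
    payload: bytes
    signature: int


def digest(version: int, payload: bytes) -> int:
    # The version is hashed with the payload so it cannot be edited separately.
    h = hashlib.sha256(version.to_bytes(4, "little") + payload)
    return int.from_bytes(h.digest(), "big")


def vendor_sign(version: int, payload: bytes) -> Update:
    # Runs at the vendor, never on the device.
    return Update(version, payload, pow(digest(version, payload), D, N))


def firmware_accepts(fw: Installed, upd: Update) -> str:
    """Decision made by the installed firmware, not by an OS-side utility."""
    if not 0 < upd.signature < fw.pub_n:
        return "reject: malformed signature"
    if pow(upd.signature, fw.pub_e, fw.pub_n) != digest(upd.version, upd.payload):
        return "reject: signature does not verify under installed key"
    if upd.version < fw.version:      # assumed anti-rollback policy
        return "reject: older than installed version"
    return "accept"
```

Because the device holds only the public half of the key, a modified image or an edited version field fails the check before anything is written to flash.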
Ultimately it will be up to developers to decide if using open source is the right move. With the open-source hardware space growing and companies even beginning to offer open-source SoCs, it's likely that a lot more designers, particularly at the DIY and startup level, will be opting to leverage some sort of open-source hardware and software to help bring their product to market. “This is the Internet of Things, not the Internet of Thing,” Richardson said. So the question for developers is then, how do you propagate over the field? It's possible, as long as everyone keeps security first in mind.
Chris Wiltz is the Managing Editor of Design News.