The Risk of RISC-V: What's Going on at SiFive?
The Risk of RISC-V: What's Going on at SiFive?
A quick one for you. I have received reports, now from multiple sources, that the major torch bearer of the RISC-V platform, a company known as SiFive and formed from the original architects of the RISC-V instruction set, has gone through some major changes.
Ian Cutress muses upon rumors around SiFive, the forerunner of high-performance RISC-V cores.
I was expecting this to go into the direction of "China has inserted itself as a state level actor into the development of RISC-V, don't use it". That would've been ridiculous as the US has been meddling with chips for a long time and we still use their stuff. Having chip designs or instruction set architecture out in the open would give me much more confidence in a chip that anything AMD, ARM, Nvidia, qualcomm or whatever out there release.
Of course open ISA doesn't mean the resulting chip will be open, but it's a step in the right direction.
Indeed. We should also develop ways to detect sabotage in the design and manufacturing stages so a user can verify their chip doesn't have a backdoor
maintains the open-ness and customization that RISC-V offers
Thinking about cybersecurity: does this kind of open-ness mean that some evil guys could now design some evil behaviour into the hardware, and no scanner software will ever be able to detect it, because it is only a software scanner?
That sounds like lots of extra work, when current CPU manufacturers built that hidden space in already. Intel Management Engine is a great example.
security through obscurity is a bad practice.
it's better to be transparent and let everyone analyze your design. the more eyes on it, the better. even the proprietary and obscured Intel CPUs have had security vulnerabilities in the past.
I don't think it's so much "security by obscurity" as it's an issue of a much lower bar for chip production. Intentional back doors or malware represent a huge risk for a product line, so manufacturers won't put them in without someone like the NSA leaning on them. It's a simple risk/benefit calculation.
But the risk is much lower if you can snag a processor design off the 'net, make your modifications, send it off to a fab and sell it under a fly-by-night operation. If it's ever discovered, you take the money and run.
Do you mean that someone can take the design, place a hardware vulnerability and sell it? Sure, but this does not require RISC V to be possible, there are already vulnerable CPUs sold on the market. People have found such vulnerabilities already in reputable Intel CPUs for example (look up Spectre).
Dell iDRAC comes to mind as well.
Don't downvote this person, they're just asking a question.