On Wed, Jun 7, 2017 at 8:37 AM, Johnysecured88 via coreboot <coreboot@coreboot.org> wrote:
> What I don't understand is how this will matter. Releasing the source code won't mean that is the source code they are using for PSP. Think of it like an open source program with a compiled binary available. The only way to ensure the code is the code of the binary is to do your own compiling. But for a CPU that would mean... something much more difficult.
Does the PSP not load its code from SPI ROM (like the Intel ME)? If it did, and you could recompile the SPI image yourself, you could be reasonably sure that that's what it's executing after you flash it.
Even if the code is stored on the PSP itself and you have to upload it there through some runtime interface, releasing the source would be a start. Sure, you won't know whether the image you're uploading is really the one it's executing... but assuming they would release the whole source code and they use the same interface for official updates, it would at least be very difficult to hide some trickery there (in a way that still allows them to update the hidden parts without anybody noticing).