Project update 1 of 38
Why do we trust our computers? I’ve done a lot of thinking on this question. The answer, it turns out, is that we trust our computers mostly because we have no other choice. Most of us wouldn’t know how to check if a computer is constructed correctly; and those of us who do are overwhelmed by the millions of lines of source code and billions of transistors packed into a typical computer.
If you’re like me, this answer is dissatisfying. We want an evidence-based reason to trust a computer. Our private matters, finances, and personal safety should not be a matter of faith in entities who view us as monetization opportunities or as potential political enemies. Time and time again, corporations and governments have demonstrated their inability to put our interests before theirs; personal conversations and intimate moments inevitably become advertising targets or, worse yet, blackmail material.
Precursor is the first step on a journey toward an evidence-based trust relationship with technology. It is a hardware development platform designed from the ground-up to facilitate easy inspection while frustrating attempts to bury backdoors deep in the hardware. Despite being lab-friendly, it’s also pocket-ready: the system is fully integrated and can be carried around for every day use. Precursor is not merely a theoretical statement about openness, security and trust: it’s about translating first-principles into everyday practice.
Precursor embodies the principles of transparency, simplicity, completeness, and self-sealing. Let’s take a look at how each of these principles is reflected in the design of Precursor.
Transparency is the bedrock of trust. Understanding what makes a thing tick gives us an evidence-based reason to trust that it works as intended. Precursor is unique in that, instead of a fixed-function CPU chip, it implements its CPU as a design loaded into reconfigurable hardware – an FPGA. This means you can compile our reference CPU design from source and load the result yourself, instead of simply having to accept on faith that a black epoxy rectangle contains precisely the circuits it advertises. Furthermore, we are at liberty to introduce countermeasures against known and future threats in the silicon supply chain by re-designing and re-compiling our CPUs, rather than waiting for a new chip.
Simplicity addresses the reality of only having 24 hours in a day. Even though the full source code for the Linux kernel and Firefox is published, nobody has the time to personally review every release for potential security problems; we simply trust that others have done a good job, because we have no other choice. Precursor rolls the clock back to the early 2000s, when mobile computers were powerful enough to be useful for single tasks, yet simple enough that individuals or small teams could build them from scratch. But don’t worry: despite its simplicity, Precursor’s computational capability exceeds that of the Palm Pilot series. It’s more on par with a Nintendo DS, which is sufficient for core security tasks such as authentication, instant messaging, crypto wallets, and even end-to-end encrypted voice calls.
Trust should begin at your fingertips and end at your eyes. Screen grabbers and keyboard loggers mean that chip-only trust solutions, such as TPMs, SGX, and secure enclaves, are insufficient: a key sealed in silicon does nothing to protect a message that is captured before it is encrypted or after it is displayed. We need a complete, end-to-end solution. Private keys are not the same as our private matters, and until we can encrypt data directly to and from our brains, the "analog hole" will be a real problem. With Precursor, the complete loop of components from the keyboard to the display has been curated for transparency and simplicity, thus minimizing those attack surfaces that cannot be cryptographically secured.
“Three can keep a secret, if two of them are dead.” As Benjamin Franklin acutely observed, relying on trusted third parties to provision our keys is imprudent: self-sealing is the only way to keep a secret. Precursor requires no special tools, NDAs, or third-party expertise to provision the system with secrets: it can generate and seal its own private keys on-chip in a transparent and open manner. For an extra layer of tamper-resistance, the trusted elements of Precursor were explicitly designed to be potted underneath an RF shield with a specific two-part transparent epoxy. Requiring no specialized equipment and only a few minutes of effort, this process seals up all the test access ports while reducing side-channel emissions at the same time. Done properly, the potting process raises the bar for key extraction: an attacker must make a tamper-evident modification to the hardware, and doing so requires specialized equipment and/or training.
Precursor is the end result of navigating a bewildering array of security and supply chain trade-offs. It is an embodiment of the principles of transparency, simplicity, completeness, and self-sealing. Precursor transforms the difficult problem of evidence-based trust in computers into a "simple" matter of programming: all that’s missing is your application code. To learn more about Precursor’s specifications, please visit our campaign’s pre-launch page, and subscribe to updates so you can take advantage of the early-bird pricing we will offer when the campaign goes live.