6.5.12 · D5Advanced & Emerging Architectures
Question bank — Open hardware ecosystem (OpenRISC, OpenTitan)
Before we start, one word we lean on: a black box means a component you can use but not read — you see its inputs and outputs but not its internal design. "Open" is the opposite: you can read the design source (RTL) itself.
True or false — justify
Open ISA implies the chip built from it is open.
False. An ISA is only a specification (the software–hardware contract, like the rules of chess); a fully proprietary, closed core can implement an open ISA, so ISA-openness never guarantees silicon-openness.
If OpenTitan's RTL is public, then its secret keys are public too.
False. Only the design is published; the per-device secret keys live in fuses burned at manufacture, never in the RTL — this is exactly the "keys secret, design open" split from Kerckhoffs's Principle.
Publishing a security chip's design makes it less secure.
False. Attackers reverse-engineer chips anyway (decap plus electron microscopy), so secrecy buys almost nothing; publishing lets defenders audit for backdoors, so transparency is a fire alarm while obscurity is only a speed bump.
OpenRISC and RISC-V are the same ISA with two names.
False. They are two different, incompatible ISAs — OpenRISC/ORBIS came first (~2000), RISC-V (Berkeley, ~2010) later, and their binaries are not interchangeable; OpenTitan actually uses RISC-V (Ibex), not OpenRISC.
A hash alone in secure boot proves the boot image came from the real vendor.
False. A hash proves integrity (the image wasn't altered) but not authenticity; an attacker who swaps both image and its stored hash defeats it, which is why a signature binding the hash to a vendor-only private key is required.
Every RISC-V phone SoC is open hardware.
False. Such an SoC is typically open only at the ISA layer; its microarchitecture, RTL and layout are usually proprietary — openness is per-layer (ISA / RTL / toolchain), and most commercial parts open only the first.
In OpenRISC, the address of the next instruction can be computed without decoding the current one.
True. Because every instruction is a fixed 32 bits, the fetch unit sets unconditionally, so no decode is needed just to find the next instruction's start (unlike variable-length x86).
A Root of Trust can be trusted even if it's a black box, as long as it's from a big vendor.
False. Everything above the Root of Trust trusts it implicitly, so a hidden backdoor there invalidates all higher layers — and you cannot verify the absence of a backdoor in a design you can't read; auditability is the whole point.
Spot the error
"OpenTitan is secure because its circuit design is kept secret from attackers."
The error is "kept secret" — OpenTitan's RTL is published. Its security rests on secret keys in fuses and on collision-resistant hashing, not on hiding the design (Kerckhoffs's Principle).
"Since SHA-256 outputs 256 bits, an attacker needs about tries to forge a colliding boot image."
The error is the exponent. Collision-finding follows the birthday bound for , not — still infeasible, but the correct reasoning is half the bit-length.
"The public key that anchors secure boot is stored in normal rewritable flash so it can be updated."
The error is "rewritable flash." The anchoring key sits in one-time-programmable fuses precisely so an attacker cannot rewrite it and substitute their own trust anchor.
"OpenTitan runs the mor1kx core."
The error is the core name. OpenTitan's CPU is Ibex, a small RISC-V core; mor1kx is the flagship OpenRISC core — different ISA family entirely.
"A 6-instruction OpenRISC routine occupies 24 bytes, and one of those instructions could be 2 bytes to save space."
The second clause is wrong. OpenRISC is fixed-width: every instruction is exactly 4 bytes, so all six are 4 bytes and there is no variable-length shrinking as in x86; holds only because the width is uniform.
"Because RISC-V is an open ISA, anyone can fabricate the Ibex core royalty-free."
The error conflates ISA-openness with RTL-openness. You can fabricate Ibex royalty-free because Ibex's RTL is open-licensed — the openness of the ISA alone would not grant you any implementation to build.
"Linus's Law (many eyes find bugs) can't apply to hardware because chips are physical."
The error is "can't apply." The law operates on the design source (RTL), which is text like software; publishing RTL lets many reviewers find flaws before fabrication, so the principle transfers directly.
Why questions
Why is hiding the design especially harmful for a Root of Trust, more than for other chips?
Because everything booted afterward trusts the RoT unconditionally, an undetected backdoor there compromises the entire system, and you cannot audit for it in a black box — so for the most trust-bearing part, transparency is a necessity, not a luxury.
Why must secure boot use a signature rather than storing the whole trusted image inside the chip?
Storing every future image is impossible (they get updated after manufacture and are far too large for fused storage), so instead the chip stores only a small vendor public key and verifies each new image's signature against it — trust is anchored in a key, not in a copy.
Why does a fixed instruction width make the fetch stage cheaper?
With every instruction the same size, the address of the next one is a constant addition (), needing no decode of the current instruction; variable-length designs must partly decode an instruction just to learn where the next begins.
Why does open hardware improve longevity of a design?
Because the RTL is freely licensed and published, the design survives even if its originating company folds — anyone can keep maintaining, re-fabricating or forking it, so it is not tied to one vendor's lifespan.
Why is the birthday bound and not the relevant number for boot-image collisions?
An attacker seeking any two images with the same hash exploits pairwise matches among many trials, so the expected first collision appears at about candidates — far fewer than the needed to hit one specific target hash.
Why isn't "open ISA" enough to let you audit a shipping chip for backdoors?
The ISA only specifies behaviour (what instructions mean), not the implementation; a backdoor lives in the microarchitecture/RTL and layout, so you must have the RTL and layout open — not just the spec — to audit the silicon.
Edge cases
If a hash function's output were only 1 bit wide, would a boot-image collision still need effort?
Yes by the formula (), meaning ~1–2 tries — which correctly signals that tiny hashes are useless: security depends on being large (256), so the birthday bound becomes astronomically big.
What happens to the chain of trust if verification of stage 's signature fails?
The Root of Trust refuses to hand off control to stage , so the boot halts (or falls back to recovery) rather than running unverified code — the chain is only as long as the last successfully verified link.
Can a chip be open at the toolchain layer but closed at the RTL layer?
Yes — the three layers are independent, so you might have an open compiler/simulator targeting a completely proprietary core; openness of one layer says nothing about the others.
Is it possible to build a fully closed chip that still runs standard RISC-V software?
Yes. Because RISC-V is only a specification, a vendor can implement it with secret RTL and layout; the software runs fine (the ISA contract is honoured) while the silicon remains a black box.
What if an attacker replaces the fused public key itself?
They can't on a properly built device — the key sits in one-time-programmable fuses that physically cannot be rewritten after burning, so the trust anchor is immutable; this is the boundary condition that makes the whole chain rest on hardware, not software.
If two different boot images happened to share the same hash (a collision existed), would secure boot still catch a swap?
No — the measurement would be identical for both, so the signature check would pass for the malicious image too; this is exactly why collision-resistance of the hash is a hard requirement, not a nicety.
Recall One-line self-test before you leave
Where does the security of an open RoT ultimately live? ::: In the secret keys held in one-time-programmable fuses, plus collision-resistant hashing and vendor signatures — never in secrecy of the published design.