The main thing you need is for the lowest-level code to be open and replaceable/patchable because it's the only part which is actually specific to the device. Windows running on Core Boot is a better place to be than custom Linux running on opaque blob, because in the first case you can pretty easily get to newer Windows, vanilla Linux or anything else you want running on Core Boot after the original version of Windows goes out of support, and you can update Core Boot, whereas the latter often can't even get you to a newer version of Linux.
Modern coreboot depends on opaque blobs on CPU (FSP/ACM on Intel) and auxiliary processors (ME/PSP), but AMD is moving in the right direction with OpenSIL host firmware. Arm devices have their own share of firmware blobs.
A decade of security updates for routers would require stable isolation between low-level device security and IoT vendor userspace. In Sphere, the business model for 10 years of paid updates was backed by hardware isolation. Anyone know why it didn't get market traction? There was a dev board, but no products shipped.
Oh gee. Maybe because no one sane looks at an industrial product adversarially built to confine and prevent the end user from doing anything to it and wants anything to do with it? It isn't rocket science. If I can't buy it and get a damn manual and programming tools to twiddle all the bits, I'm not adopting. Not even at gunpoint, or if you're the last supplier on Earth. I won't be held voluntarily hostage because a bunch of corporate types, and bureaucrats decided to work together to normalize adversarial silicon. Multiply by everyone I know, and anyone with enough braincells to rub together to pattern match "regulatory capture" and "capitalist rent seeking". You can call me a bore if you want. The incentives are completely unaligned, as this place is so fond of saying. End user adoption is built on faith in product. End user capacity to have faith in the product is based on the capability of the technically savvy purchaser to keep the thing running, repair, understand, and explain it to the non-technically savvy. I look at adversarial silicon isolating me from the hardware; I have to sound off-my-rocker to my non tech-savvy friends family to actually explain that yes, there are industrial cabals out to keep you from doing things with the thing you bought.
It doesn't make any business sense, or practical sense whatsoever. Don't bother quoting regulations that demand the isolation (baseband processors and radio emission regulations) at me. Yeah. I know. I've read those too.
Get over business models that require normalized game theory, and we can talk. Until then, enjoy never having nice things catch on. Hint: your definition of "nice" (where I can't control how it works after purchase) is mutually exclusive with things I'm willing to syndicate as "nice". Nice people don't manipulate others.
> If I can't buy it and get a damn manual and programming tools to twiddle all the bits, I'm not adopting.
Hence the isolated device security hardware should be an open standard with FRAND licensing. If devices ship with a prepaid commercial license for 10 years of device security updates from BIG_CO, the default commercial baseline would be raised independent of IoT vendors. Tech-savvy users could then have the option to replace the device security layer with the OSS _or_ competing commercial stack of their choice.
