pjc50 3 days ago

I don't follow this - the software must necessarily run on some hardware, so while the software may be provably secure that doesn't help if an attacker can just pull key material off the bus?

formerly_proven 3 days ago

Soldering wires to LPC is not a software threat model

immibis 2 days ago

But it is a threat model. "This system is unhackable, if the user doesn't do the thing that hacks it" is not very useful.

bccdee 2 days ago

Okay, nothing is secure against every threat model. The only way to secure against rubber hose cryptanalysis is by hiring a team of bodyguards, and even that won't protect you from LEOs or nation-state actors. Your threat model should be broad enough to provide some safety, but it also needs to be narrow enough that you can do something about it. At a software level, there's only so much you can do to deal with hardware integrity problems. The rest, you delegate to the security team at your data centre.

> "This system is unhackable, if the user doesn't do the thing that hacks it" is not very useful.

It's the best you're gonna get, bud. Nothing's "unhackable"—you just gotta make "the thing that hacks it" hard to do.