This is your chance to chat with Colin O'Flynn about Hardware Hacking

Make sure to watch Colin's talk: https://www.embeddedonlineconference.com/session/Hardware_Hacking_Hands_On

13:15:32	 From  Stephane Boucher : Feel free to use the chat system to ask your questions if you'd rather not go 'live'..
13:15:40	 From  Glenn : My microphone is not working today, so am sending this question by text instead:   There's been a lot of marketing of TrustZone for ARMv8M (Cortex M) recently by ARM and its licensees such as NXP, Microchip, Nuvoton, etc. This has included webinars, sample code, etc.   I think TZ for v8M is great, but the training materials by ARM and their licensees often promote TZ as being easy to program when it is actually quite difficult to do correctly. You really need security experts on your team to do a good job with implementing TZ correctly. Without that expertise, I'm worried the TZ marketing and training will give a false sense of security to developers who think they're adopting TZ but actually have implementation bugs.  I'm curious what the panel thinks about this, and what can we do as a community to provide more training resources for the embedded community to teach security at a more in-depth level ?  Thanks!
13:23:45	 From  David Long : I think TrustZone and PSA are part of a solution to designing in better security but they are not the complete solution. You can still create an insecure system if you not understand what you are doing! For example, doing AES in software can still be susceptible to side channel attack
13:23:54	 From  Glenn : Thanks for the answer, and cute baby sound! :-)
13:24:42	 From  mehdi : Hey. I have two questions:
1- I saw some videos of Colin opening ECUs. So my question is targeted at the automotive cybersecurity: What do you see as the most important secure hardware design best practices for an ECU?
From simple things (like disabling certain interfaces in the production version, like JTAG or any other read-only interfaces) to more advanced (like using a TPM)

2- How would you envision implementing hardware supply chain security in a company? I mean it would be impossible to make sure all the sourced devices are secure/safe/trusted (or not tampered with).
What practical method or solution would you suggest for a small company?

Thank you
13:33:07	 From  David Long : How significant do you think the new ETSI EN 303 645 standard for consumer IoT Security will be? The UK government today announced a forthcoming law to implement some of its features. Will this prevent the most common security issues in the next generation of IoT products?
13:33:28	 From  mehdi : Thank you very much.
One more question if I may: have you seen successful use of formal verification in hardware companies for commercial products?
Like verification of FPGA code (as an example)
13:41:20	 From  Alex Phone Cam : holy crap
13:41:30	 From  Colin O'Flynn : https://en.wikipedia.org/wiki/Muddy_Waters_Research
13:44:26	 From  Philippe Teuwen : Hi Colin, any new hw tools in your R&D pipeline to show ? (I jumped in the middle, just ignore me if you already talked about it) 
13:48:36	 From  mehdi : What about your upcoming book? Is it still planned for December 2020?
13:49:22	 From  mehdi : Amazon Germany says December :)
13:50:09	 From  Remco Stoutjesdijk : Loving the products you make available. Looks like lots of time went into it. Did it make any money for in the end, or was it only good for exposure?
13:58:38	 From  Phil Martel : thanks!
13:58:41	 From  Colin O'Flynn : On secure deivces - https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/09/secure-device-manufacturing-supply-chain-security-resilience-whitepaper.pdf
13:58:44	 From  Glenn : great!
13:58:46	 From  David Long : Thanks!
13:58:47	 From  Philippe Teuwen : Thanks!! bye
13:58:51	 From  Alex Phone Cam : thanks Colin!
13:58:58	 From  Colin O'Flynn : https://www.youtube.com/watch?v=fNw1IMKWwjI
13:59:05	 From  mehdi : Thanks