> Is the vendor always trustworthy? I agree with you. But the thing is that we already bought the device. It says on the label that the device does A and only A at time x when we bought the device. The question is do we need to add more trust than that to the equation.
If we look at security as a function we are trying to maximize, we already introduced one axiom, that device does A and only A at time x. By putting the firmware in ROM instead of fixing it with a hash we are introducing a new axiom. That our previous axiom is time invariant. Also consider this: Device comes with firmware A 2015. The vendor creates an update B. In 2016 the same device comes with firmware B. You were happy with the device in 2015 but your laptop was stolen or broke. So you buy the same device in 2016. That is a hidden firmware update. How is that different than knowing that you updated your firmware? In this case you simply pretend that you have not updated your device, but the truth is - you really don't know. So the more axioms (assumptions) our security is based on - the weaker is the house of cards we are building. But I'm totally fine with burring this discussion.
