A few weeks ago, when I thought the ‘golden image’ in NIST SP800-147’s Provisioning phase required source access to the firmware, the below story would be an example of the only way vendors would get access to the source code to their closed-source firmware:
However, as clarified in email ‘interview'[1] with Andrew of NIST, the ‘golden image’ can also be a closed-source blob, in which case we’re supposed to *TRUST* the vendor. Now that “cyberwar” is a mainstream topic, governments will likely not trust closed-source blobs from foreign countries much anymore, at the firmware, operating system, or application level. But consumers don’t have the pressure that governments do, so we get to continue to *TRUST* the vendor, and the PKI backing the firmware, most of the keys of which we cannot verify, no acts of good faith from vendors to non-government players. 😦
[1] https://firmwaresecurity.com/2015/10/13/interview-with-andrew-regenscheid-of-nist/
Firmware Security 