You are not the only developer in the world. You need an RP2350 with the security issues fixed, which is fine. For many others, the errata mitigations and requirement for physical access mean the current stepping is good enough. It's also good enough for the CRA which requires security when the devices are online, and there are no issues with the security in that area as of right now.
It seems that is where we have differing perspectives.
The requirement isn't to be bulletproof against physical access.
For products I was involved in developing, which were sold to the public and industry, it was always physical access attack which was the greatest threat, that clone manufacturers would extract our software, sell a cloned product cheaper than we could, and put us out of business.
FTDI and Saleae are notable victims of cloning and I am sure others have been too. Arduino, being open source, almost folded because it was so easy to produce cheaper clone products and that's what most chose to buy.
There have also been those products which were sold below cost, in the hope of subscriptions or post-sales purchases allowing break-even, whose makers found those products being hacked by owners to do something else and received lower revenue than expected.
Then there's the more esoteric threat of 'take it away, hack it, then put it back' for other products, or replace it with an already hacked version.
So I do see being secure given physical access as a necessity. "Secure so long as no one gains physical access" is not a level of secureness those I was working for would accept for the products I developed.
Statistics: Posted by jamesh — Thu Mar 20, 2025 12:09 pm