@swiley they usually let you import keys into the chip but no way to get them out of the chip.
So you need more than a SoC where all you'd have to do is update the OS and you could get the key out.
@freemo Most modern SoCs let you burn a hash of the second stage bootloader into OTP on chip memory. You can use that to prevent OS updates.
@swiley There are all sorts of potential attacks I wouldn't want to mitigate with my own. I'd much rather use something that has been tested by a large number of people using known approaches. Not that I trust it either, the NSA probably have some backdoors in a lot of shit. But I'd trust it more than something I just whipped up where I am the only consumer.
@freemo I'm more worried about backdoors the developer themselves put in than the NSA.
@swiley Yea but those are probably much easier to catch too.
@freemo Aren't those "security chips" just CPUs that sign things and don't let you import/export the keys?
The only difference here is how big the hardware holding the keys is.