I don't think you understand what the HSM does. By design, the HSM's secret keys cannot be extracted. Not by the physical possessor of the HSM, nor the manufacturer, nor designer. That is the whole point of using an HSM for this. A subpoena cannot compel the impossible.
Nearly all HSMs that store an arbitrary number of keys can be compelled to dump those keys via a special firmware update from the manufacturer of the HSM, or at very least remove checks to allow it to be used as a decryption oracle.
Apple was able to say no, because they weren't in physical possession of the HSM, which meant that they couldn't be subpoenaed for information that wasn't actually in their possession, but a judge wouldn't look as highly on google's case.
The firmware on these chips erases the keys before applying firmware updates. I encourage you to read the detailed information available rather than just making assumptions about it, or even just the short blog post I linked which states this explicitly.
In the San Bernadino case the FBI had physical possession of the HSM, so Apple could have attacked it physically. That's not related to the reasons why the FBI gave up on that case.
> The firmware on these chips erases the keys before firmware updates. I encourage you to read the detailed information available rather than just making assumptions about it, or even just the short blog post I linked which states this explicitly.
I read the blog post _and_ the third party security audit. The audit only documents that rogue actors within Google would leave a attestation trail if they tried to push malicious firmware and be noticed by Google proper. My concern isn't rogue actors but Google itself. Additionally the Titan chip in my pixel has received firmware updates without wiping it's storage.
> In the San Bernadino case the FBI had physical possession of the HSM, so Apple could have attacked it physically. That's not related to the reasons why the FBI gave up on that case.
Right, so the legal distinction between "we want a piece of information in your possession that you have decided to lock from yourself" versus "we want your help receiving information that we have in our possession but can't access" is a very very big difference from a warrant perspective.
The audit report does not explicitly state that the keys are erased on firmware update, but malicious firmware updates were specifically in scope for the audit, and this specific attack was not raised as an issue, and the blog post explains why. The Titan chip in your Pixel is not running the mentioned custom firmware that erases the keys on update (and malicious firmware updates to the HSM in the phone were not in scope for the audit).
It is not at all clear that the FBI would have lost if they had continued to pursue Apple in the San Bernadino case. The distinction you are drawing is not as clear cut as you think it is.
When a core piece of their security model isn't backed up by the third party audit that they literally are presenting as "don't trust us, we have a audit covering this" (and the auditors did look at how google protects against malicious firmware updates, hence their attestation comments), _and_ when that would leave them being unable to update these modules without wiping everyone's backups, _and_ the auditors found security bugs that required a firmware update, _and_ literally the same chips are updated without wiping when against a threat model that has a better argument for wipes on update, I'm sorry I just don't believe the blog post.
Bringing this back to the original point though, just using an HSM doesn't automatically mean that the manufacturer of the HSM can't access the keys.
