Arm responded that they had discussed this issue and decided to soon start providing checksums for any binary image made available outside of their secure partner delivery hub.
Rockchip acknowledged the possibility of firmware containing malicious code, but they believe it is the user's responsibility to distinguish between authoritative and malicious sources.
Moreover, although Rockchip claims that they do not use GitHub to distribute their firmware, there are 41 downstream references to their GitHub, where the GPU MCU firmware is hosted.
We are currently discussing with Rockchip the risks of someone creating a deceptively similar account name (e.g., JeffyCN vs. JefffyCN; the former is Rockchip's official account hosting the MCU firmware).
MediaTek responded that it should be Arm's responsibility to provide an authoritative way to verify the GPU MCU firmware.