
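Original: Chinese version
To our valued customers:
Recently, there have been reports that certain Cavium products contained a “backdoor” for use by the US National Security Agency (NSA). We assure you that neither Cavium nor Marvell has ever intentionally added or retained any vulnerability or backdoor in our products.
Our products implement a suite of standards-based security algorithms such as AES, 3DES and SHA. Before 2014, some of our software libraries included a random number generation algorithm called Dual_EC_DRBG. At the time, this algorithm was one of four officially recommended by the US National Institute of Standards and Technology (NIST), and our products implemented it. In 2013, however, the New York Times, The Guardian and ProPublica reported that the algorithm contained a backdoor for use by the NSA. After we learned of this potential issue, Cavium removed the algorithm from its software libraries and has not included it in any product shipped since.
Importantly, the Dual_EC_DRBG algorithm was included in the software libraries for some of Cavium's chip products, but not in the chips themselves. Therefore, although Cavium provided this algorithm library (as it did many other algorithms), the final choice of and control over the algorithms used was managed by the equipment vendors that integrated our products into their system-level products. Many companies, not only Cavium, implemented the NIST standard algorithms, including this one. In fact, according to NIST's historical validation data, before the algorithm was removed, about 80 different products containing semiconductors from different vendors implemented it through some combination of hardware, software and firmware.
LiquidSecurity, Marvell's cloud-optimized hardware security module (HSM) adapter, is a system-level product provided by Marvell, and previously by Cavium, and these products have never included or implemented the Dual_EC_DRBG algorithm.
At Marvell, and previously at Cavium, maintaining the integrity and security of our products is paramount, and we continually invest in rigorous validation and updates. Although we believe our actions eliminated this particular vulnerability, new vulnerabilities may be created and exploited. We have therefore established robust processes to identify and address potential vulnerabilities in our chip designs and firmware.
We assure you and our other partners that our products have been rigorously designed and tested to deliver outstanding security and performance.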
Original: English version
To our Valued Customers:
Recently, reports have surfaced alleging that certain Cavium products included a “backdoor” for the National Security Agency (NSA). We assure you that neither Cavium nor Marvell have ever knowingly incorporated or retained any vulnerability or backdoor in our products.
Our products implement a suite of standards-based security algorithms like AES, 3DES, SHA etc. Prior to 2014, some of our software libraries included an algorithm for random number generation called Dual_EC_DRBG. This algorithm was one of four officially recommended at the time by the US National Institute for Standards and Technology (NIST) that our products implemented. In 2013, this algorithm was reported by the New York Times, The Guardian, and ProPublica to include a backdoor for the NSA. After we learned of the potential issue, Cavium removed this algorithm from its software libraries and has not included it in any product shipped since then.
Importantly, the Dual_EC_DRBG algorithm was included in some of Cavium’s software libraries for our chip-level products, but not in the chips themselves. As a result, while Cavium provided this algorithm (among many), the ultimate choice and control over the algorithms being used was managed by the equipment vendors integrating our products into their system level products. Many companies, not just Cavium, implemented the NIST standard algorithms including this algorithm. In fact, according to NIST’s historical validation data, approximately 80 different products with semiconductors from different vendors implemented this algorithm in some combination of hardware, software, and firmware before it was removed.
LiquidSecurity, Marvell’s cloud-optimized Hardware Secure Module (HSM) adapter, is a system-level product provided by Marvell, and previously Cavium, and these products have never included or implemented the Dual_EC_DRBG algorithm.
At Marvell, and previously at Cavium, maintaining the integrity and security of our products is paramount, and we continually invest in rigorous validations and updates. Although we believe our actions eliminated this particular vulnerability, new vulnerabilities may be created and exploited. Therefore, we have created robust processes to identify and address potential vulnerabilities in our chip designs and firmware.
We assure you and our other partners that our products have been rigorously designed and tested to deliver unparalleled security and performance.
Sincerely,
Raghib Hussain
President, Products & Technologies
(Previously co-founder of Cavium)
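Marvell caught in the crossfire
It spent 6 billion in 2018 to acquire Cavium
That same year it restructured and dropped the Xpliant switch product line
Unexpectedly, 5 years later it is implicated again over ARM multi-core processors

Appelbaum, an expert who studies the Snowden affair,
in his doctoral thesis last year
mentioned that so-called Cavium CPUs contain a backdoor
and therefore called for the Snowden archive to be opened to academic researchers

In fact, Marvell
has already abandoned the general-purpose ARM multi-core market
ThunderX3 made a stunning debut but vanished as quickly as fireworks

At present only OCTEON,
with years of experience in the acceleration-engine market,
is still in its prime in the DPU market

I. Investment: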


