
How is the authenticity and integrity of the various chips inside laptops and mobile phones ensured by their vendors?

Çağlar Arlı


Modern laptop and mobile phone platforms are built around a main, beefy SoC, which generally supports Secure Boot for its firmware and also has a unique hardware identity used to attest to a remote management system that it is genuine and has not been tampered with. Yet there is a plethora of other chips, many coming from a third party relative to the SoC vendor or platform vendor, that may be tampered with in the supply chain or in a repair shop, either by replacing their firmware with a malicious one or by replacing the chip altogether. Examples include NVRAM chips, chipsets, 4G/5G modems, DSPs, audio chips etc., and I won't even mention the PC-world mainstays of GPUs, SSDs, network cards etc.

There are a few industry initiatives that promote or require that such chips be authenticated and, preferably, have their firmware integrity attested, such as OCP Cerberus, Google Titan, DMTF SPDM, NIST SP 800-193 etc., but they seem to be more common in the server domain. Some vendors even interpose a platform Root of Trust (RoT) they control in the loading of these third-party components' firmware, to make sure no unverified firmware can even reach them.
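To make the two mechanisms above concrete (chip identity attestation and an RoT gating firmware loads), here is a simplified model written for this page; it is not code from any of the named initiatives or vendors. It assumes, as constructed values, that each chip holds a per-device secret provisioned at manufacturing, that the platform RoT holds a copy of that secret plus a manifest of approved firmware hashes, and that the chip answers a nonce challenge with its firmware measurement and an HMAC tag. Real deployments such as SPDM use device certificates and signatures instead of a shared HMAC key, but the checks the RoT performs (is the secret right? is the measurement approved? is the answer fresh?) are the same.

```python
"""Simplified model of third-party chip attestation by a platform Root of Trust.

Added illustration, not vendor or standard code. All secrets, firmware images
and the manifest below are constructed sample values.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple, Union

# Constructed firmware images standing in for real vendor blobs.
GENUINE_MODEM_FW = b"constructed modem firmware v1.2"
TAMPERED_MODEM_FW = b"constructed modem firmware v1.2 + implant"

# Manifest of approved firmware measurements. In practice this would reach the
# RoT under the platform vendor's signature; signature handling is omitted here.
TRUSTED_FIRMWARE = {
    "modem": hashlib.sha256(GENUINE_MODEM_FW).hexdigest(),
}

# Per-device secrets as provisioned by the chip vendor (constructed values).
PROVISIONED_SECRETS = {
    "modem": bytes.fromhex("11" * 32),
}


def measure(firmware: bytes) -> bytes:
    """Firmware measurement: SHA-256 over the image the chip is actually running."""
    return hashlib.sha256(firmware).digest()


class Chip:
    """A third-party component with a provisioned secret and loaded firmware."""

    def __init__(self, secret: bytes, firmware: bytes):
        self.secret = secret
        self.firmware = firmware

    def attest(self, nonce: bytes) -> Tuple[bytes, bytes]:
        """Return (measurement, tag). The tag binds the measurement to the
        challenger's nonce under the chip's secret, so a captured answer
        cannot be replayed against a later challenge."""
        m = measure(self.firmware)
        tag = hmac.new(self.secret, nonce + m, "sha256").digest()
        return m, tag


def verify_chip(name: str, chip: Chip, nonce: Optional[bytes] = None) -> str:
    """RoT side: challenge the chip, check identity first, then firmware integrity."""
    nonce = nonce or os.urandom(32)
    m, tag = chip.attest(nonce)
    expected = hmac.new(PROVISIONED_SECRETS[name], nonce + m, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return "identity_failed"      # wrong secret: replaced or counterfeit chip
    if m.hex() != TRUSTED_FIRMWARE[name]:
        return "firmware_mismatch"    # genuine chip running unapproved firmware
    return "ok"


def stage_firmware(name: str, image: bytes) -> bool:
    """RoT interposition on firmware loading: only manifest-listed images reach the chip."""
    return hashlib.sha256(image).hexdigest() == TRUSTED_FIRMWARE[name]


def run_scenarios() -> Dict[str, Union[str, bool]]:
    """Exercise the checks against a genuine, a tampered, a swapped and a replaying chip."""
    genuine = Chip(PROVISIONED_SECRETS["modem"], GENUINE_MODEM_FW)
    tampered = Chip(PROVISIONED_SECRETS["modem"], TAMPERED_MODEM_FW)
    swapped = Chip(bytes.fromhex("22" * 32), GENUINE_MODEM_FW)  # unknown secret

    # Replay: a previously captured genuine answer presented to a fresh challenge.
    old_nonce = b"\x01" * 32
    old_m, old_tag = genuine.attest(old_nonce)

    class Replayer(Chip):
        def attest(self, nonce: bytes) -> Tuple[bytes, bytes]:
            return old_m, old_tag

    replayer = Replayer(b"", GENUINE_MODEM_FW)

    return {
        "genuine": verify_chip("modem", genuine),
        "tampered_firmware": verify_chip("modem", tampered),
        "swapped_chip": verify_chip("modem", swapped),
        "replayed_answer": verify_chip("modem", replayer, nonce=b"\x02" * 32),
        "load_genuine_image": stage_firmware("modem", GENUINE_MODEM_FW),
        "load_tampered_image": stage_firmware("modem", TAMPERED_MODEM_FW),
    }


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario}: {result}")
```

The ordering in `verify_chip` matters: identity is checked before the measurement is trusted, because a measurement reported by a chip whose secret does not verify is just an unauthenticated claim. The `stage_firmware` gate is the simplest form of the interposition described above; it prevents an unapproved image from ever being handed to the component, whereas `verify_chip` catches the case where the component was replaced or reflashed out of band.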

Searching online for the approaches of top smartphone and laptop vendors, I noticed they largely focus only on the integrity of the main SoC (e.g. based on Google Titan mobile, Apple T2, HP ESC, Microsoft Pluton etc.) and don't do much to verify the other chips, especially if they're soldered to the motherboard.

So I would like to know if such chip authenticity solutions are also deployed in consumer devices, ideally with some real-world examples to understand their working principle. And if not, why not? Are the threats of replacing or tampering with the 3rd-party chips not that high?