
If I'm reading the statement correctly, they are unable to release the source due to an NDA with their hardware provider, which is at least a reason other than "it's not software under the Free Software definition".


You are indeed reading their statement correctly.


What would be the purpose of an NDA with the hardware provider? Surely not to hide it from GCHQ/NSA?! I imagine a company like Yubico has all of its employees on GCHQ/NSA lists and may even have cell tower simulators outside of its offices.

The NDA makes this even more suspicious. Who's the hardware provider? Huawei?


NXP makes you sign an NDA to use their secure stuff.

The purpose is anti-competitive, preventing NXP's competitors from learning how the devices work. These devices often have advanced hardware and firmware countermeasures.

The secure modules are considered weapons technology if they're allowed to be updated after sale; the company is responsible for tracking each one, they're impossible to ship overseas, etc.

It's not suspicious, it's SOP. Choose between open and secure, or make your own silicon.


Trade secrets are not 'anti-competitive'.


Pretty much all of the providers of secure hardware are like this because they're all reliant on security by obscurity. They rely on keeping secret things like their instruction set, register locations, what countermeasures against intrusion they have, etc., in order to make it harder for a hacker to compromise them.


> in order to make it harder for a hacker to compromise them

Keeping implementation details secret DOES make it harder for a hacker to compromise them, when used as a defence on top of a decent security infrastructure. "Security through obscurity" is when a company only uses the secrecy as a defence. This is not true:

> they're all reliant on security by obscurity

They're generally reliant on some secure and proven methods of security, with a layer of design obscurity over the top (and in practice as others have pointed out, they don't keep the design secret for security reasons, they do it for commercial ones).



