[rb-general] Crowdfunded 8086 audit
danielsh at apache.org
Mon Apr 1 12:24:25 CEST 2019
Orians, Jeremiah (DTMB) wrote on Mon, Apr 01, 2019 at 09:13:31 +0000:
> > Ultimately, nice though reproducible builds may be, if we are to avoid RoTT attacks we must have audited, verified hardware as well.
> Actually you need full lithography process control, which is what libresilicon is doing.
Of course! There will always be one more layer which we, to paraphrase
the adage, trust but do not verify. The goal of the exercise is not to
_extinguish_ the assumed-trustworthy base, but merely to reduce its
size. Ultimately, however, we _will_ need to audit the next layer as
well, just to keep up with attacks. I prophesy a vertical arms race
down the rabbit hole, culminating in an Internet wherein "heisenbugs"
will mean "bugs caused by Heisenberg's Uncertainty Principle".
> > Auditing the 8086 is a first step towards auditing modern-day CPUs derived from it, and will be separately useful as a "trusted platform" which can cross-compile reproducible binaries in order to establish trust in other platforms (see John Gilmore's post²'s footnote and David Wheeler's "Diverse Double-Computing" thesis³, for two).
> Not even true; Modern x86 processors have more in common with VLIW architecture than they have with 8086.
As you may have guessed, I'm not an expert on x86's ancestry — but I'm
open to instructions. If some other progenitor would be a better
starting point, we'll re-plan to use that one.
> > See the write-up⁴ for more details, but in a nutshell, for this to happen (and be useful), we need:
> > - To have native and cross builds produce the same output as each other.
> Already being done in MesCC, M2-Planet and mescc-tools
I know it's not a novel concept. I was just saying that old, dusted,
Web 1.0-ey concept will be separately useful here, in addition to the
uses we already know of for it.
> > - To acquire 8086s and have means of non-destructively auditing them.
> Not possible
Of course it's possible. The output of `date +%b\ %d` gives a complete
More information about the rb-general