The Full-Source Bootstrap: Building from source all the way down (adressing Ken Thompsons "Trusting Trust" problem)
2d 9h ago by feddit.org/u/HaraldvonBlauzahn in programming@programming.dev from guix.gnu.org
Here by the way is Ken Thompsons original paper:
https://css.csail.mit.edu/6.5660/2024/readings/trusting-trust.pdf
This is not a theoretical concept. He proved that by building a compiler that subverted Unix' login command.
Ultimately, you need to build your own CPU (and everything else) from discrete components (assuming the universe is not a malicious simulation, of course) and bootstrap on it by writing you first assembler in machine code (You ought to come up with everything from scratch, any exisiting designs might have subtle deliberate vulnerabilities). The actual question is at which point you're willing to risk a compromised supply chain, i.e. how far does your, quite warranted, paranoia go.
Ultimately, you need to build your own CPU
That's what RISC V is for.
And yes, there exist FLOSS BIOSes.
Yes and no. Buying a RiscV CPU has the same issues as buying an arm or x86_64, and building one from discrete components (which is absolutelt feasible, there's multiple people that have done it) still means you might recreate some subtle and deliberate flaw in the spec (How sure are you there is none? That is the whole question). And trusting a FLOSS BIOS over a proprietary one is just accepting a different trust level/anchor. My whole point was that ultimately you cannot perfectly trust anything you haven't designed and built yourself (and even that depends on this reality not being a malicious simulation; I am being serious), so you'll need to consciously decide what trade-offs, if any, you're willing to make.
While reproducible builds are a good thing, for a bunch of reasons the whole stack is built on top of someone else's microcode running on someone's CPU, running someone's BIOS, etc.
During an Linux Conf in Australia I attended a talk discussing the chain of trust and the point was made that when you buy something from a manufacturer, it is assumed that it comes to you unaltered, but the question is, how would you know?
In other words, you need to trust something somewhere and build on that.
If you'd like to see a working example of a backdoored compiler, because to compile something, you need to also trust your compiler, here's a good discussion and show and tell: