Skip to Content.
Sympa Menu

coq-club - Re: [Coq-Club] A verified bootstrapping computer (academic curiousity)

coq-club AT inria.fr

Subject: The Coq mailing list

List archive

Re: [Coq-Club] A verified bootstrapping computer (academic curiousity)


Chronological Thread 
    < Chronological >      < Thread >
  • From: Adam Chlipala <adamc AT csail.mit.edu>
  • To: coq-club AT inria.fr
  • Subject: Re: [Coq-Club] A verified bootstrapping computer (academic curiousity)
  • Date: Sat, 8 Jan 2022 14:12:40 -0500
  • Authentication-results: mail3-smtp-sop.national.inria.fr; spf=None smtp.pra=adamc AT csail.mit.edu; spf=Pass smtp.mailfrom=adamc AT csail.mit.edu; spf=None smtp.helo=postmaster AT outgoing-stata.csail.mit.edu
  • Ironport-data: A9a23:TqQIhKr0Iak/JTcoUbSgut0J5m1eBmJqZBIvgKrLsJaIsI5as4F+vmYXXD/XaPrYYTOmeognYYWy8kkOscWHmtcyGgtqpHs0Zn8b8sCt6faxfh6hZXvKRiHgZBs6tJtGMoGowPjZ/xYwnz/1WlTahSQ6hfHgqobUUraeYHgoHV88Ek/NtDo68wIHqt4w6TSGK1jV0T/Ci5W31G6Ng1aYAEpMg06wgE8HUMDJhd8tlgdWicanE7PpvyJ94Jo3fcldJpZjK2VeNrbSq+3rlNlV8o5FlirBBO9Jkp6jGqELarnPIQeJi3xZHrO+iwRL4Ccp26c/cv8ddQFahyjhc9JZkY8d88foD11vZPSU8Agee0Ew/yVWNKFP/bTvKmO2sMjVykzaNXbg3p2CCWlsZdZCor4paY1J3aVFcWtWBvyZvMq9x6v+Qe1xjOw4PczzNcUevGthxHfXF54brTrrV/2fuJkCyG5l3oYWCayLP4xAOWQxeE+VO1sSLghCIYwYt+KOqnnZUjR+lEizsfNvtjCXlBgZPKPFN8fJdduLQ8oQhVqRumuA9H/wAxVcMd2DjzeJ7xqRaib0tXuTcOov+HeQr5aGQWF/x1D/zDURSEe0pvi/hQulR9tDIgof4SMvqe439VDtQ9XgN/F9iBZooTZEM+e80cVjgO1O9kYQyw2CD2kACDtAdJoruNJeqfkCyAqSh92wbdBwmOT9dJ9en4t4aRu5IiEUKSkHZDNCQAcYizUmiOnfkTqXJute/GWJYhEZ1N0+L/1mbMTzulnLsfM26g==
  • Ironport-hdrordr: A9a23:la+z76p/5ND9TqdvQhGS+icaV5qQeYIsimQD101hICG9vPb4qynIpoV86faUskd3ZJhEo7q90ca7LE80maQY3WBVB8bAYOEJ0FHYUL2KrrGSvgEJIkXFh5FgPN5bAtZD4b/LbWSS/PyKhDVQSOxQueVvmZrA7YzjJjVWPGNXgsdbgDuRYTzrd3GeKjMpOXMRLuvs2uN34xShZFUKZYCBCnEeWe+rnaywqLvWJTAHGj864020gTmp8b73FAXw5GZkbxp/hZkj7EnYmEjD6q+iqvG2zQKZ/2Lf9JhNgrLau6t+Lf3JpMgJCynmzjylY4lsQNS5zUgInN0=
  • Ironport-phdr: A9a23:jvcUDR8OVAqLUv9uWc68ngc9DxPPW53KNwIYoqAql6hJOvz6uci4ZQqGuagm3QGBdL6YwsoMs/DRvaHkVD5Iyre6m1dGTqZxUQQYg94dhQ0qDZ3NI0T6KPn3c35yR5waBxdq8H6hLEdaBtv1aUHMrX2u9z4SHQj0ORZoKujvFYPekdm72/qv95DcYwhEiz6wbLJvJxiqsAvdsdUbj5F/Iagr0BvJpXVIe+VSxWx2IF+Yggjx6MSt8pN96ipco/0u+dJOXqX8ZKQ4UKdXDC86PGAv5c3krgfMQA2S7XYBSGoWkx5IAw/Y7BHmW5r6ryX3uvZh1CScIMb7S60/Vza/4KdxUBLmlTkJNzA5/m/UhMJ/gq1UrxC9qBFk2YHYfJuYOeBicq7Tf94XQ3dKUMZLVyxGB4Oxd5cCAPcbMuZdsoLwuVsOrR+/BQm0HuzvziVHjWLx0KIgzusuCwTG0xA7Et0Sq3TbttT1NKMIXeCwzanI0S/PYO1L1jfg8YXFdA0qrv6QU7xqa8XR1VUvGB3fjlWWsYHoPTCY2/oTv2WH8eZuVf6ihm05pgxwrDaixNkhh5TGiIwVyF3J+jh1zYY6KNO4R0N2ZcOpHIVRuiyYOIV7QswvTmd1syg50r0LoYO3cDYJxZg9yRPTd+aLf5aS7h79SeqdPS90iXBrdb6lmRq+7Eytxvf9W8S0ylpGszRJnsXKu3sQzRLc8NKHReF4/kq52TaAyQTT6uZcLEAziKrbN5EhwrkxlpoVvkTPBzT2mFnsg6+KbEoo4PSn6//9bbXnop+QLYp0igDiMqg0hMOwHPk4PhAPX2id5+u8yKXu8VDnTLhJlPE7nLXVvIrEKcgBuKK1HhNZ3p4m6xmlDjem1NoYnWMALFJAYB+IlZXmNEvLIP/kFvqwn0+sny1qx/DCJLHhB5TNLmTZnLj/YLl99lZQyBAvwtBH+5JUFrYBLervVU/2rdzUFwM2Mwipw+n8E9h9zYMfWWeXAqCDKq/SsFmI5vguI+aWfoMVtiz9eLAZ4KvlimZ8klsAd4Go24EWYTa2BKdIOUKcNFPgi9JJOmcOvxI3SOWi3FSOWDtYT32pVqM4oDQ6FMSrAZqVFdPlu6CIwCruRs4eXWtBEF3ZSR8AmK2PQP4NbGSXI9MnnzAZB+HJo2oJ3gqntQu8zrt7aOfY539A3XoC/N9o++LUlBc9sCdoBtiUlWqWRmBw2GYJW3k70L0t+SRA

Thanks for drawing attention to a worthy goal, which I think at least a few different research groups already have in mind, at least philosophically.

For such an effort, setting the goals properly can have a big effect on where it winds up.  I'm not sure it makes sense to ask to "minimize the TCB as much as possible at each step."  Rather, I'd expect that earlier stages are discarded as they are used to produce later stages, and the final stage can be used independently for self-validation.  So, shrinking the TCB in an earlier stage isn't necessarily a good deal, if it delays the completion of later stages.

There are plenty of high-impact proof-assistant developments that never could have been completed so soon if e.g. the original Coq team had decided to wait 20 additional years for the first release, to shrink the TCB as much as they could think up in brainstorming a project roadmap!

Also, I don't think this question has zero practical motivation.  I would hope that, 50 years from now, everyone takes for granted the existence of a repeatable process like you describe, leading to the systems they depend on.  And, even sooner, we should be able to run undergraduate courses that follow such processes toward more modest endpoints.

On 1/8/22 1:41 PM, Talia Ringer wrote:
Something that nerd-sniped me today: Suppose you are building a computer from the ground up, starting with building the hardware. You cannot use any other computers to build or verify anything; this is the only computer in the world, and you have only what you've built at each step. You have no languages, no operating systems, no compilers, no verification tools. All you can do is bootstrap.

Suppose you'd like to verify every single part of the hardware and software stack to the degree possible. It's OK (inevitable I guess) to start with unverified hardware, though, and replace it later with hardware you verify (has anyone done that? It sounds cool). You have two additional goals:

1) verify as much as possible at each each, and
2) minimize the TCB as much as possible at each step.

How would you go about this? What are the biggest conceptual barriers to this, if any? What is the smallest you can get the TCB at any step of the process, and in the end?

This is a purely academic and open-ended question, with zero practical motivation. It just sounds fun to think about and try, and like thinking about it might reveal interesting subproblems that actually have practical motivation.

Talia


Archive powered by MHonArc 2.6.19+.

Top of Page