Skip to Content.
Sympa Menu

coq-club - Re: [Coq-Club] A verified bootstrapping computer (academic curiousity)

coq-club AT inria.fr

Subject: The Coq mailing list

List archive

Re: [Coq-Club] A verified bootstrapping computer (academic curiousity)


Chronological Thread 
    < Chronological >      < Thread >
  • From: Sam Kuper <sampablokuper AT posteo.net>
  • To: coq-club AT inria.fr
  • Subject: Re: [Coq-Club] A verified bootstrapping computer (academic curiousity)
  • Date: Tue, 11 Jan 2022 14:03:49 +0000
  • Authentication-results: mail2-smtp-roc.national.inria.fr; spf=None smtp.pra=sampablokuper AT posteo.net; spf=Pass smtp.mailfrom=sampablokuper AT posteo.net; spf=None smtp.helo=postmaster AT mout01.posteo.de
  • Ironport-data: A9a23:SLFRR6g2iFWSnukdPV6q9Fb/X161MBEKZh0ujC45NGQNrF6WrkUPz2YXXzzXO63eYGKgKN4nb97gpE1TucLXmtNlGQI6pFhgHilAwSbnLYTAfx2oZ0t+DeWaERk5t51GAjX4wXFdokb0/n9BCZC86yksvU20buCkUrScY3koHVUMpBoJ0HqPpcZp2uaEvvDiW2thifuqyyHuEAfNNwxcagr42IrfwP9bh8kejRtD1rAIiV+ni3eF/5UdJMp3yahctBIUSKEMdgKxb76rIL1UYgrkExkR5tONyt4Xc2UPRaPOZVHIkn1NR6WlxBRPzsAw+v9rabxCNgEM1XPXwridy/0V3XC0YRwgO7XFkuAaUARAHjtWJapd5LLAZ36yraR/ymWfLiOznKs2UinaOqVBpbcsWTsQnRACExgGaQnGjOarypqgW+x0j4IiKtPqNcURoBldIZvxGa5zGtaeV/yfvZkAyG1l3oYUQKiAc5FMMXwyeEuVSgNpEVIxJJIave6OumPZZ2QA/QrR/b5fD3P7yQtszOC0dsLSYcCHQoNZky6lSqv91zyRKnkn2Ba3kFJpM05Ah9MjWQv+X58OTOT+7vlxnFCUgGAeYPHTfTNXvtHh4nNSmfoGQ6DXxsbqhbA171CmSZ/7UgHQTLusoEsHQ9QJewElwFjl90cXijp1wkAcSSVdZdtgssIqLdDv/jdlgPuxbQFSXHappb5xO1taQf5e+cTYEIPaWRI5cA==
  • Ironport-hdrordr: A9a23:PiUA5Kk5ss/FPoaQck/iE0TMtWHpDfLJ3DAbv31ZSRFFG/Fw8PrAoB1773LJYVkqKRIdcLy7WZVoIkmxyXcW2/hyAV7KZmCP0wGVxepZg7cKrQeBJwTOss9wkZppfcFFeabNJGk/ttzi6A20V+49zMWKtICk7N2uqEtFfEVQcbhp6wo8MAqBDUFsLTM2YaYRJd6n6tBcpzymPVQ7B/7LfkUtbqz4q8fQlJTgJToPHBwq82C1/EqVAaDBYn6l9yZbaS5G3PMZ8WbDmxHk/anLiYDf9iPh
  • Ironport-phdr: A9a23:JORxFhInfKwhdi05dtmcuNZmWUAX0o4c3iYr45Yqw4hDbr6kt8y7ehCFvLM00QaCDN2TwskHotKei7rnV20E7MTJm1E5W7sIaSU4j94LlRcrGs+PBB6zBvfraysnAJYKDwc9rDm0PkdPBcnxeUDZrGGs4j4OABX/Mhd+KvjoFoLIgMm7yf2+94fObwhImTaxbrd/IAmrpgjNq8cahpdvJLwswRXTuHtIfOpWxWJsJV2Nmhv3+9m98p1+/SlOovwt78FPX7n0cKQ+VrxYES8pM3sp683xtBnMVhWA630BWWgLiBVIAgzF7BbnXpfttybxq+Rw1DWGMcDwULs7Xims77pwSB/wligIKyI5/m/Qisx1lq1boRShrAF7z4PbZIyZMfxzdb7fc9wHX2pMRshfWSxfDI2hbIUPAeUOMvpFoIfypVQDtge+CAq2Ce/z1jNEmmL60Ksn2OohCwHG2wkgEsoTvnvOqdX+KaIcUf2tzKbW1zXIcvRb2Szn54jNahAuu+qDXbZ3ccrS1EkvDx3Kjk+LpIz9ODOVzfgNvHac7+Z6U+KglXInphh3rzOyycgilpPHiZgJylDY6yp52oA1KMW3RUN1YdOpE5Veui6UOoV5Qs4sTH9ktScnx7MItpC2fTQHxZYoyRPBa/KKc4qF7xbjWuiRLzp1h3Zoda6xihuz90Wr1+PyVs6x0FlQrypFlMHBt34M1xzQ68iHUuVy8Vqg2TmVzQzT7ftEIU8smarFMZIhzaM/m5wOukrABi/7gFj6gayWe0k+++Wl6f7rb7vnq5OGNoJ5ihnyP6cql8ClHOg1PQkDU3KF9eiiyLHv51D1TbtWgvAwj6LXqorVJd4Bqa68GwJV0pgs6xK4Dzq+1dQYmmQHLE5ZdB6alYTpI1bOIOvkDfihhFSgiipkyO7eMr3gBJXCMGTDna/8cbt+60NQ0gs+wNJF659aC7wNOvP+V0/puNzdFBA5Mgi0w+j9CNV604MTQXmPDbWcMKPKq1CH/eYvI+6PZI8IoDbyNeIl6uX2jX8+gl8dYbem3ZwNZHC+APtmP12VYWDwjdcZDWcKog0+QfT2h12FSD5ffmq9X6Yh5j4gE4+mFofCRoW1gLObxiu7H5tWZnpHCl+WC3voeZ+ECL8wb3eZJdYkmTgZX5CgTZUg3FegrlzU0b1ie9Hd/2U7qIruzpAh/OTWjRg48Tt3EtyQyUmVSHpok2ROQTIqivMs6Xdhw0uOhPAry8dTEsZesq8YOu/VHYbb1PB3DJb0Vx6TJ79hrX6+Rc66DDZ3SN8tkYdmi6dVHtK/kkiamTKtGKMYkPqHCc5smp8=
On Tue, Jan 11, 2022 at 01:50:16PM +1100, Jeremy Dawson wrote:
> On 11/1/22 12:49, Robert Solovay wrote:
>> What, precisely,  does TCB mean in these letters?
>
> I presume, trusted computing base.

Almost certainly.

https://en.wikipedia.org/wiki/Trusted_computing_base


> The bit that has got to work right.

The TCB has been variously defined.

I tend to think of it in the following terms, inspired by e.g. Joanna
Rutkowska, but others think of it differently:

The key point in understanding what a TCB is, is to make a
distinction between "trustworthy" and "trusted".

- "Trustworthy" hardware or software is formally verified to be
correct and secure (for appropriate definitions of those
terms...). As such, no leap of faith needs to be made in order
for a person to trust that it will perform accordingly.

Shrinking the *trustworthy* computing base may be sensible from
an efficiency perspective, but is not necessary from a security
or correctness perspective.

The TCB is not *trustworthy*.

- "Trusted" hardware/software - the TCB - by contrast, is not
formally verified to be correct. As such, a leap of faith is
required in order for a person to trust that it will perform
securely and correctly.

To the extent that a person trusts the TCB, this is by necessity
(e.g. not having access to a more trustworthy computing device)
or by ignorance, not by justification.

As such, eliminating (or at least shrinking) the TCB is
desirable from a security and correctness perspective. The
smaller it is, the fewer places for incompetent or malicious
properties to hide within it - and the lower the risk to its
users.

Projects like Sandsifter (an x86 processor fuzzer) illustrate just how
huge and hellish the TCB can be in today's computers.


> You design your software to make this as small and simple as possible.

Yes, and preferably your hardware too, cf. Talia's question.

Sam

--
A: When it messes up the order in which people normally read text.
Q: When is top-posting a bad thing?

() ASCII ribbon campaign. Please avoid HTML emails & proprietary
/\ file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.

Archive powered by MHonArc 2.6.19+.

Top of Page