On Thu, Jul 30, 2015 at 12:11 AM, Steve Kinney <admin@pilobilus.net> wrote:
staff, with particular attention to choke points where
That's not what I have in mind at all. Everything that touches the production process would have to be isolated and audited. In practical terms, that would mean bringing the computers in question in from offsite, with relevant software already installed and validated.
People talk a lot about refitting and auditing existing setups. There's a lot of inbred friction there so the cost to successfully do that vs. a complete ground up trusted rebuild may be roughly equivalent. Therefore if so why not just choose the latter?
In the context at hand, watching the whole thing play out would consist of directing the whole process one step at a time, per a procedure created in collaboration with the contractor's engineering and QA departments. Optical masks and/or equivalent data files would be handled by client personnel and retained for validation. The chips that pop out would be under very stringent property control, and quite a lot of them would be torn down and thoroughly analyzed "at home" to validate the run.
Still sounds like untrusted base, chicken and egg. http://s12.postimg.org/n93g4udql/DSCF0431_who_came_first.jpg
depends on how reliable the post-production tear down and analysis of end product components is considered.
A quote to the effect of "I do not care who votes, I only care who counts the votes" comes to mind.
And how do you propose to count the votes when your ballots are measured in square nanometers and your counting machines are all made by one secretive company and composed of anywhere between 1B and 6B untrusted logic gates? Did you ever hear Intel say "our own designs and fabs have no backdoors and we're not subject to backdooring"? Did you ever hear GlobalF say "we don't inject backdoors in customer silicon and we're not subject to backdooring"? Would it mean anything to you if they did? Would it make any difference if they offered you a field trip? Do independents actually think their one-off decap validation project proves or gives odds on the entire line and distribution chain? And when was any Intel / AMD CPU last publicly decapped and fully audited? 8088? Never?
This is old school TCSEC / CC applied to manufacturing.
then it is not possible to build a trusted CPU.
You watch while... I collect wood and ore and smelt into axe, you trust axe. I split tree and assemble hut, you trust hut. I put wheel in water and make mill, you trust flour. I give you magical computer before I make abacus, you throw in river and order me make abacus first. Eventually trusted CPU is made.
I think that in the engineering and business worlds, trust is always a point on a cost curve.
I'd have more trust in some kid to not destroy my lawn with the mower for $10 than some company for $50. Govt contracts seem to deliver more debt than trust and are a prime example that trust and cost are separate. If not, then the HUNDREDS OF BILLIONS governments spend a year would have resulted in 5 9's of trust decades ago. But no, they can't even keep OPM secure from crackers, let alone backdoored CPUs they import from Malay fabs. Put well under 1/100 of that pie a year for a few years into a trusted open fab project and I'd bet you can get "Beyond A1" consumer gear out the other end at tolerable prices. Don't forget to charge 10+ times more for government jobs :)