First of all, I've always thought that Thompson's paper was 
excessively defeatist. It should be possible to bootstrap an open 
source C++ compiler from a simple C subset and then have several 
groups independently produce subset C compilers in assembler code. Or 
compile it on ancient machines, e.g. PDP-11 using original compilers. 
The bad guys can't have anticipated that far ahead.

[You sound like Hilbert, hoping that the consistency and completeness
of the Principia could be proven using "only" finitistic
methods. --Perry]

Having said that, perhaps the Open CPU requires open CAD software as 
well. It should be possible to verify masks against the design and 
physical chips against the mask.

Finally, I wonder if it might be possible to implement a RISC CPU on 
an FPGA. It might even be possible to write a CPU generator that made 
layout choices at random so that it would be unlikely that any two 
FPGA CPUs would have the same layout. This would make it hard to build 
a trap door into the FPGA itself.

Arnold Reinhold

At 6:58 PM -0700 9/19/99, John Gilmore wrote:
> > On the other hand, having the actual CPU source, we could stop worrying
> > about Intel's ID gaffes, and RNG support, and "know" it is built correctly.
>
>Even if you designed the chip and contracted out the fabrication,
>you will not know that it is built correctly.  Even if you ran the fab
>and shuttled the wafers from machine to machine yourself.
>
>I have done design verification for complex chips (in the SPARCstation-1
>and -2).  You can certainly test that it does everything you designed it
>to do.  You can't test for the *absence* of backdoors or trojan horses.
>If someone jiggered your CAD software to insert circuitry that turns on
>the supervisor bit for one instruction if you execute seventeen ADDs in
>a row, you'll never find it unless someone points you at it.  (And it
>won't be in your "source code", only in your physical circuitry.  You
>could find it in the photographic masks, or in a chip, nowhere else.)
>
>Remember Ken Thompson's _Reflections on Trusting Trust_:
>
>       http://www.acm.org/classics/sep95/
>
>It's a very short paper, readable by everyone on the list.  Read it now!
>You'll be shocked.
>
>       John
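
Added example (not part of either message, and not code from any real CPU or CAD tool): a toy Python model of the hidden trigger described in the quoted message, showing that a randomized functional test suite cannot tell the designed chip from the altered one. The instruction set and the names `run`, `random_suite` and `mismatches` are hypothetical, and the supervisor bit is latched rather than raised for one instruction to keep the model short.

```python
import random

OPS = ["ADD", "SUB", "AND", "OR", "XOR", "LOAD", "STORE", "NOP"]  # hypothetical ISA
TRIGGER_LEN = 17  # "seventeen ADDs in a row", as in the quoted message


def run(program, trojaned):
    """Execute (op, operand) pairs; return (accumulator, supervisor_bit)."""
    acc, mem, supervisor, adds = 0, 0, False, 0
    for op, arg in program:
        if op == "ADD":
            acc = (acc + arg) & 0xFFFF
        elif op == "SUB":
            acc = (acc - arg) & 0xFFFF
        elif op == "AND":
            acc &= arg
        elif op == "OR":
            acc |= arg
        elif op == "XOR":
            acc ^= arg
        elif op == "LOAD":
            acc = mem
        elif op == "STORE":
            mem = acc
        # NOP changes nothing.
        adds = adds + 1 if op == "ADD" else 0
        # Extra circuitry present only in the altered chip, not in the design.
        if trojaned and adds == TRIGGER_LEN:
            supervisor = True  # simplification: latched, not one instruction
    return acc, supervisor


def random_suite(n, length, seed):
    """Constructed test programs: uniformly random opcodes and operands."""
    rng = random.Random(seed)
    return [[(rng.choice(OPS), rng.randrange(0x10000)) for _ in range(length)]
            for _ in range(n)]


def mismatches(suite):
    """Count programs whose observable result differs between the two chips."""
    return sum(run(p, False) != run(p, True) for p in suite)


if __name__ == "__main__":
    print("random tests that expose the change:", mismatches(random_suite(2000, 64, seed=1)))
    print("designed chip, 17 ADDs:", run([("ADD", 1)] * TRIGGER_LEN, False))
    print("altered chip, 17 ADDs: ", run([("ADD", 1)] * TRIGGER_LEN, True))
```

With eight opcodes chosen uniformly, a given run of 17 instructions is all ADDs with probability 8^-17, so the random suite reports zero differences while the one targeted sequence separates the two models.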
