A trustworthy, free (libre), Linux capable, self-hosting 64bit RISC-V computer

Original link: https://www.contrib.andrew.cmu.edu/~somlo/BTCP/

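Title: Building a trustworthy, open-source, Linux-capable computer on an FPGA with free tools

This project aims to create a free/open-source computer from scratch using only trusted free software and hardware description language (HDL) source code. The hardware part of the computer will be built on a field-programmable gate array (FPGA), with open-source designs and toolchains ensuring full transparency.

Motivation: To guarantee complete trust in the hardware+software system, it is essential that every piece of software involved in building the computer (including the compilers and their respective toolchains) be freely accessible and able to run on the finished product itself. This creates a self-hosting free/open-source hardware+software ecosystem that offers significant trustworthiness advantages over conventionally sourced systems. We chose to use an FPGA to create the hardware rather than control a silicon foundry for custom ASIC development. Because no proprietary manufacturing takes place in the FPGA production process, potential threats such as privilege escalation can be minimized, making the design inherently more secure. For further research on this topic, visit [this link](https://github.com/litex-hub/linux-on-litex-rocket) and browse the project documentation.

Other resources:
[1] Self-hosting demo: [link]
[2] Latest build process documentation: [link]
[3] Project repository: [link]
[4] Early experiments and progress reports: [link]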

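A person claiming to work at AMD (formerly Xilinx) says that a tinfoil-hat-wearing colleague believes there is a secret hidden CPU inside field-programmable gate arrays (FPGAs). This belief stems from the assumption that these chips hide cognitive capabilities akin to advanced artificial general intelligence (AGI). However, AGI does not currently exist. Instead, the FPGA's programming is retrieved over an i2c bus during initialization. To access the information, one only needs to monitor this bus and intercept the entire bitstream, with no need for extensive modification of the FPGA itself. In addition, the user proposes a "kill bit", a simple mechanism for disabling a target device via a radio signal or a key, rather than introducing a hidden CPU of unimaginable complexity. Despite such beliefs, FPGAs make it challenging to hide malicious components, because the logic structure differs significantly from one design to another, so subgraph-matching algorithms are not sufficient. Overall, the author expresses excitement about the future potential of open hardware and software collaboration, especially regarding self-hosting RISC-V machines, and highlights the remarkable technological progress of recent decades.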
Original text
A Trustworthy, Free (Libre), Linux Capable, Self-Hosting 64bit RISC-V Computer
Gabriel L. Somlo, 2019-07-04 - 2020-05-08

NEW: latest build process at https://github.com/litex-hub/linux-on-litex-rocket;

Or skip directly to the self-hosting demo.

1. Motivation

My goal is to build a Free/OpenSource computer from the ground up, so I may completely trust that the entire hardware+software system's behavior is 100% attributable to its fully available HDL (Hardware Description Language) and Software sources.
More importantly, I need all the compilers and associated toolchains involved in building the overall system (from HDL and Software sources) to be Free/OpenSource, and to be themselves buildable and runnable on the computer system being described. In other words, I need a self-hosting Free/OpenSource hardware+software stack! I don't own or otherwise control a silicon foundry, and therefore can't fabricate my own ASICs, so I will build the "hardware" component of this computer on an FPGA, ensuring that any programming of (and bitstream generation for) the FPGA happens with Free/OpenSource tools. I consider the tradeoff to be worthwhile and advantageous from a trustworthiness standpoint:
  • The chip foundry wouldn't know what the FPGA will be used for, and where the proverbial "privilege bit" will end up being laid out on the chip, which mitigates against Privilege Escalation hardware backdoors. Exposure is limited to DoS attacks being planted into the silicon during FPGA fabrication, which yields a significantly improved level of assurance (i.e., the computer may stop working altogether, but can't betray its owner to an adversary while pretending to operate correctly).
  • The FPGA is a regular grid of identical components, so (destructive) visual inspection (i.e., chemical ablation and TEM imaging) is more feasible than with a dedicated ASIC that has much less visual regularity and repeatability.
  • Having thus constrained the fabrication-stage attack surface, I can cover the remaining hardware attack vectors (malicious sources and/or toolchain) by insisting on buildable sources to everything, resulting in a finished product (i.e., deployed hardware+software computer) that is as trustworthy as its openly auditable HDL+Software sources.
The following is a list of links to additional resources, documents and early experiments related to building the system described above: