GNU Mes – Scheme-only bootstrap
- Introduction
- Reproducibility
- Carl Dong – bitcoin build system security
- Reproducible-Builds.org
- What is a Bootstrap?
- How to Bootstrap: An Old Recipe…
- How to Bootstrap: Create your second GCC
- Pour milk
- Add yoghurt
- We're reproducible
- Add evil yoghurt
- We're reproducible
- Evil yoghurt
- We're reproducibly malicious
- Reproducibility is not enough
- Reproducibility plus clean source code is not enough
- Bootstrappability
- Guix pronounced geeks
- Long path: Reduced Binary Seed bootstrap
- GCC mesboot0
- NLnet Foundation
- Long path: Scheme-only bootstrap
- Scheme-only bootstrap: Gash Core Utils
- GCC core-mesboot0-scheme-only
- GCC mesboot0-scheme-only
- Cross distro reproducibility
- The holy grail
- Full Source Bootstrap
- Long path: Full Source Bootstrap
- Trusted Computing Base
- Trusted Computing Base
- Raising the bar on auditability
- Won't your life be boring?
- Joy of Source
- Thanks
- legalese
#+DATE:2020-02-02
#+LATEX_HEADER:\institute{FOSDEM'20} #+LATEX_HEADER:\def\ahref#1#2{\htmladdnormallink{#2}{#1}}
Introduction
Scheme-only bootstrap: Why?
#+LATEX:\begin{center} Why bootstrapping is important to you.
or
Why bootstrapping is something you wish to ignore. #+LATEX:\end{center}
Scheme-only bootstrap: GNU Mes
GNU Mes
- A Scheme interpreter written in ~5,000 LOC of simple C.
- A C compiler written in Scheme.
- Built on LISP: eval/apply, the Maxwell Equations of Software.
LOGO
#+LATEX:\rightskip=2cm\includegraphics[width=0.7\textwidth]{mes.png}
Auditable Elegance
#+LATEX:\tiny
#+BEGIN_SRC scheme
;; McCarthy's eval/apply as shown on the slide.  The environment a is an
;; association list of (name . value) pairs.  CAR, CDR, CONS, ATOM, EQ,
;; LAMBDA, LABEL, QUOTE and COND are variables bound to the corresponding
;; symbols; atom, eq, pairlis, evcon and evlis are the helper functions
;; mentioned below the code and are not shown on the slide.
(define (apply fn x a)
  (cond
   ((atom fn)                                   ; a symbol: primitive or bound name
    (cond
     ((eq fn CAR) (caar x))
     ((eq fn CDR) (cdar x))
     ((eq fn CONS) (cons (car x) (cadr x)))
     ((eq fn ATOM) (atom (car x)))
     ((eq fn EQ) (eq (car x) (cadr x)))
     (#t (apply (eval fn a) x a))))             ; look the name up, then apply
   ((eq (car fn) LAMBDA)                        ; bind parameters, evaluate body
    (eval (caddr fn) (pairlis (cadr fn) x a)))
   ((eq (car fn) LABEL)                         ; bind the name for recursion
    (apply (caddr fn) x
           (cons (cons (cadr fn) (caddr fn)) a)))))

(define (eval e a)
  (cond
   ((atom e) (cdr (assoc e a)))                 ; variable lookup
   ((atom (car e))
    (cond ((eq (car e) QUOTE) (cadr e))
          ((eq (car e) COND) (evcon (cdr e) a))
          (#t (apply (car e) (evlis (cdr e) a) a))))
   (#t (apply (car e) (evlis (cdr e) a) a))))
#+END_SRC
#+LATEX:\normalsize
eval and apply are mutually recursive functions that—using a few helper functions—describe the universe of computing.
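To see the slide's two functions actually run, here is an added, self-contained version for Guile Scheme; it is not code from the slides or from the GNU Mes project. It supplies the helper functions the slide leaves out, binds the upper-case names to plain symbols, renames eval/apply to m-eval/m-apply so they do not shadow Guile's own, and evaluates a recursive LABEL program.

```scheme
;; Added example (Guile Scheme), not from the slides or from GNU Mes.  The
;; evaluator is the slide's eval/apply, renamed m-eval/m-apply so that it
;; does not shadow Guile's built-in eval and apply.
;; Helper functions the slide refers to but does not show.
(define (atom x) (not (pair? x)))            ; symbols and '() are atoms
(define eq eq?)
(define (pairlis keys vals a)                ; bind keys to vals in front of env a
  (if (null? keys) a
      (cons (cons (car keys) (car vals)) (pairlis (cdr keys) (cdr vals) a))))
(define (evcon c a)                          ; value of the first clause whose test holds
  (if (m-eval (caar c) a) (m-eval (cadar c) a) (evcon (cdr c) a)))
(define (evlis m a)                          ; evaluate every argument expression
  (if (null? m) '() (cons (m-eval (car m) a) (evlis (cdr m) a))))
;; The atoms the evaluator treats specially, bound to plain symbols.
(define CAR 'car) (define CDR 'cdr) (define CONS 'cons) (define ATOM 'atom)
(define EQ 'eq) (define LAMBDA 'lambda) (define LABEL 'label)
(define QUOTE 'quote) (define COND 'cond)
(define (m-apply fn x a)                     ; a is the environment, an alist
  (cond
   ((atom fn)
    (cond
     ((eq fn CAR) (caar x))
     ((eq fn CDR) (cdar x))
     ((eq fn CONS) (cons (car x) (cadr x)))
     ((eq fn ATOM) (atom (car x)))
     ((eq fn EQ) (eq (car x) (cadr x)))
     (#t (m-apply (m-eval fn a) x a))))      ; a name bound to a function
   ((eq (car fn) LAMBDA)
    (m-eval (caddr fn) (pairlis (cadr fn) x a)))
   ((eq (car fn) LABEL)                      ; bind the name, then apply
    (m-apply (caddr fn) x (cons (cons (cadr fn) (caddr fn)) a)))))
(define (m-eval e a)
  (cond
   ((atom e) (cdr (assoc e a)))              ; variable lookup
   ((atom (car e))
    (cond ((eq (car e) QUOTE) (cadr e))
          ((eq (car e) COND) (evcon (cdr e) a))
          (#t (m-apply (car e) (evlis (cdr e) a) a))))
   (#t (m-apply (car e) (evlis (cdr e) a) a))))
;; ff is McCarthy's "first atom" function, defined with LABEL so that it
;; can call itself recursively; here it is applied to the list ((a b) c).
(define program
  '((label ff (lambda (x) (cond ((atom x) x)
                                ((quote t) (ff (car x))))))
    (quote ((a b) c))))
(display (m-eval program '())) (newline)
```

Run it with `guile` on the saved file; the evaluator walks down the car of its argument until it reaches an atom and prints `a`, the first atom of `((a b) c)`.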
Long path: Best Practice
#+LATEX:\Large
GNU Mes
#+LATEX:\normalfont
- 500+ MB: no bootstrap
#+LATEX:\vskip 10cm
LOGO
#+LATEX:\includegraphics[height=0.7cm]{logos/debian.png} #+LATEX:\vskip 10cm #+LATEX:\normalsize
Guix pronounced geeks
#+LATEX:{\hspace{-1.2cm}\begin{frame}[plain] #+LATEX:{{\vskip-2.8cm\includegraphics[width=1.1\paperwidth,height=1.1\paperheight]{guix-pronounced-geeks.png}}} #+LATEX:\end{frame}}
Reduce binary seeds to bare minimum
These big chunks of binary code are practically non-auditable which breaks the source to binary transparency that we get in the rest of the package dependency graph.
Every unauditable binary leaves us vulnerable to compiler backdoors as described by Ken Thompson in the 1984 paper Reflections on Trusting Trust.
Thus, our goal is to reduce the set of bootstrap binaries to the bare minimum. – Ludovic Courtès (GNU Guix documentation, December 2017)
A big problem, predicted 40y ago
#+LATEX:{\hspace{-1.2cm}\begin{frame}[plain] #+LATEX:{{\vskip-2.8cm\includegraphics[width=1.1\paperwidth,height=1.1\paperheight]{ken-thompson.png}}} #+LATEX:\end{frame}}
Long path: Ignoring the Problem
#+LATEX:\Large
GNU Mes
#+LATEX:\normalfont
- 500+ MB: no bootstrap
LOGO
#+LATEX:\includegraphics[height=0.7cm]{logos/debian.png} #+LATEX:\normalsize
FOO
#+LATEX:\includegraphics[width=2cm]{logos/android.png} #+LATEX:{\includegraphics[height=0.8cm]{logos/apple.png}\includegraphics[width=1.2cm]{logos/macos.png}} #+LATEX:\includegraphics[height=1cm]{logos/debian.png} #+LATEX:\includegraphics[width=2cm]{logos/fedora.png} #+LATEX:\includegraphics[height=0.8cm]{logos/freebsd.png} #+LATEX:\includegraphics[height=0.8cm]{logos/netbsd.png} #+LATEX:\includegraphics[height=1cm]{logos/openbsd.png} #+LATEX:\includegraphics[height=0.7cm]{logos/opensuse.png} #+LATEX:\includegraphics[width=2cm]{logos/redhat.png} #+LATEX:\includegraphics[width=2cm]{logos/ubuntu.png} #+LATEX:\includegraphics[width=2.2cm]{logos/windows.png} #+LATEX:\vskip 5cm #+LATEX:\normalsize
Long path: GNU Guix System v1.0
#+LATEX:\Large
GNU Mes
#+LATEX:\normalfont
- 500+ MB: no bootstrap
- 252 MB: GNU Guix System v1.0
#+LATEX:\vskip 6cm
LOGO
#+LATEX:\includegraphics[height=0.7cm]{logos/debian.png} #+LATEX:\includegraphics[height=0.7cm]{logos/guix.png}\includegraphics[height=0.4cm]{logos/nixos.png}\\[0.4cm] #+LATEX:\vskip 5.5cm #+LATEX:\normalsize
Reproducibility
Carl Dong – bitcoin build system security
#+LATEX:{\hspace{-1.2cm}\begin{frame}[plain] #+LATEX:{{\vskip-2.8cm\includegraphics[width=1.1\paperwidth,height=1.1\paperheight]{bitcoin-carl-dong.png}}} #+LATEX:\end{frame}}
Reproducible-Builds.org
#+LATEX:{\hspace{-1.2cm}\begin{frame}[plain] #+LATEX:{{\vskip-2.8cm\includegraphics[width=1.1\paperwidth,height=1.1\paperheight]{reproducible-builds.png}}} #+LATEX:\end{frame}}
What is a Bootstrap?
Impossible task: pull yourself up on your boot straps
#+LATEX:\rightskip=2cm\includegraphics[width=0.3\textwidth]{boot-strap.png}
Software: to create your first: kernel, shell, C compiler, …
#+LATEX:\includegraphics[width=0.15\textwidth]{gcc.png} #+LATEX:{\fontsize{20}{10}\selectfont source\normalsize} #+LATEX:{\fontsize{40}{20}\selectfont + ?? =} #+LATEX:\includegraphics[width=0.15\textwidth]{gcc.png} #+LATEX:{\fontsize{20}{10}\selectfont binary\normalsize}
How to Bootstrap: An Old Recipe…
#+LATEX:\rightskip=2cm\includegraphics[width=0.3\textwidth]{yoghurt.png}\\
Recipe for yoghurt: Add yoghurt to milk – Anonymous
How to Bootstrap: Create your second GCC
Traditional recipe: like yoghurt #+LATEX:\\[1cm] #+LATEX:\includegraphics[width=0.15\textwidth]{gcc.png} #+LATEX:{\fontsize{10}{5}\selectfont source\normalsize} #+LATEX:{\fontsize{40}{20}\selectfont +} #+LATEX:\includegraphics[width=0.15\textwidth]{gcc.png} #+LATEX:{\fontsize{10}{5}\selectfont binary - 1\normalsize} #+LATEX:{\fontsize{40}{10}\selectfont = \normalsize} #+LATEX:\includegraphics[width=0.15\textwidth]{gcc.png} #+LATEX:{\fontsize{10}{5}\selectfont binary\normalsize} #+LATEX:\\[1cm]
… and done!
Pour milk
#+LATEX:{\begin{frame}[plain] #+LATEX:{\vskip-2cm\includegraphics[width=1.1\paperwidth,height=1.1\paperheight]{pour-milk.png}} #+LATEX:\end{frame}}
Add yoghurt
#+LATEX:{\begin{frame}[plain] #+LATEX:{\vskip-2cm\includegraphics[width=1.1\paperwidth,height=1.1\paperheight]{add-yoghurt.png}} #+LATEX:\end{frame}}
We're reproducible
#+LATEX:{\hspace{-1.2cm}\begin{frame}[plain] #+LATEX:{{\vskip-2.8cm\includegraphics[width=1.1\paperwidth,height=1.1\paperheight]{we-are-reproducible.png}}} #+LATEX:\end{frame}}
Add evil yoghurt
#+LATEX:{\begin{frame}[plain] #+LATEX:{\vskip-2.5cm\includegraphics[width=1.1\paperwidth,height=1.1\paperheight]{add-evil-yoghurt.png}} #+LATEX:\end{frame}}
We're reproducible
#+LATEX:{\hspace{-1.2cm}\begin{frame}[plain] #+LATEX:{{\vskip-2.8cm\includegraphics[width=1.1\paperwidth,height=1.1\paperheight]{we-are-reproducible.png}}} #+LATEX:\end{frame}}
Evil yoghurt
#+LATEX:{\hspace{-1.2cm}\begin{frame}[plain] #+LATEX:{{\vskip-2cm\includegraphics[width=1.1\paperwidth,height=1.1\paperheight]{evil-yoghurt-rect-black.png}}} #+LATEX:\end{frame}}
We're reproducibly malicious
#+LATEX:{\hspace{-1.2cm}\begin{frame}[plain] #+LATEX:{{\vskip-2.8cm\includegraphics[width=1.1\paperwidth,height=1.1\paperheight]{we-are-reproducibly-malicious.png}}} #+LATEX:\end{frame}}
Reproducibility is not enough
#+LATEX:{\hspace{-1.2cm}\begin{frame}[plain] #+LATEX:{{\vskip-2.8cm\includegraphics[width=1.1\paperwidth,height=1.1\paperheight]{reproducibility-is-not-enough.png}}} #+LATEX:\end{frame}}
Reproducibility plus clean source code is not enough
#+LATEX:{\hspace{-1.2cm}\begin{frame}[plain] #+LATEX:{{\vskip-2.8cm\includegraphics[width=1.1\paperwidth,height=1.1\paperheight]{reproducibility+clean-source-code.png}}} #+LATEX:\end{frame}}
Bootstrappability
Guix pronounced geeks
#+LATEX:{\hspace{-1.2cm}\begin{frame}[plain] #+LATEX:{{\vskip-2.8cm\includegraphics[width=1.1\paperwidth,height=1.1\paperheight]{guix-pronounced-geeks.png}}} #+LATEX:\end{frame}}
Long path: Reduced Binary Seed bootstrap
#+LATEX:\Large
GNU Mes
#+LATEX:\normalfont
- 500+ MB: no bootstrap
- 252 MB: GNU Guix System v1.0
- 145 MB: Reduced Binary Seed
  - master branch
  - −GCC, GLIBC, Binutils; +MesCC-Tools, +Mes
#+LATEX:\vskip 5cm
LOGO
#+LATEX:\includegraphics[height=0.7cm]{logos/debian.png} #+LATEX:\includegraphics[height=0.7cm]{logos/guix.png}\includegraphics[height=0.4cm]{logos/nixos.png}\\[0.4cm] #+LATEX:\includegraphics[height=0.7cm]{logos/guix.png}\\[1cm] #+LATEX:\vskip 4.75cm #+LATEX:\normalsize
GCC mesboot0
#+LATEX:{\hspace{-0.55cm}\begin{frame}[plain] #+LATEX:{{\vskip-1.9cm\includegraphics[width=1\paperwidth,height=1\paperheight]{gcc-mesboot0-unversioned.png}}} #+LATEX:\end{frame}}
NLnet Foundation
#+LATEX:\begin{center} #+LATEX:\includegraphics[width=0.5\paperwidth,height=0.5\paperheight]{nl-net.png} #+LATEX:\end{center}
Long path: Scheme-only bootstrap
#+LATEX:\Large
GNU Mes
#+LATEX:\normalfont
- 500+ MB: no bootstrap
- 252 MB: GNU Guix System v1.0
- 145 MB: Reduced Binary Seed
  - master branch
  - −GCC, GLIBC, Binutils; +MesCC-Tools, +Mes
- 57 MB: Scheme-only
  - wip-bootstrap branch
  - −Awk, Bash, Bzip2, GNU Core Utilities, Grep, Gzip, Make, Patch, Sed, Tar, and XZ; +Gash (source only!)
#+LATEX:\vskip 3cm
LOGO
#+LATEX:\includegraphics[height=0.7cm]{logos/debian.png}
#+LATEX:\includegraphics[height=0.7cm]{logos/guix.png}\includegraphics[height=0.4cm]{logos/nixos.png}\\[0.4cm]
#+LATEX:\includegraphics[height=0.7cm]{logos/guix.png}\\[1cm]
#+LATEX:\includegraphics[height=0.7cm]{logos/guix.png}
#+LATEX:\vskip 4.75cm
#+LATEX:\normalsize
Scheme-only bootstrap: Gash Core Utils
#+BEGIN_EXAMPLE
awk       cp        gash    mv      sleep   uname
basename  cut       grep    pwd     sort    uniq
bash      diff      gzip    reboot  tar     wc
cat       dirname   head    rm      test    which
chmod     expr      ln      rmdir   touch
cmp       false     ls      sed     tr
compress  find      mkdir   sh      true
#+END_EXAMPLE
GCC core-mesboot0-scheme-only
#+LATEX:{\hspace{-0.55cm}\begin{frame}[plain] #+LATEX:{{\vskip-1.9cm\includegraphics[width=1\paperwidth,height=1\paperheight]{gcc-core-mesboot0-scheme-only-unversioned.png}}} #+LATEX:\end{frame}}
GCC mesboot0-scheme-only
#+LATEX:{\hspace{-0.55cm}\begin{frame}[plain] #+LATEX:{{\vskip-1.9cm\includegraphics[width=1\paperwidth,height=1\paperheight]{gcc-mesboot0-scheme-only-unversioned.png}}} #+LATEX:\end{frame}}
Cross distro reproducibility
The sha256sum for bin/mes-mescc on x86 shall be
#+LATEX:\scriptsize
722790ed261954eb53cf2cd2906c89c7589ef72b66171bbe2a9dce0f0af20232 v0.22
9e0bcb1633c58e7bc415f6ea27cee7951d6b0658e13cdc147e992b31a14625fb v0.21
#+LATEX:\normalsize
only differing in the version number string.
#+LATEX:\begin{center} #+LATEX:\begin{minipage}{0.8\paperwidth} #+LATEX:$\vcenter{\hbox{\includegraphics[height=1.5cm]{logos/debian.png}}}$ #+LATEX:$\vcenter{\hbox{\includegraphics[height=0.5cm]{chain.png}}}$ #+LATEX:$\vcenter{\hbox{\includegraphics[height=1.5cm]{logos/guix.png}}}$ #+LATEX:$\vcenter{\hbox{\includegraphics[height=0.5cm]{chain.png}}}$ #+LATEX:$\vcenter{\hbox{\includegraphics[height=0.8cm]{logos/nixos.png}}}$ #+LATEX:\end{minipage} #+LATEX:\end{center}
For v0.21 this has been verified on Guix System, Debian GNU/Linux and NixOS.
The holy grail
The holy grail of bootstrappability will be connecting mes to hex0.
– Carl Dong, Chaincode Labs
Full Source Bootstrap
#+LATEX:\begin{center} #+LATEX:\includegraphics[width=0.6\textwidth]{fsb-logo-guile-guix-mes.png} #+LATEX:\end{center}
Long path: Full Source Bootstrap
#+LATEX:\Large
GNU Mes
#+LATEX:\normalfont
- 500+ MB: no bootstrap
- 252 MB: GNU Guix System v1.0
- 145 MB: Reduced Binary Seed
  - master branch
  - −GCC, GLIBC, Binutils; +MesCC-Tools, +Mes
- 57 MB: Scheme-only
  - wip-bootstrap branch
  - −Awk, Bash, Bzip2, GNU Core Utilities, Grep, Gzip, Make, Patch, Sed, Tar, and XZ; +Gash (source only!)
- 357 bytes: Full Source
  - −MesCC-Tools, Mes; +Stage0: 357 bytes (x86)
#+LATEX:\vskip 1cm
LOGO
#+LATEX:\includegraphics[height=0.7cm]{logos/debian.png}
#+LATEX:\includegraphics[height=0.7cm]{logos/guix.png}\includegraphics[height=0.4cm]{logos/nixos.png}\\[0.4cm]
#+LATEX:\includegraphics[height=0.7cm]{logos/guix.png}\\[1cm]
#+LATEX:\includegraphics[height=0.7cm]{logos/guix.png}
#+LATEX:\vskip 4.2cm
#+LATEX:\normalsize
Trusted Computing Base
#+LATEX:{\hspace{-1.2cm}\begin{frame}[plain] #+LATEX:{{\vskip-2.8cm\includegraphics[width=1.1\paperwidth,height=1.1\paperheight]{bowl-empty-spoon.png}}} #+LATEX:\end{frame}}
Trusted Computing Base
- Source code
- Binary seeds
- Guix System
- Linux
Raising the bar on auditability
I want code easy to reason about at the heart of this bootstrap, so that everyone will be able to sit down in the morning and be done by lunch time; understanding how every piece of it works. – Jeremiah Orians
Won't your life be boring?
MesCC should optimize for the ease of convincing us of its correctness. – Mark H Weaver
Joy of Source
#+LATEX:\large
Vulnerability to a trusting trust attack is a symptom of an unauditable or missing bootstrap story. – janneke
#+LATEX:\normalsize
Thanks
Thanks
- Carl Dong
- Danny Milosavljevic
- David Terry
- Jeremiah Orians
- Ludovic Courtès
- Matt Wette
- Pjotr Prins
- Rutger van Beusekom
- Timothy Sample
- Vagrant Cascadian
Want to join?
You can help
- make Guix run on Mes
- write a bootstrappable syntax-case
- simplify MesCC and target GCC-4.6
- bootstrap NixOS, Debian
- port MesCC to the Hurd, FreeBSD
- spread the message
- retweet
  - @janneke_gnu
  - janneke@octodon.social
Connect
- irc freenode.net #bootstrappable #guix
- mail bug-mes@gnu.org guix-devel@gnu.org
- git https://git.savannah.gnu.org/git/mes.git
- web bootstrappable.org
legalese
Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts.
- By Debian - www.debian.org/logos/, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=3330975
- By Canonical Ltd. - http://design.ubuntu.com/wp-content/uploads/logo-ubuntu_no%C2%AE-black_orange-hex.svg, Public Domain, https://commons.wikimedia.org/w/index.php?curid=18296544
- By Source, Fair use, https://en.wikipedia.org/w/index.php?curid=60635229
- By Original: Apple Inc. Vectorization: Totie - https://www.apple.com/macos/high-sierra/, Public Domain, https://commons.wikimedia.org/w/index.php?curid=59644704
- By Original: Rob Janoff - https://www.apple.com/ac/globalnav/2.0/en_US/images/ac-globalnav/globalnav/apple/image_large.svg, Public Domain, https://commons.wikimedia.org/w/index.php?curid=10472152
- By Source, Fair use, https://en.wikipedia.org/w/index.php?curid=26987122
- By Source (WP:NFCC#4), Fair use, https://en.wikipedia.org/w/index.php?curid=38767733
- By Source, Fair use, https://en.wikipedia.org/w/index.php?curid=13822991
- By Microsoft - File:Windows Server 2012 logo.svg, Public Domain, https://commons.wikimedia.org/w/index.php?curid=45931123
- By Source, Fair use, https://en.wikipedia.org/w/index.php?curid=28200444