fosslinux / live-bootstrap

Use of a Linux initramfs to fully automate the bootstrapping process

Exclude bootstrap-seeds from kernel bootstrap images #439

Closed Googulator closed 4 months ago

Googulator commented 4 months ago

In kernel bootstrap mode, the kernel (builder-hex0) includes the ability to assemble hex0 source code, and to execute basic commands, obviating the need for the bootstrap-seeds subdirectory. With the bootstrap-seeds directory excluded, the image consists of purely source code, with the exception of the boot sector, which is assembled from hex0 code by rootfs.py, and delivered ready for BIOS to boot.

Googulator commented 4 months ago

This ties in with my plan to support a "verbose" or "auditing" mode, for environments with the highest security/trust requirements, where any source code compiled and/or executed before the first Bash shell is available is printed to the console before it has a chance to execute. The console can then be securely recorded for later auditing, preferably by analog means, to ensure that the recording itself can't be compromised.

This way, it's guaranteed that any backdoor code that slips through and attempts to compromise auditing gets printed early enough not to be able to influence its own printing, protecting against e.g. malware that patches the "cat" program to prevent its source code from being examined faithfully.

To do this, I plan to add a "Src" or "SRC" command to builder-hex0's shell, which behaves just like "src", except that it prints what it reads. Passing a "-v" or "--verbose" option to rootfs.py will then cause it to store any file that's not a tarball as a "Src" record, while tarballs remain "src". The ungz, unbz2 and unxz utilities are then extended with their own "-v" option, to print out what they decompress on the fly.

Then, once bash is built, we can pause the bootstrap and drop to an auditing shell, where the rest of the source code can be examined - trust in this shell is ensured by the analog record of it being bootstrapped, containing all the source code that went into it.

Once the auditor is satisfied that the remaining sources are clean, the bootstrap can then proceed from known good source code, with no path for infiltration apart from the 512-byte boot sector, which necessarily executes before it can print anything. The small size of the boot sector prevents any significant payload from being included in it, provided we can make sure that genuinely no more than 512 bytes are read and executed before source code printing begins - see #347 for how to achieve this.

For all of this to work, it's necessary that the srcfs consists entirely of source tarballs and loose source code files. Since bootstrap-seeds contains binaries (by definition), and is unnecessary for kernel bootstrap, it's best to just exclude it from the srcfs.
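The following is an added illustration of the "src"/"Src" split described in the comments above; it is not code from live-bootstrap, builder-hex0 or rootfs.py, and the record layout it uses (`<cmd> <size> <path>\n` followed by `<size>` bytes of content) is a hypothetical stand-in for the real srcfs format. The tarball suffix list and the function names `build_srcfs` and `replay` are likewise assumptions. What it shows is the selection rule (loose files become "Src" records in verbose mode, tarballs stay "src") and the ordering guarantee the auditing mode relies on: the consumer echoes a "Src" record's bytes to the console before they are stored anywhere they could run.

```python
import io
from typing import Dict, List, Tuple

# Hypothetical record format (NOT builder-hex0's real srcfs layout):
#   b"<cmd> <size> <path>\n" + <size> bytes of file content
# where <cmd> is "src" (store silently) or "Src" (echo, then store).
TARBALL_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tar.xz")


def is_tarball(path: str) -> bool:
    """Tarballs keep the plain 'src' command; their contents would be
    echoed by the -v option of ungz/unbz2/unxz instead (not modelled here)."""
    return path.endswith(TARBALL_SUFFIXES)


def build_srcfs(files: List[Tuple[str, bytes]], verbose: bool) -> bytes:
    """Serialise (path, content) pairs into the hypothetical record stream.
    With verbose=True every non-tarball file is emitted as a 'Src' record."""
    out = bytearray()
    for path, data in files:
        cmd = "Src" if verbose and not is_tarball(path) else "src"
        out += f"{cmd} {len(data)} {path}\n".encode()
        out += data
    return bytes(out)


def replay(image: bytes) -> Tuple[List[str], Dict[str, bytes]]:
    """Simulate the consumer. Returns (console_transcript, stored_files).
    The console line for a 'Src' record is appended before the bytes are
    placed in the store, so anything that later executes was already shown."""
    console: List[str] = []
    store: Dict[str, bytes] = {}
    buf = io.BytesIO(image)
    while True:
        header = buf.readline()
        if not header:
            break
        cmd, size, path = header.decode().rstrip("\n").split(" ", 2)
        data = buf.read(int(size))
        if len(data) != int(size):
            raise ValueError(f"truncated record for {path}")
        if cmd == "Src":
            console.append(f"--- {path} ---\n" + data.decode(errors="replace"))
        elif cmd != "src":
            raise ValueError(f"unknown command {cmd!r}")
        store[path] = data
    return console, store


# Constructed sample input: one loose hex0 file and one (fake) tarball.
SAMPLE_FILES = [
    ("hex0.hex0", b"# hex0 self-hosting assembler (constructed stub)\n4C 01\n"),
    ("mes.tar.gz", b"\x1f\x8b\x08\x00constructed-not-real-gzip"),
]


def audit_transcript(verbose: bool = True) -> List[str]:
    """Build the image from the sample files and return what an auditor
    would see on the console while it is consumed."""
    console, _ = replay(build_srcfs(SAMPLE_FILES, verbose))
    return console


if __name__ == "__main__":
    for line in audit_transcript():
        print(line)
```

In the real design the same ordering property has to hold all the way down: the boot sector is the only code that runs before anything is printed, which is why the comments insist on bounding what is executed to those 512 bytes.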