No. This can be done with a ROM programmer. Trust is now reduced to hardware and people who checked the software. Assuming many people can check it, it can be considered safe. As I said, trust now depends on hardware and many people being compromised. Trusting software is no longer needed.

Type-in a bootloader is how it was done on old PDPs [0] and on the altair. I can't see how those bootloaders could be compromised except if the hardware was compromised too.

[0] https://www.youtube.com/watch?v=M94p5EIC9vQ

But suppose I grant that the ROM programmer software is trusted. I still don't see how that sidesteps the problem of needing to trust the OS environment. Once your assembler is running, how will it get its input and write its output? How will you obtain the output of the the assembler and run it in a subsequent step? How will that subsequent program get its input and write its output?

Take a look on the video I posted. There, the memory is programmed bit-by-bit. Fully through hardware, directly on the memory, the processor is not used when the ROM is programmed. In other words: the ROM programmer is 100% hardware. There is no ROM programmer software.

> How can you verify that the software you are running is the same as the software that others checked?

The ROM programmer can read any cell of the memory and display it. It can be checked visually if wanted or required.

Other hardware features can be implemented for this specific feature, but I don't think that is required.

The hardware still can be compromised, but such a simple hardware would need a very complicated way to be compromised and hide it from the user. For chips that don't need fast clocks, I think, it can even be built using only resistors and capacitors.

I once built a programmer (for RAM chips) myself using an arduino and resistors. It is reasonably safe to assume that the arduino was not carefully compromised to circumvent this very specific use case.

> But suppose I grant that the ROM programmer software is trusted.

There is no ROM programmer software!

> I still don't see how that sidesteps the problem of needing to trust the OS environment.

There is no OS until that point! Everything to that point will run on bare metal. See the link to stage0 I posted: "The stage0 is the ultimate lowest level of bootstrap that is useful for systems without firmware, operating systems nor any other provided software functionality"

> Once your assembler is running, how will it get its input and write its output?

Directly from hardware.

> How will you obtain the output of the the assembler and run it in a subsequent step?

Directly from hardware. The output of the assembler can go directly to RAM. Running it is just a matter of jumping to its entry point.

> How will that subsequent program get its input and write its output?

These can come from trusted libs or a trusted kernel which I compiled with a trusted compiler on my trusted system. AFAICS, until that point every software running on such system can be said to be trusted if at least one person who checked such software is trusted. If the software is checked by many people it is a reasonable assumption.

Vulnerabilities can still exist, but those are another kind of problem, they are bugs which may be discovered and fixed later but not built into the system by the tools. Cases like intentional vulnerabilities can still exist but would have to pass all the checkers, human or automated.

Look, the system now can only be compromised if people who checked the software are compromised or the hardware is compromised. Before mes and stage0, I had to trust the people who checked the software and the system (hardware and software) were software I run was built. If the compiler was compromised, all software generated from it could be compromised.

To illustrate it, suppose I trust GCC code as published by FSF. This is an entirely reasonable assumption. Now, if I use GCC compiled from my distro repositories, I'm trusting not only the packagers, but I'm also trusting the tools these packagers used. With stage0 and mes I don't need to trust any pre-existing binary tool that I can't check myself or be checked by other people or static analyzers. An entire huge chain would have to be compromised for my software to be compromised.

Reasonably, the system can only be compromised if hardware is compromised or all the people and tools which checked the code are compromised. Considering many people can check the code and vulnerabilities are hard to hide in the source code of a compiler, assuming not all of the people who checked the code are compromised is reasonable.

Trust is now reduced to hardware only. Without boostrapable, I had to trust the software tools that were used to build the software I use.

This was a misunderstanding on my part, when you wrote:

> This can be done with a ROM programmer. Trust is now reduced to hardware and people who checked the software.

I thought you were referring to software related to the ROM programmer (some ROM programmers do have software). I see now that you meant the software of the assembler, etc, and your scenario involves a pure-hardware ROM programmer.

stage0 looks cool. I still maintain that it will need to be including OS-like functionality along the way, to have a way to invoke the desired programs with the desired inputs and outputs, allocate memory dynamically, etc. If you're dealing with the hardware directly, it just means you're implementing the OS functionality yourself. But stage0 is cool in the way that it bootstraps from such a small binary payload.

> Trust is now reduced to hardware only.

This is true, as long as you can get hardware that doesn't have any software underneath. That rules out any CPU with microcode, etc.

Thank you!