Turtles all the way down: Integrated circuits

Jan 23, 2014

The next phase of the trusted open computer project is actually manufacturing usable integrated circuits that you can plug into a circuit board, apply power to, and use to do whatever it is that you do. In other words, processing information.

I hate to be a killjoy, but this is really hard. A vital question that we have to ask at this point is whether or not this is the point at which the project is pwnable by a determined third party. Fabbing integrated circuitry on silicon wafers is, to be gentle, a nontrivial process. Here are a couple of links on how the process can go:
Even Jeri Ellsworth, who is somebody for whom I have the utmost of admiration and respect, spent two years building a semiconductor foundry in her home and as far as I know (and I'd love to hear different) she's only up to fabbing her own discrete transistors. I think says something for how far we are from fabbing our own ICs at home. In case you're curious here's her photo album for her home semiconductor fab. It's a breakthrough, to be sure, and I have no doubt that she will one day fabricate her own CMOS and NMOS chips. However I think that day is a considerable period of time in the future and, for the purpose of practically implementing a computer system from the ground up, doing so is not an option yet. But what can we do that will get us results?

A more commonly used method of implementing custom chips is compiling the design into an FPGA (field programmable gate array), which is a chip that you can load code into to turn it into whatever you want, like a CPU, a math coprocessor, a communications controller, a graphics comtroller, or something more unusual (like a signal processor). The nature of FPGAs is that they are slower than fabbed chips (but they're getting better, and some high-end Xilinx FPGAs run at speeds practically indistinguishable from ASICs) but if you don't have your own chip foundry they're probably the only realistic option open unless you feel up to the task of building functional versions of the ICs out of discrete components. Which you can do, as the following examples depict:
By their very nature they'll be orders of magnetude larger than the originals and will probably have unusual quirks due to the constraints of macroscale electrical engineering. So, if you're the sort of person who is not willing to sacrifice some speed just to have a working system, you're out of luck at this point.

FPGAs also notably differ in the number of logic gates they are constructed out of. Some have enough hardware on board - microprocessors, clocks, and other stuff - that they can be used to fabricate full Systems-On-A-Chip, which I'll talk about later. Some designs may require FPGAs of a minimum number of gates, speed, or other onboard functionality so a hacker would have to be mindful of the specifications of the FPGAs acquired and match them to their intended purpose. Additionally, the un-flashable onboard subsystems of some FPGAs may be subvertable somewhere along the supply line, certainly at the factory but possibly closer to home. I don't feel comfortable speculating any farther beyond that due to my comparative lack of hands-on knowledge of FPGA technology. Then there is the argument of open source versus closed source FPGA synthesis and programming software. The few times I've mentioned using FPGAs to construct computers while doing research for this article the discussion rapidly turned into a debate over the ethics of using closed source software to build open source integrated circuitry. I'm not going to restart that debate, plenty of people already do so every day. This is one of those pain points where you have to decide how far you're willing to go to achieve your goals. This might put you out of the game, it might change your direction, or it might not.

After doing some research I found that there are several HDL's out there, but there are not many open source software packages that take the synthesized binaries and load them onto the FPGA chips. Such applications are often manufacturer (and sometimes FPGA model) specific, often expensive, and sometimes have EULAs that have disuaded many people from reverse engineering them to write their own versions. However, I found a couple of non-proprietary applications which carry out the same tasks. xc3sprog is quite handy, though you really need to study the documentation (and play around with it a little) before using it for anything moderately complex. xilprg has been around for a while but it hasn't been updated since 2006, which is a bad sign for an open source project. jwrt is an FPGA programmer of more recent vintage. Qflow is a very active software project for turning HDL code into an FPGA bitstream or ASIC fabrication circuit layout (interestingly). The Qflow project mentions another open source FPGA synthesis package called Yosys, which would also be of interest in the context of this project. An outfit called Qi Hardware, which specializes in free and libre hardware, maintains some public domain software called fpgatools which can be used to flash bitstreams into a couple of models of FPGA.

Knowing that the above tools exist, they sort of dictate the hardware one could use in a ground-up computing stack effort. Not all of these applications work with all FPGAs, which seems as if it might limit the applications certain FPGAs could be put to. Additionally, when most FPGAs are powered off they go back to their default blank state and must be reprogrammed when next powered on. The firmware needs to be reloaded from some other storage medium, like an EEPROM, an SD card, or another computer via some interface (such as serial or point-to-point Ethernet). When an FPGA is powered up it reaches over a particular bus or into a particular region of memory (make and model dependent, of course), pulls its bitstream over, and then goes into execution mode. Some FPGAs seem to have internal flash-like memory for storing bitstreams on a semipermanent basis, which is implied by the existence of open source software which is capable of flashing bitstreams into FPGAs over a programming interface but not attendent storage media if I'm reading the docs correctly. Some FPGAs seem to be permanently flashable - upload a bitstream and it permanently becomes that kind of chip.

Incidentally, a couple of years ago HacDC offered a course on FPGA design - here's the wiki page with lots of links to resources, and if video is available, I'll link to it.

FPGAs tend to be on the expensive side, sometimes costing a significant percentage of the cost of a new laptop. A list of higher-end FPGA development boards can be found here. Such development kits can, of course, be acquired through other means depending upon one's basic proclivities. I leave this as an exercise to the reader. I would be remiss in not pointing out that there are also some remarkably inexpensive FPGA experimenters' boards available on the open market, on the order of $70us apiece. The Papilio seems reasonably popular among hardware hackers and can be purchased from Sparkfun at very reasonable prices. They also sell another, similar board called the Mojo). Ztex FPGA boards are also designed for people to hack around on and with, and their toolchain is open source (GPLv3), which is a plus. Unfortunately, this means that you now have to trust the manufacturer of the FPGA chips (and/or the reference boards) to not have backdoored them, or the board, or any firmware of other chips on the board...

There are only a couple of strategies for hopefully getting not-backdoored FPGAs because we do not yet live in a world in which there are black market chip foundries run by criminal cartels, the products of which are less likely to have nasty surprises embedded in them. Probably the best thing that a determined hacker can do is find functionally equvalent FPGAs from multiple manufacturers that are suitably complex to carry out the tasks at hand. Try to source them at different times from different vendors in as many jurisdictions as possible to ensure that it is difficult to predict which batches are going where and when and hope that you get a shipment that hasn't been intercepted and modified. If possible, source them by driving to the stores personally, buy as randomly as possible from the lots available to try to evade targeted attacks with compromised chips. Then pick the FPGAs you want to use randomly from all of the ones that you acquired.

Tip-of-the fedora to my cypherpunk cow-orkers for helping me figure that acquisition strategy out. It is by no means the only possible strategy.

This work by The Doctor [412/724/301/703][ZS] is published under a Creative Commons By Attribution / Noncommercial / Share Alike v3.0 License.