
Introduction

Systems are organized as layers to limit complexity. A common layering principle is the use of levels of abstraction to mark layer boundaries. A computer system is organized in a series of levels of abstraction, each of which defines a "virtual machine" upon which higher levels of abstraction are constructed. Each of the virtual machines presupposes that it is operating in an environment where the abstractions of underlying layers can be treated as axiomatic. When these suppositions are true, the system is said to possess integrity. Without integrity, no system can be made secure.

Thus, any system is only as secure as the foundation upon which it is built. For example, a number of attempts were made in the 1960s and 1970s to produce secure computing systems, using a secure operating system environment as a basis [20]. An essential presumption of the security arguments for these designs was that the system layers underpinning the operating system, whether hardware, firmware, or both, are trusted. We find it surprising, given the great attention paid to operating system security [13, 8], that so little attention has been paid to the underpinnings required for secure operation, e.g., a secure bootstrapping phase for these operating systems.

Without such a secure bootstrap the operating system kernel cannot be trusted since it is invoked by an untrusted process. Designers of trusted systems often avoid this problem by including the boot components in the trusted computing base (TCB) [6]. That is, the bootstrap steps are explicitly trusted. We believe that this provides a false sense of security to the users of the operating system, and more important, is unnecessary.
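The layering argument above can be made concrete with a small model. The following Python is an added example, not code from the paper or from the AEGIS system it introduces; it assumes a chain of three boot layers (firmware, bootloader, kernel, all constructed sample images) in which each layer holds a SHA-256 digest of the layer above it and checks that digest before handing over control. Integrity is treated as transitive: once any layer fails its check, nothing above it can be considered trusted, regardless of what that higher layer contains, because the code that would have verified it is itself untrusted. The contrasting function models the "boot components are simply part of the TCB" approach, which reports every layer as trusted without ever looking at it.

```python
"""Model of layered integrity: a system is only as trustworthy as the layer beneath it.

Added illustration of the layering principle; the layer names, images and digest
scheme are constructed for the example and are not the paper's design.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Layer:
    name: str
    image: bytes                                  # the code this layer would execute
    expected_next_digest: Optional[bytes] = None  # digest this layer demands of the layer above


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(images: List[Tuple[str, bytes]]) -> List[Layer]:
    """Lay out the layers bottom-up so that each one records the digest of the next.

    `images` lists (name, image) pairs from the lowest layer (the root, e.g. ROM)
    to the highest (e.g. the kernel). The root's own trust is not derived from
    anything in the chain; it is the axiomatic foundation.
    """
    layers = []
    for i, (name, img) in enumerate(images):
        nxt = sha256(images[i + 1][1]) if i + 1 < len(images) else None
        layers.append(Layer(name, img, nxt))
    return layers


def verify_chain(layers: List[Layer], root_trusted: bool = True) -> Dict[str, bool]:
    """Walk the chain from the root, verifying each layer before it runs.

    Returns a map of layer name -> whether that layer's integrity holds.
    Trust is transitive: a failed check at layer N leaves every layer above N
    untrusted, even if their images are pristine, because their verification
    would have been performed by code we no longer trust.
    """
    status: Dict[str, bool] = {}
    trusted = root_trusted
    for i, layer in enumerate(layers):
        status[layer.name] = trusted
        if not trusted:
            continue  # nothing above an untrusted layer can regain trust
        if i + 1 < len(layers):
            # This layer checks the next one before transferring control.
            trusted = layer.expected_next_digest == sha256(layers[i + 1].image)
    return status


def trust_by_assumption(layers: List[Layer]) -> Dict[str, bool]:
    """Model of placing the boot components in the TCB: every layer is declared
    trusted without verification, so tampering is invisible to this view."""
    return {layer.name: True for layer in layers}


# Constructed sample boot chain (not real firmware or kernel images).
SAMPLE_IMAGES = [
    ("firmware", b"constructed boot rom v1"),
    ("bootloader", b"constructed loader v1"),
    ("kernel", b"constructed kernel v1"),
]


def demo() -> Tuple[Dict[str, bool], Dict[str, bool], Dict[str, bool]]:
    """Return (verified, verified-after-tamper, assumed-after-tamper) for the sample chain."""
    chain = build_chain(SAMPLE_IMAGES)
    clean = verify_chain(chain)
    # Simulate modification of the bootloader image after the chain was provisioned.
    chain[1].image = b"constructed loader v1 (modified)"
    after_tamper = verify_chain(chain)
    assumed = trust_by_assumption(chain)
    return clean, after_tamper, assumed


if __name__ == "__main__":
    for label, result in zip(("verified, clean", "verified, tampered", "assumed, tampered"), demo()):
        print(f"{label:20s} {result}")
```

Running it shows the two views diverging after the bootloader is modified: the verifying walk marks the bootloader and everything above it untrusted (the kernel image is untouched, but its check was delegated to code that failed its own check), while the assumption-based view still reports all three layers as trusted. Passing `root_trusted=False` to `verify_chain` models a compromised foundation, which leaves no layer trustworthy at all.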

William A Arbaugh
Mon Feb 24 15:36:58 EST 1997