Secure, fault-tolerant distributed systems are difficult to build, to validate, and to operate. Conservative design for such systems dictates that their security and fault tolerance depend on a very small number of assumptions taken on faith; such assumptions are typically called the “trusted computing base” (TCB) of a system. However, a rich trade-off exists between larger TCBs and more secure, more faulttolerant, or more efficient systems. In our recent work, we have explored this trade-off by defining “small,” generic trusted primitives—for example, an attested, monotonically sequenced FIFO buffer of a few hundred machine words guaranteed to hold appended words until eviction—and showing how such primitives can improve the performance, fault tolerance, and security of systems using them. In this article, we review our efforts in generating simple trusted primitives such as an attested circular buffer (called Attested Appendonly Memory), and an attested human activ...