I think it would be nice to have a system security checker in dom0 that would provide the user with a way to inspect and verify the security of their system and provide a lettered score with the A+ best meaning a fully blob free system with the latest cpu related updates, a quality IOMMU and no insecure remote access stuff like proprietary BMC's. For instance the kcma-d8/kgpe-d16. The G505s would be a non-plus A since it has a few blobs but still features open cpu/ram init via coreboot, has no ME/PSP and has a quality IOMMU.
What I mean by quality IOMMU is that the first gen stuff from intel didn't support interrupt remapping and a few other things leaving it with a massive security hole and inferior performance. This would abstract the vulns folder for users that don't know about it. On 05/16/2019 05:41 AM, Chris Laprise wrote: > On 5/15/19 6:24 PM, Marek Marczykowski-Górecki wrote: >> Only Intel processors are affected. > > I think the pattern showing AMD to be more conscientious in their > processor designs is now undeniable. Even if its only a matter of > degree, the difference appears to be rather substantial. > > You should consider recommending a switch to AMD processors as a > short-term mitigation against CPU vulnerabilities. > The new ones are just as problematic due to having the PSP (AMD's ME) and all the problems that come with that. The future is OpenPOWER (and RISC-V once they make a RISCV-IOMMU) and Xen/qubes needs to be ported to that for it to have a secure future as soon pre-PSP boards and cpus will no longer be available. POWER has an IOMMU with graphics support. In the meantime I suggest if you want a secure pre-PSP freedom firmware qubes machine to get a G505S laptop (with A10 cpu) or a KCMA-D8 workstation desktop (with 4386 or a 4284 for no mcode updates req) and install coreboot, the kcma-d8 supports blob free coreboot-libre and OpenBMC but of course is significantly slower than the RaptorCS OpenPOWER stuff so if one wants to do non-qubes virt computing it is better to get OpenPOWER which is price and feature equivilant to non-free new x86 stuff. The blackbird and talos 2 have the IBM version of OpenBMC which is better than the less powerful facebook fork that was ported to the D8/D16 although both are much more secure than the average off the shelf x86 non-free BMC that never sees security updates. Note that coreboot doesn't always mean open source firmware there are a few companies that sell computers with an entirely blobbed Intel FSP hw init as "coreboot open firmware" vs the D8/D16's native 100% blob free coreboot and the g505's open cpu/ram init. -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/21e722cb-9523-3379-2856-132446898d63%40gmx.com. For more options, visit https://groups.google.com/d/optout.
0xDF372A17.asc
Description: application/pgp-keys
