VT-d is Intel's marketing term for IOMMU; you can buy an AMD system that
has an IOMMU (AMD-Vi) (but not FM2/AM4, as those have the PSP). Qubes needs an IOMMU,
not "VT-d".
You can use a VMM with a pfSense VM and separate driver domains for the
network interfaces; Qubes isn't a router operating system...
There is no getting around the ME. On the coreboot list there is some talk
of nerfing the binary (thanks, Trammell Hudson!), but other than that
you're still supporting a company that makes insecure technology if you
buy their products.
Things you may want to look into ($5K is a great deal for the level of
juice this has):
https://www.crowdsupply.com/raptorcs/talos
x86/Wintel is only a small subsection of the computing world; you can
buy, for instance, an IBM OPOWER8 workstation or the Tyan Palmetto (also
OPOWER8). They have open source firmware and no ME-type stuff. OPOWER
has an IOMMU equivalent.
The newish and readily available blob-free x86 AMD boards are high
performance level (KGPE-D16). I don't know what your connection is like,
so if you want something lower power you could go with a coreboot board
with the features you want and simply not include the blobs (which could
mean no video, no fan control and no USB3, but none of those are needed
on a passively cooled router anyway, and you can install/control via serial).
There is the apu2 from PC Engines, which has no blobs (AFAIK, ask them),
although it doesn't have an IOMMU.
I find it ironic that you apparently value your privacy but you are
using Gmail: if you do not pay for a service, YOU are the product.
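Since the point above is that Qubes (and PCI passthrough to driver domains in general) needs a working IOMMU rather than any particular vendor branding, here is an added check script that is not part of the thread and not Qubes project code. It reports three independent signals: the ACPI table the firmware exposes (DMAR for VT-d, IVRS for AMD-Vi), whether bare-metal Linux has actually brought the IOMMU up (/sys/kernel/iommu_groups is populated), and whether Xen reports hvm_directio in the virt_caps line of `xl info`, which is the check that matters in Qubes dom0, where the hypervisor owns the IOMMU and the Linux groups directory stays empty. The sysfs root is a parameter only so the functions can be exercised against a constructed directory tree; the file names and the `xl info` line format are assumed from what those kernels and Xen print.

```shell
#!/bin/sh
# Added example (not from the thread): is the IOMMU actually usable, whatever
# the vendor calls it (VT-d / AMD-Vi)? ROOT defaults to /sys on a live box and
# is only a parameter so the checks can be run against a constructed tree.

# Firmware side: VT-d is advertised by the ACPI DMAR table, AMD-Vi by IVRS.
# Prints "DMAR", "IVRS" or "none". A table being present only means the
# firmware describes an IOMMU; it can still be disabled in the BIOS/coreboot
# config, so this is necessary but not sufficient.
acpi_iommu_table() {
    root=${1:-/sys}
    if [ -e "$root/firmware/acpi/tables/DMAR" ]; then
        echo DMAR
    elif [ -e "$root/firmware/acpi/tables/IVRS" ]; then
        echo IVRS
    else
        echo none
    fi
}

# Kernel side, bare-metal Linux only: the IOMMU is in use when the kernel
# has populated /sys/kernel/iommu_groups. Prints the number of groups
# (0 means no IOMMU, or the driver was not enabled). Under Xen dom0 this
# is expected to be 0 even on a good machine, because Xen owns the IOMMU.
iommu_group_count() {
    root=${1:-/sys}
    n=0
    for g in "$root"/kernel/iommu_groups/*; do
        [ -d "$g" ] && n=$((n + 1))
    done
    echo "$n"
}

# Xen side (Qubes dom0): `xl info` lists hvm_directio in virt_caps when the
# hypervisor has an IOMMU it can use for PCI passthrough. Reads the text of
# `xl info` on stdin; exit status 0 means passthrough-capable.
xen_has_directio() {
    grep -E '^virt_caps[[:space:]]*:.*hvm_directio' >/dev/null
}

# Human-readable summary for a live system.
report() {
    echo "ACPI IOMMU table : $(acpi_iommu_table /sys)"
    echo "Linux IOMMU groups: $(iommu_group_count /sys)"
    if command -v xl >/dev/null 2>&1; then
        if xl info 2>/dev/null | xen_has_directio; then
            echo "Xen hvm_directio  : yes (PCI passthrough to driver domains possible)"
        else
            echo "Xen hvm_directio  : no (Xen sees no usable IOMMU)"
        fi
    else
        echo "Xen hvm_directio  : n/a (no xl; not a Xen dom0)"
    fi
}

# Run the live report only when asked: sh iommu-check.sh --run
case "${1:-}" in
    --run) report ;;
esac
```

On a Qubes dom0 the interesting line is the last one; a machine whose firmware ships a DMAR/IVRS table but where Xen reports no hvm_directio usually has the IOMMU switched off in firmware, which is the same situation for passthrough as a board with no IOMMU at all.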
On 11/13/2016 03:39 PM, entr0py wrote:
[email protected]:
Ideally you would want a blob-free coreboot system with no Intel ME or AMD PSP
type backdoors.
https://www.coreboot.org/Binary_situation
Intel is actively trying to nerf free software with Boot Guard/ME; if you buy a
computer with those features, it isn't really your computer.
A backdoor in a modem is irrelevant; it is post-WAN and should be considered part of the
"internet".
Right, I've always followed the advice to secure each pc as if it were
connected directly to the internet and not to rely on the router for any
security.
But now I'm interested in actually building a secure router. One reason is what
you mentioned regarding Intel ME. Since Qubes 4.0 will require VT-d (and
unavoidably Intel ME) and the fact that it's cool to use new hardware, I'd like
to place a physical barrier to block ME signals.
I had always imagined repurposing a Qubes PC to serve as a router, especially
because of the flexibility it has with chaining and branching multiple
transparent proxy VMs. But obviously now, it doesn't make any sense to use an
ME equipped machine as a router.
So if I had a budget (for argument's sake) of $2000 to build a secure router
for 10-15 clients in a small business environment where maximum throughput is
not really an issue, what would you all advise? A libreboot machine? but then
what kind of OS could it run that could meaningfully isolate sys-net and
provide similar routing capabilities?
TIA.