VT-d is Intel's marketing term for IOMMU; you can buy an AMD system that has an IOMMU (AMD-Vi) (but not FM2/AM4, as those have the PSP). Qubes needs an IOMMU, not "VT-d".

You can use a VMM with a pfSense VM and separate driver domains for the network interfaces; Qubes isn't a router operating system...

There is no getting around ME. On the coreboot list there is some talk of nerfing the binary (thanks Trammell Hudson!), but other than that you're still supporting a company that makes insecure technology if you buy their products.

Things you may want to look into (5K is a great deal for the level of juice this has):
https://www.crowdsupply.com/raptorcs/talos

x86/Wintel is only a small subsection of the computing world. You can buy, for instance, an IBM OPOWER8 workstation or the Tyan Palmetto (also OPOWER8); they have open source firmware and no ME-type stuff, and OPOWER has an IOMMU equivalent.

The newish and readily available blob-free x86 AMD boards are high-performance level (KGPE-D16). I don't know what your connection is like, so if you want something lower power you could go with a coreboot board with the features you want and simply not include the blobs (which could mean no video, no fan control and no USB3, but none of those are needed on a passively cooled router anyway, and you can install/control via serial).

There is the apu2 from PC Engines, which has no blobs (AFAIK, ask them), although it doesn't have an IOMMU.


I find it ironic that you apparently value your privacy but you are using Gmail; if you do not pay for a service, YOU are the product.
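
Added example (not code from this thread or from the Qubes project): a small POSIX shell helper that reports which IOMMU, if any, the platform exposes, since what Qubes actually needs is the IOMMU itself, whether it is branded VT-d (Intel, DMAR) or AMD-Vi. The sample log lines are constructed, modelled on the kernel and Xen driver messages, not captured from a particular machine.

```shell
#!/bin/sh
# Classify a kernel or Xen log ($1) by the IOMMU driver messages it contains.
# Prints one of: intel-vt-d | amd-vi | none
classify_iommu() {
    if printf '%s\n' "$1" | grep -qE 'DMAR: IOMMU enabled|Intel VT-d iommu'; then
        echo intel-vt-d
    elif printf '%s\n' "$1" | grep -qE 'AMD-Vi: (Found IOMMU|IOMMU [0-9]+ Enabled)'; then
        echo amd-vi
    else
        echo none
    fi
}

# Live check. On a plain Linux host the messages are in dmesg; inside Xen dom0
# (as in Qubes) the hypervisor owns the IOMMU, so they appear in `xl dmesg`.
live_iommu_status() {
    if command -v xl >/dev/null 2>&1; then
        classify_iommu "$(xl dmesg 2>/dev/null)"
    else
        classify_iommu "$(dmesg 2>/dev/null)"
    fi
}

# Constructed sample logs (assumed, modelled on the real driver messages) so the
# classifier can be exercised offline on both vendors and on a Xen-style log.
SAMPLE_INTEL='[    0.012345] DMAR: IOMMU enabled
[    0.012400] DMAR: Host address width 39'
SAMPLE_AMD='[    0.456789] AMD-Vi: Found IOMMU at 0000:00:00.2 cap 0x40
[    0.456900] AMD-Vi: Interrupt remapping enabled'
SAMPLE_XEN_AMD='(XEN) AMD-Vi: IOMMU 0 Enabled.
(XEN) I/O virtualisation enabled'
SAMPLE_NONE='[    0.000000] Linux version 4.8.0 (constructed sample, no IOMMU lines)'

# Run with --live to inspect the machine this script is executed on.
if [ "${1:-}" = "--live" ]; then
    live_iommu_status
fi
```

An apu2-class board without an IOMMU reports `none` here even though it runs the same kernel, which is exactly the case the reply above warns about.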
On 11/13/2016 03:39 PM, entr0py wrote:
taii...@gmx.com:
Ideally you would want a blob free coreboot system with no Intel ME or AMD PSP 
type backdoors.
https://www.coreboot.org/Binary_situation
Intel is actively trying to nerf free software with Boot Guard/ME, if you buy a 
computer with those features it isn't really your computer.

A backdoor in a modem is irrelevant, it is post WAN and should be considered part of the 
"internet".

Right, I've always followed the advice to secure each pc as if it were 
connected directly to the internet and not to rely on the router for any 
security.

But now I'm interested in actually building a secure router. One reason is what 
you mentioned regarding Intel ME. Since Qubes 4.0 will require VT-d (and 
unavoidably Intel ME) and the fact that it's cool to use new hardware, I'd like 
to place a physical barrier to block ME signals.

I had always imagined repurposing a Qubes PC to serve as a router, especially 
because of the flexibility it has with chaining and branching multiple 
transparent proxy VMs. But obviously now, it doesn't make any sense to use an 
ME equipped machine as a router.

So if I had a budget (for argument's sake) of $2000 to build a secure router 
for 10-15 clients in a small business environment where maximum throughput is 
not really an issue, what would you all advise? A libreboot machine? but then 
what kind of OS could it run that could meaningfully isolate sys-net and 
provide similar routing capabilities?

TIA.

