> You could use POWER-KVM and have an assortment of VM's with shared > folders, you can replicate all the other stuff via various methods and > have a better security level it simply wouldn't look as slick.
Not sure about that. Qubes is not just set of tools. It is also a set of careful choices of configuration (e.g., strictly using HVMs with stubdoms). I might be wrong, but I don't think you can get a comparable level of security easily. You would have to take similar choices and maybe even to make a new decisions that affect security. > Qubes isn't virtualization, it is simply a collection of tools that can > theoretically be compiled for POWER although currently the qubes VMM is > xen which isn't yet available for POWER (the xen devs are ignoring > requests to assist with porting efforts). It is not just the collection of tools. You are right that QubesOS can be probably ported to KVM. Even if this is a solution (not 100% convinced), it is not there yet. At best, TALOS 2 might be some solution for future, not something you can buy and use just now (for those purposes). > If T2 is successful (ie: enough people buy it) there are plans for a > POWER laptop. Cool. But at the moment, it does not make me sense to buy a workstation I don't need and hope that some time later, they will release a laptop and someone else will port QubesOS for it. I could somewhat support efforts of porting QubesOS to POWER9, it makes me more sense. > > * It is quite expensive for needs of most people. > It fills the very high performance sector that previously had no libre > hardware, it isn't meant for those like you and me who would be > satisfied with the performance of one of the various libre firmware > available boards such as the KGPE-D16, KCMA-D8 ($300 MSRP) etc... You are right. It is rather a good special-purpose workstation. > No one ever found money or success trying to sell to the average yokel. I could argue that selling to average yokel for low price can bring both success and money, because there are plenty of yokels. I understand this is not for masses in the same scale as Windows. This is not necessary for success. But I am also afraid this is not suitable even for 1 % of Qubes user base. (Maybe it will be successful elsewhere, but it does not matter much in this discussion.) > That option simply removes the PCI device and the Option ROM menu, it > doesn't disable PSP - like ME it is integral to the x86-64 boot process > so it simply can't be disabled. OK, good to know. > > But it is still matter of trust. Not having PSP/IME does not mean there > > cannot be any backdoor. > On an owner controlled system that has libre hardware, firmware and > software it is incredibly difficult to add a backdoor function, one > truly could trust their computer in that case. Not 100%. First, you cannot be 100% sure your CPU matches the design. Second, some backdoors can look like a regular vulnerability. Those are even worse. Good backdoor can be abused by few people, maybe it requires digital signature. That's not good, but regular (pseudo-)vulnerabilities are even worse, because they can be abused by much broader set of people. But I agree that having open CPU design can be a good start. Regards, Vít Šesták 'v6ak' -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/89dc0d5d-6997-4aa5-a107-fe447c15ac02%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
