> You could use POWER-KVM and have an assortment of VM's with shared 
> folders, you can replicate all the other stuff via various methods and 
> have a better security level it simply wouldn't look as slick.

Not sure about that. Qubes is not just set of tools. It is also a set of 
careful choices of configuration (e.g., strictly using HVMs with stubdoms). I 
might be wrong, but I don't think you can get a comparable level of security 
easily. You would have to take similar choices and maybe even to make a new 
decisions that affect security.

> Qubes isn't virtualization, it is simply a collection of tools that can 
> theoretically be compiled for POWER although currently the qubes VMM is 
> xen which isn't yet available for POWER (the xen devs are ignoring 
> requests to assist with porting efforts).

It is not just the collection of tools.

You are right that QubesOS can be probably ported to KVM. Even if this is a 
solution (not 100% convinced), it is not there yet. At best, TALOS 2 might be 
some solution for future, not something you can buy and use just now (for those 
purposes).

> If T2 is successful (ie: enough people buy it) there are plans for a 
> POWER laptop.

Cool.

But at the moment, it does not make me sense to buy a workstation I don't need 
and hope that some time later, they will release a laptop and someone else will 
port QubesOS for it. I could somewhat support efforts of porting QubesOS to 
POWER9, it makes me more sense.

> > * It is quite expensive for needs of most people.
> It fills the very high performance sector that previously had no libre 
> hardware, it isn't meant for those like you and me who would be 
> satisfied with the performance of one of the various libre firmware 
> available boards such as the KGPE-D16, KCMA-D8 ($300 MSRP) etc...

You are right. It is rather a good special-purpose workstation.

> No one ever found money or success trying to sell to the average yokel.

I could argue that selling to average yokel for low price can bring both 
success and money, because there are plenty of yokels.

I understand this is not for masses in the same scale as Windows. This is not 
necessary for success. But I am also afraid this is not suitable even for 1 % 
of Qubes user base. (Maybe it will be successful elsewhere, but it does not 
matter much in this discussion.)

> That option simply removes the PCI device and the Option ROM menu, it 
> doesn't disable PSP - like ME it is integral to the x86-64 boot process 
> so it simply can't be disabled.

OK, good to know.

> > But it is still matter of trust. Not having PSP/IME does not mean there 
> > cannot be any backdoor.
> On an owner controlled system that has libre hardware, firmware and 
> software it is incredibly difficult to add a backdoor function, one 
> truly could trust their computer in that case.

Not 100%. First, you cannot be 100% sure your CPU matches the design. Second, 
some backdoors can look like a regular vulnerability. Those are even worse. 
Good backdoor can be abused by few people, maybe it requires digital signature. 
That's not good, but regular (pseudo-)vulnerabilities are even worse, because 
they can be abused by much broader set of people.

But I agree that having open CPU design can be a good start.

Regards,
Vít Šesták 'v6ak'

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/89dc0d5d-6997-4aa5-a107-fe447c15ac02%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to