On Mon, Jan 8, 2018 at 7:41 PM, Vít Šesták <
[email protected]> wrote:

> > You could use POWER-KVM and have an assortment of VMs with shared
> > folders; you can replicate all the other stuff via various methods and
> > have a better security level. It simply wouldn't look as slick.
>
> Not sure about that. Qubes is not just a set of tools. It is also a set of
> careful choices of configuration (e.g., strictly using HVMs with stubdoms).
> I might be wrong, but I don't think you can get a comparable level of
> security easily. You would have to make similar choices and maybe even
> make new decisions that affect security.
>
> > Qubes isn't virtualization, it is simply a collection of tools that can
> > theoretically be compiled for POWER although currently the qubes VMM is
> > xen which isn't yet available for POWER (the xen devs are ignoring
> > requests to assist with porting efforts).
>
> It is not just the collection of tools.
>
> You are right that QubesOS can probably be ported to KVM. Even if this is
> a solution (not 100% convinced), it is not there yet. At best, TALOS 2
> might be some solution for the future, not something you can buy and use
> just now (for those purposes).
>
> > If T2 is successful (ie: enough people buy it) there are plans for a
> > POWER laptop.
>
> Cool.
>
> But at the moment, it does not make sense to me to buy a workstation I
> don't need and hope that some time later, they will release a laptop and
> someone else will port QubesOS for it. I could somewhat support efforts of
> porting QubesOS to POWER9; that makes more sense to me.
>
> > > * It is quite expensive for needs of most people.
> > It fills the very high performance sector that previously had no libre
> > hardware, it isn't meant for those like you and me who would be
> > satisfied with the performance of one of the various libre firmware
> > available boards such as the KGPE-D16, KCMA-D8 ($300 MSRP) etc...
>
> You are right. It is rather a good special-purpose workstation.
>
> > No one ever found money or success trying to sell to the average yokel.
>
> I could argue that selling to the average yokel for a low price can bring
> both success and money, because there are plenty of yokels.
>
> I understand this is not for masses in the same scale as Windows. This is
> not necessary for success. But I am also afraid this is not suitable even
> for 1 % of Qubes user base. (Maybe it will be successful elsewhere, but it
> does not matter much in this discussion.)
>
> > That option simply removes the PCI device and the Option ROM menu, it
> > doesn't disable PSP - like ME it is integral to the x86-64 boot process
> > so it simply can't be disabled.
>
> OK, good to know.
>
> > > But it is still a matter of trust. Not having PSP/IME does not mean
> > > there cannot be any backdoor.
> > On an owner controlled system that has libre hardware, firmware and
> > software it is incredibly difficult to add a backdoor function, one
> > truly could trust their computer in that case.
>
> Not 100%. First, you cannot be 100% sure your CPU matches the design.
> Second, some backdoors can look like a regular vulnerability. Those are
> even worse. A good backdoor can be abused by a few people; maybe it requires
> a digital signature. That's not good, but regular (pseudo-)vulnerabilities
> are even worse, because they can be abused by a much broader set of people.
>
> But I agree that having an open CPU design can be a good start.
>
>
Very interesting. It may happen that in a couple of years Qubes will be
ported to it and I'll have to change my passwords. So it may be better to
wait before buying a new laptop.
best
Fran

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAPzH-qCDO%2BF-BVN12ABFLWiYy4BaDAGO9HqRSAQnnLJiEskjAA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
