On Mon, Jan 8, 2018 at 7:41 PM, Vít Šesták < [email protected]> wrote:
> > You could use POWER-KVM and have an assortment of VMs with shared
> > folders, you can replicate all the other stuff via various methods and
> > have a better security level, it simply wouldn't look as slick.
>
> Not sure about that. Qubes is not just a set of tools. It is also a set of
> careful choices of configuration (e.g., strictly using HVMs with stubdoms).
> I might be wrong, but I don't think you can get a comparable level of
> security easily. You would have to make similar choices and maybe even
> make new decisions that affect security.
>
> > Qubes isn't virtualization, it is simply a collection of tools that can
> > theoretically be compiled for POWER although currently the qubes VMM is
> > xen which isn't yet available for POWER (the xen devs are ignoring
> > requests to assist with porting efforts).
>
> It is not just the collection of tools.
>
> You are right that QubesOS can probably be ported to KVM. Even if this is
> a solution (not 100% convinced), it is not there yet. At best, TALOS 2
> might be some solution for the future, not something you can buy and use
> just now (for those purposes).
>
> > If T2 is successful (ie: enough people buy it) there are plans for a
> > POWER laptop.
>
> Cool.
>
> But at the moment, it does not make sense to me to buy a workstation I don't
> need and hope that some time later, they will release a laptop and someone
> else will port QubesOS for it. I could somewhat support efforts of porting
> QubesOS to POWER9, it makes more sense to me.
>
> > > * It is quite expensive for the needs of most people.
> > It fills the very high performance sector that previously had no libre
> > hardware, it isn't meant for those like you and me who would be
> > satisfied with the performance of one of the various libre firmware
> > available boards such as the KGPE-D16, KCMA-D8 ($300 MSRP) etc...
>
> You are right. It is rather a good special-purpose workstation.
>
> > No one ever found money or success trying to sell to the average yokel.
>
> I could argue that selling to the average yokel for a low price can bring
> both success and money, because there are plenty of yokels.
>
> I understand this is not for the masses on the same scale as Windows. This
> is not necessary for success. But I am also afraid this is not suitable even
> for 1 % of the Qubes user base. (Maybe it will be successful elsewhere, but
> it does not matter much in this discussion.)
>
> > That option simply removes the PCI device and the Option ROM menu, it
> > doesn't disable PSP - like ME it is integral to the x86-64 boot process
> > so it simply can't be disabled.
>
> OK, good to know.
>
> > > But it is still a matter of trust. Not having PSP/IME does not mean
> > > there cannot be any backdoor.
> > On an owner controlled system that has libre hardware, firmware and
> > software it is incredibly difficult to add a backdoor function, one
> > truly could trust their computer in that case.
>
> Not 100%. First, you cannot be 100% sure your CPU matches the design.
> Second, some backdoors can look like a regular vulnerability. Those are
> even worse. A good backdoor can be abused by few people, maybe it requires
> a digital signature. That's not good, but regular (pseudo-)vulnerabilities
> are even worse, because they can be abused by a much broader set of people.
>
> But I agree that having an open CPU design can be a good start.

Very interesting, it may happen that in a couple of years Qubes will be ported to it and I'll have to change my passwords. So it may be better to wait before buying a new laptop.

best
Fran
