I've read that the Lenovo ThinkPad X200 or T60 with Libreboot is the safest system to run Qubes OS on. Is the Raptor Computing Systems Blackbird or Talos motherboard, with IBM POWER9, as good as the Libreboot ThinkPads? I think these motherboards run Libreboot too? They are extremely expensive; is it possible to justify the price other than that it might be more secure, but again you have to trust IBM instead of Intel, AMD or ARM? Am I right? At least it seems like it is possible to get a modern computer with no binary blobs.
GM45 (x200) and earlier CPU chipsets (t60) do not provide the security features needed for Qubes OS virtualization (VT-x) or isolation (VT-d second version).
I wrote a note here, which led to Sandy/Ivy bridge testing and my participation to Heads development after that moment: https://github.com/QubesOS/qubes-issues/issues/1594#issuecomment-209213917
Talos II is getting ported to coreboot by 3mdeb now under my sponsorship. No, there is no libreboot as of now on that platform, where that might change, since libreboot is basically a coreboot distribution without blobs. There would be no philosophical issue nor anything preventing libreboot from supporting that platform once it is merged under coreboot. Coreboot replaces Hostboot, where petitboot can be replaced by Heads. Once TPM support lands in coreboot (Talos II doesn’t have a functional physical TPM implementation) then Heads will be usable on that platform.
There is no Xen support for the Power architecture as of now, where the work has started from Timothy Pearson (RaptorEngineering) under bounty payment from the community enthusiasts. More funding will be needed to reach a point where Xen will be stable enough to be included into Qubes, and will require Qubes to package dom0 software and templates to support PPC64LE and create a new ISO as the final testable deliverable.
Once ISO is released, end users will be able to have Qubes over Talos/Blackbird, with or without coreboot+Heads.
Until then, nothing freer than Ivy bridge/Sandy bridge with coreboot natively initializing graphics, ram and platform is currently accessible, with ME being neutered. But then again, the EC controller is still closed source there. And as noted in other threads here, those Ivy/Sandy are not receiving any more support from Intel nor Lenovo, which means no more EC firmware updates nor microcode updates.
Newer platforms are of course existing, but those, even running coreboot, will come with FSP/Agesa and at best a deactivated ME/equivalent to come with microcode updates.
With the Meltdown/Spectre fiasco, Power was also vulnerable. Since they do not have this concept of microcode updates, CPU consumers had to change their CPUs to newer versions. Of course trust is needed on those. But again, with enough money here, nothing stops anyone from replacing IBM in that chain to produce a drop-in replacement for those CPUs, the ISA being completely open with documentation not needing an NDA to be read.
Hope this sheds some light on the state of user-controllable, ownable platforms and the security challenges we are facing today to have better tomorrows on those levels.
This update was probably a scam. Everyone had to buy new computers. You have to trust them since everything is closed source. How can I tell if the CPU is not slow due to this update? Can I prevent it from making this update?
What I meant to say here is that users/cloud providers had to buy new CPUs, since microcode updates are not a concept that exists on IBM’s Power CPUs.
- DD 2.3 is an updated revision of Nimbus, adding Ultravisor functionality, Hardware watchpoint support, and improved Meltdown and Spectre mitigations. DD 2.3 parts are sold by RCS as “POWER9 v2”.
Src: POWER9 - RCS Wiki
I’m not sure what you mean here.
Again, in that case, as in all precedent posts and other discussions in other posts and threads, I’m always uncomfortable with those reasonings.
Microcode updates are patching software that is to be run on die. If one trusts what is running on die, one should also trust signed code produced to patch known CPU issues post-manufacture. Otherwise the reasoning is to mistrust the CPU manufacturer? There are a bunch of microcode updates that were released to fix instabilities. Most of the updates are to fix those issues. Actually not applying those microcode updates is normally a big cause of experienced issues.
Qubes applies those by default. Coreboot downloads them and also includes them by default. Of course, users can opt out of those, but this is more a philosophical debate than anything else here, where we would love to have microcode updates if they were available.
Mitigations can most of the time be applied, and Xen and kernel developers do a great job applying what is possible there. But as a result, platforms are getting slower and slower, doing what they were doing before. Past years vulns resulted in massive drawbacks for older platforms. For Ivy particularly, that meant losing hyperthreading, CPU provided randomization extensions. Mitigations are slowing down processors, that is a known drawback.
I’m replying here simply to remind everyone of the debate at stake here for fully user controllable and ownable platforms and long term support and winning the fight against programmed obsolescence.
Microcode updates are not an enemy. The fact that those are not auditable is the problem. That they are signed solely by a single external entity that can decide to drop support is another problem. And that fixing issues found later on requires buying new silicon is another problem.
Software is everywhere. And no part should ideally be closed source, otherwise one day or another it will be obsolete. Not because the hardware doesn’t work anymore. But because mitigations will not be possible or be too costly in performance to actually be usable for certain use cases. It is always better to apply fixes at the source than to work around later on.
For XSA-404 we are not there yet on Ivy. But eventually, there might be a vulnerability which workaround/mitigation costs on conviviality and performance will be really high as compared to platforms benefiting from microcode updates. There will be losses of functionalities, just like before. We lost hyperthreading. We lost CPU supported randomization.
Unfortunately, those platforms won’t be usable forever with increasing mitigation costs, unless users opt out of added feature sets. Older platforms also means less maximum available memory. To opt in to sys-gui, sys-audio and other improvements, that will eventually mean users of actual platforms will need to lower the number of qubes they run in parallel. Agreed? Then on top of that, slower performances of the same CPU because disabled CPU extensions, and mitigations in software that lowers the actual speed of execution of the same processor. We are not there yet, but one day will come. Thinking of the x200/t90 today is like thinking of the x230 in 10 years from now. Some CPU extensions exist in newer CPUs that didn’t exist before. Some of them have vulns. The older platforms not having them are not impacted. But some older platforms lack features that are needed today that were not required yesterday.
The real question, really, is how will we unite to manufacture hardware that really fits our needs, without others defining those needs for us and pulling the plug when it’s convenient for them and inconvenient for us.
They are just fucking with us. They could have fixed all of it, but they don’t, because they can. They will just keep fucking us.
I read and read again, and I can’t find anything constructive leading to a possible plan for taking users’ power back.
Say again? What would you do if you were they?
Interesting post, how long do you think x230 will be able to remain a suitable/robust/reliable/secure choice to run Qubes on? 10 years? Less?
If not x230, then what? Purism? I read that many here do not like them. What is the best modern alternative to the x230 in terms of security and freedom?
I am indeed getting increasingly concerned about hardware, the future does not seem very promising.
Realistically, what could the qubes community do regarding hardware? I would be willing to help fund it but even if most of us in the community make an effort to fund such an endeavor with our paychecks, would it be enough? I have no idea how much something like that would cost.
Many questions I know, hope you do not mind.
Hard to tell @joaanaa. The more people tapping in the reserves of x230/t430/w530/t440p, the higher the prices and the lower the reserves… The pandemic made it hard to have proper sources as well. Refurbishing became cheaply made on once stable sources as well… everything got complicated on the supply chain level. At least this is my local Canadian story.
As for the secure part of the question, I already replied indirectly and more specifically on XSA-404 that hit us recently. That will depend on workarounds that can be applied, and what kind of vulnerabilities will be found that can be mitigated without microcode updates. I would say again 10 years, but do not quote me on that. We all do not know on that. What we all know is that we need something better, though. And I’m not talking about another x86 here. We needed to build something else years ago. But that is hard.
Last time I checked, creating a Power based laptop (with a custom CPU based on OpenPower ISA) would have cost 1M USD.
That again, goes with the endeavor of already, or in parallel, having full Xen support on Power… to have Qubes support on it. That work has started, funded by community members (thanks again @Rudd-O @rspigler) and can be followed here: https://github.com/QubesOS/qubes-issues/issues/4318. I have pushed for this for years, and now slow steps are happening. This is rejoicing. But that needs to continue.
And yet again, open source firmware doesn’t mean auditable (reading hostboot, skiboot, skiroot and other parts of OpenPower made firmware shows this, and documentation produced by 3mdeb while porting Power9 to coreboot is a real gem on that level). The port of coreboot on Power9 (Talos II) is still ongoing (Thanks to 3mdeb for the work and my past sweat (and blood?) for funding it), with a lot of unexpected problems along this crazy journey. The latest being the realization that Talos II doesn’t have a fully functional TPM connector… Who would have known. So no fully functional Heads as of today, but that will change soon enough.
Progress happening under Dasharo. Testers needed here for current Talos II owners: https://github.com/osresearch/heads/issues/1018 and progress can be followed from the documentation section here that points to their code repositories: Building manual - Dasharo Universe. Also conferences here: Conference materials - Dasharo Universe. And yes, you do not even need to flash your Talos II to test it: Installation manual - Dasharo Universe. Isn’t it totally amazing? No risk of bricking whatsoever. That is the power of open firmware and open hardware: not being locked down to anything. But that means community needs to make alternatives, right?
As said above in previous posts, if we do not make a political move as a community to make that happen, I’m really not sure how we will get away from X86, ARM licenses for implementation (Core accelerated AES instruction set costing 1M in royalties, what? Even if RPI5 will allegedly have 16GB of ram (criticism for X230 being that it’s not enough on Qubes…), and that a Xen port exists for RPI4… That is not a good target either, no IOMMU as of now) and Risc-V is simply not a good candidate to create powerful machines. Again, OpenPower is the best candidate we have now being an Open ISA, open documentation (again, Thanks to 3mdeb for their amazing low level documentations produced in the coreboot port: https://github.com/3mdeb/openpower-coreboot-docs/).
Anybody being able to assemble a team with proper expertise and money, organizing things properly could create the CPU (bypassing IBM) and create real Open Hardware and defeat proprietary market in the long run…
It’s kind of a time to stop waiting for it to happen magically and invest in the world we all want to live in. I’m personally waiting for others to jump also in that ship and collaborate the same way I did in the past years, without receiving enough support to make it happen together now. But maybe the time was not right but it’s becoming now?
The question here again, is how to organize to make this happen quickly, sustainably and for good. Otherwise we should all remember OpenMoko/Neo73, One laptop per Child and PhoneBloks and other really nice projects/ideas that were too good for their times, were bought/corrupted/put back on the shelves and did not thrive.
We do not want to make the same errors this time, do we? Who can pilot this? I don’t know. But I would gladly be part of that team, though.
Thank you for your detailed reply, it is at times like this that I wish I was rich so I could contribute with more than small donations. Regardless, if someone is willing to lead the charge to fund/make all this happen I will be sure to contribute in a small way, hopefully if many contribute in a small way it will have an effect big enough to get us to where we want to be. After all, an ocean is also a collection of small drops of water.
Also thanks for bringing awareness to questions like this, it is extremely important that more people in the community become informed of this.
That is exactly the point.
If those stats are right, and Qubes OS community base is really 40 000 users, that would mean each user would have to pitch 25$USD to get to that 1M I’m talking about.
Is the community ready to pitch that in? Who has experience in crowdfunding? Who can pilot this? Those are the unknowns that need to be filled in.
Now imagine where we could be if everyone pledged 50$USD. We would have Xen, Qubes and advanced security measures on the laptop, at launch! Imagine if that effort was backed up by organizations needing better UX, journalism organizations. To me the steps are clear; and start by making OpenPower CPUs and motherboards fitting that socket type, being real Open Hardware. Then happy joy joy to whoever improves that open design, and collaboration into making things better for everyone. But that needs to happen first to get out of the status quo we accepted for way too long already.
This could be the power of Qubes community. But how to make that happen… That is unfortunately not my realm. @michael (Carbone?) ? @adw? How to make this happen? Like… Really? Bounties don’t really work, even if they do.
I would give those 50 dollars right away and know several other qubes users who would as well. Maybe we could get some funding from organizations like OSTIF and OTF as well?
Actually just remembered that I know a guy that works for an organization that relies on qubes os for their security, I feel confident that they would contribute. I just do not know how to pitch it in a way that will convey the importance of what we are trying to achieve, it can not be something too technical. They are not a tech company or anything.
This will make sense only if the other 39999 Qubes users would chip in.
This is the real problem: to get the 39999 actual Qubes users and others to agree they need tech that does not yet exist…
Is it realistic to reduce the power consumption of the POWER9 CPU by 50% or more and only spend $1M on development/test and have it ready for production?
No one else is going to use that CPU, it’s going to be a custom ASIC with a very limited production run, what is the unit cost going to be?
Are we talking a first revision +$5000 laptop with a custom CPU?
And this is not even touching the software issues.
Sounds a lot like you are asking 40000 people to spend $50 to crowdsource a laptop that they need to spend a lot more to beta test.
People don’t invest without getting a return. You can’t invest in an open source project because then everything is free and there is nothing to sell. Asking for donations to support such a project sounds like a scam.
For the moment, I’m not asking anything other than how to make this happen, pointing to Qubes user base as being the target for such platform. I’m not either a finance person, have zero crowdfunding knowledge, and not a silicon person nor hardware maker myself. This is why I’m saying that this will need collaboration to even have the numbers you are asking for.
Power9 CPU is targeted at servers, and used in workstations. Doing a CPU for laptop/mobiles will definitely be a custom design. The point here is: would there be interest? Enough for let’s say Raptor to dig into those, and come out with something more precise to get some funding without having to cover all the design and engineering from their own profits, and/or launch a crowdfunding effort (let’s remember that Talos I crowdfunding didn’t fly and failed).
No clue, but that CPU could be used in other open source hardware designs. It all depends on what is desired there. I’m pretty sure the idea there would be to have a CPU to be sold on other SOC and platforms, not only one motherboard otherwise the cost would be too high. There is no such thing as doing limited productions of CPUs… That would be suicidal investment. This is probably why nobody is doing it.
I have no idea how to make this work. What I know is that 3BTC were offered by community members that wanted to see Qubes supported on PPC64LE, referred in past post. That Xen port is now happening. But slowly (inflation, recession, some of those funds having gone to KVM port which was easier than doing a whole Xen port for unsupported architecture).
I know that I was crazy enough to fund the first coreboot port for Power9 on Talos II Talos Lite.
My question here is who is next doing crazy moves to have the future we want to have? Or is everyone else just magically waiting for others to do the work?
Exactly the problem and reasoning for why we are still stuck in a nearly exclusive x86 world for global market computing. You pay a higher price, but in more hidden ways right now, in terms of freedom and user controllable ways. With more and more locking of platforms and security mechanisms. Donating/reinvesting to Xen port, Qubes port requires a really long term vision as of now, agreed. Investing into alternative OpenPower CPU would permit some return on investment if the intention after that is to create platforms and sell them. Again long term. Investing in coreboot port means having additional services/customizations offer in mind based on open source. We do not consider firmware as an investment as of now because we think of coreboot and seabios/grub payloads. But Dasharo is slowly changing that. Having prime services, prime support, a say in the development of features. Firmware as a service.
An example here could be to have, directly in firmware, the possibility to restore your Qubes installation from a remote SSH server, on the condition that your public key is recognized by that server. So here, a service offered directly from the pre-boot environment. The end-user dream of having trustable and revertible states could be offered as a service. Deploying new templates, like Windows. Deploying templates oriented to specific use cases, like redaction, communication. Without any contradiction with the idea of open source. But paying for services and support, added value. See?
Coreboot may be free, but cannot magically natively initialize hardware anymore without depending on FSP blobs. Coreboot is more like a shimboot now, basically using FSP to do most of the hardware init, and does some glue to be able to tune what it can prior to passing control to payloads. There is not much open sourceness there anymore. Same applies to Agesa for AMD, PSP/CSME(ME) to pass control to main CPU etc.
Those are the current costs, which is the actual scam. But that is a perspective game. Why are there only old 2012-2013 platforms certified right now? Because those are the last platforms coreboot natively initializes. You go one generation further on x86 with Haswell (t440p) and you need MRC blob to init ram. And if we had native initialization of that ram, we could have 32gb of ram on that board. With TXT, and also SRTM (meaning that ACM blobs could be used at user’s advantage to use the main CPU instruction to measure the bootblock and have a real Root of Trust into hardware, without having Intel’s FSP blobs).
Each and every single platform after that requires FSP, MRC blobs, CSME (ME blobs) and more and more are added in flash, or hidden on additional flash chips on the motherboard. This is the scam that is actually happening since 2008 with the addition of another non-user controller CPU in our machines, controlling the main CPU. And things are just going faster and faster. Ivy bridge (2012) is the last platform not needing blobs to initialize the platform from a coreboot perspective. Ivy is the last platform permitting to neuter ME, removing its kernel and syslibs in flash. After that generation of platform, Intel understood and decided to put more modules under signature check, adding kernel and syslibs into the ME (now CSME) flash (ME descriptor region under flash).
On the other hand, Power9 doesn’t require any of those. Talos (Raptor) reversed all the blobs and upstreamed open versions, including the ASpeed BMC. But the problem there is that only IBM is producing the processors. Power10 requires blobs on memory controller. They, as everybody else, took a turn to decide for us what is best for us. Let it be an economy-based direction (pandemic hit us all) to survive or whatever other reason (they also had a legal fiasco with their foundry for CPU production as well for Power10) it seems that they needed to reduce costs for production. And unfortunately, decided to use patent/blob based components for the moment to produce their next gen (Power 10). I’m not the most knowledgeable in the area, and learning my way testing coreboot on my Talos II to attempt to push things farther there.
But as I said before, nobody here (Qubes community) will get interested to buy a Talos II if Qubes cannot run on it? And like I said earlier as well, the path to have Qubes running on Talos II (Power whatever version) requires Xen to have Qubes supported, and tested… This is a long run before user consumable product. Who funds this?
People that want to have this happen. The more people who will want to see this happen, the more chances it has to happen. And again, other than understanding what is missing to have this happen and doing what I can to make it happen, I do not know how to make this happen faster. And writing those lines to see who wants this to happen, and how. Outside of just passively waiting for someone else to make it happen. I have invested a lot personally in this journey, without a clear view of how to make it economically viable. Because it needs to happen. In the hope that the community would jump in. I’m still waiting for the community to jump in.
And this post is about two platforms, right? Two platforms without FSP, without ME, user controllable. But the funny part of this is that both those platforms won’t have Qubes OS fly. X200 is too old. Its virtualization extension (vtx) requires microcode updates (so no libreboot here, because politics) and doesn’t provide vt-d2 nor interrupt remapping, while Raptor Talos II (Power 9) doesn’t have Xen support, because Xen dropped support (politics, economics) on PowerPC a while back because KVM had a bigger ecosystem and bigger community (if I recall well). But here, KVM is not really desired for Qubes (not the subject).
So again. How would you resolve this chicken egg problem? Every manufacturer will go into designing boards that have the most userbase (x86, AMD/Intel), paying royalties to pay for chipsets already existing and buy already existing matching CPUs to sell at the lowest cost possible. But we know, in accelerating pace since 2008 that this path is locking the platforms we use more and more, and once we open the can of worms of what blobs we depend on, every security cautious person will be worried on what we currently depend on for computing. We compartmentalize, yes, and decide to live in denial about the components in each of our computers that have access to all RAM, accept SMM existence on x86 etc, just because we lack other, better choices. But when it’s time to talk about what it would take to create such better alternatives, people expect some other rich person to pay for all the R&D, testing and manufacturing prior to having a return on investment. Do you realize that this limits the possibility of creating such alternatives only by the present rich companies? Investing for years to have a coreboot port on Power without having it yet released because not enough tested is not providing any return on investment, and I am no billionaire here. I’m just doing my best. And I expect others to do the same to see alternatives happening in the future. Otherwise, they won’t happen. Cost of alternative platforms will not become cheap and accessible. They will stay niche.
Do we all understand the mechanics at play here?
If the Raptor hardware is any indication of the price, there is no chance of POWER9 being the future, it’s simply too expensive for the vast majority of users. Even if you could buy a $2000 system, it would still be too expensive for many.
Everything, hardware and software, has to be open source and documented so that the average user can understand it. I think it is a huge market if people can learn about the flaws, but it is not talked about anywhere. If you make it open source and you sell it, the business would have to not make money at all and there would be nothing left for further development.
What is the stuff he, “Level1Techs”, is talking about in this YouTube video "Forget x86; OpenPower is it! Talos II Secure Workstation!" at min 2:20? “Remote management platform”, is that something different from management engine? I feel like I have a wireless remote management platform talking to skynet or other wifi even when I’m disconnected from the internet, ethernet cable unplugged.
It actually is a management engine. While Open Source. It is actually OpenBMC. Talos II is the first Power based platform to be used as a workstation. Normally, Power are more for the server ecosystem.
Just like ME, the BMC is powered on when your computer is off. It replaces some roles of a laptop Embedded Controller(EC) for fans and monitoring as well. It also provides a basic 2d framebuffer (a graphical card, routed to the vga connector). But in this case, you have total control over it here as opposed to ME.
In an industry first, Talos™ II ships with fully open and auditable BMC firmware, based on the Open BMC project. Gone are the days when you had to carefully isolate the buggy, insecure BMC port from threats at the firewall level. With Talos™ II, the BMC is just another Linux system that can be maintained as part of normal workflow. Find a bug or vulnerability? No problem; just patch, recompile, and install.
Just like with Heads server board config for the kgpe-d16, you can connect remotely to BMC, and from BMC to a console on your operating system. You can boot, reboot, halt, flash firmware, see performance of your machine…
On the Talos II it goes even further; you can test new firmware without even flashing it: Installation manual - Dasharo Universe
That is basically what the Talos II is, actually. And they are doing further development, infirming precedent point here.
Their boards come with schematics and deployed source code. OpenPower provides Open ISA, open docs, their hostboot firmware is open source as well, while not easy to audit and customize.
The coreboot port goes further with its documentation : https://github.com/3mdeb/openpower-coreboot-docs
Talos II/Talos Lite are the last RYF certified hardware: Talos II Mainboard and Talos II Lite Mainboard now FSF-certified to Respect Your Freedom — Free Software Foundation — Working together for free software
And continues in their R&D to create open source hardware as well…
It is not an open source hardware licensed as such, but nobody is really stopped from creating another board here.
That is the hardest. And honestly, if we see Qubes documentation, the fact that it is so good and getting better is because of the community driven pull requests over it. Documentation directed at users, in this case, would be the Talos II user guide?
So, what would be more secure as a home system. libreboot/osboot laptop with ME neutered (or a motherboard with ME disabled using a non intel NIC) or a raptor power9 (such as blackbird)
specifically against government actors, not so much rogue blackhats.