On 03/25/2018 11:12 AM, thierry.laurion@gmail.com wrote:
> For the KGPE-D16, an integration effort was made in Heads to support such a board.
> https://github.com/osresearch/heads/issues/134
> - OpenBMC support merged into coreboot so the server can boot
> - Flashrom support to flash OpenBMC directly from within Heads
> - Flashrom support to reflash Heads internally
> - Multiboot support, QubesOS support
> Thanks, Timothy, for all the great work that was accomplished on that board in the past years.
> TPM2 integration is still missing, though. Don't hesitate to collaborate on Heads to integrate the VBOOT changes. 16Mb of SPI flash is more than enough to support it.
Talos II cannot actually fulfill most of the threat models that the KGPE-D16 can with Heads + QubesOS combined.
The TALOS 2 has libre firmware, POWER-KVM, POWER-IOMMU, and *it isn't a dead platform*; it is definitely worth a purchase. There isn't a POWER-qubes or a POWER-heads because no one has POWER computers, and because those don't exist and "you can just get *some x86 machine*", not many will buy one, and it will be the end of freedom computing...
The facts are that x86_64 is a dead platform and there will never again be another owner-controlled x86_64 device. People need to understand that and realize that things like Qubes for POWER are a catch-22 situation that will never be solved unless people have POWER machines and use them for their other virtualization needs until then.
Btw, what's better about TPM2 vs TPM1? (Is there anything useful? AFAIK the only difference is the addition of more Microsoft-sponsored, non-owner-controlled features that could potentially be used for DRM.) I always thought a useful TPM feature to prevent it from being used for DRM would be to have a fuse one can set to enable a "secure" mode; otherwise one is able to freely read back anything on the chip.