Le dim. 25 mars 2018 14:08, Taiidan(a)gmx.com <Taiidan(a)gmx.com> a écrit :
On 03/25/2018 11:12 AM, thierry.laurion(a)gmail.com
For the KGPE-D16, an integration effort was made
in Heads to support
* OpenBMC support merged into coreboot so the server can boot
* Flashrom support to flash OpenBMC directly from within Heads
* Flashrom support to reflash Heads internally
* Multiboot support, QubesOS support
Thanks Timothy for all the great work that was accomplished on that
board in the past years.
TPM2 integration is still missing though. Don't hesitate to collaborate
onto heads to integrate VBOOT changes. 16Mb of SPI flash is more then
enough to support it.
Talos II cannot actually fulfill most of the threat models that the
KGPE-D16 can with Heads + QubesOS combined.
The TALOS 2 has libre firmware,
POWER-KVM, POWER-IOMMU and *it isn't a
dead platform* - it is definitely worth a purchase.
There isn't a POWER-qubes or a POWER-heads because no one has POWER
computers and because there aren't those and "you can just get a *some
x86 machine*" then not many will buy one and it will be the end of
The facts are that x86_64 is a dead platform and there
will never again
be another owner controlled x86_64 device. - people need to understand
True. Reluctance to change is another terrain reality though.
and realize that things like qubes for POWER is a
situation that will never be solved unless people have POWER machines
and use them for their other virtualization needs until then.
That's a geeky path and unfortunately not accessible for a lot of use cases
and threat models. Even Qubes is still geeky for the masses. Getting easier
to use, true. But teaching to whom needs it the most is already a big
challenge in itself.
What I mean here is that cooperation should be the path taken. The
virtualization abstraction layer in Qubes is there, thanks to libvirt.
Helper scripts are missing though. If there is a response from early
programmers adopters out there, willing to contribute to Qubes (Timothy's
friends and partners?) that could really ease adoption. People want it.
There is a need to have an alternative to x86, i think everyone
knowledgeable agrees to that. The thing is to easy that move. Xen won't do
thee move until pushed a little. KVM could be used for HVM in Qubes. I'm
pretty sure that if a couple of Talos II were borrowed to Qubes enhousiast
developers, the helper scripts would be written pretty quickly.
Meanwhile, I'll encourage willing customers who desires private cloud
solutions in their organization to buy Talos II. But it won't fulfill the
threat models of others until easier compartmentalization is available.
Btw whats better about TPM2 vs TPM1? (Is there anything useful? AFAIK
the only difference is the addition of more microsoft sponsored
non-owner controlled features that could be potentially used for DRM)
Mostly true. But TPM2 comes now in all recent hardware for different
sockets and can be used for measured boot/trusted boot. Its support got
included in Grub and vboot. Linux kernel integrated a scheduler recently to
properly deal with concurrent requests.
Watch this talk.
KGPE-D16 has a 19 pin header. I'm not aware of any TPMv1 that fits that
connector. Is there any? For measured boot and user ownability of hardware,
there is no specific need for TPMv2 but largest and stronger algorithms
including curves. Other then that, it was just pushed by DRM needs, I
I always thought a useful TPM feature to prevent it from being used for
DRM is to have a fuse one can set to enable a
"secure" mode otherwise
one is able to freely read back anything on the chip.
Can be used two times. Once in the BIOS and then reused in the OS for other
means. No, the secrets kept in there are useful for a lot of uses from a
user perspective. You should watch the talk linked above.