[coreboot] RISC-V HiFive Unleashed board added to coreboot - has PCI-e slots via exp board

Shawn citypw at gmail.com
Tue Jun 26 06:24:11 CEST 2018


On Tue, Jun 26, 2018 at 12:01 AM, Nico Huber <nico.h at gmx.de> wrote:
> On 25.06.2018 09:55, Shawn wrote:
>> Hi Ron,
>> On Sun, Jun 24, 2018 at 12:55 AM, ron minnich <rminnich at gmail.com> wrote:
>>> On Wed, Jun 20, 2018 at 11:03 PM Taiidan at gmx.com <Taiidan at gmx.com> wrote:
>>>> What's the deal with SMM? What a shame they thought to add it.
>>>
>>> It's a huge disappointment. I made some effort a few years ago to try to
>>> convince folks this was a bad idea and failed.
>>>
>>>  I'm no longer as optimistic as I was about RISC-V. There seems to be a real
>>> push to be "just like x86".
>>
>> IIRC, Machine mode in RISC-V just looks similar to SMM in x86.
>> But it can do more than what SMM does. It helps enclave-based
>> solutions. I'm looking forward to seeing the open solutions, e.g. Sanctum,
>> Keystone, etc., land in production environments.
>
> IMO, putting enclaves on the same silicon as the code you want to
> protect them from is a failed concept. And more, it's bullshit, it
> means two separate entities have to own the same physical chip. And
> SGX proves that it doesn't work (they can't protect the OS from being
> spied upon from the enclave (see Spectre), how can they ever hope to
> protect the enclave from the much more powerful OS?).
>
SGX gets rid of the major attack surfaces, but a few are left
(unfortunately, side channels are one of them). Speaking of "two separate
entities have to own the same physical chip", yes and no, IIRC SGX
relies heavily on some ME code modules (EPID?) which are supposed to be
running in another chip. IMHO, SGX's problem is that it's not an
open solution and it can't be audited properly. It doesn't mean we
(RISC-V?) can't learn anything from it.

> IMHO, not RISC-V but the whole industry is at least 20 years away from
> getting that going (software separation in one piece of silicon, without
> help from the software).
>
> So, no, no marketing false-security tech* that doesn't provide what it
> promises can justify polluting an architecture like RISC-V.
>
> Nico
>
> * I know there is a lot of honest research around enclaves, but they
>   all seem to ignore the reality of today's processors.
>
Well, diff ppl have different requirements. The current status of
enclaves is not as good as expected. It may or may not improve in the
future.



-- 
GNU powered it...
GPL protect it...
God blessing it...

regards
Shawn


