I read in another thread that this can cause issues and should be avoided. Is that still correct?
Is "Intel vPro" a real no-go or can Qubes still work with it?
Or can having vPro support even have positive effects?
Thanks for your advice.
Marek
Wow, thank you very much for your in-depth reply!
I never really considered buying a server mainboard yet.
Until now, I had planned to buy an Asrock Q170M vPro mainboard + Intel i7-7700 CPU.
I did quite a bit of research on Intel chipsets and Intel CPUs and only a few seem to tick all the boxes for Qubes.
I especially looked for Intel VT-x (including EPT), Intel VT-d, and Intel TXT.
The Asrock Q170M vPro also supports AEM in theory. Last but not least it's very cheap and supports current CPUs (LGA1151).
Can you elaborate a bit on the performance of the Asus KCMA-D8 + AMD Opteron 4386?
I had a look at performance benchmarks of the AMD Opteron 4386 (dual CPU) and it seems even a single Intel i7-7700 outperforms the 4386 CPU. Nonetheless, it's an Octacore CPU (2012) compared to the Intel CPU which is a Quadcore (2017). I have little knowledge about server hardware performance, so that makes the comparison a bit difficult for me. Would you say the KCMA-D8 + 4386 are on the same level or at least have more than enough power to run 8-10+ VMs (including 1-2 Windows HVMs) at the same time with 32GB RAM?
> The board is only $250 for a variety of independent sellers (not
> overpriced/evil newegg/amazon) and you can get a nice cpu for $100
> (4386) or a budget one for $30 (4280)
>
> I offer free tech support for libre motherboard purchasers, I am skilled
> using coreboot and it runs on many of my computers - don't hesitate to
> ask me questions :D
The reason I asked about the performance is that it would only be a good option for me if the performance is really good (hopefully comparable to current Intel i7 desktop CPUs).
Because where I live in Europe, the Asus KCMA-D8 + AMD Opteron 4386 are way more expensive and hard to get. The mobo costs roughly 360 USD and one (!) 4386 CPU costs about 560 USD. So if I'd go that route I would probably have to buy them abroad (US, China, etc) from the offers I have seen with more reasonable prices :/
TALOS2 also seems promising, although it's not in my budget ;)
Before I decide what to do: Do you maybe know some other mainboards that you can recommend for Qubes 4.0 that are relatively cheap + high performance and ship without vPro / AMT / ME + support for libre BIOS?
Kind regards!
Marek
> TXT is a marketing feature, it isn't really relevant.
> Doing kernel code signing via coreboot with grub payload is a much
> better security feature, if you lock your flash chip the only way to
> flash will be externally (with a tester clip) so it is very secure.
Okay good to know, then I'll discard TXT from now on ;)
> * You'd be able to play new video games at high settings in a VM, run a
> bunch of VMs or do both at the same time with dual 4386 CPUs.
> * You could use it as a gigabit vpn router with a router distro.
> Another option for more juice is the pricier KGPE-D16 (same featureset
> but with more RAM slots, support for socket g34 16 core CPUs and more
> PCI-e lanes/slots) and get 16 core CPUs you would be able to have 32
> cores total with the opteron 6386 (best G34 cpu) and thus for instance
> have three people playing games at high settings on the same PC plus
> many VMs.
Sounds perfect! I think you actually convinced me to go for the KGPE-D16 + Opteron 6386 + 64GB RAM then :)
Now I only need to find a trusted seller where I can buy the mainboard (new/affordable price) with EU shipping. Everything except mainboard can be used (RAM, CPU, AMD GPU).
It would be awesome if you could tell me where to buy the hardware cheap.
Preferably via e-mail (marek....@openmailbox.org) for privacy or in your reply over here if you don't want to reveal your e-mail address.
(No worries, this is just one of my "throw-away" email-addresses)
> You will need to buy a video card as the onboard video sucks, I advise
> AMD as they are friendlier to open source and virtualization compared
> with nvidia who adds "bugs" to their drivers to try and stop you from
> using a geforce card in a VM to play games (see code 43 error)
Do you maybe know an AMD card that would work?
Kind regards,
Marek
Is one better than the other for Qubes OS?
Probably true ;) I just thought I spend a little bit more now to have a solution that serves me well for the next couple of years to come :D I plan to use the machine for video rendering, gaming and running quite a few VMs + HVMs in parallel.
> Although an advantage of the KGPE-D16 is that it includes the $50 module
> needed to run OpenBMC - your choice.
I looked it up, but I don't really understand the purpose of the OpenBMC module. Was it for TPE/AEM support?
> Usual retail:
> KGPE-D16 - $400
> KCMA-D8 - $250-300
>
> CPU:
> 4386 - $100-130
> 6386 - $100-200
Thanks for the overview.
Do you by any chance know for sure, if the 6386 works with Coreboot?
Because on the Coreboot website they advise to avoid the whole 63xx series, due to the "microcode update" issue. I initially also wanted to go for a 63xx CPU but due to their advice I thought about switching to 62xx to avoid all those problems.
Maybe that can be solved? Because the 63xx is only insignificantly more expensive than the 62xx CPUs...
PS: I will also switch off Google very soon, I didn't know they were doing such advanced things in regards to tracking..
Thanks for the clarification! I probably won't really need the remote access feature, but hardware fan control is always good. Even better when libre.
> > Do you by any chance know for sure, if the 6386 works with Coreboot ?
> Yeah it does.
> > Because on the Coreboot website they advise to avoid the whole 63xx series, due to the "microcode update" issue.
> No that's what the libreboot site says, I maintain the kgpe-d16 article
> on the coreboot wiki and I would never state that.
Cool, I didn't expect that - great to get so much support first-hand :) Initially, my plan was also to get a 63xx CPU but then I stumbled on Libreboot's wiki, where they state one should "AVOID [the 63xx series] LIKE THE PLAGUE". Seemed a bit hysterical to me as well, but then again, I thought they know their stuff (no offence) :D (Source: https://libreboot.org/docs/hardware/kgpe-d16.html)
I'm really glad the 63xx CPUs are also supported by Coreboot. I don't really mind about Libreboot's philosophical issues - if it works on Coreboot I'm happy. And now as I have checked the Coreboot Wiki page again I actually realized you openly state the 63xx series works fine ;)
By the way, I also finally managed to compile the Coreboot .rom file yesterday, with the help of the wiki (https://www.coreboot.org/Build_HOWTO). It was just for testing purposes, and I didn't really change much during the setup. I simply chose the ASUS KGPE-D16 mainboard and compiled it as an i386 ROM (AMD chipset). Basically like this:
1. $ make menuconfig (ASUS KGPE-D16, PS/2 init, SeaBIOS)
2. $ make crossgcc-i386 CPUS=8
3. $ make
Is that all it takes to compile the .rom correctly? Does SeaBIOS work out-of-the-box with Qubes? Also, would it be best to simply clone the latest working config for the KGPE-D16 from the Coreboot website (https://www.coreboot.org/Supported_Motherboards), which can be downloaded here for example:
- https://review.coreboot.org/cgit/coreboot.git/commit/?id=3f09b0ffef990286ecca344cf73023b35be42406
- https://review.coreboot.org/cgit/board-status.git/tree/asus/kgpe-d16/4.6-1125-g3f09b0f/2017-08-21T04_40_02Z/config.txt
Regarding Coreboot, IOMMU and security:
On your wiki page it says "The 63xx "Piledriver" series processors require microcode updates to enable IOMMU (Errata) and may require microcode updates for safe operation due to the 2016 gain-root-via-NMI exploit."
I found some details about the 63xx microcode security updates on the Debian mailing list, but I'm not really sure if the same manual update procedure applies to our use case (Qubes/Xen/Coreboot) since dom0 is based on Fedora. (Source: https://lists.debian.org/debian-user/2016/03/msg01044.html)
Would you generally agree, that "Microcode update" is just a fancy name for fetching + installing a certain AMD package from a repository that patches the security vulnerability in the CPU? Or what is the approach I need to follow to enable IOMMU and fix the security vulnerability when running a 63xx CPU under Qubes/Xen?
> Get a 63xx/43xx, they're slightly faster.
Yes definitely.
> > PS: I will also switch off Google very soon, I didn't know they were doing such advanced things in regards to tracking..
> They are truly the world's most powerful corporation, they are even
> putting cameras and mics around urban centers now to help with their AI
> research and of course advertising.
Yes it's really crazy and a bit alarming how much data they gather :/ That's also the main reason why I want to keep my browsing in different VMs (work, banking, music/streaming, etc). I mean no one knows, what they will really do with all the personal data in the future.. they sure sell the data or use it for advertising purposes. Besides that, the added security of Qubes against malware was another great thing that convinced me to switch.
Best regards!
Marek
Yes I've had a look, TALOS II is definitely a great project! Unfortunately, my budget doesn't really allow me to spend 5-6k on a workstation. Nonetheless, I really appreciate their efforts and can imagine privacy/security-conscious companies do so as well. I don't even think it's that expensive, given that they have to do a lot of development/research and probably only manufacture in relatively small quantities (yet).
> > Is that all it takes to compile the .rom correctly? Does SeaBIOS work out-of-the-box with Qubes? Also, would it be best to simply clone the latest working config for the KGPE-D16 from the Coreboot website (https://www.coreboot.org/Supported_Motherboards), which can be downloaded here for example:
> >
> > - https://review.coreboot.org/cgit/coreboot.git/commit/?id=3f09b0ffef990286ecca344cf73023b35be42406
> > - https://review.coreboot.org/cgit/board-status.git/tree/asus/kgpe-d16/4.6-1125-g3f09b0f/2017-08-21T04_40_02Z/config.txt
> That should be what was included, no need to do that.
Yes true, I just thought I might reverse-engineer the correct settings for the KGPE-D16 from that config.txt file. Now as I have learned that the default settings are fine, that idea doesn't really make sense anymore. I initially expected each motherboard/chipset would require a custom setup to work. (Besides specifying motherboard/chipset).
> > Would you generally agree, that "Microcode update" is just a fancy name for fetching + installing a certain AMD package from a repository that patches the security vulnerability in the CPU? Or what is the approach I need to follow to enable IOMMU and fix the security vulnerability when running a 63xx CPU under Qubes/Xen?
> You need it in the firmware to enable IOMMU and avoid the NMI issue, by
> default coreboot includes it as I said so no worries. (check just to
> make sure of course)
Okay fine, I'll simply go with Coreboot default settings then.
> > Yes it's really crazy and a bit alarming how much data they gather :/ That's also the main reason why I want to keep my browsing in different VMs (work, banking, music/streaming, etc).
> That doesn't do anything if you use an identical browser fingerprint.
Seems I really need to learn a bit more about this as soon as Qubes OS is up and running. I thought if I separate the cookies and use an adblock addon in Firefox I'd avoid most of those tracking problems.
> > I mean no one knows, what they will really do with all the personal data in the future.
> Being denied a job because your politics differ from your bosses -
> removing 50% of job options.
> Having creepy people scan your face in public and then harass you for
> whatever reason.
> Someone robbing your house because statistically they can get away with
> it at exactly that time (their robber research tool told them what the
> best time was to rob you: when you are far from home, when the local
> cops take a donut break, when your neighbors are otherwise occupied, etc)
Scary stuff, but very likely if I think about it! I once also read that insurance companies increasingly attempt to track/profile people (and their habits) on social media to determine insurance premiums. In other words, sometime in the future your insurance premium could depend on what you post/share online (or what not). Can't believe all those things are legal.
Any updates in 2018?