Talos Secure Workstation Crowdfunding

Jeremy Rand

Dec 16, 2016, 12:14:36 AM
to qubes-users

Hi everyone,

As those of you who've read Joanna's paper "Intel x86 Considered
Harmful" are well aware, the Intel ME and other closed-source firmware
pose a threat to trustworthy computing. We can do all the awesome
hypervisor and isolation stuff we want (e.g. Qubes OS), but this
doesn't help when the firmware is evil (and closed-source firmware
should probably be assumed to be evil).

x86 is not likely to improve much on this front (although Trammel
Hudson's recent work is pretty cool), which means we should seriously
be looking into alternative architectures. POWER8 is probably the
best contender for a serious alternative to x86. As you may have
heard, Raptor Engineering is doing a crowdfund campaign on Crowd
Supply to produce the Talos Secure Workstation, a POWER8
desktop/workstation with fully libre firmware that is comparable in
performance to current Intel hardware. In addition, most of the
mainboard logic is implemented using FPGAs with libre bitstreams and
libre toolchains instead of ASICs, which adds to the auditability and
control by the user.

Features particularly of interest to people who use Qubes include HVM,
IOMMU, and TPM, as well as some very interesting engineering relating
to preventing evil maid attacks. Raptor has done an excellent writeup
of the latter; see the following links:

https://www.crowdsupply.com/raptor-computing-systems/talos-secure-workstation/updates/talos-fpga-functions-and-responsibilities-part-1

https://www.crowdsupply.com/raptor-computing-systems/talos-secure-workstation/updates/talos-fpga-functions-and-responsibilities-part-2

(People who enjoy reading Joanna's technical writeups are likely to
enjoy the above Raptor writeups too.)

And of course, as a workstation class machine, Talos supports plenty
of RAM for running lots of VMs simultaneously, as Qubes users tend to
do.

Raptor Engineering already has a solid track record of Coreboot and
Libreboot development (among other relevant areas of expertise), so
unlike most of the projects that have done crowdfunding in this space,
Raptor has an understanding of the tasks involved and is likely to
actually deliver.

Fedora and Debian already support POWER8, so the Qubes dom0 and AppVM
components shouldn't be hard to port. Xen does not support POWER8 at
the moment, so Qubes won't run on Talos when the Talos ships.
However, there is interest in adding POWER8 support to Xen, and POWER8
support for Xen is much more likely to happen, and much faster, if
Talos meets their funding goal.

Yes, the price for a Talos is sadly quite high. Note that it is much
more powerful than most consumer PCs (e.g. the low-end "Desktop
Edition" comes with 128 GiB of RAM), and that small production runs
are naturally more expensive. If they meet their funding goal, it is
likely that price decreases will happen later in the product
lifecycle, as well as producing a new version based on POWER9.

If you're in a financial position to order a mainboard (or a complete
system), please support them. For the far greater number of you who
are not (I definitely can't afford a mainboard), please consider the
$250 SSH option, and if you can't do that, please consider donating
$10. If you have friends who understand that closed firmware is a
threat, tell them about Talos. If you have friends who ideologically
are aligned (e.g. who support privacy rights) but who aren't aware of
the technical concerns about x86 and closed firmware, explain the
issue to them. There are industry players watching to see how this
campaign goes and how diverse the support is; every $10 donation is a
vote that signals "We want this to happen." $10 really does make a
difference here.

The crowdfund campaign ends in 29 days on Jan 14.

You can support them here:

https://www.crowdsupply.com/raptor-computing-systems/talos-secure-workstation

Cheers,
- -Jeremy Rand

J. Eppler

Dec 16, 2016, 10:29:59 AM
to qubes-users, jer...@veclabs.net, jerem...@airmail.cc

Jeremy Rand

Dec 16, 2016, 11:12:18 AM
to qubes...@googlegroups.com

J. Eppler:
> Hello,
>
> here is the correct link:

Looks like Enigmail's line breaks in combination with Google Groups
may have broken the link I provided. Apologies (and thanks for
correcting) if that's the case.

Cheers,
- -Jeremy