
Talos Secure Workstation - edwintorok
https://raptorengineeringinc.com/TALOS/prerelease.php
======
nickpsecurity
I like it as competition to Intel in the desktop space for power users.
Workstation market used to be fun with interesting machines from SGI, IBM,
Sun, HP, Compaq, and so on. SGI's blew people away with graphics & NUMA
architectures. DEC/Compaq's Alphas could be microcoded for concurrency or
performance using regular assembly via a scheme called PALcode. HP PA-RISC and
SGI's Itanium systems have a memory keying scheme for access control, originally
in IBM mainframes, that constrains attackers a bit if used well. The RISC
systems supported more programming models without the efficiency hit of x86s
that assumed stacks and had few registers. Unfortunately, x86 was very good
at running C, and x86 code became more prevalent. Plus the Microsoft
partnership. So, everything else pretty much disappeared.

Anyway, it would be cool to have options. Especially with security extensions
for code in the CPU and/or open CPU's. Unfortunately, this really ain't it.
People are better off licensing or directly using Gaisler's 4-core SPARCs with
security extensions a la Cambridge's CHERI, SecureCore, or Hardbound. We'd
have fast, open CPU's w/ open firmware w/ open OS's w/ support at CPU level
for confidentiality and/or integrity. _That_ is how you _begin_ on a secure
workstation. ;)

~~~
nullc
I'm super excited about CHERI. ... But the fastest CHERI implementation now or
likely in the next couple years is orders of magnitude slower than the
offerings from AMD and Intel. (Not fundamentally-- but primarily as a product
of maturity and development)

There are many applications where I'd gladly take a 100 fold performance (or
energy efficiency loss) for the kind of security improvement that CHERI gives.
But there are also many applications where I (and importantly, other people
who care less about security than I do) cannot afford those sorts of
reductions.

Meanwhile, the fast machines available to us all have opaque,
cryptographically locked, and seemingly often vulnerable supervisory code
running on them.

To make an impact OpenPower solutions need merely be better in some respect
(avoiding the secret supervisory code) and not too worse in others. It might
be a tougher call if MPX were already a practical reality or if SGX weren't
being held back by ridiculous licensing.

~~~
nickpsecurity
"But the fastest CHERI implementation now or likely in the next couple years
is orders of magnitude slower than the offerings from AMD and Intel. (Not
fundamentally-- but primarily as a product of maturity and development)"

That's due to a lack of demand. The ultimate problem for high security.
Gaisler's stuff is already implemented. The RISC-V Rocket core is 1.4 GHz.
Basic checks like in SAFE's atomic groups have single-digit, percentage
effects on performance. The mods can be tweaked to give desired performance.
Worst I've seen was 70-80% loss on a prototype designed for research rather
than performance on most memory-intensive stuff. Not 100x or anything.

"Meanwhile, the fast machines available to us all have opaque,
cryptographically locked, and seemingly often vulnerable supervisory code
running on them."

Definitely improvements to be had in things with open firmware and such. POWER
and SPARC have had that for quite a while via Open Firmware standard. SPARC
and MIPS have open _implementations_ with SPARC not requiring an ISA license.
Not sure about availability of server-grade POWER implementations or licensing
costs. Definitely need more to work with in that area.

"To make an impact OpenPower solutions need merely be better in some respect
(avoiding the secret supervisory code) and not too worse in others."

I hope that's true. What killed it before was legacy effect: key apps or
capabilities that worked on x86 didn't on alternatives. Even Apple abandoned
PPC. The only ones doing it on desktops are the Amiga systems.

For common use-cases, we need to port Flash, JS JITs, ASM-optimized codecs...
all sorts of things to POWER to achieve parity. I've always liked POWER better
than x86. It's just that users use apps not ISAs. That's why x86 has holding
power.

So, it's literally gotta be users who don't need games, fast browsers, CAD,
etc. It has to be people using native apps written in portable code leveraging
components written similarly. Even better if it's multi-threaded or benefits
from POWER's accelerated instructions. How many use-cases does that represent
for desktop users?

~~~
chei0aiV
Flash is dying, so ignore that.

Debian has more than 96% of packages compiled for POWER and IBM is working on
porting the rest and optimising things.

[https://buildd.debian.org/stats/](https://buildd.debian.org/stats/)
[https://wiki.debian.org/ppc64el](https://wiki.debian.org/ppc64el)

It isn't hard to create new ports, you just have to have the source code, but
everyone uses proprietary software so new ports have zero chance outside the
open source world.

~~~
nickpsecurity
So, there's nothing critical for modern desktop use that isn't on POWER? What
about graphics and sound cards? Printers? They got it all these days?

That would be cool because one of my disposables is an old Mac laptop with G4
CPU. Getting modern Linux distro on it would be cool.

~~~
dmm
The in-kernel, free radeon drivers are good and supported by AMD. They should
work on little-endian systems, which all of the newer POWER systems are[0].

Unfortunately big-endian amd/radeon support seems to have bit rotted. So if
that g4 laptop has an amd device accelerated video might not work. I'm not
sure how well nouveau works for nvidia devices.

There have been some discussions about this problem on the debian-powerpc
mailing list so check out the archives if you're interested. Some of us also
hang out on OFTC/#debianppc.

Sound support should be the same as Intel and printers are handled by userland
so that shouldn't be a problem with most printers that work with Linux.

JIT support for ppc64el is good because of IBM support. It has jdk and v8
ports.

[0] [https://wiki.debian.org/ppc64el](https://wiki.debian.org/ppc64el)

~~~
nickpsecurity
The graphics situation sounds rough. Good on printers and sound. And this...

"JIT support for ppc64el is good because of IBM support. It has jdk and v8
ports."

...I didn't even think about. Of course IBM's components might be usable for
the desktop. ("Doh!") Thanks for the info.

------
throwaway7767
I'd like to know what they consider to be sufficient interest to justify a
production run. This is a really niche project, and $3000 seems quite low for
a one-off motherboard made in a couple of hundred units.

Hopefully these guys have worked out the math; I've just noticed that most
people, especially software people, seriously underestimate the cost of
producing hardware in small quantities.

~~~
ryao
The number is 1500. I know because I have been talking to them about this
since last year.

~~~
throwaway7767
Thanks, that sounds a lot more realistic than what I had in mind. Hopefully
they'll get enough interested people to commit, it'd be great to have a choice
in workstation architecture again.

------
patcheudor
Define "secure". In too many cases it is a marketing buzzword. At some point
those of us who are security professionals really need to get serious about
pushing for some standard language and certification in this space. I'd love
to see a rating system which makes it clear which attacks this platform can
defend against. As an example, is it only secure if locked in a secure
facility, protected from physical access or can it exist in a physically
hostile environment? How much of it can be exposed to an attack surface before
it's not secure? At this moment I'm aware of several physical layer attacks
that this would absolutely fail to protect against so I question why exactly
this gets me anything more than any other hardware platform.

~~~
7952
In a world of millions of networked devices it seems redundant to classify any
one single element as "secure". The secure device cannot possibly trust any
other device, and those devices in turn cannot trust the secure device. By
necessity we use a combination of different systems, and any one rogue system
could undermine the rest. The only way to make that safe is to understand how
different systems interact and ensure they are sandboxed from one another.
This is particularly difficult when a single machine can have several
processors running their own platform.

------
mendocino
> NO signing keys preventing firmware modification

Not really a "secure" workstation if you can't have a secure bootchain. An
open, secure platform would allow you to fuse your own root key.

~~~
throwaway7767
This seems to be an unfortunate relic from the fight against the clipper chip.

Buying hardware that you don't own and control is a big problem, but that
doesn't mean all methods of securing the boot process are evil. The important
bit is that it's the owner of the hardware that's in control of the keys, and
that (s)he can retain sole control of the signing keys if desired.

~~~
ryao
Intel controls the keys for the management engine and other bits that are
vectors for back doors:

[https://libreboot.org/faq/#intel](https://libreboot.org/faq/#intel)

The Snowden leak claimed that the NSA had special Intel chips, but no one has
ever claimed Intel did a special production run. However, if they stole
Intel's signing keys and internal documentation, they could just reflash the
existing chips and Intel would not need to know a thing about it. Anyone who
gets their hands on that information would be able to do the same and there is
not a thing you can do about it beside using hardware where that is not
possible.

~~~
throwaway7767
I think we're in agreement then. Intel's system does not meet the criteria I
set forth in the post you're replying to (since there is only one key, and
it's generated out of the owners control). So that's a bad solution. If there
were some way for a physically present user to set a new firmware signing key,
that would get the benefit without having to throw out any attempt to secure
the boot process.

Of course, Intel's microcode is not open for scrutiny, so the point is moot
there (what would you sign instead?)

The linked project states that having no way to lock the boot process is a
benefit. I disagree that it's a feature to advertise, because it's possible to
implement in such a way that the user retains complete control. Pointing out
bad implementations is not a good answer to that.

~~~
ryao
The ME is an embedded device that has its own independent CPU and operating
system. Whether Secure Boot is possible is tangential to that. Secure Boot is
as relevant to security here as lowering the anchor on the Titanic after
hitting that iceberg. Whether the measure is in place or not does not actually
fix things.

------
creshal
Any details on the graphics chip it apparently uses to drive the HDMI (so much
for "workstation grade"…) output?

Libre graphics hardware is quite rare, virtually everything on the market
requires binary firmware blobs.

(As do all mass storage devices…)

~~~
pgeorgi
The brand is Aspeed, blob-free operation but 2D acceleration only, found in
server boards. This is not an SGI-style Iris GL workstation.

~~~
creshal
Ah, shame.

~~~
rbanffy
It has 4 x8 PCIe slots.

~~~
creshal
I've seen that. But where would I find a completely blob-free graphics card to
plug in there? Neither AMD nor Nvidia offer any right now.

~~~
rbanffy
Not sure if it'd work but if the blob is to be loaded on the card, it would be
just like an x86 setup - it should work as long as the host part is compilable
for POWER.

~~~
dmm
Radeons work without kernel blobs, just binary firmwares that are loaded on
the card.

------
mappu
There are preliminary benchmarks from Phoronix available here:

[http://www.phoronix.com/scan.php?page=article&item=talos-workstation&num=1](http://www.phoronix.com/scan.php?page=article&item=talos-workstation&num=1)

TL;DR Performs similarly to current E3/E5 Xeon CPUs, and the 64 cores (57
tested) are great for parallel workloads. There are some applications (OpenSSL)
missing POWER8-specific optimization.

~~~
edwintorok
The open-toolchain FPGA sounds interesting too, is there any more information
on that?

~~~
chei0aiV
Some resources are listed here (including an open source FPGA):

[https://wiki.debian.org/FPGA](https://wiki.debian.org/FPGA)

------
korethr
So, honest question, what kind of workloads and tasks would a box built from
this motherboard be good for? Video or audio editing? CAD? 3d Rendering?
Programming? Assuming the hardware is up to the task, cool, now what about the
software?

In my years working IT, it seems to me that by and large, the professional
software for tasks you'd throw an expensive workstation at (CAD, 3d rendering,
etc) has migrated to being targeted for x86 Windows boxen,
because that's what their clients have. For some tasks (audio/video
production) some software still targets Macs, but that's about it from what
I've seen.

I'm tempted to try to pick up a couple of these to see if I can turn them into
something useful, but the rare power user or hobbyist doesn't seem like enough
demand to sustain development of a product like this, as cool as it might be.
Is there some niche somewhere that I am not aware of where something like this
would be useful? Enough for someone to buy enough of these to sustain further
development and production?

~~~
whorleater
I'm actually pretty interested in this as a potential form of cheap(ish) HPC.
I do a lot of stellar simulations and other computational astrophysics stuff;
I think a couple of these might be able to stand in when I don't necessarily
feel like dealing with the campus supercomputer for a small task. Although in
terms of marketability, I'd say that products like these might fulfill the gap
between traditional farms <-> giant supercomputers.

------
viraptor
Interesting... but I see only two reasons I'd get it at that price. If I
actually expect covert channel data exfiltration, or really don't trust in
generating crypto keys on standard Intel architecture. But the second one is
solved by HSMs too.

So does anyone know why one would prefer this board?

~~~
ajdlinux
The IBM OpenPOWER firmware is all open source. (disclaimer: I work for IBM
Systems)

~~~
ryao
The microcode is not, although I heard that it is under consideration for
POWER9 depending on how well Talos does.

------
edude03
I have a secret dream of having a secure "big data in a box" solution based on
Linux / GPUs (likely Nvidia) and lots of storage (like 8 6TB drives in RAID-Z2).
This processor and motherboard would be fine if it had more IO (4-6 16x
slots) and onboard 10GbE. Right now seems like this is still a pipe dream.

------
tempodox
I might be interested, but I'm not hardware buff enough to build a computer
myself. And what kind of software would run on that CPU?

~~~
keithpeter
Some form of Linux, then compile as needed I imagine.

[https://www-01.ibm.com/support/knowledgecenter/linuxonibm/li...](https://www-01.ibm.com/support/knowledgecenter/linuxonibm/liaam/liaamdistros.htm)

The page above lists RHEL, SLES (the commercial variant of OpenSUSE), Ubuntu
in the context of servers.

~~~
ajdlinux
Debian as well. IIRC there is a FreeBSD porting effort which hasn't made that
much progress as yet.

~~~
chei0aiV
Link to the Debian port:

[https://wiki.debian.org/ppc64el](https://wiki.debian.org/ppc64el)

More than 96% of Debian is compiled for it and hopefully works ;)

~~~
ajdlinux
I've personally run a KDE environment on ppc64el Debian, and it pretty much
works straight out of the box :D

------
akhilcacharya
What sort of work could this be used for?

~~~
ryao
> What sort of work could this be used for?

Computer hardware can be used to run computer software.

~~~
akhilcacharya
..such as..?

------
djrogers
I realize they are two different domains of expertise, but if I'm paying
someone $3000 for a computer, shouldn't they at least be able to _hire_ a
competent web designer?

This is atrocious - floating menus and text blocks that move and cover over
the main text when you try to zoom, and no responsive design so you have to
zoom in mobile. Sorry, I'm not going through that much work to read your
site.

~~~
keithpeter
Personally, I'd rather they just went with plain html and no attempt at
presentation of any kind. Cheaper and the viewer gets to decide on font
size/styles &c.

But, no, with hardware this specialised, those who have a need for it won't
mind what the page looks like.

------
l3m0ndr0p
LOL - It's only secure until they hand over the back door keys to one or more
of the US 3 letter agencies...