[prev in list] [next in list] [prev in thread] [next in thread] 

List:       qubes-devel
Subject:    Re: [qubes-devel] Re: Running (or not) Xen during installation
From:       Chris Laprise <tasket () openmailbox ! org>
Date:       2016-11-06 23:14:24
Message-ID: c9871047-d12c-abea-9145-028c65a273df () openmailbox ! org
[Download RAW message or body]

On 11/05/2016 04:46 AM, Joanna Rutkowska wrote:
> 
> In the long term, we would like to maintain *full* isolation of most of the PCIe
> devices (so DMA and MSI capable) from the TCB (perhaps except for the MCH pseudo
> devs).
> 
> This should be maintained throughout the whole boot process, starting from the
> reset vector. I don't think running Linux would allow us to achieve that. So, we
> should aim at keeping Xen, and in the future, when we have better firmware to
> work with (Coreboot?) make sure that at no point in time any of the untrusted
> PCIe, such as your WiFi NIC, can interfere with the boot process.
> 
> joanna.

Speaking of long-term, it would be interesting to know if ITL could 
consider specifying a hardware platform where Qubes or a Qubes-like OS 
could operate with greater consistency. The Qubes community currently 
spends most of its time and effort trying to reconcile the OS with the 
whims and priorities of Windows PC vendors.

Even if its not realistic to build such a PC in the near term, having a 
hardware (and firmware) specification that supports the objectives of 
Qubes could be educational and garner interest from more 
hardware-focused people and projects. It would also serve as a reminder 
of how (comparatively) problematic most PCs are.

Chris

-- 
You received this message because you are subscribed to the Google Groups \
"qubes-devel" group. To unsubscribe from this group and stop receiving emails from \
it, send an email to qubes-devel+unsubscribe@googlegroups.com. To post to this group, \
send email to qubes-devel@googlegroups.com. To view this discussion on the web visit \
https://groups.google.com/d/msgid/qubes-devel/c9871047-d12c-abea-9145-028c65a273df%40openmailbox.org.
 For more options, visit https://groups.google.com/d/optout.


[prev in list] [next in list] [prev in thread] [next in thread]