
441 points ploggingdev | 1 comments | source
snvzz ◴[] No.15734641[source]
Their weakest point is the hypervisor, Xen, which, while a better choice than Linux/KVM, is still extremely bloated and has a poor security history.

Thankfully, better designs such as seL4's VMM do exist, although it might need a little more work [1] until usable for the purpose.

[1] https://sel4.systems/Info/Roadmap/

replies(6): >>15734676 #>>15734739 #>>15734803 #>>15734841 #>>15734956 #>>15735067 #
jjawssd ◴[] No.15735067[source]
Is it possible to run secure code on any Intel microprocessor which supports the x86 instruction set?

I do not think so.

replies(1): >>15735619 #
morganvachon ◴[] No.15735619[source]
Pre-2006 systems, maybe. I have a PIII based laptop that I'm reasonably sure doesn't contain any malicious microcode or BIOS shenanigans. It certainly doesn't have IME or equivalent. However, that was the CPU that started Intel's serial number controversy, and while I do have a BIOS setting to turn it off, is it really off?

It's a pretty deep rabbit hole if you really want to go down it. You can make a case for not trusting any CPU that you didn't design and fab yourself, and even then you have to watch out for your own mistakes and bugs that can be used against you.
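The "is it really off?" question about the Pentium III serial number has a software-visible side: the Processor Serial Number feature is advertised in CPUID leaf 1, EDX bit 18, and when the BIOS disables PSN that bit reads as 0 (and leaf 3, where the serial lived, returns zeros). The following is an added example, not code from the thread or from any project named in it; it queries that bit on x86 builds via GCC/clang's `cpuid.h` and reports "not x86" otherwise. `psn_bit_from_edx` is a hypothetical helper so the decode can be exercised with a constructed EDX value when no such CPU is at hand.

```c
/* Added example: check whether the CPU advertises the Pentium III
 * Processor Serial Number (PSN) feature, CPUID leaf 1, EDX bit 18. */
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define PSN_EDX_BIT (1u << 18)   /* CPUID.1:EDX[18] = PSN */

/* Decode the PSN flag from a leaf-1 EDX value. Separated out so it can
 * be tested with a constructed value (hypothetical helper). */
int psn_bit_from_edx(unsigned int edx)
{
    return (edx & PSN_EDX_BIT) ? 1 : 0;
}

/* Returns 1 if PSN is advertised by the running CPU, 0 if it is not,
 * and -1 when this is not an x86 build (or leaf 1 is unavailable). */
int psn_supported(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;               /* leaf 1 not reported by the CPU */
    return psn_bit_from_edx(edx);
#else
    return -1;
#endif
}

int main(void)
{
    int r = psn_supported();
    if (r < 0)
        puts("PSN check: not an x86 build, nothing to query");
    else if (r == 1)
        puts("PSN advertised: CPUID.1:EDX[18] is set (feature enabled)");
    else
        puts("PSN not advertised: CPUID.1:EDX[18] is clear");
    return 0;
}
```

Build with `gcc psn_check.c -o psn_check` on an x86 host. A clear bit tells you the BIOS/firmware setting took effect at the CPUID level, which is what software can observe; it says nothing about what the silicon or a modified firmware might do below that interface, which is the point the comment above is making. Every CPU Intel shipped after the Pentium III reports this bit as 0, so on current hardware the expected result is "not advertised".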