Hacker News

>OpenPOWER systems allow you to keep your valuable assets and proprietary engine code safe and secure through full owner control

What does it mean? It's some form of DRM pitch?




Yes. It's about not having anything like Intel's ME running code you can't audit or control that has full access to your hardware. It's basically the same pitch as for Libreboot https://libreboot.org/.


I.e. it's DRM-free pitch? That's the opposite of what I first took it for.


Yes, it's a DRM-free pitch. I suppose “Keep your … proprietary code safe” could seem DRM-related but “full owner control” is an FSF-y anti-DRM catchphrase.


It's a very odd mix, pitching user freedom with "proprietary engine code" as the example of data that is protected.


There's a blurb at the bottom of the Talos machine's page (same page, hit the link on the bottom left) about how they can't divulge certain details of the PCIe system.

Plenty of room for backdoors and other shenanigans in there. Which kind of undermines the entire claim...


OpenPOWER is really open, including the chip's firmware (https://github.com/open-power), and there's no embedded management chip as found in Intel or AMD CPUs.


People may be overselling this; all the current Power8 machines are servers that have BMCs.


The BMC's firmware is also open: https://github.com/open-power/hostboot

Here's a blog post with some details: https://blog.jms.id.au/2015/07/openpower-firmware-stack/


Hostboot (and skiboot) is loaded from the BMC, but it's not the BMC firmware - hostboot and skiboot run entirely on the host.

The BMC firmware we're currently working on at IBM (based off some work by Facebook) is at https://github.com/openbmc/openbmc.

[Disclosure: IBM Power Systems. Opinions my own.]


Parent posts are likely referring to on-CPU management features (on the IC itself), not on-board ones like BMCs.


The problem with DRM like Intel's is that you have to trust Intel. And the DRM is meant to protect other people's code running on consumer machines. The pitch here is that you can run your own custom DRM, that only you control.

To use CAs as an analogy. Intel, and most chip manufacturers, when they describe DRM, they mean generalized consumer DRM, so basically how your browser or OS comes with a list of CAs pre-installed. The DRM pitch here is the ability to write your own DRM, e.g. like having your own internal CA.

This has a use case. DRM can be useful for things like governments and companies. While dangerous from a civil liberty perspective on consumer hardware, it's perfectly reasonable for an organization to want a DRM solution that they control entirely. As an example such a solution could prevent the IT guy (re: Snowden) from stealing your files.


In this case I'd call it InfoSec features, not DRM. They can be conflated because both can rely on encryption, but they have different purposes, or I'd say premises.


InfoSec is the goal, and DRM is the process by which the goal is reached. DRM refers to digital data that some people can't copy, or view, etc. often at a hardware level. That's a tool in doing InfoSec.


"What does it mean? It's some form of DRM pitch?"

It's a BS claim. IBM has only developed one CPU for high-assurance security:

https://domino.research.ibm.com/library/cyberdig.nsf/papers/...

POWER is an insecure processor like the rest. The software on it will likewise have the same problems as the rest. The difference they're advertising is that there's more open code. This reduces the unknowns for users, gives them more control over their own boxes, and improves security a bit. There's still black boxes in there including one I didn't know about per one commenter in this thread. You can trust the hardware and any firmware left about as much as you can trust IBM's management in that division. Yeah, it gave me pause too.

So, let's change it to "less DRM" and "more open than x86." If you want an open ISA, look at RISC-V or SPARC (esp Leon3 or OpenSPARC T2). If you want a more secure ISA, look at crash-safe.org, Cambridge's CHERI processor (also open), System/38 (still exists), or even old Burroughs B5000 from 1961. In such light, "Open"POWER is neither truly open nor secure even if better than x86.


I think it's important to consider the context, which is clearly stated on the frontpage of Talos: "POWER is the only open, owner-controllable architecture that is competitive in performance".

There are other architectures that could be candidates for an owner-controllable system (see https://www.raptorengineering.com/TALOS/op_twbx86.php for a review of some other alternatives), but POWER8 is currently the one that can be competitive with x86-64 and could realistically build today.


It's called a "Talos Secure Workstation" "designed for security-conscious users." Then they mention the ownership and openness differentiators but nothing else. Other "secure" workstations were CMW's, separation kernels, hypervisor schemes, and so on that protect the system from attack.

So, I think it's a misleading label. "Secure" workstation has a meaning that goes way back. In isolation, it has an established meaning. They should just say open and/or DRM-free as that's intended meaning.



