Looking Beyond X86 for Privacy and Security

Jan 06, 2021 · 6 mins read
Looking Beyond X86 for Privacy and Security
Share this

I’ve used x86 my entire life, having started on a Pentium II machine with Windows 95, going towards the latest generation core processors on my work laptops. Not that I had much of a choice, but it’s always been fast, reliable, and affordable enough to not considering anything else. Even machines from 2006 can still put up a fight with modern software. So what’s the big deal?

Spectre and Meltdown are just the beginning of revelations to come on how Intel/Microsoft do not respect our privacy nor security. You have a customized embedded MINIX running in the background of most computers through the Intel Management Engine, something that even Coreboot cannot strip out completely.

The average person doesn’t care, as long as they use Word and the latest triple-A computer games, they are happy. For me, it’s unacceptable.

Within the next few months, I have to ponder hard on buying a machine that I have complete control over, while still retaining the ability to do my work.

RISC-V

RISC-V is an open-sourced architecture from the ground-up, but it’s always been stuck in virtual machines rather than usable hardware.

The closest I can find to a ready-to-go RISC-V computer is the HiFive Unmatched by SiFive. Boards still have yet to reach consumers, so I would have to wait to reviews & audits to appear before considering such a board.

But while the processor architecture is open, there are other components on the board that are questionable. Although, it’s a good sign that the full firmware stack is available on Github.

Besides, this board does not have the computing power I need in a workstation, so I will leave it on the backburner until there is more on the market.

Using Old PowerPC

PowerPC 601 The PowerPC 601 chip, which recently lost support in Linux 5.10

An old PowerMac is less swampy than x86, and the later G4 and G5 processors of PowerMacs are still useable for some modern applications. The G5 (processor number) (look into this) is said to be comparable to the Core 2 Quad series, albeit with a massive power consumption difference.

The primary concern is that Spectre-like attacks still affect the later high-speed PowerPC processors. According to a test ran by Talo Space, only the ….

Another concern is being cornered into either using the antiguated Mac OSX 10.5 just to have a useable web browser. While Linux and OpenBSD still have half-way decent support for these old MACs, software repositories are lacking.

Power9/Power10

Thanks to the OpenPOWER Foundation and Raptor Computing Systems, using a Power 9/10 processor may be the most viable platform for a high-powered workstation or server. These processors are well supported by Linux and FreeBSD with all of the familiar packages one would need.

The Raptor Talos II is a four-core Sforza POWER9 processor on a 14nm die at 3.2/3.8GHz with 512K of L2 cache and 10MB of L3 cache per core. If you don’t know what any of that means, it’s a powerhouse of a processor that can really content with modern server-grade Intel processors.

I have no problem being confined to the POWER architecture as this processor is powerful enough to emulate x86 and other architectures via QEMU to manage the virtual machines that I need for work.

The reason why I probably won’t be moving onto this platform is due to the sheer cost obtain such hardware. For a bare-minimum motherboard with just a single CPU slot will set me back $1,500, and I’m on my own to come up with the GPU, power supply, and other parts needed for a complete workstation. A fully configured machine comes out at US$7200.

A used, x86 server motherboard with Coreboot could match the performance for a tiny fraction of the cost.

Libreboot & Sticking with x86 (for now).

Virtualizing x86 virtual machines would be quite taxing on other architectures, so using x86 on a liberated motherboard is still on the table. Libreboot IS Coreboot, but the project is quite handy since they’ve done the gruntwork in finding & liberated motherboards that can be stripped of proprietary drivers and doesn’t have Intel ME (or AMD’s equivilant) running in the background.

One would still be vulnerable to Spectre and Meltdown, but it still is better than having a backdoor pre-installed.

The ASUS KFSN4-DRE is the easiest board to flash as it can be done directly from the operating system. If you mess up, it has LPC flash chips that are easily replaceable using a PLCC chip extractor, and I’ve even found pre-flashed chips for sale on Ebay. The downside is you’ll be stuck with quite an old platform using registered DDR2 Ram, and processors that barely put up a fight against Gen1 Intel Core processors.

The board I am eying is the KGPE-D16, which supports the Opteron 6200-6300 series, but I would only stick with the 6200 series as I can get along without microcode updates. Besides, there isn’t much of a difference in terms of performance nor power consumption to justify opening up my compter to swampy microcode.


You can check out which processors require microcode to remain secure below:*

Processor sold by AMD Part Number Cores Requires microcode updates for secure operation (ref) Notes
Opteron 6386SE (fast) OS6386YETGGHK 16 Yes
Opteron 6328 OS6328WKT8GHK or OS6328WKT8GHKWOF 8 Yes
Opteron 6287SE (2nd fastest)  ? 16 No
Opteron 6284SE ecx-Off-US-917385 16 No
Opteron 6282SE OS6282YETGGGU 16 No

Dual Opteron 6287SE processors would be the ideal best configuration, which is a little over half the performance of an entry-level EPYC processor. With all things considered, this is still the best option I have for native x86 performance.

Any old processor will indeed have old microcode from around 2011. I don’t see it a big deal compared to the Intel Management Engine + outdated proprietary firmware when using a stock motherboard.

Still, it wouldn’t be a perfect solution as I need to find an irregular-shaped case (or build my own) to stuff the motherboard into. I would also need to purchase discreet PCI-Express video cards that have 100% open source drivers. If anyone with this board has a video card recommendation, please feel free to get in touch with me.

Sponsors

Best VPN
Join Newsletter
Get the latest post right in your inbox.