Why Talos™ II?

An In-Depth Interview with Timothy Pearson, Director of Research and Development at Raptor Engineering

Why did Raptor Engineering make the Talos™ II System a top development priority?

With more and more data being permanently stored in computers all over the world—from research and development to established product lines and client data—centralization and homogeneous systems have enabled a new breed of high-value cyberattack. Much of this centralization is fundamentally required for modern services to function, and is slowly being shaped into a more responsible form via the EU's GDPR and similar legislation, but behind the scenes an unnecessary and dangerous centralization of hardware and firmware control also has occurred. With modern x86 and even some modern ARM hardware, it no longer matters what operating system or applications you choose to run; you remain potentially vulnerable to unauthorized remote and local access via the increasingly complex, vendor-controlled, unauditable platform firmware.

Here at Raptor Engineering, we don't think that final control of the world's computing resources should reside in the hands of two major vendors, or even several vendors; understanding the extreme danger of this situation has catalyzed our development efforts toward creating truly secure, individually owned computing platforms, such as the Talos™ II.

Talos™ II claims a high level of security compared to other computing systems. What makes it more secure?

Unlike any x86 machine on the market today, Talos™ II does not contain any unauditable, hidden "black boxes" in its platform firmware stack. We don't try to hide DRM modules inside the platform firmware, or try to keep basic power management a secret. We don't require firmware network access for the platform to power on.

Furthermore, the POWER9 architecture allows an owner-controlled signing key to be written to the processor module itself. Unlike other platforms, this means the entire boot firmware is controlled by a signing key unknown to external parties, such as the processor vendor or system manufacturer. With application of basic key-control methods and disk encryption—as should be standard in the IT world today—no one is capable, by design, of remotely accessing data on a Talos™ II system, except where such access has been explicitly granted by the machine owner. This decentralized security model, upon which Talos™ II is built, stands in stark contrast to the pseudo-leased, centralized security model of other platforms; it is inherently stronger since exfiltrating, or breaking, one or two keys (the centralized model) is far easier than trying to exfiltrate thousands of keys across thousands of organizations (the decentralized model).

Why are you sold on the POWER architecture?

POWER9 sits in a unique position in the computing world today. Here at Raptor Engineering, we know firsthand that there exists a minimum of computing power required to perform creative tasks within a reasonable time and with reasonable cost and effort; as expected, this minimum continues to increase year over year. The only major architectures shipping CPUs powerful enough for many of these tasks are currently x86 and POWER9.

As I mentioned earlier, x86 has become too large of a security risk for us to ignore. The upcoming POWER9 CPUs have other compelling advantages, even outside of security, including CAPI technology for accelerators, massive caches, and very high I/O bandwidth. These traits are a perfect match for the computationally expensive engineering tasks we execute every day, and they also find a home in the cloud data center, where these same features allow more VMs (virtual machines) to be stuffed into a single machine than otherwise would be possible.

As an open-source advocate, why should I be excited about this Talos system?

Why be excited about Talos™ II? Two words: open firmware. An unfortunate trend in computing is to move most kernel and hypervisor functions into the platform firmware. As an open-source advocate, this trend should be very concerning, given that these functions are moving out of an open-source realm, and into a permanently closed-source realm.

Due to cryptographic signing on all modern x86 platforms, vast areas of firmware are completely off-limits for open source—even if an individual or organization could otherwise write a replacement for that firmware. Talos™ II has none of these issues because your signing key, not the vendor's key, grants low-level access to the hardware.

What are some of the current needs in open-source computing that this system addresses?

Open source computing is at a crossroads right now. Do we continue to embrace the "userspace is enough" model, where you are permitted to run open-source applications on an otherwise fully vendor- and third-party-controlled machine—or do we push for continued access to a fully open stack, as we have previously enjoyed?

Sadly, far too many have acquiesced to a userspace-only model for cost reasons; however, what these individuals don't see is the long-term, real cost of this approach. From environmental damage due to prematurely obsolete hardware (i.e., hardware that contains unpatchable firmware bugs that render it useless), to loss of knowledge of how computing systems function outside the application layer, to complete loss of privacy and self-actualization, the true costs of consumer-only computing are staggering. By contrast, the Talos™ II system answers the call for "tools that can make more tools"—a libre-friendly computer capable of driving new research forward, and on which the next generation of powerful, even mobile, libre-computing products can be designed.

Why is Raptor Computing Systems bringing Talos™ II to market now? Why is the time right for this computing system?

Many things have shifted in the market since this time last year. From the scheduled implementation (May 25, 2018) of the GDPR, to the predicted—and actual—lockdown of x86 CPUs, to the slow but steady erosion of human rights around the world, we believe there is now significant demand for a computing platform that respects you and your desire for productivity and privacy.

Additionally, for the first time in many years, major improvements to both RAM and PCIe bandwidth truly justify upgrading to a new platform. Currently, IBM's POWER9 is the only CPU available with these improvements, such as PCIe 4.0.

What markets are being targeted with the Talos™ II product line?

Raptor Computing Systems is targeting anyone needing significant computing horsepower in a standard EATX format, with a focus on those already using Linux in their organization. Talos™ II is a perfect fit for colleges, engineering firms, content creators of all types, data-center operators, and individuals interested in privacy and/or software development.

If you have an open-source application that just seems too slow on your current computer, Talos™ II can save you time and aggravation while protecting your valuable data.

How did you bring the Talos™ product line to a more affordable price point?

POWER9 is a major step forward in the POWER systems line. In addition to lowering TDP, the memory controllers are integrated into the CPU package, bringing the overall chip count down to a level more comparable to competing platforms.

Also, the availability of PCIe 4.0 and the ability to place a second CPU on the board meant that a costly PCIe switch was no longer needed. In addition, IBM has opened more of its technology, and brought other projects, such as OpenBMC, to a state where they can be shipped directly on new hardware. This is a major step forward for libre computing and has helped reduce the cost of the overall development effort required to bring Talos™ II to market.

Did feedback you received from the original Talos offering factor into the Talos™ II system? What did you learn from your first offering?

The only major point of feedback that really shaped Talos™ II was the need to lower cost. With Talos™ II, we were far more careful to contain costs—for example, pushing anything that would only benefit a handful of use cases off the mainboard and onto add-on cards.

The results speak for themselves: we are bringing to market a modern POWER9 mainboard with all the features expected in a board of this class at a fraction of the cost.

Why is everything from mainboards to kits to full systems available? What do you hope to accomplish with this broad lineup?

We want anyone familiar with the choice and prior freedom of the x86 ecosystem to feel right at home with OpenPOWER. If you already are running Linux or one of the BSDs, building and using a Talos™ II system should be no different than assembling and using a white-box x86 system. This is in stark contrast to, for instance, many ARM systems, where a dizzying array of incompatible hardware features, kernels, and software can interact with arcane boot loaders to make initial setup and subsequent maintenance a trial-and-error nightmare.

What is your relationship to IBM and the OpenPOWER Foundation?

Raptor Engineering, designer of Talos™ II, is a proud member of the OpenPOWER Foundation, and Raptor Computing Systems is first to market with IBM's POWER9 processor. This close relationship has allowed us to leverage the vast experience at IBM to bring this product to market quickly and at an affordable price point.

Where are the boards and complete systems being built, and why?

For this first run, a global supply chain is being used, with the last manufacturing steps being carried out here in the United States. This is being done both to ensure that we meet our shipment promise dates and to ensure a quality finished product.

Doesn't having them produced in the USA drive up their costs?

Production in the United States alters the cost surprisingly little, actually. We still use a global supply chain, which helps lower costs in a significant manner, but, at the end of the day, the higher layer count of these PCBs offsets much of the advantage of overseas production.

Talos™ II uses a lower level of integration on its mainboard than most other offerings; this is a major part of how we can offer a truly libre-friendly machine, but at the same time it means that both production of the PCBs and electronic assembly are more complex than for other systems. As a result, with Talos™ II, we would benefit less from the massive industry built around simpler PCBs overseas.

Will you be providing updates, tips and tricks, and general information on a blog closer to product shipment?

Yes. Raptor Computing Systems will keep its customers in the loop as shipment draws closer, and as the marketing embargoes surrounding POWER9 begin to drop off. Stay tuned for updates on Twitter and/or GNU Social.

When can we expect benchmarking on this product?

Benchmarking is closely tied to the marketing embargoes placed by IBM on its POWER9 CPU. While we do not have a firm date to release benchmarks, we can state with confidence that POWER9 significantly exceeds the performance previously seen in POWER8—and that when we do make benchmarks public, you won't be disappointed.

Why did you get into designing computing systems when there already are so many in the marketplace?

Simple: nothing in the marketplace fit our needs. We have many years of experience in owner-controlled computing, and every time one of the major vendors picks up a computing system, they tend to make it more closed. Observing this trend, we decided to do something about the lack of proper, owner-controlled computers on the market. This birthed the Talos I concept and, now, the Talos™ II product.

You have many followers in the EU, as well as the US. Why does Talos™ II appeal to both markets?

We believe powerful, secure computers are equally needed by users on both sides of the pond. This is one area where the US and the EU still share a common interest; both are highly dependent on computing for their way of life, and both are threatened by insecure systems and general loss of privacy. We would be greatly pleased to see adoption of OpenPOWER systems and the Talos™ line by both the US and the EU.

How long have you been active in the FOSS community, and why is it important to you?

Personally, I have been active in the FOSS community for over a decade. As with many people, the initial attraction came from being able to use software that otherwise would have been cost prohibitive, but as DRM became an ever-increasing presence in daily life (for example, Windows Vista's activation schemes), the freedom and owner-control aspects of open source became more important. After seeing where that road leads, I willingly paid more for hardware and software that I have full control over. In the long run, you actually pay less, but the up-front costs can be a hurdle. That is one reason we drove down the cost of Talos™ II as much as possible.

Did the coming GDPR (General Data Protection Regulation) and EU privacy concerns factor into your design decisions?

Interestingly, the design was already more than GDPR ready in the case of Talos™ I; there is strong overlap between the concepts of owner control and the requirements of the GDPR. Since Talos™ II achieves the same owner-control goals, it is very much GDPR ready.

In summary, how does Talos™ II protect its users and their data?

Simply put, Talos™ II allows you, and only you, access to the data stored on a Talos™ II machine. There is no way an unauthorized third party can remotely access unscrambled PII; you can verify this yourself by simply reading through the firmware. To be extra safe, you can even disable all network-capable components—for instance, the remote functionality of the OpenBMC firmware.

Due to its lack of black-box, vendor-controlled firmware, Talos™ II won't put you in a situation where you have to decide whether to shut down the part of the business processing PII; if a serious vulnerability is ever found, you don't need to wait for the vendor to issue updates or to buy new hardware. All you need to do is patch, recompile, and deploy your update. Reaction time to firmware-based security threats is minimized as a result of this open model, and multiple organizations can even work together to develop patches for their machines—without sharing protected data.