From: Alyssa Ross
To: devel@spectrum-os.org
CC: Molly Miller, Michael Raskin <7c6f434c@mail.ru>
Subject: [PATCH www 2/1] design.html: mention aarch64 as well as x86_64
Date: Sat, 21 Nov 2020 15:23:14 +0000
Message-Id: <20201121152314.15152-1-hi@alyssa.is>
In-Reply-To: <20201118120116.21390-1-hi@alyssa.is>
References: <20201118120116.21390-1-hi@alyssa.is>
X-Mailer: git-send-email 2.27.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
List-Id: Patches and low-level development discussion

Michael is right that aarch64 is probably suitably performant at this
point.

I also improved the arguments here a bit as it was lacking before.
For example, the "huge attack surface" (of the Management Engine) link
pointed to a talk that wasn't about the ME at all, but about a
backdoor in VIA's instruction set.

Cc: Michael Raskin <7c6f434c@mail.ru>
---
I'd like to continue to link to x86 Considered Harmful somewhere in
the text, but couldn't figure out how to fit it in since there's not
really anywhere I'm talking about x86 specifically rather than all
architectures. I'd appreciate suggestions for how I might do that.

 design.html | 47 +++++++++++++++++++++++++++++------------------
 1 file changed, 29 insertions(+), 18 deletions(-)

diff --git a/design.html b/design.html
index f683ed4..3c0e37d 100644
--- a/design.html
+++ b/design.html
@@ -113,19 +113,28 @@ configuration file. This use case should be kept i= n mind when writing the Nix API for Spectrum.

-While Spectrum is expected to largely run on personal computers, most -of which will almost certainly use the x86_64 architecture, this will -not be the only architecture given first class support by Spectrum. -One of the advantages to Spectrum's Linux base is the extremely wide -hardware support that Linux offers, and, beyond that, x86_64 -is notably -untrustworthy, especially with -the huge attack -surface of -the In= tel -Management Engine -/ AMD -Platform Security Processor. +Spectrum is expected to largely run on personal computers, most of +which will almost certainly use the x86_64 or aarch64 architectures. +Unfortunately, these common architectures are the most lacking in +terms of trustworthiness. All require unauditable proprietary blogs +to boot, and +the In= tel +Management +Engine, AMD +Platform Security Processer, +and ARM +TrustZone, all of which are constantly running highly privileged, +unauditable code. A backdoor or compromise in any of this code could +give complete access to the system, invisibly to running the operating +system. As more functionality is moved into these environments, the +attack surfaces grow larger and larger, and +already many +vulnerabilities have been demonstrated in the most studied of +these systems, Intel's Management Engine. Fears of backdoors are not +unjustified either =E2=80=94 VIA C3 x86 CPUs used in personal computers = have +been found to contain +a hardware +backdoor allowing local privilege escalation.

I would like Spectrum to additionally have first class support for at @@ -133,13 +142,15 @@ least ppc64le. This is the only other architecture= that can come close to the sheer performance x86_64 can offer at the high end, and in stark contrast to x86_64, it is possible to buy a new ppc64le (POWER9) system that does not require any proprietary firmware that -cannot be inspected and audited. A blocker for POWER9 support is an -support in crosvm for virtualizing that architecture, which is outside -the expertise of anybody currently working on Spectrum but would be a -very welcome contribution. +cannot be inspected and audited. One of the advantages of Spectrum's +Linux base is the extremely wide hardware support that Linux offers, +so the only blocker for POWER9 support is support in crosvm for +virtualizing that architecture, which is outside the expertise of +anybody currently working on Spectrum but would be a very welcome +contribution.

-Ideally, all Spectrum packages, x86_64 and ppc64le, would be built on +Ideally, all Spectrum packages, for all architectures, would be built on POWER9 hardware. Even if a user has to trust the x86_64 computer available to them, anti-freedom firmware, undocumented backdoors and all, they would be able to benefit from binary packages that were -- 2.27.0
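
Review bot: in the first hunk (@@ -113,19 +113,28 @@) the added paragraph has two spelling errors, one of which changes the meaning: "unauditable proprietary blogs to boot" should read "proprietary blobs", and "Platform Security Processer" should be "Processor", as it was spelled in the lines being removed. The sentence that starts "All require unauditable proprietary blogs to boot, and the Intel Management Engine, AMD Platform Security Processer, and ARM TrustZone, all of which are ..." never gets a verb for its second half, so the firmware components are listed without the text saying what about them; give that clause its own verb or split it into a second sentence. "invisibly to running the operating system" should be "invisibly to the running operating system", and since the paragraph now names exactly two architectures, "Both require" reads better than "All require".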
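
Review bot: in the second hunk (@@ -133,13 +142,15 @@) the unchanged context still uses x86_64 as the only point of comparison ("the only other architecture that can come close to the sheer performance x86_64 can offer", "in stark contrast to x86_64", "has to trust the x86_64 computer available to them"), which no longer matches the new paragraph that puts aarch64 alongside x86_64, nor the commit message's remark that aarch64 is suitably performant. Consider updating those lines to cover aarch64 as well, or stating why ppc64le is still singled out. The rewrite also turns "A blocker for POWER9 support" into "the only blocker for POWER9 support", which is a stronger claim than the original made; keep "a blocker" unless crosvm support really is the sole remaining obstacle.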