There’s a spectrum of openness when it comes to computers. Most people hover somewhere between fully closed – proprietary hardware, proprietary operating system – and partly open – proprietary hardware, open source operating system. Even if you run Linux on your AMD or Intel machine, you’re running it on top of a veritable spider’s web of proprietary firmware for networking, graphics, the IME, WiFi, Bluetooth, USB, and more. Even if you opt for something like a System76 machine, which has open firmware as a BIOS replacement and to cover some functions like keyboard lighting, you’re still running lots of closed firmware blobs for all kinds of components. It’s virtually impossible to free yourself from this web.
Virtually impossible, yes, but not entirely impossible. There are options out there to run a machine that is entirely open source, from firmware all the way up to the applications you run. Sure, I can almost hear you think, but it’s going to be some outdated, slow machine that requires tons of tinkering and deep knowledge, out of reach of normal users or people who just want to buy a computer, take it out of the box, and get going.
What if I told you there is a line of modern workstations, with all the modern amenities we’ve come to expect, that is entirely open? The instruction set, the firmware for the various components, the boot environment, the operating system, and the applications? No firmware blobs, no closed code hiding in various corners, yet modern performance, modern features, and a full, modern operating system?
Full disclosure: Raptor Computing Systems sent us the workstation as a loan, and it will be returned to them. They did not read this review before publication, and placed zero restrictions on anything I could write about.
Now you’re playing with POWER
Most people’s knowledge of and experience with the Power ISA begins and ends with Apple. The company used Power-based processors from 1994 until 2006, when it switched to using processors from Intel and the x86 ISA. Aside from Apple, there are two other major cornerstones of the Power ISA that most people are familiar with. First, game consoles. The GameCube, Wii, Xbox 360 and PlayStation 3 all used PowerPC-based processors, and were all widely successful. Second, various embedded systems use Power processors as well.
Aside from Apple, game consoles, and embedded systems, IBM has been developing and using processors based on the Power ISA for a long time now. IBM released the first Power processor in 1990, the POWER1, for its servers and supercomputers. They’ve steadily kept developing their line of processors for decades, and they are currently in the process of rolling out POWER10, which should be available later this year.
Other Power ISA processors you may have heard of, such as the PowerPC G4 or G5 or the various gaming console processors, do not necessarily correspond to IBM’s own POWERx generations of processors, but are implementations of the same ISA. The nomenclature of the Power ISA has changed quite a bit over time, and companies like Apple and Sony using their own marketing names to advertise the processors they were using certainly didn’t help. To this day, PowerPC is often used as the name of the entire ISA, which is incorrect. The proper name for the ISA today is the Power ISA, but the confusion is understandable.
The Power ISA, and related technologies, have been made freely available by IBM for anyone to use, and the specifications and reference implementations are open source, overseen by the OpenPOWER Foundation. The goal of the OpenPOWER Foundation is to enable the various partners involved in making Power hardware, like IBM, NXP, and others, to work together and promote the use and further development of the open Power ISA. In 2019, the OpenPOWER Foundation became part of the Linux Foundation.
With Apple no longer making any Power-based computers, and with game consoles all having made the transition to x86, you may be left wondering how, exactly, you can get your hands on this fully open hardware. And, even if you could, how exotic and quirky is this hardware going to be? Is this another case of buying discarded IBM POWER servers and turning them into very loud workstations with tape and glue, or something unrealistic and outdated no sane person would use?
Thank god, no.
Luckily for us, one company sells mainboards, POWER9 processors, and fully assembled POWER workstations: Raptor Computing Systems. Last year, they sent me their Blackbird Secure Desktop, and after many, many shipping problems caused by UPS losing packages and the effects of COVID-19, I can now finally tell you what it’s like to use this truly fully open source computer.
Specifications
The Blackbird Secure Desktop is built around Raptor’s Blackbird micro-ATX motherboard. This motherboard has a Sforza CPU socket, 2 DDR4 RAM slots compatible with ECC registered memory with a maximum combined capacity of 256GB, 2 PCIe 4.0 slots (16x and 8x), 2 gigabit Ethernet ports, another Ethernet port used for the BMC (OpenBMC – more on that later), 4 SATA ports (6Gb/s), more than enough USB options (4 USB 3.0, 1 USB 2.0), and two RS-232 ports (one external, one internal using a header). On top of that, it has a CMedia 5.1 audio chip and associated jacks, an HDMI port driven by the on-board ASpeed graphics chip, as well as the ASpeed BMC.
The board also comes with amenities we’ve come to expect from modern motherboards, like fan headers, an internal LED panel that displays the status of the motherboard, standard front panel connectors, a header for external audio, and so on. You also get a number of more exotic features, such as various headers to control the BMC, headers to update the open source firmware packages on the board, a FlexVer connector, and more. The only modern amenity that’s really missing from this board is an M.2 slot, which is something Raptor should really add to future revisions or new boards.
In what will be a running theme in this review, for an exotic non-x86 ISA, the Blackbird motherboard is decidedly… Normal. Anyone who knows their way around a regular x86 motherboard won’t be confused by the Blackbird. Neither the unique ISA nor the fact that the entire board is free from binary blobs makes it any harder to use than any other motherboard. Sure, the processor socket and the cooler mounting mechanism are a bit different, but even within x86 there are various different socket types and mounting mechanisms, so this is just another one to add to the list.
My preassembled machine came equipped with the base processor option – an IBM POWER9 processor with 4 cores and 16 threads, running at a base clock speed of 3.2GHz, with a turbo frequency of 3.80GHz. Unlike x86 cores, POWER9 uses four-way multithreading (or eight-way for the more exotic chips). This particular processor also boasts 48 PCIe lanes. You can also configure the Blackbird Secure Desktop with an 8-core variant, but higher core counts will most likely lead to instability and downclocking due to power delivery constraints. If you want more cores, you’ll have to step up to the single-socket Talos II Lite board or the dual-socket Talos II board.
My machine further came equipped with 64GB of registered ECC DDR4 RAM (running at 2666MHz) and an AMD Radeon Pro WX4100 GPU. To circumvent the lack of an on-board M.2 slot, my machine came configured with a PCIe M.2 adapter carrying a Samsung 960 EVO M.2 SSD at 500GB. All this hardware is housed in a relatively small generic Antec desktop-style micro-ATX case (with a stand for orienting the case vertically), and is powered by a standard 300W TFX power supply.
Performance is excellent, and benchmarks show that POWER9 processors can hold their own against competing x86 processors from Intel and AMD. Not once did I feel this machine was lacking in power, performance, or smoothness.
Of note here is that if you buy the Blackbird motherboard and CPU separately and build your own machine from there, you can use any regular PC case you want, as long as it can fit a micro-ATX motherboard. The same obviously applies to the power supply – if it’s ATX, you’re good to go. And while the board supports registered ECC memory, you can opt for cheaper, regular memory too. I’m guessing quite a few OSNews readers have a random case, PSU, and some DDR4 memory lying around, so if you’re interested in building a POWER9 machine, you won’t necessarily have to buy a lot of specialised, expensive equipment.
There’s an elephant in my room
One aspect where hardware like this decidedly differs from generic x86 is pricing. Exotic, niche hardware like this that eschews the large PC part makers is not cheap, and the Blackbird is no exception. Time to rip off the band-aid: a base configuration of the Blackbird Secure Desktop, with the 4-core/16-thread CPU, 8GB of ECC registered RAM, no dedicated GPU, and a 128GB Samsung NVMe drive will set you back $3,370. My model, with the bigger SSD, dedicated GPU, and 64GB of RAM is considerably more expensive at an estimated $5000. Buying just the motherboard with the base 4-core/16-thread processor and passive 2U CPU heatsink costs $1,732.07.
There’s no going around it: that’s a lot of money. You can get a lot of x86 for that – current processor and GPU shortage notwithstanding – and there’s going to be a lot of people here who would be perfectly fine with that. However, this hardware does offer the one thing other platforms simply cannot offer: complete openness. There isn’t any other platform that’s completely free and open source from top to bottom. Is that unique feature worth the price of admission?
If you’re tired of companies like Apple, Intel, Microsoft, and so on invading your privacy and taking ownership of “your” hardware, or in case you’re a journalist investigating serious corporate or government crimes – either in totalitarian dictatorships like China or in western democracies – it just might be. There’s really no other way to know for sure your hardware hasn’t been compromised.
These machines cost a lot of money, but that’s the price to pay for hardware you actually own, instead of just lease. Machines from x86 competitors don’t go beyond sort-of-but-not-really disabling the IME and some open firmware, which is obviously better than a fully locked-down machine, but nowhere near something like the Blackbird.
Are you sure this is exotic?
Taking the machine out of the box and setting it up is pretty much identical to any other computer, but the server-like architecture of the Blackbird does come with a few peculiarities that you won’t find in generic x86 hardware. Much like a server, the Blackbird has a BMC – running OpenBMC, an open source BMC firmware stack – that powers on first, the second you connect the PSU to the power outlet. It’s the BMC’s job to interface between the system-management software and platform hardware. OpenBMC is a tiny Linux distribution designed specifically for running on BMCs.
The BMC outputs to both the VGA port and serial, but most of us will use the former. Once the BMC has fully booted its Linux installation, you end up at a Petitboot menu, where you can select your preferred boot device.
Petitboot is an operating system bootloader based on Linux kexec. It can load any operating system image that supports the Linux kexec re-boot mechanism like Linux and FreeBSD. Petitboot can load images from any device that can be mounted by Linux, and can also load images from the network using the HTTP, HTTPS, NFS, SFTP, and TFTP protocols.
Petitboot might be one of my favourite features of the Blackbird. It automatically recognises any bootable medium, and can rescan for new media even once it’s already running. Think of it as a combination between a BIOS boot menu and GRUB, but easier to use than both. In Petitboot you can also check system logs, change individual boot options, exit to a shell for more control, and more.
From here on out, booting an operating system is pretty much identical to any other PC. Linux and several BSD variants are supported, with the more popular operating systems on POWER machines like these being Fedora and Void Linux. Installing these distributions is identical to installing their x86 counterparts, and the two distributions I tried, Fedora and Void, have outstanding support for POWER and work out of the box, without any additional hacks or tricks.
Actually running these distributions – I settled on Fedora myself – is almost an entirely uneventful experience. Everything just works, and other than actively searching for it, you’d be hard-pressed to find any signs you’re not running on x86. The repositories for Fedora seem fully covered, and even external projects such as RPM Fusion just work. I run Fedora 34 using Wayland, and that, too, works entirely flawlessly.
There are a few notes, however, about running Linux on POWER. First and foremost, the browser situation. Firefox is my preferred browser, but the POWER9 version is severely crippled because its JIT has not yet been ported to ppc64. This means anything more complex than basic web pages brings the browsing experience to a crawl, and using Firefox on POWER is, therefore, a very unpleasant experience. There is an effort underway to port the Firefox JIT to ppc64, but it seems it hasn’t been very active.
With Firefox being problematic on POWER9, the best browser to use is Chromium. The open source base for Google’s Chrome browser has been ported to ppc64 and works perfectly fine and without any issues, with my preferences definitely going to the Ungoogled Chromium version, so we don’t have to deal with any Google nonsense on a fully open source workstation. The installation is straightforward – add the repository and install it from there, or download the specific RPM for the latest release.
The second limitation of running Linux on POWER is one that is entirely obvious, but that I want to mention anyway. It’s an open door, but anything that is not or cannot be ported to POWER won’t run. There isn’t much of this kind of software – one of the strengths of the Linux world is the relative ease with which different architectures can be supported because of its open source nature – but it does exist.
An example of this is obviously video games. Steam, which thanks to Proton and native Linux games has turned Linux into a very capable gaming platform (I don’t run Windows at all anymore), doesn’t run on POWER, and while work on bringing Wine to POWER is underway, I doubt it will deliver usable performance for games. Interestingly enough, since Minecraft, one of the most popular games of all time, is written in Java, it runs just fine on POWER with a small modification. The latest version of Minecraft – 1.16.5 – is available for POWER.
Other than these two limitations, running Linux on the Blackbird is an uneventful experience. My biggest surprise while using Linux on POWER is just how… Pedestrian it all feels. If you’ve used Fedora or Debian or Void on x86, you’ve pretty much used them on POWER, too. For instance, I was pleasantly surprised to see that the very latest version of my Linux Twitter client of choice, Cawbird, was available in the Fedora ppc64 repositories without any issues, which you just wouldn’t expect from a non-essential app developed by a small team.
Adding a dedicated GPU
There is one other unique quirk of the Blackbird that straddles the line between software and hardware. The onboard ASpeed graphics chip isn’t exactly great – it maxes out at 1920×1080 with only usable performance – which means most people will want to add a dedicated GPU. However, adding a dedicated GPU requires loading a proprietary firmware blob, which goes against the very nature of the hardware. As such, if you are interested in a Blackbird because your use case requires 100% user-controlled, open source hardware without any proprietary code, you have no choice but to stick to the more limited ASpeed graphics or possible future fully open source graphics cards.
For people willing to make the concession and add a dedicated GPU, there’s a few steps you need to take that aren’t required on x86 hardware. The firmware required for your GPU needs to be loaded by the Linux video drivers in Petitboot, and a small area of the firmware’s flash storage – about 1.8MB – has been set aside specifically for firmware that needs to be loaded, and you need to copy the required firmware into this area.
Once you know which firmware files you need, it’s not a difficult process – especially not for people reading OSNews – but it is the only instance I’ve experienced where there is a marked difference between using Linux on regular x86 and using Linux on POWER. There’s room for making this process a little easier – maybe through a script or a tool that takes some of the guesswork and manual commands out of the equation – but making it easier to compromise the security of machines like this seems… Counterproductive.
In short, while using the onboard graphics is a must if you need to maintain the security of the machine, you at least have the option to move to a dedicated GPU for massively increased performance. Whether or not you feel comfortable doing so is a question I cannot answer. Firmware blobs like these have access to a lot of important areas of the system, so running unaudited, closed source firmware is a massive security risk.
Proceed with caution.
Some random Post-its®
I’ve noticed that quite a number of people with an understanding of why Apple transitioned to Intel in 2006 have a tendency to assume the Blackbird will be an overheating power hog. Nothing could be further from the truth, as the user-reported power consumption figures illustrate. The 300W power supply my system came with has no issues powering the hardware, and while POWER does run a little hotter than x86 processors tend to do (70-90°C), this is normal for POWER and the temperature range Raptor’s engineers aim for.
I am not a big fan of the case the Blackbird comes in, since its airflow is pretty terrible. The 2U CPU cooler the Blackbird Secure Desktop comes with is a passive heatsink, connected to the PSU fan through a duct, effectively meaning the PSU fan draws air past the CPU heatsink, exhausting it out the back. However, since the front of the case is almost entirely closed off, the influx of ambient air isn’t going to be great. The upside is that the case is quite small, and easy to stow away under or next to your monitor or desk.
Raptor and I are discussing the possibility of sending me the 8-core CPU with an actively cooled 3U heatsink, so I can transplant the mainboard into a bigger, airflow-optimised case. If this goes through, you can expect a follow-up article with some benchmarks comparing the 4-core CPU to the 8-core model, as well as information about if we can get some lower temperatures – and thus, less fan noise – using a bigger case, which is valuable information for people considering buying just the mainboard. If you would like me to test some of the BSDs or a specific Linux distribution, let me know, and I’ll see if I can write about that, too.
Note that aftermarket coolers do not exist; you can choose between Raptor’s fanless 2U cooler and the 3U cooler with a fan. While you could probably jerry-rig some Intel/AMD coolers with some redneck engineering and elbow grease, do so at entirely your own risk.
Conclusion
I’m rarely this positive in reviews, but I have to say I love the Blackbird. Having such a capable, modern workstation that is entirely open source, without any dubious, unaudited firmware blobs anywhere in the system is something I deeply appreciate. We’re in the middle of the war on general purpose computing, and it seems that every day we read the tech news, we learn of another consumer or user right that we seemingly give up without a fight to the likes of Apple, Google, Microsoft, Intel, and others.
The Blackbird, and its higher-end sibling the Talos II, is, as far as I know, the only fully open source alternative to the Intel and ARM machines that you lease, not buy. That you may use, not own.
That being said, the Blackbird has a number of problems, with the most obvious one being its price. The cost of admission to the front lines of this war is nothing to sneeze at, and it’s entirely unreasonable to expect someone who worries about the state of computing to just shell out this kind of money. Most people’s computing budgets – including my own, since our first kid is on the way! – simply do not have any room for $3000+ machines, and there’s nothing wrong with appreciating a machine like this without being willing to spend the money to own one.
Still, the mere fact a fully open source machine like the Blackbird exists at all is astonishing. Here we have a fully capable, easy to use and modern computer that is fully open source and free of proprietary code, that is barely distinguishable from a proprietary firmware-ridden PC or, even worse, Mac. All I can hope for is that Raptor, its customers, and its suppliers like IBM, can somehow, perhaps slowly, manage to bring the price down, making truly Free hardware accessible to more and more people.
Also a laptop would be nice but you know, baby steps!
The Blackbird Secure Desktop is an excellent piece of hardware, and a machine the current abysmal state of the computing landscape desperately needs.
Ouch, that pricing is a bit ridiculous from a price/performance standpoint. The whole “totally opensource” seems a very flimsy value proposition at that cost honestly.
A pity, I’d love to have a Power9 workstation to fart around with. I’ve always liked the Power architecture.
javiercero1,
It’s not for you if you don’t appreciate openness. To be perfectly honest I could seriously see myself using this instead of an x86 computer. It even has a BMC, which is awesome. I suspect quite a few of us would appreciate totally open hardware. Alas, at this price point it’s just not something I can afford. 🙁
Apparently, we both have similar appreciation for openness since neither of us consider this product to have enough of a value proposition to justify us purchasing it.
javiercero1,
Appreciation and having enough money are two independent variables. To quote Thom Holwerda:
Oh, congratulations Thom!
Compared to server and workstation stuff, the price isn’t that outrageous.
I’d really like to see something based on the A2O processor. That looks to be more inline with AMD’s and Intel’s consumer stuff.
They are being hopeful. Good luck finding anyone who can build a secure general purpose platform.
That supply chain thing again.
So you plugged it into the wall without a secure router? Oh, dear. It gets worse.
I’m just funning around. It was a very thorough review and raised lots of interesting points and made some nice observations especially from a manager’s or end user’s point of view. The issue of open and secure systems won’t go away and a system like this requires real expertise and a lot of resources to make the fullest use of it but it shows what is possible and opens up discussion so this is useful. Like you say, baby steps!
What’s the carbon footprint of this system, I’m pegging on a per-unit basis the answer is probably horrendous relative to the wider hardware platforms, so it seems like a huge barrow to push for a smallish benefit, and somewhat ironic!
Thom, would you consider using a kill-a-watt for reviews? Ideally several measurements for off/idle/heavy load…
Also, I’m really curious about the scalability of 4X threads per core. Are you open to benchmarking the systems you review?
An actually usable machine at “not such a steep” price? However, “without any proprietary code” is not 100% true.
As the article mentions, GPU runs a dedicated firmware code. But that is not the only extra code inside the computer. The HDD/SSD controllers are proprietary, and they are already known to be hackable attack targets: https://icmconference.org/wp-content/uploads/A14-VanK-HardDrive_Firmware_Hacking_ICMC-Copy.pdf .
And having open source BMC is very good, but might not be perfect. ASPEED chips used on POWER machines (among others) had known vulnerabilities: https://www.zdnet.com/article/bmc-caught-with-pantsdown-over-new-batch-of-security-flaws/
At the end of the day, this is still better than 99% of the things out there.
sukru,
That’s a good observation. Intel AMT has had some sinful vulnerabilities in its proprietary firmware and is a good incentive to move away from closed proprietary systems, but at the end of the day open firmware is only part of the solution. We also need the code to be audited. A compelling case could be made for these subsystems to be running formally verified kernels. This would really raise the bar for secure systems compared to typical x86 systems of today.
Alfman,
BMCs are double-edged swords. They are really helpful, but also have insecurities by design.
It goes without saying they should be behind a firewall, and in a separate LAN (or VLAN). But that is not enough. For example, SuperMicro variants can have password resets from a local shell (I could not find a definitive answer on OpenBMC one).
So, if an exploit somehow gains local root (which is already very bad), it can in theory leave behind backdoors through the BMC:
https://serverfault.com/questions/85042/is-it-possible-to-reset-the-password-on-a-supermicro-ipmi-interface
Computer security used to be much simpler… 🙁
Yes, you are right. It’s not just supermicro either.
Virtually all admin tools can potentially open up attack surfaces. The capabilities of SSH can be invaluable, even though enabling it opens up a greater attack surface. A VPN is simultaneously useful and yet can open up new potential lines of attack. The way I see it, there are legitimate and even mandatory use cases to use these kinds of admin tools. When used properly, they can offer a high degree of security. However it really sucks when we’re forced to rely on proprietary blobs in positions of trust and acting as gatekeepers. I do not consider this acceptable at all, however x86 vendors for their part (ie intel, dell, hp, etc) are collectively guilty.
Ideally to me the BMC would just be a very simple low power SBC that runs the user’s operating system of choice without relying on anything proprietary. Maybe running off an SD card or something where you could set the write-protect tab if you are paranoid enough.
Actually we are in luck 🙂
https://pikvm.org/
I have forgotten about this project. Back in time I took a look, but realized my soldering skills were not good, and passed it. But it will allow a Raspberry PI (4 or ZeroW) to handle 90% of the BMC tasks (and 2, 3 for a smaller subset).
It even supports the REDFISH standard, which modern BMCs use to communicate.
There is a bit of work, and requires external connectors for USB, power control, and a HDMI->Camera converter.
sukru,
That is super awesome! The product is still in pre-order, and I’d rather buy a turnkey product than build it myself, but I am definitely interested!
“The kit will cost about $130 – or less, we are working to make it as cheap as possible.”
I really hope they have a good case that covers up the exposed breadboards and wires, since that’s not really production ready. Apart from that, this looks like it could be way better than the proprietary stuff I have now!
Alfman,
It actually looks nice in the case, and can be used with a KVM, too: https://youtu.be/dTchVKxx7Fo?t=265
Nitpicking here, but Nintendo Switch is ARM…
Q: Could this platform play games…?
It is a perfect workstation for pretty much anything. I could play many games (provided that they have source codes) without any issue at all, been documenting my exploration in https://www.youtube.com/watch?v=erNb_5mFypw&list=PLDegflDdH9RKn08gkPWb_v71hhMFFeTD6
We obviously have very diverging definitions on what “perfect” means. Ha ha.
I think a $5K workstation to run a 20 year old game at low frame rate is a bit suboptimal gaming experience, but that’s just me…
Yes, this is not a gaming computer, it is more for professionals and scientists. But being able to support some games is a plus (to me), a workstation should be fun.
The GPU performance is pretty much on par with x86_64 just because amdgpu binary blob is exactly the same.
So the AMD drivers work natively on the PPC with full acceleration? That’s pretty good news. I knew that AMD had opensourced a lot of the linux driver, but I didn’t know if it was a portable deal that allowed AMD GPUs to work on non-x86 systems.
In fairness, I’m pretty sure the game is locked at 75Hz. It stays that the entire video, no matter what is happening on screen.
Heh. “Open” just means it’s easier for the original supplier or anyone else with access (retailer, courier, software repository maintainer, coworker) to create a malicious/trojan clone of the hardware/firmware/software; and often (for open source projects like OpenBMI which tend to rely partly on poorly vetted and unpaid volunteers) it’s easier for an attacker to become a developer and slip something in the original. This means that you end up having to trust more people more; which makes security worse.
Note 1: I’m assuming that nobody is able to verify that what they bought actually matches the original “open” design; which is a very reasonable assumption given that it’d take some extreme equipment and a huge amount of time (e.g. electron microscope and many decades) to check.
Note 2: The only true basis for trust is the consequences of being proven untrustworthy later (e.g. “I can trust you because if you break that trust you will lose profit”). From this perspective there’s also minimal basis for trust as the company itself is a small high risk venture.
Higher price for “same or worse” security isn’t a great proposition.
In addition; there’s also no alternative suppliers. You lose the ability to switch from one motherboard manufacturer to another, or from Intel to AMD, or …. This means that the risk of “vendor lock in” (which is arguably the biggest problem for products from companies like Apple and Microsoft) is also “same or worse”. Lack of diversity has other problems too (e.g. lack of competition between hardware manufacturers to drive prices down).
Brendan,
Your point is certainly true for hardware, which is difficult to validate. But the same criticism doesn’t really apply to open drivers & firmware. Obviously you’re right that open drivers can’t solve hardware trust issues, but it’s still incrementally better over proprietary drivers.
Unfortunately though this trust is often ill founded in practice. Whether intentional or not, manufacturers of proprietary devices including intel, dell, HP, cisco, and on and on continue to produce exploitable code. We need to make a commitment to improve or else I have no doubt that we will go in circles repeating the same mistakes over and over again. Open source is a good start because it reduces the need for implied trust in proprietary blobs. We’d make a lot of progress by phasing out dangerous programming languages one project at a time. And long term we should be training students on formal code verification so that eventually more programmers could apply verification skills to real world systems. I think these are good plans, but it’s another thing altogether to actually get the industry to actually implement them. I’m afraid the most likely outcome may just be more of the same..
Bringing prices down is a matter of scales of economy, which may prove very difficult to overcome. For better or worse the market usually follows the incumbents.
Hardware-wise, I agree. But software/driver wise, FOSS is actually one of the best ways we have to combat vendor locking.
There’s loads of cherrypicking and bikeshedding in this topic. Nobody has yet touched on tiered security. Basically, a generic x86 Windows XP system with a no-name motherboard and components when behind layers of tiered security and isolation is 1000 times more secure than this product will ever be without proper use.
HollyB,
What are you talking about? Exploits come out in proprietary x86 products every year. We need a multi-pronged approach to solve the software/firmware security issues that have plagued our industry for decades. If we keep going down the same path of insecure languages, unverified & unverifiable proprietary blobs, implicit trust in parties with privileged access and so on, it’s going to be more of the same. We’re not going to get a new outcome unless we work hard to get there. Better security is achievable if we choose to adhere to better standards and transparency than in the past, but I concede that the willingness may not be there.
In your example you need to put a lot of trust in the equipment around the Windows XP box. It is hard to find good hardware that you can trust, especially when it is tied to proprietary software.
In this case the hardware you start off with can be trusted. Of course trusting yourself/the end user is another essential step, but that is independent from this.
I addressed all this in my comment at the bottom. It’s all about degrees of assurance and tiered security with options on or off depending on your use case which itself is a security issue all of its own etcetera. There’s no single answer as it involves so many variables. I’m not religious about proprietary versus non-proprietary because, again, variables.
“That being said, the Blackbird has a number of problems, with the most obvious one being its price. The cost of admission to the front lines of this war is nothing to sneeze at, and it’s entirely unreasonable to expect someone who worries about the state of computing to just shell out this kind of money. Most people’s computing budgets – including my own, since our first kid is on the way! – simply do not have any room for $3000+ machines, and there’s nothing wrong with appreciating a machine like this without being willing to spend the money to own one.”
But there are people like me that have been willing to buy computers around $2,500 (both my wife and I have iMacs —with pretty much everything upgraded – upgrade memory was from Crucial, not Apple —) and I used to have 5 PCs which I dual booted each to different OSs while running sometimes up to a half dozen virtual PCs on them so they were loaded with ram. These were PCs, not Apple. I also had 4 older servers running different NOSs (network OSs – none being MS because I love up time, not headaches) with different email systems to see how all the different OSs and NOSs were compatible to each other or not. This was geek paradise to me while it lasted until I got burned out.
During that time period I *might* have thought about buying one of these machines. I wonder if OS/2 runs on the Blackbird.
PS: Ask them if the name has anything to do with the Beatles and the song Blackbird. I would ***definitely*** ask if I were you since I’m a big Beatles fan who has most of their albums in 5 languages and all date different formats ranging from time period (meaning first edition) 45s and albums including “Picture Albums” which has the picture on the album cover on the records themselves. I geek out on multiple things, including motorcycles. I don’t just hide in a basement. 😉
Well, apparently you can get the mobo+8-core CPU for $2K, so if you have a spare ATX case and components, you can get on that $2.5K budget ;-).
If I were a betting person, I’d think the “blackbird” monicker may have to do more with the Mach-3 SR-71 plane, as the name conjures speed.
I’m not sure I quite understand how much openness one really gains with something like the Blackbird, as opposed to just careful selection of ordinary x86 components.
Thom writes:
> Even if you run Linux on your AMD or Intel machine, you’re running it on top of a veritable spider’s web of proprietary firmware for networking, graphics, the IME, WiFi, BlueTooth, USB, and more. Even if you opt for something like a System76 machine, which has open firmware as a BIOS replacement and to cover some functions like keyboard lighting, you’re still running lots of closed firmware blobs for all kinds of components. It’s virtually impossible to free yourself from this web.
Let’s consider all these blobs individually:
• WiFi and Bluetooth: Thom doesn’t mention anything about WiFi and Bluetooth on the Blackbird. I assume it doesn’t have them, and so any workstation without them is just as open in this regard.
• Networking: my understanding is that most desktop-class ethernet hardware doesn’t utilize driver-loaded firmware. As reported by ethtool, they do apparently contain some sort of firmware, presumably factory installed. Thom doesn’t tell us anything about the Blackbird’s NICs: do they not have such firmware? Do they have open source firmware?
• Graphics: As Thom himself concedes, with the Blackbird you have a choice between onboard “not exactly great” graphics, or installing a performant GPU that uses non-free firmware. But isn’t that the case with x86 as well? If you want open, just use Intel graphics, which have open source drivers and work fine without firmware (IIUC, GuC / HuC firmware is entirely optional).
• USB: I admit ignorance here: do USB controllers use firmware? If so, what do the Blackbird’s USB controllers do – do they work without firmware, or do they have open source firmware?
• IME: Certainly a concern, although it can apparently be disabled, and some x86 machines are shipped with it disabled.
• BIOS: This (along with the IME) is probably the biggest issue. The x86 solution is coreboot hardware, as Thom himself notes.
So at the end of the day, if you’re using x86 with coreboot, from Purism or System76, and you have similar components to the Blackbird (no WiFi or Bluetooth, Intel GPU, etc.), how are you “still running lots of closed firmware blobs for all kinds of components,” and why is it “virtually impossible to free yourself from this web”?
Honestly, I think the whole “openness” is more of a marketing gimmick to try to justify the poor value proposition from a price/performance point.
The target audience are people with relatively sophisticated IT skills, so that same audience can just buy a more performant Ryzen system for 1/3 or less of the price… and they know how to lock down the respective ports in their router if privacy from some malicious management engine (which I don’t think it’s that common in the AMD world) is of that much of a concern.
It’s neat they managed to get a full blown ATX motherboard for Power9 though. Pity about the cost. I wonder if this could work for the Amiga folk. I think they also had some custom ATX boards with PPC parts on them at some point.
atrocia,
I agree with your points in principle. The problem with x86 is that it is difficult to avoid Intel & AMD proprietary firmware. It’s true we can disable some features, but not everyone actually wants to disable features. For example I actually benefit from AMT, these features can be extremely useful for admins, but I just wish the damn thing were open source you know? If I disable the feature, I’m left having to purchase more dumb proprietary gear (like a Lantronix Spider), which is expensive and their tech support treats small customers poorly. Often times we’re left with zero good options for voting with our feet. You raise valid points about closed peripheral hardware, but even so these open initiatives are a move in the right direction and I applaud them for it. I wouldn’t mind replacing some of my x86 servers, unfortunately I’m quite price sensitive.
As a long-time (quite satisfied) Blackbird owner I wanted to comment on a few items here…
Yes, I have my Blackbird wired in as there is no WiFi. I’m also the kind of person that doesn’t use WiFi after the recent EU/US lockdowns, so this is a “don’t care” in my book.
They do indeed have open source firmware.
Those Intel graphics require both the Intel ME and various “management” cores that are still being discovered. Not exactly a great option there — while the AMD GPU firmware can’t exactly just go extract data from the rest of the system, the Intel ME certainly can!
There is no firmware, either in a kernel-loaded or on-chip form, for the USB 3.0 controller on the mainboard. Other platforms definitely use firmware, and there are even reports of that firmware being potentially malicious in the form of arbitrary platform DMA.
Nope! IME cannot be disabled. It must always run during system startup and then only afterward (on those “disabled” machines) it’s politely asked to go into an undocumented mode where it doesn’t appear to respond to certain outside stimuli. The problem with that is that for all we know the mode switch just changes what it responds to — you can’t prove a null hypothesis here with the data available. Look up the “BUP” modules for just a piece of what still runs on the Intel ME in “neutered” or “disabled” mode.
See above — coreboot is only the second level firmware (best case) and, unfortunately, also has the well-deserved moniker “shimboot” on x86 due to mostly gluing together / sequencing various large proprietary binaries on the majority of x86 platforms.
Given the above points, including the fact that the Intel ME in reality cannot be disabled, your argument only really holds for the GPU and disk on-board controllers. The interesting part about that is that the GPU and disk controllers are both very easy to sandbox / work around — GPU via the IOMMU (why should the GPU need to read / write arbitrary data to the system?) and encryption for the disk controllers (what the controller never sees cannot, by definition, be stolen / leaked).
For me, the cost was worth it to have a trustable ring 0 / ring 1. For others, it’s entirely possible they’d rather buy a cheap x86 laptop each year and just throw it out a few years later at end of support. Choice is a good thing, the world would be quite boring if everyone was the same and used the same computer.
whitepines,
I appreciate all the info you provided in your post!
Do you know for a fact whether Blackbird uses the IOMMU to isolate the GPU/disk controllers or was the point hypothetical?
I’m left with a question about sandboxing the GPU using IOMMU in conjunction with unified memory APIs (for example CL_MEM_ALLOC_HOST_PTR)… How exactly would graphics drivers open up IOMMU apertures into host address space? Is every single allocation mapped into the IOMMU? Is the entire process mapped? When it comes to the IOMMU there always seems to be a perpetual balancing act between performance and isolation.
I ask because a very similar issue comes up with Thunderbolt devices where external peripherals actually have DMA access on the host. This was an absolutely terrible design IMHO, but anyways the official solution is to stick it all behind an IOMMU. The issue is this has been fraught with security/performance trade-offs: either giving a device too much access, or relying on inefficient bounce buffers for enforcement resulting in bad performance.
Yeah. I think it’s best not to be dependent on proprietary stuff in the first place because the community can support it long after the manufacturer loses interest. It’s an easy choice to make, but sometimes it can be a challenge as a consumer to find open hardware. A lot of new IoT devices fit in this category. There’s tons of hardware out there and it’s getting quite cheap too, but it can be extremely difficult to find something open unless you go the DIY route. There’s nothing wrong with DIY, but sometimes you just want something that’s production ready AND is open source & open API.
We need a store like Amazon dedicated to exclusively open hardware!
Yes it does, it’s basically part of how POWER works in terms of the PCIe controllers. While x86 tends to run in permissive mode, Power defaults to strict mode where the peripheral is only allowed to access specific pre-configured areas of memory by the IOMMU hardware. I have seen constant EEH faults (bad / blocked DMA) with certain peripherals, but at the same time that gives me confidence that the system is indeed blocking the invalid DMA the peripheral was trying to do.
For more information on the controller than you could ever want, check out the datasheets and specifications.
I’ve only partly glanced through the controller datasheet myself, it’s quite dense:
https://wiki.raptorcs.com/w/images/a/a5/POWER9_PCIe_controller_v11_27JUL2018_pub.pdf
https://wiki.raptorcs.com/w/images/6/6c/IODA2WGSpec-1.0.0-20160217.pdf
Exactly, every single range the card needs is opened up (and closed) dynamically in the IOMMU by the driver. Without that configuration of the IOMMU, the PCIe controller would detect the invalid access, block that same access, stall the bus, and raise an error to the OS (EEH). I’ve seen that happen firsthand with some of the early AMD GPU drivers, but haven’t seen it any more from those same GPUs (a couple of AMD RX series something or others) with the newer 5.x series kernels.
Performance is quite good, but that’s largely because IBM designed the PCIe controller and IOMMU properly. I’ve heard many stories of x86 systems that were less well designed and the performance loss and other issues that came with that.
I’ve even passed the AMD GPU through to a virtual machine on the Blackbird, which makes it fairly easy to do low level driver development. The same translation system is used to do that passthrough as is used to isolate the card from the host, if that makes sense?
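Added example, not part of any comment in this thread: the exchange above turns on whether the IOMMU actually confines each device's DMA, and on Linux that can be audited from sysfs. The sketch assumes the generic `/sys/kernel/iommu_groups/<N>/type` attribute of recent kernels (reported as `unknown` where a kernel or platform lacks it); the function names and the sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Values of /sys/kernel/iommu_groups/<N>/type per the Linux sysfs ABI.
DOMAIN_MEANING = {
    "DMA": "translated, strict invalidation",
    "DMA-FQ": "translated, lazy (batched) invalidation",
    "identity": "passthrough: DMA is not translated",
    "blocked": "all DMA blocked",
    "unmanaged": "translations managed by an IOMMU API user such as VFIO",
}
UNISOLATED = {"identity", "unknown"}


def audit_iommu_groups(sysfs_root="/sys"):
    """Return [(group_id, domain_type, [device names])], sorted by group id."""
    base = Path(sysfs_root) / "kernel" / "iommu_groups"
    if not base.is_dir():
        return []  # no IOMMU groups: IOMMU absent or disabled
    groups = sorted((g for g in base.iterdir() if g.name.isdigit()),
                    key=lambda g: int(g.name))
    report = []
    for group in groups:
        type_file = group / "type"
        # Older kernels have no per-group "type" file; report that as unknown.
        domain = type_file.read_text().strip() if type_file.is_file() else "unknown"
        dev_dir = group / "devices"
        devices = sorted(d.name for d in dev_dir.iterdir()) if dev_dir.is_dir() else []
        report.append((int(group.name), domain, devices))
    return report


def unisolated_devices(report):
    """Devices whose DMA is untranslated, or whose status cannot be read."""
    return sorted(dev for _, domain, devs in report
                  if domain in UNISOLATED for dev in devs)


def shared_groups(report):
    """Groups with several devices: the IOMMU cannot separate their members."""
    return {gid: devs for gid, _, devs in report if len(devs) > 1}


def build_sample_tree(root):
    """Constructed sample layout (not captured from a real machine)."""
    sample = {
        0: ("DMA", ["0000:00:00.0"]),
        1: ("identity", ["0000:01:00.0", "0000:01:00.1"]),
        2: ("DMA-FQ", ["0000:02:00.0"]),
        10: (None, ["0000:03:00.0"]),  # kernel without the "type" attribute
    }
    for gid, (domain, devs) in sample.items():
        gdir = Path(root) / "kernel" / "iommu_groups" / str(gid)
        (gdir / "devices").mkdir(parents=True)
        if domain is not None:
            (gdir / "type").write_text(domain + "\n")
        for dev in devs:
            (gdir / "devices" / dev).mkdir()  # real sysfs uses symlinks here
    return root


def demo():
    """Run the audit over the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_iommu_groups(build_sample_tree(tmp))


if __name__ == "__main__":
    for gid, domain, devs in demo():
        print(gid, domain, DOMAIN_MEANING.get(domain, "no type attribute"), devs)
```

Calling `audit_iommu_groups()` with no argument reads the live `/sys` tree; an empty result means the kernel exposes no IOMMU groups at all.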
whitepines,
Indeed, an IOMMU makes it trivial to attach a device to a VM because it’s such a straightforward mapping.
I think it’s much harder to use IOMMU to isolate peripherals on the host because now all the associated drivers are involved. It becomes especially complex inside operating systems that optimize data transfers using shared memory buffers and zero-copy DMA. This is super efficient and secure assuming the owner trusts their PCI hardware. But it starts to break down when an IOMMU is required in order to securely isolate DMA from external peripherals.
Here’s a link to give an idea of what I mean:
https://www.lightbluetouchpaper.org/2019/02/26/struck-by-a-thunderbolt/
This is why I think Thunderbolt security is fundamentally broken. Anyways I realize that I’m really off topic here… thanks for answering my questions!
Interestingly, POWER9 is immune to the attack against Linux in that paper. From the PHB4 datasheet:
https://wiki.raptorcs.com/w/images/a/ad/P9_PHB_version1.0_27July2018_pub.pdf
> “No PCIe ATS services support”
ATS is a very bad idea conceptually, and it seems IBM agreed.
Thanks for the detailed explanation. I appreciate in particular the clarifications of how the problems with coreboot (“shimboot”) and Intel’s ME are deeper than I understood.
A few follow-up questions:
> They [the Blackbird’s NICs] do indeed have open source firmware.
Can you provide more details, and / or a link to information about this?
> Other platforms definitely use firmware [for their USB controllers], and there are even reports of that firmware being potentially malicious in the form of arbitrary platform DMA.
Can you provide links to the use of firmware and to the reports you mention?
It sounds like this system has a ways to go to be a reasonable daily driver even for relatively sophisticated users, but someone has to get the process started so we can get economies of scale and build community interest in getting more software ported, etc. One blocker for this to be my main system would be Qubes OS support; fortunately, it looks like some work on that is underway (https://github.com/QubesOS/qubes-issues/issues/4318).
As someone who uses a Debian Blackbird as a daily driver, I’m honestly curious (other than Qubes) what you think still needs work?
Sure, I can’t play proprietary games on it, and Firefox could use help, but I have a dedicated gaming PC with Steam for games and Chromium is a reasonable (very fast) alternative to Firefox on the Blackbird. It was installed graphically from a USB stick just like I would do on an x86 box, so I wonder what I’m missing?
I can (and have) switched off IME on my old Thinkpad laptop. You can also block its ports at a router. I could if I wanted to easily open the case and remove all the wifi and bluetooth aerials and 3G modem and speakers and microphones and webcam. The graphics is integrated Intel. My laptop used cost one tenth what this did and one third new. If I wanted security I wouldn’t plug it into the internet. Data can be transferred by DVD or floppy, or scanner and printed paper for the paranoid. Good luck breaking into that even if it was running an unpatched version of Windows 2000.
First there’s the memory. Not just the usual suspects such as BIOS or hard disc but the half a dozen or so components on the board with a few megabytes or a few kilobytes you have forgotten about. Is it read only or re-writable? You do have a read only BIOS, right? If writable a hardware switch guaranteed to make it read only, right? Programs and data are indistinguishable. Stop and think about that. Then there are all the other vulnerabilities at a board level but this is a nightmare beyond the scope of this discussion. Then there is the ROM in your mouse and other external devices. Oh, whoops.
Then there is the surrounding ecosystem. You guys are running at least two routers, right? No don’t tell me you’re plugged straight into the wall or hotspotting. Who has access? Where do you use it? One of the joys of a 15 inch clunker is it’s a disincentive to carry it around and leave it with that nice student I’ve been chatting with while I dash off to the loo.
I’d call this product (mostly) open access but I wouldn’t call it secure. I don’t personally see why the majority or almost all or maybe all computers cannot be open access. For various reasons you can lock things down in specific ways if necessary either before it leaves the factory or when you receive it. Some stuff will almost certainly be locked down at the point of manufacture. This will either be by leaving components out or blowing fuses. Am I bothered by CPU level OS code? Not especially as it serves a purpose. Am I bothered by locked down baseband code? No and for the same reasons. The same arguments extend out to closed versus open software. They both have their merits and demerits. Some people need fully auditable and others don’t. Some have this level of access and can’t be bothered or don’t know how to ensure it is bug free let alone secure. Developers and end-users have different use cases too.
One of the best securities is don’t vote an idiot into power. No computer only pen and pencil required plus a good walk outside.
So when people say “security” what do they mean by security? Security from what? From whom? Someone else or you? YMMV.
HollyB,
Please don’t chastise me just for commenting, but I think it’s extremely important to shine a light on this topic of disabling privileged ME vendor code in the context of proprietary firmwares, which I thank you for bringing up.
The IME is not designed to be disabled. While BIOSes can provide some options to set some flags that the ME checks to disable certain features like vPro or temporarily stop the ME from grabbing the bus, Intel’s proprietary management engine code is still there running in the background. It’s proven difficult to patch out entirely because Intel still uses the ME for normal system management tasks and they employ a watchdog to reset the system when the ME isn’t responding (ie because the user hacked it out of the firmware).
https://www.intel.com/content/dam/support/us/en/documents/motherboards/desktop/sb/intelmebxsettings_v02.pdf
http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
As far as I’m aware, these researchers were the first to discover the existence of the “HAP bit”, accessible with a flash programmer. I’m not aware of a BIOS where this is easy for owners to get to, but if anyone knows otherwise, please comment.
https://www.bleepingcomputer.com/news/hardware/researchers-find-a-way-to-disable-much-hated-intel-me-component-courtesy-of-the-nsa/
I remember when vendors including System76 and Purism were working hard to disable ME without affecting functionality back in 2017 too. Apparently even Dell provided the option at one point, but it was retracted shortly thereafter…
https://www.zdnet.com/article/computer-vendors-start-disabling-intel-management-engine/
https://www.dell.com/community/Laptops-General-Read-Only/Deactivating-Intel-ME/td-p/5188150
This is so suspect that I believe Dell was pressured behind the scenes to remove the option.
IMHO what needs to happen is what zdnet proposed:
The note about 8 core / 32 thread CPUs being potentially unstable is incorrect. I’ve had my Blackbird since the mid-spring of 2019 (pre-ordered it in 2018), and it’s been running the 32 thread CPU, 64GB of RAM, a couple of SSDs (now three NVMes), and an AMD GPU flawlessly since then. According to the BMC, the CPU is idling at 38 watts. I routinely peg all 32 threads for extended periods of time when compiling things / running VMs, and I’ve never once had a system crash. It is utterly reliable under load.