LinuxCNC on non-backdoored hardware - what are the options?

More
20 Oct 2021 16:56 - 20 Oct 2021 17:43 #223686 by Octoplex
Hello, 
I would like to install LinuxCNC on multiple machines for a secure project.

We cannot use backdoored CPUs. Therefore, all Intel and AMD processors post-2005 are unusable for our manufacturing project. This is on account of the chip-on-chip surveillance engines present in almost all post-2005 CPU hardware (IME on Intel / PSP on AMD).

Because of this problem, we have plans to design our CNC-router and robot-arm control systems based on PowerPC970 chips. We can repurpose these from G5 PowerMacs. I have now been tasked with researching different software we can use on these secure CPUs, rather than writing our own from scratch.

I like the look of LinuxCNC.

I understand that LinuxCNC runs using the RTAI (Realtime Application Interface) patch. I can see on the RTAI site that older versions of RTAI supported PowerPC. Does anyone here know what the latest version of RTAI to support PowerPC / secure CPUs was?

Is anyone here running LinuxCNC on secure hardware, or are most LinuxCNC systems based on these newer backdoored-chip architectures?

Alternatively, I'm also considering reverting to m68k processors, as they are also secure, and were supported by RTAI. We would prefer, however, to use the PowerPC970x series, as these are the fastest available chips currently available in volume (on the second-hand market) for those who wish to build a secure manufacturing system without surveillance backdoors.

Obviously, we could air-gap our manufacturing systems and just use the compromised post-2005 hardware, but we would like our manufacturing systems to be operable remotely.

I'd love to hear from anyone who has bulit a secure LinuxCNC system using PowerPC or m68k hardware. Thanks!
Last edit: 20 Oct 2021 17:43 by Octoplex. Reason: typo
The following user(s) said Thank You: arvidb

Please Log in or Create an account to join the conversation.

More
20 Oct 2021 18:03 #223693 by spumco
I'm not an expert on hardware security, but Purism appears to offer an IME-disabled computer:

puri.sm/products/librem-mini/


A quick internet search revealed a few other vendors as well.  You may not be stuck with old hardware.

 

Please Log in or Create an account to join the conversation.

More
20 Oct 2021 18:24 - 20 Oct 2021 18:28 #223695 by Octoplex
Thank you for this suggestion. I looked into Purism and had a short conversation with them. The problem is that Purism have yet to offer a non-backdoored system, as their roadmap is incomplete.

Purism are working backwards to fix compromised hardware.
We'd like to begin secure.

To use a metaphor: We want to build a safe LinuxCNC-based 'swimming pool' for our engineers to 'swim in' as they work. Purism offer the (yet-to-be-reached) goal of muzzling the 'shark' (IME / PSP) in the water. But we'd prefer a pool which never had a 'shark' in to begin with 

Hope this makes sense.
Last edit: 20 Oct 2021 18:28 by Octoplex. Reason: typo

Please Log in or Create an account to join the conversation.

More
20 Oct 2021 20:36 #223701 by PCW
It may be simpler to use a RT-Preempt kernel than RTAI

Please Log in or Create an account to join the conversation.

More
20 Oct 2021 21:01 #223705 by Octoplex
Thanks for the suggestion to look at an a RT-Preempt kernel.
I will investigate this option.

Please Log in or Create an account to join the conversation.

More
20 Oct 2021 21:29 #223709 by tommylight
Let's get one thing out of the way:
I am a highly paranoid computer user with a lifetime of professional experience, still i have over 10 PC's on 24h, all running Linux, and i am fully aware of the amount of data they send ....
So i do understand what you are trying to achieve, but using old hardware implies using old software, and that poses a security risk as they might not broadcast data but might get hacked into by using vulnerabilities inherent in them.
On the other side, a bit of effort usually proves fruitful by choosing new-ish software with lite GUI/DE and forcing it to work on older systems, did that a lot several years back, still have a HP thin client with Geode 1GHz processor running LinuxCNC 2.7 nicely.
Questions:
-are you designing new boards or using existing?
-by 68k you mean 68000 Motorola processors?
-how about using pre 2005 Xeon workstations?
Answers (maybe):
-search for Debian Dog LinuxCNC, over 200MB ISO ready for use, should run on pretty much anything from PIII@700MHz
-search for coolcnc iso, over 50MB ISO ready for use, should run on anything from PII@300MHz
-using new Debian with lite Desktop environment works on quite old systems, Core2 for sure works nicely
-having a go at installing RT kernel and LinuxCNC on Porteus Linux is also an option as that is still updated and maintained and is extremely lite and very low on resources.

Please Log in or Create an account to join the conversation.

More
21 Oct 2021 00:42 #223724 by rodw
I really don't see using a obsolete CPU is a viable alternative. I know the problems of that chip after using an imagesetter in the printing industry. This was a film recorder capable of 4800 dpi. The demise of that chip series basically obsoleted  the Mac based RIP software driving the device as it was written for that chip set. My experience was before 2005 so why would it be a viable option now?

Please Log in or Create an account to join the conversation.

More
21 Oct 2021 03:59 #223773 by rollfree
And what about RPi4?
It works well. Whether with Mesa or with EtherCAT, for example.

And isn't it enough just to get rid of the possibility of communication to the world? Even if there is some coprocessor spying, the information will never leave the PC.

Please Log in or Create an account to join the conversation.

More
21 Oct 2021 07:16 - 21 Oct 2021 07:19 #223786 by Octoplex

are you designing new boards or using existing?


We'd like to use existing boards.

by 68k you mean 68000 Motorola processors?


Yes, they are non-backdoored and (later chips) are capable, but we'd prefer to use something more modern.

how about using pre 2005 Xeon workstations?


I'll look into this. Do you happen to know the best Intel-based industrial workstation from 2005? Or some idea of the reliable manufacturers who were producing off-the-shelf machines for this purpose around this time? It's hard to determine this through searches.

We're also looking at AMD options, since AMD did not backdoor their CPUs until several years after Intel. I have found a list here of non-backdoored AMD CPUs. Again, however, I am finding it difficult to determine precisely which manufacturers and workstations from this era are advisable to use for industrial applications.

Obviously, I can just build custom systems from these older, secure components. But, I wondered if anyone knew of any good off-the-shelf complete-workstations using these non-backdoored AMD CPUs?

Thanks again for everyone's help on this topic!
Last edit: 21 Oct 2021 07:19 by Octoplex. Reason: fixed link

Please Log in or Create an account to join the conversation.

More
21 Oct 2021 07:30 - 21 Oct 2021 07:33 #223789 by Octoplex

And what about RPi4?


Sadly, this solution is also backdoored . We looked into the modern single-board options,like the RPi4, but there appears to be a problem with secure computing across the industry today. The only viable option seems to either air-gap a modern, backdoored, surveillance system CPU, or use a processor manufactured from 2005 or prior (Intel) or 2012 or prior (AMD).

Since we don't want to air-gap, or support surveillance-based CPU manufacturers, it looks like the way forward is to retrace the 'evolution' of computing to the point before CPUs were backdoored, and for us to choose a system that can be trusted.
Last edit: 21 Oct 2021 07:33 by Octoplex. Reason: typo

Please Log in or Create an account to join the conversation.

Time to create page: 0.172 seconds
Powered by Kunena Forum