various improvements

This commit is contained in:
lukas 2021-11-19 22:21:11 +01:00
parent 60afc86ddc
commit ff3367f1c2
2 changed files with 65 additions and 53 deletions

View File

@ -17,16 +17,18 @@ dateCreated: 2021-11-15T15:39:49.074Z
These instructions are valid for x86-64 computers that do ship with Linux, Windows or macOS.
Phyllome OS targets x86 systems with hardware-assisted virtualization, with a strong preference for those providing IOMMU as well (AMD Vi or Intel VT-d).
Phyllome OS targets x86 systems with hardware-assisted virtualization, with a strong preference for those providing IOMMU-based hardware-assisted virtualization (AMD Vi or Intel VT-d).
A CPU that supports hardware-assisted virtualization might not be enough, as the motherboard also requires to support this feature. Together with the lack of documentation, it makes the selection of a platform rather tricky.
{.is-info}
Sitting idle, Phyllome OS consumes approximately 1 CPU core and 1.5 GB of RAM.
> This requirement scales up with the number of virtual machines running on a dedicated OS.
> This requirement scales up with the number of virtual machines running on a dedicated host: the more virtual machines are running, the more ressources Phyllome OS will use.
{.is-info}
### Minimum requirements for Phyllome OS Desktop
* **x86-64** computer that supports the first generation of hardware-assisted virtualization features
* For AMD-based configurations, it means that AMD V is available and enabled
* For Intel-based configurations, it means that Intel VT-x is available and enabled
@ -35,16 +37,23 @@ Sitting idle, Phyllome OS consumes approximately 1 CPU core and 1.5 GB of RAM.
* **SSD**-based storage device to store disk images and Phyllome OS
* Any graphics card (Linux or macOS guests only)
> For Intel-based configurations, you can check if your model supports Intel VT-d by looking for your model [here](https://ark.intel.com/content/www/us/en/ark/search/featurefilter.html?productType=873&2_VTX=true).
{.is-info}
### Recommended requirements for Phyllome OS Desktop
* **x86-64** computer that supports the second generation of hardware-assisted virtualization features
* For AMD-based configurations, it means that AMD Vi is available and enabled
* For Intel-based configurations, it means that Intel VT-d is available and enabled
* For Intel-based configurations, it means that Intel VT-d is available and enabled.
* **8-core** processor
* **16 GB** of RAM
* **NVME**-based storage device to store disk images and Phyllome OS
* Two graphics cards or a graphics card that supports vfio-mdev or SR-IOV
> For Intel-based configurations, you can check if your model supports Intel VT-d by looking for your model [here](https://ark.intel.com/content/www/us/en/ark/search/featurefilter.html?productType=873&0_VTD=True).
{.is-info}
## Enable hardware-assisted virtualization
### Access the firmware
@ -88,7 +97,7 @@ shutdown /fw /r
* **macOS-based computers**
Hardware-assisted virtualization is a hit or miss on Apple computers, as there is no way to access the firmware on these computers. Apple users can jump to the section *Make sure that hardware-assisted virtualization is enabled* to check whether this feature is activated or not on their particular model.
Hardware-assisted virtualization is a hit or miss on Apple computers, as there is no way to access the firmware configuration tool on these computers. Apple users can go to the install section directly.
* **Other computers**
@ -96,32 +105,28 @@ Make sure the targeted computer is shut down.
During the POST phase, you need to press a certain key to access the firmware configuration tool for your motherboard, which is part of your BIOS or UEFI.
Just after pressing the `power-on` button, hit the right key to access the firmware configuration tool, usually <kbd>F2</kbd> or <kbd>Del</kbd>, but it depends on your model.
Just after pressing the `power-on` button, hit the right key to access the firmware configuration tool, usually <kbd>F2</kbd> or <kbd>Del</kbd>, but it may be another keystroke on your model.
> Do not hesitate to repeatedly press the pertinent key to make sure it is registered.
> Do not hesitate to repeatedly press the pertinent key as soon has your computer has started, to make sure it is registered.
{.is-info}
> Hardware manufacturers could not agree on a common keystroke to access the firmware configuration tool, so, if the given keys do not work out for you, please have a look at the documentation provided by the manufacturer of your computer.
{.is.info}
### Modify the firmware configuration
`to be done`
> Unfortunately, most firmware configuration tool do differ, and the steps here might not be identic on your own platform.
{.is-info}
## Make sure that hardware-assisted virtualization is enabled
In general, the sought after features are found under the `security` tab.
`to be done`
For an AMD-based computer, you need to look for references to `AMD SVM`, AMD V or AMD Vi. Conversingly, for an Intel-based computer, you need to look for `Intel VT-x` and `Intel VT-d`. It is also possible that the feature will be refered simply to as `virtualization`.
* **Windows**
Enable these options, choose to *save and exit* the configuration tool, which will reboot your computer.
* **macOS**
> While you are there, you could also change the boot order, to make sure that your computer will boot from an attached USB thumb drive first.
{.is-info}
* **Linux**
> Failing to activate hardware-assisted virtualization will make running virtual machines extremly slow, if possible at all. If, for some reasons, it cannot be activated on your computer, you would be better off picking a Linux distribution which doesn't require it, such as [Debian](https://www.debian.org/distrib/).
> Failing to activate hardware-assisted virtualization will make running virtual machines extremly slow, if possible at all. If, for some reasons, it cannot be activated on your computer, for example because of a lack of hardware support, you would be better off picking a Linux distribution which doesn't require it, such as [Debian](https://www.debian.org/distrib/).
{.is-warning}
---
*If the activation is successful, you can go to the next section [to prepare an installation medium](https://wiki.phyllo.me/deploy/medium).*

View File

@ -10,9 +10,45 @@ dateCreated: 2021-11-13T11:19:38.215Z
# Is Phyllome OS right for you?
## Phyllome OS editions and versions
> Phyllome OS is not production-ready.
{.is-warning}
### Versions
Phyllome OS exists in two main editions: **Phyllome OS Desktop**, which features a grahical desktop environment, and **Phyllome OS Server**, which does not. Phyllome OS Server is made for power users. It includes all virtualization enhancements that Phyllome OS Desktop provides.
If you don't know which one to choose, you should probably pick the Desktop edition.
### Editions
Each edition comes with several versions, optimized for a particular combinaison of hardware.
| | Intel graphics cards | AMD graphics cards | Nvidia graphics cards |
|---|---|---|---|
| *Intel CPU* | Phyllome OS Desktop II | Phyllome OS Desktop IA | Phyllome OS Desktop IN |
| *AMD CPU* | Phyllome OS Desktop AI | Phyllome OS Desktop AA | Phyllome OS Desktop AN |
> The first letter refers to the CPU manufacturer, the second letter to the GPU manufacturers.
{.is-info}
Depending of your hardware, you need to pick the right edition. For example, if you possess an Intel CPU and an AMD graphics card, you should pick either Phyllome OS Desktop IA or Phyllome OS Server IA.
| | Support since | |
|---|---|---|
| Phyllome OS Desktop II | Alpha |
| Phyllome OS Desktop IA | Beta |
| Phyllome OS Desktop AA | Beta |
| Phyllome OS Desktop AI | Beta |
| Phyllome OS Desktop AN | Release candidate |
| Phyllome OS Desktop IN | Release candidate |
> As of now, only Phyllome OS Desktop II, also known as `dhi`, is supported. In other words, you need to use a computer with both an Intel CPU and an Intel GPU to leverage Phyllome OS.
{.is-info}
## Limitations
Phyllome OS makes a few assumptions, including the following ones:
* **Virtual machines have become viable personal computing environments, including for desktop computing**
@ -22,8 +58,6 @@ Phyllome OS makes a few assumptions, including the following ones:
Some limitations directly result from these assumptions.
## Limitations
Relying on a virtual machine as its primarily personal environment has key advantages, such as the ability to more easily migrate to a new host computer or the ability to create multiple virtual computers out of a single physical computer. However, it also comes with several limitations in comparison to using a bare-metal operating system. Some of these limitations will be tackled or greatly reduced one day, others might not.
### Performance-related
@ -38,7 +72,7 @@ Relying on a virtual machine as its primarily personal environment has key advan
* **Increased general complexity**. Instead of running just an operating system on top of some physical hardware, any Phyllome OS user would need to manage it as well as their primarily guest operating system. As a result, it might be more difficult to troubleshoot an issue, and it will add a pile of code that the user has to trust.
* **Decreased general usability**. Any physical device attached to a computer won't automatically be made to a guest virtual machine. For some users, it might be considered a hindrance. Phyllome OS relies on Linux drivers. Not all hardware fully supports Linux well, which may force users to rely on device or controllers passthrough.
* **Decreased general usability**. Any physical device attached to a computer won't automatically be made to a guest virtual machine. For some users, it might be considered a hindrance. Phyllome OS relies on Linux drivers. Not all hardware fully supports Linux well, which may force users to rely on device or controllers passthrough. Finally, the use of Phyllome OS will severly reduce your laptop battery-life.
## Choosing a desktop-oriented OS
@ -54,47 +88,20 @@ How to read this table? For instance: *If you care most about virtualization and
> In general, the vast majority of users will stick to the bottom-right corner of the table, because that is the operating system that ships with their hardware.
{.is-info}
This table is not meant to be clear-cut, or definitive. Pull requests are welcome.
This table is not meant to be clear-cut, or definitive.
Phyllome OS is intended to be easy-to-use, but still isn't. Out of the box, Chrome OS [^1], or even Windows [^2], might be considered more secure than most Linux desktop-oriented distributions [^3], at the price of greatly limiting user freedom and privacy, however. Due to their tight integration, some BSD distributions might be considered more secure than some Linux distributions. People might find Windows easier to use than, say, Ubuntu. Finally, just as Phyllome OS, Qubes OS is compatible with running Windows-based guest systems. In other words, using virtualization, a user might be able to access more usable operating systems, and in the case of Phyllome OS, one may even host Qubes OS inside Phyllome OS, for instance to test out Qubes OS.
For example, Phyllome OS is intended to be easy-to-use, but still isn't, and Spectrum, which is based on Chromium OS, might well end up being easier to use. Out of the box, Chrome OS [^1], or even Windows [^2], might be considered more secure than most Linux desktop-oriented distributions [^3], at the price of greatly limiting user freedom and privacy, however. Due to their tight integration, some BSDs distributions might be considered more secure than some Linux distributions. People might find Windows easier to use than, say, Ubuntu. Finally, just as Phyllome OS, Qubes OS is compatible with running Windows-based guest systems. In other words, using virtualization, a user might be able to access more usable operating systems, and in the case of Phyllome OS, one may even host Qubes OS inside Phyllome OS, for instance to test out Qubes OS.
Also note that macOS or Windows can also be used to host virtual machines, just as any Linux or BSD distributions.
Also note that macOS or Windows can also be used to host virtual machines, just as any Linux or BSDs distributions.
[^1]: See for instance the paper [*Security of Google Chromebook* (PDF)](http://dhanus.mit.edu/docs/ChromeOSSecurity.pdf) by Katherine Fang, Deborah Hanus, Yuzhi Zheng.
[^2]: A common pain point for Linux security are desktop environments (DE), which have a limited user base scattered across many different DE: there is a lot of complexity due to adding desktop environments atop the Linux kernel and its associated tools. Simple bugs might still lurk in the codebase for a long time. See for instance [*Is the Linux desktop less secure than Windows 10: Or how super mario music can own your system* (PDF)](https://archive.fosdem.org/2017/schedule/event/linux_desktop_versus_windows10/attachments/slides/1730/export/events/attachments/linux_desktop_versus_windows10/slides/1730/fosdem_linux_desktop_security.pdf), by M.Hanno Böck (2017).
[^3]: Take for instance the boot process, or before an operating system effectively takes control over the hardware. Major operating systems editors that are working directly with OEM integrators have a distinct advantage over editors that aren't: these major editors have almost unlimited resources, sometimes almost perfect control over hardware, and can therefore tame the underlying hardware, effectively controlling, measuring and attesting the entire boot process. To implement a user-backed root of trust on a particular hardware platform, one would need to take several extra measures, relying on something like [Heads](https://github.com/osresearch/heads) which, among other things, involves physically flashing a more open firmware to a motherboard, a complicated process that is available for a few hardware platforms only. Fortunately, some hardware integrators like [Purism](https://puri.sm/) or [System76](https://system76.com/) are backing security measures straight into hardware platforms, while at the same time respecting user freedom.
[^3]: Take for instance the boot process, or before an operating system effectively takes control over the hardware. Major operating systems editors that are working directly with OEM integrators have a distinct advantage over editors that aren't: these major editors have almost unlimited resources, sometimes almost perfect control over hardware, and can therefore tame the underlying hardware, effectively controlling, measuring and attesting the entire boot process. To implement a user-backed root of trust on a particular hardware platform, one would need to take several extra measures, relying on something like [Heads](https://github.com/osresearch/heads) which, among other things, involves physically flashing a more open firmware to a motherboard, a complicated process. Fortunately, some hardware integrators like [Purism](https://puri.sm/) or [System76](https://system76.com/) are backing security measures straight into hardware platforms, while at the same time respecting user freedom.
> **Still undecided?** You can give Phyllome OS a try, as a live system booting off from a USB thumb drive, without impacting the existing operating system on your machine.
## Phyllome OS editions and versions
### Versions
Phyllome OS exists in two main editions: **Phyllome OS Desktop**, which features a grahical desktop environment, and **Phyllome OS Server**, which does not. Phyllome OS Server is made for power users or people that want more control. It includes all virtualization enhancements that Phyllome OS Desktop provides.
If you don't know which one to choose, you should probably pick the Desktop edition.
### Editions
Each edition comes with several versions, optimized for a particular combinaison of hardware.
| | Codename | Example | Target release |
|---|---|---|---|---|
| *Intel CPU and Intel graphics cards* | **II** | Phyllome OS Desktop II | Alpha |
| *Intel CPU and AMD graphics cards* | **IA** | Phyllome OS Desktop IA | Beta |
| *Intel CPU and Nvidia graphics cards* | **IN** | Phyllome OS Server IN | RC |
| *AMD CPU and Intel graphics cards* | **AI** | Phyllome OS Desktop AI | Beta |
| *AMD CPU and AMD graphics cards* | **AA** | Phyllome OS Server AA | Beta |
| *AMD CPU and Nvidia graphics cards* | **AN** | Phyllome OS Desktop AN | RC |
The first letter refers to the CPU model, the second letter the graphics card model.
Depending of your hardware, you need to pick the right edition.
For example, if you possess an Intel CPU and a AMD graphics card, you should pick either Phyllome OS Desktop IA or Phyllome OS Server IA.
---
*Please go to [the next section](/deploy/prepare) to prepare your host computer.*