| Aspect | Talos II | Modern Intel or AMD x86-64 System |
|---|---|---|
| Hardware Initialization Firmware | Early hardware initialization is performed by the SBE, the firmware for which is open source and user-modifiable. | Early hardware initialization is performed by the Intel Management Engine (ME) or AMD Platform Security Processor (PSP), a closed-source vendor-signed blob which cannot be modified. |
| Microcode | POWER9 lacks horizontal or vertical microcode, aside from a few instructions which use a hardcoded sequencer. All instruction decode logic is hardcoded. | Microcode is provided by the vendor as an encrypted and vendor-signed blob, decrypted and verified by the CPU during boot. It cannot be examined or modified. |
| Auxiliary Processor Code | A number of auxiliary processors on the CPU chip perform thermal and power regulation. The code for these processors is open source and user-modifiable. | The number or purpose of any auxiliary processors on Intel and AMD x86-64 designs is not well documented, though at least one such processor is known to exist on current AMD x86-64 designs (the "System Management Unit"). More may exist. The code for these processors is not open source; it is unclear whether it is user-modifiable. |
| Boot Firmware | Ships with open source and user-modifiable firmware. | A typical vendor x86-64 system uses closed source boot firmware, and in some cases (where "Intel Boot Guard" is used) it may not be user-modifiable either. Although open source boot firmware such as Coreboot is available, on modern x86-64 systems it incorporates vendor-supplied binary blobs to perform essential platform initialization. |
| Management Firmware | Ships with OpenBMC, an open source and user-modifiable IPMI stack. | A typical x86-64 server uses a closed source IPMI stack, which may or may not be user-modifiable. |
| FPGA Firmware | The Verilog source code for the FPGA used for power sequencing is open source. The specific FPGA used was chosen because an open source toolchain exists for it. (As a result, the bitstream can be built on the Talos II itself, allowing self-hosted firmware development.) | A typical x86-64 board may or may not use an FPGA or microcontroller for power sequencing; if one is used, the bitstream or source code is generally not available. |
| NIC Firmware | The integrated BCM5719 Gigabit Ethernet NIC has closed-source but user-modifiable firmware. The device is behind the system IOMMU, so the security threat posed is limited. Work on writing open source replacement firmware is ongoing. Usage is optional; the device can be disabled. An alternative NIC could be used via PCIe. | Varies by board and I/O peripherals. |
| SAS/SATA Firmware | The optional PM8068 SAS/SATA controller has closed-source firmware. It is unknown whether it is user-modifiable, but the firmware is of a size and complexity likely to make development of an open source replacement infeasible. The device may be disabled, and boards may be ordered with the SAS/SATA controller not present. An alternative storage controller could be used via PCIe. Note: since all known SAS/SATA HDDs/SSDs use proprietary firmware, the security advantages of open source storage controller firmware appear limited. The IOMMU protects the system from malicious I/O devices, including both storage controllers and storage devices. | Varies by board and I/O peripherals. |
| Board Schematics | Provided with all shipped boards. | Generally not available. |
| Secure Boot | Optional secure boot functionality with an owner-controlled root of trust for both firmware and OS. | Secure boot configuration varies by vendor. The root of trust for OS kernel verification is generally configurable, but the root of trust for vendor firmware may be locked to the vendor. |
| Trusted Boot | An optional FlexVer module is planned to provide trusted boot. Its emphasis on physical tamper-proofing provides greater resilience against physical attack than a standard TPM. Firmware will be open source and user-modifiable. | TPM-based, generally as an optional module. Almost always vulnerable to physical attack (e.g. TPM reset attacks). Currently available TPMs are understood to have closed-source firmware. It is unknown whether this firmware is user-modifiable. |
| DRM | Does not contain DRM functionality. | Contains DRM functionality for protection of video content. |
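The NIC and SAS/SATA rows rest on the IOMMU containing a peripheral whose firmware cannot be audited. Whether that containment actually holds for a given device depends on the IOMMU being enabled and on the device sitting alone in its IOMMU group; a device that shares a group with others is not DMA-isolated from them. The following script is an added example, not code from the Raptor wiki or any Talos II project: it reads the Linux sysfs layout `/sys/kernel/iommu_groups/<group>/devices/<pci-address>` (present on both x86-64 and POWER9 hosts when the IOMMU is active) and reports which devices are isolated. The PCI addresses in `build_sample_tree` are constructed for the demonstration and do not correspond to any real board.

```python
"""Report IOMMU group membership and device isolation from a sysfs-style tree.

Linux exposes /sys/kernel/iommu_groups/<n>/devices/<bdf>/ for every device
under IOMMU control. If that directory is absent the IOMMU is off or
unsupported, and no peripheral can be considered contained by it.
"""
import tempfile
from pathlib import Path

DEFAULT_ROOT = Path("/sys/kernel/iommu_groups")


def enumerate_iommu_groups(root=DEFAULT_ROOT):
    """Return {group_number: [pci addresses]} read from a sysfs-style tree.

    An empty dict means no IOMMU groups exist (IOMMU disabled or not present).
    """
    root = Path(root)
    groups = {}
    if not root.is_dir():
        return groups
    for group_dir in root.iterdir():
        if not group_dir.name.isdigit():      # skip anything that is not a group
            continue
        devices_dir = group_dir / "devices"
        devices = sorted(p.name for p in devices_dir.iterdir()) if devices_dir.is_dir() else []
        groups[int(group_dir.name)] = devices
    return groups


def isolation_report(groups):
    """Map each device to (group, isolated).

    isolated is True only when the device is the sole member of its group,
    i.e. the IOMMU can fence its DMA from every other device on the host.
    """
    report = {}
    for group, devices in groups.items():
        for dev in devices:
            report[dev] = (group, len(devices) == 1)
    return report


def build_sample_tree(base):
    """Create a constructed sysfs-like tree for offline demonstration.

    The addresses below are hypothetical and not taken from any real system.
    """
    layout = {
        0: ["0000:00:01.0"],                   # hypothetical root port, alone
        1: ["0000:01:00.0"],                   # hypothetical NIC, alone: isolated
        2: ["0000:03:00.0", "0000:03:00.1"],   # two functions sharing one group
    }
    for group, devices in layout.items():
        for dev in devices:
            (Path(base) / str(group) / "devices" / dev).mkdir(parents=True)
    return Path(base)


def demo():
    """Run the report against the constructed sample tree and return it."""
    with tempfile.TemporaryDirectory() as tmp:
        return isolation_report(enumerate_iommu_groups(build_sample_tree(tmp)))


if __name__ == "__main__":
    live = isolation_report(enumerate_iommu_groups())
    if not live:
        print(f"no IOMMU groups found under {DEFAULT_ROOT}: devices are not IOMMU-contained")
    for dev, (grp, alone) in sorted(live.items()):
        print(f"{dev}: group {grp} {'isolated' if alone else 'SHARED'}")
    print("--- constructed sample tree ---")
    for dev, (grp, alone) in sorted(demo().items()):
        print(f"{dev}: group {grp} {'isolated' if alone else 'SHARED'}")
```

Run it as root or any user on a Linux host; an empty live report is itself the finding, since it means the "behind the IOMMU" argument in the table does not apply to that machine. A shared group is the case to look at before trusting the isolation of a device with closed firmware.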