Ask Slashdot: Why Are There No True Dual-System Laptops Or Tablet Computers?

dryriver writes: This is not a question about dual-booting OSs -- having 2 or more different OSs installed on the same machine. Rather, imagine that I'm a business person or product engineer or management consultant with a Windows 10 laptop that has confidential client emails, word documents, financial spreadsheets, product CAD files or similar on it. Business stuff that needs to stay confidential per my employment contract or NDAs or any other agreement I may have signed. When I have to access the internet from an untrusted internet access point that somebody else controls -- free WiFi in a restaurant, cafe or airport lounge in a foreign country for example -- I do not want my main Win 10 OS, Intel/AMD laptop hardware or other software exposed to this untrusted internet connection at all. Rather, I want to use a 2nd and completely separate System On Chip or SOC inside my Laptop running Linux or Android to do my internet accessing. In other words, I want to be able to switch to a small 2nd standalone Android/Linux computer inside my Windows 10 laptop, so that I can do my emailing and internet browsing just about anywhere without any worries at all, because in that mode, only the small SOC hardware and its RAM is exposed to the internet, not any of the rest of my laptop or tablet. A hardware switch on the laptop casing would let me turn the 2nd SOC computer on when I need to use it, and it would take over the screen, trackpad and keyboard when used. But the SOC computer would have no physical connection at all to my main OS, BIOS, CPU, RAM, SSD, USB ports and so on. Does something like this exist at all (if so, I've never seen it...)? And if not, isn't this a major oversight? Wouldn't it be worth sticking a 200 Dollar Android or Linux SOC computer into a laptop computer if that enables you access internet anywhere, without any worries that your main OS and hardware can be compromised by 3rd parties while you do this?

Because physical security is a myth

[casings]

End thread.

Duct tape another laptop to your main laptop

[DontBeAMoran]

'If the women don't find you handsome, they should at least find you handy.' — Red Green

Re:just run the 2nd OS in a VM and call it a day

[wbr1]

Or .. bring a decent tablet or chromebook. I have a gen 2 nexus 7 that I take for this. Has all my personal stuff, can get to work email if needed, great for personal banking/media/whatever in a hotel or airport. Small size, no potential for ANY exploit like an SOC that shares some other piece of HW and may have an unknown exploit leading back to storage on the host machine.

VMs divide up your resources dynamically

[OrangeTide]

A hardware division of your resources is problematic because they'll never be fully indepedent. They will at least share a keyboard, monitor and probably camera and microphone. So a route between each system is still possible to establish and may be difficult to protect with a hardware only solution.

From software side you can implement more complex policies and enforce them with virtualization. There are OSes specifically to address what you are looking for and do so at different layers, for example Qubes OS lets you do a VM per window and color codes them. And something like BitVisor has a narrower focus on protecting your VPN keys and encrypting your harddrive, from there you can dual-boot and have only your "business" system access certain encrypted partitions and use the VPN. without exposing that information to your personal system. (and vice versa if you choose)

But sadly there are a lot of problems with virtualization that is secure these days due to flaws in CPU architectures. I feel that these issues will be mostly if not completely resolved, but it may take two or three years.

Actually, there was at least one

[rickb928]

My now-ancient ASUS G50VT included ExpressGate. Based on Splashtop, burned into the BIOS ROM, manageable. Rudimentary Firefox browser, email client, Skype, and obviously hard to update. But it ran independently of any OS installed on storage.

Splashtop is now done, but it was also used by ASUS on some motherboards, and then endured obscurity, competition, and finally turned into something else.

It did work. It was pretty minimal, and could have been cool. And it certainly is possible today, even in BIOS, with flexibility and update capabilities, but somehow I don't see any of this on the market.

The obvious solution would be to embed ChromeOS or something similar, fairly lightweight and useful. This could let you keep your primary OS invisible.

Cost?

SplashTop

[DrYak]

actually some companies have indeed exactly tried that, with products such as SplashTop:

some of the first Dell laptops to feature "Latitude On" where exactly that: a special custom SOC in a specially modified mini-PCIe card, that was able to run some restricted Linux (a web kiosk and a few built in apps. basically a distant ancestror of the chromebook concept), while accessing the nornal regular laptop screen and keyboard (but not much beyond that and certainly no access to any Sata mass storage).

it had a few minor advantage (mainly, instant power-on, and lower power usage of the SoC compared to the main CPU)
but a lot of disadvantage (complexity and restrictions due to the switching concept)
and cannot be used at the same time as the main CPU with Windows.

eventually, later version of "Latitude On" evolves into exaclty what you're suggesting: the mini-PCIe card evolved into an SSD with a Linux installation on it, and the main CPU simply dual booted into either the Linux installation on SSD or the Windows installation on SATA HDD.

Re:just run the 2nd OS in a VM and call it a day

[whoever57]

You could also add a VPN and have the VM communicate with the Internet via the VPN.

Re:just run the 2nd OS in a VM and call it a day

[ctilsie242]

If truly worried, I'd just have a dedicated machine where the sensitive OS runs in a VM. You can even set up some secure remote access so you don't have to lug two machines around everywhere. In fact, I'd consider multiple separate VMs, one for each client, so a compromise doesn't mean everything is lost, just whatever is opened at the time.

Attacks where something jumping across or out of VMs is extremely rare. It can happen, but this is not a big attack vector, relatively.

Plus, if you store your VM on an eSATA or USB 3.1 drive, when done with it, just unplug the drive and toss it somewhere secure. $200 buys you a FIPS compliant external SSD with hardware encryption from Apricorn. This takes care of the DAR (data at test) element, regardless of the OS. From there, a PC with VirtualBox, Hyper-V, VMWare, or Parallels can run the VM.

Re:just run the 2nd OS in a VM and call it a day

[SvnLyrBrto]

It'a not that it's not feasible. It's that there's not a big enough market/demand that any manufacturer has bothered to offer that bit of kit. So suggestions for how achieve a similar end result are entirely appropriate. And at the end of the day, "Here's my idea for a device I would like and poses no particularly difficult or interesting technical challenge, but is not offered for sale... GIMME!" is not "news or nerds" or for anyone else. It's banal and trite water-cooler chit-chat at the very best.

If msmash and dryriver think it's such a good idea and are so put out that it doesn't exist; one of them should go get a job in product design at Dell or whatnot, do their own damn market research, and present a business case that there's enough demand for this thing to make it worthwhile to bring to market.