> How about Google Chromebooks which have a system to auto-restore the OS if
> it thinks it's been tampered with..?

Doesn't that imply trust in Google, who is known to cooperate with NSA and such (as required by US law)?

I have had serious problems with a hacked Android phone, and the "weirdness" went away when I avoided installing Google Play Store/Services. The minute I install Google Play, it appears to be compromised, accessing files and uploading constantly. (A device should download, not upload, lol.)

Personally, I have little doubt that Google has backdoors in Play Services for law enforcement, and I also have no doubt that those backdoors have been misused for inappropriate/nefarious purposes (LOVEINT style).

So Chromebooks, no. Unless everything is open source top to bottom, and I can build it myself. But who has time for that.

> Or what about a read-only BIOS in the first place..?
>
> Is there any reason BIOS can't be read-only..?

Lol, that seems like the most basic, logical, simple answer, that I've never seen implemented. A simple switch or jumper could disable the write line on the BIOS flash. In the (very) rare case when you need to flash a BIOS (especially rare on older machines), flipping the switch or connecting the jumper would be such a minor inconvenience.

I'm tempted to look up the specs of the flash BIOS chip on my motherboard, and see if I can hack in that tweak myself.

I've noticed that with my flashrom reading/comparison, that the beginning of the BIOS area changes when I change BIOS settings, and corresponds to the stuff dumped by 'dmidecode.' Does this mean that your BIOS settings are actually stored in the same flash rom as the BIOS? If so, I'm not necessarily sure that the same write-line-jumper hack is any worse. Maybe even better. It'd also protect against any BIOS setting changes. Are there any BIOS setting changes that *need* to be updated on the fly by the BIOS without user intervention? (If the settings are indeed typically stored in the same flash.)
Whenever I reboot, I see some "updating nvvm blah blah blah" thing, which implies that maybe there are some writes to the BIOS settings upon boot. One way to find out, lol... (Looks at soldering iron...)

This motherboard is on its last legs (after a poweroff, it's real cranky to wake up, takes reconnecting the power a dozen times or more before it fires up), so experimenting with making the BIOS flash chip read-only isn't a terribly risky project. Will report back with any results if I try it.

> I basically want a computer which is most easy to wipe/reinstall and then
> it's truly wiped.

Computers should have *zero* state in the first place, as in days of old. The state should be kept on your storage devices, operating system, etc.

I seem to recall an article on that particular point, maybe even by the legendary Joanna herself. Google, Google, Google... (Actually, Duckduckgo, Duckduckgo, Duckduckgo):

Yeah, it was, God love her:

http://blog.invisiblethings.org/2015/12/23/state_harmful.html

JJ
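
Added example, not part of the original message: a small Python script for the kind of dump comparison described above, reporting which byte ranges differ between two flash images read with flashrom. The function names, the `gap` merge threshold and the sample images are assumptions constructed for illustration.

```python
"""Report which byte ranges differ between two firmware dumps of the same chip."""
import sys


def changed_regions(old: bytes, new: bytes, gap: int = 16):
    """Return half-open (start, end) ranges where the dumps differ.

    Differences separated by at most `gap` identical bytes are merged, so one
    rewritten settings block is reported as a single region.
    """
    if len(old) != len(new):
        raise ValueError("dumps differ in size; not the same chip or layout")
    regions = []
    for off, (a, b) in enumerate(zip(old, new)):
        if a == b:
            continue
        if regions and off - regions[-1][1] <= gap:
            regions[-1][1] = off + 1      # extend the current region
        else:
            regions.append([off, off + 1])
    return [tuple(r) for r in regions]


def report(old: bytes, new: bytes, gap: int = 16):
    """Format each changed region with its offset, size and position in the image."""
    return [
        f"0x{s:08x}-0x{e - 1:08x}  {e - s} bytes  ({100 * s / len(old):.1f}% into image)"
        for s, e in changed_regions(old, new, gap)
    ]


def constructed_sample():
    """Constructed 4 KiB images (not real firmware): erased flash plus edits."""
    old = bytes([0xFF]) * 4096
    new = bytearray(old)
    new[0x40:0x48] = b"SETTINGS"   # stand-in for a changed settings block
    new[0x50] = 0x01               # nearby byte, merged into the same region
    new[0x800] = 0x00              # isolated change elsewhere
    return old, bytes(new)


if __name__ == "__main__":
    if len(sys.argv) == 3:         # usage: script.py before.bin after.bin
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            old, new = f1.read(), f2.read()
    else:
        old, new = constructed_sample()
    print("\n".join(report(old, new)) or "dumps are identical")
```

Reading the chip twice without changing anything and confirming an empty diff first rules out read errors before a difference is attributed to a settings change.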