On 03/13/2018 08:55 AM, brendan.h...@gmail.com wrote:

> If you bypass the onboard/whitelisted Ethernet and WiFi controllers and use USB
> connected networking, don't you strongly mitigate remote access via Intel ME?
> It cannot use hardware it doesn't have code to communicate with, right?
Wrong.
Haven't you read the rest of the thread with my posts?

It can do P2P DMA to any NIC. There was research on this topic a few years ago about using a hacked graphics card firmware to communicate over the network via P2P DMA to a NIC, or to a USB controller if you use a USB networking device. The myth of "just use another NIC and you'll be fine" was started by Purism to help sell their not-actually-libre laptop.

FYI:
ME/PSP is not subject to IOMMU restrictions.
It is impossible to disable ME/PSP; Purism, Dell and System76 are lying about that. With me_cleaner and the HAP bit, any mask ROMs and the ME kernel still run. Do you really think a hypothetical backdoor is that primitive? And as ME is a DRM feature (PAVP, Intel Insider, HDCP, etc.), it is illegal to do research into breaking the hardware code signing enforcement. Impossible = it would take years and so much money that you could create your own owner-controlled POWER or ARM laptop for the same price; by the time it was figured out the hardware would be very old and not available any more.

Why not just buy a non-ME/PSP computer? There are many owner-controlled choices (see the rest of my thread). I can't understand why people are so insistent on having the latest Intel hardware, and why people have the delusion that just by doing X they can be "safe". I doubt anyone can tell the difference between a 2018 CPU and a 2013 CPU (e.g. a Lenovo G505S with a pre-PSP AMD quad-core A10).

Brand new owner-controlled hardware is incredibly rare due to the amount of money it takes to make a motherboard, even a crappy SoC design (think millions); plus, unfortunately, now the only owner-controlled CPU arch is POWER. Ironically though, for once you have the *actually* libre hardware, the TALOS 2, which is faster and less expensive than what Intel would sell you for the same price ($2.5K for the CPU and mobo is a great deal; a non-free Xeon with that many threads and equivalent performance would cost more, and it wouldn't have PCIe 4.0, CAPI and all the other neat features).

Every time you purchase new Intel/AMD hardware instead of, for instance, a TALOS 2 (workstation/server) or Novena (laptop), you are contributing to future DRM/anti-feature development instead of the development of newer, better libre hardware. If the TALOS 2 is successful there are plans for a POWER mobile workstation laptop.

In case you don't want to read the rest of the thread:
Recommendations for Qubes 4.0:

Laptops:
Lenovo G505S - owner controlled, no ME/PSP, open source CPU/RAM init (blob for video and power management, but it can be replaced if someone does the work, and it is IOMMU restricted)

Workstations:
KCMA-D8 (MSRP $315 for the board)
KGPE-D16 (MSRP $415 for the board)
I play brand new games in a VM with IOMMU-GFX on mine.

Non-qubes workstation/server:
TALOS 2 - for virtualization, including IOMMU-GFX graphics attaching to a VM. Brand new, very high performance, libre, owner-controlled hardware, even including the CPU microcode; zero non-owner-controlled hardware-enforced code signing. I highly recommend the T2; while ATM Xen doesn't support POWER (and the devs rebuff help from IBM/Raptor), it is an excellent virtualization platform and the performance is very high.

Non-qubes laptops:
Novena - open source hardware laptop with libre firmware. NOTE: THERE IS NO IOMMU/HVM ON THE NOVENA.

If you really need 32GB RAM, an external graphics card, a docking station or a second battery on your laptop, there are also the W520 (32GB) and T420 (16GB), which both support Ivy Bridge CPUs and open source hardware init; you can nerf ME via me_cleaner/HAP bit (not disabled). I recommend a G505S instead, however, as it is much more free and secure.

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c6d30713-9a10-dea1-64ea-017d7b9042be%40gmx.com.
