Hello,

On 6 April 2018 at 15:05, Holger Levsen <hol...@layer-acht.org> wrote:

> On Fri, Apr 06, 2018 at 09:22:52AM +0000, 799 wrote:
> > As mentioned I have also drafted a how-to to set up Coreboot on a X230,
> > including building the pi, flashrom and extracting Blobs.
>
> out of curiosity: does resume work reliably for you? For me it didn't
> with coreboot (and the free VGA bios) but it does with legacy bios...

As described in the howto, I have extracted the vga.rom from my own BIOS files. I can use resume and the laptop reconnects its network adapters as soon as it wakes up. So far no issues at all.

I've run into one problem when I tried to start my AppVMs after flashing coreboot.

Problem: Some VMs were unable to boot (sys-net and also some other AppVMs).

Error message: Get the message

    PCI device <qubes.ext.pci.PCIDevice object at 0xblablabla> does not exist

Solution: Following the suggestions mentioned here and removing some devices which don't make sense.
https://github.com/QubesOS/qubes-issues/issues/3619

    qvm-pci ls <APPVM>
    qvm-pci detach <APPVM> <DEVICE>

I had to open Qubes Settings for the sys-net VM to assign the Wifi Network controller back to the VM. It got lost after flashing coreboot.

> > The coreboot config I have used is here:
> > https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230-configfile
>
> thanks, depending on your answer to the above question I probably
> compare yours with mine ;)

Can you share your config file? I am sure that there is room for improvement in my config.

> > I wrote the how-to as I need to look at several places to get everything
> > together for example how to extract Blobs, how to merge two bios files into
> > one etc.
> > It seems to me that if I run Coreboot with grub + encrypted boot, there is
> > no need to run anti evil maid, as the boot partition can't be messed with.
> > Is this correct?
>
> mostly. The boot partition cannot be messed up but the components of
> your computer can be changed (eg a keyboard controller recording your
> keystrokes) and anti-evil-maid is designed to also detect those attacks.
> However these attacks are also much more sophisticated and require more
> time and are harder to do than just replacing a kernel image on an
> unencrypted boot partition.

Ok, I have not yet understood all the pieces of anti evil maid and of course you are right that replacing my keyboard with a keyboard which has a keylogger installed will make my system reasonably insecure. On the other hand, I don't think that I am a high profile target and if this would change, I guess there are much easier ways to get the data/information.
https://en.wikipedia.org/wiki/Enhanced_interrogation_techniques
... :-o

[799]