"Their objective is good." Talking about Purism here, not Intel :)
Le dim. 15 avr. 2018 08:52, Thierry Laurion <thierry.laur...@gmail.com> a écrit : > To Taiidan and all others complaining about Purism lies and consumer being > misled. > > I keep reading stuff about purism lying about deactivating/disabling ME > being impossible, lying about the future of Intel removing ME, etc. I think > THIS is misleading. > > First, its me_cleaner job to do the cleaning. > The ME hack itself won't remove ME, but can remove modules by stripping > them. There is a big semantic difference between the words removing, > disabling and deactivating, I agree. Me_cleaner won't remove ME, that is > true. But all this ranting is not factual. > > See here: > https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit > > From > https://github.com/corna/me_cleaner/blob/master/README.md: > > "For pre-Skylake firmware (ME version < 11) this tool removes almost > everything, leaving only the two fundamental modules needed for the correct > boot, ROMP and BUP. The code size is reduced from 1.5 MB (non-AMT firmware) > or 5 MB (AMT firmware) to ~90 kB of compressed code. > > Starting from Skylake (ME version >= 11) the ME subsystem and the firmware > structure have changed, requiring substantial changes in me_cleaner. The > fundamental modules required for the correct boot are now four (rbe, > kernel, syslib and bup) and the minimum code size is ~300 kB of compressed > code (from the 2 MB of the non-AMT firmware and the 7 MB of the AMT one)." > > To have Intel without ME ( but also without vt-d2, meaning no IOMMU) one > will need to choose old hardware, like the x200, which will not have more > then 8gb ram and won't support hardware isolation, so no real advantage of > using Qubes. > > x230 and x220 and others will boot with deactivated ME, booting with ROMP > and BUP present, true, but without kernel and no other modules. > > The rest of what you say, I agree. But oversimplifying things doesn't > fulfill the goal of making people aware of what is needed now and in the > future. Maybe Intel will change their way of fusing keys into the CPU when > they realise a lot of money is going out of their pocket to privacy > defending manufacturers. Maybe not. Time only will let us know. Their > objective is good. They might now success against Goliath, but really > trying their best for actual possibilities. ( IOMMU, minimal ME footprint, > disabling ME the same way it is done for three letters agencies laptops). > > > Until brand new laptops can fulfill IOMMU needs for certain threat models, > there is few alternatives now. > > Tl;dr: > Used laptops: > Having IOMMU without ME/PSP (Qubes): Lenovo g505s. > Removed ME, without IOMMU: x200. > Disabled ME with IOMMU (Qubes): x230/x220. > > New laptops: > Deactivated ME, with IOMMU (Qubes): Purism Librems. > > Desktop/Servers: > Used: > With IOMMU (Qubes), no ME/PSP: kgpe-d16, kcma-d8 > New: > With IOMMU (no Qubes): Talos II. > > Let's start a real debate aimed at improving stuff and building proper > arguments. > Pressure against manufacturers will build with market laws, and energy > should be put where things can evolve in the meantime. > > For my part, I wouldn't recommend using a x200 other then for amnesic > laptops. > G505s are not powerful and tough enough to run Qubes as a daily driver. > > ME is a really nasty piece of shit to deal with, agreed. But things needs > to move forward. Hiding in a cave waiting for things to magically happen is > not enough. > > Thierry > > > > > Le mer. 11 avr. 2018 16:57, taii...@gmx.com <taii...@gmx.com> a écrit : > >> On 04/11/2018 03:14 AM, Drew White wrote: >> >> > On Wednesday, 11 April 2018 16:55:48 UTC+10, tai...@gmx.com wrote: >> >> What you ask for is impossible, it simply isn't made - no one has a >> >> laptop with 64GB RAM and 12 threads let alone one that is old enough to >> >> not have UEFI. >> > I know that they exist, and I would have one if I had enough money. But >> they do exist. As for UEFI (Microsofts shit invention) if I can disable it >> or else just replace it with an actual REAL BIOS, then I will. >> You can't do that unless the computer supports coreboot and the new >> stuff doesn't. >> >> The best you will get is a W520 or W530 where you can install coreboot >> >> (open hw init + nerfed ME) and have 32GB RAM. >> > Can the CPU be upgraded in those though? >> Yeah its socketed. >> >> I suggest buying a W520 and installing the best ivybridge CPU you can, >> then you get the better non-chiclet keyboard and it is also better >> supported in coreboot the port for the W530 was never upstreamed. >> >> Purism is not libre - their "open source firmware" has hardware >> >> initiation done entirely via binary blobs and their ME is certainly not >> >> disabled as the kernel still runs along with any hypothetical backdoor. >> >> Their marketing is incredibly dishonest and I simply don't understand >> >> why they get so much air time. >> > lol, then the only way I can get around it is to disable it myself by >> editing the CPU firmware? Or is there something else that controls that? >> (I'll have to look into it.) >> Disabling ME/PSP is impossible, it simply can't be done without >> intervention from intel/amd. >> The puridiots claim they will eventually be able to convince intel to do >> it because some sales guy at a convention said so (they will say >> whatever to get you to buy stuff) - however google tried a few years >> back and even them as a billion dollar company wasn't able to convince >> intel to do it. >> >> ME cleaner nerfs it even with the hap bit it isn't disabled because the >> kernel still runs it simply shuts off after the kernel runs but that is >> more than enough time to set up any potential backdoor and perform a >> variety of dirty tricks. >> >> NSA/MSS/FSB says: "oh no they removed the networking module what will we >> do now D: D: D:" >> > If their information is wrong, then I'll report them for false >> advertising. Thanks for letting me know. >> I don't know who you could report them to but thanks anyway I would like >> that very much their marketing is very sleazy and dishonest. >> Like I said I simply don't understand why I am the only critical voice, >> the tech media frequently publishes glorified press releases for them >> with absolutely no criticism or real facts about how their computers are >> not and can't ever have free firmware or free hardware... >> >> >> https://goblinrefuge.com/mediagoblin/u/onpon4/m/what-purism-s-road-to-fsf-ryf-endorsement-chart-should-look-like/ >> >> https://www.reddit.com/r/linux/comments/3anjgm/on_the_librem_laptop_purism_doesnt_believe_in/ >> >> https://web.archive.org/web/20161010040458/https://blogs.coreboot.org/blog/2015/02/23/the-truth-about-purism-why-librem-is-not-the-same-as-libre/ >> >> https://web.archive.org/web/20161010100959/https://blogs.coreboot.org/blog/2015/08/09/the-truth-about-purism-behind-the-coreboot-scenes/ >> (Gotta love their insulting of their honest competitors and donating to >> their own crowdfunding campaign) >> >> -- >> You received this message because you are subscribed to the Google Groups >> "qubes-users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to qubes-users+unsubscr...@googlegroups.com. >> To post to this group, send email to qubes-users@googlegroups.com. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/qubes-users/9231e87b-887a-b226-68bd-ac1c3573559b%40gmx.com >> . >> For more options, visit https://groups.google.com/d/optout. >> > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAAzJznyQeuOvDXBp6KuDu6Fz4tXLw%2BqsXcfZ3tfEh6SyQrvFPQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
