Hi qubes-fan. Answers inline.
On Tue, Nov 13, 2018 at 6:27 AM <qubes-...@tutanota.com> wrote:

> Hi Thiery, I wasn't aware the X230 can be freed same way as the X200 can.

Unfortunately, the x230 cannot have Intel ME deleted the same way the x200
can, even though binary free firmware is on par with it.

The x200 is RYF certified where the x230 isn't for approximately the same
reasons Libreboot supports only the former. RYF and Libreboot have a really
strong guideline against binary blobs. Even Libreboot opened up its ethic
to support the x220 (Sandy Bridge), but backed off, since part of the ME
engine is still present even if deactivated. The RYF certification could
not be obtained for those. See archive:
https://web.archive.org/web/20170404144825/https://minifree.org/product/libreboot-x220/

Intel ME can be completely removed on the x200 (GM45 based), leaving no
trace of it at all (https://libreboot.org/faq.html#intel). It can be
neutralized on the x220 and x230 (Ivy Bridge), leaving only the ROMP and
BUP modules (<90k of it), but "deactivating" ME before its kernel is even
booted, where the Librem laptops have parts of it deactivated only, and
unfortunately contain binary blobs in the firmware. Once again, depending
on your threat model, that may or may not be a deal breaker for you.

Neutralizing/Deactivating/Deleting/Freeing Intel ME is a word game over which
a lot of ink has been spilled over the last years. I suggest you read this doc
(https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F). Basically,
Intel ME version <11 can be deactivated, since no kernel needs to be
present in the firmware for validation prior to initialization, resulting
in the BUP module only being launched, permitting the machine to boot,
where version >11 requires the kernel and syslib modules to be present and
validated at initialization. So even if Intel ME is neutralized by
me_cleaner, the modules are still there in >11. Could they be executed?
That depends on your beliefs and threat modeling.

Technically, GM45 based laptops are currently the last Intel based hardware
where Intel ME can be completely removed. Unfortunately, such old hardware
comes with important limitations, some of which make it incompatible with
QubesOS 4 requirements for isolation and virtualization. The x200 has vt-d1
only, no vt-d2 (No IOMMU!): there is no interrupt remapping, meaning that
there is no hardware isolation enforced in QubesOS
(https://github.com/QubesOS/qubes-issues/issues/1594#issuecomment-209213917).

At best, the x200 is an awesome laptop for using Tails, but not with
QubesOS. Using it with QubesOS gives the user an illusion of hardware
isolation, putting him at risk.

> As you saw, I am thinking about buying the RYF
> https://tehnoetic.com/tet-t400s to be
> able to run with the Qubes 4. The T400s has but unfortunately 8GB RAM max
> and so the X230 with 16GB seems very interesting.
>
The T400s is a hardware equivalent of the x200.

>
> So my question is if the X230 is really deprived of all ME-AMT, or any
> non-free dirt?

See here for the output of me_cleaner:
https://github.com/osresearch/heads-wiki/blob/master/Clean-the-ME-firmware.md
with this understanding
https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F

> If this is the case, your offer seems really interesting with all mentioned
> options available. I also use the RYF X200 for non-Qubes activities, but it
> would be just excellent if I could have just one machine for
> Qubes+non-Qubes too.
>
A lower end AMD laptop, the G505s, seems a good candidate for libre
oriented QubesOS users. Its porting to Heads is on the way, even though I
do not have that hardware myself.
https://github.com/osresearch/heads/issues/453

As some pointed out earlier, the EC is still a binary blob present in
laptops (not currently freed), microcode updates are unfortunately still
required for security.

Laptop world needs to be shaken. Binary free laptops exist, but do not
support QubesOS.
Talos II is the best libre free desktop/server available but isn't
supported by QubesOS, where the KGPE-D16/KCMA-D8 are still the best x86
desktop/servers available. The x230 laptop is the most supported and libre
available, where BUP Intel ME initialization is tolerable.

Heads project should be considered as a trusted base of any security
conscious user.
http://osresearch.net/

Linuxboot, Systemboot and other projects based on u-boot/u-root should also
be considered for collocating private cloud services on more recent x86
servers:
https://github.com/systemboot/systemboot
https://www.linuxboot.org/

Hope that it answers your questions.

>
> Nov 12, 2018, 7:30 AM by thierry.laur...@gmail.com:
>
> > Hi!
> >
> >> I checked out the x230 and you are right they are available and cheap.
> >> I would still be interested in finding some company/individual who I can
> >> trust to take care of the BIOS flashing for me as a service (I would think
> >> others would also want this service as well...). The problem is who?
> >>
> > I started Insurgo Technologies Libres/Open Technologies exactly for
> > that! (https://www.facebook.com/InsurgoTech/insights/?section=navPosts)
> >
> > We actually reprogram A-Grade refurbished x230 with Heads firmware
> > (http://osresearch.net/), while neutralizing Intel ME
> > (https://github.com/osresearch/heads-wiki/blob/master/Clean-the-ME-firmware.md)
> > while being there.
> >
> > I have been collaborating with Heads and QubesOS developers for a while now.
> > QubesOS can even be preinstalled with user's desired customizations
> > (https://github.com/SkypLabs/my-qubes-os-formula/issues) or shipped
> > with latest QubesOS ISO on external MicroSD support. Heads validates ISO
> > integrity with distribution's signing keys prior to booting them (Tails,
> > Fedora, QubesOS).
> >
> > Heads, deployed with a Nitrokey Pro v2/LibremKey or by using internal
> > TPM, validates the ROM's integrity before booting from it. With the help of a
> > NitroKey/LibremKey (https://puri.sm/posts/introducing-the-librem-key/), the boot
> > configurations are signed with user's keys and verified and the firmware
> > integrity is attested at each reboot through HOTP (LED flashing or TPMTOTP
> > on user's cell phone through Google Authenticator or compatible app).
> >
> > The user receives the Nitrokey/LibremKey and his computer in distinct
> > shipping packages and reunites them at first laptop boot to attest that the
> > firmware of the computer has not been tampered with in transit
> > (https://puri.sm/posts/introducing-the-librem-key/).
> >
> > The user, upon bootup integrity attestation, proceeds to take ownership
> > of his new laptop (TPM) and his LibremKey. The user is then invited to
> > reencrypt his SSD encrypted content with his own chosen passphrase
> > (https://github.com/osresearch/heads/issues/463) and to choose a
> > secondary disk unlock passphrase, which will unlock encrypted disk content
> > only if the firmware has boot attested integrity.
> >
> > Notes:
> > The user will be able to ask Insurgo for interactive support in the near
> > future (https://github.com/SkypLabs/my-qubes-os-formula/issues/6).
> > Buying from Insurgo (ITL/IOT) funds directly my participation in
> > those projects.
> > Bulk discounts are available upon request. Insurgo plans to transition into
> > a working/buying cooperative in the near future.
> >
> >
> > Prices are in Canadian Dollars (CDN)
> > x230 i5 240GB SSD 16GB Webcam and IPS: $620
> > Hardware reprogramming fee: +250$
> > Backlit Keyboard: 40$  (optional)
> > Webcam 10$  (optional)
> > Nitrokey/LibremKey: + 80$
> > The refurbisher offers a warranty plan on the value of the purchase:
> > 1 Month %5
> > 3 Months %10
> > 6 Months %15
> > 1 Year %25
> >
> > Thierry Laurion:
> > GitHub: https://github.com/tlaurion/
> > LinkedIn: https://www.linkedin.com/in/thierry-laurion-40b4128/
> >
> > Insurgo, Technologies Libres / Open Technologies:
> > email: insu...@riseup.net for more information.
> > GPG key: http://keys.gnupg.net/pks/lookup?op=get&search=0x79C78E6659DB658F
> > Follow this guide or its platform equivalent: https://securityinabox.org/en/guide/thunderbird/mac/
> > Website: https://Insurgo.ca
> > Facebook: https://www.facebook.com/InsurgoTech/
> >
> > On Sun, Nov 11, 2018 at 9:26 PM <22...@tutamail.com> wrote:
> >
> >> Unman your posts have been extremely helpful to me and I can't thank
> >> you enough for the help (I am sure many others would agree).
> >>
> >> However I think your "..Pretty easy to maintain.." would be hell for
> >> me.
> >>
> >> Librem (and maybe the Majora line) have huge appeal for me as they take
> >> care of the BIOS flashing.
> >>
> >> I checked out the x230 and you are right they are available and cheap.
> >> I would still be interested in finding some company/individual who I can
> >> trust to take care of the BIOS flashing for me as a service (I would think
> >> others would also want this service as well...). The problem is who?
> >>
> >> Thanks...
> >>
> >> ("-boxy is the new black." Good one and couldn't agree more...very
> >> funny!)
> >>
> >>
> >
> >
> > --
> > Thierry Laurion
> >
> >
> >
> >
>
>
-- 
Thierry Laurion:

   - GitHub: https://github.com/tlaurion/
   - LinkedIn: https://www.linkedin.com/in/thierry-laurion-40b4128/


Insurgo, Technologies Libres / Open Technologies:

   - email:  insu...@riseup.net
      - GPG key:
      http://keys.gnupg.net/pks/lookup?op=get&search=0x79C78E6659DB658F
      - Follow this guide or its platform equivalent:
      https://securityinabox.org/en/guide/thunderbird/mac/
   - Website: https://Insurgo.ca
   - Facebook: https://www.facebook.com/InsurgoTech/
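
The interrupt-remapping limitation discussed in the message above can be checked from the Xen boot log on a running Qubes machine. The script below is an added example, not part of the original message; the function names are hypothetical, the sample logs are constructed, and it assumes Xen's VT-d status lines have the form "Intel VT-d <feature> [not ]enabled."

```shell
#!/bin/sh
# Added example, not from the original message. Reads Xen boot-log text on
# stdin and reports which VT-d features the hypervisor says it enabled.
# Assumed line format: "(XEN) Intel VT-d <feature> [not ]enabled."

# Print one "<feature>=enabled|disabled" line per VT-d status line.
vtd_features() {
    sed -n -e 's/^.*Intel VT-d \(.*\) not enabled\.*$/\1=disabled/p' \
           -e 's/^.*Intel VT-d \(.*\) enabled\.*$/\1=enabled/p'
}

# Print enabled | disabled | absent for interrupt remapping specifically.
# "absent" means no status line was found (no VT-d, or a truncated log).
intremap_status() {
    status=$(vtd_features | sed -n 's/^Interrupt Remapping=//p' | tail -n 1)
    echo "${status:-absent}"
}

# Constructed sample logs (not captured from real machines).
SAMPLE_IR='(XEN) Intel VT-d Snoop Control enabled.
(XEN) Intel VT-d Queued Invalidation enabled.
(XEN) Intel VT-d Interrupt Remapping enabled.'
SAMPLE_NO_IR='(XEN) Intel VT-d Snoop Control not enabled.
(XEN) Intel VT-d Queued Invalidation not enabled.
(XEN) Intel VT-d Interrupt Remapping not enabled.'
SAMPLE_NO_VTD='(XEN) constructed line with no VT-d status'

# Classify each constructed sample.
for name in SAMPLE_IR SAMPLE_NO_IR SAMPLE_NO_VTD; do
    eval "log=\$$name"
    printf '%s: interrupt remapping %s\n' "$name" \
        "$(printf '%s\n' "$log" | intremap_status)"
done
```

In dom0, `sudo xl dmesg | intremap_status` feeds the live hypervisor log to the same function; an "absent" result there can also mean the boot messages have rotated out of the log buffer.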
