Hello, id suggest to configure coreboot so you can update it internally with the latest microcode-updates. Just make sure its correctly configured to only accept updates signed by yourself.
Coreboot can/ will improve your security by a lot even with IME untouched for a number of reasons, personally, i would consider an proprietary Bios or central Bios blobs a much higher risk then Intel Me untouched. I really dont want to defend the Intel ME or AMD PSP (id never use a computer with newer ME versions), but in comparison, this whole Me thing is a bit blown out of proportion. There are bigger issues with recent hardware. Also, while your right about the Intel ME, the me version on the x230 can be reduced to the minimal amount of blobs, and more important, contrary to newer versions shuts down/ is only active in the very first states of the boot process, thus providing a significant security benefit. I suggest to also check out Raptor Engineering, its completely free and real open source hardware, altough unfortunately its not possible to use with qubes (yet?). Its really awesome hardware, and one could build even a poor mans Qubes os with OpenBSD. cheers On 1/14/19 12:17 PM, Alexandre Belgrand wrote: > Hello, > > I am still brooding over before installing Qubes. > > My first thinking is that since Intel ME backdoors provide full access > to authorities, there is no way we can stop government agencies. Recent > research (read 1) shows that Intel ME has access to all parts of a > computer, even switched-off. > > This is not an NSA problem. If the NSA can do it, then any government > agency including the Chinese, the Russians, the Germans, the French, > India, etc .. can break into anyone's computer. > > Intel ME even includes a VNC server (VNC is crap), which should be able > to display dom0. Intel ME has direct access to network cards and > connections are routed to the Intel ME before they reach the network > stack. Therefore, network connections from intruders should be > invisible to dom0 and other cubes. > > There is also the alternative to switch to Coreboot and try to disable > Intel ME. But I read that on my laptop, a Lenovo Thinkpad X230, it was > impossible to completely remove Intel ME. Intel ME is constantly > monitoring hardware and if it is removed, the computer will reboot > after 30 minutes. In the X230 legacy bios, I disabled Intel ME > completely, but a test in Gnu/linux shows it is still active. > > Also, when installing Coreboot, I loose Lenovo's frequent BIOS updates, > and I am not very sure to be protected against Intel meltdown and > Spectre. > > So a reasonable approach to me is to rely on a firewall and monitor > incoming and outgoing packets. Network surveillance is IMHO the only > way to discover an attack. I am using PC Engines APU with coreboot and > open hardware, which is the best I can find in my price range. > > Network surveillance is how I discovered last time that my computer had > been hacked, when I saw packets flowing to China. > > Since then, now I keep no personal document on a computer. > > When I discovered Qubes, it caught my eye but ... > (a) It does not protect from Intel ME backdoors. > (b) Has a Linux firewall running on a normal Fedora kernel, not even > compiled statically with a limited number of modules. This firewall can > be replaced with OpenBSD as discussed on the mailing list. > (c) Using Coreboot might be an alternative, but I don't know how secure > is Coreboot against other attacks. > > So my first opinion would be that Qubes can only protect against a > simple software attack, not a complex hardware attack. > > What's interesting in Qubes is that : > (d) It has reasonable defense in depth, at the scale of today's > hardware. > (e) It has good privacy protection. For example, it can protect me and > my family when surfing on Internet and keep my data private. > > If you can tell me anything more about Qubes security, I am really > interested. I am still waiting for more information before stepping on. > > (1) What we have learned about Intel ME > http://blog.ptsecurity.com/2018/11/what-we-have-learned-about-intel-me.html > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6d8a2cc6-1885-114f-e733-4808354b714d%40cryptogs.de. For more options, visit https://groups.google.com/d/optout.
