On 3/23/19 3:03 PM, jrsmi...@gmail.com wrote:

Spent several hours yesterday trying to track down what I would need to do to
install coreboot on all of my computers, starting with my Qubes box: a Lenovo
Thinkpad T480.

The bottom line from what I can tell is that if you have an Intel CPU made
since 2008 (any that have Boot Guard) or an AMD CPU made since 2013 (any that
have PSP), you are out of luck. Libreboot spells this out in their docs. I'm
not sure if that is because of coreboot itself or something specific to
Libreboot. I was struck by how they seemed perfectly fine walling themselves off
from the present and the future.

I could find nothing indicating that anyone had even tried, much less
succeeded, in installing coreboot on a T480 and everything I did find was for
much older hardware.

I read through the coreboot docs where they just wave their hands at the end of the build
process and say "now go flash". I also read through the heads docs, which say
more or less the same thing.

Hackaday has an article on the horrors of installing coreboot on a Toshiba
laptop. Not only do they neglect to say which model they used, at the end of
the article they had it working.

The gist is that the information that's out there is out of date, incomplete,
misleading, and sometimes just incompetent.

I'm hoping that someone here has first-hand knowledge and can advise me (and
others who read this).

Thanks,
John Smiley

I don't think Libreboot is "fine with walling themselves off from the
future", I just think they would rather not have a back door open that
they cannot close. See:
https://libreboot.org/faq.html#intel (scroll down for AMD) and
https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it
For myself, I also only use AMD CPUs prior to 2013. If this means I
can't run Qubes 4, much as I would like to, I will have to take other
security precautions, especially since I read that Joanna Rutkowska said
that using IOMMU does not protect from this remote management attack.
(Sorry I can't find that reference).