On Wed, Dec 25, 2019 at 6:03 PM <brendan.h...@gmail.com> wrote:

> Insurgo is providing a service.
>
> If one can do the steps themselves, that’s fine.
>
> If I were advising a somewhat less technical journalist or a potentially
> targeted human-rights worker or politically targeted activist who just
> wanted to get stuff done and had the resources, I’d point them to Insurgo.
>
> Brendan
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/7a7741f2-6b80-40be-a5a0-0f56b658f9fc%40googlegroups.com
> .
>


Hello there, Thierry Laurion from Insurgo Open Technologies.

Thanks Brendan.

I feel the need to clarify things a bit once in a while. This reply is one
of those. This QubesOS community is large, and even if replies were done on
Reddit and other posts here in the past, the same questions arise with the
same scattered answers. Here is a combination of those answers.

   - Insurgo made grant applications so that actual best trustworthy
   unmaintained hardware becomes mainstreamed under coreboot, and added under
   Heads (extend Heads measured boot support of latest coreboot VBOOT+measured
   boot on Sandy/Ivy Bridge xx30 and xx20 platforms: t530, t430, x220. Thanks
   to obtained NLnet grant for Accessible Security project).
   - Insurgo is attempting to gather developers, device manufacturers
   (RaptorEngineering) and funders around Power9-Power10 hardware based X86
   alternative platform (PPC64le QubesOS platform support which has a bounty
   offer already but needs committed developers). Let's remember that their
   Blackbird/Talos II platforms recently got RYF certification.
      - The last x86 platform having met RYF criteria is the X200, thanks
      to the Libreboot project, which removed Intel ME.
      - Since then, the x86 platforms have blobs we have to accept/deal
      with to make it trustworthier:
         - Sandy Bridge/Ivy Bridge: EC firmware, Intel ME BUP ROMP modules.
         Coreboot doesn't rely on FSP blobs for initialization. ME is actually
         neutered (no kernel nor syslibs as opposed to newer platforms, just
         BUP and ROMP) and deactivated (AltMeDisable bit, not HAP bit).
         - More recent hardware requires ME with its kernel and syslibs
         binary blobs present, while ME is asked to be deactivated through
         HAP bit, requires Intel FSP and other binary blobs for hardware
         initialization.
   - Insurgo works to bridge the gap to broader QubesOS
   accessibility, so that users in need of remote support can have secured
   remote administration from trusted third parties (new revenue? AccessNow?
   Other third parties?) over hidden tor onion service from additional GUI
   (NLnet grant for Accessible Security project).
   - Insurgo tries its best to support Heads community through GitHub
   opened issues while promoting collaboration.
   - Insurgo tries its best to mainstream CI build systems to produce
   reproducible builds artifacts (this is broken for months and is still not
   resolved).
   - Insurgo tries to raise awareness of researchers and developers on the
   current state of "Open Source Firmware" (currently requiring FSP, ME or
   equivalent, not having completely neutered Intel ME while claiming it is
   deactivated, while system libraries and kernel is still there but
   latent...) This implies going to conferences, doing talks, confronting the
   status quo, researching, developing so we have alternatives in the
   future....while also doing the required clerical work.
   - Insurgo made QubesOS preinstallable for the first time on the
   PrivacyBeast X230, thanks to its reownership wizard which takes care of GPG
   key generation, internal ROM reflashing, TPM ownership and sealing of
   measurements, signing boot configuration, while enforcing diceware
   passphrases in the provisioning phase. The goal is to generalize it to
   other platforms. Ideally through collaboration...
   - Insurgo made the PrivacyBeast X230 certified by QubesOS, with a lot of
   work done on Heads that is unfortunately not upstreamed yet. Will go back
   at this, while branch is available through Gitlab and GitHub.
   - Insurgo collaborates with other parties to make needed work to have
   fwupd (firmware upgrades), available inside of QubesOS, including Heads
   firmware, thanks to NLnet Privacy and Trust grant, once again.
   - Insurgo tries to push verified boot to measure also the LVM containers
   inside of deployed QubesOS reencrypted disk installation, through Heads, so
   that third party OEMs could also deploy reproducible ROMs that are
   measurable, verify their reproducibility, have verified boot and known
   good QubesOS installation with safer defaults to deploy to users by
   themselves (LUKS discards, MAC randomization, sdcard attached to sys-usb
   and others). The user would not have to trust those third parties on the
   RoT.
   - Add internationalization into Heads, so that UK keyboards and other
   keymaps can be selected at first boot and saved into the ROM at ownership.
   - .... Other work required by both QubesOS, Heads and their subprojects
   for more accessible security and usability.

There is something really interesting in the open source world.

Bigger corporations will pay for the development work they require to fit
their needs and upstream changes. This makes software and accomplished work
feel like free as in free beer.

Meanwhile, when a small player tries to make important changes for everyone
in related projects, with really limited resources, people apply the same
free as in free beer logic since they can buy second hand hardware online
at lower price and do the reprogramming themselves, not understanding even
the differences on the model they are buying and the changes in costs
associated with the model they buy, nor the privilege they have to be able
to do required technical work themselves nor the knowledge privilege they
have of knowing that such hardware and free software exist with which their
hardware can be freed with.

Of course, you can and are encouraged to backup your SPI flash chips,
unlock the rom, apply me_cleaner, flash ME and Heads back into SPI flash
chips, replace the wifi card, factory reset your USB security dongle, seal
secrets for remote attestation and sign boot components, if you are tech
savvy enough to do it right, yourself.

Meanwhile, Insurgo's goal is to facilitate that DIY, while still making
money enough to pay itself and others to do the technical required work...
so that you can do it yourself if you'd like, while organizations needing
this kind of privacy/confidentiality/security for their users can also do
the work for their users, without knowing all the technical details. On the
X230 now, and other platforms in the near future.

Meanwhile, the x230 i7 2.9GHz, with its IPS screen and replaced wifi card,
maximized 16GB ram and 256GB SSD drive, which makes the PrivacyBeast X230
hardware, is one of the last platforms on which open source firmware can
fully thrive, meeting QubesOS requirements, pushing things the farthest
possible by truly neutering ME (releasing 5Mb of additional ROM space to
do more stuff from the boot environment), using its TPM to do the measured
boot functions, sealing secrets into a QR code that enforces remote
attestation through TOTP (smartphone based manual validation) or HOTP USB
security dongles (Librem Key/Nitrokey Pro and Nitrokey Storage which
visually attests of firmware integrity with a green or red LED), while
using OpenPGP functions of the smartcard to enforce verified boot on
QubesOS core system components (/boot), making those root of trust required
components tamper evident.

Thanks for your time. Equip yourself accordingly. :)

Thierry Laurion
Insurgo, Open Technologies
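
An added example, not part of the original message and not Heads code: a simplified Python model of the measured-boot and TOTP attestation flow described in the message above, showing why a modified boot stage leaves the firmware unable to show the code the phone expects. `ToyTPM`, the stage names and the single SHA-256 PCR are assumptions made for illustration; `totp` follows RFC 6238.

```python
import hashlib, hmac, struct

class ToyTPM:
    """One PCR plus PCR-bound sealing; a teaching model, not a real TPM API."""
    def __init__(self):
        self.pcr = bytes(32)
        self._sealed = None

    def reset(self):
        self.pcr = bytes(32)  # PCRs return to zero on every power cycle

    def extend(self, blob):
        # new = H(old || H(blob)): order-sensitive and cannot be rewound
        self.pcr = hashlib.sha256(self.pcr + hashlib.sha256(blob).digest()).digest()

    def seal(self, secret):
        self._sealed = (self.pcr, secret)  # bind the secret to the current PCR

    def unseal(self):
        if self._sealed is None:
            return None
        expected, secret = self._sealed
        return secret if hmac.compare_digest(expected, self.pcr) else None

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), as a phone authenticator app computes it."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def boot(tpm, stages, now):
    """Measure every boot stage, then return the code the firmware can display."""
    tpm.reset()
    for stage in stages:
        tpm.extend(stage)
    secret = tpm.unseal()
    return totp(secret, now) if secret is not None else None

# Constructed sample data: stage contents and the RFC 6238 test secret.
GOOD = [b"coreboot-stage", b"heads-kernel", b"heads-initrd"]
TAMPERED = [b"coreboot-stage", b"heads-kernel", b"heads-initrd-modified"]
SECRET = b"12345678901234567890"  # the copy the phone receives via the QR code

def provision():
    """Ownership step: measure the known-good stages, then seal the secret."""
    tpm = ToyTPM()
    boot(tpm, GOOD, 0)
    tpm.seal(SECRET)
    return tpm
```

After `provision()`, `boot(tpm, GOOD, now)` returns the same six digits as `totp(SECRET, now)` on the phone, while `boot(tpm, TAMPERED, now)` returns `None` because the PCR no longer matches the sealed value.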
