On 1/1/20 8:28 PM, Thierry Laurion wrote:


On Wed, Jan 1, 2020 at 4:12 PM Chris Laprise <tas...@posteo.net> wrote:

    On 1/1/20 1:36 PM, Thierry Laurion wrote:
     >
     >
     > On Wednesday, January 1, 2020 at 13:32:00 UTC-5, Chris Laprise wrote:
     >
     >     On 1/1/20 5:43 AM, Lorenzo Lamas wrote:
     >      > Hello Thierry,
     >      >
     >      > Thanks for all that you are doing for the community. Do you see a
     >      > possibility of a Qubes Certified Laptop with an AMD CPU?
     >      > Intel is affected a lot more than AMD by the side-channel
     >      > vulnerabilities in the last years. The Privacy Beast has a 3rd gen
     >      > Intel CPU, Intel stopped providing uCode updates for 1st gen in
     >      > 2019, so this year is probably the last year they will support 3rd
     >      > gen. More CPU vulnerabilities will most certainly be discovered in
     >      > the coming years, so there is a need for an AMD based certified
     >      > laptop, or at least a newer generation Intel based laptop, even
     >      > though that may mean we're stuck with PSP or ME.
     >
     >     As much as I like the Insurgo/Purism/System76 offerings, this issue
     >     has weighed on me to reconsider.
     >
     >     The massive amount of side-channel vulnerabilities have shown Intel's
     >     engineering is reckless, and it gets worse. They're still pushing
     >     fraudulent compiler code – detecting and de-optimizing AMD – almost a
     >     decade after it was reported in the press. And they outright refuse
     >     to pay government fines relating to their misconduct – which also
     >     included threatening PC vendors with retaliation if they sell "too
     >     many" AMD units.
     >
     >     Historically, when a behemoth like Intel goes renegade it's because
     >     they know their products are superior and the public will accept the
     >     situation as a trade-off. But the only thing that's "superior" about
     >     Intel is their attitude and their ill-gotten revenue.
     >
     >     The biggest problem I see is people's willingness to go along with
     >     what is becoming a tradition of anti-competition. Whatever logical
     >     fallacies are put forward to make it seem palatable with CPUs will
     >     also undermine user motivations in other areas.
     >
     > Completely agreeing. This is why this
     > <https://github.com/QubesOS/qubes-issues/issues/4318#issuecomment-549986749>
     > needs collaboration to have real solutions in the future.

    The relative ease of using another x86 brand with better implementation
    and ethics such as AMD makes it a clear choice in the meantime, while
    the much more difficult and lengthy task of adopting open hardware is
    pursued.

    People can wait 18-36 months for a Qubes port to POWER architecture...
    That is 18-36 months of being subject to maximum side-channel (and
    probably other) risks and signalling a tacit acceptance of Intel's
    engineering. And at the end of that period, we still won't have laptops.

    Only holding out for the perfect appears to be the enemy of good in
    this case; it is the wrong mindset for adding alternatives. Under these
    circumstances, there should be absolutely no hint that a robust x86
    alternative is somehow passe... but that appears to be the message
    coming from vendors.

I am not aware of any AMD model to recommend on my end which would have the right mix of well-supported QubesOS components to fit requirements and known compatibility issues.

If you have such a model in mind to recommend, be part of the solution and let us know.

Meanwhile, models that fitted the bill for workstation/server got dropped by coreboot for lack of interest from the community (KGPE-D16 <https://github.com/osresearch/heads/issues/134#issuecomment-368922440>). It might be brought back under grant work (TBD), but AFAIK, there is not such trust altogether from the community toward AMD, not really more trust toward their PSP (ME equivalent), and not so much known right now from attempts at reversing <https://github.com/PSPReverse/PSPTool> it.

Yes, this has as much to do with community attitudes as anything else. I would still expect some vendor to be able to put 2+2 together and market AMD-based systems based on their history and current strengths.

If there is public mistrust because of PSP, then there should be some engagement from Coreboot and Libreboot to demonstrate that deactivation is plausible. OTOH, since Coreboot seems stuck in c.2012 with Intel Ivy Bridge processors, that could make the issue moot because AMD units requiring no such deactivation (containing no PSP) are available that are also a year newer.

Regarding new hardware, which is important, I would rather take my chances with AMD PSP firmware properly deactivating (when told to) than with the equivalent Intel ME function. It would be interesting to compare errata between the two brands on this point.


So what model would you suggest in the meantime for which firmware can be replaced by Open Source Firmware?

Given that c.2012 machines are being discussed, I think it's worth mentioning the Lenovo G505s as a workable candidate. But I don't hang out in Coreboot forums as much as I'd like, so I'd just as soon ask you the same question about what AMD models work. Is this something Insurgo has looked into?

Complicating the issue is that Coreboot's documentation is 100% geared to developers; the only guidance for users are links to OEMs. However, the MrChromebox site lists AMD Stoneyridge c.2017 as Coreboot supported, which makes models like Lenovo 14E chromebook and HP 15-BW077AX candidates for testing and porting.

TBH, I'm not exactly sure why, from a consumer standpoint, open firmware must be a prerequisite when the hardware itself is closed. Perhaps it's more important than correctly functioning CPU hardware, but perhaps not. I think the perceived need that many have for it is rooted in reports that some Intel ME versions don't deactivate properly, as deactivating ME gained the Coreboot project a great deal of visibility.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
