Re: [qubes-users] Re: Announcement: Insurgo PrivacyBeast X230 Laptop meets and exceeds Qubes 4.0 hardware certification
I won't feed trolls. But will invite you to find me comparative prices for grade A x230 i7 2.9ghz of the same specs. Those are not 200$ CAD, but 940+ (with IPS, 16GB RAM, 250GB SSD and Atheros card) + 80$ for a Librem Key (80$CAD) which will visually attest integrity of firmware at each boot, while permitting to sign boot configuration changes and attest that you approved the changes. Added to that price is 500$CAD for the service made on the laptop to neuter Intel ME, flash the rom, preinstall QubesOS and latest updates, preinstall a Windows7 TemplateVM that you can activate over Windows activation phone line. While permitting to have provable integrity, to attest to you that the laptop hasn't been tampered with in transit, added with a tamper evident sticker on the main screw of the laptop, required to unscrew to access internal hardware.

Compare prices for yourself. You will find used hardware requiring fan/cpu thermal paste reapplication, broken cases, 8GB memory equipped laptops with spinning HD without IPS screen. Please challenge me:
https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/

My goal is to start a workers/buyers cooperative with this, charging an additional flat fee on top of hardware cost for what is done on the refurbished hardware. That money is my salary and personal funding source to pay for other knowledgeable work, pay for QubesOS development and for sure, also pay myself so I do not have to have a job outside of this and dedicate myself to open hardware and projects that need money to go forward, while continuing to do security trainings for rights defenders, that need this kind of tool, btw.

OEM reownership in action, permitting QubesOS preinstallation on "slightly more secured hardware" (Heads motto):
https://archive.org/details/activateoemreownership

The more refurbisher sources of high end and grade A hardware, the best prices users will get. Finding a secure source for that model was not an easy task. Try it for yourself. You will see. It's quite easy to find one super deal. Finding a provider is a different story. If you find one, contact me, you might become a distributor for your own country!

Doing the OEM reownership to make QubesOS preinstallable was not an easy task either.
https://github.com/osresearch/heads/pull/551

QubesOS certification was made to bridge the gap on having QubesOS preinstalled, which never happened, even if it was supposed in the past. To finally promote QubesOS preinstalled machines, without compromising encrypted keys, while promoting my first move toward "Accessible security", project for which grant was received. Else users are redirected on the HCL page and not all people are technical enough to even choose the right hardware, even less ones that can boot from Open Source Firmware. And even less of them will arrive to the point of having a provable root of trust.

All of this work was made open source, and can be ported to other models and platforms, which I would really love to see happen through the Heads project. I also did the port for the KGPE-D16/KCMA-D8, which you can find on the Heads github site, which has OpenBMC iKVM module, can be used as a QubesOS server and can be remotely booted, with provable root of trust through inserted Librem Key.

You are more than welcome to join forces instead of criticizing in a nonconstructive way. I'm doing my best to pay myself back 2 years of development and launching this all by myself. Now is a time for collaboration to make QubesOS more accessible to freedom defenders, journalists and others who need this the most. I will do some of that development myself, made grant paperwork to be able to pay other people's work and plan on doing that until we have something free to propose to the masses, which supports QubesOS.

If you are knowledgeable/technical enough to be able to do it yourself and be able to own provable boot security, then you are more than welcome to do it yourself or be helped by a friend. If you are not in that situation, that is why I did that work and to be able to promote such solutions in my own security trainings for organizations and journalists.

If you want to support my work, you are more than welcome to do it, by proposing collaboration and support other hardware through Heads or other Open Source Firmware where the same reownership logic could apply and guarantee integrity/security/confidentiality and in transit tamper evidence.

As all of you, I would prefer promoting more performant hardware to the masses, but I'm not compromising myself in promoting FSP binary-blob dependent hardware initialized by non-free Coreboot, nor non-neutered Intel ME or AMD equivalent crap running by default, or simply asked to be deactivated while binary blobs are still there in SPI flash.

Cheers,
Thierry/Insurgo

On Wednesday, July 24, 2019 at 13:54:53 UTC-4, travorfi...@gmail.com wrote:
>
> Guyz, this is
Re: [qubes-users] Re: Announcement: Insurgo PrivacyBeast X230 Laptop meets and exceeds Qubes 4.0 hardware certification
Guyz, this is not serious. >100$ laptop >chink keyboard >lost battery >flashed with a $5 ch341a coreboot On Wednesday, July 24, 2019 at 20:48:11 UTC+3, Thierry Laurion wrote: > > > > On Wed, Jul 24, 2019 at 1:16 PM > > wrote: > >> >sandybridge >> > >> >> $1,581.00 >> >> laught high. >> > I can understand seeing the total price. The reality is 946$CAD, though > for the Grade A refurbished laptop i7 2.9ghz, 16GB ram, 256Gb SSD drive and > IPS screen. See product description. You pay an additional 500$CAD to have > integrity attestation of firmware and QubesOS preinstallation, while > supporting what I try to accomplish. > > Else you can do it yourself from locally available hardware, but I doubt > you can find equivalent quality refurb grade A equivalent hardware with > competitive price. > The OEM Re-Ownership wizard in action, with important links and > references: https://archive.org/details/oemuserreownership > > Regards, > Thierry Laurion/Insurgo > > >> >> >> On Friday, July 19, 2019 at 7:19:37 UTC+3, Andrew David Wong >> wrote: >>> >>> -BEGIN PGP SIGNED MESSAGE- >>> Hash: SHA512 >>> >>> Dear Qubes Community, >>> >>> We are very pleased to announce that the Insurgo PrivacyBeast X230 [1] >>> has passed Qubes 4.0 Hardware Certification and is now a Qubes-certified >>> Laptop! [2] >>> >>> ## What is Qubes Certified Hardware? >>> >>> Qubes Certified Hardware [3] is hardware that has been certified by the >>> Qubes developers as compatible with Qubes OS. Beginning with Qubes 4.0, >>> in order to achieve certification, the hardware must satisfy a rigorous >>> set of requirements [4], and the vendor must commit to offering >>> customers the very same configuration (same motherboard, same screen, >>> same BIOS version, same Wi-Fi module, etc.) for at least one year. >>> >>> Qubes-certified Laptops [2], in particular, are regularly tested >>> by the Qubes developers to ensure compatibility with all of Qubes' >>> features.
The developers test all new major versions and updates to >>> ensure that no regressions are introduced. >>> >>> It is important to note, however, that Qubes Hardware Certification >>> certifies only that a particular hardware *configuration* is *supported* >>> by Qubes. The Qubes OS Project takes no responsibility for any >>> manufacturing or shipping processes, nor can we control whether physical >>> hardware is modified (whether maliciously or otherwise) *en route* to >>> the user. (However, see below for information about how the Insurgo >>> team mitigates this risk.) >>> >>> ## About the Insurgo PrivacyBeast X230 Laptop >>> >>> The Insurgo PrivacyBeast X230 [1] is a custom refurbished ThinkPad X230 >>> [5] that not only *meets* all Qubes Hardware Certification requirements >>> [4] but also *exceeds* them thanks to its unique configuration, >>> including: >>> >>> - Coreboot [6] initialization for the x230 is binary-blob-free, >>> including native graphic initialization. Built with the >>> Heads [7] payload, it delivers an Anti Evil Maid (AEM) [8]-like >>> solution built into the firmware. (Even though our requirements [4] >>> provide an exception for CPU-vendor-provided blobs for silicon and >>> memory initialization, Insurgo exceeds our requirements by insisting >>> that these be absent from its machines.) >>> >>> - Intel ME [9] is neutered through the AltMeDisable bit, while all >>> modules other than ROMP and BUP, which are required to initialize >>> main CPU, have been deleted. [10] >>> >>> - A re-ownership process that allows it to ship pre-installed with >>> Qubes OS, including full-disk encryption already in place, but >>> where the final disk encryption key is regenerated only when the >>> machine is first powered on by the user, so that the OEM doesn't >>> know it. >>> >>> - Heads [7] provisioned pre-delivery to protect against malicious >>> interdiction. 
[11] >>> >>> ## How to get one >>> >>> Please see the Insurgo PrivacyBeast X230 [1] on the Insurgo website [12] >>> for more information. >>> >>> ## Acknowledgements >>> >>> Special thanks go to: >>> >>> - Thierry Laurion [13], Director of Insurgo, Technologies Libres (Open >>> Technologies), for spearheading this effort and making Heads+Qubes >>> laptops more broadly accessible. >>> >>> - Trammell Hudson [14], for creating Heads [7]. >>> >>> - Purism [15], for greatly improving the UX of Heads [7], including >>> the GUI menu, and for adding Nitrokey [16] and Librem Key [17] >>> support. >>> >>> >>> [1] >>> https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/ >>> >>> [2] >>> https://www.qubes-os.org/doc/certified-hardware/#qubes-certified-laptop-insurgo-privacybeast-x230 >>> >>> [3] https://www.qubes-os.org/doc/certified-hardware/ >>> [4] >>>
Re: [qubes-users] Re: Announcement: Insurgo PrivacyBeast X230 Laptop meets and exceeds Qubes 4.0 hardware certification
On Wed, Jul 24, 2019 at 1:16 PM wrote: > >sandybridge > > > > $1,581.00 > > laught high. > I can understand seeing the total price. The reality is 946$CAD, though for the Grade A refurbished laptop i7 2.9ghz, 16GB ram, 256Gb SSD drive and IPS screen. See product description. You pay an additional 500$CAD to have integrity attestation of firmware and QubesOS preinstallation, while supporting what I try to accomplish. Else you can do it yourself from locally available hardware, but I doubt you can find equivalent quality refurb grade A equivalent hardware with competitive price. The OEM Re-Ownership wizard in action, with important links and references: https://archive.org/details/oemuserreownership Regards, Thierry Laurion/Insurgo > > > On Friday, July 19, 2019 at 7:19:37 UTC+3, Andrew David Wong > wrote: >> >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA512 >> >> Dear Qubes Community, >> >> We are very pleased to announce that the Insurgo PrivacyBeast X230 [1] >> has passed Qubes 4.0 Hardware Certification and is now a Qubes-certified >> Laptop! [2] >> >> ## What is Qubes Certified Hardware? >> >> Qubes Certified Hardware [3] is hardware that has been certified by the >> Qubes developers as compatible with Qubes OS. Beginning with Qubes 4.0, >> in order to achieve certification, the hardware must satisfy a rigorous >> set of requirements [4], and the vendor must commit to offering >> customers the very same configuration (same motherboard, same screen, >> same BIOS version, same Wi-Fi module, etc.) for at least one year. >> >> Qubes-certified Laptops [2], in particular, are regularly tested >> by the Qubes developers to ensure compatibility with all of Qubes' >> features. The developers test all new major versions and updates to >> ensure that no regressions are introduced. >> >> It is important to note, however, that Qubes Hardware Certification >> certifies only that a particular hardware *configuration* is *supported* >> by Qubes.
The Qubes OS Project takes no responsibility for any >> manufacturing or shipping processes, nor can we control whether physical >> hardware is modified (whether maliciously or otherwise) *en route* to >> the user. (However, see below for information about how the Insurgo >> team mitigates this risk.) >> >> ## About the Insurgo PrivacyBeast X230 Laptop >> >> The Insurgo PrivacyBeast X230 [1] is a custom refurbished ThinkPad X230 >> [5] that not only *meets* all Qubes Hardware Certification requirements >> [4] but also *exceeds* them thanks to its unique configuration, >> including: >> >> - Coreboot [6] initialization for the x230 is binary-blob-free, >> including native graphic initialization. Built with the >> Heads [7] payload, it delivers an Anti Evil Maid (AEM) [8]-like >> solution built into the firmware. (Even though our requirements [4] >> provide an exception for CPU-vendor-provided blobs for silicon and >> memory initialization, Insurgo exceeds our requirements by insisting >> that these be absent from its machines.) >> >> - Intel ME [9] is neutered through the AltMeDisable bit, while all >> modules other than ROMP and BUP, which are required to initialize >> main CPU, have been deleted. [10] >> >> - A re-ownership process that allows it to ship pre-installed with >> Qubes OS, including full-disk encryption already in place, but >> where the final disk encryption key is regenerated only when the >> machine is first powered on by the user, so that the OEM doesn't >> know it. >> >> - Heads [7] provisioned pre-delivery to protect against malicious >> interdiction. [11] >> >> ## How to get one >> >> Please see the Insurgo PrivacyBeast X230 [1] on the Insurgo website [12] >> for more information. >> >> ## Acknowledgements >> >> Special thanks go to: >> >> - Thierry Laurion [13], Director of Insurgo, Technologies Libres (Open >> Technologies), for spearheading this effort and making Heads+Qubes >> laptops more broadly accessible. 
>> >> - Trammell Hudson [14], for creating Heads [7]. >> >> - Purism [15], for greatly improving the UX of Heads [7], including >> the GUI menu, and for adding Nitrokey [16] and Librem Key [17] >> support. >> >> >> [1] >> https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/ >> [2] >> https://www.qubes-os.org/doc/certified-hardware/#qubes-certified-laptop-insurgo-privacybeast-x230 >> [3] https://www.qubes-os.org/doc/certified-hardware/ >> [4] >> https://www.qubes-os.org/doc/certified-hardware/#hardware-certification-requirements >> [5] https://www.thinkwiki.org/wiki/Category:X230 >> [6] https://www.coreboot.org/ >> [7] https://github.com/osresearch/heads/ >> [8] https://www.qubes-os.org/doc/anti-evil-maid/ >> [9] https://libreboot.org/faq.html#intelme >> [10] >> https://github.com/osresearch/heads-wiki/blob/master/Clean-the-ME-firmware.md#how-to-disabledeactive-most-of-it >> [11]
[qubes-users] Re: Announcement: Insurgo PrivacyBeast X230 Laptop meets and exceeds Qubes 4.0 hardware certification
Also x230 can be more powerful. Look at this guyz https://world.taobao.com/item/550879131380.htm https://forum.51nb.com/forum.php?mod=viewthread=1602437 http://thinkpads.kr/xe/REVIEW01/204307 https://forum.51nb.com/thread-1548345-1-1.html
[qubes-users] Re: Announcement: Insurgo PrivacyBeast X230 Laptop meets and exceeds Qubes 4.0 hardware certification
>sandybridge > $1,581.00 laught high. On Friday, July 19, 2019 at 7:19:37 UTC+3, Andrew David Wong wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Dear Qubes Community, > > We are very pleased to announce that the Insurgo PrivacyBeast X230 [1] > has passed Qubes 4.0 Hardware Certification and is now a Qubes-certified > Laptop! [2] > > ## What is Qubes Certified Hardware? > > Qubes Certified Hardware [3] is hardware that has been certified by the > Qubes developers as compatible with Qubes OS. Beginning with Qubes 4.0, > in order to achieve certification, the hardware must satisfy a rigorous > set of requirements [4], and the vendor must commit to offering > customers the very same configuration (same motherboard, same screen, > same BIOS version, same Wi-Fi module, etc.) for at least one year. > > Qubes-certified Laptops [2], in particular, are regularly tested > by the Qubes developers to ensure compatibility with all of Qubes' > features. The developers test all new major versions and updates to > ensure that no regressions are introduced. > > It is important to note, however, that Qubes Hardware Certification > certifies only that a particular hardware *configuration* is *supported* > by Qubes. The Qubes OS Project takes no responsibility for any > manufacturing or shipping processes, nor can we control whether physical > hardware is modified (whether maliciously or otherwise) *en route* to > the user. (However, see below for information about how the Insurgo > team mitigates this risk.) > > ## About the Insurgo PrivacyBeast X230 Laptop > > The Insurgo PrivacyBeast X230 [1] is a custom refurbished ThinkPad X230 > [5] that not only *meets* all Qubes Hardware Certification requirements > [4] but also *exceeds* them thanks to its unique configuration, > including: > > - Coreboot [6] initialization for the x230 is binary-blob-free, > including native graphic initialization.
Built with the > Heads [7] payload, it delivers an Anti Evil Maid (AEM) [8]-like > solution built into the firmware. (Even though our requirements [4] > provide an exception for CPU-vendor-provided blobs for silicon and > memory initialization, Insurgo exceeds our requirements by insisting > that these be absent from its machines.) > > - Intel ME [9] is neutered through the AltMeDisable bit, while all > modules other than ROMP and BUP, which are required to initialize > main CPU, have been deleted. [10] > > - A re-ownership process that allows it to ship pre-installed with > Qubes OS, including full-disk encryption already in place, but > where the final disk encryption key is regenerated only when the > machine is first powered on by the user, so that the OEM doesn't > know it. > > - Heads [7] provisioned pre-delivery to protect against malicious > interdiction. [11] > > ## How to get one > > Please see the Insurgo PrivacyBeast X230 [1] on the Insurgo website [12] > for more information. > > ## Acknowledgements > > Special thanks go to: > > - Thierry Laurion [13], Director of Insurgo, Technologies Libres (Open > Technologies), for spearheading this effort and making Heads+Qubes > laptops more broadly accessible. > > - Trammell Hudson [14], for creating Heads [7]. > > - Purism [15], for greatly improving the UX of Heads [7], including > the GUI menu, and for adding Nitrokey [16] and Librem Key [17] > support. 
> > > [1] > https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/ > > [2] > https://www.qubes-os.org/doc/certified-hardware/#qubes-certified-laptop-insurgo-privacybeast-x230 > > [3] https://www.qubes-os.org/doc/certified-hardware/ > [4] > https://www.qubes-os.org/doc/certified-hardware/#hardware-certification-requirements > > [5] https://www.thinkwiki.org/wiki/Category:X230 > [6] https://www.coreboot.org/ > [7] https://github.com/osresearch/heads/ > [8] https://www.qubes-os.org/doc/anti-evil-maid/ > [9] https://libreboot.org/faq.html#intelme > [10] > https://github.com/osresearch/heads-wiki/blob/master/Clean-the-ME-firmware.md#how-to-disabledeactive-most-of-it > > [11] https://en.wikipedia.org/wiki/Interdiction > [12] https://insurgo.ca > [13] https://www.linkedin.com/in/thierry-laurion-40b4128/ > [14] https://trmm.net/About > [15] https://puri.sm/ > [16] https://www.nitrokey.com/ > [17] https://puri.sm/posts/introducing-the-librem-key/ > > This announcement is also available on the Qubes website: > > https://www.qubes-os.org/news/2019/07/18/insurgo-privacybeast-qubes-certification/ > > > - -- > Andrew David Wong (Axon) > Community Manager, Qubes OS > https://www.qubes-os.org > > -BEGIN PGP SIGNATURE- > > iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAl0xRMEACgkQ203TvDlQ > MDAEVQ//d5Ziw78qjjYCaepSpJTXwdlw6yiZVXm5ecB1xYMdS7UrQJYX3vS/on/R >
Re: [qubes-users] Re: Announcement: Insurgo PrivacyBeast X230 Laptop meets and exceeds Qubes 4.0 hardware certification
On Monday, July 22, 2019 at 11:40:44 UTC-4, Chris Laprise wrote:
>
> On 7/21/19 5:44 PM, Lorenzo Lamas wrote:
> > Very nice to finally have a certified Qubes laptop!
> >
> > Personally, for me it would be nice if there was a more powerful
> > alternative in the future. I'm currently using something with about the
> > same resource power and I find myself often wishing I had something
> > faster because Qubes is quite heavy compared to a standard OS. It would
> > be great to have a quad core CPU(and a proper one, not one of those
> > power-saving U line from Intel), 32GB RAM or more and a NVMe SSD instead
> > of SATA.
> > Also, there is the issue of the CPU being a 3rd gen Intel i CPU. Maybe
> > this is specifically chosen because later CPU's are harder to get blob
> > free, I don't know the details. However, Intel had quite a few side
> > channel vulnerabilities over the past year, and this year they dropped
> > microcode update support for 1st gen CPU's, so there is a pretty high
> > chance they will drop 2nd gen support next year and 3rd gen support the
> > year after that.
>
> There is even one statement from Intel out there that they've
> tentatively already dropped support for 3rd gen (which is what the X230
> and its 'sister' the T430s uses).
>

I didn't find such statement. Would love to find confirming/infirming information for i7-3520M.

Microcode updates were released for Windows:
https://support.microsoft.com/en-us/help/4494451/kb4494451-intel-microcode-updates

They do not seem to have been injected in Intel repository, though:
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files

No idea if they are included in Fedora, to be applied by dom0 in QubesOS.

>
> The Lenovo G505s should be slightly more powerful than the X230, and its
> AMD A10 processor is significantly less prone to attack.
>
> The only problems with it are that HEADS doesn't work (not a big
> disadvantage, given how vulnerable X230's older TPM is),

TPM was not vulnerable to weak RSA cert generation of 2017:
https://web.archive.org/web/20190203222631/https://support.lenovo.com/us/en/product_security/len-15552

And since the TPM is used under Heads as one of the first modified instructions of Coreboot, I don't see how boot measurements could be impacted by S3 resume vulnerability of 2018:
https://github.com/kkamagui/napper-for-tpm

> and to install
> Qubes you need to flash it with a Coreboot config that requires you to
> add an un-signed graphics driver (I think if enough people posted SHA256
> hashes of the driver it wouldn't be a big problem).
>
> It also accepts ECC RAM, which reduces the DDR3 side-channel
> vulnerabilities somewhat.
>

For the side-channel attacks, I would love to see a PoC, since from my understanding, it is not possible to access other qubes' memory and those timing attacks are even weaker in virtualized environments:
https://security.stackexchange.com/questions/127806/are-virtualized-environments-vulnerable-to-the-row-hammer-attack/130762

For the G505S: I can only redirect to the work needing to be done on that model to reduce size so it could support Librem Key and its external measurements without a TPM (the G505s doesn't have a TPM). After which GPG, cryptsetup-reencrypt and other tools can be injected in the ROM to support a trustworthy "root of trust" on which QubesOS can securely be preinstalled/used:
https://github.com/osresearch/heads/issues/453#issuecomment-514652215

>
> So the alternative to the 2012 laptop is the 2013 laptop. A bit
> underwhelming.
>
> -
>
> The overall problem here is none of these open source OS projects are
> true integrators or designers, not when it has anything to do with
> hardware.

The path to resolve this becomes clearer. We need open source hardware supported by QubesOS. ppc64 support is our best bet IMHO:
https://github.com/QubesOS/qubes-issues/issues/4318

Meanwhile, actual best solutions need to be upstreamed, and this is the path I've decided to take which got funded:
https://github.com/osresearch/heads/issues/540

> This is why Qubes project will identify USB controller
> isolation as a major issue, but then do nothing about it (note the X230
> is lacking a secondary USB controller).

That was addressed by unman in a previous answer.

> They'll say Intel or X86 is
> fundamentally insecure, but won't begin to describe what a good
> alternative would look like at the component level; without that,
> there's nothing into which the hardware people to sink their teeth or
> even notice Qubes.
>

ppc64 laptops are in the pipeline by RaptorEngineering. Those will need virtualization support, IOMMU and Open Source Firmware. Better would be to have encrypted memory from each VM to leverage side-channel theoretical attack impacts. Best would be to completely externalize internal SPI flash or design an equivalent. Something that could be hacked on on already existing hardware, or designed
Re: [qubes-users] Re: Announcement: Insurgo PrivacyBeast X230 Laptop meets and exceeds Qubes 4.0 hardware certification
That model is unfortunately not really available to redistribute. The SPI flash isn't big enough to support Heads features right now, even though the Librem Key could be used to support firmware and boot integrity attestation. There is a ticket opened on Heads project page to make that device supported. But that device cannot be used to preinstall QubesOS as of right now. Tasket: you have references to 3rd gen Intel support drop? On July 22, 2019 3:40:39 PM UTC, Chris Laprise wrote: >On 7/21/19 5:44 PM, Lorenzo Lamas wrote: >> Very nice to finally have a certified Qubes laptop! >> >> Personally, for me it would be nice if there was a more powerful >> alternative in the future. I'm currently using something with about the >> same resource power and I find myself often wishing I had something >> faster because Qubes is quite heavy compared to a standard OS. It would >> be great to have a quad core CPU(and a proper one, not one of those >> power-saving U line from Intel), 32GB RAM or more and a NVMe SSD instead >> of SATA. >> Also, there is the issue of the CPU being a 3rd gen Intel i CPU. Maybe >> this is specifically chosen because later CPU's are harder to get blob >> free, I don't know the details. However, Intel had quite a few side >> channel vulnerabilities over the past year, and this year they dropped >> microcode update support for 1st gen CPU's, so there is a pretty high >> chance they will drop 2nd gen support next year and 3rd gen support the >> year after that. > >There is even one statement from Intel out there that they've >tentatively already dropped support for 3rd gen (which is what the X230 >and its 'sister' the T430s uses). > >The Lenovo G505s should be slightly more powerful than the X230, and its >AMD A10 processor is significantly less prone to attack.
> >The only problems with it are that HEADS doesn't work (not a big >disadvantage, given how vulnerable X230's older TPM is), and to install > >Qubes you need to flash it with a Coreboot config that requires you to >add an un-signed graphics driver (I think if enough people posted >SHA256 >hashes of the driver it wouldn't be a big problem). > >It also accepts ECC RAM, which reduces the DDR3 side-channel >vulnerabilities somewhat. > >So the alternative to the 2012 laptop is the 2013 laptop. A bit >underwhelming. > >- > >The overall problem here is none of these open source OS projects are >true integrators or designers, not when it has anything to do with >hardware. This is why Qubes project will identify USB controller >isolation as a major issue, but then do nothing about it (note the X230 > >is lacking a secondary USB controller). They'll say Intel or X86 is >fundamentally insecure, but won't begin to describe what a good >alternative would look like at the component level; without that, >there's nothing into which the hardware people to sink their teeth or >even notice Qubes. > >-- > >Chris Laprise, tas...@posteo.net >https://github.com/tasket >https://twitter.com/ttaskett >PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] Re: Announcement: Insurgo PrivacyBeast X230 Laptop meets and exceeds Qubes 4.0 hardware certification
On Mon, Jul 22, 2019 at 11:40:39AM -0400, Chris Laprise wrote: > On 7/21/19 5:44 PM, Lorenzo Lamas wrote: > > Very nice to finally have a certified Qubes laptop! > > > > Personally, for me it would be nice if there was a more powerful > > alternative in the future. I'm currently using something with about the > > same resource power and I find myself often wishing I had something > > faster because Qubes is quite heavy compared to a standard OS. It would > > be great to have a quad core CPU(and a proper one, not one of those > > power-saving U line from Intel), 32GB RAM or more and a NVMe SSD instead > > of SATA. > > Also, there is the issue of the CPU being a 3rd gen Intel i CPU. Maybe > > this is specifically chosen because later CPU's are harder to get blob > > free, I don't know the details. However, Intel had quite a few side > > channel vulnerabilities over the past year, and this year they dropped > > microcode update support for 1st gen CPU's, so there is a pretty high > > chance they will drop 2nd gen support next year and 3rd gen support the > > year after that. > > There is even one statement from Intel out there that they've tentatively > already dropped support for 3rd gen (which is what the X230 and its 'sister' > the T430s uses). > > The Lenovo G505s should be slightly more powerful than the X230, and its AMD > A10 processor is significantly less prone to attack. > > The only problems with it are that HEADS doesn't work (not a big > disadvantage, given how vulnerable X230's older TPM is), and to install > Qubes you need to flash it with a Coreboot config that requires you to add > an un-signed graphics driver (I think if enough people posted SHA256 hashes > of the driver it wouldn't be a big problem). > > It also accepts ECC RAM, which reduces the DDR3 side-channel vulnerabilities > somewhat. > > So the alternative to the 2012 laptop is the 2013 laptop. A bit > underwhelming. 
> > - > > The overall problem here is none of these open source OS projects are true > integrators or designers, not when it has anything to do with hardware. This > is why Qubes project will identify USB controller isolation as a major > issue, but then do nothing about it (note the X230 is lacking a secondary > USB controller). They'll say Intel or X86 is fundamentally insecure, but > won't begin to describe what a good alternative would look like at the > component level; without that, there's nothing into which the hardware > people to sink their teeth or even notice Qubes. > You are wrong about the x230 lacking a secondary USB controller, if you mean " a second controller". The x230 has controllers which can be allocated to two distinct usb qubes.
Re: [qubes-users] Re: Announcement: Insurgo PrivacyBeast X230 Laptop meets and exceeds Qubes 4.0 hardware certification
On 7/21/19 5:44 PM, Lorenzo Lamas wrote:
> Very nice to finally have a certified Qubes laptop!
>
> Personally, for me it would be nice if there was a more powerful alternative in the future. I'm currently using something with about the same resource power and I find myself often wishing I had something faster because Qubes is quite heavy compared to a standard OS. It would be great to have a quad core CPU (and a proper one, not one of those power-saving U line from Intel), 32GB RAM or more and an NVMe SSD instead of SATA.
> Also, there is the issue of the CPU being a 3rd gen Intel i CPU. Maybe this is specifically chosen because later CPUs are harder to get blob free, I don't know the details. However, Intel had quite a few side channel vulnerabilities over the past year, and this year they dropped microcode update support for 1st gen CPUs, so there is a pretty high chance they will drop 2nd gen support next year and 3rd gen support the year after that.

There is even one statement from Intel out there that they've tentatively already dropped support for 3rd gen (which is what the X230 and its 'sister' the T430s use).

The Lenovo G505s should be slightly more powerful than the X230, and its AMD A10 processor is significantly less prone to attack.

The only problems with it are that HEADS doesn't work (not a big disadvantage, given how vulnerable X230's older TPM is), and to install Qubes you need to flash it with a Coreboot config that requires you to add an un-signed graphics driver (I think if enough people posted SHA256 hashes of the driver it wouldn't be a big problem).

It also accepts ECC RAM, which reduces the DDR3 side-channel vulnerabilities somewhat.

So the alternative to the 2012 laptop is the 2013 laptop. A bit underwhelming.

-

The overall problem here is none of these open source OS projects are true integrators or designers, not when it has anything to do with hardware. This is why the Qubes project will identify USB controller isolation as a major issue, but then do nothing about it (note the X230 is lacking a secondary USB controller). They'll say Intel or X86 is fundamentally insecure, but won't begin to describe what a good alternative would look like at the component level; without that, there's nothing for the hardware people to sink their teeth into or even notice Qubes.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

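The message above suggests that SHA256 hashes posted by enough people could stand in for a signature on the graphics driver. As an added example (not part of the thread and not any project's tooling), this sketch compares a local copy against several posted digests; the blob bytes, poster names and the quorum of three are constructed, and it assumes the posters obtained their copies independently.

```python
import hashlib
import re

HEX64 = re.compile(r"[0-9a-f]{64}")

def normalise(reported: str) -> str:
    """Lower-case a posted digest and drop spaces/colons used for grouping."""
    return re.sub(r"[\s:]", "", reported).lower()

def compare_with_reports(blob: bytes, reports: dict, quorum: int = 3) -> dict:
    """Compare the local SHA-256 of `blob` with digests posted by others.

    verdict is one of:
      match        - at least `quorum` posters agree with us, nobody differs
      insufficient - nobody differs, but too few posters to rely on
      conflict     - some posters agree with us and some do not
      mismatch     - posters report other digests and none agrees with us
    """
    local = hashlib.sha256(blob).hexdigest()
    agree, differ, malformed = [], [], []
    for poster, reported in reports.items():
        digest = normalise(reported)
        if not HEX64.fullmatch(digest):
            malformed.append(poster)      # truncated or mistyped, not counted
        elif digest == local:
            agree.append(poster)
        else:
            differ.append(poster)
    if differ:
        verdict = "conflict" if agree else "mismatch"
    elif len(agree) >= quorum:
        verdict = "match"
    else:
        verdict = "insufficient"
    return {"local": local, "verdict": verdict, "agree": agree,
            "differ": differ, "malformed": malformed}

# Constructed sample data: a stand-in blob and three hypothetical posters.
BLOB = b"constructed stand-in for the graphics driver binary"
GOOD = hashlib.sha256(BLOB).hexdigest()
REPORTS = {
    "poster-a": GOOD,
    "poster-b": GOOD.upper(),
    "poster-c": " ".join(GOOD[i:i + 8] for i in range(0, 64, 8)),
}

if __name__ == "__main__":
    print(compare_with_reports(BLOB, REPORTS)["verdict"])            # intact copy
    print(compare_with_reports(BLOB + b"\x00", REPORTS)["verdict"])  # altered copy
```

A "conflict" verdict does not say which side is right; it only shows that more than one version of the file is in circulation.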
[qubes-users] Re: Announcement: Insurgo PrivacyBeast X230 Laptop meets and exceeds Qubes 4.0 hardware certification
Very nice to finally have a certified Qubes laptop!

Personally, for me it would be nice if there was a more powerful alternative in the future. I'm currently using something with about the same resource power and I find myself often wishing I had something faster because Qubes is quite heavy compared to a standard OS. It would be great to have a quad core CPU (and a proper one, not one of those power-saving U line from Intel), 32GB RAM or more and an NVMe SSD instead of SATA.

Also, there is the issue of the CPU being a 3rd gen Intel i CPU. Maybe this is specifically chosen because later CPUs are harder to get blob free, I don't know the details. However, Intel had quite a few side channel vulnerabilities over the past year, and this year they dropped microcode update support for 1st gen CPUs, so there is a pretty high chance they will drop 2nd gen support next year and 3rd gen support the year after that.

Re: [qubes-users] Re: Announcement: Insurgo PrivacyBeast X230 Laptop meets and exceeds Qubes 4.0 hardware certification
On July 19, 2019 9:32:52 PM UTC, 'awokd' via qubes-users wrote:
>Thierry Laurion:
>> Hello all.
>>
>> For those of you who would want to ask questions but are against using
>> Google services/Twitter/Facebook, you are more than welcome to comment post
>> on my ZeroNet technical blog:
>> http://127.0.0.1:43110/1DMb3CV66qZPwJqkgm4z12nu8BrAwDoD4g/?Post:26:PrivacyBeast+X230+is+alive!!!
>
>Unless you hacked my computer, I don't think the above link is going to
>work. :)

This is a ZeroNet URL. :)
It can be accessed through a clearnet proxy here for read access: https://zero.acelewis.com/#1DMb3CV66qZPwJqkgm4z12nu8BrAwDoD4g/?Post:26:PrivacyBeast+X230+is+alive!!!

>
>Otherwise, nice work with the laptop!

Thanks!

Re: [qubes-users] Re: Announcement: Insurgo PrivacyBeast X230 Laptop meets and exceeds Qubes 4.0 hardware certification
Thierry Laurion:
> Hello all.
>
> For those of you who would want to ask questions but are against using Google services/Twitter/Facebook, you are more than welcome to comment post on my ZeroNet technical blog:
> http://127.0.0.1:43110/1DMb3CV66qZPwJqkgm4z12nu8BrAwDoD4g/?Post:26:PrivacyBeast+X230+is+alive!!!

Unless you hacked my computer, I don't think the above link is going to work. :)

Otherwise, nice work with the laptop!

[qubes-users] Re: Announcement: Insurgo PrivacyBeast X230 Laptop meets and exceeds Qubes 4.0 hardware certification
Hello all.

For those of you who would want to ask questions but are against using Google services/Twitter/Facebook, you are more than welcome to comment post on my ZeroNet technical blog:
http://127.0.0.1:43110/1DMb3CV66qZPwJqkgm4z12nu8BrAwDoD4g/?Post:26:PrivacyBeast+X230+is+alive!!!

Cheers,
Thierry Laurion
Insurgo Open Technologies/Technologies Libres

On Friday, July 19, 2019 at 00:19:37 UTC-4, Andrew David Wong wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Dear Qubes Community,
>
> We are very pleased to announce that the Insurgo PrivacyBeast X230 [1]
> has passed Qubes 4.0 Hardware Certification and is now a Qubes-certified
> Laptop! [2]
>
> ## What is Qubes Certified Hardware?
>
> Qubes Certified Hardware [3] is hardware that has been certified by the
> Qubes developers as compatible with Qubes OS. Beginning with Qubes 4.0,
> in order to achieve certification, the hardware must satisfy a rigorous
> set of requirements [4], and the vendor must commit to offering
> customers the very same configuration (same motherboard, same screen,
> same BIOS version, same Wi-Fi module, etc.) for at least one year.
>
> Qubes-certified Laptops [2], in particular, are regularly tested
> by the Qubes developers to ensure compatibility with all of Qubes'
> features. The developers test all new major versions and updates to
> ensure that no regressions are introduced.
>
> It is important to note, however, that Qubes Hardware Certification
> certifies only that a particular hardware *configuration* is *supported*
> by Qubes. The Qubes OS Project takes no responsibility for any
> manufacturing or shipping processes, nor can we control whether physical
> hardware is modified (whether maliciously or otherwise) *en route* to
> the user. (However, see below for information about how the Insurgo
> team mitigates this risk.)
>
> ## About the Insurgo PrivacyBeast X230 Laptop
>
> The Insurgo PrivacyBeast X230 [1] is a custom refurbished ThinkPad X230
> [5] that not only *meets* all Qubes Hardware Certification requirements
> [4] but also *exceeds* them thanks to its unique configuration,
> including:
>
> - Coreboot [6] initialization for the x230 is binary-blob-free,
>   including native graphic initialization. Built with the
>   Heads [7] payload, it delivers an Anti Evil Maid (AEM) [8]-like
>   solution built into the firmware. (Even though our requirements [4]
>   provide an exception for CPU-vendor-provided blobs for silicon and
>   memory initialization, Insurgo exceeds our requirements by insisting
>   that these be absent from its machines.)
>
> - Intel ME [9] is neutered through the AltMeDisable bit, while all
>   modules other than ROMP and BUP, which are required to initialize
>   main CPU, have been deleted. [10]
>
> - A re-ownership process that allows it to ship pre-installed with
>   Qubes OS, including full-disk encryption already in place, but
>   where the final disk encryption key is regenerated only when the
>   machine is first powered on by the user, so that the OEM doesn't
>   know it.
>
> - Heads [7] provisioned pre-delivery to protect against malicious
>   interdiction. [11]
>
> ## How to get one
>
> Please see the Insurgo PrivacyBeast X230 [1] on the Insurgo website [12]
> for more information.
>
> ## Acknowledgements
>
> Special thanks go to:
>
> - Thierry Laurion [13], Director of Insurgo, Technologies Libres (Open
>   Technologies), for spearheading this effort and making Heads+Qubes
>   laptops more broadly accessible.
>
> - Trammell Hudson [14], for creating Heads [7].
>
> - Purism [15], for greatly improving the UX of Heads [7], including
>   the GUI menu, and for adding Nitrokey [16] and Librem Key [17]
>   support.
>
>
> [1] https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/
> [2] https://www.qubes-os.org/doc/certified-hardware/#qubes-certified-laptop-insurgo-privacybeast-x230
> [3] https://www.qubes-os.org/doc/certified-hardware/
> [4] https://www.qubes-os.org/doc/certified-hardware/#hardware-certification-requirements
> [5] https://www.thinkwiki.org/wiki/Category:X230
> [6] https://www.coreboot.org/
> [7] https://github.com/osresearch/heads/
> [8] https://www.qubes-os.org/doc/anti-evil-maid/
> [9] https://libreboot.org/faq.html#intelme
> [10] https://github.com/osresearch/heads-wiki/blob/master/Clean-the-ME-firmware.md#how-to-disabledeactive-most-of-it
> [11] https://en.wikipedia.org/wiki/Interdiction
> [12] https://insurgo.ca
> [13] https://www.linkedin.com/in/thierry-laurion-40b4128/
> [14] https://trmm.net/About
> [15] https://puri.sm/
> [16] https://www.nitrokey.com/
> [17] https://puri.sm/posts/introducing-the-librem-key/
>
> This announcement is also available on the Qubes website:
>
> https://www.qubes-os.org/news/2019/07/18/insurgo-privacybeast-qubes-certification/
>