Re: [qubes-users] Re: Intel TXT advice
On 14-11-2016 20:07, Eric wrote: On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote: Eric: On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, tai...@gmx.com wrote: ... Well, the Dell XPS was enough processing power for me. The Business version, the Precision 5510, not only has vPro and TXT, but also supports ECC memory (Xeon E5). Adds another layer of protection (against Rowhammer attacks that can compromise even Qubes), but a) nobody actually makes DDR4-ECC-SODIMM memory that I can find, and b) it's basically another thousand bucks. I also happen to hate 16:9 displays, but I would compromise on that for Qubes' sake. FYI, ECC SODIMM DDR3, no DDR4 yet: http://www.intelligentmemory.com/ECC-DRAM/DDR3/ -- Pedro Martins -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/baed4659-39aa-61c6-cb17-0cf50be1ba4b%40gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Intel TXT advice
So you know AFIAK OPOWER8+ systems have a emulation layer for x86 that works quite well, on the TALOS page you can see them playing a modern 3d game with it via pass thru video although obvious you wouldn't want to emulate a VMM. Xen isn't the be all-end all of virtualization, there are many other solutions and some of them work better. (I could never get pass thru video to work with xen, only qemu-kvm and I used libvirt for the management layer) There are plenty of non ME systems out there that are new enough to be useful for gaming, only AM4/FM2 have PSP but all the other AMD procs don't have PSP. The KGPE-d16 for instance is an opteron blob free coreboot/libreboot board that is quite nice for a performance workstation. For a laptop there is always the novena and a few other blob free ones, and if you don't want ME you can buy a non PSP AMD laptop. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/410acebe-d934-b6b3-6656-f24461c13ae6%40gmx.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Intel TXT advice
On Monday, November 14, 2016 at 11:55:09 PM UTC, tai...@gmx.com wrote: > On 11/14/2016 04:50 PM, entr0py wrote: > > > taii...@gmx.com: > >> On 11/14/2016 03:12 PM, Eric wrote: > >>> On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote: > Eric: > > On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, > > tai...@gmx.com wrote: > >> Forgot to say: Purism is just an overpriced quanta/oem > >> whitebox laptop, it takes 5mil+ of startup funds to do a > >> small run of *just a motherboard* let alone an entire laptop > >> computer including the fab for a fancy aluminum case - it is > >> quite obvious that their components are not "hand selected" > >> and that they just called up some chinese OEM and asked them > >> what they had kicking around. > >> > >> I can't understand if they are scammers or just really > >> naive, Instead of making an OpenPower or ARM laptop and > >> having it be 100% libre from the start they instead do the > >> dishonest "you'll go to disneyworld one day poor johnny" - If > >> google can't convince intel to open up FSP/ME then nobody can > >> - coreboot with FSP is just shimboot (black box FSP - 95% of > >> the bios work) > >> > >> It bothers me quite a lot that they are on the list of > >> approved vendors when they are a dishonest company. > > Whoa. Ok, hold on a sec. I did not buy a Purism computer, > > though not for those reasons - putting a 28W TDP proc in a > > 15inch "workstation" is absurd to me. as is their lack of a > > screen configuration. I hear your anger at the gap between what > > they promise and what they deliver; I'm more displeased on the > > hardware side of things (though I do like HW kill switches. > > I've looked into what they promise and understand very well > > that they don't actually have a very free computer at all, > > especially on the bios/firmware side. > > > > What I actually ordered (and have now cancelled), was a Dell > > XPS 15". There is no vPro option in the configure menu, though > > it does support VT-d and SLAT. I've read all of Joanna's > > papers, and understand the concerns about Intel ME very well. > > However, on the Dell order, it claimed "ME Disabled." Perhaps > > they simply meant that vPro/AMT/TXT was disabled, and that was > > mine and Dell's fault for wishful thinking and false naming, > > respectively. Please see linked photo: https://d.pr/Q0YZ > > > Moral considerations aside, why not buy that Dell and pair it > with a portable router/firewall like this > (https://www.compulab.co.il/utilite-computer/web/products)? > Shouldn't that effectively block out any ME-related mischief or > do I have a fundamental misunderstanding? It doesn't seem > possible otherwise to get the type of processing power you're > looking for in a laptop form-factor. > >>> Also, the concern for me is not ME shenanigans. I'm more concerned > >>> about having TXT for AEM and measured boot, and the consumer Dell > >>> model does not have that (the processor and chipset don't support > >>> it). The other option aside from the Precision 5510, would be a > >>> ThinkPad T460 or T460p, but the downside there is performance (only > >>> SATA-3 SSD), and also the screen quality is terrible. > >>> > >>> Much as I dislike proprietary anything, I might take a second look > >>> at the new MacBook Pros, and run things that need higher security > >>> in a VM or in Whonix. > >> Why would you buy a macbook? You realize those have regular intel > >> processors and ME too right? > >> > >> Lenovo is owned by the chinese, and dell business laptop (their consumer > >> line is garbage) is a way better choice than either. > >> > >> It seems you do have (as you said) a fundamental misunderstanding of how > >> security actually works, and how a router/firewall operates. - thus I > >> don't think that anyone would be targeting you specifically with a ME > >> exploit. > > (top-posting fixed) > > > > Despite my "fundamental misunderstanding of how security actually works", I > > am able to read a thread and keep track of who said what - a skill you > > seemed to have misplaced in all your wizardry. Also, on your crusade to > > dismantle Intel and Google, it might behoove you to take a slightly less > > agressive tack with people who generally share your beliefs cause it seems > > you're significantly outnumbered as it is. > > > > Now if you'd like to respond without the obligatory disdain and actually > > explain something, my questions was: "Is Intel ME/AMT able to bypass > > firewalls that haven't been specifically configured to support those > > services?" This entry: > > https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Communication > > leads me to think that ME TCP/IP traffic isn't automatically > > passed-through, but like *I* said, I may have a fundam
Re: [qubes-users] Re: Intel TXT advice
On 11/14/2016 04:50 PM, entr0py wrote: taii...@gmx.com: On 11/14/2016 03:12 PM, Eric wrote: On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote: Eric: On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, tai...@gmx.com wrote: Forgot to say: Purism is just an overpriced quanta/oem whitebox laptop, it takes 5mil+ of startup funds to do a small run of *just a motherboard* let alone an entire laptop computer including the fab for a fancy aluminum case - it is quite obvious that their components are not "hand selected" and that they just called up some chinese OEM and asked them what they had kicking around. I can't understand if they are scammers or just really naive, Instead of making an OpenPower or ARM laptop and having it be 100% libre from the start they instead do the dishonest "you'll go to disneyworld one day poor johnny" - If google can't convince intel to open up FSP/ME then nobody can - coreboot with FSP is just shimboot (black box FSP - 95% of the bios work) It bothers me quite a lot that they are on the list of approved vendors when they are a dishonest company. Whoa. Ok, hold on a sec. I did not buy a Purism computer, though not for those reasons - putting a 28W TDP proc in a 15inch "workstation" is absurd to me. as is their lack of a screen configuration. I hear your anger at the gap between what they promise and what they deliver; I'm more displeased on the hardware side of things (though I do like HW kill switches. I've looked into what they promise and understand very well that they don't actually have a very free computer at all, especially on the bios/firmware side. What I actually ordered (and have now cancelled), was a Dell XPS 15". There is no vPro option in the configure menu, though it does support VT-d and SLAT. I've read all of Joanna's papers, and understand the concerns about Intel ME very well. However, on the Dell order, it claimed "ME Disabled." Perhaps they simply meant that vPro/AMT/TXT was disabled, and that was mine and Dell's fault for wishful thinking and false naming, respectively. Please see linked photo: https://d.pr/Q0YZ Moral considerations aside, why not buy that Dell and pair it with a portable router/firewall like this (https://www.compulab.co.il/utilite-computer/web/products)? Shouldn't that effectively block out any ME-related mischief or do I have a fundamental misunderstanding? It doesn't seem possible otherwise to get the type of processing power you're looking for in a laptop form-factor. Also, the concern for me is not ME shenanigans. I'm more concerned about having TXT for AEM and measured boot, and the consumer Dell model does not have that (the processor and chipset don't support it). The other option aside from the Precision 5510, would be a ThinkPad T460 or T460p, but the downside there is performance (only SATA-3 SSD), and also the screen quality is terrible. Much as I dislike proprietary anything, I might take a second look at the new MacBook Pros, and run things that need higher security in a VM or in Whonix. Why would you buy a macbook? You realize those have regular intel processors and ME too right? Lenovo is owned by the chinese, and dell business laptop (their consumer line is garbage) is a way better choice than either. It seems you do have (as you said) a fundamental misunderstanding of how security actually works, and how a router/firewall operates. - thus I don't think that anyone would be targeting you specifically with a ME exploit. (top-posting fixed) Despite my "fundamental misunderstanding of how security actually works", I am able to read a thread and keep track of who said what - a skill you seemed to have misplaced in all your wizardry. Also, on your crusade to dismantle Intel and Google, it might behoove you to take a slightly less agressive tack with people who generally share your beliefs cause it seems you're significantly outnumbered as it is. Now if you'd like to respond without the obligatory disdain and actually explain something, my questions was: "Is Intel ME/AMT able to bypass firewalls that haven't been specifically configured to support those services?" This entry: https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Communication leads me to think that ME TCP/IP traffic isn't automatically passed-through, but like *I* said, I may have a fundamental misunderstanding of that. It is the same as any other device connected to your network, if it has a world routable IP, you port forward, your router gets hacked, your computer gets exploited or it initiates communication on its own then yes it can communicate with the outside world. For all we know it is simply waiting for an "activation" code sent via MITM that it will detect. I do not want to "dismantle" intel/google, I simply want them to be more friendly to the customer and for intel to end their war on free software and general purpose computing - they used to be great companies but now they aren't becaus
Re: [qubes-users] Re: Intel TXT advice
entr0py: > taii...@gmx.com: >> On 11/14/2016 03:12 PM, Eric wrote: >>> On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote: Eric: > On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, > tai...@gmx.com wrote: >> Forgot to say: Purism is just an overpriced quanta/oem >> whitebox laptop, it takes 5mil+ of startup funds to do a >> small run of *just a motherboard* let alone an entire laptop >> computer including the fab for a fancy aluminum case - it is >> quite obvious that their components are not "hand selected" >> and that they just called up some chinese OEM and asked them >> what they had kicking around. >> >> I can't understand if they are scammers or just really >> naive, Instead of making an OpenPower or ARM laptop and >> having it be 100% libre from the start they instead do the >> dishonest "you'll go to disneyworld one day poor johnny" - If >> google can't convince intel to open up FSP/ME then nobody can >> - coreboot with FSP is just shimboot (black box FSP - 95% of >> the bios work) >> >> It bothers me quite a lot that they are on the list of >> approved vendors when they are a dishonest company. > Whoa. Ok, hold on a sec. I did not buy a Purism computer, > though not for those reasons - putting a 28W TDP proc in a > 15inch "workstation" is absurd to me. as is their lack of a > screen configuration. I hear your anger at the gap between what > they promise and what they deliver; I'm more displeased on the > hardware side of things (though I do like HW kill switches. > I've looked into what they promise and understand very well > that they don't actually have a very free computer at all, > especially on the bios/firmware side. > > What I actually ordered (and have now cancelled), was a Dell > XPS 15". There is no vPro option in the configure menu, though > it does support VT-d and SLAT. I've read all of Joanna's > papers, and understand the concerns about Intel ME very well. > However, on the Dell order, it claimed "ME Disabled." Perhaps > they simply meant that vPro/AMT/TXT was disabled, and that was > mine and Dell's fault for wishful thinking and false naming, > respectively. Please see linked photo: https://d.pr/Q0YZ > Moral considerations aside, why not buy that Dell and pair it with a portable router/firewall like this (https://www.compulab.co.il/utilite-computer/web/products)? Shouldn't that effectively block out any ME-related mischief or do I have a fundamental misunderstanding? It doesn't seem possible otherwise to get the type of processing power you're looking for in a laptop form-factor. >>> Also, the concern for me is not ME shenanigans. I'm more concerned >>> about having TXT for AEM and measured boot, and the consumer Dell >>> model does not have that (the processor and chipset don't support >>> it). The other option aside from the Precision 5510, would be a >>> ThinkPad T460 or T460p, but the downside there is performance (only >>> SATA-3 SSD), and also the screen quality is terrible. >>> >>> Much as I dislike proprietary anything, I might take a second look >>> at the new MacBook Pros, and run things that need higher security >>> in a VM or in Whonix. >> >> Why would you buy a macbook? You realize those have regular intel processors >> and ME too right? >> >> Lenovo is owned by the chinese, and dell business laptop (their consumer >> line is garbage) is a way better choice than either. >> >> It seems you do have (as you said) a fundamental misunderstanding of how >> security actually works, and how a router/firewall operates. - thus I don't >> think that anyone would be targeting you specifically with a ME exploit. > > (top-posting fixed) > > Despite my "fundamental misunderstanding of how security actually works", I > am able to read a thread and keep track of who said what - a skill you seemed > to have misplaced in all your wizardry. Also, on your crusade to dismantle > Intel and Google, it might behoove you to take a slightly less agressive tack > with people who generally share your beliefs cause it seems you're > significantly outnumbered as it is. > > Now if you'd like to respond without the obligatory disdain and actually > explain something, my questions was: "Is Intel ME/AMT able to bypass > firewalls that haven't been specifically configured to support those > services?" This entry: > https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Communication > leads me to think that ME TCP/IP traffic isn't automatically passed-through, > but like *I* said, I may have a fundamental misunderstanding of that. > I should add: My question is in the context of independent router/firewalls (on separate hardware). I know that firewalls on the same machine as Intel ME have no effect because the signals are out-of-band / not OS-dependent. -- You re
Re: [qubes-users] Re: Intel TXT advice
taii...@gmx.com: > On 11/14/2016 03:12 PM, Eric wrote: >> On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote: >>> Eric: On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, tai...@gmx.com wrote: > Forgot to say: Purism is just an overpriced quanta/oem > whitebox laptop, it takes 5mil+ of startup funds to do a > small run of *just a motherboard* let alone an entire laptop > computer including the fab for a fancy aluminum case - it is > quite obvious that their components are not "hand selected" > and that they just called up some chinese OEM and asked them > what they had kicking around. > > I can't understand if they are scammers or just really > naive, Instead of making an OpenPower or ARM laptop and > having it be 100% libre from the start they instead do the > dishonest "you'll go to disneyworld one day poor johnny" - If > google can't convince intel to open up FSP/ME then nobody can > - coreboot with FSP is just shimboot (black box FSP - 95% of > the bios work) > > It bothers me quite a lot that they are on the list of > approved vendors when they are a dishonest company. Whoa. Ok, hold on a sec. I did not buy a Purism computer, though not for those reasons - putting a 28W TDP proc in a 15inch "workstation" is absurd to me. as is their lack of a screen configuration. I hear your anger at the gap between what they promise and what they deliver; I'm more displeased on the hardware side of things (though I do like HW kill switches. I've looked into what they promise and understand very well that they don't actually have a very free computer at all, especially on the bios/firmware side. What I actually ordered (and have now cancelled), was a Dell XPS 15". There is no vPro option in the configure menu, though it does support VT-d and SLAT. I've read all of Joanna's papers, and understand the concerns about Intel ME very well. However, on the Dell order, it claimed "ME Disabled." Perhaps they simply meant that vPro/AMT/TXT was disabled, and that was mine and Dell's fault for wishful thinking and false naming, respectively. Please see linked photo: https://d.pr/Q0YZ >>> Moral considerations aside, why not buy that Dell and pair it >>> with a portable router/firewall like this >>> (https://www.compulab.co.il/utilite-computer/web/products)? >>> Shouldn't that effectively block out any ME-related mischief or >>> do I have a fundamental misunderstanding? It doesn't seem >>> possible otherwise to get the type of processing power you're >>> looking for in a laptop form-factor. >> Also, the concern for me is not ME shenanigans. I'm more concerned >> about having TXT for AEM and measured boot, and the consumer Dell >> model does not have that (the processor and chipset don't support >> it). The other option aside from the Precision 5510, would be a >> ThinkPad T460 or T460p, but the downside there is performance (only >> SATA-3 SSD), and also the screen quality is terrible. >> >> Much as I dislike proprietary anything, I might take a second look >> at the new MacBook Pros, and run things that need higher security >> in a VM or in Whonix. > > Why would you buy a macbook? You realize those have regular intel processors > and ME too right? > > Lenovo is owned by the chinese, and dell business laptop (their consumer line > is garbage) is a way better choice than either. > > It seems you do have (as you said) a fundamental misunderstanding of how > security actually works, and how a router/firewall operates. - thus I don't > think that anyone would be targeting you specifically with a ME exploit. (top-posting fixed) Despite my "fundamental misunderstanding of how security actually works", I am able to read a thread and keep track of who said what - a skill you seemed to have misplaced in all your wizardry. Also, on your crusade to dismantle Intel and Google, it might behoove you to take a slightly less agressive tack with people who generally share your beliefs cause it seems you're significantly outnumbered as it is. Now if you'd like to respond without the obligatory disdain and actually explain something, my questions was: "Is Intel ME/AMT able to bypass firewalls that haven't been specifically configured to support those services?" This entry: https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Communication leads me to think that ME TCP/IP traffic isn't automatically passed-through, but like *I* said, I may have a fundamental misunderstanding of that. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://grou
Re: [qubes-users] Re: Intel TXT advice
On Monday, November 14, 2016 at 1:02:14 PM UTC-8, tai...@gmx.com wrote: > Why would you buy a macbook? You realize those have regular intel > processors and ME too right? > > Lenovo is owned by the chinese, and dell business laptop (their consumer > line is garbage) is a way better choice than either. > > It seems you do have (as you said) a fundamental misunderstanding of how > security actually works, and how a router/firewall operates. - thus I > don't think that anyone would be targeting you specifically with a ME > exploit. Beg your pardon. Calling into question my security knowledge does not lead to any sort of productive discussion. I am fully aware that I have things to learn, and that's why I'm here. I'm not going to get itno a security measuring knowledge with your or fire back with how much I do know; I'll simply thank you for your insight and move on. Cheers. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f6599259-e1da-4379-b936-8e596d817539%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Intel TXT advice
Why would you buy a macbook? You realize those have regular intel processors and ME too right? Lenovo is owned by the chinese, and dell business laptop (their consumer line is garbage) is a way better choice than either. It seems you do have (as you said) a fundamental misunderstanding of how security actually works, and how a router/firewall operates. - thus I don't think that anyone would be targeting you specifically with a ME exploit. On 11/14/2016 03:12 PM, Eric wrote: On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote: Eric: On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, tai...@gmx.com wrote: Forgot to say: Purism is just an overpriced quanta/oem whitebox laptop, it takes 5mil+ of startup funds to do a small run of *just a motherboard* let alone an entire laptop computer including the fab for a fancy aluminum case - it is quite obvious that their components are not "hand selected" and that they just called up some chinese OEM and asked them what they had kicking around. I can't understand if they are scammers or just really naive, Instead of making an OpenPower or ARM laptop and having it be 100% libre from the start they instead do the dishonest "you'll go to disneyworld one day poor johnny" - If google can't convince intel to open up FSP/ME then nobody can - coreboot with FSP is just shimboot (black box FSP - 95% of the bios work) It bothers me quite a lot that they are on the list of approved vendors when they are a dishonest company. Whoa. Ok, hold on a sec. I did not buy a Purism computer, though not for those reasons - putting a 28W TDP proc in a 15inch "workstation" is absurd to me. as is their lack of a screen configuration. I hear your anger at the gap between what they promise and what they deliver; I'm more displeased on the hardware side of things (though I do like HW kill switches. I've looked into what they promise and understand very well that they don't actually have a very free computer at all, especially on the bios/firmware side. What I actually ordered (and have now cancelled), was a Dell XPS 15". There is no vPro option in the configure menu, though it does support VT-d and SLAT. I've read all of Joanna's papers, and understand the concerns about Intel ME very well. However, on the Dell order, it claimed "ME Disabled." Perhaps they simply meant that vPro/AMT/TXT was disabled, and that was mine and Dell's fault for wishful thinking and false naming, respectively. Please see linked photo: https://d.pr/Q0YZ Moral considerations aside, why not buy that Dell and pair it with a portable router/firewall like this (https://www.compulab.co.il/utilite-computer/web/products)? Shouldn't that effectively block out any ME-related mischief or do I have a fundamental misunderstanding? It doesn't seem possible otherwise to get the type of processing power you're looking for in a laptop form-factor. Also, the concern for me is not ME shenanigans. I'm more concerned about having TXT for AEM and measured boot, and the consumer Dell model does not have that (the processor and chipset don't support it). The other option aside from the Precision 5510, would be a ThinkPad T460 or T460p, but the downside there is performance (only SATA-3 SSD), and also the screen quality is terrible. Much as I dislike proprietary anything, I might take a second look at the new MacBook Pros, and run things that need higher security in a VM or in Whonix. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/53242c52-4e21-926a-0f1b-41720bf46aa8%40gmx.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Intel TXT advice
On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote: > Eric: > > On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, tai...@gmx.com > > wrote: > >> Forgot to say: Purism is just an overpriced quanta/oem whitebox > >> laptop, it takes 5mil+ of startup funds to do a small run of *just > >> a motherboard* let alone an entire laptop computer including the > >> fab for a fancy aluminum case - it is quite obvious that their > >> components are not "hand selected" and that they just called up > >> some chinese OEM and asked them what they had kicking around. > >> > >> I can't understand if they are scammers or just really naive, > >> Instead of making an OpenPower or ARM laptop and having it be 100% > >> libre from the start they instead do the dishonest "you'll go to > >> disneyworld one day poor johnny" - If google can't convince intel > >> to open up FSP/ME then nobody can - coreboot with FSP is just > >> shimboot (black box FSP - 95% of the bios work) > >> > >> It bothers me quite a lot that they are on the list of approved > >> vendors when they are a dishonest company. > > > > Whoa. Ok, hold on a sec. I did not buy a Purism computer, though not > > for those reasons - putting a 28W TDP proc in a 15inch "workstation" > > is absurd to me. as is their lack of a screen configuration. I hear > > your anger at the gap between what they promise and what they > > deliver; I'm more displeased on the hardware side of things (though I > > do like HW kill switches. I've looked into what they promise and > > understand very well that they don't actually have a very free > > computer at all, especially on the bios/firmware side. > > > > What I actually ordered (and have now cancelled), was a Dell XPS 15". > > There is no vPro option in the configure menu, though it does support > > VT-d and SLAT. I've read all of Joanna's papers, and understand the > > concerns about Intel ME very well. However, on the Dell order, it > > claimed "ME Disabled." Perhaps they simply meant that vPro/AMT/TXT > > was disabled, and that was mine and Dell's fault for wishful thinking > > and false naming, respectively. Please see linked photo: > > https://d.pr/Q0YZ > > > > Moral considerations aside, why not buy that Dell and pair it with a portable > router/firewall like this > (https://www.compulab.co.il/utilite-computer/web/products)? Shouldn't that > effectively block out any ME-related mischief or do I have a fundamental > misunderstanding? It doesn't seem possible otherwise to get the type of > processing power you're looking for in a laptop form-factor. Also, the concern for me is not ME shenanigans. I'm more concerned about having TXT for AEM and measured boot, and the consumer Dell model does not have that (the processor and chipset don't support it). The other option aside from the Precision 5510, would be a ThinkPad T460 or T460p, but the downside there is performance (only SATA-3 SSD), and also the screen quality is terrible. Much as I dislike proprietary anything, I might take a second look at the new MacBook Pros, and run things that need higher security in a VM or in Whonix. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e2d0cd80-190c-443f-a3ac-d2ca992a6882%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Intel TXT advice
On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote: > Eric: > > On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, tai...@gmx.com > > wrote: > >> Forgot to say: Purism is just an overpriced quanta/oem whitebox > >> laptop, it takes 5mil+ of startup funds to do a small run of *just > >> a motherboard* let alone an entire laptop computer including the > >> fab for a fancy aluminum case - it is quite obvious that their > >> components are not "hand selected" and that they just called up > >> some chinese OEM and asked them what they had kicking around. > >> > >> I can't understand if they are scammers or just really naive, > >> Instead of making an OpenPower or ARM laptop and having it be 100% > >> libre from the start they instead do the dishonest "you'll go to > >> disneyworld one day poor johnny" - If google can't convince intel > >> to open up FSP/ME then nobody can - coreboot with FSP is just > >> shimboot (black box FSP - 95% of the bios work) > >> > >> It bothers me quite a lot that they are on the list of approved > >> vendors when they are a dishonest company. > > > > Whoa. Ok, hold on a sec. I did not buy a Purism computer, though not > > for those reasons - putting a 28W TDP proc in a 15inch "workstation" > > is absurd to me. as is their lack of a screen configuration. I hear > > your anger at the gap between what they promise and what they > > deliver; I'm more displeased on the hardware side of things (though I > > do like HW kill switches. I've looked into what they promise and > > understand very well that they don't actually have a very free > > computer at all, especially on the bios/firmware side. > > > > What I actually ordered (and have now cancelled), was a Dell XPS 15". > > There is no vPro option in the configure menu, though it does support > > VT-d and SLAT. I've read all of Joanna's papers, and understand the > > concerns about Intel ME very well. However, on the Dell order, it > > claimed "ME Disabled." Perhaps they simply meant that vPro/AMT/TXT > > was disabled, and that was mine and Dell's fault for wishful thinking > > and false naming, respectively. Please see linked photo: > > https://d.pr/Q0YZ > > > > Moral considerations aside, why not buy that Dell and pair it with a portable > router/firewall like this > (https://www.compulab.co.il/utilite-computer/web/products)? Shouldn't that > effectively block out any ME-related mischief or do I have a fundamental > misunderstanding? It doesn't seem possible otherwise to get the type of > processing power you're looking for in a laptop form-factor. Well, the Dell XPS was enough processing power for me. The Business version, the Precision 5510, not only has vPro and TXT, but also supports ECC memory (Xeon E5). Adds another layer of protection (against Rowhammer attacks that can compromise even Qubes), but a) nobody actually makes DDR4-ECC-SODIMM memory that I can find, and b) it's basically another thousand bucks. I also happen to hate 16:9 displays, but I would compromise on that for Qubes' sake. As far as blob-free hardware goes, I unfortunately have to live and work in the world, and therefore need 1) performance and x86-64 architecture, and 2) to not have my computer be a part time job. Guess I'll keep looking. And saving. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0c8be8fb-0982-48f7-8af5-6a44eb52711d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Intel TXT advice
Eric: > On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, tai...@gmx.com > wrote: >> Forgot to say: Purism is just an overpriced quanta/oem whitebox >> laptop, it takes 5mil+ of startup funds to do a small run of *just >> a motherboard* let alone an entire laptop computer including the >> fab for a fancy aluminum case - it is quite obvious that their >> components are not "hand selected" and that they just called up >> some chinese OEM and asked them what they had kicking around. >> >> I can't understand if they are scammers or just really naive, >> Instead of making an OpenPower or ARM laptop and having it be 100% >> libre from the start they instead do the dishonest "you'll go to >> disneyworld one day poor johnny" - If google can't convince intel >> to open up FSP/ME then nobody can - coreboot with FSP is just >> shimboot (black box FSP - 95% of the bios work) >> >> It bothers me quite a lot that they are on the list of approved >> vendors when they are a dishonest company. > > Whoa. Ok, hold on a sec. I did not buy a Purism computer, though not > for those reasons - putting a 28W TDP proc in a 15inch "workstation" > is absurd to me. as is their lack of a screen configuration. I hear > your anger at the gap between what they promise and what they > deliver; I'm more displeased on the hardware side of things (though I > do like HW kill switches. I've looked into what they promise and > understand very well that they don't actually have a very free > computer at all, especially on the bios/firmware side. > > What I actually ordered (and have now cancelled), was a Dell XPS 15". > There is no vPro option in the configure menu, though it does support > VT-d and SLAT. I've read all of Joanna's papers, and understand the > concerns about Intel ME very well. However, on the Dell order, it > claimed "ME Disabled." Perhaps they simply meant that vPro/AMT/TXT > was disabled, and that was mine and Dell's fault for wishful thinking > and false naming, respectively. Please see linked photo: > https://d.pr/Q0YZ > Moral considerations aside, why not buy that Dell and pair it with a portable router/firewall like this (https://www.compulab.co.il/utilite-computer/web/products)? Shouldn't that effectively block out any ME-related mischief or do I have a fundamental misunderstanding? It doesn't seem possible otherwise to get the type of processing power you're looking for in a laptop form-factor. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e9007159-2961-d96f-1c21-9d5e70de6aec%40gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Intel TXT advice
...I had assumed you purchased a purism computer as they are the only ones to have claimed to "disable" ME (entirely not true) I have experience with the dell ordering process, it simply means that in the ME settings menu it is set to "Disabled" which to intel means a different thing than to you and I as it is still quite involved in the boot process and is still lurking in the background. They aren't being dishonest, you just misunderstood what it meant - they provide that notification as many business users like to have it enabled and in one touch configuration mode (ME would have been a really cool feature for corporate IT departments if it was FOSS and located on a physically removable eprom chip) vPro is a marketing term for several corporate manageability features, it is a set of modules that is loaded in to ME for remote access if the license key is available on the system. There are several blob free laptops including: http://makezine.com/2014/01/08/building-an-open-source-laptop/ https://kosagi.com//w/index.php?title=Novena_Main_Page https://www.crowdsupply.com/sutajio-kosagi/novena - finally a crowdfunding project with realistic goals and a quality end result - Ima get me one "jwer...@chromium.org: All Chromebooks based on Nvidia and Rockchip SoCs are 100% FOSS as far as firmware goes (graphics acceleration is a different story, but you can run them with software rendering). (Mediatek Chromebooks are 99.9% FOSS, they just have a tiny power management controller with openly available binary firmware.)"" But no unfortunately you aren't going to get a modern "mobile workstation" type laptop that is blob free - if dell asks why you canceled tell them that you want a blob free non-intel coreboot laptop (the CSR wont know what you are talking about - but it will make you feel better) If you want IOMMU laptop though I am not sure what to tell you at the moment, I suppose the best choice would be an older thinkpad (blobs - but no FSP) that is compatible with coreboot and trammel hudsons ME nerfing project. I guess you could always make your own mobile workstation "laptop" by machining a case and sticking a blob free desktop motherboard in it, kind of like a 1U laptop. I used to like dell, their latitude/precision line was really great (until they started H1B abuse and chasing apple with the thinness obsession at the expense of everything else + bad island chiclet keyboard + fisher price design + lousy 16:9 screen) Whoa. Ok, hold on a sec. I did not buy a Purism computer, though not for those reasons - putting a 28W TDP proc in a 15inch "workstation" is absurd to me. as is their lack of a screen configuration. I hear your anger at the gap between what they promise and what they deliver; I'm more displeased on the hardware side of things (though I do like HW kill switches. I've looked into what they promise and understand very well that they don't actually have a very free computer at all, especially on the bios/firmware side. What I actually ordered (and have now cancelled), was a Dell XPS 15". There is no vPro option in the configure menu, though it does support VT-d and SLAT. I've read all of Joanna's papers, and understand the concerns about Intel ME very well. However, on the Dell order, it claimed "ME Disabled." Perhaps they simply meant that vPro/AMT/TXT was disabled, and that was mine and Dell's fault for wishful thinking and false naming, respectively. Please see linked photo: https://d.pr/Q0YZ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/022f71e1-17fa-771a-c240-8ef1dd026940%40gmx.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Intel TXT advice
On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, tai...@gmx.com wrote: > Forgot to say: > Purism is just an overpriced quanta/oem whitebox laptop, it takes 5mil+ > of startup funds to do a small run of *just a motherboard* let alone an > entire laptop computer including the fab for a fancy aluminum case - it > is quite obvious that their components are not "hand selected" and that > they just called up some chinese OEM and asked them what they had > kicking around. > > I can't understand if they are scammers or just really naive, Instead of > making an OpenPower or ARM laptop and having it be 100% libre from the > start they instead do the dishonest "you'll go to disneyworld one day > poor johnny" - If google can't convince intel to open up FSP/ME then > nobody can - coreboot with FSP is just shimboot (black box FSP - 95% of > the bios work) > > It bothers me quite a lot that they are on the list of approved vendors > when they are a dishonest company. Whoa. Ok, hold on a sec. I did not buy a Purism computer, though not for those reasons - putting a 28W TDP proc in a 15inch "workstation" is absurd to me. as is their lack of a screen configuration. I hear your anger at the gap between what they promise and what they deliver; I'm more displeased on the hardware side of things (though I do like HW kill switches. I've looked into what they promise and understand very well that they don't actually have a very free computer at all, especially on the bios/firmware side. What I actually ordered (and have now cancelled), was a Dell XPS 15". There is no vPro option in the configure menu, though it does support VT-d and SLAT. I've read all of Joanna's papers, and understand the concerns about Intel ME very well. However, on the Dell order, it claimed "ME Disabled." Perhaps they simply meant that vPro/AMT/TXT was disabled, and that was mine and Dell's fault for wishful thinking and false naming, respectively. Please see linked photo: https://d.pr/Q0YZ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/964748e2-f5e9-41ea-9069-2aff75cb3cc0%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Intel TXT advice
Forgot to say: Purism is just an overpriced quanta/oem whitebox laptop, it takes 5mil+ of startup funds to do a small run of *just a motherboard* let alone an entire laptop computer including the fab for a fancy aluminum case - it is quite obvious that their components are not "hand selected" and that they just called up some chinese OEM and asked them what they had kicking around. I can't understand if they are scammers or just really naive, Instead of making an OpenPower or ARM laptop and having it be 100% libre from the start they instead do the dishonest "you'll go to disneyworld one day poor johnny" - If google can't convince intel to open up FSP/ME then nobody can - coreboot with FSP is just shimboot (black box FSP - 95% of the bios work) It bothers me quite a lot that they are on the list of approved vendors when they are a dishonest company. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bbcc0270-0d00-a2ff-7d34-30d7e0d3d345%40gmx.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Intel TXT advice
I am assuming you were one of those people who bought a computer from those purism scammers. https://blogs.coreboot.org/blog/2015/02/23/the-truth-about-purism-why-librem-is-not-the-same-as-libre/ It is impossible to disable (ie, like it was never there, 100% gone) ME on any intel system post 775/771 era, anyone who tells you different is lying. vPro is a marketing term for various ME remote management features that are activated with a vPro license, all intel systems 2006+ have ME. On 11/13/2016 08:36 PM, Eric wrote: On Sunday, November 13, 2016 at 5:01:59 PM UTC-8, entr0py wrote: Eric: Just bought a laptop with a Skylake processor for running Qubes, and from looking around on Intel's website it appears that no Skylake Core-branded processors support Intel TXT. Any point in running Anti-Evil-Maid at this point? Can I use a YubiKey to store hashes of the xen/initramfs and use that for AEM? (probably not, since it's a USB device?) I was just looking around for information on AMT/ME a minute ago. It appears that some Skylake Core i5/i7's do support TXT. (On their website, TXT might fall under the umbrella of vPro.) https://en.wikipedia.org/wiki/List_of_Intel_Core_i5_microprocessors#Skylake_microarchitecture_.286th_generation.29_2 https://en.wikipedia.org/wiki/List_of_Intel_Core_i7_microprocessors#Skylake_microarchitecture_.286th_generation.29_2 Yes, I misspoke. It appears that the processor/chipset on the computer I purchased does not have/support vPro or TXT (though Intel ME is apparently disabled, which is a win, I guess?). So hard to find something that checks all the boxes for me. My threat model currently doesn't include Evil Maids, so I'm probably ok. Shame, though. Hopefully it doesn't close the door on Qubes 4 compatibility. (It does have SLAT and VT-(d/x). -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bd49c406-ef4b-2b4c-a1e7-511335a45066%40gmx.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Intel TXT advice
On Sun, Nov 13, 2016 at 8:36 PM, Eric wrote: > though Intel ME is apparently disabled, which is a win, I guess? You can not "disable" ME. See page 37 of https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABQWM_CF62b2%2BBKvSJHTiDer8wM_eUDge3UYmr14iUhzeVSYug%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Intel TXT advice
> > Yes, I misspoke. It appears that the processor/chipset on the computer I > > purchased does not have/support vPro or TXT (though Intel ME is apparently > > disabled, which is a win, I guess?). So hard to find something that checks > > all the boxes for me. My threat model currently doesn't include Evil Maids, > > so I'm probably ok. Shame, though. Hopefully it doesn't close the door on > > Qubes 4 compatibility. (It does have SLAT and VT-(d/x). > > I hate to point this out now, but AEM is kind of a misnomer. It can > alert you to tampering from *either* physical or remote attacks. So > anyone who wants to guard against a remote exploit that can also priv > escalate against Xen--and from there possibly infect firmware or boot > device--would benefit from using AEM. > > When I last shopped around, I was under the impression that TXT was tied > to AMT/ME/Vpro as a package. Well, that's unfortunate. Guess I'll shop around some more, ask more questions. I know that ThinkPads are popular, as are "business class laptops", but I haven't seen any newer ones being mentioned here (and older laptops are likely to be used, which I'm not a fan of). -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/855d326f-9ccd-4a19-a927-494578c371f1%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Intel TXT advice
On 11/13/2016 08:36 PM, Eric wrote: On Sunday, November 13, 2016 at 5:01:59 PM UTC-8, entr0py wrote: Eric: Just bought a laptop with a Skylake processor for running Qubes, and from looking around on Intel's website it appears that no Skylake Core-branded processors support Intel TXT. Any point in running Anti-Evil-Maid at this point? Can I use a YubiKey to store hashes of the xen/initramfs and use that for AEM? (probably not, since it's a USB device?) I was just looking around for information on AMT/ME a minute ago. It appears that some Skylake Core i5/i7's do support TXT. (On their website, TXT might fall under the umbrella of vPro.) https://en.wikipedia.org/wiki/List_of_Intel_Core_i5_microprocessors#Skylake_microarchitecture_.286th_generation.29_2 https://en.wikipedia.org/wiki/List_of_Intel_Core_i7_microprocessors#Skylake_microarchitecture_.286th_generation.29_2 Yes, I misspoke. It appears that the processor/chipset on the computer I purchased does not have/support vPro or TXT (though Intel ME is apparently disabled, which is a win, I guess?). So hard to find something that checks all the boxes for me. My threat model currently doesn't include Evil Maids, so I'm probably ok. Shame, though. Hopefully it doesn't close the door on Qubes 4 compatibility. (It does have SLAT and VT-(d/x). I hate to point this out now, but AEM is kind of a misnomer. It can alert you to tampering from *either* physical or remote attacks. So anyone who wants to guard against a remote exploit that can also priv escalate against Xen--and from there possibly infect firmware or boot device--would benefit from using AEM. When I last shopped around, I was under the impression that TXT was tied to AMT/ME/Vpro as a package. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b2cf9650-6292-dd13-1a22-aad60ecb8d9f%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Intel TXT advice
On Sunday, November 13, 2016 at 5:01:59 PM UTC-8, entr0py wrote: > Eric: > > Just bought a laptop with a Skylake processor for running Qubes, and from > > looking around on Intel's website it appears that no Skylake Core-branded > > processors support Intel TXT. Any point in running Anti-Evil-Maid at this > > point? Can I use a YubiKey to store hashes of the xen/initramfs and use > > that for AEM? (probably not, since it's a USB device?) > > > > I was just looking around for information on AMT/ME a minute ago. It appears > that some Skylake Core i5/i7's do support TXT. (On their website, TXT might > fall under the umbrella of vPro.) > > https://en.wikipedia.org/wiki/List_of_Intel_Core_i5_microprocessors#Skylake_microarchitecture_.286th_generation.29_2 > https://en.wikipedia.org/wiki/List_of_Intel_Core_i7_microprocessors#Skylake_microarchitecture_.286th_generation.29_2 Yes, I misspoke. It appears that the processor/chipset on the computer I purchased does not have/support vPro or TXT (though Intel ME is apparently disabled, which is a win, I guess?). So hard to find something that checks all the boxes for me. My threat model currently doesn't include Evil Maids, so I'm probably ok. Shame, though. Hopefully it doesn't close the door on Qubes 4 compatibility. (It does have SLAT and VT-(d/x). -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/44d7026d-e620-487d-a566-eca62d5a278f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Intel TXT advice
Eric: > On Tuesday, February 23, 2016 at 1:54:30 AM UTC-8, Marek Marczykowski-Górecki > wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA256 >> >> On Tue, Feb 23, 2016 at 04:11:55AM +, Rusty Bird wrote: >>> marmarek: On Mon, Feb 22, 2016 at 08:52:43PM +, Rusty Bird wrote: > Though even now it should be possible to use AEM without TXT? > Just don't install the SINIT blob, in which case *only* the LUKS > header(s) would be protected by the TPM. But not having xen/kernel/initrd measured means AEM is pretty useless. The whole purpose is to verify the thing that prompt you for LUKS passphrase. Without such measurement you'll have no way to really know if those binaries were even loaded from your USB stick (and not from some additional one plugged in by the attacker, for example). >>> >>> If the order is fixed, i.e. USB before SATA, and you don't see another >>> USB drive sticking into the notebook you left at home, then the part in >>> parentheses wouldn't apply? >> >> It is easy enough to hide USB device inside the USB socket itself (those >> devices are small these days). Or inside your notebook (for example >> instead of bluetooth card, which is also USB device in most cases). >> >> Some more sophisticated attack would be installing some "USB proxy" in >> USB socket. Which would hijack only initramfs reads. You'll not see >> any additional USB device in the system in that case. >> Such replaced initrd script can present still unmodified LUKS header to TPM, unseal the secret, show it to you, then record LUKS passphrase. >>> >>> But Xen/kernel/initrd are on the AEM stick you take with you, so the >>> attacker would have to modify the BIOS. In which case TXT wouldn't help >>> much, because a BIOS rootkit can effectively hide itself from TXT if I >>> understand Joanna right. >> >> But attack hidden from TXT is much more complex than attack simply >> changing boot order. It all depends on your threat model. >> > If a per-boot BIOS password has been set, maybe this kind of > setup is even sort of reasonable? You are joking, aren't you? >>> >>> Not really. If these assumptions are correct: >>> >>> 1. a BIOS rootkit can hide itself from TXT; >>> 2. an attacker who can boot their own medium can, more and more >>>probably, also persist such a rootkit in the BIOS; >>> 3. there are no BIOS master password lists anymore (are there?), >>>or other easy password prompt bypasses (are option ROMs loaded >>>early enough from ExpressCards?); >> >> I wouldn't rely on BIOS password protection. It failed so many times >> in the history, so I can't assume that magically now BIOS vendors >> learned how to do it properly. >> >>> then it seems to me that a per-boot BIOS password without TXT could work >>> out better than the converse, TXT without a PBBP. Not to say that both >>> together aren't best though! >>> >>> AEM protecting the LUKS header would still be (barely) worthwhile >>> without TXT, if it's easier / faster / less conspicuous for the attacker >>> to take out the HDD and rewrite a few blocks than to infect the BIOS. >>> >>> (BTW Marek, regarding VM random seeds: Have you considered somehow >>> harnessing whatever it is that Thunderbird+Enigmail use to place line >>> breaks in my mails after I hit send) > > Just bought a laptop with a Skylake processor for running Qubes, and from > looking around on Intel's website it appears that no Skylake Core-branded > processors support Intel TXT. Any point in running Anti-Evil-Maid at this > point? Can I use a YubiKey to store hashes of the xen/initramfs and use that > for AEM? (probably not, since it's a USB device?) > I was just looking around for information on AMT/ME a minute ago. It appears that some Skylake Core i5/i7's do support TXT. (On their website, TXT might fall under the umbrella of vPro.) https://en.wikipedia.org/wiki/List_of_Intel_Core_i5_microprocessors#Skylake_microarchitecture_.286th_generation.29_2 https://en.wikipedia.org/wiki/List_of_Intel_Core_i7_microprocessors#Skylake_microarchitecture_.286th_generation.29_2 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b9cd97d6-0b62-01bd-1f3f-256fa6f029e6%40gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Intel TXT advice
On Tuesday, February 23, 2016 at 1:54:30 AM UTC-8, Marek Marczykowski-Górecki wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > On Tue, Feb 23, 2016 at 04:11:55AM +, Rusty Bird wrote: > > marmarek: > > > On Mon, Feb 22, 2016 at 08:52:43PM +, Rusty Bird wrote: > > >> Though even now it should be possible to use AEM without TXT? > > >> Just don't install the SINIT blob, in which case *only* the LUKS > > >> header(s) would be protected by the TPM. > > > > > > But not having xen/kernel/initrd measured means AEM is pretty > > > useless. The whole purpose is to verify the thing that prompt you > > > for LUKS passphrase. Without such measurement you'll have no way > > > to really know if those binaries were even loaded from your USB > > > stick (and not from some additional one plugged in by the attacker, > > > for example). > > > > If the order is fixed, i.e. USB before SATA, and you don't see another > > USB drive sticking into the notebook you left at home, then the part in > > parentheses wouldn't apply? > > It is easy enough to hide USB device inside the USB socket itself (those > devices are small these days). Or inside your notebook (for example > instead of bluetooth card, which is also USB device in most cases). > > Some more sophisticated attack would be installing some "USB proxy" in > USB socket. Which would hijack only initramfs reads. You'll not see > any additional USB device in the system in that case. > > > > Such replaced initrd script can present still unmodified LUKS > > > header to TPM, unseal the secret, show it to you, then record LUKS > > > passphrase. > > > > But Xen/kernel/initrd are on the AEM stick you take with you, so the > > attacker would have to modify the BIOS. In which case TXT wouldn't help > > much, because a BIOS rootkit can effectively hide itself from TXT if I > > understand Joanna right. > > But attack hidden from TXT is much more complex than attack simply > changing boot order. It all depends on your threat model. > > > >> If a per-boot BIOS password has been set, maybe this kind of > > >> setup is even sort of reasonable? > > > > > > You are joking, aren't you? > > > > Not really. If these assumptions are correct: > > > > 1. a BIOS rootkit can hide itself from TXT; > > 2. an attacker who can boot their own medium can, more and more > >probably, also persist such a rootkit in the BIOS; > > 3. there are no BIOS master password lists anymore (are there?), > >or other easy password prompt bypasses (are option ROMs loaded > >early enough from ExpressCards?); > > I wouldn't rely on BIOS password protection. It failed so many times > in the history, so I can't assume that magically now BIOS vendors > learned how to do it properly. > > > then it seems to me that a per-boot BIOS password without TXT could work > > out better than the converse, TXT without a PBBP. Not to say that both > > together aren't best though! > > > > AEM protecting the LUKS header would still be (barely) worthwhile > > without TXT, if it's easier / faster / less conspicuous for the attacker > > to take out the HDD and rewrite a few blocks than to infect the BIOS. > > > > (BTW Marek, regarding VM random seeds: Have you considered somehow > > harnessing whatever it is that Thunderbird+Enigmail use to place line > > breaks in my mails after I hit send) Just bought a laptop with a Skylake processor for running Qubes, and from looking around on Intel's website it appears that no Skylake Core-branded processors support Intel TXT. Any point in running Anti-Evil-Maid at this point? Can I use a YubiKey to store hashes of the xen/initramfs and use that for AEM? (probably not, since it's a USB device?) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1f4c2d7c-e25c-4143-b988-fb3a72acf4b2%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.