what is the laptop the Qubes OS developers are using?

[Revi wilan]

Hello :D

After a lot of research I still can't find the ideal laptop to install the latest version of Qubes OS...
my requirements : high performances + security + compatibility hardware (if possible libre / open-source hardware) + trusted constructor = laptop not found
Finally, I chose the solution that seems the most logical for me is to buy the same hardware used by the developers of the OS (while waiting for a certified laptop or a Librem 13vXX in 2020 if good improvements).

* I read on another forum that several developers were using the Lenovo ThinkPad X1 Carbon laptop (5th Gen). Is that true ? If yes, what is the exact reference (or details of the specifications) ?

* Do you have any information about future partnerships with manufacturers ? Will you soon have 100% certified laptops for OS cubes ?

I'm open to all your advice regarding the "ideal laptop" ^^
Thanks for your help !

[lords...@gmail.com]

Maybe look at github discussion, I remember something there! :)

[799]

Hello,

On Friday, June 22, 2018 at 4:23:03 PM UTC+2, Revi wilan wrote:
> After a lot of research I still can't find the ideal laptop to install the latest version of Qubes OS...

> my requirements : high performances + security +  compatibility hardware (if possible libre / open-source hardware) + trusted constructor = laptop not founifd

regarding your requirements:

high performances:

What does this mean for you, how much Cores or Core x GHz is enough performance for you?

I own a Quadcore Core i7 Lenovo W540 with 32GB RAM and I am still mostly working with my X230 with a 2-Core i7 and 16GB RAM.

Main reason: I do not feel that much performance gain and having Coreboot and lots of battery runtime with the X230 Slice battery pack is much more important to me.

If you want to work mobile, a high perfomance laptop will only last hald of the day, likely even less

security:

what does this include? If you want to run Libreboot or Coreboot, your choice are (very) limited.

trusted constructor:

as the core components are all build from the same companies and there is so much firmware involved.

 

> Finally, I chose the solution that seems the most logical for me is to buy the same hardware used by the developers of the OS
(while waiting for a certified laptop or a Librem 13vXX in 2020 if good improvements).

Switching to Qubes made me to look through lots of documents and postings and have chosen the hardware I felt reasonable secure with.

I think it is even dangerous to trust some certifications as you need to think about what are the most likely attack vectors in your specific use case.

I would recommend looking at the Lenovo X230:

up to Core i7 2 Cores

excellent battery runtime

docking station

reasonable price

coreboot'able

(799)

[Chris Laprise]

Hi...

The hardware compatibility list has a reference to the X1 Carbon from a
developer:

https://www.qubes-os.org/hcl/#lenovo_thinkpad-x1-carbon-g5-20hrs11400_i7-7600u_kaby-lake_hd-graphics


Here is the background data for that entry:

https://github.com/tasket/qubes-hcl/blob/master/LENOVO-20HRS11400-20171216-082521.yml


And the related discussion:

https://groups.google.com/d/msgid/qubes-users/20171216005409.GH1935%40mail-itl


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

[Tai...@gmx.com]

On 06/22/2018 10:22 AM, 'Revi wilan' via qubes-users wrote:

> Hello :D
>
> After a lot of research I still can't find the ideal laptop to install the latest version of Qubes OS...
> my requirements : high performances + security + compatibility hardware (if possible libre / open-source hardware) + trusted constructor = laptop not found

BTW compliments on not using shitty google spyware gmail.

Your best option is the G505S running coreboot - many people use it here
with qubes 4.0 (just gotta follow special instructions to install the
microcode update in coreboot otherwise it WONT WORK - and make sure you
get not just the normal update but the spectre update)

G505S has No ME/PSP, it has open source cpu/ram init via coreboot, in
terms of blobs there is a blobbed ec, power control and vga but possible
to remove as it is owner controlled[1] and IOMMU protects you from them.

[1] Owner controlled means no hardware code signing enforcement as in
you can do whatever you want with your laptop.

I would be more than happy to assist you, there are also a few options
for a 100% libre firmware workstation (eX: KGPE-D16 and KCMA-D8) that
runs qubes 4.0 great. I also suggest looking in to the TALOS 2 (a
legitimately open source workstation) discussion if you are interested
in technical discussions or if you also need something for your
non-qubes virtualization needs you can get one now for less money than a
slower and non-free intel/amd x86 junk.

If you want *new* hardware with real freedom the only choice is POWER
and *some* ARM but unfortunately those don't run qubes/xen at the moment
you would have to use another hypervisor.

x86 is dead freedomwise - purism is lying - even google the billion
dollar company can't convince intel to open source ME/FSP.

> Finally, I chose the solution that seems the most logical for me is to buy the same hardware used by the developers of the OS (while waiting for a certified laptop or a Librem 13vXX in 2020 if good improvements).

Despite the name the "Librem" laptops are NOT libre, their hardware init
is entirely blobbed via the FSP and their ME still requires a blob and
kernel init as disabling ME is impossible - these days "coreboot"
doesn't really mean open source firmware.

>
> * I read on another forum that several developers were using the Lenovo ThinkPad X1 Carbon laptop (5th Gen). Is that true ? If yes, what is the exact reference (or details of the specifications)

There is no open source firmware available for that laptop and it is
impossible to make it.

In terms of an open source modern fast laptop your only choice is making
one with POWER which if the TALOS 2 open source workstation (it is
legitimately open source) project is very successful they will
eventually make one.

[cooloutac]

pretty sure they use thinkpads. check hcl list for most compatible one.

[Revi wilan]

Thank you all for your advice and information.

@[ 799 ]

> regarding your requirements:

> 

> high performances:

> What does this mean for you, how much Cores or Core x GHz is enough performance for you?

By high performance I mean a configuration like : 

        (ideally)

• CPU : 4 Cores, 8 Threads, @4.2GHz (like i7-7700K)  / or more
• RAM : 16 / 32 GB
• Storage : 1 TB Solid State Drive PCIe-NVME
• Graphics : Intel UHD Graphics 620 (I don't need more)

> Main reason: I do not feel that much performance gain and having Coreboot and lots of battery runtime with the X230 Slice battery pack is much more important to me.

> If you want to work mobile, a high perfomance laptop will only last hald of the day, likely even less

Yes I understand, battery life is not a priority for me so it's not a problem. However I am ready to lose performance to gain "security" / "Freedom".

> security:

> what does this include? If you want to run Libreboot or Coreboot, your choice are (very) limited.

By security I mean :

        (ideally)

• Hardware Kill Switches (Wireless / Bluetooth / Camera / Microphone)
• Sliding Webcam Cover
• can run Libreboot or Coreboot
• most libre / open-source hardware components and firmware

> I would recommend looking at the Lenovo X230

Thank you for your recommendation.

I keep the idea aside because there is a good compromise between performance and battery life

@Taiidan

Thank you for your various recommendations :D !

> Your best option is the G505S running coreboot - many people use it here

> with qubes 4.0 (just gotta follow special instructions to install the

> microcode update in coreboot otherwise it WONT WORK - and make sure you

> get not just the normal update but the spectre update)

> 

> G505S has No ME/PSP, it has open source cpu/ram init via coreboot, in

> terms of blobs there is a blobbed ec, power control and vga but possible

> to remove as it is owner controlled[1] and IOMMU protects you from them.

> 

> [1] Owner controlled means no hardware code signing enforcement as in

> you can do whatever you want with your laptop.

Indeed the G505S has many advantages and interests me (thanks for the description of the steps to carry out to have the best possible freedom).

However I would have liked the same type of computer with newer hardware and higher performance.

> I would be more than happy to assist you

thank you for your help and your time !

> I also suggest looking in to the TALOS 2 (a

> legitimately open source workstation)

I did not know this workstation and I am happy that such a project exists and that moreover has much success :D

In the future I'm thinking of buying the "Talos II Secure Workstation" (TL2WK2)

> If you want *new* hardware with real freedom the only choice is POWER

> and *some* ARM but unfortunately those don't run qubes/xen at the moment

> you would have to use another hypervisor.

> In terms of an open source modern fast laptop your only choice is making

> one with POWER

Yes I am strongly interested in recent hardware and a maximum freedom.

I'm sorry, but I don't understand what the term "POWER" refers to =S 

Can you explain me plz ?

---

[pixel fairy]

xen on ppc is dead. one could ressurect this project, but i suspect there are good reasons it was abandoned. its not like its hard to find used macs on ebay.

it would be easier to port qubes to kvm https://www.linux-kvm.org/page/PowerPC

you could do most of the work on cheap x86 hardware before spending the time and money on the expensive stuff.

[Tai...@gmx.com]

On 06/26/2018 03:40 PM, pixel fairy wrote:
> xen on ppc is dead. one could ressurect this project, but i suspect there are good reasons it was abandoned. its not like its hard to find used macs on ebay.

There weren't "good reasons" just lack of people wanting to do it.

Also we're talking about POWER not ppc (powerpc), they're much different
from the CPU's on the older macs...

>
> it would be easier to port qubes to kvm https://www.linux-kvm.org/page/PowerPC
>
> you could do most of the work on cheap x86 hardware before spending the time and money on the expensive stuff.

The TALOS 2 Lite costs less than equivilant server class x86 hardware.

[Tai...@gmx.com]

On 06/26/2018 11:12 AM, Revi wilan wrote:
> Thank you all for your advice and information.
>
> @[ 799 ]
>
>> regarding your requirements:
>>  
>> high performances:
>> What does this mean for you, how much Cores or Core x GHz is enough performance for you?
>
> By high performance I mean a configuration like : 
>
>         (ideally)

> CPU : 4 Cores, 8 Threads, @4.2GHz (like i7-7700K)  / or moreRAM : 16 / 32 GBStorage : 1 TB Solid State Drive PCIe-NVMEGraphics : Intel UHD Graphics 620 (I don't need more)

FYI HT now introduces a security issue - also that cpu is a desktop model.

>
>> Main reason: I do not feel that much performance gain and having Coreboot and lots of battery runtime with the X230 Slice battery pack is much more important to me.
>> If you want to work mobile, a high perfomance laptop will only last hald of the day, likely even less
>
> Yes I understand, battery life is not a priority for me so it's not a problem. However I am ready to lose performance to gain "security" / "Freedom".

The g505s has better battery life as AMD's cpus didn't have their
performance ruined by the spectre fixes.

>
>> security:
>> what does this include? If you want to run Libreboot or Coreboot, your choice are (very) limited.
>
> By security I mean :
>
>         (ideally)

> Hardware Kill Switches (Wireless / Bluetooth / Camera / Microphone)Sliding Webcam Covercan run Libreboot or Corebootmost libre / open-source hardware components and firmware

Hardware kill switches are gimmicks - data can easily be cached until
transmission is available moreso with the binary blobbed firmware and
still-has-ME boards that the purism frauds use.

In terms of mics and webcams I would suggest removing them entirely - if
you really need one then you should use an external model so it there
are no "oops I forgot to shut it off" moments as it is obvious whether
if it is plugged in or not.

>
>> I would recommend looking at the Lenovo X230

Unfortunately it has ME whereas the g505s has no black box supervisor
processor neither ME or PSP thus making it owner controlled.

As always ME can't be disabled - it can only be nerfed - the ME kernel
still runs and not providing it will result in the computer shutting off
after 30 minutes HAP bit or no.

Although the *20 and *30 laptops have ExpressCard so you can use an EGPU
and maybe play games in a VM or what not.

>
> Thank you for your recommendation.
> I keep the idea aside because there is a good compromise between performance and battery life
>
> @Taiidan
>
> Thank you for your various recommendations :D !
>
>> Your best option is the G505S running coreboot - many people use it here
>> with qubes 4.0 (just gotta follow special instructions to install the
>> microcode update in coreboot otherwise it WONT WORK - and make sure you
>> get not just the normal update but the spectre update)
>>  
>> G505S has No ME/PSP, it has open source cpu/ram init via coreboot, in
>> terms of blobs there is a blobbed ec, power control and vga but possible
>> to remove as it is owner controlled[1] and IOMMU protects you from them.
>>  
>> [1] Owner controlled means no hardware code signing enforcement as in
>> you can do whatever you want with your laptop.
>
> Indeed the G505S has many advantages and interests me (thanks for the description of the steps to carry out to have the best possible freedom).
> However I would have liked the same type of computer with newer hardware and higher performance.

It is the last and best freedom choice - like I said the newer x86 stuff
can't ever be made owner controlled.

I am sure you will be satisfied with the performance level - many people
on the list are just make sure you get the best A10 model so you get a
quad core CPU otherwise you would have to upgrade your CPU. There is a
lot of info on the qubes list and coreboot list about the g505s and you
should have a look.

The x230 has ME and is slower only dual core, I also doubt you would be
satisfied with the dual core I know I am not with mine and I will be
getting an A10 quad core g505s soon.

>
>> I would be more than happy to assist you
>
> thank you for your help and your time !
>
>> I also suggest looking in to the TALOS 2 (a
>> legitimately open source workstation)
>
> I did not know this workstation and I am happy that such a project exists and that moreover has much success :D
> In the future I'm thinking of buying the "Talos II Secure Workstation" (TL2WK2)

The new talos 2 lite model is very affordable, freedom now costs less
and is faster than x86 locked in proprietary ME/PSP junk. It is a good
choice for non-qubes virt.

>
>> If you want *new* hardware with real freedom the only choice is POWER
>> and *some* ARM but unfortunately those don't run qubes/xen at the moment
>> you would have to use another hypervisor.
>
>> In terms of an open source modern fast laptop your only choice is making
>> one with POWER
>
> Yes I am strongly interested in recent hardware and a maximum freedom.
> I'm sorry, but I don't understand what the term "POWER" refers to =S 
> Can you explain me plz ?
>

POWER, ARM, x86 are all different CPU architectures.

Just get a g505s - I am sure you will be satisfied and I can help you
install coreboot.

[Tai...@gmx.com]

What are your needs anyways? maybe you should get both a desktop and a
laptop? a 7700K is a beefy CPU and if you need that much you won't be
satisfied by any laptop.

I can suggest several legitimately libre workstation choices including
some that run qubes such as the KGPE-D16 (32 cores max, 192GB) and
KCMA-D8 (16 cores max, 128GB) with a good CPU both can play new games at
max in a VM with a good graphics card attached to it. although of course
if you want it as a server and don't want to run qubes the TALOS 2 Lite
is a less expensive choice assuming you are willing to run POWER.

[Chris Laprise]

On 07/01/2018 10:38 AM, Tai...@gmx.com wrote:
> On 06/26/2018 11:12 AM, Revi wilan wrote:
>> By security I mean :
>>
>>         (ideally)
>> Hardware Kill Switches (Wireless / Bluetooth / Camera / Microphone)Sliding Webcam Covercan run Libreboot or Corebootmost libre / open-source hardware components and firmware
>
> Hardware kill switches are gimmicks - data can easily be cached until
> transmission is available moreso with the binary blobbed firmware and
> still-has-ME boards that the purism frauds use.
>
> In terms of mics and webcams I would suggest removing them entirely - if
> you really need one then you should use an external model so it there
> are no "oops I forgot to shut it off" moments as it is obvious whether
> if it is plugged in or not.

Un-converging popular sensing and radio link devices just creates a
re-hash of the Palm Pilot era. No one wants to carry bags of junk around
with their mobile device. And with power on/off, this is a fundamental
question of control over the device.

An unobtrusive and powerful combination of switches is:

1. System power

2. Sensors (cams, mics, accel, GPS)

3. Radios


RE: Virtualization, I'm very skeptical of KVM. To me, it looks like a
type-2 hypervisor and thus a security downgrade. Seems inappropriate for
Qubes.

[awokd]

On Sun, July 1, 2018 3:39 pm, Chris Laprise wrote:

> RE: Virtualization, I'm very skeptical of KVM. To me, it looks like a
> type-2 hypervisor and thus a security downgrade. Seems inappropriate for
> Qubes.

I've heard it compared to a "1.5" hypervisor. IIUC, it would be like Xen's
dom0 handling the boot process. The actual virtualization related calls
are still bare metal in both. Doesn't seem like there's any way with KVM
to match the device model (or dom0?) isolation Qubes takes advantage of in
Xen.

[airele...@tutanota.com]

1. Jul 2018 14:38 by Tai...@gmx.com:

As always ME can't be disabled - it can only be nerfed - the ME kernel
still runs and not providing it will result in the computer shutting off
after 30 minutes HAP bit or no.

MECleaner removes the kernel component in pre-Skylake ME firmware, according to https://github.com/corna/me_cleaner/blob/master/README.md

So from a firmware perspective I think an ME-cleaned, corebooted Ivy bridge laptop (x230/T430/T530/W530 etc...) is a step up from Purism / other newer laptops.

The T530/W530 comes in a quad-core configuration that is roughly 2x as fast as the G505s, per-core - really useful for Qubes as things like video / graphics relies on CPU instead of GPU. The W530 supports 32 GB of RAM. Both have a 1920x1080 display option.

[Franz]

On Sun, Jun 24, 2018 at 4:05 PM, Tai...@gmx.com <Tai...@gmx.com> wrote:

On 06/22/2018 10:22 AM, 'Revi wilan' via qubes-users wrote:
> Hello :D
>
> After a lot of research I still can't find the ideal laptop to install the latest version of Qubes OS...
> my requirements : high performances + security +  compatibility hardware (if possible libre / open-source hardware) + trusted constructor = laptop not found

BTW compliments on not using shitty google spyware gmail.

Your best option is the G505S running coreboot - many people use it here
with qubes 4.0 (just gotta follow special instructions to install the
microcode update in coreboot otherwise it WONT WORK - and make sure you
get not just the normal update but the spectre update)

G505S has No ME/PSP, it has open source cpu/ram init via coreboot, in
terms of blobs there is a blobbed ec, power control and vga but possible
to remove as it is owner controlled[1] and IOMMU protects you from them.

[1] Owner controlled means no hardware code signing enforcement as in
you can do whatever you want with your laptop.

@Taiidan

I do not understand why you keep advising to buy G505S, when it is out of production and it is impossible to find one new.

For me a used laptop is a no way.  First the hardware cannot be as reliable as a new one, but even more important you cannot know what the previous owner has done with it, perhaps installing any sort of compromised applications that may have compromised various firmwares independent from BIOS, such as USB controllers, video card, etc

So which is the point of getting mad trying to install coreboot if you cannot control all the other firmwares inside?

Best

Fran

[airele...@tutanota.com]

@Taiidan

I do not understand why you keep advising to buy G505S, when it is out of production and it is impossible to find one new.

For me a used laptop is a no way. 

 

Not Taiidan, but...

I think newer = more locked down.

ME firmware has become progressively harder to remove (GM45 = complete removal possible; post-Nehalem  = can remove ME kernel and almost all modules; post-Skylake = cannot remove ME kernel).

Post-Haswell, I think you cannot replace the BIOS on post-Haswell laptops due to hardware signing?

So for me, newer = new and improved locks = more of the TCB is not owner-controlled.

First the hardware cannot be as reliable as a new one, but even more important you cannot know what the previous owner has done with it, perhaps installing any sort of compromised applications that may have compromised various firmwares independent from BIOS, such as USB controllers, video card, etc

So which is the point of getting mad trying to install coreboot if you cannot control all the other firmwares inside?

I think this risk is mitigated by:

a) after buying the used laptop, you'll be replacing many hardware components anyway (like hard drive, wireless card)

b) My understanding is that Qubes provides protection against the remaining firmware, like in USB controllers, video card

Meanwhile the act of flashing coreboot = replaces/nerfs some very privileged firmware, firmware that Qubes specifically provides no protection against - BIOS and ME.

[Franz]

On Sun, Jul 1, 2018 at 10:08 PM, <airele...@tutanota.com> wrote:

@Taiidan

I do not understand why you keep advising to buy G505S, when it is out of production and it is impossible to find one new.

For me a used laptop is a no way. 

 

Not Taiidan, but...

I think newer = more locked down.

ME firmware has become progressively harder to remove (GM45 = complete removal possible; post-Nehalem  = can remove ME kernel and almost all modules; post-Skylake = cannot remove ME kernel).

Post-Haswell, I think you cannot replace the BIOS on post-Haswell laptops due to hardware signing?

So for me, newer = new and improved locks = more of the TCB is not owner-controlled.

First the hardware cannot be as reliable as a new one, but even more important you cannot know what the previous owner has done with it, perhaps installing any sort of compromised applications that may have compromised various firmwares independent from BIOS, such as USB controllers, video card, etc

So which is the point of getting mad trying to install coreboot if you cannot control all the other firmwares inside?

I think this risk is mitigated by:

a) after buying the used laptop, you'll be replacing many hardware components anyway (like hard drive, wireless card)

The hard drive yes, but as far as I rememeber in the  Lenovo laptops I opened the wireless card was directly on the motherboard, only the bluetooth card was separated. Does G505S have a separate wireless card?  The ethernet card also is on the motherboard as well as the express card if G505s has one. The audio card, and the battery pilot also are on the motherboard. I mean this matter is so complicated and it is so difficult to find reliable information that I'll never be sure it can be reasonably secure.

b) My understanding is that Qubes provides protection against the remaining firmware, like in USB controllers, video card

Rather than protection it provides separation: you plug an uncompromised USB hard drive into a compromised USB controller and it goes to sys-usb in total direct contact with the controller. Regarding the video card in Qubes 3.2 it is in contact with dom0, but I understand that with 4.0 the architecture changed. 

Meanwhile the act of flashing coreboot = replaces/nerfs some very privileged firmware, firmware that Qubes specifically provides no protection against - BIOS and ME.

Yes that is true.

[a.mc...@yandex.com]

Hi,
So are you saying that W530 does support Libreboot? I mean: Libreboot does support W530? That's a good news, cause I have one. I like this laptop, it has nice proc, and I'd like to improve it further with good SSD and maximum memory.

[Drew White]

Try a full blown laptop.

Love to know if this one and their new ones due out soon would work perfectly..

https://www.evga.com/products/product.aspx?pn=516-34-1833-T1

[airele...@tutanota.com]

1. Jul 2018 04:47 by 169...@gmail.com:

I think this risk is mitigated by:

a) after buying the used laptop, you'll be replacing many hardware components anyway (like hard drive, wireless card)

The hard drive yes, but as far as I remember in the  Lenovo laptops I opened the wireless card was directly on the motherboard, only the bluetooth card

I don't know about the consumer G505S, but for the business Thinkpad line, you can replace the Intel wifi card with an Atheros one (after flashing coreboot, which removes Lenovo's BIOS whitelist).

2. Jul 2018 05:05 by a.mc...@yandex.com:

So are you saying that W530 does support Libreboot?

Support for W530 was recently added to Coreboot: https://review.coreboot.org/#/c/coreboot/+/26136

Libreboot only supports gm45-era thinkpads, because they can be 100% blob-free. Their CPUs are to old to meet Qubes R4.0 requirements.

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Exactly - two main missing features in KVM are:
- isolating device model (qemu) from the host system, or running
without it at all
- non-dom0 backends - for example direct VM-VM network tunnel,
without mediating it through the host system; AFAIK this is
architectural problem, as virtio protocol assumes the backend have full
access VM's memory

It is possible to work around both problems, but with great security
sacrifice.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAls6aMYACgkQ24/THMrX
1yzfsQgAlGgTA7UKC1+AHRCBGcYKqBq/shhQyKvpT8S5rut+9KM6TKcpBQ0dGiOV
ZtECQ2fn+9/BQLU5/nqcmD5CV4cPB1cSPcOCqKl8hJw3FL+0pHqpEBBDTFutgk2U
F9CSPyib2ro5qveWKx8xFmv9Z632xHQ2jQ5Cd15crMHcUTQgvD4q3aOlDijFFpbB
vtP1/+uifELd4r70J2auOUtX/Zfvn6/DYOaVF7Gqs0TdxaopdbR0iHJNs0j5x8KZ
1WmIAQe/HPxZT+UNuhdLBK1AfTqD/3NJP5ZKf3vAObqH8iXR4RzFKOBJjVTLBHfz
DnToEHI18wEl7hxImrNp4oka7tKkbg==
=gw0v
-----END PGP SIGNATURE-----

[Tai...@gmx.com]

On 07/02/2018 02:02 PM, Marek Marczykowski-Górecki wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Sun, Jul 01, 2018 at 04:08:05PM -0000, 'awokd' via qubes-users wrote:
>> On Sun, July 1, 2018 3:39 pm, Chris Laprise wrote:
>>
>>> RE: Virtualization, I'm very skeptical of KVM. To me, it looks like a
>>> type-2 hypervisor and thus a security downgrade. Seems inappropriate for
>>> Qubes.
>>
>> I've heard it compared to a "1.5" hypervisor. IIUC, it would be like Xen's
>> dom0 handling the boot process. The actual virtualization related calls
>> are still bare metal in both. Doesn't seem like there's any way with KVM
>> to match the device model (or dom0?) isolation Qubes takes advantage of in
>> Xen.
>
> Exactly - two main missing features in KVM are:

> - isolating device model (qemu) from the host system,or running
> without it at all

Some degree of isolation of qemu is possible with AppArmor which I have
enabled on my non-qubes virtualization computer which I use for playing
games in a VM and various other things.

> - non-dom0 backends - for example direct VM-VM network tunnel,
> without mediating it through the host system; AFAIK this is
> architectural problem, as virtio protocol assumes the backend have full
> access VM's memory
>
> It is possible to work around both problems, but with great security
> sacrifice.

I would say that it is a worthwhile sacrifice if the other choice is
being stuck with a ME'ed and blobbed machine - versus having a POWER9
system such as the owner controlled open source firmware TALOS 2 - which
now is available in a much less expensive single socket version the
"TALOS 2 Lite" which costs much less than an equivilant closed/blobbed
x86 system.

IBM has been surprisingly chill with releasing documentation and taking
suggestions from raptor engineering in terms of making things more open
- apparently they also assisted with bringing the T2 to life.

Xen really needs a POWER port and I am suprised IBM hasn't done so on
their own yet.

There will need to be qubes for POWER sooner rather than later as the
supply of libre firmware x86 motherboards is dwindling very quickly -
the KGPE-D16 and KCMA-D8 are no longer in production and are much slower
than a TALOS 2 system of equivilant price.

[Tai...@gmx.com]

On 07/01/2018 07:02 PM, Franz wrote:
> @Taiidan
>
> I do not understand why you keep advising to buy G505S, when it is out of
> production and it is impossible to find one new.

It is the last and best owner controlled x86 laptop and you can easily
find replacement surface parts like keyboard armrest etc to make it look
like new.

Intel stuff has ME and newer AMD stuff has PSP whereas the g505s is a
pre-PSP laptop.

Tell me what is better and just as free for x86 IOMMU laptops? nothing.

BTW anyone who wants to get one make sure you get the good A10 quad core
version not the shitty dual core A8 or what not.

> For me a used laptop is a no way. First the hardware cannot be as reliable
> as a new one

Wrong - you can easily re-flash all the firmware including the EC.

> but even more important you cannot know what the previous
> owner has done with it, perhaps installing any sort of compromised
> applications that may have compromised various firmwares independent from
> BIOS, such as USB controllers, video card, etc

Which is why you install coreboot and re-flash all the other firmware
such as the EC, optical drive, etc.

USB controllers don't have onboard firmware and the VGA firmware on
laptops is loaded in coreboot not from the device.

>
> So which is the point of getting mad trying to install coreboot if you
> cannot control all the other firmwares inside

Again you would re-flash everything but in terms of the one DMA capable
device with blob the VGA binary blob required which as a PCI-e device is
DMA capable - IOMMU would protect the system CPU and memory from
malicious activity which is that it could really do in that situation.

[Tai...@gmx.com]

On 07/01/2018 05:37 PM, airele...@tutanota.com wrote:
>
> 1. Jul 2018 14:38 by Tai...@gmx.com <mailto:Tai...@gmx.com>:

>
>
>> As always ME can't be disabled - it can only be nerfed - the ME kernel
>> still runs and not providing it will result in the computer shutting off
>> after 30 minutes HAP bit or no.
>

> MECleaner removes the kernel component in pre-Skylake ME firmware, according to https://github.com/corna/me_cleaner/blob/master/README.md <https://github.com/corna/me_cleaner/blob/master/README.md>

There is still more than enough code in the BUP etc to do malicious things.

Even if someone there was no blob required at all without the ME chip
physically disconnected there can still be malicious hidden flash chips
or mask ROM's.

>
> So from a firmware perspective I think an ME-cleaned, corebooted Ivy bridge laptop (x230/T430/T530/W530 etc...) is a step up from Purism / other newer laptops.

Yeah they definitely are.

The puri.craptops are absolutely the worst choice around despite being
"new" - as someone would be supporting a dishonest company that sells
you an faux-libre laptop that has entirely blobbed hardware init and a
ME kernel that still runs despite being "disabled" (haha)

No reason to spend that much money on a new shitty device - you could
get a g505s and a TALOS for the same price.

>
> The T530/W530 comes in a quad-core configuration that is roughly 2x as fast as the G505s, per-core - really useful for Qubes as things like video / graphics relies > on CPU instead of GPU. The W530 supports 32 GB of RAM. Both have a 1920x1080 display option>

It is better to purchase the W520 and upgrade to an ivy-bridge cpu as it
has support in coreboot master plus you get a real keyboard not the
crappy chiclet keyboard in the 30 series.

You can play games in a VM on them via an attached expresscard graphics
card and the use of the second usb controller which you assign to the
VM...and if you have lots of money you can even get a PCI-e expansion
system which provides many slots via expresscard xD

On 07/02/2018 01:05 AM, a.mc...@yandex.com wrote:
> Hi,

> So are you saying that W530 does support Libreboot?

The ivybridge/sandybridge laptops don't and can't ever support libreboot
due to not not being owner controlled because of the presence of ME
which again is impossible to disable even with the HAP bit there is
still code running with more than enough capability to do malicious
stuff - they support coreboot without blobs besides the ME blob but that
isn't owner controlled due to the ME hardware enforced code signing. I
would still advise getting a g505s unless you require something not on
the g505s such as expresscard docking station second battery etc which
are present on the ivy/sandy thinkmaxipads.

[Leo Gaspard]

On 07/03/2018 03:02 AM, Marek Marczykowski-Górecki wrote:
> On Sun, Jul 01, 2018 at 04:08:05PM -0000, 'awokd' via qubes-users wrote:
>> On Sun, July 1, 2018 3:39 pm, Chris Laprise wrote:
>
>>> RE: Virtualization, I'm very skeptical of KVM. To me, it looks like a
>>> type-2 hypervisor and thus a security downgrade. Seems inappropriate for
>>> Qubes.
>
>> I've heard it compared to a "1.5" hypervisor. IIUC, it would be like Xen's
>> dom0 handling the boot process. The actual virtualization related calls
>> are still bare metal in both. Doesn't seem like there's any way with KVM
>> to match the device model (or dom0?) isolation Qubes takes advantage of in
>> Xen.
>
> Exactly - two main missing features in KVM are:
> - isolating device model (qemu) from the host system, or running
> without it at all
> - non-dom0 backends - for example direct VM-VM network tunnel,
> without mediating it through the host system; AFAIK this is
> architectural problem, as virtio protocol assumes the backend have full
> access VM's memory
>
> It is possible to work around both problems, but with great security
> sacrifice.

OTOH, Xen puts dom0 in ring 0, while KVM puts dom0 in ring -1.

Which means horizontal privilege escalation are much more dangerous in
Xen than in KVM: full system compromise vs. running VMs compromise.

[awokd]

On Tue, July 3, 2018 11:10 am, 'Leo Gaspard' via qubes-users wrote:

> OTOH, Xen puts dom0 in ring 0, while KVM puts dom0 in ring -1.
>
>
> Which means horizontal privilege escalation are much more dangerous in
> Xen than in KVM: full system compromise vs. running VMs compromise.

That's an interesting trade-off. Have there been any horizontal exploits
in KVM where "dom0" was not affected due to this design (and/or ones in
Xen where dom0 was)? I think the answer to the latter is yes, but they're
relatively rare.

[Leo Gaspard]

If I get a quick look (don't trust anything I say here, and it's just
based on my understanding of the XSA text, and I tl;dr'd most of them)
at a few recent QSB:
* it looks like XSA-260 was one of these, “the debug exception will be
taken after the transition to ring0 is completed” (May 8, 2018)
* XSA-217 and XSA-219 also look like it to me (assuming a guest
wouldn't be allowed to transfer a page to ring -1, which sounds
legitimate) (June 20, 2017)

And I stopped reading after QSB-31 (the one with XSA-21[79]… per chance,
I can only say I had randomly decided to stop at QSB-31 before even
reading).

So that's about 1,5 such vulnerability per year, which sounds like quite
a lot… then, I haven't reviewed KVM's track record during this
timeframe. (as I'm mostly interested in Qubes, not especially in Xen or KVM)

Then, that must be balanced with qemu isolation and non-dom0 backends,
and I can't say which is the worst.

[Chris Laprise]

On 07/02/2018 05:21 PM, Tai...@gmx.com wrote:
> I would say that it is a worthwhile sacrifice if the other choice is
> being stuck with a ME'ed and blobbed machine - versus having a POWER9
> system such as the owner controlled open source firmware TALOS 2 - which
> now is available in a much less expensive single socket version the
> "TALOS 2 Lite" which costs much less than an equivilant closed/blobbed
> x86 system.

It would ruin Qubes' reputation among prospective tech-aware users
because they would see it as just another Linux-based hypervisor. The
only gain would be access to an expensive, big and hot workstation. If
Xen is abandoned that leaves 99.99% of us using Linux+x86, the worst of
both worlds.

I would sooner try porting Qubes to the Magenta microkernel.

[awokd]

On Tue, July 3, 2018 2:39 pm, Chris Laprise wrote:

> gain would be access to an expensive, big and hot workstation. If Xen is

Not arguing your other points and Qubes is critical functionality for me
too, but think this one is a bit off. It's no laptop, sure, but the price
isn't bad for what you get and power at the wall is 70W-120W:
https://www.mail-archive.com/core...@coreboot.org/msg51942.html