Announcement: Toward a Reasonably Secure Laptop


Andrew David Wong

Jul 8, 2017, 10:58:22 PM
to qubes...@googlegroups.com, qubes...@googlegroups.com

Dear Qubes Community,

It's no secret that hardware selection is one of the biggest hurdles Qubes
users face. Finding a computer that is secure, trustworthy, and compatible
is more difficult than it should be. In an effort to address the compatibility
aspect of that problem, we introduced the Qubes-certified laptop
program [1] back in 2015.

So far, only one laptop has been Qubes-certified: the Purism Librem 13v1.
A number of users purchased this laptop comfortable in the knowledge that it
would be compatible with Qubes, and it served them well in that regard.
However, the Librem 13v1 is no longer being manufactured, and the Librem 13v2
has not undergone Qubes-certification (nor has any other laptop yet). This
means that the need for compatible hardware is more pressing than ever.

It's important to remember that Qubes-certification is only about
*compatibility* -- not security, trustworthiness, or anything else. Being
Qubes-certified has always meant that a computer has been tested to
ensure that it runs Qubes OS well -- nothing more, nothing less. But we know
that security-conscious users care about more than just compatibility, which
is why we announced updated requirements for Qubes 4.x certification [2]
last year.

So far, no third-party manufacturers have produced a computer
that satisfies these requirements. However, ITL has entered initial talks with
a promising partner with whom we can foresee creating a true Reasonably Secure
Laptop. Our plan is to introduce a tier-based model of laptop support:

- *Level 0: Qubes Compatible Laptop.* As with the Purism Librem 13v1, this
will be a laptop that comes with no guarantees regarding security or
trustworthiness. We'll guarantee only that the laptop is compatible with
Qubes OS. In practice, a vendor who wishes to introduce a Level 0
laptop will typically have to allow for specific choices regarding the GPU,
Wi-Fi, and Bluetooth modules. The vendor will also have to be willing to
"freeze" the configuration of the laptop for at least one year.

- *Level 1: Qubes Certified Laptop.* In addition to meeting all the
requirements of Level 0, this laptop will also have to conform to our
updated requirements for Qubes 4.x certification [2].

- *Level 2: Qubes Stateless Laptop.* For details about this, please see
Joanna Rutkowska's paper State Considered Harmful [3]. We can foresee
multiple levels of compatibility here. However, we expect that it will be at
least two years before a true stateless laptop can be created. In the
immediate future, therefore, we intend to pursue a Level 1 laptop.

Please note that laptops on the Qubes Hardware Compatibility List (HCL) [4]
do not have a specific level. This is because neither ITL nor the Qubes OS
Project makes any affirmations regarding the vast majority of laptops on this
list. Rather, the list is compiled from voluntary contributions from members
of the community like you!

This is just the beginning. There's a long road ahead before we can make
a Reasonably Secure Laptop a reality, but the need is too great to ignore.


[1] https://www.qubes-os.org/news/2015/12/09/purism-partnership/
[2] https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/
[3] https://blog.invisiblethings.org/papers/2015/state_harmful.pdf
[4] https://www.qubes-os.org/hcl/


This post can be viewed on the Qubes website at:
https://www.qubes-os.org/news/2017/07/08/toward-a-reasonably-secure-laptop/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Chris Laprise

Jul 14, 2017, 7:46:02 AM
to qubes...@googlegroups.com
On 07/08/2017 10:58 PM, Andrew David Wong wrote:
> So far, no third-party manufacturers have produced a computer
> that satisfies these requirements. However, ITL has entered initial talks with
> a promising partner with whom we can foresee creating a true Reasonably Secure
> Laptop. Our plan is to introduce a tier-based model of laptop support:

It would be great to have a reasonably secure & modern laptop that has
physical / non-programmable power switches and LEDs (and removable
batteries).

Whenever I think about 'blue pill' I think about the possibility that
malware could fake reboot sequences. Knowing when a computer has truly
reset / powered-on is part of the initial verification and trust process.

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Syd Brisby

Jul 15, 2017, 1:08:36 AM
to qubes-devel, tas...@openmailbox.org
Well, at least one phone maker has recognised that the best security comes from physical separation. Unfortunately, PC / laptop makers are a long way behind.

Privat phone:

http://privat-smartphone.com/#solution

"PRIVAT has two independent mainboards, one for the smartphone hardware and the other one for the independent camera. Furthermore, each one has its own operating system with an internal memory and an expandable SD slot. You can also physically disconnect through a switch the GPS module, cameras and microphones. The use of PRIVAT could be useful for famous artists, business men, politicians or simply everyone who needs to keep high control of his private data through a robust system."

pixel fairy

Jul 15, 2017, 4:37:52 AM
to qubes-devel, tas...@openmailbox.org
cool, now we just need to get qubes running on that phone! 

Radoslaw Szkodzinski

Jul 16, 2017, 2:34:36 AM
to pixel fairy, qubes-devel, tas...@openmailbox.org
They are sort of lying; the CPU they're using has more OSes running on
it than you'd expect. This architecture vastly complicates separation
and evaluation of the device.

The critical parts are already running under a relatively weak
(security-wise) Qualcomm OKL4-like hypervisor on QDSP. Good luck
getting Xen running on this without magic Qualcomm NDAs.
There have been ways to exfiltrate even encryption keys using the chip.

A determined attacker may just make the call home wait for the
connection being enabled manually.
Not to mention Android itself is full of exploitable holes, every
implementation. Just check out their (in)security bulletin. Similarly
iOS, just a bit better.
I'm not aware of a phone that can be called secure or made secure.
Probably not even the unavailable OpenMoko GTA04. Too much firmware
running on that.

Have fun breaking them,
--
Radosław Szkodziński