Mainboard buying advice :: Should we still avoid mainboards with Intel vPro ??


Marek Jenkins

Nov 2, 2017, 9:32:38 PM
to qubes-users
It seems that most new mainboards with Intel chipset have support for "Intel vPro" technology.

I read in another thread that this can cause issues and should be avoided. Is that still correct?

Is "Intel vPro" a real no-go or can Qubes still work with it?
Or can having vPro support even have positive effects?

Thanks for your advice.

Marek

[799]

Nov 2, 2017, 9:42:56 PM
to qubes...@googlegroups.com
Hello,


> It seems that most new mainboards with Intel
> chipset have support for "Intel vPro"
> technology.

Have you looked here:
https://groups.google.com/forum/m/#!topic/qubes-users/8XrF_CpyEU0


> Is "Intel vPro" a real no-go or can Qubes still
> work with it?

Qubes will work with vPro. But with vPro it is possible to remotely administer a PC.
This is something we are using for some of our customers and it is helpful in an enterprise environment, but maybe not something you would like to have on your private machine.

Here are some more details:
https://security.stackexchange.com/questions/128619/what-are-the-privacy-and-security-risks-associated-with-intels-management-engin

(This one also has the link to the Qubes article addressing the vPro/Intel AMT topic)

Additionally:
https://puri.sm/learn/avoiding-intel-amt/

If vPro/Intel AMT is bothering you, I suggest running Coreboot (you might want to check which hardware is compatible:
https://www.coreboot.org/Supported_Motherboards)

[799]

Tai...@gmx.com

Nov 3, 2017, 12:21:07 AM
to Marek Jenkins, qubes-users, one7...@protonmail.com
On 11/02/2017 09:32 PM, 'Marek Jenkins' via qubes-users wrote:

> It seems that most new mainboards with Intel chipset have support for "Intel vPro" technology.
>
> I read in another thread that this can cause issues and should be avoided. Is that still correct?
The issue is Intel ME, a black box supervisor processor that is
controlled by Intel instead of you, thus you don't really own your computer.
vPro is simply a software add-on to it which runs on the ME processor; it
enables additional remote management features.

ME is very dangerous for your freedom as it is the world's greatest
backdoor present in every computer (btw you should stop using gmail if
you care about your freedom and not losing your job in 20 years to a
Google-made robot)
>
> Is "Intel vPro" a real no-go or can Qubes still work with it?
> Or can having vPro support even have positive effects?
It is used in a minority of enterprises for remote admin, but it is full
of security holes.
If ME/vPro were open source, owner controlled, physically removable and
better secured then it would be very cool.


I would buy a KCMA-D8 with a 4386 CPU then install coreboot (on this
board it is fully open source and blob free)
Features:
100% Libre firmware available!
>>>>Fully supports Qubes 4.0<<<<<
No ME/PSP
Dual socket - supports 8 core CPUs - 16 core CPUs available on its
bigger brother the KGPE-D16 (also libre)
128GB Max RAM
TPM addon (for AEM)
Multiple PCI-e slots (supports CrossFire)
IOMMU, with IOMMU for graphics (attach a GPU to a VM to play games in
your VM)
Two USB controllers (you need to buy USB headers to use the second)
Supports ECC RAM
Supports OpenBMC, an owner controlled remote management firmware for the
board's KVM processor (the KGPE-D16/KCMA-D8 OpenBMC port was a great
example of a successful crowdfunding campaign....which yours truly
contributed to)
Can play the latest games at high settings in a VM with a 4386 CPU,
equivalent to a FX-8310


The board is only $250 from a variety of independent sellers (not
overpriced/evil newegg/amazon) and you can get a nice CPU for $100
(4386) or a budget one for $30 (4280)

I offer free tech support for libre motherboard purchasers, I am skilled
using coreboot and it runs on many of my computers - don't hesitate to
ask me questions :D

Tai...@gmx.com

Nov 3, 2017, 12:33:47 AM
to [799], qubes...@googlegroups.com
On 11/02/2017 09:42 PM, '[799]' via qubes-users wrote:
> (This one has also the link to the Qubes article addressing the vpro/Intel AMT topic)
>
> Additionally:
> https://puri.sm/learn/avoiding-intel-amt/

https://www.reddit.com/r/linux/comments/3anjgm/on_the_librem_laptop_purism_doesnt_believe_in/

Purism isn't worth the money for what you get, their laptops aren't and
will never be owner controlled - their marketing is quite dishonest as well.

They also fail to mention that they didn't make ME cleaner, and that it
nerfs ME but doesn't disable it (Don't include any ME binaries and their
laptops WILL turn off after 30 minutes, physically disconnect the ME
processor to avoid a hostile mask ROM and their laptops won't even boot)

> If vPro/Intel AMT is bothering you, I suggest running Coreboot (you might want to check which hardware is compatible:
> https://www.coreboot.org/Supported_Motherboards)
Coreboot doesn't do anything about ME/PSP.

If you pick an Intel coreboot supporting board that has a 100% open
source init process (not the binary FSP blob like purism) it offers
improved security and performance vs the proprietary BIOS, moving the
firmware trust layer to you instead of OEM+vendor (default) or OEM (purism)

There are also a few quality x86-64 coreboot boards and a laptop (the
last free x86 boards FYI) that are owner controlled with an open source
init and without ME/PSP, such as the KCMA-D8 (workstation) KGPE-D16
(server) and Lenovo G505S (laptop)


From here the only choice for high performance owner controlled libre
new hardware is POWER, such as the excellent TALOS 2 (a great price for
server hardware in its performance class)

Marek Jenkins

Nov 3, 2017, 7:51:50 AM
to qubes-users
> I would buy a KCMA-D8 with a 4386 CPU then install coreboot (on this
> board it is fully open source and blob free)
> Features:
> 100% Libre firmware available!
> >>>>Fully supports Qubes 4.0<<<<<

Wow, thank you very much for your in-depth reply!
I never really considered buying a server mainboard before.

Until now, I had planned to buy an Asrock Q170M vPro mainboard + Intel i7-7700 CPU.
I did quite a bit of research on Intel chipsets and Intel CPUs and only a few seem to tick all the boxes for Qubes.

I especially looked for Intel VT-x (including EPT), Intel VT-d, and Intel TXT.
The Asrock Q170M vPro also supports AEM in theory. Last but not least, it's very cheap and supports current CPUs (LGA1151).

Can you elaborate a bit on the performance of the Asus KCMA-D8 + AMD Opteron 4386?
I had a look at performance benchmarks of the AMD Opteron 4386 (dual CPU) and it seems even a single Intel i7-7700 outperforms the 4386 CPU. Nonetheless, it's an octa-core CPU (2012) compared to the Intel CPU, which is a quad-core (2017). I have little knowledge about server hardware performance, so that makes the comparison a bit difficult for me. Would you say the KCMA-D8 + 4386 are on the same level or at least have more than enough power to run 8-10+ VMs (including 1-2 Windows HVMs) at the same time with 32GB RAM?

> The board is only $250 from a variety of independent sellers (not
> overpriced/evil newegg/amazon) and you can get a nice CPU for $100
> (4386) or a budget one for $30 (4280)
>
> I offer free tech support for libre motherboard purchasers, I am skilled
> using coreboot and it runs on many of my computers - don't hesitate to
> ask me questions :D

The reason I asked about the performance is that it would only be a good option for me if the performance is really good (hopefully comparable to current Intel i7 desktop CPUs).
Because where I live in Europe, the Asus KCMA-D8 + AMD Opteron 4386 are way more expensive and hard to get. The mobo costs roughly 360 USD and one (!) 4386 CPU costs about 560 USD. So if I'd go that route I would probably have to buy them abroad (US, China, etc) from the offers I have seen with more reasonable prices :/

TALOS2 also seems promising, although it's not in my budget ;)

Before I decide what to do: Do you maybe know some other mainboards that you can recommend for Qubes 4.0 that are relatively cheap + high performance and ship without vPro / AMT / ME + support for libre BIOS?

Kind regards!

Marek

Tai...@gmx.com

Nov 3, 2017, 9:23:37 AM
to Marek Jenkins, qubes-users
On 11/03/2017 07:51 AM, 'Marek Jenkins' via qubes-users wrote:

> Wow, thank you very much for your in-depth reply!
> I never really considered buying a server mainboard before.
It is a great workstation/server board.
> Until now, I had planned to buy an Asrock Q170M vPro mainboard + Intel i7-7700 CPU.
> I did quite a bit of research on Intel chipsets and Intel CPUs and only a few seem to tick all the boxes for Qubes.
Yeah Intel loves its artificial market segmentation.
> I especially looked for Intel VT-x (including EPT), Intel VT-d, and Intel TXT.
> The Asrock Q170M vPro also supports AEM in theory. Last but not least, it's very cheap and supports current CPUs (LGA1151).
TXT is a marketing feature, it isn't really relevant.
Doing kernel code signing via coreboot with grub payload is a much
better security feature, if you lock your flash chip the only way to
flash will be externally (with a tester clip) so it is very secure.
The KCMA-D8 and KGPE-D16 support an owner controlled core root of trust
TPM via coreboot if you wanna use AEM.
> Can you elaborate a bit on the performance of the Asus KCMA-D8 + AMD Opteron 4386?
* Using Gentoo is enjoyable for once as it doesn't take forever to
compile stuff.
* You'd be able to play new video games at high settings in a VM, run a
bunch of VMs or do both at the same time with dual 4386 CPUs.
* You could use it as a gigabit VPN router with a router distro.

Another option for more juice is the pricier KGPE-D16 (same featureset
but with more RAM slots, support for socket G34 16 core CPUs and more
PCI-e lanes/slots); get 16 core CPUs and you would be able to have 32
cores total with the Opteron 6386 (best G34 CPU) and thus for instance
have three people playing games at high settings on the same PC plus
many VMs.
> I had a look at performance benchmarks of the AMD Opteron 4386 (dual CPU) and it seems even a single Intel i7-7700 outperforms the 4386 CPU. Nonetheless, it's an octa-core CPU (2012) compared to the Intel CPU, which is a quad-core (2017). I have little knowledge about server hardware performance, so that makes the comparison a bit difficult for me.
A 4386 (socket C32) is equivalent to a FX-8310 (socket AM3+), the new
Intel stuff is a bit faster but it is non-free and to get 8 cores you
have to pay a ton of money.
> Would you say the KCMA-D8 + 4386 are on the same level or at least have more than enough power to run 8-10+ VMs (including 1-2 Windows HVMs) at the same time with 32GB RAM?
RAM - I would get 64GB (need ECC RDIMMs fyi, $10/ea used for 8GB
1333MHz sticks)
CPU - Yes definitely, and you can always pop in another 4386 for more
juice such as if you want to play games and use power hungry VMs at the
same time (with my 16 cores I play games in one VM and compile things in
another VM concurrently with no issues)

More things:
The board should be bought brand new but all the other stuff you can get
used as it has a much longer life (CPU - 20 years) than for instance the
capacitors on the board.
Let me know if you want help finding a site that sells them for $250 or
so (not amazon or newegg)
You will need to buy a video card as the onboard video sucks, I advise
AMD as they are friendlier to open source and virtualization compared
with Nvidia who adds "bugs" to their drivers to try and stop you from
using a GeForce card in a VM to play games (see code 43 error)
OpenBMC needs the ASMB4-iKVM or ASMB5-iKVM, the KCMA-D8 doesn't come
with one but the KGPE-D16 does.

Marek Jenkins

Nov 3, 2017, 10:10:49 AM
to qubes-users
Thanks again for all the info, I really appreciate your advice!

> TXT is a marketing feature, it isn't really relevant.
> Doing kernel code signing via coreboot with grub payload is a much
> better security feature, if you lock your flash chip the only way to
> flash will be externally (with a tester clip) so it is very secure.

Okay good to know, then I'll discard TXT from now on ;)

> * You'd be able to play new video games at high settings in a VM, run a
> bunch of VMs or do both at the same time with dual 4386 CPUs.
> * You could use it as a gigabit VPN router with a router distro.
> Another option for more juice is the pricier KGPE-D16 (same featureset
> but with more RAM slots, support for socket G34 16 core CPUs and more
> PCI-e lanes/slots); get 16 core CPUs and you would be able to have 32
> cores total with the Opteron 6386 (best G34 CPU) and thus for instance
> have three people playing games at high settings on the same PC plus
> many VMs.

Sounds perfect! I think you actually convinced me to go for the KGPE-D16 + Opteron 6386 + 64GB RAM then :)

Now I only need to find a trusted seller where I can buy the mainboard (new/affordable price) with EU shipping. Everything except mainboard can be used (RAM, CPU, AMD GPU).

It would be awesome if you could tell me where to buy the hardware cheap.
Preferably via e-mail (marek....@openmailbox.org) for privacy or in your reply over here if you don't want to reveal your e-mail address.

(No worries, this is just one of my "throw-away" email-addresses)

> You will need to buy a video card as the onboard video sucks, I advise
> AMD as they are friendlier to open source and virtualization compared
> with Nvidia who adds "bugs" to their drivers to try and stop you from
> using a GeForce card in a VM to play games (see code 43 error)

Do you maybe know an AMD card that would work?


Kind regards,
Marek

Marek Jenkins

Nov 4, 2017, 1:56:43 PM
to qubes-users
What is the difference between Coreboot and Libreboot?

Is one better than the other for Qubes OS?

Tai...@gmx.com

Nov 4, 2017, 8:53:08 PM
to Marek Jenkins, qubes-users
On 11/03/2017 10:10 AM, 'Marek Jenkins' via qubes-users wrote:

> Thanks again for all the info, I really appreciate your advice!
>
>> TXT is a marketing feature, it isn't really relevant.
>> Doing kernel code signing via coreboot with grub payload is a much
>> better security feature, if you lock your flash chip the only way to
>> flash will be externally (with a tester clip) so it is very secure.
> Okay good to know, then I'll discard TXT from now on ;)
>
>> * You'd be able to play new video games at high settings in a VM, run a
>> bunch of VMs or do both at the same time with dual 4386 CPUs.
>> * You could use it as a gigabit VPN router with a router distro.
>> Another option for more juice is the pricier KGPE-D16 (same featureset
>> but with more RAM slots, support for socket G34 16 core CPUs and more
>> PCI-e lanes/slots); get 16 core CPUs and you would be able to have 32
>> cores total with the Opteron 6386 (best G34 CPU) and thus for instance
>> have three people playing games at high settings on the same PC plus
>> many VMs.
> Sounds perfect! I think you actually convinced me to go for the KGPE-D16 + Opteron 6386 + 64GB RAM then :)
Even just one 6386 is a speed demon but if you want you can eventually
upgrade to two if you really wanna be cooking with gas.

Although I would recommend saving money by getting a KCMA-D8 and a
4386 - you can always buy a second 4386 if you want more speed.

If you have 32 cores honestly they'll probably be sitting idle most of
the time (mine are), as you'd be compiling everything in a matter of
seconds.

Although an advantage of the KGPE-D16 is that it includes the $50 module
needed to run OpenBMC - your choice.
Also for the KGPE-D16 one can buy an 8 core 6328 which is better
for games than the slower per core speed of the 6386 and slightly faster
than the D8's socket C32 4386 (btw according to the dev one can mix and
match a 6328 and a 6386, so say one for games, one for compiles) as hardly
any games use more than 8 cores let alone 16.
> Now I only need to find a trusted seller where I can buy the mainboard (new/affordable price) with EU shipping. Everything except mainboard can be used (RAM, CPU, AMD GPU).
>
> It would be awesome if you could tell me where to buy the hardware cheap.
Dunno about that, but you should ask on the coreboot mailing list.

Usual retail:
KGPE-D16 - $400
KCMA-D8 - $250-300

CPU:
4386 - $100-130
6386 - $100-200
> Preferably via e-mail (marek....@openmailbox.org) for privacy or in your reply over here if you don't want to reveal your e-mail address.
>
> (No worries, this is just one of my "throw-away" email-addresses)
You shouldn't use gmail, you are supporting their AI research and giving
them data to spy on you and add to your marketing profile via browser
fingerprinting (don't think they don't know about your other accounts)
>> You will need to buy a video card as the onboard video sucks, I advise
>> AMD as they are friendlier to open source and virtualization compared
>> with Nvidia who adds "bugs" to their drivers to try and stop you from
>> using a GeForce card in a VM to play games (see code 43 error)
> Do you maybe know an AMD card that would work?
Anything post 2012 is fine, but obviously you want something
new/performance if you wish to play new games.
No need to buy a FirePro/Radeon Pro, the regular radeons are fine.

Marek Jenkins

Nov 4, 2017, 9:36:49 PM
to qubes-users
> Even just one 6386 is a speed demon but if you want you can eventually
> upgrade to two if you really wanna be cooking with gas.
>
> Although I would recommend saving money by getting a KCMA-D8 and a
> 4386 - you can always buy a second 4386 if you want more speed.
>
> If you have 32 cores honestly they'll probably be sitting idle most of
> the time (mine are), as you'd be compiling everything in a matter of
> seconds.

Probably true ;) I just thought I'd spend a little bit more now to have a solution that serves me well for the next couple of years to come :D I plan to use the machine for video rendering, gaming and running quite a few VMs + HVMs in parallel.

> Although an advantage of the KGPE-D16 is that it includes the $50 module
> needed to run OpenBMC - your choice.

I looked it up, but I don't really understand the purpose of the OpenBMC module. Was it for TPE/AEM support?

> Usual retail:
> KGPE-D16 - $400
> KCMA-D8 - $250-300
>
> CPU:
> 4386 - $100-130
> 6386 - $100-200

Thanks for the overview.

Do you by any chance know for sure if the 6386 works with Coreboot?
Because on the Coreboot website they advise to avoid the whole 63xx series, due to the "microcode update" issue. I initially also wanted to go for a 63xx CPU but due to their advice I thought about switching to 62xx to avoid all those problems.

Maybe that can be solved? Because the 63xx is only insignificantly more expensive than the 62xx CPUs...

PS: I will also switch off Google very soon, I didn't know they were doing such advanced things in regards to tracking..

Tai...@gmx.com

Nov 5, 2017, 8:09:32 PM
to Marek Jenkins, qubes-users
On 11/04/2017 09:36 PM, 'Marek Jenkins' via qubes-users wrote:

>> Although an advantage of the KGPE-D16 is that it includes the $50 module
>> needed to run OpenBMC - your choice.
> I looked it up, but I don't really understand the purpose of the OpenBMC module. Was it for TPE/AEM support?
It is for libre remote access and hardware fan control (instead of
running fancontrol in linux)
>
>> Usual retail:
>> KGPE-D16 - $400
>> KCMA-D8 - $250-300
>>
>> CPU:
>> 4386 - $100-130
>> 6386 - $100-200
> Thanks for the overview.
>
> Do you by any chance know for sure if the 6386 works with Coreboot?
Yeah it does.
> Because on the Coreboot website they advise to avoid the whole 63xx series, due to the "microcode update" issue.
No that's what the libreboot site says, I maintain the kgpe-d16 article
on the coreboot wiki and I would never state that.
> I initially also wanted to go for a 63xx CPU but due to their advice I thought about switching to 62xx to avoid all those problems.
>
> Maybe that can be solved? Because the 63xx is only insignificantly more expensive than the 62xx CPUs...
Get a 63xx/43xx, they're slightly faster.
>
> PS: I will also switch off Google very soon, I didn't know they were doing such advanced things in regards to tracking..
They are truly the world's most powerful corporation, they are even
putting cameras and mics around urban centers now to help with their AI
research and of course advertising.

Marek Jenkins

Nov 6, 2017, 12:42:40 AM
to qubes-users
On Monday, 6 November 2017 02:09:32 UTC+1, Tai...@gmx.com wrote:
> On 11/04/2017 09:36 PM, 'Marek Jenkins' via qubes-users wrote:
>
> >> Although an advantage of the KGPE-D16 is that it includes the $50 module
> >> needed to run OpenBMC - your choice.
> > I looked it up, but I don't really understand the purpose of the OpenBMC module. Was it for TPE/AEM support?
> It is for libre remote access and hardware fan control (instead of
> running fancontrol in linux)

Thanks for the clarification! I probably won't really need the remote access feature, but hardware fan control is always good. Even better when libre.

> > Do you by any chance know for sure if the 6386 works with Coreboot?
> Yeah it does.
> > Because on the Coreboot website they advise to avoid the whole 63xx series, due to the "microcode update" issue.
> No that's what the libreboot site says, I maintain the kgpe-d16 article
> on the coreboot wiki and I would never state that.

Cool, I didn't expect that - great to get so much support first-hand :) Initially, my plan was also to get a 63xx CPU but then I stumbled on Libreboot's wiki, where they state one should "AVOID [the 63xx series] LIKE THE PLAGUE". Seemed a bit hysterical to me as well, but then again, I thought they know their stuff (no offence) :D (Source: https://libreboot.org/docs/hardware/kgpe-d16.html)

I'm really glad the 63xx CPUs are also supported by Coreboot. I don't really mind about Libreboot's philosophical issues - if it works on Coreboot I'm happy. And now as I have checked the Coreboot Wiki page again I actually realized you openly state the 63xx series works fine ;)

By the way, I also finally managed to compile the Coreboot .rom file yesterday, with the help of the wiki (https://www.coreboot.org/Build_HOWTO). It was just for testing purposes, and I didn't really change much during the setup. I simply chose the ASUS KGPE-D16 mainboard and compiled it as an i386 ROM (AMD chipset). Basically like this:

1. $ make menuconfig (ASUS KGPE-D16, PS/2 init, SeaBios)
2. $ make crossgcc-i386 CPUS=8
3. $ make

Is that all it takes to compile the .rom correctly? Does SeaBIOS work out-of-the-box with Qubes? Also, would it be best to simply clone the latest working config for the KGPE-D16 from the Coreboot website (https://www.coreboot.org/Supported_Motherboards), which can be downloaded here for example:

- https://review.coreboot.org/cgit/coreboot.git/commit/?id=3f09b0ffef990286ecca344cf73023b35be42406
- https://review.coreboot.org/cgit/board-status.git/tree/asus/kgpe-d16/4.6-1125-g3f09b0f/2017-08-21T04_40_02Z/config.txt


Regarding Coreboot, IOMMU and security:

On your wiki page it says "The 63xx "Piledriver" series processors require microcode updates to enable IOMMU (Errata) and may require microcode updates for safe operation due to the 2016 gain-root-via-NMI exploit."

I found some details about the 63xx microcode security updates on the Debian mailing list, but I'm not really sure if the same manual update procedure applies to our use case (Qubes/Xen/Coreboot) since dom0 is based on Fedora. (Source: https://lists.debian.org/debian-user/2016/03/msg01044.html)

Would you generally agree, that "Microcode update" is just a fancy name for fetching + installing a certain AMD package from a repository that patches the security vulnerability in the CPU? Or what is the approach I need to follow to enable IOMMU and fix the security vulnerability when running a 63xx CPU under Qubes/Xen?

> Get a 63xx/43xx, they're slightly faster.

Yes definitely.

> > PS: I will also switch off Google very soon, I didn't know they were doing such advanced things in regards to tracking..
> They are truly the world's most powerful corporation, they are even
> putting cameras and mics around urban centers now to help with their AI
> research and of course advertising.

Yes it's really crazy and a bit alarming how much data they gather :/ That's also the main reason why I want to keep my browsing in different VMs (work, banking, music/streaming, etc). I mean no one knows what they will really do with all the personal data in the future.. they sure sell the data or use it for advertising purposes. Besides that, the added security of Qubes against malware was another great thing that convinced me to switch.

Best regards!
Marek

Tai...@gmx.com

Nov 6, 2017, 2:13:31 AM
to Marek Jenkins, qubes-users
On 11/06/2017 12:42 AM, 'Marek Jenkins' via qubes-users wrote:

> On Monday, 6 November 2017 02:09:32 UTC+1, Tai...@gmx.com wrote:
>> On 11/04/2017 09:36 PM, 'Marek Jenkins' via qubes-users wrote:
>>
>>>> Although an advantage of the KGPE-D16 is that it includes the $50 module
>>>> needed to run OpenBMC - your choice.
>>> I looked it up, but I don't really understand the purpose of the OpenBMC module. Was it for TPE/AEM support?
>> It is for libre remote access and hardware fan control (instead of
>> running fancontrol in linux)
> Thanks for the clarification! I probably won't really need the remote access feature, but hardware fan control is always good. Even better when libre.
>
>>> Do you by any chance know for sure if the 6386 works with Coreboot?
>> Yeah it does.
>>> Because on the Coreboot website they advise to avoid the whole 63xx series, due to the "microcode update" issue.
>> No that's what the libreboot site says, I maintain the kgpe-d16 article
>> on the coreboot wiki and I would never state that.
> Cool, I didn't expect that - great to get so much support first-hand :) Initially, my plan was also to get a 63xx CPU but then I stumbled on Libreboot's wiki, where they state one should "AVOID [the 63xx series] LIKE THE PLAGUE". Seemed a bit hysterical to me as well, but then again, I thought they know their stuff (no offence) :D (Source: https://libreboot.org/docs/hardware/kgpe-d16.html)
>
> I'm really glad the 63xx CPUs are also supported by Coreboot. I don't really mind about Libreboot's philosophical issues - if it works on Coreboot I'm happy. And now as I have checked the Coreboot Wiki page again I actually realized you openly state the 63xx series works fine ;)
The FSF hard line stance is a good thing, which gets us stuff like TALOS
2/POWER9 which is 100% owner controlled including microcode (check it out)
But in this case I say the faster cpu is worth it for video games.

If you wanted a 62xx you could get a 6287SE which is almost as fast as a
6386SE, whereas the 6284SE is a tick slower.
> By the way, I also finally managed to compile the Coreboot .rom file yesterday, with the help of the wiki (https://www.coreboot.org/Build_HOWTO). It was just for testing purposes, and I didn't really change much during the setup. I simply chose the ASUS KGPE-D16 mainboard and compiled it as an i386 ROM (AMD chipset). Basically like this:
>
> 1. $ make menuconfig (ASUS KGPE-D16, PS/2 init, SeaBios)
> 2. $ make crossgcc-i386 CPUS=8
> 3. $ make
Sounds ok.
> Is that all it takes to compile the .rom correctly? Does SeaBIOS work out-of-the-box with Qubes? Also, would it be best to simply clone the latest working config for the KGPE-D16 from the Coreboot website (https://www.coreboot.org/Supported_Motherboards), which can be downloaded here for example:
>
> - https://review.coreboot.org/cgit/coreboot.git/commit/?id=3f09b0ffef990286ecca344cf73023b35be42406
> - https://review.coreboot.org/cgit/board-status.git/tree/asus/kgpe-d16/4.6-1125-g3f09b0f/2017-08-21T04_40_02Z/config.txt
That should be what was included, no need to do that.
> Regarding Coreboot, IOMMU and security:
>
> On your wiki page it says "The 63xx "Piledriver" series processors require microcode updates to enable IOMMU (Errata) and may require microcode updates for safe operation due to the 2016 gain-root-via-NMI exploit."
>
> I found some details about the 63xx microcode security updates on the Debian mailing list, but I'm not really sure if the same manual update procedure applies to our use case (Qubes/Xen/Coreboot) since dom0 is based on Fedora. (Source: https://lists.debian.org/debian-user/2016/03/msg01044.html)
>
> Would you generally agree, that "Microcode update" is just a fancy name for fetching + installing a certain AMD package from a repository that patches the security vulnerability in the CPU? Or what is the approach I need to follow to enable IOMMU and fix the security vulnerability when running a 63xx CPU under Qubes/Xen?
You need it in the firmware to enable IOMMU and avoid the NMI issue, by
default coreboot includes it as I said so no worries. (check just to
make sure of course)
>> Get a 63xx/43xx, they're slightly faster.
> Yes definitely.
>
>>> PS: I will also switch off Google very soon, I didn't know they were doing such advanced things in regards to tracking..
>> They are truly the world's most powerful corporation, they are even
>> putting cameras and mics around urban centers now to help with their AI
>> research and of course advertising.
> Yes it's really crazy and a bit alarming how much data they gather :/ That's also the main reason why I want to keep my browsing in different VMs (work, banking, music/streaming, etc).
That doesn't do anything if you use an identical browser fingerprint.
> I mean no one knows what they will really do with all the personal data in the future.
Being denied a job because your politics differ from your boss's -
removing 50% of job options.
Having creepy people scan your face in public and then harass you for
whatever reason.
Someone robbing your house because statistically they can get away with
it at exactly that time (their robber research tool told them what the
best time was to rob you: when you are far from home, when the local
cops take a donut break, when your neighbors are otherwise occupied, etc)
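As an added example (not code from the thread, the coreboot project or any of its participants), a POSIX shell script for the two checks that the build steps above and the "check just to make sure" reply call for: that the freshly built ROM actually carries a CPU microcode blob, and which microcode patch level the CPU reports once the firmware has applied it. It assumes the cbfstool built alongside the ROM (build/cbfstool/cbfstool), a ROM at build/coreboot.rom, and the CBFS entry name cpu_microcode_blob.bin that coreboot uses for the microcode blob; the listings used to exercise the functions are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread or the coreboot tree: check that a coreboot
# build carries CPU microcode in CBFS, and read the patch level the running CPU
# reports. Assumptions: cbfstool at build/cbfstool/cbfstool (produced by "make"),
# the ROM at build/coreboot.rom, and the CBFS entry name "cpu_microcode_blob.bin"
# that coreboot uses for the microcode blob it packs for the board.

CBFSTOOL="${CBFSTOOL:-build/cbfstool/cbfstool}"
MICROCODE_ENTRY="cpu_microcode_blob.bin"

# Read a `cbfstool <rom> print` listing on stdin and print the size in bytes of
# the microcode entry; print nothing if the entry is absent. Each entry line is
# "name offset type size" (newer cbfstool versions append a compression column).
microcode_entry_size() {
    awk -v name="$MICROCODE_ENTRY" '$1 == name { print $4; exit }'
}

# Read /proc/cpuinfo-style text on stdin and print the first "microcode" value,
# i.e. the patch level the kernel read back from the CPU after firmware ran.
# Lines look like "microcode<TAB>: 0x6000852", hence the regex on the key.
microcode_revision_from_cpuinfo() {
    awk -F': *' '$1 ~ /^microcode[ \t]*$/ { print $2; exit }'
}

# Return 0 if the ROM at $1 contains a non-empty microcode entry, 1 otherwise.
# A missing cbfstool or ROM simply yields an empty listing and therefore 1.
rom_has_microcode() {
    size="$("$CBFSTOOL" "$1" print 2>/dev/null | microcode_entry_size)"
    [ -n "$size" ] && [ "$size" -gt 0 ]
}

# Run the real checks only when a ROM path is given on the command line, e.g.
#   sh check_microcode.sh build/coreboot.rom
if [ -n "${1:-}" ]; then
    if rom_has_microcode "$1"; then
        echo "ok: $1 carries $MICROCODE_ENTRY"
    else
        echo "warning: $1 has no $MICROCODE_ENTRY entry; firmware will not apply the IOMMU/NMI microcode" >&2
    fi
    if [ -r /proc/cpuinfo ]; then
        echo "running CPU reports microcode revision: $(microcode_revision_from_cpuinfo < /proc/cpuinfo)"
    fi
fi
```

The second check only tells you what the CPU currently reports; compare it against the patch level coreboot's blob carries for your CPU model rather than treating any non-zero value as proof the update was applied.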

Marek Jenkins

Nov 6, 2017, 11:22:18 AM
to qubes-users
> > I'm really glad the 63xx CPUs are also supported by Coreboot. I don't really mind about Libreboot's philosophical issues - if it works on Coreboot I'm happy. And now as I have checked the Coreboot Wiki page again I actually realized you openly state the 63xx series works fine ;)
> The FSF hard line stance is a good thing, which gets us stuff like TALOS
> 2/POWER9 which is 100% owner controlled including microcode (check it out)
> But in this case I say the faster cpu is worth it for video games.

Yes I've had a look, TALOS II is definitely a great project! Unfortunately, my budget doesn't really allow me to spend 5-6k on a workstation. Nonetheless, I really appreciate their efforts and can imagine privacy/security-conscious companies do so as well. I don't even think it's that expensive, given that they have to do a lot of development/research and probably only manufacture in relatively small quantities (yet).

> > Is that all it takes to compile the .rom correctly? Does SeaBIOS work out-of-the-box with Qubes? Also, would it be best to simply clone the latest working config for the KGPE-D16 from the Coreboot website (https://www.coreboot.org/Supported_Motherboards), which can be downloaded here for example:
> >
> > - https://review.coreboot.org/cgit/coreboot.git/commit/?id=3f09b0ffef990286ecca344cf73023b35be42406
> > - https://review.coreboot.org/cgit/board-status.git/tree/asus/kgpe-d16/4.6-1125-g3f09b0f/2017-08-21T04_40_02Z/config.txt
> That should be what was included, no need to do that.

Yes true, I just thought I might reverse-engineer the correct settings for the KGPE-D16 from that config.txt file. Now as I have learned that the default settings are fine, that idea doesn't really make sense anymore. I initially expected each motherboard/chipset would require a custom setup to work. (Besides specifying motherboard/chipset).

> > Would you generally agree, that "Microcode update" is just a fancy name for fetching + installing a certain AMD package from a repository that patches the security vulnerability in the CPU? Or what is the approach I need to follow to enable IOMMU and fix the security vulnerability when running a 63xx CPU under Qubes/Xen?
> You need it in the firmware to enable IOMMU and avoid the NMI issue, by
> default coreboot includes it as I said so no worries. (check just to
> make sure of course)

Okay fine, I'll simply go with Coreboot default settings then.

> > Yes it's really crazy and a bit alarming how much data they gather :/ That's also the main reason why I want to keep my browsing in different VMs (work, banking, music/streaming, etc).
> That doesn't do anything if you use an identical browser fingerprint.

Seems I really need to learn a bit more about this as soon as Qubes OS is up and running. I thought if I separate the cookies and use an adblock addon in Firefox I'd avoid most of those tracking problems.

> > I mean no one knows what they will really do with all the personal data in the future.
> Being denied a job because your politics differ from your bosses' -
> removing 50% of job options.
> Having creepy people scan your face in public and then harass you for
> whatever reason.
> Someone robbing your house because statistically they can get away with
> it at exactly that time (their robber research tool told them what the
> best time was to rob you: when you are far from home, when the local
> cops take a donut break, when your neighbors are otherwise occupied, etc)

Scary stuff, but very likely if I think about it! I once also read that insurance companies increasingly attempt to track/profile people (and their habits) on social media to determine insurance premiums. In other words, sometime in the future your insurance premium could depend on what you post/share online (or what not). Can't believe all those things are legal.

mrp...@gmail.com

unread,
Mar 13, 2018, 3:24:51 AM3/13/18
to qubes-users

Any updates in 2018?

brenda...@gmail.com

unread,
Mar 13, 2018, 8:55:09 AM3/13/18
to qubes-users
If you bypass the onboard/whitelisted Ethernet and WiFi controllers and use USB connected networking, don’t you strongly mitigate remote access via Intel ME? It cannot use hardware it doesn’t have code to communicate with, right?

B

awokd

unread,
Mar 13, 2018, 9:01:24 AM3/13/18
to brenda...@gmail.com, qubes-users
Yes, that is a good step to take.

sevas

unread,
Mar 13, 2018, 12:34:22 PM3/13/18
to qubes-users
Tai, I would be interested to hear what you would recommend for a qubes laptop.
I just bought in to the intel blob myself. Is it feasible to build a custom laptop?

Tai...@gmx.com

unread,
Mar 13, 2018, 4:59:31 PM3/13/18
to qubes...@googlegroups.com
On 03/13/2018 08:55 AM, brenda...@gmail.com wrote:

> If you bypass the onboard/whitelisted Ethernet and WiFi controllers and use USB connected networking, don’t you strongly mitigate remote access via Intel ME? It cannot use hardware it doesn’t have code to communicate with, right?
Wrong.
Haven't you read the rest of the thread with my posts?

It can do P2P DMA to any NIC, there was research about this topic a few
years ago about using a hacked graphics card firmware to communicate
over the network via P2P DMA to a NIC or to a usb controller if you use
a usb networking device, the myth of "just use another nic and you'll be
fine" was started by purism to help sell their not-actually-libre laptop.

FYI:
ME/PSP is not subject to IOMMU restrictions
It is impossible to disable ME/PSP; Purism, Dell and System76 are lying
about that - with me_cleaner and the HAP bit any mask ROMs and the ME
kernel still run - do you really think a hypothetical backdoor is that
primitive? And as ME is a DRM feature (PAVP, Intel Insider, HDCP, etc.)
it is illegal to do research into breaking the hardware code signing
enforcement.
Impossible = would take years and so much money that you could
create your own owner controlled POWER or ARM laptop for the same price
- by the time it was figured out the hardware would be very old and not
available any more.

Why not just buy a non-ME/PSP computer? There are many owner controlled
choices (see the rest of my thread). I can't understand why people are
so insistent on having the latest Intel hardware and why people have
those delusions that just by doing X thing they can be "safe". I doubt
anyone can tell the difference between a 2018 CPU and a 2013 CPU (ex:
Lenovo G505S with a pre-PSP AMD quad core A10).

Brand new owner controlled hardware is incredibly rare due to the amount
of money it takes to make a motherboard even a crappy SoC design (think
millions), plus unfortunately now the only owner controlled CPU arch is
POWER.
Ironically though for once you have the *actually* libre hardware TALOS
2 which is faster and less expensive than what Intel would sell you for
the same price (2.5K for the CPU and mobo is a great deal; a non-free
Xeon with that many threads and equivalent performance would cost more
and it wouldn't have PCI-e 4.0, CAPI and all the other neat features).

Every time you purchase new intel/amd hardware instead of for instance a
TALOS 2 (workstation/server) or Novena (laptop) you are contributing to
future DRM/anti-feature development instead of the development of newer
better libre hardware - if the TALOS 2 is successful there are plans for
a POWER mobile workstation laptop.

In case you don't want to read the rest of the thread:
Recommendations for Qubes 4.0:

Laptops:
Lenovo G505S - owner controlled, no ME/PSP, open source cpu/ram init
(blob for video and power management but can be replaced if someone does
the work and it is IOMMU restricted)

Workstations:
KCMA-D8 (MSRP $315 for the board)
KGPE-D16 (MSRP $415 for the board)
I play brand new games in a VM with IOMMU-GFX on mine.

Non-qubes workstation/server:
TALOS 2 - for virtualization including IOMMU-GFX graphics attaching to a
VM - Brand new very high performance libre owner controlled hardware
even including the cpu microcode - zero non-owner controlled hardware
enforced code signing.
I highly recommend the T2, while ATM xen doesn't support POWER (and the
devs rebuff help from IBM/Raptor) it is an excellent virtualization
platform and the performance is very high.

Non-qubes laptops:
Novena - open source hardware laptop with libre firmware, NOTE THERE IS
NO IOMMU/HVM on the novena.

If you really need 32GB RAM, an external graphics card, docking station
or second battery on your laptop there is also the W520 (32GB) and T420
(16GB) which both support Ivy Bridge CPUs and open source hardware
init; you can nerf ME via me_cleaner/HAP bit (not disabled). I recommend
a G505S instead however as it is much more free and secure.

brenda...@gmail.com

unread,
Mar 13, 2018, 11:05:44 PM3/13/18
to qubes-users
If I pull the WiFi card out and don’t connect the Ethernet port to anything, then I configure qubes to use only a usb WiFi adapter (as I indicated above), I’m pretty sure that the ME engine won’t be able to use any of the three network interfaces to phone home. For ME to work over a network, it has to have a driver for the network adapter. It is unlikely to have one for the USB adapter.

I’m pretty sure that ME is one reason Lenovo firmware has a WiFi card whitelist.

B

Tai...@gmx.com

unread,
Mar 14, 2018, 3:34:16 AM3/14/18
to qubes...@googlegroups.com
On 03/13/2018 11:05 PM, brenda...@gmail.com wrote:

> If I pull the WiFi card out and don’t connect the Ethernet port to anything, then I configure qubes to use only a usb WiFi adapter (as I indicated above), I’m pretty sure that the ME engine won’t be able to use any of the three network interfaces to phone home. For ME to work over a network, it has to have a driver for the network adapter. It is unlikely to have one for the USB adapter.
I would re-read what I stated before - a hypothetical backdoor can
easily use simple P2P DMA writes; it doesn't need drivers.

Don't you think the makers of such a thing would have planned for such a
contingency? Many people use USB mobile internet cards or wifi adapters.
> I’m pretty sure that ME is one reason Lenovo firmware has a WiFi card whitelist.
No, it's to get people to buy their own card upgrades (ex: $100+ at
purchase) instead of cheaper ones under the guise of FCC rules; it
existed long before ME.

Ilpo Järvinen

unread,
Mar 14, 2018, 3:47:39 AM3/14/18
to Tai...@gmx.com, qubes...@googlegroups.com
On Wed, 14 Mar 2018, Tai...@gmx.com wrote:

> On 03/13/2018 11:05 PM, brenda...@gmail.com wrote:
>
> > If I pull the WiFi card out and don’t connect the Ethernet port to anything,
> > then I configure qubes to use only a usb WiFi adapter (as I indicated
> > above), I’m pretty sure that the ME engine won’t be able to use any of the
> > three network interfaces to phone home. For ME to work over a network, it
> > has to have a driver for the network adapter. It is unlikely to have one for
> > the USB adapter.
> I would re-read what I stated before - a hypothetical backdoor can easily use
> simple P2P DMA writes it doesn't need drivers.

Given that such an attack should make sure that the device won't crash when
such a hypothetical backdoor is using DMA while something else is using the
device through the normal driver at the same time, I'd seriously consider
removing at least the "simple" qualifier from there. Alternatively, the
attack needs synchronization besides DMA, which also invalidates your
claim that simple P2P DMA is enough.


--
i.