Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?


Frasse F

Oct 7, 2017, 11:42:55 AM
to qubes-users
I would like some purchasing advice: I'm looking for a laptop that is reasonably secure and also has a built-in touch screen. I would prefer if it had 16 GB of RAM, as I want to run Qubes OS and I want to sometimes be able to run a Windows App-VM for dictation and speech recognition which is processed locally (I do a lot of writing and I also care about security/privacy).

The dream would be to run one of Purism's Librem 13 or 15 laptops; however, they do not have a touch screen. Purism is planning to release a Librem 11 laptop (with a touchscreen), but it will only have 8 GB of RAM and cannot be upgraded. I think this is not enough for my needs.

That's why I'm looking for an alternative laptop. I read on Purism's website that having a processor without AMT, or in Intel's case what they call "vPro", is important to avoid possible hardware backdoors. https://puri.sm/learn/avoiding-intel-amt/

My second alternative is to buy a non-Purism laptop which has a touchscreen, enough RAM and is fairly secure. So the second alternative that I'm considering would be the Lenovo 520 Yoga. https://www.dustin.se/product/5011033265/yoga-520-touch . The model is running the Intel® Core™ i5-7200U processor. According to the specification page on Intel's website, this processor does not have the vPro technology. https://ark.intel.com/products/95443/Intel-Core-i5-7200U-Processor-3M-Cache-up-to-3_10-GHz

These are my questions:

1) Is there anything except for the AMT/vPro aspect of the hardware security that I might have overlooked that is critical when evaluating the Lenovo Yoga's safety?

2) Should one in general be sceptical towards Lenovo even when they are using hardware from other manufacturers?

3) Are there any Qubes users out there who are already using a laptop with a touch screen and enough RAM, running Qubes? What laptop model are you using and would you recommend it?

One7two99

Oct 7, 2017, 12:44:08 PM
to frassef...@gmail.com, qubes...@googlegroups.com
Hello,


>> These are my questions 

>> 1) Is there anything except for the AMT/vPro
>> aspect of the hardware security that I might
>> have overlooked that is critical when
>> evaluating the Lenovo Yoga's safety?

If talking about hardware security I would suggest looking into a device which can run coreboot.

>> 2) Should one in general be sceptical towards
>> Lenovo even when they are using hardware
>> from other manufacturers? 

The good thing with Lenovo/Thinkpad is that lots of devices have good Linux support.
And you get 'older' devices which run smoothly under Qubes after adding an SSD and more RAM.
You can also get docking stations very cheaply.
I've been using Thinkpads for years and would definitely recommend them.


>> 3) Are there any Qubes users out there who are
>> already using a laptop with touch screen and
>> enough ram, running Qubes? What laptop
>> model are you using and would you
>> recommend it? 

Honestly I haven't seen any user using a touchscreen with Qubes.
Just out of interest what is the use case for touch?
Regarding recommendation:
You haven't said which display size you need.

Leaving touch functionality out, I would recommend an X230 with 16 GB RAM, LTE, SSD and a fresh battery -> 10-11h battery runtime.

[799]

frassef...@gmail.com

Oct 7, 2017, 3:10:51 PM
to qubes-users
Thank you for your response and for sharing your thoughts and experience from using Lenovo Thinkpads! I looked at the Hardware Compatibility List and looked at Thinkpads; most of the models did not seem to be for sale anymore.

> Honestly I haven't seen any user using touchscreen with Qubes.
> Just out of interest what is the use case for touch?
> Regarding recommendation:
> You haven't said which display size you need.

The use case of touch is mainly for ergonomic reasons. I read and write a lot and it is better for my arms to scroll down the documents and highlight things using touch instead of the keyboard and mouse. This is so important for me that I would even pay more for a touchscreen. But if I would be able to take notes on a Yoga at a conference using the touch screen, then that would not be a bad thing either, but I don't expect that to work well with Qubes.

Desired size of the screen is 14-16 inches.


I should have been more clear about my question regarding the security of the Lenovo and whether they can be trusted. I have read articles accusing Lenovo of planting backdoors in its hardware. My technical skills are currently on a hobbyist's level so I'm not always sure what to trust and what not to, and I wanted some input from others regarding this. But then I have also read this article (cited below) that sort of says that the likelihood of there being a backdoor planted by Lenovo is low. I just don't know what to believe. Do you have any comments on this? :)

"Lenovo hardware is reportedly banned from the US CIA, as well as the UK's MI5 and MI6, as well as the Australian Security Intelligence Organization (ASIO) and Secret Intelligence Service (ASIS). As of the time of writing, no evidence of any wrongdoing on the part of Lenovo has been presented by any of governments who have banned their hardware from use in intelligence services.

On devices as open as computers, and especially with Lenovo's ThinkPad product line, which has been long venerated for being foremost among laptops designed with modularity in mind—featuring detailed disassembly manuals and readily available replacement parts—it is difficult to imagine that many opportunities exist to hide a hardware backdoor in a relatively open product. Combined with the fact that the vital components (processor, RAM, etc.) aren't made by Lenovo, there are few opportunities for Lenovo to introduce a hardware-level backdoor in a way that wouldn't be glaringly obvious to any engineer armed with a screwdriver."
Source: http://www.techrepublic.com/blog/it-security/corporate-espionage-or-fearmongering-the-facts-about-hardware-level-backdoors/

Ron Hunter-Duvar

Oct 7, 2017, 3:34:03 PM
to qubes...@googlegroups.com
On 10/07/2017 09:42 AM, Frasse F wrote:
> I would like some purchasing advice: I'm looking for a laptop that is reasonably secure and also has a built-in touch screen. I would prefer if it had 16 GB of RAM, as I want to run Qubes OS and I want to sometimes be able to run a Windows App-VM for dictation and speech recognition which is processed locally (I do a lot of writing and I also care about security/privacy).
>
> ...
> My second alternative is to buy a non-Purism laptop which has a touchscreen, enough RAM and is fairly secure. So the second alternative that I'm considering would be the Lenovo 520 Yoga. https://www.dustin.se/product/5011033265/yoga-520-touch . The model is running the Intel® Core™ i5-7200U processor. According to the specification page on Intel's website, this processor does not have the vPro technology. https://ark.intel.com/products/95443/Intel-Core-i5-7200U-Processor-3M-Cache-up-to-3_10-GHz
>
> These are my questions:
>
> 1) Is there anything except for the AMT/vPro aspect of the hardware security that I might have overlooked that is critical when evaluating the Lenovo Yoga's safety?
>
> 2) Should one in general be sceptical towards Lenovo even when they are using hardware from other manufacturers?
Personally, I avoid Lenovo like the plague since they became
Chinese-owned. Yes, I know pretty much all the hardware is manufactured
in China now anyway, but having the senior company management controlled
by the Chinese government adds a whole 'nother layer of vulnerabilities.

My suspicions were confirmed when they were caught pre-installing
spyware on them. Of course, that was only Windows, and they were forced
to remove it, and claimed it was only intended for Chinese customers.
But to me it shows their intent, and there are many other ways they can
embed spyware (BIOS/UEFI, other firmware) that would affect Linux too,
and wouldn't be so easily removed.

Call me paranoid (because I am), but that's my opinion.

I typically go with Dell, although their quality has gone down in recent
years, and I can't comment on Qubes-specific issues, or your particular
requirements.

>
> 3) Are there any Qubes users out there who are already using a laptop with a touch screen and enough RAM, running Qubes? What laptop model are you using and would you recommend it?
>

Ron

Ron Hunter-Duvar

Oct 7, 2017, 4:34:31 PM
to qubes...@googlegroups.com
"...glaringly obvious to any engineer armed with a screwdriver." That's
the most unbelievably naive view of security I can remember reading. I
bet the author's password is "pa33w0rd", and it's secure because no one
would guess some letters were switched with numbers.

https://thehackernews.com/2015/09/lenovo-laptop-virus.html

Note: (1) confirmed, (2) 3 times, (3) one of them was BIOS-embedded.

https://thehackernews.com/2015/08/lenovo-rootkit-malware.html

Ron

Tai...@gmx.com

Oct 7, 2017, 5:01:46 PM
to Frasse F, qubes-users
https://www.reddit.com/r/linux/comments/3anjgm/on_the_librem_laptop_purism_doesnt_believe_in/
Purism is a scam, don't buy from them - their laptops are as owner
controlled and freedom respecting as a Dell - their version of coreboot
is a wrapper layer with all the hardware init done by a black box binary
blob, so it is worthless.

I would buy a Lenovo G505S; it is owner controlled, supports Qubes 4.0,
supports open source init coreboot (needs a blob for video and power
management, but I would consider that a better tradeoff than the X230's
no-blob open source hw init coreboot, as the X230 has ME), has no ME/PSP and
16GB RAM support.

Tai...@gmx.com

Oct 8, 2017, 5:36:08 AM
to Sean Hunter, Qubes Users Mail List
On 10/08/2017 05:24 AM, Sean Hunter wrote:

> On Sat, Oct 07, 2017 at 05:01:37PM -0400, Tai...@gmx.com wrote:
>> https://www.reddit.com/r/linux/comments/3anjgm/on_the_librem_laptop_purism_doesnt_believe_in/
>> Purism is a scam, don't buy from them - their laptops are as owner
>> controlled and freedom respecting as a dell - their version of coreboot is a
>> wrapper layer with all the hardware init done by a black box binary blob so
>> it is worthless.
> I see that reddit post from 2 years ago referred to a lot, and I know this is (for some reason) a very emotional topic. However it doesn't seem to correspond to what I see when I dig under the surface, which is the Purism guys merging changes into coreboot (e.g. https://review.coreboot.org/#/q/status:mergbranch:master topic:purism/librem13ed+project:coreboot+purism) and what I see on my own laptop, which is that it is SeaBIOS + coreboot. I doubt it is perfect, but it is way better than a Dell.
>
> If I look at https://puri.sm/faq/do-librem-devices-support-coreboot/ it says that 13v2 and 15v3 (what I have) come with coreboot pre-installed and for earlier versions they have instructions to update to coreboot.
>
> Sean
You seem to not have noticed the second half of my email, or read the
entirety of that thread's topic post.

Their "coreboot" is simply a wrapper layer that performs no hardware
init - everything is done by Intel's FSP binary blob, making it pointless
to have, as all you do is move trust from vendor (Quanta) to OEM (Intel)
- the whole point of coreboot is to avoid an OEM backdoor, which this
doesn't do, so you are paying twice as much as Dell for no real reason
and supporting a company that has dishonest advertising.

It is as you say "an emotional topic" because not only do they steal
money and fame from vendors that sell real libre hardware but they also
have shills everywhere to put down their technically superior
competitors and put pressure on the FSF to loosen the RYF standards.

There isn't any reason to buy Purism's faux libre laptops instead of, say,
a Lenovo G505S, which is actually owner controlled (open source hw init
coreboot), supports Qubes 4.0 and doesn't have a black box supervisor
processor (ME/PSP).


If Google can't convince Intel to open source ME and FSP then no one can.

One7two99

Oct 8, 2017, 6:44:10 AM
to Tai...@gmx.com, se...@uncarved.com, qubes...@googlegroups.com
Hello Taiidan,

>> There isn't any reason to buy purism's faux
>> libre laptops instead of say 
>> a Lenovo G505S ...

I don't understand why this topic is often discussed too emotionally.
As far as I know the G505s is a big laptop (15 inch?) which also seems to be located in the entry class (compared to the "Thinkpad class").
Don't get me wrong, I think most "older" ones are perfectly fine, that's why I am suggesting looking at an X230 or similar.
A good thing with the Purism laptop line is that it shows that there is a market for laptops that seem to look like they are more "free" than others - if the company fools people here, you are right, this is bad - but this is also a chance for others to make it better.
More competition is always good :-)

And maybe some users just want to buy a new "shiny" machine and not a 4-year-old laptop.
Maybe even for the "strange" reason that it just looks more sexy, or that they need certain interfaces, a specific display resolution ... Whatever.
Looking at my company, it would not be possible to buy a used machine without hardware replacement as all laptops are covered by on-site service.
That's why I'm using the X230 as a BYOD device.


>> which is actually owner controlled (open
>> source hw init coreboot), supports qubes
>> 4.0 and doesn't have a black box supervisor
>> processor (ME/PSP)

If I understand you correctly you're saying that the blob which contains Intel AMT/ME is not modified in Purism's laptop line?
As far as I know it is possible (at least for the laptop I am using and also others) to use me_cleaner, which will cripple the AMT blob so that the risk that anything bad is running there is reduced.

Take a look at this post:
https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops/

"(...) Of those 23 modules, 21 modules are completely removed from the ME partition, and we leave only 2 modules: ROMP and BUP. The ROMP module is a “ROM bypass” module which is used to bypass the ROM initialization code and it’s less than 1KB of code, used to load the BUP module and execute it. The BUP module is a 116KB module which is used to initialize the ME hardware. (...)"

So this would still be a (bit more) reasonably secure laptop.

[799]

Tai...@gmx.com

Oct 8, 2017, 6:27:44 PM
to One7two99, se...@uncarved.com, qubes...@googlegroups.com

On 10/08/2017 06:44 AM, One7two99 wrote:

> Hello Taiidan,
>
> >> There isn't any reason to buy purism's faux
> >> libre laptops instead of say
> >> a Lenovo G505S ...
>
> I don't understand why this topic is often discussed too emotionally.
> As far as I know the G505s is a big laptop (15 inch?) which also seems to be located in the entry class (compared to the "Thinkpad class").

The performance is about the same as an Ivy Bridge class laptop (X230), the downsides being that the build quality is not as good and there is no dock or second battery option.

> Don't get me wrong, I think most "older" ones are perfectly fine, that's why I am suggesting looking at an X230 or similar.
> A good thing with the Purism laptop line is that it shows that there is a market for laptops that seem to look like they are more "free" than others - if the company fools people here, you are right, this is bad - but this is also a chance for others to make it better.
> More competition is always good :-)

If it was a bigger market I would agree with you; however, in such a small market they simply suck resources from better projects.

> And maybe some users just want to buy a new "shiny" machine and not a 4-year-old laptop.

Then they should buy a Dell.

> Maybe even for the "strange" reason that it just looks more sexy, or that they need certain interfaces, a specific display resolution ... Whatever.
> Looking at my company, it would not be possible to buy a used machine without hardware replacement as all laptops are covered by on-site service.
> That's why I'm using the X230 as a BYOD device.
>
> >> which is actually owner controlled (open
> >> source hw init coreboot), supports qubes
> >> 4.0 and doesn't have a black box supervisor
> >> processor (ME/PSP)
>
> If I understand you correctly you're saying that the blob which contains Intel AMT/ME is not modified in Purism's laptop line?

It is modified by me_cleaner, but as I said before, one can do this on pretty much any laptop without Boot Guard (or cross-vendor CPU swap to disable BG) and save the additional thousand dollars you would have spent on a Purism laptop over a Dell (I like Dell because of the "ProSupport" US tech support option on their business lines) - additionally, if Intel had a backdoor in ME they would include it in FSP as well, making Purism's "coreboot" quite pointless.

me_cleaner would only affect generic ME exploits, not the hypothetical Intel backdoor, which could easily be included in the initial modules, hardware mask ROM or hidden EEPROM.

> As far as I know it is possible (at least for the laptop I am using and also others) to use me_cleaner, which will cripple the AMT blob so that the risk that anything bad is running there is reduced.

Yeah, I did it on my X230 and it works great, but ME is simply nerfed, not disabled - a laptop without it is much better.

> Take a look at this post:
> https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops/
>
> "(...) Of those 23 modules, 21 modules are completely removed from the ME partition, and we leave only 2 modules: ROMP and BUP. The ROMP module is a "ROM bypass" module which is used to bypass the ROM initialization code and it's less than 1KB of code, used to load the BUP module and execute it. The BUP module is a 116KB module which is used to initialize the ME hardware. (...)"
>
> So this would still be a (bit more) reasonably secure laptop.

Of course, but at that point you might as well just skip the middleman and go buy a laptop from a Chinese whitebox seller like they did - then run me_cleaner yourself (and donate the money you saved to the people who made me_cleaner).

Sean Hunter

Oct 10, 2017, 11:42:48 PM
to Tai...@gmx.com, Qubes Users Mail List
On Sat, Oct 07, 2017 at 05:01:37PM -0400, Tai...@gmx.com wrote:
> https://www.reddit.com/r/linux/comments/3anjgm/on_the_librem_laptop_purism_doesnt_believe_in/
> Purism is a scam, don't buy from them - their laptops are as owner
> controlled and freedom respecting as a dell - their version of coreboot is a
> wrapper layer with all the hardware init done by a black box binary blob so
> it is worthless.


Hugo Costa

Oct 11, 2017, 12:44:24 PM
to qubes-users
> 1) Is there anything except for the AMT/vPro aspect of the hardware security that I might have overlooked that is critical when evaluating the Lenovo Yoga's safety?

Intel ME. In December, two Russian researchers are going to show how to run code on this chip. It was developed by Intel and the NSA and it's on every Core i-something.


>
> 2) Should one in general be sceptical towards Lenovo even when they are using hardware from other manufacturers?
>

You should be sceptical about everything.

> 3) Are there any Qubes users out there who are already using a laptop with a touch screen and enough RAM, running Qubes? What laptop model are you using and would you recommend it?

I have one, a Yoga S1, and it has native support for everything. But it has Intel ME. If you really want to go free, maybe try the X200T. It has a Core 2 Duo, meaning you can install freeboot and disable ME. I think 16GB is possible, but be aware that you won't be able to run a lot.
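As an added example (not code from anyone in this thread, nor from Qubes or Purism), here is a small Python script that checks what a Linux or Qubes dom0 host can see of the Management Engine that Hugo names as the overlooked aspect of question 1. It parses `lspci -nn` output for the ME's host interface (listed as HECI, MEI or "Management Engine") and `lsmod` for the `mei`/`mei_me` driver. The two sample outputs embedded below are constructed, and the `[8086:XXXX]` ids are placeholders, not real device ids. The check is one-directional: a visible MEI device confirms the ME is there, but its absence proves nothing, since firmware can hide the interface and a neutralised ME still executes its remaining modules; and MEI presence does not by itself mean AMT/vPro is provisioned.

```python
import re
from typing import Dict, List, Tuple

# The ME talks to the host through a PCI device that lspci labels "HECI",
# "MEI", "CSME" or "Management Engine"; match any of those spellings.
MEI_PATTERN = re.compile(r"(management engine|\bMEI\b|\bHECI\b|\bCSME\b)", re.IGNORECASE)

# Constructed sample in the shape of `lspci -nn` (not captured from a real
# machine; the [vendor:device] ids are placeholders, only the text matters).
SAMPLE_LSPCI_INTEL = """\
00:00.0 Host bridge [0600]: Intel Corporation Host Bridge [8086:XXXX] (rev 02)
00:14.0 USB controller [0c03]: Intel Corporation USB 3.0 xHCI Controller [8086:XXXX] (rev 21)
00:16.0 Communication controller [0780]: Intel Corporation CSME HECI #1 [8086:XXXX] (rev 21)
00:1f.6 Ethernet controller [0200]: Intel Corporation Ethernet Connection [8086:XXXX] (rev 21)
"""

# Constructed sample for a platform that exposes no ME interface at all.
SAMPLE_LSPCI_NO_MEI = """\
00:00.0 Host bridge [0600]: Example Vendor Root Complex [1022:XXXX]
00:10.0 USB controller [0c03]: Example Vendor xHCI Host Controller [1022:XXXX]
"""

# Constructed sample in the shape of `lsmod` (Module / Size / Used by).
SAMPLE_LSMOD_INTEL = """\
Module                  Size  Used by
mei_me                 40960  0
mei                   102400  1 mei_me
xhci_pci               16384  0
"""


def find_mei_devices(lspci_text: str) -> List[Tuple[str, str]]:
    """Return (pci_slot, description) for every lspci line that looks like the ME interface."""
    found = []
    for line in lspci_text.splitlines():
        line = line.strip()
        if not line:
            continue
        slot, _, desc = line.partition(" ")  # "00:16.0" then the rest of the line
        if MEI_PATTERN.search(desc):
            found.append((slot, desc))
    return found


def mei_driver_loaded(lsmod_text: str) -> bool:
    """True if the kernel has the mei / mei_me driver loaded (first column of lsmod, header skipped)."""
    modules = {line.split()[0] for line in lsmod_text.splitlines()[1:] if line.split()}
    return bool(modules & {"mei", "mei_me"})


def assess(lspci_text: str, lsmod_text: str) -> Dict[str, object]:
    """Summarise what the OS can see; 'me_visible' False is NOT evidence that the ME is absent."""
    devices = find_mei_devices(lspci_text)
    return {
        "mei_devices": devices,
        "mei_driver_loaded": mei_driver_loaded(lsmod_text),
        "me_visible": bool(devices),
    }


if __name__ == "__main__":
    import json
    import shutil
    import subprocess

    def run(cmd: List[str]):
        # Use the real tool when it is installed, otherwise fall back to the constructed sample.
        if shutil.which(cmd[0]) is None:
            return None
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout

    lspci_out = run(["lspci", "-nn"]) or SAMPLE_LSPCI_INTEL
    lsmod_out = run(["lsmod"]) or SAMPLE_LSMOD_INTEL
    print(json.dumps(assess(lspci_out, lsmod_out), indent=2))
```

Run it in dom0 (where `lspci` sees the real PCI bus) rather than inside an AppVM, which only sees the devices passed through to it.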

Vít Šesták

Oct 15, 2017, 2:13:48 AM
to qubes-users
Well, I am afraid this will be a bit hard:

Touchscreen. I have a laptop with a touchscreen. I was a bit curious, but I don't feel much of a need for a touchscreen; it was simply not a reason to buy the laptop. When trying to use the touchscreen with QubesOS, I've experienced several issues:

* The touchscreen is technically a USB device connected to the same USB controller as other USB devices. This implies any other USB device could spoof its touches. This issue is inherent to the hardware, i.e., not something QubesOS can resolve. Moreover, this is AFAIK a typical implementation of a touchscreen.
* Qubes has input proxies for mouse and keyboard. You see, the touchscreen is missing there. There are undocumented pieces of support and it should reportedly be easy to make it work, but it seems nobody takes it as a priority.
* Once you get touchscreen input working, it will probably work just like mouse input. As far as I know, there is no support for passing touch events to VMs in any other way than as mouse movements and clicks.

Regards,
Vít Šesták 'v6ak'
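To make Vít's first bullet concrete, here is an added Python example (not Qubes code and not from anyone in the thread) that parses `lsusb -t` output and lists which USB devices hang off the same root hub, i.e. the same host controller, as a HID device such as a touchscreen. That is the information needed to judge how much else would travel with the touchscreen if its controller were assigned to a dedicated USB qube: on the constructed tree below, the webcam and the Bluetooth radio share the controller, while the storage port sits on a separate one. Pass the real output of `lsusb -t` to `parse_lsusb_tree` on your own machine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of `lsusb -t` output (not captured from a real laptop).
# Bus 01 carries a HID device (the touchscreen), a webcam and a Bluetooth radio with
# two interfaces; bus 02 carries only a mass-storage device.
SAMPLE_LSUSB_T = """\
/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 5000M
    |__ Port 2: Dev 2, If 0, Class=Mass Storage, Driver=usb-storage, 5000M
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/12p, 480M
    |__ Port 3: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 12M
    |__ Port 5: Dev 3, If 0, Class=Video, Driver=uvcvideo, 480M
    |__ Port 7: Dev 4, If 0, Class=Wireless, Driver=btusb, 12M
    |__ Port 7: Dev 4, If 1, Class=Wireless, Driver=btusb, 12M
"""

# Root-hub lines start with "/:"; each interface below it is an "|__ Port" line.
BUS_RE = re.compile(r"^/:\s+Bus (\d+)\.Port \d+: Dev \d+, Class=root_hub, Driver=([^,]+)")
DEV_RE = re.compile(r"^\s*\|__ Port (\d+): Dev (\d+), If (\d+), Class=([^,]+), Driver=([^,]+)")

Device = Dict[str, str]


def parse_lsusb_tree(text: str) -> Dict[str, List[Device]]:
    """Map bus number -> interface entries (one per 'If' line) under that root hub."""
    tree: Dict[str, List[Device]] = {}
    current_bus = None
    for line in text.splitlines():
        m = BUS_RE.match(line)
        if m:
            current_bus = m.group(1)
            tree.setdefault(current_bus, [])
            continue
        m = DEV_RE.match(line)
        if m and current_bus is not None:
            port, dev, iface, cls, driver = (g.strip() for g in m.groups())
            tree[current_bus].append(
                {"port": port, "dev": dev, "iface": iface, "cls": cls, "driver": driver}
            )
    return tree


def hid_devices(tree: Dict[str, List[Device]]) -> List[Tuple[str, str]]:
    """(bus, dev) of every device exposing a HID interface; a USB touchscreen shows up here."""
    seen: List[Tuple[str, str]] = []
    for bus, entries in tree.items():
        for e in entries:
            if e["cls"] == "Human Interface Device" and (bus, e["dev"]) not in seen:
                seen.append((bus, e["dev"]))
    return seen


def peers_of(tree: Dict[str, List[Device]], bus: str, dev: str) -> List[Device]:
    """Other devices on the same root hub as (bus, dev), collapsed to one entry per device."""
    peers: List[Device] = []
    seen_devs = set()
    for e in tree.get(bus, []):
        if e["dev"] == dev or e["dev"] in seen_devs:
            continue
        seen_devs.add(e["dev"])
        peers.append(e)
    return peers


if __name__ == "__main__":
    import shutil
    import subprocess

    text = SAMPLE_LSUSB_T
    if shutil.which("lsusb"):
        # Fall back to the constructed sample if lsusb prints nothing (e.g. no permission).
        real = subprocess.run(["lsusb", "-t"], capture_output=True, text=True, check=False).stdout
        text = real or text
    tree = parse_lsusb_tree(text)
    for bus, dev in hid_devices(tree):
        print(f"HID device on bus {bus}, dev {dev} shares its controller with:")
        for p in peers_of(tree, bus, dev):
            print(f"  dev {p['dev']}: {p['cls']} ({p['driver']})")
```

A controller with only the touchscreen on it can be given to a USB qube on its own; one that also carries the webcam or a radio cannot be split, since PCI passthrough is per controller, not per USB device.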