Qubes with newer hardware and error messages still safe enough?
stefanne...@gmail.com
Qubes 4.0, CPU Ryzen 5 2400G, MB ASRock B450 Pro4, GPU Radeon R7 370, 32 GB RAM
I can update templates and install appvms without issues. Everything works.
My question is now: On Boot screen i get some error messages (see following screen). Possibly there is a lack of safety i can not estimate. Everything works but under the surface i did not know if it is as safe as it should be. Are there some basic tests which should be made? Or is it enough when the system works?
Tai...@gmx.com
backdoor called AMD PSP platform "security" processor (as in security
from you) that prevents you from doing as you please with the system
firmware hence it is not really your computer.
If you want one that is owner controlled and has free (as in freedom)
open source firmware I have written many walls of text on this subject
so just use a non-google search engine to find my previous posts.
You also are using gmail which is really bad if you care about not being
put of of work or murdered by a robot - your emails and re-captcha
solves are fed in to a massive database that helps googles AI research
including killer robots like project maven and also of course sold to
advertisers and anyone else who can pay.
I do not load images from random people if you want help you have to
send text only.
Sphere
How about give us keywords to help us search this and have it at the first search result?
As for stefanne's inquiry, here are my thoughts:
It's usually normal to see error messages on start of a linux system cause consumer motherboards production processes still have no proper arrangement to fully support Linux operating systems much to our dismay.
To check the level of your safety, I recommend you produce one of these and see the results:
https://www.qubes-os.org/doc/hcl/#generating-and-submitting-new-reports
If it's a yes on HVM, IOMMU, and SLAT then that means your hardware works very well on Qubes. To further increase security, I recommend you to turn off SMT (Simultaneous Multi-threading) as recently there's been a high surge of vulnerabilities involving multi-threading/hyperthreading and will probably haunt us for years to come.
Additionally, if you have an entry of IOMMU=no
Go search around your BIOS setup for an option like AMD-Vi or IOMMU and set that to enabled.
Product another report to check and see if the entry changes to IOMMU=yes
IOMMU is essential because it protects you from alot of complex attacks like Direct Memory Access (DMA) attacks.
Lastly, check for updates everyday and never neglect them for maximum security!
After all this, you may want to configure a VPN.
As for the Platform Security Processor, well it's an option for people whether or not they would go with it.
Tseng Wynn
stefanne...@gmail.com
@ Sphere
result
hvm:'yes'
iommu:'yes'
slat:'yes'
tpm:'unknown'
remap:'yes'
it seems everything works fine. thank you very much for the link. i will report the results to qubes-users email
@ Tseng Wynn
after update kernel-latest it didn#t boot correctly. i tried it already a few weeks ago and had to install qubes from the scratch.
@ Taiidan
thx. interesting. do you have some keywords for the search to get more infos?
--
ps i have an ASRock TPM Modul (TPM2-S). would it be a good idea to install on mainboard? i am a little cautious as its running now.
Eric Duncan
TPM is only used for the Anti-Evil Maid feature. You can read up on it and if your threat model includes such an attack or not. Tip, the deal breaker decision: you loose sys-usb, USB isolation, if you enable AEM because it has to be attached to dom0. (Well, last I used it with R3.2 that was). My personal threat model are random USB sticks I use in various work a double client computers. So I'd rather have the USB isolation than AEM, IMO. But each person should review their own threat models. That's why we love qubes.
Tai's valid concerns is that AMD has implemented a remote system monitoring and maintenance utility that remote sys admins use to manage the system, same as Intel ME (now called vPro I think that had wider and wireless adoption). Intel's ME can be neutered to still pass TLS validation given the right hardware (or like me, disable the NIC port and change the vPro wireless device from 9265 to a non-vPro 9260). However, there is no such disabling for AMD - mostly because no one has tried. And no, disabling it in your bios does not turn it off.
Tai...@gmx.com
> On Thursday, December 13, 2018 at 9:59:27 AM UTC+8, Tai...@gmx.com wrote:
>> On 12/12/2018 03:56 PM wrote:
>>> New to Qubes with basic Linux knowledge i installed successfully a desktop system with follwing configuration:
>>>
>>> Qubes 4.0, CPU Ryzen 5 2400G, MB ASRock B450 Pro4, GPU Radeon R7 370, 32 GB RAM
>>>
>>> I can update templates and install appvms without issues. Everything works.
>>>
>>> My question is now: On Boot screen i get some error messages (see following screen). Possibly there is a lack of safety i can not estimate. Everything works but under the surface i did not know if it is as safe as it should be. Are there some basic tests which should be made? Or is it enough when the system works?
>>>
>>
>> Well you are stuck with a system that has a very obvious frontdoor
>> backdoor called AMD PSP platform "security" processor (as in security
>> from you) that prevents you from doing as you please with the system
>> firmware hence it is not really your computer.
>>
>> If you want one that is owner controlled and has free (as in freedom)
>> open source firmware I have written many walls of text on this subject
>> so just use a non-google search engine to find my previous posts.
>>
>> You also are using gmail which is really bad if you care about not being
>> put of of work or murdered by a robot - your emails and re-captcha
>> solves are fed in to a massive database that helps googles AI research
>> including killer robots like project maven and also of course sold to
>> advertisers and anyone else who can pay.
>>
>> I do not load images from random people if you want help you have to
>> send text only.
>
> How about give us keywords to help us search this and have it at the first search result?
Just search my email address and look at what I post on threads asking
for board recommendations
>
> As for stefanne's inquiry, here are my thoughts:
> It's usually normal to see error messages on start of a linux system cause consumer motherboards production processes still have no proper arrangement to fully support Linux operating systems much to our dismay.
> To check the level of your safety, I recommend you produce one of these and see the results:
> https://www.qubes-os.org/doc/hcl/#generating-and-submitting-new-reports
>
> If it's a yes on HVM, IOMMU, and SLAT then that means your hardware works very well on Qubes. To further increase security, I recommend you to turn off SMT (Simultaneous Multi-threading) as recently there's been a high surge of vulnerabilities involving multi-threading/hyperthreading and will probably haunt us for years to come.
>
> Additionally, if you have an entry of IOMMU=no
> Go search around your BIOS setup for an option like AMD-Vi or IOMMU and set that to enabled.
> Product another report to check and see if the entry changes to IOMMU=yes
> IOMMU is essential because it protects you from alot of complex attacks like Direct Memory Access (DMA) attacks.
>
> Lastly, check for updates everyday and never neglect them for maximum security!
> After all this, you may want to configure a VPN.
>
> As for the Platform Security Processor, well it's an option for people whether or not they would go with it.
stefanne...@gmail.com
> Nice setup. I have an 2950x under the tree waiting for qubes for my kiddo.
:-) Next year i give a try and update my CPU and Bios with AMD Ryzen 3000 Series and much more cores.
Sphere
If only I could establish my own CPU production company I would definitely support libre hardware/libreboot/coreboot and such but sadly we are in a world with high demands to processing and stuff and due to how there is hardly any support for libre hardware, the processing needs are hardly filled out and even more so with limited budget.
I checked KGPE-D16 KCMA-D8 g505s coreboot and it seems good so long as you have enough budget. Say I would make a KVM server or ESXi server out of this for the purpose of gaming VMs running AAA games, which CPU and RAM models would you suggest?
John Smiley
Achim Patzner
> If only I could establish my own CPU production company I would definitely support libre hardware/libreboot/coreboot and such but sadly we are in a world with high demands to processing and stuff and due to how there is hardly any support for libre hardware, the processing needs are hardly filled out and even more so with limited budget.
for less than $1000 a few weeks ago.
Achim
Tai...@gmx.com
OpenPOWER9 boards like the TALOS 2 and Blackbird have real open source
firmware with open hw init directly from the factory.
The prices are pretty good vs non-free intel/amd server hardware in the
same performance/feature class
OpenPOWER is now the only owner controlled performance cpu arch.
Note that qubes/xen doesn't currently run on it but you can use
POWER-KVM/POWER-IOMMU/POWER-IOMMU-GFX virt in the meantime.