Qubes 4.x and Librem 13

[rspei...@gmail.com]

I am interested in purchasing the Purism Librem 13 laptop and noticed that it was supported for Qubes R3.x but not R4.x.

Is this because of some hardware issues or because R4.x hasn't been released yet? Would it make sense to wait for R4.x before purchasing?

[Grzesiek Chodzicki]

W dniu czwartek, 24 listopada 2016 20:53:08 UTC+1 użytkownik rspei...@gmail.com napisał:
> I am interested in purchasing the Purism Librem 13 laptop and noticed that it was supported for Qubes R3.x but not R4.x.
>
> Is this because of some hardware issues or because R4.x hasn't been released yet? Would it make sense to wait for R4.x before purchasing?

Definitely wait for 4.X

[Jean-Philippe Ouellet]

Why? I don't see the logic for that...

I can't envision hardware support regressions on a laptop that (afaik
at least one?) of the devs use as their primary machine.

AFAIK the librem isn't certified for Qubes 4 because it lacks open
firmware which is one of the requiements to be certified for qubes 4
[1], but no machine currently meets those, and librem hardware won't
magically degrade itself with the passage of time in qubes-land.

IMO if it meets your needs now, it will continue to meet your needs then...

[1]: https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/

[Grzesiek Chodzicki]

Because we have no idea when 4.X is going to be released and until then a better option might present itself. Librem laptops are imho a bit overpriced for the hardware you get.

[rspei...@gmail.com]

Thanks for your feedback. I heard that Coreboot was released for Librem 13 by a 3rd party. Is that not open enough or is it that it hasn't been officially accepted by Librem?

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, Nov 24, 2016 at 12:51:41PM -0800, rspei...@gmail.com wrote:
> Thanks for your feedback. I heard that Coreboot was released for Librem 13 by a 3rd party. Is that not open enough or is it that it hasn't been officially accepted by Librem?

The later. Librem as you can buy it is still shipped with proprietary
BIOS and I haven't heard of any realistic plans for changing it. Even
though most (all?) the work on Coreboot side is done...

Other than that, Librem definitely meet minimum requirements, but as
mentioned before - is somehow overpriced.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYN17KAAoJENuP0xzK19csQhQH/0DMyOzETXvSRdZxyDlJ28y2
RGTJvJwtV5gHSYkHeZN261sZTNEm6bJkwt3Pdhtuw+4auvulOdE41iOwvq2UCEm5
osG8wFmAxGgcsexDAuqhk78HQUcWKOnm5AI4/lJJAJNmO94/sOJHj5j1be+fvb5/
DEsiv5hO7WiKJScjIyzwC3jJc2YWE6sh4Cv9NTPl7aEot2b4cG28K1XTB3vOvMia
99tIjN9Hb9TzOVvRH/0L8dOWHqNqGoP0WV2mwlAa+Ad0QEhYvOUI7HZ7orvBXtGi
O5mhd2v+EuDu+D8BUfvt5UrRHFOkZa5l+6vDPN8jfOdYB2Za4US8IDS4zpfeldE=
=R78q
-----END PGP SIGNATURE-----

[rspei...@gmail.com]

Thanks Marek... that was very helpful. Realistically speaking... could I purchase the Librem 13, install the Coreboot firmware and then it make be compatible with R4.x?

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, Nov 24, 2016 at 02:30:30PM -0800, rspei...@gmail.com wrote:
> Thanks Marek... that was very helpful. Realistically speaking... could I purchase the Librem 13, install the Coreboot firmware and then it make be compatible with R4.x?

As I said - compatible with Qubes 4.x (in meaning "Qubes 4.x will work
on it") it will be even without Coreboot. It may be somehow more secure
with Coreboot (less places to hide some backdoor), but may be also less
stable - depending how mature is Librem 13 support in Coreboot.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYN2urAAoJENuP0xzK19csxMQH/RVNVTS1x/Ri+aKr3pMgdmF9
nGUjHdZFRYlExYXizo2TJiNdKleNaQVxhk9dramJ6bEQIy5PwcbjNwIozxXSvSn7
HPQ2skgzkD/qyNygKV4ZEfJ5Stt0pot9mQ12gEtrbWbx4Sev5llPL5IsN0i+thpK
YNha18WkFCtBZbPs6uMh3twsFSUbkY3MsqRgF11oHKXmYjdPQyyHJt6TsL/2Rqpq
W9HrR3PYDHChJIQgVQ/DSL0u+DqxzPGuc4kfzaDErE9w5sPeqsBDXyPajYKl1wAA
zNCvaFPpvzmQj4PV8ETP/pEB5vLhrEgR2+spL5NZ8vD8/7f/mo+3y6tXT9bZ8Bw=
=bNoI
-----END PGP SIGNATURE-----

[Tai...@gmx.com]

Purism laptops are new intel so they will never have real coreboot
support, only FSP shimboot which is a black box that does most of the work.

Its pointless, honestly you might as well just get an AMD (with
iommu/amd-vi) laptop if you want to avoid ME (just make sure it does not
have AMD PSP, lol) - it'll have a closed source BIOS but no more
dangerous than FSP in terms of backdoor potential.

You could also get an older pre-FSP thinkpad, as there is some work
being done RE: stripping out and thus nerfing most of ME.

https://www.phoronix.com/scan.php?page=news_item&px=Purism-Librem-Still-Blobbed
https://blogs.coreboot.org/blog/2015/02/23/the-truth-about-purism-why-librem-is-not-the-same-as-libre/

Purism is at best, selling an unfinished product and at worst being
incredibly dishonest. If google can't get intel to hand over the FSP and
ME code then nobody can. I think it is funny that the purism types
thinks that setting ME to "disabled" in option rom actually shuts it off.

[Duncan Guthrie]

Hej folks,

Yes, Purism was basically a scam. They could at least have made the
thing boot faster by including blobbed Coreboot, but they couldn't even
be bothered doing that.

I'd like to add my thoughts about the current situation with Coreboot
and the Intel FSP.

Virtualisation is currently broken on the most recent ThinkPad X200,
T400, etc laptops and desktops that work without the ME blob, but it is
presumably possible to make them boot, perhaps through including
microcode updates in the Coreboot build. I haven't tested this yet so it
is not clear yet. Either way IOMMU is also broken on this generation
(and this will probably never change since this is a flaw in the
hardware implementation of IOMMU) so Qubes might not be so secure here.
Better than nothing, but still...

Another good option might be the ThinkPad X201, where VT-d is thankfully
not broken, but it does include the ME blob in order to make the thing
boot. It doesn't include Intel FSP (it is from way before that), so it
isn't *that* bad, and certainly it stops *Lenovo* (as opposed to Intel)
from putting bad things through the BIOS to attack Qubes. But it is
still fatally flawed in that the ME's reach is far indeed... But you get
native graphics init which is nice if you are a Coreboot nerd. And it is
possible, albeit hard to reverse engineer the chipset to find a flaw to
bypass the ME. So this may be a *really* good option in the future for
Qubes, if people work on it.

Here lies the dillema with Coreboot and Qubes. Broken IOMMU sans ME, or
working (as it stands) IOMMU along with the ME?
The X201 is probably a better choice than the vile Librem laptops for
the average Qubes user. Durable, cheap second hand, IOMMU all present
and correct. ME is bad but not *as* bad as it has become as of late. And
of course Coreboot is fast and fun.

D

[Duncan Guthrie]

À 25.11.2016 04:36, Jean-Philippe Ouellet a écrit:

> On Thu, Nov 24, 2016 at 8:12 PM, Duncan Guthrie <dgut...@posteo.net>
> wrote:
>> And of course Coreboot is fast and fun.
>

> I love your description of BIOS work as "fun" ;)
>
> In my experience, getting things working has been anything but! xD

I like customising things, so it is fun. Coreboot usually works fine the
first time you compile...

As for the fun, what I am referring too is some of its advanced features
- can your BIOS run Tetris from the flash chip, I ask?

D

[rspei...@gmail.com]

It seems that Purism has failed to follow through on its promise to provide open firmware (i.e coreboot) and overstated it's capability to provide a completely free firmware (i.e. libreboot). As a result, they have left many unhappy customers and/or prospective customers. I doubt that we will ever have libreboot on current/new Intel hardware.

Optimistically speaking, a truly open hardware ecosystem (i.e. Risc-V, OpenPower) will likely take ~3-10 years to become commercially viable. Considering the pragmatic approach that Qubes OS is taking, it would seem ideal to get the most secure and privacy-protecting hardware in the short-term until such time that we can have "truly" secure and privacy-protecting hardware in the long-term.

As Marek pointed out, the Librem 13 would work with Qubes OS 4.x and "may be somehow more secure with Coreboot (less places to hide some backdoor), but may be also less stable - depending how mature is Librem 13 support in Coreboot." As Grzesiek pointed out, waiting until 4.x to be released makes sense since "a better option might present itself". In addition, it would give Purism an opportunity to right a wrong.

That said, besides the Librem 13, I haven't seen nor heard of another laptop that provides hardware switches to disable camera/audio/wifi and components that do not require blobs (CPU excepted of course). Besides my Google Pixel LS Chromebook running linux, I'm unsure whether there is a better option at this point.

Thanks,
Roberto

[Grzesiek Chodzicki]

Don't get me wrong, I respect the idea the Purism guys had when they created Librem. But the Librem 15 costs 1600$ for an 8GB of ram, dual core i7 and a sata SSD. 32 GB of RAM are additional 530$. Total cost of the most pimped out version is over 3400$. For half that money you can have the most pimped out version of Thinkpad T560. High prices alienate the userbase and make it seem like the privacy is a privilege of the rich.

[raah...@gmail.com]

so is healthy food unfortunately man...