Qubes Certified Desktop


Anil

May 1, 2020, 1:50:03 AM
to Qubes Users Google Group
I know there is at least one Qubes Certified Laptop. 

Is there an analogous setup for Desktop? Or at least some desktop hardware that can be set up in the same way as ThinkPad x230, with ME neutered etc. and which is considered as suitable as x230? It could be an assembled system perhaps? Or better, some older version of NUC or other mini PC?

I know Purism is selling a mini PC, but other than that.

Regards,

Anil Eklavya 
--
अनिल एकलव्य
(Anil Eklavya)

Insurgo Technologies Libres / Open Technologies

May 1, 2020, 2:23:10 AM
to Anil, Qubes Users Google Group
Kgpe-d16 is supported under heads, is blobless and supported by coreboot 4.11 and heads under coreboot 4.8.1 as of right now with plans of upgrading to latest version supporting it before support got dropped since not enough attention nor love was given to it to justify upstream maintainership.

This is an adventurous path though, since no one took the venture of making that refurb hardware ready for consumers as of right now.

Using it as a server personally. With a qubesos supported video card and jumper set to deactivate onboard integrated graphic (which offers really poor graphics) that could be an awesome project, but adventurous.

Insurgo

Anil

May 1, 2020, 3:07:41 AM
to Insurgo Technologies Libres / Open Technologies, Qubes Users Google Group
> Kgpe-d16 is supported under heads, is blobless and supported by coreboot 4.11 and heads under coreboot 4.8.1 as of right now with plans of

Can you give an approximate price (right now no one is shipping, so
they are not showing the price either)? Any particular processor that
is more suitable? The Asus page says it works with Opteron 6000 series
processors. Also the price of the processor.

> Using it as a server personally. With a qubesos supported video card and jumper set to deactivate onboard integrated graphic (which offers really poor graphics) that could be an awesome project, but adventurous.

Someone wrote that Qubes OS is meant to be used as a laptop/desktop
OS. How much effort is required to set it up as a server? As I
understand, the compartmentalization provided by Qubes OS can be
useful in some contexts.

Or even just as a desktop, will the setup be nearly as secure as PrivacyBeast?

Regards,

Insurgo Technologies Libres / Open Technologies

May 1, 2020, 3:43:33 AM
to Anil, Qubes Users Google Group


On May 1, 2020 7:07:24 AM UTC, Anil <anile...@gmail.com> wrote:
>> Kgpe-d16 is supported under heads, is blobless and supported by
>coreboot 4.11 and heads under coreboot 4.8.1 as of right now with plans
>of
>
>Can you give an approximate price (right now no one is shipping, so
>they are not showing the price either)? Any particular processor that
>is more suitable? The Asus page says it works with Opteron 6000 series
>processors. Also the price of the processor.
Nope I can't. You would have to search around for parts following this doc, do some soldering to adapt spi chip, buy it, reprogram it with firmware built from source, buy compatible RAM and fastest CPU, case, power supply and ssd. Information is scattered around. When I said adventurous, I meant adventurous.

Port and upstreamed doc
https://www.raptorengineering.com/coreboot/kgpe-d16-status.php

https://libreboot.org/docs/hardware/kgpe-d16.html

Build instructions are valid:
http://osresearch.net/Building

Status report on heads. No TPM support as of now. But rom can be remotely attested by libremkey if really really adventurous without a TPM. Less secure since no internal root of trust. TPM is desired.
https://github.com/osresearch/heads/issues/134

It needs adventurous developers or funding to get mainstreamed. Since the board got dropped by coreboot, I lost a bit of interest pushing for that last blob free platform in this lonely path. There are developers ready to do the needed work to bring it back. But funders refused the grant application. Skilled developers are willing to do required work to bring it back but I hesitate to completely self fund the whole project right now since priorities changed, but would be willing for joint partnership.

Anyone interested in bringing back that beast to life contact me at insurgo at riseup dot net. This is last RYF x86 platform ever for sure.

You can try to get to those people selling it through d16 tag here, already assembled https://www.fsf.org/resources/hw/systems

It would require of you to buy a CH341a reprogrammer and clip to flash built head, and flash built BMC internally from heads as documented on github per status report.

But that won't come with TPM support nor heads added security, but it will all be open source.


>
>> Using it as a server personally. With a qubesos supported video card
>and jumper set to deactivate onboard integrated graphic (which offers
>really poor graphics) that could be an awesome project, but
>adventurous.
>
>Someone wrote that Qubes OS is meant to be used as a laptop/desktop
>OS. How much effort is required to set it up as a server? As I
>understand, the compartmentalization provided by Qubes OS can be
>useful in some contexts.
Absolutely. With openbmc and command line as if you were behind Dom0 remotely, this is a beast.

https://raptorengineering.com/coreboot/kgpe-d16-bmc-port-status.php

With qubes-network-server, you can offer DMZ servers from appvms.

https://github.com/Rudd-O/qubes-network-server




>
>Or even just as a desktop, will the setup be nearly as secure as
>PrivacyBeast?

TPM support lacking under coreboot 4.8.1, present under 4.11. Would love to see that beast fully supported and would even sell it myself under insurgo umbrella. But I won't do it all alone this time. Partners welcome.

As you can see, this is not an easy task. But if there is a will, there is hope.

Have funds?
Insurgo
>
>Regards,
>
>अनिल एकलव्य
>(Anil Eklavya)

Anil

May 1, 2020, 4:41:16 AM
to Insurgo Technologies Libres / Open Technologies, Qubes Users Google Group
> Nope I can't. You would have to search around for parts following this doc, do some soldering to adapt spi chip, buy it, reprogram it with firmware built from source, buy compatible RAM and fastest CPU, case, power supply and ssd. Information is scattered around. When I said adventurous, I meant adventurous.

OK. That means I will have to first spend some time learning more
about this. I can do the soldering, if I know exactly (or find out)
what has to be soldered to what.

>
> Port and upstreamed doc
> https://www.raptorengineering.com/coreboot/kgpe-d16-status.php
>
> https://libreboot.org/docs/hardware/kgpe-d16.html
>
> Build instructions are valid:
> http://osresearch.net/Building
>
> Status report on heads. No TPM support as of now. But rom can be remotely attested by libremkey if really really adventurous without a TPM. Less secure since no internal root of trust. TPM is desired.
> https://github.com/osresearch/heads/issues/134

This will certainly help. Thanks.

>
> It needs adventurous developers or funding to get mainstreamed. Since the board got dropped by coreboot, I lost a bit of interest pushing for that last blob free platform in this lonely path. There are developers ready to do the needed work to bring it back. But funders refused the grant application. Skilled developers are willing to do required work to bring it back but I hesitate to completely self fund the whole project right now since priorities changed, but would be willing for joint partnership.
>
> Anyone interested in bringing back that beast to life contact me at insurgo at riseup dot net. This is last RYF x86 platform ever for sure.

I strongly hope some people do that. People working on
laptops/desktops and phones, but not seemingly on servers. It may not
be for a data centre, but at least some personal website.

> >Or even just as a desktop, will the setup be nearly as secure as
> >PrivacyBeast?
>
> TPM support lacking under coreboot 4.8.1, present under 4.11. Would love to see that beast fully supported and would even sell it myself under insurgo umbrella. But I won't do it all alone this time. Partners welcome.

If I am able to get the hardware and set it up, I can do some routine
part of the work that is not too technical in the sense of knowing the
internal details of TPM or OS kernel etc., with some help, if that can
reduce the effort required.

> Have funds?

Not really. At most I can buy one.

Insurgo Technologies Libres / Open Technologies

May 1, 2020, 4:59:29 AM
to Anil, Qubes Users Google Group
What is weird is that needed work would be the cost of buying 4 already made servers if not less. Could reach out to technoethical and Vikings one last time, which profited of work that was paid by Leah Rowe originally to sell their d16 branded stuff.

Maybe they would be willing to give back to the community? If you do not have funds but some time to spend, showing your interest to them of this kind of partnership would mean the world to me, pointing here, and have a totally different impact than if I was the one contacting them. Potential customers have a lot more impact than they think they have. Show that you want something and rust thing will exist. Wait for it to happen or do it on your own and it might go extinct just like it did and never get revived.

The actual reason why that board was dropped by coreboot was because not enough people showed they cared for it to be maintained. Maintainership is a hard problem.

I'll take this public space since I don't do it enough. Watch my presentation, but most importantly, read the slides 45+ attached to the talk: https://fosdem.org/2020/schedule/speaker/thierry_laurion/



The more time between a board being dropped upstream under coreboot and the time it is put back under compliance the more expensive it will be. Now would be a good time for collaboration.

If this community showed interest in having a RYF certified server/desktop under Heads, it would happen in a snap.

Chicken and egg problems everywhere.
But if everybody showed their interest for it, it would happen. See?
>
>Regards,
>
>अनिल एकलव्य
>(Anil Eklavya)

Anil

May 1, 2020, 5:30:32 AM
to Insurgo Technologies Libres / Open Technologies, Qubes Users Google Group
> Maybe they would be willing to give back to the community? If you do not have funds but some time to spend, showing your interest to them of this kind of partnership would mean the world to me, pointing here, and have a totally different impact than if I was the one contacting them. Potential customers have a lot more impact than they think they have. Show that you want something and rust thing will exist. Wait for it to happen or do it on your own and it might go extinct just like it did and never get revived.

I will contact them and hope they take it up.

> I'll take this public space since I don't do it enough. Watch my presentation, but most importantly, read the slides 45+ attached to the talk: https://fosdem.org/2020/schedule/speaker/thierry_laurion/

I will go through this.

> But if everybody showed their interest for it, it would happen. See?

Yes. I know it from a different, but coding related context. Since
this mail is on the mailing list, perhaps many others can do the same.

dhorf-hfre...@hashmail.org

May 1, 2020, 5:56:19 AM
to Anil, Qubes Users Google Group
On Fri, May 01, 2020 at 11:19:45AM +0530, Anil wrote:
> system perhaps? Or better, some older version of NUC or other mini PC?

NUCs will not allow you to do anything weird with the firmware,
so no me_cleaner or coreboot or so.
they work reasonably well with qubes.


> I know Purism is selling a mini PC, but other than that.

asrock deskmini works well for me.
didn't bother with coreboot, but me_cleaner works like a charm.
asrock does not seem to have firmware checksum/signature checks,
and has a good recovery path, so no external hardware/flasher/soldering
needed to apply me_cleaner, including for unbricking.

another option would be chromeboxes.
with official coreboot and linux support.
but rather limited in terms of hardware choices.




insur...@gmail.com

May 5, 2020, 11:11:29 AM
to qubes-users


On Friday, May 1, 2020 at 4:41:16 AM UTC-4, Anil wrote:
> Nope I can't.  You would have to search around for parts following this doc, do some soldering to adapt spi chip, buy it, reprogram it with firmware built from source, buy compatible RAM and fastest CPU, case, power supply and ssd. Information is scattered around. When I said adventurous, I meant adventurous.

OK. That means I will have to first spend some time learning more
about this. I can do the soldering, if I know exactly (or find out)
what has to be soldered to what.

Anil

May 5, 2020, 1:27:13 PM
to insur...@gmail.com, qubes-users
I did contact them, but they have their own arguments and according to
them the FSF-RYF certification is more than sufficient. They say as it
is compatible with coreboot version 4.11 and Qubes OS works as
expected, there is nothing more to be done in that direction. I don't
have a technical answer to that.