Shouldn't this be specially noted in Qubes HCL? (was: what about usb to jtag interface?)

Oleg Artemiev

Feb 10, 2017, 5:56:15 PM2/10/17
to pixel fairy, qubes-users
On Thu, Feb 9, 2017 at 6:38 PM, pixel fairy <pixel...@gmail.com> wrote:
> On Thursday, February 9, 2017 at 3:54:03 AM UTC-8, Oleg Artemiev wrote:
>> I've heard that new Intel motherboards will have (or already have)
>> the ability to access the JTAG interface via USB.
> yes, Skylake and Kaby Lake processors. here's the CCC talk on it.
> https://www.youtube.com/watch?v=2JCUrG7ERIE
thanks! Started listening - got the basics, I'll continue later. Very interesting. :)

>> Does this mean that USB qube is now useless as a security border on
>> such a mother board?
> only if the manufacturer has it enabled. the only vendor who got back to me (and knew what I was talking about) when I asked was system76, who confirmed that it is disabled on their lemur series.
> puri.sm was aware, but doesn't have any hardware out using those chips.
So finally it is a question of trusting the vendor (and their public
relations personnel, who may think that those capabilities are not
really disabled).

Shouldn't these CPUs and motherboards be specially noted as dangerous
in qubes HCL?

--
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

pixel fairy

Feb 10, 2017, 10:07:55 PM2/10/17
to qubes-users, pixel...@gmail.com
On Friday, February 10, 2017 at 2:56:15 PM UTC-8, Oleg Artemiev wrote:
> On Thu, Feb 9, 2017 at 6:38 PM, pixel fairy <pixel...@gmail.com> wrote:
> > On Thursday, February 9, 2017 at 3:54:03 AM UTC-8, Oleg Artemiev wrote:

> >> Does this mean that USB qube is now useless as a security border on
> >> such a mother board?
> > only if the manufacturer has it enabled. the only vendor who got back to me (and knew what I was talking about) when I asked was system76, who confirmed that it is disabled on their lemur series.
> > puri.sm was aware, but doesn't have any hardware out using those chips.
> So finally it is a question of trusting the vendor (and their public
> relations personnel, who may think that those capabilities are not
> really disabled).

yes, or a cheap data cable if you already have the hardware. unfortunately,
it's easy for a vendor to say they're good and then say "oops" if they're not
and are called out on it. we need better competition in security-conscious hardware.

> Shouldn't these CPUs and motherboards be specially noted as dangerous
> in qubes HCL?

agreed, but I think it's up to Andrew David Wong

(I hope that triggers a mention notice so he sees this)
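Before reaching for the cable test mentioned above, a Qubes user can read the CPU-side debug-enable state from dom0. The script below is an added example and is not code from this thread or from the Qubes project. It decodes IA32_DEBUG_INTERFACE (MSR 0xC80 in the Intel SDM: bit 0 = Enable, bit 30 = Lock, bit 31 = Debug Occurred), the MSR that gates the silicon debug features DCI depends on, and reports whether debug is enabled or merely unlocked; the `rdmsr` call assumes the msr-tools package and a loaded `msr` kernel module. The function names `decode_debug_interface` and `check_live_msr` are this example's own.

```shell
#!/bin/sh
# Added example (not from the qubes-users thread or the Qubes project).
# Decodes IA32_DEBUG_INTERFACE, MSR 0xC80 (Intel SDM):
#   bit 0  = Enable          (1: silicon debug features, incl. DCI, are on)
#   bit 30 = Lock            (1: bits are locked until the next reset)
#   bit 31 = Debug Occurred  (1: a debug session has happened since reset)

# decode_debug_interface HEXVALUE
# Prints the decoded fields and a verdict. Returns 0 only when debug is
# disabled AND locked; returns 1 when it is enabled, or disabled but still
# unlocked (firmware or software could still flip it on before next reset).
decode_debug_interface() {
    v=$(( 0x${1#0x} ))
    enable=$(( v & 1 ))
    lock=$(( (v >> 30) & 1 ))
    occurred=$(( (v >> 31) & 1 ))
    printf 'IA32_DEBUG_INTERFACE=0x%x enable=%d lock=%d debug_occurred=%d\n' \
        "$v" "$enable" "$lock" "$occurred"
    if [ "$enable" -eq 1 ]; then
        echo "FAIL: silicon debug interface is ENABLED"
        return 1
    fi
    if [ "$lock" -eq 0 ]; then
        echo "WARN: debug disabled but NOT locked; it can still be enabled before the next reset"
        return 1
    fi
    echo "OK: silicon debug interface disabled and locked"
    return 0
}

# check_live_msr
# Reads MSR 0xC80 on CPU 0 with rdmsr (msr-tools; needs root and the msr
# module) and decodes it. Returns 2 if the MSR cannot be read.
check_live_msr() {
    if ! command -v rdmsr >/dev/null 2>&1; then
        echo "rdmsr not found: install msr-tools and 'modprobe msr'"
        return 2
    fi
    raw=$(rdmsr -p 0 0xC80 2>/dev/null) || {
        echo "rdmsr failed: run as root in dom0 with the msr module loaded"
        return 2
    }
    decode_debug_interface "$raw"
}

# Run the live check only when invoked as: sh debugcheck.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live_msr
fi
```

A clean result here is necessary but not sufficient: the PCH-side DCI enable lives in a separate P2SB register, which chipsec's `common.debugenabled` module also checks, and neither register can prove what the vendor did at the strap level, which is why the data-cable test remains the decisive one.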

Andrew David Wong

Feb 11, 2017, 2:24:50 AM2/11/17
to pixel fairy, qubes-users, Joanna Rutkowska, Marek Marczykowski-Górecki
Didn't trigger a mention, but I saw it. :)

(In general, the best way to make sure I notice a message is to CC me.)

Actually, I think this should be up to Joanna and Marek (CCed). I
don't know enough about USB->JTAG to confidently evaluate how
dangerous it is.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org