X230 vs Purism - real world attack probability

[scurge1tl]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I have a question related to the decision about what laptop is the
better option for Qubes usage, from the security point of view, in the
real world.

The question is related to the IME on Intel, PSP on AMD and other
Hardware holes. I took these laptop examples to sample the differences
somehow.

Pose the non-existent micro controllers updates, like in case of X230
with IME disabled and corebooted, which doesn't but get these updates
anymore, higher risk than only partial disabling of the IME by Purism
which still but gets the micro controllers updates? Or is it a vice
versa?

If I would like to have a strong security position, in case of the
laptop Hardware with Qubes, and would decide in between the two, which
variant will be more prone to the real world attacks? What attack
vectors are available in both cases? For example, is one of the cases
more resistant to the remote exploitation. Is one of the options
forcing an attacker more to execute an attack with physical access
than the other option?

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEExlmPb5HoPUTt+CQT44JZDAWK6UwFAlzkAp9fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEM2
NTk4RjZGOTFFODNENDRFREY4MjQxM0UzODI1OTBDMDU4QUU5NEMACgkQ44JZDAWK
6UzOVBAAvH7Wp+GJSrKoptNX5OEzxm9Q3FEkgVgnaZ57HlIH94TCy3Rc+kk+cR5m
DGghaSnhSOvOxEKgZXM1g6+KIAUUH1yNRfSKkmPQANjUgrhs65VsNd1miKOzkLmV
5INzHAtiOvTQFYuCaBkzIvuxPaHDqOyDyIOSVxgzeQOYJ7k4NgGWCES7hUHrp2f2
TmhSZwdWqaNo1n6YJZvLetKj8ZxqqJwg/T0GPzvmMHo9KGohx8mHWVPFsVsRFhgM
ObcvPRempjhLE4aZR6UVKoJOxf2M6VPYFzghejeFb7wh3ncha9c38dspWV4ALlIj
lC7K5fXFWH0t7TX0YreXWnxQgdMKuCBHY9KZFKXnHPDKg/X5QXJtduabY/ZhqU/g
6+rW8MSEE6PrhIjQWKU4Zvw3y58zKePqwCCgHOZwpguQ+uUr1ZFjyKVnjSKGlPgF
QnH9rHqMQY9FNTnYCSuD5hoXAifXQg7AZ2MlB83SkbekMRjf5XsSRGDQ29cewKG/
igDFRgH3UCe0dwwqHY3hzshxKkPCvqcmkQiyb+G8nYSVeaYuzilbC+q1MEZ1xQS/
0uhNJ8ysLk8CoQRKUCc18dctKUCWdmqicJlvoeliEovUK3rAY/Uy5q86z8Ad5A42
PNraTWlfOfQ2wegc+YEPv37341+LPXSbt2RzHOg9BAaRkvupFWk=
=N5BL
-----END PGP SIGNATURE-----

[awokd]

scurge1tl:

> I have a question related to the decision about what laptop is the
> better option for Qubes usage, from the security point of view, in the
> real world.
>
> The question is related to the IME on Intel, PSP on AMD and other
> Hardware holes. I took these laptop examples to sample the differences
> somehow.
>
> Pose the non-existent micro controllers updates, like in case of X230
> with IME disabled and corebooted, which doesn't but get these updates
> anymore, higher risk than only partial disabling of the IME by Purism
> which still but gets the micro controllers updates? Or is it a vice
> versa?
>
> If I would like to have a strong security position, in case of the
> laptop Hardware with Qubes, and would decide in between the two, which
> variant will be more prone to the real world attacks? What attack
> vectors are available in both cases? For example, is one of the cases
> more resistant to the remote exploitation. Is one of the options
> forcing an attacker more to execute an attack with physical access
> than the other option?

Which micro controllers do you mean, hard drive? I don't see any vendors
commonly shipping updates for those, and peripherals are user
replaceable on both.

Real world attacks on both at the hardware level are currently slim,
unless you've given reason to someone else to spend time or resources
targeting you directly. Exception might be USB drives, since it appears
relatively easy to compromise those at the manufacturer's level. Some
have shipped with viruses, for example.

You might want to consider AMD as well. Their CPUs have been more
resistant to some of the recent attacks than Intel.

[Tai...@gmx.com]

On 05/21/2019 09:52 AM, scurge1tl wrote:
> I have a question related to the decision about what laptop is the
> better option for Qubes usage, from the security point of view, in the
> real world.
>
> The question is related to the IME on Intel, PSP on AMD and other
> Hardware holes. I took these laptop examples to sample the differences
> somehow.
>
> Pose the non-existent micro controllers updates, like in case of X230
> with IME disabled and corebooted, which doesn't but get these updates
> anymore,

What updates? who told you that? What micro controllers?

> higher risk than only partial disabling of the IME by Purism
> which still but gets the micro controllers updates? Or is it a vice
> versa?
>
> If I would like to have a strong security position, in case of the
> laptop Hardware with Qubes, and would decide in between the two, which
> variant will be more prone to the real world attacks? What attack
> vectors are available in both cases? For example, is one of the cases
> more resistant to the remote exploitation. Is one of the options
> forcing an attacker more to execute an attack with physical access
> than the other option?
>

pur.company is junk, they are an incredibly dishonest company that sells
"coreboot open firmware librem" machines that have a hw init process
that is entirely performed via the Intel FSP binary blob.

The x230 is far more free than anything pur.company could sell you,
freeing intel fsp won't happen due to how difficult it would be without
documentation and how long it would take and it is both impossible and
illegal to free Intel ME.

Illegal? Yes - ME/PSP is a DRM mechanism and bypassing them is illegal
in the usa where they are based.

But since the 230 still has an ME abit more nerfed than the purijunk you
should get a G505S which has no ME/PSP and is the most free laptop option.

Pur.junk = me kernel+init code run (not disabled), HW init 100% blobbed
- performed via Intel FSP
X230 = me init code runs (not disabled), HW init is open source
G505S = No ME/PSP, CPU/RAM hw init is open source, graphics/power mgmt
requires blob but IOMMU prevents them from messing with stuff. - the
most free

pur.company lies by claiming their ME is "disabled" when the kernel and
init code still run.


I don't want to say their name as they send someone out of the woodwork
to defend them and waste my time every time someone mentions them in a
negative light they go and start claiming that they are "doing their
best" - whereas various other much newer companies are actually selling
owner controlled libre firmware trustworthy general computing hardware
proving their claims of "doing our best" to be bullshit.

If you want more info see my other posts as I have made many of them re:
pur.company or laptop/desktop/workstation selections.

[scurge1tl]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Tai...@gmx.com:

> On 05/21/2019 09:52 AM, scurge1tl wrote:
>> I have a question related to the decision about what laptop is
>> the better option for Qubes usage, from the security point of
>> view, in the real world.
>>
>> The question is related to the IME on Intel, PSP on AMD and
>> other Hardware holes. I took these laptop examples to sample the
>> differences somehow.
>>
>> Pose the non-existent micro controllers updates, like in case of
>> X230 with IME disabled and corebooted, which doesn't but get
>> these updates anymore,
>
> What updates? who told you that? What micro controllers?

I heard that many times during discussions. I am not a programmer so I
have to rely on others to evaluate the situation.

>
>> higher risk than only partial disabling of the IME by Purism
>> which still but gets the micro controllers updates? Or is it a
>> vice versa?
>>
>> If I would like to have a strong security position, in case of
>> the laptop Hardware with Qubes, and would decide in between the
>> two, which variant will be more prone to the real world attacks?
>> What attack vectors are available in both cases? For example, is
>> one of the cases more resistant to the remote exploitation. Is
>> one of the options forcing an attacker more to execute an attack
>> with physical access than the other option?
>>
>
> pur.company is junk, they are an incredibly dishonest company that
> sells "coreboot open firmware librem" machines that have a hw init
> process that is entirely performed via the Intel FSP binary blob.
>
> The x230 is far more free than anything pur.company could sell
> you, freeing intel fsp won't happen due to how difficult it would
> be without documentation and how long it would take and it is both
> impossible and illegal to free Intel ME.
>
> Illegal? Yes - ME/PSP is a DRM mechanism and bypassing them is
> illegal in the usa where they are based.
>
> But since the 230 still has an ME abit more nerfed than the
> purijunk you should get a G505S which has no ME/PSP and is the most
> free laptop option.

You mention G505S. Can it run Qubes without issues?

>
> Pur.junk = me kernel+init code run (not disabled), HW init 100%
> blobbed - performed via Intel FSP X230 = me init code runs (not
> disabled), HW init is open source G505S = No ME/PSP, CPU/RAM hw
> init is open source, graphics/power mgmt requires blob but IOMMU
> prevents them from messing with stuff. - the most free

Can the G505S be bought in the setup you mentioned, with CPU/RAM HW
init opensource and so on, or it is needed to hack it myself?
What is the performance of the X230 versus G505S? Seems that X230 and
G505S have 1366x768. Is there full HD option? Can the Ram be upgraded
to 16GB on both?

>
> pur.company lies by claiming their ME is "disabled" when the kernel
> and init code still run.
>
>
> I don't want to say their name as they send someone out of the
> woodwork to defend them and waste my time every time someone
> mentions them in a negative light they go and start claiming that
> they are "doing their best" - whereas various other much newer
> companies are actually selling owner controlled libre firmware
> trustworthy general computing hardware proving their claims of
> "doing our best" to be bullshit.
>
> If you want more info see my other posts as I have made many of
> them re: pur.company or laptop/desktop/workstation selections.
>

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEExlmPb5HoPUTt+CQT44JZDAWK6UwFAlztYvBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEM2
NTk4RjZGOTFFODNENDRFREY4MjQxM0UzODI1OTBDMDU4QUU5NEMACgkQ44JZDAWK
6Uy78A/+N+BL/lLBodnYBR7yfrOisHvUtxMacQ2A/m6+4OAsZSRyGVN+qxSOg269
LZgxwZfaJuWZuuhPGuLftY7j7Vz4zopgPjlcVQ0UR01HD9jx16lXD3E2mvGxxuSr
gwOY1FlrknV15qFl/V1HvGXKXpqOCKOyPUjdjSyGpB8kc0lvjAaC1KDj09G6CzXF
scp98rOLFYbvIairEfWuiIvwjTmfwyTxNQRrG7hYomiE5EzDslPT4Owpoky9RGzj
T3ICHJq2pq/8GqgnX7DarxkPRlKt7VNMg6ZdfoCkeN+zqty0T2WMvre77kgAlykQ
HMh+hdkrGztFapM1lA1PBifxNhznxDcsICEzl5khPyey3sZYkA1HVZ37Z+SVMYyB
XtbFc+vFx8l0uEhyXlJkotgxg+1liguReK3KCn1t75CpUsiVrQI2dtxC7Ns3SjmI
H/Hlg30Ju4KV9emb0icNHwtv9HhE9huOnFzKS3KjGHTn+GrS0ubzQXfvRmfrAFbC
Kwz6OYQP6VsX4FwJek6UwS+rfTyHi50Uef/QvxKqN3OyukonVfGFzB+l7EWZthpd
U63IdtVD0dcHag27qh65ayPXwTTLLHxpa+52eHxnxI+19u2RT5XErhdEDBzL9UDC
kghFEw/Rmt1sGaG93+vRRVFpyph1JWnyyQEbnji/FAx72ALv754=
=YmLb
-----END PGP SIGNATURE-----

[awokd]

scurge1tl:

> Can the G505S be bought in the setup you mentioned, with CPU/RAM HW
> init opensource and so on, or it is needed to hack it myself?
> What is the performance of the X230 versus G505S? Seems that X230 and
> G505S have 1366x768. Is there full HD option? Can the Ram be upgraded
> to 16GB on both?

You need to Coreboot a G505s yourself with a hardware flash. No HD
option, but it supports 16GB RAM.

[scurge1tl]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

'awokd' via qubes-users:

Are the inits opensource by default or it needs to be flashed too?
Also how does the G505S stand against X230 in regards of performance?

I suppose it can run Qubes without any issues. Is it?
Thank you.

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEExlmPb5HoPUTt+CQT44JZDAWK6UwFAlzuwNBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEM2
NTk4RjZGOTFFODNENDRFREY4MjQxM0UzODI1OTBDMDU4QUU5NEMACgkQ44JZDAWK
6UxBJA//UvHzk/0oNswv+zM7KxBeVSV43XomDN2vuezJyE0Lq9t+M1ykht88wDOp
kq5BXN60CNWd8F95DiHjrmeErTNCkGPjNI8IWxh5N6rDCDwyOO0kD0p/xlXdxvU4
L3KEb+wRdxI0/BMjJEgPi9Cfrjn9kgWYYoTcbJqDQMdN+PlZy6rA4xcMk2gIoUN3
MiONCJ0b5bfmohAW5YIUsMLq3nG929gKn8VujsMRjZ9jNeHehgxtViZi9rpLiUbT
N+lNXJ5Y/JT1Qu/oTXu1iAQDnJcX98GA9fubna8swBma90sykTgKAz93qf5H5oKI
vjtthK9nIjVSKo+fuvAHUVUPvEK22NweX5DV7AacWo2su6J7onsVO3V29Bfqn5ia
+T3fhqL88nN2VRyHp9TrXH33T6cpznAYhI8ITkknMxQeVCKjpPrF6r/35mMbFaZ8
AV6F2IpJKIqRD8DFsweqqYYXAwP6WdrCxmeDSxFxVeALDZ4IIalJqX+L1yL9zRUD
j+yxfM+NjW1wEjcoL6rM0+vqZzqqMZ8VqAZNACvVWtQPHb6E/HYZHjzLyIAHhIph
u9FcoFrxRFmdDoUCoEZB4jjV904YDxQ6BsJxHe+L0FvjXgoH/MTh3IGwKiqEQJ2k
guzvaFJefahJT//u5U8nxsa1DlaowrT2Zme5x/C7paX/5aYYNhM=
=4Z6K
-----END PGP SIGNATURE-----

[awokd]

scurge1tl:

> Are the inits opensource by default or it needs to be flashed too?

Not sure what you mean by inits. Coreboot is open source. The only
required blobs are CPU microcode and video BIOS.

> Also how does the G505S stand against X230 in regards of performance?

You could maybe check some benchmark sites, but don't forget to factor
in speed decreases on the Intel due to mitigations. It's fine for
regular use, but wouldn't try gaming or video editing on it.

> I suppose it can run Qubes without any issues. Is it?

Yes, runs well here.