What new security related improvements will Release 4 have?


stevenwi...@gmail.com

Nov 26, 2016, 5:24:52 PM
to qubes-devel
So what new security related features are there in release 4 or what are you considering to implement?

Do you have grsecurity or something similar in place on Dom0 or are you considering something in that direction overall?
And would it make sense to have optional TemplateVMs during install available with grsecurity or overall by default have grsecurity in all TemplateVMs?

Also I hope you're gonna get more devices listed on your website that can handle Qubes or how about going to some companies that build computers that can run Qubes for you and you get some money out of it too maybe?

I really like the project you are doing and I would like to test Qubes OS out but I don't really have a machine that's sufficient enough, nor do I have a USB 3 with 32+ GB at hand right now.

Andrew David Wong

Nov 27, 2016, 7:50:22 PM
to stevenwi...@gmail.com, qubes-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-11-26 12:16, stevenwi...@gmail.com wrote:
> So what new security related features are there in release 4 or what are
> you considering to implement?
>

Take a look at the Release 4.0 milestone (both open and closed issues):

https://github.com/QubesOS/qubes-issues/milestone/17

> Do you have grsecurity or something similar in place on Dom0 or are you
> considering something in that direction overall?
> And would it make sense to have optional TemplateVMs during install
> available with grsecurity or overall by default have grsecurity in
> all TemplateVMs?
>
> https://grsecurity.net/
>

Coldkernel testing should begin very soon:

https://github.com/coldhakca/coldkernel/issues/35

>
> Also I hope you're gonna get more devices listed on your website that can
> handle Qubes or how about going to some companies that build computers that
> can run Qubes for you and you get some money out of it too maybe?
>

Yes, we're currently reaching out to hardware manufacturers. We'll post
an announcement when we have details to share.

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

stevenwi...@gmail.com

Nov 28, 2016, 2:32:47 PM
to qubes-devel, stevenwi...@gmail.com
Nice to see those changes coming up :)


Is there any news about support for Windows Server 2012 and 2012R2 and therefore Windows 8, 8.1 and 10?

Also something about GPU Passthrough possibility in some easy way like in the VM Settings to check a box and say how much and which GPUs to pass to the VM? 

Jean-Philippe Ouellet

Nov 28, 2016, 7:43:14 PM
to stevenwi...@gmail.com, qubes-devel
For discrete GPUs, you should be able to assign them via the regular
PCI passthrough "Devices" tab.

For Intel integrated GPUs, this has additional complexity without a
clear solution yet.

Tai...@gmx.com

Dec 6, 2016, 5:02:59 AM
to Andrew David Wong, qubes-devel, stevenwi...@gmail.com
I would like to request that you not include Purism laptops on your list
of compatible devices as they are a dishonest company run by incompetent
people, endorsing them gives expert level credit to their claim that one
day somehow they will get Intel to open up ME/FSP. (I like how they
count "freed operating system" on their list, and many other things that
other people/companies did)

There is nothing special about their laptop, it is simply a crappy
quanta/oem type rebrand[1]. They could have gone with an AMD (one
without PSP) or ARM chipset and actually had open source firmware and no
ME/PSP, I can't understand why they chose Intel.

[1] You really can't make a whole laptop run, let alone just a custom
motherboard with only 300K in crowdfunding and still have them be
reasonably priced on a per unit basis.

Marek Marczykowski-Górecki

Dec 6, 2016, 7:09:11 AM
to Tai...@gmx.com, Andrew David Wong, qubes-devel, stevenwi...@gmail.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Tue, Dec 06, 2016 at 05:02:52AM -0500, Tai...@gmx.com wrote:
> I would like to request that you not include Purism laptops on your list of
> compatible devices as they are a dishonest company run by incompetent
> people, endorsing them gives expert level credit to their claim that one day
> somehow they will get Intel to open up ME/FSP. (I like how they count "freed
> operating system" on their list, and many other things that other
> people/companies did)
>
> There is nothing special about their laptop, it is simply a crappy quanta/oem
> type rebrand[1]. They could have gone with an AMD (one without PSP) or ARM
> chipset and actually had open source firmware and no ME/PSP, I can't
> understand why they chose Intel.

Take a look here:
https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/

The certified hardware for Qubes 3.x is mostly about just compatibility,
not trustworthiness. The main criterion is providing a hardware
configuration that works with Qubes OS, and not changing it in an
incompatible way in future revisions (as happens with some brands -
for example, the next revision gets Broadcom wifi, poorly supported on Linux).

In hardware certification for Qubes 4.x we want to have something more.
Not only hardware being compatible, but also as trustworthy as
realistically possible. This "realistically" currently means we can't
expect not including Intel ME, unfortunately. But for example we can
require open source BIOS - and we do.

In the current state of Librem laptops I see no way they could be
certified for Qubes 4.x. Even though Coreboot support for it exists,
Purism is apparently not interested in integrating it and selling
machines with Coreboot installed by default. That's fine - it's their
choice to not pursue trustworthy hardware, but that also means no
certification for Qubes 4.x.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----

Trammell Hudson

Dec 7, 2016, 10:31:31 AM
to Marek Marczykowski-Górecki, Tai...@gmx.com, Andrew David Wong, qubes-devel, stevenwi...@gmail.com
On Tue, Dec 06, 2016 at 01:09:05PM +0100, Marek Marczykowski-Górecki wrote:
> [...]
> In hardware certification for Qubes 4.x we want to have something more.
> Not only hardware being compatible, but also as trustworthy as
> realistically possible. This "realistically" currently means we can't
> expect not including Intel ME, unfortunately. But for example we can
> require open source BIOS - and we do.

There was a discussion on the coreboot list about what is the best
Thinkpad that can support coreboot. The general consensus was the x230
and t430 series, both of which can use my modified ME firmware to shut down
the Management Engine after it brings up the x86 CPU. The x230 coreboot
also removes all of the closed source blobs since it can do native RAM
init, has DMAR support for VT-d, and doesn't require any VGA BIOS when
running a Xen patched to remove the EBDA dependencies.

The Chell Chromebook is almost perfect as a Qubes 4 machine -- it has
coreboot support out of the box, a very high-res screen, a more modern
Skylake, a real TPM, and my modified ME firmware works on it as well.
However, the keyboard is near zero-travel and the 32GB MMC drive is both
small and slow. I don't have DMAR support working, although the CPU is
supposed to support VT-d.

The other advantage of the Chromebooks is that they have open source
code for the EC devices and a fairly elegant way to attest that they
have not been tampered with. I'd love for more devices with mutable
firmware to have a similar trustworthy interface.

--
Trammell