On 8/25/19 6:22 AM, Lukas à Porta wrote:
>
>
> On Wednesday, August 21, 2019 at 11:53:35 PM UTC+2, Steve Coleman wrote:
> Coreboot, which may arguably solve some of the problems, is not well
> supported on the desktop or even server side (unless you are working at
> Google, whose servers' motherboards extensively rely on Coreboot).
Speaking of coreboot:
"NSA researcher plans to allow everyone to guard against firmware attacks"
https://www.cyberscoop.com/nsa-firmware-open-source-coreboot-stm-pe-eugene-myers/
Yet another reason to favor coreboot capable system over a
non-corebootable system. I need to go back and revisit their supported
hardware list.
On another note, I came across this project when researching AMT a while
back:
https://github.com/intel/INTEL-SA-00075-Linux-Detection-And-Mitigation-Tools
The vulnerability check code might be a good-to-know attribute for the
HCL test page for those people that really care about this but are not
able to go as far as to install coreboot. This code is GPL'ed and has
source, so it should not be a big problem to engineer something for the
pre/post install diagnostics (see comment below). What I am not clear on
is whether the Qubes installer would need MEI kernel support compiled in
to do this "AMT test", as I think kernel support is only required for
the actual de-provisioning of AMT.
> A small section on what key words (brands/models of components) to
> steer
> clear of would extreemly helpful when looking for a new system. Bad
> systems never make it to the HCL, so knowing what systems failed to
> even
> get to the HCL test phase is missing. There is no way to report
> completely broken systems. Other key words like "NVIDIA Geforce" or
> "Vendor-x UEFI" on the HCL page entries could link directly to a common
> solutions page with the required fix for that particular troublesome
> component.
>
>
> Sounds like a good idea to me !
:)
> I like the option at the install, a bit like Debian is doing with their
> software survey, although in the case of Qubes OS it seems that users,
> for security purposes, won't like to disclose that information unless
> they can't be used to single-out a user or (as of now, I am not sure :
> to report a machine, you have to send an email and it seems that
> hardware identifiers might be present
> <
https://www.qubes-os.org/doc/hcl/#generating-and-submitting-new-reports> unless
> you don't send out a specific file. It would be nice to streamline the
> process and make it opt-in and anonymous by default). Also, one may not
> know if it will actually work well after the installation is done.
May I make a suggestion on how to accomplish this? First, we need to
break down the HCL submission process into phases, base on user opt-in
during install, with the third phase being completely optional,
depending on how much information the user would be willing to share
with the community.
Phase-1: During pre-install, *if* there is a network connection, and we
have permission, we can enumerate the attached hardware, bios version,
etc, and generate a minimalist HCL report of that hardware baseline. If
the user checks an opt-in checkbox they could submit this preliminary
report anonymously before the install even takes place. This initial
report would include a cryptographic hash value of their detected
hardware/bios data as a temporary 'key' reference. The only publicly
identifying information available at this point would likley be the IP
address that the report is being submitted from, so the installer
program merely promises the the user that the Qubes HCL service will not
retain the IP address and it will not be archived along with that
report, thus assuring them of their complete anonymity. The pre-install
environment should not generally have any user specific information and
the user could even be permitted to review this baseline information
before its submission. If they opted-in, a connection to an HCL web
service will upload/push the initial yml report including this generated
hash value. On the receiving side the hash is recalculated from the
submitted data, and if it is cryptographically correct the document is
stored for later reference. This phase-1 information is not to be made
visible to the public but rather is just stored for later processing.
Phase-2: If they opted in during phase-1, and after a successful Qubes
install, a full HCL report is then be generated along with with the same
hardware baseline info and hash value, and again based on the users
opt-in this update is pushed to the HCL service. The hash value is then
used to pair the two (Phase1/Phase2) reports and thus it associates with
the same base record for that specific hardware combination. At this
point the HCL service can assign a unique system HCL-UUID for that
specific system configuration and that HCL-UUID will be used to allow
updating that specific record anytime in the future regardless of any
addition or deletion of hardware on the system. At that point this HCL
record still contains absolutely no user identifiable information. But
the new installed Qubes system also retains the unique HCL-UUID to
permit any future updates if they choose to do so in an optional Phase-3
submission. If there was no network connection during Phase-1 then this
information can still be submitted to receive the system HCL-UUID at
this time. Absence of a phase-1 report is also not treated as an error,
but since the system installed successfully and is now functioning that
report would not be interesting anyway.
The basic premise here is that, if you only receive the first HCL
report, and not the second, then that hardware was not likley capable of
running a Qubes system. A single instance of failure is not necessarily
"proof" that the hardware can not run qubes, but with multiple
submissions of similar equipment components (the hash) that increases
the confidence level that some component is indeed a Qubes show stopper.
Multiple submissions with the same hash value just means the user is
persistent in trying to install qubes. When they come asking for support
on the qubes-user list this detailed hardware information might actually
come in handy by the qubes team to make sense of why they are having
problems and be able to tell them quickly what to try.
If you do receive the second report in Phase-2 then the system is
clearly capable of running as a basic Qubes system. How well it runs
Qubes is still open to discussion because of all the non-testable
attributes of the system that the installer has no good way to test.
These extended attributes can be user provided in Phase-3. In fact an
update to the HCL program itself could start collecting new information
for older systems for those that wish to participate.
Phase-3: (optional) If the user later wants to update any untestable
attributes like the TPM, or add specific install notes or work around's
then that is just icing on the cake. Given the assigned system HCL-UUID
the user can always resubmit the system's updated HCL by manually adding
this notes, how-to, etc and push it back. Upon adding/changing hardware
which would have changed the original hash value, the HCL-UUID will
still associate to the same configuration on file. The 'who' information
would only be available on the HCL list if the user agrees to submit
this update while providing their full contact information, otherwise
the entries on the HCL list stay completely anonymous.
The HCL is much more likely to collect a complete set of system
information if the owner is permitted to do so while being completely
anonymous, and thus not resorting to the use of email for its report
submission process is a big plus. This optional third step is
potentially where all the FIXME's, 'TPM X.y supported', and 'AEM works
great' all get updated to fill in the missing bits of optional
information or add critical working notes. Because of the assigned
HCL-UUID the user can always update their anonymous record without
giving themselves away. If they loose their systems HCL-UUID, or
deliberately delete it off their system, then they will sever their
ability to update their own systems HCL record and give them plausible
deniability if they desire that. Since there is no information in the
report/server side pointing back at them. The system owners contact
information would only be part of the final HCL report if they
voluntarily add that information so that they can be contacted by the
community for questions. The best part is that the HCL records can be
updated by the owner with some future quirk or work-around that was not
known or even exercised during installation.
Processing of failed installations:
Periodically the entirety of the 'Phase-1 only' collected reports can be
data-mined to build correlations needed to determine what similar
attributes lead to most failures during the install process. With the
sufficient level of confidence that failure information can then be
promoted and added to the HCL 'steer clear of attribute X or Company Y'
on the main HCL compatibility page and listed with its ranked confidence
level. Its merely a suggestion to 'stay away' if you are buying a new
system. Those people with older system can feel free or even encouraged
to try it anyway, and that may just boost the confidence level even
further to confirm the component/bios/system failure.
If later any system with that same component is seen to correctly
install Qubes then that component should be downgraded in confidence or
removed entirely from the 'steer clear of' list. The basic idea is to
automatically calculate this level of confidence for any hardware
show-stoppers that are _never_ seen in any successful Phase-2 reports.
When some are successful and others not, that is where the confidence
level comes into play so that the user can rate the risk in buying a
particular system containing that component or not.
> On the desktop side, a good enough candidate for your need and Qubes OS
> in general might be Intel® NUC Kit NUC7i7DNHE
> <
https://ark.intel.com/content/www/us/en/ark/products/130393/intel-nuc-kit-nuc7i7dnhe.html>and
Its 32GB with one SSD available for a possible RAID configuration, but
it should allow for an external USB RAID setup at a cost to some IO
bandwidth. I'm not sure about the logic or usefulness of putting a RAID
system on a single SSD device like they suggest. Overall it may be
workable, but not optimal for my desktop system needs.
I was generally looking for something more beefy with lots of empty bays
for adding double digit terabytes of internal disk space to host my many
diverse research interests (CompSci, security, RE, AI, Medical, Physics
modeling, and future theoretical physics simulations). I may be retiring
in the next year or two so this may very well be my last 'big system'
and this one will also need to last me for quite a while, I hope.
> Anyway, when you look for hardware for Qubes OS, I strongly recommend
> you not to buy the entire machine and components at the same time but
> only what is needed to boot it. Use a spare SSD and possibly a few DRAM4
> DIMMs (like 2 x 2GB), and check if it does in fact work before
> committing yourself too much.
Yes, that is sort of the mode I am in at the moment. To buy what is
upgradable enough to meet my base requirements, and grow it from there.
Unfortunately for a desktop system I sill need to buy a cat-in-a-bag to
get there. I still have time so I will continue watching the HCL for any
new, fully functional, and most importantly 'purchasable' desktop
systems to show up. But I'm not going to hold my breath.
As for laptops the Lenovo P51 isn't looking too bad (64GB), but I still
don't know what internal USB controllers might be usable/assignable for
a sys-usb and to work USB attached hardware in a docking station
configuration. If I give up on an internal RAID I can probably just use
my network RAID for off line storage, and mount what I need when I am in
my home office.
Steve