The issue of non-proprietary BIOS and Qubes OS


matbl...@gmail.com

Jun 20, 2017, 9:21:00 AM
to qubes-users
Hi,

For a week I've been trying to find a secure laptop, without any backdoors or anything that can jeopardize the security and anonymity of the user.
My last hope was to get a laptop that can handle Libreboot and install QubesOS on it.

I checked the mailing list and I realized that installing QubesOS on a Libreboot laptop might be difficult. I wonder if anyone has managed to run Qubes OS?

Thanks

aphid...@gmail.com

Jun 20, 2017, 1:43:02 PM
to qubes-users, matbl...@gmail.com
Here is Qubes on a Lenovo T400 with Coreboot:
https://groups.google.com/d/msg/qubes-users/D9slVaqF1u4/84fFLfuYEwAJ

Some additional notes:
* Everything I wrote there also holds for the T500.
* Unfortunately, Libreboot still doesn't have the Coreboot IOMMU change yet.
* If you build Coreboot without microcode, there may be crashes during high CPU or Windows HVM usage. So you may need to add microcode (by adding ucode=scan to Xen command line).

If you are searching for a laptop and care about firmware blobs, here are some example systems:

Coreboot with no blobs, no management engine:
* Lenovo X200/T400/T500 w/ Coreboot, CPU performance-per-core about 50-60% of Skylake i7-7920HQ. Max 2 cores. Max 8 GB RAM.

Coreboot with partially removed management engine, open source RAM init, some minor blobs:
* Lenovo T530 w/ Coreboot, high-end configurations have CPU performance-per-core about 70-80% of Skylake i7-7920HQ. Max 4 cores. Max 16GB RAM.
* Lenovo W530 w/ Coreboot. Not officially supported, but someone made it work. Max 32 GB RAM.

Coreboot with partially removed management engine, proprietary RAM init:
* later versions of Purism Librem

Useful links:
List of coreboot blobs - https://www.coreboot.org/Binary_situation
CPU performance comparison - https://www.notebookcheck.net/Mobile-Processors-Benchmark-List.2436.0.html

Hope this is helpful.

aphid...@gmail.com

Jun 20, 2017, 2:59:10 PM
to qubes-users, matbl...@gmail.com, aphid...@gmail.com
Revised list of example systems, with corrections, price estimates, citations.

Coreboot with all components open source; fully removed management engine:
* Lenovo X200/T400/T500 w/ Coreboot, CPU: T9600 (dual core, each core about 50% of a modern i7-7920HQ [2]). Max 8 GB RAM. Cost: 75 USD used.[4] These systems run Intel Core 2 Duo CPUs, which lack EPT [5], so don't meet Qubes 4.x minimum requirements.

Coreboot with open source RAM init but some minor blobs; partially removed management engine:
* Lenovo T530 w/ Coreboot. CPU: i7-3840QM (quad-core, each core about 80% of a modern i7-7920HQ core [2]). Max 16GB RAM. Cost: 300 USD, used. [4]
* Lenovo W530 w/ Coreboot. Not officially supported, but someone made it work. Max 32 GB RAM.

Coreboot with proprietary RAM init; partially removed management engine:
* Purism Librem 15. CPU: i7-6500U (dual core, each core about 80% of i7-7920HQ [2]). Max 16GB RAM. Cost: 2000 USD new. [3]
* Purism Librem 13. CPU: i5-6200U (dual core, each core about 70% of i7-7920HQ [2]). Max 16GB RAM. Cost: 1700 USD new. [3]

For a list of blobs included in Coreboot, see [1].

All the Lenovo systems above require manual Coreboot compiling and an external flasher. The Purism systems can be flashed with coreboot from software (maybe only certain laptop revisions?) and can be preinstalled with Qubes.


References:
[1] List of coreboot blobs - https://www.coreboot.org/Binary_situation
[2] CPU performance comparison - https://www.notebookcheck.net/Mobile-Processors-Benchmark-List.2436.0.html Uncheck "Still available" to find the older CPUs. Performance estimates based on Cinebench R10 32 scores.
[3] Purism 15 - https://puri.sm/shop/librem-15/ and https://puri.sm/shop/librem-13/
[4] e.g. eBay
[5] List of CPUs without EPT - http://ark.intel.com/Search/FeatureFilter?productType=processors&ExtendedPageTables=false

math blanc

Jun 21, 2017, 3:57:28 AM
to aphid...@gmail.com, qubes-users
Hi aphidfarmers,

Thanks for the well documented answer.
Installing Qubes OS 3.x on a X200 sounds like a bad idea to me, isn't it?

Holger Levsen

Jun 21, 2017, 5:23:18 AM
to math blanc, aphid...@gmail.com, qubes-users
On Wed, Jun 21, 2017 at 09:57:25AM +0200, math blanc wrote:
> Installing Qubes OS 3.x on a X200 sounds like a bad idea to me, isn't it?

I'd rather choose an x220 or x230, where you can also clean the ME.

Plus, an x230 is supported by heads, which you might also like to use.
(see https://osresearch.net) - but start with plain coreboot+qubes, that's
a steep enough learning curve already :)


--
cheers,
Holger

Michael Carbone

Jun 21, 2017, 6:01:05 AM
to qubes...@googlegroups.com
Holger Levsen:
FYI x220 also has heads support:

https://github.com/osresearch/heads/pull/190

--
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS <https://www.twitter.com/QubesOS>

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4


math blanc

Jun 21, 2017, 6:14:37 AM
to math blanc, aphid...@gmail.com, qubes-users
Thanks! I hadn't heard about heads before, it's very interesting :)

Can an X230 with Coreboot and ME cleaned match a Libreboot laptop?

Holger Levsen

Jun 21, 2017, 6:29:25 AM
to qubes...@googlegroups.com
On Wed, Jun 21, 2017 at 10:00:00AM +0000, Michael Carbone wrote:
> FYI x220 also has heads support:
> https://github.com/osresearch/heads/pull/190

oh nice! (so they should update their docs… :)


--
cheers,
Holger

aphid...@gmail.com

Jun 21, 2017, 12:19:21 PM
to qubes-users, matbl...@gmail.com, aphid...@gmail.com, hol...@layer-acht.org
On Wednesday, June 21, 2017 at 2:23:18 AM UTC-7, Holger Levsen wrote:
> On Wed, Jun 21, 2017 at 09:57:25AM +0200, math blanc wrote:
> > Installing Qubes OS 3.x on a X200 sounds like a bad idea to me, isn't it?
>
> I'd rather choose an x220 or x230, where you can also clean the ME.

Complete removal (atm possible for Intel Core 2 Duo and prior, e.g. X200) is better than partial removal ("cleaning"), which is the best that can currently be done for later CPUs (such as on the X220, X230, Purism Librem).

There is some more about this here: [1][2]

But this will be moot in the future since Qubes 4.x doesn't support Core 2 Duo anyway.

[1] https://mail.coreboot.org/pipermail/coreboot/2017-May/084372.html
[2] Management Engine section of https://web.archive.org/web/20170404144825/https://minifree.org/product/libreboot-x220/

Noor Christensen

Jun 22, 2017, 11:57:58 AM
to qubes-users
On Wed, Jun 21, 2017 at 12:14:35PM +0200, math blanc wrote:
> Thanks! I hadn't heard about heads before, it's very interesting :)
>
> Can an X230 with Coreboot and ME cleaned match a Libreboot laptop?

Just want to chip in to say I'm running the same setup on a X220 with
great results!

-- noor

|_|O|_|
|_|_|O| Noor Christensen
|O|O|O| no...@fripost.org ~ 0x401DA1E0