HCL - Purism Librem 13 v2


Kyle Rankin

Sep 14, 2018, 2:11:36 PM
to qubes...@googlegroups.com
Install works out of the box with no warnings. I haven't run into any
issues with hardware compatibility--hardware in general works (video,
audio, all ports, Fn keys). Hardware Kill Switches work as expected within
Qubes. Suspend/resume works.

By default it works with the standard included coreboot BIOS but I've also
tested it with Heads using the TPM and that works as well.
Qubes-HCL-Purism-Librem_13_v2-20180914-110517.yml

Tai...@gmx.com

Sep 14, 2018, 6:59:11 PM
to qubes...@googlegroups.com
Everyone, please be aware that Purism's marketing is dishonest.

Their products do not have open source firmware[1] and the ME is not
disabled (the kernel still runs, along with mask ROMs and the ME HW init
code).

Intel chips or any new x86 for that matter do NOT respect your privacy!

[1]Their coreboot is simply a shim loader layer for Intel's FSP binary
blob that performs the hardware initiation - these days coreboot doesn't
necessarily mean open source firmware.

In terms of laptops it is much better to purchase, for instance, an
owner-controlled pre-PSP AMD G505S[2], which has open CPU/RAM init via
coreboot, or one of the Ivy/Sandy ThinkPads, which, while not owner
controlled, are significantly more free than puri.crap as they have open
CPU/RAM/GPU init via coreboot and their ME can be nerfed down to the BUP
layer, which, while not at all equivalent to not having an ME at all (such
as on non-x86 arches or pre-PSP AMD), is still much better.

All of my laptop recommendations here work great with Qubes 4.0 and
there is a nice little qubes g505s community.

[2](for the best user experience make sure to get the highest end quad
core A10 model if you buy one - although the less expensive A6 quad core
models are still quite usable)


I do not have an issue with purism selling non-free laptops - I have an
issue with them being dishonest.

qube...@tutanota.com

Sep 15, 2018, 6:30:25 AM
to Tai...@gmx.com, Qubes Users
Hi, during my email conversation with Todd Weaver in the pre-IME-disabled time, he told me they will fully disable the IME and AMT within the next week. After about a week they announced they did just that. Are these links a lie?
https://puri.sm/posts/measuring-the-intel-me-to-create-a-more-secure-computer/
https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/

Talking about alternatives: how does Qubes 4.0 stand with the RYF-certified X200? Like for example this one: https://tehnoetic.com/laptops/tet-x200s and others like the T400 and T500, which can be found there as well. Working well? Any issues known?
Thank you



casiu

Sep 15, 2018, 11:32:23 AM
to qube...@tutanota.com, qubes...@googlegroups.com
Unfortunately, yes, those links are definitely a lie.
I'm not going to even comment on their dishonest advertising language, but in short: there is a huge difference between removing something for good or verifying that most likely nothing has been changed.
Also, the Intel ME thing is, from what I have been told, totally over the top; the real issues with Purism products lie elsewhere.

I recently got interested in this topic and almost bought a Purism, but luckily asked first in the coreboot IRC. I'd really recommend doing some research.
There are plenty of sites which show the technical reasons why one should never buy Purism stuff.
That being said, Purism's current approach using Heads is a lot better than the stuff they sold in the beginning; one could argue that their current laptops actually might improve your security a little bit.
Whether it's worth the extra money is a personal choice; I myself feel like it's just way too much money for a device which STILL runs almost entirely on proprietary software.
If you are serious about your security, I'd recommend a G505s (I don't have one though) or an X230; I do have one, and it rocks.

There will be no blobs whatsoever present except the EC blob (probably liberated soon) and the BUP module.
Also, they are highly modular (someone custom built mine with an FHD display, classic style keyboard, external antenna etc. etc., and I fucking love it ;).


Sent with ProtonMail Secure Email.



dangm...@gmail.com

Sep 15, 2018, 1:17:02 PM
to qubes-users
This made me laugh out loud. All your ranting and raving about security and dishonesty, and you sent the message using PROTON MAIL. Good lord. Talk about dishonesty and pseudo-security.

casiu

Sep 15, 2018, 6:51:48 PM
to dangm...@gmail.com, qubes...@googlegroups.com
You are confusing security with privacy. I'm using ProtonMail because it's one of the very few email providers where one is able to register an account without providing any personal data. I don't have the need, nor the time, nor the skill to set up / maintain an email server.
Simply because I distrust everything except my own laptop.

But you're right, Gmail for sure is the better choice.

For security (not privacy) you might wanna look into pgp, here you go.

https://en.wikipedia.org/wiki/Pretty_Good_Privacy

You're welcome.


Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> This made me laugh out loud. All your ranting and raving about security and dishonesty, and you sent the message using PROTON MAIL. Good lord. Talk about dishonesty and pseudo-security.

awokd

Sep 16, 2018, 2:51:19 AM
to qube...@tutanota.com, tai...@gmx.com, Qubes Users
On Sat, September 15, 2018 10:30 am, qube...@tutanota.com wrote:
> Hi, during my email conversation with Todd Weaver in the
> pre-IME-disabled time, he told me they will fully disable the IME and AMT
> within the next week. After about a week they announced they did just that.
> Are these links a lie?
> https://puri.sm/posts/measuring-the-intel-me-to-create-a-more-secure-computer/
> https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/

"Lie" depends on your definition of "completely". Skylake onwards
processors can have much of ME disabled. I believe Purism with Heads and a
handful of other manufacturers are using the technique here:
http://blog.ptsecurity.com/2017/08/disabling-intel-me.html, but as you can
see there are still some modules required for initialization before the
HAP bit takes effect and skips the remainder. Additionally, there is an
FSP blob needed for init. Currently shipping AMD CPUs are no better.

> Talking about alternatives: how does Qubes 4.0 stand with the RYF-certified
> X200? Like for example this one: https://tehnoetic.com/laptops/tet-x200s
> and others like the T400 and T500, which can be found there as well.
> Working well? Any issues known? Thank you

At present, RYF has not certified any laptops with hardware capable of
running Qubes 4.0, but there are a couple older AMDs that can. A scale of
hardware openness/owner control from most to least would be something
like:

10: OpenPOWER, RYF certified x86 with all blobs replaced- Qubes 4.0 can't
run on either
8: older AMD like A10-5750M- a couple blobs required but Qubes 4.0 works
on these and the rest listed
6: pre-Skylake Intel with ME/HAP tweaks- a few more blobs and 2 ME modules
required
4: Skylake+ Intel with ME/HAP tweaks, AMD Ryzen with PSP disabled in UEFI
config- more blobs and modules required
0: Intel/AMD x86 with no tweaks- most shipping volume today

ARM (& possibly RISC) is a special case in that the integrator can decide
where on the scale they want to deliver their product, but neither support
Qubes 4.0.

Dave

Sep 16, 2018, 3:57:34 AM
to qubes-users
>
> This made me laugh out loud. All your ranting and raving about security and dishonesty, and you sent the message using PROTON MAIL. Good lord. Talk about dishonesty and pseudo-security.

Off Topic - but... would you care to elaborate what fault you alleged in Protonmail and your source?

qube...@tutanota.com

Sep 17, 2018, 6:15:28 AM
to Dave, qubes-users
It is off-topic, but I guess he is referring to the need to run JS to have ProtonMail running in a web browser and to register, or the need to run Bridge to use Thunderbird. The JS can be replaced at any time with a malicious one and it is game over.

All clear but it really depends on the OPSEC one has.

My point here was actually about running Qubes, which I consider one of the best security solutions available out there, in tandem with Tails, on HW that is as secure as possible. I know, I know... don't stone me, but if I use a reasonably secure OS, I would like to use it on reasonably secure hardware (a laptop), if that's at all possible.


Sep 16, 2018, 9:57 AM by river...@gmail.com:

>>
>> This made me laugh out loud. All your ranting and raving about security and dishonesty, and you sent the message using PROTON MAIL. Good lord. Talk about dishonesty and pseudo-security.
>>
>
> Off Topic - but... would you care to elaborate what fault you alleged in Protonmail and your source?
>

Tai...@gmx.com

Sep 17, 2018, 5:52:49 PM
to qubes...@googlegroups.com
On 09/16/2018 02:51 AM, 'awokd' via qubes-users wrote:
> On Sat, September 15, 2018 10:30 am, qube...@tutanota.com wrote:
>> Hi, during my email conversation with the Todd Weaver

That liar comes out of nowhere with his super slick marketing and sets
the computing freedom movement back 10 years.

At first I thought it was just being naive but now as he persists it
seems more like malice.

puri.junk does NOT respect you, it is fully blobbed and the ME is not at
all disabled.

Todd Weaver is a lying fraudster.

>> in the
>> pre-IME-disabled time, he told me they will fully disable the IME and AMT
>> within the next week. After about a week they announced they did just that.
>> Are these links a lie?
>> https://puri.sm/posts/measuring-the-intel-me-to-create-a-more-secure-computer/
>> https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/
>
> "Lie" depends on your definition of "completely". Skylake onwards
> processors can have much of ME disabled. I believe Purism with Heads and a
> handful of other manufacturers are using the technique here:
> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html, but as you can
> see there are still some modules required for initialization before the
> HAP bit takes effect and skips the remainder. Additionally, there is an
> FSP blob needed for init. Currently shipping AMD CPUs are no better.

Skylake kernel still runs, that is not disabled and there is more than
enough ability to play dirty tricks like SMM rootkits or what not.

HAP is asking politely.

>
>> Talking about alternatives: how does Qubes 4.0 stand with the RYF-certified
>> X200? Like for example this one: https://tehnoetic.com/laptops/tet-x200s
>> and others like the T400 and T500, which can be found there as well.
>> Working well? Any issues known? Thank you
>
> At present, RYF has not certified any laptops with hardware capable of
> running Qubes 4.0, but there are a couple older AMDs that can. A scale of
> hardware openness/owner control from most to least would be something
> like:
>
> 10: OpenPOWER, RYF certified x86 with all blobs replaced- Qubes 4.0 can't
> run on either

Since you mention power and there aren't currently any laptops do you
mean laptops or desktops? In terms of desktops there are a variety that
qubes 4.0 can run on.

The future is POWER for all...

> 8: older AMD like A10-5750M- a couple blobs required but Qubes 4.0 works
> on these and the rest listed
> 6: pre-Skylake Intel with ME/HAP tweaks- a few more blobs and 2 ME modules
> required
> 4: Skylake+ Intel with ME/HAP tweaks, AMD Ryzen with PSP disabled in UEFI
> config- more blobs and modules required

That doesn't disable it! You are simply asking nicely for it to shut off
and hoping that it does so. It is not at all equivalent to, say, pre-Core
Intel systems where one really could disable it, or even better one that
doesn't have any black boxes, like the Talos.

qube...@tutanota.com

Sep 17, 2018, 6:09:14 PM
to Tai...@gmx.com, Qubes Users
Looks like it is a bit of a blind alley. To use the reasonably secure OS without the possibility of using it on reasonably secure HW is an issue which needs to be addressed a bit. I originally guessed that Qubes would run on the RYF devices well, and I am quite surprised it doesn't (doesn't it?). Is there any strong issue which prevents Qubes from functioning on RYF devices?

Am I missing something in assuming that RYF devices, with the known IME/AMT security hole disabled, with coreboot instead of a BIOS and so on, have more security potential than the non-RYFs?

I need a working laptop. Desktop is not an option.


Sep 17, 2018, 11:54 PM by Tai...@gmx.com:

> On 09/16/2018 02:51 AM, 'awokd' via qubes-users wrote:
>
>> On Sat, September 15, 2018 10:30 am, qube...@tutanota.com wrote:
>>
>>> Hi, during my email conversation with the Todd Weaver
>>>
>
> That liar comes out of nowhere with his super slick marketing and sets
> the computing freedom movement back 10 years.
>
> At first I thought it was just being naive but now as he persists it
> seems more like malice.
>
> puri.junk does NOT respect you, it is fully blobbed and the ME is not at
> all disabled.
>
> Todd Weaver is a lying fraudster.
>
>>> in the
>>> pre-IME-disabled time, he told me they will fully disable the IME and AMT
>>> within the next week. After about a week they announced they did just that.
>>> Are these links a lie?
>>> https://puri.sm/posts/measuring-the-intel-me-to-create-a-more-secure-computer/
>>> https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/
>>>
>>
>> "Lie" depends on your definition of "completely". Skylake onwards
>> processors can have much of ME disabled. I believe Purism with Heads and a
>> handful of other manufacturers are using the technique here:
>> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html, but as you can

awokd

Sep 18, 2018, 6:12:26 AM
to qubes...@googlegroups.com


Tai...@gmx.com:
> On 09/16/2018 02:51 AM, 'awokd' via qubes-users wrote:

>> At present, RYF has not certified any laptops with hardware capable of
>> running Qubes 4.0, but there are a couple older AMDs that can. A scale of
>> hardware openness/owner control from most to least would be something
>> like:
>>
>> 10: OpenPOWER, RYF certified x86 with all blobs replaced- Qubes 4.0 can't
>> run on either
>
> Since you mention power and there aren't currently any laptops do you
> mean laptops or desktops? In terms of desktops there are a variety that
> qubes 4.0 can run on.

You're right, forgot the RYF desktops which support 4.0.

> The future is POWER for all...
>
>> 8: older AMD like A10-5750M- a couple blobs required but Qubes 4.0 works
>> on these and the rest listed
>> 6: pre-Skylake Intel with ME/HAP tweaks- a few more blobs and 2 ME modules
>> required
>> 4: Skylake+ Intel with ME/HAP tweaks, AMD Ryzen with PSP disabled in UEFI
>> config- more blobs and modules required
>
> That doesn't disable it! You are simply asking nicely for it to shut off
> and hoping that it does so. It is not at all equivalent to, say, pre-Core
> Intel systems where one really could disable it, or even better one that
> doesn't have any black boxes, like the Talos.

I know, that's why I didn't rate this higher on my invented scale.

awokd

Sep 18, 2018, 6:19:58 AM
to qubes...@googlegroups.com
qube...@tutanota.com:
> Looks like it is a bit of a blind alley. To use the reasonably secure OS without the possibility of using it on reasonably secure HW is an issue which needs to be addressed a bit. I originally guessed that Qubes would run on the RYF devices well, and I am quite surprised it doesn't (doesn't it?). Is there any strong issue which prevents Qubes from functioning on RYF devices?

There are no RYF laptops with CPUs that support Intel VT-x with EPT /
AMD-V with RVI (SLAT) and Intel VT-d / AMD-Vi (aka AMD IOMMU).

> Am I missing something in assuming that RYF devices, with the known IME/AMT security hole disabled, with coreboot instead of a BIOS and so on, have more security potential than the non-RYFs?
>
> I need a working laptop. Desktop is not an option.

Check the scale I posted for options. A corebooted Lenovo G505s with
microcode update comes close to RYF.

Kyle Rankin

Nov 10, 2018, 12:24:45 PM
to qubes...@googlegroups.com
It's a shame this thread got hijacked by people slandering the company.
Could someone who is responsible for the HCL please update it with the data
I've provided in this thread? This would update the HCL with a version of
the Librem 13v2 that provides a TPM for people who are considering running
Qubes 4.0 with AEM.

-Kyle

PS. For what it's worth we continue to work earnestly behind the scenes to
liberate the remaining binary blobs (FSP and what remains of the ME after
we disable and delete the majority of the modules) because we want to
provide people with modern hardware that runs blob-free. For the ME, we
have already documented what we have done to attempt to both disable (HAP)
and neuter (zero out modules) the ME. We have four ME modules remaining to
liberate (and anyone with access to our BIOS ROM or our BIOS build script
can confirm those claims). Those of you who work in this space are aware of
the challenges behind all of this and if anyone wants to help us in
liberating the FSP and the remaining four ME modules that are present we
would certainly welcome the help.

> ---
> layout:
> 'hcl'
> type:
> 'laptop'
> hvm:
> 'yes'
> iommu:
> 'yes'
> slat:
> 'yes'
> tpm:
> ''
> remap:
> 'yes'
> brand: |
> Purism
> model: |
> Librem 13 v2
> bios: |
> 4.7-Purism-4-heads
> cpu: |
> Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz
> cpu-short: |
> FIXME
> chipset: |
> Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Host Bridge/DRAM Registers [8086:1904] (rev 08)
> chipset-short: |
> FIXME
> gpu: |
> Intel Corporation HD Graphics 520 [8086:1916] (rev 07) (prog-if 00 [VGA controller])
> Intel Corporation Device [8086:9d24] (rev 21)
> gpu-short: |
> FIXME
> network: |
> Qualcomm Atheros AR9462 Wireless Network Adapter (rev 01)
> memory: |
> 16298
> scsi: |
> Samsung SSD 850 Rev: 2B6Q
> Samsung SSD 850 Rev: 1B6Q
> usb: |
> 1
> versions:
>
> - works:
> 'FIXME:yes|no|partial'
> qubes: |
> R4.0
> xen: |
> 4.8.4
> kernel: |
> 4.14.57-2
> remark: |
> FIXME
> credit: |
> FIXAUTHOR
> link: |
> FIXLINK
>
> ---
>

Holger Levsen

Nov 10, 2018, 12:30:28 PM
to qubes...@googlegroups.com
On Sat, Nov 10, 2018 at 09:24:40AM -0800, Kyle Rankin wrote:
> It's a shame this thread got hijacked by people slandering the company.

indeed.

> PS. For what it's worth we continue to work earnestly behind the scenes to
> liberate the remaining binary blobs (FSP and what remains of the ME after
> we disable and delete the majority of the modules) because we want to
> provide people with modern hardware that runs blob-free. For the ME, we
> have already documented what we have done to attempt to both disable (HAP)
> and neuter (zero out modules) the ME. We have four ME modules remaining to
> liberate (and anyone with access to our BIOS ROM or our BIOS build script
> can confirm those claims). Those of you who work in this space are aware of
> the challenges behind all of this and if anyone wants to help us in
> liberating the FSP and the remaining four ME modules that are present we
> would certainly welcome the help.

thanks for this interesting update. Much appreciated!


--
cheers,
Holger

-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

casiu

Nov 10, 2018, 1:33:19 PM
to qubes...@googlegroups.com

"We have four ME modules remaining to liberate (and anyone with access to our BIOS ROM or our BIOS build script
can confirm those claims)."

Last time I checked, Intel still did not hand over their signing keys?
I'm happy to change my mind, please educate me. :) Is the ME completely shut off BEFORE the kernel boots up?
If not, I'm sure you know a few ME modules more or less is completely irrelevant from a security point of view.

Also, I wasn't able to find a statement from Purism about the fact that, in the beginning, they claimed the ME was "completely disabled and removed". I mean, that was obviously not true, right?

From what I see, despite Purism's claims that they will probably liberate it sometime, the Purism BIOS still only initializes proprietary blobs, which also defeats the purpose. I'm not one for great conspiracy theories, and I am also, at least for now, willing to accept the term "open-source hardware" for something with one or two small irrelevant blobs because they can't be avoided,
but advertising hardware which runs almost entirely on closed-source software (certainly, all the important parts do), that just sounds highly dishonest in my ears.

Last one: would you honestly recommend people buy your products to improve their security RIGHT NOW, not someday in the future when and if your products will be completely open source? If so, why?

If you could provide me an answer to those questions, I would be very grateful. I read this post twice, and I hope nobody finds it offensive in any way; I'm actually trying to have a productive discussion here.
Please don't let this get emotional; rather, provide people with actual, verifiable TECHNICAL FACTS.

Happy to learn something new, Casiu.


Sent with ProtonMail Secure Email.


Kyle Rankin

Nov 10, 2018, 2:33:53 PM
to qubes...@googlegroups.com
I would have preferred to keep this thread focused on the HCL and not get
too derailed off-topic. I'll try to keep this brief and apologies to the
moderators for continuing the off-topic thread. I'll give a reply and then
leave it.

As someone who's working inside the org every day earnestly to try to
improve everyone's security and freedom, I guess I don't get all the
animosity, as I don't know of too many other organizations who are trying
as we are to advance the cause of liberating these closed modules. I don't
agree with the "all or nothing" approach some people are touting--having a
motherboard without AMT at all, and with an ME that is reflashed to have
most of its code removed is, to me, a much better situation than what you
can get off the shelf. Is it 100% there? Of course not, but we are truly
working to get it there.

Other replies inline:

On Sat, Nov 10, 2018 at 06:33:05PM +0000, 'casiu' via qubes-users wrote:
>
> "We have four ME modules remaining to liberate (and anyone with access to our BIOS ROM or our BIOS build script
> can confirm those claims)."
>
> Last time I checked, Intel still did not hand over their signing keys?
> I'm happy to change my mind, please educate me. :) Is the ME completely shut off BEFORE the kernel boots up?
> If not, I'm sure you know a few ME modules more or less is completely irrelevant from a security point of view.
>

As part of reflashing the BIOS we reflash the ME so when the system boots
it is running from the remaining four modules (kernel, supporting kernel
libraries) in the ME that initialize the hardware. The high level info is
here:

https://puri.sm/learn/intel-me/

And the more detailed technical information is here:

https://puri.sm/posts/deep-dive-into-intel-me-disablement/

> Also, I wasn't able to find a statement from Purism about the fact that, in the beginning, they claimed the ME was "completely disabled and removed". I mean, that was obviously not true, right?

I can only comment on the current state of things and what we have tried to
be open about on our site. I don't recall them using words like
"completely" but I also wasn't working there at the time.

>
> From what I see, despite Purism's claims that they will probably liberate it sometime, the Purism BIOS still only initializes proprietary blobs, which also defeats the purpose. I'm not one for great conspiracy theories, and I am also, at least for now, willing to accept the term "open-source hardware" for something with one or two small irrelevant blobs because they can't be avoided,
> but advertising hardware which runs almost entirely on closed-source software (certainly, all the important parts do), that just sounds highly dishonest in my ears.
>

We may have to agree to disagree here, as I wouldn't characterize loading
an open source coreboot BIOS that includes Intel FSP binary blobs and the
remaining few percent of the closed ME code that we haven't freed yet, and
then boots into a completely free software OS as "almost entirely on closed
source software." It sounds like you are assigning much more importance and
weight into the FSP than I am when thinking about the whole system.

> Last one: Would you honestly recommend people buy your products to improve their security RIGHT NOW, not someday in the future when and if your products will be completely open source? If so, why?

I would. For one, we are one of the few companies who are actively working
to improve the current situation with respect to closed firmware and
software on regular laptops. Not everyone has the ability to reflash
firmware themselves to apply an open source BIOS and erase most of the ME
and so we provide hardware that has that already applied. There are still
binary blobs remaining but we are working to remove those as well.

A lot of the arguments seem to center on some belief that we aren't genuine
in our beliefs because we've set big goals, some of which are long term,
and therefore haven't achieved all of those goals yet. For what it's worth,
we have gone to the extra effort to codify our ethical stance into our
corporate Social Purpose Corporation (SPC) charter and mean what we say.

I personally am working to include Heads as a default tamper-detecting BIOS
option for more security-minded people who order our hardware. Our hardware
runs Qubes 4.0 out of the box and it is the primary OS on both my personal
and work laptops (both Librems). We are actively working to integrate our
Librem Key USB security token with Heads (my PR was just merged this past
week) to provide a simple way to detect tampering in the BIOS and
kernel/initrd/grub config.

Is there still more work to do? Sure. But then I've always liked to be busy
and hated being bored at work. Security is like golf. You try to get closer
to the hole with every stroke. If you just try to get a hole in one every
time you will lose.

-Kyle

unman

unread,
Nov 10, 2018, 9:46:18 PM11/10/18
to qubes...@googlegroups.com
On Sat, Nov 10, 2018 at 11:33:48AM -0800, Kyle Rankin wrote:
>
> > Also, i wasnt able to find a statement of Purism about the fact that, in the beginning, they claimed the ME was "completely disabled and removed". I mean, that was obviously not true right?
>
> I can only comment on the current state of things and what we have tried to
> be open about on our site. I don't recall them using words like
> "completely" but I also wasn't working there at the time.
>

I find this somewhat disingenuous.

Original claims:

"This is the first laptop to be manufactured where there is no mystery
software. This means that there are absolutely no proprietary drivers
in the linux kernel, no Linux kernel binary blobs, and no proprietary
software applications required to operate this computer."

Later:
"We promise that a Purism system and all its components will be free
according to the strictest of guidelines set forth by the FSF's Free
Software Definition."

By 2016, the company had (under pressure) rolled back on these claims,
and acknowledged that the BIOS and Intel Binaries required binary blobs.

The "completely" claim is in the October 19, 2017 post - "Purism Librem
Laptops Completely Disable Intel's Management Engine"

I think that what bothers people is that the early claims were either false
or misleading. I had concerns about the whole "Qubes endorsed" debacle.
I believe issues like these raise questions about the probity of the company,

unman

22...@tutamail.com

unread,
Nov 11, 2018, 12:07:42 AM11/11/18
to qubes-users
Tough questions and discussion, but in the spirit of finding the "best" laptop we can get for Qubes 4.0 (best being defined as: available to purchase, priced right, most open, most "reasonably" secure and "reasonably" simple to maintain), I see the following as my best options, ranked:

Lenovo Carbon 5G X1
Available
Good RAM
Little pricey
Easy install/maintain? Not sure if I can flash these BIOS...

Lenovo 400 series
Available
Affordable
Limited RAM?
Little boxy
Easier to install/maintain

Librem 'whatever' model
Available
NOT Affordable
Limited RAM?
Reasonably easy to install/maintain!

G505
NOT as Available
Affordable
Limited RAM?
Very boxy?
Tough to install/maintain (Flash BIOS?? Out of my scope...)


200 series
NOT as Available?
Affordable
Limited RAM?
Very boxy?
Tough to install/maintain! (Flash BIOS?? Out of my scope...)


Dell/HP/Other?
I don't know, but I suspect Qubes was developed on Lenovos, yet select models work

Desktops
I need a laptop...

Keep in mind I might weigh some of the "Easy to install/maintain" perspective more heavily but I see my best options as:

1) Carbon X1 being the ultimate winner (if I want to invest the $1k)
2) T400+ series for the budget concerned
3) Librem if you want to get the best you can without the "fuss" and pay some $$
4) G505/200 if you have the technical know-how/experience


What I am struggling to weigh is the security/privacy/trust compromises and implications I have made/would make. I know G505/200 type products are most secure, but how can I get one pre-installed and done (easy) yet still balance trust, security, affordability, etc.? I fear the open source BIOSes are out of my technical scope to install and maintain.

I find Librem intriguing as the easiest "most" open source option for the "reasonable" layman (person)... sure, not Intel/AMD/government secure, but at least non-chip-maker-collusion secure? Let's assume Librem screwed up initially with their claims... are they clear now? Is their product a good option?

Decisions, Decisions...


unman

unread,
Nov 11, 2018, 10:45:25 AM11/11/18
to qubes-users
lenovo x230s are still widely available, and great for Qubes. Limited to
16GB RAM, but even with HDD and 12 GB perfectly serviceable for
Qubes 4.0. And *cheap*.
Pretty easy to maintain, and no problem with flashing BIOS from linux.
I'd still recommend - boxy is the new black.

unman

22...@tutamail.com

unread,
Nov 11, 2018, 9:25:58 PM11/11/18
to qubes-users
Unman, your posts have been extremely helpful to me and I can't thank you enough for the help (I am sure many others would agree).

However I think your "..Pretty easy to maintain.." would be hell for me.

Librem (and maybe the Majora line) have huge appeal for me as they take care of the BIOS flashing.

I checked out the x230 and you are right, they are available and cheap. I would still be interested in finding some company/individual who I can trust to take care of the BIOS flashing for me as a service (I would think others would also want this service as well...). The problem is who?

Thanks...

("-boxy is the new black." Good one and couldn't agree more...very funny!)

Thierry Laurion

unread,
Nov 12, 2018, 1:30:54 AM11/12/18
to 22...@tutamail.com, qubes...@googlegroups.com
Hi!
> I checked out the x230 and you are right they are available and cheap. I would still be interested in finding some company/individual who I can trust to take care of the BIOS flashing for me as a service(I would think others would also want this service as well...). The problem is who?
I started Insurgo Technologies Libres/Open Technologies exactly for that! (https://www.facebook.com/InsurgoTech/insights/?section=navPosts)

We actually reprogram A-Grade refurbished x230s with Heads firmware (http://osresearch.net/), neutralizing Intel ME (https://github.com/osresearch/heads-wiki/blob/master/Clean-the-ME-firmware.md) while we're at it.

I have been collaborating with Heads and QubesOS developers for a while now.
QubesOS can even be preinstalled with the user's desired customizations (https://github.com/SkypLabs/my-qubes-os-formula/issues) or shipped with the latest QubesOS ISO on external MicroSD media. Heads validates ISO integrity with the distribution's signing keys prior to booting them (Tails, Fedora, QubesOS).

Heads, deployed with a Nitrokey Pro v2/LibremKey or by using the internal TPM, validates ROM integrity before booting from it. With the help of a NitroKey/LibremKey (https://puri.sm/posts/introducing-the-librem-key/), the boot configurations are signed with the user's keys and verified, and the firmware integrity is attested at each reboot through HOTP (LED flashing) or TPMTOTP on the user's cell phone (through Google Authenticator or a compatible app).

The user receives the Nitrokey/LibremKey and his computer in distinct shipping packages and reunites at first laptop boot to attest that the firmware of the computer has not been tampered with in transit. (https://puri.sm/posts/introducing-the-librem-key/).

The user, upon boot integrity attestation, proceeds to take ownership of his new laptop (TPM) and his LibremKey. The user is then invited to re-encrypt his SSD's encrypted content with his own chosen passphrase (https://github.com/osresearch/heads/issues/463) and to choose a secondary disk unlock passphrase, which will unlock encrypted disk content only if the firmware has boot-attested integrity.

Notes:
  • The user will be able to ask Insurgo interactive support in the near future. (https://github.com/SkypLabs/my-qubes-os-formula/issues/6).
  • Buying from Insurgo (ITL/IOT) funds directly my participation to those projects.
  • Bulk discounts are available upon request. Insurgo plans to transition into a working/buying cooperative in the near future.


Prices are in Canadian Dollars (CDN)
  • x230 i5 240GB SSD 16GB Webcam and IPS: $620
    • Hardware reprogramming fee: +250$
    • Backlit Keyboard: 40$  (optional)
    • Webcam 10$  (optional)
  • Nitrokey/LibremKey: + 80$
The refurbisher offers a warranty plan on the value of the purchase:
  • 1 Month 5%
  • 3 Months 10%
  • 6 Months 15%
  • 1 Year 25%

Thierry Laurion:

Insurgo, Technologies Libres / Open Technologies:



--
Thierry Laurion
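The attestation flow Thierry describes above (firmware measured into the TPM, a TOTP/HOTP secret and a disk-unlock secret that are released only while the measurement still matches) can be followed end to end in a small software model. The following is an added example, not code from Heads, Insurgo or anyone on the list: the PCR register and the TPM "seal" are hypothetical stand-ins built from SHA-256 and HMAC, while the HOTP/TOTP arithmetic is the standard RFC 4226/6238 computation that phone authenticator apps implement. The firmware image, boot config, TPM key and secrets are constructed sample bytes.

```python
"""Software model of Heads-style attestation: firmware measured into a PCR,
a TOTP secret and a disk-unlock secret sealed to the expected PCR, and a
boot that releases them only while the measurement still matches.
Added example; the PCR and the seal are hypothetical software stand-ins
for the TPM, not Heads' code."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

PCR_INITIAL = b"\x00" * 32  # a TPM PCR is all-zero at power-on


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || H(measurement)). Nothing can be
    un-extended, so one tampered component changes every later value."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(firmware: bytes, boot_config: bytes) -> bytes:
    """Measure the firmware image, then the signed boot configuration."""
    return pcr_extend(pcr_extend(PCR_INITIAL, firmware), boot_config)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, unix_time // step)


def _keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy cipher for the model only)."""
    blocks = [hashlib.sha256(key + struct.pack(">I", i)).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def seal(secret: bytes, expected_pcr: bytes, tpm_key: bytes) -> bytes:
    """Model of TPM sealing: encrypt under a key derived from the TPM-resident
    key and the expected PCR, plus an HMAC tag so a wrong PCR fails cleanly."""
    k = hmac.new(tpm_key, expected_pcr, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(k, len(secret))))
    return ct + hmac.new(k, ct, hashlib.sha256).digest()


def unseal(blob: bytes, current_pcr: bytes, tpm_key: bytes) -> Optional[bytes]:
    """Return the secret only if current_pcr equals the PCR it was sealed to."""
    ct, tag = blob[:-32], blob[-32:]
    k = hmac.new(tpm_key, current_pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(k, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k, len(ct))))


@dataclass
class Enrollment:
    sealed_totp_secret: bytes
    sealed_disk_key: bytes


def enroll(firmware: bytes, boot_config: bytes, tpm_key: bytes,
           totp_secret: bytes, disk_key: bytes) -> Enrollment:
    """Taking ownership: seal both secrets to the known-good measurement.
    The phone keeps its own copy of the TOTP secret (a QR code in Heads)."""
    expected = measure_boot(firmware, boot_config)
    return Enrollment(seal(totp_secret, expected, tpm_key),
                      seal(disk_key, expected, tpm_key))


def boot(enr: Enrollment, firmware: bytes, boot_config: bytes,
         tpm_key: bytes, now: int) -> dict:
    """Each boot: re-measure and try to unseal. On success the laptop shows a
    TOTP code for the user to compare with the phone and releases the disk key;
    on a mismatch neither secret leaves the (modelled) TPM."""
    pcr = measure_boot(firmware, boot_config)
    totp_secret = unseal(enr.sealed_totp_secret, pcr, tpm_key)
    if totp_secret is None:
        return {"attested": False, "code": None, "disk_key": None}
    return {"attested": True, "code": totp(totp_secret, now),
            "disk_key": unseal(enr.sealed_disk_key, pcr, tpm_key)}


# Constructed sample inputs: not real images, keys or secrets.
FIRMWARE_GOOD = b"coreboot+heads image v1 (constructed)"
FIRMWARE_TAMPERED = FIRMWARE_GOOD + b" + implant"
BOOT_CONFIG = b"kernel=/vmlinuz initrd=/initrd.img (constructed)"
TPM_KEY = hashlib.sha256(b"tpm storage root key (constructed)").digest()
TOTP_SECRET = b"constructed-totp-secret"
DISK_KEY = b"constructed-luks-keyslot-secret"


def demo(now: int = 1542000000) -> dict:
    """Enroll on good firmware, then boot clean, with tampered firmware,
    and with a modified boot config; only the clean boot attests."""
    enr = enroll(FIRMWARE_GOOD, BOOT_CONFIG, TPM_KEY, TOTP_SECRET, DISK_KEY)
    return {"phone_code": totp(TOTP_SECRET, now),
            "good": boot(enr, FIRMWARE_GOOD, BOOT_CONFIG, TPM_KEY, now),
            "tampered": boot(enr, FIRMWARE_TAMPERED, BOOT_CONFIG, TPM_KEY, now),
            "bad_config": boot(enr, FIRMWARE_GOOD, BOOT_CONFIG + b"x", TPM_KEY, now)}
```

Running `demo()` shows the point of the design: the clean boot produces a code equal to the one the phone computes independently and releases the disk key, while the tampered-firmware and modified-config boots fail to unseal anything, so the disk stays locked and no code is shown. A real TPM enforces the PCR binding in hardware rather than with an HMAC tag, and Heads additionally verifies the signature on the boot configuration before measuring it.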

Holger Levsen

unread,
Nov 12, 2018, 4:58:30 AM11/12/18
to qubes-users
On Sun, Nov 11, 2018 at 03:45:21PM +0000, unman wrote:
> lenovo x230s are still widely available, and great for Qubes.

while I agree with that, I want to point out that they contain several
non free blobs which cannot be changed.

just because there was so much purism bashing in this thread. :-D


--
cheers,
Holger, who is happy that his keyboard, memory and battery works

unman

unread,
Nov 12, 2018, 6:15:24 AM11/12/18
to qubes-users
On Mon, Nov 12, 2018 at 09:58:25AM +0000, Holger Levsen wrote:
> On Sun, Nov 11, 2018 at 03:45:21PM +0000, unman wrote:
> > lenovo x230s are still widely available, and great for Qubes.
>
> while I agree with that, I want to point out that they contain several
> non free blobs which cannot be changed.
>
> just because there was so much purism bashing in this thread. :-D
>
>
> --
> cheers,
> Holger, who is happy that his keyboard, memory and battery works

True, but 22rip didn't have that as a criterion in his choices. Also, the
x230 keyboard, memory and battery all work. ;-)

Jonathan Seefelder

unread,
Nov 12, 2018, 10:08:38 AM11/12/18
to unman, qubes-users
I have to say, while I'm happy to see people are actually trying to get a
constructive discussion here, I'm missing facts, sources and numbers.

The only blob in an X230 which could be security relevant IMO is the
embedded controller. The EC will most likely be liberated in the near
future, and even if it isn't, that is just no comparison to the amount
of attack surface and security relevance of the blobs a Librem
contains. But that's a personal opinion; there are some who consider a
stock BIOS not a problem at all, because their threat model does not
contain such highly skilled attacks or they trust the vendor. However,
UEFI exploits from non-state actors have already been found in the wild,
and will become a lot more common IMO.

Example:
https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

About the Intel-ME:

The other blob in an x230 is the "ROMP/BUP" module (which is the
only part left from the Intel ME), roughly around ~90 kB after
me_cleaner (~1.5 MB without), and, very important, the ME is shut down
before the kernel initializes.

The generation 3 ME versions like those used in a Librem, however, are
after applying me_cleaner "rbe", "kernel", "syslib" AND "bup", and the
minimum firmware size is at best ~300 kB, and it is not shut down at all.

BTW, I feel like people overestimate the relevance of the Intel
Management Engine. There is so much fake news about the ME, it's
ridiculous. That being said, I personally would never use a device for
sensitive stuff with ME generation 3 or higher, and certainly not one
with a proprietary BIOS or a significant amount of dangerous blobs. Again,
these are personal choices; bashing without even providing any sources
to fact-check for the reader won't help anybody.

While I would love to have the option of buying a completely free laptop
directly from a vendor, I have serious doubts about how this would be
possible with the x86 architecture, and I wasn't able to find any specific
information on how Purism is planning to achieve that.

Freeing a Librem isn't simply a matter of more work and development;
without having Intel's signing keys, it is flat-out technically impossible.

And I would love to believe that Intel will provide Purism those keys,
but given the fact that they didn't do it even for Google, I doubt it
even more.

Some more information on this matter would be really great, maybe I'm
missing something?

If any of this information is incorrect please tell me so, and most
important, please provide sources.
--
Kind Regards
Jonathan Seefelder
CryptoGS IT-Security Solutions
Hofmark 43b
D-84564 Oberbergkirchen
Phone: +49 8637-7505
Fax: +49 8637-7506
Mail: in...@cryptogs.de
www.cryptogs.de



qube...@tutanota.com

unread,
Nov 13, 2018, 6:03:40 AM11/13/18
to 22...@tutamail.com, qubes-users
Sorry to jump out of the Purism thing. Some weeks ago I posted the question here too and it was a bit stormy, so I kept it aside.

Mate, you mention the "Lenovo 400 series". That was my question shortly before, in my post. I am planning to buy this guy: https://tehnoetic.com/tet-t400s It is RYF, and so the ME and AMT are completely removed. My question was if I could run Qubes 4 on it. The answer was that it is too old to have the required virtualization needed to run Qubes 4.

Now, do you think the RYF T400s above, which is the T400 series you mention, could run Qubes 4? This would be great. One could run the reasonably secure OS on reasonably secure HW. Yay!



qube...@tutanota.com

unread,
Nov 13, 2018, 6:27:10 AM11/13/18
to Thierry Laurion, 22rip, Qubes Users
Hi Thierry, I wasn't aware the X230 can be freed the same way as the X200 can. As you saw, I am thinking about buying the RYF https://tehnoetic.com/tet-t400s to be able to run with Qubes 4. The T400s unfortunately has 8GB RAM max, and so the X230 with 16GB seems very interesting.

So my question is if the X230 is really deprived of all ME-AMT, or any non-free dirt? If this is the case, your offer seems really interesting with all mentioned options available. I also use the RYF X200 for non-Qubes activities, but it would be just excellent if I could have just one machine for Qubes+non-Qubes too.


Nov 12, 2018, 7:30 AM by thierry...@gmail.com:

> Hi!
>
>> I checked out the x230 and you are right they are available and cheap. I would still be interested in finding some company/individual who I can trust to take care of the BIOS flashing for me as a service(I would think others would also want this service as well...). The problem is who?
>>
> I started Insurgo Technologies Libres/Open Technologies exactly for that! (> https://www.facebook.com/InsurgoTech/insights/?section=navPosts <https://www.facebook.com/InsurgoTech/insights/?section=navPosts>> )
>
> We actually reprogram A-Grade refurbished x230 with Heads firmware (> http://osresearch.net/ <http://osresearch.net/>> ), while neutralizing Intel ME (> https://github.com/osresearch/heads-wiki/blob/master/Clean-the-ME-firmware.md <https://github.com/osresearch/heads-wiki/blob/master/Clean-the-ME-firmware.md>> ) while being there.
>
> I collaborate with Heads and QubesOS developers for a while now..
> QubesOS can even be preinstalled with user's desired customizations (> https://github.com/SkypLabs/my-qubes-os-formula/issues <https://github.com/SkypLabs/my-qubes-os-formula/issues>> ) or shipped with latest QubesOS ISO on external MicroSD support. Heads validates ISO integrity with distribution's signing keys prior to boot them (Tails, Fedora, QubesOS).
>
> Heads, deployed with a Nitrokey Pro v2/LibremKey or by using internal TPM, validates rom' integrity before booting from it. With the help of a NitroKey/LibremKey (> https://puri.sm/posts/introducing-the-librem-key/ <https://puri.sm/posts/introducing-the-librem-key/>> ), the boot configurations are signed with user's keys and verified and the firmware integrity is attested at each reboot through HOTP (led flashing or TPMTOTP on user's cell phone through Google Authenticator or compatible app.
>
> The user receives the Nitrokey/LibremKey and his computer in distinct shipping packages and reunites at first laptop boot to attest that the firmware of the computer has not been tampered with in transit. (> https://puri.sm/posts/introducing-the-librem-key/ <https://puri.sm/posts/introducing-the-librem-key/>> ).
>
> The user, upon bootup integrity attestation, proceeds to the ownership of his new laptop (TPM) and his LibremKey. The user is then invited to reencrypt his SSD encrypted content with it's own chosen passphrase(> https://github.com/osresearch/heads/issues/463 <https://github.com/osresearch/heads/issues/463>> ) and to choose a secondary disk unlock passphrase, which will unlock encrypted disk content only if the firmware has boot attested integrity.
>
> Notes:
> The user will be able to ask > Insurgo> interactive support in the near future. (> https://github.com/SkypLabs/my-qubes-os-formula/issues/6 <https://github.com/SkypLabs/my-qubes-os-formula/issues/6>> ).
> Buying from> Insurgo (ITL/IOT)> funds directly my participation to those projects.
> Bulk discount are available upon request. Insurgo plans to transit into a working/buying cooperative in the near future.
>
>
> Prices are in Canadian Dollars (CDN)
> x230> i5 240GB SSD 16GB Webcam and IPS: $620
> Hardware reprogramming fee: +250$
> Backlit Keyboard: 40$  (optional)
> Webcam 10$  (optional)
> Nitrokey/LibremKey: + 80$
> The refurbisher offers a warranty plan on the value of the purchase:
> 1 Month %5
> 3 Months %10
> 6 Months %15
> 1 Year %25
>
> Thierry Laurion:
> GitHub: > https://github.com/tlaurion/ <https://github.com/tlaurion/>
> LinkedIn: > https://www.linkedin.com/in/thierry-laurion-40b4128/ <https://www.linkedin.com/in/thierry-laurion-40b4128/>
>
> Insurgo, Technologies Libres / Open Technologies:
> email: > ins...@riseup.net <mailto:ins...@riseup.net>> for more information.
> GPG key: > http://keys.gnupg.net/pks/lookup?op=get&search=0x79C78E6659DB658F <http://keys.gnupg.net/pks/lookup?op=get&search=0x79C78E6659DB658F>
> Follow this guide or it's platform equivalent: > https://securityinabox.org/en/guide/thunderbird/mac/ <https://securityinabox.org/en/guide/thunderbird/mac/>
> Website: > https://Insurgo.ca <https://Insurgo.ca>
> Facebook: > https://www.facebook.com/InsurgoTech/ <https://www.facebook.com/InsurgoTech/>
>
> On Sun, Nov 11, 2018 at 9:26 PM <> 22...@tutamail.com <mailto:22...@tutamail.com>> > wrote:
>
>> Unman your posts have been extremely helpful to me and I can't thank you enough for the help(I am sure many others would agree).
>>
>> However I think your "..Pretty easy to maintain.." would be hell for me.
>>
>> Librem(and maybe the Majora line) have huge appeal for me as they take care of the BIOS flashing.
>>
>> I checked out the x230 and you are right they are available and cheap. I would still be interested in finding some company/individual who I can trust to take care of the BIOS flashing for me as a service(I would think others would also want this service as well...). The problem is who?
>>
>> Thanks...
>>
>> ("-boxy is the new black." Good one and couldn't agree more...very funny!)
>>
>
>
> --
> Thierry Laurion
>
>
>

keshajournalism

unread,
Nov 13, 2018, 7:58:21 AM11/13/18
to qubes...@googlegroups.com
I thought about buying the x230, but for me, the screen is a little too small, and I feel like the x230 looks a bit ugly *.* To me Apple products look the best, but apparently there are none with coreboot.
I therefore bought myself an X1 Carbon with a Nitrokey from cryptogs.de, although I'd like to have more RAM for Windows.
The X230 was recommended to me by them as more secure; apparently a T400 would have been even better with Libreboot, but they are just way too old and slow for me.

cheerio

Thierry Laurion

unread,
Nov 13, 2018, 10:44:26 AM11/13/18
to qube...@tutanota.com, 22...@tutamail.com, qubes...@googlegroups.com
 Hi qubes-fan. Answers inline.
On Tue, Nov 13, 2018 at 6:27 AM <qube...@tutanota.com> wrote:
> Hi Thierry, I wasn't aware the X230 can be freed the same way as the X200 can.

Unfortunately, the x230 cannot have Intel ME deleted the same way the x200 can, even though binary-free firmware is on par with it.

The x200 is RYF certified where the x230 isn't, for approximately the same reasons Libreboot supports only the former. RYF and Libreboot have a really strong guideline against binary blobs. Even Libreboot opened up its ethics to support the x220 (Sandy bridge), but backed off, since part of the ME engine is still present even if deactivated. The RYF certification could not be obtained for those. See archive: https://web.archive.org/web/20170404144825/https://minifree.org/product/libreboot-x220/

Intel ME can be completely removed on the x200 (GM45 based), leaving no trace of it at all (https://libreboot.org/faq.html#intel). It can be neutralized on the x220 and x230 (Ivy bridge), leaving only the ROMP and BUP modules (<90k of it), but "deactivating" ME before its kernel is even booted, where the Librem laptops have only parts of it deactivated, and unfortunately contain binary blobs in the firmware. Once again, depending on your threat model, that may or may not be a deal breaker for you.

Neutralizing/Deactivating/Deleting/Freeing Intel ME is a word game over which a lot of ink has been spilled over the last years. I suggest you read this doc: https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F . Basically, Intel ME version <11 can be deactivated, since no kernel needs to be present in the firmware for validation prior to initialization, resulting in only the BUP module being launched, permitting the machine to boot, where version >11 requires the kernel and syslib modules to be present and validated at initialization. So even if Intel ME is neutralized by me_cleaner, the modules are still there in >11. Could they be executed? That depends on your beliefs and threat modeling.

Technically, GM45 based laptops are currently the last Intel based hardware where Intel ME can be completely removed. Unfortunately, such old hardware comes with important limitations, some of which makes it incompatible with QubesOS 4 requirements for isolation and virtualization. The x200 has vt-d1 only, no vt-d2 (No IOMMU!): there is no interrupt remapping, meaning that there is no hardware isolation enforced in QubesOS. (https://github.com/QubesOS/qubes-issues/issues/1594#issuecomment-209213917).

At best, the x200 is an awesome laptop for using Tails, but not with QubesOS. Using it with QubesOS gives the user an illusion of hardware isolation, putting him at risk.

> As you saw, I am thinking about buying the RYF https://tehnoetic.com/tet-t400s to be able to run with Qubes 4. The T400s unfortunately has 8GB RAM max, and so the X230 with 16GB seems very interesting.

The T400s is a hardware equivalent of the x200.

> So my question is if the X230 is really deprived of all ME-AMT, or any non-free dirt?
>
> If this is the case, your offer seems really interesting with all mentioned options available. I also use the RYF X200 for non-Qubes activities, but it would be just excellent if I could have just one machine for Qubes+non-Qubes too.

A lower-end AMD laptop, the G505s, seems a good candidate for libre-oriented QubesOS users. Its porting to Heads is on the way, even though I do not have that hardware myself. https://github.com/osresearch/heads/issues/453

As some pointed out earlier, the EC is still a binary blob present in laptops (not currently freed); microcode updates are unfortunately still required for security.

The laptop world needs to be shaken. Binary-free laptops exist, but do not support QubesOS.
Talos II is the best libre desktop/server available but isn't supported by QubesOS, where the KGPE-D16/KCMA-D8 are still the best x86 desktops/servers available. The x230 laptop is the most supported and libre available, where BUP Intel ME initialization is tolerable.

Heads project should be considered as a trusted base of any security conscious user.

Linuxboot, Systemboot and other projects based on u-boot/u-root should also be considered for collocating private cloud services on more recent x86 servers:

Hope that it answers your questions.
Insurgo, Technologies Libres / Open Technologies:
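Thierry's warning about the x200 (VT-d without interrupt remapping, so no real hardware isolation under Qubes) turns into a concrete check a buyer can run before trusting any machine for Qubes 4: confirm from the boot log that the IOMMU is enabled and that interrupt remapping is active. The following is an added example, not Qubes' or the list's code: a small Python parser for the relevant messages. On a Qubes dom0 the hypervisor owns the IOMMU, so the lines come from `sudo xl dmesg`; on plain Linux they come from `dmesg`. The three sample logs are constructed, modelled on the Linux `DMAR`/`DMAR-IR` and Xen VT-d message formats, and the script file name in the usage comment is hypothetical.

```python
"""Parse Linux dmesg or Xen `xl dmesg` output for the two VT-d features Qubes 4
relies on for hardware isolation: an enabled IOMMU (DMA remapping) and
interrupt remapping. Added example; the sample logs below are constructed."""
import re
import sys
from typing import Dict, List

# Message shapes modelled on the Linux DMAR / DMAR-IR and Xen VT-d messages.
IOMMU_PATTERNS = [
    re.compile(r"DMAR: IOMMU enabled"),
    re.compile(r"Virtualization Technology for Directed I/O"),
    re.compile(r"I/O virtualisation enabled"),
]
IR_PATTERNS = [
    re.compile(r"DMAR-IR: Enabled IRQ remapping in (x2apic|xapic) mode"),
    re.compile(r"Interrupt Remapping enabled", re.IGNORECASE),
]


def _matching(lines: List[str], patterns) -> List[str]:
    """Lines that match any of the given compiled patterns."""
    return [ln for ln in lines if any(p.search(ln) for p in patterns)]


def vtd_status(log: str) -> Dict[str, object]:
    """Report what the log proves. 'isolation_ok' is True only when both DMA
    remapping and interrupt remapping are reported as enabled; a log that is
    silent about interrupt remapping is treated as not having it, which is
    the safe reading for a machine like the x200."""
    lines = log.splitlines()
    iommu = _matching(lines, IOMMU_PATTERNS)
    ir = _matching(lines, IR_PATTERNS)
    return {
        "iommu": bool(iommu),
        "interrupt_remapping": bool(ir),
        "isolation_ok": bool(iommu) and bool(ir),
        "evidence": iommu + ir,
    }


# Constructed sample logs (timestamps and addresses invented).
LOG_X230_STYLE = """\
[    0.000000] DMAR: IOMMU enabled
[    0.012345] DMAR: Host address width 36
[    0.012400] DMAR: DRHD base: 0x000000fed90000 flags: 0x0
[    0.012600] DMAR-IR: Enabled IRQ remapping in x2apic mode
[    0.300000] DMAR: Intel(R) Virtualization Technology for Directed I/O
"""
LOG_X200_STYLE = """\
[    0.000000] DMAR: IOMMU enabled
[    0.012345] DMAR: Host address width 36
[    0.012400] DMAR: DRHD base: 0x000000fed90000 flags: 0x0
[    0.300000] DMAR: Intel(R) Virtualization Technology for Directed I/O
"""
LOG_XEN_STYLE = """\
(XEN) Intel VT-d Interrupt Remapping enabled.
(XEN) I/O virtualisation enabled
(XEN)  - Dom0 mode: Relaxed
"""

if __name__ == "__main__":
    # Qubes dom0:  sudo xl dmesg | python3 vtd_check.py   (hypothetical file name)
    # plain Linux: dmesg | python3 vtd_check.py
    src = sys.stdin.read() if not sys.stdin.isatty() else LOG_X200_STYLE
    for key, value in vtd_status(src).items():
        print(f"{key}: {value}")
```

The x200-style sample reports an IOMMU but no interrupt-remapping line, so `isolation_ok` is False: without interrupt remapping a device owned by one qube can still inject MSIs that the hypervisor cannot filter, which is the gap Thierry refers to. The Xen-style sample shows the equivalent lines on a Qubes system, where Linux's own `dmesg` would not report VT-d at all.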

Thierry Laurion

unread,
Nov 13, 2018, 11:53:07 AM11/13/18
to qube...@tutanota.com, 22...@tutamail.com, qubes...@googlegroups.com
Hi all,
Sorry to have misrepresented Purism's work. I hadn't come across that post: https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops/
So it seems that Intel ME deactivation is on par with Ivy bridge, resulting in only the ROMP and BUP modules being required to initialize ME.


Thierry

--
Thierry Laurion

qube...@tutanota.com

unread,
Nov 14, 2018, 5:11:14 AM11/14/18
to Thierry Laurion, 22rip, Qubes Users
Hi Thierry, thank you for your excellent and extensive explanation of the topic, just wow! This is precisely what semi-techs like me need to understand the heavy-tech topics better.

It helped me to see the differences in between vt-d1 vs vt-d2 and its implications. Yes, the X200 is excellent for Tails, but I need to run Qubes 4 too.

So if I understand it properly, the X230 has remains of the ME which are deactivated before the kernel boots. This quite shrinks the attack options, clear.

I understand you prefer to post answers directly on the forum. About the prices:

- What exactly does the hardware reprogramming fee mean? Is it the ME
cleanup? Is it an extra charge of $250 on top of $620 for actually
freeing the X230? The $620 is for a non-free X230 then?

Are you sometimes in EU?

thx

Nov 13, 2018, 5:52 PM by thierry...@gmail.com:

> Hi all,
> Sorry to have misadvertised Purism work. Didn't went across that post: > https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops/ <https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops/>
> So it seems that Intel ME deactivation is on par with Ivy bridge, resulting in only the ROMP and BUP modules being required to initialize ME.
>
> For firmware binary blob requirements, FSP is still required, see here: > https://github.com/osresearch/heads/tree/master/blobs/librem_skl <https://github.com/osresearch/heads/tree/master/blobs/librem_skl>> and here > https://github.com/osresearch/heads/blob/master/config/coreboot-librem13v2.config <https://github.com/osresearch/heads/blob/master/config/coreboot-librem13v2.config>
>
> Thierry
>
>
> On Tue, Nov 13, 2018 at 10:44 AM Thierry Laurion <> thierry...@gmail.com <mailto:thierry...@gmail.com>> > wrote:
>
>>  Hi qubes-fan. Answers inline.
>> On Tue, Nov 13, 2018 at 6:27 AM <>> qube...@tutanota.com <mailto:qube...@tutanota.com>>> > wrote:
>>
>>> Hi Thiery, I wasn't aware the X230 can be freed same way as the X200 can.
>>>
>> Unfortunately, the x230 cannot have Intel ME deleted the same way the x200 can, even though binary free firmware is par with it.
>>
>> The x200 is RYF certified where the x230 isn't for approximately the same reasons Libreboot supports only the former. RYF and Libreboot have a really strong guideline against binary blobs. Even Libreboot opened up it's ethic to support the x220 (Sandy bridge), but backed off, since part of the ME engine is still present even if deactivated. The RYF certification could not be obtainable for those. See archive: >> https://web.archive.org/web/20170404144825/https://minifree.org/product/libreboot-x220/ <https://web.archive.org/web/20170404144825/https://minifree.org/product/libreboot-x220/>
>>
>> Intel ME can be completely removed on the x200 (GM45 based), leaving no trace of it at all. (>> https://libreboot.org/faq.html#intel <https://libreboot.org/faq.html#intel>>> ). It can be neutralized on the x220 and x230 (Ivy bridge), leaving only the ROMP and BUP modules (<90k of it), but "deactivating" ME before it's kernel is even booted, where the Librem Laptops have parts of it deactivated only, and unfortunately contains binary blobs in the firmware. Once again, depending of your threat model, that may or not be a deal breaker for you.
>>
>> Neutralizing/Deactivating/Deleting/Freeing Intel ME is a word game over which a lot of ink has been spilled in the last years. I suggest you read this doc: https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F . Basically, Intel ME versions <11 can be deactivated, since no kernel needs to be present in the firmware for validation prior to initialization, resulting in the BUP module only being launched, permitting the machine to boot, where versions >11 require the kernel and syslib modules to be present and validated at initialization. So even if Intel ME is neutralized by me_cleaner, the modules are still there in >11. Could they be executed? That depends on your beliefs and threat modeling.
>>
>> Technically, GM45 based laptops are currently the last Intel based hardware where Intel ME can be completely removed. Unfortunately, such old hardware comes with important limitations, some of which make it incompatible with QubesOS 4 requirements for isolation and virtualization. The x200 has vt-d1 only, no vt-d2 (no IOMMU!): there is no interrupt remapping, meaning that there is no hardware isolation enforced in QubesOS (https://github.com/QubesOS/qubes-issues/issues/1594#issuecomment-209213917).
>>
>> At best, the x200 is an awesome laptop for using Tails, but not with QubesOS. Using it with QubesOS gives the user an illusion of hardware isolation, putting him at risk.
>>
>>
>>> As you saw, I am thinking about buying the RYF https://tehnoetic.com/tet-t400s to be able to run Qubes 4. The T400s unfortunately has 8GB RAM max, and so the X230 with 16GB seems very interesting.
>>>
>> The T400s is a hardware equivalent of the x200.
>>
>>>
>>> So my question is if the X230 is really deprived of all ME-AMT, or any non-free dirt?
>>>
>> See here for the output of me_cleaner: https://github.com/osresearch/heads-wiki/blob/master/Clean-the-ME-firmware.md with this understanding: https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F
>>
>>
>>> If this is the case, your offer seems really interesting with all mentioned options available. I also use the RYF X200 for non-Qubes activities, but it would be just excellent if I could have just one machine for Qubes+non-Qubes too.
>>>
>> A lower end AMD laptop, the G505s, seems a good candidate for libre oriented QubesOS users. Its port to Heads is on the way, even though I do not have that hardware myself. https://github.com/osresearch/heads/issues/453
>>
>> As some pointed out earlier, the EC is still a binary blob present in laptops (not currently freed), microcode updates are unfortunately still required for security.
>>
>> The laptop world needs to be shaken. Binary-free laptops exist, but do not support QubesOS.
>> Talos II is the best libre free desktop/server available but isn't supported by QubesOS, where the KGPE-D16/KCMA-D8 are still the best x86 desktop/servers available. The x230 laptop is the most supported and libre available, where BUP Intel ME initialization is tolerable.
>>
>> Heads project should be considered as a trusted base of any security conscious user.
>> http://osresearch.net/
>>
>> Linuxboot, Systemboot and other projects based on u-boot/u-root should also be considered for collocating private cloud services on more recent x86 servers:
>> https://github.com/systemboot/systemboot
>> https://www.linuxboot.org/
>>
>> Hope that it answers your questions.
>>
>>>
>>> Nov 12, 2018, 7:30 AM by thierry...@gmail.com:
>>>
>>> > Hi!
>>> >
>>> >> I checked out the x230 and you are right they are available and cheap. I would still be interested in finding some company/individual who I can trust to take care of the BIOS flashing for me as a service(I would think others would also want this service as well...). The problem is who?
>>> >>
>>> > I started Insurgo Technologies Libres/Open Technologies exactly for that! (https://www.facebook.com/InsurgoTech/insights/?section=navPosts)
>>> >
>>> > We actually reprogram A-Grade refurbished x230 with Heads firmware (http://osresearch.net/), while neutralizing Intel ME (https://github.com/osresearch/heads-wiki/blob/master/Clean-the-ME-firmware.md) while being there.
>>> >
>>> > I have been collaborating with Heads and QubesOS developers for a while now.
>>> > QubesOS can even be preinstalled with the user's desired customizations (https://github.com/SkypLabs/my-qubes-os-formula/issues) or shipped with the latest QubesOS ISO on external MicroSD support. Heads validates ISO integrity with the distribution's signing keys prior to booting them (Tails, Fedora, QubesOS).
>>> >
>>> > Heads, deployed with a Nitrokey Pro v2/LibremKey or by using the internal TPM, validates the ROM's integrity before booting from it. With the help of a NitroKey/LibremKey (https://puri.sm/posts/introducing-the-librem-key/), the boot configurations are signed with the user's keys and verified, and the firmware integrity is attested at each reboot through HOTP (LED flashing) or TPMTOTP on the user's cell phone through Google Authenticator or a compatible app.
>>> >
>>> > The user receives the Nitrokey/LibremKey and his computer in distinct shipping packages and reunites them at first laptop boot to attest that the firmware of the computer has not been tampered with in transit (https://puri.sm/posts/introducing-the-librem-key/).
>>> >
>>> > The user, upon bootup integrity attestation, proceeds to take ownership of his new laptop (TPM) and his LibremKey. The user is then invited to reencrypt his SSD's encrypted content with his own chosen passphrase (https://github.com/osresearch/heads/issues/463) and to choose a secondary disk unlock passphrase, which will unlock encrypted disk content only if the firmware has boot-attested integrity.
>>> >
>>> > Notes:
>>> > The user will be able to ask Insurgo for interactive support in the near future (https://github.com/SkypLabs/my-qubes-os-formula/issues/6).
>>> > Buying from Insurgo (ITL/IOT) directly funds my participation in those projects.
>>> > Bulk discounts are available upon request. Insurgo plans to transition into a working/buying cooperative in the near future.
>>> >
>>> >
>>> > Prices are in Canadian Dollars (CDN)
>>> > x230 i5 240GB SSD 16GB Webcam and IPS: $620
>>> > Hardware reprogramming fee: +250$
>>> > Backlit Keyboard: 40$  (optional)
>>> > Webcam 10$  (optional)
>>> > Nitrokey/LibremKey: + 80$
>>> > The refurbisher offers a warranty plan on the value of the purchase:
>>> > 1 Month 5%
>>> > 3 Months 10%
>>> > 6 Months 15%
>>> > 1 Year 25%
>>> >
>>> > Thierry Laurion:
>>> > GitHub: https://github.com/tlaurion/
>>> > LinkedIn: https://www.linkedin.com/in/thierry-laurion-40b4128/
>>> >
>>> > Insurgo, Technologies Libres / Open Technologies:
>>> > email: ins...@riseup.net for more information.
>>> > GPG key: http://keys.gnupg.net/pks/lookup?op=get&search=0x79C78E6659DB658F
>>> > Follow this guide or its platform equivalent: https://securityinabox.org/en/guide/thunderbird/mac/
>>> > Website: https://Insurgo.ca
>>> > Facebook: https://www.facebook.com/InsurgoTech/
>>> >
>>> > On Sun, Nov 11, 2018 at 9:26 PM <22...@tutamail.com> wrote:
>>> >
>>> >> Unman your posts have been extremely helpful to me and I can't thank you enough for the help(I am sure many others would agree).
>>> >> 
>>> >>  However I think your "..Pretty easy to maintain.." would be hell for me.
>>> >> 
>>> >>  Librem(and maybe the Majora line) have huge appeal for me as they take care of the BIOS flashing.
>>> >> 
>>> >>  I checked out the x230 and you are right they are available and cheap. I would still be interested in finding some company/individual who I can trust to take care of the BIOS flashing for me as a service(I would think others would also want this service as well...). The problem is who?
>>> >> 
>>> >>  Thanks...
>>> >> 
>>> >>  ("-boxy is the new black." Good one and couldn't agree more...very funny!)
>>> >> 
>>> >>
>>> >
>>> >
>>> > --
>>> > Thierry Laurion
>>> >
>>> >
>>> >
>>> >
>>>
>>>
>>
>> --
>> Thierry Laurion:
> --
> Thierry Laurion
>
>
>

Thierry Laurion

Nov 14, 2018, 3:28:05 PM11/14/18
to qubes-users
Hi qube!
Answers inline.
On Wednesday, November 14, 2018 at 05:11:14 UTC-5, qube...@tutanota.com wrote:
> Hi Thierry, thank you for your excellent and extensive explanation of the topic, just wow! This is precisely what semi-techs like me need, to understand the heavy-tech topics more.
Pleasure!
>
> It helped me to see the differences in between vt-d1 vs vt-d2 and its implications. Yes, the X200 is excellent for Tails, but I need to run Qubes 4 too.
>
> So if I understand it properly, the X230 has remains of the ME which are but deactivated before kernel boots. This quite shrinks the attack options, clear.
Exactly like Purism did with their Librem13v2: BUP and ROMP are still required (~90Kb) but ME is deactivated with AltMeDisableBit (https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit) while all other modules are erased and the image is trimmed, making that space usable to Heads.

Years ago, it was said impossible to deactivate Intel ME. While it would be better to ditch x86 completely, this is currently impossible if hardware isolation is desired in a nice UX experience (read: while using QubesOS).
This is why Purism/RaptorEngineering/QubesOS/Xen/KVM work is so important and needs to be funded and praised.

On my part, I prefer to promote and enforce the "Reduce/Reuse/Recycle" approach, which in the libre world caught up pretty well with what hardware can be freed the most, as opposed to getting new proprietary hardware components and planning to free them in the longer run. Both work! Insurgo's perspective is one that prefers security and usability over functionality in this "pick two out of three" triangle (https://www.greycampus.com/opencampus/ethical-hacking/security-functionality-and-usability-triangle). Purism is doing an amazing job at pushing functionality and usability forward, proposing blazing fast hardware and memory on high-end hardware, while limiting those choices over security. As a security trainer, my goal is to make vulnerable users responsible for their choices over their personal threat models (https://sec.eff.org/materials/threat-modeling-activity-handout-for-learners), and Purism is a really good alternative to Apple in any high-end case where performance and functionality are picked, where the x230 is a more accessible choice with fewer binary blobs. For the moment. :)

>
> I understand you prefer to post answers directly on the forum. About the prices:
>
> - What exactly means the Hardware reprogramming fee? Is it the ME
> cleanup? Is it an extra charge of $250 on top of $620 for actually
> freeing the X230? The $620 is for non-free X230 than?
Insurgo aims to become a cooperative. By doing so, hardware costs lower the more hardware is bought. Transparency measures will be put in place so that people who are willing to wait a bit will pay less, their order being grouped with others to lower the hardware orders. The reprogramming cost is stable, unless a bunch of orders are shipped to the same organization. Contact me for details.

So the CDN prices below are the highest that one can pay.

In a nutshell:
i7 complete x230 system + Nitrokey + reprogramming = 1065$
i5 complete x230 system + Nitrokey + reprogramming = 965$

Current direct costs:
-X230 i5 240GB SSD 16GB Webcam and IPS for $595. $635 with the backlit keyboard.
-X230 i7 240GB SSD, 16GB DDR3, Webcam and IPS for $695. $735 with the backlit keyboard. (PREFERRED)
-Nitrokey Pro v2/LibremKey: 80$ (MANDATORY)

Reprogramming fees of 250$ include:
- Funding my development efforts. The laptop costs are my costs. I make money only on this fee!
- Opening up the laptop, backing up the 4MB and 8MB chips' contents to MicroSD, neutralizing ME, flashing back ME and Heads on SPI flash and copying the flashed rom images to MicroSD.
- Installation of the latest QubesOS on the SSD drive. No updates or customizations are applied unless requested by the user. The resulting system integrity can then be validated in dom0 by the user (rpm -qVa). QubesOS is installed in a LUKS encrypted volume, of which the key is communicated to the user over a secure communication channel.
- Temporary ownership of TPM and Nitrokey/LibremKey by Insurgo, with Insurgo's keys being inserted into the rom. This permits Insurgo to attest laptop firmware and boot configuration integrity prior to shipping the NitroKey/LibremKey and hardware separately (https://puri.sm/posts/the-librem-key-makes-tamper-detection-easy/). Integrity of the rom is modified with Insurgo's keys at this point.

Upon shipments reception:
- The user connects the LibremKey/Nitrokey to his hardware and boots, attesting the integrity of the firmware and boot configurations.
- The user reowns the hardware. He has to reown his Nitrokey/LibremKey (Admin and user passphrases need to be set) and generate a new GnuPG keypair/inject his own keypair into the Nitrokey/LibremKey, which will replace Insurgo's. The Nitrokey/LibremKey is now ready to be used to attest laptop integrity with the user's own Nitrokey/LibremKey keys.
- The user reflashes a reproducible Heads build from his microSD card and injects his own generated GnuPG public key into the rom. His key will be used to sign his own boot configuration changes, coupled with his connected NitroKey/LibremKey. Any modification made to those configuration files will be detected and alert the user at each boot. Updating QubesOS' Xen or Linux kernel will result in such an alert. The integrity of the rom has changed at this point. The user will be asked to reboot.
- The user is required to validate rom integrity with the help of his NitroKey/LibremKey connected, requiring him to type his NitroKey/LibremKey Admin passphrase.
- The user is invited to reencrypt his QubesOS LUKS encrypted container with a new LUKS disk recovery passphrase of his choice. This process takes around 25 minutes.
- The user is requested to reown his TPM (passphrase), which is currently used to measure and generate a TPMTOTP code that can be validated with Google Authenticator on a smartphone. The TPM also generates a secondary LUKS decryption key, stored in LUKS header slot #1, so that at each boot, Heads requests the user to type that secondary passphrase instead of the previously chosen LUKS disk encryption recovery passphrase (above step). Typing this secondary passphrase is less risky than the disk recovery passphrase, since the TPM is involved in generating the correct unlock key in conjunction with its integrity measurements. This means that even if RAM memory was searched for the typed decryption passphrase, that typed passphrase would only unlock the disk on the user's hardware. Having a copy of the disk and typing that passphrase to unlock the encrypted volume wouldn't work. Plus, that unlock passphrase can be changed at will. So if you think that you were filmed/caught typing it at an internet café, you can change it by setting a new default boot option inside of Heads.
- The user needs to manually change his user login passphrase inside of QubesOS.

User's hardware reownership takes approximately 30 minutes. The UX is being worked on to make it even more usable without leveraging security.
>
> Are you sometimes in EU?
Unfortunately, not enough! Looking for business opportunities!
>
> thx
Pleasure!
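The measured-boot flow Thierry describes above (a TPM-sealed secret, a TPMTOTP code the user compares with a phone, and a secondary disk passphrase that only unlocks the disk on the user's own hardware) can be modelled end to end. What follows is an added illustration written for this page, not Heads, Insurgo or TPM code: the ToyTPM class, the PCR layout, the firmware region names, secrets and passphrases are all constructed, and the sealing is a simplified stand-in for a real TPM's policy-bound sealing. The hotp function follows RFC 4226 and reproduces its published test vectors.

```python
# Toy model of measured boot: a sealed secret that only unseals when the firmware
# measurements (PCRs) match, a TOTP code to compare with a phone, and a disk-unlock
# key valid only on this hardware. Constructed for illustration; not Heads/TPM code.
import hashlib
import hmac
import struct

PCR_LEN = 32

def extend(pcr, data):
    """TPM-style extend: PCR' = H(PCR || H(data)); PCRs are only ever extended."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def measure_firmware(regions):
    """Measure each named region into its own PCR (constructed layout, sorted by name)."""
    return {i: extend(b"\x00" * PCR_LEN, regions[name])
            for i, name in enumerate(sorted(regions))}

def policy_digest(pcrs, indices):
    """Digest over the selected PCR values; a sealed blob is bound to this digest."""
    h = hashlib.sha256()
    for i in indices:
        h.update(struct.pack(">I", i) + pcrs[i])
    return h.digest()

class ToyTPM:
    """Stand-in for a TPM: PCRs plus a device-unique root secret that never leaves it."""

    def __init__(self, pcrs, root_secret):
        self.pcrs = pcrs
        self._root = root_secret

    def _wrap_key(self, policy):
        return hashlib.sha256(self._root + policy).digest()

    def seal(self, secret, indices):
        """Blob that only this device, with these PCR values, can open."""
        policy = policy_digest(self.pcrs, indices)
        key = self._wrap_key(policy)
        blob = bytes(a ^ b for a, b in zip(secret, key))
        tag = hmac.new(key, blob, hashlib.sha256).digest()
        return {"indices": tuple(indices), "policy": policy, "blob": blob, "tag": tag}

    def unseal(self, sealed):
        """None if PCRs differ from sealing time, or the blob came from another device."""
        if policy_digest(self.pcrs, sealed["indices"]) != sealed["policy"]:
            return None
        key = self._wrap_key(sealed["policy"])
        expected = hmac.new(key, sealed["blob"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sealed["tag"]):
            return None
        return bytes(a ^ b for a, b in zip(sealed["blob"], key))

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, unix_time, step=30):
    """RFC 6238 TOTP: HOTP over the 30-second time step."""
    return hotp(secret, unix_time // step)

def derive_slot_key(unsealed_secret, passphrase):
    """Secondary disk key = HMAC(TPM secret, passphrase): the same passphrase on a
    cloned disk, or after a firmware change, yields a different, useless key."""
    return hmac.new(unsealed_secret, passphrase.encode(), hashlib.sha256).digest()

def boot(tpm, sealed, phone_secret, now, slot_key, typed_passphrase):
    """One boot: unseal, compare the TOTP code with the phone, then try the disk slot."""
    secret = tpm.unseal(sealed)
    if secret is None:
        return {"attested": False, "unlocked": False}
    attested = totp(secret, now) == totp(phone_secret, now)
    unlocked = hmac.compare_digest(derive_slot_key(secret, typed_passphrase), slot_key)
    return {"attested": attested, "unlocked": unlocked}

def run_scenarios():
    """Constructed scenarios: untouched firmware, tampered boot config, cloned disk."""
    firmware = {"bios_region": b"heads-coreboot-image-v1",
                "boot_cfg": b"kernel=xen.gz initrd=initramfs hash=constructed",
                "me_region": b"neutered-me:ROMP+BUP-only"}
    good_pcrs = measure_firmware(firmware)
    secret = hashlib.sha256(b"constructed TPMTOTP secret").digest()
    tpm = ToyTPM(good_pcrs, root_secret=b"device-A-root")
    sealed = tpm.seal(secret, [0, 1, 2])
    passphrase = "constructed secondary unlock passphrase"
    slot_key = derive_slot_key(secret, passphrase)
    now = 1542200000  # fixed clock so the results are deterministic
    ok = boot(tpm, sealed, secret, now, slot_key, passphrase)
    tampered = dict(firmware, boot_cfg=b"kernel=xen.gz initrd=initramfs hash=changed")
    tampered_tpm = ToyTPM(measure_firmware(tampered), root_secret=b"device-A-root")
    bad = boot(tampered_tpm, sealed, secret, now, slot_key, passphrase)
    other_tpm = ToyTPM(good_pcrs, root_secret=b"device-B-root")  # same firmware, other device
    cloned = boot(other_tpm, sealed, secret, now, slot_key, passphrase)
    return {"ok": ok, "tampered": bad, "cloned": cloned}

if __name__ == "__main__":
    print(run_scenarios())
```

Running it shows the three outcomes the post relies on: untouched firmware attests and unlocks; a changed boot configuration fails to unseal, so neither a matching TOTP code nor the disk key can be produced; and a copy of the disk plus the sealed blob on a second device fails even with identical firmware and the correct passphrase, because the sealing is tied to that device's root secret.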

799

Nov 14, 2018, 4:15:11 PM11/14/18
to 22...@tutamail.com, Qubes users
Hello 22rip,

On Mon, 12 Nov 2018, 03:26, <22...@tutamail.com> wrote:
(...)

However I think your "..Pretty easy to maintain.." would be hell for me.
(...)

I checked out the x230 and you are right they are available and cheap. I would still be interested in finding some company/individual who I can trust to take care of the BIOS flashing for me as a service
(I would think others would also want this service as well...). The problem is who?

I was at the same point some time ago and afraid to give coreboot a try.
I went to a hacking space and got some help from experienced "Coreboot'ers".
I've seen that it is not that hard to build Coreboot and tried it myself from scratch.
If you own a X230 you might want to look at my How-to which I wrote during the process and is targeted at coreboot newbies:


If you need further help, do not hesitate to ask.
It's really not that hard to use coreboot.

- O

Holger Levsen

Nov 14, 2018, 4:30:50 PM11/14/18
to qubes...@googlegroups.com
On Sat, Nov 10, 2018 at 09:24:40AM -0800, Kyle Rankin wrote:
> It's a shame this thread got hijacked by people...
[...discussing other stuff...]

> Could someone who is responsible for the HCL please update it with the data
> I've provided in this thread? This would update the HCL with a version of
> the Librem 13v2 that provides a TPM for people who are considering running
> Qubes 4.0 with AEM.

has this (updating the HCL for Librem 13v2) happened now?


--
cheers,
Holger

qube...@tutanota.com

Nov 15, 2018, 4:07:33 AM11/15/18
to Holger Levsen, Qubes Users
Hi Holger, if this point was addressed to me :), sorry for "hijacking" the thread. The flame about Purism laptops here got a bit hot with RYF-puristic guys last time, and the questions one can work with were mostly unanswered. But they were basically right.

Just to remind you, I had a conversation directly with Todd Weaver about, if I remember properly, 2 weeks before they announced the ME cleanup. He told me in the conversation that they will completely remove the ME (2 weeks before the announcement), and they actually didn't. I am not blaming them, maybe he was just misinformed. I am just a semi-tech, and as many others I am not able to check stuff in depth, because my extensive specialization is elsewhere. I am depending in Tech-Threat-Modeling on ppl like you or Thierry or Joanna, the same way as you are depending on psychology specialists on the psychology part of your Threat Modeling (right)?

The implications of the claim "ME is completely removed" from Purism can be extensive. If I (or anyone else) advise an organization (let's say a large, influential one), as a trusted advisor, to use the Purism laptops with the claim "ME is completely removed and your attack map is shrunk to this or that" and it is not, it can kill the relation and even worse, put the organization at risk by not considering the threat in their OpSec. This is THE SHAME.

I can't help myself but, after that "mistake" from Purism I must include this to my Trust Model as a handicap for them. They should just make this clear somehow.

Thierry finally cleared this up somehow (at least for me), and put some light for decision making. This is actually something I can work with.

Have a nice day :)



Thierry Laurion

Nov 15, 2018, 4:47:48 AM11/15/18
to qubes...@googlegroups.com, 799, 22...@tutamail.com, Qubes users
Hi all,
Last intrusion to this thread.

I would strongly advise anyone interested in flashing coreboot into their x230 themselves to dig into the skulls project: https://github.com/merge/skulls/blob/master/README.md

Sincerely,
Thierry

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Holger Levsen

Nov 15, 2018, 5:16:24 AM11/15/18
to Qubes Users
On Thu, Nov 15, 2018 at 10:07:31AM +0100, qube...@tutanota.com wrote:
> > has this (updating the HCL for Librem 13v2) happened now?

this was and is my point, here+now.

Tai...@gmx.com

Nov 16, 2018, 8:50:59 PM11/16/18
to qubes...@googlegroups.com, ca...@protonmail.com
On 11/10/2018 01:33 PM, 'casiu' via qubes-users wrote:
>
> "We have four ME modules remaining to liberate (and anyone with access to our BIOS ROM or our BIOS build script
> can confirm those claims)."
>
> Last time I checked Intel still did not hand you over their signing keys?
> I'm happy to change my mind, please educate me. :) Is the ME completely shut off BEFORE the kernel boots up?

The ME kernel and init code still run before they shut off thus there is
more than enough time and abilities to perform dirty tricks.

ME/PSP is impossible to disable on modern x86 anyone who tries is
wasting money and setting back the freedom computing movement but the
pur.idiots seem to not really care about that anyways.

> If not, I'm sure you know a few ME modules more or less is completely irrelevant from a security point of view.
>
> Also, I wasn't able to find a statement of Purism about the fact that, in the beginning, they claimed the ME was "completely disabled and removed". I mean, that was obviously not true, right?

They do claim that it is "disabled" which it is not and they also claim
they have "open source coreboot firmware" which they don't since the hw
init process is entirely blobbed making coreboot nothing more than a
simple wrapper layer.

>
> From what I see, despite Purism's claims they will liberate it probably sometime, purism-bios still only initializes proprietary blobs, which also defeats the purpose. I'm not one for great conspiracy theories, and also at least for now willing to accept the term "opensource-hardware" for something with one or two small irrelevant blobs because they can't be avoided,
> but advertising hardware which runs almost entirely on closed source software (certainly, all the important parts do), that just sounds highly dishonest in my ears.
>

It sounds highly dishonest since it is.


> Last one: Would you honestly recommend people buying your products to improve their security RIGHT NOW, not someday in the future when and if your products will be completely open source. If so, why?

Puridiots pretend as though making a modern, fast and affordable owner
controlled libre computer simply can't be done which isn't true and
various companies do it (raptor computing systems, various riscv
sellers, bunnylabs etc)

Nothing is stopping them from making an OpenPOWER laptop since the
latest OpenPOWER9 code supports laptop level power saving but they say no.

> If you could provide me an answer to those questions, I would be very grateful. I read this post twice, and I hope nobody finds it offensive in any way,

People will but they're just paid shills so ignore them.

> I'm actually trying to get a productive discussion here.
> Please don't let this go emotional, rather provide people with actual, verifiable TECHNICAL FACTS.

Sad how few people do that.

Tai...@gmx.com

Nov 16, 2018, 9:21:25 PM11/16/18
to qubes...@googlegroups.com
RE: people who work for purism say i am being unfair

I am the counterpart to you guys somehow getting the tech media to
publish glorified press releases for you and everything I say is true.

People need to know the truth about what they would be purchasing, this
issue isn't and never was the fact that you are selling non-free laptops
- it is that you are claiming they are somehow open source
firmware/libre/me disabled when they are not and could never be.

Remember any code exploit for ME is illegal in the US and buying new
intel/amd x86 hardware supports further anti-feature development...why
not make an OpenPOWER laptop? nothing is stopping you besides the false
belief that it is somehow impossible to make and sell owner controlled
hardware that is fast and modern - other companies are doing instead of
trying.

The business model of somehow keeping up open source firmware releases
with new x86 hardware without any vendor cooperation is impossible - it
would take years and millions to reverse engineer FSP thus x86 will
never be free.

On 11/13/2018 06:03 AM, qube...@tutanota.com wrote:
> Sorry to jump out of the Purism thing. Some weeks ago I put here the question too and it was a bit stormy, so I keep it aside.
>
> Mate, you mention the "Lenova 400 series". That was my question shortly before in my post. I am planning to buy this guy: https://tehnoetic.com/tet-t400s It is RYF and so the ME and AMT is completely removed. My question was, if I could run Qubes 4 on it. The answer was it is too old to have the required virtualization needed to run Qubes 4.
>
> Now, do you think the RYF T400s above, which is the T400 series you mention, could run Qubes 4? This would be great. One could run the reasonably secure OS on reasonably secure HW. Yay!
>

It can't since there is no working IOMMU with coreboot and it lacks real
security due to intels first gen iommu being terrible.

X230 can't have ME disabled like T400 only nerfed the hw init "bup"
module still runs (although more than skylake stuff where the kernel
runs and then is politely asked to shut off)

Get an A10 quad core G505s (no ME/PSP) IMO it isn't that hard to compile
and install coreboot - myself and various others are willing to help
owner controlled system users for free if you run in to trouble.

The G505s and other AMD FT3 systems are the only owner controlled Qubes
4.0 compatible laptops, and they don't have the huge performance penalty
the Intel stuff does due to the Spectre fixes.

Todd Weaver started and owns the company, so he isn't misinformed; he is
simply used to making claims he can't deliver because he has no ethics,
no real technical skills, and he still fails to listen to those who do.

799

unread,
Nov 17, 2018, 1:53:35 AM11/17/18
to Thierry Laurion, 22...@tutamail.com, Qubes users
Hello Thierry,

On Thu., 15 Nov. 2018, 10:47, Thierry Laurion <thierry...@gmail.com> wrote:
[...]
I would strongly advise anyone interested in flashing coreboot onto their x230 themselves to dig into the skulls project: https://github.com/merge/skulls/blob/master/README.md
[...]

I have already heard of skulls, but I think that there should be more information on the GitHub page about what the benefit of using skulls over a normal coreboot installation is, and maybe even a dedicated page which will walk you through the whole process.
Even more so, as it is currently only supported on the x230 (which I also own), it shouldn't be too hard to do this.

Proper documentation is very important to convince others to try things like coreboot, even when they're not super technical experts.

- O

799

unread,
Nov 17, 2018, 2:06:40 AM11/17/18
to Tai...@gmx.com, qubes...@googlegroups.com
Hello Taiidan,

On Sat., 17 Nov. 2018, 03:21, Tai...@gmx.com <Tai...@gmx.com> wrote:
[...]

I am the counterpart to you guys somehow getting the tech media to
publish glorified press releases for you and everything I say is true.

Which articles do you mean?

People need to know the truth about what they would be purchasing; this
issue isn't and never was the fact that you are selling non-free laptops
- it is that you are claiming they are somehow open source
firmware/libre/me disabled when they are not and could never be.

So a free laptop is a laptop that has everything Purism does, but including a disabled ME?
At the same time you're saying it is impossible to do so?
So Purism would be the most free laptop you can buy today off the shelf, is this correct?
Doesn't sound too bad to me ;-)

Remember any code exploit for ME is illegal in the US, and buying new
Intel/AMD x86 hardware supports further anti-feature development... why
not make an OpenPOWER laptop? Nothing is stopping you besides the false
belief that it is somehow impossible to make and sell owner controlled
hardware that is fast and modern - other companies are doing it instead of
trying.

Where can I buy an OpenPOWER laptop, how will this help me, and will Qubes OS run on it (today)?

The business model of somehow keeping up open source firmware releases
with new x86 hardware without any vendor cooperation is impossible - it
would take years and millions to reverse engineer FSP, thus x86 will
never be free.

This may be correct, but then there is no need to use this argument in every discussion.
We must try to do what is currently possible.
This is also how I understand the "reasonable" in the quote "reasonably secure".
Best effort and delivering is most of the time a better approach than trying to be perfect.

Get an A10 quad core G505s (no ME/PSP). IMO it isn't that hard to compile
and install coreboot - myself and various others are willing to help
owner controlled system users for free if you run into trouble.

The G505s is a very ugly, heavy and old machine which seems to be a consumer notebook.
In my opinion (!) - I totally respect that others have a different opinion.
But please do also accept that some people just don't want to buy this laptop for their own personal reasons.

Todd Weaver started and owns the company, so he isn't misinformed; he is
simply used to making claims he can't deliver because he has no ethics,
no real technical skills, and he still fails to listen to those who do.

Do you know Todd? What is the reason for blaming people? I think it's great that people have choices!!
You even have the choice to set up your own company ;-)


I really don't understand why there is so much engagement in blaming Purism.
I think it is really great if people have the chance to buy "other" laptops.
And a Purism laptop is "very likely higher on the reasonably secure" scale than a normal Windows laptop, and even than a laptop running Qubes without coreboot and co.

Honestly I wouldn't feel much more secure even if Intel ME were completely gone; I think that the attack surface is reduced when running Qubes, coreboot, or if I buy Purism.

Purism is good at marketing and this is not a crime. There are so many people who will never ever buy hardware which is 5 years old and spend lots of time installing Linux/coreboot etc.
But still they might be interested in running "better" hardware or software and are interested in getting support.
Therefore I am lucky that companies are selling Linux to those people.

Purism, thinkpenguin, all others -> THANKS!

@taiidan:
And thank you for your community engagement, don't get me wrong.

- O

799

unread,
Nov 17, 2018, 2:23:32 AM11/17/18
to Tai...@gmx.com, qubes...@googlegroups.com, ca...@protonmail.com
Hello,

On Sat., 17 Nov. 2018, 02:50, Tai...@gmx.com <Tai...@gmx.com> wrote:
[...]

ME/PSP is impossible to disable on modern x86 anyone who tries is
wasting money and setting back the freedom computing movement but the
pur.idiots seem to not really care about that anyways.

So do you think it is better for the freedom computing movement if my neighbour, who is not an "IT guy", buys a Windows 10 Surface Book or a MacBook instead of a Purism laptop?
Maybe he wants to choose exactly between these laptops because he doesn't want to buy old hardware (which is exactly the freedom he should have).


If not, I'm sure you know a few ME modules more or less is completely irrelevant from a security point of view.

Why is this irrelevant? Is it also irrelevant to run coreboot?

Also, I wasn't able to find a statement from Purism about the fact that, in the beginning, they claimed the ME was "completely disabled and removed". I mean, that was obviously not true, right?

Which quote on the website are you arguing against and have you asked them in a nice way to change it so that users are more informed that Intel ME can't be fully disabled?
What was the answer from Purism?

They do claim that it is "disabled" which it is not and they also claim
they have "open source coreboot firmware" which they don't since the hw
init process is entirely blobbed making coreboot nothing more than a
simple wrapper layer.

I don't know enough about the coreboot details; basically, is the coreboot Purism is using less (reasonably) secure than the coreboot installation we are running on X2xx, T4xx etc.?
What is the difference? I am really interested.

but advertising hardware which runs almost entirely on closed source software (certainly, all the important parts do), that just sounds highly dishonest in my ears

Do you really think that the biggest attack vector is the not fully disabled Intel ME stuff/blobs?
In this case it wouldn't make a difference if users ran Windows on top of Purism hardware.
Hard to believe.

Puridiots pretend as though making a modern, fast and affordable owner
controlled libre computer simply can't be done which isn't true and
various companies do it (raptor computing systems, various riscv
sellers, bunnylabs etc)

Will those computers have the same specs as Purism and do they run Qubes?

Nothing is stopping them from making an OpenPOWER laptop since the
latest OpenPOWER9 code supports laptop level power saving but they say no.

I am sure that someone will do this if there is a market for it.

People will, but they're just paid shills, so ignore them.

Which people??

Sad how few people do that.

It's also sad that people don't get that it is important not only what you say but also how you say it if you want to get through with your arguments.
If someone called me "Puridiots" while I was working for Purism and taking part in a discussion here, I would ignore those people.
"Puridiots" sounds so "trumpish" to me; don't go down this road.

- O

Anac

unread,
Nov 17, 2018, 4:10:45 AM11/17/18
<