HCL - Purism Librem 13 v2

Kyle Rankin

Sep 14, 2018, 2:11:36 PM
to qubes...@googlegroups.com
Install works out of the box with no warnings. I haven't run into any
issues with hardware compatibility--hardware in general works (video,
audio, all ports, Fn keys). Hardware Kill Switches work as expected within
Qubes. Suspend/resume works.

By default it works with the standard included coreboot BIOS but I've also
tested it with Heads using the TPM and that works as well.
Qubes-HCL-Purism-Librem_13_v2-20180914-110517.yml

Tai...@gmx.com

Sep 14, 2018, 6:59:11 PM
to qubes...@googlegroups.com
Everyone please be aware that purism's marketing is dishonest.

Their products do not have open source firmware[1] and the ME is not
disabled (the kernel still runs along with mask roms and the me hw init
code)

Intel chips or any new x86 for that matter do NOT respect your privacy!

[1]Their coreboot is simply a shim loader layer for Intel's FSP binary
blob that performs the hardware initiation - these days coreboot doesn't
necessarily mean open source firmware.

In terms of laptops it is much better to purchase for instance an owner
controlled pre-PSP AMD G505S[2] which has open cpu/ram init via coreboot
or one of the ivy/sandy thinkpads which while not owner controlled are
significantly more free than puri.crap as they have open cpu/ram/gpu
init via coreboot and their ME can be nerfed down to the BUP layer, which,
while not at all equivalent to not having an ME at all such as on
non-x86 arches or pre-PSP AMD, is still much better.

All of my laptop recommendations here work great with Qubes 4.0 and
there is a nice little qubes g505s community.

[2](for the best user experience make sure to get the highest end quad
core A10 model if you buy one - although the less expensive A6 quad core
models are still quite usable)


I do not have an issue with purism selling non-free laptops - I have an
issue with them being dishonest.

qube...@tutanota.com

Sep 15, 2018, 6:30:25 AM
to Tai...@gmx.com, Qubes Users
Hi, during my email conversation with Todd Weaver in the pre-IME-disabled time, he told me they will fully disable the IME and AMT within the next week. After about a week they announced they did just that. Are these links a lie?
https://puri.sm/posts/measuring-the-intel-me-to-create-a-more-secure-computer/
https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/

Talking about alternatives: how does Qubes 4.0 stand with the RYF certified X200? Like for example this one: https://tehnoetic.com/laptops/tet-x200s and others like the T400 and T500, which can be found there as well. Working well? Any issues known?
Thank you



casiu

Sep 15, 2018, 11:32:23 AM
to qube...@tutanota.com, qubes...@googlegroups.com
Unfortunately, yes, those links are definitely a lie.
I'm not going to even comment on their dishonest advertising language, but in short: there is a huge difference between removing something for good or verifying that most likely nothing has been changed.
Also, the Intel ME thing is, from what I have been told, totally over the top; the real issues with Purism products lie elsewhere.

I recently got interested in this topic and almost bought a Purism, but luckily asked first in the coreboot IRC. I'd really recommend doing some research.
There are plenty of sites which show the technical reasons why one should never buy Purism stuff.
That being said, Purism's current approach using HEADS is a lot better than the stuff they sold in the beginning; one could argue that their current laptops might actually improve your security a little bit.
If it's worth the extra money is a personal choice; I myself feel like it's just way too much money for a device which STILL runs almost entirely on proprietary software.
If you are serious about your security, I'd recommend a G505s (I don't have one though) or an x230; I do have one, and it rocks.

There will be no blobs whatsoever present except the EC blob (probably liberated soon) and the BUP module.
Also, they are highly modular (someone custom built mine with FHD display, classic style keyboard, external antenna etc. etc., and I fucking love it ;).


Sent with ProtonMail Secure Email.


dangm...@gmail.com

Sep 15, 2018, 1:17:02 PM
to qubes-users
This made me laugh out loud. All your ranting and raving about security and dishonesty, and you sent the message using PROTON MAIL. Good lord. Talk about dishonesty and pseudo-security.

casiu

Sep 15, 2018, 6:51:48 PM
to dangm...@gmail.com, qubes...@googlegroups.com
You are confusing security with privacy. I'm using ProtonMail because it's one of the very few email providers where one is able to register an account without providing any personal data. I don't have the need nor time nor skill to set up / maintain an email server.
Simply because I distrust everything except my own laptop.

But you're right, Gmail for sure is the better choice.

For security (not privacy) you might wanna look into PGP, here you go.

https://en.wikipedia.org/wiki/Pretty_Good_Privacy

You're welcome.


Sent with ProtonMail Secure Email.


awokd

Sep 16, 2018, 2:51:19 AM
to qube...@tutanota.com, tai...@gmx.com, Qubes Users
On Sat, September 15, 2018 10:30 am, qube...@tutanota.com wrote:
> Hi, during my email conversation with Todd Weaver in the
> pre-IME-disabled time, he told me they will fully disable the IME and AMT
> within the next week. After about a week they announced they did just that.
> Are these links a lie?
> https://puri.sm/posts/measuring-the-intel-me-to-create-a-more-secure-computer/
> https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/

"Lie" depends on your definition of "completely". Skylake onwards
processors can have much of ME disabled. I believe Purism with Heads and a
handful of other manufacturers are using the technique here:
http://blog.ptsecurity.com/2017/08/disabling-intel-me.html, but as you can
see there are still some modules required for initialization before the
HAP bit takes effect and skips the remainder. Additionally, there is an
FSP blob needed for init. Currently shipping AMD CPUs are no better.

> Talking about alternatives: how does Qubes 4.0 stand with the RYF certified
> X200? Like for example this one: https://tehnoetic.com/laptops/tet-x200s
> and others like the T400 and T500,
> which can be found there as well. Working well? Any issues known? Thank
> you

At present, RYF has not certified any laptops with hardware capable of
running Qubes 4.0, but there are a couple older AMDs that can. A scale of
hardware openness/owner control from most to least would be something
like:

10: OpenPOWER, RYF certified x86 with all blobs replaced- Qubes 4.0 can't
run on either
8: older AMD like A10-5750M- a couple blobs required but Qubes 4.0 works
on these and the rest listed
6: pre-Skylake Intel with ME/HAP tweaks- a few more blobs and 2 ME modules
required
4: Skylake+ Intel with ME/HAP tweaks, AMD Ryzen with PSP disabled in UEFI
config- more blobs and modules required
0: Intel/AMD x86 with no tweaks- most shipping volume today

ARM (& possibly RISC) is a special case in that the integrator can decide
where on the scale they want to deliver their product, but neither supports
Qubes 4.0.

Dave

Sep 16, 2018, 3:57:34 AM
to qubes-users
>
> This made me laugh out loud. All your ranting and raving about security and dishonesty, and you sent the message using PROTON MAIL. Good lord. Talk about dishonesty and pseudo-security.

Off Topic - but... would you care to elaborate what fault you alleged in Protonmail and your source?

qube...@tutanota.com

Sep 17, 2018, 6:15:28 AM
to Dave, qubes-users
It is off-topic, but I guess he is referring to the need to run JS to have ProtonMail running in a web browser and to register, or the need to run Bridge to use Thunderbird. The JS can be replaced at any time with a malicious one and it is game over.

All clear but it really depends on the OPSEC one has.

My point here was actually about running Qubes, which I consider one of the best security solutions available out there in tandem with Tails, on hardware that is as secure as possible. I know I know.... don't stone me, but if I use a reasonably secure OS, I would like to use it on reasonably secure hardware (laptop), if that's anyhow possible.



Tai...@gmx.com

Sep 17, 2018, 5:52:49 PM
to qubes...@googlegroups.com
On 09/16/2018 02:51 AM, 'awokd' via qubes-users wrote:
> On Sat, September 15, 2018 10:30 am, qube...@tutanota.com wrote:
>> Hi, during my email conversation with Todd Weaver

That liar comes out of nowhere with his super slick marketing and sets
the computing freedom movement back 10 years.

At first I thought it was just being naive but now as he persists it
seems more like malice.

puri.junk does NOT respect you, it is fully blobbed and the ME is not at
all disabled.

Todd Weaver is a lying fraudster.

>> in the
>> pre-IME-disabled time, he told me they will fully disable the IME and AMT
>> within the next week. After about a week they announced they did just that.
>> Are these links a lie?
>> https://puri.sm/posts/measuring-the-intel-me-to-create-a-more-secure-computer/
>> https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/
>
> "Lie" depends on your definition of "completely". Skylake onwards
> processors can have much of ME disabled. I believe Purism with Heads and a
> handful of other manufacturers are using the technique here:
> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html, but as you can
> see there are still some modules required for initialization before the
> HAP bit takes effect and skips the remainder. Additionally, there is an
> FSP blob needed for init. Currently shipping AMD CPUs are no better.

Skylake kernel still runs, that is not disabled and there is more than
enough ability to play dirty tricks like SMM rootkits or what not.

HAP is asking politely.

>
>> Talking about alternatives: how does Qubes 4.0 stand with the RYF certified
>> X200? Like for example this one: https://tehnoetic.com/laptops/tet-x200s
>> and others like the T400 and T500,
>> which can be found there as well. Working well? Any issues known? Thank
>> you
>
> At present, RYF has not certified any laptops with hardware capable of
> running Qubes 4.0, but there are a couple older AMDs that can. A scale of
> hardware openness/owner control from most to least would be something
> like:
>
> 10: OpenPOWER, RYF certified x86 with all blobs replaced- Qubes 4.0 can't
> run on either

Since you mention power and there aren't currently any laptops do you
mean laptops or desktops? In terms of desktops there are a variety that
qubes 4.0 can run on.

The future is POWER for all...

> 8: older AMD like A10-5750M- a couple blobs required but Qubes 4.0 works
> on these and the rest listed
> 6: pre-Skylake Intel with ME/HAP tweaks- a few more blobs and 2 ME modules
> required
> 4: Skylake+ Intel with ME/HAP tweaks, AMD Ryzen with PSP disabled in UEFI
> config- more blobs and modules required

That doesn't disable it! You are simply asking nicely for it to shut off
and hoping that it does so. It is not at all equivalent to say pre-core
Intel systems where one really could disable it or even better one that
doesn't have any black boxes like the talos.

qube...@tutanota.com

Sep 17, 2018, 6:09:14 PM
to Tai...@gmx.com, Qubes Users
Looks like it is a bit of a blind way. To use the reasonably secure OS without the possibility to use it on reasonably secure HW is an issue which needs to be addressed a bit. I originally guessed that Qubes would run on the RYF devices well, and I am quite surprised it doesn't (doesn't it?). Is there any strong issue which prevents Qubes from functioning with RYF devices?

Am I missing something in the assumption that RYF devices, with the known IME-AMT security hole disabled, with coreboot instead of BIOS and so on, have more security potential than the non-RYFs?

I need a working laptop. Desktop is not an option.



awokd

Sep 18, 2018, 6:12:26 AM
to qubes...@googlegroups.com


Tai...@gmx.com:
> On 09/16/2018 02:51 AM, 'awokd' via qubes-users wrote:

>> At present, RYF has not certified any laptops with hardware capable of
>> running Qubes 4.0, but there are a couple older AMDs that can. A scale of
>> hardware openness/owner control from most to least would be something
>> like:
>>
>> 10: OpenPOWER, RYF certified x86 with all blobs replaced- Qubes 4.0 can't
>> run on either
>
> Since you mention power and there aren't currently any laptops do you
> mean laptops or desktops? In terms of desktops there are a variety that
> qubes 4.0 can run on.

You're right, forgot the RYF desktops which support 4.0.

> The future is POWER for all...
>
>> 8: older AMD like A10-5750M- a couple blobs required but Qubes 4.0 works
>> on these and the rest listed
>> 6: pre-Skylake Intel with ME/HAP tweaks- a few more blobs and 2 ME modules
>> required
>> 4: Skylake+ Intel with ME/HAP tweaks, AMD Ryzen with PSP disabled in UEFI
>> config- more blobs and modules required
>
> That doesn't disable it! You are simply asking nicely for it to shut off
> and hoping that it does so. It is not at all equivalent to say pre-core
> Intel systems where one really could disable it or even better one that
> doesn't have any black boxes like the talos.

I know, that's why I didn't rate this higher on my invented scale.

awokd

Sep 18, 2018, 6:19:58 AM
to qubes...@googlegroups.com
qube...@tutanota.com:
> Looks like it is a bit of a blind way. To use the reasonably secure OS without the possibility to use it on reasonably secure HW is an issue which needs to be addressed a bit. I originally guessed that Qubes would run on the RYF devices well, and I am quite surprised it doesn't (doesn't it?). Is there any strong issue which prevents Qubes from functioning with RYF devices?

There are no RYF laptops with CPUs that support Intel VT-x with EPT /
AMD-V with RVI (SLAT) and Intel VT-d / AMD-Vi (aka AMD IOMMU).

> Am I missing something in the assumption that RYF devices, with the known IME-AMT security hole disabled, with coreboot instead of BIOS and so on, have more security potential than the non-RYFs?
>
> I need a working laptop. Desktop is not an option.

Check the scale I posted for options. A corebooted Lenovo G505s with
microcode update comes close to RYF.

Kyle Rankin

Nov 10, 2018, 12:24:45 PM
to qubes...@googlegroups.com
It's a shame this thread got hijacked by people slandering the company.
Could someone who is responsible for the HCL please update it with the data
I've provided in this thread? This would update the HCL with a version of
the Librem 13v2 that provides a TPM for people who are considering running
Qubes 4.0 with AEM.

-Kyle

PS. For what it's worth we continue to work earnestly behind the scenes to
liberate the remaining binary blobs (FSP and what remains of the ME after
we disable and delete the majority of the modules) because we want to
provide people with modern hardware that runs blob-free. For the ME, we
have already documented what we have done to attempt to both disable (HAP)
and neuter (zero out modules) the ME. We have four ME modules remaining to
liberate (and anyone with access to our BIOS ROM or our BIOS build script
can confirm those claims). Those of you who work in this space are aware of
the challenges behind all of this and if anyone wants to help us in
liberating the FSP and the remaining four ME modules that are present we
would certainly welcome the help.

> ---
> layout:
>   'hcl'
> type:
>   'laptop'
> hvm:
>   'yes'
> iommu:
>   'yes'
> slat:
>   'yes'
> tpm:
>   ''
> remap:
>   'yes'
> brand: |
>   Purism
> model: |
>   Librem 13 v2
> bios: |
>   4.7-Purism-4-heads
> cpu: |
>   Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz
> cpu-short: |
>   FIXME
> chipset: |
>   Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Host Bridge/DRAM Registers [8086:1904] (rev 08)
> chipset-short: |
>   FIXME
> gpu: |
>   Intel Corporation HD Graphics 520 [8086:1916] (rev 07) (prog-if 00 [VGA controller])
>   Intel Corporation Device [8086:9d24] (rev 21)
> gpu-short: |
>   FIXME
> network: |
>   Qualcomm Atheros AR9462 Wireless Network Adapter (rev 01)
> memory: |
>   16298
> scsi: |
>   Samsung SSD 850 Rev: 2B6Q
>   Samsung SSD 850 Rev: 1B6Q
> usb: |
>   1
> versions:
>
> - works:
>     'FIXME:yes|no|partial'
>   qubes: |
>     R4.0
>   xen: |
>     4.8.4
>   kernel: |
>     4.14.57-2
>   remark: |
>     FIXME
>   credit: |
>     FIXAUTHOR
>   link: |
>     FIXLINK
>
> ---
>
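
Added example, not part of the thread and not Qubes project code: a small Python check that reads an HCL report in the layout quoted above and tests it against the CPU features awokd lists for Qubes 4.0 (VT-x/AMD-V, EPT/RVI, VT-d/AMD-Vi) and the TPM that Kyle mentions for AEM. The function names, the reading of an empty `tpm` field as "not reported", and the second sample report are assumptions made for illustration.

```python
import re

# Constructed sample: capability fields from the Librem 13 v2 report quoted
# in the thread, with two-space indentation under each key.
LIBREM_HCL = """\
---
hvm:
  'yes'
iommu:
  'yes'
slat:
  'yes'
tpm:
  ''
brand: |
  Purism
model: |
  Librem 13 v2
versions:

- works:
    'FIXME:yes|no|partial'
---
"""

# Constructed sample (hypothetical machine): virtualization without SLAT or IOMMU.
OLDER_HCL = """\
---
hvm:
  'yes'
iommu:
  'no'
slat:
  'no'
tpm:
  'yes'
model: |
  Hypothetical older laptop
versions:
---
"""

# Features the thread names as needed for Qubes 4.0, keyed by HCL field.
REQUIRED_FOR_R4 = {
    "hvm": "Intel VT-x / AMD-V",
    "slat": "EPT / RVI (SLAT)",
    "iommu": "Intel VT-d / AMD-Vi",
}

TOP_LEVEL_KEY = re.compile(r"^([a-z][a-z-]*):\s*\|?\s*$")


def parse_hcl(text):
    """Return the top-level fields of an HCL report as a dict of strings."""
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "---":
            continue
        match = TOP_LEVEL_KEY.match(line)
        if match:
            key = match.group(1)
            if key == "versions":  # per-release list follows; not needed here
                break
            fields[key] = ""
        elif key is not None and line[0] in " \t":
            value = line.strip().strip("'\"")
            # Multi-line values (e.g. several GPUs) are joined with newlines.
            fields[key] = f"{fields[key]}\n{value}".strip()
    return fields


def assess(fields):
    """Check the report against the Qubes 4.0 features and the TPM used by AEM."""
    missing = [k for k in REQUIRED_FOR_R4 if fields.get(k, "").lower() != "yes"]
    tpm = fields.get("tpm", "").lower()
    # Assumption: anything other than an explicit yes/no means the report did
    # not record the TPM, which is different from the TPM being absent.
    tpm_state = tpm if tpm in ("yes", "no") else "not reported"
    return {
        "model": fields.get("model", "unknown"),
        "meets_r4_requirements": not missing,
        "missing": missing,
        "tpm": tpm_state,
        "aem_ready": not missing and tpm_state == "yes",
    }


if __name__ == "__main__":
    for report in (LIBREM_HCL, OLDER_HCL):
        result = assess(parse_hcl(report))
        print(result["model"])
        for key in result["missing"]:
            print(f"  missing {key}: {REQUIRED_FOR_R4[key]}")
        print(f"  Qubes 4.0 CPU features present: {result['meets_r4_requirements']}")
        print(f"  TPM: {result['tpm']}  (AEM usable per report: {result['aem_ready']})")
```

The `tpm` field in the quoted report is empty, so the check returns "not reported" for it instead of treating the TPM as absent.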

Holger Levsen

Nov 10, 2018, 12:30:28 PM
to qubes...@googlegroups.com
On Sat, Nov 10, 2018 at 09:24:40AM -0800, Kyle Rankin wrote:
> It's a shame this thread got hijacked by people slandering the company.

indeed.

> PS. For what it's worth we continue to work earnestly behind the scenes to
> liberate the remaining binary blobs (FSP and what remains of the ME after
> we disable and delete the majority of the modules) because we want to
> provide people with modern hardware that runs blob-free. For the ME, we
> have already documented what we have done to attempt to both disable (HAP)
> and neuter (zero out modules) the ME. We have four ME modules remaining to
> liberate (and anyone with access to our BIOS ROM or our BIOS build script
> can confirm those claims). Those of you who work in this space are aware of
> the challenges behind all of this and if anyone wants to help us in
> liberating the FSP and the remaining four ME modules that are present we
> would certainly welcome the help.

thanks for this interesting update. Much appreciated!


--
cheers,
Holger

-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
signature.asc

casiu

Nov 10, 2018, 1:33:19 PM
to qubes...@googlegroups.com

"We have four ME modules remaining to liberate (and anyone with access to our BIOS ROM or our BIOS build script
can confirm those claims)."

Last time I checked Intel still did not hand you over their signing keys?
I'm happy to change my mind, please educate me. :) Is the ME completely shut off BEFORE the kernel boots up?
If not, I'm sure you know a few ME modules more or less is completely irrelevant from a security point of view.

Also, I wasn't able to find a statement from Purism about the fact that, in the beginning, they claimed the ME was "completely disabled and removed". I mean, that was obviously not true, right?

From what I see, despite Purism's claims that they will liberate it probably sometime, purism-bios still only initializes proprietary blobs, which also defeats the purpose. I'm not one for great conspiracy theories, and also at least for now willing to accept the term "opensource-hardware" for something with one or two small irrelevant blobs because they can't be avoided,
but advertising hardware which runs almost entirely on closed source software (certainly, all the important parts do), that just sounds highly dishonest to my ears.

Last one: Would you honestly recommend people buying your products to improve their security RIGHT NOW, not someday in the future when and if your products will be completely open source? If so, why?

If you could provide me an answer to those questions, I would be very grateful. I read this post twice, and I hope nobody finds it offensive in any way; I'm actually trying to get a productive discussion here.
Please don't let this go emotional, rather provide people with actual, verifiable TECHNICAL FACTS.

Happy to learn something new, Casiu.


Sent with ProtonMail Secure Email.


Kyle Rankin

Nov 10, 2018, 2:33:53 PM
to qubes...@googlegroups.com
I would have preferred to keep this thread focused on the HCL and not get
too derailed off-topic. I'll try to keep this brief and apologies to the
moderators for continuing the off-topic thread. I'll give a reply and then
leave it.

As someone who's working inside the org every day earnestly to try to
improve everyone's security and freedom, I guess I don't get all the
animosity, as I don't know of too many other organizations who are trying
as we are to advance the cause of liberating these closed modules. I don't
agree with the "all or nothing" approach some people are touting--having a
motherboard without AMT at all, and with an ME that is reflashed to have
most of its code removed is, to me, a much better situation than what you
can get off the shelf. Is it 100% there? Of course not, but we are truly
working to get it there.

Other replies inline:

On Sat, Nov 10, 2018 at 06:33:05PM +0000, 'casiu' via qubes-users wrote:
>
> "We have four ME modules remaining to liberate (and anyone with access to our BIOS ROM or our BIOS build script
> can confirm those claims)."
>
> Last time I checked Intel still did not hand you over their signing keys?
> I'm happy to change my mind, please educate me. :) Is the ME completely shut off BEFORE the kernel boots up?
> If not, I'm sure you know a few ME modules more or less is completely irrelevant from a security point of view.
>

As part of reflashing the BIOS we reflash the ME so when the system boots
it is running from the remaining four modules (kernel, supporting kernel
libraries) in the ME that initialize the hardware. The high level info is
here:

https://puri.sm/learn/intel-me/

And the more detailed technical information is here:

https://puri.sm/posts/deep-dive-into-intel-me-disablement/

> Also, I wasn't able to find a statement from Purism about the fact that, in the beginning, they claimed the ME was "completely disabled and removed". I mean, that was obviously not true, right?

I can only comment on the current state of things and what we have tried to
be open about on our site. I don't recall them using words like
"completely" but I also wasn't working there at the time.

>
> From what I see, despite Purism's claims that they will liberate it probably sometime, purism-bios still only initializes proprietary blobs, which also defeats the purpose. I'm not one for great conspiracy theories, and also at least for now willing to accept the term "opensource-hardware" for something with one or two small irrelevant blobs because they can't be avoided,
> but advertising hardware which runs almost entirely on closed source software (certainly, all the important parts do), that just sounds highly dishonest to my ears.
>

We may have to agree to disagree here, as I wouldn't characterize loading
an open source coreboot BIOS that includes Intel FSP binary blobs and the
remaining few percent of the closed ME code that we haven't freed yet, and
then boots into a completely free software OS as "almost entirely on closed
source software." It sounds like you are assigning much more importance and
weight into the FSP than I am when thinking about the whole system.

> Last one: Would you honestly recommend people buying your products to improve their security RIGHT NOW, not someday in the future when and if your products will be completely open source? If so, why?

I would. For one, we are one of the few companies who are actively working
to improve the current situation with respect to closed firmware and
software on regular laptops. Not everyone has the ability to reflash
firmware themselves to apply an open source BIOS and erase most of the ME
and so we provide hardware that has that already applied. There are still
binary blobs remaining but we are working to remove those as well.

A lot of the arguments seem to center on some belief that we aren't genuine
in our beliefs because we've set big goals, some of which are long term,
and therefore haven't achieved all of those goals yet. For what it's worth,
we have gone to the extra effort to codify our ethical stance into our
corporate Social Purpose Corporation (SPC) charter and mean what we say.

I personally am working to include Heads as a default tamper-detecting BIOS
option for more security-minded people who order our hardware. Our hardware
runs Qubes 4.0 out of the box and it is the primary OS on both my personal
and work laptops (both Librems). We are actively working to integrate our
Librem Key USB security token with Heads (my PR was just merged this past
week) to provide a simple way to detect tampering in the BIOS and
kernel/initrd/grub config.

Is there still more work to do? Sure. But then I've always liked to be busy
and hated being bored at work. Security is like golf. You try to get closer
to the hole with every stroke. If you just try to get a hole in one every
time you will lose.

-Kyle

unman

Nov 10, 2018, 9:46:18 PM
to qubes...@googlegroups.com
On Sat, Nov 10, 2018 at 11:33:48AM -0800, Kyle Rankin wrote:
>
> > Also, I wasn't able to find a statement of Purism about the fact that, in the beginning, they claimed the ME was "completely disabled and removed". I mean, that was obviously not true, right?
>
> I can only comment on the current state of things and what we have tried to
> be open about on our site. I don't recall them using words like
> "completely" but I also wasn't working there at the time.
>

I find this somewhat disingenuous.

Original claims:

"This is the first laptop to be manufactured where there is no mystery
software. This means that there are absolutely no proprietary drivers
in the linux kernel, no Linux kernel binary blobs, and no proprietary
software applications required to operate this computer."

Later:
"We promise that a Purism system and all its components will be free
according to the strictest of guidelines set forth by the FSF's Free
Software Definition."

By 2016, the company had (under pressure) rolled back on these claims,
and acknowledged that the BIOS and Intel Binaries required binary blobs.

The "completely" claim is in the October 19 2017 post - "Purism Librem
Laptops Completely Disable Intel's Management Engine"

I think that what bothers people is that the early claims were either false
or misleading. I had concerns about the whole "Qubes endorsed" debacle.
I believe issues like these raise questions about the probity of the company,

unman

22...@tutamail.com

Nov 11, 2018, 12:07:42 AM
to qubes-users
Tough questions and discussion but in the spirit of finding the "best" we can get laptop for Qubes 4.0 (Best being defined as: available to purchase, priced right, most open, most "reasonably" secure and...."reasonably simple" to maintain), for me I see the following as my best options, ranked:

Lenovo Carbon 5G X1
Available
Good RAM
Little pricey
Easy install/maintain? Not sure if I can flash these BIOS...

Lenovo 400 series
Available
Affordable
Limited RAM?
Little boxy
Easier to install/maintain

Librem "whatever" model
Available
NOT Affordable
Limited RAM?
Reasonably easy to install/maintain!

G505
NOT as Available
Affordable
Limited RAM?
Very boxy?
Tough to install/maintain (Flash BIOS?? Out of my scope...)


200 series
NOT as Available?
Affordable
Limited RAM?
Very boxy?
Tough to install/maintain! (Flash BIOS?? Out of my scope...)


Dell/HP/Other?
I don't know, but I suspect Qubes was developed on Lenovos yet select models work

Desk Tops
I need a laptop...

Keep in mind I might weigh some of the "Easy to install/maintain" perspective more heavily but I see my best options as:

1)Carbon X1 being the ultimate winner (if I want to invest the $1k)
2)T400+ series for the budget concerned
3)Librem if you want to get the best you can without the "fuss" and pay some $$
4)G505/200 if you have the technical know-how/experience


What I am struggling to weigh is the security/privacy/trust compromises and implications I have made/would make? I know G505/200 type products are most secure but how can I get one pre-installed and done (Easy) yet still balance trust, security, affordability, etc....I fear the open source BIOS are out of my technical scope to install and maintain.

I find Librem intriguing with the easiest "most" open source option for the "reasonable" layman(person)...sure not Intel/AMD/government secure but at least non chip maker collusion secure? Let's assume Librem screwed up initially with their claims....are they clear now? Is their product a good option?

Decisions, Decisions...


unman

Nov 11, 2018, 10:45:25 AM
to qubes-users
lenovo x230s are still widely available, and great for Qubes. Limited to
16GB RAM, but even with HDD and 12 GB perfectly serviceable for
Qubes4.0. And *cheap*.
Pretty easy to maintain, and no problem with flashing BIOS from linux.
I'd still recommend - boxy is the new black.

unman

22...@tutamail.com

Nov 11, 2018, 9:25:58 PM
to qubes-users
Unman your posts have been extremely helpful to me and I can't thank you enough for the help (I am sure many others would agree).

However I think your "..Pretty easy to maintain.." would be hell for me.

Librem (and maybe the Majora line) have huge appeal for me as they take care of the BIOS flashing.

I checked out the x230 and you are right they are available and cheap. I would still be interested in finding some company/individual who I can trust to take care of the BIOS flashing for me as a service (I would think others would also want this service as well...). The problem is who?

Thanks...

("-boxy is the new black." Good one and couldn't agree more...very funny!)

Thierry Laurion

Nov 12, 2018, 1:30:54 AM
to 22...@tutamail.com, qubes...@googlegroups.com
Hi!
> I checked out the x230 and you are right they are available and cheap. I would still be interested in finding some company/individual who I can trust to take care of the BIOS flashing for me as a service(I would think others would also want this service as well...). The problem is who?

I started Insurgo Technologies Libres/Open Technologies exactly for that! (https://www.facebook.com/InsurgoTech/insights/?section=navPosts)

We actually reprogram A-Grade refurbished x230 with Heads firmware (http://osresearch.net/), while neutralizing Intel ME (https://github.com/osresearch/heads-wiki/blob/master/Clean-the-ME-firmware.md) while being there.

I have been collaborating with Heads and QubesOS developers for a while now.
QubesOS can even be preinstalled with user's desired customizations (https://github.com/SkypLabs/my-qubes-os-formula/issues) or shipped with latest QubesOS ISO on external MicroSD support. Heads validates ISO integrity with distribution's signing keys prior to booting them (Tails, Fedora, QubesOS).

Heads, deployed with a Nitrokey Pro v2/LibremKey or by using internal TPM, validates the ROM's integrity before booting from it. With the help of a NitroKey/LibremKey (https://puri.sm/posts/introducing-the-librem-key/), the boot configurations are signed with user's keys and verified and the firmware integrity is attested at each reboot through HOTP (LED flashing or TPMTOTP on user's cell phone through Google Authenticator or compatible app).

The user receives the Nitrokey/LibremKey and his computer in distinct shipping packages and reunites them at first laptop boot to attest that the firmware of the computer has not been tampered with in transit. (https://puri.sm/posts/introducing-the-librem-key/).

The user, upon bootup integrity attestation, proceeds to the ownership of his new laptop (TPM) and his LibremKey. The user is then invited to reencrypt his SSD encrypted content with his own chosen passphrase (https://github.com/osresearch/heads/issues/463) and to choose a secondary disk unlock passphrase, which will unlock encrypted disk content only if the firmware has boot attested integrity.

Notes:
  • The user will be able to ask Insurgo interactive support in the near future. (https://github.com/SkypLabs/my-qubes-os-formula/issues/6).
  • Buying from Insurgo (ITL/IOT) funds directly my participation to those projects.
  • Bulk discounts are available upon request. Insurgo plans to transit into a working/buying cooperative in the near future.


Prices are in Canadian Dollars (CDN)
  • x230 i5 240GB SSD 16GB Webcam and IPS: $620
    • Hardware reprogramming fee: +250$
    • Backlit Keyboard: 40$  (optional)
    • Webcam 10$  (optional)
  • Nitrokey/LibremKey: + 80$
The refurbisher offers a warranty plan on the value of the purchase:
  • 1 Month %5
  • 3 Months %10
  • 6 Months %15
  • 1 Year %25

Thierry Laurion:

Insurgo, Technologies Libres / Open Technologies:

--
Thierry Laurion
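
The boot-time check described in the message above, modelled in Python as an added example (it is not Heads code and not part of the original post): a secret is sealed to the firmware measurements, released only when the measured chain matches, and turned into an RFC 4226 HOTP code that the USB token compares with its own. The `SimTPM` and `Token` classes, the stage names and the secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample data: stand-ins for firmware stages and the shared secret.
GOOD_STAGES = [b"constructed bootblock", b"constructed romstage", b"constructed payload"]
TAMPERED_STAGES = GOOD_STAGES[:2] + [b"constructed payload + implant"]
SECRET = b"constructed-shared-secret"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SimTPM:
    """Toy model of one PCR with seal/unseal (hypothetical, not a real TPM API)."""

    def __init__(self):
        self.pcr = bytes(20)
        self._sealed = None

    def reboot(self):
        self.pcr = bytes(20)  # PCRs reset on power cycle; the sealed blob persists

    def extend(self, data: bytes):
        # TPM 1.2-style extend: PCR = SHA1(PCR || SHA1(data)), so order matters.
        self.pcr = hashlib.sha1(self.pcr + hashlib.sha1(data).digest()).digest()

    def seal(self, secret: bytes):
        self._sealed = (self.pcr, secret)  # bind the secret to the current PCR

    def unseal(self) -> bytes:
        if self._sealed is None:
            raise PermissionError("nothing sealed")
        expected, secret = self._sealed
        if not hmac.compare_digest(expected, self.pcr):
            raise PermissionError("PCR mismatch: firmware measurements changed")
        return secret


class Token:
    """USB token side: same secret, own counter, accepts only the next code."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def check(self, code: str) -> bool:
        ok = hmac.compare_digest(code, hotp(self.secret, self.counter))
        if ok:
            self.counter += 1  # a code is never accepted twice
        return ok


def measured_boot(tpm: SimTPM, stages) -> None:
    tpm.reboot()
    for blob in stages:
        tpm.extend(blob)


def attest(tpm: SimTPM, token: Token, counter: int) -> bool:
    try:
        secret = tpm.unseal()
    except PermissionError:
        return False  # no secret, so no valid code: the token reports failure
    return token.check(hotp(secret, counter))


def demo():
    tpm, token = SimTPM(), Token(SECRET)
    measured_boot(tpm, GOOD_STAGES)
    tpm.seal(SECRET)                      # provisioning on known-good firmware
    measured_boot(tpm, GOOD_STAGES)
    first = attest(tpm, token, 0)         # untouched firmware
    measured_boot(tpm, TAMPERED_STAGES)
    second = attest(tpm, token, 1)        # modified payload
    measured_boot(tpm, GOOD_STAGES)
    third = attest(tpm, token, 1)         # original image restored
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

A modified stage changes the PCR value, so the secret stays sealed and the host cannot produce the code the token expects; restoring the original image makes the check pass again.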

Holger Levsen

Nov 12, 2018, 4:58:30 AM
to qubes-users
On Sun, Nov 11, 2018 at 03:45:21PM +0000, unman wrote:
> lenovo x230s are still widely available, and great for Qubes.

while I agree with that, I want to point out that they contain several
non free blobs which cannot be changed.

just because there was so much purism bashing in this thread. :-D


--
cheers,
Holger, who is happy that his keyboard, memory and battery works

unman

Nov 12, 2018, 6:15:24 AM
to qubes-users
On Mon, Nov 12, 2018 at 09:58:25AM +0000, Holger Levsen wrote:
> On Sun, Nov 11, 2018 at 03:45:21PM +0000, unman wrote:
> > lenovo x230s are still widely available, and great for Qubes.
>
> while I agree with that, I want to point out that they contain several
> non free blobs which cannot be changed.
>
> just because there was so much purism bashing in this thread. :-D
>
>
> --
> cheers,
> Holger, who is happy that his keyboard, memory and battery works

True, but 22rip didn't have that as a criterion in his choices. Also, the
x230 keyboard, memory and battery all work. ;-)

Jonathan Seefelder

Nov 12, 2018, 10:08:38 AM
to unman, qubes-users
I have to say, while I'm happy to see people are actually trying to get a
constructive discussion here, I'm missing facts, sources and numbers.

The only blob in an X230 which could be security relevant imo is the
embedded controller. The EC will most likely be liberated in the near
future, and even if it isn't, that is just no comparison to the amount
of attack-surface and security-relevance of the blobs a Librem
contains. But that's a personal opinion, there are some who consider
stock-bios not a problem at all, because their threat-model does not
contain such highly-skilled attacks or they trust the vendor. However,
UEFI-exploits from non-state-actors have already been found in the wild,
and will become a lot more common imo.

Example:
https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

About the Intel-ME:

The other blob in an x230 is the "ROMP/BUP"-module (which is the
only part left from the Intel ME), roughly around ~90 kB after
me-cleaner (~ 1.5 MB without), and, very important, the ME is shut down
before the kernel initializes.

The ME-version Generation 3 like they are used in a Librem, however, are
after applying ME-cleaner "rbe", "kernel", "syslib" AND "bup", and the
minimum firmware-size is at best ~ 300 kb, and is not shut down at all.

BTW, I feel like people overestimate the relevance of the Intel
Management Engine. There is so much fake-news about the ME, it's
ridiculous. That being said, I personally would never use a device for
sensitive stuff with ME-generation 3 or higher, and certainly not one
with a prop BIOS or a significant amount of dangerous blobs. Again,
these are personal choices, bashing without even providing any sources
to fact-check for the reader won't help anybody.

While I would love to have the option of buying a completely free Laptop
directly from a vendor, I have serious doubts about how this would be
possible with x86 architecture, and I wasn't able to find any specific
information on how Purism is planning to achieve that.

Freeing a Librem isn't simply a matter of more work and development,
without having Intel's signing keys, it is flat-out technically impossible.

And I would love to believe that Intel will provide Purism those keys,
but given the fact that they didn't do it even for Google, I doubt it
even more.

Some more information on this matter would be really great, maybe I'm
missing something?

If any of this information is incorrect please tell me so, and most
important, please provide sources.
--
Kind Regards
Jonathan Seefelder
CryptoGS IT-Security Solutions
Hofmark 43b
D-84564 Oberbergkirchen
Phone: +49 8637-7505
Fax: +49 8637-7506
Mail: in...@cryptogs.de
www.cryptogs.de



qube...@tutanota.com

Nov 13, 2018, 6:03:40 AM
to 22...@tutamail.com, qubes-users
Sorry to jump out of the Purism thing. Some weeks ago I put here the question too and it was a bit stormy, so I keep it aside.

Mate, you mention the "Lenovo 400 series". That was my question short before in my post. I am planning to buy this guy: https://tehnoetic.com/tet-t400s It is RYF and so the ME and AMT is completely removed. My question was, if I could run Qubes 4 on it. The answer was it is too old to have the required virtualization needed to run Qubes 4.

Now, do you think the RYF T400s above, which is the T400 series you mention, could run the Qubes 4? This would be great. One could run the reasonably secure OS on reasonably secure HW. Yay!



qube...@tutanota.com

Nov 13, 2018, 6:27:10 AM
to Thierry Laurion, 22rip, Qubes Users
Hi Thierry, I wasn't aware the X230 can be freed same way as the X200 can. As you saw, I am thinking about buying the RYF https://tehnoetic.com/tet-t400s to be able to run with the Qubes 4. The T400s has but unfortunately 8GB RAM max and so the X230 with 16GB seems very interesting.

So my question is if the X230 is really deprived of all ME-AMT, or any non-free dirt? If this is the case, your offer seems really interesting with all mentioned options available. I also use the RYF X200 for non-Qubes activities, but it would be just excellent if I could have just one machine for Qubes+non-Qubes too.



keshajournalism

Nov 13, 2018, 7:58:21 AM
to qubes...@googlegroups.com
I thought about buying the x230, but for me, the screen is a little too small, and I feel like the x230 looks a bit ugly *.* To me apple-products look the best, but apparently there are none with coreboot.
I therefore bought myself an X1 Carbon with a nitrokey from cryptogs.de, although I'd like to have more RAM for windows.
The X230 was recommended to me by them to be more secure, apparently a T400 would have been even better with libreboot, but they are just way too old and slow for me.

cheerio

Thierry Laurion

Nov 13, 2018, 10:44:26 AM
to qube...@tutanota.com, 22...@tutamail.com, qubes...@googlegroups.com
Hi qubes-fan. Answers inline.
On Tue, Nov 13, 2018 at 6:27 AM <qube...@tutanota.com> wrote:
> Hi Thierry, I wasn't aware the X230 can be freed same way as the X200 can.

Unfortunately, the x230 cannot have Intel ME deleted the same way the x200 can, even though binary free firmware is on par with it.

The x200 is RYF certified where the x230 isn't for approximately the same reasons Libreboot supports only the former. RYF and Libreboot have a really strong guideline against binary blobs. Even Libreboot opened up its ethic to support the x220 (Sandy bridge), but backed off, since part of the ME engine is still present even if deactivated. The RYF certification could not be obtainable for those. See archive: https://web.archive.org/web/20170404144825/https://minifree.org/product/libreboot-x220/

Intel ME can be completely removed on the x200 (GM45 based), leaving no trace of it at all. (https://libreboot.org/faq.html#intel). It can be neutralized on the x220 and x230 (Ivy bridge), leaving only the ROMP and BUP modules (<90k of it), but "deactivating" ME before its kernel is even booted, where the Librem Laptops have parts of it deactivated only, and unfortunately contain binary blobs in the firmware. Once again, depending on your threat model, that may or may not be a deal breaker for you.

Neutralizing/Deactivating/Deleting/Freeing Intel ME is a word game where a lot of ink has been spilled over the last years. I suggest you read this doc: (https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F) . Basically, Intel ME version <11 can be deactivated, since no kernel needs to be present in the firmware for validation prior to initialization, resulting in the BUP module only being launched, permitting the machine to boot, where version >11 requires the kernel and syslib modules to be present and validated at initialization. So even if Intel ME is neutralized by me_cleaner, the modules are still there in >11. Could they be executed? That depends on your beliefs and threat modeling.

Technically, GM45 based laptops are currently the last Intel based hardware where Intel ME can be completely removed. Unfortunately, such old hardware comes with important limitations, some of which make it incompatible with QubesOS 4 requirements for isolation and virtualization. The x200 has vt-d1 only, no vt-d2 (No IOMMU!): there is no interrupt remapping, meaning that there is no hardware isolation enforced in QubesOS. (https://github.com/QubesOS/qubes-issues/issues/1594#issuecomment-209213917).

At best, the x200 is an awesome laptop for using Tails, but not with QubesOS. Using it with QubesOS gives the user an illusion of hardware isolation, putting him at risk.

> As you saw, I am thinking about buying the RYF https://tehnoetic.com/tet-t400s to be able to run with the Qubes 4. The T400s has but unfortunately 8GB RAM max and so the X230 with 16GB seems very interesting.

The T400s is a hardware equivalent of the x200.

> So my question is if the X230 is really deprived of all ME-AMT, or any non-free dirt?
>
> If this is the case, your offer seems really interesting with all mentioned options available. I also use the RYF X200 for non-Qubes activities, but it would be just excellent if I could have just one machine for Qubes+non-Qubes too.

A lower end, AMD laptop, the G505s seems a good candidate for libre oriented QubesOS users. Its porting to Heads is on the way, even though I do not have that hardware myself. https://github.com/osresearch/heads/issues/453

As some pointed out earlier, the EC is still a binary blob present in laptops (not currently freed), microcode updates are unfortunately still required for security.

Laptop world needs to be shaken. Binary free laptops exist, but do not support QubesOS.
Talos II is the best libre free desktop/server available but isn't supported by QubesOS, where the KGPE-D16/KCMA-D8 are still the best x86 desktop/servers available. The x230 laptop is the most supported and libre available, where BUP Intel ME initialization is tolerable.

Heads project should be considered as a trusted base of any security conscious user.

Linuxboot, Systemboot and other projects based on u-boot/u-root should also be considered for collocating private cloud services on more recent x86 servers:

Hope that it answers your questions.
Insurgo, Technologies Libres / Open Technologies: