My question to a Qubes security professional then - What should I do with Intel TXT in my new machine if it is a security issue now?
Thank you in advance for your time.
The main gist i get from her latest article even more than txt is weak, is that if the vendor manufacturer is in cahoots with a state actor or whoever (such as NSA), they could compromise us through intel me and we would never even be able to prove it. Not only that, corporations might be able to really limit the control we have over our pcs in the future. Richard Stallman has been saying the same things for years but Joanna really explains everything in detail.
No security measure is 100% imo. I would still use it if you have the option, why not? I don't think it would actually weaken your security? Only poc i can find online with someone exploiting txt is the ITL team themselves. So I imagine it would take someone of their expertise. Do you have more information on this subject you can share?
If you don't mind me asking what board do you have? Which laptop comes with txt, or if a desktop board where did you buy your tpm header module?
Also, imo, regardless of these security concerns I feel qubes would be more secure than your normal linux or windows systems even without Intel ME/Vpro. Qubes takes into account something might be compromised already while most linux systems are too arrogant or blind to believe something is even possible by design. I would love to hear others' opinions.
> > You can read Joanna's latest pdf writeups on intel me on the blog.
> >
> > No security measure is 100% imo. I would still use it if you have the
> > option, why not? I don't think it would actually weaken your security?
> > Only poc i can find online with someone exploiting txt is the ITL team
> > themselves. So I imagine it would take someone of their expertise. Do you
> > have more information on this subject you can share?
> >
> > If you don't mind me asking what board do you have? Which laptop comes
> > with txt, or if a desktop board where did you buy your tpm header module?
> >
> > Also, imo, regardless of these security concerns I feel qubes would be
> > more secure than your normal linux or windows systems even without Intel
> > ME/Vpro. Qubes takes into account something might be compromised already
> > while most linux systems are too arrogant or blind to believe something is
> > even possible by design. I would love to hear others' opinions.
Vpro means different things so not sure what you mean by that. If you are not using aem then you don't need intel txt.
But you would want to still turn on intel vt-d which helps isolate the netcard used to help prevent dma side attacks for example. someone please correct me if I'm wrong.
> > You can read Joanna's latest pdf writeups on intel me on the blog.

Thank you. If I hadn't read that I would be interested to do so. That is why I was wondering if I should disable the lot or if there was some use still. I see now that I should leave it enabled if I want to use AEM. This is a desktop machine in my home and not really expecting anyone to break in to compromise it as I don't have any state secrets or company property / data. I don't think I need AEM - would I disable TXT?

> > No security measure is 100% imo. I would still use it if you have the
> > option, why not? I don't think it would actually weaken your security?
> > Only poc i can find online with someone exploiting txt is the ITL team
> > themselves. So I imagine it would take someone of their expertise. Do you
> > have more information on this subject you can share?

A search of Intel TXT exploit sure delivered a lot of direct results and most of them concerning ITL but I'm sure I saw some other company with an exploit. If not TXT then definitely ME. I will double check.

> > If you don't mind me asking what board do you have? Which laptop comes
> > with txt, or if a desktop board where did you buy your tpm header module?

The desktop machine has an Intel i7 processor and I had the Q170 chipset especially put in to replace the Z170.

> > Also, imo, regardless of these security concerns I feel qubes would be
> > more secure than your normal linux or windows systems even without Intel
> > ME/Vpro. Qubes takes into account something might be compromised already
> > while most linux systems are too arrogant or blind to believe something is
> > even possible by design. I would love to hear others' opinions.

I believe as much. Qubes is a game changer. I'm surprised it took so long for technology to get past a monolithic kernel. Kudos ITL. Also why I was confident to just disable the lot if someone with knowledge could confirm if there was any critical usage of the TXT technology for Qubes. This is new ground for most of us and why I have come asking what might appear to be basic questions. I can see the genius in this design and I intend to become a proficient contributing user.
So I can then conclude that if I don't think I need to worry about Evil Maid and therefore not have to use AEM - I can just turn TXT and Vpro off and Qubes will be just as secure without it and function normally?
For me Intel ME is a no brainer and there is a slide on the motherboard / chipset to turn it off. If I turn it off at the slide is it truly off?
> The desktop machine has an Intel i7 processor and I had the Q170 chipset especially put in to replace the Z170.

You mention later on you made that choice because you believed that "The Z170 chipset does not support vt-d." FWIW, that is not true - VT-d works on Z170. You will find multiple users on this forum who have been using Z170 systems and Skylake just fine with VT-d.

Intel has made figuring out what combinations of CPUs and chipsets support VT-d a challenge (and on top of that, motherboard vendors have contributed their own blunders). It was a real mess before Haswell. Things got easier starting with Haswell, since northbridge and southbridge functionality relating to VT-d got pulled into the CPU package. Now you just need to pick the right CPU and make sure your BIOS includes VT-d support.
> For me Intel ME is a no brainer and there is a slide on the motherboard / chipset to turn it off. If I turn it off at the slide is it truly off?

I have not heard of any such capability, and I am very skeptical - particularly where Skylake is concerned - that ME _can_ be turned off, or that Intel has made firmware blobs that would in effect disable the objectionable features of ME available to motherboard vendors (and even if they were offered, I'm not sure we have any way to actually verify that they in fact neuter ME). For example, my understanding is that the SGX instructions, introduced in Skylake, are closely integrated with code running in ME for the secure enclaves, etc. As I understand it, ME is currently unavoidable if you have an Intel CPU made after 2008 or so - there is no way to boot up the CPU without it.

What motherboard do you have that indicates it has the capability to disable ME? It would be interesting to look at the user manual to see exactly what is said about this.
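Since the thread keeps coming back to whether a given CPU, chipset and BIOS combination actually delivers VT-x, VT-d and TXT, here is an added check script (not from this thread or from the Qubes project) that reads the `vmx` and `smx` flags from `/proc/cpuinfo` and looks for Xen's "I/O virtualisation enabled" line in `xl dmesg`. The functions take their input as text, so the script runs on a constructed sample when it is not on a Qubes dom0; the sample values are made up for illustration.

```shell
#!/bin/sh
# Added example: classify a box as no-vtx / no-vtd / vtd-only / vtd+txt.
# vmx = VT-x, smx = Safer Mode Extensions (the CPU side of TXT).
# Xen prints "I/O virtualisation enabled" once VT-d (the IOMMU) is up.

# 0 if the cpuinfo text lists the requested flag on its "flags" line.
cpu_has_flag() {
    printf '%s\n' "$1" | grep -m1 '^flags' | tr ' ' '\n' | grep -qx "$2"
}

# 0 if Xen's console log reports the IOMMU as enabled.
xen_iommu_enabled() {
    printf '%s\n' "$1" | grep -q 'I/O virtualisation enabled'
}

# One-word verdict; VT-d without vmx is not possible, so vmx is checked first.
# Caveat: smx only says the CPU can do TXT; the BIOS must enable it and a TPM
# must be present before AEM will work, and a BIOS can still leave VT-d off.
classify() {
    cpuinfo=$1; xenlog=$2
    if ! cpu_has_flag "$cpuinfo" vmx; then echo "no-vtx"; return; fi
    if ! xen_iommu_enabled "$xenlog"; then echo "no-vtd"; return; fi
    if cpu_has_flag "$cpuinfo" smx; then echo "vtd+txt"; else echo "vtd-only"; fi
}

# Constructed sample input standing in for /proc/cpuinfo and `xl dmesg`.
SAMPLE_CPUINFO='model name : Intel(R) Core(TM) i7 (constructed sample)
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov vmx smx sse2 ssse3'
SAMPLE_XENLOG='(XEN) Intel VT-d iommu 0 supported page sizes: 4kB, 2MB, 1GB.
(XEN) I/O virtualisation enabled'

# Live run needs dom0 (xl available); elsewhere fall back to the sample.
if [ -r /proc/cpuinfo ] && command -v xl >/dev/null 2>&1; then
    classify "$(cat /proc/cpuinfo)" "$(xl dmesg 2>/dev/null)"
else
    classify "$SAMPLE_CPUINFO" "$SAMPLE_XENLOG"
fi
```

On a real dom0 the verdict only confirms what firmware exposed at boot; a "no-vtd" result with a vmx-capable CPU usually means the BIOS setting, not the chipset, is the problem.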
Yes, I misspoke. It appears that the processor/chipset on the computer I purchased does not have/support vPro or TXT (though Intel ME is apparently disabled, which is a win, I guess?). So hard to find something that checks all the boxes for me. My threat model currently doesn't include Evil Maids, so I'm probably ok. Shame, though. Hopefully it doesn't close the door on Qubes 4 compatibility. (It does have SLAT and VT-(d/x).)
Well, that's unfortunate. Guess I'll shop around some more, ask more questions. I know that ThinkPads are popular, as are "business class laptops", but I haven't seen any newer ones being mentioned here (and older laptops are likely to be used, which I'm not a fan of).
Whoa. Ok, hold on a sec. I did not buy a Purism computer, though not for those reasons - putting a 28W TDP proc in a 15inch "workstation" is absurd to me, as is their lack of a screen configuration. I hear your anger at the gap between what they promise and what they deliver; I'm more displeased on the hardware side of things (though I do like HW kill switches). I've looked into what they promise and understand very well that they don't actually have a very free computer at all, especially on the bios/firmware side.
What I actually ordered (and have now cancelled), was a Dell XPS 15". There is no vPro option in the configure menu, though it does support VT-d and SLAT. I've read all of Joanna's papers, and understand the concerns about Intel ME very well. However, on the Dell order, it claimed "ME Disabled." Perhaps they simply meant that vPro/AMT/TXT was disabled, and that was mine and Dell's fault for wishful thinking and false naming, respectively. Please see linked photo: https://d.pr/Q0YZ
Well, the Dell XPS was enough processing power for me. The Business version, the Precision 5510, not only has vPro and TXT, but also supports ECC memory (Xeon E5). Adds another layer of protection (against Rowhammer attacks that can compromise even Qubes), but a) nobody actually makes DDR4-ECC-SODIMM memory that I can find, and b) it's basically another thousand bucks. I also happen to hate 16:9 displays, but I would compromise on that for Qubes' sake.
As far as blob-free hardware goes, I unfortunately have to live and work in the world, and therefore need 1) performance and x86-64 architecture, and 2) to not have my computer be a part time job.
Guess I'll keep looking. And saving.
Also, the concern for me is not ME shenanigans. I'm more concerned about having TXT for AEM and measured boot, and the consumer Dell model does not have that (the processor and chipset don't support it). The other option aside from the Precision 5510, would be a ThinkPad T460 or T460p, but the downside there is performance (only SATA-3 SSD), and also the screen quality is terrible.
Much as I dislike proprietary anything, I might take a second look at the new MacBook Pros, and run things that need higher security in a VM or in Whonix.
Beg your pardon. Calling into question my security knowledge does not lead to any sort of productive discussion. I am fully aware that I have things to learn, and that's why I'm here. I'm not going to get into a security knowledge measuring contest with you or fire back with how much I do know; I'll simply thank you for your insight and move on.
Cheers.
Thank you for the explanation. Even Trump can act presidential. :) So it turns out my reasoning had a rather obvious flaw. I kept stubbornly assuming that my ME device would be on the LISTENING end when it could just as easily be set to call out periodically and render my genius plan moot. I guess now I'm back in the depressing boat with everyone else.
> I do not want to "dismantle" intel/google, I simply want them to be more
> friendly to the customer and for intel to end their war on free software
> and general purpose computing - they used to be great companies but now
> they aren't because of nepotism and outsourcing.
>
> Features like boot guard could have been implemented fully open source
> and transparent, with a jumper to disable or place the computer in
> signing mode so that you can sign/write your own firmware.
> In 10-20 years you won't even be able to run unapproved binaries or view
> unapproved files on an average computer, similarly as to how secure boot
> v2 standards don't require the option to disable it (and thus you must
> ask microsoft for permission to run linux on your own computer) it is a
> slippery slope and if you give them an inch they take a mile.
>
> It is the hollowing of the market, the removal of the middle class of
> computing.
> You can buy a low performance arm (or the like) device with free
> firmware or you can splash out 4-8K for a super high performance OPOWER8
> device from ibm/tyan - it is a myth that free firmware is only available
> on old/slow devices. My next laptop will be a desktop board in a custom
> made mobile 1U chassis.
I spent some time reading up on Power (including this optimistic Anandtech review: http://www.anandtech.com/show/9567/the-power-8-review-challenging-the-intel-xeon-/2). The chips are seemingly priced competitively enough (though my office would turn into a sauna). I was intimidated by the prospect of having to port x86 packages to Power arch but looking through Debian repos, it appears that nearly all of the packages I use have already been ported to ppc64el. Then I noticed the one exception, the dealbreaker, is that Xen doesn't support Power. So it comes down to Qubes + Intel ME versus KVM + Power8 + clueless user. So yeah... guess my Intel boycott lasted all of one day. :/