On Tue, Dec 06, 2016 at 01:09:05PM +0100, Marek Marczykowski-Górecki wrote: > [...] > In hardware certification for Qubes 4.x we want to have something more. > Not only hardware being compatible, but also as trustworthy as > realistically possible. This "realistically" currently means we can't > expect not including Intel ME, unfortunately. But for example we can > require open source BIOS - and we do.
There was a discussion on the coreboot list about what is the best Thinkpad that can support coreboot. The general consensus was the x230 and t430 series, both of which can use my modified ME firmware to shutdown the Mangement Engine after it brings up the x86 CPU. The x230 coreboot also removes all of the closed source blobs since it can do native RAM init, has a DMAR support for VT-d, and doesn't require any VGA BIOS when running a Xen patched to removed the EBDA dependencies. The Chell Chromebook is almost perfect as a Qubes 4 machine -- it has coreboot support out of the box, a very high-res screen, a more modern Skylake, a real TPM, and my modified ME firmware works on it as well. However, the keyboard is near zero-travel and the 32GB MMC drive is both small and slow. I don't have DMAR support working, although the CPU is supposed to support VT-d. The other advantage of the Chromebooks is that they have open source code for the EC devices and a fairly elegant way to attest that they have not been tampered with. I'd love for more devices with mutable firmware to have a similar trustworthy interface. -- Trammell -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20161207153116.GA13270%40chishio.swcp.com. For more options, visit https://groups.google.com/d/optout.
