On 25.11.2016 01:44, taii...@gmx.com wrote:
Purism laptops are new intel so they will never have real coreboot
support, only FSP shimboot which is a black box that does most of the
work.

Its pointless, honestly you might as well just get an AMD (with
iommu/amd-vi) laptop if you want to avoid ME (just make sure it does
not have AMD PSP, lol) - it'll have a closed source BIOS but no more
dangerous than FSP in terms of backdoor potential.

You could also get an older pre-FSP thinkpad, as there is some work
being done RE: stripping out and thus nerfing most of ME.

https://www.phoronix.com/scan.php?page=news_item&px=Purism-Librem-Still-Blobbed
https://blogs.coreboot.org/blog/2015/02/23/the-truth-about-purism-why-librem-is-not-the-same-as-libre/

Purism is at best, selling an unfinished product and at worst being
incredibly dishonest. If google can't get intel to hand over the FSP
and ME code then nobody can. I think it is funny that the purism types
thinks that setting ME to "disabled" in option rom actually shuts it
off.

Hej folks,

Yes, Purism was basically a scam. They could at least have made the thing boot faster by including blobbed Coreboot, but they couldn't even be bothered doing that.

I'd like to add my thoughts about the current situation with Coreboot and the Intel FSP.

Virtualisation is currently broken on the most recent ThinkPad X200, T400, etc laptops and desktops that work without the ME blob, but it is presumably possible to make them boot, perhaps through including microcode updates in the Coreboot build. I haven't tested this yet so it is not clear yet. Either way IOMMU is also broken on this generation (and this will probably never change since this is a flaw in the hardware implementation of IOMMU) so Qubes might not be so secure here. Better than nothing, but still...

Another good option might be the ThinkPad X201, where VT-d is thankfully not broken, but it does include the ME blob in order to make the thing boot. It doesn't include Intel FSP (it is from way before that), so it isn't *that* bad, and certainly it stops *Lenovo* (as opposed to Intel) from putting bad things through the BIOS to attack Qubes. But it is still fatally flawed in that the ME's reach is far indeed... But you get native graphics init which is nice if you are a Coreboot nerd. And it is possible, albeit hard to reverse engineer the chipset to find a flaw to bypass the ME. So this may be a *really* good option in the future for Qubes, if people work on it.

Here lies the dillema with Coreboot and Qubes. Broken IOMMU sans ME, or working (as it stands) IOMMU along with the ME? The X201 is probably a better choice than the vile Librem laptops for the average Qubes user. Durable, cheap second hand, IOMMU all present and correct. ME is bad but not *as* bad as it has become as of late. And of course Coreboot is fast and fun.

D

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6fcdc8c4d278e565af3dc4c44d601d49%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Reply via email to