On 25.11.2016 01:44, taii...@gmx.com wrote:
> Purism laptops are new intel so they will never have real coreboot
> support, only FSP shimboot which is a black box that does most of the
> It's pointless, honestly you might as well just get an AMD (with
> iommu/amd-vi) laptop if you want to avoid ME (just make sure it does
> not have AMD PSP, lol) - it'll have a closed source BIOS but no more
> dangerous than FSP in terms of backdoor potential.
> You could also get an older pre-FSP thinkpad, as there is some work
> being done RE: stripping out and thus nerfing most of ME.
> Purism is at best, selling an unfinished product and at worst being
> incredibly dishonest. If google can't get intel to hand over the FSP
> and ME code then nobody can. I think it is funny that the purism types
> think that setting ME to "disabled" in option rom actually shuts it
Yes, Purism was basically a scam. They could at least have made the
thing boot faster by including blobbed Coreboot, but they couldn't even
be bothered doing that.
I'd like to add my thoughts about the current situation with Coreboot
and the Intel FSP.
Virtualisation is currently broken on the most recent ThinkPad X200,
T400, etc laptops and desktops that work without the ME blob, but it is
presumably possible to make them boot, perhaps through including
microcode updates in the Coreboot build. I haven't tested this yet so it
is not clear yet. Either way IOMMU is also broken on this generation
(and this will probably never change since this is a flaw in the
hardware implementation of IOMMU) so Qubes might not be so secure here.
Better than nothing, but still...
Another good option might be the ThinkPad X201, where VT-d is thankfully
not broken, but it does include the ME blob in order to make the thing
boot. It doesn't include Intel FSP (it is from way before that), so it
isn't *that* bad, and certainly it stops *Lenovo* (as opposed to Intel)
from putting bad things through the BIOS to attack Qubes. But it is
still fatally flawed in that the ME's reach is far indeed... But you get
native graphics init which is nice if you are a Coreboot nerd. And it is
possible, albeit hard to reverse engineer the chipset to find a flaw to
bypass the ME. So this may be a *really* good option in the future for
Qubes, if people work on it.
Here lies the dilemma with Coreboot and Qubes. Broken IOMMU sans ME, or
working (as it stands) IOMMU along with the ME?
The X201 is probably a better choice than the vile Librem laptops for
the average Qubes user. Durable, cheap second hand, IOMMU all present
and correct. ME is bad but not *as* bad as it has become as of late. And
of course Coreboot is fast and fun.
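Whether the IOMMU on a given ThinkPad is really active is something you can check from a running Linux (or Qubes dom0) rather than trust the firmware menu for. The script below is an added example, not code from this thread, from Qubes or from coreboot. It counts the IOMMU groups the kernel exposes under /sys/kernel/iommu_groups, classifies log lines using the DMAR / AMD-Vi / Xen messages I am used to seeing, and checks /proc/cmdline for an explicit IOMMU request; the sample dmesg lines embedded in it are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an IOMMU (Intel VT-d /
# AMD-Vi) is actually active, since Qubes' PCI isolation depends on it.
# Paths and log text are taken as arguments or stdin so the functions can be
# exercised offline against constructed samples as well as on a live system.

# Count IOMMU groups exposed by the kernel. Zero groups means no working
# IOMMU, whatever the firmware setup menu claims. Defaults to the real sysfs.
count_iommu_groups() {
    dir="${1:-/sys/kernel/iommu_groups}"
    n=0
    for g in "$dir"/*; do
        [ -d "$g" ] && n=$((n + 1))
    done
    echo "$n"
}

# Classify kernel / hypervisor log lines read from stdin: prints "enabled",
# "disabled" or "unknown". Patterns are the Linux DMAR and AMD-Vi driver
# messages and the Xen "I/O virtualisation" line; a later line wins.
classify_iommu_log() {
    state=unknown
    while IFS= read -r line; do
        case "$line" in
            *"DMAR: IOMMU enabled"*|*"AMD-Vi: Found IOMMU"*|*"I/O virtualisation enabled"*)
                state=enabled ;;
            *"DMAR: IOMMU disabled"*|*"I/O virtualisation disabled"*)
                state=disabled ;;
        esac
    done
    echo "$state"
}

# Does the kernel command line (passed as one string) request the IOMMU?
cmdline_requests_iommu() {
    case " $1 " in
        *" intel_iommu=on "*|*" amd_iommu=on "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample in the shape of a dmesg from a VT-d machine (not a
# capture from any real laptop).
sample_dmesg() {
    printf '%s\n' \
        '[    0.000000] ACPI: DMAR 0x00000000BFE6B000 000088 (constructed sample)' \
        '[    0.012345] DMAR: IOMMU enabled' \
        '[    0.987654] DMAR: Intel(R) Virtualization Technology for Directed I/O'
}

# Run with --live to inspect the real system (dmesg may need root);
# without arguments it only classifies the constructed sample.
if [ "${1:-}" = "--live" ]; then
    echo "iommu groups: $(count_iommu_groups)"
    echo "dmesg says:   $(dmesg 2>/dev/null | classify_iommu_log)"
    if cmdline_requests_iommu "$(cat /proc/cmdline)"; then
        echo "cmdline:      iommu requested"
    else
        echo "cmdline:      iommu not requested (intel_iommu=on / amd_iommu=on missing)"
    fi
else
    echo "constructed sample classifies as: $(sample_dmesg | classify_iommu_log)"
fi
```

On a Xen system such as Qubes the Linux dom0 dmesg does not necessarily carry the DMAR lines, because Xen owns the IOMMU; feed `xl dmesg` into `classify_iommu_log` instead, and treat a group count of zero on a machine where you expect VT-d as the "broken IOMMU" case discussed above.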