On Monday, June 26, 2017 at 10:43:26 PM UTC-4, tai...@gmx.com wrote: > On 06/26/2017 10:30 PM, cooloutac wrote: > > > On Monday, June 26, 2017 at 10:27:32 PM UTC-4, cooloutac wrote: > >> On Monday, June 26, 2017 at 3:50:14 PM UTC-4, qubes...@gmail.com wrote: > >>> I know this question has been asked many times but there is still no > >>> definitive answer. The Purism laptops do not have TPM support and in the > >>> HCL list there is not a machine that ticks every box without issues. What > >>> machines are the devs using? What laptop does Joanna use? > >> are you sure they don't man? > Purism isn't worth buying, it has the same level of firmware freedom and > respect for you and your privacy as a dell and is incredibly overpriced > for what it is. > > I would advise a X220/X230 which is open source besides the ME (supports > ME cleaner) The Ivy/Sandy bridge lenovo thinkpads (X220, W520, T430 etc) > also support TPM and I would be more than pleased to help you install > coreboot >:3 It is what I use as the open source firmware no ME Lenovo > G505S lacks a dock connector which I require. > > In comparison purism's version of coreboot is simply a wrapper layer > that uses a binary blob to do all the work. > > i googled, apparenlty tpm not compatible with coreboot? lol that sucks. I > > think they have secure boot though. so who cares about coreboot at that > > point lol... > Coreboot has a grub payload option with kernel signing, which is the > same as "secure" boot only more versatile as you can sign your owner > kernels. > > "Secure" boot isn't secure, as there are plenty of exploits to bypass it > including the probable nation state backdoors. > > Coreboot has TPM support for various boards, where did you get the idea > it didn't? > > On some native init libre opteron coreboot boards such as the KGPE-D16 > and KCMA-D8 coreboot has owner controlled CRTM which means the CRTM is > not predictable as it would be with a vendor bios (having a predictable > CRTM ruins the security of a TPM)
they are all severely overpriced. and I just refer to the exploits saying hacking teams insyde bios exploit didn't work with secure boot enabled. Doesn't that say something. Richard Stallman says secure boot is ok to use. That doesn't ease your mind? nation state backdoors? so amd is not part of that? Not sure what we can do about that is except petition for laws against it. some guy was on irc the other day complaining he couldn't get qubes installed on one of these opteron server type boards cause I assumed the driver was not working for his intel gpu believe it or not. I think the first thing you should look at when buying hardware is if the vt-d/iommu is supported. And best way to do that is to make sure they show a picture of the option in the manual, and preferably show it enabled. If they mention the word security regarding it too thats a good sign. Everything else should fall into place as far as compatibility with qubes goes. This is pretty hard to do with oem laptops, so you can just walk into a computer store with the live qubes usb. and start rebooting laptops and checking the hcl report. The worst they can do is tell you to leave there is no way you will get arrested. Just be honest and tell them you use qubes-os and you want to make sure the iommu feature work which is its main security benefit. I would stay away from a machine that is too new is the general rule of thumb in linux world. They are usually 1-2 years behind on hardware support. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/39768495-e600-4364-99d6-ff145e8167f6%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
