To Taiidan and all others complaining about Purism's lies and consumers being misled.
I keep reading stuff about Purism lying about deactivating/disabling ME being impossible, lying about the future of Intel removing ME, etc. I think THIS is misleading. First, it's me_cleaner's job to do the cleaning. The ME hack itself won't remove ME, but can remove modules by stripping them. There is a big semantic difference between the words removing, disabling and deactivating, I agree. me_cleaner won't remove ME, that is true. But all this ranting is not factual. See here: https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bit

From https://github.com/corna/me_cleaner/blob/master/README.md:

"For pre-Skylake firmware (ME version < 11) this tool removes almost everything, leaving only the two fundamental modules needed for the correct boot, ROMP and BUP. The code size is reduced from 1.5 MB (non-AMT firmware) or 5 MB (AMT firmware) to ~90 kB of compressed code. Starting from Skylake (ME version >= 11) the ME subsystem and the firmware structure have changed, requiring substantial changes in me_cleaner. The fundamental modules required for the correct boot are now four (rbe, kernel, syslib and bup) and the minimum code size is ~300 kB of compressed code (from the 2 MB of the non-AMT firmware and the 7 MB of the AMT one)."

To have Intel without ME (but also without vt-d2, meaning no IOMMU) one will need to choose old hardware, like the X200, which will not have more than 8 GB RAM and won't support hardware isolation, so no real advantage of using Qubes. X230 and X220 and others will boot with deactivated ME, booting with ROMP and BUP present, true, but without kernel and no other modules.

The rest of what you say, I agree with. But oversimplifying things doesn't fulfill the goal of making people aware of what is needed now and in the future. Maybe Intel will change their way of fusing keys into the CPU when they realise a lot of money is going out of their pocket to privacy-defending manufacturers. Maybe not. Only time will tell. Their objective is good.
They might not succeed against Goliath, but they are really trying their best with the actual possibilities (IOMMU, minimal ME footprint, disabling ME the same way it is done for three-letter agencies' laptops). Until brand new laptops can fulfill IOMMU needs for certain threat models, there are few alternatives now.

Tl;dr:

Used laptops:
- Having IOMMU without ME/PSP (Qubes): Lenovo G505s.
- Removed ME, without IOMMU: X200.
- Disabled ME with IOMMU (Qubes): X230/X220.

New laptops:
- Deactivated ME, with IOMMU (Qubes): Purism Librems.

Desktop/Servers:
- Used: With IOMMU (Qubes), no ME/PSP: KGPE-D16, KCMA-D8.
- New: With IOMMU (no Qubes): Talos II.

Let's start a real debate aimed at improving stuff and building proper arguments. Pressure against manufacturers will build with market laws, and energy should be put where things can evolve in the meantime. For my part, I wouldn't recommend using an X200 other than for amnesic laptops. G505s are not powerful and tough enough to run Qubes as a daily driver. ME is a really nasty piece of shit to deal with, agreed. But things need to move forward. Hiding in a cave waiting for things to magically happen is not enough.

Thierry

On Wed, 11 Apr 2018 16:57, taii...@gmx.com <taii...@gmx.com> wrote:

> On 04/11/2018 03:14 AM, Drew White wrote:
> > On Wednesday, 11 April 2018 16:55:48 UTC+10, tai...@gmx.com wrote:
> >> What you ask for is impossible, it simply isn't made - no one has a
> >> laptop with 64GB RAM and 12 threads let alone one that is old enough to
> >> not have UEFI.
> > I know that they exist, and I would have one if I had enough money. But
> > they do exist. As for UEFI (Microsoft's shit invention) if I can disable
> > it or else just replace it with an actual REAL BIOS, then I will.
> You can't do that unless the computer supports coreboot and the new
> stuff doesn't.
> >> The best you will get is a W520 or W530 where you can install coreboot
> >> (open hw init + nerfed ME) and have 32GB RAM.
> > Can the CPU be upgraded in those though?
> Yeah, it's socketed.
>
> I suggest buying a W520 and installing the best Ivy Bridge CPU you can,
> then you get the better non-chiclet keyboard and it is also better
> supported in coreboot; the port for the W530 was never upstreamed.
> >> Purism is not libre - their "open source firmware" has hardware
> >> initiation done entirely via binary blobs and their ME is certainly not
> >> disabled as the kernel still runs along with any hypothetical backdoor.
> >> Their marketing is incredibly dishonest and I simply don't understand
> >> why they get so much air time.
> > lol, then the only way I can get around it is to disable it myself by
> > editing the CPU firmware? Or is there something else that controls that?
> > (I'll have to look into it.)
> Disabling ME/PSP is impossible, it simply can't be done without
> intervention from Intel/AMD.
> The puridiots claim they will eventually be able to convince Intel to do
> it because some sales guy at a convention said so (they will say
> whatever to get you to buy stuff) - however Google tried a few years
> back and even they, as a billion dollar company, weren't able to convince
> Intel to do it.
>
> ME cleaner nerfs it; even with the HAP bit it isn't disabled, because the
> kernel still runs. It simply shuts off after the kernel runs, but that is
> more than enough time to set up any potential backdoor and perform a
> variety of dirty tricks.
>
> NSA/MSS/FSB says: "oh no they removed the networking module what will we
> do now D: D: D:"
>
> > If their information is wrong, then I'll report them for false
> > advertising. Thanks for letting me know.
> I don't know who you could report them to but thanks anyway, I would like
> that very much; their marketing is very sleazy and dishonest.
> Like I said, I simply don't understand why I am the only critical voice;
> the tech media frequently publishes glorified press releases for them
> with absolutely no criticism or real facts about how their computers are
> not and can't ever have free firmware or free hardware...
>
> https://goblinrefuge.com/mediagoblin/u/onpon4/m/what-purism-s-road-to-fsf-ryf-endorsement-chart-should-look-like/
>
> https://www.reddit.com/r/linux/comments/3anjgm/on_the_librem_laptop_purism_doesnt_believe_in/
>
> https://web.archive.org/web/20161010040458/https://blogs.coreboot.org/blog/2015/02/23/the-truth-about-purism-why-librem-is-not-the-same-as-libre/
>
> https://web.archive.org/web/20161010100959/https://blogs.coreboot.org/blog/2015/08/09/the-truth-about-purism-behind-the-coreboot-scenes/
> (Gotta love their insulting of their honest competitors and donating to
> their own crowdfunding campaign)
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to firstname.lastname@example.org.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/9231e87b-887a-b226-68bd-ac1c3573559b%40gmx.com
> For more options, visit https://groups.google.com/d/optout.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAAzJznxzJ1FG9AeNUD0OSvNE%2B_XM1OwLfF7%3DcMeMmqweuEFKQg%40mail.gmail.com.
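The thread above argues about what "disabling" ME via the HAP/AltMeDisable strap actually does. As an added example (not code from this thread, from me_cleaner, or from Purism), here is a small Python script that reads and sets that strap in a flash descriptor dump and reports exactly which bytes the patch touched, which is the check to do before flashing anything. The descriptor layout (signature 0x0FF0A55A at offset 0x10, FLMAP1 at 0x18, FPSBA in 16-byte units) and the strap locations (HAP = PCHSTRP0 bit 16 at FPSBA for ME 11+; AltMeDisable = PCHSTRP10 bit 7 at FPSBA + 0x28 for older ME) are taken from me_cleaner's documented behaviour and should be treated as assumptions to cross-check against the tool's source before touching a real image. The `me11` flag is a hypothetical parameter: me_cleaner derives the ME generation from the firmware itself, while here the caller passes it in. The descriptor the script operates on is constructed inline, not a real dump, and the script strips no ME partitions; that is a separate step.

```python
"""Read and set the ME "disable" strap in an Intel flash descriptor dump.

Added example for the qubes-users thread; not me_cleaner's code.
Strap locations below are ASSUMPTIONS taken from me_cleaner's documented
behaviour (wiki page linked in the thread); cross-check before real use.
  ME >= 11: HAP bit          = PCHSTRP0  bit 16 (at FPSBA + 0x00)
  ME <  11: AltMeDisable bit = PCHSTRP10 bit 7  (at FPSBA + 0x28)
Flipping the strap does not strip any ME partition or module.
"""
import struct

FD_SIGNATURE = 0x0FF0A55A    # descriptor magic, little-endian u32 at 0x10
FD_SIGNATURE_OFFSET = 0x10
FLMAP1_OFFSET = 0x18         # FLMAP0 lives at 0x14, FLMAP1 at 0x18


def find_fpsba(image: bytes) -> int:
    """Return the byte offset of the PCH strap area (FPSBA), or raise."""
    if len(image) < FLMAP1_OFFSET + 4:
        raise ValueError("image too short to contain a flash descriptor")
    sig = struct.unpack_from("<I", image, FD_SIGNATURE_OFFSET)[0]
    if sig != FD_SIGNATURE:
        raise ValueError("no flash descriptor signature at offset 0x10")
    flmap1 = struct.unpack_from("<I", image, FLMAP1_OFFSET)[0]
    # FPSBA is bits 16..23 of FLMAP1, in units of 16 bytes (assumption).
    return ((flmap1 >> 16) & 0xFF) << 4


def strap_location(me11: bool):
    """(offset from FPSBA, bit mask) of the disable strap for this ME generation."""
    if me11:
        return 0x00, 1 << 16     # PCHSTRP0, HAP bit (assumption)
    return 0x28, 1 << 7          # PCHSTRP10, AltMeDisable bit (assumption)


def read_disable_bit(image: bytes, me11: bool) -> bool:
    """True if the relevant disable strap is already set."""
    off, mask = strap_location(me11)
    strap = struct.unpack_from("<I", image, find_fpsba(image) + off)[0]
    return bool(strap & mask)


def set_disable_bit(image: bytes, me11: bool) -> bytes:
    """Return a copy of the image with the disable strap set; idempotent."""
    buf = bytearray(image)
    off, mask = strap_location(me11)
    pos = find_fpsba(buf) + off
    strap = struct.unpack_from("<I", buf, pos)[0]
    struct.pack_into("<I", buf, pos, strap | mask)
    return bytes(buf)


def changed_offsets(before: bytes, after: bytes):
    """Byte offsets where two equal-length images differ, to audit a patch."""
    if len(before) != len(after):
        raise ValueError("images differ in length")
    return [i for i, (x, y) in enumerate(zip(before, after)) if x != y]


def make_test_descriptor(fpsba: int = 0x100, size: int = 0x1000) -> bytes:
    """Constructed 4 KiB descriptor region (NOT a real dump): valid signature,
    FLMAP1 pointing the strap area at `fpsba`, every strap zeroed."""
    buf = bytearray(size)
    struct.pack_into("<I", buf, FD_SIGNATURE_OFFSET, FD_SIGNATURE)
    struct.pack_into("<I", buf, FLMAP1_OFFSET, (fpsba >> 4) << 16)
    return bytes(buf)


if __name__ == "__main__":
    img = make_test_descriptor()
    for gen, label in ((True, "HAP (ME >= 11)"), (False, "AltMeDisable (ME < 11)")):
        patched = set_disable_bit(img, gen)
        print(label,
              "before:", read_disable_bit(img, gen),
              "after:", read_disable_bit(patched, gen),
              "bytes changed at:", [hex(o) for o in changed_offsets(img, patched)])
```

On a full SPI dump the descriptor is the first region, so the same offsets apply from the start of the file; on the constructed image the HAP patch changes exactly one byte (0x102, the third byte of PCHSTRP0) and the AltMeDisable patch exactly one (0x128). If a patch on a real image changes anything else, stop and look at why before writing it back.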