Looks like it is a bit of a blind way. Using a reasonably secure OS without the possibility of using it on reasonably secure HW is an issue which needs to be addressed a bit. I originally guessed that Qubes would run well on the RYF devices, and I am quite surprised it doesn't (doesn't it?). Is there any strong issue which prevents Qubes from functioning with RYF devices?
Am I missing something on the assumption that RYF devices, with disabled IME-AMT known security hole, with the coreboot instead of BIOS and so on, are more secure-potential than the non-RYFs? I need a working laptop. Desktop is not an option.

Sep 17, 2018, 11:54 PM by [email protected]:

> On 09/16/2018 02:51 AM, 'awokd' via qubes-users wrote:
>
>> On Sat, September 15, 2018 10:30 am, [email protected] wrote:
>>
>>> Hi, during my email conversation with the Todd Weaver
>
> That liar comes out of nowhere with his super slick marketing and sets the computing freedom movement back 10 years.
>
> At first I thought it was just being naive but now as he persists it seems more like malice.
>
> puri.junk does NOT respect you, it is fully blobbed and the ME is not at all disabled.
>
> Todd Weaver is a lying fraudster.
>
>>> in the pre-IME-disabled time, he told me they will fully disable the IME and AMT within next week. After about a week they announced they did just that. Are these links a lie?
>>> https://puri.sm/posts/measuring-the-intel-me-to-create-a-more-secure-computer/
>>> https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/
>>
>> "Lie" depends on your definition of "completely". Skylake onwards processors can have much of ME disabled. I believe Purism with Heads and a handful of other manufacturers are using the technique here: http://blog.ptsecurity.com/2017/08/disabling-intel-me.html , but as you can see there are still some modules required for initialization before the HAP bit takes effect and skips the remainder. Additionally, there is an FSP blob needed for init. Currently shipping AMD CPUs are no better.
>
> Skylake kernel still runs, that is not disabled and there is more than enough ability to play dirty tricks like SMM rootkits or what not.
>
> HAP is asking politely.
>
>>> Talking about alternatives: how does Qubes 4.0 stand with RYF certified X200? Like for example this one:
>>> https://tehnoetic.com/laptops/tet-x200s
>>> and others like T400 and T500, which can be found there as well. Working well? Any issues known? Thank you
>>
>> At present, RYF has not certified any laptops with hardware capable of running Qubes 4.0, but there are a couple older AMDs that can. A scale of hardware openness/owner control from most to least would be something like:
>>
>> 10: OpenPOWER, RYF certified x86 with all blobs replaced- Qubes 4.0 can't run on either
>
> Since you mention power and there aren't currently any laptops do you mean laptops or desktops? In terms of desktops there are a variety that qubes 4.0 can run on.
>
> The future is POWER for all...
>
>> 8: older AMD like A10-5750M- a couple blobs required but Qubes 4.0 works on these and the rest listed
>> 6: pre-Skylake Intel with ME/HAP tweaks- a few more blobs and 2 ME modules required
>> 4: Skylake+ Intel with ME/HAP tweaks, AMD Ryzen with PSP disabled in UEFI config- more blobs and modules required
>
> That doesn't disable it! You are simply asking nicely for it to shut off and hoping that it does so. It is not at all equivalent to say pre-core intel systems where one really could disable it or even better one that doesn't have any black boxes like the talos.
>
>> 0: Intel/AMD x86 with no tweaks- most shipping volume today
>>
>> ARM (& possibly RISC) is a special case in that the integrator can decide where on the scale they want to deliver their product, but neither support Qubes 4.0.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/LMd_7Yr--3-1%40tutanota.com.
For more options, visit https://groups.google.com/d/optout.
