Hi Thierry, thank you for your excellent and extensive explanation of the
topic, just wow! This is precisely what semi-techs like me need, to
understand the heavy-tech topics more.

It helped me to see the differences between vt-d1 vs vt-d2 and their
implications. Yes, the X200 is excellent for Tails, but I need to run
Qubes 4 too. So if I understand it properly, the X230 has remains of the ME
which are, however, deactivated before the kernel boots. This shrinks the
attack options quite a bit, clear. I understand you prefer to post answers
directly on the forum.

About the prices:
- What exactly does the Hardware reprogramming fee mean? Is it the ME
  cleanup? Is it an extra charge of $250 on top of $620 for actually freeing
  the X230? The $620 is for a non-free X230 then?

Are you sometimes in the EU?

thx

Nov 13, 2018, 5:52 PM by [email protected]:
> Hi all,
> Sorry to have misadvertised Purism's work. I didn't come across that post:
> https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops/
> So it seems that Intel ME deactivation is on par with Ivy Bridge, resulting
> in only the ROMP and BUP modules being required to initialize ME.
>
> For firmware binary blob requirements, FSP is still required, see here:
> https://github.com/osresearch/heads/tree/master/blobs/librem_skl
> and here:
> https://github.com/osresearch/heads/blob/master/config/coreboot-librem13v2.config
>
> Thierry
>
> On Tue, Nov 13, 2018 at 10:44 AM Thierry Laurion <[email protected]> wrote:
>> Hi qubes-fan. Answers inline.
>>
>> On Tue, Nov 13, 2018 at 6:27 AM <[email protected]> wrote:
>>> Hi Thierry, I wasn't aware the X230 can be freed the same way as the
>>> X200 can.
>>
>> Unfortunately, the x230 cannot have Intel ME deleted the same way the x200
>> can, even though binary-free firmware is on par with it.
>>
>> The x200 is RYF certified where the x230 isn't, for approximately the same
>> reasons Libreboot supports only the former. RYF and Libreboot have a really
>> strong guideline against binary blobs. Libreboot even opened up its ethic
>> to support the x220 (Sandy Bridge), but backed off, since part of the ME
>> engine is still present even if deactivated. The RYF certification could
>> not be obtained for those. See archive:
>> https://web.archive.org/web/20170404144825/https://minifree.org/product/libreboot-x220/
>>
>> Intel ME can be completely removed on the x200 (GM45 based), leaving no
>> trace of it at all (https://libreboot.org/faq.html#intel). It can be
>> neutralized on the x220 and x230 (Ivy Bridge), leaving only the ROMP and
>> BUP modules (<90k of it), but "deactivating" ME before its kernel is even
>> booted, where the Librem laptops have parts of it deactivated only, and
>> unfortunately contain binary blobs in the firmware. Once again, depending
>> on your threat model, that may or may not be a deal breaker for you.
>>
>> Neutralizing/Deactivating/Deleting/Freeing Intel ME is a word game over
>> which a lot of ink has been spilled in the last years. I suggest you read
>> this doc:
>> https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F
>> Basically, Intel ME version <11 can be deactivated, since no kernel needs
>> to be present in the firmware for validation prior to initialization,
>> resulting in the BUP module only being launched, permitting the machine to
>> boot, where version >11 requires the kernel and syslib modules to be
>> present and validated at initialization. So even if Intel ME is neutralized
>> by me_cleaner, the modules are still there in >11. Could they be executed?
>> That depends on your beliefs and threat modeling.
>>
>> Technically, GM45 based laptops are currently the last Intel based hardware
>> where Intel ME can be completely removed. Unfortunately, such old hardware
>> comes with important limitations, some of which make it incompatible with
>> QubesOS 4 requirements for isolation and virtualization. The x200 has vt-d1
>> only, no vt-d2 (no IOMMU!): there is no interrupt remapping, meaning that
>> there is no hardware isolation enforced in QubesOS.
>> https://github.com/QubesOS/qubes-issues/issues/1594#issuecomment-209213917
>>
>> At best, the x200 is an awesome laptop for using Tails, but not with
>> QubesOS. Using it with QubesOS gives the user an illusion of hardware
>> isolation, putting him at risk.
>>
>>> As you saw, I am thinking about buying the RYF
>>> https://tehnoetic.com/tet-t400s
>>> to be able to run Qubes 4. The T400s unfortunately has 8GB RAM max, and
>>> so the X230 with 16GB seems very interesting.
>>
>> The T400s is a hardware equivalent of the x200.
>>
>>> So my question is if the X230 is really deprived of all ME-AMT, or any
>>> non-free dirt?
>>
>> See here for the output of me_cleaner:
>> https://github.com/osresearch/heads-wiki/blob/master/Clean-the-ME-firmware.md
>> with this understanding:
>> https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F
>>
>>> If this is the case, your offer seems really interesting with all
>>> mentioned options available. I also use the RYF X200 for non-Qubes
>>> activities, but it would be just excellent if I could have just one
>>> machine for Qubes+non-Qubes too.
>>
>> A lower end AMD laptop, the G505s, seems a good candidate for libre
>> oriented QubesOS users. Its porting to Heads is on the way, even though I
>> do not have that hardware myself.
>> https://github.com/osresearch/heads/issues/453
>>
>> As some pointed out earlier, the EC is still a binary blob present in
>> laptops (not currently freed), and microcode updates are unfortunately
>> still required for security.
>>
>> The laptop world needs to be shaken. Binary-free laptops exist, but do not
>> support QubesOS.
>> Talos II is the best libre free desktop/server available but isn't
>> supported by QubesOS, where the KGPE-D16/KCMA-D8 are still the best x86
>> desktop/servers available. The x230 laptop is the most supported and libre
>> laptop available, where BUP Intel ME initialization is tolerable.
>>
>> The Heads project should be considered as a trusted base for any security
>> conscious user.
>> http://osresearch.net/
>>
>> Linuxboot, Systemboot and other projects based on u-boot/u-root should
>> also be considered for collocating private cloud services on more recent
>> x86 servers:
>> https://github.com/systemboot/systemboot
>> https://www.linuxboot.org/
>>
>> Hope that it answers your questions.
>>
>>> Nov 12, 2018, 7:30 AM by [email protected]:
>>> > Hi!
>>> >
>>> >> I checked out the x230 and you are right they are available and
>>> >> cheap. I would still be interested in finding some company/individual
>>> >> who I can trust to take care of the BIOS flashing for me as a service
>>> >> (I would think others would also want this service as well...). The
>>> >> problem is who?
>>> >
>>> > I started Insurgo Technologies Libres/Open Technologies exactly for
>>> > that!
>>> > https://www.facebook.com/InsurgoTech/insights/?section=navPosts
>>> >
>>> > We actually reprogram A-Grade refurbished x230 with Heads firmware
>>> > (http://osresearch.net/), while neutralizing Intel ME
>>> > (https://github.com/osresearch/heads-wiki/blob/master/Clean-the-ME-firmware.md)
>>> > while being there.
>>> >
>>> > I have collaborated with Heads and QubesOS developers for a while now.
>>> > QubesOS can even be preinstalled with the user's desired customizations
>>> > (https://github.com/SkypLabs/my-qubes-os-formula/issues) or shipped
>>> > with the latest QubesOS ISO on external MicroSD support. Heads
>>> > validates ISO integrity with the distribution's signing keys prior to
>>> > booting them (Tails, Fedora, QubesOS).
>>> >
>>> > Heads, deployed with a Nitrokey Pro v2/LibremKey or by using the
>>> > internal TPM, validates ROM integrity before booting from it. With the
>>> > help of a NitroKey/LibremKey
>>> > (https://puri.sm/posts/introducing-the-librem-key/), the boot
>>> > configurations are signed with the user's keys and verified, and the
>>> > firmware integrity is attested at each reboot through HOTP (LED
>>> > flashing) or TPMTOTP on the user's cell phone through Google
>>> > Authenticator or a compatible app.
>>> >
>>> > The user receives the Nitrokey/LibremKey and his computer in distinct
>>> > shipping packages and reunites them at first laptop boot to attest that
>>> > the firmware of the computer has not been tampered with in transit.
>>> > (https://puri.sm/posts/introducing-the-librem-key/)
>>> >
>>> > The user, upon bootup integrity attestation, proceeds to take ownership
>>> > of his new laptop (TPM) and his LibremKey. The user is then invited to
>>> > reencrypt his SSD encrypted content with his own chosen passphrase
>>> > (https://github.com/osresearch/heads/issues/463) and to choose a
>>> > secondary disk unlock passphrase, which will unlock encrypted disk
>>> > content only if the firmware has boot attested integrity.
>>> >
>>> > Notes:
>>> > The user will be able to ask Insurgo for interactive support in the
>>> > near future. (https://github.com/SkypLabs/my-qubes-os-formula/issues/6)
>>> > Buying from Insurgo (ITL/IOT) directly funds my participation in
>>> > those projects.
>>> > Bulk discounts are available upon request. Insurgo plans to transition
>>> > into a working/buying cooperative in the near future.
>>> >
>>> > Prices are in Canadian Dollars (CDN)
>>> > x230 i5 240GB SSD 16GB Webcam and IPS: $620
>>> > Hardware reprogramming fee: +$250
>>> > Backlit Keyboard: $40 (optional)
>>> > Webcam: $10 (optional)
>>> > Nitrokey/LibremKey: +$80
>>> > The refurbisher offers a warranty plan on the value of the purchase:
>>> > 1 Month 5%
>>> > 3 Months 10%
>>> > 6 Months 15%
>>> > 1 Year 25%
>>> >
>>> > Thierry Laurion:
>>> > GitHub: https://github.com/tlaurion/
>>> > LinkedIn: https://www.linkedin.com/in/thierry-laurion-40b4128/
>>> >
>>> > Insurgo, Technologies Libres / Open Technologies:
>>> > email: [email protected] for more information.
>>> > GPG key: http://keys.gnupg.net/pks/lookup?op=get&search=0x79C78E6659DB658F
>>> > Follow this guide or its platform equivalent:
>>> > https://securityinabox.org/en/guide/thunderbird/mac/
>>> > Website: https://Insurgo.ca
>>> > Facebook: https://www.facebook.com/InsurgoTech/
>>> >
>>> > On Sun, Nov 11, 2018 at 9:26 PM <[email protected]> wrote:
>>> >> Unman, your posts have been extremely helpful to me and I can't thank
>>> >> you enough for the help (I am sure many others would agree).
>>> >>
>>> >> However I think your "..Pretty easy to maintain.." would be hell for
>>> >> me.
>>> >>
>>> >> Librem (and maybe the Majora line) have huge appeal for me as they
>>> >> take care of the BIOS flashing.
>>> >>
>>> >> I checked out the x230 and you are right they are available and
>>> >> cheap. I would still be interested in finding some company/individual
>>> >> who I can trust to take care of the BIOS flashing for me as a service
>>> >> (I would think others would also want this service as well...). The
>>> >> problem is who?
>>> >>
>>> >> Thanks...
>>> >>
>>> >> ("-boxy is the new black." Good one and couldn't agree more...very
>>> >> funny!)
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/LRGh-XK--3-1%40tutanota.com.
For more options, visit https://groups.google.com/d/optout.
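Thierry's point that vt-d without interrupt remapping (the x200 case) gives only an illusion of isolation under Qubes can be checked on a booted system from what Xen prints in `xl dmesg` (or the kernel in `dmesg`). The Python below is an added example, not code from the thread, Qubes or Heads; the sample log excerpts are constructed, and the exact Xen/Linux wording it matches is an assumption, kept loose because it varies between versions.

```python
import re

# Constructed excerpts in the style of Xen's "xl dmesg" as seen from Qubes
# dom0. NOT captured from real machines: the x200-style one assumes VT-d
# present but interrupt remapping absent, as the thread describes.
X200_STYLE = """\
(XEN) Intel VT-d iommu 0 supported page sizes: 4kB.
(XEN) Intel VT-d Snoop Control not enabled.
(XEN) Intel VT-d Queued Invalidation enabled.
(XEN) Intel VT-d Interrupt Remapping not enabled.
(XEN) I/O virtualisation enabled
(XEN)  - Dom0 mode: Relaxed
"""
X230_STYLE = """\
(XEN) Intel VT-d iommu 0 supported page sizes: 4kB, 2MB.
(XEN) Intel VT-d Snoop Control enabled.
(XEN) Intel VT-d Queued Invalidation enabled.
(XEN) Intel VT-d Interrupt Remapping enabled.
(XEN) I/O virtualisation enabled
(XEN)  - Dom0 mode: Relaxed
"""

# (positive, negative) evidence per feature; the Linux "DMAR"/"DMAR-IR"
# alternatives are assumed wordings as well. A negative line always wins,
# so "Interrupt Remapping not enabled" can never be read as enabled.
EVIDENCE = {
    "iommu": (
        re.compile(r"I/O virtualisation enabled|DMAR: IOMMU enabled", re.I),
        re.compile(r"I/O virtualisation disabled", re.I),
    ),
    "intremap": (
        re.compile(r"Interrupt remapping enabled|Enabled IRQ remapping", re.I),
        re.compile(r"Interrupt remapping (not enabled|disabled)|DMAR-IR:.*not supported", re.I),
    ),
}

MESSAGES = {
    "no-iommu": "no IOMMU: device isolation is not enforced in hardware",
    "iommu-no-intremap": "IOMMU without interrupt remapping: a passed-through "
                         "device can still forge interrupts, Qubes 4 does not "
                         "treat this as enforced isolation",
    "iommu-intremap": "IOMMU with interrupt remapping: meets the Qubes 4 requirement",
}

def scan(lines):
    """Return {feature: True/False/None}; None means no line mentioned it."""
    state = {feat: None for feat in EVIDENCE}
    for line in lines:
        for feat, (positive, negative) in EVIDENCE.items():
            if negative.search(line):
                state[feat] = False
            elif positive.search(line) and state[feat] is None:
                state[feat] = True
    return state

def verdict(state):
    """Map the evidence onto the three levels the thread distinguishes."""
    if state["iommu"] is not True:
        return "no-iommu"
    if state["intremap"] is not True:
        return "iommu-no-intremap"   # the x200 situation
    return "iommu-intremap"

def assess(text):
    """Raw dmesg text in, (verdict key, human-readable message) out."""
    key = verdict(scan(text.splitlines()))
    return key, MESSAGES[key]

if __name__ == "__main__":
    for name, sample in (("x200-style", X200_STYLE), ("x230-style", X230_STYLE)):
        print(name, "->", assess(sample)[1])
```

On a real Qubes machine the input would be the output of `sudo xl dmesg` in dom0; absence of any matching line is reported as no evidence, not as success.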
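Thierry's description of Heads attesting firmware integrity at each reboot through HOTP against a Nitrokey/LibremKey can be followed end to end in the Python model below. It is an added example and not Heads or Nitrokey code: the TPM seal and the token are simulated classes, the measurement is a plain SHA-256 of a constructed firmware image (standing in for the PCR the firmware extends), and the firmware keeps its HOTP counter in a plain dict; only the HOTP computation follows the real standard (RFC 4226).

```python
import hashlib
import hmac
import os
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def measure(firmware: bytes) -> bytes:
    """Stand-in for the PCR value the root of trust measures the firmware into."""
    return hashlib.sha256(firmware).digest()

class SealedSecret:
    """Simulated TPM seal: the secret is released only when the current
    measurement equals the one recorded at provisioning time."""
    def __init__(self, secret: bytes, measurement: bytes):
        self._secret, self._measurement = secret, measurement
    def unseal(self, measurement: bytes):
        return self._secret if hmac.compare_digest(measurement, self._measurement) else None

class Token:
    """Simulated Nitrokey/LibremKey HOTP slot: same secret, its own counter,
    answers green/red like the LED on the real token."""
    def __init__(self, secret: bytes):
        self._secret, self.counter = secret, 0
    def verify(self, code: str, window: int = 3) -> str:
        for c in range(self.counter, self.counter + window):   # tolerate skipped boots
            if hmac.compare_digest(hotp(self._secret, c), code):
                self.counter = c + 1   # never accept the same counter twice
                return "green"
        return "red"

def provision(firmware: bytes):
    """Done once by the owner: a fresh secret sealed to the good firmware's
    measurement, and the same secret written into the token."""
    secret = os.urandom(20)
    return SealedSecret(secret, measure(firmware)), Token(secret), {"counter": 0}

def boot(firmware: bytes, sealed: SealedSecret, token: Token, fw_state: dict) -> str:
    """Each reboot: measure, unseal, compute HOTP, let the token judge it.
    Modified firmware changes the measurement, so it never obtains the secret."""
    secret = sealed.unseal(measure(firmware))
    if secret is None:
        return "red"   # unseal failed: firmware differs from what was provisioned
    code = hotp(secret, fw_state["counter"])
    fw_state["counter"] += 1
    return token.verify(code)

if __name__ == "__main__":
    GOOD = b"coreboot+heads image (constructed)"
    sealed, token, state = provision(GOOD)
    print("first boot:", boot(GOOD, sealed, token, state))
    print("tampered  :", boot(GOOD + b"\x00implant", sealed, token, state))
```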
