Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-13 Thread taii...@gmx.com
Hey guys you don't need a VGA ROM for the integrated graphics - they use
coreboot native init.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/83815341-1da4-75ae-87d3-e4f841bcc967%40gmx.com.
For more options, visit https://groups.google.com/d/optout.




Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-13 Thread Holger Levsen
Hi,

On Fri, Apr 06, 2018 at 08:25:37PM +0200, 799 wrote:
> as described in the howto I have extracted the vga.rom from my own
> BIOS-files.
> I can use resume and the laptop reconnects its network adapters as soon as
> it wakes up.
> So far no issues at all.

thanks for explaining.

> > The coreboot config I have used is here:
> > > https://github.com/Qubes-Community/Contents/blob/
> > master/docs/coreboot/x230-configfile
> >
> > thanks, depending on your answer to the above question I probably
> > compare yours with mine ;)
> >
> 
> Can you share your config file?
> I am sure that there is room for improvement in my config.

http://layer-acht.org/thinking/blog/20170827-coreboot-build-environment/
has a link to the config I used. (which doesn't use the nonfree vgabios
blob, but then I also had resume issues, which you don't have...)


-- 
cheers,
Holger



Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-06 Thread 'awokd' via qubes-users
On Fri, April 6, 2018 11:18 pm, 799 wrote:
> On 07.04.2018 at 12:35 AM, "taii...@gmx.com" wrote:
>
>
> On 04/06/2018 05:22 AM, 799 wrote:
>
>
>> It seems to me that if I run Coreboot with grub + encrypted boot, there
>> is no need to run anti evil maid, as the boot partition can't be messed
>> with.
> Assuming you set the write-lock on the flash descriptor and have a
> physical anti-tamper sticker on the case screws.
>
>
> what exactly does it mean "set write-lock on flash descriptor" and where
> can I do this.

Not sure how exactly, but it makes it so you have to physically flash it
again.

> Regarding Stickers I think it is very easy to replace those for someone
> who is willing to sneak silently into my laptop. What kind of stickers do
> you suggest?

Glitter fingernail polish and take a picture.


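An added example, not part of the thread or of any poster's tooling: one way to see what "write-lock on the flash descriptor" means in practice is to read the master access section of a flash dump and list which regions the host CPU may still write. It assumes the version 1 descriptor layout used on the X220/X230 generation; the two sample descriptors are constructed for the demonstration, not dumped from a real machine.

```python
"""List the SPI flash regions the host CPU may write, per the Intel flash descriptor."""
import struct
import sys

FLVALSIG = 0x0FF0A55A  # descriptor signature
REGIONS = ("descriptor", "bios", "me", "gbe", "platform_data")  # mask bits 0..4
MASTERS = ("host_cpu", "me", "gbe")  # FLMSTR1, FLMSTR2, FLMSTR3


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _regions(mask):
    return [name for bit, name in enumerate(REGIONS) if mask & (1 << bit)]


def parse_master_access(image):
    """Return {master: {"read": [...], "write": [...]}} from a flash image."""
    # The signature sits at 0x10 on most images and at 0x00 on the oldest ones.
    for sig in (0x10, 0x00):
        if len(image) >= sig + 12 and _u32(image, sig) == FLVALSIG:
            break
    else:
        raise ValueError("no Intel flash descriptor signature found")
    # FLMAP1 follows the signature and FLMAP0; bits 7:0 hold the master base >> 4.
    fmba = (_u32(image, sig + 8) & 0xFF) << 4
    if fmba + 4 * len(MASTERS) > len(image):
        raise ValueError("master section lies outside the image")
    access = {}
    for i, master in enumerate(MASTERS):
        flmstr = _u32(image, fmba + 4 * i)
        access[master] = {
            "read": _regions((flmstr >> 16) & 0xFF),   # bits 23:16
            "write": _regions((flmstr >> 24) & 0xFF),  # bits 31:24
        }
    return access


def host_write_report(image):
    """Summarise what software running on the main CPU is allowed to rewrite."""
    writable = parse_master_access(image)["host_cpu"]["write"]
    return {"descriptor_locked": "descriptor" not in writable,
            "host_writable": writable}


def build_sample_descriptor(flmstr1, flmstr2=0x0C0D0000, flmstr3=0x08080118):
    """Constructed 4 KiB descriptor carrying only the fields this check reads."""
    img = bytearray(b"\xff" * 4096)
    struct.pack_into("<I", img, 0x10, FLVALSIG)
    struct.pack_into("<I", img, 0x18, 0x06)  # FLMAP1: master section at 0x60
    struct.pack_into("<III", img, 0x60, flmstr1, flmstr2, flmstr3)
    return bytes(img)


SAMPLE_LOCKED = build_sample_descriptor(0x0A0B0000)    # constructed: host writes bios + gbe only
SAMPLE_UNLOCKED = build_sample_descriptor(0xFFFF0000)  # constructed: host writes every region

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a flash dump
        with open(sys.argv[1], "rb") as fh:
            print(host_write_report(fh.read()))
    else:
        print("locked sample:  ", host_write_report(SAMPLE_LOCKED))
        print("unlocked sample:", host_write_report(SAMPLE_UNLOCKED))
```

In the constructed locked sample the BIOS region is still host-writable, so a descriptor lock of this kind protects the descriptor and ME regions but does not by itself make the coreboot image read-only; that needs the flash chip's own write protection on top.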


Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-06 Thread 799
On 07.04.2018 at 12:35 AM, "taii...@gmx.com" wrote:

> On 04/06/2018 05:22 AM, 799 wrote:
>
> > It seems to me that if I run Coreboot with grub + encrypted boot, there is
> > no need to run anti evil maid, as the boot partition can't be messed with.
> Assuming you set the write-lock on the flash descriptor and have a
> physical anti-tamper sticker on the case screws.


What exactly does it mean "set write-lock on flash descriptor" and where
can I do this?

Regarding stickers, I think it is very easy to replace those for someone who
is willing to sneak silently into my laptop.
What kind of stickers do you suggest?

[799]



Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-06 Thread taii...@gmx.com
On 04/06/2018 05:22 AM, 799 wrote:

> It seems to me that if I run Coreboot with grub + encrypted boot, there is
> no need to run anti evil maid, as the boot partition can't be messed with.
Assuming you set the write-lock on the flash descriptor and have a
physical anti-tamper sticker on the case screws.



Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-06 Thread 799
Hello,

On 6 April 2018 at 15:05, Holger Levsen wrote:

>
> On Fri, Apr 06, 2018 at 09:22:52AM +, 799 wrote:
> > As mentioned I have also drafted a how-to to setup Coreboot on a X230,
> > including building the pi, flashrom and extracting Blobs.
>
> out of curiosity: does resume work reliably for you? For me it didn't
> with coreboot (and the free VGA bios) but it does with legacy bios...
>

as described in the howto I have extracted the vga.rom from my own
BIOS-files.
I can use resume and the laptop reconnects its network adapters as soon as
it wakes up.
So far no issues at all.

I've run into one problem when I tried to start my AppVMs after flashing
coreboot.

Problem:
Some VMs were unable to boot (sys-net and also some other AppVMs),
Error message:
Get the message PCI device 
does not exist

Solution:
Following the suggestions mentioned here and removing some devices which
don't make sense.
https://github.com/QubesOS/qubes-issues/issues/3619

qvm-pci ls 
qvm-pci detach  

I had to open Qubes Settings for the sys-net VM to assign the Wifi Network
controller back to the VM.
It got lost after flashing coreboot.

> The coreboot config I have used is here:
> > https://github.com/Qubes-Community/Contents/blob/
> master/docs/coreboot/x230-configfile
>
> thanks, depending on your answer to the above question I probably
> compare yours with mine ;)
>

Can you share your config file?
I am sure that there is room for improvement in my config.


> > I wrote the how-to as I need to look at several places to get everything
> > together for example how to extract Blobs, how to merge two bios files
> into
> > one etc.
> > It seems to me that if I run Coreboot with grub + encrypted boot, there
> is
> > no need to run anti evil maid, as the boot partition can't be messed
> with.
> > Is this correct?
>
> mostly. The boot partition cannot be messed up but the components of
> your computer can be changed (eg a keyboard controller recording your
> keystrokes) and anti-evil-maid is designed to also detect those attacks.
> However these attacks are also much more sophisticated and require more
> time and are harder to do than just replacing a kernel image on an
> unencrypted boot partition.
>

Ok, I have not yet understood all the pieces of anti evil maid and of
course you are right that replacing my keyboard with a keyboard which has a
keylogger installed will make my system reasonably insecure.
On the other hand, I don't think that I am a high profile target and if
this would change, I guess there are much easier ways to get the
data/information.
https://en.wikipedia.org/wiki/Enhanced_interrogation_techniques ... :-o

[799]



Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-06 Thread Holger Levsen
hi,

On Fri, Apr 06, 2018 at 09:22:52AM +, 799 wrote:
> As mentioned I have also drafted a how-to to setup Coreboot on a X230,
> including building the pi, flashrom and extracting Blobs.

out of curiosity: does resume work reliably for you? For me it didn't
with coreboot (and the free VGA bios) but it does with legacy bios...

(and btw, with legacy bios resume is quite very reliable again, just
sometimes/often the wireless doesn't work after resume; though now I
found out a workaround: just suspend+resume until it comes back with
working wireless... ;)

> The coreboot config I have used is here:
> https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230-configfile

thanks, depending on your answer to the above question I probably
compare yours with mine ;)

> I wrote the how-to as I need to look at several places to get everything
> together for example how to extract Blobs, how to merge two bios files into
> one etc.

> It seems to me that if I run Coreboot with grub + encrypted boot, there is
> no need to run anti evil maid, as the boot partition can't be messed with.
> 
> Is this correct?

mostly. The boot partition cannot be messed up but the components of
your computer can be changed (eg a keyboard controller recording your
keystrokes) and anti-evil-maid is designed to also detect those attacks.
However these attacks are also much more sophisticated and require more
time and are harder to do than just replacing a kernel image on an
unencrypted boot partition.


-- 
cheers,
Holger



Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-06 Thread G

On 2018-04-06 09:22, 799 wrote:

> As mentioned I have also drafted a how-to to setup Coreboot on a X230,
> including building the pi, flashrom and extracting Blobs.
>
> My how-to is located in the Qubes Community docs.
>
> While I need to fill in some small gaps how to put the hardware parts
> together, all the other stuff is covered including extracting Blobs
> and vga.rom.
>
> The how-to is located here:
> https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230.md
>
> The coreboot config I have used is here:
> https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230-configfile

Good guide, thank you. I'm looking forward to better understanding Heads
(http://osresearch.net/) and maybe adding some notes on it.

Currently I do not have a Github account set up, so I will not be able
to make a pull request adding my guide. If anyone can do it, it would be
much appreciated, otherwise I'll probably do it given some time.

> I am interested in getting the best out of both worlds (Coreboot +
> Qubes).
> It seems that your approach (using GRUB) offers some benefits vs.
> using SeaBIOS as the boot partition can so be encrypted.
>
> Are there issues going this way? For example breaking the future
> upgrade ability ?
>
> It seems to me that if I run Coreboot with grub + encrypted boot,
> there is no need to run anti evil maid, as the boot partition can't be
> messed with.
>
> Is this correct?

Currently I have hardcoded the kernel version in the grub config inside
the ROM. This is an ugly temporary solution as obviously even if I
upgrade I'll continue to boot the old kernel by default. My idea is to
modify the update script to always add/update a symlink to the newest
kernel and use that naming in Grub but I have yet to look into it.

As for the AEM, I guess that if you are satisfied with your Grub config
you could set the lock bits in coreboot and flash the rom as read only.
Also preventing the boot of external devices should be a good idea.
However as far as I can understand, while this is better than the
standard it doesn't really provide a valid chain of trust. There are
still additional measures that can be taken like signing your kernel and
using the TPM, see https://trmm.net/Heads for more details.


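An added sketch of the symlink idea from the message above (not G's update script, and not part of the thread): pick the newest installed kernel and atomically repoint stable names that a GRUB config baked into the ROM could reference. The `vmlinuz-<version>` / `initramfs-<version>.img` file naming and the link names `vmlinuz-latest` and `initramfs-latest.img` are assumptions made for the example.

```python
"""Keep stable symlinks in /boot pointing at the newest complete kernel."""
import os
import re

KERNEL_RE = re.compile(r"^vmlinuz-(\d.+)$")  # a version starts with a digit
# Hypothetical stable link names mapped to the versioned files they follow.
LINKS = {
    "vmlinuz-latest": "vmlinuz-{v}",
    "initramfs-latest.img": "initramfs-{v}.img",
}


def version_key(version):
    """Sort key that compares numeric chunks as numbers, so 4.14 > 4.9."""
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.findall(r"\d+|[A-Za-z_]+", version)]


def installed_versions(boot_dir):
    """Versions that have BOTH a kernel and an initramfs, oldest first."""
    versions = []
    for name in os.listdir(boot_dir):
        match = KERNEL_RE.match(name)
        if not match or os.path.islink(os.path.join(boot_dir, name)):
            continue
        v = match.group(1)
        # Skip half-installed kernels: linking to one would leave the
        # default boot entry unbootable.
        if all(os.path.isfile(os.path.join(boot_dir, t.format(v=v)))
               for t in LINKS.values()):
            versions.append(v)
    return sorted(versions, key=version_key)


def atomic_symlink(target, link_path):
    """Create the link under a temporary name, then rename it into place."""
    tmp = link_path + ".new"
    if os.path.lexists(tmp):
        os.remove(tmp)
    os.symlink(target, tmp)
    os.replace(tmp, link_path)  # the rename replaces the old link in one step


def update_latest_links(boot_dir):
    """Repoint every stable link at the newest version; return that version."""
    versions = installed_versions(boot_dir)
    if not versions:
        raise FileNotFoundError("no complete kernel + initramfs pair in " + boot_dir)
    newest = versions[-1]
    for link, template in LINKS.items():
        # Relative targets keep the links valid however the boot loader
        # mounts the boot filesystem.
        atomic_symlink(template.format(v=newest), os.path.join(boot_dir, link))
    return newest


if __name__ == "__main__":
    print("default kernel is now", update_latest_links("/boot"))
```

A plain string sort would rank 4.9.x above 4.14.x, which is why the key splits out the numeric parts.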


Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-06 Thread G

On 2018-04-05 19:38, 799 wrote:

> Nice how-to, I'm currently writing something similar for my X230.
>
> Would you mind adding your howto to the Qubes Community doc
> repository, which we've established to work on howtos and docs until
> they're easy to be migrated to the official Qubes Docs.
> If you agree, I can also add your notes there, mentioning you as the
> original author.

Hello, no problem as I said it is copyleft. Where's the Qubes Community
repository?

> I'd like to use grub as payload but without using encrypted boot as I
> am afraid to damage my production Qubes environment and losing time
> fixing it.
>
> What do I need to do, if I would like to just use Grub and leave my
> boot untouched?
>
> As far as I understand the benefit of having Grub as payload is to be
> able to encrypt /boot.
> Does this mean than include that it makes no sense to run Grub instead
> of SeaBIOS without having boot encrypted?
>
> [799]

The advantage of using SeaBIOS is that it should be able to launch the
Grub on the original /boot partition which means that Grub config will
be updated with system updates and that boot options can be changed
without the need to re-flash. Also probably SeaBIOS does have more low
level configuration options similar to a vendor BIOS.

Honestly the process of encrypting /boot went far smoother than I
expected, it actually worked on the first try (even though I did a full
dd backup copy of the whole disk before and kept also a Grub entry to
boot the old way). All included it took less than a day for the
transition.

The other benefit apart from encrypting /boot is a faster boot process
I'd say and maybe a little more security: don't know if it's possible
for SeaBIOS (probably yes) but I configured Grub to ask for a user and
password for every non standard option in the menu (ex: modifying an
entry or using the command line), this way it should be very difficult
to boot an external media.




Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-06 Thread 799
Hello Giulio,

G wrote on Tue., 27 March 2018, 21:35:

> On 2018-03-27 18:10, G wrote:
> > Hello,
> > since it took a while for me to sum up all pieces and a lot of trial
> > and error to get the whole setup working I took some notes to help
> > others who want to try something similar.
> > Please note that everything written there is public domain (so
> > copy-edit-whatever).
> >
> > https://git.lsd.cat/g/thinkad-coreboot-qubes


As mentioned I have also drafted a how-to to setup Coreboot on a X230,
including building the pi, flashrom and extracting Blobs.

My how-to is located in the Qubes Community docs.
While I need to fill in some small gaps how to put the hardware parts
together, all the other stuff is covered including extracting Blobs and
vga.rom.

The how-to is located here:
https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230.md

The coreboot config I have used is here:
https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230-configfile

I wrote the how-to as I need to look at several places to get everything
together for example how to extract Blobs, how to merge two bios files into
one etc.
Having everything in one place is nice for a newbie if he owns exactly the
same model/x230.

I am interested in getting the best out of both worlds (Coreboot + Qubes).
It seems that your approach (using GRUB) offers some benefits vs. using
SeaBIOS as the boot partition can so be encrypted.

Are there issues going this way? For example breaking the future upgrade
ability ?

It seems to me that if I run Coreboot with grub + encrypted boot, there is
no need to run anti evil maid, as the boot partition can't be messed with.

Is this correct?

[799]



Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-05 Thread 799
Hello,

G wrote on Tue., 27 March 2018, 20:10:

>
> since it took a while for me to sum up all pieces and a lot of trial and
> error to get the whole setup working I took some notes to help others who
> want to try something similar.
> Please note that everything written there is public domain (so
> copy-edit-whatever).
>
> https://git.lsd.cat/g/thinpkad-coreboot-qubes
> 


Nice how-to, I'm currently writing something similar for my X230.

Would you mind adding your howto to the Qubes Community doc repository,
which we've established to work on howtos and docs until they're easy to be
migrated to the official Qubes Docs.
If you agree, I can also add your notes there, mentioning you as the
original author.

> I did it today in a hurry so any feedback, modification or contribution
> is welcome.


I'd like to use grub as payload but without using encrypted boot as I am
afraid to damage my production Qubes environment and losing time fixing it.

What do I need to do, if I would like to just use Grub and leave my boot
untouched?

As far as I understand the benefit of having Grub as payload is to be able
to encrypt /boot.
Does this mean than include that it makes no sense to run Grub instead of
SeaBIOS without having boot encrypted?

[799]



Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-03-29 Thread taii...@gmx.com
G as in g-money? hehe just had to say that.

The ME is capable of presenting a fake "softTPM" software based TPM but
in this case I doubt that is what the X220 has - and there is no reason
as to why a TPM shouldn't work with a cleaned ME as it doesn't involve
the ME it communicates directly on the LPC bus.
I also must note for everyone that it is impossible to disable ME - the
ME_Cleaner software and the HAP bit do not disable ME the kernel does in
fact run before it shuts off via HAP which is plenty of time to perform
a litany of dirty tricks - that is if you trust ME saying that it is
shutting down (there is no way to verify this without million dollar
equipment) a truly disabled ME could have its CPU physically
disconnected and the platform not work or at the least be able to
function without the ME blob without shutting off after 30 minutes which
will happen even with the HAP bit.

Of course I must mention that TXT is an intel gimmick that isn't
actually required to have an effective AEM setup, it just means that
with it you can slightly change kernel bios etc and not have to re-seal
which isn't at all necessary.

I suggest posting on the coreboot ML to inquire as to why it isn't
working - the aptitude level there is higher and someone will probably
be able to assist.



Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-03-29 Thread taii...@gmx.com
On 03/27/2018 02:10 PM, G wrote:

> Hello,
> since it took a while for me to sum up all pieces and a lot of trial
> and error to get the whole setup working I took some notes to help
> others who want to try something similar.
> Please note that everything written there is public domain (so
> copy-edit-whatever).
>
> https://git.lsd.cat/g/thinkad-coreboot-qubes
>
> I did it today in a hurry so any feedback, modification or
> contribution is welcome.
- Forgot microcode updates very important in general especially with the
latest spectre stuff.
- My fan control works fine
- Don't recommend the use of a comparatively expensive non-free RPI from
the evil RPI foundation use a USB CH341A instead for $5

If you want to shut off expresscard you can use "off" in the
devicetree.cb but I see no reason to - IOMMU would prevent any issues.



Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-03-28 Thread G

On 2018-03-28 12:14, G wrote:

> You're right. So the no ME no TPM rule probably applies only when using
> the stock bios. I just noticed coreboot recently pushed a commit
> fixing a problem in TPM activation
> https://github.com/coreboot/coreboot/commit/676887d2e2e474f70a8ebb1b6065f71e4e81001d
> maybe that's the issue with my x220. I'm rebuilding my rom to check if
> something changes with that commit, I'll give an update soon.
>
> Giulio

I just flashed the latest commit: still no luck. By checking the source
code I think that the init_tpm() function is actually being called:

From file coreboot/src/northbridge/intel/sandybridge/romstage.c (lines 120-122):

    if (IS_ENABLED(CONFIG_LPC_TPM)) {
        init_tpm(s3resume);
    }

From my config:

    CONFIG_LPC_TPM=y
    CONFIG_NORTHBRIDGE_INTEL_SANDYBRIDGE=y

I think I'll try opening an issue in coreboot about this.



Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-03-28 Thread G

On 2018-03-28 11:42, 'awokd' via qubes-users wrote:

> On Wed, March 28, 2018 8:13 am, G wrote:
>
> > I looked into adding a secondary TPM, maybe in the ExpressCard slot but
> > it looks like no such piece of hardware exists. Or maybe there's a way to
> > use the integrated TPM without the Intel ME but I don't have the skills to
> > research in that direction.
>
> It looks like they are cleaning ME and still using the TPM?
> http://osresearch.net/Installing-Heads

You're right. So the no ME no TPM rule probably applies only when using
the stock bios. I just noticed coreboot recently pushed a commit fixing
a problem in TPM activation
https://github.com/coreboot/coreboot/commit/676887d2e2e474f70a8ebb1b6065f71e4e81001d
maybe that's the issue with my x220. I'm rebuilding my rom to check if
something changes with that commit, I'll give an update soon.


Giulio



Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-03-28 Thread 'awokd' via qubes-users
On Wed, March 28, 2018 8:13 am, G wrote:

>
> I looked into adding a secondary TPM, maybe in the ExpressCard slot but
> it looks like no such piece of hardware exists. Or maybe there's a way to
> use the integrated TPM without the Intel ME but I don't have the skills to
> research in that direction.

It looks like they are cleaning ME and still using the TPM?
http://osresearch.net/Installing-Heads




Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-03-28 Thread G

On 2018-03-27 22:17, awokd wrote:

> PS Have you seen Heads? http://osresearch.net/

Nope I didn't know it. By the overview it looks like a very good idea
but I have yet to understand all the details.
Still the problem is that currently one has to choose between keeping
the Intel ME active or have a working TPM.

I tried starting a discussion on the tradeoffs of both
https://groups.google.com/forum/#!topic/qubes-users/JEEaDRZpnpA and as
other users pointed out, while it still depends on your threat model,
the Intel ME poses a potential remote threat while the TPM should help
notice a physical attack (given coreboot is flashed with write
protection).

I looked into adding a secondary TPM, maybe in the ExpressCard slot but
it looks like no such piece of hardware exists. Or maybe there's a way to
use the integrated TPM without the Intel ME but I don't have the skills
to research in that direction.




Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-03-27 Thread 'awokd' via qubes-users
On Tue, March 27, 2018 7:35 pm, G wrote:
> On 2018-03-27 18:10, G wrote:
>
>> Hello,
>> since it took a while for me to sum up all pieces and a lot of trial and
>> error to get the whole setup working I took some notes to help others who
>> want to try something similar. Please note that everything written there
>> is public domain (so copy-edit-whatever).
>>
>> https://git.lsd.cat/g/thinkad-coreboot-qubes
>>
>>
>> I did it today in a hurry so any feedback, modification or
>> contribution is welcome.
>>
>>
>> Giulio
>>
>
> There's a typo in the url: should be
> https://git.lsd.cat/g/thinkpad-coreboot-qubes

Nice write up, and congratulations! I was pretty happy to get Coreboot
running on my system too.

PS Have you seen Heads? http://osresearch.net/




Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-03-27 Thread G

On 2018-03-27 18:10, G wrote:

> Hello,
> since it took a while for me to sum up all pieces and a lot of trial
> and error to get the whole setup working I took some notes to help
> others who want to try something similar.
> Please note that everything written there is public domain (so
> copy-edit-whatever).
>
> https://git.lsd.cat/g/thinkad-coreboot-qubes
>
> I did it today in a hurry so any feedback, modification or
> contribution is welcome.
>
>
> Giulio

There's a typo in the url: should be
https://git.lsd.cat/g/thinkpad-coreboot-qubes



[qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-03-27 Thread G

Hello,
since it took a while for me to sum up all pieces and a lot of trial and
error to get the whole setup working I took some notes to help others who
want to try something similar.
Please note that everything written there is public domain (so 
copy-edit-whatever).


https://git.lsd.cat/g/thinkad-coreboot-qubes

I did it today in a hurry so any feedback, modification or contribution 
is welcome.



Giulio
