Re: [qubes-users] Re: Qubes 3.2 dnsmasq update?

2017-10-08 Thread Ron Hunter-Duvar

On 10/08/2017 07:27 AM, Ron Hunter-Duvar wrote:

> On October 7, 2017 10:43:55 PM MDT, Reg Tiangha wrote:
>
>> On 2017-10-07 1:19 PM, Ron Hunter-Duvar wrote:
>>
>>> ...
>>
>> It's weird, but it seems like every distro *but* Fedora has released an
>> updated version or version with a backported fix. Even Red Hat
>> Enterprise has done it. I don't know what the hold up is, but it'll be a
>> package with a backported fix and currently it's set to be 2.76.4 (or
>> greater if more bugs are found).
>>
>> https://bodhi.fedoraproject.org/updates/FEDORA-2017-515264ae24
>
> One of the reasons I like Debian so much is the priority they put on security.
> That, and stability. You may not get all the latest shiny stuff, at least not
> in stable, but you know it will be rock solid.
>
> Tried fedora several times in the past, and always went to something else
> instead.
>
> Ron


Not really the place for this probably (dev list might be better), but I 
wonder if the devs ever considered basing dom0 on Alpine Linux. Running 
a lightweight and secure Xen dom0 is one of its intended uses 
(https://wiki.alpinelinux.org/wiki/Xen_Dom0).


Hmm, I wonder what it would take to do a variant of Qubes with Alpine 
running dom0 and Debian for everything else.


Ron

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6ead09b3-c3d0-e402-c10a-6548504d918a%40shaw.ca.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] kswapd0 using 100% CPU with not even a MB swap in use

2017-10-08 Thread Ron Hunter-Duvar

On 10/07/2017 04:29 AM, Holger Levsen wrote:

> Hi,
>
> so kswapd0 is using 100% CPU in one of my Qubes and this makes the fan spin
> and noisy… and that Qube is hardly using any swap at all:
>
> $ free
>               total        used        free      shared  buff/cache   available
> Mem:        1888212      776484      640712       70296      471016     1031616
> Swap:       1048572         716     1047856
>
> So I ran "sudo swapoff -a" (and "sudo swapon -a") and now zero swap is used but
> kswapd0 is still busy swapping(?) and the fan is noisy and I wonder what to do…
>
> Any hints / ideas?
>
> (I know I could shut down the VM and restart it but I hope there's a better
> solution / workaround.)



Two questions:
1. What's that Qube doing?
2. What's its max memory?

Just speculating, but if a Qube hits the max memory it's allowed by the 
dom0, would it start swapping, even if there was lots of memory 
available on the machine?


Ron



Re: AW: Re: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?

2017-10-08 Thread taii...@gmx.com

On 10/08/2017 06:44 AM, One7two99 wrote:


> Hello Taiidan,
>
>>> There isn't any reason to buy purism's faux
>>> libre laptops instead of say
>>> a Lenovo G505S ...
>
> I don't understand why this topic is often discussed too emotionally.
> As far as I know the G505s is a big laptop (15inch?) which seems also located at the
> entry class (compared to the "Thinkpad class").

The performance is about the same as an ivy bridge class laptop (X230),
the downsides being the build quality is not as good and there is no
dock or second battery option.

> Don't get me wrong I think most "older" are perfectly fine, that's why I am
> suggesting looking at a x230 or similar.
> A good thing with Purism Laptop line is, that it shows that there is a market for laptops
> that seem to look like they are more "free" than others - if the company fools
> people here, you are right this is bad - but this is also a chance for others to make it
> better.
> More competition is always good :-)

If it was a bigger market I would agree with you, however in such a
small market they simply suck resources from better projects.

> And maybe some users just want to buy a new "shiny" machine and not a 4y old
> laptop.

Then they should buy a dell

> Maybe even for the "strange" reason that it just looks more sexy or that they
> need certain interfaces, a specific display resolution ... Whatever.
> Looking at my company it would not be possible to buy a used machine without
> hardware replacement as all laptops are covered with on-site service.
> That's why I'm using the X230 as BYOD device.
>
>>> which is actually owner controlled (open
>>> source hw init coreboot), supports qubes
>>> 4.0 and doesn't have a black box supervisor
>>> processor (ME/PSP)
>
> If I understand you correctly you're saying that the blob which contains Intel
> AMT/ME is not modified in Purism's laptop line?

It is modified by me_cleaner but as I said before one can do this on
pretty much any laptop without boot guard (or cross vendor cpu swap to
disable BG) and save the additional thousand dollars you would have
spent on a purism laptop over a dell (I like dell because of the
"ProSupport" US tech support option on their business lines) -
additionally if Intel had a backdoor in ME they would include it in FSP
as well making purism's "coreboot" quite pointless


me cleaner only would affect generic ME exploits not the hypothetical
intel backdoor which could easily be included in the initial modules,
hardware mask ROM or hidden EEPROM.

> As far as I know it is possible (at least for the laptop I am using and also
> others) to use ME_cleaner which will cripple the AMT Blob so that the risk that
> anything bad is running there is reduced.

Yeah I did it on my X230 and it works great, but me is simply nerfed not
disabled - a laptop without it is much better.

> Take a look at this post:
> https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops/
>
> "(...) Of those 23 modules, 21 modules are completely removed from the ME partition,
> and we leave only 2 modules: ROMP and BUP. The ROMP module is a “ROM bypass” module which
> is used to bypass the ROM initialization code and it’s less than 1KB of code, used to
> load the BUP module and execute it. The BUP module is a 116KB module which is used to
> initialize the ME hardware. (...)"
>
> So this would still be a (bit more) reasonable secure laptop.

Of course, but at that point you might as well just skip the middleman
and go buy a laptop from a chinese whitebox seller like they did - then
run ME cleaner yourself (and donate the money you saved to the people
who made me_cleaner)




Re: [qubes-users] kswapd0 using 100% CPU with not even a MB swap in use

2017-10-08 Thread Marek Marczykowski-Górecki

On Sun, Oct 08, 2017 at 01:34:56PM -0400, Chris Laprise wrote:
> On 10/08/2017 08:18 AM, Marek Marczykowski-Górecki wrote:
> > On Sat, Oct 07, 2017 at 10:29:11AM +, Holger Levsen wrote:
> > > Hi,
> > > 
> > > so kswapd0 is using 100% CPU in one of my Qubes and this makes the fan spin
> > > and noisy… and that Qube is hardly using any swap at all:
> > > 
> > > $ free
> > >               total        used        free      shared  buff/cache   available
> > > Mem:        1888212      776484      640712       70296      471016     1031616
> > > Swap:       1048572         716     1047856
> > > 
> > > So I ran "sudo swapoff -a" (and "sudo swapon -a") and now zero swap is used but
> > > kswapd0 is still busy swapping(?) and the fan is noisy and I wonder what to do…
> > > 
> > > Any hints / ideas?
> > I've seen this some time ago and `echo 3 > /proc/sys/vm/drop_caches`
> > helped. No idea why it is spinning...
> > 
> 
> What VM kernel are you using? I saw a great reduction in this problem when I
> upgraded to the latest 4.9 kernels; currently using 4.9.45-21 and the
> problem isn't reappearing.

Indeed on 4.9.45-21 kernel it happens much rarer than on 4.4.x, but still
happens sometimes...

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


[qubes-users] 4.0-rc1 error console/logs when app won't start?

2017-10-08 Thread rbondi
TLDNR: `grep "" /var/log/* | less` has no info, where 
else should I look?

What I did: 
- installed the latest chrome  in the template for sys-fedora25
> In sys-firewall itself, that made Chrome show up in Settings > Applications, 
> so:
-  I pushed it over
> Now a menu item for Chrome shows up, sys-firewall:Google Chrome
- When I select sys-firewall > sys-firewall:Google Chrome, nothing happens
  - sys-firewall:Firefox still works fine

Where can I look to see what errors are causing Google Chrome to not launch?

I'm using:
- 4.0-rc1 
- Librem 13 version 2
- fedora25

TMIA, |r:b:



Re: [qubes-users] Mac-Spoofing Doesn’t Work

2017-10-08 Thread Chris Laprise

On 10/08/2017 05:34 AM, Sean Hunter wrote:

> On Fri, Oct 06, 2017 at 11:55:04PM -0400, Chris Laprise wrote:
>
>> On 10/06/2017 11:26 PM, Person wrote:
>>
>>> Cloning VMs is quite troublesome right now, so it is hard to update Fedora and
>>> Debian in order to use NetworkManager.
>>
>> You can easily install the Fedora 25 template that should already have the
>> correct version of NM:
>>
>> $ sudo qubes-dom0-update qubes-template-fedora-25
>
> Yup confirmed here - I've just tried turning on mac spoofing using the NetworkManager instructions and the fedora-25
> template in 4.0rc1 and spoofs the mac address on sys-net fine for me.  One thing is it seems it is now preferred to use
> "wifi.assigned-mac-address" etc rather than "wifi.cloned-mac-address".
> "cloned-mac-address" is deprecated.  I found this on the "nm-settings" manpage.

It seems that way on the man page, but the way it was explained to me on 
NM mailing list is that page is for the dbus NM interface and 
cloned-mac-address is deprecated there but it is still what they expect 
you to use in the config file. There was no page that fully explained 
the possible values for the config file itself.

> My internal qubes still seem to have pretty standard Xen mac addrs (not that it
> matters).  I'm guessing I'm not actually running Networkmanager on them.

The internal MAC addresses shouldn't matter.

> Sean



--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] kswapd0 using 100% CPU with not even a MB swap in use

2017-10-08 Thread Chris Laprise

On 10/08/2017 08:18 AM, Marek Marczykowski-Górecki wrote:

> On Sat, Oct 07, 2017 at 10:29:11AM +, Holger Levsen wrote:
>
>> Hi,
>>
>> so kswapd0 is using 100% CPU in one of my Qubes and this makes the fan spin
>> and noisy… and that Qube is hardly using any swap at all:
>>
>> $ free
>>               total        used        free      shared  buff/cache   available
>> Mem:        1888212      776484      640712       70296      471016     1031616
>> Swap:       1048572         716     1047856
>>
>> So I ran "sudo swapoff -a" (and "sudo swapon -a") and now zero swap is used but
>> kswapd0 is still busy swapping(?) and the fan is noisy and I wonder what to do…
>>
>> Any hints / ideas?
>
> I've seen this some time ago and `echo 3 > /proc/sys/vm/drop_caches`
> helped. No idea why it is spinning...



What VM kernel are you using? I saw a great reduction in this problem 
when I upgraded to the latest 4.9 kernels; currently using 4.9.45-21 and 
the problem isn't reappearing.


--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



[qubes-users] Re: USB error

2017-10-08 Thread cooloutac
On Sunday, October 1, 2017 at 6:09:41 AM UTC-4, dr.giz.jd wrote:
> hi 
> 
> I am having a usb qube issue, I keep getting an error message when trying to 
> start the qube
> 
> Erro starting VM ‘sys-usb’: Requested operation is not valid: PCI device 
> :00: 14.0 is in use by driver xenlight, domain sys-usb
> 
> I had this issues start after something crashed on the usb, but i am still 
> getting the same error after a fresh install of qubes 3.2 I have updated dom0 
> to all latest updates. But I am fairly new to qubes and this has me stumped 
> anyone got any suggestions please.

make sure the controller is not assigned to more than one vm. 
info maybe in /var/log/libvirt/libxl/sys-usb.log  

you can try qvm-pci -s sys-usb pci_strictreset false   and reboot machine.



Re: [qubes-users] Fedora25 fails updates unless I reboot the machine 9.13.17

2017-10-08 Thread cooloutac
On Thursday, October 5, 2017 at 9:38:50 AM UTC-4, Bill Wether wrote:
> On my thinkpad 430, I fix this by setting sys-firewall's netvm to 'none', 
> restarting sys-net, and setting it back. Works every time so far. 
> 
> Cheers
> 
> BillW

what about just removing the sys-net and recreating it.



[qubes-users] Re: Installation "Couldn't obtain the File System Protocol Interface."

2017-10-08 Thread cooloutac
On Saturday, September 23, 2017 at 8:53:09 PM UTC-4, janchristop...@gmail.com wrote:
> Hey folks,
> 
> currently trying to install QubesOS 3.2 from USB which I created using rufus.
> After booting the installation medium, I get the message "Couldn't obtain the 
> File System Protocol Interface." 
> Then I am returned to the Menu of the installation medium, after which 
> selecting any option just refreshes the menu.
> 
> Using a MSI B250M Mortar, set the boot option to "UEFI + Legacy" (the only 
> other option being "UEFI").
> 
> Anyone with similar struggles or suggestions?
> 
> Cheers

I don't know if this is related at all,  but I had the same exact message in 
windows 10 recently.   Turned out to be the usb wire. 



Re: [qubes-users] Re: Qubes 3.2 dnsmasq update?

2017-10-08 Thread Ron Hunter-Duvar
On October 7, 2017 10:43:55 PM MDT, Reg Tiangha wrote:
>On 2017-10-07 1:19 PM, Ron Hunter-Duvar wrote:
>
>> Well, I did all this, and confirmed that the sys-* servicevms are all
>> using Fedora 25, but it still has dnsmasq version 2.76. According to
>> US-CERT, 2.78 is needed to get the vulnerability fixes. Which concerns
>> me, given the length of time that the exploit code has been public.
>> Surprises me too, since Debian had it out in a matter of hours.
>> 
>> However, it's not running in any of these, nor in dom0. Should I just
>> uninstall it?
>> 
>> Thanks,
>> Ron
>> 
>
>It's weird, but it seems like every distro *but* Fedora has released an
>updated version or version with a backported fix. Even Red Hat
>Enterprise has done it. I don't know what the hold up is, but it'll be a
>package with a backported fix and currently it's set to be 2.76.4 (or
>greater if more bugs are found).
>
>https://bodhi.fedoraproject.org/updates/FEDORA-2017-515264ae24

One of the reasons I like Debian so much is the priority they put on security. 
That, and stability. You may not get all the latest shiny stuff, at least not 
in stable, but you know it will be rock solid.

Tried fedora several times in the past, and always went to something else 
instead.

Ron




Re: [qubes-users] kswapd0 using 100% CPU with not even a MB swap in use

2017-10-08 Thread Marek Marczykowski-Górecki

On Sat, Oct 07, 2017 at 10:29:11AM +, Holger Levsen wrote:
> Hi,
> 
> so kswapd0 is using 100% CPU in one of my Qubes and this makes the fan spin
> and noisy… and that Qube is hardly using any swap at all:
> 
> $ free
>               total        used        free      shared  buff/cache   available
> Mem:        1888212      776484      640712       70296      471016     1031616
> Swap:       1048572         716     1047856
> 
> So I ran "sudo swapoff -a" (and "sudo swapon -a") and now zero swap is used but
> kswapd0 is still busy swapping(?) and the fan is noisy and I wonder what to do…
> 
> Any hints / ideas?

I've seen this some time ago and `echo 3 > /proc/sys/vm/drop_caches`
helped. No idea why it is spinning...

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


AW: Re: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?

2017-10-08 Thread 'One7two99' via qubes-users
Hello Taiidan,

>> There isn't any reason to buy purism's faux
>> libre laptops instead of say
>> a Lenovo G505S ...

I don't understand why this topic is often discussed too emotionally.
As far as I know the G505s is a big laptop (15inch?) which seems also located 
at the entry class (compared to the "Thinkpad class").
Don't get me wrong I think most "older" are perfectly fine, that's why I am 
suggesting looking at a x230 or similar.
A good thing with Purism Laptop line is, that it shows that there is a market 
for laptops that seem to look like they are more "free" than others - if the 
company fools people here, you are right this is bad - but this is also a 
chance for others to make it better.
More competition is always good :-)

And maybe some users just want to buy a new "shiny" machine and not a 4y old 
laptop.
Maybe even for the "strange" reason that it just looks more sexy or that they 
need certain interfaces, a specific display resolution ... Whatever.
Looking at my company it would not be possible to buy a used machine without 
hardware replacement as all laptops are covered with on-site service.
That's why I'm using the X230 as BYOD device.

>> which is actually owner controlled (open
>> source hw init coreboot), supports qubes
>> 4.0 and doesn't have a black box supervisor
>> processor (ME/PSP)

If I understand you correctly you're saying that the blob which contains Intel 
AMT/ME is not modified in Purism's laptop line?
As far as I know it is possible (at least for the laptop I am using and also 
others) to use ME_cleaner which will cripple the AMT Blob so that the risk that 
anything bad is running there is reduced.

Take a look at this post:
https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops/

"(...) Of those 23 modules, 21 modules are completely removed from the ME 
partition, and we leave only 2 modules: ROMP and BUP. The ROMP module is a “ROM 
bypass” module which is used to bypass the ROM initialization code and it’s 
less than 1KB of code, used to load the BUP module and execute it. The BUP 
module is a 116KB module which is used to initialize the ME hardware. (...)"

So this would still be a (bit more) reasonable secure laptop.



Re: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?

2017-10-08 Thread taii...@gmx.com

On 10/08/2017 05:24 AM, Sean Hunter wrote:


> On Sat, Oct 07, 2017 at 05:01:37PM -0400, taii...@gmx.com wrote:
>
>> https://www.reddit.com/r/linux/comments/3anjgm/on_the_librem_laptop_purism_doesnt_believe_in/
>> Purism is a scam, don't buy from them - their laptops are as owner
>> controlled and freedom respecting as a dell - their version of coreboot is a
>> wrapper layer with all the hardware init done by a black box binary blob so
>> it is worthless.
>
> I see that reddit post from 2 years ago referred to a lot, and I know this is
> (for some reason) a very emotional topic.  However it doesn't seem to
> correspond to what I see when I dig under the surface, which is the purism guys
> merging changes into coreboot (eg
> https://review.coreboot.org/#/q/status:mergbranch:master
> topic:purism/librem13ed+project:coreboot+purism) and what I see on my own
> laptop, which is that it is SeaBios + coreboot .  I doubt it is perfect, but it
> is way better than a Dell.
>
> If I look at https://puri.sm/faq/do-librem-devices-support-coreboot/ it says
> that 13v2 and 15v3 (what I have) come with coreboot pre-installed and for
> earlier versions they have instructions to update to coreboot.
>
> Sean

You seem to not have noticed the second half of my email, or read the 
entirety of that threads topic post.


Their "coreboot" is simply a wrapper layer that performs no hardware 
init - everything is done by Intel's FSP binary blob making it pointless 
to have as all you do is move trust from vendor (quanta) to OEM (intel) 
- the whole point of coreboot is to avoid an OEM backdoor which this 
doesn't do so you are paying twice as much as dell for no real reason 
and supporting a company that has dishonest advertising.


It is as you say "an emotional topic" because not only do they steal 
money and fame from vendors that sell real libre hardware but they also 
have shills everywhere to put down their technically superior 
competitors and put pressure on the FSF to loosen the RYF standards.


There isn't any reason to buy purism's faux libre laptops instead of say 
a Lenovo G505S, which is actually owner controlled (open source hw init 
coreboot), supports qubes 4.0 and doesn't have a black box supervisor 
processor (ME/PSP)



If google can't convince intel to open source ME and FSP then no one can.
