Re: [qubes-users] Re: Broadcom wireless driver issue.

[Ivan Ivanov]

> I got close to quitting Qubes since I was not able to get the wifi working 
> properly but everything is working great right now.

Glad for you ;-) Although the proper solution is to get rid of
Broadcom in favor of something better (like Atheros ath9k), also for
the security reasons...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFA1v_ryv3zMFAk%2B-vHrt%2B7kA7NyH5RX_pSubAh3EuvsPg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] g505s BIOS settings for installing 4.0.1

[Ivan Ivanov]

On 25 Feb 2019 23:44, taii...@gmx.com  wrote:
>
> On 01/10/2019 10:27 AM, cyber.citi...@tutanota.com wrote:
> > Hello everyone,
> >
> > I'd like to install Qubes 4.0.1 on a g505s, but the installation routine is 
> > telling me that IOMMU/Vt-d/AMD-Vi, and Interrupt Remapping are not 
> > available. I've tried every possible combination of BIOS settings I can 
> > imagine (such as enabling SVM support and toggling between Legacy boot and 
> > UEFI boot), but nothing is working. I've seen a lot of posts on this 
> > discussion forum saying that the g505s is compatable with Qubes 4.0, so I'm 
> > confused. Might someone toss me a clue?
> >
> > Thank you.
> >
>
> You need to install coreboot and MAKE SURE that you have included the
> microcode updates otherwise it won't work and you will have no security.
>
> The issue is a lack of microcode updates without them IOMMU won't work,
> this has been posted many times before FYI.
>

Yes, indeed. For convenience, the instructions about how to easily
patch the coreboot with the latest microcodes before building it for
G505S - are available at "G505S hacking" page from DangerousPrototypes
wiki - http://dangerousprototypes.com/docs/Lenovo_G505S_hacking . By
the way Mike updated it recently so I encourage you to take a look and
maybe contribute if you have something to add.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFDs6v25udXy0Q9kkYpXvE9dnZCu%2Bna64taG83RQS3vuRA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Broadcom wireless driver issue.

[Ivan Ivanov]

22 Feb 2019 at 20:11,  wrote:
>
> I have the same wireless chipset BCM4331 and just got it working.
>

Thank you for sharing your solution. Hope you understand that Broadcom
chips require the closed source binaries at firmware/drivers which
could contain the backdoors - and that is why they are not working
out-of-the-box (because this closed source stuff is a potential
security risk it is rarely preinstalled at distros). Personally I
think you should try your best to switch to a better card, e.g.
something from Atheros ath9k family - they are working with both open
source drivers and firmware , and there are good cards like AR9462
which support 2.4GHz/5GHz and 300Mbps

Best regards,
qmastery

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFDBiCFypwHBmswRVk9ksPcE_%3D8kdjnMoNLAbWJO0iOhig%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Lenovo G505S Coreboot

[Ivan Ivanov]

Alternatively, it could be that NDA is required not exactly to get
these updated microcode files for our a-bit-old CPUs, but to
understand - against what vulnerabilities these microcodes are trying
to give the protection. Maybe there are some secret release notes that
usually come with these microcodes to the OEMs. If you would look at
the commit message which came with 15h/17h files, you would not notice
any mention of the vulnerabilities and spectre - or any other mention
of what has been changed or improved. Its "just an update" -
https://marc.info/?l=linux-kernel=152651230014241=2 . More
messages from this author -
https://marc.info/?a=13724479713=1=2

Best regards,
Ivan

2018-05-22 15:34 GMT+03:00 Ivan Ivanov <qmaster...@gmail.com>:
> I think: at the moment, the only possible way to become confident that
> a new 15h microcode at linux-firmware.git is the same (or at least
> close to being the same) as being offered to us under an NDA, without
> signing this NDA, is to install this microcode to your coreboot and
> then run some tests to see the degree of vulnerability to the various
> spectres. Also, that AMD person has uploaded only 15h and 17h -
> meanwhile, there are some nice desktop coreboot-supported 16h boards
> like ASUS AM1I-A (they are early-16h so they do not have PSP backdoor,
> only late-16h has), and these 16h boards are still vulnerable. I will
> try to contact to "remind" about 16h. Maybe they don't share the
> microcodes publicly until they have fully tested them, and NDA is a
> way for OEMs to get the not-publicly-released-yet microcodes to test
> on their hardware. It could be that AMD's guidelines require fully
> testing a new microcode at all the compatible platforms before
> releasing it publicly even if its just a matter of setting a few bits
> - to make sure that all the other functions are still working
> correctly
>
> Best regards,
> Ivan
>
> 2018-05-22 8:19 GMT+03:00 taii...@gmx.com <taii...@gmx.com>:
>> *ML thread reply*
>> Hey guys you can install the latest microcode now from linux-firmware,
>> no NDA or w/e I believe this is the latest version.
>> See my thread on the coreboot ML for more info.
>>
>> Remember folks the G505S has a piledriver cpu and thus it NEEDS a
>> microcode update to have IOMMU (and thus work for V4) and be secure due
>> to various exploits.
>>
>> before:
>> microcode: CPU0 patch_level=0x0600084f
>>
>> after:
>> microcode: CPU0: new patch_level=0x06000852
>>
>> I think this is the latest version but I don't know for sure.
>>
>> --
>> You received this message because you are subscribed to a topic in the 
>> Google Groups "qubes-users" group.
>> To unsubscribe from this topic, visit 
>> https://groups.google.com/d/topic/qubes-users/WEppbuqRpfY/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to 
>> qubes-users+unsubscr...@googlegroups.com.
>> To post to this group, send email to qubes-users@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/qubes-users/e14e74a7-044f-41c2-0dad-90438aacc1cf%40gmx.com.
>> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFD7KPUiVOBJFCgN2JprZ1oB2Yr2CPh4Z3bkLcrynqRFgA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Lenovo G505S Coreboot

[Ivan Ivanov]

I think: at the moment, the only possible way to become confident that
a new 15h microcode at linux-firmware.git is the same (or at least
close to being the same) as being offered to us under an NDA, without
signing this NDA, is to install this microcode to your coreboot and
then run some tests to see the degree of vulnerability to the various
spectres. Also, that AMD person has uploaded only 15h and 17h -
meanwhile, there are some nice desktop coreboot-supported 16h boards
like ASUS AM1I-A (they are early-16h so they do not have PSP backdoor,
only late-16h has), and these 16h boards are still vulnerable. I will
try to contact to "remind" about 16h. Maybe they don't share the
microcodes publicly until they have fully tested them, and NDA is a
way for OEMs to get the not-publicly-released-yet microcodes to test
on their hardware. It could be that AMD's guidelines require fully
testing a new microcode at all the compatible platforms before
releasing it publicly even if its just a matter of setting a few bits
- to make sure that all the other functions are still working
correctly

Best regards,
Ivan

2018-05-22 8:19 GMT+03:00 taii...@gmx.com :
> *ML thread reply*
> Hey guys you can install the latest microcode now from linux-firmware,
> no NDA or w/e I believe this is the latest version.
> See my thread on the coreboot ML for more info.
>
> Remember folks the G505S has a piledriver cpu and thus it NEEDS a
> microcode update to have IOMMU (and thus work for V4) and be secure due
> to various exploits.
>
> before:
> microcode: CPU0 patch_level=0x0600084f
>
> after:
> microcode: CPU0: new patch_level=0x06000852
>
> I think this is the latest version but I don't know for sure.
>
> --
> You received this message because you are subscribed to a topic in the Google 
> Groups "qubes-users" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/qubes-users/WEppbuqRpfY/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to 
> qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-users/e14e74a7-044f-41c2-0dad-90438aacc1cf%40gmx.com.
> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFB-Y8ZWHzwb0tq-KT3qFEJD%3DxfWWhP4oEMxyZKCwBxXNg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Lenovo G505S Coreboot

[Ivan Ivanov]

These microcodes from platomav are not new enough to have spectre v2
fixed at them! We are in the process of requesting an updated
microcodes from AMD, and there is already some progress: we have been
offered the updated microcodes with spectre V2 fix under the NDA.
However, most likely this NDA requirement is only because of the Ryzen
microcodes and maybe the microcodes for the other CPUs with built-in
PSP Platform Secure Processor. We have asked AMD to offer us a smaller
set of the microcodes (for the older CPUs only) which will be possible
to obtain without signing the NDA, and we are currently waiting for
reply. It does not make sense to ask the NDA for the microcodes of
CPUs that are ~5 years old, also, the older microcodes could be found
as publicly shared at e.g. linux-firmware.git and nobody sent a DMCA
takedown regarding them , so most likely it means that both 15h and
16h microcodes, as well as some other older ones, should be possible
to obtain without any NDAs. We will keep you updated

Best regards,
Ivan Ivanov

2018-05-16 5:50 GMT+03:00 awokd <aw...@elude.in>:
> On Sat, May 12, 2018 7:58 pm, matthewwbradl...@gmail.com wrote:
>> On Saturday, May 12, 2018 at 3:38:31 PM UTC-4, mattheww...@gmail.com
>
>>> Does anybody know where I can find an up-to-date copy of the microcode
>>> for this laptop? The latest microcode images I've been able to find
>>> *anywhere* are
>>> https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd-ucode
>>> which according to the logs date back to 2016 and therefore can't
>>> possibly contain spectre mitigations for an A10-5750M CPU.
>>>
>>> Supposedly AMD has/will release mitigating microcode for family 15h but
>>> I don't think AMD has an equivalent to:
>>> https://downloadcenter.intel.com/download/27776/Linux-Processor-Microcode-Data-File
>>>
>>> Does AMD even announce when they release microcode for a particular
>>> family/CPU? Ideally they'd have a list of CPU->microcode.tar.gz but one
>>> can only dream I guess...
>>>
>>> The next step of course will be figuring out how to build coreboot to
>>> load the microcode image, but, one step at a time.
>>
>> EDIT:
>> https://web.archive.org/web/20160726141516/http://www.amd64.org:80/microcode.html
>> doesn't seem to have been up since 2016
>
> See below. There seems to be a way to do it if you edit the patch file
> directly into microcode_amd_fam15h.bin (but we might be getting off-topic
> for Qubes here).
>
> https://www.mail-archive.com/coreboot@coreboot.org/msg51496.html
>
>
>
>
>
> --
> You received this message because you are subscribed to a topic in the Google 
> Groups "qubes-users" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/qubes-users/WEppbuqRpfY/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to 
> qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-users/ae712ae15304863b9cb47190d8db7f13%40elude.in.
> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFBLbjznJZSOmexVGSKFCRMuE1fiHemCbitap9ZEvPEJ_g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Lenovo G505S Coreboot

[Ivan Ivanov]

Hi there Friend ! What 8 cells battery you have got, and from which seller?
It is either your battery needs a few power cycles to get to its' full
performance,
or maybe you have received a battery with the different power cells
(not SANYO) :
e.g. your original battery was SANYO but that new 8cells could be SMP ? :P

If you would look at the PDF Hardware Maintenance Manual for Lenovo G505S laptop
(easily found online, contains many FRU replacement parts
descriptions/IDs, useful)
you will see that - even for the official G505S batteries, there were
three manufacturers:
Sanyo, LG, SMP (Simplo). According to some tests, Sanyo are much
better than SMP/LG.

Please look at the attached picture - it contains a small review of
the battery cells (could be expanded)

my 8cells battery is Sanyo, and its almost twice longer battery life!
Mike result is ~1.5x longer,
but he haven't told me who made his cells, or I forgot what he has
replied to me and couldnt find.
Guess its a bit of a lottery... If your battery would not perform
better after a few power cycles,
you could try getting another 8 cells battery, preferably from another
seller - for a higher chance
that these batteries would be from the different batches with the
different internals - and we will see

However, if you would look through this guide above, there are some
more worthy investments:
in example, AR9462 wireless network adapter from ath9k family - does
not need the binary blobs,
runs on 100% open source and supports 2.4GHz/5GHz and even Bluetooth,
works fine even at the
Stallman-endorsed Linux distros. Ideally, batteries should be bought
after you have got everything else.
By the way, 2-3 times per year you could get 10-20% off AliExpress
coupons for a great real discount

Retyped table from the attached image (so that it will be searchable
through the Internet) :

Laptop batteries for | Model -- ___ | __ | Stated __| Max energy
capacity | Max energy capacity __| __|
G505S and other __| battery cells | ___| capacity | by design
__| after 3 months of _| __|
compatible Lenovo | manufacturer | Voltage | in mAh _| (as seen by
| heavy usage _| Rating |
laptops __|___| ___|_| Ubuntu Linux OS )
__| | __|
official Lenovo | L12S4E01 -- | 14.4V | 2900 mAh | 3.8 Wh
| 3.5 Wh (94% of design) | medium |
4 cells battery | SANYO
|__|__|___| |
battery |
(older revision)
|___|__|__||_|__|
official Lenovo | L12M4E01 -- | 14.88V | 2800 mAh | 3.8 Wh
| 3.1 Wh (81% of design) | bad__ |
4 cells battery | Simplo
_|___|__|___| |
battery |
(newer revision) | Technology
|___|__|___||___|
__| ( SMP )
___|__|__|||___|
8cells G505S battery | " Replace | 14.4V _| 5200 mAh | 6.3 Wh
| 6.1 Wh (96% of design) | the best |
by AliExpress seller _| L12L4A02,
|__|__|___| ___| battery
!_|
MX (HK) LTD -- _| L12L4E01,
|__|__|___|||
Ming Xuan | L12M4A02 "
|_|__|___||_|
__| -- SANYO
|__|__|___||_|

NOTE: battery model number is L12*4E01, where * letter means the
manufacturer of battery cells.
in L12S4E01 , S means SANYO, || in L12M4E01 , M means Simplo Technology ( SMP ),
in L12L4E01, L means LG chemicals || Older (official) batteries were
usually SANYO, newer
(official) batteries are usually SMP, sadly. My experience: SANYO
cells are the best performance

Best regards,
Ivan Ivanov aka qmastery

2018-04-04 4:53 GMT+03:00  <qubesthrowa...@gmail.com>:
> Among other suggestions, I added an 8-cell battery to my G505s.  What kind of 
> battery life are people getting with these?  Mine seems hardly better than 
> the OEM 4-cell.  Just wondering if I got a bum battery or if the improvement 
> isn't really that significant.
>
> Thanks again to everyone for helping me get my G505s up and going with 
> coreboot and for all the useful info on recommended upgrades here.
>
> --
> You received this message because you are subscribed to a topic in the Google 
> Groups "qubes-users" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/qubes-users/WEppbuqRpfY/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to 
> qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google

Re: [qubes-users] Re: Lenovo G505S Coreboot

[Ivan Ivanov]

Thank you very much for answering the qubesthrowaway's questions !
Regarding
> Some of us G505s users are putting together a page with tips on
Coreboot and Qubes, but I'm not sure where it will end up yet
- sorry for delay! we just got a bit distracted with KolibriOS driver stuff
(will be really awesome if that assembly network driver becomes a reality!),
in the same time we would like to
1) upgrade the LZMA libraries of coreboot/seabios - the currently used
ones are very very outdated
2) add paq8px compression support for putting even more useful stuff
to our small 4 MB BIOS chips
By the way it could be possible to upgrade a BIOS chip to 8 MB or even
to 16 MB ;-)
Asterysk has been trying to test this but accidentally damaged a
copper track on his motherboard,
so its going to take a while before we find out the answer to this question.
Ideally we'd like to stay at 4 MB, because if some of us would be
sitting at 8 MB / 16 MB
while everyone else is at 4 MB BIOS chips - that would result in
unnecessary fragmentation,
so more of our efforts should be going towards those "compression methods".
On average, paq8px is 25% better compression than LZMA used by coreboot/SeaBIOS,
but it is much slower - perhaps it is going to take about 3 minutes to
extract 1.44MB KolibriOS floppy
to boot it, although we have not tested this on bare metal (from
coreboot) yet - could be faster!
There are also some extra challenges, e.g. paq8px sources are C++ but
coreboot is C
and doesn't even have g++ in its' toolchains, so I'm unsure how to
merge them together.
And using a "random g++" provided by some distro does not guarantee
that this will be bootable.
Maybe you know a great way of how to put C++ code into coreboot and
make it compile?

Best regards,
Ivan Ivanov aka qmastery

2018-03-28 0:52 GMT+03:00 'awokd' via qubes-users
<qubes-users@googlegroups.com>:
> On Mon, March 26, 2018 6:36 am, qubesthrowa...@gmail.com wrote:
>
> Could you please trim emails when you reply? It was hard to find your
> questions in all that text!
>
>> Would it be a bad idea to run a PCIe SSD off of this instead of the WiFi
>> card?
>
> I'm not sure you could fit one in there, the hole is only big enough for
> half-height mini-PCIe cards.
>
>> Would 1866MHz @ CL10 be as good/better?
>
> Not sure on this one; Coreboot can be picky on memory timings. Might have
> to dig in to the source code to see if that is supported, if nobody else
> knows.
>
>> I just ordered a G505S and several of these upgrades and I'm excited to
>> try flashing coreboot and getting Qubes going on it.  Thanks for all the
>> tips/help.
>
> Welcome! Some of us G505s users are putting together a page with tips on
> Coreboot and Qubes, but I'm not sure where it will end up yet.
>
> --
> You received this message because you are subscribed to a topic in the Google 
> Groups "qubes-users" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/qubes-users/WEppbuqRpfY/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to 
> qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-users/e08ce7eb54c001a711c200acb10e0024.squirrel%40tt3j2x4k5ycaa5zt.onion.
> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFDF7J4kPHUbyZyo%3DM6QR19MW789x4Zqe2JJXPzji8XgWQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Intel ME Backdoor, called Odin's Eye

[Ivan Ivanov]

Yes, hopefully one day we would see more leaks, that could help us to
truly get rid of ME ;)
Meanwhile, perhaps the only thing we could do is to stockpile those
few computer models
that are both coreboot (or libreboot) supported and without Intel ME / AMD PSP

2018-01-07 20:01 GMT+00:00 haaber :
>> воскресенье, 7 января 2018 г., 18:14:26 UTC пользователь haaber написал:
 https://i.redditmedia.com/5mA7LrMiwgmmhrwfYF8Jks0WEng66fxWoCcGw33dhCA.jpg?w=597=339d919645f1de31a42913c748d1d7fb


 Summary:

 Intel Whistleblower leaks details about his role in backdooring all IME 
 chips on behalf of Intelligence Agencies.
>>> The post is unspecific. Of course ME is a problem: the allegations could
>>> be true or could be disinformation. "I know exactly" is an unplausible
>>> formulation for a backdooring engineer - it is almost surely a wrong ot
>>> statement if it was not himself who spied ...  To conclude: unless some
>>> details are given to enhance trustworthyness (a specific backdoor,
>>> protocol, communication interface, whatsoever), I personally consider
>>> this troll post.
>>
>> Sorry but you haven't seen the full story. This "Intel guy" is legit, he 
>> provided proofs like this one:
>>
>> https://i.warosu.org/data/g/img/0595/40/1490327898699.png
> Maybe, maybe not. Who can verify scanned and blacked papers? I would
> appreciate him helping me to remove it from my mainboard though! How to
> do THIS is the right discussion to my pov.
>
> --
> You received this message because you are subscribed to a topic in the Google 
> Groups "qubes-users" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/qubes-users/bqRSuU3T6MA/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to 
> qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-users/506eac1a-d270-e5aa-ab72-27088ddd7fea%40web.de.
> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFB9FS1esuD2NrYiEyNntb4U%3DCRaN%2BYvND5p1dyst679%3Dw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Intel ME Backdoor, called Odin's Eye

[Ivan Ivanov]

*not all the whistleblowers

2018-01-07 20:22 GMT+00:00 Ivan Ivanov <qmaster...@gmail.com>:
> Yes, sadly not whistleblowers are reasonable, but we need any
> whistleblowers - not just the Snowden tier! ;-)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFABwYJ1%3Dyc4f5BoH0ttA5_vjRMwOENr%2BRF83gR8k%2BvyAw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Intel ME Backdoor, called Odin's Eye

[Ivan Ivanov]

Yes, sadly not whistleblowers are reasonable, but we need any
whistleblowers - not just the Snowden tier! ;-)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFD8Env%3D%3DwM80yU%3DV3p2ZitEKEkhvtzT46ABPL-Lvc4SJQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Lenovo G505s with Coreboot and Qubes R4-rc3 fails to boot

[Ivan Ivanov]

I believe, something like this could be reliably determined only by experiment.
but 16 GB DDR3 SO-DIMMs are very expensive - especially now,
when the RAM prices hiked and 4 GB of DDR3 now costs like 8 GB :P
Currently it makes much more sense to get extra coreboot supported hardware
(e.g. some spare G505S laptops) rather than more RAM...

Do you live in a country with favorable customer laws?
Could you order a couple of 16 GB memory modules, test them,
and if they don't work (or if you simply don't need that much memory)
return them to seller without additional costs to you? such as repack fee

Best regards,
Ivan Ivanov

2018-01-07 0:27 GMT+03:00 taii...@gmx.com <taii...@gmx.com>:
> On 01/05/2018 07:00 PM, 'awokd' via qubes-users wrote:
>
>> On Fri, January 5, 2018 11:19 pm, 'Emil Novik' via qubes-users wrote:
>>>
>>> Does any G505s owner ever tried to put more than 16Go ram in it?
>>> The limit is meant to be 16Go but some laptops can use more than
>>> officially supported, wondering if the G505s is one of these.
>>>
>>> Would be nice to run 32Go ram on it for Qubes !
>>
>> I think the max supported DIMM size is 8GB. Taiidan is the guru, hopefully
>> he knows!
>
> I highly doubt it can support more than 16GB although considering the
> desktop version of that CPU can support 16GB DIMM's it is worth asking about
> on the coreboot mailinglist.
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "qubes-users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/qubes-users/ALUPDysiaEc/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/6426e5c8-43a5-a35c-7773-147d2d614db0%40gmx.com.
>
> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFD%3Dkmhse5Lex71Gra9Z48QjF3KE9QQXG1qByJwKH7tnsw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: [coreboot] G505s with Coreboot unable to run any version of Qubes

[Ivan Ivanov]

Hi Emil, thank you very much for your report.
Regarding Qubes 3.2 : at the Qubes HCL list I wrote:

"after Qubes R3.2 installation it cant boot - cant reach GRUB Boot Menu
because MBR (or GRUB) is corrupted. Use grub2-install to fix it (read more)
Everything else is OK "

https://groups.google.com/forum/#!msg/qubes-users/TS1zfKZ7q8w/JQFkVF4xBgAJ

If you fix your GRUB as described ^^^ you may be able to finally boot Qubes 3.2
Please test it and let me know the results

Live 3.1 was buggy, full 3.1 would have worked. Haven't tested 4.0 -
can't speak about it

Best regards,
Ivan

2017-12-28 1:19 GMT+03:00 Emil Novik via coreboot :
> Hey, I'm having some heavy trouble getting my laptop to run Qubes and I
> first thought I was having issues with the OS. But after digging into the
> logs I managed to get(crashes too early during boot to get any persistent
> logs, had to write most by hand) it feels more like an issue with my
> Coreboot built.
>
> So there are the details :
> - G505s with integrated HD 8650G + discrete R5 M230 graphics.
> - Coreboot 4.6-2477-g6ab3edac3c-dirty with processor microcode patch
> (change-ID: Ibbfee47ce1d5081640d6924e2b12f5213a7fcadb).
> - Runs Debian Stretch fine.
> - Fails to start Qubes 3.2 / 4.0 rc3 / Live 3.1.
> - I added the vgabios.rom for the integrated card with menuconfig and the
> one for the discrete card with cbfstool.
> - Coreboot.rom, .config and full make output as attachment.
>
>
> Some more error data I gathered from coreinfo's Bootlog :
>
> Failed to enable LTR for dev = PCI: 01:00.0
> Failed to enable LTR for dev = PCI: 02:00.0
> ...
> I2C: 01:50 missing read_resources
> I2C: 01:51 missing read_resources
> PNP: 00ff.1 missing read_resources
> ...
> Warning: Can't write PCI_INTR 0xC00/0xC01 registers because
> 'mainboard_picr_data' or 'mainboard_intr_data' tables are NULL
> Warning: Can't write PCI IRQ assignments because 'mainboard_pirq_data'
> structure does not exist
> ...
> ASSERTION ERROR: file
> 'src/vendorcode/amd/agesa/f15tn/Proc/Common/CommonReturns.c', line 187
> ASSERTION ERROR: file
> 'src/vendorcode/amd/agesa/f15tn/Proc/CPU/cpuGeneralServices.c', line 776
> ASSERTION ERROR: file
> 'src/vendorcode/amd/agesa/f15tn/Proc/Common/CommonReturns.c', line 187
> ASSERTION ERROR: file
> 'src/vendorcode/amd/agesa/f15tn/Proc/CPU/cpuGeneralServices.c', line 776
> ASSERTION ERROR: file
> 'src/vendorcode/amd/agesa/f15tn/Proc/Common/CommonReturns.c', line 187
> ASSERTION ERROR: file
> 'src/vendorcode/amd/agesa/f15tn/Proc/CPU/cpuGeneralServices.c', line 776
> ASSERTION ERROR: file
> 'src/vendorcode/amd/agesa/f15tn/Proc/Common/CommonReturns.c', line 187
> ASSERTION ERROR: file
> 'src/vendorcode/amd/agesa/f15tn/Proc/CPU/cpuGeneralServices.c', line 776
> ASSERTION ERROR: file
> 'src/vendorcode/amd/agesa/f15tn/Proc/Common/CommonReturns.c', line 187
> ASSERTION ERROR: file
> 'src/vendorcode/amd/agesa/f15tn/Proc/CPU/cpuGeneralServices.c', line 776
> ASSERTION ERROR: file
> 'src/vendorcode/amd/agesa/f15tn/Proc/Common/CommonReturns.c', line 187
> ASSERTION ERROR: file
> 'src/vendorcode/amd/agesa/f15tn/Proc/CPU/cpuGeneralServices.c', line 776
> ASSERTION ERROR: file
> 'src/vendorcode/amd/agesa/f15tn/Proc/Common/CommonReturns.c', line 187
> ASSERTION ERROR: file
> 'src/vendorcode/amd/agesa/f15tn/Proc/CPU/cpuGeneralServices.c', line 776
> ASSERTION ERROR: file
> 'src/vendorcode/amd/agesa/f15tn/Proc/Common/CommonReturns.c', line 187
> ASSERTION ERROR: file
> 'src/vendorcode/amd/agesa/f15tn/Proc/CPU/cpuGeneralServices.c', line 776
> ASSERTION ERROR: file
> 'src/vendorcode/amd/agesa/f15tn/Proc/Common/CommonReturns.c', line 187
> ASSERTION ERROR: file
> 'src/vendorcode/amd/agesa/f15tn/Proc/CPU/cpuGeneralServices.c', line 776
> ...
> Manufacturer: ef
> SF: Detected W25Q32 with sector size 0x1000, total 0x40
> ASSERTION ERROR: file 'src/drivers/spi/spi_flash.c', line 425
> ASSERTION ERROR: file 'src/drivers/spi/spi_flash.c', line 425
> ASSERTION ERROR: file 'src/drivers/spi/spi_flash.c', line 425
> ASSERTION ERROR: file 'src/drivers/spi/spi_flash.c', line 425
> Manufacturer: ef
> SF: Detected W25Q32 with sector size 0x1000, total 0x40
> ASSERTION ERROR: file 'src/drivers/spi/spi_flash.c', line 425
> ASSERTION ERROR: file 'src/drivers/spi/spi_flash.c', line 425
> ASSERTION ERROR: file 'src/drivers/spi/spi_flash.c', line 425
> ASSERTION ERROR: file 'src/drivers/spi/spi_flash.c', line 425
> ASSERTION ERROR: file 'src/drivers/amd/agesa/state_machine.c', line 309
> ...
> EEPROM not found
> EEPROM not found
> EEPROM not found
> EEPROM not found
> EEPROM not found
> EEPROM not found
> EEPROM not found
> ...
> I2C: 01:50 (unknown)
> I2C: 01:51 (unknown)
> ...
> APIC: 11 (unknown)
> APIC: 12 (unknown)
> APIC: 13 (unknown)
> PCI: 01:00.0 (unknown)
> PCI: 02:00.0 (unknown)
> PNP: 00ff.0 (unknown)
>
>
> "..." are parts I didn't write down as they didn't show any obvious
> errors(but I'm bad at seeing them) and it would take me a lng time to
> write down the full 

Re: [qubes-users] Re: Lenovo G505s with Coreboot and Qubes R4-rc3 fails to boot

[Ivan Ivanov]

Thank you very much! Luckily, when the people search, your posts and
posts like this are among the top results:
https://libreboot.org/faq.html#will-the-purism-laptops-be-supported
"There are severe privacy, security and freedom issues with these
laptops, due to the Intel chipsets that they use"
Hopefully the majority of their buyers realize that they are getting a
typical Intel laptop with coreboot preinstalled,
which is not the "Ultimate Freedom Machine" and actually not much
better than Sandy/Ivy Bridge thinkpads...

Meanwhile, let me to spam this again ;)
" Great idea is to stockpile the G505S and its spare replacement parts
/ IC components , so that - if your current one breaks - you had a
more than one replacement.
Lenovo tells that the average lifespan of G505S laptop is 4 years -
and, while it could survive longer in the caring hands - it would
really help if you have the replacement G505S / G505S motherboards /
major components of G505S motherboard like the spare KB9012QF A3
controllers and southbridge.
Especially the KB9012's - they are very cheap, and at the same time -
vulnerable to voltage spikes, so if you have unstable electricity at
house and your power adapter wouldn't block a spike - KB9012 could
easily die. AliExpress is your friend... :P "

Mike is good at writing wiki pages like these:
http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate
http://dangerousprototypes.com/docs/Flashing_KB9012_with_Bus_Pirate
http://dangerousprototypes.com/docs/Compal_POST_diagnostic_card
http://dangerousprototypes.com/docs/Compal_POST_diagnostic_card_-_Additional
Maybe together we could create a new page for us all, describing the
G505S components and their part numbers.
I will ask him about it soon

Unlike the libreboot-supported laptops, which are good but have a slow
hardware ( Core 2 Duo / 4 GB RAM ),
G505S ia a quad core beast with 16 GB RAM possible -> and at the
same time not Intel ME / PSP !
Could take many years before we see another laptop with such a great
performance / freedom ratio,
so it makes a total sense to turn it into Long Term Support laptop for
you and your freedom caring friends.

And, if you accidentally get too many G505S - their value should only
rise in the future, could re-sell.
Just hope we wouldn't inflate the prices for each other at those auctions ;-)

Happy coming New Year :)
Ivan



2017-12-30 3:20 GMT+03:00 taii...@gmx.com <taii...@gmx.com>:
> On 12/29/2017 06:39 PM, awokd wrote:
>
>> On Fri, December 29, 2017 11:32 pm, Ivan Ivanov wrote:
>>>
>>> 2017-12-30 1:57 GMT+03:00 taii...@gmx.com <taii...@gmx.com>:
>>>
>>> Yes, I am also very disappointed in purism, and its still unclear for
>>> me why they went the Intel road, when - at 2013 - they could have created
>>> a
>>> more freedom-respecting equivalent of G505S, instead of
>>
>> This was hashed over in the Coreboot mailing list recently, see
>> https://mail-archive.com/coreboot@coreboot.org/msg50746.html. To be
>> honest, I'm kind of tired of hearing about Purism now. ;) I think people
>> have made their positions clear.
>
> :<
> I only make so much noise because no one else is doing so - they have
> strangely universal positive coverage in the mainstream tech media and the
> real facts and downsides are never mentioned or investigated - not to
> mention that the real libre products like TALOS 2 and Novena get little to
> no press for some reason.
>
> I respect your opinion, but there are still so many laymen who think that
> "LibreM" means "Libre" (the purism goons say it doesn't and that its not
> their fault people are confused) so I feel as though I must continue.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFB0U6fSBs3i06-0_8byp5g%2BNRvVJJcqcv40jVPZ8OUFcQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Lenovo G505s with Coreboot and Qubes R4-rc3 fails to boot

[Ivan Ivanov]

Maybe its just a driver which can't find a blob - by itself the GPU
should have this blob loaded on it by coreboot.
https://bugs.freedesktop.org/show_bug.cgi?id=101473
Alex Deucher says that "Invalid PCI ROM header signature: expecting
0xaa55, got 0x" message can be ignored

BTW this "0x" issue is not G505S specific, seems T400s also has it
- https://lists.gnu.org/archive/html/libreboot/2016-05/msg00050.html
There aren't many coreboot supported laptops with dual GPU perhaps
thats why its not fixed yet

Also, maybe it could be possible to somehow pass a copy of that
vgabios blob from GRUB to a Linux kernel, so that its' driver detects
this blob.
If i'm not mistaken i've seen the people trying it for their Mac Pro
(similar problem but got another value, maybe 0x), forgot how its
ended though

The research about GPUs is not over, we are going to continue it soon ;)


2017-12-30 2:25 GMT+03:00 awokd <aw...@danwin1210.me>:
> On Fri, December 29, 2017 10:50 pm, Ivan Ivanov wrote:
>> awokd, Thank you very much for your microcode research ;)
>>
>> Please remind me, which version of G505S do you have:
>> integrated /// integrated + HD 8570M /// integrated + R5 M230 ?
>
> Mine's the integrated. Blooorp turned out to have the integrated + R5
> M230. We managed to get his working with Qubes 4.0 by adding
> xen-pciback.hide(04:00.0) to the dom0 command line in GRUB so it wouldn't
> attempt to initialize the M230 at all. That's why his kept crashing.
>
>> Last time we experimented with Mike, we were 100% sure we extracted
>> vgabios'es correctly, in the best possible way, but - maybe because of
>> unstable AMDGPU at Linux -
>> we couldn't get our discrete GPUs working at this time, no matter what we
>> tried :P
>
>> If you have integrated + one of the discretes:
>> do you have a discrete GPU working when you are using two vgabios'es ? If
>> yes, at what Linux distro and what kernel, your software setup?
>>
>> I'm going to re-test it soon with a more stable kernel, probably
>> something like 4.14.8 at Void Linux: excellent not-systemd distro which is
>> stable while having very modern packages
>>
>> Not Qubes OS, because at Qubes its very difficult to test any GPU,
>> this OS isn't for gaming ;-)
>
> We troubleshot his in a similar way but with Stretch. If you load the
> firmware-amd-graphics package it gave us some helpful output. In this case
> it seemed like it was missing the blob (signature 0x instead of what
> it wanted) so we just hid it. I'm curious too to see if it would work
> properly with one but unfortunately can't try on mine!
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFAkZUtREMzkvXX%3DL0yse02bXype1mdmzzHCQdQAytxb0g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Lenovo G505s with Coreboot and Qubes R4-rc3 fails to boot

[Ivan Ivanov]

2017-12-30 1:57 GMT+03:00 taii...@gmx.com :
> I am glad there are still some good people in the coreboot community.
>
> Thanks for the info, yeah I have put up a stink about it many times but it
> seemed like no one cared. I have been moderated from the list many times for
> complaining about the direction the project is going in (corporate
> controlled, only unobtainable intel dev boards supported due to absurd
> standards etc) and all the shady money people like purism censoring
> developers (they even tried to get someone fired from google from posting a
> simple fact about their products on the coreboot blog) and constantly
> badgering the FSF to try and get them to ruin the RYF standard.
>
> I assume purism is behind the requests to remove half the useful coreboot
> boards - it makes financial sense for them to do this and they certainly
> have the low morals required for it.

Yes, I am also very disappointed in purism, and its still unclear for
me why they went the Intel road, when - at 2013 - they could have
created a more freedom-respecting equivalent of G505S, instead of
yet-another-Intel-laptop-with-ME-crapware. but deep in the heart i
still hope they'd use their (a bit fraudulently earned) money for a
good cause - e.g. if they would create a truly libre laptop based at
not-ME/PSP cpu

Taiidan, same questions to you (if your G505S has a discrete graphics):
do you have a discrete graphics working with two vgabios'es, and if
yes - at what setup?

Great idea is to stockpile the G505S and its spare replacement parts /
IC components , so that - if your current one breaks - you had a more
than one replacement. Lenovo tells that the average lifespan of G505S
laptop is 4 years - and, while it could survive longer in the caring
hands - it would really help if you have the replacement G505S / G505S
motherboards / major components of G505S motherboard like the spare
KB9012QF A3 controllers and southbridge, Especially the KB9012's -
they are very cheap, and at the same time - vulnerable to voltage
spikes, so if you have unstable electricity at house and your power
adapter wouldn't block a spike - KB9012 could easily die. AliExpress
is your friend... :P

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFDvfoemy3NfK9sT25RB%2B7OU%2BdZcroJYPirekqsFvk9zwQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Lenovo G505s with Coreboot and Qubes R4-rc3 fails to boot

[Ivan Ivanov]

awokd, Thank you very much for your microcode research ;)

Please remind me, which version of G505S do you have:
integrated /// integrated + HD 8570M /// integrated + R5 M230 ?

Last time we experimented with Mike, we were 100% sure we extracted vgabios'es
correctly, in the best possible way, but - maybe because of unstable
AMDGPU at Linux -
we couldn't get our discrete GPUs working at this time, no matter what
we tried :P

If you have integrated + one of the discretes:
do you have a discrete GPU working when you are using two vgabios'es ?
If yes, at what Linux distro and what kernel, your software setup?

I'm going to re-test it soon with a more stable kernel, probably
something like 4.14.8
at Void Linux: excellent not-systemd distro which is stable while
having very modern packages

Not Qubes OS, because at Qubes its very difficult to test any GPU,
this OS isn't for gaming ;-)
 

  https://www.avast.com/sig-email?utm_medium=email_source=link_campaign=sig-email_content=webmail;
target="_blank">https://ipmcdn.avast.com/images/icons/icon-envelope-tick-round-orange-animated-no-repeat-v1.gif;
alt="" width="46" height="29" style="width: 46px; height: 29px;"
/>
Без вирусов. https://www.avast.com/sig-email?utm_medium=email_source=link_campaign=sig-email_content=webmail;
target="_blank" style="color: #4453ea;">www.avast.ru




2017-12-30 1:11 GMT+03:00 awokd :
> On Fri, December 29, 2017 9:57 pm, qma ster wrote:
>
>> The complete "trying-to-kill-AGESA-boards" story:
>
> Thank you for the background, and for your nice work with Mike on the GPUs!
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFC2J2O9P7wOqgwEqz0f-FrvQ0pWUU36KWvmJ%3DMYv1_47g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.