Re: 'invisible' blobs are blobs too (Re: [qubes-users] HCL - Purism Librem 13 v2)
I have to say, while im happy to see people are actually trying to get a constructive discussion here, im missing facts, sources and numbers. The only blob in an X230 which could be security relevant imo is the embedded controller. The EC will most likely be liberated in the near future, and even if it isnt, that is just no comparison to the amount of attack-surface and security-relevance of the blobs a Librem contains. But thats a personal opinion, there are some who consider stock-bios not a problem at all, because their threat-model does not contain such highly-skilled attacks or they trust the vendor. However, UEFI-exploits from non-state-actors have already been found in the wild, and will become a lot more common imo. Example: https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/ About the Intel-ME: The other blob in an x230 is be the "ROMP/BUB"-module (which is the only part left from the Intel ME), roughly around ~90 kB after me-cleaner (~ 1.5 MB without), and, very important, the me is shut down before the kernel initializes. The Me-version Generation 3 like they are used in a Librem, however, are after applying ME-cleaner "rbe", "kernel" , "syslib" AND "bup" , and the minimum firmware-size is at best ~ 300 kb, and is not shut down at all. BTW, i feel like people overestimate the relevance of the Intel Managment Engine. THere is so much fake-news about the ME, its ridiculous. That being said, i personally would never use a device for sensitive stuff with ME-generation 3 ore higher, and certainly not one with a prop BIOS ore a significant amount of dangerous blobs.Again, these are personal choices, bashing without even providing any sources to fact-check for the reader wont help anybody. While i would love to have the option of buying a completely free Laptop directly from a vendor, i have serious doubts about how this would be possible with x86 architecture, and i wanst able to find any specific information on how pursim is planning to achieve that. Freeing a Librem isnt simply a matter of more work and development, without having Intels signing keys, it is flat-out technically impossible. And i would love to believe that Intel will provide Purism those keys, but given the fact that they didnt do it even for Google, i doubt it even more. Some more information on this matter would be really great, maybe im missing something? If any of these information are incorrect please tell me so, and most important, please provide sources. On 11/12/18 12:15 PM, unman wrote: > On Mon, Nov 12, 2018 at 09:58:25AM +, Holger Levsen wrote: >> On Sun, Nov 11, 2018 at 03:45:21PM +, unman wrote: >>> lenovo x230s are still widely available, and great for Qubes. >> while I agree with that, I want to point out that they contain several >> non free blobs which cannot be changed. >> >> just because there was so much purism bashing in this thread. :-D >> >> >> -- >> cheers, >> Holger, who is happy that his keyboard, memory and battery works > Try, but 22rip didnt have that as a criteria in his choices. Also, the > x230 keyboard,memory and battery all work. ;-) > -- Kind Regards Jonathan Seefelder CryptoGS IT-Security Solutions Hofmark 43b D-84564 Oberbergkirchen Phone: +49 8637-7505 Fax: +49 8637-7506 Mail: i...@cryptogs.de www.cryptogs.de -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a94c36f7-ecee-caa4-ba93-381acde1a6c0%40cryptogs.de. For more options, visit https://groups.google.com/d/optout. signature.asc Description: OpenPGP digital signature
Re: [qubes-users] Installation, no AMD-vi, interrupt mapping, etc.
maybe a dump Question, but did you check if its enabled in the BIOS ? ;) cheers On 10/1/18 11:46 AM, naask...@gmail.com wrote: > My first attempt at installing Qubes brought up a dialog indicating AMD-Vi > and interrupt remapping wasn't available. I know my hardware supports the > necessary virtualization extensions (AMD FX-8120 on a 990FX mobo), so further > investigation suggested that the bios was probably buggy. > > I updated the bios but still no luck, so I tried a manual procedure as > described at [1]: I ran a recent live linux distro from a USB key and > confirmed that interrupt remapping was disabled by default due to this BIOS > bug. I then figured out the IOMMU and SMBus addresses using the described > procedure and managed to get the live linux to boot with interrupt remapping > and virtualization enabled as reported by dmesg. > > I tried the same ivrs_ioapic mapping procedure for the Qubes installer, but > it still raises that dialog saying no interrupt remapping, AMD-Vi, etc. > Running dmesg in the Qubes installer console reports only that IOMMUv2 is not > available, which the live linux also reported, but no other errors. The dmesg > output is a little different though, so perhaps I missed something. > > Any suggestions on what to do next? > > [1] https://superuser.com/questions/1052023/ioapic0-not-in-ivrs-table > -- Kind Regards Jonathan Seefelder CryptoGS IT-Security Solutions Hofmark 43b D-84564 Oberbergkirchen Phone: +49 8637-7505 Fax: +49 8637-7506 Mail: i...@cryptogs.de www.cryptogs.de -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/dd1b14c1-11e1-0bb4-0805-c32aee120bc7%40cryptogs.de. For more options, visit https://groups.google.com/d/optout. signature.asc Description: OpenPGP digital signature
Re: [qubes-users] Qubes can't FDE?
Hello, yes,
altough i personally never used HEADS productive, ive set it up, the
last time is quite some time ago tough. I remember i had to troubleshoot
quite a bit.
About petitboot, i just started to look into it myself, so i wont be
much help there probably, what exactly are you trying to achieve?
I will send you a grub.cfg which is working tomorrow morning, you will
have to edit /adjust it tough.(either change the uuid in the config file
ore the uuid of /boot )
I used kernelsigning, but i wasnt to happy with it in the long run, for
usability, 2fa with one partition or /boot and /root encrypted so far
is the best , we use it every day.
Talking about usability, i highly recommend to add SEAbios as a
secondary payload, at least if you want to boot live-usb from time to time.
cheers
On 9/18/18 3:20 PM, get wrote:
> вторник, 18 сентября 2018 г., 20:16:10 UTC+3 пользователь Jonathan Seefelder
> написал:
>> yes its possible, do you want to encrypt /boot and /root separately so
>> you will need a different password for each partition, or do you want to
>> encrypt it all together with 2fa etc?
>>
>> The first one is relatively easy, you will have to modify the grub.cfg
>> of your coreboot image.Also, the uuid will have to match, you can either
>> do a "normal" install and change the uuid in the grub.cfg, or change the
>> uuid of /root.
>>
>> check out the libreboot-side, there should be all the necessary
>> information. I will write a tutorial some day.
>>
>> cheers
>>
>>
>> On 9/18/18 1:02 PM, 'awokd' via qubes-users wrote:
>>
>>> get:
>>>> FDE in my understanding this is a scheme partition look like
>>>>
>>>> sda 8:00 9,9G 0 disk
>>>> └─sda1 8:10 9,9G 0 LUKS
>>>> └──luks- crypt
>>>> ├─qubes_dom0-boot lvm /boot (encrypted)
>>>> ├─qubes_dom0-swap lvm [SWAP] (encrypted)
>>>> └─qubes_dom0-root lvm / (encrypted)
>>>>
>>>> FDE = cryptsetup whole disk (including /boot). Not only root partition.
>>>> Anaconda can't do it by default. Installation success only with grub
>>>> missing.
>>>> OS research HEADS can't kexec into FDE disk.
>>>>
>>>> Is it only possible to boot from grub2 coreboot ?
>>>>
>>>> cryptomount -a
>>>> set root='hd0,msdos1'
>>>> linux=... vmlinuz=...
>>>>
>>>> I have been trying to do the coreboot firmware for a month already
>>>> to get a load of Qubes with full disk encryption (including /boot). Is it
>>>> possible? Can anyone help me ?:)
>>> I've seen others on this list report it as successful, but haven't done
>>> it myself. I think they had to use the Seabios payload for the initial
>>> install, then switch to coreboot's grub2. Afraid that's about all I know...
>>>
>> --
>> Kind Regards
>> Jonathan Seefelder
>> CryptoGS IT-Security Solutions
> Hi, Jonathan Seefelder.
>
> I'm looking for different ways of how to encrypt the whole disk (include
> /boot) and load it using coreboot modifications.
>
> I know how to load this way Parabola FDE (include /boot)
>
> menuentry 'Linux-libre kernel' {
> cryptomount -a (ahci0,msdos1)
> set root='lvm/matrix-rootvol'
> linux /boot/vmlinuz-linux-libre root=/dev/matrix/rootvol
> cryptdevice=/dev/sda1:root
> initrd /boot/initramfs-linux-libre.img
> }
>
> Is the same method for xen?
>
> Did you try Heads/Petitboot?
>
> https://www.raptorengineering.com/content/kb/1.html
> https://github.com/osresearch/heads
>
> Did you try to add
> https://en.wikipedia.org/wiki/PBKDF2 to grub use qubes FDE?
>
> Did you try add gpg keys?
>
> Thanks.
>
--
Kind Regards
Jonathan Seefelder
CryptoGS IT-Security Solutions
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/6e9da4fd-befb-24cc-b8e3-ad52f1756c03%40seefelder-web.de.
For more options, visit https://groups.google.com/d/optout.
signature.asc
Description: OpenPGP digital signature
Re: [qubes-users] Qubes can't FDE?
yes its possible, do you want to encrypt /boot and /root separately so you will need a different password for each partition, or do you want to encrypt it all together with 2fa etc? The first one is relatively easy, you will have to modify the grub.cfg of your coreboot image.Also, the uuid will have to match, you can either do a "normal" install and change the uuid in the grub.cfg, or change the uuid of /root. check out the libreboot-side, there should be all the necessary information. I will write a tutorial some day. cheers On 9/18/18 1:02 PM, 'awokd' via qubes-users wrote: > get: >> FDE in my understanding this is a scheme partition look like >> >> sda 8:00 9,9G 0 disk >> └─sda1 8:10 9,9G 0 LUKS >> └──luks- crypt >> ├─qubes_dom0-boot lvm /boot (encrypted) >> ├─qubes_dom0-swap lvm [SWAP] (encrypted) >> └─qubes_dom0-root lvm / (encrypted) >> >> FDE = cryptsetup whole disk (including /boot). Not only root partition. >> Anaconda can't do it by default. Installation success only with grub missing. >> OS research HEADS can't kexec into FDE disk. >> >> Is it only possible to boot from grub2 coreboot ? >> >> cryptomount -a >> set root='hd0,msdos1' >> linux=... vmlinuz=... >> >> I have been trying to do the coreboot firmware for a month already >> to get a load of Qubes with full disk encryption (including /boot). Is it >> possible? Can anyone help me ?:) > I've seen others on this list report it as successful, but haven't done > it myself. I think they had to use the Seabios payload for the initial > install, then switch to coreboot's grub2. Afraid that's about all I know... > -- Kind Regards Jonathan Seefelder CryptoGS IT-Security Solutions -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/439d4e54-7594-7e87-704f-884c346a2a44%40seefelder-web.de. For more options, visit https://groups.google.com/d/optout. signature.asc Description: OpenPGP digital signature
Re: [qubes-users] Qubes 4.0 SSD Encryption
If you keep wear-leveling in mind, and encrypt the ssd before you fill it with sensitive data, id suggest an ssd. Ideally, you should encrypt /boot also. cheers On 08/23/18 16:15, jonbrownmaste...@gmail.com wrote: > I know the most secure way of using Qubes 4.0 is using full disk encryption > but should I use a regular HD or is an SSD better without losing security? > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/24ca1b18-bcdf-e5c3-c919-e54a38c87389%40cryptogs.de. For more options, visit https://groups.google.com/d/optout. signature.asc Description: OpenPGP digital signature
