Re: [qubes-users] Re: Intel TXT advice

2016-11-16 Thread Pedro Martins

On 14-11-2016 20:07, Eric wrote:
> On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote:
>> Eric:
>>> On Sunday, November 13, 2016 at 10:44:33 PM UTC-8,
>>> tai...@gmx.com wrote:
>
> ...
>
> Well, the Dell XPS was enough processing power for me. The Business
> version, the Precision 5510, not only has vPro and TXT, but also
> supports ECC memory (Xeon E5). Adds another layer of protection
> (against Rowhammer attacks that can compromise even Qubes), but a)
> nobody actually makes DDR4-ECC-SODIMM memory that I can find, and b)
> it's basically another thousand bucks. I also happen to hate 16:9
> displays, but I would compromise on that for Qubes' sake.



FYI, ECC SODIMM DDR3, no DDR4 yet:

http://www.intelligentmemory.com/ECC-DRAM/DDR3/

--
Pedro Martins

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/baed4659-39aa-61c6-cb17-0cf50be1ba4b%40gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Intel TXT advice

2016-11-15 Thread taii...@gmx.com
So you know AFAIK OPOWER8+ systems have an emulation layer for x86 that 
works quite well, on the TALOS page you can see them playing a modern 3d 
game with it via pass thru video although obviously you wouldn't want to 
emulate a VMM.


Xen isn't the be all-end all of virtualization, there are many other 
solutions and some of them work better. (I could never get pass thru 
video to work with xen, only qemu-kvm and I used libvirt for the 
management layer)


There are plenty of non ME systems out there that are new enough to be 
useful for gaming, only AM4/FM2 have PSP but all the other AMD procs 
don't have PSP. The KGPE-d16 for instance is an opteron blob free 
coreboot/libreboot board that is quite nice for a performance 
workstation. For a laptop there is always the novena and a few other 
blob free ones, and if you don't want ME you can buy a non PSP AMD laptop.




Re: [qubes-users] Re: Intel TXT advice

2016-11-14 Thread 3n7r0py1
On Monday, November 14, 2016 at 11:55:09 PM UTC, tai...@gmx.com wrote:
> On 11/14/2016 04:50 PM, entr0py wrote:
> 
> > taii...@gmx.com:
> >> On 11/14/2016 03:12 PM, Eric wrote:
> >>> On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote:
> >>>> Eric:
> >>>>> On Sunday, November 13, 2016 at 10:44:33 PM UTC-8,
> >>>>> tai...@gmx.com wrote:
> >>>>>> Forgot to say: Purism is just an overpriced quanta/oem
> >>>>>> whitebox laptop, it takes 5mil+ of startup funds to do a
> >>>>>> small run of *just a motherboard* let alone an entire laptop
> >>>>>> computer including the fab for a fancy aluminum case - it is
> >>>>>> quite obvious that their components are not "hand selected"
> >>>>>> and that they just called up some chinese OEM and asked them
> >>>>>> what they had kicking around.
> >>>>>>
> >>>>>> I can't understand if they are scammers or just really
> >>>>>> naive, Instead of making an OpenPower or ARM laptop and
> >>>>>> having it be 100% libre from the start they instead do the
> >>>>>> dishonest "you'll go to disneyworld one day poor johnny" - If
> >>>>>> google can't convince intel to open up FSP/ME then nobody can
> >>>>>> - coreboot with FSP is just shimboot (black box FSP - 95% of
> >>>>>> the bios work)
> >>>>>>
> >>>>>> It bothers me quite a lot that they are on the list of
> >>>>>> approved vendors when they are a dishonest company.
> >>>>> Whoa. Ok, hold on a sec. I did not buy a Purism computer,
> >>>>> though not for those reasons - putting a 28W TDP proc in a
> >>>>> 15inch "workstation" is absurd to me. as is their lack of a
> >>>>> screen configuration. I hear your anger at the gap between what
> >>>>> they promise and what they deliver; I'm more displeased on the
> >>>>> hardware side of things (though I do like HW kill switches.
> >>>>> I've looked into what they promise and understand very well
> >>>>> that they don't actually have a very free computer at all,
> >>>>> especially on the bios/firmware side.
> >>>>>
> >>>>> What I actually ordered (and have now cancelled), was a Dell
> >>>>> XPS 15". There is no vPro option in the configure menu, though
> >>>>> it does support VT-d and SLAT. I've read all of Joanna's
> >>>>> papers, and understand the concerns about Intel ME very well.
> >>>>> However, on the Dell order, it claimed "ME Disabled." Perhaps
> >>>>> they simply meant that vPro/AMT/TXT was disabled, and that was
> >>>>> mine and Dell's fault for wishful thinking and false naming,
> >>>>> respectively. Please see linked photo: https://d.pr/Q0YZ
> >>>>>
> >>>> Moral considerations aside, why not buy that Dell and pair it
> >>>> with a portable router/firewall like this
> >>>> (https://www.compulab.co.il/utilite-computer/web/products)?
> >>>> Shouldn't that effectively block out any ME-related mischief or
> >>>> do I have a fundamental misunderstanding? It doesn't seem
> >>>> possible otherwise to get the type of processing power you're
> >>>> looking for in a laptop form-factor.
> >>> Also, the concern for me is not ME shenanigans. I'm more concerned
> >>> about having TXT for AEM and measured boot, and the consumer Dell
> >>> model does not have that (the processor and chipset don't support
> >>> it). The other option aside from the Precision 5510, would be a
> >>> ThinkPad T460 or T460p, but the downside there is performance (only
> >>> SATA-3 SSD), and also the screen quality is terrible.
> >>>
> >>> Much as I dislike proprietary anything, I might take a second look
> >>> at the new MacBook Pros, and run things that need higher security
> >>> in a VM or in Whonix.
> >> Why would you buy a macbook? You realize those have regular intel 
> >> processors and ME too right?
> >>
> >> Lenovo is owned by the chinese, and dell business laptop (their consumer 
> >> line is garbage) is a way better choice than either.
> >>
> >> It seems you do have (as you said) a fundamental misunderstanding of how 
> >> security actually works, and how a router/firewall operates. - thus I 
> >> don't think that anyone would be targeting you specifically with a ME 
> >> exploit.
> > (top-posting fixed)
> >
> > Despite my "fundamental misunderstanding of how security actually works", I 
> > am able to read a thread and keep track of who said what - a skill you 
> > seemed to have misplaced in all your wizardry. Also, on your crusade to 
> > dismantle Intel and Google, it might behoove you to take a slightly less 
> > aggressive tack with people who generally share your beliefs cause it seems 
> > you're significantly outnumbered as it is.
> >
> > Now if you'd like to respond without the obligatory disdain and actually 
> > explain something, my question was: "Is Intel ME/AMT able to bypass 
> > firewalls that haven't been specifically configured to support those 
> > services?" This entry: 
> > https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Communication
> >  leads me to think that ME TCP/IP traffic isn't automatically 
> > passed-through, but like *I* said, I may have a 

Re: [qubes-users] Re: Intel TXT advice

2016-11-14 Thread taii...@gmx.com

On 11/14/2016 04:50 PM, entr0py wrote:
> taii...@gmx.com:
>> On 11/14/2016 03:12 PM, Eric wrote:
>>> On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote:
>>>> Eric:
>>>>> On Sunday, November 13, 2016 at 10:44:33 PM UTC-8,
>>>>> tai...@gmx.com wrote:
>>>>>> Forgot to say: Purism is just an overpriced quanta/oem
>>>>>> whitebox laptop, it takes 5mil+ of startup funds to do a
>>>>>> small run of *just a motherboard* let alone an entire laptop
>>>>>> computer including the fab for a fancy aluminum case - it is
>>>>>> quite obvious that their components are not "hand selected"
>>>>>> and that they just called up some chinese OEM and asked them
>>>>>> what they had kicking around.
>>>>>>
>>>>>> I can't understand if they are scammers or just really
>>>>>> naive, Instead of making an OpenPower or ARM laptop and
>>>>>> having it be 100% libre from the start they instead do the
>>>>>> dishonest "you'll go to disneyworld one day poor johnny" - If
>>>>>> google can't convince intel to open up FSP/ME then nobody can
>>>>>> - coreboot with FSP is just shimboot (black box FSP - 95% of
>>>>>> the bios work)
>>>>>>
>>>>>> It bothers me quite a lot that they are on the list of
>>>>>> approved vendors when they are a dishonest company.
>>>>> Whoa. Ok, hold on a sec. I did not buy a Purism computer,
>>>>> though not for those reasons - putting a 28W TDP proc in a
>>>>> 15inch "workstation" is absurd to me. as is their lack of a
>>>>> screen configuration. I hear your anger at the gap between what
>>>>> they promise and what they deliver; I'm more displeased on the
>>>>> hardware side of things (though I do like HW kill switches.
>>>>> I've looked into what they promise and understand very well
>>>>> that they don't actually have a very free computer at all,
>>>>> especially on the bios/firmware side.
>>>>>
>>>>> What I actually ordered (and have now cancelled), was a Dell
>>>>> XPS 15". There is no vPro option in the configure menu, though
>>>>> it does support VT-d and SLAT. I've read all of Joanna's
>>>>> papers, and understand the concerns about Intel ME very well.
>>>>> However, on the Dell order, it claimed "ME Disabled." Perhaps
>>>>> they simply meant that vPro/AMT/TXT was disabled, and that was
>>>>> mine and Dell's fault for wishful thinking and false naming,
>>>>> respectively. Please see linked photo: https://d.pr/Q0YZ
>>>>>
>>>> Moral considerations aside, why not buy that Dell and pair it
>>>> with a portable router/firewall like this
>>>> (https://www.compulab.co.il/utilite-computer/web/products)?
>>>> Shouldn't that effectively block out any ME-related mischief or
>>>> do I have a fundamental misunderstanding? It doesn't seem
>>>> possible otherwise to get the type of processing power you're
>>>> looking for in a laptop form-factor.
>>> Also, the concern for me is not ME shenanigans. I'm more concerned
>>> about having TXT for AEM and measured boot, and the consumer Dell
>>> model does not have that (the processor and chipset don't support
>>> it). The other option aside from the Precision 5510, would be a
>>> ThinkPad T460 or T460p, but the downside there is performance (only
>>> SATA-3 SSD), and also the screen quality is terrible.
>>>
>>> Much as I dislike proprietary anything, I might take a second look
>>> at the new MacBook Pros, and run things that need higher security
>>> in a VM or in Whonix.
>>
>> Why would you buy a macbook? You realize those have regular intel processors 
>> and ME too right?
>>
>> Lenovo is owned by the chinese, and dell business laptop (their consumer line 
>> is garbage) is a way better choice than either.
>>
>> It seems you do have (as you said) a fundamental misunderstanding of how 
>> security actually works, and how a router/firewall operates. - thus I don't 
>> think that anyone would be targeting you specifically with a ME exploit.
>
> (top-posting fixed)
>
> Despite my "fundamental misunderstanding of how security actually works", I am 
> able to read a thread and keep track of who said what - a skill you seemed to have 
> misplaced in all your wizardry. Also, on your crusade to dismantle Intel and Google, it 
> might behoove you to take a slightly less aggressive tack with people who generally share 
> your beliefs cause it seems you're significantly outnumbered as it is.
>
> Now if you'd like to respond without the obligatory disdain and actually explain 
> something, my question was: "Is Intel ME/AMT able to bypass firewalls that haven't 
> been specifically configured to support those services?" This entry: 
> https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Communication leads me 
> to think that ME TCP/IP traffic isn't automatically passed-through, but like *I* said, I 
> may have a fundamental misunderstanding of that.

It is the same as any other device connected to your network, if it has 
a world routable IP, you port forward, your router gets hacked, your 
computer gets exploited or it initiates communication on its own then 
yes it can communicate with the outside world.
For all we know it is simply waiting for an "activation" code sent via 
MITM that it will detect.


I do not want to "dismantle" intel/google, I simply want them to be more 
friendly to the customer and for intel to end their war on free software 
and general purpose computing - they used to be great companies but now 
they aren't 

Re: [qubes-users] Re: Intel TXT advice

2016-11-14 Thread entr0py
entr0py:
> taii...@gmx.com:
>> On 11/14/2016 03:12 PM, Eric wrote:
>>> On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote:
>>>> Eric:
>>>>> On Sunday, November 13, 2016 at 10:44:33 PM UTC-8,
>>>>> tai...@gmx.com wrote:
>>>>>> Forgot to say: Purism is just an overpriced quanta/oem
>>>>>> whitebox laptop, it takes 5mil+ of startup funds to do a
>>>>>> small run of *just a motherboard* let alone an entire laptop
>>>>>> computer including the fab for a fancy aluminum case - it is
>>>>>> quite obvious that their components are not "hand selected"
>>>>>> and that they just called up some chinese OEM and asked them
>>>>>> what they had kicking around.
>>>>>>
>>>>>> I can't understand if they are scammers or just really
>>>>>> naive, Instead of making an OpenPower or ARM laptop and
>>>>>> having it be 100% libre from the start they instead do the
>>>>>> dishonest "you'll go to disneyworld one day poor johnny" - If
>>>>>> google can't convince intel to open up FSP/ME then nobody can
>>>>>> - coreboot with FSP is just shimboot (black box FSP - 95% of
>>>>>> the bios work)
>>>>>>
>>>>>> It bothers me quite a lot that they are on the list of
>>>>>> approved vendors when they are a dishonest company.
>>>>> Whoa. Ok, hold on a sec. I did not buy a Purism computer,
>>>>> though not for those reasons - putting a 28W TDP proc in a
>>>>> 15inch "workstation" is absurd to me. as is their lack of a
>>>>> screen configuration. I hear your anger at the gap between what
>>>>> they promise and what they deliver; I'm more displeased on the
>>>>> hardware side of things (though I do like HW kill switches.
>>>>> I've looked into what they promise and understand very well
>>>>> that they don't actually have a very free computer at all,
>>>>> especially on the bios/firmware side.
>>>>>
>>>>> What I actually ordered (and have now cancelled), was a Dell
>>>>> XPS 15". There is no vPro option in the configure menu, though
>>>>> it does support VT-d and SLAT. I've read all of Joanna's
>>>>> papers, and understand the concerns about Intel ME very well.
>>>>> However, on the Dell order, it claimed "ME Disabled." Perhaps
>>>>> they simply meant that vPro/AMT/TXT was disabled, and that was
>>>>> mine and Dell's fault for wishful thinking and false naming,
>>>>> respectively. Please see linked photo: https://d.pr/Q0YZ
>>>>>
>>>> Moral considerations aside, why not buy that Dell and pair it
>>>> with a portable router/firewall like this
>>>> (https://www.compulab.co.il/utilite-computer/web/products)?
>>>> Shouldn't that effectively block out any ME-related mischief or
>>>> do I have a fundamental misunderstanding? It doesn't seem
>>>> possible otherwise to get the type of processing power you're
>>>> looking for in a laptop form-factor.
>>> Also, the concern for me is not ME shenanigans. I'm more concerned
>>> about having TXT for AEM and measured boot, and the consumer Dell
>>> model does not have that (the processor and chipset don't support
>>> it). The other option aside from the Precision 5510, would be a
>>> ThinkPad T460 or T460p, but the downside there is performance (only
>>> SATA-3 SSD), and also the screen quality is terrible.
>>>
>>> Much as I dislike proprietary anything, I might take a second look
>>> at the new MacBook Pros, and run things that need higher security
>>> in a VM or in Whonix.
>>
>> Why would you buy a macbook? You realize those have regular intel processors 
>> and ME too right?
>>
>> Lenovo is owned by the chinese, and dell business laptop (their consumer 
>> line is garbage) is a way better choice than either.
>>
>> It seems you do have (as you said) a fundamental misunderstanding of how 
>> security actually works, and how a router/firewall operates. - thus I don't 
>> think that anyone would be targeting you specifically with a ME exploit.
> 
> (top-posting fixed)
> 
> Despite my "fundamental misunderstanding of how security actually works", I 
> am able to read a thread and keep track of who said what - a skill you seemed 
> to have misplaced in all your wizardry. Also, on your crusade to dismantle 
> Intel and Google, it might behoove you to take a slightly less aggressive tack 
> with people who generally share your beliefs cause it seems you're 
> significantly outnumbered as it is.
> 
> Now if you'd like to respond without the obligatory disdain and actually 
> explain something, my question was: "Is Intel ME/AMT able to bypass 
> firewalls that haven't been specifically configured to support those 
> services?" This entry: 
> https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Communication
>  leads me to think that ME TCP/IP traffic isn't automatically passed-through, 
> but like *I* said, I may have a fundamental misunderstanding of that.
> 

I should add: My question is in the context of independent router/firewalls (on 
separate hardware). I know that firewalls on the same machine as Intel ME have 
no effect because the signals are out-of-band / not OS-dependent.


Re: [qubes-users] Re: Intel TXT advice

2016-11-14 Thread entr0py
taii...@gmx.com:
> On 11/14/2016 03:12 PM, Eric wrote:
>> On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote:
>>> Eric:
>>>> On Sunday, November 13, 2016 at 10:44:33 PM UTC-8,
>>>> tai...@gmx.com wrote:
>>>>> Forgot to say: Purism is just an overpriced quanta/oem
>>>>> whitebox laptop, it takes 5mil+ of startup funds to do a
>>>>> small run of *just a motherboard* let alone an entire laptop
>>>>> computer including the fab for a fancy aluminum case - it is
>>>>> quite obvious that their components are not "hand selected"
>>>>> and that they just called up some chinese OEM and asked them
>>>>> what they had kicking around.
>>>>>
>>>>> I can't understand if they are scammers or just really
>>>>> naive, Instead of making an OpenPower or ARM laptop and
>>>>> having it be 100% libre from the start they instead do the
>>>>> dishonest "you'll go to disneyworld one day poor johnny" - If
>>>>> google can't convince intel to open up FSP/ME then nobody can
>>>>> - coreboot with FSP is just shimboot (black box FSP - 95% of
>>>>> the bios work)
>>>>>
>>>>> It bothers me quite a lot that they are on the list of
>>>>> approved vendors when they are a dishonest company.
>>>> Whoa. Ok, hold on a sec. I did not buy a Purism computer,
>>>> though not for those reasons - putting a 28W TDP proc in a
>>>> 15inch "workstation" is absurd to me. as is their lack of a
>>>> screen configuration. I hear your anger at the gap between what
>>>> they promise and what they deliver; I'm more displeased on the
>>>> hardware side of things (though I do like HW kill switches.
>>>> I've looked into what they promise and understand very well
>>>> that they don't actually have a very free computer at all,
>>>> especially on the bios/firmware side.
>>>>
>>>> What I actually ordered (and have now cancelled), was a Dell
>>>> XPS 15". There is no vPro option in the configure menu, though
>>>> it does support VT-d and SLAT. I've read all of Joanna's
>>>> papers, and understand the concerns about Intel ME very well.
>>>> However, on the Dell order, it claimed "ME Disabled." Perhaps
>>>> they simply meant that vPro/AMT/TXT was disabled, and that was
>>>> mine and Dell's fault for wishful thinking and false naming,
>>>> respectively. Please see linked photo: https://d.pr/Q0YZ
>>>>
>>> Moral considerations aside, why not buy that Dell and pair it
>>> with a portable router/firewall like this
>>> (https://www.compulab.co.il/utilite-computer/web/products)?
>>> Shouldn't that effectively block out any ME-related mischief or
>>> do I have a fundamental misunderstanding? It doesn't seem
>>> possible otherwise to get the type of processing power you're
>>> looking for in a laptop form-factor.
>> Also, the concern for me is not ME shenanigans. I'm more concerned
>> about having TXT for AEM and measured boot, and the consumer Dell
>> model does not have that (the processor and chipset don't support
>> it). The other option aside from the Precision 5510, would be a
>> ThinkPad T460 or T460p, but the downside there is performance (only
>> SATA-3 SSD), and also the screen quality is terrible.
>> 
>> Much as I dislike proprietary anything, I might take a second look
>> at the new MacBook Pros, and run things that need higher security
>> in a VM or in Whonix.
> 
> Why would you buy a macbook? You realize those have regular intel processors 
> and ME too right?
> 
> Lenovo is owned by the chinese, and dell business laptop (their consumer line 
> is garbage) is a way better choice than either.
> 
> It seems you do have (as you said) a fundamental misunderstanding of how 
> security actually works, and how a router/firewall operates. - thus I don't 
> think that anyone would be targeting you specifically with a ME exploit.

(top-posting fixed)

Despite my "fundamental misunderstanding of how security actually works", I am 
able to read a thread and keep track of who said what - a skill you seemed to 
have misplaced in all your wizardry. Also, on your crusade to dismantle Intel 
and Google, it might behoove you to take a slightly less aggressive tack with 
people who generally share your beliefs cause it seems you're significantly 
outnumbered as it is.

Now if you'd like to respond without the obligatory disdain and actually 
explain something, my question was: "Is Intel ME/AMT able to bypass firewalls 
that haven't been specifically configured to support those services?" This 
entry: 
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Communication 
leads me to think that ME TCP/IP traffic isn't automatically passed-through, 
but like *I* said, I may have a fundamental misunderstanding of that.


Re: [qubes-users] Re: Intel TXT advice

2016-11-14 Thread Eric
On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote:
> Eric:
> > On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, tai...@gmx.com
> > wrote:
> >> Forgot to say: Purism is just an overpriced quanta/oem whitebox
> >> laptop, it takes 5mil+ of startup funds to do a small run of *just
> >> a motherboard* let alone an entire laptop computer including the
> >> fab for a fancy aluminum case - it is quite obvious that their
> >> components are not "hand selected" and that they just called up
> >> some chinese OEM and asked them what they had kicking around.
> >> 
> >> I can't understand if they are scammers or just really naive,
> >> Instead of making an OpenPower or ARM laptop and having it be 100%
> >> libre from the start they instead do the dishonest "you'll go to
> >> disneyworld one day poor johnny" - If google can't convince intel
> >> to open up FSP/ME then nobody can - coreboot with FSP is just
> >> shimboot (black box FSP - 95% of the bios work)
> >> 
> >> It bothers me quite a lot that they are on the list of approved
> >> vendors when they are a dishonest company.
> > 
> > Whoa. Ok, hold on a sec. I did not buy a Purism computer, though not
> > for those reasons - putting a 28W TDP proc in a 15inch "workstation"
> > is absurd to me. as is their lack of a screen configuration. I hear
> > your anger at the gap between what they promise and what they
> > deliver; I'm more displeased on the hardware side of things (though I
> > do like HW kill switches. I've looked into what they promise and
> > understand very well that they don't actually have a very free
> > computer at all, especially on the bios/firmware side.
> > 
> > What I actually ordered (and have now cancelled), was a Dell XPS 15".
> > There is no vPro option in the configure menu, though it does support
> > VT-d and SLAT. I've read all of Joanna's papers, and understand the
> > concerns about Intel ME very well. However, on the Dell order, it
> > claimed "ME Disabled." Perhaps they simply meant that vPro/AMT/TXT
> > was disabled, and that was mine and Dell's fault for wishful thinking
> > and false naming, respectively. Please see linked photo:
> > https://d.pr/Q0YZ
> > 
> 
> Moral considerations aside, why not buy that Dell and pair it with a portable 
> router/firewall like this 
> (https://www.compulab.co.il/utilite-computer/web/products)? Shouldn't that 
> effectively block out any ME-related mischief or do I have a fundamental 
> misunderstanding? It doesn't seem possible otherwise to get the type of 
> processing power you're looking for in a laptop form-factor.

Also, the concern for me is not ME shenanigans. I'm more concerned about having 
TXT for AEM and measured boot, and the consumer Dell model does not have that 
(the processor and chipset don't support it). The other option aside from the 
Precision 5510, would be a ThinkPad T460 or T460p, but the downside there is 
performance (only SATA-3 SSD), and also the screen quality is terrible.

Much as I dislike proprietary anything, I might take a second look at the new 
MacBook Pros, and run things that need higher security in a VM or in Whonix. 



Re: [qubes-users] Re: Intel TXT advice

2016-11-14 Thread Eric
On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote:
> Eric:
> > On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, tai...@gmx.com
> > wrote:
> >> Forgot to say: Purism is just an overpriced quanta/oem whitebox
> >> laptop, it takes 5mil+ of startup funds to do a small run of *just
> >> a motherboard* let alone an entire laptop computer including the
> >> fab for a fancy aluminum case - it is quite obvious that their
> >> components are not "hand selected" and that they just called up
> >> some chinese OEM and asked them what they had kicking around.
> >> 
> >> I can't understand if they are scammers or just really naive,
> >> Instead of making an OpenPower or ARM laptop and having it be 100%
> >> libre from the start they instead do the dishonest "you'll go to
> >> disneyworld one day poor johnny" - If google can't convince intel
> >> to open up FSP/ME then nobody can - coreboot with FSP is just
> >> shimboot (black box FSP - 95% of the bios work)
> >> 
> >> It bothers me quite a lot that they are on the list of approved
> >> vendors when they are a dishonest company.
> > 
> > Whoa. Ok, hold on a sec. I did not buy a Purism computer, though not
> > for those reasons - putting a 28W TDP proc in a 15inch "workstation"
> > is absurd to me. as is their lack of a screen configuration. I hear
> > your anger at the gap between what they promise and what they
> > deliver; I'm more displeased on the hardware side of things (though I
> > do like HW kill switches. I've looked into what they promise and
> > understand very well that they don't actually have a very free
> > computer at all, especially on the bios/firmware side.
> > 
> > What I actually ordered (and have now cancelled), was a Dell XPS 15".
> > There is no vPro option in the configure menu, though it does support
> > VT-d and SLAT. I've read all of Joanna's papers, and understand the
> > concerns about Intel ME very well. However, on the Dell order, it
> > claimed "ME Disabled." Perhaps they simply meant that vPro/AMT/TXT
> > was disabled, and that was mine and Dell's fault for wishful thinking
> > and false naming, respectively. Please see linked photo:
> > https://d.pr/Q0YZ
> > 
> 
> Moral considerations aside, why not buy that Dell and pair it with a portable 
> router/firewall like this 
> (https://www.compulab.co.il/utilite-computer/web/products)? Shouldn't that 
> effectively block out any ME-related mischief or do I have a fundamental 
> misunderstanding? It doesn't seem possible otherwise to get the type of 
> processing power you're looking for in a laptop form-factor.

Well, the Dell XPS was enough processing power for me. The Business version, 
the Precision 5510, not only has vPro and TXT, but also supports ECC memory 
(Xeon E5). Adds another layer of protection (against Rowhammer attacks that can 
compromise even Qubes), but a) nobody actually makes DDR4-ECC-SODIMM memory 
that I can find, and b) it's basically another thousand bucks. I also happen to 
hate 16:9 displays, but I would compromise on that for Qubes' sake. 

As far as blob-free hardware goes, I unfortunately have to live and work in the 
world, and therefore need 1) performance and x86-64 architecture, and 2) to not 
have my computer be a part time job.

Guess I'll keep looking. And saving.



Re: [qubes-users] Re: Intel TXT advice

2016-11-14 Thread entr0py
Eric:
> On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, tai...@gmx.com
> wrote:
>> Forgot to say: Purism is just an overpriced quanta/oem whitebox
>> laptop, it takes 5mil+ of startup funds to do a small run of *just
>> a motherboard* let alone an entire laptop computer including the
>> fab for a fancy aluminum case - it is quite obvious that their
>> components are not "hand selected" and that they just called up
>> some chinese OEM and asked them what they had kicking around.
>> 
>> I can't understand if they are scammers or just really naive,
>> Instead of making an OpenPower or ARM laptop and having it be 100%
>> libre from the start they instead do the dishonest "you'll go to
>> disneyworld one day poor johnny" - If google can't convince intel
>> to open up FSP/ME then nobody can - coreboot with FSP is just
>> shimboot (black box FSP - 95% of the bios work)
>> 
>> It bothers me quite a lot that they are on the list of approved
>> vendors when they are a dishonest company.
> 
> Whoa. Ok, hold on a sec. I did not buy a Purism computer, though not
> for those reasons - putting a 28W TDP proc in a 15inch "workstation"
> is absurd to me. as is their lack of a screen configuration. I hear
> your anger at the gap between what they promise and what they
> deliver; I'm more displeased on the hardware side of things (though I
> do like HW kill switches. I've looked into what they promise and
> understand very well that they don't actually have a very free
> computer at all, especially on the bios/firmware side.
> 
> What I actually ordered (and have now cancelled), was a Dell XPS 15".
> There is no vPro option in the configure menu, though it does support
> VT-d and SLAT. I've read all of Joanna's papers, and understand the
> concerns about Intel ME very well. However, on the Dell order, it
> claimed "ME Disabled." Perhaps they simply meant that vPro/AMT/TXT
> was disabled, and that was mine and Dell's fault for wishful thinking
> and false naming, respectively. Please see linked photo:
> https://d.pr/Q0YZ
> 

Moral considerations aside, why not buy that Dell and pair it with a portable 
router/firewall like this 
(https://www.compulab.co.il/utilite-computer/web/products)? Shouldn't that 
effectively block out any ME-related mischief or do I have a fundamental 
misunderstanding? It doesn't seem possible otherwise to get the type of 
processing power you're looking for in a laptop form-factor.



Re: [qubes-users] Re: Intel TXT advice

2016-11-13 Thread Eric
On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, tai...@gmx.com wrote:
> Forgot to say:
> Purism is just an overpriced quanta/oem whitebox laptop, it takes 5mil+ 
> of startup funds to do a small run of *just a motherboard* let alone an 
> entire laptop computer including the fab for a fancy aluminum case - it 
> is quite obvious that their components are not "hand selected" and that 
> they just called up some chinese OEM and asked them what they had 
> kicking around.
> 
> I can't understand if they are scammers or just really naive, Instead of 
> making an OpenPower or ARM laptop and having it be 100% libre from the 
> start they instead do the dishonest "you'll go to disneyworld one day 
> poor johnny" - If google can't convince intel to open up FSP/ME then 
> nobody can - coreboot with FSP is just shimboot (black box FSP - 95% of 
> the bios work)
> 
> It bothers me quite a lot that they are on the list of approved vendors 
> when they are a dishonest company.

Whoa. Ok, hold on a sec. I did not buy a Purism computer, though not for those 
reasons - putting a 28W TDP proc in a 15inch "workstation" is absurd to me, as 
is their lack of a screen configuration. I hear your anger at the gap between 
what they promise and what they deliver; I'm more displeased on the hardware 
side of things (though I do like HW kill switches). I've looked into what they 
promise and understand very well that they don't actually have a very free 
computer at all, especially on the bios/firmware side.

What I actually ordered (and have now cancelled), was a Dell XPS 15". There is 
no vPro option in the configure menu, though it does support VT-d and SLAT. 
I've read all of Joanna's papers, and understand the concerns about Intel ME 
very well. However, on the Dell order, it claimed "ME Disabled." Perhaps they 
simply meant that vPro/AMT/TXT was disabled, and that was mine and Dell's fault 
for wishful thinking and false naming, respectively. Please see linked photo: 
https://d.pr/Q0YZ



Re: [qubes-users] Re: Intel TXT advice

2016-11-13 Thread taii...@gmx.com

Forgot to say:
Purism is just an overpriced Quanta/OEM whitebox laptop, it takes 5mil+ 
of startup funds to do a small run of *just a motherboard* let alone an 
entire laptop computer including the fab for a fancy aluminum case - it 
is quite obvious that their components are not "hand selected" and that 
they just called up some Chinese OEM and asked them what they had 
kicking around.

I can't understand if they are scammers or just really naive. Instead of 
making an OpenPower or ARM laptop and having it be 100% libre from the 
start they instead do the dishonest "you'll go to disneyworld one day 
poor johnny" - If Google can't convince Intel to open up FSP/ME then 
nobody can - coreboot with FSP is just shimboot (black box FSP - 95% of 
the BIOS work)

It bothers me quite a lot that they are on the list of approved vendors 
when they are a dishonest company.




Re: [qubes-users] Re: Intel TXT advice

2016-11-13 Thread taii...@gmx.com
I am assuming you were one of those people who bought a computer from 
those Purism scammers.

https://blogs.coreboot.org/blog/2015/02/23/the-truth-about-purism-why-librem-is-not-the-same-as-libre/

It is impossible to disable (i.e., like it was never there, 100% gone) ME 
on any Intel system post 775/771 era, anyone who tells you different is 
lying.

vPro is a marketing term for various ME remote management features that 
are activated with a vPro license, all Intel systems 2006+ have ME.


On 11/13/2016 08:36 PM, Eric wrote:

> On Sunday, November 13, 2016 at 5:01:59 PM UTC-8, entr0py wrote:
>> Eric:
>>> Just bought a laptop with a Skylake processor for running Qubes, and from 
>>> looking around on Intel's website it appears that no Skylake Core-branded 
>>> processors support Intel TXT. Any point in running Anti-Evil-Maid at this 
>>> point? Can I use a YubiKey to store hashes of the xen/initramfs and use that 
>>> for AEM? (probably not, since it's a USB device?)
>>
>> I was just looking around for information on AMT/ME a minute ago. It appears 
>> that some Skylake Core i5/i7's do support TXT. (On their website, TXT might 
>> fall under the umbrella of vPro.)
>>
>> https://en.wikipedia.org/wiki/List_of_Intel_Core_i5_microprocessors#Skylake_microarchitecture_.286th_generation.29_2
>> https://en.wikipedia.org/wiki/List_of_Intel_Core_i7_microprocessors#Skylake_microarchitecture_.286th_generation.29_2
>
> Yes, I misspoke. It appears that the processor/chipset on the computer I 
> purchased does not have/support vPro or TXT (though Intel ME is apparently 
> disabled, which is a win, I guess?). So hard to find something that checks all 
> the boxes for me. My threat model currently doesn't include Evil Maids, so I'm 
> probably ok. Shame, though. Hopefully it doesn't close the door on Qubes 4 
> compatibility. (It does have SLAT and VT-(d/x).





Re: [qubes-users] Re: Intel TXT advice

2016-11-13 Thread Jean-Philippe Ouellet
On Sun, Nov 13, 2016 at 8:36 PM, Eric wrote:
> though Intel ME is apparently disabled, which is a win, I guess?

You can not "disable" ME. See page 37 of
https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf



Re: [qubes-users] Re: Intel TXT advice

2016-11-13 Thread Chris Laprise

On 11/13/2016 08:36 PM, Eric wrote:

> On Sunday, November 13, 2016 at 5:01:59 PM UTC-8, entr0py wrote:
>> Eric:
>>> Just bought a laptop with a Skylake processor for running Qubes, and from 
>>> looking around on Intel's website it appears that no Skylake Core-branded 
>>> processors support Intel TXT. Any point in running Anti-Evil-Maid at this 
>>> point? Can I use a YubiKey to store hashes of the xen/initramfs and use that 
>>> for AEM? (probably not, since it's a USB device?)
>>
>> I was just looking around for information on AMT/ME a minute ago. It appears 
>> that some Skylake Core i5/i7's do support TXT. (On their website, TXT might 
>> fall under the umbrella of vPro.)
>>
>> https://en.wikipedia.org/wiki/List_of_Intel_Core_i5_microprocessors#Skylake_microarchitecture_.286th_generation.29_2
>> https://en.wikipedia.org/wiki/List_of_Intel_Core_i7_microprocessors#Skylake_microarchitecture_.286th_generation.29_2
>
> Yes, I misspoke. It appears that the processor/chipset on the computer I 
> purchased does not have/support vPro or TXT (though Intel ME is apparently 
> disabled, which is a win, I guess?). So hard to find something that checks all 
> the boxes for me. My threat model currently doesn't include Evil Maids, so I'm 
> probably ok. Shame, though. Hopefully it doesn't close the door on Qubes 4 
> compatibility. (It does have SLAT and VT-(d/x).


I hate to point this out now, but AEM is kind of a misnomer. It can 
alert you to tampering from *either* physical or remote attacks. So 
anyone who wants to guard against a remote exploit that can also priv 
escalate against Xen--and from there possibly infect firmware or boot 
device--would benefit from using AEM.


When I last shopped around, I was under the impression that TXT was tied 
to AMT/ME/vPro as a package.


Chris



Re: [qubes-users] Re: Intel TXT advice

2016-11-13 Thread Eric
On Sunday, November 13, 2016 at 5:01:59 PM UTC-8, entr0py wrote:
> Eric:
> > Just bought a laptop with a Skylake processor for running Qubes, and from 
> > looking around on Intel's website it appears that no Skylake Core-branded 
> > processors support Intel TXT. Any point in running Anti-Evil-Maid at this 
> > point? Can I use a YubiKey to store hashes of the xen/initramfs and use 
> > that for AEM? (probably not, since it's a USB device?)
> > 
> 
> I was just looking around for information on AMT/ME a minute ago. It appears 
> that some Skylake Core i5/i7's do support TXT. (On their website, TXT might 
> fall under the umbrella of vPro.)
> 
> https://en.wikipedia.org/wiki/List_of_Intel_Core_i5_microprocessors#Skylake_microarchitecture_.286th_generation.29_2
> https://en.wikipedia.org/wiki/List_of_Intel_Core_i7_microprocessors#Skylake_microarchitecture_.286th_generation.29_2

Yes, I misspoke. It appears that the processor/chipset on the computer I 
purchased does not have/support vPro or TXT (though Intel ME is apparently 
disabled, which is a win, I guess?). So hard to find something that checks all 
the boxes for me. My threat model currently doesn't include Evil Maids, so I'm 
probably ok. Shame, though. Hopefully it doesn't close the door on Qubes 4 
compatibility. (It does have SLAT and VT-(d/x).)



Re: [qubes-users] Re: Intel TXT advice

2016-11-13 Thread entr0py
Eric:
> On Tuesday, February 23, 2016 at 1:54:30 AM UTC-8, Marek Marczykowski-Górecki 
> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> On Tue, Feb 23, 2016 at 04:11:55AM +, Rusty Bird wrote:
>>> marmarek:
>>>> On Mon, Feb 22, 2016 at 08:52:43PM +, Rusty Bird wrote:
>>>>> Though even now it should be possible to use AEM without TXT?
>>>>> Just don't install the SINIT blob, in which case *only* the LUKS 
>>>>> header(s) would be protected by the TPM.
>>>>
>>>> But not having xen/kernel/initrd measured means AEM is pretty 
>>>> useless. The whole purpose is to verify the thing that prompt you
>>>> for LUKS passphrase. Without such measurement you'll have no way
>>>> to really know if those binaries were even loaded from your USB
>>>> stick (and not from some additional one plugged in by the attacker,
>>>> for example).
>>>
>>> If the order is fixed, i.e. USB before SATA, and you don't see another
>>> USB drive sticking into the notebook you left at home, then the part in
>>> parentheses wouldn't apply?
>>
>> It is easy enough to hide USB device inside the USB socket itself (those
>> devices are small these days). Or inside your notebook (for example
>> instead of bluetooth card, which is also USB device in most cases).
>>
>> Some more sophisticated attack would be installing some "USB proxy" in
>> USB socket. Which would hijack only initramfs reads. You'll not see
>> any additional USB device in the system in that case.
>>
>>>> Such replaced initrd script can present still unmodified LUKS
>>>> header to TPM, unseal the secret, show it to you, then record LUKS 
>>>> passphrase.
>>>
>>> But Xen/kernel/initrd are on the AEM stick you take with you, so the
>>> attacker would have to modify the BIOS. In which case TXT wouldn't help
>>> much, because a BIOS rootkit can effectively hide itself from TXT if I
>>> understand Joanna right.
>>
>> But attack hidden from TXT is much more complex than attack simply
>> changing boot order. It all depends on your threat model.
>>
>>>>> If a per-boot BIOS password has been set, maybe this kind of
>>>>> setup is even sort of reasonable?
>>>>
>>>> You are joking, aren't you?
>>>
>>> Not really. If these assumptions are correct:
>>>
>>> 1. a BIOS rootkit can hide itself from TXT;
>>> 2. an attacker who can boot their own medium can, more and more
>>>    probably, also persist such a rootkit in the BIOS;
>>> 3. there are no BIOS master password lists anymore (are there?),
>>>    or other easy password prompt bypasses (are option ROMs loaded
>>>    early enough from ExpressCards?);
>>
>> I wouldn't rely on BIOS password protection. It failed so many times
>> in the history, so I can't assume that magically now BIOS vendors
>> learned how to do it properly.
>>
>>> then it seems to me that a per-boot BIOS password without TXT could work
>>> out better than the converse, TXT without a PBBP. Not to say that both
>>> together aren't best though!
>>>
>>> AEM protecting the LUKS header would still be (barely) worthwhile
>>> without TXT, if it's easier / faster / less conspicuous for the attacker
>>> to take out the HDD and rewrite a few blocks than to infect the BIOS.
>>>
>>> (BTW Marek, regarding VM random seeds: Have you considered somehow
>>> harnessing whatever it is that Thunderbird+Enigmail use to place line
>>> breaks in my mails after I hit send)
> 
> Just bought a laptop with a Skylake processor for running Qubes, and from 
> looking around on Intel's website it appears that no Skylake Core-branded 
> processors support Intel TXT. Any point in running Anti-Evil-Maid at this 
> point? Can I use a YubiKey to store hashes of the xen/initramfs and use that 
> for AEM? (probably not, since it's a USB device?)
> 

I was just looking around for information on AMT/ME a minute ago. It appears 
that some Skylake Core i5/i7's do support TXT. (On their website, TXT might 
fall under the umbrella of vPro.)

https://en.wikipedia.org/wiki/List_of_Intel_Core_i5_microprocessors#Skylake_microarchitecture_.286th_generation.29_2
https://en.wikipedia.org/wiki/List_of_Intel_Core_i7_microprocessors#Skylake_microarchitecture_.286th_generation.29_2





Re: [qubes-users] Re: Intel TXT advice

2016-11-13 Thread Eric
On Tuesday, February 23, 2016 at 1:54:30 AM UTC-8, Marek Marczykowski-Górecki 
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> On Tue, Feb 23, 2016 at 04:11:55AM +, Rusty Bird wrote:
> > marmarek:
> > > On Mon, Feb 22, 2016 at 08:52:43PM +, Rusty Bird wrote:
> > >> Though even now it should be possible to use AEM without TXT?
> > >> Just don't install the SINIT blob, in which case *only* the LUKS 
> > >> header(s) would be protected by the TPM.
> > > 
> > > But not having xen/kernel/initrd measured means AEM is pretty 
> > > useless. The whole purpose is to verify the thing that prompt you
> > > for LUKS passphrase. Without such measurement you'll have no way
> > > to really know if those binaries were even loaded from your USB
> > > stick (and not from some additional one plugged in by the attacker,
> > > for example).
> > 
> > If the order is fixed, i.e. USB before SATA, and you don't see another
> > USB drive sticking into the notebook you left at home, then the part in
> > parentheses wouldn't apply?
> 
> It is easy enough to hide USB device inside the USB socket itself (those
> devices are small these days). Or inside your notebook (for example
> instead of bluetooth card, which is also USB device in most cases).
> 
> Some more sophisticated attack would be installing some "USB proxy" in
> USB socket. Which would hijack only initramfs reads. You'll not see
> any additional USB device in the system in that case.
> 
> > > Such replaced initrd script can present still unmodified LUKS
> > > header to TPM, unseal the secret, show it to you, then record LUKS 
> > > passphrase.
> > 
> > But Xen/kernel/initrd are on the AEM stick you take with you, so the
> > attacker would have to modify the BIOS. In which case TXT wouldn't help
> > much, because a BIOS rootkit can effectively hide itself from TXT if I
> > understand Joanna right.
> 
> But attack hidden from TXT is much more complex than attack simply
> changing boot order. It all depends on your threat model.
> 
> > >> If a per-boot BIOS password has been set, maybe this kind of
> > >> setup is even sort of reasonable?
> > > 
> > > You are joking, aren't you?
> > 
> > Not really. If these assumptions are correct:
> > 
> > 1. a BIOS rootkit can hide itself from TXT;
> > 2. an attacker who can boot their own medium can, more and more
> >    probably, also persist such a rootkit in the BIOS;
> > 3. there are no BIOS master password lists anymore (are there?),
> >    or other easy password prompt bypasses (are option ROMs loaded
> >    early enough from ExpressCards?);
> 
> I wouldn't rely on BIOS password protection. It failed so many times
> in the history, so I can't assume that magically now BIOS vendors
> learned how to do it properly.
> 
> > then it seems to me that a per-boot BIOS password without TXT could work
> > out better than the converse, TXT without a PBBP. Not to say that both
> > together aren't best though!
> > 
> > AEM protecting the LUKS header would still be (barely) worthwhile
> > without TXT, if it's easier / faster / less conspicuous for the attacker
> > to take out the HDD and rewrite a few blocks than to infect the BIOS.
> > 
> > (BTW Marek, regarding VM random seeds: Have you considered somehow
> > harnessing whatever it is that Thunderbird+Enigmail use to place line
> > breaks in my mails after I hit send)

Just bought a laptop with a Skylake processor for running Qubes, and from 
looking around on Intel's website it appears that no Skylake Core-branded 
processors support Intel TXT. Any point in running Anti-Evil-Maid at this 
point? Can I use a YubiKey to store hashes of the xen/initramfs and use that 
for AEM? (probably not, since it's a USB device?)

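
The point argued in the quoted exchange above (a TPM-sealed secret proves little unless xen/kernel/initrd are measured as well as the LUKS header), as an added example that is not part of the original thread: a toy Python model of PCR extend and seal/unseal. The ToyTPM class, the PCR indices and the byte strings are constructed for illustration and are not AEM's code or a real TPM interface.

```python
import hashlib
import hmac

PCR_LUKS = 13   # illustrative index for the LUKS header measurement
PCR_BOOT = 17   # illustrative index for the xen/kernel/initrd measurement

# Constructed stand-ins for the real boot files and LUKS header.
GOOD_FILES = {"xen": b"xen-good", "kernel": b"kernel-good", "initrd": b"initrd-good"}
GOOD_HEADER = b"luks-header-good"


class ToyTPM:
    """Toy model of PCR extend and seal/unseal (not a real TPM API)."""

    def __init__(self):
        self.pcrs = {}

    def reset(self):
        # A reboot clears the PCRs; sealed blobs are stored outside the TPM.
        self.pcrs = {}

    def extend(self, index, data):
        # new = SHA1(old || SHA1(data)): one-way and order-dependent.
        old = self.pcrs.get(index, b"\x00" * 20)
        self.pcrs[index] = hashlib.sha1(old + hashlib.sha1(data).digest()).digest()

    def _composite(self, indices):
        h = hashlib.sha1()
        for i in sorted(indices):
            h.update(self.pcrs.get(i, b"\x00" * 20))
        return h.digest()

    def seal(self, secret, indices):
        # A real TPM encrypts the secret; the model only records the PCR policy.
        return {"indices": tuple(indices), "policy": self._composite(indices),
                "secret": secret}

    def unseal(self, blob):
        current = self._composite(blob["indices"])
        return blob["secret"] if hmac.compare_digest(current, blob["policy"]) else None


def boot(tpm, header, files, measured_launch):
    """One boot: boot files are measured only when a measured launch (TXT) runs."""
    tpm.reset()
    if measured_launch:
        for name in ("xen", "kernel", "initrd"):
            tpm.extend(PCR_BOOT, files[name])
    # The header hash is extended either way, by whatever initrd is running.
    tpm.extend(PCR_LUKS, header)


def secret_shown(measured_launch, initrd_replaced=False, header_replaced=False):
    """Seal on a known-good boot, then report whether a later boot can unseal."""
    tpm = ToyTPM()
    indices = [PCR_LUKS, PCR_BOOT] if measured_launch else [PCR_LUKS]
    boot(tpm, GOOD_HEADER, GOOD_FILES, measured_launch)
    blob = tpm.seal(b"my secret phrase", indices)

    files = dict(GOOD_FILES)
    if initrd_replaced:
        files["initrd"] = b"initrd-other"
    header = b"luks-header-other" if header_replaced else GOOD_HEADER
    boot(tpm, header, files, measured_launch)
    return tpm.unseal(blob) is not None


if __name__ == "__main__":
    for measured in (False, True):
        for replaced in (False, True):
            print(f"measured_launch={measured} initrd_replaced={replaced} "
                  f"secret_shown={secret_shown(measured, replaced)}")
```

With only the LUKS header in the sealing policy, the secret is still released after the initrd changes; adding the boot-file PCR to the policy makes that boot fail to unseal.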