Re: [qubes-users] Coreboot: Security for external monitor
Aug 14, 2022, 7:46 PM by 169...@gmail.com:

> Hello friends,
>
> Laptop w520 thinkpad corebooted.
>
> I would like to be able to use an external monitor connected by the
> displayport.
>
> This coreboot tutorial
> https://www.coreboot.org/Board:lenovo/w520
> suggests to run the following command:
>
> sudo ./util/nvramtool/nvramtool -w hybrid_graphics_mode="Dual Graphics"
>
> I tried it in dom0, but nvramtool is not installed, so this starts alarming.
> Looking for a way to install it found the following for Fedora:
>

You can get it from your coreboot build:

$ cd coreboot/util/nvramtool
$ make

then copy the resulting binary to dom0 in the usual way.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/N9iEJNt--3-2%40tutanota.com.
[qubes-users] Coreboot: Security for external monitor
Hello friends,

Laptop w520 thinkpad corebooted.

I would like to be able to use an external monitor connected by the displayport.

This coreboot tutorial
https://www.coreboot.org/Board:lenovo/w520
suggests to run the following command:

sudo ./util/nvramtool/nvramtool -w hybrid_graphics_mode="Dual Graphics"

I tried it in dom0, but nvramtool is not installed, so this starts alarming. Looking for a way to install it found the following for Fedora:

sudo dnf copr enable starlabs/coreboot-configurator
sudo dnf install coreboot-configurator nvramtool

https://support.starlabs.systems/kb/guides/coreboot-configurator
https://starlabs.systems/

But here I doubt if it is worth going forward.

First I do not know this Starlabs contributor. Do you know if they can be trusted?

Second, even admitting to trust them how may I translate this "copr enable" into Qubes parlance, such as something like:

sudo qubes-dom0-update copr enable starlabs/coreboot-configurator

Best
Franz
Re: [qubes-users] Coreboot?
Hello,

wrote on Tue, 6 Aug 2019, 00:42:

> So like installing coreboot should eliminate any malware installed at
> firmware levels, right?

I would not use the very strong claim "any", because I can't back up this claim through knowledge (I am not a security specialist). But using coreboot will offer the best approach protecting against firmware malware/attacks. There are not many reasons why you should not consider running coreboot, and if you buy most new hardware you are to install coreboot.

Therefore I would say that coreboot will improve the "reasonable" security ;-)

- O
Re: [qubes-users] Coreboot?
So like installing coreboot should eliminate any malware installed at firmware levels, right?
Re: [qubes-users] Coreboot?
Thanks a lot for the reply. So if the previous owner’s dom0/laptop was infected, it wouldn’t have any effect on me if I change the SSD and install coreboot, am I understanding right? I apologise for my ignorance on this topic, I’m learning only now.
Re: [qubes-users] Coreboot?
ljul8...@gmail.com:

> I was told that buying a used laptop represents an extra risk since the
> previous owner could have used the laptop with Qubes and got dom0 infected.

There's some terminology mixed up here. Qubes' dom0 is part of the operating system, not the hardware. A Qubes dom0 infection, although unlikely, is no different than a Windows or Linux infection, and can be cleaned by formatting the drive. What you are concerned about is a firmware infection, which is less likely to happen compared to other OS's if someone was already running Qubes. Again, out of the hundreds of thousands of malwares out there, I've only heard of a couple that install themselves at the firmware level so the chances of you finding a used laptop with one are minimal. You need to weigh this against the possibility that new laptops could also be infected. Some say all new x86 laptops are backdoored, for example.

> After a little bit of research, I was told that installing coreboot would
> eliminate/delete any malware that, in a hypothetical case, took control of
> dom0 when the previous owner used the laptop for Qubes but I’m not too sure
> if this is true, do you guys think it’s true?

Yes, I believe flashing Coreboot would eliminate known system firmware malwares. See 799's reply, he beat me to it! You might also check out https://insurgo.ca/ if you're not comfortable flashing yourself.
Re: [qubes-users] Coreboot?
Hello,

On Mon, 5 Aug 2019 at 22:58, wrote:

> I was told that buying a used laptop represents an extra risk since the
> previous owner could have used the laptop with Qubes and got dom0 infected.
> After a little bit of research, I was told that installing coreboot would
> eliminate/delete any malware that, in a hypothetical case, took control of
> dom0 when the previous owner used the laptop for Qubes but I’m not too sure
> if this is true, do you guys think it’s true?

I would always replace the storage media in a used laptop to get a fresh SSD, as this is where your data is stored and you don't want to mess around with a used SSD or HDDs. And with today's low prices for SSDs it's even more fun to do so.

If dom0 was "infected" you would not be affected if you use another ssd, you could of course also reinstall Qubes on the used device, but as mentioned above .. no reason to do so.

If the previous user has an infected or manipulated BIOS you can indeed reflash with coreboot, in fact I would always suggest to run coreboot if your laptop is able to do so - I would even recommend to buy only devices which support coreboot (for example Lenovo X230 / T430 / W530 ...).

Keep in mind that an attacker could always place a tiny spy device inside a used laptop which can then be used to sniff your keyboard entries etc. But as this is an attack which is more likely used if you are a high priority target, I think that this scenario is quite unlikely.

Therefore: Buy a used Lenovo X/T/W x30, install coreboot and become a happy Qubes user.

If you need more information how to install coreboot, take a look here, where I tried to document a whole run through for a X230:
https://github.com/one7two99/my-qubes/blob/master/docs/coreboot/howto-coreboot_copy.md

- O
[qubes-users] Coreboot?
I was told that buying a used laptop represents an extra risk since the previous owner could have used the laptop with Qubes and got dom0 infected. After a little bit of research, I was told that installing coreboot would eliminate/delete any malware that, in a hypothetical case, took control of dom0 when the previous owner used the laptop for Qubes but I’m not too sure if this is true, do you guys think it’s true?
Re: [qubes-users] coreboot on modern hardware?
System seventysuck, pur.idiots etc are LYING about having "open source firmware" System seventysuck also lies about having "made in usa" hardware literally all they did was make a metal case here and somehow a metal box equals a computer in their world. Their "coreboot" is nothing more than a wrapper layer for Intel FSP binary blobs, it doesn't init any hardware and just like their "made in usa" claims is entirely bullshit. New AMD hardware has PSP which is their version of ME and just as terrible. New x86 hardware will NEVER be free since intel/amd not only refuse to provide documentation and sources but also lock down their systems more and more with ME, boot "guard", "secure" boot etc. If you want owner controlled open source firmware hardware buy an OpenPOWER system from RaptorCS like the Blackbird or TALOS 2 both of which provide better performance and features than enterprise x86 systems you would get for the same price. Someday there will even be AAA games on POWER just like people said that there would never be DRM free AAA linux games and now there are many, as of now there are a few meh open source 3D games and the unreal tech demo but gaming is the only thing you sacrifice and you can always have an older pre-PSP AMD owner controlled system for that like I do.
Re: [qubes-users] coreboot on modern hardware?
Chris Laprise wrote on 4/6/19 2:08 PM:
> On 3/30/19 3:47 PM, 'awokd' via qubes-users wrote:
>> Chris Laprise wrote on 3/30/19 7:10 PM:
>>> BTW, like some other Qubers I got a G505s with the AMD A10. Still need
>>> to figure out how to flash it.
>>
>> Mike Banon's done some great work here. Check out
>> http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate
>> (pictures are from a G505s) and
>> http://dangerousprototypes.com/docs/Lenovo_G505S_hacking. My thanks to
>> Taiidan too for promoting the platform. Feel free to contact me with any
>> questions, on or off list.
>
> I'm ordering parts from Mike's guide now, but a little confused about
> something: If I order reasonably short wires and the advanced clip, will
> I need to do any soldering? Another thing that isn't clear is how power
> is applied, but I'll cross that bridge when I get to it. I plan to use a
> CH341A flasher.

No soldering needed on these laptops with a clip. FWIW, I got away with 12" wires but I was only flashing at 1 or 2 MHz. Power is supplied from the CH341A through the clip, so pay attention to that warning about 3.3V vs. 5V.
Re: [qubes-users] coreboot on modern hardware?
On 3/30/19 3:47 PM, 'awokd' via qubes-users wrote:
> Chris Laprise wrote on 3/30/19 7:10 PM:
>> I agree. But even so, AMD are better by some noticeable margin. Intel...
>> OMGWTF. With the 'VISA' exploit they're contradicting the researchers,
>> and with 'Foreshadow' they said app programmers should deal with it.
>
> I saw that too WRT Foreshadow: "Just code around it!" That's a swing and
> a miss for a real answer. I'll have to catch up on VISA.
>
>> BTW, like some other Qubers I got a G505s with the AMD A10. Still need
>> to figure out how to flash it.
>
> Mike Banon's done some great work here. Check out
> http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate
> (pictures are from a G505s) and
> http://dangerousprototypes.com/docs/Lenovo_G505S_hacking. My thanks to
> Taiidan too for promoting the platform. Feel free to contact me with any
> questions, on or off list.

I'm ordering parts from Mike's guide now, but a little confused about something: If I order reasonably short wires and the advanced clip, will I need to do any soldering?

Another thing that isn't clear is how power is applied, but I'll cross that bridge when I get to it. I plan to use a CH341A flasher.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] coreboot on modern hardware?
Chris Laprise wrote on 3/30/19 7:10 PM:
> I agree. But even so, AMD are better by some noticeable margin. Intel...
> OMGWTF. With the 'VISA' exploit they're contradicting the researchers,
> and with 'Foreshadow' they said app programmers should deal with it.

I saw that too WRT Foreshadow: "Just code around it!" That's a swing and a miss for a real answer. I'll have to catch up on VISA.

> BTW, like some other Qubers I got a G505s with the AMD A10. Still need
> to figure out how to flash it.

Mike Banon's done some great work here. Check out http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate (pictures are from a G505s) and http://dangerousprototypes.com/docs/Lenovo_G505S_hacking. My thanks to Taiidan too for promoting the platform. Feel free to contact me with any questions, on or off list.
Re: [qubes-users] coreboot on modern hardware?
On 3/30/19 12:25 PM, 'awokd' via qubes-users wrote:
> Chris Laprise wrote on 3/30/19 2:44 AM:
>> On 3/29/19 7:18 PM, jrsmi...@gmail.com wrote:
>>> https://github.com/system76/coreboot
>>>
>>> Clearly they think they can handle modern hardware. Makes me wonder
>>> why the coreboot folks have thrown up [their?] hands and declared
>>> defeat.
>
> If I understand it right, on newer Intel systems Coreboot is limited to
> only calling closed-source, proprietary initialization procedures versus
> older systems where it handles the entire process (less some binary
> blobs).
>
>> Maybe they see something they can no longer stomach. I bought my first
>> AMD system this week.
>
> Welcome to the club! Hope they don't continue following Intel's path
> with closed-source PSP etc.

I agree. But even so, AMD are better by some noticeable margin. Intel... OMGWTF. With the 'VISA' exploit they're contradicting the researchers, and with 'Foreshadow' they said app programmers should deal with it.

BTW, like some other Qubers I got a G505s with the AMD A10. Still need to figure out how to flash it.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] coreboot on modern hardware?
Chris Laprise wrote on 3/30/19 2:44 AM:
> On 3/29/19 7:18 PM, jrsmi...@gmail.com wrote:
>> https://github.com/system76/coreboot
>>
>> Clearly they think they can handle modern hardware. Makes me wonder
>> why the coreboot folks have thrown up [their?] hands and declared
>> defeat.

If I understand it right, on newer Intel systems Coreboot is limited to only calling closed-source, proprietary initialization procedures versus older systems where it handles the entire process (less some binary blobs).

> Maybe they see something they can no longer stomach. I bought my first
> AMD system this week.

Welcome to the club! Hope they don't continue following Intel's path with closed-source PSP etc.
Re: [qubes-users] coreboot on modern hardware?
On 3/29/19 7:18 PM, jrsmi...@gmail.com wrote:
> https://github.com/system76/coreboot
>
> Clearly they think they can handle modern hardware. Makes me wonder why
> the coreboot folks have thrown up Thierry hands and declared defeat.

Maybe they see something they can no longer stomach. I bought my first AMD system this week.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] coreboot on modern hardware?
https://github.com/system76/coreboot

Clearly they think they can handle modern hardware. Makes me wonder why the coreboot folks have thrown up Thierry hands and declared defeat.
Re: [qubes-users] coreboot on modern hardware?
From a recent System76 announcement:

“In firmware news, our engineer Jeremy has made a lot of progress in porting Coreboot to the Darter Pro and multiple versions of Galago Pro. It can now run both BIOS and UEFI implementations. However, certain bugs need to be worked out before we can officially release Coreboot on any of our laptops, such as a bug that causes the computer to open from suspend in airplane mode, or another that prevents the user from activating the webcam via keyboard functions. These and other bugs are being worked out in testing, and many of us across different departments are testing Coreboot on our own computers.”
Re: [qubes-users] coreboot on modern hardware?
On 3/28/19 3:51 PM, Sven Semmler wrote:
> On 3/25/19 4:49 PM, jrsmi...@gmail.com wrote:
>> What does this say about the direction Joanna and Golem are taking?
>
> I am severely confused about that. I'd have thought the direction to go
> is open hardware, more local, more decentralized, more
> compartmentalized, zero trust.

I think the idea is that "zero trust" can come from a crypto-based algorithm and that the hardware will be locally owned like bitcoin. But I don't necessarily agree with this model; it feeds the "monetize every relationship and action" trend along with other problems like pollution. And if the basis is intimately financial, then economies of scale and expertise will weigh heavily on it the way they have with crypto currencies: eventual centralization will be baked-in.

Also there are many examples of zero trust (or accountability) in traditional methods, like counting paper ballots or balancing your checkbook from bank statements; it's not an invention of Computer Science. But we love computers and must now throw billions of transistors at each instance of every little problem; A-Z must receive the silicon blessing.

-

What I love about personal computers is that they're the opposite of "strap some chips onto objects and forget about it". They're never mere "gadgets" but more like a workshop. They do many things and so we focus on one or two units most of the time we worry about how fit and secure our PCs are and we have a dialog with them about it. OTOH, iot and other gadgets rarely even reveal anything like an operating system to us bc we're not supposed to care.

I want operating systems to reveal even more about a computer's internal state - in snazzy, intuitive ways - than they already are. That's why I thought at the beginning that "Invisible Things Lab" was such an awesome moniker while exposing awful things that hide in a computer. Then to boot they provided a solution that manifests itself in the window frames we constantly look at. Definitely not a trendy move but great nonetheless.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] coreboot on modern hardware?
On 3/25/19 4:49 PM, jrsmi...@gmail.com wrote:
> What does this say about the direction Joanna and Golem are
> taking?

I am severely confused about that. I'd have thought the direction to go is open hardware, more local, more decentralized, more compartmentalized, zero trust.

/Sven
Re: [qubes-users] coreboot on modern hardware?
What does this say about the direction Joanna and Golem are taking? Everyone builds clouds on Intel hardware. No getting around that.
Re: [qubes-users] coreboot on modern hardware?
On 3/23/19 3:03 PM, jrsmi...@gmail.com wrote:
> Spent several hours yesterday trying to track down what I would need
> to do to install coreboot on all of my computers, starting with my
> Qubes box: a Lenovo Thinkpad T480.
>
> The bottom line from what I can tell is that if you have an Intel CPU
> made since 2008 (any that have Boot Guard) or an AMD CPU made since
> 2013 (any that have PSP), you are out of luck. Libreboot spells this
> out in their docs. I'm not sure if that is because of coreboot itself
> or something specific to Libreboot. I was struck by how they seemed
> perfectly fine walling themselves off from the present and the future.
>
> I could find nothing indicating that anyone had even tried, much less
> succeeded, in installing coreboot on a T480 and everything I did find
> was for much older hardware.
>
> I read through the coreboot docs where they just wave their hands at
> the end of the build process and say "now go flash". I also read
> through the heads docs, which say more or less the same thing.
>
> Hackaday has an article on the horrors of installing coreboot on a
> Toshiba laptop. Not only do they neglect to say which model they
> used, at the end of the article they had it working.
>
> The gist is that the information that's out there is out of date,
> incomplete, misleading, and sometimes just incompetent.
>
> I'm hoping that someone here has first-hand knowledge and can advise
> me (and others who read this).

It serves as a reminder that the 'Wintel' platform is really closed. Open source projects like Coreboot cannot make progress where information about the hardware is kept secret.

I also think Intel's combination of secrecy and high rate of vulnerabilities is particularly toxic; some of this stuff can't be patched so running a 'secure' OS on Intel chips now looks like a futile exercise. AMD are also closed, but appear to be more conscientious about how they design their CPUs given how they are less vulnerable to side-channel attacks.

FWIW, I think Qubes devs may have seen the handwriting on the wall and now have at least some level of interest in moving to open hardware like the POWER CPUs.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] coreboot on modern hardware?
Hello,

wrote on Mon, 25 Mar 2019, 02:15:

> That was one of the first places I looked. Maybe I’m just a hardhead, but
> I found it difficult to believe that there really was no support for
> coreboot in any form for modern hardware.

The problem seems to be that on modern hardware it is not possible to run unsigned Firmware because of a feature on newer hardware called "boot guard":
https://www.phoronix.com/scan.php?page=news_item&px=Intel-Boot-Guard-Kills-Coreboot

What Intel is saying about this "feature":
https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf

- O
Re: [qubes-users] coreboot on modern hardware?
That was one of the first places I looked. Maybe I’m just a hardhead, but I found it difficult to believe that there really was no support for coreboot in any form for modern hardware.
Re: [qubes-users] coreboot on modern hardware?
Hello,

wrote on Sun, 24 Mar 2019, 10:11:

> On 2019-03-23 19:03, jrsmi...@gmail.com wrote:
> > Spent several hours yesterday trying to track down what I would need
> > to do to install coreboot on all of my computers, starting with my
> > Qubes box: a Lenovo Thinkpad T480.
>
> [...]
>
> I'd suggest visiting https://coreboot.org/status/board-status.html to
> see if your box is compatible with coreboot. From what I can see, the
> T480 is not coreboot friendly.

The provided link is the right place to see, I have also invested some time for the research before flashing my X230 with Coreboot and again when I tried to flash my W540. It seems that everything after the X230/T430/W530 is not corebootable. On the other hand the ?30-Series offers enough performance for most workloads.

Newer hardware will (very likely) not work with Coreboot (if you look into Lenovo) and NOT buying Lenovo and talk about it why you are not buying it, might be the only way to convince companies to change (even when this is very (!) unlikely).

- O
Re: [qubes-users] coreboot on modern hardware?
On 2019-03-23 19:03, jrsmi...@gmail.com wrote:
> Spent several hours yesterday trying to track down what I would need
> to do to install coreboot on all of my computers, starting with my
> Qubes box: a Lenovo Thinkpad T480.
>
> The bottom line from what I can tell is that if you have an Intel CPU
> made since 2008 (any that have Boot Guard) or an AMD CPU made since
> 2013 (any that have PSP), you are out of luck. Libreboot spells this
> out in their docs. I'm not sure if that is because of coreboot itself
> or something specific to Libreboot. I was struck by how they seemed
> perfectly fine walling themselves off from the present and the future.
>
> I could find nothing indicating that anyone had even tried, much less
> succeeded, in installing coreboot on a T480 and everything I did find
> was for much older hardware.
>
> I read through the coreboot docs where they just wave their hands at
> the end of the build process and say "now go flash". I also read
> through the heads docs, which say more or less the same thing.
>
> Hackaday has an article on the horrors of installing coreboot on a
> Toshiba laptop. Not only do they neglect to say which model they
> used, at the end of the article they had it working.
>
> The gist is that the information that's out there is out of date,
> incomplete, misleading, and sometimes just incompetent.
>
> I'm hoping that someone here has first-hand knowledge and can advise
> me (and others who read this).
>
> Thanks,
> John Smiley

I'd suggest visiting https://coreboot.org/status/board-status.html to see if your box is compatible with coreboot. From what I can see, the T480 is not coreboot friendly.

The coreboot web site generally is a very good starting point in establishing the how, what and when procedures for installing coreboot successfully.

[qubes-users] coreboot on modern hardware?
Spent several hours yesterday trying to track down what I would need to do to install coreboot on all of my computers, starting with my Qubes box: a Lenovo Thinkpad T480.

The bottom line from what I can tell is that if you have an Intel CPU made since 2008 (any that have Boot Guard) or an AMD CPU made since 2013 (any that have PSP), you are out of luck. Libreboot spells this out in their docs. I'm not sure if that is because of coreboot itself or something specific to Libreboot. I was struck by how they seemed perfectly fine walling themselves off from the present and the future.

I could find nothing indicating that anyone had even tried, much less succeeded, in installing coreboot on a T480 and everything I did find was for much older hardware.

I read through the coreboot docs where they just wave their hands at the end of the build process and say "now go flash". I also read through the heads docs, which say more or less the same thing.

Hackaday has an article on the horrors of installing coreboot on a Toshiba laptop. Not only do they neglect to say which model they used, at the end of the article they had it working.

The gist is that the information that's out there is out of date, incomplete, misleading, and sometimes just incompetent.

I'm hoping that someone here has first-hand knowledge and can advise me (and others who read this).

Thanks,
John Smiley

[qubes-users] coreboot, grub2 and FDE (including /boot + pbkdf2). Is it possible for Qubes ?
Hi,

somebody tried something similar? Any tips/guides?

Thanks.

Installing Parabola or Arch GNU+Linux-Libre, with Full-Disk Encryption (including /boot)
https://libreboot.org/docs/gnulinux/encrypted_parabola.html

Installing Trisquel GNU+Linux with Full-Disk Encryption (including /boot)
https://libreboot.org/docs/gnulinux/encrypted_trisquel.html

https://libreboot.org/docs/gnulinux/grub_hardening.html
https://www.coreboot.org/Security
http://git.savannah.gnu.org/cgit/grub.git/tree/docs/grub.cfg

Re: [qubes-users] Coreboot + Qubes :: Best Practises / Coreboot docs page
799:
> > $ build/cbfstool build/coreboot.rom add-int -i 0 -n etc/pci-optionrom-exec
>
> When do I need to run this? After building my Coreboot ROM?

Yes, see payloads/external/SeaBIOS/seabios/docs/Runtime_config.md for a list of cbfs options.

> Can't this option be included in the Coreboot or SeaBIOS menuconfig?

Looks like CONFIG_OPTIONROMS=n ("BIOS Interfaces" -> "Option ROMS" in SeaBIOS menuconfig) should be equivalent.

> I am already using the console setting in my grub installation.
> Can I still boot from a USB stick which has graphical boot enabled?

Booting works, but the GRUB screen is invisible. And the Qubes installer boot screen (isolinux) is somewhat garbled.

> > You might also enjoy HEADS.
> > https://github.com/osresearch/heads
>
> Thanks, looks very interesting, but as far as I understand I don't need
> Seabios when I am running Heads?
> Is somebody already using heads? From the website it seems that it is not
> that easy to install and maybe still under development?

I think that's all correct. Not sure though, I still haven't tried HEADS myself yet.

Rusty

Re: [qubes-users] Coreboot + Qubes :: Best Practises / Coreboot docs page
Sorry, last email sent in advance while writing...

Hello Rusty,

Rusty Bird wrote on Sat, 17 Mar 2018, 23:18:

> SeaBIOS is nice. You can build it with CONFIG_SEABIOS_VGA_COREBOOT=y
> (might be the default now), and completely disable dynamic loading of
> any dubious option ROMs:
>
> $ build/cbfstool build/coreboot.rom add-int -i 0 -n etc/pci-optionrom-exec

When do I need to run this? After building my Coreboot ROM?
Can't this option be included in the Coreboot or SeaBIOS menuconfig?

> That's incompatible with graphical mode GRUB, but you can simply
> change GRUB_TERMINAL_OUTPUT from "gfxterm"[1] to "console"[2] in
> /etc/default/grub and rerun 'grub2-mkconfig -o /boot/grub2/grub.cfg'.

I am already using the console setting in my grub installation.
Can I still boot from a USB stick which has graphical boot enabled?

> You might also enjoy HEADS.
> https://github.com/osresearch/heads

Thanks, looks very interesting, but as far as I understand I don't need Seabios when I am running Heads?
Is somebody already using heads? From the website it seems that it is not that easy to install and maybe still under development?

[799]

Re: [qubes-users] Coreboot + Qubes :: Best Practises / Coreboot docs page
Hello Rusty,

Rusty Bird wrote on Sat, 17 Mar 2018, 23:18:

> SeaBIOS is nice. You can build it with CONFIG_SEABIOS_VGA_COREBOOT=y
> (might be the default now), and completely disable dynamic loading of
> any dubious option ROMs:
>
> $ build/cbfstool build/coreboot.rom add-int -i 0 -n etc/pci-optionrom-exec

When do I need to run this? After I

> That's incompatible with graphical mode GRUB, but you can simply
> change GRUB_TERMINAL_OUTPUT from "gfxterm"[1] to "console"[2] in
> /etc/default/grub and rerun 'grub2-mkconfig -o /boot/grub2/grub.cfg'.
>
> IMO it actually looks better - no blindingly bright blue light at
> night, and fewer font changes during startup. I've been meaning
> (forever) to open a pull request to make this the default...
>
> You might also enjoy HEADS[3].
>
> Rusty
>
> 1. https://image.ibb.co/jGvCCx/grub_gfxterm.png
> 2. https://image.ibb.co/mbnsCx/grub_console.png
> 3. https://github.com/osresearch/heads

Re: [qubes-users] Coreboot + Qubes :: Best Practises / Coreboot docs page
799:
> Seabios or Grub and are there any special options which might make sense?

SeaBIOS is nice. You can build it with CONFIG_SEABIOS_VGA_COREBOOT=y (might be the default now), and completely disable dynamic loading of any dubious option ROMs:

    $ build/cbfstool build/coreboot.rom add-int -i 0 -n etc/pci-optionrom-exec

That's incompatible with graphical mode GRUB, but you can simply change GRUB_TERMINAL_OUTPUT from "gfxterm"[1] to "console"[2] in /etc/default/grub and rerun 'grub2-mkconfig -o /boot/grub2/grub.cfg'.

IMO it actually looks better - no blindingly bright blue light at night, and fewer font changes during startup. I've been meaning (forever) to open a pull request to make this the default...

You might also enjoy HEADS[3].

Rusty

1. https://image.ibb.co/jGvCCx/grub_gfxterm.png
2. https://image.ibb.co/mbnsCx/grub_console.png
3. https://github.com/osresearch/heads

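The two settings discussed in this thread, GRUB_TERMINAL_OUTPUT in /etc/default/grub and the CONFIG_OPTIONROMS build option named in Rusty's follow-up, can be checked and set with a small script. This is an added example, not code from the thread or from the coreboot, SeaBIOS or Qubes projects; the function names and the sample files in demo() are constructed, and the real file paths are passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): check and set the two settings discussed above.
# Function names and the sample files in demo() are constructed for illustration.

# grub_terminal_output FILE
# Print the effective GRUB_TERMINAL_OUTPUT from a grub defaults file. The file is
# sourced as shell by grub2-mkconfig, so the last uncommented assignment wins.
grub_terminal_output() {
    sed -n 's/^[[:space:]]*GRUB_TERMINAL_OUTPUT=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# set_grub_console FILE
# Force GRUB_TERMINAL_OUTPUT="console" in FILE, keeping the original as FILE.bak.
# Active assignments are rewritten; if there is none (or only a commented-out one),
# a new line is appended. Rerun grub2-mkconfig afterwards, as the thread says.
set_grub_console() {
    cp -p "$1" "$1.bak" || return 1
    if grep -Eq '^[[:space:]]*GRUB_TERMINAL_OUTPUT=' "$1.bak"; then
        sed -E 's/^[[:space:]]*GRUB_TERMINAL_OUTPUT=.*/GRUB_TERMINAL_OUTPUT="console"/' \
            "$1.bak" > "$1"
    else
        # Do not glue the new line onto an unterminated last line.
        if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
            printf '\n' >> "$1"
        fi
        printf 'GRUB_TERMINAL_OUTPUT="console"\n' >> "$1"
    fi
}

# seabios_optionroms_disabled CONFIG
# Succeed when a SeaBIOS Kconfig .config has option ROM support compiled out.
# Kconfig records a disabled bool as "# CONFIG_X is not set".
seabios_optionroms_disabled() {
    grep -Eq '^# CONFIG_OPTIONROMS is not set$' "$1" &&
        ! grep -Eq '^CONFIG_OPTIONROMS=y$' "$1"
}

# audit_boot_config GRUB_DEFAULTS SEABIOS_CONFIG
# Print one finding per setting; return 0 only when both match the thread's advice.
audit_boot_config() {
    audit_rc=0
    audit_gto=$(grub_terminal_output "$1")
    if [ "$audit_gto" = "console" ]; then
        echo "ok:   GRUB_TERMINAL_OUTPUT=console"
    else
        echo "warn: GRUB_TERMINAL_OUTPUT=${audit_gto:-unset}; the thread reports that" \
             "graphical GRUB does not work once option ROMs are disabled"
        audit_rc=1
    fi
    if seabios_optionroms_disabled "$2"; then
        echo "ok:   CONFIG_OPTIONROMS is not set in the SeaBIOS config"
    else
        echo "warn: option ROM support is not compiled out of SeaBIOS;" \
             "check etc/pci-optionrom-exec in CBFS instead"
        audit_rc=1
    fi
    return "$audit_rc"
}

# Demonstration on constructed sample files in a temporary directory.
demo() {
    demo_dir=$(mktemp -d) || return 1
    printf '%s\n' 'GRUB_TIMEOUT=5' 'GRUB_TERMINAL_OUTPUT="gfxterm"' > "$demo_dir/grub"
    printf '%s\n' 'CONFIG_COREBOOT=y' '# CONFIG_OPTIONROMS is not set' \
        > "$demo_dir/seabios.config"
    echo "before:"
    audit_boot_config "$demo_dir/grub" "$demo_dir/seabios.config" || true
    set_grub_console "$demo_dir/grub"
    echo "after:"
    audit_boot_config "$demo_dir/grub" "$demo_dir/seabios.config" || true
    rm -rf "$demo_dir"
}

demo
```

The script only inspects the build-time SeaBIOS setting; a ROM that was changed afterwards with the cbfstool command from the thread has to be checked with cbfstool itself.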
[qubes-users] Coreboot + Qubes :: Best Practises / Coreboot docs page
Hello,

I had Coreboot running on my X230 with Qubes 3.2 + Windows Dualboot and reflashed to stock ROM before installing Qubes 4.

Now I want to reinstall Coreboot without using Dualboot, therefore I have more options regarding 2nd payload.

Question: What is the best configuration to run Coreboot and Qubes? Seabios or Grub and are there any special options which might make sense?

Some information has been provided in https://groups.google.com/forum/m/#!topic/qubes-users/I6kt6362PR0

But I'd like to see a special page in the documentation and would be willing to contribute or create to such a page.

Should I use Seabios or Grub?

[799]

Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?
On 11/06/2017 01:28 AM, 'Marek Jenkins' via qubes-users wrote:

63xx/43xx is fine as long as you include a microcode update, you need to use coreboot for those but it will do it automatically by default.

Is that only the case with Coreboot BIOS or also with the stock BIOS ?

Coreboot, not sure about the stock BIOS (it differs based on board revision)

I just told Holger I probably would postpone the installation of Coreboot, because I have issues with compiling the ROM.

As long as you have the prerequisites installed it should work with the default config.

I know that I won't have problems with flashing the BIOS chip myself - my main problem is getting the settings right in the Coreboot config console (i am using "$ make nconfig" to compile).

But I am overwhelmed by all the settings. E.g. which payload (Seabios, GRUB2,etc) to use and which other settings for the KGPE-D16 ?

SeaBIOS for beginners, other than that you don't need to mess with anything the default settings are fine.

So if that would be solved, I might definitely consider to use Coreboot in the near future.

Hi, I just saw you pretty much answered all questions I had regarding Coreboot and its setup for KGPE-D16. I didn't see you already posted here at the time of writing my reply in the other thread. So in other words, you don't really need to go into great detail again in the other thread - I think I am good ! Maybe I get back to you in case I want to add any security features (AEM) to Coreboot.

You would need to enable TPM support in menuconfig and buy a compatible TPM module.

But for now, I will start to test it with basic settings.

Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?
> 63xx/43xx is fine as long as you include a microcode update, you need to
> use coreboot for those but it will do it automatically by default.

Is that only the case with Coreboot BIOS or also with the stock BIOS ?

> > I just told Holger I probably would postpone the installation of Coreboot,
> > because I have issues with compiling the ROM.
> As long as you have the prerequisites installed it should work with the
> default config.
> > I know that I won't have problems with flashing the BIOS chip myself - my
> > main problem is getting the settings right in the Coreboot config console
> > (i am using "$ make nconfig" to compile).
> >
> > But I am overwhelmed by all the settings. E.g. which payload (Seabios,
> > GRUB2,etc) to use and which other settings for the KGPE-D16 ?
> SeaBIOS for beginners, other than that you don't need to mess with
> anything the default settings are fine.
> > So if that would be solved, I might definitely consider to use Coreboot in
> > the near future.

Hi, I just saw you pretty much answered all questions I had regarding Coreboot and its setup for KGPE-D16. I didn't see you already posted here at the time of writing my reply in the other thread. So in other words, you don't really need to go into great detail again in the other thread - I think I am good ! Maybe I get back to you in case I want to add any security features (AEM) to Coreboot. But for now, I will start to test it with basic settings.

Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?
On 11/04/2017 09:12 PM, 'Marek Jenkins' via qubes-users wrote:

What is the difference between Coreboot and Libreboot ?

Philosophy, that's it.

Coreboot is sterile and corporate (as evidenced by not only the quiet acceptance of boards with closed source init but the removal of older open source boards from the tree, most people in the project and on the list work for intel/google/etc so any questioning of this is always shot down)

Thanks for that info. From what I found, Librecore also seems to be a fork of Coreboot, they only remove all the blobs. But my main concern are Intel AMT/ME/vPro - so in other words any remote access / backdoor, so I guess I could live with Coreboot.

As I said there isn't any difference if you compile coreboot for a board supported by libreboot.

I am going for the KGPE-D16 and it seems they really have put in a lot of effort to support it. Also Raptor Engineering seems to do a lot to make KGPE-D16 and coreboot work. I planned to go for a 62xx or 63xx CPU, but probably for a 62xx, because I read the 63xx series has a lot of issues with coreboot/libreboot and needs firmware / "microcode" updates to work properly - like you mentioned as well.

63xx/43xx is fine as long as you include a microcode update, you need to use coreboot for those but it will do it automatically by default.

Do you know if not only the KCMA-D8 but also the KGPE-D16 is also fully supported ? Should be, right ?

Sure is, they're pretty much the same thing.

Thanks for your help! I just told Holger I probably would postpone the installation of Coreboot, because I have issues with compiling the ROM.

As long as you have the prerequisites installed it should work with the default config.

I know that I won't have problems with flashing the BIOS chip myself - my main problem is getting the settings right in the Coreboot config console (i am using "$ make nconfig" to compile).

But I am overwhelmed by all the settings. E.g. which payload (Seabios, GRUB2,etc) to use and which other settings for the KGPE-D16 ?

SeaBIOS for beginners, other than that you don't need to mess with anything the default settings are fine.

So if that would be solved, I might definitely consider to use Coreboot in the near future.

Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?
On Sunday, November 5, 2017 at 1:55:04 AM UTC+1, tai...@gmx.com wrote:
> On 11/04/2017 08:42 PM, 'Marek Jenkins' via qubes-users wrote:
>
> > If I choose an older mainboard from AMD for example, which doesn't have all
> > those bad technologies built-in, I am still much more secure than the
> > average guy with a new Intel CPU, right ?
> Yeah definitely.
>
> For instance a H8SCM can be had for $30 (socket C32 like the KCMA-D8),
> with a 4386 and that you'd be playing new games in a VM with no ME/PSP.

Okay good to know!

I remember you advised to get the mainboard in new condition and everything else used. Is that more for security/privacy reasons or just to ensure to buy a functional mainboard that hasn't been degraded by years of 24/7 use ?

Because right now, I am sitting on the fence, whether I should really buy the mainboard new. Sometimes I see used mainboards with almost 50% discount, so buying a used one would make quite a difference.

Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?
On Sunday, November 5, 2017 at 1:55:04 AM UTC+1, tai...@gmx.com wrote:
> On 11/04/2017 08:42 PM, 'Marek Jenkins' via qubes-users wrote:
>
> > If I choose an older mainboard from AMD for example, which doesn't have all
> > those bad technologies built-in, I am still much more secure than the
> > average guy with a new Intel CPU, right ?
> Yeah definitely.
>
> For instance a H8SCM can be had for $30 (socket C32 like the KCMA-D8),
> with a 4386 and that you'd be playing new games in a VM with no ME/PSP.

Okay good to know !

Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?
> > What is the difference between Coreboot and Libreboot ?
> Philosophy, that's it.
>
> Coreboot is sterile and corporate (as evidenced by not only the quiet
> acceptance of boards with closed source init but the removal of older
> open source boards from the tree, most people in the project and on the
> list work for intel/google/etc so any questioning of this is always shot
> down)

Thanks for that info. From what I found, Librecore also seems to be a fork of Coreboot, they only remove all the blobs. But my main concern are Intel AMT/ME/vPro - so in other words any remote access / backdoor, so I guess I could live with Coreboot.

I am going for the KGPE-D16 and it seems they really have put in a lot of effort to support it. Also Raptor Engineering seems to do a lot to make KGPE-D16 and coreboot work. I planned to go for a 62xx or 63xx CPU, but probably for a 62xx, because I read the 63xx series has a lot of issues with coreboot/libreboot and needs firmware / "microcode" updates to work properly - like you mentioned as well.

Do you know if not only the KCMA-D8 but also the KGPE-D16 is also fully supported ? Should be, right ?

> Libreboot is like an anarchist punk scene complete with a jerk in charge
> (ex: the FSF related drama) - although she has done quite a bit for the
> free hardware movement (75K+ for the KGPE-D16 and KCMA-D8 board ports,
> both entirely libre and RYF certified) and has finally paid her debt for
> the KCMA-D8 port so I respect her a little bit.
>
> > Is one better than the other for Qubes OS ?
> If you compile coreboot for say the KCMA-D8 (libre board I recommend
> that supports v4.0) you're getting the same thing as libreboot if you
> don't include the microcode update (note: microcode update needed in
> either OS or firmware for 43xx CPU's due to a very bad exploit which
> doesn't affect the slightly less fast 42xx CPU's)
>
> All the libreboot boards work without the binaries contrary to what
> holger said, you aren't going to boot up and find out there isn't any
> video or w/e - leah laid out a lot of cash to ensure that.
>
> I use coreboot.

Thanks for your help! I just told Holger I probably would postpone the installation of Coreboot, because I have issues with compiling the ROM.

I know that I won't have problems with flashing the BIOS chip myself - my main problem is getting the settings right in the Coreboot config console (i am using "$ make nconfig" to compile).

But I am overwhelmed by all the settings. E.g. which payload (Seabios, GRUB2,etc) to use and which other settings for the KGPE-D16 ?

So if that would be solved, I might definitely consider to use Coreboot in the near future.

Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?
On 11/04/2017 08:42 PM, 'Marek Jenkins' via qubes-users wrote:

If I choose an older mainboard from AMD for example, which doesn't have all those bad technologies built-in, I am still much more secure than the average guy with a new Intel CPU, right ?

Yeah definitely.

For instance a H8SCM can be had for $30 (socket C32 like the KCMA-D8), with a 4386 and that you'd be playing new games in a VM with no ME/PSP.

Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?
On Sunday, November 5, 2017 at 12:10:26 AM UTC+1, Holger Levsen wrote:
> On Sat, Nov 04, 2017 at 03:53:32PM -0700, 'Marek Jenkins' via qubes-users wrote:
> > so from my understanding, "blobs" is a synonym for proprietary code, right ?
>
> it's a synonym for "binary object" where in general you don't have the
> source code.
>
> > I mean if it doesn't really matter for security I can live with those blobs
> > inside Coreboot.
>
> having the source code is generally better for security...
>
> but if you have hardware which either works with a blob, or doesn't work
> without it, you might want to choose the blob.
>
> > But Qubes will work better with Coreboot correct or why is it recommended
> > here ?
>
> a free bios is better for security. Libreboot supports a lot less
> hardware than coreboot.
>
>
> --
> cheers,
> Holger

Okay I see! Thanks a lot for taking the time to explain, really appreciate it.

I think Coreboot is an interesting topic, but to be honest, it seems quite complex. I don't really compile code myself and have no idea which settings + payload I need to pick to compile the ROM for flashing. And flashing also requires some skill + equipment. Additionally, I read some people have issues with Qubes + SeaBios. Maybe I postpone the whole thing to a later day when I have more time to learn something new :)

Also, because I don't really think I need that level of security that protects someone to tamper with my BIOS :D I just didn't like the idea of having a "backdoor" in my system (Intel ME, AMT, vPro), that's how I learned about Coreboot.

So the final question: If I choose an older mainboard from AMD for example, which doesn't have all those bad technologies built-in, I am still much more secure than the average guy with a new Intel CPU, right ?

Have a nice weekend!

Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?
On 11/04/2017 01:57 PM, 'Marek Jenkins' via qubes-users wrote:

What is the difference between Coreboot and Libreboot ?

Philosophy, that's it.

Coreboot is sterile and corporate (as evidenced by not only the quiet acceptance of boards with closed source init but the removal of older open source boards from the tree, most people in the project and on the list work for intel/google/etc so any questioning of this is always shot down)

Libreboot is like an anarchist punk scene complete with a jerk in charge (ex: the FSF related drama) - although she has done quite a bit for the free hardware movement (75K+ for the KGPE-D16 and KCMA-D8 board ports, both entirely libre and RYF certified) and has finally paid her debt for the KCMA-D8 port so I respect her a little bit.

Is one better than the other for Qubes OS ?

If you compile coreboot for say the KCMA-D8 (libre board I recommend that supports v4.0) you're getting the same thing as libreboot if you don't include the microcode update (note: microcode update needed in either OS or firmware for 43xx CPU's due to a very bad exploit which doesn't affect the slightly less fast 42xx CPU's)

All the libreboot boards work without the binaries contrary to what holger said, you aren't going to boot up and find out there isn't any video or w/e - leah laid out a lot of cash to ensure that.

I use coreboot.

Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?
On Sat, Nov 04, 2017 at 03:53:32PM -0700, 'Marek Jenkins' via qubes-users wrote:
> so from my understanding, "blobs" is a synonym for proprietary code, right ?

it's a synonym for "binary object" where in general you don't have the source code.

> I mean if it doesn't really matter for security I can live with those blobs
> inside Coreboot.

having the source code is generally better for security... but if you have hardware which either works with a blob, or doesn't work without it, you might want to choose the blob.

> But Qubes will work better with Coreboot correct or why is it recommended
> here ?

a free bios is better for security. Libreboot supports a lot less hardware than coreboot.

--
cheers,
Holger
Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?
On Saturday, November 4, 2017 at 10:47:12 PM UTC+1, Holger Levsen wrote:
> On Sat, Nov 04, 2017 at 10:57:30AM -0700, 'Marek Jenkins' via qubes-users wrote:
> > What is the difference between Coreboot and Libreboot ?
>
> Libreboot is Coreboot with all the non-free blobs removed (and no free
> software added instead). So if you happen to have hardware which needs
> those blobs, you won't be happy with Libreboot.
>
> --
> cheers,
> Holger

Hi Holger,

so from my understanding, "blobs" is a synonym for proprietary code, right ?

I mean if it doesn't really matter for security I can live with those blobs inside Coreboot. I don't need extreme security on that level, I guess :D Just a decently secure system that respects privacy.

But Qubes will work better with Coreboot correct or why is it recommended here ?
Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?
On Sat, Nov 04, 2017 at 10:57:30AM -0700, 'Marek Jenkins' via qubes-users wrote:
> What is the difference between Coreboot and Libreboot ?

Libreboot is Coreboot with all the non-free blobs removed (and no free software added instead). So if you happen to have hardware which needs those blobs, you won't be happy with Libreboot.

--
cheers,
Holger
[qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?
What is the difference between Coreboot and Libreboot ? Is one better than the other for Qubes OS ?
Re: [qubes-users] Coreboot+SeaBIOS and AEM
This would be a posting for the coreboot mailing list if the default TPM setup instructions are not working for you.
[qubes-users] Coreboot+SeaBIOS and AEM
Hello Guys,

I want to configure AEM for my x230. I added TPM support when I was configuring coreboot, however, I'm not able to take ownership etc. Also I'm unable to find anything regarding AEM in the coreboot wiki.

Is there maybe someone with the same setup who is willing to give me some hints? I already set up AEM once with vendor BIOS, which was easy.

greetings