Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-26 Thread taii...@gmx.com
On 11/17/2018 02:23 AM, 799 wrote:
> Hello,
> 
> On Sat, 17 Nov 2018 at 02:50, taii...@gmx.com wrote:
> 
>> [...]
>> ME/PSP is impossible to disable on modern x86 anyone who tries is
>> wasting money and setting back the freedom computing movement but the
>> pur.idiots seem to not really care about that anyways.
>>
> 
> So do you think it is better for the freedom computing movement if my
> neighbour who is not an "IT guy" buys a Windows 10 surface book or a
> MacBook instead of a Purism Laptop?

I think it is better to not support dishonest companies period.

> Maybe he wants to choose exactly between these laptops because he doesn't want
> to buy old hardware (which is exactly the freedom he should have).
> 
> 
>> If not, I'm sure you know a few ME modules more or less is completely
>> irrelevant from a security point of view.

It is relevant.

Don't take offense but if you lack understanding of how firmware does
hardware initiation you should not be talking about this.

C2Q era: can really disable the ME, no code/blobs, doesn't load at all.
ivy/sandybridge core era: ME can be nerfed to

> 
> 
> Why is this irrelevant? Is it also irrelevant to run Coreboot?
> 
>> Also, I wasn't able to find a statement of Purism about the fact that, in
>> the beginning, they claimed the ME was "completely disabled and removed". I
>> mean, that was obviously not true right?

They say "disabled ME" everywhere and it is in many news articles just
like system76's "made in usa" computer where only the case is made here
as if it is an accomplishment to make a metal box in america - note that
other companies do in fact sell motherboards/cpus that are made here
like raptorcs (openpower cpus are made in fishkill ny and the board is
made in texas) although I bet even they probably still would not make
the legal standard and they should note that some components are
imported (although at least the cpu is from here it is the most
important part)

>>
> 
> Which quote on the website are you arguing against 

"open source coreboot firmware" "librem" "disabled me" so on and so on
not to mention "our pureos libre distro" but it is just a debian clone
and it still has binary blobs.

> and have you asked them
> in a nice way to change it so that users are more informed that Intel ME
> can't be fully disabled?

I have.

They still refuse to be honest and up front.

> What was the answer from Purism?

That they think their marketing is fine and won't be changing anything.

> 
>>
>> They do claim that it is "disabled" which it is not and they also claim
>> they have "open source coreboot firmware" which they don't since the hw
>> init process is entirely blobbed making coreboot nothing more than a
>> simple wrapper layer.
>>
> 
> I don't know enough about the coreboot details, basically the coreboot
> Purism is using is less (reasonable) secure than the coreboot installation
> we are running on X2xx, T4xx etc.?

It is much less secure since it is not open source.

> What is the difference? I am really interested.

10 years ago coreboot meant open source firmware but now new hardware
has its hardware initiated via binary blobs as intel/amd don't release
code or documentation required to make code

coreboot/intel fsp is a 10%/90% work situation.

Pretty much Purism's "coreboot" is just a wrapper layer (it does no
actual hw init) for the intel fsp binary blob that does all the work of
initiating the hardware.

Let me know if you have any more questions.
> 
>> but advertising hardware which runs almost entirely on closed source
>> software (certainly, all the important parts do), that just sound highly
>> dishonest in my ears
>>
> 
> Do you really think that the biggest attack vector is the not fully
> disabled Intel Me stuff/Blobs?

There is plenty of time for dirty tricks in Intel FSP plus the not
actually disabled ME (Mask ROM, plus the Bup/kernel layer)

The kernel, mask roms and the hw init blob still runs hence me is not
disabled.

> In this case it wouldn't make a difference if users run Windows on top of
> Purism hardware.

No it would, obviously running windows is an *up front* security issue
rather than simply theoretical backdoors intentional or otherwise in
intel firmware which is what we are talking about.

> Hardly to believe.
> 
>> Puridiots pretend as though making a modern, fast and affordable owner
>> controlled libre computer simply can't be done which isn't true and
>> various companies do it (raptor computing systems, various riscv
>> sellers, bunnylabs etc)
>>
> 
> Will those computers have the same specs as Purism and do they run Qubes?

I am referencing computers in general not laptops...my point is that
they pretend that there isn't any new real open hardware out there as
though OpenPOWER and Risc-V don't exist.

(Let me know if you want help picking an owner controlled system like
kcma-d8 or g505s laptop and building/flashing coreboot)

> 
> Nothing is stopping them from making an OpenPOWER laptop since the
>> 

Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-26 Thread taii...@gmx.com
On 11/17/2018 02:06 AM, 799 wrote:
> Hello Taiidan,
>
> On Sat, 17 Nov 2018 at 03:21, taii...@gmx.com wrote:
>
>> [...]
>> I am the counterpart to you guys somehow getting the tech media to
>> publish glorified press releases for you and everything I say is true.
>>
>
> Which articles do you mean?
Here are two examples of how the tech media glorifies them

https://www.zdnet.com/article/purism-adds-open-source-security-firmware-to-its-linux-laptop-line/

https://www.pcworld.com/article/2860446/this-freedom-loving-laptop-discovered-how-to-make-intel-cpus-boot-without-closed-firmware.html
>
>> People need to know the truth about what they would be purchasing, this
>> issue isn't and never was the fact that you are selling non-free laptops
>> - it is that you are claiming they are somehow open source
>> firmware/libre/me disabled when they are not and could never be.
>>
>
> So a free laptop is a laptop that has everything Purism does but including
> disabled ME?
No, a free laptop has no hardware enforced code signing, no me/psp and
100% open source hardware init - purism has none of those.

> At the same time you're saying it is impossible to do so?
Impossible with new x86 hardware.

> So Purism would be the most free laptop you can buy today from shelf, is
> this correct?
No you can buy a g505s (owner controlled) or one of the various
ivy/sandybridge laptops that run coreboot all of which are more free.

> Doesn't sound too bad to me ;-)
>
>> Remember any code exploit for ME is illegal in the US and buying new
>> intel/amd x86 hardware supports further anti-feature development...why
>> not make an OpenPOWER laptop? nothing is stopping you besides the false
>> belief that it is somehow impossible to make and sell owner controlled
>> hardware that is fast and modern - other companies are doing instead of
>> trying.
>>
>
> Where can I buy an OpenPOWER Laptop and how will this help me and will Qubes
> OS run on it (today)?
There aren't any that's what I am trying to say - but it is possible and
since other companies are creating real owner controlled hardware with
Risc-V, OpenPOWER, etc (not laptops tho) since those two archs CPU's
have TDP's in the laptop range there is nothing stopping them.

>
>> The business model of somehow keeping up open source firmware releases
>> with new x86 hardware without any vendor cooperation is impossible - it
>> would take years and millions to reverse engineer FSP thus x86 will
>> never be free.
>>
>
> This may be correct, but then there is no need to use this argument in every
> discussion.
> We must try to do what is currently possible.
> This is also how I understand the "reasonable" in the quote "reasonable
> secure".
> Best effort and delivering is most time a better approach than trying to be
> perfect.
>
>> Get an A10 quad core G505s (no ME/PSP) IMO it isn't that hard to compile
>> and install coreboot - myself and various others are willing to help
>> owner controlled system users for free if you run in to trouble.
>>
>
> The G505s is a very ugly have and old machine which seems to be a consumer
> notebook.
> In my opinion (!) I totally respect that others have a different opinion.
> But please do also accept that some people just don't want to buy this
> laptop for their own personal reasons.
>
>> Todd Weaver started and owns the company so he isn't mis-informed he is
>> simply used to making claims he can't deliver because he has no ethics,
>> no real technical skills and he still fails to listen to those who do.
>>
>
> Do you know Todd? What is the problem for blaming people. I think it's
> great that people have choices!!
> You have even the choice to setup your own company ;-)
I don't have millions in VC so no I can't set up my own company I can
barely feed myself since no one hires native people where I live these days.

>
>
> I really don't understand why there is so much engagement blaming purism.
> I think it is really great if people have the chance to buy "other" laptops.
> And a Purism Laptop is "very likely higher on the reasonable secure" scale
> than a normal Windows Laptop and even from a laptop running Qubes without
> Coreboot and Co.
I simply want them to stop lying! - have them stop being dishonest
marketing!

>
> Honestly I wouldn't feel much more secure even if Intel ME is completely
> gone, I think that  the attack surface is reduced when running Qubes,
> Coreboot or if I buy purism.
>
> Purism is good in marketing and this is not a crime.
It is a crime since it is very dishonest - in america that is considered an
anti-competitive practice.

> There are so many
> people who will never ever buy hardware which is 5 years old, and spent lots
> of time installing Linux/Coreboot etc.
> But still they might be interested running "better" hardware or software
> and are interested in getting support.
> Therefore I am lucky that companies are selling Linux to those people.
>
> Purism, thinkpenguin, all others -> THANKS!
Thinkpenguin is honest - the others 

Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-17 Thread Anac

On 11/15/18 4:47 PM, Thierry Laurion wrote:
> I would strongly advise digging into the skulls project anyone 
> interested in flashing coreboot into their x230 themselves : 
> https://github.com/merge/skulls/blob/master/README.md


Hi,
They suggest updating the original BIOS before flashing Skull. But what 
if an older Coreboot has been flashed already? The newest Lenovo BIOS 
for the X230 dates from June 2018, which is definitely newer than the 
Coreboot (SeaBIOS version 1.11.0) which is on this machine now. Should I 
firstly flash the new Lenovo BIOS or directly flash the newest Skull?


I bought that X230 with Coreboot already flashed, so I don't have the 
original BIOS nor any information one might need to gather from it.


Thanks!

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bb649b0d-8f5a-58ca-75b5-9cb68742234e%40rbox.co.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-16 Thread 799
Hello,

On Sat, 17 Nov 2018 at 02:50, taii...@gmx.com wrote:

> [...]
> ME/PSP is impossible to disable on modern x86 anyone who tries is
> wasting money and setting back the freedom computing movement but the
> pur.idiots seem to not really care about that anyways.
>

So do you think it is better for the freedom computing movement if my
neighbour who is not an "IT guy" buys a Windows 10 surface book or a
MacBook instead of a Purism Laptop?
Maybe he wants to choose exactly between these laptops because he doesn't want
to buy old hardware (which is exactly the freedom he should have).


> If not, I'm sure you know a few ME modules more or less is completely
> irrelevant from a security point of view.


Why is this irrelevant? Is it also irrelevant to run Coreboot?

> Also, I wasn't able to find a statement of Purism about the fact that, in
> the beginning, they claimed the ME was "completely disabled and removed". I
> mean, that was obviously not true right?
>

Which quote on the website are you arguing against and have you asked them
in a nice way to change it so that users are more informed that Intel ME
can't be fully disabled?
What was the answer from Purism?

> They do claim that it is "disabled" which it is not and they also claim
> they have "open source coreboot firmware" which they don't since the hw
> init process is entirely blobbed making coreboot nothing more than a
> simple wrapper layer.
>

I don't know enough about the coreboot details, basically the coreboot
Purism is using is less (reasonable) secure than the coreboot installation
we are running on X2xx, T4xx etc.?
What is the difference? I am really interested.

> but advertising hardware which runs almost entirely on closed source
> software (certainly, all the important parts do), that just sound highly
> dishonest in my ears
>

Do you really think that the biggest attack vector is the not fully
disabled Intel Me stuff/Blobs?
In this case it wouldn't make a difference if users run Windows on top of
Purism hardware.
Hard to believe.

> Puridiots pretend as though making a modern, fast and affordable owner
> controlled libre computer simply can't be done which isn't true and
> various companies do it (raptor computing systems, various riscv
> sellers, bunnylabs etc)
>

Will those computers have the same specs as Purism and do they run Qubes?

> Nothing is stopping them from making an OpenPOWER laptop since the
> latest OpenPOWER9 code supports laptop level power saving but they say no.
>

I am sure that someone will do this if there is a market for it.

> People will but they're just paid shills so ignore them.
>

Which people??

> Sad how few people do that.
>

It's also sad that people don't get that it is important not only what but
also how you say it if you want to come through with your arguments.
If someone would call me "Puridiots" when I would be working for Purism and
taking part in a discussion here, I would ignore those people.
Puridiots sound so "trumpish" to me, don't go this road.

- O



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-16 Thread 799
Hello Taiidan,

On Sat, 17 Nov 2018 at 03:21, taii...@gmx.com wrote:

> [...]
> I am the counterpart to you guys somehow getting the tech media to
> publish glorified press releases for you and everything I say is true.
>

Which articles do you mean?

> People need to know the truth about what they would be purchasing, this
> issue isn't and never was the fact that you are selling non-free laptops
> - it is that you are claiming they are somehow open source
> firmware/libre/me disabled when they are not and could never be.
>

So a free laptop is a laptop that has everything Purism does but including
disabled ME?
At the same time you're saying it is impossible to do so?
So Purism would be the most free laptop you can buy today from shelf, is
this correct?
Doesn't sound too bad to me ;-)

> Remember any code exploit for ME is illegal in the US and buying new
> intel/amd x86 hardware supports further anti-feature development...why
> not make an OpenPOWER laptop? nothing is stopping you besides the false
> belief that it is somehow impossible to make and sell owner controlled
> hardware that is fast and modern - other companies are doing instead of
> trying.
>

Where can I buy an OpenPOWER Laptop and how will this help me and will Qubes
OS run on it (today)?

> The business model of somehow keeping up open source firmware releases
> with new x86 hardware without any vendor cooperation is impossible - it
> would take years and millions to reverse engineer FSP thus x86 will
> never be free.
>

This may be correct, but then there is no need to use this argument in every
discussion.
We must try to do what is currently possible.
This is also how I understand the "reasonable" in the quote "reasonable
secure".
Best effort and delivering is most time a better approach than trying to be
perfect.

> Get an A10 quad core G505s (no ME/PSP) IMO it isn't that hard to compile
> and install coreboot - myself and various others are willing to help
> owner controlled system users for free if you run in to trouble.
>

The G505s is a very ugly have and old machine which seems to be a consumer
notebook.
In my opinion (!) I totally respect that others have a different opinion.
But please do also accept that some people just don't want to buy this
laptop for their own personal reasons.

> Todd Weaver started and owns the company so he isn't mis-informed he is
> simply used to making claims he can't deliver because he has no ethics,
> no real technical skills and he still fails to listen to those who do.
>

Do you know Todd? What is the problem for blaming people. I think it's
great that people have choices!!
You have even the choice to setup your own company ;-)


I really don't understand why there is so much engagement blaming purism.
I think it is really great if people have the chance to buy "other" laptops.
And a Purism Laptop is "very likely higher on the reasonable secure" scale
than a normal Windows Laptop and even from a laptop running Qubes without
Coreboot and Co.

Honestly I wouldn't feel much more secure even if Intel ME is completely
gone, I think that  the attack surface is reduced when running Qubes,
Coreboot or if I buy purism.

Purism is good in marketing and this is not a crime. There are so many
people who will never ever buy hardware which is 5 years old, and spent lots
of time installing Linux/Coreboot etc.
But still they might be interested running "better" hardware or software
and are interested in getting support.
Therefore I am lucky that companies are selling Linux to those people.

Purism, thinkpenguin, all others -> THANKS!

@taiidan:
And thank you for your community engagement, don't get me wrong.

- O



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-16 Thread 799
Hello Thierry,

On Thu, 15 Nov 2018 at 10:47, Thierry Laurion wrote:

> [...]
> I would strongly advise digging into the skulls project anyone interested
> in flashing coreboot into their x230 themselves :
> https://github.com/merge/skulls/blob/master/README.md
>
[...]
>

I have already heard of skulls, but I think that there should be more
information on the GitHub page what is the benefit of using Tails over a
normal coreboot installation and maybe even a dedicated page which will
walk you through the whole process.
Even more as it is currently only supported on the x230 (which I also own)
it shouldn't be too hard to do this.

Proper documentation is very important to convince others to try things
like coreboot, even when they're not super technical experts.

- O



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-16 Thread taii...@gmx.com
RE: people who work for purism say i am being unfair

I am the counterpart to you guys somehow getting the tech media to
publish glorified press releases for you and everything I say is true.

People need to know the truth about what they would be purchasing, this
issue isn't and never was the fact that you are selling non-free laptops
- it is that you are claiming they are somehow open source
firmware/libre/me disabled when they are not and could never be.

Remember any code exploit for ME is illegal in the US and buying new
intel/amd x86 hardware supports further anti-feature development...why
not make an OpenPOWER laptop? nothing is stopping you besides the false
belief that it is somehow impossible to make and sell owner controlled
hardware that is fast and modern - other companies are doing instead of
trying.

The business model of somehow keeping up open source firmware releases
with new x86 hardware without any vendor cooperation is impossible - it
would take years and millions to reverse engineer FSP thus x86 will
never be free.

On 11/13/2018 06:03 AM, qubes-...@tutanota.com wrote:
> Sorry to jump out of the Purism thing. Some weeks ago I put here the
> question too and it was bit stormy, so I keep it aside.
>
> Mate, you mention the "Lenova 400 series". That was my question short
> before in my post. I am planning to buy this guy:
> https://tehnoetic.com/tet-t400s  It is
> RYF and so the ME and AMT is completely removed. My question was, if I
> could run Qubes 4 on it. The answer was it is too old to have the
> required virtualization needed to run Qubes 4.
>
> Now, do you think the RYF T400s above, which is T400 series you
> mention, could run the Qubes 4? This would be great. One could run the
> reasonably secure OS on reasonably secure HW. Yay!
>

It can't since there is no working IOMMU with coreboot and it lacks real
security due to intels first gen iommu being terrible.

X230 can't have ME disabled like T400 only nerfed the hw init "bup"
module still runs (although more than skylake stuff where the kernel
runs and then is politely asked to shut off)

Get an A10 quad core G505s (no ME/PSP) IMO it isn't that hard to compile
and install coreboot - myself and various others are willing to help
owner controlled system users for free if you run in to trouble.

The g505s and other AMD FT3 systems are the only owner controlled qubes
4.0 compatible laptops and they don't have the huge performance penalty
the intel stuff does due to the spectre fixes.

Todd weaver started and owns the company so he isn't mis-informed he is
simply used to making claims he can't deliver because he has no ethics,
no real technical skills and he still fails to listen to those who do.



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-16 Thread taii...@gmx.com
On 11/10/2018 01:33 PM, 'casiu' via qubes-users wrote:
> 
> "We have four ME modules remaining to liberate (and anyone with access to our 
> BIOS ROM or our BIOS build script
>  can confirm those claims)."
> 
> Last time I checked Intel still did not hand you over their signing-keys ?
> I'm happy to change my mind, please educate me.:) Is the ME completely shut 
> off BEFORE the kernel boots up?

The ME kernel and init code still run before they shut off thus there is
more than enough time and abilities to perform dirty tricks.

ME/PSP is impossible to disable on modern x86 anyone who tries is
wasting money and setting back the freedom computing movement but the
pur.idiots seem to not really care about that anyways.

> If not, I'm sure you know a few ME modules more or less is completely 
> irrelevant from a security point of view.
> 
> Also, I wasn't able to find a statement of Purism about the fact that, in the 
> beginning, they claimed the ME was "completely disabled and removed". I mean, 
> that was obviously not true right?

They do claim that it is "disabled" which it is not and they also claim
they have "open source coreboot firmware" which they don't since the hw
init process is entirely blobbed making coreboot nothing more than a
simple wrapper layer.

> 
> From what I see, despite Purism claims they will liberate it probably 
> sometime , purism-bios still only initializes proprietary blobs, which also 
> defeats the purpose. I'm not one for great conspiracy theories, and also at 
> least for now willing to accept the term "opensource-hardware" for something 
> with one or two small irrelevant blobs because they can't be avoided,
> but advertising hardware which runs almost entirely on closed source software 
> (certainly, all the important parts do), that just sound highly dishonest in 
> my ears.
> 

It sounds highly dishonest since it is.


> Last one: Would you honestly recommend people  buying your products to 
> improve their security RIGHT NOW, not someday in the future when and if your 
> products will be completely open source. If so, why?

Puridiots pretend as though making a modern, fast and affordable owner
controlled libre computer simply can't be done which isn't true and
various companies do it (raptor computing systems, various riscv
sellers, bunnylabs etc)

Nothing is stopping them from making an OpenPOWER laptop since the
latest OpenPOWER9 code supports laptop level power saving but they say no.

> If you could provide me an answer to those Questions, I would be very 
> grateful. I read this post twice , and I hope nobody finds it offensive in 
> any way, 

People will but they're just paid shills so ignore them.

> I'm actually trying to get a productive discussion here.
> Please don't let this go emotional, rather provide people with actual, 
> verifiable TECHNICAL  FACTS.

Sad how few people do that.

> 
> Happy to learn something new, Casiu.



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-15 Thread Holger Levsen
On Thu, Nov 15, 2018 at 10:07:31AM +0100, qubes-...@tutanota.com wrote:
> > has this (updating the HCL for Librem 13v2) happened now?

this was and is my point, here+now.


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C


Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-15 Thread Thierry Laurion


On November 14, 2018 9:14:58 PM UTC, 799  wrote:
>Hello 22rip,
>
>On Mon, 12 Nov 2018 at 03:26, <22...@tutamail.com> wrote:
>
>> (...)
>> However I think your "..Pretty easy to maintain.." would be hell for me.
>> (...)
>> I checked out the x230 and you are right they are available and cheap. I
>> would still be interested in finding some company/individual who I can
>> trust to take care of the BIOS flashing for me as a service
>> (I would think others would also want this service as well...). The problem
>> is who?
>>
>
>I was at the same point some time ago and afraid to give coreboot a try.
>I went to a hacking space and got some help from experienced "Coreboot'ers".
>I've seen that it is not that hard to build Coreboot and tried it myself
>from scratch.
>If you own a X230 you might want to look at my How-to which I wrote during
>the process and is targeted at coreboot newbies:
>
>https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230.md
>
>If you need further help, do not hesitate to ask.
>It's really not that hard to use coreboot.
>
>- O
>

Hi all,
Last intrusion to this thread.

I would strongly advise digging into the skulls project anyone interested in 
flashing coreboot into their x230 themselves :  
https://github.com/merge/skulls/blob/master/README.md

Sincerely, 
Thierry



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-15 Thread qubes-fan
Hi Holger, if this point was to me :), sorry for "hijacking" the thread. The 
flame about Purism laptops here got a bit hot with RYF-puristic guys last time, 
and the questions (one can work with), were mostly unanswered. But they were 
basically right. 

Just to remind you, I had a conversation directly with the Todd Weaver about, 
if I remember properly, 2 weeks before they announced the ME cleanup. He told 
me in the conversation that they will completely remove the ME ( 2 weeks before 
the announcement), and they actually didn't. I am not blaming them, maybe he 
was just misinformed. I am just a semi-tech, and as many others I am not able 
to check stuff in depth, cause my extensive specialization is elsewhere. I am 
depending in Tech-Threat-Modeling on ppl like you or Thierry or Joanna, same 
way as you are depending on psychology specialists on psychology part of your 
Threat  Modeling (right)?

The implications of the claim "ME is completely removed" from Purism, can be 
extensive if I (or anyone else) advise to an organization (let's say a large, 
influential one), as a trusted advisor, the Purism laptops with claim: "ME is 
completely removed and your attack map is shrunk to this or that" and it is 
not.  It can kill the relation and even worse, put the organization in risk by 
not considering the threat in their OpSec. This is THE SHAME.

I can't help myself but, after that "mistake" from Purism I must include this 
to my Trust Model as a handicap for them. They should just make this clear 
somehow.

Thierry finally cleared this up somehow (at least for me), and put some light 
for decision making. This is actually something I can work with. 

Have a nice day :)


Nov 14, 2018, 10:30 PM by hol...@layer-acht.org:

> On Sat, Nov 10, 2018 at 09:24:40AM -0800, Kyle Rankin wrote:
>
>> It's a shame this thread got hijacked by people...
>>
> [...discussing other stuff...]
>
>> Could someone who is responsible for the HCL please update it with the data
>> I've provided in this thread? This would update the HCL with a version of
>> the Librem 13v2 that provides a TPM for people who are considering running
>> Qubes 4.0 with AEM.
>>
>
> has this (updating the HCL for Librem 13v2) happened now?
>
>
> -- 
> cheers,
>  Holger
>
> ---
>  holger@(debian|reproducible-builds|layer-acht).org
>  PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
>


Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-14 Thread Holger Levsen
On Sat, Nov 10, 2018 at 09:24:40AM -0800, Kyle Rankin wrote:
> It's a shame this thread got hijacked by people...
[...discussing other stuff...]

> Could someone who is responsible for the HCL please update it with the data
> I've provided in this thread? This would update the HCL with a version of
> the Librem 13v2 that provides a TPM for people who are considering running
> Qubes 4.0 with AEM.

has this (updating the HCL for Librem 13v2) happened now?


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20181114213042.y4w4qdaogapxqvw2%40layer-acht.org.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: PGP signature


Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-14 Thread 799
Hello 22rip,

On Mon, Nov 12, 2018, 03:26, <22...@tutamail.com> wrote:

> (...)
> However I think your "..Pretty easy to maintain.." would be hell for me.
> (...)
> I checked out the x230 and you are right they are available and cheap. I
> would still be interested in finding some company/individual who I can
> trust to take care of the BIOS flashing for me as a service (I would think
> others would also want this service as well...). The problem is who?
>

I was at the same point some time ago and afraid to give coreboot a try.
I went to a hacking space and got some help from experienced "Coreboot'ers".
I've seen that it is not that hard to build Coreboot and tried it myself
from scratch.
If you own a X230 you might want to look at my How-to which I wrote during
the process and is targeted at coreboot newbies:

https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230.md

If you need further help, do not hesitate to ask.
It's really not that hard to use coreboot.

- O



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-14 Thread qubes-fan
Hi Thierry, thank you for your excellent and extensive explanation of the 
topic, just wow! This is precisely what semi-techs like me need, to understand 
the heavy-tech topics more. 

It helped me to see the differences between vt-d1 vs vt-d2 and their 
implications. Yes, the X200 is excellent for Tails, but I need to run Qubes 4 
too. 

So if I understand it properly, the X230 has remains of the ME which are but 
deactivated before kernel boots. This quite shrinks the attack options, clear. 

I understand you prefer to post answers directly on the forum. About the prices:

- What exactly does the Hardware reprogramming fee mean? Is it the ME
cleanup? Is it an extra charge of $250 on top of $620 for actually
freeing the X230? Is the $620 for the non-free X230 then?

Are you sometimes in EU? 

thx


Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-13 Thread Thierry Laurion
Hi all,
Sorry to have misadvertised Purism work. Didn't come across that post:
https://puri.sm/posts/neutralizing-intel-management-engine-on-librem-laptops/
So it seems that Intel ME deactivation is on par with Ivy bridge, resulting
in only the ROMP and BUP modules being required to initialize ME.

For firmware binary blob requirements, FSP is still required, see here:
https://github.com/osresearch/heads/tree/master/blobs/librem_skl and here
https://github.com/osresearch/heads/blob/master/config/coreboot-librem13v2.config

Thierry



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-13 Thread Thierry Laurion
 Hi qubes-fan. Answers inline.
On Tue, Nov 13, 2018 at 6:27 AM  wrote:

> Hi Thierry, I wasn't aware the X230 can be freed same way as the X200 can.

Unfortunately, the x230 cannot have Intel ME deleted the same way the x200
can, even though binary free firmware is on par with it.

The x200 is RYF certified where the x230 isn't for approximately the same
reasons Libreboot supports only the former. RYF and Libreboot have a really
strong guideline against binary blobs. Even Libreboot opened up its ethic
to support the x220 (Sandy bridge), but backed off, since part of the ME
engine is still present even if deactivated. The RYF certification could
not be obtained for those. See archive:
https://web.archive.org/web/20170404144825/https://minifree.org/product/libreboot-x220/

Intel ME can be completely removed on the x200 (GM45 based), leaving no
trace of it at all. (https://libreboot.org/faq.html#intel). It can be
neutralized on the x220 and x230 (Ivy bridge), leaving only the ROMP and
BUP modules (<90k of it), but "deactivating" ME before its kernel is even
booted, where the Librem Laptops have parts of it deactivated only, and
unfortunately contain binary blobs in the firmware. Once again, depending
on your threat model, that may or may not be a deal breaker for you.

Neutralizing/Deactivating/Deleting/Freeing Intel ME is a word game where a
lot of ink spilled over the last years. I suggest you read this doc:
(https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F). Basically,
Intel ME version <11 can be deactivated, since no kernel needs to be
present in the firmware for validation prior to initialization, resulting
in the BUP module only being launched, permitting the machine to boot,
where version >11 requires the kernel and syslib modules to be present and
validated at initialization. So even if Intel ME is neutralized by
me_cleaner, the modules are still there in >11. Could they be executed?
That depends on your beliefs and threat modeling.

Technically, GM45 based laptops are currently the last Intel based hardware
where Intel ME can be completely removed. Unfortunately, such old hardware
comes with important limitations, some of which make it incompatible with
QubesOS 4 requirements for isolation and virtualization. The x200 has vt-d1
only, no vt-d2 (No IOMMU!): there is no interrupt remapping, meaning that
there is no hardware isolation enforced in QubesOS.
(https://github.com/QubesOS/qubes-issues/issues/1594#issuecomment-209213917).

At best, the x200 is an awesome laptop for using Tails, but not with
QubesOS. Using it with QubesOS gives the user an illusion of hardware
isolation, putting him at risk.

> As you saw, I am thinking about buying the RYF
> https://tehnoetic.com/tet-t400s to be
> able to run with the Qubes 4. The T400s has but unfortunately 8GB RAM max
> and so the X230 with 16GB seems very interesting.
>
The T400s is a hardware equivalent of the x200.

>
> So my question is if the X230 is really deprived of all ME-AMT, or any
> non-free dirt?

See here for the output of me_cleaner:
https://github.com/osresearch/heads-wiki/blob/master/Clean-the-ME-firmware.md
with this understanding
https://github.com/corna/me_cleaner/wiki/How-does-it-work%3F

> If this is the case, your offer seems really interesting with all mentioned
> options available. I also use the RYF X200 for non-Qubes activities, but it
> would be just excellent if I could have just one machine for
> Qubes+non-Qubes too.
>
A lower end AMD laptop, the G505s, seems a good candidate for libre
oriented QubesOS users. Its porting to Heads is on the way, even though I
do not have that hardware myself.
https://github.com/osresearch/heads/issues/453

As some pointed out earlier, the EC is still a binary blob present in
laptops (not currently freed), microcode updates are unfortunately still
required for security.

Laptop world needs to be shaken. Binary free laptops exist, but do not
support QubesOS.
Talos II is the best libre free desktop/server available but isn't
supported by QubesOS, where the KGPE-D16/KCMA-D8 are still the best x86
desktop/servers available. The x230 laptop is the most supported and libre
available, where BUP Intel ME initialization is tolerable.

Heads project should be considered as a trusted base of any security
conscious user.
http://osresearch.net/

Linuxboot, Systemboot and other projects based on u-boot/u-root should also
be considered for collocating private cloud services on more recent x86
servers:
https://github.com/systemboot/systemboot
https://www.linuxboot.org/

Hope that it answers your questions.

>
> Nov 12, 2018, 7:30 AM by thierry.laur...@gmail.com:
>
> > Hi!
> >
> >> I checked out the x230 and you are right they are available and cheap.
> I would still be interested in finding some company/individual who I can
> trust to take care of the BIOS flashing for me as a service(I would think
> others would also want this service as well...). The problem is 
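
An added example, not part of the original thread and not code from Qubes or Xen: a check for the point in the reply above that a machine without VT-d interrupt remapping does not give Qubes the hardware isolation it relies on. It classifies Xen boot-log text such as `xl dmesg` prints in dom0; the sample logs are constructed, and the exact wording of the Xen messages matched by the patterns is an assumption.

```python
import re

# Assumed wording of Xen's VT-d boot messages; adjust the patterns if your
# Xen version prints them differently.
VTD_FEATURE = re.compile(
    r"^\(XEN\)\s+Intel VT-d (?P<name>.+?) (?P<neg>not )?enabled\.?$")
IO_VIRT = re.compile(
    r"^\(XEN\)\s+I/O virtualisation (?P<state>en|dis)abled\.?$")

# Constructed sample logs (not captured from real machines).
LOG_FULL = """\
(XEN) Intel VT-d Snoop Control not enabled.
(XEN) Intel VT-d Dom0 DMA Passthrough not enabled.
(XEN) Intel VT-d Queued Invalidation enabled.
(XEN) Intel VT-d Interrupt Remapping enabled.
(XEN) I/O virtualisation enabled
"""
LOG_NO_IR = """\
(XEN) Intel VT-d Queued Invalidation not enabled.
(XEN) Intel VT-d Interrupt Remapping not enabled.
(XEN) I/O virtualisation enabled
"""
LOG_NO_IOMMU = "(XEN) I/O virtualisation disabled\n"
# Boot messages already pushed out of the hypervisor log buffer.
LOG_ROTATED = "(XEN) some later runtime message\n"


def parse_xen_iommu_log(text):
    """Return (io_virt, features).

    io_virt is True/False, or None when the line is absent from the log.
    features maps each VT-d feature name to True (enabled) or False.
    """
    io_virt = None
    features = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = VTD_FEATURE.match(line)
        if m:
            features[m.group("name")] = m.group("neg") is None
            continue
        m = IO_VIRT.match(line)
        if m:
            io_virt = m.group("state") == "en"
    return io_virt, features


def classify(text):
    """Classify a platform from its Xen boot log.

    'no-iommu'                          : no DMA isolation for device domains
    'iommu-without-interrupt-remapping' : DMA remapping only
    'iommu-with-interrupt-remapping'    : DMA and interrupt remapping
    'unknown'                           : the log lacks the lines needed
    """
    io_virt, features = parse_xen_iommu_log(text)
    if io_virt is False:
        return "no-iommu"
    remap = features.get("Interrupt Remapping")
    if io_virt is None or remap is None:
        # Never report isolation from an incomplete log.
        return "unknown"
    if remap:
        return "iommu-with-interrupt-remapping"
    return "iommu-without-interrupt-remapping"


if __name__ == "__main__":
    samples = [("full", LOG_FULL), ("no-ir", LOG_NO_IR),
               ("no-iommu", LOG_NO_IOMMU), ("rotated", LOG_ROTATED)]
    for label, log in samples:
        print(f"{label:9s} -> {classify(log)}")
```

On a real system the input would be the saved output of `xl dmesg` taken soon after boot; an "unknown" result means the boot lines are no longer in the log, not that the feature is present.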

Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-13 Thread 'keshajournalism' via qubes-users
I thought about buying the x230, but for me, the screen is a little too small, 
and I feel like the x230 looks a bit ugly *.* To me apple-products look the 
best, but apparently there are none with coreboot.
I therefore bought myself an X1 Carbon with a nitrokey from cryptogs.de, 
although I'd like to have more ram for windows.
The X230 was recommended to me by them to be more secure, apparently a t400 
would have been even better with libreboot, but they are just way too old and 
slow for me.

cheerio

Sent with [ProtonMail](https://protonmail.com) Secure Email.



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-13 Thread qubes-fan
Hi Thierry, I wasn't aware the X230 can be freed same way as the X200 can. As 
you saw, I am thinking about buying the RYF https://tehnoetic.com/tet-t400s 
to be able to run with the Qubes 4. The T400s has but unfortunately 8GB RAM 
max and so the X230 with 16GB seems very interesting.

So my question is if the X230 is really deprived of all ME-AMT, or any non-free 
dirt? If this is the case, your offer seems really interesting with all 
mentioned options available. I also use the RYF X200 for non-Qubes activities, 
but it would be just excellent if I could have just one machine for 
Qubes+non-Qubes too. 


Nov 12, 2018, 7:30 AM by thierry.laur...@gmail.com:

> Hi!
>
>> I checked out the x230 and you are right they are available and cheap. I 
>> would still be interested in finding some company/individual who I can trust 
>> to take care of the BIOS flashing for me as a service (I would think others 
>> would also want this service as well...). The problem is who?
>>
> I started Insurgo Technologies Libres/Open Technologies exactly for that!
> (https://www.facebook.com/InsurgoTech/insights/?section=navPosts)
>
> We actually reprogram A-Grade refurbished x230 with Heads firmware
> (http://osresearch.net/), while neutralizing Intel ME
> (https://github.com/osresearch/heads-wiki/blob/master/Clean-the-ME-firmware.md)
> while being there.
>
> I collaborate with Heads and QubesOS developers for a while now.
> QubesOS can even be preinstalled with user's desired customizations
> (https://github.com/SkypLabs/my-qubes-os-formula/issues) or shipped with
> latest QubesOS ISO on external MicroSD support. Heads validates ISO integrity
> with distribution's signing keys prior to booting them (Tails, Fedora, QubesOS).
>
> Heads, deployed with a Nitrokey Pro v2/LibremKey or by using internal TPM,
> validates rom's integrity before booting from it. With the help of a
> NitroKey/LibremKey (https://puri.sm/posts/introducing-the-librem-key/), the
> boot configurations are signed with user's keys and verified and the firmware
> integrity is attested at each reboot through HOTP (led flashing or TPMTOTP on
> user's cell phone through Google Authenticator or compatible app).
>
> The user receives the Nitrokey/LibremKey and his computer in distinct
> shipping packages and reunites them at first laptop boot to attest that the
> firmware of the computer has not been tampered with in transit.
> (https://puri.sm/posts/introducing-the-librem-key/).
>
> The user, upon bootup integrity attestation, proceeds to the ownership of his
> new laptop (TPM) and his LibremKey. The user is then invited to reencrypt his
> SSD encrypted content with its own chosen passphrase
> (https://github.com/osresearch/heads/issues/463) and to choose a secondary
> disk unlock passphrase, which will unlock encrypted disk content only if the
> firmware has boot attested integrity.
>
> Notes:
> The user will be able to ask Insurgo interactive support in the near
> future. (https://github.com/SkypLabs/my-qubes-os-formula/issues/6).
> Buying from Insurgo (ITL/IOT) funds directly my participation to those
> projects.
> Bulk discount are available upon request. Insurgo plans to transit into a
> working/buying cooperative in the near future.
>
>
> Prices are in Canadian Dollars (CDN)
> x230 i5 240GB SSD 16GB Webcam and IPS: $620
> Hardware reprogramming fee: +250$
> Backlit Keyboard: 40$  (optional)
> Webcam 10$  (optional)
> Nitrokey/LibremKey: + 80$
> The refurbisher offers a warranty plan on the value of the purchase:
> 1 Month %5
> 3 Months %10
> 6 Months %15
> 1 Year %25
>
> Thierry Laurion:
> GitHub: https://github.com/tlaurion/
> LinkedIn: https://www.linkedin.com/in/thierry-laurion-40b4128/
>
> Insurgo, Technologies Libres / Open Technologies:
> email: insu...@riseup.net for more information.
> GPG key: http://keys.gnupg.net/pks/lookup?op=get=0x79C78E6659DB658F
> Follow this guide or its platform equivalent:
> https://securityinabox.org/en/guide/thunderbird/mac/
> Website: https://Insurgo.ca
> Facebook: https://www.facebook.com/InsurgoTech/
>
>
> On Sun, Nov 11, 2018 at 9:26 PM <> 

Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-13 Thread qubes-fan
Sorry to jump out of the Purism thing. Some weeks ago I put the question here 
too and it was a bit stormy, so I keep it aside. 

Mate, you mention the "Lenova 400 series". That was my question shortly before 
in my post. I am planning to buy this guy: https://tehnoetic.com/tet-t400s 
It is RYF and so the ME and AMT are completely removed. My question was, if I 
could run Qubes 4 on it. The answer was it is too old to have the required 
virtualization needed to run Qubes 4. 

Now, do you think the RYF T400s above, which is the T400 series you mention, 
could run the Qubes 4? This would be great. One could run the reasonably secure 
OS on reasonably secure HW. Yay!


Nov 11, 2018, 6:07 AM by 22...@tutamail.com:

> Tough questions and discussion but in the spirit of finding the "best" we can 
> get laptop for Qubes 4.0 (Best being defined as: available to purchase, 
> priced right, most open, most "reasonably" secure and "reasonably simple" 
> to maintain), for me I see the following as my best options, ranked:
>
> Lenovo Carbon 5G X1
> Available
> Good RAM
> Little pricey
> Easy install/maintain? Not sure if I can flash these BIOS...
>
> Lenova 400 series
> Available
> Affordable
> Limited RAM?
> Little boxy
> Easier to install/maintain
>
> Librem "whatever" model
> Available
> NOT Affordable
> Limited RAM?
> Reasonably easy to install/maintain!
>
> G505
> NOT as Available
> Affordable
> Limited RAM?
> Very boxy?
> Tough to install/maintain (Flash BIOS?? Out of my scope...)
>
>
> 200 series
> NOT as Available?
> Affordable
> Limited RAM?
> Very boxy?
> Tough to install/maintain! (Flash BIOS?? Out of my scope...)
>
>
> Dell/HP/Other?
> I don't know, but I suspect Qubes was developed on Lenovo's yet select 
> models work
>
> Desk Tops
> I need a laptop...
>
> Keep in mind I might weigh some of the "Easy to install/maintain" perspective 
> more heavily but I see my best options as:
>
> 1)Carbon X1 being the ultimate winner (if I want to invest the $1k)
> 2)T400+ series for the budget concerned
> 3)Librem if you want to get the best you can without the "fuss" and pay some 
> $$
> 4)G505/200 if you have the technical know-how/experience
>
>
> What I am struggling to weigh is the security/privacy/trust compromises and 
> implications I have made/would make? I know G505/200 type products are most 
> secure but how can I get one pre-installed and done (Easy) yet still balance 
> trust, security, afford-ability, etc... I fear the open source BIOS are out 
> of my technical scope to install and maintain.
>
> I find Librem intriguing with the easiest "most" open source option for the 
> "reasonable" layman(person)...sure not Intel/AMD/government secure but at 
> least non chip maker collusion secure? Let's assume Librem screwed up 
> initially with their claims... are they clear now? Is their product a good 
> option?
>
> Decisions, Decisions...
>
>  
>


Re: 'invisible' blobs are blobs too (Re: [qubes-users] HCL - Purism Librem 13 v2)

2018-11-12 Thread Jonathan Seefelder
I have to say, while I'm happy to see people are actually trying to get a
constructive discussion here, I'm missing facts, sources and numbers.

The only blob in an X230 which could be security relevant imo is the
embedded controller. The EC will most likely be liberated in the near
future, and even if it isn't, that is just no comparison to the amount
of attack-surface and security-relevance of the blobs a Librem
contains. But that's a personal opinion, there are some who consider
stock-bios not a problem at all, because their threat-model does not
contain such highly-skilled attacks or they trust the vendor. However,
UEFI-exploits from non-state-actors have already been found in the wild,
and will become a lot more common imo.

Example:
https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

About the Intel-ME:

The other blob in an x230 is the "ROMP/BUP"-module (which is the
only part left from the Intel ME), roughly around ~90 kB after
me-cleaner (~ 1.5 MB without), and, very important, the ME is shut down
before the kernel initializes.

The ME-version Generation 3 like they are used in a Librem, however, are
after applying ME-cleaner "rbe", "kernel", "syslib" AND "bup", and the
minimum firmware-size is at best ~ 300 kb, and is not shut down at all.

BTW, I feel like people overestimate the relevance of the Intel
Management Engine. There is so much fake-news about the ME, it's
ridiculous. That being said, I personally would never use a device for
sensitive stuff with ME-generation 3 or higher, and certainly not one
with a prop BIOS or a significant amount of dangerous blobs. Again,
these are personal choices, bashing without even providing any sources
to fact-check for the reader won't help anybody.

While I would love to have the option of buying a completely free Laptop
directly from a vendor, I have serious doubts about how this would be
possible with x86 architecture, and I wasn't able to find any specific
information on how Purism is planning to achieve that.

Freeing a Librem isn't simply a matter of more work and development,
without having Intel's signing keys, it is flat-out technically impossible.

And I would love to believe that Intel will provide Purism those keys,
but given the fact that they didn't do it even for Google, I doubt it
even more.

Some more information on this matter would be really great, maybe I'm
missing something?

If any of this information is incorrect please tell me so, and most
important, please provide sources.


On 11/12/18 12:15 PM, unman wrote:

> On Mon, Nov 12, 2018 at 09:58:25AM +, Holger Levsen wrote:
>> On Sun, Nov 11, 2018 at 03:45:21PM +, unman wrote:
>>> lenovo x230s are still widely available, and great for Qubes. 
>> while I agree with that, I want to point out that they contain several
>> non free blobs which cannot be changed.
>>
>> just because there was so much purism bashing in this thread. :-D
>>
>>
>> -- 
>> cheers,
>>  Holger, who is happy that his keyboard, memory and battery works
> Try, but 22rip didn't have that as a criteria in his choices. Also, the
> x230 keyboard, memory and battery all work. ;-)
>
-- 
Kind Regards 
Jonathan Seefelder
CryptoGS IT-Security Solutions
Hofmark 43b
D-84564 Oberbergkirchen
Phone: +49 8637-7505
Fax: +49 8637-7506
Mail: i...@cryptogs.de
www.cryptogs.de


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a94c36f7-ecee-caa4-ba93-381acde1a6c0%40cryptogs.de.
For more options, visit https://groups.google.com/d/optout.




Re: 'invisible' blobs are blobs too (Re: [qubes-users] HCL - Purism Librem 13 v2)

2018-11-12 Thread unman
On Mon, Nov 12, 2018 at 09:58:25AM +, Holger Levsen wrote:
> On Sun, Nov 11, 2018 at 03:45:21PM +, unman wrote:
> > lenovo x230s are still widely available, and great for Qubes. 
> 
> while I agree with that, I want to point out that they contain several
> non free blobs which cannot be changed.
> 
> just because there was so much purism bashing in this thread. :-D
> 
> 
> -- 
> cheers,
>   Holger, who is happy that his keyboard, memory and battery works

Try, but 22rip didn't have that as a criteria in his choices. Also, the
x230 keyboard, memory and battery all work. ;-)



'invisible' blobs are blobs too (Re: [qubes-users] HCL - Purism Librem 13 v2)

2018-11-12 Thread Holger Levsen
On Sun, Nov 11, 2018 at 03:45:21PM +, unman wrote:
> lenovo x230s are still widely available, and great for Qubes. 

while I agree with that, I want to point out that they contain several
non free blobs which cannot be changed.

just because there was so much purism bashing in this thread. :-D


-- 
cheers,
Holger, who is happy that his keyboard, memory and battery works

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C





Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-11 Thread Thierry Laurion
Hi!

> I checked out the x230 and you are right they are available and cheap. I
> would still be interested in finding some company/individual who I can
> trust to take care of the BIOS flashing for me as a service(I would think
> others would also want this service as well...). The problem is who?
>
I started Insurgo Technologies Libres/Open Technologies exactly for that! (
https://www.facebook.com/InsurgoTech/insights/?section=navPosts)

We actually reprogram A-Grade refurbished x230 with Heads firmware (
http://osresearch.net/), while neutralizing Intel ME (
https://github.com/osresearch/heads-wiki/blob/master/Clean-the-ME-firmware.md)
while being there.

I have been collaborating with Heads and QubesOS developers for a while now.
QubesOS can even be preinstalled with user's desired customizations (
https://github.com/SkypLabs/my-qubes-os-formula/issues) or shipped with
latest QubesOS ISO on external MicroSD support. Heads validates ISO
integrity with distribution's signing keys prior to booting them (Tails,
Fedora, QubesOS).

Heads, deployed with a Nitrokey Pro v2/LibremKey or by using internal TPM,
validates the ROM's integrity before booting from it. With the help of a
NitroKey/LibremKey (https://puri.sm/posts/introducing-the-librem-key/), the
boot configurations are signed with user's keys and verified and the
firmware integrity is attested at each reboot through HOTP (LED flashing or
TPMTOTP on user's cell phone through Google Authenticator or compatible app).

The user receives the Nitrokey/LibremKey and his computer in distinct
shipping packages and reunites them at first laptop boot to attest that the
firmware of the computer has not been tampered with in transit. (
https://puri.sm/posts/introducing-the-librem-key/).

The user, upon bootup integrity attestation, proceeds to take ownership of
his new laptop (TPM) and his LibremKey. The user is then invited to
reencrypt his SSD encrypted content with his own chosen passphrase (
https://github.com/osresearch/heads/issues/463) and to choose a secondary
disk unlock passphrase, which will unlock encrypted disk content only if
the firmware has boot attested integrity.

Notes:

   - The user will be able to ask *Insurgo* interactive support in the near
   future. (https://github.com/SkypLabs/my-qubes-os-formula/issues/6).
   - *Buying from Insurgo (ITL/IOT) funds directly my participation to those
   projects.*
   - *Bulk discount are available upon request. Insurgo plans to transit into a
   working/buying cooperative in the near future.*



Prices are in Canadian Dollars (CDN)

   - x230 i5 240GB SSD 16GB Webcam and IPS: $620
   - Hardware reprogramming fee: +250$
  - Backlit Keyboard: 40$  (optional)
  - Webcam 10$  (optional)
   - Nitrokey/LibremKey: + 80$

The refurbisher offers a warranty plan on the value of the purchase:

   - 1 Month %5
   - 3 Months %10
   - 6 Months %15
   - 1 Year %25


Thierry Laurion:

   - GitHub: https://github.com/tlaurion/
   - LinkedIn: https://www.linkedin.com/in/thierry-laurion-40b4128/


Insurgo, Technologies Libres / Open Technologies:

   - email: insu...@riseup.net for more information.
  - GPG key:
  http://keys.gnupg.net/pks/lookup?op=get=0x79C78E6659DB658F
  - Follow this guide or its platform equivalent:
  https://securityinabox.org/en/guide/thunderbird/mac/
  - Website: https://Insurgo.ca
   - Facebook: https://www.facebook.com/InsurgoTech/


On Sun, Nov 11, 2018 at 9:26 PM <22...@tutamail.com> wrote:

> Unman your posts have been extremely helpful to me and I can't thank you
> enough for the help(I am sure many others would agree).
>
> However I think your "..Pretty easy to maintain.." would be hell for me.
>
> Librem(and maybe the Majora line) have huge appeal for me as they take
> care of the BIOS flashing.
>
> I checked out the x230 and you are right they are available and cheap. I
> would still be interested in finding some company/individual who I can
> trust to take care of the BIOS flashing for me as a service(I would think
> others would also want this service as well...). The problem is who?
>
> Thanks...
>
> ("-boxy is the new black." Good one and couldn't agree more...very funny!)
>
>


-- 
Thierry Laurion
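
An added illustration (not code from Heads, Purism, Nitrokey or the original post) of the HOTP attestation flow described in the message above: a secret is released only when the firmware measurement matches the provisioned one, and the token checks the resulting one-time code. The sealing model, the SHA-256 measurement chain, the firmware blobs and all names (ToyTPM, ToyToken, Host) are simplifying assumptions.

```python
"""Toy model of HOTP-based boot attestation (illustrative, not Heads code)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def measure(components) -> bytes:
    """Fold boot components into one register: pcr = H(pcr || H(component))."""
    pcr = bytes(32)
    for blob in components:
        pcr = hashlib.sha256(pcr + hashlib.sha256(blob).digest()).digest()
    return pcr


class ToyTPM:
    """Assumed model: hands out the sealed secret only for the sealed measurement."""

    def __init__(self):
        self._secret = None
        self._expected = None

    def seal(self, secret: bytes, pcr: bytes) -> None:
        self._secret, self._expected = secret, pcr

    def unseal(self, pcr: bytes):
        if self._expected is not None and hmac.compare_digest(pcr, self._expected):
            return self._secret
        return None


class ToyToken:
    """Stands in for the USB token: shares the secret, tracks its own counter."""

    def __init__(self, secret: bytes, counter: int = 0):
        self._secret, self.counter = secret, counter

    def verify(self, code: str) -> bool:
        ok = hmac.compare_digest(code, hotp(self._secret, self.counter))
        if ok:
            self.counter += 1  # each code is accepted once
        return ok


class Host:
    """The laptop side: measures what it booted, then tries to produce a code."""

    def __init__(self, tpm: ToyTPM):
        self.tpm, self.counter = tpm, 0

    def boot(self, components, token: ToyToken) -> bool:
        secret = self.tpm.unseal(measure(components))
        if secret is None:
            return False  # measurement changed: no secret, so no valid code
        if token.verify(hotp(secret, self.counter)):
            self.counter += 1
            return True
        return False


def demo():
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    good = [b"coreboot stage (constructed)", b"heads payload (constructed)"]
    tampered = [good[0], b"heads payload (constructed) + modification"]
    tpm = ToyTPM()
    tpm.seal(secret, measure(good))   # provisioning before shipping
    token = ToyToken(secret)          # token shipped in a separate package
    host = Host(tpm)
    # first boot with intact firmware, a boot after tampering, then restored
    return [host.boot(good, token), host.boot(tampered, token), host.boot(good, token)]


if __name__ == "__main__":
    print(demo())
```

A failed boot leaves both counters untouched, so restoring the original firmware makes attestation succeed again.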


Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-11 Thread 22rip
Unman your posts have been extremely helpful to me and I can't thank you enough 
for the help(I am sure many others would agree).

However I think your "..Pretty easy to maintain.." would be hell for me.

Librem(and maybe the Majora line) have huge appeal for me as they take care of 
the BIOS flashing.

I checked out the x230 and you are right they are available and cheap. I would 
still be interested in finding some company/individual who I can trust to take 
care of the BIOS flashing for me as a service(I would think others would also 
want this service as well...). The problem is who?

Thanks...

("-boxy is the new black." Good one and couldn't agree more...very funny!)



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-11 Thread unman
On Sat, Nov 10, 2018 at 09:07:42PM -0800, 22...@tutamail.com wrote:
> Tough questions and discussion but in the spirit of finding the "best" we can 
> get laptop for Qubes 4.0  (Best being defined as: available to purchase, 
> priced right, most open, most "reasonably" secure and "reasonably simple" 
> to maintain), for me I see the following as my best options, ranked:
> 
> Lenovo Carbon 5G X1
> Available
> Good RAM
> Little pricey
> Easy install/maintain? Not sure if I can flash these BIOS...
> 
> Lenovo 400 series
> Available
> Affordable
> Limited RAM?
> Little boxy
> Easier to install/maintain
> 
> Librem "what ever" model
> Available
> NOT Affordable
> Limited RAM?
> Reasonably easy to install/maintain!
> 
> G505
> NOT as Available
> Affordable
> Limited RAM?
> Very boxy?
> Tough to install/maintain (Flash BIOS?? Out of my scope...)
> 
> 
> 200 series
> NOT as Available?
> Affordable
> Limited RAM?
> Very boxy?
> Tough to install/maintain! (Flash BIOS?? Out of my scope...)
> 
> 
> Dell/HP/Other?
> I don't know, but I suspect Qubes was developed on Lenovo's yet select 
> models work
> 
> Desk Tops
> I need a laptop...
> 
> Keep in mind I might weigh some of the "Easy to install/maintain" perspective 
> more heavily but I see my best options as:
> 
> 1)Carbon X1 being the ultimate winner (if I want to invest the $1k)
> 2)T400+ series for the budget concerned
> 3)Librem if you want to get the best you can without the "fuss" and pay some 
> $$
> 4)G505/200 if you have the technical know-how/experience
> 
> 
> What I am struggling to weigh is the security/privacy/trust compromises and 
> implications I have made/would make? I know G505/200 type products are most 
> secure but how can I get one pre-installed and done (Easy) yet still balance 
> trust, security, affordability, etc... I fear the open source BIOS are out 
> of my technical scope to install and maintain.
> 
> I find Librem intriguing with the easiest "most" open source option for the 
> "reasonable" layman(person)...sure not Intel/AMD/government secure but at 
> least non chip maker collusion secure? Let's assume Librem screwed up 
> initially with their claims... are they clear now? Is their product a good 
> option?
> 
> Decisions, Decisions...
> 
>  

lenovo x230s are still widely available, and great for Qubes. Limited to
16GB RAM, but even with HDD and 12 GB perfectly serviceable for
Qubes4.0. And *cheap*.
Pretty easy to maintain, and no problem with flashing BIOS from linux.
I'd still recommend - boxy is the new black.

unman



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-10 Thread 22rip
Tough questions and discussion but in the spirit of finding the "best" we can 
get laptop for Qubes 4.0  (Best being defined as: available to purchase, priced 
right, most open, most "reasonably" secure and "reasonably simple" to 
maintain), for me I see the following as my best options, ranked:

Lenovo Carbon 5G X1
Available
Good RAM
Little pricey
Easy install/maintain? Not sure if I can flash these BIOS...

Lenovo 400 series
Available
Affordable
Limited RAM?
Little boxy
Easier to install/maintain

Librem "what ever" model
Available
NOT Affordable
Limited RAM?
Reasonably easy to install/maintain!

G505
NOT as Available
Affordable
Limited RAM?
Very boxy?
Tough to install/maintain (Flash BIOS?? Out of my scope...)


200 series
NOT as Available?
Affordable
Limited RAM?
Very boxy?
Tough to install/maintain! (Flash BIOS?? Out of my scope...)


Dell/HP/Other?
I don't know, but I suspect Qubes was developed on Lenovo's yet select models 
work

Desk Tops
I need a laptop...

Keep in mind I might weigh some of the "Easy to install/maintain" perspective 
more heavily but I see my best options as:

1)Carbon X1 being the ultimate winner (if I want to invest the $1k)
2)T400+ series for the budget concerned
3)Librem if you want to get the best you can without the "fuss" and pay some $$
4)G505/200 if you have the technical know-how/experience


What I am struggling to weigh is the security/privacy/trust compromises and 
implications I have made/would make? I know G505/200 type products are most 
secure but how can I get one pre-installed and done (Easy) yet still balance 
trust, security, affordability, etc... I fear the open source BIOS are out of 
my technical scope to install and maintain.

I find Librem intriguing with the easiest "most" open source option for the 
"reasonable" layman(person)...sure not Intel/AMD/government secure but at least 
non chip maker collusion secure? Let's assume Librem screwed up initially with 
their claims... are they clear now? Is their product a good option?

Decisions, Decisions...

 



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-10 Thread unman
On Sat, Nov 10, 2018 at 11:33:48AM -0800, Kyle Rankin wrote:
> 
> > Also, I wasn't able to find a statement of Purism about the fact that, in 
> > the beginning, they claimed the ME was "completely disabled and removed". I 
> > mean, that was obviously not true, right?
> 
> I can only comment on the current state of things and what we have tried to
> be open about on our site. I don't recall them using words like
> "completely" but I also wasn't working there at the time.
> 

I find this somewhat disingenuous.

Original claims:

"This is the first laptop to be manufactured where there is no mystery
software. This means that there are absolutely no proprietary drivers
in the linux kernel, no Linux kernel binary blobs, and no proprietary
software applications required to operate this computer."

Later:
"We promise that a Purism system and all its components  will be free
according to the strictest of guidelines set forth by the FSF's Free
Software Definition."

By 2016, the company had (under pressure) rolled back on these claims,
and acknowledged that the BIOS and Intel Binaries required binary blobs.

The "completely" claim is in the October 19 2017 post - "Purism Librem
Laptops Completely Disable Intel's Management Engine"

I think that what bothers people is that the early claims were either false
or misleading. I had concerns about the whole "Qubes endorsed" debacle.
I believe issues like these raise questions about the probity of the company,

unman



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-10 Thread Kyle Rankin
I would have preferred to keep this thread focused on the HCL and not get
too derailed off-topic. I'll try to keep this brief and apologies to the
moderators for continuing the off-topic thread. I'll give a reply and then
leave it.

As someone who's working inside the org every day earnestly to try to
improve everyone's security and freedom, I guess I don't get all the
animosity, as I don't know of too many other organizations who are trying
as we are to advance the cause of liberating these closed modules. I don't
agree with the "all or nothing" approach some people are touting--having a
motherboard without AMT at all, and with an ME that is reflashed to have
most of its code removed is, to me, a much better situation than what you
can get off the shelf. Is it 100% there? Of course not, but we are truly
working to get it there.

Other replies inline:

On Sat, Nov 10, 2018 at 06:33:05PM +, 'casiu' via qubes-users wrote:
> 
> "We have four ME modules remaining to liberate (and anyone with access to our 
> BIOS ROM or our BIOS build script
>  can confirm those claims)."
> 
> Last time I checked Intel still did not hand you over their signing-keys?
> I'm happy to change my mind, please educate me. :) Is the ME completely shut 
> off BEFORE the kernel boots up?
> If not, I'm sure you know a few ME modules more or less is completely 
> irrelevant from a security point of view.
> 

As part of reflashing the BIOS we reflash the ME so when the system boots
it is running from the remaining four modules (kernel, supporting kernel
libraries) in the ME that initialize the hardware. The high level info is
here:

https://puri.sm/learn/intel-me/

And the more detailed technical information is here:

https://puri.sm/posts/deep-dive-into-intel-me-disablement/

> Also, I wasn't able to find a statement of Purism about the fact that, in the 
> beginning, they claimed the ME was "completely disabled and removed". I mean, 
> that was obviously not true, right?

I can only comment on the current state of things and what we have tried to
be open about on our site. I don't recall them using words like
"completely" but I also wasn't working there at the time.

> 
> From what I see, despite Purism claims they will liberate it probably 
> sometime, purism-bios still only initializes proprietary blobs, which also 
> defeats the purpose. I'm not one for great conspiracy theories, and also at 
> least for now willing to accept the term "opensource-hardware" for something 
> with one or two small irrelevant blobs because they can't be avoided,
> but advertising hardware which runs almost entirely on closed source software 
> (certainly, all the important parts do), that just sounds highly dishonest in 
> my ears.
> 

We may have to agree to disagree here, as I wouldn't characterize loading
an open source coreboot BIOS that includes Intel FSP binary blobs and the
remaining few percent of the closed ME code that we haven't freed yet, and
then boots into a completely free software OS as "almost entirely on closed
source software." It sounds like you are assigning much more importance and
weight into the FSP than I am when thinking about the whole system.

> Last one: Would you honestly recommend people buying your products to 
> improve their security RIGHT NOW, not someday in the future when and if your 
> products will be completely open source? If so, why?

I would. For one, we are one of the few companies who are actively working
to improve the current situation with respect to closed firmware and
software on regular laptops. Not everyone has the ability to reflash
firmware themselves to apply an open source BIOS and erase most of the ME
and so we provide hardware that has that already applied. There are still
binary blobs remaining but we are working to remove those as well.

A lot of the arguments seem to center on some belief that we aren't genuine
in our beliefs because we've set big goals, some of which are long term,
and therefore haven't achieved all of those goals yet. For what it's worth,
we have gone to the extra effort to codify our ethical stance into our
corporate Social Purpose Corporation (SPC) charter and mean what we say.

I personally am working to include Heads as a default tamper-detecting BIOS
option for more security-minded people who order our hardware. Our hardware
runs Qubes 4.0 out of the box and it is the primary OS on both my personal
and work laptops (both Librems). We are actively working to integrate our
Librem Key USB security token with Heads (my PR was just merged this past
week) to provide a simple way to detect tampering in the BIOS and
kernel/initrd/grub config.

Is there still more work to do? Sure. But then I've always liked to be busy
and hated being bored at work. Security is like golf. You try to get closer
to the hole with every stroke. If you just try to get a hole in one every
time you will lose.

-Kyle

> 
> If you could provide me an answer to those Questions, i would be very 
> grateful. 

Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-10 Thread 'casiu' via qubes-users


"We have four ME modules remaining to liberate (and anyone with access to our 
BIOS ROM or our BIOS build script
 can confirm those claims)."

Last time I checked Intel still did not hand you over their signing-keys?
I'm happy to change my mind, please educate me. :) Is the ME completely shut off 
BEFORE the kernel boots up?
If not, I'm sure you know a few ME modules more or less is completely 
irrelevant from a security point of view.

Also, I wasn't able to find a statement of Purism about the fact that, in the 
beginning, they claimed the ME was "completely disabled and removed". I mean, 
that was obviously not true, right?

From what I see, despite Purism claims they will liberate it probably sometime, 
purism-bios still only initializes proprietary blobs, which also defeats the 
purpose. I'm not one for great conspiracy theories, and also at least for now 
willing to accept the term "opensource-hardware" for something with one or two 
small irrelevant blobs because they can't be avoided,
but advertising hardware which runs almost entirely on closed source software 
(certainly, all the important parts do), that just sounds highly dishonest in my 
ears.

Last one: Would you honestly recommend people buying your products to improve 
their security RIGHT NOW, not someday in the future when and if your products 
will be completely open source? If so, why?

If you could provide me an answer to those questions, I would be very grateful. 
I read this post twice, and I hope nobody finds it offensive in any way, I'm 
actually trying to get a productive discussion here.
Please don't let this go emotional, rather provide people with actual, 
verifiable TECHNICAL FACTS.

Happy to learn something new, Casiu.


Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Saturday, November 10, 2018 5:24 PM, Kyle Rankin  wrote:

> It's a shame this thread got hijacked by people slandering the company.
> Could someone who is responsible for the HCL please update it with the data
> I've provided in this thread? This would update the HCL with a version of
> the Librem 13v2 that provides a TPM for people who are considering running
> Qubes 4.0 with AEM.
>
> -Kyle
>
> PS. For what it's worth we continue to work earnestly behind the scenes to
> liberate the remaining binary blobs (FSP and what remains of the ME after
> we disable and delete the majority of the modules) because we want to
> provide people with modern hardware that runs blob-free. For the ME, we
> have already documented what we have done to attempt to both disable (HAP)
> and neuter (zero out modules) the ME. We have four ME modules remaining to
> liberate (and anyone with access to our BIOS ROM or our BIOS build script
> can confirm those claims). Those of you who work in this space are aware of
> the challenges behind all of this and if anyone wants to help us in
> liberating the FSP and the remaining four ME modules that are present we
> would certainly welcome the help.
>
> On Fri, Sep 14, 2018 at 11:10:59AM -0700, Kyle Rankin wrote:
>
> > Install works out of the box with no warnings. I haven't run into any
> > issues with hardware compatibility--hardware in general works (video,
> > audio, all ports, Fn keys). Hardware Kill Switches work as expected within
> > Qubes. Suspend/resume works.
> > By default it works with the standard included coreboot BIOS but I've also
> > tested it with Heads using the TPM and that works as well.
>
> > layout:
> >   'hcl'
> > type:
> >   'laptop'
> > hvm:
> >   'yes'
> > iommu:
> >   'yes'
> > slat:
> >   'yes'
> > tpm:
> >   ''
> > remap:
> >   'yes'
> > brand: |
> >   Purism
> > model: |
> >   Librem 13 v2
> > bios: |
> >   4.7-Purism-4-heads
> > cpu: |
> >   Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz
> > cpu-short: |
> >   FIXME
> > chipset: |
> >   Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Host Bridge/DRAM Registers [8086:1904] (rev 08)
> > chipset-short: |
> >   FIXME
> > gpu: |
> >   Intel Corporation HD Graphics 520 [8086:1916] (rev 07) (prog-if 00 [VGA controller])
> >   Intel Corporation Device [8086:9d24] (rev 21)
> > gpu-short: |
> >   FIXME
> > network: |
> >   Qualcomm Atheros AR9462 Wireless Network Adapter (rev 01)
> > memory: |
> >   16298
> > scsi: |
> >   Samsung SSD 850 Rev: 2B6Q
> >   Samsung SSD 850 Rev: 1B6Q
> > usb: |
> >   1
> > versions:
> >
> > - works:
> >     'FIXME:yes|no|partial'
> >   qubes: |
> >     R4.0
> >   xen: |
> >     4.8.4
> >   kernel: |
> >     4.14.57-2
> >   

Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-10 Thread Holger Levsen
On Sat, Nov 10, 2018 at 09:24:40AM -0800, Kyle Rankin wrote:
> It's a shame this thread got hijacked by people slandering the company.

indeed.

> PS. For what it's worth we continue to work earnestly behind the scenes to
> liberate the remaining binary blobs (FSP and what remains of the ME after
> we disable and delete the majority of the modules) because we want to
> provide people with modern hardware that runs blob-free. For the ME, we
> have already documented what we have done to attempt to both disable (HAP)
> and neuter (zero out modules) the ME. We have four ME modules remaining to
> liberate (and anyone with access to our BIOS ROM or our BIOS build script
> can confirm those claims). Those of you who work in this space are aware of
> the challenges behind all of this and if anyone wants to help us in
> liberating the FSP and the remaining four ME modules that are present we
> would certainly welcome the help.

thanks for this interesting update. Much appreciated!


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C





Re: [qubes-users] HCL - Purism Librem 13 v2

2018-11-10 Thread Kyle Rankin
It's a shame this thread got hijacked by people slandering the company.
Could someone who is responsible for the HCL please update it with the data
I've provided in this thread? This would update the HCL with a version of
the Librem 13v2 that provides a TPM for people who are considering running
Qubes 4.0 with AEM.

-Kyle

PS. For what it's worth we continue to work earnestly behind the scenes to
liberate the remaining binary blobs (FSP and what remains of the ME after
we disable and delete the majority of the modules) because we want to
provide people with modern hardware that runs blob-free. For the ME, we
have already documented what we have done to attempt to both disable (HAP)
and neuter (zero out modules) the ME. We have four ME modules remaining to
liberate (and anyone with access to our BIOS ROM or our BIOS build script
can confirm those claims). Those of you who work in this space are aware of
the challenges behind all of this and if anyone wants to help us in
liberating the FSP and the remaining four ME modules that are present we
would certainly welcome the help.


On Fri, Sep 14, 2018 at 11:10:59AM -0700, Kyle Rankin wrote:
> Install works out of the box with no warnings. I haven't run into any
> issues with hardware compatibility--hardware in general works (video,
> audio, all ports, Fn keys). Hardware Kill Switches work as expected within
> Qubes.  Suspend/resume works.
> 
> By default it works with the standard included coreboot BIOS but I've also
> tested it with Heads using the TPM and that works as well.
> 

> ---
> layout:
>   'hcl'
> type:
>   'laptop'
> hvm:
>   'yes'
> iommu:
>   'yes'
> slat:
>   'yes'
> tpm:
>   ''
> remap:
>   'yes'
> brand: |
>   Purism
> model: |
>   Librem 13 v2
> bios: |
>   4.7-Purism-4-heads
> cpu: |
>   Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz
> cpu-short: |
>   FIXME
> chipset: |
>   Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Host Bridge/DRAM Registers [8086:1904] (rev 08)
> chipset-short: |
>   FIXME
> gpu: |
>   Intel Corporation HD Graphics 520 [8086:1916] (rev 07) (prog-if 00 [VGA 
> controller])
>   Intel Corporation Device [8086:9d24] (rev 21)
> gpu-short: |
>   FIXME
> network: |
>   Qualcomm Atheros AR9462 Wireless Network Adapter (rev 01)
> memory: |
>   16298
> scsi: |
>   Samsung SSD 850  Rev: 2B6Q
>   Samsung SSD 850  Rev: 1B6Q
> usb: |
>   1
> versions:
> 
> - works:
> 'FIXME:yes|no|partial'
>   qubes: |
> R4.0
>   xen: |
> 4.8.4
>   kernel: |
> 4.14.57-2
>   remark: |
> FIXME
>   credit: |
> FIXAUTHOR
>   link: |
> FIXLINK
> 
> ---
> 



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-09-18 Thread 'awokd' via qubes-users
qubes-...@tutanota.com:
> Looks like it is a bit of a blind way. To use the reasonably secure OS 
> without possibility to use it on the reasonably secure HW, is an issue which 
> needs to be addressed a bit. I originally guessed that Qubes would run on the 
> RYF devices well, and I am quite surprised it doesn't (doesn't it?). Is there
> any strong issue which prevents Qubes to function with RYF devices? 

There are no RYF laptops with CPUs that support Intel VT-x with EPT /
AMD-V with RVI (SLAT) and Intel VT-d / AMD-Vi (aka AMD IOMMU).

> Am I missing something on the assumption that RYF devices, with disabled 
> IME-AMT known security hole, with the coreboot  instead of BIOS and so on, 
> are more secure-potential than the non-RYFs? 
> 
> I need a working laptop. Desktop is not an option. 

Check the scale I posted for options. A corebooted Lenovo G505s with
microcode update comes close to RYF.
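
The check implied by the reply above, as an added example that is not part of the thread or of Qubes' own tooling: it parses an HCL report like the one quoted earlier in this thread and tests the `hvm`, `slat` and `iommu` fields against the features listed (VT-x / AMD-V, EPT / RVI, VT-d / AMD-Vi). The function names and the sample text, rebuilt from the quoted report with its indentation restored, are assumptions of this example.

```python
# Added example (not from the thread or the Qubes project): read an HCL report
# and check the CPU features the thread names as needed for Qubes 4.0.

# Constructed sample: top-level fields copied from the HCL report quoted in this
# thread, with the indentation that e-mail quoting stripped put back.
SAMPLE_HCL = """\
---
layout:
  'hcl'
type:
  'laptop'
hvm:
  'yes'
iommu:
  'yes'
slat:
  'yes'
tpm:
  ''
remap:
  'yes'
brand: |
  Purism
model: |
  Librem 13 v2
bios: |
  4.7-Purism-4-heads
cpu-short: |
  FIXME
chipset-short: |
  FIXME
versions:

- works:
    'FIXME:yes|no|partial'
  qubes: |
    R4.0
---
"""

# HCL field -> the hardware feature it records, as named in the thread.
REQUIRED = {
    "hvm": "Intel VT-x / AMD-V",
    "slat": "EPT / RVI",
    "iommu": "Intel VT-d / AMD-Vi",
}


def parse_hcl(text):
    """Return the top-level scalar fields of an HCL report as a dict of strings.

    Each field is a `key:` or `key: |` header followed by indented value lines.
    Parsing stops at `versions:`, whose nested list is not needed here.
    """
    fields = {}
    key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "---":
            continue
        if line[0].isspace():
            if key is None:
                raise ValueError("value line before any field: %r" % raw)
            fields[key].append(line.strip())
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("not a 'key:' header: %r" % raw)
        key = name.strip()
        if key == "versions":
            break
        fields[key] = []
        rest = rest.strip()
        if rest and rest != "|":
            fields[key].append(rest)  # value given inline on the header line
    return {k: _unquote("\n".join(v)) for k, v in fields.items()}


def _unquote(value):
    """Drop one pair of matching surrounding quotes, so "''" becomes ""."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def assess(fields):
    """Return (meets_requirements, missing_features, unfinished_fields)."""
    missing = [name for name in REQUIRED if fields.get(name, "").lower() != "yes"]
    unfinished = sorted(k for k, v in fields.items() if v == "" or "FIXME" in v)
    return (not missing, missing, unfinished)


if __name__ == "__main__":
    ok, missing, unfinished = assess(parse_hcl(SAMPLE_HCL))
    print("meets the Qubes 4.0 requirements named in the thread:", ok)
    for name in missing:
        print("  missing %s (%s)" % (name, REQUIRED[name]))
    print("fields the submitter still has to fill in:", ", ".join(unfinished))
```

An empty `tpm` value, as in the quoted report, is reported as unfinished rather than as a failed requirement.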



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-09-18 Thread 'awokd' via qubes-users



taii...@gmx.com:
> On 09/16/2018 02:51 AM, 'awokd' via qubes-users wrote:

>> At present, RYF has not certified any laptops with hardware capable of
>> running Qubes 4.0, but there are a couple older AMDs that can. A scale of
>> hardware openness/owner control from most to least would be something
>> like:
>>
>> 10: OpenPOWER, RYF certified x86 with all blobs replaced- Qubes 4.0 can't
>> run on either
> 
> Since you mention power and there aren't currently any laptops do you
> mean laptops or desktops? In terms of desktops there are a variety that
> qubes 4.0 can run on.

You're right, forgot the RYF desktops which support 4.0.

> The future is POWER for all...
> 
>> 8: older AMD like A10-5750M- a couple blobs required but Qubes 4.0 works
>> on these and the rest listed
>> 6: pre-Skylake Intel with ME/HAP tweaks- a few more blobs and 2 ME modules
>> required
>> 4: Skylake+ Intel with ME/HAP tweaks, AMD Ryzen with PSP disabled in UEFI
>> config- more blobs and modules required
> 
> That doesn't disable it! you are simply asking nicely for it to shut off
> and hoping that it does so. It is not at all equivalent to say pre-core
> intel systems where one really could disable it or even better one that
> doesn't have any black boxes like the talos.

I know, that's why I didn't rate this higher on my invented scale.

>> 0: Intel/AMD x86 with no tweaks- most shipping volume today
>>
>> ARM (& possibly RISC) is a special case in that the integrator can decide
>> where on the scale they want to deliver their product, but neither support
>> Qubes 4.0.
>>
> 



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-09-17 Thread qubes-fan
Looks like it is a bit of a blind way. To use the reasonably secure OS without 
possibility to use it on the reasonably secure HW, is an issue which needs to 
be addressed a bit. I originally guessed that Qubes would run on the RYF 
devices well, and I am quite surprised it doesn't (doesn't it?). Is there any
strong issue which prevents Qubes to function with RYF devices? 

Am I missing something on the assumption that RYF devices, with disabled 
IME-AMT known security hole, with the coreboot  instead of BIOS and so on, are 
more secure-potential than the non-RYFs? 

I need a working laptop. Desktop is not an option. 


Sep 17, 2018, 11:54 PM by taii...@gmx.com:

> On 09/16/2018 02:51 AM, 'awokd' via qubes-users wrote:
>
>> On Sat, September 15, 2018 10:30 am, qubes-...@tutanota.com wrote:
>>
>>> Hi, during my email conversation with the Todd Weaver
>>>
>
> That liar comes out of nowhere with his super slick marketing and sets
> the computing freedom movement back 10 years.
>
> At first I thought it was just being naive but now as he persists it
> seems more like malice.
>
> puri.junk does NOT respect you, it is fully blobbed and the ME is not at
> all disabled.
>
> Todd weaver is a lying fraudster.
>
>>> in the
>>> pre-IME-disabled time, he told me they will fully disable the IME and AMT
>>> within next week. After about a week they announced they did just that.
>>> Are these links a lie?
>>> https://puri.sm/posts/measuring-the-intel-me-to-create-a-more-secure-computer/
>>> https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/
>>>
>>
>> "Lie" depends on your definition of "completely". Skylake onwards
>> processors can have much of ME disabled. I believe Purism with Heads and a
>> handful of other manufacturers are using the technique here:
>> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html, but as you can
>> see there are still some modules required for initialization before the
>> HAP bit takes effect and skips the remainder. Additionally, there is an
>> FSP blob needed for init. Currently shipping AMD CPUs are no better.
>>
>
> Skylake kernel still runs, that is not disabled and there is more than
> enough ability to play dirty tricks like SMM rootkits or what not.
>
> HAP is asking politely.
>
>>> Talking about alternatives: how the Qubes 4.0 stand with RYF certified
>>> X200? Like for example this one: https://tehnoetic.com/laptops/tet-x200s
>>> and others like T400 and T500,
>>> which can be found there as well. Working well? Any issues known? Thank
>>> you
>>>
>>
>> At present, RYF has not certified any laptops with hardware capable of
>> running Qubes 4.0, but there are a couple older AMDs that can. A scale of
>> hardware openness/owner control from most to least would be something
>> like:
>>
>> 10: OpenPOWER, RYF certified x86 with all blobs replaced- Qubes 4.0 can't
>> run on either
>>
>
> Since you mention power and there aren't currently any laptops do you
> mean laptops or desktops? In terms of desktops there are a variety that
> qubes 4.0 can run on.
>
> The future is POWER for all...
>
>> 8: older AMD like A10-5750M- a couple blobs required but Qubes 4.0 works
>> on these and the rest listed
>> 6: pre-Skylake Intel with ME/HAP tweaks- a few more blobs and 2 ME modules
>> required
>> 4: Skylake+ Intel with ME/HAP tweaks, AMD Ryzen with PSP disabled in UEFI
>> config- more blobs and modules required
>>
>
> That doesn't disable it! you are simply asking nicely for it to shut off
> and hoping that it does so. It is not at all equivalent to say pre-core
> intel systems where one really could disable it or even better one that
> doesn't have any black boxes like the talos.
>
>> 0: Intel/AMD x86 with no tweaks- most shipping volume today
>>
>> ARM (& possibly RISC) is a special case in that the integrator can decide
>> where on the scale they want to deliver their product, but neither support
>> Qubes 4.0.
>>
>

Re: [qubes-users] HCL - Purism Librem 13 v2

2018-09-17 Thread taii...@gmx.com
On 09/16/2018 02:51 AM, 'awokd' via qubes-users wrote:
> On Sat, September 15, 2018 10:30 am, qubes-...@tutanota.com wrote:
>> Hi, during my email conversation with the Todd Weaver 

That liar comes out of nowhere with his super slick marketing and sets
the computing freedom movement back 10 years.

At first I thought it was just being naive but now as he persists it
seems more like malice.

puri.junk does NOT respect you, it is fully blobbed and the ME is not at
all disabled.

Todd weaver is a lying fraudster.

>> in the
>> pre-IME-disabled time, he told me they will fully disable the IME and AMT
>> within next week. After about a week they announced they did just that.
>> Are these links a lie?
>> https://puri.sm/posts/measuring-the-intel-me-to-create-a-more-secure-computer/
>> https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/
> 
> "Lie" depends on your definition of "completely". Skylake onwards
> processors can have much of ME disabled. I believe Purism with Heads and a
> handful of other manufacturers are using the technique here:
> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html, but as you can
> see there are still some modules required for initialization before the
> HAP bit takes effect and skips the remainder. Additionally, there is an
> FSP blob needed for init. Currently shipping AMD CPUs are no better.

Skylake kernel still runs, that is not disabled and there is more than
enough ability to play dirty tricks like SMM rootkits or what not.

HAP is asking politely.

> 
>> Talking about alternatives: how the Qubes 4.0 stand with RYF certified
>> X200? Like for example this one: https://tehnoetic.com/laptops/tet-x200s
>>  and others like T400 and T500,
>> which can be found there as well. Working well? Any issues known? Thank
>> you
> 
> At present, RYF has not certified any laptops with hardware capable of
> running Qubes 4.0, but there are a couple older AMDs that can. A scale of
> hardware openness/owner control from most to least would be something
> like:
> 
> 10: OpenPOWER, RYF certified x86 with all blobs replaced- Qubes 4.0 can't
> run on either

Since you mention power and there aren't currently any laptops do you
mean laptops or desktops? In terms of desktops there are a variety that
qubes 4.0 can run on.

The future is POWER for all...

> 8: older AMD like A10-5750M- a couple blobs required but Qubes 4.0 works
> on these and the rest listed
> 6: pre-Skylake Intel with ME/HAP tweaks- a few more blobs and 2 ME modules
> required
> 4: Skylake+ Intel with ME/HAP tweaks, AMD Ryzen with PSP disabled in UEFI
> config- more blobs and modules required

That doesn't disable it! you are simply asking nicely for it to shut off
and hoping that it does so. It is not at all equivalent to say pre-core
intel systems where one really could disable it or even better one that
doesn't have any black boxes like the talos.

> 0: Intel/AMD x86 with no tweaks- most shipping volume today
> 
> ARM (& possibly RISC) is a special case in that the integrator can decide
> where on the scale they want to deliver their product, but neither support
> Qubes 4.0.
> 



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-09-17 Thread qubes-fan
It is offtopic, but I guess he is referring to the need to run JS to have
Protonmail running with web-browser and register, or a need to run Bridge to
use the Thunderbird. The JS can be anytime replaced with a malicious one and it
is game over.

All clear but it really depends on the OPSEC one has.

My point here was actually about running Qubes, which I consider as one of the
best security solutions available out there in tandem with Tails, on the as
much as possible secure HW. I know, I know, don't stone me, but if I use a
reasonably secure OS, I would like to use it on reasonably secure hardware
(laptop), if that's anyhow possible.


Sep 16, 2018, 9:57 AM by riverbo...@gmail.com:

>>
>> This made me laugh out loud. All your ranting and raving about security and 
>> dishonesty, and you sent the message using PROTON MAIL. Good lord. Talk 
>> about dishonesty and pseudo-security.
>>
>
> Off Topic - but... would you care to elaborate what fault you alleged in 
> Protonmail and your source?
>



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-09-16 Thread Dave
> 
> This made me laugh out loud. All your ranting and raving about security and 
> dishonesty, and you sent the message using PROTON MAIL. Good lord. Talk about 
> dishonesty and pseudo-security.

Off Topic - but... would you care to elaborate what fault you alleged in 
Protonmail and your source?



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-09-16 Thread 'awokd' via qubes-users
On Sat, September 15, 2018 10:30 am, qubes-...@tutanota.com wrote:
> Hi, during my email conversation with the Todd Weaver in the
> pre-IME-disabled time, he told me they will fully disable the IME and AMT
> within next week. After about a week they announced they did just that.
> Are these links a lie?
> https://puri.sm/posts/measuring-the-intel-me-to-create-a-more-secure-computer/
> https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/

"Lie" depends on your definition of "completely". Skylake onwards
processors can have much of ME disabled. I believe Purism with Heads and a
handful of other manufacturers are using the technique here:
http://blog.ptsecurity.com/2017/08/disabling-intel-me.html, but as you can
see there are still some modules required for initialization before the
HAP bit takes effect and skips the remainder. Additionally, there is an
FSP blob needed for init. Currently shipping AMD CPUs are no better.

> Talking about alternatives: how the Qubes 4.0 stand with RYF certified
> X200? Like for example this one: https://tehnoetic.com/laptops/tet-x200s
>  and others like T400 and T500,
> which can be found there as well. Working well? Any issues known? Thank
> you

At present, RYF has not certified any laptops with hardware capable of
running Qubes 4.0, but there are a couple older AMDs that can. A scale of
hardware openness/owner control from most to least would be something
like:

10: OpenPOWER, RYF certified x86 with all blobs replaced- Qubes 4.0 can't
run on either
8: older AMD like A10-5750M- a couple blobs required but Qubes 4.0 works
on these and the rest listed
6: pre-Skylake Intel with ME/HAP tweaks- a few more blobs and 2 ME modules
required
4: Skylake+ Intel with ME/HAP tweaks, AMD Ryzen with PSP disabled in UEFI
config- more blobs and modules required
0: Intel/AMD x86 with no tweaks- most shipping volume today

ARM (& possibly RISC) is a special case in that the integrator can decide
where on the scale they want to deliver their product, but neither support
Qubes 4.0.



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-09-15 Thread 'casiu' via qubes-users
You are confusing security with privacy. I'm using protonmail, because it's one
of the very few Email-providers where one is able to register an account without
providing any personal data. I don't have the need nor time nor skill to setup /
maintain an emailserver.
Simply because I distrust everything except my own laptop.

But you're right, Gmail for sure is the better choice.

For security (not privacy) you might wanna look into pgp, here you go.

https://en.wikipedia.org/wiki/Pretty_Good_Privacy

You're welcome.


Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Saturday, September 15, 2018 5:17 PM,  wrote:

> On Saturday, September 15, 2018 at 8:32:23 AM UTC-7, casiu wrote:
>
> > Sent with ProtonMail Secure Email.
> > ‐‐‐ Original Message ‐‐‐
> > On Saturday, September 15, 2018 10:30 AM, qubes-...@tutanota.com wrote:
> >
> > > Hi, during my email conversation with the Todd Weaver in the 
> > > pre-IME-disabled time, he told me they will fully disable the IME and AMT 
> > > within next week. After about a week they announced they did just that. 
> > > > Are these links a lie?
> > > > https://puri.sm/posts/measuring-the-intel-me-to-create-a-more-secure-computer/
> > > > https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/
> > > > Talking about alternatives: how the Qubes 4.0 stand with RYF certified
> > > > X200? Like for example this one: https://tehnoetic.com/laptops/tet-x200s
> > > > and others like T400 and T500,
> > > > which can be found there as well. Working well? Any issues known?
> > > Thank you
> > > Sep 15, 2018, 1:00 AM by taii...@gmx.com:
> > >
> > > > Everyone please be aware that purism's marketing is dishonest.
> > > > Their products do not have open source firmware[1] and the ME is not
> > > > disabled (the kernel still runs along with mask roms and the me hw init
> > > > code)
> > > > Intel chips or any new x86 for that matter do NOT respect your privacy!
> > > > [1]Their coreboot is simply a shim loader layer for Intel's FSP binary
> > > > blob that performs the hardware initiation - these days coreboot doesn't
> > > > necessarily mean open source firmware.
> > > > In terms of laptops it is much better to purchase for instance an owner
> > > > controlled pre-PSP AMD G505S[2] which has open cpu/ram init via coreboot
> > > > or one of the ivy/sandy thinkpads which while not owner controlled are
> > > > significantly more free than puri.crap as they have open cpu/ram/gpu
> > > > init via coreboot and their ME can be nerfed down to the BUP layer which
> > > > > while is not at all equivalent to not having an ME at all such as on
> > > > non-x86 arches or pre-PSP AMD it is still much better.
> > > > All of my laptop recommendations here work great with Qubes 4.0 and
> > > > there is a nice little qubes g505s community.
> > > > [2](for the best user experience make sure to get the highest end quad
> > > > core A10 model if you buy one - although the less expensive A6 quad core
> > > > models are still quite usable)
> > > > I do not have an issue with purism selling non-free laptops - I have an
> > > > issue with them being dishonest.
> > > >

Re: [qubes-users] HCL - Purism Librem 13 v2

2018-09-15 Thread dangmadzyu
On Saturday, September 15, 2018 at 8:32:23 AM UTC-7, casiu wrote:
> Sent with ProtonMail Secure Email.
> 
> ‐‐‐ Original Message ‐‐‐
> On Saturday, September 15, 2018 10:30 AM,  wrote:
> 
> > Hi, during my email conversation with the Todd Weaver in the 
> > pre-IME-disabled time, he told me they will fully disable the IME and AMT 
> > > within next week. After about a week they announced they did just that. Are
> > > these links a lie?
> > > https://puri.sm/posts/measuring-the-intel-me-to-create-a-more-secure-computer/
> > > https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/
> > >
> > > Talking about alternatives: how the Qubes 4.0 stand with RYF certified
> > > X200? Like for example this one: https://tehnoetic.com/laptops/tet-x200s
> > > and others like T400 and T500,
> > > which can be found there as well. Working well? Any issues known?
> > Thank you
> >
> > Sep 15, 2018, 1:00 AM by taii...@gmx.com:
> >
> > > Everyone please be aware that purism's marketing is dishonest.
> > > Their products do not have open source firmware[1] and the ME is not
> > > disabled (the kernel still runs along with mask roms and the me hw init
> > > code)
> > > Intel chips or any new x86 for that matter do NOT respect your privacy!
> > > [1]Their coreboot is simply a shim loader layer for Intel's FSP binary
> > > blob that performs the hardware initiation - these days coreboot doesn't
> > > necessarily mean open source firmware.
> > > In terms of laptops it is much better to purchase for instance an owner
> > > controlled pre-PSP AMD G505S[2] which has open cpu/ram init via coreboot
> > > or one of the ivy/sandy thinkpads which while not owner controlled are
> > > significantly more free than puri.crap as they have open cpu/ram/gpu
> > > init via coreboot and their ME can be nerfed down to the BUP layer which
> > > > while is not at all equivalent to not having an ME at all such as on
> > > non-x86 arches or pre-PSP AMD it is still much better.
> > > All of my laptop recommendations here work great with Qubes 4.0 and
> > > there is a nice little qubes g505s community.
> > > [2](for the best user experience make sure to get the highest end quad
> > > core A10 model if you buy one - although the less expensive A6 quad core
> > > models are still quite usable)
> > > I do not have an issue with purism selling non-free laptops - I have an
> > > issue with them being dishonest.
> > > --
> > > You received this message because you are subscribed to the Google Groups 
> > > "qubes-users" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an 
> > > email to > qubes-users+unsubscr...@googlegroups.com 
> > > mailto:qubes-users+unsubscr...@googlegroups.com> .
> > > To post to this group, send email to > qubes-users@googlegroups.com 
> > > mailto:qubes-users@googlegroups.com> .
> > > To view this discussion on the web visit > 
> > > https://groups.google.com/d/msgid/qubes-users/b706b02b-6461-3461-7a6b-19b8ebdb9a8f%40gmx.com
> > >  
> > > https://groups.google.com/d/msgid/qubes-users/b706b02b-6461-3461-7a6b-19b8ebdb9a8f%40gmx.com>
> > >  .
> > > For more options, visit > https://groups.google.com/d/optout 
> > > https://groups.google.com/d/optout> .
> >
> > --
> >
> > You received this message because you are subscribed to the Google Groups 
> > "qubes-users" group.
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to qubes-users+unsubscr...@googlegroups.com.
> > To post to this group, send email to qubes-users@googlegroups.com.
> > To view this discussion on the web visit 
> > https://groups.google.com/d/msgid/qubes-users/LMRlztC--3-1%40tutanota.com.
> > For more options, visit https://groups.google.com/d/optout.



This made me laugh out loud. All your ranting and raving about security and 
dishonesty, and you sent the message using PROTON MAIL. Good lord. Talk about 
dishonesty and pseudo-security.



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-09-15 Thread 'casiu' via qubes-users
Unfortunately, yes, those links are definitely a lie.
I'm not going to even comment their dishonest advertising-language, but in short:
there is a huge difference between removing something for good or verifying
that there most likely hasn't been changed anything.
Also, the intel ME thing is from what I have been told totally over the top,
the real issues with Purism products lie elsewhere.

I recently got interested in this thematic and almost bought a Purism, but
luckily asked first in the coreboot irc. I'd really recommend to do some
research.
There are plenty of sites who show the technical reasons why one should
never buy Purism stuff.
That being said, purism current approach using HEADS is a lot better than the
stuff they sold in the beginning, one could argue that their current laptops
actually might improve your security a little bit.
If it's worth the extra money is a personal choice, I myself feel like it's just
way too much money for a device which STILL runs almost entirely on proprietary
software.
If you are serious about your security, I'd recommend a G505s (I don't have one
though) or an x230, I do have one, and it rocks.

There will be no blobs whatsoever present except the EC-blob (probably
liberated soon) and the BUP module.
Also, they are highly modular (someone custom built mine with fhd display,
classic style keyboard, external antenna etc etc, and i fucking love it ;).


Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Saturday, September 15, 2018 10:30 AM,  wrote:

> Hi, during my email conversation with the Todd Weaver in the pre-IME-disabled 
> time, he told me they will fully disable the IME and AMT within next week. 
> After about a week they announced they did just that. Are these links a lie?
> https://puri.sm/posts/measuring-the-intel-me-to-create-a-more-secure-computer/
> https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/
>
> Talking about alternatives: how the Qubes 4.0 stand with RYF certified X200?
> Like for example this one: https://tehnoetic.com/laptops/tet-x200s
> and others like T400 and T500, which
> can be found there as well. Working well? Any issues known?
> Thank you
>
> Sep 15, 2018, 1:00 AM by taii...@gmx.com:
>
> > Everyone please be aware that purism's marketing is dishonest.
> > Their products do not have open source firmware[1] and the ME is not
> > disabled (the kernel still runs along with mask roms and the me hw init
> > code)
> > Intel chips or any new x86 for that matter do NOT respect your privacy!
> > [1]Their coreboot is simply a shim loader layer for Intel's FSP binary
> > blob that performs the hardware initiation - these days coreboot doesn't
> > necessarily mean open source firmware.
> > In terms of laptops it is much better to purchase for instance an owner
> > controlled pre-PSP AMD G505S[2] which has open cpu/ram init via coreboot
> > or one of the ivy/sandy thinkpads which while not owner controlled are
> > significantly more free than puri.crap as they have open cpu/ram/gpu
> > init via coreboot and their ME can be nerfed down to the BUP layer which
> > while is not at all equivalent to not having an ME at all such as on
> > non-x86 arches or pre-PSP AMD it is still much better.
> > All of my laptop recommendations here work great with Qubes 4.0 and
> > there is a nice little qubes g505s community.
> > [2](for the best user experience make sure to get the highest end quad
> > core A10 model if you buy one - although the less expensive A6 quad core
> > models are still quite usable)
> > I do not have an issue with purism selling non-free laptops - I have an
> > issue with them being dishonest.

Re: [qubes-users] HCL - Purism Librem 13 v2

2018-09-15 Thread qubes-fan
Hi, during my email conversation with Todd Weaver in the pre-IME-disabled 
time, he told me they will fully disable the IME and AMT within the next week. 
After about a week they announced they did just that. Are these links a lie?
https://puri.sm/posts/measuring-the-intel-me-to-create-a-more-secure-computer/
https://puri.sm/posts/purism-librem-laptops-completely-disable-intel-management-engine/

Talking about alternatives: how does Qubes 4.0 stand with the RYF certified X200? 
Like for example this one: https://tehnoetic.com/laptops/tet-x200s 
and others like T400 and T500, which can be found there as well. Working well? 
Any issues known?
Thank you


Sep 15, 2018, 1:00 AM by taii...@gmx.com:

> Everyone please be aware that purism's marketing is dishonest.
>
> Their products do not have open source firmware[1] and the ME is not
> disabled (the kernel still runs along with mask roms and the me hw init
> code)
>
> Intel chips or any new x86 for that matter do NOT respect your privacy!
>
> [1]Their coreboot is simply a shim loader layer for Intel's FSP binary
> blob that performs the hardware initiation - these days coreboot doesn't
> necessarily mean open source firmware.
>
> In terms of laptops it is much better to purchase for instance an owner
> controlled pre-PSP AMD G505S[2] which has open cpu/ram init via coreboot
> or one of the ivy/sandy thinkpads which while not owner controlled are
> significantly more free than puri.crap as they have open cpu/ram/gpu
> init via coreboot and their ME can be nerfed down to the BUP layer which
> while is not at all equivalent to not having an ME at all such as on
> non-x86 arches or pre-PSP AMD it is still much better.
>
> All of my laptop recommendations here work great with Qubes 4.0 and
> there is a nice little qubes g505s community.
>
> [2](for the best user experience make sure to get the highest end quad
> core A10 model if you buy one - although the less expensive A6 quad core
> models are still quite usable)
>
>
> I do not have an issue with purism selling non-free laptops - I have an
> issue with them being dishonest.
>



Re: [qubes-users] HCL - Purism Librem 13 v2

2018-09-14 Thread taii...@gmx.com
Everyone please be aware that purism's marketing is dishonest.

Their products do not have open source firmware[1] and the ME is not
disabled (the kernel still runs along with mask roms and the me hw init
code)

Intel chips or any new x86 for that matter do NOT respect your privacy!

[1]Their coreboot is simply a shim loader layer for Intel's FSP binary
blob that performs the hardware initiation - these days coreboot doesn't
necessarily mean open source firmware.

In terms of laptops it is much better to purchase for instance an owner
controlled pre-PSP AMD G505S[2] which has open cpu/ram init via coreboot
or one of the ivy/sandy thinkpads which while not owner controlled are
significantly more free than puri.crap as they have open cpu/ram/gpu
init via coreboot and their ME can be nerfed down to the BUP layer which
while is not at all equivalent to not having an ME at all such as on
non-x86 arches or pre-PSP AMD it is still much better.

All of my laptop recommendations here work great with Qubes 4.0 and
there is a nice little qubes g505s community.

[2](for the best user experience make sure to get the highest end quad
core A10 model if you buy one - although the less expensive A6 quad core
models are still quite usable)


I do not have an issue with purism selling non-free laptops - I have an
issue with them being dishonest.



[qubes-users] HCL - Purism Librem 13 v2

2018-09-14 Thread Kyle Rankin
Install works out of the box with no warnings. I haven't run into any
issues with hardware compatibility--hardware in general works (video,
audio, all ports, Fn keys). Hardware Kill Switches work as expected within
Qubes.  Suspend/resume works.

By default it works with the standard included coreboot BIOS but I've also
tested it with Heads using the TPM and that works as well.

---
layout:
  'hcl'
type:
  'laptop'
hvm:
  'yes'
iommu:
  'yes'
slat:
  'yes'
tpm:
  ''
remap:
  'yes'
brand: |
  Purism
model: |
  Librem 13 v2
bios: |
  4.7-Purism-4-heads
cpu: |
  Intel(R) Core(TM) i7-6500U CPU @ 2.50GHz
cpu-short: |
  FIXME
chipset: |
  Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Host Bridge/DRAM Registers [8086:1904] (rev 08)
chipset-short: |
  FIXME
gpu: |
  Intel Corporation HD Graphics 520 [8086:1916] (rev 07) (prog-if 00 [VGA controller])
  Intel Corporation Device [8086:9d24] (rev 21)
gpu-short: |
  FIXME
network: |
  Qualcomm Atheros AR9462 Wireless Network Adapter (rev 01)
memory: |
  16298
scsi: |
  Samsung SSD 850  Rev: 2B6Q
  Samsung SSD 850  Rev: 1B6Q
usb: |
  1
versions:

- works:
    'FIXME:yes|no|partial'
  qubes: |
    R4.0
  xen: |
    4.8.4
  kernel: |
    4.14.57-2
  remark: |
    FIXME
  credit: |
    FIXAUTHOR
  link: |
    FIXLINK

---