Re: [qubes-users] Lenovo Precision 7540 available without vPro OR with Intel ME Disabled

2019-11-26 Thread Steve Coleman

On 2019-11-26 16:05, Lambda wrote:
Lenovo's 2019 laptop is currently on sale and their CPU selection[1] 
includes:

- i7-9750H: no vPro, No Out-of-Band Systems Management
- i7-9850H: vPro, Intel ME Disabled
Strangely enough in Europe[2] they list it as:
- i7-9750H: no vPro, No Out-of-Band Systems Management (so no option to 
fully disable ME)

- i7-9850H: vPro, No Out-of-Band Systems Management
I don't know if it's a website bug or if they simply don't disable ME in 
the EU!


It's not clear what the implication of each option is.
For example vPro is an umbrella term for ME, SGX, TXT, Boot Guard, VT-x, 
VT-d.
So by choosing a CPU without vPro would that mean it would be impossible 
to use virtualization? Doubtful I would guess.


If I choose the non-vPro CPU without ME, SGX, TXT, Boot Guard; what 
exactly do I lose?
I'm aware that for AEM support I would need to have ME and TXT 1.2. But 
those CPUs have TPM 2.x
And it seems SGX is also a security hazard. Not sure if problems have 
been fixed with the latest CPUs.
It looks like the only advantage of the i7-9850H is that it has software 
and hardware patches for most of the security vulnerabilities [3]. While 
the i7-9750H does not.


This link might make it 'a little' clearer about the difference:

https://www.intel.com/content/www/us/en/products/compare-products.html/processors?productIds=191045,191047

Look at the "Advanced Technologies" and "Security & Reliability" drop downs.

They both have VT-x, VT-d, EPT, OS Guard, and SGX/ME

The i7-9850H adds on the vPro, TSX-NI, Trusted Execution, and SIPP, none 
of which you need as far as I can tell.



Am I wrong in my analysis? Which CPU would you recommend?
Would that recommendation change if I was running Linux instead?

Thank you.

[1] 
https://www.dell.com/en-us/work/shop/cty/pdp/spd/precision-15-7540-laptop/xctop754015us
[2] 
https://www.dell.com/en-uk/work/shop/workstations/precision-7540-build-your-own/spd/precision-15-7540-laptop/xctop7540emea
[3] 
https://www.intel.com/content/www/us/en/architecture-and-technology/engineering-new-protections-into-hardware.html


--
You received this message because you are subscribed to the Google 
Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2973fa8f-f761-4520-b969-3dbbbd40a948%40googlegroups.com.




[qubes-users] Lenovo Precision 7540 available without vPro OR with Intel ME Disabled

2019-11-26 Thread Lambda
Lenovo's 2019 laptop is currently on sale and their CPU selection[1] 
includes:
- i7-9750H: no vPro, No Out-of-Band Systems Management
- i7-9850H: vPro, Intel ME Disabled
Strangely enough in Europe[2] they list it as:
- i7-9750H: no vPro, No Out-of-Band Systems Management (so no option to 
fully disable ME)
- i7-9850H: vPro, No Out-of-Band Systems Management
I don't know if it's a website bug or if they simply don't disable ME in 
the EU!

It's not clear what the implication of each option is.
For example vPro is an umbrella term for ME, SGX, TXT, Boot Guard, VT-x, 
VT-d.
So by choosing a CPU without vPro would that mean it would be impossible to 
use virtualization? Doubtful I would guess.

If I choose the non-vPro CPU without ME, SGX, TXT, Boot Guard; what exactly 
do I lose?
I'm aware that for AEM support I would need to have ME and TXT 1.2. But 
those CPUs have TPM 2.x
And it seems SGX is also a security hazard. Not sure if problems have been 
fixed with the latest CPUs.
It looks like the only advantage of the i7-9850H is that it has software and 
hardware patches for most of the security vulnerabilities [3]. While the 
i7-9750H does not.

Am I wrong in my analysis? Which CPU would you recommend?
Would that recommendation change if I was running Linux instead?

Thank you.

[1] 
https://www.dell.com/en-us/work/shop/cty/pdp/spd/precision-15-7540-laptop/xctop754015us
[2] 
https://www.dell.com/en-uk/work/shop/workstations/precision-7540-build-your-own/spd/precision-15-7540-laptop/xctop7540emea
[3] 
https://www.intel.com/content/www/us/en/architecture-and-technology/engineering-new-protections-into-hardware.html
