Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-05-22 Thread Ivan Ivanov
Alternatively, it could be that NDA is required not exactly to get
these updated microcode files for our a-bit-old CPUs, but to
understand - against what vulnerabilities these microcodes are trying
to give the protection. Maybe there are some secret release notes that
usually come with these microcodes to the OEMs. If you would look at
the commit message which came with 15h/17h files, you would not notice
any mention of the vulnerabilities and spectre - or any other mention
of what has been changed or improved. Its "just an update" -
https://marc.info/?l=linux-kernel=152651230014241=2 . More
messages from this author -
https://marc.info/?a=13724479713=1=2

Best regards,
Ivan

2018-05-22 15:34 GMT+03:00 Ivan Ivanov :
> I think: at the moment, the only possible way to become confident that
> a new 15h microcode at linux-firmware.git is the same (or at least
> close to being the same) as being offered to us under an NDA, without
> signing this NDA, is to install this microcode to your coreboot and
> then run some tests to see the degree of vulnerability to the various
> spectres. Also, that AMD person has uploaded only 15h and 17h -
> meanwhile, there are some nice desktop coreboot-supported 16h boards
> like ASUS AM1I-A (they are early-16h so they do not have PSP backdoor,
> only late-16h has), and these 16h boards are still vulnerable. I will
> try to contact to "remind" about 16h. Maybe they don't share the
> microcodes publicly until they have fully tested them, and NDA is a
> way for OEMs to get the not-publicly-released-yet microcodes to test
> on their hardware. It could be that AMD's guidelines require fully
> testing a new microcode at all the compatible platforms before
> releasing it publicly even if its just a matter of setting a few bits
> - to make sure that all the other functions are still working
> correctly
>
> Best regards,
> Ivan
>
> 2018-05-22 8:19 GMT+03:00 taii...@gmx.com :
>> *ML thread reply*
>> Hey guys you can install the latest microcode now from linux-firmware,
>> no NDA or w/e I believe this is the latest version.
>> See my thread on the coreboot ML for more info.
>>
>> Remember folks the G505S has a piledriver cpu and thus it NEEDS a
>> microcode update to have IOMMU (and thus work for V4) and be secure due
>> to various exploits.
>>
>> before:
>> microcode: CPU0 patch_level=0x0600084f
>>
>> after:
>> microcode: CPU0: new patch_level=0x06000852
>>
>> I think this is the latest version but I don't know for sure.
>>
>> --
>> You received this message because you are subscribed to a topic in the 
>> Google Groups "qubes-users" group.
>> To unsubscribe from this topic, visit 
>> https://groups.google.com/d/topic/qubes-users/WEppbuqRpfY/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to 
>> qubes-users+unsubscr...@googlegroups.com.
>> To post to this group, send email to qubes-users@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/qubes-users/e14e74a7-044f-41c2-0dad-90438aacc1cf%40gmx.com.
>> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFD7KPUiVOBJFCgN2JprZ1oB2Yr2CPh4Z3bkLcrynqRFgA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-05-22 Thread Ivan Ivanov
I think: at the moment, the only possible way to become confident that
a new 15h microcode at linux-firmware.git is the same (or at least
close to being the same) as being offered to us under an NDA, without
signing this NDA, is to install this microcode to your coreboot and
then run some tests to see the degree of vulnerability to the various
spectres. Also, that AMD person has uploaded only 15h and 17h -
meanwhile, there are some nice desktop coreboot-supported 16h boards
like ASUS AM1I-A (they are early-16h so they do not have PSP backdoor,
only late-16h has), and these 16h boards are still vulnerable. I will
try to contact to "remind" about 16h. Maybe they don't share the
microcodes publicly until they have fully tested them, and NDA is a
way for OEMs to get the not-publicly-released-yet microcodes to test
on their hardware. It could be that AMD's guidelines require fully
testing a new microcode at all the compatible platforms before
releasing it publicly even if its just a matter of setting a few bits
- to make sure that all the other functions are still working
correctly

Best regards,
Ivan

2018-05-22 8:19 GMT+03:00 taii...@gmx.com :
> *ML thread reply*
> Hey guys you can install the latest microcode now from linux-firmware,
> no NDA or w/e I believe this is the latest version.
> See my thread on the coreboot ML for more info.
>
> Remember folks the G505S has a piledriver cpu and thus it NEEDS a
> microcode update to have IOMMU (and thus work for V4) and be secure due
> to various exploits.
>
> before:
> microcode: CPU0 patch_level=0x0600084f
>
> after:
> microcode: CPU0: new patch_level=0x06000852
>
> I think this is the latest version but I don't know for sure.
>
> --
> You received this message because you are subscribed to a topic in the Google 
> Groups "qubes-users" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/qubes-users/WEppbuqRpfY/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to 
> qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-users/e14e74a7-044f-41c2-0dad-90438aacc1cf%40gmx.com.
> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFB-Y8ZWHzwb0tq-KT3qFEJD%3DxfWWhP4oEMxyZKCwBxXNg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-05-21 Thread taii...@gmx.com
*ML thread reply*
Hey guys you can install the latest microcode now from linux-firmware,
no NDA or w/e I believe this is the latest version.
See my thread on the coreboot ML for more info.

Remember folks the G505S has a piledriver cpu and thus it NEEDS a
microcode update to have IOMMU (and thus work for V4) and be secure due
to various exploits.

before:
microcode: CPU0 patch_level=0x0600084f

after:
microcode: CPU0: new patch_level=0x06000852

I think this is the latest version but I don't know for sure.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e14e74a7-044f-41c2-0dad-90438aacc1cf%40gmx.com.
For more options, visit https://groups.google.com/d/optout.


0xDF372A17.asc
Description: application/pgp-keys


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-05-17 Thread Ivan Ivanov
These microcodes from platomav are not new enough to have spectre v2
fixed at them! We are in the process of requesting an updated
microcodes from AMD, and there is already some progress: we have been
offered the updated microcodes with spectre V2 fix under the NDA.
However, most likely this NDA requirement is only because of the Ryzen
microcodes and maybe the microcodes for the other CPUs with built-in
PSP Platform Secure Processor. We have asked AMD to offer us a smaller
set of the microcodes (for the older CPUs only) which will be possible
to obtain without signing the NDA, and we are currently waiting for
reply. It does not make sense to ask the NDA for the microcodes of
CPUs that are ~5 years old, also, the older microcodes could be found
as publicly shared at e.g. linux-firmware.git and nobody sent a DMCA
takedown regarding them , so most likely it means that both 15h and
16h microcodes, as well as some other older ones, should be possible
to obtain without any NDAs. We will keep you updated

Best regards,
Ivan Ivanov

2018-05-16 5:50 GMT+03:00 awokd :
> On Sat, May 12, 2018 7:58 pm, matthewwbradl...@gmail.com wrote:
>> On Saturday, May 12, 2018 at 3:38:31 PM UTC-4, mattheww...@gmail.com
>
>>> Does anybody know where I can find an up-to-date copy of the microcode
>>> for this laptop? The latest microcode images I've been able to find
>>> *anywhere* are
>>> https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd-ucode
>>> which according to the logs date back to 2016 and therefore can't
>>> possibly contain spectre mitigations for an A10-5750M CPU.
>>>
>>> Supposedly AMD has/will release mitigating microcode for family 15h but
>>> I don't think AMD has an equivalent to:
>>> https://downloadcenter.intel.com/download/27776/Linux-Processor-Microcode-Data-File
>>>
>>> Does AMD even announce when they release microcode for a particular
>>> family/CPU? Ideally they'd have a list of CPU->microcode.tar.gz but one
>>> can only dream I guess...
>>>
>>> The next step of course will be figuring out how to build coreboot to
>>> load the microcode image, but, one step at a time.
>>
>> EDIT:
>> https://web.archive.org/web/20160726141516/http://www.amd64.org:80/microcode.html
>> doesn't seem to have been up since 2016
>
> See below. There seems to be a way to do it if you edit the patch file
> directly into microcode_amd_fam15h.bin (but we might be getting off-topic
> for Qubes here).
>
> https://www.mail-archive.com/coreboot@coreboot.org/msg51496.html
>
>
>
>
>
> --
> You received this message because you are subscribed to a topic in the Google 
> Groups "qubes-users" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/qubes-users/WEppbuqRpfY/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to 
> qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-users/ae712ae15304863b9cb47190d8db7f13%40elude.in.
> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFBLbjznJZSOmexVGSKFCRMuE1fiHemCbitap9ZEvPEJ_g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-05-15 Thread awokd
On Sat, May 12, 2018 7:58 pm, matthewwbradl...@gmail.com wrote:
> On Saturday, May 12, 2018 at 3:38:31 PM UTC-4, mattheww...@gmail.com

>> Does anybody know where I can find an up-to-date copy of the microcode
>> for this laptop? The latest microcode images I've been able to find
>> *anywhere* are
>> https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd-ucode
>> which according to the logs date back to 2016 and therefore can't
>> possibly contain spectre mitigations for an A10-5750M CPU.
>>
>> Supposedly AMD has/will release mitigating microcode for family 15h but
>> I don't think AMD has an equivalent to:
>> https://downloadcenter.intel.com/download/27776/Linux-Processor-Microcode-Data-File
>>
>> Does AMD even announce when they release microcode for a particular
>> family/CPU? Ideally they'd have a list of CPU->microcode.tar.gz but one
>> can only dream I guess...
>>
>> The next step of course will be figuring out how to build coreboot to
>> load the microcode image, but, one step at a time.
>
> EDIT:
> https://web.archive.org/web/20160726141516/http://www.amd64.org:80/microcode.html
> doesn't seem to have been up since 2016

See below. There seems to be a way to do it if you edit the patch file
directly into microcode_amd_fam15h.bin (but we might be getting off-topic
for Qubes here).

https://www.mail-archive.com/coreboot@coreboot.org/msg51496.html





-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ae712ae15304863b9cb47190d8db7f13%40elude.in.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Lenovo G505S Coreboot

2018-05-12 Thread matthewwbradley6
On Saturday, May 12, 2018 at 3:38:31 PM UTC-4, mattheww...@gmail.com wrote:
> On Wednesday, January 18, 2017 at 6:34:29 AM UTC-5, Asterysk wrote:
> > >First of all we need to make sure that you are prepared for flashing. 
> > >coreboot image cannot be >flashed internally on Lenovo G505S through a 
> > >purely software way (I tried with >internal:laptop=force_I_want_a_brick 
> > >flashrom option, it always fails, cant do that!) . 
> > 
> > >To install a coreboot, you will have to: 
> > >1) get some hardware tools like screwdrivers, CH341A USB flasher and 
> > >SOIC-8 test clip 
> > >2) tear down your laptop to access the motherboard 
> > >3) take SOIC-8 test clip and attach its wires to USB flasher that is 
> > >supported by flashrom (such as CH341A), then attach SOIC-8 test clip to 
> > >BIOS chip with 8 legs, then plug USB flasher device to another computer 
> > >with Linux (while it is still connected to G505S motherboard through wires 
> > >and SOIC-8 test clip) 
> > >4) using flashrom, make a dump of your existing BIOS just in case, then 
> > >flash a new coreboot image with verification 5) assemble your laptop in 
> > >reverse order . That is exactly how computer repair shops are repairing 
> > >laptops with failed BIOS updates, and are earning pretty good money on it 
> > 
> > >Here is a hardware flashing manual - 
> > >http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate . 
> > 
> > Everything is described in a great detail here: complete list of tools and 
> > where you could buy them (need to spend from $0 to $30, depends on what 
> > tools you already have), how to connect these tools properly, a lot of 
> > helpful photos - for example, photo of G505S motherboard, so you could 
> > easily see where is that BIOS chip with 8 legs is located, dont need to 
> > spend time reading the motherboard chip labels. While this instruction 
> > mentions Bus Pirate USB flasher, the instructions for CH341A USB flasher 
> > are exactly the same - only a flashrom command is different (could see this 
> > command at the end of page) 
> > 
> > My current coreboot build is from December 2016 - it is not the latest, but 
> > still pretty recent, so I am not going to rebuild it from scratch yet. 
> > Still, there is one component inside BIOS image that could be easily 
> > updated: KolibriOS, tiny wonderful open source operating system that fits 
> > on a floppy. It could be launched from SeaBIOS Boot Menu, and works as a 
> > RamDisk (no changes to your computer saved). After you tell that you are 
> > prepared for hardware BIOS flashing, I will take KolibriOS latest daily 
> > build, add it to ROM and send a complete coreboot BIOS ROM to you 
> > 
> > Please reply if you have any questions 
> > 
> > Best regards, 
> > qmastery
> > ---
> > 
> > Is it possible to also reflash the USB firmware at the same time in case it 
> > has been tampered by Bad USB ?
> 
> Does anybody know where I can find an up-to-date copy of the microcode for 
> this laptop? The latest microcode images I've been able to find *anywhere* are
> https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd-ucode
> which according to the logs date back to 2016 and therefore can't possibly 
> contain spectre mitigations for an A10-5750M CPU.
> 
> Supposedly AMD has/will release mitigating microcode for family 15h but I 
> don't think AMD has an equivalent to: 
> https://downloadcenter.intel.com/download/27776/Linux-Processor-Microcode-Data-File
>  
> 
> Does AMD even announce when they release microcode for a particular 
> family/CPU? Ideally they'd have a list of CPU->microcode.tar.gz but one can 
> only dream I guess...
> 
> The next step of course will be figuring out how to build coreboot to load 
> the microcode image, but, one step at a time.

EDIT: 
https://web.archive.org/web/20160726141516/http://www.amd64.org:80/microcode.html
 doesn't seem to have been up since 2016

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fff92020-1c6d-49c9-9090-dcfbdff66613%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Lenovo G505S Coreboot

2018-05-12 Thread matthewwbradley6
On Wednesday, January 18, 2017 at 6:34:29 AM UTC-5, Asterysk wrote:
> >First of all we need to make sure that you are prepared for flashing. 
> >coreboot image cannot be >flashed internally on Lenovo G505S through a 
> >purely software way (I tried with >internal:laptop=force_I_want_a_brick 
> >flashrom option, it always fails, cant do that!) . 
> 
> >To install a coreboot, you will have to: 
> >1) get some hardware tools like screwdrivers, CH341A USB flasher and SOIC-8 
> >test clip 
> >2) tear down your laptop to access the motherboard 
> >3) take SOIC-8 test clip and attach its wires to USB flasher that is 
> >supported by flashrom (such as CH341A), then attach SOIC-8 test clip to BIOS 
> >chip with 8 legs, then plug USB flasher device to another computer with 
> >Linux (while it is still connected to G505S motherboard through wires and 
> >SOIC-8 test clip) 
> >4) using flashrom, make a dump of your existing BIOS just in case, then 
> >flash a new coreboot image with verification 5) assemble your laptop in 
> >reverse order . That is exactly how computer repair shops are repairing 
> >laptops with failed BIOS updates, and are earning pretty good money on it 
> 
> >Here is a hardware flashing manual - 
> >http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate . 
> 
> Everything is described in a great detail here: complete list of tools and 
> where you could buy them (need to spend from $0 to $30, depends on what tools 
> you already have), how to connect these tools properly, a lot of helpful 
> photos - for example, photo of G505S motherboard, so you could easily see 
> where is that BIOS chip with 8 legs is located, dont need to spend time 
> reading the motherboard chip labels. While this instruction mentions Bus 
> Pirate USB flasher, the instructions for CH341A USB flasher are exactly the 
> same - only a flashrom command is different (could see this command at the 
> end of page) 
> 
> My current coreboot build is from December 2016 - it is not the latest, but 
> still pretty recent, so I am not going to rebuild it from scratch yet. Still, 
> there is one component inside BIOS image that could be easily updated: 
> KolibriOS, tiny wonderful open source operating system that fits on a floppy. 
> It could be launched from SeaBIOS Boot Menu, and works as a RamDisk (no 
> changes to your computer saved). After you tell that you are prepared for 
> hardware BIOS flashing, I will take KolibriOS latest daily build, add it to 
> ROM and send a complete coreboot BIOS ROM to you 
> 
> Please reply if you have any questions 
> 
> Best regards, 
> qmastery
> ---
> 
> Is it possible to also reflash the USB firmware at the same time in case it 
> has been tampered by Bad USB ?

Does anybody know where I can find an up-to-date copy of the microcode for this 
laptop? The latest microcode images I've been able to find *anywhere* are
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd-ucode
which according to the logs date back to 2016 and therefore can't possibly 
contain spectre mitigations for an A10-5750M CPU.

Supposedly AMD has/will release mitigating microcode for family 15h but I don't 
think AMD has an equivalent to: 
https://downloadcenter.intel.com/download/27776/Linux-Processor-Microcode-Data-File
 

Does AMD even announce when they release microcode for a particular family/CPU? 
Ideally they'd have a list of CPU->microcode.tar.gz but one can only dream I 
guess...

The next step of course will be figuring out how to build coreboot to load the 
microcode image, but, one step at a time.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4b6c8e67-8188-4212-9998-8e1d1e9e2e1e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-05-04 Thread Andrew B
Got it. I understand I need to build the coreboot image and flash it. However 
still a little confused on how exactly to implement the microcode update? I 
assume its still not a part of the latest coreboot. 

Was it these two files I am looking for changes in?

src/vendorcode/amd/agesa/f15tn/Proc/CPU/Family/0x15/TN/F15TnEquivalenceTable.c  

src/vendorcode/amd/agesa/f15tn/Proc/CPU/Family/0x15/TN/F15TnMicrocodePatch0600110F_Enc.c

or do I understand correctly that I can run these commands at a Debian terminal 
and get the needed output too?

dd skip=5284 iflag=skip_bytes 
if=/lib/firmware/amd-ucode/microcode_amd_fam15h.bin of=amd.bin 
xxd -i amd.bin 

I then copy some/all of that content and paste it into the image file itself?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a21a8d4a-18f9-4ca5-9b28-1c4dae1a3ff2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-04-30 Thread taii...@gmx.com
On 04/30/2018 08:49 PM, Andrew B wrote:

> OK, just to clarify, if I am to build the coreboot image, I need to do that 
> on the G505s by say running Debian or Ubuntu (presumably could use a Live 
> disc/USB) or similar and building the image as shown here?
> https://www.coreboot.org/Board:lenovo/g505s#Building_a_coreboot_image
Yeah.
But you need another PC in case something goes wrong.
> Then I take the created coreboot.rom file and load it onto a separate 
> computer where I can externally flash the G505s as shown here: 
> http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate
Get a USB CH341A, they're easier.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6a4db6a2-96a8-b6fc-9130-b3416111cc65%40gmx.com.
For more options, visit https://groups.google.com/d/optout.


0xDF372A17.asc
Description: application/pgp-keys


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-04-30 Thread Andrew B
OK, just to clarify, if I am to build the coreboot image, I need to do that on 
the G505s by say running Debian or Ubuntu (presumably could use a Live 
disc/USB) or similar and building the image as shown here?
https://www.coreboot.org/Board:lenovo/g505s#Building_a_coreboot_image

Then I take the created coreboot.rom file and load it onto a separate computer 
where I can externally flash the G505s as shown here: 
http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/40dcefb1-64ab-49d1-911e-b71c4c9b6756%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-04-20 Thread David Hobach



On 04/20/2018 12:21 PM, River~~ wrote:

correction where I said



My assumption is that the time is explained by the fact that it is not
only booting the physical machine but also the various CMs that are tagged
to be started at bootup.



I meant VMs, not CMs



correction where I said


My assumption is that the time is explained by the fact that it is
not only booting the physical machine but also the various CMs that
are tagged to be started at bootup. 



I meant VMs, not CMs


Yes, it tends to be 7s for normal booting with SSD and 30s+ for the VMs 
- that's normal. There is a feature request [1] out there to get the VMs 
started after X instead of before. So that might change in the future.


[1] https://github.com/QubesOS/qubes-issues/issues/3149

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/78ab7eae-1279-0bb0-af0d-6d4321127c9c%40hackingthe.net.
For more options, visit https://groups.google.com/d/optout.


smime.p7s
Description: S/MIME Cryptographic Signature


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-04-20 Thread River~~
correction where I said

>
> My assumption is that the time is explained by the fact that it is not
> only booting the physical machine but also the various CMs that are tagged
> to be started at bootup.
>

I meant VMs, not CMs

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAK3jUKoxR9ct5FE4U1UqsZsCWtNVBSw0aubo6wSTNZ2KFQcKEw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-04-20 Thread River~~
 wrote:

> On Tuesday, April 10, 2018 at ...


 One question I have is regarding boot time for 4.0.  Is it several minutes
> long for you on coreboot/Qubes 4.0?


It is what I am seeing. Is this significantly longer than for Qubes 3.2? (I
am new here and  never used 3.2)

My assumption is that the time is explained by the fact that it is not only
booting the physical machine but also the various CMs that are tagged to be
started at bootup.

I also get a Failed to Load Kernel Modules message early on


Yes, I see this as the first line after the four Tuxes appear.

I think the message is slightly different - from memory it is

Failed to Start Load Kernel Modules



>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAK3jUKorcGAefCFefr%2B4bvpgKqrwfZgEkoxByEzPxrYcVMXfCw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-04-19 Thread qubesthrowaway
On Tuesday, April 10, 2018 at 7:08:37 AM UTC, qma ster wrote:
> Hi there Friend ! What 8 cells battery you have got, and from which seller?
> It is either your battery needs a few power cycles to get to its' full
> performance,
> or maybe you have received a battery with the different power cells
> (not SANYO) :
> e.g. your original battery was SANYO but that new 8cells could be SMP ? :P
> 
> If you would look at the PDF Hardware Maintenance Manual for Lenovo G505S 
> laptop
> (easily found online, contains many FRU replacement parts
> descriptions/IDs, useful)
> you will see that - even for the official G505S batteries, there were
> three manufacturers:
> Sanyo, LG, SMP (Simplo). According to some tests, Sanyo are much
> better than SMP/LG.
> 
> Please look at the attached picture - it contains a small review of
> the battery cells (could be expanded)
> 
> my 8cells battery is Sanyo, and its almost twice longer battery life!
> Mike result is ~1.5x longer,
> but he haven't told me who made his cells, or I forgot what he has
> replied to me and couldnt find.
> Guess its a bit of a lottery... If your battery would not perform
> better after a few power cycles,
> you could try getting another 8 cells battery, preferably from another
> seller - for a higher chance
> that these batteries would be from the different batches with the
> different internals - and we will see
> 
> However, if you would look through this guide above, there are some
> more worthy investments:
> in example, AR9462 wireless network adapter from ath9k family - does
> not need the binary blobs,
> runs on 100% open source and supports 2.4GHz/5GHz and even Bluetooth,
> works fine even at the
> Stallman-endorsed Linux distros. Ideally, batteries should be bought
> after you have got everything else.
> By the way, 2-3 times per year you could get 10-20% off AliExpress
> coupons for a great real discount
> 
> Retyped table from the attached image (so that it will be searchable
> through the Internet) :
> 

Thanks for all the info!  I bought my battery from some random seller on eBay 
and it was disappointing initially but seems better after a few cycles.  I may 
check out your recommended ones anyway.  I did many of the other recommended 
upgrades already, including replacing the thermal paste, the WiFi adapter and 
upgrading to 16gb of Patriot Viper RAM and an SSD.

I'm very happy with my current setup thanks to you and others.  One question I 
have is regarding boot time for 4.0.  Is it several minutes long for you on 
coreboot/Qubes 4.0?  I also get a Failed to Load Kernel Modules message early 
on in Qubes boot if that matters.  Once it's up and running, things run 
smoothly.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a7dfba15-9558-48bf-a2f8-452b98ba45cd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-04-10 Thread Ivan Ivanov
Hi there Friend ! What 8 cells battery you have got, and from which seller?
It is either your battery needs a few power cycles to get to its' full
performance,
or maybe you have received a battery with the different power cells
(not SANYO) :
e.g. your original battery was SANYO but that new 8cells could be SMP ? :P

If you would look at the PDF Hardware Maintenance Manual for Lenovo G505S laptop
(easily found online, contains many FRU replacement parts
descriptions/IDs, useful)
you will see that - even for the official G505S batteries, there were
three manufacturers:
Sanyo, LG, SMP (Simplo). According to some tests, Sanyo are much
better than SMP/LG.

Please look at the attached picture - it contains a small review of
the battery cells (could be expanded)

my 8cells battery is Sanyo, and its almost twice longer battery life!
Mike result is ~1.5x longer,
but he haven't told me who made his cells, or I forgot what he has
replied to me and couldnt find.
Guess its a bit of a lottery... If your battery would not perform
better after a few power cycles,
you could try getting another 8 cells battery, preferably from another
seller - for a higher chance
that these batteries would be from the different batches with the
different internals - and we will see

However, if you would look through this guide above, there are some
more worthy investments:
in example, AR9462 wireless network adapter from ath9k family - does
not need the binary blobs,
runs on 100% open source and supports 2.4GHz/5GHz and even Bluetooth,
works fine even at the
Stallman-endorsed Linux distros. Ideally, batteries should be bought
after you have got everything else.
By the way, 2-3 times per year you could get 10-20% off AliExpress
coupons for a great real discount

Retyped table from the attached image (so that it will be searchable
through the Internet) :

Laptop batteries for | Model -- ___ | __ | Stated __| Max energy
capacity | Max energy capacity __| __|
G505S and other __| battery cells | ___| capacity | by design
__| after 3 months of _| __|
compatible Lenovo | manufacturer | Voltage | in mAh _| (as seen by
| heavy usage _| Rating |
laptops __|___| ___|_| Ubuntu Linux OS )
__| | __|
official Lenovo | L12S4E01 -- | 14.4V | 2900 mAh | 3.8 Wh
| 3.5 Wh (94% of design) | medium |
4 cells battery | SANYO
|__|__|___| |
battery |
(older revision)
|___|__|__||_|__|
official Lenovo | L12M4E01 -- | 14.88V | 2800 mAh | 3.8 Wh
| 3.1 Wh (81% of design) | bad__ |
4 cells battery | Simplo
_|___|__|___| |
battery |
(newer revision) | Technology
|___|__|___||___|
__| ( SMP )
___|__|__|||___|
8cells G505S battery | " Replace | 14.4V _| 5200 mAh | 6.3 Wh
| 6.1 Wh (96% of design) | the best |
by AliExpress seller _| L12L4A02,
|__|__|___| ___| battery
!_|
MX (HK) LTD -- _| L12L4E01,
|__|__|___|||
Ming Xuan | L12M4A02 "
|_|__|___||_|
__| -- SANYO
|__|__|___||_|

NOTE: battery model number is L12*4E01, where * letter means the
manufacturer of battery cells.
in L12S4E01 , S means SANYO, || in L12M4E01 , M means Simplo Technology ( SMP ),
in L12L4E01, L means LG chemicals || Older (official) batteries were
usually SANYO, newer
(official) batteries are usually SMP, sadly. My experience: SANYO
cells are the best performance

Best regards,
Ivan Ivanov aka qmastery

2018-04-04 4:53 GMT+03:00  :
> Among other suggestions, I added an 8-cell battery to my G505s.  What kind of 
> battery life are people getting with these?  Mine seems hardly better than 
> the OEM 4-cell.  Just wondering if I got a bum battery or if the improvement 
> isn't really that significant.
>
> Thanks again to everyone for helping me get my G505s up and going with 
> coreboot and for all the useful info on recommended upgrades here.
>
> --
> You received this message because you are subscribed to a topic in the Google 
> Groups "qubes-users" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/qubes-users/WEppbuqRpfY/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to 
> qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-users/0b9d5ae8-6650-47de-9de1-1d520e7b77d5%40googlegroups.com.
> For 

Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-04-03 Thread qubesthrowaway
Among other suggestions, I added an 8-cell battery to my G505s.  What kind of 
battery life are people getting with these?  Mine seems hardly better than the 
OEM 4-cell.  Just wondering if I got a bum battery or if the improvement isn't 
really that significant.

Thanks again to everyone for helping me get my G505s up and going with coreboot 
and for all the useful info on recommended upgrades here.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0b9d5ae8-6650-47de-9de1-1d520e7b77d5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-04-01 Thread Ivan Ivanov
Thank you very much for answering the qubesthrowaway's questions !
Regarding
> Some of us G505s users are putting together a page with tips on
Coreboot and Qubes, but I'm not sure where it will end up yet
- sorry for delay! we just got a bit distracted with KolibriOS driver stuff
(will be really awesome if that assembly network driver becomes a reality!),
in the same time we would like to
1) upgrade the LZMA libraries of coreboot/seabios - the currently used
ones are very very outdated
2) add paq8px compression support for putting even more useful stuff
to our small 4 MB BIOS chips
By the way it could be possible to upgrade a BIOS chip to 8 MB or even
to 16 MB ;-)
Asterysk has been trying to test this but accidentally damaged a
copper track on his motherboard,
so its going to take a while before we find out the answer to this question.
Ideally we'd like to stay at 4 MB, because if some of us would be
sitting at 8 MB / 16 MB
while everyone else is at 4 MB BIOS chips - that would result in
unnecessary fragmentation,
so more of our efforts should be going towards those "compression methods".
On average, paq8px is 25% better compression than LZMA used by coreboot/SeaBIOS,
but it is much slower - perhaps it is going to take about 3 minutes to
extract 1.44MB KolibriOS floppy
to boot it, although we have not tested this on bare metal (from
coreboot) yet - could be faster!
There are also some extra challenges, e.g. paq8px sources are C++ but
coreboot is C
and doesn't even have g++ in its' toolchains, so I'm unsure how to
merge them together.
And using a "random g++" provided by some distro does not guarantee
that this will be bootable.
Maybe you know a great way of how to put C++ code into coreboot and
make it compile?

Best regards,
Ivan Ivanov aka qmastery

2018-03-28 0:52 GMT+03:00 'awokd' via qubes-users
:
> On Mon, March 26, 2018 6:36 am, qubesthrowa...@gmail.com wrote:
>
> Could you please trim emails when you reply? It was hard to find your
> questions in all that text!
>
>> Would it be a bad idea to run a PCIe SSD off of this instead of the WiFi
>> card?
>
> I'm not sure you could fit one in there, the hole is only big enough for
> half-height mini-PCIe cards.
>
>> Would 1866MHz @ CL10 be as good/better?
>
> Not sure on this one; Coreboot can be picky on memory timings. Might have
> to dig in to the source code to see if that is supported, if nobody else
> knows.
>
>> I just ordered a G505S and several of these upgrades and I'm excited to
>> try flashing coreboot and getting Qubes going on it.  Thanks for all the
>> tips/help.
>
> Welcome! Some of us G505s users are putting together a page with tips on
> Coreboot and Qubes, but I'm not sure where it will end up yet.
>
> --
> You received this message because you are subscribed to a topic in the Google 
> Groups "qubes-users" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/qubes-users/WEppbuqRpfY/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to 
> qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-users/e08ce7eb54c001a711c200acb10e0024.squirrel%40tt3j2x4k5ycaa5zt.onion.
> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAaskFDF7J4kPHUbyZyo%3DM6QR19MW789x4Zqe2JJXPzji8XgWQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-04-01 Thread qubesthrowaway
On Sunday, April 1, 2018 at 10:20:29 AM UTC-5, awokd wrote:
> On Sun, April 1, 2018 2:53 pm, qubesthrowa...@gmail.com wrote:
> >> 1) Erase a BIOS chip and flash it with coreboot -
> >> http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirat
> >> e . For a BIOS image you could either:
> >
> > I decided to use your prebuilt rom and flashed it successfully on my
> > G505s last night.  Afterwards, I began the Qubes 4.0 installation.  It
> > installed fine, but following the restart it freezes while setting up the
> > Template VMs.  I waiting several hours to verify that it was indeed
> > frozen.  I restarted and tried setup again and it keeps freezing at
> > various points (Fedora Template, Debian Template, Whonix).  I then tried
> > a fresh reinstall but that yielded the same result.
> >
> > I'm currently in the process of downloading 4.0 again and I'll try the
> > install on a different usb stick.  Is there anything else that I might
> > try to make this work?  Thanks for any assistance.
> 
> If you're referring to the rom from Qmaster's post from a year ago, it
> doesn't contain the microcode update needed to run 4.0. See
> https://review.coreboot.org/22843? . There are some more notes
> http://dangerousprototypes.com/docs/Lenovo_G505S_hacking, but be warned
> it's still pretty rough. I can help you build your own Coreboot image with
> the patch or if you trust anonymous strangers bearing gifts, send you the
> one I built for myself. Let me know if you need either!

I'd love to try your prebuilt one!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/50f8866d-849d-4bad-806a-9cafa8c62d68%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-04-01 Thread taii...@gmx.com
FYI the microcode update is mandatory no matter what OS you are running
otherwise I could literally root your computer with a few commands due
to the NMI exploit on piledriver CPU's and of course the IOMMU wouldn't
work either so no DMA protection.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/242012f5-5225-3bd7-8bb6-1bc5ed8380a0%40gmx.com.
For more options, visit https://groups.google.com/d/optout.


0xDF372A17.asc
Description: application/pgp-keys


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-04-01 Thread 'awokd' via qubes-users
On Sun, April 1, 2018 2:53 pm, qubesthrowa...@gmail.com wrote:
>> 1) Erase a BIOS chip and flash it with coreboot -
>> http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirat
>> e . For a BIOS image you could either:
>
> I decided to use your prebuilt rom and flashed it successfully on my
> G505s last night.  Afterwards, I began the Qubes 4.0 installation.  It
> installed fine, but following the restart it freezes while setting up the
> Template VMs.  I waiting several hours to verify that it was indeed
> frozen.  I restarted and tried setup again and it keeps freezing at
> various points (Fedora Template, Debian Template, Whonix).  I then tried
> a fresh reinstall but that yielded the same result.
>
> I'm currently in the process of downloading 4.0 again and I'll try the
> install on a different usb stick.  Is there anything else that I might
> try to make this work?  Thanks for any assistance.

If you're referring to the rom from Qmaster's post from a year ago, it
doesn't contain the microcode update needed to run 4.0. See
https://review.coreboot.org/22843? . There are some more notes
http://dangerousprototypes.com/docs/Lenovo_G505S_hacking, but be warned
it's still pretty rough. I can help you build your own Coreboot image with
the patch or if you trust anonymous strangers bearing gifts, send you the
one I built for myself. Let me know if you need either!


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6d535d467bbe3ad3a11ff06ac0213b7d.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-04-01 Thread qubesthrowaway
> 1) Erase a BIOS chip and flash it with coreboot - 
> http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate . 
> For a BIOS image you could either:

I decided to use your prebuilt rom and flashed it successfully on my G505s last 
night.  Afterwards, I began the Qubes 4.0 installation.  It installed fine, but 
following the restart it freezes while setting up the Template VMs.  I waiting 
several hours to verify that it was indeed frozen.  I restarted and tried setup 
again and it keeps freezing at various points (Fedora Template, Debian 
Template, Whonix).  I then tried a fresh reinstall but that yielded the same 
result.

I'm currently in the process of downloading 4.0 again and I'll try the install 
on a different usb stick.  Is there anything else that I might try to make this 
work?  Thanks for any assistance.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/00a0dca6-69a6-4322-91b9-105db0c33470%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-03-30 Thread qubesthrowaway
On Tuesday, March 27, 2018 at 4:52:33 PM UTC-5, awokd wrote:

> 
> Could you please trim emails when you reply? It was hard to find your
> questions in all that text!
> 

Sorry about not trimming the original!

> 
> I'm not sure you could fit one in there, the hole is only big enough for
> half-height mini-PCIe cards.
>
 
Okay.  I found some half mini PCIe SSD but it appears to just use SATA 
interface and probably not worth losing WiFi.

> 
> Not sure on this one; Coreboot can be picky on memory timings. Might have
> to dig in to the source code to see if that is supported, if nobody else
> knows.
> 
Good to know.

> Welcome! Some of us G505s users are putting together a page with tips on
> Coreboot and Qubes, but I'm not sure where it will end up yet.

That would be amazing and much appreciated.  This seems like a great hardware 
choice for running Qubes.  I have the tools and have flashed a BIOS chip before 
so I feel okay about that part, but building the coreboot file is going to 
stretch me a bit.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bcc0c21d-ce90-4e2d-8c61-6594826a89b8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-03-27 Thread 'awokd' via qubes-users
On Mon, March 26, 2018 6:36 am, qubesthrowa...@gmail.com wrote:

Could you please trim emails when you reply? It was hard to find your
questions in all that text!

> Would it be a bad idea to run a PCIe SSD off of this instead of the WiFi
> card?

I'm not sure you could fit one in there, the hole is only big enough for
half-height mini-PCIe cards.

> Would 1866MHz @ CL10 be as good/better?

Not sure on this one; Coreboot can be picky on memory timings. Might have
to dig in to the source code to see if that is supported, if nobody else
knows.

> I just ordered a G505S and several of these upgrades and I'm excited to
> try flashing coreboot and getting Qubes going on it.  Thanks for all the
> tips/help.

Welcome! Some of us G505s users are putting together a page with tips on
Coreboot and Qubes, but I'm not sure where it will end up yet.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e08ce7eb54c001a711c200acb10e0024.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2018-03-27 Thread qubesthrowaway
On Thursday, January 19, 2017 at 7:28:12 AM UTC-6, qma ster wrote:
> четверг, 19 января 2017 г., 12:16:12 UTC+3 пользователь qmast...@gmail.com 
> написал:
> > четверг, 19 января 2017 г., 7:08:46 UTC+3 пользователь Asterysk написал:
> > > On Thursday, 19 January 2017 03:04:32 UTC+4, tai...@gmx.com  wrote:
> > > > As always physical access is a checkmate situation, you need to not be 
> > > > an idiot and don't leave your stuff in overseas hotel rooms or not have 
> > > > secure locks on your door.
> > > 
> > > Unless USB port seals (e.g. 
> > > http://www.padjack.com/padjack-versions/usb-port-lock/) are put in place 
> > > as soon as the laptop is removed from the manufacturers box it is 
> > > impossible to know whether someone has installed a device that has in 
> > > turn infected firmware. A similar situation for any DMA access ports 
> > > (Thunderbolt etc) 
> > > 
> > > I'm interested in being able to take a possibly infected laptop (i.e. 
> > > infected with firmware malware) and reset it to a known safe starting 
> > > point. Coreboot seems to handle the BIOS (thank you for clarification 
> > > that it completely rewrite legacy and UEFI). Replacing the HD with a new 
> > > SSD should handle that firmware attack vector. That leaves the other 
> > > EEPROMS.
> > > 
> > > I figure, if I'm going to strip down my G505S to reflash with Coreboot, I 
> > > should see what other EEPROMs I can reflash.
> > > 
> > > Apart from the obvious RAM and SSD upgrade and possible putting switches 
> > > on peripherals, are there any other hardware mods you can suggest for the 
> > > G505S.
> > > 
> > > Having sorted out the hardware, I am then going to be looking to use 
> > > Qubes to protect against any attempts to reflash through Malware and 
> > > after thats done, I'll be looking for ways to detect that any attack is 
> > > being attempted.
> > > 
> > > All in all I think I've got about a years work ahead !
> > 
> > To reduce the number of "EEPROMs" you could disconnect: a touch pad, DVD 
> > drive, web camera ; Maybe also a small board with LS-9901P part number 
> > (dont confuse with LA-9901P), see its' google pictures online - and 
> > according to G505S laptop's LA-A091P motherboard datasheet (which also 
> > contains a datasheet for laptop's smaller boards) this board has a Realtek 
> > chip for card reader. By the way, you could either find out what lines of 
> > flex cable the card reader is using, and install a custom jumper on them ; 
> > or maybe get a flex cable with the same number of pins / same pitch between 
> > them , find (from datasheet?) what lines that lonely USB port is using to 
> > get to Bolton-M3 FCH, get a USB female header and solder a custom adapter 
> > which adds only a USB port to laptop (so no card reader chip). Probably the 
> > hardest thing to do is to disconnect a web camera - you will need to tear 
> > down a screen which is quite risky. BTW screen also contains the internal 
> > reprogrammable memory (e.g. for storing EDID), and a malicious firmware 
> > could cause screen to transfer information through electromagnetic impulses 
> > (TEMPEST? - http://www.surasoft.com/articles/tempest.php )
> > 
> > Actually it is possible to remove a motherboard with CPU, CPU Fan, 
> > Heatsink, Power Jack Wire, and Power Button Board attached (could make a 
> > custom power button adapter with huge convenient buttons!) and create a 
> > custom case for all this stuff. If you are lucky you could find someone 
> > selling a used G505S with broken screen for very cheap price, and do that. 
> > This way you avoid webcam, screen, dvd drive, touchpad, card reader chip, 
> > and internal keyboard (see below why)
> > 
> > Maybe don't need to seal the USB ports yet: it not just seriously reducing 
> > the usability of this laptop, but also makes it impossible to connect a USB 
> > keyboard. Maybe you would prefer that, when you type, your keystrokes are 
> > going through external keyboard's USB controller, rather than through 
> > laptop's Embedded Controller KB9012 which has a closed source firmware and 
> > controls PS/2-like laptop's internal keyboard. You could make your own open 
> > hardware USB keyboard with open source firmware, and using it will be 
> > slightly safer (and slightly less convenient) than laptop's internal one
> > 
> > Also, another possible hardware mod (not related to security) - instead of 
> > DVD drive you could install a fan for extra cooling, see 
> > http://forum.notebookreview.com/threads/10mm-5v-cooler-instead-of-laptops-dvd-slimline-sata.797064/
> >  . Although dont know if it worth it, because some really great external 
> > USB coolers are available - 
> > https://www.aliexpress.com/item/Mini-LCD-Vacuum-USB-Cooler-Air-Extracting-Cooling-Fan-Turbo-Radiator-Low-Noise-Desgin-for-Laptop/32231641439.html
> 
> Please read a message above... If we are talking about the motherboard, main 
> board of this laptop : aside from 4MB BIOS flash chip and 128KB EC KB9012's 
> 

Re: [qubes-users] Re: Lenovo G505S Coreboot

2017-12-27 Thread qma ster
Tuesday 26 December 2017 г., 15:18:14 UTC+0 user Blooorp wrote:
> Le mardi 26 décembre 2017 00:05:28 UTC+1, tai...@gmx.com a écrit :
> > On 12/25/2017 12:16 PM, Blooorp wrote:
> > 
> > > Le lundi 25 décembre 2017 16:27:11 UTC+1, awokd a écrit :
> > >> On Mon, December 25, 2017 3:07 pm, Blooorp wrote:
> > >>> "Devices/Add a VGA BIOS image (don't specify location or IDs, let it
> > >>> auto-populate) "
> > >>>
> > >>> make: *** No rule to make target 'vgabios.bin', needed by
> > >>> 'build/coreboot.pre'. Stop.
> > >>>
> > >>>
> > >>> Looks like it didn't work, should I put the location and ID of the one I
> > >>> extracted from the stock bios?
> > >> I think I copied mine to the top level coreboot folder as "vgabios.bin"
> > >> and let it find it there.
> > >>
> > >> Email me directly if it's still not working and I can help, we're off
> > >> topic from qubes-users now...
> > > Everything works now, my mistake was using the wrong vgabios.bin, the 
> > > stock bios contains the ones for each version of the laptop but I didn't 
> > > know that so I took the first that I found, with device ID 6663.
> > > The one I then searched for and that worked, thanks to awokd, was with 
> > > device ID 990b, appropriate for the G505s with integrated graphics and 
> > > not discrete card.
> > >
> > Don't forget about that microcode update - it is mandatory both for for 
> > security and IOMMU.
> > 
> > Use the patch that awoke made, a true service to the community - the 
> > lenovo g505s is now properly working and is the best laptop for qubes as 
> > it supports an open source init version of coreboot without ME/PSP 
> > unlike purisms laptops with the not really disabled ME and entirely 
> > blobbed silicon init via intel FSP.
> 
> Didn't forget about it, he did some awesome work :)
> 
> I took my time to choose the right laptop to get into Qubes, really feels 
> that I made the right choice !
> But now, I need to make Qubes work on it, I'm collecting the issues haha

The perfect VGA BIOSes for Lenovo G505S could be obtained here - 
https://mail.coreboot.org/pipermail/coreboot/2017-July/084680.html

Go to "g505s-atombios" repository and download one or two vgabios files 
(depending on if your G505S had just integrated GPU, or integrated+discrete), 
then compare their checksums - and, if the checksums are correct - feel free to 
add them to your completed coreboot BIOS build. At the ReadMe of this 
repository, you could see how to add (or remove) a vgabios file to coreboot 
BIOS after its building - one or two simple commands.

Actually, for G505S with "integrated+discrete GPU" even a single vgabios for 
integrated GPU - would be enough to show the image on display. I just hope 
that, if you add both vgabios you could somehow make your discrete GPU working 
(it still doesnt work for me)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3822342b-1205-4be1-8623-bb9cba8c71db%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2017-12-26 Thread Blooorp
Le mardi 26 décembre 2017 00:05:28 UTC+1, tai...@gmx.com a écrit :
> On 12/25/2017 12:16 PM, Blooorp wrote:
> 
> > Le lundi 25 décembre 2017 16:27:11 UTC+1, awokd a écrit :
> >> On Mon, December 25, 2017 3:07 pm, Blooorp wrote:
> >>> "Devices/Add a VGA BIOS image (don't specify location or IDs, let it
> >>> auto-populate) "
> >>>
> >>> make: *** No rule to make target 'vgabios.bin', needed by
> >>> 'build/coreboot.pre'. Stop.
> >>>
> >>>
> >>> Looks like it didn't work, should I put the location and ID of the one I
> >>> extracted from the stock bios?
> >> I think I copied mine to the top level coreboot folder as "vgabios.bin"
> >> and let it find it there.
> >>
> >> Email me directly if it's still not working and I can help, we're off
> >> topic from qubes-users now...
> > Everything works now, my mistake was using the wrong vgabios.bin, the stock 
> > bios contains the ones for each version of the laptop but I didn't know 
> > that so I took the first that I found, with device ID 6663.
> > The one I then searched for and that worked, thanks to awokd, was with 
> > device ID 990b, appropriate for the G505s with integrated graphics and not 
> > discrete card.
> >
> Don't forget about that microcode update - it is mandatory both for for 
> security and IOMMU.
> 
> Use the patch that awoke made, a true service to the community - the 
> lenovo g505s is now properly working and is the best laptop for qubes as 
> it supports an open source init version of coreboot without ME/PSP 
> unlike purisms laptops with the not really disabled ME and entirely 
> blobbed silicon init via intel FSP.

Didn't forget about it, he did some awesome work :)

I took my time to choose the right laptop to get into Qubes, really feels that 
I made the right choice !
But now, I need to make Qubes work on it, I'm collecting the issues haha

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a2a17389-fa86-4ef1-be57-26eab8feb169%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2017-12-25 Thread taii...@gmx.com

On 12/25/2017 12:16 PM, Blooorp wrote:


Le lundi 25 décembre 2017 16:27:11 UTC+1, awokd a écrit :

On Mon, December 25, 2017 3:07 pm, Blooorp wrote:

"Devices/Add a VGA BIOS image (don't specify location or IDs, let it
auto-populate) "

make: *** No rule to make target 'vgabios.bin', needed by
'build/coreboot.pre'. Stop.


Looks like it didn't work, should I put the location and ID of the one I
extracted from the stock bios?

I think I copied mine to the top level coreboot folder as "vgabios.bin"
and let it find it there.

Email me directly if it's still not working and I can help, we're off
topic from qubes-users now...

Everything works now, my mistake was using the wrong vgabios.bin, the stock 
bios contains the ones for each version of the laptop but I didn't know that so 
I took the first that I found, with device ID 6663.
The one I then searched for and that worked, thanks to awokd, was with device 
ID 990b, appropriate for the G505s with integrated graphics and not discrete 
card.

Don't forget about that microcode update - it is mandatory both for for 
security and IOMMU.


Use the patch that awoke made, a true service to the community - the 
lenovo g505s is now properly working and is the best laptop for qubes as 
it supports an open source init version of coreboot without ME/PSP 
unlike purisms laptops with the not really disabled ME and entirely 
blobbed silicon init via intel FSP.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/04faa467-9978-b94d-828b-e82ee25858f3%40gmx.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2017-12-25 Thread Blooorp
Le lundi 25 décembre 2017 16:27:11 UTC+1, awokd a écrit :
> On Mon, December 25, 2017 3:07 pm, Blooorp wrote:
> >
> > "Devices/Add a VGA BIOS image (don't specify location or IDs, let it
> > auto-populate) "
> >
> > make: *** No rule to make target 'vgabios.bin', needed by
> > 'build/coreboot.pre'. Stop.
> >
> >
> > Looks like it didn't work, should I put the location and ID of the one I
> > extracted from the stock bios?
> 
> I think I copied mine to the top level coreboot folder as "vgabios.bin"
> and let it find it there.
> 
> Email me directly if it's still not working and I can help, we're off
> topic from qubes-users now...

Everything works now, my mistake was using the wrong vgabios.bin, the stock 
bios contains the ones for each version of the laptop but I didn't know that so 
I took the first that I found, with device ID 6663.
The one I then searched for and that worked, thanks to awokd, was with device 
ID 990b, appropriate for the G505s with integrated graphics and not discrete 
card.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6ac37dcd-5b99-48bd-9524-63d53fbfb78b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2017-12-25 Thread 'awokd' via qubes-users
On Mon, December 25, 2017 3:07 pm, Blooorp wrote:
>
> "Devices/Add a VGA BIOS image (don't specify location or IDs, let it
> auto-populate) "
>
> make: *** No rule to make target 'vgabios.bin', needed by
> 'build/coreboot.pre'. Stop.
>
>
> Looks like it didn't work, should I put the location and ID of the one I
> extracted from the stock bios?

I think I copied mine to the top level coreboot folder as "vgabios.bin"
and let it find it there.

Email me directly if it's still not working and I can help, we're off
topic from qubes-users now...


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/80d656a4e734839f31b0b57ad40ab633.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2017-12-25 Thread Blooorp
Le lundi 25 décembre 2017 15:50:33 UTC+1, awokd a écrit :
> On Mon, December 25, 2017 2:38 pm, awokd wrote:
> > On Mon, December 25, 2017 2:24 pm, Blooorp wrote:
> >
> >> Le lundi 25 décembre 2017 15:11:51 UTC+1, awokd a écrit :
> >>
> >>
> >>> On Mon, December 25, 2017 1:47 pm, Blooorp wrote:
> >>>
> >>>
>  Le lundi 25 décembre 2017 14:39:45 UTC+1, awokd a écrit :
> 
> 
> 
> > On Mon, December 25, 2017 12:35 pm, Blooorp wrote:
> >
> >
> >
> >> Hey, I'm having some heavy trouble getting coreboot on my
> >> G505s,
> >> could you take a look at how I did it to see if you spot any
> >> difference compared to how you did it?
> >>
> >> Here is how I built, flashed and tested it :
> >> https://ghostbin.com/paste/wprhk
> >>
> >>
> >>
> >
> > They seem to block Tor users. I can take a look if you put it on
> > pastebin.com for example.
> 
>  Coreboot Lenovo G505s - Build/Flash/Test
>  https://pastebin.com/58K4VGgf
>  Full make output https://pastebin.com/nAPbNjJG
> 
> 
> >>>
> >>> I think you are very close to having it working, probably only the
> >>> video.
> >>>
> >>> Try the following options in your menuconfig:
> >>> General/Use CMOS for configuration values
> >>> General/Allow use of binary-only repository
> >>> Chipset/Add imc firmware (don't specify location or IDs, let it
> >>> auto-populate) Chipset/SATA Mode 2 (don't specify location or IDs, let
> >>> it auto-populate) Devices/Add a VGA BIOS image (don't specify location
> >>> or IDs, let it
> >>> auto-populate) Payload/SeaBIOS 1.11.0
> >>>
> >>>
> >>> And to keep this on topic for the Qubes Users mailing list, if you
> >>> plan on running Qubes 4.0 on there, you'll also want this Coreboot
> >>> patch currently waiting on code review:
> >>> https://review.coreboot.org/#/c/coreboot/+/22843 .
> >>>
> >>>
> >>
> >> I do plan on running Qubes 4.0, how to I actually patch coreboot before
> >>  the build?
> >
> > See the changes I made in that link to those two files, and copy and
> > paste them into your own source files manually. If you don't trust the
> > blob I provided (and you shouldn't!) perform the following steps to verify
> > it:
> >
> >
> > Executing the following on a Debian Stretch install:
> > dd skip=5284 iflag=skip_bytes
> > if=/lib/firmware/amd-ucode/microcode_amd_fam15h.bin of=amd.bin xxd -i
> > amd.bin Then copying and pasting.
> >
> >
> > Executing these steps against
> > coreboot/3rdparty/blobs/cpu/amd/family_15h/microcode_amd_fam15h.bin
> > provides identical results.
> >
> Forgot to add, you should also include nvramcui as a secondary payload to
> let you change CMOS options.

"Devices/Add a VGA BIOS image (don't specify location or IDs, let it
auto-populate) "

make: *** No rule to make target 'vgabios.bin', needed by 'build/coreboot.pre'. 
Stop.

Looks like it didn't work, should I put the location and ID of the one I 
extracted from the stock bios?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/16d07c78-3d48-4d98-a22c-c3609dce98aa%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2017-12-25 Thread 'awokd' via qubes-users
On Mon, December 25, 2017 2:38 pm, awokd wrote:
> On Mon, December 25, 2017 2:24 pm, Blooorp wrote:
>
>> Le lundi 25 décembre 2017 15:11:51 UTC+1, awokd a écrit :
>>
>>
>>> On Mon, December 25, 2017 1:47 pm, Blooorp wrote:
>>>
>>>
 Le lundi 25 décembre 2017 14:39:45 UTC+1, awokd a écrit :



> On Mon, December 25, 2017 12:35 pm, Blooorp wrote:
>
>
>
>> Hey, I'm having some heavy trouble getting coreboot on my
>> G505s,
>> could you take a look at how I did it to see if you spot any
>> difference compared to how you did it?
>>
>> Here is how I built, flashed and tested it :
>> https://ghostbin.com/paste/wprhk
>>
>>
>>
>
> They seem to block Tor users. I can take a look if you put it on
> pastebin.com for example.

 Coreboot Lenovo G505s - Build/Flash/Test
 https://pastebin.com/58K4VGgf
 Full make output https://pastebin.com/nAPbNjJG


>>>
>>> I think you are very close to having it working, probably only the
>>> video.
>>>
>>> Try the following options in your menuconfig:
>>> General/Use CMOS for configuration values
>>> General/Allow use of binary-only repository
>>> Chipset/Add imc firmware (don't specify location or IDs, let it
>>> auto-populate) Chipset/SATA Mode 2 (don't specify location or IDs, let
>>> it auto-populate) Devices/Add a VGA BIOS image (don't specify location
>>> or IDs, let it
>>> auto-populate) Payload/SeaBIOS 1.11.0
>>>
>>>
>>> And to keep this on topic for the Qubes Users mailing list, if you
>>> plan on running Qubes 4.0 on there, you'll also want this Coreboot
>>> patch currently waiting on code review:
>>> https://review.coreboot.org/#/c/coreboot/+/22843 .
>>>
>>>
>>
>> I do plan on running Qubes 4.0, how to I actually patch coreboot before
>>  the build?
>
> See the changes I made in that link to those two files, and copy and
> paste them into your own source files manually. If you don't trust the
> blob I provided (and you shouldn't!) perform the following steps to verify
> it:
>
>
> Executing the following on a Debian Stretch install:
> dd skip=5284 iflag=skip_bytes
> if=/lib/firmware/amd-ucode/microcode_amd_fam15h.bin of=amd.bin xxd -i
> amd.bin Then copying and pasting.
>
>
> Executing these steps against
> coreboot/3rdparty/blobs/cpu/amd/family_15h/microcode_amd_fam15h.bin
> provides identical results.
>
Forgot to add, you should also include nvramcui as a secondary payload to
let you change CMOS options.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d0865b38b19dd1a219c6abbaa49ebe44.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2017-12-25 Thread 'awokd' via qubes-users
On Mon, December 25, 2017 2:24 pm, Blooorp wrote:
> Le lundi 25 décembre 2017 15:11:51 UTC+1, awokd a écrit :
>
>> On Mon, December 25, 2017 1:47 pm, Blooorp wrote:
>>
>>> Le lundi 25 décembre 2017 14:39:45 UTC+1, awokd a écrit :
>>>
>>>
 On Mon, December 25, 2017 12:35 pm, Blooorp wrote:


> Hey, I'm having some heavy trouble getting coreboot on my G505s,
> could you take a look at how I did it to see if you spot any
> difference compared to how you did it?
>
> Here is how I built, flashed and tested it :
> https://ghostbin.com/paste/wprhk
>
>

 They seem to block Tor users. I can take a look if you put it on
 pastebin.com for example.
>>>
>>> Coreboot Lenovo G505s - Build/Flash/Test
>>> https://pastebin.com/58K4VGgf
>>> Full make output https://pastebin.com/nAPbNjJG
>>>
>>
>> I think you are very close to having it working, probably only the
>> video.
>>
>> Try the following options in your menuconfig:
>> General/Use CMOS for configuration values
>> General/Allow use of binary-only repository
>> Chipset/Add imc firmware (don't specify location or IDs, let it
>> auto-populate) Chipset/SATA Mode 2 (don't specify location or IDs, let it
>> auto-populate) Devices/Add a VGA BIOS image (don't specify location or
>> IDs, let it
>> auto-populate) Payload/SeaBIOS 1.11.0
>>
>>
>> And to keep this on topic for the Qubes Users mailing list, if you plan
>> on running Qubes 4.0 on there, you'll also want this Coreboot patch
>> currently waiting on code review:
>> https://review.coreboot.org/#/c/coreboot/+/22843 .
>>
>
> I do plan on running Qubes 4.0, how to I actually patch coreboot before
> the build?

See the changes I made in that link to those two files, and copy and paste
them into your own source files manually. If you don't trust the blob I
provided (and you shouldn't!) perform the following steps to verify it:

Executing the following on a Debian Stretch install:
dd skip=5284 iflag=skip_bytes
if=/lib/firmware/amd-ucode/microcode_amd_fam15h.bin of=amd.bin
xxd -i amd.bin
Then copying and pasting.

Executing these steps against
coreboot/3rdparty/blobs/cpu/amd/family_15h/microcode_amd_fam15h.bin
provides identical results.



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/537cb1d917b78ea166d54b2eeda83dac.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2017-12-25 Thread Blooorp
Le lundi 25 décembre 2017 15:11:51 UTC+1, awokd a écrit :
> On Mon, December 25, 2017 1:47 pm, Blooorp wrote:
> > Le lundi 25 décembre 2017 14:39:45 UTC+1, awokd a écrit :
> >
> >> On Mon, December 25, 2017 12:35 pm, Blooorp wrote:
> >>
> >>> Hey, I'm having some heavy trouble getting coreboot on my G505s,
> >>> could you take a look at how I did it to see if you spot any
> >>> difference compared to how you did it?
> >>>
> >>> Here is how I built, flashed and tested it :
> >>> https://ghostbin.com/paste/wprhk
> >>>
> >>
> >> They seem to block Tor users. I can take a look if you put it on
> >> pastebin.com for example.
> >
> > Coreboot Lenovo G505s - Build/Flash/Test https://pastebin.com/58K4VGgf
> > Full make output https://pastebin.com/nAPbNjJG
> 
> I think you are very close to having it working, probably only the video.
> 
> Try the following options in your menuconfig:
> General/Use CMOS for configuration values
> General/Allow use of binary-only repository
> Chipset/Add imc firmware (don't specify location or IDs, let it
> auto-populate)
> Chipset/SATA Mode 2 (don't specify location or IDs, let it auto-populate)
> Devices/Add a VGA BIOS image (don't specify location or IDs, let it
> auto-populate)
> Payload/SeaBIOS 1.11.0
> 
> And to keep this on topic for the Qubes Users mailing list, if you plan on
> running Qubes 4.0 on there, you'll also want this Coreboot patch currently
> waiting on code review: https://review.coreboot.org/#/c/coreboot/+/22843 .

I do plan on running Qubes 4.0, how to I actually patch coreboot before the 
build?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ac317a8d-fd7c-442d-a4bb-3d73acce13f0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2017-12-25 Thread 'awokd' via qubes-users
On Mon, December 25, 2017 1:47 pm, Blooorp wrote:
> Le lundi 25 décembre 2017 14:39:45 UTC+1, awokd a écrit :
>
>> On Mon, December 25, 2017 12:35 pm, Blooorp wrote:
>>
>>> Hey, I'm having some heavy trouble getting coreboot on my G505s,
>>> could you take a look at how I did it to see if you spot any
>>> difference compared to how you did it?
>>>
>>> Here is how I built, flashed and tested it :
>>> https://ghostbin.com/paste/wprhk
>>>
>>
>> They seem to block Tor users. I can take a look if you put it on
>> pastebin.com for example.
>
> Coreboot Lenovo G505s - Build/Flash/Test https://pastebin.com/58K4VGgf
> Full make output https://pastebin.com/nAPbNjJG

I think you are very close to having it working, probably only the video.

Try the following options in your menuconfig:
General/Use CMOS for configuration values
General/Allow use of binary-only repository
Chipset/Add imc firmware (don't specify location or IDs, let it
auto-populate)
Chipset/SATA Mode 2 (don't specify location or IDs, let it auto-populate)
Devices/Add a VGA BIOS image (don't specify location or IDs, let it
auto-populate)
Payload/SeaBIOS 1.11.0

And to keep this on topic for the Qubes Users mailing list, if you plan on
running Qubes 4.0 on there, you'll also want this Coreboot patch currently
waiting on code review: https://review.coreboot.org/#/c/coreboot/+/22843 .


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2f620a3f08307557df1e69fa2c9074bd.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2017-12-25 Thread Blooorp
Le lundi 25 décembre 2017 14:39:45 UTC+1, awokd a écrit :
> On Mon, December 25, 2017 12:35 pm, Blooorp wrote:
> > Hey, I'm having some heavy trouble getting coreboot on my G505s, could
> > you take a look at how I did it to see if you spot any difference
> > compared to how you did it?
> >
> > Here is how I built, flashed and tested it :
> > https://ghostbin.com/paste/wprhk
> 
> They seem to block Tor users. I can take a look if you put it on
> pastebin.com for example.

Coreboot Lenovo G505s - Build/Flash/Test https://pastebin.com/58K4VGgf
Full make output https://pastebin.com/nAPbNjJG

If you need any more information, just ask me, I don't know exactly what may be 
relevant to pinpoint my issue but I really want to get it done :)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/87ab68b9-3b46-4f8d-ae9e-12d43ee7bfc6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2017-12-25 Thread 'awokd' via qubes-users
On Mon, December 25, 2017 12:35 pm, Blooorp wrote:
> Hey, I'm having some heavy trouble getting coreboot on my G505s, could
> you take a look at how I did it to see if you spot any difference
> compared to how you did it?
>
> Here is how I built, flashed and tested it :
> https://ghostbin.com/paste/wprhk

They seem to block Tor users. I can take a look if you put it on
pastebin.com for example.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ecffb2dd647bae9b9075ed6b1e3d9940.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Lenovo G505S Coreboot

2017-12-25 Thread Blooorp
Hey, I'm having some heavy trouble getting coreboot on my G505s, could you take 
a look at how I did it to see if you spot any difference compared to how you 
did it?

Here is how I built, flashed and tested it : https://ghostbin.com/paste/wprhk

Basically, I built it with the extracted vgabios binary from the stock rom, 
flashed it with Bus Pirate and tried to start the laptop.
The screen would not turn on, at all.

Thanks in advance :)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1bc45461-677a-4b4f-b850-5c6142feae3f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Lenovo G505S Coreboot

2017-12-25 Thread Blooorp
Hey Asterysk, I'm having some heavy trouble getting coreboot on my G505s, could 
you take a look at how I did it to see if you spot any difference compared to 
how you did it?

Here is how I built, flashed and tested it : https://ghostbin.com/paste/wprhk

Basically, I built it with the extracted vgabios binary from the stock rom, 
flashed it with Bus Pirate and tried to start the laptop.
The screen would not turn on, at all.

Thanks in advance :)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/db8d3b4a-494a-4512-b154-d8ceaf71220c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2017-01-19 Thread qmastery16
четверг, 19 января 2017 г., 18:31:35 UTC+3 пользователь Asterysk написал:
> On Thursday, 19 January 2017 17:28:12 UTC+4, qmast...@gmail.com  wrote:
> > четверг, 19 января 2017 г., 12:16:12 UTC+3 пользователь qmast...@gmail.com 
> > написал:
> > > четверг, 19 января 2017 г., 7:08:46 UTC+3 пользователь Asterysk написал:
> > > > On Thursday, 19 January 2017 03:04:32 UTC+4, tai...@gmx.com  wrote:
> > > > > As always physical access is a checkmate situation, you need to not 
> > > > > be 
> > > > > an idiot and don't leave your stuff in overseas hotel rooms or not 
> > > > > have 
> > > > > secure locks on your door.
> > > > 
> > > > Unless USB port seals (e.g. 
> > > > http://www.padjack.com/padjack-versions/usb-port-lock/) are put in 
> > > > place as soon as the laptop is removed from the manufacturers box it is 
> > > > impossible to know whether someone has installed a device that has in 
> > > > turn infected firmware. A similar situation for any DMA access ports 
> > > > (Thunderbolt etc) 
> > > > 
> > > > I'm interested in being able to take a possibly infected laptop (i.e. 
> > > > infected with firmware malware) and reset it to a known safe starting 
> > > > point. Coreboot seems to handle the BIOS (thank you for clarification 
> > > > that it completely rewrite legacy and UEFI). Replacing the HD with a 
> > > > new SSD should handle that firmware attack vector. That leaves the 
> > > > other EEPROMS.
> > > > 
> > > > I figure, if I'm going to strip down my G505S to reflash with Coreboot, 
> > > > I should see what other EEPROMs I can reflash.
> > > > 
> > > > Apart from the obvious RAM and SSD upgrade and possible putting 
> > > > switches on peripherals, are there any other hardware mods you can 
> > > > suggest for the G505S.
> > > > 
> > > > Having sorted out the hardware, I am then going to be looking to use 
> > > > Qubes to protect against any attempts to reflash through Malware and 
> > > > after thats done, I'll be looking for ways to detect that any attack is 
> > > > being attempted.
> > > > 
> > > > All in all I think I've got about a years work ahead !
> > > 
> > > To reduce the number of "EEPROMs" you could disconnect: a touch pad, DVD 
> > > drive, web camera ; Maybe also a small board with LS-9901P part number 
> > > (dont confuse with LA-9901P), see its' google pictures online - and 
> > > according to G505S laptop's LA-A091P motherboard datasheet (which also 
> > > contains a datasheet for laptop's smaller boards) this board has a 
> > > Realtek chip for card reader. By the way, you could either find out what 
> > > lines of flex cable the card reader is using, and install a custom jumper 
> > > on them ; or maybe get a flex cable with the same number of pins / same 
> > > pitch between them , find (from datasheet?) what lines that lonely USB 
> > > port is using to get to Bolton-M3 FCH, get a USB female header and solder 
> > > a custom adapter which adds only a USB port to laptop (so no card reader 
> > > chip). Probably the hardest thing to do is to disconnect a web camera - 
> > > you will need to tear down a screen which is quite risky. BTW screen also 
> > > contains the internal reprogrammable memory (e.g. for storing EDID), and 
> > > a malicious firmware could cause screen to transfer information through 
> > > electromagnetic impulses (TEMPEST? - 
> > > http://www.surasoft.com/articles/tempest.php )
> > > 
> > > Actually it is possible to remove a motherboard with CPU, CPU Fan, 
> > > Heatsink, Power Jack Wire, and Power Button Board attached (could make a 
> > > custom power button adapter with huge convenient buttons!) and create a 
> > > custom case for all this stuff. If you are lucky you could find someone 
> > > selling a used G505S with broken screen for very cheap price, and do 
> > > that. This way you avoid webcam, screen, dvd drive, touchpad, card reader 
> > > chip, and internal keyboard (see below why)
> > > 
> > > Maybe don't need to seal the USB ports yet: it not just seriously 
> > > reducing the usability of this laptop, but also makes it impossible to 
> > > connect a USB keyboard. Maybe you would prefer that, when you type, your 
> > > keystrokes are going through external keyboard's USB controller, rather 
> > > than through laptop's Embedded Controller KB9012 which has a closed 
> > > source firmware and controls PS/2-like laptop's internal keyboard. You 
> > > could make your own open hardware USB keyboard with open source firmware, 
> > > and using it will be slightly safer (and slightly less convenient) than 
> > > laptop's internal one
> > > 
> > > Also, another possible hardware mod (not related to security) - instead 
> > > of DVD drive you could install a fan for extra cooling, see 
> > > http://forum.notebookreview.com/threads/10mm-5v-cooler-instead-of-laptops-dvd-slimline-sata.797064/
> > >  . Although dont know if it worth it, because some really great external 
> > > USB coolers are available - 
> > > 

Re: [qubes-users] Re: Lenovo G505S Coreboot

2017-01-19 Thread Asterysk
On Thursday, 19 January 2017 17:28:12 UTC+4, qmast...@gmail.com  wrote:
> четверг, 19 января 2017 г., 12:16:12 UTC+3 пользователь qmast...@gmail.com 
> написал:
> > четверг, 19 января 2017 г., 7:08:46 UTC+3 пользователь Asterysk написал:
> > > On Thursday, 19 January 2017 03:04:32 UTC+4, tai...@gmx.com  wrote:
> > > > As always physical access is a checkmate situation, you need to not be 
> > > > an idiot and don't leave your stuff in overseas hotel rooms or not have 
> > > > secure locks on your door.
> > > 
> > > Unless USB port seals (e.g. 
> > > http://www.padjack.com/padjack-versions/usb-port-lock/) are put in place 
> > > as soon as the laptop is removed from the manufacturers box it is 
> > > impossible to know whether someone has installed a device that has in 
> > > turn infected firmware. A similar situation for any DMA access ports 
> > > (Thunderbolt etc) 
> > > 
> > > I'm interested in being able to take a possibly infected laptop (i.e. 
> > > infected with firmware malware) and reset it to a known safe starting 
> > > point. Coreboot seems to handle the BIOS (thank you for clarification 
> > > that it completely rewrite legacy and UEFI). Replacing the HD with a new 
> > > SSD should handle that firmware attack vector. That leaves the other 
> > > EEPROMS.
> > > 
> > > I figure, if I'm going to strip down my G505S to reflash with Coreboot, I 
> > > should see what other EEPROMs I can reflash.
> > > 
> > > Apart from the obvious RAM and SSD upgrade and possible putting switches 
> > > on peripherals, are there any other hardware mods you can suggest for the 
> > > G505S.
> > > 
> > > Having sorted out the hardware, I am then going to be looking to use 
> > > Qubes to protect against any attempts to reflash through Malware and 
> > > after thats done, I'll be looking for ways to detect that any attack is 
> > > being attempted.
> > > 
> > > All in all I think I've got about a years work ahead !
> > 
> > To reduce the number of "EEPROMs" you could disconnect: a touch pad, DVD 
> > drive, web camera ; Maybe also a small board with LS-9901P part number 
> > (dont confuse with LA-9901P), see its' google pictures online - and 
> > according to G505S laptop's LA-A091P motherboard datasheet (which also 
> > contains a datasheet for laptop's smaller boards) this board has a Realtek 
> > chip for card reader. By the way, you could either find out what lines of 
> > flex cable the card reader is using, and install a custom jumper on them ; 
> > or maybe get a flex cable with the same number of pins / same pitch between 
> > them , find (from datasheet?) what lines that lonely USB port is using to 
> > get to Bolton-M3 FCH, get a USB female header and solder a custom adapter 
> > which adds only a USB port to laptop (so no card reader chip). Probably the 
> > hardest thing to do is to disconnect a web camera - you will need to tear 
> > down a screen which is quite risky. BTW screen also contains the internal 
> > reprogrammable memory (e.g. for storing EDID), and a malicious firmware 
> > could cause screen to transfer information through electromagnetic impulses 
> > (TEMPEST? - http://www.surasoft.com/articles/tempest.php )
> > 
> > Actually it is possible to remove a motherboard with CPU, CPU Fan, 
> > Heatsink, Power Jack Wire, and Power Button Board attached (could make a 
> > custom power button adapter with huge convenient buttons!) and create a 
> > custom case for all this stuff. If you are lucky you could find someone 
> > selling a used G505S with broken screen for very cheap price, and do that. 
> > This way you avoid webcam, screen, dvd drive, touchpad, card reader chip, 
> > and internal keyboard (see below why)
> > 
> > Maybe don't need to seal the USB ports yet: it not just seriously reducing 
> > the usability of this laptop, but also makes it impossible to connect a USB 
> > keyboard. Maybe you would prefer that, when you type, your keystrokes are 
> > going through external keyboard's USB controller, rather than through 
> > laptop's Embedded Controller KB9012 which has a closed source firmware and 
> > controls PS/2-like laptop's internal keyboard. You could make your own open 
> > hardware USB keyboard with open source firmware, and using it will be 
> > slightly safer (and slightly less convenient) than laptop's internal one
> > 
> > Also, another possible hardware mod (not related to security) - instead of 
> > DVD drive you could install a fan for extra cooling, see 
> > http://forum.notebookreview.com/threads/10mm-5v-cooler-instead-of-laptops-dvd-slimline-sata.797064/
> >  . Although dont know if it worth it, because some really great external 
> > USB coolers are available - 
> > https://www.aliexpress.com/item/Mini-LCD-Vacuum-USB-Cooler-Air-Extracting-Cooling-Fan-Turbo-Radiator-Low-Noise-Desgin-for-Laptop/32231641439.html
> 
> Please read a message above... If we are talking about the motherboard, main 
> board of this laptop : aside from 4MB BIOS flash chip and 128KB EC 

Re: [qubes-users] Re: Lenovo G505S Coreboot

2017-01-19 Thread Asterysk
On Thursday, 19 January 2017 18:17:59 UTC+4, Asterysk  wrote:
> "1) Erase a BIOS chip and flash it with coreboot 
> http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate "
> 
> Did you buy the necessary components from AliExpress as linked in the article 
> ? They are saying a couple of months delivery time !!

All components now ordered, most from Ali Express but a couple from USA. I 
should hopefully be good to start in about a month

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f96c4e71-3529-45bd-bfd6-0436ad6bc506%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2017-01-19 Thread Asterysk
"1) Erase a BIOS chip and flash it with coreboot 
http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate "

Did you buy the necessary components from AliExpress as linked in the article ? 
They are saying a couple of months delivery time !!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/379e48f9-0f41-4057-a1f4-e2a318ae1f38%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Lenovo G505S Coreboot

2017-01-19 Thread qmastery16
четверг, 19 января 2017 г., 12:16:12 UTC+3 пользователь qmast...@gmail.com 
написал:
> четверг, 19 января 2017 г., 7:08:46 UTC+3 пользователь Asterysk написал:
> > On Thursday, 19 January 2017 03:04:32 UTC+4, tai...@gmx.com  wrote:
> > > As always physical access is a checkmate situation, you need to not be 
> > > an idiot and don't leave your stuff in overseas hotel rooms or not have 
> > > secure locks on your door.
> > 
> > Unless USB port seals (e.g. 
> > http://www.padjack.com/padjack-versions/usb-port-lock/) are put in place as 
> > soon as the laptop is removed from the manufacturers box it is impossible 
> > to know whether someone has installed a device that has in turn infected 
> > firmware. A similar situation for any DMA access ports (Thunderbolt etc) 
> > 
> > I'm interested in being able to take a possibly infected laptop (i.e. 
> > infected with firmware malware) and reset it to a known safe starting 
> > point. Coreboot seems to handle the BIOS (thank you for clarification that 
> > it completely rewrite legacy and UEFI). Replacing the HD with a new SSD 
> > should handle that firmware attack vector. That leaves the other EEPROMS.
> > 
> > I figure, if I'm going to strip down my G505S to reflash with Coreboot, I 
> > should see what other EEPROMs I can reflash.
> > 
> > Apart from the obvious RAM and SSD upgrade and possible putting switches on 
> > peripherals, are there any other hardware mods you can suggest for the 
> > G505S.
> > 
> > Having sorted out the hardware, I am then going to be looking to use Qubes 
> > to protect against any attempts to reflash through Malware and after thats 
> > done, I'll be looking for ways to detect that any attack is being attempted.
> > 
> > All in all I think I've got about a years work ahead !
> 
> To reduce the number of "EEPROMs" you could disconnect: a touch pad, DVD 
> drive, web camera ; Maybe also a small board with LS-9901P part number (dont 
> confuse with LA-9901P), see its' google pictures online - and according to 
> G505S laptop's LA-A091P motherboard datasheet (which also contains a 
> datasheet for laptop's smaller boards) this board has a Realtek chip for card 
> reader. By the way, you could either find out what lines of flex cable the 
> card reader is using, and install a custom jumper on them ; or maybe get a 
> flex cable with the same number of pins / same pitch between them , find 
> (from datasheet?) what lines that lonely USB port is using to get to 
> Bolton-M3 FCH, get a USB female header and solder a custom adapter which adds 
> only a USB port to laptop (so no card reader chip). Probably the hardest 
> thing to do is to disconnect a web camera - you will need to tear down a 
> screen which is quite risky. BTW screen also contains the internal 
> reprogrammable memory (e.g. for storing EDID), and a malicious firmware could 
> cause screen to transfer information through electromagnetic impulses 
> (TEMPEST? - http://www.surasoft.com/articles/tempest.php )
> 
> Actually it is possible to remove a motherboard with CPU, CPU Fan, Heatsink, 
> Power Jack Wire, and Power Button Board attached (could make a custom power 
> button adapter with huge convenient buttons!) and create a custom case for 
> all this stuff. If you are lucky you could find someone selling a used G505S 
> with broken screen for very cheap price, and do that. This way you avoid 
> webcam, screen, dvd drive, touchpad, card reader chip, and internal keyboard 
> (see below why)
> 
> Maybe don't need to seal the USB ports yet: it not just seriously reducing 
> the usability of this laptop, but also makes it impossible to connect a USB 
> keyboard. Maybe you would prefer that, when you type, your keystrokes are 
> going through external keyboard's USB controller, rather than through 
> laptop's Embedded Controller KB9012 which has a closed source firmware and 
> controls PS/2-like laptop's internal keyboard. You could make your own open 
> hardware USB keyboard with open source firmware, and using it will be 
> slightly safer (and slightly less convenient) than laptop's internal one
> 
> Also, another possible hardware mod (not related to security) - instead of 
> DVD drive you could install a fan for extra cooling, see 
> http://forum.notebookreview.com/threads/10mm-5v-cooler-instead-of-laptops-dvd-slimline-sata.797064/
>  . Although dont know if it worth it, because some really great external USB 
> coolers are available - 
> https://www.aliexpress.com/item/Mini-LCD-Vacuum-USB-Cooler-Air-Extracting-Cooling-Fan-Turbo-Radiator-Low-Noise-Desgin-for-Laptop/32231641439.html

Please read a message above... If we are talking about the motherboard, main 
board of this laptop : aside from 4MB BIOS flash chip and 128KB EC KB9012's 
internal memory, I am not aware about any other "EEPROMs" on this board which 
could be reflashed and how to reflash them. Well, there is probably a CMOS 
memory somewhere, but I dont know where it is located and dont know how to 
access 

Re: [qubes-users] Re: Lenovo G505S Coreboot

2017-01-19 Thread qmastery16
четверг, 19 января 2017 г., 7:08:46 UTC+3 пользователь Asterysk написал:
> On Thursday, 19 January 2017 03:04:32 UTC+4, tai...@gmx.com  wrote:
> > As always physical access is a checkmate situation, you need to not be 
> > an idiot and don't leave your stuff in overseas hotel rooms or not have 
> > secure locks on your door.
> 
> Unless USB port seals (e.g. 
> http://www.padjack.com/padjack-versions/usb-port-lock/) are put in place as 
> soon as the laptop is removed from the manufacturers box it is impossible to 
> know whether someone has installed a device that has in turn infected 
> firmware. A similar situation for any DMA access ports (Thunderbolt etc) 
> 
> I'm interested in being able to take a possibly infected laptop (i.e. 
> infected with firmware malware) and reset it to a known safe starting point. 
> Coreboot seems to handle the BIOS (thank you for clarification that it 
> completely rewrite legacy and UEFI). Replacing the HD with a new SSD should 
> handle that firmware attack vector. That leaves the other EEPROMS.
> 
> I figure, if I'm going to strip down my G505S to reflash with Coreboot, I 
> should see what other EEPROMs I can reflash.
> 
> Apart from the obvious RAM and SSD upgrade and possible putting switches on 
> peripherals, are there any other hardware mods you can suggest for the G505S.
> 
> Having sorted out the hardware, I am then going to be looking to use Qubes to 
> protect against any attempts to reflash through Malware and after thats done, 
> I'll be looking for ways to detect that any attack is being attempted.
> 
> All in all I think I've got about a years work ahead !

To reduce the number of "EEPROMs" you could disconnect: a touch pad, DVD drive, 
web camera ; Maybe also a small board with LS-9901P part number (dont confuse 
with LA-9901P), see its' google pictures online - and according to G505S 
laptop's LA-A091P motherboard datasheet (which also contains a datasheet for 
laptop's smaller boards) this board has a Realtek chip for card reader. By the 
way, you could either find out what lines of flex cable the card reader is 
using, and install a custom jumper on them ; or maybe get a flex cable with the 
same number of pins / same pitch between them , find (from datasheet?) what 
lines that lonely USB port is using to get to Bolton-M3 FCH, get a USB female 
header and solder a custom adapter which adds only a USB port to laptop (so no 
card reader chip). Probably the hardest thing to do is to disconnect a web 
camera - you will need to tear down a screen which is quite risky. BTW screen 
also contains the internal reprogrammable memory (e.g. for storing EDID), and a 
malicious firmware could cause screen to transfer information through 
electromagnetic impulses (TEMPEST? - 
http://www.surasoft.com/articles/tempest.php )

Actually it is possible to remove a motherboard with CPU, CPU Fan, Heatsink, 
Power Jack Wire, and Power Button Board attached (could make a custom power 
button adapter with huge convenient buttons!) and create a custom case for all 
this stuff. If you are lucky you could find someone selling a used G505S with 
broken screen for very cheap price, and do that. This way you avoid webcam, 
screen, dvd drive, touchpad, card reader chip, and internal keyboard (see below 
why)

Maybe don't need to seal the USB ports yet: it not just seriously reducing the 
usability of this laptop, but also makes it impossible to connect a USB 
keyboard. Maybe you would prefer that, when you type, your keystrokes are going 
through external keyboard's USB controller, rather than through laptop's 
Embedded Controller KB9012 which has a closed source firmware and controls 
PS/2-like laptop's internal keyboard. You could make your own open hardware USB 
keyboard with open source firmware, and using it will be slightly safer (and 
slightly less convenient) than laptop's internal one

Also, another possible hardware mod (not related to security) - instead of DVD 
drive you could install a fan for extra cooling, see 
http://forum.notebookreview.com/threads/10mm-5v-cooler-instead-of-laptops-dvd-slimline-sata.797064/
 . Although dont know if it worth it, because some really great external USB 
coolers are available - 
https://www.aliexpress.com/item/Mini-LCD-Vacuum-USB-Cooler-Air-Extracting-Cooling-Fan-Turbo-Radiator-Low-Noise-Desgin-for-Laptop/32231641439.html

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/80b3bae1-4efe-44eb-bbe2-d45d459db4ae%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.