Re: [qubes-users] Coreboot?

2019-08-09 Thread 799
Hello,

 wrote on Tue, 6 Aug 2019, 00:42:

> So like installing coreboot should eliminate any malware installed at
> firmware levels, right?
>

I would not use the very strong claim "any", because I can't back up this
claim through knowledge (I am not a security specialist).
But using coreboot will offer the best approach protecting against firmware
malware/attacks. There are not many reasons why you should not consider
running coreboot and if you buy most new hardware you are to install
coreboot.
Therefore I would say that coreboot will improve the "reasonable" security
;-)

-  O



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ3yz2ukAPNkkR3Fa2_QQtFiW08eJEUnu%3D61e8f-%2BtBE3hyL2A%40mail.gmail.com.


Re: [qubes-users] Coreboot?

2019-08-05 Thread ljul8047
So like installing coreboot should eliminate any malware installed at firmware 
levels, right?



Re: [qubes-users] Coreboot?

2019-08-05 Thread ljul8047
Thanks a lot for the reply. So if the previous owner’s dom0/laptop was 
infected, it wouldn’t have any effect on me if I change the SSD and install 
coreboot, am I understanding right? I apologise for my ignorance on this topic, 
I’m learning only now.



Re: [qubes-users] Coreboot?

2019-08-05 Thread 'awokd' via qubes-users
ljul8...@gmail.com:
> I was told that buying a used laptop represents an extra risk since the
> previous owner could have used the laptop with Qubes and got dom0 infected.

There's some terminology mixed up here. Qubes' dom0 is part of the
operating system, not the hardware. A Qubes dom0 infection, although
unlikely, is no different than a Windows or Linux infection, and can be
cleaned by formatting the drive. What you are concerned about is a
firmware infection, which is less likely to happen compared to other
OS's if someone was already running Qubes. Again, out of the hundreds of
thousands of malwares out there, I've only heard of a couple that install
themselves at the firmware level so the chances of you finding a used
laptop with one are minimal. You need to weigh this against the
possibility that new laptops could also be infected. Some say all new
x86 laptops are backdoored, for example.

> After a little bit of research, I was told that installing coreboot would 
> eliminate/delete any malware that, in a hypothetical case, took control of 
> dom0 when the previous owner used the laptop for Qubes but I’m not too sure 
> if this is true, do you guys think it’s true?
> 

Yes, I believe flashing Coreboot would eliminate known system firmware
malwares. See 799's reply, he beat me to it!

You might also check out https://insurgo.ca/ if you're not comfortable
flashing yourself.



Re: [qubes-users] Coreboot?

2019-08-05 Thread 799
Hello,

On Mon, 5 Aug 2019 at 22:58,  wrote:

> I was told that buying a used laptop represents an extra risk since the
> previous owner could have used the laptop with Qubes and got dom0 infected.
> After a little bit of research, I was told that installing coreboot would
> eliminate/delete any malware that, in a hypothetical case, took control of
> dom0 when the previous owner used the laptop for Qubes but I’m not too sure
> if this is true, do you guys think it’s true?
>

I would always replace the storage media in a used laptop to get a fresh
SSD, as this is where your data is stored and you don't want to mess
around with a used SSD or HDDs. And with today's low prices for SSDs it's
even more fun to do so.

If dom0 was "infected" you would not be affected if you use another SSD,
you could of course also reinstall Qubes on the used device, but as
mentioned above .. no reason to do so.
If the previous user has an infected or manipulated BIOS you can indeed
reflash with coreboot, in fact I would always suggest to run coreboot if
your laptop is able to do so - I would even recommend to buy only devices
which support coreboot (for example Lenovo X230 / T430 / W530 ...).

Keep in mind that an attacker could always place a tiny spy device inside a
used laptop which can then be used to sniff your keyboard entries etc. But
as this is an attack which is more likely used if you are a high priority
target, I think that this scenario is quite unlikely.

Therefore:
Buy a used Lenovo X/T/W x30, install coreboot and become a happy Qubes user.
If you need more information how to install coreboot, take a look here,
where I tried to document a whole run through for a X230:
https://github.com/one7two99/my-qubes/blob/master/docs/coreboot/howto-coreboot_copy.md

- O



Re: [qubes-users] coreboot on modern hardware?

2019-04-08 Thread taii...@gmx.com
System seventysuck, pur.idiots etc are LYING about having "open source
firmware"

System seventysuck also lies about having "made in usa" hardware
literally all they did was make a metal case here and somehow a metal
box equals a computer in their world.

Their "coreboot" is nothing more than a wrapper layer for Intel FSP
binary blobs, it doesn't init any hardware and just like their "made in
usa" claims is entirely bullshit.

New AMD hardware has PSP which is their version of ME and just as terrible.

New x86 hardware will NEVER be free since intel/amd not only refuse to
provide documentation and sources but also lock down their systems more
and more with ME, boot "guard", "secure" boot etc.


If you want owner controlled open source firmware hardware buy an
OpenPOWER system from RaptorCS like the Blackbird or TALOS 2 both of
which provide better performance and features than enterprise x86
systems you would get for the same price.

Someday there will even be AAA games on POWER just like people said that
there would never be DRM free AAA linux games and now there are many, as
of now there are a few meh open source 3D games and the unreal tech demo
but gaming is the only thing you sacrifice and you can always have an
older pre-PSP AMD owner controlled system for that like I do.



Re: [qubes-users] coreboot on modern hardware?

2019-04-06 Thread 'awokd' via qubes-users

Chris Laprise wrote on 4/6/19 2:08 PM:
> On 3/30/19 3:47 PM, 'awokd' via qubes-users wrote:
> > Chris Laprise wrote on 3/30/19 7:10 PM:
> > > BTW, like some other Qubers I got a G505s with the AMD A10. Still
> > > need to figure out how to flash it.
> >
> > Mike Banon's done some great work here. Check out
> > http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate
> > (pictures are from a G505s) and
> > http://dangerousprototypes.com/docs/Lenovo_G505S_hacking. My thanks to
> > Taiidan too for promoting the platform. Feel free to contact me with
> > any questions, on or off list.
>
> I'm ordering parts from Mike's guide now, but a little confused about
> something: If I order reasonably short wires and the advanced clip, will
> I need to do any soldering?
>
> Another thing that isn't clear is how power is applied, but I'll cross
> that bridge when I get to it. I plan to use a CH341A flasher.

No soldering needed on these laptops with a clip. FWIW, I got away with
12" wires but I was only flashing at 1 or 2 MHz. Power is supplied from
the CH341A through the clip, so pay attention to that warning about 3.3V
vs. 5V.




Re: [qubes-users] coreboot on modern hardware?

2019-04-06 Thread Chris Laprise

On 3/30/19 3:47 PM, 'awokd' via qubes-users wrote:
> Chris Laprise wrote on 3/30/19 7:10 PM:
> > I agree. But even so, AMD are better by some noticeable margin.
> >
> > Intel... OMGWTF. With the 'VISA' exploit they're contradicting the
> > researchers, and with 'Foreshadow' they said app programmers should
> > deal with it.
>
> I saw that too WRT Foreshadow: "Just code around it!" That's a swing and
> a miss for a real answer. I'll have to catch up on VISA.
>
> > BTW, like some other Qubers I got a G505s with the AMD A10. Still need
> > to figure out how to flash it.
>
> Mike Banon's done some great work here. Check out
> http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate
> (pictures are from a G505s) and
> http://dangerousprototypes.com/docs/Lenovo_G505S_hacking. My thanks to
> Taiidan too for promoting the platform. Feel free to contact me with any
> questions, on or off list.

I'm ordering parts from Mike's guide now, but a little confused about
something: If I order reasonably short wires and the advanced clip, will
I need to do any soldering?

Another thing that isn't clear is how power is applied, but I'll cross
that bridge when I get to it. I plan to use a CH341A flasher.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] coreboot on modern hardware?

2019-03-30 Thread 'awokd' via qubes-users

Chris Laprise wrote on 3/30/19 7:10 PM:
> I agree. But even so, AMD are better by some noticeable margin.
>
> Intel... OMGWTF. With the 'VISA' exploit they're contradicting the
> researchers, and with 'Foreshadow' they said app programmers should deal
> with it.

I saw that too WRT Foreshadow: "Just code around it!" That's a swing and
a miss for a real answer. I'll have to catch up on VISA.

> BTW, like some other Qubers I got a G505s with the AMD A10. Still need
> to figure out how to flash it.

Mike Banon's done some great work here. Check out
http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate
(pictures are from a G505s) and
http://dangerousprototypes.com/docs/Lenovo_G505S_hacking. My thanks to
Taiidan too for promoting the platform. Feel free to contact me with any
questions, on or off list.




Re: [qubes-users] coreboot on modern hardware?

2019-03-30 Thread Chris Laprise

On 3/30/19 12:25 PM, 'awokd' via qubes-users wrote:
> Chris Laprise wrote on 3/30/19 2:44 AM:
> > On 3/29/19 7:18 PM, jrsmi...@gmail.com wrote:
> > > https://github.com/system76/coreboot
> > >
> > > Clearly they think they can handle modern hardware. Makes me wonder
> > > why the coreboot folks have thrown up [their?] hands and declared
> > > defeat.
>
> If I understand it right, on newer Intel systems Coreboot is limited to
> only calling closed-source, proprietary initialization procedures versus
> older systems where it handles the entire process (less some binary blobs).
>
> > Maybe they see something they can no longer stomach.
> >
> > I bought my first AMD system this week.
>
> Welcome to the club! Hope they don't continue following Intel's path
> with closed-source PSP etc.

I agree. But even so, AMD are better by some noticeable margin.

Intel... OMGWTF. With the 'VISA' exploit they're contradicting the
researchers, and with 'Foreshadow' they said app programmers should deal
with it.

BTW, like some other Qubers I got a G505s with the AMD A10. Still need
to figure out how to flash it.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] coreboot on modern hardware?

2019-03-30 Thread 'awokd' via qubes-users

Chris Laprise wrote on 3/30/19 2:44 AM:
> On 3/29/19 7:18 PM, jrsmi...@gmail.com wrote:
> > https://github.com/system76/coreboot
> >
> > Clearly they think they can handle modern hardware. Makes me wonder
> > why the coreboot folks have thrown up [their?] hands and declared defeat.

If I understand it right, on newer Intel systems Coreboot is limited to
only calling closed-source, proprietary initialization procedures versus
older systems where it handles the entire process (less some binary blobs).

> Maybe they see something they can no longer stomach.
>
> I bought my first AMD system this week.

Welcome to the club! Hope they don't continue following Intel's path
with closed-source PSP etc.




Re: [qubes-users] coreboot on modern hardware?

2019-03-29 Thread Chris Laprise

On 3/29/19 7:18 PM, jrsmi...@gmail.com wrote:
> https://github.com/system76/coreboot
>
> Clearly they think they can handle modern hardware. Makes me wonder why the
> coreboot folks have thrown up their hands and declared defeat.

Maybe they see something they can no longer stomach.

I bought my first AMD system this week.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] coreboot on modern hardware?

2019-03-29 Thread jrsmiley
https://github.com/system76/coreboot

Clearly they think they can handle modern hardware. Makes me wonder why the
coreboot folks have thrown up their hands and declared defeat.



Re: [qubes-users] coreboot on modern hardware?

2019-03-29 Thread jrsmiley
From a recent System76 announcement:

“In firmware news, our engineer Jeremy has made a lot of progress in porting 
Coreboot to the Darter Pro and multiple versions of Galago Pro. It can now run 
both BIOS and UEFI implementations. However, certain bugs need to be worked out 
before we can officially release Coreboot on any of our laptops, such as a bug 
that causes the computer to open from suspend in airplane mode, or another that 
prevents the user from activating the webcam via keyboard functions. These and 
other bugs are being worked out in testing, and many of us across different 
departments are testing Coreboot on our own computers.”



Re: [qubes-users] coreboot on modern hardware?

2019-03-28 Thread Chris Laprise

On 3/28/19 3:51 PM, Sven Semmler wrote:
> On 3/25/19 4:49 PM, jrsmi...@gmail.com wrote:
> > What does this say about the direction Joanna and Golem are
> > taking?
>
> I am severely confused about that. I'd have thought the direction to
> go is open hardware, more local, more decentralized, more
> compartmentalized, zero trust.

I think the idea is that "zero trust" can come from a crypto-based
algorithm and that the hardware will be locally owned like bitcoin. But
I don't necessarily agree with this model; it feeds the "monetize every
relationship and action" trend along with other problems like pollution.
And if the basis is intimately financial, then economies of scale and
expertise will weigh heavily on it the way they have with crypto
currencies: eventual centralization will be baked-in.

Also there are many examples of zero trust (or accountability) in
traditional methods, like counting paper ballots or balancing your
checkbook from bank statements; it's not an invention of Computer
Science. But we love computers and must now throw billions of
transistors at each instance of every little problem; A-Z must receive
the silicon blessing.

-

What I love about personal computers is that they're the opposite of
"strap some chips onto objects and forget about it". They're never mere
"gadgets" but more like a workshop. They do many things and so we focus
on one or two units most of the time; we worry about how fit and
secure our PCs are and we have a dialog with them about it. OTOH, IoT
and other gadgets rarely even reveal anything like an operating system to
us bc we're not supposed to care.

I want operating systems to reveal even more about a computer's internal
state - in snazzy, intuitive ways - than they already are. That's why I
thought at the beginning that "Invisible Things Lab" was such an awesome
moniker while exposing awful things that hide in a computer. Then to
boot they provided a solution that manifests itself in the window frames
we constantly look at. Definitely not a trendy move but great nonetheless.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] coreboot on modern hardware?

2019-03-28 Thread Sven Semmler

On 3/25/19 4:49 PM, jrsmi...@gmail.com wrote:
> What does this say about the direction Joanna and Golem are
> taking?

I am severely confused about that. I'd have thought the direction to
go is open hardware, more local, more decentralized, more
compartmentalized, zero trust.

/Sven


Re: [qubes-users] coreboot on modern hardware?

2019-03-25 Thread jrsmiley
What does this say about the direction Joanna and Golem are taking?  Everyone
builds clouds on Intel hardware.  No getting around that.



Re: [qubes-users] coreboot on modern hardware?

2019-03-25 Thread Chris Laprise

On 3/23/19 3:03 PM, jrsmi...@gmail.com wrote:
> Spent several hours yesterday trying to track down what I would need to do to
> install coreboot on all of my computers, starting with my Qubes box: a Lenovo
> Thinkpad T480.
>
> The bottom line from what I can tell is that if you have an Intel CPU made
> since 2008 (any that have Boot Guard) or an AMD CPU made since 2013 (any that
> have PSP), you are out of luck.  Libreboot spells this out in their docs.  I'm
> not sure if that is because of coreboot itself or something specific to
> Libreboot. I was struck by how they seemed perfectly fine walling themselves off
> from the present and the future.
>
> I could find nothing indicating that anyone had even tried, much less
> succeeded, in installing coreboot on a T480 and everything I did find was for
> much older hardware.
>
> I read through the coreboot docs where they just wave their hands at the end of the build
> process and say "now go flash".  I also read through the heads docs, which say
> more or less the same thing.
>
> Hackaday has an article on the horrors of installing coreboot on a Toshiba
> laptop.  Not only do they neglect to say which model they used, at the end of
> the article they had it working.
>
> The gist is that the information that's out there is out of date, incomplete,
> misleading, and sometimes just incompetent.
>
> I'm hoping that someone here has first-hand knowledge and can advise me (and
> others who read this).

It serves as a reminder that the 'Wintel' platform is really closed.
Open source projects like Coreboot cannot make progress where
information about the hardware is kept secret.

I also think Intel's combination of secrecy and high rate of
vulnerabilities is particularly toxic; some of this stuff can't be
patched so running a 'secure' OS on Intel chips now looks like a futile
exercise.

AMD are also closed, but appear to be more conscientious about how they
design their CPUs given how they are less vulnerable to side-channel
attacks.

FWIW, I think Qubes devs may have seen the handwriting on the wall and
now have at least some level of interest in moving to open hardware like
the POWER CPUs.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] coreboot on modern hardware?

2019-03-25 Thread 799
Hello,

 wrote on Mon, 25 Mar 2019, 02:15:

> That was one of the first places I looked. Maybe I’m just a hardhead, but
> I found it difficult to believe that there really was no support for
> coreboot in any form for modern hardware.
>

The problem seems to be that on modern hardware it is not possible to run
unsigned firmware because of a feature on newer hardware called "boot guard".

https://www.phoronix.com/scan.php?page=news_item=Intel-Boot-Guard-Kills-Coreboot

What Intel is saying about this "feature":
https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf

- O



Re: [qubes-users] coreboot on modern hardware?

2019-03-24 Thread jrsmiley
That was one of the first places I looked. Maybe I’m just a hardhead, but I 
found it difficult to believe that there really was no support for coreboot in 
any form for modern hardware.  



Re: [qubes-users] coreboot on modern hardware?

2019-03-24 Thread 799
Hello,

 wrote on Sun, 24 Mar 2019, 10:11:

> On 2019-03-23 19:03, jrsmi...@gmail.com wrote:
> > Spent several hours yesterday trying to track down what I would need
> > to do to install coreboot on all of my computers, starting with my
> > Qubes box: a Lenovo Thinkpad T480.

[...]
> I'd suggest visiting https://coreboot.org/status/board-status.html to
> see if your box is compatible with coreboot. From what I can see, the
> T480 is not coreboot friendly.
>

The provided link is the right place to see, I have also invested some time
for the research before flashing my X230 with Coreboot and again when I
tried to flash my W540.
It seems that everything after the X230/T430/W530 is not corebootable.
On the other hand the ?30-Series offers enough performance for most
workloads.

Newer hardware will (very likely) not work with Coreboot (if you look into
Lenovo) and NOT buying Lenovo and talking about why you are not buying it
might be the only way to convince companies to change (even when this is
very (!) unlikely).

- O



Re: [qubes-users] coreboot on modern hardware?

2019-03-24 Thread ronpunz
On 2019-03-23 19:03, jrsmi...@gmail.com wrote:
> Spent several hours yesterday trying to track down what I would need
> to do to install coreboot on all of my computers, starting with my
> Qubes box: a Lenovo Thinkpad T480.
> 
> The bottom line from what I can tell is that if you have an Intel CPU
> made since 2008 (any that have Boot Guard) or an AMD CPU made since
> 2013 (any that have PSP), you are out of luck.  Libreboot spells this
> out in their docs.  I'm not sure if that is because of coreboot itself
> or something specific to Libreboot. I was struck by how they seemed
> perfectly fine walling themselves off from the present and the future.
> 
> I could find nothing indicating that anyone had even tried, much less
> succeeded, in installing coreboot on a T480 and everything I did find
> was for much older hardware.
> 
> I read through the coreboot docs where they just wave their hands at
> the end of the build process and say "now go flash".  I also read
> through the heads docs, which say more or less the same thing.
> 
> Hackaday has an article on the horrors of installing coreboot on a
> Toshiba laptop.  Not only do they neglect to say which model they
> used, at the end of the article they had it working.
> 
> The gist is that the information that's out there is out of date,
> incomplete, misleading, and sometimes just incompetent.
> 
> I'm hoping that someone here has first-hand knowledge and can advise
> me (and others who read this).
> 
> Thanks,
> John Smiley

I'd suggest visiting https://coreboot.org/status/board-status.html to
see if your box is compatible with coreboot. From what I can see, the
T480 is not coreboot friendly.

The coreboot web site generally is a very good starting point in
establishing the how, what and when procedures for installing coreboot
successfully.



Re: [qubes-users] Coreboot + Qubes :: Best Practises / Coreboot docs page

2018-03-18 Thread Rusty Bird

799:
> > $ build/cbfstool build/coreboot.rom add-int -i 0 -n etc/pci-optionrom-exec
> 
> When do I need to run this? After building my Coreboot ROM?

Yes, see payloads/external/SeaBIOS/seabios/docs/Runtime_config.md for
a list of cbfs options.

> Can't this option be included in the Coreboot or SeaBIOS menuconfig?

Looks like CONFIG_OPTIONROMS=n ("BIOS Interfaces" -> "Option ROMS" in
SeaBIOS menuconfig) should be equivalent.

> I am already using the console setting in my grub installation.
> Can I still boot from a USB stick which has graphical boot enabled?

Booting works, but the GRUB screen is invisible. And the Qubes
installer boot screen (isolinux) is somewhat garbled.

> > You might also enjoy HEADS.
> > https://github.com/osresearch/heads
> 
> Thanks, looks very interesting, but as far as I understand I don't need
> Seabios when I am running Heads?
> Is somebody already using heads? From the website it seems that it is not
> that easy to install and maybe still under development?

I think that's all correct. Not sure though, I still haven't tried
HEADS myself yet.

Rusty


Re: [qubes-users] Coreboot + Qubes :: Best Practises / Coreboot docs page

2018-03-18 Thread 799
Sorry, last email sent in advance while writing...

Hello Rusty,

Rusty Bird wrote on Sat, 17 March 2018, 23:18:

> SeaBIOS is nice. You can build it with CONFIG_SEABIOS_VGA_COREBOOT=y
> (might be the default now), and completely disable dynamic loading of
> any dubious option ROMs:
>
> $ build/cbfstool build/coreboot.rom add-int -i 0 -n etc/pci-optionrom-exec

When do I need to run this? After building my Coreboot ROM?
Can't this option be included in the Coreboot or SeaBIOS menuconfig?


> That's incompatible with graphical mode GRUB, but you can simply
> change GRUB_TERMINAL_OUTPUT from "gfxterm"[1] to "console"[2] in
> /etc/default/grub and rerun 'grub2-mkconfig -o /boot/grub2/grub.cfg'.

I am already using the console setting in my grub installation.
Can I still boot from a USB stick which has graphical boot enabled?


> You might also enjoy HEADS.
> https://github.com/osresearch/heads


Thanks, looks very interesting, but as far as I understand I don't need
Seabios when I am running Heads?
Is somebody already using heads? From the website it seems that it is not
that easy to install and maybe still under development?

[799]



Re: [qubes-users] Coreboot + Qubes :: Best Practises / Coreboot docs page

2018-03-18 Thread 799
Hello Rusty,

Rusty Bird wrote on Sat, 17 March 2018, 23:18:

>
> SeaBIOS is nice. You can build it with CONFIG_SEABIOS_VGA_COREBOOT=y
> (might be the default now), and completely disable dynamic loading of
> any dubious option ROMs:
>
> $ build/cbfstool build/coreboot.rom add-int -i 0 -n etc/pci-optionrom-exec
>

When do I need to run this?
After I

>
> That's incompatible with graphical mode GRUB, but you can simply
> change GRUB_TERMINAL_OUTPUT from "gfxterm"[1] to "console"[2] in
> /etc/default/grub and rerun 'grub2-mkconfig -o /boot/grub2/grub.cfg'.
>
> IMO it actually looks better - no blindingly bright blue light at
> night, and fewer font changes during startup. I've been meaning
> (forever) to open a pull request to make this the default...
>
> You might also enjoy HEADS[3].
>
> Rusty
>
>
> 1. https://image.ibb.co/jGvCCx/grub_gfxterm.png
> 2. https://image.ibb.co/mbnsCx/grub_console.png
> 3. https://github.com/osresearch/heads



Re: [qubes-users] Coreboot + Qubes :: Best Practises / Coreboot docs page

2018-03-17 Thread Rusty Bird

799:
> Seabios or Grub and are there any special options which might make sense?

SeaBIOS is nice. You can build it with CONFIG_SEABIOS_VGA_COREBOOT=y
(might be the default now), and completely disable dynamic loading of
any dubious option ROMs:

$ build/cbfstool build/coreboot.rom add-int -i 0 -n etc/pci-optionrom-exec

That's incompatible with graphical mode GRUB, but you can simply
change GRUB_TERMINAL_OUTPUT from "gfxterm"[1] to "console"[2] in
/etc/default/grub and rerun 'grub2-mkconfig -o /boot/grub2/grub.cfg'.

IMO it actually looks better - no blindingly bright blue light at
night, and fewer font changes during startup. I've been meaning
(forever) to open a pull request to make this the default...

You might also enjoy HEADS[3].

Rusty


1. https://image.ibb.co/jGvCCx/grub_gfxterm.png
2. https://image.ibb.co/mbnsCx/grub_console.png
3. https://github.com/osresearch/heads
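The GRUB half of the change described in the message above, as an added example that is not part of the original post: a script that switches GRUB_TERMINAL_OUTPUT to "console" in a GRUB defaults file and keeps a backup. The function names (`grub_terminal_output`, `set_grub_console`) are hypothetical, and the sample file in `demo` is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): move GRUB to the text console, the
# setting the message pairs with etc/pci-optionrom-exec=0 in SeaBIOS.

# Print the effective GRUB_TERMINAL_OUTPUT of a defaults file. The file is
# shell syntax, so the last uncommented assignment wins.
grub_terminal_output() {
    sed -n 's/^[[:space:]]*GRUB_TERMINAL_OUTPUT=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Set GRUB_TERMINAL_OUTPUT="console" in file $1.
#  - rewrites every active assignment in place
#  - leaves commented-out assignments untouched
#  - appends the setting when no active assignment exists
#  - keeps the previous content in $1.bak
#  - changes nothing when the effective value is already "console"
set_grub_console() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if [ "$(grub_terminal_output "$file")" = "console" ]; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    if grep -q '^[[:space:]]*GRUB_TERMINAL_OUTPUT=' "$file"; then
        sed 's/^\([[:space:]]*\)GRUB_TERMINAL_OUTPUT=.*/\1GRUB_TERMINAL_OUTPUT="console"/' \
            "$file" > "$tmp"
    else
        { cat "$file"; printf '\nGRUB_TERMINAL_OUTPUT="console"\n'; } > "$tmp"
    fi
    cp -p "$file" "${file}.bak" || { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Demonstration on a constructed sample file in a temporary directory.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/grub" <<'EOF'
GRUB_TIMEOUT=5
GRUB_TERMINAL_OUTPUT="gfxterm"
GRUB_CMDLINE_LINUX="rhgb quiet"
EOF
    echo "before: $(grub_terminal_output "$dir/grub")"
    set_grub_console "$dir/grub"
    echo "after:  $(grub_terminal_output "$dir/grub")"
    rm -rf "$dir"
}
demo

# On a real system, run set_grub_console /etc/default/grub as root and then
# rerun the command from the message: grub2-mkconfig -o /boot/grub2/grub.cfg
```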


Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?

2017-11-05 Thread taii...@gmx.com

On 11/06/2017 01:28 AM, 'Marek Jenkins' via qubes-users wrote:

> > 63xx/43xx is fine as long as you include a microcode update, you need to
> > use coreboot for those but it will do it automatically by default.
>
> Is that only the case with Coreboot BIOS or also with the stock BIOS ?

Coreboot, not sure about the stock BIOS (it differs based on board
revision)

> > > I just told Holger I probably would postpone the installation of Coreboot,
> > > because I have issues with compiling the ROM.
> >
> > As long as you have the prerequisites installed it should work with the
> > default config.
> >
> > > I know that I won't have problems with flashing the BIOS chip myself - my
> > > main problem is getting the settings right in the Coreboot config console
> > > (I am using "$ make nconfig" to compile).
> > >
> > > But I am overwhelmed by all the settings. E.g. which payload (Seabios,
> > > GRUB2,etc) to use and which other settings for the KGPE-D16 ?
> >
> > SeaBIOS for beginners, other than that you don't need to mess with
> > anything the default settings are fine.
> >
> > > So if that would be solved, I might definitely consider to use Coreboot in
> > > the near future.
>
> Hi, I just saw you pretty much answered all questions I had regarding Coreboot
> and its setup for KGPE-D16. I didn't see you already posted here at the time of
> writing my reply in the other thread. So in other words, you don't really need
> to go into great detail again in the other thread - I think I am good !
>
> Maybe I get back to you in case I want to add any security features (AEM) to
> Coreboot.

You would need to enable TPM support in menuconfig and buy a compatible
TPM module.

> But for now, I will start to test it with basic settings.





Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?

2017-11-05 Thread 'Marek Jenkins' via qubes-users
> 63xx/43xx is fine as long as you include a microcode update, you need to 
> use coreboot for those but it will do it automatically by default.

Is that only the case with Coreboot BIOS or also with the stock BIOS ? 

> > I just told Holger I probably would postpone the installation of Coreboot, 
> > because I have issues with compiling the ROM.
> As long as you have the prerequisites installed it should work with the 
> default config.
> > I know that I won't have problems with flashing the BIOS chip myself - my 
> > main problem is getting the settings right in the Coreboot config console 
> > (I am using "$ make nconfig" to compile).
> >
> > But I am overwhelmed by all the settings. E.g. which payload (Seabios, 
> > GRUB2,etc) to use and which other settings for the KGPE-D16 ?
> SeaBIOS for beginners, other than that you don't need to mess with 
> anything the default settings are fine.
> > So if that would be solved, I might definitely consider to use Coreboot in 
> > the near future.
> >

Hi, I just saw you pretty much answered all questions I had regarding Coreboot 
and its setup for KGPE-D16. I didn't see you already posted here at the time of 
writing my reply in the other thread. So in other words, you don't really need 
to go into great detail again in the other thread - I think I am good !

Maybe I get back to you in case I want to add any security features (AEM) to 
Coreboot. But for now, I will start to test it with basic settings.



Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?

2017-11-05 Thread taii...@gmx.com



On 11/04/2017 09:12 PM, 'Marek Jenkins' via qubes-users wrote:

> > > What is the difference between Coreboot and Libreboot ?
> >
> > Philosophy, that's it.
> >
> > Coreboot is sterile and corporate (as evidenced by not only the quiet
> > acceptance of boards with closed source init but the removal of older
> > open source boards from the tree, most people in the project and on the
> > list work for intel/google/etc so any questioning of this is always shot
> > down)
>
> Thanks for that info. From what I found, Librecore also seems to be a fork of
> Coreboot, they only remove all the blobs. But my main concern are Intel
> AMT/ME/vPro - so in other words any remote access / backdoor, so I guess I
> could live with Coreboot.

As I said there isn't any difference if you compile coreboot for a board
supported by libreboot.

> I am going for the KGPE-D16 and it seems they really have put in a lot of
> effort to support it. Also Raptor Engineering seems to do a lot to make
> KGPE-D16 and coreboot work.
>
> I planned to go for a 62xx or 63xx CPU, but probably for a 62xx, because I read
> the 63xx series has a lot of issues with coreboot/libreboot and needs firmware
> / "microcode" updates to work properly - like you mentioned as well.

63xx/43xx is fine as long as you include a microcode update, you need to
use coreboot for those but it will do it automatically by default.

> Do you know if not only the KCMA-D8 but also the KGPE-D16 is also fully
> supported ? Should be, right ?

Sure is, they're pretty much the same thing.

> Thanks for your help!
>
> I just told Holger I probably would postpone the installation of Coreboot,
> because I have issues with compiling the ROM.

As long as you have the prerequisites installed it should work with the
default config.

> I know that I won't have problems with flashing the BIOS chip myself - my main
> problem is getting the settings right in the Coreboot config console (I am
> using "$ make nconfig" to compile).
>
> But I am overwhelmed by all the settings. E.g. which payload (Seabios,
> GRUB2,etc) to use and which other settings for the KGPE-D16 ?

SeaBIOS for beginners, other than that you don't need to mess with
anything the default settings are fine.

> So if that would be solved, I might definitely consider to use Coreboot in the
> near future.





Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?

2017-11-04 Thread 'Marek Jenkins' via qubes-users
On Sunday, November 5, 2017 at 1:55:04 AM UTC+1, tai...@gmx.com wrote:
> On 11/04/2017 08:42 PM, 'Marek Jenkins' via qubes-users wrote:
> 
> > If I choose an older mainboard from AMD for example, which doesn't have all 
> > those bad technologies built-in, I am still much more secure than the 
> > average guy with a new Intel CPU, right ?
> Yeah definitely.
> 
> For instance a H8SCM can be had for $30 (socket C32 like the KCMA-D8), 
> with a 4386 and that you'd be playing new games in a VM with no ME/PSP.

Okay good to know!

I remember you advised to get the mainboard in new condition and everything 
else used. Is that more for security/privacy reasons or just to ensure to buy a 
functional mainboard that hasn't been degraded by years of 24/7 use ?

Because right now, I am sitting on the fence, whether I should really buy the 
mainboard new.
Sometimes I see used mainboards with almost 50% discount, so buying a used one 
would make quite a difference. 



Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?

2017-11-04 Thread 'Marek Jenkins' via qubes-users
On Sunday, November 5, 2017 at 1:55:04 AM UTC+1, tai...@gmx.com wrote:
> On 11/04/2017 08:42 PM, 'Marek Jenkins' via qubes-users wrote:
> 
> > If I choose an older mainboard from AMD for example, which doesn't have all 
> > those bad technologies built-in, I am still much more secure than the 
> > average guy with a new Intel CPU, right ?
> Yeah definitely.
> 
> For instance a H8SCM can be had for $30 (socket C32 like the KCMA-D8), 
> with a 4386 and that you'd be playing new games in a VM with no ME/PSP.

Okay good to know !



Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?

2017-11-04 Thread 'Marek Jenkins' via qubes-users
> > What is the difference between Coreboot and Libreboot ?
> Philosophy, that's it.
>
> Coreboot is sterile and corporate (as evidenced by not only the quiet 
> acceptance of boards with closed source init but the removal of older 
> open source boards from the tree, most people in the project and on the 
> list work for intel/google/etc so any questioning of this is always shot 
> down)

Thanks for that info. From what I found, Librecore also seems to be a fork of 
Coreboot, they only remove all the blobs. But my main concern are Intel 
AMT/ME/vPro - so in other words any remote access / backdoor, so I guess I 
could live with Coreboot.

I am going for the KGPE-D16 and it seems they really have put in a lot of 
effort to support it. Also Raptor Engineering seems to do a lot to make 
KGPE-D16 and coreboot work.

I planned to go for a 62xx or 63xx CPU, but probably for a 62xx, because I read 
the 63xx series has a lot of issues with coreboot/libreboot and needs firmware 
/ "microcode" updates to work properly - like you mentioned as well.

Do you know if not only the KCMA-D8 but also the KGPE-D16 is also fully 
supported ? Should be, right ?

> Libreboot is like an anarchist punk scene complete with a jerk in charge 
> (ex: the FSF related drama) - although she has done quite a bit for the 
> free hardware movement (75K+ for the KGPE-D16 and KCMA-D8 board ports, 
> both entirely libre and RYF certified) and has finally paid her debt for 
> the KCMA-D8 port so I respect her a little bit.
> >
> > Is one better than the other for Qubes OS ?
> If you compile coreboot for say the KCMA-D8 (libre board I recommend 
> that supports v4.0) you're getting the same thing as libreboot if you 
> don't include the microcode update (note: microcode update needed in 
> either OS or firmware for 43xx CPU's due to a very bad exploit which 
> doesn't affect the slightly less fast 42xx CPU's)
> 
> All the libreboot boards work without the binaries contrary to what 
> holger said, you aren't going to boot up and find out there isn't any 
> video or w/e - leah laid out a lot of cash to ensure that.
> 
> I use coreboot.

Thanks for your help!

I just told Holger I probably would postpone the installation of Coreboot, 
because I have issues with compiling the ROM. 

I know that I won't have problems with flashing the BIOS chip myself - my main 
problem is getting the settings right in the Coreboot config console (I am 
using "$ make nconfig" to compile). 

But I am overwhelmed by all the settings. E.g. which payload (Seabios, 
GRUB2,etc) to use and which other settings for the KGPE-D16 ? 

So if that would be solved, I might definitely consider to use Coreboot in the 
near future.



Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?

2017-11-04 Thread taii...@gmx.com

On 11/04/2017 08:42 PM, 'Marek Jenkins' via qubes-users wrote:

> If I choose an older mainboard from AMD for example, which doesn't have all
> those bad technologies built-in, I am still much more secure than the average
> guy with a new Intel CPU, right ?

Yeah definitely.

For instance a H8SCM can be had for $30 (socket C32 like the KCMA-D8),
with a 4386 and that you'd be playing new games in a VM with no ME/PSP.




Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?

2017-11-04 Thread 'Marek Jenkins' via qubes-users
On Sunday, November 5, 2017 at 12:10:26 AM UTC+1, Holger Levsen wrote:
> On Sat, Nov 04, 2017 at 03:53:32PM -0700, 'Marek Jenkins' via qubes-users 
> wrote:
> > so from my understanding, "blobs" is a synonym for proprietary code, right ?
>  
> it's a synonym for "binary object" where in general you don't have the
> source code.
> 
> > I mean if it doesn't really matter for security I can live with those blobs 
> > inside Coreboot. 
> 
> having the source code is generally better for security...
> 
> but if you have hardware which either works with a blob, or doesn't work
> without it, you might want to choose the blob.
> 
> > But Qubes will work better with Coreboot correct or why is it recommended 
> > here ?
> 
> a free bios is better for security. Libreboot supports a lot less
> hardware than coreboot.
> 
> 
> -- 
> cheers,
>   Holger


Okay I see! 

Thanks a lot for taking the time to explain, really appreciate it.

I think Coreboot is an interesting topic, but to be honest, it seems quite 
complex.
I don't really compile code myself and have no idea which settings + payload I 
need to pick to compile the ROM for flashing. And flashing also requires some 
skill + equipment.
Additionally, I read some people have issues with Qubes + SeaBios. Maybe I 
postpone the whole thing to a later day when I have more time to learn 
something new :)

Also, because I don't really think I need that level of security that protects 
someone to tamper with my BIOS :D I just didn't like the idea of having a 
"backdoor" in my system (Intel ME, AMT, vPro), that's how I learned about 
Coreboot.

So the final question:

If I choose an older mainboard from AMD for example, which doesn't have all 
those bad technologies built-in, I am still much more secure than the average 
guy with a new Intel CPU, right ? 

Have a nice weekend!



Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?

2017-11-04 Thread taii...@gmx.com

On 11/04/2017 01:57 PM, 'Marek Jenkins' via qubes-users wrote:

> What is the difference between Coreboot and Libreboot ?

Philosophy, that's it.

Coreboot is sterile and corporate (as evidenced by not only the quiet
acceptance of boards with closed source init but the removal of older
open source boards from the tree, most people in the project and on the
list work for intel/google/etc so any questioning of this is always shot
down)

Libreboot is like an anarchist punk scene complete with a jerk in charge
(ex: the FSF related drama) - although she has done quite a bit for the
free hardware movement (75K+ for the KGPE-D16 and KCMA-D8 board ports,
both entirely libre and RYF certified) and has finally paid her debt for
the KCMA-D8 port so I respect her a little bit.

> Is one better than the other for Qubes OS ?

If you compile coreboot for say the KCMA-D8 (libre board I recommend
that supports v4.0) you're getting the same thing as libreboot if you
don't include the microcode update (note: microcode update needed in
either OS or firmware for 43xx CPU's due to a very bad exploit which
doesn't affect the slightly less fast 42xx CPU's)

All the libreboot boards work without the binaries contrary to what
holger said, you aren't going to boot up and find out there isn't any
video or w/e - leah laid out a lot of cash to ensure that.

I use coreboot.



Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?

2017-11-04 Thread Holger Levsen
On Sat, Nov 04, 2017 at 03:53:32PM -0700, 'Marek Jenkins' via qubes-users wrote:
> so from my understanding, "blobs" is a synonym for proprietary code, right ?
 
it's a synonym for "binary object" where in general you don't have the
source code.

> I mean if it doesn't really matter for security I can live with those blobs 
> inside Coreboot. 

having the source code is generally better for security...

but if you have hardware which either works with a blob, or doesn't work
without it, you might want to choose the blob.

> But Qubes will work better with Coreboot correct or why is it recommended 
> here ?

a free bios is better for security. Libreboot supports a lot less
hardware than coreboot.


-- 
cheers,
Holger



Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?

2017-11-04 Thread 'Marek Jenkins' via qubes-users
On Saturday, November 4, 2017 at 10:47:12 PM UTC+1, Holger Levsen wrote:
> On Sat, Nov 04, 2017 at 10:57:30AM -0700, 'Marek Jenkins' via qubes-users 
> wrote:
> > What is the difference between Coreboot and Libreboot ?
> 
> Libreboot is Coreboot with all the non-free blobs removed (and no free
> software added instead). So if you happen to have hardware which needs
> those blobs, you won't be happy with Libreboot.
> 
> 
> -- 
> cheers,
>   Holger

Hi Holger,

so from my understanding, "blobs" is a synonym for proprietary code, right ?

I mean if it doesn't really matter for security I can live with those blobs 
inside Coreboot. 
I don't need extreme security on that level, I guess :D Just a decently secure 
system that respects privacy.

But Qubes will work better with Coreboot correct or why is it recommended here ?



Re: [qubes-users] Coreboot VS Libreboot :: Which is better for Qubes OS ?

2017-11-04 Thread Holger Levsen
On Sat, Nov 04, 2017 at 10:57:30AM -0700, 'Marek Jenkins' via qubes-users wrote:
> What is the difference between Coreboot and Libreboot ?

Libreboot is Coreboot with all the non-free blobs removed (and no free
software added instead). So if you happen to have hardware which needs
those blobs, you won't be happy with Libreboot.


-- 
cheers,
Holger
