Re: [qubes-users] Re: Is a legacy BIOS preferable to UEFI for a secure system?
Yes it is. I despise the OEMs forcing UEFI on us. Although both are insecure vs a libre BIOS such as select coreboot boards (ex: KCMA-D8/KGPE-D16) and the OpenPOWER TALOS 2 (only $2.5K now for board/cpu, which is less than x86_64 server hardware with equiv performance), I highly suggest getting one ASAP, especially as the D8 and D16 are the last best owner-controlled x86_64 boards and they will stop being available soon (the libre firmware has more features than the closed-source firmware; there is also OpenBMC, which is so much better than the exploit-filled OEM BMC firmware), and they are capable of playing modern games in a VM via IOMMU-GFX. Building and flashing firmware is very easy on these boards.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2e1a1d39-499a-f0b2-c3e9-2a0908567363%40gmx.com.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Is a legacy BIOS preferable to UEFI for a secure system?
On Thursday, February 1, 2018 at 6:18:14 PM UTC+1, vel...@tutamail.com wrote:
> Is legacy BIOS still preferred and likely compatible with 4.0 when final?

You're seeing it backwards; flip it around and you might see where the problem is. Instead ask: is UEFI reliable/secure now? In short, no, and probably not for a long time unless some big changes arrive in the mainstream market, which is unlikely to happen any time soon.

As I understand it, the legacy BIOS is so slowly updated, or not updated at all, that Xen/kernel updates can keep up to speed with it and fix issues not fixed in the legacy BIOS. But UEFI is another story altogether, not to forget a highly fragmented distribution of different releases, which is impaired in many ways (briefly mentioned further below). This is why UEFI, under current schemes, will never catch up to high quality the way it works now, and it will never become anything "reliable" that you might want. In other words, it requires a shift in politics, business ethics, laws, or even the appearance of a strong competitor which provides open and high-quality motherboard firmware that becomes distributed mainstream. And none of that is happening, hence we're locked in with poor UEFI updates.

Every motherboard provider updates their own motherboards, and the updates are all tailored for each model of motherboard released. In a sense, this is similar to how updates are distributed on Android, or upstream/downstream Linux updates; it can be a major issue, especially if not enough attention is put to it. The problem with motherboard companies, though, is that they rarely make much effort to maintain their firmware, especially on the cheap motherboards, but not exclusively so. Some cheap boards can be decent too, but it's like a needle in a haystack without someone buying it and reviewing the motherboard for you first, or just trying your luck... Some motherboards will never even get properly updated; they'll just ignore the customers who bought it.
And this issue won't go away, because there is little better competition to be found when all of them are doing the same careless act. Just look at the printer or router industry: they are all ignoring the costs required to keep it up to date, reliable and secure, thereby increasing their profits by reducing costs and trying to hide the fact from customers that they are doing so. If enough customers were aware and annoyed by it, then a new, better business taking customers' needs into consideration might more easily appear, but that hasn't happened yet. Not to forget, there are big muscles on the market; it isn't so easy for a new company to emerge without some serious funding. These existing companies do not want to make something needlessly more expensive to increase the quality, just to satisfy a customer who has little or no better alternative on the market anyway. You're locked in; you can't pick much better, at least not at that price or if you go look for reviews. And even then, expensive doesn't mean it'll be good either.

Combine this corruption of businesses with the security implication in Marek's explanation up above, and you'll quickly see why this is going nowhere anytime soon. UEFI is no quality, and is very slowly updated and maintained. Quite a few motherboard companies even discourage you from updating the motherboard unless something is explicitly broken and an update may fix it. In other words, they're saying: "if it works, don't update". This is just absurd... and it isn't hard to make a double BIOS/UEFI motherboard to secure it against failed updates either. They are just trying to maximize profits, ignoring customer needs, and they're especially happy the fewer people know about this business model they're using, because then it's easier to maintain buggy hardware/software at little cost and keep the profits coming in.
But there is a big problem with that in terms of quality and customer needs, since this way you don't get the few security or other updates you may want. You could get other motherboard firmware though, like https://www.coreboot.org/ https://libreboot.org/ and https://www.reddit.com/r/opensource/comments/4lu2l0/open_source_bios/

Some people here are pretty good with alternative motherboard firmware; maybe you're lucky and some will post here to give more detailed answers on how to go about it, if you want to go down that road. If no one posts here, then try searching old posts in the qubes mail threads, or make a new thread asking if they do not answer your questions.
Re: [qubes-users] Re: Is a legacy BIOS preferable to UEFI for a secure system?
Is legacy BIOS still preferred and likely compatible with 4.0 when final?
Re: [qubes-users] Re: Is a legacy BIOS preferable to UEFI for a secure system?
On Sat, Aug 06, 2016 at 11:49:09PM +0100, Stephen Moreno wrote:
> On 08/02/2016 09:55 PM, Marek Marczykowski-Górecki wrote:
> > I think it doesn't really matter from a security point of view. Either
> > legacy or UEFI BIOS can contain bugs fatal to the system security.
> >
> > On the other hand, many UEFI BIOSes contain bugs affecting Qubes OS.
> > Legacy BIOSes also have bugs, but those are much older and already have
> > workarounds in Xen/Linux.
> > In addition, Anti Evil Maid (which can detect some firmware
> > modifications) isn't compatible with UEFI.
> > In short: choose legacy BIOS (or at least a BIOS with legacy boot mode),
> > for better Qubes OS support.
> >
> > --
> > Best Regards,
> > Marek Marczykowski-Górecki
> > Invisible Things Lab
>
> Hi Marek,
>
> Thanks for your reply.
>
> After some further research it looks like my choice for an AM3 board is
> either:
> older 760G chipset with legacy BIOS but no IOMMU
> OR
> newer 970 chipset with IOMMU but also a UEFI BIOS
>
> I would be really interested in your views regarding this choice. Which
> option would you go for?
> (I will need to use bluetooth with this system, in case that sways you
> towards a board with IOMMU.)

Yes, go for the one with IOMMU.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [qubes-users] Re: Is a legacy BIOS preferable to UEFI for a secure system?
On Wednesday, August 3, 2016 at 06:15:38 UTC+2, Manuel Amador (Rudd-O) wrote:
> On 08/02/2016 06:10 PM, grzegorz.chodzi...@gmail.com wrote:
> > Easier troubleshooting/updating/diagnostics. Modern UEFI installed on e.g.
> > gaming motherboards can update itself over an Ethernet connection, reinstall
> > itself from scratch and sometimes contains a built-in mini-Linux. If you do
> > not need such bonuses then legacy BIOS will do just fine.
>
> How do you / how can I identify these malevolent mobos?
>
> --
> Rudd-O
> http://rudd-o.com/

Pretty much any motherboard made by MSI, Asus, Asrock or Gigabyte, especially the ones marketed for gamers. Workstation/server motherboards should be fine though. IPMI is less of an issue on ws/server mobos since it usually runs only over its own separate Ethernet controller.

Funny story: a few weeks ago I helped my friend put together a gaming PC. The motherboard didn't even POST correctly until we connected the Ethernet cable so it could update itself. Utterly terrifying.
Re: [qubes-users] Re: Is a legacy BIOS preferable to UEFI for a secure system?
On 08/02/2016 06:10 PM, grzegorz.chodzi...@gmail.com wrote:
> Easier troubleshooting/updating/diagnostics. Modern UEFI installed on e.g.
> gaming motherboards can update itself over an Ethernet connection, reinstall
> itself from scratch and sometimes contains a built-in mini-Linux. If you do
> not need such bonuses then legacy BIOS will do just fine.

How do you / how can I identify these malevolent mobos?

--
Rudd-O
http://rudd-o.com/