Re: [qubes-users] Re: Qubes 4.x and Librem 13

2016-11-30 Thread raahelps
On Saturday, November 26, 2016 at 3:44:49 AM UTC-5, Grzesiek Chodzicki wrote:
> On Saturday, 26 November 2016 03:06:06 UTC+1, rspei...@gmail.com wrote:
> > It seems that Purism has failed to follow through on its promise to provide 
> > open firmware (i.e. coreboot) and overstated its capability to provide a 
> > completely free firmware (i.e. libreboot). As a result, they have left many 
> > unhappy customers and/or prospective customers. I doubt that we will ever 
> > have libreboot on current/new Intel hardware.
> > 
> > Optimistically speaking, a truly open hardware ecosystem (i.e. Risc-V, 
> > OpenPower) will likely take ~3-10 years to become commercially viable. 
> > Considering the pragmatic approach that Qubes OS is taking, it would seem 
> > ideal to get the most secure and privacy-protecting hardware in the 
> > short-term until such time that we can have "truly" secure and 
> > privacy-protecting hardware in the long-term.
> > 
> > As Marek pointed out, the Librem 13 would work with Qubes OS 4.x and "may 
> > be somehow more secure with Coreboot (less places to hide some backdoor), 
> > but may be also less stable - depending how mature is Librem 13 support in 
> > Coreboot." As Grzesiek pointed out, waiting until 4.x to be released makes 
> > sense since "a better option might present itself". In addition, it would 
> > give Purism an opportunity to right a wrong.
> > 
> > That said, besides the Librem 13, I haven't seen nor heard of another 
> > laptop that provides hardware switches to disable camera/audio/wifi and 
> > components that do not require blobs (CPU excepted of course). Besides my 
> > Google Pixel LS Chromebook running linux, I'm unsure whether there is a 
> > better option at this point.
> > 
> > Thanks,
> > Roberto
> 
> Don't get me wrong, I respect the idea the Purism guys had when they created 
> Librem. But the Librem 15 costs 1600$ for 8GB of RAM, dual core i7 and a 
> sata SSD. 32 GB of RAM are additional 530$. Total cost of the most pimped out 
> version is over 3400$. For half that money you can have the most pimped out 
> version of Thinkpad T560. High prices alienate the userbase and make it seem 
> like the privacy is a privilege of the rich.

so is healthy food unfortunately man...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9aa80b95-f071-4577-9ae7-35864547e2b8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Qubes 4.x and Librem 13

2016-11-26 Thread Grzesiek Chodzicki
On Saturday, 26 November 2016 03:06:06 UTC+1, rspei...@gmail.com wrote:
> It seems that Purism has failed to follow through on its promise to provide 
> open firmware (i.e. coreboot) and overstated its capability to provide a 
> completely free firmware (i.e. libreboot). As a result, they have left many 
> unhappy customers and/or prospective customers. I doubt that we will ever 
> have libreboot on current/new Intel hardware.
> 
> Optimistically speaking, a truly open hardware ecosystem (i.e. Risc-V, 
> OpenPower) will likely take ~3-10 years to become commercially viable. 
> Considering the pragmatic approach that Qubes OS is taking, it would seem 
> ideal to get the most secure and privacy-protecting hardware in the 
> short-term until such time that we can have "truly" secure and 
> privacy-protecting hardware in the long-term.
> 
> As Marek pointed out, the Librem 13 would work with Qubes OS 4.x and "may be 
> somehow more secure with Coreboot (less places to hide some backdoor), but 
> may be also less stable - depending how mature is Librem 13 support in 
> Coreboot." As Grzesiek pointed out, waiting until 4.x to be released makes 
> sense since "a better option might present itself". In addition, it would 
> give Purism an opportunity to right a wrong.
> 
> That said, besides the Librem 13, I haven't seen nor heard of another laptop 
> that provides hardware switches to disable camera/audio/wifi and components 
> that do not require blobs (CPU excepted of course). Besides my Google Pixel 
> LS Chromebook running linux, I'm unsure whether there is a better option at 
> this point.
> 
> Thanks,
> Roberto

Don't get me wrong, I respect the idea the Purism guys had when they created 
Librem. But the Librem 15 costs 1600$ for 8GB of RAM, dual core i7 and a 
sata SSD. 32 GB of RAM are additional 530$. Total cost of the most pimped out 
version is over 3400$. For half that money you can have the most pimped out 
version of Thinkpad T560. High prices alienate the userbase and make it seem 
like the privacy is a privilege of the rich.



Re: [qubes-users] Re: Qubes 4.x and Librem 13

2016-11-25 Thread rspeiglvera
It seems that Purism has failed to follow through on its promise to provide 
open firmware (i.e. coreboot) and overstated its capability to provide a 
completely free firmware (i.e. libreboot). As a result, they have left many 
unhappy customers and/or prospective customers. I doubt that we will ever have 
libreboot on current/new Intel hardware.

Optimistically speaking, a truly open hardware ecosystem (i.e. Risc-V, 
OpenPower) will likely take ~3-10 years to become commercially viable. 
Considering the pragmatic approach that Qubes OS is taking, it would seem ideal 
to get the most secure and privacy-protecting hardware in the short-term until 
such time that we can have "truly" secure and privacy-protecting hardware in 
the long-term.

As Marek pointed out, the Librem 13 would work with Qubes OS 4.x and "may be 
somehow more secure with Coreboot (less places to hide some backdoor), but may 
be also less stable - depending how mature is Librem 13 support in Coreboot." 
As Grzesiek pointed out, waiting until 4.x to be released makes sense since "a 
better option might present itself". In addition, it would give Purism an 
opportunity to right a wrong.

That said, besides the Librem 13, I haven't seen nor heard of another laptop 
that provides hardware switches to disable camera/audio/wifi and components 
that do not require blobs (CPU excepted of course). Besides my Google Pixel LS 
Chromebook running linux, I'm unsure whether there is a better option at this 
point.

Thanks,
Roberto



Re: [qubes-users] Re: Qubes 4.x and Librem 13

2016-11-25 Thread Duncan Guthrie

On 25.11.2016 04:36, Jean-Philippe Ouellet wrote:
> On Thu, Nov 24, 2016 at 8:12 PM, Duncan Guthrie wrote:
> > And of course Coreboot is fast and fun.
>
> I love your description of BIOS work as "fun" ;)
>
> In my experience, getting things working has been anything but! xD

I like customising things, so it is fun. Coreboot usually works fine the 
first time you compile...


As for the fun, what I am referring to is some of its advanced features 
- can your BIOS run Tetris from the flash chip, I ask?


D



Re: [qubes-users] Re: Qubes 4.x and Librem 13

2016-11-24 Thread Duncan Guthrie

On 25.11.2016 01:44, taii...@gmx.com wrote:
> Purism laptops are new intel so they will never have real coreboot
> support, only FSP shimboot which is a black box that does most of the
> work.
>
> It's pointless, honestly you might as well just get an AMD (with
> iommu/amd-vi) laptop if you want to avoid ME (just make sure it does
> not have AMD PSP, lol) - it'll have a closed source BIOS but no more
> dangerous than FSP in terms of backdoor potential.
>
> You could also get an older pre-FSP thinkpad, as there is some work
> being done RE: stripping out and thus nerfing most of ME.
>
> https://www.phoronix.com/scan.php?page=news_item=Purism-Librem-Still-Blobbed
> https://blogs.coreboot.org/blog/2015/02/23/the-truth-about-purism-why-librem-is-not-the-same-as-libre/
>
> Purism is at best, selling an unfinished product and at worst being
> incredibly dishonest. If google can't get intel to hand over the FSP
> and ME code then nobody can. I think it is funny that the purism types
> think that setting ME to "disabled" in option rom actually shuts it
> off.


Hej folks,

Yes, Purism was basically a scam. They could at least have made the 
thing boot faster by including blobbed Coreboot, but they couldn't even 
be bothered doing that.


I'd like to add my thoughts about the current situation with Coreboot 
and the Intel FSP.


Virtualisation is currently broken on the most recent ThinkPad X200, 
T400, etc laptops and desktops that work without the ME blob, but it is 
presumably possible to make them boot, perhaps through including 
microcode updates in the Coreboot build. I haven't tested this yet so it 
is not clear yet. Either way IOMMU is also broken on this generation 
(and this will probably never change since this is a flaw in the 
hardware implementation of IOMMU) so Qubes might not be so secure here. 
Better than nothing, but still...


Another good option might be the ThinkPad X201, where VT-d is thankfully 
not broken, but it does include the ME blob in order to make the thing 
boot. It doesn't include Intel FSP (it is from way before that), so it 
isn't *that* bad, and certainly it stops *Lenovo* (as opposed to Intel) 
from putting bad things through the BIOS to attack Qubes. But it is 
still fatally flawed in that the ME's reach is far indeed... But you get 
native graphics init which is nice if you are a Coreboot nerd. And it is 
possible, albeit hard to reverse engineer the chipset to find a flaw to 
bypass the ME. So this may be a *really* good option in the future for 
Qubes, if people work on it.


Here lies the dilemma with Coreboot and Qubes. Broken IOMMU sans ME, or 
working (as it stands) IOMMU along with the ME?
The X201 is probably a better choice than the vile Librem laptops for 
the average Qubes user. Durable, cheap second hand, IOMMU all present 
and correct. ME is bad but not *as* bad as it has become as of late. And 
of course Coreboot is fast and fun.


D



Re: [qubes-users] Re: Qubes 4.x and Librem 13

2016-11-24 Thread taii...@gmx.com
Purism laptops are new intel so they will never have real coreboot 
support, only FSP shimboot which is a black box that does most of the work.


It's pointless, honestly you might as well just get an AMD (with 
iommu/amd-vi) laptop if you want to avoid ME (just make sure it does not 
have AMD PSP, lol) - it'll have a closed source BIOS but no more 
dangerous than FSP in terms of backdoor potential.


You could also get an older pre-FSP thinkpad, as there is some work 
being done RE: stripping out and thus nerfing most of ME.


https://www.phoronix.com/scan.php?page=news_item=Purism-Librem-Still-Blobbed
https://blogs.coreboot.org/blog/2015/02/23/the-truth-about-purism-why-librem-is-not-the-same-as-libre/

Purism is at best, selling an unfinished product and at worst being 
incredibly dishonest. If google can't get intel to hand over the FSP and 
ME code then nobody can. I think it is funny that the purism types 
think that setting ME to "disabled" in option rom actually shuts it off.




Re: [qubes-users] Re: Qubes 4.x and Librem 13

2016-11-24 Thread Marek Marczykowski-Górecki

On Thu, Nov 24, 2016 at 02:30:30PM -0800, rspeiglv...@gmail.com wrote:
> Thanks Marek... that was very helpful. Realistically speaking... could I 
> purchase the Librem 13, install the Coreboot firmware and then it make be 
> compatible with R4.x?

As I said - compatible with Qubes 4.x (in meaning "Qubes 4.x will work
on it") it will be even without Coreboot. It may be somehow more secure
with Coreboot (less places to hide some backdoor), but may be also less
stable - depending how mature is Librem 13 support in Coreboot.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Re: Qubes 4.x and Librem 13

2016-11-24 Thread Marek Marczykowski-Górecki

On Thu, Nov 24, 2016 at 12:51:41PM -0800, rspeiglv...@gmail.com wrote:
> Thanks for your feedback. I heard that Coreboot was released for Librem 13 by 
> a 3rd party. Is that not open enough or is it that it hasn't been officially 
> accepted by Librem?

The latter. Librem as you can buy it is still shipped with proprietary
BIOS and I haven't heard of any realistic plans for changing it. Even
though most (all?) the work on Coreboot side is done...

Other than that, Librem definitely meets minimum requirements, but as
mentioned before - is somehow overpriced.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Re: Qubes 4.x and Librem 13

2016-11-24 Thread rspeiglvera
Thanks for your feedback. I heard that Coreboot was released for Librem 13 by a 
3rd party. Is that not open enough or is it that it hasn't been officially 
accepted by Librem?



Re: [qubes-users] Re: Qubes 4.x and Librem 13

2016-11-24 Thread rspeiglvera
Thanks for your feedback. I heard that Coreboot was released for Librem 13 by a 
3rd party. Is that not open enough or is it that it hasn't been officially 
accepted by Librem?



Re: [qubes-users] Re: Qubes 4.x and Librem 13

2016-11-24 Thread Grzesiek Chodzicki
On Thursday, 24 November 2016 21:06:45 UTC+1, Jean-Philippe Ouellet wrote:
> On Thu, Nov 24, 2016 at 3:00 PM, Grzesiek Chodzicki
>  wrote:
> > On Thursday, 24 November 2016 20:53:08 UTC+1, rspei...@gmail.com wrote:
> >> I am interested in purchasing the Purism Librem 13 laptop and noticed that 
> >> it was supported for Qubes R3.x but not R4.x.
> >>
> >> Is this because of some hardware issues or because R4.x hasn't been 
> >> released yet? Would it make sense to wait for R4.x before purchasing?
> >
> > Definitely wait for 4.X
> 
> Why? I don't see the logic for that...
> 
> I can't envision hardware support regressions on a laptop that (afaik
> at least one?) of the devs use as their primary machine.
> 
> AFAIK the librem isn't certified for Qubes 4 because it lacks open
> firmware which is one of the requirements to be certified for qubes 4
> [1], but no machine currently meets those, and librem hardware won't
> magically degrade itself with the passage of time in qubes-land.
> 
> IMO if it meets your needs now, it will continue to meet your needs then...
> 
> [1]: https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/

Because we have no idea when 4.X is going to be released and until then a 
better option might present itself. Librem laptops are imho a bit overpriced 
for the hardware you get.



Re: [qubes-users] Re: Qubes 4.x and Librem 13

2016-11-24 Thread Jean-Philippe Ouellet
On Thu, Nov 24, 2016 at 3:00 PM, Grzesiek Chodzicki
 wrote:
> On Thursday, 24 November 2016 20:53:08 UTC+1, rspei...@gmail.com wrote:
>> I am interested in purchasing the Purism Librem 13 laptop and noticed that 
>> it was supported for Qubes R3.x but not R4.x.
>>
>> Is this because of some hardware issues or because R4.x hasn't been released 
>> yet? Would it make sense to wait for R4.x before purchasing?
>
> Definitely wait for 4.X

Why? I don't see the logic for that...

I can't envision hardware support regressions on a laptop that (afaik
at least one?) of the devs use as their primary machine.

AFAIK the librem isn't certified for Qubes 4 because it lacks open
firmware which is one of the requirements to be certified for qubes 4
[1], but no machine currently meets those, and librem hardware won't
magically degrade itself with the passage of time in qubes-land.

IMO if it meets your needs now, it will continue to meet your needs then...

[1]: https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/
