Rebuild the Secure Hardware section #331

Closed
opened 2017-09-04 19:02:10 +00:00 by ghost · 9 comments
ghost commented 2017-09-04 19:02:10 +00:00 (Migrated from github.com)

See #330.

We need better options.

We should consider these (not necessarily only HW): LibreBoot, https://system76.com

kewde commented 2017-09-12 11:36:15 +00:00 (Migrated from github.com)

The state of secure hardware is a sad one. The same holds true for operating systems.

I think we should decide on the requirements for secure hardware. Bootstrapping hardware projects is hard, there won't be a plethora of projects to pick from, but we should establish some minimal requirements. There is definitely a need for something better than Intel chips and their ME bullshit.

We should consider all hardware projects that at least provide more security than a typical consumer-grade computer. They won't stand up to the ideals of a secure computer, but they are at least improvements over the existing options and a step in the right direction. The creation of more secure hardware is an incremental process and won't happen overnight, but what we can do is show support for those that have started the journey.

Eduardo06sp commented 2017-12-28 07:11:13 +00:00 (Migrated from github.com)

May be interesting to some:
"System76 will disable Intel Management engine on its laptops"
https://liliputing.com/2017/11/system76-will-disable-intel-management-engine-linux-laptops.html

ghost commented 2017-12-28 18:34:19 +00:00 (Migrated from github.com)

u/trai_dep on purism:

> What's vexing with Purism is, since their launch years ago, they've been promising, Any day now! When the Core/Libre boot folks were saying, Not so fast. And their "progress chart" is the same place now as it was then. Even shadier shenanigans in other ways that I won't get into here.
>
> https://www.reddit.com/r/linux/comments/3ew6pz/libreboot_exposes_the_purism_librem_as_fraud/
>
> https://www.reddit.com/r/linux/comments/69k4l9/purism_librem_laptops_any_feedback_from_real/
beerisgood commented 2017-12-28 19:01:24 +00:00 (Migrated from github.com)

@Shifterovich interesting. Thanks

kewde commented 2017-12-30 08:33:23 +00:00 (Migrated from github.com)

Purism definitely hasn't managed to get rid of all proprietary code.
It is however a step in the right direction. I haven't done much research in this area. Feel free to share information, the good and the bad.

LibreBoot provides a hardware compatibility list, which is a good entry point for what we're doing:
https://libreboot.org/docs/hardware/

I don't know if there are any vendors who provide these laptops with libreboot in them by default? Also, recommending secure hardware is one thing, but providing users with a place to purchase their equipment is another. Whilst the hardware might be secure, the seller may have malicious intent. I think for now, that we should focus on merely getting a list of potential hardware.

Atavic commented 2018-10-06 19:53:28 +00:00 (Migrated from github.com)

Almost a year passed, and we got [this](https://github.com/CHEF-KOCH/NSABlocklist/issues/25). For more, see: https://securinghardware.com/articles/hardware-implants/
gjhklfdsa commented 2018-11-25 18:25:46 +00:00 (Migrated from github.com)

@Shifterovich I would warn against using System76. They don't appear to have any long term privacy and security goals. They appear to be focusing more on ease of use than Purism, this is a good thing, however they appear to promote non-free software in the process.

Their OS is based on Ubuntu. PureOS (what Purism uses) is based on Debian. Basically everything in Ubuntu can be done in Debian. However, Debian is noticeably more "free".

As for the Purism haters, they did suck for a long time. Currently however they are probably the only viable Linux laptop supplier with Coreboot, a CPU that is at least Intel Core i5, a free software OS, while still promoting ease of use for long term adoption.
System76 cannot say these things.

gary-host-laptop commented 2021-01-20 23:34:09 +00:00 (Migrated from github.com)

In my opinion this should be closed since there's already #904 discussing this. @freddy-m @dngray

freddy-m commented 2021-03-17 14:04:50 +00:00 (Migrated from github.com)

Duplicate of #904

Reference: privacyguides/privacytools.io#331