An idea on Intel ME removal: use clusters to avoid the 30 minute shutdown

Hello, I have a question.
I am new to QubesOS.

I have heard that it is impossible to remove the ME on modern Intel CPUs as it shuts down in 30 minutes when removed.

What I came up with is to create a cluster of computers with the ME removed and restart them sequentially at intervals of 30 minutes or less.

I think that would avoid the shutdown problem,
I would like to know if it is possible.

Furthermore, is it conceivable to run QOS on that cluster?

Please let me know what you think.

I :heart: :ice_cube: OS

Can you please explain the use case of this, but for dummies? You use the first computer, then it resets, then…?

I think the use case is clear: you can run your modern cluster for anything without Intel ME.

I do not see why it couldn’t work in principle, but it would be a huge waste of resources for frequent reboots and data transfer and for running several machines simultaneously…

offtopic

That’s why I asked. Not to mention wasting energy…

Let’s say you reboot every 30 minutes and it takes 1 minute to reboot, I think it would only be a 3% time loss.
(1 min / 30 min * 100)

Currently the only computers that can be used without the ME are those supported by LibreBoot, but they are old and consume so much power.
And only very old CPUs are supported.
Modern CPUs consume much less power.

I think this idea is much more energy-efficient :upside_down_face:

The problem with the 30 minute shutdown for me is that my work is interrupted because the computer shuts down every 30 minutes.
My point is, "Well, can’t we use clusters to prevent work from being interrupted?"

You forgot that you need at least two computers for a single task in such case, i.e., you are wasting one whole computer and its resources. Also the regular copying of files takes resources. The latter could be significant, depending on the file sizes.

However you are right about a higher energy efficiency of the newer CPUs. I have no idea whether it would be worth it.

Or maybe do you expect to use them both at the same time as an actual cluster? Perhaps for that you need Qubes Air, which is not ready yet.

Your setup would not be equal to a librebooted computer. The whole reason they are rebooting every 30 minutes is that proprietary software outside of our control is still doing something on your computer that you don’t want. You would still have to trust that the non-removed part of Intel ME is not doing anything else suspicious.


I don’t think you are “wasting” the computers, just “using” the resources of the two computers.

Ah, yes, indeed.
Maybe I should compare it to me_cleaner?


So I guess it doesn’t make much sense?

Huh?
I thought I was replying to you, but it looks like I posted the above message as a new message.
Anyway, thanks for the reply.

You could use the two computers for two different tasks, or sell one of them. Instead you would use them to run a single Qubes OS instance, which likely could work fine on just one computer. How is this not wasting resources? Which benefit of using the two do you see, apart from partly removing Intel ME?

You would not be able to benefit from the additional security through isolation offered by Qubes Air, because you would have to copy all your working files between the computers all the time. However, you might benefit from more CPU power and RAM on Qubes Air, if you find how to use them.

Yes, this could probably be a reasonable comparison.

I saw this as a reply to me, although the interface doesn’t show it as one. Might be a bug in Discourse @deeplow?

The Art of War Quotes

“The supreme art of war is to subdue the enemy without fighting.” ...
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. ...
“Let your plans be dark and impenetrable as night, and when you move, fall like a thunderbolt.”

Well, since you worked on it do you mind giving us an high level overview on how that kernel version would achieve such a thing?

Your kernel would run on the main CPU, how would it block or even monitor what the ME is doing?

Why would anyone in their right mind use an unofficial Qubes OS kernel provided by an anonymous person anyway?


I guess getting chewed up again …
No thanks, you’re smart enough; I looked into you.

Plus it would be a push to qubes os repo.
Been reviewing all of it for the 3rd time now.
Have been contributing to docs.

Well I coded this at the key of @marmarek on his code style. So I think once he sees that code was done to mimic his style he’s gonna love it!

~X

Currently the only computers that can be used without the ME are those supported by LibreBoot, but they are old and consume so much power.

You forgot about AMD! The latest AMD-without-PSP is significantly more powerful than the latest Intel-without-ME - and there are AMD platforms supported by the opensource coreboot BIOS. Actually, we have been discussing one of them - Lenovo G505S - here: Lenovo G505s - #5 by mike_banon. Quad-core CPU, 16GB RAM, no PSP, works fine with Qubes (i.e. because IOMMU is functional with coreboot), and thanks to coreboot you can be sure there are no backdoors in BIOS.


This is gibberish and shows absolutely no understanding of how ME works - you are creating spam and FUD. Not a great look for your first few posts from suspension.

You cannot do anything in the kernel to have control over ME. The Intel ME is a separate microcontroller with its own processor, memory, and I/O, running closed firmware - which has total visibility into the RAM and CPU that you know as “your computer”.

If you know anything about Rings, then you will know that something running in Ring 1 has no control over Ring 0 - but Ring 0 can totally pwn Ring 1. The kernel runs in Ring 0. Drivers are Ring 1/2. Userland is Ring 3. Just think of ME as a kind of “Ring -3” (even though it’s not; it’s actually another separate computer inside your computer, with full host memory access).

Here’s a handy infographic …

and here’s some educational reading


https://forum.qubes-os.org/t/intel-me-real-threat-for-ordinary-persons/7693/10?u=enmus


Hi @mike_banon! This is a great point. I was sad to see the AMD boards exit coreboot. I had started to work on the HP t730 about 18 months back, but it was slow going. Too long-winded and off topic to go into; I should have just reached out. Love the blog btw. Keep up the good work.


Hi there @Plexus ! Thank you for the kind words :wink:

I was sad to see the AMD boards exit coreboot

It’s not that bad:

  1. Currently it’s not a big issue: there haven’t been any significant achievements since last November (when our boards got dropped), so by sitting on the outdated coreboot we aren’t missing out too much yet.
  2. When this will become more of an issue, we may come up with the list of “git revert” commands, intended to be applied on top of a coreboot master. These “git revert’s” will undo the commits which drop our boards, as well as the commits which break a coreboot for us somehow - and this way we’ll still get the latest coreboot for our boards. Although, there will be an extra hassle of maintaining this list - of course more “bad commits” might be arriving in the future, and there will be the moments when we get bad ROMs until someone updates this list further…
  3. Actually, our boards may be not completely gone: they got forked to a separate branch, and there’s a chance they might return after the incompatibility with the modern “bells and whistles” like a v4 resource allocator will be addressed

HP T730

Well, it is a thin client which seems to have an embedded AMD RX-427BB CPU with performance inferior to i.e. the A10-6700 / A10-6800K of the coreboot-supported A88XM-E board. Another issue with the RX-427BB is that it’s based on Steamroller, which - still being an architecture of the fam15h family - doesn’t have a PSP “backdoor”, but its AGESA library already became a binary blob, which seriously ruins the compatibility with the opensource coreboot BIOS. That’s the same reason why - despite the A88XM-E having an FM2+ socket - you can’t put an A10-7*** CPU into the A88XM-E and still enjoy coreboot; but you’ll be fine with the A10-6700 / A10-6800K because their AGESA is 100% opensource - including all that cool low-level stuff like DDR3 memory training…

More info about “coreboot for AMD” can be found here - and, although it’s written with the G505S in mind, the coreboot for the A88XM-E / AM1I-A boards is pretty similar, and the primary difference is just how to flash the BIOS and what config to use. If you have any plans to get one of these platforms for your coreboot no-ME/PSP experience, I will be happy to answer all your questions that might arise :wink:


Any way you can explain this coreboot thing to me? Should I get it even though my system is PSP-less and already has IOMMU?