Anti Evil Maid and Lenovo x230

Lots of stuff in your reply!

And in yours. Super helpful!

Justin:
@Insurgo Huge fan of your work. Your endeavors are really inspiring.
Thanks, this is uplifting and really appreciated.

As with the Qubes team, I sometimes worry that you do not hear our (the user base’s) appreciation enough. So for good measure, another heartfelt thank you!

Your question is landing just a little too early.

My bad. Hope I did not speak out of turn. I am new and not ‘in the know’. More on that at the end of this message.

I cannot give details yet, but it seems that most of that integration work will get funded and I will finally be able to be paid to work on those topics as my main focus in the short term.

That is great news! Are donations through Insurgo Initiative - Open Collective a good way to support your Heads development work?

Write protecting bootblock, not yet convinced.

I’m definitely with you here, not eager to externally flash all Heads upgrades unless absolutely necessary, just thought I’d inquire as to your current thoughts. Heads wiki Countermeasures and subsequently write-protecting-the-bios-chip-advanced just always had me curious. Similarly, recommendations to somehow physically disable writable firmware on network hardware (like AR5BHB116?) after externally flashing known “good” firmware, sounds interesting in theory, but I have not seen any practical info. Maybe I need to search more, tho not a priority for me atm.

Disk unlock key being a fallback for authentication is not as much desired than having Heads being a clean room for gpg keypair generation, backup and restore, where generated subkeys could be copied/restored to smartcard, and where the key backup media could be used as a fallback if USB dongle is lost, used to restore keys on received replacement dongle.

Until now, I’ve always created my gpg keys in Qubes (well except prior to my first Heads/Qubes install when I used Tails) so I could do https://docs.nitrokey.com/pro/openpgp-keygen-backup.html and then import onto both a Nitrokey and a Yubikey 4. Using TOTP only with maximized board roms I can use the two keys interchangeably, but this also means another key to keep track of. Consequently the authentication fallback mechanism chosen is less important to me, at least until I lose one of my keys.
Still really like the clean room approach!
May try it on my next key expiry.

I still believe the KGPE-D16 is the best x86 workstation/server platform out there.

Hallelujah! That’s really reassuring and made my day!
Have been neglecting my beast for far too long → HCL

But sourcing used, tested and even better refurbished motherboards, or best, already assembled/mounted servers/workstations or having trusted partners to collaborate with is not an easy task by itself, even less in the same country and with proper warranties, unfortunately. I don’t know if you followed, but Immunefi sponsored kgpe-d16 revival, and 3mdeb is working on the coreboot revival for that platform.

I assembled my own, and know nothing beyond what’s in the following link, but it appears Vikings has 3 workstations in stock at the moment according to KGPE-D16 Workstation – Vikings Shop

I have some idea what’s involved and understand why these machines would be extremely challenging to supply. But developments like Thoughts dereferenced from the scratchpad noise. | KGPE-D16 open-source firmware status and https://3mdeb.com/shop/adapters/flash-chip-adapters/asus-kgpe-d16-flash-chip-adapter/ never mind values-based reasons like you presciently expressed so well in Research support for libreboot/coreboot-based systems · Issue #1594 · QubesOS/qubes-issues · GitHub make the kgpe-d16 a compelling Qubes hardware option in my biased opinion. Suspect ‘I’m preaching to the choir’ here, but never know who might be listening.

But selling refurbished workstations and servers would require proper localized partnerships, and on that, I’m a bit soured, yes.

Understood. Thanks for spending your time taking this diversion with me.

In another thread Insurgo wrote:

I’m not sure how to correctly deal with this community problem/information sharing/fact/technical discussions without having the discussions at numerous places and then post here…

If I may ask, where are those places? As someone new to this community, I suspect I miss many of these discussions despite my interest. I try to watch the osresearch heads github, osfw slack, and the qubes forum and mailing lists but sense I miss important discussions. How do you keep track of all that you do? Any pointers, recommendations, or suggestions for keeping abreast of news?

Thanks again.