Core boot new motherboards

Is it worth running Qubes on a system that has a new motherboard that you can't use coreboot on? How much of a security risk is running normal UEFI and Intel ME with a Qubes system?

1 Like

You don't need to run coreboot.

If your system doesn't support coreboot, it doesn't support coreboot; using a different OS isn't going to allow you to use coreboot. Using Qubes with the stock firmware is still more secure than Linux or Windows with the same firmware.

ME can be a security issue. I prefer to disable ME; if you can't disable it, you want to make sure you keep it updated. I don't think there is any magic bean backdoor hiding in ME, but there could be some very dangerous software vulnerabilities.

1 Like

Thanks for the reply.

Another question. Is it worth getting older hardware that can have coreboot and ME disabled over newer hardware? I see that lots of the computers that are sold with Qubes have this done.

I see that the Z690 works with coreboot. What about maybe the Z790-i with DDR5? How difficult would it be to get it working with that?

It's personal preference. I personally don't think it matters, but your threat model might be different.

I have both the Z690 and X230. The X230 can be almost fully cleaned with me_cleaner, and the Z690 can only HAP-disable ME. I think the overall user experience with the 12th gen CPU and 64 GB memory makes it worth it for me to only disable ME with HAP, but you might want something else.

The Z790 A or P board might get coreboot support, but currently only the Z690 boards are supported; the next Dasharo release will add support for 13th gen to the Z690.

GitHub is the best place to get updates: Dasharo Issues · Dasharo/dasharo-issues · GitHub

1 Like
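The HAP-disable mentioned above is a strap bit in the Intel Flash Descriptor, which means it can be verified from a firmware dump after flashing. The following is an added example, not code from this thread or from the Dasharo or me_cleaner projects; it follows the descriptor layout documented by me_cleaner for Skylake and newer platforms (PCHSTRP0 bit 16) and assumes the descriptor sits at offset 0 of the dump. The sample image is constructed inline.

```python
import struct

IFD_SIGNATURE = 0x0FF0A55A  # Flash descriptor signature, stored at offset 0x10


def find_descriptor(image: bytes) -> int:
    """Return the base offset of the Intel Flash Descriptor, or raise."""
    if len(image) >= 0x20 and struct.unpack_from("<I", image, 0x10)[0] == IFD_SIGNATURE:
        return 0
    raise ValueError("no Intel Flash Descriptor found at offset 0")


def hap_bit_set(image: bytes) -> bool:
    """True if the HAP (High Assurance Platform) bit is set in PCHSTRP0.

    FLMAP1 (descriptor offset 0x18) carries the PCH strap base address (FPSBA)
    in bits 16..23, expressed in 16-byte units. PCHSTRP0 is the first dword
    of the strap region; bit 16 is the HAP bit on Skylake and later.
    """
    base = find_descriptor(image)
    _flmap0, flmap1 = struct.unpack_from("<II", image, base + 0x14)
    fpsba = base + ((flmap1 >> 12) & 0xFF0)
    pchstrp0 = struct.unpack_from("<I", image, fpsba)[0]
    return bool((pchstrp0 >> 16) & 1)


def build_sample_image(hap: bool) -> bytes:
    """Constructed 4 KiB descriptor-only image for demonstration purposes."""
    img = bytearray(b"\xff" * 0x1000)
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    struct.pack_into("<I", img, 0x14, 0)           # FLMAP0, not needed here
    struct.pack_into("<I", img, 0x18, 0x10 << 16)  # FLMAP1: FPSBA = 0x10 * 16 = 0x100
    struct.pack_into("<I", img, 0x100, (1 << 16) if hap else 0)  # PCHSTRP0
    return bytes(img)


def check_dump(path: str) -> bool:
    """Read a real SPI dump (e.g. from flashrom) and report the HAP state."""
    with open(path, "rb") as fh:
        return hap_bit_set(fh.read())


if __name__ == "__main__":
    for state in (False, True):
        print("HAP set:", hap_bit_set(build_sample_image(state)))
```

On a real board, dump the SPI flash with flashrom and pass the file to `check_dump`; a result of `False` after a HAP-disable attempt means the strap never got written.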

Thank you so much for the help again, it's really appreciated.

Is it possible to even run BIOS malware on a system that has Qubes? Surely the safety measures Qubes already has (assuming you're being responsible) prevent a ‘hacker’ from infiltrating your hardware. I was thinking of running a 13900K with a Z790-I motherboard and wouldn't particularly want to sacrifice smooth performance for something that is low threat.

Yes, it's possible, but the attacker would need physical access to the system.

Breaking into someone's home to backdoor their firmware is what I would consider a very high level attack, and it's far beyond what I spend my time worrying about.

Agree.

Sincere questions:

  • Is physical access (i.e. local proximity) really required?
  • What constitutes “assuming you're being responsible”?

Please ignore if these questions are just spreading FUD (not my intent).

Best

I guess it depends on the security settings; it's not unlikely you can flash it with access to dom0.

Thank you for your reply.
Understand if an adversary has control of dom0 it is “game over” anyway. @Nothing, for whatever it is worth, I trust @renehoj's assessments on Z690 with HAP-disabled ME.
If any of my comments introduced any fear, uncertainty or doubt, I sincerely apologize. I will watch the “Core boot new motherboards” discussion going forward… great question btw.

Best

By the way, if you would like to avoid ME entirely, there are still AMD options. The latest AMD-without-PSP is significantly more powerful than the latest Intel-without-ME, and there are AMD platforms supported by the open-source coreboot BIOS. Actually, we have been discussing one of them, Lenovo G505S, here: Lenovo G505s - #5 by mike_banon. Quad-core CPU, 16GB RAM, no PSP, works fine with Qubes (i.e. because IOMMU is functional with coreboot), and thanks to coreboot you can be sure there are no backdoors in BIOS.

  • If you would like an AMD-no-PSP coreboot-supported desktop, there are the similar-by-privacy-level ASUS A88XM-E (MicroATX, uses A10-6800K/A10-6700 CPU, working IOMMU) and ASUS AM1I-A (MiniITX with Athlon 5370/5350, but sadly the AM1I-A platform doesn't have IOMMU, which is important for Qubes).

  • If you would like a server, there is an awesome ASUS KGPE-D16 which can even be libreboot'ed (a higher level of freedom than coreboot: can run without ANY closed-source binaries at all), and can host up to 2 x 16-core Opterons like 6386SE and 192GB of RAM.

Our 3mdeb company has been working hard on bringing ASUS KGPE-D16 back to coreboot; see Thoughts dereferenced from the scratchpad noise. | KGPE-D16 open-source firmware status (1 year old, things are better now) and the Dasharo firmware ROMs here: Releases - Dasharo Universe

Not necessarily, because those ME/PSP provide remote access capabilities by design and have security holes which could be exploited. Btw, even the proprietary BIOS/UEFI can pose such a threat; see Computrace, BadBIOS, etc.

Therefore the open-source coreboot firmware, as well as the no-ME/no-PSP platforms supporting it (examples above), are really important for the truly secure computing people are trying to achieve here with QubesOS, but which isn't enough if alone…

3 Likes

How do you access ME remotely? I know it works with AMT, but how does it work with ME?

1 Like

https://forum.qubes-os.org/t/a-little-exercise-about-ime-for-fellow-tinfoil-hat-community-members/16337/17

I thought they were referring to something more concrete, maybe some actual evidence of some sort.

I wish I knew.

OK, I'm definitely confused. “AMT Enterprise eligible”?

Not trying to be a d!ck, really want to understand. Please educate me if/when you have time. Thanks @renehoj!

1 Like

There are 4 different types of vPro today. The two main ones are Essential and Enterprise; then there is a version for Chromebooks, and I believe the last one is for notebooks.

AMT with full KVM support is only available in the vPro Enterprise version.

Enterprise vPro I think I can grasp. But can you describe more about “Essential” vPro? Links welcome and appreciated.

Any idea what would be required to convert vPro Essential to vPro Enterprise? (Are hardware differences required?)

Thanks again.

12th gen vPro platform processor

The main difference between Essential and Enterprise seems to be Active Management Technology and Intel Standard Manageability. I couldn't find much info on ISM, but it seems a lot more limited, stuff like power-on timers and WOL.

I don't think you can use Enterprise without a vPro chipset like the Q670 for Alder Lake. I have the 12900K, which has Enterprise AMT, but I don't have the right chipset to use it.

1 Like