Installing Qubes in a Chromebook?

Thanks so much for the explanation. So it seems a bit involved for a non-technical user but if someone managed to do the installation for the user then the perks should be pretty nice. Among other things, the relatively reduced price and portability.

If you have the bandwidth for that I think it could pave way for some more potentially affordable / lightweight Qubes setups :slight_smile:.

Indeed! :smiley: (related Qubes for at-risk populations)

1 Like

I was thinking about an Alpine Linux template VM? This would bring a whole new life to the Chromebook coreboot Qubes thing.

2 Likes

A Qubes “Light” edition. Perhaps the minimal templates compare to Alpine?

1 Like

I will test and report over this weekend :slight_smile:

1 Like

An Alpine Linux template would be wonderful. Please ping me if you ever get one working.

1 Like

I’m not sure the protection extends to non-CrOS installations.

My understanding is the screw (available on older models only) protects the CrOS firmware, but when you remove the screw to install another OS, this protection vanishes; possibly forever.

However I’d love for this to not be the case, so please let me know if you have evidence to the contrary.

Not technically trained; consume advice with salt.

@deeplow Not sure if this should go in the split thread or stay here, since what I’m replying to is here.

1 Like

Yep, sad but true.

I played around with flashrom on a Fedora clean install and flashrom can’t read the chip, but only due to a “booting up state” ME. Some regions should be writable, but that is definitely beyond my knowledge. Tinkering with flash layout regions.

With an external programmer like the CH341A I could read/write the BIOS, with and without the screw. But that’s in my opinion dispensable, because if someone has the time to open up the bottom with ~12? screws and use a hardware programmer, then the last WP screw will be no problem.

I will correct that. Thanks for clarifying that.

1 Like

Nonetheless, a “how to install on chromebook” could be interesting as a separate thread, since this is the HCL Reports thread. Or do you disagree? Yes, it’s sad that the write protection will not work after flashing coreboot, but there are other good points for using a chromebook.

I don’t disagree–there’s just one less point for installing Qubes on Chromebooks.

The pre-installed Coreboot is still a very big argument for it, though. I have yet to confirm that ME is removed, but Coreboot is definitely installed on all recent Chromebooks. Does Coreboot imply that ME is removed? Since ME is a separate OS, I’m not sure.

Not technically trained; consume advice with salt.

You should look up the me_cleaner project. As I understand it, they analyze the ME firmware and start to delete different regions of the ME partition layout. So it’s still there, but in a crippled state. So it’s not fully functional.

In my opinion every step towards open source and more user-controlled hardware is the right step. Not a chromebook fanboy, and I don’t say that this is the future, but what are the alternatives? HP with a completely HP-controlled Sure Start protected BIOS? Lenovo with China BIOS? Or Dell (we all know the best friend of Dell)?

You can compile Coreboot with the option to “clean” the Intel ME region; from my understanding they also rely on the me_cleaner project.

I understand, but what I’m getting at is this: I haven’t seen any indication that installation of Coreboot entails deactivation of ME. Yes, there’s an ME Cleaner out there (though for a limited range of processors, if my memory serves me well), but this doesn’t answer the question of whether Chromebooks have an active ME.

Does Coreboot’s presence entail ME’s absence?

I’m a bit troubled by Google’s privacy issues, but I have a high opinion of CrOS, especially its secure boot feature.

I’m sorry, but I guess I don’t understand your question. Do you mean “if coreboot is flashed, will the ME be removed by default?”?

I don’t think so. The ME is hardware-integrated and checks the CPU state with a signed key. I guess even Google can’t change that.

OK, I will try it again ^^

If you compile coreboot yourself, the me_cleaner script can be applied as an option.

Neutralizing the ME
A collaborative effort to neutralize the ME has found some success, see here. This tool has been included in coreboot and can be enabled with the option “Strip down the Intel ME/TXE firmware” (CONFIG_USE_ME_CLEANER).
This can free up most of the space used by ME, allowing you to use a larger CBFS. See here.

The me_cleaner script depends on the ME firmware version; it is not CPU specific. Just FYI :slight_smile:

I guess they have. But the only way to find that out is to dump the original Chromebook firmware and look for an ME region. But since the ME is integrated in nearly any Intel CPU, I would bet it’s present also on regular chromebooks with CrOS.

1 Like
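One way to make the “dump the firmware and look for an ME region” check concrete. This is an added example, not code from the thread or from the me_cleaner project: it decodes the Intel flash descriptor of a SPI dump (the region table pointed to by FRBA, where the ME is region index 2) and then looks for the ME partition-table marker “$FPT” at offset 0x10 of that region. The 64 KiB sample image is constructed inline and is not a real Chromebook dump.

```python
import struct

FD_SIGNATURE = b"\x5a\xa5\xf0\x0f"  # 0x0FF0A55A little-endian, at offset 0x10 of the descriptor
REGION_NAMES = ("Descriptor", "BIOS", "ME", "GbE", "PDR")  # FLREG0..FLREG4 order

def flreg_to_range(flreg):
    """Decode one FLREG entry into (start, end) byte offsets; None if the region is unused."""
    start = (flreg & 0x7FFF) << 12
    end = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
    return (start, end) if start <= end else None  # unused entries encode base > limit

def find_regions(image):
    """Return {name: (start, end)} for every region the flash descriptor defines."""
    if len(image) < 0x20 or image[0x10:0x14] != FD_SIGNATURE:
        raise ValueError("no Intel flash descriptor at offset 0x10")
    flmap0, = struct.unpack_from("<I", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4  # flash region base address
    if frba + 4 * len(REGION_NAMES) > len(image):
        raise ValueError("region table lies outside the image")
    regions = {}
    for idx, name in enumerate(REGION_NAMES):
        flreg, = struct.unpack_from("<I", image, frba + 4 * idx)
        rng = flreg_to_range(flreg)
        if rng is not None:
            regions[name] = rng
    return regions

def me_status(image):
    """'absent' if no ME region is defined, 'present' if it carries a partition table, else 'empty'."""
    regions = find_regions(image)
    if "ME" not in regions:
        return "absent"
    start, _ = regions["ME"]
    # ME firmware begins with a partition table whose "$FPT" marker sits 0x10 bytes into the region
    return "present" if image[start + 0x10:start + 0x14] == b"$FPT" else "empty"

def build_sample_image(with_me=True):
    """Constructed 64 KiB image (not a real dump): descriptor + BIOS regions, optionally an ME region."""
    img = bytearray(b"\xff" * 0x10000)
    img[0x10:0x14] = FD_SIGNATURE
    frba = 0x40
    struct.pack_into("<I", img, 0x14, (frba >> 4) << 16)  # FLMAP0 with only the FRBA field set
    regs = [(0x0000, 0x0FFF), (0x8000, 0xFFFF), (0x1000, 0x7FFF) if with_me else None, None, None]
    for idx, rng in enumerate(regs):
        val = 0x00007FFF if rng is None else (rng[0] >> 12) | ((rng[1] >> 12) << 16)
        struct.pack_into("<I", img, frba + 4 * idx, val)
    if with_me:
        img[0x1010:0x1014] = b"$FPT"
    return bytes(img)
```

On a real dump (e.g. one read back with flashrom) call `me_status(open("dump.bin", "rb").read())`; an “absent” result only means the descriptor defines no ME region, not that the ME silicon is inactive.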

I might have conflated disabling with removing.

It might be true that Google disables ME (but doesn’t remove it), but I have yet to see documentation that shows this. This is why I also find your quoted point less-than-accurate.

Edit: I meant to say that it’s not clear whether Google disables ME. One surefire way to confirm this is if Coreboot installation wipes/disables ME, which is why I’ve been repeating this point. Sorry for the lack of clarity.

I could make a tutorial if anyone is interested. Maybe then I have a reason to buy the Acer Chromebox ^^

I think being able to disable ME and run Coreboot would be particularly interesting with some of the high end Chromebooks, all with 16 GB RAM, at least 256 GB SSD and, most critically, CPUs that support VT-d:

  • Google Pixelbook Go (i7-8500Y)
  • HP Elite c1030 (i7-10610U)
  • Asus Flip C436 (i5-10210U)

IF these can be made fully user-controlled, they could be the solution.

2 Likes

I know I am still owing that (series) of blog posts on debian-minimal based qubes. As soon as I have slayed a professional dragon I wrangle with currently I will write it – promise.

My point: we already have an ultra light-weight approach: debian-minimal! My Qubes system is fully functional, doing probably a lot more than the average install, but most of my sys-VMs for example clock in at less than 200 MB. sys-net at 250 MB and sys-usb at 300 MB (to make the camera work).

The average app qube comes in at 400 MB. The only “monster” I couldn’t tame yet is firefox-esr, which needs at least 1.5 GB if you have multiple tabs open with some JavaScript enabled. Not sure this can be improved much.

1 Like

I’m still playing with a usable minimal-template setup. But the debian-minimal, fedora-minimal and fedora-xfce templates look promising.

2 Likes

Hi @Sven, a big thank you for pointing me to the possibilities which come with the minimal templates. That’s insane. Even for a powerful workstation, using the minimal templates makes sense. That’s sexy… :smiley:

1 Like

I did some quick reading on the issue of ME on Chromebooks and it turns out things aren’t as clear. As late as 2017, people on the CrOS team were quoted as saying they wanted to remove ME due to ME vulnerabilities discovered by Google at the time, but there has been no follow up to this AFAIK. Lots of unsubstantiated comments saying that it’s been removed/disabled, but never actual sources. Possibly marketing. Would like to see proof that this wasn’t just talk.

Mr. Chromebox, who is apparently a CrOS firmware specialist who has written guides to purging ME from Chromebooks and offers both source code and services to do so, wrote:

  • All Intel-based Chromebooks have an active (albeit minimized) ME
  • All Intel-based Chromebooks disable any OS interaction with the ME by disabling/hiding the PCI interface during firmware init
  • It’s possible to further disable/neuter the ME on Intel-based Chromebooks using ME Cleaner; however, this doesn’t completely eliminate the attack vectors described in some of the recent CVEs

All-in-all, it seems that, while ME isn’t removed from Chromebooks, and isn’t technically disabled either, Google has put it in a minimized state (as of 2017) that might mitigate some of the risks it poses. At the same time, even using ME Cleaner on Chromebooks wouldn’t completely disable/neuter it, and some attack vectors described in 2017 would still persist. I doubt that things have changed for the better since then.

Your earlier claim that Chromebooks have ME “disabled” is therefore likely to be factually incorrect.

2 Likes