Installing Qubes in a Chromebook?

I’m still playing with a usable minimal-template setup. But the debian-minimal, fedora-minimal and fedora-xfce templates look promising.


Hi @Sven, a big thank you for pointing me to the possibilities which come with the minimal templates. That's insane. Even for a powerful workstation, using the minimal templates makes sense. That's sexy… :smiley:

I did some quick reading on the issue of ME on Chromebooks and it turns out things aren’t as clear. As late as 2017, people on the CrOS team were quoted as saying they wanted to remove ME due to ME vulnerabilities discovered by Google at the time, but there has been no follow-up to this AFAIK. Lots of unsubstantiated comments saying that it’s been removed/disabled, but never actual sources. Possibly marketing. Would like to see proof that this wasn’t just talk.


Mr. Chromebox, who is apparently a CrOS firmware specialist who has written guides to purging ME from Chromebooks and offers both source code and services to do so, wrote:

  • All Intel-based Chromebooks have an active (albeit minimized) ME
  • All Intel-based Chromebooks disable any OS interaction with the ME by disabling/hiding the PCI interface during firmware init
  • It’s possible to further disable/neuter the ME on Intel-based Chromebooks using ME Cleaner; however, this doesn’t completely eliminate the attack vectors described in some of the recent CVEs

All in all, it seems that, while ME isn’t removed from Chromebooks, and isn’t technically disabled either, Google has put it in a minimized state (as of 2017) that might mitigate some of the risks it poses. At the same time, even using ME Cleaner on Chromebooks wouldn’t completely disable/neuter it, and some attack vectors described in 2017 would still persist. I doubt that things have changed for the better since then.

Your earlier claim that Chromebooks have ME “disabled” is therefore likely to be factually incorrect.


I hope I do not add just noise to the discussion:

Every Intel CPU has another smaller CPU running MINIX (as far as we think we know). That is impossible to remove as it is in the silicon.
There are several ways to try to “disable it”.
One way is to set the HAP bit, telling it to gracefully shut itself off.
The other way is to remove some parts of the firmware in the SPI flash. On newer hardware, I think the proportion of the firmware that can be deleted is increasingly smaller.
Of course, the capabilities remaining after any of these procedures are clearly unknown to users.