To upgrade Insurgo Privacybeast to 4.1 or not?

Greetings fellow users,

I have searched these boards and all known reputable sources for an answer to this, but finally gave up and decided to post. Unfortunately, my question is fairly specific to the Insurgo Privacybeast, so my scope of people able to properly answer may be limited. In essence, I am just wanting to know the following:

  1. Should an Insurgo Privacybeast x230 that shipped with 4.0 be upgraded to 4.1? I am not very technical, but Id like to think I can follow instructions, and have read over the upgrade/backup steps in the upgrade guide here in preparation. Nothing seems too difficult about the process itself, but my fear is in all the fancy ninja business done by insurgo to elevate the laptop to its extremely secure status (heads, anti evil maid, the hotp usb dongle, etc) locking down every aspect of the software and hardware. To my very limited understanding, something as massive as a migration to a new qubes release could very understandably cause alerts/change notifications on boot or otherwise cause the computer to think something is wrong or has been attacked/tampered with. I guess this long winded paragraph just boils down to - if I should upgrade, how do I do so without breaking the added security the Privacybeast provides, and is there any “resealing” or steps for acknowledging the upgrade changes that need to be done to avoid problems and keep everything secure?

  2. Not strictly related to qubes, but hoping someone with a certified laptop like this could comment on this as well - Similar to the concerns above about upgrading qubes without breaking everything, how do you go about bios/driver updates to the system? I assume there is no way its as easy as just flashing the latest bios from a usb drive, but maybe I will get lucky and be wrong.

Many thanks to all who help, and sorry to take up your time with the lengthy questions, just want to be sure I worded them thoroughly to try to avoid any miscommunication.

1 Like

Insurgo has very good customer service, have you asked them?

That’s really the most appropriate place to be asking this, as it doesn’t really relate to Qubes specifically but more ancillary aspects of Insurgo’s security (still a valid question). Best to email them and return if that is fruitless.

According to the link below, yes:

In principle: yes. There are two ways:

a) in-place upgrade: will leave your drive encryption etc. in place, but is rather complex in nature and might present you with things you need to troubleshoot.

b) install from scratch: this requires an update of your heads/coreboot firmware as Insurgo themselves posted to qubes-users in October 2021

If you consider option a) you might want to give it a try. However PLEASE make sure you have a full backup BEFORE doing anything! If you are interested in option b) you could either try to build and flash a newer heads firmware yourself, or follow @KarlinQubes advice and contact Thierry. He does provide a lot of contact options on his main web page. It is likely that he is preparing a build and page with instructions for existing users.

I think you do not have a very clear idea of what it is Insurgo is doing, however it is very well described on his page – so I will not repeat it here. Bottom-line: it’s all about the early boot phase, the heads firmware and the attestation is provides. The Qubes OS you boot into is unchanged.

If you go with “a) in-place upgrade” all you have to do is to sign the new boot files, as you have to do anyway after almost every dom0 update. You should be familiar with this process by now.

If you do a firmware upgrade to support “b) install from scratch” you will need to reset the TPM and seed new secrets (not a big deal and can be done using the firmware’s UI).

That’s exactly how it works. You load the ROM file onto a USB drive and flash it from within the heads UI.

1 Like

@Sven @golden_jar56 @fsflover: Thanks for picking up this post faster then I could.
Insurgo here. Will try to participate in those Qubes related questions more and involve myself more as well in Qubes users communities, since those questions do not affect only Insurgo, but all Heads users.

I am trying my best to make this smoother for everyone using Heads, from a documentation perspective as well, but I’m quite overwhelmed from a user support request perspective recently.

But what needs to be clear for everyone using Heads as a pre-boot environement is that a manual firmware upgrade is needed (not to be upgraded from Heads flash GUI, but from command line) once to migrate from Legacy boards to Maximized boards.

I have made a blog post on my technical blog, which can be accessed from ZeroNet clearnet proxy over here. This is not directly Heads related (the upgrade is, and is documented over here), while not being directly linked to Qubes either, at least not directly.

From a documentation perspective, this is a bit of a mess. So maybe I will transform this forum post into a guide later on? The ideal would be to have this over GitHub with PRs so that community is involved into improving the documenting process. This Qubes upgrade situation is still complicated for some users, which is a bummer. Which is why the safest path is to backup, manual upgrade of firmware, clean install and restore needed qubes while discarding templates (and reinstalling software needed in template). Yes. this is a bit messy but totally outside of anybody control, unfortunately. Things change everywhere all the time. Qubes still requires a lot of maintenance skills from users (deploying new templates), while resintalling is always a good option from time to time, reestablishing trust in dom0 and used Templates, even more for new users who might have messed things up while they were learning. So… Yeah. I hope this is the benefit out of this learning process. (Signal having unsigned repositories under debian? Riot now being Element repositories? Software not being updated while users are not really knowing how to decode dom0 templates updates showing some errors while update still being successful? Things are messy for non-technical users. I think we all have to say: sorry for the bumpy ride.)

EDIT: on that last note @Sven @deeplow @Demi @marmarek @adw : I would really love to have your participation on this opened issue, this needs to be fixed one way or the other and it is a low hanging fruit requiring a bit of thoughts. Doing business-to-consumer is currently a really bumpy ride, even though it is clearly stated from Insurgo side that I am not responsible for maintaining their Qubes setup once it left my hands, maintaining/deploying software seems to be the most difficult task to accomplish from all non-so-technical users, which if untold, will mess their deployments. We need to come with a solution for users to properly install, be aware of updates, apply updates, restart their qubes and stay safe, without them constantly asking for support because they cannot follow instructions to install and maintain their systems themselves.

I also updated Heads installation guide of Qubes 4.1 over official Heads documentation website here.

I am not sure of the best way to document this better, being most of the time too technical in my explanations which loose non technical users. So any guidelines, re-appropriation of content, simplifications are welcome. I would like to use this opportunity to gather more participation from Heads users as well to make things easier/smoother for everyone.

So here again, any help/guidance welcome.

5 Likes

Hi @Insurgo,

Thank you for taking the time to reply to the post. I’ve read through your linked articles/guides and, unfortunately, it does look like the process would be beyond my capabilities. While I can stay on 4.0 for the time being, that is of course not viable in the long term, so I will have to find some working solution to make the upgrade possible.

I have no idea if its something you offer, or what the price would be, but is it possible to simply mail the PrivacyBeast back to you and pay to have you go through the upgrade process so I can be sure its done correctly? I have nothing on the system that needs to be saved or backed up, so the main and only priority for me is being sure all the securty and features remain in tact and that the system makes the jump to 4.1 in the most effective way possible.

If that is not an option, I am happy to test any in-development guides you have. I firmly believe I am probably your dumbest user, so if its a guide I can follow along with, its a safe bet it will work for everyone. Many thanks again for the reply

@Sven Can we really put this laptop in the Community-recommended list if it’s so hard to install 4.1? (I guess it should work for per-installed Qubes though). Perhaps we need to add a note to the table linking this thread.

@fsflover @golden_jar56 the perceived complexity needs to be addressed.

Installing Qubes 4.1 on the x230 have not got harder.

Unfortunately, manually upgrading the Heads firmware for users who previously had a x230 flashed with Heads is necessary to boot into Qubes 4.1 installer, where users deciding to upgrade from Q4.0 to Q4.1 will loose their Ethernet card until they also upgrade their Heads firmware.

For community users who flashed Heads with x230-hotp-maximized themselves before, they can upgrade from Heads directly, having the firmware image on a USB thumb drive.

For anyone else joining the party with x230/t430/w530, replacing Lenovo firmware with Heads actually got easier, while still requiring external initial flashing.

If you just bought a second hand x230, you can still install Qubes 4.1 from the Lenovo firmware following Qubes requirements (Activating Virtualization extensions [vt-x and vt-d]. Here again nothing changed.

2 Likes

@golden_jar56

The real problem here, unfortunately, is that shipping back and forth the unit won’t really help.
The received system, per re-ownership process, became exclusively yours, the end-user.

Upgrading the firmware will obviously result in changes in the firmware parts, resulting in TPM measurements changes, consequently requiring from the user to acknowledge that those changes came from his own actions.

Since I do not know (and do not need to know, nor want to know) user’s secrets, this “maintenance” needs to be done by the end user of the system, and requires resealing the TPM measurements and HOTP challenge with it’s own provisioned secrets. The process is documented at Step 4 - Installing Qubes and other OSes | Heads - Wiki, which should happen after Qubes 4.1 installation and before starting to use Qubes 4.1.

The goal here would be to simplify as much as possible the Heads firmware upgrade guide, so that everyone can be autonomous upgrading the firmware, now, and in the future.

As for any security components, firmware upgrades should not be a burden and the goal is to go there and have firmware upgrades pushed to the user in the future. We will get there, but are not yet there.

Until then, since the firmware is responsible of pre-boot security and initial state integrity validation (measured boot here), upgrading the firmware should be part of any good digital hygiene, even though firmware is still today dismissed as being an integral part of a system security (and upgraded as any other software in the system).

This is why I need some help there: to streamline the (scary at first) process of upgrading Heads firmware, for everyone to be able to follow, now and in the future.

1 Like

Hi Again @Insurgo

Yes, I am completely aware that I would have to share the passphrases in order for the shipping option to work. While not ideal of course, I think it is the best of the available options.

Lets break this down. Of the 3 possibilities (1.Trying to upgrade on my own, 2. Staying on 4.0 that the laptop shipped with, or 3. Sending it back to you with all necessary passphrases/secrets included) I genuinely feel option 3 poses the least risk. You are obviously trustworthy and while there is always the possibily of interception or compromise coming from the shipping part of the process, the likelihood of that is MUCH lower than the risk I would be taking by trying (and most probably failing completely) option 1 to perform the upgrade myself, and option 2 is already running a high risk as we speak, since things like whonix have already marked 4.0 as obsolete.

As proposed in my last comment, if you believe there is a “dumbed-down” guide releasing soon, I am happy to wait and test with that, but if it is going to be a collaborative project between yourself and members here, and encompasing everything from HEADS, to resealing to backing up, installing and upgrading Qubes, that may take substantial time to write. I guess a potential 4th option would be inquiring if you buy back previously shipped machines (obviously I wouldnt get the price I paid back, but would just want to add whatever extra amount was necessary to essentially trade it in for a new one that ships with 4.1 already installed) These options definitely are out of the ordinary, but I am just trying to be creative in finding a feasible solution to the problem that works for, and is within the capabilities of, everyone

It turns out someone seems to have taken a picture of me attempting to perform the upgrade. I have included it below.

well-theres-your-problem-rave-ho-idea-what-im-doing-memes-6922d79a742889c8-5b15224cbbb56389

This is not a real issue if you think about what the list is for: informing a purchase for a non-technical user. In this context there are only two scenario:

a) the user bought the laptop with R4.0 at which point it was certified and on the community list for R4.0 … and it just works

b) the user bought the laptop with R4.1 … same deal

Nothing in the list promises a “just works” upgrade experience. However, R4.0 users can run an in-place upgrade to R4.1 and that does not require a firmware upgrade.

I can also imagine Insurgo and NitroPad offering a service where you backup your data, wipe the machine and send it back to them. They could then “refurbish” the machine by installing R4.1 and go through the same process in sealing it and shipping it back to you just like a new purchase. Obviously they will charge for that service.

2 Likes

You are right about the new purchases of course. However, I was misled by this table assuming that if it’s certified, you can always install Qubes OS 4.1 without any workarounds. For this reason, I think, there should be a link to here from the table.

Also, just wanted to say a big thank you to Sven and FSFLover. Did not mean to neglect either you. I appreciate the input and advice you provided, and hopefully we can all get some sort of workable answer to this problem, as I am sure there are many in the exact same boat but dont want to reach out or are scared to do so. So thanks to everyone who is helping on this

@fsflover I am thinking about how to do this best without complicating the table and without linking to an actual discussion.

Instead I’d like to create an authoritative sentence or two about R4.1 introducing LUKS2 headers which in turn require a certain version of coreboot. This does apply to the certified laptops but also other laptops based on coreboot including Purism products.

1 Like

Done.

Much thanks to everyone for the help here. Do we have any idea on an easy to follow guide for this whole process, or exactly how this can be done by normal users? Perhaps this is more suited for @Insurgo , but I am grateful for any and all help

Bumping for visibility.

I don’t think it is specifically the LUKS2 headers that matter here, but rather the information used to unseal them.

Why does the command line need to be used for this? That seems like it could be handled automatically via a package of some sort. And what is the command that needs to be run?

Heads is a rolling release.

I would love more participation/review/comments, most importantly on the clarity of the documentation available at https://osresearch.net (where issues/PR happen under GitHub - osresearch/heads-wiki: Documentation for the Heads firmware project).

A pinned issue is opened at Issues · osresearch/heads-wiki · GitHub pointing to Document where to find/download latest CircleCI builds · Issue #88 · osresearch/heads-wiki · GitHub for users that do not want to build Heads themselves (Building Heads is another story altogether. Building issues are often opened because users want to build from so many different Linux distributions, where CircleCI builds on Debian-11 docker).

Fresh install of Qubes 4.1 is still the recommended path.

So basically @golden_jar56 @fsflover:

  1. Backup Q4.0 Qubes/Templates to external storage How to back up, restore, and migrate | Qubes OS
  2. Follow/comment Document where to find/download latest CircleCI builds · Issue #88 · osresearch/heads-wiki · GitHub to download latest ROM from github latest commit (applies directly to PrivacyBeast, without need to externally flash). Verify hashes.
  3. Download Q4.1 ISO and detached signature to ext3/ext4 formatted USB thumb drive. Integrity/authenticity validation of the ISO will be verified prior of launching the installer.
  4. Install Qubes Q4.1 following Step 4 - Installing Qubes and other OSes - Heads - Wiki
  5. Update dom0/Templates.
  6. Restore needed Qubes.
  7. Install additionally needed software under Templates.
2 Likes