Why does Qubes support mostly Intel Computers (which have ME)

Have you found any good research about possible backdoors in Apple silicon?

Apple hardware? For “privacy” and “security”? :joy_cat: :rofl:

Go back to your iPad. We do serious computing here.

ARM is spyware garbage, as is modern x86 and pretty much everything else made in the past 10-15 years. I recommend you look into RISC-V and OpenPower instead; that’s the closest we have to “clean” hardware right now, although both are still far from ideal.

The Triangulation malware was using a suspicious “hidden feature”

If we try to describe this feature and how the attackers took advantage of it, it all comes down to this: they are able to write data to a certain physical address while bypassing the hardware-based memory protection by writing the data, destination address, and data hash to unknown hardware registers of the chip unused by the firmware.

Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or that it was included by mistake. Because this feature is not used by the firmware, we have no idea how attackers would know how to use it.

https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/

Thank you for your reply :+1:

So you don’t even recommend using Qubes-certified laptops (coreboot + disabled ME)?

In case it is still the best option available at the moment, which one would you recommend between the StarBook 14-inch – Star Labs® and https://shop.nitrokey.com/shop?&search=nitropad, which has tamper detection through measured boot with a Nitrokey USB key?

Could you point me to some RISC-V and OpenPower solutions already available to the public?

One last OT question: what do you think about Google Pixel phones with GrapheneOS?

Thank you again

P.S.: About the old ThinkPad, at this link (Introduction to Apple Silicon · AsahiLinux/docs Wiki · GitHub) they say:

“This puts them (Apple silicon) somewhere between x86 PCs and a libre-first system like the Talos II in terms of freedom to replace firmware and boot components; while a number of blobs are required in order to boot the system, none of those have the ability to take over the OS or compromise it post-boot (unlike, say, Intel ME and AMD PSP on recent systems, or the DMA-capable chips on the LPC bus running opaque blobs that exist on even old ThinkPads (Technoethical X200 laptop | RYF)).”

The Talos II mentioned in the quote is an OpenPower machine that is available (but not for a nice price):

A good working RISC-V implementation (above Raspberry Pi performance level, that is) is still not to be found. Besides … not everything is well made just because it relies on open intellectual property. You could still build a bad design with it.

Concerning Apple … while they are more towards open boot with their Apple silicon machines for now (iPads or iPhones aside), they are as “open doors and windows” as x86 is, e.g.:

Don’t forget those ones either:

What about that NVMe controller? What about that NIC? What about that Wi-Fi card? (Atheros is considered “blob-free”, but that doesn’t mean it’s free of proprietary firmware.) What about … you name it. Etc.

If you have ME disabled and a GPG-signed boot environment like Heads, you have made a huge step forward in a certain area. But you are not safe in a broader sense. You have just disabled one (rather hefty) security flaw and gained some control.

Thank you, man! :heart:

And what about GrapheneOS, if I may take advantage of you? :sweat_smile:

Again: it depends on whom you like to trust and what your concern is. First and foremost, it’s as de-googled as it can get (like Lineage mini). Second: it relies on a single app store (F-Droid). It is heavily patched under the hood. It gets upstream security patches faster than anything else. The dev is well known and some of his code made it upstream. (Couldn’t be that bad.) The source is published.

But then … it relies on specific hardware. Much more than Lineage, e.g.

So again, whom do you trust? (Me?) Maybe the attack surface for your individual needs and threat scenario is smaller on a Nokia C5 without cam and microphone (de-soldered), using a wired headset, disregarding any software aspects.

Thanks again, man :heart:

It all depends on how far you want to take it. You gain expenses and lose convenience the further you get to “true 100% privacy and security”. The stuff Qubes recommends is among the best you can get when it comes to x86, but it’s still x86, and unless you’re working with 10+ year old hardware, you’re going to have intentional backdoors.

I would recommend a Qubes certified system if you must have x86. In fact I’m in the market for one myself at the moment because I specifically need Qubes.

@OvalZero beat me to the Talos II, but the Lichee Console 4A is a promising RISC-V laptop. They have other form factors too.

I’d still prefer a 4G router plugged into an old laptop. GrapheneOS is nice, but the hardware is still Google. You can’t de-google the hardware, only the software.

Thank you so much, Quben, for taking the time to answer me. I really appreciate your answer :pray: :heart:

Are there any studies citing IME and PSP spyware?