List:       qubes-users
Subject:    Re: [qubes-users] Qubes Security Bulletin #24 (Critical bug)
From:       Marek Marczykowski-Górecki <marmarek () invisiblethingslab ! com>
Date:       2016-07-26 23:21:30
Message-ID: 20160726232130.GO32095 () mail-itl

On Wed, Jul 27, 2016 at 01:13:29AM +0200, Achim Patzner wrote:
> > On 26.07.2016 at 19:42, Andrew David Wong <adw@qubes-os.org> wrote:
> > 
> > The updated requirements for Qubes R4.x-certified hardware are
> > explained here:
> > 
> > https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/
> > 
> > Although the requirements for Qubes-certified hardware are likely to
> > be more stringent than the minimum requirements
> 
> If
> 
> "Another important requirement we're introducing today is that Qubes-certified
> hardware should run only open-source boot firmware (aka "the BIOS"), such as
> coreboot. The only exception is the use of a (properly authenticated)
> CPU-vendor-provided blobs for silicon and memory initialization (see Intel FSP) as
> well as other internal operations (see Intel ME). However, we specifically require
> all code used for and dealing with the System Management Mode (SMM) to be
> open-source."
> is the minimum requirement, Qubes just put itself out of the game by being able to
> run on prehistoric hardware only (see coreboot's list of supported systems and
> CPUs) or being at the mercy of someone being able to provide a system with
> appropriate firmware support by twisting some of Intel's appendages. It's nice to
> demand free beer for everyone but you'll have to find someone providing it.
> Especially with Qubes hardware demands to be more than a fancy typewriter (unlike
> others I found 64 GB of memory and a sufficient number of CPU cores not to be
> wasted).

The above are requirements for Qubes-certified hardware, which are
intended for top-level security/compatibility. Not minimum system
requirements.

But in Qubes 4.0 we will also have revised minimum requirements,
especially a requirement for VT-x with EPT (or AMD equivalent). Previously
it was needed only for running HVMs (Windows in most cases). But this
shouldn't be a big issue in practice, as most high-end hardware today
has it.
More details:
https://github.com/QubesOS/qubes-issues/issues/2185

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
