Intel gen 14th+ (Meteor Lake) strong dependencies against ME/CSME (s0ix requiring ME, s3 deprecated, ME not HAP disabled)
Opened this issue · 6 comments
There seems to be a confusion from community around possibility of getting Clevo laptops with unfused bootguard keys and being able to flash custom firmware on those Clevo laptops. Clarify that Clevo laptops have unfused bootguard keys only if ordered through Novacustom bulk orders from Clevo to be rebranded and distributed with Dasharo firmware.
EDIT:
ME/CSME is now required (cannot be disabled) to obtain S0ix sleep state. S3 is not possible on newer Intel platforms.
So user has to switch ME on to suspend (sleep), or accept that no sleep is possible. Note that hibernation is not possible on QubesOS (Xen). So this means important change on UX.
This is true on Intel gen 13+, ie NovaCustom V56 14th Gen, amongst others.
This proved to be wrong statement, not so late after QubesOS mini-summit 2024, it was proven that Novacustom V56/Nitropad V56 Intel CPU gen 14th CAN do S3 still. So this problem is reported for next gen, CSME/ME not required for sleep YET.
Edit: unsure as of now see next comment...
Seems like s3 cannot be set nor ME HAP bit enabled to disable ME on v560ty/v540tu per @mkopec comments under #1871
- S3 not preferred: #1871 (comment)
- HAP not enabled: ME not disabled: #1871 (comment)
"Clarify bootguard key fusing and update platforms limitations" will be seperate issue once we have to cross that bridge, no point doing prevention/documenting unknowns for the moment (i'm asked to be less verbose and told i'm off topic: letting go).
There seems to be a confusion from community around possibility of getting Clevo laptops with unfused bootguard keys and being able to flash custom firmware on those Clevo laptops. Clarify that Clevo laptops have unfused bootguard keys only if ordered through Novacustom bulk orders from Clevo to be rebranded and distributed with Dasharo firmware.
ME disablement/s3 was not considered a "Business oriented" discussion up to now even if flagged raised back to QubesOS mini-summit directly with stakeholders. Waiting for updates from the "business" side of things.
Heads never supported ME enabled platform up to now.
Heads never supported ME enabled platform up to now.
Looking at the Intel's approach to S3, it is rather a matter of when not if this changes, unless this will be a hard blocker of supporting new platforms.
Heads never supported ME enabled platform up to now.
Looking at the Intel's approach to S3, it is rather a matter of when not if this changes, unless this will be a hard blocker of supporting new platforms.
@macpijan the point is that we are not there yet.
Also, it will then be a documentation problem. If and when s3 is totally deprecated, and ME is needed for s01x (which QubesOS doesn't support yet, btw) then there will need to be a documentation and/or toggle under Heads giving choice to the user between s01x/ME being disabled. That binary choice will need to be taken by the user, and the user configuring his laptop power saving settings to poweroff, or Xen having to support hibernation... as any other OS out there offering the option.
But we are not there yet, aren't we? In all case, if ME can be disabled, it will be the default under Heads, and hopefully as an open source community pushing for what should be used, we will switch away of Intel to something else and focus on the alternatives more intensely. If we know it will happen in the future, maybe we should work on this today. Can somebody explain me why I would want my computer to always be awake again? If this is the case, I will power it off, which is recommended opsec anyway outside of roaming from outside the house to inside the house and when laptop is in physical presence, otherwise it should be powered off. My 2 cents.
Note to everyone lurking into this issue: we are not there yet and v506tu/v540tu will not have ME enabled, and supports s3. Its a question of adapting the configurations before #1821 under #1846 based on #1871 per @mkopec
Ref #1846 (comment)
ME is now disabled and S3 is enabled and functional: #1846 (comment)
As I mentioned elsewhere, it's not supported by Intel so if it breaks with some update to silicon or fw there's a good chance they won't fix it (that's what happened with Tiger Lake), but right now it seems to work well