quantum
December 25, 2023, 5:05pm
More of a comment than a concern. I installed 4.2.0 on two different computers, a Xeon and an i7, and just realized secure boot is enabled on both (no TPM). Didn’t expect that to be possible.
Interesting, it seems not to be (fully?) implemented yet:
opened 12:57PM - 04 Oct 18 UTC
T: enhancement
help wanted
C: other
security
P: default
According to the secure boot specification, users can enroll their own keys for secure boot.
If the QOS bootloader were signed, users could manually enroll the signing key within the UEFI. That would be a better anti evil maid system since it doesn't require the use of potentially untrusted USB keys.
Since dom0 doesn't contain any 3rd party applications, we can enforce code signing on anything that runs within it.
[This](https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html) blog post mentions secure boot being problematic due to running CA's etc but providing the user with a public key they can enroll manually would be doable.
Edit: I'm aware the developers are generally not very fond of secure boot. Could anyone explain why?
Alternatively a TPM could be used to unseal the drive encryption key.
> - Pre-OS firmware components are hashed (measured)
> - Measurements are initiated by startup firmware (Static CRTM)
> - Measurements are stored in a secure location (TPM PCRs)
> - Secrets (encryption keys) are encrypted by the TPM and bound to PCR measurements (sealed)
> - Can only be decrypted (unsealed) with same PCR measurements stored in the TPM
> - This chain guarantees that firmware hasn't been tampered with
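The measure-then-seal chain quoted above, as an added toy model that is not code from the original thread, from Qubes OS, or from any TPM library. It reproduces the two properties the list relies on: PCR extend is one-way and order-dependent, and a secret sealed to a PCR value can only be unsealed when the same measurements are replayed. The sealing scheme (keys derived from the PCR digest, encrypt-then-MAC with SHA-256) and the sample boot chain are assumptions made for illustration; a real TPM keeps the key inside the chip and enforces the PCR policy there rather than deriving a key from the PCR.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# A PCR in the SHA-256 bank starts as 32 zero bytes at reset.
PCR_INIT = b"\x00" * 32


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new_pcr = H(old_pcr || H(measurement)).
    Extend is one-way and order-dependent, so a PCR value can only be
    reproduced by replaying the exact same sequence of measurements."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot_chain(components: List[bytes]) -> bytes:
    """Model the CRTM measuring each pre-OS component into one PCR."""
    pcr = PCR_INIT
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def _kdf(pcr_digest: bytes, label: bytes) -> bytes:
    # Toy KDF (assumption for this model): keys are derived from the PCR value,
    # which is what binds the sealed blob to one specific boot measurement.
    return hashlib.sha256(b"toy-seal|" + label + b"|" + pcr_digest).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # SHA-256 in counter mode, enough bytes to XOR over the secret.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(secret: bytes, pcr_digest: bytes) -> bytes:
    """Encrypt-then-MAC the secret under keys bound to the given PCR value."""
    nonce = os.urandom(16)
    enc_key = _kdf(pcr_digest, b"enc" + nonce)
    mac_key = _kdf(pcr_digest, b"mac" + nonce)
    ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, len(secret))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(blob: bytes, pcr_digest: bytes) -> Optional[bytes]:
    """Return the secret only if the current PCR value equals the one used to
    seal it; any other measurement yields different keys and the MAC fails."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = _kdf(pcr_digest, b"enc" + nonce)
    mac_key = _kdf(pcr_digest, b"mac" + nonce)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # PCR mismatch: the firmware chain differs from sealing time
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


# Constructed sample boot chains (labels only, not real firmware images).
GOOD_CHAIN = [b"CRTM v1", b"UEFI firmware 1.0", b"Xen + bootloader"]
EVIL_CHAIN = [b"CRTM v1", b"UEFI firmware 1.0 (modified)", b"Xen + bootloader"]


def demo():
    """Seal a disk key to the good chain, then try to unseal under both chains."""
    pcr_good = measure_boot_chain(GOOD_CHAIN)
    blob = seal(b"disk-encryption-key", pcr_good)
    same = unseal(blob, pcr_good)                        # -> the key
    tampered = unseal(blob, measure_boot_chain(EVIL_CHAIN))  # -> None
    return same, tampered


if __name__ == "__main__":
    same, tampered = demo()
    print("same measurements:", same)
    print("tampered firmware:", tampered)
```

The point the model makes visible is that the TPM never verifies firmware against a signature the way secure boot does; it only guarantees that a secret sealed under one set of measurements stays unreadable under any other. A modified component changes the PCR, so the unseal fails and the disk key is never released, which is the detection signal anti-evil-maid schemes build on.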