Boot Verification with TPM 2.0, without Anti Evil Maid (AEM)


TPM boot verification checks that the disk has not been swapped out for another imposter disk, that the disk cannot be booted on a different platform, and hasn’t been modified without permission by a physical access attack (something like a bad usb attack).

I have three issues to solve to get the last check mark green for HSI attestation (Global Config → This Device → Security Report).

  1. Qubes 4.2 on System 76 has an issue with right clicking on trackpad to move files between qubes and with ctrl-shift-c/v for copying and pasting the script into boot_verify.sh

Platform Configuration Registers

  2. I am wondering how to find the path/to/known_good_pcr_file as outlined in the kennethrrosen GitHub guide.

Replace /path/to/known_good_pcr_value with the path where you store the known good PCR value.

  3. How do I tell if the boot is ‘headless’
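As an added example (not the kennethrrosen guide's boot_verify.sh and not the poster's script): a known-good PCR file is not something that ships with the system, it is a tpm2_pcrread dump you save yourself from a boot you trust and compare later boots against. The PCR selection, the storage path and the use of tpm2-tools are assumptions here; adjust them to your platform.

```shell
#!/bin/sh
# Added example, not the guide's boot_verify.sh. Assumes tpm2-tools (tpm2_pcrread);
# the PCR selection and the storage path below are assumptions for your platform.
PCR_SEL="sha256:0,1,2,3,4,5,7"
KNOWN_GOOD="${KNOWN_GOOD:-/var/lib/boot_verify/known_good_pcr_values}"

# There is no pre-existing known-good file: you create it once, from a boot you
# trust (e.g. right after install), and protect it like any other secret.
capture_known_good() {
    mkdir -p "$(dirname "$1")"
    tpm2_pcrread "$PCR_SEL" > "$1"
    chmod 0400 "$1"
}

# Compare a known-good tpm2_pcrread dump ($1) with a current one ($2).
# Prints each mismatching PCR; returns 0 only when every PCR matches.
compare_pcrs() {
    [ -s "$1" ] || { echo "known-good file '$1' missing or empty" >&2; return 2; }
    [ -s "$2" ] || { echo "current PCR dump '$2' missing or empty" >&2; return 2; }
    awk '
        # Only "<index> : 0x<hex>" lines count; bank headers such as "sha256:" are skipped.
        /^[[:space:]]*[0-9]+[[:space:]]*:/ {
            gsub(/[[:space:]]/, ""); split($0, kv, ":"); val = tolower(kv[2])
            if (NR == FNR) { known[kv[1]] = val; next }
            seen++
            if (!(kv[1] in known)) { printf "PCR %s: absent from known-good file\n", kv[1]; bad = 1 }
            else if (known[kv[1]] != val) { printf "PCR %s: expected %s got %s\n", kv[1], known[kv[1]], val; bad = 1 }
        }
        END { if (!seen) { print "no PCR values in current dump"; bad = 1 }; exit bad }' "$1" "$2"
}

# Read the live PCRs into a temp file and compare against the stored known-good values.
verify_current_boot() {
    current=$(mktemp) || return 2
    tpm2_pcrread "$PCR_SEL" > "$current"
    compare_pcrs "$KNOWN_GOOD" "$current"; rc=$?
    rm -f "$current"
    return "$rc"
}

case "${1:-}" in
    capture) capture_known_good "$KNOWN_GOOD" ;;
    verify)  verify_current_boot && echo "PCRs match the known-good values" ;;
esac
```

Run `boot_verify.sh capture` once from a boot you trust, then `boot_verify.sh verify` on later boots; a non-zero exit with the mismatching PCR index tells you which stage of the boot chain changed.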