I was reading the Qubes OS whitepaper (Version 0.3, by Joanna Rutkowska, January 2010) and it caught my attention that during the boot process, some of the security guarantees of Qubes OS rely on something called Intel TXT (trusted execution tech).
I would like to know, if this Intel TXT, and the protections that it provides for secure boot, is also available for devices that are corebooted and that are Intel-ME-cleaned.
I can’t tell you anything about the TXT, but you can see that some machines with Coreboot and neutralized ME run Qubes OS flawlessly:
Thanks for the link. I had seen that thread before.
However, as I am not as technically-literate in these topics, I don’t understand what “runs flawlessly” entails:
does it mean that Intel TXT is still present and does its thing in a corebooted/intel-ME-cleaned Qubes OS machine;
or, does it mean that corebooted and intel-ME-cleaned Qubes OS skips using Intel TXT during the boot, not entering into a fail mode per se, but continuing its boot while sidestepping and not utilizing Intel TXT and such secure boot protections as outlined in the whitepaper mentioned above?
I am not completely sure, but I think intel TXT is dependent on intel ME functionality.
But I also think you can have coreboot and intel ME
The machines above that can be flashed with heads firmware have the option to keep or deactivate/neuter intel ME
even if you keep intel me, txt still won’t work (some motherboard can flash coreboot and still keep txt fully functional)
I don’t understand whether what Heads does uses Intel TXT or just similar to TXT. It uses the TPM in a way TXT is described to do, but is that the same as saying it uses Intel TXT?
That’s what I want to know for sure, too. I have seen some posts hinting at that, but haven’t seen a definittive post that says, “If you coreboot and use the intel-me-cleaner tool, you won’t get the Intel TXT functionality during the booting of Qubes OS.”
Do we have a table showing which motherboards work with that and which don’t?
Good question. What about SeaBIOS? I think my thinkpad x220 has coreboot with SeaBIOS instead of HEADS.
Bumping my own thread for the lack of a clear answer on whether the Intel TXT protection during boot as explained in the Qubes OS whitepaper (V. 0.3, Rutkowska, January 2010) still functions for laptops (specifically Thinkpad X220 i5-2520M, let’s say) that are Coreboot’ed and got their Intel ME cleaned (via Intel-ME-cleaner tool).
coreboot does not provide TXT support for x220 or x230 - regardless of
me_cleaner status.
So is this specific to the x220/x230 models? Are there any other brand/models that coreboot provides TXT support?