How can I harden the security of QubesOS Qubes? (i.e. TPM, XSM, etc.)

Hello, I want to run potential malware in a Windows HVM. Normally, before QubesOS, I would set up a VM with secure boot and swtpm to help prevent malware from compromising the low-level components of the VM, making breaking out harder. However, as I try to set up my Qube, I am finding that Xen doesn’t support secure boot. This makes it a bit harder. How do I go about hardening the HVM such that I can trust that, even if the kernel gets compromised somehow, malware is still going to have a tough, if not impossible, time breaking out and compromising other Qubes or even dom0?

I bring up TPM and XSM as I see them as a potential jumping-off point to help with hardening a Qube, but I don’t know how to set them up.