Is it possible to enable UEFI Secure Boot in Qubes OS?

sebuq · November 25, 2020, 12:27am

Greetings to the entire Qubes OS community.

I would like to ask if it is possible to enroll my own signed keys and enable secure boot in Qubes OS. I successfully enable secure boot in other linux distros. But I think in the case of Qubes the situation is much more complicated. I use the Lenovo Thinkapd X260 everything works perfectly. I would like to know if anyone has successfully done the whole process. I read the guide about AEM but is not compatible with (U)EFI

Is it possible to enroll my own keys and enable secure boot or should I reinstall qubes and aem with legacy boot ?
Is there a clear guide for my case?

Considering that I am not an expert (I have a basic knowledge) or a developer.

Thank you

icequbes1 · November 25, 2020, 3:39am

UEFI Secure Boot is not supported in Qubes (as of R4.0, R4.1).

See “Is Secure Boot supported” section:

Jarrah · November 25, 2020, 10:45am

Secureboot on Qubes is quite a bit more complicated. See the work done
by osresearch at https://github.com/osresearch/safeboot/issues/21 for a
(non secureboot) example of why.

The core of the problem is that you need to verify the whole chain,
including config files, XEN, kernel, initramfs and LUKS headers. See
this issue for the full history:

In saying that, this doesn’t mean you can’t add your own keys and run
secureboot. Just that it is not a complete solution.

sebuq · November 25, 2020, 12:15pm

I read about the evolution of the process, but I think it is difficult compared to other software I have used in the past. I really do not want to lose the system. I think the safest way is to reinstall Qubes-legacy boot and install AEM. I will follow the suggestion of the developers.
Thank you.

qubicrm · November 25, 2020, 12:48pm

consider reading this:

especialy is usb devices is a relevant attack vector in your threat model.
For now you have to choose if the most relevant threat is an evil maid attack or a UBS device attack (badUSB).

Regards,

sebuq · November 28, 2020, 2:59pm

I reinstall Qubes OS (legacy boot), install AEM and follow the instructions from https://github.com/QubesOS/qubes-antievilmaid

I enabled txt in bios settings. I installed the right sinit and added to /boot

I reboot my laptop but I receive a message " PCR Sanity check Failed" and in journalctl i see an error. “anti-evil-maid-seal.service: Main process exited, code=exited, status=1/FAILURE”.

I read some discussions in qubes github page but I still cant find the reason for the errors and not starting AEM

sebuq · November 29, 2020, 7:09pm

I installed in /boot the sanity module recommended for my laptop but the message is still there. AEM failed to start. I followed exactly the aem guide but I think something goes wrong. The tboot README recently updated so there must be some changes. Or maybe I have to do changes to grub conf.