Measured boot without vPro?

Hi all,

AEM requires TXT. Is there a way to have a working, secured measured boot without TXT/AMD SKINIT? Anyway, TXT requires me to trust the BIOS, and the same goes for mechanisms like UEFI Secure Boot; at least the CRTM is supposed to be read-only, while SMM, AFAIK, doesn’t have that recommendation/requirement?

Alternatively, is there a way to force enable TXT on non-vPro chipset?

I had actually asked a similar question before, but now I realize I XY-problemed myself. I am still talking about the same computer though: B760/TPM2 (fTPM)/UEFI.

I remember I saw somewhere on the qubes-issues GitHub tracker that safeboot would be integrated; would combining that with tpm2-totp provide a reasonably secure measured boot solution?

Small edit: Threat model: I want to protect myself against my dual-booted Windows attacking the Qubes install. My threat model does not include firmware reflashing that is obviously insane, such as Equation Group-style HDD firmware reflashing. It only includes threats, including limited firmware reflashing, that are plausibly generalizable, such as BIOS/UEFI firmware reflashing, where an attacker could try to (e.g.) inject into DXE and compromise the bootloader (and everything goes downhill from there).
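To make concrete what the safeboot + tpm2-totp idea from the OP relies on, here is an added toy model (example code written for this thread, not code from Qubes OS, safeboot or tpm2-totp): firmware extends measurements of each boot component into TPM PCRs, a secret is sealed to the resulting PCR values, and a TOTP code is derived from the unsealed secret so the user can check it against their phone before typing a disk passphrase. If the other OS replaces the loader measured into PCR4, the PCR state no longer satisfies the sealing policy, the secret does not unseal, and no valid code is shown. All component names and measurements below are constructed, the sealing is a simplified stand-in for TPM2_PolicyPCR-bound objects, and the TOTP secret is the RFC 6238 test vector.

```python
"""Toy model of TPM measured boot with a PCR-sealed TOTP secret (tpm2-totp idea).
Added example; every measurement here is constructed, not a real firmware value."""
import hashlib
import hmac

PCR_BANK_RESET = bytes(32)  # SHA-256 bank: PCRs 0-16 start as all zeros at power-on

# Constructed event log standing in for what a hypothetical firmware measures into
# PCR4 (boot managers / OS loaders) and PCR7 (Secure Boot policy state).
GOOD_CHAIN = {
    4: [b"shim.efi build A", b"grub.efi build A", b"xen.efi build A"],
    7: [b"SecureBoot=1", b"PK/KEK/db enrolled set A"],
}


def pcr_extend(current: bytes, event_data: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for one bank: new = H(current || H(event))."""
    return hashlib.sha256(current + hashlib.sha256(event_data).digest()).digest()


def replay_pcrs(chain: dict) -> dict:
    """Replay an event log to obtain the final PCR values, as the TPM would hold them."""
    pcrs = {}
    for index, events in chain.items():
        value = PCR_BANK_RESET
        for event in events:
            value = pcr_extend(value, event)
        pcrs[index] = value
    return pcrs


def policy_digest(pcrs: dict, selection) -> bytes:
    """Stand-in for a TPM2_PolicyPCR digest over the selected PCR indices and values."""
    h = hashlib.sha256()
    for index in sorted(selection):
        h.update(bytes([index]) + pcrs[index])
    return h.digest()


def seal(secret: bytes, pcrs: dict, selection) -> dict:
    """Bind a secret (<= 32 bytes) to a PCR state. Toy construction: key derived from
    the policy digest, one-block stream encryption, HMAC tag so a wrong state is detected."""
    key = hmac.new(policy_digest(pcrs, selection), b"seal-key", hashlib.sha256).digest()
    stream = hashlib.sha256(key + b"stream").digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return {"selection": sorted(selection), "ciphertext": ciphertext, "tag": tag}


def unseal(blob: dict, pcrs: dict):
    """Return the secret only if the current PCRs reproduce the policy used at sealing."""
    key = hmac.new(policy_digest(pcrs, blob["selection"]), b"seal-key", hashlib.sha256).digest()
    expected_tag = hmac.new(key, blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None  # policy mismatch: a real TPM refuses to unseal here
    stream = hashlib.sha256(key + b"stream").digest()
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], stream))


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code a tpm2-totp style tool shows at boot."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def tampered_chain() -> dict:
    """Same log, except the second loader measured into PCR4 was replaced by another build."""
    chain = {index: list(events) for index, events in GOOD_CHAIN.items()}
    chain[4][1] = b"grub.efi build B (unexpected)"
    return chain


def demo() -> dict:
    """Enroll on a known-good boot, then try to unseal on a good and on a tampered boot."""
    secret = b"12345678901234567890"  # RFC 6238 test secret (constructed input)
    good_pcrs = replay_pcrs(GOOD_CHAIN)
    blob = seal(secret, good_pcrs, selection=(4, 7))
    unsealed_good = unseal(blob, good_pcrs)
    unsealed_bad = unseal(blob, replay_pcrs(tampered_chain()))
    return {
        "good_code": totp(unsealed_good, unix_time=59) if unsealed_good else None,
        "tampered_code": totp(unsealed_bad, unix_time=59) if unsealed_bad else None,
    }


if __name__ == "__main__":
    print(demo())  # {'good_code': '94287082', 'tampered_code': None}
```

The point the model makes is the same one behind the OP's question: the TPM never judges whether a loader is good or bad, it only refuses to release the secret when the chain of measurements differs from the enrolled one, so a dual-boot partner rewriting the EFI boot path shows up as a missing or wrong code rather than a silent compromise. It also shows the flip side mentioned in the thread: the whole scheme depends on the firmware doing the measuring honestly, which is why BIOS/UEFI reflashing sits outside what this alone can defend.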

Maybe just move the Qubes OS /boot partition to a USB drive and plug it in to boot Qubes OS, or disconnect it if you need to boot Windows?

I actually did that for a while, but it doesn’t protect against BIOS firmware overwrite or option ROM attacks. Although option ROM attacks aren’t really in my threat model.

Also, this is incredibly error-prone, unless you have 2 USB sticks, which I forgot to do.

I actually have a script for this, I might send it.

I wonder if the safeboot integration is still planned?