Hi @wvrbocv, welcome to the Community. Apart from AEM, one can also use Heads with Qubes. (You would need to have a TPM in your hardware to use both; Intel ME is AFAIK not necessary.)
See also:
Lately I’ve been re-examining my reasons for using Chrome OS despite the privacy concerns (Google per se isn’t in my threat model, but that doesn’t mean I want to feed them everything) and found my biggest reason is its use of verified boot, which ensures that only signed and approved code is executed. The root of this trust (not sure if correct terminology) is in a ROM.
When combined with powerwash and a small attack surface, this means that even if malicious actors do somehow punch through th…
and
opened 12:57PM - 04 Oct 18 UTC (labels: T: enhancement, help wanted, C: other, security, P: default)
According to the secure boot specification, users can enroll their own keys for secure boot.
If the QOS bootloader were signed, users could manually enroll the signing key within the UEFI. That would be a better anti evil maid system since it doesn't require the use of potentially untrusted USB keys.
Since dom0 doesn't contain any 3rd party applications, we can enforce code signing on anything that runs within it.
[This](https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html) blog post mentions secure boot being problematic due to running CAs etc., but providing the user with a public key they can enroll manually would be doable.
Edit: I'm aware the developers are generally not very fond of secure boot. Could anyone explain why?
Alternatively a TPM could be used to unseal the drive encryption key.
> Pre-OS firmware components are hashed (measured)
> Measurements are initiated by startup firmware (Static CRTM)
> Measurements are stored in a secure location (TPM PCRs)
> Secrets (encryption keys) are encrypted by the TPM and bound to PCR measurements (sealed)
> Can only be decrypted (unsealed) with the same PCR measurements stored in the TPM
> This chain guarantees that firmware hasn't been tampered with
I am successfully using TPM with Heads and Librem Key on my Librem 14 to make sure my BIOS is not tampered with.
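The measure-then-seal chain quoted in the post, simulated in Python as an added example (this is not code from Heads, AEM, the Qubes project or any real TPM stack). `pcr_extend`, `measure_boot`, the `SimTpm` class, `demo` and the "firmware component" byte strings are all constructed for the illustration; the wrapping-key derivation and tag check stand in for the PCR policy a real TPM enforces on unseal.

```python
"""Simulation of TPM measured boot plus PCR-bound sealing.

Added illustration only: the TPM here is a Python class, the firmware
components are constructed byte strings, and the crypto is a toy built
from SHA-256/HMAC so the script runs offline with the standard library.
"""
import hashlib
import hmac
import os

PCR_INIT = bytes(32)  # PCRs start all-zero at power-on (SHA-256 bank)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new_pcr = H(old_pcr || H(component)).
    A PCR can only be extended, never set, so the final value depends on
    every component measured and on their order."""
    return sha256(pcr + sha256(measurement))


def measure_boot(components) -> bytes:
    """What the static CRTM does: hash each pre-OS component into the PCR."""
    pcr = PCR_INIT
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy stand-in for AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += sha256(key + nonce + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


class SimTpm:
    """Minimal stand-in for the sealing behaviour of a TPM (constructed)."""

    def __init__(self, storage_root_key: bytes):
        # In a real chip this key never leaves the TPM.
        self._srk = storage_root_key

    def _wrap_key(self, pcr: bytes) -> bytes:
        # The wrapping key depends on the chip secret AND the PCR value,
        # so a different boot state yields a different key.
        return hmac.new(self._srk, b"seal|" + pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr: bytes) -> tuple:
        wk = self._wrap_key(pcr)
        nonce = os.urandom(16)
        ks = _keystream(wk, nonce, len(secret))
        ciphertext = bytes(a ^ b for a, b in zip(secret, ks))
        tag = hmac.new(wk, nonce + ciphertext, hashlib.sha256).digest()
        return nonce, ciphertext, tag

    def unseal(self, blob: tuple, pcr: bytes):
        """Return the secret only if the current PCR matches the sealing PCR."""
        nonce, ciphertext, tag = blob
        wk = self._wrap_key(pcr)
        expected = hmac.new(wk, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # different measurements: the TPM refuses to unseal
        ks = _keystream(wk, nonce, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, ks))


# Constructed sample "firmware": boot block, payload, and its config.
GOOD_BOOT = [b"bootblock v1", b"coreboot payload", b"boot config"]
TAMPERED_BOOT = [b"bootblock v1", b"coreboot payload + implant", b"boot config"]
DISK_KEY = b"constructed-disk-encryption-key!"


def demo(srk: bytes = b"\x01" * 32) -> tuple:
    """Seal DISK_KEY against a clean boot, then try to unseal after a clean
    boot and after a tampered one. Returns (clean_ok, tampered_blocked).
    The default SRK is a constructed constant so the demo is reproducible."""
    tpm = SimTpm(srk)
    blob = tpm.seal(DISK_KEY, measure_boot(GOOD_BOOT))
    clean = tpm.unseal(blob, measure_boot(GOOD_BOOT))
    tampered = tpm.unseal(blob, measure_boot(TAMPERED_BOOT))
    return clean == DISK_KEY, tampered is None


if __name__ == "__main__":
    print(demo())
```

Running it gives `(True, True)`: the clean boot reproduces the PCR the key was sealed to and the key comes back, while the modified payload changes the PCR, hence the derived wrapping key, hence the tag check fails and nothing is released. That is the property the quoted text describes, and it is why the firmware does not need a signature for this scheme, only a reproducible measurement; the flip side, worth remembering when updating Heads or the BIOS, is that any legitimate firmware change also alters the PCRs and requires re-sealing.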