Can you elaborate, please? I saw on many websites, they said you can disable AMD PSP in BIOS. However, I expect it will only disable “the part that, when disabled, won’t create a noticeable difference”.
I should think it would be easier and more secure to just create backups of your templates. That way, if anything goes wrong in any of your VMs, you just delete the compromised qube and spin up a clone.
AV isn’t even recommended for mainstream distros. As I understand it, one of the reasons Linux doesn’t make heavy use of AV is that all AV software, by necessity, requires root access to do its thing, which means if the AV is ever compromised, the malware has unrestricted root access as well. Thus the AV is an unnecessary point of failure and the Linux philosophy is to deny root access to any and all installed applications by default.
That being said, you do you if that’s what you want to do. Under no circumstances, however, would I ever install AV on dom0. That’s a f***over waiting to happen.
If your PC itself is already infected, antivirus isn’t going to help you. You need a new computer (imx).
How does it matter? The Qubes backups are encrypted and even the names of qubes are not in plain text. What would an attacker gain by looking at those files? (unless you don’t trust the encryption technology)
Even though you are technically right, this is not so simple at all. When you connect your USB, you cannot be sure that your computer isn’t owned. It’s not relevant what happens when you take it out. See BadUSB.
Yes, you should install Coreboot (or other open-source alternative) in order to trust your BIOS more and possibly to disable Intel ME. You cannot do this on modern AMD.
If I was to write some malware that was specifically designed just for you, with the intention of getting your files on your USB stick, and my recon showed that you do sometimes take your computer offline, then I would factor that into my malware.
For example, I would make it copy the entire contents of any block device matching the description I defined (your USB stick). I would then get it to encrypt those files using my server’s public key (so you couldn’t recognise them), and either store them in your RAM, or somewhere obscure on your boot device.
Then, when it detected a network interface, it would send over those files to me.
Just to be thorough, in case the network interface only had LAN access, I would then instruct the malware to propagate itself onto all network devices, with copies of the encrypted files, in the hope that one of them would eventually make its way to an internet connection, and then send it to me.
(This was less about accuracy about what malware can actually do, and more about trying to get you into the habit of realizing that there is ALWAYS a risk)
Shortly after SA-00086 was patched, vendors for AMD processor mainboards started shipping BIOS updates that allow disabling the AMD Platform Security Processor
Depends on how you trust that.
You should disable that because it will disable PSP at “some level” in “some motherboard” and “some CPU model”, although not everything (still better than nothing).
Don’t think I’m using an AMD CPU (APU).
That picture is cut from a research paper.