@renehoj Pinging you here since you brought this up.
BootGuard is needed to ensure the firmware is actually from the OEM. It is the root of trust. Qubes’s security is basically useless if you end up getting malicious firmware running on there. You can read Intel’s whitepaper on it if you want.
I read the discussions you linked and they are not helpful at all. Most of it devolved into conspiracy talk, and is not what I am interested in. I see that you are a Purism customer, and I also (very stupidly) bought a Librem 14 a few years ago when I was younger and more naive. It is the worst purchasing decision I have ever made, security wise. @unman already touched a bit on why they are bad - but I will expand a bit on what he said here.
Regarding firmware updates
Proprietary firmware exists on your devices, whether you like it or not. You have 2 choices: Either you ship the updates with security fixes, or you don’t and suffer from publicly known vulnerabilities.
The FSF advocates for an absolutely insane approach where the OEM/OS vendor does not ship any firmware updates at all, and actively keeps the user ignorant of the fact that their computer is vulnerable, so they do not update the proprietary firmware for their vulnerable hardware because of “freedom”. Purism is fully aligned with this insane ideology.
Case in point: you are not getting any sort of firmware updates on these devices except for the boot firmware (PureBoot) and the EC firmware. Qubes does attempt to load in microcode updates, but I am not sure/have not checked whether this actually does anything or not, considering the boot firmware can prevent the microcode updates from actually taking effect (Libreboot used to do this).
Outside of Qubes, PureOS is also an absolute disaster. Like I mentioned before, Purism does not participate in LVFS, so you are not getting any firmware updates from there. Even worse, they ship Linux-libre, which suppresses kernel warnings about vulnerable CPUs and out-of-date microcode. I am not even sure if you can load in the microcode updates with this kernel or not. If you use PureBoot (as opposed to their Coreboot + SeaBIOS), you are definitely not getting the microcode updates there either.
They advertise insecurities as a feature.
This gets even more insane on their Librem 5.
Regarding HEADS/PureBoot
Technically, I do not fully understand how HEADS works, especially on a Librem laptop. The TPM is supposed to get measurements from the firmware and compare them to the key, but what is stopping the firmware from falsifying values to the TPM? Where is the CRTM supposed to be? I am not sure if it’s part of the ME or if it’s part of the BIOS unless AMT is present. Either way, their CPU is non-vPro and they cripple the ME, so it’s most likely in the BIOS. I could be wrong, but the explanation of how it works doesn’t make any sense to me.
Regardless, even if we take the premise that PureBoot does work (which I HIGHLY doubt), the usability of HEADS/PureBoot is terrible. Like Qubes AEM, you need to keep track of when dom0 gets updated, because if you don’t, you would have 0 idea if a warning is there because of actual tampering or if it’s just an update. It’s a hassle.
Then it gets even worse - the pairing with the NitroKey is done via HOTP. HOTP gets out of sync quite often, and I have had it get out of sync on my Librem and give a warning when no updates or tampering actually happened several times.
So in reality, when I get a warning, I have no clue if it is because I installed an update and forgot about it, actual tampering happened, or the thing just got out of sync.
Oh, and this is not to mention, for this to even be secure, I need an external computer which is actually secure to even download the ISO, put it into the USB stick and flash the update. If I used Qubes to download it and the VM somehow got compromised, I will quite literally be signing malware and flashing it into the BIOS chip. This way, a compromised VM/OS can escalate into a full BIOS compromise, and the only way to get out of it is to open the laptop up and reflash the BIOS with a programmer.
To add insult to injury, this payload does not support legacy ATA unlock at all, and I am not sure if it will even work with OPAL’s shadow region for unlocking considering that it is just the Linux kernel trying to boot stuff. Normally I would not fault the firmware too much for this, but in a design like a Librem it is extremely problematic for the reasons I will explain below.
When you unlock a drive with LUKS/dm-crypt, the encryption key will be stored in the computer’s memory. If there is a physical attacker who can get to your RAM, they can extract your encryption key from there. To protect your drive encryption key and a bunch of sensitive stuff in memory, you would need TME.
If TME doesn’t exist, you can at the very least try to protect your drive encryption keys with OPAL (the drive’s self-encryption). Too bad, the HEADS payload does not work with it, as mentioned above.
This, however, is not the end of it. It gets much worse…
UNFUSED CPU
Yes, Purism once again advertises insecurities as a feature.
Conclusion
I really do not like how HEADS works, and my experience with it (in the form of PureBoot) has been terrible. Using HEADS also means that you can’t have Boot Guard or UEFI boot, so it is useless for most modern systems anyways. Even Linux now is trying to set up some form of better boot chain with systemd-cryptenroll, systemd-measured, and whatever. Those certainly will not work with HEADS.
The Librem laptops are as insecure as it gets. The only things more insecure than it are the Thinkpad X2xx and T4xx. I have no idea why these terrible laptops are so widely recommended in the Qubes community. I cannot in good conscience tell anyone that it is even remotely “secure” hardware. My very, very expensive $2000 Librem 14 just sits there doing nothing, as it is not trustable hardware or software, and I bought it based on emotions (yes, I went through a brief FSF worshipping phase) instead of rational thought. I am not sure if I can even sell this for $500 to anyone who is aware of how absolutely messed up it is. And if I don’t tell them about all this stuff - well, it is as if I am scamming them. But seriously, I just want to get rid of this horrendous hardware, get a fraction of the money back so I can save towards buying a Dell Latitude/Precision or something.
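An added example, not part of the post above and not HEADS/PureBoot or Nitrokey code, illustrating the HOTP counter desynchronization the post complains about. It implements RFC 4226 HOTP (HMAC-SHA1 over an 8-byte counter with dynamic truncation) plus a verifier that accepts codes within a look-ahead window and resyncs on success. The shared secret is the RFC 4226 test-vector key, the window size of 3 is an assumption for illustration, and the `Token`/`Verifier` classes are a simplification: whenever the token side advances its counter without the verifier seeing the code (the post's "no updates or tampering actually happened" case), the two drift apart, and once the gap exceeds the window the verifier reports a mismatch that is indistinguishable from a wrong code.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test-vector secret; used here only so the
# example is checkable, not a real pairing key.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """Code-generating side (hypothetical stand-in for the hardware token). Advances on every code."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Verifier:
    """Checking side with a look-ahead window (assumed size 3) and resync-on-success."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str):
        """Return (accepted, skipped_codes). On success the counter jumps past the matched value."""
        for skipped in range(self.window + 1):
            candidate = self.counter + skipped
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1     # resync to the token's position
                return True, skipped
        return False, None                       # outside the window: looks like a bad code


def simulate(unseen_codes: int, window: int = 3):
    """Token emits `unseen_codes` codes the verifier never sees, then one that is checked."""
    token = Token(SECRET)
    verifier = Verifier(SECRET, window=window)
    for _ in range(unseen_codes):
        token.next_code()                        # counter advances, verifier not informed
    return verifier.verify(token.next_code())


if __name__ == "__main__":
    for gap in (0, 2, 5):
        accepted, skipped = simulate(gap)
        print(f"{gap} unseen codes -> accepted={accepted}, resynced over {skipped} codes")
```

Running the block shows that a drift of 2 unseen codes is silently absorbed by the window, while a drift of 5 is rejected even though nothing was tampered with; a verifier without a resync window would reject after a single unseen code.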