Secure hardware for Qubes

seal the case preventing non-destructive opening

This just sounds terrible, depends on luck, and is so much worse than normal verified boot. Even in an ideal world where you can absolutely guarantee that opening up the computer will be destructive, you are still missing out on protection against malware persistence that verified boot provides.

There is no guarantee that your BIOS (which is writable) hasn’t been tampered with malware because you do not have BootGuard. If it is compromised, you will need to fix this by opening up the computer and reflash it - which is not going to go well because it is destructive.

It is just a terrible idea in general.

buy the model from Nitrokey with heads

Oh I have one. It is terrible - I will elaborate more on this in my response to @fsflover.

You are right, it is not completely useless like I originally said.

With that being said, I am still not a fan of Qubes AEM, since the entire thing hinges on the fact that no one will see the secret message, which is displayed on the screen and can be shoulder surfed, recorded on camera, or whatever.

It is also painful because

After Xen, kernel, BIOS, or firmware upgrades, you will need to reboot
and enter your disk decryption passphrase even though you can’t see your
secret. Please note that you will see a Freshness toekn unsealing failed!
error.

Now you have to also keep track of whether there is a Xen or Kernel update everytime dom0 is updated. If you don’t, you would have no idea whether that error is because of tampering or an update.

On top of that, not having BootGuard means that if the computer is ever compromised, you will have to open it up and reflash the BIOS chip with a programmer.

I plan to just use self encrypting drives with a signed image in the shadow region or legacy ATA unlock. Obviously, there is no protection against malware persistence like proper verified boot, but at least I can hope that the evil maid attacks won’t succeed. I can also update Xen and the Kernel without too much worrying with this setup, and I can just reinstall the OS if I do get compromised. However, if a machine doesn’t have BootGuard properly set up, this plan fails spectacularly.

Oh, and without BootGuard, any plans of running Windows or normal Linux in the future is also out of the window.

I don’t think there’s any excuse for not setting it up properly. These are not secure or trustworthy hardware

Pretty sure this is wrong.

Most consumer desktop PCs can’t use Intel BootGuard.

You can mitigate some of those.
E.g. reboot after dom0 updates. Do not reboot into qubes in non-private places and so on.

Is this ideal? No. Do you have the chops to roll your own signing of firmwares and stuff? Then Dasharo Enterprise might be good for you (not sure if they do that with laptops) - they give you unfused intel CPU and you fuse in your own keys, then sign all firmwares with your own keys that nobody else has. Only Intel signing keys remain a threat (for ME and such).

That’s not entirely true. You can ask ME to write-protect portions of SPI chips holding bios that boot code. You can also ask your kernel to do the same (default nowadays when secure boot is enabled for example, obviously if kernel is compromised, it won’t help)

As the old adage says, what one man made, another can break. Secureboot is not a panacea either, you can subvert it in multiple ways, esp. if you can open the case and tinkle with the components directly. There are hardware and software bugs.

You just have to know what’s your threat model and plan accordingly.

E.g. reboot after dom0 updates. Do not reboot into qubes in non-private places and so on.

I have no idea how this mitigates anything.

Is this ideal? No. Do you have the chops to roll your own signing of firmwares and stuff?

This is terrible. I am not going to read the firmware code on every update (who are we kidding?). And even if I do, that is going to take me awhile. All it means is that I will just not get easy automatic firmware updates via the UEFI capsule, having to waste time blindly signing a binary built from a source code that I do not read, and having to set up a separate infrastructure to even build and sign the firmware securely. The OEM is still implicitly trusted with so many things anyways, making this whole excercise security theatre.

That’s not entirely true. You can ask ME to write-protect portions of SPI chips holding bios that boot code.

Then how am I supposed to get easy automatic updates? Now instead of having manual flashing every time I get compromised, I have to do a manual flash every update now. What is even the point?

As the old adage says, what one man made, another can break. Secureboot is not a panacea either, you can subvert it in multiple ways, esp. if you can open the case and tinkle with the components directly. There are hardware and software bugs.

Yeah, but these are vulnerabilities. Not setting up BootGuard or not blowing the fuses is just adding obvious hardware vulnerabilities for no reason. In what threat model would it ever make sense to not setup BootGuard?

Easy. If you reboot right after installing an update - you know that this time the secrets changes are legit. (remember we are still using the context of AEM). At any other time it’s a huge warning sign.

Huh? I am not sure what it has to do with anything on hand? Do you read binary firmwares before applying those updates?

Oh, sorry, I thought we were talking about secure hardware here, not “easy to use”. The two goals are rarely compatible.

Well, the situation is very different here. While OEM has some control, it’s much less. For example if OEM is coerced into making changes, you are under no obligation to sign and install them when YOU hold the signing keys.

The way it happens on Intel platforms is a special file is placed onto the boot filesystem, the early bootloader notices the file, verifies its integrity and then applies, before any of the less trusted later components get into the picture.

wait a minute, why do you need a flashing after every compromise? If the flash is not writeable from your compromised OS, there’s no need to rewrite it, right?

Also if you get this deeply compromised very often, what is even the point of storing any sort of important data on such systems? Every compromise would exfiltrate it all anyway I imagine.

Yup.

The two are not the same.
IF there are unblown fuses - you are in GREAT luck I would say. You can actually blow them the way YOU want, you can put in your own keys and have a much more secure system in the end.

If you assume that the attacker has the signing keys that bootguard would trust, then having bootguard does not really buy you anything?

Actually I take back my concession that it is not completely useless even without BootGuard because of AEM.

The CRTM (what does the measurement) is part of the BIOS, not part of the ME like you said. Without Boot Guard, the CRTM is useless since it is also mutable anyways. That also means every thing down the chain including the AEM is would be useless without Boot Guard.

https://www.intel.com/content/www/us/en/developer/articles/technical/intel-trusted-execution-technology-a-primer.html

The Core Root of Trust for Measurement (CRTM) provided by Intel AMT measures the system BIOS

AMT is ME. it measures BIOS, not part of the BIOS

Easy. If you reboot right after installing an update - you know that this time the secrets changes are legit. (remember we are still using the context of AEM). At any other time it’s a huge warning sign.

No, you don’t. Not all dom0 updates are kernel and xen updates. You need to actually check which packages are updated, every single time.

Oh, sorry, I thought we were talking about secure hardware here, not “easy to use”. The two goals are rarely compatible.

No, and that is the point. It’s not going to be read anyways. There are only 2 choices:

• Automatically applying the signed binary and getting the fix ASAP.
• Sit on it, delay updates, and then not fully reading or understanding everything. Suffer from the vulnerabilities that you wouldn’t have otherwise while you are sitting on it.

Huh? I am not sure what it has to do with anything on hand? Do you read binary firmwares before applying those updates?

Secure hardware have blown fuses and Bootguard properly setup. Sitting on updates and not fully reading the code (exactly what’s going to happen if you are not working this piece of software as a job) is hardly a good security practice. You are not going to read every single line every update anyways, so might as well take the signed timely automatic updates.

Well, the situation is very different here. While OEM has some control, it’s much less. For example if OEM is coerced into making changes, you are under no obligation to sign and install them when YOU hold the signing keys.

This is all hopes and dreams. Say tomorrow an update is released with critical fixes. Are you going to sit on it for months/years partially reading it or would you apply it immediately? This is just an illusion of control.

The way it happens on Intel platforms is a special file is placed onto the boot filesystem, the early bootloader notices the file, verifies its integrity and then applies, before any of the less trusted later components get into the picture.

What?

wait a minute, why do you need a flashing after every compromise? If the flash is not writeable from your compromised OS, there’s no need to rewrite it, right?

Also if you get this deeply compromised very often, what is even the point of storing any sort of important data on such systems? Every compromise would exfiltrate it all anyway I imagine.

What are you even saying? There are only 2 possible scenarios here:

• The flash is writable, in which case you need to manually flash it to fix after a compromise.
• The flash is “readonly” (as in just not allowing write but having no real verification whether it has somehow been tampered with because of not having BootGuard), then I have to manually flash every update, which is even worse.

IF there are unblown fuses - you are in GREAT luck I would say. You can actually blow them the way YOU want, you can put in your own keys and have a much more secure system in the end.

Again, security theatre for the reasons I explained above. Unless you are working on this software full time and actually audits everything every time there is a new release, and do it in a timely manner - this is a meaningless excercise.

These are non-vPro setups, so how does AMT even come into the picture?

While this is true, you can still reboot after every dom0 update.

you can do this with Dasharo Enterprise too, just sign whatever they release and apply. And you are still better off becuase it’s on your schedule (aka, nobody can steal the OEM keys and sign the image that your system would accept)

this is a separate issue.

Basically we have two vectors on discussion:

1. Somebody steals OEM key and signs firmware with it then installs on random systems they want to compromise.
2. A backdoor is introduced into a firmware/bios and then gets distributed everywhere (with corresponding increase in probability of its discovery)

Holding your own keys mitigates item #1, while item #2 remains a concern in both approaches.

Seriously, look it up.

There are actually 3 scenarios, the missing scenario is:
3. The flash is writeable only early on boot, but then the configuration is locked and you cannot write to the flash (some rgions, anyway) when your userspace OS is booted.

Like I explained there are extra protections you get with your own keys even if you otherwise blidly trust vendor releases otherwise.

Yes. Intel ME is still there in all modern CPUs. that’s what gives you software TPM and such. The wording in the blog post is just vague, but underlying tech is all there and in use.

(now a bunch of that stuff is deprecated anyway, and this is why Trench Boot as the AEM replacement is making rounds, but the underlying ideas are similar.)

While this is true, you can still reboot after every dom0 update.

Sure. It is extra work, interrupts the workflow, and is still worse than just normal secure boot though.

you can do this with Dasharo Enterprise too, just sign whatever they release and apply. And you are still better off becuase it’s on your schedule (aka, nobody can steal the OEM keys and sign the image that your system would accept)

This doesn’t actually work. The scenario you mentioned implies that:

• Someone stole their keys and sign the malicious images.
• Those same people also compromise their web server and distribute the malicious images.

Chances are, such an actor will also compromise the git system where you are getting your source code from, so you are still just blindly building malicious code and signing it anyways.

And if they are not compromised, well, you just do the extra work of building it, signing it, and applying it a bit later than you would have otherwise for nothing.

Holding your own keys mitigates item #1, while item #2 remains a concern in both approaches.

No, it doesn’t even mitigates #1 for the reason I mentioned above.

3. The flash is writeable only early on boot, but then the configuration is locked and you cannot write to the flash (some rgions, anyway) when your userspace OS is booted.

Sure, but security is still reduced to trusting that said lock works properly instead of having the CPU verifies the code that’s actually there.

Like I explained there are extra protections you get with your own keys even if you otherwise blindly trust vendor releases otherwise.

It’s blind trust in either cases.

Yes. Intel ME is still there in all modern CPUs. that’s what gives you software TPM and such. The wording in the blog post is just vague, but underlying tech is all there and in use.

Are you sure about this? Can you link me on that? All the links I have found says its the AMT and not the ME. Anyhow, I got a little carried away since we are talking about AEM without BootGuard/blown fuses so it implies AMT is there.

no! Remember we are still discussing EvilMaid, right? They generate their own validly signed image and then write it to your computer themselves.

you realize git commits are signed, right? If the bad actor compromised the git server and also developer keys - it’s only going to take so much less for people to notice it and to shout about it from the hilltops.

If you want your rootkit to live long and happy life, you need to ensure it s circulation is as narrow as possible.

Well, AEB has certain system requirements, your system either meets them or it does not so of course necessary bits to support TXT and such are there.

no! Remember we are still discussing EvilMaid, right? They generate their own validly signed image and then write it to your computer themselves.

Yeah, I am quite tired at this point and lost track of it. I guess in that specific context, you may be right (I am actually too tired to think properly at this point). But I’d like to also take into account getting proper updates and what not. Remember that you will still need a separate build system to build and sign this stuff (if you are trying to sign the firmware on the same computer, if the OS gets compromised, you are basically screwed forever), and then have to think about how you are going to keep that system secure.

you realize git commits are signed, right? If the bad actor compromised the git server and also developer keys - it’s only going to take so much less for people to notice it and to shout about it from the hilltops.

Nah man. They don’t even sign all of their git commits: Commits · Dasharo/edk2 · GitHub

Now, one may say that signed git commits are a meme, and that signed tags is the proper way to do it. And I would agree. The problem here is that they also don’t sign all of their tags properly either: Tags · Dasharo/edk2 · GitHub

Also, if they ever get into a situation where their firmware signing key compromised, I don’t know how their pgp/ssh keys can be trusted.

And if that ever happens, the attacker don’t even need an Evil Maid to attack you. They can just remotely compromise your system because your firmware is already compromised anyways.

Really, if you want to think about a scenario where an OEM is so bad they got their signing keys compromised, then you are screwed, with or without evil maids. At that point, all one can do is rely on pure luck.

@TommyTran732, thanks for pointing that out. I will take care of that immediately. We have many coders and 20+ people in the company - mistakes happen constantly. In some repositories, we have CI and other checks set up, which leads to not allowing merge commits without signatures. I’m not sure what happened here, but we will resolve that. And for the future, we would appreciate it if such an issue would be raised with us, for example here. I will get back here with information on what happened and hopefully, we can sign those commits ASAP.

key compromise is concern everywhere of course.

As for Dasharo not signing their commits/tags, I did not really check that, I assumed they did same as Qubes devs do because you know, this is just something you must do in this kind of serious context.

Hopefully they’ll reconsider.

As for maintaining your own signing infrastructure - sure. As I said, security and usability don’t go hand in hand. You can offload all the hard parts on other people - sure, you pay with less security as the result.

Well, this is not entirely true. Even with compromised bootguard AEM helps because the measuring happens before the components guarded with boot guard get a chance to run.

Also it’s not like oem keys have not been leaked in the past. Some were quite high profile, but probably even more low profile leaks.

Something is not right how GitHub handles PR merging.

Please have a look here: Dasharo (UEFI) v0.1.0 for QEMU Q35 by maheshtammisetti · Pull Request #44 · Dasharo/edk2 · GitHub - all commits signed.

But as soon as they landed on target branch after merging, the Verified label disappeared: Commits · Dasharo/edk2 · GitHub

We will investigate it to avoid such issues in the future. Thanks for noticing it…

Ah, well at least you guys responded very quickly xd

And yeah, I will definitely raise it with you guys in the future. In fact, I was going to report that later. I have quite literally just found out about the git signing stuff when I was arguing with @kindagreen, I wasn’t aware of Dasharo at all until he brought you guys up.

@TommyTran732 We have a very interesting discussion on Dasharo Matrix. It looks like it is partially the fault of Github and its policies for doing rebase merge. We are trying to realize the best options for our repos to minimize confusion and improve trustworthiness.