Secured-core laptop compatibility with QubesOS?

Anyone here running Qubes OS on a secured-core laptop (Dell Latitude, Precision, modern ThinkPads) and wouldn’t mind sharing their experience? I’m mainly wondering if the security features that are OS-agnostic work properly and are supported on Qubes OS. As well as this, does Total Memory Encryption work?

1 Like

After reading up on what a secured-core PC is, it sounds to me like it’s Windows-specific, and mainly to handle USB-based attacks. That being said, I didn’t spend too much time reading into it, so maybe I missed some special feature.

If you use Qubes properly and don’t allow USB access past sys-usb that you don’t trust, then you already have that protection with Qubes. If you are wanting to get extra protection against physical access attacks, use a laptop that can support Heads, or roll the dice on a Librem with PureBoot and hope you don’t get a bum one like I did. It won’t stop someone with physical access from doing an evil maid attack, but it will alert you that things were changed when you go to boot up next. Just my two cents.

1 Like

Secured-core PCs aim to mitigate firmware-based attacks as much as possible and are therefore OS-agnostic, not reliant on Windows. The link I mentioned above details most of these security features, and the only ones reliant on Windows have to do with BitLocker and Windows Hello. I believe the advantages of “DMA protection” are covered by using sys-usb, which is good.

The reason I wanted to look into secured-core PCs instead of a laptop with Heads is due to some concerns I read about Heads firmware and Librem devices. This post gives some details. There’s also a lengthy discussion on this forum titled “Secure hardware for Qubes” by TommyTran732 that talks about the shortcomings of Heads, if you would like to read it.

This post explains some advantages of modern secured-core PCs and limitations of other Linux hardware vendors.

1 Like

Yes, most features seem Windows-specific. Some of them use virtualization for extra security, with VT-x and VT-d (IOMMU), which are both already mandatory in Qubes.
TPM 2.0 is afaik not yet supported for AEM.
Secure boot is not yet supported for Qubes.
Not sure about SMM isolation.

As well as this, does Total Memory Encryption work?

AMD’s TSME works just fine with Qubes on my machine.

2 Likes

Both TSME (AMD) and TME (Intel) work, it’s all done in the hardware.

The multi-key encryption (MKTME) from Intel doesn’t work, as far as I can tell.

Have you tried using AMD’s secure encrypted virtualization (SEV)?

It seems to be supported by libvirt, I’m guessing there is a chance it could work with Qubes OS?

2 Likes

There is no software support yet: Consider support for AMD's SEV for Ryzen PRO (4750U) Laptop · Issue #6105 · QubesOS/qubes-issues · GitHub
It is a few years old now. But Xen still doesn’t support SEV:
GitHub - xcp-ng/hyper-sev-project: Our project to get AMD SEV working with XCP-ng

2 Likes

Yeah I was going to wait for them to be supported before getting the device.

Isn’t this only available on Ryzen Pro CPUs? If so, does this mean you have the Pluton Security chip? Does it do anything special on Linux or do you have it disabled?

1 Like

Yes, you need Ryzen Pro or enterprise CPUs, afaik.
I have a ThinkPad L14 AMD Gen 3; to my knowledge it does not have a Pluton chip.

2 Likes

Are you able to get firmware updates from Lenovo using LVFS in Qubes? I tried reading up on LVFS in Qubes but I couldn’t find much about it, although I know it is supported. Do you run the command in dom0?

1 Like

Okay, I wasn’t sure if it worked.

I was looking into MKTME, which doesn’t seem to have any support at all, whereas at least SEV seems to have some support from libvirt.

https://libvirt.org/kbase/launch_security_sev.html

1 Like

Does not having MKTME greatly undermine the RAM encryption?

1 Like

No, you just need TME or TSME, and at least you will be protected from cold boot attacks and similar attacks that try to dump the memory.

2 Likes

Then what threat does not having MKTME pose?

1 Like

You could set different keys for each VM.

TME and TSME you just enable, and it does its thing. Multi-key encryption seems like it requires a lot more configuration and software support to work. It just doesn’t work with Qubes OS, so you are not losing anything; you can’t use it.

2 Likes
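To make the TME/TSME versus MKTME/SEV distinction above concrete, here is an added example (not code from the thread, from Qubes OS or from any hardware vendor) that reports which memory-encryption features a Linux kernel exposes. It relies on the flag names Linux prints in /proc/cpuinfo (`tme`, `sme`, `sev`, `sev_es`) and on the lines the kernel logs when it enables TME, MKTME or SME; the sample cpuinfo and dmesg snippets are constructed, not captured from real machines, and the CPU model strings in them are placeholders.

```shell
#!/bin/sh
# Added example: summarise memory-encryption support from /proc/cpuinfo flags
# and kernel log lines. Inputs are passed as text so the function can be run
# on the constructed samples below as well as on a live system.

# has_flag FLAGS NAME: true if NAME appears as a whole word in FLAGS
has_flag() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# mem_enc_report CPUINFO_TEXT DMESG_TEXT
# Prints one line per finding. Returns 0 when whole-memory encryption
# (Intel TME or AMD SME/TSME) is reported active by the kernel, 1 otherwise.
mem_enc_report() {
    flags=$(printf '%s\n' "$1" | grep -m1 '^flags' | cut -d: -f2)
    dmesg_text=$2
    active=1

    has_flag "$flags" tme && echo "cpu: Intel TME supported (flag tme)"
    has_flag "$flags" sme && echo "cpu: AMD SME/TSME supported (flag sme)"
    # SEV encrypts per VM; as the thread notes, Xen (and so Qubes) cannot use it yet.
    has_flag "$flags" sev && echo "cpu: AMD SEV supported (flag sev); unused without hypervisor support"

    # AMD: the kernel logs which features it actually turned on.
    if printf '%s\n' "$dmesg_text" | grep -q 'Memory Encryption Features active:.*SME'; then
        echo "kernel: AMD SME/TSME active"
        active=0
    fi
    # Intel: TME is enabled by firmware; the kernel only reports it.
    if printf '%s\n' "$dmesg_text" | grep -q 'x86/tme: enabled by BIOS'; then
        echo "kernel: Intel TME enabled by firmware"
        active=0
    fi
    # MKTME also shows up in the log, but Qubes OS has no support for it.
    if printf '%s\n' "$dmesg_text" | grep -q 'x86/mktme: enabled by BIOS'; then
        echo "kernel: Intel MKTME present (no Qubes OS support)"
    fi
    return $active
}

# Constructed samples (not from real machines), trimmed to the relevant lines.
SAMPLE_CPUINFO_AMD='processor : 0
model name : AMD PLACEHOLDER (constructed sample)
flags : fpu vme de sse sse2 sme sev sev_es'
SAMPLE_DMESG_AMD='[    0.000000] Memory Encryption Features active: AMD SME'

SAMPLE_CPUINFO_INTEL='processor : 0
model name : Intel PLACEHOLDER (constructed sample)
flags : fpu vme de sse sse2 tme'
SAMPLE_DMESG_INTEL='[    0.123456] x86/tme: enabled by BIOS'

SAMPLE_CPUINFO_NONE='processor : 0
flags : fpu vme de sse sse2'

# On a real machine use:  mem_enc_report "$(cat /proc/cpuinfo)" "$(dmesg)"
echo "== constructed AMD sample"
mem_enc_report "$SAMPLE_CPUINFO_AMD" "$SAMPLE_DMESG_AMD" || echo "no whole-memory encryption active"
echo "== constructed Intel sample"
mem_enc_report "$SAMPLE_CPUINFO_INTEL" "$SAMPLE_DMESG_INTEL" || echo "no whole-memory encryption active"
echo "== constructed sample without memory encryption"
mem_enc_report "$SAMPLE_CPUINFO_NONE" "" || echo "no whole-memory encryption active"
```

The return value distinguishes "the CPU advertises a feature" from "the kernel reports it active": a `tme` or `sme` flag alone means nothing if firmware left the feature off, which is why the function only returns success on the kernel's own log line.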

I tried but there is no documentation yet and the command didn’t work for me:

1 Like

I’ve had issues with sys-usb on the X220; I deleted my USB qube because adding the correct PCI devices to control everything consistently bricked my setup. That said, Qubes runs perfectly, and despite my issues with its clipboard (I have yet to solve hooking my text editor, neovim, to the clipboard), this is by far my favorite OS for general quality-of-life and privacy/anonymity features.

2 Likes