Secured-core laptop compatibility with QubesOS?

Anyone here running Qubes OS on a secured-core laptop (Dell Latitude, Precision, modern ThinkPads) and wouldn’t mind sharing their experience? I’m mainly wondering if the security features that are OS-agnostic work properly and are supported on Qubes OS. As well as this, does Total Memory Encryption work?

1 Like

After reading up on what a secured-core PC is, it sounds to me like it’s Windows specific, and mainly to handle USB-based attacks. That being said, I didn’t spend too much time reading into it, so maybe I missed some special feature.

If you use Qubes properly and don’t allow USB access past sys-usb that you don’t trust, then you already have that protection with Qubes. If you are wanting to get extra protection against physical access attacks, use a laptop that can support Heads, or roll the dice on a Librem with PureBoot and hope you don’t get a bum one like I did. It won’t stop someone with physical access from doing an evil maid attack, but it will alert you that things were changed when you go to boot up next. Just my two cents.

1 Like

Secured-core PCs aim to mitigate firmware-based attacks as much as possible and are therefore OS-agnostic, not reliant on Windows. The link I mentioned above details most of these security features, and the only ones reliant on Windows have to do with BitLocker and Windows Hello. I believe the advantages of “DMA protection” are covered by using sys-usb, which is good.

The reason I wanted to look into secured-core PCs instead of a laptop with Heads is due to some concerns I read about Heads firmware and Librem devices. This post gives some details. There’s also a lengthy discussion on this forum titled “Secure hardware for Qubes” by TommyTran732 that talks about the shortcomings of Heads if you would like to read it.

This post explains some advantages of modern secured-core PCs and limitations of other Linux hardware vendors.

1 Like

Yes, most features seem Windows specific. Some of them use virtualization for extra security, with VT-x and VT-d (IOMMU), which are both already mandatory in Qubes.
TPM 2.0 is afaik not yet supported for AEM.
Secure boot is not yet supported for Qubes.
Not sure about SMM isolation.

As well as this, does Total Memory Encryption work?

AMD’s TSME works just fine with Qubes on my machine.

3 Likes

Both TSME (AMD) and TME (Intel) work, it’s all done in the hardware.

The multi-key encryption (MKTME) from Intel doesn’t work, as far as I can tell.

Have you tried using AMD’s secure encrypted virtualization (SEV)?

It seems to be supported by libvirt, I’m guessing there is a chance it could work with Qubes OS?

2 Likes

There is no software support yet: Consider support for AMD's SEV for Ryzen PRO (4750U) Laptop · Issue #6105 · QubesOS/qubes-issues · GitHub
It is a few years old now. But Xen still doesn’t support SEV:
GitHub - xcp-ng/hyper-sev-project: Our project to get AMD SEV working with XCP-ng · GitHub

2 Likes

Yeah I was going to wait for them to be supported before getting the device.

Isn’t this only available on Ryzen Pro CPUs? If so, does this mean you have the Pluton Security chip? Does it do anything special on Linux or do you have it disabled?

1 Like

Yes, you need Ryzen Pro or enterprise CPUs afaik.
I have a ThinkPad L14 AMD Gen3; to my knowledge it does not have a Pluton chip.

2 Likes

Are you able to get firmware updates from Lenovo using LVFS in Qubes? I tried reading up on LVFS in Qubes but I couldn’t find much about it, although I know it is supported. Do you run the command in dom0?

1 Like

Okay, I wasn’t sure if it worked.

I was looking into MKTME, which doesn’t seem to have any support at all, whereas at least SEV seems to have some support from libvirt.

https://libvirt.org/kbase/launch_security_sev.html

1 Like

Does not having MKTME greatly undermine the RAM encryption?

1 Like

No, you just need TME or TSME, and at least you will be protected from cold boot attacks and similar attacks that try to dump the memory.

2 Likes

Then what threat does not having MKTME pose?

1 Like

You could set different keys for each VM.

TME and TSME you just enable, and it does its thing. Multi key encryption seems like it requires a lot more configuration, and software support to work. It just doesn’t work with Qubes OS, so you are not losing anything, you can’t use it.

2 Likes

I tried but there is no documentation yet and the command didn’t work for me:

1 Like

I’ve had issues with sys-usb on the X220; I deleted my USB qube because adding the correct PCI devices to control everything consistently bricked my setup. That said, Qubes runs perfectly, and despite my issues with its clipboard (I am yet to solve hooking my text editor (neovim) to the clipboard), this is by far my favorite OS for general quality of life and privacy / anonymity features.

2 Likes

Are you sure that TSME does not work on “normal” Ryzens?

According to:

they do.

But not like there is any easy way to verify this.

1 Like

It works on the 9950X, I have firmware options to enable both TSME and memory scrambling.

I don’t know what Ryzen models have the feature, but it might be similar to Intel CPUs, where only the high-end (i7/i9) models support memory encryption.

1 Like

Are you sure that it’s supported if it’s visible?

I can also see that option for a 2700 in the BIOS.

Apparently this is how you can test for TSME

Also, how would one detect from the kernel (Linux) that the system is booted with TSME enabled (not just SME)?

Because TSME is invisible to the OS, this takes some work. You need to be sure that the processor’s memory encryption feature is enabled (bit 23 of MSR 0xc0010010) in order to determine from the OS if TSME is enabled. If it is, that means that the CPU will recognize the encryption bit in a page table entry. You’ll need a kernel module to detect TSME at this point. The idea is to:

Allocate a page
Zero the page or set it to a pattern
Find the PTE entry for that page (using lookup_address())
    Be sure you're working with a 4K page and not a 2MB or larger page (check the level returned from lookup_address()). If it's a 2MB or larger page, try allocating another page.
Change the encryption bit in the PTE - if set, clear it or if clear, set it
    Flush the TLB
    Flush the cache (either wbinvd_on_all_cpus() or clflush the page)
    Update the PTE (using set_pte_atomic())
    Flush the TLB again
Examine the allocated page
    If the pattern is the same, that means that TSME is active and is encrypting/decrypting all data going through the memory controller and so the encryption bit setting doesn't matter.
    If the pattern is different (looks like cipher text), that means that TSME is not active and the memory controller is only encrypting/decrypting data based on the page table encryption bit (SME).

Most/all the stuff here is pertaining to SME, just mentioning that TSME also exists but not actually how to work with it.

1 Like
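The recipe quoted above starts from a precondition that can be checked from user space before writing any kernel module: bit 23 of MSR 0xc0010010. Added example, not code from this thread, from AMD or from the Qubes project: a small C tool that decodes CPUID leaf 0x8000001F (SME/SEV support and the C-bit position, per AMD's documentation, not from this thread), reads SYSCFG through /dev/cpu/N/msr, and checks a dmesg buffer for the ccp driver's "psp: TSME enabled" line quoted later in this thread. It assumes root and a loaded msr kernel module; the MSR read is of course a bare-metal view and says nothing about what a Qubes guest kernel sees.

```c
/* tsme_precheck.c: user-space pre-checks for the kernel-module TSME test quoted above.
 * Constructed example, not code from this thread. Needs root and the msr kernel module. */
#define _FILE_OFFSET_BITS 64
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SYSCFG_MSR            0xC0010010u   /* AMD SYSCFG MSR named in the quote */
#define SYSCFG_MEM_ENCRYPT_EN (1ull << 23)  /* MemEncryptionModeEn, bit 23 */

struct sme_info { int sme; int sev; int cbit; };

/* Decode the registers returned by the cpuid instruction for leaf 0x8000001F:
 * EAX[0]=SME supported, EAX[1]=SEV supported, EBX[5:0]=C-bit position in a PTE. */
struct sme_info decode_cpuid_8000001f(uint32_t eax, uint32_t ebx) {
    struct sme_info i = { (int)(eax & 1), (int)((eax >> 1) & 1), (int)(ebx & 0x3f) };
    return i;
}

/* Bit 23 set: the memory controller honours the C-bit, so the PTE flip test is meaningful. */
int syscfg_mem_encrypt_enabled(uint64_t syscfg) {
    return (syscfg & SYSCFG_MEM_ENCRYPT_EN) != 0;
}

/* Read SYSCFG of one CPU through /dev/cpu/<n>/msr; 0 on success, -1 on failure. */
int read_syscfg(int cpu, uint64_t *out) {
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, out, sizeof *out, (off_t)SYSCFG_MSR);
    close(fd);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

/* Bare-metal kernels log "psp: TSME enabled" from the ccp driver (the dmesg line in this
 * thread); a guest kernel under Xen does not see the PSP, so absence there proves nothing. */
int dmesg_reports_tsme(const char *dmesg) {
    return strstr(dmesg, "psp: TSME enabled") != NULL;
}

int main(void) {
    uint64_t syscfg;
    if (read_syscfg(0, &syscfg) != 0) { puts("cannot read SYSCFG (root + msr module?)"); return 1; }
    printf("SYSCFG=0x%llx MemEncryptionModeEn=%d\n",
           (unsigned long long)syscfg, syscfg_mem_encrypt_enabled(syscfg));
    return 0;
}
```

Run it as root on bare-metal Linux after `modprobe msr`; the CPUID registers can be obtained with `__get_cpuid(0x8000001F, ...)` from `<cpuid.h>` or from the `cpuid` tool and fed to `decode_cpuid_8000001f`.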

I tried to boot bare-metal Linux, and it does say TSME is enabled.
[ 12.376080] ccp 0000:16:00.2: psp: TSME enabled

I don’t know if that means it is working, but I don’t see the same text in Qubes OS.

In Qubes OS the state of TSME might only be visible to the hypervisor, and it doesn’t get passed down to the guests.

2 Likes