To upgrade Insurgo Privacybeast to 4.1 or not?

In principle: yes. There are two ways:

a) in-place upgrade: will leave your drive encryption etc. in place, but is rather complex in nature and might present you with things you need to troubleshoot.

b) install from scratch: this requires an update of your heads/coreboot firmware as Insurgo themselves posted to qubes-users in October 2021

If you consider option a) you might want to give it a try. However PLEASE make sure you have a full backup BEFORE doing anything! If you are interested in option b) you could either try to build and flash a newer heads firmware yourself, or follow @KarlinQubes advice and contact Thierry. He does provide a lot of contact options on his main web page. It is likely that he is preparing a build and page with instructions for existing users.

I think you do not have a very clear idea of what it is Insurgo is doing, however it is very well described on his page – so I will not repeat it here. Bottom-line: it’s all about the early boot phase, the heads firmware and the attestation is provides. The Qubes OS you boot into is unchanged.

If you go with “a) in-place upgrade” all you have to do is to sign the new boot files, as you have to do anyway after almost every dom0 update. You should be familiar with this process by now.

If you do a firmware upgrade to support “b) install from scratch” you will need to reset the TPM and seed new secrets (not a big deal and can be done using the firmware’s UI).

That’s exactly how it works. You load the ROM file onto a USB drive and flash it from within the heads UI.

1 Like