TPM 1.2 required for Anti-Evil-Maid?

qubes-for-newbs · April 15, 2021, 2:41pm

Hello people,

I’m a beginner with qubes but want to learn. I hope my question has merit.

Currently I am looking for laptop and stumbled upon many newer configurations. Most of them have TPM 2.0. But I would need TPM 1.2 to achieve Anti-Evil-Maid. Right? Edit: I’ve found it out. Yes, TPM 1.2 is needed with Qubes 4.0. This feature-request github QubesOS/qubes-issues/issues/6015 mentions it.
So if the desired isn’t capable of downgrading to 1.2 it wouldn’t work right?

And specifically talking about Dell Laptops, I think this is the list where we can check TPM 1.2 support correct?

https://www.dell.com/support/kbdoc/en-uk/000103639/how-to-troubleshoot-and-resolve-common-issues-with-tpm-and-bitlocker#TPM_models

Or probably this list: https://www.dell.com/support/kbdoc/en-uk/000132583/dell-systems-that-can-upgrade-from-tpm-version-1-2-to-2-0

qubes-for-newbs · April 16, 2021, 7:44am

I’ve found it out. Yes, TPM 1.2 is needed with Qubes 4.0 and below. This feature-request mentions it:

github.com/QubesOS/qubes-issues

[contribution] TPM2-TOTP

opened 06:42AM - 23 Aug 20 UTC

JarrahG

T: enhancement security P: default community dev S: needs review hardware support C: contrib package

**The problem you're addressing (if any)** QubesOS currently has no method for …AEM like boot integrity attestation on UEFI or TPM 2.0 systems. This package, along with some configuration could form the start of such a solution. **Where is the value to a user, and who might that user be?** This package provides a relatively simple method for creating a static root of trust in the TPM on boot. Using this (if properly configured), a user can verify that the firmware, bootloader and kernel have not been modified. This package forms the core of this function. **Describe alternatives you've considered** QubesOS AEM. However, this system supports neither UEFI nor TPM 2.0 **Relevant [documentation](https://www.qubes-os.org/doc/) you've consulted** https://www.qubes-os.org/doc/anti-evil-maid/ **Package** A first draft of the package can be found here: https://github.com/JarrahG/Qubes-TPM2-TOTP This is my first time contributing a package to Qubes. I'm not exactly sure how to integrate it with the Qubes build system. Any advice here would be greatly appreciated. The upstream of the package is located here: https://github.com/tpm2-software/tpm2-totp

fiftyfourthparallel · April 16, 2021, 10:11am

This reply came a bit late, but TPM 1.2 is the only TPM version that works with AEM. Modern machines with TPM 2.0 aren’t compatible. One solution is to get a desktop motherboard with AEM support and then go buy a TPM 1.2 module.

It seems the Qubes team is working with OSResearch on a successor to AEM called SafeBoot that would obviate the need for TPM 1.2. More in this thread: Verified boot on Qubes -- a lofty dream? - #19 by fiftyfourthparallel