TPM 1.2 required for Anti-Evil-Maid?

Hello people,

I’m a beginner with qubes but want to learn. I hope my question has merit.

Currently I am looking for laptop and stumbled upon many newer configurations. Most of them have TPM 2.0. But I would need TPM 1.2 to achieve Anti-Evil-Maid. Right? Edit: I’ve found it out. Yes, TPM 1.2 is needed with Qubes 4.0. This feature-request github QubesOS/qubes-issues/issues/6015 mentions it.
So if the desired isn’t capable of downgrading to 1.2 it wouldn’t work right?

And specifically talking about Dell Laptops, I think this is the list where we can check TPM 1.2 support correct?


https://www.dell.com/support/kbdoc/en-uk/000103639/how-to-troubleshoot-and-resolve-common-issues-with-tpm-and-bitlocker#TPM_models

Or probably this list: https://www.dell.com/support/kbdoc/en-uk/000132583/dell-systems-that-can-upgrade-from-tpm-version-1-2-to-2-0

I’ve found it out. Yes, TPM 1.2 is needed with Qubes 4.0 and below. This feature-request mentions it:

1 Like

This reply came a bit late, but TPM 1.2 is the only TPM version that works with AEM. Modern machines with TPM 2.0 aren’t compatible. One solution is to get a desktop motherboard with AEM support and then go buy a TPM 1.2 module.

It seems the Qubes team is working with OSResearch on a successor to AEM called SafeBoot that would obviate the need for TPM 1.2. More in this thread: Verified boot on Qubes -- a lofty dream? - #19 by fiftyfourthparallel

2 Likes