Using Qubes without Heads

Has probably been asked a lot but didn’t see a dedicated post. Short and sweet - noob to Qubes and noob in general (however this noob is patient and willing to struggle). If looking at an NV41, should this person opt in for Heads or stick with EDK-II? Not a high threat model. I see warnings about Heads being for advanced users, but if it’s a lot ‘better’ and a noob is willing to learn, would you suggest them just going straight with Heads or stick with coreboot, EDK? I’m leaning towards no-go on Heads but want to hear your thoughts!

1 Like

Stick with EDK-II and wait for them to support Boot Guard.

Heads isn’t “better” by any stretch of imagination. It does not work against a physical attacker with a programmer. It is impossible for it to protect against that threat.

2 Likes

Thanks Tommy!

Using EDK2 with coreboot vboot, it tells you if the firmware can be verified with the expected signing key.

vboot does not tell you if /boot has been modified; /boot is an unencrypted partition, and only Heads has the feature that verifies /boot.

1 Like

Where can I read more about this (how it is useful for Qubes, when it’s coming to Heads, etc.)?