Verified boot on Qubes -- a lofty dream?

Lately I’ve been re-examining my reasons for using Chrome OS despite the privacy concerns (Google per se isn’t in my threat model, but that doesn’t mean I want to feed them everything) and found my biggest reason is its use of verified boot, which ensures that only signed and approved code is executed. The root of this trust (not sure if correct terminology) is in a ROM.

When combined with powerwash and a small attack surface, this means that even if malicious actors do somehow punch through the system, persistence is almost impossible to maintain against someone who diligently reboots, which is trivial given how quickly the system starts up.

One of the things that disappointed me most when first using Qubes was that Anti Evil Maid only supported machines with TPM 1.2 and not the newer TPM 2.0. This means the vast majority of recent machines don’t support it, and getting a fresh (not second-hand) machine is hard and getting harder as time goes by.

On top of that, AEM is a weaker variant of secure/verified boot. This is something that probably can never be fixed until there are official Qubes PC vendors because it’s an issue of installing or distributing hardware roots of trust, as well as other issues, based on my limited technical understanding.

I believe Qubes is highly secure, but it can be so much more resilient both online and off with the addition of something akin to verified boot, or just a maintained, updated, accessible version of AEM. It’d make me less anxious about the underlying Xen getting somehow corrupted and staying that way.

Here’s a technical slideshow on Verified Boot (Chrome OS) by a Google dev (PDF).


Purism are developing Pureboot, a complete secured boot process, for their devices. I am not sure how well it works with Qubes OS, but I also hope to use it some day. There is a discussion on their forums about it, but it has not progressed very far yet.

Upd: Here, they say it works fine already: Librem V4, Qubes, Heads and Librem Key - Librem Key - Purism community.

Upd2: Discussion of the Purism company was shifted to a separate topic: Discussion on Purism.


15 posts were merged into an existing topic: Discussion on Purism

Topics were split as the discussion widely diverged to critiques and appraisals of Purism.

It used to be that any mention of Purism would have folk frothing at the mouth - happy days.
Undoubtedly they have leveraged misdirection and overpromising into what looks like a reasonable company - I wouldn’t touch them.

As to OP’s question, you do know about AEM? And Heads? Both work with Qubes at the moment - what more would you be looking for?


Yes, I know about Heads and AEM. In my OP I was bemoaning the fact that AEM is only available to machines with TPM 1.2, which is outdated. Heads is even more restrictive, having been tested only on a few models (x230, Librem series, and a single outdated Chromebook) and has Coreboot compatibility as a prerequisite. The community can’t stick with x230s indefinitely, and Purism as a company is less than completely trustworthy (see discussions in thread).


This thread is somewhat entertaining and I’d like for it to go on (it also helps increase visibility of the post, which is nice), but it’s definitely not about verified boot on Qubes anymore.

Can existing threads be split? If so, may I request that a mod split the thread at one of the earlier points where the conversation became dominated by discussions about Purism?

P.S. According to Liam Gray in a relevant thread, Trammell Hudson is working on AEM for TPM 2.0.

@amosbatto @unman @fsflover @JTeller3 I would ask the participants to please stick to the topic at hand: verified boot on Qubes.

I’ve had to split and untangle the threads (which wasn’t easy and certainly was not a perfect job, but I got to it too late).


Correction: The link I posted earlier is to a thread about making Safeboot work on Qubes, not about updating AEM to support TPM 2.0. Though I think it’s fair for Qubes users to use ‘AEM’ as an umbrella term for boot security/attestation, they’re not strictly the same. Safeboot is boot security, while AEM is boot integrity attestation. According to the word of Joanna, the former only allows signed code to execute, while the latter merely authenticates the machine to the user: one is a gatekeeper, the other is just an informer. Safeboot is a more relaxed version of Heads, also developed by osresearch, with its stated goal being “to work with existing commodity hardware and UEFI SecureBoot mechanisms, as well as relatively stock Linux distributions.” It trades strictness and freedom (lack of blobs) for wider compatibility.

Marmarek has stated that the team hopes to integrate Safeboot at some point. Meanwhile, there’s work on updating AEM to support TPM 2.0 here. I’m not well-read in boot security (I’m not technical) but it looks like AEM and Safeboot are mutually exclusive in that you can’t have both on the same system, so it seems the Qubes team is moving away from AEM.

Can vm-boot-protect by @tasket be described as “Safeboot for individual qubes”?
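The gatekeeper/informer distinction drawn above, as an added toy simulation (not code from the Qubes project, AEM, Safeboot or this thread): verified boot checks each stage's signature before running it and halts on the first bad one, while measured boot runs everything, folds each stage's hash into a PCR-like register, and an AEM-style check only reveals a user-chosen secret when that register matches the expected value. The boot stages, the vendor key (an HMAC standing in for a real asymmetric signature) and the secret phrase are all constructed for this example.

```python
import hashlib
import hmac

# Constructed sample boot chain: (stage name, stage code). Not real firmware.
STAGES = [
    ("bootloader", b"bootloader-v1"),
    ("hypervisor", b"xen-v1"),
    ("dom0-kernel", b"dom0-kernel-v1"),
]
# Hypothetical vendor signing key; HMAC stands in for a public-key signature.
VENDOR_KEY = b"vendor-signing-key"
# Constructed user-chosen phrase that an AEM-style informer would reveal.
USER_SECRET = "my-tulips-are-blooming"


def sign(code: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, code, hashlib.sha256).digest()


def verified_boot(stages, sigs):
    """Gatekeeper: verify each stage before it runs; stop at the first bad one.
    Returns (booted, name_of_rejected_stage_or_None)."""
    for (name, code), sig in zip(stages, sigs):
        if not hmac.compare_digest(sign(code), sig):
            return False, name
    return True, None


def measured_boot(stages) -> bytes:
    """Informer: every stage runs regardless; each one is hashed and
    'extended' into a PCR-like register (pcr = H(pcr || H(stage)))."""
    pcr = b"\x00" * 32
    for _, code in stages:
        pcr = hashlib.sha256(pcr + hashlib.sha256(code).digest()).digest()
    return pcr


def attest(pcr: bytes, expected_pcr: bytes, secret: str):
    """AEM-style reveal: the secret sealed to the expected PCR value is shown
    only if the measured chain matches; otherwise the user sees nothing."""
    return secret if hmac.compare_digest(pcr, expected_pcr) else None


def tampered_chain(stages):
    """Constructed attack scenario: the hypervisor stage has been modified."""
    return [(n, b"xen-evil" if n == "hypervisor" else c) for n, c in stages]


if __name__ == "__main__":
    good_sigs = [sign(code) for _, code in STAGES]
    print(verified_boot(STAGES, good_sigs))                    # (True, None)
    print(verified_boot(tampered_chain(STAGES), good_sigs))    # (False, 'hypervisor')
    golden = measured_boot(STAGES)
    print(attest(measured_boot(tampered_chain(STAGES)), golden, USER_SECRET))  # None
```

The tampered machine still boots under measured boot; the only signal is the missing secret, which is exactly why the post above calls AEM an informer rather than a gatekeeper.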


Purism CSO said today it also works with Qubes 4.1 on their Librem 14 (for those who trust Purism of course):

Chrome OS reference is very funny!

Around 2009 I got into Chrome machine conversions because they were getting hacked 3-5 times a week. If you see a Chrome Box with many USBs, it was sold as “secure” teleconference equipment for 16k (including a 10 year subscription and some external equipment). The price went up to 25k two years ago.

Google was OK and fixed most hacks within 24 hours at Reboot. Some took as long as 72.

If you are a business this is not good enough and you try to get rid of the equipment. One place decided to convert it to Fedora and block IME and other hardware changes. From a money point of view it was insane. The customer is always right and a bunch of people did the changes. When the equipment was reconnected all the Android phones’ mikes were turned on with some sound checks from the ringing of VOIP landlines… Let’s stop the story here.

I use the purism mini v1 with pureboot and the librem key tamper evident system, and it works perfectly. I would have wanted a more powerful desktop CPU but I guess I will have to wait for that one. I hope purism will release a desktop system with pureboot in the coming years.

Heads and AEM are not verified boot like in ChromeOS or macOS. They seem more of an attestation.