Re: [qubes-users] Re: Intel TXT advice

Sun, 13 Nov 2016 19:05:01 -0800 

On 11/13/2016 08:36 PM, Eric wrote:

On Sunday, November 13, 2016 at 5:01:59 PM UTC-8, entr0py wrote:

Eric:

Just bought a laptop with a Skylake processor for running Qubes, and from 
looking around on Intel's website it appears that no Skylake Core-branded 
processors support Intel TXT. Any point in running Anti-Evil-Maid at this 
point? Can I use a YubiKey to store hashes of the xen/initramfs and use that 
for AEM? (probably not, since it's a USB device?)


I was just looking around for information on AMT/ME a minute ago. It appears 
that some Skylake Core i5/i7's do support TXT. (On their website, TXT might 
fall under the umbrella of vPro.)

https://en.wikipedia.org/wiki/List_of_Intel_Core_i5_microprocessors#Skylake_microarchitecture_.286th_generation.29_2
https://en.wikipedia.org/wiki/List_of_Intel_Core_i7_microprocessors#Skylake_microarchitecture_.286th_generation.29_2

Yes, I misspoke. It appears that the processor/chipset on the computer I 
purchased does not have/support vPro or TXT (though Intel ME is apparently 
disabled, which is a win, I guess?). So hard to find something that checks all 
the boxes for me. My threat model currently doesn't include Evil Maids, so I'm 
probably ok. Shame, though. Hopefully it doesn't close the door on Qubes 4 
compatibility. (It does have SLAT and VT-(d/x).
I hate to point this out now, but AEM is kind of a misnomer. It can alert you to tampering from *either* physical or remote attacks. So anyone who wants to guard against a remote exploit that can also priv escalate against Xen--and from there possibly infect firmware or boot device--would benefit from using AEM.
When I last shopped around, I was under the impression that TXT was tied to AMT/ME/Vpro as a package. 

Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b2cf9650-6292-dd13-1a22-aad60ecb8d9f%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Reply via email to