On Wednesday, August 2, 2017 at 3:15:26 AM UTC+2, Jean-Philippe Ouellet wrote:
> On Tue, Aug 1, 2017 at 7:50 PM, cooloutac <raahe...@gmail.com> wrote:
> > Qubes doesn't support secure boot unfortunately.  I think it's batshit crazy 
> > to consider a pc even reasonably secure without it.
> 
> Secure boot in reality is quite far from the boot chain panacea its
> name may suggest.
> 
> If you haven't already, I'd suggest reading Joanna's "Intel x86
> considered harmful" paper [1] and checking out Trammell Hudson's Heads
> project [2].
> 
> FWIW, the systems I currently believe have the most secure boot chains
> do not involve UEFI at all.
> 
> Regards,
> Jean-Philippe
> 
> [1]: https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf
> [2]: http://osresearch.net/

Hello,

I do understand using secureboot is not the perfect way but it's not always 
possible to achieve this.

What we have is a custom BIOS that implements a nailed down version of 
secureboot where we control the secure boot databases, so that should reduce 
the risk of a 3rd party allowing software that we don't want to.

All that needs to be done from Qubes side to accommodate this is to make sure 
the EFI executables are signed and to make sure the certificate for the public 
key is available. Once this is done we can add this to our database and we can 
leave secureboot enabled when we use Qubes.

So basically my question to the Qubes maintainers is if they will be supporting 
this scenario at any point in time. If not we are forced to create another 
scenario.

Thanks in advance for your cooperation,

Wim Vervoorn
