On Saturday, August 26, 2017 at 11:39:23 AM UTC-4, 
cybe...@national.shitposting.agency wrote:
> Does Qubes offer a method of securing /boot? Not just against USB evil maid 
> attacks, but from tampering in general?
> 
> For example, while a laptop is off, what would stop a malicious user from 
> live booting to an arbitrary distro and altering kernel or Xen images located 
> on the unencrypted /boot partition?
> 
> Does Qubes offer options for encrypting /boot?

This is one reason dual booting is not recommended. There is not much you can 
do. Maybe disable external boot in BIOS and make a BIOS password and lock the 
case? Don't think that would matter though for remote attacks if dom0 is 
compromised. Also won't matter if your system has ME/vPro enabled, because then 
an attacker wouldn't need any OS at all to compromise the BIOS or /boot.

Although not all, I still think secure boot is the answer for a lot of these 
types of situations. It's so beneficial even Richard Stallman said it's OK to use 
as a security feature in its current state. Even the closed source proprietary 
argument doesn't make any sense anymore regarding secure boot. Why some people 
are still against it I'm not sure.

I don't think AEM is a good alternative at all. I keep feeling like we should 
be able to do both. Joanna's argument against secure boot relates to driver 
signing, which secure boot can verify, and how we have to trust whoever is 
running the sort of certificate authority.

But I'm already trusting SSL certs all over the web, which is a lot worse. I 
still think it's better than nothing. I think the real issue is that secure 
boot is probably very complicated to implement and the ITL team have other 
priorities.

I'm not trying to have privacy as much from the government, as I am security 
from everyone else.
