Re: [qubes-users] Choosing between TPM or ME removal

2018-03-22 Thread cooloutac
On Tuesday, March 20, 2018 at 6:51:24 AM UTC-4, awokd wrote:
> On Mon, March 19, 2018 5:03 pm, Giulio wrote:
> 
> > In summary,
> > are the TPM benefits enough to force me to keep the ME? I know this may be
> > more subjective depending on everyone's own threat model but I would like
> > to hear opinions on it.
> 
> Like you said, depends on threat model. TPM would allow you to use
> Anti-Evil Maid in Qubes, which helps prevent local tampering with the
> device. There are some other measures that can also help deter local
> tampering such as keeping GRUB/boot off local storage or SED (depending
> how much you trust your manufacturer's implementation).
> 
> ME with AMT and known and potentially more unknown exploits permits
> remote/network tampering with the device. ME without AMT and unknown
> exploits may also permit remote/network tampering or escalations of
> privilege. Since the source code is closed, there's no way for an end-user
> to be sure.

It doesn't actually "prevent" tampering. Just notifies you if something
changed. And if it was compromised the only solution is to buy a new PC.

Any board that lets you flash firmware from the OS is exploitable remotely.
Which is pretty much all of them. Unless you have a board with secure boot,
secure flash, or a board with a jumper to prevent flashing.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/139eecab-cabf-417d-9c3e-065290c6c749%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
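The "notifies you if something changed" behaviour described above is a measured-boot comparison: the TPM records what ran at boot in its PCRs and a tool compares them with a saved baseline. The following is an added example (not code from the thread, Qubes or Anti-Evil Maid) that parses the Linux TPM 1.2 PCR dump and reports which boot PCRs differ from a baseline; the sysfs path and the sample PCR values are assumptions/constructed.

```python
# Added example: detect a changed measured-boot state by comparing TPM 1.2
# PCR values against a saved baseline (detection only; nothing is prevented).
import re
from pathlib import Path

# Linux exposes TPM 1.2 PCRs as lines "PCR-00: 3A 3F ... " (20 hex bytes).
# Assumed path; it differs between kernel versions.
PCRS_PATH = Path("/sys/class/tpm/tpm0/pcrs")
_LINE = re.compile(r"^PCR-(\d{2}):\s*((?:[0-9A-Fa-f]{2}\s*)+)$")


def parse_pcrs(text: str) -> dict:
    """Parse the sysfs PCR dump into {index: lowercase hex digest}."""
    pcrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised PCR line: {line!r}")
        digest = m.group(2).replace(" ", "").lower()
        if len(digest) != 40:  # TPM 1.2 PCRs hold a SHA-1 digest
            raise ValueError(f"PCR-{m.group(1)} is not 20 bytes")
        pcrs[int(m.group(1))] = digest
    return pcrs


# PCRs covering firmware and boot loader on a TPM 1.2 PC client:
# 0 BIOS code, 1 BIOS config, 2/3 option ROMs, 4/5 boot loader (IPL) code/config.
BOOT_PCRS = (0, 1, 2, 3, 4, 5)


def changed_pcrs(baseline: dict, current: dict, watch=BOOT_PCRS) -> list:
    """Watched PCR indices whose value differs from the baseline; a PCR
    missing from either side counts as changed."""
    return [i for i in watch if baseline.get(i) != current.get(i)]


# Constructed sample: a saved baseline and a later reading in which PCR-04
# (boot loader measurement) differs, as it would after the boot code changed.
SAMPLE_BASELINE = "\n".join(
    f"PCR-{i:02d}: " + " ".join(f"{(i * 7 + j) % 256:02X}" for j in range(20)) + " "
    for i in range(24))
SAMPLE_CURRENT = SAMPLE_BASELINE.replace("PCR-04: 1C 1D", "PCR-04: FF 1D")

if __name__ == "__main__":
    base = parse_pcrs(SAMPLE_BASELINE)
    cur = parse_pcrs(PCRS_PATH.read_text()) if PCRS_PATH.exists() else parse_pcrs(SAMPLE_CURRENT)
    diff = changed_pcrs(base, cur)
    print("boot measurements match baseline" if not diff else f"CHANGED PCRs: {diff}")
```

On a real machine the baseline would be taken once after a trusted boot and stored off the device (or sealed to the TPM), since a baseline kept on the same disk can be rewritten along with the boot code.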


Re: [qubes-users] Choosing between TPM or ME removal

2018-03-20 Thread 'awokd' via qubes-users
On Mon, March 19, 2018 5:03 pm, Giulio wrote:

> In summary,
> are the TPM benefits enough to force me to keep the ME? I know this may be
> more subjective depending on everyone's own threat model but I would like
> to hear opinions on it.

Like you said, depends on threat model. TPM would allow you to use
Anti-Evil Maid in Qubes, which helps prevent local tampering with the
device. There are some other measures that can also help deter local
tampering such as keeping GRUB/boot off local storage or SED (depending
how much you trust your manufacturer's implementation).

ME with AMT and known and potentially more unknown exploits permits
remote/network tampering with the device. ME without AMT and unknown
exploits may also permit remote/network tampering or escalations of
privilege. Since the source code is closed, there's no way for an end-user
to be sure.




[qubes-users] Choosing between TPM or ME removal

2018-03-19 Thread Giulio

Hello,

I have been using Qubes 4 on a ThinkPad X220 and it runs very well.
Unfortunately, my model is the one with the i7 which is not very well
tested/supported by coreboot and I failed multiple times while trying to
flash it.


So I had to keep the original BIOS but at least I removed the ME
sections and set the disable bit using me_cleaner. The problem is that
this operation makes the TPM non-functioning for the operating system:
it is impossible to take ownership.


In the future I'll try to only set the disable bit without removing the
sections and some other combinations of that, but in case the TPM will
still not work I'm wondering if I should reflash the original BIOS. In
summary, are the TPM benefits enough to force me to keep the ME?
I know this may be more subjective depending on everyone's own threat
model but I would like to hear opinions on it.

