-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Mon, Aug 01, 2016 at 12:41:06AM +0200, Stephen Moreno wrote: > Hi, > > I'm looking to build a new desktop system for Qubes. In an ideal world I would > use a motherboard with a Libreboot open source BIOS, however this is currently > not practical. > > I am therefore intending to use a motherboard with an AMD AM3 chipset, to at > least avoid the AMD PSP and Intel ME technologies. This would either contain a > proprietary legacy BIOS or a newer UEFI BIOS. My question is, what would be > most preferable for a secure Qubes system? > > It is my current understanding that once a legacy BIOS has finished > initializing the hardware, it hands off to the OS and no longer executes. In > contrast, a UEFI BIOS has runtime services that continue to execute while the > OS is running.
No, it isn't true - legacy BIOS can also be executed while the OS is running, as part of SMM: https://en.wikipedia.org/wiki/System_Management_Mode So there is no difference here. > I was therefore coming to the conclusion that if the BIOS was compromised (and > it could potentially be compromised before I received it), then a system that > could only run a legacy BIOS would be preferable, as it could theoretically do > less damage. > > The Wikipedia page on UEFI also states, “UEFI can support remote diagnostics > and repair of computers, even with no operating system installed”. (https:// > en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface) > This has me further concerned about UEFI in a proprietary form. > > Are there any benefits of a UEFI BIOS that would outweigh my concerns? > > Any input on this topic would be much appreciated. I think it doesn't really matter from security point of view. Either legacy or UEFI BIOS can contain bugs fatal to the system security. On the other hand, many UEFI BIOSes contains bugs affecting Qubes OS. Legacy BIOSes also have bugs, but those are much older and already have workarounds in Xen/Linux. In addition, Anti Evil Maid (which can detect some firmware modifications) isn't compatible with UEFI. In short: choose legacy BIOS (or at least a BIOS with legacy boot mode), for better Qubes OS support. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJXoQiqAAoJENuP0xzK19cs+7kIAIsFxRsVyQEFkFKFBvSjVSDF 5626k5Q1U/Jq6dyfAVXeRbqYTdaFg8cS0P+QtbIZKDAoXitQr7Xrs0LxQx5HNRey cO3Ywx2u8Y3oc3ATRSysueqtZvFFWQVKn3FCOvoe4vts2bPpY+Odh5HdmzkLanPG OF38lfX6OTiS9NScj/119yJ9mWQCI9QIyYQBhj3NFndzx5OPCrjQNOUqj1YYCkpd ygJiCD31CCAKzKxIqYualJY0nU1vS8jh3DYiJMVujo8qMn7/E8a3LSZRaGwr0Rmw qUQFjhliaJUhSa4f0jXmFOZZKqxaHOxbaynE5uXfFF3GBzFiziAMb9VjI3bOwKw= =ds13 -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20160802205505.GG32095%40mail-itl. For more options, visit https://groups.google.com/d/optout.
