On Wednesday, August 2, 2017 at 3:15:26 AM UTC+2, Jean-Philippe Ouellet wrote:
> On Tue, Aug 1, 2017 at 7:50 PM, cooloutac <raahe...@gmail.com> wrote:
> > Qubes doesn't support secure boot unfortunately. I think it's batshit crazy
> > to consider a pc even reasonably secure without it.
> Secure boot in reality is quite far from the boot chain panacea its
> name may suggest.
> If you haven't already, I'd suggest reading Joanna's "Intel x86
> considered harmful" paper [1] and checking out Trammell Hudson's Heads
> project [2].
> FWIW, the systems I currently believe have the most secure boot chains
> do not involve UEFI at all.
> [1]: https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf
> [2]: http://osresearch.net/

I do understand using secureboot is not the perfect way but it's not always
possible to achieve this.

What we have is a custom bios that implements a nailed down version of
secureboot where we control the secure boot databases, so that should reduce
the risk of a 3rd party allowing software that we don't want to.

All that needs to be done from Qubes side to accommodate this is to make sure
the EFI executables are signed and to make sure the certificate for the public
key is available. Once this is done we can add this to our database and we can
leave secureboot enabled when we use Qubes.

So basically my question to the Qubes maintainers is if they will be supporting
this scenario at any point in time. If not we are forced to create another
Thanks in advance for your cooperation,