On Wednesday, August 2, 2017 at 3:15:26 AM UTC+2, Jean-Philippe Ouellet wrote:
> On Tue, Aug 1, 2017 at 7:50 PM, cooloutac <raahe...@gmail.com> wrote:
> > Qubes doesn't support secure boot unfortunately.  I think its batshit crazy 
> > to consider a pc even reasonably secure without it.
> Secure boot in reality is quite far from the boot chain panacea its
> name may suggest.
> If you haven't already, I'd suggest reading Joanna's "Intel x86
> considered harmful" paper [1] and checking out Trammell Hudson's Heads
> project [2].
> FWIW, the systems I currently believe have the most secure boot chains
> do not involve UEFI at all.
> Regards,
> Jean-Philippe
> [1]: https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf
> [2]: http://osresearch.net/


I do understand using secureboot is not the perfect way but it's not always 
possible to achieve this.

What we have is a custom bios that implements a nailed down version of 
secureboot where we control the secure boot databases, So that should reduce 
the risk of a 3rd party allowing software that we don't want to.

All that needs to be done from Qubes side to accomodate this is to make sure 
the efi executable are signed and the make sure the ceriticate for the public 
key is available. Once this is done we can add this to our database and we can 
leave secureboot enable when we use Qubes.

So basically my question to the Qubes maintainers is if they will be supporting 
this scenario at any point in time. If not we are forced to create another 

Thanks in advance for your cooperation,

Wim Vervoorn

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to