On Tuesday, August 29, 2017 at 7:16:16 PM UTC-4, steve.coleman wrote:

> If your laptop contains an active TPM and a TCG Opal 2.0 compliant SED (SSD or spinning platter) drive, then you can create a range, install the bootstrap/OS, and then mark that range as read-only.
>
> After doing that *nothing* will be able to write to that area without the password unlocking that range first, even Dom0 root user, but then it will also need to be unlocked using that same password at the appropriate moment during any update to the bootstrap/Xen code during appropriate Dom0 updates. This same range can also protect the partition table, MBR, and boot menu, etc. Multiple ranges can be set with different attributes/encryption keys.
>
> The tool you would need for doing this is "msed" (name given in my fedora distro) or "sedutil" (from the drive trust alliance) which allows you to talk to the drive via sata (not usb afaik) to encrypt or protect defined ranges that you set up.
>
> Just be careful to learn/test on a test system, because if you create an encrypted range everything previously there disappears instantly, including partitions. It's the world's fastest way I know to completely wipe a drive, flip one bit in the key, poof. Like magic. You can always reset back to the factory default erasing everything on the drive.
>
> Calculate your ranges, partition, set up encryption ranges, and install stuff, then finally mark your /boot range as read-only. Don't encrypt your /boot or you will need to install Pre-Boot-Authentication (PBA) and supply a password at boot time.
>
> Sedutil source and docs
> https://github.com/Drive-Trust-Alliance
This is interesting. I suppose this would be a way to secure your system, and then you could add AEM over it? That way you are using the security features of the hardware, but not trusting them.
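The "calculate your ranges, set them up, then mark /boot read-only" procedure from the quoted post, as an added example that is not code from the original post or from the sedutil project. It assumes the sedutil-cli subcommands documented by the Drive Trust Alliance (--query, --initialSetup, --setupLockingRange, --enableLockingRange, --setLockingRange, --listLockingRanges), a constructed layout of 512-byte LBAs with a 1 GiB /boot starting at LBA 2048 on /dev/sda, and the admin password supplied via $SED_PASSWORD. It only prints the plan; nothing touches a drive unless the operator runs the printed lines on a test system.

```shell
#!/bin/sh
# Added example, not from the original post or from sedutil.
# Plans an Opal locking range that covers the MBR/partition table and
# /boot, to be enabled and then set read-only as the quoted post describes.
# Constructed assumptions: 512-byte LBAs, /boot at LBA 2048, /boot = 1 GiB,
# drive /dev/sda, admin password in $SED_PASSWORD (never hard-coded here).

# Convert a size in MiB to a count of LBAs of the given size in bytes.
mib_to_lba() {
    echo $(( $1 * 1024 * 1024 / $2 ))
}

# Geometry for one range starting at LBA 0 (so the MBR/GPT and boot menu
# are inside it) and ending at the end of /boot.
# Args: boot_start_lba boot_size_mib lba_bytes  ->  "start length"
boot_range_geometry() {
    boot_len=$(mib_to_lba "$2" "$3")
    echo "0 $(( $1 + boot_len ))"
}

# Print the sedutil-cli steps for range 1. Note that --setupLockingRange
# re-keys the range, so anything already stored in it is gone (the
# "poof" from the quoted post); run this only before installing.
# Args: device start_lba length_lba
plan_boot_range() {
    dev=$1; start=$2; len=$3
    cat <<EOF
# 1. confirm the drive reports Opal 2.0 Locking support before anything else
sedutil-cli --query $dev
# 2. take ownership of the drive (SID/Admin1 password)
sedutil-cli --initialSetup "\$SED_PASSWORD" $dev
# 3. define range 1 over MBR + partition table + /boot (destroys that area)
sedutil-cli --setupLockingRange 1 $start $len "\$SED_PASSWORD" $dev
# 4. turn locking on for the range, install bootloader/OS, then:
sedutil-cli --enableLockingRange 1 "\$SED_PASSWORD" $dev
# 5. mark the range read-only; use RW again only while updating /boot
sedutil-cli --setLockingRange 1 RO "\$SED_PASSWORD" $dev
# 6. verify what the drive now enforces
sedutil-cli --listLockingRanges "\$SED_PASSWORD" $dev
EOF
}

# Stand-alone run: print the plan for the constructed layout.
set -- $(boot_range_geometry 2048 1024 512)
plan_boot_range /dev/sda "$1" "$2"
```

Review the printed lines against your real partition table before running any of them, since the range start/length are in LBAs of the drive's actual sector size.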
