One can use coreboot with GRUB's kernel signing features on an
owner-controlled, non-PSP/ME PC such as the Lenovo G505 (laptop) or the KCMA-D8
(workstation). Once coreboot is working, you enable the flash write
restriction so that the firmware can't be flashed internally (an attacker would
need physical access for around 10 minutes to reflash it). This is
technically superior to "secure boot", as it is owner-controlled by you
instead of Microsoft.
You can also use AEM if you purchase the TPM accessory.
The Libre OpenPOWER9 TALOS 2 server/workstation (also owner-controlled)
features kernel signing as well, including some special sauce
from Raptor. If you have the money to buy new server/workstation-class,
professional-grade hardware, it is a good deal for what you get, and it would
last 10 years before you need to upgrade, seeing how powerful it is
(the entry-level 4-core CPU has 12 SMT threads, much better than Intel's
non-SMT hyperthreading).
As always I am more than happy to assist someone with purchasing and
configuring libre devices and the security features present.
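The GRUB half of the setup described in the post, as an added example that is not part of the original message or of any coreboot/Qubes project code: generate the grub.cfg lines that make GRUB refuse unsigned files, and sign and verify the kernel and initrd with detached GPG signatures. The key id, file paths, menu entry and root device are assumptions for illustration; the example also assumes the public key is embedded in the GRUB payload at build time (GRUB's `grub-mkstandalone --pubkey`), since `check_signatures=enforce` only trusts embedded or explicitly trusted keys.

```shell
#!/bin/sh
# Added example (not from the original post). Shows the GRUB signature
# enforcement that sits between coreboot and the kernel: with
# check_signatures=enforce, GRUB refuses to read any file (kernel, initrd,
# modules, even grub.cfg itself) that lacks a valid detached .sig from a key
# embedded in the payload. Key id and paths below are constructed assumptions.
set -eu

# Emit the grub.cfg fragment that turns enforcement on. Paths and the
# root device are placeholders; adjust to the installed system.
make_grub_cfg() {
  cat <<'EOF'
# Refuse to load anything without a valid detached signature from a trusted key.
set check_signatures=enforce

menuentry "Qubes OS (signed kernel)" {
    # Both files must have matching .sig files next to them.
    linux  /boot/vmlinuz root=/dev/mapper/qubes_dom0-root ro
    initrd /boot/initrd.img
}
EOF
}

# Create detached signatures for every file GRUB will read.
# $1 = signing key id (assumed), remaining arguments = files to sign.
sign_boot_files() {
  key="$1"; shift
  for f in "$@"; do
    gpg --batch --yes --default-key "$key" --detach-sign --output "$f.sig" "$f"
  done
}

# Re-check each file against its .sig before rebooting; returns non-zero on
# the first missing or invalid signature so a broken update is caught early.
verify_boot_files() {
  for f in "$@"; do
    [ -f "$f.sig" ] || return 1
    gpg --batch --verify "$f.sig" "$f" >/dev/null 2>&1 || return 1
  done
}

# Typical flow after installing a new kernel (key id is a placeholder):
#   sign_boot_files   0xPLACEHOLDERKEYID /boot/vmlinuz /boot/initrd.img
#   verify_boot_files /boot/vmlinuz /boot/initrd.img && echo "boot files signed"
#   make_grub_cfg > /boot/grub/grub.cfg && sign_boot_files 0xPLACEHOLDERKEYID /boot/grub/grub.cfg
```

Note that grub.cfg itself must be signed too, otherwise GRUB in enforce mode will refuse to read it; and the signing key's private half should never live on the machine whose boot chain it protects, since the point of the write-protected flash is that only physical access, not a root compromise, can change what is trusted.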
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/c317cfb0-16f5-bfad-d63c-cc5e9aa74210%40gmx.com.