On 2018-04-06 09:22, 799 wrote:
As mentioned I have also drafted a how-to to setup Coreboot on a X230, including building the pi, flashrom and extracting Blobs. My how-to is located in the Qubes Community docs. While I need to fill in some small gaps how to put the hardware parts together, all the other stuff is covered including extracting Blobs and vga.rom. The how-to is located here: https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230.md The coreboot config I have used is here: https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230-configfile
Good guide, thank you. I'm looking forward in better understanding Heads (http://osresearch.net/) and maybe adding some notes on it.
Currently i do not have a Github account set up, so i will not be able to make a pull request adding my guide. If anyone can do it would be much appreciated, otherwise i'll probably do it given some time.
I am interested in getting the best out of both worlds (Coreboot + Qubes). It seems that your approach (using GRUB) offers some benefits vs. using SeaBIOS as the boot partition can so be encrypted. Are there issues going this way? For example breaking the future upgrade ability ? It seems to me that if I run Coreboot with grub + encrypted boot, there is no need to run anti evil maid, as the boot partition can't be messed with. Is this correct?
Currently i have hardcoded the kernel version in the grub config inside the ROM. This is an ugly temporary solution as obviously even if i upgrade i'll continue to boot the old kernel by default. My idea is to modify the update script to always add/update a symlink to the newest kernel and use that naming in Grub but i have yet to look into it.
As for the AEM, i guess that if you are satisfied with your Grub config you could set the lock bits in coreboot and flash the rom as read only. Also preventing the boot of external device should be a good idea. However as far as I can understand, while this is better than the standard it doesn't really provide a valid chain of trust. There are still additional measures that can be taken like signing your kernel and using the TPM, see https://trmm.net/Heads for more deatils.
-- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to firstname.lastname@example.org. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/66f21da272ab23d0dd5373e3969c7463%40anche.no. For more options, visit https://groups.google.com/d/optout.