Nice setup. I have an 2950x under the tree waiting for qubes for my kiddo.

TPM is only used for the Anti-Evil Maid feature. You can read up on it and if 
your threat model includes such an attack or not.  Tip, the deal breaker 
decision: you loose sys-usb, USB isolation, if you enable AEM because it has to 
be attached to dom0. (Well, last I used it with R3.2 that was). My personal 
threat model are random USB sticks I use in various work a double client 
computers.  So I'd rather have the USB isolation than AEM, IMO. But each person 
should review their own threat models.  That's why we love qubes.

Tai's valid concerns is that AMD has implemented a remote system monitoring and 
maintenance utility that remote sys admins use to manage the system, same as 
Intel ME (now called vPro I think that had wider and wireless adoption).  
Intel's ME can be neutered to still pass TLS validation given the right 
hardware (or like me, disable the NIC port and change the vPro wireless device 
from 9265 to a non-vPro 9260).  However, there is no such disabling for AMD - 
mostly because no one has tried. And no, disabling it in your bios does not 
turn it off. 

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
To post to this group, send email to
To view this discussion on the web visit
For more options, visit

Reply via email to