Nice setup. I have an 2950x under the tree waiting for qubes for my kiddo. TPM is only used for the Anti-Evil Maid feature. You can read up on it and if your threat model includes such an attack or not. Tip, the deal breaker decision: you loose sys-usb, USB isolation, if you enable AEM because it has to be attached to dom0. (Well, last I used it with R3.2 that was). My personal threat model are random USB sticks I use in various work a double client computers. So I'd rather have the USB isolation than AEM, IMO. But each person should review their own threat models. That's why we love qubes.
Tai's valid concerns is that AMD has implemented a remote system monitoring and maintenance utility that remote sys admins use to manage the system, same as Intel ME (now called vPro I think that had wider and wireless adoption). Intel's ME can be neutered to still pass TLS validation given the right hardware (or like me, disable the NIC port and change the vPro wireless device from 9265 to a non-vPro 9260). However, there is no such disabling for AMD - mostly because no one has tried. And no, disabling it in your bios does not turn it off. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to firstname.lastname@example.org. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/67a8430f-067f-41fe-9e1d-ea1732406205%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.