RE: [qubes-users] UEFI secureboot issue

[Wim Vervoorn]

Hello Marek,



This is clear. Do you have any plans to do this in the future?



Best regards,



Wim Vervoorn





Van: Marek Marczykowski-Górecki<mailto:marma...@invisiblethingslab.com>
Verzonden: zaterdag 16 september 2017 00:32
Aan: Wim Vervoorn<mailto:wvervo...@eltan.com>
CC: taii...@gmx.com<mailto:taii...@gmx.com>; 
qubes-users<mailto:qubes-users@googlegroups.com>; 
raahe...@gmail.com<mailto:raahe...@gmail.com>
Onderwerp: Re: [qubes-users] UEFI secureboot issue



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Aug 15, 2017 at 07:20:01AM +, Wim Vervoorn wrote:
> Basically I am not asking for some type of religious war on Secure Boot. All 
> I am basically asking for is if the executables provided in the Qubes 
> distribution are signed and if so which keys have been used.
>
> If they are not and we should sign them ourselves (either for grub or 
> secureboot) this is good to know as well.

No, currently neither of those binaries (xen.efi, kernel, initramfs) are
signed. Only rpm packages carrying them.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJZvFTJAAoJENuP0xzK19csyYQIAJagCeOm29MPiQC8rG/tyxlA
/4OdRu/LmerqyxFW1jUjE19YeH0i+/Lr2VVOI07/NcZeEpH2VfoRmWZYeNExyH+x
FyxOBQIJjg+FyvihtHfPlGRHkRBtvAVrJcFCZgteUH5zN5fa/pY+05X3WjhnReNg
se9EQeMGY8VRyPHXxV4xKjfI77CUF6ezv4p5+1DwP3jbG/jPjFgskfUtfEHjP04N
aIpbbW204hAc4k6bWvRnGbEum+vXuYd318f8R7JzdEtJ1MVvv/DQt1JxQw8FPfUN
nLKv4tmHxqnQWIMktgqenT73t51eOFpdtEBcXnQvWk9XtiLfA8LQZ8b531ZogbU=
=CdQG
-END PGP SIGNATURE-


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1cdfa840052c4f00905bce0360c94545%40Eltsrv03.Eltan.local.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] UEFI secureboot issue

[Marek Marczykowski-Górecki]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Aug 15, 2017 at 07:20:01AM +, Wim Vervoorn wrote:
> Basically I am not asking for some type of religious war on Secure Boot. All 
> I am basically asking for is if the executables provided in the Qubes 
> distribution are signed and if so which keys have been used.
> 
> If they are not and we should sign them ourselves (either for grub or 
> secureboot) this is good to know as well.

No, currently neither of those binaries (xen.efi, kernel, initramfs) are
signed. Only rpm packages carrying them.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJZvFTJAAoJENuP0xzK19csyYQIAJagCeOm29MPiQC8rG/tyxlA
/4OdRu/LmerqyxFW1jUjE19YeH0i+/Lr2VVOI07/NcZeEpH2VfoRmWZYeNExyH+x
FyxOBQIJjg+FyvihtHfPlGRHkRBtvAVrJcFCZgteUH5zN5fa/pY+05X3WjhnReNg
se9EQeMGY8VRyPHXxV4xKjfI77CUF6ezv4p5+1DwP3jbG/jPjFgskfUtfEHjP04N
aIpbbW204hAc4k6bWvRnGbEum+vXuYd318f8R7JzdEtJ1MVvv/DQt1JxQw8FPfUN
nLKv4tmHxqnQWIMktgqenT73t51eOFpdtEBcXnQvWk9XtiLfA8LQZ8b531ZogbU=
=CdQG
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170915223137.GG15973%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] UEFI secureboot issue

[cooloutac]

On Tuesday, August 15, 2017 at 9:23:14 PM UTC-4, Wim Vervoorn wrote:
> -Original Message-
> From: taii...@gmx.com [mailto:taii...@gmx.com] 
> Sent: Tuesday, August 15, 2017 2:50 AM
> To: Wim Vervoorn <wvervo...@eltan.com>; qubes-users 
> <qubes-users@googlegroups.com>
> Cc: raahe...@gmail.com
> Subject: Re: [qubes-users] UEFI secureboot issue
> 
> Secure boot is a stupid Microsoft controlled project to eventually remove the 
> ability for commercial PC's to run non windows operating systems.
> 
> SB 1.0 specs mandate owner controlled (an option to shut it off), SB2.0 
> doesn't and PC's built to that spec such as the Windows 10 ARM PC's and MS's 
> "signature series" PC's prevent you from installing non microsoft operating 
> systems.
> 
> "Secure" boot is simply a marketing name for kernel code signing, you can 
> easily do this with coreboot and a grub payload (grub supports kernel 
> signing).
> 
> SB doesn't stop virii as that wasn't what it was designed to do, preventing 
> rootkits from modding the kernel is irrelevant as you can simply change 
> another critical system file of which there are many on windows.
> 
> Kernel code signing is only useful in an AEM context with an encrypted 
> filesystem but unencrypted kernels.
> 
> I myself have a variety of owner controlled fully libre firmware devices such 
> as the KGPE-D16 and KCMA-D8 asus motherboards, those two are the only ones 
> that offer full libre functionality along with high performance - they also 
> run qubes great - having 32 cores and 128GB ram is excellent for it.
> Please note these are the only owner controlled devices that support
> v4.0 (purism isn't owner controlled and their firmware isn't and can't ever 
> be open source) Another neat feature is an addon user configurable CRTM TPM 
> module (very rare).
> 
> As always I offer free tech support for libre motherboards if you wish to buy 
> one.
> 
> **
> 
> Hello,
> 
> Basically I am not asking for some type of religious war on Secure Boot. All 
> I am basically asking for is if the executables provided in the Qubes 
> distribution are signed and if so which keys have been used.
> 
> If they are not and we should sign them ourselves (either for grub or 
> secureboot) this is good to know as well.
> 
> Best regards,
> 
> Wim Vervoorn

If you get it to work, I'm sure alot of users would love a tutorial if you have 
the time.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2c9cbfb4-cd7b-40de-aa3e-7ff5e9387e07%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] UEFI secureboot issue

[cooloutac]

I'm glad Bruce Schneier changed his tune and is no longer encouraging kids to 
learn how to hack in live environments,  cause I think that breeds sociopaths, 
and is dangerous. (and we are living in an epidemic)

Now he has to stop calling secure boot security theater,  because alot of 
people seem to believe it and take his word like gospel.

Is protecting the bios from rootkits its intended purpose?  seems so?, it helps 
anyways, and it definitely was intended to protect the firmware.  Its not just 
kernel code signing,  its driver code too.

I would add also make a password on your bios obviously,  and enable flash 
protections.

I don't even think most the ITL members use aem, it sounds complicated and 
buggy and I can't afford to buy new hardware if it red flags anyways. 


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e40699c5-cdd1-48c7-864c-074f8f79b08c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] UEFI secureboot issue

[cooloutac]

One of the reasons I liked Qubes,  is first of all it seems like the ITL people 
use it for their daily personal use.  Its more then a fanatical hobby for them. 
 Thats number one.

Number two, They have a respected reputation in the industry.

3.  they don't seem to get involved in industry politics or get very emotional 
or tied to any status quos or value assumptions.   They seem to care only about 
the code and whats practical for Qubes and nothing else seems to phase them.  
Almost robot like.


All that being said we don't know if they are controlled by a nefarious 
government or not.  Joanna always gets flak for saying that herself.  SO 
nothing can be 100% trusted.  ever.  But compared to the alternatives...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8ec56d01-680f-4476-8939-9ada536a843b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] UEFI secureboot issue

[cooloutac]

On Monday, August 14, 2017 at 8:50:20 PM UTC-4, tai...@gmx.com wrote:
> Secure boot is a stupid Microsoft controlled project to eventually 
> remove the ability for commercial PC's to run non windows operating systems.
> 
> SB 1.0 specs mandate owner controlled (an option to shut it off), SB2.0 
> doesn't and PC's built to that spec such as the Windows 10 ARM PC's and 
> MS's "signature series" PC's prevent you from installing non microsoft 
> operating systems.
> 
> "Secure" boot is simply a marketing name for kernel code signing, you 
> can easily do this with coreboot and a grub payload (grub supports 
> kernel signing).
> 
> SB doesn't stop virii as that wasn't what it was designed to do, 
> preventing rootkits from modding the kernel is irrelevant as you can 
> simply change another critical system file of which there are
> many on windows.
> 
> Kernel code signing is only useful in an AEM context with an encrypted 
> filesystem but unencrypted kernels.
> 
> I myself have a variety of owner controlled fully libre firmware devices 
> such as the KGPE-D16 and KCMA-D8 asus motherboards, those two are the 
> only ones that offer full libre functionality along with high 
> performance - they also run qubes great - having 32 cores and 128GB ram 
> is excellent for it.
> Please note these are the only owner controlled devices that support 
> v4.0 (purism isn't owner controlled and their firmware isn't and can't 
> ever be open source)
> Another neat feature is an addon user configurable CRTM TPM module (very 
> rare).
> 
> As always I offer free tech support for libre motherboards if you wish 
> to buy one.

I have to add another thing.  Its nice to say that the motherboard firmware is 
libre,  but it makes no difference to me cause I don't have the know how to 
read or alter the code myself.

So you and Microsoft are no different to me because I still have to trust and 
rely on you because I'm just an avg noob. But IMO,  it would be more naive and 
dangerous for me to buy a board or get tech support from some random stranger 
online,  then it would be to use monitored support service by paid emplooyees, 
or a commercial product used by millions that can't be as easily altered from 
its factory state. (minus gov't backdoors) I hope you don't take offense.

 I mean the whole argument for libre and open source is having more eyes on the 
code.But what people don't understand is "eyes on the code" encompasses 
many things.  Microsoft for example has "more eyes on the code" for the simple 
fact its more widely used and more widely targeted by attackers.  But its not a 
security focused os unfortunately.  Also,  are we talking about good eyes or 
evil eyes?  IMO, this aint the 90s anymore and evil eyes are the wide majority 
now.  Even linus torvalds has changed his tune past couple years.

And I have to put this out there,  guys like Linus Torvalds, or Brad Spengler,  
would never use linux at home for their family or personal use.   They use 
windows.  I kid you not.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d27a6908-06ab-4e98-9a1a-4d8bb859dbd9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] UEFI secureboot issue

[cooloutac]

On Wednesday, August 16, 2017 at 10:18:34 AM UTC-4, cooloutac wrote:
> On Monday, August 14, 2017 at 8:50:20 PM UTC-4, tai...@gmx.com wrote:
> > Secure boot is a stupid Microsoft controlled project to eventually 
> > remove the ability for commercial PC's to run non windows operating systems.
> > 
> > SB 1.0 specs mandate owner controlled (an option to shut it off), SB2.0 
> > doesn't and PC's built to that spec such as the Windows 10 ARM PC's and 
> > MS's "signature series" PC's prevent you from installing non microsoft 
> > operating systems.
> > 
> > "Secure" boot is simply a marketing name for kernel code signing, you 
> > can easily do this with coreboot and a grub payload (grub supports 
> > kernel signing).
> > 
> > SB doesn't stop virii as that wasn't what it was designed to do, 
> > preventing rootkits from modding the kernel is irrelevant as you can 
> > simply change another critical system file of which there are
> > many on windows.
> > 
> > Kernel code signing is only useful in an AEM context with an encrypted 
> > filesystem but unencrypted kernels.
> > 
> > I myself have a variety of owner controlled fully libre firmware devices 
> > such as the KGPE-D16 and KCMA-D8 asus motherboards, those two are the 
> > only ones that offer full libre functionality along with high 
> > performance - they also run qubes great - having 32 cores and 128GB ram 
> > is excellent for it.
> > Please note these are the only owner controlled devices that support 
> > v4.0 (purism isn't owner controlled and their firmware isn't and can't 
> > ever be open source)
> > Another neat feature is an addon user configurable CRTM TPM module (very 
> > rare).
> > 
> > As always I offer free tech support for libre motherboards if you wish 
> > to buy one.
> 
> Stopped reading past your first sentence, because reality has already proven 
> that wrong.

ok I read on lol...My raspberry pi is an arm processor, its running linux.

Easy do a secureboot with coreboot he says.  Ya i'm sure we can all easily do 
that. /sarcasm   

You say preventing modifications to the kernel is irrelevant.  Which means you 
are failing to understand that the operating system is irrelevant.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4f1e496c-2f41-4ba1-9e43-bcccde39bacc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] UEFI secureboot issue

[cooloutac]

On Monday, August 14, 2017 at 8:50:20 PM UTC-4, tai...@gmx.com wrote:
> Secure boot is a stupid Microsoft controlled project to eventually 
> remove the ability for commercial PC's to run non windows operating systems.
> 
> SB 1.0 specs mandate owner controlled (an option to shut it off), SB2.0 
> doesn't and PC's built to that spec such as the Windows 10 ARM PC's and 
> MS's "signature series" PC's prevent you from installing non microsoft 
> operating systems.
> 
> "Secure" boot is simply a marketing name for kernel code signing, you 
> can easily do this with coreboot and a grub payload (grub supports 
> kernel signing).
> 
> SB doesn't stop virii as that wasn't what it was designed to do, 
> preventing rootkits from modding the kernel is irrelevant as you can 
> simply change another critical system file of which there are
> many on windows.
> 
> Kernel code signing is only useful in an AEM context with an encrypted 
> filesystem but unencrypted kernels.
> 
> I myself have a variety of owner controlled fully libre firmware devices 
> such as the KGPE-D16 and KCMA-D8 asus motherboards, those two are the 
> only ones that offer full libre functionality along with high 
> performance - they also run qubes great - having 32 cores and 128GB ram 
> is excellent for it.
> Please note these are the only owner controlled devices that support 
> v4.0 (purism isn't owner controlled and their firmware isn't and can't 
> ever be open source)
> Another neat feature is an addon user configurable CRTM TPM module (very 
> rare).
> 
> As always I offer free tech support for libre motherboards if you wish 
> to buy one.

Stopped reading past your first sentence, because reality has already proven 
that wrong.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7ec9347e-b9c8-4cc9-b7d1-b6469949f462%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

RE: [qubes-users] UEFI secureboot issue

[Wim Vervoorn]

-Original Message-
From: taii...@gmx.com [mailto:taii...@gmx.com] 
Sent: Tuesday, August 15, 2017 2:50 AM
To: Wim Vervoorn <wvervo...@eltan.com>; qubes-users 
<qubes-users@googlegroups.com>
Cc: raahe...@gmail.com
Subject: Re: [qubes-users] UEFI secureboot issue

Secure boot is a stupid Microsoft controlled project to eventually remove the 
ability for commercial PC's to run non windows operating systems.

SB 1.0 specs mandate owner controlled (an option to shut it off), SB2.0 doesn't 
and PC's built to that spec such as the Windows 10 ARM PC's and MS's "signature 
series" PC's prevent you from installing non microsoft operating systems.

"Secure" boot is simply a marketing name for kernel code signing, you can 
easily do this with coreboot and a grub payload (grub supports kernel signing).

SB doesn't stop virii as that wasn't what it was designed to do, preventing 
rootkits from modding the kernel is irrelevant as you can simply change another 
critical system file of which there are many on windows.

Kernel code signing is only useful in an AEM context with an encrypted 
filesystem but unencrypted kernels.

I myself have a variety of owner controlled fully libre firmware devices such 
as the KGPE-D16 and KCMA-D8 asus motherboards, those two are the only ones that 
offer full libre functionality along with high performance - they also run 
qubes great - having 32 cores and 128GB ram is excellent for it.
Please note these are the only owner controlled devices that support
v4.0 (purism isn't owner controlled and their firmware isn't and can't ever be 
open source) Another neat feature is an addon user configurable CRTM TPM module 
(very rare).

As always I offer free tech support for libre motherboards if you wish to buy 
one.

**

Hello,

Basically I am not asking for some type of religious war on Secure Boot. All I 
am basically asking for is if the executables provided in the Qubes 
distribution are signed and if so which keys have been used.

If they are not and we should sign them ourselves (either for grub or 
secureboot) this is good to know as well.

Best regards,

Wim Vervoorn

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fad326868c7e42219681d63feb020859%40Eltsrv03.Eltan.local.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] UEFI secureboot issue

[taii...@gmx.com]

Secure boot is a stupid Microsoft controlled project to eventually 
remove the ability for commercial PC's to run non windows operating systems.


SB 1.0 specs mandate owner controlled (an option to shut it off), SB2.0 
doesn't and PC's built to that spec such as the Windows 10 ARM PC's and 
MS's "signature series" PC's prevent you from installing non microsoft 
operating systems.


"Secure" boot is simply a marketing name for kernel code signing, you 
can easily do this with coreboot and a grub payload (grub supports 
kernel signing).


SB doesn't stop virii as that wasn't what it was designed to do, 
preventing rootkits from modding the kernel is irrelevant as you can 
simply change another critical system file of which there are

many on windows.

Kernel code signing is only useful in an AEM context with an encrypted 
filesystem but unencrypted kernels.


I myself have a variety of owner controlled fully libre firmware devices 
such as the KGPE-D16 and KCMA-D8 asus motherboards, those two are the 
only ones that offer full libre functionality along with high 
performance - they also run qubes great - having 32 cores and 128GB ram 
is excellent for it.
Please note these are the only owner controlled devices that support 
v4.0 (purism isn't owner controlled and their firmware isn't and can't 
ever be open source)
Another neat feature is an addon user configurable CRTM TPM module (very 
rare).


As always I offer free tech support for libre motherboards if you wish 
to buy one.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5954f0ad-5a54-31d1-af3a-601b7c16b363%40gmx.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] UEFI secureboot issue

[wvervoorn]

On Wednesday, August 2, 2017 at 3:15:26 AM UTC+2, Jean-Philippe Ouellet wrote:
> On Tue, Aug 1, 2017 at 7:50 PM, cooloutac  wrote:
> > Qubes doesn't support secure boot unfortunately.  I think its batshit crazy 
> > to consider a pc even reasonably secure without it.
> 
> Secure boot in reality is quite far from the boot chain panacea its
> name may suggest.
> 
> If you haven't already, I'd suggest reading Joanna's "Intel x86
> considered harmful" paper [1] and checking out Trammell Hudson's Heads
> project [2].
> 
> FWIW, the systems I currently believe have the most secure boot chains
> do not involve UEFI at all.
> 
> Regards,
> Jean-Philippe
> 
> [1]: https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf
> [2]: http://osresearch.net/

Hello,

Suppose I want to create a secure boot chain in another way how do I do this 
for Qubes? As far as I can deduct from the security documents the packages are 
signed but the individual executables are not. Is this correct or am I making a 
mistake here?

Thanks

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ab043313-f9f3-4808-97fa-721fc454678d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] UEFI secureboot issue

[cooloutac]

On Tuesday, August 1, 2017 at 9:15:26 PM UTC-4, Jean-Philippe Ouellet wrote:
> On Tue, Aug 1, 2017 at 7:50 PM, cooloutac  wrote:
> > Qubes doesn't support secure boot unfortunately.  I think its batshit crazy 
> > to consider a pc even reasonably secure without it.
> 
> Secure boot in reality is quite far from the boot chain panacea its
> name may suggest.
> 
> If you haven't already, I'd suggest reading Joanna's "Intel x86
> considered harmful" paper [1] and checking out Trammell Hudson's Heads
> project [2].
> 
> FWIW, the systems I currently believe have the most secure boot chains
> do not involve UEFI at all.
> 
> Regards,
> Jean-Philippe
> 
> [1]: https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf
> [2]: http://osresearch.net/

That sounds insane, what systems are those?   Yes Joanna started saying things 
Richard Stallman had been saying for years.  But its Still just alot of "what 
ifs"...

In reality, and what we know as true facts, and what is,   is that secure boot 
stops attacks like hacking teams insyde bios exploit. Nothing else would.  And 
yes these things can happen remotely, physical access is not required. An OS 
probably isn't even required.  Even Richard Stallman has changed his tune and 
says secure boot is ok to use in its current state as a security feature. He 
half halfheartedly admits he was wrong by saying Microsoft failed its intended 
purpose.  So any FSF hippie nut still preaching against secure boot is just a 
hater.  A hater of microsoft, a hater of redhat,  and someone who doesn't want 
to admit they were wrong.
 I think its insane to call any system even reasonably secure,without secure 
boot.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/42a48f49-907d-4433-a300-84ac64d48c3c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] UEFI secureboot issue

[wvervoorn]

On Wednesday, August 2, 2017 at 3:15:26 AM UTC+2, Jean-Philippe Ouellet wrote:
> On Tue, Aug 1, 2017 at 7:50 PM, cooloutac  wrote:
> > Qubes doesn't support secure boot unfortunately.  I think its batshit crazy 
> > to consider a pc even reasonably secure without it.
> 
> Secure boot in reality is quite far from the boot chain panacea its
> name may suggest.
> 
> If you haven't already, I'd suggest reading Joanna's "Intel x86
> considered harmful" paper [1] and checking out Trammell Hudson's Heads
> project [2].
> 
> FWIW, the systems I currently believe have the most secure boot chains
> do not involve UEFI at all.
> 
> Regards,
> Jean-Philippe
> 
> [1]: https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf
> [2]: http://osresearch.net/

Hello,

I do understand using secureboot is not the perfect way but it's not always 
possible to achieve this.

What we have is a custom bios that implements a nailed down version of 
secureboot where we control the secure boot databases, So that should reduce 
the risk of a 3rd party allowing software that we don't want to.

All that needs to be done from Qubes side to accomodate this is to make sure 
the efi executable are signed and the make sure the ceriticate for the public 
key is available. Once this is done we can add this to our database and we can 
leave secureboot enable when we use Qubes.

So basically my question to the Qubes maintainers is if they will be supporting 
this scenario at any point in time. If not we are forced to create another 
scenario.

Thanks in advance for your cooperation,

Wim Vervoorn

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a6841f46-f202-413e-93e8-db23604a3844%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] UEFI secureboot issue

[Jean-Philippe Ouellet]

On Tue, Aug 1, 2017 at 7:50 PM, cooloutac  wrote:
> Qubes doesn't support secure boot unfortunately.  I think its batshit crazy 
> to consider a pc even reasonably secure without it.

Secure boot in reality is quite far from the boot chain panacea its
name may suggest.

If you haven't already, I'd suggest reading Joanna's "Intel x86
considered harmful" paper [1] and checking out Trammell Hudson's Heads
project [2].

FWIW, the systems I currently believe have the most secure boot chains
do not involve UEFI at all.

Regards,
Jean-Philippe

[1]: https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf
[2]: http://osresearch.net/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_C1sdiKTX6e6ik_popWiZGFycxxTEvO7W4QHYsXccjWtw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] UEFI secureboot issue

[cooloutac]

Qubes doesn't support secure boot unfortunately.  I think its batshit crazy to 
consider a pc even reasonably secure without it.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/923ca02b-d750-45a6-8a45-375e7052dfc8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

RE: [qubes-users] UEFI secureboot issue

[Wim Vervoorn]

Hello,

I would like to use Qubes on a UEFI system with secure boot enabled.

Until now this fails with a security violation.

I assume this is because the Qubes efi application is not signed by the 
"microsoft-uefica"  key. 

We can of course make it boot by adding the hash of the loader to the UEFI "db" 
but we don't like to do this because we would need to do this again if a change 
is made. We assume you also signed the laoder with an appropriate key but I 
have not been able to find the certificate of the public key so I can add this 
to the "db" database and allow all efi binaries that are released by Qubes. Can 
you tell me where I can find that and share it with me?


Best Regards,
Wim Vervoorn

Eltan B.V.
Ambachtstraat 23
5481 SM Schijndel
The Netherlands

T : +31-(0)73-594 46 64
E : wvervo...@eltan.com
W : http://www.eltan.com

"THIS MESSAGE CONTAINS CONFIDENTIAL INFORMATION. UNLESS YOU ARE THE INTENDED 
RECIPIENT OF THIS MESSAGE, ANY USE OF THIS MESSAGE IS STRICTLY PROHIBITED. IF 
YOU HAVE RECEIVED THIS MESSAGE IN ERROR, PLEASE IMMEDIATELY NOTIFY THE SENDER 
BY TELEPHONE +31-(0)73-5944664 OR REPLY EMAIL, AND IMMEDIATELY DELETE THIS 
MESSAGE AND ALL COPIES." 



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2a5bc82b17ab42088013f3373f3a56c7%40Eltsrv03.Eltan.local.
For more options, visit https://groups.google.com/d/optout.