Hi,

I'm looking to build a new desktop system for Qubes. In an ideal world I would use a motherboard with a Libreboot open source BIOS, however this is currently not practical.

I am therefore intending to use a motherboard with an AMD AM3 chipset, to at least avoid the AMD PSP and Intel ME technologies. This would either contain a proprietary legacy BIOS or a newer UEFI BIOS. My question is, what would be most preferable for a secure Qubes system?

It is my current understanding that once a legacy BIOS has finished initializing the hardware, it hands off to the OS and no longer executes. In contrast, a UEFI BIOS has runtime services that continue to execute while the OS is running.

I was therefore coming to the conclusion that if the BIOS was compromised (and it could potentially be compromised before I received it), then a system that could only run a legacy BIOS would be preferable, as it could theoretically do less damage.

The Wikipedia page on UEFI also states, “UEFI can support remote diagnostics and repair of computers, even with no operating system installed”. (https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface)
This has me further concerned about UEFI in a proprietary form.

Are there any benefits of a UEFI BIOS that would outweigh my concerns?

Any input on this topic would be much appreciated.
