Qubes: Anti Evil Maid (AEM): improved TPM support

Anti Evil Maid is an implementation of a TPM-based dynamic (Intel TXT) trusted boot for dracut/initramfs-based OSes (Fedora, Qubes, etc.) with a primary goal to prevent Evil Maid attacks. In short, AEM relies on TPM and a feature found in Intel’s vPro CPUs (TXT) to detect tampering of various boot components.
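As an added illustration, not code from the AEM project (which is dracut shell scripting driving the real TPM): a Python model of why a modified boot component gets detected. Each measured component is extended into a PCR, the AEM secret is sealed to the expected PCR value at provisioning time, and a tampered initramfs therefore produces a different PCR so unsealing fails. The component bytes, the secret and the key derivation below are constructed stand-ins; a real TPM/TXT sealing uses hardware-protected keys.

```python
import hashlib

# Constructed stand-ins for the boot components AEM measures (sample bytes only).
GOOD_BOOT = [b"xen.gz", b"vmlinuz", b"initramfs.img", b"xen.cfg kernel=..."]
EVIL_BOOT = [b"xen.gz", b"vmlinuz", b"initramfs.img + keylogger", b"xen.cfg kernel=..."]
SECRET = b"purple unicorn 42"   # the AEM secret shown to the user on a clean boot

PCR_INIT = b"\x00" * 20  # TPM 1.2 PCRs are 20-byte SHA-1 registers


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA1(PCR_old || SHA1(component)). Order matters, no reset."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components) -> bytes:
    pcr = PCR_INIT
    for c in components:
        pcr = extend(pcr, c)
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Model of TPM_Seal: the secret is bound to a PCR value chosen at provisioning."""
    keystream = hashlib.sha256(b"demo-srk|" + expected_pcr).digest()  # constructed key
    assert len(secret) <= len(keystream)
    blob = bytes(s ^ k for s, k in zip(secret, keystream))
    return {"pcr": expected_pcr, "blob": blob}


def unseal(sealed: dict, current_pcr: bytes):
    """Model of TPM_Unseal: refuse unless the current PCR equals the sealed one."""
    if current_pcr != sealed["pcr"]:
        return None
    keystream = hashlib.sha256(b"demo-srk|" + current_pcr).digest()
    return bytes(b ^ k for b, k in zip(sealed["blob"], keystream))


def provision() -> dict:
    # Done once on a known-good boot: seal the secret to that boot's measurements.
    return seal(SECRET, measure_boot(GOOD_BOOT))


def boot_and_verify(sealed: dict, components):
    """Returns the secret if the boot chain is unchanged, else None (tampering detected)."""
    return unseal(sealed, measure_boot(components))


if __name__ == "__main__":
    sealed = provision()
    print("clean boot :", boot_and_verify(sealed, GOOD_BOOT))
    print("evil maid  :", boot_and_verify(sealed, EVIL_BOOT))
```

Because the extend operation is one-way and order-sensitive, an attacker who replaces a component cannot steer the PCR back to the sealed value, which is the property AEM relies on.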

Even if you don’t use Qubes, this is a good read:

[…] To recap — you need to fully trust:
* CPU (Intel, since we’re depending on TXT)
   + sometimes over-optimizes for performance at the cost of security, see eg. Meltdown/Spectre, cache attacks against SGX enclaves, …
* TPM (various vendors)
   + few known attacks sniffing and injecting commands on the LPC bus; differential power analysis; buggy RSA key generation code
   + note that any potential TPM exploits (should) have no means of compromising your system directly — a TPM under attacker’s control can only be used to hide the fact that a compromise has occurred (ie. defeating the whole AEM feature)
* BIOS (a few vendors)
   + it’s full of holes!
* that the attacker cannot get physically inside your laptop without you noticing (see the glitter hint above)
[…]

https://github.com/QubesOS/qubes-antievilmaid/commit/da6c1bacfe5f8864e08efcf7903f9867d40629b3
https://github.com/QubesOS/qubes-antievilmaid
https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html

QubesOS, Invisible Things Lab, and Purism

Purism ships the Debian-derived PureOS, and used to ship QubesOS. Now, Qubes is not really an option. I don’t know the full story; the posts below give some background.

https://groups.google.com/forum/#!topic/qubes-users/2GfyEz0eYCE

https://puri.sm/posts/2017-07-shipping-update-for-qubes-orders/

https://forums.puri.sm/t/no-longer-listed-on-the-qubes-websites-certification-page/1050/5

https://www.qubes-os.org/news/2015/12/09/purism-partnership/

https://www.qubes-os.org/doc/certified-hardware/#qubes-certified-laptops

https://www.qubes-os.org/doc/system-requirements/

https://www.qubes-os.org/hcl/

https://web.archive.org/web/20170506112157/https://www.qubes-os.org/doc/certified-laptops/

Qubes 3.0-RC2 released

Today the Qubes OS project released v3.0 release candidate 2.

They ALSO created a new Twitter feed, @QubesOS.

Qubes is a Linux distribution created by Invisible Things Lab (ITL), a security research firm that specializes in hardware/firmware security. Qubes uses virtualization technology to isolate processes from each other in ways that help increase security.

“There have been no new features in this release compared to Qubes 3.0-rc1 that we released in April, only bugfixes. Although Qubes 3.0-rc2 is a major improvement over Qubes 3.0-rc1, there are still some issues to be resolved – check the “Known Issues” section of the installation guide. Qubes 3.0.0 will follow soon (coming weeks), together with 3.1-rc1 that is currently being merged (and which is bringing a bunch of cool new features, as discussed in the previous announcement).”

More Information:

https://groups.google.com/forum/#!topic/qubes-devel/jw9CdQepMPE
http://blog.invisiblethings.org/2015/04/23/qubes-30rc1-and-roadmap.html
https://www.qubes-os.org/doc/QubesDownloads/