Secure Boot Violation

[Ulrich Windl]

I just discovered that Qubes OS 4.3 is not ready for secure boot, and even if I don't have Microsoft's latest certificates installed.
Is this expected? Most modern hardware comes with secure boot enabled these days.

Kind regards,
Ulrich

[Shuos Jedao]

Hi Ulrich,

Indeed, secure boot is not supported by Qubes OS 4.3, nor any prior
version to my knowledge, mainly because it is not supported by Xen; but
also because secure boot is not an amazing system. Quoting the Heads
developer:
"What's wrong with UEFI Secure Boot?
Can't audit it, signing keys are controlled by vendors, doesn't handle
hand off in all cases, depends on possible leaked keys."

If you want an alternative, you have Heads
(https://trmm.net/Heads/,https://osresearch.net/) or Anti evil maid
(https://doc.qubes-os.org/en/latest/user/security-in-qubes/anti-evil-maid.html#anti-evil-maid-aem).

You may want to check the following:
-
https://doc.qubes-os.org/en/latest/introduction/faq.html#is-secure-boot-supported
-
https://forum.qubes-os.org/t/is-it-possible-to-enable-uefi-secure-boot-in-qubes-os/1640


Kindly,
Shuos Jedao

Encrypt and sign your emails!
You can check my PGP keys at https://keys.openpgp.org