Choosing between TPM or ME removal

Giulio

Mar 19, 2018, 1:03:16 PM3/19/18
to qubes-users
Hello,

I have been using Qubes 4 on a ThinkPad X220 and it runs very well.
Unfortunately, my model is the one with the i7, which is not very well
tested/supported by coreboot, and I failed multiple times while trying to
flash it.

So I had to keep the original BIOS, but at least I removed the ME
sections and set the disable bit using me_cleaner. The problem is that
this operation makes the TPM non-functioning for the operating system:
it is impossible to take ownership.

In the future I'll try to only set the disable bit without removing the
sections, and some other combinations of that, but in case the TPM will
still not work I'm wondering if I should reflash the original BIOS. In
summary, are the TPM benefits enough to force me to keep the ME?
I know this may be more subjective depending on everyone's own threat
model, but I would like to hear opinions on it.

awokd

Mar 20, 2018, 6:51:24 AM3/20/18
to Giulio, qubes-users
On Mon, March 19, 2018 5:03 pm, Giulio wrote:

> In summary,
> are the TPM benefits enough to force me to keep the ME? I know this may be
> more subjective depending on everyone's own threat model but I would like
> to hear opinions on it.

Like you said, depends on threat model. TPM would allow you to use
Anti-Evil Maid in Qubes, which helps prevent local tampering with the
device. There are some other measures that can also help deter local
tampering, such as keeping GRUB/boot off local storage or SED (depending
on how much you trust your manufacturer's implementation).

ME with AMT and known and potentially more unknown exploits permits
remote/network tampering with the device. ME without AMT and unknown
exploits may also permit remote/network tampering or escalations of
privilege. Since the source code is closed, there's no way for an end-user
to be sure.


cooloutac

Mar 22, 2018, 9:11:26 AM3/22/18
to qubes-users

It doesn't actually "prevent" tampering. Just notifies you if something changed. And if it was compromised the only solution is to buy a new pc.

Any board that lets you flash firmware from the O/S is exploitable remotely. Which is pretty much all of them. Unless you have a board with secure boot, secure flash, or a board with a jumper to prevent flashing.
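The mechanism the two replies above are talking about, a TPM-backed Anti-Evil Maid that detects (rather than prevents) a changed boot chain, as an added toy model in Python. This is not code from the thread, from Qubes AEM, or from any TPM library; it assumes a simplified SHA-256 PCR extend (PCR = H(PCR || H(component)), starting from zero) and a sealing scheme in which the secret is only released when the measured chain reproduces the PCR value it was sealed against. The boot component names, the secret phrase and the function names are constructed for the example; a real TPM keeps the sealing key inside the chip and enforces the PCR policy in hardware, whereas here the PCR value itself acts as the key.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

PCR_SIZE = 32  # one SHA-256 PCR, all zeros at reset (toy model assumption)

# Constructed sample boot chain, in boot order: firmware, bootloader, hypervisor, dom0 kernel.
GOOD_CHAIN = [b"bios-image", b"grub-stage", b"xen-hypervisor", b"dom0-kernel"]
# Same chain with a modified bootloader, standing in for an "evil maid" edit.
TAMPERED_CHAIN = [b"bios-image", b"grub-modified", b"xen-hypervisor", b"dom0-kernel"]
SECRET = b"my AEM secret phrase"  # constructed; AEM shows a secret only on a trusted boot


def measure(component: bytes) -> bytes:
    """Hash one boot component before handing control to it."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: PCR = H(PCR || digest). One-way and order-dependent."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(chain: List[bytes]) -> bytes:
    """Extend every component of the chain, in order, into a single PCR."""
    pcr = bytes(PCR_SIZE)
    for component in chain:
        pcr = extend(pcr, measure(component))
    return pcr


def _policy(pcr: bytes) -> bytes:
    # Public commitment to the expected PCR value; stored with the blob.
    return hashlib.sha256(b"toy-seal-policy:" + pcr).digest()


def _keystream(pcr: bytes) -> bytes:
    # Derived from the PCR value, which is never stored: reproducing it
    # requires booting the exact chain the secret was sealed to.
    return hashlib.sha256(b"toy-seal-key:" + pcr).digest()


def seal(secret: bytes, pcr: bytes) -> Tuple[bytes, bytes]:
    """Bind a short secret to a PCR value. Returns (policy, ciphertext)."""
    if len(secret) > PCR_SIZE:
        raise ValueError("toy model seals at most 32 bytes")
    ciphertext = bytes(s ^ k for s, k in zip(secret, _keystream(pcr)))
    return _policy(pcr), ciphertext


def unseal(blob: Tuple[bytes, bytes], pcr: bytes) -> Optional[bytes]:
    """Release the secret only if the current PCR matches the sealed policy."""
    policy, ciphertext = blob
    if not hmac.compare_digest(_policy(pcr), policy):
        return None  # boot chain differs from the one the secret was sealed to
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(pcr)))


def aem_verdict(chain: List[bytes], blob: Tuple[bytes, bytes]) -> str:
    """What the user sees at boot: the secret (trusted) or nothing (tampered)."""
    return "trusted" if unseal(blob, measured_boot(chain)) is not None else "tampered"


if __name__ == "__main__":
    blob = seal(SECRET, measured_boot(GOOD_CHAIN))
    print("good chain:    ", aem_verdict(GOOD_CHAIN, blob))
    print("modified grub: ", aem_verdict(TAMPERED_CHAIN, blob))
    # Reordering components also changes the PCR, so the extend is order-sensitive.
    print("reordered:     ", aem_verdict(list(reversed(GOOD_CHAIN)), blob))
```

Running it shows `trusted` for the chain the secret was sealed to and `tampered` for both the modified and the reordered chains, which is the "just notifies you" behaviour described above: the sealed secret fails to appear, but nothing stops the altered firmware from having already run.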
