TPM settings for Qubes OS
126 views
Skip to first unread message
Harold Smith
Apr 25, 2020, 8:09:46 PM4/25/20
to qubes-users
Hello, I'm getting ready to Intall Qubes onto a machine, I can't find any information about TPM settings, apart from that TPM is required.
wanting to install onto Dell laptop, in BIOS I have enabled/activated TPM security, when I did, other options came up, they are as follows.
TPM ACPI support
TPM PPI deprovison overide
TPM PPI provision overide.
Just wanting to know about these settings in relation to Qubes.
There is also the matter of virtualization support, I enabled VT Direct I/O and "intel virtualization technology", which I believe are VT-x and VT-d according to what I've read, in the virtualization menu there is also an option for "Trusted Execution", any information about what is necessary to install and run qubes properly regarding these options would be apprreciated.
Thanks for anything.
Harold Smith
Apr 26, 2020, 2:42:18 AM4/26/20
to qubes-users
I tried an install, all was fine until what I think is the very last bit "setting up networking"....it stuck on that and wouldn't finish, no hardware activity, I left it for half an hour, nothing, I don't know what the issue is, I never had any trouble with wifi with tails, which can be tricky for some machines, so I've heard.
dhorf-hfre...@hashmail.org
Apr 26, 2020, 4:05:24 AM4/26/20
to Harold Smith, qubes-users
On Sat, Apr 25, 2020 at 05:09:46PM -0700, Harold Smith wrote:
> Hello, I'm getting ready to Intall Qubes onto a machine, I can't find any
> information about TPM settings, apart from that TPM is required.
where did you get that impression?
> Hello, I'm getting ready to Intall Qubes onto a machine, I can't find any
> information about TPM settings, apart from that TPM is required.
qubes doesnt use a TPM, much less require one.
> and "intel virtualization technology", which I believe are VT-x and VT-d
SLAT (vt-x with ept) is required, IOMMU (vt-d) is strongly recommended.
> option for "Trusted Execution", any information about what is necessary to
named "anti evil maid".
safely using AEM requires a somewhat detailed technical understanding
of how it works, so you will have to do a day or two of reading
if you want to try it.
but it is also completely optional and can be en/disabled on an existing
qubes install.
if you care about boot security but dont have hardware that is supported
by AEM, you could also try something like HEADS (which has its own very
detailed hardware requirements) or a uefi-secureboot-linuxboot hybrid.
Harold Smith
Apr 26, 2020, 4:16:42 PM4/26/20
to qubes-users
Hello, thanks for thereply.
Yes, I have misread the system requirements here.
TPM and TXT were listed as required for AEM in the recommended section, so i'll disable TXT and TPM, I have vt-x with ept and vt-d and I;ll try again.
dhorf-hfre...@hashmail.org
Apr 26, 2020, 4:20:27 PM4/26/20
to Harold Smith, qubes-users
On Sun, Apr 26, 2020 at 01:16:42PM -0700, Harold Smith wrote:
> TPM and TXT were listed as required for AEM in the recommended section, so
> i'll disable TXT and TPM, I have vt-x with ept and vt-d and I;ll try again.
you can also just keep them enabled.
> TPM and TXT were listed as required for AEM in the recommended section, so
> i'll disable TXT and TPM, I have vt-x with ept and vt-d and I;ll try again.
you can use the TPM for whatever you might want to use it for,
assuming it is supported by linux.
and TXT shouldnt do anything unless you install the magic binary
intel modules in your /boot.
basicly both are "dont worry about them unless you have a use for them".
Message has been deleted
Harold Smith
Apr 26, 2020, 9:51:22 PM4/26/20
to qubes-users
Tried the install a few more times, no success, intial installation
is fine, when I select reboot after removing the install USB I get a
black screen with "Terminated" and hangs there forever, if I don't
remove it and click reboot, the same black screen with "terminated"
appears for a few seconds, then It looks like it's going back to the
install process, with "failed to load kernel modules" error at the
beginning, if I leave it running, it asks me for my encryption password
then takes me to the configuration set up, the "initial setup" where it
will spend about 10 minutes doing whonix, fedora, executing qubes
configuration, and then gets to setting up networking where it stops,
and hangs on that, there is no hardware activity at all.
I also tried this before rebooting after the installation
sed -i -e 's/^options=.*/\0 efi=attr=uc/' /mnt/sysimage/boot/efi/EFI/qubes/xen.cfg
^ didn't seem to make any difference.
Boot option show Qubes as an option, and it takes me straight back to the configuration set up again, but this time the screen is frozen
Harold Smith
Apr 26, 2020, 11:25:27 PM4/26/20
to qubes-users
Tried the same ISO with different methods of writing to USB, first with Gnome disk utilities "restore disk image' function, and last time in terminal with
"sudo dd if=Qubes-R3-x86_64.iso of=/dev/sdX bs=1048576 && sync"
Both produced exactly the same results, which is to install just fine, but then fail when rebooting/initial configuring.
I'm a bit lost so I think I'll just have to wait until the qubes install process is a bit more friendly, in maybe 10 years!!
Jarrah
Apr 27, 2020, 5:13:57 AM4/27/20
to qubes...@googlegroups.com
> "sudo dd if=Qubes-R3-x86_64.iso of=/dev/sdX bs=1048576 && sync"
> Both produced exactly the same results, which is to install just fine, but then fail when rebooting/initial configuring.
using Qubes R3? 4.0 is the current supported version and will likely
work far better.
Harold Smith
Apr 28, 2020, 12:47:48 AM4/28/20
to qubes-users
No, I did edit commands to R4.0.3 when I used them
Reply all
Reply to author
Forward
0 new messages