
Explore QubesOS AEM usb boot

Open tlaurion opened this issue 6 years ago • 10 comments

Would be nice if AntiEvilMaid could be supported from Heads, so S3 suspend and integrity validation would be implemented in QubesOS.

Requires:

tlaurion avatar Dec 28 '18 18:12 tlaurion

It would complement Heads with memory measurements within QubesOS. Not sure if it would work with coreboot though, since latest AEM requires TXT. Will give it a try. Goal of it would be to boot from USB AEM disk from Heads.

tlaurion avatar Dec 28 '18 19:12 tlaurion

from @zaolin :

Blobs of the original fw need to be extracted. So searching with UEFITool might work for retrieving the ACM. I can help with that.

tlaurion avatar Dec 28 '18 23:12 tlaurion

See this WiP branch. Unfortunately, I do not know how to extract what would be required so that SINIT would be functional.

@zaolin : ping! :)

tlaurion avatar Jan 20 '19 21:01 tlaurion

@zaolin updated:

With TXT enabled, stripping ME won't work. Use UEFITool and text search with Unicode enabled for "ACM", then extract the body.

You should be able to extract the BIOS ACM from ThinkPad vendor firmware. acminfo from the tboot tools gives you the output if chipset_acm_type equals BIOS and if the ACM is valid.

SINIT ACM != BIOS ACM

tlaurion avatar Jan 30 '19 20:01 tlaurion
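The validity check described above (is the extracted blob a well-formed Intel ACM, and is its chipset_acm_type BIOS or SINIT?), as an added Python example that is not code from this issue, Heads or tboot. The header and info-table layout it parses is assumed to be the public one from the Intel TXT software developer's guide as mirrored in tboot's acmod.h; build_fake_acm produces only a constructed, unsigned skeleton for testing.

```python
import struct

# ACM header and info table layout (assumed from the TXT SDG / tboot acmod.h, not from the issue).
ACM_HDR_FMT = "<HHIIHHIIIHHIIIIII64sII"        # fixed header up to scratch_size
ACM_HDR_FIELDS = ("module_type", "module_subtype", "header_len", "header_ver",
                  "chipset_id", "flags", "module_vendor", "date", "size", "txt_svn",
                  "se_svn", "code_control", "error_entry_point", "gdt_limit",
                  "gdt_base", "seg_sel", "entry_point", "reserved2", "key_size",
                  "scratch_size")
INFO_FMT = "<16sBBHIIIIB3s"                    # acm_info_table_t
ACM_TYPE_CHIPSET, ACM_VENDOR_INTEL = 0x02, 0x8086
ACM_INFO_UUID = bytes.fromhex("aa3ac07fa746db182eac698f8d417f5a")  # ACM_UUID_V3, little-endian
CHIPSET_ACM_TYPES = {0x00: "BIOS", 0x01: "SINIT", 0x08: "BIOS_REVOC", 0x09: "SINIT_REVOC"}


def parse_acm(blob: bytes) -> dict:
    """Sanity-check an extracted ACM blob and report the type acminfo would print."""
    if len(blob) < struct.calcsize(ACM_HDR_FMT):
        raise ValueError("blob shorter than an ACM header")
    hdr = dict(zip(ACM_HDR_FIELDS, struct.unpack_from(ACM_HDR_FMT, blob, 0)))
    if hdr["module_type"] != ACM_TYPE_CHIPSET or hdr["module_vendor"] != ACM_VENDOR_INTEL:
        raise ValueError("not an Intel chipset ACM (wrong module_type/vendor)")
    size = hdr["size"] * 4                     # size and offsets are counted in dwords
    if size > len(blob):                       # typical symptom of a truncated UEFITool extraction
        raise ValueError(f"ACM declares {size} bytes but only {len(blob)} were extracted")
    info_off = (hdr["header_len"] + hdr["scratch_size"]) * 4
    if info_off + struct.calcsize(INFO_FMT) > size:
        raise ValueError("info table lies outside the module")
    uuid, acm_type, _ver, _len, _ids, _os_ver, _mle_ver, caps, _acm_ver, _ = \
        struct.unpack_from(INFO_FMT, blob, info_off)
    if uuid != ACM_INFO_UUID:
        raise ValueError("info table UUID mismatch: not a valid ACM")
    return {"chipset_acm_type": CHIPSET_ACM_TYPES.get(acm_type, f"unknown(0x{acm_type:02x})"),
            "chipset_id": hdr["chipset_id"], "date": f"{hdr['date']:08x}",
            "txt_svn": hdr["txt_svn"], "capabilities": caps}


def build_fake_acm(acm_type: int, chipset_id: int = 0xB002) -> bytes:
    """Constructed test input: a structurally valid ACM skeleton (no real code, key or signature)."""
    header_len, scratch = 161, 143             # dword counts used by version 0.0 ACM headers
    info_off = (header_len + scratch) * 4
    total = info_off + 64
    hdr = struct.pack(ACM_HDR_FMT, ACM_TYPE_CHIPSET, 0, header_len, 0, chipset_id, 0,
                      ACM_VENDOR_INTEL, 0x20181228, total // 4, 0, 0, 0, 0, 0, 0, 0, 0,
                      b"\0" * 64, 64, scratch)
    info = struct.pack(INFO_FMT, ACM_INFO_UUID, acm_type, 3, 40, 0, 5, 0x20001, 0x2, 0, b"\0" * 3)
    return hdr.ljust(info_off, b"\0") + info.ljust(64, b"\0")
```

Run parse_acm over the body extracted with UEFITool; a ValueError on the size check usually means the extraction stopped short of the full module.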

Stripped ME seems to work with TXT. We double checked that.

zaolin avatar Feb 04 '19 21:02 zaolin

#307 would be linked indirectly to this.

tlaurion avatar Feb 08 '19 18:02 tlaurion

@zaolin how did you make it?

tlaurion avatar Feb 15 '19 06:02 tlaurion

Update from @zaolin: Waiting for Intel approval.

tlaurion avatar Mar 23 '19 18:03 tlaurion

Estimation in man-days: 15 PD

zaolin avatar Mar 27 '19 21:03 zaolin

Well, #1172 provides TXT required ACM and SINIT blobs, years later. Where to go next?

tlaurion avatar Jul 01 '22 14:07 tlaurion