UEFI Secure Boot support #602
Comments
|
Hi @osresearch, thanks for the ping! This sounds very promising and we'll follow the upstream issue with interest. We're currently tracking Qubes 4.1 support in general in #600. Since the upstream work is still pending, we would suggest that we consider UEFI SecureBoot support in that context. Does that make sense, and if so, are there other questions we can answer about the SecureDrop Workstation project in the meantime? If you'd like to speak with us synchronously, please note that we meet Monday to Thursday at 9 AM PDT / 12 PM EDT for our daily standup here, which is open for anyone to join via this link: https://meet.google.com/ekb-kkhf-mrk |
|
We should revisit this in light of recent research elsewhere. Leaving open for now, flagging @lsd-cat if they're interested :) |
I've made progress on supporting UEFI SecureBoot in Qubes 4.1(QubesOS/qubes-issues#4371 (comment)) as well as improving integration with UEFI Platform Keys, signed/immutable root filesystems, and making use of the TPM2 for disk sealing, rollback protection, attestation, etc (https://github.com/osresearch/safeboot).
I'm interested in discussing how to merge these sorts of things into SecureDrop workstation to improve the system's resilence against both software and physical attacks.
The text was updated successfully, but these errors were encountered: