From 9fff43c63e901ed5c2e3450358eb26c62b3079b1 Mon Sep 17 00:00:00 2001 From: vincentadultman Date: Mon, 2 Apr 2018 14:38:24 +0100 Subject: [PATCH] Add secure boot question As discussed in IRC with marek and h0lger. I've basically summarised what marek said during discussion / from old mailing list thread on same. There appear to be a lot of (to not put too find a point on it) crap discussion on the mailing list about secure boot which may mislead skim reading users. People often ask what binaries they need to sign, so I have included list, but it may be better to omit as we have not tested it (which I've also noted). --- about/faq.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/about/faq.md b/about/faq.md index 1481bbbc..bd995c41 100644 --- a/about/faq.md +++ b/about/faq.md @@ -546,3 +546,7 @@ This has been achieved thanks to the careful use of Xen's stub domain feature. For more details about how we improved on Xen's native stub domain use, see [here](https://blog.invisiblethings.org/2012/03/03/windows-support-coming-to-qubes.html). [force_usb2]: https://www.systutorials.com/qa/1908/how-to-force-a-usb-3-0-port-to-work-in-usb-2-0-mode-in-linux + +### Is Secure Boot supported? + +Secure Boot is not supported out of the box as UEFI support in Xen is very basic. Arguably secure boot reliance on UEFI integrity is not the best design. The relevant binaries (shim.efi, xen.efi, kernel / initramfs) are not signed by the Qubes Team and secure boot has not been tested. Intel TXT (used in [Anti Evil Maid](/doc/anti-evil-maid/)) at least tries to avoid or limit trust in BIOS.