TrenchBoot as a main provider of Anti Evil Maid for QubesOS for all x86 platforms

[miczyg1]

Is your feature request related to a problem? Please describe. Not related to a problem specifically, but widening the use of TrenchBoot.

Is your feature request related to a new idea or technology that would benefit the project? Please describe. The idea is to extend the qubes-antievilmaid to support:

• TrenchBoot as the main provider of DRTM capable software
• both TPM 1.2 and TPM 2.0
• both Intel and AMD platforms
• both UEFI and legacy boot mode

Currently, QubeOS AEM supports only Intel TXT and TPM 1.2 in legacy boot mode which significantly limits the hardware that can be used. This is a perfect hole that TrenchBoot may perfectly fill.

Describe the solution you'd like What is needed for PoC?

• [ ] Clean up the LandingZone package support for QubesOS: https://github.com/3mdeb/qubes-landing-zone/tree/lz_support (it needs renaming to SKL and probably a new release with new features)
• [ ] Rebase/refresh TrenchBoot GRUB2 for QubesOS: https://github.com/3mdeb/qubes-grub2/tree/trenchboot_support
• [ ] Add TPM1.2 support for Intel TXT
• [ ] Extend the AEM scripts to detect TPM version on the platform
• [ ] Extend the AEM scripts to use appropriate software stack for TPM 2.0 if present and include the stack in the dracut scripts
• [ ] TrenchBoot secure kernel loader will need improvements for AMD server SKUs with multiple nodes.
• [ ] Xen Secure Launch - Intel TXT support in Xen for TrenchBoot
• [ ] Test the solution on AMD and Intel hardware with TPM 2.0 and TPM1.2 with legacy boot mode

What is needed for a complete solution?

• [ ] TrenchBoot support for UEFI boot mode for AMD in GRUB and Xen. GRUB + Linux combination is rather known to work on Intel, but not on AMD.
• [ ] TrenchBoot support for UEFI boot mode in GRUB and Xen. Xen needs the UEFI Boot Services otherwise it won't boot, so it would be necessary to implement booting Xen without Boot Services.
• [ ] TrenchBoot support in GRUB2 merged upstream and shipped in a stable GRUB release
• [ ] Test the solution on AMD and Intel hardware with TPM 2.0 and TPM1.2 with legacy and UEFI boot mode

Describe alternatives you've considered None.

Additional context Some work has been done to show AEM on AMD and TPM 2.0. What has been achieved and proven to work is:

• TrenchBoot for AMD platform with former Landing Zone and GRUB with TrenchBoot support successfully booting Qubes OS.
• Successfully extended PCRs 17+ when slaunch is enabled in grub.cfg.

Rewriting the scripts to use TPM 2.0 software stack has been attempted but not finished. The effort has been presented on QubesOS and 3mdeb minisummit 2020: https://youtu.be/rM0vRi6qABE

Relevant documentation you've consulted https://github.com/QubesOS/qubes-issues/issues/6793

Proposal https://docs.dasharo.com/projects/trenchboot-aem/

[pietrushnic]

I will assign it to myself for management purposes. Next step is that 3mdeb will evaluate effort required for TrenchBoot integration in Qubes OS. We initially plan to obtain founding from NLNet and if it would be not enough look for other sources.

Deadline for NLNet proposals is 1st February 2022.

[miczyg1]

We have put up a proposal for the TrenchBoot as Anti Evil Maid provider: https://docs.dasharo.com/projects/trenchboot-aem/ Feel free to review and suggest changes, we also added a Giscus plugin to give comments under the page.