Explore QubesOS AEM usb boot

[tlaurion]

Would be nice if AntiEvilMaid could be supported from Heads, so S3 suspend and integrity validation would be implemented in QubesOS.

Requires:

• Ivy bridge SINIT under /boot

[tlaurion]

It would complement Heads with memory measurements within QubesOS. Not sure if it would work with coreboot though, since latest AEM requires TXT. Will give it a try. Goal of it would be to boot from USB AEM disk from Heads.

[tlaurion]

from @zaolin :

Blobs of the original fw needs to be extracted. So searching with Uefitool might work for retrieving the ACM. I can help with that

[tlaurion]

see This WiP branch. Unfortunately, I do not know how to extract what would be required so that SINIT would be functional.

@zaolin : ping! :)

[tlaurion]

@zaolin updated:

with TXT enabled stripping ME won't work use UEFI tool and text search with unicode enabled for "ACM" then extract the body

You should be able to extract the BIOS ACM from thinkpad vendor firmware acminfo of tboot tools gives you the output if chipset_acm_type equals BIOS and if the acm is valid

SINIT ACM != BIOS ACM

[zaolin]

Stripped ME seems to work with TXT. We double checked that.

[tlaurion]

307 would be linked indirectly to this.

[tlaurion]

@zaolin how you made it?

[tlaurion]

Update from @zaolin: Waiting from Intel approval.

[zaolin]

Estimation in man-days: 15 PD

[tlaurion]

Well, #1172 provides TXT required ACM and SINIT blobs, years later. Where to go next?