Hi! I would love to try the Pureboot functionality (Pureboot like functionality) of using a smartcard like Librem Key (or Librem Key) to verify that the notebook hasn’t been tampered by an evil maiden.
Do you know if this would work on a non Purism notebook or if there are alternatives?
How complicated would be the set-up?
How likely would be to brick the device? Let us say if I buy a brand new non-Purism notebook and brick it, it would not be cool at all.
Could this be tested on a Raspberry Pi?
Notice on the Qubes OS website, they describe a Qubes “Certified computer.”
For which there are two companies which sell, refurbished computers which are Qubes Certified. Well, that it is on the Qubes site. This is a Librem Forum after all.
If one looks at the Qubes OS Forum, there discussions about how to accomplish installing and using Heads on your own. Problem being there are only a few computers which use Heads right now. Some are quite old. Old being good in that many things are known about how to mitigate malware and other security issues. New computers with newer hardware, how can anyone know?
There are discussions on the Qubes Forum about ways to accomplish on other models of Laptop some techniques to:
Stopping the negative features of Intel Management Engine.
Anti Evil Maid, which is does something similar as Pure Boot or Heads.
There are some folks trying very hard to program Heads for other model laptops, and more recent laptop models. You can search for links to that. I have not looked in some time about how far along those efforts are. The folks who are working to accomplish Heads on more modern hardware, I think they need contributions of money. Everyone has to pay rent, food. and I hope those same type of folks have a bunch of future genius techie types underfoot in their house.
Once I went onto a Pi Forum, and asked about which model Pi I should use to Flash Heads onto on of the same model Lenovo X-230 used for a Qubes OS ‘Certified Computer.’
I was immediately banned for life.
When I asked the moderator of the PI site what I did wrong. He told me, and I paraphrase, "You are free to do whatever you want to your own hardware. But we do not allow people to encourage others to do things which might damage or brick theirs. but if I chose another login name, even if he knew it was me, I was free to be on the PI forum, so long as I understood that I could not write about Hardware Flashing and such.
NitroKey, who builds Qubes OS Certified computers, (and you don’t have to use their computers with Qubes. Just it is one recognized standard of secure hardware.) NitroKey has a Mini computer that might suffice for your use.
Some of the Laptops that have been refurbished to be Qubes Certified (have Heads) are based on what was originally Lenovo Computers, such as the Lenovo X-230. With the latest versions of Qubes, and possibly the Intel Micro-Code Security updates, these seem to have hangs. Nitro Key sells one T430 with a more advanced Processor, than the others.
The Qubes OS Forum has a number of folks who are concerned with new hardware with Heads on it, if you want to read those posts.
One of those who used to talk about how much he liked his modified T430 with that higher processor (Q, something - just look for the most expensive on the Nitro Pad site for T430),
Librem at least tries to create a laptop from Computer parts that they have at least tried to build with trustworthy parts inside. Well, that is the reason for using a really old third generation Intel processor of the Lenovo X-230, everything is known.
The value of modifying a laptop to be like the Qubes Certified, is that if one lived in country where one can not have shipped into their country a secure model laptop, or could not afford something like Librem anyway. Then it is possible for them to McGyver up their own Secure Laptop.