[Qubes] Anti Evil Maid (Librem's TPM)

Good timing!


@Kyle_Rankin unless I missed something there aren’t any links to the meat (read: code) besides counting the direct patches in https://github.com/osresearch/heads for 13v2

What’s the timeline on adopting/providing upgrades to be able to use Heads? I only just ordered a 15v3, will it make it to me already patched (or if not can I ask you guys to wait until ready)? :slight_smile:

1 Like

Will this ever work for anti-evil-maid?

It will likely just come to you with the regular coreboot. There’s still some user-facing work to be done on Heads to make it ready to be “on by default” for everyone plus software for PureOS itself to manage updates to Heads, plus a bunch of documentation work like a “user’s guide” for customers. No timeline yet but it’s being actively worked on.

1 Like

Hello, I am very interested about this thread, but not very skilled in computing. If Kyle or somebody else which is very skilled in security can answer to my question, it would be more than welcomed. I understood that :

  • TPM disables IME
  • Head works with TPM and is aimed to check the coreboot process against unauthorized access
  • Purism would like to put some of the compartmentalization features of Qubes into PureOS
  • Disk can be encrypted

Question :
How a Spectre attack can bypass all of these security features ?

Please, feel free to keep easy-wording as I am far to be an expert in computing ^^
Thank you very much for your feedback.

Hi @prog-amateur,

I’m definitely not a specialist, but here is my understanding:

  • The TPM module is a hardware module meant to allow you to check the integrity of your system. It is not related in any way with Intel ME
  • The Intel ME is disabled when you flash a recent version of coreboot issued by Purism team
  • Your disk can be encrypted, whether tou have a TPM or not and whether Intel ME is disabled or not

I think @Kyle_Rankin or others can bring much more solid and in depth info :wink:


Intel ME is a coprocessor running its own firmware on all modern Intel Chips. Because its firmware is proprietary and honestly quite scary, Purism overwrites most of it with 0’s to make sure it can’t do anything. Purism’s Coreboot also asks Intel ME not to operate, but i personally don’t trust that. If I trusted Intel ME, I would drun it without worrying.

The TPM is supposed to somehow check the integrity of our boot process.

Based on statements Purism makes, I definitely see why you think that, but no. PureOS’s “security through isolation” refers to use of AppArmor not Xen Hypervisors. Qubes uses virtual machines to provide compartmentalization, PureOS hopes to one day use AppArmor to provide some level of sandboxing. (If PureOS developer knows more about this please correct me. This is what I have picked up from reading blogs, forum posts, and phabricator.)

Disks can be encrypted with or without TPM, with or with Qubes, with or without PureOS.

A spectre attack allows local read access of privileged memory from non-privileged processess. for example, your disk encryption keys are only stored in privileged memory. Spectre (theoretically) could allow any process to read these. From there the attacker could decrypt your disks.


Thank you very much @blendergeek, @thib, it is clearer and very appreciated !

Cannot tell from the links provided earlier, but curious if anyone has been able to successfully leverage TPM with the Librem 15 v3 and Qubes 3.2?

Leverage? I checked my TPM with tpm-tools and it works just fine but without Intel TXT (CPU does not support it - indeed pretty much no not vPro CPUs do anymore) or system firmware support (Heads) that is mostly meaningless.

Wait for heads :slight_smile:
The security model/guarantees will likely not be worse than AEM

Sorry, what I meant there was “make productive use of.” But thanks for the clarification.

From what I can tell the Librem 13’s and 15’s now seem to be using TMP 1.2 from the blog post (I have yet to confirm on my own machine). Do the CPU’s on the Librem 13 v3 and 15 v3 now have TXT support? I just wanted to ask first.

OK, you’ve touched on something I don’t quite understand (this is a complicated business, folks).

The screenshot in the article you linked shows a “Heads/NERF” logo appearing in the boot process, but my Librem13v3 (purchased just a month or two ago) doesn’t display this during boot.

Is there something I need to do to enable all of this? (I understand the Librem Key doesn’t play a role…yet.)

@SteveC Librem laptops don’t ship with HEADS as the payload currently, they ship with SeaBIOS (legacy BIOS). HEADS is currently available for technical users to build/test, but it still has a ways to go before it’s ready for us to ship by default.

If you have a Librem key and are interested in checking it out, take a look at:


That explains quite a bit! Thanks!

Given how I almost fubared my Librem13 recently out of sheer ignorance, I think the better part of valor here would be to NOT muck with the way it boots. Nonetheless, I now know where the info is if I should get an attack of bravery.

Hint, hint:

If done like this, it’s available on most Linux distros, so it’s not locked to that single distro, which would be bad.

LVFS requires a binary update, whereas ours are compiled from source currently.

I just tried setting up anti evil maid on a fresh librem 15v4 running Qubes OS 4.0. Although this should just work (all necessary requirement are there), I keep getting “PCR sanitz check failed” errors. I tried it several times and my file with secrets is ,255 bytes, so this can only mean, I got the wrong SINIT file (see https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/README). I used the file for Skylake processors, which should work for it-75000U CPUs (it’s called 6th_gen_7th_gen_i5_i7-SINIT_79.bin).
Maybe the modifications by purism to the IME could have lead to the mismatch?

Does anybody know which SINIT file should be used instead?

AEM doesn’t work if the IME (which is the default in the Librems) is cleaned, maybe that’s the reason for your error message.

It is cleaned, so then it’s probably the reason. Although I don’t quite see why it shouldn’t work, if I could only get the correct SINIT file.