Will TPM + HEADS Work With Qubes 4.X?

I’ve never used a TPM system before, so I wanted to pop the question on what it really entails.

My understanding of it is really abstract.

My original understanding of TPM - I thought it just protected the system files that are “deeper” than the Operating System. The BIOS and stuff like that. I didn’t think it had much to do with the OS or anything. I figured it’s pretty autopilot and you wouldn’t need to worry about it unless you’re doing firmware updates to those kinds of components. I thought it was just something that encrypts low-level files/firmware and verifies it’s hash on every boot or… something similar to that. So I figured it requires little user-input, except when updating those types of files / firmware.

But upon reading new articles it appears that it actually does have quite a bit to do with the OS. Seems pretty interwoven really. But that also worries me because that would mean only operating systems designed to work with with it will ultimately work with it. I can’t just install any flavor of Linux I want and expect TPM to work as expected, can I?

I mean it starts to sound like it’s just a form of disk encryption - in which case I’d pop the question of “What makes TPM better than just encrypting your drive normally?”. I’m gonna guess it’s the “verification of system files” process… how does that work? Just checking hashes of critical system files on boot or something? And is that the only difference it provides over just booting from an encrypted image normally?

So I wanted to ask - will TPM + HEADS only work as intended on PureOS or something? Will it not work as intended anymore if the user formats his drive and installs Qubes 4?

I ask because that’s pretty much what I’m doing to do when I get a Purism system.

As for how I’d react to tampering - probably by just pulling off my user-directory files and reinstalling the entire system. I typically just nuke a compromised machine like that. Getting surgical with it is something I only resort to if something critical is on the machine that I can’t so easily just remove and put on a new machine elsewhere. But that’s a rare situation, usually only a problem I run into with certain kinds of pricey productivity software, which wouldn’t be on my Purism machine anyway - those are usually proprietary softwares that have to exist on a Windows machine, hah.

Bonus Question: TPM+HEADS uses an encryption passphrase or whatever, right? Is it possible to bring a yubikey into the mix to provide that password?

But yeah, lemme know what the deal is. Thanks.

Is this prompted by Kyle’s post today? https://puri.sm/posts/demonstrating-tamper-detection-with-heads/

He had an earlier post too where he mentioned Qubes https://puri.sm/posts/librem-now-most-secure-laptop-under-full-user-with-tamper-evident-features/

It’s all early to me, so I don’t know what all a TPM can do, much less what Purism will enable to do. But it does seem like it will be distro independent. Maybe just a grub boot requirement.

I am just guessing though. :confused: