/qubes-boot-verification

Verified boot hack for T480

Primary LanguageShellGNU General Public License v3.0GPL-3.0

Update 12 June 2024

With Trenchboot Anti-Evil-Maid now mostly stable (I'm unable to get PCRs 17,18,19 populated on TPM 2.0), I'm updating this repo. Someone pointed out that an attacker could still mettle with the prompt alerting a user to an unmodified boot, so please take the code and this repo as it is. For more info on TrenchBoot Anti Evil Maid - Phase 4, I've provided the most recent of their three blog-posts. No support for a UEFI, but they've hosted a nifty repo. Still, I remain opposed to downgrading zen.

Qubes OS Boot Verification Script

This script helps verify the integrity of your Qubes OS boot process using TPM 2.0 PCR values. It can be installed to automatically check for any changes in the boot process and notify the user if any are detected.

Features

  • Verifies boot process integrity using TPM 2.0 PCR values.
  • Provides notifications if the boot process changes.
  • Supports GUI and headless setups.
  • Easy installation, uninstallation, and updating of known good PCR values.

Prerequisites

  • Qubes OS
  • TPM 2.0 enabled and configured in BIOS/UEFI settings.

Installation

To install the boot verification script, run the following command in dom0:

sudo qvm-boot-verify install

This will:

  • Install required packages.
  • Create the boot verification script.
  • Set up a systemd service.
  • Configure autostart for GUI users.
  • Add the script to .bashrc for headless users.
  • Store the known good PCR values.

Updating PCR Values

To update the known good PCR values after making legitimate changes to your boot process, run:

sudo qvm-boot-verify update

Uninstallation

To uninstall the boot verification script, run:

sudo qvm-boot-verify uninstall

This will:

  • Disable and remove the systemd service.
  • Remove the autostart entry for GUI users.
  • Remove the script from .bashrc for headless users.
  • Delete the boot verification script and the .boot_verif directory.

Usage

Once installed, the boot verification script will automatically run on each boot and notify you of any changes to the boot process. If no changes are detected, you will see a message stating that the boot process is unchanged.

License

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

Author

Kenneth R. Rosen (kennethrrosen@proton.me)