Qubes OS summit 2022

Michał Żygowski

Michał Żygowski is a versatile engineer with a strong focus on system firmware. He works as a firmware engineer at 3mdeb and is an active contributor to coreboot and other open-source projects. He is a core coreboot developer and maintainer of the Braswell SoC, PC Engines, Protectli, and Libretrend platforms. He loves traveling and attending conferences, at which he actively speaks. He is mainly interested in firmware, security, and advanced hardware features.

Sessions

09-10
12:10
30min
Qubes OS on modern Alder Lake desktop
Michał Żygowski

There are very few desktop platforms that are user-controllable through
open-source firmware. Moreover, they haven't necessarily been tested with Qubes
OS. However, the recent initiative to port a modern Alder Lake desktop to coreboot
opened a new door for a privacy- and security-respecting machine capable of
running Qubes OS.

In this presentation, a demo of the Dasharo[1] distribution compatible with the
Alder Lake-S desktop MSI PRO Z690-A WIFI DDR4 running Qubes OS will be shown. The
presenter will also describe new updates to Dasharo firmware and the challenges
awaiting in future development. The talk will also discuss how Dasharo plans to
meet the future Qubes certification requirements[2] and how it approaches the
openness of the firmware, based on the Dasharo Openness Score of various
supported platforms.

[1] https://dasharo.com/
[2] https://groups.google.com/g/qubes-devel/c/08uSf2i-FTo/m/ii9DpjQ-AgAJ

Main Room
09-10
14:40
30min
TrenchBoot - the only AEM-way to boot Qubes OS
Michał Żygowski

Qubes OS Anti Evil Maid (AEM)[1] heavily depends on the availability of
Dynamic Root of Trust for Measurement (D-RTM) technologies to prevent Evil
Maid attacks[2]. However, the project hasn't evolved much since the beginning
of 2018 and froze at support for TPM 1.2 with Intel TXT in legacy boot mode
(BIOS). Because of that, the usage of this security software is effectively
limited to older Intel machines only. Some attempts were already made by
3mdeb[3] to support AMD and TPM 2.0; however, the work suffered from a lack of
business justification and stopped at porting the AEM scripts to use TPM 2.0.
Still, a successful demo of AMD D-RTM with Qubes OS was shown at the Qubes OS
minisummit 2020[4]. This year the efforts are traditionally continued.

The presentation will describe the project plan for improving and extending
Qubes OS AEM with TrenchBoot[5], covering both Intel and AMD hardware, TPM 1.2
and 2.0. The goal is to unify the D-RTM early launch and Anti Evil Maid
software to secure the Qubes OS boot process for basically any hardware device
(as long as it supports the required technologies). The presenter will give a
detailed overview of the project phases and the tasks to be fulfilled, as well
as the cost outline. At the end, a short demo of Qubes OS AEM with TrenchBoot
on a Dell OptiPlex 7010/9010 with Intel TXT and TPM 1.2 will be shown.

[1] https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html
[2] https://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html
[3] https://github.com/3mdeb/qubes-antievilmaid-amd/pull/1/files
[4] https://www.youtube.com/watch?v=rM0vRi6qABE
[5] https://trenchboot.org/

Main Room