Which is more secure: D-RTM vs S-RTM?

I read the documentation on FASR devices with S-RTM compared to D-RTM and am unable to decide if one is more secure than the other. In one of the diagrams on the page it shows S-RTM running trusted firmware across the entire boot process while D-RTM has firmware running outside the “trust boundary”. Would it make sense to go for a device with S-RTM rather than D-RTM if I am planning to run Qubes?

There are NO devices that can run Qubes with SRTM currently. AFAIK you need Trenchboot to run Qubes with DRTM.
Daniel Micay (GrapheneOS developer) thinks SRTM is more secure.

Why is this the case?

Would you mind linking a source for further reading?

Lack of OEM support.

I have interpreted Micay’s statement differently. The way I have interpreted it is that the whole x86 secure boot ecosystem is flawed, not that SRTM is better than DRTM when both are on x86. I don’t think his reply was specifically to the question of whether SRTM is better than DRTM.

I recommend checking out encrypted /boot with a password; it can ensure the kernel is not being modified by the firmware.

You misunderstand what this is about. Encryption does not solve this problem.