AEM questions


jd...@vfemail.net

Feb 14, 2017, 5:50:33 PM
to qubes...@googlegroups.com

hi.
since i will be traveling for a bit, my threat model changed and i want aem.
when reading the documentation, a few questions came up:
(in any case, i will use a passphrase for aem.)

1) is there a difference between using a usb drive or using an internal partition? (except for having a second device in case of a usb drive)
2) citing from the aem readme:
'If you've chosen the latter option [using an external boot device], you should then remove the internal
boot partition from dom0's /etc/fstab, never mount it again in dom0, and
never boot from it again, because an attacker might modify it to exploit
GRUB or dom0 filesystem drivers.'
what would happen if i lost my external boot device?
could i still boot without it?
3) is unhiding my usb devices only required during aem setup? (i guess so, but i thought, i would ask)
4) The article from 2011 (http://theinvisiblethings.blogspot.hu/2011/09/anti-evil-maid.html) mentions keyfiles.
Is this implemented? (the readme says nothing about it)

-joe




Chris Laprise

Feb 14, 2017, 10:28:40 PM
to jd...@vfemail.net, qubes...@googlegroups.com
On 02/14/2017 05:50 PM, jd...@vfemail.net wrote:
>
> hi.
> since i will be traveling for a bit, my threat model changed and i
> want aem.
> when reading the documentation, a few questions came up:
> (in any case, i will use a passphrase for aem.)
>
> 1) is there a difference between using a usb drive or using an
> internal partition? (except for having a second device in case of a
> usb drive)
>

Yes. You should keep your AEM boot with you on a separate device. If you
don't, an attacker could see your secret phrase by booting the system.

This is also important if you want AEM to warn you after a /remote/
(non-Evil Maid) attack has affected your BIOS.

> 2) citing from the aem readme:
> 'If you've chosen the latter option [using an external boot device],
> you should then remove the internal
> boot partition from dom0's /etc/fstab, never mount it again in dom0, and
> never boot from it again, because an attacker might modify it to exploit
> GRUB or dom0 filesystem drivers.'
> what would happen if i lost my external boot device?
> could i still boot without it?
>

You wouldn't be able to boot immediately. But you could later use a
Qubes install disk to re-create a boot partition, or restore a partimage
backup of the boot drive, or use a (trusted) live CD to unlock your
Qubes drive and backup the VMs before installing Qubes anew.

> 3) is unhiding my usb devices only required during aem setup? (i guess
> so, but i thought, i would ask)
>

I think you refer to the option that suppresses USB devices during boot.
This should be turned off when booting AEM (not just installing) from a
USB stick so the verification sequence can read the secret from the USB
stick.

However, you can configure a sys-usb VM to run automatically on startup,
and this will isolate USB devices from the rest of the system. So...
when booting AEM don't leave odd or untrusted devices plugged into your
USB ports, because the system may be vulnerable during boot (but after
boot you should be protected if sys-usb is running and configured properly).

> 4) The article from 2011
> (http://theinvisiblethings.blogspot.hu/2011/09/anti-evil-maid.html)
> mentions keyfiles.
> Is this implemented? (the readme says nothing about it)
>

I don't recall seeing this implemented. There may be some workaround
such as specifying the passphrase in the config... see "man crypttab"
for details; in that case, the USB stick literally becomes a key to your
main drive.

Chris

>
> -joe
>

jd...@vfemail.net

Feb 16, 2017, 10:38:54 AM
to Chris Laprise, qubes...@googlegroups.com
Thanks for answering, but i still have some questions:

>> (in any case, i will use a pass phrase for aem.)
>>
>> 1) is there a difference between using a usb drive or using an
>> internal partition? (except for having a second device in case of a usb
>> drive)
>
> Yes. You should keep your AEM boot with you on a separate device. If you
> don't, an attacker could see your secret phrase by booting the system.

but isn't this the reason i am using a password for?
the aem data is protected by my aem pw.
after entering it, it is used to decrypt my secret + (somehow) check the
system integrity
if this fails, my aem pw is burned.
in case it succeeds, i enter my luks pw and the system data is encrypted.
at least this is how i understood it.

also if this was the case, why is there the option to leave it on the
internal disk?
from the aem readme
(https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/README
55-60):

"
You may want to use non-default password for the SRK key (see the discussion in
the article referenced above), certainly if you want to save the sealed secrets
to your internal boot partition. In that case you SHOULD NOT pass the '-z'
argument to tpm_takeownership.
"

This suggests it is safe to use an internal boot partition if a password is
passed to `tpm_takeownership`.

So what is the case?

> This is also important if you want AEM to warn you after a /remote/
> (non-Evil Maid) attack has affected your BIOS.

How does this work?

>> 3) is unhiding my usb devices only required during aem setup? (i guess
>> so, but i thought, i would ask)
>
> I think you refer to the option that suppresses USB devices during boot.

I refer to this (
https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/README
110-120)

"
Note: If you choose to use a USB device (e.g., a flash drive) as your AEM device
and you previously created a USB qube, then you may have to unhide your USB
controller from dom0:

  1. Open the file `/etc/default/grub` in dom0.
  2. Find the line that begins with `GRUB_CMDLINE_LINUX`.
  3. If present, remove `rd.qubes.hide_all_usb` from that line.
  4. Save and close the file.
  5. Run the command `grub2-mkconfig -o /boot/grub2/grub.cfg` in dom0.
  6. Reboot.
"
here you unhide the usb controller so it is accessible from dom0.

>> 3) is unhiding my usb devices only required during aem setup? (i guess
>> so, but i thought, i would ask)
>
> I think you refer to the option that suppresses USB devices during boot.
> This should be turned off when booting AEM (not just installing) from a
> USB stick so the verification sequence can read the secret from the USB
> stick.

This is not mentioned anywhere in the documentation. I think it should.

- Joe



Chris Laprise

Feb 16, 2017, 3:43:40 PM
to jd...@vfemail.net, qubes...@googlegroups.com
On 02/16/2017 02:17 AM, jd...@vfemail.net wrote:
> Thanks for answering, but i still have some questions:
>
>>> (in any case, i will use a pass phrase for aem.)
>>>
>>> 1) is there a difference between using a usb drive or using an
>>> internal partition? (except for having a second device in case of a usb
>>> drive)
>>
>> Yes. You should keep your AEM boot with you on a separate device. If you
>> don't, an attacker could see your secret phrase by booting the system.
>
> but isn't this the reason i am using a password for?
> the aem data is protected by my aem pw.
> after entering it, it is used to decrypt my secret + (somehow) check the
> system integrity
> if this fails, my aem pw is burned.
> in case it succeeds, i enter my luks pw and the system data is encrypted.
> at least this is how i understood it.

Actually, you're right... I didn't see your mention of the passphrase
earlier. It's good that you're reading the material so carefully!

Even so, there is some risk associated with leaving the boot partition
on the internal drive. An altered boot partition could prompt for the
SRK phrase and then send your response over Wifi or other signal. This
could be made to look like a glitch---computer reboots after prompt, etc.

>
>
>> This is also important if you want AEM to warn you after a /remote/
>> (non-Evil Maid) attack has affected your BIOS.
>
> How does this work?

It's automatic. Just using AEM gives you 'protection' (i.e. warnings) for
some remote attacks. It's not comprehensive, but IMO still valuable.

>
>>> 3) is unhiding my usb devices only required during aem setup? (i guess
>>> so, but i thought, i would ask)
>>
>> I think you refer to the option that suppresses USB devices during boot.
>
> I refer to this (
> https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/README
>
> 110-120)
>
> "
> Note: If you choose to use a USB device (e.g., a flash drive) as your AEM
> device and you previously created a USB qube, then you may have to unhide
> your USB controller from dom0:
>
> 1. Open the file `/etc/default/grub` in dom0.
> 2. Find the line that begins with `GRUB_CMDLINE_LINUX`.
> 3. If present, remove `rd.qubes.hide_all_usb` from that line.
> 4. Save and close the file.
> 5. Run the command `grub2-mkconfig -o /boot/grub2/grub.cfg` in dom0.
> 6. Reboot.
> "
> here you unhide the usb controller so it is accessible from dom0.

Yes, IIRC the reason to do this is so AEM can read the secret file on
the USB drive during each boot.

>
>>> 3) is unhiding my usb devices only required during aem setup? (i guess
>>> so, but i thought, i would ask)
>>
>> I think you refer to the option that suppresses USB devices during boot.
>> This should be turned off when booting AEM (not just installing) from a
>> USB stick so the verification sequence can read the secret from the USB
>> stick.
>
> This is not mentioned anywhere in the documentation. I think it should.

It could use some explanation as to 'why'.

Chris
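
The README steps quoted in this thread (removing `rd.qubes.hide_all_usb` from the `GRUB_CMDLINE_LINUX` line) can be scripted as below. This is an added example, not part of any post or of the Qubes README; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: steps 1-4 of the quoted README note, applied to a file path
# passed as an argument. Try it on a copy of /etc/default/grub first.

# Steps 2-3 check: is the flag a whole token on a GRUB_CMDLINE_LINUX line?
usb_hidden() {
    grep -Eq '^GRUB_CMDLINE_LINUX.*[" ]rd\.qubes\.hide_all_usb([" ]|$)' "$1"
}

# Print the file with the flag removed from GRUB_CMDLINE_LINUX lines only.
# Comments and other variables pass through unchanged.
strip_usb_hide() {
    sed -E '/^GRUB_CMDLINE_LINUX/ {
        s/([" ])rd\.qubes\.hide_all_usb([" ]|$)/\1\2/
        s/  +/ /g
        s/=" /="/
        s/ "$/"/
    }' "$1"
}

# Steps 3-4: keep a backup, then rewrite the file. Returns 1 if nothing to do.
unhide_usb() {
    usb_hidden "$1" || return 1
    cp -p "$1" "$1.bak" && strip_usb_hide "$1.bak" > "$1"
}

# Constructed sample, not a real dom0 configuration.
write_sample() {
    cat > "$1" <<'EOF'
GRUB_TIMEOUT=5
# rd.qubes.hide_all_usb in a comment must be left alone
GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-0000 rd.qubes.hide_all_usb rhgb quiet"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX rd.qubes.hide_all_usb"
EOF
}

demo() {
    f=$(mktemp) && write_sample "$f" && unhide_usb "$f" && cat "$f"
    rm -f "$f" "$f.bak"
}
demo
# Steps 5-6 stay manual in dom0: grub2-mkconfig -o /boot/grub2/grub.cfg, reboot.
```

With the flag removed, the USB controller is visible to dom0 during boot, so the caution from earlier in the thread about untrusted devices plugged in at boot time applies.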
