Issues with antievilmaid


Micah Lee

Aug 25, 2014, 8:54:04 PM
to qubes...@googlegroups.com
I'm trying to get antievilmaid working, and I've been following the
instructions here:

http://git.qubes-os.org/?p=joanna/antievilmaid.git;a=blob_plain;f=README;hb=HEAD

I've managed to take ownership of my TPM, set a SRK password, build a
new USB stick for /boot and set it up, boot to an AEM boot, and
allegedly seal a secret.

I first tried a png file as my secret, including
"rd.antievilmaid.png_secret" as one of the flags in
GRUB_CMDLINE_AEM_FLAGS in /etc/default/grub.

When I booted it just displayed the normal Qubes logo and a small
loading bar. When I press escape it says: "Attempting to unseal the
secret passphrase from the TPM...", some blank space, and then "Continue
the boot process only if the secret above is correct!"

I figured it might be some issue with using a png file. So I booted and
re-sealed my TPM, this time with a string instead of a png file. But
when I boot from my USB stick I still have the same problem. It shows
the normal Qubes logo boot, and when I press escape it says the same
thing, but still not displaying my secret phrase.

It asks for my SRK password when I seal a secret, but not when I boot.
Is this expected?

Something that could be the cause:

When I first edited /etc/default/grub, I added the line:

export GRUB_CMDLINE_AEM_FLAG="rd.antievilmaid.asksrkpass rd.antievilmaid.png_secret"

Not realizing that I had a typo, and it should be
GRUB_CMDLINE_AEM_FLAGS. After rebooting, I edited that to be
GRUB_CMDLINE_AEM_FLAGS and then ran:

sudo grub2-install /dev/sdb

to reinstall grub onto my USB stick. Is it possible that I reinstalled
grub incorrectly, and that flag isn't set like it should be?

--
Micah Lee


cprise

Aug 25, 2014, 10:38:28 PM
to Micah Lee, qubes...@googlegroups.com
Micah,

What happens when you go through the AEM install process all over again?

My guess is the export misspelling had no adverse effect. But if it did,
a fresh AEM install may fix it.

Hopefully you have not run into a display bug.


Micah Lee

Aug 26, 2014, 3:29:52 PM
to qubes...@googlegroups.com
On 08/25/2014 07:38 PM, cprise wrote:
> Micah,
>
> What happens when you go through the AEM install process all over again?
>
> My guess is the export misspelling had no adverse effect. But if it did,
> a fresh AEM install may fix it.
>
> Hopefully you have not run into a display bug.

Thanks, starting the whole process from the beginning, but without the
typo, worked. However, it only worked using a string as my secret, but
not using a png file.

While running /usr/lib/antievilmaid/antievilmaid_install, this was part
of the output for each initramfs it generated:

dracut-install: ERROR: installing '/usr/lib64/plymouth//label.so'

Is it possible that the png file was failing because of some plymouth
problem?

Also, just to confirm, am I supposed to be able to see my secret string
in the graphical mode, or only in the text mode? As it stands it's like
this when I boot:

* Loads grub, starts booting OS
* Shows Qubes logo and an input box (for SRK password)
* I type my SRK password, and then the input box goes away
* If I press escape to go into text mode I can see my secret, then I can
press escape again to go back to graphics mode
* I pull my USB stick, and then another input box appears (LUKS passphrase)
* I type my LUKS passphrase and it boots

Is it not displaying the secret string in graphical mode because of the
same plymouth problem?

--
Micah Lee


cprise

Aug 26, 2014, 6:42:54 PM
to Micah Lee, qubes...@googlegroups.com

On 08/26/14 15:29, Micah Lee wrote:
> On 08/25/2014 07:38 PM, cprise wrote:
>> Micah,
>>
>> What happens when you go through the AEM install process all over again?
>>
>> My guess is the export misspelling had no adverse effect. But if it did,
>> a fresh AEM install may fix it.
>>
>> Hopefully you have not run into a display bug.
> Thanks, starting the whole process from the beginning, but without the
> typo, worked. However, it only worked using a string as my secret, but
> not using a png file.
>
> While running /usr/lib/antievilmaid/antievilmaid_install, this was part
> of the output for each initramfs it generated:
>
> dracut-install: ERROR: installing '/usr/lib64/plymouth//label.so'
>
> Is it possible that the png file was failing because of some plymouth
> problem?

I think that's /probable/. And I haven't seen that error before,
although I have only used a string as a secret. I do have a file at that
path in dom0.

> Also, just to confirm, am I supposed to be able to see my secret string
> in the graphical mode, or only in the text mode?

Yes, the secret string is printed to both the text and graphical
screens. I think something about using the SRK input may be triggering a
bug.

> As it stands it's like
> this when I boot:
>
> * Loads grub, starts booting OS
> * Shows Qubes logo and an input box (for SRK password)
> * I type my SRK password, and then the input box goes away
> * If I press escape to go into text mode I can see my secret, then I can
> press escape again to go back to graphics mode
> * I pull my USB stick, and then another input box appears (LUKS passphrase)
> * I type my LUKS passphrase and it boots
>
> Is it not displaying the secret string in graphical mode because of the
> same plymouth problem?

Definitely sounds like a bug to me; Plymouth has prompted other (fixed)
display bugs during AEM boot. OTOH, AEM appears to be basically working
for you.

Marek Marczykowski-Górecki

Sep 4, 2014, 7:42:58 PM
to cprise, Micah Lee, qubes...@googlegroups.com
Most likely the PNG secret feature was broken during the switch to the new
artwork (which includes a reworked plymouth theme)...
https://wiki.qubes-os.org/ticket/893

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


tel

Sep 8, 2014, 10:49:28 AM
to qubes...@googlegroups.com, mi...@micahflee.com
Hmm. Same problem for me, and I'm using a string, rather than a png.
It boots to the graphical interface and freezes. If I remove the USB
drive at that point, I can continue with the disk decryption password,
and log in successfully. Nowhere does it show my passphrase.

And for what it's worth, I'm getting the same ERROR: install
/usr/lib64/plymouth//label.so

In /usr/lib64/plymouth, all I have are:
details.so, script.so, text.so, and a directory called renderers,
containing drm.so and frame-buffer.so
 
This is a brand new, fresh install of RC2. 

Andrew B

Sep 8, 2014, 11:35:09 AM
to qubes...@googlegroups.com
On 09/08/14 16:49, tel wrote:
>
>
> On Monday, August 25, 2014 5:54:04 PM UTC-7, Micah Lee wrote:
>
> I'm trying to get antievilmaid working, and I've been following the
> instructions here:
>
> http://git.qubes-os.org/?p=joanna/antievilmaid.git;a=blob_plain;f=README;hb=HEAD

To which PCRs did you seal? At least on my system, some of them change on every boot. Dump your PCRs across two cold boots and make sure the ones you sealed to do not change.

Andrew
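
Added example (not part of the original thread): one way to do the comparison described in the message above, as shell functions that take two saved PCR dumps plus the PCR indices a secret was sealed to and print the indices whose values differ. The dump format and the sysfs path in the comments are assumptions about a TPM 1.2 system; the function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which sealed-to PCRs differ between two saved dumps.
# Assumed dump format (TPM 1.2 sysfs "pcrs" file), one register per line:
#   PCR-17: 3A 3F 78 ...
# Save one dump per cold boot, e.g. cat /sys/class/tpm/tpm0/pcrs > boot1.txt
# (the sysfs path is an assumption and varies by kernel).

# pcr_value FILE INDEX: print the value of PCR INDEX as uppercase hex, no spaces.
pcr_value() {
    awk -v want="$(printf 'PCR-%02d:' "$2")" '
        $1 == want { for (i = 2; i <= NF; i++) printf "%s", toupper($i); print ""; exit }
    ' "$1"
}

# changed_pcrs FILE1 FILE2 INDEX...: print the indices whose value differs or
# is missing from either dump (space separated); exit status 1 if any differ.
changed_pcrs() {
    f1=$1; f2=$2; shift 2
    changed=""
    for idx in "$@"; do
        a=$(pcr_value "$f1" "$idx")
        b=$(pcr_value "$f2" "$idx")
        if [ -z "$a" ] || [ -z "$b" ] || [ "$a" != "$b" ]; then
            changed="${changed:+$changed }$idx"
        fi
    done
    printf '%s\n' "$changed"
    [ -z "$changed" ]
}

# Constructed sample dumps (shortened, not real measurements): PCR-18 differs
# between the two boots, so a secret sealed to 17, 18 and 19 would not unseal.
demo() {
    d=$(mktemp -d)
    printf 'PCR-17: AA 01\nPCR-18: BB 02\nPCR-19: CC 03\n' > "$d/boot1.txt"
    printf 'PCR-17: AA 01\nPCR-18: BB FF\nPCR-19: CC 03\n' > "$d/boot2.txt"
    out=$(changed_pcrs "$d/boot1.txt" "$d/boot2.txt" 17 18 19) || true
    rm -rf "$d"
    printf '%s\n' "$out"
}

demo
```

Pass the indices without leading zeros (8, not 08), since printf would read a leading zero as octal.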

Todd Lasman

Sep 8, 2014, 11:42:45 AM
to qubes...@googlegroups.com
Pretty sure I sealed to 17, 18, and 19. I thought these were the ones
that would change with a new kernel. Are there different ones that work
better for a usual case?

tel

Sep 9, 2014, 1:36:31 AM
to qubes...@googlegroups.com
And one more question (and probably off topic): once AEM is installed on the usb stick, what keeps anyone from booting to the hard drive using the boot partition that remains on the disk? Do people disable or delete that boot partition? I'd hate to leave that unencrypted boot partition on the hard disk if I don't have to.

Marek Marczykowski-Górecki

Sep 9, 2014, 5:26:35 AM
to tel, qubes...@googlegroups.com
On 09.09.2014 07:36, tel wrote:
> And one more question (and probably off topic): once AEM is installed on
> the usb stick, what keeps anyone from booting to the hard drive using the
> boot partition that remains on the disk?

Booting from HD will not show you the secret, so you shouldn't enter disk
encryption password then.

> Do people disable or delete that
> boot partition? I'd hate to leave that unencrypted boot partition on the
> hard disk if I don't have to.

You can simply wipe that partition if you want. Remember to also modify
/etc/fstab (at least add the "noauto" option, or comment out the line).

Todd Lasman

Sep 10, 2014, 12:20:28 AM
to qubes...@googlegroups.com
Getting a little closer. The issue with the error regarding label.so
can be solved by doing (in dom0):

# qubes-dom0-update plymouth-plugin-label

This will allow the text to be printed to the graphical login screen.

On the other hand, I still can't get the sealed passphrase to show!
I've done each step exactly as recommended, sealing to 17, 18, and 19,
but all I get is a blank line where the passphrase should be.
Definitely something wrong...

Todd Lasman

Sep 10, 2014, 1:56:43 AM
to qubes...@googlegroups.com
And by the way, using tpm_unsealdata -z -i
/mnt/antievilmaid/antievilmaid/... returns the correct phrase, so I know
it was sealed correctly.

Todd Lasman

Sep 10, 2014, 7:20:51 PM
to qubes...@googlegroups.com
Micah, did you ever get this working? I'm still getting a blank
passphrase even though I can verify that the passphrase is sealed
correctly.

Todd

Marek Marczykowski-Górecki

Sep 10, 2014, 8:42:22 PM
to qubes...@googlegroups.com
I'm currently working on #893 (Antievilmaid: PNG secret broken with new
plymouth theme) and will also test/fix the text-only version. So hopefully
that will also solve your problem.

Todd Lasman

Sep 10, 2014, 9:01:44 PM
to qubes...@googlegroups.com
May not need fixing. I just tried it again using a different USB device
and it seems to work perfectly (text, that is - no PNG). I wonder if my
old USB device was too slow to return a string when trying to unseal the
secret.

Marek Marczykowski-Górecki

Sep 12, 2014, 4:17:49 AM
to qubes...@googlegroups.com
PNG support fixed; the new package (anti-evil-maid-2.0.7) is in the
current-testing repository and will soon be available as a normal update.