anti-evil-maid for dummies?


gaffne...@gmail.com
Dec 5, 2014, 4:39:30 PM
to qubes...@googlegroups.com
I am working on getting anti-evil-maid set up with a separate USB stick. While I am sure the guide makes perfect sense to an admin, for a new user it is a bit daunting.

Using a Lenovo T420 (it was the only laptop on the list with 100% support listed for everything Qubes uses right now: VT-x, VT-d, TPM, BIOS support, etc.) -- hope it was a good Qubes buying decision.

For instance:
2) Install and Verify TPM support under your OS/Dom0.

No explanation is given on 'HOW' to do this, and Google has not been my friend.

a) Install anti-evil-maid packages (in Dom0 on Qubes). It will install all the required dependencies and tools.

Guessing this simply means running in dom0:
sudo qubes-dom0-update anti-evil-maid

b) Start the TrouSerS daemon (this should also load tpm driver into kernel):

# /etc/init.d/tcsd start

----- base: /etc/init.d/tcsd: no such file or directory

I can only guess that I haven't installed and verified tpm in my Dom0?



c) Verify the kernel support for TPM:

# find /sys/devices -name pcrs
# cat <path_to_pcrs>


Well, at least this is good news: I get the expected output.


You should have installed the following packages to perform the setup:
- anti-evil-maid-dracut
- anti-evil-maid

I'm guessing that happened when I installed anti-evil-maid into Dom0 above?



b) Find a USB stick, create a boot partition, set bootable flag, don't
format with any fs. Use fdisk or parted.

NOTE: when using a GPT partition table (rather than msdos), then you should
create an additional BIOS boot partition, where the rest of the GRUB code will
be kept -- please see this page for more info:
http://www.gnu.org/software/grub/manual/html_node/BIOS-installation.html


Wow, where to even begin... this is really hard to grasp the first time.

Having used Google for this, I get the impression that I should be using GPT instead of msdos -- I really want to follow best practice.

However, finding a guide for a new user to follow has been another challenge. At the moment I am completely lost.

I don't see a need to continue past this for this email as I am stuck.

*Are there any 'newbie friendly' docs/vids on setting up anti-evil-maid for new users that anyone can suggest? A full anti-evil-maid install video tutorial would be amazing if it exists.

Thanks, everyone.

cprise
Dec 5, 2014, 6:31:10 PM
to gaffne...@gmail.com, qubes...@googlegroups.com

On 12/05/14 16:39, gaffne...@gmail.com wrote:
> I am working on getting anti-evil-maid with a separate usb stick setup. While I am sure the guide makes perfect sense to an admin, for a new user, it is a bit daunting.
>
> Using a lenovo t420 (it was only laptop on list with 100% support listed for everything qubes uses right now - vt-x, vt-d, tpm, bios support, etc) -- hope it was a good qubes buying decision.

Hi gaffney,

It's probably a good deal since no doubt you are buying it used. However, consulting with the mailing list first would have been a good idea because TPM is one area where the HCL seems inaccurate. The HCL script hasn't been testing for a TPM so that info wasn't making it into the HCL in many cases. I also noticed this is the case for my T430s (TPM works fine but no note in the HCL).

I don't know if TPM compatibility is something that a program can easily test.

BTW IIRC, Joanna mentioned something in a blog post about Sandy Bridge CPUs (like in the T420) being less secure under very specific circumstances, but I don't remember those specifics.



> For instance:
> 2) Install and Verify TPM support under your OS/Dom0.
>
> No explanation is given on 'HOW' to do this, google has not been my friend.
From the README file:
1) Enable TPM in BIOS.


2) Install and Verify TPM support under your OS/Dom0.

a) Install anti-evil-maid packages (in Dom0 on Qubes). It will install all the required dependencies and tools.

b) Start the TrouSerS daemon (this should also load tpm driver into kernel):

# /etc/init.d/tcsd start

... or (in case of systems that use systemd):

# systemctl start tcsd

Part a should add:
$ sudo qubes-dom0-update anti-evil-maid

Part b should be changed to something like:
b) Enable and start the TrouSerS daemon (this should also load tpm driver into kernel):

$ sudo systemctl enable tcsd

$ sudo systemctl start tcsd

* The part about init.d doesn't really fit anymore.

* Before you start any of this, you need to open up a Konsole (shell terminal) window under Start / Applications / System tools. Konsole is where you type these dom0 commands.



> c) Verify the kernel support for TPM:
>
> # find /sys/devices -name pcrs
> # cat <path_to_pcrs>
>
>
> well at least this is good news, I get the output expected
>
>
> You should have installed the following packages to perform the setup:
> - anti-evil-maid-dracut
> - anti-evil-maid
>
> I'm guessing that happened when I installed anti-evil-maid into Dom0 above?

Yes, it's a bit confusing the way it reiterates.



> b) Find a USB stick, create a boot partition, set bootable flag, don't
> format with any fs. Use fdisk or parted.
>
> NOTE: when using a GPT partition table (rather than msdos), then you should
> create an additional BIOS boot partition, where the rest of the GRUB code will
> be kept -- please see this page for more info:
> http://www.gnu.org/software/grub/manual/html_node/BIOS-installation.html
>
>
> Wow, where to even begin..... this is really hard to grasp the first time.
>
> Having used google for this, I get the impression that I should be using GPT instead of msdos. --really want to follow best practice

I think it is easier if you have an existing Linux system to use such as an Ubuntu Live CD. Then you can use (in Ubuntu's case) the Disks app to partition and set bootable flag without using shell commands. Of course, you can simply opt to create an msdos table and skip the concern about an extra partition.

OTOH, if you are unfamiliar with disk management and partitions in general, you may not be able to get past this point.



> However, finding a guide for a new user to follow has been another challenge. At the moment I am completely lost.
>
> I don't see a need to continue past this for this email as I am stuck.
>
> *Are there any 'newbie friendly' docs/vids on setting up anti-evil-maid for new users that anyone can suggest - a full anti-evil-maid install video tutorial would be amazing if it exists
>
> thanks everyone.

I haven't noticed any videos or alternative docs, yet. But if you succeed in setting up AEM you would be in the perfect position to create one. ;)

Todd Lasman
Dec 5, 2014, 6:33:52 PM
to qubes...@googlegroups.com


>
> For instance:
> 2) Install and Verify TPM support under your OS/Dom0.
>
> No explanation is given on 'HOW' to do this, google has not been my
> friend.

I had a bit of a time figuring this out too, but carefully following
(and playing with) the documentation actually worked out. I'll try to
tell you what I've learned. As for verifying that there is TPM support,
I'd just start by assuming that the support is there. If it isn't, none
of the below will work.

>
> a) Install anti-evil-maid packages (in Dom0 on Qubes). It will install
> all the required dependencies and tools.
>
> guessing this simply means running in dom0:
> sudo qubes-dom0-update anti-evil-maid

That's right.

>
> b) Start the TrouSerS daemon (this should also load tpm driver into
> kernel):
>
> # /etc/init.d/tcsd start
>
> ----- base: /etc/init.d/tcsd: no such file or directory
>
> I can only guess that I haven't installed and verified tpm in my Dom0?

Actually, Fedora doesn't use init scripts - it uses systemctl. I
believe the correct way to start the daemon is:
# systemctl start tcsd

>
>
>
> c) Verify the kernel support for TPM:
>
> # find /sys/devices -name pcrs
> # cat <path_to_pcrs>
>
>
> well at least this is good news, I get the output expected
>
>
> You should have installed the following packages to perform the setup:
> - anti-evil-maid-dracut
> - anti-evil-maid
>
> I'm guessing that happened when I installed anti-evil-maid into Dom0
> above?

Correct

>
>
>
> b) Find a USB stick, create a boot partition, set bootable flag, don't
> format with any fs. Use fdisk or parted.
>
> NOTE: when using a GPT partition table (rather than msdos), then you
> should
> create an additional BIOS boot partition, where the rest of the GRUB
> code will
> be kept -- please see this page for more info:
> http://www.gnu.org/software/grub/manual/html_node/BIOS-installation.html
>
>
> Wow, where to even begin..... this is really hard to grasp the first
> time.

I just got a USB drive and made a small (500 MB) partition to store
everything. I didn't bother setting the boot flag or anything like that.
When installing antievilmaid from the hard drive, I chose that USB
partition to write to, and everything just worked.
For example, when running the antievilmaid command, you use something
like this:

# /usr/lib/antievilmaid/antievilmaid_install /dev/sdc 1 /boot

This means that it will take files from your /boot directory on
your hard drive, and transfer those files (along with antievilmaid
files) onto the first (1) partition of /dev/sdc (your USB drive).

Hope this helps as a start...

Todd

Hakisho Nukama
Dec 5, 2014, 8:02:15 PM
to cprise, qubes...@googlegroups.com
On Fri, Dec 5, 2014 at 11:31 PM, cprise <cpr...@gmail.com> wrote:
>
> On 12/05/14 16:39, gaffne...@gmail.com wrote:
>
> I am working on getting anti-evil-maid with a separate usb stick setup.
> While I am sure the guide makes perfect sense to an admin, for a new user,
> it is a bit daunting.
>
> Using a lenovo t420 (it was only laptop on list with 100% support listed for
> everything qubes uses right now - vt-x, vt-d, tpm, bios support, etc) --
> hope it was a good qubes buying decision.
>
>
> Hi gaffney,
>
> Its probably a good deal since no doubt you are buying it used. However,
> consulting with the mailing list first would have been a good idea because
> TPM is one area where the HCL seems inaccurate. The HCL script hasn't been
> testing for a TPM so that info wasn't making it into the HCL in many cases.
> I also noticed this is the case for my T430s (TPM works fine but no note in
> the HCL).
>

https://groups.google.com/forum/#!msg/qubes-users/452tkVCzvOw/_dQ8DXaDzp0J
* AEM still suffers from the tboot-induced memory allocation problem.
Is this still a problem? Is this a common problem on all AEM installations?

> I don't know if TPM compatibility is something that a program can easily
> test.
>

Maybe we can provide the needed packages by default,
to probe with the TrouSerS daemon and fetch and analyze the logs
with qubes-hcl-script?

TrouSerS ERROR: Could not find a device to open!
and the corresponding log message when a TPM device is found.
Is there the possibility to hold /boot during normal
operation inside the encrypted file system, and to provision
USB sticks and the unencrypted boot partition from there?
Can the /boot from a USB stick or boot partition be unmounted
without problems, so that the underlying /boot appears?

During initialization:
/boot@/dev/sda1 or partition on USB-Stick

After qubes_dom0-root has been decrypted:
/boot@qubes_dom0-root

So all update operations are performed inside the encrypted
volume, and several boot media can be created from there.
After an update process the provisioning for the boot devices
is started; it asks to insert the boot media, mounts
the defined partitions (/dev/disk/by-) to a tmp location and
updates the boot partitions.

#/etc/aem.conf
/dev/sda1 /tmp/boot0 mbr noaem
/dev/disk/by-label/aemboot /tmp/boot1 mbr aem
/dev/disk/by-partlabel/usbstick1 /tmp/boot2 gpt aem

Best Regards.
Hakisho Nukama
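One way the /etc/aem.conf idea above could drive the provisioning step, as an added example written for this thread (constructed; AEM has no such config file or tool). It assumes the line format "device mountpoint mbr|gpt aem|noaem" shown above, mounts each aem target, copies the /boot tree kept inside the encrypted volume onto it, and skips media that is not currently inserted; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example illustrating the proposed /etc/aem.conf workflow; not part of AEM.
# Assumed line format: <device> <mountpoint> <mbr|gpt> <aem|noaem>
# Set DRY_RUN=1 to print the mount/copy/umount commands instead of executing them.

# Run a command, or just echo it in dry-run mode.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Print "device mountpoint table" for each entry flagged aem.
# Comment lines (#...) and malformed lines are ignored; noaem entries, such as
# the laptop's own unencrypted boot partition, are never touched.
aem_conf_targets() {
    awk '!/^[[:space:]]*#/ && NF == 4 && $4 == "aem" { print $1, $2, $3 }' "$1"
}

# Refresh every aem target from the /boot tree kept inside the encrypted volume.
# Arguments: config file, source /boot directory.
# A target whose device node is absent (USB stick not inserted) is reported and
# skipped, so the run can simply be repeated once the media is plugged in.
# The table type (mbr/gpt) is only reported: installing GRUB itself, and the
# BIOS boot partition a GPT stick needs, are outside this script.
aem_provision_boot() {
    conf="$1"; src="$2"
    aem_conf_targets "$conf" | while read -r dev mnt table; do
        if [ ! -e "$dev" ]; then
            echo "skip $dev ($table): device not present, insert it and re-run" >&2
            continue
        fi
        run mkdir -p "$mnt"
        run mount "$dev" "$mnt"
        run cp -a "$src/." "$mnt/"
        run umount "$mnt"
        echo "updated $dev ($table) from $src"
    done
}

# Stand-alone usage: ./aem-provision.sh /etc/aem.conf /boot   (DRY_RUN=1 to rehearse)
if [ "$#" -eq 2 ]; then
    aem_provision_boot "$1" "$2"
fi
```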

cprise
Dec 5, 2014, 8:58:19 PM
to Hakisho Nukama, qubes...@googlegroups.com

On 12/05/14 20:02, Hakisho Nukama wrote:
> On Fri, Dec 5, 2014 at 11:31 PM, cprise <cpr...@gmail.com> wrote:
>> On 12/05/14 16:39, gaffne...@gmail.com wrote:
>>>
>>> I am working on getting anti-evil-maid with a separate usb stick setup.
>>> While I am sure the guide makes perfect sense to an admin, for a new user,
>>> it is a bit daunting.
>>>
>>> Using a lenovo t420 (it was only laptop on list with 100% support listed for
>>> everything qubes uses right now - vt-x, vt-d, tpm, bios support, etc) --
>>> hope it was a good qubes buying decision.
>>
>> Hi gaffney,
>>
>> Its probably a good deal since no doubt you are buying it used. However,
>> consulting with the mailing list first would have been a good idea because
>> TPM is one area where the HCL seems inaccurate. The HCL script hasn't been
>> testing for a TPM so that info wasn't making it into the HCL in many cases.
>> I also noticed this is the case for my T430s (TPM works fine but no note in
>> the HCL).
>
> https://groups.google.com/forum/#!msg/qubes-users/452tkVCzvOw/_dQ8DXaDzp0J
> * AEM still suffers from the tboot-induced memory allocation problem.
> Is this still a problem? Is this a common problem on all AEM installations?

You know, it's been so long since I reconfigured it that I forgot. AFAIK, the option in grub.cfg is still required on the tboot line:
min_ram=0x2000000

This is on a system with 8GB RAM. If the min_ram option is not included, the system will still run but with less available RAM (about 3GB missing).

The out of memory errors I reported alongside my report of missing RAM (in the qubes-devel thread about AEM bugs) were only tangentially related to the tboot issue, if at all, and cleared up soon after I reported them. TL;DR, it all works fine if I include the min_ram parameter.




      
>> I don't know if TPM compatibility is something that a program can easily
>> test.
>
> Maybe we can provide the needed packages by default,
> to probe with the TrouSerS daemon and fetch and analyze the logs
> with qubes-hcl-script?
>
> TrouSerS ERROR: Could not find a device to open!
> and the appropriate log message, when a TPM device is found.

That sounds like a good idea. Maybe the test could be:
systemctl start tcsd
sleep 5
tpm_version | grep "Communication failure"

"Communication failure" is part of the message I get from tpm_version if I first stop tcsd.

Or:
tpm_selftest >>HCL_report

I'll let ITL figure out the best approach.

[...]


> Is there the possibility, to hold the /boot during normal
> operation inside the encrypted file system and provision
> USB-Sticks and the unencrypted boot-partition from there?
> Can the /boot from USB-Stick or boot-partition be unmounted,
> without problems, so that the underlying /boot appears?
>
> During initialization:
> /boot@/dev/sda1 or partition on USB-Stick
>
> After qubes_dom0-root has been decrypted:
> /boot@qubes_dom0-root
>
> So all update operations are performed inside the encrypted
> volume, and several boot-media can be created from there.
> After an update process the provisioning for the boot-devices
> is started, and asks for inserting boot-media and mounts
> the defined partitions (/dev/disk/by-) to a tmp location and
> updates the boot-partitions.
>
> #/etc/aem.conf
> /dev/sda1 /tmp/boot0 mbr noaem
> /dev/disk/by-label/aemboot /tmp/boot1 mbr aem
> /dev/disk/by-partlabel/usbstick1 /tmp/boot2 gpt aem
>
> Best Regards.
> Hakisho Nukama


I asked about this possibility some weeks ago when commenting on the difficulty of predicting when a dom0 update will affect /boot. FWIW, I have removed /boot from my fstab and erased the boot partition and there have been no obvious ill effects. I have been letting qubes-dom0-update write newer files into the encrypted /boot directory, which I take as a (clear? appropriate?) signal that the USB stick needs updating (which I then perform with 'cp -a').
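A small probe along the lines of the HCL test suggested above, as an added example (not part of AEM, tpm-tools or the qubes-hcl script): it runs the README's pcrs check against a sysfs root, counts the PCRs the kernel exposes, and, if tpm-tools is installed, checks whether tpm_version can reach the TPM through tcsd. The sysfs-root argument and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not AEM or qubes-hcl code. POSIX sh; the function names and the
# sysfs-root argument are assumptions made for this example.

# Count the PCR lines in a sysfs "pcrs" file (one "PCR-NN: ..." line per register).
aem_pcr_count() {
    awk 'END { print NR }' "$1"
}

# Kernel-side check from the AEM README (TPM 1.2 sysfs interface): is a pcrs file
# exposed under the sysfs root (default /sys/devices)? Prints path and PCR count.
aem_tpm_kernel_check() {
    sysroot="${1:-/sys/devices}"
    pcrs=$(find "$sysroot" -name pcrs 2>/dev/null | head -n 1)
    if [ -z "$pcrs" ]; then
        echo "TPM: no pcrs file under $sysroot (TPM off in BIOS or tpm driver not loaded)"
        return 1
    fi
    echo "TPM: kernel exposes $pcrs ($(aem_pcr_count "$pcrs") PCRs)"
}

# Userspace check: tpm_version (tpm-tools) reaches the TPM through tcsd and reports
# "Communication failure" when tcsd is not running.
aem_tpm_userspace_check() {
    if ! command -v tpm_version >/dev/null 2>&1; then
        echo "TPM: tpm_version not installed, skipping the tcsd check"
        return 0
    fi
    if out=$(tpm_version 2>&1); then
        echo "TPM: tpm_version succeeded"
        return 0
    fi
    case "$out" in
        *"Communication failure"*) echo "TPM: tcsd not reachable (sudo systemctl start tcsd)" ;;
        *) echo "TPM: tpm_version failed: $out" ;;
    esac
    return 1
}

# Both checks must pass before anti-evil-maid has a usable TPM.
aem_tpm_probe() {
    aem_tpm_kernel_check "${1:-/sys/devices}" && aem_tpm_userspace_check
}

if aem_tpm_probe "${1:-/sys/devices}"; then
    echo "RESULT: TPM usable for anti-evil-maid"
else
    echo "RESULT: TPM not usable yet (see the messages above)"
fi
```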
