On Mon, May 22, 2017 at 10:34:18AM -0700, blacklight wrote: > On Sunday, 21 May 2017 03:03:50 UTC+2, Andrew David Wong wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA512 > > > > On 2017-05-18 02:55, Zrubi wrote: > > > On 05/18/2017 09:48 AM, pandakaas...@gmail.com wrote: > > >> I recently came across this PDF file stating that dom0 and the > > >> hypervisor (Xen) are stored unencrypted on the disk, because the > > >> disk wouldnt be able to boot(According to the PDF). but as far as I > > >> know, only /boot and GRUB are stored unencrypted. so is this PDF > > >> file wrong, or was I wrong (or both?). > > > > > >> Here you have a link to the file, you can find it on page 7: > > >> http://www.cs.uu.nl/docs/vakken/b3sec/Proj15/QubesOS.pdf > > > > > > > > > The Xen itself and the dom0 kernel (located in /boot) are both > > > unencrypted. > > > > > > This can be the reason using TPM and AEM: > > > https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html > > > https://www.qubes-os.org/doc/anti-evil-maid/ > > > > > > > And everything except /boot is encrypted with LUKS by default. > > In particular, the contents of dom0 are also encrypted. See: > > > > https://www.qubes-os.org/doc/custom-install/ > > > > - -- > > Andrew David Wong (Axon) > > Community Manager, Qubes OS > > https://www.qubes-os.org > > -----BEGIN PGP SIGNATURE----- > > > > iQIcBAEBCgAGBQJZIOdoAAoJENtN07w5UDAwoZ8QAJijXJxCcIM2Ze/yTtxMUef/ > > h3ROYup2mjHCscn2SOTRqmUj4Aa/aIByILaj1OAOEWzsRDb5Y/r6Vizjakg0dibK > > HOfmIkTFFmbkeA8kHd2w5z7OrBiQCUcDt1rCz11CDgA1YWmLD/4sWigU2OK9J68h > > 9mj5mvwMbv7w4XE+O11LZww9SICBfV5y1akC3AdOS4Qasb7ujdx15X/rOlHEdcIQ > > iZUVO9NmpFpQ/DWCzW/6BY1b+2rRV2HEd9KwRgRTexQ3AEfo+RY7i74PWbpHRtnS > > FVREing5ogQe2R4F/9d1gYepHPw4YAThc0h8ZPjeHC4K67SxdcIHOL3ISbuxtSPL > > c4pPHGvg8+lXzZ9JX1nYie5qvD8rK4dC+G78wWgba77fuCwTkjtGJR2ZUT5LaA3U > > bnAAwSRO3IcJnd3ZK//uXqlJKyvxk/mNzT7AlG53FbZ92zghcBRc8wI0bS6tY76A > > uCFN8P8qi9VuszQoJhxsTxe99yXz97M9VvoLY0CQC8I5HJFJEv73RTHFlchQZG8+ > > U8X/rq+y02RoRHLCwl3KEc8aYOZCMt9EC4p5VGeljlClo5mBSArujDkGEYTPJfk5 > > GV5vy2wU3m8s8CBC3J9wx/8c0gBufqXplfjrR3JwyoaEY2a6gFKpEF2U3KwmaLlW > > Negatcg+YVAMvXotcROJ > > =8WSK > > -----END PGP SIGNATURE----- > > So the notion in the pdf file stating that dom0 is unecrypted is wrong i > understand? also, what about xen, is it located in /boot or is it also > encrypted? >
Yes, there's a fair bit in that paper that's wrong, and this certainly is. But it's just a student paper isn't it? Xen is included in /boot and is therefore unencrypted in a standard install. unman -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170522184505.GA10518%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
