On Sun, 4 Jun 2017 22:29:57 +0200 Patrik Hagara <patriha...@gmail.com> wrote:
> On 06/04/2017 10:03 PM, hawk...@bitmessage.ch wrote:
> > When using a usb-vm, my usb keyboard is not accessible at boot time,
> > and thus my disk encryption password must be typed on the built-in
> > keyboard.
> >
> > When not using a usb-vm, a usb keyboard can be used to enter the
> > disk encryption password.
> >
> > When using a simple static password at boot typed by the yubikey
> > (which acts like a keyboard), it has the same limitations as the
> > usb keyboard, wherein it can't type the disk password when a usb-vm
> > is being used.
> >
> > I could not determine whether the documentation discussing
> > challenge-response addresses this problem with boot-time disk
> > passwords as some sub-component
> > ( https://www.qubes-os.org/doc/yubi-key/ ). I only see the
> > screensaver discussed, but not disk passwords at boot.
> >
> > While still using a usb-vm to manage all usb devices, is there any
> > way to authorize the yubikey automatically at boot time so it can
> > type in a password for me?
> >
> > Also, here: ( https://github.com/adubois/qubes-app-linux-yubikey ),
> > am I missing the referenced qubes-yubikey-vm and qubes-yubikey-dom0
> > in the repos, because they don't seem to exist?
> >
> > Thanks!
>
> With USB VM enabled, all USB devices are hidden from dom0 even during
> the Linux kernel boot (but not before). If you need to use USB devices
> during Qubes OS boot (keyboard, yubikey, anti-evil-maid, ...) and
> don't mind rigorously checking nobody has plugged any suspicious USB
> devices into your machine before powering it on (as you should be
> doing anyway), you can follow the steps outlined below.
>
> There's a Linux kernel command line argument you need to remove from
> /etc/default/grub -- find the line starting with "GRUB_CMDLINE_LINUX"
> and drop the "rd.qubes.hide_all_usb" argument. Save the changes and
> rebuild grub configuration using
> `sudo grub2-mkconfig -o /boot/grub2/grub.cfg` and then reboot.
>
> Please note that if you have anti-evil-maid installed, you also need
> to re-run `anti-evil-maid-install` script on your AEM device.
> Unsealing of your secrets will, as expected, fail during next boot.
>
> Once you reboot without this option, you can use any USB device
> normally.
>
>
> Cheers,
> Patrik

Thanks for the clear answer!

It took some searching, but it looks like, for me, that flag was only present in /boot/efi/EFI/qubes/xen.cfg and it does not seem to require rebuilding grub to work. I didn't see that location discussed here https://www.qubes-os.org/doc/usb/ under "Removing a USB qube" either.

Now, to see if I can get the luks challenge response working rather than just a static password ...
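
The check below is an added example, not part of either message or of Qubes OS itself: it reports whether `rd.qubes.hide_all_usb` is still present in the two files named in this thread, so you can confirm which boot path carries the flag before and after editing. The function names and the status words (`hidden`, `exposed`, `absent`) are hypothetical, and the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example: audit the dom0 kernel command line for the USB-hiding flag.
# Paths are the two mentioned in the thread (legacy GRUB and EFI xen.cfg).

# Regex for the argument; dots escaped so they match literally.
FLAG_RE='rd\.qubes\.hide_all_usb'

# Exit 0 if FILE has a non-comment line carrying the flag as a whole
# argument (delimited by whitespace, quotes, '=' or a line boundary), e.g.
#   GRUB_CMDLINE_LINUX="rhgb quiet rd.qubes.hide_all_usb"   (constructed)
#   kernel=vmlinuz root=/dev/x rd.qubes.hide_all_usb        (constructed)
has_hide_all_usb() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -Eq "(^|[[:space:]\"'=])${FLAG_RE}([[:space:]\"']|\$)"
}

# Print one word describing FILE:
#   hidden  - flag present, USB devices are hidden from dom0 during boot
#   exposed - flag missing, USB devices are visible to dom0 during boot
#   absent  - file not readable (that boot path is not in use here)
usb_hiding_status() {
    if [ ! -r "$1" ]; then
        echo "absent"
    elif has_hide_all_usb "$1"; then
        echo "hidden"
    else
        echo "exposed"
    fi
}

for f in /etc/default/grub /boot/efi/EFI/qubes/xen.cfg; do
    printf '%s: %s\n' "$f" "$(usb_hiding_status "$f")"
done
```

Run it in dom0; a file reported as `exposed` means a USB keyboard or YubiKey can type the disk password on that boot path, and also that any other USB device plugged in at power-on is visible to dom0.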