On Sunday, July 16, 2017 at 9:55:55 AM UTC-7, yreb-qusw wrote:
> On 07/16/2017 01:27 AM, pixel fairy wrote:
> > ---
> > In Dom0 install anti-evil-maid:
> >
> > sudo qubes-dom0-update anti-evil-maid
> > ---
> Doesn't sound like 'more work' just doing the above; perhaps there is 
> more to it. I thought it mentioned it's better to install via a USB drive?

https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/README

as you can see, it's a lot of steps, and only some laptops are compatible. there 
are even new laptops, like the system76 lemur7 (i7 skylake), that can't do AEM. 

ideally you can boot from a non-usb external device, such as an sd card in your 
purse or wallet. if you do use usb, then you have to disable hiding the usb 
controller for a bit, which gives your attacker a window of opportunity for the 
kinds of things AEM is meant to detect. 

this is a small window of opportunity, but there is the theoretical case that 
a clueless attacker with only a short time boots from their own device; the 
attack fails because usb is locked (and they may not even know this) and your 
laptop is ok. whereas if AEM needed that usb controller enabled to function, 
the attack would succeed, or at least succeed enough to trip AEM. 

> What would be the "trade off" and/or how would I disable it, if it 
> somehow messes up my Qubes install?

the most obvious trade off is needing your boot device to boot your laptop. so, 
you must protect this device. you'll probably want more than one of them in 
case one is lost or damaged, so you have to protect multiple devices. this is 
fine for cyborgs with implanted, bootable usb devices. but, for the rest of us, 
it's something you must consider carefully in your threat model. 

a more thorough discussion of all this in the background blog post, 
https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html

if it doesn't work, you won't be able to boot. you'd have to reinstall qubes and 
start over. if you want to disable it, you might be able to make a new 
passphrase for luks that doesn't need the keyfile on your aem device. there may 
be other steps required, but i haven't tried it.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6e60c38d-2430-455f-8cef-e1d360b7f28c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
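The LUKS fallback the post above hints at, written out as an added example (not code from the original post, from Qubes or from the anti-evil-maid project) as a dom0 shell script. It backs up the LUKS header, adds a plain passphrase keyslot alongside the keyfile slot AEM uses, verifies that the new passphrase actually opens the header, and only then (if a slot number is given) kills the keyfile slot. LUKS_DEV, AEM_KEYFILE and the slot number are placeholders/assumptions; DRY_RUN=1 (the default) only prints the cryptsetup commands, which is how it should be run first.

```shell
#!/bin/sh
# Added example, not part of the original post, Qubes or AEM.
# Adds a passphrase keyslot to a LUKS volume so it can be unlocked without
# the AEM keyfile, verifies it, and only then optionally removes the old slot.
#
# Assumptions/placeholders: LUKS_DEV is the encrypted root partition and
# AEM_KEYFILE is the keyfile AEM currently uses to unlock it. Prints the
# commands instead of running them unless DRY_RUN=0. cryptsetup needs root.
set -eu

LUKS_DEV="${LUKS_DEV:-/dev/sdXN}"                   # placeholder, set to your partition
AEM_KEYFILE="${AEM_KEYFILE:-/path/to/aem/keyfile}"  # placeholder, your AEM keyfile
HEADER_BACKUP="${HEADER_BACKUP:-/root/luks-header.bak}"
DRY_RUN="${DRY_RUN:-1}"

# Run a command, or just echo it when dry-running.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Step 0: keep a header backup so a mistake in the keyslots is recoverable.
backup_header() {
    run cryptsetup luksHeaderBackup "$LUKS_DEV" --header-backup-file "$HEADER_BACKUP"
}

# Step 1: add a passphrase keyslot, authorising with the existing keyfile.
# cryptsetup prompts interactively for the new passphrase.
add_fallback_passphrase() {
    run cryptsetup luksAddKey --key-file "$AEM_KEYFILE" "$LUKS_DEV"
}

# Step 2: prove the new passphrase opens the header before touching the old
# slot. --test-passphrase checks the key without mapping the device.
verify_passphrase() {
    run cryptsetup open --test-passphrase "$LUKS_DEV"
}

# Step 3: list keyslots so the operator can identify the keyfile slot.
show_keyslots() {
    run cryptsetup luksDump "$LUKS_DEV"
}

# Step 4 (optional, irreversible): remove the keyfile-based slot by number.
kill_keyfile_slot() {
    run cryptsetup luksKillSlot "$LUKS_DEV" "$1"
}

# Whole procedure: backup, add, verify, inspect, then kill only if asked.
fallback_from_aem() {
    backup_header
    add_fallback_passphrase
    verify_passphrase
    show_keyslots
    if [ -n "${1:-}" ]; then
        kill_keyfile_slot "$1"
    fi
}

# Usage: DRY_RUN=1 sh fallback.sh            (prints the plan only)
#        DRY_RUN=0 LUKS_DEV=/dev/nvme0n1p2 AEM_KEYFILE=/mnt/aem/keyfile sh fallback.sh
case "$0" in
    *fallback.sh) fallback_from_aem "${1:-}" ;;
esac
```

This covers only the LUKS side: after it, the normal passphrase prompt can unlock the volume even if the AEM device is gone, but whatever AEM placed in the boot configuration is a separate matter, which is the "other steps" the post leaves open. Run the dry run, check the luksDump slot list by hand, and only pass a slot number to kill once the new passphrase has been verified.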
