On Monday, July 17, 2017 at 8:31:42 PM UTC-4, pixel fairy wrote:
> On Sunday, July 16, 2017 at 9:55:55 AM UTC-7, yreb-qusw wrote:
> > On 07/16/2017 01:27 AM, pixel fairy wrote:
> > > ---
> > > In Dom0 install anti-evil-maid:
> > >
> > > sudo qubes-dom0-update anti-evil-maid
> > > ---
> > Doesn't sound like 'more work' just doing the above, perhaps there is 
> > more to it, I thought, it mentioned it's better to install via a USB Drive?
> 
> https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/README
> 
> as you can see, it's a lot of steps, and only some laptops are compatible. 
> there are even new laptops, like the system76 lemur7 (i7 skylake), that can't 
> do AEM. 
> 
> ideally you can boot from a non usb external device, such as an sd card in 
> your purse or wallet. if you do use usb, then you have to disable hiding the 
> usb controller for a bit, which gives your attacker a window of opportunity 
> for the kinds of things AEM is meant to detect. 
> 
> this is a small window of opportunity, but there is the theoretical case 
> that a clueless attacker with only a short time boots from their own device, 
> the attack fails because usb is locked (and they may not even know this), and 
> your laptop is ok. whereas if AEM needed that usb controller enabled to 
> function, the attack would succeed, or at least succeed enough to trip AEM. 
> 
> > What would be the "trade off"  and/or  How would I disable it , if it 
> > somehow messes up my Qubes install?
> 
> the most obvious trade off is needing your boot device to boot your laptop. 
> so, you must protect this device. you'll probably want more than one of them 
> in case one is lost or damaged, so you have to protect multiple devices. this 
> is fine for cyborgs with implanted, bootable usb devices. but, for the rest 
> of us, it's something you must consider carefully in your threat model. 
> 
> a more thorough discussion of all this in the background blog post, 
> https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html
> 
> if it doesn't work, you won't be able to boot. you'd have to reinstall qubes and 
> start over. if you want to disable it, you might be able to make a new 
> passphrase for luks that doesn't need the keyfile on your aem device. there 
> may be other steps required, but I haven't tried it.

like pixel said, you can either use a usb stick like a yubikey to boot, or use a 
usbvm; I don't think you can do both. so in most cases a home desktop pc 
would probably just use a usbvm. but if you're someone that travels with a laptop 
that might be accessible to others, you might want to boot with a usb key. 

aem can be used on both, but without a usb key if using a usbvm. it should be noted 
that aem only notifies you that something happened; like pixel said, it doesn't stop 
the attack, like secure boot would in the case of Hacking Team's Insyde BIOS 
attack. Also, the only true option then would be to buy all new hardware if 
such a compromise did happen. But some people upgrade their hardware every two 
years anyway. If you're careful you can last that long.
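The LUKS side of what pixel describes (a passphrase slot that doesn't depend on the keyfile kept on the AEM device, so the machine can boot without it) can be done with stock cryptsetup. The script below is an added example, not code from this thread or from the AEM project. It assumes the AEM keyfile occupies one LUKS keyslot whose number you already know (passed as the second argument) and that the first argument is dom0's encrypted root volume; the luksDump samples, the header backup path and the script name are constructed for the illustration. The check it adds is the one that matters: never kill a keyslot unless another active slot remains, or the next boot is the reinstall pixel warns about.

```shell
#!/bin/sh
# Added example (not from the thread or the AEM project): replace an AEM
# keyfile keyslot with a plain passphrase slot, refusing to proceed if that
# would leave the LUKS header with no other usable slot.
# Assumptions: $1 is the LUKS device, $2 is the slot holding the AEM keyfile.

# Print the active keyslot numbers from `cryptsetup luksDump` output read on
# stdin, space-separated. Handles LUKS1 ("Key Slot N: ENABLED") and the
# LUKS2 "Keyslots:" section.
luks_active_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(/:$/, "", $3); print $3; next }  # LUKS1
        /^Keyslots:/                { in_ks = 1; next }                  # LUKS2 section
        /^[A-Za-z]/                 { in_ks = 0 }                        # next section
        in_ks && /^[[:space:]]*[0-9]+: luks2/ { sub(/:$/, "", $1); print $1 }
    ' | tr '\n' ' ' | sed 's/ $//'
}

# Succeed only if at least one active slot other than $1 remains, i.e. it is
# safe to kill slot $1. Reads luksDump output on stdin.
other_slots_remain() {
    target=$1
    for s in $(luks_active_slots); do
        [ "$s" != "$target" ] && return 0
    done
    return 1
}

# Constructed LUKS1 luksDump output (what a 2017-era Qubes dom0 would show),
# trimmed to the lines the parser cares about. Slot 0: passphrase, slot 1: keyfile.
LUKS1_SAMPLE='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Key Slot 0: ENABLED
        Iterations:             123456
Key Slot 1: ENABLED
        Iterations:             123456
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

# Constructed LUKS2-style output with a single active slot (must not be killed).
LUKS2_SAMPLE='LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
Tokens:
Digests:
  0: pbkdf2'

if [ "$#" -ge 2 ]; then
    DEV=$1; KEYFILE_SLOT=$2
    # 1. Back up the header first; restoring it undoes any slot mistake.
    cryptsetup luksHeaderBackup "$DEV" --header-backup-file /root/luks-header.bak
    # 2. Add a passphrase-only slot. cryptsetup prompts for an existing
    #    secret (or pass the AEM keyfile with --key-file) and the new passphrase.
    cryptsetup luksAddKey "$DEV"
    # 3. Kill the keyfile slot only if another active slot now exists.
    if cryptsetup luksDump "$DEV" | other_slots_remain "$KEYFILE_SLOT"; then
        cryptsetup luksKillSlot "$DEV" "$KEYFILE_SLOT"
    else
        echo "refusing to kill slot $KEYFILE_SLOT: it is the only active slot" >&2
        exit 1
    fi
else
    # No device given: exercise the parser on the constructed samples.
    printf '%s\n' "$LUKS1_SAMPLE" | luks_active_slots; echo
    printf '%s\n' "$LUKS2_SAMPLE" | luks_active_slots; echo
fi
```

Run it with no arguments to see the parser work on the samples; in dom0 it would be `sh disable-aem-keyfile.sh /dev/sdaN <slot>` (hypothetical filename). This only handles the LUKS keyslots; whatever else AEM installed (boot device contents, TPM state) is a separate cleanup that the AEM README, not this script, describes.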
