-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 08/29/2017 06:25 PM, cooloutac wrote: > On Tuesday, August 29, 2017 at 11:38:59 AM UTC-4, Patrik Hagara > wrote: On 08/29/2017 04:50 PM, [email protected] > wrote: >>>> Leo Gaspard, >>>> >>>> I have read about AEM but have never used it, it seems like >>>> it is geared towards protecting from USB's with malicious >>>> firmware on them. >>>> >>>> Does AEM actually verify the integrity of /boot before using? >>>> This is what I am looking for, either a method of encrypting >>>> /boot or even better, a secure method to verify its integrity >>>> during boot >>>> > > AEM does verify the integrity of /boot using the TPM seal/unseal > operation. If any of the boot components change, AEM falls back to > regular, unmeasured boot -- the user is expected to notice this and > cease using the potentially-compromised system (the lack of > explicit indication of failed AEM boot is deliberate, see the last > FAQ item at [1]). > > The security provided by AEM is much more stronger than encrypted > /boot could ever offer, because as already pointed out, there is > always a little first-stage bootloader stub on the disk > unencrypted and it would be easy to overwrite it with a malicious > version that would intercept the encryption passphrase and > exfiltrate it using eg. unused disk sectors. > > If someone did the above with AEM, the TPM would refuse to useal > the AEM secret as the platform state would be different. > > The feature protecting dom0 from malicious USB devices [2] serves > a different purpose and is not related to AEM. Plus, you always > need to disconnect all untrusted USB devices while rebooting Qubes, > regardless of whether you have USB qube set up or not. > > > Cheers, Patrik > > > [1] > https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html [2] > https://www.qubes-os.org/doc/usb/ > > my problem is unfortunately i can't keep buying new pc's. SO maybe > its all for naught for me.. Also AEM does not seem as reliable as > secureboot. Alot of issues on threads with some people. It seems > complicated. even false alarms. But I really do think they are > supposed to compliment each other. trusted boot and measured boot > yes? AEM definitely comes in handy for people who would find it > nescessary to buy new equipment.
Well, it depends... If you can be reasonably sure that the attacker did not modify any firmware (eg. the network card), you could simply reinstall Qubes from a trusted install media and restore VMs from a backup. This becomes trivial once stateless computers [1] are a thing. > But I would still want an encrypted boot, if I was going to use > aem, and key on a external usb disk, which unfortunately means I > could not use a sys-usb. Am I wrong about this? Does this change > in 4.0? It is possible to use AEM along with USB qube, you just have to disable the early hiding of USB devices from dom0. But once Qubes is fully booted and sys-usb started, you get the full USB qubes protecion. > So this is where the what fits into you "security model" What are > you more concered about. I assumed we had to choose between aem vs > sys-usb? For people travelling with laptops in strange places > where physical compromise is more likely aem is a good option. > Some people would prolly not just buy a new laptop but know when to > destroy theirs too lol. The only trade-off for AEM regarding USB devices is that the USB stick you buy to install AEM on could be compromised already (straight from the factory, or intercepted & infected during shipping). And since you need to plug it directly into dom0 in order to perform the install, it could exploit USB or filesystem drivers and gain control of dom0. So it is kind of a trust-on-first-use scenario for the installation step only. Cheers, Patrik [1] https://blog.invisiblethings.org/papers/2015/state_harmful.pdf -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJZpZpBAAoJEFwecd8DH5rlE4gP/3WFFUmqb8ChECEgfgKeDRlz VdLWPVuG8mnIr8SWeSCbkmgTA4fz1F6BWCv4puTDpADMc/HyXzrxkl6hxPBnSgdb Rr01lGXkAda0EcSkhEUcuViCTed+yMf2y7gSJdJJrFnWiomeNft3Bq4KlpqA3t86 r9oofbkH161bGsED8NdTlLFz+uE68gZq7D/ba+xWWJnBM/YT/lWdI29wwZhoJgPn x6sm4BNE5szbBOwFfV5JXAtCQ8E9K4bF0M8Frvh7DUAa3MsZim3iOmgmavo86Mbm hLkjN/N4ujxKd3n6YZuA4tqgx4UOxpQWET8jHTMxgHuVd2Dwt6jpl7Uic+3PXoXt zmoj4BLLhC3vY+8ghPEY7TYNViYCAmAe2LcrNxI4nfUxihLvttR9Nnfut6ENqvDj oIxRDiDRCWA/ZyC7I9C1ZPiFZ1Jyzy34aFfVF6YCESSvnfI+xGn7XFs+EpVunmiA jnSxQJTK2Y5Pqh8SLWuMGNPEGr7MF/ekKmIlepn372ftL++2D04kuHvKzn9ZQdun rC3v7yGuFHHca6Cakj4ks9q4cZ012g2Ch6hE2S8WcTZkEbeequMNEtGYT+9BuWpr GlLmg5EffaMBxKP6WZuiv6okXyJnVCdBctpxC3qmTeRX4pTn4eaQsr4iXbCkfRnV ODlfYMpurBuNhFfuwiSw =ANmo -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4139475c-772d-b9e4-27e8-a5b3f524995b%40gmail.com. For more options, visit https://groups.google.com/d/optout.
0x031F9AE5.asc
Description: application/pgp-keys
0x031F9AE5.asc.sig
Description: PGP signature
