On Tuesday, August 29, 2017 at 12:46:04 PM UTC-4, Patrik Hagara wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > On 08/29/2017 06:25 PM, cooloutac wrote: > > On Tuesday, August 29, 2017 at 11:38:59 AM UTC-4, Patrik Hagara > > wrote: On 08/29/2017 04:50 PM, [email protected] > > wrote: > >>>> Leo Gaspard, > >>>> > >>>> I have read about AEM but have never used it, it seems like > >>>> it is geared towards protecting from USB's with malicious > >>>> firmware on them. > >>>> > >>>> Does AEM actually verify the integrity of /boot before using? > >>>> This is what I am looking for, either a method of encrypting > >>>> /boot or even better, a secure method to verify its integrity > >>>> during boot > >>>> > > > > AEM does verify the integrity of /boot using the TPM seal/unseal > > operation. If any of the boot components change, AEM falls back to > > regular, unmeasured boot -- the user is expected to notice this and > > cease using the potentially-compromised system (the lack of > > explicit indication of failed AEM boot is deliberate, see the last > > FAQ item at [1]). > > > > The security provided by AEM is much more stronger than encrypted > > /boot could ever offer, because as already pointed out, there is > > always a little first-stage bootloader stub on the disk > > unencrypted and it would be easy to overwrite it with a malicious > > version that would intercept the encryption passphrase and > > exfiltrate it using eg. unused disk sectors. > > > > If someone did the above with AEM, the TPM would refuse to useal > > the AEM secret as the platform state would be different. > > > > The feature protecting dom0 from malicious USB devices [2] serves > > a different purpose and is not related to AEM. Plus, you always > > need to disconnect all untrusted USB devices while rebooting Qubes, > > regardless of whether you have USB qube set up or not. > > > > > > Cheers, Patrik > > > > > > [1] > > https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html [2] > > https://www.qubes-os.org/doc/usb/ > > > > my problem is unfortunately i can't keep buying new pc's. SO maybe > > its all for naught for me.. Also AEM does not seem as reliable as > > secureboot. Alot of issues on threads with some people. It seems > > complicated. even false alarms. But I really do think they are > > supposed to compliment each other. trusted boot and measured boot > > yes? AEM definitely comes in handy for people who would find it > > nescessary to buy new equipment. > > Well, it depends... If you can be reasonably sure that the attacker > did not modify any firmware (eg. the network card), you could simply > reinstall Qubes from a trusted install media and restore VMs from a > backup. This becomes trivial once stateless computers [1] are a thing. > > > But I would still want an encrypted boot, if I was going to use > > aem, and key on a external usb disk, which unfortunately means I > > could not use a sys-usb. Am I wrong about this? Does this change > > in 4.0? > > It is possible to use AEM along with USB qube, you just have to > disable the early hiding of USB devices from dom0. But once Qubes is > fully booted and sys-usb started, you get the full USB qubes protecion. > > > So this is where the what fits into you "security model" What are > > you more concered about. I assumed we had to choose between aem vs > > sys-usb? For people travelling with laptops in strange places > > where physical compromise is more likely aem is a good option. > > Some people would prolly not just buy a new laptop but know when to > > destroy theirs too lol. > > The only trade-off for AEM regarding USB devices is that the USB stick > you buy to install AEM on could be compromised already (straight from > the factory, or intercepted & infected during shipping). And since you > need to plug it directly into dom0 in order to perform the install, it > could exploit USB or filesystem drivers and gain control of dom0. > > So it is kind of a trust-on-first-use scenario for the installation > step only. > > > Cheers, > Patrik > > > [1] https://blog.invisiblethings.org/papers/2015/state_harmful.pdf > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2 > > iQIcBAEBCAAGBQJZpZpBAAoJEFwecd8DH5rlE4gP/3WFFUmqb8ChECEgfgKeDRlz > VdLWPVuG8mnIr8SWeSCbkmgTA4fz1F6BWCv4puTDpADMc/HyXzrxkl6hxPBnSgdb > Rr01lGXkAda0EcSkhEUcuViCTed+yMf2y7gSJdJJrFnWiomeNft3Bq4KlpqA3t86 > r9oofbkH161bGsED8NdTlLFz+uE68gZq7D/ba+xWWJnBM/YT/lWdI29wwZhoJgPn > x6sm4BNE5szbBOwFfV5JXAtCQ8E9K4bF0M8Frvh7DUAa3MsZim3iOmgmavo86Mbm > hLkjN/N4ujxKd3n6YZuA4tqgx4UOxpQWET8jHTMxgHuVd2Dwt6jpl7Uic+3PXoXt > zmoj4BLLhC3vY+8ghPEY7TYNViYCAmAe2LcrNxI4nfUxihLvttR9Nnfut6ENqvDj > oIxRDiDRCWA/ZyC7I9C1ZPiFZ1Jyzy34aFfVF6YCESSvnfI+xGn7XFs+EpVunmiA > jnSxQJTK2Y5Pqh8SLWuMGNPEGr7MF/ekKmIlepn372ftL++2D04kuHvKzn9ZQdun > rC3v7yGuFHHca6Cakj4ks9q4cZ012g2Ch6hE2S8WcTZkEbeequMNEtGYT+9BuWpr > GlLmg5EffaMBxKP6WZuiv6okXyJnVCdBctpxC3qmTeRX4pTn4eaQsr4iXbCkfRnV > ODlfYMpurBuNhFfuwiSw > =ANmo > -----END PGP SIGNATURE-----
Doesn't Qubes assume the netcard will be compromised, hence untrusted. So good to know we can use a usb key with a sys-usb. IS there some sort of risk to doing this? Do we have to pull out the usb stick quickly after booting before system loads or something? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c72785f4-e9fd-4a24-9aea-340978b89114%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
