Re: [qubes-users] AEM questions

2017-02-16 Thread jd87

Thanks for answering, but I still have some questions:


(In any case, I will use a passphrase for AEM.)

1) Is there a difference between using a USB drive or using an
internal partition? (except for having a second device in case of a USB
drive)


Yes. You should keep your AEM boot with you on a separate device. If you
don't, an attacker could see your secret phrase by booting the system.


But isn't this what I am using a password for?
The AEM data is protected by my AEM pw.
After entering it, it is used to decrypt my secret + (somehow) check the
system integrity.
If this fails, my AEM pw is burned.
In case it succeeds, I enter my LUKS pw and the system data is encrypted.
At least this is how I understood it.

Also, if this was the case, why is there the option to leave it on the
internal disk?
From the AEM README
(https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/README
55-60):

"
You may want to use non-default password for the SRK key (see the
discussion in the article referenced above), certainly if you want to save
the sealed secrets to your internal boot partition. In that case you SHOULD
NOT pass the '-z' argument to tpm_takeownership.
"

This suggests it is safe to use an internal boot partition if a password is
passed to `tpm_takeownership`.

So what is the case?


This is also important if you want AEM to warn you after a /remote/
(non-Evil Maid) attack has affected your BIOS.


How does this work?


3) Is unhiding my USB devices only required during AEM setup? (I guess
so, but I thought I would ask)


I think you refer to the option that suppresses USB devices during boot.


I refer to this (
https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/README
110-120)

"
Note: If you choose to use a USB device (e.g., a flash drive) as your AEM
device and you previously created a USB qube, then you may have to unhide
your USB controller from dom0:

  1. Open the file `/etc/default/grub` in dom0.
  2. Find the line that begins with `GRUB_CMDLINE_LINUX`.
  3. If present, remove `rd.qubes.hide_all_usb` from that line.
  4. Save and close the file.
  5. Run the command `grub2-mkconfig -o /boot/grub2/grub.cfg` in dom0.
  6. Reboot.
"
Here you unhide the USB controller so it is accessible from dom0.


3) Is unhiding my USB devices only required during AEM setup? (I guess
so, but I thought I would ask)


I think you refer to the option that suppresses USB devices during boot.
This should be turned off when booting AEM (not just installing) from a
USB stick so the verification sequence can read the secret from the USB
stick.


This is not mentioned anywhere in the documentation. I think it should be.

- Joe



--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170216011755.Horde.CWX56sY8PUOKT-USjx2MNA1%40www.vfemail.net.
For more options, visit https://groups.google.com/d/optout.
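
Added example, not part of the thread or the AEM README: shell functions that check a GRUB defaults file for `rd.qubes.hide_all_usb` (steps 1-3 of the quoted procedure), print an edited copy, and check a kernel command line after the reboot in step 6. The function names and the sample file contents are constructed for illustration; the script never touches `/etc/default/grub` itself.

```shell
#!/bin/sh
# Added example (not from the AEM README). Checks a GRUB defaults file for
# rd.qubes.hide_all_usb and prints an edited copy; it never modifies the input.

# Exit 0 if a GRUB_CMDLINE_LINUX* line in file $1 carries the option.
has_hide_all_usb() {
    grep -Eq '^GRUB_CMDLINE_LINUX.*[" =]rd\.qubes\.hide_all_usb([" ]|$)' "$1"
}

# Print file $1 with the option removed from GRUB_CMDLINE_LINUX* lines only.
strip_hide_all_usb() {
    sed -E \
        -e '/^GRUB_CMDLINE_LINUX/s/ +rd\.qubes\.hide_all_usb( |"|$)/\1/g' \
        -e '/^GRUB_CMDLINE_LINUX/s/(=|")rd\.qubes\.hide_all_usb( +|("|$))/\1\3/' \
        "$1"
}

# Exit 0 if kernel command line string $1 carries the option (use after the
# reboot with the contents of /proc/cmdline).
cmdline_hides_usb() {
    case " $1 " in
        *" rd.qubes.hide_all_usb "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of /etc/default/grub; the other parameters are placeholders.
write_sample() {
    cat > "$1" <<'EOF'
GRUB_TIMEOUT=5
# rd.qubes.hide_all_usb in a comment must stay untouched
GRUB_CMDLINE_LINUX="rd.lvm.lv=qubes_dom0/root rd.qubes.hide_all_usb rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_sample "$tmp/grub"
    has_hide_all_usb "$tmp/grub" && echo "option present: USB controllers hidden from dom0"
    strip_hide_all_usb "$tmp/grub" > "$tmp/grub.new"
    grep '^GRUB_CMDLINE_LINUX' "$tmp/grub.new"
    rm -rf "$tmp"
}
demo
```

In dom0 the edited copy would be reviewed before it replaces the real file, followed by the `grub2-mkconfig` run and reboot from the quoted steps.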


[qubes-users] AEM questions

2017-02-14 Thread jd87

Hi.
Since I will be traveling for a bit, my threat model changed and I want
AEM.
When reading the documentation, a few questions came up:
(In any case, I will use a passphrase for AEM.)

1) Is there a difference between using a USB drive or using an internal
partition? (except for having a second device in case of a USB drive)
2) Citing from the AEM README:
'If you've chosen the latter option [using an external boot device], you
should then remove the internal boot partition from dom0's /etc/fstab,
never mount it again in dom0, and never boot from it again, because an
attacker might modify it to exploit GRUB or dom0 filesystem drivers.'
What would happen if I lost my external boot device?
Could I still boot without it?
3) Is unhiding my USB devices only required during AEM setup? (I guess so,
but I thought I would ask)
4) The article from 2011
(http://theinvisiblethings.blogspot.hu/2011/09/anti-evil-maid.html)
mentions keyfiles.
Is this implemented? (The README says nothing about it.)

-joe




Re: [qubes-users] building ubuntu14 template

2016-12-18 Thread jd87

Quoting Unman:


On Sat, Dec 17, 2016 at 01:09:38PM -0600, j...@vfemail.net wrote:

Hi.
I am trying to build an ubuntu14 template:

From the doc: 'Ubuntu 14.4 LTS (Trusty) can be built with little effort.'
So I assume it should work.

When executing `make qubes-vm` I get the following error:

Ign http://ppa.launchpad.net trusty/main Translation-en
Reading package lists...
# Parse debian/control for Build-Depends and install
/home/user/qubes-builder/qubes-src/builder-debian//scripts/debian-parser control --build-depends /home/user/qubes-builder/chroot-trusty//home/user/qubes-src/vmm-xen/debian-vm/debian/control |\
    xargs sudo chroot /home/user/qubes-builder/chroot-trusty apt-get install -y
Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package libsystemd-dev
E: Unable to locate package libsystemd-dev
/home/user/qubes-builder/qubes-src/builder-debian/Makefile.qubuntu:167:
recipe for target 'dist-build-dep' failed
make[2]: *** [dist-build-dep] Error 123
Makefile.generic:139: recipe for target 'packages' failed
make[1]: *** [packages] Error 1
Makefile:209: recipe for target 'vmm-xen-vm' failed
make: *** [vmm-xen-vm] Error 1

What can I do to fix this?

-joe
 


The error is in building vmm-xen.
I see there was a patch back in July that added libsystemd-dev under
Build-Depends. Clearly this isn't going to work under Trusty as that
package isn't available.
You could try removing those lines from debian/control and seeing if
vmm-xen-vm builds. I'm pretty sure it won't, but don't have time to test
that.
I'll have a look shortly to get Trusty working again.

It isn't yet in the docs but you could also try a 16.4 build. Feedback
would be useful.
unman


I can build ubuntu16, but need 14, since this sadly is the target platform
in one of the projects I am working in.
Currently I use an ubuntu14 HVM and ssh -X, but this is annoying.

Some time ago the doc contained something about problems when building
ubuntu 14, but this section was removed.
Hence I assumed this problem was fixed.

I tried removing libsystemd.
I removed the lines:
 * qubes-src/vmm-xen/debian-vm/debian/control:28:    libsystemd-dev,
 * qubes-src/vmm-xen/debian-vm/debian/control:29:    libsystemd-dev:amd64,

and executed:
 * make clean
 * make qubes-vm

This failed, since some commands used "--enable-systemd
--with-systemd=/lib/systemd/system".

Then I tried reverting the commit:
 * git revert da5ee8fb0
and did some merging (mostly I had to guess, since I don't know what).
When building I got a different error:

-> Building core-qubesdb (debian) for trusty vm (logfile:
build-logs/core-qubesdb-vm-trusty.log)
--> build failed!
Perhaps you should add the directory containing `libsystemd.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libsystemd' found
Package libsystemd-daemon was not found in the pkg-config search path.
Perhaps you should add the directory containing `libsystemd-daemon.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libsystemd-daemon' found
cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -I../include -I. -g -Wall -Werror -pie -fPIC -O2
`pkg-config --cflags libsystemd || pkg-config --cflags libsystemd-daemon`
`pkg-config --cflags vchan-xen` -DBACKEND_VMM_xen   -c -o db-daemon.o
db-daemon.c
Package libsystemd was not found in the pkg-config search path.
Perhaps you should add the directory containing `libsystemd.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libsystemd' found
Package libsystemd-daemon was not found in the pkg-config search path.
Perhaps you should add the directory containing `libsystemd-daemon.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libsystemd-daemon' found
db-daemon.c:32:31: fatal error: systemd/sd-daemon.h: No such file or directory
 #include <systemd/sd-daemon.h>
   ^
compilation terminated.
make[3]: *** [db-daemon.o] Error 1
make[3]: Leaving directory `/home/user/qubes-src/core-qubesdb/daemon'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/user/qubes-src/core-qubesdb'
make[1]: *** [override_dh_auto_build] Error 2
make[1]: Leaving directory `/home/user/qubes-src/core-qubesdb'
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2
/home/user/qubes-builder/qubes-src/builder-debian/Makefile.qubuntu:192:
recipe for target 'dist-package' failed
make[2]: *** [dist-package] Error 2
Makefile.generic:139: recipe for target 'packages' failed
make[1]: *** [packages] Error 1
Makefile:209: recipe for target 'core-qubesdb-vm' failed
make: *** [core-qubesdb-vm] Error 1

I guess I did forget some stuff, or other commits also use systemd (I guess
this will be the case for some of the 31 commits).

When looking at the old issues from the ML (
https://groups.google.com/d/msg/qubes-users/w0uZNr8nno8/n1fe6dLtBQAJ ):
Achim Patzner wrote:

I tried that last Sunday but it 

[qubes-users] building ubuntu14 template

2016-12-17 Thread jd87

Hi.
I am trying to build an ubuntu14 template:

From the doc: 'Ubuntu 14.4 LTS (Trusty) can be built with little effort.'
So I assume it should work.

When executing `make qubes-vm` I get the following error:

Ign http://ppa.launchpad.net trusty/main Translation-en
Reading package lists...
# Parse debian/control for Build-Depends and install
/home/user/qubes-builder/qubes-src/builder-debian//scripts/debian-parser control --build-depends /home/user/qubes-builder/chroot-trusty//home/user/qubes-src/vmm-xen/debian-vm/debian/control |\
    xargs sudo chroot /home/user/qubes-builder/chroot-trusty apt-get install -y
Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package libsystemd-dev
E: Unable to locate package libsystemd-dev
/home/user/qubes-builder/qubes-src/builder-debian/Makefile.qubuntu:167:
recipe for target 'dist-build-dep' failed
make[2]: *** [dist-build-dep] Error 123
Makefile.generic:139: recipe for target 'packages' failed
make[1]: *** [packages] Error 1
Makefile:209: recipe for target 'vmm-xen-vm' failed
make: *** [vmm-xen-vm] Error 1

What can I do to fix this?

-joe

