Re: [Tails-dev] LUKS update

2013-12-26 Thread intrigeri
Jan Nielsen wrote (26 Dec 2013 03:58:24 GMT) :
> Hi all.
>
> I propose that the next release of TAILS come shipped with cryptsetup
> version 1.6. Currently, it comes with version 1.4.3.
>
> I ask this so that the default encryption cipher used by LUKS (when
> performing FDE on a USB, for example) becomes aes-xts-plain64 instead of
> the older, less secure aes-cbc-essiv cipher.
>
> I am aware that this can be accomplished in version 1.4.3 of cryptsetup.
> But an upgrade to the newest version would be greatly helpful in preserving
> the encryption security in TAILS.

This discussion has started in the CBC malleability attack thread
started two days ago. Please add anything that backs your proposal
there (that might, or might not include an offer to do the needed
backporting and testing work). Thanks in advance.

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
___
tails-dev mailing list
tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev


Re: [Tails-dev] Please review'n'merge test/rjb-migration

2013-12-26 Thread bertagaz
On Wed, Dec 25, 2013 at 08:36:57PM +0100, intrigeri wrote:
> berta...@ptitcanardnoir.org wrote (24 Dec 2013 11:39:27 GMT) :
> > and then run the test suite.
>
> I get the same error you had a week ago or so:
>
>   Call to virDomainCreateWithFlags failed: unsupported
>   configuration: ich9-usb-ehci1 not supported in this QEMU binary
>   (Libvirt::Error)
>
> How did you fix this? If I'm the second one to hit it, perhaps this
> should be documented?

To be honest, it did get fixed almost by itself.

I just played a bit manually with virsh to create the VM while trying to
understand the issue, and at some point it did work. As I didn't change
anything really, in the host configuration or in the VM one, I assumed I
did something wrong at first and there was in fact no issue at all. I
also did a search on Debian's BTS and qemu/libvirt sources to find reports
or changes that might be related, but found nothing.

Did you restart the computer/VM where you installed the test suite after
having done so? I remember I did, that might be why I got it to work.

If you get this issue too, sure it needs to be documented. But we have to
understand it first. :)

bert.


Re: [Tails-dev] Please review'n'merge test/rjb-migration

2013-12-26 Thread intrigeri
berta...@ptitcanardnoir.org wrote (26 Dec 2013 10:03:06 GMT) :
> > How did you fix this? If I'm the second one to hit it, perhaps this
> > should be documented?
>
> To be honest, it did get fixed almost by itself.
[...]
> Did you restart the computer/VM where you installed the test suite after
> having done so? I remember I did, that might be why I got it to work.

I've rebooted the system and it now works!

> If you get this issue too, sure it needs to be documented. But we have to
> understand it first. :)

Added `service libvirt-bin restart' to the documentation.
Hopefully this will be enough.

Cheers,
-- 
  intrigeri


Re: [Tails-dev] Please review draft documentation for IUK

2013-12-26 Thread intrigeri
intrigeri wrote (25 Dec 2013 18:54:12 GMT) :
> Not enough memory available
> ---
>
> Applied, but I had to turn the bullet list into something else, and
> <br/> into newline, since zenity can't display these. This gives:
>
>   Not enough memory available to check for upgrades.
>
>   Make sure this system satisfies the requirements for running Tails.
>   See file:///usr/share/doc/tails/website/doc/about/requirements/index.en.html.
>
>   Try to restart Tails and upgrade again.

Actually, "upgrade again" seems suboptimal: first, it suggests that
the user has something specific to do, which is wrong; second, this is
not about upgrading, but merely about checking for upgrades.

>   Or do a manual upgrade.
>   See https://tails.boum.org/doc/first_steps/upgrade#manual
>
> XXX: I get this error message when trying to do the upgrade from a VM
>  with 1024MB. That's in contradiction with what is on the
>  requirement page at the moment.
>
> IIRC, I've seen that too when the web browser was open, but not
> otherwise. Can you confirm this? Also, we're running many various
> programs in parallel (and in the background) at login time, so the
> results might be a little bit racy / random in this area.
>
> Perhaps we should just merge feature/dont_autostart_iceweasel to
> workaround this issue (IIRC that branch was only blocked by the broken
> test suite, and it looks like, thanks to bertagaz, I might be able to
> fix that in the next few days).
>
> Anyway, the requirements page also says one can use Tails on a DVD,
> and then one doesn't get incremental upgrades either, so personally
> I'm not *that* concerned even if incremental upgrades require, say,
> a bit more than 1GB of RAM. On the long run, I'll port all this stuff
> from Moose to Moo, and we'll save some RAM — WIP (e.g. I've proposed
> a patch upstream to port GnuPG::Interface to Moo today).

Re-thinking of it a bit, this might be a bit more serious than
I thought initially. I still hold the position that it's fine if
applying an incremental upgrade requires a bit more than 1GB of RAM.

However, *checking* for available upgrades should work with the
minimal recommended amount of RAM. So, *if* it's enough to close the
web browser to make this work (which I believe, and will try to
confirm later today - #6535), then I'll mark this as blocked by #5735
(dont autostart iceweasel) and will work on completing that one too.

Worst case, if even closing the browser is not enough, then I'll have
to find another solution or workaround.

Cheers,
-- 
  intrigeri


Re: [Tails-dev] Please review draft documentation for IUK

2013-12-26 Thread intrigeri
intrigeri wrote (25 Dec 2013 18:54:12 GMT) :
> #1. New version available
> -
>
> Applied (as found on the blueprint).

So, this reads:

   You should manually upgrade to %{name}s %{version}s.

   For more information about this new version, go to %{details_url}s.

   Note that it is not possible to do an automatic upgrade on your
   system. Automatic upgrades are only possible on a Tails device
   installed using Tails Installer.

   To learn how to manually upgrade, go to
   https://tails.boum.org/doc/first_steps/upgrade/#manual

I find this confusing for users who would be pointed to the manual
upgrade despite they have installed Tails with our installer,
e.g. because there isn't enough free space on the system partition, or
not enough free memory to apply the incremental upgrade.

What do you think?

Cheers,
-- 
  intrigeri


Re: [Tails-dev] Please review draft documentation for IUK

2013-12-26 Thread intrigeri
intrigeri wrote (25 Dec 2013 18:54:12 GMT) :
 Applied, but zenity does not support bold text AFAICT, so:

I was wrong, and am reintroducing all the bold text that
sajolida proposed.



Re: [Tails-dev] CBC malleability attack

2013-12-26 Thread Marco Calamari
On Wed, 2013-12-25 at 21:34 +0100, intrigeri wrote:
> Hi,
>
> Marco Calamari wrote (24 Dec 2013 11:42:36 GMT) :
> > After reading the description of this attack (injection attack type
> > against LUKS-CBC volumes)
> >
> > http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/
> >
> > I checked that my persistent partition (built a lot of TAILS
> > versions ago) is of CBC type.
>
> If an attacker gets write access to a Tails USB stick, they can as
> well corrupt the initramfs or some other part of the system, and from
> there have a persistent file be modified during next boot, without
> having to guess what block this file is stored at in the persistent
> volume. Seems easier than the attack against CBC, no?
>
> Or did I miss the threat model you had in mind?

Hi

no, absolutely, you're right; but CBC has been under criticism for a long
time, so at least doing persistence without it should not need an
explicit danger, but only because it is not best of breed and the
alternative block cipher is already there and comes for free.

> > Time to switch to XTS and/or warn user having CBC partition to
> > reformat?
>
> Note that cryptsetup 1.6 defaults to XTS. Once Tails is based on
> Wheezy, we might want to install this version, assuming a backport is
> not too painful to produce and maintain. Anyone volunteering to
> try this?
>
> Additionally, this would provide compatibility with the on-disk
> TrueCrypt format (which is not very useful until the rest of the
> udisks / GNOME Disks / Nautilus stack has this support, wishlist bug
> reported there a while ago, needs someone to write the code).


-- 
+--- http://www.winstonsmith.org  ---+
| il Progetto Winston Smith: scolleghiamo il Grande Fratello |
| the Winston Smith Project: unplug the Big Brother  |
| Marco A. Calamari mar...@marcoc.it  http://www.marcoc.it   |
| DSS/DH:  8F3E 5BAE 906F B416 9242 1C10 8661 24A9 BFCE 822B |
+ PGP RSA: ED84 3839 6C4D 3FFE 389F 209E 3128 5698 --+


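One defensive check that serves both Jan's proposal (make aes-xts-plain64 the default) and Marco's question about warning users whose persistent volume still uses CBC, as an added example that is neither Tails code nor code posted in this thread: a POSIX shell script that classifies a LUKS1 volume's cipher mode from `cryptsetup luksDump` output. The luksDump samples are constructed for illustration and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from Tails): flag LUKS1 volumes
# whose cipher mode is CBC by parsing `cryptsetup luksDump` output.
# Function names are invented; the luksDump samples below are constructed.

# Print "<cipher>-<mode>" (e.g. aes-cbc-essiv:sha256) from luksDump text on
# stdin. luksDump prints "Cipher name:" and "Cipher mode:" on separate lines.
luks_cipher_mode() {
    awk -F':[ \t]+' '
        /^Cipher name:/ { name = $2 }
        /^Cipher mode:/ { mode = $2 }
        END { if (name != "" && mode != "") print name "-" mode }'
}

# Classify a "<cipher>-<mode>" string as cbc, xts or other.
luks_mode_verdict() {
    case "$1" in
        *-cbc-*) echo cbc ;;
        *-xts-*) echo xts ;;
        *)       echo other ;;
    esac
}

# Report on a real device (needs root). Returns 1 for CBC, 0 for XTS,
# 2 if the header cannot be read or the mode is unrecognised.
check_device() {
    mode=$(cryptsetup luksDump "$1" | luks_cipher_mode)
    [ -n "$mode" ] || { echo "$1: no readable LUKS1 header"; return 2; }
    case $(luks_mode_verdict "$mode") in
        cbc) echo "$1: $mode is CBC; re-create the volume with XTS"; return 1 ;;
        xts) echo "$1: $mode is XTS"; return 0 ;;
        *)   echo "$1: $mode is an unrecognised mode"; return 2 ;;
    esac
}

# Constructed samples in LUKS1 luksDump layout: the cryptsetup 1.4.x
# default (cbc-essiv) and the cryptsetup 1.6 default (xts-plain64).
SAMPLE_CBC='LUKS header information for /dev/sdb2
Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256'

SAMPLE_XTS='LUKS header information for /dev/sdc2
Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64'

# Demonstration on the samples (no device access needed).
for s in "$SAMPLE_CBC" "$SAMPLE_XTS"; do
    m=$(printf '%s\n' "$s" | luks_cipher_mode)
    echo "$m -> $(luks_mode_verdict "$m")"
done
```

With cryptsetup 1.4.x, XTS can already be selected explicitly at creation time with `cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512`, which is the possibility Jan refers to.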


Re: [Tails-dev] Please review draft documentation for IUK

2013-12-26 Thread intrigeri
intrigeri wrote (26 Dec 2013 13:30:53 GMT) :
> However, *checking* for available upgrades should work with the
> minimal recommended amount of RAM. So, *if* it's enough to close the
> web browser to make this work (which I believe, and will try to
> confirm later today - #6535), then I'll mark this as blocked by #5735
> (dont autostart iceweasel) and will work on completing that one too.

In my tests, everything works fine with 1GB of RAM, see details on
#6535, even when leaving the browser open. sajolida, please tell me
how I can reproduce this issue. E.g. were you running the incremental
upgrader multiple times in the same session, or using APT, or running
other apps at the same time, or what?

Reassigned #6535 to sajolida for more info. In the meantime, I'll
consider this as not something I can do anything about.

Cheers,
-- 
  intrigeri


Re: [Tails-dev] Last steps toward enabling incremental upgrades by default [

2013-12-26 Thread intrigeri
intrigeri wrote (17 Dec 2013 17:13:41 GMT) :
> I've just released Tails-IUK 0.13, that fixes all coding tasks left
> for phase three. I'm giving it a manual testing session as we speak.
> Please use this version (or later) for any further testing,
> documentation work and comments.

From now on, please use Tails-IUK 0.14 (that has all improvements
suggested by sajolida) for testing etc. #6014 says we're almost there!

> If you want to test the incremental upgrader itself, install Tails
> 0.22~rc2, set an admin password, retrieve the latest tails-iuk package
> from our APT repo (http://deb.tails.boum.org/pool/main/t/tails-iuk/,
> or preferably by adding our feature-incremental-upgrades-integration
> suite to your APT sources), install it and run:
>
> $ tails-upgrade-frontend-wrapper

Still valid (note that I've only tested by installing the .deb with
dpkg, not with APT that will suck way more memory).

Please also install the latest version of the wrapper script
(config/chroot_local-includes/usr/local/bin/tails-upgrade-frontend-wrapper)
from the feature/incremental-upgrades-integration Git branch into
/usr/local/bin/.

Cheers,
-- 
  intrigeri


Re: [Tails-dev] Please review'n'merge test/rjb-migration

2013-12-26 Thread intrigeri
intrigeri wrote (25 Dec 2013 19:57:34 GMT) :
> I've merged devel into this branch, and pushed a few minor
> improvements on top. Once the issue reported in my other mail is
> solved and I can run the test suite, I'll look further.

I'm looking further.

I don't want to merge this branch with so many failing tests, as one
expected failure (e.g. due to a missing image update) may very well
hide other issues that might be caused by the migration to RJB.

So, I've started fixing every test case I could. Doing this in the
test/rjb-migration branch too, even if it doesn't 100% belong here,
because IMO this goes with merging this branch.

In the state where I've brought test/rjb-migration today, all tests
now pass but:

  * the USB-related tests. Reported as #6537. I'm going to try and
    fix those now.

  * the "Windows should appear like those in Microsoft Windows XP"
    scenario: in 0.22, the browser's title bar displays the Iceweasel
    icon, instead of the IE one, so it looks like the Windows
    camouflage script misses an update for FF24. Reported as #6536,
    will try to fix in time for 0.22.1 as it's a regression.

Cheers,
-- 
  intrigeri


[Tails-dev] #6538: Tails Installer tries to install to too small devices [Was: Installation USB-Stick]

2013-12-26 Thread intrigeri
intrigeri wrote (10 Sep 2013 10:17:30 GMT) :
> Andreas Meyer wrote (10 Sep 2013 09:53:02 GMT) :
> > I guess this is all because the stick is just 1 GB and not 2 GB.
>
> Yes, probably.
>
> After fiddling manually with GPT / MBR, I have sometimes seen this
> error too (due to some weirdness in how GPT legacy mode works, IIRC)
> even when doing Clone & Install.
>
> Wiping out the first MB or so of the drive has always restored things
> to workable state for me.

Actually, while working on the automated test suite, I've hit this
issue in this scenario:

  Scenario: Installing Tails to a USB drive with an MBR partition table but no partitions
    Given a computer
    And I create a 2 GiB disk named mbr
    And I create a msdos label on disk mbr
    And the computer is set to boot from the Tails DVD
    [...]
    And I plug USB drive mbr
    And I Clone & Install Tails to USB drive mbr

So, it seems that Tails Installer does not correctly detect when the
destination device is too small to hold the system partition. The fact
that the destination device already has a MBR partition table might
matter, or not.

Reported as #6538, added implementation hints, marked as easy:

   https://labs.riseup.net/code/issues/6538

Any taker? (This looks like good stuff for e.g. Andres or WinterFairy,
I guess.)

Cheers!
-- 
  intrigeri


Re: [Tails-dev] Please review'n'merge test/rjb-migration

2013-12-26 Thread intrigeri
intrigeri wrote (26 Dec 2013 18:17:21 GMT) :
> I don't want to merge this branch with so many failing tests, as one
> expected failure (e.g. due to a missing image update) may very well
> hide other issues that might be caused by the migration to RJB.
>
> So, I've started fixing every test case I could. Doing this in the
> test/rjb-migration branch too, even if it doesn't 100% belong here,
> because IMO this goes with merging this branch.
>
> In the state where I've brought test/rjb-migration today, all tests
> now pass but:
>
>   * the USB-related tests. Reported as #6537. I'm going to try and
>     fix those now.

I believe I've done what #6537 was about, but this feature still fails
for me a bit later (#6539). I'll try re-running it entirely, but well,
seeing the installer stuck at various stages of the process is no
news, and that's why we have never removed these steps from the manual
test suite yet. So IMO this is not a blocker.

>   * the "Windows should appear like those in Microsoft Windows XP"
>     scenario: in 0.22, the browser's title bar displays the Iceweasel
>     icon, instead of the IE one, so it looks like the Windows
>     camouflage script misses an update for FF24. Reported as #6536,
>     will try to fix in time for 0.22.1 as it's a regression.

I'm testing a fix for this. Once I'm done with validating this part of
the test suite, I'll ask bertagaz to review all the commits I've added
on top of what he submitted, and to merge the branch.

Stay tuned, we're getting close :)

/me is very happy to be able to run this test suite in good
conditions, finally!

Cheers,
-- 
  intrigeri