Re: [qubes-devel] kernel downgrade

2018-03-29 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 03/29/2018 04:49 PM, Zrubi wrote: > Any suggestion how to solve this? Try this: sudo qubes-dom0-update --action=downgrade [kernel packages] > And if I succeed, how can I lock my system to this kernel version? Add the following line into

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-08-22 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hey, I've opened a pull request [1] to the AEM repository. Again, enormous thank you to Rusty Bird for being a wonderful GSoC mentor and helping me clean up the patches for submission. You are awesome! Cheers, Patrik [1]

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-08-16 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 08/16/2017 05:51 PM, Rusty Bird wrote: > Patrik Hagara: >> Rusty: do you think it's ready to be built and pushed into R4 >> testing repos? > > Almost ready IMO. I have some more line comments, can you open a PR > on my

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-08-16 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi! I've updated the README a bit [1] to (hopefully) make some things clearer. Also added a section on how to recover from compromises. Rusty: do you think it's ready to be built and pushed into R4 testing repos? Cheers, Patrik [1]

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-08-13 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 08/13/2017 07:28 PM, Rusty Bird wrote: > Patrik Hagara: >> Finally managed to track down why unlocking disk with unsealed >> and decrypted LUKS key file didn't work on a clean Qubes OS >> installation. > >> While st

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-08-12 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 08/02/2017 07:05 PM, Patrik Hagara wrote: > On 07/26/2017 03:21 PM, Patrik Hagara wrote: >> On 07/25/2017 08:48 PM, Rusty Bird wrote: >>> Patrik Hagara: >>>> Would it be OK if I squashed all the commits so far

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-07-26 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 07/25/2017 08:48 PM, Rusty Bird wrote: > Patrik Hagara: >> Would it be OK if I squashed all the commits so far into a >> single large one (as there's already quite a lot of reverts and >> design changes anyway). > > Y

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-07-24 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 07/24/2017 04:40 PM, Rusty Bird wrote: > Hi Patrik! > >> Thinking about RO/RW AEM media gave me quite a headache. We want >> to allow creating a RO AEM media that would ignore freshness >> tokens -- but then the attacker can trivially downgrade

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-07-24 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 07/20/2017 03:24 AM, Patrik Hagara wrote: > I've got most of the code written already, just need to finish the > -unseal script bits and test it, then I'll push it to my fork -- > should be in the following day or two, depending on

Re: [qubes-devel] Re: [GSoC] Qubes-MIME-Handlers Weekly Progress Report #6

2017-07-20 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 07/20/2017 09:08 AM, Andrew Morgan wrote: > On 07/20/2017 12:03 AM, Andrew Morgan wrote: >> On 07/19/2017 11:56 PM, Patrik Hagara wrote: >>> On 07/20/2017 07:42 AM, Andrew Morgan wrote: >>>> I'm currently

Re: [qubes-devel] Re: [GSoC] Qubes-MIME-Handlers Weekly Progress Report #6

2017-07-20 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 07/20/2017 07:42 AM, Andrew Morgan wrote: > I'm currently trying to work out a bug where inotify_watch calls > will fail around the 8000th folder that's created or moved in. I'm > assuming this probably has to do with a limit coded somewhere so >

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-07-19 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hey! First off, sorry for the delayed report this week! I was doing "drawing board" work almost exclusively for the past ~three weeks trying to wrap my head around all the outstanding issues and figuring out some decent avenues for fixing them, so

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-07-10 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 07/05/2017 05:30 PM, Rusty Bird wrote: > Patrik Hagara: >> On 07/04/2017 12:28 AM, Rusty Bird wrote: >>> Hi Patrik! >>>> OK, let's go with the freshness token then. >>> >>> To avoid implementat

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-07-04 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 07/04/2017 12:28 AM, Rusty Bird wrote: > Hi Patrik! > > I just noticed that qubes-devel seems to break your PGP/MIME > signatures. Inline PGP works better on Google Groups based mailing > lists. (The CCs have all been fine, of course.) Thanks

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-25 Thread Patrik Hagara
On 06/19/2017 12:43 PM, Rusty Bird wrote: > Patrik Hagara: >> On 06/18/2017 05:51 PM, Rusty Bird wrote: >>> Rusty Bird: >>>> Patrik Hagara: >>>>> Single-use key file code committed >>> >>>> Whee, I finally get it... Seeing how it

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-18 Thread Patrik Hagara
On 06/18/2017 05:51 PM, Rusty Bird wrote: > Rusty Bird: >> Patrik Hagara: >>> Single-use key file code committed > >> Whee, I finally get it... Seeing how it all fits together, it looks >> really cool! > >> What do you think about making replay prot

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-17 Thread Patrik Hagara
On 06/16/2017 09:32 PM, Patrik Hagara wrote: > I will push those changes to my fork after > some cleanup and a re-test (most likely tomorrow). Single-use key file code committed [0] and I'm going to check whether clearing the TPM invalidates PCR-sealed data or not. If it does, then gene

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-16 Thread Patrik Hagara
On 06/13/2017 12:45 AM, Patrik Hagara wrote: > Unfortunately, it seems monotonic counters are designed to only be > manipulated (create/increment/destroy) by the OS and thus the TrouSerS > project chose not to provide any APIs to perform those operations. This > trousers-users mailing

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-10 Thread Patrik Hagara
On 06/10/2017 08:10 PM, Rusty Bird wrote: > Patrik Hagara: >> Any and all code reviews are welcome! The changes I made are stored in >> my fork of AEM repository [1]. > > - Please don't feel obligated to read this on a weekend :) - :) > One thing I noticed is that a c

Re: [qubes-devel] [GSOC] Extended File Attributes not preserved by most editors

2017-06-10 Thread Patrik Hagara
On 06/10/2017 05:47 AM, Andrew Morgan wrote: > Another way to mark files is to just list and later read their > filepaths, line-by-line. However if one is marking a folder of thousands > of files as untrusted, that tracking file can quickly become very long. > Perhaps a database option would

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-09 Thread Patrik Hagara
On 06/09/2017 05:22 AM, Rusty Bird wrote: > Rusty Bird: >> In the current WIP version, the keyfile is encrypted before sealing >> and decrypted after unsealing. (Using scrypt - if we trusted the TPM >> to handle the raw keyfile, we could just use SRK password protection >> instead.) > > Sorry, I

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-08 Thread Patrik Hagara
On 06/08/2017 03:48 PM, Rusty Bird wrote: > Marek Marczykowski-Górecki: >> On Thu, Jun 08, 2017 at 11:19:22AM +0200, Patrik Hagara wrote: >>> How about storing the key file itself inside the TPM? This may (or may >>> not) open some new possibilities while, apparently, n

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-08 Thread Patrik Hagara
On 06/08/2017 01:56 PM, Marek Marczykowski-Górecki wrote: >>> - if someone copy AEM stick _before_ observing proper successful boot, >>> he/she can replay it, because copy of AEM will still have "old" OTP >>> valid (a keyfile encrypted with it) > >> This weakness is impossible to prevent in

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-08 Thread Patrik Hagara
On 06/08/2017 12:45 AM, Marek Marczykowski-Górecki wrote: > I was thinking for some time about a scheme where user enters > also something dynamic - OTP (not necessary TOTP) - either in addition > to normal passphrase or, instead of. But it's tricky how to do it > properly. > One idea is to have

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-07 Thread Patrik Hagara
On 06/07/2017 09:45 PM, Rusty Bird wrote: > Hi Patrik, > > Sorry that it took me a while to respond to your first "official" :) > progress report. This email has some general stuff, but I'll post more > here or on GitHub later this week. > >> Right now, I would say the first version of my code

[qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-06 Thread Patrik Hagara
Hi! As some of you may already know, I have been accepted into the Google Summer of Code program to work on improving Qubes' Anti Evil Maid suite to provide resistance against shoulder surfing and/or video surveillance. The project proposal I submitted can be found archived on this (qubes-devel)

Re: [qubes-devel] Re: Request for feedback: 4.9 Kernel

2017-06-01 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, Jun 1, 2017 at 2:55 PM, Pablo Di Noto wrote: > Hello, > >> 1) Hardware that used to work with 4.4 or 4.8 no longer works with 4.9. > > Using it on a Lenovo X250 (i3-5010U), and other desktops. > > Experiencing

Re: [qubes-devel] ipv6 for internal network in 4.x?

2017-05-29 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, May 29, 2017 at 4:45 PM, Peter Todd wrote: > On Sun, May 28, 2017 at 05:46:22AM -0700, pixel fairy wrote: >> > Are you suggesting that VM's no longer have internal ipv4 addresses? You >> > mean >> > via the ipv4-in-ipv6

Re: [qubes-devel] GSoC 2017: Community Bonding Period

2017-05-16 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Tue, May 16, 2017 at 03:32:41PM +0200, Marek Marczykowski-Górecki wrote: > Unfortunately, as new GSoC org, we didn't get as many slots as we > requested, so we were forced to reject some, even good proposals. Ah well. I hope you get more and

Re: [qubes-devel] GSoC 2017: Community Bonding Period

2017-05-16 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi! First off, thanks to whoever was responsible for me being accepted into the GSoC program and congrats to both Andrew and Paras for getting in, too! :) On Fri, May 05, 2017 at 08:27:34AM -0700, John Casey wrote: > Unfortunately, my Qubes

Re: [qubes-devel] GSoC Anti Evil Maid improvement project

2017-04-02 Thread Patrik Hagara
/ CEST). Contact information: * name: Patrik Hagara * e-mail: patriha...@gmail.com * GPG: 09AFE672 E513B8A3 ED35643B 5C1E71DF 031F9AE5 * [GitHub][3] and [LinkedIn][4] [0]: https://www.qubes-os.org/gsoc/ [1]: https://github.com/QubesOS/qubes-issues [2]: https://github.com/QubesOS/qubes

Re: [qubes-devel] GSoC Anti Evil Maid improvement project

2017-03-29 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Mar 29, 2017 at 1:39 PM, Rusty Bird wrote: >>> In case you deem the probability of software-based (but requiring prior >>> physical access) multi-stage evil maid attacks much higher than >>> hardware-based ones, I

[qubes-devel] GSoC Anti Evil Maid improvement project

2017-03-26 Thread Patrik Hagara
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi! I'm thinking about applying to the GSoC program and working on the Anti Evil Maid shoulder surfing and video surveillance resistance project idea. However, I've got a question regarding the proposed solution which requires implementing both