AntiEvilMaid incompatible with portable USB install documentation addition #1035

Closed
adrelanos opened this Issue Jun 24, 2015 · 4 comments

adrelanos commented Jun 24, 2015

The use case where you install Qubes on USB for portable use, for use on different physical computers (which works well) is incompatible with AntiEvilMaid.

Should we add a note to the AntiEvilMaid documentation page (https://www.qubes-os.org/doc/AntiEvilMaid/) (https://github.com/QubesOS/qubes-doc/blob/master/AntiEvilMaid.md) where we briefly explain this?

@marmarek marmarek added the C: doc label Jun 24, 2015

rustybird Jun 28, 2015

What's a good way to get the TPM chip's serial number (or anyway some unique persistent identifier)?

rustybird Jun 28, 2015

tpm_getpubek -z |
grep -E '^  ([0-9a-f]{8}( |$))+' |  # tab literal between ^ and (
tr -dc 0-9a-f |
sha256sum |
cut -d ' ' -f 1

is brittle but would work as a name for a directory to put the system PS file and the sealed blob into.
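
One concrete way the pipeline in the comment above is brittle: if the grep matches nothing (the command failed, or the tab indentation is different), it still prints the SHA-256 of empty input, so every machine where parsing fails would get the same directory name. An added example, not part of the thread or of qubes-antievilmaid, that refuses to emit an ID in that case; the function names, the constructed sample output and the 512-hex-digit default (a 2048-bit RSA key) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): derive a per-TPM ID from
# tpm_getpubek-style text, but fail instead of hashing an empty parse.

# SHA-256 of empty input: what the bare pipeline prints when grep matches nothing.
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# Reads tpm_getpubek-style text on stdin and prints a 64-hex-digit ID.
# $1 = expected number of hex digits (assumed default: 512, a 2048-bit key).
# Returns 1 when the parsed key material does not have that length.
tpm_id_from_pubek() {
    local want=${1:-512} tab hex
    tab=$(printf '\t')
    # Same filter as the thread's pipeline, with a real tab after ^.
    hex=$(grep -E "^${tab}([0-9a-f]{8}( |\$))+" | tr -dc 0-9a-f)
    if [ "${#hex}" -ne "$want" ]; then
        echo "tpm_id: parsed ${#hex} hex digits, expected $want" >&2
        return 1
    fi
    # Hash exactly the bytes the original pipeline would hash.
    printf '%s' "$hex" | sha256sum | cut -d ' ' -f 1
}

# Constructed sample input: only its shape (tab-indented lines of
# 8-hex-digit groups) is assumed; the header lines and key bytes are made up.
sample_pubek() {
    local i
    printf 'Public Endorsement Key:\n  Version:   01010000\n  Public Key:\n'
    for i in 0 1 2 3 4 5 6 7; do
        printf '\t%s\n' "0011223${i} 4455667${i} 8899aab${i} ccddeef${i} 0123456${i} 789abcd${i} fedcba9${i} 7654321${i}"
    done
}

# Demo on the constructed sample; on real hardware stdin would be
# the output of `tpm_getpubek -z`.
sample_pubek | tpm_id_from_pubek
```
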

rustybird Jun 29, 2015

Hey @adrelanos, you can try my tpm_id branch of qubes-antievilmaid if you want. (The commit is signed.) I don't have a portable installation to test it with right now, but it works on my fixed installation.

domU $ rpmbuild -ba antievilmaid.spec
domU $ cd dracut-antievilmaid
domU $ rpmbuild -ba antievilmaid.spec
domU $ (transfer ~/rpmbuild/RPMS/x86_64/* to dom0)

dom0 # (install the RPMs)
dom0 # systemctl daemon-reload
dom0 # systemctl restart tcsd 
dom0 # antievilmaid_install
dom0 # (reboot and reseal on all computers)

Take a look at the README diff though for the new resealing commands, which have to be repeated on every computer.

adrelanos Jun 29, 2015

Member

Sorry, I don't think I have one or even two machines with TPM.

(If you're wondering about my motivation in this ticket: I've heard that "AntiEvilMaid is currently incompatible with portable USB install" and just wanted to get this added to the documentation for better usability and to prevent surprises and confusion.)
