AntiEvilMaid incompatible with portable USB install documentation addition

[adrelanos]

The use case where you install Qubes on USB for portable use, for use on different physical computers (which works well) is incompatible with AntiEvilMaid.

Should we add a note to the AntiEvilMaid documentation page (https://www.qubes-os.org/doc/AntiEvilMaid/) (https://github.com/QubesOS/qubes-doc/blob/master/AntiEvilMaid.md) where we briefly explain this?

[rustybird]

What's a good way to get the TPM chip's serial number (or anyway some unique persistent identifier)?

[rustybird]

What's a good way to get the TPM chip's serial number (or anyway some unique persistent identifier)?

[rustybird]

tpm_getpubek -z |
grep -E '^  ([0-9a-f]{8}( |$))+' |  # tab literal between ^ and (
tr -dc 0-9a-f |
sha256sum |
cut -d ' ' -f 1

is brittle but would work as a name for a directory to put the system PS file and the sealed blob into.

[rustybird]

tpm_getpubek -z |
grep -E '^  ([0-9a-f]{8}( |$))+' |  # tab literal between ^ and (
tr -dc 0-9a-f |
sha256sum |
cut -d ' ' -f 1

is brittle but would work as a name for a directory to put the system PS file and the sealed blob into.

[rustybird]

Hey @adrelanos, you can try my tpm_id branch of qubes-antievilmaid if you want. (The commit is signed.) I don't have a portable installation to test it with right now, but it works on my fixed installation.

domU $ rpmbuild -ba antievilmaid.spec
domU $ cd dracut-antievilmaid
domU $ rpmbuild -ba antievilmaid.spec
domU $ (transfer ~/rpmbuild/RPMS/x86_64/* to dom0)

dom0 # (install the RPMs)
dom0 # systemctl daemon-reload
dom0 # systemctl restart tcsd 
dom0 # antievilmaid_install
dom0 # (reboot and reseal on all computers)

Take a look at the README diff though for the new resealing commands, which have to be repeated on every computer.

[rustybird]

Hey @adrelanos, you can try my tpm_id branch of qubes-antievilmaid if you want. (The commit is signed.) I don't have a portable installation to test it with right now, but it works on my fixed installation.

domU $ rpmbuild -ba antievilmaid.spec
domU $ cd dracut-antievilmaid
domU $ rpmbuild -ba antievilmaid.spec
domU $ (transfer ~/rpmbuild/RPMS/x86_64/* to dom0)

dom0 # (install the RPMs)
dom0 # systemctl daemon-reload
dom0 # systemctl restart tcsd 
dom0 # antievilmaid_install
dom0 # (reboot and reseal on all computers)

Take a look at the README diff though for the new resealing commands, which have to be repeated on every computer.

[adrelanos]

Sorry, I don't think I have one or even two machines with TPM.

(If you're wondering about my motivation in this ticket: I've heard, that "AntiEvilMaid is currently incompatible with portable USB install" and just wanted to get this added to documentation for better usability, prevent surprises and confusion.)

[adrelanos]

Sorry, I don't think I have one or even two machines with TPM.

(If you're wondering about my motivation in this ticket: I've heard, that "AntiEvilMaid is currently incompatible with portable USB install" and just wanted to get this added to documentation for better usability, prevent surprises and confusion.)