AEM password also fed to disk decryption #978
marmarek added this to the Release 3.0 milestone May 12, 2015
marmarek added bug, C: other, P: major labels May 12, 2015
rustybird commented May 13, 2015
Happens only with plymouth enabled
marmarek modified the milestones: Release 3.1, Release 3.0 Sep 2, 2015
marmarek modified the milestones: Far in the future, Release 3.1 Feb 8, 2016
marmarek added the help wanted label Feb 8, 2016
rustybird commented Apr 28, 2015
If the AEM secret is protected by a TPM password, then that password, after unsealing the secret, will also be used silently to try and decrypt the disk. This can be verified by entering the disk password into the AEM password prompt.
The TPM password should of course be different from the LUKS password, so this bug will trigger #977: After entering the correct TPM password, you'll have to enter the correct disk password twice (at least if Qubes was installed with the btrfs layout).
(Tested on Qubes 3.0 RC1 with anti-evil-maid 2.0.7 and 2.0.8)