On 1/8/19 9:25 PM, simon.new...@gmail.com wrote:
Chris Laprise wrote:
Of course, I should mention anti evil maid: AEM essentially protects the
/boot partition (and your firmware!). That is nothing to sneeze at and
gives you a decent basis for investigating the dom0 root volume if
something does crop up.
AEM wont work with one of my machines BIOS AFAIK . that bios has no legacy mode
its all UEFI, so per the docs, AEM wont work.
was going to try HEADS but the dependence on Google services made me back off.
Didnt realise there was a dependence on google services for heads. That seems
counter intuitive to me. Wheres the dep?
Actually there is no dependency on google services. THere is "Google
Authenticator, but that is an open source TOTP Generator that works
without internet that can be installed on android.
BUT
There are also commandline programs for it on every major desktop distro.
Essentially for HEADS to work you need:
Coreboot working on your board.
A TPM
A persistent storage drive
A stripped down enough linux kernel for your board that fits in bios
flash memory and that can use the tpm
an initramfs for that kernel that is the actual "heads" part that does
all the magic.
A second device that shows you the current totp (time based one time
pad) to compare it with the value that heads is showing. If match then
system files and booted code are still as expected, if not investigate.
TOTP is based on a secret from which the OTPs (one time codes) are
generated via time.
So the second machine stores a secret and needs a roughly accurate time.
On the machine to be verified the secret exists only when it is booted
in the correct state and only then the passphrase should be entered. If
the booted code is different the secret is not existing instead another
secret is existing that is not the right one that generates a mismatches
that of the verifier device.
The verifier device should ideally be offline so as to not be easily
manipulated so it contains another secret that matches a modified
bootloader. I think an old android with removed/castrated radio hardware
containing a totp app would be a good candidate.
Rest assured the official tails git only contains a device config for
the Thinkpad X230 that is quite outdated.
The purism coreboot repo contains a heads fork that is compatible with
librem devices and their other fancy stuff that sadly is quite overpriced.
Porting heads to your device to be verified is a royal PITA as testing
is annoying without a spare device. Because you most certainly will
flash a whole bunch of builds that arent working yet as your bios and
then need to flash the next build or a working backup of normal coreboot
with an InSystemProgrammer which is fiddly stuff.
Been there, done that. Is a major baywatch episode of fail on the beach
and I made a cludgy half working compromise that I would be ashamed to
put anywhere near public.
I could sink insane amounts of additional time in those things but it
feels like a dead end as long as nobody pays me for my time. I cant even
guarantee success as I am not an expert in those things. I just try to
be McGyver as much as I can.
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/233d1ad1-5f0f-9dce-549d-5618c462e12b%40pornrage.org.
For more options, visit https://groups.google.com/d/optout.
