
List:       qubes-users
Subject:    Re: [qubes-users] Yubikey, luks disk encryption password, and usb-vm ?
From:       Joe <Joeviocoe () hotmail ! com>
Date:       2018-08-28 17:37:33
Message-ID: a8a40cbd-5431-414a-8192-e27782a9cfc7 () googlegroups ! com


On Monday, 5 June 2017 00:33:44 UTC-4,   wrote:
> On Sun, 4 Jun 2017 22:29:57 +0200
> 
> > On 06/04/2017 10:03 PM, wrote:
> > > When using a usb-vm, my usb keyboard is not accessible at boot time,
> > > and thus my disk encryption password must be typed on the built-in
> > > keyboard. 
> > > 
> > > When not using a usb-vm, a usb keyboard can be used to enter the
> > > disk encryption password.
> > > 
> > > When using a simple static password at boot typed by the yubikey
> > > (which acts like a keyboard), it has the same limitations as the
> > > usb keyboard, wherein it can't type the disk password when a usb-vm
> > > is being used. 
> > > 
> > > I could not determine whether the documentation discussing
> > > challenge-response addresses this problem with boot-time disk
> > > passwords as some sub-component
> > > ( https://www.qubes-os.org/doc/yubi-key/ ). I only see the
> > > screensaver discussed, but not disk passwords at boot. 
> > > 
> > > While still using a usb-vm to manage all usb devices, is there any
> > > way to authorize the yubikey automatically at boot time so it can
> > > type in a password for me?
> > > 
> > > Also, here: ( https://github.com/adubois/qubes-app-linux-yubikey),
> > > am I missing the referenced qubes-yubikey-vm and qubes-yubikey-dom0
> > > in the repos, because they don't seem to exist?
> > > 
> > > Thanks!  
> > 
> > With USB VM enabled, all USB devices are hidden from dom0 even during
> > the Linux kernel boot (but not before). If you need to use USB devices
> > during Qubes OS boot (keyboard, yubikey, anti-evil-maid, ...) and
> > don't mind rigorously checking nobody has plugged any suspicious USB
> > devices into your machine before powering it on (as you should be
> > doing anyway), you can follow the steps outlined below.
> > 
> > There's a Linux kernel command line argument you need to remove from
> > /etc/default/grub -- find the line starting with "GRUB_CMDLINE_LINUX"
> > and drop the "rd.qubes.hide_all_usb" argument. Save the changes and
> > rebuild grub configuration using `sudo grub2-mkconfig -o
> > /boot/grub2/grub.cfg` and then reboot.
> > 
> > Please note that if you have anti-evil-maid installed, you also need
> > to re-run `anti-evil-maid-install` script on your AEM device.
> > Unsealing of your secrets will, as expected, fail during next boot.
> > 
> > Once you reboot without this option, you can use any USB device
> > normally.
> > 
> > 
> > Cheers,
> > Patrik
> > 
> 
> Thanks for the clear answer! It took some searching, but it looks like
> that for me, that flag was only present in /boot/efi/EFI/qubes/xen.cfg
> and it does not seem to require rebuilding grub to work. I didn't see
> that location discussed here https://www.qubes-os.org/doc/usb/ under
> "Removing a USB qube" either. 
> 
> Now, to see if I can get the luks challenge response working rather
> than just a static password ...

If you're still interested.
This solution works great with Yubikey (chal/resp mode), with sys-usb running as your USB Qube. It temporarily allows USB devices during the boot up when it asks for a password (challenge) or the LUKS passphrase. Once done, it then unbinds the USB PCI devices from Dom0, so the USB qubes can handle USB devices as it should.

https://github.com/the2nd/ykluks
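The thread turns on one boot argument, `rd.qubes.hide_all_usb`, which may live in `/etc/default/grub` (Patrik's BIOS/GRUB case) or in `/boot/efi/EFI/qubes/xen.cfg` (Joe's EFI case), and whose absence means dom0 sees USB devices during early boot. The script below is an added example written for this thread, not code from Qubes OS or from the ykluks project: it audits both locations plus the running kernel's `/proc/cmdline` for the flag, and can write a copy of a config file with the argument removed so the change can be reviewed before it is applied. It assumes only POSIX sh, grep and sed; the file paths come from the thread, and the sample file contents used in the usage comments are constructed. Rebuilding the GRUB configuration and re-running `anti-evil-maid-install`, as described above, remain manual follow-up steps.

```shell
#!/bin/sh
# Added example: audit whether rd.qubes.hide_all_usb (the argument that hides
# USB controllers from dom0 during boot) is present in the boot configuration.
# Paths are the ones named in the thread; /proc/cmdline is the live kernel line.

# has_hide_all_usb FILE
# Exit 0 if FILE mentions rd.qubes.hide_all_usb, non-zero otherwise (including
# when FILE is missing or unreadable).
has_hide_all_usb() {
    grep -q 'rd\.qubes\.hide_all_usb' "$1" 2>/dev/null
}

# count_hide_all_usb FILE...
# Print one report line per file on stderr and the number of files that still
# carry the flag on stdout, so callers can branch on the count.
count_hide_all_usb() {
    count=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            printf '%s: not present or not readable\n' "$f" >&2
            continue
        fi
        if has_hide_all_usb "$f"; then
            printf '%s: USB hidden from dom0 at boot (rd.qubes.hide_all_usb set)\n' "$f" >&2
            count=$((count + 1))
        else
            printf '%s: flag absent; dom0 will see USB devices during boot\n' "$f" >&2
        fi
    done
    printf '%s\n' "$count"
}

# strip_hide_all_usb SRC DST
# Write SRC to DST with every rd.qubes.hide_all_usb token (and the whitespace
# before it) removed. DST is a separate file so the result can be diffed against
# SRC before it replaces the live configuration.
strip_hide_all_usb() {
    sed -e 's/[[:space:]]*rd\.qubes\.hide_all_usb//g' "$1" > "$2"
}

# Usage (interactive audit on a Qubes dom0; constructed invocation):
#   sh ./usb_hide_audit.sh --audit
# Constructed sample lines the functions are meant to handle:
#   GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-EXAMPLE rd.qubes.hide_all_usb rhgb quiet"
#   kernel=vmlinuz root=/dev/mapper/root rd.qubes.hide_all_usb
if [ "${1:-}" = "--audit" ]; then
    n=$(count_hide_all_usb /etc/default/grub /boot/efi/EFI/qubes/xen.cfg /proc/cmdline)
    printf 'files still hiding USB from dom0: %s\n' "$n"
fi
```

Run with `--audit` on dom0 to see which of the three locations still carry the flag; a count of zero for the config files but a non-zero result for `/proc/cmdline` means the configuration was edited but the system has not been rebooted (or, on BIOS systems, `grub2-mkconfig` was not re-run).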
