I have been working on host security. I thought one security feature that might help would be implementing FIDO locks on system boot for host and guest. Evil maid thinks she can just done in anytime she wants. No more!
The current challenge I am working to solve is how to configure XML in KVM (or passthrough method for VirtualBox) to pass through host USB and enable guest to recognize the FIDO key.
The XML syntax varies from what I am finding online to KVM for Fedora.
lsusb
USB ID ####(vendor):####(product)
Kvm virt-manager –> overview –> XML (< … >)
KVM virt-manager –> overview –> usb redirector (bus and port)
Configuring the XML is probably the most direct and universal method to achieve a USB FIDO token passthrough. Do you know what the up-to-date syntax for the XML would be?
< devices>
< /controller>
<model
<target
<address
USB is also attack surface. That’s why Qubes supports USBVM (sys-usb).
There’s security trade-off between using USBVM versus AEM:
Not sure. Excellent article, see:
Replay attack?
Relay attack?
While the TOTP solution cleverly solves the replay attack, it’s still vulnerable to a relay attack.
An attacker could steal your laptop and leave behind an identical-looking malicious laptop. When you (unknowingly) boot the malicious relay laptop, it communicates out to your real laptop – which relays the 6-digit OTP code down to the malicious laptop. You verify that the 6-digit OTP is correct and type your FDE decryption password – which is relayed out to the attacker with your real laptop.
Alfield’s article is great. Thanks for sharing. A lot to absorb and think about how to implement. The computer I use has IME removed with Coreboot configurator. Coreboot does not have the option of requiring a BIOS password to boot. I wondered why that was so. Probably HEADS and 2FA keys like Yubikey, Nitrokey, and Purism’s own improve far beyond Legacy BIOS; although, proprietary BIOS had options like fingerprint readers and other HSI features. And that’s when the distinction Michael makes between Enterprise and Cypherpunk security models comes in.
Qubes users can utilize a GRUB script for making use of FIDO keys. I have been working on how to FIDO lock LUKS either at sytemd boot cryptenroll or at dracut on Fedora. Since you mention that USB is an attack surface, it probably wouldn’t be that helpful to make a passthru for Whonix guest but host security should be improved by requiring FIDO at primary stages of start up.
I found out that FIDO keys can be emulated, in QEMU at least (an interesting thought), which might not have the same security attack surface issues as USB passthru. What do you think? I was thinking that a hardware key is practically the only cryptography that could not in some way be alienated from the owner. Emulated keys could be stolen. Password managers could be stolen. Keyloggers could steal passwords. But hardware tokens have material properties that cannot be appropriated like most everything virtual connected to the internet.