[liberationtech] A tool for encrypted laptops

Tom Ritter tom at ritter.vg
Fri May 9 13:30:15 PDT 2014


On 9 May 2014 16:08, Steve Weis <steveweis at gmail.com> wrote:
> Hi Tom. Does hibernation on a Mac protect from physical memory
> extraction by default or is this something yontma configures?

Not sure what you mean.  Obviously we can't protect against someone
unscrewing the computer and stealing the chips ;)

> After a quick search, I ran across "destroyfvkeyonstandby" to destroy
> the FileVault key on standby. Is that sufficient?

So I read a lot about pmset, which is made more difficult because
Apple has a lot of terms they use in different situations (hibernate,
standby, power sleep, etc) that aren't always indicative of what we
think they are.  I BELIEVE that the minimal set of settings required
for a 'true' hibernate (memory snapshot to disk, then shut down
everything) is:

standbydelay - Needs to be 0. "the delay, in seconds, before writing
the hibernation image to disk and powering off memory for Standby."

destroyfvkeyonstandby - Needs to be 1.

hibernatemode - Needs to be 25. "The system will store a copy of
memory to persistent storage (the disk), and will remove power to
memory. The system will restore from disk image. If you want
"hibernation" - slower sleeps, slower wakes, and better battery life,
you should use this setting."

Now I believe that when you set hibernatemode to 25, 'standby' (as in
destroyfvkeyonstandby) actually becomes real 'hibernation'.  I
personally have set a bunch of other ones[0], but I don't believe
these are required.  Like I said, I'm fairly confident about these
settings, but Apple's documentation is confusing, so if you think I'm
wrong, do some research and argue back ;)  YoNTMA will prompt you if
it detects these settings are incorrect or you don't have FileVault
enabled.

> As for DMA attacks, my understanding is the latest OS X does a pretty
> good job by default. DMA is disabled while the screen is locked and I
> wasn't able to hotplug arbitrary PCI devices via Thunderbolt (at least
> as of a year ago). I wasn't able to conduct DMA attacks via
> Thunderbolt unless the PCI device was connected on bootup and the
> laptop unlocked. That's an artificial setting, except perhaps for a
> laptop dock with a hidden Thunderbolt hub.

Ah cool.  I hadn't looked into DMA countermeasures too closely.

-tom


[0] My other pmset-tings:

#Do not go to sleep when plugged in and idle
sudo pmset -a autopoweroff 0
#Do go to sleep when idle
sudo pmset -a sleep 30
#Do wake up the computer when the lid is opened
sudo pmset -a lidwake 1
#Do not wake up the computer when the AC is plugged in
sudo pmset -a acwake 0
#Do put the screen to half brightness upon idle
sudo pmset -a halfdim 1
#Do put the display to sleep (actually half brightness) after 30 min
sudo pmset -a displaysleep 30
#Do not put the disk to sleep
sudo pmset -a disksleep 0
#Do not wake on magic packet
sudo pmset -a womp 0
#Or modem ring
sudo pmset -a ring 0
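The message above lists three pmset settings that must hold for a 'true' hibernate (standbydelay 0, destroyfvkeyonstandby 1, hibernatemode 25) and mentions that YoNTMA prompts when they are wrong. The script below is an added example, not YoNTMA's code and not part of the original message: it parses `pmset -g` style output and reports any of the three settings that deviate. It assumes that `pmset -g` prints one "key value" pair per line (the two embedded samples are constructed to look like that output, one compliant and one close to a stock MacBook), so on a real machine you would pipe `pmset -g` into `check_hibernation` instead of the samples.

```shell
#!/bin/sh
# Constructed sample of `pmset -g` output on a laptop already configured
# the way the message recommends (assumption: one "key value" per line).
SAMPLE_OK='Currently in use:
 standbydelay         0
 hibernatemode        25
 destroyfvkeyonstandby 1
 sleep                30
 disksleep            0'

# Constructed sample resembling a stock MacBook: hibernatemode 3 keeps RAM
# powered during sleep, standbydelay is hours, and destroyfvkeyonstandby
# is not set at all.
SAMPLE_DEFAULT='Currently in use:
 standbydelay         4200
 hibernatemode        3
 sleep                10'

# pmset_value KEY: print the value of KEY from pmset output on stdin,
# or the word "missing" when the key does not appear.
pmset_value() {
    awk -v key="$1" '$1 == key { print $2; found = 1 }
                     END { if (!found) print "missing" }'
}

# check_hibernation: read pmset -g style text from stdin, print one
# MISMATCH line per setting that deviates from the required set, and
# return 0 only when all three settings match.
check_hibernation() {
    input=$(cat)
    rc=0
    for pair in "standbydelay=0" "destroyfvkeyonstandby=1" "hibernatemode=25"; do
        key=${pair%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$input" | pmset_value "$key")
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: want %s, got %s\n' "$key" "$want" "$got"
            rc=1
        fi
    done
    return $rc
}

# Demo over both constructed samples; on a real Mac replace the sample
# with: pmset -g | check_hibernation
for name in SAMPLE_OK SAMPLE_DEFAULT; do
    eval "sample=\$$name"
    if printf '%s\n' "$sample" | check_hibernation; then
        echo "$name: hibernation settings OK"
    else
        echo "$name: fix each line above with 'sudo pmset -a <key> <value>'"
    fi
done
```

A missing key is reported as a mismatch on purpose: a setting that was never configured is the same risk as one set to the wrong value, and with hibernatemode left at 3 the FileVault key and the rest of memory stay powered throughout sleep.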
