diff --git a/content/posts/qubes/index.md b/content/posts/qubes/index.md index 7287979..b799335 100644 --- a/content/posts/qubes/index.md +++ b/content/posts/qubes/index.md @@ -473,7 +473,7 @@ Of the [community-recommended computers](https://forum.qubes-os.org/t/5560), the * **Root of trust**: Heads uses the [Trusted Platform Module (TPM)](https://tech.michaelaltfield.net/2023/02/16/evil-maid-heads-pureboot/#tpm) to store secrets during the boot process — the Thinkpad X230 and T430 have TPM v1.1. * **Blobs**: There are no binary blobs on these models after Heads is installed, except for the Intel Management Engine (which can be neutered) and the Ethernet blob (which can be generated). -* **Microcode updates**: Spectre and Meltdown [are mitigated by microcode updates for this generation of CPUs](https://forum.qubes-os.org/t/secure-hardware-for-qubes/19238/52) which are [installed by default on Qubes OS](https://www.whonix.org/wiki/Spectre_Meltdown#Qubes_2). Some attacks target only newer CPUs, and the Ivy generation CPUs won't be vulnerable to these attacks. +* **Microcode updates**: Spectre and Meltdown [are mitigated by microcode updates for this generation of CPUs](https://forum.qubes-os.org/t/secure-hardware-for-qubes/19238/52) which are [installed by default on Qubes OS](https://www.whonix.org/wiki/Spectre_Meltdown#Qubes_2). Some attacks target only newer CPUs (new CPU extensions mean new attack surface), and the Ivy generation CPUs won't be vulnerable to these attacks. Qubes OS also applies appropriate software mitigation to this class of attacks at the hypervisor level, including [disabling HyperThreading](https://www.qubes-os.org/news/2018/09/02/qsb-43/). 
@@ -487,8 +487,13 @@ We call a qube "untrusted" when it is networked and thus might be compromised at ## Principles -* Make sure to always be aware of which qubes are running simultaneously. When using an untrusted qube, do not simultaneously run any trusted qubes — **the only other qubes running should be sys qubes and other untrusted qubes**. In other words, while untrusted qubes are running there should be nothing sensitive in memory, because you are assuming that all memory could be leaked. -* Perform sensitive operations in trusted qubes (without networking), and shut down trusted qubes when they are not in use. The `vault` is considered a trusted qube. +Make sure to always be aware of which qubes are running simultaneously. + +* Perform sensitive operations in trusted qubes (without networking), while no untrusted qubes are running. Shut down trusted qubes when they are not in use. The `vault` is considered a trusted qube. +* While untrusted qubes are running there should be no qubes running simultaneously that put sensitive data into memory, because you are assuming that all memory could be leaked. Qubes containing sensitive data include: + * Any qubes containing data that isn't compartmentalized to your current activity. For example, if you are doing website moderation, images files you are going to upload to the website aren't sensitive, but files associated with an unrelated project are. + * The `vault` qube containing your KeePassXC database. + * If your untrusted qube requires access to SSH or PGP private keys, set up [split-GPG](https://www.qubes-os.org/doc/split-gpg/) or [split-SSH](https://forum.qubes-os.org/t/split-ssh/19060). Start a fresh untrusted session before putting private keys into memory. ## Sys qubes 
@@ -499,7 +504,7 @@ We call a qube "untrusted" when it is networked and thus might be compromised at While using an untrusted qube, you may need to have access to a password. We'll use the "Emergency pause" feature to neutralize the untrusted qube while opening the vault for the password. For instance, using the untrusted disposable qube `whonix-workstation-17-dvm`: -* Using the Qubes Domains icon, "Emergency pause" the untrusted qube(s). +* Using the Qubes Domains icon, "Emergency pause" all untrusted qubes that are running. * Start `vault`. Open KeePassXC and copy the required password to the global clipboard. * Shutdown `vault` * Unpause the untrusted qube(s). You can now paste the password from the global clipboard. @@ -508,11 +513,13 @@ While using an untrusted qube, you may need to have access to a password. We'll While using an untrusted qube, you may need to copy a file from the vault. To avoid having the vault and untrusted qube running simultaneously, we'll use an intermediary offline disposable. For instance, using the untrusted disposable qube `whonix-workstation-17-dvm`: -* Using the Qubes Domains icon, "Emergency pause" the untrusted qube(s). +* Using the Qubes Domains icon, "Emergency pause" all untrusted qubes that are running. * Start `debian-12-offline-dvm` and `vault`. Copy the file from the vault to the disposable offline qube. * Shutdown `vault` * Unpause the untrusted qube(s). You can now copy the file to it from the disposable offline qube. +Alternatively, you can create a vault qube for file storage that is compartmentalized to the activity (`vault-webmoderation`). Such a vault can run simultaneously to untrusted qubes used for that activity. Keep your KeePassXC database in `vault`. + ## If you need to save a file to the vault You may also need to copy a file to the vault, so that it can be saved after the disposable is closed. Using the untrusted disposable qube `whonix-workstation-17-dvm`: 
@@ -521,3 +528,5 @@ You may also need to copy a file to the vault, so that it can be saved after the * Copy the file to the disposable offline qube from the untrusted qube. * When you are done using the untrusted qube, shut it down. * Start `vault`. Copy the file from the disposable offline qube to the vault. [Sanitize it](/posts/qubes/#sanitizing-files) before opening. + +Alternatively, you can create a vault qube for file storage that is compartmentalized to the activity (`vault-webmoderation`). Such a vault can run simultaneously to untrusted qubes used for that activity. Keep your KeePassXC database in `vault`.
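Review bot: In the first hunk (`@@ -473,7 +473,7 @@`, the **Microcode updates** bullet), "the Ivy generation CPUs won't be vulnerable to these attacks" is stated unconditionally while the two citations only cover Spectre/Meltdown microcode and the QSB-43 HyperThreading change, not a claim of immunity to later transient-execution attacks. Suggest hedging to "are not affected by attacks that depend on CPU extensions Ivy Bridge lacks" and, for the new "Qubes OS also applies appropriate software mitigation" sentence, naming the mechanism the link actually describes (SMT disabled in the Xen scheduler per QSB-43) rather than the vague "appropriate software mitigation".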
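Review bot: In the second hunk (`@@ -487,8 +487,13 @@`, the **Principles** list), the third sub-bullet ("If your untrusted qube requires access to SSH or PGP private keys, set up split-GPG ...") is an instruction, not a kind of qube, so it does not fit the lead-in "Qubes containing sensitive data include:"; and it is in fact an exception to the rule the parent bullet states, because the split-GPG/split-SSH backend qube holds private keys in memory while the untrusted qube is running. Suggest promoting it to its own top-level bullet that says so explicitly, e.g. "Split-GPG/split-SSH is the one case where a key-holding qube runs alongside an untrusted qube; start a fresh untrusted session first." Also "images files" should be "image files", and the demoted intro line "Make sure to always be aware of which qubes are running simultaneously." now reads as a bare sentence between the heading and the list; it would read better as the first bullet or with a colon introducing the list.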
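Review bot: In the third hunk (`@@ -499,7 +504,7 @@` / `@@ -508,11 +513,13 @@`), the pause step now says "all untrusted qubes that are running" but the later step still says "Unpause the untrusted qube(s)", so the two no longer match; change the unpause step to "Unpause the untrusted qubes" in both procedures. The added "Alternatively, you can create a vault qube ..." paragraph also needs one caveat it does not state: a per-activity vault such as `vault-webmoderation` may run beside untrusted qubes only because it holds nothing outside that activity, which is why the KeePassXC database must stay in `vault`; spelling that out ties the alternative back to the Principles rule.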
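Review bot: In the fourth hunk (`@@ -521,3 +528,5 @@`), the added "Alternatively, you can create a vault qube for file storage ..." paragraph is a verbatim copy of the paragraph added two sections earlier under "copy a file from the vault". Suggest keeping it once (either after the file-copy section or as its own short "Per-activity vaults" note) and replacing this copy with a one-line back-reference, so future edits to the advice do not have to be made in two places.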