---
layout: doc
title: Installation Security
permalink: /doc/install-security/
redirect_from:
- /en/doc/install-security/
- /doc/InstallSecurity/
- /wiki/InstallSecurity/
---

# Installation Security Considerations #

## Verifying the Qubes ISO ##

You should [verify] the PGP signature on your Qubes ISO before you install
from it. However, if the machine on which you attempt the verification process
is already compromised, it could falsely claim that a malicious ISO has a good
signature. Therefore, in order to be certain that your Qubes ISO is trustworthy,
you require a trustworthy machine. But how can you be certain *that* machine is
trustworthy? Only by using another trusted machine, and so forth. This is a
[classic problem]. While various [solutions] have been proposed, the point is
that each user must ultimately make a choice about whether to trust that a file
is non-malicious.
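
The paragraph above says that a compromised machine can claim a bad ISO has a
good signature; a related and more common failure is trusting gpg's "Good
signature" line without checking *which* key made it. The following Python is
an added example, not part of the Qubes documentation or tooling. It treats a
signature as valid only if gpg's `VALIDSIG` status line names a fingerprint you
pinned out of band, and it checks the ISO against a signed digest list in the
`sha256sum` style "HEX  filename" layout. The release-key fingerprint is a
placeholder, and the ISO contents, file name, digest file and gpg status lines
used by `check_sample()` are constructed.

```python
"""Verify a Qubes ISO against a pinned signing-key fingerprint and a
signed digest list.  Added example, not Qubes' own tooling: the fingerprint
is a placeholder and the sample data below is constructed."""
import hashlib
import re
import subprocess

# Placeholder: replace with the release signing key's fingerprint, obtained
# from a source you trust independently of the download site.
EXPECTED_FINGERPRINT = "0000000000000000000000000000000000000000"

HEX40 = re.compile(r"^[0-9A-Fa-f]{40}$")
DIGEST_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S+)$")
BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_gpg_status(status_text: str, expected_fingerprint: str) -> bool:
    """True only if gpg reported a VALIDSIG made by the pinned key.

    A GOODSIG ("Good signature") line proves nothing by itself: any key in the
    local keyring produces one, and a compromised machine can plant keys.  The
    VALIDSIG status line carries the signing key's full fingerprint (and, for a
    subkey, the primary key's fingerprint as its last field); one of those must
    equal the fingerprint pinned out of band.
    """
    want = expected_fingerprint.replace(" ", "").upper()
    for line in status_text.splitlines():
        fields = line.split()
        if fields[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        fprs = {f.upper() for f in fields[2:] if HEX40.match(f)}
        if want in fprs:
            return True
    return False


def gpg_verify_detached(sig_path: str, file_path: str,
                        expected_fingerprint: str = EXPECTED_FINGERPRINT) -> bool:
    """Run gpg on a detached signature; --status-fd 1 sends the machine-readable
    status lines to stdout, which parse_gpg_status then inspects."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True, check=False)
    return proc.returncode == 0 and parse_gpg_status(proc.stdout, expected_fingerprint)


def verify_digests(digests_text: str, data: bytes, iso_name: str) -> dict:
    """Check data against every 'HEX  filename' line naming iso_name.

    The algorithm is inferred from the digest length.  Returns {algo: matched}
    for each line found; lines for other files and PGP armour lines are skipped.
    """
    computed = {algo: hashlib.new(algo, data).hexdigest() for algo in BY_LEN.values()}
    results = {}
    for line in digests_text.splitlines():
        m = DIGEST_LINE.match(line.strip())
        if not m or m.group(2) != iso_name:
            continue
        algo = BY_LEN.get(len(m.group(1)))
        if algo:
            results[algo] = m.group(1).lower() == computed[algo]
    return results


def iso_is_trustworthy(results: dict) -> bool:
    """Require a matching SHA-256 or SHA-512; MD5 and SHA-1 alone are not enough."""
    return bool(results.get("sha256") or results.get("sha512"))


# Constructed sample data (stands in for a real ISO, DIGESTS file and gpg output).
SAMPLE_NAME = "Qubes-RX-x86_64.iso"
SAMPLE_ISO = b"constructed stand-in for an ISO image\n" * 1000
SAMPLE_DIGESTS = "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + "\n".join(
    f"{hashlib.new(algo, SAMPLE_ISO).hexdigest()}  {SAMPLE_NAME}" for algo in BY_LEN.values()
) + "\n-----BEGIN PGP SIGNATURE-----\n(constructed)\n-----END PGP SIGNATURE-----\n"
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Release Key\n"
    f"[GNUPG:] VALIDSIG {EXPECTED_FINGERPRINT} 2015-05-26 1432654525 0 4 0 1 8 00 "
    f"{EXPECTED_FINGERPRINT}\n"
)


def check_sample() -> bool:
    """Run both checks over the constructed sample; a real run replaces the
    SAMPLE_* values with the downloaded ISO, its digest file and gpg's output."""
    sig_ok = parse_gpg_status(SAMPLE_STATUS, EXPECTED_FINGERPRINT)
    digest_ok = iso_is_trustworthy(verify_digests(SAMPLE_DIGESTS, SAMPLE_ISO, SAMPLE_NAME))
    return sig_ok and digest_ok


if __name__ == "__main__":
    print("sample verification:", "OK" if check_sample() else "FAILED")
```

`gpg_verify_detached` needs a working `gpg` on the machine, and, as the
section explains, the result is only as trustworthy as that machine; the value
of pinning the fingerprint in the script is that a planted key in the keyring
cannot by itself turn a forged signature into a pass.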

## Choosing an Installation Medium ##

So, after taking some measures to verify its integrity and authenticity, you've
decided to trust your Qubes ISO. Great! Now you must decide what sort of medium
to write it to so that you can install from it. From a Qubes-specific
security perspective, each has certain pros and cons.

### USB Drives ###

Pros:

* Works via USB, including with a [USB qube].
* Non-fixed capacity. (Easy to find one on which the ISO can fit.)

Cons:

* Rewritable. (If the drive is mounted to a compromised machine, the ISO could
  be maliciously altered after it has been written to the drive.)
* Untrustworthy firmware. (Firmware can be malicious even if the drive is new.
  Plugging a drive with rewritable firmware into a compromised machine can
  also [compromise the drive][BadUSB]. Installing from a compromised drive
  could compromise even a brand new Qubes installation.)

### Optical Discs ###

Pros:

* Read-only available. (If you use read-only media, you don't have to worry
  about the ISO being maliciously altered after it has been written to the
  disc. You then have the option of verifying the signature on multiple
  different machines.)

Cons:

* Fixed capacity. (If the size of the ISO is larger than your disc, it will be
  inconvenient.)
* Passthrough recording (a.k.a., "burning") is not supported by Xen. (This
  mainly applies if you're upgrading from a previous version of Qubes.)
  Currently, the only options for recording optical discs (e.g., CDs, DVDs,
  BRDs) in Qubes are:

  1. Use a USB optical drive.
  2. Attach a SATA optical drive to a secondary SATA controller, then assign
     this secondary SATA controller to an AppVM.
  3. Use a SATA optical drive attached to dom0.

  (Option 3 violates the Qubes security model since it entails transferring an
  untrusted ISO to dom0 in order to burn it to disc, which leaves only the
  other two options.)

Considering the pros and cons of each, perhaps a USB drive with non-rewritable
(or at least cryptographically-signed) firmware and a physical write-protect
switch might be the best option.
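
The rewritability that counts against USB drives above also gives you a check
that read-only discs need less: on a machine you trust, the medium can be read
back and compared with the verified ISO before you boot from it. The Python
below is an added example, not part of the Qubes documentation; `image` and
`device` are whatever you pass in (the ISO file and, for a real check, the raw
block device the ISO was written to), and the sample image and device contents
at the bottom are constructed. It compares only the first `len(image)` bytes,
since a stick is larger than the image, and reports the offset of the first
difference rather than a bare pass/fail.

```python
"""Confirm that a written installation medium still holds the verified ISO.
Added example, not Qubes' own tooling; sample data below is constructed."""
import io
from contextlib import ExitStack

CHUNK = 1 << 20  # compare 1 MiB at a time so a multi-GiB image fits in memory


def _as_stream(src):
    """Accept a path, an open binary file, or raw bytes (used by the samples)."""
    if isinstance(src, (bytes, bytearray)):
        return io.BytesIO(src)
    if hasattr(src, "read"):
        return src
    return open(src, "rb")


def readback_matches(image, device) -> dict:
    """Compare the first len(image) bytes of device with image, chunk by chunk.

    Bytes on the device beyond the end of the image are ignored.  On a mismatch
    (including a device that is shorter than the image) the returned dict gives
    the byte offset of the first difference.  Both streams are closed on return.
    """
    with ExitStack() as stack:
        img = stack.enter_context(_as_stream(image))
        dev = stack.enter_context(_as_stream(device))
        offset = 0
        while True:
            a = img.read(CHUNK)
            if not a:
                return {"match": True, "bytes_compared": offset}
            b = dev.read(len(a))
            if a != b:
                diff = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), len(b))
                return {"match": False, "bytes_compared": offset + diff,
                        "first_mismatch": offset + diff}
            offset += len(a)


# Constructed samples: a 2 MiB "image", a larger "stick" holding it intact,
# and the same stick with one byte flipped inside the second chunk.
SAMPLE_IMAGE = bytes(range(256)) * 8192
SAMPLE_DEVICE_OK = SAMPLE_IMAGE + b"\xff" * 4096
SAMPLE_DEVICE_TAMPERED = (SAMPLE_IMAGE[:1_500_000] + b"\x00"
                          + SAMPLE_IMAGE[1_500_001:] + b"\xff" * 4096)


if __name__ == "__main__":
    print("intact stick  :", readback_matches(SAMPLE_IMAGE, SAMPLE_DEVICE_OK))
    print("tampered stick:", readback_matches(SAMPLE_IMAGE, SAMPLE_DEVICE_TAMPERED))
```

Reading a raw block device needs the appropriate privileges, and in Qubes the
drive should be attached to the qube doing the check rather than to dom0, for
the same reason the optical-disc options above avoid moving untrusted media
through dom0.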

[verify]: /security/verifying-signatures/
[classic problem]: https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
[solutions]: https://www.dwheeler.com/trusting-trust/
[USB qube]: /doc/usb-qubes/#creating-and-using-a-usb-qube
[BadUSB]: https://srlabs.de/badusb/