2015-05-26 11:35:25 -04:00
|
|
|
---
|
|
|
|
layout: doc
|
2015-10-13 23:31:03 -04:00
|
|
|
title: Installation Security
|
2015-10-11 03:04:59 -04:00
|
|
|
permalink: /en/doc/install-security/
|
|
|
|
redirect_from:
|
|
|
|
- /doc/InstallSecurity/
|
|
|
|
- /wiki/InstallSecurity/
|
2015-05-26 11:35:25 -04:00
|
|
|
---
|
|
|
|
|
|
|
|
# Installation Security Considerations #
|
|
|
|
|
|
|
|
## Verifying the Qubes ISO ##
|
|
|
|
|
|
|
|
You should [verify][] the PGP signature on your Qubes ISO before you install
|
|
|
|
from it. However, if the machine on which you attempt the verification process
|
|
|
|
is already compromised, it could falsely claim that a malicious ISO has a good
|
|
|
|
signature. Therefore, in order to be certain that your Qubes ISO is trustworthy,
|
|
|
|
you require a trustworthy machine. But how can you be certain *that* machine is
|
|
|
|
trustworthy? Only by using another trusted machine, and so forth. This is a
|
|
|
|
[classic problem][trusting-trust]. While various [solutions][countering] have
|
|
|
|
been proposed, the point is that each user must ultimately make a choice about
|
|
|
|
whether to trust that a file is non-malicious.
|
|
|
|
|
|
|
|
## Choosing an Installation Medium ##
|
|
|
|
|
|
|
|
So, after taking some measures to verify its integrity and authenticity, you've
|
|
|
|
decided to trust your Qubes ISO. Great! Now you must decide what sort of medium
|
|
|
|
on which to write it so that you can install from it. From a Qubes-specific
|
|
|
|
security perspective, each has certain pros and cons.
|
|
|
|
|
|
|
|
### USB Drives ###
|
|
|
|
|
|
|
|
Pros:
|
|
|
|
|
|
|
|
* Works via USB, including with a [USBVM][].
|
|
|
|
* Non-fixed capacity. (Easy to find one on which the ISO can fit.)
|
|
|
|
|
|
|
|
Cons:
|
|
|
|
|
|
|
|
* Rewriteable. (If the drive is mounted to a compromised machine, the ISO could
|
|
|
|
be maliciously altered after it has been written to the drive.)
|
|
|
|
* Untrustworthy firmware. (Firmware can be malicious even if the drive is new.
|
|
|
|
Plugging a drive with rewriteable firmware into a compromised machine can
|
|
|
|
also [compromise the drive][BadUSB]. Installing from a compromised drive
|
|
|
|
could compromise even a brand new Qubes installation.)
|
|
|
|
|
|
|
|
### Optical Discs ###
|
|
|
|
|
|
|
|
Pros:
|
|
|
|
|
|
|
|
* Read-only available. (If you use read-only media, you don't have to worry
|
|
|
|
about the ISO being maliciously altered after it has been written to the
|
|
|
|
disc. You then have the option of verifying the signature on multiple
|
|
|
|
different machines.)
|
|
|
|
|
|
|
|
Cons:
|
|
|
|
|
|
|
|
* Fixed capacity. (If the size of the ISO is larger than your disc, it will be
|
|
|
|
inconvenient.)
|
|
|
|
* Passthrough burning is not supported by Xen. (This mainly applies if you're
|
|
|
|
upgrading from a previous version of Qubes.) Currently, the only options for
|
|
|
|
burning optical discs in Qubes are:
|
|
|
|
1. Use a USB optical drive.
|
|
|
|
2. Attach a SATA optical drive to a secondary SATA controller, then assign
|
|
|
|
this secondary SATA controller to an AppVM.
|
2015-07-23 07:19:16 -04:00
|
|
|
3. Use a SATA optical drive attached to dom0.
|
2015-05-26 11:35:25 -04:00
|
|
|
(Option 3 violates the Qubes security model since it entails transferring
|
|
|
|
an untrusted ISO to dom0 in order to burn it to disc, which leaves only
|
|
|
|
the other two options.)
|
|
|
|
|
|
|
|
[verify]: https://www.qubes-os.org/doc/VerifyingSignatures/
|
|
|
|
[trusting-trust]: http://www.acm.org/classics/sep95/
|
|
|
|
[countering]: http://www.dwheeler.com/trusting-trust/
|
|
|
|
[USBVM]: https://www.qubes-os.org/doc/SecurityGuidelines/#creating-and-using-a-usbvm
|
|
|
|
[BadUSB]: https://srlabs.de/badusb/
|