Add semantic newlines for software-update-dom0.md

pierwill 2019-08-18 12:45:27 -05:00
parent c7e8a45bc8
commit 2dae132dfc


@ -14,7 +14,10 @@ Installing and updating software in dom0
Why would one want to install or update software in dom0? Why would one want to install or update software in dom0?
--------------------------------------------------------- ---------------------------------------------------------
Normally, there should be few reasons for installing or updating software in dom0. This is because there is no networking in dom0, which means that even if some bugs are discovered e.g. in the dom0 Desktop Manager, this really is not a problem for Qubes, because none of the third-party software running in dom0 is accessible from VMs or the network in any way. Some exceptions to this include: Qubes GUI daemon, Xen store daemon, and disk back-ends. (We plan move the disk backends to an untrusted domain in a future Qubes release.) Of course, we believe this software is reasonably secure, and we hope it will not need patching. Normally, there should be few reasons for installing or updating software in dom0.
This is because there is no networking in dom0, which means that even if some bugs are discovered e.g. in the dom0 Desktop Manager, this really is not a problem for Qubes, because none of the third-party software running in dom0 is accessible from VMs or the network in any way.
Some exceptions to this include: Qubes GUI daemon, Xen store daemon, and disk back-ends.
(We plan move the disk backends to an untrusted domain in a future Qubes release.) Of course, we believe this software is reasonably secure, and we hope it will not need patching.
However, we anticipate some other situations in which installing or updating dom0 software might be necessary or desirable: However, we anticipate some other situations in which installing or updating dom0 software might be necessary or desirable:
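Review bot: the new line that starts "(We plan move the disk backends ..." still holds two sentences, so the parenthetical and "Of course, we believe this software is reasonably secure ..." should each get their own line like the rest of this paragraph. While the line is being touched, "We plan move" is missing "to", and the paragraph spells the same term as both "back-ends" and "backends"; either fix them here or note them for a follow-up.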
@ -25,18 +28,25 @@ However, we anticipate some other situations in which installing or updating dom
How is software installed and updated securely in dom0? How is software installed and updated securely in dom0?
------------------------------------------------------- -------------------------------------------------------
The install/update process is split into two phases: "resolve and download" and "verify and install." The "resolve and download" phase is handled by the "UpdateVM." (The role of UpdateVM can be assigned to any VM in the Qubes VM Manager, and there are no significant security implications in this choice. By default, this role is assigned to the firewallvm.) After the UpdateVM has successfully downloaded new packages, they are sent to dom0, where they are verified and installed. This separation of duties significantly reduces the attack surface, since all of the network and metadata processing code is removed from the TCB. The install/update process is split into two phases: "resolve and download" and "verify and install." The "resolve and download" phase is handled by the "UpdateVM." (The role of UpdateVM can be assigned to any VM in the Qubes VM Manager, and there are no significant security implications in this choice.
By default, this role is assigned to the firewallvm.) After the UpdateVM has successfully downloaded new packages, they are sent to dom0, where they are verified and installed.
This separation of duties significantly reduces the attack surface, since all of the network and metadata processing code is removed from the TCB.
Although this update scheme is far more secure than directly downloading updates in dom0, it is not invulnerable. For example, there is nothing that the Qubes project can feasibly do to prevent a malicious RPM from exploiting a hypothetical bug in GPG's `--verify` operation. At best, we could switch to a different distro or package manager, but any of them could be vulnerable to the same (or a similar) attack. While we could, in theory, write a custom solution, it would only be effective if Qubes repos included all of the regular TemplateVM distro's updates, and this would be far too costly for us to maintain. Although this update scheme is far more secure than directly downloading updates in dom0, it is not invulnerable.
For example, there is nothing that the Qubes project can feasibly do to prevent a malicious RPM from exploiting a hypothetical bug in GPG's `--verify` operation.
At best, we could switch to a different distro or package manager, but any of them could be vulnerable to the same (or a similar) attack.
While we could, in theory, write a custom solution, it would only be effective if Qubes repos included all of the regular TemplateVM distro's updates, and this would be far too costly for us to maintain.
How to install and update software in dom0 How to install and update software in dom0
------------------------------------------ ------------------------------------------
### How to update dom0 ### How to update dom0
In the Qube Manager, simply select dom0 in the VM list, then click the **Update VM system** button (the blue, downward-pointing arrow). In addition, updating dom0 has been made more convenient: You will be prompted on the desktop whenever new dom0 updates are available and given the choice to run the update with a single click. In the Qube Manager, simply select dom0 in the VM list, then click the **Update VM system** button (the blue, downward-pointing arrow).
In addition, updating dom0 has been made more convenient: You will be prompted on the desktop whenever new dom0 updates are available and given the choice to run the update with a single click.
Alternatively, command-line tools are available for accomplishing various update-related tasks (some of which are not available via Qubes VM Manager). In order to update dom0 from the command line, start a console in dom0 and then run one of the following commands: Alternatively, command-line tools are available for accomplishing various update-related tasks (some of which are not available via Qubes VM Manager).
In order to update dom0 from the command line, start a console in dom0 and then run one of the following commands:
To check and install updates for dom0 software: To check and install updates for dom0 software:
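Review bot: in the first paragraph of this hunk the line break falls inside the parenthetical, so "(The role of UpdateVM ..." opens on one line and "... assigned to the firewallvm.)" closes on the next, with "After the UpdateVM has successfully downloaded new packages ..." trailing on that same line. The opening line also still carries three sentences. Suggest one sentence per line throughout: the two-phase sentence, the "resolve and download" sentence, the parenthetical kept together, then "After the UpdateVM ..." on its own line.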
@ -48,7 +58,8 @@ To install additional packages in dom0 (usually not recommended):
$ sudo qubes-dom0-update anti-evil-maid $ sudo qubes-dom0-update anti-evil-maid
You may also pass the `--enablerepo=` option in order to enable optional repositories (see yum configuration in dom0). However, this is only for advanced users who really understand what they are doing. You may also pass the `--enablerepo=` option in order to enable optional repositories (see yum configuration in dom0).
However, this is only for advanced users who really understand what they are doing.
You can also pass commands to `dnf` using `--action=...`. You can also pass commands to `dnf` using `--action=...`.
### How to downgrade a specific package ### How to downgrade a specific package
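Review bot: the parenthetical "(see yum configuration in dom0)" on the reflowed `--enablerepo=` line names yum, while the unchanged line directly after it tells the reader to pass commands to `dnf`. The split itself is fine; since this paragraph is being reflowed anyway, consider making the package manager name consistent, or leave a note that it is deliberately out of scope for a whitespace-only commit.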
@ -87,7 +98,8 @@ You can re-install in a similar fashion to downgrading.
sudo dnf reinstall package sudo dnf reinstall package
~~~ ~~~
Note that `dnf` will only re-install if the installed and downloaded versions match. You can ensure they match by either updating the package to the latest version, or specifying the package version in the first step using the form `package-version`. Note that `dnf` will only re-install if the installed and downloaded versions match.
You can ensure they match by either updating the package to the latest version, or specifying the package version in the first step using the form `package-version`.
### How to uninstall a package ### How to uninstall a package
@ -106,8 +118,8 @@ There are three Qubes dom0 testing repositories:
* `qubes-dom0-unstable` -- packages that are not intended to land in the stable (`qubes-dom0-current`) * `qubes-dom0-unstable` -- packages that are not intended to land in the stable (`qubes-dom0-current`)
repository; mostly experimental debugging packages repository; mostly experimental debugging packages
To temporarily enable any of these repos, use the `--enablerepo=<repo-name>` To temporarily enable any of these repos, use the `--enablerepo=<repo-name>` option.
option. Example commands: Example commands:
~~~ ~~~
sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing
@ -120,8 +132,10 @@ To enable or disable any of these repos permanently, change the corresponding `e
### Kernel Upgrade ### ### Kernel Upgrade ###
Install newer kernel for dom0 and VMs. The package `kernel` is for dom0 and the package `kernel-qubes-vm` Install newer kernel for dom0 and VMs.
is needed for the VMs. (Note that the following example enables the unstable repo.) The package `kernel` is for dom0 and the package `kernel-qubes-vm`
is needed for the VMs.
(Note that the following example enables the unstable repo.)
~~~ ~~~
sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable kernel kernel-qubes-vm sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable kernel kernel-qubes-vm
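Review bot: the sentence "The package `kernel` is for dom0 and the package `kernel-qubes-vm` is needed for the VMs." is still broken after `kernel-qubes-vm` on the new side, which is the old hard wrap carried over rather than a semantic break. Join it onto one line, or break before "and" if a clause-level split is intended.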
@ -151,7 +165,10 @@ to do a lot of work yourself](https://groups.google.com/d/msg/qubes-users/m8sWoy
Requires installed [Whonix](/doc/privacy/whonix/). Requires installed [Whonix](/doc/privacy/whonix/).
Go to Qubes VM Manager -> System -> Global Settings. See the UpdateVM setting. Choose your desired Whonix-Gateway ProxyVM from the list. For example: sys-whonix. Go to Qubes VM Manager -> System -> Global Settings.
See the UpdateVM setting.
Choose your desired Whonix-Gateway ProxyVM from the list.
For example: sys-whonix.
Qubes VM Manager -> System -> Global Settings -> UpdateVM -> sys-whonix Qubes VM Manager -> System -> Global Settings -> UpdateVM -> sys-whonix