SecurityGuidelines changed

Added document structure
This commit is contained in:
Axon 2014-08-05 08:12:10 +00:00
parent 47841c322a
commit 54959413bc


@ -7,9 +7,24 @@ permalink: /wiki/SecurityGuidelines/
Security Guidelines
===================
1. [Security Guidelines](#SecurityGuidelines)
1. [Download Verification](#DownloadVerification)
2. [Observing Security Contexts](#ObservingSecurityContexts)
3. [Installing Versus Running Programs](#InstallingVersusRunningPrograms)
4. [Enabling and Verifying VT-d/IOMMU](#EnablingandVerifyingVT-dIOMMU)
5. [Updating Software](#UpdatingSoftware)
6. [Handling Untrusted Files](#HandlingUntrustedFiles)
7. [Anti Evil Maid](#AntiEvilMaid)
8. [Reassigning USB Controllers](#ReassigningUSBControllers)
9. [Creating and Using a USBVM](#CreatingandUsingaUSBVM)
10. [Dom0 Precautions](#Dom0Precautions)
The [Qubes introduction](http://theinvisiblethings.blogspot.com/2012/09/introducing-qubes-10.html) makes clear that without some active and responsible participation of the user, no real security is possible. So, for example, Qubes does not automagically make your Firefox (or any other app) running in one of the AppVMs suddenly more secure. It is just as [secure (or insecure)](https://en.wikipedia.org/wiki/Computer_insecurity) as on a normal Linux or Windows OS. But what drastically changes is the context in which your applications are used. [This context](/wiki/QubesArchitecture) is a [responsibility of the user](/wiki/SecurityGoals). But participation requires knowledge. So it is worth stressing some basic items:
**1.** **Verify authenticity and integrity of your downloads**, [particularly Qubes iso](/wiki/VerifyingSignatures).
Download Verification
---------------------
**Verify the authenticity and integrity of your downloads, [particularly Qubes iso](/wiki/VerifyingSignatures).**
Standard program installation
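Review bot: the new table of contents nests the ten section links under a wrapping entry `1. [Security Guidelines](#SecurityGuidelines)`, but the sub-entries sit at the same indentation as that entry, so the list will render flat with a duplicated `1.`; either indent the ten sub-entries or drop the wrapping entry. The anchors are also hand-written (`#DownloadVerification`, `#EnablingandVerifyingVT-dIOMMU`) and have to match the ids the wiki generates from the setext headings added below; click each link once the page renders, especially the one whose heading contains `-` and a `/` that the anchor omits.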
@ -31,15 +46,24 @@ Even then, you might want to consider new repository to be **less** secure and d
But if you need to download programs that cannot be verified, then it is certainly better to install them in a **cloned template or a standalone VM**.
**2.** To each VM is associated a specific colour of window borders in Qubes. They are how Qubes communicates the **security context** of applications and data so that users can be easily aware of this at all times. So be sure to check the colour of window borders before taking any action, particularly if related to security, [see blog](http://theinvisiblethings.blogspot.com/2011/05/app-oriented-ui-model-and-its-security.html).
Observing Security Contexts
---------------------------
To each VM is associated a specific colour of window borders in Qubes. They are how Qubes communicates the **security context** of applications and data so that users can be easily aware of this at all times. So be sure to check the colour of window borders before taking any action, particularly if related to security, [see blog](http://theinvisiblethings.blogspot.com/2011/05/app-oriented-ui-model-and-its-security.html).
Also, be sure to use **Expose-like effect** when dealing with a smaller window displayed on top of a larger window. Remember that a "red" Firefox, can always draw a "green" password prompt box, and you don't want to enter your password there!
Check **Expose-like effect** is activated (e.g. System Tools -\> System Settings -\> Desktop Effects -\> All Effects -\> Desktop Grid Present Windows effects in KDE, or, if you're a hard-core Xfce4 user or something, then manually move the more trusted window so that it is not displayed on top of a less trusted one, but rather over the trusted Dom0 wallpaper.
**3.** With the exception of the editor required for configuration, one should not run applications in either template VMs or in Dom0. From a security standpoint there is a great difference between installing a program and running it.
Installing Versus Running Programs
----------------------------------
**4.** In **Dom0** terminal, run:
With the exception of the editor required for configuration, one should not run applications in either template VMs or in Dom0. From a security standpoint there is a great difference between installing a program and running it.
Enabling and Verifying VT-d/IOMMU
---------------------------------
In **Dom0** terminal, run:
``` {.wiki}
qubes-hcl-report <userVM>
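Review bot: the sentence `Check **Expose-like effect** is activated (e.g. System Tools -\> System Settings -\> ... effects in KDE, or, if you're a hard-core Xfce4 user ...` opens a parenthesis that is never closed; close it after `effects in KDE` so the KDE path is the parenthetical and the Xfce4 alternative stands as its own clause. While here, the new `Installing Versus Running Programs` section consists of a single two-sentence paragraph; the heading promises a comparison, so a line on what the reader is expected to do in the TemplateVM (install, then close it) versus in an AppVM (run) would make the section match its title.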
@ -49,7 +73,10 @@ where \<userVM\> is the name of the VM within which the report will be written (
If VT-d is not active, attempt to activate it by selecting the **VT-d flag** within the BIOS settings. If your processor/BIOS does not allow VT-d activation you still enjoy much better security than alternative systems, but you may be vulnerable to **DMA attacks**. Next time you buy a computer consult our **HCL (Hardware Compatibility List)** and possibly contribute to it.
**5.** To keep your system regularly updated against security related bugs and get new features, run in Dom0:
Updating Software
-----------------
To keep your system regularly updated against security related bugs and get new features, run in Dom0:
``` {.wiki}
sudo qubes-dom0-update
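Review bot: `consult our **HCL (Hardware Compatibility List)**` in the VT-d paragraph is bolded but, unlike every other cross-reference on this page, not linked; turn it into a wiki link the way `[install AEM](/wiki/AntiEvilMaid)` and the others are, since the reader is being told to consult and contribute to it.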
@ -63,15 +90,24 @@ sudo yum update
or use the equivalent items in Qubes Manager, which displays an icon when an update is available.
**6.** When you receive or download any file from an **untrusted source**, do not browse to it with a file manager which has preview enabled. **To disable preview in Nautilus**: Gear (up-right-icon) -\> Preferences -\> Preview (tab) -\> Show thumbnails: Never. Note that this change can be made in a TemplateVM (including the [DispVM template](/wiki/UserDoc/DispVMCustomization)) so that future AppVMs created from this TemplateVM will inherit this feature.
Handling Untrusted Files
------------------------
When you receive or download any file from an **untrusted source**, do not browse to it with a file manager which has preview enabled. **To disable preview in Nautilus**: Gear (up-right-icon) -\> Preferences -\> Preview (tab) -\> Show thumbnails: Never. Note that this change can be made in a TemplateVM (including the [DispVM template](/wiki/UserDoc/DispVMCustomization)) so that future AppVMs created from this TemplateVM will inherit this feature.
Also, **do not open it in trusted VMs**. Rather open it in a **disposable VM** right-clicking on it. You may even modify it within the disposable VM and then [copy it to other VM](/wiki/CopyingFiles).
Alternatively PDFs may be converted to **trusted PDF** right clicking on them. This converts text to graphic form, so size will increase.
**7.** If there is a risk that somebody may **physically attack** your computer when you leave it powered down, or if you use Qubes in **dual boot mode**, then you may want to [install AEM](/wiki/AntiEvilMaid) (Anti Evil Maid). AEM will inform you of any unauthorized modifications to your BIOS or boot partition. If AEM alerts you of an attack it is really bad news because **there is no true fix**. If you are really serious about security you have to buy a new laptop and install Qubes from a trusted ISO. So buying a used laptop is not an option for a security focused one.
Anti Evil Maid
--------------
**8.** Before you [assign a USB controller to a VM](/wiki/AssigningDevices) check if any **input devices** are included in that controller.
If there is a risk that somebody may **physically attack** your computer when you leave it powered down, or if you use Qubes in **dual boot mode**, then you may want to [install AEM](/wiki/AntiEvilMaid) (Anti Evil Maid). AEM will inform you of any unauthorized modifications to your BIOS or boot partition. If AEM alerts you of an attack it is really bad news because **there is no true fix**. If you are really serious about security you have to buy a new laptop and install Qubes from a trusted ISO. So buying a used laptop is not an option for a security focused one.
Reassigning USB Controllers
---------------------------
Before you [assign a USB controller to a VM](/wiki/AssigningDevices) check if any **input devices** are included in that controller.
Assigning USB keyboard will **deprive Dom0 VM of a keyboard**. Since a USB controller assignment survives reboot, you may find yourself **unable to access your system**. Most non-Apple laptops have a PS/2 input for keyboard and mouse, so this problem does not exist.
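Review bot: `Most non-Apple laptops have a PS/2 input for keyboard and mouse, so this problem does not exist.` (last context line) overstates the case: the internal PS/2 wiring is why the lock-out is usually absent, not a guarantee, and the preceding sentence says the assignment survives reboot. Suggest `so this problem usually does not exist` and a sentence on how to revert the controller assignment when dom0 has been left without input, since that is the recovery the reader will need.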
@ -85,7 +121,10 @@ It is preferably to avoid using **Bluetooth** if you travel and if you do not tr
Many laptops will also allow one to disable various hardware (Camera, BT, Mic, etc) **in BIOS**. This might or might not be safe, depending on how much you trust your BIOS vendor.
**9.** The connection of an **untrusted USB external drive to Dom0** may involve some risk because Dom0 reads **partition tables** automatically, and also because the whole USB stack is put to work **to parse** all the USB device info first, to determine if it is a USB Mass Storage, and to read its config, etc. This happens even if the drive is then assigned and mounted in another VM.
Creating and Using a USBVM
--------------------------
The connection of an **untrusted USB external drive to Dom0** may involve some risk because Dom0 reads **partition tables** automatically, and also because the whole USB stack is put to work **to parse** all the USB device info first, to determine if it is a USB Mass Storage, and to read its config, etc. This happens even if the drive is then assigned and mounted in another VM.
To avoid this risk it is possible to prepare and utilize a **USBVM**. However this is not presently recommended for beginners, as Xen does not yet provide a working PVUSB, and so only USB Mass Storage devices could be passed to individual VMs later (via qvm-block). This involves that a USBVM cannot be preinstalled and the whole thing cannot be automatized. So avoid it if you have doubts.
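Review bot: `This involves that a USBVM cannot be preinstalled and the whole thing cannot be automatized.` is ungrammatical; `This means that a USBVM cannot be preinstalled and the setup cannot be automated.` carries the intended sense. The rest of the paragraph is clear and the caveat about PVUSB is the right thing to say up front.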
@ -95,22 +134,12 @@ An **USBVM** operates like a dedicated temporary parking area, used just to prev
**The process for creating a USBVM** is:
1. In Dom0 terminal type:
``` {.wiki}
lsusb
```
to check if you have a USB controller free of input devices or programmable devices. If you find such free controller, then
1. Create a new AppVM. Call it "usbvm" (or whatever you want).
2. Give it "red" or "orange" or "yellow" label.
3. In the AppVM's settings, go to the "devices" tab. Find your USB
controller in the "Available" list. Move it to the "Selected" list.
1. Click OK. Restart the AppVM. (Restarting may not even be required.)
2. **In dom0 terminal**, run
1. In Dom0 terminal type `lsusb` to check if you have a USB controller free of input devices or programmable devices. If you find such free controller, then
2. Create a new AppVM. Call it "usbvm" (or whatever you want).
3. Give it "red" or "orange" or "yellow" label.
4. In the AppVM's settings, go to the "devices" tab. Find your USB controller in the "Available" list. Move it to the "Selected" list.
5. Click OK. Restart the AppVM. (Restarting may not even be required.)
6. **In dom0 terminal**, run
``` {.wiki}
qvm-prefs -s usbvm autostart true
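Review bot: step 1 (`In Dom0 terminal type \`lsusb\` to check if you have a USB controller free of input devices or programmable devices`) asks the reader to work out which devices hang off which controller, but plain `lsusb` prints one line per device with only a bus number; `lsusb -t` prints the bus tree and makes that check straightforward, so consider naming it. Minor: the item ends with `then` while the next item starts a fresh sentence, so the trailing `then` should go.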
@ -118,4 +147,7 @@ controller in the "Available" list. Move it to the "Selected" list.
This will cause your new **USBVM** to automatically start when the system starts up. So that in case you forgot to start it and then accidentally plugged a USB stick (or your colleague at work did it while you were at lunch), **it won't compromise the Dom0**.
**10.** Do not use any file managers in dom0. Some file managers (such as the Thunar File Manager, which is pre-installed by default in the Xfce4 version of dom0) list loop devices used by running VMs. When one of these devices is selected in the file manager, the loop device is mounted to dom0, effectively transferring the contents of the home directory of an untrusted AppVM to dom0. See: [this email](https://groups.google.com/d/msg/qubes-users/_tkjmBa9m9w/9BbKh94PVtcJ).
Dom0 Precautions
----------------
Do not use any file managers in dom0. Some file managers (such as the Thunar File Manager, which is pre-installed by default in the Xfce4 version of dom0) list loop devices used by running VMs. When one of these devices is selected in the file manager, the loop device is mounted to dom0, effectively transferring the contents of the home directory of an untrusted AppVM to dom0. See: [this email](https://groups.google.com/d/msg/qubes-users/_tkjmBa9m9w/9BbKh94PVtcJ).
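Review bot: the reference `See: [this email](https://groups.google.com/d/msg/qubes-users/_tkjmBa9m9w/9BbKh94PVtcJ)` uses non-descriptive link text; give the qubes-users thread subject so the reader knows what the link documents before leaving the page. The paragraph otherwise states the mechanism well (selecting a running VM's loop device mounts it in dom0), which is what justifies the blanket `Do not use any file managers in dom0`.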