mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-10-01 01:25:40 -04:00
SoftwareUpdateDom0 changed
Added explanation of secure update scheme
parent
a5af3789f5
commit
600cb215ff
@ -18,6 +18,13 @@ However, we anticipate some other situations in which updating dom0 software mig
|
|||||||
- Correcting non-security related bugs (e.g. new buttons for qubes manager)
|
- Correcting non-security related bugs (e.g. new buttons for qubes manager)
|
||||||
- Adding new features (e.g. GUI backup tool)
|
- Adding new features (e.g. GUI backup tool)
|
||||||
|
|
||||||
|
How is software updated securely in dom0?
|
||||||
|
-----------------------------------------
|
||||||
|
|
||||||
|
The update process is split into two phases: "resolve and download" and "verify and install." The "resolve and download" phase is handled by the "UpdateVM." (The role of UpdateVM can be assigned to any VM in the Qubes VM Manager, and there are no significant security implications in this choice. By default, this role is assigned to the firewallvm.) After the UpdateVM has successfully downloaded new packages, they are sent to dom0, where they are verified and installed. This separation of duties significantly reduces the attack surface, since all of the network and metadata processing code is removed from the TCB.
|
||||||
|
|
||||||
|
Although this update scheme is far more secure than directly downloading updates in dom0, it is not invulnerable. For example, there is nothing that the Qubes project can feasibly do to prevent a malicious RPM from exploiting a hypothetical bug in GPG's `--verify` operation. At best, we could switch to a different distro or package manager, but any of them could be vulnerable to the same (or a similar) attack. While we could, in theory, write a custom solution, it would only be effective if Qubes repos included all of the regular TemplateVM distro's updates, and this would be far too costly for us to maintain.
|
||||||
|
|
||||||
How to update software in dom0
|
How to update software in dom0
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
|
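Review bot: In the first added paragraph, the parenthetical claim that the choice of UpdateVM has "no significant security implications" is in tension with the second added paragraph, which concedes that a malicious RPM could exploit a hypothetical bug in GPG's `--verify` operation. The UpdateVM is the component that downloads packages and sends them to dom0, so the claim only holds to the extent that dom0 verification is sound. Suggest qualifying the parenthetical accordingly or pointing it at the caveat that follows. The same paragraph says packages are "verified and installed" in dom0 without saying what is checked; the only hint is the later mention of GPG's `--verify`, so name the check where the "verify and install" phase is introduced. "TCB" is also used without being expanded on first use.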