Add security information pertaining to DisposableVMs

This patch was prepared in collaboration with Simon Gaiser.

common-tasks/dispvm.md

@@ -23,6 +23,22 @@ While running, DispVMs will appear in Qubes VM Manager with the name `disp####`.
 See [this article](https://blog.invisiblethings.org/2010/06/01/disposable-vms.html) for more on why one would want to use a Disposable VM.
 
 
+Security
+--------
+
+If a [DVM Template] becomes compromised, then any DisposableVM based on that DVM Template could be compromised.
+In particular, the *default* DVM Template is important because it is used by the "Open in DispVM" feature.
+This means that it will have access to everything that you open with this feature.
+For this reason, it is strongly recommended that you base the default DVM Template on a trusted TemplateVM.
+
+### Disposable VMs and Local Forensics ###
+
+At this time, DispVMs should not be relied upon to circumvent local forensics, as they do not run entirely in RAM. 
+For details, see [this thread](https://groups.google.com/d/topic/qubes-devel/QwL5PjqPs-4/discussion).
+
+When it is essential to avoid leaving any trace, consider using [Tails](https://tails.boum.org/).
+
+
 Disposable VMs and Networking (R4.0 and later)
 -----------------------------
 
@@ -153,10 +169,6 @@ You can change the template used to generate the Disposable VMs, and change sett
 These changes will be reflected in every new Disposable VM based on that template. 
 Full instructions can be found [here](/doc/dispvm-customization/).
 
-Disposable VMs and Local Forensics
-----------------------------------
 
-At this time, DispVMs should not be relied upon to circumvent local forensics, as they do not run entirely in RAM. 
-For details, see [this thread](https://groups.google.com/d/topic/qubes-devel/QwL5PjqPs-4/discussion).
+[DVM Template]: /doc/glossary/#dvm-template
 
-When it is essential to avoid leaving any trace, consider using [Tails](https://tails.boum.org/).

configuration/salt.md

@@ -240,6 +240,24 @@ This way dom0 doesn't directly interact with potentially malicious target VMs;
 and in the case of a compromised Salt VM, because they are temporary, the 
 compromise cannot spread from one VM to another.
 
+In Qubes 3.2, this temporary VM is based on the default template.
+
+Beginning with Qubes 4.0 and after [QSB #45], we implemented two changes:
+
+1. Added the `management_dispvm` VM property, which specifies the DVM
+   Template that should be used for management, such as Salt
+   configuration.  TemplateBasedVMs inherit this property from their
+   parent TemplateVMs.  If the value is not set explicitly, the default
+   is taken from the global `management_dispvm` property. The
+   VM-specific property is set with the `qvm-prefs` command, while the
+   global property is set with the `qubes-prefs` command.
+
+2. Created the `default-mgmt-dvm` DVM Template, which is hidden from
+   the menu (to avoid accidental use), has networking disabled, and has
+   a black label (the same as TemplateVMs). This VM is set as the global
+   `management_dispvm`. Keep in mind that this DVM template has full control
+   over the VMs it's used to manage.
+
 ## Writing Your Own Configurations
 
 Let's start with a quick example:
@@ -535,3 +553,4 @@ The solution is to shut down the updateVM between each install:
 [jinja]: http://jinja.pocoo.org/
 [jinja-tmp]: http://jinja.pocoo.org/docs/2.9/templates/
 [jinja-call-salt-functions]: https://docs.saltstack.com/en/getstarted/config/jinja.html#get-data-using-salt
+[QSB #45]: /news/2018/12/03/qsb-45/

customization/dispvm-customization.md

@@ -12,6 +12,15 @@ redirect_from:
 Disposable VM Customization
 ============================
 
+Security
+--------
+
+If a DVM Template becomes compromised, then any DisposableVM based on that DVM Template could be compromised.
+Therefore, you should not make any risky customizations (e.g., installing untrusted browser plugins) in important DVM Templates.
+In particular, the *default* DVM Template is important becuase it is used by the "Open in DispVM" feature.
+This means that it will have access to everything that you open with this feature.
+For this reason, it is strongly recommended that you base the default DVM Template on a trusted TemplateVM and refrain from making any risky customizations to it.
+
 Qubes 4.0
 ----------