From 9586996f15f625c01c7f081cc9a6e7257b397df1 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Mon, 3 Dec 2018 20:11:10 -0600 Subject: [PATCH] Add security information pertaining to DisposableVMs This patch was prepared in collaboration with Simon Gaiser. --- common-tasks/dispvm.md | 22 +++++++++++++++++----- configuration/salt.md | 19 +++++++++++++++++++ customization/dispvm-customization.md | 9 +++++++++ 3 files changed, 45 insertions(+), 5 deletions(-) diff --git a/common-tasks/dispvm.md b/common-tasks/dispvm.md index 5208d48f..b9250a17 100644 --- a/common-tasks/dispvm.md +++ b/common-tasks/dispvm.md @@ -23,6 +23,22 @@ While running, DispVMs will appear in Qubes VM Manager with the name `disp####`. See [this article](https://blog.invisiblethings.org/2010/06/01/disposable-vms.html) for more on why one would want to use a Disposable VM. +Security +-------- + +If a [DVM Template] becomes compromised, then any DisposableVM based on that DVM Template could be compromised. +In particular, the *default* DVM Template is important because it is used by the "Open in DispVM" feature. +This means that it will have access to everything that you open with this feature. +For this reason, it is strongly recommended that you base the default DVM Template on a trusted TemplateVM. + +### Disposable VMs and Local Forensics ### + +At this time, DispVMs should not be relied upon to circumvent local forensics, as they do not run entirely in RAM. +For details, see [this thread](https://groups.google.com/d/topic/qubes-devel/QwL5PjqPs-4/discussion). + +When it is essential to avoid leaving any trace, consider using [Tails](https://tails.boum.org/). + + Disposable VMs and Networking (R4.0 and later) ----------------------------- 
@@ -153,10 +169,6 @@ You can change the template used to generate the Disposable VMs, and change sett These changes will be reflected in every new Disposable VM based on that template. Full instructions can be found [here](/doc/dispvm-customization/). -Disposable VMs and Local Forensics ----------------------------------- -At this time, DispVMs should not be relied upon to circumvent local forensics, as they do not run entirely in RAM. -For details, see [this thread](https://groups.google.com/d/topic/qubes-devel/QwL5PjqPs-4/discussion). +[DVM Template]: /doc/glossary/#dvm-template -When it is essential to avoid leaving any trace, consider using [Tails](https://tails.boum.org/). diff --git a/configuration/salt.md b/configuration/salt.md index 12308b0a..9518e7b7 100644 --- a/configuration/salt.md +++ b/configuration/salt.md 
@@ -240,6 +240,24 @@ This way dom0 doesn't directly interact with potentially malicious target VMs; and in the case of a compromised Salt VM, because they are temporary, the compromise cannot spread from one VM to another. +In Qubes 3.2, this temporary VM is based on the default template. + +Beginning with Qubes 4.0 and after [QSB #45], we implemented two changes: + +1. Added the `management_dispvm` VM property, which specifies the DVM + Template that should be used for management, such as Salt + configuration. TemplateBasedVMs inherit this property from their + parent TemplateVMs. If the value is not set explicitly, the default + is taken from the global `management_dispvm` property. The + VM-specific property is set with the `qvm-prefs` command, while the + global property is set with the `qubes-prefs` command. + +2. Created the `default-mgmt-dvm` DVM Template, which is hidden from + the menu (to avoid accidental use), has networking disabled, and has + a black label (the same as TemplateVMs). This VM is set as the global + `management_dispvm`. Keep in mind that this DVM template has full control + over the VMs it's used to manage. + ## Writing Your Own Configurations Let's start with a quick example: @@ -535,3 +553,4 @@ The solution is to shut down the updateVM between each install: [jinja]: http://jinja.pocoo.org/ [jinja-tmp]: http://jinja.pocoo.org/docs/2.9/templates/ [jinja-call-salt-functions]: https://docs.saltstack.com/en/getstarted/config/jinja.html#get-data-using-salt +[QSB #45]: /news/2018/12/03/qsb-45/ diff --git a/customization/dispvm-customization.md b/customization/dispvm-customization.md index 5dbfbd78..4de0c937 100644 --- a/customization/dispvm-customization.md +++ b/customization/dispvm-customization.md 
@@ -12,6 +12,15 @@ redirect_from: Disposable VM Customization ============================ +Security +-------- + +If a DVM Template becomes compromised, then any DisposableVM based on that DVM Template could be compromised. +Therefore, you should not make any risky customizations (e.g., installing untrusted browser plugins) in important DVM Templates. +In particular, the *default* DVM Template is important becuase it is used by the "Open in DispVM" feature. +This means that it will have access to everything that you open with this feature. +For this reason, it is strongly recommended that you base the default DVM Template on a trusted TemplateVM and refrain from making any risky customizations to it. + Qubes 4.0 ----------
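Review bot: In the first hunk of `common-tasks/dispvm.md` (`@@ -23,6 +23,22 @@`), the new sub-heading `### Disposable VMs and Local Forensics ###` uses ATX style with closing hashes, while every other heading in the file, including the new `Security` heading added just above it, uses the setext underline style; for consistency, either drop the trailing `###` or keep the setext form the file already uses. The security text itself is sound: it correctly scopes the risk to "could be compromised" rather than "is", and it names the "Open in DispVM" feature as the reason the default DVM Template deserves the most trust. Consider linking "TemplateVM" to the glossary the same way `[DVM Template]` is linked, since the recommendation hinges on the reader understanding that the trust chain runs DispVM -> DVM Template -> TemplateVM.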
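Review bot: In the `configuration/salt.md` hunk (`@@ -240,6 +240,24 @@`), item 1 says the VM-specific property "is set with the `qvm-prefs` command, while the global property is set with the `qubes-prefs` command" but gives no example invocation, which is what a reader about to change a security-relevant setting needs; suggest adding the two concrete forms, e.g. `qvm-prefs <vm> management_dispvm <dvm-template>` and `qubes-prefs management_dispvm <dvm-template>`. Item 2 closes with the important caveat that `default-mgmt-dvm` "has full control over the VMs it's used to manage"; it would be worth one more sentence making the consequence explicit: the TemplateVM that `default-mgmt-dvm` is based on must be trusted at least as much as every VM it manages, because a compromise of that TemplateVM propagates through every management DispVM, which matches the `Security` guidance added in `common-tasks/dispvm.md` elsewhere in this patch. Also note that "networking disabled" is a property of the DVM Template as shipped; a user who re-enables networking on it, or on a custom `management_dispvm`, removes that protection, so the text could say so.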
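Review bot: In the `customization/dispvm-customization.md` hunk (`@@ -12,6 +12,15 @@`), the added line `+In particular, the *default* DVM Template is important becuase it is used by the "Open in DispVM" feature.` has a typo: "becuase" should be "because" (the same sentence is spelled correctly in the `common-tasks/dispvm.md` hunk). This `Security` section also duplicates four of its five sentences from the one added to `common-tasks/dispvm.md`; to keep the two from drifting apart in future edits, consider keeping the customization-specific sentence here ("you should not make any risky customizations (e.g., installing untrusted browser plugins) in important DVM Templates") and linking to the `Security` section of `/doc/dispvm/` for the general statement, or at least adding a comment noting that the two passages are meant to stay in sync. The `[DVM Template]` reference link used in `common-tasks/dispvm.md` is not used here, so the bare "DVM Template" is fine as written.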