From 9e9087431efdc0fca66fdd3b5a3a1fae90e6d106 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Mon, 26 Aug 2019 19:39:40 -0500 Subject: [PATCH 1/7] Add section on security updates --- project-security/security.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/project-security/security.md b/project-security/security.md index a3ab976e..25eb0c82 100644 --- a/project-security/security.md +++ b/project-security/security.md @@ -33,6 +33,10 @@ Reporting Security Issues in Qubes OS If you believe you have found a security issue affecting Qubes OS, either directly or indirectly (e.g. the issue affects Xen in a configuration that is used in Qubes OS), then we would be more than happy to hear from you! We promise to treat any reported issue seriously and, if the investigation confirms that it affects Qubes, to patch it within a reasonable time and release a public [Qubes Security Bulletin][Security Bulletins] that describes the issue, discusses the potential impact of the vulnerability, references applicable patches or workarounds, and credits the discoverer. +Security Updates +---------------- + +Qubes security updates are obtained by [Updating Qubes OS]. The Qubes Security Team ----------------------- @@ -82,4 +86,6 @@ Please see [Why and How to Verify Signatures] for information about how to verif [Simon Gaiser (aka HW42)]: /team/#simon-gaiser-aka-hw42 [Joanna Rutkowska]: /team/#joanna-rutkowska [emeritus, canaries only]: /news/2018/11/05/qubes-security-team-update/ +[Updating Qubes OS]: /doc/updating-qubes-os/ + From ba4686599aa939b1923e1f887d0af64ba9597af9 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Mon, 26 Aug 2019 19:41:11 -0500 Subject: [PATCH 2/7] Link to dom0 kernel upgrade section QubesOS/qubes-issues#4846 --- user/advanced-configuration/managing-vm-kernel.md | 7 ++++++- .../newer-hardware-troubleshooting.md | 8 ++++++-- 2 files changed, 12 insertions(+), 3 deletions(-) 
diff --git a/user/advanced-configuration/managing-vm-kernel.md b/user/advanced-configuration/managing-vm-kernel.md index d6cddacf..2df4598d 100644 --- a/user/advanced-configuration/managing-vm-kernel.md +++ b/user/advanced-configuration/managing-vm-kernel.md @@ -9,7 +9,9 @@ redirect_from: VM kernel managed by dom0 ========================= -By default, VMs kernels are provided by dom0. This means that: +By default, VMs kernels are provided by dom0. +(See [here][dom0-kernel-upgrade] for information about upgrading kernels in dom0.) +This means that: 1. You can select the kernel version (using GUI VM Settings tool or `qvm-prefs` commandline tool); 2. You can modify kernel options (using `qvm-prefs` commandline tool); @@ -331,3 +333,6 @@ In any case you can later access the VM's logs (especially the VM console log `/ You can always set the kernel back to some dom0-provided value to fix a VM kernel installation. + +[dom0-kernel-upgrade]: /doc/software-update-dom0/#kernel-upgrade + diff --git a/user/advanced-configuration/newer-hardware-troubleshooting.md b/user/advanced-configuration/newer-hardware-troubleshooting.md index 23bd35d4..4ed30ba8 100644 --- a/user/advanced-configuration/newer-hardware-troubleshooting.md +++ b/user/advanced-configuration/newer-hardware-troubleshooting.md @@ -10,8 +10,8 @@ Troubleshooting newer hardware By default, the kernel that is installed in dom0 comes from the `kernel` package, which is an older Linux LTS kernel. For most cases this works fine since the Linux kernel developers backport fixes to this kernel, but for some newer hardware, you may run into issues. For example, the audio might not work if the sound card is too new for the LTS kernel. - -To fix this, you can try the `kernel-latest` package - though be aware that it's less tested! +To fix this, you can try the `kernel-latest` package -- though be aware that it's less tested! +(See [here][dom0-kernel-upgrade] for more information about upgrading kernels in dom0.) In dom0: ~~~ 
@@ -23,3 +23,7 @@ You can double-check that the boot used the newer kernel with `uname -r`, which Compare this with the output of `rpm -q kernel`. If the start of `uname -r` matches one of the versions printed by `rpm`, then you're still using the Linux LTS kernel, and you'll probably need to manually fix your boot settings. If `uname -r` reports a higher version number, then you've successfully booted with the kernel shipped by `kernel-latest`. + + +[dom0-kernel-upgrade]: /doc/software-update-dom0/#kernel-upgrade + From 306180e0562818dc54d5a3f446cf821f26e382ed Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Mon, 26 Aug 2019 19:43:07 -0500 Subject: [PATCH 3/7] Add intro sentence explicitly mentioning security updates --- user/common-tasks/updating-qubes-os.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/user/common-tasks/updating-qubes-os.md b/user/common-tasks/updating-qubes-os.md index bfc6d53d..c3a0aa4a 100644 --- a/user/common-tasks/updating-qubes-os.md +++ b/user/common-tasks/updating-qubes-os.md @@ -7,9 +7,10 @@ permalink: /doc/updating-qubes-os/ Updating Qubes OS ================= -This page is about updating your system while staying on the same [supported version of Qubes OS]. -If you're instead looking to upgrade from your current version of Qubes OS to a newer version, see the [Upgrade Guides]. +*This page is about updating your system while staying on the same [supported version of Qubes OS]. +If you're instead looking to upgrade from your current version of Qubes OS to a newer version, see the [Upgrade Guides].* +It is very important to keep your Qubes OS system up-to-date to ensure you have the latest [security] updates, as well as the latest non-security enhancements and bug fixes. Fully updating your Qubes OS system means updating: - [Dom0] 
@@ -18,7 +19,7 @@ Fully updating your Qubes OS system means updating: Visit the pages above to see to how to update each one. -The final step is to make sure that all of your VMs are running a supported operating system so that they're all receiving security updates. +The final step is to make sure that all of your VMs are running a supported operating system so that they're all receiving upstream security updates. For example, you might be using a [Fedora TemplateVM]. The [Fedora Project] is independent of the Qubes OS Project. They set their own [schedule] for when each Fedora release reaches [end-of-life] (EOL). @@ -29,6 +30,7 @@ The one exception is dom0, which [doesn't have to be upgraded][dom0-eol]. [supported version of Qubes OS]: /doc/supported-versions/#qubes-os [Upgrade Guides]: /doc/upgrade/ +[security]: /security/ [Dom0]: /doc/software-update-dom0/ [TemplateVMs]: /doc/software-update-vm/#installing-or-updating-software-in-the-templatevm [StandaloneVMs]: /doc/software-update-vm/#standalone-vms From 25019a471e443c0752d9c468195750239eed154c Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Mon, 26 Aug 2019 19:43:58 -0500 Subject: [PATCH 4/7] Add general intro --- user/common-tasks/software-update-vm.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/user/common-tasks/software-update-vm.md b/user/common-tasks/software-update-vm.md index 6541077b..bebc633c 100644 --- a/user/common-tasks/software-update-vm.md +++ b/user/common-tasks/software-update-vm.md 
@@ -11,6 +11,10 @@ redirect_from: Installing and updating software in VMs ======================================= +Updating TemplateVMs and StandaloneVMs are two of the main steps in [Updating Qubes OS]. +It is very import to keep TemplateVMs and StandaloneVMs up-to-date with the latest [security] updates. +Updating these VMs also allows you to receive various non-security bug fixes and enhancements both from the Qubes OS Project and from your upstream distro maintainer. + How TemplateVMs work in Qubes ------------------------------ @@ -256,3 +260,7 @@ sudo dnf config-manager --set-enabled rpmfusion-free rpmfusion-nonfree sudo dnf upgrade --refresh ~~~ + +[Updating Qubes OS]: /doc/updating-qubes-os/ +[security]: /security/ + From c967544150100b5f181468e84aa7104b811a2e6f Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Mon, 26 Aug 2019 19:44:13 -0500 Subject: [PATCH 5/7] Revamp "Installing and updating software in dom0" - Add general intro - Update and revise security section - Improve formatting - Update kernel upgrade section (QubesOS/qubes-issues#4846) --- user/common-tasks/software-update-dom0.md | 85 ++++++++++++++--------- 1 file changed, 51 insertions(+), 34 deletions(-) diff --git a/user/common-tasks/software-update-dom0.md b/user/common-tasks/software-update-dom0.md index 5cb56110..6c5ad088 100644 --- a/user/common-tasks/software-update-dom0.md +++ b/user/common-tasks/software-update-dom0.md 
@@ -8,39 +8,31 @@ redirect_from: - /wiki/SoftwareUpdateDom0/ --- -Installing and updating software in dom0 -======================================== +# Installing and updating software in dom0 -Why would one want to install or update software in dom0? ---------------------------------------------------------- +Updating dom0 is one of the main steps in [Updating Qubes OS]. +It is very import to keep dom0 up-to-date with the latest [security] updates. +We also publish dom0 updates for various non-security bug fixes and enhancements to Qubes components. +In addition, you may wish to update the kernel, drivers, or libraries in dom0 when [troubleshooting newer hardware]. -Normally, there should be few reasons for installing or updating software in dom0. -This is because there is no networking in dom0, which means that even if some bugs are discovered e.g. in the dom0 Desktop Manager, this really is not a problem for Qubes, because none of the third-party software running in dom0 is accessible from VMs or the network in any way. -Some exceptions to this include: Qubes GUI daemon, Xen store daemon, and disk back-ends. -(We plan move the disk backends to an untrusted domain in a future Qubes release.) Of course, we believe this software is reasonably secure, and we hope it will not need patching. +## Security -However, we anticipate some other situations in which installing or updating dom0 software might be necessary or desirable: +Since there is no networking in dom0, any bugs discovered in dom0 desktop components (e.g., the window manager) are unlikely to pose a problem for Qubes, since none of the third-party software running in dom0 is accessible from VMs or the network in any way. +Nonetheless, since software running in dom0 can potentially exercise full control over the system, it is important to install only trusted software in dom0. -- Updating drivers/libs for new hardware support -- Correcting non-security related bugs (e.g. 
new buttons for qubes manager) -- Adding new features (e.g. GUI backup tool) - -How is software installed and updated securely in dom0? -------------------------------------------------------- - -The install/update process is split into two phases: "resolve and download" and "verify and install." The "resolve and download" phase is handled by the "UpdateVM." (The role of UpdateVM can be assigned to any VM in the Qubes VM Manager, and there are no significant security implications in this choice. -By default, this role is assigned to the firewallvm.) After the UpdateVM has successfully downloaded new packages, they are sent to dom0, where they are verified and installed. +The install/update process is split into two phases: *resolve and download* and *verify and install*. +The *resolve and download* phase is handled by the UpdateVM. +(The role of UpdateVM can be assigned to any VM in the Qube Manager, and there are no significant security implications in this choice. +By default, this role is assigned to the FirewallVM.) +After the UpdateVM has successfully downloaded new packages, they are sent to dom0, where they are verified and installed. This separation of duties significantly reduces the attack surface, since all of the network and metadata processing code is removed from the TCB. Although this update scheme is far more secure than directly downloading updates in dom0, it is not invulnerable. -For example, there is nothing that the Qubes project can feasibly do to prevent a malicious RPM from exploiting a hypothetical bug in GPG's `--verify` operation. +For example, there is nothing that the Qubes OS Project can feasibly do to prevent a malicious RPM from exploiting a hypothetical bug in the cryptographic signature verification operation. At best, we could switch to a different distro or package manager, but any of them could be vulnerable to the same (or a similar) attack. 
While we could, in theory, write a custom solution, it would only be effective if Qubes repos included all of the regular TemplateVM distro's updates, and this would be far too costly for us to maintain. -How to install and update software in dom0 ------------------------------------------- - -### How to update dom0 +## How to update dom0 In the Qube Manager, simply select dom0 in the VM list, then click the **Update VM system** button (the blue, downward-pointing arrow). In addition, updating dom0 has been made more convenient: You will be prompted on the desktop whenever new dom0 updates are available and given the choice to run the update with a single click. @@ -52,7 +44,7 @@ To check and install updates for dom0 software: $ sudo qubes-dom0-update -### How to install a specific package +## How to install a specific package To install additional packages in dom0 (usually not recommended): @@ -62,7 +54,7 @@ You may also pass the `--enablerepo=` option in order to enable optional reposit However, this is only for advanced users who really understand what they are doing. You can also pass commands to `dnf` using `--action=...`. -### How to downgrade a specific package +## How to downgrade a specific package **WARNING:** Downgrading a package can expose your system to security vulnerabilities. @@ -80,7 +72,7 @@ You can also pass commands to `dnf` using `--action=...`. sudo dnf downgrade package-version ~~~ -### How to re-install a package +## How to re-install a package You can re-install in a similar fashion to downgrading. 
@@ -101,15 +93,15 @@ You can re-install in a similar fashion to downgrading. Note that `dnf` will only re-install if the installed and downloaded versions match. You can ensure they match by either updating the package to the latest version, or specifying the package version in the first step using the form `package-version`. -### How to uninstall a package +## How to uninstall a package If you've installed a package such as anti-evil-maid, you can remove it with the following command: sudo dnf remove anti-evil-maid -### Testing repositories +## Testing repositories -There are three Qubes dom0 testing repositories: +There are three Qubes dom0 [testing] repositories: * `qubes-dom0-current-testing` -- testing packages that will eventually land in the stable (`current`) repository @@ -130,11 +122,29 @@ sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable To enable or disable any of these repos permanently, change the corresponding `enabled` value to `1` in `/etc/yum.repos.d/qubes-dom0.repo`. -### Kernel Upgrade ### +## Kernel upgrade + +This section describes upgrading the kernel in dom0 and domUs. + +### dom0 + +The packages `kernel` and `kernel-latest` are for dom0. + +In the `current` repository: + - `kenrnel`: an older LTS kernel that has passed Qubes [testing] (the default dom0 kernel) + - `kernel-latest`: the latest release from kernel.org that has passed Qubes [testing] (useful for [troubleshooting newer hardware]) + +In the `current-testing` repository: + - `kenrnel`: the latest LTS kernel from kernel.org at the time it was built. + - `kernel-latest`: the latest release from kernel.org at the time it was built. + +### domU + +The package `kernel-qubes-vm` is for domUs. +See [Managing VM kernel] for more information. + +### Example -Install newer kernel for dom0 and VMs. -The package `kernel` is for dom0 and the package `kernel-qubes-vm` -is needed for the VMs. (Note that the following example enables the unstable repo.) ~~~ 
@@ -161,7 +171,7 @@ If you wish to upgrade to a kernel that is not available from the repos, then there is no easy way to do so, but [it may still be possible if you're willing to do a lot of work yourself](https://groups.google.com/d/msg/qubes-users/m8sWoyV58_E/HYdReRIYBAAJ). -### Upgrading over Tor ### +## Updating over Tor ### Requires installed [Whonix](/doc/privacy/whonix/). @@ -172,3 +182,10 @@ For example: sys-whonix. Qubes VM Manager -> System -> Global Settings -> UpdateVM -> sys-whonix + +[Updating Qubes OS]: /doc/updating-qubes-os/ +[security]: /security/ +[testing]: /doc/testing/ +[troubleshooting newer hardware]: /doc/newer-hardware-troubleshooting/ +[Managing VM kernel]: /doc/managing-vm-kernel/ + From dbc5b67b64f049d6bd379879d095f4d8d03fd428 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Mon, 26 Aug 2019 20:12:55 -0500 Subject: [PATCH 6/7] Update link to "Installing and updating software in dom0" --- introduction/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/introduction/faq.md b/introduction/faq.md index b0024a92..13a61b23 100644 --- a/introduction/faq.md +++ b/introduction/faq.md @@ -118,7 +118,7 @@ Please refer to [this page](/doc/vm-sudo/). ### Why is dom0 so old? Please see: -- [Why would one want to update software in dom0?](/doc/software-update-dom0/#why-would-one-want-to-install-or-update-software-in-dom0) +- [Installing and updating software in dom0](/doc/software-update-dom0/) - [Note on dom0 and EOL](/doc/supported-versions/#note-on-dom0-and-eol) ### Do you recommend coreboot as an alternative to vendor BIOS? From 32610009424a58e22e133b7d10f8b86c2978b809 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Wed, 28 Aug 2019 16:48:46 -0500 Subject: [PATCH 7/7] Fix typos; mention kernel-latest-qubes-vm --- user/common-tasks/software-update-dom0.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/user/common-tasks/software-update-dom0.md b/user/common-tasks/software-update-dom0.md index 6c5ad088..6ab412ec 100644 --- a/user/common-tasks/software-update-dom0.md +++ b/user/common-tasks/software-update-dom0.md @@ -131,16 +131,16 @@ This section describes upgrading the kernel in dom0 and domUs. The packages `kernel` and `kernel-latest` are for dom0. In the `current` repository: - - `kenrnel`: an older LTS kernel that has passed Qubes [testing] (the default dom0 kernel) + - `kernel`: an older LTS kernel that has passed Qubes [testing] (the default dom0 kernel) - `kernel-latest`: the latest release from kernel.org that has passed Qubes [testing] (useful for [troubleshooting newer hardware]) In the `current-testing` repository: - - `kenrnel`: the latest LTS kernel from kernel.org at the time it was built. + - `kernel`: the latest LTS kernel from kernel.org at the time it was built. - `kernel-latest`: the latest release from kernel.org at the time it was built. ### domU -The package `kernel-qubes-vm` is for domUs. +The packages `kernel-qubes-vm` and `kernel-latest-qubes-vm` are for domUs. See [Managing VM kernel] for more information. ### Example
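
Review bot: In PATCH 2/7, user/common-tasks/managing-vm-kernel.md, the added parenthetical sits between "By default, VMs kernels are provided by dom0." and "This means that:", so "This" no longer directly follows the sentence it refers to. Consider moving the cross-reference below the numbered list, or folding it into the first sentence. In both files the link text is "here"; a descriptive label such as "upgrading kernels in dom0" reads better out of context and for screen readers. Since the first line is being touched anyway, "VMs kernels" could become "VM kernels".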
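
Review bot: In PATCH 4/7, user/common-tasks/software-update-vm.md, the second added intro line reads "It is very import to keep TemplateVMs and StandaloneVMs up-to-date"; "import" should be "important". The same slip appears in the new intro of software-update-dom0.md in PATCH 5/7 ("It is very import to keep dom0 up-to-date"), and the "Fix typos" commit in PATCH 7/7 does not touch either line. The first added sentence also has a subject/verb mismatch: "Updating TemplateVMs and StandaloneVMs are two of the main steps" would read better as "Updating TemplateVMs and updating StandaloneVMs are ...".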
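
Review bot: In PATCH 5/7, first hunk of user/common-tasks/software-update-dom0.md, the new "## Security" paragraph keeps the claim that "none of the third-party software running in dom0 is accessible from VMs or the network in any way" but drops the removed sentence that named the exceptions (Qubes GUI daemon, Xen store daemon, and disk back-ends). Without it the paragraph no longer tells the reader which dom0 components are reachable from VMs, which is the part that motivates prompt dom0 security updates. Suggest keeping one sentence that lists those components, or explaining in the commit message why the list was removed.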
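
Review bot: In PATCH 5/7, the "## Kernel upgrade" hunk, the package name is misspelled as `kenrnel` in both new lists; this is only corrected in PATCH 7/7, so the fix would be better squashed into this commit to keep each commit in the series correct on its own. The new lists also refer to the `current` and `current-testing` repositories, while the "Testing repositories" section just above uses the full name `qubes-dom0-current-testing`; using one form throughout lets readers match the names against `/etc/yum.repos.d/qubes-dom0.repo`. Minor: the `current-testing` items end with a period and the `current` items do not.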
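
Review bot: In PATCH 5/7, the hunk that renames the Tor section, the new heading is "## Updating over Tor ###", which leaves the old trailing "###" in place while every other heading in this commit had its closing hashes removed (for example "### Kernel Upgrade ###" became "## Kernel upgrade"). Suggest "## Updating over Tor". The unchanged line in the following hunk still says "Qubes VM Manager -> System -> Global Settings", although the Security section in this same commit switches to "Qube Manager"; worth aligning while the page is being revamped.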
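
Review bot: In PATCH 6/7, introduction/faq.md, the replacement link under "Why is dom0 so old?" now points at the top of /doc/software-update-dom0/ rather than at a section that answers the question. The old anchor had to go because its heading is removed in PATCH 5/7, but the explanation survives in the new "## Security" section, so linking to that section would keep the FAQ answer as direct as before. Please also confirm that no other pages still link to the removed `#why-would-one-want-to-install-or-update-software-in-dom0` anchor.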
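
Review bot: In PATCH 7/7, the "### domU" paragraph now names both `kernel-qubes-vm` and `kernel-latest-qubes-vm` but does not say how they differ, whereas the dom0 list directly above describes `kernel` and `kernel-latest` per repository. A short parallel description (or a sentence stating that they correspond to the dom0 `kernel` and `kernel-latest` packages, if that is the case) would keep readers from having to guess which one to install.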