mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-12-25 07:19:33 -05:00
Created page on installation security considerations.
This commit is contained in:
parent
79e40cc24d
commit
c10f332d30
73
InstallSecurity.md
Normal file
73
InstallSecurity.md
Normal file
@ -0,0 +1,73 @@
|
||||
---
|
||||
layout: doc
|
||||
title: InstallSecurity
|
||||
permalink: /doc/InstallSecurity/
|
||||
redirect_from: /wiki/InstallSecurity/
|
||||
---
|
||||
|
||||
# Installation Security Considerations #
|
||||
|
||||
## Verifying the Qubes ISO ##
|
||||
|
||||
You should [verify][] the PGP signature on your Qubes ISO before you install
|
||||
from it. However, if the machine on which you attempt the verification process
|
||||
is already compromised, it could falsely claim that a malicious ISO has a good
|
||||
signature. Therefore, in order to be certain that your Qubes ISO is trustworthy,
|
||||
you require a trustworthy machine. But how can you be certain *that* machine is
|
||||
trustworthy? Only by using another trusted machine, and so forth. This is a
|
||||
[classic problem][trusting-trust]. While various [solutions][countering] have
|
||||
been proposed, the point is that each user must ultimately make a choice about
|
||||
whether to trust that a file is non-malicious.
|
||||
|
||||
## Choosing an Installation Medium ##
|
||||
|
||||
So, after taking some measures to verify its integrity and authenticity, you've
|
||||
decided to trust your Qubes ISO. Great! Now you must decide what sort of medium
|
||||
on which to write it so that you can install from it. From a Qubes-specific
|
||||
security perspective, each has certain pros and cons.
|
||||
|
||||
### USB Drives ###
|
||||
|
||||
Pros:
|
||||
|
||||
* Works via USB, including with a [USBVM][].
|
||||
* Non-fixed capacity. (Easy to find one on which the ISO can fit.)
|
||||
|
||||
Cons:
|
||||
|
||||
* Rewriteable. (If the drive is mounted to a compromised machine, the ISO could
|
||||
be maliciously altered after it has been written to the drive.)
|
||||
* Untrustworthy firmware. (Firmware can be malicious even if the drive is new.
|
||||
Plugging a drive with rewriteable firmware into a compromised machine can
|
||||
also [compromise the drive][BadUSB]. Installing from a compromised drive
|
||||
could compromise even a brand new Qubes installation.)
|
||||
|
||||
### Optical Discs ###
|
||||
|
||||
Pros:
|
||||
|
||||
* Read-only available. (If you use read-only media, you don't have to worry
|
||||
about the ISO being maliciously altered after it has been written to the
|
||||
disc. You then have the option of verifying the signature on multiple
|
||||
different machines.)
|
||||
|
||||
Cons:
|
||||
|
||||
* Fixed capacity. (If the size of the ISO is larger than your disc, it will be
|
||||
inconvenient.)
|
||||
* Passthrough burning is not supported by Xen. (This mainly applies if you're
|
||||
upgrading from a previous version of Qubes.) Currently, the only options for
|
||||
burning optical discs in Qubes are:
|
||||
1. Use a USB optical drive.
|
||||
2. Attach a SATA optical drive to a secondary SATA controller, then assign
|
||||
this secondary SATA controller to an AppVM.
|
||||
3. Use a SATA optical drive attached to dom0.
|
||||
(Option 3 violates the Qubes security model since it entails transferring
|
||||
an untrusted ISO to dom0 in order to burn it to disc, which leaves only
|
||||
the other two options.)
|
||||
|
||||
[verify]: https://www.qubes-os.org/doc/VerifyingSignatures/
|
||||
[trusting-trust]: http://www.acm.org/classics/sep95/
|
||||
[countering]: http://www.dwheeler.com/trusting-trust/
|
||||
[USBVM]: https://www.qubes-os.org/doc/SecurityGuidelines/#creating-and-using-a-usbvm
|
||||
[BadUSB]: https://srlabs.de/badusb/
|
@ -11,6 +11,7 @@ Qubes Downloads
|
||||
- [System Requirements](/doc/SystemRequirements/)
|
||||
- [Hardware Compatibility List](/hcl/)
|
||||
- [On Digital Signatures and How to Verify Qubes Downloads](/doc/VerifyingSignatures/)
|
||||
- [Installation Security Considerations](/doc/InstallSecurity/)
|
||||
- [Licensing](/doc/QubesLicensing/)
|
||||
|
||||
Qubes Release 3.0
|
||||
|
Loading…
Reference in New Issue
Block a user