diff --git a/user/advanced-topics/how-to-install-software-in-dom0.md b/user/advanced-topics/how-to-install-software-in-dom0.md index 331849c6..3e9544d0 100644 --- a/user/advanced-topics/how-to-install-software-in-dom0.md +++ b/user/advanced-topics/how-to-install-software-in-dom0.md @@ -11,27 +11,37 @@ ref: 194 title: How to Install Software in Dom0 --- - +**Warning:** Installing software in dom0 is for advanced users only. Doing so +has the potential to compromise your entire Qubes OS installation. Exercise +extreme caution. ## Security -Since there is no networking in dom0, any bugs discovered in dom0 desktop components (e.g., the window manager) are unlikely to pose a problem for Qubes, since none of the third-party software running in dom0 is accessible from VMs or the network in any way. -Nonetheless, since software running in dom0 can potentially exercise full control over the system, it is important to install only trusted software in dom0. +Since there is no networking in dom0, any bugs discovered in dom0 desktop +components (e.g., the window manager) are unlikely to pose a problem for Qubes, +since none of the third-party software running in dom0 is accessible from VMs +or the network in any way. Nonetheless, since software running in dom0 can +potentially exercise full control over the system, it is important to install +only trusted software in dom0. -The install/update process is split into two phases: *resolve and download* and *verify and install*. -The *resolve and download* phase is handled by the UpdateVM. -(The role of UpdateVM can be assigned to any VM in the Qube Manager, and there are no significant security implications in this choice. -By default, this role is assigned to the FirewallVM.) -After the UpdateVM has successfully downloaded new packages, they are sent to dom0, where they are verified and installed. -This separation of duties significantly reduces the attack surface, since all of the network and metadata processing code is removed from the TCB. +The install/update process is split into two phases: *resolve and download* and +*verify and install*. The *resolve and download* phase is handled by the +UpdateVM. (The role of UpdateVM can be assigned to any VM in the Qube Manager, +and there are no significant security implications in this choice. By default, +this role is assigned to the FirewallVM.) After the UpdateVM has successfully +downloaded new packages, they are sent to dom0, where they are verified and +installed. This separation of duties significantly reduces the attack surface, +since all of the network and metadata processing code is removed from the TCB. -Although this update scheme is far more secure than directly downloading updates in dom0, it is not invulnerable. -For example, there is nothing that the Qubes OS Project can feasibly do to prevent a malicious RPM from exploiting a hypothetical bug in the cryptographic signature verification operation. -At best, we could switch to a different distro or package manager, but any of them could be vulnerable to the same (or a similar) attack. -While we could, in theory, write a custom solution, it would only be effective if Qubes repos included all of the regular template distro's updates, and this would be far too costly for us to maintain. +Although this update scheme is far more secure than directly downloading +updates in dom0, it is not invulnerable. For example, there is nothing that the +Qubes OS Project can feasibly do to prevent a malicious RPM from exploiting a +hypothetical bug in the cryptographic signature verification operation. At +best, we could switch to a different distro or package manager, but any of them +could be vulnerable to the same (or a similar) attack. While we could, in +theory, write a custom solution, it would only be effective if Qubes repos +included all of the regular template distro's updates, and this would be far +too costly for us to maintain. ## How to update dom0 @@ -45,13 +55,15 @@ To install additional packages in dom0 (usually not recommended): $ sudo qubes-dom0-update anti-evil-maid ``` -You may also pass the `--enablerepo=` option in order to enable optional repositories (see yum configuration in dom0). -However, this is only for advanced users who really understand what they are doing. -You can also pass commands to `dnf` using `--action=...`. +You may also pass the `--enablerepo=` option in order to enable optional +repositories (see yum configuration in dom0). However, this is only for +advanced users who really understand what they are doing. You can also pass +commands to `dnf` using `--action=...`. ## How to downgrade a specific package -**WARNING:** Downgrading a package can expose your system to security vulnerabilities. +**WARNING:** Downgrading a package can expose your system to security +vulnerabilities. 1. Download an older version of the package: @@ -59,7 +71,8 @@ You can also pass commands to `dnf` using `--action=...`. sudo qubes-dom0-update package-version ~~~ - Dnf will say that there is no update, but the package will nonetheless be downloaded to dom0. + Dnf will say that there is no update, but the package will nonetheless be + downloaded to dom0. 2. Downgrade the package: @@ -77,7 +90,8 @@ You can re-install in a similar fashion to downgrading. sudo qubes-dom0-update package ~~~ - Dnf will say that there is no update, but the package will nonetheless be downloaded to dom0. + Dnf will say that there is no update, but the package will nonetheless be + downloaded to dom0. 2. Re-install the package: @@ -85,12 +99,15 @@ You can re-install in a similar fashion to downgrading. sudo dnf reinstall package ~~~ - Note that `dnf` will only re-install if the installed and downloaded versions match. - You can ensure they match by either updating the package to the latest version, or specifying the package version in the first step using the form `package-version`. + Note that `dnf` will only re-install if the installed and downloaded + versions match. You can ensure they match by either updating the package to + the latest version, or specifying the package version in the first step + using the form `package-version`. ## How to uninstall a package -If you've installed a package such as anti-evil-maid, you can remove it with the following command: +If you've installed a package such as anti-evil-maid, you can remove it with +the following command: ``` sudo dnf remove anti-evil-maid @@ -100,15 +117,15 @@ sudo dnf remove anti-evil-maid There are three Qubes dom0 [testing](/doc/testing/) repositories: -- `qubes-dom0-current-testing` -- testing packages that will eventually land in the stable - (`current`) repository -- `qubes-dom0-security-testing` -- a subset of `qubes-dom0-current-testing` that contains packages - that qualify as security fixes -- `qubes-dom0-unstable` -- packages that are not intended to land in the stable (`qubes-dom0-current`) - repository; mostly experimental debugging packages +- `qubes-dom0-current-testing` -- testing packages that will eventually land in + the stable (`current`) repository +- `qubes-dom0-security-testing` -- a subset of `qubes-dom0-current-testing` + that contains packages that qualify as security fixes +- `qubes-dom0-unstable` -- packages that are not intended to land in the stable + (`qubes-dom0-current`) repository; mostly experimental debugging packages -To temporarily enable any of these repos, use the `--enablerepo=` option. -Example commands: +To temporarily enable any of these repos, use the `--enablerepo=` +option. Example commands: ~~~ sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing @@ -116,12 +133,13 @@ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable ~~~ -To enable or disable any of these repos permanently, change the corresponding `enabled` value to `1` in -`/etc/yum.repos.d/qubes-dom0.repo`. +To enable or disable any of these repos permanently, change the corresponding +`enabled` value to `1` in `/etc/yum.repos.d/qubes-dom0.repo`. ## Contributed package repository -Please see [installing contributed packages](/doc/installing-contributed-packages/). +Please see [installing contributed +packages](/doc/installing-contributed-packages/). ## Kernel upgrade @@ -133,8 +151,11 @@ The packages `kernel` and `kernel-latest` are for dom0. In the `current` repository: -- `kernel`: an older LTS kernel that has passed Qubes [testing](/doc/testing/) (the default dom0 kernel) -- `kernel-latest`: the latest release from kernel.org that has passed Qubes [testing](/doc/testing/) (useful for [troubleshooting newer hardware](/doc/newer-hardware-troubleshooting/)) +- `kernel`: an older LTS kernel that has passed Qubes [testing](/doc/testing/) + (the default dom0 kernel) +- `kernel-latest`: the latest release from kernel.org that has passed Qubes + [testing](/doc/testing/) (useful for [troubleshooting newer + hardware](/doc/newer-hardware-troubleshooting/)) In the `current-testing` repository: @@ -143,8 +164,8 @@ In the `current-testing` repository: ### domU -The packages `kernel-qubes-vm` and `kernel-latest-qubes-vm` are for domUs. -See [Managing VM kernel](/doc/managing-vm-kernels/) for more information. +The packages `kernel-qubes-vm` and `kernel-latest-qubes-vm` are for domUs. See +[Managing VM kernel](/doc/managing-vm-kernels/) for more information. ### Example @@ -154,17 +175,19 @@ See [Managing VM kernel](/doc/managing-vm-kernels/) for more information. sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable kernel kernel-qubes-vm ~~~ -If the update process does not automatically do it (you should see it mentioned in the CLI output -from the update command), you may need to manually rebuild the EFI or grub config depending on which -your system uses. +If the update process does not automatically do it (you should see it mentioned +in the CLI output from the update command), you may need to manually rebuild +the EFI or grub config depending on which your system uses. -*EFI*: Replace the example version numbers with the one you are upgrading to. +#### EFI + +Replace the example version numbers with the one you are upgrading to. ~~~ sudo dracut -f /boot/efi/EFI/qubes/initramfs-4.14.35-1.pvops.qubes.x86_64.img 4.14.35-1.pvops.qubes.x86_64 ~~~ -*Grub2* +#### Grub2 ~~~ sudo grub2-mkconfig -o /boot/grub2/grub.cfg @@ -178,25 +201,25 @@ to do a lot of work yourself](https://groups.google.com/d/msg/qubes-users/m8sWoy ## Changing default kernel -This section describes changing the default kernel in dom0. -It is sometimes needed if you have upgraded to a newer kernel and are having problems booting, for example. -The procedure varies depending on if you are booting with UEFI or grub. -On the next kernel update, the default will revert to the newest. +This section describes changing the default kernel in dom0. It is sometimes +needed if you have upgraded to a newer kernel and are having problems booting, +for example. The procedure varies depending on if you are booting with UEFI or +grub. On the next kernel update, the default will revert to the newest. -*EFI* +### EFI ~~~ sudo nano /boot/efi/EFI/qubes/xen.cfg ~~~ -In the `[global]` section at the top, change the `default=` line to match one of the three boot entries listed below. -For example, +In the `[global]` section at the top, change the `default=` line to match one +of the three boot entries listed below. For example: ~~~ default=4.19.67-1.pvops.qubes.x86_64 ~~~ -*Grub2* +### Grub2 ~~~ sudo nano /etc/default/grub @@ -207,21 +230,20 @@ GRUB_SAVEDEFAULT=true sudo grub2-mkconfig -o /boot/grub2/grub.cfg ~~~ -Then, reboot. -Once the grub menu appears, choose "Advanced Options for Qubes (with Xen hypervisor)". -Next, the top menu item (for example, "Xen hypervisor, version 4.8.5-9.fc25"). -Select the kernel you want as default, and it will be remembered for next boot. +Then, reboot. Once the grub menu appears, choose "Advanced Options for Qubes +(with Xen hypervisor)". Next, the top menu item (for example, "Xen hypervisor, +version 4.8.5-9.fc25"). Select the kernel you want as default, and it will be +remembered for next boot. ## Updating over Tor Requires installed [Whonix](/doc/privacy/whonix/). -Go to Qubes VM Manager -> System -> Global Settings. -See the UpdateVM setting. -Choose your desired Whonix-Gateway ProxyVM from the list. -For example: sys-whonix. +Go to Qubes VM Manager -> System -> Global Settings. See the UpdateVM setting. +Choose your desired Whonix-Gateway ProxyVM from the list. For example: +sys-whonix. -` +``` Qubes VM Manager -> System -> Global Settings -> UpdateVM -> sys-whonix -` +```