Update "How to Install Software in Dom0"

- Convert alert into text warning (Now that every advanced page has the same sticky alert at the top, it looks odd to have similar alerts above and below the h1 heading.) - Fix headings - Fix syntax - Wrap text
2025-08-21 04:38:37 -04:00 · 2021-06-19 21:01:26 -07:00 · 2021-06-19 21:01:26 -07:00 · f490482273
commit f490482273
parent 3676c18bdb
1 changed files with 85 additions and 63 deletions
--- a/user/advanced-topics/how-to-install-software-in-dom0.md
+++ b/user/advanced-topics/how-to-install-software-in-dom0.md
@ -11,27 +11,37 @@ ref: 194
 title: How to Install Software in Dom0
 ---
-<div class="alert alert-danger" role="alert">
+**Warning:** Installing software in dom0 is for advanced users only. Doing so
-  <i class="fa fa-exclamation-triangle"></i>
+has the potential to compromise your entire Qubes OS installation. Exercise
-  <b>Warning:</b> Installing software in dom0 is for advanced users only. Doing so has the potential to compromise your entire Qubes OS installation. Exercise extreme caution.
+extreme caution.
 </div>
 ## Security
-Since there is no networking in dom0, any bugs discovered in dom0 desktop components (e.g., the window manager) are unlikely to pose a problem for Qubes, since none of the third-party software running in dom0 is accessible from VMs or the network in any way.
+Since there is no networking in dom0, any bugs discovered in dom0 desktop
-Nonetheless, since software running in dom0 can potentially exercise full control over the system, it is important to install only trusted software in dom0.
+components (e.g., the window manager) are unlikely to pose a problem for Qubes,
 since none of the third-party software running in dom0 is accessible from VMs
 or the network in any way. Nonetheless, since software running in dom0 can
 potentially exercise full control over the system, it is important to install
 only trusted software in dom0.
-The install/update process is split into two phases: *resolve and download* and *verify and install*.
+The install/update process is split into two phases: *resolve and download* and
-The *resolve and download* phase is handled by the UpdateVM.
+*verify and install*. The *resolve and download* phase is handled by the
-(The role of UpdateVM can be assigned to any VM in the Qube Manager, and there are no significant security implications in this choice.
+UpdateVM. (The role of UpdateVM can be assigned to any VM in the Qube Manager,
-By default, this role is assigned to the FirewallVM.)
+and there are no significant security implications in this choice. By default,
-After the UpdateVM has successfully downloaded new packages, they are sent to dom0, where they are verified and installed.
+this role is assigned to the FirewallVM.) After the UpdateVM has successfully
-This separation of duties significantly reduces the attack surface, since all of the network and metadata processing code is removed from the TCB.
+downloaded new packages, they are sent to dom0, where they are verified and
 installed. This separation of duties significantly reduces the attack surface,
 since all of the network and metadata processing code is removed from the TCB.
-Although this update scheme is far more secure than directly downloading updates in dom0, it is not invulnerable.
+Although this update scheme is far more secure than directly downloading
-For example, there is nothing that the Qubes OS Project can feasibly do to prevent a malicious RPM from exploiting a hypothetical bug in the cryptographic signature verification operation.
+updates in dom0, it is not invulnerable. For example, there is nothing that the
-At best, we could switch to a different distro or package manager, but any of them could be vulnerable to the same (or a similar) attack.
+Qubes OS Project can feasibly do to prevent a malicious RPM from exploiting a
-While we could, in theory, write a custom solution, it would only be effective if Qubes repos included all of the regular template distro's updates, and this would be far too costly for us to maintain.
+hypothetical bug in the cryptographic signature verification operation. At
 best, we could switch to a different distro or package manager, but any of them
 could be vulnerable to the same (or a similar) attack. While we could, in
 theory, write a custom solution, it would only be effective if Qubes repos
 included all of the regular template distro's updates, and this would be far
 too costly for us to maintain.
 ## How to update dom0
@ -45,13 +55,15 @@ To install additional packages in dom0 (usually not recommended):
 $ sudo qubes-dom0-update anti-evil-maid
 ```
-You may also pass the `--enablerepo=` option in order to enable optional repositories (see yum configuration in dom0).
+You may also pass the `--enablerepo=` option in order to enable optional
-However, this is only for advanced users who really understand what they are doing.
+repositories (see yum configuration in dom0). However, this is only for
-You can also pass commands to `dnf` using `--action=...`.
+advanced users who really understand what they are doing. You can also pass
 commands to `dnf` using `--action=...`.
 ## How to downgrade a specific package
-**WARNING:** Downgrading a package can expose your system to security vulnerabilities.
+**WARNING:** Downgrading a package can expose your system to security
 vulnerabilities.
 1. Download an older version of the package:
@ -59,7 +71,8 @@ You can also pass commands to `dnf` using `--action=...`.
    sudo qubes-dom0-update package-version
    ~~~
-    Dnf will say that there is no update, but the package will nonetheless be downloaded to dom0.
+    Dnf will say that there is no update, but the package will nonetheless be
    downloaded to dom0.
 2. Downgrade the package:
@ -77,7 +90,8 @@ You can re-install in a similar fashion to downgrading.
    sudo qubes-dom0-update package
    ~~~
-    Dnf will say that there is no update, but the package will nonetheless be downloaded to dom0.
+    Dnf will say that there is no update, but the package will nonetheless be
    downloaded to dom0.
 2. Re-install the package:
@ -85,12 +99,15 @@ You can re-install in a similar fashion to downgrading.
    sudo dnf reinstall package
    ~~~
-    Note that `dnf` will only re-install if the installed and downloaded versions match.
+    Note that `dnf` will only re-install if the installed and downloaded
-    You can ensure they match by either updating the package to the latest version, or specifying the package version in the first step using the form `package-version`.
+    versions match. You can ensure they match by either updating the package to
    the latest version, or specifying the package version in the first step
    using the form `package-version`.
 ## How to uninstall a package
-If you've installed a package such as anti-evil-maid, you can remove it with the following command:
+If you've installed a package such as anti-evil-maid, you can remove it with
 the following command:
 ```
 sudo dnf remove anti-evil-maid
@ -100,15 +117,15 @@ sudo dnf remove anti-evil-maid
 There are three Qubes dom0 [testing](/doc/testing/) repositories:
- `qubes-dom0-current-testing` -- testing packages that will eventually land in the stable
+- `qubes-dom0-current-testing` -- testing packages that will eventually land in
-  (`current`) repository
+  the stable (`current`) repository
- `qubes-dom0-security-testing` -- a subset of `qubes-dom0-current-testing` that contains packages
+- `qubes-dom0-security-testing` -- a subset of `qubes-dom0-current-testing`
-  that qualify as security fixes
+  that contains packages that qualify as security fixes
- `qubes-dom0-unstable` -- packages that are not intended to land in the stable (`qubes-dom0-current`)
+- `qubes-dom0-unstable` -- packages that are not intended to land in the stable
-  repository; mostly experimental debugging packages
+  (`qubes-dom0-current`) repository; mostly experimental debugging packages
-To temporarily enable any of these repos, use the `--enablerepo=<repo-name>` option.
+To temporarily enable any of these repos, use the `--enablerepo=<repo-name>`
-Example commands:
+option. Example commands:
 ~~~
 sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing
@ -116,12 +133,13 @@ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing
 sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable
 ~~~
-To enable or disable any of these repos permanently, change the corresponding `enabled` value to `1` in
+To enable or disable any of these repos permanently, change the corresponding
-`/etc/yum.repos.d/qubes-dom0.repo`.
+`enabled` value to `1` in `/etc/yum.repos.d/qubes-dom0.repo`.
 ## Contributed package repository
-Please see [installing contributed packages](/doc/installing-contributed-packages/).
+Please see [installing contributed
 packages](/doc/installing-contributed-packages/).
 ## Kernel upgrade
@ -133,8 +151,11 @@ The packages `kernel` and `kernel-latest` are for dom0.
 In the `current` repository:
- `kernel`: an older LTS kernel that has passed Qubes [testing](/doc/testing/) (the default dom0 kernel)
+- `kernel`: an older LTS kernel that has passed Qubes [testing](/doc/testing/)
- `kernel-latest`: the latest release from kernel.org that has passed Qubes [testing](/doc/testing/) (useful for [troubleshooting newer hardware](/doc/newer-hardware-troubleshooting/))
+  (the default dom0 kernel)
 - `kernel-latest`: the latest release from kernel.org that has passed Qubes
  [testing](/doc/testing/) (useful for [troubleshooting newer
  hardware](/doc/newer-hardware-troubleshooting/))
 In the `current-testing` repository:
@ -143,8 +164,8 @@ In the `current-testing` repository:
 ### domU
-The packages `kernel-qubes-vm` and `kernel-latest-qubes-vm` are for domUs.
+The packages `kernel-qubes-vm` and `kernel-latest-qubes-vm` are for domUs. See
-See [Managing VM kernel](/doc/managing-vm-kernels/) for more information.
+[Managing VM kernel](/doc/managing-vm-kernels/) for more information.
 ### Example
@ -154,17 +175,19 @@ See [Managing VM kernel](/doc/managing-vm-kernels/) for more information.
 sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable kernel kernel-qubes-vm
 ~~~
-If the update process does not automatically do it (you should see it mentioned in the CLI output
+If the update process does not automatically do it (you should see it mentioned
-from the update command), you may need to manually rebuild the EFI or grub config depending on which
+in the CLI output from the update command), you may need to manually rebuild
-your system uses.
+the EFI or grub config depending on which your system uses.
-*EFI*: Replace the example version numbers with the one you are upgrading to.
+#### EFI
 Replace the example version numbers with the one you are upgrading to.
 ~~~
 sudo dracut -f /boot/efi/EFI/qubes/initramfs-4.14.35-1.pvops.qubes.x86_64.img 4.14.35-1.pvops.qubes.x86_64
 ~~~
-*Grub2*
+#### Grub2
 ~~~
 sudo grub2-mkconfig -o /boot/grub2/grub.cfg
@ -178,25 +201,25 @@ to do a lot of work yourself](https://groups.google.com/d/msg/qubes-users/m8sWoy
 ## Changing default kernel
-This section describes changing the default kernel in dom0.
+This section describes changing the default kernel in dom0. It is sometimes
-It is sometimes needed if you have upgraded to a newer kernel and are having problems booting, for example.
+needed if you have upgraded to a newer kernel and are having problems booting,
-The procedure varies depending on if you are booting with UEFI or grub.
+for example. The procedure varies depending on if you are booting with UEFI or
-On the next kernel update, the default will revert to the newest.
+grub. On the next kernel update, the default will revert to the newest.
-*EFI*
+### EFI
 ~~~
 sudo nano /boot/efi/EFI/qubes/xen.cfg
 ~~~
-In the `[global]` section at the top, change the `default=` line to match one of the three boot entries listed below.
+In the `[global]` section at the top, change the `default=` line to match one
-For example,
+of the three boot entries listed below. For example:
 ~~~
 default=4.19.67-1.pvops.qubes.x86_64
 ~~~
-*Grub2*
+### Grub2
 ~~~
 sudo nano /etc/default/grub
@ -207,21 +230,20 @@ GRUB_SAVEDEFAULT=true
 sudo grub2-mkconfig -o /boot/grub2/grub.cfg
 ~~~
-Then, reboot.
+Then, reboot. Once the grub menu appears, choose "Advanced Options for Qubes
-Once the grub menu appears, choose "Advanced Options for Qubes (with Xen hypervisor)".
+(with Xen hypervisor)". Next, the top menu item (for example, "Xen hypervisor,
-Next, the top menu item (for example, "Xen hypervisor, version 4.8.5-9.fc25").
+version 4.8.5-9.fc25"). Select the kernel you want as default, and it will be
-Select the kernel you want as default, and it will be remembered for next boot.
+remembered for next boot.
 ## Updating over Tor
 Requires installed [Whonix](/doc/privacy/whonix/).
-Go to Qubes VM Manager -> System -> Global Settings.
+Go to Qubes VM Manager -> System -> Global Settings. See the UpdateVM setting.
-See the UpdateVM setting.
+Choose your desired Whonix-Gateway ProxyVM from the list. For example:
-Choose your desired Whonix-Gateway ProxyVM from the list.
+sys-whonix.
 For example: sys-whonix.
-`
+```
 Qubes VM Manager -> System -> Global Settings -> UpdateVM -> sys-whonix
-`
+```