Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2024-12-18 04:04:39 -05:00
Code Issues Packages Projects Releases Wiki Activity
b93b3c571e
qubes-doc/developer/debugging/safe-remote-ttys.rst
Marek Marczykowski-Górecki b93b3c571e
Convert to RST
2024-05-21 20:59:46 +02:00

98 lines
2.5 KiB
ReStructuredText
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

==========================
Safe remote dom0 terminals
==========================
If you do not have working graphics in Dom0, then using a terminal can
be quite annoying! This was the case for the author while trying to
debug PCI-passthrough of a machines primary (only) GPU.
Your first thought might be to just allow network access to Dom0, enable
ssh, and connect in remotely. But, this gravely violates the Qubes
security model.
Instead, a better solution is to split the input and output paths of
using a terminal. Use your normal keyboard for input, but have the
output go to a remote machine in a unidirectional manner.
To do this, we make use of script(1), qvm-run, and optionally your
network transport of choice.
To a different VM
-----------------
As an example of forwarding terminal output to another VM on the same
machine:
.. code:: bash
$ mkfifo /tmp/foo
$ qvm-run -p some-vm 'xterm -e "cat 0<&5" 5<&0' </tmp/foo >/dev/null 2>&1 &
$ script -f /tmp/foo
To a different machine
----------------------
In this case over SSH (from a network-connected VM):
.. code:: bash
$ mkfifo /tmp/foo
$ qvm-run -p some-vm \
'ssh user@host sh -c "DISPLAY=:0 xterm -e \"cat 0<&5\" 5<&0"' \
</tmp/foo >/dev/null 2>&1 &
$ script -f /tmp/foo
Note that no data received over SSH is ever treated as terminal input in
Dom0. The input path remains only from your trusted local keyboard.
Multiple terminals
------------------
For multiple terminals, you may find it easier to just use tmux than to
try to blindly switch to the correct window.
Terminal size
-------------
It is up to you to ensure the sizes of the local and remote terminal are
the same, otherwise things may display incorrectly (especially in
interactive programs). Depending on your shell, the size of your local
(blind) terminal is likely stored in the ``$LINES`` and ``$COLUMNS``
variables.
.. code:: bash
$ echo $COLUMNS $LINES
80 24
A note on serial consoles
-------------------------
If your machine has a serial console, you may with to use that, but note
that a similar split-I/O model should be used to ensure Dom0 integrity.
If you use the serial console as normal (via e.g. getty on ttyX, and
logging in as normal), then the machine at the end of the serial cable
could compromise your machine! Ideally, you would take input from your
trusted keyboard, and only send the output over the serial cable via
e.g. disabling getty and using:
.. code:: bash
script -f /dev/ttyS0
You dont even need to connect the TX pin.
Reference in New Issue View Git Blame Copy Permalink