extra configuration files and services

README.md

@@ -126,9 +126,22 @@ Due to potential security implications of arbitrary code execution (firewall.rul
 
 - Update checks may also leak information, better to disable them except for dom0.
 
+### /var (or other directory) fills up in template qubes!
+
+This happens due to how QubesOS handles overwriting root directory in templates. All the changes go into the `root-cow.img` image which unfortunately is stored under the `varlibqubes` pool.
+There might be a way to enforce template-local CoW cache, but it hasn't been investigated yet. For now, the possible solutions are:
+1. Create a standalone qube
+
+### To template or not to template?
+
+- Templates WILL disclose your system packages to an adversary.
+- On the other hand, standalone qubes - long discussion ahead.
+
 ## In development
 
 - Automated `surgeon-dissect` script which extracts the qubes from qubes.xml with all the necessary modifications and precautions.
+- `reliant-bootstrap` for automated system setup
+- `reliant-shred` for eliminating data leaks volume-wise
 
 [^1]: Using a combination of `systemd.volatile=overlay`, `blockdev --setro` and `mount -o ro`.
 

extra/INSTALL.md

@@ -0,0 +1,30 @@
+# extra
+
+These are extra configuration files required by Reliant. To install them into dom0, run the following commands as root
+
+```sh
+qvm-run --pass-io bootstrap "cat /home/$USER/reliant-system/extra/grub.systemd-volatile-overlay" > /etc/default/grub.systemd-volatile-overlay
+echo ". /etc/default/grub.systemd-volatile-overlay" >> /etc/default/grub
+
+qvm-run --pass-io bootstrap "cat /home/$USER/reliant-system/extra/overlay.conf" > /etc/dracut.conf.d/overlay.conf
+dracut --force --regenerate-all
+
+qvm-run --pass-io bootstrap "cat /home/$USER/reliant-system/extra/shufflecake-close.service" > /etc/systemd/system/shufflecake-close.service
+qvm-run --pass-io bootstrap "cat /home/$USER/reliant-system/extra/shufflecake-close.sh" > /usr/share/scripts/shufflecake-close.sh
+systemctl daemon-reload
+systemctl enable shufflecake-close.service
+```
+
+where `bootstrap` is the name of your bootstrap qube.
+
+### grub.systemd-volatile-overlay
+
+Adds `systemd.volatile=overlay` to the kernel command line to enforce volatile root in dom0.
+
+### overlay.conf
+
+Adds the `overlay.ko` module into the initramfs to support root on OverlayFS.
+
+### shufflecake-close
+
+Ensures all Shufflecake volumes are closed before shutdown to avoid data corruption.

extra/grub.systemd-volatile-overlay

@@ -0,0 +1 @@
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX systemd.volatile=overlay"

extra/overlay.conf

@@ -0,0 +1 @@
+add_drivers+=" overlay "

extra/shufflecake-close.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Unmount and close Shufflecake volumes
+DefaultDependencies=no
+Before=shutdown.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/scripts/shufflecake-close.sh
+
+[Install]
+WantedBy=halt.target reboot.target shutdown.target

extra/shufflecake-close.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Load reliant-common
+. /usr/share/scripts/reliant-common.sh
+
+# Read the system configuration file
+reliant_read_config /etc/reliant.conf
+
+# Check if the system is running in maintenance mode
+if [ ! -d /run/shufflecake ]; then
+    # If yes, do nothing
+    exit 0
+fi
+
+# Seal and close each Shufflecake volume
+for path in /run/shufflecake/*; do
+    volume="${path##*/}"
+    reliant-seal "$volume"
+    umount "$path"
+done
+
+# Close the Shufflecake device
+shufflecake close "$RELIANT_SECURE_DEVICE"