Thanks & Initial feedback
Craig Balding
I'm very excited about Qubes - decent isolation of my laptop in a
smart/thoughtful design and very well packaged for an alpha. Well done
to both of you!
Half the battle to get Qubes running has been getting Fedora 12 properly
setup on my MacBook Pro 5,1. It's not a Qubes issue, more a clash of
open and closed cultures :/. Stuck with Vesa (tried nouveau tips - no
joy) - performance is good enough for now (occasional X segfaults
immediately after reboots are a pain). Will troubleshoot further later.
Here's some feedback so far:
- the PCI network device grabbing routine in
/usr/lib/qubes/unbind_all_network_devices only grabbed my wireless card
- not the built-in ethernet card. The regexp for slot number matching
is [0-9][0-9]:[0-9][0-9].[0-9] so my ethernet card (00.0a.0) was
ignored. I fixed this locally ([0-9a-f]...) so now both NICs are
grabbed (this was essential for me as there is no compatible wireless
driver in the netvm - the b43/ssb drivers don't work for the Broadcom
BCM4322 in a MacBook Pro 5.1).
- I need to compile the Broadcom Linux STA driver for use within the
NetVM. I'm unable to find a kernel-devel for the netvm in the qubes
repo (not surprised by this given its really just an example netvm). Do
I just grab the respective linux kernel and xen sources or is there any
special magic involved?
- to reduce the friction of copy/pasting URLs from email and social VMs
(think numerous tinyurls) to the random VM (assume I want separation),
it would be desirable to set-up configurable handlers to send URIs
between VMs (without requiring TCP/IP connectivity between the two).
This would provide a friendly way to enforce a users chosen policy of
where they surf (right now, I have a very simple kludge set-up that
prompts me when I click a link in my email client with the message
"Are you sure you want to surf from this VM?"). I realise shooting URLs
between VMs automagically increases the attack surface, but perhaps the
usability win makes this worth considering.
- I'm looking forward to the upcoming audio changes so I can isolate
Skype (well, its isolated on a dedicated machine for now...).
Keep up the good work!
Craig
P.S This email sent from Qubes...yup, I fit in the "determined user"
category ;-)
--
http://cloudsecurity.org
Joanna Rutkowska
> Hi
>
> I'm very excited about Qubes - decent isolation of my laptop in a
> smart/thoughtful design and very well packaged for an alpha. Well done
> to both of you!
>
> Half the battle to get Qubes running has been getting Fedora 12 properly
> setup on my MacBook Pro 5,1. It's not a Qubes issue, more a clash of
> open and closed cultures :/. Stuck with Vesa (tried nouveau tips - no
> joy) - performance is good enough for now (occasional X segfaults
> immediately after reboots are a pain). Will troubleshoot further later.
>
Perhaps you should report the issue on Fedora mailing list. In the
future Qubes would have its own installer, but it will be based (most
likely) on Fedora's anaconda. So fixing this might benefit Qubes in the
future too.
> Here's some feedback so far:
>
> - the PCI network device grabbing routine in
> /usr/lib/qubes/unbind_all_network_devices only grabbed my wireless card
> - not the built-in ethernet card. The regexp for slot number matching
> is [0-9][0-9]:[0-9][0-9].[0-9] so my ethernet card (00.0a.0) was
> ignored. I fixed this locally ([0-9a-f]...) so now both NICs are
> grabbed
Cool. Can you send a patch? :) I could fix it manually, of course, and
it would take a a few secs, but hey, if you send a patch, this will
serve as a good example for other hopefully... (plus you will become the
first Qubes contributor!)
> (this was essential for me as there is no compatible wireless
> driver in the netvm - the b43/ssb drivers don't work for the Broadcom
> BCM4322 in a MacBook Pro 5.1).
>
Oh, that sucks. Did you try to install drivers/firmware via yum in the
netvm?
> - I need to compile the Broadcom Linux STA driver for use within the
> NetVM. I'm unable to find a kernel-devel for the netvm in the qubes
> repo (not surprised by this given its really just an example netvm). Do
> I just grab the respective linux kernel and xen sources or is there any
> special magic involved?
>
I'm uploading the kernel-devel for 2.6.31.9-1 (used in netvm) and
2.6.32.9-1 (used in appvms) just now. Try in a few hours via yum install.
BTW, I assume your MacBook doesn't have VT-d. You should be aware that
without VT-d, BetVM is nothing more than a toy -- it offers no
additional protection as it is *always* possible to escape from such
VTd-unprotected NetVM to Dom0.
> - to reduce the friction of copy/pasting URLs from email and social VMs
> (think numerous tinyurls) to the random VM (assume I want separation),
> it would be desirable to set-up configurable handlers to send URIs
> between VMs (without requiring TCP/IP connectivity between the two).
> This would provide a friendly way to enforce a users chosen policy of
> where they surf (right now, I have a very simple kludge set-up that
> prompts me when I click a link in my email client with the message "Are
> you sure you want to surf from this VM?"). I realise shooting URLs
> between VMs automagically increases the attack surface, but perhaps the
> usability win makes this worth considering.
>
Currently this is not a priority for us. You might write some code that
implements it and submit it to us (in a form of a patch) and then we can
look at it and decide if we want to include it in the mainstream (based
on how secure/insecure it would be).
> - I'm looking forward to the upcoming audio changes so I can isolate
> Skype (well, its isolated on a dedicated machine for now...).
>
Sound virtualization should be avilable in the coming weeks.
> P.S This email sent from Qubes...yup, I fit in the "determined user"
> category ;-)
> --
> http://cloudsecurity.org
>
:)
joanna.