On 04.08.2014 23:58, Mihail Ivanov wrote:
> Hello,
> so I take it - passing a physical partition to a DomU isn't insecure?
In both cases we trust xen-blkback driver, no difference here.
You need to ensure that those partitions will never get parsed in dom0. For
file-baked disk we have custom udev rules for that.
> Also - shouldn't the decryption take place in Dom0 and then pass the
> unlocked partition to Xen?
> (that is when starting the VM from Dom0, the GUI asks for the passwords,
> unlocks the partition - it has a constant label, when unlocked,
> and starts it, therefore Xen will use the unlocked partition).
Actually Xen (as a hypervisor) do not handle disks in any special way. It only
provides communication interface (shared memory), so backend domain (dom0
currently) can provide disk access for frontend domain (the VM).
Regarding place of decryption - it makes no big difference. In both cases VM
have access to the data (own private.img). If encryption takes place in VM,
the VM have access to the encryption password/key. But this key gives access
to... this VM private.img, nothing more. Unless you use the same/similar
password for other things...
To minimize amount of passwords to remember, you can use some password manager
- decrypt password vault only for a short time to start the VM, and then wipe
its memory. It even can be automated somehow ("enter master password to start
the VM").
> Afterwards - when the user wants,
> he can delete the key from memory and kill the VM,
> therefore negating cold boot attacks.
>
> I will look into /usr/lib/qubes/init/misc-post.sh later.
>
> As for the Sound.
> I perfectly well understand how the Sound works, yet it seems to me you're
> ignoring the chance that there are exploits for the DSP.
> Basically I've read that you say the sound frames are sent to the sound
> card and nowhere executed as code. Yet, isn't there a chance
> that the sound card could be exploited by those frames(recent sound card
> get more complex, have dedicated CPU's,etc).
I would classify this type of attack as "Very Unlikely(TM)". Somewhere near
"sound card exploited by playing specially crafted sound to the mic".
> Now about the GPU:
> I am thinking the VM which owns the GPU can flash it with whatever it wants.
> Or that is probably the case for most GPU's anyway.
Yes, except that in Qubes (at least for now), no VM have direct access to the GPU.
> So a friend of mine was wondering if we can do the following:
>
> Use a GPU switch VM, basically it should do this->
> PC has two gpus - g1,g2. g1 always stays in Dom0
> g2 can move around and on boot is not in Dom0
>
> So we decide we want g2 in DomU1 =>
> g2 is passwed to GPU Switch VM,
> We deny the GPU access to our memory
> and check it's bios.
> After that - if it has changed, we flash it anew.
> Afterwords we clean-up it's memory.
> The GPU Switch VM can be read only,
> so it will be restored to the same state each time the GPU must be checked.
> When we are done - the GPU is clean and ready to be passed to DomU1.
>
> Can you comment on this solution?
I don't know if this is technically possible (especially checking if GPU
firmware hasn't changed). Perhaps we can simply flash the GPU every time? I
wonder how many firmware flash GPU can sustain...
But the idea sounds right.
>
> Now there's another one which I propose:
> To avoid the chance of GPU memory corruption and GPU Bios corruption,
> why not pass the IGP around? Most desktops and laptops have
> IGP's which use the system memory and have no bios.
> I've read in Xen's ml it's possible to pass the IGP around.
I'm not sure if the fact that IGP is simpler is enough. But surely reduce
attack surface.
> And about the USB:
>
> Basically I think we need USB PV as well, I know there's some beta stuff,
> and maybe if I get some free time
> I will look into it, as it's a crucial part as well.
Yes, we need USB PV. This is a long story, but in short: there are a few
implementations, every have some pros and cons, including stability ("not
working at all, panic every 5 min ;)"), OS support ("frontend driver only for
windows") etc.
I plan to write some separate mail/wiki page about it (current state and
possibilities). But probably will have time for this only after final R2 release.
> I think it's a necessity to boot from USB, otherwise one needs TPM and vPro
> if possible(although I've read the articles on qubes's site and don't
> really trust TXT).
USB boot doesn't make TPM / TXT unnecessary. You still want some way to verify
(or exclude from TCB) BIOS for example.
> Hence getting a storage VM should be easier.
Please, don't top-post.