On 05/10/14 14:51, Joanna Rutkowska wrote:
> On 05/10/14 12:03, Hakisho Nukama wrote:
>> On Tue, Jan 7, 2014 at 6:19 PM, Joanna Rutkowska
>> <
joa...@invisiblethingslab.com> wrote:
>>> There is a very high probability we will introduce remote management
>>> support for Qubes OS sometime this year. This will be most likely
>>> implemented via a dedicated management VM(s) which will be
>>> "semi-trusted" and allowed to ask Dom0 for certain actions (e.g. create
>>> a new VM for me with this image, complete remote attestation, etc) via a
>>> specially designed protocol (qrexec-based, of course).
>>>
>>> This management infrastructure should not only be secure, meaning to
>>> prevent non-authorized admins to compromise somebody's Qubes OS, but
>>> also should allow for "Anti-Snowden Protection" (ASP?), meaning the
>>> authorized admins, who were explicitly allowed to manage somebody's
>>> Qubes OS laptop, should still not be able to steal the user data. Cool, huh?
>>>
>>> This will be a proprietary solution for our customers (in terms of
>>> supporting integration with XYZ management system), but the core
>>> infrastructure for this should be open-source, and should make it also
>>> possible for "enthusiasts" to also manage Qubes remotely and securely
>>> "by hand" (and write custom agents as well).
>>>
>>> There are lots of exciting things coming to Qubes R3...
>>>
>>> joanna.
>>>
>>
>> Are all provisioning tools for this (and other) tasks supported?
>> Like salt, ansible, chef, puppet and the others [1].
>> And how will the MgmtVMs be implemented?
>> As a pipe for these orchestration software with some auditing in between?
>>
>> 1. Inspect this {playbook, runmodule, script}
>> 2. Modify this {playbook, script, ...} (and send diff for approval to Mgmt)
>> 3. Run this {playbook, script, ...}
>>
>>
>
> We're rather thinking about something more generic. Some background
> first -- if we think about a Qubes OS system, there are 3 logically
> separate things to manage:
>
> 1) All the VMs (but excluding the Dom0/AdminVM)
>
> 2) The Qubes system configuration (essentially qubes.xml), including all
> the policies (qrexec, firewalling, and more in the future)
>
> 3) The Dom0 (aka AdminVM in Qubes Odyssey nomenclature), e.g. installing
> Dom0 software updates.
>
> Now, if you look at the current Qubes OS we do have two types of tools
> for managing Qubes configuration as well as all the VMs, these are:
> 1) Qubes command line tools in Dom0, the qvm-* and qubes-* tools,
> 2) The Qubes Manager GUI application.
>
> They represent two different frontends to the Qubes management stack.
> They work by assuming direct access to the /var/lib/qubes/qubes.xml
> file, which is a central database about the Qubes system configuration,
> and direct access to Xen management interfaces, which is the source for
> getting information about the system state (in Qubes R3 this replaced by
> libvirt of course).
>
> What we would like to do in Qubes R3 next is to create a service
> (daemon), lets call it qubesd (yeah, like xend), that would be exposing
> the above functionality over a well defined interface, and be the only
> one entity responsible for managing qubes.xml, talking to libvirt, etc.
> Let's call this interface Qubes Admin API.
>
> Now, why not expose (some subsets of) this Qubes Admin API to some
> (select) VMs, not just internally inside the AdminVM?
>
> The immediate use of this is to allow for a separate GuiVM, distinct
> from AdminVM. One benefit it brings that we can now use essentially any
> OS as the GUI domain. Want Ubunut HVM as your GuiVM? No problemo -- just
> need to build qvm-tools and Qubes Manager for Ubuntu. Want Windows as
> your GUI domain? Again, no problem, just make sure to install Xen PV
> drivers and build qvm-tools and Qubes Manager (both of the latter are
> written in python). Note that Qubes "Start Menu" is just a collection of
> shortcuts that use "qvm-run ..." commands, so no special code to support.
>
> We can easily go further than that! You don't want the GuiVM to be able
> to modify Qubes Policy, only to be able to start/stop VMs and interact
> with programs there (something the corporate customers would love)? We
> can do that too.
>
> Want to have two GuiVMs to support two different users (making Qubes a
> multi-user system)? Possible.
>
> We can easily see that a management VM, understood as a place where your
> remote management agent is running, can also be considered as another
> form of a GuiVM (e.g. it gets qvm-tools or it calls AdminAPI directly).
>
> The challenges to make this correctly are: 1) how to design this
> AdminAPI to be easily serialize'able over a socket-like channel such as
> qrexec? And 2) how to implement flexible policing for this?
>
> Example of policy rules I might want to use:
>
> * Give VM a right to create VM(s) and the right to manage _only_ those
> VMs it created, but excluding ability to change/set policy for those VMs
> (e.g. not able to allow qubes.VMShell for those VMs it created)
>
> * A read-only access to the system configuration and logs (e.g. auditing)
>
> * Full management rights but excluding the rights to change/remove logs
>
> One approach to implement the above policing is to manually divide
> AdminAPI into several sub-APIs and expose each as a different qrexec
> service (qubes.AdminAPI.ReadAccess, qubes.AdminAPI.OwnVMsOnly,
> qubes.AdminAPI.Full, etc). In that case we would be easily able to grant
> admin rights using the existing qrexec policy engine. Not sure if this
> is the best (most elegant and flexible) approach though.
>
> Also, one remaining thing regarding remote management is managing
> Dom0/AdminVM with regards to things that are beyond the scope of the
> Qubes management stack. An example here would be to install a new driver
> to support a SATA device. I almost wrote: "... to support a new graphics
> card", but that would not be needed, as in the model outlined above,
> with GUI domain living in another VM, this would not be necessary.
> Generally this model would mean that Admin VM is really slim and runs
> essentially no user-visible software, so there should be few reasons to
> tinker with it. And we could always expose a VM-triggable qrexec service
> to install updates (from trusted sources only) in the Admin VM without
> compromising security.
>
> joanna.
>
Forwarding to qubes-devel. Please respond there.
j.