-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Wed, Sep 23, 2015 at 07:59:30PM +0000, Patrick Schleizer wrote:
> Awesome stuff!
>
> Marek Marczykowski-Górecki:
> > There are some QubesDB entries which could break (or at least lower) user
> > anonymity in AnonVM in case of VM compromise. I think you better know
> > which ones.
>
> Anyone please check those!
>
> run:
> qubesdb-list /
qubesdb-multiread /
:)
My output:
[user@testvm tmp]$ qubesdb-multiread /
name = testvm
qubes-base-template = fedora-21
qubes-block-devices =
qubes-debug-mode = 1
qubes-gateway = 10.137.1.1
qubes-ip = 10.137.1.45
qubes-keyboard = xkb_keymap {\x0a\x09xkb_keycodes { include
"evdev+aliases(qwerty)"\x09};\x0a\x09xkb_types { include
"complete"\x09};\x0a\x09xkb_compat { include
"complete"\x09};\x0a\x09xkb_symbols { include
"pc+pl+inet(evdev)"\x09};\x0a\x09xkb_geometry { include
"pc(pc104)"\x09};\x0a};
qubes-netmask = 255.255.255.0
qubes-secondary-dns = 10.137.1.254
qubes-service/meminfo-writer = 1
qubes-service/qubes-update-check = 0
qubes-timezone = Europe/Warsaw
qubes-usb-devices =
qubes-vm-persistence = rw-only
qubes-vm-type = AppVM
qubes-vm-updateable = False
>
> Problematic ones:
>
> - qubes-keyboard:
> Would be better to hide. Although I guess that would be difficult
> implementation wise? I don't know how Qubes keyboard implementation
> works. It would be desirable if it was possible to leave the VM thinking
> "standard US layout", while the user can use its native layout which is
> only known to dom0.
GUI protocol uses keycodes, so when user uses significantly different
layout, it wont work. More precisely - it will work as it would be US
layout. Maybe not a big problem? User is free to change keyboard layout
manually inside of VM (using setxkbmap or any GUI equivalent).
> - qubes-timezone:
> Definitively hide.
>
> - qubes-usb-devices:
> Potentially. Empty for me. What does it contain and when?
This is place where VM can expose what devices are connected to this VM
(mostly useful for USB VM). Dom0 doesn't set anything here. Similar for
qubes-block-devices.
> > There is an idea of introducing some setting in dom0, which
> > would prevent such setting from being exposed, but I'm thinking of some
> > other option: dom0 set those entries at VM startup and do not update
> > them later, VM is free to alter or even remove any QubesDB entry. So
> > VM can replace or even remove all such entries early in startup scripts,
> > even before /rw is mounted.
> >
> > This have huge advantage: simplicity of implementation.
>
> Yes, the latter implementation is to be preferred.
>
> > The only
> > downside I see here it will only work assuming Whonix-workstation
> > template isn't compromised.
>
> Yes.
>
> > What threat model are we aiming for here?
>
> In a compromised Whonix-Workstation it would be useful to hide timezone
> information as this allows anonymity set reduction.
>
> Therefore, do you think it would be possible for an AppVM to remove any
> QubesDB entry permanently?
>
> qubesdb-rm --permanent qubes-timezone
>
> This could be done at first boot of the AppVM (while its still
> considered clean). If it could not be recovered at any subsequent boots,
> that implementation would be perfect from Whonix-inside-VM perspective.
QubesDB content is recreated on each VM startup, and the state is
destroyed at VM shutdown, so not easily possible. If we want dom0 to not
provide those settings at all, it needs to be done as some VM property.
Then to ease configuration we may introduce some simple qrexec service
which will allow a VM to one way switch such property.
Similar approach is used currently for Windows VMs -
Qubes Windows Tools calls qubes.NotifyTools service in dom0, which
update qrexec_installed and guiagent_installed properties on that VM -
so on the next startup it can use integration tools like secure
clipboard, file copy etc.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCAAGBQJWAwnrAAoJENuP0xzK19csI9wH/jIuf5G/ZhIU5/KYgx1ofiLL
HSHH0e0aVSb1C7t1GhexZNyO3lTt6s1cXwNf0jaT9O557vrkkbI/KzyDDkkLUQjz
AUOpxHAY26/4rSG/dkfEgsQ6w2uH5anEyI80dDUYN1yYk0wLGWdU314ZTvNLAlQy
3nuWsVyt7ja3ujWtl87dL5CAUylfECfJtv6Qdgks32F9AOD945znvA4UDx6rsSsL
U9HboNLEwvtYj6d1oSwVilrz91IVb24wa5JTOSjs+zxIFpRNvjjS/vakGf7uFLii
JUN4wjucPI4or2r5nh9hM0aVVMS0LTZkRRtzXxV67YiZ5h5u46ddlSYiGaX22Bo=
=Zcjr
-----END PGP SIGNATURE-----