DispVM Configuration


Sam Hentschel

Apr 5, 2017, 11:59:34 PM
to qubes...@googlegroups.com
Hey all!

So far so good with QubesOS on my end. Have almost everything up and
running to have this as my daily carry. It's amazing how little RAM all
these VMs actually require; and the CPU! None!

Anyways, I am having some trouble configuring my DispVMs to allow me to
use them for printing and scanning. The protocols and software for
printing and scanning are both, as I recall, highly insecure. In
addition, the devices that use them (i.e. printer, scanners) should be
considered to be backdoored or owned already.

I wanted to make it so that when I want to print something, I open up
the file in a DispVM and print it from there. I then thought that I
could approximately do the same thing with scanning. Open up a DispVM
that is running simple-scan, scan the file into the DispVM and then copy
it over to the VM that I want.

By doing it this way I should be able to move out all the vulnerable
printer and scanner code, and my AppVMs will never directly touch those
devices or protocols. Instead they will be hidden behind the relative
safety of the Qubes file copy mechanism.

I tried to follow the documentation page:
- show internal VMs
- run gnome-terminal in fedora-23-dvm
- install and configure the necessary applications and hardware devices
- touch the /home/user/.qubes-dispvm-customized
- shutdown the VM
- regenerate the DispVM template using: qvm-create-default-dvm
--default-template

When I opened up a DispVM the software was nowhere to be found (opened
up Firefox, right clicked on the DispVM in the VM Manager and ran
gnome-terminal). When I reopen fedora-23-dvm the software is nowhere to
be found. So I believe either I am doing something stupid, or the
documentation has it wrong. I did notice that the DispVMs start with a
template of fedora-23. So then do they not actually use the
fedora-23-dvm template like it says?

Thanks in advance for your help!

--
Respectfully,
Sam Hentschel

Jean-Philippe Ouellet

Apr 6, 2017, 2:18:22 AM
to Sam Hentschel, qubes-users
On Wed, Apr 5, 2017 at 11:59 PM, Sam Hentschel <hents...@gmail.com> wrote:
> Hey all!
>
> So far so good with QubesOS on my end. Have almost everything up and
> running to have this as my daily carry. It's amazing how little RAM all
> these VMs actually require; and the CPU! None!
>
> Anyways, I am having some trouble configuring my DispVMs to allow me to
> use them for printing and scanning. The protocols and software for
> printing and scanning are both, as I recall, highly insecure. In
> addition, the devices that use them (i.e. printer, scanners) should be
> considered to be backdoored or owned already.
>
> I wanted to make it so that when I want to print something, I open up
> the file in a DispVM and print it from there. I then thought that I
> could approximately do the same thing with scanning. Open up a DispVM
> that is running simple-scan, scan the file into the DispVM and then copy
> it over to the VM that I want.
>
> By doing it this way I should be able to move out all the vulnerable
> printer and scanner code, and my AppVMs will never directly touch those
> devices or protocols. Instead they will be hidden behind the relative
> safety of the Qubes file copy mechanism.

An interesting goal. In practice I'm not sure what real benefit you'd
get from using a DispVM vs. just a regular stateful AppVM (assuming
you just use one printer/scanner). Presumably what you care about in
this context is confidentiality of your documents. Your
printer/scanner is by its very nature in a perfect position to steal
your documents, and likely also has a means to store or transmit them.
This seems true regardless of whether or not your printer/scanner can
compromise or persistently compromise a VM (which only deals with
printer drivers and documents the printer will know anyway).

If you use multiple printers, then I can see an argument for wanting
separate AppVMs per printer, and if you constantly use different
printers then sure I guess DispVMs make sense. Is this the case?

In other words, I'm curious what threat you're actually trying to
mitigate by doing this.

> I tried to follow the documentation page:
> - show internal VMs
> - run gnome-terminal in fedora-23-dvm
> - install and configure the necessary applications and hardware devices
> - touch the /home/user/.qubes-dispvm-customized
> - shutdown the VM
> - regenerate the DispVM template using: qvm-create-default-dvm
> --default-template
>
> When I opened up a DispVM the software was nowhere to be found (opened
> up Firefox, right clicked on the DispVM in the VM Manager and ran
> gnome-terminal). When I reopen fedora-23-dvm the software is nowhere to
> be found. So I believe either I am doing something stupid, or the
> documentation has it wrong. I did notice that the DispVMs start with a
> template of fedora-23. So then do they not actually use the
> fedora-23-dvm template like it says?

If you want to make additional software available, then do so in the
template of the dispvm (in your case fedora-23 (but you should really
update to fedora-24!)).

You can think of the process of customizing a DispVM like creating a
new AppVM. Software that should be available on every run belongs in
its template. Local state (/home, etc.) happens in the AppVM.
Customizing the DispVM template is like customizing an AppVM that you
then take a snapshot of and duplicate each time you want a new DispVM.
In practice this is similar to how it's actually implemented.

Sam Hentschel

Apr 6, 2017, 8:52:06 AM
to Jean-Philippe Ouellet, qubes-users
On Thu, Apr 06, 2017 at 02:17:53AM -0400, Jean-Philippe Ouellet wrote:
> On Wed, Apr 5, 2017 at 11:59 PM, Sam Hentschel <hents...@gmail.com> wrote:
> An interesting goal. In practice I'm not sure what real benefit you'd
> get from using a DispVM vs. just a regular stateful AppVM (assuming
> you just use one printer/scanner). Presumably what you care about in
> this context is confidentiality of your documents. Your
> printer/scanner is by its very nature in a perfect position to steal
> your documents, and likely also has a means to store or transmit them.
> This seems true regardless of whether or not your printer/scanner can
> compromise or persistently compromise a VM (which only deals with
> printer drivers and documents the printer will know anyway).
>
> If you use multiple printers, then I can see an argument for wanting
> separate AppVMs per printer, and if you constantly use different
> printers then sure I guess DispVMs make sense. Is this the case?
>
> In other words, I'm curious what threat you're actually trying to
> mitigate by doing this.

On a daily basis I interact with about three printers: one at home, one
at work, and one at school. My goals were as follows:

- Keep one printer from getting what another printer has handled
- Stop the spread of printer malware from one printer to another (if
that makes sense?)
- Stop the printers (which may be and probably are compromised) from
compromising one of my security domains.
- Kind of the same reasons as moving out the networking software and
drivers to the NetVM and the USBs to a USBVM?

An example scenario: an employer or future employer requires me to print
out some forms from an email, fill them out, scan them, and email them
back. In this case, it would be nice to be able to print the forms via
a DispVM (which I open anyway when interacting with email attachments),
fill them out, scan them in the same or a different DispVM and send it
back. This way the PDF or word document is never opened in my Email
Qube. I can thus take out extra software in that VM, and minimize it to
just working with email.

> If you want to make additional software available, then do so in the
> template of the dispvm (in your case fedora-23 (but you should really
> update to fedora-24!)).

Ok, if that's the case I may clone the fedora template and make one
specifically for the DispVMs. Some of the software I want on DispVMs, I
don't want on my AppVMs and vice versa. Since it's the case that the
DispVM uses the fedora-23 template, shouldn't the document say to edit
that instead of the fedora-23-dvm AppVM? If you agree, maybe I'll go
pull down the documentation and rewrite some of it.

--
Respectfully,
Sam Hentschel

Unman

Apr 6, 2017, 9:03:18 AM
to Jean-Philippe Ouellet, Sam Hentschel, qubes-users
On Thu, Apr 06, 2017 at 02:17:53AM -0400, Jean-Philippe Ouellet wrote:
Hi Sam,

I understand your goal, because I use dispVMs for scanning myself,
rather than a stateful appVM. (I think Jean-Philippe missed your comment
about the protocols and software being highly insecure.)

I think your problem arises because of the way in which a disposableVM is
generated, which hasn't been made clear enough to you.
What you need to do is clone an existing template to (say) fed24-print.
Then install the software drivers and printing/scanning tools on THAT
template, and use it to generate a DVMTemplate. (This is the equivalent
of the fedora-23-dvm you have identified.)
You do this using 'qvm-create-default-dvm fed24-print'

When you create a dispVM it uses the DVMTemplate to spawn a new
instance.
Thus the disposableVM will have the printing and scanning software and
drivers in it.

The customisation you have read about only refers to changes made in
/home/user. This is why it uses examples of customising Firefox profiles, and
why it hasn't worked in your case. Without that, each dispVM will have a
home directory created from the default skel profile.

Of course, it's probably occurred to you that what this means is that
EVERY instance of a disposableVM will have the scan/print tools in it,
and this is probably not what you want.
I work around this using multiple disposableVM based off different
DVMTemplates. I have a simple script that switches between the different
DVMTemplates and starts a new disposableVM which effectively gives
multiple template disposableVM. (This is a feature coming with v4, and my
approach is at best a hack.)
I have a keyboard shortcut that switches DVMTemplate and starts a "print
/scan disposableVM", and another that reverts to the standard
DVMTemplate.
I've posted about this before, and you can see the script in this list
- the thread was, I think, "Disposable VMs" a few months back.

unman

Sam Hentschel

Apr 6, 2017, 9:46:33 AM
to Unman, qubes...@googlegroups.com
Unman,

I figured out that the qvm-create-default-dvm command creates the
fedora-23-dvm VM based off the template chosen. I made a clone of
fedora-23 and did everything I needed in that. After installing it, I
could get the DispVMs to work from emails to open up PDFs and print
them, but I can't get it to work from the menu in xfce on Dom0. Any
tips? Do I have to change the menu to point at this new dvm image?

--
Respectfully,
Sam Hentschel

Sam Hentschel

Apr 6, 2017, 2:41:30 PM
to qubes-users
Hey guys!

I got it all to work. From what I've learned, you need to edit the templateVM, in this case fedora-23 (or fedora-24 or whatever your template is). This is just like making an AppVM. After editing the templateVM, you go to the dom0 terminal and type in:

qvm-create-default-dvm <template-name>

and it will create a dvm template (e.g. fedora-23-dvm).

So to get printing and scanning working in DispVMs you go to the template, install system-config-printer and simple-scan, and configure your printer/scanner with system-config-printer. After powering the template off, your DispVMs should allow you to print and scan.

Thanks for all your help guys! I'm glad I could get this figured out!
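
The dom0 procedure this thread converges on (clone a template, install and configure the print/scan tools in the clone, regenerate the DVM template from it), as an added example that is not from any poster. The clone name `fed24-print` follows Unman's message; the `qvm-run` options, the `dnf` call and the dry-run wrapper are assumptions for a Qubes 3.2-era dom0.

```shell
#!/bin/sh
# Added example, not from the thread's authors. Run in dom0.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# build_print_dvm BASE CLONE PACKAGE...
build_print_dvm() {
    [ $# -ge 3 ] || { echo "usage: build_print_dvm BASE CLONE PKG..." >&2; return 1; }
    base=$1; clone=$2; shift 2

    # Never install into the base template itself: every AppVM built on it
    # would inherit the printer/scanner stack the DispVM is meant to isolate.
    [ "$base" != "$clone" ] || { echo "clone must differ from base" >&2; return 1; }

    # Restrict the new VM name to a conservative character set (assumption).
    case $clone in
        ''|*[!A-Za-z0-9_-]*) echo "invalid VM name: $clone" >&2; return 1 ;;
    esac

    # 1. Dedicated template for print/scan DispVMs.
    run qvm-clone "$base" "$clone" &&
    # 2. Packages go into the template, not into the *-dvm AppVM.
    run qvm-run -a -p -u root "$clone" "dnf install -y $*" &&
    # 3. Configure the printer in the clone; -p waits until the GUI exits.
    run qvm-run -a -p "$clone" system-config-printer &&
    # 4. The template must be powered off before regenerating.
    run qvm-shutdown --wait "$clone" &&
    # 5. Regenerate the DVM template from the clone (command from the thread).
    run qvm-create-default-dvm "$clone"
}

# Example call (prints five commands in dry-run mode):
#   build_print_dvm fedora-23 fed24-print system-config-printer simple-scan
```

As Unman notes above, on this Qubes version the regenerated DVM template becomes the one every new DispVM is spawned from, so all DispVMs will carry the print/scan tools until it is regenerated from another template.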

cooloutac

Apr 8, 2017, 1:21:42 PM
to qubes-users

I cloned a template for dispvm which I also install the printer software into. I do this cause it's easier to print something from random webpage, and cause I open files mostly in dispvm all the time anyways, easier to use across diff vms. I believe most users do this. I don't use a dispvm for the scanner, I just use a separate scanner appvm. I turned my usb printer into a network printer with a raspberry pi.

Yes the protocols are insecure, but I agree with Jean if you're worried about your printer I don't know how much more security benefit you get because of that fact. Your lan probably matters more or the printer hardware itself. Besides isolating the printer drivers, the act of scanning and printing is really a privacy risk. Doesn't matter where you are connecting from.
