Mirage-Firewall - Trusted in Dom0?

Goldi

Jan 15, 2019, 10:19:35 AM
to qubes...@googlegroups.com
I've been happily using Qubes for several years and noticed that several prominent members of the Qubes Team have in the past suggested installing Mirage-Firewall as an alternative to Sys-Firewall. However, I cannot find any reference to MF in the Qubes Docs.
I'd like to install Mirage-Firewall, but I have a nagging doubt about whether the code can be trusted. Particularly as it has to be installed in Dom0.
What do you guys recommend? Can the MF developer be trusted?

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

gold...@riseup.net

Jan 18, 2019, 7:38:59 AM
to qubes...@googlegroups.com
In Nov 2018 a prominent member of the Qubes team, Unman, suggested using
Mirage-Firewall.
I'd appreciate very much a reply to my earlier query about the integrity
and reliability of the code/developer of Mirage Firewall.

unman

Jan 18, 2019, 8:52:39 AM
to qubes...@googlegroups.com
On Fri, Jan 18, 2019 at 04:38:56AM -0800, gold...@riseup.net wrote:
> On 2019-01-15 15:19, Goldi wrote:
> > I've been happily using Qubes for several years and noticed that
> > several prominent members of the Qubes Team have in the past suggested
> > installing Mirage-Firewall as an alternative to Sys-Firewall. However,
> > I cannot find any reference to MF in the Qubes Docs.
> > I'd like to install Mirage-Firewall, but I have a nagging doubt about
> > whether the code can be trusted. Particularly as it has to be
> > installed in Dom0.
> > What do you guys recommend? Can the MF developer be trusted?
> In Nov 2018 a prominent member of the Qubes team, Unman, suggested using
> Mirage-Firewall.
> I'd appreciate very much a reply to my earlier query about the integrity
> and reliability of the code/developer of Mirage Firewall.
>

There is a reference in the docs to GSOC potential work: otherwise
you'll find discussions here and in qubes-devel, and there's an open
issue in qubes-issues.
I have no view on the integrity of Thomas - don't know him. His
contributions have been good and he's always seemed helpful and to know
what he's talking about.
You can look at the code yourself and come to a view on that: it's pretty straightforward.
https://github.com/talex5/qubes-mirage-firewall

I've done some testing, and the firewall works as expected, with no
strange effects I could see.

Goldi

Jan 18, 2019, 11:02:46 AM
to qubes...@googlegroups.com



From: gold...@riseup.net
Sent: January 18, 2019 3:45:06 PM UTC
To: unman <un...@thirdeyesecurity.org>
Subject: Re: [qubes-users] Mirage-Firewall - Trusted in Dom0?

Thank you for responding.
I think I'll pass on installing Mirage-Firewall. I'm a user and
regretfully not competent to review MF code. I had hoped that any
recommendation to install anything in Dom0 would have been first
thoroughly assessed by the qubes team. After all, if Dom0 is compromised
it's, as Joanna used to say, "game over".

Illidan Pornrage

Jan 19, 2019, 8:46:09 AM
to qubes...@googlegroups.com
On 1/18/19 5:02 PM, Goldi wrote:
Ok, a short update for you. I am interested in it too and currently
reviewing it.

The qubes mirage firewall is a kernel binary that is just stored in dom0
(+ initramfs and modules storage image), not executed in dom0. (The
initramfs is usually the first program started by a Linux kernel. The
modules.img is an image that is available as volume in the qube to pull
extra modules for a Linux kernel from. As this is a mirage unikernel and
not a Linux kernel the modules.img is empty. The initramfs contains a
part of the firewall.)
It can then be chosen in qubes settings > advanced > kernel, per qube.
This is just a kernel only without extra OS that is run in the firewall
qube.

Risks:
- If whatever puts the kernel into a qube to boot from it can be
exploited using a malformed kernel file <-- imo low risk but no
guarantee as I haven't reviewed that part of the hypervisor code.
- The installer is corrupted and puts evil things in the rpm for dom0
<-- from the GitHub it isn't even an rpm, just a tarball that gets spit
out by the builder or downloaded as release from GitHub. So great
transparency.
- The firewall being leaky because of bugs or maliciously or the build
script being manipulated maliciously. <-- It is built in a Docker
container. The GitHub repo contains the Dockerfile which actually
verifies its base image using sha256, the maintainer seems to care about
reproducibility. Mirage libraries get fetched via the opam OCaml file
manager. Which might check signatures on those. Up to verification.

All in all pretty safe to use.
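
The post above counts a Dockerfile that pins its base image by sha256 as a point in the build's favour. As an added example (not part of the thread and not the project's own code), this Python check lists `FROM` lines that are not pinned by digest; the sample Dockerfile, image names and digest are constructed.

```python
import re

# Constructed sample Dockerfile (NOT the project's real file); the digest is a placeholder.
SAMPLE = """\
# build stage pinned by digest
FROM --platform=linux/amd64 example/opam@sha256:%s AS build
RUN opam install -y mirage
FROM example/runtime:latest AS tools
FROM build AS final
FROM scratch
""" % ("ab" * 32)

# An image reference is pinned when it ends in a full sha256 digest.
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_base_images(dockerfile_text):
    """Return [(line_no, image)] for every FROM that pulls an image without a digest."""
    stages = set()   # names introduced by earlier "FROM ... AS <name>"
    findings = []
    for line_no, raw in enumerate(dockerfile_text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].upper() != "FROM":
            continue
        # Drop flags such as --platform=..., leaving: image [AS name]
        args = [p for p in parts[1:] if not p.startswith("--")]
        if not args:
            continue
        image = args[0]
        # "scratch" and earlier build stages are not pulled from a registry.
        local = image == "scratch" or image.lower() in stages
        # A reference built from a variable ($BASE) cannot be checked statically,
        # so it is reported as unpinned rather than silently trusted.
        if not local and not DIGEST.search(image):
            findings.append((line_no, image))
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2].lower())
    return findings


if __name__ == "__main__":
    for line_no, image in unpinned_base_images(SAMPLE):
        print("line %d: base image not pinned by digest: %s" % (line_no, image))
```

A tag alone (`:latest`, `:1.0`) can be re-pointed by whoever controls the registry, which is why only a digest suffix counts as pinned here.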

92384235-illid...@gheddo.biz

Jan 19, 2019, 10:21:15 AM
to qubes...@googlegroups.com
The repo of user talex5 is the newest right now. 20190119
Last commit ID: 4526375a1915e34d763da5306f0793bd021fb312
Neither tags nor commits are signed.
Commits are recent but low activity.
Code is small tho, so reading it is doable.
Actually understanding it is another thing because I don't know anything
about OCaml. That might change.
*Building and testing*

gold...@riseup.net

Jan 20, 2019, 3:28:38 AM
to Illidan Pornrage, qubes...@googlegroups.com
Wow. That's a good comprehensive reply. Thank you.

It goes a long way to convincing me that the code is safe to use.

Does anyone else have any feedback on this issue?