to qubes...@googlegroups.com
The Arch package management system, Pacman, relies on a secret,
per-machine master key readable only by root. This is used to sign
the other Arch root signing keys. Anyone with access to the secret
part of the master key can present packages that Pacman will trust,
and thus execute arbitrary code as root.
In typical use, this is fine, since the master key is securely
generated and only readable by root. This is normally sufficient to
prevent the secret part of the key from being accessed by unauthorized
parties. However, in QubesOS, this is not sufficient. The master
key is stored on the root volume, so it is accessible to all AppVMs
based on the TemplateVM. Anyone who compromises one of these AppVMs
can dump the secret master key. If they can then perform an on-path
attack on the update process, this allows them to execute arbitrary
code on the TemplateVM.
To fix this vulnerability, it is necessary to ensure that the master
signing key is securely deleted after it has been generated. This can
be accomplished by placing /etc/pacman.d/gnupg/private-keys-v1.d on
a tmpfs, both while building and running the template. Pacman will
produce warnings about not being able to sign the master key, but
these are not fatal.
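The mitigation described in the message, written out as an added example (this is not code from the original post, nor from the Qubes or Arch projects): a POSIX shell script that emits the fstab entry for keeping /etc/pacman.d/gnupg/private-keys-v1.d on a tmpfs, checks whether that directory is actually tmpfs-backed, counts any GnuPG secret-key files still sitting on the root volume, and scrubs them. The function names, the tmpfs mount options and the `*.key` naming convention assumed for secret keys are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit and harden the Pacman
# master-key directory of an Arch-based Qubes TemplateVM.
set -eu

PACMAN_GNUPG="${PACMAN_GNUPG:-/etc/pacman.d/gnupg}"
PRIVKEY_DIR="$PACMAN_GNUPG/private-keys-v1.d"

# fstab line that keeps the secret-key directory RAM-backed, so the key that
# pacman-key generates never lands on the root volume shared with AppVMs.
# Mount options are an assumption of this example, not a project default.
fstab_line() {
  printf 'tmpfs %s tmpfs rw,nosuid,nodev,noexec,mode=0700,size=1M 0 0\n' "$1"
}

# Mount the directory as tmpfs right now (for use while building the template,
# before pacman-key --init runs). Requires root.
mount_tmpfs() {
  mkdir -p "$1"
  mount -t tmpfs -o rw,nosuid,nodev,noexec,mode=0700,size=1M tmpfs "$1"
}

# Succeeds only if the directory is on a tmpfs mount (stat -f %T prints the
# filesystem type name).
is_tmpfs() {
  [ -d "$1" ] || return 1
  [ "$(stat -f -c %T "$1" 2>/dev/null)" = "tmpfs" ]
}

# GnuPG 2.1+ stores each secret key as <keygrip>.key; count those files.
count_private_keys() {
  dir="$1"
  [ -d "$dir" ] || { echo 0; return 0; }
  find "$dir" -maxdepth 1 -type f -name '*.key' | wc -l | tr -d ' '
}

# Overwrite one file and unlink it. shred is preferred; the dd-free fallback
# does a single zero pass. Note that on journaling or copy-on-write
# filesystems an overwrite is not guaranteed to reach the old blocks, which
# is exactly why the post recommends tmpfs rather than deleting after the fact.
scrub_file() {
  f="$1"
  if command -v shred >/dev/null 2>&1; then
    shred -u -z "$f"
  else
    size=$(wc -c < "$f")
    head -c "$size" /dev/zero > "$f"
    rm -f "$f"
  fi
}

# Scrub every secret-key file left in the directory.
scrub_private_keys() {
  dir="$1"
  [ -d "$dir" ] || return 0
  for f in "$dir"/*.key; do
    [ -f "$f" ] || continue   # no match: glob stays literal
    scrub_file "$f"
  done
}

# Report the state of the live directory; exit status 0 means nothing to do.
audit() {
  dir="$1"
  n=$(count_private_keys "$dir")
  if is_tmpfs "$dir"; then
    echo "OK: $dir is on tmpfs ($n secret key file(s), RAM only)"
    return 0
  fi
  echo "WARNING: $dir is NOT on tmpfs; $n secret key file(s) on the root volume"
  echo "Suggested fstab entry:"
  fstab_line "$dir"
  return 1
}

if [ "${1:-}" = "--audit" ]; then
  audit "$PRIVKEY_DIR"
fi
```

Run `sh harden-pacman-key.sh --audit` (assumed file name) inside the TemplateVM to see whether the secret master key is currently exposed; as root, `mount_tmpfs "$PRIVKEY_DIR"` before `pacman-key --init` during template build, and add the `fstab_line` output to /etc/fstab so the mount is also present at every boot of the template.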