On 1/18/19 5:02 PM, Goldi wrote:
Ok, a short update for you. I am interested in it too and currently
reviewing it.
The Qubes Mirage firewall is a kernel binary that is just stored in dom0
(+ initramfs and modules storage image), not executed in dom0. (The
initramfs is usually the first program started by a Linux kernel. The
modules.img is an image that is available as a volume in the qube to pull
extra modules for a Linux kernel from. As this is a Mirage unikernel and
not a Linux kernel, the modules.img is empty. The initramfs contains a
part of the firewall.)
It can then be chosen in qubes settings > advanced > kernel, per qube.
This is just a kernel only without extra os that is run in the firewall
qube.
Risks:
- If whatever puts the kernel into a qube to boot from it can be
exploited using a malformed kernel file <-- IMO low risk but no
guarantee, as I haven't reviewed that part of the hypervisor code.
- The installer is corrupted and puts evil things in the rpm for dom0
<-- from the GitHub it isn't even an rpm, just a tarball that gets spit
out by the builder or downloaded as a release from GitHub. So great
transparency.
- The firewall being leaky because of bugs or maliciously, or the build
script being manipulated maliciously. <-- It is built in a Docker
container. The GitHub repo contains the Dockerfile, which actually
verifies its base image using sha256; the maintainer seems to care about
reproducibility. Mirage libraries get fetched via the opam OCaml file
manager, which might check signatures on those. Up to verification.
All in all pretty safe to use.
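A check in the spirit of the Dockerfile point above, as an added example (not code from the qubes-mirage-firewall project or this thread): it scans a Dockerfile for FROM instructions and reports every base image that is not pinned to a sha256 digest, treating `scratch` and earlier build-stage aliases as exempt. The two sample Dockerfiles are constructed for illustration.

```python
import re

# Constructed sample Dockerfiles (not the project's own).
PINNED = """\
# base image pinned to a content digest, so a retagged image cannot slip in
FROM ocaml/opam:debian@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS build
RUN opam install mirage
FROM scratch
COPY --from=build /out/vmlinuz /vmlinuz
"""

FLOATING = """\
FROM ocaml/opam:latest
RUN opam install mirage
"""

# A reference is considered pinned only if it ends in a full sha256 digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_bases(dockerfile: str) -> list[str]:
    """Return the image references of FROM lines that are not digest-pinned."""
    stages = set()      # aliases introduced by 'FROM ... AS name'
    unpinned = []
    for raw in dockerfile.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.upper().startswith("FROM "):
            continue
        tokens = [t for t in line.split()[1:] if not t.startswith("--")]  # skip --platform=...
        if not tokens:
            continue
        image = tokens[0]
        # 'scratch' is the built-in empty image; a stage alias refers to an earlier FROM
        exempt = image == "scratch" or image in stages
        if len(tokens) >= 3 and tokens[1].upper() == "AS":
            stages.add(tokens[2])
        if not exempt and not DIGEST_RE.search(image):
            unpinned.append(image)
    return unpinned


if __name__ == "__main__":
    for name, content in (("PINNED", PINNED), ("FLOATING", FLOATING)):
        print(name, "unpinned:", unpinned_bases(content))
```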