Is a StandaloneVM equally secure as an AppVM that is created on its own TemplateVM, and what is the difference between a StandaloneVM and an AppVM?


M

Apr 5, 2020, 3:03:27 PM
to qubes-users
Is a StandaloneVM equally secure as an AppVM that is created on its own TemplateVM?

What is the "practical" difference between a StandaloneVM and an AppVM, and when is it recommended to use a StandaloneVM instead of an AppVM?


Chris Laprise

Apr 8, 2020, 9:51:07 PM
to M, qubes-users
Standalone VMs are good in rare cases when you need to experiment with
an app or configuration that might conflict with a template.

Overall, they are less secure than a regular (template-based) appVM
because if an attack succeeds with a privilege escalation, then the
whole OS in the standalone may be compromised permanently. OTOH, an
appVM's OS would bounce back to a good state when restarting it.

Also, after some time standalone VMs will use more disk space when you
have multiple instances.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Dan Krol

Apr 12, 2020, 5:23:16 PM
to Chris Laprise, M, qubes-users
> Standalone VMs are good in rare cases when you need to experiment with
> an app or configuration that might conflict with a template.

Personally, so far I've used it when I want to install something that's not in the Debian/Fedora repository (which half the time just means dev tools and dependencies). I recently reduced my need there considerably with Flatpak user-level installation, but not entirely.

Is there a better way to achieve the same? bind-dirs for normal OS packages seems complicated and sort of defeats the purpose of the security benefit you just described. Perhaps I ought to clone Debian 10 Template, install what I want, and then make an AppVM based on that?

Thanks,

Dan

Sven Semmler

Apr 12, 2020, 5:52:16 PM
to Dan Krol, Chris Laprise, M, qubes-users
On Sun, Apr 12, 2020 at 05:22:59PM -0400, Dan Krol wrote:
> > Standalone VMs are good in rare cases when you need to experiment with
> > an app or configuration that might conflict with a template.
>
> Personally, so far I've used it when I want to install something that's not
> in the Debian/Fedora repository (which half the time just means dev tools
> and dependencies). I recently reduced my need there considerably with
> Flatpak user-level installation, but not entirely.

I use Standalones in cases where the qube is either based on an OS
that I normally don't use...

-> Windows 7 (win-only tools for work)
-> Fedora (Qubes builder only)

... or when it needs a lot of packages and tools that none of the other
qubes needs:

-> dev qube (IDEs, dev tools, hex editor, logic analyzer, traffic
analyzer etc.)
-> also some USB drivers for debug tools I could only make work
in Standalone HVM but that's likely a limitation of my knowledge

/Sven

--
public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6


Chris Laprise

Apr 13, 2020, 5:42:31 PM
to Dan Krol, qubes-users
That's reasonable and I think it's what Qubes users do in most situations.

Vít Šesták

Apr 14, 2020, 6:49:33 PM
to qubes-users
In my opinion, the main reason for deciding between StandaloneVM and Template-based-VM is not security, it is management. With a Template-based-VM, you manage all or most of the apps in the template. If you have a single VM template for many Template-based-VMs, you just update the template and reboot the related VMs that are running. With standalone VMs, you need to update all of them separately.

Security concerns:

a. Malware might not survive reboot of Template-based-VM. This is however true just for some malware that is not adapted to Qubes OS, but even this malware might survive VM reboot. AFAIR, this is explicitly a non-goal. There are many places to hook the malware after reboot – .bashrc, /usr/local/bin, browser extensions, …
b. When you have a StandaloneVM you don't run often, it might miss some updates, so you are more likely to run some software with known vulnerabilities after boot. This does not happen for Template-based-VM provided that you use some other VMs from the same template.
c. On the other hand, Template-based-VMs always require a reboot after updating. Without that, you can still run outdated software with some known vulnerabilities.

So, it depends on how you use it.

Regards,
Vít Šesták 'v6ak'

Sven Semmler

Apr 14, 2020, 7:24:22 PM
to Vít Šesták, qubes-users
On Tue, Apr 14, 2020 at 03:49:33PM -0700, Vít Šesták wrote:
> b. When you have a StandaloneVM you don't run often, it might miss some updates, so you are more likely to run some software with known vulnerabilities after boot. This does not happen for Template-based-VM provided that you use some other VMs from the same template.

That is true if you depend on the built-in mechanism to update your
qubes. It's however very easy to write a simple shell script in dom0
that calls something like ...

qvm-run -a qube "sudo apt update && sudo apt upgrade -y"

... for every template and standalone qube. You can even go a step
further and have cron run it once a day.
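
The dom0 script suggested in the last message, combined with points (b) and (c) above, as an added example that is not part of any post in the thread: it updates every template and standalone qube, then lists running template-based qubes that still need a restart. The `SKIP` variable, the sample inventory and the `name|class|state|template` layout of `qvm-ls --raw-data` output are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout of
# `qvm-ls --raw-data --fields NAME,CLASS,STATE,TEMPLATE`: name|class|state|template
SAMPLE='debian-10|TemplateVM|Halted|-
work|AppVM|Running|debian-10
vault|AppVM|Halted|debian-10
dev|StandaloneVM|Halted|-
win7|StandaloneVM|Halted|-'   # constructed inventory, used outside dom0

# Qubes with their own root filesystem: these must be updated themselves.
# SKIP (hypothetical variable) names qubes without apt/dnf, e.g. Windows.
update_targets() {
    awk -F'|' -v skip=" ${SKIP:-} " '
        ($2 == "TemplateVM" || $2 == "StandaloneVM") &&
        index(skip, " " $1 " ") == 0 { print $1 }'
}

# Running template-based qubes whose template is named in "$1": they keep
# using the old root image until they are restarted.
needs_restart() {
    awk -F'|' -v tpls=" $1 " '
        $2 == "AppVM" && $3 == "Running" &&
        index(tpls, " " $4 " ") > 0 { print $1 }'
}

# Chooses the package manager inside the qube (Debian or Fedora).
IN_QUBE_CMD='if command -v apt-get >/dev/null; then sudo apt-get update && sudo apt-get -y upgrade; elif command -v dnf >/dev/null; then sudo dnf -y upgrade; fi'

main() {
    if command -v qvm-ls >/dev/null 2>&1; then
        inventory=$(qvm-ls --raw-data --fields NAME,CLASS,STATE,TEMPLATE)
        run=qvm-run
    else
        inventory=$SAMPLE
        run='echo would run: qvm-run'      # dry run outside dom0
    fi
    targets=$(printf '%s\n' "$inventory" | update_targets)
    for qube in $targets; do
        $run -a "$qube" "$IN_QUBE_CMD" || echo "FAILED: $qube" >&2
    done
    echo "restart to pick up template updates:"
    printf '%s\n' "$inventory" | needs_restart "$(echo $targets)"
}

main
```

Outside dom0 the script only prints the commands it would run against the constructed inventory; setting `SKIP="win7"` keeps the Windows standalone out of the apt/dnf loop.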