Axon:
> Are you suggesting (contrary to the outcome of the previous
> discussion on this topic) that there might be some benefit to
> having more than one TorVM?[1]
>
> [1] https://groups.google.com/d/topic/qubes-devel/le7-Rrq6yxY/discussion
>
> What is your threat model?

Two notions here:

1) Can you theoretically improve the stream isolation by running
multiple torvms?

Unlikely, and I agree with your statement from [1][2].

2) Can you reduce the impact of a torvm compromise by running per VM
torvms?

Yes, you might have a chance to limit the impact of a torvm compromise.
Simply compare the impact of a torvm compromise that is handling
traffic of all your VMs with a torvm compromise that is handling
traffic of a single VM.

Hypothetical scenario: Attacker got remote code execution in one of
your VMs running behind a torvm *and* compromised your torvm via a
TransPort/SOCKSPort 0day (but he has no linux kernel IP/TCP 0day to
compromise -> firewallvm).

I'm not saying that you should run per VM torvms. After all, how
likely is a transport/socksport 0day really? I hope it is rather unlikely.

I'm saying that depending on your threat model there might be benefits
of such a setup. The underlying assumption here is that an attacker is
able to compromise only some anonvms but not all of them (so he can
attack/compromise/deanonymize only some torvms with its
transport/socksport 0days).

And then there is the guard topic - where I largely agree with Patrick
(that persistent guards are a good thing), but that is not a topic for
qubes-users.

If RAM were not a limited resource we wouldn't have this discussion,
I guess ;)

[2]
>> I think the default stream isolation settings probably mean it
>> is useless to have multiple TorVMs