TemplateVMs and secrets on private volumes


Demi Marie Obenour

May 18, 2022, 7:19:05 PM
to Qubes OS Development Mailing List
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

*nix TemplateVMs and TemplateBasedVMs are in the rather unusual position
of having a /etc that is effectively public, in that it is shared with
untrusted code. Similarly, Windows TemplateVMs and TemplateBasedVMs
have an effectively publicly readable C: drive.

This turns out to have some rather awkward consequences. For instance,
by default, a TemplateVM and all VMs based on it will share the same SSH
host keys, even though the private parts of them are obviously supposed
to be kept secret. Similarly, VMs based on a Windows template will have
the same password hashes as the Windows template.

What is the recommended solution to this? Should /etc/ssh and
/etc/pki/tls/private be part of the private volume by default, just like
/home and /usr/local are? Should the documentation for Windows qubes
note that joining a Windows qube other than a StandaloneVM to an Active
Directory domain is a bad idea?
- --
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Demi Marie Obenour

May 19, 2022, 10:09:49 AM
to Robert, Qubes OS Development Mailing List
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, May 19, 2022 at 07:25:43AM +0000, Robert wrote:
> On 5/19/22 01:18, Demi Marie Obenour wrote:
> > *nix TemplateVMs and TemplateBasedVMs are in the rather unusual position
> > of having a /etc that is effectively public, in that it is shared with
> > untrusted code.
>
> > What is the recommended solution to this? Should /etc/ssh and
> > /etc/pki/tls/private be part of the private volume by default
> Why not have the user deploy security-sensitive data into the VMs using
> bind-dirs?

That is exactly what I was intending, but given that some directories in
/etc should almost never be shared, I figured that they might belong in
the default bind-dirs. The whole purpose of this is to reduce the
likelihood of user error.

Another option would be to use an overlayfs, as is done for the kernel
module directory. This might be a better choice for /etc/ssh.

- --
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmKGT6UACgkQsoi1X/+c
IsF98g/+JwZ+IsIGQYiFY80jz3Tr//yuNEK4fRb26wl2vUFO1G1iYe7ShSZcxCsx
9ijoyqecJTQBL0Edrbs9I8s5VLiZrwF6Jk5IGh8SUD9+XJGCL8pPpN6DE/dYLaL4
f+nhEXxqQ8AttgVfX4WZv9g2sr8vPvUwNMBqQ3AOGwtYQ1SFX6jW8gjcIImxm//i
/msknNjKQvHEvTIsSsjttiQzToc9Evhw/7KrHWYqbpyQ0mMapeqoEzGW5Ly8cWgI
2ZwadXqxs7INMxQgO9fmWnJRIkgPVRLL21XCNT51zTIegkfzPhL95TOjyh/fwTGj
x+7lI9CXU6NyAMtVih3okOdhWWfVPyTA6NFY2gINeTzYW1jZVlfQCjoCq4S8zKKr
hNhFVxbj9H1DATyCR7kh+emVM4QihCklTJojvCFmmziBXBXaBJpQpOe/aG3nGxKD
sC1sYNwai7ieJV/EGTSpGiAmIDclyz/h4S0gh+BfQYtBLb3RBg8EnP6z/RLSH6oz
uROKAKalLE4vXjvOvJl53B44RSLbp61CflNuqS4ikne9aoZtKRGqlX/dRKo6G5p1
QlfIP1+ohWb62NNkjDwnNDFyjgCT81ci6xXco9wHXD/op1govz3y0c12fO0YJo7G
bSUA6sIzUs0sNPs4zhT19Jd19Qa/KAVlmIyUh/xyEqNhhnWdxfs=
=2UIK
-----END PGP SIGNATURE-----
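The bind-dirs approach Robert suggests and Demi agrees with, as an added example that is not code from this thread or from the Qubes project. It assumes the Qubes bind-dirs conventions (fragments in /rw/config/qubes-bind-dirs.d/ in bash syntax, `binds+=( '/path' )`, with the per-VM copy kept under /rw/bind-dirs and seeded from the template's directory on first use) and that /rw/config/rc.local runs at every boot; the function names, the marker file and the environment overrides are this example's own. The point it adds to the discussion is the caveat a practitioner runs into: moving /etc/ssh to the private volume only stops future sharing, because the per-VM copy starts out as a copy of the template's keys, so the host keys still have to be regenerated once per VM.

```shell
#!/bin/bash
# Added example, not code from the thread or from the Qubes project.
# Keeps /etc/ssh and /etc/pki/tls/private per-VM in a TemplateBasedVM via
# bind-dirs, then regenerates the SSH host keys the VM inherited from the
# template so no two VMs (nor the template) share a host key pair.
#
# Assumed Qubes conventions: bind-dirs reads /rw/config/qubes-bind-dirs.d/*.conf
# (bash syntax, binds+=( '/path' )), keeps the per-VM copy under /rw/bind-dirs
# and seeds it from the template's directory on first use; /rw/config/rc.local
# runs at every boot. The function names, marker file and overrides below are
# this example's own.
set -eu

BIND_CONF="${BIND_CONF:-/rw/config/qubes-bind-dirs.d/50_user.conf}"
ETC_SSH="${ETC_SSH:-/etc/ssh}"
MARKER="${MARKER:-/rw/bind-dirs/etc/ssh/.host-keys-regenerated}"

# Write a bind-dirs fragment naming every directory passed as an argument.
write_bind_dirs_conf() {
    conf="$1"; shift
    mkdir -p "$(dirname "$conf")"
    {
        echo "# Directories that must not be shared with the template (per-VM copies)."
        for d in "$@"; do
            printf "binds+=( '%s' )\n" "$d"
        done
    } > "$conf"
}

# Return 0 if any public host key in directory $1 is byte-identical to the
# same-named file in directory $2 (the VM still carries the template's key
# pair); return 1 if every key differs or there are none to compare.
host_keys_shared() {
    vm_dir="$1"; tmpl_dir="$2"
    for pub in "$vm_dir"/ssh_host_*_key.pub; do
        [ -e "$pub" ] || continue
        tpub="$tmpl_dir/$(basename "$pub")"
        if [ -e "$tpub" ] && cmp -s "$pub" "$tpub"; then
            return 0
        fi
    done
    return 1
}

# Delete every host key pair in $1 and generate fresh ed25519 and RSA ones.
regenerate_host_keys() {
    dir="$1"
    rm -f "$dir"/ssh_host_*_key "$dir"/ssh_host_*_key.pub
    ssh-keygen -q -N '' -t ed25519 -f "$dir/ssh_host_ed25519_key"
    ssh-keygen -q -N '' -t rsa -b 4096 -f "$dir/ssh_host_rsa_key"
    systemctl try-restart sshd.service 2>/dev/null || true
}

# Boot-time flow for a TemplateBasedVM (call from /rw/config/rc.local).
# The conf takes effect on the next boot, so keys are only regenerated once
# /etc/ssh is actually the bind mount; otherwise regeneration would land in
# the volatile root overlay and be lost. An optional directory holding the
# template's public keys (e.g. copied over with qvm-copy) lets the check also
# catch a per-VM copy that was re-seeded from the template later on.
apply() {
    tmpl_pub_dir="${1:-}"
    write_bind_dirs_conf "$BIND_CONF" /etc/ssh /etc/pki/tls/private
    if ! mountpoint -q "$ETC_SSH"; then
        echo "bind-dirs config written; reboot the qube, then run again" >&2
        return 0
    fi
    if [ ! -e "$MARKER" ] || { [ -n "$tmpl_pub_dir" ] && host_keys_shared "$ETC_SSH" "$tmpl_pub_dir"; }; then
        regenerate_host_keys "$ETC_SSH"
        touch "$MARKER"
    fi
}

if [ "${1:-}" = "apply" ]; then
    apply "${2:-}"
fi
```

Run as `./per-vm-ssh-keys.sh apply` from rc.local; the first run only writes the bind-dirs fragment, the first run after the next reboot regenerates the keys and drops the marker so later boots leave them alone. The same pattern (bind the directory, then replace the seeded secret) applies to the TLS private-key directory the thread mentions, except that certificates generally have to be reissued rather than regenerated locally.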