qubes-mirage-firewall template
54 views
Skip to first unread message
alain pierre
Aug 31, 2022, 6:20:01 AM8/31/22
to qubes...@googlegroups.com
Hi Qubes-devel,
Since 2016 [1], MirageOS [2] has a unikernel that is able to acts in place of the classic sys-firewall AppVM running Linux. Since 2020 it supports the Qubes 4 dynamic firewall ruleset and the just released 0.8.0 version runs as PVH on Qubes 4.1 [3]. The approach using a MirageOS unikernel has several advantages:
- the attack surface is totally different from a Linux kernel (more than 10x smaller) and remote exploits won't be, by design, the same (there's no shell, no process or user management),
- the memory needed to run the single kernel is very small (the default memsize is 64MB),
- the boot time is really fast, the order of magnitude is about 50ms.
So some disadvantages:
- the current installation procedure requires copying the unikernel from an AppVM to dom0,
- it has less performance (i.e. if you've a fast Internet connection, there's a drop in bandwidth) -- this is not an issue for usual DSL/ADSL lines.
Some qubes-mirage-firewall users ask the mirage team to be able to install it as a template with qubes-dom0-update. Do you think this could be something that would be valuable for Qubes users?
The Robur collective actually developed reproducible builds for MirageOS unikernels: https://builds.robur.coop/job/qubes-firewall
This conducts a build on a daily basis with the current HEAD of qubes-mirage-firewall and the latest (to opam, the OCaml package manager) released packages that it depends on. It would be great if we could push whenever the binary is updated a new release to all QubesOS users, thus:
- how should it be packaged (at the moment, it is the binary (virtual machine image))?
- could that be integrated into the QubesOS community repository?
Best,
Hannes & Pierre
1: https://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/
2: https://mirage.io
3: https://github.com/mirage/qubes-mirage-firewall/releases/tag/v0.8.0
Since 2016 [1], MirageOS [2] has a unikernel that is able to acts in place of the classic sys-firewall AppVM running Linux. Since 2020 it supports the Qubes 4 dynamic firewall ruleset and the just released 0.8.0 version runs as PVH on Qubes 4.1 [3]. The approach using a MirageOS unikernel has several advantages:
- the attack surface is totally different from a Linux kernel (more than 10x smaller) and remote exploits won't be, by design, the same (there's no shell, no process or user management),
- the memory needed to run the single kernel is very small (the default memsize is 64MB),
- the boot time is really fast, the order of magnitude is about 50ms.
So some disadvantages:
- the current installation procedure requires copying the unikernel from an AppVM to dom0,
- it has less performance (i.e. if you've a fast Internet connection, there's a drop in bandwidth) -- this is not an issue for usual DSL/ADSL lines.
Some qubes-mirage-firewall users ask the mirage team to be able to install it as a template with qubes-dom0-update. Do you think this could be something that would be valuable for Qubes users?
The Robur collective actually developed reproducible builds for MirageOS unikernels: https://builds.robur.coop/job/qubes-firewall
This conducts a build on a daily basis with the current HEAD of qubes-mirage-firewall and the latest (to opam, the OCaml package manager) released packages that it depends on. It would be great if we could push whenever the binary is updated a new release to all QubesOS users, thus:
- how should it be packaged (at the moment, it is the binary (virtual machine image))?
- could that be integrated into the QubesOS community repository?
Best,
Hannes & Pierre
1: https://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/
2: https://mirage.io
3: https://github.com/mirage/qubes-mirage-firewall/releases/tag/v0.8.0
Joe
Aug 31, 2022, 2:59:07 PM8/31/22
to qubes...@googlegroups.com
On 8/31/22 12:10, alain pierre wrote:
> Some qubes-mirage-firewall users ask the mirage team to be able to install
> it as a template with qubes-dom0-update. Do you think this could be
> something that would be valuable for Qubes users?
>
I'm obviously biased, but very much in favor of this being an
> Some qubes-mirage-firewall users ask the mirage team to be able to install
> it as a template with qubes-dom0-update. Do you think this could be
> something that would be valuable for Qubes users?
>
easily-installable component.
This firewall reduces the risk of routing-related problems (QSB-056
comes to mind), and crucially the reduced RAM usage is a real game changer.
I for one hope we can get this going :-)
Joe
Demi Marie Obenour
Aug 31, 2022, 6:02:32 PM8/31/22
to Joe, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
I hope so too, and I would like it to become fast enough to be the
default.
- --
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmMP2nAACgkQsoi1X/+c
IsEISxAAxkjNWXds2utvpXvbSC5A5dvqwR2yB5ETUyezuZbf78//8B+uqBJBWBet
VTNhgj26dfDKmbzOiCdCwQScMe/L8YHcpH3tG4aO0GuoFs/w2wgIGmV4lGqAq2L6
Q+FRkJGbqq0vLGF+qdk0AIHSh6jFy2zoY0qgmFhXlqDaznkfP0xyypbbwpXatkYU
HDeyK6kGdKi6z9P/Z15Qv6uSXImluespQxv2EW2yYfLeMzCM9LNSG1am+7Rl2z0e
8MqnSCNHs+wMdbVowjZ6+KavVmnpb6neHpAypc3yCfmcv84rRtsYnLzH/IF4e6E2
8oS8ImDXUQLNJLhdW4LXAsdmjHqyT++ioqhiVKWJJBUrKn/rgp7u+UXwSiyz9dQT
AXaQmkPlp5IPHEDlZbGmDUeTC3/ppFWII9wgA7jhPiEXXJZZMNgl4brewLylnk0r
1NdQJd7FJsOuE1PjSARCYy+8uzLbN+91CJ+8I+QS2ePFg11hb4T0fgA0AWg5r4hn
wLKlBXjioNx738TjkSoZY6kYIUYwV9sAa7HqPBioXmNFHMS9OQWleKsKePWZQ8PV
gBwMn4p2Ie3E8Oqw7GqtWbv833ul6WolOBsAP1R4MdFT4oTQpSJzj3XR910NssH/
D5AKO2+8SSQCw3C/4pM04Mur1ge+9XaYQo2GJYQOC8jsRbKL7Vk=
=y8WR
-----END PGP SIGNATURE-----
Hash: SHA512
default.
- --
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmMP2nAACgkQsoi1X/+c
IsEISxAAxkjNWXds2utvpXvbSC5A5dvqwR2yB5ETUyezuZbf78//8B+uqBJBWBet
VTNhgj26dfDKmbzOiCdCwQScMe/L8YHcpH3tG4aO0GuoFs/w2wgIGmV4lGqAq2L6
Q+FRkJGbqq0vLGF+qdk0AIHSh6jFy2zoY0qgmFhXlqDaznkfP0xyypbbwpXatkYU
HDeyK6kGdKi6z9P/Z15Qv6uSXImluespQxv2EW2yYfLeMzCM9LNSG1am+7Rl2z0e
8MqnSCNHs+wMdbVowjZ6+KavVmnpb6neHpAypc3yCfmcv84rRtsYnLzH/IF4e6E2
8oS8ImDXUQLNJLhdW4LXAsdmjHqyT++ioqhiVKWJJBUrKn/rgp7u+UXwSiyz9dQT
AXaQmkPlp5IPHEDlZbGmDUeTC3/ppFWII9wgA7jhPiEXXJZZMNgl4brewLylnk0r
1NdQJd7FJsOuE1PjSARCYy+8uzLbN+91CJ+8I+QS2ePFg11hb4T0fgA0AWg5r4hn
wLKlBXjioNx738TjkSoZY6kYIUYwV9sAa7HqPBioXmNFHMS9OQWleKsKePWZQ8PV
gBwMn4p2Ie3E8Oqw7GqtWbv833ul6WolOBsAP1R4MdFT4oTQpSJzj3XR910NssH/
D5AKO2+8SSQCw3C/4pM04Mur1ge+9XaYQo2GJYQOC8jsRbKL7Vk=
=y8WR
-----END PGP SIGNATURE-----
Holger Levsen
Sep 1, 2022, 7:04:59 AM9/1/22
to qubes...@googlegroups.com
On Wed, Aug 31, 2022 at 06:02:23PM -0400, Demi Marie Obenour wrote:
> I hope so too, and I would like it to become fast enough to be the
> default.
I have the same concern. On slow computers (eg x230) it's not only slow
> I hope so too, and I would like it to become fast enough to be the
> default.
but might also be using one cpu 100%
--
cheers,
Holger
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄
These heat waves aren’t tragedies, they’re crimes. The fossil fuel industry
knew decades ago that this is what their pollution was causing, so they
spent billions to lie to the public and block climate action.
Reply all
Reply to author
Forward
0 new messages