Question on qvm-get-image security
27 views
Skip to first unread message
prev...@dnmx.su
Mar 25, 2025, 12:47:10 PM3/25/25
to qubes...@googlegroups.com
The tool `qvm-get-image` in `dom0` is really poorly explained. No manual
and `--help` only says "Secure copy of images between virtual machines."
One must visit the
[code](https://github.com/QubesOS/qubes-app-linux-img-converter/blob/main/qvm-get-image)
to try to understand, but I see the developers have been doing (much
work)[https://github.com/QubesOS/qubes-issues/issues/6425] just for the
non-tech so I don't understand why such very simple thing (a good
explanation for `qvm-get-image`) isn't existent even though it can be
essential[^1] in many cases.
My question is on `qvm-get-image` security. How does it work? My guess is
`qvm-get-tinted-image` what's used in `dom0` to retrieve app icons from
VMs, including untrusted ones. Since `qvm-get-tinted-image` is the same as
`qvm-get-image` with extra tint, as can be seen in the
[code](https://github.com/QubesOS/qubes-app-linux-img-converter/blob/main/qvm-get-tinted-image),
my guess was `qvm-get-image` is completely secure to use.
I'm posting this because I won't take the risk of *compromising* `dom0`*
with a *guess*. Also because I saw:
[quote="unman, post:4, topic:5084"]
Well they are not widely advertised or promoted, and they do have some use.
They were introduced as tradeoff between security and usability.
I still prefer the “full screen and screenshot” route for backgrounds.
[/quote]
I'm also posting this as **a suggestion for adding more explanation to
`qvm-get-image` tool**, e.g.
> Secure copy of images between virtual machines. Use with confidence to
get any image you want from any VM into dom0.
especially since `dom0` *already did that countless times* for all the app
icons in the app menus.
---
[^1]: A simple case is when one wants to transfer many images to `dom0`
e.g. for wallpapers, while they are very many that the screenshot method
is much manual work. Transferring images into `dom0` can be for other
non-trivial reasons other than wallpapers, and it's because `dom0` is the
GUI and management domain and *not* because one is doing work (e.g. what
should be done in AppVMs) in `dom0`.
and `--help` only says "Secure copy of images between virtual machines."
One must visit the
[code](https://github.com/QubesOS/qubes-app-linux-img-converter/blob/main/qvm-get-image)
to try to understand, but I see the developers have been doing (much
work)[https://github.com/QubesOS/qubes-issues/issues/6425] just for the
non-tech so I don't understand why such very simple thing (a good
explanation for `qvm-get-image`) isn't existent even though it can be
essential[^1] in many cases.
My question is on `qvm-get-image` security. How does it work? My guess is
`qvm-get-tinted-image` what's used in `dom0` to retrieve app icons from
VMs, including untrusted ones. Since `qvm-get-tinted-image` is the same as
`qvm-get-image` with extra tint, as can be seen in the
[code](https://github.com/QubesOS/qubes-app-linux-img-converter/blob/main/qvm-get-tinted-image),
my guess was `qvm-get-image` is completely secure to use.
I'm posting this because I won't take the risk of *compromising* `dom0`*
with a *guess*. Also because I saw:
[quote="unman, post:4, topic:5084"]
Well they are not widely advertised or promoted, and they do have some use.
They were introduced as tradeoff between security and usability.
I still prefer the “full screen and screenshot” route for backgrounds.
[/quote]
I'm also posting this as **a suggestion for adding more explanation to
`qvm-get-image` tool**, e.g.
> Secure copy of images between virtual machines. Use with confidence to
get any image you want from any VM into dom0.
especially since `dom0` *already did that countless times* for all the app
icons in the app menus.
---
[^1]: A simple case is when one wants to transfer many images to `dom0`
e.g. for wallpapers, while they are very many that the screenshot method
is much manual work. Transferring images into `dom0` can be for other
non-trivial reasons other than wallpapers, and it's because `dom0` is the
GUI and management domain and *not* because one is doing work (e.g. what
should be done in AppVMs) in `dom0`.
unman
Mar 25, 2025, 8:25:39 PM3/25/25
to prev...@dnmx.su, qubes...@googlegroups.com
On Tue, Mar 25, 2025 at 07:19:12PM +0400, prev...@dnmx.su wrote:
> The tool `qvm-get-image` in `dom0` is really poorly explained. No manual
> and `--help` only says "Secure copy of images between virtual machines."
> One must visit the
> [code](https://github.com/QubesOS/qubes-app-linux-img-converter/blob/main/qvm-get-image)
> to try to understand, but I see the developers have been doing (much
> work)[https://github.com/QubesOS/qubes-issues/issues/6425] just for the
> non-tech so I don't understand why such very simple thing (a good
> explanation for `qvm-get-image`) isn't existent even though it can be
> essential[^1] in many cases.
>
> My question is on `qvm-get-image` security. How does it work? My guess is
> `qvm-get-tinted-image` what's used in `dom0` to retrieve app icons from
> VMs, including untrusted ones. Since `qvm-get-tinted-image` is the same as
> `qvm-get-image` with extra tint, as can be seen in the
> [code](https://github.com/QubesOS/qubes-app-linux-img-converter/blob/main/qvm-get-tinted-image),
> my guess was `qvm-get-image` is completely secure to use.
>
> I'm posting this because I won't take the risk of *compromising* `dom0`*
> with a *guess*. Also because I saw:
> [quote="unman, post:4, topic:5084"]
> Well they are not widely advertised or promoted, and they do have some use.
> They were introduced as tradeoff between security and usability.
> I still prefer the ???full screen and screenshot??? route for backgrounds.
> The tool `qvm-get-image` in `dom0` is really poorly explained. No manual
> and `--help` only says "Secure copy of images between virtual machines."
> One must visit the
> [code](https://github.com/QubesOS/qubes-app-linux-img-converter/blob/main/qvm-get-image)
> to try to understand, but I see the developers have been doing (much
> work)[https://github.com/QubesOS/qubes-issues/issues/6425] just for the
> non-tech so I don't understand why such very simple thing (a good
> explanation for `qvm-get-image`) isn't existent even though it can be
> essential[^1] in many cases.
>
> My question is on `qvm-get-image` security. How does it work? My guess is
> `qvm-get-tinted-image` what's used in `dom0` to retrieve app icons from
> VMs, including untrusted ones. Since `qvm-get-tinted-image` is the same as
> `qvm-get-image` with extra tint, as can be seen in the
> [code](https://github.com/QubesOS/qubes-app-linux-img-converter/blob/main/qvm-get-tinted-image),
> my guess was `qvm-get-image` is completely secure to use.
>
> I'm posting this because I won't take the risk of *compromising* `dom0`*
> with a *guess*. Also because I saw:
> [quote="unman, post:4, topic:5084"]
> Well they are not widely advertised or promoted, and they do have some use.
> They were introduced as tradeoff between security and usability.
> [/quote]
>
> I'm also posting this as **a suggestion for adding more explanation to
> `qvm-get-image` tool**, e.g.
> > Secure copy of images between virtual machines. Use with confidence to
> get any image you want from any VM into dom0.
> especially since `dom0` *already did that countless times* for all the app
> icons in the app menus.
>
> ---
>
> [^1]: A simple case is when one wants to transfer many images to `dom0`
> e.g. for wallpapers, while they are very many that the screenshot method
> is much manual work. Transferring images into `dom0` can be for other
> non-trivial reasons other than wallpapers, and it's because `dom0` is the
> GUI and management domain and *not* because one is doing work (e.g. what
> should be done in AppVMs) in `dom0`.
>
You're right in that there's no man page or info. There's an open issue
>
> I'm also posting this as **a suggestion for adding more explanation to
> `qvm-get-image` tool**, e.g.
> > Secure copy of images between virtual machines. Use with confidence to
> get any image you want from any VM into dom0.
> especially since `dom0` *already did that countless times* for all the app
> icons in the app menus.
>
> ---
>
> [^1]: A simple case is when one wants to transfer many images to `dom0`
> e.g. for wallpapers, while they are very many that the screenshot method
> is much manual work. Transferring images into `dom0` can be for other
> non-trivial reasons other than wallpapers, and it's because `dom0` is the
> GUI and management domain and *not* because one is doing work (e.g. what
> should be done in AppVMs) in `dom0`.
>
about providing such for all command line utilities. Could you help?
As you can see from the code `qvm-get-image` relies on calling in to
qubesimgconverter, and should be secure in use.
My own preference is for screenshots, but since I do this rarely, and
never for backgrounds, I am not plagued by any lack of convenience in
dealing with many files. But that is my preference.
--
I never presume to speak for the Qubes team.
When I comment in the mailing lists I speak for myself.
Reply all
Reply to author
Forward
0 new messages