using static dispVM for sys-net


Jon deps

Jul 3, 2019, 4:30:21 PM
to qubes...@googlegroups.com
I am curious if anyone actually does this, and how.

Or would it make any sense instead to use a static sys-firewall, if I
just have the default sys-firewall (which might be easier because
there would not be a need for the PCI setup each time)?


https://www.qubes-os.org/doc/disposablevm-customization/#using-static-disposablevms-for-sys-


I can't really understand what the differences would be with a static
dispvm (based on a dispvm-template) vs just a regular sys-net.

If nothing is disposed (static), isn't it just the same?

awokd

Jul 3, 2019, 4:51:30 PM
to qubes...@googlegroups.com
Jon deps:

> https://www.qubes-os.org/doc/disposablevm-customization/#using-static-disposablevms-for-sys-
>
> I can't really understand what the differences would be with a static
> dispvm (based on a dispvm-template) vs just a regular sys-net
>
> if nothing is disposed (static) isn't it just the same
>
"Static" there refers to the name and VM configuration, not the
contents. You only have to set them up once, not every time.

Jon deps

Jul 8, 2019, 3:25:06 PM
to qubes...@googlegroups.com
So making a sys-net2 as a -C DispVM (with persistent PCI tag) based on
a custom-dispvm-template has more disposable qualities than

just an appvm based on, say, a Deb-9 template?


And hence might it be a security protocol to make and toss sys-net2
(dispvm) from time to time, or

is it very minor and not worth the effort?


unman

Jul 8, 2019, 8:15:46 PM
to qubes...@googlegroups.com
On Mon, Jul 08, 2019 at 07:24:53PM +0000, Jon deps wrote:
> On 7/3/19 8:50 PM, 'awokd' via qubes-users wrote:
> > Jon deps:
> >
> > > https://www.qubes-os.org/doc/disposablevm-customization/#using-static-disposablevms-for-sys-
> > >
> > > I can't really understand what the differences would be with a static
> > > dispvm (based on a dispvm-template) vs just a regular sys-net
> > >
> > > if nothing is disposed (static) isn't it just the same
> > >
> > "Static" there refers to the name and VM configuration, not the
> > contents. You only have to set them up once, not every time.
> >
>
> so making a sys-net2 as a -C DispVM (with persistent PCI tag) based on a
> custom-dispvm-template has more disposable qualities than
>
> just an appvm based on say Deb-9 template ?
>
> and hence might be a security protocol to make and toss sys-net2 (dispvm)
> from time to time or
>
> is it very minor and not worth the effort?
>

Do you use DisposableVMs instead of a standard appVM?
Why?
If you see an advantage there, then you should see an advantage in using
them for sys-.
Since the effort is minimal, I'd recommend it.

rec wins

Aug 3, 2019, 6:11:04 PM
to qubes...@googlegroups.com
re:
https://www.qubes-os.org/doc/disposablevm-customization/#using-static-disposablevms-for-sys-

If one does all this to make a sys-net2:

qvm-create -C DispVM -l red sys-net2
qvm-prefs sys-net2 virt_mode hvm
qvm-service sys-net2 meminfo-writer off
qvm-pci attach --persistent sys-net2 dom0:00_1a.0
qvm-prefs sys-net2 autostart true
qvm-prefs sys-net2 netvm ''
qvm-prefs sys-net2 provides_network true
qvm-prefs sys-net autostart false
qvm-prefs sys-firewall netvm sys-net2
qubes-prefs clockvm sys-net2

don't they also have to edit
$ sudo nano /etc/qubes-rpc/policy/qubes.UpdatesProxy

# Default rule for all TemplateVMs - direct the connection to sys-net
$type:TemplateVM $default allow,target=sys-net

and change it to sys-firewall or sys-net2?

Because I'm getting a complaint that my PCI device is already attached to
sys-net2 when I attempt updates.


If so, maybe the documentation needs another line to indicate this?
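The policy edit asked about here, as an added example that is not from the thread or the Qubes documentation: a small POSIX shell helper that retargets only the TemplateVM default rule of qubes.UpdatesProxy and reads it back to confirm the change. It assumes a Fedora dom0 with GNU sed and coreutils; POLICY_FILE is an assumed variable that defaults to a constructed copy of the default rule so the script can be tried outside dom0.

```shell
#!/bin/sh
# Added example: rewrite the qubes.UpdatesProxy TemplateVM rule so update
# traffic goes to the static disposable sys-net2 instead of the stopped
# sys-net, and read the rule back to confirm before restarting anything.
# POLICY_FILE defaults to a constructed copy of the default rule so the
# script can be exercised outside dom0; on a real system set it to
# /etc/qubes-rpc/policy/qubes.UpdatesProxy and run as root.
set -eu

# current_updates_target FILE: print the target of the TemplateVM default rule
current_updates_target() {
    sed -n 's/^\$type:TemplateVM \$default allow,target=\(.*\)$/\1/p' "$1"
}

# retarget_updates_proxy FILE OLD NEW: change the target only on that one
# line, leave every other rule untouched, and keep a .bak copy of the file.
retarget_updates_proxy() {
    file=$1; old=$2; new=$3
    cp "$file" "$file.bak"
    sed 's/^\(\$type:TemplateVM \$default allow,target=\)'"$old"'$/\1'"$new"'/' \
        "$file" > "$file.new" && mv "$file.new" "$file"
    # refuse to report success if the rule is not actually pointing at NEW
    [ "$(current_updates_target "$file")" = "$new" ]
}

# make_sample_policy FILE: constructed stand-in for the shipped policy file
# (the TemplateVM line is the one quoted in the thread; the deny line is
# the usual catch-all and is only here so the rewrite can be seen to skip it)
make_sample_policy() {
    printf '%s\n' \
        '# Default rule for all TemplateVMs - direct the connection to sys-net' \
        '$type:TemplateVM $default allow,target=sys-net' \
        '$anyvm $anyvm deny' > "$1"
}

if [ -z "${POLICY_FILE:-}" ]; then
    POLICY_FILE=$(mktemp)
    make_sample_policy "$POLICY_FILE"
fi
echo "before: $(current_updates_target "$POLICY_FILE")"
retarget_updates_proxy "$POLICY_FILE" sys-net sys-net2
echo "after:  $(current_updates_target "$POLICY_FILE")"
```

Restart the qubes-qrexec-policy-daemon or simply retry the template update after the edit; the .bak copy lets you revert if updates still fail.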

Andrew David Wong

Aug 3, 2019, 6:20:51 PM
to rec wins, qubes...@googlegroups.com
Done:

https://github.com/QubesOS/qubes-doc/commit/af93a8a87085289181e6460ee72c28f121c8b198

In the future, please feel free to submit PRs for such edits.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


799

Aug 10, 2019, 5:12:47 AM
to socks, qubes-users
Hello,


Jon deps <yre...@riseup.net> wrote on Wed., 3 July 2019, 22:30:
> am curious if anyone actually does this, and how or would it make any sense instead to use a static sys-firewall, if I
> just have the default sys-firewall (which might be easier because
> there would not be a need for the PCI setup each time)

What would be the better choice regarding attack surface:
disposable netvm+firewallvm vs. mirage-firewall?
If I understand it right, the mirage firewall has no/fewer options to be compromised.
I am using the mirage fw and am only using a fedora-30-minimal based sys-firewall to get dom0 updates, which can't be done via the mirage firewall.

But I'll also change this firewall to a static disposable FW.

Question:
Afaik the problem when using a static disposable sys-net VM is that I need to enter my WiFi credentials each time, as the VM will be unable to remember them.
Is there any way of tweaking this behaviour?

799

awokd

Aug 10, 2019, 11:29:48 AM
to qubes...@googlegroups.com
799:

> What would be the better choice regarding attack surface:
> disposable netvm+firewallvm vs. mirage-firewall?

You still need a netvm with Mirage, but the smallest attack surface alone is
disposable netvm + Mirage. "Disposable" doesn't increase or decrease
attack surface, though. It helps against persistence: if something
managed to compromise sys-net's rw area, it would be gone at the next reboot.

> If I understand it right the mirage firewall has no/less option to be
> compromised.
> I am using the mirage fw and are only using a fedora-30-minimal based
> sys-firewall to get dom0-updates, which can't be done via the mirage
> firewall.
>
> But I'll also change this firewall to a static disposable FW.

If you're using Mirage for a firewall, you don't need that fedora-30
sys-firewall inline any more. That might be what you have already done.
You could create a sys-update and place it anywhere behind Mirage firewall.

> Question:
> Afaik the problem when using a static disposable sys-net VM is, that I need
> to enter my Wifi Credentials each time, as the VM will be unable to
> remember them.
> Is there any way tweaking this behaviour?

Put them in the custom DVM template you base the disposable sys-net
from:
https://www.mail-archive.com/qubes...@googlegroups.com/msg26895.html.

rec wins

Aug 16, 2019, 7:58:53 PM
to qubes...@googlegroups.com
On 8/9/19 11:12 PM, 799 wrote:
> Hello,
799, do you have mirageOS upstream of sys-net2 (disposable) working?

I built and have mirage as sys-firewall, but I built it before I created
sys-net2 (disposable)

and the mirage firewall works upstream of sys-net but not sys-net2


I'm thinking during the build process it must be looking for sys-net and
not a sys-net2, esp. if it's not there?

I could rebuild now that I have a sys-net2, but I'm not too confident
about that

best regards

Chris Laprise

Aug 16, 2019, 9:55:11 PM
to 799, socks, qubes-users
On 8/10/19 5:12 AM, 799 wrote:
> Hello,
>
> Jon deps <yre...@riseup.net> wrote on
To get a similar result, adding Qubes-VM-hardening to your template
would sanitize sys-net on each boot while retaining your wifi connection
passwords. After installing, all you have to do is enable
'vm-boot-protect-root' Qubes service for the sys-net VM. By default, the
contents of /home are retained, but you can change that by also enabling
'vm-boot-tag-qhome' which sets up a quarantine on /home.

(You can also use it to do minor per-vm customizations at startup, which
allows more re-use of a template instead of having to make clones.)

The result isn't quite as secure as using a DispVM, because the Ext4
filesystem itself could (theoretically) be exploited. But I think it
raises the bar quite a bit.

https://github.com/tasket/Qubes-VM-hardening

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

rec wins

Aug 17, 2019, 4:55:48 PM
to qubes...@googlegroups.com
> https://www.mail-archive.com/qubes-users-/JYPxA39Uh5...@public.gmane.org/msg26895.html.
>


Sorry, how is this done? I don't really follow along with the URL link.

How to store the wifi credentials in custom-dvm-template?


regards

Sven Semmler

Sep 9, 2019, 5:33:00 PM
to qubes...@googlegroups.com
On 8/17/19 3:55 PM, rec wins wrote:
> how to store the wifi credentials in custom-dvm-template ?
Assuming you created sys-net using a dvm template named
dvm-fed-30-min and know the PCI identifier of your wireless interface
(the one you assigned to sys-net):


1) qvm-shutdown --all --wait
2) qvm-prefs dvm-fed-30-min virt_mode hvm
3) qvm-prefs dvm-fed-30-min provides_network true
4) qvm-pci attach dvm-fed-30-min --persistent dom0:xxxx
5) qvm-start dvm-fed-30-min
6) once started use the NetworkManager in the tray to enter your WiFi
credentials
7) qvm-shutdown --wait dvm-fed-30-min
8) qvm-pci detach dvm-fed-30-min dom0:xxxx
9) qvm-prefs dvm-fed-30-min provides_network false
10) qvm-prefs dvm-fed-30-min virt_mode pvh
11) start sys-net

/Sven

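The same steps wrapped as a script, added here as an example and not Sven's or the Qubes project's code. It assumes the template name and the PCI identifier are given on the command line, the identifier in the dom0:BB_DD.F form that qvm-pci uses, and it makes sure steps 8 to 10 run even if the interactive step is abandoned, since a template left with the device attached and provides_network on will conflict with sys-net's own assignment of that device.

```shell
#!/bin/sh
# Added example (not Sven's script): runs the steps above so the DVM template
# is always returned to its normal state (device detached, provides_network
# off, virt_mode back to pvh) even if a step fails, after checking the PCI
# identifier shape first. Inputs: TEMPLATE (the DVM template name) and PCI_ID
# in the dom0:BB_DD.F form qvm-pci uses (dom0:00_1a.0 appears in the thread).
# Set DRY_RUN=1 to print the qvm-* commands instead of executing them.
set -u

# run CMD...: execute, or just echo when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# validate_pci_id ID: accept only the dom0:BB_DD.F form
validate_pci_id() {
    printf '%s\n' "$1" | grep -Eq '^dom0:[0-9a-f]{2}_[0-9a-f]{2}\.[0-7]$'
}

# restore_template TEMPLATE PCI_ID: steps 8-10, run from the EXIT trap
# so they happen even if the template fails to start or shut down
restore_template() {
    run qvm-pci detach "$1" "$2" || true
    run qvm-prefs "$1" provides_network false
    run qvm-prefs "$1" virt_mode pvh
}

# prime_dvm_wifi TEMPLATE PCI_ID: steps 1-7; the credentials are entered
# interactively in NetworkManager while the template is running
prime_dvm_wifi() {
    template=$1; pci=$2
    validate_pci_id "$pci" || { echo "bad PCI id: $pci" >&2; return 1; }
    run qvm-shutdown --all --wait
    trap 'restore_template "$template" "$pci"' EXIT
    run qvm-prefs "$template" virt_mode hvm
    run qvm-prefs "$template" provides_network true
    run qvm-pci attach "$template" --persistent "$pci"
    run qvm-start "$template"
    if [ "${DRY_RUN:-0}" != 1 ]; then
        printf 'Enter the WiFi credentials in NetworkManager, then press Enter: '
        read -r _
    fi
    run qvm-shutdown --wait "$template"
}

# Usage: DRY_RUN=1 sh prime_dvm_wifi.sh dvm-fed-30-min dom0:00_1a.0
# (step 11, starting sys-net again, is left to the operator)
if [ $# -eq 2 ]; then prime_dvm_wifi "$1" "$2"; fi
```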

rec wins

Sep 9, 2019, 6:38:52 PM
to qubes...@googlegroups.com
actually I stored them in the main Fedora Template that the
custom-dvm-template was based on

found the proper file and format from another connection somewhere

perhaps not secure, my method, but seems to work


ty for the steps on your method, I know someone else had also been asking

anon

Feb 17, 2020, 11:49:22 PM
to qubes-users
Hello,

I see this all in red, I'm not sure what it's trying to tell me?
Increase dom0 memory allocation or?


Xen free = 387860283 too small for satisfy assignments!

awokd

Feb 18, 2020, 3:03:42 AM
to qubes...@googlegroups.com
anon:
> Hello ,
>
> I see this all in red, I'm not sure what it's trying to tell me?
> increase dom0 memory allocation or ?
>
>
> Xen free = 387860283 too small for satisfy assignments!

I think this is telling you that you have less RAM available than you are calling
for across your running VMs. Qubes/Xen can still function by shrinking
RAM in less-used VMs or resorting to swap, but that can impact
performance (possibly unnoticeably). You could either throw more RAM at
it, trim your VMs' memory maximums or run fewer simultaneously, or
ignore it if you're not having performance issues.
