Automated Qubes OS Installation using Kickstart and/or PXE Network Boot

qstateless · September 28, 2022, 1:59am

Thanks for your sharing your expertise, @alzer89!

Agreed. Separate client computers would have their own separate AppVMs.

I think loading the entire thing into the client computer’s RAM would be best. That’s what I’m currently doing with Qubes in tmpfs. Hopefully, I could then even cutoff the network connection to the PXE server once Qubes Dom0 is loaded into the client computer’s RAM.

Yeah, I’m aware of the old Qubes Live 3.1 ISO, and wouldn’t want to rely upon that as you say.

alzer89:

qstateless:

Does the OS need to be remotely loaded from an .ISO (iso9660) formatted image? For example, you seem to use the Qubes Installation .ISO for your PXE setup.

Hahaha. No, it doesn’t

I just used the ISO image because it achieved what I was trying to achieve, which was create a way to “deploy” an automated Qubes OS install.

Basically, PXE boot needs to load the xen/kernel/initrd first, and then root= states where to find the OS drive.

So that parameter on most current Qubes OS installs is root=/dev/sda3 , root=/dev/nvme0n1p3 or root=UUID=s0m3-r4nd0m-uu1d .

But you could easily change it to root=nfs:192.168.69.69:/nfs-exports/laptops/wife-laptop if you wanted to

Or even root=nfs:awesome-qubes-os-share.example.com:/ninja-turtles/michelangelo/cowabunga-dude if you were game enough to do it over WAN
(with encryption, obviously…)

Wow, that is awesome. For some reason, I falsely associated PXE booting with use of ISOs, but this flexibility of where to load the OS from is awesome.

I see. If PXE is limited to serve one client computer at a time, then I would just try duplicating the PXE software setup many times on the PXE server, running each PXE server instance in a separate qube with a different LAN IP on the network. So PXE-1 serves Client-1, PXE-2 serves Client-2, PXE-3 serves Client-3, etc.

Yes.

I think there are some subtle security benefits, although maybe not so important to most people.

The primary feature gained can be lack of any OS state saved if using a client-RAM-based OS image.

Benefits:

Prevents drive firmware attacks / drive firmware persistence on the client computers. Reduces the storage drives footprint down to my PXE server and my file server.
Enables greater anti-forensics on the client computers (can be important even for common situations like civil lawsuits where everyday lawyers try to subpoena your drives, or hackers plant stuff on them remotely and SWAT you, etc). Less drives to manage and worry about as potential liabilities with something nasty sitting on them that I can’t conveniently audit. Reduces the storage drives footprint down to my PXE server and my file server, rather than also having dozens of endpoint computers containing storage drives.
Adds convenience of quickly wiping to a known clean OS state on client computers, which can then easily be done many times per day, compared to a major pain that doesn’t hardly ever get done otherwise. Like having DispVM capability for the entire Qubes OS running on your machine. Just reboot to a fresh read-only instance of RAM-based Qubes OS provided from the PXE server. 99.9% Trustworthy as clean. Would never reinstall Qubes OS multiple times per day like this to a known clean state, but network booting could make this easy.

Huge convenience, yes!

Having 2 or 3 network cards per client computer might be necessary, where one NIC is sacrificed for the PXE network boot of the Qubes OS, which is okay for me.

However, if a RAM-based Qubes is entirely loaded into the client’s RAM first, before Xen/Qubes Dom0 boots up, then maybe the connection to the PXE server can be cutoff once the Qubes OS is loaded into client RAM and the NIC could be used normally by Qubes in a sys-net? It appears with Qubes in tmpfs, that the Dom0 is loaded into RAM like this before booting Xen/Qubes Dom0, so maybe it wouldn’t need any connection/resources/etc tied back to the PXE server once loaded and booted entirely into the client computer’s RAM?

Yes! I am game with you for achieving this setup! I have several duplicate machines ready to go for pursuing this setup.

Yes, I will be looking to encrypt by default. Thanks for the reminder. I also use physical network segmentation in addition, because I don’t like mixing cross-purpose or cross-security-domain stuff into the same physical network.

Yes, I have several different independently segmented networks setup here, and multiple physical NICs on separate sys-nets per Qubes machine.

Wow, 6 weeks. That’s pain.

Presently, with Qubes in tmpfs, I have made custom scripts that restore persistent AppVM configuration and personal file access, upon startup of Dom0 and AppVMs.

If need be, I would just try duplicating the PXE software setup many times on the PXE server, running each PXE server instance in a separate qube with a different LAN IP on the network. So PXE-1 serves Client-1, PXE-2 serves Client-2, PXE-3 serves Client-3, etc.

Also, I could have the PXE server write-protect or, or if need be, just overwrite the Qubes OS install regularly.

Through a combination of tactics, it seems feasible to create a RAM-based Qubes OS PXE boot setup, for multiple client computers, that does not have to change with each reboot.

Nooooo way. Wouldn’t let that happen. Their machines can’t touch the file server shares my work VM contents is stored upon. Physically isolated network. Also, their own AppVMs would have separate credentials (per PC and per VM) to access different shares on the file server, depending upon who’s specific machine and what specific AppVM is accessing the file server.

@alzer89, what do you think is the best way to make a RAM-based Qubes OS ready to use in sys-pxe?

Maybe this would work…

1. Install Qubes OS normally onto a drive or RAW image.
1. Add Qubes in tmpfs modifications to that installation.
1. Copy that drive or RAW image to the sys-pxe server.
1. Point the PXE to this volume or RAW image file containing Qubes in tmpfs.

Then expect the client computer to boot Qubes in tmpfs and run Dom0 from the client computer’s RAM?