Hello Qubes OS Community,
I would like to propose a feature request for the Calamares installer: the addition of an option to set MAC Address randomization (spoofing) for dom0 during the installation process.
Feature Description:
It would be beneficial to have a dedicated MAC Randomization screen in the Calamares installer with three options: RANDOM, FIXED (static), or DISABLED. These settings would configure a NetworkManager configuration file (e.g., /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf) or point to a service/script that handles the MAC address spoofing. A new module and keymap would also be added to point to this feature.
Here’s how the options could work:
- RANDOM:
Sets wifi.cloned-mac-address=stable and ethernet.cloned-mac-address=stable.
Uses ${CONNECTION}/${BOOT} for connection.stable-id.
Example configuration:
[connection]
wifi.cloned-mac-address=stable
ethernet.cloned-mac-address=stable
connection.stable-id=${CONNECTION}/${BOOT}
ipv6.dhcp-duid=stable-uuid
- FIXED (static):
Allows the user to input a custom MAC address.
Applies the same MAC address for both WiFi and Ethernet.
Example configuration:
[connection]
wifi.cloned-mac-address=00:1A:2B:3C:4D:5E
ethernet.cloned-mac-address=00:1A:2B:3C:4D:5E
connection.stable-id=00:1A:2B:3C:4D:5E
ipv6.dhcp-duid=stable-uuid
- DISABLED:
Comments out the relevant lines in the configuration file to disable MAC address spoofing.
Example configuration:
#[connection]
#wifi.cloned-mac-address=stable
#ethernet.cloned-mac-address=stable
#connection.stable-id=${CONNECTION}/${BOOT}
#ipv6.dhcp-duid=stable-uuid
Why This Feature is Important:
User Convenience:
Having this option during the installation process ensures that users can set up their desired MAC address spoofing configuration from the start, without needing to manually configure it post-installation.
Flexibility:
Offering multiple options (RANDOM, FIXED, DISABLED) caters to different user needs and preferences. For instance, the FIXED option is particularly useful in networks that employ MAC address filtering, where only specific MAC addresses are allowed to connect. Users may want to use a fixed, randomized MAC address that they have previously set up to ensure seamless connectivity in such environments.
Consistency:
Providing a standardized way to configure MAC address spoofing through the installer ensures consistency and reduces the likelihood of configuration errors.
Compatibility or starting point with other operating systems that hold similar values:
This would help as a starting point for other Security or Privacy based distros such as Kicksecure as one example. Kicksecure has specifically chosen not to set MAC Address Spoofing by default as it causes issues for users that install it on a server like a VPS where such a setting can void an account with a provider and is pointless in general on a VPS or server. While Qubes is not installed on servers, this is just an example since I myself, and I’m sure other Qubes users, use the Kicksecure templates.
Implementation Notes:
The configuration file (/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf) should be dynamically generated based on the user’s selection during the installation process.
A key map and corresponding module to point to these options.
Clear documentation should be provided to explain the implications of each option and how to manually adjust the configuration if needed.
Decide whether MAC Address spoofing should be enabled by default, and set these settings in a screen before the WiFi network connection portion of Calamares.
I hope Qubes considers this feature request. I believe it would significantly enhance the privacy and security offerings of Qubes OS, making it an even more robust solution for users who value these aspects and initial setup phase.
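The three options described in the post, generated by one function. This is an added example, not code from the post, Qubes OS or Calamares. It emits the [connection] snippets as the post lists them and, for FIXED, rejects input that cannot be used as an interface address. The function names are hypothetical, no Calamares API is used, and writing the result to the target path is left to the installer.

```python
import re
from typing import Optional

# Keys and values are the ones listed in the post; function names are hypothetical.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")

def validate_fixed_mac(mac: str) -> str:
    """Return the MAC upper-cased, or raise ValueError if it is unusable."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a colon-separated 48-bit MAC: {mac!r}")
    octets = [int(part, 16) for part in mac.split(":")]
    if octets[0] & 0x01:
        # Group (multicast/broadcast) bit set: cannot be an interface address.
        raise ValueError(f"multicast address cannot be assigned: {mac!r}")
    if not any(octets):
        raise ValueError("all-zero MAC cannot be assigned")
    return mac.upper()

def render_mac_conf(mode: str, mac: Optional[str] = None) -> str:
    """Build the [connection] snippet for RANDOM, FIXED or DISABLED."""
    mode = mode.upper()
    if mode == "FIXED":
        if mac is None:
            raise ValueError("FIXED requires a MAC address")
        cloned = stable_id = validate_fixed_mac(mac)
    elif mode in ("RANDOM", "DISABLED"):
        if mac is not None:
            raise ValueError(f"{mode} does not take a MAC address")
        cloned, stable_id = "stable", "${CONNECTION}/${BOOT}"
    else:
        raise ValueError(f"unknown mode: {mode!r}")
    lines = [
        "[connection]",
        f"wifi.cloned-mac-address={cloned}",
        f"ethernet.cloned-mac-address={cloned}",
        f"connection.stable-id={stable_id}",
        "ipv6.dhcp-duid=stable-uuid",
    ]
    if mode == "DISABLED":
        lines = ["#" + line for line in lines]  # keep the file, comment it out
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed input: the sample address from the post, in lower case.
    print(render_mac_conf("FIXED", "00:1a:2b:3c:4d:5e"), end="")
```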