Fully Ephemeral DispVM's

anywaydense · June 15, 2022, 11:32pm

Currently Qubes DispVM’s are not fully ephemeral; by default data written to xvda and xvdb is written to the disk in plaintext. When the user sets ephemeral=True data written to xvdc is encrypted with an ephemeral encryption key placed in RAM. If in addition the user sets rw:root rw 0 then writes to xvda are routed to xvdc and thus encrypted. However xvdb is at present always written to the disk in plaintext.

I recently wrote a patch for initramfs that resolves this issue; after application of the patch all data written by a PVH DispVM (including to swap) is encrypted by an ephemeral key. The code and a guide is available at

Hopefully this will find its way to R4.2. The patch has been tested only on the most recent stable R4.1.

Kaizer · June 15, 2022, 11:39pm

this is EPIC!!!

ewokky · June 16, 2022, 5:35am

WOW. I saw the title and definitely not expecting this. Up until now Qubes “disposable” has been like browser “private mode”. Adding ephemeral encryption takes this to the next level. This has to be one of the most consequential improvements in the security posture of QubesOS in a long time.

I am going to do a full backup and test this out over the weekend and report back.

anywaydense · June 16, 2022, 6:49am

@ewokky: if you just want to convince yourself that it works you don’t need a full backup. Instead create a copy of a kernel in /var/lib/qubes/vm-kernels, e.g

cp -rf /var/lib/qubes/vm-kernels/5.10.90-1.fc32 /var/lib/qubes/vm-kernels/testkernel

Then patch testkernel with

sudo sh patch_initramfs.sh testkernel

Now you create an AppVM, say testvm,

qvm-create testvm --template sometemplate --class AppVM --label red

Make the testkernel the kernel for testvm with

qvm-prefs testvm kernel testkernel

Now make xvda, xvdb read-only on the AppVM and set ephemeral mode on for xvdc, i.e

qvm-volume config testapp:root rw 0
qvm-volume config testapp:private rw 0
qvm-volume config testapp:volatile ephemeral 1

Now AppVM is made fully ephemeral. In addition all the DispVM’s that will be subsequently created based on this AppVM will also inherit the ephemeral property. To test this issue

qvm-run --dispvm testapp xterm

and check that this DispVM is fully ephemeral (well it has to because xvda, xvdb are readonly, you can only write to xvdc and xvdc is being encrypted by ephemeral=True). If you don’t want the AppVM to be fully ephemeral simply make xvdb writeable again with qvm-volume config testapp:private rw 1.

The same mechanism works for DispVM’s: if you make a named DispVM use the kernel testkernel and you make its xvda, xvdb read-only and make xvdc ephemeral using qvm-prefs then this DispVM will be made fully ephemeral. This will not work on sys-usb and sys-net since they are HVM and not PVH. If you are concerned about sys-net and sys-usb I suggest running them fully in RAM. I have a solution in mind that I’m working on.

Note however that what I outlined above is a tricky way of using this patch, it’s easy to get things wrong. For example the changes made this way might not be persistent across reboots. Furthermore DispVM that were created before the AppVM was made ephemeral are not made ephemeral – one would have to clone them, delete them and then reclone them back. Patching dispvm.py removes all of this unnecessary confusion, every single PVH DispVM is then made fully ephemeral.

If you are really interested I have a python script that allows one to make only select AppVM’s fully ephemeral in a way that is persistent across reboots (it edits qubes.xml which is arguably even more dangerous than editing dispvm.py :)). If there is interest in that I can upload it too. I just find it a harder way of using the patch … less consistent, and more easy to get wrong, and also less in the spirit of what we actually want: all DispVM’s fully ephemeral. By the way even though all my DispVM’s are now fully encrypted I haven’t noticed an impact on performance.

BEBF738VD · June 16, 2022, 8:18am

Wow, great work. Looks very promising and hopefully will be the new default.

Have you ran into any issue after implementing the patch?

tanky0u · June 16, 2022, 10:25am

As a noob QubesOS user, can you explain a bit more this stuff about “getting written to xvda, xvdb, xvdc”? Also can you shortly explain what is a “PVH” ?

augsch · June 16, 2022, 10:30am

arkenoi · June 16, 2022, 12:21pm

it also makes sense to put logs to some securely disposable place as well?

anywaydense · June 16, 2022, 1:54pm

@BEBF738VD : The only issue that I observed so far is about HVM’s (that are also DispVM’s). After implementing the patch newly created HVM’s might start but will refuse to run any applications from qvm-run. However this is easily fixable just by issuing

qvm-volume config hvmvm:private rw 1

The point is that HVM’s cannot be at present fully ephemerized and this command disables the patch from running in initramfs. I mentioned this in the last note on the github page.

It would be good if somebody could check whether this command needs to be issued on sys-net and sys-usb after patching. They might be not affected because they might be still reading their configuration from qubes.xml. In the next iteration of the patch I’ll try to fix the issue with the HVM’s.

brendanhoar · June 17, 2022, 1:18am

My understanding is that @marmarek is intending to utilize a very similar methodology for ephemeral disposable VMs (hence the scaffolding OPs approach uses) but there are some edge cases and UI management items he still has to mull over (as well as the time factor) before moving forward.

B

fsflover · June 17, 2022, 10:10pm

Just to have links here to related issues, for completeness:

github.com/QubesOS/qubes-issues

DisposableVMs: support for in-RAM execution only (for anti-forensics)

opened 05:21PM - 08 Mar 15 UTC

marmarek

T: enhancement help wanted C: core P: major crypto pr submitted C: storage

**Reported by joanna on 25 Sep 2014 20:26 UTC** Currently volatile.img is being …backed up on the fs. See: https://groups.google.com/forum/#!topic/qubes-devel/QwL5PjqPs-4/discussion Migrated-From: https://wiki.qubes-os.org/ticket/904

github.com/QubesOS/qubes-issues

Disposable VMs and Local Forensics on qubes R4.0 context

opened 08:33PM - 29 Jan 18 UTC

Carl53

help wanted C: doc T: task

#### Qubes OS version: R4.0 #### Affected TemplateVMs: Documentation #…## Steps to reproduce the behavior: Go to page: https://www.qubes-os.org/doc/dispvm/#disposable-vms-and-local-forensics or https://www.qubes-os.org/faq/ ### Expected behavior: Information about how next Qubes version relate with this 2013 issue: https://www.qubes-os.org/doc/dispvm/#disposable-vms-and-local-forensics https://groups.google.com/forum/#!topic/qubes-devel/QwL5PjqPs-4/discussion ### Actual behavior: There is no information

github.com/QubesOS/qubes-issues

Reduce leakage of disposable VM content and history into dom0 filesystem

opened 05:32PM - 12 Apr 19 UTC

brendanhoar

T: enhancement help wanted C: other privacy P: default

**The problem you're addressing (if any)** Considerable information about the h…istory of disposable VM usage, as well as some contents of data from inside disposable VM leaks into the filesystem of dom0 and in most cases, survives reboots. In particular, the leakage into the xfwm4-*.state files (and lack of cleanup) is particular disturbing. e.g. in dom0 rm disp_files.txt # if exists rm disp_contents.txt # if exists sudo grep -rn '/' -e 'disp[0-9]' --exclude-dir={dev,proc,sys} | sort > disp_contents.txt sudo find / -name \*disp[0-9]\* | sort > disp_files.txt # matches references to disposable VM names in filenames Some findings on files related to disposable VMs (via disp_files.txt): 1. snapshots/volatile volumes for disposable VMs that were not shutdown correctly in the past (found in /dev/qubes_dom0/ and /dev/mapper/ ) 2. xml config files for the same in /etc/libvirt/libxl/ and /run/libvirt/libxl/ 3. appmenus for the same in /home/admin/.local/share/ 4. qrexec files for the same in /run/qubes/ 5. qubes.db pid and sock files for the same in /run/qubes/ 6. linux mapper links for the same in /run/udev/links/{\x2fmapper,\x2fqubes_dom0}/ 7. directories for the above in /var/lib/qubes/appvms/ 8. libxl logs for every(!!!) disposable VM ever run in this Qubes install in /var/log/libvirt/libxl/ 9. qubes logs for every(!!!) disposable VM ever run in this Qubes install in /var/log/qubes/ 10. xen console logs for every(!!!!) disposable VM ever run in this Qubes install in /var/log/xen/console/ Some finding related to files *containing* references to disposable VMs in dom0 (via disp_contents.txt): 1. Current and many historical disposable VM references are found in files in /run/udev/data/b253* files/nodes. 2. xfwm4*.state files in /home/admin/.cache/sessions/ contains *many references* to disposable VM *WINDOW TITLES* (application names, web site names, etc.) since the installation of the Qubes install (as well as current session). 3. .xsession-errors* in ~ reference many disposable VM names 4. /home/admin/.config/pulse/{guid}-stream-volumes.tdb a binary file appears to have 0..n matches on disp[0-9]. 5. /etc/lvm/backup/qubes_dom0 has current disp VM names plus some that weren't shutdown cleanly. 6. /etc/lvm/backup/qubes_dom0_* files have historical disp VM names. 7. /var/log/qubes/qubes.log* references historical disp VM names. 8. The systemd journal has a ton of historical disp VM references. 9. /var/lib/qubes/qubes.xml contains a lot of historical disp VM references. 10. /var/lib/backups/qubes/qubes*.xml contains a lot of historical disp VM references. 11. /var/lib/xen/userdata* contains a lot of historical disp VM references. 12. /var/lib/logrotate/logrotate.status contains a lot of historical disp VM references. **Describe the solution you'd like** 1. Triage of types of data leaking into dom0. 2. Based on types of data, develop a Qubes policy on eliminating, reducing, cleaning or ignoring the leaked data. 3. Based on type/policy, institute efforts to reduce the content stored into dom0 (at all vs. short term vs long term). **Where is the value to a user, and who might that user be?** All users who may want the historical content of the disposable VM usage not to be memorialized. Journalists, security researchers, etc. **Describe alternatives you've considered** None appear to cover 100% of use cases. Perhaps TAILS in an HVM might reduce it the most. **Additional context** **Relevant [documentation](https://www.qubes-os.org/doc/) you've consulted** **Related, [non-duplicate](https://www.qubes-os.org/doc/reporting-bugs/#new-issues-should-not-be-duplicates-of-existing-issues) issues** #3504 (similar, but does not provide a focus on specific leakage into dom0) #4408 (anti-forensics on swap files only) #1819 (anti-forensics request only covers the block devices for the VM) #1293 (similar to 1819) #3360 (specific to dom0 logging only) #2024 (emulating Tails' approach, dom0 leakage still possible)

FoliKybubu · January 31, 2023, 6:05am

Does someone could explain the underlying process of “Copy to other AppVM” operation ?

in case i apply this fix for “fully ephemeral dispVM’s”, when i copy files between these VMs,
is there any trace possible on disk/dom0 ?

also: does global clipboard fully handled by RAM ?

renehoj · January 31, 2023, 6:19am

If you want to create DVMs with no disk trace, I think unman’s approach is the best option if you have enough memory to run the VM from a ram drive Really Disposable Qubes

fsflover · January 31, 2023, 8:48pm

anon92454060 · March 25, 2023, 9:01pm

Very cool, it worked on my old laptop but on the new one dispVMs just fail to start and I cannot even fix it as you suggested. I have to reinstall to fix it, I do not understand why it would work on one laptop HP Spectre and not on another System 76 Lemur.

thinkpadp1 · September 3, 2023, 12:21am

Anyone have any luck getting this working?

Jera · November 11, 2023, 5:08pm

I have followed all of the instructions on github but when I complete the process no apps are running within dispvms.
The dispvms boot but I cannot open any app into them.

Jera · November 11, 2023, 5:49pm

I thought it might be because the dispvm.py file that I previously replaced was old and maybe incompatible with qubes 4.2. So I edited the file on line 138 and I managed to stop EVERYTHING from running .

Felicia · January 8, 2024, 11:42pm

In qubes version 4.2, this setting will cause all VMs to fail to start, please ask the publisher to update the tutorial.

ghostsinthebaseband · August 28, 2024, 10:06pm

This is a cool idea but the guide needs to be updated. Doesn’t work on latest Qubes.

TAILS can be run inside a VM.
https://tails.net/doc/advanced_topics/virtualization/index.en.html

It would be interesting to approach that community’s security model as close as possible but in Xen terms.