Fully Ephemeral DispVM's

ghostsinthebaseband · August 30, 2024, 4:49am

Some further information on the topic:

pot · January 21, 2025, 10:42am

Is this available on the latest qubes release?

fsflover · January 21, 2025, 11:15am

The Issues above aren’t closed, so no.

Eli · April 26, 2025, 7:52pm

To what extent disp VMs in QubesOS are amnestic?

Tails is amnestic. How much a disposable whonix might leak relative to tails? What is left exactly?

If it’s just a little information (like this user has used whonix or tor), that’s not concerning . If it might leave traces of communication, DNS, files, that could be game over.

Whonix is supposed to be better than Tails. I know in terms of security it is better but not sure of privacy.

QubesParanoia · April 26, 2025, 8:52pm

You can use this. Dispvms and dom0 on varlibqubes and all another VMs on vm-pool. Qubes in tmpfs 🤫

It’s fully “as tails”

arkenoi · April 27, 2025, 3:59pm

Quite a lot. It spills a lot of logs to dom0 by default.

Eli · April 27, 2025, 11:51pm

Whose idea was it to export a lot of logs from a VM that is meant to be ephemeral, by default?!!

Sounds like a choice, that can be changed to zero or absolutely necessary logs.

parulin · April 28, 2025, 7:15am

That’s not that simple. As far as I understand, the VM is not technically meant to be ephemeral, the volume is. Every linux distribution exports a lot of logs by default, even Tails OS (in that case, on RAM?).

Reading the previously mentioned Github issues will give you an insight into the questions related to this topic.

QubesParanoia · April 28, 2025, 2:05pm

Dom0 on ram too

Eli · April 28, 2025, 9:14pm

At least disposable whonix should be read only like tails. It’s doable as tails shows.

fsflover · May 8, 2025, 4:08pm

github.com/QubesOS/qubes-issues

Reduce leakage of disposable VM content and history into dom0 filesystem

opened 05:32PM - 12 Apr 19 UTC

brendanhoar

help wanted C: other privacy P: default

**The problem you're addressing (if any)** Considerable information about the h…istory of disposable VM usage, as well as some contents of data from inside disposable VM leaks into the filesystem of dom0 and in most cases, survives reboots. In particular, the leakage into the xfwm4-*.state files (and lack of cleanup) is particular disturbing. e.g. in dom0 rm disp_files.txt # if exists rm disp_contents.txt # if exists sudo grep -rn '/' -e 'disp[0-9]' --exclude-dir={dev,proc,sys} | sort > disp_contents.txt sudo find / -name \*disp[0-9]\* | sort > disp_files.txt # matches references to disposable VM names in filenames Some findings on files related to disposable VMs (via disp_files.txt): 1. snapshots/volatile volumes for disposable VMs that were not shutdown correctly in the past (found in /dev/qubes_dom0/ and /dev/mapper/ ) 2. xml config files for the same in /etc/libvirt/libxl/ and /run/libvirt/libxl/ 3. appmenus for the same in /home/admin/.local/share/ 4. qrexec files for the same in /run/qubes/ 5. qubes.db pid and sock files for the same in /run/qubes/ 6. linux mapper links for the same in /run/udev/links/{\x2fmapper,\x2fqubes_dom0}/ 7. directories for the above in /var/lib/qubes/appvms/ 8. libxl logs for every(!!!) disposable VM ever run in this Qubes install in /var/log/libvirt/libxl/ 9. qubes logs for every(!!!) disposable VM ever run in this Qubes install in /var/log/qubes/ 10. xen console logs for every(!!!!) disposable VM ever run in this Qubes install in /var/log/xen/console/ Some finding related to files *containing* references to disposable VMs in dom0 (via disp_contents.txt): 1. Current and many historical disposable VM references are found in files in /run/udev/data/b253* files/nodes. 2. xfwm4*.state files in /home/admin/.cache/sessions/ contains *many references* to disposable VM *WINDOW TITLES* (application names, web site names, etc.) since the installation of the Qubes install (as well as current session). 3. .xsession-errors* in ~ reference many disposable VM names 4. /home/admin/.config/pulse/{guid}-stream-volumes.tdb a binary file appears to have 0..n matches on disp[0-9]. 5. /etc/lvm/backup/qubes_dom0 has current disp VM names plus some that weren't shutdown cleanly. 6. /etc/lvm/backup/qubes_dom0_* files have historical disp VM names. 7. /var/log/qubes/qubes.log* references historical disp VM names. 8. The systemd journal has a ton of historical disp VM references. 9. /var/lib/qubes/qubes.xml contains a lot of historical disp VM references. 10. /var/lib/backups/qubes/qubes*.xml contains a lot of historical disp VM references. 11. /var/lib/xen/userdata* contains a lot of historical disp VM references. 12. /var/lib/logrotate/logrotate.status contains a lot of historical disp VM references. **Describe the solution you'd like** 1. Triage of types of data leaking into dom0. 2. Based on types of data, develop a Qubes policy on eliminating, reducing, cleaning or ignoring the leaked data. 3. Based on type/policy, institute efforts to reduce the content stored into dom0 (at all vs. short term vs long term). **Where is the value to a user, and who might that user be?** All users who may want the historical content of the disposable VM usage not to be memorialized. Journalists, security researchers, etc. **Describe alternatives you've considered** None appear to cover 100% of use cases. Perhaps TAILS in an HVM might reduce it the most. **Additional context** **Relevant [documentation](https://www.qubes-os.org/doc/) you've consulted** **Related, [non-duplicate](https://www.qubes-os.org/doc/reporting-bugs/#new-issues-should-not-be-duplicates-of-existing-issues) issues** #3504 (similar, but does not provide a focus on specific leakage into dom0) #4408 (anti-forensics on swap files only) #1819 (anti-forensics request only covers the block devices for the VM) #1293 (similar to 1819) #3360 (specific to dom0 logging only) #2024 (emulating Tails' approach, dom0 leakage still possible)