Idea
- Any update or change to the template of your service qubes carries the risk of a hidden error that makes your service qubes unbootable.
- A separate template / disposable template used only for service qubes should reduce this threat.
- One complete step-by-step guide saves the time otherwise spent searching for details that are not mentioned elsewhere …
- There are a few guides around this topic, but none of them covers all aspects, so one has to jump between multiple sources.
Thoughts
- Building a separate template for each service qube is space-consuming, as the system disk of each template uses about 10 to 20 GB.
- Using a minimal template as the base for the “sys-…” qubes reduces the number of packages and therefore the needed space and the attack surface.
- As an additional security measure, we’ll make the service qubes disposable.
- It should work starting with either “fedora-xx-minimal” or “debian-xx-minimal”. The work is nearly the same, and we can use the official Qubes documentation for this installation part.
- As the discussion about this guide showed, I didn’t see the point of hardening the template. Until a solution for this is found, I’ll state a big
WARNING
- The new “sys-mini” template isn’t hardened in any way, which may open attack vectors that are already closed in the default templates. Even though the guide itself is complete, you must be aware that it doesn’t cover any aspect of hardening.
- Installing and configuring AppArmor, SELinux or grsecurity is left open.
So even if the guide itself is no rocket science and almost any user should be able to follow it, it’s this part you should be aware of before starting.
Requirements
- You’ll need Qubes OS 4.3, as we are using some enhancements of the Qubes GUI tools that were not available before.
- You should have basic knowledge of how to use the different Qubes GUI tools.
- You should be able to use a terminal in dom0.
What we will get:
- One very small template as the base for our service qubes: “sys-mini”
- One named disposable template, “sys-mini-dvm”, between “sys-mini” and the service qubes
- New disposable service qubes: “sys-net”, “sys-firewall”, “sys-usb”
- The possibility of easily building additional service qubes, for example “sys-vpn”, “sys-audio”, …
It would be nice
- to get this guide checked by some users, experienced or not
- any improvements are welcome
There’s the problem of seeing the single trees, but not the complete forest …
Let’s start:
The first step is to create “sys-mini” and prepare it with the needed packages:
- Use the Template Manager to install the minimal template of your choice.
- Make a clone of it and name it “sys-mini”.
- Follow this doc (Minimal templates — Qubes OS Documentation) to install
  - passwordless root
  - xfce4-terminal, thunar and qubes-core-agent-thunar (mostly for convenience)
- Shut down “sys-mini” and change its applications: add xfce4-terminal and thunar.
- Restart “sys-mini” and from now on use xfce4-terminal, so that copy and paste are available.
- Resume following the doc:
Install the needed packages for your planned tasks:
- “sys-net”: look at NetVM
- “sys-firewall”: look at FirewallVM
- “sys-usb”: look at USB qube
- Maybe you’ve installed some more service qubes like sys-vpn. In that case you should know what you’ve done to make them run, and repeat your work.
- Don’t forget to install the needed firmware packages for your wifi or ethernet device!
- Shut down sys-mini.
Now we’ll create “sys-mini-dvm” as a named disposable template for all service qubes.
For this, start a terminal in dom0 (only three commands, as I found no way to do this in the Qubes Manager):
user@dom0:~$ qvm-create --template sys-mini --label black sys-mini-dvm
user@dom0:~$ qvm-prefs sys-mini-dvm template_for_dispvms True
user@dom0:~$ qvm-features sys-mini-dvm appmenus-dispvm 1
(It’s ok to use --label black for sys-mini-dvm, as it is as safe as any other template, as long as you don’t expose it to the internet.)
Now that it exists, we can use the Qubes Manager to configure “sys-mini-dvm” for our needs.
- Choose “sys-mini-dvm” and click “Settings”
  - Settings: Basic
    - Net qube: “none”
  - Settings: Advanced
    - Default disposable template: “none”
  - Settings: Applications
    - Xfce Terminal, Thunar File Manager
We are ready to create the new service qubes:
Be aware: Your old service qubes are still running and many global settings depend on them. We will not touch them, until we are sure the new qubes will do their work. That’s why we’ll create the new qubes with “-new” appended to their names.
sys-net
- Click “New qube”, use “Named disposable”
  - Name: sys-net-new
  - Label: red
  - Disposable qube template: sys-mini-dvm
  - Network: choose “No network connection”
  - Applications: xfce4-terminal, thunar
  - Advanced Options: tick “Provides network access to other qubes”
- Choose “sys-net-new” and click “Settings”
  - Settings: Advanced
    - Initial memory: 300 MiB
    - Max memory: 300 MiB
    - Untick “Include in memory balancing”
    - Default disposable template: “none”
    - Virtualization - Mode: “HVM”
  - Settings: Devices
    - Choose your network devices
  - Settings: Applications
    - Xfce Terminal, Thunar File Manager
  - Settings: Services
    - Choose (custom…) - Add, name of the service: “minimal-netvm”
    - Choose (custom…) - Add, name of the service: “clocksync”
sys-firewall
- Click “New qube”, use “Named disposable”
  - Name: sys-firewall-new
  - Label: green
  - Disposable qube template: sys-mini-dvm
  - Network: choose “sys-net-new”
  - Applications: xfce4-terminal, thunar
  - Advanced Options: tick “Provides network access to other qubes”
- Choose “sys-firewall-new” and click “Settings”
  - Settings: Advanced
    - Initial memory: 400 MiB
    - Max memory: 3000 MiB
    - Default disposable template: “none”
    - Virtualization - Mode: “HVM”
  - Settings: Applications
    - Xfce Terminal, Thunar File Manager
  - Settings: Services
    - Choose (custom…) - Add, name of the service: “qubes-updates-proxy”
sys-usb
- Click “New qube”, use “Named disposable”
  - Name: sys-usb-new
  - Label: red
  - Disposable qube template: sys-mini-dvm
  - Network: choose “No network connection”
  - Applications: xfce4-terminal, thunar
- Choose “sys-usb-new” and click “Settings”
  - Settings: Advanced
    - Initial memory: 300 MiB
    - Max memory: 300 MiB
    - Untick “Include in memory balancing”
    - Default disposable template: “none”
    - Virtualization - Mode: “HVM”
  - Settings: Devices
    - Choose your USB devices
  - Settings: Applications
    - Xfce Terminal, Thunar File Manager
  - Settings: Services
    - Choose (custom…) - Add, name of the service: “minimal-usbvm”
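The three service qubes above, created from a dom0 terminal with the qvm-* tools instead of Qubes Manager, as an added example that is not part of the original guide. The script assumes that maxmem 0 is what an unticked “Include in memory balancing” box sets (Qubes 4.1 and later) and leaves the hardware-specific PCI attachment (Settings: Devices) to a commented qvm-pci placeholder.

```shell
#!/bin/bash
# Added example, not from the original guide: create one of the guide's
# named-disposable service qubes from a dom0 terminal instead of Qubes Manager.
# Usage in dom0:  ./mk-sys-qube.sh net|firewall|usb
# With DRY_RUN=1 the qvm-* commands are printed instead of executed.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# make_service_qube NAME LABEL NETVM INITMEM MAXMEM PROVIDES_NET SERVICE...
# NETVM '' means "No network connection". MAXMEM 0 is assumed to be what an
# unticked "Include in memory balancing" box sets (Qubes 4.1 and later).
make_service_qube() {
    local name=$1 label=$2 netvm=$3 initmem=$4 maxmem=$5 provides=$6
    shift 6
    run qvm-create --class DispVM --template sys-mini-dvm --label "$label" "$name"
    run qvm-prefs "$name" netvm "$netvm"
    run qvm-prefs "$name" virt_mode hvm            # Virtualization mode: HVM
    run qvm-prefs "$name" default_dispvm ''        # Default disposable template: none
    run qvm-prefs "$name" memory "$initmem"
    run qvm-prefs "$name" maxmem "$maxmem"
    run qvm-prefs "$name" provides_network "$provides"
    local svc
    for svc in "$@"; do                            # Settings > Services > (custom...) Add
        run qvm-service --enable "$name" "$svc"
    done
    # Settings > Devices is hardware specific and not scripted here; the dom0
    # equivalent is  qvm-pci attach --persistent "$name" dom0:<BDF>  (placeholder BDF)
}

case "${1:-}" in
    net)      make_service_qube sys-net-new      red   ''          300 0    True  minimal-netvm clocksync ;;
    firewall) make_service_qube sys-firewall-new green sys-net-new 400 3000 True  qubes-updates-proxy ;;
    usb)      make_service_qube sys-usb-new      red   ''          300 0    False minimal-usbvm ;;
    '')       ;;                                   # no argument: only define the functions
    *)        echo "usage: $0 net|firewall|usb" >&2; exit 2 ;;
esac
```

Run it with DRY_RUN=1 first to review the exact qvm-* calls before they touch dom0.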
It’s time to check our work!
Keep in mind: we haven’t changed any global settings.
- During the next tests we will have some problems using USB devices.
- It is not a good idea to use the Update Manager now.
- sys-whonix shouldn’t be started, as it still depends on your old “sys-net” and “sys-firewall”.
- Maybe it’s a good idea to save this guide locally, as you’ll need to stop all virtual machines connected to the net!
Stop “sys-net” and “sys-firewall”.
Start “sys-net-new”.
- If sys-net-new refuses to start, most probably one of your network devices needs “strict reset”.
- If the Network Manager applet appears and you are able to see and connect to your network connections, all is good.
- On any other problem, recheck the steps above.

Start “sys-firewall-new”.
- Change the network setting of “personal” (for example) to “sys-firewall-new”, start it and check if you can reach the web!
- On any problem, recheck the steps above.

Stop “sys-usb” and start “sys-usb-new”.
- Your devices should get disconnected and should reappear, now connected to “sys-usb-new”.
- For me, I got a system message that my USB mouse and USB keyboard were denied input to dom0. That’s normal!
- On any other problem, recheck the steps above.

If everything has worked as expected so far, we’ve done the main work. Now we can change the system to fully use the new service qubes:
Changing the system
- Rename “sys-net” to “sys-net-old”, “sys-firewall” to “sys-firewall-old” and “sys-usb” to “sys-usb-old”.
- Untick the “autostart” setting of each.
- Stop “sys-net-new”, “sys-firewall-new” and “sys-usb-new” and rename them to “sys-net”, “sys-firewall” and “sys-usb”.
- Tick the “autostart” setting of each.
- If needed, open the settings of “sys-firewall” and change its network to “sys-net”.
- Restart the new service qubes, now correctly named.
- Check and change the network settings of all qubes; maybe they still use “sys-firewall-old”?!

Open the “Global Settings Manager” and check that all settings point to the correct qubes.
After this your USB mouse and USB keyboard should work correctly even in dom0. Maybe you’ll need to restart “sys-usb”.
Start the Update Manager and make a full update to see if all these settings are correct.
Last check: restart your Qubes system! It should run without any problems.
Worth mentioning, but not enough for another guide …
Without being an expert in hardening a Linux system, it makes no sense to compete with the Qubes team. They have already done this work for the standard debian-XX-xfce and fedora-XX-xfce templates.
As long as they don’t release hardened minimal templates, it could be sensible to use this guide but start with an xfce template to clone.
In that case, instead of installing the needed packages, the task is to strip down all unneeded packages. You have to install the needed packages for your hardware only.
If anyone is able to give a list of needed packages, I would be glad to append it to this guide!
I’ll close my work on this guide now, but I’ll follow the discussion …