Mirage-firewall DispVM Template

librelifer · April 7, 2023, 7:17pm

Would it make sense to have the mirage-firewall be available as a template, which could operate as a
disposable VM in the event there is an exploitable vulnerability?

Pete · April 15, 2023, 9:59am

Here’s a saltstack script which downloads and installs the mirage firewall:

gist.github.com

https://gist.github.com/100111001/4eca0f78ed69d597d562a1515168fa6c

SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls

# How to install the superlight mirage-firewall for Qubes OS by using saltstack
# Tested on Qubes v4.1 and mirage v0.8.4
# No integrity checks are performed. Latest release version of mirage is downloaded and installed into dom0
# After the install, you have to switch your AppVMs to use the mirage firewall vm created by this script
# inspired by: https://github.com/one7two99/my-qubes/tree/master/mirage-firewall

{% set DownloadVMTemplate = "fedora-37" %}
{% set DispVM = "fedora-37-dvm" %}

{% set DownloadVM = "mirageDownloadVM" %}

This file has been truncated. show original

Based on this bash script:

oijawyuh · April 15, 2023, 6:11pm

How can I run this saltstack script? Would you be kind to share instructions? Thank you.

augsch · April 16, 2023, 9:47am

AFAIK mirage-firewall itself is stateless. It won’t store data that is persistent across reboots.

palainp · April 16, 2023, 10:36am

it doesn’t even onboard the concept of storage apart into memory

Pete · April 16, 2023, 7:15pm

If you want to get familiar with saltstack on qubes, I recommend this page:

If you don’t know how to use salt and still want to create a mirage firewall with a script, I’d rather recommend the bash script to be run in dom0:

oijawyuh · April 17, 2023, 1:38pm

Thanks. One more question. If you create a mirage firewall with a script in a Fedora Qube, is it expected that the sha512 checksum / hash of the output, the mirage-firewall.tar.bz2 file, to match the one posted here https://github.com/mirage/qubes-mirage-firewall/releases/download/v0.8.4/mirage-firewall.tar.bz2 ?

augsch · April 17, 2023, 2:07pm

I guess yes, because the built binary is reproducible.

palainp · April 17, 2023, 2:39pm

You have to use sha256sum vmlinuz (not 512, and not the archive tarbal), and yes it should

EDIT: not sure if you think about compile it by yourself (it should with the build_with_docker script in the qubes-mirage-firewall github repo), or you want to check the vmlinuz hash sum after downloading (in that case it should if you download the latest release).

oijawyuh · April 17, 2023, 3:31pm

I compiled the mirage-firewall twice following the qubes-mirage-firewall github repo instructions in fedora-37 Qube, and using build_with_docker script.

And I downloaded the mirage firwall pre-compiled twice using different internet sources.

sha256 for vmlinuz in both compiled versions is the same: 848714b3d8e1d06d83e77ee688c32796f353fcafa7d8643db0e4d889b568e36e.

sha256 for the vmlinuz pre-compiled downloaded from github is the same: 55a2f823d66473c7d0be66a93289d48b6557f18c9257c6f98aa5a4583663d3c2.

So no, vmlinuz is not the same in the pre-compiled published version and the compiled version. Does this mean there’s a problem somewhere?

palainp · April 17, 2023, 4:21pm

Yes, something isn’t clear here. I’ll check that tomorow.

palainp · April 17, 2023, 4:56pm

Oh I think we’re into Reproducibilty considerations and tweaks · Issue #165 · mirage/qubes-mirage-firewall · GitHub and 3 weeks ago some package has been updated leading into that bad hashsum.

I also have the same docker hashsum as yours into my github actions (Main workflow · palainp/qubes-mirage-firewall@609f529 · GitHub) and I’ll PR to update to the right hashsum.

Thanks for the report!

Pete · April 20, 2023, 12:56pm

The salt script fails if the check sum differs from the docker build according to this comment: Qubes R4.1 · Issue #173 · mirage/qubes-mirage-firewall · GitHub

librelifer · April 22, 2023, 10:35pm

I realized there is a simpler way. You just create the template and then in the settings window → Advanced
tab, you can check disposable template. Way simpler