I am setting up a Qubes machine as a home server, which can be booted from LAN using dropbear.
I know there are security implications of installing packages in dom0 and enabling networking during boot time, but I assume it is still by far more secure to use Qubes in such a configuration than another monolithic OS.
AntiEvilMaid or TrenchBoot would be one benefit of choosing network-bootable Qubes as the server OS.
I am stuck, maybe because Qubes is restricting the network dracut module in some way.
Could anyone help me, please?
The steps I have taken so far are below:
```
git clone https://github.com/dracut-crypt-ssh/dracut-crypt-ssh.git
tar -c dracut-crypt-ssh -f tarfile
```
Make and install dracut-crypt-ssh in dom0:
```
sudo qubes-dom0-update make gcc dracut-network libblkid-devel dropbear
qvm-run -p dispXXXX cat /home/user/tarfile > tarfile
tar -x -f tarfile
cd dracut-crypt-ssh
./configure
make
sudo make install
sudo vim /etc/default/grub
```
```
Dec 02 21:40:01 dom0 dracut[53474]: dracut module 'network-legacy' will not be installed, because command 'dhclient' could not be found!
Dec 02 21:40:01 dom0 dracut[53474]: dracut module 'network' will not be installed, because it's in the list to be omitted!
Dec 02 21:40:01 dom0 dracut[53474]: dracut module 'network' will not be installed, because it's in the list to be omitted!
Dec 02 21:40:01 dom0 dracut[53474]: dracut module 'ifcfg' depends on 'network', which can't be installed
Dec 02 21:40:01 dom0 dracut[53474]: dracut module 'crypt-ssh' depends on 'network', which can't be installed
Dec 02 21:40:01 dom0 dracut[53474]: dracut module 'kernel-network-modules' will not be installed, because it's in the list to be omitted!
```
Your network controller is hidden from dom0, you need to exclude it from being hidden from dom0.
Edit this file in dom0: `/usr/lib/dracut/modules.d/90qubes-pciback/qubes-pciback.sh`
```
if getargbool 0 rd.qubes.hide_all_usb; then
    # Select all networking and USB devices
    re='0(2|c03)'
elif ! getargbool 1 usbcore.authorized_default; then
    # Select only networking devices, but enable USBguard
    re='02'
    usb_in_dom0=true
else
    re='02'
    warn 'USB in dom0 is not restricted. Consider rd.qubes.hide_all_usb or usbcore.authorized_default=0.'
fi

HIDE_PCI=$(set -o pipefail; { lspci -mm -n | awk "/^[^ ]* \"$re/ {print \$1}";}) ||
    die 'Cannot obtain list of PCI devices to unbind.'
```
Change `re='0(2|c03)'` to `re='0c03'`.
Change all `re='02'` to `re='^$'`.
Edit this file in dom0: `/usr/lib/dracut/dracut.conf.d/30-qubes.conf`
And comment out this:
```
# Omission of network and kernel-network-modules is needed
# to avoid letting the initramfs load kernel modules related
# to networking, even if PCI devices are seized by Xen's
# pciback kernel module.
omit_dracutmodules+=" network kernel-network-modules "
```
I didn't test this; maybe there are more things to do.
Where 00:xx.x is your PCI network controller that you want to add to dom0.
But keep in mind that the PCI address could change if you change your PC hardware configuration.
I spent another whole day, lacking experience in configuring grub and dracut, but I finally made it!
Just commenting out `re='02'` means `$re` returns a blank and it matches anything, resulting in `$HIDE_PCI` getting all PCI slot numbers. `re='^$'` would be fine instead.
After fixing this Qubes dracut module and modifying some dropbear module config, from the ssh client:
```
ssh root@192.168.100.254 -p 222 console_auth
```
Then, after entering the LUKS password, Qubes will boot (the unlock command over ssh did not work as written in the dracut-crypt-ssh documentation).
I am not sure if this grub config works, but in the end it worked with:
```
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX rd.neednet=1 ip=192.168.100.254::192.168.100.1:24::enp4s0:none"
```
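As an added illustration (not part of the thread), the following replays the `HIDE_PCI` filter from qubes-pciback.sh against a constructed `lspci -mm -n` listing, so the effect of each `re` value discussed above can be checked before touching dom0; the device list, `hide_pci_for` function name and class codes are assumptions chosen for the example.

```shell
# Added example, not from the thread or the Qubes project. The lspci output
# below is constructed: a host bridge (0600), two USB controllers (0c03),
# an audio device (0403) and one Ethernet controller (0200).
SAMPLE_LSPCI='00:00.0 "0600" "8086" "3e1f" -r08 "1458" "5000"
00:14.0 "0c03" "8086" "a36d" -r10 "1458" "5007"
00:1f.3 "0403" "8086" "a348" -r10 "1458" "a182"
04:00.0 "0200" "10ec" "8168" -r15 "1458" "e000"
05:00.0 "0c03" "1b21" "1242" -r00 "1458" "5007"'

# Same awk filter as qubes-pciback.sh: $re is interpolated into the awk
# program and matched against the start of the quoted class-code field.
# Prints the slots that would be hidden from dom0, space-separated.
hide_pci_for() {
    re="$1"
    printf '%s\n' "$SAMPLE_LSPCI" \
        | awk "/^[^ ]* \"$re/ {print \$1}" \
        | tr '\n' ' ' | sed 's/ $//'
}

# '0(2|c03)' hides network + USB, '02' only network, '0c03' only USB.
# An empty re (the result of commenting the assignment out) matches every
# device, which is the pitfall noted above; '^$' can never match and
# therefore hides nothing.
for re in '0(2|c03)' '02' '0c03' '' '^$'; do
    printf "re='%s' -> hidden: %s\n" "$re" "$(hide_pci_for "$re")"
done
```

Run in any POSIX shell; only the constructed string is inspected, so nothing on the host is unbound.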