Hi everyone,
I’ve been considering a method for creating disposable sys-* VMs, and I’d love to hear your thoughts on it.
In many cases, I prefer to use a custom template for each disposable. I want to keep root filesystems minimal to reduce attack surface and I aim to avoid installing proprietary (thus untrusted) firmware like sys-net firmware on other VMs’ templates.
This results in a separate template being used for each sys-* VM, which kind of defeats the point of Qubes’ template-based approach. To simplify, I thought of condensing the usual
TemplateVM → AppVM (disposable template) → DispVM
setup to
StandaloneVM → DispVM.
Some advantages I can think of are
- Fewer VMs overall (no intermediate AppVM), reducing clutter.
- Easier management since both root and home are managed in one place.
- Might slightly reduce the startup time and resource overhead of the disposable (?)
I’ve found that setting template-for-dispvms to true for a standalone VM works well. For security, I also set its netVM to none. The standalone can access the update proxy by enabling updates-proxy-setup and giving it appropriate RPC permissions.
I haven’t seen any discussion on this approach though. Are there any reasons to avoid it? Any security concerns I should be aware of?
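For readers who want to try the setup described above, here it is as dom0 shell commands; this is an added example, not part of the original post or the Qubes project. The qube names sys-foo-tpl and sys-foo, sys-net as the proxy target, and the Qubes 4.1+ policy file path are assumptions.

```shell
#!/bin/bash
# dom0 helper: turn a StandaloneVM into a disposable template and build a
# named disposable from it. All names below are assumptions, not defaults.
set -eu
TPL=${TPL:-sys-foo-tpl}            # the StandaloneVM acting as disposable template
DISP=${DISP:-sys-foo}              # the named disposable built from it
PROXY_VM=${PROXY_VM:-sys-net}      # qube that serves qubes.UpdatesProxy
POLICY=${POLICY:-/etc/qubes/policy.d/30-user.policy}   # 4.1+ policy format assumed
DRY_RUN=${DRY_RUN:-0}              # DRY_RUN=1 prints commands instead of running them

q() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Standalone: allow disposables from it, no netvm, fetch updates via the proxy.
configure_standalone() {
  q qvm-prefs "$TPL" template_for_dispvms True
  q qvm-prefs "$TPL" netvm ''
  q qvm-service --enable "$TPL" updates-proxy-setup
}

# Policy line that lets only this standalone (not every qube) call the proxy.
policy_line() {
  printf 'qubes.UpdatesProxy * %s @default allow target=%s\n' "$TPL" "$PROXY_VM"
}

install_policy() {
  if [ "$DRY_RUN" = 1 ]; then policy_line; else policy_line >> "$POLICY"; fi
}

# The named disposable is the actual sys-* qube; set its netvm per its role.
create_disposable() {
  q qvm-create --class DispVM --template "$TPL" --label red "$DISP"
  q qvm-features "$DISP" appmenus-dispvm ''
}

# Check the two settings the post relies on; non-zero exit if either is off.
check_standalone() {
  [ "$(qvm-prefs "$TPL" template_for_dispvms)" = True ] &&
  [ -z "$(qvm-prefs "$TPL" netvm)" ]
}

if [ "${1:-}" = apply ]; then
  configure_standalone; install_policy; create_disposable; check_standalone
fi
```

For sys-net or sys-usb, the usual extra steps for the disposable (virt_mode hvm, attaching the PCI devices, provides_network) still apply, as in the Qubes disposable-customization docs.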