Qubes QubesOS Build Security & Reproducible Builds (Qubes Is A Honeypot Response)

How is the source code for the Xen hypervisor (dom0), Fedora, Debian all obtained, keys verified and then compiled?

→ A custom Python script had to be developed to both download and check the signatures of all the Xen, Fedora and Debian dependencies and download them over a secure SSL/TLS channel.

What compiler is used to compile Qubes/Xen/Fedora/Debian?

This is not made clear by the developers, i.e. is it the GNU C compiler, GCC?

Does Qubes use reproducible builds? (Detects build infrastructure tampering and code injection by detecting differences in the hashes of equivalent packages, which are reproducible across different dev infrastructures.) Qubes has SOME reproducible builds listed here:

https://qubesos.gitlab.io/qubes-g2g-report/
https://reproducible-builds.org/who/projects/
https://beta.tests.reproducible-builds.org/qubesos.html
https://mirror.notset.fr/qubes/rebuild/deb/r4.1/vm/sources/

Hardened Toolchains

→ I haven’t seen much on hardened toolchains as compared with Gentoo:

https://wiki.gentoo.org/wiki/Hardened/Toolchain#Changes

→ What about hardened C libraries like muslc? What about the C libraries used in Xen or Fedora or Debian? Are those hardened C libraries? Do Debian and Fedora use PIE (Position Independent Executables)? Does Xen have any toolchain or C library hardening, or PIE?

Here are the distros which have active reproducible builds:

https://reproducible-builds.org/citests/

The whole build is not reproducible yet, if that’s what you’re asking:

Having reproducible builds is important from a supply chain attack standpoint. Here are the distros with
active reproducible builds:

https://reproducible-builds.org/citests/

Do you think we don’t know that and we are not actively working on that subject? Reproducible builds for Debian: a big step forward | Qubes OS


Are there reproducible builds for Xen (Fedora doesn’t have them anymore)? What about hardened C libraries like muslc? More information on which compiler is being used (GCC?), and on hardened toolchains as described by the hardened Gentoo project:

Stack Smashing Protection (SSP)
FORTIFY_SOURCE
Position Independent Executables (PIE)
Stack clash protection
RELRO
Control Flow Technology (CET)

muslc:

https://wiki.gentoo.org/wiki/Project:Hardened_musl
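One way to answer the PIE / RELRO / SSP questions above for actual Fedora or Debian binaries instead of waiting for documentation, as an added example that is not part of this thread or of any Qubes tooling: a small ELF64 inspector in Python that reports PIE, RELRO level, NX stack and the stack-protector symbol heuristic, run here against two constructed sample images rather than real files. It does not cover CET (the GNU property note) or FORTIFY_SOURCE, and the `make_elf` helper and both sample images are constructed for the demonstration.

```python
import struct

# ELF constants used below (values as in the System V ABI / glibc elf.h)
ET_DYN, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 3, 2, 0x6474E551, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW, PF_X = 0, 30, 0x6FFFFFFB, 0x8, 0x1, 0x1

def elf_hardening(data: bytes) -> dict:
    """Report PIE, RELRO, NX-stack and stack-canary status of a 64-bit little-endian ELF."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF images are handled here")
    e_type, e_phoff = struct.unpack_from("<H", data, 16)[0], struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro, dyn_off, nx = False, None, None  # nx stays None if PT_GNU_STACK is absent
    for i in range(e_phnum):
        p_type, p_flags, p_offset = struct.unpack_from("<IIQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off = p_offset
        elif p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    bind_now = False
    while dyn_off is not None:  # walk Elf64_Dyn entries until DT_NULL
        d_tag, d_val = struct.unpack_from("<qQ", data, dyn_off)
        if d_tag == DT_NULL:
            break
        if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
            bind_now = True
        dyn_off += 16
    return {
        "pie": e_type == ET_DYN,  # an ET_DYN executable is position independent
        "relro": ("full" if bind_now else "partial") if relro else "none",
        "nx_stack": nx,
        "canary": b"__stack_chk_fail" in data,  # same symbol heuristic checksec uses for SSP
    }

def make_elf(e_type: int, phdrs, tail: bytes = b"") -> bytes:
    """Constructed, non-loadable ELF64 skeleton: header, program headers, then `tail` bytes."""
    phoff, phentsize = 64, 56
    tail_off = phoff + phentsize * len(phdrs)  # PT_DYNAMIC, if any, points at `tail`
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, phoff, 0, 0, 64, phentsize, len(phdrs), 64, 0, 0)
    phdrs_bin = b"".join(struct.pack("<IIQQQQQQ", t, f, tail_off if t == PT_DYNAMIC else 0, 0, 0, 0, 0, 0)
                         for t, f in phdrs)
    return ehdr + phdrs_bin + tail

# Two constructed samples: a fully hardened PIE and a legacy non-PIE binary with an executable stack.
HARDENED = make_elf(ET_DYN, [(PT_GNU_RELRO, 4), (PT_GNU_STACK, 6), (PT_DYNAMIC, 6)],
                    struct.pack("<qQqQ", DT_FLAGS_1, DF_1_NOW, DT_NULL, 0) + b"\0__stack_chk_fail\0")
LEGACY = make_elf(2, [(PT_GNU_STACK, 7)])  # e_type 2 = ET_EXEC, RWX stack, no dynamic section
```

On a real system, call `elf_hardening(open(path, "rb").read())` over `/usr/bin` in a Fedora or Debian template to get a per-binary table; a missing PT_GNU_STACK is reported as `None` because the kernel default then decides.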