[qubes-users] Re: Is it possible to build any BSD template on QubesOS?

I have pfSense (BSD) installed, and working fine for over 6 mos now, as my network IDPS on the external interface. Went OCD and created a complete installation guide and integration script.
It’s a bit long and detailed but it works like a charm:

I managed to get an OpenBSD template sort of working a while back. I
was able to get networking and storage to work, and X11 worked via
emulated VGA, but I ultimately gave up because of some clashes on the
OpenBSD mailing lists. A proper integration would require substantial
additions to the OpenBSD kernel:

- nullfs (BSD version of bind mounts) for /home and /usr/local. The
  workaround (a loopback NFS mount) is not something I would be okay
  with for production use.
- Hardened xnf(4) (netfront) and xbf(4) (blkfront) drivers. The current
  drivers are not safe in the presence of malicious backends.
- Userspace access to Xen event channels and grant tables, so that
  libvchan and gui-agent can work.

Additionally, a Xen-aware bootloader would be needed if booting other
than in HVM mode is desired.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Yeah, a more integrated BSD OS would be nice. Something like Windows tools. The only GUI I’d be interested in though is macOS.

In this case, I’m just running the CLI and using the webapp for management. Sure, it’s an HVM and is more isolated and more resource hungry. Yet it’s a lot like my stand-alone pfSense box. It just works. And over the months I’ve gone back to my integration guide/script and refined it.

Keep in mind that I answered the OP’s question for the use case where “any” means an HVM with a CLI and using a webapp for “GUI” management. The integration guide/script is optional for people wanting to replicate my implementation of pfSense/OPNsense.

BTW, could you expound a little on your concern for xnf(4) (netfront) and xbf(4) (blkfront) drivers? Or point me to a reference? I wish to better understand your concern for threat vectors.

Right now, the OpenBSD netfront and netback drivers are not hardened
against malicious backends, so they can be attacked by malicious
backends.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab