Security implications of clear text communication between qubes

Would like some input regarding the (in)security of clear-text communication between qubes.

Am I correct in assuming that most concern is with the receiving vm?

I guess the qrexec-client-vm stores retrieved data in memory for a while?

One (only one) aspect:

Establishing a data-sharing relationship from a less trusted qube to a more trusted qube makes it very difficult to guarantee the integrity (hence trustworthiness) of the originally more trusted qube.

Some will make the choice to consider that qube tainted and downgrade its trust level to the trust level of the less trusted qube, where the data came from.

To avoid that, the guideline “never copy data from a less trusted qube to a more trusted qube” can be followed.

In a default Qubes OS deployment, that is why there aren’t many convenience tools to copy data into dom0, while those tools exist for other qubes. The idea is that as the most trusted qube, ideally, no data should be copied to dom0, and special precautions should be taken when it is (see official docs about the secure updates mechanism).

Note: The risks associated with sharing data from less trusted to more trusted qubes are independent of whether that data is encrypted or not.

More on these ideas: Biba Model - Wikipedia

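As an added illustration of the "never copy data from a less trusted qube to a more trusted qube" guideline (not part of the thread and not Qubes OS code): a Python check that reads qrexec policy lines for `qubes.Filecopy` and flags rules permitting a flow toward a more trusted qube. The numeric trust ranking, the qube names and the sample policy are constructed assumptions; Qubes OS itself assigns no numeric trust levels.

```python
# Added example: audit qrexec policy lines against a Biba-style "no write up" rule.
# ASSUMPTION: trust ranking chosen by the user; higher number = more trusted.
TRUST = {"untrusted": 0, "personal": 1, "work": 2, "vault": 3}

# Services that deliver data from the source qube into the destination qube.
DATA_IN_SERVICES = {"qubes.Filecopy"}

# Constructed sample in the "service argument source destination action" layout.
SAMPLE_POLICY = """\
# constructed sample, not a real deployment
qubes.Filecopy  *  work       vault      allow
qubes.Filecopy  *  untrusted  work       ask
qubes.Filecopy  *  vault      personal   allow
qubes.Filecopy  *  untrusted  vault      deny
qubes.Filecopy  *  @anyvm     @anyvm     ask
"""

def parse_rule(line):
    """Return (service, arg, source, dest, action), or None for non-rule lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("!"):      # blank, comment or directive line
        return None
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"malformed policy line: {line!r}")
    return tuple(fields[:5])

def audit(policy_text, trust=TRUST, services=DATA_IN_SERVICES):
    """Check each rule on its own; first-match ordering is not evaluated."""
    findings = []
    for n, raw in enumerate(policy_text.splitlines(), 1):
        rule = parse_rule(raw)
        if rule is None:
            continue
        service, _arg, src, dst, action = rule
        if service not in services or action == "deny":
            continue
        if src.startswith("@") or dst.startswith("@"):
            findings.append((n, "review", src, dst))        # token: cannot be ranked
        elif src not in trust or dst not in trust:
            findings.append((n, "unknown-qube", src, dst))
        elif trust[src] < trust[dst]:
            findings.append((n, "write-up", src, dst))      # low -> high integrity
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print(finding)
```

An `ask` rule is flagged as well, since it still lets the flow happen once the user confirms it.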