Sys-net disposable? (4.1 rc)

For those using minimal VMs (advanced users) it is possible to put passwords for the most frequent wi-fi APs in the disposableVM template.
I think that reduces the annoyance of entering the password each time on every reboot.
But you need the one template just for that, otherwise you introduce security risks. (I think)

2 Likes

Not possible even for minimal templates, as equbes wrote:

So if you’re an advanced user, you can try to persist the passwords in the mentioned files.

Would you mind sharing the commands?
I like to be able to switch back in case I change my mind.

1 Like

I cannot enter only my home WIFI password into the disposable sys-net template so I get the best of both worlds, no persistence after reboot but it does remember the one or two most frequently used networks? Or would that defeat the purpose?

Commands are as follows and can be read here.

Cons for using a sys-net from a disp template:

  • while LAN is always connected, you have to choose WLAN and insert WLAN key on every new boot up

Cons for using sys-usb from a disp template:

  • if you don’t have a PS/2 keyboard and created a sys-usb qube, you run into trouble, because disposable qubes can’t be restarted (they just have to be shut down and then started right after, in 2 steps)

3 Likes

I have two questions about sys-net disposable. And excuse my lack of knowledge. The answer could have been already in this thread, but I need to verify.

I currently have wifi set to “disable” on boot (via a command in /rw/config/rc.local). How can I replicate that when I have a disposable? I mostly use ethernet connection.

I currently have MAC address randomization in sys-net. How is that implemented in a disposable sys-net?

Thanks in advance for your answers and time.

You can do this the same way as you did - in /rw/config/rc.local in the disposable, but you don’t need this anymore in a disposable VM. Whenever sys-net starts, it has forgotten the Wifi password/key and so you always need to enter it again (and again on every new bootup). So without entering the password the wifi can’t connect to any wifi network.

Same with the MAC randomisation - you always have to set it up anew on every new bootup (sys-net start) or enable the switch under /rw/config/rc.local…

1 Like

I have my Wifi password in my vault and when I need my WLAN I just copy it. It’s not a big bother for me.

2 Likes

When you connect to a Wifi, network manager stores all connection details inside /rw/config/NM-system-connections/[wifi].nmconnection.

Just copy that file to the hopefully dedicated template of your disposable sys-net and your disposable sys-net will work with it on next boot.

The same applies for all the other modifications that need to remain persistent. Do them inside the template. You can see from mount what is persistent in your template (everything on /dev/xvdb).

3 Likes

If the network card firmware is compromised could it potentially give the attacker access to other VMs, such as vaults that are not connected to sys-net?

Potentially, yes: QSB-081: x86: MMIO Stale Data vulnerabilities (XSA-404) | Qubes OS.

2 Likes

I think having a password manager (like pass) in a vault containing the passwords for the wifi networks that you frequent helps with this inconvenience.

Interesting! So the answer would be no, but for these security exceptions.

Are there known attacks on PCI firmware over a network (i.e. without physical access to the system)? Any way to protect against them?

Following XSA-404, I did sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing which installed the qubes-core-dom0-linux-4.1.23 package. Then cpu-microcode-info revealed that I have the 2022-05 update installed.

It would be very helpful to know: Was this update installed after I did the dom0 update, or does this mean it was already updated by some other process?

The XSA seems to say that the updated package qubes-core-dom0-linux-4.1.23 is only providing information, not new microcode.

This is possible, but not necessarily recommended:

  1. As root, in (sys-)net:
         cd /etc/NetworkManager/system-connections/
         qvm-copy *
  2. Punch in the name of your disposable template and hit OK.
  3. As root, in the disposable template (sys-)net is based on:
         cp /home/user/QubesIncoming/*/* /etc/NetworkManager/system-connections/

(If you have copied anything else to this qube, or if you only want to copy one or two network configs, replace those stars with something more accurate)

Before doing any of this, make sure you are OK with broadcasting those SSIDs (and maybe passwords?!?) as alzer mentioned.

Also don’t forget to make the .nmconnection files in the /rw/config/NM-system-connections/ folder have the user root and group root as the owner:

chown root:root /rw/config/NM-system-connections/*.nmconnection

in your Disp template of sys-net-dvm.

I’ve been debugging this mdf for the past 3 hours.

You mean chown? So:

sudo chown root:root /rw/config/NM-system-connections/*.nmconnection

Yes thanks for the correction. I’ve edited it.

Well now we have a working process to save wifi passwords (and persist network info) across reboots of a disposable (sys-)net qube. Just use @bayesian's path and not mine in the disposable template (for me, fedora-36-dvm).

2 Likes
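As an added example (not written by any poster in this thread): a small shell check to run as root in the disposable template after copying the files, flagging any .nmconnection file that is not owned by root, which is the problem the chown above fixes. The mode check goes beyond what the thread covers and assumes NetworkManager's keyfile rule that these files must not be accessible to group or other; the function name and output format are made up for this example.

```shell
#!/bin/sh
# Added example: audit NetworkManager keyfiles before a disposable sys-net relies on them.
# Usage: sh audit.sh [DIR] [EXPECTED_UID]
# Defaults: the directory named in the thread and uid 0 (root).

audit_nm_keyfiles() {
    nm_dir="${1:-/rw/config/NM-system-connections}"
    nm_want_uid="${2:-0}"
    nm_bad=0
    for nm_f in "$nm_dir"/*.nmconnection; do
        [ -e "$nm_f" ] || continue            # glob matched nothing
        nm_uid=$(stat -c '%u' "$nm_f")        # numeric owner (GNU stat)
        nm_mode=$(stat -c '%a' "$nm_f")       # octal mode, e.g. 600
        if [ "$nm_uid" != "$nm_want_uid" ]; then
            echo "OWNER uid=$nm_uid $nm_f"
            nm_bad=1
        elif [ $(( 0$nm_mode & 077 )) -ne 0 ]; then
            # any group/other bit set: the stored key is readable beyond the owner
            echo "MODE $nm_mode $nm_f"
            nm_bad=1
        fi
    done
    return "$nm_bad"                          # 0 = all files pass, 1 = findings printed
}

# Run only when arguments are given, e.g.:
#   sudo sh audit.sh /rw/config/NM-system-connections
if [ "$#" -gt 0 ]; then
    audit_nm_keyfiles "$@"
fi
```

An OWNER finding is cleared with the chown shown above, a MODE finding with chmod 600 on the file.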

Actually we had it multiple times already

But this topic wasn’t about that.