February 10, 2022, 4:14pm
When you connect to a Wifi, network manager stores all connection details inside /rw/config/NM-system-connections/[wifi].nmconnection.
Just copy that file to the hopefully dedicated template of your disposable sys-net and your disposable sys-net will work with it on next boot.
The same applies for all the other modifications that need to remain persistent. Do them inside the template. You can see from mount what is persistent in your template (everything on /dev/xvdb).
June 18, 2022, 7:40pm
That’s possibly sufficient for most of us. In theory though, the
something can still persist by reflashing any firmware on the network cards attached to sys-net, and making the VM disposable does not help with a threat of that level of sophistication.
If the network card firmware is compromised could it potentially give the attacker access to other VMs, such as vaults that are not connected to
QSB-081: x86: MMIO Stale Data vulnerabilities (XSA-404) | Qubes OS.
I think having a password manager (like pass) in a vault containing the wifi passwords that you frequent to, helps with this inconvenience.
June 19, 2022, 4:59pm
Interesting! So the answer would be no, but for these security exceptions.
Are there known attacks on PCI firmware over a network (i.e. without physical access to the system)? Any way to protect against them?
June 25, 2022, 10:04am
Following XSA-404, I did sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing which installed the qubes-core-dom0-linux-4.1.23 package. Then cpu-microcode-info revealed that I have the 2022-05 update installed.
It would be very helpful to know: Was this update installed after I did the dom0 update, or does this mean it was already updated by some other process?
The XSA seems to say that the updated package qubes-core-dom0-linux-4.1.23 is only providing information, not new microcode.
September 23, 2022, 12:51am
This is possible, but not necessarily recommended:
As root, in (sys-)net:
Punch in the name of your disposable template and hit OK.
As root, in the disposable template (sys-)net is based on:
cp /home/user/QubesIncoming/*/* /etc/NetworkManager/system-connections/
(If you have copied anything else to this qube, or if you only want to copy one or two network configs, replace those stars with something more accurate)
Before doing any of this, make sure you are OK with broadcasting those SSIDs (and maybe passwords?!?) as
Also don’t forget to make the .nmconnection files in the /rw/config/NM-system-connections/ folder have the user root and group root as the owner:
chown root:root /rw/config/NM-system-connections/*.nmconnection
in your Disp template of
I’ve been debugging this mdf for the past 3 hours.
November 18, 2022, 11:10pm
you mean chown? so:
sudo chown root:root /rw/config/NM-system-connections/*.nmconnection
Yes thanks for the correction. I’ve edited it.
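A check for the ownership step discussed above, as an added example that is not part of any post in this thread. The function names, their arguments and the sample keyfiles are constructed for illustration, and the mode test (no group/other permission bits) is this example's assumption; the thread itself only mentions root:root ownership.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names and arguments are this
# example's own: $1 = keyfile directory, $2 = expected owner as uid:gid.
audit_nm_keyfiles() {
    local dir="${1:-/rw/config/NM-system-connections}"
    local want="${2:-0:0}"                  # 0:0 is root:root
    local rc=0 f owner mode status psk
    for f in "$dir"/*.nmconnection; do
        [ -e "$f" ] || continue             # glob matched nothing
        owner=$(stat -c '%u:%g' "$f")       # GNU stat syntax
        mode=$(stat -c '%a' "$f")
        status=OK
        # Wrong owner: the chown step was missed after copying the file in.
        [ "$owner" = "$want" ] || status=BAD
        # Assumption of this example: any group/other bit (mask 077) is too open.
        [ $(( 0$mode & 077 )) -eq 0 ] || status=BAD
        # A stored PSK lives on in the template, outside the disposable's lifetime.
        if grep -q '^psk=' "$f" 2>/dev/null; then psk=yes; else psk=no; fi
        printf '%s %s owner=%s mode=%s psk=%s\n' \
            "$status" "${f##*/}" "$owner" "$mode" "$psk"
        [ "$status" = OK ] || rc=1
    done
    return "$rc"
}

# Builds two constructed keyfiles in a temp dir and prints its path.
make_sample_dir() {
    local d
    d=$(mktemp -d)
    printf '[connection]\nid=home\n\n[wifi-security]\nkey-mgmt=wpa-psk\npsk=constructed-example\n' \
        > "$d/home.nmconnection"
    printf '[connection]\nid=cafe\n' > "$d/cafe.nmconnection"
    chmod 600 "$d/home.nmconnection"
    chmod 644 "$d/cafe.nmconnection"        # deliberately too open
    echo "$d"
}

# Demo as a normal user: compare against the sample files' own owner.
sample=$(make_sample_dir)
audit_nm_keyfiles "$sample" "$(stat -c '%u:%g' "$sample/home.nmconnection")" \
    || echo "one or more keyfiles need chown/chmod"
rm -rf "$sample"
```

Run as root in the disposable template with no arguments, the function checks /rw/config/NM-system-connections against root:root and returns non-zero if any file is flagged BAD.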
November 28, 2022, 9:16pm
Well now we have a working process to save wifi passwords (and persist network info) across reboots of a disposable (sys-)net qube. Just use @bayesian's path and not mine in the disposable template (for me, fedora-36-dvm).
November 28, 2022, 9:58pm
Actually we had it multiple times already
I would never, ever, ever, never connect online any qube that has template in its prefs/name, hahah. Actually, my default netVM is none.
Setup connection in sys-net dispVM and while it’s still on, fire up its dvm-template and copy the corresponding .nmconnection from sys-net to
folder of a dvm-template. Shut down both, and restart sys-net. That way, it’ll persist across reboots.
But this topic wasn’t about that.