Sys-net disposable? (4.1 rc)

When you connect to a Wi-Fi network, NetworkManager stores all connection details inside /rw/config/NM-system-connections/[wifi].nmconnection.

Just copy that file to the hopefully dedicated template of your disposable sys-net and your disposable sys-net will work with it on next boot.

The same applies to all the other modifications that need to remain persistent. Do them inside the template. You can see from mount what is persistent in your template (everything on /dev/xvdb).

3 Likes
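An added example, not part of the original posts: a shell check that reads `mount` output and reports whether a given path sits on /dev/xvdb, using the longest matching mount point. The sample mount listing, the file name home.nmconnection and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `mount` output (not captured from a real qube).
SAMPLE_MOUNT='/dev/mapper/dmroot on / type ext4 (rw,relatime)
/dev/xvdb on /rw type ext4 (rw,relatime)
/dev/xvdb on /home type ext4 (rw,relatime)
/dev/xvdb on /usr/local type ext4 (rw,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev)'

# backing_device PATH: read `mount` output on stdin and print the device
# of the longest mount point that is a prefix of PATH.
backing_device() {
    awk -v p="$1" '
        $2 == "on" {
            mp = $3
            # Match the mount point itself or a path below it, so that
            # /rwx is not mistaken for something under /rw.
            pre = (mp == "/") ? "/" : mp "/"
            if (p == mp || index(p, pre) == 1) {
                if (length(mp) > best) { best = length(mp); dev = $1 }
            }
        }
        END { print dev }'
}

# is_persistent PATH: succeed only if PATH is backed by /dev/xvdb.
is_persistent() {
    [ "$(backing_device "$1")" = "/dev/xvdb" ]
}

# Inside the qube you would run:  mount | is_persistent /some/path
# Here the constructed sample stands in for the live output.
for f in /rw/config/NM-system-connections/home.nmconnection \
         /etc/NetworkManager/NetworkManager.conf \
         /usr/local/bin/tool /run/x; do
    if printf '%s\n' "$SAMPLE_MOUNT" | is_persistent "$f"; then
        echo "on /dev/xvdb:     $f"
    else
        echo "not on /dev/xvdb: $f"
    fi
done
```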

If the network card firmware is compromised could it potentially give the attacker access to other VMs, such as vaults that are not connected to sys-net?

Potentially, yes: QSB-081: x86: MMIO Stale Data vulnerabilities (XSA-404) | Qubes OS.

2 Likes

I think having a password manager (like pass) in a vault, containing the passwords for the Wi-Fi networks that you frequent, helps with this inconvenience.

Interesting! So the answer would be no, but for these security exceptions.

Are there known attacks on PCI firmware over a network (i.e. without physical access to the system)? Any way to protect against them?

Following XSA-404, I did sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing, which installed the qubes-core-dom0-linux-4.1.23 package. Then cpu-microcode-info revealed that I have the 2022-05 update installed.

It would be very helpful to know: Was this update installed after I did the dom0 update, or does this mean it was already updated by some other process?

The XSA seems to say that the updated package qubes-core-dom0-linux-4.1.23 is only providing information, not new microcode.