Systemd inclusion in QubesOS

janglingquo_575 · November 14, 2023, 6:11pm

Does the use of systemd completely compromise the security of QubesOS?

fsflover · November 14, 2023, 6:17pm

No, it doesn’t. See this discussion:

janglingquo_575 · November 14, 2023, 6:21pm

Is there a Devuan template available?

fsflover · November 14, 2023, 6:25pm

Not yet, but Qubes provides security through compartmentalization, and systemd can’t do much against that, except if it’s really malicious in dom0. For example, your offline VMs will never access the Internet and your compromised VMs will not access the data in the former.

janglingquo_575 · November 14, 2023, 6:28pm

“except if it’s really malicious in dom0”. Can you elaborate on this? It is a bit unclear.

fsflover · November 14, 2023, 6:30pm

I mean, dom0 has full access to your whole system. It can do anything and any software running in it should be trusted to not actively compromise your security. Unintentional bugs however are typically safe, since there is no_networking in dom0.

janglingquo_575 · November 14, 2023, 6:38pm

Can you please explain what is “unintentional bugs”? Could dom0 come installed with a maliciously modified version of systemd which has been compromised as part of a supply chain attack?

fsflover · November 14, 2023, 6:43pm

It’s in my links above (which I had to update, since I found more relevant doc pages):

Since there is no networking in dom0, any bugs discovered in dom0 desktop components (e.g., the window manager) are unlikely to pose a problem for Qubes, since none of the third-party software running in dom0 is accessible from VMs or the network in any way. Nonetheless, since software running in dom0 can potentially exercise full control over the system, it is important to install only trusted software in dom0.

janglingquo_575 · November 14, 2023, 6:47pm

“Nonetheless, since software running in dom0 can potentially exercise full control over the system, it is important to install only trusted software in dom0”

Can you define what means “full control” over the system? What does “full control” mean?

Systemd is the very first process that runs. Can you tell me documentation that describes how systemd is integrated with Xen/QubesOS APIs?

fsflover · November 14, 2023, 6:54pm

“Full control” means that from dom0 command line, you can download, install and run any software in dom0 or in any VM: one, two.

Dom0 runs Fedora 32/37 with systemd. Dom0 is a VM with full privileges in the system. See also this post and posts below it: How does Qubes OS work? - #30 by fsflover.

janglingquo_575 · November 14, 2023, 7:10pm

That is a very large attack surface, look at all of the privileged functions available to dom0:

https://dev.qubes-os.org/projects/core-admin-client/en/latest/manpages/

https://dev.qubes-os.org/projects/core-admin/en/latest/manpages/

That’s not to mention the RPC calls that can be made using qubesd, qubesOS store

qubes-create
qubesd-query

→ These functions allow for RPC calls between VMs

janglingquo_575 · November 14, 2023, 7:12pm

Have there been any fuzzing or security audits of dom0 command line tools?

core-admin
core-admin-client

fsflover · November 14, 2023, 7:16pm

However, nobody can attack it, except trusted software already running in dom0, which is minimized and verified. Even more compartmentalization is planned for future Qubes versions: GUI domain | Qubes OS.

You don’t have to use the core-admin. If you expect that it might have bugs, you simply switch off any inter-VM interactions (or interactions between trusted VMs).

janglingquo_575 · November 14, 2023, 7:29pm

But what if systemd is somehow interacting with this API because it is malicious from the beginning (i.e. a supply chain attack)?

How to disable core-admin API? How to switch off inter-VM interactions?

What does the GUI domain offer?

janglingquo_575 · November 14, 2023, 7:34pm

Does Qubes R4.1 already come with GUI-VM separation from dom0?

fsflover · November 14, 2023, 7:52pm

It’s discussed in my links above. You should continue these discussions, in order to keep this forum readable, if you’re interested.

You must trust everything running in dom0 in order to be able to run Qubes. You can verify and compile the code yourself, or rely on the Community for that. Also, the developers provide a possibility to verify that the code comes from them without any modification on the way.

It’s disabled by default: Admin API | Qubes OS

GPU and window manager will not have full access to dom0 anymore. Also there is audio domain to isolate the Pulseaudio and sound hardware (and Bluetooth).

Yes, but it’s in beta and without a strong hardware virtualization yet.

janglingquo_575 · November 14, 2023, 8:04pm

Strong hadware virtualization; can you elaborate on this? Do you mean iGPU or discrete GPU virtualization?

How long has it been in Beta?

janglingquo_575 · November 14, 2023, 8:07pm

Is GUI-VM virtualization stable? Can it be implemented using a saltstack formula in dom0?

janglingquo_575 · November 14, 2023, 8:10pm

there is a tutorial on how to enable the GUI-VM here:

I’ve never tried it not sure if it’s stable.

fsflover · November 14, 2023, 9:41pm

github.com/QubesOS/qubes-issues

GUI/Admin domain splitting

opened 05:08PM - 08 Mar 15 UTC

closed 12:29AM - 07 Feb 23 UTC

marmarek

T: enhancement C: core C: gui-virtualization P: major release notes security C: gui-domain

**Reported by joanna on 27 Apr 2014 12:32 UTC** - Allow to "kiosk" the GUI doma…in reasonably for corporate applications - Allow to use "whatever" OS as GUI domain (e.g. Windows) -- we just need gui-daemon ported to that OS - Potentially requires "qubesd" (discussed elsewhere) (#853) - Requires vm-to-vm vchan for GUI protocol (#2619) Migrated-From: https://wiki.qubes-os.org/ticket/833 Subtasks: - [ ] give GUI domain control over the whole screen - either with GPU passthrough (#2618), or another qubes-gui connection (similar to https://github.com/QubesOS/qubes-issues/issues/833#issuecomment-277015652) - [ ] configure GUI domain environment - window manager, system settings, etc (#4186) - [ ] various startup scripts and configuration - get actual desktop environment started in GUI domain (and only there), pass connection information to other domains etc - [ ] menu handling - redirect menu related qrexec services to GUI domain, trigger menu updates on relevant events (qube creation etc) - [ ] implement (opt-in) debug access to dom0 shell (maybe just qubes.VMShell, or something more elaborate with real pty access) - [ ] collect and implement missing Admin API calls (GUI domain elements assuming direct dom0 access) - [ ] get installer setup all the above

github.com/QubesOS/qubes-issues

Missing Explanation On Using GUI Domain

opened 02:30PM - 05 Jun 23 UTC

Neuro-NX

T: bug C: doc P: default

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) #…## Qubes OS release ### Brief summary In the documentation on creating a [gui domain](https://www.qubes-os.org/doc/gui-domain/) there is inadaquate information on how `sys-gui` and `sys-gui-gpu` is to be used, and how to troubleshoot issues. I understand it is a work in progress, but am speaking in terms of improving the documentation. These questions should be touched upon. - Is passing a GPU to sys-gui-gpu safe, or does is still posses the same security risks? - How to execute dom0 commands while in sys-gui-gpu? - What software is meant to be installed in sys-gui? Additionally, are there qube packages that are specific to the gui domain we need to be aware of? This may be important if users decide to install different desktop environments or qube dep packages get removed. - How to deal with empty application menu? - How to deal with empty device menu (qui-devices)? - Troubleshoot tip on using 'qubes.skip_autostart' but also having to manually execute 'qui-*' services when wanting to run as dom0. This point should also be raised. The salt script may not set `default_guivm` to sys-gui* but remain set to dom0, likewise the key `guivm` must also be set to sys-gui*, otherwise they won't show up in the GUI domain. ### Expected behavior Prior to explaining how to create sys-gui*, there should be greater explanation and context how the GUI domain is to be used. ### Actual behavior Documentation gives brief explanation on what sys-gui is and how to create it, but not how to use it.

github.com/QubesOS/qubes-issues

Document how to enabled and test sys-gui/sys-gui-gpu

opened 12:03AM - 17 Jun 21 UTC

marmarek

C: doc T: task P: default

**Qubes OS version (if applicable)** R4.1 **Affected component(s) or f…unctionality (if applicable)** gui, documentation **Brief summary** Document everything needed to test new GUI VM feature. Some hints at https://qubes-os.discourse.group/t/how-to-enable-the-new-gui-vm/2631/3 **Relevant [documentation](https://www.qubes-os.org/doc/) you've consulted** https://www.qubes-os.org/doc/gui-configuration/ https://www.qubes-os.org/news/2020/03/18/gui-domain/ **Related, [non-duplicate](https://www.qubes-os.org/doc/reporting-bugs/#new-issues-should-not-be-duplicates-of-existing-issues) issues** #833

Since the release of Qubes 4.1.