SystemdVM

janglingquo_575 · December 2, 2023, 12:12am

Should systemd be removed from dom0 and isolated into its own VM? This is similar to how sys-gui
is isolated in its own VM due to the potential attack surface of graphics/window libraries.

oldschool · December 2, 2023, 8:38pm

Isolate the init system? Really? and start up how exactly? Or do you really mean REPLACE not isolate.

This sounds more like an old hate on systemd type post, I thought we were over that, what, go back to an older init system? Really bad idea, systemd is light years better now, sure it has issues here and there, and networkd is still crap, but going backwards isn’t a solution.

Just checked, you brought this up a few weeks ago (here) here we go again.

janglingquo_575 · December 2, 2023, 9:47pm

How else to mitigate the attack surface? Use app armour profiles? If they insist on using systemd, can they at least try and mitigate the vulnerable and buggy nature of systemd? Using app armour?

fsflover · December 2, 2023, 10:05pm

To me this looks like basically the same suggestion as to minimize dom0:

github.com/QubesOS/qubes-issues

Minimize dom0

opened 09:37AM - 26 Oct 23 UTC

closed 10:55AM - 26 Oct 23 UTC

emanruse

T: enhancement R: declined P: default

### The problem you're addressing (if any) As of Qubes OS 4.1.2, dom0 is not …as minimal (optimal) as it could be. For a security focused OS, this is an open door for various issues capable to affect the system through system updates. There is quite a lot of software which is never used. Example: ``` root@dom0:~ # dnf list --installed *firmware* | sed -r 's/ {2,}.*//g' Installed Packages alsa-sof-firmware.noarch amd-gpu-firmware.noarch intel-gpu-firmware.noarch linux-firmware.noarch linux-firmware-whence.noarch nvidia-gpu-firmware.noarch ``` This is on a system with no NVIDIA or AMD hardware, yet this firmware (which IIUC is certainly **proprietary**) is there by default (not installed by me explicitly). Additionally, image processing libraries (like LibRaw) are installed in dom0 (as dependencies) etc. All this is quite concerning in terms of security and doesn't quite match the advises regarding minimizing the attack surface. fedora-38-xfce is 5.7 GiB. fedora-38-minimal is 2.6 GiB. debian-12-minimal is 1.4 GiB. dom0 is **7.2 GiB**. ### The solution you'd like (Options for) minimal/minimized dom0. Ideally, with a GUI domain, separate from dom0. During installation, provide options to install software necessary only for existing hardware. For hardware which does not exist on the system, provide options not to install drivers and firmware for it during initial installation. For hardware which the user may use in future (but is not present all the time), provide convenient way to install necessary software at a later time, ideally in a temporary, isolated way, so that when the hardware is no longer on the system, the software for it can be easily disabled/removed too. Reduce proprietary software existence on the system to the possible minimum. (Perhaps have options to) base dom0 on other, non-Fedora, templates (e.g. Debian minimal?) explaining to the user the pros and cons. ### The value to a user, and who that user might be - Minimize dom0's vulnerability to potential (security) issues entering it through various libraries and dependencies. - Save storage space and network bandwidth (hence also update times) by not installing (and updating) GiB of unnecessary stuff. https://forum.qubes-os.org/t/how-to-minimize-dom0/20945/

This is being done, but takes a huge effort, and currently GUI qube is in the works.

janglingquo_575 · December 3, 2023, 1:00am

If they insist on using systemd instead of runit, or sysvinit; could we at least try to mitigate the bugs and the attack surface? I mean how can QubesOS call itself secure when there is so much evidence suggesting it is vulnerable and buggy?

https://nosystemd.org/

fsflover · December 3, 2023, 9:30am

They do not insist on that. As I said above, dom0 will likely be changed, see also this Issue:

github.com/QubesOS/qubes-issues

Change the OS used in dom0

opened 04:34PM - 18 Apr 16 UTC

mfc

T: enhancement C: core P: major

We have discussed this numerous times but don't have an issue to track these dis…cussions. It would be worth understanding what would be needed to change dom0 from Fedora to Debian (say Debian 8). Benefits include: - increased hardware compatibility - incorporate serious work taken towards reproducible builds - better firstboot installer - better (slower) release cycle than Fedora with longer-term support - other things? This ticket does not encompass modifying the desktop environment.

Concerning how systemd currently affects the security of Qubes, please continue this discussion:

Systemd may very well be buggy, but those bugs are not exploitable, because you run nothing in dom0 (or suggest a way to exploit a bug in that discussion). Or do you have evidence that it’s malicious?

janglingquo_575 · December 3, 2023, 4:22pm

Yes. I keep getting a systemd related crash. It crashes the entire hypervisor somehow. It seems to
be more related to Whonix, but I can’t figure out how an RDRAND call could crash the entire hypervisor.

“random:systemd: uninitialized urandom read”

oldschool · December 3, 2023, 6:13pm

I’d like to see grub replaced with systemd-boot in qubes. Some people here have already done it, so it’s doable.

janglingquo_575 · December 3, 2023, 8:16pm

More systemd attack surface? Isn’t that worse?

oldschool · December 3, 2023, 9:02pm

The attack surface of grub is massively larger than systemd-boot, but your hatred of all things systemd prevents you from seeing that.

janglingquo_575 · December 3, 2023, 9:05pm

I supposed its not systemd per se, but RDRAND which is the real root of the issue. Would it then be advisable to follow the following hardening guide for the Xen kernel?

https://madaidans-insecurities.github.io/guides/linux-hardening.html#choosing-the-right-distro

fsflover · December 6, 2023, 4:39pm

You should report it to the Qubes Issues.