Update check without sys-whonix

I was wondering, how qubes checks for updates.
I update packages via sys-whonix, which works fine, but the system seems to check for updates without sys-whonix. Whenever i update packages (using gui or console) it fires up sys-whonix automatically, but only on downloading the packages, not for checking for updates.
This seems to be by design. Why?

Unless you have disabled the qubes-update-check service, every qube will
check for updates, and then feed results back to relate to the appropriate
template.
If you have qubes connected to clearnet then you are presumably not
concerned whether you use Tor or not. If you do only want to use Tor
then only use Qubes connected to a Tor netvm, Whonix-gw.

Yes, i mainly use the clearnet. I just activated updates using tor to see what’s what.
Been just curious to see the update check using clearnet instead of tor. Thought this was a bug.

Downloading dom0 and template updates over Tor can provide specific security benefits by making it more difficult for you to be subject to targeted attacks involving malicious or withheld packages. For example:

  1. An attacker may have gained access to an authentic upstream package signing key. He can use this key to sign a malicious package that is intended only for you. If you download updates using Tor, you force him to distribute the malicious package to everyone instead of only to you, which increases his risk.

  2. An attacker may wish to withhold a specific package update from you so that your older version of the package retains a vulnerability known to the attacker. By using Tor, you prevent the attacker from knowing whether it is you trying to download a specific update as opposed to someone else.

In these scenarios, you may not care whether the update check goes over your clearnet connection, so long as the update is actually downloaded over Tor, since the latter is what matters for protecting you against these attacks.

The question that asks dom0 updates over Tor only applies to dom0.

If you wanted all dom0 and template updates to happen via Tor, you would need to do the following:

In Qubes Global Prefs:

  1. Set Dom0 UpdateVM to sys-whonix

  2. Uncheck: Check for qube updates by default

  3. Click: Disable checking for updates for all qubes

  4. Edit /etc/qubes-rpc/polic/qubes.UpdatesProxy, change the second-to-last line containing sys-net to sys-whonix:

    # Default rule for all TemplateVMs - direct the connection to sys-whonix
    $type:TemplateVM $default allow,target=sys-whonix
    

    (This is what Global Prefs tells you to do when you hover over Dom0 UpdateVM)

This will disable AppVMs from performing any checks for updates, which have a purpose of informing dom0’s updater GUI.

This means no notifications when updates are available, and you must now perform template updates manually by starting the template and doing the appropriate update command (dnf, apt, pacman, etc), or by using qubesctl.

A workaround to get notifications and still use Tor:

  1. Do all the steps above
  2. Create a new AppVM with a template you want notifications for
  3. Set the AppVM network to sys-whonix
  4. (Option 1) Enable the qubes-update-check in Services, and just run this qube every now and then for at least 10 minutes
  5. (Option 2) Or execute qvm-run appvm_template_update_checker /usr/lib/qubes-upgrades-status-notify; qvm-shutdown appvm_template_update_checker

Now that I’ve described how to do it, I’d recommend against this (for most people) as it requires you to take on more responsibility in keeping your system up to date.

1 Like

To follow up on what icequbes1 said, you can also update StandaloneVM via sys-whonix with Networking as none by adding these two lines in /etc/qubes-rpc/polic/qubes.UpdatesProxy:

$type:StandaloneVM $default allow,target=sys-whonix
$type:StandaloneVM $anyvm deny

And then in the service tap of the StandaloneVM add updates-proxy-setup

1 Like

I also have an additional question relating to this.

It says, in https://www.qubes-os.org/doc/rpc-policy/

(Note: the $ character is deprecated in qrexec keywords – please use @ instead (e.g. @anyvm). For more information, see the bulletin here.)

Should I be changing every files that contain $ to @ in /etc/qubes-rpc/polic/ folder?

cause there are a lot of files in there

Answer:

If one were to change all the dollar signs to at signs in the current official version of Qubes,
what would be the best way to go about it?

I mean, probably sed would do the job but I don’t feel so confident as my recall on sed is bit rusty.

Has anyone here done it? If so, please share the trick with us!

ahh actually I just done it myself. If anyone needs to know, here is the way.

[@dom0 ~]$ cd /etc/qubes-rpc/policy
[@dom0 policy]$ for i in admin* qubes* whonix*; do
> sed -i 's/\$/\@/g' $i
> done