As someone who is unable to review code, I wonder about the process of installing mirage-firewall.
In the process you have to copy the vmlinuz unikernel into dom0.
Copy vmlinuz to /var/lib/qubes/vm-kernels/mirage-firewall directory in dom0, e.g. (if dev is the AppVM where you built it):
How secure is this process if a user is unable to build and read the code themselves? From a non-technical perspective this kind of copying into Dom0 would seem to represent a serious security concern.
So, as there is no signing on the unikernel or verified hashing, how should an individual who cannot personally audit the code weigh the potential security benefits of a reduced attack surface of mirage & additional OS in their security chain against the risk of execution of unverified/unsigned code in Dom0?
Are there plans to move toward a signed mirage template in the Qubes repo?
I’m aware in general that if you can’t read the code you are always exposed to risk, but perhaps the risk to such a crucial security pillar as Dom0 is not worth it for a user like me until I can lean on the signed verification of the unikernel from QubesOS team (an entity I chose to trust).
Thanks for your input.
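The copy step the post describes can at least be gated on a hash computed in dom0 itself rather than trusting what the build VM reports. The script below is an added example, not code from the original post or from the mirage-firewall project; it assumes the built kernel sits at mirage-firewall/vmlinuz in an AppVM called dev, that sha256sum exists in dom0, and that EXPECTED_SHA256 is a value you obtained out of band from a source you trust (a placeholder here).

```shell
#!/bin/sh
# Added example (not from the original post or the mirage-firewall project).
# Assumptions: build VM "dev", kernel at mirage-firewall/vmlinuz inside it,
# sha256sum available in dom0, and an expected hash obtained out of band.

# Return 0 if FILE's SHA-256 equals EXPECTED (lowercase hex), 1 otherwise.
# The hash is computed here, in dom0, so the build VM cannot lie about it.
verify_sha256() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Pull the kernel out of the build VM into a private staging directory,
# verify it, and only then move it into the directory Qubes loads kernels
# from. Staging means an unverified file never sits in vm-kernels.
install_verified_kernel() {
    src_vm="$1"        # e.g. dev
    src_path="$2"      # path inside the AppVM, e.g. mirage-firewall/vmlinuz
    expected="$3"      # hash from a source you trust (placeholder in usage)
    dest_dir="${4:-/var/lib/qubes/vm-kernels/mirage-firewall}"
    staging=$(mktemp -d) || return 1
    # --pass-io streams the file bytes over qrexec; dom0 reads a byte stream,
    # it never mounts or executes anything from the AppVM.
    if ! qvm-run --pass-io "$src_vm" "cat '$src_path'" > "$staging/vmlinuz"; then
        rm -rf "$staging"; return 1
    fi
    if ! verify_sha256 "$staging/vmlinuz" "$expected"; then
        echo "hash mismatch: refusing to install vmlinuz from $src_vm" >&2
        rm -rf "$staging"; return 2
    fi
    mkdir -p "$dest_dir" && mv "$staging/vmlinuz" "$dest_dir/vmlinuz" && rmdir "$staging"
}

# Usage in dom0 (EXPECTED_SHA256 is a placeholder; substitute the real value):
# install_verified_kernel dev mirage-firewall/vmlinuz "$EXPECTED_SHA256"
```

A hash check only shifts the trust question to wherever the expected value came from; it does not replace a signature from a party you already trust, which is what the post asks for.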