Qubes OS R2
Tutorial
INVISIBLE THINGS LAB
LINUXCON EUROPE, OCT 2014, V1.0-RC1
2
Agenda
Part 1 (for Users)
пЃµ
Basics (Trusted Desktop, AppVMs,
TemplateVMs)
Part 2 (for Power Users & Devs)
пЃµ
Qubes Inter-VM services (qrexec, policies)
пЃµ
Hello World Qubes qrexec App
пЃµ
Qubes Builder (Build your own Qubes,
пЃµ
Porting Window Managers (e.g. Awsome)
пЃµ
Networking
пЃµ
Storage (Block devices handling, UsbVM)
пЃµ
Disposable VMs (Unique features,
customizations)
пЃµ
New templates
пЃµ
Qubes Apps (qrexec basics, Split GPG, PDF
пЃµ
Quick look at Qubes R3 changes
пЃµ
Windows AppVMs (installation, templates)
TorVM)
(NetVMs, ProxyVMs, Firewalling,
convert)
Qubes OS Practical Intro by Invisible Things Lab, 2014
contribute patches, components)
(e.g. Debian-based)
3
Qubes OS Basics
Qubes OS Practical Intro by Invisible Things Lab, 2014
4
Architecture
USB
Qubes OS Practical Intro by Invisible Things Lab, 2014
5
Qubes as multi-domain system
пЃµ
пЃµ
пЃµ
Domains represent areas, e.g.
пЃµ
personal, work, banking
пЃµ
work-web, work-project-XYZ, work-accounting
пЃµ
personal-very-private, personal-health
No 1-1 mapping between apps and VMs!
пЃµ
If anything, then user tasks-oriented sandboxing, not app-oriented
пЃµ
E.g. few benefits from sandboxing: The Web Browser, or The PDF Reader
It’s data we want protect, not apps/system!
Qubes OS Practical Intro by Invisible Things Lab, 2014
6
Trusted Desktop
пЃµ
Apps windows “extracted” from VMs and composed onto common desktop
пЃµ
Clear indications to which VM a given window belongs
Qubes OS Practical Intro by Invisible Things Lab, 2014
7
Trusted Desktop Decorations
Domain name
(unspoofable)
Domain color
(unspoofable)
Qubes OS Practical Intro by Invisible Things Lab, 2014
Domain/app provided
window title (untrusted, sanitized)
8
Trusted Desktop
Desktop (wallpaper)
managed by
Dom0 WM
“Start Menu” managed
by Dom0 WM
Qubes OS Practical Intro by Invisible Things Lab, 2014
9
Trusted Desktop (Apps launcher)
Qubes OS Practical Intro by Invisible Things Lab, 2014
10
Secure clipboard
пЃµ
Challenge: copy clipboard from VM “Alice” to VM “Bob”, don’t let VM “Mallory” to learn
its content in the meantime
пЃµ
Solved by introducing Qubes “global clipboard” to/from which copy/paste is explicitly
controlled by the user (Ctrl-Shift-C, Ctrl-Shift-V)
пЃµ
Requires 4 stages:
пЃµ
Ctrl-C (in the source VM)
пЃµ
Ctrl-Shift-C (tells Qubes: copy this VM buffer into global clipboard)
пЃµ
Ctrl-Shift-V (in the destination VM: tells Qubes: make global clipboard available to this VM)
пЃµ
Ctrl-V (in the destination VM)
пЃµ
Ctrl-Shift-C/V cannot be injected by VMs (unspoofable key combo).
пЃµ
In practice almost as fast as traditional 2-stage copy-paste (don’t freak out! ;)
Qubes OS Practical Intro by Invisible Things Lab, 2014
11
Types of VMs in Qubes
According to role
According to implementation
пЃµ
AppVMs (user apps and files run here)
пЃµ
PV (default) ^ HVM (e.g. Windows)
пЃµ
ServiceVMs (mostly invisible to the
user)
пЃµ
Template-based ^ Standalone
пЃµ
Persistent ^ Disposable
пЃµ
пЃµ
NetVMs
пЃµ
ProxyVMs (e.g. FirewallVM, TorVM, VPN)
пЃµ
Dom0 (admin domain)
пЃµ
GUI domain (in R3)
Templates
Qubes OS Practical Intro by Invisible Things Lab, 2014
12
AppVMs
пЃµ
пЃµ
пЃµ
Linux-based Para Virtualized
пЃµ
Most Desktop Environment stripped off, custom startup.
пЃµ
Quick boot, small memory footprint
Based on a template (Fedora 20 default, but Debian & Arch also avail.)
пЃµ
This means rootfs is non persistent by default!
пЃµ
Separate volume (virtual disk) for user home (/rw)
Disposable VMs
пЃµ
Like AppVMs, but without private volume (non persistent home dir)
пЃµ
Optimized to boot up even faster (restored from snapshot instead of boot)
Qubes OS Practical Intro by Invisible Things Lab, 2014
13
TemplateVMs
пЃµ
Started only for software upgrade/installation or global config mods
пЃµ
By default limited networking only to apt/yum updates proxy
пЃµ
Trusted – a compromised template can compromise all “children”
пЃµ
Non-persistence of rootfs
пЃµ
as reliability feature
пЃµ
as security feature
Qubes OS Practical Intro by Invisible Things Lab, 2014
14
Rootfs non-persistence as security feature?
пЃµ
AppVM’s rootfs gets automatically reverted back to “golden image” on each restart...
пЃµ
пЃµ
No malware persistence on root fs!
... but malware can still place its triggers in /home (generally /rw):
пЃµ
.bashrc
пЃµ
Thunderbird/Firefox/etc profile directory (e.g. subvert plugins)
пЃµ
Malicious PDF/DOC/etc (exploiting hypothetical bug in default handler app)
пЃµ
Malicious fs meta (exploiting hypothetical bug in kernel fs module)
Qubes OS Practical Intro by Invisible Things Lab, 2014
15
Rootfs non-persistence as security feature? (cont.)
пЃµ
... still has some unique security advantages though:
пЃµ
пЃµ
Malware inactive before /rw mounted/parsed, offers chances to scan reliably
пЃµ
Yet problem for malware scanning generally hard in general
пЃµ
But might be easier for limited scenarios (e.g. easy for .bashrc, difficult for TB profile)
Malware triggers via malicious docs or malformed fs will automatically stop
working after template patched
пЃµ
Note how this malware in AppVMs cannot interfere with reliability of template
patching
Qubes OS Practical Intro by Invisible Things Lab, 2014
16
Where are the VM files?
пЃµ
/var/lib/qubes
пЃµ
appvms/my-appvm/
пЃµ
appvms/
пЃµ
private.img
пЃµ
servicevms/
пЃµ
volatile.img
пЃµ
vm-templates/
пЃµ
my-appvm.conf (autogen!)
пЃµ
vm-kernels/
Qubes OS Practical Intro by Invisible Things Lab, 2014
пЃµ
vm-templates/fedora-20-x64/
пЃµ
root.img
пЃµ
root-cow.img
пЃµ
private.img
пЃµ
volatile.img
пЃµ
fedora-20-x64.conf (autogen!)
(template’s home)
17
HVM AppVMs (e.g. Windows-based)
Qubes OS Practical Intro by Invisible Things Lab, 2014
18
AppVMs configuration
пЃµ
пЃµ
/rw/config
пЃµ
/rw/config/rc.local
пЃµ
/rw/config/qubes-firewall-user-script
пЃµ
https://wiki.qubes-os.org/wiki/UserDoc/ConfigFiles
qvm-service
пЃµ
Tells VM’s scripts which (systemd) services should/shouldn’t be started
пЃµ
Note: qvm-service will not warn you about service name spelling errors
пЃµ
https://wiki.qubes-os.org/wiki/Dom0Tools/QvmService
Qubes OS Practical Intro by Invisible Things Lab, 2014
19
Networking in
Qubes OS
Qubes OS Practical Intro by Invisible Things Lab, 2014
20
Default networking topology
Qubes OS Practical Intro by Invisible Things Lab, 2014
The whole networking stacks is
sandboxed...
Qubes OS Practical Intro by Invisible Things Lab, 2014
21
22
Type of VMs (networking-wise)
пЃµ
пЃµ
пЃµ
пЃµ
NetVMs
пЃµ
Have NICs or USB modems assigned via PCI-passthrough
пЃµ
Provide networking to other VMs (run Xen Net Backends)
AppVMs
пЃµ
Have no physical networking devices assigned
пЃµ
Consume networking provided by other VMs (run Xen Net Frontends)
пЃµ
Some AppVMs might not use networking (i.e. be network-disconnected)
ProxyVMs
пЃµ
Behave as AppVMs to other NetVMs (or ProxyVMs), i.e. consume networking
пЃµ
Behave as NetVMs to other AppVMs (or ProxyVMs), i.e. provide networking
пЃµ
Functions: firewalling, VPN, Tor’ing, monitoring, proxying, etc.
Dom0
пЃµ
has no network interfaces!
Qubes OS Practical Intro by Invisible Things Lab, 2014
Example of more complex networking
configuration...
Qubes OS Practical Intro by Invisible Things Lab, 2014
23
24
FirewallVM: special role of any ProxyVM
пЃµ
Any proxy VM becomes firewall VM for the AppVMs (or other ProxyVMs)
directly connected to it
пЃµ
Scripts running in each of the ProxyVM look at the global firewalling config
provided by Dom0 (via XenStore) and use it to configure iptables rules for
its direct children
пЃµ
The role of the FirewallVM is not to prevent data leaks!
пЃµ
Sadly too many cooperative covert channels for this to be meaningful
пЃµ
They are to prevent user mistakes, config mistakes, and accidental leaks only
Qubes OS Practical Intro by Invisible Things Lab, 2014
25
Networking config inside VMs
пЃµ
Interfaces
пЃµ
Firewall
пЃµ
NAT
Qubes OS Practical Intro by Invisible Things Lab, 2014
26
Customizing networking routings
пЃµ
Allow networking between two AppVMs
пЃµ
Allow port forwarding to an AppVM from outside world
пЃµ
See:
пЃµ
https://wiki.qubes-os.org/wiki/QubesFirewall
Qubes OS Practical Intro by Invisible Things Lab, 2014
27
Qubes TorVM
пЃµ
Easy setup
пЃµ
пЃµ
пЃµ
qvm-create -p torvm
пЃµ
qvm-service torvm -d qubes-netwatcher
пЃµ
qvm-service torvm -d qubes-firewall
пЃµ
qvm-service torvm -e qubes-tor
In TorVM (or its template):
пЃµ
sudo yum install qubes-tor-repo
пЃµ
sudo yum install qubes-tor
Configure AppVMs to use it as proxy:
пЃµ
qvm-pres –s myanonvm netvm torvm
Qubes OS Practical Intro by Invisible Things Lab, 2014
28
TorVM configuration example
Qubes OS Practical Intro by Invisible Things Lab, 2014
29
Digression on using TorVM in Qubes OS
пЃµ
TorVM cannot (obviously) anonymize anything beyond IP/MAC
пЃµ
пЃµ
пЃµ
Use e.g. TBB or Whonix workstation in/as clients of TorVM
DispVMs as TorVM clients
пЃµ
Set DispVM’s netvm to none, manually change to torvm (or set torvm for all DispVMs)
пЃµ
Note the volatile.img is backed to disk! (no anti-forensics yet)
Potential leaks through:
пЃµ
qvm-open-in-dvm ...
пЃµ
Set default netvm to none, manually change to torvm (or set torvm for all DispVMs)
пЃµ
adjust qrexec policy to prevent that (qubes.OpenInVM, qubes.VMShell)
Qubes OS Practical Intro by Invisible Things Lab, 2014
30
Further reading
пЃµ
http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubesnetworking-for-fun.html
пЃµ
https://wiki.qubes-os.org/wiki/UserDoc
Qubes OS Practical Intro by Invisible Things Lab, 2014
31
Storage, Block
devices and USB
Qubes OS Practical Intro by Invisible Things Lab, 2014
32
Architecture
USB
Qubes OS Practical Intro by Invisible Things Lab, 2014
33
Storage backend in Qubes
пЃµ
Dom0 hosts block backend for all the VMs
пЃµ
пЃµ
The simplest possible block backend (Xen blkback), no qcow, no qemu!
Also possible to use backends located in (untrusted) VMs
пЃµ
E.g. export block devices from UsbVM
пЃµ
qvm-block
пЃµ
https://wiki.qubes-os.org/wiki/StickMounting
Qubes OS Practical Intro by Invisible Things Lab, 2014
34
Examples of USBVM usage
пЃµ
USB storage device attach example
Qubes OS Practical Intro by Invisible Things Lab, 2014
35
Keeping USBVM untrusted
пЃµ
Backups to USBVM
пЃµ
LUKS on /dev/xvdi exported from USBVM
Qubes OS Practical Intro by Invisible Things Lab, 2014
36
Backing up to untrusted USB
Qubes OS Practical Intro by Invisible Things Lab, 2014
37
Booting HVMs from images
Qubes OS Practical Intro by Invisible Things Lab, 2014
38
qvm-usb (EXPERIMENTAL)
пЃµ
пЃµ
qvm-usb != qvm-block
пЃµ
qvm-block attaches block devices (e.g. USB mass storage device) to VMs
пЃµ
qvm-usb (is supposed to) attaches USB devices (e.g. camera) to VMs
пЃµ
qvm-block works, qvm-usb (mostly) doesn’t (currently)
Current problems with qvm-usb
пЃµ
Xen PVUSB backend is immature, devel seem abandoned
пЃµ
We consider switching to USB-over-IP from Linux kernel, replace IP for qrexec
Qubes OS Practical Intro by Invisible Things Lab, 2014
39
Dom0 storage
пЃµ
пЃµ
/boot
пЃµ
Not encrypted, not integrity protected (cannot be!)
пЃµ
Use Anti Evil Maid
Dom0 root filesystem
пЃµ
LUKS
пЃµ
No integrity protection!
пЃµ
пЃµ
Malleability attacks possible
пЃµ
Difficult to do integrity protection on block-level
No anti-forensics (yet)
пЃµ
DispVM volatile.img backing to Dom0 fs
Qubes OS Practical Intro by Invisible Things Lab, 2014
40
Qubes Apps
Qubes OS Practical Intro by Invisible Things Lab, 2014
41
Qubes Apps Examples
пЃµ
InterVM file copy
пЃµ
Disposable VMs, qvm-open-in-(d)vm
пЃµ
Thunderbird Open-in-DispVM extension
пЃµ
PDF converter
пЃµ
Split GPG
пЃµ
Comparison vs. Smartcard (need for USB controller passthrough)
пЃµ
Key import
Qubes OS Practical Intro by Invisible Things Lab, 2014
42
Trivial: Inter-VM filecopy
пЃµ
пЃµ
Security challenges
пЃµ
Virtual pendrive: no good
пЃµ
Samba, NFS: no good
qubes.FileCopy
пЃµ
minimal cpio-like format
пЃµ
qvm-copy-to-vm
Qubes OS Practical Intro by Invisible Things Lab, 2014
43
Thunderbird extension
Qubes OS Practical Intro by Invisible Things Lab, 2014
44
Qubes Split GPG
Qubes OS Practical Intro by Invisible Things Lab, 2014
45
Qubes PDF Converter
Qubes OS Practical Intro by Invisible Things Lab, 2014
46
qrexec policy
пЃµ
Central place to allow/deny inter-VM services
пЃµ
E.g. disallow “personal” to request qubes.FileCopy from “work”
пЃµ
E.g. disallow any VM to copy clipboard to “vault”
пЃµ
E.g. allow any VM to open files in a fresh DispVM without asking
пЃµ
See /etc/qubes-rpc/policy (also later slides in Part 2)
Qubes OS Practical Intro by Invisible Things Lab, 2014
47
Qubes OS: Part II
For Power Users &
Devs
Qubes OS Practical Intro by Invisible Things Lab, 2014
48
Qubes Inter-VM
Services: qrexec
Qubes OS Practical Intro by Invisible Things Lab, 2014
49
Inter-VM interactions
пЃµ
VMs, to be useful for anything, must be able to communicate with each
other, and/or with devices
пЃµ
Device virtualization (Networking, Storage, Other devices)
пЃµ
XenStore (Xen system-wide registry)
пЃµ
Qubes GUI virtualization (GUI protocol)
пЃµ
Qubes RPC: qrexec
Qubes OS Practical Intro by Invisible Things Lab, 2014
Inter-VM comm mechanisms in Xen
Level 1: Shared Memory
пЃµ
Grant tables hypercall (setting up shared pages between VMs)
пЃµ
Event Channel hypercall (inter-VM signaling, kind of like UNIX signals)
пЃµ
All Xen frontends/backends communicate using these mechanisms
пЃµ
Xen hypervisor doesn’t enforce/look into this communication
пЃµ
Xen provides convenient macros (via .h) that might be used for a primitive
frontend-backend protocols (so called Ring Buffers)
Qubes OS Practical Intro by Invisible Things Lab, 2014
50
Inter-VM comm mechanisms in Xen:
Level 2: vchan
пЃµ
vchan is a usermode library
пЃµ
Written in early days by Qubes project
пЃµ
Merged into Xen starting from 4.2+ (much improved over “ours”)
пЃµ
Qubes R2 still based on Xen 4.1, using “our old vchan”, R3 uses Xen libvchan.
пЃµ
Builds on top of Grant Tables and Event Channels (see the previous slide)
пЃµ
Exposes socket-like “pipe” connecting two VMs
пЃµ
Qubes R2 limitation: one of the VMs is assumed to be Dom0
пЃµ
Qubes R3 (Xen 4.2+): between any two VMs
Qubes OS Practical Intro by Invisible Things Lab, 2014
51
Inter-VM comm mechanism in Qubes:
Level 3: qrexec (only in Qubes OS currently)
пЃµ
Qubes qrexec is:
пЃµ
Inter-VM protocol that runs over vchan
пЃµ
A set of tools (qrexec-agent, qrexec-client{-vm}, qrexec-daemon)
пЃµ
A policy framework
пЃµ
qrexec is a framework for running programs in other VMs with their
stdin/stdout piped together, all controlled by a central policy
пЃµ
Each VM defines a set of services it can handle and by which programs:
пЃµ
/etc/qubes-rpc/qubes.XYZ files
Qubes OS Practical Intro by Invisible Things Lab, 2014
52
53
qrexec policy
пЃµ
Example: prevent clipboard copy
пЃµ
/etc/qubes-rpc/policy/
пЃµ
Example services:
пЃµ
пЃµ
qubes.ClipboardPaste
пЃµ
qubes.FileCopy
Example policies:
пЃµ
$anyvm vault deny
пЃµ
personal work deny
пЃµ
$anyvm $anyvm ask
Qubes OS Practical Intro by Invisible Things Lab, 2014
54
qrexec implementation (Qubes R2)
qrexec-agent
qrexec-daemon
qrexec-client-vm
qrexec
policy
qrexec-daemon
Qubes OS Practical Intro by Invisible Things Lab, 2014
qrexec-agent
qrexec
service
55
qrexec implementation (Qubes R3)
qrexec-agent
qrexec-daemon
qrexec-client-vm
qrexec
policy
qrexec-daemon
Qubes OS Practical Intro by Invisible Things Lab, 2014
qrexec-agent
qrexec
service
56
qrexec: Hello World!
пЃµ
пЃµ
Client program (runs in VM1):
пЃµ
convert_btc_to_eur.sh <btc amount>
пЃµ
Let’s assume client VM has no networking
Server program (runs in VM2)
пЃµ
пЃµ
btc_to_eur_server.sh
Service name: myservice.ConvertBtcEur
пЃµ
/etc/qubes-rpc/myservice.ConverterBtcEur in VM2
пЃµ
/etc/qubes-rpc/policy/myservice.BtcConverter in Dom0
Qubes OS Practical Intro by Invisible Things Lab, 2014
57
qrexec Hello World!
Internet
qrexec-agent
vchan link
vchan link
Dom0
convert_btc_to_eur.sh
qrexec service connection (myservice.ConvertBtcEur)
qrexec-agent
/etc/qubes-rpc/
myservice.ConvertBtcEur
btc_to_eur_server.sh
qrexec-client-vm
VM1
Qubes OS Practical Intro by Invisible Things Lab, 2014
VM2
download EUR/BTC rate
qrexec
policy
58
qrexec: further reading
пЃµ
https://wiki.qubes-os.org/wiki/Qrexec
пЃµ
http://theinvisiblethings.blogspot.com/2013/02/converting-untrusted-pdfsinto-trusted.html
пЃµ
https://wiki.qubes-os.org/wiki/Qrexec2Implementation
пЃµ
https://wiki.qubes-os.org/wiki/Qrexec3Implementation
Qubes OS Practical Intro by Invisible Things Lab, 2014
59
Qubes Builder
Qubes OS Practical Intro by Invisible Things Lab, 2014
60
Why?
пЃµ
Fetches all Qubes git repos, downloads all the additional source code
пЃµ
пЃµ
Verifies digital signatures on all downloaded code, before it gets used!
пЃµ
пЃµ
пЃµ
Additional code e.g.: linux-3.12.23.tar.xz, xen-4.1.6.1.tar.gz, zlib-1.2.3.tar.gz
BTW, special patch for Xen Makefile not to wget dozens of components over
http... ;)
Allows to specify which public keys are trusted for which components
пЃµ
E.g. we don’t want KDE devel signs to approve our GIT commits!
пЃµ
Actually KDE doesn’t use any keys, but that’s another story ;)
Useful targets: get-sources, prepare-merge, etc. All check for known
digital signature on the latest commit (HEAD)
Qubes OS Practical Intro by Invisible Things Lab, 2014
61
qubes-builder anatomy
пЃµ
One big Makefile, really :)
пЃµ
пЃµ
Plus some helper scripts
chroot()-based
пЃµ
chroot not considered a security container
Qubes OS Practical Intro by Invisible Things Lab, 2014
62
qubes-builder usage
пЃµ
пЃµ
builder.conf
пЃµ
Which components (git repos)
пЃµ
Where repos are to be fetched from, which branches, etc
пЃµ
What distros to build for
makefile targets
пЃµ
get-sources
пЃµ
prepare-merae GIT_SUBDIR=marmarek
пЃµ
qubes
пЃµ
sign-all
пЃµ
update-repo-current{-testing}
Qubes OS Practical Intro by Invisible Things Lab, 2014
63
Building Qubes from scratch
пЃµ
git clone qubes-builder.git
пЃµ
gpg –import ...
пЃµ
git describe && git tag –v
пЃµ
cp builder.conf.default builder.conf
пЃµ
[vim builder.conf]
пЃµ
make get-sources qubes [sign-all] iso
Qubes OS Practical Intro by Invisible Things Lab, 2014
64
Building selected components
пЃµ
make core-admin qubes-app-pdf-converter
пЃµ
make COMPONENETS=“core-admin qubes-app-pdf-converter” qubes
Qubes OS Practical Intro by Invisible Things Lab, 2014
65
Future
пЃµ
Support for deterministic builds
пЃµ
Make it work without networking
пЃµ
with qubes yum proxy at least
пЃµ
Better support for non-Linux-based systems
пЃµ
Use VMs instead of chroot for better isolation of components builds
Qubes OS Practical Intro by Invisible Things Lab, 2014
66
Porting Window
Managers
Qubes OS Practical Intro by Invisible Things Lab, 2014
67
Porting Windows Managers to Qubes
пЃµ
пЃµ
Intro
пЃµ
Trusted desktop
пЃµ
guid
пЃµ
Exported window properties
Customization
пЃµ
Remove useless features (e.g. File Manager, Web browser not needed in Dom0)
пЃµ
Ensure “Start Menu” usable with Qubes app shortcuts
пЃµ
Packaging
пЃµ
Example: Awesome
Qubes OS Practical Intro by Invisible Things Lab, 2014
68
Qubes desktop
guid-1
guid-1
guid-2
guid-3
Qubes OS Practical Intro by Invisible Things Lab, 2014
69
guid process exports X properties
пЃµ
_QUBES_VMNAME
пЃµ
пЃµ
String containing VM name
_QUBES_LABEL
пЃµ
Index to table of supported VM “colors”
Qubes OS Practical Intro by Invisible Things Lab, 2014
70
Appmenus
пЃµ
Shortcuts for starting apps in AppVMs
пЃµ
Standard .desktop files
пЃµ
пЃµ
Exec = qvm-run –a personal Firefox
пЃµ
Automatically generated by core-admin-linux, data obtained from VMs
пЃµ
qubes.GetAppmenus
пЃµ
qubes.GetImageRGBA
For most Window Manager nothing is required to be done here
Qubes OS Practical Intro by Invisible Things Lab, 2014
71
Preparing New
VM Templates
Qubes OS Practical Intro by Invisible Things Lab, 2014
72
What makes a Qubes VM template?
пЃµ
root.img
пЃµ
Qubes-specific agents
пЃµ
GUI
пЃµ
qrexec
пЃµ
qrexec service (qubes.FileCopy, qubes.OpenInVM)
пЃµ
startup core scripts
пЃµ
VM services stripping
пЃµ
/rw linking (e.g. /home, /usr/local)
пЃµ
Qubes templates in R2 are assumed to be PV, not HVM
Qubes OS Practical Intro by Invisible Things Lab, 2014
73
Typical steps when making template
пЃµ
Boot distro as HVM
пЃµ
Build and try Qubes core & GUI agents
пЃµ
Packaging of the Qubes components (rpm, deb, etc)
пЃµ
Installing distro in chroot (e.g. debootstrap)
пЃµ
For qubes-builder (for components builds)
пЃµ
Also for template builder (for root.img build)
пЃµ
Adjusting builder scripts
пЃµ
Building and packaging the template
пЃµ
Posting to qubes-devel, getting template uploaded to templates-community
“AppStore” :)
Qubes OS Practical Intro by Invisible Things Lab, 2014
74
Example of practical porting
пЃµ
Debian and Arch Linux Templates builds examples
пЃµ
https://wiki.qubes-os.org/wiki/BuildingNonFedoraTemplate
пЃµ
https://wiki.qubes-os.org/wiki/BuildingArchlinuxTemplate
Qubes OS Practical Intro by Invisible Things Lab, 2014
75
What’s coming in
Qubes R3?
Qubes OS Practical Intro by Invisible Things Lab, 2014
76
Qubes Odyssey Philosophy
пЃµ
Qubes is not a hypervisor/VMM
пЃµ
Isolation is (relatively) easy, it’s integration requires for desktop system that is hard. Qubes
specializes in the latter.
пЃµ
Users of other VMMs might also benefit from “Qubes approach”
пЃµ
Let’s treat VMM as “isolation provider”, allow to use different VMMs
пЃµ
Other VMMs might offer following benefits
пЃµ
Better h/w compatibility (perhaps sacrificing some security)
пЃµ
Better isolation, e.g. covert channel reduction (perhaps sacrificing some performance)
пЃµ
Different usemodels, e.g. Qubes in the Cloud?
Qubes OS Practical Intro by Invisible Things Lab, 2014
Qubes Odyssey HAL
(Hypervisor Abstraction Layer)
пЃµ
Run any hypervisor instead of Xen
пЃµ
пЃµ
KVM, VMWare, Hyper-V, Linux LXC even perhaps
Porting comprises
пЃµ
libvirt driver for particular VMM
пЃµ
VMM-specific implementation of vchan
пЃµ
A few config files (VMM config, storage config)
пЃµ
GUI daemon: (presently ugly)#ifdef replacement for xc_map_foreign_pages()
Qubes OS Practical Intro by Invisible Things Lab, 2014
77
78
Qubes R3
пЃµ
Qubes R2 rewrite to Odyssey HAL
пЃµ
Core to be released soon
пЃµ
New release cycle & versioning:
пЃµ
3.0-rc1, -rc2, ... (ISO might not build even!)
пЃµ
3.0.0, 3.0.1, 3.0.2 < stable release, bug fixes only
пЃµ
3.1-rc1, -rc2, ... < introducing new features
пЃµ
3.1.0, 3.1.1 < stable release with bug fixes
пЃµ
etc
Qubes OS Practical Intro by Invisible Things Lab, 2014
79
Master Signing Key
пЃµ
427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
Qubes OS Practical Intro by Invisible Things Lab, 2014
© Copyright 2024 Paperzz
