From e03304c8b3dc47c78de1290318c7677ad9484e18 Mon Sep 17 00:00:00 2001 From: Dean V Date: Mon, 24 Apr 2017 09:47:59 -0700 Subject: [PATCH 01/41] Edit whonix.md * Removed some redundant or unnecessary sentences/clauses like "..and these pages may be technical" * Removed a sentence referencing a no longer existent Qubes support forum * Rephrased some sentences * Gerundified words where necessary --- privacy/whonix.md | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/privacy/whonix.md b/privacy/whonix.md index 5db698ac..b86d6700 100644 --- a/privacy/whonix.md +++ b/privacy/whonix.md @@ -24,30 +24,25 @@ while the workstation is used for making AppVMs. ## Getting Started with Whonix -To install Whonix, you must have a working Qubes machine already. - -* [Install Whonix in Qubes](/doc/whonix/install/) +* [Installing Whonix in Qubes](/doc/whonix/install/) * [Updating Whonix in Qubes](/doc/whonix/update/) ## Customizing, Reinstalling, & Uninstalling Whonix * [Customizing Whonix](/doc/whonix/customize/) -* [Uninstall Whonix from Qubes](/doc/whonix/uninstall/) +* [Uninstalling Whonix from Qubes](/doc/whonix/uninstall/) -*The following links are on Whonix's website and may be technical.* +*The following pages are from Whonix's website.* * [Using Whonix with DisposableVMs](https://www.whonix.org/blog/qubes-whonix-dispvm) -* [Security Advice for after installing Whonix on Qubes](https://www.whonix.org/wiki/Post_Install_Advice) +* [Security Advice for using Whonix on Qubes](https://www.whonix.org/wiki/Post_Install_Advice) * [How to set up Tor Bridges in Whonix on Qubes](https://www.whonix.org/wiki/Bridges#How_to_use_bridges_in_Whonix) * [Using Multiple Whonix-Workstations with Whonix on Qubes](https://www.whonix.org/wiki/Multiple_Whonix-Workstations#Qubes-Whonix) * [How to use Corridor (a Tor traffic whitelisting gateway) with Whonix](https://www.whonix.org/wiki/Corridor) ## Support for Whonix -*The following links are on Whonix's site.* +*The following pages are from Whonix's website.* * [Whonix Support](https://www.whonix.org/wiki/Support) - General Whonix, Debian, Tor, etc... related issues * [Whonix Qubes Forum](https://forums.whonix.org/c/qubes) - Whonix specific issues - -You can also use [Qubes support](/help/), but not all Qubes users run Whonix. - From 2a84e9ae33a7596589a5b7d40ac6388a7a076b70 Mon Sep 17 00:00:00 2001 From: Dean V Date: Mon, 24 Apr 2017 12:55:06 -0700 Subject: [PATCH 02/41] Incorporated Suggestions --- privacy/whonix.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/privacy/whonix.md b/privacy/whonix.md index b86d6700..ac3139ad 100644 --- a/privacy/whonix.md +++ b/privacy/whonix.md @@ -32,17 +32,17 @@ while the workstation is used for making AppVMs. * [Customizing Whonix](/doc/whonix/customize/) * [Uninstalling Whonix from Qubes](/doc/whonix/uninstall/) -*The following pages are from Whonix's website.* +*The following pages are written by the Whonix developers and are located on their website.* * [Using Whonix with DisposableVMs](https://www.whonix.org/blog/qubes-whonix-dispvm) -* [Security Advice for using Whonix on Qubes](https://www.whonix.org/wiki/Post_Install_Advice) +* [Post-Installation Security Advice](https://www.whonix.org/wiki/Post_Install_Advice) * [How to set up Tor Bridges in Whonix on Qubes](https://www.whonix.org/wiki/Bridges#How_to_use_bridges_in_Whonix) * [Using Multiple Whonix-Workstations with Whonix on Qubes](https://www.whonix.org/wiki/Multiple_Whonix-Workstations#Qubes-Whonix) * [How to use Corridor (a Tor traffic whitelisting gateway) with Whonix](https://www.whonix.org/wiki/Corridor) ## Support for Whonix -*The following pages are from Whonix's website.* +*The following pages are written by the Whonix developers and are located on their website.* * [Whonix Support](https://www.whonix.org/wiki/Support) - General Whonix, Debian, Tor, etc... related issues * [Whonix Qubes Forum](https://forums.whonix.org/c/qubes) - Whonix specific issues From 86f5e31d2c8ef3e9cb331fa06a9a898aebcbc3a6 Mon Sep 17 00:00:00 2001 From: ubestemt Date: Mon, 1 May 2017 21:21:17 +0000 Subject: [PATCH 03/41] Minor edits; fixed some more typos. --- common-tasks/dispvm.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/common-tasks/dispvm.md b/common-tasks/dispvm.md index 8ec57fcf..30b6a359 100644 --- a/common-tasks/dispvm.md +++ b/common-tasks/dispvm.md @@ -16,11 +16,11 @@ Background A Disposable VM (DispVM) is a lightweight VM that can be created quickly and which will disappear when it is finished with. Usually a Disposable VM is created in order to host a single application, like a viewer or an editor. This means that you can safely work with files without risk of compromising any of your VMs. Changes made to a file opened in a disposable VM are passed back to the originating VM. See [this article](http://theinvisiblethings.blogspot.com/2010/06/disposable-vms.html) for more on why would one want to use a Disposable VM. -By default a Disposable VM will inherit the NetVM and firewall settings of the ancestor VM, that is the VM it is launched from. Thus if an AppVM uses sys-net as NetVM (instead of, say, sys-whonix), any DispVM launched from this AppVM will also have sys-net as its NetVM. You can change this behaviour for individual VMs: in the Qubes Manager open VM Settings for the VM in question and go to the "Advanced" tab. Here you can edit the "NetVM for DispVM" setting to change the NetVM of any DispVM launched from that VM. +By default a DispVM will inherit the NetVM and firewall settings of the ancestor VM, that is the VM it is launched from. Thus if an AppVM uses sys-net as NetVM (instead of, say, sys-whonix), any DispVM launched from this AppVM will also have sys-net as its NetVM. You can change this behaviour for individual VMs: in Qubes VM Manager open VM Settings for the VM in question and go to the "Advanced" tab. Here you can edit the "NetVM for DispVM" setting to change the NetVM of any DispVM launched from that VM. -A Disposable VM launched from the Start Meny inherits the NetVM of a so-called internal TempVM, the *[DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template).* By default it is named `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM) and hidden in Qubes VM Manager; it can be shown by selecting "Show/Hide internal VMs". Notice that changing the "NetVM for DispVM" setting for the DVM Template does *not* affect the NetVM of DispVMs launched from the Start Meny; only changing the DVM Template's own NetVM does. +A DispVM launched from the Start Menu inherits the NetVM of the [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template). By default it is named `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM) and, as an so-called internal VM, hidden in Qubes VM Manager; it can be shown by selecting "Show/Hide internal VMs". Notice that changing the "NetVM for DispVM" setting for the DVM Template does *not* affect the NetVM of DispVMs launched from the Start Menu; only changing the DVM Template's own NetVM does. -Once a DispVM has been created it will appear in the Qubes Manager with the name "dispX", and NetVM and firewall rules can be set as for a normal VM. +Once a DispVM has been created it will appear in Qubes VM Manager with the name "dispX", and NetVM and firewall rules can be set as for a normal VM. Opening a file in a Disposable VM (via GUI) From e9864b7d8281d2416681e5df07b1a2e98ba84155 Mon Sep 17 00:00:00 2001 From: ubestemt Date: Mon, 1 May 2017 21:24:14 +0000 Subject: [PATCH 04/41] Another typo --- common-tasks/dispvm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common-tasks/dispvm.md b/common-tasks/dispvm.md index 30b6a359..1fc16ec7 100644 --- a/common-tasks/dispvm.md +++ b/common-tasks/dispvm.md @@ -18,7 +18,7 @@ A Disposable VM (DispVM) is a lightweight VM that can be created quickly and whi By default a DispVM will inherit the NetVM and firewall settings of the ancestor VM, that is the VM it is launched from. Thus if an AppVM uses sys-net as NetVM (instead of, say, sys-whonix), any DispVM launched from this AppVM will also have sys-net as its NetVM. You can change this behaviour for individual VMs: in Qubes VM Manager open VM Settings for the VM in question and go to the "Advanced" tab. Here you can edit the "NetVM for DispVM" setting to change the NetVM of any DispVM launched from that VM. -A DispVM launched from the Start Menu inherits the NetVM of the [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template). By default it is named `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM) and, as an so-called internal VM, hidden in Qubes VM Manager; it can be shown by selecting "Show/Hide internal VMs". Notice that changing the "NetVM for DispVM" setting for the DVM Template does *not* affect the NetVM of DispVMs launched from the Start Menu; only changing the DVM Template's own NetVM does. +A DispVM launched from the Start Menu inherits the NetVM of the [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template). By default it is named `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM) and, as a so-called internal VM, hidden in Qubes VM Manager; it can be shown by selecting "Show/Hide internal VMs". Notice that changing the "NetVM for DispVM" setting for the DVM Template does *not* affect the NetVM of DispVMs launched from the Start Menu; only changing the DVM Template's own NetVM does. Once a DispVM has been created it will appear in Qubes VM Manager with the name "dispX", and NetVM and firewall rules can be set as for a normal VM. From 97530d2c7b828770bd88a350a60bd5a4bb6437aa Mon Sep 17 00:00:00 2001 From: Dean V Date: Tue, 2 May 2017 12:35:31 -0700 Subject: [PATCH 05/41] Restated the obvious Re-submitted a sentence about installing Qubes back into the article. --- privacy/whonix.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privacy/whonix.md b/privacy/whonix.md index ac3139ad..d2dc9ce5 100644 --- a/privacy/whonix.md +++ b/privacy/whonix.md @@ -23,7 +23,7 @@ by using the gateway as a ProxyVM to route all network traffic through Tor, while the workstation is used for making AppVMs. ## Getting Started with Whonix - +* Note: To install Whonix in Qubes, you must already have a working Qubes machine. * [Installing Whonix in Qubes](/doc/whonix/install/) * [Updating Whonix in Qubes](/doc/whonix/update/) From f572f008266a5eb9b36d554625f8cd3d000cf436 Mon Sep 17 00:00:00 2001 From: Dean V Date: Wed, 17 May 2017 19:54:15 -0700 Subject: [PATCH 06/41] Edit + Disagreement Did some prosaic editing: * Removed unnecessary parentheses * Shortened long sentences * Wording changes. * Removed restatements of earlier sentences Also, this document made the following error about cooperative covert leaking channels in Qubes OS: > It is likely that the only way to **fully protect against leaks of type 1** and 2 is to either pause or shut down all other VMs while performing sensitive operations in the target VM(s) (such as key generation). This is wrong. Closing the other VMs while performing such important activities does nothing to stop leaks in type 1, assuming you turn the other VMs back on at some point. The (presumably compromised) AppVM in question can easily write the information it needs to leak down until the other Qubes come back online. Inserted a new sentence clarifying this. --- security/data-leaks.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/security/data-leaks.md b/security/data-leaks.md index 3fafeab5..1e73ff9d 100644 --- a/security/data-leaks.md +++ b/security/data-leaks.md @@ -16,9 +16,9 @@ The Role of the Firewall **[Firewalling in Qubes](/doc/firewall/) is not intended to be a leak-prevention mechanism.** -There are several reasons for this, which will be explained below. However, the main reason is that Qubes cannot prevent an attacker who has compromised one AppVM (with restrictive firewall rules) from leaking data via cooperative covert channels through a different AppVM (with sufficiently nonrestrictive firewall rules, if any) which the attacker has also compromised. +There are several reasons for this, which will be explained below. However, the main reason is that Qubes cannot prevent an attacker who has compromised one AppVM with restrictive firewall rules from leaking data via cooperative covert channels through another compromised AppVM with nonrestrictive firewall rules. -For example, suppose you have an `email` AppVM. You have set the firewall rules for `email` such that it can communicate only with your email server. Now suppose that an attacker sends you a GPG-encrypted message which exploits a hypothetical bug in the GnuPG process. There are now multiple ways the attacker could proceed to leak data (such as confidential email messages) from `email`. The most obvious way is by simply emailing the data to himself. Another possibility is that the attacker has also compromised another one of your AppVMs, such as your `netvm`, which is normally assumed to be untrusted and has unrestricted access to the network. In this case, the attacker might move data from `email` to the `netvm` via a covert channel, such as the CPU cache. Such covert channels through the CPU cache have been described and even implemented in some "lab environments" and might allow for bandwidths of even a few tens of bits/sec. It is unclear whether such channels could be implemented in a real world system, where multiple VMs execute at the same time, each running tens or hundreds of processes, all using the same cache memory, but it is worth keeping in mind. Of course, this would require special malware written specifically to attack Qubes OS, and perhaps even a specific Qubes OS version and perhaps a specific Qubes OS configuration. Nevertheless, it might be possible. +For example, suppose you have an `email` AppVM. You have set the firewall rules for `email` such that it can communicate only with your email server. Now suppose that an attacker sends you a GPG-encrypted message which exploits a hypothetical bug in the GnuPG process. There are now multiple ways the attacker could proceed to leak data (such as confidential email messages) from `email`. The most obvious way presented in this example is to use your email server to mail the data to him, but lets pretend he can't. Another possibility is that the attacker has also compromised another one of your AppVMs, such as your `netvm`, which is normally assumed to be untrusted and has unrestricted access to the network. In this case, the attacker might move data from `email` to the `netvm` via a covert channel, such as the CPU cache. Such covert channels have been described and even implemented in some "lab environments" and might allow for bandwidths of even a few tens of bits/sec. It is unclear whether such channels could be implemented in a real world system, where multiple VMs are running at the same time, each handling tens or hundreds of processes, all using the same cache memory, but it is worth keeping in mind. Of course, this would require special malware written specifically to attack Qubes OS, and perhaps even a specific Qubes OS version and/or configuration. Nevertheless, it might be possible. Note that physically air-gapped machines are not necessarily immune to this problem. Covert channels can potentially take many forms (e.g., sneakernet thumb drive, bluetooth, or even microphone and speakers). @@ -29,12 +29,12 @@ Types of Data Leaks In order to understand and attempt to prevent data leaks in Qubes, we must distinguish among three different types of relevant data leaks: -1. **Intentional leaks.** Malicious software which actively tries to leak data out of an AppVM, perhaps via cooperative covert channels established with other malicious software in another AppVM (or on some server via networking, if networking, even limited, is allowed for the AppVM). +1. **Intentional leaks.** Malicious software which actively tries to leak data out of an AppVM, perhaps via cooperative covert channels established with other malicious software in another AppVM or on some server via networking, if networking, even limited, is allowed for the AppVM. -1. **Intentional sniffing.** Malicious software trying to use side channels to, e.g., actively guess some key material used in another VM by some non-malicious software there (e.g., non-leak-proof GPG accidentally leaking out bits of the private key by generating some timing patterns when using this key for some crypto operation). Such attacks have been described in the academic literature, but it is doubtful that they would succeed in practice in a moderately busy general purpose system like Qubes OS (where the attacker normally has no way to trigger the target crypto operation explicitly, and it is normally required that the attacker trigger many such operations). +2. **Intentional sniffing.** Malicious software trying to use side channels to, e.g., actively guess some key material used in another VM by some non-malicious software there (e.g., non-leak-proof GPG accidentally leaking out bits of the private key by generating some timing patterns when using this key for some crypto operation). Such attacks have been described in the academic literature, but it is doubtful that they would succeed in practice in a moderately busy general purpose system like Qubes OS where the attacker normally has no way to trigger the target crypto operation explicitly and it is normally required that the attacker trigger many such operations. -1. **Unintentional leaks.** Non-malicious software which is either buggy or doesn't maintain the privacy of user data (whether by design or accident). For example, software which automatically sends error reports to a remote server, where these reports contain details about the system which the user did not want to share. +3. **Unintentional leaks.** Non-malicious software which is either buggy or doesn't maintain the privacy of user data, whether by design or accident. For example, software which automatically sends error reports to a remote server, where these reports contain details about the system which the user did not want to share. -Both Qubes firewall and an empty NetVM (i.e., setting the NetVM of an AppVM to "none") can fully protect against leaks of type 3. However, neither Qubes firewall nor an empty NetVM are guaranteed to protect against leaks of types 1 and 2. It is likely that the only way to fully protect against leaks of type 1 and 2 is to either pause or shut down all other VMs while performing sensitive operations in the target VM(s) (such as key generation). +Both Qubes firewall and an empty NetVM (i.e., setting the NetVM of an AppVM to "none") can fully protect against leaks of type 3. However, neither Qubes firewall nor an empty NetVM are guaranteed to protect against leaks of types 1 and 2. There are few effective, practical policy measures available to end-users today to stop the leaks in type 1. It is likely that the only way to fully protect against leaks of type 2 is to either pause or shut down all other VMs while performing sensitive operations in the target VM(s) (such as key generation). For further discussion, see [this thread](https://groups.google.com/d/topic/qubes-users/t0cmNfuVduw/discussion). From 4409214247718c9b1abf07c4cb05ae4c23d12321 Mon Sep 17 00:00:00 2001 From: Piotr PAWLICKI Date: Mon, 5 Jun 2017 19:06:11 +0200 Subject: [PATCH 07/41] Kali Linux TemplateVM Partial rewrite of the page, mainly the last Kali TemplateVM section to: - add missing steps in TemplateVM creation (ex: trimming to optimize disk space usage) - correct inconsistent file names across subsections, which made the instruction nonfunctional "as-it" - match shell commands with textual instructions - remove unused, duplicate or wrongly formatted links /references - enhance consistency in commands and style used within the same section - enhance consistency in commands and style with other pages (ex: Qubes' Basics and Common Tasks, Fedora 23 to Fedora 24 upgrade, etc.) - better follow Qubes Glossary and Documentation Guidelines - have a hierarchical succession of headers / section titles --- managing-os/pentesting/kali.md | 211 ++++++++++++++++++--------------- 1 file changed, 114 insertions(+), 97 deletions(-) diff --git a/managing-os/pentesting/kali.md b/managing-os/pentesting/kali.md index e87dad3c..83ed7ecd 100644 --- a/managing-os/pentesting/kali.md +++ b/managing-os/pentesting/kali.md @@ -6,7 +6,7 @@ redirect_from: - /doc/kali/ --- -**General Remainder:** +**General reminder:** - The installation scripts and provided tools may have bugs, be vulnerable to Man in the Middle (MitM) attacks or other vulnerabilities. @@ -27,15 +27,10 @@ There are multiple ways to create a Kali Linux VM: 2. Clone the Qubes OS Debian image and turn it into a Kali Linux distribution using [katoolin]. Explained [here](#katoolin). 3. Clone the Qubes OS 'jessie' Debian template, upgrade it to 'stretch' (Debian 9.0) and turn it into a Kali linux template. Explained - [here](#debian-upgrade). + [here](#templatevm-from-debian). -## Alternative Options to Kali - -- [BlackArch][qubes-blackarch] -- [PenTester Framework (PTF)][qubes-ptf] -- [Pentesting][qubes-pentesting] - -## Kali Linux HVM +Kali Linux HVM +-------------- 1. Download the Kali installation DVD @@ -45,11 +40,12 @@ There are multiple ways to create a Kali Linux VM: qvm-start --cdrom :/home/user/Downloads/.iso -## Create Debian Based Kali Template +Debian based Kali Template with Katoolin +---------------------------------------- Katoolin is a script (written in Python) which helps you to install Kali tools. -1. *(Optional)* Install `debian-8` template (if not already installed) +1. (Optional) Install `debian-8` template (if not already installed) 2. Update your `debian-8` template @@ -74,7 +70,7 @@ Katoolin is a script (written in Python) which helps you to install Kali tools. sudo apt-get dist-upgrade sudo apt-get autoremove -6. Install Katoolin and add Kali Linux repositories +5. Install Katoolin and add Kali Linux repositories 1. Install Katoolin @@ -127,12 +123,12 @@ Katoolin is a script (written in Python) which helps you to install Kali tools. What do you want to do ?> ^CShutdown requested...Goodbye... -7. Clean up and update `kali` template +6. Clean up and update `kali` template sudo apt-get dist-upgrade sudo apt-get autoremove -8. Shutdown and trim `kali` template +7. Shutdown and trim `kali` template - Shutdown `kali` template @@ -142,9 +138,9 @@ Katoolin is a script (written in Python) which helps you to install Kali tools. qvm-trim-template kali -9. Start image +8. Start image -11. Install tools +9. Install tools 1. View Categories @@ -160,15 +156,17 @@ Katoolin is a script (written in Python) which helps you to install Kali tools. - **Note:** The `all` option does not work for `Information Gathering`, `Web Apps`, `Forensic Tools`, `Reverse Engineering` and `Extra`. -12. Create a AppVMs based on the `kali` template +10. Create a AppVMs based on the `kali` template - (Optional) Attach necessary devices -## Installing Kali from a Debian template +Kali Linux TemplateVM from a Debian template +-------------------------------------------- -This section will explain how to create your own [Kali] Linux VM as a VM -template. The basic idea is to personalize the template with the tools you need -and then spin up isolated AppVMs based on the template. +This section will explain how to create your own [Kali] Linux TemplateVM based +on a Debian 9.0 (Stretch) TemplateVM. The basic idea is to personalize the +template with all the tools needed, and then spin up isolated AppVMs based on +the template. This has been tested on Qubes OS 3.2. @@ -176,133 +174,152 @@ The steps can be summarised as: 1. Install Qubes' Debian 8.0 (Jessie) template 2. Upgrade the template to Debian 9.0 (Stretch) -3. Install kali through the ``kali-linux-full`` package -4. Use the template to build appVM so that you can maintain isolation between +3. Install Kali Linux through the ``kali-linux-full`` package +4. Use the template to build AppVM so that you can maintain isolation between e.g. pentesting jobs +### Get Kali Linux GPG key ### -Steps to build a Kali template ------------------------------- +This step is required since by (security) default a TemplateVM do not have a +direct Internet connectivity. Users understanding the risks of enabling such +access can change this configuration in firewall settings for the TemplateVM. -### Get the GPG key +1. Retrive the Kali Linux GPG key using a DispVM. -1. You'll need to fetch the Kali GPG key from a dispVM as the template you'll - build won't have direct internet connectivity unless you enable it from the - firewall: + [user@xxxx-dvm ~]$ gpg --keyserver hkp://keys.gnupg.net --recv-key 7D8D0BF6 + [user@xxxx-dvm ~]$ gpg --list-keys --with-fingerprint 7D8D0BF6 + [user@xxxx-dvm ~]$ gpg --export --armor 7D8D0BF6 > kali-key.asc - # in a dispVM - gpg --keyserver hkp://keys.gnupg.net --recv-key 7D8D0BF6 - gpg --list-keys --with-fingerprint 7D8D0BF6 - gpg --export --armor 7D8D0BF6 > kali.asc - -2. **DO NOT TURN OFF** the dispVM +2. **DO NOT TURN OFF** the DispVM, the `kali-key.asc` file will be copied to + the Kali Linux template in a further step. 3. Make sure the key ID is the valid one listed on the [Kali website]. Ideally, verify the fingerprint through other channels as recommended on that link. -Once you have the key, keep the dispVM on as you'll need to copy the key over -to the Kali template. +### Create a Debian 9.0 (Stretch) template ### -### Customize the template +These instructions will show you how to upgrade a Debian 8 TemplateVM to Debian 9. -1. Install [the debian-8 template] if not already installed +**Note:** the prompt on each line indicates where each command should be entered +(`@dom0` or `@debian-9`). -2. Clone the debian template and start a terminal in it: +1. (Optional) Install the [debian-8 Qube template][qubes-template-debian-install] if not already installed. - # in dom0: - qvm-clone debian-8 debian-9 - qvm-run -a debian-9 gnome-terminal +2. Ensure the base template is not running. - # in the debian-9 template terminal: - # substitute jessie for stretch in - sudo -s - sensible-editor /etc/apt/sources.list - sensible-editor /etc/apt/sources.list.d/qubes-r3.list - apt-get update && apt-get dist-upgrade - # (hat tip: [the Debian wiki]) + [user@dom0 ~]$ qvm-shutdown debian-8 - Restart the template when done and make sure you can open a terminal. +3. Clone the base template and start a terminal in the new template. -3. Prepare the kali template: + [user@dom0 ~]$ qvm-clone debian-8 debian-9 + [user@dom0 ~]$ qvm-run -a debian-9 gnome-terminal - # in dom0: - qvm-shutdown debian-9 - qvm-clone debian-9 kali-tpl - qvm-run -a kali-tpl gnome-terminal +4. Attempt the upgrade process in the new template. -3. Add the sources to install Kali linux to the `kali-tpl` template: + [user@debian-9 ~]$ sudo sed -i 's/jessie/stretch/g' /etc/apt/sources.list + [user@debian-9 ~]$ sudo sed -i 's/jessie/stretch/g' /etc/apt/sources.list.d/qubes-r3.list + [user@debian-9 ~]$ sudo apt-get update + [user@debian-9 ~]$ sudo apt-get dist-upgrade + [user@debian-9 ~]$ sudo apt-get autoremove + + 5. Shut down and trim the new template. - # in kali-tpl: - sudo -s - echo 'deb http://http.kali.org/kali kali-rolling main non-free contrib' >> /etc/apt/sources.list + [user@dom0 ~]$ qvm-shutdown debian-9 + [user@dom0 ~]$ qvm-trim-template debian-9 -4. Copy the Kali key from the dispVM into the template: + 6. Ensure a terminal can be opened in the new template. - # in the dispVM: - qvm-copy-to-vm kali-tpl kali.asc + [user@dom0 ~]$ qvm-run -a debian-9 gnome-terminal - # in kali-tpl: - cat /home/user/QubesIncoming/dispXXX/kali-key.asc | sudo apt-key add - +### Create a Kali Linux (rolling) template ### - The last command should return `OK` on a line by itself. +These instructions will show you how to upgrade a Debian 9 TemplateVM to Kali Linux. -5. Update the system: +**Note:** The prompt on each line indicates where each command should be entered +(`@dom0`, `@kali-rolling` or `@xxxx-dvm`). - # in kali-tpl: - sudo -s - apt-get update && apt-get dist-upgrade +1. Ensure the base template is not running. -6. Shut down the `kali-tpl` template: + [user@dom0 ~]$ qvm-shutdown debian-9 - # in dom0: - qvm-shutdown kali-tpl +2. Clone the base template and start a terminal in the new template. -### Install the Kali tools + [user@dom0 ~]$ qvm-clone debian-9 kali-rolling + [user@dom0 ~]$ qvm-run -a kali-rolling gnome-terminal + +3. Copy the Kali GPG key from the DispVM to the new template: + + [user@xxxx-dvm ~]$ qvm-copy-to-vm kali-rolling kali-key.asc + + The DispVM can now be turned off. + +4. Add the Kali GPG key to the list of keys trusted to authenticate packages: + + [user@kali-rolling ~]$ /home/user/QubesIncoming/dispXXX/kali-key.asc | sudo apt-key add - + + This command should return `OK` on a line by itself. + +5. Attempt the upgrade process in the new template. + + [user@kali-rolling ~]$ sudo cat < /etc/apt/sources.list.d/kali.list + # Kali Linux repository + deb http://http.kali.org/kali kali-rolling main non-free contrib + EOF + [user@kali-rolling ~]$ sudo apt-get update + [user@kali-rolling ~]$ sudo apt-get dist-upgrade + [user@kali-rolling ~]$ sudo apt-get autoremove + + 6. Shut down and trim the new template. + + [user@dom0 ~]$ qvm-shutdown kali-rolling + [user@dom0 ~]$ qvm-trim-template kali-rolling + + 7. Ensure a terminal can be opened in the new template. + + [user@dom0 ~]$ qvm-run -a kali-rolling gnome-terminal + +### Install the Kali tools ### At this point you should have a working template and you can install the tools you need. -1. [resize the template] if you plan on installing the full Kali distribution. For example to install `kali-linux-full` you must **grow** the size of the VM system from 10Gb to at least 20Gb. +1. [resize the template disk image][qubes-resize-disk-image] if you plan on installing the full Kali distribution. For example to install `kali-linux-full` you must **grow** the size of the VM system from 10GB to at least 20GB. -1. Install Kali linux: +2. Install Kali Linux tools: - # in kali-tpl: - sudo apt-get install kali-linux-full + [user@kali-rolling ~]$ sudo apt-get install kali-linux-full -2. [optional] Customise the template's home directory (e.g. install your licensed copy of Burp Suite Professional) +3. (Optional) Customise the template's home directory (e.g. install your licensed copy of Burp Suite Professional) -### Use the template +### Use the template ### -The template is ready to be used. You can now spin up AppVMs based on the `kali-tpl` template. +The template is ready to be used. You can now spin up AppVMs based on the `kali-rolling` template. -Alternative Options to Kali -=========================== +Alternative Options to Kali Linux +--------------------------------- - * PenTester Framework: [PTF] ([PTF Qubes OS guide]) - * Black Arch with [BA Qubes OS guide]) - * [KATOOLIN] + * [PenTester Framework][PTF], with [PTF Qubes OS guide][qubes-ptf] + * BlackArch Linux, with [BA Qubes OS guide][qubes-blackarch] + * [KATOOLIN][katoolin-howto] + * more on the [Penetration Testing page][qubes-pentesting] Notes ----- -Thanks to the people in [the discussion thread]. +Thanks to the people in [the discussion thread](https://github.com/QubesOS/qubes-issues/issues/1981). +[qubes-pentesting]: /doc/pentesting/ [qubes-blackarch]: /doc/pentesting/blackarch/ [qubes-ptf]: /doc/pentesting/ptf/ -[qubes-pentesting]: /doc/pentesting/ +[qubes-template-debian-install]: /doc/templates/debian/#install +[qubes-resize-disk-image]: /doc/resize-disk-image/ -[kali-vbox]: https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/ [kali]: https://www.kali.org/ +[kali-vbox]: https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/ [kali website]: https://docs.kali.org/introduction/download-official-kali-linux-images. -[KATOOLIN]: http://www.tecmint.com/install-kali-linux-tools-using-katoolin-on-ubuntu-debian/ -[the debian-8 template]: https://www.qubes-os.org/doc/templates/debian/#install + [PTF]: https://www.trustedsec.com/may-2015/new-tool-the-pentesters-framework-ptf-released/ -[audio CDs]: https://www.reddit.com/r/Nirvana/comments/3hmra1/the_main_character_in_the_tv_show_mr_robot_has_a/ -[resize the template]: https://www.qubes-os.org/doc/resize-disk-image/ -[the Debian wiki]: https://wiki.debian.org/Qubes#Install_Debian_Templates -[the discussion thread]: https://github.com/QubesOS/qubes-issues/issues/1981 -[PTF Qubes OS guide]: https://www.qubes-os.org/doc/pentesting/ptf/ -[BA Qubes OS guide]: https://www.qubes-os.org/doc/pentesting/blackarch/ + [katoolin]: https://github.com/LionSec/katoolin [katoolin-howto]: http://www.tecmint.com/install-kali-linux-tools-using-katoolin-on-ubuntu-debian/ From 1cb8f1156571ae3b72d759b304a074d553fc7e29 Mon Sep 17 00:00:00 2001 From: Joshua Boat Date: Sat, 10 Jun 2017 18:34:29 +0100 Subject: [PATCH 08/41] Update to add StandaloneVM Tutorial --- privacy/signal.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/privacy/signal.md b/privacy/signal.md index a630a50e..a0fce3c2 100644 --- a/privacy/signal.md +++ b/privacy/signal.md @@ -76,6 +76,32 @@ You can now launch the Signal messenger inside its own dedicated AppVM directly The same steps should work for any Chrome app. +Creating a shortcut in the applications menu for a StandaloneVM +--------------------------------------------------------------- + +If you want to add to the standalone VM rather than a template, then follow below. +The following part will also assume that the .desktop file has been correctly made. +This can also be used to add a application portable application/script from a tar archive, also this part of the guide is assuming that the StandaloneVM is called `Signal`. + +1. First you will need to copy/move the .desktop file: `/home/user/Desktop/chrome-bikioccmkafdpakkkcpdbhpfkkhcmohk-Default.desktop`to the applications folder on the StandaloneVM: `/usr/share/applications/` + + [user@Signal ~]$ sudo mv /home/user/Desktop/chrome-bikioccmkafdpakkkcpdbhpfkkhcmohk-Default.desktop /usr/share/applications/ + +2. Now copy/move over the icon file to make it look all nice and pretty. + + [user@Signal ~]$ sudo mv /home/user/Desktop/chrome-bikioccmkafdpakkkcpdbhpfkkhcmohk-Default.desktop /usr/share/icons/hicolor/48x48/apps/ + +3. Now fire up the `dom0` Terminal Emulator from `Q` Menu -> `Terminal Emulator`. All you need to do now is run the command to sync the app menus `qvm-sync-appmenus` along with the Standalone VM name `Signal`. + + [user@dom0 ~]$ qvm-sync-appmenus Signal + +4. Now stop the StandaloneVM: `Signal`. + +5. With your mouse select the `Q` menu -> `Domain: Signal` -> `Signal: Add more shortcuts`. Select `Signal Private Messenger` from the left `Available` column, move it to the right `Selected` column by clicking the `>` button and then `OK` to apply the changes and close the window. + +6. (optional, only on KDE:) Follow the `Q` menu once more, right-click on the new `Signal: Signal Private Messenger` menu item and select `Add to Panel`. + + ----- [Signal]: https://whispersystems.org/ From 7ce89cf1da4e82ceb0f913aa01f436595c50a4f5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 27 Sep 2017 15:05:49 +0200 Subject: [PATCH 09/41] set Qubes policy to allow by default for USB Input --- common-tasks/usb.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/common-tasks/usb.md b/common-tasks/usb.md index dfddc3ed..de308de1 100644 --- a/common-tasks/usb.md +++ b/common-tasks/usb.md @@ -165,7 +165,7 @@ Edit the `qubes.InputKeyboard` policy file in dom0, which is located here: Add a line like this one to the top of the file: - sys-usb dom0 ask,user=root + sys-usb dom0 allow,user=root (Change `sys-usb` to your desired USB qube.) @@ -183,7 +183,7 @@ Edit the `qubes.InputMouse` policy file in dom0, which is located here: Add a line like this to the op of the file: - sys-usb dom0 ask,user=root + sys-usb dom0 allow,user=root (Change `sys-usb` to your desired USB qube.) From 2f73914e540ac26c0d28387b147b92cb0cf9f296 Mon Sep 17 00:00:00 2001 From: thomas Date: Thu, 19 Oct 2017 16:01:35 -0400 Subject: [PATCH 10/41] debian-8-backports electrum has bug, use fedora-25? --- security/split-bitcoin.md | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/security/split-bitcoin.md b/security/split-bitcoin.md index bb284fa0..ffb6f46b 100644 --- a/security/split-bitcoin.md +++ b/security/split-bitcoin.md @@ -17,28 +17,24 @@ A "split" bitcoin wallet is a strategy of protecting your bitcoin by having your A "Watching" Wallet and a "Cold" Wallet --------------------------------------- -1. Create a Debian 8 backports template using the Qubes VM Manager or running - `qvm-clone debian-8 debian-8-backports` in dom0. +1. Create a fedora-25-electrum template using the Qubes VM Manager or running + `qvm-clone fedora-25 fedora-25-electrum` in dom0. -2. Add backports to the sources for the new template by opening a terminal in - the new template, run `sudo vi /etc/apt/sources.list` and add - `deb http://http.debian.net/debian jessie-backports main`. +2. Start the new template and install electrum: + `qvm-start fedora-25-electrum` + `qvm-run fedora-25-electrum xterm` - (If you are new to `vi` text editing, type `i` to be able to edit, and when - done editing press `ESC` then type `:x` and press `ENTER`.) +3. Install `electrum`. Inside fedora-25-electrum terminal enter: + `sudo dnf update`. + `sudo dnf install electrum`. -3. Update source list: `sudo apt-get update`. +5. shut down your `fedora-25-electrum` template -4. Install `electrum` from backports: - `sudo apt-get -t jessie-backports install electrum`. - -5. shut down your `debian-8-backports` template - -6. create an `offline-bitcoin` qube based on `debian-8-backports` using the Qubes VM Manager or running `qvm-create -t debian-8-backports -l black offline-bitcoin` and `qvm-prefs -s offline-bitcoin netvm none` in dom0. +6. create an `offline-bitcoin` qube based on `fedora-25-electrum` using the Qubes VM Manager or running `qvm-create -t fedora-25-electrum -l black offline-bitcoin` and `qvm-prefs -s offline-bitcoin netvm none` in dom0. 7. follow the [electrum documentation in creating an offline wallet](http://docs.electrum.org/en/latest/coldstorage.html#create-an-offline-wallet) -8. create a `watching-bitcoin` qubes based on `debian-8-backports` connecting to the internet how ever you prefer using the Qubes VM Manager or running for example `qvm-create -t debian-8-backports -l green watching-bitcoin` and `qvm-prefs -s watching-bitcoin netvm sys-whonix` in dom0. +8. create a `watching-bitcoin` qubes based on `fedora-25-electrum` connecting to the internet how ever you prefer using the Qubes VM Manager or running for example `qvm-create -t fedora-25-electrum -l green watching-bitcoin` and `qvm-prefs -s watching-bitcoin netvm sys-whonix` in dom0. 9. follow the [electrum documentation in creating an online watching-only wallet](http://docs.electrum.org/en/latest/coldstorage.html#create-a-watching-only-version-of-your-wallet) From e9b70c277bd62f10b5e06a7d64701815fc3591d0 Mon Sep 17 00:00:00 2001 From: Thomas Chiantia Date: Thu, 19 Oct 2017 21:19:53 -0400 Subject: [PATCH 11/41] Update split-bitcoin.md --- security/split-bitcoin.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/security/split-bitcoin.md b/security/split-bitcoin.md index ffb6f46b..ba65410e 100644 --- a/security/split-bitcoin.md +++ b/security/split-bitcoin.md @@ -20,23 +20,23 @@ A "Watching" Wallet and a "Cold" Wallet 1. Create a fedora-25-electrum template using the Qubes VM Manager or running `qvm-clone fedora-25 fedora-25-electrum` in dom0. -2. Start the new template and install electrum: +2. Start the new template: `qvm-start fedora-25-electrum` `qvm-run fedora-25-electrum xterm` -3. Install `electrum`. Inside fedora-25-electrum terminal enter: +3. Install `electrum` to fedora-25-electrum template VM. From fedora-25-electrum terminal enter: `sudo dnf update`. `sudo dnf install electrum`. -5. shut down your `fedora-25-electrum` template +4. Shut down your `fedora-25-electrum` template -6. create an `offline-bitcoin` qube based on `fedora-25-electrum` using the Qubes VM Manager or running `qvm-create -t fedora-25-electrum -l black offline-bitcoin` and `qvm-prefs -s offline-bitcoin netvm none` in dom0. +5. Create an `offline-bitcoin` qube based on `fedora-25-electrum` using the Qubes VM Manager or running `qvm-create -t fedora-25-electrum -l black offline-bitcoin` and `qvm-prefs -s offline-bitcoin netvm none` in dom0. -7. follow the [electrum documentation in creating an offline wallet](http://docs.electrum.org/en/latest/coldstorage.html#create-an-offline-wallet) +6. Follow the [electrum documentation in creating an offline wallet](http://docs.electrum.org/en/latest/coldstorage.html#create-an-offline-wallet) -8. create a `watching-bitcoin` qubes based on `fedora-25-electrum` connecting to the internet how ever you prefer using the Qubes VM Manager or running for example `qvm-create -t fedora-25-electrum -l green watching-bitcoin` and `qvm-prefs -s watching-bitcoin netvm sys-whonix` in dom0. +7. Create a `watching-bitcoin` qubes based on `fedora-25-electrum` connecting to the internet how ever you prefer using the Qubes VM Manager or running for example `qvm-create -t fedora-25-electrum -l green watching-bitcoin` and `qvm-prefs -s watching-bitcoin netvm sys-whonix` in dom0. -9. follow the [electrum documentation in creating an online watching-only wallet](http://docs.electrum.org/en/latest/coldstorage.html#create-a-watching-only-version-of-your-wallet) +8. Follow the [electrum documentation in creating an online watching-only wallet](http://docs.electrum.org/en/latest/coldstorage.html#create-a-watching-only-version-of-your-wallet) Important Notes --------------- From 5bdec5234b40c1a524a4c02c2adb622ddf6d7daa Mon Sep 17 00:00:00 2001 From: Thomas Chiantia Date: Thu, 19 Oct 2017 21:19:53 -0400 Subject: [PATCH 12/41] Update split-bitcoin.md Signed-off-by: thomas --- security/split-bitcoin.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/security/split-bitcoin.md b/security/split-bitcoin.md index ffb6f46b..ba65410e 100644 --- a/security/split-bitcoin.md +++ b/security/split-bitcoin.md @@ -20,23 +20,23 @@ A "Watching" Wallet and a "Cold" Wallet 1. Create a fedora-25-electrum template using the Qubes VM Manager or running `qvm-clone fedora-25 fedora-25-electrum` in dom0. -2. Start the new template and install electrum: +2. Start the new template: `qvm-start fedora-25-electrum` `qvm-run fedora-25-electrum xterm` -3. Install `electrum`. Inside fedora-25-electrum terminal enter: +3. Install `electrum` to fedora-25-electrum template VM. From fedora-25-electrum terminal enter: `sudo dnf update`. `sudo dnf install electrum`. -5. shut down your `fedora-25-electrum` template +4. Shut down your `fedora-25-electrum` template -6. create an `offline-bitcoin` qube based on `fedora-25-electrum` using the Qubes VM Manager or running `qvm-create -t fedora-25-electrum -l black offline-bitcoin` and `qvm-prefs -s offline-bitcoin netvm none` in dom0. +5. Create an `offline-bitcoin` qube based on `fedora-25-electrum` using the Qubes VM Manager or running `qvm-create -t fedora-25-electrum -l black offline-bitcoin` and `qvm-prefs -s offline-bitcoin netvm none` in dom0. -7. follow the [electrum documentation in creating an offline wallet](http://docs.electrum.org/en/latest/coldstorage.html#create-an-offline-wallet) +6. Follow the [electrum documentation in creating an offline wallet](http://docs.electrum.org/en/latest/coldstorage.html#create-an-offline-wallet) -8. create a `watching-bitcoin` qubes based on `fedora-25-electrum` connecting to the internet how ever you prefer using the Qubes VM Manager or running for example `qvm-create -t fedora-25-electrum -l green watching-bitcoin` and `qvm-prefs -s watching-bitcoin netvm sys-whonix` in dom0. +7. Create a `watching-bitcoin` qubes based on `fedora-25-electrum` connecting to the internet how ever you prefer using the Qubes VM Manager or running for example `qvm-create -t fedora-25-electrum -l green watching-bitcoin` and `qvm-prefs -s watching-bitcoin netvm sys-whonix` in dom0. -9. follow the [electrum documentation in creating an online watching-only wallet](http://docs.electrum.org/en/latest/coldstorage.html#create-a-watching-only-version-of-your-wallet) +8. Follow the [electrum documentation in creating an online watching-only wallet](http://docs.electrum.org/en/latest/coldstorage.html#create-a-watching-only-version-of-your-wallet) Important Notes --------------- From b95467d39c8835663d18c542218346b981ce7427 Mon Sep 17 00:00:00 2001 From: Michael Carbone Date: Thu, 26 Oct 2017 09:51:36 -0400 Subject: [PATCH 13/41] fix typos --- basics_user/user-faq.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/basics_user/user-faq.md b/basics_user/user-faq.md index fbb85b69..5ef705fb 100644 --- a/basics_user/user-faq.md +++ b/basics_user/user-faq.md @@ -44,7 +44,7 @@ Qubes Users' FAQ * [Can I install Qubes on a system without VT-d?](#can-i-install-qubes-on-a-system-without-vt-d) * [What is a DMA attack?](#what-is-a-dma-attack) * [Can I use AMD-v instead of VT-x?](#can-i-use-amd-v-instead-of-vt-x) - * [Can I install Qubes in a virtual machine (e.g., on VMWare)?](#can-i-install-qubes-in-a-virtual-machine-eg-on-vmware) + * [Can I install Qubes in a virtual machine (e.g., on VMware)?](#can-i-install-qubes-in-a-virtual-machine-eg-on-vmware) * [Why does my network adapter not work?](#why-does-my-network-adapter-not-work) * [Can I install Qubes OS together with other operating system (dual-boot/multi-boot)?](#can-i-install-qubes-os-together-with-other-operating-system-dual-bootmulti-boot) @@ -160,7 +160,7 @@ We do not provide OpenGL virtualization for Qubes. This is mostly a security decision, as implementing such a feature would most likely introduce a great deal of complexity into the GUI virtualization infrastructure. However, Qubes does allow for the use of accelerated graphics (OpenGL) in Dom0’s Window Manager, so all the fancy desktop effects should still work. -For further discussion about the potential for GPU passthorugh on Xen/Qubes, please see the following threads: +For further discussion about the potential for GPU passthrough on Xen/Qubes, please see the following threads: - [GPU passing to HVM](https://groups.google.com/group/qubes-devel/browse_frm/thread/31f1f2da39978573?scoring=d&q=GPU&) - [Clarifications on GPU security](https://groups.google.com/group/qubes-devel/browse_frm/thread/31e2d8a47c8b4474?scoring=d&q=GPU&) @@ -280,7 +280,7 @@ Most attacks on NetVM / UsbVM (but not all!) require being somewhat close to the See [this message](http://groups.google.com/group/qubes-devel/msg/6412170cfbcb4cc5). -### Can I install Qubes in a virtual machine (e.g., on VMWare)? +### Can I install Qubes in a virtual machine (e.g., on VMware)? Some users have been able to do this, but it is neither recommended nor supported. Qubes should be installed bare-metal. (After all, it uses its own bare-metal hypervisor!) From 4072678d540fcc9df1d0c122b09816a51edf978b Mon Sep 17 00:00:00 2001 From: Michael Carbone Date: Thu, 26 Oct 2017 11:23:46 -0400 Subject: [PATCH 14/41] fix typos / clarify language thanks to the transifex localization community for reporting these! --- services/dom0-secure-updates.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/services/dom0-secure-updates.md b/services/dom0-secure-updates.md index 4465b0a9..28179c7c 100644 --- a/services/dom0-secure-updates.md +++ b/services/dom0-secure-updates.md @@ -14,7 +14,7 @@ Qubes Dom0 secure update procedure Reasons for Dom0 updates ------------------------ -Normally there should be few reasons for updating software in Dom0. This is because there is no networking in Dom0, which means that even if some bugs will be discovered e.g. in the Dom0 Desktop Manager, this really is not a problem for Qubes, because all the 3rd party software running in Dom0 is not accessible from VMs or network in any way. Some exceptions to the above include: Qubes GUI daemon, Xen store daemon, and disk back-ends (we plan move the disk backends to untrusted domain in Qubes 2.0). Of course we believe this software is reasonably secure and we hope it will not need patching. +Normally there should be few reasons for updating software in Dom0. This is because there is no networking in Dom0, which means that even if some bugs will be discovered e.g. in the Dom0 Desktop Manager, this really is not a problem for Qubes, because all the 3rd party software running in Dom0 is not accessible from VMs or network in any way. Some exceptions to the above include: Qubes GUI daemon, Xen store daemon, and disk back-ends (we plan to move the disk backends to untrusted domain in Qubes 2.0). Of course we believe this software is reasonably secure and we hope it will not need patching. However, we anticipate some other situations when updating Dom0 software might be required: @@ -25,20 +25,20 @@ However, we anticipate some other situations when updating Dom0 software might b Problems with traditional network-based update mechanisms --------------------------------------------------------- -Dom0 is the most trusted domain on Qubes OS, and for this reason we decided to design Qubes in such a way that Dom0 is not connected to any network. In fact only select domains can be connected to a network via so called network domains. There could also be more than one network domain, e.g. in case the user is connected to more than one physically or logically separated networks. +Dom0 is the most trusted domain on Qubes OS, and for this reason we decided to design Qubes in such a way that Dom0 is not connected to any network. In fact only certain domains can be connected to a network via so-called network domains. There can also be more than one network domain, e.g. in case the user is connected to more than one physically or logically separated networks. -Secure update mechanism we use in Qubes (starting from Beta 2 +Secure update mechanism we use in Qubes (starting from Beta 2) ------------------------------------------------------------- Keeping Dom0 not connected to any network makes it hard, however, to provide updates for software in Dom0. For this reason we have come up with the following mechanism for Dom0 updates, which minimizes the amount of untrusted input processed by Dom0 software: The update process is initiated by [qvm-dom0-update script](https://github.com/QubesOS/qubes-core-admin-linux/blob/release2/dom0-updates/qubes-dom0-update), running in Dom0. -Updates (\*.rpm files) are checked and downloaded by UpdateVM, which by default is the same as the firewall VM, but can be configured to be any other, network-connected VM. This is done by [qubes-download-dom0-updates.sh script](https://github.com/QubesOS/qubes-core-agent-linux/blob/release2/misc/qubes-download-dom0-updates.sh) (this script is executed using qrexec by the previously mentioned qvm-dom0-update). Note that we assume that this script might get compromised and might download a maliciously compromised downloads -- this is not a problem as Dom0 verifies digital signatures on updates later. The downloaded rpm files are placed in a ~~~/var/lib/qubes/dom0-updates~~~ directory on UpdateVM filesystem (again, they might get compromised while being kept there, still this isn't a problem). This directory is passed to yum using the ~~~--installroot=~~~ option. +Updates (\*.rpm files) are checked and downloaded by UpdateVM, which by default is the same as the firewall VM, but can be configured to be any other, network-connected VM. This is done by [qubes-download-dom0-updates.sh script](https://github.com/QubesOS/qubes-core-agent-linux/blob/release2/misc/qubes-download-dom0-updates.sh) (this script is executed using qrexec by the previously mentioned qvm-dom0-update). Note that we assume that this script might get compromised and fetch maliciously compromised downloads -- this is not a problem as Dom0 verifies digital signatures on updates later. The downloaded rpm files are placed in a ~~~/var/lib/qubes/dom0-updates~~~ directory on UpdateVM filesystem (again, they might get compromised while being kept there, still this isn't a problem). This directory is passed to yum using the ~~~--installroot=~~~ option. Once updates are downloaded, the update script that runs in UpdateVM requests an RPM service [qubes.ReceiveUpdates](https://github.com/QubesOS/qubes-core-admin-linux/blob/release2/dom0-updates/qubes.ReceiveUpdates) to be executed in Dom0. This service is implemented by [qubes-receive-updates script](https://github.com/QubesOS/qubes-core-admin-linux/blob/release2/dom0-updates/qubes-receive-updates) running in Dom0. The Dom0's qvm-dom0-update script (which originally initiated the whole update process) waits until qubes-receive-updates finished. -The qubes-receive-updates script processes the untrusted input from Update VM: it first extracts the received \*.rpm files (that are sent over qrexec data connection) and then verifies digital signature on each file. The qubes-receive-updates script is a security-critical component of the Dom0 update process (as is the [qfile-dom0-unpacker.c](https://github.com/QubesOS/qubes-core-admin-linux/blob/release2/dom0-updates/qfile-dom0-unpacker.c) and the rpm utility, both used by the qubes-receive-updates for processing the untrusted input. +The qubes-receive-updates script processes the untrusted input from Update VM: it first extracts the received \*.rpm files (that are sent over qrexec data connection) and then verifies digital signature on each file. The qubes-receive-updates script is a security-critical component of the Dom0 update process (as is the [qfile-dom0-unpacker.c](https://github.com/QubesOS/qubes-core-admin-linux/blob/release2/dom0-updates/qfile-dom0-unpacker.c) and the rpm utility, both used by the qubes-receive-updates for processing the untrusted input). Once qubes-receive-updates finished unpacking and verifying the updates, the updates are placed in ``qubes-receive-updates`` directory in Dom0 filesystem. Those updates are now trusted. Dom0 is configured (see /etc/yum.conf in Dom0) to use this directory as a default (and only) [yum repository](https://github.com/QubesOS/qubes-core-admin-linux/blob/release2/dom0-updates/qubes-cached.repo). From e67088f3bd0f52e119ed1cd30fb542302fab1af7 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Thu, 26 Oct 2017 21:29:16 -0500 Subject: [PATCH 15/41] Revert "attacker emailing himself" sentence for clarity --- security/data-leaks.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/data-leaks.md b/security/data-leaks.md index 1e73ff9d..b351b28b 100644 --- a/security/data-leaks.md +++ b/security/data-leaks.md @@ -18,7 +18,7 @@ The Role of the Firewall There are several reasons for this, which will be explained below. However, the main reason is that Qubes cannot prevent an attacker who has compromised one AppVM with restrictive firewall rules from leaking data via cooperative covert channels through another compromised AppVM with nonrestrictive firewall rules. -For example, suppose you have an `email` AppVM. You have set the firewall rules for `email` such that it can communicate only with your email server. Now suppose that an attacker sends you a GPG-encrypted message which exploits a hypothetical bug in the GnuPG process. There are now multiple ways the attacker could proceed to leak data (such as confidential email messages) from `email`. The most obvious way presented in this example is to use your email server to mail the data to him, but lets pretend he can't. Another possibility is that the attacker has also compromised another one of your AppVMs, such as your `netvm`, which is normally assumed to be untrusted and has unrestricted access to the network. In this case, the attacker might move data from `email` to the `netvm` via a covert channel, such as the CPU cache. Such covert channels have been described and even implemented in some "lab environments" and might allow for bandwidths of even a few tens of bits/sec. It is unclear whether such channels could be implemented in a real world system, where multiple VMs are running at the same time, each handling tens or hundreds of processes, all using the same cache memory, but it is worth keeping in mind. Of course, this would require special malware written specifically to attack Qubes OS, and perhaps even a specific Qubes OS version and/or configuration. Nevertheless, it might be possible. +For example, suppose you have an `email` AppVM. You have set the firewall rules for `email` such that it can communicate only with your email server. Now suppose that an attacker sends you a GPG-encrypted message which exploits a hypothetical bug in the GnuPG process. There are now multiple ways the attacker could proceed to leak data (such as confidential email messages) from `email`. The most obvious way is by simply emailing the data to himself. Another possibility is that the attacker has also compromised another one of your AppVMs, such as your `netvm`, which is normally assumed to be untrusted and has unrestricted access to the network. In this case, the attacker might move data from `email` to the `netvm` via a covert channel, such as the CPU cache. Such covert channels have been described and even implemented in some "lab environments" and might allow for bandwidths of even a few tens of bits/sec. It is unclear whether such channels could be implemented in a real world system, where multiple VMs are running at the same time, each handling tens or hundreds of processes, all using the same cache memory, but it is worth keeping in mind. Of course, this would require special malware written specifically to attack Qubes OS, and perhaps even a specific Qubes OS version and/or configuration. Nevertheless, it might be possible. Note that physically air-gapped machines are not necessarily immune to this problem. Covert channels can potentially take many forms (e.g., sneakernet thumb drive, bluetooth, or even microphone and speakers). @@ -35,6 +35,6 @@ In order to understand and attempt to prevent data leaks in Qubes, we must disti 3. **Unintentional leaks.** Non-malicious software which is either buggy or doesn't maintain the privacy of user data, whether by design or accident. For example, software which automatically sends error reports to a remote server, where these reports contain details about the system which the user did not want to share. -Both Qubes firewall and an empty NetVM (i.e., setting the NetVM of an AppVM to "none") can fully protect against leaks of type 3. However, neither Qubes firewall nor an empty NetVM are guaranteed to protect against leaks of types 1 and 2. There are few effective, practical policy measures available to end-users today to stop the leaks in type 1. It is likely that the only way to fully protect against leaks of type 2 is to either pause or shut down all other VMs while performing sensitive operations in the target VM(s) (such as key generation). +Both Qubes firewall and an empty NetVM (i.e., setting the NetVM of an AppVM to "none") can fully protect against leaks of type 3. However, neither Qubes firewall nor an empty NetVM are guaranteed to protect against leaks of types 1 and 2. There are few effective, practical policy measures available to end-users today to stop the leaks of type 1. It is likely that the only way to fully protect against leaks of type 2 is to either pause or shut down all other VMs while performing sensitive operations in the target VM(s) (such as key generation). For further discussion, see [this thread](https://groups.google.com/d/topic/qubes-users/t0cmNfuVduw/discussion). From fb4e74416b5e898a346c058a0a725e544472a62c Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Fri, 27 Oct 2017 21:21:26 -0500 Subject: [PATCH 16/41] Add warning about key verification (#431) --- managing-os/pentesting/kali.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/managing-os/pentesting/kali.md b/managing-os/pentesting/kali.md index 83ed7ecd..31dd9b75 100644 --- a/managing-os/pentesting/kali.md +++ b/managing-os/pentesting/kali.md @@ -180,6 +180,10 @@ The steps can be summarised as: ### Get Kali Linux GPG key ### +**CAUTION:** Before proceeding, please carefully read [On Digital Signatures and Key Verification][qubes-verifying-signatures]. +This website cannot guarantee that any PGP key you download from the Internet is authentic. +Always obtain a trusted key fingerprint via other channels, and always check any key you download against your trusted copy of the fingerprint. + This step is required since by (security) default a TemplateVM do not have a direct Internet connectivity. Users understanding the risks of enabling such access can change this configuration in firewall settings for the TemplateVM. @@ -193,8 +197,8 @@ access can change this configuration in firewall settings for the TemplateVM. 2. **DO NOT TURN OFF** the DispVM, the `kali-key.asc` file will be copied to the Kali Linux template in a further step. -3. Make sure the key ID is the valid one listed on the [Kali website]. Ideally, - verify the fingerprint through other channels as recommended on that link. +3. Make sure the key is the authentic Kali key. + See the [Kali website] for further advice and instructions on verification. ### Create a Debian 9.0 (Stretch) template ### @@ -309,6 +313,7 @@ Notes Thanks to the people in [the discussion thread](https://github.com/QubesOS/qubes-issues/issues/1981). +[qubes-verifying-signatures]: /security/verifying-signatures/ [qubes-pentesting]: /doc/pentesting/ [qubes-blackarch]: /doc/pentesting/blackarch/ [qubes-ptf]: /doc/pentesting/ptf/ @@ -317,7 +322,7 @@ Thanks to the people in [the discussion thread](https://github.com/QubesOS/qubes [kali]: https://www.kali.org/ [kali-vbox]: https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/ -[kali website]: https://docs.kali.org/introduction/download-official-kali-linux-images. +[kali website]: https://docs.kali.org/introduction/download-official-kali-linux-images [PTF]: https://www.trustedsec.com/may-2015/new-tool-the-pentesters-framework-ptf-released/ From 0b2e959ffa54ac5e77ed79f39b600a8ae55270a1 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Fri, 27 Oct 2017 21:24:10 -0500 Subject: [PATCH 17/41] Remove deprecated section on upgrading to Debian 9 (#431) Now that native Debian 9 TemplateVMs are available, it is no longer necessary to manually upgrade a Debian 8 template to Debian 9. --- managing-os/pentesting/kali.md | 35 ---------------------------------- 1 file changed, 35 deletions(-) diff --git a/managing-os/pentesting/kali.md b/managing-os/pentesting/kali.md index 31dd9b75..7ee4f3b2 100644 --- a/managing-os/pentesting/kali.md +++ b/managing-os/pentesting/kali.md @@ -200,41 +200,6 @@ access can change this configuration in firewall settings for the TemplateVM. 3. Make sure the key is the authentic Kali key. See the [Kali website] for further advice and instructions on verification. -### Create a Debian 9.0 (Stretch) template ### - -These instructions will show you how to upgrade a Debian 8 TemplateVM to Debian 9. - -**Note:** the prompt on each line indicates where each command should be entered -(`@dom0` or `@debian-9`). - -1. (Optional) Install the [debian-8 Qube template][qubes-template-debian-install] if not already installed. - -2. Ensure the base template is not running. - - [user@dom0 ~]$ qvm-shutdown debian-8 - -3. Clone the base template and start a terminal in the new template. - - [user@dom0 ~]$ qvm-clone debian-8 debian-9 - [user@dom0 ~]$ qvm-run -a debian-9 gnome-terminal - -4. Attempt the upgrade process in the new template. - - [user@debian-9 ~]$ sudo sed -i 's/jessie/stretch/g' /etc/apt/sources.list - [user@debian-9 ~]$ sudo sed -i 's/jessie/stretch/g' /etc/apt/sources.list.d/qubes-r3.list - [user@debian-9 ~]$ sudo apt-get update - [user@debian-9 ~]$ sudo apt-get dist-upgrade - [user@debian-9 ~]$ sudo apt-get autoremove - - 5. Shut down and trim the new template. - - [user@dom0 ~]$ qvm-shutdown debian-9 - [user@dom0 ~]$ qvm-trim-template debian-9 - - 6. Ensure a terminal can be opened in the new template. - - [user@dom0 ~]$ qvm-run -a debian-9 gnome-terminal - ### Create a Kali Linux (rolling) template ### These instructions will show you how to upgrade a Debian 9 TemplateVM to Kali Linux. From 9abdb86f5dff35c13a3602a5de53e8673b10ecf3 Mon Sep 17 00:00:00 2001 From: Inventor Date: Sat, 28 Oct 2017 22:11:21 -0400 Subject: [PATCH 18/41] Update usb.md --- common-tasks/usb.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/common-tasks/usb.md b/common-tasks/usb.md index 24f4d5dc..2e32005d 100644 --- a/common-tasks/usb.md +++ b/common-tasks/usb.md @@ -50,6 +50,8 @@ steps as root in dom0: qubesctl state.highstate +**Warning:** This has the potential to prevent you from connecting a keyboard to Qubes via USB. There are problems with doing this with a encrypted install (LUKS). If you find yourself in this situation, see this [issue][2270-comm23] + Alternatively, you can create a USB qube manually as follows: 1. Read the [Assigning Devices] page to learn how to list and identify your @@ -378,6 +380,7 @@ This feature is not yet available in Qubes Manager however, if you would like to [623]: https://github.com/QubesOS/qubes-issues/issues/623 [1072-comm1]: https://github.com/QubesOS/qubes-issues/issues/1072#issuecomment-124270051 [1072-comm2]: https://github.com/QubesOS/qubes-issues/issues/1072#issuecomment-124119309 +[2270-comm23]:https://github.com/QubesOS/qubes-issues/issues/2270#issuecomment-340230674 [1082]: https://github.com/QubesOS/qubes-issues/issues/1082 [hide-usb]: #how-to-hide-all-usb-controllers-from-dom0 [faq-usbvm]: /doc/user-faq/#i-created-a-usbvm-and-assigned-usb-controllers-to-it-now-the-usbvm-wont-boot From 536e8e0bec23668b66e8b876bb9d4e6089d05d82 Mon Sep 17 00:00:00 2001 From: Inventor Date: Sat, 28 Oct 2017 22:16:50 -0400 Subject: [PATCH 19/41] Warning for usb-vm creation Added a warning to ensure that people don't get locked out of Qubes without adequate warning and a guide to getting them out of it. --- common-tasks/usb.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/common-tasks/usb.md b/common-tasks/usb.md index 2e32005d..53663593 100644 --- a/common-tasks/usb.md +++ b/common-tasks/usb.md @@ -24,6 +24,8 @@ Using and Managing USB Devices Creating and Using a USB qube ----------------------------- +**Warning:** This has the potential to prevent you from connecting a keyboard to Qubes via USB. There are problems with doing this with a encrypted install (LUKS). If you find yourself in this situation, see this [issue][2270-comm23] + The connection of an untrusted USB device to dom0 is a security risk since dom0, like almost every OS, reads partition tables automatically and since the whole USB stack is put to work to parse the data presented by the USB device in order @@ -50,8 +52,6 @@ steps as root in dom0: qubesctl state.highstate -**Warning:** This has the potential to prevent you from connecting a keyboard to Qubes via USB. There are problems with doing this with a encrypted install (LUKS). If you find yourself in this situation, see this [issue][2270-comm23] - Alternatively, you can create a USB qube manually as follows: 1. Read the [Assigning Devices] page to learn how to list and identify your From ae905bc17adaf25bdabd48fa9d5788f2c19cf8cd Mon Sep 17 00:00:00 2001 From: Inventor Date: Sat, 28 Oct 2017 22:17:08 -0400 Subject: [PATCH 20/41] Added period --- common-tasks/usb.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common-tasks/usb.md b/common-tasks/usb.md index 53663593..ff882c1a 100644 --- a/common-tasks/usb.md +++ b/common-tasks/usb.md @@ -24,7 +24,7 @@ Using and Managing USB Devices Creating and Using a USB qube ----------------------------- -**Warning:** This has the potential to prevent you from connecting a keyboard to Qubes via USB. There are problems with doing this with a encrypted install (LUKS). If you find yourself in this situation, see this [issue][2270-comm23] +**Warning:** This has the potential to prevent you from connecting a keyboard to Qubes via USB. There are problems with doing this with a encrypted install (LUKS). If you find yourself in this situation, see this [issue][2270-comm23]. The connection of an untrusted USB device to dom0 is a security risk since dom0, like almost every OS, reads partition tables automatically and since the whole From ea70a064d0ceffadb76f60fcbde0fda63c932f30 Mon Sep 17 00:00:00 2001 From: Inventor Date: Sun, 29 Oct 2017 10:00:13 -0400 Subject: [PATCH 21/41] Changed github issues link --- common-tasks/usb.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common-tasks/usb.md b/common-tasks/usb.md index ff882c1a..bfd935fd 100644 --- a/common-tasks/usb.md +++ b/common-tasks/usb.md @@ -380,7 +380,7 @@ This feature is not yet available in Qubes Manager however, if you would like to [623]: https://github.com/QubesOS/qubes-issues/issues/623 [1072-comm1]: https://github.com/QubesOS/qubes-issues/issues/1072#issuecomment-124270051 [1072-comm2]: https://github.com/QubesOS/qubes-issues/issues/1072#issuecomment-124119309 -[2270-comm23]:https://github.com/QubesOS/qubes-issues/issues/2270#issuecomment-340230674 +[2270-comm23]: https://github.com/QubesOS/qubes-issues/issues/2270#issuecomment-242900312 [1082]: https://github.com/QubesOS/qubes-issues/issues/1082 [hide-usb]: #how-to-hide-all-usb-controllers-from-dom0 [faq-usbvm]: /doc/user-faq/#i-created-a-usbvm-and-assigned-usb-controllers-to-it-now-the-usbvm-wont-boot From 853ffc7c489f3a233a1f8293c80c6f84271f2e54 Mon Sep 17 00:00:00 2001 From: Inventor Date: Sun, 29 Oct 2017 11:07:40 -0400 Subject: [PATCH 22/41] Added missing colon --- common-tasks/usb.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common-tasks/usb.md b/common-tasks/usb.md index bfd935fd..0b221dc2 100644 --- a/common-tasks/usb.md +++ b/common-tasks/usb.md @@ -112,7 +112,7 @@ opt to create a USB qube during installation. This also occurs automatically if you choose to [create a USB qube] using the `qubesctl` method, which is the first pair of steps in the linked section.) -**Warning** USB keyboard cannot be used to type the disk passphrase +**Warning:** USB keyboard cannot be used to type the disk passphrase if USB controllers were hidden from dom0. Before hiding USB controllers make sure your laptop keyboard is not internally connected via USB (by checking output of `lsusb` command) or that you have a PS/2 keyboard at hand From 1db71f3b7b41fb9e4df6d0a9779ae1a80308e149 Mon Sep 17 00:00:00 2001 From: Michael Carbone Date: Mon, 30 Oct 2017 07:01:29 -0400 Subject: [PATCH 23/41] fix typos and clarify language thanks to french localization team for reporting these! --- basics_user/user-faq.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/basics_user/user-faq.md b/basics_user/user-faq.md index 5ef705fb..8e55e191 100644 --- a/basics_user/user-faq.md +++ b/basics_user/user-faq.md @@ -273,7 +273,7 @@ But since you can read the whole memory, it isn't that hard. Now, how does this apply to Qubes OS? The above attack requires access to a PCI device, which means that it can be performed only from NetVM / UsbVM, so someone must first break into one of those VMs. But this isn't that hard, because there is a lot of complex code handling network traffic. -Recent bugs includes DHCP client, DNS client, etc. +Recent bugs include DHCP client, DNS client, etc. Most attacks on NetVM / UsbVM (but not all!) require being somewhat close to the target system - for example connected to the same WiFi network, or in the case of a UsbVM, having physical acccess to a USB port. ### Can I use AMD-v instead of VT-x? @@ -292,9 +292,9 @@ Open a terminal and run `sudo yum install linux-firmware` in the TemplateVM upon ### Can I install Qubes OS together with other operating system (dual-boot/multi-boot)? -You shouldn't do that, because it pose a security risk for your Qubes OS installation. -But if you understand the risk and accept it, read [documentation on multibooting](/doc/multiboot/). -It starts with explanation what is wrong with using such setup. +You shouldn't do that, because it poses a security risk for your Qubes OS installation. +But if you understand the risk and accept it, read [documentation on multibooting](/doc/multiboot/), +it begins with an explanation of the risks with such a setup. Common Problems --------------- @@ -307,7 +307,7 @@ See [here](/doc/version-scheme/#check-installed-version). Run `systemctl enable NetworkManager-dispatcher.service` in the TemplateVM upon which your NetVM is based. You may have to reboot afterward for the change to take effect. -(Note: This is an upstream problem. See [here](https://bugzilla.redhat.com/show_bug.cgi?id=974811). +(Note: This is an upstream problem. See [here](https://bugzilla.redhat.com/show_bug.cgi?id=974811)). For details, see the qubes-users mailing list threads [here](https://groups.google.com/d/topic/qubes-users/xPLGsAJiDW4/discussion) and [here](https://groups.google.com/d/topic/qubes-users/uN9G8hjKrGI/discussion).) ### My keyboard layout settings are not behaving correctly. What should I do? @@ -346,7 +346,7 @@ This is probably because one of the controllers does not support reset. In Qubes R2 any such errors were ignored but in Qubes R3.0 they are not. A device that does not support reset is not safe and generally should not be assigned to a VM. -Most likely the offending controller is a USB3.0 device. +Most likely the offending controller is a USB 3.0 device. You can remove this controller from the usbVM, and see if this allows the VM to boot. Alternatively you may be able to disable USB 3.0 in the BIOS. From 3058a8fa4c88cb41ddae81fc43ee1c5b26de583d Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Tue, 31 Oct 2017 03:36:39 -0500 Subject: [PATCH 24/41] Update Peter Todd's endorsement --- about/experts.md | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/about/experts.md b/about/experts.md index a0e4730f..eb1d15d9 100644 --- a/about/experts.md +++ b/about/experts.md @@ -56,6 +56,21 @@ permalink: /experts/ +
+
+ + + +
+
+ +
"Donated a % of my consulting company's last year revenue to Qubes OS. I rely on it for all my work, and recommend it to clients too." + +
Peter Todd, Applied Cryptography Consultant
+
+ +
+
@@ -86,21 +101,6 @@ permalink: /experts/
-
-
- - - -
-
- -
"One of the most valuable parts of installing QubesOS was forcing myself to think through exactly what vulns [vulnerabilities] I have." - -
Peter Todd, Applied Cryptography Consultant
-
- -
-
From 437cd39a0776ed319f42abd4be55de2a1e92433f Mon Sep 17 00:00:00 2001 From: Archjuna Date: Wed, 1 Nov 2017 18:52:03 +0100 Subject: [PATCH 25/41] Update signal.md --- privacy/signal.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/privacy/signal.md b/privacy/signal.md index a0fce3c2..b37363f9 100644 --- a/privacy/signal.md +++ b/privacy/signal.md @@ -38,6 +38,7 @@ If you're a Signal user on Android, you can now have Signal inside Qubes. this app with your phone. 6. Signal should now work in your AppVM. + Creating a Shortcut in the applications menu -------------------------------------------- @@ -101,6 +102,32 @@ This can also be used to add a application portable application/script from a ta 6. (optional, only on KDE:) Follow the `Q` menu once more, right-click on the new `Signal: Signal Private Messenger` menu item and select `Add to Panel`. +Use AppVM based on debian +--------------------------------------------------------------- + +If you don't use chromium, you can install signal with debian : + +1. (Optional)Create a TemplateVM (debian 8) + + [user@dom0 ~]$ sudo qubes-dom0-update qubes-template-debian-8 +2. Open a terminal in debian 8 + + [user@dom0 ~]$ qvm-run -a debian-8 gnome-terminal + +3. Use these commands in your terminal + + (Optional)[user@debian-8 ~]$ sudo apt-get install curl + [user@debian-8 ~]$ curl -s https://updates.signal.org/desktop/apt/keys.asc | sudo apt-key add - + [user@debian-8 ~]$ echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" | sudo tee -a /etc/apt/sources.list.d/signal-xenial.list + [user@debian-8 ~]$ sudo apt uptdate && sudo apt install signal-desktop + +5. Shutdown the TemplateVM : + + [user@dom0 ~]$ qvm-shutdown debian-8 + +6. Create a AppVM based on this TemplateVM +7. With your mouse select the `Q` menu -> `Domain: "AppVM Name"` -> `"AppVM Name": Add more shortcuts` + Select `Signal` from the left `Available` column, move it to the right `Selected` column by clicking the `>` button and then `OK` to apply the changes and close the window. ----- From 55cf63cc725cae216ebbce4c9ac43a545221cd0d Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Wed, 1 Nov 2017 22:31:00 -0500 Subject: [PATCH 26/41] Add warning about key verification (#476) --- privacy/signal.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/privacy/signal.md b/privacy/signal.md index b37363f9..bf80ba4b 100644 --- a/privacy/signal.md +++ b/privacy/signal.md @@ -105,6 +105,10 @@ This can also be used to add a application portable application/script from a ta Use AppVM based on debian --------------------------------------------------------------- +**CAUTION:** Before proceeding, please carefully read [On Digital Signatures and Key Verification][qubes-verifying-signatures]. +This website cannot guarantee that any PGP key you download from the Internet is authentic. +Always obtain a trusted key fingerprint via other channels, and always check any key you download against your trusted copy of the fingerprint. + If you don't use chromium, you can install signal with debian : 1. (Optional)Create a TemplateVM (debian 8) @@ -131,6 +135,7 @@ If you don't use chromium, you can install signal with debian : ----- +[qubes-verifying-signatures]: /security/verifying-signatures/ [Signal]: https://whispersystems.org/ [signal-wikipedia]: https://en.wikipedia.org/wiki/Signal_(software) [shortcut]: https://support.whispersystems.org/hc/en-us/articles/216839277-Where-is-Signal-Desktop-on-my-computer- From 0bb7473e1ffd7c75f6ff8a7780c2e183845febb2 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Wed, 1 Nov 2017 22:33:26 -0500 Subject: [PATCH 27/41] Clean up text (#476) --- privacy/signal.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/privacy/signal.md b/privacy/signal.md index bf80ba4b..5cc8ce0d 100644 --- a/privacy/signal.md +++ b/privacy/signal.md @@ -102,19 +102,20 @@ This can also be used to add a application portable application/script from a ta 6. (optional, only on KDE:) Follow the `Q` menu once more, right-click on the new `Signal: Signal Private Messenger` menu item and select `Add to Panel`. -Use AppVM based on debian ---------------------------------------------------------------- +Use an AppVM based on Debian +---------------------------- **CAUTION:** Before proceeding, please carefully read [On Digital Signatures and Key Verification][qubes-verifying-signatures]. This website cannot guarantee that any PGP key you download from the Internet is authentic. Always obtain a trusted key fingerprint via other channels, and always check any key you download against your trusted copy of the fingerprint. -If you don't use chromium, you can install signal with debian : +If you don't use Chromium, you can install signal with Debian: -1. (Optional)Create a TemplateVM (debian 8) +1. (Optional)Create a TemplateVM (Debian 8) [user@dom0 ~]$ sudo qubes-dom0-update qubes-template-debian-8 -2. Open a terminal in debian 8 + +2. Open a terminal in Debian 8 [user@dom0 ~]$ qvm-run -a debian-8 gnome-terminal @@ -123,13 +124,13 @@ If you don't use chromium, you can install signal with debian : (Optional)[user@debian-8 ~]$ sudo apt-get install curl [user@debian-8 ~]$ curl -s https://updates.signal.org/desktop/apt/keys.asc | sudo apt-key add - [user@debian-8 ~]$ echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" | sudo tee -a /etc/apt/sources.list.d/signal-xenial.list - [user@debian-8 ~]$ sudo apt uptdate && sudo apt install signal-desktop + [user@debian-8 ~]$ sudo apt update && sudo apt install signal-desktop 5. Shutdown the TemplateVM : [user@dom0 ~]$ qvm-shutdown debian-8 -6. Create a AppVM based on this TemplateVM +6. Create an AppVM based on this TemplateVM 7. With your mouse select the `Q` menu -> `Domain: "AppVM Name"` -> `"AppVM Name": Add more shortcuts` Select `Signal` from the left `Available` column, move it to the right `Selected` column by clicking the `>` button and then `OK` to apply the changes and close the window. From d8544f2d9c74aa9e27f30472e7c40f9b86a92412 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 6 Nov 2017 23:59:05 +0100 Subject: [PATCH 28/41] Update 4.0 release schedule --- releases/4.0/schedule.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/releases/4.0/schedule.md b/releases/4.0/schedule.md index 00bcf6af..b2cf0e4f 100644 --- a/releases/4.0/schedule.md +++ b/releases/4.0/schedule.md @@ -17,3 +17,6 @@ This schedule is based on [Version Scheme](/doc/version-scheme/#release-schedule | 28 Aug 2017
11 Sep 2017
9 Oct 2017
18 Oct 2017 | current-testing freeze before 4.0-rc2 | | 4 Sep 2017
18 Sep 2017
16 Oct 2017
23 Oct 2017 | 4.0-rc2 release | | 6 Nov 2017 | decide whether 4.0-rc2 is the final 4.0 | +| 20 Nov 2017 | current-testing freeze before 4.0-rc3 | +| 27 Nov 2017 | 4.0-rc3 release | +| 11 Dec 2017 | decide whether 4.0-rc3 is the final 4.0 | From 4b2d6119650321da1f46217d62f50e9c78d88fb9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Nov 2017 00:39:28 +0100 Subject: [PATCH 29/41] improve usage instructions --- security/yubi-key.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/security/yubi-key.md b/security/yubi-key.md index a01fff13..306e5316 100644 --- a/security/yubi-key.md +++ b/security/yubi-key.md @@ -88,9 +88,13 @@ To use this mode you need: ### Usage -When you want to unlock your screen, plug YubiKey into USB slot, then enter -password associated with YubiKey. If you configured so, YubiKey will request -confirmation by pressing button on it (it will blink). +When you want to unlock your screen... + +1) Plug YubiKey into USB slot. +2) Enter password associated with YubiKey. +3) Press Enter. +4) If you configured so, YubiKey will request confirmation by pressing button on it (it will blink). + When everything is ok, your screen will be unlocked. In any case you can still use your login password, but do it in secure location From 6c76f98d4562a89068e9fdb5a9b9965ee0db18d6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Nov 2017 00:46:52 +0100 Subject: [PATCH 30/41] more verbose instructions for Locking the screen when YubiKey is removed --- security/yubi-key.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/security/yubi-key.md b/security/yubi-key.md index a01fff13..77cd46e1 100644 --- a/security/yubi-key.md +++ b/security/yubi-key.md @@ -104,7 +104,9 @@ YubiKey. This will require creating simple qrexec service which will expose ability to lock the screen to your USB VM, and then adding udev hook to actually call that service. -1. First configure the qrexec service. Create `/etc/qubes-rpc/custom.LockScreen` (in dom0) +In dom0: + +1. First configure the qrexec service. Create `/etc/qubes-rpc/custom.LockScreen` with simple command to lock the screen. In case of xscreensaver (used in Xfce) it would be: @@ -115,7 +117,9 @@ would require creating `/etc/qubes-rpc/policy/custom.LockScreen` with: sys-usb dom0 allow -3. Create udev hook in your USB VM. Store it in `/rw/config` to have it +In your USB VM: + +3. Create udev hook. Store it in `/rw/config` to have it persistent across VM restarts. For example name the file `/rw/config/yubikey.rules`. Write there single line: @@ -126,8 +130,13 @@ persistent across VM restarts. For example name the file ln -s /rw/config/yubikey.rules /etc/udev/rules.d/ udevadm control --reload - Then make `/rw/config/rc.local` executable. For changes to take effect, you - need to call this script manually for the first time. +5. Then make `/rw/config/rc.local` executable. + + sudo chmod +x /rw/config/rc.local + +6. For changes to take effect, you need to call this script manually for the first time. + + sudo /rw/config/rc.local If you use KDE, the command(s) in first step would be different: From 353c8e841614c28029a2547ff0aea9c78fd6a193 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 15 Nov 2017 02:59:41 +0100 Subject: [PATCH 31/41] more useful link for USB keyboard --- security/yubi-key.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/yubi-key.md b/security/yubi-key.md index a01fff13..62032361 100644 --- a/security/yubi-key.md +++ b/security/yubi-key.md @@ -11,7 +11,7 @@ Using YubiKey to Qubes authentication ===================================== You can use YubiKey to enhance Qubes user authentication, for example to mitigate -risk of snooping the password. This can also slightly improve security when you have [USB keyboard](https://github.com/marmarek/qubes-app-linux-input-proxy). +risk of snooping the password. This can also slightly improve security when you have [USB keyboard](https://www.qubes-os.org/doc/usb/#security-warning-about-usb-input-devices). There (at least) two possible configurations: using OTP mode and using challenge-response mode. From a62f13f13c88aab7a11c060e9a8a60cc658b90f6 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Tue, 14 Nov 2017 21:15:14 -0600 Subject: [PATCH 32/41] Remove "unofficial" notice and fix typo QubesOS/qubes-issues#2876 --- basics_dev/package-contributions.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/basics_dev/package-contributions.md b/basics_dev/package-contributions.md index 56731da6..4665e0ec 100644 --- a/basics_dev/package-contributions.md +++ b/basics_dev/package-contributions.md @@ -7,8 +7,6 @@ permalink: /doc/package-contributions/ Package Contributions ===================== -**Notice:** *This is an unofficial draft. Once this information is official, this notice will be removed.* - We're very grateful to the talented and hard-working community members who contribute software packages to Qubes OS. This page explains the inclusion criteria and procedures for such packages, as well as the roles and responsibilities of those involved. @@ -23,7 +21,7 @@ In order to be accepted, packages must: * Have a clearly-defined use case for Qubes users. * Not be unduly burdensome to review. -(Please note that we always reserve the right add criteria to this list.) +(Please note that we always reserve the right to add criteria to this list.) Contribution Procedure ---------------------- From 9da16a9ee89898278d81ef517a3c278d88cb189f Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Tue, 14 Nov 2017 21:16:24 -0600 Subject: [PATCH 33/41] Add "Contribute packages" as a way to contribute QubesOS/qubes-issues#2876 --- basics_user/contributing.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/basics_user/contributing.md b/basics_user/contributing.md index 7af8c78f..b2ab9b59 100644 --- a/basics_user/contributing.md +++ b/basics_user/contributing.md @@ -17,6 +17,7 @@ ways in which you can help: * Audit the [source code] * [Report security issues] * [Send patches][patch] to fix bugs or implement features +* [Contribute packages] * [Report bugs] * [Test new releases and updates] * Submit [HCL reports] for your hardware @@ -60,6 +61,7 @@ be grateful to [receive your patch][patch]. [source code]: /doc/source-code/ [Report security issues]: /security/ [patch]: /doc/source-code/#how-to-send-patches +[Contribute packages]: /doc/package-contributions [Report bugs]: /doc/reporting-bugs/ [Test new releases and updates]: /doc/testing/ [HCL reports]: /doc/hcl/ From af529072cf6d460faede6b61c1a3647e34c95151 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Tue, 14 Nov 2017 21:17:19 -0600 Subject: [PATCH 34/41] Add Package Contributions page to doc index Closes QubesOS/qubes-issues#2876 --- doc.md | 1 + 1 file changed, 1 insertion(+) diff --git a/doc.md b/doc.md index e8f055e1..2f161a0a 100644 --- a/doc.md +++ b/doc.md @@ -207,6 +207,7 @@ The Basics * [Report a Security Issue](/security/) * [Report a Bug](/doc/reporting-bugs/) * [How to Contribute](/doc/contributing/) + * [Package Contributions](/doc/package-contributions/) * [Testing new releases and updates](/doc/testing/) * [Source Code](/doc/source-code/) * [Qubes OS License](/doc/license/) From 08d3c91c01bddc100c4f586a6b5c4de9e06322be Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Tue, 14 Nov 2017 21:35:29 -0600 Subject: [PATCH 35/41] Remove StackExchange link (QubesOS/qubes-issues#2880) --- basics_user/contributing.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/basics_user/contributing.md b/basics_user/contributing.md index b2ab9b59..b3e13b22 100644 --- a/basics_user/contributing.md +++ b/basics_user/contributing.md @@ -32,7 +32,6 @@ ways in which you can help: * Follow us on [Twitter] * Join us on [Reddit] * Like us on [Facebook] - * Support our [StackExchange] proposal * And last but not least, tell your friends and colleagues about how Qubes can help them secure their digital lives! @@ -74,7 +73,6 @@ be grateful to [receive your patch][patch]. [Twitter]: https://twitter.com/QubesOS [Reddit]: https://www.reddit.com/r/Qubes/ [Facebook]: https://www.facebook.com/QubesOS -[StackExchange]: https://area51.stackexchange.com/proposals/98519/qubes-os [GitHub issues]: https://github.com/QubesOS/qubes-issues/issues [qubes-devel]: /mailing-lists/#qubes-devel [Community-Developed Feature Tracker]: https://www.qubes-os.org/qubes-issues/ From e3c16ae26e69b8691be0d8607f3e0beba85b38da Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Wed, 15 Nov 2017 22:37:00 -0600 Subject: [PATCH 36/41] Consolidate FAQs into a single page (QubesOS/qubes-issues#2704) --- basics_user/user-faq.md => about/faq.md | 227 ++++++++++++------------ basics_dev/devel-faq.md | 62 ------- 2 files changed, 113 insertions(+), 176 deletions(-) rename basics_user/user-faq.md => about/faq.md (80%) delete mode 100644 basics_dev/devel-faq.md diff --git a/basics_user/user-faq.md b/about/faq.md similarity index 80% rename from basics_user/user-faq.md rename to about/faq.md index 8e55e191..8633c817 100644 --- a/basics_user/user-faq.md +++ b/about/faq.md @@ -1,75 +1,34 @@ --- -layout: doc -title: Users' FAQ -permalink: /doc/user-faq/ +layout: sidebar +title: FAQ +permalink: /faq/ redirect_from: +- /doc/user-faq/ - /en/doc/user-faq/ - /doc/UserFaq/ - /wiki/UserFaq/ +- /doc/devel-faq/ +- /en/doc/devel-faq/ +- /doc/DevelFaq/ +- /wiki/DevelFaq/ --- -Qubes Users' FAQ -================ +# Frequently Asked Questions -[General Questions](#general-questions) ---------------------------------------- - * [Is Qubes just another Linux distribution?](#is-qubes-just-another-linux-distribution) - * [How is Qubes different from other security solutions?](#how-is-qubes-different-from-other-security-solutions) - * [Does Qubes use full disk encryption (FDE)?](#does-qubes-use-full-disk-encryption-fde) - * [What is the main concept behind Qubes?](#what-is-the-main-concept-behind-qubes) - * [What about other approaches to security?](#what-about-other-approaches-to-security) - * [What about safe languages and formally verified microkernels?](#what-about-safe-languages-and-formally-verified-microkernels) - * [Why does Qubes use virtualization?](#why-does-qubes-use-virtualization) - * [What do all these terms mean?](#what-do-all-these-terms-mean) - * [Does Qubes run every app in a separate VM?](#does-qubes-run-every-app-in-a-separate-vm) - * [Why does Qubes use Xen instead of KVM or some other hypervisor?](#why-does-qubes-use-xen-instead-of-kvm-or-some-other-hypervisor) - * [What about this other/new (micro)kernel/hypervisor?](#what-about-this-othernew-microkernelhypervisor) - * [What's so special about Qubes' GUI virtualization?](#whats-so-special-about-qubes-gui-virtualization) - * [Can I watch YouTube videos in qubes?](#can-i-watch-youtube-videos-in-qubes) - * [Can I run applications, like games, which require 3D support?](#can-i-run-applications-like-games-which-require-3d-support) - * [Is Qubes a multi-user system?](#is-qubes-a-multi-user-system) - * [Why passwordless sudo?](#why-passwordless-sudo) - * [How should I report documentation issues?](#how-should-i-report-documentation-issues) - * [Will Qubes seek to get certified on the GNU Free System Distribution Guidelines (GNU FSDG)?](#will-qubes-seek-to-get-certified-under-the-gnu-free-system-distribution-guidelines-gnu-fsdg) - * [Should I trust this website?](#should-i-trust-this-website) - * [What does it mean to "distrust the infrastructure"?](#what-does-it-mean-to-distrust-the-infrastructure) - * [Why does this website use Cloudflare?](#why-does-this-website-use-cloudflare) - * [Why doesn't this website have security feature X?](#why-doesnt-this-website-have-security-feature-x) +## General & Security Questions -[Installation & Hardware Compatibility](#installation--hardware-compatibility) ------------------------------------------------------------------------------- - * [How much disk space does each qube require?](#how-much-disk-space-does-each-qube-require) - * [How much memory is recommended for Qubes?](#how-much-memory-is-recommended-for-qubes) - * [Can I install Qubes on a system without VT-x?](#can-i-install-qubes-on-a-system-without-vt-x) - * [Can I install Qubes on a system without VT-d?](#can-i-install-qubes-on-a-system-without-vt-d) - * [What is a DMA attack?](#what-is-a-dma-attack) - * [Can I use AMD-v instead of VT-x?](#can-i-use-amd-v-instead-of-vt-x) - * [Can I install Qubes in a virtual machine (e.g., on VMware)?](#can-i-install-qubes-in-a-virtual-machine-eg-on-vmware) - * [Why does my network adapter not work?](#why-does-my-network-adapter-not-work) - * [Can I install Qubes OS together with other operating system (dual-boot/multi-boot)?](#can-i-install-qubes-os-together-with-other-operating-system-dual-bootmulti-boot) +### What is the main concept behind Qubes? -[Common Problems](#common-problems) ------------------------------------ - * [Which version of Qubes am I running?](#which-version-of-qubes-am-i-running) - * [My qubes lost Internet access after a TemplateVM update. What should I do?](#my-qubes-lost-internet-access-after-a-templatevm-update-what-should-i-do) - * [My keyboard layout settings are not behaving correctly. What should I do?](#my-keyboard-layout-settings-are-not-behaving-correctly-what-should-i-do) - * [My dom0 and/or TemplateVM update stalls when attempting to update via …](#my-dom0-andor-templatevm-update-stalls-when-attempting-to-update-via-the-gui-tool-what-should-i-do) - * [How do I run a Windows HVM in non-seamless mode (i.e., as a single window)?](#how-do-i-run-a-windows-hvm-in-non-seamless-mode-ie-as-a-single-window) - * [I created a usbVM and assigned usb controllers to it. Now the usbVM wont boot.](#i-created-a-usbvm-and-assigned-usb-controllers-to-it-now-the-usbvm-wont-boot) - * [I assigned a PCI device to a qube, then unassigned it/shut down the …](#i-assigned-a-pci-device-to-a-qube-then-unassigned-itshut-down-the-qube-why-isnt-the-device-available-in-dom0) - * [How do I install Flash in a Debian qube?](#how-do-i-install-flash-in-a-debian-qube) - * [How do I play video files?](#how-do-i-play-video-files) - * [How do I access my external drive?](#how-do-i-access-my-external-drive) - * [My encrypted drive doesn't appear in Debian qube?](#my-encrypted-drive-doesnt-appear-in-debian-qube) - * [Windows Update is stuck.](#windows-update-is-stuck) - * [Fullscreen Firefox is frozen.](#fullscreen-firefox-is-frozen) - * [I have weird graphics glitches like the screen turning partially black.](#i-have-weird-graphics-glitches-like-the-screen-turning-partially-black) - ------------------ +To build security on the "Security by Compartmentalization (or Isolation)" principle. +### What about other approaches to security? -General Questions ------------------ +The other two popular [approaches](https://blog.invisiblethings.org/2008/09/02/three-approaches-to-computer-security.html) are “Security by Correctness” and “Security by Obscurity.” +We don't believe either of these approaches are capable of providing reasonable security today, nor do we believe that they will be capable of doing so in the foreseeable future. + +### How is Qubes different from other security solutions? + +Please see [this article](https://blog.invisiblethings.org/2012/09/12/how-is-qubes-os-different-from.html) for a thorough discussion. ### Is Qubes just another Linux distribution? @@ -77,26 +36,6 @@ If you really want to call it a distribution, then it's more of a "Xen distribut But Qubes is much more than just Xen packaging. It has its own VM management infrastructure, with support for template VMs, centralized VM updating, etc. It also has a very unique GUI virtualization infrastructure. -### How is Qubes different from other security solutions? - -Please see [this article](https://blog.invisiblethings.org/2012/09/12/how-is-qubes-os-different-from.html) for a thorough discussion. - -### Does Qubes use full disk encryption (FDE)? - -Yes, of course! -Full disk encryption is enabled by default. -Specifically, we use [`LUKS`](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup)/[`dm-crypt`](https://en.wikipedia.org/wiki/Dm-crypt). -You can even [manually configure your encryption parameters](/doc/encryption-config/), if you like! - -### What is the main concept behind Qubes? - -To build security on the “Security by Compartmentalization (or Isolation)” principle. - -### What about other approaches to security? - -The other two popular [approaches](https://blog.invisiblethings.org/2008/09/02/three-approaches-to-computer-security.html) are “Security by Correctness” and “Security by Obscurity.” -We don't believe either of these approaches are capable of providing reasonable security today, nor do we believe that they will be capable of doing so in the foreseeable future. - ### What about safe languages and formally verified microkernels? In short: these are non-realistic solutions today. We discuss this in further depth in our [Architecture Specification document](/attachment/wiki/QubesArchitecture/arch-spec-0.3.pdf). @@ -105,6 +44,13 @@ In short: these are non-realistic solutions today. We discuss this in further de We believe that this is currently the only practically viable approach to implementing strong isolation while simultaneously providing compatibility with existing applications and drivers. +### Does Qubes use full disk encryption (FDE)? + +Yes, of course! +Full disk encryption is enabled by default. +Specifically, we use [`LUKS`](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup)/[`dm-crypt`](https://en.wikipedia.org/wiki/Dm-crypt). +You can even [manually configure your encryption parameters](/doc/encryption-config/), if you like! + ### What do all these terms mean? All Qubes-specific terms are defined in the [glossary](/doc/glossary/). @@ -149,30 +95,6 @@ We have designed the GUI virtualization subsystem with two primary goals: securi Our GUI infrastructure introduces only about 2,500 lines of C code (LOC) into the privileged domain (Dom0), which is very little, and thus leaves little space for bugs and potential attacks. At the same time, due to the smart use of Xen shared memory, our GUI implementation is very efficient, so most virtualized applications really feel as if they were executed natively. -### Can I watch YouTube videos in qubes? - -Absolutely. - -### Can I run applications, like games, which require 3D support? - -Those won’t fly. -We do not provide OpenGL virtualization for Qubes. -This is mostly a security decision, as implementing such a feature would most likely introduce a great deal of complexity into the GUI virtualization infrastructure. -However, Qubes does allow for the use of accelerated graphics (OpenGL) in Dom0’s Window Manager, so all the fancy desktop effects should still work. - -For further discussion about the potential for GPU passthrough on Xen/Qubes, please see the following threads: - -- [GPU passing to HVM](https://groups.google.com/group/qubes-devel/browse_frm/thread/31f1f2da39978573?scoring=d&q=GPU&) -- [Clarifications on GPU security](https://groups.google.com/group/qubes-devel/browse_frm/thread/31e2d8a47c8b4474?scoring=d&q=GPU&) - -### Is Qubes a multi-user system? - -No. -Qubes does not pretend to be a multi-user system. -Qubes assumes that the user who controls Dom0 controls the whole system. -It would be very difficult to **securely** implement multi-user support. -See [here](https://groups.google.com/group/qubes-devel/msg/899f6f3efc4d9a06) for details. - ### Why passwordless sudo? Please refer to [this page](https://www.qubes-os.org/doc/vm-sudo/). @@ -227,11 +149,45 @@ So, if feature X isn't enabled, it's most likely for one of three reasons: 3. Our platform supports it, but we're not aware that we can enable it or have forgotten to do so. (If it seems like this is the case, let us know!) +---------- -Installation & Hardware Compatibility -------------------------------------- +## Users -(See also: [System Requirements](/doc/system-requirements/), [Hardware Compatibility List](/hcl/), and [Certified Laptops](/doc/certified-laptops/).) +### Can I watch YouTube videos in qubes? + +Absolutely. + +### Can I run applications, like games, which require 3D support? + +Those won’t fly. +We do not provide OpenGL virtualization for Qubes. +This is mostly a security decision, as implementing such a feature would most likely introduce a great deal of complexity into the GUI virtualization infrastructure. +However, Qubes does allow for the use of accelerated graphics (OpenGL) in Dom0’s Window Manager, so all the fancy desktop effects should still work. + +For further discussion about the potential for GPU passthrough on Xen/Qubes, please see the following threads: + +- [GPU passing to HVM](https://groups.google.com/group/qubes-devel/browse_frm/thread/31f1f2da39978573?scoring=d&q=GPU&) +- [Clarifications on GPU security](https://groups.google.com/group/qubes-devel/browse_frm/thread/31e2d8a47c8b4474?scoring=d&q=GPU&) + +### Is Qubes a multi-user system? + +No. +Qubes does not pretend to be a multi-user system. +Qubes assumes that the user who controls Dom0 controls the whole system. +It would be very difficult to **securely** implement multi-user support. +See [here](https://groups.google.com/group/qubes-devel/msg/899f6f3efc4d9a06) for details. + +### What are the system requirements for Qubes OS? + +See the [System Requirements](/doc/system-requirements/). + +### Is there a list of hardware that is compatible with Qubes OS? + +See the [Hardware Compatibility List](/hcl/). + +### Is there any certified hardware for Qubes OS? + +See [Certified Hardware](/doc/certified-hardware/). ### How much disk space does each qube require? @@ -296,9 +252,6 @@ You shouldn't do that, because it poses a security risk for your Qubes OS instal But if you understand the risk and accept it, read [documentation on multibooting](/doc/multiboot/), it begins with an explanation of the risks with such a setup. -Common Problems ---------------- - ### Which version of Qubes am I running? See [here](/doc/version-scheme/#check-installed-version). @@ -338,10 +291,8 @@ In your TemplateVMs, open a terminal and run `sudo yum upgrade`. Enable "debug mode" in the qube's settings, either by checking the box labeled "Run in debug mode" in the Qubes VM Manager qube settings menu or by running the [qvm-prefs command](/doc/dom0-tools/qvm-prefs/).) - ### I created a usbVM and assigned usb controllers to it. Now the usbVM wont boot. - This is probably because one of the controllers does not support reset. In Qubes R2 any such errors were ignored but in Qubes R3.0 they are not. A device that does not support reset is not safe and generally should not be assigned to a VM. @@ -385,8 +336,7 @@ or MODALIAS=`cat /sys/bus/pci/devices/0000:/modalias` MOD=`modprobe -R $MODALIAS | head -n 1` echo 0000: > /sys/bus/pci/drivers/$MOD/bind - - + ### How do I install Flash in a Debian qube? The Debian way is to install the flashplugin-nonfree package. @@ -472,3 +422,52 @@ If it seems like the issue described in [this thread](https://github.com/QubesOS - Q → System Tools → Window Manager Tweaks → Compositor → uncheck "Enable display compositing" Please report (via the mailing lists) if you experience this issue, and whether disabling the compositor fixes it for you or not. + +---------- + +## Developers + +### Why does dom0 need to be 64-bit? + +Since 2013 [Xen has not supported 32-bit x86 architecture](https://wiki.xenproject.org/wiki/Xen_Project_Release_Features) and Intel VT-d, which Qubes uses to isolate devices and drivers, is available on Intel 64-bit processors only. + +In addition, with features like improved ASLR, it is often more difficult to exploit a bug on x64 Linux than x86 Linux. +While we designed Qubes from the beginning to limit potential attack vectors, we still realize that some of the code running in Dom0, e.g. our GUI daemon or xen-store daemon, however simple, might contain some bugs. +Plus since we haven't implemented a separate storage domain, the disk backends are in Dom0 and are "reachable" from the VMs, which adds up to the potential attack surface. +So, having faced a choice between 32-bit and 64-bit OS for Dom0, it was almost a no-brainer. +The 64-bit option provides some (little perhaps, but some) more protection against some classes of attacks, and at the same time does not have any disadvantages except the extra requirement of a 64 bit processor. +And even though Qubes now "needs" a 64 bit processor, it didn't make sense to run Qubes on a system without 3-4GB of memory, and those have 64-bit CPUs anyway. + +### What is the recommended build environment for Qubes OS? + +Any rpm-based, 64-bit environment, the preferred OS being Fedora. + +### How do I build Qubes from sources? + +See [these instructions](/doc/qubes-builder/). + +### How do I submit a patch? + +See the [Qubes Source Code Repositories](/doc/source-code/) article. + +### What is Qubes' attitude toward changing guest distros? + +We try to respect each distro's culture, where possible. +See the discussion on issue [#1014](https://github.com/QubesOS/qubes-issues/issues/1014) for an example. + +The policy is there mostly to ease maintenance, on several levels: + + * Less modifications means easier migration to new upstream distribution + releases. + * The upstream documentation matches the distribution running in the Qubes VM. + * We're less likely to introduce Qubes-specific issues. + * Each officially supported distribution (ideally) should offer the same set of + Qubes-specific features - a change in one supported distribution should be + followed also in others, including new future distributions. + +### Is I/O emulation component (QEMU) part of the Trusted Computing Base (TCB)? + +No. Unlike many other virtualization systems, Qubes takes special effort to keep QEMU _outside_ of the TCB. +This has been achieved thanks to the careful use of Xen's stub domain feature. +For more details about how we improved on Xen's native stub domain use, see [here](https://blog.invisiblethings.org/2012/03/03/windows-support-coming-to-qubes.html). + diff --git a/basics_dev/devel-faq.md b/basics_dev/devel-faq.md deleted file mode 100644 index ba62c832..00000000 --- a/basics_dev/devel-faq.md +++ /dev/null @@ -1,62 +0,0 @@ ---- -layout: doc -title: Developers' FAQ -permalink: /doc/devel-faq/ -redirect_from: -- /en/doc/devel-faq/ -- /doc/DevelFaq/ -- /wiki/DevelFaq/ ---- - -Qubes Developers' FAQ -===================== - -Why does dom0 need to be 64-bit? --------------------------------- - -Since 2013 [Xen has not supported 32-bit x86 architecture](https://wiki.xenproject.org/wiki/Xen_Project_Release_Features) and Intel VT-d, which Qubes uses to isolate devices and drivers, is available on Intel 64-bit processors only. - -In addition, with features like improved ASLR, it is often more difficult to exploit a bug on x64 Linux than x86 Linux. -While we designed Qubes from the beginning to limit potential attack vectors, we still realize that some of the code running in Dom0, e.g. our GUI daemon or xen-store daemon, however simple, might contain some bugs. -Plus since we haven't implemented a separate storage domain, the disk backends are in Dom0 and are "reachable" from the VMs, which adds up to the potential attack surface. -So, having faced a choice between 32-bit and 64-bit OS for Dom0, it was almost a no-brainer. -The 64-bit option provides some (little perhaps, but some) more protection against some classes of attacks, and at the same time does not have any disadvantages except the extra requirement of a 64 bit processor. -And even though Qubes now "needs" a 64 bit processor, it didn't make sense to run Qubes on a system without 3-4GB of memory, and those have 64-bit CPUs anyway. - -What is the recommended build environment for Qubes OS? ------------------------------------------- - -Any rpm-based, 64-bit environment, the preferred OS being Fedora. - -How do I build Qubes from sources? --------------------------------- - -See [these instructions](/doc/qubes-builder/). - -How do I submit a patch? ------------------------- - -See the [Qubes Source Code Repositories](/doc/source-code/) article. - -What is Qubes' attitude toward changing guest distros? ------------------------------------------------------- - -We try to respect each distro's culture, where possible. -See the discussion on issue [#1014](https://github.com/QubesOS/qubes-issues/issues/1014) for an example. - -The policy is there mostly to ease maintenance, on several levels: - - * Less modifications means easier migration to new upstream distribution - releases. - * The upstream documentation matches the distribution running in the Qubes VM. - * We're less likely to introduce Qubes-specific issues. - * Each officially supported distribution (ideally) should offer the same set of - Qubes-specific features - a change in one supported distribution should be - followed also in others, including new future distributions. - -Is I/O emulation component (QEMU) part of the Trusted Computing Base (TCB)? ------------------------- - -No. Unlike many other virtualization systems, Qubes takes special effort to keep QEMU _outside_ of the TCB. -This has been achieved thanks to the careful use of Xen's stub domain feature. -For more details about how we improved on Xen's native stub domain use, see [here](https://blog.invisiblethings.org/2012/03/03/windows-support-coming-to-qubes.html). From 57ef6d77791eba744183c739a8494f3780521523 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Wed, 15 Nov 2017 22:38:48 -0600 Subject: [PATCH 37/41] Update links to new FAQ (QubesOS/qubes-issues#2704) --- about/mailing-lists.md | 2 +- basics_user/intro.md | 4 ++-- common-tasks/usb.md | 2 +- doc.md | 6 ++++-- installing/upgrade/upgrade-to-r3.1.md | 2 +- security/security-guidelines.md | 2 +- 6 files changed, 10 insertions(+), 8 deletions(-) diff --git a/about/mailing-lists.md b/about/mailing-lists.md index a6b6dee6..063d10fc 100644 --- a/about/mailing-lists.md +++ b/about/mailing-lists.md @@ -369,7 +369,7 @@ You must be subscribed in order to post to this list. [HCL]: /doc/hcl/ [Installation Guide]: /doc/installation-guide/ [System Requirements]: /doc/system-requirements/ -[User FAQ]: /doc/user-faq/ +[User FAQ]: /faq/#users [documentation]: /doc/ [thunderbird-newsgroup]: https://support.mozilla.org/en-US/kb/creating-newsgroup-account [qubes-users-web]: https://groups.google.com/group/qubes-users diff --git a/basics_user/intro.md b/basics_user/intro.md index 71e2dc8d..ade01e72 100644 --- a/basics_user/intro.md +++ b/basics_user/intro.md @@ -228,9 +228,9 @@ technical details have been omitted here for the sake of presentation. [Xen]: https://www.xenproject.org [paper-compart]: https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf [doc]: /doc/ -[user-faq]: /doc/user-faq/ +[user-faq]: /faq/#users [system-doc]: /doc/system-doc/ -[devel-faq]: /doc/devel-faq/ +[devel-faq]: /faq/#developers [downloads]: /downloads/ [getting started]: /getting-started/ diff --git a/common-tasks/usb.md b/common-tasks/usb.md index d03e699b..8ac8e410 100644 --- a/common-tasks/usb.md +++ b/common-tasks/usb.md @@ -383,7 +383,7 @@ This feature is not yet available in Qubes Manager however, if you would like to [2270-comm23]: https://github.com/QubesOS/qubes-issues/issues/2270#issuecomment-242900312 [1082]: https://github.com/QubesOS/qubes-issues/issues/1082 [hide-usb]: #how-to-hide-all-usb-controllers-from-dom0 -[faq-usbvm]: /doc/user-faq/#i-created-a-usbvm-and-assigned-usb-controllers-to-it-now-the-usbvm-wont-boot +[faq-usbvm]: /faq/#i-created-a-usbvm-and-assigned-usb-controllers-to-it-now-the-usbvm-wont-boot [AEM]: /doc/anti-evil-maid/ [1618]: https://github.com/QubesOS/qubes-issues/issues/1618 [create a USB qube]: #creating-and-using-a-usb-qube diff --git a/doc.md b/doc.md index 2f161a0a..e1d67117 100644 --- a/doc.md +++ b/doc.md @@ -23,13 +23,14 @@ The Basics * [Video Tours](/video-tours/) * [Screenshots](/screenshots/) * [Getting Started](/getting-started/) - * [User FAQ](/doc/user-faq/) + * [User FAQ](/faq/#users) * [Mailing Lists](/mailing-lists/) * [How to Contribute](/doc/contributing/) Security Information -------------------- * [Security Center](/security/) + * [Security FAQ] (/faq/#general-security) * [Security Pack](/security/pack/) * [Security Bulletins](/security/bulletins/) * [Canaries](/security/canaries/) @@ -203,7 +204,7 @@ Developer Documentation The Basics ---------- - * [Developer FAQ](/doc/devel-faq/) + * [Developer FAQ](/faq/#developers) * [Report a Security Issue](/security/) * [Report a Bug](/doc/reporting-bugs/) * [How to Contribute](/doc/contributing/) @@ -222,6 +223,7 @@ The Basics Security Information -------------------- * [Security Center](/security/) + * [Security FAQ] (/faq/#general-security) * [Security Pack](/security/pack/) * [Security Bulletins](/security/bulletins/) * [Security Bulletin Checklist](/security/bulletins/checklist/) diff --git a/installing/upgrade/upgrade-to-r3.1.md b/installing/upgrade/upgrade-to-r3.1.md index b69852f8..e858c6b7 100644 --- a/installing/upgrade/upgrade-to-r3.1.md +++ b/installing/upgrade/upgrade-to-r3.1.md @@ -107,7 +107,7 @@ Maid passphrase to the new configuration. Please consult the Anti Evil Maid If you use USB VM, you may encounter problem with starting it on updated Xen version (because of strict default settings). Take a look at -[User FAQ](/doc/user-faq/#i-created-a-usbvm-and-assigned-usb-controllers-to-it-now-the-usbvm-wont-boot) +[User FAQ](/faq/#i-created-a-usbvm-and-assigned-usb-controllers-to-it-now-the-usbvm-wont-boot) for details. Once you have upgraded dom0, you can install new templates from Qubes R3.1 diff --git a/security/security-guidelines.md b/security/security-guidelines.md index 1bfa6551..125ba46b 100644 --- a/security/security-guidelines.md +++ b/security/security-guidelines.md @@ -129,7 +129,7 @@ It is preferable to avoid using **Bluetooth** if you travel or do not trust your Many laptops allow one to disable various hardware (Camera, BT, Mic, etc) **in BIOS**. This might or might not be a dependable way of getting rid of those devices, depending on how much you trust your BIOS vendor. -If the VM will not start after you have assigned a USB controller, look at [this faq](../user-faq/#i-created-a-usbvm-and-assigned-usb-controllers-to-it-now-the-usbvm-wont-boot). +If the VM will not start after you have assigned a USB controller, look at [this FAQ](/faq/#i-created-a-usbvm-and-assigned-usb-controllers-to-it-now-the-usbvm-wont-boot). Creating and Using a USBVM From 516197b97684a7d8550eb83b75c03fafba3ee44b Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Wed, 15 Nov 2017 23:42:30 -0600 Subject: [PATCH 38/41] Update page title and first section heading (QubesOS/qubes-issues#2704) --- about/faq.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/about/faq.md b/about/faq.md index 8633c817..8da6b2a8 100644 --- a/about/faq.md +++ b/about/faq.md @@ -1,6 +1,6 @@ --- layout: sidebar -title: FAQ +title: Frequently Asked Questions permalink: /faq/ redirect_from: - /doc/user-faq/ @@ -15,7 +15,7 @@ redirect_from: # Frequently Asked Questions -## General & Security Questions +## General & Security ### What is the main concept behind Qubes? From 3958e053d52fc1d1f3ab3539aed20c3c3ffc3797 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Wed, 15 Nov 2017 23:42:48 -0600 Subject: [PATCH 39/41] Fix links to Security FAQ (QubesOS/qubes-issues#2704) --- doc.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc.md b/doc.md index e1d67117..b2f09968 100644 --- a/doc.md +++ b/doc.md @@ -30,7 +30,7 @@ The Basics Security Information -------------------- * [Security Center](/security/) - * [Security FAQ] (/faq/#general-security) + * [Security FAQ](/faq/#general--security) * [Security Pack](/security/pack/) * [Security Bulletins](/security/bulletins/) * [Canaries](/security/canaries/) @@ -223,7 +223,7 @@ The Basics Security Information -------------------- * [Security Center](/security/) - * [Security FAQ] (/faq/#general-security) + * [Security FAQ](/faq/#general--security) * [Security Pack](/security/pack/) * [Security Bulletins](/security/bulletins/) * [Security Bulletin Checklist](/security/bulletins/checklist/) From be6f2877eaa39b6f35dd0f1af1db76bc326264e5 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Wed, 15 Nov 2017 23:56:54 -0600 Subject: [PATCH 40/41] Add FAQ entry about XSAs affecting Qubes (QubesOS/qubes-issues#2704) --- about/faq.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/about/faq.md b/about/faq.md index 8da6b2a8..5ec48656 100644 --- a/about/faq.md +++ b/about/faq.md @@ -65,6 +65,10 @@ A typical user would likely need around five qubes. Very paranoid users, or thos In short: we believe the Xen architecture allows for the creation of more secure systems (i.e. with a much smaller TCB, which translates to a smaller attack surface). We discuss this in much greater depth in our [Architecture Specification document](/attachment/wiki/QubesArchitecture/arch-spec-0.3.pdf). +### How is Qubes affected by Xen Security Advisories (XSAs)? + +See the [XSA Tracker](/security/xsa/). + ### What about this other/new (micro)kernel/hypervisor? Whenever starting a discussion about another (micro)kernel or hypervisor in relation to Qubes, we strongly suggest including answers to the following questions first: From 9612a861a64768ad10d196a4544d46cc9d726e91 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Thu, 16 Nov 2017 00:07:22 -0600 Subject: [PATCH 41/41] Add link to Security FAQ (QubesOS/qubes-issues#2704) --- security-info/security.md | 1 + 1 file changed, 1 insertion(+) diff --git a/security-info/security.md b/security-info/security.md index 77bcf7c4..b44c2136 100644 --- a/security-info/security.md +++ b/security-info/security.md @@ -17,6 +17,7 @@ redirect_from: Qubes OS Project Security Center ================================ +- [Security FAQ](/faq/#general--security) - [Security Goals](/security/goals/) - [Security Pack](/security/pack/) - [Security Bulletins](/security/bulletins/)