[HN Gopher] Qubes-Lite with KVM and Wayland
___________________________________________________________________

Qubes-Lite with KVM and Wayland

Author : todsacerdoti
Score  : 38 points
Date   : 2021-03-07 19:22 UTC (3 hours ago)

Link: roscidus.com

Klwohu wrote:
| Is this really a good idea considering the security issues with
| Wayland?[1]
|
| [1] https://github.com/Aishou/wayland-keylogger

  miduil wrote:
  | This is not a wayland security issue. This is the equivalent of
  | calling a car key lock insecure just because someone can drive
  | your car when you give them your key.

  ianlevesque wrote:
  | That "security issue with Wayland" is really loading an
  | untrusted .so file from your home directory, which is exactly
  | what running apps in KVM VMs instead (as the article proposes)
  | would fix. So yes, it's a good idea!

    Shared404 wrote:
    | In addition, the author states that similar techniques would
    | also work on Windows and Mac, and any platform without
    | sandboxing... which would include most installations of X,
    | unless there's something I'm missing.

minimalist wrote:
| This is an amazing effort, very cool!
|
| I'm not sure why the author is having so much pain with Qubes.
| Indeed the lack of GPU in guest VMs is annoying, but it is
| possible now to assign a GPU to a HVM fairly reliably thanks to
| all of the VFIO/gaming-on-linux enthusiasm in the past years.
| Otherwise, I also find that running browsers in multiple VMs on a
| laptop is a problem if you don't disable JS by default because
| modern websites have become so bloated; it's a tragedy. The LVM
| remark is also strange. It's very reliable for plenty of people,
| but there is the risk of running out of space for metadata [0].
| Thin-pools for VM storage allow for some great Time-Machine-esque
| incremental backups also [1]. But for managing multiple
| development environments, Qubes is a blessing, not even including
| all the security benefits.
|
| Another option for Xen fans is XCP-ng + a thin client machine for
| accessing the VMs. One can also use firejail+Xephyr to achieve
| graphical isolation [2] (not sure about Wayland).
|
| It looks like architecture changes in Qubes' future [3] may make
| KVM a reality.
|
| This is still a very cool effort, I'll have to give the Wayland
| bits a close read.
|
| [0]: https://github.com/QubesOS/qubes-issues/issues/3243,
| https://listman.redhat.com/archives/linux-lvm/2018-July/msg0...
|
| [1]: https://github.com/tasket/wyng-backup
|
| [2]: https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki's_EFI_Instal...
|
| [3]: https://www.qubes-os.org/news/2020/03/18/gui-domain/

  Nojlk wrote:
  | The Qubes people don't recommend doing GPU passthrough because
  | of the security implications.
  |
  | As for the OP, I feel like if somebody cares about security,
  | they shouldn't be doing any of this. Trying to come up with
  | some self-designed hodgepodge of things isn't really enough
  | security-wise, even if you do use VMs, and I'd find it hard to
  | trust something like this as a platform to do anything
  | important on.

    1996 wrote:
    | > The Qubes people don't recommend doing GPU passthrough
    | > because of the security implications.
    |
    | Why? DMA?

      fsflover wrote:
      | "Clarifications on GPU security":
      | https://groups.google.com/g/qubes-devel/c/MeLYpHyLRHQ
      |
      | See also: https://www.qubes-os.org/faq/#can-i-run-applications-like-ga...
      |
      | But the fact is, even if you are doing GPU passthrough in
      | Qubes, it's much more secure than running any other system.

      Nojlk wrote:
      | I don't know details. I was thinking about doing GPU
      | passthrough myself, but whenever developers chimed in on
      | any posts about the topic, this is essentially what they
      | said.
      |
      | Some links I remember going through:
      |
      | https://www.qubes-os.org/doc/device-handling-security/#pci-s...
      |
      | > Additionally, Qubes restricts the config-space a VM may
      | > use to communicate with a PCI device. Only whitelisted
      | > registers are accessible. However, some devices or
      | > applications require full PCI access. In these cases, the
      | > whole config-space may be allowed. You're potentially
      | > weakening the device isolation, especially if your system
      | > is not equipped with a VT-d Interrupt Remapping unit. This
      | > increases the VM's ability to run a side channel attack and
      | > vulnerability to the same. See Xen PCI Passthrough: PV
      | > guests and PCI quirks and Software Attacks on Intel VT-d
      | > (page 7) for more details.
      |
      | https://security.stackexchange.com/questions/162122/gpu-pass...

    effie wrote:
    | "The Qubes people" have a product to develop and maintain.
    | They aren't the single highest authority on secure desktop
    | setups.
    |
    | Security isn't a black or white issue. There are levels of
    | security. Many tech people want something better than the
    | (very insecure) standard setup on Linux/Windows, but they
    | don't want the Qubes straitjacket. This means they search
    | for or develop alternatives, and that is overall a good thing.

m463 wrote:
| I used qubes for a while, but found it kind of cumbersome to do
| most things, and I never got over the hump.
|
| Since then I've been using proxmox, and I'm at the point where I
| don't use the gui anymore, I just do everything from the command
| line.
|
| You can do VM things (like run macos in a vm), but I do most
| things in lxc containers.
|
| It would be kind of nice if proxmox had something like a
| Dockerfile, but with _local_ containers that didn't depend on
| going out to dockerhub to pull in and run code.

  xvector wrote:
  | I have been considering grabbing a Librem 14 and switching to
  | Qubes as a daily. Could you elaborate on what you found
  | cumbersome?

  indigodaddy wrote:
  | So like, you are using Proxmox as your main OS/desktop? And
  | then doing application (eg firefox for browsing, etc) things
  | in proxmox LXC containers?
  |
  | If so, that is pretty interesting...
  |
  | Although, using LXD with Ubuntu is totally painless and easy as
  | well..

___________________________________________________________________
(page generated 2021-03-07 23:01 UTC)