[HN Gopher] Qubes-Lite with KVM and Wayland
___________________________________________________________________
Qubes-Lite with KVM and Wayland
Author : todsacerdoti
Score : 38 points
Date : 2021-03-07 19:22 UTC (3 hours ago)
(HTM) web link (roscidus.com)
(TXT) w3m dump (roscidus.com)
| Klwohu wrote:
| Is this really a good idea considering the security issues with
| Wayland?[1]
|
| [1] https://github.com/Aishou/wayland-keylogger
| miduil wrote:
| This is not a Wayland security issue. This is the equivalent of
| calling a car key lock insecure just because someone can drive
| your car when you give them your key.
| ianlevesque wrote:
| That "security issue with Wayland" is really loading an
| untrusted .so file from your home directory, which is exactly
| what running apps in KVM VMs instead (as the article proposes)
| would fix. So yes, it's a good idea!
| Shared404 wrote:
| In addition, the author states that similar techniques would
| also work on Windows and Mac, and any platform without
| sandboxing... which would include most installations of X,
| unless there's something I'm missing.
| minimalist wrote:
| This is an amazing effort, very cool!
|
| I'm not sure why the author is having so much pain with Qubes.
| Indeed the lack of GPU in guest VMs is annoying but it is
| possible now to assign a GPU to a HVM fairly reliably thanks to
| all of the VFIO/gaming-on-linux enthusiasm in the past years.
| Otherwise, I also find that running browsers in multiple VMs on a
| laptop is a problem if you don't disable JS by default because
| modern websites have become so bloated, it's a tragedy. The LVM
| remark is also strange. It's very reliable for plenty of people,
| but there is the risk of running out of space for metadata [0].
| Thin-pools for VM storage allow for some great Time-Machine-
| esque incremental backups also [1]. But for managing multiple
| development environments, Qubes is a blessing, not even including
| all the security benefits.
|
| Another option for Xen fans is XCP-ng + a thin client machine for
| accessing the VMs. One can also use firejail+Xephyr to achieve
| graphical isolation [2] (not sure about Wayland).
|
| It looks like architecture changes in Qubes future [3] may make
| KVM a reality.
|
| This is still a very cool effort, I'll have to give the Wayland
| bits a close read.
|
| [0]: https://github.com/QubesOS/qubes-issues/issues/3243,
| https://listman.redhat.com/archives/linux-lvm/2018-July/msg0...
|
| [1]: https://github.com/tasket/wyng-backup
|
| [2]:
| https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki's_EFI_Instal...
|
| [3]: https://www.qubes-os.org/news/2020/03/18/gui-domain/
| Nojlk wrote:
| The Qubes people don't recommend doing GPU passthrough because
| of the security implications.
|
| As for the OP, I feel like if somebody cares about security,
| they shouldn't be doing any of this. Trying to come up with
| some self-designed hodgepodge of things isn't really enough
| security-wise, even if you do use VMs, and I'd find it hard to
| trust something like this as a platform to do anything
| important on.
| 1996 wrote:
| > The Qubes people don't recommend doing GPU passthrough
| because of the security implications.
|
| Why? DMA?
| fsflover wrote:
| "Clarifications on GPU security":
| https://groups.google.com/g/qubes-devel/c/MeLYpHyLRHQ
|
| See also: https://www.qubes-os.org/faq/#can-i-run-
| applications-like-ga...
|
| But the fact is, even if you are doing GPU passthrough in
| Qubes, it's much more secure than running any other system.
| Nojlk wrote:
| I don't know details. I was thinking about doing GPU
| passthrough myself, but whenever developers chimed in on
| any posts about the topic, this is essentially what they
| said.
|
| Some links I remember going through:
|
| https://www.qubes-os.org/doc/device-handling-
| security/#pci-s...
|
| > Additionally, Qubes restricts the config-space a VM may
| use to communicate with a PCI device. Only whitelisted
| registers are accessible. However, some devices or
| applications require full PCI access. In these cases, the
| whole config-space may be allowed. You're potentially
| weakening the device isolation, especially if your system
| is not equipped with a VT-d Interrupt Remapping unit. This
| increases the VM's ability to run a side channel attack and
| vulnerability to the same. See Xen PCI Passthrough: PV
| guests and PCI quirks and Software Attacks on Intel VT-d
| (page 7) for more details.
|
| https://security.stackexchange.com/questions/162122/gpu-
| pass...
| effie wrote:
| "The Qubes people" have a product to develop and maintain.
| They aren't the single highest authority on secure desktop
| setups.
|
| Security isn't a black or white issue. There are levels of
| security. Many tech people want something better than the
| (very insecure) standard setup on Linux/Windows, but they
| don't want the Qubes straitjacket. This means they search
| or develop alternatives and that is overall a good thing.
| m463 wrote:
| I used qubes for a while, but found it kind of cumbersome to do
| most things, and I never got over the hump.
|
| Since then I've been using proxmox, and I'm at the point where I
| don't use the gui anymore, I just do everything from the command
| line.
|
| You can do VM things (like run macos in a vm), but I do most
| things in lxc containers.
|
| It would be kind of nice if proxmox had something like a
| Dockerfile, but with _local_ containers that didn't depend on
| going out to dockerhub to pull in and run code.
| xvector wrote:
| I have been considering grabbing a Librem 14 and switching to
| Qubes as a daily. Could you elaborate on what you found
| cumbersome?
| indigodaddy wrote:
| So like, you are using Proxmox as your main OS/desktop? And
| then doing application (e.g. Firefox for browsing, etc.) things
| in Proxmox LXC containers?
|
| If so, that is pretty interesting...
|
| Although, using LXD with Ubuntu is totally painless and easy as
| well..
___________________________________________________________________
(page generated 2021-03-07 23:01 UTC)