-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, Aug 11, 2016 at 09:17:35PM -0600, Trammell Hudson wrote:
> On Tue, Aug 09, 2016 at 08:40:15PM +0200, Marek Marczykowski-Górecki wrote:
> > On Tue, Aug 09, 2016 at 08:32:39AM -0600, Trammell Hudson wrote:
> > > I'd like to configure my Qubes installation to have a read-only and
> > > dm-verity protected / and /boot partitions for the hypervisor, dom0,
> > > qubes configurations and templates, with a separate read-write partition
> > > for the user data and volatile portions protected by a sealed TPM key.
> > 
> > This is very interesting setup! Please tell us if you manage to do it.
> 
> Assuming it all works, I'll be doing a writeup and hopefully a CCC talk
> on the configuration.
> 
> The coreboot parts are working really well now -- the root of trust is
> setup in the romstage, which can be protected by the SPI flash chip's WP#
> and BP bits to prevent software updates (although still a potential evil
> maid risk).
> 
> All of the CBFS entries are measured before they are executed or unpacked,
> which includes MRC, SMM, and the Linux kernel/initrd.  tpmtop runs in the
> Linux payload and if the TPM can unseal the TOTP secret, it attests that
> the system is in a hopefully good state.  Also in the ROM is a GPG keyring
> with public signing keys.
> 
> The /boot partition is protected with dm-verity, the root hash
> signature is verified with GPG, the xen.gz, vmlinuz and initrd
> can also be signed and verified.  The private key is in a Yubikey,
> so updates to that partition will require the hardware token to resign
> the hashes.
> 
> And then Qubes starts up and the hard parts begin...
> 
> > > In the "VM Settings" - "Advanced" tab the "Paths" do not seem to
> > > be editable.  I could edit the file by hand after setting up Qubes,
> > > although if there is an official way to do it during installation or
> > > after-the-fact that would be nicer.
> > 
> > There is no supported way for changing those paths.
> 
> Is it possible to change them at all?  Even when I edit the
> /var/lib/qubes/appvms/personal/personal.conf file,
> after I start the VM with qvm-start it appears that the file is
> re-written (my changes are gone and the paths are back to the
> defaults).
> 
> Is there a reason to recreate the file instead of using its contents?

Yes, all the VM settings are stored in /var/lib/qubes/qubes.xml. The VM
config is merely for debugging purposes - it is only written and never
read by the tools. The same generated config (based on qubes.xml) is
sent directly to libvirt.

As for file paths - in theory you could edit qubes.xml to move it
somewhere else, but in practice there are multiple places relying on
the exact /var/lib/qubes directory - for example udev scripts preventing all
the filesystem guessing code, or hiding those devices from qvm-block.
Also the DispVM preparation script relies on those paths...

So, better use mount --bind.

BTW in Qubes 4.0 we already have an API to support arbitrary image
locations.

> > [...]
> > Also search the list archive for relocating volatile.img files - AFAIR
> > there was some script for that.
> 
> It looks like a symlink for the private.img file will work, but the
> volatile.img is always re-created.  I see the post that modifies the
> /usr/lib/qubes/prepare-volatile-img.sh, so maybe those two are sufficient
> to migrate the files from / to /home.

Besides the above, for volatile.img it should be enough to modify this
script.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXrXhcAAoJENuP0xzK19cs5QMH/2YvadsEjvc7K5VGAuXQBBHU
bkp6MF3d+VhS5N4r7X0UDZP57d4FrafUtRH4l9toUMJkx9R3EeYC4dsrH1dT5NBK
phKHFu+Cd+qHTIAgTrwZs88gG4ZUOLcoU3vG/iSiI2cNt24Z5vzJBCfeD+J/0Gdq
eQ6EcGNTaqPpEG5RZW90SHTaqJDp+ZnbG5Raqvnq+g3YxZwOCOzBg6UfvflRjMbq
Yy+TgXt0SeHBU1TKLbWtIieQtE9Rfpl7lbbGfa0ZsLGAxgjWPJ59PdmIeP8QVbeU
GZKo6wY2Tzcu+qldDSpfOTwbqaqrE3AlIzj085OszOo9kRWepzyqU1XT+lNIn4I=
=MeYj
-----END PGP SIGNATURE-----
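The dm-verity protection of /boot that Trammell describes above rests on one property: the only thing that has to be authenticated (in his setup, by a GPG signature checked with a keyring in the ROM) is the root hash, because every data block can be verified against it on read. The following Python is an added example, not code from this thread, from Qubes, coreboot or Heads; it reimplements the dm-verity hash tree and the per-block verification walk so the property can be seen on a constructed image. It assumes format version 1 (salt prepended to each block), SHA-256 and 4096-byte data and hash blocks, which are the veritysetup defaults, and it does not reproduce the on-disk superblock layout; the 300-block image, the salt and the flipped byte in block 137 are constructed test data, and the function names are this example's own.

```python
import hashlib

# Assumptions for this example (not taken from the thread):
# dm-verity format version 1 (hash = H(salt || block)), SHA-256,
# and 4096-byte data and hash blocks, the veritysetup defaults.
BLOCK_SIZE = 4096
HASH_ALGO = "sha256"
DIGEST_LEN = hashlib.new(HASH_ALGO).digest_size  # 32 bytes for SHA-256
HASHES_PER_BLOCK = BLOCK_SIZE // DIGEST_LEN      # 128 hashes per hash block


def _hash_block(salt: bytes, block: bytes) -> bytes:
    """Format-1 dm-verity block hash: the salt is prepended to the block."""
    return hashlib.new(HASH_ALGO, salt + block).digest()


def _chunks(data: bytes, size: int) -> list:
    return [data[i:i + size] for i in range(0, len(data), size)]


def build_hash_tree(image: bytes, salt: bytes):
    """Compute the dm-verity hash tree of an image.

    Returns (root_hash, levels): levels[0] holds one hash per data block,
    each higher level holds one hash per hash block of the level below,
    and root_hash is the hash of the single top-most hash block.
    """
    if not image or len(image) % BLOCK_SIZE:
        raise ValueError("image must be a non-empty multiple of BLOCK_SIZE")
    level = [_hash_block(salt, b) for b in _chunks(image, BLOCK_SIZE)]
    levels = [level]
    while True:
        # Pack the hashes of this level into hash blocks, zero-padding the last.
        blocks = [b.ljust(BLOCK_SIZE, b"\0")
                  for b in _chunks(b"".join(level), BLOCK_SIZE)]
        if len(blocks) == 1:
            return _hash_block(salt, blocks[0]), levels
        level = [_hash_block(salt, b) for b in blocks]
        levels.append(level)


def verify_block(block: bytes, index: int, salt: bytes, levels, root_hash: bytes) -> bool:
    """Check one data block the way the kernel does on read: walk from the
    leaf hash up to the root, treating the stored hash tree as untrusted and
    re-hashing every hash block on the path.  Only root_hash is trusted."""
    h = _hash_block(salt, block)
    for level in levels:
        if index >= len(level) or level[index] != h:
            return False
        # Rebuild the hash block that contains this entry and hash it; the
        # result must match the entry one level up (or the root at the top).
        start = (index // HASHES_PER_BLOCK) * HASHES_PER_BLOCK
        packed = b"".join(level[start:start + HASHES_PER_BLOCK])
        h = _hash_block(salt, packed.ljust(BLOCK_SIZE, b"\0"))
        index //= HASHES_PER_BLOCK
    return h == root_hash


def tampered_blocks(image: bytes, salt: bytes, levels, root_hash: bytes) -> list:
    """Indices of data blocks that no longer verify against the trusted root hash."""
    return [i for i, b in enumerate(_chunks(image, BLOCK_SIZE))
            if not verify_block(b, i, salt, levels, root_hash)]


# Constructed sample input (not a real partition): 300 distinct blocks, which
# is enough to need two hash levels (300 leaf hashes -> 3 hash blocks -> root).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
IMAGE = b"".join(bytes([i & 0xFF]) * BLOCK_SIZE for i in range(300))


def demo():
    root, levels = build_hash_tree(IMAGE, SALT)
    # Flip one byte in block 137 after the tree was built, as someone editing
    # /boot behind the owner's back would; the signed root hash stays unchanged.
    evil = bytearray(IMAGE)
    evil[137 * BLOCK_SIZE + 100] ^= 0x01
    return {
        "root_hash": root.hex(),
        "levels": len(levels),
        "clean": tampered_blocks(IMAGE, SALT, levels, root),
        "after_flip": tampered_blocks(bytes(evil), SALT, levels, root),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run as a script it prints the root hash, the number of tree levels, an empty list for the untouched image and `[137]` for the modified one. Because `verify_block` re-hashes every hash block on the path, altering an entry in the stored tree to match a modified data block is caught at the next level up, which is why only the 32-byte root hash needs to be covered by the GPG signature (and why re-signing after an update needs the hardware token, as Trammell notes).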

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/20160812071852.GJ5701%40mail-itl.