I might have some ideas,

How about integrating a DispVM as the USB qube? The situation now is (to my 
knowledge, correct me if I am wrong) that if a USB infects the USB qube, it 
means all future USBs may become infected too once they connect to sys-usb. By 
using a DispVM, all traces of malware should be gone the next time it 
reboots (or at least raise the bar of difficulty to make persistent malware).

I can think of several ways this can be implemented, but the question will be 
when the USB qube should be rebooted. Every time a USB disconnects, maybe 
every time the computer reboots? These would be some things to figure out.

My next idea would be to have an option during installation to use a MirageOS 
unikernel for sys-net or sys-firewall. This would give us several advantages 
over the current Fedora sys-nets.

Number one would be of course security: a unikernel has a lot less attack surface 
because it uses a lot less code, and this also makes it easier to audit. Furthermore, 
less memory usage might be an advantage as well, since you can run a Mirage VM 
with a mere 30mb of RAM (good for users with low-end machines). Another 
advantage would be faster boot-up and shutdown times; booting a Mirage VM on my 
old ThinkPad takes roughly 1/2 seconds.

Anyway, these are my ideas of how we could improve Qubes. These are all 
speculations based on my current knowledge and understanding of Qubes, so 
please feel free to correct me if I was wrong somewhere. So, what do you think?

Cheers,
Blacklight447
