I recently wrote a patch that makes all PVH DispVMs fully ephemeral, in the sense that all writes to the disk are encrypted with an ephemeral encryption key, with dom0 handling the encryption.
Currently Qubes implements this (when ephemeral=True and vm:root rw 0) for data written to xvda and swap, but not for data written to xvdb (i.e. /rw). This patch fixes the issue and ephemerally encrypts all data written to disk from a PVH DispVM.

This is accomplished by making xvda and xvdb read-only and ephemeral=True the defaults for DispVMs (a three-line patch to dispvm.py), and by patching /init of the initramfs of the PVH kernel so that all data writes are routed to xvdc using dmapper. This routing is already partially accomplished in Qubes by mapping all writes to xvda to dmroot when vm:root rw is set to False. The patch now additionally routes (when vm:private rw 0) all writes to xvdb to dmhome and seamlessly relabels xvdb to dmhome in fstab, before /sbin/init is started.

The fact that xvda and xvdb are now set to be read-only in DispVMs, and only xvdc is writable and ephemerally encrypted, ensures that no data escape is possible.

I wrote a script to implement the patch on a live R4.1 system. It is available at https://github.com/anywaydense/QubesEphemerize

I would be delighted to hear your comments.
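The routing the message describes, as an added illustration that is neither the QubesEphemerize script nor Qubes' own initramfs /init: a dm-snapshot mapping whose origin is the read-only volume and whose copy-on-write store is a partition on the volatile xvdc, so every write lands on xvdc, plus the fstab relabelling of xvdb to the snapshot device. The partition layout (xvda3 as root, xvdb as private, xvdc1 and xvdc2 as COW stores), the device names and the function names are assumptions for the example, as is the "N" (non-persistent) snapshot mode and the chunk size of 16 sectors; check them against the real Qubes init script before reusing anything.

```shell
#!/bin/sh
# Added example: dm-snapshot overlay for an ephemeral DispVM, not the
# author's patch and not Qubes' /init. Device names below are assumptions.

# Build a dm-snapshot table: all writes to $origin are diverted into $cow.
# "N" = non-persistent snapshot (COW metadata is thrown away on teardown),
# 16 = chunk size in 512-byte sectors. Both values are assumptions here.
snapshot_table() {
    origin="$1"; cow="$2"; sectors="$3"
    printf '0 %s snapshot %s %s N 16' "$sectors" "$origin" "$cow"
}

# Sector count of a block device, read from sysfs (512-byte sectors).
dev_sectors() {
    cat "/sys/class/block/$1/size"
}

# The security argument depends on the origin never being written directly:
# refuse to map a volume that the guest sees as writable (sysfs "ro" flag).
origin_is_readonly() {
    [ "$(cat "/sys/class/block/$1/ro" 2>/dev/null)" = "1" ]
}

# Create the mapping. With DRY_RUN set, only the dmsetup command is echoed
# so the table construction can be checked without root or real devices.
map_snapshot() {
    name="$1"; origin="$2"; cow="$3"; sectors="$4"
    table=$(snapshot_table "$origin" "$cow" "$sectors")
    if [ -n "$DRY_RUN" ]; then
        echo "dmsetup create $name --table \"$table\""
        return 0
    fi
    origin_is_readonly "$(basename "$origin")" || {
        echo "refusing: $origin is writable in the guest" >&2
        return 1
    }
    dmsetup create "$name" --table "$table"
}

# Rewrite fstab so /rw is mounted through the snapshot device instead of
# xvdb itself; lines for other devices pass through unchanged.
relabel_fstab() {
    sed -e 's|^/dev/xvdb[[:space:]]|/dev/mapper/dmhome |' "$1"
}

# Typical boot-time sequence (hypothetical layout: xvda3 root, xvdb private,
# xvdc1 / xvdc2 as the COW stores on the volatile volume).
ephemerize() {
    map_snapshot dmroot /dev/xvda3 /dev/xvdc1 "$(dev_sectors xvda3)"
    map_snapshot dmhome /dev/xvdb  /dev/xvdc2 "$(dev_sectors xvdb)"
    relabel_fstab /etc/fstab > /etc/fstab.new && mv /etc/fstab.new /etc/fstab
}
```

Run with `DRY_RUN=1` on a normal host to see the two `dmsetup create` lines the functions would execute; without it, `map_snapshot` requires root and a guest that actually exposes xvda3 and xvdb read-only, which is exactly the property the patch sets in dispvm.py.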