I'm using the mailing list as I can't use GitHub with Tor Browser. This mailing list post is a succinct version of my forum thread https://forum.qubes-os.org/t/mac-randomization-is-flawed-proposed-new-solution/32150
https://github.com/QubesOS/qubes-issues/issues/938 needs to be reopened.

We can’t rely solely on either udev (Tails approach) or NetworkManager (Qubes approach) to ensure the true MAC address is never leaked. Some drivers restore to the true/permanent MAC on sleep/suspend and udev doesn't handle this. NM, in normal operation, brings the NIC 'up' with the true MAC address which can result in leaks. NM also restores to the true MAC address in other cases, such as when the user restarts the NM service to apply an updated config. Even if NM did do everything properly, drivers can still leak the true MAC address.

As originally proposed in /issues/938, patching drivers is the only way to do this without the possibility of leaks occurring. Patching these drivers is usually very simple, as most of them already support generating random MACs for situations where the EEPROM MAC is invalid.

As an initial proposal, I suggest Qubes hosts a contrib repository where these patches can be submitted. Then, Qubes can build a separate kernel with these modified drivers that users can optionally set for their NetVM. I can do the necessary work, but I would want Qubes to confirm how they would like this structured so that it will be accepted. I have built a modified kernel locally with qubesbuilderv2, but I'm not familiar enough with Qubes' build system to say for certain what the best way to do all of this is. It may be that there's an entirely different way to supply the modified drivers that makes more sense than building a separate kernel.

I have said I will patch the 3 most popular wireless drivers to start this off.

There's a lot of additional information in the forum thread so reading everything there is advised.
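A check for the condition the post describes (a NIC that is administratively up while still carrying its hardware-assigned address), for example after resume or after restarting NetworkManager. This is an added example, not part of the original post or of Qubes; the function name `check_mac_leak` is hypothetical, and it assumes the driver keeps the kernel's `addr_assign_type` sysfs attribute accurate (0 = not flagged as changed, 1 = random, 3 = set by userspace).

```shell
#!/bin/sh
# Added example: report physical interfaces that are UP while their MAC
# address is still the one the driver assigned from hardware.
#
# Usage: check_mac_leak [sysfs_net_dir]
#   Prints "EXPOSED <iface> <mac>" per finding; returns 1 if any were found.
#   The directory argument defaults to /sys/class/net and exists so the
#   function can be pointed at a constructed tree for testing.

check_mac_leak() {
    net_dir=${1:-/sys/class/net}
    found=0
    for dev in "$net_dir"/*; do
        # Skip anything that is not a network device directory.
        [ -r "$dev/addr_assign_type" ] || continue
        name=${dev##*/}
        # Loopback and devices without backing hardware have no real MAC
        # to leak; physical NICs expose a "device" link in sysfs.
        [ "$name" = "lo" ] && continue
        [ -e "$dev/device" ] || continue

        assign=$(cat "$dev/addr_assign_type")
        flags=$(cat "$dev/flags")      # hex string, e.g. 0x1003
        addr=$(cat "$dev/address")

        # IFF_UP is bit 0 of the interface flags. An interface that is up
        # with addr_assign_type 0 is transmitting with an address that was
        # never replaced by a random or user-set one.
        if [ "$assign" -eq 0 ] && [ "$(( $flags & 1 ))" -eq 1 ]; then
            echo "EXPOSED $name $addr"
            found=1
        fi
    done
    return $found
}
```

Because the check only samples the current state, it has to be re-run after each suspend/resume cycle or service restart; it cannot show that no frame was sent in between.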