> Simple question: Why are Ethernet and WiFi in sys-net..?
>
> Is it
>
> (A) Just for easy access to the same network for all App VMs..?
>
> (B) Because this is isolating Ethernet and WiFi from the rest of the
> system, to stop DMA attacks..?

Primarily (B).  Any DMA attack or other network hardware compromise is
confined to the net VM, and not your more critical work VMs (or dom0).

> It's not clear to me whether the VT-D protection is occurring because you
> are putting these devices in sys-net.
>
> Or whether the VT-D is implemented regardless of which VM the
> Wifi/Ethernet are in.

I'm not quite clear what you're getting at here.  The network device(s)
could live in any VM, and thus be isolated from the rest of the system.

But by Qubes convention, the devices are put in sys-net, which is
sys-firewall's NetVM, which in turn is typically the NetVM for other
AppVMs.

> I ask this because I want to run some programs in sys-net, and wonder
> whether a DMA attack could screw up these programs.

It absolutely could.  I'd generally recommend against running anything in
sys-net unless it's very specifically needed, raw net-related, or low-risk.
Things like wireshark, iptraf are useful to have in sys-net, for example.

Any program running in sys-net doesn't benefit from the firewall rules
protection at all, either.

Just as with dom0, the fewer programs running (and thus the smaller attack
surface) in sys-net (and sys-firewall), the better.

Which is why I'd like to see unnecessary things like pulseaudio, exim,
(and possibly even the X server) not included in sys-net by default.  I
think there's a Qubes ticket to that effect.

Digressing a bit, but here's an interesting, leaner replacement for
sys-firewall:

http://roscidus.com/blog/blog/2016/01/01/a-unikernel-firewall-for-qubesos/

What's the nature of the program(s) you want to run in sys-net?  Is there
any reason they couldn't be run in another AppVM instead?

JJ
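The NetVM chain JJ describes (AppVM -> sys-firewall -> sys-net -> hardware) is what decides whether a program is covered by the firewall rules at all. The script below is an added illustration, not part of JJ's message or of Qubes itself: it walks that chain from a constructed table of VM -> NetVM assignments and reports which VMs reach the network hardware without passing through sys-firewall. The input format (one `NAME|NETVM` line per VM, `-` for no NetVM) is assumed to mirror `qvm-ls --raw-data --fields NAME,NETVM`; the sample data is constructed, and the function and VM names are illustrative.

```python
"""Walk Qubes NetVM chains to find VMs whose traffic bypasses the firewall VM."""
from typing import Dict, List, Optional

# Constructed sample, assumed to follow the shape of
# `qvm-ls --raw-data --fields NAME,NETVM` (NAME|NETVM, '-' = no NetVM).
# This is not real output from any system.
SAMPLE_QVM_LS = """\
dom0|-
sys-net|-
sys-firewall|sys-net
work|sys-firewall
personal|sys-firewall
vault|-
sys-whonix|sys-firewall
anon-web|sys-whonix
"""


def parse_netvms(raw: str) -> Dict[str, Optional[str]]:
    """Map each VM name to its NetVM (None when it has no network)."""
    netvms: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        name, netvm = line.split("|", 1)
        netvms[name] = None if netvm in ("-", "", "None") else netvm
    return netvms


def netvm_chain(vm: str, netvms: Dict[str, Optional[str]]) -> List[str]:
    """Return the NetVMs a packet from `vm` traverses, nearest first.

    A VM that is itself the end of the chain (sys-net, vault) gets [].
    Raises ValueError on a misconfigured loop (a -> b -> a).
    """
    chain: List[str] = []
    seen = {vm}
    cur = netvms.get(vm)
    while cur is not None:
        if cur in seen:
            raise ValueError(f"NetVM loop detected at {cur}")
        seen.add(cur)
        chain.append(cur)
        cur = netvms.get(cur)
    return chain


def behind_firewall(vm: str, netvms: Dict[str, Optional[str]],
                    firewall: str = "sys-firewall") -> bool:
    """True if `vm`'s outbound traffic crosses the firewall VM."""
    return firewall in netvm_chain(vm, netvms)


def reaches_hardware(vm: str, netvms: Dict[str, Optional[str]],
                     hardware_vm: str = "sys-net") -> bool:
    """True if `vm` is the VM holding the NIC, or its chain ends there."""
    chain = netvm_chain(vm, netvms)
    return vm == hardware_vm or (bool(chain) and chain[-1] == hardware_vm)


def firewall_bypassing_vms(netvms: Dict[str, Optional[str]],
                           firewall: str = "sys-firewall",
                           hardware_vm: str = "sys-net") -> List[str]:
    """VMs that talk to the network without any firewall VM in between.

    sys-net and sys-firewall themselves always land here: a program run
    inside either of them is not subject to sys-firewall's rules.
    Network-less VMs (vault) are skipped; they have no route out at all.
    """
    return sorted(
        vm for vm in netvms
        if reaches_hardware(vm, netvms, hardware_vm)
        and not behind_firewall(vm, netvms, firewall)
    )


if __name__ == "__main__":
    table = parse_netvms(SAMPLE_QVM_LS)
    for name in sorted(table):
        print(f"{name:13s} chain={netvm_chain(name, table)}")
    print("bypass firewall:", firewall_bypassing_vms(table))
```

On a real Qubes system the same functions can be fed the output of the `qvm-ls` command from dom0 (assuming the field format above); the useful result is the last list, which is exactly the set of VMs where extra programs would run without firewall protection.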

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.