As far as I remember, there was an idea to kill stubdoms after boot, which 
would both reduce risk (as stubdoms run in PV) and CPU+memory overhead. I 
cannot try it right now, because I haven't installed Q4.

> If I switch to disposable VMs, I assume the risk would be reduced.

You can sort of reduce some risk of having your AppVMs permanently pwned. As a 
result, this could prevent some kinds of gradual pwnage of dom0.

OTOH, if an attacker pwns some VM of yours and has a reliable way to escape from 
the VM to dom0, it does not matter if it is a DispVM or not.

> Can this be done for the sys-vms?

Not sure about 4, but I have done something similar for sys-usb in Q3.2. 
Strictly speaking, it is not a DVM, but it behaves similarly. The hack is 
simple in Q3.2:

1. Truncate the VM's private.img to zero bytes.
2. Ensure that the VM template has created /home/user in root.img. You can do 
   something like this:

       sudo mkdir /tmp/root &&
       sudo mount --bind / /tmp/root &&
       sudo mkdir /tmp/root/home/user &&
       sudo chown user:user /tmp/root/home/user &&
       sudo chmod 700 /tmp/root/home/user

In Q4, you will probably be able to do something similar, but you probably 
can't truncate an LVM volume to zero bytes, so this will require some elaboration.

The VM sys-firewall could utilize the same hack unless you have some scripts 
there. VM sys-net probably cannot utilize this (at least not that 
straightforwardly) because of the network config you have there.

Vít Šesták 'v6ak'
