On 2019-01-19 13:46, Illidan Pornrage wrote:
> On 1/18/19 5:02 PM, Goldi wrote:
>>
>> -------- Original Message --------
>> From: goldsm...@riseup.net
>> Sent: January 18, 2019 3:45:06 PM UTC
>> To: unman <un...@thirdeyesecurity.org>
>> Subject: Re: [qubes-users] Mirage-Firewall - Trusted in Dom0?
>>
>> On 2019-01-18 13:52, unman wrote:
>>> On Fri, Jan 18, 2019 at 04:38:56AM -0800, goldsm...@riseup.net wrote:
>>>> On 2019-01-15 15:19, Goldi wrote:
>>>>> I've been happily using Qubes for several years and noticed that
>>>>> several prominent members of the Qubes Team have in the past suggested
>>>>> installing Mirage-Firewall as an alternative to Sys-Firewall. However,
>>>>> I cannot find any reference to MF in the Qubes Docs.
>>>>> I'd like to install Mirage-Firewall, but I have a nagging doubt about
> >>>>> whether the code can be trusted. Particularly as it has to be
> >>>>> installed in Dom0.
>>>>> What do you guys recommend? Can the MF developer be trusted?
>>>>>
>>>>> https://groups.google.com/d/msgid/qubes-users/21F0DB51-AF5A-4729-8708-14C54BB4C29A%40riseup.net?utm_medium=email&utm_source=footer
> >>>> In Nov 2018 a prominent member of the Qubes team, Unman, suggested using
> >>>> Mirage-Firewall.
>>>> I'd appreciate very much a reply to my earlier query about the integrity
>>>> and reliability of the code/developer of Mirage Firewall
>>>>
>>>
>>> There is a reference in the docs to GSOC potential work: otherwise
>>> you'll find discussions here and in qubes-devel, and there's an open
>>> issue in qubes-issues.
>>> I have no view on the integrity of Thomas - don't know him. His
>>> contributions have been good and he's always seemed helpful and to know
>>> what he's talking about.
> >>> You can look at the code yourself and come to a view on that: it's
>>> pretty straightforward.
>>> https://github.com/talex5/qubes-mirage-firewall
>>>
>>> I've done some testing, and the firewall works as expected, with no
>>> strange effects I could see.
>> Thank you for responding.
>> I think I'll pass on installing Mirage-Firewall. I'm a user and
>> regretfully not competent to review MF code. I had hoped that any
>> recommendation to install anything in Dom0 would have been first
>> thoroughly assessed by the qubes team. After all, if Dom0 is compromised
> >> it's as Joanna used to say "game over"
>>
> 
> Ok, a short update for you. I am interested in it too and currently
> reviewing it.
> 
> The qubes mirage firewall is a kernel binary that is just stored in
> dom0 (+ initramfs and modules storage image), not executed in dom0.
> > (The initramfs is usually the first program started by a Linux kernel.
> > The modules.img is an image that is available as volume in the qube to
> > pull extra modules for a Linux kernel from. As this is a mirage
> > unikernel and not a Linux kernel the modules.img is empty. The
> > initramfs contains a part of the firewall.)
> > It can then be chosen in qubes settings > advanced > kernel, per qube.
> > This is just a kernel only without extra OS that is run in the firewall qube.
> 
> Risks:
> > - If whatever puts the kernel into a qube to boot from it can be
> > exploited using a malformed kernel file <-- imo low risk but no
> > guarantee as I haven't reviewed that part of the hypervisor code.
> > - The installer is corrupted and puts evil things in the rpm for dom0
> > <-- from the github it isn't even an rpm, just a tarball that gets spit
> > out by the builder or downloaded as release from github. So great
> > transparency.
> - The firewall being leaky because of bugs or maliciously or the build
> script being manipulated maliciously. <-- It is built in a docker
> container. The github repo contains the dockerfile which actually
> verifies its base image using sha256, the maintainer seems to care
> > about reproducibility. Mirage libraries get fetched via the opam OCaml
> file manager. Which might check signatures on those. Up to
> verification.
> 
> All in all pretty safe to use.

Wow. That's a good comprehensive reply. Thank you.

It goes a long way to convincing me that the code is safe to use.

Does anyone else have any feedback on this issue?
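
The review quoted above notes that the Dockerfile verifies its base image using sha256. As an added example (not part of this thread and not the project's own code), the following Python check reports which `FROM` lines in a Dockerfile are pinned by a full sha256 digest; the function names, image names and digest in the sample are constructed placeholders.

```python
import re

# FROM [--flag=value ...] <image-ref> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")  # full digest: 64 hex chars


def audit_base_images(dockerfile_text):
    """Classify every FROM line: pinned, unpinned, stage, scratch or variable."""
    stages, results = set(), []
    for line_no, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.lower() in stages:
            status = "stage"      # earlier build stage, not a registry pull
        elif ref == "scratch":
            status = "scratch"    # empty base, nothing to pin
        elif "$" in ref:
            status = "variable"   # ARG substitution: undecidable statically
        elif DIGEST_RE.search(ref):
            status = "pinned"
        else:
            status = "unpinned"   # tag only, or a truncated/invalid digest
        results.append((line_no, ref, status))
        if m.group("stage"):
            stages.add(m.group("stage").lower())
    return results


def needs_review(dockerfile_text):
    """FROM lines whose content is not fixed by a digest."""
    return [r for r in audit_base_images(dockerfile_text) if r[2] in ("unpinned", "variable")]


# Constructed sample: image names and digest are placeholders.
DIGEST = "ab" * 32
SAMPLE = f"""\
FROM example/opam-base@sha256:{DIGEST} AS build
FROM --platform=linux/amd64 example/opam-base:latest AS tools
FROM build
FROM example/opam-base@sha256:abc123
"""

if __name__ == "__main__":
    for line_no, ref, status in audit_base_images(SAMPLE):
        print(f"line {line_no}: {status:9} {ref}")
```

A pinned digest only fixes which base image is pulled; it does not cover packages fetched later in the build, which the review above leaves as "up to verification".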
