The Arch package management system, Pacman, relies on a secret, per-machine master key readable only by root. This is used to sign the other Arch root signing keys. Anyone with access to the secret part of the master key can present packages that Pacman will trust, and thus execute arbitrary code as root.
In typical use, this is fine, since the master key is securely generated and only readable by root. This is normally sufficient to prevent the secret part of the key from being accessed by unauthorized parties.

However, in QubesOS, this is not sufficient. The master key is stored on the root volume, so it is accessible to all AppVMs based on the TemplateVM. Anyone who compromises one of these AppVMs can dump the secret master key. If they can then perform an on-path attack on the update process, this allows them to execute arbitrary code on the TemplateVM.

To fix this vulnerability, it is necessary to ensure that the master signing key is securely deleted after it has been generated. This can be accomplished by placing /etc/pacman.d/gnupg/private-keys-v1.d on a tmpfs, both while building and running the template. Pacman will produce warnings about not being able to sign the master key, but these are not fatal.

Sincerely,
Demi
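As an added example (not part of Demi's message or of Qubes/Arch code), a POSIX shell snippet that checks whether the Pacman secret-key directory is actually a tmpfs mount point and prints the fstab entry that makes it one at boot. The /proc/mounts field layout, the sample mount table and the chosen mount options are my assumptions, not the author's.

```shell
#!/bin/sh
# Added example: verify and apply the "private-keys-v1.d on tmpfs" mitigation.
# Assumes the /proc/mounts layout: <device> <mountpoint> <fstype> <options> ...

KEYDIR=/etc/pacman.d/gnupg/private-keys-v1.d

# Constructed sample of /proc/mounts for a TemplateVM with the fix applied
# (not captured from a real system).
SAMPLE_MOUNTS='/dev/xvda3 / ext4 rw,relatime 0 0
tmpfs /etc/pacman.d/gnupg/private-keys-v1.d tmpfs rw,nosuid,nodev,noexec,relatime,mode=700 0 0
/dev/xvdb /rw ext4 rw,relatime 0 0'

# keydir_on_tmpfs MOUNTS_TEXT DIR
# Returns 0 when DIR is itself a tmpfs mount point in MOUNTS_TEXT, 1 otherwise.
# A tmpfs parent is deliberately not enough: the key directory must be the
# mount point, so nothing written under it can land on the persistent root volume.
keydir_on_tmpfs() {
    printf '%s\n' "$1" | awk -v dir="$2" '
        $2 == dir && $3 == "tmpfs" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# fstab_line DIR
# Prints an /etc/fstab entry that mounts DIR as a root-only tmpfs at boot,
# so the secret part of the master key never survives a reboot.
fstab_line() {
    printf 'tmpfs %s tmpfs defaults,mode=0700,nosuid,nodev,noexec 0 0\n' "$1"
}

# check_live_system
# Runs the same test against the real /proc/mounts of the VM it is executed in.
# Returns 0 if the key directory is on tmpfs, 1 if it is still on persistent storage.
check_live_system() {
    if keydir_on_tmpfs "$(cat /proc/mounts)" "$KEYDIR"; then
        echo "OK: $KEYDIR is on tmpfs"
    else
        echo "WARNING: $KEYDIR is on persistent storage; add this to /etc/fstab:"
        fstab_line "$KEYDIR"
        return 1
    fi
}
```

Run check_live_system inside the TemplateVM (as root); the same mount must also be in place while the template is being built, before the keyring is initialised.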