Michael Singer:
> I had to find a way to mount the read-only volume in the destination
> qube. I discovered the page
> https://www.qubes-os.org/doc/block-devices/ But it doesn't say how
> to mount it either. The normal way with "$ sudo mount /dev/xvdi
> /mnt" does not seem to work for read-only. You have to tell the
> mount tool that it is a read-only device: "$ sudo mount -o ro,noload
> /dev/xvdi /mnt" This way it works.

'mount' without any options generally works for read-only devices -
but not if the filesystem is in a dirty state, like after sudden
power-off. In that case 'noload' is needed so the kernel doesn't
attempt to recover the newest data by replaying the journal, which
would fail without write access.

> Perhaps this should be added to the documentation.

https://www.qubes-os.org/doc/doc-guidelines/#how-to-contribute :)

> I read the notes about your split-dmcrypt-tool. Good work! Let's
> assume I would not work with LUKS. Suppose I mount sda1 with
> read-only option set in a DispVM (after switching off its network),
> decrypt it there and search in the files. An exploit bug occurs and
> the VM is taken. Now it could happen that someone leaks the
> partition password to the internet via a covert channel. So would
> it be safer to mount the decrypted volume again in another DispVM
> before we search it?

Yes, assuming that the exploit is inside the *decrypted* data. Then
that second offline DisposableVM would not have access to the (tiny)
password, so it would only be able to slowly transmit the (huge)
decrypted data over such a hypothetical covert channel.

> And how would that be done? With the loopdevice method? What
> commands would you use in the terminal?

[dom0]# qvm-block attach --ro disp1 sys-usb:sda1

[disp1]# echo Y >/sys/module/block/parameters/no_part_scan
[disp1]# (somehow decrypt /dev/xvdi, yielding a device /dev/mapper/something)
[disp1]# readlink /dev/mapper/something
../dm-0

[dom0]# qvm-block attach --ro disp2 disp1:dm-0

[disp2]# (mount /dev/xvdi)

Rusty
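
The two-hop procedure above, scripted as a dom0 helper. This is an added example, not code from the thread or from Qubes OS; it assumes the DisposableVMs are named disp1 and disp2, the partition is sys-usb:sda1, the network is cut with qvm-prefs, and the decryption step in disp1 is still done by hand, producing /dev/mapper/<name>.

```bash
#!/bin/bash
# Added example (not from the thread): dom0 helper for the two-hop
# read-only attach. Assumed names: disp1, disp2, sys-usb:sda1.
set -eu

# Turn readlink output for /dev/mapper/<name> (e.g. "../dm-0") into the
# kernel device name qvm-block expects after the colon ("dm-0").
dm_name() {
    local link="${1##*/}"
    case "$link" in
        dm-[0-9]*) printf '%s\n' "$link" ;;
        *) printf 'unexpected mapper target: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Build the BACKEND:DEVICE argument for the second hop, e.g. "disp1:dm-0".
attach_arg() { printf '%s:%s\n' "$1" "$(dm_name "$2")"; }

# Stage 1: cut disp1 off the network, hand it the encrypted partition
# read-only, and stop the kernel from scanning it for partition tables.
stage1() {
    qvm-prefs disp1 netvm ''
    qvm-block attach --ro disp1 sys-usb:sda1
    qvm-run -u root disp1 'echo Y >/sys/module/block/parameters/no_part_scan'
}

# Stage 2 (after decrypting /dev/xvdi in disp1 as /dev/mapper/$1): resolve
# the dm device and pass it, still read-only, to disp2, which never sees
# the passphrase. noload skips ext4 journal replay so a dirty filesystem
# still mounts without write access.
stage2() {
    local target
    target=$(qvm-run --pass-io -u root disp1 "readlink /dev/mapper/$1")
    qvm-prefs disp2 netvm ''
    qvm-block attach --ro disp2 "$(attach_arg disp1 "$target")"
    qvm-run -u root disp2 'mount -o ro,noload /dev/xvdi /mnt'
}

# Usage: ./twohop.sh stage1   then, after decrypting in disp1:
#        ./twohop.sh stage2 <mapper-name>
case "${1:-}" in
    stage1) stage1 ;;
    stage2) stage2 "${2:?mapper name required}" ;;
esac
```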

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/YM3j6FQAdHWkZZEV%40mutt.