Re: [qubes-users] DispVM Configuration
On Thu, Apr 06, 2017 at 02:03:14PM +0100, Unman wrote:
> On Thu, Apr 06, 2017 at 02:17:53AM -0400, Jean-Philippe Ouellet wrote:
> > On Wed, Apr 5, 2017 at 11:59 PM, Sam Hentschel wrote:
> > > Hey all!
> > >
> > > So far so good with QubesOS on my end. Have almost everything up and running to have this as my daily carry. It's amazing how little RAM all these VMs actually require; and the CPU! None!
> > >
> > > Anyways, I am having some trouble configuring my DispVMs to allow me to use them for printing and scanning. The protocols and software for printing and scanning are both, as I recall, highly insecure. In addition, the devices that use them (i.e. printer, scanners) should be considered to be backdoored or owned already.
> > >
> > > I wanted to make it so that when I want to print something, I open up the file in a DispVM and print it from there. I then thought that I could approximately do the same thing with scanning. Open up a DispVM that is running simple-scan, scan the file into the DispVM and then copy it over to the VM that I want.
> > >
> > > By doing it this way I should be able to move out all the vulnerable printer and scanner code, and my AppVMs will never directly touch those devices or protocols. Instead they will be hidden behind the relative safety of the Qubes file copy mechanism.
> >
> > An interesting goal. In practice I'm not sure what real benefit you'd get from using a DispVM vs. just a regular stateful AppVM (assuming you just use one printer/scanner). Presumably what you care about in this context is confidentiality of your documents. Your printer/scanner is by its very nature in a perfect position to steal your documents, and likely also has a means to store or transmit them. This seems true regardless of whether or not your printer/scanner can compromise or persistently compromise a VM (which only deals with printer drivers and documents the printer will know anyway).
> >
> > If you use multiple printers, then I can see an argument for wanting separate AppVMs per printer, and if you constantly use different printers then sure I guess DispVMs make sense. Is this the case?
> >
> > In other words, I'm curious what threat you're actually trying to mitigate by doing this.
> >
> > > I tried to follow the documentation page:
> > > - show internal VMs
> > > - run gnome-terminal in fedora-23-dvm
> > > - install and configure the necessary applications and hardware devices
> > > - touch the /home/user/.qubes-dispvm-customized
> > > - shutdown the VM
> > > - regenerate the DispVM template using: qvm-create-default-dvm --default-template
> > >
> > > When I opened up a DispVM the software was nowhere to be found (opened up Firefox, right clicked on the DispVM in the VM Manager and ran gnome-terminal). When I reopen fedora-23-dvm the software is nowhere to be found. So I believe either I am doing something stupid, or the documentation has it wrong. I did notice that the DispVMs start with a template of fedora-23. So then do they not actually use the fedora-23-dvm template like it says?
> >
> > If you want to make additional software available, then do so in the template of the dispvm (in your case fedora-23 (but you should really update to fedora-24!)).
> >
> > You can think of the process of customizing a DispVM like creating a new AppVM. Software that should be available on every run belongs in its template. Local state (/home, etc.) happens in the AppVM. Customizing the DispVM template is like customizing an AppVM that you then take a snapshot of and duplicate each time you want a new DispVM. In practice this is similar to how it's actually implemented.
>
> Hi Sam,
>
> I understand your goal, because I use dispVMs for scanning myself, rather than a stateful appVM. (I think Jean-Philippe missed your comment about the protocols and software being highly insecure.)
>
> I think your problem arises because of the way in which a disposableVM is generated, which hasn't been made clear enough to you. What you need to do is clone an existing template to (say) fed24-print. Then install the software drivers and printing/scanning tools on THAT template, and use it to generate a DVMTemplate. (This is the equivalent of the fedora-23-dvm you have identified.) You do this using 'qvm-create-default-dvm fed24-print'
>
> When you create a dispVM it uses the DVMTemplate to spawn a new instance. Thus the disposableVM will have the printing and scanning software and drivers in it.
>
> The customisation you have read about only refers to changes made in /home/user. This is why it uses examples of customising Firefox profiles, and why it hasn't worked in your case. Without that, each dispVM will have a home directory created from the default skel profile.
Re: [qubes-users] DispVM Configuration
On Thu, Apr 06, 2017 at 02:17:53AM -0400, Jean-Philippe Ouellet wrote:
> On Wed, Apr 5, 2017 at 11:59 PM, Sam Hentschel wrote:
> > Hey all!
> >
> > So far so good with QubesOS on my end. Have almost everything up and running to have this as my daily carry. It's amazing how little RAM all these VMs actually require; and the CPU! None!
> >
> > Anyways, I am having some trouble configuring my DispVMs to allow me to use them for printing and scanning. The protocols and software for printing and scanning are both, as I recall, highly insecure. In addition, the devices that use them (i.e. printer, scanners) should be considered to be backdoored or owned already.
> >
> > I wanted to make it so that when I want to print something, I open up the file in a DispVM and print it from there. I then thought that I could approximately do the same thing with scanning. Open up a DispVM that is running simple-scan, scan the file into the DispVM and then copy it over to the VM that I want.
> >
> > By doing it this way I should be able to move out all the vulnerable printer and scanner code, and my AppVMs will never directly touch those devices or protocols. Instead they will be hidden behind the relative safety of the Qubes file copy mechanism.
>
> An interesting goal. In practice I'm not sure what real benefit you'd get from using a DispVM vs. just a regular stateful AppVM (assuming you just use one printer/scanner). Presumably what you care about in this context is confidentiality of your documents. Your printer/scanner is by its very nature in a perfect position to steal your documents, and likely also has a means to store or transmit them. This seems true regardless of whether or not your printer/scanner can compromise or persistently compromise a VM (which only deals with printer drivers and documents the printer will know anyway).
>
> If you use multiple printers, then I can see an argument for wanting separate AppVMs per printer, and if you constantly use different printers then sure I guess DispVMs make sense. Is this the case?
>
> In other words, I'm curious what threat you're actually trying to mitigate by doing this.
>
> > I tried to follow the documentation page:
> > - show internal VMs
> > - run gnome-terminal in fedora-23-dvm
> > - install and configure the necessary applications and hardware devices
> > - touch the /home/user/.qubes-dispvm-customized
> > - shutdown the VM
> > - regenerate the DispVM template using: qvm-create-default-dvm --default-template
> >
> > When I opened up a DispVM the software was nowhere to be found (opened up Firefox, right clicked on the DispVM in the VM Manager and ran gnome-terminal). When I reopen fedora-23-dvm the software is nowhere to be found. So I believe either I am doing something stupid, or the documentation has it wrong. I did notice that the DispVMs start with a template of fedora-23. So then do they not actually use the fedora-23-dvm template like it says?
>
> If you want to make additional software available, then do so in the template of the dispvm (in your case fedora-23 (but you should really update to fedora-24!)).
>
> You can think of the process of customizing a DispVM like creating a new AppVM. Software that should be available on every run belongs in its template. Local state (/home, etc.) happens in the AppVM. Customizing the DispVM template is like customizing an AppVM that you then take a snapshot of and duplicate each time you want a new DispVM. In practice this is similar to how it's actually implemented.

Hi Sam,

I understand your goal, because I use dispVMs for scanning myself, rather than a stateful appVM. (I think Jean-Philippe missed your comment about the protocols and software being highly insecure.)

I think your problem arises because of the way in which a disposableVM is generated, which hasn't been made clear enough to you. What you need to do is clone an existing template to (say) fed24-print. Then install the software drivers and printing/scanning tools on THAT template, and use it to generate a DVMTemplate. (This is the equivalent of the fedora-23-dvm you have identified.) You do this using 'qvm-create-default-dvm fed24-print'

When you create a dispVM it uses the DVMTemplate to spawn a new instance. Thus the disposableVM will have the printing and scanning software and drivers in it.

The customisation you have read about only refers to changes made in /home/user. This is why it uses examples of customising Firefox profiles, and why it hasn't worked in your case. Without that, each dispVM will have a home directory created from the default skel profile.

Of course, it's probably occurred to you that what this means is that EVERY instance of a disposableVM will have the scan/print tools in it, and this is probably not what you want. I work around this using multiple disposableVM based off different DV
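
The clone, install and regenerate sequence from the message above, written as a dom0 script for the Qubes 3.x command-line tools. This is an added example, not part of the original thread; `fed24-print` is the name used in the message, while the base template name `fedora-24`, the package list and the helper names are assumptions.

```bash
#!/bin/sh
# Added example (not from the thread): build the DVMTemplate from a dedicated
# print/scan template. Run in dom0. Template "fedora-24" and the package
# names are assumptions; "fed24-print" is the name used in the message.

DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the dom0 commands, 0 = execute them

# Print a command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only plain VM or package names, so that nothing unexpected ends up
# in the command string that is run as root inside the template.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._+-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_print_dvm BASE CLONE PKG...
build_print_dvm() {
    if [ "$#" -lt 3 ]; then
        echo "usage: build_print_dvm BASE CLONE PKG..." >&2
        return 2
    fi
    base="$1"; clone="$2"; shift 2
    if [ "$base" = "$clone" ]; then
        echo "refusing: clone must differ from the base template" >&2
        return 2
    fi
    for p in "$base" "$clone" "$@"; do
        valid_name "$p" || { echo "refusing: bad name '$p'" >&2; return 2; }
    done
    # 1. Clone, so the template behind the AppVMs stays free of print/scan code.
    run qvm-clone "$base" "$clone" || return 1
    # 2. Install drivers and tools in the clone (the template root, not /home).
    run qvm-run -a -p -u root "$clone" "dnf -y install $*" || return 1
    # 3. Shut the clone down so the installed packages are committed.
    run qvm-shutdown --wait "$clone" || return 1
    # 4. Regenerate the DVMTemplate from the clone. As the message notes,
    #    every DispVM started afterwards carries these tools.
    run qvm-create-default-dvm "$clone"
}

# Dry run with constructed arguments: prints the four dom0 commands.
build_print_dvm fedora-24 fed24-print cups sane-backends simple-scan
```

Set `DRY_RUN=0` in dom0 to execute the commands instead of printing them.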
Re: [qubes-users] DispVM Configuration
On Thu, Apr 06, 2017 at 02:17:53AM -0400, Jean-Philippe Ouellet wrote:
> On Wed, Apr 5, 2017 at 11:59 PM, Sam Hentschel wrote:
> An interesting goal. In practice I'm not sure what real benefit you'd get from using a DispVM vs. just a regular stateful AppVM (assuming you just use one printer/scanner). Presumably what you care about in this context is confidentiality of your documents. Your printer/scanner is by its very nature in a perfect position to steal your documents, and likely also has a means to store or transmit them. This seems true regardless of whether or not your printer/scanner can compromise or persistently compromise a VM (which only deals with printer drivers and documents the printer will know anyway).
>
> If you use multiple printers, then I can see an argument for wanting separate AppVMs per printer, and if you constantly use different printers then sure I guess DispVMs make sense. Is this the case?
>
> In other words, I'm curious what threat you're actually trying to mitigate by doing this.

On a daily basis I interact with about three printers: one at home, one at work, and one at school. My goals were as follows:
- Keep one printer from getting what another printer has handled
- Stop the spread of printer malware from one printer to another (if that makes sense?)
- Stop the printers (which may be and probably are compromised) from compromising one of my security domains.
- Kind of the same reasons as moving out the networking software and drivers to the NetVM and the USBs to a USBVM?

An example scenario: an employer or future employer requires me to print out some forms from an email, fill them out, scan them, and email them back. In this case, it would be nice to be able to print the forms via a DispVM (which I open anyway when interacting with email attachments), fill them out, scan them in the same or a different DispVM and send it back. This way the PDF or word document is never opened in my Email Qube. I can thus take out extra software in that VM, and minimize it to just working with email.

> If you want to make additional software available, then do so in the template of the dispvm (in your case fedora-23 (but you should really update to fedora-24!)).

Ok, if that's the case I may clone the fedora template and make one specifically for the DispVMs. Some of the software I want on DispVMs, I don't want on my AppVMs and vice versa.

Since it's the case that the DispVM uses the fedora-23 template, shouldn't the document say to edit that instead of the fedora-23-dvm AppVM? If you agree, maybe I'll go pull down the documentation and rewrite some of it.

--
Respectfully,
Sam Hentschel

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170406125158.GA999%40Personal-Email.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] DispVM Configuration
On Wed, Apr 5, 2017 at 11:59 PM, Sam Hentschel wrote:
> Hey all!
>
> So far so good with QubesOS on my end. Have almost everything up and running to have this as my daily carry. It's amazing how little RAM all these VMs actually require; and the CPU! None!
>
> Anyways, I am having some trouble configuring my DispVMs to allow me to use them for printing and scanning. The protocols and software for printing and scanning are both, as I recall, highly insecure. In addition, the devices that use them (i.e. printer, scanners) should be considered to be backdoored or owned already.
>
> I wanted to make it so that when I want to print something, I open up the file in a DispVM and print it from there. I then thought that I could approximately do the same thing with scanning. Open up a DispVM that is running simple-scan, scan the file into the DispVM and then copy it over to the VM that I want.
>
> By doing it this way I should be able to move out all the vulnerable printer and scanner code, and my AppVMs will never directly touch those devices or protocols. Instead they will be hidden behind the relative safety of the Qubes file copy mechanism.

An interesting goal. In practice I'm not sure what real benefit you'd get from using a DispVM vs. just a regular stateful AppVM (assuming you just use one printer/scanner). Presumably what you care about in this context is confidentiality of your documents. Your printer/scanner is by its very nature in a perfect position to steal your documents, and likely also has a means to store or transmit them. This seems true regardless of whether or not your printer/scanner can compromise or persistently compromise a VM (which only deals with printer drivers and documents the printer will know anyway).

If you use multiple printers, then I can see an argument for wanting separate AppVMs per printer, and if you constantly use different printers then sure I guess DispVMs make sense. Is this the case?

In other words, I'm curious what threat you're actually trying to mitigate by doing this.

> I tried to follow the documentation page:
> - show internal VMs
> - run gnome-terminal in fedora-23-dvm
> - install and configure the necessary applications and hardware devices
> - touch the /home/user/.qubes-dispvm-customized
> - shutdown the VM
> - regenerate the DispVM template using: qvm-create-default-dvm --default-template
>
> When I opened up a DispVM the software was nowhere to be found (opened up Firefox, right clicked on the DispVM in the VM Manager and ran gnome-terminal). When I reopen fedora-23-dvm the software is nowhere to be found. So I believe either I am doing something stupid, or the documentation has it wrong. I did notice that the DispVMs start with a template of fedora-23. So then do they not actually use the fedora-23-dvm template like it says?

If you want to make additional software available, then do so in the template of the dispvm (in your case fedora-23 (but you should really update to fedora-24!)).

You can think of the process of customizing a DispVM like creating a new AppVM. Software that should be available on every run belongs in its template. Local state (/home, etc.) happens in the AppVM. Customizing the DispVM template is like customizing an AppVM that you then take a snapshot of and duplicate each time you want a new DispVM. In practice this is similar to how it's actually implemented.
[qubes-users] DispVM Configuration
Hey all!

So far so good with QubesOS on my end. Have almost everything up and running to have this as my daily carry. It's amazing how little RAM all these VMs actually require; and the CPU! None!

Anyways, I am having some trouble configuring my DispVMs to allow me to use them for printing and scanning. The protocols and software for printing and scanning are both, as I recall, highly insecure. In addition, the devices that use them (i.e. printer, scanners) should be considered to be backdoored or owned already.

I wanted to make it so that when I want to print something, I open up the file in a DispVM and print it from there. I then thought that I could approximately do the same thing with scanning. Open up a DispVM that is running simple-scan, scan the file into the DispVM and then copy it over to the VM that I want.

By doing it this way I should be able to move out all the vulnerable printer and scanner code, and my AppVMs will never directly touch those devices or protocols. Instead they will be hidden behind the relative safety of the Qubes file copy mechanism.

I tried to follow the documentation page:
- show internal VMs
- run gnome-terminal in fedora-23-dvm
- install and configure the necessary applications and hardware devices
- touch the /home/user/.qubes-dispvm-customized
- shutdown the VM
- regenerate the DispVM template using: qvm-create-default-dvm --default-template

When I opened up a DispVM the software was nowhere to be found (opened up Firefox, right clicked on the DispVM in the VM Manager and ran gnome-terminal). When I reopen fedora-23-dvm the software is nowhere to be found. So I believe either I am doing something stupid, or the documentation has it wrong. I did notice that the DispVMs start with a template of fedora-23. So then do they not actually use the fedora-23-dvm template like it says?

Thanks in advance for your help!

--
Respectfully,
Sam Hentschel