Re: Fwd: Re: [qubes-users] Mirage-Firewall - Trusted in Dom0?

2019-01-20 Thread goldsmith
On 2019-01-19 13:46, Illidan Pornrage wrote:
> On 1/18/19 5:02 PM, Goldi wrote:
>>
>>
>>
>>  Original Message 
>> From: goldsm...@riseup.net
>> Sent: January 18, 2019 3:45:06 PM UTC
>> To: unman 
>> Subject: Re: [qubes-users] Mirage-Firewall - Trusted in Dom0?
>>
>> On 2019-01-18 13:52, unman wrote:
>>> On Fri, Jan 18, 2019 at 04:38:56AM -0800, goldsm...@riseup.net wrote:
>>>> On 2019-01-15 15:19, Goldi wrote:
>>>>> I've been happily using Qubes for several years and noticed that
>>>>> several prominent members of the Qubes Team have in the past suggested
>>>>> installing Mirage-Firewall as an alternative to Sys-Firewall. However,
>>>>> I cannot find any reference to MF in the Qubes Docs.
>>>>> I'd like to install Mirage-Firewall, but I have a nagging doubt about
>>>>> whether the code can be trusted. Particularly as it has to be
>>>>> installed in Dom0
>>>>> What do you guys recommend? Can the MF developer be trusted?
>>>>>
>>>>> https://groups.google.com/d/msgid/qubes-users/21F0DB51-AF5A-4729-8708-14C54BB4C29A%40riseup.net?utm_medium=email&utm_source=footer
>>>> In Nov 2018 a prominent member of the Qubes team, Unman, suggested using
>>>> Mirage-Firewall.
>>>> I'd appreciate very much a reply to my earlier query about the integrity
>>>> and reliability of the code/developer of Mirage Firewall
>>>>
>>>
>>> There is a reference in the docs to GSOC potential work: otherwise
>>> you'll find discussions here and in qubes-devel, and there's an open
>>> issue in qubes-issues.
>>> I have no view on the integrity of Thomas - don't know him. His
>>> contributions have been good and he's always seemed helpful and to know
>>> what he's talking about.
>>> You can look at the code yourself and come to a view on that: it's
>>> pretty straightforward.
>>> https://github.com/talex5/qubes-mirage-firewall
>>>
>>> I've done some testing, and the firewall works as expected, with no
>>> strange effects I could see.
>> Thank you for responding.
>> I think I'll pass on installing Mirage-Firewall. I'm a user and
>> regretfully not competent to review MF code. I had hoped that any
>> recommendation to install anything in Dom0 would have been first
>> thoroughly assessed by the qubes team. After all, if Dom0 is compromised
>> it's, as Joanna used to say, "game over"
>>
> 
> Ok, a short update for you. I am interested in it too and currently
> reviewing it.
> 
> The qubes mirage firewall is a kernel binary that is just stored in
> dom0 (+ initramfs and modules storage image), not executed in dom0.
> (The initramfs is usually the first program started by a linux kernel.
> The modules.img is an image that is available as volume in the qube to
> pull extra modules for a linux kernel from. As this is a mirage
> unikernel and not a linux kernel the modules.img is empty. The
> initramfs contains a part of the firewall.)
> It can then be chosen in qubes settings > advanced > kernel, per qube.
> This is just a kernel only without extra os that is run in the firewall qube.
> 
> Risks:
> - If whatever puts the kernel into a qube to boot from it can be
> exploited using a malformed kernel file <-- imo low risk but no
> guarantee as I haven't reviewed that part of the hypervisor code.
> - The installer is corrupted and puts evil things in the rpm for dom0
> <-- from the github it isn't even an rpm, just a tarball that gets spit
> out by the builder or downloaded as release from github. So great
> transparency.
> - The firewall being leaky because of bugs or maliciously or the build
> script being manipulated maliciously. <-- It is built in a docker
> container. The github repo contains the dockerfile which actually
> verifies its base image using sha256, the maintainer seems to care
> about reproducibility. Mirage libraries get fetched via the opam OCAML
> file manager. Which might check signatures on those. Up to
> verification.
> 
> All in all pretty safe to use.

Wow. That's a good comprehensive reply. Thank you.

It goes a long way to convincing me that the code is safe to use.

Does anyone else have any feedback on this issue?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7427343df1d9b1e9dd055eae384d40b3%40riseup.net.
For more options, visit https://groups.google.com/d/optout.


Re: Fwd: Re: [qubes-users] Mirage-Firewall - Trusted in Dom0?

2019-01-19 Thread 92384235-illidan-mailinglists

On 1/19/19 2:46 PM, Illidan Pornrage wrote:
> On 1/18/19 5:02 PM, Goldi wrote:
>>
>> Original Message
>> From: goldsm...@riseup.net
>> Sent: January 18, 2019 3:45:06 PM UTC
>> To: unman
>> Subject: Re: [qubes-users] Mirage-Firewall - Trusted in Dom0?
>>
>> On 2019-01-18 13:52, unman wrote:
>>> On Fri, Jan 18, 2019 at 04:38:56AM -0800, goldsm...@riseup.net wrote:
>>>> On 2019-01-15 15:19, Goldi wrote:
>>>>> I've been happily using Qubes for several years and noticed that
>>>>> several prominent members of the Qubes Team have in the past suggested
>>>>> installing Mirage-Firewall as an alternative to Sys-Firewall. However,
>>>>> I cannot find any reference to MF in the Qubes Docs.
>>>>> I'd like to install Mirage-Firewall, but I have a nagging doubt about
>>>>> whether the code can be trusted. Particularly as it has to be
>>>>> installed in Dom0
>>>>> What do you guys recommend? Can the MF developer be trusted?
>>>>>
>>>>> https://groups.google.com/d/msgid/qubes-users/21F0DB51-AF5A-4729-8708-14C54BB4C29A%40riseup.net?utm_medium=email&utm_source=footer
>>>> In Nov 2018 a prominent member of the Qubes team, Unman, suggested using
>>>> Mirage-Firewall.
>>>> I'd appreciate very much a reply to my earlier query about the integrity
>>>> and reliability of the code/developer of Mirage Firewall
>>>>
>>>
>>> There is a reference in the docs to GSOC potential work: otherwise
>>> you'll find discussions here and in qubes-devel, and there's an open
>>> issue in qubes-issues.
>>> I have no view on the integrity of Thomas - don't know him. His
>>> contributions have been good and he's always seemed helpful and to know
>>> what he's talking about.
>>> You can look at the code yourself and come to a view on that: it's
>>> pretty straightforward.
>>> https://github.com/talex5/qubes-mirage-firewall
>>>
>>> I've done some testing, and the firewall works as expected, with no
>>> strange effects I could see.
>> Thank you for responding.
>> I think I'll pass on installing Mirage-Firewall. I'm a user and
>> regretfully not competent to review MF code. I had hoped that any
>> recommendation to install anything in Dom0 would have been first
>> thoroughly assessed by the qubes team. After all, if Dom0 is compromised
>> it's, as Joanna used to say, "game over"
>>
>
> Ok, a short update for you. I am interested in it too and currently
> reviewing it.
>
> The qubes mirage firewall is a kernel binary that is just stored in dom0
> (+ initramfs and modules storage image), not executed in dom0. (The
> initramfs is usually the first program started by a linux kernel. The
> modules.img is an image that is available as volume in the qube to pull
> extra modules for a linux kernel from. As this is a mirage unikernel and
> not a linux kernel the modules.img is empty. The initramfs contains a
> part of the firewall.)
>
> It can then be chosen in qubes settings > advanced > kernel, per qube.
> This is just a kernel only without extra os that is run in the firewall
> qube.
>
> Risks:
> - If whatever puts the kernel into a qube to boot from it can be
> exploited using a malformed kernel file <-- imo low risk but no
> guarantee as I haven't reviewed that part of the hypervisor code.
> - The installer is corrupted and puts evil things in the rpm for dom0
> <-- from the github it isn't even an rpm, just a tarball that gets spit
> out by the builder or downloaded as release from github. So great
> transparency.
> - The firewall being leaky because of bugs or maliciously or the build
> script being manipulated maliciously. <-- It is built in a docker
> container. The github repo contains the dockerfile which actually
> verifies its base image using sha256, the maintainer seems to care about
> reproducibility. Mirage libraries get fetched via the opam OCAML file
> manager. Which might check signatures on those. Up to verification.
>
> All in all pretty safe to use.



The repo of user talex5 is the newest right now. 20190119
Last commit ID: 4526375a1915e34d763da5306f0793bd021fb312
Neither tags nor commits are signed.
Commits are recent but low activity.
Code is small tho, so reading it is doable.
Actually understanding it is another thing because I don't know anything 
about OCAML. That might change.

*Building and testing*



Re: Fwd: Re: [qubes-users] Mirage-Firewall - Trusted in Dom0?

2019-01-19 Thread Illidan Pornrage

On 1/18/19 5:02 PM, Goldi wrote:
>
> Original Message
> From: goldsm...@riseup.net
> Sent: January 18, 2019 3:45:06 PM UTC
> To: unman
> Subject: Re: [qubes-users] Mirage-Firewall - Trusted in Dom0?
>
> On 2019-01-18 13:52, unman wrote:
>> On Fri, Jan 18, 2019 at 04:38:56AM -0800, goldsm...@riseup.net wrote:
>>> On 2019-01-15 15:19, Goldi wrote:
>>>> I've been happily using Qubes for several years and noticed that
>>>> several prominent members of the Qubes Team have in the past suggested
>>>> installing Mirage-Firewall as an alternative to Sys-Firewall. However,
>>>> I cannot find any reference to MF in the Qubes Docs.
>>>> I'd like to install Mirage-Firewall, but I have a nagging doubt about
>>>> whether the code can be trusted. Particularly as it has to be
>>>> installed in Dom0
>>>> What do you guys recommend? Can the MF developer be trusted?
>>>>
>>>> https://groups.google.com/d/msgid/qubes-users/21F0DB51-AF5A-4729-8708-14C54BB4C29A%40riseup.net?utm_medium=email&utm_source=footer
>>> In Nov 2018 a prominent member of the Qubes team, Unman, suggested using
>>> Mirage-Firewall.
>>> I'd appreciate very much a reply to my earlier query about the integrity
>>> and reliability of the code/developer of Mirage Firewall
>>>
>>
>> There is a reference in the docs to GSOC potential work: otherwise
>> you'll find discussions here and in qubes-devel, and there's an open
>> issue in qubes-issues.
>> I have no view on the integrity of Thomas - don't know him. His
>> contributions have been good and he's always seemed helpful and to know
>> what he's talking about.
>> You can look at the code yourself and come to a view on that: it's
>> pretty straightforward.
>> https://github.com/talex5/qubes-mirage-firewall
>>
>> I've done some testing, and the firewall works as expected, with no
>> strange effects I could see.
> Thank you for responding.
> I think I'll pass on installing Mirage-Firewall. I'm a user and
> regretfully not competent to review MF code. I had hoped that any
> recommendation to install anything in Dom0 would have been first
> thoroughly assessed by the qubes team. After all, if Dom0 is compromised
> it's, as Joanna used to say, "game over"
>



Ok, a short update for you. I am interested in it too and currently 
reviewing it.


The qubes mirage firewall is a kernel binary that is just stored in dom0 
(+ initramfs and modules storage image), not executed in dom0. (The 
initramfs is usually the first program started by a linux kernel. The 
modules.img is an image that is available as volume in the qube to pull 
extra modules for a linux kernel from. As this is a mirage unikernel and 
not a linux kernel the modules.img is empty. The initramfs contains a 
part of the firewall.)

It can then be chosen in qubes settings > advanced > kernel, per qube.
This is just a kernel only without extra os that is run in the firewall 
qube.


Risks:
- If whatever puts the kernel into a qube to boot from it can be 
exploited using a malformed kernel file <-- imo low risk but no 
guarantee as I haven't reviewed that part of the hypervisor code.
- The installer is corrupted and puts evil things in the rpm for dom0 
<-- from the github it isn't even an rpm, just a tarball that gets spit 
out by the builder or downloaded as release from github. So great 
transparency.
- The firewall being leaky because of bugs or maliciously or the build 
script being manipulated maliciously. <-- It is built in a docker 
container. The github repo contains the dockerfile which actually 
verifies its base image using sha256, the maintainer seems to care about 
reproducibility. Mirage libraries get fetched via the opam OCAML file 
manager. Which might check signatures on those. Up to verification.


All in all pretty safe to use.

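
Added example (not part of the thread, and not code from the qubes-mirage-firewall project): one way to check a kernel tarball in a non-dom0 qube before copying it to dom0, covering the tarball and build points in the risk list above. The member names, the function names and the idea of pinning the digest of your own build are assumptions; the sample archive is constructed.

```python
import hashlib
import io
import tarfile

# Assumed layout (not stated in the thread): one directory holding the three
# files the post describes: kernel, initramfs and an empty modules image.
EXPECTED = {"mirage-firewall/vmlinuz", "mirage-firewall/initramfs",
            "mirage-firewall/modules.img"}

def audit_kernel_tarball(blob, pinned_sha256, expected=EXPECTED):
    """Return a list of findings; an empty list means the archive passed."""
    findings = []
    digest = hashlib.sha256(blob).hexdigest()
    if digest != pinned_sha256.lower():
        findings.append("sha256 mismatch: got " + digest)
    dirs = {n.rsplit("/", 1)[0] for n in expected}
    seen = set()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in tar:  # metadata only; nothing is extracted
            if m.isdir() and m.name in dirs:
                continue
            if not m.isreg():  # symlinks, devices, stray directories
                findings.append(f"{m.name}: not a regular file")
            elif m.name not in expected:  # also rejects ../ and absolute paths
                findings.append(f"{m.name}: unexpected member")
            elif m.mode & 0o6000:
                findings.append(f"{m.name}: setuid/setgid bit set")
            else:
                seen.add(m.name)
    findings += [f"{n}: missing" for n in sorted(expected - seen)]
    return findings

def build_sample(extra=None):
    """Constructed stand-in for a release tarball (not real project data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(EXPECTED):
            data = b"" if name.endswith("modules.img") else b"constructed"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        if extra is not None:
            tar.addfile(extra)
    return buf.getvalue()

if __name__ == "__main__":
    good = build_sample()
    pin = hashlib.sha256(good).hexdigest()  # in practice: digest of your own build
    print(audit_kernel_tarball(good, pin) or "archive passed")
```

A matching digest only shows that the downloaded file equals the one you pinned; it says nothing about whether the firewall code itself is sound.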


Fwd: Re: [qubes-users] Mirage-Firewall - Trusted in Dom0?

2019-01-18 Thread Goldi



 Original Message 
From: goldsm...@riseup.net
Sent: January 18, 2019 3:45:06 PM UTC
To: unman 
Subject: Re: [qubes-users] Mirage-Firewall - Trusted in Dom0?

On 2019-01-18 13:52, unman wrote:
> On Fri, Jan 18, 2019 at 04:38:56AM -0800, goldsm...@riseup.net wrote:
>> On 2019-01-15 15:19, Goldi wrote:
>> > I've been happily using Qubes for several years and noticed that
>> > several prominent members of the Qubes Team have in the past suggested
>> > installing Mirage-Firewall as an alternative to Sys-Firewall. However,
>> > I cannot find any reference to MF in the Qubes Docs.
>> > I'd like to install Mirage-Firewall, but I have a nagging doubt about
>> > whether the code can be trusted. Particularly as it has to be
>> > installed in Dom0
>> > What do you guys recommend? Can the MF developer be trusted?
>> >
>> > https://groups.google.com/d/msgid/qubes-users/21F0DB51-AF5A-4729-8708-14C54BB4C29A%40riseup.net?utm_medium=email&utm_source=footer
>> In Nov 2018 a prominent member of the Qubes team, Unman, suggested using
>> Mirage-Firewall.
>> I'd appreciate very much a reply to my earlier query about the integrity
>> and reliability of the code/developer of Mirage Firewall
>>
> 
> There is a reference in the docs to GSOC potential work: otherwise
> you'll find discussions here and in qubes-devel, and there's an open
> issue in qubes-issues.
> I have no view on the integrity of Thomas - don't know him. His
> contributions have been good and he's always seemed helpful and to know
> what he's talking about. 
> You can look at the code yourself and come to a view on that: it's
> pretty straightforward.
> https://github.com/talex5/qubes-mirage-firewall
> 
> I've done some testing, and the firewall works as expected, with no
> strange effects I could see.
Thank you for responding.
I think I'll pass on installing Mirage-Firewall. I'm a user and
regretfully not competent to review MF code. I had hoped that any
recommendation to install anything in Dom0 would have been first
thoroughly assessed by the qubes team. After all, if Dom0 is compromised
it's, as Joanna used to say, "game over"
