QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Make dom0 read-only #5777

Open zaoqi opened 4 years ago

zaoqi commented 4 years ago

Describe the solution you'd like: make dom0 read-only. Build a customized read-only rootfs instead of using Fedora.

Where is the value to a user, and who might that user be? Make QubesOS more secure.

Relevant documentation you've consulted: https://www.qubes-os.org/news/2020/03/18/gui-domain/

Because the GUI will be separated from dom0, users no longer need to modify the files of dom0

w1k1n9cc commented 4 years ago

Maybe it's possible to adapt Fedora Silverblue for that purpose.

andrewdavidwong commented 4 years ago

At one point, the devs mentioned the possibility of having a "completely sealed" dom0 that users can't even directly interact with, so they've certainly considered this.

tlaurion commented 1 year ago

When comparing two root snapshots per

[user@dom0 ~]$ cat /lib/systemd/system-shutdown/root-autosnap
#!/bin/sh

# This permits wyng-backup to back up root-autosnap and root-autosnap-back, taken at each system shutdown like any other Qubes OS LVM volume.
# This also permits restoring dom0 to different states from Heads and comparing dom0 between reboots.

# TODO: back up /boot content into an LVM volume and apply the same logic, corresponding to each dom0 snapshot
# https://github.com/tasket/wyng-backup/issues/63

# We delete the backup of the last shutdown snapshot (the snapshot from the shutdown before last)
/usr/sbin/lvremove --noudevsync --force -An qubes_dom0/root-autosnap-back || true
# We take a snapshot of root-autosnap into root-autosnap-back
/usr/sbin/lvcreate --noudevsync --ignoremonitoring -An -pr -s qubes_dom0/root-autosnap -n root-autosnap-back
# We remove root-autosnap
/usr/sbin/lvremove --noudevsync --force -An qubes_dom0/root-autosnap || true
# We create root-autosnap from root
/usr/sbin/lvcreate --noudevsync --ignoremonitoring -An -pr -s qubes_dom0/root -n root-autosnap

And then, when we compare the content of the two filesystems, we see that:

Would need to be out of root fs to be able to have a RO QubesOS dom0 with dmverity

Originally posted by @tlaurion in https://github.com/QubesOS/qubes-issues/issues/4371#issuecomment-761863958
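The comparison step that the shutdown script above enables, as an added example that is not code from this issue thread or from the Qubes OS project: once the two snapshots are mounted read-only, list the files that differ between the two boots and collapse that list to the top-level directories that changed. Anything that shows up is state that would have to live on a separate writable volume rather than on a dm-verity protected, read-only dom0 root. The mount points are hypothetical, and the functions assume file names without blanks; they only need two directory trees, so they can be tried on any pair of directories.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the Qubes OS project:
# compare two root snapshots (such as root-autosnap-back and root-autosnap from
# the shutdown script) once both are mounted read-only, and report which files
# and which top-level directories differ between the two boots.
#
# Assumption (hypothetical mount points): the snapshots are mounted read-only
# beforehand, e.g.
#   mount -o ro /dev/qubes_dom0/root-autosnap-back /mnt/root-autosnap-back
#   mount -o ro /dev/qubes_dom0/root-autosnap      /mnt/root-autosnap
# The functions only need two directory trees with blank-free file names.

LC_ALL=C
export LC_ALL

# Print "sha256  ./relative/path" for every regular file under $1, sorted by path.
tree_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# Report files added, removed or modified between tree $1 (older) and $2 (newer).
compare_trees() {
    tmp=$(mktemp -d)
    tree_manifest "$1" > "$tmp/old"
    tree_manifest "$2" > "$tmp/new"
    awk '{ print $2 }' "$tmp/old" > "$tmp/old.paths"
    awk '{ print $2 }' "$tmp/new" > "$tmp/new.paths"
    # Paths only in the newer tree, then paths only in the older tree.
    comm -13 "$tmp/old.paths" "$tmp/new.paths" | sed 's/^/added    /'
    comm -23 "$tmp/old.paths" "$tmp/new.paths" | sed 's/^/removed  /'
    # Paths in both trees whose content hash changed: join on the path field,
    # which yields "path old_hash new_hash" per line.
    join -1 2 -2 2 "$tmp/old" "$tmp/new" | awk '$2 != $3 { print "modified " $1 }'
    rm -rf "$tmp"
}

# Collapse the per-file report to the top-level directories that changed,
# i.e. the candidates for a separate writable volume outside the RO root.
changed_top_dirs() {
    compare_trees "$1" "$2" | awk '{ split($2, p, "/"); print p[2] }' | sort -u
}

# Usage: sh compare-snapshots.sh /mnt/root-autosnap-back /mnt/root-autosnap
if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
    printf '\nTop-level directories that changed:\n'
    changed_top_dirs "$1" "$2"
fi
```

Hashing every regular file rather than relying on mtimes is deliberate: the point of comparing snapshots across reboots is to catch any content change, including ones made with timestamps preserved. Running this after a few reboots with no administrative activity gives a baseline of which directories churn on their own (for example under /var) and which stay stable and could sit under dm-verity.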