Open zaoqi opened 4 years ago
Maybe it's possible to adapt Fedora Silverblue for that purpose.
At one point, the devs mentioned the possibility of having a "completely sealed" dom0 that users can't even directly interact with, so they've certainly considered this.
When comparing two root snapshots per

```shell
[user@dom0 ~]$ cat /lib/systemd/system-shutdown/root-autosnap
#!/bin/sh
# This permits wyng-backup to back up root-autosnap and root-autosnap-back, taken at each system shutdown, like any other QubesOS LVMs.
# This also permits restoring dom0 to different states from Heads and comparing dom0 between reboots.
# TODO: back up /boot content into an LVM and apply the same logic, corresponding to each dom0 snapshot
# https://github.com/tasket/wyng-backup/issues/63
# We delete the backup of the last shutdown snapshot (the shutdown before last)
/usr/sbin/lvremove --noudevsync --force -An qubes_dom0/root-autosnap-back || true
# We take a snapshot of root-autosnap into root-autosnap-back
/usr/sbin/lvcreate --noudevsync --ignoremonitoring -An -pr -s qubes_dom0/root-autosnap -n root-autosnap-back
# We remove root-autosnap
/usr/sbin/lvremove --noudevsync --force -An qubes_dom0/root-autosnap || true
# We create root-autosnap from root
/usr/sbin/lvcreate --noudevsync --ignoremonitoring -An -pr -s qubes_dom0/root -n root-autosnap
```
And then, when we compare the content of the filesystems, we see that:

It would need to be out of the root fs to be able to have a RO QubesOS dom0 with dm-verity.
Originally posted by @tlaurion in https://github.com/QubesOS/qubes-issues/issues/4371#issuecomment-761863958
**Describe the solution you'd like**
Make dom0 read-only. Build a customized read-only rootfs instead of using Fedora.

**Where is the value to a user, and who might that user be?**
Make QubesOS more secure.

**Relevant documentation you've consulted**
https://www.qubes-os.org/news/2020/03/18/gui-domain/

Because the GUI will be separated from dom0, users no longer need to modify the files of dom0.
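Added example (not code from this issue or from Qubes OS) of the comparison step the quoted comment refers to: mount the two snapshots that the shutdown script rotates read-only and list the files that differ between the last two shutdowns. It assumes the LV names from the script and mount points under /mnt.

```shell
#!/bin/sh
# Added example (not code from the issue or from Qubes OS): compare the two
# shutdown snapshots that the root-autosnap script rotates, to see what
# changed in dom0's root filesystem between the last two shutdowns.
set -eu

# Print one line per regular file that differs between two trees:
#   A <path>  only in the newer tree
#   D <path>  only in the older tree
#   M <path>  in both, but content differs
# Only file contents are compared; ownership and mode changes are not reported.
tree_diff() {
    old="$1"; new="$2"
    tmp=$(mktemp -d)
    ( cd "$old" && find . -type f | sort ) > "$tmp/old"
    ( cd "$new" && find . -type f | sort ) > "$tmp/new"
    comm -13 "$tmp/old" "$tmp/new" | sed 's/^/A /'
    comm -23 "$tmp/old" "$tmp/new" | sed 's/^/D /'
    comm -12 "$tmp/old" "$tmp/new" | while IFS= read -r f; do
        cmp -s "$old/$f" "$new/$f" || printf 'M %s\n' "$f"
    done
    rm -rf "$tmp"
}

# Mount both snapshots read-only (they were created with -pr) and diff them.
# LV names are those used in the shutdown script; the mount points under
# /mnt are an assumption of this example.
compare_dom0_snapshots() {
    vg=qubes_dom0
    old=/mnt/root-autosnap-back
    new=/mnt/root-autosnap
    mkdir -p "$old" "$new"
    mount -o ro "/dev/$vg/root-autosnap-back" "$old"
    mount -o ro "/dev/$vg/root-autosnap" "$new"
    tree_diff "$old" "$new"
    umount "$new"
    umount "$old"
}

# Run the dom0 comparison only when asked (e.g. ./compare-dom0 --run), so the
# functions can also be sourced and exercised on ordinary directories.
if [ "${1:-}" = "--run" ]; then
    compare_dom0_snapshots
fi
```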