Closed 3hhh closed 4 years ago
besides snapshots is also not entirely true as at least the private snapshots should always go to the foo
pool.
Ran into this a while back. Think it has to do with there being no config for the volatile pool in the disposable VM on creation, so it falls back on global preferences.
My hacky workaround (in personal scripts) has been to temporarily change the global pool defaults before disposable VM startup, then switch it back, which is just ugh.
I’m sure there have been a lot of users starting VMs out of secondary “more secure” pools not realizing data was being leaked to their “less secure” primary pool.
B
This is because -P
switch applies only to the VM you create. tvm
has volatile volume created in the pool pointed there. But DisposableVM out of it is created separately (implicitly with qvm-run --dispvm
here), and -P
is not set at that time.
This is similar to normal template-based VM:
qvm-create -C TemplateVM -P pool-name template-name
- create template with volumes in pool-name
(in this case all of them)qvm-create -t template-name appvm-name
- create volumes in default pool (with exception to root, which needs to be in the same pool as template)I agree this is confusing behavior in case of DispVM specifically, as one would expect many more setting copied from DisposableVM Template, than in normal AppVM case.
I agree this is confusing behavior in case of DispVM specifically, as one would expect many more setting copied from DisposableVM Template, than in normal AppVM case
In particular, if a user has a disposable VM template housed in a secondary pool and starts a disposable VM based on it, the user will be very surprised to discover that some data from that disposable VM is written to the primary pool.
Pardon my ignorance, but why would there be any security implications here? I was under the impression that qube-level compartmentalization is at some level of abstraction above storage pools. In other words, qubes (including DisposableVMs), shouldn't "know" or "care" which underlying storage pools they're using, right?
This is related to anti-forensics. You may want to configure your system so that some sensitive data lives entirely in a separate storage pool (perhaps separate disk you connect only for those cases). It should be also possible to configure DisposableVMs this way by adjusting appropriate DisposableVM Template. Currently it isn't possible for DisposableVMs created other than with qvm-create
(aka named DisposableVM) - for example by starting an app from the "Disposable: ..." menu, or qvm-run --dispvm
or even qvm-open-in-dvm
- those will use always default storage pool for volatile volume.
Thanks for the explanation! That makes sense. However, I'd think that all the data would be encrypted on disk anyway. Are there use cases in which it wouldn't be or in which that wouldn't be sufficient?
Yes, see https://github.com/QubesOS/qubes-issues/issues/904. TL;DR: it's for the cases when the attacker gets access to unencrypted disk (for example by forcing you to reveal the key, or taking your laptop when it's unlocked).
Automated announcement from builder-github
The package qubes-core-dom0-4.1.14-1.fc32
has been pushed to the r4.1
testing repository for dom0.
To test this update, please install it with the following command:
sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing
Automated announcement from builder-github
The package qubes-core-dom0-4.0.53-1.fc25
has been pushed to the r4.0
testing repository for dom0.
To test this update, please install it with the following command:
sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing
Automated announcement from builder-github
The package qubes-core-dom0-4.0.55-1.fc25
has been pushed to the r4.0
stable repository for dom0.
To install this update, please use the standard update command:
sudo qubes-dom0-update
Or update dom0 via Qubes Manager.
Thanks y’all, I think I can now take out a somewhat gnarly temporary change of default pool in some of my scripts! :)
Qubes OS version 4.0 current-testing
Affected component(s) or functionality
qvm-create
Brief summary Disposable VM's
volatile
volumes are created on the pool of their root parent, not on the pool of their direct parent.To Reproduce
Expected behavior
(volatile is on the foo pool)
Actual behavior
(volatile is on the default pool)
Additional context This was originally reported at https://github.com/QubesOS/qubes-issues/issues/904#issuecomment-508295453
Relevant documentation you've consulted
man qvm-pool
claims that " -P POOL Pool to use for the new domain. All volumes besides snapshots volumes are imported in to the specified POOL. THIS IS WHAT YOU WANT TO USE NORMALLY " Apparently this is not always true.@marmarek said that
--pool volatile=
may work in https://github.com/QubesOS/qubes-issues/issues/1527#issuecomment-500252390 but the-P
behaviour is unexpected and not according to doc anyway.Related, non-duplicate issues https://github.com/QubesOS/qubes-issues/issues/904#issuecomment-508295453 https://github.com/QubesOS/qubes-issues/issues/1527#issuecomment-500252390