[Whonix-devel] Disposable VMs on Qubes 4.0

Marek Marczykowski-Górecki marmarek at invisiblethingslab.com
Sun Sep 10 15:28:15 CEST 2017


Hi,

Disposable VMs in Qubes 4.0 are much more flexible. The major difference
is the possibility to use different Disposable VM "templates" (which in
fact can be any AppVM) for different purposes (different services,
different calling VMs, etc.). All settings of a Disposable VM are inherited
from its "template", including the private image (IOW, it isn't required to
create a /home/user/.qubes-dispvm-customized file for that anymore).
These "all settings" also include netvm - it is no longer inherited from
the calling VM, but from the Disposable VM "template". But since it's possible
to create multiple such templates, it is possible to achieve the same
behavior.

What is used where is configured using qrexec policy.
I'm preparing the policy for Whonix-related VMs for Qubes 4.0. Here are
possible options I see:

1. Allow starting default Disposable VMs from both Whonix Gateway
(sys-whonix) and Whonix Workstation (anon-whonix or other). This is the
default (if you don't modify policy for Whonix), but it's a very bad
idea, since such a Disposable VM most likely will have access to clearnet
directly.

2. Prevent starting Disposable VMs from any of Whonix VMs. This is a safe
option, but it also limits functionality.

3. Allow creating Disposable VMs based on anon-whonix, then allow only
such DispVMs to be started from Whonix VMs.

3a. Similar, but create a separate anon-whonix-dvm for that. The major
difference is that DispVMs based on anon-whonix-dvm will not have access
to the private image of anon-whonix here.

Should the above be only about Whonix Workstation VM(s)? Whonix Gateway
has access to the clearnet anyway (at least in theory), so it's much
less important there.

What about templates?

I think the preferred option is point 3a, but it requires that Whonix-based
Disposable VMs work. OTOH, it should be much easier there, because in
Qubes 4.0 there are no more savefiles - DisposableVM is started the
same way as AppVM.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
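
Added example, not part of the original message and not Qubes or Whonix code: a simplified Python model of options 1, 2 and 3a that lists which Tor-routed callers could start a DispVM whose inherited netvm is not the Whonix Gateway. The tuple policy format, the `@tor` pattern, and the names `default-dvm`, `work` and `sys-firewall` are assumptions made for illustration; this is not real qrexec policy syntax.

```python
GATEWAY = "sys-whonix"

# Constructed VM inventory: name -> netvm. "default-dvm" is a hypothetical
# name for the system default DispVM template; "work" and "sys-firewall"
# are likewise assumed. The anon-whonix* names come from the message.
VMS = {
    "anon-whonix": GATEWAY,
    "anon-whonix-dvm": GATEWAY,
    "default-dvm": "sys-firewall",
    "work": "sys-firewall",
}
DVM_TEMPLATES = ["default-dvm", "anon-whonix-dvm"]


def matches(pattern, name):
    """'*' matches any VM, '@tor' any VM whose netvm is the gateway."""
    if pattern == "@tor":
        return VMS.get(name) == GATEWAY
    return pattern in ("*", name)


def decide(policy, source, template):
    """First matching (source, template, action) rule wins; default deny."""
    for src, tmpl, action in policy:
        if matches(src, source) and matches(tmpl, template):
            return action
    return "deny"


def clearnet_leaks(policy):
    """List (caller, template, netvm) where a Tor-routed caller may start a
    DispVM whose netvm, inherited from its template, is not the gateway."""
    return [
        (src, tmpl, VMS[tmpl])
        for src, netvm in VMS.items() if netvm == GATEWAY
        for tmpl in DVM_TEMPLATES
        if decide(policy, src, tmpl) == "allow" and VMS[tmpl] != GATEWAY
    ]


# The options from the message, expressed in the model's rule format.
OPTION_1 = [("*", "*", "allow")]
OPTION_2 = [("@tor", "*", "deny"), ("*", "*", "allow")]
OPTION_3A = [("@tor", "anon-whonix-dvm", "allow"),
             ("@tor", "*", "deny"), ("*", "*", "allow")]

if __name__ == "__main__":
    for name, policy in [("1", OPTION_1), ("2", OPTION_2), ("3a", OPTION_3A)]:
        print("option", name, "leaks:", clearnet_leaks(policy))
```

The model leaves out sys-whonix as a caller, since the message treats the gateway case as an open question.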

