[Whonix-devel] [qubes-devel] Disposable VMs on Qubes 4.0

Patrick Schleizer adrelanos at riseup.net
Mon Sep 11 19:20:00 CEST 2017


> 1. Allow starting default Disposable VMs from both Whonix Gateway
> (sys-whonix) and Whonix Workstation (anon-whonix or other). This is the
> default (if you don't modify policy for Whonix), but it's a very bad
> idea, since such a Disposable VM most likely will have access to clearnet
> directly.

True. There would have to be a rule "default NetVM for whonix-ws based
VMs AppVMs should always be a whonix-gw based ProxyVM". Doable?

That should be covered by 'Whonix default VM settings fixes - salt
management' - https://github.com/QubesOS/qubes-issues/issues/1954 -
which won't be available in time so we'll still need a solution 1-4 that
you suggested?

> 2. Prevent starting Disposable VMs from any of the Whonix VMs. This is a safe
> option, but it also limits functionality.

Yes, would be a very sad limitation of functionality.

> 3. Allow creating Disposable VMs based on anon-whonix, then allow only
> such DispVMs to be started from Whonix VMs.

Also quite limited in functionality.

> 3a. Similar, but create a separate anon-whonix-dvm for that. The major
> difference is that DispVMs based on anon-whonix-dvm will not have access
> to the private image of anon-whonix here.

If it's somehow possible, I'd like to avoid another template that needs
to be separately upgraded. (If that would be the case?)

> 3a. Similar, but create a separate anon-whonix-dvm for that. The major
> difference is that DispVMs based on anon-whonix-dvm will not have access
> to the private image of anon-whonix here.

Yes, not too bad.

> 3a. Similar, but create a separate anon-whonix-dvm for that. The major
> difference is that DispVMs based on anon-whonix-dvm will not have access
> to the private image of anon-whonix here.

Why not anon-whonix-disp being "simply" based on whonix-ws template? (I
guess it's not advisable for some reason?)

> 3a. Similar, but create a separate anon-whonix-dvm for that. The major
> difference is that DispVMs based on anon-whonix-dvm will not have access
> to the private image of anon-whonix here.

A Whonix DispVM having access to the private image of anon-whonix doesn't
seem good. As a user starting a DispVM to do some more risky action such
as opening a PDF and links from a PDF, I would expect that if that DispVM
gets compromised, it cannot access any other data.

> Should the above be only about Whonix Workstation VM(s)? Whonix Gateway
> has access to the clearnet anyway (at least in theory), so it's much
> less important there.

Yes.

On a related note, a disposable Whonix-Gateway gets us closer to feature
completion. A disposable Whonix-Gateway in combination with a disposable
Whonix-Workstation would be more "Tails-alike".

Then only - DispVMs: support for in-RAM execution only (for
anti-forensics) - https://github.com/QubesOS/qubes-issues/issues/904 -
would be missing on the Qubes side. Once #904 is implemented, it
would be hard to point out any missing Whonix features with respect to
amnesia.

> What about templates?

Starting the template as a DispVM? I wouldn't know what that would be
useful for except for testing. (Which sounds very useful for a
developer!)

> I think the preferred one is point 3a, but it requires that Whonix-based
> Disposable VMs work.

Is there any work left on the Whonix side to make them work as DisposableVMs?

> OTOH, it should be much easier there, because in
> Qubes 4.0 there are no more savefiles - a DisposableVM is started the
> same way as an AppVM.

Improved Whonix DispVM support should certainly not come before Qubes
4.0. Certainly not in R3.2 if you meant that.

Cheers,
Patrick


