Verified Commit f59a9dc2 authored by anarsec

Qubes hardware and other best practices

parent 74dbacec
......@@ -2,7 +2,7 @@
Built with [Zola](https://www.getzola.org/).
If you would like to suggest edits to a guide, get [in touch](https://www.anarsec.guide/contact/) or submit an issue or merge request here - whatever is your preference.
If you would like to suggest edits to a guide, you can either [contact us](https://www.anarsec.guide/contact/) or submit an issue/merge request on 0xacab - whatever is your preference.
We are also open to submitted guides - please get in touch with proposals.
......
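Review bot: the new README sentence mentions 0xacab without linking it, whereas the previous wording at least linked the contact page and the config.toml copy of the same paragraph links the repository. Suggest `submit an issue or merge request on [0xacab](https://0xacab.org/anarsec/anarsec.guide)` so both copies point at the same place, and keep "issue or merge request" rather than "issue/merge request" so the two paragraphs read identically.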
......@@ -25,7 +25,7 @@ paginate_by = 5
# Contribute
Anarsec encourages contributions! If you would like to suggest edits to a guide, get in touch with us, or submit an issue or merge request on [Riseup's Gitlab instance](https://0xacab.org/anarsec/anarsec.guide) - whatever is your preference.
Anarsec encourages contributions! If you would like to suggest edits to a guide, either use the contact information listed above, or submit an issue or merge request on [Riseup's Gitlab instance](https://0xacab.org/anarsec/anarsec.guide) - whatever is your preference.
We are also open to submitted guides - please get in touch with proposals.
......
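Review bot: "the contact information listed above" ties this paragraph to the page layout rather than to a link; if the Contribute block is ever rendered somewhere the contact details are not directly above it, the reference dangles. Suggest linking the contact page directly, `[contact us](https://www.anarsec.guide/contact/)`, as the README hunk in this same commit does.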
......@@ -34,6 +34,7 @@ At the risk of overwhelming you, here is an overview of how Qubes OS is structur
![Qubes Architecture](qubes-general.png)
For now, ignore the greyed-out sections of the diagram. Daily use of Qubes OS primarily involves interaction with two components:
* **App qubes**. There are three in this example. #1 is running the Debian operating system, #2 is running Fedora, and #3 is running Whonix. App qubes are where you run applications, store files, and do your work. You can have many isolated App qubes for different activities or purposes. Each App qube is like an entire self-contained operating system.
......@@ -49,7 +50,7 @@ A Disposable qube is a type of App qube that self-destructs when its originating
![Qubes Architecture](qubes-arch.png)
We now see the whole picture - two new components are introduced:
Two more components are necessary to complete the Qubes OS system:
* **Admin qube**. This is the small, isolated and trusted qube that manages the other qubes. It is very protected because if it's compromised, it's game over. It uses a technology called Xen as the hypervisor. It is also named dom0, which is a Xen naming convention. The Admin qube has no network connectivity and is only used for running the [desktop environment](https://en.wikipedia.org/wiki/Desktop_environment) and [window manager](https://en.wikipedia.org/wiki/Window_manager).
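Review bot: the replacement lead-in drops the callback to the diagram. The paragraph under the first image tells the reader to ignore the greyed-out sections "for now", and the old sentence ("We now see the whole picture") was what closed that loop. Suggest keeping a reference, for example "The greyed-out parts of the diagram are two more components needed to complete the Qubes OS system:".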
......@@ -81,16 +82,16 @@ And to use Tails:
* If the learning curve for Qubes OS is too steep
# Getting Started
Qubes OS runs ideally on a laptop with a solid-state drive (SSD, which is faster than a hard disk drive, or HDD) and 16GB of RAM. A [hardware compatibility list](https://www.qubes-os.org/hcl/) is maintained where you can see if a specific laptop model will work. If you want to [install HEADS open-source firmware](/posts/qubes-best/#heads-open-source-firmware) it has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep this in mind when you're buying your laptop—we recommend the ThinkPad X230 because the install is less involved than for other models. The X230 is also the only laptop model that is developer-tested, and is easily found in refurbished computer stores for around $200 USD. See the [community-recommended computers](https://forum.qubes-os.org/t/5560) list for several other options.
Qubes OS runs ideally on a laptop with a solid-state drive (SSD, which is faster than a hard disk drive, or HDD) and 16GB of RAM. A [hardware compatibility list](https://www.qubes-os.org/hcl/) is maintained where you can see if a specific laptop model will work. If you want to [install HEADS open-source firmware](/posts/qubes-best/#heads-open-source-firmware) it has [limited compatibility](https://osresearch.net/Prerequisites#supported-devices), so keep this in mind when you're buying your laptop—we recommend the ThinkPad X230 because the install is less involved than for other models. The X230 is also the only laptop model that is developer-tested, and is easily found in refurbished computer stores for around $200 USD. See the [community-recommended computers](https://forum.qubes-os.org/t/5560) list for several other options, and [Best Practices](#hardware-security) for further discussion of hardware security.
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you up and running. If using the [command line](/glossary/#command-line-interface-cli) is above your head, ask a friend to walk you though it, or first learn command line basics and GPG (required during the [verification stage](https://www.qubes-os.org/security/verifying-signatures/)) with [Linux Essentials](/posts/linux/).
The [installation guide](https://www.qubes-os.org/doc/installation-guide/) will get you up and running. Do not set up dual boot - an other OS could be used to compromise Qubes OS. If using the [command line](/glossary/#command-line-interface-cli) is above your head, ask a friend to walk you though it, or first learn command line basics and GPG (required during the [verification stage](https://www.qubes-os.org/security/verifying-signatures/)) with [Linux Essentials](/posts/linux/).
In the post-installation:
* Tick the checkmark for Whonix qubes, as well as for updates to happen over Tor.
* The post-installation gives the option of installing exclusively Debian or Fedora Templates (instead of both), as well as using the Debian Template for all sys qubes (the default is Fedora). Whether you opt to use Debian or Fedora for qubes that don't require Tor is your decision. Privacy Guides [makes the argument](https://www.privacyguides.org/os/linux-overview/#choosing-your-distribution) that the Fedora software model (semi-rolling release) is more secure than the Debian software model (frozen), yet also recommends [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure) (which is based on Debian). See [Best Practices](#best-practices) for further discussion of this configuration choice.
* The post-installation gives the option of installing exclusively Debian or Fedora Templates (instead of both), as well as using the Debian Template for all sys qubes (the default is Fedora). Whether you opt to use Debian or Fedora for qubes that don't require Tor is your decision. Privacy Guides [makes the argument](https://www.privacyguides.org/os/linux-overview/#choosing-your-distribution) that the Fedora software model (semi-rolling release) is more secure than the Debian software model (frozen), yet also recommends [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure) (which is based on Debian). See [Best Practices](#post-installation-decisions) for further discussion of this configuration choice.
* Make sys-net disposable if you will be using an Ethernet connection (or don't mind entering the Wi-Fi password upon boot).
* Make sys-net disposable. If you will be using Wi-Fi instead of Ethernet, you will need to enter the Wi-Fi password again upon boot.
The [Getting Started](https://www.qubes-os.org/doc/getting-started/) document is a good overview of most of what you need to know to begin. The [Qubes documentation](https://www.qubes-os.org/doc/) is very thorough, but difficult to orient to for a new user. We'll cover some basics here that aren't already mentioned in the Getting Started link.
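Review bot: the new dual-boot sentence reads "an other OS"; it should be "another OS". Since this is the one new security statement in the hunk, a short reason would make the rule stick: the other operating system has write access to the same disk and boot partition, so it can tamper with the Qubes bootloader before Qubes ever runs. Also, the pre-existing "walk you though it" (through) survives in both versions of that line and could be fixed while it is being touched. The changed anchor (`#post-installation-decisions`) and the new `#hardware-security` link both match headings added later in this commit, so those resolve.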
......@@ -227,7 +228,7 @@ If your file is opening in a different application than what you require, you'll
For PDF files, right-clicking will also give the option **Convert To Trusted PDF**. This will sanitize the PDF file so that it can go from being untrusted to trusted. This is achieved by it being converted into images in a disposable, and cleaning the metadata.
Particular types of files in an App qube can be set to be opened in a disposable by default. For example, if I always want to open PDF files in a disposable, I would implement [this guide](https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674), and only include the line `application/pdf=open-in-dvm.desktop;` in `.local/share/applications/mimeapps.list`. This is not failsafe as some files may end in `.pdf` but in reality be something else, which is where the guide's approach of opening all files in a disposable is useful.
Particular types of files in an App qube can be set to be opened in a disposable by default. However, if I set PDF files to always open in a disposable, this is not failsafe - some files may end in `.pdf` but in reality be something else. [This guide](https://forum.qubes-os.org/t/opening-all-files-in-disposable-qube/4674) sets all file types to open in a disposable to mitigate this possibility. If you'd nonetheless like to open only PDF files in a disposable, right-click a PDF and select **Open With Other Application > qvm-open-in-dvm**.
# How to Use Devices (like USBs)
To learn how to attach devices, we will format the empty USB or hard drive you will be using for backups. The USB will be attached to an offline disposable to mitigate against [BadUSB attacks](https://en.wikipedia.org/wiki/BadUSB).
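Review bot: the first sentence still promises that file types can be set to open in a disposable "by default", but the replacement instructions only describe a one-off right-click (Open With Other Application > qvm-open-in-dvm), and the removed `application/pdf=open-in-dvm.desktop;` line in `.local/share/applications/mimeapps.list` was the only thing on the page that actually set a default. Either restore that line as the way to make the per-type default, or reword the opening sentence to match the one-off action. It would also help to say why the PDF-only approach is not failsafe: the association is keyed on the extension/MIME type, so a misidentified file is simply not routed to the disposable, which is exactly why the linked guide routes every file type.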
......@@ -311,6 +312,8 @@ There is a lot more flexibility in how you configure Qubes OS than Tails, but mo
* Open attachments in a qube that is disposable and offline.
* Open links in a Whonix qube that is disposable.
#### Post-installation Decisions
During the [post-installation of Qubes OS](#getting-started), you have the option of installing exclusively Debian or Fedora Templates (instead of both). You also have the option of using the Debian Template for all sys qubes (the default is Fedora). Our recommendation is to install only Debian Templates, and to convert them to [Kicksecure](https://www.privacyguides.org/en/os/linux-overview/#kicksecure). This way, every App qube on your system will either be Whonix or Kicksecure - Kicksecure is significantly more [hardened](/glossary#hardening) than either Debian or Fedora.
Kicksecure is not currently [available as a Template](https://www.kicksecure.com/wiki/Qubes#Template). To get the Kicksecure Template you will clone the Debian Template - follow the [Kicksecure docs for distribution morphing on Qubes OS](https://www.kicksecure.com/wiki/Qubes#Distribution_Morphing). App qubes that require Internet access without Tor can now use the Kicksecure template instead of the Debian Template. We recommend to use disposable qubes whenever possible when connecting to the Internet. To create a Kicksecure disposable:
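Review bot: "We recommend to use disposable qubes" should be "We recommend using disposable qubes". The glossary link is `/glossary#hardening` here but `/glossary/#command-line-interface-cli` elsewhere on the page; use one form so both anchors resolve under the same routing. "Kicksecure is not currently available as a Template" is a dated claim; an "As of <month year>" would tell the reader when to re-check the linked Kicksecure page. Finally, "every App qube on your system will either be Whonix or Kicksecure" only holds if no App qube keeps using the Debian Template after it has been cloned and morphed; worth saying that the Debian Template stays around only as the clone source.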
......@@ -325,5 +328,31 @@ Kicksecure is not currently [available as a Template](https://www.kicksecure.com
Kicksecure is [considered untested](https://www.kicksecure.com/wiki/Qubes#Service_VMs) for sys qubes. If during the Qubes OS installation, you set all sys qubes to use the Debian Template, and set sys qubes to be disposable, the Template for `sys-net`, `sys-firewall`, and `sys-usb` will be `debian-11-dvm`. If you want to use disposable Kicksecure for sys qubes:
* Set `sys-net`, `sys-firewall`, and `sys-usb` to use the `kicksecure-16-dvm` Template.
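Review bot: the paragraph says Kicksecure is "considered untested" for sys qubes and then walks the reader into doing it anyway, without stating the trade-off. An untested template in `sys-net` or `sys-usb` means a breakage takes networking or USB input with it at boot, so the bullet should name the fallback (switching those qubes back to `debian-11-dvm`). Also, `kicksecure-16-dvm` assumes the disposable template was created with exactly that name in the earlier steps, and both `debian-11-dvm` and `kicksecure-16-dvm` hard-code release numbers that will drift; say the name must match whatever was created, or use a placeholder.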
#### Hardware Security
Hardware security is a nuanced subject, with three prominent factors at play for a Qubes OS computer:
* **Root of trust**: A secure element to store secrets that can be used as a root of trust during the boot process.
* **Blobs:** Newer hardware comes with [binary blobs](https://en.wikipedia.org/wiki/Binary_blob) which require trusting corporations to do the right thing, while some older hardware is available without binary blobs.
* **Microcode updates**: Newer hardware gets microcode updates to the CPU which (ideally) address security vulnerabilities as they are discovered, while older hardware doesn't after it is considered End Of Life. The [Heads threat model page](https://osresearch.net/Heads-threat-model/#binary-blobs-microcode-updates-and-transient-execution-vulnerabilities) explains why CPU vulnerabilities matter:
>"With the disclosure of the Spectre and Meltdown vulnerabilities in January 2018, it became apparent that most processors manufactured since the late 1990s can potentially be compromised by attacks made possible because of [transient execution CPU vulnerabilities](https://en.wikipedia.org/wiki/Transient_execution_CPU_vulnerability). [...] Future not-yet-identified vulnerabilities of this kind is likely. For users of Qubes OS, this class of vulnerabilities can additionally compromise the enforced isolation of virtual machines, and it is prudent to take the risks associated with these vulnerabilities into account when deciding on a platform on which to run Heads and Qubes OS."
Of the [community-recommended computers](https://forum.qubes-os.org/t/5560), the **ThinkPad X230** and the **ThinkPad T430** strike a relatively unique balance, because they both use the [Ivy generation](https://en.wikipedia.org/wiki/Ivy_Bridge_(microarchitecture)) of CPUs and they are both compatible with Heads:
* **Root of trust**: Heads uses the [Trusted Platform Module (TPM)](https://tech.michaelaltfield.net/2023/02/16/evil-maid-heads-pureboot/#tpm) to store secrets during the boot process - the Thinkpad X230 and T430 have TPM v1.1.
* **Blobs**: No binary blobs are present on these models after Heads is installed, with the exception of the Intel Management Engine (which can be "neutered") and the ethernet blob (which can be generated).
* **Microcode updates**: Spectre and Meltdown [are mitigated by microcode updates for this CPU generation](https://forum.qubes-os.org/t/secure-hardware-for-qubes/19238/52) which are [installed by default on Qubes OS](https://www.whonix.org/wiki/Spectre_Meltdown#Qubes_2). Newer hardware uses CPUs with other extensions that are vulnerable to new attack vectors - the Ivy generation is unimpacted by these.
Qubes OS also applies proper software mitigation to this class of attacks at the level of the hypervisor, including [disabling HyperThreading](https://www.qubes-os.org/news/2018/09/02/qsb-43/).
#### OPSEC for Memory Use
To address "future not-yet-identified vulnerabilities of this kind" on older hardware that is no longer receiving microcode updates, the OPSEC suggestion is to limit the presence of secrets in memory that could result in leaks. Every qube that is running is using memory, and a compromised qube could use such vulnerabilities to read from the memory of other qubes. Disposables will be reset after being shutdown, so we can assume that their compromise would likely be transient. Perform sensitive operations in qubes with no networking, and shutdown secure qubes when not in use. Pay attention to which qubes are running simultaneously:
* [vault qube](#how-to-organize-your-qubes): Do not run with an unlocked KeePassXC database at the same time as a highly-untrusted qube.
* sys-usb: Disposable. Only run when needed, and shutdown when finished.
* sys-net: Disposable. Only run when needed, and shutdown when finished. Shutdown when performing sensitive operations in other qubes, as far as possible. Restart before activities which require sys-net (i.e. email, ssh sessions, etc.).
#### Remove Passwordless Root
By default, Qubes OS does not require a password for root permissions (in other words, you can run a command with `sudo` without a password). The [docs](https://www.qubes-os.org/doc/vm-sudo/) explain the rationale for this decision. In alignment with the security principle of defense-in-depth, we recommend enabling a password for root permissions. Forcing an adversary to successfully execute privilege escalation can be a mitigating factor, considering the hardening of Kicksecure/Whonix Templates as well as the limited time window provided by disposables.
If you are comfortable with the command line, follow the [docs](https://www.qubes-os.org/doc/vm-sudo/#replacing-passwordless-root-access-with-dom0-user-prompt) for replacing passwordless root access with a Dom0 user prompt in Debian/Whonix/Kicksecure Templates.
# Wrapping Up
The documentation has several [troubleshooting entries](https://www.qubes-os.org/doc/#troubleshooting), and the [forum](https://forum.qubes-os.org/) is generally very helpful. We recommend starting to use Qubes OS gradually, where you can progressively do tasks on Qubes OS instead of your previous operating system, because trying to learn everything at once may be overwhelming.
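Review bot: "the Ivy generation is unimpacted by these" is an absolute claim that sits three lines below a quote saying future vulnerabilities of this class are likely; narrow it to the specific CPU extensions the linked forum thread discusses and cite that, or soften it to "has not been shown to be affected". The TPM version sentence links a general TPM explainer rather than a source for the version, so please double-check "TPM v1.1" against the Heads hardware page before this ships. In the OPSEC section, "their compromise would likely be transient" deserves a caveat: a disposable resets on shutdown, but the CPU vulnerabilities this section is about are precisely the kind that could reach memory outside the disposable, so the transience argument only covers an attacker who stays inside it. Style nits in the same hunk: "Thinkpad" vs "ThinkPad" and "ethernet" vs "Ethernet" (the Getting Started hunk uses "Ethernet"); "shutdown" is used as a verb five times where "shut down" is meant ("after being shutdown", "shutdown secure qubes", "shutdown when finished" twice, "Shutdown when performing"); "(i.e. email, ssh sessions, etc.)" should be "e.g."; and the quoted "vulnerabilities of this kind is likely" is the source's grammar, so mark it [sic] or trim the quote rather than silently fix it. The "Remove Passwordless Root" heading slightly overstates what the body does, which is replacing passwordless root with a dom0 prompt, as the docs link title says.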
content/posts/qubes/qubes-arch.png: binary image replaced (135 KiB → 136 KiB)
content/posts/qubes/qubes-general.png: binary image replaced (86.3 KiB → 141 KiB)