> Hi all,
>
> Joanna Rutkowska has just published a new article titled "Qubes Air:
> Generalizing the Qubes Architecture." The article is available both on
> Joanna's blog:
>
> https://blog.invisiblethings.org/2018/01/22/qubes-air.html
>
> And on the Qubes website:
>
> https://www.qubes-os.org/news/2018/01/22/qubes-air/
I confess I found the writing a bit difficult to understand this time. I suggest adding some more example use cases. Consider the following use case -- is this what Joanna had in mind?

Suppose you are a journalist, and you have received a PDF document on a USB stick from an anonymous source. Given all the recent meltdown/rowhammer/spectre/xen debacles, you aren't thrilled about plugging the USB stick into your Qubes laptop. And even if you did plug it in, you wouldn't be thrilled about running the Qubes PDF converter on it either. So what do you do?

On the USB front, you might buy a Raspberry Pi, and plug the USB stick into that instead. You could then scp the PDF document from the Raspberry Pi onto the Qubes laptop. Qubes Air would make this easier by making the Raspberry Pi appear just like another USB VM (like sys-usb).

You could also do the PDF conversion on the same Raspberry Pi (specifically the half of the conversion that would normally run inside a disposable VM). Qubes Air would also make this work smoothly, as if the disposable VM were running on the Qubes laptop.

So, what are the security trade-offs?

First, this Raspberry Pi arrangement means that both steps are better isolated from the Qubes laptop. Previously, a successful attack on the sys-usb VM or the disposable VM could be escalated via Meltdown et al to take over the whole laptop. Now they can't.

Second, the Raspberry Pi has inferior isolation within itself (e.g. no IOMMU). This means that if the journalist re-uses the same Raspberry Pi for several different sources, those sources could interfere with each other. For instance, if source A is malicious, it could reprogram the Raspberry Pi to destroy all data from source B.

Are you hoping that Qubes Air could overcome this obstacle? For example, are you hoping that a dedicated Raspberry Pi just for disposable VMs would be able to isolate all disposable VMs from each other?
Kind regards,
Andrew