On 8/26/19 6:27 PM, 799 wrote: > Hello > > David Hobach <trip...@hackingthe.net <mailto:trip...@hackingthe.net>> > schrieb am Mo., 26. Aug. 2019, 11:22: > > On 8/26/19 10:24 AM, panina wrote: > > Hi! > > > > This is not strictly Qubes-OS related, rather inspired by Qubes. > > > > I've been struggling with some parts of Qubes usage. Most of the time, > > it is overkill for me, and putting some strain on my computer. The > > bugginess is also quite annoying, whenever I just need to do some > > everyday work. > > I've been thinking I'd like some form of dual-boot solution, or > possibly > > a Live USB that could be used. > > Most of the time I work with ssh and webapps, so the only persistent > > data I need to work will fit on a smartcard. > > > > My thought is to have an installation that mounts most of the root > > partition as readonly, and uses ramdisks wherever the system wants to > > write (e.g /var/log). I'm also thinking it should be possible to get a > > fingerprint or somesuch of the root partition, and use my TPM2 to > check > > this. > > > > The system should also have a possibility to update itself, that I can > > choose to do in environments that I feel is safe. > > > > I am wondering if anyone knows of an OS that works like this? Or if > > anyone knows of tools that might accomplish parts of this? > > Ehm... You're describing Qubes OS with disposable VMs there? The > fingerprinting is essentially AEM? > > If you need to keep your data on an external disk (SDCard), you can use > either a manual approach with qvm-copy, permanently attach the disk > to a > single disposable VM with a fixed name or use an automated solution > such > as [1]. You might also want to look into qvm-pool. > > [1] https://github.com/3hhh/qcrypt > > > I don't know why people are complaining about the "bugginess" and that > it needs more performance. > > If you buy the right hardware you'll not run into lots of bugs and get > enough performance to run qubes. You can buy a Lenovo T530/430, W530, > X230 for not much money, add a SSD some RAM and you'll not run into > performance problems (normal use).
This is a view that I see quite a lot. It is a whole different discussion. Hence the re-subjecting. Firstly, this view completely lacks class analysis. Not everyone can afford to buy the newest shiny. A lot of us have to use whatever we can get our hands on. Whenever a secure OS is mentioned, Qubes is the go-to. Everyone comes here. The approach that you have to buy new, specific hardware to have a functioning OS means anyone poor, or in a country with a poor dollar exchange rate, is left behind. If Qubes was one of many options, this would cause less damage. But right now, there aren't many alternatives. So privacy and secure tech becomes an economic issue, a luxury. I firmly claim that basic privacy should be a human right. However, this is a completely different discussion. Furthermore, Qubes currently concentrates on Intel hardware. I do not in any way feel that this is a sane choice right now. I feel it would be rather stupid to buy new hardware right now that has Intel processors. Too many security issues, and new ones popping up all the time. So my second problem is: this approach would assume that I agree with every choice that the Qubes team does, which I don't. > > As David mentioned Qubes will do exactly what you need if you're using > disposable VMs. > Regarding the fingerprinting, you can use AEM (Anti Evil Maid) or write > your own script. > I tried something which will fingerprint all files in /boot and gpg sign > the signature which is then stored in the LUKS encrypted root partition. > > You can then free booting into Qubes check the current boot Partition > against the fingerprints. > https://github.com/one7two99/my-qubes/tree/master/docs/boot-protect > > Not sure if this is really secure, would be nice to have this checked by > someone who knows more about security. > > [799] > > -- > You received this message because you are subscribed to the Google > Groups "qubes-users" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to qubes-users+unsubscr...@googlegroups.com > <mailto:qubes-users+unsubscr...@googlegroups.com>. > To view this discussion on the web visit > https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vkPZAv4pTQzTn9_W%2Bp_yC5_ZtOz3rmdvi59on60u88Qw%40mail.gmail.com > <https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vkPZAv4pTQzTn9_W%2Bp_yC5_ZtOz3rmdvi59on60u88Qw%40mail.gmail.com?utm_medium=email&utm_source=footer>. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2a4270f6-a370-f535-cd2d-26ac09b2f1da%40nonbinary.me.
signature.asc
Description: OpenPGP digital signature
