Re: [qubes-devel] split-gpg keeps asking for target VM when it shouldn't need to

2017-11-23 Thread Elias Mårtenson
On Friday, 24 November 2017 15:05:27 UTC+8, Jean-Philippe Ouellet wrote:
 

> ...but surely not *all* of them able to perform any operation they
> want on any data they want using any key they want as soon as you 
> authorize it once for any VM! (by default the agent authorizes any use 
> of the keyring for 300 seconds(?) after first use) 
>

Yes, 300 seconds is the default. And it's only authorised for a given VM.
Trying to sign from another VM will present the popup again.

As long as I don't accept the GPG warning popup unless I know it's OK, I
don't see this as an issue. Also, every signing request during these 300
seconds will display a notification, which will quickly reveal if there
are any strange things happening (and, again, I'd need to manually
authorise the first access anyway).
 

> Was there some documentation you got this from? If so, please do point 
> me to it so I can correct it ASAP. 
>

When I initially did this for 3.2, I followed the official documentation
on this, which gave me a configuration identical to what I managed to set
up with 4.0 now:
https://www.qubes-os.org/doc/split-gpg/

There are no mentions of limiting access to specific VMs, and the
following statement seems pretty reasonable to me:

*“With Qubes Split GPG this problem is drastically minimized, because
each time the key is to be used the user is asked for consent (with a
definable time out, 5 minutes by default), plus is always notified each
time the key is used via a tray notification from the domain where GPG
backend is running. This way it would be easy to spot unexpected
requests to decrypt documents.”*

The attack scenario you describe just doesn't seem as serious to me as it
does to you. This scenario would involve a rogue application calling
qubes-gpg-client to attempt to sign some data, and somehow managing to
trick me into accepting the request.

Regards,
Elias

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-devel+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-devel@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/da229360-96f6-44d1-9e3e-2e2fd9579c4b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-devel] split-gpg keeps asking for target VM when it shouldn't need to

2017-11-23 Thread Jean-Philippe Ouellet
On Fri, Nov 24, 2017 at 1:50 AM, Elias Mårtenson  wrote:
> On Friday, 24 November 2017 14:46:47 UTC+8, Elias Mårtenson wrote:
>>
>> On Friday, 24 November 2017 14:39:26 UTC+8, Jean-Philippe Ouellet wrote:
>>
>>>
>>> Use a specific source vm in the first field, not $anyvm, otherwise you
>>> may actually be better off without split-gpg entirely depending on
>>> your threat model.
>>
>>
>> I still get the notification asking me to allow the signing. With the
>> line added, the behaviour seems to be identical to what I had in 3.2.
>
>
> I do agree with you in the general case, that locking things is better
> than not locking them. In this particular case, however, I want almost
> all my VMs to be able to sign at one point or the other.

...but surely not *all* of them able to perform any operation they
want on any data they want using any key they want as soon as you
authorize it once for any VM! (by default the agent authorizes any use
of the keyring for 300 seconds(?) after first use)

> And this behaviour was deemed acceptable
> in 3.2, so I don't really see how my solution can be seen as being overly
> bad?

No, I can assure you it was not acceptable in 3.2 either. The only
legitimate use I can think of is perhaps if you only have public keys
in that VM and used it as some kind of poor-mans key-distribution
system... but even that is a stretch.

Was there some documentation you got this from? If so, please do point
me to it so I can correct it ASAP.

Regards,
Jean-Philippe

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/CABQWM_Dj83RM8E3dg8n_pMOfM9jv1p7i1s3tUcear4xjrV8GLQ%40mail.gmail.com.


Re: [qubes-devel] split-gpg keeps asking for target VM when it shouldn't need to

2017-11-23 Thread Elias Mårtenson
On Friday, 24 November 2017 14:46:47 UTC+8, Elias Mårtenson wrote:
>
> On Friday, 24 November 2017 14:39:26 UTC+8, Jean-Philippe Ouellet wrote:
>  
>
>> Use a specific source vm in the first field, not $anyvm, otherwise you 
>> may actually be better off without split-gpg entirely depending on 
>> your threat model.
>
>
> I still get the notification asking me to allow the signing. With the
> line added, the behaviour seems to be identical to what I had in 3.2.
>

I do agree with you in the general case, that locking things is better
than not locking them. In this particular case, however, I want almost
all my VMs to be able to sign at one point or the other. And this
behaviour was deemed acceptable in 3.2, so I don't really see how my
solution can be seen as being overly bad?

Regards,
Elias

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/240c288e-17bd-4e1d-96fa-38c67c7b701f%40googlegroups.com.


Re: [qubes-devel] split-gpg keeps asking for target VM when it shouldn't need to

2017-11-23 Thread Elias Mårtenson
On Friday, 24 November 2017 14:39:26 UTC+8, Jean-Philippe Ouellet wrote:
 

> No! I would very strongly recommend against that! 
>
> That allows any VM (including entirely untrusted ones, like sys-net, 
> DispVMs with who knows what, etc.) to sign & decrypt stuff with your 
> keys! 
>
> Use a specific source vm in the first field, not $anyvm, otherwise you 
> may actually be better off without split-gpg entirely depending on 
> your threat model.


I still get the notification asking me to allow the signing. With the
line added, the behaviour seems to be identical to what I had in 3.2.

Regards,
Elias

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/0655c425-c010-4eb3-9aa7-93e849c6b464%40googlegroups.com.


Re: [qubes-devel] split-gpg keeps asking for target VM when it shouldn't need to

2017-11-23 Thread Jean-Philippe Ouellet
On Fri, Nov 24, 2017 at 1:35 AM, Elias Mårtenson  wrote:
> On Friday, 24 November 2017 12:10:06 UTC+8, Jean-Philippe Ouellet wrote:
>
>>
>> Explicitly allowing it in policy e.g.
>> some-vm some-vm-keys allow
>> in /etc/qubes-rpc/policy/qubes.Gpg will stop asking for confirmation each
>> time.
>
>
> Thank you.
>
> Adding “$anyvm private-gpg allow” to the file fixed the problem.

No! I would very strongly recommend against that!

That allows any VM (including entirely untrusted ones, like sys-net,
DispVMs with who knows what, etc.) to sign & decrypt stuff with your
keys!

Use a specific source vm in the first field, not $anyvm, otherwise you
may actually be better off without split-gpg entirely depending on
your threat model.

Regards,
Jean-Philippe

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/CABQWM_BmAdN2%2BwhP9%3DYZT%3Dwekm4%3Dj00A4U%3D69jvy3TXDib3LiQ%40mail.gmail.com.


Re: [qubes-devel] split-gpg keeps asking for target VM when it shouldn't need to

2017-11-23 Thread Elias Mårtenson
On Friday, 24 November 2017 12:10:06 UTC+8, Jean-Philippe Ouellet wrote:
 

> Explicitly allowing it in policy e.g. 
> some-vm some-vm-keys allow
> in /etc/qubes-rpc/policy/qubes.Gpg will stop asking for confirmation each 
> time.


Thank you.

Adding “$anyvm private-gpg allow” to the file fixed the problem.

Regards,
Elias 

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/7dd26f51-9947-4f7d-aa52-a18a748ae36b%40googlegroups.com.


Re: [qubes-devel] split-gpg keeps asking for target VM when it shouldn't need to

2017-11-23 Thread Jean-Philippe Ouellet
On Thu, Nov 23, 2017 at 11:09 PM, Jean-Philippe Ouellet  wrote:
> On Thu, Nov 23, 2017 at 10:47 PM, Elias Mårtenson  wrote:
>> I'm using split-gpg, and I end up using it a lot since I sign my git
>> commits using it.
>>
>> Since upgrading to 4.0rc2, I have noticed that every time a VM wants to
>> call out to the GPG VM, a dialog box is shown asking me for the target
>> VM. At this point I need to click on the menu and manually choose the
>> GPG VM, even though the name of that VM is already specified in the
>> QUBES_GPG_DOMAIN environment variable.
>>
>> Is this a bug?
>
> It's an effect of https://github.com/QubesOS/qubes-issues/issues/910
>
> Explicitly allowing it in policy e.g.
> some-vm some-vm-keys allow
> in /etc/qubes-rpc/policy/qubes.Gpg will stop asking for confirmation each 
> time.
>
> Technically QUBES_GPG_DOMAIN isn't required anymore if each VM only
> has at most one corresponding split-gpg VM, as you could configure the
> target with:
> some-vm $anyvm allow,target=some-vm-keys

Perhaps this is an indication that the dialog should have an
additional "remember this target and allow future requests" (or
similar) option.

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/CABQWM_AEuQw4xhoVsL42gViFZgMt-j99JWEajk5iNJxn2PTs9A%40mail.gmail.com.


Re: [qubes-devel] split-gpg keeps asking for target VM when it shouldn't need to

2017-11-23 Thread Jean-Philippe Ouellet
On Thu, Nov 23, 2017 at 10:47 PM, Elias Mårtenson  wrote:
> I'm using split-gpg, and I end up using it a lot since I sign my git
> commits using it.
>
> Since upgrading to 4.0rc2, I have noticed that every time a VM wants to
> call out to the GPG VM, a dialog box is shown asking me for the target
> VM. At this point I need to click on the menu and manually choose the
> GPG VM, even though the name of that VM is already specified in the
> QUBES_GPG_DOMAIN environment variable.
>
> Is this a bug?

It's an effect of https://github.com/QubesOS/qubes-issues/issues/910

Explicitly allowing it in policy e.g.
some-vm some-vm-keys allow
in /etc/qubes-rpc/policy/qubes.Gpg will stop asking for confirmation each time.

Technically QUBES_GPG_DOMAIN isn't required anymore if each VM only
has at most one corresponding split-gpg VM, as you could configure the
target with:
some-vm $anyvm allow,target=some-vm-keys

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/CABQWM_C2gqWPA9_4sQFdOhFz1G4FEO2F6Qc_Mj_D5o_kOvUSxA%40mail.gmail.com.
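Worked model of the policy lines quoted in the message above and of the "$anyvm private-gpg allow" line debated further up the thread. This is an added example, not Qubes OS code and not anything from the split-gpg project. It evaluates a qubes.Gpg policy in the R4.0-era format shown above (source, target, action, optional ",option=value"; first matching line wins; $anyvm and $tag: source tokens; a target= override) and separately models the GPG backend qube's own consent prompt, which split-gpg remembers per source qube for QUBES_GPG_AUTOACCEPT seconds (300 by default). Keeping the two layers apart is the point: a policy "allow" only removes the dom0 prompt, so a qube admitted by $anyvm still hits the backend's first-use prompt, while the policy line decides which qubes get that far at all. The qube names (work, work-keys, private-gpg, sys-net, disp1234), their tags and the trailing "$anyvm $anyvm ask" catch-all are assumptions made for illustration.

```python
"""Toy model of the two layers a split-gpg call passes through under R4.0:
the dom0 policy file /etc/qubes-rpc/policy/qubes.Gpg (lines of the form
"<source> <target> <action>[,option=value]", first match wins) and the
GPG backend qube's own consent prompt, remembered per source qube for
QUBES_GPG_AUTOACCEPT seconds (300 by default). Added example, not Qubes
code; qube names, tags and the trailing "$anyvm $anyvm ask" are assumed."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed inventory of qubes and their tags (assumed names).
VMS = {
    "work": {"trusted"},
    "sys-net": {"untrusted"},
    "disp1234": {"dispvm", "untrusted"},
    "private-gpg": set(),
    "work-keys": set(),
}
AUTOACCEPT = 300  # seconds; split-gpg's QUBES_GPG_AUTOACCEPT default


@dataclass
class Decision:
    action: str            # "allow", "ask" or "deny"
    target: Optional[str]  # effective backend qube after any target= override
    rule: str              # policy line that decided it, for auditing


def _lines(policy: str):
    for raw in policy.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def _match_source(token: str, src: str) -> bool:
    if token == "$anyvm":
        return True
    if token.startswith("$tag:"):
        return token[len("$tag:"):] in VMS.get(src, set())
    return token == src


def evaluate(policy: str, src: str, dst: str) -> Decision:
    """Policy layer only. `dst` is what the client asked for (the value of
    QUBES_GPG_DOMAIN, or "$default" when it named no target)."""
    for line in _lines(policy):
        s, d, rest = line.split(None, 2)
        if not (_match_source(s, src) and d in ("$anyvm", dst)):
            continue
        action, _, opts = rest.partition(",")
        target = dst
        for opt in filter(None, opts.split(",")):
            key, _, value = opt.partition("=")
            if key == "target":  # policy overrides the client's choice
                target = value
        return Decision(action, None if action == "deny" else target, line)
    return Decision("deny", None, "<no matching line: implicit deny>")


def overly_broad_allows(policy: str) -> List[str]:
    """Lint: 'allow' lines with a $anyvm source let every qube, sys-net and
    DispVMs included, reach the key backend without the dom0 prompt."""
    bad = []
    for line in _lines(policy):
        s, _, rest = line.split(None, 2)
        if s == "$anyvm" and rest.partition(",")[0] == "allow":
            bad.append(line)
    return bad


class GpgBackend:
    """Backend layer: the first request from a source qube prompts the user;
    later requests from that qube within AUTOACCEPT seconds pass silently
    (split-gpg still shows a tray notification for each of them)."""

    def __init__(self) -> None:
        self.granted_at = {}  # source qube -> time of last explicit consent

    def request(self, src: str, now: float, user_consents: bool = True) -> str:
        last = self.granted_at.get(src)
        if last is not None and now - last < AUTOACCEPT:
            return "auto-accepted"
        if not user_consents:
            return "refused"
        self.granted_at[src] = now
        return "prompted-and-accepted"


# The line from the thread, followed by the assumed catch-all default.
ANYVM_POLICY = "$anyvm private-gpg allow\n$anyvm $anyvm ask\n"
# One named source qube per allow line, as recommended in the thread.
NAMED_POLICY = "work private-gpg allow\n$anyvm $anyvm ask\n"
# The target= variant, which makes QUBES_GPG_DOMAIN unnecessary for `work`.
TARGET_POLICY = "work $anyvm allow,target=work-keys\n$anyvm $anyvm ask\n"

if __name__ == "__main__":
    for src in ("work", "sys-net", "disp1234"):
        print(src, evaluate(ANYVM_POLICY, src, "private-gpg").action,
              evaluate(NAMED_POLICY, src, "private-gpg").action)
    print(overly_broad_allows(ANYVM_POLICY), evaluate(TARGET_POLICY, "work", "$default"))
```

Run as a script it prints, per source qube, the decision under the $anyvm policy beside the decision under the named-source policy: sys-net and the DispVM are allowed straight through by the former and fall to the "ask" line under the latter. The overly_broad_allows check is the one worth running over a real qubes.Gpg before relying on it; a backend that still prompts on first use does not change what the policy layer has already admitted.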


[qubes-devel] split-gpg keeps asking for target VM when it shouldn't need to

2017-11-23 Thread Elias Mårtenson
I'm using split-gpg, and I end up using it a lot since I sign my git
commits using it.

Since upgrading to 4.0rc2, I have noticed that every time a VM wants to
call out to the GPG VM, a dialog box is shown asking me for the target
VM. At this point I need to click on the menu and manually choose the
GPG VM, even though the name of that VM is already specified in the
QUBES_GPG_DOMAIN environment variable.

Is this a bug?

Regards,
Elias

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/11091248-cf43-465c-9e31-93030998d2cc%40googlegroups.com.