
List:       qubes-devel
Subject:    Re: [qubes-devel] separate frequency of read/write operations by mount points?
From:       Peter Todd <pete () petertodd ! org>
Date:       2017-02-22 23:43:19
Message-ID: 20170222234307.GC635 () savin ! petertodd ! org

On Sat, Feb 18, 2017 at 01:07:02PM -0700, Trammell Hudson wrote:
> On Sat, Feb 18, 2017 at 10:45:31PM +0300, Oleg Artemiev wrote:
> > [...]
> > AFAIR, when an App VM is started some image files are made. Are these
> > files made in /var/lib/qubes/appvms or also in
> > /var/lib/qubes/vm-templates ?
> 
> I've done some work on making Qubes' installation have a read-only
> (and dm-verity protected) dom0 / with a writable /home. It requires
> patching qubes/storage/__init__.py to allow the volatile.img file to
> reside on the rw partition (and not be re-created on the ro /):
> 
> https://groups.google.com/forum/#!topic/qubes-devel/hG93VcwWtRY

Thanks!

Worth noting that another valuable reason to make dom0 / read-only is
anti-forensics: a lot of information is logged in /var/ that you may not want
an adversary (like a thief or border security) to get their hands on;
encrypting / isn't always enough to defeat this threat.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org
