[prev in list] [next in list] [prev in thread] [next in thread]
List: qubes-devel
Subject: Re: [qubes-devel] separate frequency of read/write operations by mount points?
From: Peter Todd <pete () petertodd ! org>
Date: 2017-02-22 23:43:19
Message-ID: 20170222234307.GC635 () savin ! petertodd ! org
[Download RAW message or body]
On Sat, Feb 18, 2017 at 01:07:02PM -0700, Trammell Hudson wrote:
> On Sat, Feb 18, 2017 at 10:45:31PM +0300, Oleg Artemiev wrote:
> > [...]
> > AFAIR, when App VM is started some image files are made. Are these
> > files are made in /var/lib/qubes/appvms or also in
> > /var/lib/qubes/vm-templates ?
>
> I've done some work on making Qubes' installation to have a read-only
> (and dm-verity protected) dom0 / with a write-able /home. It requires
> patching qubes/storage/__init__.py to allow the volatile.img file to
> reside on the rw partition (and not be re-created on the ro /):
>
> https://groups.google.com/forum/#!topic/qubes-devel/hG93VcwWtRY
Thanks!
Worth noting that another valuable reason to make dom0 / read-only is
anti-forensics: a lot of information is logged in /var/ that you may not want
an adversary (like a thief or border security) to get their hands on;
encrypting / isn't always enough to defeat this threat.
--
https://petertodd.org 'peter'[:-1]@petertodd.org
--
You received this message because you are subscribed to the Google Groups \
"qubes-devel" group. To unsubscribe from this group and stop receiving emails from \
it, send an email to qubes-devel+unsubscribe@googlegroups.com. To post to this group, \
send email to qubes-devel@googlegroups.com. To view this discussion on the web visit \
https://groups.google.com/d/msgid/qubes-devel/20170222234307.GC635%40savin.petertodd.org.
For more options, visit https://groups.google.com/d/optout.
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic