Qubes-Whonix type security for arch?

quequotion · 2016-06-01 17:53:10

Qubes being Fedora and Xen doesn't bother me much, but I've had enough of apt for my next seven lifetimes--so I was a little dissapointed to read that Whonix is a Debian derivative.

Arch's flexibility is probably enough to compile a kernel for, and build packages to set up similar security measures. I haven't looked too deeply into it yet, but if it can be done in another linux odds are it can be done in archlinux.

Step one would be to configure arch like whonix, to run as a VM on Qubes (but eventually, I am thinking of "Qubes-Arch" running an "Arch-Whonix" VM, yes)

The qubes people have a handy looking how to on Archlinux VMs in qubes.
Anyone here familiar with Qubes-Whonix?

rh995 · 2016-06-11 17:34:04

It seems to me like one would need to port every whonix package (https://www.whonix.org/wiki/Dev/Whonix_Packages) to Arch Linux. This would take a huge amount of work, but once that's done, I think that would be the only step.

Arch already runs as a template on Qubes (but when I tried to compile it, there were some errors, those will probably be fixed at some point), so all that's necessary is to port every package, create two templates, and install the gateway packages on one template, and the workstation packages on the other.

EDIT: upon further consideration, many of the whonix packages aren't strictly necessary, and there is an automatic package to convert .deb to arch linux packages: https://aur.archlinux.org/packages/debtap, so this project would actually be very reasonable.

Last edited by rh995 (2016-06-11 17:37:02)

GSF1200S · 2016-06-16 19:52:08

There have been exploits on Xen, and Qubes has Dom0 run as root. As soon as someone breaks out of a VM with some exploit, they have root level access to the system. I readily admit im not an expert here, so maybe its not as bad as it sounds?

I would think using Arch's grsec kernel along with Pax and possibly a MAC implementation would be more safe? Especially if you use KVM and setup some VMs of any distro (including other Arch installs if you want) for different tasks. Yes, KVM has a larger attack surface than Xen, but then if they manage to break out of KVM they have to deal with grsecurity/pax, possibly a MAC layer, and whatever else youve dreamt up.

quequotion · 2016-07-11 03:01:53

rh995 wrote:

EDIT: upon further consideration, many of the whonix packages aren't strictly necessary, and there is an automatic package to convert .deb to arch linux packages: https://aur.archlinux.org/packages/debtap, so this project would actually be very reasonable.

Might not even be so hard as that. Looks like quite a few are debian-specific and can be ignored, then lots of others just package security-oriented configuration files. Maybe a couple sleepless nights going through that list would do it.

GSF1200S wrote:

There have been exploits on Xen, and Qubes has Dom0 run as root. As soon as someone breaks out of a VM with some exploit, they have root level access to the system. I readily admit im not an expert here, so maybe its not as bad as it sounds?
I would think using Arch's grsec kernel along with Pax and possibly a MAC implementation would be more safe? Especially if you use KVM and setup some VMs of any distro (including other Arch installs if you want) for different tasks. Yes, KVM has a larger attack surface than Xen, but then if they manage to break out of KVM they have to deal with grsecurity/pax, possibly a MAC layer, and whatever else youve dreamt up.

Arch is extremely flexible; I guess the only way to know for sure would be to set up some machines and ask people to try to break into them.

Arch Linux

#1 2016-06-01 17:53:10

Qubes-Whonix type security for arch?

#2 2016-06-11 17:34:04

Re: Qubes-Whonix type security for arch?

#3 2016-06-16 19:52:08

Re: Qubes-Whonix type security for arch?

#4 2016-07-11 03:01:53

Re: Qubes-Whonix type security for arch?

Board footer