[Whonix-devel] Disposable VMs on Qubes 4.0

Marek Marczykowski-Górecki marmarek at invisiblethingslab.com
Sun Sep 10 15:28:15 CEST 2017

Hash: SHA256


Disposable VMs in Qubes 4.0 are much more flexible. The major difference
is possibility to use different Disposable VMs "templates" (which in
fact can be any AppVM) for different purposes (different services,
different calling VM etc). All settings of Disposable VM are inherited
from its "template", including private image (IOW, it isn't required to
create /home/user/.qubes-dispvm-customized file for that anymore).
This "all settings" include also netvm - it is no longer inherited from
calling VM, but from Disposable VM "template". But since it's possible
to create multiple such templates, it is possible to achieve the same

What is used where is configured using qrexec policy.
I'm preparing the policy for Whonix-related VMs for Qubes 4.0. Here are
possible options I see:

1. Allow starting default Disposable VMs from both Whonix Gateway
(sys-whonix) and Whonix Workstation (anon-whonix or other). This is the
default (if you don't modify policy for Whonix), but it's a very bad
idea, since such Disposable VM most likely will have access to clearnet

2. Prevent starting Disposable VMs from any of Whonix VMs. This is safe
option, but also it limit functionality.

3. Allow creating Disposable VMs based on anon-whonix, then allow only
such DispVMs be started from Whonix VMs.

3a. Similar, but create separate anon-whonix-dvm for that. Major
difference is that DispVMs based on anon-whonix-dvm will not have access
to private image of anon-whonix here.

Should the above be only about Whonix Workstation VM(s)? Whonix Gateway
have access to the clearnet anyway (at least in theory), so it's much
less important there.

What about templates?

I think preferred is point 3a, but it require that Whonix-based
Disposable VMs works. OTOH, it should be much easier there, because in
Qubes 4.0 there are no more savefiles - DisposableVM is started the
same way as AppVM.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Version: GnuPG v2


More information about the Whonix-devel mailing list