Re: [Tails-dev] Tails 0.14 rc1 virtualization testing & howt…

このメッセージを削除

このメッセージに返信
著者: anonym
日付:  
To: The Tails public development discussion list
題目: Re: [Tails-dev] Tails 0.14 rc1 virtualization testing & howto install virtualbox and vmplayer
26/10/12 17:43, adev@??? wrote:
> A Solution:
>
> dpkg --install gcc-4.4_4.4.5-8_i386.deb
> ln -s /usr/bin/gcc-4.4 /usr/bin/gcc-4.6


I did this from a fresh Tails session:

    sudo ln -s /usr/bin/gcc-4.4 /usr/bin/gcc-4.6
    sudo apt-get update
    sudo apt-get install --yes linux-headers-686-pae virtualbox-dkms \
        virtualbox-qt
    vboxmanage createvm --name Tails --ostype Debian --register
    vboxmanage modifyvm Tails --memory 1024
    vboxmanage storagectl Tails --name SATA0 --add sata \
        --controller IntelAHCI
    vboxmanage storageattach Tails --storagectl SATA0 --port 0 \
        --device 0 --type dvddrive --medium host:/dev/cdrom
    vboxmanage startvm Tails


And then Tails starts as a guest within Tails, using the same boot
media (there's no need to copy in the image to ram like you did).
Obviously the guest's guest couldn't connect to the Tor network
due to the guest's firewall.

Actually the Tails host I did this from was itself a VirtualBox guest,
so it also shows that nested VMs work, but the nested-guest is slooow.
Having both guests use the same host key was problematic, so I
recommend changing it:

    VBoxManage setextradata global GUI/Input/HostKeyCombination 65383


which sets it to the Menu key.

> * Allows stronger enforcement of tor-only connections, an attacker must
> break out of a virtual machine, in addition to previous steps taken. A VM
> can be configured to only be able to send traffic through the tor process
> running on the host machine.


Sure, but to configure the applications in the guest to use the host's
Tor is non-trivial for most users (and would require us to make Tor's
ports listen on more than localhost). I'd like a way so a whole VM is
Torified without additional configuration inside the VM. Here's some an
article one can find inspiration from:

<http://www.howtoforge.com/how-to-set-up-a-tor-middlebox-routing-all-virtualbox-virtual-machine-traffic-over-the-tor-network>

(Added to the todo item)

> * Enables the features described at
> https://tails.boum.org/todo/Two-layered_virtualized_system/


Needless to say, including Virtualbox host software in Tails is only a
small step on the way to the above. There's still a lot of work left to
achieve it in a user-friendly way (i.e. zero user configuration).

One interesting thing to note, though, is that the host can start
several guests using the same boot media in the way I described above.
Hence we could add some kind of hook during Tails' boot process that,
depending on some "magic" parameter set by the host (if any), makes
Tails boot into specialized profiles (e.g. one that only runs Tor and
one that runs the GUI stuff). For instance:

* tor-guest: Boot Tails into a minimal mode (no Xorg etc.) that just:
  - starts Tor with all its ports listening on the network.
  - sets an appropriate firewall (only allow inbound traffic from the
    'app-guest' vm (see below) to Tor's ports, and only the outbound
    traffic made by Tor).
* i2p-guest: Same as 'tor-guest' but adapted for i2p.
* app-guest: Boot Tails exactly like it's done now except:
  - it uses the Tor instance running on 'tor-guest' vm.
  - sets an appropriate firewall (only allow connections to the
   'tor-guest' and 'i2p-guest' vms)


If no such profile is set Tails boots normally. In Tails Greeter we add
an option called "Use isolation through virtualization" (or similar)
that when set:

1. Continues from Tails Greeter to a simple X screen (no GNOME etc.
running; only vms are supposed to be run from the host from now on).
2. Starts a Tails guest with the 'tor-guest' parameter in headless
mode. (not sure about the 'i2p-guest' yet since it should start
automatically)
3. Starts a Tails guest with the 'app-guest' parameter in fullscreen
mode. This is where the user should interact with Tails from now on.

Relevant settings from Tails Greeter on the host must be forwarded to
these guests appropriately, e.g. persistent Tor data dir to 'tor-guest'
and all other persistent directories to 'app-guest' (using VirtualBox'
shared directories, I guess), and the language settings should be set in
'app-guest' etc.

A fine question, though, is whether there exist something like this
"magical" parameter I talk about above in VirtualBox. The simplest
would be if Virtualbox could add stuff to the kernel commandline, but I
doubt that is possible in any sane way. More likely something can be
achieved through the guest additions. It seems like the host can execute
arbitrary commands on guests using `vboxmanage guestcontrol execute`,
which could be used to alter how Tails boots from then on.

Are you interested in investigating this?

(Added to the todo item)

> https://tails.boum.org/todo/Two-layered_virtualized_system/virtails.png is
> a great diagram, but could be made even more secure by using multiple
> computers to separate things even further, whonix has a multi-computer
> design
> [...]
> Example setup, each item in brackets[] is a separate computer, connected
> to the other computers via a crossover cable:
> [...]


Why not just use Whonix instead?

Cheers!