Commit a9c99108 authored by Clark's avatar Clark
Browse files

Beginning a migration to Qubes OS

parent 9b8f7423
# -*- org-confirm-babel-evaluate: nil -*-
#+TITLE: Workstation
#+TAGS: :blog:guides:nextcloud:desktop:debian:xfce:git:emacs:vmware:python:jupyter:
#+TITLE: Qubes OS Workstation
#+SUBTITLE: Distrust the Infrastructure
#+PROPERTY: header-args :cache yes
#+BEGIN_VERSE
This post describes how to bootstrap a general purpose desktop machine running Debian 10.
This post describes how to bootstrap my laptop running Qubes OS, a reasonably secure operating system.
#+END_VERSE
Qubes OS features strong isolation using the Xen Project hypervisor to deploy virtual machines (VMs) for everything. This allows a user to isolate some applications (run inside AppVMs) entirely from the network device, while permitting other AppVMs network access, for example. The network stack itself is hosted in a VM. The user could also create a ProxyVM to route network traffic through a VPN or Tor, which would be enforced on an AppVM basis.
A gentle introduction is provided [[https://www.qubes-os.org/intro/][here]], with a lot of detailed docs [[https://www.qubes-os.org/doc/][here]]. Follow is how /I/ bootstrapped my Lenovo P51 laptop with Qubes OS.
* TODO Digital signatures and key verification
I'll use a USB drive to flash the Qubes OS ISO image to my UEFI. This requires exposing my laptop to: 1) the Qubes OS ISO, and 2) the USB drive. I do not trust the [SanDisk] USB drive, since I did not write the firmware. Thus, I am accepting this risk.
To establish trust in the ISO image, I'm following the procedure documented [[https://www.qubes-os.org/security/verifying-signatures/][here]]. I'm installing Qubes OS, release 4.0.3.
First get the Qubes OS Master Signing Key using =gpg2=.
#+BEGIN_SRC sh
sudo gpg2 --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
#+END_SRC
Edit the key and trust it ultimately, after verifying the signature. These steps are critical, as it serves to establish the root of trust for the entire OS. I recommend following the procedure provided in the official documentation, including validating the fingerprint against several sources (Qubes OS website, Github repo, Google forums). The commands necessary to ultimately trust the key are as follows.
#+BEGIN_SRC sh
sudo gpg2 --edit-key 0x36879494
gpg> fpr
gpg> trust
gpg> 5
gpg> y
#+END_SRC
Get the Release Signing Key and validate that the signature includes the Qubes Master Signing Key (trusted above).
#+BEGIN_SRC sh
sudo gpg2 --keyserver-options no-self-sigs-only,no-import-clean --fetch-keys https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc && \
sudo gpg2 --check-signatures "Qubes OS Release 4 Signing Key"
#+END_SRC
Download and verify the Qubes OS R4.0.3 ISO.
#+BEGIN_SRC sh
wget https://mirrors.edge.kernel.org/qubes/iso/Qubes-R4.0.3-x86_64.iso && \
wget https://mirrors.edge.kernel.org/qubes/iso/Qubes-R4.0.3-x86_64.iso.asc && \
sudo gpg2 -v --verify Qubes-R4.0.3-x86_64.iso.asc Qubes-R4.0.3-x86_64.iso
#+END_SRC
Finally, write the ISO to the USB disk. In this case, my USB is mounted to =/dev/sda=. You may need to change this depending on how you mount your USB.
#+BEGIN_SRC sh
# First I format the disk and ensure all bits are zero
sudo dd if=/dev/zero of=/dev/sda status=progress
#+END_SRC
Then flash the ISO to the USB.
#+BEGIN_SRC sh
sudo dd if=Qubes-R4.0.3-x86_64.iso of=/dev/sda status=progress
#+END_SRC
* Debian 10 Images
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment