Qubes DispVM technical discussion

So after studying your posts, it sounds like .qubes-dispvm-customized's function is to preserve a dispVM template's private storage area when qvm-create-default-dvm is run on top of an existing dispVM template, making it function like a template-based VM in terms of file persistence. Otherwise, the dispVM template is completely reset when a new dispVM template is created.

Given that, I think the steps that I outlined above represent the simplest way for users to get a new TBB in non-customized dispVM templates. Of course, I will also add optional instructions for customized templates (and users who wish to use the TB internal updater).

Please review this explanation for accuracy:

  1. user creates new dispVM template to replace a non-customized DVM template.

  2. first-boot-home-population copies TBB to /home/user/.tb because qubes categorizes dispVM templates as appVMs.

  3. first-boot-home-population.done is created and preserved in the dispVM template because /var/cache/tb-updater is defined as a bind-dir in /usr/lib/qubes-bind-dirs.d

  4. first-boot-home-population.done is visible to new dispVMs (disp1,disp2,…) and so first-boot-home-population is not executed when each dispVM is launched.

  5. now new version of TBB is released and tb-updater is updated in whonix-ws template

  6. when the dvm template is auto-refreshed by the template change, new TBB in /var/cache/tb-binary is copied to the dvm-template. But no changes are made to /home/user/.tb

  7. now user runs qvm-create-default-dvm whonix-ws

  8. since .qubes-dispvm-customized is not present, the entire dispVM template is discarded and the process begins again from Step #1.

@torjunkie If you haven’t written up text for this entry already, I started last night on some prose and instructions also. I will incorporate your suggestions and post to the main wiki page: Qubes Disposables. In my version, I’d like to add hardened TBB instructions to a footnote, once you and Patrick sort out the best method for switching over whonix-ws template. The instructions are complicated enough already without giving high visibility to the alpha TBBs.
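As an added illustration of the markers the steps above rely on (not code from the post or from the tb-updater project), here is a small pre-flight check a user could run inside a DVM template before qvm-create-default-dvm. It reports whether the template carries .qubes-dispvm-customized (private storage kept), whether the first-boot-home-population.done marker in the /var/cache/tb-updater bind-dir would make new dispVMs skip the population step, and whether a TBB copy already sits in /home/user/.tb. The marker paths, the ROOT parameter and the constructed directory tree in demo() are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a DVM template's state from the markers discussed
# in the post. $1 is the template's filesystem root (use / inside the DVM
# template); a constructed tree is used in demo() so this runs offline.
# Marker locations are assumptions of this example.

# Print "customized" if qvm-create-default-dvm would keep the private
# storage (/home/user/.tb survives), or "reset" if the whole template is
# discarded and the process restarts from step 1.
dvm_plan() {
    root=${1:-/}
    if [ -f "$root/home/user/.qubes-dispvm-customized" ]; then
        echo customized
    else
        echo reset
    fi
}

# Print "skip" if first-boot-home-population would be skipped in a freshly
# started dispVM (done-marker present in the persistent bind-dir), else "run".
first_boot_state() {
    root=${1:-/}
    if [ -f "$root/var/cache/tb-updater/first-boot-home-population.done" ]; then
        echo skip
    else
        echo run
    fi
}

# Print "present" if /home/user/.tb already holds a TBB copy, else "absent".
tb_state() {
    root=${1:-/}
    if [ -d "$root/home/user/.tb" ] && [ -n "$(ls -A "$root/home/user/.tb" 2>/dev/null)" ]; then
        echo present
    else
        echo absent
    fi
}

# Constructed tree matching steps 2-4 of the post (TBB copied, .done marker
# persisted, no customized marker), then the verdict for step 8.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/user/.tb/tor-browser_en-US" "$tmp/var/cache/tb-updater"
    touch "$tmp/var/cache/tb-updater/first-boot-home-population.done"
    echo "template: $(dvm_plan "$tmp"), first boot: $(first_boot_state "$tmp"), TBB: $(tb_state "$tmp")"
    rm -rf "$tmp"
}

demo
```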
