Qubes DispVM technical discussion


I don’t think it is useful to set tbb_version="6.5a5-hardened" and then apt-get upgrade tb-updater.

  • Doesn’t work if there is no upgrade of the tb-updater package. (Unless inventing bigger hacks such as apt-get --reinstall.) So you’d still needlessly wait for me to upload the upgraded the tb-updater package.
  • Would be simpler to disable tb-updater automatically downloading the hardcoded version during apt-get upgrade of tb-updater. tb_install_follow=false
  • Then just update-torbrowser and select “6.5a5-hardened” interactively during download verification screen. I left in the ability to manually use update-torbrowser inside TemplateVMs exactly for such reasons.

In TemplateVM or DispVM TemplateVM it probably is best not to touch /rw. In that case rather use /etc. This is because the purpose of /rw is to overwrite settings from within TemplateBasedVMs.

@torjunkie These instructions are a good basis for being added to the wiki. Could you just add them to some final or temporary wiki page instead of posting them in the forums? Then I could just make small modifications as explained above. I’d split them into smaller changes and accompany them with an explanatory wiki edit message that you then could read in the wiki history of that page. I guess that would be more time efficient. (Just write the markup once for the wiki rather than once for the forums and later again for the wiki.)

( Created some temporary page in case needed. https://www.whonix.org/wiki/Qubes/temp )

( Btw since you appreciate learning Whonix internals, one tip. Try running update-torbrowser from command line. Although that output needs to be improved for Whonix 14, it for example explains a bit about the folder into which Tor Browser will be stored. )


The code on how DispVM home is created and how the (non-)existence of the /home/user/.qubes-dispvm-customized status file influences things was recently changed. These changes already ended up in Qubes R3.2 testing repository. So it is probably worth only concentrating on that [before it will be totally changed for good in Qubes 4.0]. (If you are on Qubes R3.2 stable can you please tell if you also already go these changes?)

init - /usr/lib/qubes/init/setup-dvm-home.sh

function initialize_home - /usr/lib/qubes/init/functions:


I have all Qubes git repositories on my disk in folder ~/Qubes. (And scripts to keep them all up to date.) If I want for example to learn about qubes-dispvm-customized, I am using the following “ultimate” grep command (that I can also use in VM template build VMs).

grep --exclude-dir=mnt --exclude-dir=qubes-src/linux-template-builder/mnt --exclude=changelog.upstream --exclude-dir=.git --exclude-dir=chroot-debian --exclude-dir=chroot-jessie -l -r qubes-dispvm-customized


My conclusion is, that dom0 has no knowledge about DispVM template status file /home/user/.qubes-dispvm-customized.

When you have killed and deleted disp1, disp2 (if existing) in Qubes VM Manager (QVMM) and then deleted whonix-ws-dvm (qvm-remove whonix-ws-dvm or using QVMM)… I.e. from a somewhat fresh/clean/resetted state. When you run qvm-create-default-dvm whonix-ws (same for all templates), then “DVM boot complete” indicates that the DVM template was booted (without you seeing that).

Since seeing is believing, you can run in another terminal window "sudo xl console whonix-ws-dvm` during DVM creation (qvm-create-default-dvm). (Run this command several times if it does not work at first, since qvm-create-default-dvm may not be at that stage yet.)

qubesdb-read /qubes-vm-type inside DVM template outputs AppVM.

That is why during that time tb-updater-first-boot.service will copy /var/cache/tb-binary/* to /home/user. (Resulting in the /home/user/.tb/tor-browser DispVM “template”.)

The confusion comes from Qubes calling it on one hand DVM template and on the other hand starting that DVM template like an TemplateBased AppVM.

Start whonix-ws-dvm. (qvm-start whonix-ws-dvm && qvm-run whonix-ws-dvm konsole)

  • create some random file in root image /etc/zzzzzzzzzz
  • create some random file in private image /home/user/zzzzzzzzzz

Shut down the VM (sudo poweroff). Start whonix-ws-dvm again. Learn, that:

  • the random file in root image /etc/zzzzzzzzzz is lost
  • the random file in private image /home/user/zzzzzzzzzz still exists

So DVM “template” really is started like an TemplateBased AppVM.

Shut the DVM “template” down for more experiments.

Now start whonix-ws TemplateVM. Create a file /etc/zzz_create_in_whonix-ws_TemplateVM as well as /home/user/zzz_create_in_whonix-ws_TemplateVM. Shut down whonix-ws- TemplateVM.

Start a DVM “template” konsole. See that /etc/zzz_create_in_whonix-ws_TemplateVM exists. Start DispVM (/usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red). And run into some Qubes issue:


So my progress on “best way to keep Tor Browser updated in [customized] DispVM / hardened Tor Browser in DispVM” is blocked for a while now so I can provide debug information.

Since DispVM “template” is actually started like an AppVM… Please try the following. Start a whonix-ws-dvm (DVM “template”) konsole and run update-torbrowser there. Once you installed the version of your choice, it should end up in home folder. Then shut whonix-ws-dvm down. From then, you should have up to date Tor Browser also in [customized] DispVM.

I guess all of this will become a lot easier in Qubes 4.0 when the double layered DispVM implementation is replaced by the much (from user point of view) simpler implementation.


So after studying your posts, it sounds like .qubes-dispvm-customized function is to preserve a dispVM template’s private storage area when qvm-create-default-dvm is run on top of an existing dispVM template - making it function like a template-basedVM in terms of file persistence. Otherwise, the dispVM template is completely reset when a new dispVM template is created.

Given that, I think the steps that I outlined above, represent the simplest way for users to get new TBB in non-customized dispVM templates. Of course, I will also add optional instructions for customized templates (and users who wish to use TB internal updater).

Please review this explanation for accuracy:

  1. user creates new dispVM template to replace a non-customized DVM template.

  2. first-boot-home-population copies TBB to /home/user/.tb because qubes categorizes dispVM templates as appVMs.

  3. first-boot-home-population.done is created and preserved in the dispVM template because /var/cache/tb-updater is defined as a bind-dir in /usr/lib/qubes-bind-dirs.d

  4. first-boot-home-population.done is visible to new dispVMs (disp1,disp2,…) and so first-boot-home-population is not executed when each dispVM is launched.

  5. now new version of TBB is released and tb-updater is updated in whonix-ws template

  6. when the dvm template is auto-refreshed by the template change, new TBB in /var/cache/tb-binary is copied to the dvm-template. But no changes are made to /home/user/.tb

  7. now user runs qvm-create-default-dvm whonix-ws

  8. since .qubes-dispvm-customized is not present, the entire dispVM template is discarded and the process begins again from Step #1.

@torjunkie If you haven’t written up text for this entry already, I started last night on some prose and instructions also. I will incorporate your suggestions and post to the main wiki page: https://www.whonix.org/wiki/Qubes/Disposable_VM. In my version, I’d like to add hardened TBB instructions to a footnote, once you and Patrick sort out the best method for switching over whonix-ws template. The instructions are complicated enough already without giving high visibility to the alpha TBBs.


Without testing, this sounds right except the TB installation will only persist if .qubes-dispvm-customized is present. Because next time user boots whonix-ws to run apt-get update, the TB installation will be overwritten by whatever is in /var/cache/tb-binary in whonix-ws - when a new dispVM is launched. If no changes were ever made to whonix-ws after this procedure, then .qubes-dispvm-customized would not be needed because qvm-create-default-dvm would never be run by dom0. And TB installation would have no reason to be ever overwritten. ???


Hi entr0py & Patrick

Good information! I’ll have to wrap my head around it all, as I thought this disp-VM issue was going to be an ‘easy win’. Famous last words. :dizzy_face:

entr0py - as you have suggested, please feel free to write your stuff up and insert into the section Patrick has created. Borrow anything you like, if it is useful.

Agree that hardened stuff is better left as a footnote until the basic browser + remembered (customized) changes can be bedded down.

Patrick - I’ll look at your notes and technical analysis and see if the customized stuff can be worked out at my end. I’m not a technical genius like yourself.



Any thoughts on the (previously existing) quote https://www.whonix.org/wiki/Tor_Browser#Running_Tor_Browser_in_Qubes_TemplateVM

Don’t start Tor Browser in the whonix-ws TemplateVM or whonix-ws-dvm DisposableVM-TemplateVM. It is not expected to be done that way and wrong. […]


I am in process of of working through the wiki edits by @entr0py . For now only stylistic changes. Feel free to discuss these. For example I don’t like the two new lines so much. If you think that a more visible separate was useful we could add ----- (which results in and is the same as <hr>. (As I did for some tunnel documentation.)



Under the Qubes TemplateVM model [1], any changes made to a TemplateBasedVM’s root filesystem are lost upon reboot. This can be advantageous from a security viewpoint since malicious code installed to the root filesystem is discarded prior to the next session.

(On TemplateBasedVM) I somewhat disagree with the latter sentence. This would work indeed against off-the-shelf malware that targets general Linux and installs itself lets say as a rootkit in /etc somehow. It would not work against off-the-shelf malware with “Qubes support” let alone for tailored malware.

Also Qubes doesn’t declare that as security feature. What an security feature is, that if one TemplateBasedVM is compromised (considered a permanent compromise until that TemplateBasedVM gets purged), is that it cannot spread to the TemplateVM or other TemplateBasedVMs.

Therefore I removed that sentence.


Quote https://www.whonix.org/wiki/Qubes/Disposable_VM

Qubes does not have a built-in snapshot capability like VirtualBox that
can completely revert all changes back to a particular VM state.

True. Added a footnote:

Apart from [https://www.qubes-os.org/doc/dom0-tools/qvm-revert-template-changes/ qvm-revert-template-changes] which can only revert back prior the previous (not last) shutdown of the TemplateVM.

And another footnote:

Advertisement Tracking - Real threat to Whonix Project

The conservative view would be to recommend that as a best practice. However, we are already relying on Tor Browser not to generate any unique identifiers every time we use it. So logically, it should be safe to run in a template for customization purposes. But it really needs to be stressed that customization is a dangerous exercise. For example, I found by accident that a seemingly innocuous change:
NoScript -> Options -> Notifications -> check 'Show message about blocked scripts'
will alter reported screen size when JS is enabled.

Application Customization and Privacy Issues

Agreed! Please add!

I haven’t forgotten to answer your questions in.

Good question. Next question. :slight_smile:

My advice now is “check your Tor Browser version and make it work”:


Application Customization and Privacy Issues

So far so good! Great work!

I am done editing on top of your changes and suggestions for now. Made lots of nitpick edits and also real enhancements.

Now, having it documented so far, using hardened Tor Browser in [customized] DispVM is not that hard? In case of issues just use update-torbrowser in DisposableVM-Template. Please feel free to add it. Then use https://www.whonix.org/wiki/Qubes/Disposable_VM#Warning:_Check_your_Tor_Browser_Version.

As for adding instructions for hardened Tor Browser version vs complexity, I think there is an acceptable solution. Use the expand button. See example Whonix mediawiki markup using expand buttons.

I guess this is as far as we can reasonable get with Qubes R3.2 without going into a lot more effort and gymnastics.

Let’s post this sometime soon on qubes-devel? And afterwards also on Whonix blog and qubes-user?


I’m not sure what that is. I do prefer more whitespace to less. For example, https://www.whonix.org/wiki/Tor_Browser has gotten difficult to read. Part of the reason also is because = Heading = is too big relative to body text and should only be used sparingly for main chapters. I prefer ==== Heading ==== to divide subchapters.


I understand why this warning is necessary - namely, there is no way to enforce the behavior that we want.

On the other hand, users shouldn’t be scared into thinking that the process is somehow unpredictable or inherently risky. If directions are followed, there is virtually no chance of using an out-of-date or wrong Tor Browser version. I started using Whonix DispVMs when I wrote my first post in the other thread nearly 7 months ago. Since then (as far as I can remember), I’ve only updated my Tor Browser using the Internal Updater, which pops up within a few seconds of launching Tor Browser in any DispVM. In fact, the annoyance of the pop-up leads one to update the DisposableVM-Template as soon as possible.

Related note: The default update setting in TB preferences is to update automatically. I set mine to notify-only since having every DispVM update automatically is annoying x2.


Added instructions for TBB-alpha. Alpha users are grown-ups so they only get cli. Used the expand button with a separator at the bottom - would be nice to be able to put the whole expand section in a box.

Added some nitpicks back at ya. It’s ready to go I think. I wonder if stylometry algorithms can pick up multiple writers.

Of course, this is not considering the results of Application Customization and Privacy Issues. Hope that doesn’t necessitate a rewrite. :confused:


@Patrick @entr0py

You’ve done an amazing job on the wiki entry! Well done to both of you.

Tester Report on Wiki Entry Correctness (Qubes 3.2)

From a clean state:

  • Creating a fresh Whonix-WS dispVM works;
  • Adding the Tor Browser and Konsole entries to the XFCE menu for dispVM works;
  • Tor Browser XFCE entry successfully launches within the Whonix-WS dispVM;
  • The customized Whonix-WS dispVM remembers Javascript, slider and add-on changes with the touch command for the standard 6.0.7 Tor Browser (well done!);
  • cli commands for updating the customized Whonix-WS dispVM to reflect the preference for the 6.5a5-hardened browser works; and
  • Re-running the touch commands to customized settings for the hardened Tor Browser also works (even better!).

100% success!

Wiki Small Typo


If you intent to spawn DisposableVMs from other VMs


If you intend to spawn DisposableVMs from other VMs

Suggested Additions

One x additional footnote in the ‘Updating Tor Browser’ section (somewhere):

Prior to installing the Tor Browser in the DisposableVM-Template, check the Tor Project signing keys match those found online at: https://www.torproject.org/docs/signing-keys.html


Edit footnote 28 to say:

Advanced users can also select the hardened Tor Browser at this step before recreating the DisposableTemplateVM.