-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Michael Singer: > I had to find a way to mount the read-only volume in the destination > qube. I discovered the page > https://www.qubes-os.org/doc/block-devices/ But it doesn't say how > to mount it either. The normal way with "$ sudo mount /dev/xvdi > /mnt" does not seem to work for read-only. You have to tell the > mount tool that it is a read-only device: "$ sudo mount -o ro,noload > /dev/xvdi /mnt" This way it works.
'mount' without any options generally works for read-only devices - but not if the filesystem is in a dirty state, like after sudden power-off. In that case 'noload' is needed so the kernel doesn't attempt to recover the newest data by replaying the journal, which would fail without write access. > Perhaps this should be added to the documentation. https://www.qubes-os.org/doc/doc-guidelines/#how-to-contribute :) > I read the notes about your split-dmcrypt-tool. Good work! Let's > assume I would not work with LUKS. Suppose I mount sda1 with > read-only option set in a DispVM (after switching off its network), > decrypt it there and search in the files. An exploit bug occurs and > the VM is taken. Now it could happen that someone leaks the > partition password to the internet via a covered channel. So would > it be safer to mount the decrypted volume again in another DispVM > before we search it? Yes, assuming that the exploit is inside the *decrypted* data. Then that second offline DisposableVM would not have access to the (tiny) password, so it would only be able to slowly transmit the (huge) decrypted data over such a hypothetical covert channel. > And how would that be done? With the loopdevice method? What > commands would you use in the terminal? [dom0]# qvm-block attach --ro disp1 sys-usb:sda1 [disp1]# echo Y >/sys/module/block/parameters/no_part_scan [disp1]# (somehow decrypt /dev/xvdi, yielding a device /dev/mapper/something) [disp1]# readlink /dev/mapper/something ../dm-0 [dom0]# qvm-block attach --ro disp2 disp1:dm-0 [disp2]# (mount /dev/mapper/xvdi) Rusty -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAmDN4+hfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0 QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv Kt+f0BAAhcWwf+7Ch3fR1qabYxGP0uVbbyvODNa+V8ipHcBS2Nyl7QedxL0BZgTt 8HGIoTlngD4jALNDq3Sl5Btv62aEM0Gel3VuozeJeUOpzuvE1eMOrxxPhMQRexNw rW08pZQM6ILojYndnJZpTCr9Rfa4cuYJ9Ie0V+CWpITutiZZLzhF8cYIDORVynND wrrNnP2BdClRU2caH39qRpW5JNYuwT+bIITiZQbTFoWQFICRrasD2zkcQQgNZFdt f8O2nFgmtCHHBwDXzYuSLYdUKp/gTztawqFDBv8exANiQykW19WqZLG1rcha8Wyt PnyuN3DZhu8NWMVFF3DNQZ6T+TqeG8G+V1VTiDFX2t5CfUaE04zS6vzKMxs4dpNs Ce81P3DMu9iqG7oxAqASFHw/Ud0FtDej8FZfeiQVZKtadcbYu09seLllc7QtQDUO tqDgBX2ZEcuN/Ssp4t5p1PHFPfBV3bLzkQYv3cJgqD68maybVgrPXhxvP6NwSmOe zmW8WW6zv/PI8c2+WAnI4zQdUoxv/ImXDgAXbQ65HueKISlr3mSNxdwPkccngg61 nf4OR8L8/74XPV5WbQmFXMGf7m5e48CsdD7+YQiTqiO9Vm3YWiufDaxh7Wv4D7Ux ifH75jzOEWE3y+bakbL1wAp9+UJe8t0wtneHVJeQ5SZ3n1CCjyE= =m4iy -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YM3j6FQAdHWkZZEV%40mutt.
