mirage/qubes-mirage-firewall mirage/qubes-mirage-firewall

  • Stars
    star
    207
  • Rank 189,769 (Top 4 %)
  • Language
    OCaml
  • Created almost 9 years ago
  • Updated 3 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
mirage/qubes-mirage-firewall
github

mirage

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A Mirage firewall VM for QubesOS

qubes-mirage-firewall

A unikernel that can run as a QubesOS ProxyVM, replacing sys-firewall. It uses the mirage-qubes library to implement the Qubes protocols.

See A Unikernel Firewall for QubesOS for more details.

Binary releases

Pre-built binaries are available from the releases page. See the Deploy section below for installation instructions.

Build from source

Note: The most reliable way to build is using Docker. Fedora 35 works well for this and Debian 11 also works, but you'll need to follow the instructions at docker.com to get Docker (don't use Debian's version).

Create a new Fedora-35 AppVM (or reuse an existing one). In the Qube's Settings (Basic / Disk storage), increase the private storage max size from the default 2048 MiB to 4096 MiB. Open a terminal.

Clone this Git repository and run the build-with-docker.sh script:

mkdir /home/user/docker
sudo ln -s /home/user/docker /var/lib/docker
sudo dnf install docker
sudo systemctl start docker
git clone https://github.com/mirage/qubes-mirage-firewall.git
cd qubes-mirage-firewall
sudo ./build-with-docker.sh

This took about 10 minutes on my laptop (it will be much quicker if you run it again). The symlink step at the start isn't needed if your build VM is standalone. It gives Docker more disk space and avoids losing the Docker image cache when you reboot the Qube.

Note: the object files are stored in the _build directory to speed up incremental builds. If you change the dependencies, you will need to delete this directory before rebuilding.

It's OK to install the Docker package in a template VM if you want it to remain after a reboot, but the build of the firewall itself should be done in a regular AppVM.

You can also build without Docker, as for any normal Mirage unikernel; see the Mirage installation instructions for details.

The Docker build fixes the versions of the libraries it uses, ensuring that you will get exactly the same binary that is in the release. If you build without Docker, it will build against the latest versions instead (and the hash will therefore probably not match). However, it should still work fine.

Deploy

If you want to deploy manually, unpack mirage-firewall.tar.bz2 in domU. The tarball contains vmlinuz, which is the unikernel itself, plus a dummy initramfs file that Qubes requires:

[user@dev ~]$ tar xjf mirage-firewall.tar.bz2

Copy vmlinuz to /var/lib/qubes/vm-kernels/mirage-firewall directory in dom0, e.g. (if dev is the AppVM where you built it):

[tal@dom0 ~]$ mkdir -p /var/lib/qubes/vm-kernels/mirage-firewall/
[tal@dom0 ~]$ cd /var/lib/qubes/vm-kernels/mirage-firewall/
[tal@dom0 mirage-firewall]$ qvm-run -p dev 'cat mirage-firewall/vmlinuz' > vmlinuz

Finally, create a dummy file required by Qubes OS:

[tal@dom0 mirage-firewall]$ gzip -n9 < /dev/null > initramfs

Run this command in dom0 to create a mirage-firewall VM using the mirage-firewall kernel you added above

qvm-create \
  --property kernel=mirage-firewall \
  --property kernelopts='' \
  --property memory=32 \
  --property maxmem=32 \
  --property netvm=sys-net \
  --property provides_network=True \
  --property vcpus=1 \
  --property virt_mode=pvh \
  --label=green \
  --class StandaloneVM \
  mirage-firewall

qvm-features mirage-firewall qubes-firewall 1
qvm-features mirage-firewall no-default-kernelopts 1

Upgrading

To upgrade from an earlier release, just overwrite /var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz with the new version and restart the firewall VM.

Configure AppVMs to use it

You can run mirage-firewall alongside your existing sys-firewall and you can choose which AppVMs use which firewall using the GUI. To configure an AppVM to use it, go to the app VM's settings in the GUI and change its NetVM from default (sys-firewall) to mirage-firewall.

You can also configure it by running this command in dom0 (replace my-app-vm with the AppVM's name):

qvm-prefs --set my-app-vm netvm mirage-firewall

Alternatively, you can configure mirage-firewall to be your default firewall VM.

Note that by default dom0 uses sys-firewall as its "UpdateVM" (a proxy for downloading updates). mirage-firewall cannot be used for this, but any Linux VM should be fine. https://www.qubes-os.org/doc/software-update-dom0/ says:

The role of UpdateVM can be assigned to any VM in the Qubes VM Manager, and there are no significant security implications in this choice. By default, this role is assigned to the firewallvm.

Components

This diagram show the main components (each box corresponds to a source .ml file with the same name):

Ethernet frames arrives from client qubes (such as work or personal) or from sys-net. Internet (IP) packets are sent to firewall, which consults the NAT table and the rules from QubesDB to decide what to do with the packet. If it should be sent on, it uses router to send it to the chosen destination. client_net watches the XenStore database provided by dom0 to find out when clients need to be added or removed.

The boot process:

  • config.ml describes the libraries used and static configuration settings (NAT table size). The mirage tool uses this to generate main.ml.
  • main.ml initialises the drivers selected by config.ml and calls the start function in unikernel.ml.
  • unikernel.ml connects the Qubes agents, sets up the networking components, and then waits for a shutdown request.

Easy deployment for developers

For development, use the test-mirage scripts to deploy the unikernel (qubes-firewall.xen) from your development AppVM. This takes a little more setting up the first time, but will be much quicker after that. e.g.

$ test-mirage dist/qubes-firewall.xen mirage-firewall
Waiting for 'Ready'... OK
Uploading 'dist/qubes-firewall.xen' (7454880 bytes) to "mirage-test"
Waiting for 'Booting'... OK
Connecting to mirage-test console...
Solo5: Xen console: port 0x2, ring @0x00000000FEFFF000
            |      ___|
  __|  _ \  |  _ \ __ \
\__ \ (   | | (   |  ) |
____/\___/ _|\___/____/
Solo5: Bindings version v0.7.3
Solo5: Memory map: 32 MB addressable:
Solo5:   reserved @ (0x0 - 0xfffff)
Solo5:       text @ (0x100000 - 0x319fff)
Solo5:     rodata @ (0x31a000 - 0x384fff)
Solo5:       data @ (0x385000 - 0x53ffff)
Solo5:       heap >= 0x540000 < stack < 0x2000000
2022-08-13 14:55:38 -00:00: INF [qubes.rexec] waiting for client...
2022-08-13 14:55:38 -00:00: INF [qubes.db] connecting to server...
2022-08-13 14:55:38 -00:00: INF [qubes.db] connected
2022-08-13 14:55:38 -00:00: INF [qubes.db] got update: "/mapped-ip/10.137.0.20/visible-ip" = "10.137.0.20"
2022-08-13 14:55:38 -00:00: INF [qubes.db] got update: "/mapped-ip/10.137.0.20/visible-gateway" = "10.137.0.23"
2022-08-13 14:55:38 -00:00: INF [qubes.rexec] client connected, using protocol version 3
2022-08-13 14:55:38 -00:00: INF [unikernel] QubesDB and qrexec agents connected in 0.041 s
2022-08-13 14:55:38 -00:00: INF [dao] Got network configuration from QubesDB:
            NetVM IP on uplink network: 10.137.0.4
            Our IP on uplink network:   10.137.0.23
            Our IP on client networks:  10.137.0.23
            DNS resolver:               10.139.1.1
            DNS secondary resolver:     10.139.1.2
2022-08-13 14:55:38 -00:00: INF [net-xen frontend] connect 0
2022-08-13 14:55:38 -00:00: INF [net-xen frontend] create: id=0 domid=1
2022-08-13 14:55:38 -00:00: INF [net-xen frontend]  sg:true gso_tcpv4:true rx_copy:true rx_flip:false smart_poll:false
2022-08-13 14:55:38 -00:00: INF [net-xen frontend] MAC: 00:16:3e:5e:6c:00
2022-08-13 14:55:38 -00:00: INF [ethernet] Connected Ethernet interface 00:16:3e:5e:6c:00
2022-08-13 14:55:38 -00:00: INF [ARP] Sending gratuitous ARP for 10.137.0.23 (00:16:3e:5e:6c:00)
2022-08-13 14:55:38 -00:00: INF [ARP] Sending gratuitous ARP for 10.137.0.23 (00:16:3e:5e:6c:00)
2022-08-13 14:55:38 -00:00: INF [udp] UDP layer connected on 10.137.0.23
2022-08-13 14:55:38 -00:00: INF [dao] Watching backend/vif
2022-08-13 14:55:38 -00:00: INF [memory_pressure] Writing meminfo: free 20MiB / 27MiB (72.68 %)

Testing if the firewall works

A unikernel which tests the firewall is available in the test/ subdirectory. To use it, run test.sh and follow the instructions to set up the test environment.

Security advisories

See issues tagged "security" for security advisories affecting the firewall.

LICENSE

Copyright (c) 2019, Thomas Leonard All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

More Repositories

1

mirage

MirageOS is a library operating system that constructs unikernels
OCaml
2,520
star
2

irmin

Irmin is a distributed database that follows the same design principles as Git
OCaml
1,742
star
3

ocaml-cohttp

An OCaml library for HTTP clients and servers using Lwt or Async
OCaml
644
star
4

alcotest

A lightweight and colourful test framework
OCaml
447
star
5

ocaml-git

Pure OCaml Git format and protocol
OCaml
349
star
6

mirage-tcpip

TCP/IP networking stack in pure OCaml, using the Mirage platform libraries. Includes IPv4/6, ICMP, and UDP/TCP support.
OCaml
321
star
7

jitsu

A DNS server that automatically starts unikernels on demand
OCaml
307
star
8

mirage-skeleton

Examples of simple MirageOS apps
OCaml
224
star
9

mirage-www

Website infrastructure and content for mirage.io
HTML
162
star
10

decompress

Pure OCaml implementation of Zlib.
OCaml
116
star
11

ocaml-cow

Caml on the Web (COW) is a set of parsers and syntax extensions to let you manipulate HTML, CSS, XML, JSON and Markdown directly from OCaml code.
OCaml
105
star
12

awa-ssh

Purely functional SSH library in ocaml.
OCaml
104
star
13

ocaml-cstruct

Map OCaml arrays onto C-like structs
OCaml
103
star
14

ocaml-dns

OCaml implementation of the DNS protocol
OCaml
102
star
15

ocaml-solo5

Freestanding OCaml runtime
C
101
star
16

ocaml-github

GitHub APIv3 OCaml bindings
OCaml
100
star
17

capnp-rpc

Cap'n Proto RPC implementation
OCaml
97
star
18

ocaml-rpc

Light library to deal with RPCs in OCaml
OCaml
95
star
19

ocaml-uri

RFC3986 URI parsing library for OCaml
OCaml
93
star
20

digestif

Simple hash algorithms in OCaml
OCaml
88
star
21

ocaml-conduit

Dereference URIs into communication channels for Async or Lwt
OCaml
84
star
22

mirage-crypto

Cryptographic primitives for OCaml, in OCaml (also used in MirageOS)
C
77
star
23

mirage-platform

Archived, see https://github.com/mirage/mirage/issues/1159 for details. Old: Core platform libraries for Mirage (UNIX and Xen). This provides the `OS` library which handles timers, device setup and the main loop, as well as the runtime for the Xen unikernel.
C
77
star
24

xen

Unofficial mirror of xenbits.xen.org/xen.git
C
72
star
25

ocaml-crunch

Convert a filesystem into a static OCaml module
OCaml
70
star
26

ocaml-9p

An OCaml/Mirage-friendly implementation of the 9P protocol
OCaml
63
star
27

functoria

A DSL to invoke otherworldly functors
OCaml
63
star
28

mini-os

Mirror of the Xen MiniOS Git from git://xenbits.xen.org/mini-os.git
C
63
star
29

mirage-qubes

Mirage support for writing QubesOS AppVM unikernels
OCaml
62
star
30

xen-arm-builder

Archived - the Xen and ARM support in MirageOS has been superseeded by our PVH support - Build an SDcard image for Xen/ARM, for a Cubieboard
Shell
57
star
31

charrua

A DHCP library in OCaml
OCaml
55
star
32

orm

Object Relational Mapper extension
OCaml
54
star
33

ke

Fast implementation of queue in OCaml
HTML
52
star
34

eqaf

Constant time equal function to avoid timing attacks in OCaml
OCaml
51
star
35

conan

Like detective conan, find clue about the type of the file
OCaml
49
star
36

prometheus

OCaml library for reporting metrics to a Prometheus server
OCaml
49
star
37

ocaml-matrix

Implementation of a matrix server in OCaml for MirageOS
OCaml
49
star
38

ocaml-tar

Pure OCaml library to read and write tar files
OCaml
49
star
39

ocaml-vchan

Pure OCaml implementation of the "vchan" shared-memory communication protocol
OCaml
46
star
40

metrics

Infrastructure to collect metrics from OCaml applications.
OCaml
46
star
41

bechamel

Agnostic benchmark in OCaml (proof-of-concept)
OCaml
44
star
42

wodan

A Mirage filesystem library
OCaml
44
star
43

ocaml-base64

Base64 encoding and decoding in OCaml
OCaml
43
star
44

colombe

Implementation of SMTP protocols in OCaml
OCaml
42
star
45

ocaml-ipaddr

A library for manipulation of IP (and MAC) address representations
OCaml
40
star
46

mrmime

What do you mean?
OCaml
40
star
47

ezjsonm

An easy interface on top of the Jsonm library.
OCaml
40
star
48

index

A platform-agnostic multi-level index
OCaml
34
star
49

bloomf

Efficient Bloom filters for OCaml
OCaml
34
star
50

emile

& images
OCaml
31
star
51

mirage-nat

library for network address translation intended for use with mirage unikernels
OCaml
31
star
52

repr

OCaml
31
star
53

ocaml-hex

Hexadecimal converter
OCaml
29
star
54

ocaml-diet

A simple implementation of Discrete Interval Encoding Trees
OCaml
28
star
55

ptt

Postes, Télégraphes et Téléphones
OCaml
26
star
56

ocaml-fat

Read and write FAT format filesystems from OCaml
OCaml
26
star
57

encore

Synonym of angkor
OCaml
25
star
58

ocaml-magic-mime

Convert file extensions to MIME types
OCaml
24
star
59

irmin-server

A high-performance server for Irmin
OCaml
24
star
60

optint

Library to provide a fast integer (x64 arch) or allocated int32 (x84 arch)
OCaml
24
star
61

ocaml-lazy-trie

Lazy prefix trees in OCaml
OCaml
23
star
62

qubes-mirage-skeleton

An example Mirage unikernel that runs as a Qubes AppVM
OCaml
23
star
63

ocaml-pcap

OCaml code for generating and analysing pcap (packet capture) files
OCaml
22
star
64

duff

Pure OCaml implementation of libXdiff (Rabin's fingerprint)
OCaml
21
star
65

hacl

Archived. Curve25519 support has been integrated into mirage-crypto-ec (via fiat-crypto). Hacl bindings are available from the hacl-star opam package. OCaml bindings for HACL* elliptic curves
C
21
star
66

arp

Address resolution protocol (ARP) implementation in OCaml targeting MirageOS
OCaml
21
star
67

shared-memory-ring

Xen-style shared memory rings
OCaml
20
star
68

irmin-rpc

RPC client/server for Irmin
OCaml
20
star
69

typebeat

Parsing of the Content-Type header in pure OCaml
OCaml
20
star
70

mirage-solo5

Solo5 core platform libraries for MirageOS
OCaml
20
star
71

ocaml-tuntap

Bindings to UNIX tuntap facilities
OCaml
20
star
72

mirage-lambda

An eDSL for MirageOS apps
OCaml
19
star
73

merge-queues

Mergeable queues
OCaml
19
star
74

ocaml-qcow

Pure OCaml code for parsing, printing, modifying .qcow format data
OCaml
19
star
75

ocaml-vmnet

NATed networking on MacOS X using the vmnet framework
OCaml
18
star
76

mirage-xen

Xen core platform libraries for MirageOS
C
18
star
77

mirage-profile

Collect profiling information
OCaml
18
star
78

cactus

A Btree library in OCaml
OCaml
18
star
79

mirage-clock

Portable clock implementation for Unix and Xen
OCaml
18
star
80

ocaml-mbr

A simple library for manipulating Master Boot Records
OCaml
18
star
81

spamtacus

Ocaml modular spam filter
OCaml
16
star
82

mirage-dev

Development OPAM repository for work-in-progress packages
16
star
83

ocaml-fsevents

macOS bindings to the FSEvents API
OCaml
16
star
84

mirage-fs-unix

Unix Filesystem passthrough for MirageOS
OCaml
16
star
85

mirage-vnetif

Virtual network interface and software bridge for Mirage
OCaml
16
star
86

irmin-rs

Rust
15
star
87

ocaml-hvsock

Bindings for hypervisor sockets, for Linux, Windows and macOS (via Hyperkit)
OCaml
15
star
88

ca-certs

Detect root CA certificates from the operating system
OCaml
15
star
89

irmin-watcher

Portable implementation of the Irmin Watch API
OCaml
15
star
90

checkseum

C
15
star
91

mirage-handbook

WIP Handbook for MirageOS
14
star
92

retreat.mirage.io

Microsite for the MirageOS hack retreats
OCaml
14
star
93

mmap

File mapping
OCaml
13
star
94

mirage-decks

These are the MirageOS slide decks, written as a self-hosting unikernel
HTML
13
star
95

ezxmlm

Like the tax form, this is an easier interface for quick n dirty XMLM scripts
OCaml
13
star
96

mirage-unix

Unix core platform libraries for MirageOS
OCaml
13
star
97

ocaml-gpt

A simple library for manipulating GUID partition tables
OCaml
12
star
98

irmin.org

Irmin website
CSS
12
star
99

mirage-console

Portable console handling for Mirage applications
OCaml
12
star
100

mirage-net-xen

Xen Netfront and Netback ethernet device drivers for Mirage
OCaml
12
star