github / maticnetwork / bor / Commits / 671f22be
Commit 671f22be (Unverified), authored 4 years ago by rene, committed by GitHub 4 years ago
couple of fixes to docs in clef (#20900)
parent 6a3daa2a
1 changed file: cmd/clef/docs/setup.md (7 additions, 7 deletions)
...
@@ -34,7 +34,7 @@ There are two ways that this can be achieved: integrated via Qubes or integrated
...
@@ -34,7 +34,7 @@ There are two ways that this can be achieved: integrated via Qubes or integrated
#### 1. Qubes Integrated
#### 1. Qubes Integrated
Qubes provdes a facility for inter-qubes communication via
`qrexec`
. A qube can request to make a cross-qube RPC request
Qubes prov
i
des a facility for inter-qubes communication via
`qrexec`
. A qube can request to make a cross-qube RPC request
to another qube. The OS then asks the user if the call is permitted.
to another qube. The OS then asks the user if the call is permitted.


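Review bot: the spelling fix (provdes to provides) is correct. Since this sentence is being touched anyway, "The OS then asks the user if the call is permitted" could mention that the prompt is governed by the qrexec policy for the service, which the drawbacks section of this same file already assumes when it talks about a policy allowing RPC calls between `caller` and `target`.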
...
@@ -48,7 +48,7 @@ This is how [Split GPG](https://www.qubes-os.org/doc/split-gpg/) is implemented.
...
@@ -48,7 +48,7 @@ This is how [Split GPG](https://www.qubes-os.org/doc/split-gpg/) is implemented.


On the
`target`
qubes, we need to define the
rpc
service.
On the
`target`
qubes, we need to define the
RPC
service.
[
qubes.Clefsign
](
qubes/qubes.Clefsign
)
:
[
qubes.Clefsign
](
qubes/qubes.Clefsign
)
:
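Review bot: the rpc to RPC change is fine, but "On the `target` qubes" should be singular ("qube"), matching "A qube can request" in the section above. The relative link `[qubes.Clefsign](qubes/qubes.Clefsign)` is left as is.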
...
@@ -135,11 +135,11 @@ $ cat newaccnt.json
...
@@ -135,11 +135,11 @@ $ cat newaccnt.json
$
cat
newaccnt.json| qrexec-client-vm debian-work qubes.Clefsign
$
cat
newaccnt.json| qrexec-client-vm debian-work qubes.Clefsign
```
```
This
should pop up first
a dialog
to allow the IPC call:
A dialog
should pop up first to allow the IPC call:


Followed by a GTK-dialog to approve the operation
Followed by a GTK-dialog to approve the operation
:


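Review bot: the reworded sentence ("A dialog should pop up first to allow the IPC call:") reads much better. A small style point on the command line just above it: `newaccnt.json| qrexec-client-vm` is missing a space before the pipe, so `cat newaccnt.json | qrexec-client-vm debian-work qubes.Clefsign` would be cleaner, and it is worth stating that `debian-work` is the name of the target qube in this example rather than a fixed value.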
...
@@ -169,7 +169,7 @@ However, it comes with a couple of drawbacks:
...
@@ -169,7 +169,7 @@ However, it comes with a couple of drawbacks:
-
The
`Origin`
header must be forwarded
-
The
`Origin`
header must be forwarded
-
Information about the remote ip must be added as a
`X-Forwarded-For`
. However, Clef cannot always trust an
`XFF`
header,
-
Information about the remote ip must be added as a
`X-Forwarded-For`
. However, Clef cannot always trust an
`XFF`
header,
since malicious clients may lie about
`XFF`
in order to fool the http server into believing it comes from another address.
since malicious clients may lie about
`XFF`
in order to fool the http server into believing it comes from another address.
-
Even with a policy in place to allow
rpc-
calls between
`caller`
and
`target`
, there will be several popups:
-
Even with a policy in place to allow
RPC
calls between
`caller`
and
`target`
, there will be several popups:
-
One qubes-specific where the user specifies the
`target`
vm
-
One qubes-specific where the user specifies the
`target`
vm
-
One clef-specific to approve the transaction
-
One clef-specific to approve the transaction
...
@@ -177,7 +177,7 @@ However, it comes with a couple of drawbacks:
...
@@ -177,7 +177,7 @@ However, it comes with a couple of drawbacks:
#### 2. Network integrated
#### 2. Network integrated
The second way to set up Clef on a qubes system is to allow networking, and have Clef listen to a port which is accessible
The second way to set up Clef on a qubes system is to allow networking, and have Clef listen to a port which is accessible
f
o
rm other qubes.
fr
o
m other qubes.


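Review bot: "form other qubes" to "from other qubes" is the right fix. Two small things in the same sentence: "a qubes system" should be "a Qubes system" (the OS name is capitalised elsewhere in this file, for example in "Qubes Integrated"), and "a port which is accessible from other qubes" could say which qubes, since the earlier section distinguishes `caller` and `target` qubes and a reader configuring the firewall will want to know that only the intended callers should be allowed through.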
...
@@ -193,6 +193,6 @@ to your computer. Over this new network interface, you can SSH into the device.
...
@@ -193,6 +193,6 @@ to your computer. Over this new network interface, you can SSH into the device.
Running Clef off a USB armory means that you can use the armory as a very versatile offline computer, which only
Running Clef off a USB armory means that you can use the armory as a very versatile offline computer, which only
ever connects to a local network between your computer and the device itself.
ever connects to a local network between your computer and the device itself.
Needless to say,
the
while this model should be fairly secure against remote attacks, an attacker with physical access
Needless to say, while this model should be fairly secure against remote attacks, an attacker with physical access
to the USB Armory would trivially be able to extract the contents of the device filesystem.
to the USB Armory would trivially be able to extract the contents of the device filesystem.
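Review bot: dropping the stray "the" fixes the sentence, but the product name is now written both as "USB armory" (first line of the hunk) and "USB Armory" (last line); pick one. The physical-access caveat would also be more useful if it said what the reader can do about it, for example keeping the keystore encrypted at rest on the device so that extracting the filesystem does not directly yield usable keys.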