Lock Screen qrexec service #5893
Comments
Please see relevant PR. This is my first PR for QubesOS, so please let me know if there are any issues.
A similar thing is already documented here: https://www.qubes-os.org/doc/yubi-key/#locking-the-screen-when-yubikey-is-removed
I suppose the question is whether we want to ship Qubes with such a qrexec service by default, or whether we think the documentation is sufficient (and that users who want this should create the qrexec service themselves).
In addition to the YubiKey example, another use-case for this is the BusKill project, which is almost the same as the "lock your screen on YubiKey removal," except it uses a magnetic breakaway and includes actions other than lockscreen, such as shutdown and a self-destruct script that wipes the LUKS Header. More info on this here: Please consider making the lockscreen built into qrexec by default to make installation & use of such tools easier.
The problem you're addressing (if any)
Physical security devices running in AppVMs currently have no way to lock the screen in QubesOS. As it is now, installing/using such a device requires the user to install code in dom0.
Describe the solution you'd like
I think the community would benefit from a new Lock Screen qrexec service built into Qubes so that users can install apps in AppVMs that have the ability to lock the screen (for some security reason)--without the user having to also install code in dom0.
Where is the value to a user, and who might that user be?
My use case is for USB peripheral hardware "panic buttons" or tripwires that would trigger the screen to lock. For example:
But I'm sure there are other use-cases where only software running in an AppVM would need to lock the screen when some user-defined security-related condition is met.
Describe alternatives you've considered
The only other way to do this is for the user to install code in dom0, which should be avoided.
Additional context
Relevant documentation you've consulted