Minimize dom0

[emanruse]

The problem you're addressing (if any)

As of Qubes OS 4.1.2, dom0 is not as minimal (optimal) as it could be. For a security focused OS, this is an open door for various issues capable to affect the system through system updates. There is quite a lot of software which is never used. Example:

root@dom0:~ # dnf list --installed *firmware* | sed -r 's/ {2,}.*//g'
Installed Packages
alsa-sof-firmware.noarch
amd-gpu-firmware.noarch
intel-gpu-firmware.noarch
linux-firmware.noarch
linux-firmware-whence.noarch
nvidia-gpu-firmware.noarch

This is on a system with no NVIDIA or AMD hardware, yet this firmware (which IIUC is certainly proprietary) is there by default (not installed by me explicitly). Additionally, image processing libraries (like LibRaw) are installed in dom0 (as dependencies) etc.

All this is quite concerning in terms of security and doesn't quite match the advises regarding minimizing the attack surface.

fedora-38-xfce is 5.7 GiB.
fedora-38-minimal is 2.6 GiB.
debian-12-minimal is 1.4 GiB.
dom0 is 7.2 GiB.

The solution you'd like

(Options for) minimal/minimized dom0.
Ideally, with a GUI domain, separate from dom0.

During installation, provide options to install software necessary only for existing hardware.

For hardware which does not exist on the system, provide options not to install drivers and firmware for it during initial installation.

For hardware which the user may use in future (but is not present all the time), provide convenient way to install necessary software at a later time, ideally in a temporary, isolated way, so that when the hardware is no longer on the system, the software for it can be easily disabled/removed too.

Reduce proprietary software existence on the system to the possible minimum.

(Perhaps have options to) base dom0 on other, non-Fedora, templates (e.g. Debian minimal?) explaining to the user the pros and cons.

The value to a user, and who that user might be

• Minimize dom0's vulnerability to potential (security) issues entering it through various libraries and dependencies.

• Save storage space and network bandwidth (hence also update times) by not installing (and updating) GiB of unnecessary stuff.

https://forum.qubes-os.org/t/how-to-minimize-dom0/20945/

[marmarek]

As long as GUI in dom0 is supported, minimal dom0 is not a goal. And especially selecting dom0 packages to specific hardware you install on is not a goal. Moving a disk from one system to another is a thing, and it should work.
Of course, you are free to customize your system as you like, but we are not going to maintain several flavors of dom0 in the installer, at least not until GUI domain is fully supported (progress is tracked here).
BTW, firmware files just being present in dom0 filesystem do nothing if the driver for them isn't loaded. And it isn't loaded if you don't have related hardware. There is no security benefit from removing those files, but if you like you can save some disk space this way.

[emanruse]

You have oversimplified the whole idea, reducing it to firmware only. That's quite unfortunate.

[emanruse]

Are you sure the link you shared is correct? It opens an empty page.

[andrewdavidwong]

The link (GUI domain) works for me, even in a browser that's not logged into GitHub.

[emanruse]

After upgrading to 4.2.0, I notice that individual firmware packages are no longer dependent on each other (although linux-firmware is not granular at all), so uninstalling some of them works. However, the `qubes-dist-upgrade` installed 45 new packages as "weak dependencies" (not required by any other package), among which: - cpp (is anyone compiling code in dom0? no package requires that) - hunspell-en (is anyone supposed to spell check in dom0?) - exiv2 (is anyone supposed to manage image metadata in dom0?) - nano-default-editor (considering we already have vim?) - ntfs-3g-system-compression (who uses ntfs in dom0 at all?) - pinenentry (not required by any package at all, according to `repoquery -q --installed --whatrequires pinentry`) - tracker-miners etc. Additionally, `curl` got installed because rpm-0:4.18.2-1.fc37.x86_64 requires it. This has nothing to do with waiting for GuiVM to be completed and goes against the principle of minimalism as a security measure. I hope you can review all that and consider what actually gets into dom0.