[Spice-devel] [virt-tools] Feature Request - Secure clipboard

Uri Lublin uril at redhat.com
Mon Apr 27 03:35:22 PDT 2015


On 04/27/2015 11:38 AM, Frediano Ziglio wrote:
>>
>> A secure clipboard is nice to have because there's no tradeoff between
>> convenience and safety. A vm can read the global clipboard only when you
>> want it. The Xen based Qubes has it and I don't see why KVM's spice and
>> libvirt can't. Here is how they did it:
>>
>>
>> slide 10 from
>>
>> https://events.linuxfoundation.org/sites/events/files/slides/LinuxCon_2014_Qubes_Tutorial.pdf
>>
>> Challenge: copy clipboard from VM “Alice” to VM “Bob”, don’t let VM
>> “Mallory” learn its content in the meantime
>>
>> Solved by introducing Qubes “global clipboard” to/from which copy/paste is
>> explicitly controlled by the user (Ctrl-Shift-C, Ctrl-Shift-V)
>>
>> Requires 4 stages:
>> Ctrl-C (in the source VM)
>> Ctrl-Shift-C (tells Qubes: copy this VM buffer into global clipboard)
>> Ctrl-Shift-V (in the destination VM: tells Qubes: make global clipboard
>> available to this VM)
>> Ctrl-V (in the destination VM)
>> Ctrl-Shift-C/V cannot be injected by VMs (unspoofable key combo).
>>
>> In practice almost as fast as traditional 2-stage copy-paste (don’t freak
>> out! ;)

Thanks for suggesting that.

>>
>>
>> More technical explanation
>>
>> https://www.qubes-os.org/doc/CopyPaste/
>
> Would it not be easier for the user and for us to implement just Ctrl-Shift-C/V?

Frediano, I'm not following what you suggest here.
Do you mean implement just one operation of the two?

Today we have two-stage copy/paste support: following steps 1 and 4
above. Note that those steps involve applications on the guest.
Steps 2 and 3 are done automatically when a clipboard operation is requested.

The suggestion is to do steps 2 and 3 only upon specific request.

> The idea is:
> - the spice client sees the Ctrl-Shift-C
> - spice sends a command to the agent
> - the agent injects a Ctrl-C to copy to the guest clipboard
> - the agent detects the new clipboard and copies it to the global one (as it knows it was a Ctrl-Shift-C)
> Or it could be implemented by the spice client instead of the agent (just having a vm clipboard copied from the agent and a global one)

Thanks,
     Uri.
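
Added illustration, not part of the original message and not SPICE or Qubes code: a toy Python model of the clipboard flow discussed in this thread, comparing today's behaviour (steps 2 and 3 done automatically) with the proposal (steps 2 and 3 only on a host-handled Ctrl-Shift-C/V). The class, method and VM names and the sample data are hypothetical.

```python
class ClipboardBroker:
    """Host-side model: one private clipboard per VM plus one global clipboard."""

    def __init__(self, vms, explicit):
        self.explicit = explicit            # True = steps 2 and 3 need the key combo
        self.vm_clip = dict.fromkeys(vms)   # per-VM buffers, used by steps 1 and 4
        self.global_clip = None
        self.focused = None                 # VM window that has keyboard focus

    def guest_copy(self, vm, data):
        """Step 1: Ctrl-C inside a guest."""
        self.vm_clip[vm] = data
        if not self.explicit:               # automatic step 2
            self.global_clip = data

    def guest_paste(self, vm):
        """Step 4: Ctrl-V inside a guest (or any guest program reading its clipboard)."""
        if not self.explicit and self.global_clip is not None:
            self.vm_clip[vm] = self.global_clip   # automatic step 3
        return self.vm_clip[vm]

    def host_key(self, combo):
        """Steps 2 and 3 on request. Called only from the host/client keyboard
        handler, so input generated inside a guest never reaches it."""
        if self.focused is None:
            return
        if combo == "Ctrl-Shift-C":
            self.global_clip = self.vm_clip[self.focused]
        elif combo == "Ctrl-Shift-V" and self.global_clip is not None:
            self.vm_clip[self.focused] = self.global_clip


def scenario(explicit):
    """Alice copies, Mallory reads its clipboard in the meantime, Bob pastes."""
    b = ClipboardBroker(["alice", "bob", "mallory"], explicit)
    b.focused = "alice"
    b.guest_copy("alice", "s3cret")         # constructed sample data
    if explicit:
        b.host_key("Ctrl-Shift-C")
    mallory_sees = b.guest_paste("mallory")
    b.focused = "bob"
    if explicit:
        b.host_key("Ctrl-Shift-V")
    return {"bob": b.guest_paste("bob"), "mallory": mallory_sees}


if __name__ == "__main__":
    print("automatic steps 2,3:", scenario(explicit=False))
    print("explicit steps 2,3: ", scenario(explicit=True))
```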


