[Spice-devel] [virt-tools] Feature Request - Secure clipboard

gramps at ruggedinbox.com gramps at ruggedinbox.com
Mon Apr 27 14:04:13 PDT 2015 

On 2015-04-27 10:35, Uri Lublin wrote:
> On 04/27/2015 11:38 AM, Frediano Ziglio wrote:
>>> 
>>> A secure clipboard is nice to have becuase there's no tradeoff 
>>> between
>>> convenience and safety. A vm can read the global clipboard only when 
>>> you
>>> want it. The Xen based Qubes has it and I don't see why KVM's spice 
>>> and
>>> libvirt can't. Here is how they did it:
>>> 
>>> 
>>> slide 10 from
>>> 
>>> https://events.linuxfoundation.org/sites/events/files/slides/LinuxCon_2014_Qubes_Tutorial.pdf
>>> 
>>> Challenge: copy clipboard from VM “Alice” to VM “Bob”, don’t let VM
>>> “Mallory” to learn
>>> its content in the meantime
>>> 
>>> Solved by introducing Qubes “global clipboard” to/from which 
>>> copy/paste is
>>> explicitly
>>> controlled by the user (Ctrl-Shift-C, Ctrl-Shift-V)
>>> 
>>> Requires 4 stages:
>>> Ctrl-C (in the source VM)
>>> Ctrl-Shift-C (tells Qubes: copy this VM buffer into global clipboard)
>>> Ctrl-Shift-V (in the destination VM: tells Qubes: make global 
>>> clipboard
>>> available to this VM)
>>> Ctrl-V (in the destination VM)
>>> Ctrl-Shift-C/V cannot be injected by VMs (unspoofable key combo).
>>> 
>>> In practice almost as fast as traditional 2-stage copy-paste (don’t 
>>> freak
>>> out! ;)
> 
> Thanks for suggesting that.
> 

Thanks for your interest.

>>> 
>>> 
>>> More technical explanation
>>> 
>>> https://www.qubes-os.org/doc/CopyPaste/
>> 
>> Would not easier for user and for us to implement just Ctrl-Shift-C/V 
>> ?
> 
> Frediano, I'm not following what you suggest here.
> Do you mean implement just one operation of the two ?
> 
> Today we have two-stage copy/paste support: following steps 1 and 4
> above. Note that those steps involve applications on
> the guest.
> Steps 2,3 are done automatically when clipboard operation is requested.
> 
> The suggestion is to do steps 2,3  only upon specific request.
> 
>> The idea is:
>> - spice client see the Ctrl-Shift-C
>> - spice send a command to agent
>> - agent inject a Ctrl-C to copy to guest clipboard
>> - agent detect new clipboard and copy to global one (as it knows was a 
>> Ctrl-Shift-C)
>> Or could be implemented by spice client instead of the agent (just 
>> having a vm clipboard copied from the agent and a global one)
> 
> Thanks,
>     Uri.

The same concept can be applied to file drag n' drop feature in spice 
for safe interVM and guest-host file copying. Its too early to mention 
but it can help in the planning phase to make a generic solution for 
other data

and not just text.

Spice already has a drag and drop implementation of its own so I'm 
citing qubes design docs about secure filecopy out of interest not 
relevance. The architecture is different and relies on shared intervm 
memory and converting the data into a cpio-like format. Similar to xen 
shared memory is the KVM device ivshmem.

https://www.qubes-os.org/doc/Qfilecopy/

https://www.qubes-os.org/doc/CopyingFiles/

More information about the Spice-devel mailing list