From 40b6688944c5118cdd97ed858c60666cc60b36bb Mon Sep 17 00:00:00 2001 From: Risto Kuusela Date: Wed, 20 Dec 2023 13:21:02 +0200 Subject: [PATCH] Add IDS-VM as a defensive networking mechanism - Adds new virtual machine called ids-vm. - If enabled, sets it as a default gateway for other VMs except for net-vm. - Uses mitmproxy to monitor http and https traffic. - Creates a web interface to the mitmproxy. - Sets Chromium to ignore self-signed CA certificate generated by mitmproxy. Signed-off-by: Risto Kuusela --- modules/virtualization/microvm/guivm.nix | 1 + modules/virtualization/microvm/idsvm.nix | 167 ++++++++++++++++++ .../mitmproxy-ca/mitmproxy-ca-cert.cer | 20 +++ .../mitmproxy-ca/mitmproxy-ca-cert.p12 | Bin 0 -> 1015 bytes .../mitmproxy-ca/mitmproxy-ca-cert.pem | 20 +++ .../microvm/mitmproxy-ca/mitmproxy-ca.p12 | Bin 0 -> 2392 bytes .../microvm/mitmproxy-ca/mitmproxy-ca.pem | 47 +++++ .../mitmproxy-ca/mitmproxy-dhparam.pem | 14 ++ modules/virtualization/microvm/netvm.nix | 4 - overlays/custom-packages/default.nix | 1 + .../custom-packages/mitmweb-ui/default.nix | 5 + packages/mitmweb-ui/default.nix | 51 ++++++ targets/generic-x86_64.nix | 4 + targets/lenovo-x1-carbon.nix | 15 +- targets/nvidia-jetson-orin/default.nix | 5 + 15 files changed, 349 insertions(+), 5 deletions(-) create mode 100644 modules/virtualization/microvm/idsvm.nix create mode 100644 modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca-cert.cer create mode 100644 modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca-cert.p12 create mode 100644 modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca-cert.pem create mode 100644 modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca.p12 create mode 100644 modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca.pem create mode 100644 modules/virtualization/microvm/mitmproxy-ca/mitmproxy-dhparam.pem create mode 100644 overlays/custom-packages/mitmweb-ui/default.nix create mode 100644 packages/mitmweb-ui/default.nix
diff --git a/modules/virtualization/microvm/guivm.nix b/modules/virtualization/microvm/guivm.nix
index 028b6b927f..168210ea6c 100644
--- a/modules/virtualization/microvm/guivm.nix
+++ b/modules/virtualization/microvm/guivm.nix
@@ -57,6 +57,7 @@
 pkgs.waypipe pkgs.networkmanagerapplet pkgs.nm-launcher
+ pkgs.mitmweb-ui
 ]; };
diff --git a/modules/virtualization/microvm/idsvm.nix b/modules/virtualization/microvm/idsvm.nix
new file mode 100644
index 0000000000..6d74e41a73
--- /dev/null
+++ b/modules/virtualization/microvm/idsvm.nix
@@ -0,0 +1,167 @@
+# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ configHost = config;
+ vmName = "ids-vm";
+ macAddress = "02:00:00:01:01:02";
+ networkName = "ethint0";
+ idsvmBaseConfiguration = {
+ imports = [
+ # (import ./common/vm-networking.nix {inherit vmName macAddress useDHCP;})
+ ({lib, ...}: {
+ ghaf = {
+ users.accounts.enable = lib.mkDefault configHost.ghaf.users.accounts.enable;
+ development = {
+ # NOTE: SSH port also becomes accessible on the network interface
+ # that has been passed through to NetVM
+ ssh.daemon.enable = lib.mkDefault configHost.ghaf.development.ssh.daemon.enable;
+ debug.tools.enable = lib.mkDefault configHost.ghaf.development.debug.tools.enable;
+ };
+ };
+
+ system.stateVersion = lib.trivial.release;
+
+ nixpkgs.buildPlatform.system = configHost.nixpkgs.buildPlatform.system;
+ nixpkgs.hostPlatform.system = configHost.nixpkgs.hostPlatform.system;
+
+ microvm.hypervisor = "qemu";
+
+ environment.systemPackages = [
+ pkgs.mitmproxy
+ pkgs.snort
+ pkgs.tcpdump
+ ];
+
+ networking = {
+ enableIPv6 = false;
+ firewall.allowedTCPPorts = [22 8080 8081]; # SSH, mitmproxy, mitmweb
+ firewall.allowedUDPPorts = [67];
+ useNetworkd = true;
+ nat = {
+ enable = true;
+ internalInterfaces = [networkName];
+ extraCommands = ''
+ iptables -t nat -A PREROUTING -i ethint0 -p tcp --dport 80 -j REDIRECT --to-port 8080
+ iptables -t nat -A PREROUTING -i ethint0 -p tcp --dport 443 -j REDIRECT --to-port 8080
+ '';
+ };
+ };
+
+ # Here we add default CA keypair and corresponding self-signed certificate
+ # for mitmproxy in different formats. These should be, of course, randomly and
+ # securely generated and stored for each instance, but for development purposes
+ # we use these fixed ones.
+ environment.etc = {
+ "mitmproxy/mitmproxy-ca-cert.cer".source = ./mitmproxy-ca/mitmproxy-ca-cert.cer;
+ "mitmproxy/mitmproxy-ca-cert.p12".source = ./mitmproxy-ca/mitmproxy-ca-cert.p12;
+ "mitmproxy/mitmproxy-ca-cert.pem".source = ./mitmproxy-ca/mitmproxy-ca-cert.pem;
+ "mitmproxy/mitmproxy-ca.pem".source = ./mitmproxy-ca/mitmproxy-ca.pem;
+ "mitmproxy/mitmproxy-ca.p12".source = ./mitmproxy-ca/mitmproxy-ca.p12;
+ "mitmproxy/mitmproxy-dhparam.pem".source = ./mitmproxy-ca/mitmproxy-dhparam.pem;
+ };
+
+ systemd.services."mitmweb-server" = let
+ mitmwebScript = pkgs.writeShellScriptBin "mitmweb-server" ''
+ ${pkgs.mitmproxy}/bin/mitmweb --web-host localhost --web-port 8081 --set confdir=/etc/mitmproxy
+ '';
+ in {
+ enable = true;
+ description = "Run mitmweb to establish web interface for mitmproxy";
+ path = [mitmwebScript];
+ wantedBy = ["multi-user.target"];
+ serviceConfig = {
+ Type = "simple";
+ # RemainAfterExit = true;
+ StandardOutput = "journal";
+ StandardError = "journal";
+ ExecStart = "${mitmwebScript}/bin/mitmweb-server";
+ Restart = "on-failure";
+ RestartSec = "1";
+ };
+ };
+
+ microvm.interfaces = [
+ {
+ type = "tap";
+ # The interface names must have maximum length of 15 characters
+ id = "tap-${vmName}";
+ mac = macAddress;
+ }
+ ];
+
+ systemd.network = {
+ enable = true;
+ # Set internal network's interface name to networkName
+ links."10-${networkName}" = {
+ matchConfig.PermanentMACAddress = macAddress;
+ linkConfig.Name = networkName;
+ };
+ networks."10-${networkName}" = {
+ matchConfig.MACAddress = macAddress;
+ DHCP = "no";
+ gateway = ["192.168.100.1"];
+ addresses = [
+ {
+ addressConfig.Address = "192.168.100.3/24";
+ }
+ {
+ # IP-address for debugging subnet
+ addressConfig.Address = "192.168.101.4/24";
+ }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ linkConfig.ActivationPolicy = "always-up";
+ };
+ };
+
+ services.resolved.dnssec = "false";
+
+ microvm = {
+ optimize.enable = true;
+ shares = [
+ {
+ tag = "ro-store";
+ source = "/nix/store";
+ mountPoint = "/nix/.ro-store";
+ }
+ ];
+ writableStoreOverlay = lib.mkIf config.ghaf.development.debug.tools.enable "/nix/.rw-store";
+ };
+
+ imports = import ../../module-list.nix;
+ })
+ ];
+ };
+ cfg = config.ghaf.virtualization.microvm.idsvm;
+in {
+ options.ghaf.virtualization.microvm.idsvm = {
+ enable = lib.mkEnableOption "IDSVM";
+
+ extraModules = lib.mkOption {
+ description = ''
+ List of additional modules to be imported and evaluated as part of
+ IDSVM's NixOS configuration.
+ '';
+ default = [];
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ microvm.vms."${vmName}" = {
+ autostart = true;
+ config =
+ idsvmBaseConfiguration
+ // {
+ imports =
+ idsvmBaseConfiguration.imports
+ ++ cfg.extraModules;
+ };
+ specialArgs = {inherit lib;};
+ };
+ };
+}
diff --git a/modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca-cert.cer b/modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca-cert.cer
new file mode 100644
index 0000000000..9beb77739f
--- /dev/null
+++ b/modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca-cert.cer
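Review bot: The PREROUTING rules in `extraCommands` send port 80/443 connections to local port 8080, but the `mitmweb-server` script starts `mitmweb` without `--mode transparent`, so the redirected connections (plain HTTP with no proxy-style absolute URI, raw TLS for 443) are not what the default regular proxy mode expects; the script line should read `${pkgs.mitmproxy}/bin/mitmweb --mode transparent --web-host localhost --web-port 8081 --set confdir=/etc/mitmproxy`. `environment.etc` also installs the CA private key (`mitmproxy-ca.pem`, `mitmproxy-ca.p12`) straight from the repository, and the lenovo-x1-carbon hunk pins that key's SPKI in Chromium, so anyone holding the repository and a position on the path can forge certificates that browser accepts; since the comment already restricts this to development, wrap the block in `lib.mkIf configHost.ghaf.development.debug.tools.enable` and otherwise let mitmproxy create a per-instance CA in a persistent `confdir`. `firewall.allowedTCPPorts` opens 8081 although mitmweb binds `--web-host localhost` and is reached over the ssh tunnel, so that entry can be dropped. Because ids-vm forwards traffic back onto the same 192.168.100.0/24 segment it received it from, the kernel presumably emits ICMP redirects telling app VMs to reach 192.168.100.1 directly for the non-intercepted ports, which would route around the IDS; `boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = 0;` is worth adding, subject to verifying the guests' accept_redirects setting.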
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDNTCCAh2gAwIBAgIUItvWgfGeI8GlhgumoYarXZhO1OMwDQYJKoZIhvcNAQEL +BQAwKDESMBAGA1UEAwwJbWl0bXByb3h5MRIwEAYDVQQKDAltaXRtcHJveHkwHhcN +MjMwNjI2MjA0MjUxWhcNMzMwNjI1MjA0MjUxWjAoMRIwEAYDVQQDDAltaXRtcHJv +eHkxEjAQBgNVBAoMCW1pdG1wcm94eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAOPknE6S+anfr52iO58VsPBcKrTbpWCV1NPmpWh6YmZxuzA3IjNu8X9i +0ByVgutysmrIXWqt7EOds8vCqLCX3+pGB6XsNMC4ksn42SH6QmWUTZizUjCI+7c2 +B1fYxzU5aaG2Z9TDtfExdWqnHR0c0dTR7c2IUeH7qgy/8oSukQeFdhp/j/d+cosU +KtXxMl9vk4wiseLRS2JBb+QKdM+TdNKLpAZmYT68WIIPB/0Vsxo1ZeSf8A4KLElr +9z9oksT5RPZAkuqV4TtWZoSPf01lB5jBCRblSGqw3m9ARAjH3MN1cDvwKkOtPrEC +iBKv9S51CyGPLkrEQoQrscvGKkEp5mECAwEAAaNXMFUwDwYDVR0TAQH/BAUwAwEB +/zATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE +FLfWC+xt92Gs5X8I0H9E0ZPZ1nUZMA0GCSqGSIb3DQEBCwUAA4IBAQCEuExtxt6S +Pr7hXul8xNl8gjb94xB2vB6DJwtn97vXDtMqQ7P6o9e+7d2Yzp/y/hAlVpkZbwJo +WnE5aKI+SiuoyPJhM3qtSqFEnjogm+2GS+Htd9SGYPX6qrsbG5/FUE2NKF4sr9zB +vNYOzcaJO6X1+A3a7fS65ytjRYwO0T+6NtPkqwJ/ACT3vov94u9oGJ8O9rkFoG93 +7Guyh26JA71/N8SKWSIB/35pYKvX2usmsPCs8UYNC3UH4fH4d0yHBA9vV9XLE5H5 +cgESHG6F13V3WpeEgc83DWG6Tvml64ldORCVSi5doLTfaN/UIEZXFPMZ2ZCfsQvA ++PqFqfsCDYU1 +-----END CERTIFICATE----- 
diff --git a/modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca-cert.p12 b/modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca-cert.p12 new file mode 100644 index 0000000000000000000000000000000000000000..b7103f08eeac334b8b0ca8f23c5f7da5f6299e46 GIT binary patch literal 1015 zcmXqLV*bp;$ZXKWyqAqrtIebBJ1-+U zZL4Ev_+5EyzzesCk(-slK*LbTK!A-ol!cjxGdHs&x1cD$q7o*?g(PMmC(dhRY+z<& zW@KPuWNH{C&T9Bvu)Zw`}QO?_w`me$f=@0-d# z;~=NlQ;)0-_wpTFIF8>rTv}lLLCblq-A1Mkq4i(&O1TyL^}LQawP!p z*$iYsd_ER27Lo1OxZmV{Ph9h~p5sEj%f-nzua!z72R$$a0E3>9p=F0p?y-B5?Djp3 zds%bjW=)gX-^T)Fd*qtcxzoSzzRq`9%X#y!#n<<}y*uOF{7?S`RKsRU<}+nP6X!;e48ecD<0^TV&67M}RCh*3x;ul0Iq zdDQfl#`EU9iM#xME`8k@Ybh|*OD}f8mirm^uPC^Mi+q;6Ibr@r?gKx5wXXcl#M^3W zsBEAJ&lj8`h9Yu847m)M3?)FafT4&XpP_=G(m>Zh(SVbURhy5QNs5($MP&aQv-u}) edM_;M+SPwYBlY%&y??D)I8KQF50;u+QUU;3qCc-Fe^-+e#Ny08De{tpBbtWY2tf(ha{ zf_$V&Cf^I!9{rsLKt@jLMTx^rspP zyzNMb`azG}YPZ3bhbvU3=Up)|(Z0dHrJiWo)Tbhz#&_YR$@qwX-JywVA&fXddG?CR zd3tKRboq3jxsyJ9mfQb%s(*i6KF-zgaQ$hR7r!M`xm(?3mbFagRy6fm({oR0-7x%k zB;|G5l#Y#Scw(rf3qGTXAUtQ{SvEmGV#w7o-oo_NS(Z1rf4CeK&HrFkiAj`7R5EKl z8m>^@-7c^H<10rL8U(;RTgV#XMJ6LA0D{{XEQCg0kiZU*#qdDfI4%Voh{fX3AVl7Q zygOAGWbimhY$qmTgfW6OL&QbzHOG>5)GGksbuXYc0InCsGbK zO#QrYrIm99*4Uci3#b?WbwANuUzk}|- zA2w4c?0n~_8hqa@*YLKsT=c4l@`*t|3DsNhY|wWUg0WiP%643i z{SgCWWf3feEV1vcj3hD55R7R+fx!1eLHvM$F@;DbAIbdR5&t;iUrIEZpWH~E;0n=; z`YYJwmKTc>QvT?R3_*%^T|?SWtCtj76LCUO#vzUhchnWWXnq*O=$T{AT#s;!`pzEDYGL?&S(Lk+yuP zZJ?;ksoN_4>E1$zXg<3{@siznwV8=)#Q1ghtSf;xNU?Gf!oEK7K%%@>UPy5k!!)kl zEr!b3Gi=|@)|t~1x=>1aP$~19Gkj<3#Qc#{?Oj8$PZo~-;c$B2mE53;`hM##BK}uA zBhE6*_a^w{w`jLqPN9y?@ANP$%O0Ub&B`rn9r5tU%}`nJTm6;e8(1prr~h$;OS$lm zD#<%MN%>Qf8Sk>Rb+r4Sw4hqHb|Xzf+U_I?K-F!toqYFLtVUVnI+Z z&6qK`hnzE&L2;4Kq)yaF;%cqhb!BeyGUqImU3#1@F>(YTcJyZ{_VznQM zX3tf_H!AIVW5#=O93_P%Uyu?5)Fo|QvlDJrWuKo&)oeAb035p}nX${KE;6d~v_7Bc zuU$*(PEg5EW*9ArX$cOvZf-t}Q@G8FD_mN67ODACPLbj)^xW?4#o?%@t?^Cno5t9Y zL-{Qu{bR1d6dBYgOUZ6Ou!Rb{W>u6qbn(e9=I7x7<2WmJ$6cQIFq=xfef?wRe91qY 
zxC84*-n{*24_@$HPpR&@;`?dFp<-&5nBOI@a_)lE9F)bRe(q_*^dJ@&t$fs{f1Bd{ z(rZ3p$wnvIQk%F-CuTiZ`h11RNvp9WUA+te&7k)lXfquXp}xab6n8COzFL19pl1Vpv+66sH=+Jlxum=_L*r^3isvt)vEdKnP19R4_$B5 zXmATM-6oIjC-=8xF9K+p`IEufxiI+hXV=# literal 0 HcmV?d00001 diff --git a/modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca.pem b/modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca.pem new file mode 100644 index 0000000000..b2c545328d --- /dev/null +++ b/modules/virtualization/microvm/mitmproxy-ca/mitmproxy-ca.pem 
@@ -0,0 +1,47 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA4+ScTpL5qd+vnaI7nxWw8FwqtNulYJXU0+alaHpiZnG7MDci +M27xf2LQHJWC63Kyashdaq3sQ52zy8KosJff6kYHpew0wLiSyfjZIfpCZZRNmLNS +MIj7tzYHV9jHNTlpobZn1MO18TF1aqcdHRzR1NHtzYhR4fuqDL/yhK6RB4V2Gn+P +935yixQq1fEyX2+TjCKx4tFLYkFv5Ap0z5N00oukBmZhPrxYgg8H/RWzGjVl5J/w +DgosSWv3P2iSxPlE9kCS6pXhO1ZmhI9/TWUHmMEJFuVIarDeb0BECMfcw3VwO/Aq +Q60+sQKIEq/1LnULIY8uSsRChCuxy8YqQSnmYQIDAQABAoIBAQC/S1L5kd4Ifj+H +7nplm2ufF36xuf4kCSFRjjYicTjQDX+3hVAsJGCLMYLHu6jdwrWJdQ8VUVEVoPcf +fxLiyVmn6YjZ+mB9tXFiIIUDRHMfmVFZcIz5OMMykyOu1cTCJKNKnzahHndHMuEA +2a5SlbJ9FoqrEFbLftjLQwRr46zRxduoF2Znz/XhPMcoOsMoFuUIEtS3kmblW8Zr +UzKkvT2GUb5b19WNIbK/1ZWnkYTh6nTQPNz8FYpNb7ZuS/UfNGP05r+ZbgzmSS8B +Mwl2u2AqXEo15ULjEP8XQpmQXDbaOAjZHzF0nqx2Sw7iY9MfAarIekGLVRJ+LRwA +mkT8TPuRAoGBAP+20Ah6SCJN4DpDLC/Zu/2rRanpxxyk1awseFlfNOPegAuM+Gic +fHeUDYooHxZwbowAjyo4o36rnHJJi8ZniTHZG9ddy9U75TgVZK4Xr7MkmmOCpv1Q +50BTxsnWir3pTspgWCZ8oXmyvNJV/hl0fGqFW3WxI41upMM6w3uSMdvnAoGBAOQl +1dgXh+Qo8DhAaWmhmDLpcfWD2XB3rhZxQfbYCC+oyrQgpgyQpOEgmPKcjDrsToRK +Ze08O3t5inrvyH41THhByDfV6pxZSGRPoBxr1ZMej6V50FFHctQbDqDhmBdlKpkx +3ryGBrhUxjwklg915UwvZc1iewYdZxd0JeST+CJ3AoGBALbU9QU6uRyd5baClLNZ +0InczaBhIBYg3Q2PdjUgV2adjZu0nV/ekzfESbIAYcnfdYrwU2xytqM4/FDSuPeQ +y40ymC9yRu0dOBTTZvr6wIsrnp+LqO3xzIY34CgsF2MVz1nvbNeHwMSMwWj6RwXY +PaTD2NLbZnoXJALany5ZJwD9AoGAVKqZ1my9GHX819NHi1TVx6cMjIFWsz8m0ttL +EJERUKaCOyCWnrkbBxTyza48+Czz4nI9qzGcHXF4a7EKpZOgAkzfQaFYRJd5nwhR +sdpu0v8XbeBr543tVjuITToLGDuJ+HoiX7IZUlTbkDw/mBM3efNpAzRV1WoZ9QE8 +grxK7HcCgYAT0dGsFd1RY+m/Ik/jTxRDSi7zLLtyZO8AsGsfqsm0b8GhTTlXzEmH +kgp75/W058vjc7H1PY7FNr5neUn/Dtom2YtJRhANK/dhzh+RDSfFgbCX+VHTwh1a +nb7F25+bEhlvfe5yLb+O6ZzbsL/EdJYg0BoHCgTI2bZJkzRtAzdHuA== +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIDNTCCAh2gAwIBAgIUItvWgfGeI8GlhgumoYarXZhO1OMwDQYJKoZIhvcNAQEL +BQAwKDESMBAGA1UEAwwJbWl0bXByb3h5MRIwEAYDVQQKDAltaXRtcHJveHkwHhcN +MjMwNjI2MjA0MjUxWhcNMzMwNjI1MjA0MjUxWjAoMRIwEAYDVQQDDAltaXRtcHJv 
+eHkxEjAQBgNVBAoMCW1pdG1wcm94eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAOPknE6S+anfr52iO58VsPBcKrTbpWCV1NPmpWh6YmZxuzA3IjNu8X9i +0ByVgutysmrIXWqt7EOds8vCqLCX3+pGB6XsNMC4ksn42SH6QmWUTZizUjCI+7c2 +B1fYxzU5aaG2Z9TDtfExdWqnHR0c0dTR7c2IUeH7qgy/8oSukQeFdhp/j/d+cosU +KtXxMl9vk4wiseLRS2JBb+QKdM+TdNKLpAZmYT68WIIPB/0Vsxo1ZeSf8A4KLElr +9z9oksT5RPZAkuqV4TtWZoSPf01lB5jBCRblSGqw3m9ARAjH3MN1cDvwKkOtPrEC +iBKv9S51CyGPLkrEQoQrscvGKkEp5mECAwEAAaNXMFUwDwYDVR0TAQH/BAUwAwEB +/zATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE +FLfWC+xt92Gs5X8I0H9E0ZPZ1nUZMA0GCSqGSIb3DQEBCwUAA4IBAQCEuExtxt6S +Pr7hXul8xNl8gjb94xB2vB6DJwtn97vXDtMqQ7P6o9e+7d2Yzp/y/hAlVpkZbwJo +WnE5aKI+SiuoyPJhM3qtSqFEnjogm+2GS+Htd9SGYPX6qrsbG5/FUE2NKF4sr9zB +vNYOzcaJO6X1+A3a7fS65ytjRYwO0T+6NtPkqwJ/ACT3vov94u9oGJ8O9rkFoG93 +7Guyh26JA71/N8SKWSIB/35pYKvX2usmsPCs8UYNC3UH4fH4d0yHBA9vV9XLE5H5 +cgESHG6F13V3WpeEgc83DWG6Tvml64ldORCVSi5doLTfaN/UIEZXFPMZ2ZCfsQvA ++PqFqfsCDYU1 +-----END CERTIFICATE----- diff --git a/modules/virtualization/microvm/mitmproxy-ca/mitmproxy-dhparam.pem b/modules/virtualization/microvm/mitmproxy-ca/mitmproxy-dhparam.pem new file mode 100644 index 0000000000..c10121fbff --- /dev/null +++ b/modules/virtualization/microvm/mitmproxy-ca/mitmproxy-dhparam.pem 
@@ -0,0 +1,14 @@ + +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEAyT6LzpwVFS3gryIo29J5icvgxCnCebcdSe/NHMkD8dKJf8suFCg3 +O2+dguLakSVif/t6dhImxInJk230HmfC8q93hdcg/j8rLGJYDKu3ik6H//BAHKIv +j5O9yjU3rXCfmVJQic2Nne39sg3CreAepEts2TvYHhVv3TEAzEqCtOuTjgDv0ntJ +Gwpj+BJBRQGG9NvprX1YGJ7WOFBP/hWU7d6tgvE6Xa7T/u9QIKpYHMIkcN/l3ZFB +chZEqVlyrcngtSXCROTPcDOQ6Q8QzhaBJS+Z6rcsd7X+haiQqvoFcmaJ08Ks6LQC +ZIL2EtYJw8V8z7C0igVEBIADZBI6OTbuuhDwRw//zU1uq52Oc48CIZlGxTYG/Evq +o9EWAXUYVzWkDSTeBH1r4z/qLPE2cnhtMxbFxuvK53jGB0emy2y1Ei6IhKshJ5qX +IB/aE7SSHyQ3MDHHkCmQJCsOd4Mo26YX61NZ+n501XjqpCBQ2+DfZCBh8Va2wDyv +A2Ryg9SUz8j0AXViRNMJgJrr446yro/FuJZwnQcO3WQnXeqSBnURqKjmqkeFP+d8 +6mk2tqJaY507lRNqtGlLnj7f5RNoBFJDCLBNurVgfvq9TCVWKDIFD4vZRjCrnl6I +rD693XKIHUCWOjMh1if6omGXKHH40QuME2gNa50+YPn1iYDl88uDbbMCAQI= +-----END DH PARAMETERS----- diff --git a/modules/virtualization/microvm/netvm.nix b/modules/virtualization/microvm/netvm.nix index 1164a3e58e..076766a2cb 100644 --- a/modules/virtualization/microvm/netvm.nix +++ b/modules/virtualization/microvm/netvm.nix @@ -49,10 +49,6 @@ dhcp-authoritative = true; domain = "ghaf"; listen-address = ["127.0.0.1,192.168.100.1"]; - dhcp-option = [ - "option:router,192.168.100.1" - "6,192.168.100.1" - ]; expand-hosts = true; domain-needed = true; bogus-priv = true; diff --git a/overlays/custom-packages/default.nix b/overlays/custom-packages/default.nix index e80e3c788b..f64c633104 100644 --- a/overlays/custom-packages/default.nix +++ b/overlays/custom-packages/default.nix @@ -13,5 +13,6 @@ _: { (import ./qemu) (import ./nm-launcher) (import ./labwc) + (import ./mitmweb-ui) ]; } diff --git a/overlays/custom-packages/mitmweb-ui/default.nix b/overlays/custom-packages/mitmweb-ui/default.nix new file mode 100644 index 0000000000..79e7b34c7c --- /dev/null +++ b/overlays/custom-packages/mitmweb-ui/default.nix 
@@ -0,0 +1,5 @@
+# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+(final: _prev: {
+ mitmweb-ui = final.callPackage ../../../packages/mitmweb-ui {};
+})
diff --git a/packages/mitmweb-ui/default.nix b/packages/mitmweb-ui/default.nix
new file mode 100644
index 0000000000..184d8f8bde
--- /dev/null
+++ b/packages/mitmweb-ui/default.nix
@@ -0,0 +1,51 @@
+# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+ stdenvNoCC,
+ pkgs,
+ lib,
+ ...
+}: let
+ waypipePort = 1100; # TODO: remove hardcoded port number
+ nmLauncher =
+ pkgs.writeShellScript
+ "mitmweb-ui"
+ ''
+ # Create ssh-tunnel between chromium-vm and ids-vm
+ ${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 \
+ -o StrictHostKeyChecking=no \
+ -t ghaf@chromium-vm.ghaf \
+ ${pkgs.openssh}/bin/ssh -M -S /tmp/control_socket \
+ -f -N -L 8081:localhost:8081 ghaf@192.168.100.3
+ # TODO: check pipe creation failures
+
+ # Launch chromium application and open mitmweb page
+ ${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 -o StrictHostKeyChecking=no chromium-vm.ghaf \
+ ${pkgs.waypipe}/bin/waypipe --border=#ff5733,5 --vsock -s ${toString waypipePort} server \
+ chromium --enable-features=UseOzonePlatform --ozone-platform=wayland \
+ http://localhost:8081
+
+ # Use the control socket to close the ssh tunnel between chromium-vm and ids-vm
+ ${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 \
+ -o StrictHostKeyChecking=no \
+ -t ghaf@chromium-vm.ghaf \
+ ${pkgs.openssh}/bin/ssh -q -S /tmp/control_socket -O exit ghaf@192.168.100.3
+ '';
+in
+ stdenvNoCC.mkDerivation {
+ name = "mitmweb-ui";
+
+ phases = ["installPhase"];
+
+ installPhase = ''
+ mkdir -p $out/bin
+ cp ${nmLauncher} $out/bin/mitmweb-ui
+ '';
+
+ meta = with lib; {
+ description = "Script to launch Chromium to open mitmweb interface using ssh-tunneling and authentication.";
+ platforms = [
+ "x86_64-linux"
+ ];
+ };
+ }
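Review bot: In `nmLauncher` the tunnel is torn down only by the final ssh call, so if the chromium/waypipe command fails or the script is interrupted the `-M -S /tmp/control_socket` master keeps running on chromium-vm and the next launch fails because that socket path already exists; register the teardown right after the tunnel is created (`trap '${pkgs.openssh}/bin/ssh ... -O exit ghaf@192.168.100.3' EXIT`) and move the control socket out of the shared `/tmp`, e.g. `-S ~/.ssh/mitmweb-ctl-%C`, since a fixed name in a world-writable directory can be pre-created by any local user. The inner hop from chromium-vm to `ghaf@192.168.100.3` specifies neither a key nor `StrictHostKeyChecking`, so it relies on chromium-vm already holding credentials and a known_hosts entry for ids-vm, which this commit does not set up; without them the `-t` session will prompt and the launcher will hang. The `# TODO: check pipe creation failures` could be resolved with `set -e` together with the trap above, and the local name `nmLauncher` looks copied from nm-launcher and would read better as `mitmwebLauncher`.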
diff --git a/targets/generic-x86_64.nix b/targets/generic-x86_64.nix
index b9dadbad82..35b1389809 100644
--- a/targets/generic-x86_64.nix
+++ b/targets/generic-x86_64.nix
@@ -28,6 +28,10 @@
 # networks."SSID_OF_NETWORK".psk = "WPA_PASSWORD"; };
+ services.dnsmasq.settings.dhcp-option = [
+ "option:router,192.168.100.1" # set net-vm as a default gw
+ "option:dns-server,192.168.100.1"
+ ];
 } ]; hostConfiguration = lib.nixosSystem {
diff --git a/targets/lenovo-x1-carbon.nix b/targets/lenovo-x1-carbon.nix
index 240e007bf5..093d98b15e 100644
--- a/targets/lenovo-x1-carbon.nix
+++ b/targets/lenovo-x1-carbon.nix
@@ -64,6 +64,11 @@
 unmanaged = ["ethint0"]; }; };
+ services.dnsmasq.settings.dhcp-option = [
+ "option:router,192.168.100.3" # set IDS-VM as a default gw
+ "option:dns-server,192.168.100.1"
+ ];
+
 # noXlibs=false; needed for NetworkManager stuff environment.noXlibs = false; environment.etc."NetworkManager/system-connections/Wifi-1.nmconnection" = {
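Review bot: The DHCP router option is now hard-coded per target, and on the Lenovo target it points at 192.168.100.3 unconditionally although `virtualization.microvm.idsvm.enable` is a separate switch, so disabling ids-vm (or ids-vm failing to boot) leaves every app VM without a working default route; the same duplicated block appears in the generic-x86_64 hunk here and in the nvidia-jetson-orin hunk, after the netvm.nix defaults were removed. It would be safer to keep a `lib.mkDefault` entry in netvm.nix and derive the router from the option, e.g. `"option:router,${if configHost.ghaf.virtualization.microvm.idsvm.enable then "192.168.100.3" else "192.168.100.1"}"`, assuming netvm.nix has the same `configHost` handle that idsvm.nix uses. Dropping the previous netvm.nix defaults also means any other target that does not add this block loses both the router and the DNS option, which is worth checking. The enclosing module sets in both hunks start and end outside the hunk.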
@@ -133,7 +138,10 @@
 ({pkgs, ...}: { ghaf.graphics.weston.launchers = [ {
- path = "${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 -o StrictHostKeyChecking=no chromium-vm.ghaf ${pkgs.waypipe}/bin/waypipe --border \"#ff5733,5\" --vsock -s ${toString guivmConfig.waypipePort} server chromium --enable-features=UseOzonePlatform --ozone-platform=wayland";
+ # The SPKI fingerprint is calculated like this:
+ # $ openssl x509 -noout -in mitmproxy-ca-cert.pem -pubkey | openssl asn1parse -noout -inform pem -out public.key
+ # $ openssl dgst -sha256 -binary public.key | openssl enc -base64
+ path = "${pkgs.openssh}/bin/ssh -i /run/waypipe-ssh/id_ed25519 -o StrictHostKeyChecking=no chromium-vm.ghaf ${pkgs.waypipe}/bin/waypipe --border \"#ff5733,5\" --vsock -s ${toString guivmConfig.waypipePort} server chromium --enable-features=UseOzonePlatform --ozone-platform=wayland --user-data-dir=~/.config/chromium/Default --ignore-certificate-errors-spki-list=Bq49YmAq1CG6FuBzp8nsyRXumW7Dmkp7QQ/F82azxGU=";
 icon = "${../assets/icons/png/browser.png}"; }
@@ -171,6 +179,7 @@
 ../modules/host ../modules/virtualization/microvm/microvm-host.nix ../modules/virtualization/microvm/netvm.nix
+ ../modules/virtualization/microvm/idsvm.nix
 ../modules/virtualization/microvm/guivm.nix ../modules/virtualization/microvm/appvm.nix ({
@@ -234,6 +243,10 @@
 [netvmPCIPassthroughModule] ++ netvmExtraModules; };
+ virtualization.microvm.idsvm = {
+ enable = true;
+ # extraModules = idsvmExtraModules;
+ };
 virtualization.microvm.guivm = { enable = true; extraModules = let
diff --git a/targets/nvidia-jetson-orin/default.nix b/targets/nvidia-jetson-orin/default.nix
index 2f612d920f..5a5afe6b62 100644
--- a/targets/nvidia-jetson-orin/default.nix
+++ b/targets/nvidia-jetson-orin/default.nix
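Review bot: The new `--ignore-certificate-errors-spki-list` pin is added to the Chromium launcher unconditionally, while ids-vm is switched on by a separate `virtualization.microvm.idsvm.enable = true;` further down in this file, so the browser keeps accepting the mitmproxy CA even when no interception VM is running. Because that CA's private key is committed under `modules/virtualization/microvm/mitmproxy-ca/`, anyone holding the key and a position on the path can present certificates this Chromium instance accepts, and the flag suppresses errors for any chain containing that key; append the pin only when the option is set, e.g. `+ lib.optionalString config.ghaf.virtualization.microvm.idsvm.enable " --ignore-certificate-errors-spki-list=Bq49YmAq1CG6FuBzp8nsyRXumW7Dmkp7QQ/F82azxGU="`, which needs `config` added to the `({pkgs, ...}:` module arguments and `lib` in scope. A comment tying the fingerprint to its source would also help, e.g. `# SPKI of the fixed development CA in modules/virtualization/microvm/mitmproxy-ca; recompute when that CA is regenerated`. The `ghaf.graphics.weston.launchers` list starts and ends outside the hunk.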
@@ -34,6 +34,11 @@
 hardware.enableRedistributableFirmware = som == "agx"; # Note: When 21.11 arrives replace the below statement with # wirelessRegulatoryDatabase = true;
+
+ services.dnsmasq.settings.dhcp-option = [
+ "option:router,192.168.100.1" # set net-vm as a default gw
+ "option:dns-server,192.168.100.1"
+ ];
 } ]; hostConfiguration = lib.nixosSystem {