@holoscript/holosystem 0.2.2 → 0.2.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +588 -0
- package/bin/holosystem.mjs +434 -7
- package/docs/native-build-threat-model.md +150 -0
- package/docs/vm-launch-threat-model.md +121 -0
- package/native/windows-sandbox/Program.cs +667 -0
- package/native/windows-sandbox/README.md +19 -0
- package/native/windows-sandbox/build.ps1 +18 -0
- package/native/windows-x64/holosystem-sandbox-launcher.exe +0 -0
- package/package.json +4 -2
- package/src/index.mjs +45 -0
- package/src/native-build.mjs +970 -0
- package/src/substrate-debian-release.mjs +852 -0
- package/src/substrate-import-debian.mjs +979 -0
- package/src/substrate-import.mjs +578 -0
- package/src/substrate.mjs +789 -0
- package/src/vm-launch.mjs +1292 -0
|
@@ -0,0 +1,121 @@
|
|
|
1
|
+
# Machine VM launch threat model
|
|
2
|
+
|
|
3
|
+
## Claim
|
|
4
|
+
|
|
5
|
+
`vm-launch` and `vm-launch-whpx` prove that two launches of the same measured
|
|
6
|
+
QEMU runtime, Linux kernel, and initramfs reached the same pinned serial success
|
|
7
|
+
signal through generated, closed full-system QEMU invocations. Optional virtual
|
|
8
|
+
devices are minimized: there is no default device set, network, USB, display, or
|
|
9
|
+
monitor. Each receipt binds the plan, complete runtime manifest, executable,
|
|
10
|
+
guest artifacts, and adapter-specific fixed launch policy.
|
|
11
|
+
|
|
12
|
+
The TCG adapter is a machine-VM execution receipt and sets `hardwareBacked` to
|
|
13
|
+
`false`. The separately named WHPX adapter selects only `accel=whpx`, has no TCG
|
|
14
|
+
fallback, and sets `hardwareBacked` to `true` only when two explicit WHPX boots
|
|
15
|
+
succeed with matching observations. This proves use of QEMU's hardware-backed
|
|
16
|
+
Windows Hypervisor Platform adapter for those launches; it does not prove host
|
|
17
|
+
process isolation. QEMU retains the ambient rights of its Windows process in
|
|
18
|
+
both adapters.
|
|
19
|
+
|
|
20
|
+
`vm-launch-whpx-sandboxed` is a separate schema and receipt. It runs the same
|
|
21
|
+
measured WHPX launch behind a measured native Windows launcher that creates a
|
|
22
|
+
filtered token with `DISABLE_MAX_PRIVILEGE`, sets low mandatory integrity,
|
|
23
|
+
verifies at most the single pass-through privilege remains enabled, creates
|
|
24
|
+
QEMU suspended with only NUL/stdout/stderr handles inherited, assigns QEMU to a
|
|
25
|
+
Job Object before resume, and applies kill-on-close, one-process, 512 MiB, and
|
|
26
|
+
full Job UI restrictions. Its `host-process-isolation` claim is limited to
|
|
27
|
+
those controls. It is not an AppContainer and does not claim host filesystem
|
|
28
|
+
confidentiality or host network isolation.
|
|
29
|
+
|
|
30
|
+
## Protected assets and trust boundaries
|
|
31
|
+
|
|
32
|
+
The protected inputs are the declarative plan, the complete caller-owned QEMU
|
|
33
|
+
runtime directory, the guest kernel, and the guest initramfs. Operational paths
|
|
34
|
+
are not part of the plan or receipt. The receipt exposes digests, byte counts,
|
|
35
|
+
bounded launch summaries, coverage, and named residual boundaries.
|
|
36
|
+
|
|
37
|
+
The tracer does not prove:
|
|
38
|
+
|
|
39
|
+
- QEMU, the guest kernel, initramfs, or firmware were built from trusted source;
|
|
40
|
+
- Windows, the CPU, QEMU, or Node.js implemented the measurement correctly;
|
|
41
|
+
- TCG hardware virtualization, or WHPX IOMMU separation, measured boot, Secure
|
|
42
|
+
Boot, TPM, confidential memory, or side-channel resistance;
|
|
43
|
+
- host crash dumps, swap, hibernation, debugger state, or physical custody are
|
|
44
|
+
protected;
|
|
45
|
+
- the guest success program establishes a broader workload security property.
|
|
46
|
+
|
|
47
|
+
Those limitations are machine-readable in `boundaries` and `coverage` rather
|
|
48
|
+
than implied away by a successful boot.
|
|
49
|
+
|
|
50
|
+
## Adversary specifications
|
|
51
|
+
|
|
52
|
+
| Adversary action | Required result | Receipt or test evidence |
|
|
53
|
+
| ---------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- | ---------------------------------------------------------- |
|
|
54
|
+
| Add a shell command, argument vector, environment field, device, network mode, or unknown plan field | Reject before process launch | `vm-launch-field-unknown`; closed-vocabulary test |
|
|
55
|
+
| Put WHPX in a TCG plan, TCG in a WHPX plan, or request a fallback | Reject rather than downgrade, cross-route, or overclaim | Separate schemas; accelerator/unknown-field tests |
|
|
56
|
+
| Replace any QEMU executable, DLL, firmware file, kernel, or initramfs before measurement | Reject before process launch | Runtime, binary, kernel, and initrd digest mismatch issues |
|
|
57
|
+
| Replace measured files while the launch snapshot is being created | Reject the snapshot | Runtime, kernel, and initrd snapshot mismatch issues |
|
|
58
|
+
| Replace caller-owned files after the first launch | Second launch still uses the same private snapshot | Private-snapshot substitution test |
|
|
59
|
+
| Persistently self-modify the private runtime or guest artifacts during a launch | Reject on post-launch remeasurement | Private-snapshot drift test |
|
|
60
|
+
| Inject QEMU behavior through inherited environment variables or user configuration | Launch with a minimal environment and `-no-user-config` | Generated-argv test |
|
|
61
|
+
| Obtain implicit host devices or a communication channel | Start with `-nodefaults`, `-nic none`, USB off, no display, and no monitor | Generated-argv test |
|
|
62
|
+
| Forge the guest signal, use the wrong exit path, or change adapter diagnostics | Reject the receipt and retain no raw output | Console, exit-code, and diagnostic-digest tests |
|
|
63
|
+
| Make clean launches observably disagree | Reject deterministic coverage | `vm-launch-nondeterministic` |
|
|
64
|
+
| Inject a fake process runner through the public API | Ignore it and execute only the bound process implementation | Public process-runner injection test |
|
|
65
|
+
| Select ambient execution, weaken a sandbox control, change the launcher, or forge its protocol | Reject the distinct sandbox schema, launcher digest, or incomplete evidence | Closed sandbox vocabulary and protocol-forgery tests |
|
|
66
|
+
| Pass inherited parent handles into sandboxed QEMU | Admit only NUL input and the two bounded output pipes | Native handle-list evidence and receipt assertion |
|
|
67
|
+
| Spawn another process or escape launcher lifetime/resource bounds | Assign suspended QEMU before resume to a one-process, kill-on-close Job | Native Job evidence and adversarial receipt tests |
|
|
68
|
+
| Put an operational path or guest output in the receipt | Withhold it; report only digest and byte count | Receipt disclosure assertions |
|
|
69
|
+
|
|
70
|
+
## Fixed launch policy
|
|
71
|
+
|
|
72
|
+
The plan does not express QEMU arguments. Each implementation generates a q35
|
|
73
|
+
invocation for exactly one bound accelerator (`tcg` or `whpx`) with one CPU,
|
|
74
|
+
128 MiB, no user configuration, no default devices, no network, no USB, no
|
|
75
|
+
display, no monitor, no reboot, direct kernel boot, serial stdio, and a fixed
|
|
76
|
+
ISA debug-exit device. The TCG adapter pins QEMU's `max` CPU model; the WHPX
|
|
77
|
+
adapter leaves CPU selection to that hardware backend because the TCG model is
|
|
78
|
+
not a valid substitute. The guest command line is fixed and disables trust in
|
|
79
|
+
CPU random seeding. The process has a bounded timeout and output buffer and
|
|
80
|
+
receives only a small host/runtime environment.
|
|
81
|
+
|
|
82
|
+
Exactly two launches are required. The snapshot is remeasured immediately before
|
|
83
|
+
and after each launch. Each launch must exit with the fixed debug-exit status and
|
|
84
|
+
produce the plan-pinned serial digest. TCG must emit zero stderr bytes. WHPX must
|
|
85
|
+
produce the plan-pinned diagnostic digest after removal of only the exact,
|
|
86
|
+
randomized private-executor prefix that QEMU repeats at diagnostic line starts. Raw
|
|
87
|
+
stdout and stderr are never included in the receipt.
|
|
88
|
+
|
|
89
|
+
The sandboxed adapter additionally copies the package-pinned launcher into the
|
|
90
|
+
private measured snapshot. The launcher protocol is closed and binary-safe: it
|
|
91
|
+
returns base64 child streams plus derived control evidence, and HoloSystem
|
|
92
|
+
rejects unknown fields, non-canonical base64, an unbounded enabled-privilege
|
|
93
|
+
count, a missing control, or launcher stderr. Launcher and QEMU snapshots are
|
|
94
|
+
remeasured before and after both launches.
|
|
95
|
+
|
|
96
|
+
## Residual risk and next layer
|
|
97
|
+
|
|
98
|
+
The QEMU runtime closure includes firmware data files and DLLs, so substitution
|
|
99
|
+
changes its digest. Hashing does not establish provenance or measured boot.
|
|
100
|
+
Windows QEMU also cannot disable host crash-dump capture through this contract;
|
|
101
|
+
`host-crash-dump-custody` remains an explicit boundary.
|
|
102
|
+
|
|
103
|
+
The ambient adapters do not place QEMU behind an OS process sandbox.
|
|
104
|
+
`virtual-device-minimization` therefore describes only their generated
|
|
105
|
+
guest-facing virtual device surface.
|
|
106
|
+
|
|
107
|
+
The sandboxed adapter is narrower than AppContainer or a separate host VM. Its
|
|
108
|
+
filtered token retains normal read access allowed to the caller and does not
|
|
109
|
+
create an OS network capability boundary. The QEMU command still contains no
|
|
110
|
+
guest network device, but a compromised host QEMU process could use host
|
|
111
|
+
network APIs. `host-filesystem-confidentiality` and `host-network-isolation`
|
|
112
|
+
therefore remain explicit missing layers even when the declared process
|
|
113
|
+
isolation controls verify. The launcher binary is measured, but source-to-binary
|
|
114
|
+
reproducibility and code signing remain part of `qemu-runtime-supply-chain` and
|
|
115
|
+
host correctness trust.
|
|
116
|
+
|
|
117
|
+
The next stronger layer is an AppContainer or separate-host-VM adapter that can
|
|
118
|
+
retain WHPX access while proving capability-scoped filesystem and network
|
|
119
|
+
denial, followed by firmware/measured-boot evidence. It must continue to report
|
|
120
|
+
IOMMU, device-assignment, crash-dump custody, and side-channel boundaries
|
|
121
|
+
separately.
|