Secure Clipboard Proposal for libvirt KVM

Hi. I am a privacy distro dev and our project is based around using VMs for security. We are currently making the hard choice of disabling clipboard functionality to prevent malicious guests from pilfering Host clipboard contents. It would be nice to have our cake and eat it too.

A secure clipboard is nice to have because there's no trade-off between convenience and safety. A VM can read the global clipboard only when you want it. The Xen based Qubes has it and I don't see why KVM's spice and libvirt can't. Here is how they did it:

slide 10 from

https://events.linuxfoundation.org/sites/events/files/slides/LinuxCon_2014_Qubes_Tutorial.pdf

Challenge: copy clipboard from VM Alice to VM Bob, dont let VM Mallory to learn its content in the meantime

Solved by introducing Qubes global clipboard to/from which copy/paste is explicitly controlled by the user (Ctrl-Shift-C, Ctrl-Shift-V)

Requires 4 stages: Ctrl-C (in the source VM) Ctrl-Shift-C (tells Qubes: copy this VM buffer into global clipboard) Ctrl-Shift-V (in the destination VM: tells Qubes: make global clipboard available to this VM) Ctrl-V (in the destination VM) Ctrl-Shift-C/V cannot be injected by VMs (unspoofable key combo).

In practice almost as fast as traditional 2-stage copy-paste (don't freak out! ;)

More technical explanation

https://www.qubes-os.org/doc/CopyPaste/

Admin message

Secure Clipboard Proposal for libvirt KVM