network: enable MAC randomization for wifi connections by default #297

Merged: 1 commit, Mar 30, 2021

marmarek
Member

We do have NetworkManager new enough to handle this feature already.
Enable both scan MAC address randomization, and also connection MAC
address randomization. The latter is done in a "stable" way - preserving the
same MAC for a connection, until reboot. This is a safe tradeoff
between full random, which breaks some captive portals. The stable MAC
is generated separately for each connection, so it also prevents
correlation of the same machine between different networks.

Do not enable it for wired connections, as those are less often used at
random untrusted locations, but also more often it's desired to
get the same IP address each time (having random MAC would make it much
harder).

QubesOS/qubes-issues#938

marmarek merged commit 8306013 into QubesOS:master on Mar 30, 2021
@tlaurion

@marmarek not sure I understand why we differentiate wifi and ethernet here. A user wanting to have a once randomized MAC address kept permanent would simply have to create such profile and select that profile to connect. Randomized by default, and if problematic for certain scenarios (macauth, NAC) fixate that up.

@marmarek
Member Author

> A user wanting to have a once randomized MAC address kept permanent would simply have to create such profile and select that profile to connect

The problem with this scenario is you can't really have a profile that is automatically chosen based on the wired network you are connecting to. All the wired networks look the same from the NM point of view, and a single profile is used for all of them. This means also that setting `ethernet.cloned-mac-address=stable` will keep the same MAC address when you switch networks (because those are the same "connection", from NM point of view). On the other hand, setting to "random" (randomize on each connect) will break things - for example you'll lose all your connections when your cable falls off for a sec (with or without help from your pet).

On the other hand, nowadays you rarely connect to "random" networks using a cable. There may be a hotel or two offering internet over a cable, but most networks, outside of more permanent places like home or work, are wireless. And even those latter ones are commonly wireless too.

Note also, this "all wired networks look the same" means that you can trivially change that setting from GUI - just go to the "Ethernet Connection" settings. Something you can't realistically do via GUI for all the new wifi networks you are connecting to.

Yes, this is not ideal, but this is a safe compromise for the default configuration. Something that is reasonably safe, but also won't be annoying, and potentially hard to diagnose for an unskilled user.

Does this answer your question?
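
An added illustration of the trade-off described in this reply (not code from the PR or from NetworkManager): it models a "stable" MAC as a keyed hash of the expanded `connection.stable-id` and reports which networks could link the same machine. The HMAC construction, host key, profile names and boot ids are assumptions made for the example; NetworkManager's own derivation differs in detail.

```python
import hashlib
import hmac

HOST_KEY = b"constructed-per-host-secret"  # assumption: stands in for a host-local key
STABLE_ID = "${CONNECTION}/${BOOT}"         # value from 31-randomize-mac.conf


def stable_mac(profile: str, boot_id: str, iface: str) -> str:
    """Model a 'stable' MAC as a keyed hash of the expanded stable-id."""
    sid = STABLE_ID.replace("${CONNECTION}", profile).replace("${BOOT}", boot_id)
    digest = hmac.new(HOST_KEY, f"{iface}|{sid}".encode(), hashlib.sha256).digest()
    octets = bytearray(digest[:6])
    octets[0] = (octets[0] | 0x02) & 0xFE   # locally administered, unicast
    return ":".join(f"{o:02x}" for o in octets)


def linkable(events):
    """Return pairs of different networks that observed the same MAC."""
    seen = {}
    pairs = set()
    for network, profile, boot_id, iface in events:
        mac = stable_mac(profile, boot_id, iface)
        for other in seen.get(mac, set()) - {network}:
            pairs.add(tuple(sorted((network, other))))
        seen.setdefault(mac, set()).add(network)
    return pairs


# Constructed events: (network joined, NM profile used, boot id, interface)
WIFI = [
    ("cafe-wifi", "profile-cafe", "boot-1", "wlan0"),
    ("hotel-wifi", "profile-hotel", "boot-1", "wlan0"),
    ("cafe-wifi", "profile-cafe", "boot-1", "wlan0"),  # reconnect within the same boot
]
# Wired: one profile is reused for every network the cable is plugged into.
WIRED = [
    ("office-lan", "profile-wired", "boot-1", "eth0"),
    ("hotel-lan", "profile-wired", "boot-1", "eth0"),
]

if __name__ == "__main__":
    print("wifi networks that can link the machine:", linkable(WIFI))
    print("wired networks that can link the machine:", linkable(WIRED))
```
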

@tlaurion

@marmarek Yes, thank you.

As a side note, though, having Heads full reproducible builds (full ROM builds, e.g. Heads maximized builds, the original MAC address that is in the GBE blob, required to be extracted and reinjected at build time) is now fixating MAC to DE:AD:C0:FF:EE per linuxboot/heads@36c04f1

That requires the user to have the OS handle the MAC address (randomize, fixate, stable or make permanent), unless he doesn't care being "DE:AD:C0:FF:EE" on the network or is alone doing so.

My consideration on that matter was that if the default provided wired network profile was randomized first and made permanent, that issue would have been dealt with by default deployed configuration. Not a major problem, but will require manual customization for QubesOS users using maximized Heads builds; at compile time or some configuration inside of QubesOS.

@marmarek
Member Author

I see, so for ethernet that would be a case for "hardware support for reproducible Heads", not really "privacy feature". I'm worried this static MAC may cause issues for other use cases too, like someone booting another (Live?) OS.

Is it feasible to extract+reinject the MAC at flash time? Not a big deal, but it would bypass the need for system configuration (qubes or not).

@ninavizz
Member

Is this somehow earmarked for mention in the 4.1 release notes? Per @mfc's comment on #2361 I agree this feels important and relevant to many.

@tlaurion

tlaurion commented Jun 27, 2022

> > A user wanting to have a once randomized MAC address kept permanent would simply have to create such profile and select that profile to connect
>
> The problem with this scenario is you can't really have a profile that is automatically chosen based on the wired network you are connecting to. All the wired networks look the same from the NM point of view, and a single profile is used for all of them. This means also that setting `ethernet.cloned-mac-address=stable` will keep the same MAC address when you switch networks (because those are the same "connection", from NM point of view). On the other hand, setting to "random" (randomize on each connect) will break things - for example you'll lose all your connections when your cable falls off for a sec (with or without help from your pet).
>
> On the other hand, nowadays you rarely connect to "random" networks using a cable. There may be a hotel or two offering internet over a cable, but most networks, outside of more permanent places like home or work, are wireless. And even those latter ones are commonly wireless too.
>
> Note also, this "all wired networks look the same" means that you can trivially change that setting from GUI - just go to the "Ethernet Connection" settings. Something you can't realistically do via GUI for all the new wifi networks you are connecting to.
>
> Yes, this is not ideal, but this is a safe compromise for the default configuration. Something that is reasonably safe, but also won't be annoying, and potentially hard to diagnose for an unskilled user.
>
> Does this answer your question?

@marmarek This was questioned again today, and rereading this, I'm still not really sure why

```
[user@sys-net ~]$ cat /usr/lib/NetworkManager/conf.d/31-randomize-mac.conf
[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=stable
connection.stable-id=${CONNECTION}/${BOOT}
```

Doesn't include what I now deploy by default:

```
[user@sys-net ~]$ cat /usr/lib/NetworkManager/conf.d/32-randomize-eth-mac.conf
[connection]
ethernet.cloned-mac-address=stable
```

Otherwise, people connecting to LAN with a cable are currently disclosing their physical MAC address.
Putting it stable mitigates the randomization issue you noted (stable replacing random).

So as of now, a static MAC fingerprint of machine through local LAN connection is considered a desirable behavior.
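
An added example (not part of the comment or of the Qubes code base): a small audit that merges conf.d snippets like the two quoted above and reports which link types lack a randomized MAC default. It assumes a single conf.d directory read in file-name order, ignores per-profile overrides and `match-device` sections, and uses constructed copies of the files.

```python
import configparser

# Constructed copies of the two conf.d snippets quoted in the comment above.
SNIPPETS = {
    "31-randomize-mac.conf": (
        "[device]\nwifi.scan-rand-mac-address=yes\n\n"
        "[connection]\nwifi.cloned-mac-address=stable\n"
        "connection.stable-id=${CONNECTION}/${BOOT}\n"
    ),
    "32-randomize-eth-mac.conf": "[connection]\nethernet.cloned-mac-address=stable\n",
}


def effective_defaults(snippets):
    """Merge [device*]/[connection*] keys; later file names override earlier ones."""
    merged = {}
    for name in sorted(snippets):
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.optionxform = str  # keep key names exactly as written
        parser.read_string(snippets[name])
        for section in parser.sections():
            if section.startswith(("device", "connection")):
                merged.update({k: v.strip() for k, v in parser[section].items()})
    return merged


def audit(snippets):
    """Return findings for MAC-privacy defaults that are missing or weakened."""
    eff = effective_defaults(snippets)
    findings = []
    for kind in ("wifi", "ethernet"):
        value = eff.get(f"{kind}.cloned-mac-address")
        if value not in ("stable", "random"):
            findings.append(f"{kind}: cloned-mac-address is {value or 'unset'}, "
                            "no randomized default for this link type")
    if eff.get("wifi.scan-rand-mac-address") == "no":
        findings.append("wifi: scan MAC randomization disabled")
    uses_stable = "stable" in (eff.get("wifi.cloned-mac-address"),
                               eff.get("ethernet.cloned-mac-address"))
    # The PR ties the stable MAC to the current boot through ${BOOT}.
    if uses_stable and "${BOOT}" not in eff.get("connection.stable-id", ""):
        findings.append("connection.stable-id lacks ${BOOT}: stable MAC not rotated per boot")
    return findings


if __name__ == "__main__":
    for line in audit(SNIPPETS) or ["no findings"]:
        print(line)
```
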

@tlaurion

tlaurion commented Nov 2, 2022

Participation welcome under Heads to bring Ethernet on-demand MAC address randomization on boards that support it (GBE is a separate partition which keeps Ethernet configuration persistent in firmware), which is why ethernet randomization was expected as part of this PR. I continue to receive a lot of requests for Qubes Ethernet MAC address randomization by default, which is part of OEM disk image, but requires manual re-deployment on top of new templates since not deployed as default.

Cross-posted QubesOS/qubes-issues#938 (comment)

Having a default profile where Ethernet MAC is randomized, and where user can decide prior to connection if he wants that MAC to be persistent would have been my preference, otherwise a lot of ink is lost explaining how to accomplish this feature which is lost on new template deployments.
