From 8888601f69ad44233e55ba8a71dfe1ab0c9555d2 Mon Sep 17 00:00:00 2001 From: "Morten V. Christiansen" Date: Fri, 24 Apr 2026 05:52:44 +0200 Subject: [PATCH] Record AppVM template and UI baseline --- Setup.md | 8 +++++++- Workplan.md | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/Setup.md b/Setup.md index fd7fef5..376aaa0 100644 --- a/Setup.md +++ b/Setup.md @@ -44,7 +44,7 @@ Update this file whenever environment status or verified behavior changes. ## Target Qubes Topology -- Base template for all AppVMs: Debian template. +- Base template for all AppVMs: `debian-13-xfce`. - Allowed network paths: - `k_client` -> `k_proxy` over TLS - `k_proxy` -> `k_server` over TLS @@ -68,6 +68,11 @@ Functional roles: - Provides a dummy protected resource for early integration testing (monotonic increasing number/counter). - May hold user/session state logic needed for authorization decisions. +UI baseline for each AppVM (start-menu visible apps): +- Firefox +- XFCE Terminal +- File Manager + ## Target Request Flow 1. `k_client` sends HTTPS request to `k_proxy`. @@ -125,6 +130,7 @@ Implication: Session note (2026-04-24): - Markdown tracking was reviewed and normalized around `Setup.md` + `Workplan.md` as the active, continuously updated execution record. +- AppVM template decision recorded: use `debian-13-xfce` for `k_client`, `k_proxy`, and `k_server`. ## Known FIDO2 Transport Boundary diff --git a/Workplan.md b/Workplan.md index ced9886..1d18c43 100644 --- a/Workplan.md +++ b/Workplan.md 
@@ -8,7 +8,7 @@ This is the execution plan for making ChromeCard FIDO2 development and validatio - Treat `/home/user/chromecard/CR_SDK_CK-main` as read-only. - Keep helper scripts such as `fido2_probe.py` and `webauthn_local_demo.py` at `/home/user/chromecard`. -- Target deployment model is Qubes OS with 3 Debian-based AppVMs: `k_client`, `k_proxy`, `k_server`. +- Target deployment model is Qubes OS with 3 AppVMs based on `debian-13-xfce`: `k_client`, `k_proxy`, `k_server`. - Current authenticator link is card->`k_proxy` (USB), but architecture must allow migration to wireless phone-mediated validation. ## Goals @@ -26,7 +26,7 @@ This is the execution plan for making ChromeCard FIDO2 development and validatio ## Phase 0: Qubes VM Baseline (Blocking) 1. Provision/verify AppVMs. -- Ensure `k_client`, `k_proxy`, `k_server` exist and are based on the Debian template. +- Ensure `k_client`, `k_proxy`, `k_server` exist and are based on `debian-13-xfce`. 2. Assign functional responsibilities. - `k_client`: browser client + enrollment process.
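Review bot: In the Setup.md hunk at `@@ -68,6 +68,11 @@`, the UI baseline puts Firefox in the start menu of every AppVM, including `k_proxy` and `k_server`, while Workplan.md gives the browser role to `k_client` only ("`k_client`: browser client + enrollment process") and the visible topology lines allow just `k_client` -> `k_proxy` and `k_proxy` -> `k_server`. Consider making the baseline per-VM (Firefox on `k_client`, terminal and file manager on the other two), or add a line saying why a browser is needed on the proxy and server qubes. The new list also sits directly under the `k_server` role bullets with no heading of its own, so it reads as part of that role; a separate `## UI Baseline` heading would avoid that.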
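Review bot: The session-note line added in the Setup.md hunk at `@@ -125,6 +130,7 @@` records the template as a decision but does not say whether `k_client`, `k_proxy` and `k_server` have actually been created on or switched to `debian-13-xfce`. The file's own header asks for updates when "environment status or verified behavior changes", so the note should state which one this is, for example by appending "(decision only, not yet verified on the VMs)" or "(verified)".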
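Review bot: The Workplan.md hunk at `@@ -8,7 +8,7 @@` repeats the literal `debian-13-xfce`, which this patch now writes in four places across Setup.md and Workplan.md, so a later template change has to touch all of them or the two files drift apart. Consider keeping the name only under "Target Qubes Topology" in Setup.md and having Workplan.md refer to that section.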
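Review bot: Phase 0 step 1 in the Workplan.md hunk at `@@ -26,7 +26,7 @@` names the required template but gives no way to confirm it, and it does not cover the UI baseline that this same patch adds to Setup.md. Suggest adding the check to the step, for example running `qvm-prefs k_client template` in dom0 for each of the three VMs and expecting `debian-13-xfce`, plus a bullet to confirm the start-menu apps match the list in Setup.md.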