Make dom0 read-only

[zaoqi]

Describe the solution you'd like
make dom0 readonly. Build a customized readonly rootfs instead of using Fedora.

Where is the value to a user, and who might that user be?
Make QubesOS more secure

Relevant documentation you've consulted
https://www.qubes-os.org/news/2020/03/18/gui-domain/

Because the GUI will be separated from dom0, users no longer need to modify the files of dom0

[w1k1n9cc]

Maybe it's possible to adapt fedora silverblue for that purpose.

[andrewdavidwong]

At one point, the devs mentioned the possibility of having a "completely sealed" dom0 that users can't even directly interact with, so they've certainly considered this.

[tlaurion]

When comparing two root snapshots per

[user@dom0 ~]$ cat /lib/systemd/system-shutdown/root-autosnap 
#!/bin/sh

#This permits wyng-backup to backup root-autosnap and root-autosnap-back, taken at each system shutdowns like any other QubesOS LVMs.
#This also permits to restore to different states of dom0 from Heads and compare dom0 between reboots

#TODO: backup /boot content into a LVM and apply same logic, corresponding to each dom0 snapshots
#https://github.com/tasket/wyng-backup/issues/63

#We delete the backup of last shutdown snapshot (last last shutdown)
/usr/sbin/lvremove --noudevsync --force -An qubes_dom0/root-autosnap-back || true
#We take a snapshot of root-autosnap into root-autosnap-back
/usr/sbin/lvcreate --noudevsync --ignoremonitoring -An -pr -s qubes_dom0/root-autosnap -n root-autosnap-back
#We remove root-autosnap
/usr/sbin/lvremove --noudevsync --force -An qubes_dom0/root-autosnap || true
#We create root-autosnap from root
/usr/sbin/lvcreate --noudevsync --ignoremonitoring -An -pr -s qubes_dom0/root -n root-autosnap

And then we compare the content of the filesystems, we see that:

• /etc/libvirt/libxl
• /etc/lvm
• /etc/xdg/adjtime
• /home
• /root
• /var

Would need to be out of root fs to be able to have a RO QubesOS dom0 with dmverity

Originally posted by @tlaurion in #4371 (comment)