The Dom0 secure update mechanism
In general, Dom0 executes a secured qvm-dom0-update script under updateVM, where RPM files are checked, verified and downloaded. Once all the updates are downloaded, the update script requests for RPM service qubes.ReceiveUpdates to be executed in Dom0. This service is implemented by the qubesreceive-updates script running in Dom0. The Dom0’s qvm-dom0update script waits until qubes-receive-updates has finished. The qubes-receive-updates script processes the untrusted input from Update VM; it first extracts the received *.rpm files (that are sent over the qrexec data connection) and then verifies the digital signature on each file in order to avoid processing compromised updates. The qubes-receive-updates script is a security-critical component of the Dom0 update process.