[HN Gopher] What Is Qubes OS?
___________________________________________________________________
What Is Qubes OS?

Author : LinuxBender
Score  : 137 points
Date   : 2022-07-09 16:47 UTC (6 hours ago)

(HTM) web link (www.qubes-os.org)
(TXT) w3m dump (www.qubes-os.org)

| duxuev wrote:
| I remember seeing that Edward Snowden uses it daily. Wonder if that's still the case.
|
| sacrosanct wrote:
| Anyone use this as a daily driver? I tried installing it and it crashed on first run. Should have looked at the list of compatible laptop models first. It's a bit overkill for my needs. My threat model doesn't require me to spawn a disposable Fedora VM just to read a PDF document. I just open a PDF in Google Docs.
|
| f38zf5vdt wrote:
| I have been using it for over 5 years for all personal things like email, banking, and paying bills. Once you find good hardware for the OS, it runs very well, but you either need a lot of memory or to close each VM as soon as you're done with it and run only one-two VMs at a time. I would say minimum of 16 GB RAM with 32-64 GB preferred.
|
| shaky-carrousel wrote:
| I do. I use it in a Librem 15v4, with 32GB of RAM.
|
| It's not only about threats, it's pretty convenient. I do all my dd operations, feeling confident a mistake won't wipe out my HDD. I have a work vm and a personal vm (and many more), and I can share full screen on my work vm knowing that all personal windows are hidden.
|
| I have files and programs organized by vms. I can try installing new applications in a disposable vm knowing well that all their files will be wiped out when I close the vm.
|
| polotics wrote:
| Works fine on an older ex-windows laptop, repurposed for throwaway VMs, trying things... Could not get it to run on a 2015 MacBook Pro, would be using it more if I had.
|
| eduction wrote:
| I have for about five years.
| Install has been fine for me across three laptops (various ThinkPads), with the caveat that I chose models known to work well with linux (you're booting into fedora, which runs Xen as dom0). Also, the one time I had to do a lot of work was when I bought a newly released version of a laptop; a few months later I upgraded to a later version of Qubes and it installed normally.
|
| There is an up front investment in figuring out how to partition your computer use/apps into VMs and then setting up the VMs. If you're not already a Linux user there is also the usual learning curve of switching to Linux (most qubes users use mostly Linux vms, windows takes more work to get going, I have windows 10 working but it took some effort).
|
| I absolutely love the disposable VM model. I do all my web surfing (except some financial sites) in disposable VMs and cannot fathom going back to downloading and executing untrusted code (JavaScript) outside a dispVM. Similarly, I cannot imagine opening documents from untrusted third parties outside a vm of some sort. Even software I don't fully trust (e.g. Zoom, bluRay ripping software) I like to run in disposable VMs or at least their own dedicated vm.
|
| Qubes is like any other specialized tool - it's worth investing the time if what it offers (security and privacy) is something you especially value. Having seen supposedly exotic and advanced threats become more commonplace over the last 20 years I think we all will end up using systems to some extent similar to Qubes, at least inspired by Qubes. Some of what's not in your threat model today will be, eventually. The only question is how much.
|
| In practical terms, it is in some ways like going from having one computer to having a network of computers. You do become something of a sysadmin.
| There is some pain there especially up front but I am at the point where I am expert enough that the ongoing time and pain investment is quite minimal.
|
| More than anything, I feel completely exposed on other OSes. I wish other operating systems (like macOS) would steal the best ideas from qubes. For example, let people open files in disposable VMs when they want to, and cause this to happen by default for downloaded files, and by default have people surf the web in the rough, more seamless equivalent of a disposable VM, possibly with some carve outs for ease of use (like make it almost transparent, with some red flag, to move downloads out of the browser vm, and do likewise with uploads). Also, Qubes has "vaults," which are just VMs with no internet where you put your most sensitive files; I put basically all my files there because they really don't need live internet. You could translate this on a "regular" OS into some kind of area that's extra protected from other processes somehow. For example unprompted access to files in the vault would require explicit authorization, and files in the vault could not cause network connections by default. Something along those lines.
|
| ChikkaChiChi wrote:
| I couldn't agree more. Secure computing adoption requires easy usability.
|
| We helped push technical adoption through skeuomorphic design patterns, but left engineers to figure out how to educate users on permissibility. That's a failure on us as an industry. We should be building to keep people safe from the dangers we all know about FIRST, then and only then should we build the access controls to allow access to other resources and interoperability.
|
| I feel like chromiumos is the closest we have to a mainstream solution for this, but a combination of Nix and Qubes would be even better.
|
| i_like_waiting wrote:
| Writing from Qubes right now. x230 with 16gb ram and it runs just fine.
| Still figuring some things out tho.
|
| mysterydip wrote:
| I tried probably half a year ago, and it installed fine, but I just couldn't wrap my head around how to use it right.
|
| nubb wrote:
| same here. the entry bar is really high on qubes.
|
| minimalist wrote:
| Daily driving for years now. Only thing to really keep in mind is having sufficient RAM. Otherwise, it's great for development. You can keep TemplateVMs for all of your development environments and tear them up and down, duplicate them, assign to a VPN, etc. Not good if you need GPU acceleration for anything, but some people have worked on GPU passthrough.
|
| jamal-kumar wrote:
| Yeah 16gigs+ is what you want here. Not rare in modern computers.
|
| Sakos wrote:
| Using Qubes over a year on my personal laptop, I found 16GB to be too fussy and I constantly had to fiddle with VM RAM sizes. I would recommend 32GB.
|
| [deleted]
|
| jamal-kumar wrote:
| I have in the past before I became bound to doing windows-compatible development. It was actually really great. I didn't hate it at all.
|
| I liked the ability to run multiple linux distros and a windows 7 VM for stuff that needed that, but scrubbing PDFs I think is one of those underrated things considering how much malware comes in through those. Like I would rather not do that in a docker container of all broken condoms. Right now I just have a separate computer to take care of that. I'd probably use qubes if I had an intel laptop as my daily driver again.
|
| Oh and the only other thing was laptop battery life. Maybe an hour and a half tops.
|
| iou wrote:
| Conceptually, I love it. I used it since about 2016 until last year, but I had to record some video and use stuff like OBS and it just became impossible (with my skill level) to get working.
|
| I abandoned and went back to Fedora, which is odd as I'd stuck with it through lots of other NVIDIA crap issues and such.
|
| Hopefully adoption increases and one day I can use in a workplace setting.
|
| imagineerschool wrote:
| QubesOS is my favourite technology existing today.
|
| Daily driver on desktop and laptop.
|
| Feels like home.
|
| ^ My highest praise.
|
| neodymiumphish wrote:
| Maybe this isn't the best place to ask this, but I'll try anyway:
|
| I'm a consultant involved in cybersecurity who often has to build and run VMs to either test out software, run things in sandbox, or connect to TOR from a VM I'll never use again.
|
| Having said that, I currently use Windows with VMWare Workstation, but I find it frustrating and would prefer something that's less frustrating and feels more built-in.
|
| Is there a solution that anyone would recommend for this kind of thing? Internal networks, Windows and Linux sandboxes, etc. I use Microsoft office products regularly, and my workstation (Dell Inspiron with an i9, 64GB ram, 2tb SSD) is connected to a thunderbolt 4 dock with 2 1440 monitors. I'd prefer for a Windows VM to have passthrough to the monitors and be able to interact with the host OS via that VM, so I can still share my screen during meetings and while coordinating efforts.
|
| eointierney wrote:
| NixOS or Guix both allow one to fire up a vm based on a specification very easily, and positively encourage interation. The learning curve is steep but rewarding.
|
| Dracophoenix wrote:
| I don't know if this works with all your criteria, but you might want to go with UnRaid or Proxmox or a Type 1 hypervisor like vSphere/ESXi or Xen.
|
| neodymiumphish wrote:
| Maybe Fedora with Xen is the route I should try, assuming I can give the Windows VM full GPU pass-through and use it as a "primary" machine. I need to be able to screenshare almost daily via Zoom.
|
| hsbauauvhabzb wrote:
| I use vbox regularly on a Linux host, it's not seamless but it works okay.
| I have custom built vm images with packer that do things like enable auto login and disable screensaver (these don't matter on a vm, your host is where they should happen). I don't need gpu so the vbox drivers suffice, but if I did I would probably consider getting a quadro or something and doing pci pass through (not even sure if vbox supports this)
|
| As a cautionary though, vms are a good boundary but not a comprehensive one. If your threat model includes execution of 0day exploits (malware analysis or browser exploit chains) that can breach hypervisor perimeters you shouldn't be doing anything sensitive from the host. RDP is better, but iirc there are some case studies of execution on the rdp client.
|
| Dracophoenix wrote:
| GPU Passthrough can be solved with LookingGlass (https://looking-glass.io/) if you just want to solve that particular problem. I'm not sure how well it works on a laptop but if you have a dedicated graphics card (e.g. Nvidia) you should theoretically be able to get it working the way you want. I'm sorry for the lack of elegant all-in-one packages. I too wish for an Excalibur of VM solutions.
|
| tryauuum wrote:
| I don't get the distinction between type 1 and type 2.
|
| E.g. xen is type 1 and KVM is type 2. But at the end of the day it's a Linux kernel in both cases that runs the virtual machines, so what's the point of distinction?
|
| transpute wrote:
| It's about reducing the size and attack surface of the most-privileged code which runs in the system, e.g. moving code out of the kernel, making hypervisor/VMM smaller, nested VMs, hardware enclaves. This video covers some of the changes over the last decade, including Xen and Bromium, https://youtube.com/watch?v=bNVe2y34dnM
|
| simcop2387 wrote:
| It's what runs above the vms that is the distinction. For xen it has its own kernel instead of running Linux as the hypervisor and host system.
| Xen still uses Linux typically as the domain zero as it calls it for doing control and setup but it doesn't necessarily have full access to all the hardware on its own.
|
| hnarn wrote:
| You don't really mention specifically what you find "frustrating" about VMWare Workstation so it's hard to know on what criteria to give a response.
|
| I don't know how "built in" it can be considered but I've used LXD a bit and since it now supports VMs as well I'm guessing you could define VMs in yaml in advance and "easily" (depending on your definition) tear down and re-deploy VMs with preconfigured network settings etc. Vagrant should also work for this with a Virtualbox or VMware backend (paid feature).
|
| What exactly do you mean when you say that the VM should be able to "interact with the host OS", isn't that exactly what you don't want and why you're running a VM in the first place?
|
| neodymiumphish wrote:
| I'd like the ability to drop files to a VM from another VM, like shared folders in Workstation.
|
| My frustrations with VMWare usually revolve around network connectivity issues. My internal or NAT networks often fail to give the guest VMs the expected connectivity.
|
| yjftsjthsd-h wrote:
| You work in cybersecurity and want _more_ exposure between the host and the guest? You have a very different risk tolerance than I would in your shoes
|
| tssva wrote:
| If you just have a need for isolating Windows applications have you tried the Windows Sandbox functionality built-in to Windows 10 Pro and Enterprise version? https://docs.microsoft.com/en-us/windows/security/threat-pro...
|
| dang wrote:
| Related:
|
| _Qubes OS: A reasonably secure operating system_ - https://news.ycombinator.com/item?id=30776103 - March 2022 (97 comments)
|
| _Qubes OS 4.1.0 has been released_ - https://news.ycombinator.com/item?id=30215210 - Feb 2022 (1 comment)
|
| _Ask HN: Qubes OS or just separate VMs for separating work and private files?_ - https://news.ycombinator.com/item?id=29537961 - Dec 2021 (6 comments)
|
| _Qubes OS 4.1 RC2_ - https://news.ycombinator.com/item?id=29402767 - Dec 2021 (1 comment)
|
| _Qubes OS 4.1-rc1 has been released_ - https://news.ycombinator.com/item?id=28856957 - Oct 2021 (5 comments)
|
| _Qubes-Lite with KVM and Wayland_ - https://news.ycombinator.com/item?id=26378854 - March 2021 (48 comments)
|
| _Ask HW: Qubes OS alternative on LXD containers_ - https://news.ycombinator.com/item?id=25562208 - Dec 2020 (21 comments)
|
| _Ask HN: Would it be possible to reimplement Qubes OS but lighter?_ - https://news.ycombinator.com/item?id=20622850 - Aug 2019 (2 comments)
|
| _Joanna Rutkowska leaves Qubes OS, joins Golem_ - https://news.ycombinator.com/item?id=18300345 - Oct 2018 (68 comments)
|
| _Introducing the Qubes U2F Proxy_ - https://news.ycombinator.com/item?id=17958219 - Sept 2018 (2 comments)
|
| _Qubes OS 4.0 has been released_ - https://news.ycombinator.com/item?id=16699900 - March 2018 (39 comments)
|
| _Qubes Air: Generalizing the Qubes Architecture_ - https://news.ycombinator.com/item?id=16255251 - Jan 2018 (65 comments)
|
| _Qubes OS: A reasonably secure operating system_ - https://news.ycombinator.com/item?id=15734416 - Nov 2017 (144 comments)
|
| _Reasonably Secure Computing in the Decentralized World_ - https://news.ycombinator.com/item?id=15566563 - Oct 2017 (44 comments)
|
| _Toward a Reasonably Secure Laptop_ - https://news.ycombinator.com/item?id=14743238 - July 2017 (100 comments)
|
| _"Paranoid Mode" Compromise Recovery on Qubes OS_ -
| https://news.ycombinator.com/item?id=14218504 - April 2017 (14 comments)
|
| _Tor at the Heart: Qubes OS_ - https://news.ycombinator.com/item?id=13272076 - Dec 2016 (1 comment)
|
| _Qubes OS Begins Commercialization and Community Funding Efforts_ - https://news.ycombinator.com/item?id=13069615 - Nov 2016 (24 comments)
|
| _Qubes OS 3.2 has been released_ - https://news.ycombinator.com/item?id=12604417 - Sept 2016 (30 comments)
|
| _Xen exploitation part 3: XSA-182, Qubes escape_ - https://news.ycombinator.com/item?id=12232932 - Aug 2016 (5 comments)
|
| _Security challenges for the Qubes build process_ - https://news.ycombinator.com/item?id=11801093 - May 2016 (17 comments)
|
| _Qubes OS 3.1 has been released_ - https://news.ycombinator.com/item?id=11260857 - March 2016 (44 comments)
|
| _Qubes OS will ship pre-installed on Purism's security-focused Librem 13 laptop_ - https://news.ycombinator.com/item?id=10736516 - Dec 2015 (109 comments)
|
| _Finally, a 'Reasonably-Secure' Operating System: Qubes R3_ - https://news.ycombinator.com/item?id=10654193 - Dec 2015 (1 comment)
|
| _Converting untrusted PDFs into trusted ones: The Qubes Way (2013)_ - https://news.ycombinator.com/item?id=10538888 - Nov 2015 (5 comments)
|
| _Enhancing Qubes with Rumprun unikernels_ - https://news.ycombinator.com/item?id=10518842 - Nov 2015 (5 comments)
|
| _Critical Xen bug in PV memory virtualization code_ - https://news.ycombinator.com/item?id=10471912 - Oct 2015 (80 comments)
|
| _Qubes - Secure Desktop OS Using Security by Compartmentalization_ - https://news.ycombinator.com/item?id=8428453 - Oct 2014 (49 comments)
|
| _Introducing Qubes 1.0 ("a stable and reasonably secure desktop OS")_ - https://news.ycombinator.com/item?id=4472403 - Sept 2012 (59 comments)
|
| _Qubes: an open source OS with strong security for desktop computing_ - https://news.ycombinator.com/item?id=2645170 - June 2011 (16 comments)
|
| _Review: Qubes OS
| Beta 1 -- a new and refreshing approach to system security_ - https://news.ycombinator.com/item?id=2504274 - May 2011 (1 comment)
|
| _The Linux Security Circus: On GUI isolation_ - https://news.ycombinator.com/item?id=2477667 - April 2011 (47 comments)
|
| _Qubes Beta 1 has been released (strong desktop security OS)_ - https://news.ycombinator.com/item?id=2439096 - April 2011 (3 comments)
|
| _Qubes Architecture - actual security-oriented OS_ - https://news.ycombinator.com/item?id=1796384 - Oct 2010 (1 comment)
|
| _Open source Qubes OS is ultra secure_ - https://news.ycombinator.com/item?id=1249857 - April 2010 (7 comments)
|
| _Introducing Qubes OS_ - https://news.ycombinator.com/item?id=1246990 - April 2010 (20 comments)
|
| [deleted]
|
| mumphster wrote:
| Used extensively by Mullvad VPN for a lot of their infrastructure
|
| https://mullvad.net/en/blog/2022/6/15/mullvad-is-now-continu...
|
| cpach wrote:
| Not really for infrastructure though? Still neat.
|
| jacooper wrote:
| My main problem with QubesOS is GPU acceleration. Using any intensive app is a chore because it's so slow, and I also game on Linux.
|
| But in general I don't think it's for me anyway, I'm comfortable with my current Fedora 36 Workstation setup.
|
| mrtweetyhack wrote:
|
| rkagerer wrote:
| I was reading about Device Isolation but there's still something I'm not clear on:
|
| Does the OS claim to prevent partially-trusted PCI devices linked to one VM from accessing memory of another VM? If so, how's that done?
|
| I understand by default the hypervisor resets a device when it's moved from one VM to another, which would mitigate an evil device driver in the former from impacting the latter. But that doesn't protect from isolation breaches caused by evil [persistent] firmware.
|
| I thought PCI cards have DMA access to all the system's memory space, unless you happen to have a server-type motherboard with a "smart PCIe bridge that can be programmed to perform address translation and access restrictions" (https://superuser.com/a/988179). Is such hardware more common now? Or does Qubes rely on all hardware you plug into it being trustworthy?
|
| simcop2387 wrote:
| The iommu device is present on nearly all systems these days, even consumer ones. Intel calls it vt-d. The big issue is the device groupings that are set up by the firmware, and downstream pcie bridges. It's become more common because it's the only way to secure thunderbolt ports
|
| wtallis wrote:
| Yep, IOMMU support used to be one of those features Intel used for product segmentation, eg. disabling it on the -K overclockable CPUs while leaving it enabled on the counterparts with locked multipliers. Thunderbolt is what forced them to stop playing that game.
___________________________________________________________________
(page generated 2022-07-09 23:00 UTC)
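
The device groupings raised in the last exchange of the thread can be inspected on a stock Linux kernel under `/sys/kernel/iommu_groups`. The shell functions below are an added example, not part of the thread and not Qubes or Xen code; they assume that sysfs layout (how Qubes/Xen exposes groupings is not covered by the thread), and `make_sample_tree` builds a constructed tree, not real hardware.

```shell
#!/bin/sh
# Added example: report which PCI devices share an IOMMU group.
# Devices in one group are not isolated from each other by the IOMMU,
# so they can only be handed to a VM together.

# Linux sysfs location; another root can be passed in (used for the sample).
IOMMU_ROOT_DEFAULT=/sys/kernel/iommu_groups

# Print one line per group: "<group> <device-count> <dev> <dev> ..."
# Returns non-zero when no groups exist (IOMMU absent or disabled).
iommu_groups() {
    root=${1:-$IOMMU_ROOT_DEFAULT}
    found=0
    for gdir in "$root"/*/; do
        [ -d "${gdir}devices" ] || continue
        found=1
        group=$(basename "$gdir")
        devs=""
        count=0
        for d in "${gdir}devices"/*; do
            [ -e "$d" ] || continue
            devs="$devs $(basename "$d")"
            count=$((count + 1))
        done
        echo "$group $count$devs"
    done
    [ "$found" -eq 1 ]
}

# Print only the group numbers that hold more than one device; these are
# the groups where per-device isolation is not available.
shared_iommu_groups() {
    iommu_groups "$1" | awk '$2 > 1 { print $1 }' | sort -n
}

# Constructed sample tree (hypothetical addresses): group 1 holds two devices.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/0/devices/0000:00:02.0" \
             "$t/1/devices/0000:00:14.0" "$t/1/devices/0000:00:14.2" \
             "$t/13/devices/0000:03:00.0"
    echo "$t"
}
```

Calling `shared_iommu_groups` with no argument reads the live sysfs tree; an empty result with a zero-length `iommu_groups` listing means the kernel exposes no IOMMU groups at all.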