1. 27

I have been using Ubuntu LTS as my desktop OS since 18.04 and now that 22.04 is getting ready to drop I was curious what my other options were these days. I stumbled upon Qubes and was intrigued by its security model and was curious if anyone had used it, had thoughts about it, like it, hated it, etc.

  1. 5

    I heard there was a project to port Qubes to seL4 as hypervisor. This was years ago, and I haven’t heard about it again.

    I am hopeful it will pick up, at which point Qubes architecture will possibly be sound. Right now, unfortunately, they use Xen, which hypervisor runs with full privileges and is far too large to be trusted.


    Found the effort, makatea.

    The requirements document suggests, near the end, that this effort is funded. I am very hopeful for this project.

    I quote:

    This effort is co-funded by a grant from NLnet Foundation. Neutrality’s time is co-funded by the Innosuisse – Swiss Innovation Agency and the European Union, under the Eurostars2 programme as Project E!115764.

    1. 5

      There was work to port Qubes to Genode and the NOVA hypervisor, but not seL4. Last I heard the seL4 virtualization is pretty buggy (yes, seL4 does crash).

      1. 4

        > and is far too large to be trusted

        Trusted to protect against who/what?

        If I was looking for an OS that would keep my computer relatively safe against 0days in my web browser, Qubes would be an attractive option: my threat model would essentially be “let me keep my bank activity over there, my work activity over here, and any risky browsing contained far away”. Could someone build an exploit chain from Firefox through the OS into Xen? Sure, but I’m not betting on it: that’s a ton of effort that would be best spent exploiting cloud computing users instead of little ol’ me.

        If I was looking for an OS that would keep me safe against an advanced threat actor with state-level funding? I probably would decide to do less interesting things with my life and stop using a computer to do those things.

        Sweeping claims about what can/cannot be trusted are disappointing when they aren’t tied to a threat model. Qubes, however, disappoints me as well because they don’t publish any explicit threat model that I could easily find via searching.

      2. 4

        context: been using qubes on a thinkpad for over a year. tl;dw: love it, try it, decent i3wm integration... expect a learning curve, this is quite different from a regular linux distro. and don’t expect decent battery life if on a laptop

        1. 4
          1. 4

            This is why the seL4 port is so important.

            In seL4, VM exceptions go to VMM, which is a user process with no more capabilities than the VM itself requires.

            Thus, a VM escape will never yield anything better than getting root on the VM itself.

            1. 2

              The same holds for the NOVA microhypervisor and Fiasco.OC/L4RE.

              1. 1

                They’re also not architecture-wise bankrupt, but they don’t have seL4-tier proofs, nor seL4-tier performance.

                It’s sad that bad architectures (e.g. Xen, KVM) are so common.

                1. 1

                  > they don’t have seL4-tier proofs


                  > nor seL4-tier performance.

                  Depends on the performance indicators you address. I agree that seL4 may have lightning-fast ping-pong IPC. But, what about real-world use case scenarios like the secure desktop with several virtual machines, isolated device drivers, and native components for file systems, GUI, network access configuration etc.? And don’t forget the dynamics of such a system. Does the static container approach really fit this use case?

          2. 4

            If you are more BSD than Linux, then FreeBSD has a similar implementation with quBSD:

            1. 2

              I used QubesOS as my daily driver from 2016 to 2021. I’ve mostly been using a Pinebook Pro since mid 2021, which I’d use QubesOS on if it were available for aarch64 and the performance were tolerable. I have too many thoughts about QubesOS for a comment here; if there’s interest in long-term user perspectives, maybe I should write a post – does OP have specific questions?

              (full disclosure: I was funded to work on a component for QubesOS at one point, but not directly by Qubes or its governing foundation, and I’ve never been part of the Qubes project itself.)

              A few responses to other comments here:

              While it’s true that Xen doesn’t have a spotless security record, I’d rather have it as my hypervisor than Linux. I’d rather have seL4 than either of them! But I don’t know how to run seL4 on my laptop.

              I have way too much Linux-greybeard brain poison to be a reliable source on which usability quirks are real hurdles for “normal” people and which ones aren’t. When I started using QubesOS, there wasn’t a nice tiling window manager easily available; that problem’s been fixed for years, and most of what I want to do is very easily accomplished. There are only occasionally things I want to do but can’t: run software that really needs access to a GPU, and share my entire desktop via teleconferencing software. Both of those are tasks QubesOS explicitly will not support - it’s a feature, not a bug, in other words.

              The friend who got me into Qubes in the first place has been working on a Qubes-lite with KVM and Wayland, which might be of interest to folks here.

              1. 2

                this quote from theo is often brought up when people talk about qubes os from a security perspective.

                I don’t fancy myself in a position to make an assessment, but I suppose this has been validated somewhat by the recent malware targeting hypervisors

                1. 1

                  An ex-colleague of mine from a few jobs ago got funding to build an alternative to Qubes OS, called Spectrum. I think it’s still under active development, but re-reading the motivation linked from https://spectrum-os.org/ has gotten me excited about what could be again.

                  1. 3

                    Not a true alternative. It is based on a broken assumption: “Linux can be trusted to provide isolation.”

                    It cannot. There’s no proof. There can be no proof as Linux is way too large for formal analysis.

                    Probability-wise, Linux is full of bugs. And its history of security issues showcases this very well.

                    1. 1

                      Still, Android uses Linux-based isolation for apps. And I cannot say that I have heard particularly bad things about it.

                      1. 1

                        Android itself has had its fair share of security-relevant bugs.

                        Whereas Google has been working on Fuchsia (with a much smaller TCB) for a while, and the Android runtime is known to have been ported already.

                        It would indeed not be wise to continue to rely on Linux forever. It simply isn’t a sound architecture.

                        1. 2

                          Monolithic kernel OS architectures are surely one of the worst architectures from a security and safety point of view. However, when we will see a shift away from Linux depends on many other factors too. History is full of cases where the superior technology/architecture does not prevail. I guess it probably depends on how much money someone is willing to invest in e.g. Fuchsia. That said, I keep my fingers crossed and the latest news regarding Fuchsia looks promising.

                          1. 1

                            For the seL4 Qubes referenced in my comment above, only Xen (hypervisor) would be replaced by seL4.

                            The user would still deal with isolated Linux VMs, it is just the isolation would be provided by seL4 rather than Xen.

                            I am also hopeful for Fuchsia getting somewhere. I doubt Google’d abandon it at this point, being aware of Linux’s unsuitability.

                  2. 1

                    I know usability and security are often at odds, but I’m taken aback when the OS has to have documentation on how to copy and paste text. (TL;DR: you have to use special hot-keys to export or import the per-container clipboard.)

                    I could give a couple of suggestions on how to do this better, but they probably would require some hacks to the client OSs. I’m guessing there are other usability problems coming from this very-low-level compartmentalization.

                    Not saying this OS isn’t great for the Snowden types who need extra high security, but it doesn’t seem like an approach that will work for mainstream users.

                    1. 1

                      > but I’m taken aback when the OS has to have documentation on how to copy and paste text.

                      There’s no going around that. Crossing domains needs to be explicit, or the separation does become effectively useless.

                      1. 2

                        Yes, I’m aware of the security issues in clipboard access. But the approach here is pretty crude, and messes up the UX 100% of the time to guard against a problem that occurs only rarely. Better would be to make the clipboard contents opaque to security domains other than the one I copied from, until I choose to paste. (Which is basically what iOS does, for example.)

                        But this UI can’t do that, because it’s running unmodified OSs so its security layer can’t get involved in higher level tasks like clipboard access.

                    2. 1

                      Probably not what you’re looking for, but Windows seems to be getting more and more VM-based isolation, e.g.

                      Microsoft’s solutions tend to be a lot more transparent than Qubes, which is both good (security you don’t use doesn’t help), and bad (Qubes will make you think more seriously about crossing security domains, and e.g. disposable VMs can help recover from undetected compromise.)

                      1. 2

                        Great, but overall more and more anti-customer “features” are forced onto users, often without warning and often really forced upon, with no option to deny.

                        With that it’s hard to consider the OS even remotely secure.
