zlacker

What Is Qubes OS?

submitted by LinuxB+(OP) on 2022-07-09 16:47:52 | 224 points 82 comments
[view article] [source] [go to bottom]

NOTE: showing posts with links only show all posts
3. mumphs+5a[view] [source] 2022-07-09 17:44:51
>>LinuxB+(OP)
Used extensively by Mullvad VPN for a lot of their infrastructure

https://mullvad.net/en/blog/2022/6/15/mullvad-is-now-continu...

24. rkager+Nr[view] [source] 2022-07-09 19:48:10
>>LinuxB+(OP)
I was reading about Device Isolation but there's still something I'm not clear on:

Does the OS claim to prevent partially-trusted PCI devices linked to one VM from accessing memory of another VM? If so, how's that done?

I understand by default the hypervisor resets a device when it's moved from one VM to another, which would mitigate an evil device driver in the former from impacting the latter. But that doesn't protect from isolation breaches caused by evil [persistent] firmware.

I thought PCI cards have DMA access to all the system's memory space, unless you happen to have a server-type motherboard with a "smart PCIe bridge that can be programmed to perform address translation and access restrictions" (https://superuser.com/a/988179). Is such hardware more common now? Or does Qubes rely on all hardware you plug into it being trustworthy?

◧◩◪◨
29. transp+Tw[view] [source] [discussion] 2022-07-09 20:22:27
>>tryauu+nr
It's about reducing the size and attack surface of the most-privileged code which runs in the system, e.g. moving code out of the kernel, making hypervisor/VMM smaller, nested VMs, hardware enclaves. This video covers some of the changes over the last decade, including Xen and Bromium, https://youtube.com/watch?v=bNVe2y34dnM
◧◩◪◨
31. Dracop+xx[view] [source] [discussion] 2022-07-09 20:27:12
>>neodym+Sq
GPU Passthrough can be solved with LookingGlass (https://looking-glass.io/) if you just want a solve that particular problem. I'm not sure how well it works on a laptop but if you have a dedicated graphics card (e.g. Nvidia) you should theoretically be able to get it working the way you want. I'm sorry for the lack of elegant all-in-one packages. I too wish for an Excalibur of VM solutions.
32. dang+rC[view] [source] 2022-07-09 21:03:54
>>LinuxB+(OP)
Related:

Qubes OS: A reasonably secure operating system - https://news.ycombinator.com/item?id=30776103 - March 2022 (97 comments)

Qubes OS 4.1.0 has been released - https://news.ycombinator.com/item?id=30215210 - Feb 2022 (1 comment)

Ask HN: Qubes OS or just separate VMs for separating work and private files? - https://news.ycombinator.com/item?id=29537961 - Dec 2021 (6 comments)

Qubes OS 4.1 RC2 - https://news.ycombinator.com/item?id=29402767 - Dec 2021 (1 comment)

Qubes OS 4.1-rc1 has been released - https://news.ycombinator.com/item?id=28856957 - Oct 2021 (5 comments)

Qubes-Lite with KVM and Wayland - https://news.ycombinator.com/item?id=26378854 - March 2021 (48 comments)

Ask HW: Qubes OS alternative on LXD containers - https://news.ycombinator.com/item?id=25562208 - Dec 2020 (21 comments)

Ask HN: Would it be possible to reimplement Qubes OS but lighter? - https://news.ycombinator.com/item?id=20622850 - Aug 2019 (2 comments)

Joanna Rutkowska leaves Qubes OS, joins Golem - https://news.ycombinator.com/item?id=18300345 - Oct 2018 (68 comments)

Introducing the Qubes U2F Proxy - https://news.ycombinator.com/item?id=17958219 - Sept 2018 (2 comments)

Qubes OS 4.0 has been released - https://news.ycombinator.com/item?id=16699900 - March 2018 (39 comments)

Qubes Air: Generalizing the Qubes Architecture - https://news.ycombinator.com/item?id=16255251 - Jan 2018 (65 comments)

Qubes OS: A reasonably secure operating system - https://news.ycombinator.com/item?id=15734416 - Nov 2017 (144 comments)

Reasonably Secure Computing in the Decentralized World - https://news.ycombinator.com/item?id=15566563 - Oct 2017 (44 comments)

Toward a Reasonably Secure Laptop - https://news.ycombinator.com/item?id=14743238 - July 2017 (100 comments)

“Paranoid Mode” Compromise Recovery on Qubes OS - https://news.ycombinator.com/item?id=14218504 - April 2017 (14 comments)

Tor at the Heart: Qubes OS - https://news.ycombinator.com/item?id=13272076 - Dec 2016 (1 comment)

Qubes OS Begins Commercialization and Community Funding Efforts - https://news.ycombinator.com/item?id=13069615 - Nov 2016 (24 comments)

Qubes OS 3.2 has been released - https://news.ycombinator.com/item?id=12604417 - Sept 2016 (30 comments)

Xen exploitation part 3: XSA-182, Qubes escape - https://news.ycombinator.com/item?id=12232932 - Aug 2016 (5 comments)

Security challenges for the Qubes build process - https://news.ycombinator.com/item?id=11801093 - May 2016 (17 comments)

Qubes OS 3.1 has been released - https://news.ycombinator.com/item?id=11260857 - March 2016 (44 comments)

Qubes OS will ship pre-installed on Purism’s security-focused Librem 13 laptop - https://news.ycombinator.com/item?id=10736516 - Dec 2015 (109 comments)

Finally, a 'Reasonably-Secure' Operating System: Qubes R3 - https://news.ycombinator.com/item?id=10654193 - Dec 2015 (1 comment)

Converting untrusted PDFs into trusted ones: The Qubes Way (2013) - https://news.ycombinator.com/item?id=10538888 - Nov 2015 (5 comments)

Enhancing Qubes with Rumprun unikernels - https://news.ycombinator.com/item?id=10518842 - Nov 2015 (5 comments)

Critical Xen bug in PV memory virtualization code - https://news.ycombinator.com/item?id=10471912 - Oct 2015 (80 comments)

Qubes – Secure Desktop OS Using Security by Compartmentalization - https://news.ycombinator.com/item?id=8428453 - Oct 2014 (49 comments)

Introducing Qubes 1.0 ("a stable and reasonably secure desktop OS") - https://news.ycombinator.com/item?id=4472403 - Sept 2012 (59 comments)

Qubes: an open source OS with strong security for desktop computing - https://news.ycombinator.com/item?id=2645170 - June 2011 (16 comments)

Review: Qubes OS Beta 1 — a new and refreshing approach to system security - https://news.ycombinator.com/item?id=2504274 - May 2011 (1 comment)

* The Linux Security Circus: On GUI isolation* - https://news.ycombinator.com/item?id=2477667 - April 2011 (47 comments)

Qubes Beta 1 has been released (strong desktop security OS) - https://news.ycombinator.com/item?id=2439096 - April 2011 (3 comments)

Qubes Architecture - actual security-oriented OS - https://news.ycombinator.com/item?id=1796384 - Oct 2010 (1 comment)

Open source Qubes OS is ultra secure - https://news.ycombinator.com/item?id=1249857 - April 2010 (7 comments)

Introducing Qubes OS - https://news.ycombinator.com/item?id=1246990 - April 2010 (20 comments)

◧◩
35. tssva+xL[view] [source] [discussion] 2022-07-09 22:21:52
>>neodym+Cl
If you just have a need for isolating Windows applications have you tried the Windows Sandbox functionality built-in to Windows 10 Pro and Enterprise version? https://docs.microsoft.com/en-us/windows/security/threat-pro...
◧◩◪◨
37. mlinks+RR[view] [source] [discussion] 2022-07-09 23:19:34
>>Chikka+8i
https://spectrum-os.org/ at least in its goals and design looks promising in that regard.
◧◩◪◨⬒⬓
41. s_ting+J11[view] [source] [discussion] 2022-07-10 00:57:51
>>neodym+d01
https://wormhole.app/
◧◩◪
47. alildp+jj1[view] [source] [discussion] 2022-07-10 04:47:37
>>alildp+dj1
Some web searches that I have made were ...

* doc

https://github.com/awsdocs/amazon-ec2-user-guide-windows/tre...

  ... Nitro-based instance type, such as M5 or C5 ...
  ... instance based on the Xen System, such as M4 or C4 ...
* FAQ

https://aws.amazon.com/ec2/faqs/

  Q. Will AWS continue to invest in its Xen-based hypervisor?
  Yes. ...

  Q. What is the Nitro Hypervisor?
  ... The Nitro Hypervisor is built on core Linux Kernel-based Virtual Machine (KVM) technology ...
> I am not sure how to interpret this. Maybe "Q. Will AWS continue to invest in its Xen-based hypervisor?" is a Marketing / PR way of phrasing something?

* Others

https://brendangregg.com/blog/2021-07-05/computing-performan... https://www.usenix.org/conference/lisa21/presentation/gregg-... https://www.usenix.org/system/files/lisa21_slides_gregg_comp...

  VM Improvements
  #6 VM Xen AWS 2017
  #7 VM AWS Nitro 2017
◧◩◪
49. alildp+xj1[view] [source] [discussion] 2022-07-10 04:50:10
>>alildp+qj1
I cloud only find pages with mention of KVM, and no Xen.

https://cloud.google.com/compute/docs/instances/nested-virtu...

  Compute Engine VMs run on a physical host that has Google's security-hardened, KVM-based hypervisor.
◧◩◪
51. alildp+Vj1[view] [source] [discussion] 2022-07-10 04:56:13
>>alildp+Pj1
https://github.com/MicrosoftDocs/azure-docs/blob/main/articl...

  The hypervisors for preparation that are covered in this article are Hyper-V, kernel-based virtual machine (KVM), and VMware.
  KVM
  This section shows you how to use KVM to prepare a RHEL 6 or RHEL 7 distro to upload to Azure.
> Maybe this means that Azure is not using KVM, and only uses Hyper-V, but it can import KVM images?
◧◩
66. fsflov+In2[view] [source] [discussion] 2022-07-10 16:21:22
>>sacros+L8
One can also ask for help on the Qubes forum: https://forum.qubes-os.org.
◧◩◪◨
69. fsflov+6o2[view] [source] [discussion] 2022-07-10 16:23:33
>>nubb+hc
My super-short introduction: https://forum.qubes-os.org/t/newbie-tutorial-s/9349/4

You simply do everything in virtual machines. Here is why: https://forum.qubes-os.org/t/how-to-pitch-qubes-os/4499/15

◧◩◪◨
71. fsflov+xp2[view] [source] [discussion] 2022-07-10 16:33:07
>>neodym+zq
> I'd like the ability to drop files to a VM from another VM, like shared folders in Workstation.

https://www.qubes-os.org/doc/how-to-copy-and-move-files/

◧◩
73. fsflov+nq2[view] [source] [discussion] 2022-07-10 16:38:13
>>alildp+Hi1
> Used to use Qubes OS, quit because I could not figure out how to move files / share files between VMs securely / easily.

Is this what your're looking for? https://www.qubes-os.org/doc/how-to-copy-and-move-files/

◧◩
74. fsflov+qr2[view] [source] [discussion] 2022-07-10 16:44:16
>>rkager+Nr
https://www.qubes-os.org/faq/#why-is-vt-damd-viamd-iommu-imp...
◧◩◪◨⬒⬓
75. simcop+Gs2[view] [source] [discussion] 2022-07-10 16:50:42
>>tryauu+2o2
Completely it's own from scratch. It's a very simple, relative to full Linux or other OS, kernel/hypervisor. It's built to load what it calls the Dom0 system, which it gives a communication channel to to start up other virtual systems that it calls DomU. This in theory lets you use any OS as the Dom0 for initializing everything (Linux, *BSD, even Windows I think) as long as there's some kind of support for that communications channel to tell the Xen kernel to start up another system.

https://wiki.xenproject.org/wiki/Xen_Project_Software_Overvi...

◧◩◪◨⬒⬓⬔⧯
82. 0xCMP+QYg[view] [source] [discussion] 2022-07-14 22:29:17
>>bzmrgo+ly1
PSA: wormhole.app and magic wormhole are not the same

If you want to use the well known magic wormhole then visit the repo for instructions: https://github.com/magic-wormhole/magic-wormhole

The current supported version is a python cli app. A rust version is being developed, but last I checked was not considered ready.

[go to top]