Qubes comes with a "Convert to trusted PDF" out of the box. Joanna Rutkowska explained how it works under the hood pretty nicely[1]. The tldr is that it is very thorough. With Qubes it is convenient too.
I used Qubes to open the application mails and their attachments and converted the interesting ones to trusted PDFs which I then forwarded to the relevant people. All further communication was only with the trusted versions.
[1] https://blog.invisiblethings.org/2013/02/21/converting-untru...
Unrelated to QubesOS.
Qubes is my daily driver by the way. My attempt of explaining it to a layman: https://forum.qubes-os.org/t/how-to-pitch-qubes-os/4499/15
You can be a victim of a random drive-by, you don't have to be a person on a "list".
Concerning the certified hardware, few vendors try to make the certification, and also coreboot is required: https://www.qubes-os.org/doc/certified-hardware/#hardware-ce...
Why does it matter? You do not run anything in dom0: https://www.qubes-os.org/doc/supported-releases/#note-on-dom...
https://forum.qubes-os.org/t/nested-virtualization/14790
Poke around /etc/libvirt/libxl and your particular VM's config file. You'll find some lines like:
<feature name='vmx' policy='disable'/> <feature name='svm' policy='disable'/>
Enable it, and you should have working nested virtualization.
Qubes OS 4.2-rc1 is available for testing - >>36178205 - June 2023 (3 comments)
New user guide: How to organize your qubes - >>33396604 - Oct 2022 (15 comments)
What Is Qubes OS? - >>32036899 - July 2022 (82 comments)
Qubes OS: A reasonably secure operating system - >>30776103 - March 2022 (97 comments)
Qubes OS 4.1.0 has been released - >>30215210 - Feb 2022 (1 comment)
Ask HN: Qubes OS or just separate VMs for separating work and private files? - >>29537961 - Dec 2021 (6 comments)
Qubes OS 4.1-rc1 has been released - >>28856957 - Oct 2021 (5 comments)
Qubes OS 4.0 has been released - >>16699900 - March 2018 (39 comments)
Qubes OS: A reasonably secure operating system - >>15734416 - Nov 2017 (144 comments)
Reasonably Secure Computing in the Decentralized World - >>15566563 - Oct 2017 (44 comments)
Toward a Reasonably Secure Laptop - >>14743238 - July 2017 (100 comments)
“Paranoid Mode” Compromise Recovery on Qubes OS - >>14218504 - April 2017 (14 comments)
Qubes OS Begins Commercialization and Community Funding Efforts - >>13069615 - Nov 2016 (24 comments)
Qubes OS 3.2 has been released - >>12604417 - Sept 2016 (30 comments)
Security challenges for the Qubes build process - >>11801093 - May 2016 (17 comments)
Qubes OS 3.1 has been released - >>11260857 - March 2016 (44 comments)
Converting untrusted PDFs into trusted ones: The Qubes Way (2013) - >>10538888 - Nov 2015 (5 comments)
Intel x86 considered harmful – survey of attacks against x86 over last 10 years - >>10458318 - Oct 2015 (169 comments)
Qubes – Secure Desktop OS Using Security by Compartmentalization - >>8428453 - Oct 2014 (49 comments)
Introducing Qubes 1.0 ("a stable and reasonably secure desktop OS") - >>4472403 - Sept 2012 (59 comments)
Qubes: an open source OS with strong security for desktop computing - >>2645170 - June 2011 (16 comments)
Review: Qubes OS Beta 1 — a new and refreshing approach to system security - >>2504274 - May 2011 (1 comment)
The Linux Security Circus: On GUI isolation - >>2477667 - April 2011 (47 comments)
Qubes Beta 1 has been released (strong desktop security OS) - >>2439096 - April 2011 (3 comments)
Qubes Architecture - actual security-oriented OS - >>1796384 - Oct 2010 (1 comment)
Open source Qubes OS is ultra secure - >>1249857 - April 2010 (7 comments)
Introducing Qubes OS - >>1246990 - April 2010 (20 comments)
And it should be quite lightweight as it’s just a container…
It’s not that I don’t believe you but I don’t understand it… why would you need VM on Linux for Docker?
edit: huh
https://docs.docker.com/desktop/faqs/linuxfaqs/#:~:text=Dock....
that’s… a bit stupid in my opinion. But you can always just use the default daemon so, eh. whatever. maybe I’m wrong. there are reasons I guess
While its dependency on Xen, a fairly bloated and thus unsafe hypervisor, is unfortunate, there's an effort[0] to remake Qubes around seL4.
It's not unthinkable, as Xen is huge, at hundreds of kLoCs. But there's an effort[0] to make a Qubes that uses seL4 in place of Xen.
Or even better, seL4, for which an effort exists[0].
The main sticking point for me is that Qubes is reasonably secure from _myself_. I make mistakes. I first started using linux with an Ubuntu install that I broke a year later because I accidentally added in a space when typing `rm -rf ~/Arduino` which made it `rm -rf ~ /Arduino`. On Qubes I can `sudo rm -rf /` on the VM I'm using right now and not break a sweat. I have a keybind to spawn a disposable "airgapped" VM to deal with sensitive or untrusted data, and it helps knowing that even if I mess up with whatever I'm doing, the VM will keep everything reasonably contained.
Some cool things that Qubes has outside of just VMs are its features enabled by the communication between VMs. Notable ones are Split GPG (https://www.qubes-os.org/doc/split-gpg/) which let you use a VM as if it were a smartcard for GPG and Split SSH (https://github.com/Qubes-Community/Contents/blob/master/docs...) which let you isolate your private SSH keys from your VM running your SSH client.
There are some sticking points around Qubes. For instance, I use Tailscale to connect my computers to each other from anywhere. Tailscale's install scripts add their keys to my VM's package manager for updates and installs. The proper way to do this in Qubes is to clone a TemplateVM, run Tailscale's install script, update, install, and then base an AppVM off of it. But that creates an entire new OS taking up storage and requiring updates. You can hack a way around this in an AppVM which saves a considerable amount of space, but it takes a lot of upfront time to do and requires you to manually update it.
Another sticking point is hardware acceleration. The desktop environment has access to hardware acceleration, so it runs fine, but opening videos in AppVMs is all software decoded. I'm on a Thinkpad T580 and it can run 1080p videos, but the fans turn on and can't do 4K. When I want to game or do something GPU heavy I either stream from my tower or completely switch over.
Overall, I'm really happy with Qubes and I'm planning to stick with it on my laptops.
It is a common workflow inside the government or other places where you need to move data across airgaps, or view content that is highly untrusted.
Shameless plug, I wrote my own that supports over 200 file formats: https://preview.ninja/
Intel x86 considered harmful – survey of attacks against x86 over last 10 years - >>10458318
> Anti Evil Maid is an implementation of a TPM-based dynamic (Intel TXT) trusted boot for dracut/initramfs-based OSes (Fedora, Qubes, etc.) with a primary goal to prevent Evil Maid attacks.
My reasoning is that while the bootloader and the kernel are signed, the initrd image loaded very early on in boot is not, because it is generated on device. So it provides a convenient way to compromise any system you have physical access to.
The anti evil maid implementation I linked to attempts to mitigate this hole using a TPM. I'm not sure why it isn't on by default but perhaps it's because the implementation has different options that require deciding on a threat model, e.g. setting a TPM password or using an external usb device to store a LUKS key. Here's a good blog post about the anti evil maid implementation that qubes uses(it also works with other distros like Fedora): https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.h...
This blog post contains a good overview of the secure boot status quo along with another potential future fix: https://0pointer.net/blog/brave-new-trusted-boot-world.html