Joanna's (Qubes OS Founder) blog [1] is a gold mine when it comes to hardware-software boundary security. Especially "State considered harmful" [2] and "x86 considered harmful" [3] papers are eye-openers.<p>[1] <a href="https://blog.invisiblethings.org/" rel="nofollow">https://blog.invisiblethings.org/</a><p>[2] <a href="https://blog.invisiblethings.org/papers/2015/state_harmful.pdf" rel="nofollow">https://blog.invisiblethings.org/papers/2015/state_harmful.p...</a><p>[3] <a href="https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf" rel="nofollow">https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf</a>
I'm very excited that Microsoft is moving in the same direction. The feature Windows Defender Application Guard (WDAG) runs Windows applications, right now only the Edge browser, in a virtualization isolated container[1]. Under the hood it's using what Microsoft calls "Hyper-V Containers", which are lightweight virtual machines that share some host resources such as a read-only filesystem. The closest open source analogues to that are Intel(R) Clear Containers[2] and Qubes.<p>The closest you can get to Qubes on Windows would be to follow Microsoft's Privileged Access Workstation (PAW) guide, but it requires a lot of additional infrastructure[3]. That infrastructure allows you to do remote attestation of the virtual machines, but makes it costly to deploy in a SMB or homelab environment.<p>I don't expect it'll be very long before PAW and WDAG are usable at the same time, with colored window borders indicating the origin virtual machine. I hope this is on Microsoft's roadmap.<p>Video on privileged access workstation use, starting at a demo: <a href="https://youtu.be/3v8yQz2GWZw?t=41m48s" rel="nofollow">https://youtu.be/3v8yQz2GWZw?t=41m48s</a><p>Video on privileged access workstation setup: <a href="https://www.youtube.com/watch?v=aPhfRTLXk_k" rel="nofollow">https://www.youtube.com/watch?v=aPhfRTLXk_k</a><p>[1] <a href="https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview" rel="nofollow">https://docs.microsoft.com/en-us/windows/threat-protection/w...</a><p>[2] <a href="https://clearlinux.org/features/intel®-clear-containers" rel="nofollow">https://clearlinux.org/features/intel®-clear-containers</a><p>[3] <a href="https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations" rel="nofollow">https://docs.microsoft.com/en-us/windows-server/identity/sec...</a>
What I'd really love to see is a marriage between NixOS and Qubes, allowing for full-system declarative configuration, including the various systems which will be running under Qubes.<p>NixOS has containers that show how this could work, but they're only via systemd-nspawn, so not as jailed as Qube's domUs.
I've been running Qubes 3.2 for about 10 months on a intel skull canyon nuc. I love it.<p>I have separate vms for media and browsing, for music (spotify), development (python, rust), skype, personal email, work email and password manager.<p>It needs 16gb of ram to be able to run all of these at once and about 150gb of disk if you actually create separate template vms.<p>My only real pain was coping and pasting between all of these vms (you need to ctrl+c then ctrl+shift+c for copy and the ctrl+shift+v, ctrl+v for paste [1])<p>I solved that with a custom solution that automatically distributes the clipboard contents (for text only) to multiple vms (depending on the source of the clipboard change). I know it defeats the purpose of isolation for the clipboard but it's ok for my use case.<p>[1] <a href="https://www.qubes-os.org/doc/copy-paste/" rel="nofollow">https://www.qubes-os.org/doc/copy-paste/</a>
I ran Qubes on a laptop for a while.
1) It's a huge battery hog.
2) It's a real pain to run a non rolling release distro (i.e. Arch). Some dependency is going to try and upgrade itself that can't and it will brick your whole distro. Even being locked to a specific release proved a bit of a pain. It just adds a lot of complexity to your day to day operations (i.e. opening a program is a tiny bit more complicated) that turned out to be a huge drain for me.
Their weakest point is the hypervisor, Xen, which while a better choice than Linux/KVM, is still extremely bloated and has a poor security history.<p>Thankfully, better designs such as seL4's VMM do exist, although it might need a little more work [1] until usable for the purpose.<p>[1] <a href="https://sel4.systems/Info/Roadmap/" rel="nofollow">https://sel4.systems/Info/Roadmap/</a>
Note that while Qubes OS uses full-disk encryption, it runs on Xen, which does not support hibernate.<p>This means that, if you use this OS on a laptop, you'll be vulnerable to cold-boot attacks, even after you close your lid, unless you configure it to shutdown on lid close. (I.e., if a highly skilled adversary steals your laptop then, even if your laptop lid is closed, they will be able to read your RAM and therefore decrypt your entire hard drive.)<p>Despite the major security implications, it doesn't sound like a fix will be implemented any time soon. [1]<p>[1] <a href="https://github.com/QubesOS/qubes-issues/issues/2414" rel="nofollow">https://github.com/QubesOS/qubes-issues/issues/2414</a>
Whatever happened to the Qubes-Purism marriage? They were on track to start Qubes-certifying Librems, and selling Librems with Qubes pre-installed ... then they cancelled the plans, and I never heard why?
10 years ago, I helped design a similar system. It was a capabilities based OS on a formally modeled microkernel.<p>I'm still not sure than there's a market for this stuff. It must be free, and it's hard to build a business model around that.
I wish there was a way I could try it. The hardware requirements ...<p><a href="https://www.qubes-os.org/doc/certified-hardware/" rel="nofollow">https://www.qubes-os.org/doc/certified-hardware/</a><p>Is anyone running this on a laptop? I get the feeling after reading that page that this is really strictly desktop only. Maybe the page has not been updated in a bit?
How about Subgraph OS? It has grsecurity patch, tor network, container isolate, firewall. It's another good choice also<p><a href="https://subgraph.com" rel="nofollow">https://subgraph.com</a>
Version 4.0 should be out soon (at RC2 now):<p><a href="https://www.qubes-os.org/news/2017/10/23/qubes-40-rc2/" rel="nofollow">https://www.qubes-os.org/news/2017/10/23/qubes-40-rc2/</a><p>Some exciting changes are coming:<p><a href="https://www.qubes-os.org/news/2017/10/03/core3/" rel="nofollow">https://www.qubes-os.org/news/2017/10/03/core3/</a><p><a href="https://www.qubes-os.org/doc/releases/4.0/release-notes/" rel="nofollow">https://www.qubes-os.org/doc/releases/4.0/release-notes/</a><p>EDIT: Downvotes for providing relevant sources, really?
I use <a href="https://en.wikipedia.org/wiki/Lightweight_Portable_Security" rel="nofollow">https://en.wikipedia.org/wiki/Lightweight_Portable_Security</a>