Knowing what I know of Qubes, and reading that post - I think they mean lots of folks are using it for their workstations. Qubes doesn't really make sense on a server, which is how I'd normally read "infrastructure".
VPN providers are an annoyance for "collect it all" types. If they have the ingress servers' wireguard private keys, that annoyance goes away. Note that I use the term "annoyance", not "threat"... they sit in that gray zone where it's an irritant but not worth kidnapping people.
Conceptually, I love it.
I used it since about 2016 until last year, but I had to record some video and use stuff like OBS and it just became impossible (with my skill level) to get working.
I abandoned and went back to Fedora, which is odd as I’d stuck with it through lots of other NVIDIA crap issues and such.
Hopefully adoption increases and one day I can use in a workplace setting.
I was reading about Device Isolation but there's still something I'm not clear on:
Does the OS claim to prevent partially-trusted PCI devices linked to one VM from accessing memory of another VM? If so, how's that done?
I understand by default the hypervisor resets a device when it's moved from one VM to another, which would mitigate an evil device driver in the former from impacting the latter. But that doesn't protect from isolation breaches caused by evil [persistent] firmware.
I thought PCI cards have DMA access to all the system's memory space, unless you happen to have a server-type motherboard with a "smart PCIe bridge that can be programmed to perform address translation and access restrictions" (https://superuser.com/a/988179). Is such hardware more common now? Or does Qubes rely on all hardware you plug into it being trustworthy?
The iommu device is present on nearly all systems these days, even consumer ones. Intel calls it vt-d. The big issue is the device groupings that are setup by the firmware, and down stream pcie bridges. It's become more common because it's the only way to secure thunderbolt ports
Yep, IOMMU support used to be one of those features Intel used for product segmentation, eg. disabling it on the -K overclockable CPUs while leaving it enabled on the counterparts with locked multipliers. Thunderbolt is what forced them to stop playing that game.
> The iommu device is present on nearly all systems these days, even consumer ones.
Along with the IME device or PSP device, which conveniently get to bypass the iommu.
Finding machines with an iommu and without an IME/PSP/equivalent is remarkably difficult. It's basically modern POWER9, 2013-era Opterons, and one or two chromebook-grade Rockchip devices.
If all the criminal elements on the internet including the dark web are actually the state, then worrying about device isolation is the least of your worries!
Maybe this isn't the best place to ask this, but I'll try anyway:
I'm a consultant involved in cybersecurity who often has to build and run VMs to either test out software, run things in sandbox, or connect to TOR from a VM I'll never use again.
Having said that, I currently use Windows with VMWare Workstation, but I find it frustrating and would prefer something that's less frustrating and feels more built-in.
Is there a solution that anyone would recommend for this kind of thing? Internal networks, Windows and Linux sandboxes, etc. I use Microsoft office products regularly, and my workstation (Dell Inspiron with an i9, 64GB ram, 2tb SSD) is connected to a thunderbolt 4 dock with 2 1440 monitors. I'd prefer for a Windows VM to have passthrough to the monitors and be able to interact with the host OS via that VM, so I can still share my screen during meetings and while coordinating efforts.
You don’t really mention specifically what you find “frustrating” about VMWare Workstation so it’s hard to know on what criteria to give a response.
I don’t know how “built in” it can be considered but I’ve used LXD a bit and since it now supports VMs as well I’m guessing you could define VMs in yaml in advance and “easily” (depending on your definition) tear down and re-deploy VMs with preconfigured network settings etc. Vagrant should also work for this with a Virtualbox or VMware backend (paid feature).
What exactly do you mean when you say that the VM should be able to “interact with the host OS”, isn’t that exactly what you don’t want and why you’re running a VM in the first place?
I'd like the ability to drop files to a VM from another VM, like shared folders in Workstation.
My frustrations with VMWare usually revolve around network connectivity issues. My internal or NAT networks often fail to give the guest VMs the expected connectivity.
If I'm doing real malware execution and analysis, I would one- way transfer the relevant file(s) to my sandbox and disable any backward connectivity before execution, but I still need a reasonably simple way of getting files to (suspicious files, etc) and from (resulting logs, registry changes, pcap, etc) the malware sandbox. Ive kinda solved this already using a number of tools outside my work host, but just in the off situations where this is necessary I want to have a template VM prepped in advance.
I second this, it's called magic wormhole, if you want the source, croc is a more friendly solution built ontop of magic wormhole. In any event, quick and easy.
It’s very different. Can I open a PDF from Windows into Windows Sandbox with 2 clicks and close with 1 after reading, nearly instantaneously, without noticing the virtualization? Nope. Windows Sandbox is just a fresh VM, almost useless.
Using a zero install PDF viewer, the wsb login command and a few lines script file one could also have the PDF automatically open in the Windows sandbox with a double click or using "Open with" from the context menu.
I don't get the distinction between type 1 and type 2.
E.g. xen is type 1 and KVM is type 2. But at the end of the day it's a Linux kernel in both cases that runs the virtual machines, so what's the point of distinction?
It's about reducing the size and attack surface of the most-privileged code which runs in the system, e.g. moving code out of the kernel, making hypervisor/VMM smaller, nested VMs, hardware enclaves. This video covers some of the changes over the last decade, including Xen and Bromium, https://youtube.com/watch?v=bNVe2y34dnM
It's what runs above the vms that is the distinction. For xen it has its own kernel instead of running Linux as the hypervisor and host system. Xen still uses Linux typically as the domain zero as it calls it for doing control and setup but it doesn't necessarily have full access to all the hardware on its own.
Completely it's own from scratch. It's a very simple, relative to full Linux or other OS, kernel/hypervisor. It's built to load what it calls the Dom0 system, which it gives a communication channel to to start up other virtual systems that it calls DomU. This in theory lets you use any OS as the Dom0 for initializing everything (Linux, *BSD, even Windows I think) as long as there's some kind of support for that communications channel to tell the Xen kernel to start up another system.
Maybe Fedora with Xen is the route I should try, assuming I can give the Windows VM full GPU pass-through and use it as a "primary" machine. I need to be able to screenshare almost daily via Zoom.
I use vbox regularly on a Linux host, it’s not seamless but it works okay. I have custom built vm images with packer that do things like enable auto login and disable screensaver (these don’t matter on a vm, your host is where they should happen). I don’t need gpu so the vbox drivers suffice, but if I did I would probably consider getting a quadro or something and doing pci pass through (not even sure if vbox supports this)
As a cautionary though, vms are a good boundary but not a comprehensive one. If your threat model includes execution of 0day exploits (malware analysis or browser exploit chains) that can breach hypervisor perimeters you shouldn’t be doing anything sensitive from the host. RDP is better, but iirc there are some case studies of execution on the rdp client.
GPU Passthrough can be solved with LookingGlass (https://looking-glass.io/) if you just want a solve that particular problem. I'm not sure how well it works on a laptop but if you have a dedicated graphics card (e.g. Nvidia) you should theoretically be able to get it working the way you want. I'm sorry for the lack of elegant all-in-one packages. I too wish for an Excalibur of VM solutions.
NixOS or Guix both allow one to fire up a vm based on a specification very easily, and positively encourage interation. The learning curve is steep but rewarding.
Anyone use this as a daily driver? I tried installing it and it crashed on first run. Should have looked at the list of compatible laptop models first. It’s a bit overkill for my needs. My threat model doesn’t require me to spawn a disposable Fedora VM just to read a PDF document. I just open a PDF in Google Docs.
I do. I use it in a Librem 15v4, with 32GB of RAM.
It's not only about threats, it's pretty convenient. I do all my dd operations, feeling confident a mistake won't wipe out my HDD. I have a work vm and a personal vm (and many more), and I can share full screen on my work vm knowing that all personal windows are hidden.
I have files and programs organized by vms. I can try installing new applications in a disposable vm knowing well that all their files will be wiped out when I close the vm.
Daily driving for years now. Only thing to really keep in mind is having sufficient RAM. Otherwise, it's great for development. You can keep TemplateVMs for all of your development environments and tear them up and down, duplicate them, assign to a VPN, etc. Not good if you need GPU acceleration for anything, but some people have worked on GPU passthrough.
I have in the past before I became bound to doing windows-compatible development. It was actually really great. I didn't hate it at all.
I liked the ability to run multiple linux distros and a windows 7 VM for stuff that needed that, but scrubbing PDFs I think is one of those underrated things considering how much malware comes in through those. Like I would rather not do that in a docker container of all broken condoms. Right now I just have a seperate computer to take care of that. I'd probably use qubes if I had an intel laptop as my daily driver again.
Oh and the only other thing was laptop battery life. Maybe an hour and a half tops.
I have for about five years. Install has been fine for me across three laptops (various ThinkPads), with the caveat that I chose models known to work well with linux (you’re booting into fedora, which runs Xen as dom0). Also, the one time I had to do a lot of work was when I bought a newly released version of a laptop; a few months later I upgraded to a later version of Qubes and it installed normally.
There is an up front investment in figuring out how to partition your computer use/apps into VMs and then setting up the VMs. If you’re not already a Linux user there is also the usual learning curve of switching to Linux (most qubes users use mostly Linux vms, windows takes more work to get going, I have windows 10 working but it took some effort).
I absolutely love the disposable VM model. I do all my web surfing (except some financial sites) in disposable VMs and cannot fathom going back to downloading and executing untrusted code (JavaScript) outside a dispVM. Similarly, I cannot imagine opening documents from untrusted third parties outside a vm of some sort. Even software I don’t fully trust (e.g. Zoom, bluRay ripping software) I like to run in disposable VMs or at least their own dedicated vm.
Qubes is like any other specialized tool - it’s worth investing the time if what it offers (security and privacy) is something you especially value. Having seen supposedly exotic and advanced threats become more commonplace over the last 20 years I think we all will end up using systems to some extent similar to Qubes, at least inspired by Qubes. Some of what’s not in your threat model today will be, eventually. The only question is how much.
In practical terms, it is in some ways like going from having one computer to having a network of computers. You do become something of a sysadmin. There is some pain there especially up front but I am at the point where I am expert enough that the ongoing time and pain investment is quite minimal.
More than anything, I feel completely exposed on other OSes. I wish other operating systems (like macOS) would steal the best ideas from qubes. For example, let people open files in disposable VMs when they want to, and cause this to happen by default for downloaded files, and by default have people surf the web in the rough, more seamless equivalent of a disposable VM, possibly with some carve outs for ease of use (like make it almost transparent, with some red flag, to move downloads out of the browser vm, and do likewise with uploads). Also, Qubes has “vaults,” which are just VMs with no internet where you put your most sensitive files; I put basically all my files there because they really don’t need live internet. You could translate this on a “regular” OS into some kind of area that’s extra protected from other processes somehow. For example unprompted access to files in the vault would require explicit authorization, and files in the vault could not cause network connections by default. Something along those lines.
I couldn't agree more. Secure computing adoption requires easy usability.
We helped push technical adoption through skeuomorphic design patterns, but left engineers to figure out how to educate users on permissibility. That's a failure on us as an industry. We should be building to keep people safe from the dangers we all know about FIRST, then and only then should we build the access controls to allow access to other resources and interoperability.
I feel like chromiumos is the closest we have to a mainstream solution for this, but a combination of Nix and Qubes would be even better.
I have been using it for over 5 years for all personal things like email, banking, and paying bills. Once you find good hardware for the OS, it runs very well, but you either need a lot of memory or to close each VM as soon as you're done with it and run only one-two VMs at a time. I would say minimum of 16 GB RAM with 32-64 GB preferred.
I put 64gb ram in a librem 14. Cost around $200. The only thing I feel is lack of GPU. The hardware all works great. (The librem build itself is meh, but it all works perfectly with qubes without any tinkering.)
Works fine on an older ex-windows laptop, repurposed for throwaway VMs, trying things...
Could not get it to run on a 2015 MacBook Pro, would be using it more if I had.
Looking for AWS use of Xen and other hypervisors, to see if Xen is still widely used, but could not figure out if Xen will continued to be used, or if AWS is moving from Xen to KVM.
Q. Will AWS continue to invest in its Xen-based hypervisor?
Yes. ...
Q. What is the Nitro Hypervisor?
... The Nitro Hypervisor is built on core Linux Kernel-based Virtual Machine (KVM) technology ...
> I am not sure how to interpret this. Maybe "Q. Will AWS continue to invest in its Xen-based hypervisor?" is a Marketing / PR way of phrasing something?
The hypervisors for preparation that are covered in this article are Hyper-V, kernel-based virtual machine (KVM), and VMware.
KVM
This section shows you how to use KVM to prepare a RHEL 6 or RHEL 7 distro to upload to Azure.
> Maybe this means that Azure is not using KVM, and only uses Hyper-V, but it can import KVM images?
But I don't really see how it relates to efficiency however since all are VMs running their own kernel. It doesn't change anything that they are different versions or not.
https://mullvad.net/en/blog/2022/6/15/mullvad-is-now-continu...