Safe Cube

Linux users with an eye on security often turn to Live systems such as Tails [1]. One significant limitation of the leading security distros is that they offer little protection at runtime: All applications run in a common context.

Qubes OS [2] takes a different approach. Security in Qubes is the result of isolation. Chief developer and security researcher Joanna Rutkowska [3] assumes that, with the millions of lines of code and instructions in today's applications, no perfectly error-free desktop user environment can exist. She calls Qubes OS a "reasonably secure operating system."

Isolation has been an option within the Linux scene for years. Technologies such as sandboxes, containers, and virtual machines (VMs) all offer some means to limit an application's access to the system. If isolation is deployed effectively, an intruder who takes over the application won't be able to access the rest of the operating system. Qubes OS is designed with the goal of building this isolation into the user environment, so it is extremely easy to implement. In fact, there is no excuse not to implement it.

In 2007, Rutkowska founded security corporation Invisible Things Lab [4] in Warsaw, which specializes in security research. Since 2010, the Invisible Things team has also been developing Qubes OS. Version 4.0 is now available after almost two years of development. The latest update includes many changes. The system is based on Fedora with Xfce as the desktop environment, kernel 4.14.18, and the Xen 4.8 hypervisor to enable mutual isolation of workspaces or applications on separate VMs.

Cubed

In Qubes OS, isolation units are known as qubes. You can set up one qube for insecure websites and another for banking transactions, each with different authorizations. If the qube for insecure websites is compromised by malware, the attacker is still denied access to the qube for banking transactions.

The developers ensure this protection by giving the qube read-only access to the filesystem of the VM template on which it is based, so that a qube cannot modify a template in any way. In addition, Qubes offers the option to create "disposable VMs." A disposable qube could be used to open email attachments or suspicious files and dispose of the VM afterwards.

Qubes also encapsulates the network and storage subsystems into separate domains, as VMs are known in Xen. The different domains are based on VM templates that control the rights of the domain and provide the basic framework. A minimal host system with the Xfce desktop runs on the privileged admin VM dom0. In addition to other changes (see the box entitled "Qubes OS 4.0"), Qubes OS 4.0 significantly expands the system of domains.

Qubes OS 4.0

One of the goals of the Qubes 4.0 cycle is to replace the Qube Manager management tool with standalone tools that replicate most of its original functionality. Qube Manager offers a graphical approach to starting and stopping VMs. In version 4.0, USB sticks, mice, headphones, microphones, and similar devices can now be assigned to or removed from a VM using an icon top-right in the panel (Figure 1). Also, unlike the previous version, the system now encrypts all backups (Figure 2). See the release notes for a summary of other changes with Qubes OS 4.0 [5].

Figure 1: You can enable external hardware such as USB sticks, microphones, or webcams specifically in the domain where you need the device.

Figure 2: You can control backups through the menus; select the data to back up by moving the qubes.

Hardware Diva

Due to its structure, Qubes could easily be called demanding when it comes to system resources. The hardware must have a 64-bit Intel or AMD CPU that supports Intel VT-x [6], VT-d, and Extended Page Table (EPT) or AMD-V [7], AMD-Vi, and Rapid Virtualization Indexing (RVI) virtualization technologies. In addition, you'll need at least 4GB RAM and 32GB free hard disk space.

Not only must the CPU support the necessary virtualization features; these features must also be enabled in the BIOS/UEFI. To find out more about your hardware configuration, use the command:

sudo cat /proc/cpuinfo

Check out the Qubes documentation for a list of compatible devices [8]. Typically, some ThinkPads and the current models by Tuxedo Computers are well-equipped for Qubes.

You can test the compatibility of your computer with Qubes OS by simply starting the installer. Qubes does not start as a live system due to its functionality, but the wizard checks the hardware for its suitability while the installation routine is loading. At the beginning of the installation process, after selecting the language, you might see a warning about virtualization functions that are missing or disabled on your hardware.

In particular, don't ignore the warning about the lack of support for IOMMU, also known as VT-d on Intel processors, and Second Level Address Translation (SLAT), also known as hardware storage virtualization. The installation can continue in these cases, but the system will not function fully as intended.

If IOMMU is not supported, you can work around the problem by downgrading the virtualization mode for the sys-net and sys-usb VMs from HVM (Hardware VM) to PV (ParaVirtualized). To downgrade the virtualization mode, run the commands from Listing 1 with administrative rights in the dom0 terminal.

Read First

Qubes OS uses Fedora's Anaconda installation wizard. If you are not familiar with Anaconda, you might have a hard time with the partitioning step at the beginning, but after a little trial and error, you will soon understand the underlying system. By default, the system encrypts the data carriers completely, but you can disable this option.

Before you get started, it is a good idea to browse the well-designed documentation. The installation itself takes about half an hour on state-of-the-art hardware; after the usual reboot, the initial setup follows. As a newcomer, you will want to accept the default settings. If you selected Whonix at the beginning of the installation, you should enable it here. The setup takes another 10 minutes.