http://www.techradar.com/pro/linux March 2020 LXF260 19
Distribution REVIEWS
Qubes works
on the principle
of security
by isolation.
It makes
intelligent use
of virtualisation
to ensure
that malicious
software
remains
restricted and
isolated from
other parts of
the installation.
CPU: Intel VT-x
with EPT or
AMD-V with RVI
along with Intel
VT-d or AMD
IOMMU
MEM: 4GB
HDD: 32GB
BUILD: 64-bit
only
IN BRIEF
MIN SPEC
VERDICT
Manager app, whose duties have now been delegated
to apps in other logical places. Some of them have
been assigned to the new Qube Manager widget in
the system tray that can be used for monitoring and
managing AppVMs.
All the VMs in the Qubes main menu now list a Qube
Settings entry. This leads to a multi-tabbed settings panel
from where you can control various aspects of that VM.
Settings that affect the operation of Qubes OS as a whole
have been moved to a separate app named Qubes Global
Settings; there’s also a separate app for creating new
custom AppVMs.
All said and done, while it might sound like a handful
Qubes isn’t cumbersome to operate. Thanks to the new
logically positioned management apps, it wouldn’t take
much time and effort to get used to the nuances of the
distro and to mould it to your requirements.
on’t let the relatively small version fool you; the
Qubes project has been putting out releases for
almost a decade. In that period, Qubes has
established itself as arguably the most popular security-
centric distribution, thanks mainly to its unique approach
of isolating the essential elements that constitute an
operating system inside different virtual machines.
Essentially, Qubes divides an installation into a series
of virtual domains called qubes. An individual instance of
an app is restricted within its own qube. So you run Firefox
in one to visit untrusted websites and another instance of
the browser in a different qube to transact online. A
malware-ridden website in the untrusted qube will not
affect the banking session.
Despite its radically different approach, Qubes isn’t all
that different from your typical distro. Sure, it does have a
learning curve, but this isn’t abrupt enough to prevent you
from using the distro post-installation. Qubes is based on
Fedora and uses the Xfce desktop environment, but you’ll
need to familiarise yourself with its peculiarities. For
instance, instead of a list of apps, the application menu
lists several qubes, such as Work, Personal, Untrusted,
each of which rolls the individual apps inside them.
The distro only ships with a handful of the most
essential desktop apps, and you can fetch additional
ones with the package manager like a regular distro. But
here again, you’ll need to make sure you flesh out the
installation from within the DomU unprivileged domain,
or you’ll end up negating Qubes’ security advantages.
Another major diversion from typical distros is that
Qubes isn’t designed as a multi-user system. The user
that logs into Dom0 controls the whole system. Also,
don’t expect to play Steam games inside an AppVM of its
own just yet, as Qubes doesn’t virtualise OpenGL. Its
developers argue that this would introduce a great deal of
complexity to the GUI virtualisation infrastructure.
Streamlined execution
The current version, v4.0.2 is a point release that applies
the latest updates to the major 4.0 release. A majority of
the changes in v4.0 are behind the scenes. Many of these
manifested themselves in terms of changes to how users
interact with the installation.
Perhaps the biggest change in this release is that the
project has ditched paravirtualisation (PV) and switched
over to full virtualisation. The developers admit that PV
might not be the right technology for security-critical
applications. For instance, PV VMs don’t protect against
the Meltdown attack. Also, the edge PV offered over full-
virtualisation back when Qubes was on the drawing board
has been lost thanks to the second-generation
virtualisation technologies like Intel EPT and AMD RVI.
Another talking point of the release has been the more
coherent user experience. One of the most important
steps in this direction is the breakup of the Qubes
Qubes 4.0.
Although it’s only a point release, Mayank Sharma is curious to tinker with
the distro that comes recommended by Edward Snowden himself.
D
The best option to run a secure installation, its advantages
far outweigh the investment it requires, both in terms of
learning to work with its peculiarities and additional
hardware resources.
FEATURES 8/
PERFORMANCE 8/
EASE OF USE 7/
DOCUMENTATION 8/
Rating 8/
DEVELOPER: Invisible Things Lab
WEB: http://www.qubes-os.org
LICENCE: GPL v2 and others
Check out our detailed hands-on Qubes guide (LXF248, page 94) to get
to grips with the distro.
MMMarch 20102ah9Alt29lougi’ March 2020 LXF260 19
Distribution REVIEWS
Qubesworks
ontheprinciple
ofsecurity
byisolation.
Itmakes
intelligentuse
ofvirtualisation
toensure
thatmalicious
software
remains
restrictedand
isolatedfrom
otherpartsof
theinstallation.
CPU:IntelVT-x
withEPTor
AMD-VwithRVI
alongwithIntel
VT-dorAMD
IOMMU
MEM:4GB
HDD:32GB
BUILD:64-bit
only
INBRIEF
MINSPEC
VERDICT
Managerapp,whosedutieshavenowbeendelegated
toappsinotherlogicalplaces.Someofthemhave
beenassignedtothenewQubeManagerwidgetin
thesystemtraythatcanbeusedformonitoringand
managingAppVMs.
AlltheVMsintheQubesmainmenunowlistaQube
Settingsentry.Thisleadstoamulti-tabbedsettingspanel
fromwhereyoucancontrolvariousaspectsofthatVM.
SettingsthataffecttheoperationofQubesOSasawhole
havebeenmovedtoaseparateappnamedQubesGlobal
Settings;there’salsoaseparateappforcreatingnew
customAppVMs.
Allsaidanddone,whileitmightsoundlikeahandful
Qubesisn’tcumbersometooperate.Thankstothenew
logicallypositionedmanagementapps,itwouldn’ttake
muchtimeandefforttogetusedtothenuancesofthe
distroandtomouldittoyourrequirements.
on’tlettherelativelysmallversionfoolyou;the
Qubesprojecthasbeenputtingoutreleasesfor
almostadecade.Inthatperiod,Qubeshas
establisheditselfasarguablythemostpopularsecurity-
centricdistribution,thanksmainlytoitsuniqueapproach
ofisolatingtheessentialelementsthatconstitutean
operatingsysteminsidedifferentvirtualmachines.
Essentially,Qubesdividesaninstallationintoaseries
ofvirtualdomainscalledqubes.Anindividualinstanceof
anappisrestrictedwithinitsownqube.SoyourunFirefox
inonetovisituntrustedwebsitesandanotherinstanceof
thebrowserinadifferentqubetotransactonline.A
malware-riddenwebsiteintheuntrustedqubewillnot
affectthebankingsession.
Despiteitsradicallydifferentapproach,Qubesisn’tall
thatdifferentfromyourtypicaldistro.Sure,itdoeshavea
learningcurve,butthisisn’tabruptenoughtopreventyou
fromusingthedistropost-installation.Qubesisbasedon
FedoraandusestheXfcedesktopenvironment,butyou’ll
needtofamiliariseyourselfwithitspeculiarities.For
instance,insteadofalistofapps,theapplicationmenu
listsseveralqubes,suchasWork,Personal,Untrusted,
eachofwhichrollstheindividualappsinsidethem.
Thedistroonlyshipswithahandfulofthemost
essentialdesktopapps,andyoucanfetchadditional
oneswiththepackagemanagerlikearegulardistro.But
hereagain,you’llneedtomakesureyoufleshoutthe
installationfromwithintheDomUunprivilegeddomain,
oryou’llendupnegatingQubes’securityadvantages.
Anothermajordiversionfromtypicaldistrosisthat
Qubesisn’tdesignedasamulti-usersystem.Theuser
thatlogsintoDom0controlsthewholesystem.Also,
don’texpecttoplaySteamgamesinsideanAppVMofits
ownjustyet,asQubesdoesn’tvirtualiseOpenGL.Its
developersarguethatthiswouldintroduceagreatdealof
complexitytotheGUIvirtualisationinfrastructure.
Streamlinedexecution
Thecurrentversion,v4.0.2isapointreleasethatapplies
thelatestupdatestothemajor4.0release.Amajorityof
thechangesinv4.0arebehindthescenes.Manyofthese
manifestedthemselvesintermsofchangestohowusers
interactwiththeinstallation.
Perhapsthebiggestchangeinthisreleaseisthatthe
projecthasditchedparavirtualisation(PV)andswitched
overtofullvirtualisation.ThedevelopersadmitthatPV
mightnotbetherighttechnologyforsecurity-critical
applications.Forinstance,PVVMsdon’tprotectagainst
theMeltdownattack.Also,theedgePVofferedoverfull-
virtualisationbackwhenQubeswasonthedrawingboard
hasbeenlostthankstothesecond-generation
virtualisationtechnologieslikeIntelEPTandAMDRVI.
Anothertalkingpointofthereleasehasbeenthemore
coherentuserexperience.Oneofthemostimportant
steps in this direction is the breakup of the Qubes
Qubes 4.0.
Although it’s only a point release, Mayank Sharma is curious to tinker with
the distro that comes recommended by Edward Snowden himself.
D
Thebestoptiontoruna secureinstallation,itsadvantages
faroutweightheinvestmentit requires,bothintermsof
learningtoworkwithitspeculiaritiesandadditional
hardwareresources.
FEATURES 8/
PERFORMANCE 8/
EASEOFUSE 7/
DOCUMENTATION 8/
Rating 8/
DEVELOPER: Invisible Things Lab
WEB: http://www.qubes-os.org
LICENCE: GPL v2 and others
Check out our detailed hands-on Qubes guide (LXF248, page 94) to get
to grips with the distro.