Qubes OS


Qubes OS is a security-focused desktop operating system that aims to provide security through isolation. Virtualization is performed by Xen, and user environments can be based on Fedora, Debian, Whonix, and Microsoft Windows, among other operating systems.

Security goals

Qubes implements a Security by Isolation approach.
The assumption is that there can be no perfect, bug-free desktop environment: such an environment counts millions of lines of code and billions of software/hardware interactions.
One critical bug in any of these interactions may be enough for malicious software to take control over a machine.
To secure a desktop a Qubes user takes care to isolate various environments, so that if one of the components gets compromised, the malicious software would get access to only the data inside that environment.
In Qubes, the isolation is provided in two dimensions: hardware controllers can be isolated into functional domains, whereas the user's digital life is decided in domains with different levels of trust.
For instance: work domain, shopping domain, random domain. Each of those domains is run in a separate virtual machine.
In a design decision, Qubes virtual machines, by default, have passwordless root access.
UEFI Secure Boot is not supported out of the box, but this is not considered a major security issue.
Qubes is not a multiuser system.

Installation and requirements

Qubes was not intended to be run as part of a multi-boot system because if an attacker were to take control of one of the other operating systems then they'd likely be able to compromise Qubes.
However, it is still possible to use Qubes as part of a multi-boot system and even to use grub2 as the boot loader/boot manager.
A standard Qubes installation takes all space on the storage medium to which it is installed and it uses LUKS/dm-crypt full disk encryption.
It is possible to customize much of the Qubes OS installation but for security reasons, this is discouraged for users that are not intimately familiar with Qubes.
Qubes 4.x needs at least 32 GiB of disk space and 4 GB of RAM.
However, in practice it typically needs upwards of 6-8 GB of RAM since although it is possible to run it with only 4 GB of RAM, users will likely be limited to running no more than about three Qubes at a time.
Since 2013, Qubes has not had support for 32-bit x86 architectures and now requires a 64-bit processor.
Qubes uses Intel VT-d/AMD's AMD-Vi, which is only available on 64-bit architectures, to isolate devices and drivers.
The 64-bit architecture also provides a little more protection against some classes of attacks.
Since Qubes 4.x, Qubes requires either an Intel processor with support for VT-x with EPT and Intel VT-d virtualization technology or an AMD processor with support for AMD-V with RVI and AMD-Vi virtualization technology.
Qubes targets the desktop market.
This market is dominated by laptops running Intel processors and chipsets and consequently, Qubes developers focus on Intel's VT-x/VT-d technologies.
This is not a major issue for AMD processors since AMD IOMMU is functionally identical to Intel's VT-d.

User experience

The users interact with Qubes OS very much the same way they would interact with a regular desktop operating system. But there are some key differences:

Xen hypervisor and administrative domain (Dom0)

The hypervisor provides isolation between different virtual machines. The administrative domain, also referred to as Dom0, has direct access to all the hardware by default. Dom0 hosts the GUI domain and controls the graphics device, as well as input devices, such as the keyboard and mouse. The GUI domain runs the X server, which displays the user desktop, and the window manager, which allows the user to start and stop the applications and manipulate their windows.
Integration of the different virtual machines is provided by the Application Viewer, which provides an illusion for the user that applications execute natively on the desktop, while in fact they are hosted in different virtual machines. Qubes integrates all these virtual machines onto one common desktop environment.
Because Dom0 is security-sensitive, it is isolated from the network. It tends to have as little interface and communication with other domains as possible in order to minimize the possibility of an attack originating from an infected virtual machine.
The Dom0 domain manages the virtual disks of the other VMs, which are actually stored as files on the dom0 filesystem. Disk space is saved by virtue of various virtual machines sharing the same root file system in a read-only mode. Separate disk storage is only used for userʼs directory and per-VM settings. This allows software installation and updates to be centralized. It is also possible to install software only on a specific VM, by installing it as the non-root user, or by installing it in the non-standard, Qubes-specific /rw hierarchy.

Network domain

The network mechanism is the most exposed to security attacks. To circumvent this it is isolated in a separate, unprivileged virtual machine, called the Network Domain.
An additional firewall virtual machine is used to house the Linux-kernel-based firewall, so that even if the network domain is compromised due to a device driver bug, the firewall is still isolated and protected.

Application Virtual Machines (AppVM)

AppVMs are the virtual machines used for hosting user applications, such as a web browser, an e-mail client or a text editor. For security purposes, these applications can be grouped in different domains, such as "personal", "work", "shopping", "bank", etc. The security domains are implemented as separate, Virtual Machines, thus being isolated from each other as if they were executing on different machines.
Some documents or applications can be run in disposable VMs through an action available in the file manager. The mechanism follows the idea of sandboxes: after viewing the document or application, then the whole Disposable VM will be destroyed.
Each security domain is labelled by a color, and each window is marked by the color of the domain it belongs to. So it is always clearly visible to which domain a given window belongs.

Reception

Security and privacy experts such as Edward Snowden, Daniel J. Bernstein, and Christopher Soghoian have publicly praised the project.
Jesse Smith wrote review of Qubes OS 3.1 for DistroWatch Weekly:
Kyle Rankin from Linux Journal reviewed Qubes OS in 2016:
In 2014, Qubes was selected as a finalist of Access Innovation Prize 2014 for Endpoint Security, run by the international human rights organization Access Now.