Slashdot Mirror

← Back to Stories (view on slashdot.org)

Qubes OS 3.1 Has Been Released

Posted by timothy on from the or-is-that-have-been-released dept.

Burz writes: Invisible Things Labs has released Qubes OS 3.1. Some of the features recently introduced into this secure concept, single-user desktop OS are Salt management, the Odyssey abstraction layer, and UEFI boot support. The 3.x series also lays the groundwork for distributed verifiable builds, Whonix VMs for Tor isolation, split-GPG key management, USB sandboxing, and a host of others. Qubes has recently gained a following among privacy advocates, notable among them journalist J.M. Porup, Micah Lee at The Intercept and Edward Snowden. Embodying a shift away from complex kernel-based security and towards bare metal hypervisors and IOMMUs for strict isolation of hardware components, Qubes seals off the usual channels for 'VM breakout' and DMA attacks. It isolates NICs and USB hardware within unprivileged VMs which are themselves are a re-working of the usual concept, each booting from read-only OS 'templates' which can be shared. Graphics are also virtualized behind a simple, hardened interface. Some of the more interesting attacks mitigated by Qubes are Evil Maid, BadBIOS, BadUSB and Mousejack.

24 of 43 comments (clear)

  1. Re:This sounds great by Anonymous Coward · · Score: 1

    Only if you want to boot a completely secure OS and then spend a lot of time doing absolutely nothing useful with it

    Did it take many years of advanced training to reach your level of cluelessness, or did it come naturally for you?

  2. A word to the wise by petes_PoV · · Score: 5, Insightful

    When announcing a new "thing" or a new version, it's often helpful to tell people WHAT IT IS and WHAT IT IS FOR.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    1. Re:A word to the wise by freeze128 · · Score: 2

      I agree with your sentiment. All too often, the summary says "Hey, there is a new version of XXXXXX that has just been released!", and that's it. Then, the reader has to do RESEARCH to find out what it is, and why they should care.

      However, in this case, the summary has all the info you need, as long as you read ALL of it. It does indeed say that it is an "secure concept, single-user desktop OS".

    2. Re:A word to the wise by Burz · · Score: 1

      From the OP, it is a secure desktop OS.

    3. Re:A word to the wise by bobo_1968 · · Score: 1

      It's an operating system designed with security in mind. What part of the summary was unclear? The "OS" phrase, reference to moving away from kernel based security, hypervisors, VM based isolation of hardware devices, and list of attacks it claims to mitigate seemed like a dead giveaway.

      "Invisible Things Labs has released Qubes OS 3.1. Some of the features recently introduced into this secure concept, single-user desktop OS"

    4. Re:A word to the wise by fisted · · Score: 1

      Yeah, what coul

      this secure concept, single-user desktop OS

      possibly be?

      In your defense, it's only the 2nd sentence of TFS, can't noone expect you to have that high of an attention span, as it would certainly take you half an hour to read all the way till there.

      --
      CLI paste? paste.pr0.tips!
    5. Re:A word to the wise by Natales · · Score: 1

      Really? has the IQ level in Slashdot gone downhill that much that you can't even do a Google search?

      If you frequent this site, you will notice this community is big on privacy, and QubesOS has been for quite some time among the best options out there, since they are the only ones addressing very hard problems, like hard isolation of driver-level components in the OS, such as the USB or the Network subsystems for example. This is particularly good to mitigate against 'evil maid' type attacks and such. They achieve this using a modified version of the Xen hypervisor with lightweight VMs with a common hardened X-based interface.

      These folks don't release very often, and this update has been coming for a long time, and it's very welcome. Particularly the UEFI boot support, that has blocked me to be able to install it on my private laptop.

    6. Re:A word to the wise by jwymanm · · Score: 1

      What the hell is wrong with both of you? You clearly missed the summary that has all the info you need, as long as you read all of it. It clearly states that it is a secure concept single user desktop OS. Geez, what is wrong with this place. Yes, tongue in cheek.. :)

    7. Re:A word to the wise by petes_PoV · · Score: 1

      you can't even do a Google search?

      If you weren't so quick to scoff and had actually gone to the announcement page for this "thing" you would realise that there is no mention at all about WHAT IT IS or WHAT IT IS FOR. It dives straight in jargon about the new features.

      It is plain to every professional that if you want people to engage - especially when writing publicity material (such as announcing a new release) that it will answer the readers' questions. The most basic question is WHAT IS THIS THING?

      However it's typical of FOSS that the people who make this stuff are more concerned with telling the world how clever they are and how wonderful is the work they have done. How it can be used, what it is for and who might benefit from it are a very distance second. This announcement is a classic example of everything that's wrong with amateur-written (in quality, if not remuneration) products. They are more concerned with features than users.

      --
      politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    8. Re:A word to the wise by Anonymous Coward · · Score: 1

      > So it's an OS?

      What is QubesOS?

      > Is a Linux derivative?

      Is Qubes just another Linux distribution?

      > Can it run software targeted as other OSes?

      Managing Operating Systems withing Qubes

      > Does it has system?

      ???

      > Is it targeting anything specific in terms of hardware.

      Hardware Compatibility List

      > Or purpose (embedded, desktop, phone, server)?

      How is QubesOS different from..?

  3. Qubes 3.1 ? by Anonymous Coward · · Score: 1

    I'm waiting for 3.11 - Qubes for Workgroups.

  4. Re:A Settlement Needs Your Help by Burz · · Score: 2

    OK, I'll bite... Yes, you probably could run Fallout 4 on Qubes IF you installed an additional graphics card on the system and assigned its PCI device to the VM were you installed the game. Qubes cannot yet virtualize 3d GPU access, so VMs either have to go through the shared virtual 2d mode or have a whole (additional) graphics card assigned to them via the IOMMU.

    Its also possible you could run the game in the privileged domain where it would have access to the GPU, but I'm not sure if taking that risk would be worth it.

    There has been some experimentation with GPU virtualization, but progress has been slow on that front.

  5. Possible Changes to Qubes OS by Anonymous Coward · · Score: 1

    Just a few ideas for the Qubes OS...

    Qubes OS needs to use the Mirage OS model for all its master (dom0) and utility VMs (network, VPN, firewall, usb controller/multiplexer, vault, storage, crypto, ...). If there was a way to use the Linux loadable module interfaced easily in the Mirage OS it would allow access a larger number of available/newly updated device drivers. Another possibility is to use minimal kernels like Atom or CoreOs and add the modules as required. Full OS VMs would still be allowed for things like work, personal, private (TOR) browsing, ...

    The GUI needs a permanent VM status bar (VMsb) that only the dom0 controls. It would be positioned on the top of the main display monitor. This would mean that no other VM would be able to have full screen access to the monitor. The VMsb provides the following information: name of the active VM window, security level, color security coding, dynamic VM window change (task bar flashing?), drop down tool for providing USB access for the active VM, drop down tool for active VM security/network/devices). This would allow for special processes like a password entry/authorization system.

    One of the problems with all operating system Window systems is protecting the entry of passwords. The dom0 can control that by: opening a password entry window, indicating via the VMsb that a password entry window is open, graying out all background VM windows. All utility VMs will have a module that requests from the dom0 a password verification (send VM, user name) and the dom0 returns an authentication token. The full VMs could have special PAM modules added to them to allow them to access the new password entry/authorization system.

    The USB controller/multiplexer VM should allow the dom0 to allocate individual USB devices to specific VMs. It would act lice a USB firewall router. This could mitigate the issue with IOMMU only allowing all or nothing access to the USB controller and all devices on the controller bus. It would also allow the dom0 to run all keyboard, mouse/track pad entry past any possible malware attempting to read confidential input information (passwords,...).

    1. Re:Possible Changes to Qubes OS by Burz · · Score: 2

      Someone is already trying to get Mirage working with Qubes. Check out the dev mailing list.

      Your UI ideas are interesting. Qubes' UI is already pretty special though. Its a great foundation for accurately portraying what's going on inside the system.

      Qubes 3.1 already has some of the 'USB allocation' capability you mention: This release can pass through a USB mouse from a USB VM to the rest of the system... this means that an infected mouse cannot masquerade as a keyboard and start entering malicious commands, for example.

  6. Raspberry Pi? by ooloorie · · Score: 1

    Could this run on Raspberry Pi or does that lack some necessary hardware support?

    1. Re:Raspberry Pi? by Burz · · Score: 2

      Qubes currently only runs on 64bit x86 CPUs, preferably with IOMMU support. ARM is not yet supported, however the Odyssey framework is designed to allow switching-out the hypervisor or hardware platforms, so it could be made to work.

      Also, a big reason why Qubes runs x86 is that it was envisioned as a way to run Windows and closed-source apps safely under the control of a FOSS hypervisor and virtualized hardware.

    2. Re:Raspberry Pi? by bobo_1968 · · Score: 1

      Also, a big reason why Qubes runs x86 is that it was envisioned as a way to run Windows and closed-source apps safely under the control of a FOSS hypervisor and virtualized hardware.

      That's super cool. Are you associated with the project? Do you have any examples of use-cases in the wild, or anyone using it in production? I could imagine for example a journalism organization or a government body being interested in legacy support for closed-source/Windows applications being very interested in the added security here.

    3. Re:Raspberry Pi? by Burz · · Score: 1

      I'm just a user, though I have a small list of enhancements I want to make. The project is not actively documenting use cases, although people do discuss them on the mailing list. There is enough corporate and institutional interest in Qubes to have made the integration of Salt necessary.

  7. Re:A Settlement Needs Your Help by PopeRatzo · · Score: 1

    Yes, you probably could run Fallout 4 on Qubes IF you installed an additional graphics card on the system and assigned its PCI device to the VM were you installed the game. Qubes cannot yet virtualize 3d GPU access, so VMs either have to go through the shared virtual 2d mode or have a whole (additional) graphics card assigned to them via the IOMMU.

    This is why I love Slashdot. Ask a stupid question and get a thoughtful, serious answer that might actually be useful.

    Thanks, Burz. You're OK.

    --
    You are welcome on my lawn.
  8. Re:What is it? by lhowaf · · Score: 1

    This sort of acrimonious shite causes me to question the value of AC posts.

    Maybe there should be a "Registered User Posting Anonymously" that gets a score of 0 while AC posts get a score of -1.

  9. Re:A Settlement Needs Your Help by Burz · · Score: 1

    You're OK too, for a corrupt ex-Pope :P

  10. Looks cool, but.. by subk · · Score: 2

    ..Can I run Enlightenment or XFCE (for example) or am I bound to KDE?

    --
    Now, if you'll excuse me, I have backups to corrupt.
    1. Re:Looks cool, but.. by Burz · · Score: 2

      XFCE is an install option.

  11. good by tranvantri · · Score: 1

    good

    --
    https://www.youtube.com/watch?v=5wldG1nbiOU