Slashdot Mirror


Qubes OS 3.1 Has Been Released

Burz writes: Invisible Things Labs has released Qubes OS 3.1. Some of the features recently introduced into this secure concept, single-user desktop OS are Salt management, the Odyssey abstraction layer, and UEFI boot support. The 3.x series also lays the groundwork for distributed verifiable builds, Whonix VMs for Tor isolation, split-GPG key management, USB sandboxing, and a host of others. Qubes has recently gained a following among privacy advocates, notable among them journalist J.M. Porup, Micah Lee at The Intercept and Edward Snowden. Embodying a shift away from complex kernel-based security and towards bare metal hypervisors and IOMMUs for strict isolation of hardware components, Qubes seals off the usual channels for 'VM breakout' and DMA attacks. It isolates NICs and USB hardware within unprivileged VMs which themselves are a re-working of the usual concept, each booting from read-only OS 'templates' which can be shared. Graphics are also virtualized behind a simple, hardened interface. Some of the more interesting attacks mitigated by Qubes are Evil Maid, BadBIOS, BadUSB and Mousejack.

7 of 43 comments

  1. A word to the wise by petes_PoV · · Score: 5, Insightful

    When announcing a new "thing" or a new version, it's often helpful to tell people WHAT IT IS and WHAT IT IS FOR.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    1. Re:A word to the wise by freeze128 · · Score: 2

      I agree with your sentiment. All too often, the summary says "Hey, there is a new version of XXXXXX that has just been released!", and that's it. Then, the reader has to do RESEARCH to find out what it is, and why they should care.

      However, in this case, the summary has all the info you need, as long as you read ALL of it. It does indeed say that it is a "secure concept, single-user desktop OS".

  2. Re:A Settlement Needs Your Help by Burz · · Score: 2

    OK, I'll bite... Yes, you probably could run Fallout 4 on Qubes IF you installed an additional graphics card on the system and assigned its PCI device to the VM where you installed the game. Qubes cannot yet virtualize 3d GPU access, so VMs either have to go through the shared virtual 2d mode or have a whole (additional) graphics card assigned to them via the IOMMU.

    It's also possible you could run the game in the privileged domain where it would have access to the GPU, but I'm not sure if taking that risk would be worth it.

    There has been some experimentation with GPU virtualization, but progress has been slow on that front.

  3. Re:Raspberry Pi? by Burz · · Score: 2

    Qubes currently only runs on 64-bit x86 CPUs, preferably with IOMMU support. ARM is not yet supported; however, the Odyssey framework is designed to allow switching-out the hypervisor or hardware platforms, so it could be made to work.

    Also, a big reason why Qubes runs x86 is that it was envisioned as a way to run Windows and closed-source apps safely under the control of a FOSS hypervisor and virtualized hardware.

  4. Re:Possible Changes to Qubes OS by Burz · · Score: 2

    Someone is already trying to get Mirage working with Qubes. Check out the dev mailing list.

    Your UI ideas are interesting. Qubes' UI is already pretty special though. It's a great foundation for accurately portraying what's going on inside the system.

    Qubes 3.1 already has some of the 'USB allocation' capability you mention: This release can pass through a USB mouse from a USB VM to the rest of the system... this means that an infected mouse cannot masquerade as a keyboard and start entering malicious commands, for example.

  5. Looks cool, but.. by subk · · Score: 2

    ..Can I run Enlightenment or XFCE (for example) or am I bound to KDE?

    --
    Now, if you'll excuse me, I have backups to corrupt.
    1. Re:Looks cool, but.. by Burz · · Score: 2

      XFCE is an install option.