MTU LUG Wiki

Minutes 2026-02-19

Meeting Minutes 2026-02-19

Qubes presentation by Simone

  • Traditional OS security is not ideal
    • No isolation by default
    • Assumes trusted kernel
    • Only one compromised app can take over the system
    • Easy lateral movement for hacks
  • Qubes:
    • Type 1 hypervisor as desktop OS
    • Everything is isolated in VMs
    • 1 VM per
    • This contains compromised apps within the part of the system they are used on
    • Based on Xen hypervisor
  • Architecture:
    • Xen hypervisor, hardened
    • Dom0: management VM
    • DomU: unpriveleged VMs
  • Dom0:
    • NOT HOST
    • Priveleged
    • Gets most hardware by default
    • Window Manager/GUI is in Dom0
    • No networking
    • Enforces color coding on
  • AppVMs:
    • Unpriveleged
    • Usually Debian or Fedora
    • Runs user applications
    • Video sent to Dom0
    • Input sent from Dom0
    • Stateless by default: /home persists but root filesystem doesn't
  • TemplateVMs:
    • Snapshot-based templates
    • Contains installed packages
    • No direct internet access (update by proxy, updates all AppVMs)
  • DisposableVMs:
    • Similar to AppVms, but self-destructs
    • Useful for viewing untrusted files or sites
    • Also useful to get a fresh environment
    • Automatic creation and deletion
  • Virtualization:
    • PVH by default
    • Can be fully virtualized (FVH) as an option
    • Qubes Windows Tools (QWT) to work with Windows better
    • Can use any OS
  • Networking:
    • Dedicated VM for network
    • Hardware passthrough
    • Firewall is between AppVMs and hardware
    • Impossible to sniff network activity from the VMs
  • Peripherals:
    • Dedicated USB VM
    • Can forward USB devices to Qubes
    • Isolates malicious USBs
      • Can spin up a disposable VM to investigate
    • Audio/Bluetooth have similar systems
  • GUI:
    • Each VM renders own windows
    • Dom0 composites video together
    • Per-VM color coding (makes popups harder to fall for)
    • Each VM has an emulated GPU
    • Anything that requires a real GPU will need hardware passthrough
  • VM Communication:
    • qrexec lets Dom0 control VMs
    • "Send to Qube" to share files between VMs
    • "Open URL in Qube"
  • Whonix/TOR:
    • Whonix is built into Qubes OS
    • Whonix runs everything only through TOR
      • Really slow
    • Whonix-gateway: runs TOR only
    • Whonix-workstation: routes traffic through gateway, disposable
  • Updates/Trust:
    • sys-whonix: updates over TOR
    • sys-net: updates everything else, managed by Dom0
  • Performance:
    • So many VMs has a cost
    • Most VMs are idle, and Xen reallocates unused memmory
    • Overhead with CPU performance, RAM, and I/O
    • Recommended at elast 32GB RAM, and an SSD
    • Requires hardware virtualization (VT-x/VT-d, AMD-V, IOMMU)
    • Qubes in VM is unsupported
  • Useful for journalists, developers, and the paranoid
  • Reduces risk
  • Trains visual/habitual security
  • NOT FOR BEGINNERS
  • Not meant for games
  • Firmware malware still a problem
  • Annoying and takes a lot of work to run
  • Demo:
    • Lots of VMs on the system
    • VMs for:
      • Discord
      • Work
      • Personal
      • Vault
      • Untrusted
      • USB devices
      • Firewall
    • Disposable VM can be created to inspect a USB safely
      • Popups, other sneaky things are both isolated and easy to see
    • All Qubes can be seen on the Qube Manager
Retrieved from "https://lug.mtu.edu/w/index.php?title=Minutes_2026-02-19&oldid=8083"