Alt Distro in dom0

I’m trying to summarize and redirect GitHub discussions about alternative dom0 distros to the forum. These discussions surfaced the following developer concerns:

  1. Long Term Support (reduce update churn).
  2. Up-to-date userland (updated packaging, large support community).
    • This will be less important as more functionality is moved out of dom0.
  3. Up-to-date kernel (good driver/hardware support).
  4. Small TCB.
  5. “Secure” packaging (reproducible builds, package and meta-data signing).
    • Note that Gitian can make most builds reproducible.
  6. “Safe” updates (rollback).
  7. Efficiency sharing distro between dom0 and VM templates.

Keep it chill! Linux distros largely repackage the same code and distro flamewars border on cheering for a brand. If you want to advocate/discuss a certain distro: spawn a new thread and limit your response here to a link and a short summary of how the distro scores on the above list of concerns. I’ll try to keep this list up-to-date:

IMHO, I think that distros advertising tiny install sizes are not competitive with similar offerings derived from RHEL and Debian. Alpine, Yocto, and friends generally trade size for compatibility/functionality by doing things like removing all drivers and substituting GNU CoreUtils with BusyBox. Once you install everything needed to run mainstream software, the image swells back up again:

Distro        smallest   VM/container   IoT/NAS/“cloud”
Alpine        2.5        120 (Xen)      469 (router)
ubi8/Fedora   30-52      70-250         300-460
Deb/Ubuntu    26-30      280            300-500

I’m also very wary of community distros without any commercial offerings to draft off of. From Yocto’s security page:

Yocto Project does not have a Security team … there is some research and proof of concept work occurring with some tools but its struggling due to lack of people/resources.

RPM/RHEL-Adjacent Distro Summary

CentOS Stream is more stable than Fedora, signs both package and repository meta-data, has a 5-year (hardware) support cycle, and would be easier to transition to thanks to sharing a base with Fedora. See the forum thread for in-depth discussions about stability, age of the kernel, and software availability.

Red Hat’s CoreOS spinoffs (Fedora Silverblue or Fedora CoreOS) offer a very compelling combination of security, TCB size, and rollback functionality. However, their short life-cycle makes them unsuitable for use in dom0 (at least until more functionality is moved out of dom0).

Rocky Linux confirmed via chat that they are planning a RHCOS rebuild.
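
Added example (not part of the original post and not Qubes OS project code): concern 5 and the CentOS Stream note above refer to signing of both packages and repository metadata, which dnf-style repo definitions express as `gpgcheck` and `repo_gpgcheck`. The check below reports enabled repos where either verification is effectively off; the repo names and URLs are constructed, and treating unset options as inherited from `[main]` and otherwise off is an assumption based on dnf's documented defaults.

```python
import configparser

# Constructed sample input (hypothetical repos), not from a real system.
SAMPLE_MAIN = "[main]\ngpgcheck=1\n"
SAMPLE_REPOS = """
[baseos]
baseurl=https://mirror.example.invalid/baseos/
gpgcheck=1
repo_gpgcheck=1

[extras]
baseurl=https://mirror.example.invalid/extras/

[local-test]
baseurl=file:///srv/repo/
gpgcheck=0

[old]
baseurl=https://mirror.example.invalid/old/
enabled=0
gpgcheck=0
"""

TRUE = {"1", "yes", "true", "on"}

def _flag(section, key, default):
    """Interpret a dnf-style boolean option, falling back to `default`."""
    return section.get(key, default).strip().lower() in TRUE

def audit(main_text, repos_text):
    """Return {repo_id: [checks that are off]} for enabled repos only."""
    main = configparser.ConfigParser(interpolation=None)
    main.read_string(main_text)
    defaults = main["main"] if main.has_section("main") else {}
    repos = configparser.ConfigParser(interpolation=None)
    repos.read_string(repos_text)
    findings = {}
    for repo_id in repos.sections():
        sec = repos[repo_id]
        if not _flag(sec, "enabled", "1"):   # disabled repos are never fetched
            continue
        # Assumption: unset options inherit from [main], else default to off.
        off = [k for k in ("gpgcheck", "repo_gpgcheck")
               if not _flag(sec, k, defaults.get(k, "0"))]
        if off:
            findings[repo_id] = off
    return findings

if __name__ == "__main__":
    for repo, off in audit(SAMPLE_MAIN, SAMPLE_REPOS).items():
        print(f"{repo}: not verified -> {', '.join(off)}")
```
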

Sorry to turn over old stones everyone, but I don’t like Fedora so I’d like some advice before I nuke it.

Can you give more insight into that table?:
If we are referring to dom0, surely the second column is the relevant 1? So alpine still potentially has an advantage of ubi8/fedora and definitely still over deb/ubuntu? (graphical compatibility aside).

Or am I missing something?

Idk if any of the core-team can advise, I had asked this in a slightly different way before - but got a vague answer, more precisely as to what is needed to migrate from fedora? (As I understand it the GUI dom0 tools are fedora/ubi8 specific?).

for me, it yes (security)

sys-gui solve the gui (is sys-audio possible)

@Quser59 you misunderstood the conversation. It was about some people advocating the project to switch to a different distribution for dom0.

I do not think there is any way for you to have any other distribution in dom0 than Fedora at this time, short of you single-handedly doing all the porting and development work needed to get there.

Also there is little value in doing this beyond “I don’t like Fedora” … which is not a reason at all.

You are free to run all your qubes on Debian, Ubuntu, Arch … whatever you’d like and is supported. I use all debian-minimal and love it. Don’t like Fedora either, but it’s in dom0 and the reasons I don’t like it don’t apply there. Also I have basically no interaction with it … so what’s the problem?


Sorry if I was unclear, I just think (as I believe @ppc does, (correct me if I’m wrong there)), that fedora in dom0 is clunky: IF:(it is little work to port to alpine).

Hence my earlier question(s) about what is needed to be done. I know @adw referred me to some build-dependencies for the kernel, but I’m talking about comprehensively.

I’m guessing there has been some non-public conversation about this which I am not savvy to? What I’m asking is, if there’s anything I can do which is a good use of time to help migrate from fedora in dom0, please let me know.

Perhaps I have misinterpreted this, but do you have a sys-gui enabled, or can you run dom0 headless(without gui)?

do you have a sys-gui enabled, or can you run dom0 headless(without gui)?

I am on R4.0.4 …

… so your beef is with XFCE? That’s an entirely different conversation and has only very little to do with the underlying distribution.

What are you trying to achieve? What is your motivation? I am pretty sure I don’t understand fully where you are coming from.

Replace fedora in dom0 without waiting for R4.1+. (ofc contributing work to the community, should such dev work be done).

Reduce vulns in dom0; (yes, I know what I am implying there).

No, but perhaps we should create a new thread?

Is there any news I’ve missed? I think the Qubes team doesn’t have any plan to use another distro for dom0 by default.

but if you want to play and do research, you can look at Qubes Admin API, How to create an AdminVM in R4.1


Reduce vulns in dom0; (yes, I know what I am implying there).

I recommend you check your assumptions and make a clear case.

No, but perhaps we should create a new thread?

You are of course free to do so, but may I recommend reading all the discussion that already happened about this topic here in the forum and on github. Personally I have no appetite in going through all that once more.

A few hints:

  • the choice of distribution in dom0 matters little today and will matter even less in the future
  • dom0 is always offline / no remote attack surfaces
  • as more and more hardware interfacing is moved into dedicated system qubes (sys-net, sys-usb, sys-audio, sys-gui etc.) the tasks for dom0 become less and less
  • at some distant point in the future dom0 might be a Qubes OS specific minimal distribution

Short of real and major security benefits in moving dom0 to another distribution it is simply not important enough at the moment to distract from other more urgent development tasks.

Personal likes or dislikes for this or that packet manager / distribution are irrelevant.


Apologies, my wording was poor.

What I should have said, instead of ‘reduce vulns in dom0’, is this:
switching dom0 distro to lower TCB such as alpine has many advantages, (which I’m sure have already been discussed).
If something atop dom0 chains flaws to exploit the actual distro chosen, then it follows that a more secure distro reduces vulns - this is what I meant, (sorry I mis-spoke and wrote ‘in dom0’ - it was shorthand for what I meant).

Are you talking about a virtualization escape / Xen flaw?

cmiiw, I think you misunderstood, there’s nothing to do with fedora in dom0, what qubes provides is xen virtualization, in any case xen is more important than any security that applies in dom0.
As an example, this attack: Project Zero: Pandavirtualization: Exploiting the Xen hypervisor


@Sven and @51lieal ::

So my exact thinking was this:
qubes linux packages could have a vuln
that vuln could be really low priority/not necessarily a security concern

attacker exploits said vuln
they then chain this exploit with a fedora-specific exploit (granting access to dom0, as its fedora)

I think this is where @ppc may agree with me

But as you’ve said, this has probably been discussed already - however I felt emboldened by @ppc comment r/e alpine (i.e: they seem to agree alpine is better than fedora).

So I suppose it was more of a question than a statement - in reference to: how different are the libraries of fedora and alpine*?

*(because if they are radically different, then IMHO switching from fedora to alpine is a massive security increase - but of-course you will know far better than me the cost of the increase, and hence what the ROI/priority is).

I agree 100%, xen is more important than anything else - so if there’s more to do there I don’t mean to distract you - sorry if I have.


No worries, currently fedora has somewhat better hardware support and is only hosting the graphical environment.

We can only wait until gui domain is implemented, then we can have much better play with dom0.


what about package installing @Sven

a lot because alpine is independent distro

if you want to use alpine then you should get started with APK :rofl:


Is alpine bad or something, I’m not getting the joke?

android apk vs alpine apk

no