Can I install QubesOS in a Qemu KVM Virtual machine?

It would be nested virtualization and I wonder if it works and there is a tutorial?

VirtualBox seems doable, although buggy

1 Like

Nested virtualization is not supported:

1 Like

Yeah that’s the answer! I looked into dual boot, it’s not that quick either (the other OS can change Qubes grub entries, as it happened to me).

1 Like

@Eli, what do you mean by this?

Whilst it is definitely possible to achieve what it is you wish to do, the reason why none of the options come with the standard install ISO is because the security features that require direct hardware access may not work as expected.

Remember that it’ll be in an environment that:

  • Your host OS will be able to see (and potentially interfere with) absolutely everything Xen will be doing, including all the virtual machines
  • Your level of security will be limited by the integrity of your host OS
  • Your host OS might not pass through all of the required components of your hardware, which may lead to Qubes OS crashing, or Qemu causing host OS kernel panics in certain circumstances
  • Depending on what else your host OS is doing, race conditions and memory leaks may occur. Best case scenario, they just slow your machine down. Worst case, you leak secrets and things crash.

If you do give this a go, we recommend you do NOT do anything mission-critical on top of that Qubes OS installation, because we cannot guarantee functionality and integrity to the same standard as running on bare metal.

This is actually why it’s a lot less hassle for all of us if we just tell people that it’s better not to do it :stuck_out_tongue:

But, if you understand all of this and still wish to proceed, then by all means, who are we to stop you? :slight_smile:

If your hardware has multiple physical drives, then dual booting with each OS on its own physical drive is more manageable, as the drives tend to interfere with each other less.

But that opens up a whole other can of worms in terms of security and machine integrity…

1 Like

Yeah, it’s for testing. The point is, the users cannot switch completely in one day. They run it alongside something else, and once they are confident that it serves their needs, they switch completely.

I don’t have extra drives now (I had before and Ubuntu used to delete Qubes grub entries). Dual boot on one NVMe is an option, though I’m not sure how well it works.

I understand the can of worms, this is only for transition, nothing security critical for me.

I use it mostly for compartmentalizing my workload. Which is why I missed Qubes and am coming back :smiley:

1 Like

An option is to manually keep a backup of your Qubes OS grub.cfg in a separate location on your boot partition.

1 Like
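
The grub.cfg backup suggested above, extended with a recorded hash so that a later overwrite by the other OS is detected before the next reboot. This is an added example, not part of the original posts; the default paths in `GRUB_CFG` and `BACKUP_DIR` are assumptions and must be set to match the actual installation.

```shell
#!/bin/sh
# Added example: snapshot a GRUB config, detect later changes, restore it.
# Both default paths are assumptions; override them for your system.
GRUB_CFG="${GRUB_CFG:-/boot/grub2/grub.cfg}"
BACKUP_DIR="${BACKUP_DIR:-/boot/qubes-grub-backup}"

# Print only the SHA-256 digest of a file.
cfg_hash() { sha256sum "$1" | cut -d' ' -f1; }

# Save a copy of the current config and record its digest.
grub_snapshot() {
    [ -r "$GRUB_CFG" ] || { echo "cannot read $GRUB_CFG" >&2; return 2; }
    mkdir -p "$BACKUP_DIR" || return 2
    cp -p "$GRUB_CFG" "$BACKUP_DIR/grub.cfg.bak" || return 2
    cfg_hash "$BACKUP_DIR/grub.cfg.bak" > "$BACKUP_DIR/grub.cfg.sha256"
}

# Return 0 if the live config matches the snapshot, 1 if it changed or
# vanished, 2 if there is no snapshot or the backup copy is itself damaged.
grub_check() {
    [ -r "$BACKUP_DIR/grub.cfg.sha256" ] && [ -r "$BACKUP_DIR/grub.cfg.bak" ] || return 2
    want=$(cat "$BACKUP_DIR/grub.cfg.sha256")
    [ "$(cfg_hash "$BACKUP_DIR/grub.cfg.bak")" = "$want" ] || return 2
    [ -r "$GRUB_CFG" ] || return 1
    [ "$(cfg_hash "$GRUB_CFG")" = "$want" ] && return 0
    # Show what the other OS changed; diff exits 1 on differences.
    diff -u "$BACKUP_DIR/grub.cfg.bak" "$GRUB_CFG" >&2 || true
    return 1
}

# Put the saved copy back, but only from an intact snapshot.
grub_restore() {
    rc=0; grub_check 2>/dev/null || rc=$?
    case "$rc" in
        0) return 0 ;;
        2) echo "no intact snapshot in $BACKUP_DIR" >&2; return 2 ;;
    esac
    cp -p "$BACKUP_DIR/grub.cfg.bak" "$GRUB_CFG"
}

# Command-line use: script.sh snapshot | check | restore
case "${1:-}" in
    snapshot) grub_snapshot ;;
    check)    grub_check ;;
    restore)  grub_restore ;;
esac
```

Because the backup sits on the same boot partition the other OS can write to, the hash catches accidental overwrites (such as a bootloader update from the other OS), not deliberate tampering.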

Thanks. Is this the right guide to add Qubes to an existing Ubuntu desktop with UEFI boot, for some fun Christmas project:

1 Like

That is the correct topic, but you could also create a new one in the Community Guides or High Quality Guides category.

Can I install QubesOS in a Qemu KVM Virtual machine?

Most likely, yes. Can't speak from experience, though.

It would be nested virtualization and I wonder if it works and there is a tutorial?

VirtualBox seems doable, although buggy

That VirtualBox-based tutorial was written for the release 4.2.0, and I never updated it to work with newer releases, so no guarantees there. However, with the recent licensing changes, you could just grab a free copy of VMware Workstation, since it’s now free for both personal and commercial usage. Qubes OS works virtualized in it pretty much out of the box.

1 Like

I’d be curious to see how deep the host OS can see into Qubes OS under that configuration, and whether it could be vulnerable to bit-flipping attacks or arbitrary memory writes (both ways, Qubes to host, and host to Qubes).

I mean, my guess is that it would provide absolutely no security whatsoever, and would be suicide to use in production over running on bare metal.

But if it doesn’t throw too many errors, I’d happily set up a “Try out Qubes OS” website that spins up a fresh install on an instance for 3-4 hours, so people who want to “try” Qubes OS workflow can do so.

Even better if it could be done on something open source instead of VMware….

1 Like

It’s an equivalent of playing a video game with a trainer. As a simple demo, see me using Cheat Engine to replace all the occurrences of the string “Dom0” with “Cheat Engine Test”, and what happens to the window borders with the unspoofable domain name being used as a prefix for the actual title:

I mean, my guess is that it would provide absolutely no security whatsoever, and would be suicide to use in production over running on bare metal.

When it comes to things like working with sensitive data in offline vaults, there’s no benefit to itself having an offline vault, which an online system can see and monitor the whole time.

But if it doesn’t throw too many errors, I’d happily set up a “Try out Qubes OS” website that spins up a fresh install on an instance for 3-4 hours, so people who want to “try” Qubes OS workflow can do so.

Even better if it could be done on something open source instead of VMware….

Sounds nice! You could try setting things up in KVM, and once some things require tweaks and workarounds, maybe someone would know how to resolve them and help out.

2 Likes