If dom0 were to move away from Fedora as the OS for dom0; what would be the criteria for choosing an alternative?
https://www.hardenedbsd.com/content/easy-feature-comparison
opened 04:34PM - 18 Apr 16 UTC
T: enhancement
C: core
P: major
We have discussed this numerous times but don't have an issue to track these dis… cussions. It would be worth understanding what would be needed to change dom0 from Fedora to Debian (say Debian 8). Benefits include:
- increased hardware compatibility
- incorporate serious work taken towards reproducible builds
- better firstboot installer
- better (slower) release cycle than Fedora with longer-term support
- other things?
This ticket does not encompass modifying the desktop environment.
https://www.gnu.org/distros/free-distros.html
bored
January 31, 2023, 1:36pm
#2
SeL4 is a microkernel. Any thoughts on using a Rust-based hypervisor like Gramine? or Occulum?
(or are these projects just to take advantage of Intel SGX enclaves).
What about a unikernel (LibraryOS) like mirageOS for dom0?
Sven
February 2, 2023, 5:19am
#4
Please familiarize yourself with Qubes OS architecture and then see these threads:
I’m trying to summarize and redirect Github discussions about alternative dom0 distros to the forum. These discussions surfaced the following developer concerns:
Long Term Support (reduce update churn).
dom0 gets updated between 1-3.5 years/~1.9 years on average.
Up-to-date userland (updated packaging, large support community).
This will be less important as more functionality is moved out of dom0.
Up-to-date kernel (good driver/hardware support).
Small TCB.
“Secure” packaging (reprodu…
I wanted to continue discussion from the Debian in dom0 and Alt RPM Distro (CentOS, RHEL, Suse, Oracle Linux) in dom0 tickets. To keep discussion on track, this thread is to discuss RPM based distros only.
Recap
The short Fedora release cycle is a drag on development, but sticking to a Red Hat adjacent distro has many benefits:
A lot less work than switching to Debian or Nix.
Efficiency gains from using the same distro in dom0 and VMs (via UBI or Fedora CoreOS/IoT ).
A lot of money is poured …
We all know Fedora is a big name, but is it a good choice for a Security Driven OS like QubeOS to be based around?
I found it interesting reading that it was mentioned about the Surface Attack on some things related to QubeOS because it was small in size, like the code, not containing much, therefore limiting the Surface Attack.
Ok, GREAT point, but what about the IDEA that if you use a BIG DISTRO like Fedora and the MASSIVE SIZE of the repos and the software contained in it, this sounds like …
and also
Hi I just found Joanna Rutkowska’s blog post Qubes Air: Generalizing the Qubes Architecture where she states that that is the next step for Qubes-OS. The article was written in 2018. So, I wonder whether that’s still the objective; getting Qubes in the cloud? Really?
These discussions should give you a comprehensive idea of all the ideas that have been discussed, the reasoning behind them and links to plenty of material relevant to this question.
1 Like
deeplow
February 2, 2023, 9:02am
#5
Sven:
then see these threads:
Heh. I was about to link to them before I saw your response
1 Like
Sven
February 2, 2023, 5:36pm
#6
Yeah, this is a very good candidate for an FAQ entry. Something along the lines of…
it doesn’t really matter, because offline / no user interaction / hardware isolation
it’ll be even less important in the future or go away anyway, because more hardware isolation (net, usb, audio, gui domains)
if an attacker reaches dom0 your hardening / favorite distro won’t save you
1 Like