DomU security is good enough?

How Good is the Security of Qubes OS Virtual Machines (domU)?

How secure are the virtual machines (domU) of Qubes OS? Isn’t their security weak? I know the purpose of the system is compartmentalization, but wouldn’t ignoring the security of the qubes be detrimental? I mean, even a Kicksecure based on minimal Debian would be far less secure compared to any Fedora, Debian, etc. on bare metal. Am I wrong? I would like to discuss this and learn more about this topic.

What do you mean by “security”?
Do you mean confidentiality? Or integrity? Or availability?
And why do you think that a Debian-based qube is less secure in comparison to Debian on bare metal?

I’m one of the ones wanting better security in domUs, but that being said real generic desktop security on Linux is a non-goal as the best out-of-the box Linux desktop for security is Fedora SecureBlue, and even they say you should only choose that if your first goal is Linux and your second is security. Qubes accomplishes this indirectly by way of isolation/compartmentalization.

The long version of this is that generic desktop security is a bad goal in general for many reasons I won’t outline here, since they are technical and better explained in books and other references better than I ever could here.

So, the Qubes way if security is your concern is to not do insecure things on sensitive qubes by separating your qubes by security considerations. For example, don’t browse on the same qube you do banking on, since if you only handle financial stuff on one qube, the chance of getting hacked is very low. I.e. how would you get hacked if you only visit known, legitimate financial sites you trust? AFAIK you still can, but the chances are significantly lower this way than just about any other.

If you want to further security in Qubes, a reasonable attempt at general security is nice (and I think complements Qubes), but you should probably look into securing specific applications on VMs. Application-centric threat models are a great place to start.

If you still want at least something like I do and like me aren’t an expert at Linux desktop security, then I’m waiting for Wayland on Qubes and will be using SecureBlue when it likely gets ported to Qubes.

How secure are the virtual machines (domU) of Qubes OS? Isn’t their security weak?

Why do you think “their security is weak”?


The official templates are not hardened, you are essentially running stock Debian and Fedora.

Qubes OS allows you to separate trusted and untrusted domains. If you keep as many qubes as possible offline, use disposable qubes when possible, and take great care to separate trusted and untrusted online tasks, then it matters a lot less how much the OS is hardened.

That said, nothing is stopping you from customizing your installation and improving the security of domUs, if you think it’s needed.


I am not sure if I understand you completely.
It is up to you to configure your Qubes VMs to fit your needs (the same way you would do that in other Linux distributions). No one even blocks you from installing a special hardened system inside an HVM.
Dom0 is a special case, but because that complete system has no connection to any network (except the connection to the implicitly trusted software repositories via a special disposable VM), the attack vector for any “bad guy” to get access to that dom0 from outside is nearly zero.
If any “bad guy” has physical access to your system, you are lost (same as in ALL other systems).
Qubes OS is (per definition) “A reasonably secure operating system”, not more or less. The Qubes OS principles are not to make any system as secure as it can be; instead you, as the user, have every opportunity to harden your system as required by your security concept, and the OS will not stand in your way (as it does in other “operating systems” like MS Windows).


This has been discussed in a GitHub issue last year Use a more secure OS as the default template for app qubes · Issue #9332 · QubesOS/qubes-issues · GitHub

I believe a Debian qube is more vulnerable than a bare-metal installation because it can’t fully leverage certain hardware security technologies—especially CPU features. Many security mechanisms rely on virtualization extensions (AMD‑V or VT‑d), Secure Boot, and similar capabilities. For instance, Fedora includes a tool that assesses system security, and its score reflects how well the OS can use underlying hardware features to enable protections. Windows is a clear example: it is significantly more secure when run on bare metal than inside a qube. A Windows qube does not have a TPM 2.0 and lacks virtualization, so several protections—such as VBS (Virtualization‑Based Security), Kernel Shadow Stack, TPM 2.0, SLAT, Secure Boot, and others—are not available inside a Windows qube.

Please correct me if I’m wrong, but would that not significantly reduce the security of the system?

First: TPM 2.0 and Secure Boot in Windows are not much more than security mumbo-jumbo. Security that is completely dependent on a closed-source company is not really security. Additionally, Secure Boot in Linux is also completely dependent on Microsoft and their signature.
Second: Debian on bare metal is more secure than in a qube? No; in a Debian system no one blocks you (or an attacker) from running “sudo install_malware.sh”; in a qube, it is meaningless.
Third: Which security features do you miss in Linux if it is running in a qube, in comparison to running on bare metal (except the MS-dependent “Secure Boot”)?
I don’t speak about Windows, because that OS is not secure or trusted in any way.


Second answer:
No, the security of the whole system is not affected, only the security of a qube (if it is a Windows qube, security has no real meaning in there).
If you follow the principle of not storing anything that you want to handle more privately in a qube with network access, and never storing passwords or other security-relevant information in such a qube, you can throw any qube away if you have even minimal suspicion about the security and privacy of that qube.
You can even open any file in a disposable, network-separated qube, even if you know it is virus- or malware-infected, without serious consequences. Name another system that can provide that level of security.
Then you can create a new one from template and continue.
This security principle makes Qubes OS unique.
