Dual boot with Windows

Hi!

I must use Windows for some tools which are available just for this (creepy) OS and I’m waiting for some cash to buy just a second laptop for this purpose. The question is, does it make sense to install Qubes and Windows together without losing the security of Qubes? So I could do it until I have enough cash for the second laptop.

Qubes is encrypted, but is it also encrypted while working on it? I suppose there will be several security problems with this setting, won’t there?

I read the following on this board:
“If you dual boot Windows and Qubes, it’s possible that a Windows virus could modify your Qubes /boot partition and infect Qubes. A way around this is storing the /boot partition on a removable drive which you never plug in while Windows is running or starting, but this doesn’t prevent all possible attacks. Windows viruses could for example compromise the firmware of various components or the mobo. In Qubes, Windows is run sandboxed and doesn’t interact directly with hardware unless you specifically allow it.”

So it does NOT make any sense to install it as dual boot, because of the lost security?

Best regards
qun

> I must use Windows for some tools which are available just for this
> (creepy) OS

I am in the same boat.

> The question is, does it make sense to install Qubes and Windows
> together without losing the security of Qubes?

Unless your tools require direct GPU access, I see no reason at all for
you to install Windows in parallel to Qubes. Rather I would strongly
recommend to install Windows inside a qube.

You can do this either manually or use this excellent script:

If you need to connect external devices via USB to your Windows install,
I found the easiest solution to buy another USB controller and assign it
exclusively to the Windows qube. This one works for me:
https://www.amazon.com/gp/product/B00BB7TVMO/

If you require Audio for your work in Windows, there is also a very
cheap solution that works for me:
https://www.amazon.com/gp/product/B07L56C28R/

In summary: I run a Windows 10 Enterprise install inside a qube, it is
hooked up to corporate VPN/domain and runs all the snake oil and
compliance stuff that makes IT happy. If I have to connect to Ethernet
in the office, I assign the respective controller directly to that
Windows qube. Bottom-line: for them this looks and feels exactly like
any other corporate install.

I use all kinds of exotic dongles, tracers, loggers and debuggers
directly connected to Windows through the extra USB controller. No issue
at all. And if I need to be on a Teams/WebEx conference with
screen-sharing I use the audio dongle mentioned above.

So you have all the advantages you could possibly hope to have by
running Windows bare metal in parallel, but you don’t actually do that.
It’s in a qube and has no way to access anything else stored on your
hard drive (happy thought – right?)

Also, you can tell the Windows qube to run fullscreen on a dedicated
workspace so you can switch between Windows and your Qubes world just by
switching the workspace.

Finally with Qubes Windows Tools installed you have the secure Qubes
clipboard and can send/receive files via the respective Qubes mechanism
(receiving requires that your user is named “user” … which might not
work out in a corporate setup … but I am sure there is a way to fix
that with a registry entry or something).


There is this disclaimer:

Pretty much this. It’s also in the Frequently asked questions (FAQ) | Qubes OS

This seems to be the best solution… the problem is that I edit photos and think that the workflow will be rather bad in a VM. But I will test it in the next few days. Thanks!

I think performance will mostly be a function of how much memory you can assign and whether you have an SSD or not. I have 4 GB assigned.

Also I am using a 4K monitor but the max. resolution I can set the Windows qube to is 2560x1600. Out of curiosity I just played a YouTube video fullscreen in that qube and it was fluid. My specs are already 4+ years old.

I think it’ll be fine.

hmmm, ok… I’ll try it! Thanks!

I tried to install everything with the mentioned script and it gets stuck on downloading Windows… So I just stopped this step with Ctrl+C, the rest of the installation seems to work.
Now I am waiting for the ordered Win10-DVD and will install it… hmm… where?
Should I install it on the windows-mgmt? I suppose not.

> Now I am waiting for the ordered Win10-DVD and will install it… hmm…
> where?

I just downloaded the ISO directly from Microsoft using their tool on
another Windows PC. No reason to order or wait.

https://www.microsoft.com/en-us/software-download/windows10

> Should I install it on the windows-mgmt? I suppose not.

No, you just place the ISO file into dom0. You won’t run it from there,
it just gets mounted to the new qube when the install runs.

./qvm-create-windows-qube.sh -i windows10.iso -a win10x64-pro.xml my-win-qube

The GUI started, but
I get "failed to initialize private.img".
I can not format the D partition.
But this seems to be the “normal bug”.

After that the vm starts without GUI.
As it seems there is no GUI for the win10, because of the drivers, isn’t it?
But it also starts no apps in it (notepad for example)

#Edit: qvm-features <windows_qube> gui 1
helps for the GUI problem

So it works… but now I must manage my RAM in Qubes, to give the win-vm more than 4GB… hope I have so much :smiley:

Is there a possibility to get a file to the win-vm?
I can not connect USB to it.
So I need the mentioned express card? No other way?

And how can I use full screen or just make the screen bigger?

One more question:
How can I assign the 34mm card exclusively to the win-vm? (just ordered one)

> Is there a possibility to get a file to the win-vm?

If your Windows user is called ‘user’ it should just work by the normal
‘copy to another VM’ mechanism

aka

qvm-copy

/Sven

ah,ok, it works well.

But what about fullscreen? I can not even change the size of the GUI-window of the windows-vm. The entry in guid.conf has no effect.

The 35mm USB-Controller works very well! Just added it from the list of PCI devices in the vm settings. But sometimes the VM doesn’t want to start. It shows: “unknown headertype ‘127’”

Still no idea about the fullscreen possibility or just bigger window.
I can set it in Windows (resolution), but 1920x1080 is impossible, because of the height. I can not see the Windows bar then. So the highest resolution within Windows is 1280x1024.

Is there any important difference between the installation script above and the manual installation? Any security advantages or something like that? I made a manual installation to get more space on C and installed win-tools. Everything seems to work.

My laptop screen is 1080p and when working with just that screen I set Windows to 1080p and then right click the Qubes Window Title of the VM. Then select ‘fullscreen’.

This works best if you have multiple workspaces and reserve one of them for Windows.


If the Windows user is called other than user, you have to set
qvm-prefs <VMname> default_user <username>
Then file copy works in both directions.

Thanks, file copy works well.
And yeesss, I got fullscreen! Thanks Sven!
By setting to 1080 I could not see a bit of the screen, because of the Qubes bar, but after right clicking and setting fullscreen it works perfectly! So the fullscreen mode works only if the resolution passes to the resolution of the laptop as I understand.

> If the Windows user is called other than user, you have to set
> qvm-prefs <VMname> default_user <username>
> Then file copy works in both directions.

Excellent! Many thanks!

By the way… sometimes (nearly always) I get an error if I want to mount the express card USB controller with the Windows VM and it can not start.

I select just the USB controller I bought (there are also other USB controllers on the list, I think they are from the mainboard) and start the VM.

start failed: internal error: unknown PCI header type ‘127’ see /var/log/libvirt/libxl/libxl-driver.log for more blabla

2021-06-23 22:31:41.484+0000: libxl: libxl_pci.c:1520:do_pci_remove: xc_physdev_unmap_pirq irq=16: Invalid argument
2021-06-23 22:31:41.486+0000: libxl: libxl_pci.c:1202:libxl__device_pci_reset: The kernel doesn't support reset from sysfs for PCI device 0000:00:14.0
2021-06-23 22:31:53.397+0000: libxl: libxl_pci.c:1202:libxl__device_pci_reset: The kernel doesn't support reset from sysfs for PCI device 0000:00:14.0

You probably need the --option no-strict-reset=true parameter when
assigning the USB controller to the HVM.

If you are using the GUI there is a button at the bottom of the dialog
that allows you to do the same.

It was automatically set in the GUI, but I also can not unset it.
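
Added example, not part of any post in this thread: a small dom0-side shell helper that pulls out of libxl-driver.log the PCI addresses for which libxl reported no sysfs reset, and prints each one next to the dom0:BB_DD.F form shown in the Qubes PCI device list, so it can be compared with the controller that was meant to be assigned. The sample log is constructed from the lines quoted above; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample, modelled on the libxl-driver.log lines quoted in the thread.
SAMPLE_LOG='2021-06-23 22:31:41.484+0000: libxl: libxl_pci.c:1520:do_pci_remove: xc_physdev_unmap_pirq irq=16: Invalid argument
2021-06-23 22:31:41.486+0000: libxl: libxl_pci.c:1202:libxl__device_pci_reset: The kernel doesn'\''t support reset from sysfs for PCI device 0000:00:14.0
2021-06-23 22:31:53.397+0000: libxl: libxl_pci.c:1202:libxl__device_pci_reset: The kernel doesn'\''t support reset from sysfs for PCI device 0000:00:14.0'

# Read a libxl log on stdin and print each distinct PCI address
# (domain:bus:device.function) that libxl could not reset via sysfs.
no_reset_devices() {
    sed -n 's/.*libxl__device_pci_reset: .*reset from sysfs for PCI device \([0-9a-fA-F]\{4\}:[0-9a-fA-F]\{2\}:[0-9a-fA-F]\{2\}\.[0-7]\).*/\1/p' \
        | sort -u
}

# Convert 0000:00:14.0 into the dom0:00_14.0 form (assumed Qubes 4.x
# device naming, as shown by the PCI device list in the VM settings).
to_qubes_ident() {
    printf '%s\n' "$1" \
        | sed 's/^[0-9a-fA-F]\{4\}:\([0-9a-fA-F]\{2\}\):\(.*\)$/dom0:\1_\2/'
}

# For every device found, also report whether the kernel currently
# exposes a per-device reset file under /sys (only meaningful in dom0).
report() {
    no_reset_devices | while read -r bdf; do
        if [ -e "/sys/bus/pci/devices/$bdf/reset" ]; then
            state="sysfs reset file present"
        else
            state="no sysfs reset file"
        fi
        printf '%s  %s  %s\n' "$bdf" "$(to_qubes_ident "$bdf")" "$state"
    done
}

# Stand-alone run on the constructed sample; on a real system use:
#   report < /var/log/libvirt/libxl/libxl-driver.log
printf '%s\n' "$SAMPLE_LOG" | report
```

A device listed here can only be attached with no-strict-reset, which drops the requirement that the device be reset before it is attached to another VM, so state left in the device by one VM is not guaranteed to be cleared for the next.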