So I’m starting to look into Gentoo since it’s likely to be more secure than Debian and Fedora (AFAIK; I’m not too knowledgeable on this). I’ve noticed that Gentoo has a very DIY philosophy and that this applies to compiling kernels for specific uses. In Qubes OS, is it possible to compile and deploy specific kernels for specific roles?
For example, can I build a sys-net Gentoo that uses a minimal Kernel that basically can only access the ethernet device and pass-on the data?
More generally speaking, what are the limits of customization for GentooVMs on Qubes? Are we limited because Gentoo comes pre-built and configured via qubes-templates-community-testing? If not, is there really any significant difference in security between Gentoo and other available distros?
You can use the minimal template or either rebuild the template by yourself in customizing build steps but minimal is already just few steps after stage3 and with very minimal Qubes parts needed. Also, you can even try to use other Portage profiles like the hardened ones but this is untested.
For dev and testing purposes, I’ve implemented the build of each Qubes components. For example, our CI is doing that: qubes-builder/scripts/travis-build-gentoo at master · QubesOS/qubes-builder · GitHub. This is useful if you want to test to build Qubes overlay on top of hardened profiles locally (as we do for every other distributions).
If you need more help on this, maybe it is worth to rename or use another thread for that.
Thank you for the speedy reply. If my understanding is correct, the Qubes OS and Gentoo teams are looking to make in-VM kernels a possibility, and this would mean compiling kernels for specific uses is a high possibility in the near future. This sounds great. When it’s done, would the process of installing Gentoo and compiling your own kernel look like this:
Install Gentoo template on dom0
Open Gentoo template and compile customized kernel
Set Gentoo template to use customized kernel
Shut down template to save work
Open Gentoo template settings, switch to in-VM kernel
(Note that I’m not familiar with Gentoo–yet)
I really hope that in the future Qubes ships with a bunch of different kernels each customized (minimized) for specific roles (e.g. one for sys-net, one for sys-usb, etc.). This sounds easier and much more achievable than a sys-net unikernel. Come to think about it, isn’t this already possible with the current version? (e.g. create a sys-net kernel and make it a dom0 update, then select that kernel only for sys-net).
Anyways I’m open to renaming this thread as a general Gentoo Q&A thread. Having a centralized thread raises awareness (via bumps) and invites more people to try it. Let me know if you want me to do that.
Yes indeed just as easy as written . For other readers, this purpose is because someone wants to use specific Gentoo toolchains and kernels.
Well such purposes of building custom kernels can already be done. Not necessary using in-VM kernel provided by the underlying distribution like you want to do for Gentoo but using our linux-kernel (GitHub - QubesOS/qubes-linux-kernel: Qubes component: linux-kernel) component as working base. Here, you can custom the config-base (it’s the default Fedora one) and config-qubes which is merged after config-base to override Fedora values. Long time ago, Reg Tiangha made a post on devel list (https://groups.google.com/d/msg/qubes-users/yBeUJPwKwHM/CFLgGsyKBAAJ) on how to do such things. It’s a little bit deprecated as things as changed but there is still valid tips. For example, he used to create custom kernels (take a look at -slim/-hard branches GitHub - rtiangha/qubes-linux-kernel: Qubes component: linux-kernel). At some point I could redo such doc/tutorial.
Done. I added “with developer” at the end to give the thread an extra ‘oomph’–please let me know if you want this changed.
This is useful for when I decide to delve deeper, which I’m not quite ready to do right now. As a non-technical person it took me a while to work up the courage to learn Qubes, and it involved a lot of me coercing myself. This looks much more technical than learning Qubes, but I’ll get around to it eventually.
An updated document isn’t really urgent for me (can’t speak for others), so I think that working on the in-VM kernel option is much better value for your time compared to updating that doc since it also solves the same problem but in a more substantial way.
. For other readers, this purpose is because someone wants to use specific Gentoo toolchains and kernels.