How does Qubes OS work?

Thank you so much for your reply.
1- So, the Qubes OS itself has not been hardened. Some Linux distributions are hardened by default.

2- You said “You can have several VMs, some of which are based on Debian and some on Fedora.”, I don’t mean VM, I mean is Qubes OS itself. What kind of Linux is it based on?

3- How many VM templates are there? The Qubes OS is just 6 GB.

4- I meant do you have all these programs (Internet browser, LibreOffice and etc.) in AdminVM?

Thanks again.
Did you read Downloads disabled as we are still developing Citadel and the new Subgraph OS. Check back soon for a new release.?

When was this written?

Why would you need hardening of “Qubes OS itself” if you never run anything in dom0 (AdminVM)?

I explained above that it’s based on Xen. It’s also explained in the FAQ, which I linked and the post of @adw above. Perhaps you could reformulate your question; why exactly you are asking?

Fedora and Debian.

No, and you shouldn’t.

There must be a quick way to describe “what is Qubes” for technical people who know what Linux and Xen are. “Qubes OS is its own thing” is not very helpful. FAQ itself says that “more of a “Xen distribution” than a Linux one”, and I think it’s a perfect short-cut in such case. I also linked the FAQ for more information that it’s not simply Xen.

In principle, Ubuntu is getting further and further from Debian, see snaps. “Based on Debian” is not supposed to explain everything, only to give an idea how to start thinking.

Ok, one last attempt to reason with you:

  1. last commit to citadel happened on April 2, 2019

  2. the issue tracker has been archived on March 11, 2021

  3. one of the developers answered in 2019:

… checking his github the last commit to citadel was on May 10, 2021.

1 Like

Thanks again.

1- About “When was this written?”, you can check it.

2- About “Why would you need hardening of “Qubes OS itself” if…”, so, applications like Internet browser, LibreOffice and etc. are not run in the Dom0. Am I right?
Why do you trust Dom0? To harden Linux, it is necessary to enable or disable some parameters in the kernel, some services, and apply some firewall rules.

3- About “I explained above that it’s based on Xen. It’s also…”, Xen is just a Hypervisor that you can install it on GNU or BSD. For the Qubes OS, Xen Hypervisor installed on Fedora or Debian?

4- Why did the Qubes OS team choose GNU, not BSD or even Solaris?

Thanks again.
Maybe they are working privately. Who knows?
Why is their website still up?

For the sake of clarity for future folks interested in both parts of the conversation: should we split this topic and move the last part to the All around Qubes category?

It seems to me that the conversation has moved away from the original “How does Qubes OS work?” topic a number of posts ago and that splitting wouldn’t be too difficult.

1 Like

Why don’t you just post the answer then?

Sun Jul 28 21:30:50 2019

At this point I have to think you are simply trolling (on this point).

Dom0 is isolated from domUs. DomUs can access only a few interfaces, such as Xen, device backends (in the dom0 kernel and in other VMs, such as the NetVM), and Qubes tools (gui-daemon, qrexec-daemon, etc.). These components are security-critical, and we provide updates for all of them (when necessary), regardless of the support status of the base distribution. For this reason, we consider it safe to continue using a given base distribution in dom0 even after it has reached end-of-life (EOL).

Xen runs below the OS. So Fedora is the OS in the Admin VM. This is basic stuff posted multiple times now in this thread.

Qubes aims to be as free as possible without sacrificing security . All of the code created by the Qubes OS Project itself is 100% free.

… all this stuff is answered in the FAQ.

Nope. This is not “All Around Qubes” material. Just ignore that little nitpicking about Subgraph OS. It ought to be settled to death at this point.

The two Whonix templates (Gateway and Workstation) are also included in the ISO, which helps to explain the size.



You harden Linux in order to run something untrusted on it. When you don’t run anything on it, there is no reason to harden it. Also, a lot of software is removed from Fedora in dom0, decreasing the attack surface.

If you are talking about operating system in VMs, this choice allows to run any software designed for GNU/Linux in VMs. And you can in principle run BSD. If you are talking about dom0, see this: Change the OS used in dom0 · Issue #1919 · QubesOS/qubes-issues · GitHub.


Thank you so much for your reply.

1- About “Sun Jul 28 21:30:50 2019”, maybe they are working on the project. Are you in contact with the team of its creators so that you are so sure that the project will not be developed anymore?

2- The big problems are Fedora and Red Hat. A company that always advertises against the Xen Project. I wish AdminVM didn’t use Fedora.

3- Is FreeBSD not safe or free???

Thank you so much.
One thing is very interesting to me and I want to know this. So, Dom0 only runs the main components of the operating system. It’s kind of like a jail for the kernel.
Which one of these two cases is correct:

1- Dom0 runs a Linux distribution and the rest of the applications such as the Internet browser, LibreOffice and etc. run in another Linux distribution.

2- All applications run in a Linux distribution and only Dom0 protects the kernel from interference from other applications.

Sorry if my question is strange or wrong and I could not express my meaning correctly.

Dom0 runs Fedora. The purpose of dom0 is to be the only privileged domain that can command the hypervisor. It’s the AdminVM. This is the domain where the user can command to start other domains (domU) and use Qubes OS tools to configure and control them. Dom0 is offline. It is only meant for admin purposes. It is not meant to be used for anything else.

There are other domains (domU) that can run a variety of OS. Mostly Linux based but also BSD, Windows, Android or even more exotic OS.

AppVMs: these are the qubes where the user runs applications and does their actual computing. Their /home directory is persistent, everything else is copied from the templates and doesn’t persist.

TemplateVMs: these are qubes used as templates for AppVMs. The user only installs software in them but ideally never runs it. Template VMs are offline by default and use a special proxy to install software (via apt or dnf).

ProxyVMs: these are AppVMs or DispVMs providing internet connection to other qubes when set as ‘netvm’ for that qube. These are usually system qubes.

DispVMs: have no persistence at all and use a specially prepared AppVM as template.

System qubes provide services to other qubes. Mostly this is about isolating hardware access: sys-net (Ethernet/Wi-Fi), sys-usb, sys-audio(Mic/Speaker/Headphone), sys-gui(Graphics) but can also provide non-hardware related services: sys-firewall, sys-vpn etc.

The “protection” (aka compartmentalization) comes from the hypervisor (XEN). All domains except dom0 are jails as they can’t see or interact with any other domain / qube. dom0 is the only domain that is not a jail and can see and interact with other domains. Hence it’s the adminVM/qube.

The Qubes OS idea is the security by compartmentalization into domains and providing secure ways of orchestrating them and moving data among them in a controlled way.


I think we can call it a day.

You hope Subgraph OS is not abandoned – me too. It looks like an interesting concept and I’d like to see it executed. …but I am not holding my breath.

You don’t like Fedora – me neither. In fact none of my domU run Fedora, they are all Debian. …but I don’t interact with dom0 other then using qvm- and qubes- command line tools and understand that architecturally it doesn’t make a difference security wise.

You want to point out that there are other licenses than GNU – sure there are. If you’d like to discuss the finer points of open source licenses I recommend you find another forum. This is not the place for it.


Thanks again.
1- I can’t see some parts that you said in the diagram. For example, ProxyVMs and DispVMs.

2- About “Dom0 is the only domain that is not a jail and can see and interact with other domains. Hence it’s the adminVM/qube.”, other domains? There is only one Dom0, but several DomU.

About “You hope Subgraph OS is not abandoned…”, not really. If it uses Xen Hypervisor, then I hope it will not be abandoned.

About “You don’t like Fedora…”, I did not say that Debian security is better than Fedora or vice versa, I said this because Red Hat and Fedora are enemies of the Xen Project and Debian has more packages.

No, I’m not a fan of BSD. I just wanted to know.

There is only one Dom0, but several DomU.

Yes, and the DomUs are those “other domains”

I think you’re getting hung up on terminology and I can’t blame you; because the terminology has changed over time. The diagram calls dom0 the AdminVM (I think AdminVM is becoming the “official” name for it but that’s going to be a slow process).

The diagram you linked also isn’t trying to display proxies and disposables as such so you’re not going to find them there. It’s not that they don’t exist, it’s just that the diagram is trying to show you something else. Its focus is instead on the interactions and interrelations between qubes (VMs, domains) rather than on what kind of VMs they are.

It depicts a collection of domains (or VMs, or qubes…again, a terminology change in progress). As it turns out, however, depending on your installation and how you’ve set things sup, AppVM 1, AppVM2, and the other AppVM2 might be disposables, or might not be. (The default is that they’ll be regular AppVMs, not disposables.) Also sys-firewall, sys-usb, and sys net might be disposables (they are on my system) as well as being proxies. Sys whonix is a regular AppVM as well as being a proxy.

1 Like

1 is correct.
2 is not: All apps run in VMs isolated with Xen and hardware virtualization.

In other words, AdminVM (Dom0) is the only domain with all privileges and can see and manage all VMs (domUs). For security, it runs no apps and has no network.