How to Install Any Linux Distro from an ISO on Qubes

Continuing the discussion from Any easier way to install ubuntu or kubuntu?:

Great that you have the templates up btw! That’s nice. But why can’t anyone just install .iso files? Is that hard to implement? It’s not virtualbox, but kind of similar right…

Hi @bxkapjaiz2,

It is possible to install any OS from an ISO as a StandaloneVM, but that’s a trade-off:

  • A TemplateVM is used as a template to create the AppVM that you’ll actually use day-to-day. That provides security benefits that are at the core of Qubes OS. It is also easy to update multiple AppVMs by updating a single TempkateVM, which is convenient. But such a TemplateVM requires integration with Qubes OS, so they are significantly more complex to create by yourself, and using the default templates (which maintained by the Qubes OS team) is recommended.

  • A StandaloneVM is similar with other VMs you may have used outside Qubes OS. The trade-off: you don’t get the security benefits from using a template, and you don’t get the convenience of maintenance either. (But it’s not worse than maintaining any other VM you’ve used in the past outside Qubes OS.)

If you’re interested into creating a StandaloneVM with Ubuntu, you can take a look at how the SecureDrop team does it to create a StandaloneVM and Boot into the installation ISO.

Notes:

  • The VM in the example is called sd-staging-base-focal, you can give it any name you want.
  • You likely want to use Ubuntu’s default kernel, so skip the line: qvm-prefs sd-staging-base-focal kernel ''

If that sounds like what you want to do but are not sure how to use those instructions, let me know! :slight_smile:

2 Likes

Aha! Ok, so that’s how it works. Cool. I will need to try that. :slight_smile:
About the security of Qubes…
Let’ say someone wanted your credit card or passwords on your machine…
If one tries to hack Qubes, and i don’t even know if it’s easy or hard for hackers to get into Qubes. Might even be easy…
But do they need to attack dom0 first then? And dom0 runs fedora right… So they attack dom0, and then they need to access som domain app vm after that? Or do they need to attack some templateVM? Internet is off there though…
Could they easily hack and access the vault? That’s also offline…

Please tell me a bit on how hackers or crackers would hack Qubes, and do they find it easy or hard compared to a laptop with a regular OS like linux mint as an example…
Qubes is way harder to hack right?

I don’t really understand how it looks when it comes to layers hackers need to get through if they even can. Thanks for the explanation!

Also… A standalone VM from an iso is still behind dom0, so it’s one layer more secure then if a regular laptop had the iso installed regularly on some laptop right…

Awesome! There is a lot to learn, you’ll see it’s a very interesting space! Don’t hesitate to update this thread with your findings or related questions.


On your second question: the forum has many topics that will explain this better than I do. It’s easy to miss, but the search feature works great actually!

If you don’t find what you look for, it’s fine! Just please open a separate topic, that makes it easier for everyone to find answers after the fact.

The line between what’s a related question and what’s a separate topic is a jugement call, but you’ll get a feeling for it over time, and a tidy forum with smaller, focused topics is more useful for everyone :slightly_smiling_face:

1 Like

It is not more secure in itself, it is the same as that operating system (e.g. Ununtu) anywhere else. But of it gets compromised, it cannot affect other VMs, or dom0 (unless there is a flaw that we’re not aware of), so the information you keep in the other VMs is overall safer. It is the core of security through compartimentaization: when things that are kept separate fail, not everything fails at the same time. Does that makes sense?

1 Like

Thanks!

Yes. Great answers. Thanks for taking your time to answer. :slight_smile: take care.

2 Likes

There’s a bit more to it. There are also standaloneVMs that are integrated into Qubes. The integration not only allows you to have the Template and App qubes based on it as @gonzalo-bulnes mentioned but also having windows run seamlessly – which means you don’t see the VM in full screen with desktop and all. Instead you see the windows individually and can move them around other VM’s windows.

Meanwhile, a Hardware-assisted Virtual Machine (HVM), also known as a “Fully-Virtualized Virtual Machine,” utilizes the virtualization extensions of the host CPU. These are typically contrasted with Paravirtualized (PV) VMs.

HVMs allow you to create qubes based on any OS for which you have an installation ISO, so you can easily have qubes running Windows, *BSD, or any Linux distribution. You can also use HVMs to run “live” distros.

You can read more about it here:

1 Like

A standalone may be created by cloning from a template. It can also be
created from an ISO installation.
To create a qube by installing from an ISO you will need a HVM, as
explained on that page.

If the HVM uses, or is based on, a supported distro, then you
may be able to install the relevant qubes packages, to support
normal qubes features and operations, like copying between qubes.
It isn’t guaranteed that this will work.

For a standalone created from a template, it almost certainly
will work.

3 Likes