Is having a VM with Windows 11 on QubesOS a backdoor/security risk?

Hello dear community members,

I have been pondering the following topic for some time now.

I am pretty much sold on the concept of QubesOS. The idea of partitioning the major facets of one’s digital life (professional, private, citizen-government communication, banking, crypto,…) in a manner that isolates them from threats (for instance, if my wife sends me some type of meme with corruption/malware, it will not affect my work compartments). At least this is my high-level understanding of it as a layman.

Now, I am still not fully sure that it’s safe to install Windows 11 on Qubes OS VM, or any other Linux OS VM, I wonder if there are Windows backdoor mechanisms that may somehow “take over” control of the OS without the user knowing it. Call it paranoia or a reasonable question, it depends on your outlook.

For that reason I am wondering if there is a case to be made to have a separate laptop for things that you must do on Windows, vs having a dedicated VM on Linux for that.

I have not yet made the jump to QubesOS since it looks quite complicated, I have been experimenting with running a Whonix VM on Debian to get an idea of what working with VMs is like. It seems almost unusable, very blurry and laggy virtual desktop. I hope that QubesOS would be more usable, if not I can’t imagine how people use it for professional and private facets of their digital life, leading us back to the question of dedicated machines vs VMs.

Any thoughts on this?

Qubes is much more secure than other operating systems by default, and even if there are backdoors in Windows, it’s not likely to break through the virtual machine isolation. Unless a real hacking organization launches a customized attack against you using exploits.

4 Likes

The way I see it, Windows 11 is the backdoor, but it will be isolated to just that qube. Of course there is always a risk (much less than not isolating at all), but this is the specific use-case for which Qubes-OS was created - to compartmentalize, isolate and minimize risk of untrusted (read: proprietary, backdoored) software and infecting or sharing data with the rest of your applications.

Qubes will not provide any privacy advantages inside that Windows 11 qube, but Windows 11 (Microsoft, other software you install inside Windows 11) will not know about anything else happening outside of its own qube. Whonix is privacy-focused, which is why I mention it, but Windows 11 will likely know you are using Tor (if you route through Whonix). Whonix routes through Tor which in some cases and countries makes the internet sluggish, but that should not affect your note-taking app or accounting software (unless it is cloud-based).

The ideal scenario is to isolate your ‘Windows 11 Recall AI’ to not know everything you do, but if you do everything inside Windows 11 - then there will be no point. If however for example, you only use those 1 or 2 ‘employer-mandated’ apps inside Windows 11 qube, and then say use Discord in a separate Linux qube and LibreOffice Calc for your taxes in another separate Linux qube, then Windows Recall will not be able to see your Discord messages, and neither Discord nor Windows 11 will be able to see your expenses budget.

The security risk is that one application from one vendor that is infected with a virus or exploited can affect any and all other applications installed on that same system or qube.

The privacy risk is that one application from one vendor is snooping on your data from another application from a different vendor on the same system or qube.

If you don’t want one app on your system to know what you are doing in another app on the same system, then this can be a problem. Privacy and security are closely related, but not the same thing and depending on your threat-model this might be acceptable.

1 Like

Now, I am still not fully sure that it’s safe to install Windows 11 on Qubes OS VM, or any other Linux OS VM, I wonder if there are Windows backdoor mechanisms that may somehow “take over” control of the OS without the user knowing it. Call it paranoia or a reasonable question, it depends on your outlook.

A Windows backdoor would be something that allows an attacker to enter a protected area of Windows itself. So, to your question if it would allow a takeover of the OS - yes, with the important note that the OS is Windows.

As for the other question you are probably interested in - can guest-VM malware take over control of the hypervisor - to my mind, if that is possible, that would be a serious backdoor/security bug of Xen/Qubes itself, not of Windows per se. Also, that malware must be specifically designed with the assumption that it will work in a Windows VM on Xen hypervisor, perhaps taking advantage of some non-mitigated side-channel hardware vulnerabilities.

In that sense, perhaps technically it doesn’t matter whether the guest is Windows or anything else, especially considering the default password-less root access of Qubes (Linux) guests, facilitating privilege escalation. The latter relies on Xen isolation being extremely secure.

Disclaimer: I am not an expert or Qubes developer.

For that reason I am wondering if there is a case to be made to have a separate laptop for things that you must do on Windows, vs having a dedicated VM on Linux for that.

That really depends on your threat model. A separate machine with bare-metal OS would obviously not be vulnerable to VM-to-hypervisor attacks. It opens the door to other issues though, e.g. how your computer A communicates with your computer B in cases when you need to transfer data, and that is subject to a whole lot of various possible attacks as well - something which the Qubes-specific qube-to-qube data transfer mechanism is very good at, thus avoiding popular network-stack vulnerabilities and USB issues.

Any thoughts on this?

Qubes is very usable as long as your main work does not depend on GPU acceleration.

1 Like

For this, have a look at the chapter "How does Qubes OS compare to using a separate physical machine?" in the documentation FAQ.

Since currently, seamless mode is not well supported under Windows 11, you will have just the normal Windows desktop in a separate window under Qubes. If you wish, you may enlarge this window to full screen. For Linux VMs, you have the choice of several desktops, which run quite smoothly, preferably XFCE or KDE, but there are others like i3.

You can put icons on the desktop that will “shoot” you directly into an application under Windows or Linux, starting the corresponding VM if it is not already running. This feature hides quite a lot of the complexity, once it is configured.

1 Like