May we get Qubes developers interested on abstracting/decoupling Qubes great functionality to be applied over other hypervisors, please.
At this point in time (hype/buzz, 2024-01 Qubes 4.2 runs exclusively over Xen), what are the main challenges to this objective? What are the pros and cons? Do we have a case (and interest) for it, please?
Some requirements not met
- Xen does not provide hibernation
- Xen is not compatible with firmwares with wider than 16bit segment number, that do nvme calls to it during boot (could be solved with a hypercall sun-function)
I have explored topic #2 in xen-devel mailing list with logs, traces, journals and ring buffer evidences:
( Xen project Mailing List : No firmware ACIP and no boot )
Same discussion on StackExchange and a Taiwanese Hardware Manufacturer:
( unix.stackexchange DOT com/questions/710400/boot-into-xen-on-debian11-initrd-trouble )
( community.acer DOT com/en/discussion/669340/acer-aspire-5-a517-52g-firmware-w-16-bit-pci-segment-size/p1?new=1 )
- Please, list more requirements not met.
A discussion on purpose and trade-offs
Having Qubes functionality over a hypervisor other than Xen, would:
- Keep the user on the same interface across laptop computers, used for different purposes, knowingly with more security and less security.
- Accelerate Qubes GUI tools development/coding.
- Serve users which Use Case emphasise VM compartmentalisation over security. And, quick VM provisioning and use. And, educational/research purposes Use Cases. And, CLI-only and CLI first Use Cases.
- Eventually offer interaction with VMs/Nodes/domains (QUEMU/KVN, QUEMU/GNS3).
- ARM Use Cases (x86 issues and ME/PSP) ( A Secure and Formally Verified Linux KVM Hypervisor ) @fiftyfourthparallel @monocasa.
- Increase the user base (in my point of view, this is a cons).
- Please, list more pros and cons.
- Please, list and detail alternative Qubes functionality Use Cases/User Profiles, and gather arguments for non-existence of such users, and make explicit (and well documented) the underlying tech limitations.
Useful resource: Who uses Qubes and Why discussion
( github DOT com/QubesOS/qubes-issues/issues/1906 )
From the Qubes FAQ ( www.qubes-os DOT org/faq/ ) :
Why does Qubes use Xen instead of KVM or some other hypervisor?
In short: we believe the Xen architecture allows for the creation of more secure systems (i.e. with a much smaller TCB, which translates to a smaller attack surface). We discuss this in much greater depth in our Architecture Specification document.
Possibly, Qubes focus has been anonymity and Whonix use. It seems that Qubes over a hypervisor other than Xen would invalidate the best use of Whonix.
( TODO Link Whonix - Xen discussion )
Challenges
It might be early to ask, but do we know how coupled/decoupled and documented are the hypervisors and Qubes functionalities, towards the integration of Qubes to a hypervisor different than Xen?
- Identify most relevant challenges.
Possible Alternative path
Requirements could be met by successfully steering Xen into delivering laptop compatible functionality, on the dot. This would mean even more Qubes community involvement with the Xen community.
Apparently, Xen is focused on servers, not laptops (mentioned by someone on the discussion on xen-devel, link above).
Is there interest on abstracting Qubes functionality to be applied over other hypervisors?