As a hobby project, I would like to re-design the Qube Manager in Qt Quick and make it more flashy.
The reasons for this are:
Qube Manager is frequently used by me (and probably most other Qubes OS users).
Qube Manager looks a bit clunky in my opinion.
Qube Manager’s codebase seems not to be exposed to any DomUs and thus such a project seems to be a good starting point for me to contribute something to Qubes OS.
This topic is meant to clarify the attack surface exposed by the Qube Manager to DomUs. In other words: To what degree is Qube Manager’s codebase security-relevant?
Why this is relevant to me:
The answer to this question determines my choice of programming language for the project. I consider both C++ and Rust. While C++ seems to be the natural choice for the logic in Qt Quick programs, has an easier integration and I already know C++, using Rust would provide for better security if Qube Manager has relevant attack surface.
So: ambitious! But: this is going to be very difficult to do in not-Python, because there are no bindings for C++/Rust for the Admin API calls, so there’s also a lot of work in making those.
Plus, what do you consider clunky? I’m just not sure if changing the widget library will make it less clunky; I think it is a design issue, not a library issue.
And to the main question: well, dom0 is isolated, so I think that there is not much attack surface in Qube Manager by design.
PyQt6/QML is going to be much easier to work with, based on the existing libraries/tools. I think security-wise there is not much difference whether you work with a memory-safe language here or not, because of the dom0 isolation (the manager can run things in VMs, but not the other way round).