Qubes OS - is it for me?

Hi, I love to play with different operating systems and I’m a distro-hopper. I just can’t stop myself from trying different operating systems. Right now I’m using NixOS.

I’m really interested in QubesOS and I love the idea behind it; also, I’m looking for challenges. But I’m not sure whether it is for my use case.

I’m doing a lot of stuff on my computer - programming, system administration, watching videos, internet browsing, music production, gaming (open source games, and I can live without them; I don’t play games too much), writing documents, and I still try new things. But I also need security and privacy, so I sometimes need to boot into TailsOS from my pendrive. It would be cool for me to have a really secure and private workstation like QubesOS.

Of course QubesOS has some cons. It needs a lot of resources, but I have a good, modern PC with an AMD Ryzen 7 7700 and 32 GB of DDR5 6400MHz RAM on an ASRock B650M motherboard. When I was using Gentoo I was able to compile software and do my work or play a video game at the same time. Performance shouldn’t be a problem for me. One thing which I hate about my hardware is that I don’t have open source motherboard firmware, which can be a huge security problem.

Also, as I heard, QubesOS doesn’t use GPU acceleration by default. I have an Nvidia RTX 4060 Ti but I’ll be changing it soon for something from AMD because of terrible support for Linux. I was always doing all my stuff requiring a GPU in KVM with GPU Passthrough.

From what I’ve seen on this forum, GPU Passthrough on Xen is possible, so as I have an integrated GPU I can use it. But is a configuration like this usable for stuff like gaming, Blender, AI etc.? People are saying that it is hard to make it work; is it really like that? There are sources on the forum on how to do this step by step, so it shouldn’t be that bad. And in this thread, which is about GPU Passthrough, there’s info that an additional keyboard or mouse is needed if we’re not planning to use VirtualGL. When I was using KVM I was just pressing a shortcut which switched my mouse and keyboard input between the machine and the VM with evdev - is that possible with Xen too? I don’t have any keyboard other than the one I’m currently using, so can I at least just switch the USB port physically or something to use it in the VM?

And how about audio production? Do any of you have experience with that on QubesOS? I’m not doing music professionally and I would like to try it.

Thank you in advance for your answers and suggestions!

1 Like

This is a security problem. If you are targeted by any of the many actors who have tooling derived from the kind of information that Intel and AMD hide behind NDAs, they will get you instantly and Qubes can not defend against this.
You can of course run NixOS or Gentoo in qubes running the Debian or Fedora templates with chroot.

You should feel encouraged to attempt pci passthrough and report details on the results and experience for the particular board you have. Some users have more than one pcie card GPU. Another computer dedicated to 3D applications (such as Blender or AutoCAD) is the strategy I would go for personally.

Audio production needs something closer to “real time” and can be sensitive to interruptions. If you are serious about audio production, this work should probably be done on a separate computer.

For all of the things you have listed, a lot more RAM is recommended.

Multiple computers can be harder for you or easier for you, subject to your mental models and how you individually reason about them.

Whonix Workstation in disposable qubes and Whonix Gateway (in AppVM qubes) can be a great alternative to Tails. But be mindful that there are differences in how much more anti-forensic Tails is.

1 Like

This is a security problem. If you are targeted by any of the many actors who have tooling derived from the kind of information that Intel and AMD hide behind NDAs, they will get you instantly and Qubes can not defend against this.

I know that. But is there any model of motherboard which can work with open source firmware and handle modern and powerful hardware like this in my computer?

Buying new hardware will be too expensive for me. Instead, a better option is to just change a few parts and have disks with separate operating systems.

1 Like

RaptorCS.

Your specific circumstances to affordability do not make the security problem that comes with closed source firmware go away. You can ignore it, but it’s still there. It’s not a Qubes thing (I am confident you already know this).

While Qubes does not defend against closed source firmware, the absence of Qubes also does not defend against closed source firmware. The closed source firmware (and the problems that come with it) are already there, right now.

1 Like

No. To exploit firmware bugs the attacker must have direct access to the underlying hardware. Qubes’ whole purpose is to prevent direct hardware access from any qube. The attacker would first need to compromise the hypervisor (Qubes OS itself) before being able to exploit firmware bugs.
@mlody that is therefore not a direct issue you have to worry about while using QubesOS.

1 Like

@mlody also, check this post of mine: Thanks, but no thanks [Kudos to Qubes and Kicksecure/Whonix, but not confident enough to use them] - #33 by qubes_is_frustration

1 Like

The history of CVEs for Intel ME and AMD PSP tells a very different story. In an ideal world, direct access to the hardware would be required to exploit those vulnerabilities, but the actual reality is very different.

1 Like

If you’re going to distro hop like that, get a usb enclosure and boot from that. You may be able to set up a hot-swappable nvme or ssd bay. Startech and Icydock make them. I’ve seen an ssd one that came built into a CoolerMaster case. Windows is probably the only os that doesn’t boot from usb. Rufus might work around that. Never tried it.

Most bioses have keys fused to their vendors. So unless signing keys leak, that makes it hard for malware to infect your boot firmware. Of course, signing keys do sometimes leak and some vendors have shipped questionable or malicious firmware. You may be able to prevent writing to boot firmware from an advanced menu, but those options tend to be in security focused hardware. You can check these things from Linux with “fwupdmgr security”.

Qubes is probably fine for most of your needs. Not gaming or ai. Probably not sound or music production either. Audio and usb go through vm proxies that may cause latency spikes. Haven’t had a problem with this video conferencing, so maybe it’s fine. As de_dust2 said, use other computers for what they’re good for. Or in your case, other boot disks.

32 gigs of ram is plenty for a bunch of light tasks, web, and programming.

For gaming, you might like the steam deck.

2 Likes

I installed QubesOS yesterday on my PC and I love it! Everything is working out of the box, which is not usual for me when using Linux. Of course QubesOS is a little bit complicated but I’m not afraid - it’s exactly what I was looking for.

I’m planning to try 3D stuff and music production on QubesOS soon. I paid 100% of the price for my computer so I will use 100% of my computer; I don’t need another PC at all.

I agree with @de_dust2 - closed source firmware is a huge security problem - I can live with it at the moment. It’s still better to have a secure operating system at least.

3 Likes
4 Likes

I used to use an older branch of blender on qubes from before the UI changes made it really slow without real acceleration. They still have that up. Some light modelling apps also work with software rendering. Wings3d for simple modeling. OpenSCAD for 3d printing. Prusa slicer also works, just slowly. Looking forward to reading what works for you.

2 Likes

Cool! Coreboot is a great option but it’s not 100% open source; also, as far as I know, coreboot only gives the possibility to remove Intel ME or PSP, but in most cases it is impossible. Unfortunately this motherboard is for Intel. I promised myself that if I buy any hardware in the future it will be fully open source. Right now I have to deal with what I have :)

1 Like

Coreboot is open-source boot firmware:

Related:

2 Likes