Qubes OS updates Weekly Review - Y2025-W16
Introduction
Weekly review of new packages uploaded to Qubes OS repositories. Link to previous version here.
Alphabetically sorted list of new packages uploaded to Qubes OS repositories
libqrexec-utils4_4.3.6-1+deb12u1_amd64.deb
libqrexec-utils4_4.3.6-1+deb13u1_amd64.deb
libqrexec-utils4_4.3.6-1+jammy1_amd64.deb
libqrexec-utils4_4.3.6-1+noble1_amd64.deb
libqrexec-utils4-dbgsym_4.3.6-1+deb12u1_amd64.deb
libqrexec-utils4-dbgsym_4.3.6-1+deb13u1_amd64.deb
libqrexec-utils-dev_4.3.6-1+deb12u1_amd64.deb
libqrexec-utils-dev_4.3.6-1+deb13u1_amd64.deb
libqrexec-utils-dev_4.3.6-1+jammy1_amd64.deb
libqrexec-utils-dev_4.3.6-1+noble1_amd64.deb
python3-dnf-plugins-qubes-hooks-4.3.23-1.fc40.noarch.rpm
python3-qrexec_4.3.6-1+deb12u1_amd64.deb
python3-qrexec_4.3.6-1+deb13u1_amd64.deb
python3-qrexec_4.3.6-1+jammy1_amd64.deb
python3-qrexec_4.3.6-1+noble1_amd64.deb
python3-xen-4.19.2-1.fc41.x86_64.rpm
qubes-core-agent_4.3.23-1+deb12u1_amd64.deb
qubes-core-agent_4.3.23-1+deb13u1_amd64.deb
qubes-core-agent-4.3.23-1.fc40.x86_64.rpm
qubes-core-agent-4.3.23-1.fc41.x86_64.rpm
qubes-core-agent-4.3.23-1.fc42.x86_64.rpm
qubes-core-agent_4.3.23-1+jammy1_amd64.deb
qubes-core-agent_4.3.23-1+noble1_amd64.deb
qubes-core-agent-caja_4.3.23-1+deb12u1_amd64.deb
qubes-core-agent-caja_4.3.23-1+deb13u1_amd64.deb
qubes-core-agent-caja-4.3.23-1.fc40.x86_64.rpm
qubes-core-agent-caja-4.3.23-1.fc41.x86_64.rpm
qubes-core-agent-caja-4.3.23-1.fc42.x86_64.rpm
qubes-core-agent-caja_4.3.23-1+jammy1_amd64.deb
qubes-core-agent-caja_4.3.23-1+noble1_amd64.deb
qubes-core-agent-dbgsym_4.3.23-1+deb12u1_amd64.deb
qubes-core-agent-dbgsym_4.3.23-1+deb13u1_amd64.deb
qubes-core-agent-dom0-updates_4.3.23-1+deb12u1_amd64.deb
qubes-core-agent-dom0-updates_4.3.23-1+deb13u1_amd64.deb
qubes-core-agent-dom0-updates-4.3.23-1.fc40.noarch.rpm
qubes-core-agent-dom0-updates-4.3.23-1.fc41.noarch.rpm
qubes-core-agent-dom0-updates-4.3.23-1.fc42.noarch.rpm
qubes-core-agent-dom0-updates_4.3.23-1+jammy1_amd64.deb
qubes-core-agent-dom0-updates_4.3.23-1+noble1_amd64.deb
qubes-core-agent-nautilus_4.3.23-1+deb12u1_amd64.deb
qubes-core-agent-nautilus_4.3.23-1+deb13u1_amd64.deb
qubes-core-agent-nautilus-4.3.23-1.fc40.x86_64.rpm
qubes-core-agent-nautilus-4.3.23-1.fc41.x86_64.rpm
qubes-core-agent-nautilus-4.3.23-1.fc42.x86_64.rpm
qubes-core-agent-nautilus_4.3.23-1+jammy1_amd64.deb
qubes-core-agent-nautilus_4.3.23-1+noble1_amd64.deb
qubes-core-agent-networking_4.3.23-1+deb12u1_amd64.deb
qubes-core-agent-networking_4.3.23-1+deb13u1_amd64.deb
qubes-core-agent-networking-4.3.23-1.fc40.noarch.rpm
qubes-core-agent-networking-4.3.23-1.fc41.noarch.rpm
qubes-core-agent-networking-4.3.23-1.fc42.noarch.rpm
qubes-core-agent-networking_4.3.23-1+jammy1_amd64.deb
qubes-core-agent-networking_4.3.23-1+noble1_amd64.deb
qubes-core-agent-network-manager_4.3.23-1+deb12u1_amd64.deb
qubes-core-agent-network-manager_4.3.23-1+deb13u1_amd64.deb
qubes-core-agent-network-manager-4.3.23-1.fc40.noarch.rpm
qubes-core-agent-network-manager-4.3.23-1.fc41.noarch.rpm
qubes-core-agent-network-manager-4.3.23-1.fc42.noarch.rpm
qubes-core-agent-network-manager_4.3.23-1+jammy1_amd64.deb
qubes-core-agent-network-manager_4.3.23-1+noble1_amd64.deb
qubes-core-agent-passwordless-root_4.3.23-1+deb12u1_amd64.deb
qubes-core-agent-passwordless-root_4.3.23-1+deb13u1_amd64.deb
qubes-core-agent-passwordless-root-4.3.23-1.fc40.noarch.rpm
qubes-core-agent-passwordless-root-4.3.23-1.fc41.noarch.rpm
qubes-core-agent-passwordless-root-4.3.23-1.fc42.noarch.rpm
qubes-core-agent-passwordless-root_4.3.23-1+jammy1_amd64.deb
qubes-core-agent-passwordless-root_4.3.23-1+noble1_amd64.deb
qubes-core-agent-selinux-4.3.23-1.fc40.noarch.rpm
qubes-core-agent-selinux-4.3.23-1.fc41.noarch.rpm
qubes-core-agent-selinux-4.3.23-1.fc42.noarch.rpm
qubes-core-agent-systemd-4.3.23-1.fc40.x86_64.rpm
qubes-core-agent-systemd-4.3.23-1.fc41.x86_64.rpm
qubes-core-agent-systemd-4.3.23-1.fc42.x86_64.rpm
qubes-core-agent-thunar_4.3.23-1+deb12u1_amd64.deb
qubes-core-agent-thunar_4.3.23-1+deb13u1_amd64.deb
qubes-core-agent-thunar-4.3.23-1.fc40.x86_64.rpm
qubes-core-agent-thunar-4.3.23-1.fc41.x86_64.rpm
qubes-core-agent-thunar-4.3.23-1.fc42.x86_64.rpm
qubes-core-agent-thunar_4.3.23-1+jammy1_amd64.deb
qubes-core-agent-thunar_4.3.23-1+noble1_amd64.deb
qubes-core-dom0-4.3.24-1.fc41.noarch.rpm
qubes-core-dom0-4.3.25-1.fc41.noarch.rpm
qubes-core-dom0-linux-4.3.15-1.fc41.x86_64.rpm
qubes-core-dom0-linux-kernel-install-4.3.15-1.fc41.x86_64.rpm
qubes-core-dom0-vaio-fixes-4.3.15-1.fc41.x86_64.rpm
qubes-core-qrexec_4.3.6-1+deb12u1_amd64.deb
qubes-core-qrexec_4.3.6-1+deb13u1_amd64.deb
qubes-core-qrexec-4.3.6-1.fc40.x86_64.rpm
qubes-core-qrexec-4.3.6-1.fc41.x86_64.rpm
qubes-core-qrexec-4.3.6-1.fc42.x86_64.rpm
qubes-core-qrexec_4.3.6-1+jammy1_amd64.deb
qubes-core-qrexec_4.3.6-1+noble1_amd64.deb
qubes-core-qrexec-dbgsym_4.3.6-1+deb12u1_amd64.deb
qubes-core-qrexec-dbgsym_4.3.6-1+deb13u1_amd64.deb
qubes-core-qrexec-devel-4.3.6-1.fc40.x86_64.rpm
qubes-core-qrexec-devel-4.3.6-1.fc41.x86_64.rpm
qubes-core-qrexec-devel-4.3.6-1.fc42.x86_64.rpm
qubes-core-qrexec-dom0-4.3.6-1.fc41.x86_64.rpm
qubes-core-qrexec-libs-4.3.6-1.fc40.x86_64.rpm
qubes-core-qrexec-libs-4.3.6-1.fc41.x86_64.rpm
qubes-core-qrexec-libs-4.3.6-1.fc42.x86_64.rpm
qubes-core-qrexec-vm-4.3.6-1.fc40.x86_64.rpm
qubes-core-qrexec-vm-4.3.6-1.fc41.x86_64.rpm
qubes-core-qrexec-vm-4.3.6-1.fc42.x86_64.rpm
qubes-core-qrexec-vm-selinux-4.3.6-1.fc40.x86_64.rpm
qubes-core-qrexec-vm-selinux-4.3.6-1.fc41.x86_64.rpm
qubes-core-qrexec-vm-selinux-4.3.6-1.fc42.x86_64.rpm
qubes-mgmt-salt-dom0-qubes-infrastructure-4.2.1-1.fc37.noarch.rpm
qubes-mgmt-salt-dom0-qubes-infrastructure-4.2.1-1.fc41.noarch.rpm
qubes-vm-core-4.3.23-1-x86_64.pkg.tar.zst
qubes-vm-dom0-updates-4.3.23-1-x86_64.pkg.tar.zst
qubes-vm-keyring-4.3.23-1-x86_64.pkg.tar.zst
qubes-vm-networking-4.3.23-1-x86_64.pkg.tar.zst
qubes-vm-passwordless-root-4.3.23-1-x86_64.pkg.tar.zst
qubes-vm-qrexec-4.3.6-1-x86_64.pkg.tar.zst
qubes-vm-xen-4.19.2-1-x86_64.pkg.tar.zst
xen-4.19.2-1.fc41.x86_64.rpm
xen-devel-4.19.2-1.fc41.x86_64.rpm
xen-doc-4.19.2-1.fc41.noarch.rpm
xen-hypervisor-4.19.2-1.fc41.x86_64.rpm
xen-libs-4.19.2-1.fc41.x86_64.rpm
xen-licenses-4.19.2-1.fc41.x86_64.rpm
xen-runtime-4.19.2-1.fc41.x86_64.rpm
Highlights
- Better Intel SR-IOV pass-through support
- Final implementation of PCI Device Path assignments
- Continuation of Qubes Air development
Details
In addition to the usual minor fixes and patches (full list here):
-
core-admin v4.3.24 & v4.3.25 (r4.3)
. Two updates to the core in one week. One is to wrap-up and finish PCI Device Path implementation. The other is continuation of RemoteVM (Qubes Air) implementation.
. The behaviour ofqvm-pcior PCI device IDs in HVM qube setting is going to change if they are connected to a PCI hub. How this works is documented in the PR.
. Implementation ofRemoteVMintroducesrelayvmandtransport_rpcproperties. -
vmm-xen v4.19.2-1 (r4.3)
. Xen upgraded from 4.19.1 to 4.19.2
. Small but significant patch to allow Intel SR-IOV pass-through.
. A patch for devices without legacy IRQ. -
core-agent-linux v4.3.23 (r4.3)
Fixing a bug withaptbased TemplateVMs which did not receive update availability notification via their child AppVM automatic periodic checks. -
core-admin-linux v4.3.15 (r4.3)
. Assuring PCI assignments based on the new PCI Device Path is properly implemented at boot time.
. Assuring keyboard with Renesas USB controller are available at boot time to unlock LUKS password.
Epilogue
Users have been reporting success with SR-IOV pass-through and they are enjoying GPU acceleration with it in their qubes. If you want to use it, just use it for trusted qubes and wait for Qubes OS VirtIO Native Context to be developed for other use cases. While it is debated that SR-IOV presents a smaller attack surface within the virtualization layer, Qubes OS does not guaranty Intel’s implementation. Theoretically a malicious program could breach shared Intel’s silicon from a compromised qube and have access to main sys-gui-gpu (which could be dom0).