Qubes OS updates Weekly Review - Y2025-W26

parulin · July 8, 2025, 10:00am

It’s worth mentioning that those improvements are the result of the work of … @alimirjamali!

Some time ago, you told us that the publication might become irregular. In fact, it’s a daily newsletter now!? So the title should be something like: “Qubes OS updates Daily Review - Y2025-D186”

alimirjamali · July 8, 2025, 10:17am

While I am not 100% sure, but there are some points about the CVE:

A compromised GPU kernel could potentially read local memory values from another kernel. Qubes OS GUI daemon/agent architecture does not allow direct access to GPU from GUI client qubes. So the entire CVE should be irrelevant for Qubes OS.
The CVE-2023-4969 was found in 2023. And according to Debian security tracker, it was fixed long ago with the 20250410-2 firmware (or even before that).

barto · July 8, 2025, 10:40am

Correct! I use the workaround together with the “auto-login at boot” hack (also from the “Quick Quality of Life Improvements” thread), so I always get to the DE before all the auto-starts are launched.

likeafox · July 8, 2025, 4:27pm

@alimirjamali with the “list of new packages uploaded to Qubes OS repositories” which repositories exactly? Does it include testing repos, or is it only main ones that users will download from?

alimirjamali · July 8, 2025, 4:33pm

Very good question. The list includes everything. Stable, Testing, Unstable. R4.2, R4.3, … Debian, Fedora, Archlinux, Templates, Dom0, …

List of files is directly extracted from one of the Qubes OS mirrors via rsync protocol. The source of the script which prepares the template is here:

github.com/alimirjamali/personal-qubesos

Infrastructure/qubes-observer-tt

main

#!/usr/bin/env python3
#
# The Qubes OS Tweak Tools, https://github.com/alimirjamali/personal-qubesos
#
# Copyright (C) 2024  Ali Mirjamali <ali@mirjamali.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this program; if not, see <http://www.gnu.org/licenses/>.
#

This file has been truncated. show original

Scumbag · July 8, 2025, 6:07pm

Thanks for your reply! It is indeed an old vulnerability, but AMD just started rolling out updates for client hardware in the last 2 months. There still isn’t even an update for Windows for quite a few hardware models. And there’s another vulnerability that also needs this same process isolation mode to be fixed: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6013.html

For Qubes default configuration it does not matter of course, unless you are able to use GPU passthrough. Though with the upcoming GPU acceleration feature, this might provide more security. I didn’t find any details on how to enable the process isolation mode though.

deeplow · July 8, 2025, 6:28pm

So many features I’ve been looking forward to. This is really great to see. Thanks everyone!

SteveC · July 8, 2025, 8:54pm

OK, so in other words…if you have sys-usb, you can’t log in until it’s started. This is a good thing.

The real issue is the autostart doesn’t necessarily “do” sys-usb first; it might be after six other VMs if you want that many to autostart.

SteveC · July 8, 2025, 8:57pm

I don’t know when it was, but it was recent: Someone got the running qubes app to show when a disposable VM should be restarted/shutdown due to an updated template.

Thanks!!