Summary: Qubes OS Virtualization Challenges (2025)

Installation Attempts

Our 2025 efforts to install multiple versions of Qubes OS (4.2, 3.2, and 3.0) through virtualization proved consistently unsuccessful across several platforms:

• UTM (macOS virtualization)
• VMware Fusion 25
• VMware Fusion 13

Core Issues Encountered

None of the attempted configurations resulted in a functional Qubes OS environment. Critical failures included:

• Non-functional App VMs - Application virtual machines failed to initialize or operate properly
• sys-net networking issues - System networking VM did not establish connectivity
• Overall Qubes framework collapse - The fundamental Qubes architecture failed to operate within nested virtualization

Hardware Abstraction Problems

A significant challenge emerged around hardware-specific service dependencies. Qubes OS relies heavily on direct hardware access for its security model, particularly for:

• Network isolation
• Hardware-based virtualization features (VT-x/AMD-V, VT-d/AMD-Vi)
• Graphics and peripheral management

These services must be deprecated or adapted when running in virtualized environments, but such adaptations fundamentally compromise Qubes’ security architecture.

Final Attempt: Double Virtualization

As a last resort, we attempted a nested VM approach - running Qubes inside a Windows 7 virtual machine. This double-virtualization layer also failed to produce a working operating system, likely due to:

• Excessive virtualization overhead
• Loss of required CPU features through nested translation
• Network and storage abstraction conflicts

Recommendations for Future Reference

Need for Comprehensive VM Guide

There is a critical gap in documentation for installing Qubes OS via virtualization. A future guide should address:

1. Current Limitations Matrix

• ISO compatibility with major hypervisors
• VM platform requirements vs. Qubes requirements
• Version-specific incompatibilities

2. Technological Obsolescence Factors

• Deprecated Qubes versions (3.x series) vs. modern hypervisors
• Legacy hardware assumptions in older ISOs
• Support lifecycle mismatches

3. Corporate Responsibility & Critical Use Limitations

• Clear documentation of unsupported configurations
• Liability and security implications of VM-based Qubes
• When virtualized Qubes defeats the security purpose

Conclusion

Bare-metal installation remains the only viable path for functional Qubes OS deployment. The security model fundamentally requires direct hardware access, making VM-based installations unreliable at best and counterproductive to Qubes’ core mission at worst. Future attempts should focus exclusively on dedicated hardware installations unless significant architectural changes are made to support virtualized environments.

Addendum: The Case for a Virtualized Qubes OS Edition

The DMA Attack Paradox

While Qubes OS developers rightfully emphasize Direct Memory Access (DMA) attacks and chipset-level vulnerabilities as reasons to avoid virtualization, this perspective creates a significant gap in serving real-world user needs.

The False Binary

The current stance presents security as binary: either accept complete hardware security or have nothing. This ignores the reality that:

• Perfect security is unattainable - Even bare-metal installations face chipset vulnerabilities, firmware risks, and supply chain compromises
• Practical security needs vary - Not every user faces nation-state adversaries requiring hardware-level protection
• VM isolation offers substantial benefits - Hypervisor separation provides meaningful security for common threat models

Real-World Use Cases Being Ignored

The Professional/Personal Separation Need

Many users simply want to:

• Separate work and private life on a single machine
• Change MAC addresses between contexts
• Run App VMs for public, private, and untrusted activities
• Compartmentalize browser sessions and applications

These users aren’t protecting state secrets—they’re protecting against:

• Work laptop monitoring invading personal browsing
• Accidental data leakage between contexts
• Malware spreading from untrusted downloads
• Privacy invasions from tracking and profiling

Why VM-Based Qubes Makes Sense Here

For these use cases, the security model doesn’t require hardware-level DMA protection. The threats are:

• Application-level (malicious websites, documents)
• Network-level (tracking, interception)
• OS-level (credential theft, persistence)

A VM-based Qubes installation adequately addresses these threats while remaining accessible to users without dedicated hardware.

The Urgent Need: Qubes VM Edition Before 2026

Product Differentiation Strategy

Qubes OS should offer two distinct editions:

1. Qubes OS Professional (Bare-Metal)

• For power users and high-security requirements
• Full hardware security model
• DMA attack mitigation
• Complete Xen architecture

2. Qubes OS Personal (VM-Compatible)

• Explicitly designed for nested virtualization
• Optimized for VMware, VirtualBox, UTM, Hyper-V
• Reduced hardware assumptions
• Clear documentation of security trade-offs

What VM Edition Must Include

• Tested VM configurations across major hypervisors
• Simplified sys-net that works without hardware PCI passthrough
• Pre-configured App VM templates ready to use
• MAC address randomization that functions in virtual networking
• Explicit compatibility matrix (hypervisor versions, host OS requirements)
• Installation guide addressing common virtualization pitfalls

Addressing the Developer Counterargument

“It Defeats the Purpose”

Response: The purpose isn’t monolithic. Qubes serves multiple security models:

• State-level threats → Bare-metal required
• Corporate/personal separation → VM sufficient
• Malware containment → VM sufficient
• Privacy compartmentalization → VM sufficient

“Hardware Limitations Are Fundamental”

Response: Then work within them pragmatically:

• Document what security properties remain in VM deployment
• Optimize for the 80% use case instead of abandoning it
• Let users make informed choices about their threat models

“We Don’t Have Resources”

Response: The current approach wastes user resources:

• Countless hours attempting unsupported VM installations
• Community fragmentation around workarounds
• Potential users abandoning Qubes entirely

The Consumer Rights Argument

We Deserve Usable Security

Hardware weaknesses should not gatekeep basic compartmentalization.

Users seeking to:

• Separate banking from entertainment browsing
• Isolate work email from personal accounts
• Test suspicious files in disposable VMs
• Maintain different online identities

…should not be told “buy dedicated hardware or go without.”

The 2026 Deadline

By 2026, Qubes OS should provide:

1. Official VM Edition ISO tested on major hypervisors
2. Comprehensive VM Installation Guide covering:

• Host system requirements
• Hypervisor configurations
• Performance tuning
• Troubleshooting common issues

3. Clear Security Model Documentation explaining:

• What protection VM deployment provides
• What protection it doesn’t provide
• Threat model suitability assessment

4. Community Support acknowledging VM users as legitimate

Conclusion: Democratizing Compartmentalization

Security through compartmentalization shouldn’t require hardware privilege.

The chipset vulnerabilities and DMA attack vectors that concern power users are orthogonal to the everyday security needs of people wanting to separate their digital lives. A VM-compatible Qubes edition would:

• Expand the user base dramatically
• Provide practical security to those who need it most
• Maintain the bare-metal option for high-security users
• Fulfill Qubes’ mission of making security accessible

The perfect must not be the enemy of the good. A VM-compatible Qubes OS that provides 70% of the security with 10% of the hardware commitment would serve vastly more people than the current approach that provides 100% security to the 1% who can dedicate hardware.

If I read your post correctly, you’re “demanding” (TBH in not the best tone) that nested virtualization is officially supported.

While ideal that more can benefit from Qubes’ security and hardware compatibility is a challenge, I don’t think nested virt is the answer. At some point Qubes was trying to abstract away from Xen, so it could eventually be compatible with KVM. IMO this is a more worthy endeavour to have a “Qubes Lite”.

You did a lot of effort to find out the obvious:

Qubes OS does not supports nested virtualization.

Even the google AI would tell this

And the reason is very simple: it not makes any sense in practice. Moreover, it goes against the main point of Qubes OS.

Did you just missed to read the FAQ?

Sorry but this is just AI slop. You could have written this in one paragraph.

Proxmox should be able to virtualize Qubes OS, it’s handy for development or training but not for production use.

on M4 Mac (ARM architecture), I cannot install Proxmox VE natively, because it requires x86_64 hardware. Note all of these efforts were focused on thet need to bypass ARM which remains unsupported by Qubes.

Actually any hypervisor ‘can do’ that - If you know what you are doing

I’m used to use VMware for demos, but after the Qubes Video Companion, I do not need to do so any more, as I can simply share my dom0 screen for the audience…

and how did you planned to ‘bypass’ such architectural differences?!
As none of the available hypervisors would do such magic.
(unless you emulate the CPU, which is… slow. veeery slow.)

Actually that’s somewhat of a good point. I don’t think qubes as a project is aiming for vast adoption, at least not vast adoption at the cost of security.

What makes you think to “serve vastly more people” is a good idea? It’s a bad idea! Product for everyone is a product for noone.

The problem is that many people do not consider 70% security (whatever this scales to) acceptable. You could make vms in Ubuntu for this.

What’s one of the things I’m trying to express. There is place under the sun for many. Qubes is going for the higher-security niche. Why change it?

@Dr.1

the current approach that provides 100% security to the 1% who can dedicate hardware.

Where does the official Qubes website say it provides “100% security”? Or that secure software can compensate for insecure hardware?

please just read this: Frequently asked questions (FAQ) — Qubes OS Documentation

Two remarks:

• I have Qubes R4.2.4 running - just for fun - as a VM under VirtualBox. So it is possible to use nested virtualization if your processor supports it.

• This may sound harsh, but if you run Qubes under a type II hypervisor, you won’t need Qubes, because you will get compartmentalization by just putting several VMs under that hypervisor and relying on its security. But that is not much worth, because it is limited by the security of the underlying operating system: If the OS is broken, the type II hypervisor is broken, too, and you can do nothing about it at the level of VMs running under that hypervisor. Especially, you lose the hardware protection offered by Xen, which uses the processor’s ring architecture, and on which the “bare metal” Qubes is relying.

So, there is not much sense in running Qubes as a VM under VMware, etc. You do not switch from 100% security to 90%, but from 95% to 5%.

Thanks everyone for the input. Ultimately, the project is designed for and compatible with specific, documented use case scenarios. The AI generated output that originated this post deviates from the projects stated aims and was a very long winded way of saying QubesOS isn’t designed for nested virtualisation. The LLM’s proposed “VM edition” with the goals of separation, malware containment and privacy compartmentalisation could just as easily be obtained by a user running VMs in any environment of the users choice, though that comes with some serious tradeoffs compared to using this project as it is intended. I also disagree our users waste “countless hours attempting unsupported VM installations” and the “community is fragmented” because of this - there is no indication of this overall and the pathway to using this project is well documented.

im shutting this thread down