Qubes vs. Kicksecure with KVMs

I am trying to look for a good operating system and seriously considering daily driving Qubes.

I’m trying to evaluate the pros and cons of Qubes vs. something like Kicksecure using KVMs with virt-manager. Any input on this would be super helpful to my thought process.

Qubes seems perfect to me; however, there are some things that are really putting me off of using it. The main problem for me is the Xen hypervisor. I like to play games and run graphically intensive programs, and using the Xen hypervisor with GPU passthrough is very ineffective. In contrast, when using KVM with GPU passthrough, programs and apps will run at almost bare metal speeds. Also, using things like evdev passthrough and looking-glass.io are novelties that, from what I’ve seen, Qubes just can’t really offer. On top of this, secure boot is offered on Debian/Kicksecure, but not on Qubes.

I’m just wondering, what kind of security benefits does Qubes offer that I would be missing out on?
The main things I can clearly see are the following:

  • Air gapped dom0

  • Safer clipboard

  • USB Protection

  • Ease of use for VMs/Qubes (with tools like qvm-copy, etc)

  • TemplateVMs and easier updating

These are great features and all, but I don’t really know if it’s worth the kill in performance that I get when using Qubes/Xen. If anyone could enlighten me with reasons on why I should choose to use Qubes, or if I am incorrect on any facts, please correct me.

I don’t want this to be a narcissistic post benefiting only me, but instead helping anyone deciding between Qubes and a more traditional OS using KVMs.

Thank you for reading, and I’m looking forward to any responses that I get.

Apart from concrete technical implementations that I’m not diving deeply into with this post?

Then the first thing that comes to my mind is the fact that such an infrastructure would be manually designed and handled the whole time, rather than relying on an audited, transparently developed one that has been for quite some time by world-class experts.

> On top of this, secure boot is offered on Debian/Kicksecure, but not on Qubes.

Not yet. :wink:

I don’t know enough to comment on the difference in security. But, you would most definitely miss out on the Networking Qubes that QubesOS offers, which is a huge game changer for using VPNs with VMs that I wasn’t able to achieve on a traditional OS.

That’s true, but how will secure boot benefit you? At least from what I’ve seen, it won’t matter too much, since many Qubes users aren’t using UEFI and most of the certified hardware runs SeaBIOS on coreboot.

You don’t really have to worry about your boot partition getting messed with in dom0 because nothing will touch dom0 except you. And if you need it for anti evil maid, nothing’s stopping the person with physical access from just turning it off in the BIOS settings. ¯\_(ツ)_/¯