QWT (support for Windows in Qubes OS) is not available anymore. When will this be solved?

This is not true. I have posted links to the official Qubes repository where it provides qwt packages that work with R4.1 and R4.2.

Do you mean QWT got replaced because it’s not working with R4.1? What do you think now?

So, your reasoning is, Qubes video driver isn’t signed with the special key, so Xen Windows PV drivers also aren’t. I can’t see how Qubes video driver becomes a part of Xen Windows PV drivers.

Is this based on your experiment? From what I read in your post, it’s not likely you actually installed and used QWT in a windows qube.

So what? Qubes OS also ships firmware blobs that without them your PC probably won’t function properly, would you blame them for maintaining hardware compatibility?

No, it isn’t. There’s code that QubesOS trust: Security-critical code | Qubes OS . IIRC, the principle is “trust no infrastructure”. If this is what makes you do not trust Qubes OS, simply stop using it.

What do you expect them to apologize for? For not maintaining Xen’s infrastructure?

They immediately updated QWT without windows PV drivers. Would you expect them to take control over your PC and rip QWT out of it?

I asked the Qubes devs about this. Here is the information I received:

The situation with the PV drivers isn’t much different than it is with other VM packages. Templates use binaries built by upstream projects such as Debian, Fedora, and Arch. We do not rebuild everything from scratch. We ship QWT as an ISO that bundles both the PV drivers and Qubes-specific parts because Windows does not have proper package repositories. If it did, then the PV drivers would be a separate package (built by Xen), and QWT would depend on it. The main difference between the QSB-091 incident and other VM-related incidents (namely, the previous system update problems with Debian and Fedora) is that the Xen PV drivers team did not offer a timely solution. They took down the questionable binaries, but they did not provide new production builds.

Enabling test signing mode was required in Windows 7 if and only if you chose to install the qvideo driver. In Windows 10, testing signing mode is not required, since QWT runs fine without it, and qvideo is not supported.

I think that “trust nobody” is an oversimplification of what is stated. Let’s break it down:

We would like to remind you that Qubes OS has been designed under the assumption that all relevant infrastructure is permanently compromised.

This is saying that Qubes OS is designed to operate under a certain assumption. What is that assumption? It is the assumption that “all relevant infrastructure is permanently compromised.” In order to understand this statement, we have to answer a few questions:

• What does “infrastructure” mean?
• Which infrastructure counts as relevant here?
• What does “compromised” mean?

Let’s look to the next statement for answers:

This means that we assume NO trust in any of the servers or services which host or provide any Qubes-related data, in particular, software updates, source code repositories, and Qubes ISO downloads.

The fact that this sentence starts with “This means that we assume…” shows that it’s here to clarify the previous statement. In particular, it clarifies and explains the assumption, mentioned in the previous sentence, under which Qubes OS is designed to operate.

“NO trust in any of the servers or services which host or provide any Qubes-related data” helps to answer the first question (“What does ‘infrastructure’ mean?”). We see here that “infrastructure” refers to things like servers or services which host or provide data. These are the types of things we’re referring to when we say “infrastructure.”

The phrases “Qubes-related data” and “in particular, software updates, source code repositories, and Qubes ISO downloads” help to answer the second question (“Which infrastructure counts as relevant here?”). We see that the relevant infrastructure is infrastructure used to host or provide Qubes and domU OS software updates (i.e., package repositories), Qubes source code repositories (e.g., GitHub), and Qubes ISO downloads (i.e., download mirrors). These are examples of infrastructure that count as relevant in the phrase “relevant infrastructure.”

Given this context, the answer to the third question ("What does ‘compromised’ mean?) is now pretty clear. It’s referring to scenarios in which someone uses the infrastructure to do something bad. For example, someone could hack into GitHub’s servers and try to mess with our source code, or a rogue employee at GitHub could do the same. We protect against this by cryptographically signing all of our code. This way, even if a hacker or rogue employee messes with our code on GitHub, we’ll always be able to tell, and we’ll know not to trust it. In other words, we don’t treat GitHub as an authoritative source for our code or as the source of truth for anything.

Similarly, any of our download mirrors could be compromised. When you try to download a Qubes ISO, it could instead serve you a fake Qubes ISO with malware inside. We protect against this the same way, namely by cryptographically signing Qubes ISOs. By verifying the signature on your Qubes ISO after you download it, you can determine whether it’s genuine or a forgery, so you’ll know whether to trust it.

What about software updates from package repositories? Same thing. Cryptographically signed. You’re probably beginning to see a pattern here.

We call this general philosophy or approach “distrusting the infrastructure.” Here is our FAQ entry on it:

What does it mean to “distrust the infrastructure”?

A core tenet of the Qubes philosophy is “distrust the infrastructure,” where “the infrastructure” refers to things like hosting providers, CDNs, DNS services, package repositories, email servers, PGP keyservers, etc. As a project, we focus on securing endpoints instead of attempting to secure “the middle” (i.e., the infrastructure), since one of our primary goals is to free users from being forced to entrust their security to unknown third parties. Instead, our aim is for users to be required to trust as few entities as possible (ideally, only themselves and any known persons whom they voluntarily decide to trust).

Users can never fully control all the infrastructure they rely upon, and they can never fully trust all the entities who do control it. Therefore, we believe the best solution is not to attempt to make the infrastructure trustworthy, but instead to concentrate on solutions that obviate the need to do so. We believe that many attempts to make the infrastructure appear trustworthy actually provide only the illusion of security and are ultimately a disservice to real users. Since we don’t want to encourage or endorse this, we make our distrust of the infrastructure explicit.

Now that we understand what the disclaimer means, let’s take note of what it does not say. It does not say that we place no trust in upstream projects that we rely on, e.g., Xen, Fedora, or Debian. It also does not say anything about the infrastructure that those upstream projects use, own, or rely on. It says that we place no trust in “servers or services which host or provide any Qubes-related data.” It does not say anything about servers or services that host or provide Xen-related data, for example.

In other words, we do not try to police other projects or force them to abide by our standards. Even if we wanted to, we could not do that. We can’t force anyone else to do anything. All we can do is decide who we will trust, because we can’t do everything ourselves. For example, we can’t create and maintain the Linux kernel by ourselves. We can’t create or maintain Xen by ourselves. Those are whole projects in themselves, and they’re vastly larger than the Qubes OS Project. This is why “trust nobody” is unrealistic.

If we tried to do everything by ourselves, it would be evidence that we don’t really understand the nature of our own undertaking. As an analogy, it would be as if a small local militia in some town were to say, “We don’t trust the national military, so we’re going to defend the country all by ourselves.” Everyone can immediately see that it’s absurd and delusional for a small group of people with hand weapons to hope to defend against tanks, artillery, aircraft, warships, and ICBMs. Similarly, it would be absurd and delusional for us (the Qubes OS Project) to say, “We don’t trust the Linux Foundation, the Xen Project, the Fedora Project, the Debian Project, or anyone else, so we’re going to defend against cyberattacks all by ourselves.”

Now, you might say, “Well, I wouldn’t expect you to write all the code yourself to replace those huge projects, but couldn’t you at least check all the upstream code you use?” No, this is still a herculean undertaking that would be completely unrealistic for a project of our size. After all, there are multiple entire operating systems inside of Qubes OS, plus a hypervisor. Those gigantic upstream projects can barely even check all of their own code. Moreover, since most projects are not security-oriented, they probably never check their code in the way security researchers would (which is probably part of the reason projects and companies have bug bounties and why independent security researchers often discover major vulnerabilities).

“Okay, fine,” you might say, “but you should at least just check the upstream code that’s included in the Qubes TCB, right?!” At first glance, this might seem like an eminently reasonable request. Of course, we should check all the code in the Qubes TCB, shouldn’t we? After all, isn’t the whole point of Qubes to trust as little as possible? In theory, yes, but “trust as little as possible” isn’t the same as “trust nobody,” and in the real world, “as little as possible” is still quite a lot. Since I am not an expert, I asked @Demi about this. Here is what she said:

No. We do not even review all of the attack surface, such as Xen, Linux blkback, and Python’s regular expression library. There is even attack surface we have no visibility into, such as CPU microcode and USB controller firmware.

Reviewing the entire software TCB is only practical in certain embedded systems, and even there only because these systems are vastly simpler. If the entire TCB is 50,000 lines of code on a microcontroller, then one really can read the entire codebase in a reasonable amount of time, at least if one has access to all of the source code. In Qubes OS, the attack surface alone is quite a bit larger than that, and the TCB is many orders of magnitude larger – it includes Xen, Linux, and every other piece of code that runs in dom0, as well as the toolchains used to build that code. This is at least tens of millions of lines of code, and that is before one gets into the firmware, microcode, and other stuff that Qubes OS doesn’t even have visibility into, much less control over. Admittedly, not all of that code actually runs, but figuring out what does and does not is itself a nontrivial task.

In short, auditing the entire TCB is completely impractical, and auditing the entire attack surface would require far more resources than the Qubes OS Project has. If one wants to build a system people can actually use, one has to trust a lot of stuff.

For just getting back to the original topic:

• I can’t find qubes-windows-tools-4.2.68 or 69 anywhere for download.

• What is the way to install it in dom0? - With the cached repo on sys-firewall I’ve got no idea where to put this package for installation.
  A simple “dnf install qubes-windows-tools-4.1.69-1.fc37.noarch.rpm” is refused.
  “qvm-update install …” will not take anything not in the repo on sys-firewall.

Are you using qubes 4.2. I think I read somewhere that 4.1.69 was only available for 4.2.

Also the command I used to successfully install it just now was

sudo qubes-dom0-update qubes-windows-tools-4.1.69

Thanks!

Outch, so simple … - I didn’t saw it …

I asked for a version with 4.2, because GWeck talked about a version for 4.2, but maybe I misunderstood.

From my understanding it looks like new xen PV drivers for windows have been updated to resolve the previous potential vulnerabilities.

Hopefully this means that sometime in the future we might see new releases of qubes-windows tools.

Hoping for this as well.

Is it still not solved?

If not, it makes R4.2 the first Qubes OS version that does NOT support Windows VMs properly.
Such situation is worse than ever, even worse than Qubes OS R1/R2 where this feature was advertised as a major feature on screenshots.

Hi,

Is there any secure solution to the QSB-091 problem? Like now or in forseeable future?

Or at least some vague information on the current status and when we could expect it to be fixed?

@marmarek

Why it matters for me:

I hope nobody interprets this as agressive or mean, it is not meant that way, but this is a pressing issue for me.
I am one of the few brave souls that dare to use QubesOS as their work OS (pentesting), and i really love it and will likely never switch back.

However being a security professional that handles very sensitive data i cannot just accept the risk in behalf of my clients easily, while simultaneously being dependent on the availability of those features (clipboard at the very least). Some tools i use only run on windows and i need those tools.

So any information however rough they may be are really appreciated.

You could get a physically separate Windows computer to compartmentalize your Windows dependencies; they are a dime a dozen.

Perhaps you could also build the compromised Xen component from source and then QWT. But I don’t know how complicated that will be.

But I agree it that it’s an unfortunate situation.

Also, super happy to see a cyber security professional using Qubes. Given that in this profession you’re already at heightened risk, I find it curious why most professionals so easily dismiss Qubes.

The issue with Windows not working properly on Qubes OS R4.2 should be indeed addressed sooner. It is one of major features of the Qubes OS, that is broken that much first time in its history.

Also we should take into account the fact that user cannot use VirtualBox or other software to run Windows in Qubes OS. Windows has to work on Xen, no alternative running solutions are available (right?)

Perhaps you could also build the compromised Xen component from source and then QWT. But I don’t know how complicated that will be.

But I agree it that it’s an unfortunate situation.

Also, super happy to see a cyber security professional using Qubes. Given that in this profession you’re already at heightened risk, I find it curious why most professionals so easily dismiss Qubes.

You could get a physically separate Windows

Thank for your proposed solution, but unfotunately this wont work for me.

While this is the approach i took for my personal system(s), in a corporate setting it does not work that way.

I have one company issued laptop and i am pretty certain that my IT department wont give me another one just because i use QubesOS and “there is a security situation”. They will say “use another OS then”.

Dualboot might work technically, but this greatly slows down my work, costing more money to my clients for getting less.

Also, super happy to see a cyber security professional using Qubes. Given that in this profession you’re already at heightened risk, I find it curious why most professionals so easily dismiss Qubes.

Thanks! Fully agree with you. Many of my colleges are interested in qubes and i will pitch the system in an in house presentation.

We virtualize everything anyways, so QubesOS is the most obvious OS choice imo. I think this topic deserves its own thread because there are many things to consider and i think i have kind of a good understanding as to why i am the only one in my company doing this.

A post was split to a new topic: Why don’t more Cybersecurity Professionals use Qubes?

@HardcodedNonce
You can consider using RDP from another qube as a quick workaround.

You can consider using RDP from another qube as a quick workaround.

Thank you very much!

This is a great idea that would work basically flawlessly for me from an usability perspective and would offer enough security.

I hope I don’t get flamed for ignorance but I have Windows 7 and 10 running on Qubes 4.2. (as stand-alone HVM) I have been running Qubes as my daily driver since 2018 so I have a pretty high tolerance for experimentation. I read that Windows with QWT, would not run in 4.2 but since I had been running Windows on Qubes since 3.x I figured I give it a try on 4.2

All I did was do a clean install of 4.2 and then restore my Windows Qubes (4.1) and they worked as before including copy / move to another VM. I don’t use seamless mode so I can’t comment on that. I really didn’t expect to have the integrated clip-board functionality, but I do. Go figure!

If anyone @Gweck could enlighten me on why I seem to have full Windows functionality on 4.2 please do. Is it maybe because its a stand-alone HVM qube?