Some doubts

I haven’t installed QubesOS, but I want to know in advance.

About virtual machine escape: Has QubesOS done some security hardening to try to reduce the possibility of virtual machine escape.

How to configure IP: I know that I can configure IP addresses for each qube in dom0, but how is this done? Do I need to install any services in qube in advance?

About updating the agent:

  1. Does the update agent open a proxy port on the local IP of qube or on port 8082 of NetVM?

  2. How do package managers such as dnf configure the agent? Is the default template already configured? If you install a standalonesVM, do you need to configure the agent for the package manager yourself?

  3. In addition to the package manager being able to configure the agent, can other software use this agent (I know it’s not safe, but is it possible to do so)

1 Like

Yes, there are efforts in the default configuration to reduce risks of
escapes, and to reduce risks of using Xen.

If you have the qubes-core-agent-networking package installed, IP is
automatically configured when you set a netvm for a qube. This package
is installed in the default templates.

I’m not clear if you are talking about the Updates proxy or templates
which use the service.
Machines that use the service use 8082 on localhost.
Machines that provide the service use 8082 on localhost.
The two are connected via qrexec. This is explained here

Package managers are configured in exactly the same way as you would
normally set a proxy. Default templates are already configured. If you
install a standalone you will need to configure the agent.

Yes, this is possible, if the software supports use of a proxy like
this. You can restrict this access by reconfiguring the proxy, but by
default there are no restrictions.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.


Thanks for the answer.

1 Like

AFAIK there was never any VM escape yet with the current default configuration, which was enabled with Qubes 4.1 in 2022 and relies on hardware virtualization. AFAIK last time the latter was broken by the Qubes founder herself in 2006.

1 Like

I was wrong: It was first enabled by default in Qubes 4.0 in 2018.

1 Like