Spectrum OS discussion

Hi all,

I recently learned of Spectrum OS from this tweet:

Quick summary from the developer, Alyssa Ross:

a NixOS distribution focused around security through compartmentalisation in the style of Qubes OS, but with the diversity of hardware support and ease of maintenance afforded by the Linux kernel and Nix.

On the motivation page, there’s a discussion of Qubes:

Existing implementations of security by compartmentalization

Qubes OS

Qubes OS is a distribution of the Xen hypervisor that isolates IO and user applications inside their own dedicated virtual machines. Many people interested in secure computing are aware of Qubes, however they are often hampered by usability issues:

  • Hardware compatibility is extremely limited. People often have to buy a new computer just to use Qubes, and even then it can be a struggle to set up.

  • People are reluctant to use Xen on their computer for power management etc. reasons.

  • VMs are heavy, and there is no isolation between applications in the same domain (VM).

  • GUI applications are buggy, command line tools are mostly undocumented.

  • Maintaining many different TemplateVMs with persistent state is difficult. (Qubes can use Salt to mitigate this.)

It is important to note, however, that the Qubes developers have created utilities for using compartmentalized environments that could be very useful to other implementations. For example, Qubes allows clipboard data to be safely shared between isolated environments with explicit user action on both ends, and Qubes Split GPG allows one environment to perform operations using a GPG key stored in another environment, with permission granted on a per-operation basis.

The design page goes into more detail:

I thought this might make for an interesting discussion topic, and I’m curious to hear what you all think.

4 Likes

From a layman’s perspective my first impression is ambivalent especially with reference to the list highlighting the alleged downsides of Qubes.

I was immediately reminded of crowd-funding campaigns and the comparisons with check boxes at the end of the campaign page. Competition is usually made to look bad/weak and the categories are somewhat dubious. These categories are often extremely simplified and while mostly containing a grain of truth or more, it is not seldom only half the truth. There are two sides to every coin.

Regarding this list:

  • Hardware compatibility is limited but measured by the relatively small number of users the HCL (hardware compatibility list) is quite substantial and growing with the user base. There are a few older models that are cheap, easy to come by and reliable. It is also clear that there are a few must-haves for example for virtualization.

  • who are these people? I guess IT professionals? I don’t know if most people know a lot about the differences between Xen or KVM in order to make an educated statement weighing the pros and cons (?)

  • again, there are heavy VMs and there are alternatives like mirage, minimal-templates etc… There are solutions like firejail or containers for additional isolation; also adjusting the policies to make use of disposable VMs is helpful (can be tricky - pay heed to the warning signs)

  • yes and no. In my mind the documentation is one of the strengths of Qubes so far. I really think the documentation is excellent already and if more people read it more closely I guess half of the questions wouldn’t be necessary.
    Of course, there is always room for improvement but this project is a work in progress that is constantly being developed and everyone can take part in improving things like helping with the documentation or bringing propositions to the table.
    “mostly undocumented”: a few examples would have been nice, because apart from the bleeding edge stuff that is being developed and not ready yet (e.g. gui-vm, or in general Q4.1) I think Qubes-specific commands are explained quite well, whereas a lot of commands that lack documentation are Linux-specific and can be looked up in the respective Wikis.

  • I agree, salt needs some time and training (at least for me :wink: - I am trying to learn using it on an experimental install that is for educational purposes only)

My point is, you can look at the points made from another perspective and it might look a bit more positive.
That said, it sounds like an interesting project with a huge ambition and it will be interesting to see if the developers can keep up with their own goals while simultaneously keeping it simple and well documented.
(I am careful with predictions because IT is not my area of expertise but I am a bit skeptical because Qubes is being developed for quite some time now and disregarding the manpower and funding of spectrum this is a big plan that will need a lot of time)

4 Likes
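As an added illustration of the “adjusting the policies to make use of disposable VMs” point in the post above (example configuration written for this thread, not taken from the post, from the Qubes project, or from Spectrum OS), this is what a Qubes 4.0-style RPC policy file looks like once one source qube is routed straight into a disposable. The `@dispvm` target, the `@anyvm` token and the `allow`/`ask` actions are Qubes’ own policy syntax; the qube name `untrusted` and the commented-out stock line are assumptions for the example.

```text
# /etc/qubes-rpc/policy/qubes.OpenURL   (edited in dom0, Qubes 4.0-style policy)
# Each line is:  <source qube>  <target>  <action>
# Rules are matched top to bottom, so specific sources go above the catch-all.

# assumed stock behaviour for comparison: prompt the user for a target every time
# @anyvm  @anyvm  ask

# links opened from the (assumed) "untrusted" qube go into a fresh disposable
# with no prompt: a malicious page lands in a throw-away VM, not a persistent one
untrusted  @dispvm  allow

# every other source keeps the interactive prompt
@anyvm  @anyvm  ask
```

The defender-side caveat the post alludes to: an `allow` line takes the user out of the loop, so the calling qube alone decides when the service fires. Keep `allow` rules narrow (named source, `@dispvm` target) and leave the catch-all as `ask`. In Qubes 4.1 the same rules live under `/etc/qubes/policy.d/` with the service name and argument as leading columns (`qubes.OpenURL * untrusted @dispvm allow`).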

In my mind the documentation is one of the strengths of Qubes so far. I really think the documentation is excellent already and if more people read it more closely I guess half of the questions wouldn’t be necessary.

Absolutely. Another thing that many users don’t seem to “get” is that the qubes they are working with are pretty standard distributions. So the problems they encounter can often be solved by looking in those distributions. This should be highlighted somewhere, or flashed on to the screen every 5 minutes or something.

I don’t like Forums, I don’t like Reddit - one reason is that users seem to use them as the first point of call instead of trying to read and solve problems for themselves.
Also they seem to encourage the use of images: a huge down side for me.

I agree, salt needs some time and training (at least for me :wink: - I am trying to learn using it on an experimental install that is for educational purposes only)

You might like to look at https://github.com/unman/notes/tree/master/salt. They are notes from some training, that move from basic commands up to more complicated configurations. You may find them helpful.

3 Likes

A Nix(OS) and Qubes OS newbie here. :smiley:

NixOS as the base distribution is interesting, but support for AppArmor, other LSMs and the audit subsystem is still in progress, so I would hope there will be some progress boost in this area thanks to Spectrum OS. Also, I am looking forward to realizing /nix/store as a cheap way to share the system components between domains, but it may be a bit tricky to do it safely.

I am not sure whether Qubes OS’s hardware requirements are extreme or not — sure, my cute X200 is sadly out of support, but the VT-x/EPT/VT-d-equivalent virtualization capabilities are very common nowadays as far as I know. The real pitfalls would be that some system firmware disables VT-d by default and powerful laptop PCs have a dGPU; the latter case seems very annoying for some people.

Xen vs. KVM: my understanding is there are some trade-offs and indeed the performance of KVM is promising, but Xen’s recent progress on further isolation and dom0 shrinking is excellent too. I hope Qubes OS and Spectrum OS will be good competitors in this area.

Xorg vs. Wayland: yeah, Wayland seems neat but implementing and stabilizing the user experiences of Qubes OS on top of Wayland will need non-trivial human and time resources, I guess.

That said, Qubes OS might have some use-cases of Nix, both the package manager and the distribution. I would become a heavy user of NixOS TemplateVM for sure. If there is a mechanism to share /nix/store between VMs without making all of them accessible from all AppVMs, it would be a killer feature IMHO.

There is also Bottlerocket, an open source Linux distribution built to run containers:

Bottlerocket is optimized for running containers with high security isolation. The host OS is extremely minimal, it does not come with bash, an interpreter, ssh, or anything beyond the system basics needed to run containers. In fact it uses an immutable root filesystem. You aren’t intended to run or install things directly on the host at all.

1 Like

I don’t want to belittle that project, but I’ve written a fair number of pitch documents, and an essential part is to belittle competitive technologies, so I don’t take those comments too seriously. The grant assessors simply won’t have fact checked those claims.
Also, there is scope for Qubes on KVM (it’s been in the specifications for some time) and there has been some movement toward it.
That said, it looks like an interesting project, which may have some feed in to Qubes.

NixOS template? I had one for a client some time back. I’ll see if I can dust it off and release it.

4 Likes

Thanks a lot! These notes look to be very useful indeed. This applies to the other notes as well. Very nice collection of information!