Whether clonning of an existing "work"- qube has security flaws?

Hello, Everybody.
I hope all is OK with you !
I am having trouble following the Article - Standalone and HVMs in Qubes OS Docs, and I think this is mainly the reason for below questions :
I have cloned the pre- installed “work” qube, and I added some additional software from the listed into “application”- section to it.

  1. Can you provide me with some links to find out how the two qubes will “work” with each other - e.g. I have noticed I can copy and paste “directly” between them ?
    If the security has been compromised when I cloned a qube not a template ?
  2. I was able to install snapd, and to activate it, and then was able to install Atom, and I can start it with XTerm but it doesn’t seem to work well. When I try to open a project e.g., it is crashing.
    Will it be possible to provide me with links to how, and where to add a completely new software - into the “template” or the “qube”, and how to “make it visible” into the “application”- section so to be able to add it to the software used and hence to be able to use it ?
  3. Which one is standalone, and which one HVM - the qube- template or the virtual machine that can be opened and the GUI of the OS accessed ?
    Thanks, and Best,
    sean

Hi, welcome to the community!

A cloned qube is totally independent. You just copy the contents and preferences of a qube and create a new one. See also: Better Understanding Template Cloning.

Secure copy works for any pair of qubes: How to copy and paste text | Qubes OS.

You should create a separate topic for that, so other people will be able to find it, too. What does it write when you run it from the command line?

See here: https://www.qubes-os.org/doc/glossary/#standalone

By default, there are no standalone qubes installed. They only appear if you create those. Such qubes are fully independent operating systems, with their own root and home partitions.

HVM is a virtualization technology, which is recommended for not officially supported operating systems.

AppVMs get its root filesystem from another qube (template qube), Fedora (or Debian), by default. So whenever you want to introduce changes into the root filesystem (including installing something) you have to do it in the latter qube. After that you will have to shutdown the TemplateVM and reboot the AppVM. This is how Qubes’ isolation works.

Thank you very much for your prompt answer @fsflover !

I didn’t specify well into my question - indeed I was using a “normal” copy and paste between the two cloned qubes (I have created two of them based on the same, “work” template). If this is OK ?

For the Atom, I will create a separate topic as advised, and will upload some data. I found in one of the links you have sent me the Qubes’ article “App menu shortcut troubleshooting” and I think this one will answer my question about the “missing” shortcuts after program installation, and how to create them.

So, if I understood you correctly, a Standalone Qube will be one installed from an iso- file (like installation of VM into VirtualBox e.g.) ?
Whether HVM does it similar way ? I am kind of visual person, and cannot really find the difference between both, sorry …
In the article " Standalones and HVMs" they are talking about Paravirtualized VM which indeed makes the confusion even bigger …
What of the above categories the pre- installed Templates are part of ?

Thanks, and Best,

sean

If you copy something from untrusted qube to a trusted one, you may have a security problem as explained here: How to copy and paste text | Qubes OS.

This is a correct example of a Standalone qube. HVM virtualization should be a good choice for such installation.

However, you can also have a Standalone qube created (cloned) from the original Debian or Fedora template. It will behave as an independent VM and does not have to use HVM virtualization technology. Actually, PVM is recommended for officially supported OSes.

Templates are not Standalone qubes. Well, technically, they are AFAIK the same, but Templates’ purpose is to provide the root filesystem to AppVMs and you shouldn’t use them for anything else for security reasons.

So, StandaloneVM vs TemplateVM is the distinction by the purpose, whereas HVM vs PVM is the distinction by virtualization technology.

It all is indeed somewhat confusing. I hope I made it a bit more clear. When you understand how it works, you could suggest your improvements to the documentation and help new users.

You can have a look at the qube’s Settings / Advanced and see which virtualization technology it uses. By default, it’s PVM (recommended).

I founded, thank you very much @fsflover.
I spent some time playing with all, and I got lots of the basic concepts, thank you once again for your help clarifying it !
sean

1 Like