Monday, September 19, 2011

Qubes Beta 2 Released!

I'm proud to announce that we have just released Qubes Beta 2! You can view installation instructions and download the ISO here.

We faced quite a few serious problems with this release that were caused by an upgrade to Xen 4.1 (from Xen 3.4) that we used in Beta 1. But finally we managed to solve all those problems and all in all I'm very happy with this release. It includes many performance optimizations compared to Beta 1 (CPU- and memory-wise) and also many bugfixes.

We also introduced a couple of new features:
  • Generic mechanism for inter-domain services with a centralized policy enforcement (more)
  • Network-less update mechanism for Dom0 (more)
  • VM management improvements: easy device assignment for driver domains, dynamic netvm switching, flexible VM kernel configuration, etc (see the new qvm-prefs utility)
  • Easy management of appmenus (shortcuts in the Start Menu)
  • Update to Xen 4.1 that offers, among other things, better VT-d support and more lightweight management stack (we have ported Qubes to use the new xl now, instead of the slow and heavy xend), and also to 2.6.38-xenlinux kernel for Dom0, and to 3.0.4 pvops kernel for VMs (better hardware compatibility, better power management)
I will write some more posts shortly that would present in detail some of the new features and what cool things one could do with them.

We have also created a dedicated wiki page that enumerates all the security-critical code for Qubes OS. We hope this page would be useful for security researchers that might attempt to find weaknesses in Qubes OS either in our code or in the 3rd party code that we rely on (Xen hypervisor, select Xen backends). Whether your motives are noble (gaining immortal fame, helping create a secure client OS), or not (proving ITL wrong), we would appreciate your efforts! And you might even get a job at ITL.

Speaking of which, I'm happy to announce that Marek Marczykowski, who has effectively become the key Qubes developer over the past few months, has now officially joined ITL :)

10 comments:

Anonymous said...

Don't you have to trust the dom0 kernel? It's involved in all VM management, after all. I suppose it also has some direct hardware access though the worst offenders seem to be segregated.

saso said...

congrats on the release! :)

Galland said...

You are doing a most interesting and professional work. My compliments.

Anonymous said...

Thank you for upgrading to a newer XEN-version. I was unable to run Beta 1 on my laptop, but Beta2 runs smootly. Looks very promising I have to say!

Erik said...

I find Qubes to be extremely interesting!

I especially like the thought of mixing in a few Windows domUs for games and other applications that are not released for *nix.

I also have a question; I know that a compromised domU can not affect the rest of the system, but what to do with it? Will there be snapshot functionality that allows me to return a domU to "last known good" state?

Regards,
Erik

Anonymous said...

Is there anything special i need to have in mind if i want to upgrade from Beta 1 to Beta 2?

Joanna Rutkowska said...

@anon_that_keeps_asking_about_upgrade:

RTFM

Joanna Rutkowska said...

@anon_asking_about_trusting_dom0_kernels:

VM management is handled via Xen store, and Xen tool stack (that however is not exposed to VM interaction).

Anonymous said...

Hi there well done on the release. May I ask you to confirm that you have Quebes OS working on a macbook. I notice the XEN/USB keyboard has been an issue, but an article of also says it does work?

Joanna Rutkowska said...

@Anonymous: currently there is a problem with the *installer* to recognize Mac's keyboard and mouse. But if you e.g. take a disk out of your Mac, plug it into some PC, install Qubes there, and then switch the disk back to your Mac, then it should work fine (you would just need to adjust which devices should be assigned to the netvm using qvm-pci command). I have verified this with a Mac Pro at least.

BTW, you should really be asking such question on our mailing list.