Friday, December 14, 2012

Qubes 2 Beta 1 with initial Windows support has been released!


It's my pleasure to announce the first Beta for Qubes Release 2 is now available for download.

This release introduces generic support for fully virtualized AppVMs (called HVMs in Xen parlance), and specifically initial support for Windows-based AppVMs integration. It's been quite a challenge to add support for secure HVMs to Qubes without breaking its security architecture, and I already wrote about it in the past.

Generic support for HVMs means you can now install many different OSes as Qubes VMs, such as various Linux distros, BSD systems, and, of course, Windows. Essentially all you need is an installation ISO and the whole process is similar to creating a VM in a program like Virtual Box or VMWare Workstation (although we believe the underlying architecture for this is more secure in Qubes).

Additionally we provide a set of tools for Windows-based AppVMs (Windows 7 specifically) which allow for tight integration with the rest of the Qubes system. This currently includes support for secure (and policy controllable) clipboard and file exchanges between the Windows-based AppVMs and other AppVMs, integration with Qubes advanced networking infrastructure, and PV drivers for faster operation. As of now there is still no seamless app integration for Windows applications, so Windows VMs are presented as full-desktop-within-a-window, but we're aiming to add support for this in the next Betas.

Unlike the rest of Qubes, which is distributed under a GPL v2 license, the Qubes Windows Support Tools are not open sourced and are distributed as binaries only, under a proprietary license. They are free to use for any Qubes 2 user. The tools are not part of the Qubes 2 installation ISO (which is GPL), and are down loadable on demand.

More information about creating and using HVM domains, including Windows-based AppVMs, can be found in the wiki here.

To summary, here's a quick list of some of the exciting new features that toady's release brings in:
  • Support for generic fully virtualized VMs (without qemu in the TCB!)
  • Support for Windows-based AppVMs integration (clipboard, file exchange, qrexec, pv drivers)
  • Secure audio input to select AppVMs (Hello Skype users!)
  • Clipboard is now also controlled by central policies, unified with other qrexec policies.
  • Out of the box TorVM support
  • Experimental support for PVUSB
  • Updated Xorg packages in Dom0 to support new GPUs
  • DisposableVM customization support
  • ... and, as usual, various fixes and other improvements :)
Existing users of Qubes R1 can upgrade without needing to reinstall – the upgrade procedure is described here. Standard installation is described here.

Enjoy!

PS. Please send all the technical questions to the qubes-devel mailing list, instead posting them as comments to this blog. Keep the comments here for more generic discussions.

PS2. As usual, I would like to remind that we have little control over the servers that are used for Qubes ISO distributions and that the downloads should be verified according to the procedure described here. We always assume that even our own servers (git, wiki, yum) could be compromised, and yet this should not affect Qubes security in any way, because of the extensive use of digital signatures everywhere in the development and distribution process.

20 comments:

Anonymous said...

Many thanks for the brilliant hard and constant work
Franz

Anonymous said...

Very cool, was looking forward for windows availability

braintorch said...

It would be nice to have a browser wrapper application that appears more or less like normal browser but opens entered links according to previously configured rules. For example: if you go to paypal.com it should be opened under SecureVM (and appear like a browser tab), and if you go... errr... 4chan.org it should be opened under InsecureVM (and appear like another browser tab too).

Anonymous said...

@braintorch

That would be a convenience feature, not a necessary one as far as security is concerned. You could set up independent filters for each VM, so that no VM other than Secure could access banking (blacklist banking sites on non-Secure) and the Secure VM couldn't access anything but banking (whitelist banking sites on Secure). It's definitely not as user-friendly or seamless, but I don't think that's an issue they have to deal with in Q2R1.

Anonymous said...

Great to see this shaping up. I have two questions though:

What are the reasons behind not open sourcing the Qubes Windows Support Tools?

I'm not a Windows user, but for those who use it, wouldn't be the decision not to open source the Qubes Windows Support Tools a huge potential security risk?

Joanna Rutkowska said...

If you don't trust closed source software, then you should not use Windows VMs in the first place.

Please note that the Qubes Windows Support Tools runs only in VMs, not in Dom0.

Sergei Chudakov said...

Good work Joanna!

Anonymous said...

I love what you doing.
Please don't stop.

Q. said...

That's really great news! Congratulations to the team, and big thanks for your great work!

By the way, does QubesOS now support Ivy Bridge integrated video? (Your text does say that new display adapters are supported but doesn't mention which, and I couldn't find the details neither on Wiki nor in the devel mailing list). I'm about to buy a new laptop and want to make sure it can run Qubes :)

Anonymous said...

What a xmas present! I look forward to testing this release later on today. Thank you very much for all your hard work! I'm looking forward to making Qubes my full-time OS

Anonymous said...

Count me in for the test!

Anonymous said...

Many thanks for all the work you and all the team have done.

I wish you an Merry Christmas and Happy New Year.

Best regard,
Jeff

Anonymous said...

This looks promising. Any plans on adding 3d hardware acceleration support?

qp said...

This OS is amazing. keep up the great work.

qp
<_

Pym said...

Big kudos to you and your team for all of this work! Spread the Qubes security luv.

Anonymous said...

I would like to thank you for all your articles on security, I have really learned a great deal.

What are your thoughts on OpenBSD? (Seems to be a lot of claims about being very secure but they have the same problems that go along with any OS with a monolithic kernel AFAIK)

Also you have given a lot of information on problems with the x server, do you think Wayland is going to help in this area or is it going to be prone to the same problems.

Joanna Rutkowska said...

@Anon:

1) If I believed OpenBSD is secure enough, we would never decided to create Qubes OS, right?

Does OpenBSD have a special X server that provides GUI isolation? Does it have ability to sandbox networking and USB stacks? etc.

See also this for more discussion:

http://theinvisiblethings.blogspot.com/2012/09/how-is-qubes-os-different-from.html

2) I will talk about Wayland when it comes out. I wouldn't expect any significant change security-wise. Look at OSX's Quartz (their replacement for X) -- does it offer GUI isolation?

Anonymous said...

Thanks for the quick reply.

I read your article about GUI isolation : http://theinvisiblethings.blogspot.ca/2011/04/linux-security-circus-on-gui-isolation.html , and beyond being shocked that this exists (I think it would be trivial to to create a script that captures your keystrokes and eventually capture your root password and with that you could install a SSH server and set up a reverse SSH connection and have root access to someone's computer over SSH, you would just have to get someone to run the program), I noticed if I switched tty's (Ctrl+Alt+F1) (I'm running Debian BTW, planing on trying Qubes this weekend) it doesn't capture keystrokes.

If I only enter my password on other tty's am I safe from key loggers (besides a kernel exploit)? And is GDM/LightDM vulnerable to key loggers?

Great blog BTW, just recently found it. Your networking article was awesome (http://theinvisiblethings.blogspot.ca/search?q=torvm), Qubes seems more impressive everyday.

Anonymous said...

Just like Anonymous #2, I would be interested in your reasoning behind making it closed source.

"If you don't trust closed source software, then you should not use Windows VMs in the first place."

The point is, I think, that we don't trust Windows to be secure, but would like to use Qubes to improve security and mitigate damage once Windows (inevitably) fails.

From that perspective it is very important that Qubes Windows Support Tools can be trusted to work securely with the rest of Qubes to contain the damage.

Which means open source would be prefered.

Joanna Rutkowska said...

@anonymous: Qubes Windows Tools are installed and run inside Windows VMs.