| Qubes OS | |
|---|---|
| Developer | The Qubes OS Project Invisible Things Labs Joanna Rutkowska |
| OS family | Linux (Unix-like) |
| Working state | Current |
| Source model | Open source with proprietary blobs,[1][2] |
| Initial release | September 3, 2012; 13 years ago (2012-09-03)[3] |
| Latest release | 4.3.0[4] |
| Marketing target | security bycompartmentalization, desktop, laptop |
| Available in | Multilingual |
| Update method | DNF (PackageKit) |
| Package manager | RPM Package Manager |
| Supported platforms | x86-64 |
| Kernel type | Microkernel (Xen Hypervisor running minimalLinux-based OSes and others) |
| Userland | GNU[a] |
| Default user interface | Xfce |
| License | Free software licenses (mainlyGPL v2[7]) |
| Official website | qubes-os |
| Tagline | A Reasonably Secure Operating System |
Qubes OS is asecurity-focused desktop operating system that aims to providesecurity throughcompartmentalization.[8] Compartmentalization is provided through the use ofvirtualization technology. This allows the segmentation of applications into securevirtual machines called qubes. Virtualization services in Qubes OS are provided by theXen hypervisor.
The runtimes of individual qubes are generally based on a unique system of underlying operating systemtemplates. Templates provide a single, immutable root file system which can be shared by multiple qubes. This approach has two major benefits. First, updates to a given template are automatically "inherited" by all qubes based on it. Second, shared templates can dramatically reduce storage requirements compared to separate VMs with a full operating install per secure domain.
The base installation of Qubes OS provides a number of officially supported templates based on theFedora andDebian Linux distributions. Alternative community-supported templates includeWhonix,Ubuntu,Arch Linux,CentOS, orGentoo.[9] Users may also create their own templates.
Operating Systems like Qubes OS are referred to in academia asConverged Multi-Level Secure (MLS) Systems.[10] Other proposals of similar systems have surfaced[11][12] andSecureView andVMware vSphere are commercial competitors.[citation needed]

Qubes implements aSecurity by Isolation approach.[13] The assumption is that there can be no perfect, bug-free desktop environment: such an environment counts millions oflines of code and billions ofsoftware/hardware interactions. One critical bug in any of these interactions may be enough formalicious software to take control of a machine.[14][15]
To secure a desktop using Qubes OS, the user takes care to isolate variousenvironments, so that if one of the components gets compromised, the malicious software would get access to only the data inside that environment.[16]
In Qubes OS, the isolation is provided in two dimensions: hardware controllers can be isolated intofunctional domains (e.g.network domains, USB controller domains), whereas the user's digital life is divided intosecurity domains with different levels of trust.
For instance: work domain (most trusted), shopping domain, random domain (less trusted).[17] Each of these domains is run in a separate qube.
The qubes have passwordless root access (e.g. passwordlesssudo) by default.[18]UEFI Secure Boot is not supported out of the box; the Qubes OS team does not consider this a major security issue.[19] Qubes is not amultiuser system.[20]
As a desktop-focused operating system, Qubes OS targets personal computer hardware. This market is dominated by laptops running Intel and AMD processors and chipsets.
Theminimum base system requirements[21] for Qubes OS are:
Users interact with Qubes OS in much the same manner that they interact with any standard graphical desktop operating systems with some key differences:
This sectionneeds additional citations forverification. Please helpimprove this article byadding citations to reliable sources in this section. Unsourced material may be challenged and removed.(December 2023) (Learn how and when to remove this message) |
The Xen hypervisor provides strong isolation between its hosted virtual machines, calleddomains in Xen terminology.
The first domain started by Xen is the privilegedadministrative domain referred to asdomain zero or more commonlydom0.
As of Qubes OS 4.1.2, the operating system running in dom0 isFedora Linux running a paravirtualized Linux kernel. It is the Linux kernel in dom0 that controls and brokers access to all the physical system hardware, via standard Linux kernel device drivers.
The operating system hosts the user's graphical desktop and controls most hardware devices. This includes the graphics device, USB ports, storage and input devices, such as the keyboard and mouse. The base graphical desktop is composed of theX server, theXfwmwindow manager and theXfcedesktop.
By design, dom0 has the least possible direct interaction with the qubes in order to minimize the possibility of an attack originating from there.[25][26]
Updates to the dom0 operating system and the included Template OS images are performed via a special mechanism which does not require dom0 operating system to connect directly to a network.
An app qube (an instance of a qube) provides secure, compartmentalized execution of standard user applications such as aweb browser, anemail client or atext editor.
Operation of app qubes is controlled by theQube Manager. It launches the discrete app qubes and presents their applications on the desktop of dom0 as normal process windows.
This mechanism follows the idea of asandbox. After running the application, viewing the document, etc., the whole disposable will be destroyed on shutdown.[27]
Qubes OS integrates all of the app qubes into a single commondesktop environment. The identity of each app qube for a given process is provided by an unforgeable, colored window border which is defined in the properties of the app qube.
Disk usage in dom0 is minimized by allowing multiple app qubes to share a common "template" root file system image maintained in read-only mode. Additional disk storage is only used for userʼs applications, data and per-VM settings.
The network mechanism is the most exposed to security attacks. To circumvent this, it is isolated in a separate, unprivileged qube, named thenet qube.
Anotherfirewall Domain is used to house the Linux-kernel-based firewall, so that even if the network domain is compromised, the firewall is still isolated and protected (as it is running in a separate Linux kernel in a separate VM).[28]
Security and privacy experts such asEdward Snowden,Daniel J. Bernstein, andChristopher Soghoian have publicly praised the project.[29]
Jesse Smith wrote a review of Qubes OS 3.1 forDistroWatch Weekly:[30]
I had a revelation though on the second day of my trial when I realized I had been using Qubes incorrectly. I had been treating Qubes as a security enhanced Linux distribution, as though it were a regular desktop operating system with some added security. This quickly frustrated me as it was difficult to share files between domains, take screen shots or even access the Internet from programs I had opened in Domain Zero. My experience was greatly improved when I started thinking of Qubes as being multiple, separate computers which all just happened to share a display screen. Once I began to look at each domain as its own island, cut off from all the others, Qubes made a lot more sense. Qubes brings domains together on one desktop in much the same way virtualization lets us run multiple operating systems on the same server.
Kyle Rankin fromLinux Journal reviewed Qubes OS in 2016:[31]
I'm sure you already can see a number of areas where Qubes provides greater security than you would find in a regular Linux desktop.
In 2014, Qubes was selected as a finalist of Access Innovation Prize 2014 for Endpoint Security, run by the international human rights organizationAccess Now.[32]