Qubes is far from perfect

I’m not a Qubes user. I wanted to use Qubes but these things concern me a lot.

  1. poor secure boot support. I’m not saying it’s impossible to use secure boot on Qubes, I’m just saying it’s very difficult at least for me.
  2. poor compatibility test. The HCL list often lacks some newer models. eg I want to buy a surface laptop 5 but I donot know if it can run Qubes until I actually try it myself.
  3. Questionable support for some security features. eg DRTM, exploit protection like CFG or ASLR, SMM protection. IMO Qubes should focus more on hardware security and collaborate more with projects like Trenchboot to achieve complete security. It also confuses me a lot that Qubes does not support TPM 2.0. THis is by no means the best practice.
    pls correct me if I’m wrong.

In regard to TPM I think these have historically been bad in Linux, until fairly recently. The new systemd-measure and ukify tools are only fairly recent and are not really utilized by downstream distributions yet.

At least, on Fedora, it does support TPM 2.0.

I think a lot of users interested in Qubes + Secure Boot will use HEADS firmware with a Thinkpad or Librem.

Unlike regular secure boot, this also helps mitigate Evil Maid.

It only supports some 10-year-old models thus can never be secure. another proof of Qubes’s poor compatibility

1 Like

No, HEADS supports the Librem 14 which is from 2022. The laptop is practically designed for HEADS+Qubes.

I think Trenchboot looks pretty good but I cannot find any practical guide to use it.
edit: there is actually. maybe I’ll give it a try
edit: what is the prerequisites of trenchboot? Can I install it on any of the PCs? I cannot find anything useful in there doc

thank you for that info

can somebody tell me how long will Purism support Librem 14? How long will it accept Intel microcode update? I cannot find any info about that(edit: 1 2 still cannot find the answer
edit: and how quickly will Purism patch exploits in the Firmware? or is this a thing that I should DIY? Can I update the firmware by myself?(edit :yes) Is there any verification mechanism to prevent evil firmware update? What about bootkit? WIll Librem support DRTM to ensure firmware security during the boot?

Also can I use trenchboot with librem 14? What about surface laptop 5?(I think trenchboot is better than the current aem
What about driver updates? Will Qubes provide proper and frequent driver updates?
I’ve been a Windows user and I’m familiar with security on windows. I wanna give Qubes a try but I really need to know the answers before that.

Yes I’m just ranting. cause the most of the questions above donot have a satisfying answer. Other desktop OS are also far from perfect. Linux has the same problem with Qubes. Windows and macOS lack forced app sandbox. WIndows also has driver and support lifetime issue and is not private by default. macOS is a locked down b******t cause I cannot even change the OS on the device. It seems desktop OS are less secure than mobile OS in general.

1 Like

The list is community-curated and will lag behind in terms of compatibility with newer QubesOS versions. Newer versions will usually see better compatibility. One tip is to search the Qubes forums for PC model and CPU compatibility; users will sometimes mention issues or non-issues there.

I do sympathize with the disappointment expressed in your post. However, keep in mind that QubesOS is a very niche OS, not used by many, and that most users that do not experience hardware hurdles with it will not do the (however small) effort of submitting their findings for evaluation. For instance, after submitting my hardware to the list, only then did someone else mention that they had the exact same laptop model, and that it worked fine.

Except for hardware that is on the QubesOS list of supported and/or compatible models, one should avoid buying hardware with the sole intention of using it with QubesOS. One might be sorely disappointed.

If an attacker manages to break from a qube and move into dom0 - which the project considers very hard if one is following the official recommendations - then yes, you are basically ‘screwed’. And if, in addition, the attacker manages to infect the BIOS, you will be ‘screwed’ in the deepest sense and you should throw your hardware away (if you ever manage to detect the infection in the first place).

With your statement that QubesOS is “far from perfect”, I wholeheartedly agree. As the project itself advertises, it is only a ‘reasonably secure’ operating system.

1 Like