On Wednesday, February 26, 2020 at 12:18:48 PM UTC, ggg...@gmail.com wrote:
>
> Boxes being the Sandboxing software available in Linux.  It is my hunch, 
> that the VM's are taking advantage of some hardware feature that insulates 
> them that might be a security hole for Boxes.  I dunno?
>

Background: Boxes is simply a nice front end for KVM and QEMU, which is 
what most Linux virtualization solutions utilize.

Reasons that Qubes project initially chose Xen over KVM+QEMU (probably 
better explained on the Qubes website):
1. The hypervisor code base is substantially smaller in the Xen case. 
Smaller generally means fewer security issues.
2. Xen came with better suited vt-d/IOMMU support at the time.
3. When parts of qemu are needed for certain virtualization scenarios, Xen 
supports sandboxing qemu into stub domains.
4. QEMU has been historically problematic when it comes to security issues, 
at least relative to Xen or even Xen w/ qemu in a stub domain.
 

> Also, as I have not gotten a computer to run Qubes OS, I notice that the 
> App VM seem to be loading a full featured version of a Linux OS.  I am 
> guessing that in reality you guys are using a smallish Limited version of a 
> Linux Distro.   
>

Generally standard fedora and standard debian come as VM templates under 
Qubes, yes. With caveats, Qubes also provides slimmer versions of the 
template distros as well as optional downloads.
 

> I was expecting to see some advice about how to uninstall the module that 
> runs the camera, and the microphone.   I know I rarely use them, so it 
> would seem like a good idea.   OR I guess, it is left to the individual 
> with the individual distro.  
>

Assuming your camera is USB based (generally the case, even for internal 
camera devices).

Generally, the default installation:
1. Hides all USB devices from dom0, making them unusable.
2. Puts all USB devices into a device sandbox called sys-usb (this part is 
optional, but useful if you want USB devices to work).
 
Generally, you can use the command line or the devices widget to assign the 
devices, including the microphone, to a VM if you choose (some limitations 
on usbip support being broken for certain device types).

> I was looking for a list of;  If you want to be secure,   "Never do 
> this."    Another check list, like a pilot uses before taking off, that is 
> what the proper procedure is for some of the types of things one might 
> routinely do with Qubes OS.  
>

This would vary by threat model. Without a threat model, a general 
checklist would be impossible to provide.
 

> About my hardware deficiency, wait for another month for me to be able to 
> upgrade RAM, and maybe buy a Programming device.   So please be patient 
> with questions that would be obvious if I was running Qubes OS already.
>

Good luck! 
