Qubes MSI support for PCI device pass-through with stub domains

MSI support for PCI device pass-through with stub domains
by Simon Gaiser
In this post, we will describe how we fixed MSI support for VMs running in HVM mode in Qubes 4.0. First, allow us to provide some background about the MSI feature and why we need it in the first place.[…]

https://www.qubes-os.org/news/2017/10/18/msi-support/

Qubes and Golem

Golem is a global, open-source, decentralized supercomputer that anyone can access. It’s made up of the combined power of users’ machines, from personal laptops to entire datacenters. Anyone will be able to use Golem to compute (almost) any program they can think of, from rendering to research to running websites, in a completely decentralized and inexpensive way. The Golem Network is a decentralized sharing economy of computing power, where anyone can make money ‘renting’ out their computing power or developing and selling software.

https://github.com/rootkovska/rootkovska.github.io/blob/master/papers/2017/Secure%20Computing%20in%20Decentralized%20World.pdf

https://golem.network/

Qubes hardware compatibility tiers

OEMs: note the Qubes compatibility levels. Your systems are most likely not secure enough for the high-end tier; time to improve your products.

Level 0: Qubes Compatible Laptop

Level 1: Qubes Certified Laptop

Level 2: Qubes Stateless Laptop

https://www.qubes-os.org/news/2017/07/08/toward-a-reasonably-secure-laptop/

Pandavirtualization: Exploiting the Xen hypervisor

Posted by Jann Horn, Project Zero

On 2017-03-14, I reported a bug to Xen’s security team that permits an attacker with control over the kernel of a paravirtualized x86-64 Xen guest to break out of the hypervisor and gain full control over the machine’s physical memory. The Xen Project publicly released an advisory and a patch for this issue on 2017-04-04. To demonstrate the impact of the issue, I created an exploit that, when executed in one 64-bit PV guest with root privileges, will execute a shell command as root in all other 64-bit PV guests (including dom0) on the same physical machine.[…]

https://xenbits.xen.org/xsa/advisory-212.html

https://bugs.chromium.org/p/project-zero/issues/detail?id=1184

https://googleprojectzero.blogspot.com/2017/04/pandavirtualization-exploiting-xen.html

Qubes 3.2 released

http://blog.invisiblethings.org/2016/09/29/qubes-32.html

Excerpting information about the new 3.2 “USB passthrough” feature from the announcement blog post:

[…] In Qubes 3.2, we’re also introducing USB passthrough, which allows one to assign individual USB devices, such as cameras, Bitcoin hardware wallets, and various FTDI devices, to AppVMs. This means that it’s now possible to use Skype and other video conferencing software on Qubes! Qubes has supported the sandboxing of USB devices since the very beginning (2010), but the catch has always been that all the USB devices connected to the same USB controller had to be assigned to the same VM. This limitation was due to the underlying hardware architecture (specifically, PCIe and VT-d technologies). We can now get around this limitation by using software backends. The price we pay for this, however, is increased attack surface on the backend, which is important in the event that several USB devices of different security contexts are connected to a single controller. Sadly, on laptops this is almost always the case. Another potential security problem is that USB virtualization does not prevent a potentially malicious USB device from attacking the VM to which it is connected. These problems are not inherent to Qubes OS. In fact, they pose an even greater threat to traditional, monolithic operating systems. In the case of Qubes, it has at least been possible to isolate all USB devices from the user’s AppVMs. The new USB passthrough feature gives the user more fine-grained control over the management of USB devices while still maintaining this isolation. Nonetheless, it’s very important for users to realize that there are no “automagical” solutions to malicious USB problems. Users should plan their compartmentalization with this in mind. We should also mention that Qubes has long supported the secure virtualization of a certain class of USB devices, specifically mass storage devices (such as flash drives and external hard drives) and, more recently, USB mice. 
Please note that it is always preferable to use these special, security-optimized protocols when available rather than generic USB passthrough. […]

Qubes OS 3.1 rc1 released, with UEFI support

New features since 3.0:
 * Management stack based on Salt Stack in dom0
 * Out-of-the-box Whonix setup
 * UEFI support
 * LIVE edition (still alpha, not part of R3.1-rc1)
 * Updated GPU drivers in dom0
 * Colorful window application icons (instead of just a colorful lock icon)
 * PV Grub support (documentation)
 * Out-of-the-box USB VM setup, including handling of USB mice
 * Xen upgraded to 4.6, for better hardware support (especially the Skylake platform)
 * Improved updates proxy flexibility – especially for repositories served over HTTPS

https://www.qubes-os.org/news/2015/12/08/qubes-OS-3-1-rc1-has-been-released/

https://www.qubes-os.org/doc/releases/3.1/release-notes/
