QubesOS 4.1 status


Demi M. Obenour

Mar 5, 2019, 5:12:09 PM
to qubes...@googlegroups.com
What is the status of QubesOS 4.1?  I see some commits on GitHub, but nothing on the website.

Demi



Andrew David Wong

Mar 5, 2019, 9:06:26 PM
to Demi M. Obenour, qubes...@googlegroups.com
You can see the status of Qubes 4.1 on the website here:

https://www.qubes-os.org/doc/supported-versions/#qubes-os

As you can see, the status is just "In development." We generally
don't post more detail than that on the website until closer to
release. If you're seeking more detail, then GitHub and this list are
the right places. :)

(Marek provides periodic updates here, and he may reply to you
directly if he has time.)

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Marek Marczykowski-Górecki

Mar 5, 2019, 10:38:00 PM
to Demi M. Obenour, qubes...@googlegroups.com

On Tue, Mar 05, 2019 at 05:12:02PM -0500, Demi M. Obenour wrote:
> What is the status of QubesOS 4.1?  I see some commits on GitHub, but nothing on the website.

I'm in the process of merging relevant PRs and building initial
packages, so it will be easier to test the whole thing, not only parts.
But the first rc is still a few months away. You can get some idea by
looking at issues with the "Release 4.1" milestone. This list is definitely
too optimistic, but we'll clean it up over time (either by finishing
listed things, or moving them to the next milestone). So this may be used as
some kind of a progress bar.

The major new thing in R4.1 will be the possibility to run a GUI VM - i.e.
have the desktop environment in a separate VM, not dom0. You can see more
here: https://github.com/QubesOS/qubes-issues/issues/833

But it will _not_ be enabled by default, because at this stage it has
a rather hard impact on usability (naive whole screen forwarding), or
hardware compatibility (the real GPU passthrough). It will be rather a
technology preview. But actually a lot of surrounding technologies are
also useful in other cases. For example, you could set up a machine with
a network-accessible GUI VM (in practice, you can choose a GUI VM for each
VM separately) and connect to it remotely. This does mean adding a massive
weak point, but on the other hand, such a GUI VM is not a dom0 and can be
very restricted (for example, access to only very few applications, in
selected VMs, and not be allowed to make any changes).

Besides this, there is a lot of ongoing work on UI/UX stuff. Some of it
is also released as updates to 4.0 (like a tool to update multiple
templates at once). And generally, besides GUI VM related stuff, most
other things are about polishing and making what we already have
easier to use, instead of adding more complexity.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

sagar acharya

Jun 5, 2019, 8:28:44 AM
to qubes-devel
Dear Marek, it would be fantastic if PCI passthrough becomes trivial in qubes R4.1. Using graphic cards is so central in games and computation intensive things on GPU. Having it in dom0 and not contained in other VMs made me switch back to another OS.

Request you to add it. Thanks

Marek Marczykowski-Górecki

Jun 5, 2019, 9:48:02 AM
to sagar acharya, qubes-devel

On Wed, Jun 05, 2019 at 05:28:44AM -0700, sagar acharya wrote:
> Dear Marek, it would be fantastic if PCI passthrough becomes trivial in qubes R4.1. Using graphic cards is so central in games and computation intensive things on GPU. Having it in dom0 and not contained in other VMs made me switch back to another OS.

Simple PCI passthrough works well. The problematic case is for GPUs,
which in practice are very non-standard PCI devices, with a lot of
vendor-specific quirks. Anyway yes, making it work reliably is on the
roadmap, but may not be fully ready in R4.1.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Demi M. Obenour

Jun 6, 2019, 8:19:42 PM
to Marek Marczykowski-Górecki, sagar acharya, qubes-devel
On 6/5/19 9:47 AM, Marek Marczykowski-Górecki wrote:
> On Wed, Jun 05, 2019 at 05:28:44AM -0700, sagar acharya wrote:
>> Dear Marek, it would be fantastic if PCI passthrough becomes trivial in qubes R4.1. Using graphic cards is so central in games and computation intensive things on GPU. Having it in dom0 and not contained in other VMs made me switch back to another OS.
>
> Simple PCI passthrough works well. The problematic case is for GPUs,
> which in practice are very non-standard PCI devices, with a lot of
> vendor-specific quirks. Anyway yes, making it work reliably is on the
> roadmap, but may not be fully ready in R4.1.

What is the security status of GPU pass-through? It would be amazing
if GPU pass-through could be a fully security-supported feature,
although I understand it might not be practical. Most uses for GPU
pass-through are for games, which are not trusted at all.

If the security risks of (secondary) GPU pass-through could be
eliminated, it would be possible to have an “Allow this VM to use
hardware-accelerated graphics” checkbox in the GUI, which would be
awesome. Obviously, I am only referring to GPUs that do *not* have
control over the monitor.

Sincerely,

Demi


sagar acharya

Jun 7, 2019, 10:28:22 AM
to qubes-devel
> Simple PCI passthrough works well. The problematic case is for GPUs,
> which in practice are very non-standard PCI devices, with a lot of
> vendor-specific quirks. Anyway yes, making it work reliably is on the
> roadmap, but may not be fully ready in R4.1.

Thanks. I look forward to it. In my case Ryzen APU 2200G integrated graphics didn't work well with 4.20 kernel due to which I was unable to get the nvidia card to other VM. If I remember correctly, I read zen's passthrough which I was unable to implement.

Aktariel

Jun 14, 2019, 8:38:09 AM
to qubes-devel
Will Qubes 4.1 include the improvements in Xen 4.12? (qemu security, smaller codebase, PVH/HVM only codepaths, etc)

Marek Marczykowski-Górecki

Jun 14, 2019, 11:02:04 AM
to Aktariel, qubes-devel

On Fri, Jun 14, 2019 at 05:38:09AM -0700, Aktariel wrote:
> Will Qubes 4.1 include the improvements in Xen 4.12? (qemu security, smaller codebase, PVH/HVM only codepaths, etc)

Yes and no. There will be Xen 4.12, but not all the above is relevant
for Qubes OS. For example, the "qemu security" improvements are about qemu
running in dom0 only, which we don't do. We already have it isolated in a
stubdomain, which in our opinion is significantly stronger than the
improvements available in Xen 4.12 (running qemu as a non-root user +
some sandboxing mechanisms).

Regarding PV / PVH/HVM, we do plan to migrate away from PV completely
(to the point of disabling it at build time) in a subsequent version, but not
this one yet. There are two reasons for that:
- Dom0 - support for PVH dom0 is only "tech preview"
- stubdomains and various unikernels (MirageOS for example) still
  require PV

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?