Introduction


Sailesh Swaminathan

Feb 24, 2026, 3:03:57 AM
to qubes...@googlegroups.com
Hey team!

Great to be here! I’m Sailesh, a full-stack developer with a strong interest in systems and operating systems.

I’m new to Qubes OS and noticed that the project has been listed for GSoC 2026. I first learned about Qubes OS through the SecureDrop project.

I’m currently exploring opportunities to contribute to open-source OS projects.

I'm interested in “Whonix IPv6 and nftables support”.

While researching it, I came across an earlier discussion from GSoC 2018 where this idea was previously mentioned:
https://forums.whonix.org/t/2018-google-summer-of-code/4713

I also found the related thread about porting from iptables to nftables:
https://forums.whonix.org/t/port-to-nftables-as-a-replacement-for-iptables/18896

Since this topic was discussed several years ago, I wanted to clarify:

  • Is this still an open and relevant problem for Whonix?

  • Has the migration to nftables or IPv6 support already been completed (fully or partially)?

  • Would work in this area still be considered a valid proposal for GSoC 2026?

I would really appreciate any guidance on the current status.



Ben Grande

Mar 6, 2026, 3:23:55 AM
to qubes...@googlegroups.com

On 26-02-24 12:29:28, Sailesh Swaminathan wrote:
> Hey team!
>
> Great to be here! I’m Sailesh, a full-stack developer with a strong interest in
> systems and operating systems.
>
> I’m new to Qubes OS and noticed that the project has been listed for GSoC 2026.
> I first learned about Qubes OS through the SecureDrop project.
>
> I’m currently exploring opportunities to contribute to open-source OS projects.

Hi, we are always interested in people that want to contribute to the
project!

> I'm interested in 
>
> “Whonix IPv6 and nftables support”. 
>
> While researching it, I came across an earlier discussion from GSoC 2018 where
> this idea was previously mentioned:
> https://forums.whonix.org/t/2018-google-summer-of-code/4713
>
> I also found the related thread about porting from iptables to nftables:
> https://forums.whonix.org/t/port-to-nftables-as-a-replacement-for-iptables/18896
>
> Since this topic was discussed several years ago, I wanted to clarify:
>
> • Is this still an open and relevant problem for Whonix?

No, this has been done. Whonix has updated their GSoC content:

https://doc.qubes-os.org/en/r4.3/developer/general/gsoc.html#whonix

Please check if you are still interested or choose another GSoC entry on
that page if you'd like.

--
Benjamin Grande

harshit bhalani

Mar 8, 2026, 9:22:06 AM
to qubes-devel

Hello,


I'm Harshit, and I'm interested in the Secure Boot Support project for GSoC 2026.


Before reaching out, I went through Kamil Aronowski's talk from Qubes OS Summit 2025, Piotr Król's talks from Summit 2024 and the Xen Winter Meetup, your own development update from Summit 2025, and issues #4371 and #8206 on GitHub. So I have a rough picture of what the project involves: building a tool to package and sign a Unified Kernel Image, hook it into the update mechanism, and add a fallback boot entry. I also noticed UKI packaging didn't make it into R4.3, which makes this feel like a well-timed contribution.


I'm comfortable with Python and Bash. Right now I'm setting up QEMU with OVMF to try to reproduce the shim_lock and SBAT mismatch errors from #4371 before writing anything.


If my understanding is off somewhere, I'd genuinely like to know. And if there are any good starting points or open issues related to this work, I'd love to dig in.


Thanks!

Harshit Bhalani


Marek Marczykowski-Górecki

Mar 9, 2026, 9:08:54 AM
to harshit bhalani, qubes-devel

Hello!

I think you got everything correct. Besides the above, there were a
couple of related changes in upstream Xen since the 4.19 release which we
currently use. Things related to adding SBAT, NX_COMPAT, and (skipping)
signature verification for the UKI case.
And there is also https://github.com/QubesOS/qubes-pecheck which is
supposed to help with verifying UKI binary correctness. Note it's still
experimental, so if it says something is wrong, it may mean a legitimate
issue with the UKI, but it may also be an issue with the tool. So, usually
a reported error needs to be verified to see if it's a real issue.

And to your last question - this is I think a good starting point - take
qubes-pecheck and try it on various UKI / EFI binaries (both with Xen,
but also on binaries from Linux distributions that use UKI) and see how
it works, and if it helps finding issues to be fixed.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

Demi Marie Obenour

Mar 9, 2026, 3:43:41 PM
to Marek Marczykowski-Górecki, harshit bhalani, qubes-devel
qubes-pecheck is designed to have a couple modes:

- Strict mode, in which anything that a good PE file should not have
is rejected.
- Non-strict mode, which rejects known-bad PE files.

If I recall correctly, it is also possible to get warnings on
suspicious constructs but still get an exit code of 0.

Please let me know if there are any problems and I will fix them.
(I'm the original author.)
--
Sincerely,
Demi Marie Obenour (she/her/hers)
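
An added example, not part of the thread and not qubes-pecheck's code: a minimal two-tier PE header check in the spirit of the strict/non-strict split described above, applied to the NX_COMPAT flag and the `.sbat` section mentioned earlier in the thread. Which findings count as errors versus warnings is an assumption made here, and `inspect_pe`, `verdict` and `build_sample` are hypothetical names.

```python
import struct

NX_COMPAT = 0x0100  # IMAGE_DLLCHARACTERISTICS_NX_COMPAT

def inspect_pe(data):
    """Return (errors, warnings) for a PE/EFI image given as bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["missing MZ header"], []
    pe_off, = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return ["bad PE signature"], []
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    opt = pe_off + 24
    sect = opt + opt_size
    if opt_size < 72 or sect + 40 * nsect > len(data):
        return ["truncated headers"], []
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        return ["unknown optional header magic"], []
    dll_chars, = struct.unpack_from("<H", data, opt + 70)
    names = {data[sect + 40 * i:sect + 40 * i + 8].rstrip(b"\0") for i in range(nsect)}
    warnings = []  # assumption: suspicious but parseable constructs
    if not dll_chars & NX_COMPAT:
        warnings.append("NX_COMPAT not set")
    if b".sbat" not in names:
        warnings.append("no .sbat section")
    return [], warnings

def verdict(data, strict):
    """Non-strict rejects only errors; strict also rejects on any warning."""
    errors, warnings = inspect_pe(data)
    return not errors and not (strict and warnings)

def build_sample(dll_chars, section_names):
    """Constructed header-only PE32+ image for the demo (not bootable)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 112, 0x22)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_chars)   # DllCharacteristics
    sects = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sects

if __name__ == "__main__":
    weak = build_sample(0, [b".text"])
    print(inspect_pe(weak), verdict(weak, strict=False), verdict(weak, strict=True))
```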