[Note: This thread is intended to be a discussion thread for the topics in this post. Please keep your replies on topic. Some examples of off-topic replies include:
“When is my order shipping?” (We contact people to arrange shipping and update shipping addresses over email, not in a forum thread.)
“I have a support request.” (These are better handled with the Purism support team.)
“I want to air a personal grievance.” (You can do that in your own topic.)
]
Qubes is a high-security operating system that makes it easy to isolate workflows into different virtual machines (VMs) or “Qubes” that you can label, colorize, and firewall off based on trust level. One of the challenges finding the best Qubes laptop has always been hardware compatibilityQubes uses advanced Xen features and relies on hardware virtualization extensions like IOMMU to power all of its virtual machine features and the Linux kernel in Qubes often doesn’t support all of these features on all hardware.
While Qubes maintains a community-built hardware compatibility list, it’s not always up to date and typically reflects Qubes support on a particular piece of hardware in a point in time. Since few vendors apart from Purism test Qubes on their hardware, much less support it, if you want to run Qubes on your own laptop, you are often on your own.
Qubes’s heavy reliance on virtualization also means that machines running Qubes typically need more resourcesin particular RAM and fast storagethan a regular operating system. It’s not uncommon to have five to ten virtual machines running at a single time with many of them running their own independent web browsers. While Qubes lists 4GB of RAM as the minimum, to get the most use out of Qubes you really need a minimum of 8GB of RAM, with 16 or 32GB RAM recommended if you intend to create and run many VMs simultaneously.
I didn’t realize Purism provides the option to ship a laptop with Qubes already installed. Absolutely love it.
Regarding Qubes certification, were the Librem laptops certified in the past but no longer? I only see two laptops (neither from Purism) on the Qubes certification list.
I see that the Qubes project requires a monthly fee in order to maintain certification, so I can understand why to not maintain the certification forever.
We don’t preinstall at this point, we just provide install media, because Qubes doesn’t yet provide an OEM install setup like we have with PureOS that allows the user to set their own encryption key at first boot. However the Qubes install is relatively simple.
Yes the first Librem 13 was certified and when it came time to certify the Librem 13v2 they updated the terms of the certification with various fees, etc. We decided we could better use those funds to support Qubes ourselves so that’s what we’ve done sine then.
This fact is the central reason I have ordered a L14. There are lots of other reasons that could easily apply to other vendors. But this one and primarily this one, along with the other portfolio of services, is THE reason I stick with Purism.
Everyone has their reasons. This is mine. And I look forward to taking receipt of my L14, installing Qubes, and setting it up just so. It’s like arranging one’s new office in a way.
I’ve dual booted in the past for testing purposes (to do so you need to share the /boot partition between PureOS and Qubes) but Qubes strongly discourages dual booting.
The reason is that Qubes goes to great lengths to reduce its dom0 attack surface with limited packages and limited functionality because it has full root across all VMs. When you dual boot, you put that at risk if an attacker is able to compromise the less-hardened other OS and use that to also attack Qubes (since they share /boot).
Thanks, that makes sense. Do the VMs support most applications? I’ve never used VMs so I’m not sure what applications will run on them. I’m also not sure how to setup the network fire wall / walls. I assume you set up fire walls for each VM to meet the threat level? Are setup outlines included with Qubes install & setup? Thanks, Fred
Hi Fred,
Yes, you can do pretty much anything you would do on a normal OS inside a VM.
Qubes comes with a firewall VM installed by default (called sys-firewall). You don’t have to setup a firewall in each VM, since each VM will get their internet connection from sys-firewall.
sys-firewall is not pre-configured with any settings besides VM isolation and such, but you can add custom rules there (for example, to block connections from/to a specific server/port).
However, you might be able to get a good Pure OS template by using a similar method to the one described in this page (and replacing Kali repos/signature with Pure OS’s). Or you can just install Pure OS directly into a HVM and you will also get access to a Pure OS desktop.
Personally, I would rather just use Debian templates included by default in Qubes and wouldn’t bother with Pure OS.
If you still want to have Pure OS in Qubes and the previous method did not work, I would recommend taking a look at how Pure OS differs from debian and try to modify a debian template from there.
Most of the differences are either installed applications and configuration differences (shouldn’t be too hard to configure yourself), security hardenings (which are mostly redundant if you are already running a VM inside qubes) or desktop environment, which you probably won’t use inside Qubes.
This is a common theme with Qubes. You will need to configure a lot yourself. The appeal with Pure OS is having a good sensible default configuration out of the box where you can just get straight to work.