Qubes-Whonix Security Disadvantages - Help Wanted!

kloak (Anti Keystroke Deanonymization)


Linux Kernel Runtime Guard (LKRG)


tirdad (TCP ISN CPU Information Leak Protection)


Kernel Hardening through Kernel Boot Parameters


Strong Linux User Account Separation / Protection against Bruteforcing Linux User Account Passwords



apparmor-profile-everything (AppArmor for everything. APT, systemd, init, all systemd units, all applications)


hardened-kernel patch and config

  • In development.
  • Proof of concept functional in Non-Qubes-Whonix.
  • Broken in Qubes-Whonix.
  • Only developed for Non-Qubes-Whonix by @madaidan.
  • Nobody working on Qubes-Whonix support.
  • github / forum discussion

Please help fix these issues!


My impression is that Simplify and promote using in-vm kernel · Issue #5212 · QubesOS/qubes-issues · GitHub will fix a lot of those issues, is that correct?

Yes.

Why can’t Qubes just use grub.d? Why would it require another kernel?

Because Qubes at this time uses, by default, a kernel supplied by dom0 (host), not a kernel supplied by the VM. The VM's grub.d / grub.cfg is ignored by default. This might change in the future as per the ticket Simplify and promote using in-vm kernel · Issue #5212 · QubesOS/qubes-issues · GitHub.


Can we trust that the changes to the default kernel option will land some time soon?
Is there an alternative solution to this, like running the Whonix gw and ws as HVMs (maybe?) to provide the security mechanisms?

Welcome to Whonix forums and thank you for your question!

No.

Unsupported.

Are there any updates on this?

No.