Qubes-Whonix Security Disadvantages - Help Wanted!

** kloak** (Anti Keystroke Deanonymization)

• Already installed by default in Non-Qubes-Whonix for a long time.
• Not on the horizon for Qubes-Whonix. Qubes VM kernel non-default issue.
• Qubes issue: (provide Linux kernel input device so kloak (anti keystroke deanonymization tool) can be used in Qubes-Whonix · Issue #2558 · QubesOS/qubes-issues · GitHub merged into Feature Request: Anti-Keystroke Fingerprinting Tool · Issue #1850 · QubesOS/qubes-issues · GitHub)
  • ~~2024 update: Pull request: https://github.com/QubesOS/qubes-gui-daemon/pull/149~~
  • 2025 update: Improved. Qubes-Whonix 18 on Qubes R4.3 comes with Qubes Event Buffering by default.

Linux Kernel Runtime Guard (LKRG)

• Soon to be installed by default in Non-Qubes-Whonix.
• Not soon to be installed in Qubes-Whonix by default because Qubes is not using Qubes VM kernel by default yet.
• Qubes issues:
  • ~~ make Linux Kernel Runtime Guard (LKRG) easily available in Qubes · Issue #5461 · QubesOS/qubes-issues · GitHub ~~
  • ~~ Feature Request: Anti-Keystroke Fingerprinting Tool · Issue #1850 · QubesOS/qubes-issues · GitHub ~~
  • ~~ Simplify and promote using in-vm kernel · Issue #5212 · QubesOS/qubes-issues · GitHub ~~
  • ~~ network internet connectivity issues with Qubes VM kernel · Issue #5667 · QubesOS/qubes-issues · GitHub ~~
• 2024 update: LKRG is deprecated in Whonix.

tirdad (TCP ISN CPU Information Leak Protection.)

• Installed by default in Non-Qubes-Whonix.
• Not installed in Qubes-Whonix by default because Qubes is not using Qubes VM kernel by default yet. Requires In-VM Kernel.
  • Qubes issues:
    • Simplify and promote using in-vm kernel · Issue #5212 · QubesOS/qubes-issues · GitHub
    • Use in-vm kernel for Whonix (and possibly Kicksecure) · Issue #9570 · QubesOS/qubes-issues · GitHub
    • Fix booting on 4k storage also for templates using in-vm kernel · Issue #9759 · QubesOS/qubes-issues · GitHub

Kernel Hardening through Kernel Boot Parameters

• Already installed by default in Non-Qubes-Whonix for a long time.
• Not on the horizon for Qubes-Whonix. Qubes VM kernel non-default issue.
• Qubes issues:
  • Simplify and promote using in-vm kernel · Issue #5212 · QubesOS/qubes-issues · GitHub
  • Use in-vm kernel for Whonix (and possibly Kicksecure) · Issue #9570 · QubesOS/qubes-issues · GitHub
  • Fix booting on 4k storage also for templates using in-vm kernel · Issue #9759 · QubesOS/qubes-issues · GitHub
  • Kernel hardening - change default options · Issue #2045 · QubesOS/qubes-issues · GitHub
  • 2024 update: Use in-vm kernel for Whonix (and possibly Kicksecure) · Issue #9570 · QubesOS/qubes-issues · GitHub

Strong Linux User Account Separation / Protection against Bruteforcing Linux User Account Passwords

• Already default in Non-Qubes-Whonix.
• Might be fixeable in Qubes-Whonix
  • ~~Qubes sudo / su / root Hardening - Development Discussion
• Qubes issues:~~
  • ~~ fix, forbid non-root users using 'su' by adrelanos · Pull Request #171 · QubesOS/qubes-core-agent-linux · GitHub ~~
  • ~~ Automate vm sudo authorization setup · Issue #2695 · QubesOS/qubes-issues · GitHub ~~
  • ~~ Package security-misc from Whonix to Qubes · Issue #1885 · QubesOS/qubes-issues · GitHub ~~
• 2025 update: Much better nowadays due to user-sysmaint-split. Remaining Qubes issue:
  • harden insecure permissions inside `/dev/xen` folder / research security impact of the Qubes `/dev/xen` folder permissions · Issue #9717 · QubesOS/qubes-issues · GitHub

apparmor-profile-everything (AAE) (AppArmor for everything. APT, systemd, init, all systemd units, all applications)

• In development.
• Proof of concept functional in Non-Qubes-Whonix.
• ~~ Using apparmor-profile-everything on Debian Buster ~~
• Broken in Qubes-Whonix.
• Only developed for Non-Qubes-Whonix by @madaidan.
• Nobody working on Qubes-Whonix support.
• github / forum discussion
• 2024 update: AAE is deprecated in Whonix. → new plan:

hardened-kernel (HK) patch and config

• In development.
• Proof of concept functional in Non-Qubes-Whonix.
• Broken in Qubes-Whonix.
• Only developed for Non-Qubes-Whonix by @madaidan.
• Nobody working on Qubes-Whonix support.
• github / forum discussion
• 2024 update: HK is deprecated in Whonix.

Please help fixing these issues!

My impression is that Simplify and promote using in-vm kernel · Issue #5212 · QubesOS/qubes-issues · GitHub will fix a lot of those issues, is that correct?

Yes.

Why can’t Qubes just use grub.d? Why would it require another kernel?

Because Qubes uses at this time by Qubes default a kernel supplied by dom0 (host). Not kernel supplied by VM. VM grub.d / grub.cfg is ignored by default. This might change in future as per ticket Simplify and promote using in-vm kernel · Issue #5212 · QubesOS/qubes-issues · GitHub.

Can we trust that the changes on the default kernel option will land some time soon?
Is there an alternative solution to this, like running the whonix gw and ws as HVMs (maybe?) to provide the security mechanisms?

Welcome to Whonix forums and thank you for your question!

No.

Unsupported.

Are there any updates on this?

No.

Hi all, is this topic up-to-date? I looked through what I could on Github. For instance, the first issue, it seems there is still some work to do, but hopefully recent developments will help resolve the issue. And it seems the workaround is to just write what you want to within a notepad and paste the contents into your browser (that ideally doesn’t have JS enabled).

Thanks for your time

Should there be any substantial updates, these will be notified in the linked tickets.

Above post has been updated just now.