Qubes-Whonix Security Disadvantages - Help Wanted!

kloak (Anti Keystroke Deanonymization)

Linux Kernel Runtime Guard (LKRG)

tirdad (TCP ISN CPU Information Leak Protection.)

Kernel Hardening through Kernel Boot Parameters

Strong Linux User Account Separation / Protection against Bruteforcing Linux User Account Passwords

apparmor-profile-everything (AppArmor for everything. APT, systemd, init, all systemd units, all applications)

hardened-kernel patch and config

  • In development.
  • Proof of concept functional in Non-Qubes-Whonix.
  • Broken in Qubes-Whonix.
  • Only developed for Non-Qubes-Whonix by @madaidan.
  • Nobody working on Qubes-Whonix support.
  • github / forum discussion

Please help fixing these issues!

1 Like

My impression is that https://github.com/QubesOS/qubes-issues/issues/5212 will fix a lot of those issues, is that correct?


Why can’t Qubes just use grub.d? Why would it require another kernel?

Because Qubes uses at this time by Qubes default a kernel supplied by dom0 (host). Not kernel supplied by VM. VM grub.d / grub.cfg is ignored by default. This might change in future as per ticket https://github.com/QubesOS/qubes-issues/issues/5212.

1 Like

Can we trust that the changes on the default kernel option will land some time soon?
Is there an alternative solution to this, like running the whonix gw and ws as HVMs (maybe?) to provide the security mechanisms?

Welcome to Whonix forums and thank you for your question!



[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]