Qubes-Whonix Security Disadvantages - Help Wanted!

kloak (Anti Keystroke Deanonymization)

• Already installed by default in Non-Qubes-Whonix for a long time.
• Not on the horizon for Qubes-Whonix. Qubes VM kernel non-default issue.
• Qubes issue: (provide Linux kernel input device so kloak (anti keystroke deanonymization tool) can be used in Qubes-Whonix · Issue #2558 · QubesOS/qubes-issues · GitHub merged into Feature Request: Anti-Keystroke Fingerprinting Tool · Issue #1850 · QubesOS/qubes-issues · GitHub)
  • 2024 update: Pull request: Add event buffering for cloaking user input patterns by ArrayBolt3 · Pull Request #149 · QubesOS/qubes-gui-daemon · GitHub

**[Linux Kernel Runtime Guard (LKRG)](Linux Kernel Runtime Guard (LKRG) for Debian, Whonix, Qubes, Kicksecure)**

• Soon to be installed by default in Non-Qubes-Whonix.
• Not soon to be installed in Qubes-Whonix by default because Qubes is not using Qubes VM kernel by default yet.
• Qubes issues:
  • ~~ make Linux Kernel Runtime Guard (LKRG) easily available in Qubes · Issue #5461 · QubesOS/qubes-issues · GitHub ~~
  • ~~ Feature Request: Anti-Keystroke Fingerprinting Tool · Issue #1850 · QubesOS/qubes-issues · GitHub ~~
  • ~~ Simplify and promote using in-vm kernel · Issue #5212 · QubesOS/qubes-issues · GitHub ~~
  • ~~ network internet connectivity issues with Qubes VM kernel · Issue #5667 · QubesOS/qubes-issues · GitHub ~~
• 2024 update: LKRG is deprecated in Whonix.

tirdad (TCP ISN CPU Information Leak Protection.)

• Soon to be installed by default in Non-Qubes-Whonix.
• Not soon to be installed in Qubes-Whonix by default because Qubes is not using Qubes VM kernel by default yet.
• Qubes issue: Simplify and promote using in-vm kernel · Issue #5212 · QubesOS/qubes-issues · GitHub

Kernel Hardening through Kernel Boot Parameters

• Already installed by default in Non-Qubes-Whonix for a long time.
• Not on the horizon for Qubes-Whonix. Qubes VM kernel non-default issue.
• Qubes issues:
  • Simplify and promote using in-vm kernel · Issue #5212 · QubesOS/qubes-issues · GitHub
  • Kernel hardening - change default options · Issue #2045 · QubesOS/qubes-issues · GitHub
  • 2024 update: Kicksecure/Whonix security-misc boot time kernel parameters missing · Issue #9570 · QubesOS/qubes-issues · GitHub

Strong Linux User Account Separation / Protection against Bruteforcing Linux User Account Passwords

• Already default in Non-Qubes-Whonix.
• Might be fixeable in Qubes-Whonix
  • Qubes sudo / su / root Hardening - Development Discussion
• Qubes issues:
  • fix, forbid non-root users using 'su' by adrelanos · Pull Request #171 · QubesOS/qubes-core-agent-linux · GitHub
  • Automate vm sudo authorization setup · Issue #2695 · QubesOS/qubes-issues · GitHub
  • Package security-misc from Whonix to Qubes · Issue #1885 · QubesOS/qubes-issues · GitHub

apparmor-profile-everything (AAE) (AppArmor for everything. APT, systemd, init, all systemd units, all applications)

• In development.
• Proof of concept functional in Non-Qubes-Whonix.
• ~~ Using apparmor-profile-everything on Debian Buster ~~
• Broken in Qubes-Whonix.
• Only developed for Non-Qubes-Whonix by @madaidan.
• Nobody working on Qubes-Whonix support.
• github / forum discussion
• 2024 update: AAE is deprecated in Whonix. → new plan:

hardened-kernel (HK) patch and config

• In development.
• Proof of concept functional in Non-Qubes-Whonix.
• Broken in Qubes-Whonix.
• Only developed for Non-Qubes-Whonix by @madaidan.
• Nobody working on Qubes-Whonix support.
• github / forum discussion
• 2024 update: HK is deprecated in Whonix.

Please help fixing these issues!

My impression is that Simplify and promote using in-vm kernel · Issue #5212 · QubesOS/qubes-issues · GitHub will fix a lot of those issues, is that correct?

Yes.

Why can’t Qubes just use grub.d? Why would it require another kernel?

Because Qubes uses at this time by Qubes default a kernel supplied by dom0 (host). Not kernel supplied by VM. VM grub.d / grub.cfg is ignored by default. This might change in future as per ticket Simplify and promote using in-vm kernel · Issue #5212 · QubesOS/qubes-issues · GitHub.

Can we trust that the changes on the default kernel option will land some time soon?
Is there an alternative solution to this, like running the whonix gw and ws as HVMs (maybe?) to provide the security mechanisms?

Welcome to Whonix forums and thank you for your question!

No.

Unsupported.

Are there any updates on this?

No.

Hi all, is this topic up-to-date? I looked through what I could on Github. For instance, the first issue, it seems there is still some work to do, but hopefully recent developments will help resolve the issue. And it seems the workaround is to just write what you want to within a notepad and paste the contents into your browser (that ideally doesn’t have JS enabled).

Thanks for your time

Should there be any substantial updates, these will be notified in the linked tickets.