Let's say hi to each other and talk about:
- Qubes Summit history
- What changed since the last event
- Event schedule and organization announcements
- Shout out to sponsors
This talk is a summary of the projects the Qubes team currently works on, and a rough roadmap for Qubes OS 4.2.
SecureDrop Workstation is a new and improved front-end for journalists using SecureDrop. It was built on top of Qubes OS and relies heavily on its features and security properties. In this talk, we'll introduce the system and discuss some lessons learned by treating Qubes OS as a framework for secure multi-VM applications.
In this talk, we will present the second generation of the Qubes OS builder.
This new builder leverages container or disposable qube isolation to perform every
stage of the build and release process. From fetching sources to building them,
everything is executed inside a "cage" (either a disposable or a container) with the
help of what we call an "executor." For every command that needs to perform an action
on sources, like cloning and verifying Git repos, rendering a SPEC file, generating
SRPM or Debian source packages, a new cage is used. The global architecture will
be presented, along with demonstrations of how to use this new build system.
Enterprises are usually a domain of Windows-only systems and users. We will present how Qubes could be tailored to meet the requirements of enterprises which rely on Windows, while at the same time providing a "reasonably secure system" based on Qubes. A key requirement is a system that is usable for users with ordinary Windows experience. Therefore, the key is the integration of a Windows VM within Qubes OS.
A brief overview of the current state of Qubes OS policy tools, the in-development graphical policy editor / configuration editor, the process of simplifying the complexities of policy configuration, and the design and implementation challenges involved.
GVM is a GPU Virtual Machine built by the OpenMdev Project for IOMMU-capable computers such as x86 and ARM.
Could Qubes OS replace its custom GUI isolation protocol with Wayland while
staying as performant and secure? With the advent of Wayland, many strides
have been made in the desktop Linux space, limiting the effects a malicious
application can have. Gone are the days of every application being able to
snoop every keypress! This presentation will dive into the differences
between X and Wayland, and why it makes for a great fit in isolating
operating systems like Qubes OS and Spectrum.
Qubes OS currently has poor support for audio and video capture. Audio capture works if used properly, but is easy to misuse and its latency is excessive. Video capture is not supported except via device pass-through, which raises serious security concerns. This talk is about replacing the legacy PulseAudio-based solution with a modern PipeWire-based one, and replacing camera pass-through with Qubes Video Companion.
Afterparty at Südblock (Admiralstr. 1-2, https://www.suedblock.org/)
- Day 2 event schedule and organization announcements
- Shout out to sponsors
NovaCustom has previously experienced a number of problems related to the proprietary firmware of its laptops. In this talk, we will present three cases in which Dasharo open-source, coreboot-based firmware has played an important role.
- The first case is about the desire for a modified fan curve.
- The second case study concerns an application where the customer asked whether it is possible to disable certain CPU options, which turned out to be necessary for audio production.
- The third case is about the implementation of a custom startup logo in the firmware.
In addition, there will be an explanation of the security aspects of the Dasharo firmware that NovaCustom has recently started using. Thanks to the growing active Dasharo community, the firmware can be increasingly optimised to the needs of our users.
Although Qubes OS already has a number of certified laptop models, their hardware is often quite old. There is a need for newer hardware that is fully compatible with Qubes OS, and this is where NovaCustom could play a role with certified hardware and firmware that is fully adapted to Qubes OS.
A talk about the experience of user support for Qubes at Nitrokey.
Let us attend to the past, present & future development of localizing the official Qubes OS Documentation.
There are very few desktop platforms that are user-controllable through
open-source firmware. Moreover, they haven't necessarily been tested with Qubes
OS. However, the recent initiative to port a modern Alder Lake desktop to coreboot
opened a new door for privacy and security respecting machine capable of running
In this presentation, a demo of Dasharo distribution compatible with Alder
Lake-S desktop MSI PRO Z690-A WIFI DDR4 running Qubes OS will be shown. The
presenter will also describe new updates to Dasharo firmware and challenges
awaiting in future development. The talk will also discuss how Dasharo plans to
meet the future Qubes certification requirements and how it approaches firmware
openness, based on the Dasharo Openness Score of the various supported platforms.
Following up on last year's presentation, deeplow presents the final work for his contribution proposal for an integrated onboarding tutorial for Qubes OS.
Qubes OS Anti Evil Maid (AEM) heavily depends on the availability of
Dynamic Root of Trust for Measurement (D-RTM) technologies to prevent Evil
Maid attacks. However, the project hasn't evolved much since the beginning
of 2018 and froze on the support of TPM 1.2 with Intel TXT in legacy boot mode
(BIOS). Because of that, the usage of this security software is effectively
limited to older Intel machines only. Some attempts were already made to
support AMD and TPM 2.0 by 3mdeb; however, the work suffered from a lack of
business justification and stopped at porting the AEM scripts to use TPM 2.0. But a
successful demo of AMD D-RTM with Qubes OS was shown at the Qubes OS
minisummit 2020. This year, the efforts are, as is now traditional, continued.
The presentation will describe the project plan of improving and extending the
Qubes OS AEM with TrenchBoot covering both Intel and AMD hardware, TPM 1.2
and 2.0. The goal is to unify the D-RTM early launch and Anti Evil Maid
software to secure the Qubes OS boot process for basically any hardware device
(as long as it supports the required technologies). The presenter will give a
detailed overview of the project phases and tasks to be fulfilled, as well as the
cost outline. At the end, a short demo of Qubes OS AEM with TrenchBoot on a Dell
OptiPlex 7010/9010 with Intel TXT and TPM 1.2 will be shown.
As the world is evermore consumed by detecting and preventing ransomware and other financially damaging attacks on systems and organizations, far too little attention has been paid to an attack surface common to every single vulnerability - firmware. It’s time for firmware to be open source and secure.
The presentation will compare performance between Dasharo and Vendor BIOSes
on Dasharo-supported platforms, in the context of QubesOS usage. I will attempt
to present the most significant differences that an end user will see when
installing Dasharo over the original proprietary firmware.
Let's summarize the event and think about what we can improve in the future.