Introducing Qubes OS Live USB edition (alpha/demo)
https://twitter.com/QubesOS/status/630761985647509506
https://groups.google.com/forum/?_escaped_fragment_=topic/qubes-users/IQdCEpkooto#!topic/qubes-users/IQdCEpkooto
https://twitter.com/QubesOS
https://twitter.com/rootkovska
https://en.wikipedia.org/wiki/Qubes_OS
https://www.qubes-os.org/
http://invisiblethingslab.com/itl/Welcome.html
http://blog.invisiblethings.org/
http://distrowatch.com/table.php?distribution=qubes
###
Joanna Rutkowska said on Aug 10, 2015:
"Hello,
We have built and uploaded the first ever working Qubes Live USB image! :)
It's based on the recently released 3.0-rc2 release. Now you should be able to
run and try Qubes OS of any laptop without needing to install it anywhere! And
perhaps run Qubes HCL reporting tool and send us some more data? [1]
We have faced several challenges when making this Live USB edition of Qubes OS,
which traditional Linux distro don't need to bother with:
1. We needed to ensure Xen is properly started when booting the stick. In fact
we still don't support UEFI boot for the sitck for this reason, even though the
Fedora liveusb creator we used does support it. Only legacy boot for this
version, sorry.
2. We discovered that the Fedora liveusb-create does _not_ verify signatures on
downloaded packages -- we have temporarily fixed that by creating a local repo,
verifying the signatures manually (ok, with a script ;) and then building from
there. Sigh.
3. We had to solve the problem of Qubes too easily triggering Out Of Memory
condition in Dom0 when running as Live OS.
This last problem has been a result of Qubes using the copy-on-write backing for
the VM's root filesystems, which is used to implement our cool Template-based
scheme [2]. Normally these are backed by regular files on disk -- even though
these files are discardable upon VM reboots, they must be preserved during the
VM's life span, and they can easily grow to a few tens of MBs per VM, sometimes
even more. Also, each of the VM's private image, which essentially holds just
the user home directory, typically starts with a few tens of MBs for an "empty
VM". Now, while these represent rather insignificant numbers on a disk-basked
system, in case of a LiveUSB scenarios all these files must be stored in RAM,
which is always a scare resource on any OS, and especially Qubes.
We have implemented some quick optimizations in order to minimize the above
problem, but this is still far from a proper solution. We're planning to work
more on this next.
Now, there are three directions in how we want to work further on this Qubes
Live USB variant:
1. Introduce easily clickable "install to disk" option, merging this with the
Qubes installation ISO. So, e.g. make it possible to first see if the given
hardware is compatible with Qubes (run the hcl reporting tool) and only then
install on the main disk. Also, ensure UEFI boot works well.
2. Introduce options for persistence while still running this out of a USB
stick. This would be achieved by allowing (select) VMs' private images to be
stored on the r/w partition (or on another stick).
2a. A nice variant of this persistence option, especially for frequent
travellers, I think, would be to augment our backup tools so that it was
possible to create a LiveUSB-hosted backups of select VMs. One could then pick a
few of their VMs, necessary for a specific travel, back them to a LiveUSB stick,
and take this stick when traveling to a hostile country (not risking taking
other, more sensitive ones for the travel). This should make life a bit simpler
for some ... [3]
3. Introduce more useful preconfigured VMs setup, especially including
Whonix/Tor VMs.
[1] https://www.qubes-os.org/doc/HCL/
[2] https://www.qubes-os.org/doc/SoftwareUpdateVM/
[3] https://twitter.com/rootkovska/status/541980196849872896
Current limitations
- --------------------
0. It's considered an alpha currently, so meter your expectations
accordingly...
1. Currently just the 3 exemplary VMs (untrusted, personal, work), plus the
default net and firewall VMs are created automatically,
2. The user has an option to manually (i.e. via command line) create an
additional partition, e.g. for storing GPG keyring, and then mounting it to a
select VMs. This is to add poor-man's persistence. We will be working on
improving/automating that, of course,
3. Currently there is no option of "install to disk". We will be adding this
in the future,
4. The amount of "disk" space is limited by the amount of RAM the laptop
has. This has a side effect of e.g. not being able to restore (even few) VMs
from a large Qubes backup blob,
5. It's ease to generate Out Of Memory (OOM) in Dom0 rather easily by creating
lots of VMs are writing a lot into the VMs filesystem... (Alpha, right?)
6. There is no DispVM savefile, so if one starts one the savefile must be
regenerated which takes about 1-2 mins.
7. UEFI boot doesn't work, and if you try booting it via UEFI Xen will not be
started, rendering the whole experiment unusable.
We're planning to release an updated version sometime in September.
Download and burning
- ---------------------
Get the ISO (and its signature for verification):
http://ftp.qubes-os.org/iso/Qubes-R3.0-rc2-x86_64-LIVE.iso
http://ftp.qubes-os.org/iso/Qubes-R3.0-rc2-x86_64-LIVE.iso.asc
Then "burn" onto a USB stick (replace /dev/sdX with your USB stick device):
$ sudo dd if=Qubes-R3.0-rc2-x86_64-LIVE.iso of=/dev/sdX
Note that you should specify the whole device, (e.g. /dev/sdc, not a single
partition, e.g. /dev/sdc1).
And, please, please, make sure to use caution and not overwrite your HDD or
other important device. And in case you do, please, please, do not email
qubes-users complaining about ;P
Happy Live-Qubesing! ;)
joanna.
###
"Qubes is an open-source operating system designed to provide strong security for desktop computing using Security by Compartmentalization approach. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and utilize most of the Linux drivers. Qubes Release 1 was released in September 2012 and Release 2 in September 2014. Qubes also supports Windows-based AppVMs beginning with Release 2 (currently in “Betaâ€). Qubes Release 3 is coming soon and will introduce Hypervisor Abstraction Layer (HAL), allowing easy porting to alternative virtualization systems."
https://groups.google.com/forum/?_escaped_fragment_=topic/qubes-users/IQdCEpkooto#!topic/qubes-users/IQdCEpkooto
https://twitter.com/QubesOS
https://twitter.com/rootkovska
https://en.wikipedia.org/wiki/Qubes_OS
https://www.qubes-os.org/
http://invisiblethingslab.com/itl/Welcome.html
http://blog.invisiblethings.org/
http://distrowatch.com/table.php?distribution=qubes
###
Joanna Rutkowska said on Aug 10, 2015:
"Hello,
We have built and uploaded the first ever working Qubes Live USB image! :)
It's based on the recently released 3.0-rc2 release. Now you should be able to
run and try Qubes OS of any laptop without needing to install it anywhere! And
perhaps run Qubes HCL reporting tool and send us some more data? [1]
We have faced several challenges when making this Live USB edition of Qubes OS,
which traditional Linux distro don't need to bother with:
1. We needed to ensure Xen is properly started when booting the stick. In fact
we still don't support UEFI boot for the sitck for this reason, even though the
Fedora liveusb creator we used does support it. Only legacy boot for this
version, sorry.
2. We discovered that the Fedora liveusb-create does _not_ verify signatures on
downloaded packages -- we have temporarily fixed that by creating a local repo,
verifying the signatures manually (ok, with a script ;) and then building from
there. Sigh.
3. We had to solve the problem of Qubes too easily triggering Out Of Memory
condition in Dom0 when running as Live OS.
This last problem has been a result of Qubes using the copy-on-write backing for
the VM's root filesystems, which is used to implement our cool Template-based
scheme [2]. Normally these are backed by regular files on disk -- even though
these files are discardable upon VM reboots, they must be preserved during the
VM's life span, and they can easily grow to a few tens of MBs per VM, sometimes
even more. Also, each of the VM's private image, which essentially holds just
the user home directory, typically starts with a few tens of MBs for an "empty
VM". Now, while these represent rather insignificant numbers on a disk-basked
system, in case of a LiveUSB scenarios all these files must be stored in RAM,
which is always a scare resource on any OS, and especially Qubes.
We have implemented some quick optimizations in order to minimize the above
problem, but this is still far from a proper solution. We're planning to work
Now, there are three directions in how we want to work further on this Qubes
Live USB variant:
1. Introduce easily clickable "install to disk" option, merging this with the
Qubes installation ISO. So, e.g. make it possible to first see if the given
hardware is compatible with Qubes (run the hcl reporting tool) and only then
install on the main disk. Also, ensure UEFI boot works well.
2. Introduce options for persistence while still running this out of a USB
stick. This would be achieved by allowing (select) VMs' private images to be
stored on the r/w partition (or on another stick).
2a. A nice variant of this persistence option, especially for frequent
travellers, I think, would be to augment our backup tools so that it was
possible to create a LiveUSB-hosted backups of select VMs. One could then pick a
few of their VMs, necessary for a specific travel, back them to a LiveUSB stick,
and take this stick when traveling to a hostile country (not risking taking
other, more sensitive ones for the travel). This should make life a bit simpler
for some ... [3]
3. Introduce more useful preconfigured VMs setup, especially including
Whonix/Tor VMs.
[1] https://www.qubes-os.org/doc/HCL/
[2] https://www.qubes-os.org/doc/SoftwareUpdateVM/
[3] https://twitter.com/rootkovska/status/541980196849872896
Current limitations
- --------------------
0. It's considered an alpha currently, so meter your expectations
accordingly...
1. Currently just the 3 exemplary VMs (untrusted, personal, work), plus the
default net and firewall VMs are created automatically,
2. The user has an option to manually (i.e. via command line) create an
additional partition, e.g. for storing GPG keyring, and then mounting it to a
select VMs. This is to add poor-man's persistence. We will be working on
improving/automating that, of course,
3. Currently there is no option of "install to disk". We will be adding this
in the future,
4. The amount of "disk" space is limited by the amount of RAM the laptop
has. This has a side effect of e.g. not being able to restore (even few) VMs
from a large Qubes backup blob,
5. It's ease to generate Out Of Memory (OOM) in Dom0 rather easily by creating
lots of VMs are writing a lot into the VMs filesystem... (Alpha, right?)
6. There is no DispVM savefile, so if one starts one the savefile must be
regenerated which takes about 1-2 mins.
7. UEFI boot doesn't work, and if you try booting it via UEFI Xen will not be
started, rendering the whole experiment unusable.
We're planning to release an updated version sometime in September.
Download and burning
- ---------------------
Get the ISO (and its signature for verification):
http://ftp.qubes-os.org/iso/Qubes-R3.0-rc2-x86_64-LIVE.iso
http://ftp.qubes-os.org/iso/Qubes-R3.0-rc2-x86_64-LIVE.iso.asc
Then "burn" onto a USB stick (replace /dev/sdX with your USB stick device):
$ sudo dd if=Qubes-R3.0-rc2-x86_64-LIVE.iso of=/dev/sdX
Note that you should specify the whole device, (e.g. /dev/sdc, not a single
partition, e.g. /dev/sdc1).
And, please, please, make sure to use caution and not overwrite your HDD or
other important device. And in case you do, please, please, do not email
qubes-users complaining about ;P
Happy Live-Qubesing! ;)
joanna.
###
"Qubes is an open-source operating system designed to provide strong security for desktop computing using Security by Compartmentalization approach. Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and utilize most of the Linux drivers. Qubes Release 1 was released in September 2012 and Release 2 in September 2014. Qubes also supports Windows-based AppVMs beginning with Release 2 (currently in “Betaâ€). Qubes Release 3 is coming soon and will introduce Hypervisor Abstraction Layer (HAL), allowing easy porting to alternative virtualization systems."