After tinkering a bit with the nvidia drivers I noticed that the software Qubes ships as stable is slightly out of date. To be honest, Fedora 23 is EOL since a year now, so I decided to do some updating and the unbelievable miracle happened: nouveau drivers started to get alive – so removing nvidia binary blobs again and I could finally start poking around in the system.
So far things went great until I wanted to replace the template of Fedora 23 with something, let’s say ‘more recent’ to achieve at least some basic security inside my ‘qubes’ and of course, things went wrong (as f*.) due to me being curious about the second screen which killed my downloads due to X11 crashing. So to say, I’m sitting here on a different machine downloading the new template from ITL until things are finished.
But I have to admit, I find the idea of Qubes OS quite interesting, running a bunch of VMs as long as you trust Xen – but due to the lack of connectivity between the VMs, this is where safety comes from – it’s sometimes a bit tricky to do the things you used to. Luckily there are some ‘magic helpers’ allowing you to copy and paste stuff from one VM to another.
On the other hand, I find it quite disturbing to sacrifice quite some performance to the virtual machine stack, as it’s about three VMs for a simple task like reading a website: A network connectivity VM, a Firewall VM and the VM running the browser.
Another downside seems to be the audio stack, which gets passed through some stack too, adding a bunch of layers to it, if you do not use an additional soundcard which you’re passing through the actual VM.
In the end, I think tinkering around with Qubes OS it’s like you have to think different: You’re running a network in a box. In other words, its security gain – which is really a great deal – has a huge maintenance trade-off: You have to keep all of your VMs in shape to play on the safe side. Of course, it’s hard for an attacker to hop into the next VM you may say: but why making it easier for them by leaving gaps open?