I’m happy to announce that today we’re releasing Qubes OS 3.2!
This is an incremental improvement over the 3.1 version that we released earlier this year. A lot of work went into making this release more polished, more stable and easier to use than our previous releases.
One major feature that we’ve improved upon in this release is our integrated management infrastructure, which was introduced in Qubes 3.1. Whereas before it was only possible to manage whole VMs, it is now possible to manage the insides of VMs as well.
The principal challenge we faced was how to allow such a tight integration of the management engine software (for which we use Salt) with potentially untrusted VMs without opening a large attack surface on the (complex) management code. We believe we found an elegant solution to this problem, which we’ve implemented in Qubes 3.2.
We now use this management functionality for basic system setup during installation, for preparing our automatic tests, and for applying various custom configurations. In the future, we envision a simple GUI application allowing users to download ready-to-use Salt recipes for setting up various things, for example:
- Pre-configured apps optimized to take advantage of Qubes’ compartmentalization, such as Thunderbird with Qubes Split GPG
- UI and system-wide customizations for specific use cases
- Corporate remote management and integration
These features are planned for the upcoming Qubes 4.x releases.
In Qubes 3.2, we’re also introducing USB passthrough, which allows one to assign individual USB devices, such as cameras, Bitcoin hardware wallets, and various FTDI devices, to AppVMs. This means that it’s now possible to use Skype and other video conferencing software on Qubes!
Qubes has supported the sandboxing of USB devices since the very beginning (2010), but the catch has always been that all the USB devices connected to the same USB controller had to be assigned to the same VM. This limitation was due to the underlying hardware architecture (specifically, PCIe and VT-d technologies).
We can now get around this limitation by using software backends. The price we pay for this, however, is increased attack surface on the backend, which is important in the event that several USB devices of different security contexts are connected to a single controller. Sadly, on laptops this is almost always the case. Another potential security problem is that USB virtualization does not prevent a potentially malicious USB device from attacking the VM to which it is connected.
These problems are not inherent to Qubes OS. In fact, they pose an even greater threat to traditional, monolithic operating systems. In the case of Qubes, it has at least been possible to isolate all USB devices from the user’s AppVMs. The new USB passthrough feature gives the user more fine-grained control over the management of USB devices while still maintaining this isolation. Nonetheless, it’s very important for users to realize that there are no “automagical” solutions to malicious USB problems. Users should plan their compartmentalization with this in mind.
We should also mention that Qubes has long supported the secure virtualization of a certain class of USB devices, specifically mass storage devices (such as flash drives and external hard drives) and, more recently, USB mice. Please note that it is always preferable to use these special, security-optimized protocols when available rather than generic USB passthrough.
Eye-candy-wise, we have switched from KDE to Xfce4 as the default desktop environment in dom0. The reasons for the switch are stability, performance, and aesthetics, as explained here. While we hope the new default desktop environment will provide a better experience for all users, Qubes 3.2 also supports KDE, awesome, and i3 window managers.
For other features and improvements, please see the release notes.
Existing users on Qubes 3.1 may choose to perform an in-place upgrade, though a clean installation is recommended. Users on any of the Qubes 3.2 release candidates can simply update their systems normally in order to be upgraded to the stable 3.2 release.
I’d like to thank the whole team for their work and engagement!