
441 points ploggingdev | 2 comments
snvzz No.15734641
Their weakest point is the hypervisor, Xen, which while a better choice than Linux/KVM, is still extremely bloated and has a poor security history.

Thankfully, better designs such as seL4's VMM do exist, although it might need a little more work [1] until usable for the purpose.

[1] https://sel4.systems/Info/Roadmap/

dijit No.15734676
Could you clarify "Better choice"?

I've been using KVM/Xen/VMware for some time and always enjoyed it. And since Amazon and Google especially are going all in on KVM, I'm surprised to hear that Xen is a better choice.

snvzz No.15734812
>Could you clarify "Better choice"?

KVM is, like VMware, a Type 2 hypervisor. [1]

Xen is a proper Type 1 hypervisor.

[1] https://microkerneldude.wordpress.com/2010/10/14/much-ado-ab...

theossuary No.15734912
Why is a type 1 hypervisor instantly considered more secure though? I'd assume using Linux, instead of rolling your own code to interface with hardware, would make you more secure?
snvzz No.15735096
In the Linux vs Xen example, the TCB is much bigger with Linux. The idea is to keep the TCB as small as possible, with an emphasis on restricting the code size that's actually running privileged.