←back to thread

Qubes OS: A reasonably secure operating system

(www.qubes-os.org)
441 points ploggingdev | 5 comments | 19 Nov 17 16:06 UTC | HN request time: 0.453s | source
Show context
Jeaye ◴[19 Nov 17 17:12 UTC] No.15734704[source]
What I'd really love to see is a marriage between NixOS and Qubes, allowing for full-system declarative configuration, including the various systems which will be running under Qubes.

NixOS has containers that show how this could work, but they're only via systemd-nspawn, so not as jailed as Qube's domUs.

replies(3): >>15735026 #>>15735236 #>>15735329 #
1. akavel ◴[19 Nov 17 18:06 UTC] No.15735026[source]
Me, I'd like to see such a marriage between NixOS and GenodeOS (which provides capabilities management and has the advantage of using a microkernel as base, so much smaller attack surface, aka TSB, than Xen + Linux)

http://www.genode.org/about/index

replies(2): >>15735101 #>>15739616 #
2. Mathnerd314 ◴[19 Nov 17 18:25 UTC] No.15735101[source]
An abandoned attempt: https://github.com/ehmry/genode-nix
replies(1): >>15735497 #
3. akavel ◴[19 Nov 17 19:35 UTC] No.15735497[source]
IIUC, it didn't build the whole OS, it was more of a port of Nix, not whole NixOS, to Genode. But I may be wrong. As such, it could be seen as a step towards the goal. But I believe a different approach might be also possible: by starting from NixOS, and adding support for L4Linux (thus seL4 - bottom layer), then Genode On Linux (top layer), then somehow connecting the two.
4. ohpauleez ◴[20 Nov 17 13:07 UTC] No.15739616[source]
Genode now has its own package management system with the 17.05 and 17.08 releases, informed/inspired by the work from Genode/Nix (linked in the other comment).

This means you can run Genode on NOVA with VirtualBox 5 fully integrated as the VMM, all with the improved Noux/POSIX interop components in place, and have a decent package management solution (that handles API compatibilities, multiple version installs, src vs binary deps, packages, and more). There's also Xen support with the most recent release (for cloud appliance work with Genode)

What's more, based on the roadmap and challenges, they should be bringing VirtualBox5 support to the seL4 kernel, and they even have a goal for being the virtualization foundation of QubesOS. https://genode.org/about/challenges

With the recent toolchain update and new package management system, its easier than ever to cook up your own Genode-based systems.

replies(1): >>15758081 #
5. akavel ◴[22 Nov 17 16:31 UTC] No.15758081[source]
Interesting, thanks for the info! Though from the article about the system (https://genode.org/documentation/developer-resources/package...), it's not clear to me how to:

a) tweak compilation flags of libraries & apps

b) describe full set of runtime config files of an app

and thus build a single full configuration of a whole system, like in NixOS.

Hm; or can this maybe somehow be solved with the "run scripts" mentioned at the end of the article? I'm even less than a noob with regards to Genode, so I'm not sure about that.

Or does the package manager only provide Nix-like functionality, with no way for NixOS-like features?