Comment by fsflover
9 days ago
I'm not convinced that all of these are required for security. My Qubes OS desktop is probably more secure than any GrapheneOS phone, and it only requires good hardware virtualization for that.
> If the hardware is an open book then no.
So you choose security through obscurity. I have no further questions.
x86 virtualization isn't perfect at all
QubesOS certainly has some good things going for it with isolation, but the guest VMs which run traditional desktop OSes are generally much less secure than mobile OSes like Android OSes and iOS.
Iirc it's not even possible to run QubesOS on hardware that has proper verified boot or non-meaningless secureboot.
With regards to security through obscurity, the Pixel firmware isn't obfuscated at all. It's closed source but it's easy to decompile the code and inspect it. They don't try to obfuscate it to make that difficult.
> x86 virtualization isn't perfect at all
You cannot just say this without any links. Last escape from VT-d virtualization, which Qubes uses, was found in 2006 by the Qubes founder ("Blue Pill").
> Iirc it's not even possible to run QubesOS on hardware that has proper verified boot or non-meaningless secureboot.
You can run Qubes OS on something even better: Coreboot with Heads and with a hardware key. All based on FLOSS. Works for me.
> but the guest VMs which run traditional desktop OSes are generally much less secure than mobile OSes like Android OSes and iOS
First of all, you can in principle run any OS in Qubes VMs, including hardened ones. You can even disable the root account. Second, with such a statement, you misinterpret Qubes' approach to security. You isolate trusted workflows from untrusted ones, which gives you strong security. You never open anything untrusted in trusted VMs, so their internal security plays no big role.
If you choose an open platform with barely any hardware security measures then indeed, no questions from me either :)
Which security measures? I do have a TPM with Heads.
Let me list several of the more impactful.
- dedicated, certified security coprocessor (Titan M2) - on Pixel it's fused with verified boot, offers key storage, firmware isolation and anti-rollback.
- verified boot: mandatory and backed by Titan, immutable boot ROM. Almost all laptops lack as much as anti-rollback.
- strong hardware-backed key protection and actually isolated TEE. Yes, I know about Intel (SGX/TDX) and AMD (SEV/SME). Broken into many times over. How many commodity hardware devices offer comprehensive protections like Titan-backed TEE?
- secure hardware-backed disk encryption key derivation (with throttling of course)
- on-device attestation: complete verification of the entire chain. Dreaded Play Integrity or open AOSP / GrapheneOS hardware attestation. Which PC vendors can offer that? Perhaps Apple, but that's not a PC and you won't run Qubes on that?
- physical anti-tamper: which laptops wipe encryption keys stored in the secure hardware when you're trying to unlock the bootloader?
- physical memory tagging (see ARM MTE). Apple offers some but again, that's not for Qubes. Intel promises MKTME in the future.
- does your laptop disable all the unconnected ports whilst the laptop is broken? Does your pin/password verification happen inside TEE/TPM, not in the OS?
- modes similar to PXN/SMEP, SMAP/PAN (to stop these pesky wifi/gpu firmware from reading userspace memory). There's some support for SMEP and SMAP on Intel/AMD.
- microcode and firmware upgrades velocity
There are reasons GOS doesn't support any hardware other than pixels. Regrettably and thankfully that is about to change soon <3
Don't read me wrong, Qubes is brilliant and on SOME hardware (business grade laptops with TPM 2.0, verified firmware upgrade process with some protections and a proven track record with rapid hardware driver and firmware upgrades) -- sure, brilliant choice. For PCs.
But it's not even remotely close security-wise.
Best available would be probably Purism Libre (lacking TPM if I read it correctly, weak hardware but, oh well, pixel is not super fast either lol), or something with coreboot perhaps?
What's the safest and still useful laptop hardware you can think of? Let's compare with Pixel.