Qubes OS is incredible, here’s some tips and quick hacks for it

I can’t stop thinking about Qubes OS. I really feel like it’s the most interesting innovation in OS distributions in 20 years. In fact that’s what I tell everyone who will listen when I talk about it.

Explaining Computers did a very nice intro to the operating system, which is where I heard about it: https://www.youtube.com/watch?v=hWDvS_Mp6gc.

I just wanted to compile some tips and tricks I have encountered so far with Qubes:

Hardware Support (Ryzen 3000 series)

[Update: I tried out the Qubes 4.1 beta on several recent devices. If you want to potentially skip a lot of the headache mentioned below and are using newer hardware, check out that article first!]

Qubes OS is very finicky about hardware at least as of V4. Specifically on my AsRock A300 mini system with Ryzen 3rd-gen CPU, I had a real bear of a time just getting the OS to install. My solution was to install on a donor Intel machine with a USB-to-SATA adapter to skip having to mount the hard drive temporarily in the case.

Then I made the following changes to the install image, rather than having to build and install a custom ISO image for the install:

  • Use at least an 8GB USB stick for writing the Qubes install image.
  • Download and verify the md5sum of your image. Don’t skip this step. An image this big can easily get mangled during download and it will definitely cause random issues if it didn’t download properly. I had repeated failures installing the VM image rpms, and the problem just ended up being a bad download. So check the image with e.g.:
    $ md5sum Qubes-*-x86_64.iso
    Then compare the md5sum to the one on the website.
  • Write the image using etcher or dd, whatever you are comfortable with.
  • Create an extra partition to add the updated kernels to the drive:
    $ fdisk /dev/sdX
    Device Boot Start End Sectors Size Id Type
    /dev/xvdi1 * 0 9435135 9435136 4.5G 0 Empty
    /dev/xvdi2 1028 59495 58468 28.6M ef EFI (FAT-12/16/32)
    Command (m for help): n
    Partition type
    p primary (2 primary, 0 extended, 2 free)
    e extended (container for logical partitions)
    Select (default p): p
    Partition number (3,4, default 3): 3
    First sector (9435136-15482879, default 9435136): <enter>
    Last sector, +/-sectors or +/-size{K,M,G,T,P} (9435136-15482879, default 15482879): <enter>
    Created a new partition 3 of type 'Linux' and of size 2.9 GiB.
    Command (m for help): w
    The partition table has been altered.
    Calling ioctl() to re-read partition table.
    Syncing disks.
    $ sudo mke2fs -j /dev/sdX3
  • Mount your partition, either using the mount command, or eject and reinsert the drive if you use an auto-mounting program:
    $ sudo mount /dev/sdX3 /mnt
  • Download the newer kernels from the Qubes OS distribution:
    $ cd /mnt
    $ sudo mkdir qubes-updates
    $ cd qubes-updates/
    $ sudo wget https://mirrors.edge.kernel.org/qubes/repo/yum/r4.0/current-testing/dom0/fc25/rpm/kernel-latest-5.6.16-1.qubes.x86_64.rpm
    $ sudo wget https://mirrors.edge.kernel.org/qubes/repo/yum/r4.0/current-testing/dom0/fc25/rpm/kernel-latest-qubes-vm-5.6.16-1.qubes.x86_64.rpm
  • All done with that part! Now unmount the drive.
    $ cd ~ && sudo umount /mnt
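
The checksum step above, generalised as an added example (not code from the original post) so the same check covers the ISO and the two kernel RPMs copied onto the stick. An MD5 match catches a mangled download, which is the failure described above, but says nothing about who produced the file. The function names and the "digest  filename" manifest layout (the format md5sum/sha256sum print) are assumptions.

```shell
# Added example: compare a download against a digest copied from the project's site.
# Bodies run in a subshell, so "exit" only leaves the function.
verify_download() (
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' \t\r\n')
    [ -r "$file" ] || { echo "cannot read $file" >&2; exit 2; }
    # Pick the tool from the digest length in hex chars: 32=MD5, 64=SHA-256, 128=SHA-512.
    case ${#expected} in
        32)  tool=md5sum ;;
        64)  tool=sha256sum ;;
        128) tool=sha512sum ;;
        *)   echo "unrecognised digest length" >&2; exit 2 ;;
    esac
    case $expected in *[!0-9a-f]*) echo "digest is not hex" >&2; exit 2 ;; esac
    actual=$("$tool" < "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK ($tool): $file"
    else
        echo "MISMATCH ($tool): $file" >&2
        exit 1
    fi
)

# Check every "digest  filename" line of a manifest; non-zero if any entry fails.
verify_manifest() (
    manifest=$1; dir=${2:-.}; failed=0
    while read -r digest name; do
        case $digest in ''|'#'*) continue ;; esac
        # A leading "*" on the name only marks binary mode; strip it.
        verify_download "$dir/${name#\*}" "$digest" || failed=$((failed + 1))
    done < "$manifest"
    [ "$failed" -eq 0 ]
)
```

Run `verify_manifest` on the donor machine before unmounting the stick, with a manifest built from digests obtained separately from the files themselves.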

Now, attach your target hard drive/SSD to a system which will boot the OS, and run the installer using your USB thumb drive. Run through the installer, and when you get to the point where you would click the reboot option, instead hit Ctrl+Alt+F2 to get to a virtual console, and install the updated kernel files:

# mount /dev/sdX3 /mnt/sysimage/mnt
# chroot /mnt/sysimage
# cd /mnt/qubes-updates
# rpm -ivh --nodeps *

Then reboot and at the first boot, you should have the new 5.6.16-1 kernel to pick from. This kernel should work much better with more modern Ryzen processors.

Windows

The Qubes Windows drivers seem to be somewhat incompatible at present, and don’t work well in Windows 10. I found they weren’t particularly great in Windows 7 either, however, with some lock-ups and failing to show the display when booting up. For the moment, I would say that you should skip installing them, even if this means not having rootless mode and copy/paste between Qubes.

Without the drivers, installing Windows from ISO files or even physical media works great, and cloning the volumes to make backups or a master image for testing Windows software works really well.

Alt-key sticking and mousewheel issues

I use the Alt+number keys to switch virtual workspaces. I’ve noticed (but not yet found the root cause) that sometimes when you switch workspaces, the system will cause the Alt key to ‘stick’, i.e. it will act like it’s still pressed down even though it isn’t. This will cause issues like being unable to click links in Firefox, and causing the scroll wheel to navigate backwards and forwards instead of scrolling the page. Obviously once you touch and let go of Alt this will fix itself, but in the meantime this will cause you major annoyances.

To work around this issue in Firefox, you can click the URL bar and type about:config (and accept the scary warning), then set the mousewheel.with_alt.action value from its default value of 2 to 0 (just click on the value to set it).

You will also see issues where using the mouse wheel will scroll Workspaces even when your mouse is in a window. Since I never use this functionality anyway, I disabled this feature in the Qubes Menu by going to System Tools > Window Manager Tweaks, then unchecking “Use the mouse wheel on the desktop to switch workspaces”.

Copying files from VMs to dom0

Once you understand the security model of Qubes, you generally do not want to be copying files from random VMs to dom0. But in the real world you will need to do this at least occasionally. If nothing else, when you need to run a command it’s convenient to copy

The Qubes website has a lot of good information about how to do so, and why you shouldn’t do this regularly. But I’m lazy, and wrote a quick bash function in the style of the other qvm- commands to make this easy. Just add it to your .bashrc in dom0, and “source .bashrc”. Then feel like the deviant hax0r you are for being able to easily get files into your dom0 VM in a super insecure way.

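qvm-copy-from ()
{
    # Usage: qvm-copy-from <vm> <file>   (run in dom0)
    if [ $# -ne 2 ]; then
        echo "Format: qvm-copy-from <vm> <file>"
        return 1
    fi
    local VM=$1
    local FILE=$2
    local DESTFILE
    DESTFILE=$(basename -- "$FILE")
    mkdir -p ~/QubesIncoming/"$VM"
    # The path is interpreted by a shell inside the VM, so quote it for that shell.
    qvm-run --pass-io "$VM" "cat -- $(printf '%q' "$FILE")" > ~/QubesIncoming/"$VM"/"$DESTFILE"
}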

This will, in the tradition of how inter-VM copying is done, put the file in your QubesIncoming/vm-name directory. Salt to taste.
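
A stricter take on the function above, as an added example that is not the author's code: it validates the VM name, refuses to overwrite anything already in dom0, and enforces a size cap on the dom0 side instead of trusting the VM. The name `copy_from_vm_checked`, the `QVM_RUN` override and the 10 MiB default are assumptions made for illustration.

```shell
# Added example: dom0-side copy with basic guards.
# QVM_RUN is a hypothetical override (default: qvm-run) for trying this against a stub.
# The body runs in a subshell, so "exit" only leaves the function.
copy_from_vm_checked() (
    vm=$1; src=$2; max_bytes=${3:-10485760}    # assumed default cap: 10 MiB
    run=${QVM_RUN:-qvm-run}

    # The VM name becomes a directory name in dom0: allow a conservative set only.
    case $vm in
        ''|*[!A-Za-z0-9_-]*) echo "bad VM name" >&2; exit 2 ;;
    esac
    dest_name=$(basename -- "$src")
    case $dest_name in
        ''|.|..|/) echo "bad file name" >&2; exit 2 ;;
    esac

    dest_dir=$HOME/QubesIncoming/$vm
    dest=$dest_dir/$dest_name
    mkdir -p -- "$dest_dir" || exit 1
    # Never overwrite something already in dom0.
    [ -e "$dest" ] && { echo "refusing to overwrite $dest" >&2; exit 3; }

    # Single-quote the path for the VM's shell: each ' becomes '\''
    quoted=$(printf '%s' "$src" | sed "s/'/'\\\\''/g")
    tmp=$(mktemp "$dest_dir/.incoming.XXXXXX") || exit 1

    # Read at most max_bytes+1 bytes so an oversized stream is detected and dropped.
    "$run" --pass-io "$vm" "cat -- '$quoted'" | head -c "$((max_bytes + 1))" > "$tmp"
    size=$(($(wc -c < "$tmp")))
    if [ "$size" -eq 0 ] || [ "$size" -gt "$max_bytes" ]; then
        rm -f -- "$tmp"
        echo "nothing received, or more than $max_bytes bytes" >&2
        exit 4
    fi
    mv -- "$tmp" "$dest"
)
```

The file is staged under a temporary name and only renamed into place once it passes the size check, so a failed or oversized transfer leaves nothing behind in QubesIncoming.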

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.