Qvm-Create-Windows-Qube : Spin Up New Windows Qubes Quickly, Effortlessly And Securely

qvm-create-windows-qube is a tool for quickly and conveniently installing fresh new Windows qubes with Qubes Windows Tools (QWT) drivers automatically. It officially supports Windows 7, 8.1 and 10 as well as Windows Server 2008 R2, 2012 R2, 2016 and 2019.

The project emphasizes correctness, security and treating Windows as an untrusted guest operating system throughout the entire process. It also features other goodies such as automatic installation of packages including Firefox, Office 365, Notepad++, Visual Studio and more using Chocolatey.

Installation

• Download the installation script by opening the link, right-clicking and then selecting “Save [Page] as…”
• Copy install.sh into Dom0 by running the following command in Dom0:
  • qvm-run -p --filter-escape-chars --no-color-output <qube_script_is_located_on> "cat '/home/user/Downloads/install.sh'" > install.sh
• Review the code of install.sh to ensure its integrity
  • Safer with escape character filtering enabled above; qvm-run disables it by default when output is a file
• Run chmod +x install.sh && ./install.sh
  • Note that this will install packages in the global default TemplateVM, which is fedora-XX by default
• Review the code of the resulting qvm-create-windows-qube.sh

A more streamlined and secure installation process with packaging will be shipping with Qubes R4.1.

Usage

Usage: ./qvm-create-windows-qube.sh [options] -i -a
-h, –help
-c, –count Number of Windows qubes with given basename desired
-t, –template Make this qube a TemplateVM instead of a StandaloneVM
-n, –netvm NetVM for Windows to use
-s, –seamless Enable seamless mode persistently across reboots
-o, –optimize Optimize Windows by disabling unnecessary functionality for a qube
-y, –spyless Configure Windows telemetry settings to respect privacy
-w, –whonix Apply Whonix recommended settings for a Windows-Whonix-Workstation
-p, –packages Comma-separated list of packages to pre-install (see available packages at: https://chocolatey.org/packages)
-i, –iso Windows media to automatically install and setup
-a, –answer-file Settings for Windows installation

Downloading Windows ISO

The windows-media/isos/download-windows.sh script (in windows-mgmt) securely downloads the official Windows ISO to be used by qvm-create-windows-qube.

Creating Windows VM

Windows 10

./qvm-create-windows-qube.sh -n sys-firewall -oyp firefox,notepadplusplus,office365proplus -i win10x64.iso -a win10x64-pro.xml work-win10

./qvm-create-windows-qube.sh -n sys-firewall -oyp steam -i win10x64.iso -a win10x64-pro.xml game-console

Windows Server 2019

./qvm-create-windows-qube.sh -n sys-firewall -oy -i win2019-eval.iso -a win2019-datacenter-eval.xml fs-win2019

Windows 10 LTSC

• A more stable, minified, secure and private version of Windows 10 officially provided by Microsoft

./qvm-create-windows-qube.sh -n sys-firewall -oyp firefox,notepadplusplus,office365proplus -i win10x64-ltsc-eval.iso -a win10x64-ltsc-eval.xml work-win10

./qvm-create-windows-qube.sh -n sys-whonix -oyw -i win10x64-ltsc-eval.iso -a win10x64-ltsc-eval.xml anon-win10

Windows 7

• Not recommended because Windows 7 is no longer supported by Microsoft, however, it’s the only desktop OS the Qubes GUI driver (in Qubes Windows Tools) supports if seamless window integration or dynamic resizing is required
• See the Security > Windows > Advisories section below for more info

./qvm-create-windows-qube.sh -n sys-firewall -soyp firefox,notepadplusplus,office365proplus -i win7x64-ultimate.iso -a win7x64-ultimate.xml work-win7

Security

qvm-create-windows-qube is “reasonably secure” as Qubes would have it.

• windows-mgmt is air gapped
• The entirety of the Windows qube setup process happens is done air gapped
  • There is an exception for installing packages at the very end of the Windows qube installation
• Entire class of command injection vulnerabilities eliminated in the Dom0 shell script by not letting it parse any output from the untrusted windows-mgmt qube
  • Only exit codes are passed by qvm-run; no variables
  • This also mitigates the fallout of another Shellshock Bash vulnerability
• Downloading of the Windows ISOs is made secure by enforcing:
  • ISOs are downloaded straight from Microsoft controlled subdomains of microsoft.com
  • HTTPS TLS 1.2/1.3
  • HTTP public key pinning (HPKP) to whitelist the website’s certificate instead of relying on certificate authorities (CAs)
    • Qubes aims to “distrust the infrastructure”
    • Remember, transport security = encryption * authentication (This allows for the utmost authentication)
  • SHA-256 verification of the files after download
• Windows is treated as an untrusted guest operating system the entire way through
• All commits by the maintainers are always signed with their respective PGP keys
  • Should signing ever cease, assume compromise
  • Current maintainer 1: Elliot Killick
    • PGP key: 018F B9DE 6DFA 13FB 18FB 5552 F9B9 0D44 F83D D5F2
  • Current maintainer 2: Frédéric Pierret (No Keybase account)
    • PGP key: 9FA6 4B92 F95E 706B F28E 2CA6 4840 10B5 CDC5 76E2
    • Mostly concerned with Qubes R4.1 support
      • See the release4.1 branch and qubes-mgmt-salt-windows-mgmt
• The impact of any theoretical vulnerabilities in handling of the Windows ISO (e.g. vulnerability in filesystem parsing) or answer file is limited to windows-mgmt