
Virtualization Platform Security

From Whonix



Type 1 vs Type 2 Hypervisors

Info: Do not install Qubes inside a virtual machine. Qubes uses its own bare-metal hypervisor (Xen) and expects to run directly on the hardware. [1]

According to qubes-os.org: [2]

Not all virtual machine software is equal when it comes to security. You may have used or heard of VMs in relation to software like VirtualBox or VMware Workstation. These are known as “Type 2” or “hosted” hypervisors. (The hypervisor is the software, firmware, or hardware that creates and runs virtual machines.) These programs are popular because they’re designed primarily to be easy to use and run under popular OSes like Windows (which is called the host OS, since it “hosts” the VMs). However, the fact that Type 2 hypervisors run under the host OS means that they’re really only as secure as the host OS itself. If the host OS is ever compromised, then any VMs it hosts are also effectively compromised. By contrast, Qubes uses a “Type 1” or “bare metal” hypervisor called Xen. Instead of running inside an OS, Type 1 hypervisors run directly on the “bare metal” of the hardware. This means that an attacker must be capable of subverting the hypervisor itself in order to compromise the entire system, which is vastly more difficult.

The take-home message is that Qubes-Whonix ™ is more secure than the default Whonix ™ configuration, which runs under a Type 2 hypervisor such as VirtualBox on top of an ordinary host OS. It is therefore recommended to install Qubes-Whonix ™ if suitably modern hardware is available.

Qubes-Whonix ™ vs Physically-Isolated Non-Qubes-Whonix

In Non-Qubes-Whonix ™, using a separate computer for Physical Isolation is certainly more secure than running everything on one computer in the standard host OS / Type 2 hypervisor configuration. However, it is not clear that this is superior to Qubes' compartmentalized software approach.

Consider the pros and cons of physical isolation relative to Qubes: [2]

Pros

  • Physical separation doesn’t rely on a hypervisor. (It’s very unlikely that an attacker will break out of Qubes’ hypervisor, but if one were to manage to do so, one could potentially gain control over the entire system).
  • Physical separation can be a natural complement to physical security. (For example, you might find it natural to lock your secure laptop in a safe when you take your unsecure laptop out with you).

Cons

  • Physical separation can be cumbersome and expensive, since we may have to obtain and set up a separate physical machine for each security level we need.
  • There’s generally no secure way to transfer data between physically separate computers running conventional OSes. (Qubes has a secure inter-VM file transfer system to handle this).
  • Physically separate computers running conventional OSes are still independently vulnerable to most conventional attacks due to their monolithic nature.
  • Malware which can bridge air gaps has existed for several years now and is becoming increasingly common.

In summary, physical isolation does not necessarily provide more protection than Qubes' approach. Physical isolation is relatively difficult, still experimental, inconvenient and requires a significant time investment. Qubes, on the other hand, is relatively easy to install, has fully integrated Whonix ™, and is convenient for most activities.

Qubes also supports a host of features unavailable in the physically-isolated model, such as: DisposableVMs, a USB VM, secure copy / paste operations between VMs, secure copying and transfers of files between VMs, and sanitization of PDFs and images.

For these reasons, Qubes-Whonix ™ is recommended for the majority of users seeking a higher-security solution.

Qubes-Whonix ™ Hardware Requirements

For Qubes-Whonix ™ hardware requirements, see here.

VirtualBox Hardening

For an overview of VM security risks in general, see: How secure are Virtual Machines really?

The fewer features enabled, the smaller the attack surface exposed to the guest. The following features can be removed or disabled without impacting core functionality:

  • Disable Audio.
  • Do not enable Shared Folders.
  • Do not enable video acceleration.
  • Do not enable 3D acceleration. [3] [4]
  • Do not enable the Serial Port.
  • Remove the Floppy drive.
  • Remove the CD/DVD drive.
  • Do not enable the Remote Display server.
  • Enable PAE/NX (NX lets the guest kernel mark data pages non-executable, a security feature).
  • Disable Advanced Configuration and Power Interface (ACPI). [5]
  • Do not attach USB devices.
  • Disable the USB controller, which is enabled by default. Set the Pointing Device to "PS/2 Mouse" first; the default "USB Tablet" pointing device depends on the USB controller, so the change reverts while it is selected.

It is unclear whether enabling IO APIC or EFI provides additional protection; further investigation is required.
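The list above is applied by hand in the VirtualBox GUI, so it is easy to miss an item or have one silently revert. The following script is an added example (not Whonix or VirtualBox project code) that audits a VM against that list by reading the output of `VBoxManage showvminfo "<vm name>" --machinereadable`. It assumes the key names of that dump format as found in VirtualBox 6.x (`audio`, `accelerate3d`, `accelerate2dvideo`, `vrde`, `pae`, `acpi`, `usb`, `uart1`, `SharedFolderNameMachineMapping*`, `storagecontrollername*`, and `"emptydrive"` for an empty CD/DVD slot); verify them against a dump from your own version before relying on the result. The two sample dumps embedded in the script are constructed, not captured from a real machine.

```shell
#!/bin/sh
# audit_vbox.sh: check a VirtualBox VM's settings against the hardening list.
# Usage with a real VM:  VBoxManage showvminfo "vmname" --machinereadable > dump.txt
#                        sh audit_vbox.sh   (then call: audit_vbox_hardening dump.txt)
# Assumption: key names follow the VirtualBox 6.x --machinereadable format.

# get_key FILE KEY: print KEY's value with surrounding quotes stripped, or nothing.
get_key() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | head -n 1
}

# expect FILE KEY WANT LABEL: report one on/off style check; return 1 on mismatch.
expect() {
    got=$(get_key "$1" "$2")
    if [ "$got" = "$3" ]; then
        printf 'ok    %-24s (%s=%s)\n' "$4" "$2" "$got"
        return 0
    fi
    printf 'FAIL  %-24s (%s=%s, want %s)\n' "$4" "$2" "${got:-unset}" "$3"
    return 1
}

# flag FILE PATTERN LABEL: fail if any line matches PATTERN (grep basic regex).
flag() {
    if grep -q "$2" "$1"; then
        printf 'FAIL  %-24s (matched %s)\n' "$3" "$2"
        return 1
    fi
    printf 'ok    %-24s\n' "$3"
    return 0
}

# audit_vbox_hardening FILE: run every check; return the number of failed checks.
audit_vbox_hardening() {
    f=$1; n=0
    expect "$f" audio             none "audio disabled"          || n=$((n+1))
    expect "$f" accelerate3d      off  "3D acceleration off"     || n=$((n+1))
    expect "$f" accelerate2dvideo off  "video acceleration off"  || n=$((n+1))
    expect "$f" vrde              off  "remote display off"      || n=$((n+1))
    expect "$f" pae               on   "PAE/NX enabled"          || n=$((n+1))
    expect "$f" acpi              off  "ACPI disabled"           || n=$((n+1))
    expect "$f" usb               off  "USB controller disabled" || n=$((n+1))
    expect "$f" uart1             off  "serial port off"         || n=$((n+1))
    # Shared folders and removable drives show up as extra keys, not on/off flags.
    flag "$f" '^SharedFolderNameMachineMapping'       "no shared folders"    || n=$((n+1))
    flag "$f" '^storagecontrollername[0-9]*="Floppy"' "no floppy controller" || n=$((n+1))
    flag "$f" '="emptydrive"$'                        "no CD/DVD drive"      || n=$((n+1))
    return "$n"
}

# audit_string DUMP_TEXT: audit an in-memory dump; return the failure count.
audit_string() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    rc=0
    audit_vbox_hardening "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed dump resembling a freshly created Debian VM (not a real capture).
SAMPLE_DEFAULT='name="test-vm"
ostype="Debian_64"
pae="on"
acpi="on"
audio="pulse"
accelerate3d="off"
accelerate2dvideo="off"
vrde="off"
usb="on"
uart1="off"
storagecontrollername0="IDE"
storagecontrollername1="Floppy"
"IDE-1-0"="emptydrive"
SharedFolderNameMachineMapping1="share"'

# Constructed dump of the same VM after applying the list above.
SAMPLE_HARDENED='name="test-vm"
ostype="Debian_64"
pae="on"
acpi="off"
audio="none"
accelerate3d="off"
accelerate2dvideo="off"
vrde="off"
usb="off"
uart1="off"
storagecontrollername0="IDE"
"IDE-1-0"="none"'

demo() {
    printf '== default VM ==\n';  audit_string "$SAMPLE_DEFAULT"  || printf '%d check(s) failed\n' "$?"
    printf '== hardened VM ==\n'; audit_string "$SAMPLE_HARDENED" || printf '%d check(s) failed\n' "$?"
    return 0
}
demo
```

Against the constructed default dump the audit reports six failures (audio, ACPI, USB controller, shared folder, floppy controller, CD/DVD drive); the hardened dump passes every check. The on/off items correspond to `VBoxManage modifyvm <vm>` options such as `--accelerate3d off`, `--vrde off`, `--pae on`, `--acpi off` and `--mouse ps2`; the audio and USB option names changed between VirtualBox major versions, so check `VBoxManage modifyvm` in the manual for your release. Note that this checks the stored configuration only; re-run it after the VM has been powered off, since a guest-visible feature that was toggled while running may not have been saved.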

Footnotes

  1. https://www.qubes-os.org/doc/system-requirements/
  2. https://www.qubes-os.org/intro/
  3. Quoted from http://www.virtualbox.org/manual/ch04.html#guestadd-3d

    Untrusted guest systems should not be allowed to use VirtualBox's 3D acceleration features, just as untrusted host software should not be allowed to use 3D acceleration. Drivers for 3D hardware are generally too complex to be made properly secure and any software which is allowed to access them may be able to compromise the operating system running them. In addition, enabling 3D acceleration gives the guest direct access to a large body of additional program code in the VirtualBox host process which it might conceivably be able to use to crash the virtual machine.

  4. Quoted from https://hsmr.cc/palinopsia/

    If the "3D-Acceleration" feature of VirtualBox is activated, running the proof-of-concept code from inside the VM provides the ability to read framebuffers from the host system.

  5. ACPI information is passed to the guest OS by default, which allows it to obtain battery status and manufacturer information.

