Qvm-Create-Windows-Qube – Spin Up New Windows Qubes Quickly, Effortlessly And Securely
qvm-create-windows-qube is a tool for quickly and conveniently installing fresh new Windows qubes with Qubes Windows Tools (QWT) drivers automatically. It officially supports Windows 7, 8.1 and 10 as well as Windows Server 2008 R2, 2012 R2, 2016 and 2019.
The project emphasizes correctness, security and treating Windows as an untrusted guest operating system throughout the entire process. It also features other goodies such as automatic installation of packages including Firefox, Office 365, Notepad++, Visual Studio and more using Chocolatey.
Installation
Download the installation script by opening the link, right-clicking and then selecting “Save [Page] as…”
Copy install.sh into Dom0 by running the following command in Dom0:
Usage: ./qvm-create-windows-qube.sh [options] -i <iso> -a <answer file> <name>
  -h, --help
  -c, --count <number>            Number of Windows qubes with given basename desired
  -t, --template                  Make this qube a TemplateVM instead of a StandaloneVM
  -n, --netvm <qube>              NetVM for Windows to use
  -s, --seamless                  Enable seamless mode persistently across reboots
  -o, --optimize                  Optimize Windows by disabling unnecessary functionality for a qube
  -y, --spyless                   Configure Windows telemetry settings to respect privacy
  -w, --whonix                    Apply Whonix recommended settings for a Windows-Whonix-Workstation
  -p, --packages <packages>       Comma-separated list of packages to pre-install (see available packages at: https://chocolatey.org/packages)
  -i, --iso <file>                Windows media to automatically install and setup
  -a, --answer-file <xml file>    Settings for Windows installation
Downloading Windows ISO
The windows-media/isos/download-windows.sh script (in windows-mgmt) securely downloads the official Windows ISO to be used by qvm-create-windows-qube.
Creating Windows VM
Windows 10
./qvm-create-windows-qube.sh -n sys-firewall -oyp firefox,notepadplusplus,office365proplus -i win10x64.iso -a win10x64-pro.xml work-win10
./qvm-create-windows-qube.sh -n sys-firewall -oyp steam -i win10x64.iso -a win10x64-pro.xml game-console
Windows Server 2019
./qvm-create-windows-qube.sh -n sys-firewall -oy -i win2019-eval.iso -a win2019-datacenter-eval.xml fs-win2019
Windows 10 LTSC
A more stable, minified, secure and private version of Windows 10 officially provided by Microsoft
./qvm-create-windows-qube.sh -n sys-firewall -oyp firefox,notepadplusplus,office365proplus -i win10x64-ltsc-eval.iso -a win10x64-ltsc-eval.xml work-win10
./qvm-create-windows-qube.sh -n sys-whonix -oyw -i win10x64-ltsc-eval.iso -a win10x64-ltsc-eval.xml anon-win10
Windows 7
Not recommended, because Windows 7 is no longer supported by Microsoft; however, it is the only desktop OS the Qubes GUI driver (in Qubes Windows Tools) supports if seamless window integration or dynamic resizing is required
See the Security > Windows > Advisories section below for more info
./qvm-create-windows-qube.sh -n sys-firewall -soyp firefox,notepadplusplus,office365proplus -i win7x64-ultimate.iso -a win7x64-ultimate.xml work-win7
Security
qvm-create-windows-qube is “reasonably secure” as Qubes would have it.
windows-mgmt is air gapped
The entirety of the Windows qube setup process is done air gapped
There is an exception for installing packages at the very end of the Windows qube installation
An entire class of command injection vulnerabilities is eliminated in the Dom0 shell script by not letting it parse any output from the untrusted windows-mgmt qube
Only exit codes are passed by qvm-run; no variables
This also mitigates the fallout of another Shellshock Bash vulnerability
Downloading of the Windows ISOs is made secure by enforcing:
ISOs are downloaded straight from Microsoft controlled subdomains of microsoft.com
HTTPS TLS 1.2/1.3
HTTP public key pinning (HPKP) to whitelist the website’s certificate instead of relying on certificate authorities (CAs)
The impact of any theoretical vulnerabilities in handling of the Windows ISO (e.g. vulnerability in filesystem parsing) or answer file is limited to windows-mgmt
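The following is an added example, not the project's own script, of the Dom0-side rule described above: every step runs inside the untrusted windows-mgmt qube and Dom0 branches only on the exit status, never on the qube's output. It assumes qvm-run as the transport (held in QVM_RUN so the pattern can be exercised outside Dom0) and uses made-up step script names.

```bash
#!/bin/bash
# Added example (not the project's code): Dom0 drives the untrusted
# windows-mgmt qube and consumes ONLY exit statuses. Nothing the qube writes
# to stdout/stderr is captured, parsed or substituted into a Dom0 command.
#
# Assumptions: QVM_RUN is qvm-run (a variable so a stand-in can be used
# outside Dom0); the step script names below are constructed for illustration.

QVM_RUN=${QVM_RUN:-qvm-run}
MGMT_QUBE=${MGMT_QUBE:-windows-mgmt}

# Run a command inside the management qube. Without --pass-io qvm-run does not
# relay the command's output to Dom0, and local fds are discarded as well.
# The function's return value is the qube's exit status and nothing more.
run_in_qube() {
    qube=$1
    shift
    "$QVM_RUN" -q "$qube" "$*" >/dev/null 2>&1
}

# The UNSAFE shape that the rule above rules out, kept only as a comment:
#   vmname=$("$QVM_RUN" -p "$qube" "cat /tmp/name")   # qube controls $vmname
#   qvm-create $vmname ...                             # unquoted, Dom0-side
# A compromised qube would then influence what Dom0 executes.

# Orchestrate the build. Every decision is made on exit codes; the step
# scripts (constructed names) live in the qube, not in Dom0. Each failure
# maps to a distinct Dom0-chosen return code so callers can tell steps apart.
create_windows_qube() {
    qube=${1:-$MGMT_QUBE}
    run_in_qube "$qube" ./create-media.sh    || return 10
    run_in_qube "$qube" ./install-windows.sh || return 20
    run_in_qube "$qube" ./post-setup.sh      || return 30
    return 0
}
```

The only information crossing the qube boundary back into Dom0 is the numeric status, so a hostile qube can at most make a step report failure.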
Windows
Maintenance
Don’t forget to apply any applicable updates upon creation of your Windows qube. Microsoft frequently builds up-to-date ISOs for current versions of Windows, such as Windows 10. For these Windows versions, it’s recommended to periodically visit the official Microsoft site download-windows.sh provides to get a fresh Windows image out of the box.
Advisories
Windows 7 and Windows Server 2008 R2 reached end of life (EOL) on January 14, 2020. Updates for these OSs are still available with Extended Security Updates (ESUs) if paid for. Office 365 for these OSs will continue getting security updates at no additional cost until January 2023.
If RDP is to be enabled on a Windows 7 qube (not default) then make sure it is fully up-to-date because the latest Windows 7 ISO Microsoft offers is unfortunately still vulnerable to BlueKeep and related DejaBlue vulnerabilities.
A critical vulnerability in Windows 10 and Windows Server 2016/2019 cryptography was recently disclosed. This allows any and all cryptography in these OSs (including HTTPS; the little padlock in your browser) to be easily intercepted. When Microsoft releases an updated ISO, the direct links in download-windows.sh will be updated but until then please update your qubes if they run the aforementioned OSs.
Privacy
qvm-create-windows-qube aims to be the most private way to use Windows. Many Qubes users switched from Windows (or another proprietary OS) in part to get away from Microsoft (or Big Tech in general) and so being able to use Windows from a safe distance is of utmost importance to this project. Or at least, as safe a distance as possible for what is a huge, proprietary binary blob.
Windows Telemetry
Configures Windows telemetry settings to respect privacy.
Opt-out of Customer Experience Improvement Program (CEIP)
Disable Windows Error Reporting (WER)
Disable DiagTrack service
Switch off all telemetry in Windows 10 “Settings” application
Enable “Security” level of telemetry on compatible editions of Windows 10
See spyless.bat for more info
Whonix Recommendations for Windows-Whonix-Workstation
Everything mentioned here up to “Even more security” is implemented. “Most security” is to use an official Whonix-Workstation built yourself from source. This feature is not official or endorsed by Whonix.
It’s recommended to read this Whonix documentation to understand the implications of using Windows in this way.
Easy to Reset Fingerprint
There are countless unique identifiers present in every Windows installation such as the MachineGUID, installation ID, NTFS drive Volume Serial Numbers (VSNs) and more. With qvm-create-windows-qube, these unique identifiers can easily be reset by automatically reinstalling Windows.
Limitations
Fingerprinting is possible through the hypervisor in the event of VM compromise; here are some practical examples (not specific to Windows):
Generally some of the VM interfaces documented here (e.g. screen dimensions)
Contributing
You can start by giving this project a star! High quality PRs are also welcome! Take a look at the todo list below if you’re looking for things that need improvement. Other improvements such as more elegant ways of completing a task, code cleanup and other fixes are also welcome.
Lots of Windows-related GSoCs for those interested.
The logo of this project is by Max Andersen, used with written permission.
This project is the product of an independent effort that is not officially endorsed by Qubes OS.
Qubes Windows Tools Known Issues
Please send patches for these if you are able to. Although, be aware that Qubes Windows Tools is currently unmaintained.
Temporary fix: close the prepare-volume.exe window. This leaves the qube with no private disk (so it can't be made into a TemplateVM), but otherwise Windows qube creation continues as normal
Has been merged but QWT needs to be rebuilt to include it and there’s currently no maintainer
Mailing list threads
Windows tagged Qubes OS GitHub issues
Todo
End Goal
Have a feature similar (or superior) to VMWare’s Windows “Easy Install” feature on Qubes. VMWare’s solution is proprietary and only available in their paid products.