Qubes OS

Kabuli Chana New Member Posts: 10
edited September 2017 in UP Board Linux
A note to the security conscious, UP^2 can be Qubed

I used Qubes OS 4.0 RC. I assume the current stable 3.2 would work as well, but I wanted the 4.9 kernel.

To get it installed I used fdisk to remove all partitions on the mmcblk0 device, and created an empty GPT partition. A boot issue needed to be resolved by changing the xen.cfg file option iommu to:

iommu=force

I'm using an n4200 flavour board.

Comments

  • eduncan911 Administrator, Moderator Posts: 157 admin
    edited September 2017
    Nice. I myself plan on installing Qubes on it as well.

    I was waiting for 4.0 RCs to mature a bit more first as I went through the 3.0 RCs a while back and lost some data during attempted restores of VMs (had to open and pull files out manually, and rebuild VMs - something I didn't want to do while on client site and wasted a lot of time).

    I am also waiting on an 8GB version of the UP^2, and even then I know it will be limited, as I have 8 GB on my tablet/hybrid and it is just barely livable with Qubes.

    3.x will not work on the UP boards, any flavor, because it requires Legacy BIOS. The UP boards are all UEFI.

    But nice to know the kernel they are using in Qubes 4.0 supports the Intel Apollo Lake chipset and eMMC device. A lot of other operating systems, e.g. BSD, don't fully support Intel Apollo Lake yet - like FreeBSD doesn't support eMMC 5.0 from Intel's chipset.

    Eric Duncan - UP Evangelist - My thoughts are of my own free will

    Answered? Please remember to mark the posted answered to highlight it for future visitors!

  • Kabuli Chana New Member Posts: 10
    The 4.0.RC1 is definitely rough around the edges, does not shut down nicely, and is probably not for the faint of heart. I'm still in poke and prod mode with this new board, will kick a few different OS's around, but I think Qubes 4.0 final is going to be usable on n4200/8GB, if the RC is any indication. The footprint on 8GB device appears usable, but of course is going to be dependent on use case.

    I did not try 3.2 version as I needed >= 4.6k due to the wifi I stuffed in the M.2, but according to release notes UEFI is supported starting with 3.1.

    On another note I have been searching for a board to stuff on the SATA port and noticed the one in your picture on the thread regarding the heat-sink issue. From the picture it appears to be not much taller than the NICs, so I assume would allow the use of the ABS case. I was not able to discern any pertinent information and was wondering if you could supply some information, or a link. TIA.
  • eduncan911 Administrator, Moderator Posts: 157 admin
    edited September 2017
    anomeome wrote:
    The 4.0.RC1 is definitely rough around the edges, does not shut down nicely, and is probably not for the faint of heart. I'm still in poke and prod mode with this new board, will kick a few different OS's around, but I think Qubes 4.0 final is going to be usable on n4200/8GB, if the RC is any indication. The footprint on 8GB device appears usable, but of course is going to be dependent on use case.

    Ultimately my plan is to run pfSense within a hypervisor like Xen, to have access to other VMs on this beefy little device - mainly for some Docker services I run.

    Though Qubes is based off of Xen, I see my Qubes installations as needing to be done on durable hardware (RAID), as there are so many custom configurations I run that I really dread having to set up a new Qubes installation after each upgrade. I've written a lot of scripts to help automate it; but, it always takes me far more time than I prefer. (I run i3wm, custom debian-VMs, and use pgp from custom vaults for both pgp and ssh)

    Windows is able to "RAID" two drives for an OS within it. It's actually been very stable on the servers I run it on, as opposed to onboard RAID in the BIOS (which I have had fail 2 times and lost everything!!). Xen doesn't exactly support that. :)

    I could try BIOS RAID again with the SATADOM I have and the UP^2's eMMC. That ought to be an interesting project.

    In the end, I'll most likely do ArchLinux w/Xen running pfSense and a lightweight Dom1 instance to give me Docker Swarm. That way if they do break into pfSense, the x86 exploits are limited within a virtualized BSD OS running on a Linux kernel.
    anomeome wrote:
    I did not try 3.2 version as I needed >= 4.6k due to the wifi I stuffed in the M.2, but according to release notes UEFI is supported starting with 3.1.
    I think I mentioned it in another thread - I've never gotten EFI to work on any device I have here, but I also think it is just Lenovo being Lenovo.

    Could have sworn I read where they said EFI was one of the new features of 4.0 though.
    anomeome wrote:
    On another note I have been searching for a board to stuff on the SATA port and noticed the one in your picture on the thread regarding the heat-sink issue. From the picture it appears to be not much taller than the NICs, so I assume would allow the use of the ABS case. I was not able to discern any pertinent information and was wondering if you could supply some information, or a link. TIA.
    Yep! I was wondering if people noticed it. :)

    Aaeon recorded a brief (funny) video of me and the board this weekend at Maker's Fair:

    https://up-community.org/forum/general-discussion-up2/1814-how-to-install,-other-then-ubuntu,-pfsense-freebsd#6413

    There's a small part where I talk about it.

    I also posted more details in that link in a reply.

    I'll be posting a Wiki and making a thread about it shortly when I have some time. I have very detailed photos of the entire process.

    In short, it's a Supermicro SATADOM module.

    And no, it doesn't fit the all-metal chassis - it's too tall.

    As for the plastic, I was going to try it next sometime this week. Worst case, I can dremel-out a slot for it. :)

    Eric Duncan - UP Evangelist - My thoughts are of my own free will
