QubesOS first impression notes

May 2020

QubesOS 4.0.3 on ThinkPad T480 (quad-core i5-8250U, 32GB RAM)

tl;dr some inconveniences by design, some rough edges that can be improved, but security/separation features win big time.

Official documentation is good and useful (covers all immediate questions).

Some people will find the default desktop UI dated, but I used the Xfce GUI for a long time and it didn’t bother me.

One-time issues

The USB-C portable SSD which I used as a backup for all my files didn’t work (panic!); a simple patch fixed it. Writing a patch in the first 10 minutes of usage - the Linux way.

The default stable kernel (4.19) is too old, but the one in testing (5.5) conveniently had the WireGuard module backported, so I didn’t need to go through building kernel modules.

Setting up multiple keyboard layouts required some jumping through hoops, but it looks like this is being worked on.

Performance is generally okay, but definitely feels more sluggish when there is I/O or CPU activity. Hyperthreading is also disabled by default (because of Spectre/Meltdown/etc.) - newer Xen versions are expected to handle this better.

Need to investigate video performance - noticed higher CPU usage (but playback is smooth).

Everyday annoyances

Customization is annoying - for an AppVM it requires restarting both the TemplateVM and the AppVMs, and for all StandaloneVMs it requires copying config files. I understand the more high-tech solution is to use Salt or some other way of syncing configs, but I haven’t looked into that yet.

Copy-paste between VMs is quite annoying (maybe I should reduce the number of VMs).

The mouse cursor doesn’t change shape inside VM windows - quite inconvenient for resizing/moving delimiters, hopefully will be fixed.

To be fixed

I miss the xmonad window manager, but there is a fork for Qubes, will try it later. Meanwhile surviving by configuring Xfce with 10 workspaces and similar keybindings.

Couldn’t make sound play through the external USB-C dock audio jack (even though the device is visible in PulseAudio) on the first try.

UTF-8 is intentionally disabled in window titles (shows as underscores) by default.

The screenshot tool saves to dom0, but I actually never need a screenshot of the desktop, only per-window; will need to see how to integrate maim.

(super minor) For some reason Alt-LClick doesn’t work in Chromium (to “mark unread” in Slack), probably some Xorg/XKB misconfiguration?

Good stuff

The USB-C dock worked out of the box (except for the USB keyboard - USB keyboards are intentionally disabled; followed the doc to enable).

Suspend works out of the box. Shock, I know. IIRC I had to go through some tweaks with a Debian kernel of the same version on this machine.

(expected) Makes me think of separating stuff better, e.g. links opened in work vs personal browser, etc. Also makes it easier to use different GPG and SSH keys (different VMs naturally have different keys in use).

Split GPG!

Chromium consuming all available memory doesn’t make everything come to a halt for N minutes until the oom-killer resolves it :)