Windows qubes

Like any other unmodified OS, Windows can be installed in Qubes as an HVM domain.

Qubes Windows Tools (QWT) are then usually installed to provide integration with the rest of the Qubes system; they also include Xen’s paravirtualized (PV) drivers to increase performance compared to QEMU-emulated devices. Alternatively, only Xen’s PV drivers can be installed if integration with Qubes isn’t required or if the tools aren’t supported on a given version of Windows. In the latter case, one would have to enable networking between two qubes to be able to exchange files with HVMs.

Warning

Windows VMs use a netfront driver that is not hardened against attacks by a malicious netback driver. This means that the net qube to which you connect your Windows VMs should be as trusted (or as untrusted) as the Windows VM itself.

It is recommended that you create a dedicated firewall qube for Windows VMs, for example a clone of sys-firewall named sys-firewall-windows. This also allows you to work around this issue until it is fixed: qubes-issues#6829. The workaround is to disconnect sys-firewall-windows from its net qube or use the Qubes Firewall to block traffic.

If you use the Qubes Firewall then it is recommended that you use the qvm-firewall utility for this purpose, as it allows you to block ICMP and DNS traffic. By default the firewall rules contain an accept rule at position 0. You can delete this rule using qvm-firewall QUBE_NAME del --rule-no 0, or insert a new drop all rule as rule number 0, using qvm-firewall QUBE_NAME add --before 0 drop. If you have customised the firewall settings, insert the drop rule as above.
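
The drop-rule workaround above can be applied idempotently from dom0, so that re-running it does not stack duplicate rules. This is an added example, not part of the Qubes documentation: the function names are hypothetical, and it assumes that qvm-firewall --raw QUBE_NAME list prints one rule per line as key=value pairs starting with action= (for example action=accept).

```shell
#!/bin/sh
# Added example: keep "drop everything" as rule 0 of a qube's Qubes Firewall.
# Run in dom0. Assumption: `qvm-firewall --raw QUBE list` prints one rule per
# line, e.g. "action=accept" or "action=drop proto=icmp".

# Succeeds only if rule 0 is an unconditional drop. The comparison is exact,
# so a narrower rule such as "action=drop proto=icmp" does not count.
first_rule_is_drop_all() {
    [ "$(qvm-firewall --raw "$1" list | head -n 1)" = "action=drop" ]
}

# Insert the drop-all rule before position 0 unless it is already there.
# Prints "unchanged" or "inserted" so callers can log what happened.
ensure_drop_all() {
    if first_rule_is_drop_all "$1"; then
        echo "unchanged"
    else
        qvm-firewall "$1" add --before 0 drop
        echo "inserted"
    fi
}

# Typical use in dom0, with the qube name used on this page:
#   ensure_drop_all sys-firewall-windows
#   qvm-firewall sys-firewall-windows list
```

Because existing rules stay in place behind the inserted rule, this also covers the case of customised firewall settings mentioned above.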