Qubes OS 4.3 release notes

Major features and improvements since Qubes 4.2

  • Dom0 upgraded to Fedora 41 (#9402).

  • Xen upgraded to version 4.19 (#9420).

  • Default Fedora template upgraded to Fedora 42 (Fedora TemplateVMs and StandaloneVMs with version lower than 41 are not supported).

  • Default Debian template upgraded to Debian 13 (Debian TemplateVMs and StandaloneVMs with version lower than 12 are not supported).

  • Default Whonix templates upgraded to Whonix 17.4.3 (Whonix TemplateVMs and StandaloneVMs with version lower than 17 are not supported).

  • Preloaded disposables (#1512, #9907, #9917, #9918 & #10026).

  • Device “self-identity oriented” assignment (a.k.a New Devices API) (#9325).

  • QWT (Qubes Windows Tools) reintroduction with improved features (#1861).

Windows 11 welcome page after installation in an HVM

Windows 11 within an HVM qube showing file explorer

UI/UX

  • New Device UX workflow to allow users easy utilization of new Devices API. A dedicated Device Assignments page is added to Global Config. Qubes Devices widget is completely redesigned. (#8537).

Device Assignments page in Global Config

Deny device attachment config in Global Config

Editing device assignment for a network interface in Global Config

Editing a required device in Global Config

Redesigned Qubes Devices widget

  • New and improved flat icons for GUI tools (#5657).

Qube Manager with improved flat icons

  • The far left icons from the Qube Manager are removed (#9776).

  • Application icons are available in VM Settings (#9829).

Qube settings showing icons of Apps

  • Option to add Qubes video Companion to AppMenu (#9761).

  • Improved AppMenu navigation with keyboard (#9006).

  • Better wording to clarify updater settings and actions (#8096).

  • Centralized Tray Notifications (#889).

  • Option to launch root terminal or console terminal from Qubes Domains widget (#9788)

  • Option to open Global Config at a selected section for user convenience (#9530).

  • A Saving changes... dialog is added to Global Config (#9926).

GUI Daemon/Agent improvements

  • Allowing the GUI Daemon background color to be configurable, mostly useful for people with dark themes (#9304).

  • Audio daemon does not connect to recording stream unless recording is explicitly enabled (#9999).

  • Legacy X11 App icons (e.g. Xterm) are properly displayed (#9973).

  • Labeling virtual pointing device as absolute and not relative (#228).

  • Improved global clipboard notifications & configurable global clipboard size (#9296 & #9978).

  • Supporting Windows qubes in systems with sys-gui* (#7565).

Hardware support improvements

  • Support for Advanced Format (AF) drives better known as 4K sector (#4974).

  • Replacing bus/slot/function with full PCI paths for device assignments (#8681 & #8127).

  • Ability to filter input devices with udev rules. (#3604).

  • Fix for graceful rebooting on some (U)EFI systems with buggy firmware (#6258).

  • Better support for Bluetooth and external hot-pluggable audio devices with dynamic AudioVM switching (#7750).

Security features

  • Templates could request custom kernel command line parameters; currently used for Kicksecure and Whonix templates user-sysmaint-split (#9750).

    • Allow VMs to specify boot modes as being only intended for AppVMs or templates (#9920).

  • Shipping GRUB2 from Fedora with all security patches and Bootloader Specification support (#9471).

  • SSL client certificate and GPG key support for private template repositories (#9850).

  • Preventing unsafe practice of 3rd party template installation with rpm/dnf (#9943).

  • Ability to prohibit start of specific qubes (#9622).

  • UUID support for qubes and support for addressing them by UUID in policies (#8862 & #8510).

  • Custom persist feature to avoid unwanted data to persist as much as possible (#1006).

Anonymity improvements

  • Disallowing files, URLs, or any application from Whonix-Workstation qubes to be opened in non-Whonix disposable (#10051).

  • Preventing users from changing their Whonix Workstation qubes’ netvm to sys-firewall (or other clearnet netvms) to avoid IP leaks (#8551).

  • kloak: Keystroke-level online anonymization kernel (#1850).

Performance optimizations

  • Option to use volumes directly without snapshots (#8767).

  • Retiring qubes-rpc-multiplexer and directly executing the command from c (#9062).

  • Caching “system info” structure for qrexec policy evaluation (#9362).

  • Minimal state qubes to make NetVM and USBVM to consume as little RAM as possible.

Updating & upgrading

  • Ability to always hide specific TemplateVMs and StandaloneVMs from update tools (#9029).

  • pacman hook to notify dom0 about successful manual Archlinux upgrades (#9233),

  • Improved R4.2 -> R4.3 upgrade tool (#9317),

    • Using lvmdevices feature instead of device filter (#9421).

New/Improved experimental features

  • Support for Ansible (#10004).

  • Support for Qubes Air (#9015).

    • qrexec protocol extension to support sending source information to destination (#9475).

  • Better support for GUIVM.

    • GUI/Admin domain splitting (#833).

    • Automatically removing ‘nomodeset’ boot option when GPU is attached (#9792).

  • Initial basic steps to support Wayland session only in GUIVM (but not GUI daemon/agent intra-communication) (#8515 & #8410).

Other

  • Allowing user to add free-form text to qubes (for descriptions, notes, comments, remarks, reminders, etc.) (#899).

Qube settings showing qube notes

  • Automatically clean up QubesIncoming directory if empty (#8307).

  • vm-config.* features to pass external configuration to inside the qube (#9837).

  • Admin API for reading/writing denied device-interface list (#9674).

  • New Devices API for salt (#9753).

  • IPv6 DNS support for full IPv4-less environments (#10038).

Dropped or replaced features

  • Default screen locker is changed from XScreenSaver to xfce4-screensaver

  • Create Qubes VM is retired in favor of the improved Create New Qube (#6561).

  • Windows 7 support is dropped from QWT.

For a full list, including more detailed descriptions, please see here.

Known issues

  • Templates restored in 4.3 from a pre-4.3 backup continue to target their original Qubes OS release repos. If you are using fresh templates on a clean 4.3 installation, or if you performed an in-place upgrade from 4.2 to 4.3, then this does not affect you. (For more information, see issue #8701.)

Also see the full list of open bug reports affecting Qubes 4.3.

We strongly recommend updating Qubes OS immediately after installation in order to apply all available bug fixes.

Notes

  • Additional notes for future release candidates will be added here

Download

All Qubes ISOs and associated verification files are available on the downloads page.

Installation instructions

See the installation guide.

Upgrading

Please see how to upgrade to Qubes 4.3.