This has always been a thought of mine. I wanted to replace/remove any non-free kernels with a libre kernel that doesn’t provide non-free binaries. I know some people say it does not matter, but I think it would be a cool idea.
I was thinking about hardening QubesOS by possibly using a deblobbed version of the Kicksecure kernel on all VMs. It would also come with JavaScript disabled entirely on all VMs, all non-free binaries removed, everything run over Tor by default, maybe creating a custom repo with only free software, etc.
This would be inclined towards people who use Libreboot/Canoeboot, specifically those that use systems like OptiPlex 9020 and T440p, that run only 100% free software in the BIOS.
I’ve never attempted it, but I would like to know if anyone would be interested.


Absolutely, this is an admirable project.
But the first thing you should know is that QubesOS is not based on Linux, but is actually a different kernel, Xen. The Xen kernel virtualizes Linux, and all Linux runs under it.
Networking and hardware access are done by certain VMs having devices (like the Ethernet card or monitor/keyboard) passed through them, where Linux then handles the hardware access with its drivers.
It is important to understand that, because QubesOS is not a Linux distro. Really, it’s just that they selected Linux (it was either Debian or Fedora IIRC) as their management VMs.
But once you understand that, it’s absolutely feasible to adjust the VMs. It’s probably easier to modify a Linux distro (or create your own) and use that for all the VMs, and then to reuse Qubes’ management-related software. That way you could do something like ship a version of Debian that disables non-free software and firmware in the Debian repos. Doing that is probably easier than creating your own distro entirely from scratch.
Another interesting thing about Qubes is that you are not limited to Linux. Of course, using Linux will be easiest. But the management VMs can technically be any OS that supports it.