Upgrading to Fedora 38

Warning

SecureDrop Workstation is currently in a closed beta, and we do not recommend installing it for production purposes independently. See our blog post for more information.

Why do I need to upgrade?

SecureDrop Workstation makes use of several Fedora-based VMs which are part of a Qubes installation by default, including sys-firewall, sys-net, sys- usb, work, and vault . In Qubes 4.1.2, these VMs are based on a Fedora 37 template, which reached end-of-life on December 5, 2023.

If you are provisioning SecureDrop Workstation for the first time, you will need to update your Fedora template manually to Fedora 38 before installing SecureDrop Workstation.

If you are an existing SecureDrop Workstation user, SecureDrop Workstation will install the template automatically when updates are applied, but you should also manually configure VMs not managed by SecureDrop Workstation to use the Fedora 38 template.

Install Fedora-38 template

In a dom0 terminal (Qubes Application Menu > Terminal Emulator), type the following to download the Fedora 38 template:

sudo qvm-template install fedora-38

You will see some information from the template manager, including a progress bar.

When the download has concluded, you will be prompted to install the package. Type y to proceed with the installation.

Update the Fedora-38 template

Once the template installation is complete, update the template using the Qubes Updater. Click Q > Qubes Tools > Qubes Update in the application menu. Click the checkbox “Enable updates for qubes without known updates” option, and click the checkbox next to fedora-38. Click Next and wait for any available updates to be downloaded and applied.

Configure VMs to use the new template

To apply the template to VMs that currently use an older version, open the Qube Manager via Q > Qubes Tools > Qube Manager. All VMs will be visible at a glance; to change a VM’s settings, right-click it and select Qube Settings.

In the Qube Settings window, select fedora-38 from the drop-down menu beside Template, then click OK.

screenshot_qsettings_fedora32

You should perform this process for:

  • work

  • vault

  • sys-net

  • default-mgmt-dvm.

Create a new disposable VM template based on Fedora 38 by running the following commands in dom0:

qvm-create -l red -t fedora-38 fedora-38-dvm
qvm-prefs fedora-38-dvm template_for_dispvms True
qvm-features fedora-38-dvm appmenus-dispvm 1
qubes-prefs default-dispvm fedora-38-dvm

Now, switch the templates for sys-usb and sys-firewall to fedora-38-dvm using the same process that you used above.

Reboot the system to ensure the changes take effect. Alternatively, you can restart only the VMs you have updated. If you get a sys-whonix prompt asking how you want to connect to the Tor network, select the “Connect” option, which allows a direct connection to the Tor network.

Tip

You can also use the Qubes Template Manager (also in Q > Qubes Tools) to make template changes. However, note that it will not allow you to make template changes for VMs that are currently running, so you may have to manually shut down VMs in the correct order to do so.

Getting Support

If you are part of the SecureDrop Workstation Pilot and you have questions about this process or about any other aspect of SecureDrop Workstation, please reach out to us.