Re: [qubes-devel] Re: Announcement: Fedora 33 TemplateVMs available

2021-03-02 Thread Andrew David Wong

On 3/1/21 6:15 AM, Mike Keehan wrote:

On 2/27/21 6:59 PM, Andrew David Wong wrote:

On 2/26/21 1:22 PM, Andrew David Wong wrote:

Dear Qubes Community,

New Fedora 33 TemplateVMs are now available for both Qubes 4.0 and 4.1.

*Important:* If you wish to use the Qubes Update widget to update a 
Fedora 33 template, you must first switch [1] the `default-mgmt-dvm` 
qube to a Fedora 33 template. (Alternatively, you can create a 
separate management DisposableVM Template based on a Fedora 33 
template for the purpose of updating Fedora 33 templates.) This does 
not affect updating internally using `dnf`.


Instructions are available for upgrading Fedora TemplateVMs [2]. We 
also provide fresh Fedora 33 TemplateVM packages through the official 
Qubes repositories, which you can get with the following commands (in 
dom0).


Standard [3] Fedora 33 TemplateVM:

 $ sudo qubes-dom0-update qubes-template-fedora-33

Minimal [4] Fedora 33 TemplateVM:

 $ sudo qubes-dom0-update qubes-template-fedora-33-minimal

After installing or upgrading a TemplateVM, please remember to update 
[5] (see important note above) and switch all qubes that were using 
the old template to use the new one [1].



[1] https://www.qubes-os.org/doc/templates/#switching
[2] https://www.qubes-os.org/doc/template/fedora/upgrade/
[3] https://www.qubes-os.org/doc/templates/fedora/
[4] https://www.qubes-os.org/doc/templates/minimal/
[5] https://www.qubes-os.org/doc/software-update-domu/

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/02/25/fedora-33-templates-available/



*Addendum:* Fedora 33 has switched the default DNS resolver to 
systemd-resolved [1]. If resolving local domains on your LAN does not 
work as expected even when specifying the full name, you may wish to 
disable systemd-resolved and enable NetworkManager in the TemplateVM 
instead. For more on this, please see issue #6431 [2].


For a complete list of changes in Fedora 33, please see the official 
Fedora 33 release notes [3], and for a more general overview, the 
official Fedora 33 announcement [4].



[1] https://fedoraproject.org/wiki/Changes/systemd-resolved
[2] https://github.com/QubesOS/qubes-issues/issues/6431
[3] https://docs.fedoraproject.org/en-US/fedora/f33/release-notes/
[4] https://fedoramagazine.org/announcing-fedora-33/



Hi Andrew,

Disable it in sys-net's template, or in all Fedora templates?

Mike.



I'm just relaying what was discussed in #6431, but my understanding is 
that it would only be disabled in sys-net's template. I imagine you 
could start there and see if it works as expected. If it does, there's 
probably no need to disable it anywhere else.


--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

--
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-devel+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/b49fecc6-497d-5c61-7dc8-d9d57ee0cdb1%40qubes-os.org.


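The addendum and Andrew's reply above leave the practitioner with two questions: is a given qube actually sending DNS to the systemd-resolved stub, and what does "disable systemd-resolved and enable NetworkManager" look like in sys-net's template? The script below is an added example, not code from the announcement, the Qubes docs or issue #6431. The stub address 127.0.0.53 is systemd-resolved's listener; the remediation steps in `disable_resolved` (masking the service, dropping the stub symlink, a NetworkManager drop-in with `dns=default`) and the drop-in file name are this example's assumptions, and the resolv.conf contents it classifies by default are constructed samples.

```shell
#!/bin/sh
# Added example (not from the announcement or the Qubes docs): tell whether
# a qube's resolv.conf hands DNS to the systemd-resolved stub listener, and,
# when asked, switch the template to a NetworkManager-managed resolv.conf.
# The drop-in name and the exact remediation steps are assumptions.

# resolver_mode FILE -> prints one of: stub, direct, empty, unreadable
resolver_mode() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "unreadable"
        return 1
    fi
    # nameserver lines only; comments, search and options lines are ignored
    ns=$(awk '$1 == "nameserver" { print $2 }' "$file")
    if [ -z "$ns" ]; then
        echo "empty"
        return 0
    fi
    for addr in $ns; do
        if [ "$addr" = "127.0.0.53" ]; then
            echo "stub"        # systemd-resolved's local stub listener
            return 0
        fi
    done
    echo "direct"
    return 0
}

# disable_resolved: assumed remediation, run as root in sys-net's template
# (Andrew's reply above suggests starting with that template only). Shut
# the template down and restart sys-net afterwards so the change applies.
disable_resolved() {
    systemctl disable --now systemd-resolved
    # resolv.conf is normally a symlink to resolved's stub file;
    # NetworkManager only takes it over when it is not that symlink
    if [ -L /etc/resolv.conf ]; then
        rm -f /etc/resolv.conf
    fi
    mkdir -p /etc/NetworkManager/conf.d
    printf '[main]\ndns=default\n' > /etc/NetworkManager/conf.d/90-dns-default.conf
    systemctl enable NetworkManager
}

# demo: classify two constructed resolv.conf files (not real captures)
demo() {
    tmp=$(mktemp)
    printf 'nameserver 127.0.0.53\noptions edns0 trust-ad\n' > "$tmp"
    echo "resolved-style file: $(resolver_mode "$tmp")"
    printf 'search lan\nnameserver 10.137.0.1\n' > "$tmp"
    echo "NetworkManager-style file: $(resolver_mode "$tmp")"
    rm -f "$tmp"
}

case ${1:-demo} in
    check) resolver_mode /etc/resolv.conf ;;
    apply) disable_resolved ;;
    *)     demo ;;
esac
```

Run it with `check` inside a qube to see which mode that qube is in; only run `apply` (as root, in sys-net's template) after confirming the symptom from the addendum, since it changes how every qube based on that template resolves names.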


Re: [qubes-devel] Xen exploit mitigations

2021-03-02 Thread Marek Marczykowski-Górecki

On Tue, Mar 02, 2021 at 11:17:54AM -0800, Scumbag wrote:
> 
> I asked this before on Qubes 
> forum(https://qubes-os.discourse.group/t/xen-exploit-migitations/2469), but 
> there were no replies so I'm hoping I'll get replies here:
> 
> I saw in the Xen 4.14 release notes that Xen now supports hardware-based 
> Control-flow Enforcement Technology (CET), which has been introduced in 
> Intel's Tiger Lake and AMD's Zen 3 CPUs. 
> - Does Qubes support this as well? 

Yes, we do have this enabled in Qubes 4.1.

> - And does Xen also have a software-based CFI? 

Not that I'm aware of.

> - Does Xen also support ASLR now? Some years ago I read a post from Qubes 
> saying that Xen didn't have many exploit mitigations and didn't even 
> support ASLR.

Indeed, Xen doesn't have ASLR and won't have it anytime soon (PV must die
first, at the very least). But it does use some other mitigations like
SMAP/SMEP. Also, some of the more complex parts, like the instruction
emulator, are integrated with fuzz testing.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/YD8G3hWZaOgVPB%2Bg%40mail-itl.
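The exchange above names four hardware mitigations (SMEP, SMAP, CET shadow stacks, CET IBT) without saying how to check what a given machine or qube reports. The script below is an added example, not code from the thread, from Xen or from Qubes: it reads the Linux `flags` line of a cpuinfo dump and reports each mitigation. The flag names `smep`, `smap`, `shstk` and `ibt` are the Linux cpufeature names; the two CET flags are only printed by recent kernels, so "no" on an older kernel means "not reported" rather than "absent". Inside a qube the list is what Xen exposes to that VM, which is not the same as what Xen itself has enabled in dom0; the cpuinfo fragment it classifies by default is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread, Xen or Qubes): report which of the
# hardware mitigations discussed above the kernel advertises in cpuinfo.
# Flag names are Linux cpufeature names; CET flags appear only on recent
# kernels. In a VM the list is what the hypervisor exposes to the guest.

# flag_set FLAGS NAME -> true when NAME is a whole word in FLAGS
flag_set() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx -- "$2"
}

# cpuinfo_flags FILE -> the flag list of the first CPU in a cpuinfo dump
cpuinfo_flags() {
    awk '/^flags[[:space:]]*:/ { sub(/^flags[[:space:]]*:[[:space:]]*/, ""); print; exit }' "$1"
}

# mitigation_report FLAGS -> one "NAME=yes|no" line per mitigation
mitigation_report() {
    for pair in smep:SMEP smap:SMAP shstk:CET_SS ibt:CET_IBT; do
        flag=${pair%%:*}
        name=${pair#*:}
        if flag_set "$1" "$flag"; then
            echo "$name=yes"
        else
            echo "$name=no"
        fi
    done
}

# count_yes FLAGS -> number of mitigations reported present
count_yes() {
    mitigation_report "$1" | grep -c '=yes' || true
}

# demo: a constructed cpuinfo fragment (not a real capture), roughly what an
# HVM qube on a pre-CET CPU might show, then the live file when present
demo() {
    tmp=$(mktemp)
    printf 'processor\t: 0\nvendor_id\t: GenuineIntel\nflags\t\t: fpu pse nx smep smap xsaveopt hypervisor\nbugs\t\t: spectre_v1 spectre_v2\n' > "$tmp"
    echo "constructed sample:"
    mitigation_report "$(cpuinfo_flags "$tmp")"
    rm -f "$tmp"
    if [ -r /proc/cpuinfo ]; then
        echo "this system:"
        mitigation_report "$(cpuinfo_flags /proc/cpuinfo)"
    fi
}

demo
```

Run it in an AppVM and in dom0 and compare: a mitigation the guest kernel does not see can still be in use by the hypervisor, and the reverse is also possible, so the guest view only answers "what does my kernel get to use", which is the question that matters for the in-VM attack surface.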


[qubes-devel] Xen exploit mitigations

2021-03-02 Thread Scumbag

I asked this before on Qubes 
forum(https://qubes-os.discourse.group/t/xen-exploit-migitations/2469), but 
there were no replies so I'm hoping I'll get replies here:

I saw in the Xen 4.14 release notes that Xen now supports hardware-based 
Control-flow Enforcement Technology (CET), which has been introduced in 
Intel's Tiger Lake and AMD's Zen 3 CPUs. 
- Does Qubes support this as well? 
- And does Xen also have a software-based CFI? 
- Does Xen also support ASLR now? Some years ago I read a post from Qubes 
saying that Xen didn't have many exploit mitigations and didn't even 
support ASLR.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/9bee0f80-fe7f-486b-a994-aefd43cc8158n%40googlegroups.com.