Re: [qubes-users] Re: files disappearing
On 08/21/2016 03:11 PM, J.M. Porup wrote:
> On Sat, Aug 20, 2016 at 07:05:10PM -0400, Chris Laprise wrote:
>>> * Download the Equation Group files from Mega to report on them
>>> * qvm-copy-to-vm --> new fedora 23 based appvm
>>> * open terminal in new vm, files are there
>>> * shutdown, reboot--files are gone
>>
>> One avenue to investigate is to reproduce the problem and then see if
>> another vm can manually mount that filesystem and access the files:
>>
>> 1. Start the appvm in question ("VM1") - private data files do not appear
>> 2. Pause VM1
>> 3. Start a testing appvm ("VM2").
>> 4. Use qvm-block in dom0:
>>    $ qvm-block -A --ro VM2 dom0:/var/lib/qubes/appvms/VM1/private.img
>> 5. In VM2, run:
>>    $ mkdir data
>>    $ sudo mount /dev/xvdi data
>>    $ ls data/home/user
>> 6. Look for your data files
>
> Thanks for this suggestion. I tried last night, but mounting /dev/xvdi gave me a fs/superblock error, and non-useful output in dmesg. I tried again this morning, and was able to mount /dev/xvdd (not xvdi, although that probably doesn't make a difference).

For that test, you are definitely interested in xvdi not xvdd.

> Taking a good look around the 4.1.24-10.pvops.qubes.x86_64/ dir, but not finding anything that looks like a home directory, much less my files. I'm probably doing something wrong.
>
> Perhaps related: Last week my .bash_history disappeared in dom0, replaced, bizarrely, by the attached text. Difficult to avoid the suspicion this is someone trolling.
>
> jmp

The error you got does indicate the vm filesystem got corrupted--and that is probably because your dom0 root filesystem was corrupted, considering what happened to your dom0 .bash_history.

I would say the level of corruption, which resembles file cross-linking errors, is great enough to consider dom0 isolation to be degraded and the OS damaged in general.

The best course of action would be to start with Andrew's suggestion: Most recent laptops have disk and memory tests built into the firmware, accessible from the power-on screen. On completion you should see a short assessment as to whether your memory and drive are healthy or not. You could also use 'smartctl -a' on your drive to look for specific failure indicators.

After addressing any hardware problems (such as replacing RAM modules or SSD), I suggest reinstalling Qubes and restoring from your backups. You may wish to first try backing up what's left of your current data before reinstalling and restoring from an older backup, in case you want to try recovering your most recent data later on.

If you have specific questions I'd be happy to try answering them for you.

Chris

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f1db4593-bbf6-40d6-89b3-19710a989a27%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] QUBES Windows Tools won't install
On 2016-08-21 17:22, neilhard...@gmail.com wrote:
> I installed it. Networking was working prior to Windows Tools. After installing it, the network no longer works.
>
> "no network access" when you click the network icon in the taskbar.

Thanks for the report. Tracking:

https://github.com/QubesOS/qubes-issues/issues/2263

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
On 2016-08-21 16:43, nishiwak...@gmail.com wrote:
> On Sunday, 21 August 2016 21:28:13 UTC+2, Andrew David Wong wrote:
>> On 2016-08-21 04:02, nishiwak...@gmail.com wrote:
>>> Any help to configure sys-firewall would be also really appreciated. I got this annoying pop-up when I click on "Firewall rules" tab under the sys-firewall proxyVM settings :
>>>
>>> "The 'sys-firewall' AppVM is not network connected to a FirewallVM!
>>>
>>> You may edit the 'sys-firewall' VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM."
>>>
>>> Only subject related to this problem I found is this message from Unman on Qubes-users group :
>>>
>>> "When you configure the firewall rules for a vm those rules are applied ON THE FIREWALL to which the vm is attached. So the error message you get is entirely accurate - your firewall is not attached to a firewall and so the rules cannot be applied. Of course you COULD configure a firewall between the fw and the netvm but the same consideration would apply to THAT fw. There's no reason why you can't configure the fw iptables by hand if you want to: you can use /rw/config/qubes-firewall-user-script to have these rules applied automatically."
>>>
>>> Ok so here's what I understand from this message : this proxyVM Firewall is probably working but rules don't apply because it is attached to a NetVM, which doesn't have any firewall policies by default.
>>>
>>> https://www.qubes-os.org/doc/qubes-firewall/ Official documentation says : "Every VM in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies. By default there is one default Firewall VM, but the user is free to create more, if needed."
>>>
>>> And then you got explanations on how to edit rules in a specific VM for a given domain.
>>>
>>> So I understand you have to edit rules on an AppVM to open up ports there, but I mean not everyone running Qubes OS is highly graduated in IT and network routing.
>>>
>>> I find quite disappointing that the official documentation doesn't mention more clearly how to set up the default sys-firewall proxyVM, like if you are supposed to check either "Deny network access except" or "Allow network access except" button or if that doesn't matter, if those policies won't apply anyway because of this pop-up...
>>
>> Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even there.
>>
>> Suppose you have an AppVM in which you want to enforce specific firewall rules. You should go into the VM settings for *that VM*, then the "Firewall rules" tab, then configure your firewall rules there. These firewall rules are then *enforced by* sys-firewall under the hood. Enforcing these rules for other VMs is sys-firewall's raison d'être.
>>
>> By default, there is only one VM with this job: sys-firewall. Therefore, there is no other VM that can perform this job *for* sys-firewall. But that's not a problem, because there's usually no reason to specify firewall rules for sys-firewall itself anyway. (Besides, you're free to create as many ProxyVMs as you like and chain them together.)
>
> Ok, thank you very much for your help. Unfortunately I still have great difficulties to open up port 443 or 80 on an AppVM.
>
> I have read this comment on another thread from Alex Dubois saying :
>
> "A diagram in the wiki would help people understand.
>
> For now: A packet coming from the outside has a sourceIP of the workstation on the LAN that issued it or the router that routed the packet into your LAN and a destinationIP of your netVM externalIP (probably 192.168.0.x). The NetVM iptables rules are going to transform it to a packet with a destinationIP of your firewallVM (10.137.1.5). The firewallVM iptables rules are going to transform it to a packet with a destinationIP of your AppVM (10.137.2.16)."
>
> I completely agree with him, a diagram would really help. I don't get why documentation doesn't address the routing basics stuff that isn't really basic for newbies, for random people.

The documentation is largely a volunteer effort. I'm afraid we simply don't have the workforce to make all necessary and desirable improvements to the documentation. We would love it if someone would submit a pull request adding such a diagram or, in general, improving that page.

> I like a lot Qubes, this is an awesome OS, but far too complicated for mister everyone. I am at the point right now where frustration becomes overwhelming. I don't think I am not curious, trying to improve or understand better the way this OS works... I'm just going mad tonight, lol.
>
> So let me try to sum up this comment in a visual way to understand better how routing works on Qubes.
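The two destination rewrites Alex Dubois describes in the comment quoted above, written out as iptables rules limited to a single port. This is an added example, not part of any message in the thread and not Qubes project code; the interface name eth0, the LAN address 192.168.0.10 (standing in for the thread's "192.168.0.x"), TCP port 443 as the forwarded service, and the use of the stock PREROUTING and FORWARD chains are assumptions. The script only prints the rules, it does not apply them.

```shell
#!/bin/bash
# Added example, not from the thread: prints (never applies) the iptables rules
# for the two destination rewrites described in the quoted comment.

valid_ipv4() {
    # Accept only dotted quads whose four octets are each 0..255.
    local ip="$1" octet
    local IFS=.
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $ip
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# hop_rules IFACE LISTEN_IP NEXT_HOP_IP PROTO PORT
# Prints the two rules one VM needs: rewrite the destination in the nat table,
# then accept exactly that new flow in FORWARD (inserted at the top of the
# chain so it is evaluated before existing rules). Inputs are validated so a
# typo cannot produce a rule wider than one address, one protocol, one port.
hop_rules() {
    local iface="$1" listen="$2" next="$3" proto="$4" port="$5"
    case $iface in
        ''|*[!A-Za-z0-9_.+-]*) echo "bad interface: $iface" >&2; return 2 ;;
    esac
    valid_ipv4 "$listen" && valid_ipv4 "$next" || { echo "bad address" >&2; return 2; }
    valid_port "$port" || { echo "bad port: $port" >&2; return 2; }
    case $proto in
        tcp|udp) ;;
        *) echo "bad protocol: $proto" >&2; return 2 ;;
    esac
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s\n' \
        "$iface" "$listen" "$proto" "$port" "$next"
    printf 'iptables -I FORWARD -i %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$iface" "$next" "$proto" "$port"
}

# forward_chain NETVM_LAN_IP FIREWALLVM_IP APPVM_IP PROTO PORT
# Hop 1 runs in the netVM (LAN address -> firewallVM), hop 2 in the firewallVM
# (its own address -> AppVM). "eth0" as the upstream interface is an assumption.
forward_chain() {
    echo "# in the netVM"
    hop_rules eth0 "$1" "$2" "$4" "$5" || return
    echo "# in the firewallVM"
    hop_rules eth0 "$2" "$3" "$4" "$5"
}

# 10.137.1.5 and 10.137.2.16 are the addresses quoted in the thread;
# 192.168.0.10 is a constructed stand-in for "192.168.0.x".
forward_chain 192.168.0.10 10.137.1.5 10.137.2.16 tcp 443
```

Review the printed rules against the VM's existing chains (`iptables -S` and `iptables -t nat -S`) before applying them; the thread names /rw/config/qubes-firewall-user-script as the place for hand-written firewall rules that should be applied automatically.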
Re: [qubes-users] QUBES Windows Tools won't install
I installed it. Networking was working prior to Windows Tools. After installing it, the network no longer works.

"no network access" when you click the network icon in the taskbar.
Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
On Sunday, 21 August 2016 21:28:13 UTC+2, Andrew David Wong wrote:
> On 2016-08-21 04:02, nishiwak...@gmail.com wrote:
>> Any help to configure sys-firewall would be also really appreciated. I got this annoying pop-up when I click on "Firewall rules" tab under the sys-firewall proxyVM settings :
>>
>> "The 'sys-firewall' AppVM is not network connected to a FirewallVM!
>>
>> You may edit the 'sys-firewall' VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM."
>>
>> Only subject related to this problem I found is this message from Unman on Qubes-users group :
>>
>> "When you configure the firewall rules for a vm those rules are applied ON THE FIREWALL to which the vm is attached. So the error message you get is entirely accurate - your firewall is not attached to a firewall and so the rules cannot be applied. Of course you COULD configure a firewall between the fw and the netvm but the same consideration would apply to THAT fw. There's no reason why you can't configure the fw iptables by hand if you want to: you can use /rw/config/qubes-firewall-user-script to have these rules applied automatically."
>>
>> Ok so here's what I understand from this message : this proxyVM Firewall is probably working but rules don't apply because it is attached to a NetVM, which doesn't have any firewall policies by default.
>>
>> https://www.qubes-os.org/doc/qubes-firewall/ Official documentation says : "Every VM in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies. By default there is one default Firewall VM, but the user is free to create more, if needed."
>>
>> And then you got explanations on how to edit rules in a specific VM for a given domain.
>>
>> So I understand you have to edit rules on an AppVM to open up ports there, but I mean not everyone running Qubes OS is highly graduated in IT and network routing.
>>
>> I find quite disappointing that the official documentation doesn't mention more clearly how to set up the default sys-firewall proxyVM, like if you are supposed to check either "Deny network access except" or "Allow network access except" button or if that doesn't matter, if those policies won't apply anyway because of this pop-up...
>
> Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even there.
>
> Suppose you have an AppVM in which you want to enforce specific firewall rules. You should go into the VM settings for *that VM*, then the "Firewall rules" tab, then configure your firewall rules there. These firewall rules are then *enforced by* sys-firewall under the hood. Enforcing these rules for other VMs is sys-firewall's raison d'être.
>
> By default, there is only one VM with this job: sys-firewall. Therefore, there is no other VM that can perform this job *for* sys-firewall. But that's not a problem, because there's usually no reason to specify firewall rules for sys-firewall itself anyway. (Besides, you're free to create as many ProxyVMs as you like and chain them together.)
>
> -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org

Ok, thank you very much for your help. Unfortunately I still have great difficulties to open up port 443 or 80 on an AppVM.

I have read this comment on another thread from Alex Dubois saying :

"A diagram in the wiki would help people understand.

For now: A packet coming from the outside has a sourceIP of the workstation on the LAN that issued it or the router that routed the packet into your LAN and a destinationIP of your netVM externalIP (probably 192.168.0.x). The NetVM iptables rules are going to transform it to a packet with a destinationIP of your firewallVM (10.137.1.5). The firewallVM iptables rules are going to transform it to a packet with a destinationIP of your AppVM (10.137.2.16)."

I completely agree with him, a diagram would really help. I don't get why documentation
Re: [qubes-users] QUBES Windows Tools won't install
On 2016-08-21 15:23, neilhard...@gmail.com wrote:
> I have a Win7 machine running, but I need to install Windows Tools.
>
> in dom0, I run
>
> sudo qubes-dom0-update qubes-windows-tools
>
> I get
>
> "no package qubes-windows-tools available"
>
> I am running QUBES 3.2-rc2

qubes-windows-tools is currently in the test repo, since it is not yet stable. You can install it by enabling the current-testing repo:

    $ sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing \
        qubes-windows-tools

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] QUBES Windows Tools won't install
I have a Win7 machine running, but I need to install Windows Tools.

in dom0, I run

sudo qubes-dom0-update qubes-windows-tools

I get

"no package qubes-windows-tools available"

I am running QUBES 3.2-rc2
Re: [qubes-users] Re: installing Signal on Qubes mini-HOWTO
On Sunday, August 21, 2016 at 11:44:08 AM UTC-7, grzegorz@gmail.com wrote:
> On Sunday, 21 August 2016 20:32:34 UTC+2, user pixel fairy wrote:
>>> We'll probably have to repeat the same steps in a Chrome OS VM.
>>
>> where would you get one? you mean chromiumos?
>
> i meant this:
> http://getchrome.eu/download.php

thats just chromium on cinnamon desktop. there are builds you can download for chromiumos, and a couple vagrant files to build it for you. if signal really depends on the play store this may or may not work.

the code could be forked and ported to electron, but it would still be up to whispersystems if they want to support that.
Re: [qubes-users] Re: files disappearing
On 2016-08-21 12:11, J.M. Porup wrote:
> On Sat, Aug 20, 2016 at 07:05:10PM -0400, Chris Laprise wrote:
>>> * Download the Equation Group files from Mega to report on them
>>> * qvm-copy-to-vm --> new fedora 23 based appvm
>>> * open terminal in new vm, files are there
>>> * shutdown, reboot--files are gone
>>
>> One avenue to investigate is to reproduce the problem and then see if
>> another vm can manually mount that filesystem and access the files:
>>
>> 1. Start the appvm in question ("VM1") - private data files do not appear
>> 2. Pause VM1
>> 3. Start a testing appvm ("VM2").
>> 4. Use qvm-block in dom0:
>>    $ qvm-block -A --ro VM2 dom0:/var/lib/qubes/appvms/VM1/private.img
>> 5. In VM2, run:
>>    $ mkdir data
>>    $ sudo mount /dev/xvdi data
>>    $ ls data/home/user
>> 6. Look for your data files
>
> Thanks for this suggestion. I tried last night, but mounting /dev/xvdi gave me a fs/superblock error, and non-useful output in dmesg. I tried again this morning, and was able to mount /dev/xvdd (not xvdi, although that probably doesn't make a difference).
>
> Taking a good look around the 4.1.24-10.pvops.qubes.x86_64/ dir, but not finding anything that looks like a home directory, much less my files. I'm probably doing something wrong.
>
> Perhaps related: Last week my .bash_history disappeared in dom0, replaced, bizarrely, by the attached text. Difficult to avoid the suspicion this is someone trolling.
>
> jmp

A hardware problem could be the common cause. I recommend running SMART checks on your drives and memtest if you haven't already.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Re: AEM from SDCARD on Thinkpad
On 2016-08-21 12:09, blark...@gmail.com wrote:
> On Sunday, August 21, 2016 at 1:29:32 PM UTC-4, pixel fairy wrote:
>> On Sunday, August 21, 2016 at 10:05:57 AM UTC-7, blar...@gmail.com wrote:
>>> Trying to configure AEM on an SD card for my Thinkpad.
>>
>> what model? have you checked the release notes for your bios version or seen if theres an update? have you tried booting the sd card on something else?
>
> T460. Supposedly it's not possible because the SD Card reader is a PCI device. Not sure if anyone has found a way around it. I'd rather use this SD Card if possible than a USB drive.

If the T460/ThinkPads cannot boot from an SD card, then I don't think there's anything you or anyone else (save Lenovo) can do about this.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Qubes OS 4.0 + Wayland + Flatpaks - Can Qubes OS 4.0 become Wayland-only?
On 2016-08-21 04:40, kev27 wrote:
> I know Joanna has long talked about how insecure X11 is and how the Qubes team worked to isolate the GUI. Wouldn't it be simpler if Qubes became Wayland-only sooner?
>
> It seems Fedora 25 will enable Wayland by default [1], but I think it will still have a XWayland layer for app compatibility. Will Qubes need that, too? Or can it become Wayland-only by the time Qubes OS 4.0 is out? Are there still too many components in the Fedora core that need X11 and can't be transitioned to Wayland anytime soon?

IIRC, there has been quite a bit of discussion about Wayland on these lists over the past few years. I recommend doing a search if you haven't already.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Re: Problem on port forwarding to a VM from the outside world
On 2016-08-21 04:02, nishiwak...@gmail.com wrote:
> Any help to configure sys-firewall would be also really appreciated. I got this annoying pop-up when I click on "Firewall rules" tab under the sys-firewall proxyVM settings :
>
> "The 'sys-firewall' AppVM is not network connected to a FirewallVM!
>
> You may edit the 'sys-firewall' VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM."
>
> Only subject related to this problem I found is this message from Unman on Qubes-users group :
>
> "When you configure the firewall rules for a vm those rules are applied ON THE FIREWALL to which the vm is attached. So the error message you get is entirely accurate - your firewall is not attached to a firewall and so the rules cannot be applied. Of course you COULD configure a firewall between the fw and the netvm but the same consideration would apply to THAT fw. There's no reason why you can't configure the fw iptables by hand if you want to: you can use /rw/config/qubes-firewall-user-script to have these rules applied automatically."
>
> Ok so here's what I understand from this message : this proxyVM Firewall is probably working but rules don't apply because it is attached to a NetVM, which doesn't have any firewall policies by default.
>
> https://www.qubes-os.org/doc/qubes-firewall/ Official documentation says : "Every VM in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies. By default there is one default Firewall VM, but the user is free to create more, if needed."
>
> And then you got explanations on how to edit rules in a specific VM for a given domain.
>
> So I understand you have to edit rules on an AppVM to open up ports there, but I mean not everyone running Qubes OS is highly graduated in IT and network routing.
>
> I find quite disappointing that the official documentation doesn't mention more clearly how to set up the default sys-firewall proxyVM, like if you are supposed to check either "Deny network access except" or "Allow network access except" button or if that doesn't matter, if those policies won't apply anyway because of this pop-up...

Just ignore the "Firewall rules" tab of sys-firewall. Pretend it's not even there.

Suppose you have an AppVM in which you want to enforce specific firewall rules. You should go into the VM settings for *that VM*, then the "Firewall rules" tab, then configure your firewall rules there. These firewall rules are then *enforced by* sys-firewall under the hood. Enforcing these rules for other VMs is sys-firewall's raison d'être.

By default, there is only one VM with this job: sys-firewall. Therefore, there is no other VM that can perform this job *for* sys-firewall. But that's not a problem, because there's usually no reason to specify firewall rules for sys-firewall itself anyway. (Besides, you're free to create as many ProxyVMs as you like and chain them together.)

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Re: AEM from SDCARD on Thinkpad
On Sunday, August 21, 2016 at 1:29:32 PM UTC-4, pixel fairy wrote:
> On Sunday, August 21, 2016 at 10:05:57 AM UTC-7, blar...@gmail.com wrote:
>> Trying to configure AEM on an SD card for my Thinkpad.
>
> what model? have you checked the release notes for your bios version or seen if theres an update? have you tried booting the sd card on something else?

T460. Supposedly it's not possible because the SD Card reader is a PCI device. Not sure if anyone has found a way around it. I'd rather use this SD Card if possible than a USB drive.
Re: [qubes-users] Re: installing Signal on Qubes mini-HOWTO
On Sunday, 21 August 2016 at 20:32:34 UTC+2, pixel fairy wrote:
> > We'll probably have to repeat the same steps in a Chrome OS VM.
>
> where would you get one? you mean chromiumos?

i meant this: http://getchrome.eu/download.php
Re: [qubes-users] Re: installing Signal on Qubes mini-HOWTO
> We'll probably have to repeat the same steps in a Chrome OS VM.

where would you get one? you mean chromiumos?
[qubes-users] Re: Qubes OS 4.0 + Wayland + Flatpaks - Can Qubes OS 4.0 become Wayland-only?
On Sunday, August 21, 2016 at 4:40:55 AM UTC-7, kev27 wrote:
> I know Joanna has long talked about how insecure X11 is and how the Qubes
> team worked to isolate the GUI. Wouldn't it be simpler if Qubes became
> Wayland-only sooner?

the gui isolation issues are mostly solved by the current version of qubes, but it is messy under the hood. the biggest current problem is the lack of isolation within a vm. just making more vms quickly adds up in resources. you could run firejail with xpra in an appvm. haven't tried it in qubes yet, but that's how i do it on my work laptop.

the gui tools would have to be a wayland compositor, not just a window manager. given how qubes works, this will probably be smaller and cleaner than the x11 based tools. the first target should probably be dom0. qubes has so many problems with graphics drivers that this might actually help.

> It seems Fedora 25 will enable Wayland by default [1], but I think it will
> still have a XWayland layer for app compatibility. Will Qubes need that, too?
> Or can it become Wayland-only by the time Qubes OS 4.0 is out? Are there
> still too many components in the Fedora core that need X11 and can't be
> transitioned to Wayland anytime soon?

i'm running fedora 24 with wayland in a vm. most of the apps run in wayland, some are still x11. firefox, chrome, and thunderbird all run in x11. chromium crashes on startup. firefox-wayland crashes on startup. so, for the most part, some apps would benefit. i also hope this gets sorted out in fedora25, and that makes it in time for default templates in qubes-4.0.

> Also, since flatpaks [2] will take full advantage of Wayland security, and it
> seems to be the app packaging format to take security seriously the most
> [3][4][5], maybe encourage flatpak use in Qubes 4.0 somehow, and install its
> runtime by default in Qubes 4.0?

that's already going into fedora 25, so it would inherit it by default. i don't see anything about configuring the sandbox.

have you looked at appimage and firejail? https://firejail.wordpress.com/documentation-2/appimage-support/
[qubes-users] Re: AEM from SDCARD on Thinkpad
On Sunday, August 21, 2016 at 10:05:57 AM UTC-7, blar...@gmail.com wrote:
> Trying to configure AEM on an SD card for my Thinkpad.

what model? have you checked the release notes for your bios version or seen if there's an update? have you tried booting the sd card on something else?
[qubes-users] AEM from SDCARD on Thinkpad
Trying to configure AEM on an SD card for my Thinkpad. It installs fine and everything, but the problem comes when I try to boot. Can't boot from the SD Card on this computer...afaik. I've tried setting it to boot from the USB FDD and USB HDD in BIOS like some forums have suggested, but no luck there. Like I said I install AEM, following the instructions in the README to a T, try to boot from the SD card and it boots the OS from the disk. Not sure if this is just an issue with Thinkpads not being able to boot from SD Cards or if there's something I'm not doing right. Any help would be appreciated.
[qubes-users] Re: [qubes-devel] Qubes 3.2RC2 not verifying Checksum but passing Signature?
On 19.08.2016 at 21:03, Andrew David Wong wrote:
> [Moving to qubes-users.]
>
> On 2016-08-19 05:53, kernel[consulting] Sebastian Hültenschmidt wrote:
> > Hi all, I just recently downloaded the 3.2RC2 and verified the signature
> > ok. When I tried to use it, it fails the checksum test after ~4.8%. I
> > rechecked the signature and tried another USB Stick without success. I used
> > it anyway to install, but it had only XFCE window manager, no KDE.
> >
> > To verify I downloaded the 3.2RC1 and it works as expected. Signature ok,
> > checksum test ok, KDE available. I just assume you are not switching
> > packages when transitioning from one RC to another, so I guess there is
> > something broke on the way. RC1 is 4.5 GB, RC2 only 4.0 GB.
> >
> > Did I make a mistake? Anyone else with this behaviour?
> >
> > Best regards,
> >
> > Sebastian
>
> This issue has been reported previously:
>
> https://github.com/QubesOS/qubes-issues/issues/2246
>
> As you can see from the comment, the other user's media check also failed
> after 4.8%. However, copying the same ISO onto a different flash drive (8 GB
> Kingston) from a different computer (Linux Mint 17.1) worked. Perhaps you
> could also try an alternative flash drive and/or computer?
>
> If it still doesn't work for you, we can reopen the issue.

Hi, thanks for the clarification. I redid everything on Qubes 3.2RC1 and, sure enough, it works. Used Rufus before, it seems Windows added some garbage after the drive gets reconnected.

Best regards,
Sebastian
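When the ISO's signature verifies but the installer's media check fails, as in the thread above, comparing the written stick with the ISO byte for byte shows whether the copy on the media differs and where. This is an added example, not part of any message in the thread and not Qubes tooling; `compare_media`, `build_samples` and all sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time


def compare_media(iso_path, media_path, chunk=CHUNK):
    """Compare an ISO with the first len(ISO) bytes of the media it was written to.

    media_path may be a block device (needs read access) or an image file.
    Data on the media beyond the ISO's length is ignored.
    """
    iso_size = os.path.getsize(iso_path)
    iso_hash, media_hash = hashlib.sha256(), hashlib.sha256()
    first_diff, offset = None, 0
    with open(iso_path, "rb") as iso, open(media_path, "rb") as media:
        while offset < iso_size:
            a = iso.read(min(chunk, iso_size - offset))
            if not a:
                break  # ISO shrank while reading; stop rather than loop
            b = media.read(len(a))  # shorter than a if the media ends early
            iso_hash.update(a)
            media_hash.update(b)
            if first_diff is None and a != b:
                common = min(len(a), len(b))
                idx = next((i for i in range(common) if a[i] != b[i]), common)
                first_diff = offset + idx
            offset += len(a)
    return {
        "match": first_diff is None,
        "iso_size": iso_size,
        "first_diff": first_diff,  # byte offset of the first difference
        "percent": None if first_diff is None
        else round(100.0 * first_diff / iso_size, 1),
        "iso_sha256": iso_hash.hexdigest(),
        "media_sha256": media_hash.hexdigest(),
    }


def build_samples(directory):
    """Write constructed sample files: an 'ISO', a clean copy on a larger
    stick, a copy with 16 bytes overwritten inside the image, a truncated copy."""
    iso = bytes(range(256)) * 4096          # 1 MiB of constructed data
    altered = bytearray(iso)
    altered[50000:50016] = b"\x00" * 16     # constructed in-image change
    files = {
        "iso": iso,
        "clean": iso + b"\xff" * 4096,      # trailing data past the image
        "altered": bytes(altered) + b"\xff" * 4096,
        "short": iso[:1000],
    }
    paths = {}
    for name, data in files.items():
        paths[name] = os.path.join(directory, name + ".img")
        with open(paths[name], "wb") as fh:
            fh.write(data)
    return paths


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        p = build_samples(tmp)
        for name in ("clean", "altered", "short"):
            r = compare_media(p["iso"], p[name], chunk=64 * 1024)
            print(name, r["match"], r["first_diff"], r["percent"])
```

A mismatch inside the image range means the copy on the media differs from the verified ISO; data after the end of the image on a larger stick does not affect the result.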
[qubes-users] Qubes OS 4.0 + Wayland + Flatpaks - Can Qubes OS 4.0 become Wayland-only?
I know Joanna has long talked about how insecure X11 is and how the Qubes team worked to isolate the GUI. Wouldn't it be simpler if Qubes became Wayland-only sooner?

It seems Fedora 25 will enable Wayland by default [1], but I think it will still have an XWayland layer for app compatibility. Will Qubes need that, too? Or can it become Wayland-only by the time Qubes OS 4.0 is out? Are there still too many components in the Fedora core that need X11 and can't be transitioned to Wayland anytime soon?

Also, since flatpaks [2] will take full advantage of Wayland security, and it seems to be the app packaging format to take security seriously the most [3][4][5], maybe encourage flatpak use in Qubes 4.0 somehow, and install its runtime by default in Qubes 4.0?

[1] https://linux.slashdot.org/story/16/08/20/0341200/fedora-25-to-run-wayland-by-default-instead-of-xorg-server
[2] https://wiki.gnome.org/Projects/SandboxedApps
[3] http://flatpak.org/press/2016-06-21-flatpak-released.html
[4] https://blogs.gnome.org/uraeus/2016/06/21/fedora-workstation-24-is-out-and-flatpak-is-now-officially-launched/
[5] https://mjg59.dreamwidth.org/42320.html
Re: [qubes-users] Re: installing Signal on Qubes mini-HOWTO
On Saturday, 20 August 2016 at 02:07:17 UTC+2, Gaijin wrote:
> On 2016-08-17 16:08, Chris Laprise wrote:
> > On 08/17/2016 11:35 AM, johnyju...@sigaint.org wrote:
> >> On the Signal matter, just some personal paranoia Re: Signal and Google
> >> Play Services:
> >>
> >> I've been the subject of some rather intense and ongoing hacking (iPhone,
> >> iPad, Android phone/tablet, PC, MacBook, cable modem connection, you name
> >> it).
> >>
> >> On the Android phone, I wiped it several times, and switched to Cyanogen,
> >> but the "weirdness" kept coming back. (Seeing stuff being recorded,
> >> logged, queued to upload etc., when scrutinizing the filesystem with adb.)
> >> The issues often seemed to dance around Google Play Services.
> >>
> >> The problem kept coming back, until last time, when I wiped the phone yet
> >> again, but didn't install Google Play Store (and thus no Google Play
> >> Services). Things *appear* to be stable and secure now, with no
> >> logging/recording/uploading weirdness showing up on the filesystem.
> >>
> >> I'd like to install and use Signal for obvious reasons, but I honestly
> >> don't trust Google Store/Services enough to take the risk.
> >>
> >> (I have a psycho ex with some crooked cop buddies, so I half suspect some
> >> law enforcement/government hook might be present in Google Play Services.
> >> Speculation of course. But I'll personally stay clear for now. I'm not
> >> doing anything illegal, but with crooked cops it really doesn't matter
> >> much. :) )
> >>
> >> I did get a copy of Signal from apkmirror, but I expect it might not work
> >> without Play Services, and I'm not sure it'd be smart to implicitly trust
> >> apkmirror, either. So I'll keep my SmartPhone as a DumbPhone for now.
> >>
> >> I was kind of excited to hear about Signal for Chromium, but disappointed
> >> to find it relied upon you also having it installed on your smartphone.
> >>
> >> Aand then there's this:
> >> http://arstechnica.com/security/2015/06/not-ok-google-chromium-voice-extension-pulled-after-spying-concerns/
> >>
> >> Not cool, Google.
> >>
> >> Cheers. :)
> >>
> >
> > I have to say I don't understand the logic of tying an app like Signal
> > to Google, meaning the user is attached to Google at the hip.
> > Especially when an app like Ring.cx operates without a browser or even
> > a server, which seems far less risky.
> >
> > Chris
>
> But Google just announced their end of support for Chrome apps on
> Windows, Mac, and Linux in early 2018.
> https://blog.chromium.org/2016/08/from-chrome-apps-to-web.html
> Won't that kill the Signal app?

We'll probably have to repeat the same steps in a Chrome OS VM.
Re: [qubes-users] AMD Zen Secure Encrypted Virtualization (SEV)
On Saturday, August 20, 2016 at 6:05:39 PM UTC+3, J. Eppler wrote:
> Hello,
>
> till now the argument of Qubes OS was that there are no laptops with AMD
> CPUs or APUs which Qubes OS can run on.
>
> Qubes OS primary focus is on laptops and then on workstations.
>
> Qubes OS uses Xen to isolate "qubes" (vms) from each other. Xen can run on
> AMD, Intel, ARM and other platforms. Therefore Qubes itself is not dependent
> on the hardware itself. Qubes depends on certain virtualization extensions
> like Second Level Address Translation (SLAT), CPU virtualization extension
> and IO-Virtualization (IOMMU). AMD has all those virtualization features. So,
> in theory Qubes OS could run on AMD chips.
>
> The problem till now was that AMD was not producing any hardware which was
> able to compete with Intel's quasi-monopoly. This changed with this week's
> AMD Zen announcement. The next question is: when will AMD Zen CPUs
> appear in laptops?
>
> The next question is, will AMD offer SEV support for consumer CPUs?

I thought I read somewhere that Qubes is moving to hardware-enabled virtualization, though?

Zen laptops were supposed to arrive first half of 2017, but I think they got delayed to second half of 2017 now. So yeah, it will be a while until enough people have these. But a Qubes/OEM partnership could still make them relevant sooner.

I don't know if SEV will be in all consumer chips, but considering SGX is in Skylake+ now, I would hope so. AMD does seem to target this at "cloud companies" in their paper, though...I'm sure we'll find out more about it by early next year.
[qubes-users] Re: Problem on port forwarding to a VM from the outside world
Any help to configure sys-firewall would be also really appreciated.

I got this annoying pop-up when I click on "Firewall rules" tab under the sys-firewall proxyVM settings:

"The 'sys-firewall' AppVM is not network connected to a FirewallVM! You may edit the 'sys-firewall' VM firewall rules, but these will not take any effect until you connect it to a working Firewall VM."

The only subject related to this problem I found is this message from Unman on Qubes-users group:

"When you configure the firewall rules for a vm those rules are applied ON THE FIREWALL to which the vm is attached. So the error message you get is entirely accurate - your firewall is not attached to a firewall and so the rules cannot be applied. Of course you COULD configure a firewall between the fw and the netvm but the same consideration would apply to THAT fw. There's no reason why you can't configure the fw iptables by hand if you want to: you can use /rw/config/qubes-firewall-user-script to have these rules applied automatically."

Ok so here's what I understand from this message: this proxyVM Firewall is probably working but rules don't apply because it is attached to a NetVM, which doesn't have any firewall policies by default.

https://www.qubes-os.org/doc/qubes-firewall/

Official documentation says:

"Every VM in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies. By default there is one default Firewall VM, but the user is free to create more, if needed."

And then you got explanations on how to edit rules in a specific VM for a given domain. So I understand you have to edit rules on an AppVM to open up ports there, but I mean not everyone running Qubes OS is highly graduated in IT and network routing. I find it quite disappointing that the official documentation doesn't mention more clearly how to set up the default sys-firewall proxyVM, like if you are supposed to check either "Deny network access except" or "Allow network access except" button or if that doesn't matter, if those policies won't apply anyway because of this pop-up...