Re: [qubes-users] Bitcoin Qubes tutorial

2016-09-14 Thread Franz
On Wed, Sep 14, 2016 at 8:54 PM, Marek Marczykowski-Górecki <
marma...@invisiblethingslab.com> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On Wed, Sep 14, 2016 at 08:07:35PM -0300, Franz wrote:
> > On Thu, Jun 30, 2016 at 12:42 AM, Andrew David Wong 
> > wrote:
> >
> > > -BEGIN PGP SIGNED MESSAGE-
> > > Hash: SHA512
> > >
> > > On 2016-06-29 09:37, Franz wrote:
> > > > But how can I trust a printing dispVM for something as sensitive as
> > > > a hot wallet? We would need two different dispVMs but we are not
> > > > there yet.
> > >
> > > Indeed, not yet, but it will be implemented in R4.0:
> > >
> > > https://groups.google.com/d/topic/qubes-devel/xLZU0R5ijCg/discussion
> > > https://github.com/QubesOS/qubes-issues/issues/866
> > > https://github.com/QubesOS/qubes-issues/issues/2075
> > >
> > > - --
> > > Andrew David Wong (Axon)
> > > Community Manager, Qubes OS
> > > https://www.qubes-os.org
> > >
> >
> > Andrew,
> > After various tests I am getting a bit more confidence about bitcoins. So I
> > prepared the promised tutorial. I tried to go to Qubes documentation to see
> > if there is any way to upload it, but found no reference. So I post it
> > here. Perhaps you know what to do.
>
> Thanks!
>
> Below some comments about installation.
>
> > Best
> > Fran
> >
> > BITCOIN WITH ELECTRUM
> >
> > Install Electrum in Fedora template
> >
> > Download the Electrum executable:
> > wget https://download.electrum.org/2.6.4/Electrum-2.6.4.tar.gz
> >
> > Download the signature:
> > wget https://download.electrum.org/2.6.4/Electrum-2.6.4.tar.gz.asc
> >
> > Import the public key of the signer, ThomasV
> > gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6
> >
> > Verify the executable
> > gpg --verify Electrum-2.6.4.tar.gz.asc Electrum-2.6.4.tar.gz
> >
> > If it tells “Good signature from “Thomas Voegtlin (https://electrum.org)
> > ...) it is ok independently from the subsequent warning.
>
> To this point it's ok.
>
> > Install
> > sudo apt-get update
>
> Interesting - I've thought it was for Fedora template (as stated at the
> beginning)...
>
> > Install dependencies:
> > sudo apt-get install python-qt4 python-pip
> >
> > On Qubes manager -> debian-template -> edit firewall rules -> flag “allow
> > full access for 5 minutes”
> > Install Electrum:
> > sudo pip install Electrum-2.6.4.tar.gz
>
> But if that's going to be on Debian, there is already electrum Debian
> package. I suggest using version from backports, as the one in stable is
> quite ancient.
>
> So, for Debian installation instruction would be:
>
> 1. Enable Debian Backports:
>
> https://backports.debian.org/Instructions/#index2h2
>
> 2. Install electrum:
>
> sudo apt-get update && sudo apt-get -t jessie-backports install electrum
>
> For Fedora on the other hand, it's better to avoid using 'pip install',
> especially in template, as it does not verify any sort of signature. I
> believe the only integrity assuring mechanism used there is HTTPS to the
> server. But nothing to verify actually downloaded file.
>

I started writing this tutorial some time ago using the Debian template. But
then found that the available release on apt-get install was so old
(1.9.8-4) that it did not include the multi-signature wallet mentioned in
the tutorial. So wanted the new release and the suggested method was
pip-install, but for some reason pip-install did not work of the old
release, even after removing it. So resorted to using Fedora which worked
with pip-install, but forgot to correct the tutorial.

Anyway, using Debian backports the installed version is 2.6.4, just the
same that was available using pip. So everything ok and much easier.
Thanks Marek.

I have corrected the tutorial accordingly:

BITCOIN WITH ELECTRUM

Install Electrum in Debian template (Fedora template is not recommended
because Electrum package is not available and the pip install method does
not verify signatures)

Enable Debian Backports:

https://backports.debian.org/Instructions/#index2h2

Install electrum:

sudo apt-get update && sudo apt-get -t jessie-backports install electrum

After installation, create two new VMs depending from the same Debian
template

one allowing networking, we call it “hot”
the other one not allowing networking, we call it “cold”

Launch the Electrum application in the cold VM for example writing
“electrum” in Qubes Manager/”run command in VM”

Create a new 2-2 Multi-Signature wallet and properly save the “seed” and
the password.

Do the same with the hot VM, then follow the GUI exchanging the public keys
between hot and cold VMs.

Next option on hot VM: autoconnect is the easier way. It will take some time
to connect.

Then on receive tab of hot VM you find your address for receiving bitcoins.
It is enough to send bitcoins to this address to receive them. They will
appear only on Electrum of hot VM because it is the only one connected.

Once you have bitcoins you can send them. Transaction should 

Re: [qubes-users] Re: Qubes OS 3.2 rc3: can not boot with VT-d enabled on DELL T7400 (XEON E5440, Intel 5400 chipset)

2016-09-14 Thread Marek Marczykowski-Górecki
On Wed, Sep 14, 2016 at 01:22:56AM -0700, ludwig jaffe wrote:
> On Tuesday, 13 September 2016 09:57:53 UTC+2, ludwig jaffe wrote:
> > Qubes OS 3.2 rc3: can not boot with VT-d enabled on DELL T7400 (XEON E5440, 
> > Intel 5400 chipset)
> > 
> > Hi all, I can NOT boot on my machine, Dell T7400 (XEON E5440, Intel 5400 
> > chipset, LSI HW-RAID1 "DELL SAS6" and 4GB RAM - will become more) with VT-d 
> > enabled. 
> > When I disable VT-d in bios, the machine boots and can run several VMs.
> > 
> > VT-d is needed to assign certain pci-devices to VMs (e.g. scsi-controller 
> > to vm with some proprietary scanner application running windows).
> > 
> > How does it behave?
> > 
> > The grub screen is loaded, and one can select the options, here I edit to 
> > remove quiet as I want to see.
> > 
> > So grub loads, XEN, vmlinuz, initrd.img,
> > and then it crashes on the spot, causing the machine to reboot.
> > 
> > No debug output can be seen.
> > 
> > Any Ideas?
> > 
> > 
> > Thanks,
> > 
> > 
> > Ludwig
> 
> Hi, I tried to change this in grub while booting:
> press esc and edit the line  with the kernel parameters and I removed "quiet"
> and added "console=com1 com1=115200,8n1
> loglvl=all"

This should go to xen parameters, not linux kernel. The line with
"xen.gz" (instead of "console=none").

> Also I tried with com2 as my fat DELL T7400 has 2 real serial interfaces.
> I used a 0 modem cable and minicom with a linux laptop that also has a real 
> serial interface.
> But maybe, I made a mistake (wrong /dev/tty or cable problem) and I will 
> check again and redo it.
> But the console output was still written to the screen (I guess it is the 
> output of grub while it boots). After grub finishes loading XEN, KERNEL, 
> initrd.img, the machine crashes on the spot with VT-d enabled, and reboots.

Just an idea - try also iommu=no-igfx xen option. It helps in some
cases...

> So I guess the initial code that gets executed after grub, which should be 
> the xen, causes the machine to crash.
> Any Ideas? 
> Is there a debug-version of xen that qubes-os uses. 
> The parameters in grub where I remove this stupid "quiet" are just for the 
> kernel, that gets executed later, after xen!
> I do not see any screen output, even no flicker with text. 
> Just after grub finishes a blank black screen and then the machine reboots.
> So xen should at least write some hello world stuff to the screen.
> 
> Quite strange. How to debug xen?
> 


- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160915003644.GW31510%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: netvm doesn't recognize physical hardware switch state

2016-09-14 Thread Boris Kourtoukov
On Wednesday, September 14, 2016 at 3:57:52 AM UTC-4, Connor Page wrote:
> with such a fairly fresh kernel you probably should make sure you also have 
> the latest bios. some people also claim that resetting bios settings 
> miraculously makes their wifi work in Linux.

And there isn't a hardware (controller) that I am just not assigning to the 
netvm for it to see the switch state? That is handled by the same device as the 
wireless card?



Re: [qubes-users] Bitcoin Qubes tutorial

2016-09-14 Thread Marek Marczykowski-Górecki
On Wed, Sep 14, 2016 at 08:07:35PM -0300, Franz wrote:
> On Thu, Jun 30, 2016 at 12:42 AM, Andrew David Wong 
> wrote:
> 
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA512
> >
> > On 2016-06-29 09:37, Franz wrote:
> > > But how can I trust a printing dispVM for something as sensitive as
> > > a hot wallet? We would need two different dispVMs but we are not
> > > there yet.
> >
> > Indeed, not yet, but it will be implemented in R4.0:
> >
> > https://groups.google.com/d/topic/qubes-devel/xLZU0R5ijCg/discussion
> > https://github.com/QubesOS/qubes-issues/issues/866
> > https://github.com/QubesOS/qubes-issues/issues/2075
> >
> > - --
> > Andrew David Wong (Axon)
> > Community Manager, Qubes OS
> > https://www.qubes-os.org
> >
> 
> Andrew,
> After various tests I am getting a bit more confidence about bitcoins. So I
> prepared the promised tutorial. I tried to go to Qubes documentation to see
> if there is any way to upload it, but found no reference. So I post it
> here. Perhaps you know what to do.

Thanks!

Below some comments about installation.

> Best
> Fran
> 
> BITCOIN WITH ELECTRUM
> 
> Install Electrum in Fedora template
> 
> Download the Electrum executable:
> wget https://download.electrum.org/2.6.4/Electrum-2.6.4.tar.gz
> 
> Download the signature:
> wget https://download.electrum.org/2.6.4/Electrum-2.6.4.tar.gz.asc
> 
> Import the public key of the signer, ThomasV
> gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6
> 
> Verify the executable
> gpg --verify Electrum-2.6.4.tar.gz.asc Electrum-2.6.4.tar.gz
> 
> If it tells “Good signature from “Thomas Voegtlin (https://electrum.org)
> ...) it is ok independently from the subsequent warning.

To this point it's ok.

> Install
> sudo apt-get update

Interesting - I've thought it was for Fedora template (as stated at the
beginning)...

> Install dependencies:
> sudo apt-get install python-qt4 python-pip
> 
> On Qubes manager -> debian-template -> edit firewall rules -> flag “allow
> full access for 5 minutes”
> Install Electrum:
> sudo pip install Electrum-2.6.4.tar.gz

But if that's going to be on Debian, there is already electrum Debian
package. I suggest using version from backports, as the one in stable is
quite ancient.

So, for Debian installation instruction would be:

1. Enable Debian Backports:

https://backports.debian.org/Instructions/#index2h2

2. Install electrum:

sudo apt-get update && sudo apt-get -t jessie-backports install electrum

For Fedora on the other hand, it's better to avoid using 'pip install',
especially in template, as it does not verify any sort of signature. I
believe the only integrity assuring mechanism used there is HTTPS to the
server. But nothing to verify actually downloaded file.

> create two new VMs depending from the same template
> 
> one allowing networking, we call it “hot”
> the other one not allowing networking, we call it “cold”
> 
> Launch the Electrum application in the cold VM for example writing
> “electrum” in Qubes Manager/”run command in VM”
> 
> Create a new 2-2 Multi-Signature wallet and properly save the “seed” and
> the password.
> 
> Do the same with the hot VM, then follow the GUI exchanging the public keys
> between hot and cold VMs.
> 
> Next option on hot VM: autoconnect is the easier way. It will take some time
> to connect.
> 
> Then on receive tab of hot VM you find your address for receiving bitcoins.
> It is enough to send bitcoins to this address to receive them. They will
> appear only on Electrum of hot VM because it is the only one connected.
> 
> Once you have bitcoins you can send them. Transaction should start on hot
> VM Electrum, because the balance on cold Electrum is zero. So using "Send
> tab" of hot Electrum you prepare your transaction with the address of the
> beneficiary. Then you click on send button. On the next window you can save
> your transaction file and then move your file to the cold VM see:
> https://www.qubes-os.org/doc/copying-files/. Using Tools tab/load
> transaction on cold Electrum you can find the moved file, sign it and save
> it again. Finally you move the signed transaction file to the hot VM in the
> same way, load it to the hot Electrum and pay it.
> 
> LIMIT FIREWALL RULES TO ELECTRUM SERVERS
> For additional security you can limit the firewall rules of hot VM to
> connect only to Electrum servers.
> To do that:
> Run Marek script
> https://gist.github.com/marmarek/1d0a296930b7784327aaf9a801ec5585
> into a terminal of hot VM then launch Electrum that tries to connect to the
> net, but cannot because the firewall is manually set to "Deny network
> access except...". After some time the terminal will fill with firewall
> setting of Electrum servers. Then copy these settings into a file in the
> same hot VM.
> 
> then from Dom0 terminal write:
> 
> qvm-run --pass-io appl-VM-name 'cat path to just-created-file'
> 
> This makes all the firewall setting to appear 
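
An added example, not part of the thread and not Electrum's or Qubes' own code: the reply above notes that 'pip install' checks no signature, so the gpg step is the only integrity check on the tarball. This sketch reads gpg's --status-fd output and accepts the file only when the signature is valid and was made by one pinned full fingerprint. PINNED_FPR, the function names and the sample status lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: accept a detached signature only if gpg reports it as valid
# AND made by one pinned primary key. Typical use in the template VM:
#   gpg --status-fd 1 --verify Electrum-2.6.4.tar.gz.asc Electrum-2.6.4.tar.gz \
#       2>/dev/null | signed_by_pinned_key "$PINNED_FPR" \
#       && echo "signature OK for this file"

# PLACEHOLDER fingerprint, constructed for this example. Use the signer's full
# 40-hex-digit fingerprint, obtained over a channel you trust. The 8-digit ID
# 7F9470E6 covers only the last 32 bits, which unrelated keys can share.
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF7F9470E6

# stdin: gpg status lines. $1: pinned primary-key fingerprint.
# Returns 0 only if a VALIDSIG line ends with that fingerprint (the last
# VALIDSIG field is the primary key) and no line reports a bad signature,
# an error, or an expired or revoked signature or key.
signed_by_pinned_key() {
    LC_ALL=C awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { good = 1 }
        END { exit !(good && !bad) }
    '
}

# Constructed status output: valid signature from the pinned key.
sample_pinned_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF7F9470E6 Example Signer (constructed)
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF7F9470E6 2016-09-01 1472688000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF7F9470E6
EOF
}

# Constructed: valid signature from a different key that carries the same
# 8-digit ID and the same user name. gpg reports a good signature for any
# key that is present in the keyring.
sample_lookalike_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 765432107F9470E6 Example Signer (constructed)
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA98765432107F9470E6 2016-09-01 1472688000 0 4 0 1 8 00 FEDCBA9876543210FEDCBA98765432107F9470E6
EOF
}

# Constructed: the file does not match the signature.
sample_badsig_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF7F9470E6 Example Signer (constructed)
EOF
}

sample_pinned_status | signed_by_pinned_key "$PINNED_FPR" \
    && echo "pinned key: accepted"
sample_lookalike_status | signed_by_pinned_key "$PINNED_FPR" \
    || echo "same 8-digit ID, other key: rejected"
```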

[qubes-users] HCL - Lenovo T530 2429CQ9

2016-09-14 Thread Andrew
Installation from a USB stick took some time but worked fine.

To boot, I have had to go into the BIOS and force the Intel integrated GPU
on (ie disable the NVIDIA GPU). I may try to work through the
troubleshooting steps for the NVIDIA GPU but for my needs, the Intel is
fine for now.



Qubes-HCL-LENOVO-2429CQ9-20160914-161642.yml
Description: application/yaml


Re: Negative test result for fedora 24... Was: Re: Request for test: Re: [qubes-users] Fedora 24?

2016-09-14 Thread Marek Marczykowski-Górecki
On Wed, Sep 14, 2016 at 11:27:20PM +0200, Achim Patzner wrote:
> On 14.09.2016 at 23:16, Marek Marczykowski-Górecki wrote:
> > > Ok, as everybody was looking for a problem, I finally found one. I've been
> > > bitten by this
> > > http://forums.fedoraforum.org/showthread.php?p=1770311 ("/etc/resolv.conf
> > > missing once NetworkManager is stopped") and don't really know how to deal
> > > with it right now in a way that does not require quite a bit of work.
> >
> > > Marek? Is NetworkManager necessary for a happy AppVM? Does anybody know what
> > > this is good for and how to counter it?
> >
> > No, it shouldn't be needed in AppVM, only in NetVM.
> 
> Nevertheless I've been bitten by this nonsense for some unknown reason;
> maybe I've awoken some mummy in its grave when I added NM-based things
> to the template in order to create a vpn proxy VM. No matter why, it
> might be a good idea to add
> 
> rc-manager=file
> 
> to the [main] section of NetworkManager.conf to avoid running into it
> suddenly. 

This is indeed a good idea, thanks.
https://github.com/marmarek/qubes-core-agent-linux/pull/83

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Bitcoin Qubes tutorial

2016-09-14 Thread Franz
On Thu, Jun 30, 2016 at 12:42 AM, Andrew David Wong 
wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On 2016-06-29 09:37, Franz wrote:
> > But how can I trust a printing dispVM for something as sensitive as
> > a hot wallet? We would need two different dispVMs but we are not
> > there yet.
>
> Indeed, not yet, but it will be implemented in R4.0:
>
> https://groups.google.com/d/topic/qubes-devel/xLZU0R5ijCg/discussion
> https://github.com/QubesOS/qubes-issues/issues/866
> https://github.com/QubesOS/qubes-issues/issues/2075
>
> - --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org
>

Andrew,
After various tests I am getting a bit more confidence about bitcoins. So I
prepared the promised tutorial. I tried to go to Qubes documentation to see
if there is any way to upload it, but found no reference. So I post it
here. Perhaps you know what to do.
Best
Fran

BITCOIN WITH ELECTRUM

Install Electrum in Fedora template

Download the Electrum executable:
wget https://download.electrum.org/2.6.4/Electrum-2.6.4.tar.gz

Download the signature:
wget https://download.electrum.org/2.6.4/Electrum-2.6.4.tar.gz.asc

Import the public key of the signer, ThomasV
gpg --keyserver pool.sks-keyservers.net --recv-keys 7F9470E6

Verify the executable
gpg --verify Electrum-2.6.4.tar.gz.asc Electrum-2.6.4.tar.gz

If it tells “Good signature from “Thomas Voegtlin (https://electrum.org)
...) it is ok independently from the subsequent warning.

Install
sudo apt-get update

Install dependencies:
sudo apt-get install python-qt4 python-pip

On Qubes manager -> debian-template -> edit firewall rules -> flag “allow
full access for 5 minutes”
Install Electrum:
sudo pip install Electrum-2.6.4.tar.gz

create two new VMs depending from the same template

one allowing networking, we call it “hot”
the other one not allowing networking, we call it “cold”

Launch the Electrum application in the cold VM for example writing
“electrum” in Qubes Manager/”run command in VM”

Create a new 2-2 Multi-Signature wallet and properly save the “seed” and
the password.

Do the same with the hot VM, then follow the GUI exchanging the public keys
between hot and cold VMs.

Next option on hot VM: autoconnect is the easier way. It will take some time
to connect.

Then on receive tab of hot VM you find your address for receiving bitcoins.
It is enough to send bitcoins to this address to receive them. They will
appear only on Electrum of hot VM because it is the only one connected.

Once you have bitcoins you can send them. Transaction should start on hot
VM Electrum, because the balance on cold Electrum is zero. So using "Send
tab" of hot Electrum you prepare your transaction with the address of the
beneficiary. Then you click on send button. On the next window you can save
your transaction file and then move your file to the cold VM see:
https://www.qubes-os.org/doc/copying-files/. Using Tools tab/load
transaction on cold Electrum you can find the moved file, sign it and save
it again. Finally you move the signed transaction file to the hot VM in the
same way, load it to the hot Electrum and pay it.

LIMIT FIREWALL RULES TO ELECTRUM SERVERS
For additional security you can limit the firewall rules of hot VM to
connect only to Electrum servers.
To do that:
Run Marek script
https://gist.github.com/marmarek/1d0a296930b7784327aaf9a801ec5585
into a terminal of hot VM then launch Electrum that tries to connect to the
net, but cannot because the firewall is manually set to "Deny network
access except...". After some time the terminal will fill with firewall
setting of Electrum servers. Then copy these settings into a file in the
same hot VM.

then from Dom0 terminal write:

qvm-run --pass-io appl-VM-name 'cat path to just-created-file'

This makes all the firewall settings appear directly on Dom0 terminal. It
is enough to copy all of them and paste them on the same terminal and it is
done. These are the firewall settings that appeared in hot VM for Electrum
servers:
qvm-firewall -a hot btc.mustyoshi.com. tcp 50002
qvm-firewall -a hot erbium1.sytes.net. tcp 50002
qvm-firewall -a hot electrum.trouth.net. tcp 50002
qvm-firewall -a hot eniac.snel.it. tcp 50002
qvm-firewall -a hot electrum.vom-stausee.de. tcp 50002
qvm-firewall -a hot bitcoins.sk. tcp 50002
qvm-firewall -a hot ecdsa.net. tcp pop3
qvm-firewall -a hot antumbra.se. tcp 50002
qvm-firewall -a hot ELECTRUM.jdubya.info. tcp 50002
qvm-firewall -a hot home.hach.re. tcp 50002
qvm-firewall -a hot JElectrum.jdubya.info. tcp 50002
qvm-firewall -a hot us4.einfachmalnettsein.de. tcp 50002
qvm-firewall -a hot electrum.online. tcp 50002
qvm-firewall -a hot elec.luggs.co. tcp https
qvm-firewall -a hot jwu42.hopto.org. tcp 50004
qvm-firewall -a hot electrum.no-ip.org. tcp 50002
qvm-firewall -a hot electrum-europe.trouth.net. tcp 50002
qvm-firewall -a hot VPS.hsmiths.com. tcp 50002
qvm-firewall -a hot petrkr.net. tcp 50002
qvm-firewall -a hot bitcoin.dragon.zone. 
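
An added example, not part of the tutorial and not Qubes' own tooling: text that arrives in dom0 from a VM is untrusted input, so one way to handle the copy-and-paste step above is to pass it through a filter that keeps only lines of the exact form the tutorial shows. The function names are hypothetical; the first four sample lines are taken from the list above (the fourth is cut off there) and the last two are constructed.

```shell
#!/bin/sh
# Added example: in dom0, keep only well-formed rule lines from VM output.
# Use with the tutorial's own command, then read rules.sh before running it:
#   qvm-run --pass-io hot 'cat <path to just-created file>' \
#       | filter_firewall_lines hot > rules.sh

# $1: the VM the rules must target. stdin: text received from the VM.
# stdout: accepted lines, rebuilt from the validated fields only.
# Returns 1 if any line was rejected. Rejected text is never echoed to the
# terminal, only its line number.
filter_firewall_lines() {
    LC_ALL=C awk -v vm="$1" '
        function host_ok(h) {
            return length(h) <= 254 &&
                   h ~ /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?\.$/
        }
        function port_ok(p) {
            if (p ~ /^[0-9]+$/)
                return length(p) <= 5 && p + 0 >= 1 && p + 0 <= 65535
            return p ~ /^[a-z][a-z0-9-]*$/    # service name such as https
        }
        NF == 0 { next }                      # blank lines are harmless
        NF == 6 && $1 == "qvm-firewall" && $2 == "-a" && $3 == vm &&
        host_ok($4) && $5 == "tcp" && port_ok($6) {
            print $1, $2, $3, $4, $5, $6
            next
        }
        { bad++; print "rejected input line " NR > "/dev/stderr" }
        END { exit (bad > 0) }
    '
}

# Sample input: lines 1-4 as they appear in the list above, 5-6 constructed
# (wrong target VM, trailing text after the port).
sample_vm_output() {
    cat <<'EOF'
qvm-firewall -a hot btc.mustyoshi.com. tcp 50002
qvm-firewall -a hot ecdsa.net. tcp pop3
qvm-firewall -a hot elec.luggs.co. tcp https
qvm-firewall -a hot bitcoin.dragon.zone.
qvm-firewall -a work example.invalid. tcp 50002
qvm-firewall -a hot example.invalid. tcp 50002 && echo unexpected
EOF
}

sample_vm_output | filter_firewall_lines hot \
    || echo "some lines were rejected; review the input before use" >&2
```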

[qubes-users] Re: Using virt-viewer for remote systems

2016-09-14 Thread pixel fairy
On Wednesday, September 14, 2016 at 12:30:34 PM UTC-7, ludwig jaffe wrote:

> From a user point of view:
> Just send the red framed applications to another remote user to display them 
> there, after the user authenticated to the machine and his role allow him to 
> see red framed applications of the red VM only.
> 
> This would be cool for collaboration.

this is already possible. you can use vnc or rdp, for example, or services like 
chrome remote desktop.

for just a text connection you can use gnu screen or tmux. 

because of qubes network model, you'll have to port forward either from the 
network/firewall/proxy vm, or tunnel out with ssh, netcat etc.

for example, you want to share your screen with a collaborator, and you both 
have a ssh access to ourprivateshell.example.com. in your shared vm, ssh -R 
5900:127.0.0.1:5900 ourprivateshell.example.com then your collaborator will ssh 
-L 5900:127.0.0.1:5900 ourprivateshell.example.com and run their vncviewer. 

for this session, you would want to run that appvm in one screen instead of the 
usual qubes mixed windows. an hvm is one easy way.

is there an easy way to run an appvm in a single window?



[qubes-users] Re: How to set up Internet Connection Sharing over USB..?

2016-09-14 Thread neilhardley
Alternatively, I could do this with Ethernet.

I know that you can right-click the network icon, click "edit connections", go 
to IPV4 settings, and edit it as network sharing for the WIRED connection.

However, this is only going to share the overall connection.

I am looking to explicitly share the Whonix/Tor connection only.

thanks



Re: [qubes-users] Re: Block device (LVM) as VM's disk image?

2016-09-14 Thread Marek Marczykowski-Górecki
On Wed, Sep 14, 2016 at 11:22:18AM -0700, Vít Šesták wrote:
> Just noting two more pitfalls:
> 
> 1) When you create a new device, you should overwrite all the content 
> (standard mkfs is not enough) before attaching it to a VM. If you don't do 
> so, the VM might get some old data leaked from another VM. Maybe thin LVs 
> have a different behavior.

LVM thin doesn't have this problem, as blocks are allocated at first write
only (reading blocks not written before will yield zeros). But we may
want to clear the data anyway at VM removal, for various reasons (like
anti-forensics).

> 2) When booting from Qubes installation image and trying to perform system 
> recovery, it seems to scan all LVs, regardless they are dom0 LVs or domU LVs. 
> This is potentially dangerous (filesystem parsing bugs). And since the 
> installation image is not updated frequently, there is even higher 
> probability of a known unpatched vulnerability. Maybe it could be determined 
> by the name if it should be scanned.

Yes, we'll probably include the same udev rules (blacklisting scanning
VM-related devices) also in installer/recovery image.

> Since LVM thin volumes are to be used in Qubes 4.0, I'd like to ask you if 
> Qubes addresses those two issues there.

Thanks for reminding this, I've created an issue to not forget about
this one:
https://github.com/QubesOS/qubes-issues/issues/2319

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
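
An added example, not part of the thread and not Qubes' own code: one way to act on pitfall 1 for a volume that is not thin-provisioned is to overwrite it and then confirm that it reads back as zeros before attaching it to a VM. The function names are hypothetical, and the demonstration runs on a constructed image file rather than a real LV.

```shell
#!/bin/sh
# Added example: wipe a volume and confirm that no residue is left on it.
# Per the reply above, a fresh thin LV should already pass reads_as_zeros.

# Size in bytes of a block device (needs blockdev from util-linux) or a file.
volume_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# 0 = every byte reads as zero, 1 = residue found, 2 = size not readable.
reads_as_zeros() {
    size=$(volume_size "$1") || return 2
    [ -n "$size" ] || return 2
    head -c "$size" /dev/zero | cmp -s - "$1"
}

# Overwrites the whole volume with zeros, then re-reads it to confirm.
wipe_and_verify() {
    size=$(volume_size "$1") || return 2
    [ -n "$size" ] || return 2
    head -c "$size" /dev/zero |
        dd of="$1" bs=65536 conv=notrunc 2>/dev/null || return 2
    sync
    reads_as_zeros "$1"
}

# Constructed stand-in for a reused volume: 64 KiB of zeros with a marker
# string left at offset 4096, as stale data from an earlier VM would be.
make_stale_image() {
    img=$(mktemp) || return 1
    head -c 65536 /dev/zero > "$img"
    printf 'CONSTRUCTED RESIDUE FROM AN EARLIER VM' |
        dd of="$img" bs=1 seek=4096 conv=notrunc 2>/dev/null
    printf '%s\n' "$img"
}

demo_img=$(make_stale_image)
reads_as_zeros "$demo_img" || echo "before wipe: residue found"
wipe_and_verify "$demo_img" && echo "after wipe: reads as zeros"
rm -f "$demo_img"
```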


Re: Negative test result for fedora 24... Was: Re: Request for test: Re: [qubes-users] Fedora 24?

2016-09-14 Thread Achim Patzner
On 14.09.2016 at 23:16, Marek Marczykowski-Górecki wrote:
> > Ok, as everybody was looking for a problem, I finally found one. I've been
> > bitten by this
> > http://forums.fedoraforum.org/showthread.php?p=1770311 ("/etc/resolv.conf
> > missing once NetworkManager is stopped") and don't really know how to deal
> > with it right now in a way that does not require quite a bit of work.
>
> > Marek? Is NetworkManager necessary for a happy AppVM? Does anybody know what
> > this is good for and how to counter it?
>
> No, it shouldn't be needed in AppVM, only in NetVM.

Nevertheless I've been bitten by this nonsense for some unknown reason;
maybe I've awoken some mummy in its grave when I added NM-based things
to the template in order to create a vpn proxy VM. No matter why, it
might be a good idea to add

rc-manager=file

to the [main] section of NetworkManager.conf to avoid running into it
suddenly. For something as unclean as a standard Linux system it is
ridiculous to suddenly start symlinking files around (and the generating
conflicts between systemd and NetworkManager – didn't anyone learn
anything from Apple's early problems with launchd?).


Achim




Re: Negative test result for fedora 24... Was: Re: Request for test: Re: [qubes-users] Fedora 24?

2016-09-14 Thread Marek Marczykowski-Górecki
On Wed, Sep 14, 2016 at 10:01:19PM +0100, Noses wrote:
> On Tue, 13 Sep 2016 12:35:20 -0700 (PDT)
>  pixel fairy  wrote:
> > i think fedora24 should be the default template for qubes 3.2. we're all
> > testing it, can't see any problems. we can't have an EOL release for
> > appvms.
> 
> Ok, as everybody was looking for a problem, I finally found one. I've been
> bitten by this
> http://forums.fedoraforum.org/showthread.php?p=1770311 ("/etc/resolv.conf
> missing once NetworkManager is stopped") and don't really know how to deal
> with it right now in a way that does not require quite a bit of work.
> 
> Marek? Is NetworkManager necessary for a happy AppVM? Does anybody know what
> this is good for and how to counter it?

No, it shouldn't be needed in AppVM, only in NetVM.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



[qubes-users] HCL - Asus Zenbook UX501VW

2016-09-14 Thread afry
My touchpad didn't work, but the touchscreen worked well. This was from 
R 3.1. I wasn't able to scale the screen appropriately enough for 
everyday use, it was tough to figure out how to attach the usb device to 
the virtual machines, and I needed to install fuse-exfat for my usb 
drives to be recognized. I really would like to be able to use this 
operating system everyday, but I am finding it a little advanced for me 
to figure out. I attempted to install 3.2 rc3, but I'm getting an error 
message right after trying to do the partitioning, also the graphical 
installer didn't show up on my screen. What has happened during this 
install is:



Partition Scheme options

3)LVM

storage configuration failed: autopart failed:

Encryption requested for LUKS device nvmc01p3 but no encryption key 
specified for this device.


NMI watchdog: BUG: soft lockup - CPU#7 stuck for 22s! [Xorg:1189] <-- 
this is repeated a bunch of times.



I don't know if this helps.


Ann Fry



Qubes-HCL-ASUSTeK_COMPUTER_INC.-N501VW-20160914-135929.yml
Description: application/yaml


Negative test result for fedora 24... Was: Re: Request for test: Re: [qubes-users] Fedora 24?

2016-09-14 Thread Noses

On Tue, 13 Sep 2016 12:35:20 -0700 (PDT)
 pixel fairy  wrote:
> i think fedora24 should be the default template for qubes 3.2. were all
> testing it, cant see any problems. we cant have an EOL release for
> appvms.


Ok, as everybody was looking for a problem, I finally found one. I've been 
bitten by this
http://forums.fedoraforum.org/showthread.php?p=1770311 ("/etc/resolv.conf 
missing once NetworkManager is stopped") and don't really know how to deal 
with it right now in a way that does not require quite a bit of work.


Marek? Is NetworkManager necessary for a happy AppVM? Does anybody know what 
this is good for and how to counter it?



Achim



[qubes-users] Re: Creation of imsm container failes. Setting up Inter RST RAID array.

2016-09-14 Thread Robert
On Wednesday, 14 September 2016 19:44 <3n7r0...@gmail.com> wrote:
> On Wednesday, September 14, 2016 at 3:42:02 PM UTC, Robert wrote:
> > Hi!
> > 
> > I could use some help with setting up Intel hw raid array. I have two, 4 TB 
> > drives that I want to use purely for storage (no booting) as a raid 1 array.
> > I did manage to set them up as a software RAID using mdadm. However, I 
> > would want the array to also be accessible from Windows 10 installation. 
> > AFAIK to achieve this I need to use hardware RAID created in BIOS by Intel 
> > Rapid Storage Technology (RST).
> > 
> > I tried to follow these instructions ([1] and [2]):
> > $ sudo mdadm -C /dev/md/imsm /dev/sd[b-c] -n 2 -e imsm
> > 
> > It fails:
> > mdadm: /dev/sdb is not suitable for this array
> > mdadm: /dev/sdc is not suitable for this array
> > mdadm: create aborted
> > 
> > Also this does not look good:
> > $ sudo mdadm --detail-platform
> > mdadm: imsm capabilities not found for controller: 
> > /sys/devices/pci:00/:00:1f.2 (type SATA)
> > 
> > Some info about hardware:
> > $ dmesg | grep 1f.2
> > [2.677109] ahci 000:00:1j.2: version 3.0
> > [2.677252] ahci 000:00:1j.2: AHCI 0001.0300 32 slots 6 ports 6 Gbps 
> > 0x3f impl RAID mode
> > [2.677254] ahci 000:00:1j.2: flags: 64bit ncq led clo pio slum part ems 
> > apst
> > 
> > Controller is set to RAID mode in BIOS also, RAID array has been created 
> > (VOLUME 1)
> > 
> > $ sudo mdadm --examine /dev/sdb
> > 
> > /dev/sdb:
> > Magic : Intel Raid ISM Cfg Sig.
> >   Version : 1.3.00
> > Orig Family : 66247044
> >Family : 66247044
> >  Generation : 0002
> >Attributes : All supported
> >  UUID : e492be44:10b30ade:b642e816:dd60ca99
> >  Checksum : 0f34c20c correct
> >  MPB Sectors : 1
> > Disks : 2
> >  RAID Devices : 1
> > 
> >   Disk00 Serial : ***
> >   State : active
> >Id : 0002
> > Usable Size : 7814031624 (3726.02 GiB 4000.78 GB)
> > 
> > [Volume1]:
> >  UUID : 5d5fbe08:1c90e2f3:e7896bec:0c7ca70a
> >  RAID Level : 1
> >Members : 2
> >  Slots : [UU]
> >  Failed disk : none
> > This Slot : 0
> >  Array Size : 7814031360 (3726.02 GiB 4000.78 GB)
> >   Per Dev Size : 7814031624 (3726.02 GiB 4000.78 GB)
> >   Sector Offset : 0
> >Num Stripes : 30523560
> >  Chunk Size : 64 KiB
> > Reserved : 0
> >   Migrate State : idle
> >   Map State : uninitialized
> >  Dirty State : clean
> > 
> >   Disk01 Serial : ***
> >   State : active
> >Id : 0005
> > Usable Size : 7814031624 (3726.02 GiB 4000.78 GB)
> > 
> > For /dev/sdc output of --examine is similar.
> > 
> > Hardware specs:
> > mb: asrock z97 extreme4
> > cpu: intel i5 4690
> > 
> > qubes-os: 3.2-rc3
> > 
> > Thanks in advance for all your help and suggestions on how to proceed.
> > Robert
> > 
> > [1] 
> > http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/rst-linux-paper.pdf
> > [2] https://raid.wiki.kernel.org/index.php/RAID_setup#External_Metadata

Thanks for the reply!

> IIUC you want to configure a raid device using your BIOS so it can be 
> recognized by both Windows & Linux.

Yes, exactly.

> Read the intro here to confirm this is what you want:
> https://help.ubuntu.com/community/FakeRaidHowto
> 
> Then go here to read all about Linux Raid (including a blistering critique of 
> FakeRaid):
> https://raid.wiki.kernel.org/index.php/Linux_Raid

Actually, I did not know that I am dealing with FakeRAID here... Thanks for 
pointing this out.

> if the 'raid' card or motherboard dies then you often have to find an exact 
> replacement and this can be tricky for older cards
> if drives move to other machines the data can't easily be read

These two points discouraged me completely.

> (Another option that you may consider in the future is a separate file 
> server.)

Yes, I think, ultimately, it's the best solution. I do plan to buy a budget NAS 
device in the future.

> Fedora-23 should recognize Fake/BIOS-raid devices automatically. Sorry I 
> don't have anything I can test with at the moment.
> 
> `sudo fdisk -l` should show /dev/sdb, /dev/sdc, as well as /dev/md[X].

fdisk -l grepped with 'md' does not return anything
However,
$ sudo mdadm --examine --scan
returns:
ARRAY metadata=imsm UUID=e492be44:10b30ade:b642e816:dd60ca99
ARRAY /dev/md/Volume1 container=e492be44:10b30ade:b642e816:dd60ca99 member=0 
UUID=5d5fbe08:1c90e2f3:e7896bec:0c7ca70a

but when I check /dev/ contents there is no /dev/md/, also I cannot attach 
(there is none) md device to any VM, only /dev/sdb and /dev/sdc

> If that's the case, you only need to configure partitions/volumes on your md 
> device:
> 
> https://raid.wiki.kernel.org/index.php/Partitioning_RAID_/_LVM_on_RAID
> https://www.howtoforge.com/linux_lvm

I think, I'll stick with software RAID. It blows, because I'll have to keep a 

Re: [qubes-users] Can't connect a VPN before Tor

2016-09-14 Thread nishiwaka46
On Wednesday, 14 September 2016 05:30:30 UTC+2, 3n7r...@gmail.com wrote:
> On Tuesday, September 13, 2016 at 11:56:53 PM UTC, nishi...@gmail.com wrote:
> > On Saturday, 10 September 2016 20:36:38 UTC+2, 3n7r...@gmail.com wrote:
> > > [First, a rant. I hate mailing lists. How am I supposed to attribute 
> > > quotes from earlier posts in the thread not contained in the previous 
> > > post?]
> > > 
> > > nishi:
> > > >Any advices on how to set up Qubes to have a VPN + sys-whonix working 
> > > >together (or VPN + a TorVM proxy) in a good anonymous way would be 
> > > >really appreciated :)
> > > 
> > > As you know, you can either connect to a VPN from a non-Whonix proxyVM or 
> > > set up the VPN directly in the Whonix-Gateway. Both methods have the goal 
> > > of preventing "unintentional" leaks and have the property of 
> > > failing-closed. IMO, since you are using Qubes already, the proxyVM 
> > > method is easier to configure and provides more flexibility. If you're 
> > > short on RAM and/or need to operate multiple Whonix-Gateways with each 
> > > having a separate VPN, you may be better off connecting to the VPN from 
> > > within the Gateway. From a security/anonymity perspective, neither is 
> > > obviously better than the other. A Gateway compromise would most likely 
> > > be game-over in either scenario.
> > > 
> > > Speaking generally, you've got a whole bunch of moving parts. You need to 
> > > troubleshoot by isolating each piece. 
> > > 
> > > **This step reveals that you use Tor. Only proceed if safe to do so.
> > > 
> > > 1. sys-net <- appVM: Do I have general connectivity?
> > > 2. sys-net <- vpn-VM <- appVM: Does my VPN work?
> > > 3.** sys-net <- appVM w/ Tor Browser Bundle: Does Tor work?
> > > 4.** sys-net <- whonix-gateway: Run whonixcheck. Does Whonix-Gateway work?
> > > 5. sys-net <- vpn-vm <- whonix-gateway
> > > 
> > > My suggestion is to start with a fresh proxyVM and follow Chris' Qubes 
> > > VPN documentation step by step. (Or take a look at his [git 
> > > repo](https://github.com/ttasket/Qubes-vpn-support) ). If the vpn-VM 
> > > allows successful connections from the appVM, then it's simply a matter 
> > > of assigning it to the Whonix-Gateway as its netVM. No Whonix-specific 
> > > configuration is necessary since it's all transparent to Whonix.
> > > 
> > > * Make sure that the Qubes firewall (Qubes VM Manager) is open on the 
> > > Whonix-Gateway. I don't remember what the default setting is.
> > > 
> > > * Both TCP and UDP are fine for upstream VPNs. Tor can not carry UDP but 
> > > it can be carried on UDP, if that makes sense.
> > > 
> > > * Don't add any additional firewalls until you can get this working.
> > > 
> > > 
> > > nishi:
> > > >Which gives in Qubes something a pattern like this one below (I don't 
> > > >know if all firewall VMs are really needed though) :
> > > >
> > > >AppVM => sys-vpn-firewall => sys-vpn => sys-whonix-firewall (or 
> > > >TorVM-firewall) => sys-whonix (or TorVM) => sys-firewall => sys-net
> > > 
> > > Firewalls have limited usefulness as described here: 
> > > https://www.qubes-os.org/doc/data-leaks/
> > > 
> > > rustybird's Corridor can ensure that all traffic goes to a Tor Entry 
> > > Guard (but obviously, can't guarantee that the Entry Guard is 
> > > trustworthy).
> > > 
> > > 
> > > nishi:
> > > >When I purchased a VPN subscription, I saw it as a way to improve 
> > > >anonymity, now I feel it is more a tool to provide security.
> > > 
> > > VPNs don't necessarily improve anonymity OR security. They simply shift 
> > > the trust that you place in your ISP to someone else. That may be good or 
> > > bad.
> > > 
> > > 
> > > Chris:
> > > >Although its straightforward to get the opposite working (Tor -> VPN ->
> > > Internet -- just follow the Qubes vpn doc and connect sys-whonix to the
> > > vpn vm)
> > > 
> > > Just to clarify, to achieve user -> Tor -> VPN -> Internet, sys-whonix 
> > > needs to be connected as the *netVM* for the vpn-vm. If vpn-vm is the 
> > > netVM for sys-whonix, the resulting traffic is user -> VPN -> Tor -> 
> > > Internet. I may be forgetting something, but I believe both 
> > > configurations work out of the box.
> > 
> > Hello,
> > 
> > Thank you for your answer. Yes I agree with you, the proxyVM is easier to 
> > configure and provides more flexibility. I don't know if you can make your 
> > VPN autostart if you install it inside the whonix gateway, so I rather 
> > prefer to have it directly installed in an AppVM, because I find it is a 
> > great Qubes feature : )
> > 
> > Also as I said directly in the Whonix-forum site, I don't believe building 
> > a fortress in a gateway that will become the main target for hackers is 
> > what will necessarily make us all more secure out there. Whonix or 
> > Qubes are targets right now... You have too many hacking intrusion exploits 
> > nowadays to build a fail-safe system for everyone. If you just type list in 
> > metasploit on kali Linux you know 

[qubes-users] Re: Using virt-viewer for remote systems

2016-09-14 Thread ludwig jaffe
On Monday, September 12, 2016 at 2:06:19 PM UTC+2, Konstantin Ryabitsev wrote:
> Greetings:
> 
> I need to be able to use virt-viewer to access remote systems (e.g. 
> virt-viewer --connect qemu+ssh://some.host/system vm-name), and it would 
> appear that it's impossible to install due to conflicts:
> 
> # dnf install virt-viewer
> Error: package virt-viewer-2.0-2.fc23.x86_64 requires libvirt.so.0()(64bit), 
> but none of the providers can be installed
> (try to add '--allowerasing' to command line to replace conflicting packages)
> 
> If I do add --allowerasing it will want to remove qubes-gui-vm and 
> xen-qubes-vm, which seems like it would do bad things.
> 
> Any suggestions how I could get virt-viewer installed without clobbering 
> other stuff?
> 
> -K

From a user point of view:
Just send the red framed applications to another remote user to display them 
there, after the user authenticated to the machine and his role allows him to 
see red framed applications of the red VM only.

This would be cool for collaboration.



[qubes-users] Re: Is there any way to mount a Qubes volume from an external drive..?

2016-09-14 Thread neilhardley
I'm not trying to mount the external HDD itself.

I'm trying to mount the Qubes installation on it. The encrypted Qubes OS that I 
have installed on the drive. I want to somehow decrypt and read the data from 
that itself.

It's not a VM backup format. It's the actual hard drive for Qubes itself on an 
external HDD.



[qubes-users] Re: Block device (LVM) as VM's disk image?

2016-09-14 Thread Vít Šesták
Just noting two more pitfalls:

1) When you create a new device, you should overwrite all the content (standard 
mkfs is not enough) before attaching it to a VM. If you don't do so, the VM 
might get some old data leaked from another VM. Maybe thin LVs have a different 
behavior.

2) When booting from Qubes installation image and trying to perform system 
recovery, it seems to scan all LVs, regardless they are dom0 LVs or domU LVs. 
This is potentially dangerous (filesystem parsing bugs). And since the 
installation image is not updated frequently, there is even higher probability 
of a known unpatched vulnerability. Maybe it could be determined by the name if 
it should be scanned.

Since LVM thin volumes are to be used in Qubes 4.0, I'd like to ask you if 
Qubes addresses those two issues there.

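Pitfall 1 from the post above, as an added example (not part of the original post and not Qubes' own tooling): stale data survives a format that only writes metadata, and a full zero-fill with read-back verification removes it. The function names, the marker string and the 4 MiB regular file standing in for the logical volume are assumptions made here so the script runs without root; the `format_metadata_only` step is a labelled stand-in for mkfs, not mkfs itself.

```shell
#!/bin/sh
# Added example: wipe a volume before attaching it to a VM, then verify.
# A regular file stands in for the LV; on a real block device run as root in dom0.

MARKER='SECRET-FROM-OLD-VM'   # constructed stand-in for another VM's leftover data

# Size in bytes of a block device or a regular file.
vol_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Constructed sample: 4 MiB "volume" with old data sitting at the 2 MiB offset.
make_stale_volume() {
    head -c $((4 * 1024 * 1024)) /dev/zero > "$1"
    printf '%s' "$MARKER" |
        dd of="$1" bs=1 seek=$((2 * 1024 * 1024)) conv=notrunc 2>/dev/null
}

# Stand-in for mkfs (assumption): touches only the first 64 KiB, the way a
# filesystem creation writes metadata and leaves the data area as it was.
format_metadata_only() {
    head -c 65536 /dev/zero | tr '\0' 'M' |
        dd of="$1" bs=65536 conv=notrunc 2>/dev/null
}

# True if the old VM's data can still be read from the volume.
has_marker() {
    LC_ALL=C grep -aq -- "$MARKER" "$1"
}

# Overwrite every byte of the volume with zeros, in place, then flush.
wipe_volume() {
    local size
    size=$(vol_size "$1") || return 1
    head -c "$size" /dev/zero |
        dd of="$1" bs=65536 conv=notrunc 2>/dev/null && sync
}

# True only if the whole volume reads back as zeros (cmp also fails on a
# length mismatch, so a short wipe is caught).
is_zeroed() {
    local size
    size=$(vol_size "$1") || return 1
    head -c "$size" /dev/zero | cmp -s - "$1"
}

# Walk through the pitfall: format, check for leftovers, wipe, check again.
demo() {
    local vol leak_fmt leak_wipe zeroed
    vol=$(mktemp) || return 1
    make_stale_volume "$vol"
    format_metadata_only "$vol"
    if has_marker "$vol"; then leak_fmt=yes; else leak_fmt=no; fi
    wipe_volume "$vol"
    if has_marker "$vol"; then leak_wipe=yes; else leak_wipe=no; fi
    if is_zeroed "$vol"; then zeroed=yes; else zeroed=no; fi
    rm -f "$vol"
    echo "leak_after_format=$leak_fmt leak_after_wipe=$leak_wipe zeroed=$zeroed"
}

demo
```

Running `is_zeroed` immediately before attaching the device gives a cheap gate: if it fails, the volume is not handed to the VM.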


[qubes-users] Re: Creation of imsm container failes. Setting up Inter RST RAID array.

2016-09-14 Thread 3n7r0py1
On Wednesday, September 14, 2016 at 3:42:02 PM UTC, Robert wrote:
> Hi!
> 
> I could use some help with setting up Intel hw raid array. I have two, 4 TB 
> drives that I want to use purely for storage (no booting) as a raid 1 array.
> I did manage to set them up as a software RAID using mdadm. However, I would 
> want the array to also be accessible from Windows 10 installation. AFAIK to 
> achieve this I need to use hardware RAID created in BIOS by Intel Rapid 
> Storage Technology (RST).
> 
> I tried to follow these instructions ([1] and [2]):
> $ sudo mdadm -C /dev/md/imsm /dev/sd[b-c] -n 2 -e imsm
> 
> It fails:
> mdadm: /dev/sdb is not suitable for this array
> mdadm: /dev/sdc is not suitable for this array
> mdadm: create aborted
> 
> Also this does not look good:
> $ sudo mdadm --detail-platform
> mdadm: imsm capabilities not found for controller: 
> /sys/devices/pci:00/:00:1f.2 (type SATA)
> 
> Some info about hardware:
> $ dmesg | grep 1f.2
> [2.677109] ahci 000:00:1j.2: version 3.0
> [2.677252] ahci 000:00:1j.2: AHCI 0001.0300 32 slots 6 ports 6 Gbps 0x3f 
> impl RAID mode
> [2.677254] ahci 000:00:1j.2: flags: 64bit ncq led clo pio slum part ems 
> apst
> 
> Controller is set to RAID mode in BIOS also, RAID array has been created 
> (VOLUME 1)
> 
> $ sudo mdadm --examine /dev/sdb
> 
> /dev/sdb:
> Magic : Intel Raid ISM Cfg Sig.
>   Version : 1.3.00
> Orig Family : 66247044
>Family : 66247044
>  Generation : 0002
>Attributes : All supported
>  UUID : e492be44:10b30ade:b642e816:dd60ca99
>  Checksum : 0f34c20c correct
>  MPB Sectors : 1
> Disks : 2
>  RAID Devices : 1
> 
>   Disk00 Serial : ***
>   State : active
>Id : 0002
> Usable Size : 7814031624 (3726.02 GiB 4000.78 GB)
> 
> [Volume1]:
>  UUID : 5d5fbe08:1c90e2f3:e7896bec:0c7ca70a
>  RAID Level : 1
>Members : 2
>  Slots : [UU]
>  Failed disk : none
> This Slot : 0
>  Array Size : 7814031360 (3726.02 GiB 4000.78 GB)
>   Per Dev Size : 7814031624 (3726.02 GiB 4000.78 GB)
>   Sector Offset : 0
>Num Stripes : 30523560
>  Chunk Size : 64 KiB
> Reserved : 0
>   Migrate State : idle
>   Map State : uninitialized
>  Dirty State : clean
> 
>   Disk01 Serial : ***
>   State : active
>Id : 0005
> Usable Size : 7814031624 (3726.02 GiB 4000.78 GB)
> 
> For /dev/sdc output of --examine is similar.
> 
> Hardware specs:
> mb: asrock z97 extreme4
> cpu: intel i5 4690
> 
> qubes-os: 3.2-rc3
> 
> Thanks in advance for all your help and suggestions on how to proceed.
> Robert
> 
> [1] 
> http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/rst-linux-paper.pdf
> [2] https://raid.wiki.kernel.org/index.php/RAID_setup#External_Metadata


IIUC you want to configure a raid device using your BIOS so it can be 
recognized by both Windows & Linux.

Read the intro here to confirm this is what you want:
https://help.ubuntu.com/community/FakeRaidHowto

Then go here to read all about Linux Raid (including a blistering critique of 
FakeRaid):
https://raid.wiki.kernel.org/index.php/Linux_Raid
(Another option that you may consider in the future is a separate file server.)

Fedora-23 should recognize Fake/BIOS-raid devices automatically. Sorry I don't 
have anything I can test with at the moment.

`sudo fdisk -l` should show /dev/sdb, /dev/sdc, as well as /dev/md[X].

If that's the case, you only need to configure partitions/volumes on your md 
device:

https://raid.wiki.kernel.org/index.php/Partitioning_RAID_/_LVM_on_RAID
https://www.howtoforge.com/linux_lvm



[qubes-users] VA-API in AppVM

2016-09-14 Thread Sebastian Jug
Hey guys,

A big problem for me with Qubes is being able to do random mundane tasks like 
watching YouTube videos. Is it possible to get video acceleration working in 
appvm specifically VA-API?

I know the 3d acceleration is not possible unless it's in a HVM but this may be 
more straightforward?

Thanks.



[qubes-users] How to set up Internet Connection Sharing over USB..?

2016-09-14 Thread neilhardley
Is there any way to set up Internet Connection Sharing using USB..?

For example, with an Android phone, you can share its connection with a 
computer using so-called "tethering".

But I want to "tether" the Whonix VM's internet connection to another computer, 
using USB.

The purpose is to use Qubes as a dedicated Tor router, to take advantage of the 
VT-D protection, but then to use a separate computer to do web browsing, seeing 
as web browsers are so vulnerable, and I don't want Qubes to be hacked due to a 
web browser flaw. 

All I want to run on Qubes is Whonix VM and some kind of Internet sharing over 
USB.

How do I do this..?

Thanks



[qubes-users] Creation of imsm container failes. Setting up Inter RST RAID array.

2016-09-14 Thread Robert
Hi!

I could use some help with setting up Intel hw raid array. I have two, 4 TB 
drives that I want to use purely for storage (no booting) as a raid 1 array.
I did manage to set them up as a software RAID using mdadm. However, I would 
want the array to also be accessible from Windows 10 installation. AFAIK to 
achieve this I need to use hardware RAID created in BIOS by Intel Rapid Storage 
Technology (RST).

I tried to follow these instructions ([1] and [2]):
$ sudo mdadm -C /dev/md/imsm /dev/sd[b-c] -n 2 -e imsm

It fails:
mdadm: /dev/sdb is not suitable for this array
mdadm: /dev/sdc is not suitable for this array
mdadm: create aborted

Also this does not look good:
$ sudo mdadm --detail-platform
mdadm: imsm capabilities not found for controller: 
/sys/devices/pci:00/:00:1f.2 (type SATA)

Some info about hardware:
$ dmesg | grep 1f.2
[2.677109] ahci 000:00:1j.2: version 3.0
[2.677252] ahci 000:00:1j.2: AHCI 0001.0300 32 slots 6 ports 6 Gbps 0x3f 
impl RAID mode
[2.677254] ahci 000:00:1j.2: flags: 64bit ncq led clo pio slum part ems apst

Controller is set to RAID mode in BIOS also, RAID array has been created 
(VOLUME 1)

$ sudo mdadm --examine /dev/sdb

/dev/sdb:
Magic : Intel Raid ISM Cfg Sig.
  Version : 1.3.00
Orig Family : 66247044
   Family : 66247044
 Generation : 0002
   Attributes : All supported
 UUID : e492be44:10b30ade:b642e816:dd60ca99
 Checksum : 0f34c20c correct
 MPB Sectors : 1
Disks : 2
 RAID Devices : 1

  Disk00 Serial : ***
  State : active
   Id : 0002
Usable Size : 7814031624 (3726.02 GiB 4000.78 GB)

[Volume1]:
 UUID : 5d5fbe08:1c90e2f3:e7896bec:0c7ca70a
 RAID Level : 1
   Members : 2
 Slots : [UU]
 Failed disk : none
This Slot : 0
 Array Size : 7814031360 (3726.02 GiB 4000.78 GB)
  Per Dev Size : 7814031624 (3726.02 GiB 4000.78 GB)
  Sector Offset : 0
   Num Stripes : 30523560
 Chunk Size : 64 KiB
Reserved : 0
  Migrate State : idle
  Map State : uninitialized
 Dirty State : clean

  Disk01 Serial : ***
  State : active
   Id : 0005
Usable Size : 7814031624 (3726.02 GiB 4000.78 GB)

For /dev/sdc output of --examine is similar.

Hardware specs:
mb: asrock z97 extreme4
cpu: intel i5 4690

qubes-os: 3.2-rc3

Thanks in advance for all your help and suggestions on how to proceed.
Robert

[1] 
http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/rst-linux-paper.pdf
[2] https://raid.wiki.kernel.org/index.php/RAID_setup#External_Metadata




Re: [qubes-users] Compiling Archlinux Template failed on make qubes-vm/vmm-xen-vm

2016-09-14 Thread pqg
Fariq Omar:
> Firstly, I have to edit the 00_prepare.sh to download the latest
> archlinux image from kernel.org. Seems like the script was outdated.
> But then it was failed once more while 'make qubes-vm or 'make
> vmm-xen-vm' due to the problem below. Any help will be appreciated.
> 
> --> Archlinux dist-package (makefile)
>   --> Building package in /home/user/qubes-src/vmm-xen
> sudo BACKEND_VMM=xen chroot
> "/home/user/qubes-builder/chroot-archlinux" su user -c 'cd
> "/home/user/qubes-src/vmm-xen" && cp archlinux/PKGBUILD* ./ && env
> http_proxy="" makepkg --syncdeps --noconfirm --skipinteg'
> ==> Making package: qubes-vm-xen 4.6.1-20 (Wed Sep 14 12:48:13 UTC 2016)
> ==> Checking runtime dependencies...
> ==> Checking buildtime dependencies...
> ==> Retrieving sources...
>   -> Found xen-4.6.1.tar.gz
>   -> Found series-vm.conf
>   -> Found apply-patches
> ==> WARNING: Skipping all source file integrity checks.
> ==> Extracting sources...
>   -> Extracting xen-4.6.1.tar.gz with bsdtar
> bsdtar: Failed to set default locale
> ==> Starting build()...
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i 
> ./patches.misc/qemu-tls-1.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i 
> ./patches.misc/qemu-tls-2.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.qubes/xen-shared-loop-losetup.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.qubes/xen-no-downloads.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.qubes/xen-hotplug-external-store.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.qubes/xen-tools-qubes-vm.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.qubes/vm-0001-hotplug-do-not-attempt-to-remove-containing-xenstore.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.misc/libxc-fix-xc_gntshr_munmap-semantic.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.misc/libvchan-Fix-cleanup-when-xc_gntshr_open-failed.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.misc/0101-libvchan-create-xenstore-entries-in-one-transaction.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.misc/0001-configure-Fix-when-no-libsystemd-compat-lib-are-avai.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.misc/0001-libxc-prefer-using-privcmd-character-device.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.misc/0001-tools-hotplug-Add-native-systemd-xendriverdomain.ser.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.security/xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.libxl/0001-libxl-trigger-attach-events-for-devices-attached-bef.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.misc/0001-systemd-use-standard-dependencies-for-xendriverdomai.patch
> /home/user/qubes-src/vmm-xen/PKGBUILD: line 49: autoreconf: command not found
> ==> ERROR: A failure occurred in build().
> Aborting...
> /home/user/qubes-builder/qubes-src/builder-archlinux/Makefile.archlinux:120:
> recipe for target 'dist-package' failed
> make[2]: *** [dist-package] Error 2
> 

The script is not outdated so much as incomplete.  It merrily assumed
that the final component of the Archlinux release number was a counter,
but I now suspect it's actually the day-of-month.  Most months the ISO
is cut on the first day of the month, but this month it was cut on the
third.

You may override the release number without modifying the script by
exporting the following environment variable before building:

export ARCHLINUX_REL_VERSION=2016.09.03

This is, of course, not at all clear to the casual user and a legitimate
bug.

Secondly, as you note, the autoreconf command is missing from the build
chroot.  autoreconf is a component of autoconf, and it is sufficient to
add "autoconf" and "automake" or, more succinctly, "base-devel" to the
"pkgs" variable in prepare-chroot-builder.  I've not investigated what
changed here, but presumably base-devel used to be present by default or
as a dependency of something else, but ceased to be some time in the
last 9 months (when I last built the Qubes Archlinux template).  I've
submitted a trivial pull request to integrate this:

https://github.com/marmarek/qubes-builder-archlinux/pull/12

Alas, having cleared these obstacles, you'll hit another issue noted a
couple of weeks ago in the thread to which Foppe pointed you.  This one
was precipitated by the Archlinux update to glibc 2.24 in early August.
2.24 deprecated readlink_r, which is used by (at least) Xen 4.6;
meanwhile, Xen builds with deprecation warnings treated as compilation
errors.  The fix went into Xen 4.7 a few months back, but has not been
backported to 4.6.

The work-around reported by Jovan in the other thread involves pointing
at the Xen 4.7 branch of a couple of marmarek's development repos with a
custom builder.conf.  I don't know enough 

Re: [qubes-users] Re: 4.0 ETA?

2016-09-14 Thread Marek Marczykowski-Górecki

On Wed, Sep 14, 2016 at 01:28:10AM -0700, ludwig jaffe wrote:
> On Monday, 12 September 2016 19:09:31 UTC+2, Jan Betlach wrote:
> > I am about to reinstall my Qubes. Does it make sense to wait for 4.0 
> > release (obviously depends on its ETA) or should I install current 3.2 and 
> > upgrade to 4.0 later. The question is how difficult it is to upgrade if 
> > possible at all.
> 
> 
> Is it possible to down-patch the 4.0 to use older CPUs?
> So I guess only the version of XEN used, is the critical component that locks 
> out the older CPUs.
> Right?
> I would like to suggest to make a fork to support older CPUs. So one can 
> build an old-version 4.0. What would be needed to do so?

Requiring VT-x/AMD-v with SLAT/EPT/RVI + VT-d/AMD-Vi is an implication
of our _decision_, to increase security[1], not a technical
requirement of some software component. But this decision means that
Qubes-specific component will no longer support non-compatible systems.

[1]
https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160914140022.GP31510%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Compiling Archlinux Template failed on make qubes-vm/vmm-xen-vm

2016-09-14 Thread Foppe de Haan
On Wednesday, September 14, 2016 at 3:06:37 PM UTC+2, necrokulto wrote:
> Firstly, I have to edit the 00_prepare.sh to download the latest
> archlinux image from kernel.org. Seems like the script was outdated.
> But then it failed once more during 'make qubes-vm' or 'make
> vmm-xen-vm' due to the problem below. Any help will be appreciated.
> 
> --> Archlinux dist-package (makefile)
>   --> Building package in /home/user/qubes-src/vmm-xen
> sudo BACKEND_VMM=xen chroot
> "/home/user/qubes-builder/chroot-archlinux" su user -c 'cd
> "/home/user/qubes-src/vmm-xen" && cp archlinux/PKGBUILD* ./ && env
> http_proxy="" makepkg --syncdeps --noconfirm --skipinteg'
> ==> Making package: qubes-vm-xen 4.6.1-20 (Wed Sep 14 12:48:13 UTC 2016)
> ==> Checking runtime dependencies...
> ==> Checking buildtime dependencies...
> ==> Retrieving sources...
>   -> Found xen-4.6.1.tar.gz
>   -> Found series-vm.conf
>   -> Found apply-patches
> ==> WARNING: Skipping all source file integrity checks.
> ==> Extracting sources...
>   -> Extracting xen-4.6.1.tar.gz with bsdtar
> bsdtar: Failed to set default locale
> ==> Starting build()...
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i 
> ./patches.misc/qemu-tls-1.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i 
> ./patches.misc/qemu-tls-2.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.qubes/xen-shared-loop-losetup.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.qubes/xen-no-downloads.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.qubes/xen-hotplug-external-store.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.qubes/xen-tools-qubes-vm.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.qubes/vm-0001-hotplug-do-not-attempt-to-remove-containing-xenstore.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.misc/libxc-fix-xc_gntshr_munmap-semantic.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.misc/libvchan-Fix-cleanup-when-xc_gntshr_open-failed.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.misc/0101-libvchan-create-xenstore-entries-in-one-transaction.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.misc/0001-configure-Fix-when-no-libsystemd-compat-lib-are-avai.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.misc/0001-libxc-prefer-using-privcmd-character-device.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.misc/0001-tools-hotplug-Add-native-systemd-xendriverdomain.ser.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.security/xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.libxl/0001-libxl-trigger-attach-events-for-devices-attached-bef.patch
> + patch -s -F0 -E -p1 --no-backup-if-mismatch -i
> ./patches.misc/0001-systemd-use-standard-dependencies-for-xendriverdomai.patch
> /home/user/qubes-src/vmm-xen/PKGBUILD: line 49: autoreconf: command not found
> ==> ERROR: A failure occurred in build().
> Aborting...
> /home/user/qubes-builder/qubes-src/builder-archlinux/Makefile.archlinux:120:
> recipe for target 'dist-package' failed
> make[2]: *** [dist-package] Error 2

See this thread: 
https://groups.google.com/forum/#!msg/qubes-users/43cDUEWz8M4/wFO8F_rPAQAJ;context-place=forum/qubes-users



[qubes-users] Compiling Archlinux Template failed on make qubes-vm/vmm-xen-vm

2016-09-14 Thread Fariq Omar
Firstly, I have to edit the 00_prepare.sh to download the latest
archlinux image from kernel.org. Seems like the script was outdated.
But then it failed once more during 'make qubes-vm' or 'make
vmm-xen-vm' due to the problem below. Any help will be appreciated.

--> Archlinux dist-package (makefile)
  --> Building package in /home/user/qubes-src/vmm-xen
sudo BACKEND_VMM=xen chroot
"/home/user/qubes-builder/chroot-archlinux" su user -c 'cd
"/home/user/qubes-src/vmm-xen" && cp archlinux/PKGBUILD* ./ && env
http_proxy="" makepkg --syncdeps --noconfirm --skipinteg'
==> Making package: qubes-vm-xen 4.6.1-20 (Wed Sep 14 12:48:13 UTC 2016)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found xen-4.6.1.tar.gz
  -> Found series-vm.conf
  -> Found apply-patches
==> WARNING: Skipping all source file integrity checks.
==> Extracting sources...
  -> Extracting xen-4.6.1.tar.gz with bsdtar
bsdtar: Failed to set default locale
==> Starting build()...
+ patch -s -F0 -E -p1 --no-backup-if-mismatch -i ./patches.misc/qemu-tls-1.patch
+ patch -s -F0 -E -p1 --no-backup-if-mismatch -i ./patches.misc/qemu-tls-2.patch
+ patch -s -F0 -E -p1 --no-backup-if-mismatch -i
./patches.qubes/xen-shared-loop-losetup.patch
+ patch -s -F0 -E -p1 --no-backup-if-mismatch -i
./patches.qubes/xen-no-downloads.patch
+ patch -s -F0 -E -p1 --no-backup-if-mismatch -i
./patches.qubes/xen-hotplug-external-store.patch
+ patch -s -F0 -E -p1 --no-backup-if-mismatch -i
./patches.qubes/xen-tools-qubes-vm.patch
+ patch -s -F0 -E -p1 --no-backup-if-mismatch -i
./patches.qubes/vm-0001-hotplug-do-not-attempt-to-remove-containing-xenstore.patch
+ patch -s -F0 -E -p1 --no-backup-if-mismatch -i
./patches.misc/libxc-fix-xc_gntshr_munmap-semantic.patch
+ patch -s -F0 -E -p1 --no-backup-if-mismatch -i
./patches.misc/libvchan-Fix-cleanup-when-xc_gntshr_open-failed.patch
+ patch -s -F0 -E -p1 --no-backup-if-mismatch -i
./patches.misc/0101-libvchan-create-xenstore-entries-in-one-transaction.patch
+ patch -s -F0 -E -p1 --no-backup-if-mismatch -i
./patches.misc/0001-configure-Fix-when-no-libsystemd-compat-lib-are-avai.patch
+ patch -s -F0 -E -p1 --no-backup-if-mismatch -i
./patches.misc/0001-libxc-prefer-using-privcmd-character-device.patch
+ patch -s -F0 -E -p1 --no-backup-if-mismatch -i
./patches.misc/0001-tools-hotplug-Add-native-systemd-xendriverdomain.ser.patch
+ patch -s -F0 -E -p1 --no-backup-if-mismatch -i
./patches.security/xsa155-xen-0003-libvchan-Read-prod-cons-only-once.patch
+ patch -s -F0 -E -p1 --no-backup-if-mismatch -i
./patches.libxl/0001-libxl-trigger-attach-events-for-devices-attached-bef.patch
+ patch -s -F0 -E -p1 --no-backup-if-mismatch -i
./patches.misc/0001-systemd-use-standard-dependencies-for-xendriverdomai.patch
/home/user/qubes-src/vmm-xen/PKGBUILD: line 49: autoreconf: command not found
==> ERROR: A failure occurred in build().
Aborting...
/home/user/qubes-builder/qubes-src/builder-archlinux/Makefile.archlinux:120:
recipe for target 'dist-package' failed
make[2]: *** [dist-package] Error 2
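
Added example, not part of the original post: a small triage of a makepkg log like the one above, reporting the missing tool (the `autoreconf` to `autoconf` hint comes from the reply in this thread), the failing PKGBUILD function, and the fact that makepkg ran with source integrity checks skipped. The function names and the output format are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage a makepkg log such as the one posted above.

# Excerpt of the posted log, used when no log file is given.
sample_log() {
    cat <<'EOF'
==> Making package: qubes-vm-xen 4.6.1-20 (Wed Sep 14 12:48:13 UTC 2016)
==> Retrieving sources...
  -> Found xen-4.6.1.tar.gz
==> WARNING: Skipping all source file integrity checks.
==> Starting build()...
+ patch -s -F0 -E -p1 --no-backup-if-mismatch -i ./patches.misc/qemu-tls-1.patch
/home/user/qubes-src/vmm-xen/PKGBUILD: line 49: autoreconf: command not found
==> ERROR: A failure occurred in build().
Aborting...
EOF
}

# triage_makepkg_log [FILE...]   (reads stdin when no file is given)
# Prints one finding per line, in log order:
#   integrity-skipped                            sources were not checksum/signature checked
#   missing-command CMD FILE:LINE [hint=PKG]     a build step called a tool absent from the chroot
#   build-failed FUNCTION                        the PKGBUILD function makepkg gave up in
triage_makepkg_log() {
    awk '
        # Package hint taken from the thread: autoreconf ships with autoconf.
        BEGIN { hint["autoreconf"] = "autoconf" }
        # Accept logs pasted as quoted mail text by dropping leading "> " markers.
        { sub(/^(> ?)+/, "") }
        /: line [0-9]+: [^ ]+: command not found/ {
            split($0, part, ": ")
            file = part[1]; sub(".*/", "", file)
            lineno = part[2]; sub(/^line /, "", lineno)
            cmd = part[3]
            extra = (cmd in hint) ? " hint=" hint[cmd] : ""
            print "missing-command " cmd " " file ":" lineno extra
        }
        /WARNING: Skipping all source file integrity checks/ && !skipped++ {
            print "integrity-skipped"
        }
        /ERROR: A failure occurred in [a-z_]+\(\)/ {
            fn = $0
            sub(/^.*occurred in /, "", fn); sub(/\(\).*$/, "", fn)
            print "build-failed " fn
        }
    ' "$@"
}

if [ "$#" -gt 0 ]; then
    triage_makepkg_log "$@"
else
    sample_log | triage_makepkg_log
fi
```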



Re: [qubes-users] multiple display support

2016-09-14 Thread Zrubi
On 09/13/2016 08:44 AM, Zrubi wrote:

> Multiple (2 external +the internal) display support seems to be broken
> starting by Qubes 3.2rc*
> 
> * display settings are not saved.
>  - under KDE it is saved somehow, but have to be disable composition
> for stable operation. But still not always keep after reboot :(

Started to investigate this issue by:

- resetting ALL the settings in dom0 by removing all the old config files.
This gives me the state of a clean install - at least regarding the dom0
GUI settings.

- the first time I attached my external displays it always failed,
resulting in a scattered display. If that happens, delete all the kscreen
settings located at: .local/share/kscreen/

The workaround for this is attaching the external display BEFORE boot,
or at least before logging in.

- after successfully setup all the external displays I copied the
kscreen configs located here: .local/share/kscreen/
to a safe place like the ~/Documents folder.

It seems to be storing all the unique display configurations in separate
files. So for me it was one for the external screens attached and
another one for the single internal display.

Whenever my display settings were lost for any reason I checked the
directory above and compared the files against the saved ones.
It showed that for some reason they were changed - even though I had never
touched the screen settings.

As a workaround I just copied back the files I saved to the original
locations, then rebooted/relogged and got back my working display setup :)

Since these are local user settings this can be done automatically by some
early X bash or KDE scripts - but I still have to figure out the way it
works...

> * panel are not sticked to my internal (primary) display.
> Both KDE and XFCE behaving this way. My panel gets replaced to the
> most left display instead of the primary one. Really annoying.

This may be related to the messed up display settings. For now I haven't
seen this issue as I am using the workaround described above.


-- 
Zrubi



[qubes-users] HCL - Lenovo X250, Intel Core i7-5600U, 16GB Ram, 512GB SSD

2016-09-14 Thread Peter Völkl
Works very well.

Installation steps from UEFI Troubleshooting required:
https://www.qubes-os.org/doc/uefi-troubleshooting/
Setting the notebook's hardware settings to "UEFI only" without BIOS
Compatibility is also required.



Attachment: Qubes-HCL-LENOVO-20CM001RGE-20160914-143646.yml


[qubes-users] DNS-handling script

2016-09-14 Thread asdfgher
Hello
I have set up a VPN in network-manager of my proxyVM. The guide about
stopping DNS leaks says that initially I have to copy all the VPN
configuration files into a folder called openvpn, write the script in each
one and afterwards create a DNS-handling script.
I have used a different way: I saved the DNS script in every configuration
file without copying them into the openvpn folder and created a DNS-handling
script in the config folder (where there is also the iptables script),
because I think that the guide is for those who want to autostart the VPN,
right?

Regards



[qubes-users] Re: 4.0 ETA?

2016-09-14 Thread ludwig jaffe
On Monday, 12 September 2016 19:09:31 UTC+2, Jan Betlach wrote:
> I am about to reinstall my Qubes. Does it make sense to wait for 4.0 release 
> (obviously depends on its ETA) or should I install current 3.2 and upgrade to 
> 4.0 later. The question is how difficult it is to upgrade if possible at all.


Is it possible to down-patch the 4.0 to use older CPUs?
So I guess only the version of XEN used, is the critical component that locks 
out the older CPUs.
Right?
I would like to suggest to make a fork to support older CPUs. So one can build 
an old-version 4.0. What would be needed to do so?



Re: [qubes-users] installing Signal on Qubes mini-HOWTO

2016-09-14 Thread Marek Marczykowski-Górecki

On Wed, Sep 07, 2016 at 11:38:55PM +0100, IX4 Svs wrote:
> On Thu, Sep 1, 2016 at 8:41 AM, IX4 Svs  wrote:
> 
> > On Thu, Sep 1, 2016 at 2:21 AM, Andrew David Wong 
> > wrote:
> >
> >>
> >> On 2016-08-31 15:50, IX4 Svs wrote:
> >> > On Wed, Aug 24, 2016 at 11:10 PM, Andrew David Wong 
> >> > wrote:
> >> >
> >> >>
> >> >> On 2016-08-15 14:43, IX4 Svs wrote:
> >> >>> On Mon, Aug 15, 2016 at 10:19 AM, Andrew David Wong
> >> >>> wrote:
> >> >>>
> >> 
> >>  On 2016-08-14 15:22, IX4 Svs wrote:
> >> > Just spent a few minutes to figure this out so I thought I'd
> >> > share.
> >> >
> >> 
> >>  Thanks, Alex! Would you mind if we added this to the docs at some
> >>  point?
> >> 
> >> 
> >> >>> Not at all - especially if you improve my clumsy way of creating the
> >> >> custom
> >> >>> shortcut (steps 7-12) and use the proper Qubes way that Nicklaus
> >> >>> linked to.
> >> >>>
> >> >>> Cheers,
> >> >>>
> >> >>> Alex
> >> >>>
> >> >>
> >> >> Added:
> >> >>
> >> >> https://www.qubes-os.org/doc/signal/
> >> >>
> >> >>
> >> > Andrew, thanks for adding this to the documentation.
> >> >
> >> > I'm afraid my DIY shortcut kludge does not survive some (potentially boot
> >> > time) script and is wiped away from the taskbar, only to be replaced by
> >> a
> >> > default "Chrome browser" shortcut. I admit I don't quite comprehend what
> >> > the actual implementation of
> >> > https://www.qubes-os.org/doc/managing-appvm-shortcuts/#tocAnchor-1-1-1
> >> > should be.
> >>
> >> Neither do I. I've always made my custom shortcuts the same general way
> >> you do.
> >>
> >>
> > Ah, we have a usability issue here then.
> >
> >
> >> > A worked example that replaces all but the first step of the " Creating
> >> a
> >> > Shortcut in KDE" section of https://www.qubes-os.org/doc/signal/ would
> >> be
> >> > very much welcome.
> >> >
> >>
> >> Agreed.
> >>
> >
> > Can someone who has figured out how to create one-click buttons to launch
> > arbitrary applications in AppVMs chime in with an example please? I'll then
> > test it and Andrew can stick it in the wiki for all Qubes users to benefit.
> >
> 
> I had a look myself and may have figured out the "proper" way of creating a
> shortcut to launch Signal. By the way I submitted a pull request for the
> documentation at
> https://www.qubes-os.org/doc/managing-appvm-shortcuts/#tocAnchor-1-1-1
> because its language is slightly inaccurate.
> 
> These instructions (after verification) should replace the shortcut kludge
> of the signal page you created:
> 
> My Signal AppVM uses the fedora-23 template, and I have renamed the
> .desktop file that Chrome created on that AppVM's desktop to
> signal.desktop. Now what?
> 
> 1. Open a dom0 terminal, cd to /var/lib/qubes/vm-templates/fedora-23/
> 2. Copy Signal:/home/user/Desktop/signal.desktop to
> dom0:/var/lib/qubes/vm-templates/fedora-23/apps.templates/signal.desktop
> 3. Lightly edit
> dom0:/var/lib/qubes/vm-templates/fedora-23/apps.templates/signal.desktop to
> be as follows:
> 
> [Desktop Entry]
> Version=1.0
> Type=Application
> Terminal=false
> X-Qubes-VmName=%VMNAME%
> Icon=%VMDIR%/apps.icons/signal.png
> Name=%VMNAME%: Signal Private Messenger
> GenericName=%VMNAME%: Signal
> Comment=Private Instant Messenger
> Exec=qvm-run -q --tray -a %VMNAME% -- 'qubes-desktop-run /home/user/Desktop/Signal.desktop'
> 
> 4. Copy
> Signal:/rw/home/user/.local/share/icons/hicolor/48x48/apps/chrome--Default.png
>  to
> dom0:/var/lib/qubes/vm-templates/fedora-23/apps.templates/apps.icons/signal.png
> 
> 5. Copy
> dom0:/var/lib/qubes/vm-templates/fedora-23/apps.templates/apps.icons/signal.png
> to
> dom0:/var/lib/qubes/vm-templates/fedora-23/apps.templates/apps.tempicons/signal.png
> 
> 6. At this point you should be all set. Ensure Qubes knows about the new
> menu item you created by starting the fedora-23 template VM and then
> running in a dom0 terminal: qvm-sync-appmenus fedora-23
> 
> 7. You should now be able to go back to the GUI and from the Q menu: Q ->
> Domain: Signal -> Signal: Add more shortcuts...
> In the window that will appear, you should now have "Signal Private
> Messenger" on the left list of available apps. I moved this to the
> "Selected" list and hit OK, which put the entry in my Q menu.
> 
> 8. Then I went to Q -> Domain: Signal. I right-clicked on "Signal:Signal
> Private Messenger" and selected "Add to panel".
> 
> 9. Success! I now have a button in my KDE panel with which I can launch
> Signal with one click.
> 
> Hope these steps get documented in the wiki (I'm not attempting a direct
> edit lest I break something) and are helpful to people.

Content of /var/lib/qubes/vm-templates/fedora-23/apps.templates (and
other apps.* there) is generated based on /usr/share/applications and

[qubes-users] Re: Qubes OS 3.2 rc3: can not boot with VT-d enabled on DELL T7400 (XEON E5440, Intel 5400 chipset)

2016-09-14 Thread ludwig jaffe
On Tuesday, 13 September 2016 09:57:53 UTC+2, ludwig jaffe wrote:
> Qubes OS 3.2 rc3: can not boot with VT-d enabled on DELL T7400 (XEON E5440, 
> Intel 5400 chipset)
> 
> Hi all, I can NOT boot on my machine, Dell T7400 (XEON E5440, Intel 5400 
> chipset, LSI HW-RAID1 "DELL SAS6" and 4GB RAM - will become more) with VT-d 
> enabled. 
> When I disable VT-d in bios, the machine boots and can run several VMs.
> 
> VT-d is needed to assign certain pci-devices to VMs (e.g. scsi-controller to 
> vm with some proprietary scanner application running windows).
> 
> How does it behave?
> 
> The grub screen is loaded, and one can select the options, here I edit to 
> remove quiet as I want to see.
> 
> So grub loads, XEN, vmlinuz, initrd.img,
> and then it crashes on the spot, causing the machine to reboot.
> 
> No debug output can be seen.
> 
> Any Ideas?
> 
> 
> Thanks,
> 
> 
> Ludwig

Hi, I tried to change this in grub while booting:
press esc and edit the line with the kernel parameters and I removed "quiet"
and added "console=com1 com1=115200,8n1 loglvl=all"
Also I tried with com2 as my fat DELL T7400 has 2 real serial interfaces.
I used a 0 modem cable and minicom with a linux laptop that also has a real 
serial interface.
But maybe, I made a mistake (wrong /dev/tty or cable problem) and I will check 
again and redo it.
But the console output was still written to the screen (I guess it is the 
output of grub while it boots). After grub finishes loading XEN, KERNEL, 
initrd.img, the machine crashes on the spot with VT-d enabled, and reboots.
So I guess the initial code that gets executed after grub, which should be the 
xen, causes the machine to crash.
Any Ideas? 
Is there a debug-version of xen that qubes-os uses. 
The parameters in grub where I remove this stupid "quiet" are just for the 
kernel, that gets executed later, after xen!
I do not see any screen output, even no flicker with text. 
Just after grub finishes a blank black screen and then the machine reboots.
So xen should at least write some hello world stuff to the screen.

Quite strange. How to debug xen?



[qubes-users] Re: netvm doesn't recognize physical hardware switch state

2016-09-14 Thread Connor Page
With such a fairly fresh kernel you probably should make sure you also have the
latest BIOS. Some people also claim that resetting BIOS settings miraculously
makes their wifi work in Linux.



Re: [qubes-users] 3.2-rc3 is awesome...but where is NetworkManager?

2016-09-14 Thread Zrubi

On 09/13/2016 11:55 PM, georgewalke...@gmail.com wrote:
> I just installed 3.2-rc3 on a Thinkpad T460s and it's great...but
> the NetworkManager widget is gone.

It is a known bug:
https://github.com/QubesOS/qubes-issues/issues/2293



-- 
Zrubi
