Re: [qubes-users] SSD+malicious HDD?

[Chris Laprise]

On 04/05/2017 12:02 AM, g...@vfemail.net wrote:

|Hi guys
1. I have installed and update Qube-os on my SSD and after i connect to
motherboard HDD.SSD- primary, HDD-secondary. It attached directly to
Dom0. If my HDD - malicious, is it a threat?


Future versions of Qubes may be able to protect against a malicious HDD, 
but not currently. Even an AEM-enabled Qubes could be vulnerable to a 
DMA attack.



2.Is Debian 9 safer than Debian 8, or Fedora 24 more safer than Fedora 23?
Thanks|


The first three are receiving security updates, but the fourth is not 
because its at end-of-life.


Chris

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/355bb172-aa56-f946-5b0d-9176b2050bf7%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] can't install kernel-qubes-vm from qubes-dom0-unstable repo

[Chris Laprise]

I think 'rpm -qa' is essentially saying the package is installed. You 
can check this with 'sudo dnf info kernel-qubes-vm'. If its listed it 
should be installed. You can check this in the kernel dropdown box under 
VM Settings / Advanced.


If the rpm is still cached in dom0, you can try 'sudo dnf reinstall 
kernel-qubes-vm-4.8.12-12'.


If not, try 'sudo qubes-dom0-update kernel-qubes-vm-4.8.12-12 
--enablerepo=qubes-dom0-unstable --action=reinstall'


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3e28d2d7-7bcd-f348-2aa4-c068e35a8b3a%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Why is there no built-in nvidia driver support? aka GTX 980 issues

[almightylaxz]

On Saturday, April 8, 2017 at 3:26:58 AM UTC+9:30, john.c...@ucdconnect.ie 
wrote:
> On Friday, 16 September 2016 08:09:46 UTC+1, almigh...@gmail.com  wrote:
> > Qubes was working flawlessly on my GTX 670, recently upgraded to a GTX 1070 
> > and now I can't even load the installer
> 
> What drivers did you install for the 670?
> 
> I'm on a 660 atm, and haven't installed any drivers, but am getting screen 
> tearing when fullscreening netflix/youtube.

No particular drivers, everything works (is usable) from the start. I've never 
tried watching videos using Qubes before so I can't really suggest anything.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/186f5d0a-d0f3-4682-b0bc-0a5003ca9ec9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

[Shane Optima]

>Here's a super simple (but likely quite effective!) exploit which took me a 
>about two minutes to write

It borders on intellectual dishonesty to put this immediately after my bit 
about using a browser extension to modify the page title in an unpredictable 
manner. Your pseudocode doesn't work at all using the browser extension I just 
described, nor can it be fixed to work unless the VM or browser is completely 
compromised by the attack (in which case, the passwords would be lost 
regardless.)

Again, I'm now talking about an easy-to-write extension that would hash the URL 
with a randomized salt.  It uses this hash to insert some characters into the 
page title, preferably at the end where the user isn't likely to care or in 
many cases even notice. 

After this browser extension is created, the Dom0 code could either work 
exactly as I previously described with no modifications needed, or you could 
change it to look for and make use of that signature. This would have the 
advantage that the tool wouldn't break even if the page title changed, and it 
would also be easier to set up the password database; instead of mucking about 
with page titles, you would simply enter the URL and the password, along with 
the value of the salt that the browser extension generates during its 
installation.

>If you're going to write an extension then there's no reason to use window 
>titles since you could communicate over another channel which is not under 
>full attacker control by default, 

Such as? As a small independent project, it would be much more dangerous (as 
well as more difficult) to design and implement an additional channel of 
communication which could be abused in unforeseen ways. I think I've already 
said a thousand different ways that an ideal solution wouldn't use window 
titles, but piggybacking on the already-implemented communication channels 
between Dom0 and the DomUs is very easy to analyze and reason about. Which is 
why it was so easy to come up with a method of protecting against the attack 
you keep FUDing about.

I maintain that this is a limited and unrealistic attack (your pseudocode 
ignores my earlier rebuttals entirely), but instead of continuing to argue 
about how limited and unrealistic it is, I simply showed how easy it would be 
to entirely prevent, even if the user isn't paying attention. I even mentioned 
this possibility in my very first posting, before your first reply!

Of course this isn't an ideal mechanism, and if you piled some additional other 
bugs or exploits on top there might still be some theoretically possible 
attacks lurking in the wings. But if you wish to continuing arguing that this 
is incredibly dangerous and less secure than the status quo, you need to 
actually find one of those bugs and delineate one of those attacks. Instead, 
what you've done here is mix together criticism of the original proposal and 
criticism of a browser extension+Dom0 tool proposal.


>wouldn't have negative UX side-effects

The UX side effects of appending (not prepending) the characters is minimal. 
First off, when window titles are truncated it's always at the end.  Second, we 
don't need fifty characters in a row here. I suspect that you would probably 
not need more than three characters to provide reasonable performance and 
security[1]. 

Realize that attackers' ability to use brute force techniques would be quite 
limited in this situation. I'm not going to use the tool to reenter my password 
a dozen times in case of a login failure, let alone millions of times.

>For the safety of yourself and others, please don't implement this using 
>window titles as proposed.

I mostly suspect you're being well-intentioned here, but you have failed to 
admit when and where you were wrong (or at least where you misunderstood) and 
in addition to the hyperbole you are being very sloppy with your subsequent 
criticisms. *At best* you're being sloppy. At worst, you are being 
intentionally deceptive. But I do try to be an optimistic sort of misanthrope.

I repeat, if you wish to argue that the modified project is not just un-ideal 
but is so insecure as to be worse that the status quo, you have your work cut 
out for you. Fortunately, and perhaps also fortunately for the readers of this 
fine mailing list, you have quite a bit of time at your disposal to come up 
with legitimate criticisms and/or a reasonable alternative before I can 
actually get around to implementing this myself.  As I've said to Chris, I'm 
kind of busy right now and I'm not and have never been a computer professional, 
so it would probably take me much longer than should be necessary.

I simply came here to see if there were any efforts in the works or if anyone 
had any better ideas. Apparently, the answer to both of these questions is 'no'.


Shane

1. This is my off-the-cuff and off-the-top-of-my-head description of how I'd do 
it: on installation, the browser extension would generate a one-time random 

Re: [qubes-users] Pandavirtualization: Exploiting the Xen hypervisor

[Unman]

On Fri, Apr 07, 2017 at 10:33:00PM +, qubenix wrote:
> Wondering if the list has seen this yet:
> https://googleprojectzero.blogspot.com/2017/04/pandavirtualization-exploiting-xen.html
> 
> PoC on Qubes 3.2.
> 
It was announced on the list on the 4th - 
QSB #29: Critical Xen bug in PV memory virtualization code (XSA-212)

Full details and analysis are in the Security Bulletin.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170407224228.GC27657%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?

[Shane Optima]

cooloutac > I'd rather not have such a tool sitting there "enabled".  lol


First off, you've ignored where I said that this should obviously be an opt-in 
thing that isn't present, as the mechanism is pretty hacky and the tool 
shouldn't be used by the careless.

But second, it transcends mere hyperbole or 'FUD' and rises to the level of 
magical thinking to pretend that this would be so dangerous as to present a 
risk even if not used.  Absolutely nothing would happens if the user presses 
the "insert password" key combination if they haven't manually set up a 
password file on Dom0.  

An additional key combination to insert information into the Dom0 database from 
a VM would be a minor convenience that could be put off until the tool is 
overhauled (and probably moved out of Dom0 entirely.)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a2f6e9d7-a1fe-4a5d-b513-a508401fbf10%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Pandavirtualization: Exploiting the Xen hypervisor

[qubenix]

Wondering if the list has seen this yet:
https://googleprojectzero.blogspot.com/2017/04/pandavirtualization-exploiting-xen.html

PoC on Qubes 3.2.

-- 
qubenix
GPG: B536812904D455B491DCDCDD04BE1E61A3C2E500

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9c3e200b-1044-d1a8-9075-3779e110503f%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] can't install kernel-qubes-vm from qubes-dom0-unstable repo

[Holger Levsen]

Hi,

"long ago" I successfully installed kernel-4.8.12-12 from the
qubes-dom0-unstable repo and today I realized that maybe Qubes
would be more stable for me, if I'd also install kernel-qubes-vm
4.8.12-12 instead of still using 4.4.38 in the VMs…

But…

[user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable  
kernel-qubes-vm
Using sys-firewall as UpdateVM to download updates for Dom0; this may take some 
time...
Running command on VM: 'sys-firewall'...
fedora/metalink  |  22 kB 00:00 
qubes-dom0-current   | 3.6 kB 00:00 
qubes-dom0-unstable  | 2.9 kB 00:00 
qubes-templates-itl  | 2.9 kB 00:00 
updates/metalink |  20 kB 00:00 
--> Running transaction check
---> Package kernel-qubes-vm.x86_64 1000:4.8.12-12.pvops.qubes will be installed
--> Finished Dependency Resolution
/var/lib/qubes/dom0-updates/packages/kernel-qubes-vm-4.8.12-12.pvops.qubes.x86_64.rpm
 already exists and appears to be complete
find: `/var/lib/qubes/dom0-updates/var/cache/yum': No such file or directory
Redirecting to '/usr/bin/dnf 
--exclude=qubes-template-whonix-gw,qubes-template-fedora-24,qubes-template-fedora-23,qubes-template-debian-8,qubes-template-whonix-ws,
 install kernel-qubes-vm' (see 'man yum2dnf')

Qubes OS Repository for Dom0
   23 MB/s |  44 kB 00:00
Package kernel-qubes-vm-1000:4.4.14-11.pvops.qubes.x86_64 is already installed, 
skipping.
Package kernel-qubes-vm-1000:4.4.38-11.pvops.qubes.x86_64 is already installed, 
skipping.
Dependencies resolved.
==
 Package  ArchVersion   
 Repository  Size
==
Skipping packages with conflicts:
(add '--best --allowerasing' to command line to force their upgrade):
 kernel-qubes-vm  x86_64  1000:4.8.12-12.pvops.qubes
 qubes-dom0-cached   45 M

Transaction Summary
==
Skip  1 Package

Nothing to do.
Complete!
[user@dom0 ~]$ rpm -qa |grep kernel
qubes-core-dom0-linux-kernel-install-3.2.12-1.fc23.x86_64
kernel-4.4.14-11.pvops.qubes.x86_64
kernel-4.4.38-11.pvops.qubes.x86_64
kernel-4.8.12-12.pvops.qubes.x86_64
kernel-qubes-vm-4.4.14-11.pvops.qubes.x86_64
kernel-qubes-vm-4.4.38-11.pvops.qubes.x86_64
[user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable --best 
--allowerasing kernel-qubes-vm
Using sys-firewall as UpdateVM to download updates for Dom0; this may take some 
time...
Running command on VM: 'sys-firewall'...
Usage: "yumdownloader [options] package1 [package2] [package..]

Command line error: no such option: --best
[user@dom0 ~]$ 

So, two questions:

a.) How can I actually force installation of 
kernel-qubes-vm-4.8.12-12.pvops.qubes?
The package has already been downloaded, where is it stored?
b.) How can I check what conflicts there are?

I'll try to provide patches for 
qubes-doc.git/common-tasks/software-update-dom0.md
once I know more!


-- 
cheers,
Holger

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170407222418.GA334%40layer-acht.org.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: Digital signature

[qubes-users] Re: grsecurity kernel 4.9.20 not working - Qubes ErrorHandler: BadAccess MIT-SHM

[Reg Tiangha]

On 04/07/2017 03:31 AM, Patrick Schleizer wrote:
> Proxying a message from torjunkie at Whonix forums here due to google
> group vs Tor spam false positive issues. Source:
> 
> https://forums.whonix.org/t/long-wiki-edits-thread/3477/55?
> 
> #
> 
> Greetings,
> 
> I am currently using Qubes 3.2 and have had success to date with
> running the 4.8 grsec kernel series (coldkernel) with Debian-8 AppVMs
> following the steps / advice outlined on the coldhak blog and github
> account.
> 
> I have recently tried to apply the 4.9.20 upgraded kernel to the
> Debian-8 TemplateVM and hit some problems.
> 
> I have followed the advice to install the latest
> qubes-kernel-vm-support package from the Qubes testing repository (for
> the Debian-8 TemplateVM) and avoided the error messages around "Bad
> return status for module build."
> [https://github.com/coldhakca/coldkernel/issues/55]
> [https://github.com/QubesOS/qubes-issues/issues/2691]
> 
> The upgraded kernel successfully builds and the TemplateVM boots.
> However, the TemplateVM state light soon shifts from green to yellow.
> The qrexec.log and console.log look okay (no obvious error messages),
> but the guid.log shows a new cryptic error message I've never seen before:
> 
> ErrorHandler: BadAccess (attempt to access private resource denied)
> Major opcode: 130 (MIT-SHM)
> Minor opcode: 1 (X_ShmAttach)
> ResourceID: 0x219
> Failed serial number: 49
> Current serial number: 50
> 
> Any attempts to run applications fail e.g. terminal. So, grsec
> groups can't be set, paxtest can't be run, and obviously it's not
> functional, so there is no point creating a new AppVM based on it.
> 
> Can anyone who has the 4.9 grsec kernel up and running provide any
> advice on how to resolve this problem?
> 
> Regards
> 

I've been running the 4.9 series for a while and have had no issues. The
one time I noticed something similar (indicator turning green briefly
before turning yellow, although unfortunately I didn't look at the logs
at the time to find out if it was the same issue as yours) was when I
compiled a coldkernel on a Debian 8 template and then installed the .deb
package on a Debian 9 template. I "fixed" the issue by compiling a
version of the kernel on a Debian 9 template and installing that .deb
package instead.

I guess the first thing I would look at is your sysctl.conf file. Do you
have any special grsecurity kernel parameters set in there? If so, try
disabling all of them and see if the issue persists. If if it does not,
then it might be one of those settings that's the problem.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/oc8u3t%248vk%241%40blaine.gmane.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Newbie question on VPN

[alle]

Hi everybody,

I'm a bit lost on configuring a VPN VM. 
Manual says: create new ProxyVM with specs. Works all fine up to the point 
where it says: 
Set up your VPN as described in the NetworkManager documentation linked above.

The "above" manual says:

Procedure 2.3. Adding a New VPN Connection
You can configure a new VPN connection by opening the Network window and 
selecting the plus symbol below the menu.

Press the Super key to enter the Activities Overview, type control network 
and then press Enter. The Network settings tool appears. 

I'm lost about "where" not speaking of the "Super key". 
Acutally I don't get the logic. I assume that I should do that within the newly 
created ProxyVM, but it lacks a GUI. 

So please can someone try to help me out here. And please assume that I'm sort 
of computer literate, but reading some posts and also part of the manuals, 
sometimes it seems to me there are some basic preassumptions that I don't meet 
...

A.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ac1cc291-a353-4bc0-8ffc-3254a021b982%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Why is there no built-in nvidia driver support? aka GTX 980 issues

[john . casey . 1]

On Friday, 16 September 2016 08:09:46 UTC+1, almigh...@gmail.com  wrote:
> Qubes was working flawlessly on my GTX 670, recently upgraded to a GTX 1070 
> and now I can't even load the installer

What drivers did you install for the 670?

I'm on a 660 atm, and haven't installed any drivers, but am getting screen 
tearing when fullscreening netflix/youtube.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/355ad8b2-1995-444c-a3db-aaec58f3cab8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: HCL - Surface Pro 3 (i5-4300U 4Gb)

[gawehner]

On Saturday, November 19, 2016 at 9:48:31 PM UTC-5, Johannes Zipperer wrote:
> I tested Qubes 3.2 with the Fedora 24 template for about 5 hours intensely.
> 
> Installation: No problems during install. Bootable USB is only accepted 
> when the Secure Boot keys are removed (hit ESC or DEL during boot for 
> uefi). TPM Module seems not to be identified but I did put not much 
> effort into diagnosing the problem. 
> 
> Connect wifi: After some trouble of finding the network manager in the 
> sys-net qube I successfully connected. Oddly the reception bars are red 
> while there is no issue using the web.
> 
> Whonix: Following the installation wiki for whonix it worked out of the 
> box to connect to the TOR network verified by check.torproject.org. I 
> was able to watch a youtube clip with smooth playback and with working 
> sound. HighDPI scaling has to be configured manually. The performance 
> concerning web browsing is not much worse from firefox from the 
> fedora-24 template.
> 
> Windows: using in dom0 the command qvm-start Windows-10 
> --cd-rom=fedora-24:/home/user/Downloads/Windows.iso was not successful. 
> So I gave up for now on that.
> 
> Touchscreen and stylus: both work out of the box. Stylus connected not 
> very reliably, but drawing lines and writing after that is fine. 
> Onscreen keyboard is missing and I didn't get florence to type anything. 
> Annotating PDFs works fairly well in Okular. Volume rocker and power button 
> works out of the box
> 
> USB-Devices and microSD: Mounted a FAT formatted USB drive successfully. 
> Cherry DW5000 works out of the box but media keys and super key need 
> configuring. I have no original type or touch cover to test. exFAT 
> microSD didn't work. But the same microSD card worked in the built-in 
> reader when formatted in NTFS (tested transfering and opening a JPG). 
> Using a USB hub with SD cardreader worked out of the box.
> 
> High DPI scaling: works generally well for touch control. Firefox opens 
> first time after restart with too big UI elements and text. Icons in 
> some applications like in Gimp are not scaled and kind of small. The 
> dom0 and template applications are generally not scaled.
> 
> Audio and Video: sound output works out of the box, playing mp3 in vlc 
> as well, mp4 in vlc in software decoding mode very choppy. youtube 
> videos are more fluid but no fullscreen support. streaming youtube 
> videos in vlc didn't work. Recording audio from the microphone with 
> pulsecaster works out of the box.
> 
> installing software: I was able to install and use vlc, Okular, 
> LibreOffice, Inkscape (bad stylus support), Gimp (better stylus 
> support), Thunderbird, Darktable, I changed the language and keyboard 
> layout to german sucessfully. Since I installed, tested and configured 
> everything in the template I have to say something about the use inside 
> a qube. I didn't test the pulsecaster, florence, Okular successfully in 
> the "personal" qube.
> 
> suspend reboot and shutdown: shutdown works, but is slow. device shows 
> black screen after suspending and wakes up when a key is pressed, but I 
> don't know if it really gets into the lower C states inbetween. reboot 
> does not work.
> 
> File manager: starting the file manager needs a second click in 50% of 
> the cases when I wanted to start it. Copying files works.
> 
> Performance and battery life: I assume that it is all rendered in 
> software, so considering that, I think the performance is decent, maybe 
> as a 1,3 GHz quad core Android phone regarding application start and tabbed 
> browsing (sorry for the comparison =/). Battery life is lower 
> than under windows, I didn't find the brightness controls and the 
> brightness sensor did not work out of the box, so my battery life was 
> only around 3 hours.
> 
> Reverting back to windows: I successfully tested installing again Windows 10, 
> which was previously tied to this device on a certain Microsoft account 
> (important because of the license server, that works without keys). It was 
> installed by a USB stick previously formatted by the media creation tool. The 
> risk is not so high to try Qubes, although I recommend getting accustomed 
> before using it in production. I hope this helps others.   
> 
> Life is good, Jesus is better!
>  Johannes

Thank you for your efforts. I've been attempting to install Qubes 3.2 on a 
Surface Pro 4, but I've been unable to get past EFI errors. I'm hoping you can  
help me.

First of all, I downloaded and verified the 3.2 ISO. Following the qubes 
install guide I used Rufus to transfer the iso to a usb stick. I selected the 
iso, set the partition scheme to GPT for UEFI, the File system to Fat32, and 
finally selected dd image to create the bootable disk.

On the Surface Pro 4, I entered into the UEFI menu and disabled Secure Boot 
(None), and prioritized USB Storage in the boot order. I then attached the 
bootable usb device and restarted the machine.

The Surface Pro 

Re: [qubes-users] How much important is TPM?

[cooloutac]

On Friday, April 7, 2017 at 11:15:46 AM UTC-4, cooloutac wrote:
> On Tuesday, April 4, 2017 at 6:20:35 PM UTC-4, tai...@gmx.com wrote:
> > On 04/04/2017 10:19 AM, cooloutac wrote:
> > 
> > >
> > > The hacking teams insyde bios exploit could only have been stopped with 
> > > secure boot.
> > >
> > Uhh no that isn't true, and again you're using microsoft's marketing 
> > name for something that is a generic technology (signing of kernel and 
> > important files) implemented in grub etc.
> > 
> > On my libre coreboot system (not all coreboot is libre) I can use a 
> > signing key mechanism to sign kernels and load them with grub installed 
> > on my motherboards write-locked flash chip.
> > 
> > 
> > Do you work for microsoft?
> 
> Microsoft didn't create secure boot,  intel did. They just tried to 
> monopolize it and failed.   Tell all the major linux distros that they work 
> for Microsoft lol...
> 
> I see you are Libre guy, that explains alot,   but why ignore my comment 
> about what Richard Stallman says about "secure boot"?  DOES Richard Stallman 
> work for windows!?!?haha...

What you are talking about is "restricted boot"  as RMS calls it.  not "secure 
boot".  If you control the keys I don't see the problem.  You are more worried 
about what could potentially happen.  Even though prior predictions have been 
wrong.   Its good to be aware of the potentials for abuse.  But lets not claim 
abuse when it hasn't even happened yet.

I mean I guess there are UEFI boards out there that don't let you disable 
secure boot or use custom keys?  But I've never seen one.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d0f703fe-18df-4d64-95cf-0e7e8105bcc8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] realized why I always lose sound in the vms

[cooloutac]

On Thursday, April 6, 2017 at 1:56:14 AM UTC-4, Jean-Philippe Ouellet wrote:
> On Wed, Apr 5, 2017 at 11:29 PM, cooloutac  wrote:
> > The sound mixer app I installed xfe in mutes things when I lower the volume 
> > all the way by accident.  Never realized till now lol.  I always have to go 
> > into dom0 alsamixer.
> >
> > Is there a better plugin to use?  Does a new iso come with one by default 
> > now?
> 
> This same exact bug keeps coming up again and again. See:
> - https://github.com/QubesOS/qubes-issues/issues/2550
> - https://github.com/QubesOS/qubes-issues/issues/2117
> - https://github.com/QubesOS/qubes-issues/issues/2291
> - https://github.com/QubesOS/qubes-issues/issues/2321
> - https://groups.google.com/forum/#!msg/qubes-users/53TYf5GYkqY/ZU8i5v6JAwAJ
> 
> This was fixed a while ago, but people don't get the fix because of
> the limitations of updating dom0 by only updating the packages
> installed there. When things get fixed in the installer, they don't
> trickle down to existing systems, and we don't publish new release
> ISOs except for on major releases. This means the default install is
> often broken, and many people end up needing to independently solve
> the same problems over and over. This is clearly not ideal, and IMO
> the way in which we manage dom0 needs some rethinking.
> 
> For this specific case I think we'd need a meta-package tracking which
> packages are installed by the installer, and have the installer just
> list that one and have deps of it be pulled in automatically. That
> would let us update *which* packages are installed by default and have
> that change affect existing installs. Then, as for actually putting
> the new mixer in the panel, we'd probably need a %post section in a
> relevant package or something.
> 
> IMO updating needs a better solution overall. I tried to start a
> discussion about this here:
> - https://groups.google.com/forum/#!topic/qubes-users/dCctVsf15dE/discussion
> but it didn't go anywhere.

yes I feel like the losing sound issue is the most common Qubes problem.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4a05-d230-4dd5-afab-2f69ff2242c4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How much important is TPM?

[cooloutac]

On Tuesday, April 4, 2017 at 6:20:35 PM UTC-4, tai...@gmx.com wrote:
> On 04/04/2017 10:19 AM, cooloutac wrote:
> 
> >
> > The hacking teams insyde bios exploit could only have been stopped with 
> > secure boot.
> >
> Uhh no that isn't true, and again you're using microsoft's marketing 
> name for something that is a generic technology (signing of kernel and 
> important files) implemented in grub etc.
> 
> On my libre coreboot system (not all coreboot is libre) I can use a 
> signing key mechanism to sign kernels and load them with grub installed 
> on my motherboards write-locked flash chip.
> 
> 
> Do you work for microsoft?

Microsoft didn't create secure boot,  intel did. They just tried to monopolize 
it and failed.   Tell all the major linux distros that they work for Microsoft 
lol...

I see you are Libre guy, that explains alot,   but why ignore my comment about 
what Richard Stallman says about "secure boot"?  DOES Richard Stallman work for 
windows!?!?haha...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0a50e594-4d43-4807-94a2-e517dd83b4bb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How much important is TPM?

[cooloutac]

On Tuesday, April 4, 2017 at 6:20:35 PM UTC-4, tai...@gmx.com wrote:
> On 04/04/2017 10:19 AM, cooloutac wrote:
> 
> >
> > The hacking teams insyde bios exploit could only have been stopped with 
> > secure boot.
> >
> Uhh no that isn't true, and again you're using microsoft's marketing 
> name for something that is a generic technology (signing of kernel and 
> important files) implemented in grub etc.
> 
> On my libre coreboot system (not all coreboot is libre) I can use a 
> signing key mechanism to sign kernels and load them with grub installed 
> on my motherboards write-locked flash chip.
> 
> 
> Do you work for microsoft?

You disagree with the experts then,  not me.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a0b86ad8-b79d-4837-8341-9334b9b2472f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: [Qubes 3 - Debian 8] Gnome terminal does not start - locals issue

[glincool . zac]

On Monday, July 13, 2015 at 10:55:18 PM UTC+5:30, J. Eppler wrote:
> Hello, 
> 
> I have an issue with the debian 8 template under Qubes OS 3. The locals are 
> not set correctly.
> The problem is that I cannot start gnome-terminal over the menu: 
> 
> try to start gnome-terminal in xterm:
> (process:6203): Gtk-WARNING **: Locale not supported by C library.
>     Using the fallback 'C' locale.
> Error constructing proxy for org.gnome.Terminal:/org/gnome/Terminal/Factory0: 
> Error calling StartServiceByName for org.gnome.Terminal: 
> GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildExited: Process 
> org.gnome.Terminal exited with status 8
> 
> the bash message if I switch from user to root via sudo su:
> bash: warning: setlocal: LC_ALL: cannot change locale (en_US.UTF-8)
> 
> the settings are like this:
> LANGUAGE= (unset)
> LC_ALL = "en_US.UTF-8"
> LANG = (unset)
> 
> does somebody has the same problem?
> 
> Best regards
>   J. Eppler


I too encounterred the same problem i tried running the dpkg-reconfigure 
command too but that didn't solve it.The solution that solved  my problem was 
by directly
 **Opening Settings->Region and Language 
->Formats=>India
->Language=>English
 **
Then restarted the system that solved my problem..Hope this helps. :)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0e096745-5882-4146-841c-cd2911766b01%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Unable to install Qubes OS 3.2 on Dell Latitude E4310

[jaspreetkaurchurch]

If a program is unresponsive, try closing it through the Task Manager. You 
probably already know that you can access this tool by pressing Ctrl+Alt+Del, 
but for a quicker route, you can also use Ctrl+Shift+Esc. If your laptop won't 
even let you do that, then it's time for a hard reset.You will get more ideas 
and other useful information in Dell Latitude E4310- 
https://guideusermanual.com/product-name-latitude-e4310-manual=344616=English
 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c38e2943-eaab-48aa-b5d2-2459c8a15259%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] SSD+malicious HDD?

[gg77]

Hi guys
1. I have installed and update Qube-os on my SSD and after i connect to
motherboard HDD.SSD- primary, HDD-secondary. It attached directly to Dom0.
If my HDD - malicious, is it a threat?
2.Is Debian 9 safer than Debian 8, or Fedora 24 more safer than Fedora 23?
Thanks


-

ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the 
NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!  
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!  


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170404230242.Horde.QgMez2hkStdk3mjZZhQzag2%40www.vfemail.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] grsecurity kernel 4.9.20 not working - Qubes ErrorHandler: BadAccess MIT-SHM

[Patrick Schleizer]

Proxying a message from torjunkie at Whonix forums here due to google
group vs Tor spam false positive issues. Source:

https://forums.whonix.org/t/long-wiki-edits-thread/3477/55?

#

Greetings,

I am currently using Qubes 3.2 and have had success to date with
running the 4.8 grsec kernel series (coldkernel) with Debian-8 AppVMs
following the steps / advice outlined on the coldhak blog and github
account.

I have recently tried to apply the 4.9.20 upgraded kernel to the
Debian-8 TemplateVM and hit some problems.

I have followed the advice to install the latest
qubes-kernel-vm-support package from the Qubes testing repository (for
the Debian-8 TemplateVM) and avoided the error messages around "Bad
return status for module build."
[https://github.com/coldhakca/coldkernel/issues/55]
[https://github.com/QubesOS/qubes-issues/issues/2691]

The upgraded kernel successfully builds and the TemplateVM boots.
However, the TemplateVM state light soon shifts from green to yellow.
The qrexec.log and console.log look okay (no obvious error messages),
but the guid.log shows a new cryptic error message I've never seen before:

ErrorHandler: BadAccess (attempt to access private resource denied)
Major opcode: 130 (MIT-SHM)
Minor opcode: 1 (X_ShmAttach)
ResourceID: 0x219
Failed serial number: 49
Current serial number: 50

Any attempts to run applications fail e.g. terminal. So, grsec
groups can't be set, paxtest can't be run, and obviously it's not
functional, so there is no point creating a new AppVM based on it.

Can anyone who has the 4.9 grsec kernel up and running provide any
advice on how to resolve this problem?

Regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/54ee6082-ee7e-78f9-55fa-1bcae3c4cdc9%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Thunderbolt controller isolation for Passthrough

[squared . beta]

To make story short. 
If Thunderbolt controller is connected via PCIe, could it theoritically be 
isolated to a single VM, to be used for USB hub, or HDD, or even docks?
I am unsure how thunderbolt achieves USB, USB-PD, and display though.
Did anyone try it with any success?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/063b8b35-2cf3-4711-8ce7-846b975b1df8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Why is there no built-in nvidia driver support? aka GTX 980 issues

[sl98077]

On Thursday, March 9, 2017 at 11:56:52 PM UTC-5, cooloutac wrote:
> Just to add you won't get any benefit from the Nvidia card.  Qubes only uses 
> it for desktop effects.  the vms don;t have 3d rendering.


It's not only about 3D rendering it has to do with users that want to also dual 
boot with a spare ssd, be a little mindful others have different obligations.. 
if Qubes wants to grow it needs to be readily available for all users.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4f269b37-f869-4e79-a31b-84a2f0a66ab1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Why is there no built-in nvidia driver support? aka GTX 980 issues

[flippiff]

On Thursday, March 9, 2017 at 11:56:52 PM UTC-5, cooloutac wrote:
> Just to add you won't get any benefit from the Nvidia card.  Qubes only uses 
> it for desktop effects.  the vms don;t have 3d rendering.

It's not only about 3D rendering it has to do with users that want to also dual 
boot with a spare ssd, be a little mindful others have different obligations.. 
if Qubes wants to grow it needs to be readily available for all users.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/116af6c5-4336-49eb-91fb-a465fb8d3460%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.