[qubes-users] Re: HCL - Surface Pro 3 (i5-4300U 4Gb)
Hi to all,

@gawehner: it has been some time now since I did that crazy thing with the Surface Pro, so my memory is not fresh about how I did it. But I remember using Unetbootin, Rufus and in some cases the Linux tool dd at the time. I didn't worry about file system. But try the ISO and DD method. Otherwise I used the standard options for starting the USB Stick. I hope you succeed. As long as you keep the VMs to a minimum it is quite fun to use. Even with 4 Gb ;-p

On 7. April 2017 18:22:24 MESZ, gaweh...@gmail.com wrote:

On Saturday, November 19, 2016 at 9:48:31 PM UTC-5, Johannes Zipperer wrote:
> I tested Qubes 3.2 with the Fedora 24 template for about 5 hours intensely.
>
> Installation: No problems during install. Bootable USB is only accepted when the Secure Boot keys are removed (hit ESC or DEL during boot for uefi). TPM Module seems not to be identified but I did not put much effort into diagnosing the problem.
>
> Connect wifi: After some trouble of finding the network manager in the sys-net qube I successfully connected. Oddly the reception bars are red while there is no issue using the web.
>
> Whonix: Following the installation wiki for whonix it worked out of the box to connect to the TOR network verified by check.torproject.org. I was able to watch a youtube clip with smooth playback and with working sound. HighDPI scaling has to be configured manually. The performance concerning web browsing is not much worse from firefox from the fedora-24 template.
>
> Windows: using in dom0 the command qvm-start Windows-10 --cd-rom=fedora-24:/home/user/Downloads/Windows.iso was not successful. So I gave up for now on that.
>
> Touchscreen and stylus: both work out of the box. Stylus connected not very reliably, but drawing lines and writing after that is fine. Onscreen keyboard is missing and I didn't get florence to type anything. Annotating PDFs works fairly well in Okular. Volume rocker and power button work out of the box
>
> USB-Devices and microSD: Mounted a FAT formatted USB drive successfully. Cherry DW5000 works out of the box but media keys and super key need configuring. I have no original type or touch cover to test. exFAT microSD didn't work. But the same microSD card worked in the built-in reader when formatted in NTFS (tested transferring and opening a JPG). Using a USB hub with SD cardreader worked out of the box.
>
> High DPI scaling: works generally well for touch control. Firefox opens first time after restart with too big UI elements and text. Icons in some applications like in Gimp are not scaled and kind of small. The dom0 and template applications are generally not scaled.
>
> Audio and Video: sound output works out of the box, playing mp3 in vlc as well, mp4 in vlc in software decoding mode very choppy. youtube videos are more fluid but no fullscreen support. streaming youtube videos in vlc didn't work. Recording audio from the microphone with pulsecaster works out of the box.
>
> installing software: I was able to install and use vlc, Okular, LibreOffice, Inkscape (bad stylus support), Gimp (better stylus support), Thunderbird, Darktable, I changed the language and keyboard layout to German successfully. Since I installed, tested and configured everything in the template I have to say something about the use inside a qube. I didn't test the pulsecaster, florence, Okular successfully in the "personal" qube.
>
> suspend reboot and shutdown: shutdown works, but is slow. device shows black screen after suspending and wakes up when a key is pressed, but I don't know if it really gets into the lower C states in between. reboot does not work.
>
> File manager: starting the file manager needs a second click in 50% of the cases when I wanted to start it. Copying files works.
>
> Performance and battery life: I assume that it is all rendered in software, so considering that, I think the performance is decent, maybe as a 1,3 GHz quad core Android phone regarding application start and tabbed browsing (sorry for the comparison =/). Battery life is lower than under Windows, I didn't find the brightness controls and the brightness sensor did not work out of the box, so my battery life was only around 3 hours.
>
> Reverting back to Windows: I successfully tested installing again Windows 10, which was previously tied to this device on a certain Microsoft account (important because of the license server, that works without keys). It was installed by a USB stick previously formatted by the media creation tool. The risk is not so high to try Qubes, although I recommend getting accustomed before using it in production. I hope this helps others.
>
> Life is good, Jesus is better!
> Johannes

Thank you for your efforts. I've been attempting to install Qubes 3.2 on a Surface Pro 4, but I've been unable to get past EFI errors. I'm hoping you can help me.

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?
On Saturday, April 8, 2017 at 6:19:07 PM UTC-4, Shane Optima wrote:
> > Don't be scared.
>
> It's a Shawshank Redemption reference.
>
> >>An additional key combination to insert information into the Dom0 database from a VM would be a minor convenience that could be put off until the tool is overhauled (and probably moved out of Dom0 entirely.)
>
> > How many times do you see "insert" and the word dom0?
>
> I'm assuming you're merely being lazy here, in which case I would appreciate it if you would refrain from spreading lies about things you can't be bothered to read. This is a difficult enough discussion without nonsense being injected.
>
> If this isn't a matter of sloth and your reading comprehension abilities are actually limited to simple pattern matching, then there's no point in continuing this tangent.
>
> Even assuming you ignored my clarifications entirely, you should pause for a moment and consider how reasonable it is that you are using a sentence containing the phrase "probably moved out of Dom0 entirely" to claim that I am proposing that $foo should be done in Dom0.

It's already out of dom0, just use the vault vm. If my Mother can handle ctrl shift c, I'm sure you can too. This is like the most important part of Qubes you are talking about it. I think it works fine, usability is not a good reason to add or change anything. You lost me way earlier when you mentioned browser extensions. Yes I'm a noob, but you still sound like a security nightmare to me.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/49609146-e5d0-4d01-8729-a31e24f082ce%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: coldkernel status update
On 04/08/2017 08:17 PM, Colin Childs wrote:
> Hi everyone,
>
> It has been some time since we posted on this list, so here is a brief update:
>
> 1. We have recently pushed 0.9a-4.9.20
>
> 2. An issue with switching from 4.8.x to 4.9.x was identified and fixed upstream (https://github.com/coldhakca/coldkernel/issues/55)
>
> 3. The blog post for Fedora support is currently being written
>
> 4. Final tests for Whonix support are underway
>
> 5. 0.9b will be released soon, with support for Fedora and 0.9c will follow soon after with full Whonix support (and a blog post, again.)
>
> 6. Once 0.9c is out, we will direct our efforts towards providing binaries for Qubes users (and potentially our other supported platforms)
>
> 7. After all above steps are complete, we will evaluate what the next steps should be. This may include attempting to provide a kernel for Dom0.
>
> If anyone has questions / comments, please feel free to contact me directly.
>
> Thanks!

Thanks for all the hard work! WillyPillow just pointed out to me today on the qubes-devel mail list that installing busybox and updating initramfs in Whonix is all you need to do to get it to boot with coldkernel, and I just discovered myself a few minutes ago that for whonixcheck to work, you need to add 'user' to group 9001 (and for tor-browser to work properly, you need to disable memory protection using paxctl just like you do for regular Firefox). I haven't gotten much further than that in my testing, though. In the meantime while we all wait for 0.9c, any other tips are appreciated!

[qubes-users] Re: Windows 7 installation stops
On Tuesday, April 4, 2017 at 6:10:44 AM UTC-5, pete...@hushmail.com wrote:
> Hi
> I can't install HVM with Windows 7 because the installation stops on the screen "Starting Windows". Before this I had installed and removed it many times. What can be succeeded? I have no problems with win8 or linux OS.
>
> Best

https://github.com/QubesOS/qubes-issues/issues/2488

Re: [qubes-users] Does Qubes Use GrSecurity?
On Saturday, April 8, 2017 at 9:57:26 PM UTC-4, superlative wrote:
> On Saturday, August 29, 2015 at 7:11:41 AM UTC-7, Marek Marczykowski-Górecki wrote:
> > Actually VM template doesn't have anything to say about kernel there. It is provided independently from dom0. If you want some custom kernel (for example grsec patched), you'll need to place it in dom0 in /var/lib/qubes/vm-kernels/SOME_NAME/
> >
> > Some docs, links:
> > 1. Expected files in /var/lib/qubes/vm-kernels/SOME_NAME/:
> > https://www.qubes-os.org/doc/TemplateImplementation/#modulesimg-xvdd
> > 2. Kernel packaging repo:
> > https://github.com/qubesos/qubes-linux-kernel
> > 3. qubes-prepare-vm-kernel - tool for preparing VM kernel based on one already installed in dom0. Part of `qubes-kernel-vm-support` package (not installed by default).
> > https://github.com/QubesOS/qubes-linux-utils/blob/master/kernel-modules/qubes-prepare-vm-kernel
> >
> > - --
> > Best Regards,
> > Marek Marczykowski-Górecki
> > Invisible Things Lab
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
>
> Can I please feature request dom0 getting grsecurity patches upstream from Qubes? Coming from someone who tried patching it myself once or twice, I still don't know how to configure the kernel with the new patch. I tried once, and I spent all day picking configurations to match my hardware, and I know I didn't get it all right because there were a lot of acronyms that I didn't understand even after googling them for tens of minutes. However, I just noticed this in the grsecurity instructions that might not have been there last time I tried it myself (I had to contact the developer of grsecurity to update their instructions before on gpg verification which were outdated, I spent enough time googling how to properly use gpg to tell the developer exactly what they needed to change in the instructions which he did), "It is recommended that you start by setting the Configuration Method option to Automatic." Will setting it to automatic mean I won't have to manually configure the hardware, so I can just focus on configuring grsecurity? If so, the grsecurity instructions don't say how to configure grsecurity. So even if I tried doing grsecurity on my own again, I would at least know how to configure (automatically) the hardware, but I still wouldn't know how to configure grsecurity. Or is that automatic too???

There is a coldkernel thread on here that uses grsecurity for a vm I think not dom0. That would probably just be an unnecessary nightmare for the developers too not just you lol.

Automatic settings, or for example if you choose security over performance, desktop over server. You have to pick xen obviously. There are like 3 or 4 diff "automatic" settings to choose from.

Grsecurity has default system wide protections which is "automatic" system wide protections in the kernel. Then there is something called RBAC, which is like a MAC system like Apparmor (which also works in qubes) which also has an "automatic" learning mode. The part I always had trouble with is that you eventually will have to know how to edit the rules file manually or add new programs or as system changes or things that your automatic profile won't catch.

Most Grsec devs don't even use RBAC I guess it's something mostly for servers. For me it was too much trouble for what it's worth. Obviously privilege escalation protections are not going to matter. BUT people forget you can also use GRSEC to restrict R00t!

[qubes-users] coldkernel status update
Hi everyone,

It has been some time since we posted on this list, so here is a brief update:

1. We have recently pushed 0.9a-4.9.20

2. An issue with switching from 4.8.x to 4.9.x was identified and fixed upstream (https://github.com/coldhakca/coldkernel/issues/55)

3. The blog post for Fedora support is currently being written

4. Final tests for Whonix support are underway

5. 0.9b will be released soon, with support for Fedora and 0.9c will follow soon after with full Whonix support (and a blog post, again.)

6. Once 0.9c is out, we will direct our efforts towards providing binaries for Qubes users (and potentially our other supported platforms)

7. After all above steps are complete, we will evaluate what the next steps should be. This may include attempting to provide a kernel for Dom0.

If anyone has questions / comments, please feel free to contact me directly.

Thanks!

--
Colin Childs
Coldhak
https://coldhak.ca
Twitter: @coldhakca

Re: [qubes-users] Does Qubes Use GrSecurity?
On Saturday, August 29, 2015 at 7:11:41 AM UTC-7, Marek Marczykowski-Górecki wrote:
> Actually VM template doesn't have anything to say about kernel there. It is provided independently from dom0. If you want some custom kernel (for example grsec patched), you'll need to place it in dom0 in /var/lib/qubes/vm-kernels/SOME_NAME/
>
> Some docs, links:
> 1. Expected files in /var/lib/qubes/vm-kernels/SOME_NAME/:
> https://www.qubes-os.org/doc/TemplateImplementation/#modulesimg-xvdd
> 2. Kernel packaging repo:
> https://github.com/qubesos/qubes-linux-kernel
> 3. qubes-prepare-vm-kernel - tool for preparing VM kernel based on one already installed in dom0. Part of `qubes-kernel-vm-support` package (not installed by default).
> https://github.com/QubesOS/qubes-linux-utils/blob/master/kernel-modules/qubes-prepare-vm-kernel
>
> - --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

Can I please feature request dom0 getting grsecurity patches upstream from Qubes? Coming from someone who tried patching it myself once or twice, I still don't know how to configure the kernel with the new patch. I tried once, and I spent all day picking configurations to match my hardware, and I know I didn't get it all right because there were a lot of acronyms that I didn't understand even after googling them for tens of minutes. However, I just noticed this in the grsecurity instructions that might not have been there last time I tried it myself (I had to contact the developer of grsecurity to update their instructions before on gpg verification which were outdated, I spent enough time googling how to properly use gpg to tell the developer exactly what they needed to change in the instructions which he did), "It is recommended that you start by setting the Configuration Method option to Automatic." Will setting it to automatic mean I won't have to manually configure the hardware, so I can just focus on configuring grsecurity? If so, the grsecurity instructions don't say how to configure grsecurity. So even if I tried doing grsecurity on my own again, I would at least know how to configure (automatically) the hardware, but I still wouldn't know how to configure grsecurity. Or is that automatic too???

[qubes-users] Re: HCL - Surface Pro 3 (i5-4300U 4Gb)
On Saturday, November 19, 2016 at 9:48:31 PM UTC-5, Johannes Zipperer wrote:
> I tested Qubes 3.2 with the Fedora 24 template for about 5 hours intensely.

I have been using Qubes 3.2 for about two months on a Surface Pro 2 (8GB RAM.) Most of my observations have been in line with yours. Overall, it works quite well and has become my full-time portable setup. Nice to see someone else trying Qubes on Surface Pro!

Re: [qubes-users] Qubes OS 3.2 Installation Issues: anaconda 'text mode' Installation Destination autopart failed LUKS
Can you share the exact solution for that? What boot kernel parameters have been used?

Cheers.

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?
> Don't be scared.

It's a Shawshank Redemption reference.

>>An additional key combination to insert information into the Dom0 database from a VM would be a minor convenience that could be put off until the tool is overhauled (and probably moved out of Dom0 entirely.)

> How many times do you see "insert" and the word dom0?

I'm assuming you're merely being lazy here, in which case I would appreciate it if you would refrain from spreading lies about things you can't be bothered to read. This is a difficult enough discussion without nonsense being injected.

If this isn't a matter of sloth and your reading comprehension abilities are actually limited to simple pattern matching, then there's no point in continuing this tangent.

Even assuming you ignored my clarifications entirely, you should pause for a moment and consider how reasonable it is that you are using a sentence containing the phrase "probably moved out of Dom0 entirely" to claim that I am proposing that $foo should be done in Dom0.

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?
On Saturday, April 8, 2017 at 4:32:05 PM UTC-4, Shane Optima wrote:
> >I wouldn't want a vm inserting anything in dom0.
>
> You're *still* spreading this nonsense? After what I just said?
>
> I don't know how much more clearly I lay this out, but let's give it a shot: Nothing is being 'inserted' into Dom0 and this does not in any way "open up" Dom0. This is a one-way street from Dom0 to the AppVMs, utilizing channels that already exist, and it could not function at all unless the tool was running *and* the user had manually set up a list of passwords in Dom0.
>
> Even if VMs are *completely compromised*, they remain unable to insert any information whatsoever into Dom0, they remain unable to generate the key combination that activates the tool, and in case of a spoofing attack (in the context of a total VM compromise, which goes far beyond the spoofing scenario suggested by M. Ouellet) they remain unable to request any passwords that the user had not previously earmarked as being associated with *that specific VM*. The Qubes isolation-based security model is thus being entirely preserved here.
>
> The aforementioned 'minor convenience' of the flow of information going the other way isn't being discussed at this time. It's not worth the bother and security implications, which is why I said that such functionality should wait until a more mature version of the tool comes along--a tool that probably doesn't utilize window titles at all and probably doesn't run in Dom0. And that feature might not even need to be implemented; there might be no real benefit vs. simply entering everything directly into the offline VM. I haven't thought about it yet! Because it isn't being discussed! As a *minor* convenience, it simply isn't on my radar right now. The concept was mentioned only to emphasize that it is what I am NOT suggesting. Capisce?
>
> Once again, the simple-to-create prototype version of the tool being talked about consists of Dom0 looking at window titles and then information flow occurs in a one-way street from Dom0 to the AppVMs, uses existing channels. Other than an optional anti-spoofing browser extension, the VMs would remain *entirely* ignorant of the existence of this tool, meaning that an attacker who entirely compromised a VM would not and could not know whether or not the tool were installed or running in Dom0.
>
> >I personally find you suspect.
>
> I'd tell you what I personally find you to be, but I don't wish to be locked up in solitary confinement.

Don't be scared.

" Absolutely nothing would happen if the user presses the "insert password" key combination if they haven't manually set up a password file on Dom0. An additional key combination to insert information into the Dom0 database from a VM would be a minor convenience that could be put off until the tool is overhauled (and probably moved out of Dom0 entirely.)"

How many times do you see "insert" and the word dom0?

[qubes-users] Re: HCL - Surface Pro 3 (i5-4300U 4Gb)
On Saturday, 19 November 2016 21:48:31 UTC-5, Johannes Zipperer wrote:
> I tested Qubes 3.2 with the Fedora 24 template for about 5 hours intensely.
>
> Installation: No problems during install. Bootable USB is only accepted when the Secure Boot keys are removed (hit ESC or DEL during boot for uefi). TPM Module seems not to be identified but I did not put much effort into diagnosing the problem.
>
> Connect wifi: After some trouble of finding the network manager in the sys-net qube I successfully connected. Oddly the reception bars are red while there is no issue using the web.
>
> Whonix: Following the installation wiki for whonix it worked out of the box to connect to the TOR network verified by check.torproject.org. I was able to watch a youtube clip with smooth playback and with working sound. HighDPI scaling has to be configured manually. The performance concerning web browsing is not much worse from firefox from the fedora-24 template.
>
> Windows: using in dom0 the command qvm-start Windows-10 --cd-rom=fedora-24:/home/user/Downloads/Windows.iso was not successful. So I gave up for now on that.
>
> Touchscreen and stylus: both work out of the box. Stylus connected not very reliably, but drawing lines and writing after that is fine. Onscreen keyboard is missing and I didn't get florence to type anything. Annotating PDFs works fairly well in Okular. Volume rocker and power button work out of the box
>
> USB-Devices and microSD: Mounted a FAT formatted USB drive successfully. Cherry DW5000 works out of the box but media keys and super key need configuring. I have no original type or touch cover to test. exFAT microSD didn't work. But the same microSD card worked in the built-in reader when formatted in NTFS (tested transferring and opening a JPG). Using a USB hub with SD cardreader worked out of the box.
>
> High DPI scaling: works generally well for touch control. Firefox opens first time after restart with too big UI elements and text. Icons in some applications like in Gimp are not scaled and kind of small. The dom0 and template applications are generally not scaled.
>
> Audio and Video: sound output works out of the box, playing mp3 in vlc as well, mp4 in vlc in software decoding mode very choppy. youtube videos are more fluid but no fullscreen support. streaming youtube videos in vlc didn't work. Recording audio from the microphone with pulsecaster works out of the box.
>
> installing software: I was able to install and use vlc, Okular, LibreOffice, Inkscape (bad stylus support), Gimp (better stylus support), Thunderbird, Darktable, I changed the language and keyboard layout to German successfully. Since I installed, tested and configured everything in the template I have to say something about the use inside a qube. I didn't test the pulsecaster, florence, Okular successfully in the "personal" qube.
>
> suspend reboot and shutdown: shutdown works, but is slow. device shows black screen after suspending and wakes up when a key is pressed, but I don't know if it really gets into the lower C states in between. reboot does not work.
>
> File manager: starting the file manager needs a second click in 50% of the cases when I wanted to start it. Copying files works.
>
> Performance and battery life: I assume that it is all rendered in software, so considering that, I think the performance is decent, maybe as a 1,3 GHz quad core Android phone regarding application start and tabbed browsing (sorry for the comparison =/). Battery life is lower than under Windows, I didn't find the brightness controls and the brightness sensor did not work out of the box, so my battery life was only around 3 hours.
>
> Reverting back to Windows: I successfully tested installing again Windows 10, which was previously tied to this device on a certain Microsoft account (important because of the license server, that works without keys). It was installed by a USB stick previously formatted by the media creation tool. The risk is not so high to try Qubes, although I recommend getting accustomed before using it in production. I hope this helps others.
>
> Life is good, Jesus is better!
> Johannes

Nice, but what do you do with only 4GB of RAM. Qubes is a RAM eater, my old workstation got pimped with 40GB of RAM and is now nice to use. I started with 8GB which it had in the beginning before installing Qubes and decided to go for 4 bars of 8GB, as 8GB is not useable at all if one has more than 2 or three machines running at a time. So a M$ surface is the wrong machine as the memory can not be extended, as I guess. How to open that thing and plug more RAM?

Qubes is an evil memory eating paranoid system ;-)

Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?
>I wouldn't want a vm inserting anything in dom0.

You're *still* spreading this nonsense? After what I just said?

I don't know how much more clearly I lay this out, but let's give it a shot: Nothing is being 'inserted' into Dom0 and this does not in any way "open up" Dom0. This is a one-way street from Dom0 to the AppVMs, utilizing channels that already exist, and it could not function at all unless the tool was running *and* the user had manually set up a list of passwords in Dom0.

Even if VMs are *completely compromised*, they remain unable to insert any information whatsoever into Dom0, they remain unable to generate the key combination that activates the tool, and in case of a spoofing attack (in the context of a total VM compromise, which goes far beyond the spoofing scenario suggested by M. Ouellet) they remain unable to request any passwords that the user had not previously earmarked as being associated with *that specific VM*. The Qubes isolation-based security model is thus being entirely preserved here.

The aforementioned 'minor convenience' of the flow of information going the other way isn't being discussed at this time. It's not worth the bother and security implications, which is why I said that such functionality should wait until a more mature version of the tool comes along--a tool that probably doesn't utilize window titles at all and probably doesn't run in Dom0. And that feature might not even need to be implemented; there might be no real benefit vs. simply entering everything directly into the offline VM. I haven't thought about it yet! Because it isn't being discussed! As a *minor* convenience, it simply isn't on my radar right now. The concept was mentioned only to emphasize that it is what I am NOT suggesting. Capisce?

Once again, the simple-to-create prototype version of the tool being talked about consists of Dom0 looking at window titles and then information flow occurs in a one-way street from Dom0 to the AppVMs, uses existing channels. Other than an optional anti-spoofing browser extension, the VMs would remain *entirely* ignorant of the existence of this tool, meaning that an attacker who entirely compromised a VM would not and could not know whether or not the tool were installed or running in Dom0.

>I personally find you suspect.

I'd tell you what I personally find you to be, but I don't wish to be locked up in solitary confinement.

[qubes-users] HCL - Dell Latitude E7250
Hi, I run Qubes R3.2 on my Dell Latitude E7250. Everything seems to work fine, just have to install with a usb3 key.

--
Damoun

Qubes-HCL-Dell_Inc_-Latitude_E7250-20170408-212414.yml Description: application/yaml
[qubes-users] Re: DispVM Configuration
On Thursday, April 6, 2017 at 2:41:30 PM UTC-4, Sam Hentschel wrote:
> Hey guys!
>
> I got it all to work, from what I've learned, you need to edit the templateVM
> in this case fedora-23 (or fedora-24 or whatever your template is). This is
> just like making an AppVM. After editing the templateVM, you go to the dom0
> terminal and type in:
>
> qvm-create-default-dvm
>
> and it will create a dvm template (e.g. fedora-23-dvm).
>
> So to get printing and scanning working in DispVMs you go to the template,
> install system-config-printer and simple-scan, and configure your
> printer/scanner with system-config-printer. After powering the template off,
> your DispVMs should allow you to print and scan.
>
> Thanks for all your help guys! I'm glad I could get this figured out!

I cloned a template for dispvm which I also install the printer software into. I do this cause it's easier to print something from random webpage, and cause I open files mostly in dispvm all the time anyways, easier to use across diff vms. I believe most users do this. I don't use a dispvm for the scanner, I just use a separate scanner appvm.

I turned my usb printer into a network printer with a raspberry pi. Yes the protocols are insecure, but I agree with Jean if you're worried about your printer I don't know how much more security benefit you get because of that fact. Your lan probably matters more or the printer hardware itself.

Besides isolating the printer drivers, the act of scanning and printing is really a privacy risk. Doesn't matter where you are connecting from.
[qubes-users] Adding more users/pass phrases to Qubes default disk encryption?
Hello,

Are there any pointers at how to achieve adding more users/pass phrases to the disk encryption setup as produced by a default Qubes install?

Sincerely, Joh
[qubes-users] Re: Why is there no built-in nvidia driver support? aka GTX 980 issues
On Friday, April 7, 2017 at 2:51:11 AM UTC-4, sl98077 wrote:
> On Thursday, March 9, 2017 at 11:56:52 PM UTC-5, cooloutac wrote:
> > Just to add you won't get any benefit from the Nvidia card. Qubes only
> > uses it for desktop effects. the vms don't have 3d rendering.
>
> It's not only about 3D rendering it has to do with users that want to also
> dual boot with a spare ssd, be a little mindful others have different
> obligations.. if Qubes wants to grow it needs to be readily available for all
> users.

dual booting another os? That would defeat the purpose. Qubes is for people who want some extra security. not a cool tech experiment.
[qubes-users] Re: Why is there no built-in nvidia driver support? aka GTX 980 issues
On Friday, April 7, 2017 at 1:56:58 PM UTC-4, john.c...@ucdconnect.ie wrote:
> On Friday, 16 September 2016 08:09:46 UTC+1, almigh...@gmail.com wrote:
> > Qubes was working flawlessly on my GTX 670, recently upgraded to a GTX 1070
> > and now I can't even load the installer
>
> What drivers did you install for the 670?
>
> I'm on a 660 atm, and haven't installed any drivers, but am getting screen
> tearing when fullscreening netflix/youtube.

You sure it's not a general linux problem?
Re: [qubes-users] Simple Dom0 password manager for an imperfect-but-strong security upgrade?
On Friday, April 7, 2017 at 6:37:21 PM UTC-4, Shane Optima wrote:
> cooloutac
> I'd rather not have such a tool sitting there "enabled". lol
>
> First off, you've ignored where I said that this should obviously be an
> opt-in thing that isn't present, as the mechanism is pretty hacky and the
> tool shouldn't be used by the careless.
>
> But second, it transcends mere hyperbole or 'FUD' and rises to the level of
> magical thinking to pretend that this would be so dangerous as to present a
> risk even if not used. Absolutely nothing would happen if the user presses
> the "insert password" key combination if they haven't manually set up a
> password file on Dom0.
>
> An additional key combination to insert information into the Dom0 database
> from a VM would be a minor convenience that could be put off until the tool
> is overhauled (and probably moved out of Dom0 entirely.)

I wouldn't want a vm inserting anything in dom0. But you are free to do what you want. I personally find you suspect.
[qubes-users] Re: SUCCESS: GPU passthrough on Qubes 3.1 (Xen 4.6.1) / Radeon 6950 / Win 7 & Win 8.1 (TUTORIAL + HCL)
Did anyone have any luck with GPU passthrough in gaming laptops with discrete GPU and iGPU?

On Wednesday, 22 June 2016 at 17:26:50 UTC+2, Marcus at WetwareLabs wrote:
> Hello all,
>
> I've been tinkering with GPU passthrough these couple of weeks and I thought
> I should now share some of my findings. It's not so much unlike the earlier
> report on GPU passthrough here
> (https://groups.google.com/forum/#!searchin/qubes-users/passthrough/qubes-users/cmPRMOkxkdA/gIV68O0-CQAJ).
>
> I started with Nvidia GTX 980, but I had no luck with ANY of the Xen
> hypervisors or Qubes versions. Please see my other thread for more
> information
> (https://groups.google.com/forum/#!searchin/qubes-users/passthrough/qubes-users/PuZLWxhTgM0/pWe7LXI-AgAJ).
>
> However after I switched to Radeon 6950, I've had success with all the Xen
> versions. So I guess it's a thing with Nvidia driver initialization. On a
> side note, someone should really test this with Nvidia Quadros that are
> officially supported to be used in VMs. (And of course, there are the hacks
> to convert older Geforces to Quadros..)
>
> Anyway, here's a quick and most likely incomplete list (for most users) for
> getting GPU passthrough working on Win 8.1 VM. (works identically on Win7)
>
> Enclosed are the VM configuration file and HCL file for information about my
> hardware setup (feel free to add this to HW compatibility list!)
>
> TUTORIAL
>
> Check which PCI addresses correspond to your GPU (and optionally, USB host)
> with lspci. Here's mine:
> ...
>
> # lspci
>
> 03:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Cayman XT [Radeon HD 6970]
> 03:00.1 Audio device: Advanced Micro Devices, Inc. [AMD/ATI] Cayman/Antilles HDMI Audio [Radeon HD 6900 Series]
>
> Note that you have to pass both of these devices if you have similar GPU with
> dual functionality.
>
> Edit /etc/default/grub and add following options (change the pci address if
> needed):
>
> GRUB_CMDLINE_LINUX=" rd.qubes.hide_pci=03:00.0,03:00.1 modprobe=xen-pciback.passthrough=1 xen-pciback.permissive"
> GRUB_CMDLINE_XEN_DEFAULT="... dom0_mem=min:1024M dom0_mem=max:4096M"
>
> For extra logging:
>
> GRUB_CMDLINE_XEN_DEFAULT="... apic_verbosity=debug loglvl=all guest_loglvl=all iommu=verbose"
>
> There are many other options available, but I didn't see any difference in
> success rate. See here:
> http://xenbits.xen.org/docs/unstable/misc/xen-command-line.html
> http://wiki.xenproject.org/wiki/Xen_PCI_Passthrough
> http://wiki.xenproject.org/wiki/XenVGAPassthrough
>
> Update grub:
>
> # grub2-mkconfig -o /boot/grub2/grub.cfg
>
> Reboot. Check that VT-d is enabled:
>
> # xl dmesg
> ...
> (XEN) Intel VT-d iommu 0 supported page sizes: 4kB, 2MB, 1GB.
> (XEN) Intel VT-d iommu 1 supported page sizes: 4kB, 2MB, 1GB.
> (XEN) Intel VT-d Snoop Control not enabled.
> (XEN) Intel VT-d Dom0 DMA Passthrough not enabled.
> (XEN) Intel VT-d Queued Invalidation enabled.
> (XEN) Intel VT-d Interrupt Remapping enabled.
> (XEN) Intel VT-d Shared EPT tables enabled.
> (XEN) I/O virtualisation enabled
> (XEN) - Dom0 mode: Relaxed
>
> Check that pci devices are available to be passed:
>
> # xl pci-assignable-list
> :03:00.0
> :03:00.1
>
> Create disk images:
>
> # dd if=/dev/zero of=win8.img bs=1M count=3
> # dd if=/dev/zero of=win8-user.img bs=1M count=3
>
> Install VNC server into Dom0
>
> # qubes-dom0-update vnc
>
> Modify the win8.hvm:
> Check that the disk images and Windows installation CDROM image are correct,
> and that the IP address does not conflict with any other VM (I haven't
> figured out yet how to set up dhcp)
> Check that 'pci = [ ]' is commented for now
>
> Start the VM ( -V option runs automatically VNC client)
>
> # xl create win8.hvm -V
>
> If you happen to close the client (but VM is still running), start it again
> with
>
> # xl vncviewer win8
>
> Note that I had success starting the VM only as root. Also killing the VM
> with 'xl destroy win8' would leave the qemu process lingering if not done as
> root (if that occurs, you have to kill that process manually)
>
> Install Windows
> Partition the user image using 'Disk Manager'
> Download signed paravirtualized drivers here (Qubes PV drivers work only in
> Win 7):
> http://apt.univention.de/download/addons/gplpv-drivers/gplpv_Vista2008x64_signed_0.11.0.373.msi
> Don't mind the name, it works on Win 8.1 as well.
> For more info:
> http://wiki.univention.com/index.php?title=Installing-signed-GPLPV-drivers
>
> Move the drivers inside user image partition (shut down VM first):
>
> # losetup (Check for free loop device)
> # losetup -P /dev/loop10 win8-user.img (Setup loop device and scan partition. Assuming loop10 is free)
> # mount /dev/loop10p1 /mnt/removable ( Mount the first partition )
> - copy the driver there and unmount.
>
> Reboot VM, install paravirtual drivers and reboot again
> Create this script inside sys-firewall (check
Re: [qubes-users] can't install kernel-qubes-vm from qubes-dom0-unstable repo
On 04/08/2017 05:35 AM, Holger Levsen wrote:
> > If not, try 'sudo qubes-dom0-update kernel-qubes-vm-4.8.12-12
> > --enablerepo=qubes-dom0-unstable --action=reinstall'
>
> this doesn't work anymore:
>
> ERROR: yum version installed in VM sys-firewall does not support --downloadonly option
> ERROR: only 'install' and 'upgrade' actions support (reinstall not)

This sounds like you're using Debian as your updatevm. This is one of the few reasons I keep Fedora around.

Hope your upgrade works!

--
Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] SSD+malicious HDD?
On Sat, Apr 08, 2017 at 12:22:05AM -0400, Chris Laprise wrote:
> On 04/05/2017 12:02 AM, g...@vfemail.net wrote:
> >|Hi guys
> >1. I have installed and update Qube-os on my SSD and after i connect to
> >motherboard HDD.SSD- primary, HDD-secondary. It attached directly to
> >Dom0. If my HDD - malicious, is it a threat?
>
> Future versions of Qubes may be able to protect against a malicious HDD, but
> not currently. Even an AEM-enabled Qubes could be vulnerable to a DMA
> attack.
>
> >2.Is Debian 9 safer than Debian 8, or Fedora 24 more safer than Fedora 23?
> >Thanks|
>
> The first three are receiving security updates, but the fourth is not
> because it's at end-of-life.
>
> Chris

Debian-8 is somewhat more secure than Debian-9, in that the priority is to release security updates for stable(8). Updates for unstable may be delayed for assorted reasons, sometimes weeks after a fix for stable.

Note too that for Debian systems there are no security updates for packages from the contrib and non-free repositories. I am fairly certain that a default install has those repositories enabled - you can disable them by removing the names from /etc/apt/sources.list, but this will restrict the software that is available to you. It's a clear trade off. (This is an oversimplification in that some packages may get updates, but there isn't a systematic security update process for these packages.)

(It's one of those cases where Qubes trades convenience against security - this one is a mistake imo.)
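One way to check which active entries enable contrib or non-free, and to preview the file with those names removed, as described in the message above. This is an added example, not part of the original post; the sample file contents and the function names (sample_sources, audit_sources, strip_nonmain) are constructed for illustration and assume the one-line sources.list format.

```shell
#!/bin/sh
# Constructed sample in one-line sources.list format (not taken from the thread).
sample_sources() {
cat <<'EOF'
# Debian 8 "jessie" (constructed sample)
deb http://deb.debian.org/debian jessie main contrib non-free
deb-src http://deb.debian.org/debian jessie main
deb [arch=amd64] http://security.debian.org jessie/updates main contrib
#deb http://deb.debian.org/debian jessie-backports main non-free
EOF
}

# Print "LINE_NO: component" for each active entry enabling contrib/non-free.
audit_sources() {
    awk '
    /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
    $1 == "deb" || $1 == "deb-src" {
        i = 2
        if ($i ~ /^\[/) {                       # skip an optional [ options ] group
            while (i <= NF && $i !~ /\]$/) i++
            i++
        }
        i += 2                                  # skip URI and suite
        for (; i <= NF; i++)
            if ($i == "contrib" || $i == "non-free")
                printf "%d: %s\n", NR, $i
    }' "$1"
}

# Print the file with contrib/non-free removed from active entries.
# An entry left with no component at all is commented out instead.
strip_nonmain() {
    awk '
    /^[ \t]*(#|$)/ { print; next }
    $1 == "deb" || $1 == "deb-src" {
        i = 2
        if ($i ~ /^\[/) {
            while (i <= NF && $i !~ /\]$/) i++
            i++
        }
        i += 2
        out = $1
        for (j = 2; j < i; j++) out = out " " $j
        kept = 0
        for (; i <= NF; i++)
            if ($i != "contrib" && $i != "non-free") { out = out " " $i; kept++ }
        if (kept) print out; else print "# " $0
        next
    }
    { print }' "$1"
}

# Run against the constructed sample so the script works offline.
tmp=$(mktemp)
sample_sources > "$tmp"
audit_sources "$tmp"
strip_nonmain "$tmp"
rm -f "$tmp"
```

Files under /etc/apt/sources.list.d that use the same one-line format can be checked the same way; strip_nonmain only prints to standard output, so nothing is changed until the result is reviewed and written back.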
Re: [qubes-users] can't install kernel-qubes-vm from qubes-dom0-unstable repo
On Sat, Apr 08, 2017 at 12:03:55AM -0400, Chris Laprise wrote:
> I think 'rpm -qa' is essentially saying the package is installed.

I think you misread the output I posted, it was:

[user@dom0 ~]$ rpm -qa |grep kernel
qubes-core-dom0-linux-kernel-install-3.2.12-1.fc23.x86_64
kernel-4.4.14-11.pvops.qubes.x86_64
kernel-4.4.38-11.pvops.qubes.x86_64
kernel-4.8.12-12.pvops.qubes.x86_64
kernel-qubes-vm-4.4.14-11.pvops.qubes.x86_64
kernel-qubes-vm-4.4.38-11.pvops.qubes.x86_64

and clearly lacks kernel-qubes-vm 4.8.12 :)

> If the rpm is still cached in dom0, you can try 'sudo dnf reinstall
> kernel-qubes-vm-4.8.12-12'.

this didn't do the trick, but it made me look again on the filesystem as qubes-dom0-update also said it was cached… so this time I went for "sudo find / |grep kernel-qubes-vm" which found it in /var/lib/qubes/updates/rpm/ so I just installed it with "rpm -i $file" which worked nicely.

However, it didn't show me the conflict dnf showed me while using qubes-dom0-update and I still would like to know what conflict that was…!

> If not, try 'sudo qubes-dom0-update kernel-qubes-vm-4.8.12-12
> --enablerepo=qubes-dom0-unstable --action=reinstall'

this doesn't work anymore:

ERROR: yum version installed in VM sys-firewall does not support --downloadonly option
ERROR: only 'install' and 'upgrade' actions support (reinstall not)

So thanks, your reply made me dig deeper and find a manual workaround, but I still would be more happy if qubes-dom0-update would work to install kernel-qubes-vm 4.8.12-12 in a way that one can document in qubes-doc…

Now hoping that this will indeed make my system more stable too. I'll see.

--
cheers, Holger