[qubes-users] Impact of the Intel hyper-threading bug [Skylake & Kaby Lake]?

[private user82]

I am concerned about the recent bug affecting Skylake and Kaby Lake gen Intel 
processors - https://lists.debian.org/debian-devel/2017/06/msg00308.html

As BIOS updates aren't yet available from many mobo manufacturers, how can we 
Qubes users best defend ourselves against an exploit? In this post I am hoping 
to reach out to someone who may be able to comment on how we can best configure 
our platforms until a fix is available.

Following the advice in the linked Debian advisory, I have disabled 
hyper-threading in the BIOS settings. My questions are as follows:

1) When I check /proc/cpuinfo in dom0, 'ht' remains listed as a flag 
(capability). Running $ lscpu in dom0 indicates that 'Threads per core: 1' so I 
assume the BIOS has in fact disabled hyper-threading. Is this correct, or 
should the flag also disappear when functionality is disabled in BIOS settings?

2) Is it safe to run multiple VCPUs (up to the number of physical cores) for 
each Guest VM. Or, in light of this bug, should we only be using a single VCPU 
for each guest?

Many thanks in advance.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/129571500992085%40web5j.yandex.ru.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] dvm starting extremly slow -> guid

[Qru]

Hi,

some days ago I installed the fedora-25 template, but didn't use it 
because first I wanted to test it.

I also updated my templates (around 20) and dom0.

Then I noticed that starting a dvm takes really long (around 45 
Seconds).
Before it was about 3 seconds, which is somehow acceptable. But 40 
seconds?


I now changed the dvm to fedora-25 to perhaps improve the behaviour but 
the dvm startet even slower (around 50 seconds).


To test it, I startet the dvm from the dom0-console:

[user@dom0 ~]$ sh - c 'echo firefox | usr/lib/qubes/qfile-daemon-dvm 
qubes.VMShell dom0 DEFAULT red'

time=1500551220.14, qfile-daemon-dvm init
time=1500551220.14, creating DispVM
time=1500551220.19, collection loaded
time=1500551220.19, VM created
time=1500551220.2, VM starting
time=1500551220.2, creating config file
time=1500551220.31, calling restore
time=1500551221.25, done
time=1500551221.27, done qubesdb
time=1500551221.27, resumed
time=1500551221.46, qrexec done
time=1500551271.78, guid done
time=1500551271.78, VM started
time=1500551271.79, reloading firewall
time=1500551271.8, starting VM process

It seems that guid startup takes 50 seconds. What is going on there or 
how can I debug it further?


Qru

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/93e37a22cfb07b8441af296f4ccc8bb7%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: HCL report for acer aspire v5-572pg

[Oleg Artemiev]

On Mon, Jul 24, 2017 at 6:57 PM, Oleg Artemiev  wrote:
> Hello.
>
> No sound by dedefault, no vt-d
actually sound works, sorry for mistake.

> Though, this is temporary laptop till I'll have fully compatible purism one.
> I'ven't removed any numbers. This laptop is obviously not for Qubes.
>
> It's okay to put this onto the Qubes Web HCL.

-- 
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6OJOvwQO2XSzQ1O1i7Tg9pV37F4FFHguSBG0j32rsDhxw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Unable to install KDE desktop

[nzfrio]

On Monday, 24 July 2017 08:25:43 UTC+12, dava...@gmail.com  wrote:
> Hi,
> 
> Running the command "sudo qubes-dom0-update @kde-desktop-qubes" in dom0 
> returns the following error:
> "Warning: Group 'kde-desktop-qubes' does not exists."
> 
> Am I doing something wrong?

I have the same issue; I've been digging through documentation and attempting 
to list available groups to find out where it's gone, but to no avail.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a4ebf595-dd40-4857-ab89-053f3cfdebe7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Need Help! Can´t get Access to Systemfiles like guid.conf grub

[Unman]

On Tue, Jul 25, 2017 at 10:14:26AM -0700, darkstrange...@gmail.com wrote:
> Need Help! Can´t get Access to Systemfiles and folders. 
> Can´t access to the Grub.d Folder and can´t open the guid.conf files. I´m a 
> new Qubes OS User so sorry for this question. But i didn´t find any help yet. 
> Can anyone tell me how i can open the folder and edit the System Files?
> 
> Many thanks
> 

Open a terminal in dom0 - from menu or by right-clicking on desktop.
Then 'sudo su' will give you root.
Remember, with great power comes great responsibility.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170725225728.zz26pqlic7abafvi%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes Blog ? and/or Fedora 25 notices ?

[Unman]

On Mon, Jul 24, 2017 at 08:21:24PM -1000, yreb-qusw wrote:
> Hello,
> I don't really see where  , if anywhere,  there is official Qubes type
> updates for the OS , other than the canary and QSB thing
> https://www.qubes-os.org/news/
> 
> ie., the Docs to see seem a bit static, Maybe that is what this mailing list
> is for in part.
> 
> 
> For Example, is there a show of hands for people using Q3.2  whom have
> updated to F25?and/or  when if ever, would I know that , that may be
> recommended ?
> 
> Maybe when some doc appears in the Docs section ?
> 
> ---

There's a qubes-announce list, which has significant notifications, but
otherwise news comes through on this list, sometimes by announcement 
and sometimes just filters through.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170725225151.mn6bsuwa5muxy6y3%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Soft U2F in Qubes?

[Rusty Bird]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Micah Lee:
> How hard would it be to build a Qubes version of Soft U2F that stores
> the secret in a separate VM, similar to split gpg? This could make using
> U2F much more usable and secure inside of Qubes, I think.

I suppose the most secure way (which avoids the USB protocol's attack
surface) would be to have the separate VM implement only the "high
level" U2F device, connect it to the browsing VM via qrexec, and then
hook that up the browser (either by emulating a USB device, or via a
specialized browser extension). Someone could probably do this by
cannibalizing e.g. virtual-u2f [1].

If the website supports TOTP as well, and you're okay with Tor Browser
or Firefox, you may be interested in Split Browser [2]. Its TOTP login
is almost as slick - Ctrl-Shift-Enter to request logging in, Enter to
confirm.

Rusty


1. https://github.com/mplatt/virtual-u2f
2. https://github.com/rustybird/qubes-split-browser
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZd6pCXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfjm0QAI8yXlDCeycu0a6bwyGiTuHL
BT+9Ej8xWeKdLgAf61/kagSBn12M+w8aCpX/ZNjOSHMCl5j8mn+OLz0KpMivP1CL
rXakk9thv9DMh2MemvtTzaVpI4Zf50yvZG9kHFj0oT9Y+aEIuClj+lOmwmVKQ3Xi
iSZeu6uWwUNbUlRZ0hQgLJULd/H4uFkQyqzpAa9kC75KsgEZ/zwORUloO4JJZO7/
5YOw18/WH7k+X4XMLyNlTHmLI8NcG35R91t7yDSBrSxr6VQroj1QPEDW2rtESgkb
YuxlspIB3g+MzS+oXk3OSA/9ew5rMC4gp/Lk0vDtTTdA9HoY+YDnD93Xi54FBqJR
TjcVL8ODM3pTI2RYkQxOCqCxj4t8nXr18GzvNshNSfbUvZRFgOc7lnhkS8xnf1eW
nVbVcZV8yvv0uCslYrnWb451EAU8xsOcM5NOvX4paGjAWS2DjKsQXvEzez7bz4os
ziRQ0KO98Pd4RUOY+PMhCKBoZKQdzF3IcvcGeDcmhuxeYnFfpMXACkQ61reaijbV
dxUWrvzMZ6MxhW/StSQy9OMcNiP98UlHU1VfP1PfiEY+cFa/citfyK4cTdB0WEB/
4YjpxWyLd55UwMrGblJ+op3NyqbkpqAUcXjyhq6zdttkFgdNdST6deNDUr0MQjCU
LAJBzr/0WaOv8ZS/P/xu
=FSN9
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170725202954.GB6414%40mutt.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes OS Systemfiles are read only to root, need help

[darkstranger80]

Ok Manny thanks and cam u Tell a noob how it goes?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/37842fa7-6024-4e92-a1f6-cc6e9d5edd27%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes OS Systemfiles are read only to root, need help

[Chris Laprise]

On 07/25/2017 03:15 PM, darkstrange...@gmail.com wrote:

how i can change it to change and edit system files?



If your shell is running in dom0 and root can't alter system files, then 
has your / filesystem been mounted as read-only? This can happen if a 
problem was encountered during boot.


Running 'mount' command by itself will tell you if / was mounted as 
read-only. If so, you can try re-mounting it with the '-o remount,rw' 
options.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4bdb6911-55cb-8fa1-6812-821a800101fb%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] qvm-run problem with strings containing & ?

[Chris Laprise]

On 07/25/2017 12:49 PM, mittend...@digitrace.de wrote:

Hello Qubes users.

I use qvm-run to start a firefox in a disp-vm.

The command is
/usr/bin/qvm-run --dispvm firefox "$url"
or
/usr/bin/qvm-run --dispvm "firefox "$url""

This works fine, as long as there is no & in the url. If there is an &,
this letter and all following symbols are removed.

If I use

firefox "$url"

the correct url is opened up in the current VM as expected

Is this a bug in qvm-run or is there an error in the command?

Thanks.



Than again, maybe not quite a bug. The quotes you supply are used-up by 
the dom0 shell. This is expected.


Running the command with --pass-io, you can see that everything to the 
right of & is run as a separate command on the target VM, except when 
its escaped as \&.


  qvm-run --pass-io untrusted "notify-send HI"
...results in "WHAT not found" in red lettering (from untrusted VM). But 
using \& works as a single command.


You can also supply an additional set of quotes like this:

  qvm-run --pass-io untrusted "notify-send \"HI\""

This quoting method seems mose usable because you don't have to be 
vigilant about escaping different characters... just escaping the extra 
quotes should do it.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f8f6955a-5bdf-877a-85b6-791e91757c52%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Qubes OS Systemfiles are read only to root, need help

[darkstranger80]

how i can change it to change and edit system files?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9e8ca3a4-a2a0-4167-b274-f6507a302da6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] qvm-run problem with strings containing & ?

[Chris Laprise]

On 07/25/2017 12:49 PM, mittend...@digitrace.de wrote:

Hello Qubes users.

I use qvm-run to start a firefox in a disp-vm.

The command is
/usr/bin/qvm-run --dispvm firefox "$url"
or
/usr/bin/qvm-run --dispvm "firefox "$url""

This works fine, as long as there is no & in the url. If there is an &,
this letter and all following symbols are removed.

If I use

firefox "$url"

the correct url is opened up in the current VM as expected

Is this a bug in qvm-run or is there an error in the command?

Thanks.



Might be a bug. As a workaround, have you tried escaping the character 
with a backslash like this: \&


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1ec8474f-451a-9611-527d-a075be4b3dfb%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Soft U2F in Qubes?

[Micah Lee]

GitHub has released an interesting piece of Mac software called Soft
U2F: https://githubengineering.com/soft-u2f/

It's basically a virtual security key, and it stores its secret in the
macOS keyring. When you login to a website with 2FA, instead of using a
physical USB security key, you just click an "approve" button that pops up.

Their blog about it says: "Authenticators are normally USB devices that
communicate over the HID protocol. By emulating a HID device, Soft U2F
is able to communicate with your U2F-enabled browser, and by extension,
any websites implementing U2F."

As it stands, U2F is a pain in Qubes because you have to deal with USB
passthrough, and exposing your VMs to sys-usb.

How hard would it be to build a Qubes version of Soft U2F that stores
the secret in a separate VM, similar to split gpg? This could make using
U2F much more usable and secure inside of Qubes, I think.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/518a8fa7-05f3-f1ea-247a-bff614acbdc6%40micahflee.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Need Help! Can´t get Access to Systemfiles like guid.conf grub

[darkstranger80]

Need Help! Can´t get Access to Systemfiles and folders. 
Can´t access to the Grub.d Folder and can´t open the guid.conf files. I´m a new 
Qubes OS User so sorry for this question. But i didn´t find any help yet. Can 
anyone tell me how i can open the folder and edit the System Files?

Many thanks

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/766336f9-518f-462a-9fbe-3687dbc88ab0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] qvm-run problem with strings containing & ?

[mittendorf]

Hello Qubes users.

I use qvm-run to start a firefox in a disp-vm.

The command is
/usr/bin/qvm-run --dispvm firefox "$url"
or
/usr/bin/qvm-run --dispvm "firefox "$url""

This works fine, as long as there is no & in the url. If there is an &,
this letter and all following symbols are removed.

If I use

firefox "$url"

the correct url is opened up in the current VM as expected

Is this a bug in qvm-run or is there an error in the command?

Thanks.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e9bbe3cd-9fff-d1f9-28ce-e7f47ad43453%40digitrace.de.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] HCL - Lenovo Miix 700

[Timon Orawski]

Generally exceptionally usable (low ram can be an issue sometimes)

Gotchas:
- had to disable secure boot
- I had to upgrade the fedora-23 templatevm to fedora 24 on a different
machine and transfer it via usb to get wifi working.

Working: WIFI, USB, suspend, touchscreen, hardware buttons and multimedia
keys except for airplane mode.
Video appears to be unaccelerated.


Have not yet tested cameras, external display via mini-hdmi or sd card slot.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CACMYrpHBN1TH%2B9zYyi-Kds%3DDmfTUsDB2ZXUMQ3aZE2-YYMa12A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Qubes-HCL-LENOVO-80QL-20170725-115139.yml
Description: application/yaml

Re: [qubes-users] Re: Anyone got a intel z270 motherboard to work with Qube os

[Paulo Marques]

> Yeah, using a different network adapter worked fine. Even though the onboard 
> NIC is listed for passthrough to net-sys, the net-sys always indicated a 
> modulo error when booted. 
> 
> 
> I bought some cheap gb adapters off amazon for like 4$ a while back, and it 
> worked without any configuration on a fresh install 
> 
> 
I Ivan,

Can you explain in detail how did you did to work out with the Asus Z-270 
Prime? I got the same problem a few weeks ago and couldn't make it work yet. 
https://groups.google.com/forum/#!msg/qubes-users/ikMEsdOjeoU/jHy5Q00nBAAJ
Thanks !!!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2814baca-f112-40dd-b47e-eb6001cafa89%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Qubes Blog ? and/or Fedora 25 notices ?

[rob_66]

yreb-qusw:
> updated to F25? that may be
> recommended ?

I did it four weeks ago (upgraded the existing F24 templates) an haven't
been run in no issues at all.

So: recommended from my point of view.

https://www.qubes-os.org/doc/template/fedora/upgrade-24-to-25/

Cheers, Rob

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/416c605a-46c0-cbae-424d-4ea3dac5800b%40posteo.es.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Qubes Blog ? and/or Fedora 25 notices ?

[yreb-qusw]

Hello,
I don't really see where  , if anywhere,  there is official Qubes type 
updates for the OS , other than the canary and QSB thing

https://www.qubes-os.org/news/

ie., the Docs to see seem a bit static, Maybe that is what this mailing 
list is for in part.



For Example, is there a show of hands for people using Q3.2  whom have 
updated to F25?and/or  when if ever, would I know that , that may be 
recommended ?


Maybe when some doc appears in the Docs section ?

---

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8e5071ee-d52a-f7ab-43bb-14832a2c7b9b%40riseup.net.
For more options, visit https://groups.google.com/d/optout.