Re: [qubes-users] qrexec to mimic ssh listen?

2017-09-21 Thread 0xB44EFD8751077F97
Unman:
> On Sat, Sep 16, 2017 at 06:43:00PM +, 0xB44EFD8751077F97 wrote:
>> Using Qubes3.2, I'm attempting to create a communication
>> channel between two VMs. One VM without networking. I'd like to mimic
>> ssh -L port:localhost:port.
>>
>> I think a qrexec rpc should work, but I'm not sure what to include in
>> the rpc-action file. Any help is appreciated.
>>
>> Thanks!
> 
> Have a look at this using socat:
> https://github.com/QubesOS/qubes-issues/issues/2148
> 
> Although it's still marked as open, it works well and is used in Qubes
> 4.0.
> 
> socat TCP-LISTEN:444,fork EXEC:"qrexec-client-vm target-vm my-tcp-service"
> does just what you want.
> 
> If you had my-tcp-service on target-vm: 
> socat STDIO TCP:localhost:22
> 
> You could 'ssh localhost:' and ssh in to target, even when target is not 
> networked.
> A little simple scripting and you can have this as a general listener to
> connect to different services on targets.
> 
> unman
> 
Awesome, this really helped me. Thank you so much!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8b27a8d0-730c-3e3e-4ee7-bfc6bf13503c%40firemail.cc.
For more options, visit https://groups.google.com/d/optout.
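
The forward Unman describes has three pieces: a socat listener in the client qube, an rpc-action file in the target qube, and a dom0 policy entry. The script below is an added example, not part of the thread; it renders all three for a small table of forwards, which goes one step beyond the single case in the reply (the "general listener" it mentions). `source-vm`, `web-vm`, `my-http-service`, the `bind=127.0.0.1` option and the explicit deny line are assumptions added here, and the policy syntax is the Qubes 3.2 one.

```shell
#!/bin/sh
# Added example, not from the thread. my-tcp-service and target-vm are the
# thread's names; source-vm, web-vm and my-http-service are assumed.

# Qube and service names: letters, digits, '_', '.', '-' only and no leading
# '-', so a name cannot alter the socat EXEC: address or the policy line.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Decimal TCP port in 1..65535, no leading zero.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# rpc-action file for the target qube, installed as /etc/qubes-rpc/<service>.
# qrexec wires the caller's stream to this command's stdin/stdout.
service_file() {    # $1 = port on the target's loopback
    valid_port "$1" || return 1
    printf '#!/bin/sh\nexec socat STDIO TCP:localhost:%s\n' "$1"
}

# dom0 policy, installed as /etc/qubes-rpc/policy/<service> (Qubes 3.2 syntax):
# allow exactly one source/target pair, deny every other caller.
policy_file() {     # $1 = source qube, $2 = target qube
    valid_name "$1" && valid_name "$2" || return 1
    printf '%s %s allow\n$anyvm $anyvm deny\n' "$1" "$2"
}

# Listener for the source qube. bind=127.0.0.1 is added here: without it
# socat accepts connections on every interface of the qube. Ports below
# 1024, such as the thread's 444, need root to bind.
listener_cmd() {    # $1 = local port, $2 = target qube, $3 = service
    valid_port "$1" && valid_name "$2" && valid_name "$3" || return 1
    printf 'socat TCP-LISTEN:%s,bind=127.0.0.1,reuseaddr,fork EXEC:"qrexec-client-vm %s %s"\n' \
        "$1" "$2" "$3"
}

# Constructed table: local_port source_qube target_qube service remote_port
FORWARDS='444 source-vm target-vm my-tcp-service 22
8080 source-vm web-vm my-http-service 80'

# Render every row; a row with a bad name or port aborts with status 1
# before anything is printed for it. The body runs in a subshell.
render_all() (
    printf '%s\n' "$1" | while read -r lport src dst svc rport; do
        svcfile=$(service_file "$rport") &&
            policy=$(policy_file "$src" "$dst") &&
            listen=$(listener_cmd "$lport" "$dst" "$svc") || exit 1
        printf '== %s -> %s (%s)\n' "$src" "$dst" "$svc"
        printf '[%s] /etc/qubes-rpc/%s:\n%s\n' "$dst" "$svc" "$svcfile"
        printf '[dom0] /etc/qubes-rpc/policy/%s:\n%s\n' "$svc" "$policy"
        printf '[%s] run:\n%s\n\n' "$src" "$listen"
    done
)

render_all "$FORWARDS"
```

The rpc-action file has to be executable in the target qube, and the policy file is what decides which qube may open the tunnel, so it should name the one client rather than a wildcard.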


[qubes-users] Mounting HDD to Windows HVM in Qubes R3.2

2017-09-21 Thread Gaijin
I have an issue trying to use some internal HDD in a new Qubes R3.2
install. The machine was previously Windows, so the HDD were NTFS
formatted, and they contain various work and backup data. Qubes is on
its own SSD.

Initially Qubes could not see the drives from dom0, so I couldn't attach
them to appVMs. I looked around some forum posts and found someone
suggesting the use of:

sudo ntfsfix /dev/sdb1

Running that on the drives from dom0 allowed me to see the drives and
manipulate their contents on Fedora and Debian based VMs. However, if I
try to attach these same drives to a Windows 7 or Windows 10 HVM,
Windows tells me it needs to format the drives to see them. (I'm
attaching them through VM settings | Advanced | Additional drive with
the backend domain dom0 and the path /dev/sdb) Formatting the drives
isn't an option as I have data on them.

If I run fsck on the volumes from dom0 it tells me they are dirty, but I
can still access the files without issue (outside Windows), but I don't
think it's a hardware issue.

I would like to be able to access these drives from both Windows and
Linux (via Qubes). Any ideas of how I could proceed?



[qubes-users] Re: Again last dom0 update broke kernel connection

2017-09-21 Thread Marek Marczykowski-Górecki

On Thu, Sep 21, 2017 at 04:02:42PM -0300, Franz wrote:
> On Thursday, September 21, 2017, Marek Marczykowski-Górecki <
> marma...@invisiblethingslab.com> wrote:
> > On Thu, Sep 21, 2017 at 12:54:45PM -0400, Michael Carbone wrote:
> >> On 09/21/2017 12:47 PM, Franz wrote:
> >> > None vm starts except dom0
> >> >
> >> > I am writing this email by a cell phone
> >> >
> >> > -Changing the kernel with qubes manager GUI does not work
> >>
> >> you can use the GUI, just change the VM to a different kernel in VM
> >> Settings > Advanced (and click okay), then change it back to the kernel
> >> you want. this was the same GUI-based workaround as last time.
> >>
> >> > -the terminal line that worked last time runs without errors but does not
> >> > solve the problem:
> >> >
> >> > for VM in `qvm-ls --raw-list`; do qvm-prefs $VM kernel default; done
> >> >
> >> > When I try to start a VM an alert message appears in the upper left telling
> >> > that VM kernel does not exists at
> >> > /var/lib/qubes/vm-kernels/4.4.67-13/vmlinuz and it is right: kernels are
> >> > all newer than 4.9.
> >> >
> >> > But why is it looking for 4.4.67-13? Hope there is a fix.
> >
> > You can list used kernels by all VMs using qvm-ls -k. Probably one or
> > two of them are still set to use 4.4.67-13.
> 
> Exactly all 54 of them are listed to use 4.4.67-13 except a couple of them
> that I changed to 4.9.45-21 using qubes manager GUI. But even those two
> that show the right kernel do NOT start giving the same alert of not
> finding 4.4.67-13.

They are probably connected to some VM using 4.4.67-13.

Check what the default kernel is set to:

qubes-prefs default-kernel

If it's still 4.4.67-13, change it to a newer one (4.9.45-21):

qubes-prefs default-kernel 4.9.45-21

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


[qubes-users] Re: Again last dom0 update broke kernel connection

2017-09-21 Thread Franz
On Thursday, September 21, 2017, Marek Marczykowski-Górecki <
marma...@invisiblethingslab.com> wrote:
> On Thu, Sep 21, 2017 at 12:54:45PM -0400, Michael Carbone wrote:
>> On 09/21/2017 12:47 PM, Franz wrote:
>> > None vm starts except dom0
>> >
>> > I am writing this email by a cell phone
>> >
>> > -Changing the kernel with qubes manager GUI does not work
>>
>> you can use the GUI, just change the VM to a different kernel in VM
>> Settings > Advanced (and click okay), then change it back to the kernel
>> you want. this was the same GUI-based workaround as last time.
>>
>> > -the terminal line that worked last time runs without errors but does not
>> > solve the problem:
>> >
>> > for VM in `qvm-ls --raw-list`; do qvm-prefs $VM kernel default; done
>> >
>> > When I try to start a VM an alert message appears in the upper left telling
>> > that VM kernel does not exists at
>> > /var/lib/qubes/vm-kernels/4.4.67-13/vmlinuz and it is right: kernels are
>> > all newer than 4.9.
>> >
>> > But why is it looking for 4.4.67-13? Hope there is a fix.
>
> You can list used kernels by all VMs using qvm-ls -k. Probably one or
> two of them are still set to use 4.4.67-13.

Exactly all 54 of them are listed to use 4.4.67-13 except a couple of them
that I changed to 4.9.45-21 using qubes manager GUI. But even those two
that show the right kernel do NOT start giving the same alert of not
finding 4.4.67-13.

Please help me
Best
Fran
>
> - --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?


[qubes-users] Relation between increasing RAM and the increased need for display memory

2017-09-21 Thread Teqleez
Hi all.

I assume this is relevant not only for considerations related to the
practical limit/benefit of increasing RAM in existing computers, but also
regarding the specifications when buying new computers.

- At the following amounts of RAM; 8GB -> 16GB -> 24GB -> 32GB -> 48GB ->
64GB, how much do the requirements for the graphics card memory increase
with each step, if we assume the normal/daily/"permanent" usage to be
70-80% of the available RAM?

This obviously depends on how many different VMs one has open, and how
much video memory each one needs, but can we make an assumption on some
sort of average number for this, to see if it is possible to find some kind
of rule-of-thumb figures?

For example, if we assume a "normal"(?!?) Qubes-OS user whose sole reason
for increasing memory is in fact to be able to run more Qubes
simultaneously; how many more Qubes can he/she expect to be running per
extra 8GB of RAM, and how much more will each such step "typically" require
of the graphics card memory, if we assume a "linear" growth in the number
of concurrently open Qubes?

I am guessing that with the capacity to run (increasingly) many Qubes, the
amount of applications running in each one will be lower, to the point
where we most often choose to run "one-app-qubes". For the sake of this
example we could also assume that this example user is a "lazy" person who
will not bother configuring minimal templates, but only use the default
shipped fedora-24(++) template for each one, just for the sake of
simplicity and playing around with these numbers a bit.

Regards,

@LeeteqXV

-- 
Regards,
https://mastodon.technology/@LeeteqXV/
https://twitter.com/@LeeteqXV/
https://Leeteq.com/



Re: [qubes-users] Yubikey and qubes-usb-proxy

2017-09-21 Thread Marek Marczykowski-Górecki

On Wed, Sep 20, 2017 at 05:46:56AM -0700, John Maher wrote:
> I've been trying to get my Yubikey to attach to my gpg qube by doing the 
> following:
> 
>     [dom0 ~]$ qvm-usb -a gpg `qvm-usb | grep Yubikey | cut -f1`
> 
> but I'm presented with:
> 
>     ERROR: qubes-usb-proxy not installed in the VM
> 
> But that package is installed in the VM (in the template).
> 
> I got this to work fine on my laptop but not on my desktop.
> 
> Any suggestions would be great.

You need that package in both source and destination VM (template). So,
both template of gpg and sys-usb in this case.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Again last dom0 update broke kernel connection

2017-09-21 Thread Marek Marczykowski-Górecki

On Thu, Sep 21, 2017 at 12:54:45PM -0400, Michael Carbone wrote:
> On 09/21/2017 12:47 PM, Franz wrote:
> > None vm starts except dom0
> > 
> > I am writing this email by a cell phone
> > 
> > -Changing the kernel with qubes manager GUI does not work
> 
> you can use the GUI, just change the VM to a different kernel in VM
> Settings > Advanced (and click okay), then change it back to the kernel
> you want. this was the same GUI-based workaround as last time.
> 
> > -the terminal line that worked last time runs without errors but does not
> > solve the problem:
> > 
> > for VM in `qvm-ls --raw-list`; do qvm-prefs $VM kernel default; done
> > 
> > When I try to start a VM an alert message appears in the upper left telling
> > that VM kernel does not exists at
> > /var/lib/qubes/vm-kernels/4.4.67-13/vmlinuz and it is right: kernels are
> > all newer than 4.9.
> > 
> > But why is it looking for 4.4.67-13? Hope there is a fix.

You can list used kernels by all VMs using qvm-ls -k. Probably one or
two of them are still set to use 4.4.67-13.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


[qubes-users] R4.0-rc1 on Dell Latitude E6430: unable to boot (reboot loop) FIXED

2017-09-21 Thread The Golden Rule
Model: Dell Latitude E6430.

I did a complete and full install and it would boot loop right after the grub 
loader.

I went into the bios settings for the performance/processor and disabled 
speedstep, anything that has to do with boosting the performance of the 
processor.  I disabled it

I did leave HT Technology enabled.

This may or may not be an issue with every model but it's something to take note 
of.

I was able to boot and configure after doing those changes in the bios.



[qubes-users] Re: R4.0-rc1 on T470: unable to boot (reboot loop)

2017-09-21 Thread The Golden Rule
On Saturday, September 16, 2017 at 5:16:33 AM UTC-8, rysiek wrote:
> Hi all,
> 
> first of all, hello. Been meaning to sign up for this list for some time, 
> some 
> of you might remember me from the IRC channel (from when I was setting up my 
> own Qubes devel builds).
> 
> Anywhoo. I decided to give R4.0-rc1 a spin on my Thinkpad T470, and after 
> successfully going through the installation process, I am stuck at this issue:
> https://groups.google.com/forum/#!topic/qubes-users/Pf1Cd87KSsk
> 
> Selecting any of the two options in GRUB ends up rebooting the device. Tried 
> removing "quiet" from kernel options, nothing changed. Any suggestions on how 
> can I get some debugging output?
> 
> QubesOS R3.2 does not run on T470s at all (old kernel vs. new hardware; new 
> hardware clearly wins).
> 
> Thanks!
> 
> -- 
> Pozdrawiam,
> Michał "rysiek" Woźniak
> 
> Zmieniam klucz GPG :: http://rys.io/pl/147
> GPG Key Transition :: http://rys.io/en/147

I just recently had the same issue with a Dell Latitude E6430.

I did a complete and full install then it would boot loop right after the grub 
loader.

I went into the bios settings for the processor and disabled speedstep, 
anything that has to do with boosting the performance of the processor.  I 
disabled

I did leave HT Technology enabled.

This may or may not be an issue with every model but it's something to take note 
of.



Re: [qubes-users] Again last dom0 update broke kernel connection

2017-09-21 Thread Michael Carbone
On 09/21/2017 12:47 PM, Franz wrote:
> None vm starts except dom0
> 
> I am writing this email by a cell phone
> 
> -Changing the kernel with qubes manager GUI does not work

you can use the GUI, just change the VM to a different kernel in VM
Settings > Advanced (and click okay), then change it back to the kernel
you want. this was the same GUI-based workaround as last time.

> -the terminal line that worked last time runs without errors but does not
> solve the problem:
> 
> for VM in `qvm-ls --raw-list`; do qvm-prefs $VM kernel default; done
> 
> When I try to start a VM an alert message appears in the upper left telling
> that VM kernel does not exists at
> /var/lib/qubes/vm-kernels/4.4.67-13/vmlinuz and it is right: kernels are
> all newer than 4.9.
> 
> But why is it looking for 4.4.67-13? Hope there is a fix.
> 
> Thanks
> Fran
> 

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS 

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




[qubes-users] "Cannot execute qrexec-daemon!" on starting VM

2017-09-21 Thread krozruch
Hi all,

I am running Qubes OS 3.2 on a Lenovo Thinkpad E550. I have recently been 
having problems with starting / restarting VMs. Whether starting from the GUI 
or command line, VMs fail:

"ERROR: Cannot execute qrexec-daemon!"

In case it is relevant, following a recent update I had an error on boot =~ 
"ACPI Error field exceeds buffer". Radeon was mentioned, and the wifi would 
work for a spell and then fail. All drivers had previously worked fine.

I have not yet restarted the computer as I have unsaved data and have no 
internet connection or sys-usb to back up data. Not understanding the problem 
well, I didn't want to risk rebooting into the shell.

Could anybody advise of a next step?

Many thanks.



[qubes-users] Again last dom0 update broke kernel connection

2017-09-21 Thread Franz
No VM starts except dom0

I am writing this email from a cell phone

-Changing the kernel with qubes manager GUI does not work

-the terminal line that worked last time runs without errors but does not
solve the problem:

for VM in `qvm-ls --raw-list`; do qvm-prefs $VM kernel default; done

When I try to start a VM an alert message appears in the upper left saying
that the VM kernel does not exist at
/var/lib/qubes/vm-kernels/4.4.67-13/vmlinuz and it is right: kernels are
all newer than 4.9.

But why is it looking for 4.4.67-13? Hope there is a fix.

Thanks
Fran



Re: [qubes-users] Anyone disabled the Intel ME yet?

2017-09-21 Thread Hugo Costa
On Thursday, 21 September 2017 07:23:01 UTC+1, Alex  wrote:
> Replying to this thread to report that somebody DID ACTUALLY find an
> exploitable vulnerability in the latest IME 11+, and they will be
> sharing nothing less than this UNSIGNED CODE EXECUTION vuln at blackhat
> europe 2017.
> 
> Abstract here:
> https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668
> 
> Title is pretty scary, but we'll see if it's actually that dangerous...
> 
> -- 
> Alex

Was going to post the same. 2 Russian researchers that a couple weeks ago found 
out a way to clean some modules on Intel ME now have found a significant 
exploit that allows them to actually run code on a piece of hardware with 
direct access to the network. The scary thing is - it's impossible to detect.



Re: [qubes-users] Re: Fixing BOOT of Qubes OS

2017-09-21 Thread stas2855
Hi Unman,
Yes, I overwrote all entries while installing Ubuntu.

Thanks a lot for your hints, problem is finally resolved after hours of reading 
:)

What I did:

chroot /mnt/sysimage
cd boot
grub2-mkconfig
grub2-install /dev/sda
reboot

Old grub file was fine so I booted in now successfully.

Thanks guys for your help!



[qubes-users] Re: Has anyone tried to activate SELINUX in Fedora 25?

2017-09-21 Thread jkitt
On Wednesday, 20 September 2017 09:41:58 UTC+1, pels  wrote:
> [1.617897] systemd[1]: Failed to mount tmpfs at /run: Permission denied
> [!!] Failed to mount API filesystems, freezing.
> [1.621206] systemd[1]: Freezing execution.

Looks like a tmpfs cannot be mounted at boot. In actual fact: these default 
policies are never in a "ready to deploy" state. You have to run the policy in 
permissive mode - throughout the normal boot process, and typical use of the 
confined binaries. Once you have built a log of fired rules then you have to go 
back and tweak the policy. There are, shockingly, no good tools to parse 
selinux audit logs outwith a couple of hard to get tools - distributed in the 
redhat repos. I think there is a Gentoo overlay that you can reverse engineer, 
or maybe you can find a working tool. But once you have ironed out all the 
policy violations, and you can boot without firing anything of concern, then you 
are ready for enforcing mode.

Here are some good primers on the subject. The first video, in particular, 
shows how to effectively parse audit logs - with the aforementioned redhat tool:

https://www.youtube.com/watch?v=MxjenQ31b70

https://www.youtube.com/watch?v=q_y30qZ_plQ
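
A small tally for the workflow described above (boot in permissive mode, collect the denials, then adjust the policy), as an added example that is not from the thread. The audit lines, the `example_t` domain and the `exampled` process are constructed; the script only groups `type=AVC` denials so that the recurring ones can be reviewed.

```shell
#!/bin/sh
# Added example, not from the thread: tally SELinux AVC denials from an audit
# log gathered in permissive mode. All audit lines below are constructed.
SAMPLE_AUDIT='type=AVC msg=audit(1500000000.101:21): avc:  denied  { read } for  pid=812 comm="exampled" name="app.conf" dev="xvda" ino=131 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1500000000.101:21): arch=c000003e syscall=2 success=yes exit=3
type=AVC msg=audit(1500000004.220:35): avc:  denied  { read } for  pid=812 comm="exampled" name="app.conf" dev="xvda" ino=131 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1500000005.007:40): avc:  denied  { read write } for  pid=812 comm="exampled" name="state.db" dev="xvda" ino=977 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1500000006.300:44): avc:  denied  { open } for  pid=812 comm="exampled"'

# Read audit lines on stdin and print one line per distinct denial:
#   <count> <source type> <target type> <class> <permissions> <comm>
# Most frequent first. Lines that are not AVC denials, and AVC lines with no
# scontext/tcontext/tclass (truncated records), are skipped. A comm value
# containing spaces is cut at the first space.
summarize_avc() {
    awk '
    $1 == "type=AVC" && /avc:[ ]+denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; comm = ""; inbrace = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inbrace = 1; continue }
            if ($i == "}") { inbrace = 0; continue }
            if (inbrace)   { perms = (perms == "" ? $i : perms "," $i); continue }
            # Contexts are user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
        }
        if (src == "" || tgt == "" || cls == "") next
        count[src " " tgt " " cls " " perms " " comm]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
```

Each output line is a candidate for review, not a rule to allow as is: a denial that keeps recurring may point to a mislabelled file rather than to a missing policy rule.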



[qubes-users] Re: Managing Xen configs

2017-09-21 Thread nicholas roveda
I'd like to know where the Xen configurations are stored and how to manipulate 
them, for example, to add net interfaces or exposing a console.



[qubes-users] Re: Managing Xen configs

2017-09-21 Thread nicholas roveda
Thanks for your answer.

I wrote that I'm trying to connect TO a Template Emergency Dracut shell FROM 
Dom0, using 'xl console'.



[qubes-users] Re: Has anyone tried to activate SELINUX in Fedora 25?

2017-09-21 Thread pels
On Wednesday, September 20, 2017 at 2:54:31 PM UTC+2, cooloutac wrote:
> On Wednesday, September 20, 2017 at 4:41:58 AM UTC-4, pels wrote:
> > I'd like to activate SELINUX(enforcing) in VMs (f25 and f25-minimal), but 
> > fails:
> > 
> > [1.510532] audit: type=1404 audit(1505894636.317:2): enforcing=1 
> > old_enforcing=0 auid=4294967295 ses=4294967295
> > [1.601491] audit: type=1403 audit(1505894636.408:3): policy loaded 
> > auid=4294967295 ses=4294967295
> > [1.605815] systemd[1]: Successfully loaded SELinux policy in 95.611ms.
> > [1.617897] systemd[1]: Failed to mount tmpfs at /run: Permission denied
> > [!!] Failed to mount API filesystems, freezing.
> > [1.621206] systemd[1]: Freezing execution.
> > 
> > I had it enabled  in fedora 24 but after upgrading failed
> > I create a new template (f25 and f25-minimal) with same effect.
> > 
> > I have tried to reset SELinux to its initial state:
> > yum remove selinux-policy
> > rm -rf /etc/selinux
> > yum install selinux-policy-targeted
> > fixfiles -f -F relabel
> > reboot
> > 
> > Any ideas?
> > 
> > Thank you very much
> > 
> > Best Regards
>   
>   Is this a vm, if so do we really care if systemd is running in it?   You 
> sure thats selinux?  what does sestatus say? 
> 
> When googling this error seems people have same issue when running docker.  
> And you have to set seccomp to unconfined.

Thank you cooloutac

-Is this a vm
It happens in Templates and VMs.

-Is this a vm, if so do we really care if systemd is running in it?
The problem is that when I enable SELINUX, VMs/templates don't "boot" or fail to 
start. 
If I disable SELINUX, the templates/VMs start without problems and systemd is 
activated.

-You sure thats selinux?
Yes, I'm pretty sure, it's exactly the same config that I had in fedora24.
In dom0
qvm-prefs -s fedora-25 kernelopts "nopat security=selinux selinux=1"
and in VMs/Templates
/etc/selinux/config

SELINUX=enforcing 
SELINUXTYPE=targeted

Default selinux config

-what does sestatus say?
I can't execute anything in template/VMs 
in dom0:
qvm-run fedora-25 --nogui --pass-io -u root "sestatus"
Error(fedora-25): Domain 'fedora-25':qrexec not connected

-When googling this error seems people have same issue when running docker.  
And you have to set seccomp to unconfined

Yes, I've read it, but I don't know how to disable seccomp and the consequences...


Could you do me a big favour and try to activate SELINUX?

Thank you very much

Best regards



Re: [qubes-users] Re: Fixing BOOT of Qubes OS

2017-09-21 Thread Unman
On Wed, Sep 20, 2017 at 04:15:21PM -0700, stas2...@gmail.com wrote:
> 
> Guys, Thank you for your replies.
> 
> Unman, Ubuntu is not important to me.
> Most important thing is to load Qubes again.
> I have tried grub2-install /dev/sda3 - but I am getting an error saying that 
> it's unreliable and system will not go further.
> I also did grub2-install /dev/sda successfully, but when I am starting 
> laptop - it gives me grub rescue message that cannot load system.
> 
> I don't have so much knowledge to resolve further.
> Please advise how I can restore qubes loader on my laptop?
> 
> Thanks a lot!
> 
> To the user: damm swing. Thanks for your suggestion, I will try that as the 
> last option as I don't have a spare system to install qubes to.
>  

First, have you backed up your data?
At a pinch you could do this by using the rescue disk - the data in your
qubes is stored in /var/lib/qubes - each qube has a separate directory
and the data is stored in the private.img files.
(I think you said you can access /mnt/sysimage using the rescue disk.)
You can either copy the private.img files off the system, or mount them
individually and copy off the data.

When you installed Qubes you had a separate /boot partition - probably
at /dev/sda1 - you can check this (if you are not sure) from rescue mode.
I assume that you overwrote the entries there when you installed Ubuntu?

What you need to do now is to generate a new grub configuration, make sure
it is installed to /dev/sda1 (or wherever) and then update grub.
What is the error message you are getting?

I know this seems daunting, but if you take it step by step you should
be fine, professional or not.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170921083457.wonvrewup4frkghr%40thirdeyesecurity.org.
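
The data-rescue step described in the message above, as an added example that is not part of the original post: it finds every private.img under /var/lib/qubes on the installed system and copies it off, optionally mounting each image read-only to copy the files out. The /mnt/backup destination, the SYSROOT/DEST/MOUNT variables and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): back up qube data from rescue mode.
SYSROOT="${SYSROOT:-/mnt/sysimage}"   # where the rescue disk mounts the installed system
DEST="${DEST:-/mnt/backup}"           # assumed: an external disk you mounted yourself

# Print one private.img path per line for every qube directory under var/lib/qubes.
list_private_images() {
    find "$1/var/lib/qubes" -type f -name private.img 2>/dev/null | sort
}

# Turn .../var/lib/qubes/<kind>/<qube>/private.img into "<kind>-<qube>".
qube_label() {
    dir=$(dirname "$1")
    printf '%s-%s\n' "$(basename "$(dirname "$dir")")" "$(basename "$dir")"
}

# Copy every image whole; with MOUNT=1 (needs root) also mount it read-only
# and copy the files out. Prints the number of images handled.
backup_private_images() {
    root=$1; dest=$2; count=0
    mkdir -p "$dest" || return 1
    for img in $(list_private_images "$root"); do   # assumes paths without whitespace
        label=$(qube_label "$img")
        cp "$img" "$dest/$label.private.img" || return 1
        if [ "${MOUNT:-0}" = 1 ]; then
            mnt=$(mktemp -d) || return 1
            # ro,noload: skip ext4 journal replay so the image is never written to
            mount -o loop,ro,noload "$img" "$mnt" || return 1
            mkdir -p "$dest/$label" && cp -a "$mnt/." "$dest/$label/"
            umount "$mnt" && rmdir "$mnt"
        fi
        count=$((count + 1))
    done
    echo "$count"
}

# Only act when asked to, so the functions can be sourced and inspected first.
if [ "${1:-}" = "--run" ]; then
    backup_private_images "$SYSROOT" "$DEST"
fi
```

Copying the whole image first means the data is safe even if a later mount fails; the per-file copy is a convenience on top of that.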


Re: [qubes-users] Re: Unable to uninstall or reinstall Whonix

2017-09-21 Thread Unman
On Wed, Sep 20, 2017 at 08:57:41PM -0400, 'Essax' via qubes-users wrote:
> To remove Whonix templates first remove all the appVMs based on those 
> templates. In dom0 type :
> 
> qvm-remove sys-whonix
> qvm-remove anon-whonix
> 
> Then to remove the Whonix templates. In dom0 type :
> 
> qvm-remove whonix-gw
> qvm-remove whonix-ws
> 
> Essax
> 
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
> 
> >  Original Message 
> > Subject: [qubes-users] Re: Unable to uninstall or reinstall Whonix
> > Local Time: September 20, 2017 4:46 PM
> > UTC Time: September 20, 2017 8:46 PM
> > From: xueyilu...@gmail.com
> > To: qubes-users 
> >
> > I believe it is "sudo yum erase qubes-template-whonix-gw" for uninstalling 
> > (I typed it in a Whonix Konsole) and "sudo qubes-dom0-update 
> > --enablerepo=qubes-templates-community qubes-template-whonix-gw 
> > qubes-template-whonix-ws". I haven't deleted the old Whonix-gw and 
> > Whonix-ws templates yet, because there seems to be no option other than the 
> > terminal commands, which don't work.
> >

Please don't top post.

I don't use whonix myself, but it seems to me that Essax is partly right
and partly wrong.
You need to make sure that there aren't ANY qubes using the whonix
templates.
You can either do this by deleting them using qvm-remove or (better)
changing the template they are based on, in QubesManager or using
qvm-prefs in a dom0 terminal.

To remove the actual templates, I don't believe you would be able to
use qvm-remove because they have been installed using yum.
You have the correct command, but you used it in the wrong place. Don't
run it in a whonix konsole - run it in dom0 terminal. 
Whonix is Debian based which is why you had "command not found"

unman

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170921081203.6uu3h64355yfrnuk%40thirdeyesecurity.org.