[qubes-users] Using postgresql database in qubes(AppVM)

2018-03-16 Thread redleopard81 
Hello!
As a web developer, I was using Arch linux as development os then I got to know 
qubes os, and really hooked it.

I almost finished setting up my qubes os as Web development os. But I finally 
found out 1 problem. that is database.

Postgresql database's data location is (normally) /var/lib/pgsql/10/data
As I learned, AppVM's folder will be reset every time I start. (except /home)

So I am thinking about the solution, first, I just create every database that 
need for my project in TemplateVM, so I can see it my Dev AppVM

Is there anyone using qubes os as web development os?
Is there any best practice for this case?

Please help me!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4430b3b8-352c-46fc-9985-381c4d188c64%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How to update default template VM?

2018-03-16 Thread sevas 
Not at all. You should be able to use the GUI, if you choose to do so. 

Linux environments tend to be command line environments. You will occasionally 
find things that cannot be done via GUI, so its a good idea to learn how to do 
things from the client. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/31ee72a6-c1fc-4c03-9514-7e7ea26c04f6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: T520 for Qubes 4.0 , can I / should I boot Win7 HDD, and Qubes 4.0 from an SSD?

2018-03-16 Thread sevas 
Im not for dual booting, but it seemed like a maybe. But thinking more on it, 
you would be putting your files at risk. If you are running Qubes with the 
Windows partition not running but attached, then it would be very vulnerable 
with, hypothetically, lots of attack surface. 

However if you are running windows with your Qubes partition encrypted and 
'safe',
then Windows (and all of its rather large attack surface) would be like leaving 
the screen porch unlocked so now the thief can come inside to look for a way 
in, 
rather than standing in the road to look for ways in. 

Rather, they could gain continued access to windows, and slowly chip away at 
your Qubes OS while you are working in your Windows OS. 

The only way to combat this (and do not consider me knowledgeable) would be to 
switch HDDs every time you switch OS. These other users in this post definitely 
know more than I do, but Im just trying to help where I can. 

*This advice is only considering that you are trying to protect your data and 
takes no consideration for your privacy.

You are aware that you can install windows in qubes?


On the model of pc, I have the i7 with 16gb ram and an Intel SSD 545s Series
and it takes what seems like 15 minutes to boot the system. Ive attributed this
to the SSD. Go ahead and set +$100 aside for a NVMe m.2 SSD. What I currently 
have 
is manageable, but sometimes becomes rather annoying. Mainly during startup and 
shutdown.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/85c1a674-ab2e-49ab-887c-84e0f2875743%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How to update default template VM?

2018-03-16 Thread Michael MENG 
So i have to use CLI instead of "update qube"?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6027a58f-0d99-4a35-bb63-fae4327df9f4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Qubes 4 RC5 on a Thinkpad F430: HCL and some observations

2018-03-16 Thread nortiusmediae 
(I originally posted this via gmane, but it hasn't shown up so far)

Hi, all,

I've spent a bunch of time in the last day or two getting RC5 running on my 
daily driver, a Thinkpad 430 with 16 GB of memory and a 1 TB SSD.  It normally 
runs 3.2, so I got a new WD SSD for playing with 4.0.

First observation:  It's pretty slick overall.  Kudos to the ITL team for 
another winner.  If I ever visit Poland I'll be sure to budget for quite a lot 
of beer, because I owe you folks.

There are a few curiosities:

1. In dom0, typing

qvm-run -a myqube xterm

blocks the dom0 terminal till I close the xterm (or whatever other program).  I 
much preferred the 3.2 behaviour, in which the dom0 prompt returned right away. 
 It's inelegant to keep going ctl-C in dom0, and I don't like the setsid 
alternative since I don't know how much cruft I'm accumulating that way.

2. DispVMs based on AppVMs seem to crash on startup a lot.  As an engineer I 
really like the ability to run old apps on archival VMs without corrupting the 
archives, but on my box startup is a bit flaky. Once they're properly running I 
haven't seen an issue so far.

3. It would be nice if the DispVM frame gave some indication what template or 
AppVM it was based on.  [disp xxxy] is a commendably unique identifier, but 
there's a lot of space on the window frame, so "workDVMxxxy" or 
"personalDVMzzzx" would be pretty useful.  (I usually have several AppVMs going 
at once.)

4. (probably most important)  Dom0 lies through its teeth about the disk usage. 
 I gather you folks have hidden the VMs' guts so you can't just poke around 
/var/lib/qubes anymore, but in the process you've completely confused the only 
tools we mortals have left to manage disk space: domo's du and df commands.

On a 1T SSD, I restored over 450G worth of AppVMs, but dom0's df returns:

Use% Mounted on
devtmpfs  1995976   0   1995976   0% /dev
tmpfs 2009828   0   2009828   0% /dev/shm
tmpfs 20098281612   2008216   1% /run
tmpfs 2009828   0   2009828   0% /sys/fs/cgroup
/dev/mapper/qubes_dom0-root 935037724 3866076 883604596   1% /
tmpfs 2009828   8   2009820   1% /tmp
xenstore  2009828 416   2009412   1% /var/lib/xenstored
/dev/sda1  999320   79676850832   9% /boot
tmpfs  401964   8401956   1% /run/user/1000

You'd never know that the disk is actually half full or a little more. I have 
no idea how to manage my disk space on Qubes 4.0.

Thanks again

BillW



---
layout:
  'hcl'
type:
  'notebook'
hvm:
  'yes'
iommu:
  'yes'
slat:
  'yes'
tpm:
  ''
remap:
  'yes'
brand: |
  LENOVO
model: |
  2349S7W
bios: |
  G1ET73WW (2.09 )
cpu: |
  Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz
cpu-short: |
  FIXME
chipset: |
  Intel Corporation 2nd Generation Core Processor Family DRAM Controller 
[8086:0104] (rev 09)
chipset-short: |
  FIXME
gpu: |
  Intel Corporation 2nd Generation Core Processor Family Integrated Graphics 
Controller [8086:0126] (rev 09) (prog-if 00 [VGA controller])
gpu-short: |
  FIXME
network: |
  Intel Corporation 82579LM Gigabit Network Connection (Lewisville) (rev 04)
  Intel Corporation Centrino Wireless-N 2200 (rev c4)
memory: |
  16073
scsi: |
  WDC WDS100T2B0A- Rev: 30WD
  DVD ROM DDU7740H Rev: 1RS0
usb: |
  3
versions:

- works:
'FIXME:yes|no|partial'
  qubes: |
R4.0
  xen: |
4.8.3
  kernel: |
4.14.18-1
  remark: |
FIXME
  credit: |
FIXAUTHOR
  link: |
FIXLINK

---

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8eaa28e4-78b2-4c0a-a5d4-3071b4f6d6b2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Runing Qubes on: HP ProBook 430 G2 or HP EliteBook 820

2018-03-16 Thread taii...@gmx.com 

How inexpensive?

You can get an G505S for $150 or so and it is the the last and best 
x86_64 owner controlled laptop, it supports qubes 4.0 and doesn't have 
ME/PSP.
It supports coreboot with open source hardware initiation for the 
cpu/ram and while there are blobs for video and power they are 
theoretically replaceable and are restricted from doing anything nasty 
via the IOMMU.


Note: as a new qubes user you should be aware that purism laptops are 
NOT open source, libre or "privacy and security respecting" - their 
marketing is very dishonest.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4e487170-2a2b-9e5b-4aab-7fcb95d6b371%40gmx.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Runing Qubes on: HP ProBook 430 G2 or HP EliteBook 820

2018-03-16 Thread Unman 
On Fri, Mar 16, 2018 at 03:08:29PM -0700, Linus Stridbeck wrote:
> Den fredag 16 mars 2018 kl. 14:40:27 UTC+1 skrev Chris Laprise:
> > On 03/16/2018 07:55 AM, Linus Stridbeck wrote:
> > > I came across very inexpensive HP computers:
> > > 
> > > HP ProBook 430 G2
> > > HP EliteBook 820
> > > 
> > > They both have i3 procesor and I wonder if someone tried ryning Qubes on 
> > > one of them?
> > > 
> > 
> > 
> > They're probably both worth a try if they support 8GB or more RAM. The 
> > EliteBook 820 has an old entry in the HCL...
> > 
> > https://www.qubes-os.org/hcl/
> > 
> > -- 
> > 
> > Chris Laprise, tas...@posteo.net
> > https://github.com/tasket
> > https://twitter.com/ttaskett
> > PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
> 
> the HP EliteBook 820 have 8. So its not advicebel to go for any less... thats 
> good to know. whats HLC? I loket at wikipedia :). 
> 
HCL= Hardware Compatibility List
http://www.qubes-os.org/hcl/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180316221957.mtdrw6cfvzczergc%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Runing Qubes on: HP ProBook 430 G2 or HP EliteBook 820

2018-03-16 Thread Linus Stridbeck 
Den fredag 16 mars 2018 kl. 14:40:27 UTC+1 skrev Chris Laprise:
> On 03/16/2018 07:55 AM, Linus Stridbeck wrote:
> > I came across very inexpensive HP computers:
> > 
> > HP ProBook 430 G2
> > HP EliteBook 820
> > 
> > They both have i3 procesor and I wonder if someone tried ryning Qubes on 
> > one of them?
> > 
> 
> 
> They're probably both worth a try if they support 8GB or more RAM. The 
> EliteBook 820 has an old entry in the HCL...
> 
> https://www.qubes-os.org/hcl/
> 
> -- 
> 
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

the HP EliteBook 820 have 8. So its not advicebel to go for any less... thats 
good to know. whats HLC? I loket at wikipedia :). 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/be3be252-266c-42ed-b225-8cb092c56774%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Runing Qubes on: HP ProBook 430 G2 or HP EliteBook 820

2018-03-16 Thread Linus Stridbeck 
Den fredag 16 mars 2018 kl. 14:40:27 UTC+1 skrev Chris Laprise:
> On 03/16/2018 07:55 AM, Linus Stridbeck wrote:
> > I came across very inexpensive HP computers:
> > 
> > HP ProBook 430 G2
> > HP EliteBook 820
> > 
> > They both have i3 procesor and I wonder if someone tried ryning Qubes on 
> > one of them?
> > 
> 
> 
> They're probably both worth a try if they support 8GB or more RAM. The 
> EliteBook 820 has an old entry in the HCL...
> 
> https://www.qubes-os.org/hcl/
> 
> -- 
> 
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

the HP EliteBook 820 have 8. So its not advicebel to go for any less... thats 
good to know. whats HLC? I loket at wikipedia :). 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2f5f1856-addb-413b-89db-7ccc97788f26%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Runing Qubes on: HP ProBook 430 G2 or HP EliteBook 820

2018-03-16 Thread Linus Stridbeck 
Den fredag 16 mars 2018 kl. 12:55:10 UTC+1 skrev Linus Stridbeck:
> I came across very inexpensive HP computers: 
> 
> HP ProBook 430 G2
> HP EliteBook 820 
> 
> They both have i3 procesor and I wonder if someone tried ryning Qubes on one 
> of them?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5b7cda84-9c0b-4b0f-be20-e75f9f831895%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Issues with Yubikey 4 input

2018-03-16 Thread Jon R. 
> I have found that it was not working with Firefox but only with Chrome
... I am only using mu Yubikey to manage my PGP kys and to be authenticated
on web site like Github ...

Thanks for the information. My issue seems to be related to the USB
passthru / sys-usb. I haven't had time to debug it further but I can't even
get the OTP / smart card functionality to be produced outside of the
sys-usb Qube. Once I scour the mailing list / GitHub issues I'll update
here if I find anything pertinent.

Cheers!

On Fri, Mar 16, 2018 at 3:50 AM, ThierryIT  wrote:

> Le vendredi 9 mars 2018 19:34:06 UTC+2, Jon R. a écrit :
> > Hello,
> >
> > I've scoured around the mailing lists / SO / Reddit and haven't come
> across a solution to this yet. I'm running 4.0 (R4.0) and when I attempt to
> use my Yubikey it's seemingly not picking up any input on the button press.
> >
> > It's detecting the USB properly and I can attach it fine:
> >
> > [cloe@dom0 Desktop]$ qvm-usb
> > BACKEND:DEVID  DESCRIPTION USED BY
> > sys-usb:2-1Yubico_Yubikey_4_OTP+CCID
> >
> > [cloe@dom0 Desktop]$ qvm-usb attach work sys-usb:2-1
> >
> > [cloe@dom0 Desktop]$ qvm-usb
> > BACKEND:DEVID  DESCRIPTION USED BY
> > sys-usb:2-1Yubico_Yubikey_4_OTP+CCID   work
> >
> > However upon button presses on the Yubikey in the "work" domain there is
> no action. I've tested this in gedit, the terminal and elsewhere to no
> avail.
> >
> >
> > Can someone point me in the right direction as to what may be happening?
> I've successfully attached storage devices and other smart card related
> devices without any issue so it seems to be isolated to the Yubikey itself.
> I've tried 2 separate Yubikey 4's and an older version to no avail.
> >
> >
> > Thank you for your time.
> >
> >
> > - Cody
>
> I had the same problem than yours ...
> I was able, after a looong period of fight, to attached my Yubikey but it
> was not working ...
> I have found that it was not working with Firefox but only with Chrome ...
> I am only using mu Yubikey to manage my PGP kys and to be authenticated on
> web site like Github ...
>
> Thx
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/qubes-users/bc3da3a6-2568-40ac-b018-beb6facfb1fa%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJd29SSUPDpjRw07TrEt0q2juN34x_1jSBY3PaHtJ71NF7DjvQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: [UPDATE] QSB #37: Information leaks due to processor speculative execution bugs (XSA-254, Meltdown & Sepctre)

2018-03-16 Thread Yuraeitha 
On Friday, March 16, 2018 at 3:34:05 PM UTC+1, Lorenzo Lamas wrote:
> After updating to Xen 4.6.6-37, with updated BIOS/microcode, I executed 
> Spectre & Meltdown 
> Checker(https://github.com/speed47/spectre-meltdown-checker) in a PV Fedora 
> 26 AppVM.(Kernel 4.14.18-1)
> 
> Hardware support is now supported:
> * Hardware support (CPU microcode) for mitigation techniques
>   * Indirect Branch Restricted Speculation (IBRS)
> * SPEC_CTRL MSR is available:  YES 
> * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
>   * Indirect Branch Prediction Barrier (IBPB)
> * PRED_CMD MSR is available:  YES 
> * CPU indicates IBPB capability:  YES  (IBPB_SUPPORT feature bit)
>   * Single Thread Indirect Branch Predictors (STIBP)
> * SPEC_CTRL MSR is available:  YES 
> * CPU indicates STIBP capability:  YES 
> 
> However, the VM kernel does not seem to support the migitations: 
> 
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigated according to the /sys interface:  NO  (kernel confirms your 
> system is vulnerable)
> * Mitigation 1
>   * Kernel is compiled with IBRS/IBPB support:  NO 
>   * Currently enabled features
> * IBRS enabled for Kernel space:  NO 
> * IBRS enabled for User space:  NO 
> * IBPB enabled:  NO 
> * Mitigation 2
>   * Kernel compiled with retpoline option:  YES 
>   * Kernel compiled with a retpoline-aware compiler:  NO  (kernel reports 
> minimal retpoline compilation)
> > STATUS:  VULNERABLE  (Vulnerable: Minimal generic ASM retpoline, IBPB)
> 
> 
> Does this mean the kernel compiled by Qubes does not support the migitations 
> yet, or that this test cannot get proper info from the kernel, since the 
> kernel is provided by Dom0 instead of the VM? Or are both true?

Important typo, I forgot to add 'in the future'.

"I believe, while not knowing, that the Qubes team might focus more on securing 
the VM's dirt (in above's analogy), but right now, it's all on the fence and 
cemented ground inside it." 

should be:

"I believe, while not knowing, that the Qubes team might in the future focus 
more on securing the VM's dirt (in above's analogy), but right now, it's all on 
the fence and cemented ground inside it."

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b3e1adc9-5b04-4bf5-b87c-86ac0c28318e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: [UPDATE] QSB #37: Information leaks due to processor speculative execution bugs (XSA-254, Meltdown & Sepctre)

2018-03-16 Thread Yuraeitha 
On Friday, March 16, 2018 at 3:34:05 PM UTC+1, Lorenzo Lamas wrote:
> After updating to Xen 4.6.6-37, with updated BIOS/microcode, I executed 
> Spectre & Meltdown 
> Checker(https://github.com/speed47/spectre-meltdown-checker) in a PV Fedora 
> 26 AppVM.(Kernel 4.14.18-1)
> 
> Hardware support is now supported:
> * Hardware support (CPU microcode) for mitigation techniques
>   * Indirect Branch Restricted Speculation (IBRS)
> * SPEC_CTRL MSR is available:  YES 
> * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
>   * Indirect Branch Prediction Barrier (IBPB)
> * PRED_CMD MSR is available:  YES 
> * CPU indicates IBPB capability:  YES  (IBPB_SUPPORT feature bit)
>   * Single Thread Indirect Branch Predictors (STIBP)
> * SPEC_CTRL MSR is available:  YES 
> * CPU indicates STIBP capability:  YES 
> 
> However, the VM kernel does not seem to support the migitations: 
> 
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigated according to the /sys interface:  NO  (kernel confirms your 
> system is vulnerable)
> * Mitigation 1
>   * Kernel is compiled with IBRS/IBPB support:  NO 
>   * Currently enabled features
> * IBRS enabled for Kernel space:  NO 
> * IBRS enabled for User space:  NO 
> * IBPB enabled:  NO 
> * Mitigation 2
>   * Kernel compiled with retpoline option:  YES 
>   * Kernel compiled with a retpoline-aware compiler:  NO  (kernel reports 
> minimal retpoline compilation)
> > STATUS:  VULNERABLE  (Vulnerable: Minimal generic ASM retpoline, IBPB)
> 
> 
> Does this mean the kernel compiled by Qubes does not support the migitations 
> yet, or that this test cannot get proper info from the kernel, since the 
> kernel is provided by Dom0 instead of the VM? Or are both true?

I do by no means have proper insight into this, but I believe for this 
particular case it doesn't matter much if the VM's kernel is not updated 
against these attacks. I will stand corrected if I'm wrong about that.

My reasoning is, despite that information about the CPU can be seen in the 
VM's, as long as the lower system levels can't be exploited (CPU/BIOS/Xen), 
then it won't matter if the AppVM's kernel is exploitable, because it can't 
reach deeper down, and will be blocked by the patch fixes on the lower system 
levels.

However, like Andrew mentioned above, it might still be possible to some extent 
use it in combination with other attacks (hypothetically), so it's not deemed 
completely secure (yet, at least).

An illustrative example, 
- The dig-able dirt is the exploitable VM's. 
- The fence and cemented ground below the dirt inside the fence's area, is the 
secured VM environment.

So a successful attack on an VM would be like the soft dirt ground in the VM's 
can be dug and breach the cement, in order to get out of the protected area 
(prison break). If the ground is cemented below the area inside the fence, then 
you cannot dig further down to escape the fenced area. So too for the AppVM's, 
the soft dirt ground being dug-able, but since you can't dig further down to 
exploit further than the lower level security (cemented ground) then it won't 
matter anyway.

However, the issue being, if some places are not fully cemented, then it might 
be possible to escape. The question then is, since no one can see the cement 
without first digging (not the protectors, not the attackers, essentially no 
one knows without first digging), then it remains unknown if the area is 
inescapable or not.

The aim of Qubes is to secure the cement and fence, not the dirty ground, i.e. 
no matter what you run in the VM's, it should stay secure. While true securing 
the VM's can add extra security, it is however not the aim here. You yourself 
can install more secure VM's if you prefer. I believe, while not knowing, that 
the Qubes team might focus more on securing the VM's dirt (in above's analogy), 
but right now, it's all on the fence and cemented ground inside it.

Qubes OS's work, as I perceive it, focuses on securing the environment from 
below up. So if security inside a VM is needed, then they are not meeting their 
own set goals to allow a any insecure code run wild in VM's without it 
compromising the Qubes OS infrastructure.

I have absolutely no deep insight into any of this, however, this is my 
perspective, perhaps it can be of use, or perhaps it can't.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c4179bd4-d648-4577-b639-e6f56a00a5dd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: HCL- ASUS GL753V

2018-03-16 Thread 'awokd' via qubes-users 
On Fri, March 16, 2018 5:06 pm, olivier.defouloun...@free.fr wrote:
> Le vendredi 16 mars 2018 17:51:19 UTC+1, olivier.de...@free.fr a écrit :
>
>> /home/user/Qubes-HCL-ASUSTeK_COMPUTER_INC_-GL753VD-20180316-173149.cpio
>> .gz
>> /home/user/Qubes-HCL-ASUSTeK_COMPUTER_INC_-GL753VD-20180316-173149.yml
>>
>>
>> Hello,
>>
>>
>> I'm using qubes 3.2 for view weeks and it works very well except win7
>> VM who need cirrus video type instead of xen type.
>> Installation wasn't easy but I succeed with yumi uefi beta 6 and 2 keys
>> because anaconda can't read the iso on the install's key.
>>
>> For qubes 4, I'm so sad because rufus don't works and yumi needs fat32
>> partition to boot. Is it possible to have a lite iso with less 4 Go
>> please ?
>>
>> @+
>>
>>
>> Olivier
>>
>
> oups !

If you were able to boot the Qubes 3.2 installer under UEFI, I'm suprised
you couldn't 4.0's to boot the same way. Actually found it easier on one
of my machines to boot 4.0's UEFI than the older.

Anyways, if you want to make a slimmed down ISO, you could use the Qubes
Builder to make your own: https://www.qubes-os.org/doc/qubes-r3-building/.
There's a bug in it right now but once that's fixed, you could make an ISO
with just the Fedora 26 template included, which should get you under 4GB.

Seems like a lot of effort though, why not just get a bigger USB key or
burn to a DVD?


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f042e003821b7e859198e0776094ebf5.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: HCL- ASUS GL753V

2018-03-16 Thread olivier . defoulounoux 
Le vendredi 16 mars 2018 17:51:19 UTC+1, olivier.de...@free.fr a écrit :
> /home/user/Qubes-HCL-ASUSTeK_COMPUTER_INC_-GL753VD-20180316-173149.cpio.gz
> /home/user/Qubes-HCL-ASUSTeK_COMPUTER_INC_-GL753VD-20180316-173149.yml
> 
> Hello,
> 
> I'm using qubes 3.2 for view weeks and it works very well except win7 VM who 
> need cirrus video type instead of xen type.
> Installation wasn't easy but I succeed with yumi uefi beta 6 and 2 keys 
> because anaconda can't read the iso on the install's key.
> 
> For qubes 4, I'm so sad because rufus don't works and yumi needs fat32 
> partition to boot.
> Is it possible to have a lite iso with less 4 Go please ?
> 
> @+
> 
> Olivier

oups !

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/87c50e5f-2816-46c3-b423-c5859d65b360%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Qubes-HCL-ASUSTeK_COMPUTER_INC_-GL753VD-20180316-173149.cpio.gz
Description: Binary data


Qubes-HCL-ASUSTeK_COMPUTER_INC_-GL753VD-20180316-173149.yml
Description: Binary data

[qubes-users] Re: Dependency error building Qubes

2018-03-16 Thread voitsovich . p 
воскресенье, 11 марта 2018 г., 23:22:41 UTC+2 пользователь 
rucksac...@googlemail.com написал:
> I'm trying to build a Qubes ISO on a Fedora 26 System, following the 
> instructions of the documentation page "Building Qubes OS ISO", and get this 
> error message:
> 
> make[1]: Entering directory '/home/xy/qubes-builder'
> sudo chroot /home/xy/qubes-builder/chroot-fc25 dnf install -y 
> gcc-6.4.1-1.qubes1.fc25.x86_64 libgcc.x86_64
> Qubes OS Builder Repository 251 kB/s | 257  B 00:00   
>  
> No package gcc-6.4.1-1.qubes1.fc25.x86_64 available.
> Package libgcc-6.4.1-1.fc25.x86_64 is already installed, skipping.
> Error: Unable to find a match.
> make[1]: *** [qubes-src/vmm-xen/Makefile.builder:27: 
> workaround-gcc-upgrade-fc25] Error 1
> make[1]: Leaving directory '/home/xy/qubes-builder'
> make: *** [Makefile:224: vmm-xen-dom0] Error 1
> 
> How can I fix this?


Hello guys!
Any updates on this?
As I'm tried to build qubes-iso and have same issue ;-\

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fdf13bd4-3a33-4971-b88d-446b6da349aa%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] HCL- ASUS GL753V

2018-03-16 Thread olivier . defoulounoux 
/home/user/Qubes-HCL-ASUSTeK_COMPUTER_INC_-GL753VD-20180316-173149.cpio.gz
/home/user/Qubes-HCL-ASUSTeK_COMPUTER_INC_-GL753VD-20180316-173149.yml

Hello,

I'm using qubes 3.2 for view weeks and it works very well except win7 VM who 
need cirrus video type instead of xen type.
Installation wasn't easy but I succeed with yumi uefi beta 6 and 2 keys because 
anaconda can't read the iso on the install's key.

For qubes 4, I'm so sad because rufus don't works and yumi needs fat32 
partition to boot.
Is it possible to have a lite iso with less 4 Go please ?

@+

Olivier

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4d28f08c-7f1f-415d-94d3-76cf7a88d823%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: [UPDATE] QSB #37: Information leaks due to processor speculative execution bugs (XSA-254, Meltdown & Sepctre)

2018-03-16 Thread Lorenzo Lamas 
After updating to Xen 4.6.6-37, with updated BIOS/microcode, I executed Spectre 
& Meltdown Checker(https://github.com/speed47/spectre-meltdown-checker) in a PV 
Fedora 26 AppVM.(Kernel 4.14.18-1)

Hardware support is now supported:
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available:  YES 
* CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available:  YES 
* CPU indicates IBPB capability:  YES  (IBPB_SUPPORT feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available:  YES 
* CPU indicates STIBP capability:  YES 

However, the VM kernel does not seem to support the migitations: 

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  NO  (kernel confirms your system 
is vulnerable)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO 
  * Currently enabled features
* IBRS enabled for Kernel space:  NO 
* IBRS enabled for User space:  NO 
* IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  YES 
  * Kernel compiled with a retpoline-aware compiler:  NO  (kernel reports 
minimal retpoline compilation)
> STATUS:  VULNERABLE  (Vulnerable: Minimal generic ASM retpoline, IBPB)


Does this mean the kernel compiled by Qubes does not support the migitations 
yet, or that this test cannot get proper info from the kernel, since the kernel 
is provided by Dom0 instead of the VM? Or are both true?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/636c6c6c-66fe-45e5-9605-1c3bba03c2eb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Dom0 updates broken

2018-03-16 Thread Lorenzo Lamas 
On Friday, March 16, 2018 at 10:29:25 AM UTC+1, awokd wrote:
> On Fri, March 16, 2018 8:42 am, Lorenzo Lamas wrote:
> > On Qubes 3.2 I'm getting this error when performing qubes-dom0-update:
> >
> >
> > tar: /var/lib/qubes/dom0-updates: Cannot open: No such file or directory
> > tar: Error is not recoverable: exiting now
> > Dom0 updates dir does not exists: /var/lib/qubes/dom0-updates
> 
> https://github.com/QubesOS/qubes-issues/issues/3620
> 
> Update your update template once the R3.2 patch hits current.

Thanks! I updated one template from the current-testing and it works again.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/11614dca-8fd2-4908-927f-a925e2f58cc8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Fedora no longer starts, installed from RPM.

2018-03-16 Thread Unman 
On Thu, Mar 15, 2018 at 07:32:54PM -0700, Drew White wrote:
> On Friday, 16 March 2018 11:04:31 UTC+11, Unman  wrote:
> > On Thu, Mar 15, 2018 at 04:50:14PM -0700, Drew White wrote:
> > > I installed my template for fedora 17 and 20, and neither of them will 
> > > start.
> > > I installed them from the RPMs provided.
> > > 
> > > Upon start it looks like it's booting then says "Error could not start VM 
> > > F17: Cannot execute QREXEC daemon."
> > > 
> > > How can I get them running again?
> > > 
> > 
> > Hello Drew,
> > 
> > Nice to see you again.
> > 
> > Fedora 17 and 20 are long past eol, and therefore no longer supported in
> > Qubes.
> > You *may* be able to get them running by building your own qubes
> > packages , but I would think that you will have to mangle the code
> > somewhat to do that. It's not impossible but you'll have to hack about
> > in qubes-builder and the relevant package sources.
> > 
> > I suggest you use more up to date Fedora templates.
> > 
> > unman
> 
> Supported or not, they should still start.
> They still use the same Qubes system.
> Even if there is no QREXEC they should still start and then be able to have 
> the console attached to update the QREXEC.
> 
> So support isn't an issue here.
> Right now it's an issue of Qubes 3.2 and those templates not starting.
> 
> Is there anyone that is having a similar issue or else managed to resolve a 
> similar issue here old templates aren't starting any more?
> 

Not supported means the Qubes team dont say it will work and wont put
any effort in to making it work.
Lots of people have had the "QREXEC not running" problem - usually
caused by attached devices or incorrect upstream netvms.That's where I'd
start looking, as well as checking logs, both for the qube and in dom0.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180316135855.bfdowvzuywcrr24f%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Runing Qubes on: HP ProBook 430 G2 or HP EliteBook 820

2018-03-16 Thread Chris Laprise 

On 03/16/2018 07:55 AM, Linus Stridbeck wrote:

I came across very inexpensive HP computers:

HP ProBook 430 G2
HP EliteBook 820

They both have i3 procesor and I wonder if someone tried ryning Qubes on one of 
them?




They're probably both worth a try if they support 8GB or more RAM. The 
EliteBook 820 has an old entry in the HCL...


https://www.qubes-os.org/hcl/

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cde75b0e-ab03-c2f6-e9ab-1a3f604d9a39%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Qubes 3.2 UEFI install media

2018-03-16 Thread stan007petro 
Am Montag, 26. Juni 2017 08:29:36 UTC+2 schrieb Dave C:
> I recently had some success install Qubes 3.2 on a lenovo p51, booting UEFI.  
> I went through a lot of a trial and error in the process.  I'm hoping this 
> post can save others some time.  I've seen in other threads some struggling 
> to get Qubes working with UEFI firmware.
> 
> I intended to save my command history to disk so that I could post 
> step-by-step exactly what to do.  But I must have been in a dispvm at the 
> time, because now I can't find that history.  So the following is from memory 
> and not precise.
> 
> I tried every trick I could find related to Qubes UEFI installation, and 
> thinkpad troubleshooting.  What finally worked does not appear to be 
> documented in any of the Qubes documentation.  Qubes uses Fedora's installer, 
> Anaconda, and the following approach is documented on Fedora's wiki.
> 
> 1. Follow Qubes install guide up to the `dd` command.  Don't write to usb 
> with `dd`.
> https://www.qubes-os.org/doc/installation-guide/
> 
> 2. Instead, use Fedora's `livecd-iso-to-disk` tool.  You'll need the 
> `livecd-tools` package.  See 
> https://fedoraproject.org/wiki/How_to_create_and_use_Live_USB#Command_line_method:_Using_the_livecd-iso-to-disk_tool_.28Fedora_only.2C_non-graphical.2C_both_non-destructive_and_destructive_methods_available.29
> 
> I don't recall for certain exactly what I passed to `livecd-iso-to-disk`.  
> Try this:
> 
> sudo livecd-iso-to-disk --efi --format Qubes-R3.2-x86_64.iso /dev/xvdi
> 
> The media as written will not quite boot, yet.  Qubes EFI boot is configured 
> to find a label "Qubes-R3.2-x86_64", but the media written by the livecd tool 
> is labelled "BOOT" (and the filesystem does not support the longer label, so 
> the --label option would not help).
> 
> 3. Mount the usb media (/dev/xvdi in the example above)
> 
> 4. Edit xen.cfg.  If I recall correctly, `/EFI/BOOT/xen.cfg`.
> 
> In this file, replace every occurrence of `LABEL=Qubes-R3.2-x86_64` with 
> `LABEL=BOOT`
> 
> You should now have install media that work on UEFI firmware!
> 
> 
> After install, I recommend upgrading kernel version for recent hardware.  
> I.e. with
> 
> sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable kernel 
> kernel-qubes-vm

Hi, I have one question (I am pretty new).
By doing dosfslabel /dev/sdb1 BOOT Im getting the following message:

There are differences between boot section and its backup.
This is mostly harmless. Differences: (offset:original/backup)
--many numbers--
Not automatically fixing this.

Can I just ignore this message ? Or what can I do to fix it ? 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e8df3101-a4c0-40d0-8742-6428769d8987%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: macosx

2018-03-16 Thread Unman 
On Fri, Mar 16, 2018 at 09:44:19AM -, 'awokd' via qubes-users wrote:
> On Fri, March 16, 2018 5:16 am, Drew White wrote:
> > and will it run osx under it?
> 
> I see some Macbooks in https://www.qubes-os.org/hcl/ but latest report is
> R3.1... Haven't heard of anyone running OSX under Qubes.
> 

Two years ago Eric Shelton was running OSX in Qubes: you will find his
mails in the list archives.
I was able to boot a hackintosh image that I had following his approach,
but the performance was not good, and I had little interest in making
it work.  But yes, in principle, (and no doubt after much hacking about),
you should be able to run OSX in Qubes.

I've had good experience with running Qubes on old MacBooks - I've
always used rEFInd to circumvent boot issues, and everything seems fine.
That's 3.2 - I cant speak to 4.0.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180316133647.bfqwxzrrkph4xjbd%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Lenovo Yoga 920 Hypervisor not starting

2018-03-16 Thread Yuraeitha 
On Friday, March 16, 2018 at 11:56:00 AM UTC+1, 
bbdc0633aad7f210c787697cc1664e7e...@tutanota.com wrote:
> Hi there.
> 
> I am trying to install Qubes and have tried 3.2 and 4.0-rc5.
> 
> In both cases the hypervisor does not start but halts after five lines and 
> the processor still running heavy for a while. The only screen output I get 
> (4.0-rc5)
> "
> Xen 4.8.3 (c/s ) EFI loader
> Using configuration file 'BOOTX64.cfg'
> vmlinuz: 0x00.(some numbers)
> initrd.img: 0x(more numbers)
> 0x:0x00:0x02.0x0: ROM: 0x1 bytes at 0x2d...(numbers)
> "
> 
> The same happens on 3.2, but I get the GRUB menu first. This did not help:
> https://www.qubes-os.org/doc/uefi-troubleshooting/#cannot-start-installation-installation-completes-successfully-but-then-bios-loops-at-boot-device-selection-hangs-at-four-penguins-after-choosing-test-media-and-install-qubes-os-in-grub-menu
> 
> I have also gone to BIOS to enable USB boot and disable Secure boot (Legacy 
> doesn't appear to be an option)
> 
> I installed Fedora and set up Qubes on my USB, both as instructed in the 
> installation guide and in the guide for Lenovo thinkpads:
> https://www.qubes-os.org/doc/thinkpad-troubleshooting
> https://www.qubes-os.org/doc/installation-guide/#copying-the-iso-onto-the-installation-medium
> 
> 
> I have tried the same in a macOS (terminal) and Windows (Rufus) environment.
> 
> I would *really* like Qubes to work, and would be exhilarated if it does 
> eventually.
> 
> 
> 
> Sincerely,
> Troubled Qubes fan

http://www.zdnet.com/article/intel-were-ending-all-legacy-bios-support-by-2020/
This article seems very unfortunate, it might be that LegacyBIOS can have been 
purged on your machine. You might want to look it up, there must be some 
discussions for Linux in general on the Yoga 920 who wants to use LegacyBIOS, 
so you should be able to find a discussion if you dig long enough after it in 
the search engines.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f34af4ab-e13d-48db-a163-22e18246ce9d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Macbook Pro - Broadcom WLAN adapter BCM43602 causing freezing under Qubes OS 4.0 rc5

2018-03-16 Thread c... 
пятница, 16 марта 2018 г., 5:19:41 UTC+3 пользователь Greg написал:
> Hi,
> 
> Please assist if possible - I'm trying to get the Broadcom WLAN adapter 
> BCM43602 working on my Macbook Pro under Qubes OS 4.0 rc5. 
> 
> "03:00.0 Network controller: Broadcom Limited BCM43602 802.11ac Wireless LAN 
> SoC (rev 01)"
> 
> I've managed to install Qubes OS successfully (during the second part of 
> setup, just before sys-net creation I switched to a console and started a 
> short bash script that just loops over and over trying to remove the BCM43602 
> from sys-net, then I went back and completed the setup. The script 
> successfully removed the BCM43602 from sys-net before sys-net was started by 
> the setup wizard, meaning that I managed to avoid the system freeze that 
> would have otherwise occurred during setup).
>  
> Now I'm trying to actually get the BCM43602 working, i.e. attach the adapter 
> to a qube (e.g. sys-net, standalone hvm or anything at all without freezing). 
> However it seems that the system freezes the moment I start the qube it is 
> attached to and it doesn't matter which kernel the associated qube is 
> actually running (e.g. it freezes even when I attach it to a qube that is a 
> fresh Ubuntu 17.10 install with hvm and no kernel seleced). I've tried 
> different combinations of permissive mode and no-strict-reset and pv/hvm but 
> every combination results in freezing. 
> 
> I'm not sure how to proceed? Does anyone have the BCM43602 working under 4.0 
> rc5?
> 
> Any pointers would be appreciated.
> 
> Thanks,
> Greg

Try to start sys-net without attached devices, after that attach adapter 
directly:
sudo xl pci-attach sys-net '03:00.0,permissive=1'
That helped for me.
qvm-pci for some reason freezes my macbook

cheers

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/29ecf6b2-4d7a-44f1-aafc-16b7e475f1ca%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Lenovo Yoga 920 Hypervisor not starting

2018-03-16 Thread Yuraeitha 
On Friday, March 16, 2018 at 11:56:00 AM UTC+1, 
bbdc0633aad7f210c787697cc1664e7e...@tutanota.com wrote:
> Hi there.
> 
> I am trying to install Qubes and have tried 3.2 and 4.0-rc5.
> 
> In both cases the hypervisor does not start but halts after five lines and 
> the processor still running heavy for a while. The only screen output I get 
> (4.0-rc5)
> "
> Xen 4.8.3 (c/s ) EFI loader
> Using configuration file 'BOOTX64.cfg'
> vmlinuz: 0x00.(some numbers)
> initrd.img: 0x(more numbers)
> 0x:0x00:0x02.0x0: ROM: 0x1 bytes at 0x2d...(numbers)
> "
> 
> The same happens on 3.2, but I get the GRUB menu first. This did not help:
> https://www.qubes-os.org/doc/uefi-troubleshooting/#cannot-start-installation-installation-completes-successfully-but-then-bios-loops-at-boot-device-selection-hangs-at-four-penguins-after-choosing-test-media-and-install-qubes-os-in-grub-menu
> 
> I have also gone to BIOS to enable USB boot and disable Secure boot (Legacy 
> doesn't appear to be an option)
> 
> I installed Fedora and set up Qubes on my USB, both as instructed in the 
> installation guide and in the guide for Lenovo thinkpads:
> https://www.qubes-os.org/doc/thinkpad-troubleshooting
> https://www.qubes-os.org/doc/installation-guide/#copying-the-iso-onto-the-installation-medium
> 
> 
> I have tried the same in a macOS (terminal) and Windows (Rufus) environment.
> 
> I would *really* like Qubes to work, and would be exhilarated if it does 
> eventually.
> 
> 
> 
> Sincerely,
> Troubled Qubes fan

Keep looking for other replies and fix suggestions here in the future, but for 
now I'd suggest trying this.

I recently inspected a Lenovo 720 for a short time in the BIOS, I noticed the 
UEFI boot selecting between LegacyBIOS/UEFI was grayed out, and from another 
experience a year or so ago I had to switch some BIOS settings to allow to 
enable LegacyBIOS. Sometimes you need to re-start the BIOS/PC to make changes 
take effect too. Since you probably have a grayed out UEFI boot-selection in 
the boot menu, chances are it's a setting that needs changing, to allow 
LegacyBIOS to be selected. Which setting, is hard to say, I don't have that 
knowledge on hand, but it's probably a UEFI related setting which can't be 
enabled while LegacyBIOS is used. Be careful you don't change anything risky if 
you're trial and error'ing this though.

Keep trying, you might get it working in the end, whether it's by UEFI or 
LegacyBIOS. It might be worth it to see if you can get LegacyBIOS enabled.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/29e9f822-30cc-4825-8d8a-bd16a59e96cd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Runing Qubes on: HP ProBook 430 G2 or HP EliteBook 820

2018-03-16 Thread Linus Stridbeck 
I came across very inexpensive HP computers: 

HP ProBook 430 G2
HP EliteBook 820 

They both have i3 procesor and I wonder if someone tried ryning Qubes on one of 
them?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fef23f9a-7680-46eb-bb12-a3629f431b49%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Lenovo Yoga 920 Hypervisor not starting

2018-03-16 Thread bbdc0633aad7f210c787697cc1664e7ed1b6b85c17e21c5671941633d8168ba0 
Hi there.

I am trying to install Qubes and have tried 3.2 and 4.0-rc5.

In both cases the hypervisor does not start but halts after five lines and the 
processor still running heavy for a while. The only screen output I get 
(4.0-rc5)
"
Xen 4.8.3 (c/s ) EFI loader
Using configuration file 'BOOTX64.cfg'
vmlinuz: 0x00.(some numbers)
initrd.img: 0x(more numbers)
0x:0x00:0x02.0x0: ROM: 0x1 bytes at 0x2d...(numbers)
"

The same happens on 3.2, but I get the GRUB menu first. This did not help:
https://www.qubes-os.org/doc/uefi-troubleshooting/#cannot-start-installation-installation-completes-successfully-but-then-bios-loops-at-boot-device-selection-hangs-at-four-penguins-after-choosing-test-media-and-install-qubes-os-in-grub-menu
 


I have also gone to BIOS to enable USB boot and disable Secure boot (Legacy 
doesn't appear to be an option)

I installed Fedora and set up Qubes on my USB, both as instructed in the 
installation guide and in the guide for Lenovo thinkpads:
https://www.qubes-os.org/doc/thinkpad-troubleshooting 

https://www.qubes-os.org/doc/installation-guide/#copying-the-iso-onto-the-installation-medium
 



I have tried the same in a macOS (terminal) and Windows (Rufus) environment.

I would *really* like Qubes to work, and would be exhilarated if it does 
eventually.



Sincerely,
Troubled Qubes fan


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/L7iRuBZ--3-0%40tutanota.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: macosx

2018-03-16 Thread 'awokd' via qubes-users 
On Fri, March 16, 2018 5:16 am, Drew White wrote:
> and will it run osx under it?

I see some Macbooks in https://www.qubes-os.org/hcl/ but latest report is
R3.1... Haven't heard of anyone running OSX under Qubes.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6db07231cf3f7ab1994ded33a5f01f5a.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Macbook Pro - Broadcom WLAN adapter BCM43602 causing freezing under Qubes OS 4.0 rc5

2018-03-16 Thread 'awokd' via qubes-users 
On Fri, March 16, 2018 2:19 am, Greg wrote:
> Hi,
>
>
> Please assist if possible - I'm trying to get the Broadcom WLAN adapter
> BCM43602 working on my Macbook Pro under Qubes OS 4.0 rc5.
>
>
> "03:00.0 Network controller: Broadcom Limited BCM43602 802.11ac Wireless
> LAN SoC (rev 01)"

> I've tried different combinations of permissive mode and
> no-strict-reset and pv/hvm but every combination results in freezing.

I experienced hard freezes on an AMD system until I got the BIOS updated.
This is a completely different system, but it's worth checking if there
are any BIOS updates available for yours.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/234bd309414c34aa1fdb3d8fe886adcd.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Dom0 updates broken

2018-03-16 Thread 'awokd' via qubes-users 
On Fri, March 16, 2018 8:42 am, Lorenzo Lamas wrote:
> On Qubes 3.2 I'm getting this error when performing qubes-dom0-update:
>
>
> tar: /var/lib/qubes/dom0-updates: Cannot open: No such file or directory
> tar: Error is not recoverable: exiting now
> Dom0 updates dir does not exists: /var/lib/qubes/dom0-updates

https://github.com/QubesOS/qubes-issues/issues/3620

Update your update template once the R3.2 patch hits current.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/101a52dd6b6b4b879b89aa9982da64a7.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Dom0 updates broken

2018-03-16 Thread Lorenzo Lamas 
On Qubes 3.2 I'm getting this error when performing qubes-dom0-update:

tar: /var/lib/qubes/dom0-updates: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
Dom0 updates dir does not exists: /var/lib/qubes/dom0-updates

This was the latest succesful update before it broke:

Return-Code: Success
Command Line   : 
--exclude=qubes-template-whonix-ws,qubes-template-fedora-26,qubes-template-whonix-gw,qubes-template-debian-8,
 upgrade
Transaction performed with:
Installed dnf-1.1.10-1.fc23.noarch@anaconda/rawhide
Installed rpm-4.13.0-0.rc1.13.fc23.x86_64 @anaconda/rawhide
Packages Altered:
Upgraded libgcc-5.3.1-6.fc23.x86_64@anaconda/rawhide
Upgrade 5.3.1-6.qubes1.fc23.x86_64 @qubes-dom0-cached
Upgraded libgomp-5.3.1-6.fc23.x86_64   @anaconda/rawhide
Upgrade  5.3.1-6.qubes1.fc23.x86_64@qubes-dom0-cached
Upgraded libstdc++-5.3.1-6.fc23.x86_64 @anaconda/rawhide
Upgrade5.3.1-6.qubes1.fc23.x86_64  @qubes-dom0-cached
Upgraded qubes-gpg-split-dom0-2.0.27-1.fc23.x86_64 @qubes-dom0-cached
Upgrade   2.0.28-1.fc23.x86_64 @qubes-dom0-cached

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0c859304-c673-4909-b795-01442534e442%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Issues with Yubikey 4 input

2018-03-16 Thread ThierryIT 
Le vendredi 9 mars 2018 19:34:06 UTC+2, Jon R. a écrit :
> Hello,
> 
> I've scoured around the mailing lists / SO / Reddit and haven't come across a 
> solution to this yet. I'm running 4.0 (R4.0) and when I attempt to use my 
> Yubikey it's seemingly not picking up any input on the button press.
> 
> It's detecting the USB properly and I can attach it fine:
> 
> [cloe@dom0 Desktop]$ qvm-usb
> BACKEND:DEVID  DESCRIPTION USED BY
> sys-usb:2-1    Yubico_Yubikey_4_OTP+CCID
> 
> [cloe@dom0 Desktop]$ qvm-usb attach work sys-usb:2-1
> 
> [cloe@dom0 Desktop]$ qvm-usb
> BACKEND:DEVID  DESCRIPTION USED BY
> sys-usb:2-1    Yubico_Yubikey_4_OTP+CCID   work
> 
> However upon button presses on the Yubikey in the "work" domain there is no 
> action. I've tested this in gedit, the terminal and elsewhere to no avail. 
> 
> 
> Can someone point me in the right direction as to what may be happening? I've 
> successfully attached storage devices and other smart card related devices 
> without any issue so it seems to be isolated to the Yubikey itself. I've 
> tried 2 separate Yubikey 4's and an older version to no avail.
> 
> 
> Thank you for your time.
> 
> 
> - Cody

I had the same problem than yours ...
I was able, after a looong period of fight, to attached my Yubikey but it was 
not working ...
I have found that it was not working with Firefox but only with Chrome ... I am 
only using mu Yubikey to manage my PGP kys and to be authenticated on web site 
like Github ... 

Thx

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bc3da3a6-2568-40ac-b018-beb6facfb1fa%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.