[qubes-users] Whonix 13 approaching EOL

2018-08-24 Thread Andrew David Wong

With the recent release of Whonix 14 [1], Whonix 13 will reach EOL
(end-of-life) on 2018-09-30. We strongly recommend that all Qubes users
who have Whonix TemplateVMs [2] or StandaloneVMs [3] upgrade them to
Whonix 14 by 2018-09-30. The Whonix Project [4] provides step-by-step
upgrade instructions for upgrading from Whonix 13 to 14 [5]. For a
complete list of TemplateVM versions supported for your specific version
of Qubes, see Supported TemplateVM Versions [6].

We also provide a fresh Whonix 14 TemplateVM package through the Qubes
repositories, which you can install in dom0 by following the Whonix
installation guide [7]. If you encounter any difficulties when
attempting to upgrade or install Whonix templates, please consult the
Whonix Support page [8].

After upgrading your TemplateVMs, please remember to set all qubes that
were using the old template to use the new one. There are instructions
to do this for Qubes 3.2 [9] and Qubes 4.0 [10].

If you're using an older version of Qubes than 3.2, we strongly
recommend that you upgrade to 3.2, as older versions are no longer
supported.


 [1]: https://www.qubes-os.org/news/2018/08/07/whonix-14-has-been-released/
 [2]: https://www.qubes-os.org/doc/whonix/
 [3]: https://www.qubes-os.org/doc/glossary/#standalonevm
 [4]: https://www.whonix.org/
 [5]: https://www.whonix.org/wiki/Upgrading_Whonix_13_to_Whonix_14
 [6]: https://www.qubes-os.org/doc/supported-versions/#templatevms
 [7]: https://www.whonix.org/wiki/Qubes/Install
 [8]: https://www.whonix.org/wiki/Support
 [9]: https://www.qubes-os.org/doc/templates/#how-to-switch-templates-32
[10]: https://www.qubes-os.org/doc/templates/#how-to-switch-templates-40

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2018/08/24/whonix-13-approaching-eol/

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4e794286-b9b1-b7c4-f898-ed326a9ad78e%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Qubes as server

2018-08-24 Thread chrisrowlands01
Hello,

I am considering the feasibility of using Qubes as the OS for a home server.  

I am aware it is primarily a desktop OS at this time (although I hope with 
Qubes Air on the horizon that may change to accommodate the server space 
better), and can live with configuring the system locally via a GUI; but I 
would like to run at least two or three VMs which each offer a service (a web 
server, a media streaming service, etc) to external connections.

I previously did something like this with VirtualBox on Linux, and was able to 
assign a couple of VMs with their own IPs and SSH instances, etc.

Is this something I can realistically achieve with Qubes?

Thanks in advance for any advice.



[qubes-users] Re: about [Dom0] Session and Startup - Application Autostart items

2018-08-24 Thread Marcus Linsner
On Friday, August 17, 2018 at 12:43:29 PM UTC+2, Marcus Linsner wrote:
> All the app links in xfce4's "[Dom0] Session and Startup" window under the 
> tab "Application Autostart" (see screenshot) cannot be Edit-ed which is 
> probably because they reside in /etc/xdg/autostart/ as *.desktop files; 
> another way to see what command they execute is looking at the tooltip shown 
> by hovering the mouse on them.
> 
> I needed to see what's the command for that blue "Q" in systray(aka 
> Notification Area) because it went away after some dialog popped up.
> 
> The answer is: it's one of the "Domains Tray" items(there are two) whose 
> command is:
> $ python3 -mqui.tray.domains &
> (added the "&" to let it go into background for when running it inside the 
> dom0 terminal; without the "&", Ctrl+Z then "$ bg" also works)
> 
> This post was supposed to be a question but before posting it I've figured it 
> out, but I'm still posting it just in case it might be useful to someone or 
> even future me.

When that blue 'Q' in the systray crashes, the dialog (which I missed the first 
time) tells me to restart it with the command: qui-domains
and it works! Though the command should have an & at the end, because it's 
blocking, so, in dom0:
$ qui-domains &



Re: [qubes-users] Error installing qubes-whonix-workstation-gnome (TemplateVM)

2018-08-24 Thread Marcus Linsner
On Thursday, March 19, 2015 at 7:08:58 AM UTC+1, WhonixQubes wrote:
> On 2015-03-19 5:37 am, Iestyn Best wrote:
> > Hi,
> > 
> > I have been following the work of Qubes-OS for a short while now and 
> > have
> > finally installed it on a new company laptop.
> > 
> > I was trying to install the Whonix templates so that I can play with 
> > them
> > but I am getting the following error:
> > 
> > qfile-agent: Fatal error: File copy: Disk quota exceeded; Last file:
> > qubes-template-whonix-workstation-gnome-2.1.8-201503092029.noarch.rpm
> > (error type: Disk quota exceeded)
> > 
> > I have been able to install the Gateway template as long as I did it by
> > itself.
> > 
> > Any help you may be able to provide would be greatly appreciated.
> > 
> > Regards,
> > Iestyn Best
> 
> 
> Hi Iestyn,
> 
> Try increasing the size of your UpdateVM (firewallvm) with step #2 for 
> the Whonix-Workstation install here:
> 
> https://www.whonix.org/wiki/Qubes/Binary_Install
> 
> 
> WhonixQubes

What is step #2 now? I can't find it.
What I found out is that the disk space for root aka / is the one that's being 
used up and when it reaches about 7.8G Used (up from like 4.4 Used) then I'm 
getting that `Disk quota exceeded.` message. However if I restart the 
sys-firewall qube, the space is down to 4.4 Used again (for obvious reasons of 
how Qubes works) and the message won't be shown again(unless you want to 
install 3 TemplateVMs consecutively without restarting `sys-firewall`, I 
suppose). So this 10G total space for / is apparently settable from `[Dom0] Qube 
Manager` in the `Qube settings` for `sys-firewall`, on the `Basic` tab under 
`Disk storage` (in Qubes R4.0 anyway), it's `System storage max. size:` but 
it's grayed out which means it cannot be modified (even when the qube is shut 
down). So I've no idea how to change that and if it even makes sense to be able 
to change it... oh wait... that's what I thought: it can be changed only in the 
TemplateVM that `sys-firewall` uses. Cool! 20G should do, until next reboot. A 
tooltip would be nice for the grayed out items saying they can only be changed 
in the TemplateVM ;-)



[qubes-users] Re: Use Internal Mic for Skype in Standalone AppVM

2018-08-24 Thread John S.Recdep
On 08/22/2018 04:27 AM,
robertwalz35-re5jqeeqqe8avxtiumw...@public.gmane.org wrote:
> Hello,
> 
> does anybody have experience in using the internal mic inside an AppVM for 
> skype?
> 
> I just created a Standalone AppVM based on fedora-26 template (Qubes R4.0) 
> and attached the mic to this VM. In PulseAudio Volume Control I selected 
> "Audio Stereo Duplex", my speakers are working on this AppVM. As Input Device 
> I selected "Internal Microphone" and in skypeforlinux's audio settings 
> "Microphone: Qubes VCHAN source", "Automatically adjust microphone settings: 
> On"
> 
> I also tried to record with audacity, but I got an error message, that it is 
> unable to capture the stream...
> 
> I use a Lenovo X220 and Qubes R4.0 (Fedora-26 template, Standalone AppVM)
> 
> Would be thankful for an advice!
> 
> Regards
> 

if you do qvm-block or qvm-usb, what choices do you see?

I have a thinkpad with an int mic that worked on skype, but it wasn't in a
standalone. Looks like you may be confusing 'standalone based on
template' with App-template-based-VM; iirc there are 3 flavors: appvm,
SAbasedontemplate, and SAnotbasedontemplate (the SA's can be changed
from PVH to HVM; SA's and AppVms are PVH by default) --
https://www.qubes-os.org/doc/glossary/


PS: sudo qubes-dom0-update qubes-template-fedora-28 or so; as I'm sure
you know, fed-26 is no longer supported or soon won't be. Things may
work better with the up-to-date template?
https://www.qubes-os.org/doc/templates/fedora/



[qubes-users] Re: Asking Template VM 'user' password after running autoremove.

2018-08-24 Thread John S.Recdep
On 08/24/2018 03:18 AM,
wlminimal-re5jqeeqqe8avxtiumw...@public.gmane.org wrote:
> Hi
> I wanted to clean up my Template VM by running sudo dnf autoremove and sudo 
> apt autoremove..
> But after this, Template vm started asking user's password which I don't know 
> and can run sudo..
> And After restart qubes os, network manager is not running so I can't connect 
> to the internet..
> How can I solve this issue?
> 
as I recall it asks for your sudo pw, which is not the one to decrypt
your drive, nor your user; in Qubes there is no sudo pw by default.

tasket has a script you can use, iirc that would create one, but that
probably won't solve this 

in my case debian was ok, just fedora  broke iirc



[qubes-users] Re: Asking Template VM 'user' password after running autoremove.

2018-08-24 Thread John S.Recdep
On 08/24/2018 03:18 AM,
wlminimal-re5jqeeqqe8avxtiumw...@public.gmane.org wrote:
> Hi
> I wanted to clean up my Template VM by running sudo dnf autoremove and sudo 
> apt autoremove..
> But after this, Template vm started asking user's password which I don't know 
> and can run sudo..
> And After restart qubes os, network manager is not running so I can't connect 
> to the internet..
> How can I solve this issue?
> 

I think this happened to a number of people some weeks back (rumor I
heard is that some package maintainer made a mistake somewhere),
happened to me and in the end I just reinstalled the Template from
qubes-dom0-update  instead of trying to fix it, and for me, probably
breaking something else,  if you do a search you can see my thread on
here, lesson learned: make a clone of your clean and/or altered
Templates from time to time, and be cautious with autoremove (though
I'll probably use it again) 

also, one qubster on here backs up his templates to another media source
nightly :)




Re: [qubes-users] Qubes Server HVM network problem

2018-08-24 Thread Who Cares

> See https://www.qubes-os.org/doc/firewall/.

worked fine there :)

> Not natively with Qubes. However, it might be possible to bridge your
> Win-serv VM straight to your LAN, then your other Windows Client VM could
> access it like normal. See
> https://www.qubes-os.org/doc/network-bridge-support/; unknown if anyone
> has accomplished this under 4.0. So you'd have two separate sys-nets:
> 
> Windows Server VM --- sys-net2 (bridge on Lan2 interface)
> 
> Windows Client VM --- sys-firewall --- sys-net1 (on Lan1 interface to same
> network)

I just assigned the second LAN to the Win-serv Vm this worked just fine here :)



Re: [qubes-users] Asking Template VM 'user' password after running autoremove.

2018-08-24 Thread Chris Laprise

On 08/24/2018 09:18 AM, wlmini...@gmail.com wrote:
> Hi
> I wanted to clean up my Template VM by running sudo dnf autoremove and sudo apt 
> autoremove..
> But after this, Template vm started asking user's password which I don't know 
> and can run sudo..
> And After restart qubes os, network manager is not running so I can't connect 
> to the internet..
> How can I solve this issue?



You can try to revert the template's filesystem like this (dom0):

$ qvm-volume revert templatename:root

This will only work if you haven't restarted the template since it was 
damaged.


The next-easiest solution is to switch (at least temporarily) to another 
template for sys-net if you have one -- this is a good reason to have 
more than one template, in case your main one gets damaged.


Another thing to try is to get your Qubes install media and see if you 
can locate the template .rpm package files on it (I don't recall the 
path at the moment); They could be installed manually.


Finally, you could try connecting using the damaged template/sys-net. 
There are advice pages around the Internet that describe connecting 
without NetworkManager for instance (I suggest doing this with ethernet 
cable which is easier than wifi):


https://unix.stackexchange.com/questions/253030/how-to-setup-network-without-wicd-or-networkmanager

In order to execute commands to repair the template, you'll need to 
start a root shell from dom0 like this:


$ qvm-run -u root vmname 'xterm'

Good luck!

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] HCL - Lenovo ThinkPad P50

2018-08-24 Thread Achim Patzner
On 22.08.2018 09:36:33, "Benjamin Girdner" wrote:
> Everything seems to have worked without any special troubleshooting.  
> Docking station, multiple monitors, wireless network, lan network, etc  
> My windows vm is a bit laggy at times when switching windows within the 
> windows vm itself but I don't think that has anything to do with my 
> hardware?


I would expect it to have the same problems as a P70 in regard to USB-C 
connectors (attaching devices will create new PCI attachments leading to 
new USB controllers showing up which will be attached to dom0 at that 
point). The same happens for Thunderbolt devices (but creating different 
entries). Not quite what I like...



Achim



Re: [qubes-users] Qubes 4.0 SSD Encryption

2018-08-24 Thread brendan . hoar
On Friday, August 24, 2018 at 5:42:16 AM UTC-4, awokd wrote:
> On Thu, August 23, 2018 8:03 pm, tai...@gmx.com wrote:
> > There is no reason to use an SED drive.
> 
> I think that's a bit over-broad. It depends on threat model, which varies
> from person to person.

Agreed.

I'll just add a few bullet points on why it is wise to use the hardware 
encryption that comes with your OPAL-supporting SED SSD (via ATA Password or 
OPAL). This only applies to OPAL-supporting SED SSDs (e.g. Samsung 840 EVO/850 
PRO and later; Crucial M500 and later):

Read/Write user data denial:
1. ATA Password locked drive cannot be read from or written to until unlocked. 
2. OPAL locked drive cannot be written to and on boot only presents a very 
small volume with generic read-only boot code that loads the tool to 
authenticate the user to the drive and decrypt the DEK.

Flash firmware denial:
1. The OPAL standard requires that securely-configured drives (having enabled 
OPAL or ATA Password and, importantly, whether currently locked or unlocked) 
shall block firmware updates or, if they do not fully block, the unlocking 
credential used to unlock the drive at boot must also be sent to initiate 
firmware updates.
2. IMPORTANTLY: when not securely-configured (as they come from the factory), 
firmware updates are not blocked at all. Enabling the locking of the drive at 
power on is also the way to block firmware changes.

Don't be fooled by past analysis of the flaws of ATA Password; some no longer 
apply. For example, OPAL supporting drives are required to encrypt the DEK 
using the ATA Password and not store either the DEK or the Password in 
cleartext on the drive when ATA Password (or OPAL) is enabled. The old trick of 
using manufacturer-specific commands (either via the (S)ATA interface or using 
the jumper pinouts) to disable or rewrite the ATA Password cannot work with 
OPAL drives to get to the data on them.

Don't like the DEK that was generated by the manufacturer? Change it (and wipe 
the drive) using ATA Sanitize Crypto Scramble Ext.

> > In terms of encrypting boot that is generally impossible without the use
> > of coreboot
> 
> Encrypting boot is one use case for SEDs when only light security is
> required. Will your average evil maid (or some thief who steals your
> laptop) have access to tools needed to defeat OPAL, assuming it's
> backdoored?

And if your OPAL drive is backdoored by the manufacturer for a government, your 
drive is backdoored whether you're using OPAL or not and depending on what you 
wanted to keep private, you're already screwed.

No security mechanism exists in a vacuum. Layer them as necessary. I want to 
prevent both remote firmware tampering and out-of-sight boot tampering. So I 
utilize the SED hardware security. I also enable software volume encryption, 
when available, as well.

Brendan



Re: [qubes-users] Can't assign LTE USB Modem (Non-endpoint PCI devices cannot be assigned to guests)

2018-08-24 Thread Daniil .Travnikov
On Friday, August 24, 2018 at 8:31:07 AM UTC-4, awokd wrote:
> On Fri, August 24, 2018 12:03 pm, Daniil .Travnikov wrote:
> > On Friday, August 24, 2018 at 6:08:54 AM UTC-4, awokd wrote:
> >
> >> On Fri, August 24, 2018 9:53 am, Daniil .Travnikov wrote:
> >>
> >>> I have an LTE USB Modem which I used in Qubes 3.2 very well, but in
> >>> Qubes
> >>> 4.0 I have some issues.
> >>>
> >>>
> >>>
> >>>
> >>> First of all in Qubes Manager I can attach this usb modem only in HVM
> >>>  mode ('ERROR: devices tab: Can't attach PCI device to VM in pvh
> >>> mode').
> >>>
> >>>
> >>> So I changed in VM on HVM mode and attached just usb slot.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Then I tried to turn on my VM but I got 2 same error messages (first
> >>> one in windows and the second one on the top right corner):
> >>>
> >>> 'ERROR: Start failed: internal error: Non-endpoint PCI devices cannot
> >>> be assigned to guests, see /var/lob/libvirt/libxl/libxl-driver.log'
> >>>
> >>> 'Qube Status: usb
> >>> Domain usb has failed to start: Internal error: Non-endpoint PCI
> >>> devices cannot be assigned to guests'.
> >>>
> >>>
> >>> Tell me please what am I missing in Qubes 4.0?
> >>>
> >>
> >> Do an "lspci" and "lspci -t" in dom0, and try attaching the leaf device
> >>  instead. Sounds like you are trying to attach some type of bridge.
> >
> > Thank you for your answer.
> >
> >
> >
> > Before your message I tried to attach this device:
> > '00:1d.0 PCI bridge: Intel Corporation Device a330 (rev f0)'
> > and you saw which error I got.
> >
> > After your message I thought maybe I am choosing not correct device and
> > now I am choosing this device: '00:14.0 USB controller: Intel Corporation
> > Device a36d (rev 10)'
> 
> Yes, this one should work better.
> 
> > and got another error messages:
> >
> > 'ERROR: Start failed: internal error: Unable to reset PCI device
> > :00:14.0: no FLR, PM reset or bus reset available, see
> > /var/log/libvirt/libxl/libxl-driver.log for details'
> >
> >
> > 'Qube Status: usb
> > Domain usb has failed to start: internal error: Unable to reset PCI device
> > :00:14.0: no FLR, PM reset or bus reset available'.
> 
> Disable the strict reset requirement on that device, either in the GUI or
> CLI.

Thank you very much again. It works for me.


When I choose this device:
'00:14.0 USB controller: Intel Corporation Device a36d (rev 10)'

and start the VM, I see that all USB controllers are going to work from this 
newly started VM.


As you already saw in the PCI list above, I have only 1 USB controller in 
the list (when I run the command 'lspci').
But my laptop has 3× USB 3.1 Type-A ports and they all get started with the VM.

Maybe there is some way to connect only those USB ports which have 
devices plugged in at the time?


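Added example (not part of any poster's message): the "Non-endpoint PCI devices cannot be assigned to guests" error in this thread separates bridges from leaf devices, and one way to check a device before attaching it is to read the Header Type byte (offset 0x0e) of its PCI configuration space in dom0. This assumes the error corresponds to that field; the `0000:` domain prefix and the config bytes in the sample tree are constructed, using the two device addresses quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: classify PCI functions as endpoints or
# bridges from the Header Type byte (offset 0x0e) of their config space.

# Print the header layout of one config-space file.
# Low 7 bits select the layout; bit 7 is only the multi-function flag.
pci_header_layout() {
    hl_raw=$(od -An -tu1 -j14 -N1 "$1" 2>/dev/null | tr -d ' \n')
    [ -n "$hl_raw" ] || return 1
    echo $((hl_raw & 127))
}

# Print "endpoint", "pci-bridge", "cardbus-bridge" or "unknown" for a
# sysfs-style device directory (one that contains a "config" file).
pci_kind() {
    pk_layout=$(pci_header_layout "$1/config") || { echo unknown; return 0; }
    case "$pk_layout" in
        0) echo endpoint ;;        # leaf device: candidate for passthrough
        1) echo pci-bridge ;;      # PCI-to-PCI bridge: attach a device behind it
        2) echo cardbus-bridge ;;
        *) echo unknown ;;
    esac
}

# List every function under a sysfs-style root as "<address> <kind>".
# With no argument it scans the real sysfs path in dom0.
pci_report() {
    pr_root=${1:-/sys/bus/pci/devices}
    for pr_dev in "$pr_root"/*; do
        [ -r "$pr_dev/config" ] || continue
        printf '%s %s\n' "$(basename "$pr_dev")" "$(pci_kind "$pr_dev")"
    done
}

# Build a constructed sample tree so the example runs offline.
# The config contents are made up for illustration; only byte 0x0e matters.
make_sample_tree() {
    st_root=$(mktemp -d)
    mkdir -p "$st_root/0000:00:1d.0" "$st_root/0000:00:14.0"
    # 14 zero bytes, then Header Type 0x01: PCI-to-PCI bridge
    { dd if=/dev/zero bs=1 count=14 2>/dev/null; printf '\001'; } \
        > "$st_root/0000:00:1d.0/config"
    # Header Type 0x80: layout 0 (endpoint) with the multi-function bit set
    { dd if=/dev/zero bs=1 count=14 2>/dev/null; printf '\200'; } \
        > "$st_root/0000:00:14.0/config"
    echo "$st_root"
}

# Demo on the constructed tree.
demo_root=$(make_sample_tree)
pci_report "$demo_root"
rm -rf "$demo_root"
```

Passthrough works at the granularity of a PCI function, so every port wired to an endpoint USB controller moves to the qube together with it.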

Re: [qubes-users] Re: Best Laptop for Qubes 4+ and Heads

2018-08-24 Thread Franz
On Thu, Aug 23, 2018 at 5:08 PM, taii...@gmx.com  wrote:

> On 08/20/2018 01:21 PM, stallmanro...@gmail.com wrote:
> >
> > ME disabled (works!)
>
> It is a nice laptop and I recommend it sometimes BUT:
>
> As someone with your screen-name I would hope you know that it is
> impossible to disable ME.
>
> In your case the BUP module still runs along with any mask roms - more
> than enough to add a backdoor to your machine.
>
> Of course in terms of laptops it is still better than newer intel stuff
> like the skylake puri-craptops where the bup AND the kernel run on their
> "disabled" ME - they changed the definition of disabled just like they
> did with the definition of "open firmware" :[
>
> The best and most free laptop is the lenovo G505S of which there is a
> thriving little coreboot-qubes4 community thanks to me telling many
> people to get it :D
>
> G505S:
> * pre-PSP AMD quad core cpu (the A10 model - the others suck)
> * coreboot with open cpu/ram init (unlike the blobbed puri-craptop hw
> init via the intel fsp binary blob)
> * IOMMU that works with qubes 4.0 (Must apply latest microcode updates
> or qubes wont work)
> Blob status: video+EC but people are apparently working on freeing them
> and the IOMMU protects you from any DMA issues.
>
>
Thanks! Is there somewhere a tutorial to do all that?


> In terms of other laptops the X230t (with better *20 series non chiclet
> keyboard) I recommend if someone wants a tablet and the W520 if someone
> wants a mobile workstation with 32GB RAM - both are of course a much
> better choice than a puri-craptop as they have open source hardware init
> via coreboot and the ME can be nerfed.
>
>
> >
> > 2. Tomu support (30$ ) (works fine!)
> > https://www.crowdsupply.com/sutajio-kosagi/tomu
> >
> > porting gnuk to tomu (opensource analog yubikey, needed to use heads)
> >
> > https://github.com/osresearch/heads-wiki/blob/master/GPG.md
> >
> > Dev: https://github.com/aze00/gnuk/tree/efm32
> > PR: https://github.com/im-tomu/tomu-samples/pull/35
> > Issue: https://github.com/im-tomu/tomu-samples/issues/4
> >
> > Alternative - Nitrokey
> > https://shop.nitrokey.com/shop/product/nitrokey-start-6 (based on gnuk)
> >
> > 3. https://inversepath.com/usbarmory nice compatibility (works without
> any issues)
> >
> > 4. for good work you need a bundle i7 2gen, 16 RAM and good SSD disk ( I
> completely lack 256 gigabytes )
> >
> > main templates :
> > archlinux
> > artful
> > bionic
> > centos-7
> > debian-9
> > dev (buster)
> > fedora-28
> > kali-rolling
> > void-template
> > whonix-ws-14
> > whonix-gw-14
> >
> > works fine and easy build from https://github.com/QubesOS/qubes-builder
> >
> > + 8-10 services (vpn,tor,wireguard etc)
> > + 3-4 disp vm's (internet browsing)
> > + 8+10 domains
> >
> > Total disk usage : 20.4%
> > lvm : 36.2%  77.4GB/213.8GB
> >
> > So, 256GB is enough.
> >
> > 5. You can use it like tablet ;)
> >
> > https://github.com/martin-ueding/thinkpad-scripts
> >
> > rotate/touchscreen works great and works on every VM machine.
>
> Nice! glad that still works
>
> Did you install coreboot?
>
> >
> > 6. TPM ownership/reset (work!)
> >
> > 7. 10 open vms
> >
> > temp 52
> > fan 3496 rpm
> >
> > 8. +3G modem or raspberry pi features
>
> The RPI is not an open source firmware device FYI and I recommend
> instead purchasing a beagleboard or novena.
>



[qubes-users] Asking Template VM 'user' password after running autoremove.

2018-08-24 Thread wlminimal
Hi
I wanted to clean up my Template VM by running sudo dnf autoremove and sudo apt 
autoremove..
But after this, Template vm started asking user's password which I don't know 
and can run sudo..
And After restart qubes os, network manager is not running so I can't connect 
to the internet..
How can I solve this issue?



Re: [qubes-users] Qubes 4.0 SSD Encryption

2018-08-24 Thread 'awokd' via qubes-users
On Fri, August 24, 2018 12:25 pm, Daniil .Travnikov wrote:
> On Thursday, August 23, 2018 at 10:30:17 AM UTC-4, Jonathan Seefelder
> wrote:
>
>> If you keep wear-leveling in mind, and encrypt the ssd before you fill
>> it with sensitive data, id suggest an ssd. Ideally, you should encrypt
>> /boot also.
>>
>>
>>
>> cheers
>>
>>
>> On 08/23/18 16:15, jonbrownmaste...@gmail.com wrote:
>>
>>> I know the most secure way of using Qubes 4.0 is using full disk
>>> encryption but should I use a regular HD or is an SSD better without
>>> losing security?
>>>
>
> Qubes 4.0 encrypts /boot by default or I must do something for that?

It does not, but since there is no data stored there, it's not a concern
for many people. If you have reason to suspect someone may tamper with it
without your knowledge, options include AEM, SED, Coreboot with GRUB
payload, off-device /boot, and possibly others.




Re: [qubes-users] Can't assign LTE USB Modem (Non-endpoint PCI devices cannot be assigned to guests)

2018-08-24 Thread 'awokd' via qubes-users
On Fri, August 24, 2018 12:03 pm, Daniil .Travnikov wrote:
> On Friday, August 24, 2018 at 6:08:54 AM UTC-4, awokd wrote:
>
>> On Fri, August 24, 2018 9:53 am, Daniil .Travnikov wrote:
>>
>>> I have an LTE USB Modem which I used in Qubes 3.2 very well, but in
>>> Qubes
>>> 4.0 I have some issues.
>>>
>>>
>>>
>>>
>>> First of all in Qubes Manager I can attach this usb modem only in HVM
>>>  mode ('ERROR: devices tab: Can't attach PCI device to VM in pvh
>>> mode').
>>>
>>>
>>> So I changed in VM on HVM mode and attached just usb slot.
>>>
>>>
>>>
>>>
>>>
>>> Then I tried to turn on my VM but I got 2 same error messages (first
>>> one in windows and the second one on the top right corner):
>>>
>>> 'ERROR: Start failed: internal error: Non-endpoint PCI devices cannot
>>> be assigned to guests, see /var/lob/libvirt/libxl/libxl-driver.log'
>>>
>>> 'Qube Status: usb
>>> Domain usb has failed to start: Internal error: Non-endpoint PCI
>>> devices cannot be assigned to guests'.
>>>
>>>
>>> Tell me please what am I missing in Qubes 4.0?
>>>
>>
>> Do an "lspci" and "lspci -t" in dom0, and try attaching the leaf device
>>  instead. Sounds like you are trying to attach some type of bridge.
>
> Thank you for your answer.
>
>
>
> Before your message I tried to attach this device:
> '00:1d.0 PCI bridge: Intel Corporation Device a330 (rev f0)'
> and you saw which error I got.
>
> After your message I thought maybe I was not choosing the correct device and
> now I am choosing this device: '00:14.0 USB controller: Intel Corporation
> Device a36d (rev 10)'

Yes, this one should work better.

> and got other error messages:
>
> 'ERROR: Start failed: internal error: Unable to reset PCI device
> :00:14.0: no FLR, PM reset or bus reset available, see
> /var/log/libvirt/libxl/libxl-driver.log for details'
>
>
> 'Qube Status: usb
> Domain usb has failed to start: internal error: Unable to reset PCI device
> :00:14.0: no FLR, PM reset or bus reset available'.

Disable the strict reset requirement on that device, either in the GUI or
CLI.





Re: [qubes-users] Qubes 4.0 SSD Encryption

2018-08-24 Thread Daniil .Travnikov
On Thursday, August 23, 2018 at 10:30:17 AM UTC-4, Jonathan Seefelder wrote:
> If you keep wear-leveling in mind, and encrypt the ssd before you fill
> it with sensitive data, I'd suggest an ssd. Ideally, you should encrypt
> /boot also.
> 
> 
> cheers
> 
> 
> On 08/23/18 16:15, jonbrownmaste...@gmail.com wrote:
> > I know the most secure way of using Qubes 4.0 is using full disk encryption 
> > but should I use a regular HD or is an SSD better without losing security?
> >

Does Qubes 4.0 encrypt /boot by default, or must I do something for that?



Re: [qubes-users] Can't assign LTE USB Modem (Non-endpoint PCI devices cannot be assigned to guests)

2018-08-24 Thread Daniil .Travnikov
On Friday, August 24, 2018 at 6:08:54 AM UTC-4, awokd wrote:
> Do an "lspci" and "lspci -t" in dom0, and try attaching the leaf device
> instead. Sounds like you are trying to attach some type of bridge.


This is what I got when I ran these 2 commands:


[user@dom0 ~]$ lspci
00:00.0 Host bridge: Intel Corporation Device 3ec4 (rev 07)
00:01.0 PCI bridge: Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th Gen Core 
Processor PCIe Controller (x16) (rev 07)
00:02.0 VGA compatible controller: Intel Corporation Device 3e9b
00:08.0 System peripheral: Intel Corporation Xeon E3-1200 v5/v6 / E3-1500 v5 / 
6th/7th Gen Core Processor Gaussian Mixture Model
00:12.0 Signal processing controller: Intel Corporation Device a379 (rev 10)
00:14.0 USB controller: Intel Corporation Device a36d (rev 10)
00:14.2 RAM memory: Intel Corporation Device a36f (rev 10)
00:16.0 Communication controller: Intel Corporation Device a360 (rev 10)
00:17.0 SATA controller: Intel Corporation Device a353 (rev 10)
00:1d.0 PCI bridge: Intel Corporation Device a330 (rev f0)
00:1d.5 PCI bridge: Intel Corporation Device a335 (rev f0)
00:1d.6 PCI bridge: Intel Corporation Device a336 (rev f0)
00:1d.7 PCI bridge: Intel Corporation Device a337 (rev f0)
00:1f.0 ISA bridge: Intel Corporation Device a30d (rev 10)
00:1f.3 Audio device: Intel Corporation Device a348 (rev 10)
00:1f.4 SMBus: Intel Corporation Device a323 (rev 10)
00:1f.5 Serial bus controller [0c80]: Intel Corporation Device a324 (rev 10)
01:00.0 VGA compatible controller: NVIDIA Corporation GP104M [GeForce GTX 1070 
Mobile] (rev a1)
02:00.0 Non-Volatile memory controller: Samsung Electronics Co Ltd Device a808
03:00.0 Network controller: Intel Corporation Wireless 8265 / 8275 (rev 78)
04:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 
PCI Express Gigabit Ethernet Controller (rev 0c)
05:00.0 SD Host controller: Realtek Semiconductor Co., Ltd. RTS5250 PCI Express 
Card Reader (rev 01)



[user@dom0 Desktop]$ lspci -t
-[:00]-+-00.0
   +-01.0-[01]00.0
   +-02.0
   +-08.0
   +-12.0
   +-14.0
   +-14.2
   +-16.0
   +-17.0
   +-1d.0-[02]00.0
   +-1d.5-[03]00.0
   +-1d.6-[04]00.0
   +-1d.7-[05]00.0
   +-1f.0
   +-1f.3
   +-1f.4
   \-1f.5



What do you mean when you say "leaf device"?

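The two libvirt errors quoted in this thread both come down to fields in PCI config space: the header type (endpoint versus bridge, which is what "leaf device" refers to) and the reset capabilities that the strict-reset requirement depends on. The following Python is an added example, not code from Qubes, libvirt or any poster; the field offsets follow the PCI specification, and the sample byte values and the helper names are constructed for illustration.

```python
"""Added example: classify PCI functions for passthrough from raw config space."""
import struct
from pathlib import Path

STATUS, HEADER_TYPE, CAP_PTR = 0x06, 0x0E, 0x34
CAP_PM, CAP_PCIE, CAP_AF = 0x01, 0x10, 0x13


def header_kind(cfg: bytes) -> str:
    """Header layout: bits 6:0 of offset 0x0E (bit 7 is the multi-function flag)."""
    kinds = {0: "endpoint", 1: "pci-to-pci bridge", 2: "cardbus bridge"}
    return kinds.get(cfg[HEADER_TYPE] & 0x7F, "unknown")


def capabilities(cfg: bytes) -> dict:
    """Walk the capability linked list and return {capability id: offset}."""
    caps, seen = {}, set()
    if not cfg[STATUS] & 0x10:            # Status bit 4: capability list present
        return caps
    pos = cfg[CAP_PTR] & 0xFC
    while pos >= 0x40 and pos + 8 <= len(cfg) and pos not in seen:
        seen.add(pos)                     # stop on a malformed, looping list
        caps.setdefault(cfg[pos], pos)
        pos = cfg[pos + 1] & 0xFC
    return caps


def reset_methods(cfg: bytes):
    """Per-function resets the device advertises, or None when the capability
    list is out of reach (sysfs gives non-root readers only 64 bytes)."""
    if cfg[STATUS] & 0x10 and len(cfg) <= 0x40:
        return None
    caps, found = capabilities(cfg), []
    if CAP_PCIE in caps:                  # Device Capabilities, bit 28 = FLR
        (devcap,) = struct.unpack_from("<I", cfg, caps[CAP_PCIE] + 4)
        if devcap & (1 << 28):
            found.append("pcie-flr")
    if CAP_AF in caps and (cfg[caps[CAP_AF] + 3] & 0x03) == 0x03:
        found.append("af-flr")            # Advanced Features: TP and FLR bits
    if CAP_PM in caps:                    # PMCSR bit 3 = No_Soft_Reset
        (pmcsr,) = struct.unpack_from("<H", cfg, caps[CAP_PM] + 4)
        if not pmcsr & 0x08:
            found.append("pm-reset")
    return found


def describe(bdf: str, cfg: bytes) -> str:
    """One verdict line per function, mirroring the two errors in the thread."""
    kind, resets = header_kind(cfg), reset_methods(cfg)
    if kind != "endpoint":
        return f"{bdf}: {kind}, not assignable; attach the device behind it"
    if resets is None:
        return f"{bdf}: endpoint, resets unknown (re-run as root)"
    if resets:
        return f"{bdf}: endpoint, resets: {', '.join(resets)}"
    # A bus reset needs a bridge above the device, so bus 00 cannot offer one.
    on_root = bdf.split(":")[-2] == "00"
    bus = "no bus reset on root bus" if on_root else "bus reset may apply"
    return f"{bdf}: endpoint, no FLR or PM reset, {bus}"


def make_config(header: int, caps=()) -> bytes:
    """Build a constructed 256-byte config space for the samples below."""
    cfg = bytearray(256)
    cfg[HEADER_TYPE] = header
    if caps:
        cfg[STATUS], cfg[CAP_PTR] = 0x10, 0x40
    for i, (cap_id, field_off, field) in enumerate(caps):
        pos = 0x40 + 0x10 * i
        cfg[pos] = cap_id
        cfg[pos + 1] = pos + 0x10 if i + 1 < len(caps) else 0
        cfg[pos + field_off:pos + field_off + len(field)] = field
    return bytes(cfg)


# Constructed samples shaped like devices in the lspci listing above; the byte
# values are illustrative, not read from the poster's hardware.
SAMPLES = {
    "0000:00:14.0": make_config(0x80, [(CAP_PM, 4, struct.pack("<H", 0x0008))]),
    "0000:00:1d.0": make_config(0x81, [(CAP_PCIE, 4, struct.pack("<I", 0))]),
    "0000:03:00.0": make_config(0x00, [(CAP_PCIE, 4, struct.pack("<I", 1 << 28)),
                                       (CAP_PM, 4, struct.pack("<H", 0))]),
}

if __name__ == "__main__":
    sysfs = Path("/sys/bus/pci/devices")
    live = {d.name: (d / "config").read_bytes() for d in sorted(sysfs.glob("*"))}
    for bdf, cfg in (live or SAMPLES).items():
        print(describe(bdf, cfg))
```

In dom0, run it as root so sysfs returns the full config space rather than the first 64 bytes. A device that advertises no reset can only be attached with strict reset disabled, which means it may carry state from one qube to the next.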


Re: [qubes-users] Can't assign LTE USB Modem (Non-endpoint PCI devices cannot be assigned to guests)

2018-08-24 Thread Daniil .Travnikov
On Friday, August 24, 2018 at 6:08:54 AM UTC-4, awokd wrote:
> On Fri, August 24, 2018 9:53 am, Daniil .Travnikov wrote:
> > I have an LTE USB Modem which I used in Qubes 3.2 very well, but in Qubes
> > 4.0 I have some issues.
> >
> >
> >
> > First of all in Qubes Manager I can attach this usb modem only in HVM
> > mode ('ERROR: devices tab: Can't attach PCI device to VM in pvh mode').
> >
> >
> > So I changed in VM on HVM mode and attached just usb slot.
> >
> >
> >
> >
> > Then I tried to turn on my VM but I got 2 same error messages (first one
> > in windows and the second one on the top right corner):
> >
> > 'ERROR: Start failed: internal error: Non-endpoint PCI devices cannot be
> > assigned to guests, see /var/lob/libvirt/libxl/libxl-driver.log'
> >
> > 'Qube Status: usb
> > Domain usb has failed to start: Internal error: Non-endpoint PCI devices
> > cannot be assigned to guests'.
> >
> >
> > Tell me please what am I missing in Qubes 4.0?
> 
> Do an "lspci" and "lspci -t" in dom0, and try attaching the leaf device
> instead. Sounds like you are trying to attach some type of bridge.

Thank you for your answer.


Before your message I tried to attach this device:
'00:1d.0 PCI bridge: Intel Corporation Device a330 (rev f0)'
and you saw which error I got.

After your message I thought maybe I was not choosing the correct device and now I 
am choosing this device:
'00:14.0 USB controller: Intel Corporation Device a36d (rev 10)'

and got other error messages:

'ERROR: Start failed: internal error: Unable to reset PCI device :00:14.0: 
no FLR, PM reset or bus reset available, see 
/var/log/libvirt/libxl/libxl-driver.log for details'

'Qube Status: usb
Domain usb has failed to start: internal error: Unable to reset PCI device 
:00:14.0: no FLR, PM reset or bus reset available'.



[qubes-users] hcl report

2018-08-24 Thread johannes Lutmayr
Hey,

wanted to contribute as I find this project Awesome:

Troubles:

- The AMD Vega 56 (the report states 64 but it seems to have gotten that
wrong) is not yet supported out of the box, so it was only letting me go in
the text based installer first (which doesn't work, always ran into #2113,
as you can't hand over the LUKS password to the installer). Driver support
will only come when kernel 4.15 will be used.
Problem was overcome by installing a second GPU (which I will need anyways
for PCIe pass through)
- Seems like the software based fTPM 2.0 that is integrated in the Ryzen
2600 isn't yet supported (I switched it on in BIOS, Windows worked with it),
but I haven't looked deeper into it. Is there a final word out there
already, if fTPM is less secure than dTPM?

Thank you guys, and continue your great work.

Johannes Lutmayr



Qubes-HCL-ASRock-AB350M_Pro4-20180824-134630.yml
Description: application/yaml


Re: [qubes-users] Can't assign LTE USB Modem (Non-endpoint PCI devices cannot be assigned to guests)

2018-08-24 Thread levonsar8
On Friday, August 24, 2018 at 6:08:54 AM UTC-4, awokd wrote:
> On Fri, August 24, 2018 9:53 am, Daniil .Travnikov wrote:
> > I have an LTE USB Modem which I used in Qubes 3.2 very well, but in Qubes
> > 4.0 I have some issues.
> >
> >
> >
> > First of all in Qubes Manager I can attach this usb modem only in HVM
> > mode ('ERROR: devices tab: Can't attach PCI device to VM in pvh mode').
> >
> >
> > So I changed in VM on HVM mode and attached just usb slot.
> >
> >
> >
> >
> > Then I tried to turn on my VM but I got 2 same error messages (first one
> > in windows and the second one on the top right corner):
> >
> > 'ERROR: Start failed: internal error: Non-endpoint PCI devices cannot be
> > assigned to guests, see /var/lob/libvirt/libxl/libxl-driver.log'
> >
> > 'Qube Status: usb
> > Domain usb has failed to start: Internal error: Non-endpoint PCI devices
> > cannot be assigned to guests'.
> >
> >
> > Tell me please what am I missing in Qubes 4.0?
> 
> Do an "lspci" and "lspci -t" in dom0, and try attaching the leaf device
> instead. Sounds like you are trying to attach some type of bridge.

Thank you for your answer.


Before your message I tried to attach this device:
'00:1d.0 PCI bridge: Intel Corporation Device a330 (rev f0)'
and you saw which error I got.



After your message I thought maybe I was not choosing the correct device and now I 
am choosing this device:
'00:14.0 USB controller: Intel Corporation Device a36d (rev 10)'

and got other error messages:

'ERROR: Start failed: internal error: Unable to reset PCI device :00:14.0: 
no FLR, PM reset or bus reset available, see 
/var/log/libvirt/libxl/libxl-driver.log for details'

'Qube Status: usb
Domain usb has failed to start: internal error: Unable to reset PCI device 
:00:14.0: no FLR, PM reset or bus reset available'.



[qubes-users] Re: How to ccache kernel compilations

2018-08-24 Thread Marcus Linsner
On Friday, August 24, 2018 at 12:13:01 PM UTC+2, Marcus Linsner wrote:
> On Friday, August 24, 2018 at 11:24:27 AM UTC+2, Marcus Linsner wrote:
> > This is how a full(well, slightly modified) kernel compilation looks like 
> > now, with ccache working:
> > ie. `time make rpms`
> > real    7m47.483s
> > user    9m2.507s
> > sys     6m47.245s
> > 
> > cache directory                     /home/user/.ccache
> > primary config                      /home/user/.ccache/ccache.conf
> > secondary config      (readonly)    /etc/ccache.conf
> > stats zero time                     Fri Aug 24 11:09:03 2018
> > cache hit (direct)                 14047
> > cache hit (preprocessed)               1
> > cache miss                             8
> > cache hit rate                     99.94 %
> > called for link                       47
> > called for preprocessing           21125
> > unsupported code directive             4
> > no input file                       1092
> > cleanups performed                     0
> > files in cache                     42606
> > cache size                         865.4 MB
> > max cache size                      20.0 GB
> > 
> > The build phase actually takes only 2min (for 14k files):
> > real    2m1.674s
> > user    5m28.075s
> > sys     4m50.768s
> > 
> > cache directory                     /home/user/.ccache
> > primary config                      /home/user/.ccache/ccache.conf
> > secondary config      (readonly)    /etc/ccache.conf
> > stats zero time                     Fri Aug 24 11:17:37 2018
> > cache hit (direct)                 14011
> > cache hit (preprocessed)               0
> > cache miss                             5
> > cache hit rate                     99.96 %
> > called for link                       28
> > called for preprocessing           21069
> > unsupported code directive             4
> > no input file                        342
> > cleanups performed                     0
> > files in cache                     42616
> > cache size                         865.6 MB
> > max cache size                      20.0 GB

For posterity, the modifications (applied on top of 'qubes-linux-kernel' repo's 
tag 'v4.14.57-2') that I used to achieve the above, are here:
https://github.com/constantoverride/qubes-linux-kernel/commit/ac9a975512bdc67dc12c948355b14dfdcc229b1a
(also attached just in case github goes away, somehow)

commit ac9a975512bdc67dc12c948355b14dfdcc229b1a
Author: constantoverride 
Date:   Fri Aug 24 12:49:27 2018 +0200

made ccache work; personalized .config a lil

also applied missing patches to avoid compilation errors when gcc plugins are enabled

diff --git a/.gitignore b/.gitignore
index deea910..99f843f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ linux-*.tar.bz2
 linux-*.tar.xz
 linux-*.sign
 kernel-*/
+u2mfn/
diff --git a/Makefile b/Makefile
index 25f00e0..6853ea9 100644
--- a/Makefile
+++ b/Makefile
@@ -93,9 +93,17 @@ rpms-dom0: get-sources $(SPECFILE)
 rpms-nobuild:
 	$(RPM_WITH_DIRS) --nobuild -bb $(SPECFILE)
 
-rpms-just-build: 
+rpms-just-cleanbuild:
+	make clean -C kernel-4.14.57/linux-obj
+
+rpms-just-build-clean: rpms-just-cleanbuild
+
+rpms-just-build:
 	$(RPM_WITH_DIRS) --short-circuit -bc $(SPECFILE)
 
+rpms-just-install:
+	$(RPM_WITH_DIRS) --short-circuit -bi $(SPECFILE)
+
 rpms-install: 
 	$(RPM_WITH_DIRS) -bi $(SPECFILE)
 
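Review bot: the new `rpms-just-cleanbuild` recipe hard-codes `kernel-4.14.57/linux-obj`, so the target silently points at the wrong (or a missing) directory as soon as the kernel version is bumped; build the path from a version variable instead of a literal. The recipe should also invoke `$(MAKE)` rather than `make` so that flags and the jobserver are passed down, and the added `rpms-just-*` targets are not declared `.PHONY`, so a file with one of those names would stop them from running.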
@@ -110,8 +118,8 @@ verrel:
 
 # mop up, printing out exactly what was mopped.
 
-.PHONY : clean
-clean ::
+.PHONY : rpmclean
+rpmclean ::
 	@echo "Running the %clean script of the rpmbuild..."
 	$(RPM_WITH_DIRS) --clean --nodeps $(SPECFILE)
 
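Review bot: renaming `clean` to `rpmclean` means `make clean` in this directory no longer runs the rpmbuild `%clean` step, and fails outright unless another `clean ::` rule exists elsewhere; anything that calls the conventional target changes behaviour without notice. Either keep `clean` as an alias that depends on `rpmclean`, or state in the commit message why the name had to be freed and what callers should use now. The "mop up" comment above the rule should mention the new target name as well.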
diff --git a/config-qubes-me b/config-qubes-me
new file mode 100644
index 000..6e46fae
--- /dev/null
+++ b/config-qubes-me
@@ -0,0 +1,43 @@
+## comments need doube # like ## !!!
+## single # are not comments!
+
+## remove AMD stuff:
+CONFIG_PROCESSOR_SELECT=y
+CONFIG_CPU_SUP_INTEL=y
+# CONFIG_CPU_SUP_AMD is not set
+# CONFIG_CPU_SUP_CENTAUR is not set
+## CONFIG_GART_IOMMU is not set
+## CONFIG_X86_MCE_AMD is not set
+## CONFIG_PERF_EVENTS_AMD_POWER is not set
+# CONFIG_MICROCODE_AMD is not set
+## CONFIG_AMD_MEM_ENCRYPT is not set
+## CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT is not set
+## CONFIG_ARCH_USE_MEMREMAP_PROT is not set
+# CONFIG_AMD_NUMA is not set
+## CONFIG_X86_AMD_FREQ_SENSITIVITY is not set
+## CONFIG_AMD_NB is not set
+## CONFIG_SENSORS_FAM15H_POWER is not set
+## CONFIG_AGP_AMD64 is not set
+## CONFIG_EDAC_DECODE_MCE is not set
+## 
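Review bot: the header of `config-qubes-me` says only `##` lines are comments, yet the AMD block mixes active lines such as `# CONFIG_CPU_SUP_AMD is not set` and `# CONFIG_MICROCODE_AMD is not set` with inert `## ...` lines and gives no reason why some options are really switched off and others only noted; group them and say which set takes effect. The file should also state up front that the resulting kernel is Intel-only and will not load AMD microcode, so that nobody reuses it on other hardware, and the typo "doube" in the first line should be fixed.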

[qubes-users] Re: How to ccache kernel compilations

2018-08-24 Thread Marcus Linsner
On Friday, August 24, 2018 at 11:24:27 AM UTC+2, Marcus Linsner wrote:
> This is how a full(well, slightly modified) kernel compilation looks like 
> now, with ccache working:
> ie. `time make rpms`
> real    7m47.483s
> user    9m2.507s
> sys     6m47.245s
> 
> cache directory                     /home/user/.ccache
> primary config                      /home/user/.ccache/ccache.conf
> secondary config      (readonly)    /etc/ccache.conf
> stats zero time                     Fri Aug 24 11:09:03 2018
> cache hit (direct)                 14047
> cache hit (preprocessed)               1
> cache miss                             8
> cache hit rate                     99.94 %
> called for link                       47
> called for preprocessing           21125
> unsupported code directive             4
> no input file                       1092
> cleanups performed                     0
> files in cache                     42606
> cache size                         865.4 MB
> max cache size                      20.0 GB
> 
> The build phase actually takes only 2min (for 14k files):
> real    2m1.674s
> user    5m28.075s
> sys     4m50.768s
> 
> cache directory                     /home/user/.ccache
> primary config                      /home/user/.ccache/ccache.conf
> secondary config      (readonly)    /etc/ccache.conf
> stats zero time                     Fri Aug 24 11:17:37 2018
> cache hit (direct)                 14011
> cache hit (preprocessed)               0
> cache miss                             5
> cache hit rate                     99.96 %
> called for link                       28
> called for preprocessing           21069
> unsupported code directive             4
> no input file                        342
> cleanups performed                     0
> files in cache                     42616
> cache size                         865.6 MB
> max cache size                      20.0 GB

And for comparison, a full %build phase when CONFIG_GCC_PLUGINS is 
untouched(aka set):
real    17m19.746s
user    125m44.920s
sys     17m9.877s

cache directory                     /home/user/.ccache
primary config                      /home/user/.ccache/ccache.conf
secondary config      (readonly)    /etc/ccache.conf
stats zero time                     Fri Aug 24 11:27:18 2018
cache hit (direct)                    28
cache hit (preprocessed)             133
cache miss                         13857
cache hit rate                      1.15 %
called for link                       30
called for preprocessing           21075
unsupported code directive             4
no input file                        348
cleanups performed                     0
files in cache                     84685
cache size                           1.7 GB
max cache size                      20.0 GB

So you see, 15 more minutes than with ccache. Ok, maybe let's say that that was 
the first compilation with CONFIG_GCC_PLUGINS set (ie. cold cache?), so redoing 
it(make prep; ccache -z; time make rpms-just-build) means it should make use of 
the now primed ccache (ie. hot cache?):
real    18m34.318s
user    122m23.001s
sys     17m7.478s

cache directory                     /home/user/.ccache
primary config                      /home/user/.ccache/ccache.conf
secondary config      (readonly)    /etc/ccache.conf
stats zero time                     Fri Aug 24 11:46:30 2018
cache hit (direct)                   160
cache hit (preprocessed)               2
cache miss                         13856
cache hit rate                      1.16 %
called for link                       30
called for preprocessing           21075
unsupported code directive             4
no input file                        348
cleanups performed                     0
files in cache                    126746
cache size                           2.6 GB
max cache size                      20.0 GB

It probably took one minute longer than before because I was using the other 
VMs for browsing (also started a few)
But you get the point, 1.2% ccache hit rate. Appalling! :D

On Friday, August 24, 2018 at 11:51:45 AM UTC+2, awokd wrote:
> Any idea what those GCC plugins are for? Seems like it's usually a hassle
> to track them down on distro version updates too.

According to 'config-qubes' file [1] they help "Enable some more hardening 
options"

According to 
'/home/user/qubes-linux-kernel/kernel-4.14.57/linux-4.14.57/arch/Kconfig' [2]:

menuconfig GCC_PLUGINS
        bool "GCC plugins"
        depends on HAVE_GCC_PLUGINS
        depends on !COMPILE_TEST
        help
          GCC plugins are loadable modules that provide extra features to the
          compiler. They are useful for runtime instrumentation and static
          analysis.

          See Documentation/gcc-plugins.txt for details.

(see url [3] at the end, for this gcc-plugins.txt)

config GCC_PLUGIN_LATENT_ENTROPY
        bool "Generate some entropy during boot and runtime"
        depends on GCC_PLUGINS
        help
          By saying Y here the 

Re: [qubes-users] Can't assign LTE USB Modem (Non-endpoint PCI devices cannot be assigned to guests)

2018-08-24 Thread 'awokd' via qubes-users
On Fri, August 24, 2018 9:53 am, Daniil .Travnikov wrote:
> I have an LTE USB Modem which I used in Qubes 3.2 very well, but in Qubes
> 4.0 I have some issues.
>
>
>
> First of all in Qubes Manager I can attach this usb modem only in HVM
> mode ('ERROR: devices tab: Can't attach PCI device to VM in pvh mode').
>
>
> So I changed in VM on HVM mode and attached just usb slot.
>
>
>
>
> Then I tried to turn on my VM but I got 2 same error messages (first one
> in windows and the second one on the top right corner):
>
> 'ERROR: Start failed: internal error: Non-endpoint PCI devices cannot be
> assigned to guests, see /var/lob/libvirt/libxl/libxl-driver.log'
>
> 'Qube Status: usb
> Domain usb has failed to start: Internal error: Non-endpoint PCI devices
> cannot be assigned to guests'.
>
>
> Tell me please what am I missing in Qubes 4.0?

Do an "lspci" and "lspci -t" in dom0, and try attaching the leaf device
instead. Sounds like you are trying to attach some type of bridge.




Re: [qubes-users] Hardware Issue: Unable to get fans to turn on which is causing my laptop to overheat, fan_mode set to 0

2018-08-24 Thread 'awokd' via qubes-users
On Sat, August 18, 2018 2:28 pm, Devin Stagner wrote:
> Hello Community,
>
>
> I have been trying to solve the issue of my fans not turning on and my
> laptop sustaining quite hot temperatures.
>
> My computer is a Lenovo Yoga 920
>
>
> I have tried:
> Installed and configured thinkfan following these instructions
>  pad+running+Qubes+OS> Sensors do not show any fans that I can find
>
>
> I searched the computer for fans using
> find /sys/devices -type f -name "*fan*" which gives me
> /sys/devices/pci:00/?00:lf.0/PNP0C09:00/VPC2004:00/fan_mode
>
>
> I found that fan_mode is either 0 for manual or 1 for automatic fan
> control. I thought that since I have been unsuccessful with setting
> manual fan control that I could perhaps change it to automatic, but when
> I edit the file to 1, it doesn't do anything and rebooting resets it back
> to 0.
>
> Perhaps someone can inform me if I am going about this the right way or
> suggest another way to get the fans working on my laptop?

Firmware update? Check the UEFI config too; might be a way to set fan
mode/speed. Usually expect fans to be controlled by the embedded
controller if the OS doesn't pick them up. Could maybe also temporarily
try booting it with a recent Debian and see if that handles the fans any
better, might give an idea where to look in Qubes/Xen.




[qubes-users] Can't assign LTE USB Modem (Non-endpoint PCI devices cannot be assigned to guests)

2018-08-24 Thread Daniil .Travnikov
I have an LTE USB Modem which I used in Qubes 3.2 very well, but in Qubes 4.0 I 
have some issues.


First of all in Qubes Manager I can attach this usb modem only in HVM mode 
('ERROR: devices tab: Can't attach PCI device to VM in pvh mode').


So I changed in VM on HVM mode and attached just usb slot.



Then I tried to turn on my VM but I got 2 same error messages (first one in 
windows and the second one on the top right corner):

'ERROR: Start failed: internal error: Non-endpoint PCI devices cannot be 
assigned to guests, see /var/lob/libvirt/libxl/libxl-driver.log'

'Qube Status: usb
Domain usb has failed to start: Internal error: Non-endpoint PCI devices cannot 
be assigned to guests'.


Tell me please what am I missing in Qubes 4.0?



P.S. In Qubes 3.2 (when I had some xenlight error) I just used this command:
'qvm-prefs -s vmname pci_strictreset false'. But here I suppose it's another 
problem.



Re: [qubes-users] Re: How to ccache kernel compilations

2018-08-24 Thread 'awokd' via qubes-users
On Fri, August 24, 2018 9:24 am, Marcus Linsner wrote:
> This is how a full(well, slightly modified) kernel compilation looks like
> now, with ccache working: ie. `time make rpms` real   7m47.483s user  9m2.507s
> sys   6m47.245s

Any idea what those GCC plugins are for? Seems like it's usually a hassle
to track them down on distro version updates too.




Re: [qubes-users] qubes r3.2 automation with ansible + gpg->gpg2 questions

2018-08-24 Thread 'awokd' via qubes-users
On Fri, August 24, 2018 6:34 am, Oleg Artemiev wrote:
> Hello, list.
>
>
> Sorry if this has been already discussed - didn't read the mailing list
> long time. I've found myself in need to change templates once again as
> templates for too old fedora are not even updating at my side and it
> appears I've time to learn Qubes devops.
>
> Since Qubes OS site seem to have no direct link to search dox I used to
> yandex 'qubes os automation' and found this link:
>
> https://github.com/Rudd-O/ansible-qubes
>
>
> As I understood this project  is not from Qubes team and seem to be
> absent in official documentation. Has this any security reason? It could be
> helpful for those  who already know some ansible (as I do).

Correct, it's not official but Rudd-O has been around for a while and
active in the mailing lists. If you search them too for ansible-qubes, you
should find some related posts.

> Though some of possible  management use cases seem to break Qubes way of
> doing things securely (especially Qubes VM -> Qubes dom0): ---quote---
>
>
> - Qubes VM -> Qubes VM
> - Qubes VM -> Qubes dom0 (see below for enablement instructions)
> - Qubes dom0 -> Qubes VM
> - Qubes VM -> network (SSH) -> Qubes VM on another Qubes host (see below)
> - normal desktop Linux -> network (SSH) -> Qubes VM on another Qubes host
>
>
> ---quote---
>
>
> Also this project claimed to be specific for Qubes  3 (that's not a
> problem for me since I prefer to use old but quite stable releases),
> though an issue related to Qubes 4.0-rc2 .

Qubes 4 uses different means of automation (Salt). I haven't played with
it much. I think 3.2 will go to EOL mode in a few months, so you might not
want to invest a lot of time figuring out ansible automation for it and
instead focus on 4.0?

Don't know about gpg2 vs 1.4.



Re: [qubes-users] Qubes 4.0 SSD Encryption

2018-08-24 Thread 'awokd' via qubes-users
On Thu, August 23, 2018 8:03 pm, taii...@gmx.com wrote:
> On 08/23/2018 01:35 PM, brendan.h...@gmail.com wrote:

>> Use an SSD that supports T13 ATA SANITIZE and TCG OPAL, and also
>> remember to enable trim in dom0 (
>> https://www.qubes-os.org/doc/disk-trim/ ). Enable HW encryption (but
>> also enable QUBES' software encryption).
>>
>> Bonus: using SSDs with the above features, when you are done with the
>> system you can instantly (< 2s) erase all user data on the SSD by
>> issuing either an ATA SANITIZE - CRYPTO SCRAMBLE EXT command or an OPAL
>> PSID REVERT command (the latter requires the code printed on the drive
>> label).
>>
>
> Anything TCG is bad news - it was spawned by microsofts project
> palladium "trusted computing" concept and it is not owner controlled.
>
> Do you trust proprietary closed source firmware to protect you? I don't
> - those kinds of things have many holes.
>
>
> There is no reason to use an SED drive.

I think that's a bit over-broad. It depends on threat model, which varies
from person to person.

> In terms of encrypting boot that is generally impossible without the use
> of coreboot

Encrypting boot is one use case for SEDs when only light security is
required. Will your average evil maid (or some thief who steals your
laptop) have access to tools needed to defeat OPAL, assuming it's
backdoored?




[qubes-users] Re: How to ccache kernel compilations

2018-08-24 Thread Marcus Linsner
This is what a full (well, slightly modified) kernel compilation looks like 
now, with ccache working:
i.e. `time make rpms`
real    7m47.483s
user    9m2.507s
sys     6m47.245s

cache directory                     /home/user/.ccache
primary config                      /home/user/.ccache/ccache.conf
secondary config      (readonly)    /etc/ccache.conf
stats zero time                     Fri Aug 24 11:09:03 2018
cache hit (direct)                 14047
cache hit (preprocessed)               1
cache miss                             8
cache hit rate                     99.94 %
called for link                       47
called for preprocessing           21125
unsupported code directive             4
no input file                       1092
cleanups performed                     0
files in cache                     42606
cache size                         865.4 MB
max cache size                      20.0 GB

The build phase actually takes only 2min (for 14k files):
real    2m1.674s
user    5m28.075s
sys     4m50.768s


cache directory                     /home/user/.ccache
primary config                      /home/user/.ccache/ccache.conf
secondary config      (readonly)    /etc/ccache.conf
stats zero time                     Fri Aug 24 11:17:37 2018
cache hit (direct)                 14011
cache hit (preprocessed)               0
cache miss                             5
cache hit rate                     99.96 %
called for link                       28
called for preprocessing           21069
unsupported code directive             4
no input file                        342
cleanups performed                     0
files in cache                     42616
cache size                         865.6 MB
max cache size                      20.0 GB

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d462f7f0-bf71-4a5f-b91a-69f68d803be4%40googlegroups.com.


Re: [qubes-users] Re: Unable to start standalone vm based on debian-9

2018-08-24 Thread 'awokd' via qubes-users
On Wed, August 22, 2018 3:03 pm, Fernando wrote:
> On Wednesday, August 22, 2018 at 10:39:19 AM UTC-3, Fernando wrote:
>
>> Hi,
>>
>>
>> This morning I updated my standalone debian-9. From what I remember, it
>> updated the linux image and a few other packages, and it didn't remove
>> any of qubes dependencies.
>>
>> After a system reboot, I'm unable to start the domain. I think I
>> didn't shut down the standalone vm manually before the reboot.
>>
>> $ qvm-start mind
>> Cannot connect to qrexec agent for 60 seconds, see
>> /var/log/xen/console/guest-mind.log for details
>>
>>
>> $ tail /var/log/xen/console/guest-mind.log
>> [  OK  ] Reached target Network is Online.
>> You are in emergency mode. After logging in, type "journalctl -xb" to
>> view system logs, "systemctl reboot" to reboot, "systemctl default" or
>> ^D to try again to boot into default mode.
>> Press Enter for maintenance.
>>
>>
>> I've read in the forums about using xen console to login and try to fix
>> it, but I cannot access the vm:
>>
>> $ sudo xl console mind
>> mind is an invalid domain identifier
>>
>> The domain is not listed in the output of "sudo xl list".
>>
>>
>> Any ideas on how can I fix my standalone vm? Any help is greatly
>> appreciated.
>>
>> Thanks,
>>
>>
>> Fernando.
>>
>
> I forgot to mention that I'm using Qubes 4.0 and non-standalone VMs are
> working as usual.
>
> I'm trying to resume work using the standalone backup, but unfortunately
> restoring it is also failing :(

Try to enable debug mode on the HVM. This should show a console which
might give you an idea where it's failing, and generate an additional log
file in /var/log/xen/console. Review both HVM related logs for errors.
Also, double check the kernel setting: if it's showing a version, try
changing it to (none) or an older version.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2ace92998547db43ae5f69d0aca9548d.squirrel%40tt3j2x4k5ycaa5zt.onion.


Re: [qubes-users] Qubes Server HVM network problem

2018-08-24 Thread 'awokd' via qubes-users
On Thu, August 23, 2018 5:43 pm, Who Cares wrote:
> Hello there,
>
>
> I am trying to build a Qubes Server and I want 2 Windows HVMs.
> Here's the setup:
>
>
> __
>                  --> sys-net(internal(Lan2)) --> Some other Windows-Clients
>               --/
> Windows Server-|
>               --\
>                  --> sys-firewall --> sys-net(Internet(Lan1))
> Windows Client --/
> __
>
>
> My problems here are :
>
>
> 1: Network between both Windows HVMs (I don't know how to accomplish)

See https://www.qubes-os.org/doc/firewall/.

> 2: Can I attach 2 Networking VMs to the Win-serv VM?

Not natively with Qubes. However, it might be possible to bridge your
Win-serv VM straight to your LAN, then your other Windows Client VM could
access it like normal. See
https://www.qubes-os.org/doc/network-bridge-support/; unknown if anyone
has accomplished this under 4.0. So you'd have two separate sys-nets:

Windows Server VM --- sys-net2 (bridge on Lan2 interface)

Windows Client VM --- sys-firewall --- sys-net1 (on Lan1 interface to same
network)

> __
>
>
> I was already thinking about not using Qubes but the Xen distribution.
> Is Qubes the right Solution for this?
> __
>

Qubes is aimed more at security than providing networking conveniences, so
whether it's right for you depends on where you rank both. :)


-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/06d4d123371c576e9a89df46f1784cbb.squirrel%40tt3j2x4k5ycaa5zt.onion.


Re: [qubes-users] Unable to reset PCI device 0000:00:1f.6 (Qubes-R4.0 / fresh install) : no network

2018-08-24 Thread 'awokd' via qubes-users
On Wed, August 22, 2018 8:01 am, gdru...@gmail.com wrote:
> Hi,
>
>
> " [DOM0] Error starting Qube !
> ERROR : Start failed : internal error: Unable to reset PCI device
> :00:1f.6 no FLR, PM reset or bus reset available, see
> /var/log/libirt/libxl/libxl-driver.log for details"
>
>
> Device :00:1f.6 is an assigned Ethernet controller : Intel
> Corporation Ethernet Connection (7) I219-V (rev 10). My ethernet cable is
> attached to the Intel GbE LAN port.

Try disabling the strict reset requirement for that device. Use the
no-strict-reset=true option with CLI
(https://www.qubes-os.org/doc/assigning-devices/#r40-1). You may also be
able to use the GUI: check the Devices tab for sys-net and see if there's a
button at the bottom, but I can't remember if that was in the initial
release of 4.0 or added with a later patch.


-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/dc5aaa2cd9a0a9ee21c2be53fb40a12d.squirrel%40tt3j2x4k5ycaa5zt.onion.
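
An added example, not part of the thread and not Qubes project code, for the
no-strict-reset advice in the reply above: it checks `lspci -vv` text for the
reset methods the error message names and prints the dom0 commands for review.
It assumes Qubes 4.0 `qvm-pci` syntax; the function names are hypothetical and
the lspci lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Sample lspci text below is constructed.

# lspci address (0000:00:1f.6 or 00:1f.6) -> qvm-pci ident (dom0:00_1f.6)
pci_ident() {
    addr=${1#0000:}                      # drop the PCI domain if present
    case "$addr" in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F].[0-7]) ;;
        *) echo "bad PCI address: $1" >&2; return 1 ;;
    esac
    printf 'dom0:%s_%s\n' "${addr%%:*}" "${addr#*:}"
}

# Read `lspci -vv -s ADDR` output on stdin and list the function-level reset
# methods it advertises: "flr" (PCIe FLReset+ or AF FLR+) and/or "pm"
# (NoSoftRst-), or "none". Bus reset depends on topology and is not checked.
reset_methods() {
    text=$(cat)
    found=""
    if printf '%s\n' "$text" | grep -Eq 'FLReset\+|FLR\+'; then found="flr"; fi
    if printf '%s\n' "$text" | grep -q 'NoSoftRst-'; then
        found="${found:+$found }pm"
    fi
    echo "${found:-none}"
}

# Print (do not run) the dom0 commands, and only when no method is advertised.
plan() {   # usage: plan QUBE ADDR < lspci-output
    ident=$(pci_ident "$2") || return 1
    methods=$(reset_methods)
    if [ "$methods" != none ]; then
        echo "advertised reset method(s): $methods; keep strict reset"
        return 0
    fi
    echo "qvm-pci detach $1 $ident"
    echo "qvm-pci attach --persistent --option no-strict-reset=true $1 $ident"
}

# Constructed capability lines: no FLR capability, PM soft reset unavailable.
SAMPLE='Capabilities: [c8] Power Management version 3
	Status: D0 NoSoftRst+ PME-Enable- DSel=0 DScale=1 PME-'

printf '%s\n' "$SAMPLE" | plan sys-net 0000:00:1f.6
```

With no-strict-reset the device is not guaranteed to be reset between uses, so
state from a previous use can carry over into the next qube it is attached to.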


[qubes-users] qubes r3.2 automation with ansible + gpg->gpg2 questions

2018-08-24 Thread Oleg Artemiev
Hello, list.

Sorry if this has already been discussed - I haven't read the mailing list
for a long time. I've found myself needing to change templates once again, as
templates for too-old Fedora are not even updating on my side, and it
appears I have time to learn Qubes devops.

Since the Qubes OS site seems to have no direct link to search the docs, I
used Yandex to search for 'qubes os automation' and found this link:

https://github.com/Rudd-O/ansible-qubes

As I understand it, this project is not from the Qubes team and seems to be
absent from the official documentation. Is there any security reason for this?
It could be helpful for those who already know some Ansible (as I do).

Though some of the possible management use cases seem to break the Qubes way
of doing things securely (especially Qubes VM -> Qubes dom0):
---quote---

   - Qubes VM -> Qubes VM
   - Qubes VM -> Qubes dom0 (see below for enablement instructions)
   - Qubes dom0 -> Qubes VM
   - Qubes VM -> network (SSH) -> Qubes VM on another Qubes host (see below)
   - normal desktop Linux -> network (SSH) -> Qubes VM on another Qubes host

---quote---

Also, this project claims to be specific to Qubes 3 (that's not a problem
for me since I prefer to use old but quite stable releases), though an
issue related to Qubes 4.0-rc2 .

The other thing I'm not sure about is the indirect dependency on gpg2 (via
https://github.com/Rudd-O/qubes-pass which relies on the 'pass' program, whose
functionality is very promising for me) - is gpg2 an acceptable
replacement for the gpg 1.4 version accepted by most of the community? I'm
still comfortable w/ old gpg 1.4, but use of the 'pass' program seems to be a
motivation to move. Via
https://apple.stackexchange.com/questions/264350/gpg2-warning-using-insecure-memory/264402#264402
and other Yandex searches I see that the main difference between gpg and gpg2
is the use of an external library (also developed by the same people who made
gpg 1.4). A quick search for related CVEs made me think that the most
important ones affect both gpg and gpg2 (maybe I'm wrong). Does gpg2 have a
wide attack surface in comparison w/ gpg 1.4?

Have people already used Qubes automation with Ansible w/ the above project? I
mean some reputation.
The project currently has 23 stars on GitHub - looks promising, doesn't it?
-- 
Bye.Olli.
Please CC personally when replying to the list.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C  9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian):
http://grey-olli.livejournal.com/tag/

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABunX6PPPK_np3PKNXf8VxssnzfBifa6n_keKnta%3D0qPt%3DFJ%3DQ%40mail.gmail.com.