Re: [qubes-users] Re: QSB #43: L1 Terminal Fault speculative side channel (XSA-273)

2018-09-06 Thread Jean-Philippe Ouellet
On Thu, Sep 6, 2018 at 8:28 AM, 'awokd' via qubes-users wrote:
> On Tue, September 4, 2018 2:05 am, pixel fairy wrote:
>> On Monday, September 3, 2018 at 1:21:27 AM UTC-7, Marek
>> Marczykowski-Górecki wrote:
>>
>>> On Mon, Sep 03, 2018 at 01:46:11AM -0500, Andrew David Wong wrote:
>>>
>>>> On 2018-09-02 22:22, pixel fairy wrote:
>>>>
>>>>> is it still necessary to disable hyper threading after upgrading in
>>>>> qubes 4?
>>>>
>>>> Hyper-threading should be disabled in Xen after you install the
>>>> updates. It should not be necessary for you to take any further action
>>>> to disable it there.
>>>>
>>>> If you're asking whether you should also disable it in your BIOS
>>>> settings, then I'm not sure (CCing Marek).
>>>
>>> There is no need to additionally disable it in BIOS. Xen's smt=off
>>> option means it won't be used even if BIOS reports its availability.
>>
>> Is this something that can eventually be resolved, allowing safe
>> re-enabling of hyperthreading? or is that even known yet?
>
> You could try asking Intel to replace these defective CPUs. :)

Or not, and ask for docs instead: https://www.bunniestudios.com/blog/?p=5127

Good luck in either case though ;)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_C9QaR0W4xyW9VZ2VKFhQgXOAnt2qOBkMQ1RX2x2QyPAw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] join list

2018-09-06 Thread anobody1212
join the list



[qubes-users] Re: Strange sys-whonix-14 starts ; /etc/qubes-rpc/policy/qubes.UpdatesProxy

2018-09-06 Thread John S.Recdep
On 09/06/2018 02:45 AM, 'awokd' via qubes-users wrote:
> On Wed, September 5, 2018 12:21 am, John S.Recdep wrote:
>> Hello,
>>
>>
>> while upgrading to sys-whonix-14 many weeks ago, I was fighting to
>> maintain  my Fedora and Debian Template to keep using sys-net  not
>> sys-whonix-14
>>
>> and sys-whonix-gw and -ws to use sys-whonix-14  , which are otherwise
>> working fine and I hesitate to mess with
>> /etc/qubes-rpc/policy/qubes.UpdatesProxy
>>
>>
>>
>> However, once in a while I am concerned that sys-whonix-14 is starting
>> when I am NOT updating anything  eg in  dom0  today :
>>
>> qvm-run -a fooappVM fooapplication   (for a fooappVM that wasn't open) and
>> sys-whonix-14  was shutdown
>>
>> for some reason it started up
> 
> This could happen if fooappVM's netvm is set to sys-whonix-14.
> 
>> my  /etc/qubes-rpc/policy/qubes.UpdatesProxy ; looks like this :
> 
>> $type:TemplateVM $default allow,target=sys-whonix-14
> 
> This line, since it is first, means all templates will be updated through
> sys-whonix-14. Maybe when you started fooapplication, Qubes checked the
> related template for any updates?
> 
> 

Thanks for your reply, well I've checked only anon-whonix dispVM3400 and
whonix-ws-dvm-14 are using  sys-whonix-14


I'm pretty sure  fedora-28 and Debian-9  are updating over sys-net

$qubes-prefs
updatevm  -  sys-net

is the dom0 says


1) so how can I proceed further to problem-solve this?

2) maybe the mismatch is causing issues?

3) hmm, oh so, dom0 when it starts checks templates for any new versions
say of firefox, and that requires the template to start and use the
designated netvm even if the templates are set to "none".
Maybe this only applies if the application is started from dom0
via qvm-run with its associated appvm also closed; guess I needed to
further test it

4) if you are using sys-net for  Deb/Fedora  updates and sys-whonix-14
for  -gw -ws  update   could you please  post your  /qubes.UpdatesProxy
for me

5) do most folks NOT  use sys-whonix  for  templates updates?
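
The first-match behaviour awokd describes for qubes.UpdatesProxy, as an added example that is not part of the original thread and is not Qubes' own policy code: a simplified Python model of the Qubes 4.0 rule syntax that reports which line decides each qube's update proxy. Every rule other than the quoted `$type:TemplateVM` line, the `whonix-updatevm` tag, and the qube names `whonix-gw-14` and `whonix-ws-14` are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    vm_type: str                    # e.g. "TemplateVM", "AppVM"
    tags: frozenset = frozenset()


def parse_policy(text):
    """Return [(lineno, source, target, verb, params)] for each rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'source target action'")
        source, target, action = parts
        verb, _, rest = action.partition(",")
        params = dict(p.strip().split("=", 1) for p in rest.split(",") if "=" in p)
        rules.append((lineno, source, target, verb.strip(), params))
    return rules


def _matches(token, vm):
    """Simplified source matching: $anyvm, $type:, $tag:, or a literal name."""
    if token == "$anyvm":
        return True
    if token.startswith("$type:"):
        return vm.vm_type == token[len("$type:"):]
    if token.startswith("$tag:"):
        return token[len("$tag:"):] in vm.tags
    return token == vm.name


def resolve(rules, vm, requested="$default"):
    """First matching rule wins; later rules are never consulted."""
    for lineno, source, target, verb, params in rules:
        if not _matches(source, vm):
            continue
        if target not in (requested, "$anyvm"):
            continue
        if verb == "allow":
            return lineno, "allow", params.get("target", requested)
        return lineno, verb, None
    return None, "deny", None       # no rule matched: treated as deny


def update_routes(policy_text, vms):
    rules = parse_policy(policy_text)
    return {vm.name: resolve(rules, vm) for vm in vms}


# Constructed policy: the line quoted in the thread comes first.
POSTED_FIRST = """\
$type:TemplateVM $default allow,target=sys-whonix-14
$tag:whonix-updatevm $default allow,target=sys-whonix-14
$anyvm $anyvm deny
"""

# Constructed policy: the narrow (tagged) rule precedes the general one.
REORDERED = """\
$tag:whonix-updatevm $default allow,target=sys-whonix-14
$tag:whonix-updatevm $anyvm deny
$type:TemplateVM $default allow,target=sys-net
$anyvm $anyvm deny
"""

# Constructed inventory of qubes.
VMS = [
    VM("fedora-28", "TemplateVM"),
    VM("debian-9", "TemplateVM"),
    VM("whonix-gw-14", "TemplateVM", frozenset({"whonix-updatevm"})),
    VM("whonix-ws-14", "TemplateVM", frozenset({"whonix-updatevm"})),
    VM("fooappVM", "AppVM"),
]

if __name__ == "__main__":
    for label, policy in (("posted line first", POSTED_FIRST),
                          ("tagged rule first", REORDERED)):
        print(label)
        for name, (lineno, verb, target) in update_routes(policy, VMS).items():
            print(f"  {name:14} line {lineno}: {verb} {target or ''}")
```

With the general `$type:TemplateVM` rule on line 1, every template is routed to sys-whonix-14 and the tagged rule below it is never reached; placing the tagged rules first is what separates the two update paths.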





[qubes-users] Re: ANN: Testing new VPN code for Qubes

2018-09-06 Thread John S.Recdep
On 09/06/2018 04:22 AM, 22rip-2xk3N/kkaK1Wk0Htik3J/w...@public.gmane.org wrote:
> It appears as if I am getting a TLS error? Why would this suddenly start?
> 
> Wed Sep  5 17:23:39 2018 TLS Error: TLS handshake failed
> Wed Sep  5 17:23:39 2018 SIGUSR1[soft,tls-error] received, process restarting
> Wed Sep  5 17:23:39 2018 Restart pause, 5 second(s)
> Wed Sep  5 17:23:44 2018 TCP/UDP: Preserving recently used remote address: 
> [AF_INET]xxx.xxx.xxx.xx:port xxx
> 
> I have restarted the computer, I am using Qubes 4.0 and leveraging a Debian 9 
> template.
> 
> The other devices are using OpenVPN...
> 
> Any ideas?
> 
> John,
> Not sure what " script in an appvm/qube  instead of the "tunnel"  version ?" 
> is...I had tried to set up the "iptables and CLI scripts" 
> https://www.qubes-os.org/doc/vpn/ but really struggled. I found the Tasket 
> solution easier to set up for a relative novice in desperate need of VPN 
> security. I am also able to setup a few configurations so I can use different 
> destinations. Is this the version you are using?  
> 

Sorry by "script"  I meant  "Qubes-vpn-support"
https://github.com/tasket

vs.  "qubes-tunnel"


btw, it's a bit hard to tell, you're the OP? Mr. 22rip?

you installed qubes-tunnel  in  a  Debian Template  and it was working ,
now it is not


PS: tasket doesn't think trying "Qubes-vpn-support" in an AppVM will
make any difference, I noted. Good luck



[qubes-users] How to resume pci (usb) operation on dom0, after turning off the VM to which the device was connecte

2018-09-06 Thread getoutandhide

Good day.
In order to connect a USB webcam to a VM, I had to connect a PCI device with 
all USB connectors. Unfortunately I only have 1 PS/2 connector.

I used a command to connect a PCI device:
 qvm-pci attach --persistent --option permissive=true --option no-strict-reset=true skype dom0:00_14.0

How can I resume PCI USB on dom0 when the VM to which I connected the PCI 
device will be disabled?

Or just restart the computer only?



Re: [qubes-users] Re: compatibility question; qubes 4.0 on intel i3-4360T ?

2018-09-06 Thread chrisrowlands01
On Thursday, September 6, 2018 at 11:35:15 AM UTC-7, awokd wrote:
> On Thu, September 6, 2018 5:12 am, wrote:
> > On Wednesday, September 5, 2018 at 10:04:12 PM UTC-7,
> >  wrote:
> >> Hello all,
> >>
> >>
> >> I am trying to get Qubes 4.0 running on an Intel i3-4360T chipset with
> >> ASROCK E3C226D2I motherboard.  The architecture apparently supports
> >> VT-x according to the tests I did in accordance with the Qubes docs, so
> >> I hoped I was set.
> >>
> >>
> >> However, Qubes' installer tells me that my system apparently lacks
> >> IOMMU/VT-d/AMD-VI, and Interrupt Remapping.  I was running the
> >> installer from a 8GB USB stick formatted with dd in Linux.
> >>
> >> Is that the end of my Qubes journey right there (short of getting new
> >> hardware), or are there BIOS settings I could check, etc?  Advice would
> >> be greatly appreciated.
> >
> > Also, assuming this is a dead end for my hardware, what would my
> > next-best option be?  Linux on top of Xen?
> 
> Yes, check your BIOS settings and make sure the virtualization options are
> enabled. There may be multiple. If support is broken on your machine, you
> can still run Qubes 3.2 on it but it will be EOL in a few months...

Thanks awokd, I checked more thoroughly and it looks like my model simply lacks 
VT-d altogether, according to Intel.  I'll have to revisit Qubes another time 
I guess, unfortunately.



[qubes-users] 'No Bootable Device' error after clean Qubes 4 install

2018-09-06 Thread Guy Frank
I did a fully automatic disk partition on my last attempt to install Qubes 4.  
When I try to boot my new Qubes install, I get a 'no bootable device' error.  I 
looked at the partitioning scheme using a live usb drive and it shows a /boot 
partition, with EFI and GRUB information and a large encrypted partition, which 
presumably holds / and swap.  It may be relevant that the installation was on a 
500GB SSD drive and that there is also a 2TB hard disk in the system.  I used 
gparted to delete all partitions from both devices before installing Qubes.  
The 2TB device is entirely unallocated and using BIOS to turn off recognition 
of everything but the SSD drive has no effect.  Also the system indicates it 
has UEFI firmware.

I'm not very familiar w/ how the boot process works, but had thought there 
would need to be a GPT table or MBR on the disk, but automatic boot doesn't put 
one there.  In previous attempts to install, I tried to create an ESP (GPT) 
partition, but the Qubes installer would not permit this (and doesn't have it 
as an option).  In another attempt, I added a BIOSBOOT partition (for MBR 
table, I presume) of 1MB.  Installation halts at post-installation (about half 
way through) and never completes.

Any suggestions?

Guy



Re: [qubes-users] Can I set an unencrypted external HD as /home folder for a VM

2018-09-06 Thread Guy Frank
On Tuesday, September 4, 2018 at 7:36:12 AM UTC-5, unman wrote:
> On Mon, Sep 03, 2018 at 03:03:25PM -0700, Guy Frank wrote:
> > On Friday, August 31, 2018 at 6:31:58 PM UTC-4, Chris Laprise wrote:
> > > On 08/31/2018 01:40 PM, Guy Frank wrote:
> > > > On Friday, August 31, 2018 at 12:17:54 PM UTC-5, js...@bitmessage.ch 
> > > > wrote:
> > > >> Guy Frank:
> > > >>> One question I had is whether there is any way to set an unencrypted 
> > > >>> (or encrypted?) external HD as the /home folder for a VM?
> > > >>>
> > > >>> Guy
> > > >>
> > > >> Hi Guy,
> > > >>
> > > >> I'm not sure about setting it as /home but i think it's possible. But
> > > >> it's easy to attach an external HD to a vm and save your files to it.
> > > >>
> > > >> https://www.qubes-os.org/doc/usb/
> > > >>
> > > >> Also it's pretty easy to encrypt it with luks for security, it just
> > > >> takes a little longer each time.
> > > >>
> > > >> -- 
> > > >> Jackie
> > > > 
> > > > Thanks Jackie for your reply!
> > > > 
> > > > I remember it being fairly easy to attach USB devices w/ the right 
> > > > clicks here & there.  So, yes, I'd have access to the files on my 
> > > > external HD.
> > > > 
> > > > But it would be more convenient if I could get Qubes to mount the home 
> > > > folder on the HD as the Home folder for the given virtual machine.  I 
> > > > imagine that's trickier and was wondering if there's a way to do it?
> > > > 
> > > > Maybe use a script to mount the attached USB drive home (/home/guyuser) 
> > > > over the Qubes home directory?  But then, if that's possible, some of 
> > > > the setup in the Qubes home directory might get missed.
> > > > 
> > > 
> > > The key to using it as /home would be to setup a new storage pool to 
> > > hold that VM. Unfortunately the docs could use a rewrite:
> > > 
> > > https://www.qubes-os.org/doc/storage-pools/
> > > 
> > > The relevant commands are 'qvm-pool --add' and 'qvm-create --pool'.
> > > 
> > > -- 
> > > 
> > > Chris Laprise, tas...@posteo.net
> > > https://github.com/tasket
> > > https://twitter.com/ttaskett
> > > PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
> > 
> > Hi Chris:  Thanks! This looks like a step in the right direction, but I 
> > have some questions.  I'm guessing the commands will tell Qubes to treat my 
> >  external HD as a potential place to store a VM.  But that seems like it 
> > wouldn't take the existing home directory on the external HD as the VM home 
> > directory but instead store a VM file containing the VM's home directory 
> > structure on the disk.  That file would, I imagine, be difficult to access 
> > on the Kubuntu I have running on my home desktop and wouldn't contain the 
> > files currently on my external hard disk, which mirror my Kubuntu files.  
> > 
> > Is that the case and is there any fix?  Am beginning to think the only way 
> > to work this is to simply attach my external HD as a USB device and give up 
> > on trying to make the files my home directory.
> > 
> > Guy
> > 
> 
> If it were not USB it would be straightforward.
> 
> It occurs to me that you may be able to change the configuration, (see
> previous thread on assigning SATA devices) to attach the USB device on
> boot, and have fstab configured to mount the newly exposed device in
> the qube as /home or a directory in /home.
> 
> I haven't tried this but I'm assuming it would be possible, and would fit
> your needs.
> I'll have a quick poke at this in the morning, and see if there's any
> mileage in the thought.

Thanks Chris & Unman!  I'll have to give your suggestions a try, if I can get 
Qubes working on this new computer of mine.  The question was meant to see how 
practical Qubes would be, under the assumption that I could install it. Will 
have to circle back to actually doing this.

Guy



Re: [qubes-users] Re: compatibility question; qubes 4.0 on intel i3-4360T ?

2018-09-06 Thread 'awokd' via qubes-users
On Thu, September 6, 2018 5:12 am, chrisrowland...@gmail.com wrote:
> On Wednesday, September 5, 2018 at 10:04:12 PM UTC-7,
> chrisro...@gmail.com wrote:
>> Hello all,
>>
>>
>> I am trying to get Qubes 4.0 running on an Intel i3-4360T chipset with
>> ASROCK E3C226D2I motherboard.  The architecture apparently supports
>> VT-x according to the tests I did in accordance with the Qubes docs, so
>> I hoped I was set.
>>
>>
>> However, Qubes' installer tells me that my system apparently lacks
>> IOMMU/VT-d/AMD-VI, and Interrupt Remapping.  I was running the
>> installer from a 8GB USB stick formatted with dd in Linux.
>>
>> Is that the end of my Qubes journey right there (short of getting new
>> hardware), or are there BIOS settings I could check, etc?  Advice would
>> be greatly appreciated.
>
> Also, assuming this is a dead end for my hardware, what would my
> next-best option be?  Linux on top of Xen?

Yes, check your BIOS settings and make sure the virtualization options are
enabled. There may be multiple. If support is broken on your machine, you
can still run Qubes 3.2 on it but it will be EOL in a few months...




Re: [qubes-users] Re: After I disabled ipv6 for all VMs the following problems arose.

2018-09-06 Thread 'awokd' via qubes-users
On Wed, September 5, 2018 7:57 am, getoutandh...@gmail.com wrote:
> After I disabled ipv6 for whonix, when I restart the whonix firewall, I
> get the following message. ip6tables v1.4.21: can't initialize ip6tables
> table 'filter': Winix firewall script failed!

Instead of disabling it, can you set the ip6 firewall to deny all? Might
already be set to that.




Re: [qubes-users] Sys-net fail to connect to internet

2018-09-06 Thread 'awokd' via qubes-users
On Mon, September 3, 2018 8:29 pm, odindva0...@gmail.com wrote:
> Hey guys, currently running Qubes R 4.0.
> And my sys-net is failing to connect to the internet + when I switch on
> Mozilla it is lagging pretty bad. Please check the pic to see what exactly
> the configuration shows me. https://imgur.com/a/6fgXaAq
> Thanks in advance

Try to switch sys-net's template from Fedora to Debian or vice-versa. If
that doesn't help, make sure you have the firmware for your wireless
adapter installed. See "NetVM (extra firmware)" on the table in
https://www.qubes-os.org/doc/templates/fedora-minimal/ for instructions.
Not sure what you mean about Mozilla lagging.




Re: [qubes-users] Install Qubes on a specific partition ?

2018-09-06 Thread 'awokd' via qubes-users
On Thu, August 30, 2018 7:58 am, Octavio Martin wrote:
> Yep I just realised that the ISO is actually an Installer. What I did is
>
>
> 1) DD'ed the ISO to a 32GB flash drive and the boot on it.
>
>
> 2) I plugged my 1TB usb drive
>
>
> The Qubes installer starts and I see the "Destination" option
>
>
> However it doesn't allow me to select my 100GB partition. The drive is
> there but all it says is "100Mb free" and I don't see any partition.
>
> (I had created the partition using exFat, should it be FAT32?)

I think you need to create the partition as a "Linux" type, or just leave
it unpartitioned and use the manual step in Qubes' installer to create.



Re: [qubes-users] Re: ANN: Testing new VPN code for Qubes

2018-09-06 Thread Chris Laprise

On 09/06/2018 10:22 AM, 22...@tutamail.com wrote:

> It appears as if I am getting a TLS error? Why would this suddenly start?
>
> Wed Sep  5 17:23:39 2018 TLS Error: TLS handshake failed
> Wed Sep  5 17:23:39 2018 SIGUSR1[soft,tls-error] received, process restarting
> Wed Sep  5 17:23:39 2018 Restart pause, 5 second(s)
> Wed Sep  5 17:23:44 2018 TCP/UDP: Preserving recently used remote address: 
> [AF_INET]xxx.xxx.xxx.xx:port xxx
>
> I have restarted the computer, I am using Qubes 4.0 and leveraging a Debian 9 
> template.
>
> The other devices are using OpenVPN...
>
> Any ideas?


When I search on the TLS error I get results like this:
https://serverfault.com/questions/709860/fix-tls-error-tls-handshake-failed-on-openvpn-client#765205

Specifying 'local' may be worth a try.

It sounds like something has gone wrong with the virtual devices or the 
Qubes firewall for that VM... perhaps triggered by the system update.


I'm also using Debian 9 on Qubes 4. dom0 is updated with 
security-testing enabled. Check your kernel version, mine is 4.14.67-1.


Testing basic connectivity for the VM can be done by first disabling the 
tunnel firewall rules... delete the link at 
/rw/config/qubes-firewall.d/90_tunnel-restrict. Then restart VM and use 
ping/traceroute.





> John,
> Not sure what " script in an appvm/qube  instead of the "tunnel"  version ?" 
> is...I had tried to set up the "iptables and CLI scripts" 
> https://www.qubes-os.org/doc/vpn/ but really struggled. I found the Tasket 
> solution easier to set up for a relative novice in desperate need of VPN 
> security. I am also able to setup a few configurations so I can use different 
> destinations. Is this the version you are using?


You can think of the vpn doc as a much older version of qubes-tunnel. I 
doubt switching to it would help.



--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Re: debian-9 template

2018-09-06 Thread John Maher
On Thursday, September 6, 2018 at 9:42:02 AM UTC-4, unman wrote:
> On Thu, Sep 06, 2018 at 05:24:24AM -0700, John Maher wrote:
> > On Sunday, April 29, 2018 at 8:20:40 AM UTC-4, higgin...@gmail.com wrote:
> > > tried ---
> > > 
> > > 
> > > sudo qubes-dom0-update --enablerepo=qubes-templates-community 
> > > --action=reinstall qubes-template-debian-9
> > > 
> > > Again it appears to reinstall - message appears saying successfully 
> > > installed.
> > > 
> > > Then try to start DEBIAN-9 VM and get 
> > > "ERROR:VM directory does not exist: 
> > > /var/lib/qubes/vm-templates/debian-9". 
> > > 
> > > Help!
> > 
> > I just did a fresh install of Qubes OS 4.0 on new hardware and I'm having 
> > the exact same problem. None of the suggestions here have resulted in any 
> > change, although I did not try:
> > 
> > sudo qubes-dom0-update --enablerepo=qubes-templates-community 
> > --action=reinstall qubes-template-debian-9
> > 
> > and I'm not that interested in going that route. 
> > 
> > I've been using Qubes OS 3.2 for over a year now without this type of 
> > problem. Any more suggestions or fixes?
> > 
> > Thanks.
> > 
> > John
> > 
> 
> Have you tried the obvious, and created the missing directory?
> Ownership should be root:qubes - compare to the other template
> directories.
> 
> The only content is a symlink icon.png, pointing to
> /usr/share/icons/hicolor/128x128/devices/appvm-black/png
> You could create this yourself also.

Unman, thanks for replying. I didn't run that command (sudo qubes-dom0-update 
--enablerepo=qubes-templates-community --action=reinstall 
qubes-template-debian-9), so I don't know if I would get the same error 
message, but I do have the directory /var/lib/qubes/vm-templates/debian-9. 

I've performed an automatic re-install of the debian-9 template twice and a 
manual re-install once. Still, no applications display under Applications tab. 
I can't even run a terminal via dom0 using:  qvm-run debian-9 gnome-terminal

I have to believe there is a simple command to make this debian-9 template 
functional, but I don't know where to go from here.

Thanks.

John



[qubes-users] Re: ANN: Testing new VPN code for Qubes

2018-09-06 Thread 22rip
It appears as if I am getting a TLS error? Why would this suddenly start?

Wed Sep  5 17:23:39 2018 TLS Error: TLS handshake failed
Wed Sep  5 17:23:39 2018 SIGUSR1[soft,tls-error] received, process restarting
Wed Sep  5 17:23:39 2018 Restart pause, 5 second(s)
Wed Sep  5 17:23:44 2018 TCP/UDP: Preserving recently used remote address: 
[AF_INET]xxx.xxx.xxx.xx:port xxx

I have restarted the computer, I am using Qubes 4.0 and leveraging a Debian 9 
template.

The other devices are using OpenVPN...

Any ideas?

John,
Not sure what " script in an appvm/qube  instead of the "tunnel"  version ?" 
is...I had tried to set up the "iptables and CLI scripts" 
https://www.qubes-os.org/doc/vpn/ but really struggled. I found the Tasket 
solution easier to set up for a relative novice in desperate need of VPN 
security. I am also able to setup a few configurations so I can use different 
destinations. Is this the version you are using?  



Re: [qubes-users] Re: debian-9 template

2018-09-06 Thread unman
On Thu, Sep 06, 2018 at 05:24:24AM -0700, John Maher wrote:
> On Sunday, April 29, 2018 at 8:20:40 AM UTC-4, higgin...@gmail.com wrote:
> > tried ---
> > 
> > 
> > sudo qubes-dom0-update --enablerepo=qubes-templates-community 
> > --action=reinstall qubes-template-debian-9
> > 
> > Again it appears to reinstall - message appears saying successfully 
> > installed.
> > 
> > Then try to start DEBIAN-9 VM and get 
> > "ERROR:VM directory does not exist: /var/lib/qubes/vm-templates/debian-9". 
> > 
> > Help!
> 
> I just did a fresh install of Qubes OS 4.0 on new hardware and I'm having the 
> exact same problem. None of the suggestions here have resulted in any change, 
> although I did not try:
> 
> sudo qubes-dom0-update --enablerepo=qubes-templates-community 
> --action=reinstall qubes-template-debian-9
> 
> and I'm not that interested in going that route. 
> 
> I've been using Qubes OS 3.2 for over a year now without this type of 
> problem. Any more suggestions or fixes?
> 
> Thanks.
> 
> John
> 

Have you tried the obvious, and created the missing directory?
Ownership should be root:qubes - compare to the other template
directories.

The only content is a symlink icon.png, pointing to
/usr/share/icons/hicolor/128x128/devices/appvm-black/png
You could create this yourself also.




[qubes-users] Re: How to cache these disk reads done by the likes of [14.xvda-0]

2018-09-06 Thread Marcus Linsner
On Wednesday, September 5, 2018 at 4:26:11 AM UTC+2, Marcus Linsner wrote:
> Regarding OP, maybe I should look into this: 
> https://www.kernel.org/doc/Documentation/filesystems/caching/fscache.txt
> I'm unsure if it'll work for what I want, yet.
> 
> On Tuesday, August 28, 2018 at 10:35:23 PM UTC+2, Marcus Linsner wrote:
> > Side question: how can I send eg. sysrq+m to a qube? (seems not possible 
> > according to this 2016 post https://phabricator.whonix.org/T553#10438 ? )
> 
> Looks like it's possible, from dom0:
> 
> $ xl sysrq
> 'xl sysrq' requires at least 2 arguments.
> 
> Usage: xl [-vf] sysrq  
> 
> Send a sysrq to a domain.
> 
> 
> Or, maybe not:
> [   61.904917] xen:manage: sysrq_handler: Error -13 writing sysrq in 
> control/sysrq
> 
> I tried on a disposable VM, 's' and 'h'.
> $ sysctl kernel.sysrq
> already reports =1
> 
> On first glance I found the code responsible here: 
> https://lists.xenproject.org/archives/html/xen-devel/2018-06/msg01068.html
> if (sysrq_key != '\0') {
>   err = xenbus_printf(xbt, "control", "sysrq", "%c", '\0');
> ...
> I'm not sure if that looks right, I mean why isn't sysrq_key written instead 
> of just a '\0' ? perhaps I'm misreading this. I'm not a programmer :D

Ah sweet! There's a fix: 
https://xenbits.xen.org/gitweb/?p=xen.git;a=commitdiff;h=30a970906038a4d360e1f7ee29ba80ef832dd78b;hp=6de6c8d306c091eb7381575d250beaf2eeaf02df

I can't wait to test it whenever I figure out how to :D (possibly using 
qubes-builder to compile xen, ...)



Re: [qubes-users] Re: How to show boot entries?

2018-09-06 Thread 'awokd' via qubes-users
On Thu, September 6, 2018 12:50 pm, Marcus Linsner wrote:

> So, I guess, be careful which entry you're currently booted in when doing
> dom0 updates, because that's the one that will get the newest kernel.
> (the `default=` under `[global]` section is also modified to point to
> this new kernel, btw; actually now that I look at it, that's the only
> thing that got modified, there's no new section for the new kernel that
> the default= now references, none of the other xen.cfg have it either,
> hmm... assuming fluke! maybe something got confused since the automenu
> entry doesn't have a default= which makes it auto boot the first entry -
> i was hoping for a prompt though)

Xen + UEFI = painful, unfortunately. I don't know why you can't easily
select one of the non-default entries either, or if there's some secret
key combination to do so.




[qubes-users] Re: How to show boot entries?

2018-09-06 Thread Marcus Linsner
On Wednesday, September 5, 2018 at 1:37:51 PM UTC+2, Marcus Linsner wrote:
> On Wednesday, September 5, 2018 at 6:17:46 AM UTC+2, Marcus Linsner wrote:
> > On Thursday, March 15, 2018 at 7:08:25 AM UTC+1, coeu...@gmail.com wrote:
> > > Hello, guys. 
> > > 
> > > I want to show boot entries so that I can select a certain kernel to boot, 
> > > and I'm using EFI/qubes/xen.efi as boot binary. Currently, it will 
> > > directly boot the default kernel. Could anyone give some advice?
> > > 
> > > BTW, here is the reason: I have multiple kernels installed and 
> > > kernel-latest-4.15.6-1 may raise kernel panic errors on Raven Ridge 
> > > platform, but kernel-4.14.18-1 works just fine.
> > > 
> > > Thanks!
> > > D.F.
> > 
> > I don't understand why there are multiple entries in xen.cfg if the only 
> > way to select any is by setting the default= to one of them.
> > 
> > So, I had to make a copy of the qubes/ folder where xen.cfg is located, 
> > then modify the copied xen.cfg to choose a different kernel. Then add a new 
> > boot entry (which I can only select to boot from by entering BIOS btw), 
> > which will be set as default when added by this command:
> > 
> > first see what we have:
> > $ sudo efibootmgr -v
> > then add one more (BIOS-visible) entry:
> > $ sudo efibootmgr -v -c -u -L Mewbs -l /EFI/mewbs/xen.efi -d /dev/sda -p 1
> > then see what happened:
> > $ sudo efibootmgr -v
> > 
> > (I'd copy/paste but it's harder to do from dom0 and I'm currently 
> > lazy/tired. #notproud)
> Alright, it looks like it's easier than I thought, copy/pasting from dom0 
> (was previously using qvm-copy-to-vm), according to 
> https://www.qubes-os.org/doc/copy-from-dom0/ , step 3 (for Qubes 4.0), to 
> quote from there:
> "In other versions, write the data you wish to copy into 
> /var/run/qubes/qubes-clipboard.bin, then echo -n dom0 > 
> /var/run/qubes/qubes-clipboard.bin.source. Then use Ctrl-Shift-V to paste the 
> data to the desired VM."
> 
> There is another file /var/run/qubes/qubes-clipboard.bin.xevent which 
> contains a number and it doesn't need to be modified or touched for the 
> copy/pasting to work.
> 
> With that in mind, let's see how to add another UEFI entry (which, as a 
> reminder, can only be selected from BIOS's Boot Menu - which in my case 
> requires fully entering BIOS - there's no F12 key (but maybe it depends on 
> settings, like secure boot must be disabled?)).
> Let's add an entry which boots with smt=on to enable all cores, thus reducing 
> security, according to: https://www.qubes-os.org/news/2018/09/02/qsb-43/
> 
> Quick help for reference:
> 
> [ctor@dom0 ~]$ sudo efibootmgr -h
> efibootmgr version 14
> usage: efibootmgr [options]
>   -a | --active sets bootnum active
>   -A | --inactive   sets bootnum inactive
>   -b | --bootnum    modify Boot (hex)
>   -B | --delete-bootnum delete bootnum
>   -c | --create create new variable bootnum and add to bootorder
>   -C | --create-only  create new variable bootnum and do not add to 
> bootorder
>   -D | --remove-dups  remove duplicate values from BootOrder
>   -d | --disk disk   (defaults to /dev/sda) containing loader
>   -r | --driver Operate on Driver variables, not Boot Variables.
>   -e | --edd [1|3|-1]   force EDD 1.0 or 3.0 creation variables, or guess
>   -E | --device num  EDD 1.0 device number (defaults to 0x80)
>   -g | --gptforce disk with invalid PMBR to be treated as GPT
>   -i | --iface name create a netboot entry for the named interface
>   -l | --loader name (defaults to \EFI\redhat\grub.efi)
>   -L | --label label Boot manager display label (defaults to "Linux")
>   -m | --mirror-below-4G t|f mirror memory below 4GB
>   -M | --mirror-above-4G X percentage memory to mirror above 4GB
>   -n | --bootnext    set BootNext to  (hex)
>   -N | --delete-bootnext delete BootNext
>   -o | --bootorder ,,,... explicitly set BootOrder (hex)
>   -O | --delete-bootorder delete BootOrder
>   -p | --part part        (defaults to 1) containing loader
>   -q | --quiet            be quiet
>   -t | --timeout seconds  set boot manager timeout waiting for user input.
>   -T | --delete-timeout   delete Timeout.
>   -u | --unicode | --UCS-2  pass extra args as UCS-2 (default is ASCII)
>   -v | --verbose  print additional information
>   -V | --version  return version and exit
>   -w | --write-signature  write unique sig to MBR if needed
>   -y | --sysprep  Operate on SysPrep variables, not Boot 
> Variables.
>   -@ | --append-binary-args file  append extra args from file (use "-" 
> for stdin)
>   -h | --help show help/usage
> 
> Let's see what we have already:
> 
> [ctor@dom0 ~]$ sudo efibootmgr -v 
> BootCurrent: 0002
> Timeout: 1 seconds
> BootOrder: ,0002
> Boot* Qubes   
> 

Re: [qubes-users] Re: Unable to reset PCI device 0000:00:1f.6 (Qubes-R4.0 / fresh install) : no network

2018-09-06 Thread 'awokd' via qubes-users
On Wed, August 29, 2018 1:30 pm, gdru...@gmail.com wrote:
> Finally, I followed the advice of awokd :
>
>
> $ qvm-pci attach --persistent --option permissive=true --option
> no-strict-reset=true sys-net dom0:00_XXX
>
> Everything works perfectly yet (for how long? :-) ).

You can also try without the "--option permissive=true", many devices
don't need that. Glad it worked!




Re: [qubes-users] Strange sys-whonix-14 starts ; /etc/qubes-rpc/policy/qubes.UpdatesProxy

2018-09-06 Thread 'awokd' via qubes-users
On Wed, September 5, 2018 12:21 am, John S.Recdep wrote:
> Hello,
>
>
> while upgrading to sys-whonix-14 many weeks ago, I was fighting to
> maintain  my Fedora and Debian Template to keep using sys-net  not
> sys-whonix-14
>
> and sys-whonix-gw and -ws to use sys-whonix-14  , which are otherwise
> working fine and I hesitate to mess with
> /etc/qubes-rpc/policy/qubes.UpdatesProxy
>
>
>
> However, once in a while I am concerned that sys-whonix-14 is starting
> when I am NOT updating anything  eg in  dom0  today :
>
> qvm-run -a fooappVM fooapplication   (for a fooappVM that wasn't open) and
> sys-whonix-14  was shutdown
>
> for some reason it started up

This could happen if fooappVM's netvm is set to sys-whonix-14.

> my  /etc/qubes-rpc/policy/qubes.UpdatesProxy ; looks like this :

> $type:TemplateVM $default allow,target=sys-whonix-14

This line, since it is first, means all templates will be updated through
sys-whonix-14. Maybe when you started fooapplication, Qubes checked the
related template for any updates?


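The first-match behaviour described in the reply above, as an added example that is not part of the original thread and is not Qubes's own code: a simplified model of Qubes 4.0 policy matching for calls made without an explicit target. Both policy texts, the VM names `fedora-28` and `whonix-gw-14`, and the use of the `whonix-updatevm` tag are constructed assumptions for illustration.

```python
# Simplified model of Qubes 4.0 qrexec policy matching (added example, not Qubes code).
# Assumption: lines are read top to bottom and the first matching line decides.

# Constructed policy: the line quoted in the thread comes first.
TEMPLATE_RULE_FIRST = """
$type:TemplateVM $default allow,target=sys-whonix-14
$tag:whonix-updatevm $default allow,target=sys-whonix-14
$anyvm $anyvm deny
"""
# Constructed alternative: tagged Whonix templates first, all other templates via sys-net.
WHONIX_RULE_FIRST = """
$tag:whonix-updatevm $default allow,target=sys-whonix-14
$tag:whonix-updatevm $anyvm deny
$type:TemplateVM $default allow,target=sys-net
$anyvm $anyvm deny
"""
# Constructed VM descriptions (names and tags are illustrative).
FEDORA = {"name": "fedora-28", "type": "TemplateVM", "tags": set()}
WHONIX_GW = {"name": "whonix-gw-14", "type": "TemplateVM", "tags": {"whonix-updatevm"}}

def parse_policy(text):
    """Parse 'source target action[,key=value...]' lines into tuples."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        source, target, spec = line.split(None, 2)
        action, *opts = [part.strip() for part in spec.split(",")]
        rules.append((source, target, action, dict(o.split("=", 1) for o in opts)))
    return rules

def source_matches(token, vm):
    """Match a source specifier against a VM's name, type or tags."""
    if token == "$anyvm":
        return True
    if token.startswith("$type:"):
        return vm["type"] == token[len("$type:"):]
    if token.startswith("$tag:"):
        return token[len("$tag:"):] in vm["tags"]
    return token == vm["name"]

def resolve(rules, vm):
    """Decide a call made without an explicit target (the '$default' case)."""
    for source, target, action, params in rules:
        if source_matches(source, vm) and target in ("$default", "$anyvm"):
            return action, params.get("target")
    return "deny", None  # nothing matched

if __name__ == "__main__":
    for name, text in (("template rule first", TEMPLATE_RULE_FIRST), ("whonix rule first", WHONIX_RULE_FIRST)):
        print(name, resolve(parse_policy(text), FEDORA), resolve(parse_policy(text), WHONIX_GW))
```

With the template rule first, the non-Whonix template resolves to sys-whonix-14; placing it below the tag rule sends that template to sys-net while the tagged template still uses sys-whonix-14.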


Re: [qubes-users] Re: QSB #43: L1 Terminal Fault speculative side channel (XSA-273)

2018-09-06 Thread 'awokd' via qubes-users
On Tue, September 4, 2018 2:05 am, pixel fairy wrote:
> On Monday, September 3, 2018 at 1:21:27 AM UTC-7, Marek
> Marczykowski-Górecki wrote:
>
>> On Mon, Sep 03, 2018 at 01:46:11AM -0500, Andrew David Wong wrote:
>>
>>> On 2018-09-02 22:22, pixel fairy wrote:
>>>
>>>> is it still necessary to disable hyper threading after upgrading in
>>>> qubes 4?
>>>>
>>>
>>> Hyper-threading should be disabled in Xen after you install the
>>> updates. It should not be necessary for you to take any further action
>>> to disable it there.
>>>
>>> If you're asking whether you should also disable it in your BIOS
>>> settings, then I'm not sure (CCing Marek).
>>
>> There is no need to additionally disable it in BIOS. Xen's smt=off
>> option means it won't be used even if BIOS reports its availability.
>
> Is this something that can eventually be resolved, allowing safe
> re-enabling of hyperthreading? or is that even known yet?

You could try asking Intel to replace these defective CPUs. :)




[qubes-users] Re: debian-9 template

2018-09-06 Thread John Maher
On Sunday, April 29, 2018 at 8:20:40 AM UTC-4, higgin...@gmail.com wrote:
> tried ---
> 
> 
> sudo qubes-dom0-update --enablerepo=qubes-templates-community 
> --action=reinstall qubes-template-debian-9
> 
> Again it appears to reinstall - message appears saying successfully installed.
> 
> Then try to start DEBIAN-9 VM and get 
> "ERROR:VM directory does not exist: /var/lib/qubes/vm-templates/debian-9". 
> 
> Help!

I just did a fresh install of Qubes OS 4.0 on new hardware and I'm having the 
exact same problem. None of the suggestions here have resulted in any change, 
although I did not try:

sudo qubes-dom0-update --enablerepo=qubes-templates-community 
--action=reinstall qubes-template-debian-9

and I'm not that interested in going that route. 

I've been using Qubes OS 3.2 for over a year now without this type of problem. 
Any more suggestions or fixes?

Thanks.

John



[qubes-users] Re: How to show boot entries?

2018-09-06 Thread Marcus Linsner
On Wednesday, September 5, 2018 at 1:37:51 PM UTC+2, Marcus Linsner wrote:
> With that in mind, let's see how to add another UEFI entry (which, as a 
> reminder, can only be selected from BIOS's Boot Menu - which in my case 
> requires fully entering BIOS - there's no F12 key (but maybe it depends on 
> settings, like secure boot must be disabled?)).

A slight correction here, the boot key (for my mobo/BIOS) is F8 (not F12 as I 
wrongly assumed from experience with other PCs) and it doesn't require entering 
BIOS I found out, however it only shows the boot menu if the BIOS 
Admin (supervisor?) password (as opposed to BIOS User password) is entered when 
the PC is set to prompt for a password before boot. Perhaps this depends on 
some BIOS settings, so that it would otherwise work with the user password too.
