[qubes-users] Re: Are there any security benefits of setting up standalonevm instead of appvm?
Not an expert (or even technically inclined), but here's my suggestion: I get how you feel because I've wondered about the exact same thing as you. Why not create multiple templates, with each containing programs you're comfortable grouping together? If your system supports it, you can put an app in each template. I don't know whether this will increase your system's security, but I don't see why it would hurt as long as your system can handle it. More importantly, this configuration will make you feel more secure while not harming your security. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c4f6696d-cef6-4b32-86e6-9b3bae53bfaa%40googlegroups.com.
[qubes-users] Convert template-based VM to standalone?
Say I have a template-based VM, and I want to "fork" it to be standalone so that it's no longer based on the template. I know I could just create a new standalone VM from a template and copy files over from my home directory . . . but is there a way to just convert the existing guest from template-based to standalone? Is there something I could run from the command line? Thanks!
Re: [qubes-users] Re: No Suspend/Resume on Dell Latitude 7400 (i5-8365U) with 4.0.2rc3
On Wednesday, January 8, 2020 at 8:28:12 AM UTC-3, Claudia wrote:
> January 8, 2020 12:10 AM, "Guerlan" wrote:
>> On Tuesday, January 7, 2020 at 8:41:31 PM UTC-3, Claudia wrote:
>>> January 7, 2020 6:08 PM, "Guerlan" wrote:
>>>> On Monday, January 6, 2020 at 12:43:40 AM UTC-3, Claudia wrote:
>>>>> January 6, 2020 3:14 AM, dmoe...@gmail.com wrote:
>>>>>> On Sunday, January 5, 2020 at 9:49:42 PM UTC-5, Guerlan wrote:
>>>>>>> can you tell me how you figured this out? I've been trying to fix a suspend bug in mine and It'd be helpful to know how you debugged things
>>>>>>
>>>>>> Mostly trial and error, trying all the things listed above. Two little tricks to use:
>>>>>>
>>>>>> 1. Look at the end of journalctl right before it tries to suspend. This is where I saw that it was going into s2idle, which then brought me to this thread:
>>>>>>
>>>>>> https://groups.google.com/forum/#!msg/qubes-users/TmGDlkluJgM/1BFsQZWNDAAJ;context-place=forum/qubes-users
>>>>>>
>>>>>> This Dell did not have the lack of S3 that the new Thinkpads have, but it did still try to use s2idle.
>>>>>
>>>>> /sys/power/mem_sleep will list supported modes, with the default in brackets. You can echo to it to set the default at runtime, or use the boot parameter.
>>>>
>>>> [lz@dom0 ~]$ cat /sys/power/mem_sleep
>>>> s2idle [deep]
>>>>
>>>> What does this mean? It means that it detected only s2idle or that my system does not support suspend to RAM? I've used Ubuntu and Fedora and lid closing always worked, I just don't know if it was idle or to ram or other thing.
>>>
>>> This means that s2idle mode and deep mode are the two modes supported by your machine, and that deep is the mode that will be used for sleep when no specific mode is specified, such as using the lid switch or the logout menu or systemctl suspend for example. In OP's case, deep is manually set as default using the kernel parameter mem_sleep_default=deep. Generally the kernel chooses the deepest mode supported (s2idle -> shallow -> deep) to be the default, but on some machines the kernel will choose s2idle as the default even if deep is supported.
>>>
>>> https://www.kernel.org/doc/html/v4.18/admin-guide/pm/sleep-states.html#basic-sysfs-interfaces-for-system-suspend-and-hibernation
>>
>> Thanks! I now understand how it works. I've checked and indeed my system defaults to deep. I tried s2idle by doing echo freeze > /sys/power/state and the screen turns off but the keyboard keeps with lights on. Pressing buttons does nothing. Pressing touchpad, nothing. Pressing power rapidly, nothing. Had to reboot by long pressing power. Shouldn't s2idle always work since it's software based?
>
> I don't know much about s2idle, but yes, in theory it should be the most reliable of the sleep states. It could be a graphics driver issue. However, from your log it looks like it's still entering deep sleep.
>
>> I have no other ideas. If someone knows a little more on how to debug, I'd be glad. Remember that I found this error in ACPI https://github.com/QubesOS/qubes-issues/issues/ on dmesg. It indicates that ASPM does not work. Maybe this is crucial?
>
> Debugging suspend is a long and complicated process. I don't want to get any more off-topic in this thread. Please start a new thread for your machine detailing everything you've tried so far, including logs and any other relevant information, so it's all in one place.

Ok thanks, here's the new thread https://groups.google.com/forum/#!topic/qubes-users/eMWxHSy9h7c
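An added example, not part of any post in this thread: a small shell helper that reads the two sysfs values discussed above, `/sys/power/mem_sleep` and the keyword written to `/sys/power/state`, and reports which sleep mode the kernel will actually enter. The function names and the sample kernel command line are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): interpret /sys/power/mem_sleep and the
# keywords accepted by /sys/power/state. Function names are illustrative.

# Print the default suspend mode, i.e. the entry shown in [brackets].
mem_sleep_default() {   # $1 = contents of /sys/power/mem_sleep
    case "$1" in
        *\[*\]*) _rest=${1#*\[}; printf '%s\n' "${_rest%%\]*}" ;;
        *) return 1 ;;
    esac
}

# Print every supported mode, one per line, brackets stripped.
mem_sleep_modes() {     # $1 = contents of /sys/power/mem_sleep
    printf '%s\n' "$1" | tr -d '[]' | tr -s ' ' '\n'
}

# Map a keyword written to /sys/power/state to the mode the kernel enters.
# "freeze" is always suspend-to-idle; "mem" follows the mem_sleep default.
state_to_mode() {       # $1 = keyword, $2 = contents of /sys/power/mem_sleep
    case "$1" in
        freeze)  echo s2idle ;;
        standby) echo shallow ;;
        mem)     mem_sleep_default "$2" ;;
        disk)    echo hibernate ;;
        *)       return 1 ;;
    esac
}

# Print the value of mem_sleep_default= if it is on the kernel command line.
cmdline_mem_sleep() {   # $1 = kernel command line
    case " $1 " in
        *" mem_sleep_default="*)
            _rest=${1##*mem_sleep_default=}
            printf '%s\n' "${_rest%% *}" ;;
        *) return 1 ;;
    esac
}

# Summarise what a lid close or "systemctl suspend" will do.
report() {              # $1 = mem_sleep contents, $2 = kernel command line
    _default=$(mem_sleep_default "$1") || _default=unknown
    echo "supported modes: $(mem_sleep_modes "$1" | tr '\n' ' ')"
    echo "lid close / systemctl suspend enters: $_default"
    echo "echo freeze > /sys/power/state enters: $(state_to_mode freeze "$1")"
    if _forced=$(cmdline_mem_sleep "$2"); then
        echo "default forced by boot parameter: mem_sleep_default=$_forced"
    else
        echo "default chosen by the kernel (no mem_sleep_default= parameter)"
    fi
}

# Constructed sample input: the mem_sleep value matches the dom0 output quoted
# in the thread, the command line is made up for the demonstration.
SAMPLE_MEM_SLEEP='s2idle [deep]'
SAMPLE_CMDLINE='root=/dev/mapper/example ro mem_sleep_default=deep quiet'

if [ -r /sys/power/mem_sleep ] && [ -r /proc/cmdline ]; then
    report "$(cat /sys/power/mem_sleep)" "$(cat /proc/cmdline)"
else
    report "$SAMPLE_MEM_SLEEP" "$SAMPLE_CMDLINE"
fi
```
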
[qubes-users] Debugging a sleep/suspend problem on Razer Blade Stealth 2016 - Qubes
First of all, here's the HCL for my Razer Blade Stealth 2016 4K touchscreen 16gb RAM 512gb SSD: https://groups.google.com/forum/#!searchin/qubes-users/razer$20blade%7Csort:date/qubes-users/PalZ-1inxnA/D3mQ4OI3CAAJ

When I close the lid and open again, keyboard won't light up, screen won't turn on (it's LED so I can see a bright black when it turns on), and hitting keyboard or touchpad does nothing. I have to reboot. I don't know, however, if keyboard not lighting when I open the lid is because sys-usb, which contains the keyboard, is not woken. Every other aspect of the laptop seems to be working perfectly.

I followed Ubuntu's guide on kernel suspend bugs: https://wiki.ubuntu.com/DebuggingKernelSuspend

Then, following what they suggest `sudo sh -c "sync && echo 1 > /sys/power/pm_trace && pm-suspend"` and find the lines that says hash matches in dmesg right after reboot (what does that mean?) Well, I found two:

```
[3.583591] ima: Allocated hash algorithm: sha1
[3.593050] input: AT Raw Set 2 keyboard as /devices/platform/i8042/serio0/input/input4
[3.638808] Magic number: 0:929:176
[3.638867] acpi device:39: hash matches
[3.638893] acpi device:0c: hash matches
[3.639073] rtc_cmos 00:01: setting system clock to 2016-01-01 12:09:51 UTC (1451650191)
```

I couldn't find anything related to those acpi devices. I thought first that there was a driver for them, so I should just rmmod those drivers before sleep and insmod when wakeup, but couldn't find anything. There's this issue https://ubuntuforums.org/archive/index.php/t-2393029.html which have those exact hash matches, but no answer.

Then I asked for help on a forum and they found this problematic line on my dmesg:

`[2.543596] acpi PNP0A08:00: _OSC failed (AE_ERROR); disabling ASPM`

seems like ASPM is disabled on my Qubes. I don't know why. Should this be considered a bug? Is there anything I can do to get it working? *This looks promising.*

It's worth noting that on Ubuntu 18, 19, Fedora 30, Linux Mint, etc, *all these systems work like a charm with the sleep process*. I can close the lid and open and it works. So the problem seems to be **related to Qubes**. I even tried qubes most recent dom0 kernel, based on 5.x linux kernel, but the problem persists.

I also tried `pcie_aspm=force` on `/boot/efi/EFI/qubes/xen.cfg` (is this where I put kernel parameters?) like this:

`kernel=vmlinuz-4.14.74-1.pvops.qubes.x86_64 root=/dev/mapper/qubes_dom0-root rd.luks.uuid=luks-39fc83eb-9829-43b7-86e8-08068bd81087 rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap i915.alpha_support=1 pcie_aspm=force rhgb quiet plymouth.ignore-serial-consoles`

but it didn't help.

I practically *need* to run Qubes on this notebook because any Linux distribution with any kernel will have a problem that corrupts my SSD many times a day. No one could solve it, and on Qubes it never happens. I tried Qubes just to see if it'd solve and it does! I'm loving it, not going back even on other notebooks. However, closing the lid/putting the system to sleep is essential for a notebook.

```
[lz@dom0 ~]$ cat /sys/power/mem_sleep
s2idle [deep]
```

as you see, the suspend default is deep mode. I tried s2idle by doing `echo freeze > /sys/power/state` and the screen turns off but the keyboard keeps with lights on. Pressing buttons does nothing. Pressing touchpad, nothing. Pressing power rapidly, nothing. Had to reboot by long pressing power. I thought s2idle should always work since it's software based.

Here's my journalctl of the moment when I go to suspend by closing the lid (that is, suspending in deep mode):

```
Jan 07 20:56:24 dom0 systemd-logind[1925]: Lid closed.
Jan 07 20:56:24 dom0 systemd-logind[1925]: Suspending...
Jan 07 20:56:24 dom0 systemd[1]: Starting Qubes suspend hooks...
Jan 07 20:56:25 dom0 qmemman.daemon.algo[1921]: balance_when_enough_memory(xen_free_memory=8172072647, total_mem_pref=2493652659.2, total_available_memory=13171544083.8)
Jan 07 20:56:25 dom0 qmemman.systemstate[1921]: stat: dom '5' act=3198156800 pref=963591782.4 last_target=3198156800
Jan 07 20:56:25 dom0 qmemman.systemstate[1921]: stat: dom '0' act=4294967296 pref=1530060876.8 last_target=4294967296
Jan 07 20:56:25 dom0 qmemman.systemstate[1921]: stat: xenfree=8224501447 memset_reqs=[('5', 3198156800), ('0', 4294967296)]
Jan 07 20:56:25 dom0 qmemman.systemstate[1921]: mem-set domain 5 to 3198156800
Jan 07 20:56:25 dom0 qmemman.systemstate[1921]: mem-set domain 0 to 4294967296
Jan 07 20:56:25 dom0 qrexec[3884]: qubes.GetDate: social -> @default: allowed to dom0
Jan 07 20:56:25 dom0 qmemman.daemon.algo[1921]: balance_when_enough_memory(xen_free_memory=8172072647, total_mem_pref=2450575027.2, total_available_memory=13214621715.8)
Jan 07 20:56:25 dom0 qmemman.systemstate[1921]: stat: dom '5' act=3198156800 pref=920514150.4 last_target=3198156800
Jan 07 20:56:25 dom0 qmemman.systemstate[1921]: stat: dom '0' act=4294967296
```
[qubes-users] Re: Does qubes block usb on thunderbolt port?
On Wednesday, January 8, 2020 at 4:29:57 PM UTC-5, Ryan Tate wrote:
> (The one thing that I do wonder is if is necessary for sys-usb to bail out on boot when an assigned device is not present, maybe there could be a system for transient but assigned devices to be allowed to come online post boot? No idea how feasible this is.)

PCIe attach has to happen at startup, and Xen will fail to start it up if the named device isn't there.

My suggestion: create a *second* sys-usb style VM (e.g. called "sys-usb-c") with the "extra" usb pcie device attached and *remember* to have the USB port populated at boot if you want to use devices from that second device VM. The regular sys-usb will always start up for the other ports (regardless of whether you have a device plugged in or not).

Brendan
[qubes-users] Re: Does qubes block usb on thunderbolt port?
Ryan Tate writes:
> On my ThinkPad X1 Carbon gen5, I can use my thunderbolt 3 ports fine for display and for power. However, Qubes does not seem to recognize a usb-c flash stick or a usb-c yubikey plugged into these ports

I think I got this figured out. ThinkPads apparently do not show the USB-C controller on these Thunderbolt ports to the OS unless and until something is physically plugged in.

I was clued into this by this thread; don't be fooled by the subject line it is about more than hubs - see bit where the user also was not able to connect the drive directly - https://groups.google.com/forum/#!searchin/qubes-users/usb-c$20thunderbolt%7Csort:date/qubes-users/VIqnIcubq9Y/-gmRME7qBgAJ

Per the thread above, Qubes does not (seem to) handle controllers that pop up after boot.

When I booted with a usb-c flash drive already in the Thunderbolt port, I was able to finally see the USB-C controller via lspci in dom0. I was able to shut down sys-usb and attach the controller to sys-usb (Devices tab in Qubes Settings for sys-usb) and USB-C items then became visible when I started sys-usb again.

But, on a reboot, if no USB was plugged in to the port, sys-usb would fail to start up at all because the controller (aka the "device" I had attached) was no longer there.

(Also, even when a usb-c item was plugged in at boot and mounted, disconnecting the item and connecting something else (like a displayport cable for external monitor, which worked) left me unable to re-connect the usb-c item, but this may be because I did not set "no-strict-reset" -- I never bothered to fiddle with that when I realized the prior mentioned boot issue).

This is all kind of a bummer because it means that effectively I can't use usb-c to attach anything like a storage device, yubikey, etc on this machine with Qubes. On the other hand I realize the Thunderbolt system generally and perhaps specifically the way Lenovo/ThinkPad machines handle exposing USB buses on Thunderbolt raise some unique challenges.

(The one thing that I do wonder is if is necessary for sys-usb to bail out on boot when an assigned device is not present, maybe there could be a system for transient but assigned devices to be allowed to come online post boot? No idea how feasible this is.)
Re: [qubes-users] sys-net not starting and no vms booting
dubstepcombust...@gmail.com:
> Qubes OS version: R4:0
>
> Hey everyone, bear with me as I am somewhat of a noob to Qubes, and haven't been on in awhile due to this issue which I have held on the backburner. So one day, everything on Qubes was running fine and smoothly, until I (stupidly) decided to hard-shutdown my computer with all my vms still up and running, and when I booted back on again, I was met with Qubes not working at all. As far as booting is concerned, everything appeared to be fine, but sys-net would not start, and somehow, the debian-9 template private vm file was gone.

Might be missing something, but if you can still get in to the Qubes desktop, can't you use Qubes Backup to backup your AppVMs? Exclude the broken template(s) from backup. Then reinstall Qubes, restore your AppVMs, and link them back up to the newly installed templates if needed.

--
Mailing list etiquette:
- don't top post
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots
[qubes-users] Re: Does qubes block usb on thunderbolt port?
On Wednesday, January 8, 2020 at 6:19:54 AM UTC-5, Ryan Tate wrote:
> Does qubes block USB data on Thunderbolt ports?

So a few things:

1. Qubes has pcie hotplug disabled in the dom0 kernel, which TB uses for PCIe-based thunderbolt devices. This is disabled for security reasons.
2. The TB alternate mode that supports USBs might not instantiate the PCIe USB controller it connects through *until a USB device is connected to that port*.
3. Therefore...depending on BIOS support...you *might* be able to have a USB device seen by qubes if the USB device is plugged in at power-on. Even if that works, it might be on a USB PCIe controller that is not already attached to your sys-usb (if you have one).
4. If it does work, you might want to create a sys-usb-c which you run only after connecting a device to the port at boot time, and assign the (usually hidden) PCIe USB controller to that VM only.

Brendan
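One way to act on the suggestion above, as an added example that is not Brendan's or the Qubes project's code: a dom0 shell guard that starts a separate `sys-usb-c` qube only when its PCIe USB controller is actually enumerated. The PCI ident `3c_00.0` is a placeholder, and the helper names and the constructed sysfs tree used for the dry run are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed one-time setup in dom0, with the
# real ident taken from `qvm-pci` while a device is plugged into the port:
#   qvm-pci attach --persistent sys-usb-c dom0:<ident>
#   qvm-prefs sys-usb-c autostart False   # a missing controller must not block boot

# Convert a Qubes PCI ident ("00_14.0") to a sysfs address ("0000:00:14.0").
# Assumes PCI domain 0000; rejects anything that is not bus_device.function.
qubes_ident_to_sysfs() {
    case "$1" in
        [0-9a-f][0-9a-f]_[0-9a-f][0-9a-f].[0-7]) ;;
        *) return 1 ;;
    esac
    printf '0000:%s:%s\n' "${1%%_*}" "${1#*_}"
}

# Succeeds only if the device is enumerated right now AND is a USB host
# controller (PCI class 0x0c03xx), so a different device that happens to
# appear at the same address is not handed to the USB qube.
usb_controller_present() {   # $1 = Qubes ident, $2 = sysfs root (default /sys)
    _addr=$(qubes_ident_to_sysfs "$1") || return 2
    _dir="${2:-/sys}/bus/pci/devices/$_addr"
    [ -r "$_dir/class" ] || return 1
    _class=$(cat "$_dir/class")
    case "$_class" in
        0x0c03*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print "start" when the qube can be started safely, otherwise "skip".
sys_usb_c_action() {         # $1 = Qubes ident, $2 = sysfs root (optional)
    if usb_controller_present "$1" "$2"; then
        echo start
    else
        echo skip
    fi
}

# Intended to be called by hand or from a login script in dom0.
start_sys_usb_c() {          # $1 = qube name, $2 = Qubes ident
    if [ "$(sys_usb_c_action "$2")" = start ]; then
        qvm-start "$1"
    else
        echo "controller $2 not enumerated; leaving $1 stopped" >&2
        return 1
    fi
}

# Dry run against a constructed sysfs tree so the logic can be seen offline.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bus/pci/devices/0000:3c:00.0"
echo 0x0c0330 > "$demo_root/bus/pci/devices/0000:3c:00.0/class"
echo "device plugged in at boot: $(sys_usb_c_action 3c_00.0 "$demo_root")"
rm -rf "$demo_root"
echo "port empty at boot:        $(sys_usb_c_action 3c_00.0 "$demo_root")"
```

On a real system the call would be `start_sys_usb_c sys-usb-c <ident>`; the regular sys-usb keeps its own controllers and starts as usual.
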
Re: [qubes-users] Are there any security benefits of setting up standalonevm instead of appvm?
On 2020-01-08 12:30, Vasiliy wrote:
> Are there any security benefits of setting up standalonevm instead of appvm?
>
> 1. Thunderbird and other communication tools sometimes can be compromised and malicious code can affect all programs installed. I am scared that even if I don't use a program in an appvm, it can indirectly reduce my security.

If this happens in an HVM you are already toast. If it gets pulled into a template while passing the signature test it lies dormant until you run that app in the AppVM, and the system volume is non-persistent there, so the binary blob that the hack downloads onto your system will not stay resident on the system volume. It will likely have to repeat the download each time the AppVM is launched, or recognize that it's a Qubes system and find an alternate way to maintain persistence. That is a much higher bar to hurdle than simply installing that binary blob.

> 2. If an attacker will successfully replace packages while updating the template, they will have full access to all my appvms. I know that Tor somewhat protects from it, but it can still happen.

It only gains access if it is run, and if run in an AppVM it only has temporary access to that one AppVM. While that does not keep it from phoning home to the mother ship and sending all your stuff, it still will have a hard time becoming persistent. If the sending your stuff bothers you then think carefully about locking down the firewall rules for each AppVM so long as you know what each AppVM is supposedly for.

Example: I have an AppVM called Email. Its only job is to protect the rest of my system from external threats. The networking is set up with a default deny firewall and only the authentication and mail servers are permitted access. Anything else raises a red flag and my system informs me of the problem. If I click on anything malicious like a hacked PDF it's opened in a one-time-use DispVM. Anything else is blocked from downloading its payload.

Steve
Re: [qubes-users] Are there any security benefits of setting up standalonevm instead of appvm?
On Wed, Jan 08, 2020 at 06:30:32PM +0100, Vasiliy wrote:
> Are there any security benefits of setting up standalonevm instead of appvm?

dont see any. if anything, it might reduce your security posture.

i consider the volatility of the root volume of a templated appvm a good thing. not really a strong/hard security feature, but it certainly will make it harder for non qubes-aware evils to persist, or for you to wreck things by accident.

> 1. Thunderbird and other communication tools sometimes can be compromised and malicious code can affect all programs installed. I am scared that even if I don't use a program in an appvm, it can indirectly reduce my security.

this is the "a computer is more secure without a compiler installed" cult. i am not the only one to not participate in that.

> 2. If an attacker will successfully replace packages while updating the template, they will have full access to all my appvms. I know that Tor somewhat protects from it, but it can still happen.

if attacks on update mechanism bother you, adding more VMs that need updating just increases the problem.

and tor does not protect you from this. at all. it may actually make you more visible and easier to attack in this way. this depends on your threat model, mostly on whether you believe that you are targeted a) as an individual, b) as a job function, c) as a qubes user or d) in general.

> 3. Proprietary software may monitor activities of other programs even if I don't use it. Similar to what snap does (runs in the background and updates software without any interaction with the user) some proprietary programs may do the same even if I don't use them.

"dont run software in places where you dont want it to run" should cover this. note the term "run", not "install".

it seems to be just another weird variant of (1). if your systems execute stuff without your consent, you already have a decent size problem.

and considering f.ex. less than 256 byte sized generic evils that download arbitrary sized payloads from network and execute it, i dont see that an attacker that can execute stuff on your system needs your help in installing the stuff for him.

> I would be happy to hear your opinions on this topic. Maybe you want to point out where I am incorrect or have some advantages and disadvantages that should be considered, except of usability. Thank you in advance.

if you really are a believer in the (1)+(3) things, and are willing to risk the additional exposure that comes from (2) with lots of roots, going with lots-of-templates (that have one appvm each) still seems to be much better than lots-of-standalones.
Re: [qubes-users] Are there any security benefits of setting up standalonevm instead of appvm?
On 1/8/20 12:30 PM, Vasiliy wrote:
> Are there any security benefits of setting up standalonevm instead of appvm? For instance, having 5 standalonevms based on minimal template with one program installed in each instead of having 5 appvms for one program in each based on a default template with all programs installed (for example, fedora-30)
>
> I am mainly worried about 3 things:
>
> 1. Thunderbird and other communication tools sometimes can be compromised and malicious code can affect all programs installed. I am scared that even if I don't use a program in an appvm, it can indirectly reduce my security.
> 2. If an attacker will successfully replace packages while updating the template, they will have full access to all my appvms. I know that Tor somewhat protects from it, but it can still happen.
> 3. Proprietary software may monitor activities of other programs even if I don't use it. Similar to what snap does (runs in the background and updates software without any interaction with the user) some proprietary programs may do the same even if I don't use them.
>
> I would be happy to hear your opinions on this topic. Maybe you want to point out where I am incorrect or have some advantages and disadvantages that should be considered, except of usability. Thank you in advance.

IMO the only benefits of using standalone is configuration flexibility when one or more packages directly conflicts with Qubes' template system. It can also simplify the process of temporarily trying a complex new app or configuration.

There are no security benefits. I don't think the package updates threat is what you think, since you still have to update your standalone VMs to keep them secure anyway. Plus you now have many more updates to run. Updates should all be cryptographically signed, so in any realistic scenario they should be the least of your worries.

OTOH, using your apps on standalone vms could result in a successful attack against them leading to the guest OS being compromised. This is a more realistic threat, and using template-based vms helps protect against it – the OS is clean again when you restart the vm.

Snap or flatpak may actually be a part of your ideal solution. I think there are Qubes instructions for using them with template-based Appvms. If not, you could use template-based Appvms and command them to install the desired packages each time the vm starts.

Another thing that might help you is my Qubes-VM-hardening project. It allows you to perform automatic checks and run scripts, and disable /rw-based malware on vm startup:

https://github.com/tasket/Qubes-VM-hardening

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
[qubes-users] Are there any security benefits of setting up standalonevm instead of appvm?
Are there any security benefits of setting up standalonevm instead of appvm? For instance, having 5 standalonevms based on minimal template with one program installed in each instead of having 5 appvms for one program in each based on a default template with all programs installed (for example, fedora-30)

I am mainly worried about 3 things:

1. Thunderbird and other communication tools sometimes can be compromised and malicious code can affect all programs installed. I am scared that even if I don't use a program in an appvm, it can indirectly reduce my security.
2. If an attacker will successfully replace packages while updating the template, they will have full access to all my appvms. I know that Tor somewhat protects from it, but it can still happen.
3. Proprietary software may monitor activities of other programs even if I don't use it. Similar to what snap does (runs in the background and updates software without any interaction with the user) some proprietary programs may do the same even if I don't use them.

I would be happy to hear your opinions on this topic. Maybe you want to point out where I am incorrect or have some advantages and disadvantages that should be considered, except of usability. Thank you in advance.
Re: [qubes-users] Qubes, boot from SD card?
On 1/8/20 10:39 AM, gorked wrote:
> I see some mention of booting from SD on some board somewhere. My question being, If I purchased an intel based Chromebook with 4 GB RAM, and a 16 GB SSD. Could I boot QUBES or other Linux on it.

There are some Chromebooks listed in the HCL, but there is no guarantee Qubes will work on just any Chromebook.

Also, 4GB should be OK for running a single Appvm. To give apps more room to operate comfortably I would limit all the sys-* VMs to 300MB RAM, and limit dom0 to 1GB RAM (this is what I do on my 8GB systems and it lets me run 4-5 Appvms comfortably).

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] Qubes, boot from SD card?
On Wed, Jan 08, 2020 at 07:39:12AM -0800, gorked wrote:
> My question being, If I purchased an intel based Chromebook with 4 GB RAM, and a 16 GB SSD. Could I boot QUBES or other Linux on it.

4GB ram is not enough to use qubes. 8GB ram _might_ work if you were a really experienced qubes ninja or just want to try it out for a weekend.

using qubes on a chromebook with 16GB ram works ok, including boot from internal mmc or micro-sd. the storage performance is horrible though. "my default_qrexec_timeout is 300" level horrible. (this means the default-default of 1min timeout for vm startup was hit so frequently that i changed it to 5min...)

and i would still recommend doing mild ram-usage ninjaing with 16GB, like using mirage for firewall and ssh-agent, and clamping down maxmem of a lot of vms.
[qubes-users] Invitation to a Qubes install party in Cologne, Germany
Dear readers of the qubes-users list,

on January 22nd we are hosting a Qubes install party for German speaking people in Cologne, Germany. For more information please read the text below.

Hello readers of the Qubes mailing list,

in January we are meeting on *22.01.2020* at Zollstockgürtel 59 (Building 2, 1st floor), 50969 Köln

Start: 18:00
End: 22:00
Topic: Introduction to Qubes OS, including an "install party"

We, the Kölner Kreis, would like to introduce you on January 22, 2020 to an operating system that is still relatively unknown but also relatively secure: Qubes OS. Those who have been with us a little longer may remember that we already did this once, on July 15, 2017. This time there will be somewhat less space, but it will be just as nice!

Qubes OS is a freely available, Linux-based operating system that puts IT security in focus and, to that end, makes particular use of virtualization techniques. Qubes OS serves as a workstation environment, so it can be used for the everyday IT work of scientists, researchers, users, decision makers and so on, that is, (with a little help) by almost anyone. In our team we have had Qubes in daily use for 3.5 years. More and more people are installing and using Qubes; the system has been available in a stable version since 2012. Qubes was originally developed by the team around the Polish IT security researcher Joanna Rutkowska (The Invisible Things Labs).

Qubes already convinced us as business users in 2016, and now we would like to invite you to our "Qubes OS user meeting" to give you a first introduction to the system and its fundamentals. The second part offers the opportunity to work with Qubes yourself in a guided install party.

Martin Wundram, a daily user with almost 4 years of experience with and familiarity with the OS, will guide you through the event. First he presents the essential fundamentals and concepts of Qubes and briefly compares the system with various alternatives. He explains for whom Qubes can be particularly worthwhile and what characterizes the system. For this he presents Qubes live.

The second part is an install party. Any participant who is interested can install Qubes on a device they bring along, with our help, set up a basic configuration and gain first experience. We will also bring some devices to try out, so it is worthwhile even for those who do not have a device of their own.

Participation in the event is free of charge. However, prior registration is required because the number of participants is limited. You can register with a simple e-mail to schw...@digitrace.de.

Venue: DigiTrace, Zollstockgürtel 59 (Building 2, 1st floor), 50969 Köln

We look forward to seeing you

Lara Schwarz
[qubes-users] Qubes, boot from SD card?
I see some mention of booting from SD on some board somewhere. My question being, If I purchased an intel based Chromebook with 4 GB RAM, and a 16 GB SSD. Could I boot QUBES or other Linux on it.
[qubes-users] Re: Qubes OS 4.0.2 has been released!
Hi Andrew, I installed 4.0.2 on my Dell Inspiron 5593 without new issues. The answer to the following question seems to have been implied in earlier responses, but I'd just like an explicit clarification: Can the "critical kernel bug" affect my security in any way?
[qubes-users] Re: Qubes booting in machine with Windows and Linux
Any other recommendations? Thanks!
[qubes-users] Re: Qubes OS 4.0.2 has been released!
Dear Qubes Community,

Shortly after this announcement was originally sent, a bug was discovered in the dom0 kernel included in Qubes 4.0.2:

https://github.com/QubesOS/qubes-issues/issues/5553

Since this bug would present installation problems for the majority of users, we have temporarily removed it from the Downloads page and reinstated the latest release candidate (Qubes 4.0.2-rc3) in its place.

On 2020-01-02 8:21 PM, Andrew David Wong wrote:
> Dear Qubes Community,
>
> We're pleased to announce the release of Qubes 4.0.2! This is the second stable point release of Qubes 4.0. It includes many updates over the initial 4.0 release, in particular:
>
> - All 4.0 dom0 updates to date
> - Fedora 30 TemplateVM
> - Debian 10 TemplateVM
> - Whonix 15 Gateway and Workstation TemplateVMs
> - Linux kernel 4.19 by default
>
> Qubes 4.0.2 is available on the Downloads page:
>
> https://www.qubes-os.org/downloads/
>
> What is a point release?
>
> A point release does not designate a separate, new version of Qubes OS. Rather, it designates its respective major or minor release (in this case, 4.0) inclusive of all updates up to a certain point. Installing Qubes 4.0 and fully updating it results in the same system as installing Qubes 4.0.2.
>
> What should I do?
>
> If you installed Qubes 4.0 or 4.0.1 and have fully updated, then your system is already equivalent to a Qubes 4.0.2 installation. [1] No further action is required.
>
> Similarly, if you're currently using a Qubes 4.0.2 release candidate (4.0.2-rc1, 4.0.2-rc2, or 4.0.2-rc3), and your system is fully updated, then your system is equivalent to a 4.0.2 stable installation, and no additional action is needed. [1]
>
> Regardless of your current OS, if you wish to install (or reinstall) Qubes 4.0 for any reason, then the 4.0.2 ISO makes this more convenient and secure, since it bundles all Qubes 4.0 updates to date.
>
> *Note:* At 4.5 GiB, the Qubes 4.0.2 ISO will not fit on a single-layer DVD (for the technical details underlying this, please see issue #5367). [2] Instead, we recommend copying the ISO onto a sufficiently large USB drive. [3] However, if you would prefer to use optical media, we suggest selecting a dual-layer DVD or Blu-ray disc.
>
> Thank you to all the release candidate users for testing this release and reporting issues! [4]
>
> [1] https://www.qubes-os.org/doc/updating-qubes-os/
> [2] https://github.com/QubesOS/qubes-issues/issues/5367
> [3] https://www.qubes-os.org/doc/installation-guide/#copying-the-iso-onto-the-installation-medium
> [4] https://www.qubes-os.org/doc/reporting-bugs/
>
> This announcement is also available on the Qubes website:
> https://www.qubes-os.org/news/2020/01/02/qubes-4-0-2/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] How to use QEMU with Qubes?
January 7, 2020 7:43 PM, "Guerlan" wrote:
> I understand that HVM uses QEMU to emulate some devices and BIOS. However, what if I want to have total control of QEMU?
>
> What if there's an OS for which there's a QEMU tutorial and I want to do exactly what is in the tutorial but in Qubes?
> Do I need Qemu on dom0? dom0 has qemu-img-xen and qemu-nbd-xen. What are they for?
>
> Or does QEMU run inside xen, not in dom0?

Xen uses QEMU just to emulate virtual hardware devices for HVMs, not for the actual virtualization. "Normal" Qemu is actually Qemu/KVM, which is not supported on Xen as far as I know. The next best thing is to create an HVM, see https://www.qubes-os.org/doc/standalone-and-hvm/#installing-an-os-in-an-hvm

qemu-img-xen is used for formatting image files or block devices for VMs. qemu-nbd-xen is for network block devices, though I'm not sure if/how they're used in Qubes.
Re: [qubes-users] Re: No Suspend/Resume on Dell Latitude 7400 (i5-8365U) with 4.0.2rc3
January 8, 2020 12:10 AM, "Guerlan" wrote:
> On Tuesday, January 7, 2020 at 8:41:31 PM UTC-3, Claudia wrote:
>
>> January 7, 2020 6:08 PM, "Guerlan" wrote:
>> > On Monday, January 6, 2020 at 12:43:40 AM UTC-3, Claudia wrote:
>>> January 6, 2020 3:14 AM, dmoe...@gmail.com wrote:
>>> > On Sunday, January 5, 2020 at 9:49:42 PM UTC-5, Guerlan wrote:
>> can you tell me how you figured this out? I've been trying to fix a suspend bug in mine and it'd be helpful to know how you debugged things
>
> Mostly trial and error, trying all the things listed above. Two little tricks to use:
>
> 1. Look at the end of journalctl right before it tries to suspend. This is where I saw that it was going into s2idle, which then brought me to this thread:
>
>> https://groups.google.com/forum/#!msg/qubes-users/TmGDlkluJgM/1BFsQZWNDAAJ;context-place=forum/qubes-users
>
> This Dell did not have the lack of S3 that the new Thinkpads have, but it did still try to use s2idle.
>
>> /sys/power/mem_sleep will list supported modes, with the default in brackets. You can echo to it to set the default at runtime, or use the boot parameter.
>>>
>>> [lz@dom0 ~]$ cat /sys/power/mem_sleep
>>> s2idle [deep]
>>>
>>> What does this mean? It means that it detected only s2idle or that my system does not support suspend to RAM? I've used Ubuntu and Fedora and lid closing always worked, I just don't know if it was idle or to ram or other thing.
>>
>> This means that s2idle mode and deep mode are the two modes supported by your machine, and that deep is the mode that will be used for sleep when no specific mode is specified, such as using the lid switch or the logout menu or systemctl suspend for example. In OP's case, deep is manually set as default using the kernel parameter mem_sleep_default=deep. Generally the kernel chooses the deepest mode supported (s2idle -> shallow -> deep) to be the default, but on some machines the kernel will choose s2idle as the default even if deep is supported.
>>
>> https://www.kernel.org/doc/html/v4.18/admin-guide/pm/sleep-states.html#basic-sysfs-interfaces-for-system-suspend-and-hibernation
>
> Thanks! I now understand how it works. I've checked and indeed my system defaults to deep. I tried s2idle by doing echo freeze > /sys/power/state and the screen turns off but the keyboard keeps with lights on. Pressing buttons does nothing. Pressing touchpad, nothing. Pressing power rapidly, nothing. Had to reboot by long pressing power. Shouldn't s2idle always work since it's software based?

I don't know much about s2idle, but yes, in theory it should be the most reliable of the sleep states. It could be a graphics driver issue. However, from your log it looks like it's still entering deep sleep.

> I have no other ideas. If someone knows a little more on how to debug, I'd be glad. Remember that I found this error in ACPI https://github.com/QubesOS/qubes-issues/issues/ on dmesg. It indicates that ASPM does not work. Maybe this is crucial?

Debugging suspend is a long and complicated process. I don't want to get any more off-topic in this thread. Please start a new thread for your machine detailing everything you've tried so far, including logs and any other relevant information, so it's all in one place.
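The `/sys/power/mem_sleep` format discussed in the message above, as an added example that is not part of the thread: a POSIX shell parser that extracts the bracketed default and flags the case where deep is supported but is not the default. The function names are made up for this illustration, and the sample lines other than `s2idle [deep]` are constructed.

```shell
#!/bin/sh
# Interpret one line in the format of /sys/power/mem_sleep, e.g. "s2idle [deep]".
# The bracketed entry is the mode used when no mode is named explicitly
# (lid switch, logout menu, systemctl suspend).
# Function names are illustrative; they are not part of Qubes or the kernel.

# Print the default (bracketed) mode; fail if the line has no bracketed entry.
mem_sleep_default() {
    case "$1" in
        *\[*\]*) d=${1#*\[}; printf '%s\n' "${d%%\]*}" ;;
        *) return 1 ;;
    esac
}

# Succeed if mode $2 is listed in line $1, as the default or otherwise.
# Quoted patterns keep "[deep]" from being read as a glob character class.
mem_sleep_supports() {
    case " $1 " in
        *" $2 "*|*" [$2] "*) return 0 ;;
    esac
    return 1
}

# Summarise a line and flag the case described in the thread: deep is
# supported but the kernel picked a shallower default such as s2idle.
mem_sleep_report() {
    def=$(mem_sleep_default "$1") || { echo "unparseable"; return 1; }
    if ! mem_sleep_supports "$1" deep; then
        echo "default=$def deep=unsupported"
    elif [ "$def" = deep ]; then
        echo "default=$def deep=available"
    else
        echo "default=$def deep=available hint=mem_sleep_default=deep"
    fi
}

# First line is the output quoted in the thread; the other two are constructed.
# On a live system pass "$(cat /sys/power/mem_sleep)" instead.
for line in 's2idle [deep]' '[s2idle] deep' '[s2idle]'; do
    printf '%-14s -> %s\n' "$line" "$(mem_sleep_report "$line")"
done
```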
[qubes-users] Does qubes block usb on thunderbolt port?
Does qubes block USB data on Thunderbolt ports? On my ThinkPad X1 Carbon gen5, I can use my thunderbolt 3 ports fine for display and for power. However, Qubes does not seem to recognize a usb-c flash stick or a usb-c yubikey plugged into these ports (the only usb-c ports). (The flash stick has usb-a as well, on the other side, and it shows up fine in sys-usb when I plug it in that way.) I poked around in the BIOS to ensure there is no BIOS issue but even at the "no security" setting I encounter this issue. I thought I would just double check to see if Qubes might be involved in this issue since there are various security considerations around Thunderbolt in play (and I couldn't quite follow prior discussions of Qubes + Thunderbolt). I'm on 4.0.1 or 4.0.2. Thanks for any help. Ryan
[qubes-users] Split GPG refresh keys in work-email
I am trying to refresh public keys of my contacts that I previously imported to the backend work-gpg with [user@work ~]$ qubes-gpg-import-key ~/Downloads/whateverkey.asc. How do I refresh the keys, sitting in the offline work-gpg now? I tried to use qubes-gpg-client --refresh-keys but the command is not recognized. Will I need to do it manually with every key? ^^ Thank you!