[qubes-users] Re: Android-x86 7.1-r2 with GAPPS installation guide

[christophe . vial . 974]

Hi, I'm also trying to build an ISO with gapps. I'm following the updated 
instructions, but I'm stuck at the configure kernel part, I don't 
understand what I am supposed to do in the menuconfig. And I don't know 
where to edit the parameters for XEN and SELINUX. Someone could provide me 
instructions about what to do ? 
Thanks

> .
> # Configure kernel:
> /usr/bin/make -C kernel O=$OUT/obj/kernel ARCH=x86_64 menuconfig
>
>
> # You need to edit these parameters:
> XEN=yes
> XEN_BLKDEV_BACKEND=yes
> XEN_BLKDEV_FRONTEND=yes
> XEN_NETDEV_BACKEND=no
> XEN_NETDEV_FRONTEND=no
> SECURITY_SELINUX_BOOTPARAM=yes
> SECURITY_SELINUX_BOOTPARAM_VALUE=1
> SECURITY_SELINUX_DISABLE=yes
> DEFAULT_SECURITY_SELINUX=yes
>
>
> # The kernel config will be in out/target/product/x86_64/obj/kernel/.config
>
> # Also, you can edit the config to set the device type from tablet to 
> phone.
> # Edit device/generic/common/device.mk and change PRODUCT_CHARACTERISTICS 
> from tablet to default:
> PRODUCT_CHARACTERISTICS := default
>
>
> # Start the build:
> make -j$( nproc --all ) iso_img
>
> While the ISO boots and installs and the mouse works fine, the system 
> can't get past the initial Google first run wizard. After clicking the 
> button to set up a new device (vs transferring from an existing phone), the 
> screen turns black, and it doesn't go anywhere. It's still responsive - I 
> can click on the back button, and it will get highlighted as if I had 
> actually clicked it. However, nothing happens.
>
> Thoughts?
>
> On Wednesday, December 18, 2019 at 2:21:19 PM UTC-6, arthur...@gmail.com 
> wrote:
>>
>> So, I managed to get the instructions to work (albeit with a few 
>> modifications - I'll post them when/if I can figure out the GApps issue). 
>> However, I'm having issues whenever I try to include and compile GApps. I 
>> can confirm that Android-x86 will build successfully on its own, but when I 
>> include GApps in my device.mk, I get a lot of these after every GApps 
>> app build:
>>
>> End-of-central-directory signature not found. Either this file is not a 
>> zipfile, or it constitutes one disk of a multi-part archive. In the latter 
>> case the central directory and zipfile comment will be found on the last 
>> disk(s) of this archive.
>>
>>
>> I then get these for each app before it all fails:
>>
>> Unable to open 
>> 'out/target/product/x86_64/obj/APPS/PixelLauncherIcons_intermediates/package.apk'
>>  
>> for verification
>>
>>
>> I've got the complete log, my device.mk, etc, but does anyone know 
>> what's up?
>>
>> On Thursday, December 12, 2019 at 9:20:54 PM UTC-6, arthur...@gmail.com 
>> wrote:
>>>
>>> Are the instructions in the first post edited and updated, or are there 
>>> more recent instructions which should be used? I'm personally interested in 
>>> an image with GApps (I downloaded the nogapps ISO and tried to somehow 
>>> install GApps, but to no avail - I wasn't sure if the image provided up 
>>> near the start of the thread was functional). If there are updated/verified 
>>> instructions that could be provided, that would be awesome!
>>>
>>> On Saturday, April 27, 2019 at 6:29:08 PM UTC-5, alex.j...@gmail.com 
>>> wrote:

 On Saturday, April 27, 2019 at 9:35:19 PM UTC, alex.j...@gmail.com 
 wrote:
 > On Thursday, April 25, 2019 at 10:20:32 PM UTC, Daniil Travnikov 
 wrote:
 > > I am stuck on this process already twice.
 > > 
 > > When I put the command
 > > 
 > > Download sources:
 > > repo sync --no-tags --no-clone-bundle --force-sync -j$( nproc --all 
 )
 > > 
 > > 
 > > and when it show this:
 > > 
 > > 
 > > From git://git.osdn.net/gitroot/android-x86/platform/frameworks/av
 > >  * [new branch]  nougat-x86 -> x86/nougat-x86
 > > Fetching project platform/external/android-clat
 > > remote: Counting objects: 1, done
 > > remote: Finding sources: 100% (793/793)   
 > > remote: Total 793 (delta 244), reused 793 (delta 244)
 > > Receiving objects: 100% (793/793), 517.38 KiB | 0 bytes/s, done.
 > > Resolving deltas: 100% (244/244), done.
 > > From 
 https://android.googlesource.com/platform/external/android-clat
 > >  * [new tag] android-7.1.2_r36 -> android-7.1.2_r36
 > > 
 > > 
 > > I got nothing, I mean it's look like freeze.
 > 
 > Did you try to remove downloaded repo and sync it again from scratch? 
 The OpenGAPPS repo changed, see below, maybe it's somehow related.
 > 
 > I'd recommend to build Android 8 release, the mouse works fine there. 
 Also the Settings bug is fixed if you use userdebug build variant instead 
 of eng.
 > The guide in the same as in first post except:
 > 
 > Android 8 will take 211GB to build. I've build it with 32GB RAM 
 without swap, maybe it'll work with less RAM.
 > 
 > repo init -u git://git.osdn.net/gitroot/android-x86/manifest -b 
 oreo-x86 -m 

[qubes-users] Re: HCL - Dell Latitude E5470 + Docking Station

[brendan . hoar]

On Monday, May 11, 2020 at 6:13:21 PM UTC-4, Rafael Reis wrote:

> My only concern right now is the decisions for the GUI of Qubes 4.1. I 
> wonder if the separation of the GUI and dom0 would result in 
> incompatibility with E5470 or even a big decrease in performance. This 
> thing is perfect for Qubes if your threat model isn't government agencies 
> high.
>

Following the developer discussion, my understanding is that for Qubes 4.1, 
GUI/dom0 separation will be an optional feature and not the default. 

Brendan

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ee3bd705-b849-4924-88fb-871db3d69cb6%40googlegroups.com.

Re: [qubes-users] Dividing Qubes Into Separate Networks (FAILED)

['Matt Drez' via qubes-users]

> 

> Hello. I have a similar setup but without a VLAN - never been a fan. I have a 
> 4-port pfsense router (community edition on a Protectli appliance), a couple 
> of small unmanaged switches and a couple of ubiquiti APs. I cloned sys-net & 
> sys-firewall to, say, sys-net-play & sys-firewall-play.
> 

> My Qubes box has 2 wired NICs - one is assigned the default network, the 
> other play. I added a new DHCP scope to the pfsense for play (typical 
> consumer class c), tossed a couple of firewall rules on the pfsense box for 
> both subnets to prevent traffic between them. Each LAN has its own switch and 
> AP.
> 

> From my Qubes box, I can assign either network to any VM. In fact, I do just 
> that to remote control some hobby gear I have on the play net.
> 

> I am wondering it you might need to use two wired NICs.
> 

> DG
> 


I also have an almost identical setup. I wanted to do what you were attempting 
(Zsolt) but had the same outcome so I quit trying . I thought it's not 
possible. I tried following this old article but the commands did no longer 
work the same way 
https://blog.invisiblethings.org/2011/09/28/playing-with-qubes-networking-for-fun.html

I am not sure if your goal is feasible at all. It didn't work for me but I am 
fairly new to Linux so actually don't listen to me lol :)

I have the quad port commercial pfsense netgate appliance but I only use an 
unmanaged switch unlike your unifi. I could not make the VLAN work. I ended up 
just having 1 sys-net and separate everything with two firewalls and can chose 
on each VM which route to take similar to what DG was saying. 


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/vJaU6dX1Zkc3SjX0EDCoe7QltXRINfCPUqlmF-IdTMqmLhUaDME2QbK1uoXbAxb-JehfXTpoLt3LJGzPAdv0M6bl3JWD8X0nZAgm-qTOv50%3D%40pm.me.


publickey - mattdrez@pm.me - 0x8196D0F4.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature

[qubes-users] Re: HCL - Dell Latitude E5470 + Docking Station

[Rafael Reis]

Hey Andrew!

Sorry for the late reply, haven't checked the mailing list in a while. 

I have a 5470 service tag # 5V2GBG2 
You may see the full original config here 

. 

Basically it came stock with a quad core i7-6820HQ. Sata drive with the 
tiny sata cable. No m.2 bracket or SSD installed to the NVME ngff slot. 
Nothing installed on the wwan ngff slot, and intel's wifi card installed to 
the ngff wireless slot. 

It has 3 ngff slots (M.2 NVME, WIFI, WWAN) keyed differently (Key A, B etc) 
and the sata data+power cable for 1 sata drive.

I've upgraded ram to 2x8GB DDR4, removed the stock sata hdd and replaced it 
with a sata ssd. Since I needed more capacity than performance, I got a 
512GB Crucial BX500. It was way more affordable than an nvme drive atm, and 
I didn't have the m.2 bracket either, which would mean I would only be able 
to secure the nvme ssd with double sided tape or other improvised solution. 
The BX500 is known to have an exploitable hardware encryption, so be 
advised to use only software encryption on that drive.

That drive became my Windows 10 drive, GPT / UEFI enabled.
Started using Qubes on a USB 3.0 64GB flash drive, it worked pretty well 
considering the constraints, but decided I needed a drive for Qubes itself.

After some deep research I discovered that the WWAN slot indeed takes a 
SATA M.2 SSD. (source 

).
You'd better go for the shorter ones, otherwise they'll collide with the 
inner plastic frame and won't fit. I believe you can fit 32 and 40mm length 
drives without any trouble.  I couldn't find an affordable SATA M.2 with at 
least 256GB for Qubes (that was my personal need), so I ended up getting a 
regular 80mm lenght one. To make it fit, I had to "mod" the inner plastic 
frame, and disassemble 50% of the laptop.  I opted simply to break pieces 
of the plastic frame in order to free space for the lengthier drive. Then, 
I isolated the surroundings with tape and secured the ssd (don't remember 
how, if I was able to bolt it in, tape it, or pressure). The SSD I used in 
the WWAN port is https://www.lexar.com/portfolio_page/ssd-nm100/ 256GB 
version

You have to change BIOS settings under drive configuration to enable the 
required sata ports. 

Initialized that drive as GPT, and installed Qubes to it.

You are right regarding the "dual boot". I don't have Grub. I use the 
"BIOS" UEFI bootmanager to choose which OS I'd like to boot. All I have to 
do is press F12 after powering up. I've renamed Qubes to Recovery, so it is 
inconspicuous. Default boot drive is the BX500 with windows. 

The level of compatibility of the E5470 with Qubes is outstanding. The 
performance is incredible.
The only thing that didn't work OOB was the SD card reader, which was 
easily fixed by opting to  kernel-latest . Docking station works 100%, with 
multiple monitors. Even 2 monitors + laptop monitor works perfectly. I wish 
it was possible to nuke Intel ME on 6th gen laptops and have it fully 
Opensource. It would make a great candidate for certification.

My only concern right now is the decisions for the GUI of Qubes 4.1. I 
wonder if the separation of the GUI and dom0 would result in 
incompatibility with E5470 or even a big decrease in performance. This 
thing is perfect for Qubes if your threat model isn't government agencies 
high.

Hope I could help, and let me know if you have further questions.
Em quarta-feira, 6 de maio de 2020 20:51:29 UTC-3, andrew@gmail.com 
escreveu:
>
> Hi Rafael
>
> Interested to see you got an SSD drive to work in the WWAN slot in your 
> E5470. Could you tell me what drive you used, and the spec for your laptop. 
> Am I right in thinking that you have Windows installed on one drive and 
> Qubes on the other, and that you actually choose which drive to boot from 
> at power up? So it's not "dual-boot" in the usual sense (ie multiple OSs on 
> the same drive)?
>
> Thanks
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f9156423-0ca7-4db4-909a-5020e891f47d%40googlegroups.com.

Re: [qubes-users] What's your flow for new templateVM?

[ryantate via qubes-users]

On Monday, May 11, 2020 at 6:02:06 PM UTC-4, ryan...@ryantate.com wrote:
>
>
>
> Very intriguing. I am looking at
>
> https://docs.saltstack.com/en/latest/ref/states/all/salt.states.pkg.html
>
> https://www.qubes-os.org/doc/salt/
>
> lmk if there is anything else I should read!
>

(To be clear, I'm just starting to read these) 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f77d5515-26c2-4345-b7bb-022abaeb57fa%40googlegroups.com.

Re: [qubes-users] What's your flow for new templateVM?

[ryantate via qubes-users]

On Monday, May 11, 2020 at 11:11:45 AM UTC-4, unman wrote:

> If you want to install a package, don't open the template and install it 
> there, edit the install.sls file to include the package, and run 
> `qubesctl --skip-dom0 --targets=  state.apply install` 
>


Dumb question, where is install.sls (or where should I create it)? I poked 
around in /srv in dom0 but still not sure
 

>
> I have full systems set up in salt to customise a new install as I want, 
> with new templates and different setups. Sometimes it can be a bit 
> shaky, and you *have* to check the logs, but it's great to run the full 
> state, have a coffee, and come back to a fully configured system. 
> For travel, I have a minimum state I can download and apply, to get a 
> workable system with gpg, vpn, ssh set up out of the box. So cool. 
>
>
Very intriguing. I am looking at

https://docs.saltstack.com/en/latest/ref/states/all/salt.states.pkg.html

https://www.qubes-os.org/doc/salt/

lmk if there is anything else I should read!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/aa429efa-816b-471d-9e45-128c30f51f7c%40googlegroups.com.

[qubes-users] [Solution] Fix Screen Tearing for Chromium-Based Browsers on Qubes

['Elliot Killick' via qubes-users]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi, I just thought I would share the solution I found to my screen
tearing problem for Chromium-based browsers on Qubes.

First, test if you are experiencing screen tearing in Chromium by
watching this video in full screen (You should see only straight
vertical lines going across the screen; no rips):
https://www.youtube.com/watch?v=MfL_JkcEFbE

If you are, then what fixed it completely for me was going to:
chrome://flags/#ignore-gpu-blacklist
And then enabling:
"Override software rendering list"
Description:
"Overrides the built-in software rendering list and enables
GPU-acceleration on unsupported system configurations.  Mac, Windows,
Linux, Chrome OS, Android
#ignore-gpu-blacklist"

Then watch that video again to confirm the fix was successful. Worked
like a charm with my Intel iGPU at least.

If that doesn't fix it then I recommend going to:
chrome://gpu
and seeing what you can tweak in there.

I tested each and this fix worked for me in Chromium, Brave Browser,
Iridium Browser and (just to top it off) Google Chrome.

I think the culprit in the Chromium source is this line at:
https://chromium.googlesource.com/chromium/src/gpu/+/master/config/software_rendering_list.json#355
Seems strange but for some reason my "GPU0" is detected as "VENDOR=
0x [VMware, Inc.]" (you would think it would say Xen?) in
chrome://gpu after enabling #ignore-gpu-blacklist (Before it was
"VENDOR= 0x [Google Inc.]"), it also has the "Mesa" driver vendor
with version >= 9.2.1 and is of course running on "Linux", all of which
falls in line with that entry in the software_rendering_list.json file.

I kept digging by looking at the "cr_bugs" field in the JSON file and at
first was alarmed because the first one listed (#145531
) was a
UAF security bug that was closed as "Wont Fix". However, I tried all the
PoCs and none of them produced a crash for me with #ignore-gpu-blacklist
enabled so I think it's safe and adding this GPU driver to the blacklist
is just a precaution the Chromium team took. Then I went through the
other cr_bugs listed and sure enough others were reporting it doesn't
seem like this bug exists anymore and that it does appear to be safe
now. I've had the #ignore-gpu-blacklist enabled for a while now and have
experienced no instability.

No such fix should be necessary for Firefox as it came out of the box
with no screen tearing for me.

Note, this is only a fix for screen tearing in Chromium-based browsers.
If you're experiencing screen tearing elsewhere like on your desktop too
then it's probably something you need to change in you xorg.conf in Dom0.

And as a side note, if your browser fails to play some videos, that is
due to it not supporting some formats which can be diagnosed at a site
such as:
https://tekeye.uk/html/html5-video-test-page

Anyway, this ended up being longer than expected. Hope it helped a
fellow Qubes user. :)
-BEGIN PGP SIGNATURE-

iHUEARYIAB0WIQQBj7nebfoT+xj7VVL5uQ1E+D3V8gUCXrm7qwAKCRD5uQ1E+D3V
8hv6AP447YQfhWVF5kMl6mEddg3Bm2tjKsujgaSg18UAh1ulHQEAvffT9yTzDueS
iAwa1HcGnTAlrio4aLZ/lo59iFEHtwU=
=Gw26
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ba2897b5-2bd1-b7a1-7052-2e680d497600%40zohomail.eu.

[qubes-users] Connect to wifi - settings doesnt load

[Alaa Ashkar]

Qubes OS version
R4.0
Affected component(s) or functionality
Configuration of networking in sys-net. Not able to run Settings.

Brief summary
Not able to run sys-net Settings. I would like to configure the wireless
networks.

After adding "Settings" to sys-net in Qube Manager, clicking on "Service:
sys-net | Settings" produced no observable system response.

Also running gnome_control_center fails.

If i run:

export XGD_CURRENT_DESKTOP=GNOME gnome_control_center

Then the settings open but i get a segmentation fault.

How should i address this?


Thanks in advance

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAB2TdYArszNOZn5yAuQup0rhq5gZMG6N1PBmTtn_p0Fdrg9Txw%40mail.gmail.com.

Re: [qubes-users] What's your flow for new templateVM?

['Elliot Killick' via qubes-users]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 2020-05-11 14:26, 'Ryan Tate' via qubes-users wrote:
> Saw the new f31 templateVM (thanks for that) and just curious how
folks generally migrate to a new templateVM.
>
> I manually maintain this big text list of packages and just use
> that
to manually update the fresh templateVM to what I need. There's
typically also some non package installs, which I include basic pointers
for (think downloaded rpms and so forth), as well as some outside repos
to add (e.g. keybase). There's also typically some packages I forgot to
put on the list, which I can usually suss out by going through the bash
history for the old template, although often there's one or two that
slip through the cracks, which I find out about eventually and it's not
a huge deal.
>
> I'm particularly curious if anyone does anything more
> sophisticated
than that, using salt or some other automated deploy system to prep new
template images.
>
> Thanks for any tips!
>
I also keep a list of packages I want to have on each of my templates.
For the switching part of each AppVM to the new TemplateVM (e.g.
fedora-30 to fedora-31) I use a simple Python script that utilizes the
Qubes Admin API:

#!/usr/bin/python3

import qubesadmin
from qubesadmin.exc import *

from_templatevm = 'fedora-30'
to_templatevm = 'fedora-31'

qubes = qubesadmin.Qubes().app.domains

for qube in qubes:
if qube.name == from_templatevm:
appvms = qube.appvms
for appvm in appvms:
print('Changing TemplateVM of:', appvm.name)
try:
appvm.__setattr__('template', to_templatevm)
except QubesVMNotHaltedError:
print("Cannot change TemplateVM while qube is turned on!
")

I usually just run this after my next reboot when almost (don't forget
to shutdown the NetVMs) all my qubes will be turned off. This is much
better than switching them manually one by one in Qubes Manager.

After that all I do is clone, for example, fedora-30-dvm to
fedora-31-dvm with its template now changed.


-BEGIN PGP SIGNATURE-

iHUEARYIAB0WIQQBj7nebfoT+xj7VVL5uQ1E+D3V8gUCXrm5oQAKCRD5uQ1E+D3V
8qS/AQCtW8COW7f2ndgpDTAJD/VYRzfqgo333UeR7EmcC1JKqAD+O0Jh2Z3tseRn
cmEcBRFQyOYmPjvGCdHfq/Ypnj66VQo=
=9oMW
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b2444535-cd8c-ca3c-274e-e16f024e54b0%40zohomail.eu.

Re: [qubes-users] Dividing Qubes Into Separate Networks (FAILED)

[donovang]

- On May 11, 2020, at 10:16 AM, qubes-users qubes-users@googlegroups.com 
wrote:

> Here is full summary of where I am at. Could someone please provide guidance
> with this? Thank you very much.
> 
> 
> Qubes OS version
> Qubes OS R4.0
> 
> Affected component(s) or functionality
> Networking
> 
> Brief summary
> I tried to separate everything into to two subnets meanings 2 NICs, 2 gateways
> (sys-net), 2 firewalls. Everything works on the network before the new gw and
> after it. All qubes can communicate to the firewall. After the gateway
> everything works properly on the physical network as designed and can get out
> to the internet if I connect any client other to it but the new gateway.
> 
> The main gateway remains functional but the new one can't get on the network,
> hence the whole chain doesn't work.
> 
> To Reproduce
> Steps to reproduce the behavior (I tried 3 different way, same results):
> First Version:
> Simply clone the main gateway from Qubes Manager.
> 
> Second Version:
> From dom0 (as root) under /srv/formulas/base/virtual/machines/formula 
> duplicate
> and edit the following two files: sys-net.top and sys-net.sls and run qubesctl
> state.apply qvm/sys-net2 to create a new sys-net from scratch.
> 
> Third version:
> Create new stanadlone VM, mark "provides networking"
> 
> Expected behavior
> My hope was that once I have a new sys-net I can just assign the other NIC to 
> it
> and connect to the network just like the main gateway
> 
> Actual behavior
> If I leave the advanced network manager on DHCP then the gw is not getting and
> IP from the server. (If I connect any other non-Qubes clients they get an IP
> right away). If I set the IP manually then it "takes it" but I still cannot 
> get
> on the network, and can't get online.
> 
> Additional context
> The physical setup is this: modem <--> pfsense firewall <--> Unifi Switch <-->
> Server Running Qubes
> 
> The server has two built in NICs, one PCI and one WiFi. It might be important
> that if I assign all 3 (not in use) NICs to the 2nd gw then only 1 has a mac
> address. The other 2 show up as ens[0-9] but I don't see a mac
> 
> The network is setup so that the main gw on Qubes is on the main LAN segment 
> on
> the network. The 2nd gw has a designated VLAN setup
> 
> Solutions you've tried
> 1) To make sure everything works on the server running Qubes and the network
> itself I used a live boot Linux and tried all NICs. Every NIC was able to
> connect to both the main LAN and the separate VLAN using both DHCP and manual
> IP settings.
> 
> 2) As I listed above I tried cloning the 2nd gw from the main one and I tried
> creating from scratch
> 
> 3) I tried editing the gw network settings though nmcli and the GUI
> 
> 4) I booted the server with a Fedora 31 live USB, set network setting 
> manually,
> copied out the /etc/sysconfig/network-scripts/ifcfg-interface-name and 
> manually
> entered all those through nmcli
> 
> Just to reiterate once more, the network setup outside of Qubes is 100%
> functional. If I connect any machines to any segment of network to any port on
> the switch they always work as intended.
> 
> --
Hello. I have a similar setup but without a VLAN - never been a fan. I have a 
4-port pfsense router (community edition on a Protectli appliance), a couple of 
small unmanaged switches and a couple of ubiquiti APs. I cloned sys-net & 
sys-firewall to, say, sys-net-play & sys-firewall-play.

My Qubes box has 2 wired NICs - one is assigned the default network, the other 
play. I added a new DHCP scope to the pfsense for play (typical consumer class 
c), tossed a couple of firewall rules on the pfsense box for both subnets to 
prevent traffic between them. Each LAN has its own switch and AP. 

>From my Qubes box, I can assign either network to any VM. In fact, I do just 
>that to remote control some hobby gear I have on the play net.

I am wondering it you might need to use two wired NICs. 

DG

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/105947273.20643.1589227917080.JavaMail.zimbra%40unseen.is.

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[Anil]

> I bought it from the folk at Third Eye Security - you could mail
> supp...@3isec.com to see what they have available.
> They provide customised Thinkpads to order - my x230 had custom switches,
> coreboot, 16GB RAM, 500MB SSD, Qubes installed, for 499GBP.

Do they have a website?

Regards,

अनिल एकलव्य
(Anil Eklavya)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAPfsu8dv_PAzNOu_DeL%2BMa%3DMGvVr4JQ2jq-nJyfSt6yDEYa7Q%40mail.gmail.com.

Re: [qubes-users] How to bridge a subnet ot the firewall

['Matt Drez' via qubes-users]

> > > you are simply sniffing the wrong side of the SPS.
> > > sniff the downstream interface(s) instead of upstream.
> > > wouldn't a tcpdump -i eth0 sniff rx tx?
> 

> You will get the NAT'd addresses with this. You want to listen on the
> vif* addresses.
Thank you. That worked. I appreciate your help. 




-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/zWkkDrKlwinjQ-vObRkpVx7zUm01UJqkHE7Noj3qo3SSWj8kyILl4riZfGONdiCjHW6Z-5pOnAVgNLqbNQkTwZ5oPNAkGtItutNIUkUrRq8%3D%40pm.me.


publickey - mattdrez@pm.me - 0x8196D0F4.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature

Re: [qubes-users] Dividing Qubes Into Separate Networks (FAILED)

['Zsolt Bicskey' via qubes-users]

Here is full summary of where I am at. Could someone please provide guidance 
with this? Thank you very much. 


Qubes OS version
Qubes OS R4.0

Affected component(s) or functionality
Networking

Brief summary
I tried to separate everything into to two subnets meanings 2 NICs, 2 gateways 
(sys-net), 2 firewalls. Everything works on the network before the new gw and 
after it. All qubes can communicate to the firewall. After the gateway 
everything works properly on the physical network as designed and can get out 
to the internet if I connect any client other to it but the new gateway.

The main gateway remains functional but the new one can't get on the network, 
hence the whole chain doesn't work.

To Reproduce
Steps to reproduce the behavior (I tried 3 different way, same results):
First Version:
Simply clone the main gateway from Qubes Manager.

Second Version:
>From dom0 (as root) under /srv/formulas/base/virtual/machines/formula 
>duplicate and edit the following two files: sys-net.top and sys-net.sls and 
>run qubesctl state.apply qvm/sys-net2 to create a new sys-net from scratch.

Third version:
Create new stanadlone VM, mark "provides networking"

Expected behavior
My hope was that once I have a new sys-net I can just assign the other NIC to 
it and connect to the network just like the main gateway

Actual behavior
If I leave the advanced network manager on DHCP then the gw is not getting and 
IP from the server. (If I connect any other non-Qubes clients they get an IP 
right away). If I set the IP manually then it "takes it" but I still cannot get 
on the network, and can't get online.

Additional context
The physical setup is this: modem <--> pfsense firewall <--> Unifi Switch <--> 
Server Running Qubes

The server has two built in NICs, one PCI and one WiFi. It might be important 
that if I assign all 3 (not in use) NICs to the 2nd gw then only 1 has a mac 
address. The other 2 show up as ens[0-9] but I don't see a mac

The network is setup so that the main gw on Qubes is on the main LAN segment on 
the network. The 2nd gw has a designated VLAN setup

Solutions you've tried
1) To make sure everything works on the server running Qubes and the network 
itself I used a live boot Linux and tried all NICs. Every NIC was able to 
connect to both the main LAN and the separate VLAN using both DHCP and manual 
IP settings.

2) As I listed above I tried cloning the 2nd gw from the main one and I tried 
creating from scratch

3) I tried editing the gw network settings though nmcli and the GUI

4) I booted the server with a Fedora 31 live USB, set network setting manually, 
copied out the /etc/sysconfig/network-scripts/ifcfg-interface-name and manually 
entered all those through nmcli

Just to reiterate once more, the network setup outside of Qubes is 100% 
functional. If I connect any machines to any segment of network to any port on 
the switch they always work as intended.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/DotEY68sj7rk4E3Tt8V0vE0PMA-xOYjmClEKiCy8Veiyg4ym0vX9RVXDvYQVk01XhfPZJKUpqMUjyEd-locpLAAI7Ycb13Swee_n5mt3G4M%3D%40protonmail.com.


publickey - letmereadit@protonmail.com - 0xEE010E73.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature

Re: [qubes-users] What's your flow for new templateVM?

[Steve Coleman]

On Mon, May 11, 2020, 10:26 AM 'Ryan Tate' via qubes-users <
qubes-users@googlegroups.com> wrote:

> I manually maintain this big text list of packages and just use
> that to manually update the fresh templateVM to what I
> need. There's typically also some non package installs, which I
> include basic pointers for (think downloaded rpms and so forth),
> as well as some outside repos to add (e.g. keybase). There's also
> typically some packages I forgot to put on the list, which I can
> usually suss out by going through the bash history for the old
> template, although often there's one or two that slip through the
> cracks, which I find out about eventually and it's not a huge
> deal.
>

I'm particularly curious if anyone does anything more
> sophisticated than that, using salt or some other automated deploy
> system to prep new template images.

I was just playing with creating a domain bash script that runs "qvm-run
-p"  in one template to extract the list of packages (dnf list), then
subtracts the list from the second template, pulls that difference list up
in an editor, and then pushes the manually edited list to the next template
( dnf install $list). Then I found there were so many packages I did not
particularly want to carry forward without proper investigation that I
essentially put that script on hold.

I obviously need to take my time to decide what I want to bring forward.
Things like python2 packages need to be weeded out, as well as other
packages that I was merely investigating for use at work but don't have any
need for now that I am retired.

I think the general script/process has merit but I have far too many
packages to evaluate in a single session. Simply pushing everything in one
go would merely add a lot of stuff I did not need. When I have time I may
just delete most of the packages from the editor and do this in chunks as I
find time to work on it.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAJ5FDnjUHU_XoWewpbjbMdWGWJzUbZHqeK_n%3DvUTZqDVHfBrrg%40mail.gmail.com.

Re: [qubes-users] What's your flow for new templateVM?

[unman]

On Mon, May 11, 2020 at 10:52:32AM -0400, Stumpy wrote:
> On 2020-05-11 10:26, 'Ryan Tate' via qubes-users wrote:
> > Saw the new f31 templateVM (thanks for that) and just curious how folks
> > generally migrate to a new templateVM.
> > 
> > I manually maintain this big text list of packages and just use that to
> > manually update the fresh templateVM to what I need. There's typically
> > also some non package installs, which I include basic pointers for
> > (think downloaded rpms and so forth), as well as some outside repos to
> > add (e.g. keybase). There's also typically some packages I forgot to put
> > on the list, which I can usually suss out by going through the bash
> > history for the old template, although often there's one or two that
> > slip through the cracks, which I find out about eventually and it's not
> > a huge deal.
> > 
> > I'm particularly curious if anyone does anything more sophisticated than
> > that, using salt or some other automated deploy system to prep new
> > template images.
> > 
> > Thanks for any tips!
> > 
> 
> Ditto, would really be interested as well, I have a similar system but i am
> sure there are better ways to do it.
> 

Salt it - if you get used to using salt, it's simple to use.
If you want to install a package, don't open the template and install it
there, edit the install.sls file to include the package, and run
`qubesctl --skip-dom0 --targets=  state.apply install`

That *should* install the package, and you have a record of what you've
done. So our "big text file" becomes functional.
You can also leverage salt to apply the same packages to Debian and
Fedora templates - where names differ, you can apply packages by
checking OS.
And, of course, you can add/edit sources.files, insert gpg keys, copy in
rpms/source, and your salt files will be a record of what you want.

On a new system, or a new template, all you have to do is run the
`install` state targeting the template(s) you want.
Really, a great system, and I suspect sadly under used.

I have full systems set up in salt to customise a new install as I want,
with new templates and different setups. Sometimes it can be a bit
shaky, and you *have* to check the logs, but it's great to run the full
state, have a coffee, and come back to a fully configured system.
For travel, I have a minimum state I can download and apply, to get a
workable system with gpg, vpn, ssh set up out of the box. So cool.

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200511151141.GB15472%40thirdeyesecurity.org.

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[unman]

On Mon, May 11, 2020 at 01:35:57PM +, taran1s wrote:
> 
> 
> 
> Could you share where did you buy the X230 with HW switches already
> installed? I didn't see the vendor that would offer this. Thank you !

I bought it from the folk at Third Eye Security - you could mail
supp...@3isec.com to see what they have available.
They provide customised Thinkpads to order - my x230 had custom switches,
coreboot, 16GB RAM, 500MB SSD, Qubes installed, for 499GBP.
They'll also fit nitrocaster mods to get a more intense screen on the
x230, and are always happy to negotiate price depending on what you have.

That reads like an ad. Hope it's not a problem. I've bought a few
machines from them and they've always been great.

In interest of full disclosure - I now do some work for Third Eye, and
they provide server space for some Qubes repositories, the unofficial
Ubuntu and Arch that I run, and the official Tor mirror.

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200511145744.GA15472%40thirdeyesecurity.org.

Re: [qubes-users] What's your flow for new templateVM?

[Stumpy]

On 2020-05-11 10:26, 'Ryan Tate' via qubes-users wrote:
Saw the new f31 templateVM (thanks for that) and just curious how folks 
generally migrate to a new templateVM.


I manually maintain this big text list of packages and just use that to 
manually update the fresh templateVM to what I need. There's typically 
also some non package installs, which I include basic pointers for 
(think downloaded rpms and so forth), as well as some outside repos to 
add (e.g. keybase). There's also typically some packages I forgot to put 
on the list, which I can usually suss out by going through the bash 
history for the old template, although often there's one or two that 
slip through the cracks, which I find out about eventually and it's not 
a huge deal.


I'm particularly curious if anyone does anything more sophisticated than 
that, using salt or some other automated deploy system to prep new 
template images.


Thanks for any tips!



Ditto, would really be interested as well, I have a similar system but i 
am sure there are better ways to do it.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d3dff887-25b8-443f-be20-687ebcb63da0%40posteo.net.

[qubes-users] What's your flow for new templateVM?

['Ryan Tate' via qubes-users]

Saw the new f31 templateVM (thanks for that) and just curious how 
folks generally migrate to a new templateVM.


I manually maintain this big text list of packages and just use 
that to manually update the fresh templateVM to what I 
need. There's typically also some non package installs, which I 
include basic pointers for (think downloaded rpms and so forth), 
as well as some outside repos to add (e.g. keybase). There's also 
typically some packages I forgot to put on the list, which I can 
usually suss out by going through the bash history for the old 
template, although often there's one or two that slip through the 
cracks, which I find out about eventually and it's not a huge 
deal.


I'm particularly curious if anyone does anything more 
sophisticated than that, using salt or some other automated deploy 
system to prep new template images.


Thanks for any tips!

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/878shybl9a.fsf%40disp2634.

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[taran1s]

unman:
> On Mon, May 11, 2020 at 04:17:39AM -0700, Andrew Sullivan wrote:
>>
>>
>> On Monday, 11 May 2020 12:08:22 UTC+1, unman wrote:
>>>
>>> On Mon, May 11, 2020 at 02:31:52AM -0700, Andrew Sullivan wrote: 
>>>
>>> Not *double* but *top-posted*. Please don't do this. 
>>>
>>> It's not a naive idea - it's a good one. Depending on your machine you 
>>> may be able to find ways to do this, by installing a kill switch, or by 
>>> BIOS configuration. 
>>> You may find that your BIOS allows you to disable certain devices pre 
>>> boot, and this may enable you to switch between active disks. Have a 
>>> look.(Depending on what's available this may determine what sort of disk 
>>> you use to install Qubes) 
>>> I have an x230 with some extra hardware switches installed to allow for 
>>> device isolation. With minimal skills you could do the same yourself. 
>>> Take a look at what's already there and have a think about what you 
>>> might manage to do. If it's important enough you'll find a way. 
>>>
>>
>> Not *double* but *top-posted*. Please don't do this. - oops, sorry; is this 
>> the right place?
> 
> Yes, it is. Thanks.
> Inline replies are also fine.
> 
>>
>> When I get a suitable laptop (I have a separate post on this) I'll look 
>> into that.  Are you able to share
>> how you implemented hardware switches on your X230? Do you find the X230 
>> "man enough" to run Qubes?  They're not expensive...
>>
> 
> I bought the x230 with HW switches and Qubes installed.
> There's already a switch for WiFi, and control over the
> speakers and Mic.
> There's a micro switch to isolate the mSata SSD or main drive.
> Another for the camera.
> There was option to install a switch to isolate USB/SD slots, but I
> haven't seen that, and wouldn't use it much anyway.
> Coreboot allows you to control many other components.
> 
> The x230 is great - I posted some comparisons here some time back
> between x220/x230 with different configurations. Takeaway was that 16GB
> RAM and fast SSD are optimal.
> As with security, assessing the (wo)manliness of a laptop depends on
> what you will use it for. I'm using an x220 tablet right now, and it's
> fine for multiple qubes, music/video/compiling. I did some video editing
> last week and the x230 was fine. BUT, for various reasons, I don't game, I 
> tend
> not to use heavy graphical components, and I work in terminal *a lot*,
> so I guess you should factor that in to my view.
> 
> unman
> 

Could you share where did you buy the X230 with HW switches already
installed? I didn't see the vendor that would offer this. Thank you !

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/39d92186-c32c-89f4-f91d-3e13db2dc85f%40mailbox.org.


0xA664B90BD3BE59B3.asc
Description: application/pgp-keys

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[unman]

On Mon, May 11, 2020 at 12:37:18PM +, Logan wrote:
> On 5/11/20 12:28 PM, unman wrote:
> > 
> > On Mon, May 11, 2020 at 12:25:54PM +, Logan wrote:
> > > On 5/11/20 12:09 PM, unman wrote:
> > > > Screeds and screeds of HTML.
> > > > Can you NOT do this?
> > > > Look at your settings and change to "plain text", at least for this
> > > > list, please
> > > 
> > > 
> > > Sorry to be a nuisance. I believe it is fixed now: I have added
> > > googlegroups.com into my text domains in Thunderbird so it shouldn't 
> > > happen
> > > again.
> > > 
> > 
> > Cheers, thanks.
> > Sorry for the grouchiness - stressful times.
> > 
> No worries mate. It's my first time using a group like this and it's not
> unreasonable to assume some Qubes users are using terminal-based readers.
> Plaintext never goes out of fashion.
> 
> Have a good rest of your day. :)
> 

Time for a drink and bed, I think.
Cheers.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200511132409.GA14702%40thirdeyesecurity.org.

[qubes-users] App menu not syncing

[jiggermast47]

Hi,

I can't sync app menus from one of my standalone Debian 10 VMs. In dom0
I get:

[user@dom0 ~]$ qvm-sync-appmenus VMNAME

Traceback (most recent call last):
  File "/usr/bin/qvm-sync-appmenus", line 9, in 
    load_entry_point('qubesdesktop==4.0.20', 'console_scripts',
'qvm-sync-appmenus')()
  File "/usr/lib/python3.5/site-packages/qubesappmenus/receive.py", line
397, in main
    new_appmenus = retrieve_appmenus_templates(vm, use_stdin=use_stdin)
  File "/usr/lib/python3.5/site-packages/qubesappmenus/receive.py", line
373, in retrieve_appmenus_templates
    new_appmenus = get_appmenus(vm if not use_stdin else None)
  File "/usr/lib/python3.5/site-packages/qubesappmenus/receive.py", line
155, in get_appmenus
    "Error getting application list")
qubesadmin.exc.QubesException: Error getting application list


.x-session-errors in the VM shows:

executed QUBESRPC qubes.GetAppmenus dom0 pid 10029
send exit code 2
pid 10029 exited with 2

When I install something via apt, I get this, maybe a hint:

Processing triggers for qubes-core-agent (4.0.55-1+deb10u1) ...
execv: Permission denied


Any idea where to look?

Best



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/02b3b71d-ea19-3f95-c04f-f6ca563dc430%40posteo.de.

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[Logan]

On 5/11/20 12:28 PM, unman wrote:


On Mon, May 11, 2020 at 12:25:54PM +, Logan wrote:

On 5/11/20 12:09 PM, unman wrote:

Screeds and screeds of HTML.
Can you NOT do this?
Look at your settings and change to "plain text", at least for this
list, please



Sorry to be a nuisance. I believe it is fixed now: I have added
googlegroups.com into my text domains in Thunderbird so it shouldn't happen
again.



Cheers, thanks.
Sorry for the grouchiness - stressful times.

No worries mate. It's my first time using a group like this and it's not 
unreasonable to assume some Qubes users are using terminal-based 
readers. Plaintext never goes out of fashion.


Have a good rest of your day. :)


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200511122848.GA14188%40thirdeyesecurity.org.



--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8de76799-a888-e9e2-728c-fe96d67299c8%40threatmodel.io.


publickey - logan@threatmodel.io.asc.pgp
Description: application/pgp-key


signature.asc
Description: OpenPGP digital signature

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[unman]

On Mon, May 11, 2020 at 12:25:54PM +, Logan wrote:
> On 5/11/20 12:09 PM, unman wrote:
> > Screeds and screeds of HTML.
> > Can you NOT do this?
> > Look at your settings and change to "plain text", at least for this
> > list, please
> 
> 
> Sorry to be a nuisance. I believe it is fixed now: I have added
> googlegroups.com into my text domains in Thunderbird so it shouldn't happen
> again.
> 

Cheers, thanks.
Sorry for the grouchiness - stressful times.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200511122848.GA14188%40thirdeyesecurity.org.

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[Logan]

On 5/11/20 12:09 PM, unman wrote:

On Mon, May 11, 2020 at 12:01:49PM +, Logan wrote:

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e6af715a-fe00-46ec-ddde-24748076ad2b%40threatmodel.io.

   
 
   
   
 Would you be willing to share the URL
   here? If not, could you message me privately? I'm definitely
   interested in reading it.
   
   -Logan
 
 
 
 On 5/11/20 11:58 AM, Mark Fernandes
   wrote:
 
 
   
   On Monday, 11 May 2020 12:08:22 UTC+1, unman wrote:
 ??
 
 
   Depending on your machine you
   
   may be able to find ways to do this, by installing a kill
   switch, or by
   
   BIOS configuration.
   
   You may find that your BIOS allows you to disable certain
   devices pre
   
   boot, and this may enable you to switch between active 
disks.??
 
 
 
 I'm by no means an expert on Qubes or this particular
   issue. However, I am in the midst of writing a Wikibooks book
   on cost-effective end-user security that has a section about
   this. My thoughts in the book are more like RFCs (requests for
   comments) rather than definitive ideas (my hope is that other
   people will further develop, revise, and correct them, as
   applicable). Please take that into account when reading
 them. The section is shown below.
 
 
 
 
 

 https://en.wikipedia.org/wiki/Qubes_OS;
 moz-do-not-send="true">Qubes OS 4.0.3 side-by-side with other https://en.wikipedia.org/wiki/Operating_system;
 moz-do-not-send="true">operating 
systems
 https://en.wikipedia.org/wiki/Qubes_OS;
 moz-do-not-send="true">Qubes OS 4.0.3 is https://www.qubes-os.org/faq/index.html#can-i-run-applications-like-games-which-require-3d-support;
 moz-do-not-send="true">documented as not coping well with https://en.wikipedia.org/wiki/Software;
 moz-do-not-send="true">software that specifically benefits from https://en.wikipedia.org/wiki/Hardware_acceleration;
 moz-do-not-send="true">3D-optimised hardware. Since a user may well want to use such optimisation, the best way to use such optimisation on the same machine 
might be to do something like, or the same as, the following:
 
 
   https://en.wikipedia.org/wiki/Installation_(computer_programs)" 
moz-do-not-send="true">Install a https://en.wikipedia.org/wiki/Linux; moz-do-not-send="true">Linux https://en.wikipedia.org/wiki/Operating_system; moz-do-not-send="true">operating system, with good security but still with the capacity for being able to utilise 3D-optimised hardware, on an https://en.wikipedia.org/wiki/SSD; moz-do-not-send="true">SSD external https://en.wikipedia.org/wiki/Data_storage; moz-do-not-send="true">drive, such that this other operating system is not run over Qubes, but instead run separate to Qubes.
   When wanting to use this other Linux OS, disable the 
internal drive (containing Qubes) in either:
   
 the https://en.wikipedia.org/wiki/BIOS; 
moz-do-not-send="true">BIOS,??
   
 
 ??OR IF 
WISHING TO BE MORE SECURE,
 
   
 both the BIOS??
   
 
 as well as by physically 
disconnecting the internal drive
 (this latter option 
might be a good idea to do??
 because https://en.wikipedia.org/wiki/Malware;
 moz-do-not-send="true">malware in a BIOS's https://en.wikipedia.org/wiki/Firmware;
 moz-do-not-send="true">firmware??
 can still connect to 
BIOS-disabled drives).
 
   https://en.wikipedia.org/wiki/Booting; moz-do-not-send="true">Boot off the SSD to run this other Linux.
   After using the 
non-Qubes installation, because of the possibility of malware being introduced into the BIOS firmware by the non-Qubes installation, optionally https://en.wikipedia.org/wiki/BIOS#Reprogramming; moz-do-not-send="true">flash the BIOS's firmware to ensure better the Qubes installation isn???t compromised through firmware https://en.wikipedia.org/wiki/Malware; moz-do-not-send="true">malware when you next use Qubes.
 
 
 By following the above steps, and choosing the 
most secure options in the steps, because of:
 
   the disabling of the 

Re: [qubes-users] Re: Consider making tax deductable donations possible in the EU

[Stumpy]

On 2020-05-10 16:25, Michael Carbone wrote:

On 5/9/20 2:17 PM, Lorenzo Lamas wrote:

Whonix Project has partnered up with the CCT (Center for the Cultivation of
Technology, which is a charitable non-profit host organization in Germany
for international Free Software projects.)
This makes it possible for all EU citizens to deduct donations from 500 EUR
and up from their taxes. If Qubes project does the same, it may result in
more donations for the project.

  
https://forums.whonix.org/t/european-union-eu-wide-tax-deductible-donations-to-whonix-are-now-possible/9389
https://www.whonix.org/wiki/Donate/Tax-Deductible


thanks for letting me/us know Lorenzo! I'd been in talks with CCT when
they first started but they had told me to wait until they were finished
getting set up. sounds like they are taking projects now, I'll email them.



I have no clue if this is possible but doing something similar so people 
in the US are able  to make tax deductible contribs would be good too.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/891f9b4d-5ec7-4b9f-a4c2-4ec301fdac3e%40posteo.net.

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[unman]

On Mon, May 11, 2020 at 12:01:49PM +, Logan wrote:
> -- 
> You received this message because you are subscribed to the Google Groups 
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to qubes-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/qubes-users/e6af715a-fe00-46ec-ddde-24748076ad2b%40threatmodel.io.

> 
>   
> 
>   
>   
> Would you be willing to share the URL
>   here? If not, could you message me privately? I'm definitely
>   interested in reading it.
>   
>   -Logan
> 
> 
> 
> On 5/11/20 11:58 AM, Mark Fernandes
>   wrote:
> 
>cite="mid:be02e5ea-f7a5-473b-9fd0-1d06a9223...@googlegroups.com">
>   
>   On Monday, 11 May 2020 12:08:22 UTC+1, unman wrote:
> ??
> 
> 
>   Depending on your machine you
>   
>   may be able to find ways to do this, by installing a kill
>   switch, or by
>   
>   BIOS configuration.
>   
>   You may find that your BIOS allows you to disable certain
>   devices pre
>   
>   boot, and this may enable you to switch between active 
> disks.??
> 
> 
> 
> I'm by no means an expert on Qubes or this particular
>   issue. However, I am in the midst of writing a Wikibooks book
>   on cost-effective end-user security that has a section about
>   this. My thoughts in the book are more like RFCs (requests for
>   comments) rather than definitive ideas (my hope is that other
>   people will further develop, revise, and correct them, as
>   applicable). Please take that into account when reading
> them. The section is shown below.
> 
> 
>  id="docs-internal-guid-5cb878be-7fff-1d6d-bc3d-05d7880773a7">
> 
>  
> id="docs-internal-guid-83215b1d-7fff-5294-3335-b19118084401"> style="font-size: 12pt; font-family: Arial; color: rgb(102, 102, 102); 
> background-color: transparent; font-variant-numeric: normal; 
> font-variant-east-asian: normal; vertical-align: baseline; white-space: 
> pre-wrap;">
> 
>  href="https://en.wikipedia.org/wiki/Qubes_OS;
> moz-do-not-send="true">Qubes OS 
> 4.0.3 side-by-side with other  href="https://en.wikipedia.org/wiki/Operating_system;
> moz-do-not-send="true">operating 
> systems
>  href="https://en.wikipedia.org/wiki/Qubes_OS;
> moz-do-not-send="true">Qubes OS 4.0.3 is  href="https://www.qubes-os.org/faq/index.html#can-i-run-applications-like-games-which-require-3d-support;
> moz-do-not-send="true">documented as not coping well with  href="https://en.wikipedia.org/wiki/Software;
> moz-do-not-send="true">software that specifically benefits 
> from  href="https://en.wikipedia.org/wiki/Hardware_acceleration;
> moz-do-not-send="true">3D-optimised hardware. Since a user may well 
> want to use such optimisation, the best way to use such optimisation on the 
> same machine might be to do something like, or the same as, the 
> following:
> 
> 
>style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;" 
> role="presentation"> href="https://en.wikipedia.org/wiki/Installation_(computer_programs)" 
> moz-do-not-send="true">Install style="font-size: 11pt; background-color: transparent; font-variant-numeric: 
> normal; font-variant-east-asian: normal; vertical-align: baseline; 
> white-space: pre-wrap;"> a  href="https://en.wikipedia.org/wiki/Linux; moz-do-not-send="true"> style="font-size: 11pt; background-color: transparent; font-variant-numeric: 
> normal; font-variant-east-asian: normal; text-decoration-line: underline; 
> text-decoration-skip-ink: none; vertical-align: baseline; white-space: 
> pre-wrap;">Linux  href="https://en.wikipedia.org/wiki/Operating_system; 
> moz-do-not-send="true">operating 
> system, with good security but 
> still with the capacity for being able to utilise 3D-optimised hardware, on 
> an https://en.wikipedia.org/wiki/SSD; 
> moz-do-not-send="true">SSD style="font-size: 11pt; background-color: transparent; font-variant-numeric: 
> normal; font-variant-east-asian: normal; vertical-align: baseline; 
> white-space: pre-wrap;"> external  href="https://en.wikipedia.org/wiki/Data_storage; 
> moz-do-not-send="true">drive style="font-size: 11pt; background-color: transparent; font-variant-numeric: 
> normal; font-variant-east-asian: normal; vertical-align: baseline; 
> white-space: pre-wrap;">, such that this other operating system is not run 
> over Qubes, but instead run separate to Qubes.
>

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[unman]

On Mon, May 11, 2020 at 04:17:39AM -0700, Andrew Sullivan wrote:
> 
> 
> On Monday, 11 May 2020 12:08:22 UTC+1, unman wrote:
> >
> > On Mon, May 11, 2020 at 02:31:52AM -0700, Andrew Sullivan wrote: 
> >
> > Not *double* but *top-posted*. Please don't do this. 
> >
> > It's not a naive idea - it's a good one. Depending on your machine you 
> > may be able to find ways to do this, by installing a kill switch, or by 
> > BIOS configuration. 
> > You may find that your BIOS allows you to disable certain devices pre 
> > boot, and this may enable you to switch between active disks. Have a 
> > look.(Depending on what's available this may determine what sort of disk 
> > you use to install Qubes) 
> > I have an x230 with some extra hardware switches installed to allow for 
> > device isolation. With minimal skills you could do the same yourself. 
> > Take a look at what's already there and have a think about what you 
> > might manage to do. If it's important enough you'll find a way. 
> >
> 
> Not *double* but *top-posted*. Please don't do this. - oops, sorry; is this 
> the right place?

Yes, it is. Thanks.
Inline replies are also fine.

> 
> When I get a suitable laptop (I have a separate post on this) I'll look 
> into that.  Are you able to share
> how you implemented hardware switches on your X230? Do you find the X230 
> "man enough" to run Qubes?  They're not expensive...
> 

I bought the x230 with HW switches and Qubes installed.
There's already a switch for WiFi, and control over the
speakers and Mic.
There's a micro switch to isolate the mSata SSD or main drive.
Another for the camera.
There was option to install a switch to isolate USB/SD slots, but I
haven't seen that, and wouldn't use it much anyway.
Coreboot allows you to control many other components.

The x230 is great - I posted some comparisons here some time back
between x220/x230 with different configurations. Takeaway was that 16GB
RAM and fast SSD are optimal.
As with security, assessing the (wo)manliness of a laptop depends on
what you will use it for. I'm using an x220 tablet right now, and it's
fine for multiple qubes, music/video/compiling. I did some video editing
last week and the x230 was fine. BUT, for various reasons, I don't game, I tend
not to use heavy graphical components, and I work in terminal *a lot*,
so I guess you should factor that in to my view.

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200511120532.GA13836%40thirdeyesecurity.org.

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[Logan]

publickey - logan@threatmodel.io.asc.pgp
Description: application/pgp-key

  
  

On 5/11/20 11:58 AM, Mark Fernandes
  wrote:


  
  On Monday, 11 May 2020 12:08:22 UTC+1, unman wrote:
 


  Depending on your machine you
  
  may be able to find ways to do this, by installing a kill
  switch, or by
  
  BIOS configuration.
  
  You may find that your BIOS allows you to disable certain
  devices pre
  
  boot, and this may enable you to switch between active disks. 



I'm by no means an expert on Qubes or this particular
  issue. However, I am in the midst of writing a Wikibooks book
  on cost-effective end-user security that has a section about
  this. My thoughts in the book are more like RFCs (requests for
  comments) rather than definitive ideas (my hope is that other
  people will further develop, revise, and correct them, as
  applicable). Please take that into account when reading
them. The section is shown below.






Qubes OS 4.0.3 side-by-side with other operating systems
Qubes OS 4.0.3 is documented as not coping well with software that specifically benefits from 3D-optimised hardware. Since a user may well want to use such optimisation, the best way to use such optimisation on the same machine might be to do something like, or the same as, the following:


  Install a Linux operating system, with good security but still with the capacity for being able to utilise 3D-optimised hardware, on an SSD external drive, such that this other operating system is not run over Qubes, but instead run separate to Qubes.
  When wanting to use this other Linux OS, disable the internal drive (containing Qubes) in either:
  
the BIOS,   
  

   OR IF WISHING TO BE MORE SECURE,

  
both the BIOS 
  

as well as by physically disconnecting the internal drive
(this latter option might be a good idea to do 
because malware in a BIOS's firmware 
can still connect to BIOS-disabled drives).

  Boot off the SSD to run this other Linux.
  After using the non-Qubes installation, because of the possibility of malware being introduced into the BIOS firmware by the non-Qubes installation, optionally flash the BIOS's firmware to ensure better the Qubes installation isn’t compromised through firmware malware when you next use Qubes.


By following the above steps, and choosing the most secure options in the steps, because of:

  the disabling of the internal drive via the BIOS,
  the physical disconnection of the drive containing the Qubes installation,   and
  the flashing of the BIOS firmware before the ‘reconnection’ of the 
Qubes installation,

any such other OS should not be able to access or even ‘touch’ the Qubes OS installation, thereby hopefully safeguarding the Qubes installation from attacks conducted through the other presumably-less-secure OS.


  




  

  
Kind regards,

  

  
Mark Fernandes
  



Would you be willing to share the URL
  here? If not, could you message me privately? I'm definitely
  interested in reading it.
  
  -Logan




  -- 
  You received this message because you are subscribed to the Google
  Groups "qubes-users" group.
  To unsubscribe from this group and stop receiving emails from it,
  send an email to qubes-users+unsubscr...@googlegroups.com.
  To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/be02e5ea-f7a5-473b-9fd0-1d06a9223f0c%40googlegroups.com.



  




-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cfe9c216-80e3-1537-f453-fce6c3723175%40threatmodel.io.


publickey - logan@threatmodel.io.asc.pgp
Description: application/pgp-key


signature.asc
Description: OpenPGP digital signature

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[Logan]

publickey - logan@threatmodel.io.asc.pgp
Description: application/pgp-key

  
  
Would you be willing to share the URL
  here? If not, could you message me privately? I'm definitely
  interested in reading it.
  
  -Logan



On 5/11/20 11:58 AM, Mark Fernandes
  wrote:


  
  On Monday, 11 May 2020 12:08:22 UTC+1, unman wrote:
 


  Depending on your machine you
  
  may be able to find ways to do this, by installing a kill
  switch, or by
  
  BIOS configuration.
  
  You may find that your BIOS allows you to disable certain
  devices pre
  
  boot, and this may enable you to switch between active disks. 



I'm by no means an expert on Qubes or this particular
  issue. However, I am in the midst of writing a Wikibooks book
  on cost-effective end-user security that has a section about
  this. My thoughts in the book are more like RFCs (requests for
  comments) rather than definitive ideas (my hope is that other
  people will further develop, revise, and correct them, as
  applicable). Please take that into account when reading
them. The section is shown below.






Qubes OS 4.0.3 side-by-side with other operating systems
Qubes OS 4.0.3 is documented as not coping well with software that specifically benefits from 3D-optimised hardware. Since a user may well want to use such optimisation, the best way to use such optimisation on the same machine might be to do something like, or the same as, the following:


  Install a Linux operating system, with good security but still with the capacity for being able to utilise 3D-optimised hardware, on an SSD external drive, such that this other operating system is not run over Qubes, but instead run separate to Qubes.
  When wanting to use this other Linux OS, disable the internal drive (containing Qubes) in either:
  
the BIOS,   
  

   OR IF WISHING TO BE MORE SECURE,

  
both the BIOS 
  

as well as by physically disconnecting the internal drive
(this latter option might be a good idea to do 
because malware in a BIOS's firmware 
can still connect to BIOS-disabled drives).

  Boot off the SSD to run this other Linux.
  After using the non-Qubes installation, because of the possibility of malware being introduced into the BIOS firmware by the non-Qubes installation, optionally flash the BIOS's firmware to ensure better the Qubes installation isn’t compromised through firmware malware when you next use Qubes.


By following the above steps, and choosing the most secure options in the steps, because of:

  the disabling of the internal drive via the BIOS,
  the physical disconnection of the drive containing the Qubes installation,   and
  the flashing of the BIOS firmware before the ‘reconnection’ of the 
Qubes installation,

any such other OS should not be able to access or even ‘touch’ the Qubes OS installation, thereby hopefully safeguarding the Qubes installation from attacks conducted through the other presumably-less-secure OS.


  




  

  
Kind regards,

  

  
Mark Fernandes
  
  -- 
  You received this message because you are subscribed to the Google
  Groups "qubes-users" group.
  To unsubscribe from this group and stop receiving emails from it,
  send an email to qubes-users+unsubscr...@googlegroups.com.
  To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/be02e5ea-f7a5-473b-9fd0-1d06a9223f0c%40googlegroups.com.



  




-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e6af715a-fe00-46ec-ddde-24748076ad2b%40threatmodel.io.


publickey - logan@threatmodel.io.asc.pgp
Description: application/pgp-key


signature.asc
Description: OpenPGP digital signature

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[Mark Fernandes]

On Monday, 11 May 2020 12:08:22 UTC+1, unman wrote:
>
>  
>
 Depending on your machine you 
> may be able to find ways to do this, by installing a kill switch, or by 
> BIOS configuration. 
> You may find that your BIOS allows you to disable certain devices pre 
> boot, and this may enable you to switch between active disks. 




I'm by no means an expert on Qubes or this particular issue. However, I am 
in the midst of writing a Wikibooks book on cost-effective end-user 
security that has a section about this. My thoughts in the book are more 
like RFCs (requests for comments) rather than definitive ideas (my hope is 
that other people will further develop, revise, and correct them, as 
applicable). *Please take that into account when reading them.* The section 
is shown below.

--


Qubes OS 4.0.3  side-by-side with 
other operating systems 

Qubes OS 4.0.3  is documented as 
not coping well 

 
with software  that specifically 
benefits from 3D-optimised hardware 
. Since a user may 
well want to use such optimisation, the best way to use such optimisation 
on the same machine might be to do something like, or the same as, the 
following:


   1. 
   
   Install  
   a Linux  operating system 
   , with good security but 
   still with the capacity for being able to utilise 3D-optimised hardware, on 
   an SSD  external drive 
   , such that this other 
   operating system is not run over Qubes, but instead run separate to Qubes.
   2. 
   
   When wanting to use this other Linux OS, disable the internal drive 
   (containing Qubes) in either:
   1. 
  
  the BIOS ,   
  
   OR IF WISHING TO BE MORE SECURE,

   1. 
  
  both the BIOS 
  
as well as by physically disconnecting the internal drive

(this latter option might be a good idea to do 

because malware  in a BIOS's firmware 
 

can still connect to BIOS-disabled drives).

   1. 
   
   Boot  off the SSD to run this 
   other Linux.
   2. 
   
   After using the non-Qubes installation, because of the possibility of 
   malware being introduced into the BIOS firmware by the non-Qubes 
   installation, optionally flash 
    the BIOS's firmware 
   to ensure better the Qubes installation isn’t compromised through firmware 
   malware  when you next use Qubes.
   

By following the above steps, and choosing the most secure options in the 
steps, because of:

   - 
   
   the disabling of the internal drive via the BIOS,
   - 
   
   the physical disconnection of the drive containing the Qubes 
   installation,   and
   - 
   
   the flashing of the BIOS firmware before the ‘reconnection’ of the 
   Qubes installation,
   
any such other OS should not be able to access or even ‘touch’ the Qubes OS 
installation, thereby hopefully safeguarding the Qubes installation from 
attacks conducted through the other presumably-less-secure OS.


--


Kind regards,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/be02e5ea-f7a5-473b-9fd0-1d06a9223f0c%40googlegroups.com.

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[Andrew Sullivan]

On Monday, 11 May 2020 12:08:22 UTC+1, unman wrote:
>
> On Mon, May 11, 2020 at 02:31:52AM -0700, Andrew Sullivan wrote: 
> > Sorry if I have double-posted this... 
> > 
> > The link to "multiboot" seems to refer to a conventional dual-boot 
> > installation, where the two OSs are on the same disc.  If the OSs were 
> > installed n physically separate (internal) drives, would this mitigate 
> the 
> > risk (accepting that /boot would be exposed)? 
> > 
> > Probably a naive idea, but is it possible to somhow "switch off" or 
> > inactivate one disc (short of physically removing it)? 
> > 
> > On Monday, 11 May 2020 10:11:47 UTC+1, dhorf-hfr...@hashmail.org wrote: 
> > > 
> > > On Mon, May 11, 2020 at 01:48:58AM -0700, matteochi...@gmail.com 
> > >  wrote: 
> > > 
> > > > Firstly, is it safe to have Windows and Qubes on the same machine? I 
> > > > use VeraCrypt for full disc encryption 
> > > 
> > > veracrypt does not support actual full disc encryption. 
> > > 
> > > 
> > > > Also, I've got a 2TB external HDD, would it be safer to run Qubes 
> from 
> > > > that and keep Windows on my internal drive or is that worse? 
> > > 
> > > if that HDD is connected via USB, i would not recommend installing 
> > > qubes to it. 
> > > while both "install to usb" and "install to hdd" are supported, they 
> > > have major drawbacks. 
> > > 
> > > 
> > > > I want to keep maximum security and keep Windows and Qubes seperate. 
> > > 
> > > this is not possible. 
> > > if you multiboot, you are very far from "maximum security". 
> > > 
> > > 
> > > > Any answers to questions or installation guidance is greatly 
> > > 
> > > https://www.qubes-os.org/doc/multiboot/ 
> > > 
>
>
> Not *double* but *top-posted*. Please don't do this. 
>
> It's not a naive idea - it's a good one. Depending on your machine you 
> may be able to find ways to do this, by installing a kill switch, or by 
> BIOS configuration. 
> You may find that your BIOS allows you to disable certain devices pre 
> boot, and this may enable you to switch between active disks. Have a 
> look.(Depending on what's available this may determine what sort of disk 
> you use to install Qubes) 
> I have an x230 with some extra hardware switches installed to allow for 
> device isolation. With minimal skills you could do the same yourself. 
> Take a look at what's already there and have a think about what you 
> might manage to do. If it's important enough you'll find a way. 
>

Not *double* but *top-posted*. Please don't do this. - oops, sorry; is this 
the right place?

When I get a suitable laptop (I have a separate post on this) I'll look 
into that.  Are you able to share
how you implemented hardware switches on your X230? Do you find the X230 
"man enough" to run Qubes?  They're not expensive...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c0c67440-0541-4a9f-abbd-3d3be78fd49d%40googlegroups.com.

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[taran1s]

unman:
> On Mon, May 11, 2020 at 02:31:52AM -0700, Andrew Sullivan wrote:
>> Sorry if I have double-posted this...
>>
>> The link to "multiboot" seems to refer to a conventional dual-boot 
>> installation, where the two OSs are on the same disc.  If the OSs were 
>> installed n physically separate (internal) drives, would this mitigate the 
>> risk (accepting that /boot would be exposed)?
>>
>> Probably a naive idea, but is it possible to somhow "switch off" or 
>> inactivate one disc (short of physically removing it)?
>>
>> On Monday, 11 May 2020 10:11:47 UTC+1, dhorf-hfr...@hashmail.org wrote:
>>>
>>> On Mon, May 11, 2020 at 01:48:58AM -0700, matteochi...@gmail.com 
>>>  wrote: 
>>>
 Firstly, is it safe to have Windows and Qubes on the same machine? I 
 use VeraCrypt for full disc encryption 
>>>
>>> veracrypt does not support actual full disc encryption. 
>>>
>>>
 Also, I've got a 2TB external HDD, would it be safer to run Qubes from 
 that and keep Windows on my internal drive or is that worse? 
>>>
>>> if that HDD is connected via USB, i would not recommend installing 
>>> qubes to it. 
>>> while both "install to usb" and "install to hdd" are supported, they 
>>> have major drawbacks. 
>>>
>>>
 I want to keep maximum security and keep Windows and Qubes seperate. 
>>>
>>> this is not possible. 
>>> if you multiboot, you are very far from "maximum security". 
>>>
>>>
 Any answers to questions or installation guidance is greatly 
>>>
>>> https://www.qubes-os.org/doc/multiboot/ 
>>>
> 
> 
> Not *double* but *top-posted*. Please don't do this.
> 
> It's not a naive idea - it's a good one. Depending on your machine you
> may be able to find ways to do this, by installing a kill switch, or by
> BIOS configuration.
> You may find that your BIOS allows you to disable certain devices pre
> boot, and this may enable you to switch between active disks. Have a
> look.(Depending on what's available this may determine what sort of disk
> you use to install Qubes)
> I have an x230 with some extra hardware switches installed to allow for
> device isolation. With minimal skills you could do the same yourself.
> Take a look at what's already there and have a think about what you
> might manage to do. If it's important enough you'll find a way.
> 

This is quite interesting. Could you be more specific about the extra HW
switches you made for the device isolation? The X230 as far as I
remember has built in HW kill switch for wifi.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/16a60727-ae0d-13fb-1fa7-ce476f3011aa%40mailbox.org.


0xA664B90BD3BE59B3.asc
Description: application/pgp-keys

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[unman]

On Mon, May 11, 2020 at 02:31:52AM -0700, Andrew Sullivan wrote:
> Sorry if I have double-posted this...
> 
> The link to "multiboot" seems to refer to a conventional dual-boot 
> installation, where the two OSs are on the same disc.  If the OSs were 
> installed n physically separate (internal) drives, would this mitigate the 
> risk (accepting that /boot would be exposed)?
> 
> Probably a naive idea, but is it possible to somhow "switch off" or 
> inactivate one disc (short of physically removing it)?
> 
> On Monday, 11 May 2020 10:11:47 UTC+1, dhorf-hfr...@hashmail.org wrote:
> >
> > On Mon, May 11, 2020 at 01:48:58AM -0700, matteochi...@gmail.com 
> >  wrote: 
> >
> > > Firstly, is it safe to have Windows and Qubes on the same machine? I 
> > > use VeraCrypt for full disc encryption 
> >
> > veracrypt does not support actual full disc encryption. 
> >
> >
> > > Also, I've got a 2TB external HDD, would it be safer to run Qubes from 
> > > that and keep Windows on my internal drive or is that worse? 
> >
> > if that HDD is connected via USB, i would not recommend installing 
> > qubes to it. 
> > while both "install to usb" and "install to hdd" are supported, they 
> > have major drawbacks. 
> >
> >
> > > I want to keep maximum security and keep Windows and Qubes seperate. 
> >
> > this is not possible. 
> > if you multiboot, you are very far from "maximum security". 
> >
> >
> > > Any answers to questions or installation guidance is greatly 
> >
> > https://www.qubes-os.org/doc/multiboot/ 
> >


Not *double* but *top-posted*. Please don't do this.

It's not a naive idea - it's a good one. Depending on your machine you
may be able to find ways to do this, by installing a kill switch, or by
BIOS configuration.
You may find that your BIOS allows you to disable certain devices pre
boot, and this may enable you to switch between active disks. Have a
look.(Depending on what's available this may determine what sort of disk
you use to install Qubes)
I have an x230 with some extra hardware switches installed to allow for
device isolation. With minimal skills you could do the same yourself.
Take a look at what's already there and have a think about what you
might manage to do. If it's important enough you'll find a way.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2020050817.GB13469%40thirdeyesecurity.org.

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[unman]

On Mon, May 11, 2020 at 11:11:42AM +0200, dhorf-hfref.4a288...@hashmail.org 
wrote:
> On Mon, May 11, 2020 at 01:48:58AM -0700, matteochicarella...@gmail.com wrote:
> 
> > Firstly, is it safe to have Windows and Qubes on the same machine? I
> > use VeraCrypt for full disc encryption
> 
> veracrypt does not support actual full disc encryption.
> 

Really? It looks to me as if it does, and if you extract the loader from
the MBR and use it elsewhere, cleaning the MBR, it looks good to me.

> 
> > Also, I've got a 2TB external HDD, would it be safer to run Qubes from
> > that and keep Windows on my internal drive or is that worse?
> 
> if that HDD is connected via USB, i would not recommend installing
> qubes to it.
> while both "install to usb" and "install to hdd" are supported, they
> have major drawbacks.

perhaps you could expand on this? Do you mean security drawbacks, or
usability? 
I often run Qubes from usb, both installed and live versions, and dont
hit *major* issues. 

> 
> > I want to keep maximum security and keep Windows and Qubes seperate.
> 
> this is not possible.
> if you multiboot, you are very far from "maximum security".
> 

What are the risks here? They will depend on how your system is
configured, and what sort of attack you are open to. And "maximum
security" will change according to your use case.

If you think that it is likely that your machine will be taken, and the
information extracted and used against you, then you will need different
security measures from the case where you are worried about a drive by
attack from a script kiddie.
Assess the risk, and plan accordingly.

> 
> > Any answers to questions or installation guidance is greatly
> 
> https://www.qubes-os.org/doc/multiboot/
> 

+1

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200511105852.GA13469%40thirdeyesecurity.org.

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[matteochicarella . uk]

Thank you for the info

I though VeraCrypt was one of the most secure programs for full disc 
encryption. I know this isn't a Qubes question but do you possibly know a 
better option? Thanks

Also, do you reckon it would be safer to install Qubes on an external drive via 
USB/install it internally alongside Windows or would it be better to use Whonix 
vm in Windows Virtualbox. I mean in regards to file security.

Sorry for the bother, I know these aren't Qubes questions but you clearly 
understand things well. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ec28921f-4d67-43c6-a8ec-2dd044733be6%40googlegroups.com.

[qubes-users] Choice of hardware for Qubes...

[Andrew Sullivan]

Good morning

I plan to try Qubes, with a view to maybe using it as my main OS.  Happily 
I also need to update my laptop.

I've been looking at the HCL, and see that Dell and Lenovo machines seem to 
rate quite well.  The Dell Outlet web site has some (apparently) compatible 
machines at what look like good prices, and maybe buying from them might be 
safer than Amazon/eBay (I'm in the UK btw).  Two that I am considering are:

Latitude E5470 - claimed to be fully compatible with R4.0, can install 32GB 
RAM, but only has a 14" (FHD) screen, might take a second 2242-format SSD 
(although mixed reports on this)

M4800 - bit of a monster, but portability isn't really an issue; also takes 
32GB RAM, lots of potential storage space, 15" screen (it won't be the QHD 
screen).

Any thoughts would be appreciated.

TIA

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e69d48c0-0db3-4ee0-8dae-bcffe1307f52%40googlegroups.com.

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[Andrew Sullivan]

Sorry if I have double-posted this...

The link to "multiboot" seems to refer to a conventional dual-boot 
installation, where the two OSs are on the same disc.  If the OSs were 
installed n physically separate (internal) drives, would this mitigate the 
risk (accepting that /boot would be exposed)?

Probably a naive idea, but is it possible to somhow "switch off" or 
inactivate one disc (short of physically removing it)?

On Monday, 11 May 2020 10:11:47 UTC+1, dhorf-hfr...@hashmail.org wrote:
>
> On Mon, May 11, 2020 at 01:48:58AM -0700, matteochi...@gmail.com 
>  wrote: 
>
> > Firstly, is it safe to have Windows and Qubes on the same machine? I 
> > use VeraCrypt for full disc encryption 
>
> veracrypt does not support actual full disc encryption. 
>
>
> > Also, I've got a 2TB external HDD, would it be safer to run Qubes from 
> > that and keep Windows on my internal drive or is that worse? 
>
> if that HDD is connected via USB, i would not recommend installing 
> qubes to it. 
> while both "install to usb" and "install to hdd" are supported, they 
> have major drawbacks. 
>
>
> > I want to keep maximum security and keep Windows and Qubes seperate. 
>
> this is not possible. 
> if you multiboot, you are very far from "maximum security". 
>
>
> > Any answers to questions or installation guidance is greatly 
>
> https://www.qubes-os.org/doc/multiboot/ 
>
>
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6f036494-8cae-4c78-bb35-007a33c6fe77%40googlegroups.com.

Re: [qubes-users] Can I have Windows & Qubes on the same laptop?

[dhorf-hfref . 4a288f10]

On Mon, May 11, 2020 at 01:48:58AM -0700, matteochicarella...@gmail.com wrote:

> Firstly, is it safe to have Windows and Qubes on the same machine? I
> use VeraCrypt for full disc encryption

veracrypt does not support actual full disc encryption.


> Also, I've got a 2TB external HDD, would it be safer to run Qubes from
> that and keep Windows on my internal drive or is that worse?

if that HDD is connected via USB, i would not recommend installing
qubes to it.
while both "install to usb" and "install to hdd" are supported, they
have major drawbacks.


> I want to keep maximum security and keep Windows and Qubes seperate.

this is not possible.
if you multiboot, you are very far from "maximum security".


> Any answers to questions or installation guidance is greatly

https://www.qubes-os.org/doc/multiboot/




-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200511091142.GF1079%40priv-mua.

[qubes-users] Can I have Windows & Qubes on the same laptop?

[matteochicarella . uk]

Hello, I'm looking to get started on Qubes and can't quite find the answer I'm 
looking for in the documentation.

I have a Windows 10 laptop and I'm looking to keep Windows as my main OS but I 
want to have Qubes also installed as a seperate OS.

Firstly, is it safe to have Windows and Qubes on the same machine? I use 
VeraCrypt for full disc encryption

Also, I've got a 2TB external HDD, would it be safer to run Qubes from that and 
keep Windows on my internal drive or is that worse?

Is there anything special about what I want to do (eg do I have to do something 
differently) I want to keep maximum security and keep Windows and Qubes 
seperate.

Any answers to questions or installation guidance is greatly appreciated, 
thanks for your time and help.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1295126e-3789-4b6b-b37a-e677dde83a63%40googlegroups.com.

Re: [qubes-users] Qubes better dove tailed for Journalists, and Human Rights Workers.

[Mark Fernandes]

On Saturday, 9 May 2020 22:03:15 UTC+1, Steve Coleman wrote:
>
>
> On Fri, May 8, 2020 at 7:13 PM Catacombs > 
> wrote:
>
>> A Journalist or a Human Rights investigator, I think are more comfortable 
>> with ease of use, not secure.  
>>
>  
> There is always a trade-off between security and usability for sure.  .
>

I'll just throw-in my two-cents slightly-tangential opinion regarding 
Qube's usability.

I often say about my Chromebook, is that it might not be able to do as much 
as you can with a conventional PC, but what it does do, it does well. I 
think that kind of mindset is important when thinking about Qubes. If it's 
hard to do networking, or play videos, then maybe that should be tolerated, 
in light of it being able to do its other functions pretty well. Sometimes 
we have to work or think around problems, rather than thinking things like, 
I need to use my 3D-optimised hardware under Qubes, so Qubes must be 
further developed to cater for that.

Anyway, that's just my contributed opinion.


Kind regards,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5ac3641a-1064-4adb-abb4-c2d1f1de0742%40googlegroups.com.

Re: [qubes-users] Re: HCL - Latitude E6230

[dhorf-hfref . 4a288f10]

On Sun, May 10, 2020 at 06:00:49PM -0700, Catacombs wrote:
> am trying to find a USB Wireless Dongle which comes pre installed in
> the Kernel.  But.   

there is only exactly _one_ wifi usb dongle that is documented to 
work with qvm-usb (aka linux usbip) _and_ has a driver included 
in mainline kernel:

ID 7392:7811 Edimax Technology Co., Ltd EW-7811Un 802.11n Wireless
Adapter [Realtek RTL8188CUS]
Driver=rtl8192cu, 480M
https://www.amazon.de/gp/product/B003MTTJOY
2.4 GHz only, very compact, 8eur, mainline driver


other usb network devices that work with qvm-usb can be found here:
https://github.com/QubesOS/qubes-issues/issues/3778



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200511075046.GE1079%40priv-mua.