[qubes-users] Re: HCL - Dell XPS 15 9560

2020-07-12 Thread Luis Sotomayor
Hi,

Have the xps 9560 i7-770hq with integrated graphics card 1070.  Bios 
doesn't have a setting to disable the graphics card.  My Qubes install 
gets stuck on the video card.
Did try changing SATA to AHCI and Legacy Boot (only way it would boot) but 
no dice.
Can you explain more about the (modprobe.blacklist=nouveau)?

THX,

On Saturday, February 3, 2018 at 3:06:02 PM UTC-4 hotr...@gmail.com wrote:

> On Friday, February 2, 2018 at 5:49:50 PM UTC-6, hotr...@gmail.com wrote:
> > Legacy boot 
> > needed Kernel parm modprobe.blacklist=nouveau
>
> Hi,
>
> Qubes 4.0 rc4 is the only OS on the machine right now. I don't use Windows!
> Set SATA to AHCI
> Set Legacy Boot mode
>
> Got "soft lockup - CPU#0 stuck for 23s!" messages and loop.
> At the blue GRUB(I think?) screen, hit tab and added 
> modprobe.blacklist=nouveau
>
> Installation completed successfully.
>
> So far, only spent about an hour testing.
> WIFI works,
> Video(intel GPU) and sound work.
> Startup and Shutdown work fine.
>
> The HiDPI screen renders everything very small, been working on scaling 
> the desktop.
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f40c1853-6524-472c-b2f2-4d987521bd46n%40googlegroups.com.


[qubes-users] YouTube Sound & Video

2020-07-12 Thread Pmonf
I recently installed Qubes 4.0.3 on a new Thinkpad E15 with an Intel 
i-5-10210U with 16GB ram with a 512SSD. I have two problems I have not yet 
resolved:

 1. There is no sound on, for instance, youtube videos and the 
framerate is very slow. It doesn't matter what template I use to access the 
browser.

 2. The touchpad and mouse pointer movement is not smooth and "hops" 
across the screen in all domains.

I have played with the Pulse Audio controls without success. If anyone 
knows of a fix for either problem, please let me know.

Thanks!



[qubes-users] Re: Does qubes protect against all firmware viruses ?

2020-07-12 Thread tomas . schutz707
I am still looking into this, it is a lot to think of. Do you know any 
sites where there is threat modeling for the average user? I was trying dozens of 
phrases... and I didn't find any threat model website. Everything only for 
companies and developers, which were completely useless, I even banned 
these words in my search...



[qubes-users] Re: HCL - Lenovo ThinkPad W520

2020-07-12 Thread pokhojo
I have the W520 with CPU type i7-2630QM and Nvidia Quadro 2000M (Lenovo 
4284-E78).
https://ark.intel.com/content/www/us/en/ark/compare.html?productIds=52219,53474

This laptop version doesn't have VT-d, but I completed the installation of 
Qubes R4.0.3 even though there was a warning about this. 
When booting the system however, the laptop screen goes black and I can't 
see what's going on. 

Any suggestions?

On Friday, 6 January 2017 21:42:53 UTC+1, Andreas wrote:
>
> Amazing work, Qubes developers. Thank you!
>
>
>
>
>



[qubes-users] Can’t get rid of black screen

2020-07-12 Thread shamaarmartin96
I turned off auto start, rebooted, turned it back on, rebooted again. Now I have 
what appears to be a command screen but I can’t interact with it. The screen is 
blocking the qubes icon and I keep restarting it and it lets me type for a 
second then disappears back to a black screen. I would reinstall but I didn’t 
back up the wallet on this qube. Any advice would be helpful. Thanks.



[qubes-users] saltstack used to update firefox profile

2020-07-12 Thread liked2

Hi,

I'm trying to build up my AppVms with saltstack and am currently stuck with 
updating my firefox profile because it's located in a randomly generated 
directory (where xxx are random alpha-numerics):
/home/user/.mozilla/firefox/xxx.default-release/prefs.js

1st try with file.append from saltstack seems not to work with wildcards:

/home/user/.mozilla/firefox/*.default-release/prefs.js:
  file.append:
    - text:
  - user_pref("browser.startup.homepage", "https://www.ecosia.org/");

2nd try with a for loop also fails:

{% for file in salt[cmd.run']('ls -l 
/home/user/.mozilla/firefox/*.default-release/prefs.js') %}
{{ file }}
{ file.find type=f 
name='/home/user/.mozilla/firefox/*.default-release/prefs.js' }
  file.append:
    - text:
  - user_pref("browser.startup.homepage", "https://www.ecosia.org/");
{% endfor %}


Do you have a 3rd working example/suggestion?


Thanks in advance! P.
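
An added example, not part of the original post and not Qubes or Salt project code: a shell function that resolves the `*.default-release` glob itself and sets the preference idempotently, so it can be run inside the AppVM. The function name `set_firefox_pref` is hypothetical, and writing to `user.js` (which Firefox reads from the profile directory at startup) instead of `prefs.js` (which Firefox rewrites itself) is this example's choice.

```shell
#!/bin/sh
# Added example: set one Firefox preference in every "*.default-release"
# profile under a base directory. Assumes the pref name and value contain
# no double quotes or backslashes.

# set_firefox_pref BASE_DIR PREF_NAME PREF_VALUE
# Prints the number of profiles changed; returns 1 if no profile matched.
set_firefox_pref() {
    base=$1
    name=$2
    value=$3
    line="user_pref(\"$name\", \"$value\");"
    changed=0
    found=0
    for dir in "$base"/*.default-release; do
        # An unmatched glob stays literal in sh, so test that it is a directory.
        [ -d "$dir" ] || continue
        found=1
        file="$dir/user.js"
        # Idempotent: nothing to do when the exact line is already present.
        if [ -f "$file" ] && grep -qxF "$line" "$file"; then
            continue
        fi
        # Drop any older setting of the same pref, then append the new one.
        if [ -f "$file" ]; then
            grep -vF "user_pref(\"$name\"," "$file" > "$file.tmp" || true
            mv "$file.tmp" "$file"
        fi
        printf '%s\n' "$line" >> "$file"
        changed=$((changed + 1))
    done
    echo "$changed"
    [ "$found" -eq 1 ]
}

# Demo on a constructed profile tree (not a real Firefox profile).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ab12cd34.default-release" "$tmp/zz99.default"
    set_firefox_pref "$tmp" browser.startup.homepage "https://www.ecosia.org/"
    cat "$tmp/ab12cd34.default-release/user.js"
    rm -rf "$tmp"
}
demo
```

In the AppVM the base directory would be `/home/user/.mozilla/firefox`, as given in the post.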



[qubes-users] Re: Security benefits of rootless template VMs

2020-07-12 Thread dmoerner
On Friday, July 10, 2020 at 4:18:30 AM UTC-4, Alex Lu wrote:
>
> Is having like 5 templateVMs 4 of which have no root is better than having 
> 1 templateVM 
> which have root and in charge of every appVM?
>

There is one potential disadvantage to this setup: Will you actually bother 
to keep all those templates updated? Especially if some of them have no 
root, some have sudo prompts, and some have sudo access without prompts, it 
starts to become a real pain. You have to keep in mind the human cost to 
managing this kind of complexity, even with nice new tools like Qubes 
Update.



[qubes-users] Re: DisposableVM Help

2020-07-12 Thread fiftyfourthparallel

On Sunday, 12 July 2020 07:40:58 UTC+8, Robert Spigler wrote:
>
> I have a debian-10-dvm and a whonix-ws-15-dvm.  I also had a 
> fedora-30-dvm, but when upgrading to fedora-32, I followed "Creating a New 
> DisposableVM Template" here: (
> https://www.qubes-os.org/doc/disposablevm-customization/), so no longer 
> have the fedora-30-dvm. Instead, I have a custom-disposablevm-template 
> based on fedora-32. I would prefer to rename this to 
> fedora-32-dvm-template, but renaming fails with 'Failed to clone appmenus'.
>
> My main question/problem is that unlike the debian-10-dvm and 
> whonix-ws-15-dvm, opening an application in fedora-32-dvm-template does not 
> open a disposableVM (disp), instead it opens 
> 'custom-disposablevm-template'.  IIUC, that is because I am supposed to 
> create fedora-32-dvm from the dvm-template.  But I cannot figure out how to 
> do that.  It is set as the default disposableVM template, so opening files 
> through the GUI in a disposableVM will open them in a disposableVM based on 
> fedora-32, but I would still like to be able to open an application through 
> the GUI/start menu in a fedora-32-dvm.
>
> What I am also having trouble understanding is what dvm-template is the 
> debian-10-dvm and whonix-ws-15-dvm based on? I know Qubes4.0 introduced 
> multiple DVMTemplates, but I don't see any other DVMTemplates listed under 
> the start menu.  In Qubes Manager, debian-10-dvm and whonix-ws-15-dvm are 
> marked as being their own DVMTemplates? But also DVM's themselves?
>
> Thank you,
>
> Robert
>

I read about this particular bug in whonix DVM that's possibly relevant: 

> Use caution when spawning a DispVM for the first time when it is based on 
> a freshly created DVM Template. This Qubes bug can lead to the DVM Template 
> starting instead of the DispVM. [29] [30] There could be serious 
> consequences if an application like Tor Browser was started in a DVM 
> Template and used extensively for web browsing. Compromise of the DVM 
> Template would mean all DispVMs spawned from it would be similarly 
> compromised; see Running Tor Browser in Qubes TemplateVM.

https://www.whonix.org/wiki/Qubes/DisposableVM



Re: [qubes-users] vCPUs count over-booking

2020-07-12 Thread Claudio Chinicz
Hi unman, thank you for the detailed explanation. Regards



Re: [qubes-users] Qubes Methodology

2020-07-12 Thread unman
On Fri, Jul 10, 2020 at 01:27:04PM +, 'qubesanon' via qubes-users wrote:
> Hello! I am looking for guidance in how best to set up my Qubes. I understand 
> that it's a very personal decision but having a methodology for how to 
> navigate the tradeoffs with an individual's personal philosophy seems prudent.
> 
> I believe that it's best to start with different types of threats that Qubes 
> may help you protect against. I am not a security expert, so please forgive 
> the informality of my description here as well as gross errors/omissions. 
> Corrections are very welcome.
> 
> 1. Malicious software: A user wishes to reduce the harm/access of malicious 
> hardware.
> Solution: Execute malicious software in a VM only with access to data that 
> the user is willing to risk.
> 
> 2. Malicious install script: While install scripts are smaller and easier to 
> audit, they are typically run as root.
> Solution: Install software in standalone VM. Consider that VM compromised 
> from inception.
> 
> 3. Tracking based on cookies/ad networks: privacy is undermined because your 
> behavior is correlated across seemingly unrelated websites you visit.
> Solution: Separate VMs (and/or use disposable VMs) for different types of web 
> browsing. Use a search engine that does not track you.
> 
> 4. Tracking based on IP.
> Solution: Use Whonix/TOR or a VPN. Use a search engine that does not track 
> you.
> 
> 5. Theft of data from hardware.
> Solution: Store in VM without network access. The data may need to be 
> acquired from a VM with network access, but keeping it at rest on a 
> non-network VM is still beneficial.
> 
> Personally, I find the tracking threats (3 and 4) to be the most challenging 
> to wrap my head around. Ideally, I would want as much traffic as possible 
> going through Whonix. And that which can't may want a different VM for each 
> website visited. While that approach is extreme and onerous both on myself 
> and my machine's precious resources, I find it difficult to determine where 
> to draw the line between caution and convenience.
> 
> Some questions that might help bring clarity:
> 
> - Under what circumstances would I want to use a different VM for my email 
> and for my financial accounts?
> - Under what circumstances would I want to use a different VM for my email 
> and for my shopping?
> 
> Thanks!
> 

Brief response:

Besides considering the types of threats you should start by considering
the way you live your digital life - this is implicit in your questions,
but I would make it explicit.

Draw the line between caution and convenience wherever it works for you.
It has to work, or you will find yourself ignoring your own guidelines.

Start by sketching out the areas of your life, and then allocate
qubes/colours to those areas. This will help you to decide how many
qubes you need. I always suggest starting big - you can always merge and
cut down after. It's much better to merge than retrospectively split.
Use background colours to match the ones you choose - force windows to
specific desktops - much easier in KDE, but doable in Xfce (I think).
Use different templates for different purposes.
Use many different disposableVMTemplates, and use the disposableVMs
systematically, allocated to different areas.
Use Tor.
Use Multiple Tor gateways systematically.
Randomly change things around in sensitive online areas.
Store data in offline qubes based on mini templates. Storing data
carries a minimal risk. Always *open* that data in an offline
disposableVM.

On your specific questions:
1. Always. That way an attacker can't leverage your email to get your
financial details/logins etc.
It follows that you should probably have different email qubes for
different accounts to keep your financial emails separate from your
other emails.

2. The same answer as 1 - except that the risk of being attacked by
shopping sites is probably higher than by banking sites, so here the
risk runs both ways. Leveraging email to get access to your shopping
habits etc, and leveraging a website to get access to your emails.

unman




Re: [qubes-users] Possibility to detect suspend events in VM?

2020-07-12 Thread unman
On Fri, Jul 10, 2020 at 01:04:40PM +0200, Phil Kn??fer wrote:
> Hi,
> 
> when accessing an SMB share in a Qubes AppVM after the system has been
> suspended for some time, I experience a serious lag (up to about a
> minute or so for each share that is mounted from the same SMB server).
> This seems to be due to the fact that the server has already timed out
> the SMB session, while the client (the AppVM) is still trying to resume
> it and therefore runs in TCP timeouts.
> 
> For bare-metal Linux systems, a possible solution is to unmount all SMB
> shares before the system goes into suspend (e.g., via a script in
> /usr/lib/systemd/system-sleep or via pm-utils).
> 
> I tried this approach in Qubes but it seems that the AppVMs do not know
> about a suspend event. Is there a way to trigger scripts on suspend in
> Qubes AppVMs or do I need to coordinate the SMB unmount from dom0 (it
> should be possible to trigger a script there that interacts with VMs via
> qvm-run or similar)?
> 
> 
> Regards,
> Phil
> 
> 

I think that the dom0 route is the way to go - it's what I use myself.
If you did find a way in the qube of detecting such events, I'd be
interested.



Re: [qubes-users] Security benefits of rootless template VMs

2020-07-12 Thread unman
On Fri, Jul 10, 2020 at 08:18:20AM +, Alex Lu wrote:
> I've been thinking about splitting my templateVMs into a bunch of smaller
> ones with no root access where I don't need it. Is having like 5 templateVMs
> 4 of which have no root is better than having 1 templateVM which have root
> and in charge of every appVM? Or there is no security benefits considered I
> never do anything in templateVMs, besides installing packages, all of which
> are from official repos?
> 
> Alex
> 

The purported security benefit is that if the qube is compromised it
will be more difficult for the attacker to use root commands.
The Qubes position is that this benefit is illusory, in that if an
attacker is able to compromise your qube in the first place they will be
able to get root, even if `su` is not available.
Take a look at /etc/sudoers.d/qubes.

That said, there is a clear benefit in using multiple templates, in that
you reduce the attack surface of each qube. Base your templates off
minimal templates and only install the packages you need for qubes that
will use that template.

unman



Re: [qubes-users] DisposableVM Help

2020-07-12 Thread unman
On Sat, Jul 11, 2020 at 04:40:57PM -0700, Robert Spigler wrote:
> I have a debian-10-dvm and a whonix-ws-15-dvm.  I also had a fedora-30-dvm, 
> but when upgrading to fedora-32, I followed "Creating a New DisposableVM 
> Template" here: (https://www.qubes-os.org/doc/disposablevm-customization/), 
> so no longer have the fedora-30-dvm. Instead, I have a 
> custom-disposablevm-template based on fedora-32. I would prefer to rename 
> this to fedora-32-dvm-template, but renaming fails with 'Failed to clone 
> appmenus'.
> 
> My main question/problem is that unlike the debian-10-dvm and 
> whonix-ws-15-dvm, opening an application in fedora-32-dvm-template does not 
> open a disposableVM (disp), instead it opens 
> 'custom-disposablevm-template'.  IIUC, that is because I am supposed to 
> create fedora-32-dvm from the dvm-template.  But I cannot figure out how to 
> do that.  It is set as the default disposableVM template, so opening files 
> through the GUI in a disposableVM will open them in a disposableVM based on 
> fedora-32, but I would still like to be able to open an application through 
> the GUI/start menu in a fedora-32-dvm.
> 
> What I am also having trouble understanding is what dvm-template is the 
> debian-10-dvm and whonix-ws-15-dvm based on? I know Qubes4.0 introduced 
> multiple DVMTemplates, but I don't see any other DVMTemplates listed under 
> the start menu.  In Qubes Manager, debian-10-dvm and whonix-ws-15-dvm are 
> marked as being their own DVMTemplates? But also DVM's themselves?
> 
> Thank you,
> 
> Robert
> 

Hi Robert,

As you say, Qubes 4.0 allowed for the use of many DVMTemplates - any
qube can be used as the basis for disposableVMs.
So the debian-10-dvm is not based on a dvm-template - it *is* a
dvm-template, a qube using the debian-10 template which has had the
`template_for_dvms` flag set.
That's all there is to it.

In your case, I suspect that the appmenus have not been correctly set,
so that they still refer to 'custom-disposablevm-template', instead of
using that as the basis for a disposableVM.
You can try running the command
 `qvm-features custom-disposablevm-template appmenus-dispvm 1`, although
there was an open issue about this command failing in some cases.

In dom0, (and therefore the menus), the difference is between:
qvm-run custom-disposablevm-template --service qubes.StartApp+xterm
and
qvm-run --dispvm=custom-disposablevm-template --service qubes.StartApp+xterm

hth

unman



Re: [qubes-users] vCPUs count over-booking

2020-07-12 Thread unman
On Sat, Jul 11, 2020 at 11:44:34AM -0700, Claudio Chinicz wrote:
> Hi,
> 
> I noted that my sum total of vCPUs is larger than the actual number of vCPUs.
> 
> Maybe Xen works at the minimum in order to keep sum total of vCPUs within 
> limits?
> 
> One thing I tried was to disable VT-x and then HVMs (min and max vCPUs is the 
> same) would not start.
> 
> Any ideas of how Xen manages vCPUs within the limits of the processor?
> 
> Regards
> 

Interesting question, Claudio.
As I understand it Xen allows you to create an arbitrary number of vCPUs,
unrelated to the actual number of pCPUs you have. As you allocate more
vCPUs the system will start scheduling calls to the pCPUs and this may
impact performance. I don't think that disabling VT-x will impact this,
and as you have discovered it means that HVMs will not function.
To work around the limit you may find it useful to reduce the number
of vCPUs in most "ordinary" qubes to 1. You can also limit the number
that dom0 uses, with the `dom0_max_vcpus` parameter at boot.
If you have processor intensive qubes, you can then try allocating
specific vCPUs to that qube - this is called "pinning". In Xen this can
be done with the `xl vcpu-pin` command. You can make a pin hard, "MUST
use this CPU", or soft, "PREFERS to use this CPU".
By default Qubes makes all qubes hard/soft pin to all CPUs.
If you think that you are being impacted by the scheduler, you can try
pinning on processor intensive qubes and see if it helps. There used to
be a health warning saying that pinning caused as many problems as it
(may) solve, so try at your own risk.

unman
