[qubes-users] Setting block.no_part_scan=no on sys-usb’s command line does not work
I am trying to disable automatic partition scanning in sys-usb, and tried including block.no_part_scan=no in sys-usb’s kernelopts. However, it had no effect. `block.no_part_scan=0` also doesn’t work. Did I make a mistake in the command line?

Sincerely,
Demi

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f27e6521-536d-6fc0-b5d1-f446b5a131a7%40gmail.com.

[qubes-users] Privilege escalation in Arch templates
The Arch package management system, Pacman, relies on a secret, per-machine master key readable only by root. This is used to sign the other Arch root signing keys. Anyone with access to the secret part of the master key can present packages that Pacman will trust, and thus execute arbitrary code as root.

In typical use, this is fine, since the master key is securely generated and only readable by root. This is normally sufficient to prevent the secret part of the key from being accessed by unauthorized parties.

However, in QubesOS, this is not sufficient. The master key is stored on the root volume, so it is accessible to all AppVMs based on the TemplateVM. Anyone who compromises one of these AppVMs can dump the secret master key. If they can then perform an on-path attack on the update process, this allows them to execute arbitrary code on the TemplateVM.

To fix this vulnerability, it is necessary to ensure that the master signing key is securely deleted after it has been generated. This can be accomplished by placing /etc/pacman.d/gnupg/private-keys-v1.d on a tmpfs, both while building and running the template. Pacman will produce warnings about not being able to sign the master key, but these are not fatal.

Sincerely,
Demi

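Added example (not part of the original post, and not Qubes or Arch project code): a shell check for the condition the message above describes, reporting whether pacman's secret-key directory is backed by tmpfs or holds key files on the root volume. It assumes GnuPG's layout of one <keygrip>.key file per secret key; the function name, its two parameters and the status words are made up for this example.

```shell
#!/bin/sh
# Added example: report whether pacman's secret keyring directory is backed by
# tmpfs, or else whether secret key files sit on the (shared) root volume.
# Assumption: GnuPG keeps secret keys as <keygrip>.key files in this directory.
KEYDIR_REL="etc/pacman.d/gnupg/private-keys-v1.d"

# audit_pacman_keyring ROOT MOUNTS   (hypothetical helper name)
#   ROOT   filesystem root to inspect: "/" on a running template,
#          or the mount point of an offline-mounted template root image
#   MOUNTS mount table in /proc/mounts format
# Prints "tmpfs", "empty" or "exposed"; exit status is 1 only for "exposed".
audit_pacman_keyring() {
    root=${1%/}
    mounts=$2
    keydir="$root/$KEYDIR_REL"

    # Field 2 of /proc/mounts is the mount point, field 3 the filesystem type.
    if awk -v mp="$keydir" \
        '$2 == mp && $3 == "tmpfs" { hit = 1 } END { exit !hit }' "$mounts"
    then
        echo tmpfs
        return 0
    fi

    # Not on tmpfs: any *.key file here is persisted in the root volume,
    # which every AppVM based on this template can read.
    if [ -n "$(find "$keydir" -type f -name '*.key' 2>/dev/null | head -n 1)" ]
    then
        echo exposed
        return 1
    fi

    echo empty
    return 0
}

# Run against the live system only when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_pacman_keyring / /proc/mounts
fi
```

A "tmpfs" result on a running template says nothing about key files written to the underlying directory before the tmpfs was mounted; check those from an offline mount of the root image, where the function falls through to the file check.
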
[qubes-users] System76 Alder WS: no GUI output after leaving text mode
This may be due to driver problems. Is there a workaround?

Thank you,
Demi

[qubes-users] Installing QubesOS on a System76 with Coreboot
Has anyone had success installing QubesOS on a System76 laptop that uses Coreboot?

Thank you,
Demi Obenour

[qubes-users] Has anyone had a qube compromised?
In all of my time using QubesOS, I have never had reason to believe that a qube was compromised. Has anyone here had a qube compromised?

Sincerely,
Demi

[qubes-users] Can a compromised AppVM be made trustworthy by truncating its private volume?
If an AppVM is compromised, is truncating its private volume (which is documented) enough to restore it to a trustworthy state? Obviously, this loses all data on that volume, but the cases I have in mind are where a DispVM template was accidentally started itself, rather than a DispVM based on it.

Sincerely,
Demi

[qubes-users] Re: [qubes-devel] Announcement: Insurgo PrivacyBeast X230 Laptop meets and exceeds Qubes 4.0 hardware certification
On 7/19/19 12:19 AM, Andrew David Wong wrote:
> - Coreboot [6] initialization for the x230 is binary-blob-free,
>   including native graphic initialization. Built with the
>   Heads [7] payload, it delivers an Anti Evil Maid (AEM) [8]-like
>   solution built into the firmware. (Even though our requirements [4]
>   provide an exception for CPU-vendor-provided blobs for silicon and
>   memory initialization, Insurgo exceeds our requirements by insisting
>   that these be absent from its machines.)
>

Is the RAM vulnerable to Rowhammer attacks? My understanding is that recent motherboards mitigate these attacks by increasing the refresh rate, but I am not sure if this one can.

Sincerely,
Demi

[qubes-users] How risky is GPU pass-through?
Someone I know is interested in using QubesOS. However, they are also a gamer: if they could not have a Windows VM with access to a dedicated graphics card for use by games, then QubesOS is not an option for them.

How risky is GPU pass-through? My understanding is that on most laptops, the primary (internal) display is connected to the integrated GPU. Therefore, it appears to me that the risks are no more than pass-through of the USB, Ethernet, or wireless controllers, all of which QubesOS does by default.

[qubes-users] Changed permissions on /srv/ recursively, how can I recover?
I changed permissions on /srv/ recursively (I think they are 750 now? Not sure). This is preventing me from using salt:// in state files. What are the correct permissions for the stuff in that directory?

[qubes-users] How can I build a domU kernel module?
How can I build a kernel module for an AppVM? I would like to write some simple kernel modules, but I cannot figure out how to build them. I get:

    make[1]: *** No rule to make target 'tools/objtool/objtool', needed by '/home/user/kernel/wierd.o'. Stop.
    make: *** [Makefile:1507: _module_/home/user/kernel] Error 2
    make: Leaving directory '/usr/lib/modules/4.14.18-1.pvops.qubes.x86_64/build'
    make: *** [Makefile:5: default] Error 2

Makefile:

    obj-m := wierd.o
    KDIR := /lib/modules/$(shell uname -r)/build
    PWD := $(shell pwd)
    default:
    	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) help modules

Adding sudo to the inner make command has no effect.

Re: [qubes-users] HTTP proxy & firewall woes
On 02/21/2018 04:59 PM, Demi M. Obenour wrote:
>
> On 02/21/2018 08:36 AM, awokd wrote:
>> On Wed, February 21, 2018 12:55 pm, Demi Obenour wrote:
>>> Weird. Proxy logs indicate that the proxy never receives a CONNECT
>>> request from Firefox.
>>>
>>> On Feb 21, 2018 4:08 AM, "awokd" <aw...@danwin1210.me> wrote:
>>>
>>>> On Tue, February 20, 2018 5:09 pm, Demi M. Obenour wrote:
>>>>
>>>>> I use GMail and Thunderbird for email, and Firefox as my browser. I
>>>>> do email and GitHub from a different domain that is more trusted than
>>>>> others (it’s blue).
>>>>>
>>>>> I would love to restrict its networking abilities by using firewall
>>>>> rules or a filtering proxy. Sadly, I have not been able to do that without
>>>>> breaking at least GMail. For firewall rules, the culprit seems to be
>>>>> Google’s use of DNS load balancing, but I am not sure what is
>>>>> breaking for the filtering proxy. OCSP stapling?
>>>>>
>>>>> I would much prefer to be able to restrict network access, but I
>>>>> cannot break what needs to work. Does anyone have suggestions?
>>>> Probably OCSP stapling like you said. Some filtering proxies can be
>>>> configured to pass through SSL/TLS sessions unmolested, but then they
>>>> can't filter them by content. You might also try POP3/SMTP vs. IMAP
>>>> although Gmail probably uses the same types of certs for both.
>> Assuming you're on R3.2, have you seen
>> https://www.qubes-os.org/doc/config/http-filtering-proxy ?
>> https://www.qubes-os.org/doc/firewall might also be useful if you're
>> having firewall issues.
>>
> I did, and finally figured out the problem:
>
> Thunderbird does not support SMTP/IMAP/POP3 over an HTTP proxy, only
> over a SOCKS proxy. But the latter is not useful in this case, because
> a SOCKS5 proxy receives an IP address, not a domain name, and so cannot
> filter by domain name. Furthermore, Google uses many, many IP
> addresses, and rotates them frequently, so one cannot usefully filter by
> IP address.
>
> I am going to be reporting this as a Thunderbird bug — the fix is to use
> a CONNECT request for SMTP/IMAP/POP3 just as is done for TLS. In the
> meantime, I have had no choice but to enable all networking for that
> domain. I still gain some security benefit, because Firefox and
> Thunderbird honor the HTTP proxy settings, and so I cannot accidentally
> browse to a dangerous site by mistake.
>
> I wonder if Evolution would be a better choice than Thunderbird. It
> might not have this bug. Does it have a worse history when it comes to
> security?
>
> Demi

I just had a further thought: could I work around this? My thought was to use /etc/hosts to force Thunderbird to use a specific IP, then proxy that IP using a trivial C program using libcurl.

Demi

Re: [qubes-users] HTTP proxy & firewall woes
On 02/21/2018 08:36 AM, awokd wrote:
> On Wed, February 21, 2018 12:55 pm, Demi Obenour wrote:
>> Weird. Proxy logs indicate that the proxy never receives a CONNECT
>> request from Firefox.
>>
>> On Feb 21, 2018 4:08 AM, "awokd" <aw...@danwin1210.me> wrote:
>>
>>> On Tue, February 20, 2018 5:09 pm, Demi M. Obenour wrote:
>>>
>>>> I use GMail and Thunderbird for email, and Firefox as my browser. I
>>>> do email and GitHub from a different domain that is more trusted than
>>>> others (it’s blue).
>>>>
>>>> I would love to restrict its networking abilities by using firewall
>>>> rules or a filtering proxy. Sadly, I have not been able to do that without
>>>> breaking at least GMail. For firewall rules, the culprit seems to be
>>>> Google’s use of DNS load balancing, but I am not sure what is
>>>> breaking for the filtering proxy. OCSP stapling?
>>>>
>>>> I would much prefer to be able to restrict network access, but I
>>>> cannot break what needs to work. Does anyone have suggestions?
>>> Probably OCSP stapling like you said. Some filtering proxies can be
>>> configured to pass through SSL/TLS sessions unmolested, but then they
>>> can't filter them by content. You might also try POP3/SMTP vs. IMAP
>>> although Gmail probably uses the same types of certs for both.
> Assuming you're on R3.2, have you seen
> https://www.qubes-os.org/doc/config/http-filtering-proxy ?
> https://www.qubes-os.org/doc/firewall might also be useful if you're
> having firewall issues.
>

I did, and finally figured out the problem:

Thunderbird does not support SMTP/IMAP/POP3 over an HTTP proxy, only over a SOCKS proxy. But the latter is not useful in this case, because a SOCKS5 proxy receives an IP address, not a domain name, and so cannot filter by domain name. Furthermore, Google uses many, many IP addresses, and rotates them frequently, so one cannot usefully filter by IP address.

I am going to be reporting this as a Thunderbird bug — the fix is to use a CONNECT request for SMTP/IMAP/POP3 just as is done for TLS. In the meantime, I have had no choice but to enable all networking for that domain. I still gain some security benefit, because Firefox and Thunderbird honor the HTTP proxy settings, and so I cannot accidentally browse to a dangerous site by mistake.

I wonder if Evolution would be a better choice than Thunderbird. It might not have this bug. Does it have a worse history when it comes to security?

Demi

[qubes-users] HTTP proxy & firewall woes
I use GMail and Thunderbird for email, and Firefox as my browser. I do email and GitHub from a different domain that is more trusted than others (it’s blue).

I would love to restrict its networking abilities by using firewall rules or a filtering proxy. Sadly, I have not been able to do that without breaking at least GMail. For firewall rules, the culprit seems to be Google’s use of DNS load balancing, but I am not sure what is breaking for the filtering proxy. OCSP stapling?

I would much prefer to be able to restrict network access, but I cannot break what needs to work. Does anyone have suggestions?