Re: [qubes-users] Turn off quiet boot? [SOLVED]

2017-10-12 Thread Ron Hunter-Duvar

On 10/12/2017 12:37 AM, Patrik Hagara wrote:

On 10/12/2017 01:42 AM, Ron Hunter-Duvar wrote:

Does anyone know how to turn off QubesOs' quiet boot (splash
screen instead of kernel messages)?
...
This is with EFI booting. No grub (don't even have a grub.cfg file
in /boot).

Thanks,

Ron


Removing the "rhgb" (historically "Red Hat Graphical Boot") parameter
will result in defaulting to text boot instead of plymouth splash
screen. You can still switch back and forth by pressing Esc.

The "quiet" parameter, as you found out, only affects early kernel
boot messages (before initramfs is mounted and plymouth can be
started).


Cheers,
Patrik

Thanks, Patrik, that did the trick. Never thought to question what the 
"rhgb" was for.


Ron

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/01cb95ec-1be1-4574-91f7-e9598c1c07ff%40shaw.ca.
For more options, visit https://groups.google.com/d/optout.
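
The edit this thread arrives at (dropping both `quiet` and `rhgb` from the `kernel=` lines of xen.cfg), as an added example that is not part of either post. It matches whole tokens only, so other parameters and the `options=` line are left alone; the sample config, its placeholder names and the `example.quietmode=1` token are constructed for illustration.

```shell
#!/bin/sh
# Added example: drop the "rhgb" and "quiet" tokens from the kernel= lines of
# a xen.cfg-style file. Reads the file named in $1, prints the result.

# Constructed sample in the layout of an EFI xen.cfg. All names are
# placeholders; "example.quietmode=1" is a made-up token that contains the
# word "quiet" and must survive the edit.
sample_xen_cfg() {
    cat <<'EOF'
[global]
default=example-kernel

[example-kernel]
options=loglvl=all dom0_mem=min:1024M
kernel=vmlinuz-example root=/dev/mapper/qubes_dom0-root example.quietmode=1 rhgb quiet
ramdisk=initramfs-example.img
EOF
}

# Rewrite only kernel= lines, comparing whole whitespace-separated tokens.
strip_splash_params() {
    awk '
    /^kernel=/ {
        n = split($0, word, /[ \t]+/)
        line = word[1]
        for (i = 2; i <= n; i++)
            if (word[i] != "" && word[i] != "rhgb" && word[i] != "quiet")
                line = line " " word[i]
        print line
        next
    }
    { print }
    ' "$1"
}

# Count kernel= lines that still carry either token (0 means text boot).
count_splash_lines() {
    awk '
    /^kernel=/ {
        for (i = 2; i <= NF; i++)
            if ($i == "rhgb" || $i == "quiet") { hits++; break }
    }
    END { print hits + 0 }
    ' "$1"
}

# Demo on the constructed sample.
demo_cfg=$(mktemp)
sample_xen_cfg > "$demo_cfg"
echo "kernel= lines with splash parameters before: $(count_splash_lines "$demo_cfg")"
strip_splash_params "$demo_cfg" > "$demo_cfg.new"
echo "kernel= lines with splash parameters after:  $(count_splash_lines "$demo_cfg.new")"
grep '^kernel=' "$demo_cfg.new"
rm -f "$demo_cfg" "$demo_cfg.new"
```

Run it against a copy of the real file and compare the result with the original before replacing anything in the EFI partition.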


Re: [qubes-users] Error Creating Ubuntu VM in Qubes 3.2

2017-10-12 Thread Ron Hunter-Duvar
On October 12, 2017 4:25:29 PM MDT, Person wrote:
>I tried the former commands again, with “ls -lh” and “pwd”, but the
>terminal remained unresponsive, even if it was formerly responsive.
>
>So I tried changing the command around a little. The Qubes site
>mentions to enter this command: “qvm-run --pass-io  'cat
>/path/to/file_in_src_domain' > /path/to/file_name_in_dom0”, and I
>realized that I didn’t put in a desired path for the file in dom0. I
>tried using a directory in dom0 that I found, which was
>/home/user/Downloads. When I entered this command, dom0’s response was
>“Usage: qvm-run [options] [] []” and “qvm-run: error: Too
>many arguments”. I’m not too sure what this means, but I believe I
>somehow typed in the command wrong. I typed in “qvm-run —pass-io
>sys-net ‘cat /home/user/Downloads’ /home/user/Downloads”. (The first
>“/home/user/Downloads is the directory in sys-net and the second is the
>directory in dom0.)

Where you show the command you typed, you're missing the output redirection 
(the ">"). So instead of the shell doing the redirection to the file, it passes 
it as an argument to the qvm-run command, resulting in the error you got.

Ron



[qubes-users] Turn off quiet boot?

2017-10-11 Thread Ron Hunter-Duvar
Does anyone know how to turn off QubesOs' quiet boot (splash screen 
instead of kernel messages)?


I like to see the messages during boot (and shutdown). More than once 
I've caught a lurking problem (although it scrolls by fast, those red "[ 
FAILED ]" messages really stand out).


I've removed the "quiet" keyword from the "kernel=" lines in 
/boot/efi/EFI/qubes/xen.cfg, but that only gives me the first page or 
so, and still brings up the splash screen. Pressing Esc gets me back to 
the messages, but I'd like to have it stay there.


This is with EFI booting. No grub (don't even have a grub.cfg file in 
/boot).


Thanks,

Ron



Re: [qubes-users] kswapd0 using 100% CPU with not even a MB swap in use

2017-10-08 Thread Ron Hunter-Duvar

On 10/07/2017 04:29 AM, Holger Levsen wrote:

Hi,

so kswapd0 is using 100% CPU in one of my Qubes and this makes the fan spin
and noisy… and that Qube is hardly using any swap at all:

$ free
              total        used        free      shared  buff/cache   available
Mem:        1888212      776484      640712       70296      471016     1031616
Swap:       1048572         716     1047856

So I ran "sudo swapoff -a" (and "sudo swapon -a") and now zero swap is used but
kswapd0 is still busy swapping(?) and the fan is noisy and I wonder what to do…

Any hints / ideas?

(I know I could shut down the VM and restart it but I hope there's a better
solution / workaround.)



Two questions:
1. What's that Qube doing?
2. What's its max memory?

Just speculating, but if a Qube hits the max memory it's allowed by the 
dom0, would it start swapping, even if there was lots of memory 
available on the machine?


Ron



Re: [qubes-users] Re: Qubes 3.2 dnsmasq update?

2017-10-08 Thread Ron Hunter-Duvar
On October 7, 2017 10:43:55 PM MDT, Reg Tiangha <r...@reginaldtiangha.com> 
wrote:
>On 2017-10-07 1:19 PM, Ron Hunter-Duvar wrote:
>
>> Well, I did all this, and confirmed that the sys-* servicevms are all
>> using Fedora 25, but it still has dnsmasq version 2.76. According to
>> US-CERT, 2.78 is needed to get the vulnerability fixes. Which concerns
>> me, given the length of time that the exploit code has been public.
>> Surprises me too, since Debian had it out in a matter of hours.
>> 
>> However, it's not running in any of these, nor in dom0. Should I just
>> uninstall it?
>> 
>> Thanks,
>> Ron
>> 
>
>It's weird, but it seems like every distro *but* Fedora has released an
>updated version or version with a backported fix. Even Red Hat
>Enterprise has done it. I don't know what the hold up is, but it'll be a
>package with a backported fix and currently it's set to be 2.76.4 (or
>greater if more bugs are found).
>
>https://bodhi.fedoraproject.org/updates/FEDORA-2017-515264ae24

One of the reasons I like Debian so much is the priority they put on security. 
That, and stability. You may not get all the latest shiny stuff, at least not 
in stable, but you know it will be rock solid.

Tried fedora several times in the past, and always went to something else 
instead.

Ron




Re: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?

2017-10-07 Thread Ron Hunter-Duvar

On 10/07/2017 01:10 PM, frassefredk...@gmail.com wrote:

Thank you for your response and for sharing your thoughts and experience from 
using Lenovo Thinkpads! I looked at the Hardware Compatibility List and looked 
at Thinkpads, most of the models did not seem to be for sale anymore.


Honestly I haven't seen any user using touchscreen with Qubes.
Just out of interest what is the use case for touch?
Regarding recommendation:
You haven't said which display size you need.

The use case of touch is mainly for ergonomical reasons. I read and write a lot 
and it is better for my arms to scroll down the documents and highlight things 
using the touch instead of the keyboard and mouse. This is so important for me 
that I would pay more for a touchscreen even. But if I would be able to take 
notes on a Yoga from a conference, using the touch screen, then that would not 
be a bad thing either, but I don't expect that to work well with Qubes.

Desired size of the screen is 14-16 inches.


I should have been more clear about my question regarding the security of the 
Lenovo and if they can be trusted. I have read articles accusing Lenovo of 
planting backdoors in its hardware. My technical skills are currently on a 
hobbyist's level so I'm not always sure what to trust and not, wanted some input 
from others regarding this. But then I have also read this article (cited 
below) that sort of says that the likelihood of there being a backdoor planted 
by Lenovo is low. I just don't know what to believe in. Do you have any comments 
to this? :)

"Lenovo hardware is reportedly banned from the US CIA, as well as the UK's MI5 
and MI6, as well as the Australian Security Intelligence Organization (ASIO) and 
Secret Intelligence Service (ASIS). As of the time of writing, no evidence of any 
wrongdoing on the part of Lenovo has been presented by any of governments who have 
banned their hardware from use in intelligence services.

On devices as open as computers, and especially with Lenovo's ThinkPad product line, 
which has been long venerated for being foremost among laptops designed with 
modularity in mind—featuring detailed disassembly manuals and readily available 
replacement parts—it is difficult to imagine that many opportunities exist to hide a 
hardware backdoor in a relatively open product. Combined with the fact that the 
vital components (processor, RAM, etc.) aren't made by Lenovo, there are few 
opportunities for Lenovo to introduce a hardware-level backdoor in a way that 
wouldn't be glaringly obvious to any engineer armed with a screwdriver."
Source: 
http://www.techrepublic.com/blog/it-security/corporate-espionage-or-fearmongering-the-facts-about-hardware-level-backdoors/

"...glaringly obvious to any engineer armed with a screwdriver." That's 
the most unbelievably naive view of security I can remember reading. I 
bet the author's password is "pa33w0rd", and it's secure because no one 
would guess some letters were switched with numbers.


https://thehackernews.com/2015/09/lenovo-laptop-virus.html

Note: (1) confirmed, (2) 3 times, (3) one of them was BIOS-embedded.

https://thehackernews.com/2015/08/lenovo-rootkit-malware.html

Ron



Re: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?

2017-10-07 Thread Ron Hunter-Duvar

On 10/07/2017 09:42 AM, Frasse F wrote:

I would like some purchasing advice: I'm looking for a laptop that is 
reasonably secure and also has a built in touch screen. I would prefer if it 
had 16 GB of ram as I want to run Qubes OS and I want to sometimes be able to 
run a Windows App-VM for dictation and speech recognition which is processed 
locally (I do a lot of writing and I also care about security/privacy).

...
My second alternative is to buy a non purism laptop which has both a 
touchscreen, enough RAM and is fairly secure. So my second alternative that I'm 
considering would be the Lenovo 520 Yoga. 
https://www.dustin.se/product/5011033265/yoga-520-touch . The model is running 
the Intel® Core™ i5-7200U Processor. According to the specification page on 
Intels website, this processor does not have the vPro technology. 
https://ark.intel.com/products/95443/Intel-Core-i5-7200U-Processor-3M-Cache-up-to-3_10-GHz

These are my questions

1) Is there anything except for the AMT/vPro aspect of the hardware security 
that I might have overlooked that is critical when evaluating the Lenovo Yogas 
safety?

2) Should one in general be sceptic towards Lenovo even when they are using 
hardware from other manufacturers?

Personally, I avoid Lenovo like the plague since they became 
Chinese-owned. Yes, I know pretty much all the hardware is manufactured 
in China now anyway, but having the senior company management controlled 
by the Chinese government adds a whole 'nother layer of vulnerabilities.


My suspicions were confirmed when they were caught pre-installing 
spyware on them. Of course, that was only Windows, and they were forced 
to remove it, and claimed it was only intended for Chinese customers. 
But to me it shows their intent, and there are many other ways they can 
embed spyware (BIOS/UEFI, other firmware) that would affect Linux too, 
and wouldn't be so easily removed.


Call me paranoid (because I am), but that's my opinion.

I typically go with Dell, although their quality has gone down in recent 
years, and I can't comment on Qubes-specific issues, or your particular 
requirements.




3) Are there Qubes users out there who are already using a laptop with touch 
screen and enough RAM, running Qubes? What laptop model are you using and would 
you recommend it?



Ron



Re: [qubes-users] Qubes 3.2 dnsmasq update?

2017-10-07 Thread Ron Hunter-Duvar

On 10/06/2017 09:04 PM, Ron Hunter-Duvar wrote:

On October 6, 2017 5:05:49 PM MDT, Unman <un...@thirdeyesecurity.org> wrote:

On Thu, Oct 05, 2017 at 12:41:32PM -0600, Ron Hunter-Duvar wrote:
...
The install disk still contains fed23 templates and you're expected to
update as soon as you have installed.

To install a new template all you have to do is :
sudo qubes-dom0-update qubes-template-fedora-25

Thanks for the tip. I don't remember seeing it in the getting started material 
I read. Doing it now.



This will install the template and you can then just switch your
serviceVMs - either using Qubes Manager, or by:
'qvm-prefs  -s template '.

...
Well, I did all this, and confirmed that the sys-* servicevms are all 
using Fedora 25, but it still has dnsmasq version 2.76. According to 
US-CERT, 2.78 is needed to get the vulnerability fixes. Which concerns 
me, given the length of time that the exploit code has been public. 
Surprises me too, since Debian had it out in a matter of hours.


However, it's not running in any of these, nor in dom0. Should I just 
uninstall it?


Thanks,
Ron



Re: [qubes-users] Re: Possible to add second interface to sys-firewall?

2017-10-07 Thread Ron Hunter-Duvar

On 10/06/2017 01:41 PM, Ed wrote:

On 10/06/2017 03:14 PM, Mike Keehan wrote:

On Fri, 6 Oct 2017 12:17:26 -0400
Ed  wrote:


On 10/06/2017 12:10 PM, Mike Keehan wrote:



Wouldn't it be possible to add a second Firewall VM to be used
solely by your special single vm?


Yes I believe this would def work, and also should be
automatic/reliable across reboots, but I was really hoping to not
give up 2-4GB of RAM just for this purpose.



I think you will find that the firewall VM runs OK in just 500Mb, maybe
less.  Search the mail list for "vm memory" - there have been a number
of discussions about how much is actually used by the system VMs.  (I
can't remember the details off hand, or I would give more info!)

It is worth knowing that although a VM is initially set up with a 4Gb
memory allocation, it only uses what it needs.   The rest is still
available to the other qubes etc.


    Mike.



You know that's not a bad point.  I never really looked into reducing 
the memory allotment.  I just know anecdotally on my systems the 
firewall vm's use 2-3GB (when left with the default max of 4GB).  I 
also know they will run on less if I'm pushing a system out of memory 
but I never thought to just restrict them to less to start.


I'm not really strapped for memory on the machine I'm working with 
here so it does look like adding an additional firewall VM would be 
the easiest way to get what I want, it just seemed a tad wasteful to 
me, but perfect is the enemy of good


Appreciate the input!



IMO, it's best to leave memory management to the OS until such time as a 
definite problem is found (which would most likely show up as swapping, 
which would cause massive performance problems).


I suspect you'd find if you looked closely at the vm that most of the 
memory used is for caching. That's a good thing. No point having memory 
sit unused and forcing it to keep downloading the same files. The moment 
the cache is needed for something else, it'll be reallocated.


Ron



Re: [qubes-users] Qubes 3.2 dnsmasq update?

2017-10-06 Thread Ron Hunter-Duvar
On October 6, 2017 5:05:49 PM MDT, Unman <un...@thirdeyesecurity.org> wrote:
>On Thu, Oct 05, 2017 at 12:41:32PM -0600, Ron Hunter-Duvar wrote:
>> On 10/05/2017 01:52 AM, Ilpo Järvinen wrote:
>> > On Wed, 4 Oct 2017, Ron Hunter-Duvar wrote:
...
>> > FC23 has been EOL'ed for long time, you should upgrade your template to
>> > FC25 or later (as FC24 likewise, is EOL'ed). The easiest alternative is to
>> > install fedora-25 template that is nowadays included to qubes repositories
>> > (IIRC). Then change your AppVMs having fedora-23 as their template to use
>> > fedora-25 template.
>> > 
>> 
>> I wondered about that too. Why does Qubes 3.2 still use FC23? Wasn't it EOL
>> in 2015?
>> 
>> I use debian-8 for all my appvms. I changed the default before I created any
>> of them.
>> 
>> But I still need it for my servicevms. Especially since they're the ones
>> exposed to the internet (although still behind a separate firewall, but
>> that's potentially affected too).
>> 
>> Haven't had time to look into how to setup a new template and convert the
>> servicevms. But for this, if there's no fix coming, I guess I'll have to
>> deal with it.
>> 
>> Thanks,
>> Ron
>
>No, Fed 23 was EOL in December 2016.
>It's still used in dom0 because there should be little call to upgrade
>dom0 - see the explanation here:
>www.qubes-os.org/doc/software-update-dom0/
>
>The install disk still contains fed23 templates and you're expected to
>update as soon as you have installed.
>
>To install a new template all you have to do is :
>sudo qubes-dom0-update qubes-template-fedora-25

Thanks for the tip. I don't remember seeing it in the getting started material 
I read. Doing it now.


>This will install the template and you can then just switch your
>serviceVMs - either using Qubes Manager, or by:
>'qvm-prefs  -s template '.
>
>Of course, there's no reason why you shouldnt use Debian for all your
>qubes, and ditch Fedora template altogether.

Do you mean I can switch my servicevms to Debian? I don't want to create any 
unnecessary headaches for myself right now, but I much prefer Debian.


>unman

Thanks,
Ron



Re: [qubes-users] Qubes 3.2 dnsmasq update?

2017-10-05 Thread Ron Hunter-Duvar

On 10/05/2017 01:52 AM, Ilpo Järvinen wrote:

On Wed, 4 Oct 2017, Ron Hunter-Duvar wrote:


Saw the news earlier today about the major dnsmasq vulnerabilities (remote
code execution), and already received the update for the debian-8 template,
but not for the fedora-23 template or dom0.

Anyone know of an ETA for this?

dom0 does not have network connectivity.


Yeah, I wondered about that. Any reason for it to even have dnsmasq 
installed? Because it does.




FC23 has been EOL'ed for long time, you should upgrade your template to
FC25 or later (as FC24 likewise, is EOL'ed). The easiest alternative is to
install fedora-25 template that is nowadays included to qubes repositories
(IIRC). Then change your AppVMs having fedora-23 as their template to use
fedora-25 template.



I wondered about that too. Why does Qubes 3.2 still use FC23? Wasn't it 
EOL in 2015?


I use debian-8 for all my appvms. I changed the default before I created 
any of them.


But I still need it for my servicevms. Especially since they're the ones 
exposed to the internet (although still behind a separate firewall, but 
that's potentially affected too).


Haven't had time to look into how to setup a new template and convert 
the servicevms. But for this, if there's no fix coming, I guess I'll 
have to deal with it.


Thanks,
Ron



[qubes-users] Qubes 3.2 dnsmasq update?

2017-10-04 Thread Ron Hunter-Duvar

Hi,

Saw the news earlier today about the major dnsmasq vulnerabilities 
(remote code execution), and already received the update for the 
debian-8 template, but not for the fedora-23 template or dom0.


Anyone know of an ETA for this?

Thanks,

Ron



Re: [qubes-users] Error Creating Ubuntu VM in Qubes 3.2

2017-10-03 Thread Ron Hunter-Duvar

On 10/03/2017 09:37 PM, Person wrote:

Because the terminal didn’t respond with an error message, I am relatively sure 
that the ISO was successfully copied to dom0. Copying it to dom0 wasn’t a 
problem, really, but finding it in dom0 was. And the “find” commands don’t seem 
to work for finding in dom0.

In a dom0 terminal, the file should be in whatever directory you were in 
when you ran the qvm-run command, since you didn't specify a directory 
in the command you showed. If you didn't change directories first, that 
would either be /root if you were root or /home/user otherwise.


You should be able to find it (as root) by running:

# find /root /home -name '*.iso'

If it's not found in either of them, then you either put it somewhere 
else (like /tmp or /var/lib/qubes), or the copy didn't work.


As for what to do with it once it's copied, I can't help there at this 
point.


Ron



Re: [qubes-users] Re: Yubikey in challenge/response mode to unlock LUKS on boot

2017-10-02 Thread Ron Hunter-Duvar

On 10/02/2017 08:34 PM, joevio...@gmail.com wrote:

On Saturday, 5 August 2017 11:20:27 UTC-4, the2nd  wrote:

Hi,

I switched to Qubes OS 3.2 on my notebook some weeks ago. Besides some issues I 
had it works very well.

One problem was to get the installer to install qubes on LVM-on-LUKS. I 
preferred this over the default LUKS-on-LVM setup because you don't have to 
encrypt any LV separately.
...
Please note that the current version will probably not work with a default 
qubes LUKS-on-LVM installation. But if some experienced user is willing to help 
testing I'll try to come up with a version that supports this too.

Besides the yubikey/luks stuff the module handles the rd.qubes.hide_all_usb 
stuff via its own rd.ykluks.hide_all_usb command line parameter because the 
yubikey is connected via USB and needs to be accessible until we got the 
challenge from it. I am still unsure if this is the best method to implement 
this. So if anyone with a deeper knowledge of qubes/dracut does have a 
better/more secure solution I am happy about any help.

Regards
the2nd

This is working great for me.
A few questions though:

1)  The default Qubes 3.2 install seems to be LVM-on-LUKS where there is only 
one LUKS encryption and root/swap LVMs within that.  So your instructions work 
with the default install.

...
I'd have to say that the2nd is right. I didn't notice on my first Qubes 
3.2 install, because I only had one encrypted partition on my OS drive 
(skipped a swap partition, despite the installer's whining). Second time 
around I gave in and created one.


lsblk shows sda2 with a luks-encrypted / within it, and sda3 with a 
luks-encrypted swap. If it were LVM-on-LUKS, it would be a single 
luks-encrypted partition with two logical volumes within it.


Ron

PS: I'm a Qubes-noob, but long-time Linux user.
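
Telling the layouts discussed in this thread apart from lsblk output, as an added example that is not part of any post: it reads `lsblk -rno KNAME,TYPE,PKNAME` on stdin and reports how LUKS and LVM are stacked. The three device listings and the result labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how LUKS and LVM are stacked, from the output of
#   lsblk -rno KNAME,TYPE,PKNAME
# (kernel name, device type, parent kernel name), read on stdin.

classify_layout() {
    awk '
    {
        kind[NR] = $2
        parent[NR] = (NF >= 3 ? $3 : "")   # whole disks have no parent
        type_of[$1] = $2
    }
    END {
        for (i = 1; i <= NR; i++) {
            ptype = (parent[i] in type_of) ? type_of[parent[i]] : ""
            if (kind[i] == "crypt") crypt++
            # logical volume whose parent is a LUKS mapping
            if (kind[i] == "lvm" && ptype == "crypt") lvm_on_luks++
            # LUKS mapping whose parent is a logical volume
            if (kind[i] == "crypt" && ptype == "lvm") luks_on_lvm++
        }
        if (!crypt)                          print "no-luks"
        else if (lvm_on_luks && luks_on_lvm) print "mixed"
        else if (lvm_on_luks)                print "lvm-on-luks"
        else if (luks_on_lvm)                print "luks-on-lvm"
        else                                 print "luks-per-partition"
    }'
}

# Constructed listing: one LUKS container on sda2 holding two logical volumes.
sample_lvm_on_luks() {
    printf '%s\n' 'sda disk' 'sda1 part sda' 'sda2 part sda' \
        'dm-0 crypt sda2' 'dm-1 lvm dm-0' 'dm-2 lvm dm-0'
}

# Constructed listing: two logical volumes on sda2, each encrypted separately.
sample_luks_on_lvm() {
    printf '%s\n' 'sda disk' 'sda1 part sda' 'sda2 part sda' \
        'dm-0 lvm sda2' 'dm-1 lvm sda2' 'dm-2 crypt dm-0' 'dm-3 crypt dm-1'
}

# Constructed listing: separate LUKS containers on sda2 and sda3, no LVM,
# which is the shape described in the reply above.
sample_luks_per_partition() {
    printf '%s\n' 'sda disk' 'sda1 part sda' 'sda2 part sda' \
        'dm-0 crypt sda2' 'sda3 part sda' 'dm-1 crypt sda3'
}

# Demo on the constructed listings.
echo "one container, two LVs:    $(sample_lvm_on_luks | classify_layout)"
echo "two LVs, each encrypted:   $(sample_luks_on_lvm | classify_layout)"
echo "two encrypted partitions:  $(sample_luks_per_partition | classify_layout)"
```

On a live system the input would come from `lsblk -rno KNAME,TYPE,PKNAME | classify_layout`.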



Re: [qubes-users] Re: timeout on VMstart: cannot execute qrexec-daemon

2017-10-02 Thread Ron Hunter-Duvar
On October 2, 2017 10:30:49 AM MDT, evo wrote:
>
>
>On 01.10.2017 at 22:06, evo wrote:
>> Hello!
>> 
>> i can not start one of the StandaloneVMs
>> it just give me a timeout and "cannot execute qrexec-daemon"
>> 
>> after reboot the same thing.
>> 
>> logs show the following:
>> 
>> guid.VM
>> Icon size: 128x128
>> XIO:  fatal IO error 11 (Resource temporarily unavailable) on X server ":0.0"
>>   after 31000 requests (31000 known processed) with 0 events remaining.
>> 
>> 
>> 
>> can somebody help please?
>> 
>
>
>please help somebody, i have my password-manager and other important
>stuff there and just an older backup :-/

You might be able to recover the essential files by creating a new VM and 
copying the private.img and volatile.img files from the old VM 
(/var/log/qubes/appvms/) to the new one, then booting the new one. 
This worked for me when I had to reinstall QubesOs.

As to the error itself, it seems to suggest a missing icon file somewhere. I 
don't know why that would stop the VM from starting, but qrexec-daemon seems to 
be rather brittle. No idea how you would fix it. Might require either digging 
into the code or help from one of the developers to track down and resolve.

Ron



Re: [qubes-users] Error Creating Ubuntu VM in Qubes 3.2

2017-10-01 Thread Ron Hunter-Duvar

On 10/01/2017 06:59 PM, Person wrote:

The file was in Home/User/Downloads, and I did make sure to include the 
command. Also, the Ubuntu file did end in “.iso”.

I did run qvm-start in dom0. I believe I typed “qvm-start  
--cdrom=sys-net:/home/user/Downloads/”, or I did the 
same thing but replaced “Ubuntu” with “hvm”. (“Ubuntu” is the name of the standalone VM I 
made and wanted to attach the .iso to.)

As for the qvm-run error, I have no idea if I entered the location correctly or not. I typed 
“qvm-run --pass-io  'cat 
/home/user/Downloads/' > 
ubuntu-17.04-server-amd64.iso”.

I did copy the template to dom0, but I could not find it in dom0 (when I open 
the dom0 Boot Screen where stand-alone VMs look for things to boot from, I 
cannot find the template file there) and so was unable to install it in dom0. I 
did install Xenial in sys-net, but I couldn’t find the template when I looked 
at my list of VMs, even when I use the methods you listed.

I believe my main problem is copying the files to dom0 in general, because that 
is the only way I can make these files into VMs.

You didn't actually type the angle brackets <> around the vm and file 
names, did you? If so, that would probably be your problem.


Ron



Re: [qubes-users] 4.0-rc1: qvm- remove incomplete (?) - All qubes functionality (qubesd) down as a result

2017-09-28 Thread Ron Hunter-Duvar

On 09/28/2017 10:55 AM, Johannes Graumann wrote:

On Wed, 2017-09-27 at 13:19 +0200, Johannes Graumann wrote:

Gentlepeople,

I recently managed to install the community whonix templates into my
4.0 setup and have since been striving to recreate the arrangements of
proxyvms etc. I ran in 3.2.

In this process I erroneously created a vm called 'sys-whonix-gw', using
the whonix-gw template. I proceeded to remove this vm using 'qvm-remove'
and ever since all qubes functionality does not come up at reboot.
Investigating the output of 'systemctl status qubesd' et al, I
became aware of an error thrown that reports 'sys-whonix-gw' as missing
... apparently there are remnants of that vm left in the system despite
me calling 'qvm-remove'.

Short of a reinstall, is there anything I can do to rescue this
situation?

Thanks for any pointers.

Sincerely, Joh

Any hint at all?

Joh



Hi Joh,

I found quite a few bits and pieces of VMs lying around when looking at 
how to recover VMs from my previous install. This might take a while, 
but you can run the following commands in a root terminal session on dom0:


# cd /
# grep -r <vm-name> * 2>/dev/null

No guarantees, and be careful what you remove/edit, but it's worth a shot.

Ron




Re: [qubes-users] Re: How to recover Qubes when keyboard / mice is dysfunctional due to USB qube setup issues?

2017-09-27 Thread Ron Hunter-Duvar

On 09/27/2017 11:35 AM, Yethal wrote:

On Wednesday, 27 September 2017 14:08:56 UTC+2, Patrick Schleizer wrote:

cooloutac:

On Sunday, September 24, 2017 at 12:23:39 PM UTC-4, cooloutac wrote:

On Sunday, September 24, 2017 at 12:23:23 PM UTC-4, cooloutac wrote:

On Sunday, September 24, 2017 at 9:25:24 AM UTC-4, Patrick Schleizer wrote:

Quote from https://www.qubes-os.org/doc/usb/

Caution: By assigning a USB controller to a USB qube, it will no
longer be available to dom0. This can make your system unusable if, for
example, you have only one USB controller, and you are running Qubes off
of a USB drive.

How can one recover from such a situation if there is no PS2
keyboard/mice available?

I guess... Unless there is a better way...? Boot the system using from
an external disk using a USB recovery operating system... Then modify
the local disk (with broken Qubes)... Then do what?

Cheers,
Patrick

ya that. exactly.

that would be the only way I would know of.

sorry i misunderstood.  you could use the qubes keyboard proxy.  or unhide it 
from dom0.  think they are both explained in the docs there, but don't think 
either are recommended but if you have no choice.


The Qubes documentation explains how to hide/unhide it with the gui. But
when the disk is not booted (for recovery booted from USB), the gui
cannot be used since it refers to the USB booted and not internal disk
supposed to be recovered.

To undo it, some file on the internal disk needs to be modified. Which
files need what modification?

Remove rd.qubeshideallusb parameter from grub and then rebuild grub

Incidentally, I believe that messing up the sys-usb setup, losing 
keyboard & mouse, and recovering from it is how I eventually made my 
system unbootable. That plus intervening updates and other tweaks.


So not sure I have much to add on how to do it properly. But maybe 
serves as a cautionary tale.


I used an old ps/2 keyboard to get control of the system again (no 
mouse), and get the USB controller I had my main keyboard and my mouse 
on assigned back to dom0 again (thankfully I have several controllers on 
this motherboard, with keyboard, mouse and nothing else on one of them).


I got it working, but I think I messed up something on sys-usb. From 
time to time after that I would get a kernel panic starting sys-usb 
during boot. Then after a recent dom0 update, I got a "non-system disk 
or disk error" BIOS error and that was it. Couldn't get it properly 
recovered.


So I booted from a Ubuntu live USB, mounted the Qubes partitions, copied 
everything off to a backup USB hard drive, then did a clean reinstall of 
Qubes. After the reinstall, I've been more careful in setting up 
sys-usb, and it's working fine so far.


Ron
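
The fix suggested in this thread, removing rd.qubeshideallusb from the GRUB configuration of the installed system, can be scripted from a rescue boot. This is an added example, not code from the thread; it assumes the parameter sits on a GRUB_CMDLINE_LINUX line of etc/default/grub on the mounted dom0 root, and the mount point in the comments is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): drop one kernel parameter from the
# GRUB_CMDLINE_LINUX* lines of a grub defaults file, keeping a backup.
# Assumption: the installed system's root is mounted, e.g. at /mnt/qubes
# (hypothetical path), and the file is <mount>/etc/default/grub.
# Exit status: 0 = parameter removed, 1 = parameter not present, 2 = error.
strip_kernel_param() {
    cfg=$1
    param=$2
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }
    tmp=$(mktemp) || return 2
    rc=0
    awk -v p="$param" '
        /^GRUB_CMDLINE_LINUX(_DEFAULT)?="/ {
            key = substr($0, 1, index($0, "="))
            val = substr($0, index($0, "\"") + 1)
            sub(/"[ \t]*$/, "", val)           # strip the closing quote
            n = split(val, tok, " ")           # split on runs of whitespace
            out = ""
            for (i = 1; i <= n; i++) {
                # exact token match only, so similar names are left alone
                if (tok[i] == p) { removed++; continue }
                out = out (out == "" ? "" : " ") tok[i]
            }
            print key "\"" out "\""
            next
        }
        { print }
        END { exit (removed ? 0 : 1) }
    ' "$cfg" > "$tmp" || rc=$?
    if [ "$rc" -eq 0 ]; then
        # Keep the original so USB hiding can be restored once sys-usb works.
        cp -p "$cfg" "$cfg.bak" && cat "$tmp" > "$cfg" || rc=2
    elif [ "$rc" -ne 1 ]; then
        rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage: strip_kernel_param /mnt/qubes/etc/default/grub rd.qubeshideallusb
# then rebuild grub.cfg from inside the installed system (chroot), e.g.
#   grub2-mkconfig -o /boot/grub2/grub.cfg
if [ "$#" -eq 2 ]; then
    strip_kernel_param "$1" "$2"
fi
```

With the parameter gone, dom0 sees the USB controllers again at boot, so restore the `.bak` file once the USB qube is set up correctly.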



Re: [qubes-users] How to recover VMs copied before reinstall?

2017-09-27 Thread Ron Hunter-Duvar

On 09/26/2017 09:36 AM, Ron Hunter-Duvar wrote:

On September 26, 2017 9:20:57 AM MDT, 'One7two99' via qubes-users 
<qubes-users@googlegroups.com> wrote:

Hello Ron,


 Original Message 
Subject: Re: [qubes-users] How to recover VMs copied before reinstall?
Local Time: 26 September 2017 4:58 PM
From: ro...@shaw.ca

[...] I want to access my existing ones from the previous install,
not create new ones. I put a lot of hours into getting them set up the
way I wanted them, and they contain important data I don't want to
lose. [...]

I am also building all sys- / template- and App-VMs based on the
available templates in Qubes. As I would like to rollout Qubes for
friends and maybe also co-workers I have documented each step when
configuring/provisioning new AppVMs or templates.

I've written a handful of scripts which will take the default
qubes-templates and apply all updates / package installation and
post-configuration tasks without user interaction.
This reduces time rebuilding the system but also allows another backup
policy where I only store the data and reinstall everything else from
my scripts.

If you're interested I can forward them to you.

[799]

I'm not sure if that will help, but I'll take a look. If I can at least get my 
files into new appvms of the same name, it would do the trick.

Thanks,
Ron

Turns out there's an easy way to restore my files and firewall settings. 
Here's what I did for each VM:

1. Create a new appvm of the same name and type as the old one (with the 
old ones in a different location of course).

2. Start then stop the appvm (to ensure it's properly initialized).

3. Copy the firewall.xml, private.img and volatile.img files from the 
old one to the new one.

4. Start the appvm, and everything's back where it should be (other than 
menu customizations, and possibly previously installed apps).


I don't know if all these steps are required (particularly #2, and both 
img files in #3), but the recipe works, so I'm sticking with it.


The hardest part was actually restoring the old appvm files, given the 
deliberate roadblocks to moving files into dom0.


Thanks,
Ron
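
The four-step recipe above as a dom0 script, with a checksum comparison after each copy. This is an added example, not code from the thread; it assumes the Qubes 3.2 layout /var/lib/qubes/appvms/<name>/, that the old VM directories were restored under a hypothetical /var/lib/qubes/old-appvms/, and that firewall.xml and volatile.img may be absent in an old VM directory.

```shell
#!/bin/sh
# Added example (not from the thread). Paths other than
# /var/lib/qubes/appvms are assumptions.
VM_FILES="private.img volatile.img firewall.xml"

# Step 3: copy the per-VM state files from OLD_DIR into NEW_DIR and confirm
# each copy is byte-identical. Returns 0 on success, 1 on a failed
# precondition, copy error or checksum mismatch.
copy_vm_state() {
    old=$1
    new=$2
    [ -d "$old" ] && [ -d "$new" ] || { echo "missing directory" >&2; return 1; }
    [ -f "$old/private.img" ] || { echo "no private.img in $old" >&2; return 1; }
    for f in $VM_FILES; do
        [ -f "$old/$f" ] || continue     # optional file not present in the old VM
        # No -p: an existing target is overwritten in place and keeps the
        # owner and mode the new VM was created with.
        cp "$old/$f" "$new/$f" || return 1
        a=$(sha256sum < "$old/$f") || return 1
        b=$(sha256sum < "$new/$f") || return 1
        [ "$a" = "$b" ] || { echo "checksum mismatch: $f" >&2; return 1; }
    done
    return 0
}

# Steps 1 to 4 for one VM; run in dom0.
# Arguments: NAME TEMPLATE LABEL [OLD_ROOT]
restore_appvm() {
    name=$1
    template=$2
    label=$3
    old_root=${4:-/var/lib/qubes/old-appvms}
    qvm-create --template "$template" --label "$label" "$name" || return 1
    qvm-start "$name" && qvm-shutdown --wait "$name" || return 1
    copy_vm_state "$old_root/$name" "/var/lib/qubes/appvms/$name" || return 1
    qvm-start "$name"
}

if [ "$#" -ge 3 ]; then
    restore_appvm "$@"
fi
```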



Re: [qubes-users] How to script the creation of templates (Was: How to recover VMs copied before reinstall?)

2017-09-27 Thread Ron Hunter-Duvar

Thanks, 799, I'll take a look at them when I get a chance.

Ron


On 09/27/2017 03:52 AM, 'One7two99' via qubes-users wrote:

Hello Ron,

Me:
>> I've written a handful of scripts which will take the default
>> qubes-templates and apply all updates / package installation and
>> post-configuration tasks without user interaction.
>> This reduces time rebuilding the system but also allows another backup
>> policy where I only store the data and reinstall everything else from
>> my scripts.
>> If you're interested I can forward them to you.

Ron:
> I'm not sure if that will help, but I'll take a look. If I can at
> least get my files into new appvms of the same name, it would do the trick.

Here is a script I am using to rebuild my work-template, which is 
based on a fedora template.
The script allows me to install a Qubes 3.2 default and then run all 
commands to add a new template, update it, install additional packages 
and even install some software (here only the VMware Horizon View 
Client) which is not available in the default repositories.

There is some "overhead" in the script as I'd like to run it even 
after having it done once.
As such it will also remove any existing VM with the same name 
(qvm-destroy).

qvm-destroy is another script:
[content of qvm-destroy]

#!/bin/bash
# Kill a running AppVM and remove it
# Usage: qvm-destroy <vm-name>
echo "Killing VM: $1"
qvm-kill "$1"
echo "Removing VM: $1"
qvm-remove "$1"
echo "Waiting for 5s (just to be sure)"
sleep 5s

[content of my create-t-fedora-25-work.sh]
#!/bin/bash
templatebasevm=fedora-25
worktemplatevm=t-fedora-25-work
internetvm=my-untrusted

# Install minimal Fedora 25 template
sudo qubes-dom0-update "qubes-template-$templatebasevm"

# Remove existing Template VM
./qvm-destroy "$worktemplatevm"

echo "Clone template to $worktemplatevm"
qvm-clone "$templatebasevm" "$worktemplatevm"
# Hide original template
qvm-prefs -s "$templatebasevm" internal true

echo "Launch new template-vm $worktemplatevm"
qvm-start --skip-if-running --tray "$worktemplatevm"
echo "Wait for 10sec until Template VM is up"
sleep 10s
echo "Install updates and additional applications in $worktemplatevm"
qvm-run "$worktemplatevm" 'xterm -e "sudo dnf -y update && \
   sudo dnf -y install mc nano pass libreoffice gimp && \
   sudo dnf -y install gstreamer gstreamer-plugins-base libffi libpng12 libXScrnSaver"'

echo "Wait until all packages have been installed."
read -p "Press Enter to continue"

# Download VMware Horizon View
echo "Starting $internetvm to download Horizon View"
qvm-start --tray "$internetvm"
sleep 10s
# FIXME: the qvm-copy-to-vm has the name of the target template ($worktemplatevm)
# hardcoded, as I didn't find a way to use the variable within this line
qvm-run "$internetvm" 'xterm -e "cd /home/user && wget https://download3.vmware.com/software/view/viewclients/CART17Q2/VMware-Horizon-Client-4.5.0-5650368.x64.bundle && \
 mv VMware-Horizon-Client-4.5.0-5650368.x64.bundle VMware-Horizon-Client-4.5.0.bundle && \
 qvm-copy-to-vm t-fedora-25-work VMware-Horizon-Client-4.5.0.bundle && \
 sleep 10s"'
echo "(qvm-)Copy file VMware-Horizon-Client-4.5.0.bundle from $internetvm to $worktemplatevm"

read -p "Press Enter to continue"

# Install VMware Horizon View
# (the incoming directory is named after the source VM, here my-untrusted)
qvm-run "$worktemplatevm" 'xterm -e "chmod +x ~/QubesIncoming/my-untrusted/VMware-Horizon-Client-4.5.0.bundle && \
 sudo ~/QubesIncoming/my-untrusted/VMware-Horizon-Client-4.5.0.bundle && \
 rm ~/QubesIncoming/my-untrusted/VMware-Horizon-Client-4.5.0.bundle && \
 shutdown -h now"'

You'll find this and also other scripts I use to rebuild my templates 
and appvms in the attached archive.

Any improvements are welcome.

I'll try to think if I'll add something like backing up the private 
image file and adding it when rebuilding an appvm makes sense.


[799]
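
On the FIXME in the script above: the target name does not expand because the whole qvm-run argument is single-quoted in dom0. The following added example, which is not part of 799's scripts, builds the command with double quotes after validating every interpolated value, and makes the untrusted VM check a SHA-256 digest before the bundle is copied to the template where it later runs under sudo; the function name is hypothetical and the digest has to come from the vendor, since the thread does not give one.

```shell
#!/bin/sh
# Added example (not part of 799's scripts).
# build_fetch_cmd TARGET_VM URL SHA256 prints the command line to pass to
# qvm-run for the download VM. The string is assembled in dom0, so the
# variables expand here; because the result is shell input in another VM,
# each value is validated before it is interpolated. Returns 2 on bad input.
build_fetch_cmd() {
    target=$1
    url=$2
    sum=$3
    file=${url##*/}                     # file name = last URL path component
    case $target in
        ''|-*|*[!A-Za-z0-9_-]*) echo "bad VM name" >&2; return 2 ;;
    esac
    case $url in
        https://*) ;;
        *) echo "URL must be https" >&2; return 2 ;;
    esac
    case $url in
        *[!A-Za-z0-9._~:/%+=-]*) echo "unexpected character in URL" >&2; return 2 ;;
    esac
    case $sum in
        *[!0-9a-f]*) echo "bad SHA-256" >&2; return 2 ;;
    esac
    [ "${#sum}" -eq 64 ] || { echo "bad SHA-256" >&2; return 2; }
    [ -n "$file" ] || { echo "URL has no file name" >&2; return 2; }
    # sha256sum -c fails on a mismatch, which stops the && chain before
    # qvm-copy-to-vm hands the file to the template.
    printf '%s' "cd /home/user && wget -O '$file' '$url' && echo '$sum  $file' | sha256sum -c - && qvm-copy-to-vm $target '$file'"
}

# Usage in dom0 (expected_sha256 is a placeholder for the vendor's digest):
#   cmd=$(build_fetch_cmd "$worktemplatevm" "$url" "$expected_sha256") &&
#   qvm-run "$internetvm" "$cmd"
if [ "$#" -eq 3 ]; then
    build_fetch_cmd "$@" && echo
fi
```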

Re: [qubes-users] How to recover VMs copied before reinstall?

2017-09-26 Thread Ron Hunter-Duvar
On September 26, 2017 9:20:57 AM MDT, 'One7two99' via qubes-users 
 wrote:
>Hello Ron,
>
>>  Original Message 
>> Subject: Re: [qubes-users] How to recover VMs copied before reinstall?
>> Local Time: 26 September 2017 4:58 PM
>> From: ro...@shaw.ca
>>
>> [...] I want to access my existing ones from the previous install,
>> not create new ones. I put a lot of hours into getting them set up the
>> way I wanted them, and they contain important data I don't want to
>> lose. [...]
>
>I am also building all sys- / template- and App-VMs based on the
>available templates in Qubes. As I would like to rollout Qubes for
>friends and maybe also co-workers I have documented each step when
>configuring/provisioning new AppVMs or templates.
>
>I've written a handful of scripts which will take the default
>qubes-templates and apply all updates / package installation and
>post-configuration tasks without user interaction.
>This reduces time rebuilding the system but also allows another backup
>policy where I only store the data and reinstall everything else from
>my scripts.
>
>If you're interested I can forward them to you.
>
>[799]

I'm not sure if that will help, but I'll take a look. If I can at least get my 
files into new appvms of the same name, it would do the trick.

Thanks,
Ron



Re: [qubes-users] How to recover VMs copied before reinstall?

2017-09-26 Thread Ron Hunter-Duvar


On September 26, 2017 4:20:34 AM MDT, Chris Laprise <tas...@posteo.net> wrote:
>On 09/25/2017 07:12 PM, Ron Hunter-Duvar wrote:
>> Hi,
>>
>> My first Qubes install ended up unbootable, and I didn't have a
>> recent enough backup of my VMs. So I booted from a Ubuntu live cd,
>> mounted the partitions, and copied everything off to a backup drive and
>> did a clean reinstall.
>>
>> Now I've copied my appvms back to /var/lib/qubes/appvms/, but they
>> don't show up in the VM Manager.
>>
>> Can anyone tell me how to get these appvms useable again?
>>
>> Thanks,
>> Ron
>>
>
>Try using `qvm-add-appvm vmname templatename`.

Doesn't that just create a new appvm? I want to access my existing ones from 
the previous install, not create new ones. I put a lot of hours into getting 
them set up the way I wanted them, and they contain important data I don't want 
to lose.

I am wondering if creating new ones of the same name, then overwriting the img 
files with the old ones would work. 

Thanks,
Ron



[qubes-users] How to recover VMs copied before reinstall?

2017-09-25 Thread Ron Hunter-Duvar
Hi, 

My first Qubes install ended up unbootable, and I didn't have a recent enough 
backup of my VMs. So I booted from a Ubuntu live cd, mounted the partitions, 
and copied everything off to a backup drive and did a clean reinstall. 

Now I've copied my appvms back to /var/lib/qubes/appvms/, but they don't show 
up in the VM Manager. 

Can anyone tell me how to get these appvms useable again? 

Thanks,
Ron
