Re: [qubes-users] dependency problem after upgrading standalone debian 11 VM

2023-04-14 Thread 'unman' via qubes-users
On Fri, Apr 14, 2023 at 04:10:29PM +0200, qubes-li...@riseup.net wrote:
> Hi unman,
> 
> thanks for your reply.
> 
> 'unman' via qubes-users:
> > Exactly this issue arose on GitHub - it is, as you say, because you did
> > not update the qubes repository definition in a timely way.
> > You can read the issue 
> > [here](https://github.com/qubesos/qubes-issues/issues/7865)
> 
> > The resolution is to follow the steps in the upgrade script - courtesy
> > of Marek:
> > ```
> > The source of the problem is that in R4.1 we actually stopped shipping own 
> > duplicated xen packages, and are relying on those from official Debian 
> > repositories. But the upgrade path requires manual step because of that.
> > The in-place R4.0 -> R4.1 upgrade tool handle that automatically, but in 
> > case of manual upgrade, see this part:
> > https://github.com/QubesOS/qubes-dist-upgrade/blob/release4.0/scripts/upgrade-template-standalone.sh#L37-L72
> > ```
> 
> Yes I know about this GitHub ticket, I mentioned it in my last email, but
> I have the impression that these steps cannot be used _after_
> running 'apt update; apt upgrade; apt dist-upgrade' anymore - which is the
> situation I'm in.
> 
> Is there also a way to recover a system after the 'apt upgrade' step happened 
> already?
> 

I'd probably be rolling back most of your recent changes, and starting
again, after making sure that I have a decent backup of the qube in its
current state.
You need to roll back those packages, and -f should work for the
install. I have some old templates hanging about - if you can wait until
tomorrow I'll pull one and work through the process in the morning.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ZDltBO75pErMxI/A%40thirdeyesecurity.org.


Re: [qubes-users] dependency problem after upgrading standalone debian 11 VM

2023-04-14 Thread qubes-lists

Hi unman,

thanks for your reply.

'unman' via qubes-users:

Exactly this issue arose on GitHub - it is, as you say, because you did
not update the qubes repository definition in a timely way.
You can read the issue 
[here](https://github.com/qubesos/qubes-issues/issues/7865)



The resolution is to follow the steps in the upgrade script - courtesy
of Marek:
```
The source of the problem is that in R4.1 we actually stopped shipping own 
duplicated xen packages, and are relying on those from official Debian 
repositories. But the upgrade path requires manual step because of that.
The in-place R4.0 -> R4.1 upgrade tool handle that automatically, but in case 
of manual upgrade, see this part:
https://github.com/QubesOS/qubes-dist-upgrade/blob/release4.0/scripts/upgrade-template-standalone.sh#L37-L72
```


Yes I know about this GitHub ticket, I mentioned it in my last email, but
I have the impression that these steps cannot be used _after_
running 'apt update; apt upgrade; apt dist-upgrade' anymore - which is the
situation I'm in.

Is there also a way to recover a system after the 'apt upgrade' step happened 
already?



Re: [qubes-users] dependency problem after upgrading standalone debian 11 VM

2023-04-14 Thread 'unman' via qubes-users
Exactly this issue arose on GitHub - it is, as you say, because you did
not update the qubes repository definition in a timely way.
You can read the issue 
[here](https://github.com/qubesos/qubes-issues/issues/7865)

The resolution is to follow the steps in the upgrade script - courtesy
of Marek:
```
The source of the problem is that in R4.1 we actually stopped shipping own 
duplicated xen packages, and are relying on those from official Debian 
repositories. But the upgrade path requires manual step because of that.
The in-place R4.0 -> R4.1 upgrade tool handle that automatically, but in case 
of manual upgrade, see this part:
https://github.com/QubesOS/qubes-dist-upgrade/blob/release4.0/scripts/upgrade-template-standalone.sh#L37-L72
```



[qubes-users] Good USB-C docking station?

2023-04-14 Thread nonsense via qubes-users
I'm desperate to find a good USB-C docking station that will work well with my 
Lenovo ThinkPad, >=2 screens (and QubesOS).

The Lenovo one is terrible. On Qubes it never worked for 2 screens and has for
a couple of months now jittery video via USB-C - if at all.

It's not just me too... A Windows colleague reports degrading performance as
well...

Anyone with good experience on a model not requiring extra software?

Thanks for any pointers, John



Re: [qubes-users] SOS - Where is mdadm.conf?! I really really need to edit mdadm.conf on dom0

2023-04-13 Thread brick
I fixed the problem. Turns out there's a --config option. I just forced it 
to use my config once which was enough to repair the array that was broken. 
I rebooted and all my stuff is back :)

On Thursday, April 13, 2023 at 4:28:37 PM UTC-5 brick wrote:

> Any Qubes devs/experts please...? I asked on linuxquestions as well and 
> according to them, mdadm will try to load whatever file it listed under 
> `man mdadm.conf`, which in the case of dom0 is at /etc/mdadm.conf... but 
> that file did not exist until I put it there so *this is Qubes specific.* 
> *Where 
> does Qubes OS's mdadm get its settings from at boot?* I need to change 
> those settings because they are corrupted... I literally have nowhere else 
> to go but this mailing list. PLEASE HELP
>
> On Thursday, April 13, 2023 at 3:10:09 PM UTC-5 brick wrote:
>
>> Actually yeah that's not it at all. That's a `systemd-tmpfiles` file 
>> whatever the fudge that is, nothing at all to do with mdadm
>>
>> On Thursday, April 13, 2023 at 2:34:38 PM UTC-5 brick wrote:
>>
>>> I don't think that's it. It's only one line long and has no reference to 
>>> my arrays. I tried to put mine there anyway and rebooted but my arrays are 
>>> still all raid0
>>>
>>> On Thursday, April 13, 2023 at 2:18:59 PM UTC-5 Mike Keehan wrote:
>>>
>>>> On Thu, 13 Apr 2023 11:08:09 -0700 (PDT)
>>>> leo...@gmail.com wrote:
>>>>
>>>> > Long story short I had a drive failure, now all my RAID arrays incorrectly
>>>> > show up as "raid0 inactive". Apparently one way to fix this is to manually
>>>> > change the arrays to the correct levels in mdadm.conf, but I can't seem to
>>>> > find that in my dom0 with the `locate` command.
>>>> >
>>>> > Please help. I really need these arrays back. My damn fedora-34 template is
>>>> > there so I can't even use sys-net
>>>> >
>>>>
>>>> Try "find / -name mdadm.conf -print
>>>>
>>>> It's in /usr/lib/tmpfiles.d/ on my laptop, but I don't have raid.
>>>>
>>>> Mike.
>>>>
>>>



Re: [qubes-users] SOS - Where is mdadm.conf?! I really really need to edit mdadm.conf on dom0

2023-04-13 Thread brick
Any Qubes devs/experts please...? I asked on linuxquestions as well and 
according to them, mdadm will try to load whatever file it listed under 
`man mdadm.conf`, which in the case of dom0 is at /etc/mdadm.conf... but 
that file did not exist until I put it there so *this is Qubes specific.* 
*Where 
does Qubes OS's mdadm get its settings from at boot?* I need to change 
those settings because they are corrupted... I literally have nowhere else 
to go but this mailing list. PLEASE HELP

On Thursday, April 13, 2023 at 3:10:09 PM UTC-5 brick wrote:

> Actually yeah that's not it at all. That's a `systemd-tmpfiles` file 
> whatever the fudge that is, nothing at all to do with mdadm
>
> On Thursday, April 13, 2023 at 2:34:38 PM UTC-5 brick wrote:
>
>> I don't think that's it. It's only one line long and has no reference to 
>> my arrays. I tried to put mine there anyway and rebooted but my arrays are 
>> still all raid0
>>
>> On Thursday, April 13, 2023 at 2:18:59 PM UTC-5 Mike Keehan wrote:
>>
>>> On Thu, 13 Apr 2023 11:08:09 -0700 (PDT) 
>>> leo...@gmail.com wrote: 
>>>
>>> > Long story short I had a drive failure, now all my RAID arrays incorrectly
>>> > show up as "raid0 inactive". Apparently one way to fix this is to manually
>>> > change the arrays to the correct levels in mdadm.conf, but I can't seem to
>>> > find that in my dom0 with the `locate` command.
>>> >
>>> > Please help. I really need these arrays back. My damn fedora-34 template is
>>> > there so I can't even use sys-net
>>> >
>>>
>>> Try "find / -name mdadm.conf -print 
>>>
>>> It's in /usr/lib/tmpfiles.d/ on my laptop, but I don't have raid. 
>>>
>>> Mike. 
>>>
>>



Re: [qubes-users] SOS - Where is mdadm.conf?! I really really need to edit mdadm.conf on dom0

2023-04-13 Thread brick
Actually yeah that's not it at all. That's a `systemd-tmpfiles` file 
whatever the fudge that is, nothing at all to do with mdadm

On Thursday, April 13, 2023 at 2:34:38 PM UTC-5 brick wrote:

> I don't think that's it. It's only one line long and has no reference to 
> my arrays. I tried to put mine there anyway and rebooted but my arrays are 
> still all raid0
>
> On Thursday, April 13, 2023 at 2:18:59 PM UTC-5 Mike Keehan wrote:
>
>> On Thu, 13 Apr 2023 11:08:09 -0700 (PDT) 
>> leo...@gmail.com wrote: 
>>
>> > Long story short I had a drive failure, now all my RAID arrays incorrectly
>> > show up as "raid0 inactive". Apparently one way to fix this is to manually
>> > change the arrays to the correct levels in mdadm.conf, but I can't seem to
>> > find that in my dom0 with the `locate` command.
>> >
>> > Please help. I really need these arrays back. My damn fedora-34 template is
>> > there so I can't even use sys-net
>> >
>>
>> Try "find / -name mdadm.conf -print 
>>
>> It's in /usr/lib/tmpfiles.d/ on my laptop, but I don't have raid. 
>>
>> Mike. 
>>
>



Re: [qubes-users] SOS - Where is mdadm.conf?! I really really need to edit mdadm.conf on dom0

2023-04-13 Thread brick
I don't think that's it. It's only one line long and has no reference to my 
arrays. I tried to put mine there anyway and rebooted but my arrays are 
still all raid0

On Thursday, April 13, 2023 at 2:18:59 PM UTC-5 Mike Keehan wrote:

> On Thu, 13 Apr 2023 11:08:09 -0700 (PDT)
> leo...@gmail.com wrote:
>
> > Long story short I had a drive failure, now all my RAID arrays incorrectly
> > show up as "raid0 inactive". Apparently one way to fix this is to manually
> > change the arrays to the correct levels in mdadm.conf, but I can't seem to
> > find that in my dom0 with the `locate` command.
> >
> > Please help. I really need these arrays back. My damn fedora-34 template is
> > there so I can't even use sys-net
> >
>
> Try "find / -name mdadm.conf -print
>
> It's in /usr/lib/tmpfiles.d/ on my laptop, but I don't have raid.
>
> Mike.
>



[qubes-users] Re: SOS - Where is mdadm.conf?! I really really need to edit mdadm.conf on dom0

2023-04-13 Thread brick
I created my own mdadm.conf and put it in /etc/mdadm.conf as well as in 
/etc/mdadm/mdadm.conf but Qubes doesn't seem to be reading it from either 
of those places. Does Xen do things differently or something?

On Thursday, April 13, 2023 at 1:09:03 PM UTC-5 brick wrote:

> Long story short I had a drive failure, now all my RAID arrays incorrectly 
> show up as "raid0 inactive". Apparently one way to fix this is to manually 
> change the arrays to the correct levels in mdadm.conf, but I can't seem to 
> find that in my dom0 with the `locate` command.
>
> Please help. I really need these arrays back. My damn fedora-34 template 
> is there so I can't even use sys-net
>



[qubes-users] Re: SOS - Where is mdadm.conf?! I really really need to edit mdadm.conf on dom0

2023-04-13 Thread brick
EDIT: And no I can't just rebuild the arrays. I need to recover the data if 
it's still there, and something tells me it just might be.

On Thursday, April 13, 2023 at 1:09:03 PM UTC-5 brick wrote:

> Long story short I had a drive failure, now all my RAID arrays incorrectly 
> show up as "raid0 inactive". Apparently one way to fix this is to manually 
> change the arrays to the correct levels in mdadm.conf, but I can't seem to 
> find that in my dom0 with the `locate` command.
>
> Please help. I really need these arrays back. My damn fedora-34 template 
> is there so I can't even use sys-net
>



Re: [qubes-users] SOS - Where is mdadm.conf?! I really really need to edit mdadm.conf on dom0

2023-04-13 Thread Mike Keehan
On Thu, 13 Apr 2023 11:08:09 -0700 (PDT)
leo...@gmail.com wrote:

> Long story short I had a drive failure, now all my RAID arrays incorrectly 
> show up as "raid0 inactive". Apparently one way to fix this is to manually 
> change the arrays to the correct levels in mdadm.conf, but I can't seem to 
> find that in my dom0 with the `locate` command.
> 
> Please help. I really need these arrays back. My damn fedora-34 template is 
> there so I can't even use sys-net
> 

Try "find / -name mdadm.conf -print

It's in /usr/lib/tmpfiles.d/ on my laptop, but I don't have raid.

Mike.



[qubes-users] SOS - Where is mdadm.conf?! I really really need to edit mdadm.conf on dom0

2023-04-13 Thread brick
Long story short I had a drive failure, now all my RAID arrays incorrectly 
show up as "raid0 inactive". Apparently one way to fix this is to manually 
change the arrays to the correct levels in mdadm.conf, but I can't seem to 
find that in my dom0 with the `locate` command.

Please help. I really need these arrays back. My damn fedora-34 template is 
there so I can't even use sys-net



Re: [qubes-users] dependency problem after upgrading standalone debian 11 VM

2023-04-12 Thread qubes-lists

Do you have any recommendation on how to solve this issue?


I also tried:
https://github.com/QubesOS/qubes-dist-upgrade/blob/release4.0/scripts/upgrade-template-standalone.sh#L37-L72

found via:
https://github.com/QubesOS/qubes-issues/issues/7865#issuecomment-1407236960

but running:
apt-get install --allow-downgrades -y \
'xen-utils-common=4.14*' \
'libxenstore3.0=4.14*' \
'xenstore-utils=4.14*'

fails because I did run
'apt upgrade; apt dist-upgrade'
already:

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Selected version '4.14.5+94-ge49571868d-1' (Debian-Security:11/stable-security 
[amd64]) for 'xen-utils-common'
Selected version '4.14.5+94-ge49571868d-1' (Debian-Security:11/stable-security 
[amd64]) for 'libxenstore3.0'
Selected version '4.14.5+94-ge49571868d-1' (Debian-Security:11/stable-security 
[amd64]) for 'xenstore-utils'
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
 qubes-core-agent : Depends: xen-utils-guest but it is not going to be installed
E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or 
specify a solution).
exit


Is there a way out?



[qubes-users] dependency problem after upgrading standalone debian 11 VM

2023-04-12 Thread qubes-lists

Hello!

a while ago when migrating Qubes 4.0 to Qubes 4.1
I restored a standalone debian VM (created on r4.0) on a fresh r4.1 system and 
did not
notice that I also should replace the r4.0 repos _in_ the VM to r4.1 repos
but it still worked fine.

Today I replaced this line:
deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm bullseye main

with this:
deb [arch=amd64] https://deb.qubes-os.org/r4.1/vm bullseye main

in the standalone VM.

After an
apt update
apt upgrade
apt dist-upgrade

I'm running into this error:


The following additional packages will be installed:
  xen-utils-guest
The following NEW packages will be installed:
  xen-utils-guest
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
36 not fully installed or removed.
Need to get 0 B/30.1 kB of archives.
After this operation, 53.2 kB of additional disk space will be used.
Do you want to continue? [Y/n]
(Reading database ... 242630 files and directories currently installed.)
Preparing to unpack .../xen-utils-guest_4.14.5-20+deb11u1_amd64.deb ...
Unpacking xen-utils-guest (4.14.5-20+deb11u1) ...
dpkg: error processing archive 
/var/cache/apt/archives/xen-utils-guest_4.14.5-20+deb11u1_amd64.deb (--unpack):
 trying to overwrite '/lib/systemd/system/xendriverdomain.service', which is 
also in package xen-utils-common 2001:4.8.5-42+deb11u1
Errors were encountered while processing:
 /var/cache/apt/archives/xen-utils-guest_4.14.5-20+deb11u1_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)


Do you have any recommendation on how to solve this issue?

thanks!

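The dpkg failure and the `--allow-downgrades` command in this thread both depend on which build of three xen packages is installed and which Qubes repository release the qube points at. The check below is an added example, not code from the thread or from the Qubes upgrade script; the function names and sample listing are constructed, and the package input format assumed is that of `dpkg-query -W -f='${Package} ${Version}\n'`.

```shell
#!/bin/sh
# Added example: pre-upgrade check for a Debian standalone/template qube.
# Function names and sample data are constructed for illustration.

# Packages the thread's apt-get command pins to '4.14*'.
XEN_PKGS="xen-utils-common libxenstore3.0 xenstore-utils"

# stdin:  apt sources content.
# stdout: Qubes release(s) named by active deb.qubes-os.org VM repo lines,
#         e.g. "r4.0". Commented-out lines are ignored.
qubes_repo_releases() {
    sed -n 's|^[[:space:]]*deb[[:space:]].*//deb\.qubes-os\.org/\(r[0-9][0-9.]*\)/vm.*|\1|p' |
        sort -u
}

# stdin:  "package version" lines.
# stdout: those of XEN_PKGS whose upstream version is not 4.14*.
# dpkg compares the epoch first, so "2001:4.8.5" sorts above "4.14.5";
# that is why moving to the Debian build counts as a downgrade for apt.
stale_xen_packages() {
    while read -r pkg ver; do
        case " $XEN_PKGS " in
            *" $pkg "*) ;;          # one of the three packages of interest
            *) continue ;;
        esac
        upstream=${ver#*:}          # drop an epoch such as "2001:" if present
        case "$upstream" in
            4.14*) ;;               # already a 4.14 build, nothing to do
            *) printf '%s %s\n' "$pkg" "$ver" ;;
        esac
    done
}

# Constructed sources content: one commented r4.1 line, one active r4.0 line.
sample_sources() {
    cat <<'EOF'
# deb [arch=amd64] https://deb.qubes-os.org/r4.1/vm bullseye main
deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm bullseye main
EOF
}

# Constructed package listing. The xen-utils-common and xenstore-utils
# version strings are the ones quoted in the thread; the other two lines
# are made up for the example.
sample_dpkg() {
    cat <<'EOF'
qubes-core-agent 4.0.0-1+deb11u1
xen-utils-common 2001:4.8.5-42+deb11u1
libxenstore3.0 2001:4.8.5-42+deb11u1
xenstore-utils 4.14.5+94-ge49571868d-1
EOF
}

echo "Qubes VM repo release: $(sample_sources | qubes_repo_releases)"
echo "xen packages that are not 4.14 builds:"
sample_dpkg | stale_xen_packages
```

On a real qube the two functions would be fed from the apt sources files and from `dpkg-query` instead of the sample functions.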


Re: [qubes-users] 'qvm-copy' and 'qvm-copy-to-vm' in AppVM

2023-04-08 Thread Boryeu Mao
Maybe the 'qvm-copy-to-vm' version could be made to place the 1st argument 
in the Target field of the pop-up window, such that only a CR is required 
to complete the operation?

On Friday, March 24, 2023 at 8:41:54 AM UTC-7 Boryeu Mao wrote:

> Yes, 'qvm-copy' alone would ensure the security of copying/moving files 
> between AppVM's.  Thanks. 
>
> On Fri, Mar 24, 2023 at 5:43 AM unman  wrote:
>
>> qvm-copy-to-vm is deprecated and will be removed.
>>
>



Re: [qubes-users] Kali Linux Purple - Defense

2023-04-05 Thread 'unman' via qubes-users
On Tue, Apr 04, 2023 at 10:11:19PM -0700, Foilsurf wrote:
> Hello,
> which of the out of the Box Defense features of the new *Kali Linux Purple*,
> would be very nice to have also in *QubesOS* to raise the defense bar? (the
> attacks also get every day harder...)
> Kind Regards
> 
I see that they emphasize defensive tools - mainly scanners, and IDS -
but is there yet detail on configuration features?
I haven't yet seen that.
Also, there's no sign that they will be moving from Debian testing.



[qubes-users] Kali Linux Purple - Defense

2023-04-04 Thread Foilsurf
Hello,
which of the out of the Box Defense features of the new *Kali Linux Purple*,
would be very nice to have also in *QubesOS* to raise the defense bar? (the
attacks also get every day harder...)
Kind Regards



[qubes-users] qubes-tunnel missing dependency on sssd-client for fedora 36 and 37?

2023-04-04 Thread r . wiesbach

Hi there,

sudo  journalctl -u qubes-tunnel:


systemd[1]: Starting qubes-tunnel.service - Tunnel service for Qubes
proxyVM...
su[640]: PAM unable to dlopen(/usr/lib64/security/pam_sss.so):
/usr/lib64/security/pam_sss.so: cannot open shared object file: >
su[640]: PAM adding faulty module: /usr/lib64/security/pam_sss.so
su[640]: (to user) root on none
su[640]: pam_unix(su-l:session): session opened for user
user(uid=1000) by (uid=0)
su[640]: pam_unix(su-l:session): session closed for user user
systemd[1]: qubes-tunnel.service: Control process exited, code=exited,
status=1/FAILURE
qtunnel-setup[751]: STOP-ing network forwarding!
systemd[1]: qubes-tunnel.service: Failed with result 'exit-code'.
systemd[1]: Failed to start qubes-tunnel.service - Tunnel service for
Qubes proxyVM.

/usr/lib64/security/pam_sss.so is part of


sudo dnf install sssd-client


(directly, not part of the dependencies libsss_nss_idmap or libsss_idmap)

notably, fedora-34 template does not have sssd-client or its
dependencies libsss_nss_idmap or libsss_idmap installed and the .so file
does not exist there, but nevertheless "sudo  journalctl -u
qubes-tunnel" does not show the error

notably even with this error my openvpn-configuration works fine!

Does somebody know:
1) What this dependency is used for
2) Why this dependency is not needed in fedora 34
3) Which circumstances cause the need for this dependency
4) how to properly report this?
https://github.com/QubesOS-contrib/qubes-tunnel has "issues" disabled ...

Thanks



[qubes-users] Successful Qubes install, now stuck with Freeplane install. Can you help me get started? Please?

2023-03-31 Thread charliesierra2 via qubes-users
Hi all,



DEAR MODS: If I should have sent this to the wrong place, or if I should go 
about this in a different way, please do tell me. Doing my best in good faith, 
willing to learn.



Qubes beginner here who feels like he's fairly good at flying a Cessna (Mint) 
and is now trying to fly a fighter jet... so many additional buttons and 
switches in this cockpit! Some help would be awesome...



First things first: Thank you so much for creating Qubes! I hugely appreciate 
the immense amounts of time and energy that have been put into this, and 
continue to be put into it, and I am very grateful that there are capable 
people in the world who provide me with such a powerful tool.



This post got longer than planned, so

H E R E   I S   T H E   B R I E F   V E R S I O N   O F   T H I S   P O S T  :



QUESTION: Would you be willing to walk me through the process of installing 
Freeplane on Qubes / Whonix-Qubes?

DONE SO FAR: Managed successful disable of Intel ME via 1vyrain and then Qubes 
/ Whonix-Qubes install on an X230 i7 with 16 GB RAM and SSD.

NEXT GOAL: I want to install Freeplane and test whether it runs well enough on 
this machine on Qubes with rather large mindmap files. Freeplane is a deal 
breaker must-have software for me, so installing and testing it is the first 
next step I want to focus on. If it helps, I don't need Freeplane to have net 
access, actually might even prefer it not to have net access, so maybe a 
standalone / vault type VM just for Freeplane might make sense. Tried to 
install it several times, really unsure why I didn't succeed so far, despite 
lots of reading and my best efforts. If Freeplane works well, I want to use 
Qubes as my daily driver as soon as possible. I'm hoping that I'm not 
delusional to hope that I can learn to do that.

ABOUT ME: 10 years of Linux use (mostly Mint) and converting others to Linux. 
Have done some programming in the long distant past but not considering myself 
a programmer. Done occasional command line stuff when a particular need arose, 
by seeking out and following instructions. Constantly broadening my horizon re 
security and privacy, and valuing both very much. I understand the value of the 
compartmentalization approach of Qubes for security and privacy, and have a 
fairly clear idea how I want to make use of that. Unfortunately I'm still 
lacking a lot on the practical side, I still need to learn how to actually 
operate Qubes. In other words, I can probably draw my ideal Qubes diagram 
without too much trouble, but don't know how to then actually create that 
setup. I'm guessing and hoping that my level of skills just about puts me in 
the "minimum user requirements" range for using Qubes.

Thank you for reading this far, would be great to hear back from you, have a 
great day!



If you have some more time here are some more details and thoughts, but

F E E L   F R E E   T O   S K I P   T H E   R E S T   F R O M   H E R E  :



My guess is that if I had someone sitting next to me who knows how to work 
Qubes, I would probably learn what I need to learn to then continue mostly on 
my own within an hour or maybe even less.
I find the process of digging through documentation and piecing it together 
from there extremely slow.

So slow in fact that that alone could become a deal breaker for me for Qubes, 
because unfortunately, while I have some time that I can dedicate to this, I 
don't have unlimited amounts of time.

At the pace I'm currently going it could take me weeks just to be able to 
actually start using Qubes in real life, but I don't have weeks because I 
actually need to be able to use this machine for real purposes very soon.

So either I can learn to at least start using Qubes as my daily driver within a 
week or two, or I'll need to shelve Qubes for the time being, and go back to 
Mint.

I really like Mint, but Qubes is in a completely different league in what it 
makes possible, so I am definitely motivated to make that switch.

I have the suspicion (and the hope) that this is just an initial barrier that I 
need to push through, and that with help, this might not necessarily take 
overly long.

But right now I'm stuck.



The Freeplane install and test is first on the agenda.

If that's successful, the next goal is to then decide exactly what I want my 
compartmentalization to look like, and then set things up accordingly - 
deciding in which way which qubes connect to the net, installing software in 
various qubes, data storage decisions, etc.

But I would like to focus on step 1 (testing Freeplane) first, and then think 
about this next.



Yeah so that's where I'm at at the moment.

Any takers who would like to talk me through the process of installing 
Freeplane, for a start? Please?

I could really do with some help...



Thank you for reading, keep being awesome, have a peaceful day!

Jack


Re: [qubes-users] How Qubes handles the start of services

2023-03-28 Thread 'unman' via qubes-users
On Mon, Mar 27, 2023 at 06:33:26PM +0200, r.wiesb...@web.de wrote:
> Hi unman,
> 
> that was the reference in qubes-doc that I found before and that I could
> not find today when I was writing this email. However, it does not
> explain what the advantage of this two-switch-model is compared to just
> run the services defined in the per-qube services tab/setting without
> the dependence on being enabled in the template.
> That approach would render adding support for [any generic] systemd
> service not only "pretty simple" but would make every systemd service
> compatible "by design".

I think that a generic systemd service is already compatible by design: if
you install such a service and enable it in the template it will be
enabled in the qubes using that template. Is that not so?

The current system provides a simple condition that gives granular
control over services on a per qube basis.
The same control can be achieved by *disabling* the service in the template,
and having a switch that enables the service and starts it in the qube.
I do this myself in some cases. (From dom0 with qvm-run, or with entries
in rc.local, e.g.)
Both approaches require some action in the template as well as action in
the qube. So both are "two-switch".
The current mechanism provides a dead man's handle but allows services to
start at an early stage. You are not obliged to use it for other
services.

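The two-switch behaviour discussed in this thread, modelled as an added example (not code from the Qubes project or from either poster). It assumes the mechanism described in the qubes-service documentation: switching a service on for a qube creates the flag file /var/run/qubes-service/NAME inside that qube, and the unit tests for it with ConditionPathExists=. The unit files and the name example-daemon are constructed.

```python
import os
import tempfile

# Constructed unit: enabled in the template, gated on the per-qube flag file.
GATED_UNIT = """\
[Unit]
Description=Example daemon (constructed for this example)
ConditionPathExists=/var/run/qubes-service/example-daemon

[Service]
ExecStart=/usr/bin/example-daemon
"""

# Constructed unit with no Qubes condition: a "generic" systemd service.
PLAIN_UNIT = """\
[Unit]
Description=Generic daemon (constructed for this example)

[Service]
ExecStart=/usr/bin/generic-daemon
"""


def path_conditions(unit_text):
    """Return [(path, negated)] for ConditionPathExists= lines in [Unit].

    Handles the '!' negation prefix and the empty assignment that resets
    the list; the '|' triggering prefix is not handled here.
    """
    conditions = []
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Unit" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key != "ConditionPathExists":
            continue
        if value == "":
            conditions = []
            continue
        conditions.append((value.lstrip("!"), value.startswith("!")))
    return conditions


def would_start(unit_text, enabled_in_template, root="/"):
    """Decide whether the unit starts at boot in a qube whose filesystem is at root."""
    if not enabled_in_template:
        return False, "unit is not enabled in the template"
    for path, negated in path_conditions(unit_text):
        present = os.path.exists(os.path.join(root, path.lstrip("/")))
        if present == negated:
            return False, f"condition on {path} not met"
    return True, "enabled and all conditions met"


def demo():
    """Evaluate every combination of the two switches in a throwaway tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        flag_dir = os.path.join(root, "var/run/qubes-service")
        os.makedirs(flag_dir)
        flag = os.path.join(flag_dir, "example-daemon")
        for enabled in (False, True):
            for flagged in (False, True):
                if flagged:
                    open(flag, "w").close()
                elif os.path.exists(flag):
                    os.remove(flag)
                results[(enabled, flagged)] = would_start(GATED_UNIT, enabled, root)[0]
        # A unit without the condition follows the template setting alone.
        results["plain"] = would_start(PLAIN_UNIT, True, root)[0]
    return results


if __name__ == "__main__":
    for case, starts in demo().items():
        print(case, "->", "starts" if starts else "does not start")
```
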


Re: [qubes-users] Restored GPG domain from Q4.0 to Q4.1, won't start (xenbus_probe_frontend?)

2023-03-28 Thread Thomas Kerin
Transferring the data got me back in action, so I'm quite happy I had the
old system running and didn't have to muck about to regain access to the
files

I've normally had good enough luck with the qubes backup and restore, but
it does seem like Qubes from older systems might run into incompatibilities
if imported into a newer Qubes, even if the corresponding template is
restored too

Does anyone recognize the error or maybe know why the VM failed to boot
under Qubes 4.1? Could we check for such conditions during the Qubes
Restore?

On Tue, Mar 28, 2023 at 1:45 PM sambucium  wrote:

> I restored my system from a laptop running Qubes 4.0 recently
>
> The template for my gpg domain is based on debian-10. I restored both the
> gpg domain and the template into the new system, but the gpg domain won't
> start
>
> It seems to get stuck waiting for the xvdd device to attach to the VM.
>
> /var/log/xen/console/guest-gpg.log
> blkfront: xvda: flush diskcache: enabled; persistent grants;: enabled;
> indirect descriptors: enabled; bounce buffer: enabled
> xvda: xvda1 xvda2 xvda3
> blkfront: xvdb: flush diskcache: enabled; persistent grants;: enabled;
> indirect descriptors: enabled; bounce buffer: enabled
> blkfront: xvdc: flush diskcache: enabled; persistent grants;: enabled;
> indirect descriptors: enabled; bounce buffer: enabled
> xenbus_probe_frontend: Waiting for devices to initialize:
> 25s..20s..15s...10s...5s...0s...
>
> before the VM shuts down
>
>
> If I boot another VM (ssh /lan) which uses the same template, I get this
> instead
>
> blkfront: xvda: flush diskcache: enabled; persistent grants;: enabled;
> indirect descriptors: enabled; bounce buffer: enabled
> xvda: xvda1 xvda2 xvda3
> blkfront: xvdb: flush diskcache: enabled; persistent grants;: enabled;
> indirect descriptors: enabled; bounce buffer: enabled
> blkfront: xvdc: flush diskcache: enabled; persistent grants;: enabled;
> indirect descriptors: enabled; bounce buffer: enabled
> blkfront: xvdd: flush diskcache: enabled; persistent grants;: enabled;
> indirect descriptors: enabled; bounce buffer: enabled
> ...
> ..
> Waiting for /dev/xvdd device...
> /dev/xvdd: Can't open blockdev
> ...
> VM boots anyway
>
>
> I googled that line and see references to /var/log/xen/xen-hotplug.log -
> this file is empty
>
> I'm wondering how old that VM is, maybe it's come from Qubes 3.2 -> 4.0 ->
> 4.1 and finally it's running into bother?
>
> Other VMs seem to boot from that template which is odd, I'm going to try
> transfer the data to a fresh qube, transfer THAT to the new system and
> hopefully it works, but otherwise I'm at a loss here
>



[qubes-users] Restored GPG domain from Q4.0 to Q4.1, won't start (xenbus_probe_frontend?)

2023-03-28 Thread sambucium
I restored my system from a laptop running Qubes 4.0 recently

The template for my gpg domain is based on debian-10. I restored both the 
gpg domain and the template into the new system, but the gpg domain won't 
start

It seems to get stuck waiting for the xvdd device to attach to the VM.

/var/log/xen/console/guest-gpg.log
blkfront: xvda: flush diskcache: enabled; persistent grants;: enabled; 
indirect descriptors: enabled; bounce buffer: enabled
xvda: xvda1 xvda2 xvda3
blkfront: xvdb: flush diskcache: enabled; persistent grants;: enabled; 
indirect descriptors: enabled; bounce buffer: enabled
blkfront: xvdc: flush diskcache: enabled; persistent grants;: enabled; 
indirect descriptors: enabled; bounce buffer: enabled
xenbus_probe_frontend: Waiting for devices to initialize: 
25s..20s..15s...10s...5s...0s...

before the VM shuts down


If I boot another VM (ssh /lan) which uses the same template, I get this 
instead

blkfront: xvda: flush diskcache: enabled; persistent grants;: enabled; 
indirect descriptors: enabled; bounce buffer: enabled
xvda: xvda1 xvda2 xvda3
blkfront: xvdb: flush diskcache: enabled; persistent grants;: enabled; 
indirect descriptors: enabled; bounce buffer: enabled
blkfront: xvdc: flush diskcache: enabled; persistent grants;: enabled; 
indirect descriptors: enabled; bounce buffer: enabled
blkfront: xvdd: flush diskcache: enabled; persistent grants;: enabled; 
indirect descriptors: enabled; bounce buffer: enabled
...
..
Waiting for /dev/xvdd device...
/dev/xvdd: Can't open blockdev
... 
VM boots anyway


I googled that line and see references to /var/log/xen/xen-hotplug.log - 
this file is empty

I'm wondering how old that VM is, maybe it's come from Qubes 3.2 -> 4.0 -> 
4.1 and finally it's running into bother?

Other VMs seem to boot from that template which is odd, I'm going to try 
transfer the data to a fresh qube, transfer THAT to the new system and 
hopefully it works, but otherwise I'm at a loss here



[qubes-users] High dom0 cpu use

2023-03-27 Thread Mike Keehan
Xentop is showing dom0 using 50-60% cpu on my laptop, all the time.  It did
not always do this, but I don't know which update may have caused it.

Top within dom0 shows a few processes taking 5% or less, so whatever is
causing the high cpu usage is either in the kernel, or in whatever Xen is
doing I guess.

Anyone have any clues to what is going on?

Mike.



[qubes-users] High dom0 cpu usage

2023-03-27 Thread Mike Keehan
Xentop is showing dom0 using 50-60% cpu on my laptop, all the time.  It did
not always do this, but I don't know which update may have caused it.

Top within dom0 shows a few processes taking 5% or less, so whatever is
causing the high cpu usage is either in the kernel, or in whatever Xen is
doing I guess.

Anyone have any clues to what is going on?

Mike.



Re: [qubes-users] How Qubes handles the start of services

2023-03-27 Thread r . wiesbach

Hi uman,

that was the reference in qubes-doc that I found before and that I could
not find today when I was writing this email. However, it does not
explain what the advantage of this two-switch-model is compared to just
run the services defined in the per-qube services tab/setting without
the dependence on being enabled in the template.
That approach would render adding support for [any generic] systemd
service not only "pretty simple" but would make every systemd service
compatible "by design".

On 27.03.23 at 17:03, unman wrote:
> On Mon, Mar 27, 2023 at 03:48:15PM +0200, r.wiesb...@web.de wrote:
>> Hi there,
>>
>> every VM/qube has a "services" tab in its settings window. It seems like
>> Qubes is designed in a manner that requires two switches for a service:
>> it needs to be enabled in the template *and* requires an entry in
>> "services" tab.
>>
>> My expectation was that when selected in the "services" tab, qubesrc (or
>> any other instance) will just start the corresponding service in the VM.
>> During troubleshooting I found out that it is designed as above, but I
>> could not find the reason for this design decision.
>>
>> At least the "services tab" should have a red text warning that it is
>> required to enable the service in the template as well in order to not
>> confuse users the way it confused myself.
>>
>>
>> best,
>> Ron
>
> This is a long standing design.
> The process is explained at https://www.qubes-os.org/doc/qubes-service/
>
> The text on the service tab is unclear - it *does* say that the service
> will be turned on. I've raised an issue to have this clarified.




Re: [qubes-users] How Qubes handles the start of services

2023-03-27 Thread 'unman' via qubes-users
On Mon, Mar 27, 2023 at 03:48:15PM +0200, r.wiesb...@web.de wrote:
> Hi there,
> 
> every VM/qube has a "services" tab in its settings window. It seems like
> Qubes is designed in a manner that requires two switches for a service:
> it needs to be enabled in the template *and* requires an entry in
> "services" tab.
> 
> My expectation was that when selected in the "services" tab, qubesrc (or
> any other instance) will just start the corresponding service in the VM.
> During troubleshooting I found out that it is designed as above, but I
> could not find the reason for this design decision.
> 
> At least the "services tab" should have a red text warning that it is
> required to enable the service in the template as well in order to not
> confuse users the way it confused myself.
> 
> 
> best,
> Ron
> 
This is a long standing design.
The process is explained at https://www.qubes-os.org/doc/qubes-service/

The text on the service tab is unclear - it *does* say that the service
will be turned on. I've raised an issue to have this clarified.



[qubes-users] How Qubes handles the start of services

2023-03-27 Thread r . wiesbach

Hi there,

every VM/qube has a "services" tab in its settings window. It seems like
Qubes is designed in a manner that requires two switches for a service:
it needs to be enabled in the template *and* requires an entry in
"services" tab.

My expectation was that when selected in the "services" tab, qubesrc (or
any other instance) will just start the corresponding service in the VM.
During troubleshooting I found out that it is designed as above, but I
could not find the reason for this design decision.

At least the "services tab" should have a red text warning that it is
required to enable the service in the template as well in order to not
confuse users the way it confused myself.


best,
Ron



Re: [qubes-users] RAM budgeting techniques

2023-03-26 Thread tiesta_symonne61 via qubes-users
On Sun, March 26, 2023 22:07, Demi Marie Obenour wrote:
> zram and zswap are potentially vulnerable to timing attacks, so I
> recommend avoiding them.

I see! Let me scratch those off my list then



Re: [qubes-users] RAM budgeting techniques

2023-03-26 Thread Demi Marie Obenour
On Sun, Mar 26, 2023 at 08:57:45PM +, Qubes OS Users Mailing List wrote:
> Is there anything I can do to get more qubes out of my RAM, besides trial
> and error with allocation values? I figure there's gotta be some daemon or
> other that I never use that's eating up RAM on every instance of
> fedora/debian for no good reason. Or perhaps some sort of swap
> optimization such as zram or zswap. What's your favorite cure for
> qubestyle creep?

zram and zswap are potentially vulnerable to timing attacks, so I
recommend avoiding them.
- -- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab



[qubes-users] RAM budgeting techniques

2023-03-26 Thread tiesta_symonne61 via qubes-users
Is there anything I can do to get more qubes out of my RAM, besides trial
and error with allocation values? I figure there's gotta be some daemon or
other that I never use that's eating up RAM on every instance of
fedora/debian for no good reason. Or perhaps some sort of swap
optimization such as zram or zswap. What's your favorite cure for
qubestyle creep?



Re: [qubes-users] 'qvm-copy' and 'qvm-copy-to-vm' in AppVM

2023-03-24 Thread Boryeu Mao
Yes, 'qvm-copy' alone would ensure the security of copying/moving files
between AppVM's.  Thanks.

On Fri, Mar 24, 2023 at 5:43 AM unman  wrote:

> qvm-copy-to-vm is deprecated and will be removed.
>



Re: [qubes-users] Odd behavior wile running two separate Whonix gateways

2023-03-24 Thread Andrew David Wong
On 3/23/23 9:23 PM, tiesta_symonne61 via qubes-users wrote:
> I'm pretty
> sure the actual traffic is being routed through the correct gateways, but
> my only metric for knowing that is looking at CPU usage while stressing
> the connection and making sure the correct chain of net vm's light up.
> 

Why not use the preinstalled "Nyx - Status Monitor for Tor" tool? It creates a 
nice traffic graph for you and shows you upload and download usage in real 
time. There's even a menu entry for it by default, so it's easy to open.




Re: [qubes-users] Odd behavior wile running two separate Whonix gateways

2023-03-24 Thread 'unman' via qubes-users
On Fri, Mar 24, 2023 at 04:23:48AM +, tiesta_symonne61 via qubes-users 
wrote:
> I have two Whonix gateways, the default sys-whonix and a sys-whonix-clone.
> Both are attached to different net vm's.
> 
> The problem is that all qubes that have sys-whonix-clone as its net vm
> show up under sys-whonix's tray icon, not sys-whonix-clone's. I'm pretty
> sure the actual traffic is being routed through the correct gateways, but
> my only metric for knowing that is looking at CPU usage while stressing
> the connection and making sure the correct chain of net vm's light up.
> 
> Is this just a GUI quirk, or should I worry about actual risk of traffic
> getting mixed between the two gateway qubes?

It sounds like a GUI bug - you could check what is happening by running
a sniffer on sys-whonix, or by examining counters on the firewall rules.
I don't have whonix installed to be able to tell you if the tools for this
are installed.
(You could try running `iptables -L -nv -t nat` and seeing if the counts
for one of the errant qubes increments. Report back.)

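The counter check suggested in the reply above, as an added example (not part of the original message and not Whonix or Qubes code): take one `iptables -L -nv -t nat` listing before and one after generating traffic from the qube in question, then report the rules whose packet counters grew. The two listings, the addresses and the rule layout are constructed and do not reproduce the Whonix gateway ruleset.

```python
import re

# Without -x, iptables rounds large counters and appends K/M/G/T (powers of 1000).
# Capturing with `iptables -L -nvx -t nat` gives exact values and avoids rounding.
_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

# Constructed listing taken before the test traffic.
BEFORE = """\
Chain PREROUTING (policy ACCEPT 41 packets, 2460 bytes)
 pkts bytes target     prot opt in     out     source               destination
  310 18600 REDIRECT   tcp  --  vif+   *       10.137.0.21          0.0.0.0/0            redir ports 9040
    0     0 REDIRECT   tcp  --  vif+   *       10.137.0.34          0.0.0.0/0            redir ports 9040

Chain OUTPUT (policy ACCEPT 7 packets, 420 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Constructed listing taken after the test traffic.
AFTER = """\
Chain PREROUTING (policy ACCEPT 44 packets, 2640 bytes)
 pkts bytes target     prot opt in     out     source               destination
  342 20520 REDIRECT   tcp  --  vif+   *       10.137.0.21          0.0.0.0/0            redir ports 9040
   57  3420 REDIRECT   tcp  --  vif+   *       10.137.0.34          0.0.0.0/0            redir ports 9040

Chain OUTPUT (policy ACCEPT 9 packets, 540 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""


def to_int(token):
    """Convert an iptables counter such as '57' or '12K' to an integer."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", token)
    if m is None:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_counters(listing):
    """Map (chain, rule text) -> packet count for every rule line."""
    counters = {}
    chain = None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        fields = line.split()
        # Skip blanks, the column header and anything too short to be a rule.
        if chain is None or len(fields) < 8 or fields[0] == "pkts":
            continue
        try:
            pkts = to_int(fields[0])
        except ValueError:
            continue
        key = (chain, " ".join(fields[2:]))
        counters[key] = counters.get(key, 0) + pkts
    return counters


def grown(before, after, needle=None):
    """Rules whose packet counter increased; needle filters on a rule field
    (for example the IP address of the qube under test)."""
    old, new = parse_counters(before), parse_counters(after)
    hits = []
    for (chain, rule), pkts in new.items():
        delta = pkts - old.get((chain, rule), 0)
        if delta > 0 and (needle is None or needle in rule.split()):
            hits.append((chain, rule, delta))
    return sorted(hits)


if __name__ == "__main__":
    # In the constructed data 10.137.0.34 stands for a qube attached to the
    # other gateway: any growth here means its traffic reaches this one.
    for chain, rule, delta in grown(BEFORE, AFTER, "10.137.0.34"):
        print(f"{chain}: +{delta} packets  {rule}")
```
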


Re: [qubes-users] 'qvm-copy' and 'qvm-copy-to-vm' in AppVM

2023-03-24 Thread 'unman' via qubes-users
qvm-copy-to-vm is deprecated and will be removed.



[qubes-users] Odd behavior wile running two separate Whonix gateways

2023-03-24 Thread tiesta_symonne61 via qubes-users
I have two Whonix gateways, the default sys-whonix and a sys-whonix-clone.
Both are attached to different net vm's.

The problem is that all qubes that have sys-whonix-clone as its net vm
show up under sys-whonix's tray icon, not sys-whonix-clone's. I'm pretty
sure the actual traffic is being routed through the correct gateways, but
my only metric for knowing that is looking at CPU usage while stressing
the connection and making sure the correct chain of net vm's light up.

Is this just a GUI quirk, or should I worry about actual risk of traffic
getting mixed between the two gateway qubes?



Re: [qubes-users] 'qvm-copy' and 'qvm-copy-to-vm' in AppVM

2023-03-23 Thread Boryeu Mao
Ah that makes sense.  Thanks much, Glen.  (Scripting is precisely what I
was going for -- I can still have everything else automated.)  Boryeu

On Thu, Mar 23, 2023 at 5:20 PM Glen Larwill  wrote:

> Security?
>
> Forces ANY file movement between VMs to be under the control of a human
> behind a keyboard/mouse. I ran into this as well, then realized the risk I
> was creating running this from a script.
>
> GL
>
>
> On Thu, Mar 23, 2023, 16:50 Boryeu Mao  wrote:
>
>> I'd expected 'qvm-copy-to-vm' to accept the 1st argument as target-vm and
>> get on with copying, but for me both commands request the target-vm in a
>> pop-up window -- so what is the point of having 'qvm-copy-to-vm' at all, if
>> I am not missing something really simple?
>> Thanks
>>



Re: [qubes-users] 'qvm-copy' and 'qvm-copy-to-vm' in AppVM

2023-03-23 Thread Glen Larwill
Security?

Forces ANY file movement between VMs to be under the control of a human
behind a keyboard/mouse. I ran into this as well, then realized the risk I
was creating running this from a script.

GL


On Thu, Mar 23, 2023, 16:50 Boryeu Mao  wrote:

> I'd expected 'qvm-copy-to-vm' to accept the 1st argument as target-vm and
> get on with copying, but for me both commands request the target-vm in a
> pop-up window -- so what is the point of having 'qvm-copy-to-vm' at all, if
> I am not missing something really simple?
> Thanks
>



[qubes-users] 'qvm-copy' and 'qvm-copy-to-vm' in AppVM

2023-03-23 Thread Boryeu Mao
I'd expected 'qvm-copy-to-vm' to accept the 1st argument as target-vm and 
get on with copying, but for me both commands request the target-vm in a 
pop-up window -- so what is the point of having 'qvm-copy-to-vm' at all, if 
I am not missing something really simple?
Thanks



Re: [qubes-users] How do I get Snowflake proxy working in sys-whonix?

2023-03-21 Thread Sven Semmler

This sounds like an excellent question for https://forums.whonix.org/ ;-)

/Sven

--
https://keys.openpgp.org/vks/v1/by-fingerprint/DA5975C9ABC40C833B2F620B2A632C537D744BC7



[qubes-users] QSB-088: Two Xen issues affecting PV (stub-)domains (XSA-428, XSA-429)

2023-03-21 Thread Andrew David Wong
Dear Qubes Community,

We have published [Qubes Security Bulletin (QSB) 088: Two Xen issues affecting PV (stub-)domains (XSA-428, XSA-429)](https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-088-2023.txt). The text of this QSB and its accompanying cryptographic signatures are reproduced below. For an explanation of this announcement and instructions for authenticating this QSB, please see the end of this announcement.

## Qubes Security Bulletin 088

```

 ---===[ Qubes Security Bulletin 088 ]===---

 2023-03-21

 Two Xen issues affecting PV (stub-)domains (XSA-428, XSA-429)

User action required
---------------------

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.1, in dom0:
  - Xen packages, version 4.14.5-20

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]

Dom0 must be restarted afterward in order for the updates to take
effect.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.

Summary
--------

The following security advisories were published on 2023-03-21:

XSA-428 [3] "x86/HVM pinned cache attributes mis-handling":

| To allow cachability control for HVM guests with passed through
| devices, an interface exists to explicitly override defaults which
| would otherwise be put in place.  While not exposed to the affected
| guests themselves, the interface specifically exists for domains
| controlling such guests.  This interface may therefore be used by not
| fully privileged entities, e.g. qemu running deprivileged in Dom0 or
| qemu running in a so called stub-domain.  With this exposure it is an
| issue that
|  - the number of the such controlled regions was unbounded
|    (CVE-2022-42333),
|  - installation and removal of such regions was not properly
|    serialized (CVE-2022-42334).

XSA-429 [4] "x86: speculative vulnerability in 32bit SYSCALL path":

| Due to an oversight in the very original Spectre/Meltdown security
| work (XSA-254), one entrypath performs its speculation-safety actions
| too late.
| 
| In some configurations, there is an unprotected RET instruction which
| can be attacked with a variety of speculative attacks.

Impact
-------

XSA-428 could allow a malicious stub-domain to crash the hypervisor (and
hence the entire system). A stub-domain is a qube that accompanies a
"fully-virtualized" (HVM) qube and in which qemu is isolated. Privilege
escalation and information leaks cannot be ruled out.

XSA-429 allows a malicious paravirtualized (PV) qube to infer the
contents of arbitrary host memory, including memory assigned to other
qubes. XSA-429 affects only AMD processors that support Supervisor Mode
Execution Prevention (SMEP) or Supervisor Mode Access Prevention (SMAP),
which likely includes certain family 0x16 models and all later models.
XSA-429 does not affect Intel processors.

Discussion
-----------

In the default Qubes OS configuration, the vulnerabilities reported in
XSA-428 and XSA-429 apply only to stub-domains that control HVM qubes
(e.g., sys-net and sys-usb). However, these vulnerabilities do not make
such stub-domains *themselves* vulnerable. Rather, these vulnerabilities
allow attacks to be launched *from* such stub-domains. Therefore, in
order to exploit these vulnerabilities, an attacker would have to chain
multiple independent vulnerabilities together by first compromising a
suitable stub-domain by some independent means.

For a variety of security reasons (including past PV vulnerabilities,
Meltdown, and Spectre), we abandoned PV in favor of a combination of PVH
and HVM in the default Qubes OS configuration beginning with Qubes 4.0.
[5] While advanced users still have the ability to create PV qubes
manually, this practice is discouraged. Nonetheless, if any PV qubes
exist on affected hardware, they are affected by XSA-429.

Credits
--------

See the original Xen Security Advisories.

References
-----------

[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-428.html
[4] https://xenbits.xen.org/xsa/advisory-429.html
[5] https://www.qubes-os.org/doc/releases/4.0/release-notes/

--
The Qubes Security Team
https://www.qubes-os.org/security/

```

*Source*: 


## [Marek Marczykowski-Górecki](https://www.qubes-os.org/team/#marek-marczykowski-górecki)'s PGP signature

[qubes-users] How do I get Snowflake proxy working in sys-whonix?

2023-03-20 Thread tiesta_symonne61 via qubes-users
I see there is a 'snowflake' proxy option in the Tor control panel,
however it gets stuck at 0% and refuses to connect. I can't find any
resources. Closest I found is this forum thread:

https://forum.qubes-os.org/t/snowflake-proxy-causes-crash-in-tor-control-panel/12326

It's not the same issue, but one user does point out that the feature is
broken. The thread is a few months old so this may or may not still be the
case. Either way I tried the solution provided by @tzwcfq but it did not
improve things.

Thank you all for reading



[qubes-users] Dark theme in Dom

2023-03-19 Thread 'taran1s' via qubes-users
Hello everyone, I am trying to set up the dark theme in dom0. All 
working well but at the end it doesn't work. There are some errors 
popping up and I think this is the issue but don't know how to solve that.


[xxx@dom0 ~]$ sudo qubes-dom0-update qt5-qtstyleplugins
Using sys-whonix-update as UpdateVM to download updates for Dom0; this may take some time...
Qubes OS Repository for Dom0                    0.0  B/s |   0  B     00:00

Errors during downloading metadata for repository 'qubes-dom0-cached':
  - Curl error (37): Couldn't read a file:// file for file:///var/lib/qubes/updates/repodata/repomd.xml [Couldn't open file /var/lib/qubes/updates/repodata/repomd.xml]
Error: Failed to download metadata for repo 'qubes-dom0-cached': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

Ignoring repositories: qubes-dom0-cached
Package qt5-qtstyleplugins-5.0.0-39.fc32.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

[guruji@dom0 ~]$ export QT_QPA_PLATFORMTHEME=gtk2 /etc/environment
bash: export: `/etc/environment': not a valid identifier

#Due to error above I did it manually:
sudo nano /etc/environment  ## added QT_QPA_PLATFORMTHEME=gtk2

[xxx@dom0 ~]$ cat /etc/environment
QT_QPA_PLATFORMTHEME=gtk2

[xxx@dom0 ~]$ echo $QT_QPA_PLATFORMTHEME
gtk2

[xxx@dom0 ~]$ sudo dnf info qt5-qtstyleplugins
Qubes OS Repository for Dom0                    0.0  B/s |   0  B     00:00

Errors during downloading metadata for repository 'qubes-dom0-cached':
  - Curl error (37): Couldn't read a file:// file for file:///var/lib/qubes/updates/repodata/repomd.xml [Couldn't open file /var/lib/qubes/updates/repodata/repomd.xml]
Error: Failed to download metadata for repo 'qubes-dom0-cached': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

Ignoring repositories: qubes-dom0-cached
Installed Packages
Name         : qt5-qtstyleplugins
Version      : 5.0.0
Release      : 39.fc32
Architecture : x86_64
Size         : 1.2 M
Source       : qt5-qtstyleplugins-5.0.0-39.fc32.src.rpm
Repository   : @System
From repo    : qubes-dom0-cached
Summary      : Classic Qt widget styles
URL          : https://github.com/qtproject/qtstyleplugins
License      : LGPLv2 or GPLv2
Description  : Classic Qt widget styles, including cleanlooks, motif, plastique,
             : qgtk.

Any ideas?

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3de531cd-e96c-5cf0-8ad8-dcf947b7033c%40mailbox.org.


Re: [qubes-users] DNS -- good practice ?

2023-03-18 Thread David Hobach

Hi Bernhard,

nice to see you're still around. :-)
I hadn't seen you active for a long time, probably I just don't know your nick 
on the forum.


> And I ignore if TOR does use "cross checking requests" to detect
> manipulation? The question of " best practice " seems non-trivial to me.
> Setting up a DNS qube seems a good idea as such, but what kind of
> software can trustworthily be run on such a qube??


Personally I use unbound as recursive DNS resolver, but I guess everyone may 
have different trust choices. Anyway that's not specific to Qubes OS.

I also use systemd-resolved in firewall VMs for caching [1].

[1] https://github.com/3hhh/qubes-dns

Best Regards
David


--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7723207e-1df1-3542-512c-3cba1c61eeb3%40hackingthe.net.




[qubes-users] Marek Marczykowski-Górecki to be interviewed at Dasharo virtual event

2023-03-15 Thread Andrew David Wong
Dear Qubes Community,

Our project lead, [Marek 
Marczykowski-Górecki](https://www.qubes-os.org/team/#marek-marczykowski-górecki)
 will be interviewed tomorrow during the [Dasharo Developers 
vPub](https://vpub.dasharo.com/e/1/dasharo-user-group-1). This is a virtual 
event hosted by the [Dasharo](https://www.dasharo.com/) team, who just 
introduced [the first Qubes-certified desktop 
computer](https://www.qubes-os.org/news/2023/03/15/dasharo-fidelisguard-z690-first-qubes-certified-desktop).

[![Dasharo User Group (DUG) #1 and Dasharo Developers vPub 0x6 informational 
poster](https://www.qubes-os.org/attachment/posts/dasharo-event-1.png)](https://vpub.dasharo.com/e/1/dasharo-user-group-1)

The Dasharo Developers vPub will be preceded by the first Dasharo User Group 
meeting, which may be of interest for Qubes users who wish to learn more about 
open-source firmware or are curious about the [Dasharo FidelisGuard 
Z690](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
 Qubes-certified computer.

[Read the full announcement for more 
information.](https://vpub.dasharo.com/e/1/dasharo-user-group-1)

## About Dasharo

"Dasharo is an open-source firmware distribution focusing on seamless 
deployment, clean and simple code, long-term maintenance, professional support, 
transparent validation, superior documentation, privacy-respecting 
implementation, liberty for the owners and trustworthiness for all." [Learn 
more about Dasharo.](https://docs.dasharo.com/osf-trivia-list/dasharo/)

Dasharo is a registered trademark of and a product developed by 
[3mdeb](https://3mdeb.com/).

## About 3mdeb

3mdeb and the Qubes OS Project have been partnering together for years to hold 
Qubes OS Summits. Michał Żygowski shared the story with us in [Qubes OS Summit: 
History from organizer's 
perspective](https://www.qubes-os.org/news/2022/09/07/qubes-os-summit-history/).
 You can watch videos from the 2022 summit 
[here](https://www.youtube.com/watch?v=hkWWz3xGqS8) and 
[here](https://www.youtube.com/watch?v=A9GrlQsQc7Q). 3mdeb has also been 
instrumental in recent work on [TrenchBoot Anti Evil Maid for Qubes 
OS](https://www.qubes-os.org/news/2023/01/31/trenchboot-aem-for-qubes-os/). 
[Learn more about 3mdeb.](https://3mdeb.com/about-us/)


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/03/15/marek-marczykowski-gorecki-interviewed-dasharo-virtual-event/

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9e775f93-aa64-eb50-b215-12125183563b%40qubes-os.org.


[qubes-users] The Dasharo FidelisGuard Z690 is the first Qubes-certified desktop computer!

2023-03-15 Thread Andrew David Wong
Dear Qubes Community,

It is our pleasure to announce that the [Dasharo FidelisGuard 
Z690](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
 has become the fourth [Qubes-certified 
computer](https://www.qubes-os.org/doc/certified-hardware/) for Qubes 4.X and 
the *first* Qubes-certified desktop computer *ever*!

(In related news, the [Dasharo User Group #1 and Dasharo Developers vPub 
0x6](https://www.qubes-os.org/news/2023/03/15/marek-marczykowski-gorecki-interviewed-dasharo-virtual-event) 
virtual event is tomorrow and will include an interview with our project lead, 
[Marek Marczykowski-Górecki](https://www.qubes-os.org/team/#marek-marczykowski-górecki)!)

## About the Dasharo FidelisGuard Z690

[![Photo of MSI PRO Z690-A DDR4 
motherboard](https://www.qubes-os.org/attachment/posts/dasharo-fidelisguard-z690_1.jpg)](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)

The [Dasharo FidelisGuard 
Z690](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
 is a full desktop PC build that brings the [Dasharo](https://dasharo.com/) 
open-source firmware distribution to the MSI PRO Z690-A DDR4 motherboard with 
Qubes OS preinstalled. The full configuration includes:

| Part         | Model Name                                                       |
|--------------|------------------------------------------------------------------|
| CPU          | Intel Core i5-12600K, 3.7GHz                                     |
| Cooling      | Noctua CPU NH-U12S Redux                                         |
| RAM          | Kingston Fury Beast, DDR4, 4x8GB (32 GB Total), 3600 MHz, CL17   |
| Power Supply | Seasonic Focus PX 750W 80 Plus Platinum                          |
| Storage      | SSD Intel 670p 512 GB M.2 2280 PCI-E x4 Gen3 NVMe                |
| Enclosure    | SilentiumPC Armis AR1                                            |

[![Photo of Dasharo FidelisGuard Z690 with open 
case](https://www.qubes-os.org/attachment/posts/dasharo-fidelisguard-z690_2.jpg)](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)

This computer comes with a "Dasharo Supporters Entrance Subscription," which 
includes the following:

- Full access to [Dasharo Tools Suite 
(DTS)](https://docs.dasharo.com/dasharo-tools-suite/overview/)
- The latest Dasharo releases issued by the Dasharo Team
- Special Dasharo updates for supporters
- Dasharo Premier Support through an invite-only Matrix channel
- Influence on the Dasharo feature roadmap

[![Photo of Dasharo FidelisGuard Z690 with open 
case](https://www.qubes-os.org/attachment/posts/dasharo-fidelisguard-z690_3.jpg)](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)

For further details, please see the [Dasharo FidelisGuard 
Z690](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
 product page.

[![Photo of the outside of the Dasharo FidelisGuard 
Z690](https://www.qubes-os.org/attachment/posts/dasharo-fidelisguard-z690_4.jpg)](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)

## Special note regarding the need for `kernel-latest`

Beginning with Qubes OS 4.1.2, the Qubes installer includes the `kernel-latest` 
package and allows users to select this kernel option from the GRUB menu when 
booting the installer. At the time of this announcement, `kernel-latest` is 
*required* for the Dasharo FidelisGuard Z690's graphics drivers to function 
properly. Therefore, all potential purchasers and users of this model should be 
aware that they will have to select a non-default option (`Install Qubes OS RX 
using kernel-latest`) from the GRUB menu when booting the installer. However, 
since Linux 6.1 has officially been promoted to being a long-term support (LTS) 
kernel, it will become the default kernel at some point, which means that the 
need for this non-default selection is only temporary.

## About Dasharo

"Dasharo is an open-source firmware distribution focusing on seamless 
deployment, clean and simple code, long-term maintenance, professional support, 
transparent validation, superior documentation, privacy-respecting 
implementation, liberty for the owners and trustworthiness for all." [Learn 
more about Dasharo.](https://docs.dasharo.com/osf-trivia-list/dasharo/)

Dasharo is a registered trademark of and a product developed by 
[3mdeb](https://3mdeb.com/).

## About 3mdeb

3mdeb and the Qubes OS Project have been partnering together for years to hold 
Qubes OS Summits. Michał Żygowski shared the story with us in [Qubes OS Summit: 
History from organizer's 
perspective](https://www.qubes-os.org/news/2022/09/07/qubes-os-summit-history/).
 You can watch videos from the 2022 summit 
[here](https://www.youtube.com/watch?v=hkWWz3xGqS8) and 
[here](https://www.youtube.com/watch?v=A9GrlQsQc7Q). 3mdeb has also been 

[qubes-users] DNS -- good practice ?

2023-03-15 Thread haaber

Hi all,

I have the impression that DNS questions should get more attention than
they often attract, with the purpose of caching, anonymity, censorship
prevention & securing against DNS manipulation. Let me start my question
with a citation, that -at the end- is not that surprising:

"more than two-thirds of the encrypted DNS resolvers manipulate at least
one domain’s DNS response, showing that the DNS manipulation in the
encrypted DNS is even more prevalent than that in the traditional DNS,
where only 11% of the resolvers have been identified to manipulate DNS
responses."

source:
https://digitalcommons.odu.edu/cgi/viewcontent.cgi?article=1195=computerscience_fac_pubs

Somehow, people who feel that their traffic should be anonymous are
surveilled / manipulated with higher energy :) Of course you may answer
to use TOR at all times, but at the end of the day, that does not work
-- many sites either block or limit TOR traffic, etc.

And I ignore if TOR does use "cross checking requests" to detect
manipulation? The question of " best practice " seems non-trivial to me.
Setting up a DNS qube seems a good idea as such, but what kind of
software can trustworthily be run on such a qube??

Thank you for any helpful comment, Bernhard

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f87b2bf1-b87b-1dc3-337a-5b7c284ab67b%40web.de.


[qubes-users] Qubes OS 4.1.2 has been released!

2023-03-14 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce the stable release of Qubes 4.1.2! This release aims 
to consolidate all the security patches, bug fixes, and upstream template OS 
upgrades that have occurred since the initial Qubes 4.1.0 release. Our goal is 
to provide a secure and convenient way for users to install (or reinstall) the 
latest stable Qubes release with an up-to-date ISO.

Qubes 4.1.2 is available on the 
[downloads](https://www.qubes-os.org/downloads/) page.


## Existing installations

If you are already using any version of Qubes 4.1 (including 4.1.0, 4.1.1, 
4.1.2-rc1, and 4.1.2-rc2), then you should simply [update 
normally](https://www.qubes-os.org/doc/how-to-update/) (which includes 
[upgrading any EOL 
templates](https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol) 
you might have) in order to make your system effectively equivalent to this 
stable Qubes 4.1.2 release. No reinstallation or other special action is 
required.


## New installations

If you would like to install Qubes OS for the first time or perform a clean 
reinstallation on an existing system, there has never been a better time to do 
so! Simply [download](https://www.qubes-os.org/downloads/) the Qubes 4.1.2 ISO 
and follow our [installation 
guide](https://www.qubes-os.org/doc/installation-guide/).


## What's new in Qubes 4.1.2?

Qubes 4.1.2 includes numerous updates over the initial 4.1.0 release, in 
particular:

- All 4.1 dom0 updates to date
- Fedora 37 template
- USB keyboard support in the installer 
([#7674](https://github.com/QubesOS/qubes-issues/issues/7674))
- `kernel-latest` available as a boot option when starting the installer 
([#5900](https://github.com/QubesOS/qubes-issues/issues/5900))


## What is a patch release?

The Qubes OS Project uses the [semantic versioning](https://semver.org/) 
standard. Version numbers are written as `<major>.<minor>.<patch>`. Hence, we 
refer to releases that increment the third number as "patch releases." A patch 
release does not designate a separate, new major or minor release of Qubes OS. 
Rather, it designates its respective major or minor release (in this case, 4.1) 
inclusive of all updates up to a certain point. (See [supported 
releases](https://www.qubes-os.org/doc/supported-releases/) for a comprehensive 
list of major and minor releases.) Installing any prior Qubes 4.1 release and 
fully [updating](https://www.qubes-os.org/doc/how-to-update/) it results in 
essentially the same system as installing Qubes 4.1.2. You can learn more about 
how Qubes release versioning works in the [version 
scheme](https://www.qubes-os.org/doc/version-scheme/) documentation.


## Reminder: Qubes 4.0 has reached end-of-life

Qubes 4.0 [reached EOL (end-of-life) on 
2022-08-04](https://www.qubes-os.org/news/2022/07/04/qubes-os-4-0-eol-on-2022-08-04/).
 If you're still using Qubes 4.0, we strongly recommend upgrading to Qubes 4.1.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/03/15/qubes-4-1-2/

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/23dc76fa-d8e6-1374-7f61-3eeb15b9576e%40qubes-os.org.


Re: [qubes-users] Btrfs (file-reflink): Why is the CoW on a volatile.img enabled?

2023-03-04 Thread 449f09c92

Thank you for your clarification.
Also, many thanks for maintaining the file-reflink storage driver.

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/978266fe-07db-32a1-ba3f-23552919b298%40cock.li.


Re: [qubes-users] Btrfs (file-reflink): Why is the CoW on a volatile.img enabled?

2023-03-04 Thread Rusty Bird

Rusty Bird:
> Disabling CoW and hence checksums (besides being specific to Btrfs -
> file-reflink is filesystem agnostic)

Although for volatile volumes in particular it might be possible to
get away with (optionally, configured per-volume) attempting to set
the nocow flag and ignoring any failures. Not sure if even that is
worth implementing though, when it's already possible to configure a
dedicated nocow pool for those volumes.

The filesystem specificity I was thinking of is a bigger issue with
other (snap_on_start or save_on_stop) volume types. E.g. on Btrfs you
can only do a reflink ioctl if the source and destination files have
the same nocow status - a notion that is perfectly captured by making
the whole pool directory nocow or not, without any convoluted logic in
the file-reflink driver.

Rusty

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ZANSjtEd6cUEfaZX%40mutt.


Re: [qubes-users] Btrfs (file-reflink): Why is the CoW on a volatile.img enabled?

2023-03-04 Thread Rusty Bird

449f09c92:
> had to edit the relevant code to disable CoW when volatile.img is
> created

file-reflink doesn't inherently do CoW for volatile volumes, it just
defaults to whatever the underlying location on the filesystem does.
For Btrfs, to get nocow non-checksummed volatile volumes you could set
that up like:

# mkdir /var/lib/very-volatile
# chattr +C /var/lib/very-volatile
# qvm-pool add -o dir_path=/var/lib/very-volatile very-volatile file-reflink
# qubes-prefs default_pool_volatile very-volatile

Although it will only apply to *new* VMs created after that. To point
*existing* VMs' volatile volumes to the new pool, you'd currently have
to shut down qubesd and manually edit /var/lib/qubes/qubes.xml
(because the property is not exposed through 'qvm-volume config').

> Is there any reason why copy-on-write is enabled on volatile volumes
> that are mostly used as swap?

Disabling CoW and hence checksums (besides being specific to Btrfs -
file-reflink is filesystem agnostic) means losing protection against
on-disk bit rot. But storing data on the volatile volume doesn't mean
it is unimportant or even short-lived: It's not that unusual to have a
long-running VM with weeks of uptime. Corruption in its swapped memory
(or in diverged 'root' volume data, which too is stored on the
'volatile' volume) could be devastating.

Rusty


-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ZANByPUMlA4PLqW4%40mutt.
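
An added example, not part of the thread or of the Qubes code: `chattr +C` on a directory only affects files created in it afterwards, and per the reply above a Btrfs reflink needs source and destination to share the same nocow status, so it is worth auditing a pool directory for mixed flags. The `lsattr -R` listing is constructed, and the `.img` suffix filter and the function names are assumptions of this example.

```python
import re
import subprocess
import sys

# One lsattr entry is "<flags> <path>"; the flags field holds only letters and dashes.
ENTRY_RE = re.compile(r"^([A-Za-z-]+)\s+(.+)$")

# Constructed `lsattr -R` output: one image predates `chattr +C` on the pool directory.
SAMPLE_LISTING = """\
---------------C------ /var/lib/very-volatile/appvms

/var/lib/very-volatile/appvms:
---------------C------ /var/lib/very-volatile/appvms/work
---------------------- /var/lib/very-volatile/appvms/old-vm

/var/lib/very-volatile/appvms/work:
---------------C------ /var/lib/very-volatile/appvms/work/volatile.img

/var/lib/very-volatile/appvms/old-vm:
---------------------- /var/lib/very-volatile/appvms/old-vm/volatile.img
"""


def parse_lsattr(output):
    """Map each listed path to True when the No_COW ('C') attribute is set."""
    flags = {}
    for line in output.splitlines():
        match = ENTRY_RE.match(line)
        if match:  # blank lines and the "dir:" headers printed by -R do not match
            flags[match.group(2)] = "C" in match.group(1)  # 'c' (compress) is a different flag
    return flags


def audit_pool(flags, suffix=".img"):
    """Return (status, cow_images) for the volume images in a parsed listing.

    status is "nocow", "cow", "mixed" or "empty"; cow_images lists the images
    that still have copy-on-write (and therefore checksums) enabled.
    """
    images = {path: nocow for path, nocow in flags.items() if path.endswith(suffix)}
    cow = sorted(path for path, nocow in images.items() if not nocow)
    nocow_count = len(images) - len(cow)
    if not images:
        status = "empty"
    elif not cow:
        status = "nocow"
    elif nocow_count == 0:
        status = "cow"
    else:
        status = "mixed"
    return status, cow


def scan_pool(dir_path):
    """Run lsattr on a real pool directory and audit the result."""
    result = subprocess.run(["lsattr", "-R", dir_path],
                            capture_output=True, text=True, check=False)
    return audit_pool(parse_lsattr(result.stdout))


if __name__ == "__main__":
    if len(sys.argv) == 2:
        status, cow_images = scan_pool(sys.argv[1])
    else:
        status, cow_images = audit_pool(parse_lsattr(SAMPLE_LISTING))
    print("pool status:", status)
    for path in cow_images:
        print("still CoW:", path)
```

A "mixed" result means some images were created before the directory was flagged; those keep CoW until they are recreated inside the nocow directory.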


Re: [qubes-users] Qubes Canary 034

2023-03-03 Thread Andrew David Wong
On 3/3/23 1:33 AM, Cristian Margine wrote:
> Hello,
> You sent the wrong canary text (it is the text from 033). The current canary 
> is not signed on December 04, 2022.
> 
> 
> Cristian
> 

Fixed, thank you.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/92588110-11cb-b1a6-ff01-539865379915%40qubes-os.org.


[qubes-users] Btrfs (file-reflink): Why is the CoW on a volatile.img enabled?

2023-03-03 Thread 449f09c92
I have /dev/xvdc configured as a 10GB swap and had to edit the relevant 
code to disable CoW when volatile.img is created to avoid overloading 
dom0 by checksum calculation when swapping out occurs in the VM.


Is there any reason why copy-on-write is enabled on volatile volumes 
that are mostly used as swap? Just curious.


--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/db2302d3-8a9b-3dd8-4b3f-96ba31e065c4%40cock.li.


Re: [qubes-users] Qubes Canary 034

2023-03-03 Thread Cristian Margine
Hello,
You sent the wrong canary text (it is the text from 033). The current canary is 
not signed on December 04, 2022.


Cristian




--- Original Message ---
On Thursday, March 2nd, 2023 at 7:07 PM, Andrew David Wong wrote:

> Dear Qubes Community,
>
> We have published a new Qubes canary. The text of this canary is reproduced 
> below. This canary and its accompanying cryptographic signatures will always 
> be available in the Qubes security pack (qubes-secpack).
>
> ```
>
> ---===[ Qubes Canary 034 ]===---
>
>
> Statements
> ---
>
> The Qubes security team members who have digitally signed this file [1]
> state the following:
>
> 1. The date of issue of this canary is December 04, 2022.
>
> 2. There have been 87 Qubes security bulletins published so far.
>
> 3. The Qubes Master Signing Key fingerprint is:
>
> 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
>
> 4. No warrants have ever been served to us with regard to the Qubes OS
> Project (e.g. to hand out the private signing keys or to introduce
> backdoors).
>
> 5. We plan to publish the next of these canary statements in the first
> fourteen days of March 2023. Special note should be taken if no new
> canary is published by that time or if the list of statements changes
> without plausible explanation.
>
>
> Special announcements
> --
>
> None.
>
>
> Disclaimers and notes
> --
>
> We would like to remind you that Qubes OS has been designed under the
> assumption that all relevant infrastructure is permanently compromised.
> This means that we assume NO trust in any of the servers or services
> which host or provide any Qubes-related data, in particular, software
> updates, source code repositories, and Qubes ISO downloads.
>
> This canary scheme is not infallible. Although signing the declaration
> makes it very difficult for a third party to produce arbitrary
> declarations, it does not prevent them from using force or other means,
> like blackmail or compromising the signers' laptops, to coerce us to
> produce false declarations.
>
> The proof of freshness provided below serves to demonstrate that this
> canary could not have been created prior to the date stated. It shows
> that a series of canaries was not created in advance.
>
> This declaration is merely a best effort and is provided without any
> guarantee or warranty. It is not legally binding in any way to anybody.
> None of the signers should be ever held legally responsible for any of
> the statements made here.
>
>
> Proof of freshness
> ---
>
> Sun, 04 Dec 2022 03:11:56 +
>
> Source: DER SPIEGEL - International 
> (https://www.spiegel.de/international/index.rss)
> Friends or Frenemies?: Significant Trans-Atlantic Divides Emerge in Global 
> Chip War
> The Russian Mobilization: One Soldier's Effort to Avoid the War
> Tragedy in Mariupol: The Boy Who Lost His Family But Not His Hope
> A Year with Angela Merkel: "You're Done with Power Politics"
> Fears of Chinese Aggression Grow in Taiwan: "Where Are We Supposed to Go?"
>
> Source: NYT > World News 
> (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
> He Returned a Dazed Soldier to the Russians. Ukraine Calls It Treason.
> Landslide Tragedy Turns Italy’s Focus to Illegal Construction
> Why Is Rahul Gandhi Walking 2,000 Miles Across India?
> How China’s Police Used Phones and Faces to Track Protesters
> Ukraine Calls for Evacuations From a Russian-Controlled Area
>
> Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
> Cyril Ramaphosa: South Africa leader won't resign, says spokesman
> Ukraine war: Zelensky calls West's Russian oil cap 'weak'
> Ukraine war: New images show Russian army base built in occupied Mariupol
> Elnaz Rekabi: Family home of Iranian climber demolished
> Columbia peace talks with leftist ELN rebels make progress
>
> Source: Blockchain.info
> 955f2976b1fbff0d0c47c262ea3ae6410e43f8218fb7
>
>
> Footnotes
> --
>
> [1] This file should be signed in two ways: (1) via detached PGP
> signatures by each of the signers, distributed together with this canary
> in the qubes-secpack.git repo, and (2) via digital signatures on the
> corresponding qubes-secpack.git repo tags. [2]
>
> [2] Don't just trust the contents of this file blindly! Verify the
> digital signatures! Instructions for doing so are documented here:
> https://www.qubes-os.org/security/pack/
>
> --
> The Qubes Security Team
> https://www.qubes-os.org/security/
> ```
>
> This announcement is also available on the Qubes website:
> https://www.qubes-os.org/news/2023/03/02/canary-034/
>

[qubes-users] Re: [CORRECTED] Qubes Canary 034

2023-03-03 Thread Andrew David Wong
Dear Qubes Community,

*Editor's note*: An earlier version of this announcement mistakenly contained 
the text of an older canary. This has been corrected below. As always, we 
encourage readers to verify the cryptographic signatures on canaries, which can 
always be found in the [Qubes security pack 
(qubes-secpack)](https://www.qubes-os.org/security/pack/).

We have published a new [Qubes 
canary](https://www.qubes-os.org/security/canary/). The text of this canary is 
reproduced below. This canary and its accompanying cryptographic signatures 
will always be available in the [Qubes security pack 
(qubes-secpack)](https://www.qubes-os.org/security/pack/).

```

---===[ Qubes Canary 034 ]===---


Statements
---

The Qubes security team members who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is March 02, 2023.

2. There have been 87 Qubes security bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

   427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS
   Project (e.g. to hand out the private signing keys or to introduce
   backdoors).

5. We plan to publish the next of these canary statements in the last
   fourteen days of May 2023. Special note should be taken if no new
   canary is published by that time or if the list of statements changes
   without plausible explanation.


Special announcements
--

None.


Disclaimers and notes
--

We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently compromised.
This means that we assume NO trust in any of the servers or services
which host or provide any Qubes-related data, in particular, software
updates, source code repositories, and Qubes ISO downloads.

This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other means,
like blackmail or compromising the signers' laptops, to coerce us to
produce false declarations.

The proof of freshness provided below serves to demonstrate that this
canary could not have been created prior to the date stated. It shows
that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to anybody.
None of the signers should be ever held legally responsible for any of
the statements made here.


Proof of freshness
---

Thu, 02 Mar 2023 09:45:31 +

Source: DER SPIEGEL - International 
(https://www.spiegel.de/international/index.rss)
Dubious Alliance: How Present Is the Far Right in Germany's New Peace Movement?
Kaja Kallas: Estonia's High-Profile Prime Minister - a Star in the Making
The Special Tribunal Debate: "An Arrest Warrant Against Putin Would Be Immense"
The War in Ukraine: China Is Reportedly Negotiating with Russia To Supply 
Kamikaze Drones
Volodymyr Zelenskyy's Heroes: Ukraine's Best Respond to the Earthquake in Turkey

Source: NYT > World News 
(https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
How Russia Lost an Epic Tank Battle, Repeating Earlier Mistakes
Kyiv Sends Reinforcements to Besieged Bakhmut
Bola Tinubu Elected to Be Nigeria’s Next President
Video: How an Israeli Raid on a Safe House Ended With Civilians Killed
Bola Tinubu’s Victory Extends His Party’s Time in Power in Nigeria

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Greece train crash: Angry protests erupt after disaster
India PM Modi urges G20 foreign ministers to overcome differences
How fake copyright complaints are muzzling journalists
Whiskey fungus lawsuit forces Jack Daniels to halt building project
Indian guru's fictional country attended UN events

Source: Blockchain.info
00037ab2816f3100fc37acee47a63571b5d3b7ca72145906


Footnotes
--

[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this canary
in the qubes-secpack.git repo, and (2) via digital signatures on the
corresponding qubes-secpack.git repo tags. [2]

[2] Don't just trust the contents of this file blindly! Verify the
digital signatures! Instructions for doing so are documented here:
https://www.qubes-os.org/security/pack/

--
The Qubes Security Team
https://www.qubes-os.org/security/
```


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/03/02/canary-034/

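
An added example (not part of the announcement or of any Qubes tooling): the mix-up corrected above is detectable from the dates a canary states about itself, so this script parses the issue date, the promised window for the next canary and the proof-of-freshness timestamp, and compares them with the announcement date. The excerpts are copied from the two canary texts on this page; the 14-day staleness threshold and all function names are assumptions, and these checks complement verifying the signatures in the qubes-secpack rather than replace it.

```python
import calendar
import re
from datetime import date, datetime

ISSUE_RE = re.compile(r"date of issue of this canary is ([A-Z][a-z]+ \d{1,2}, \d{4})")
NEXT_RE = re.compile(r"next of these canary statements in the (first|last) "
                     r"fourteen days of ([A-Z][a-z]+ \d{4})")
FRESH_RE = re.compile(r"Proof of freshness[ -]*[A-Z][a-z]{2}, "
                      r"(\d{1,2} [A-Z][a-z]{2} \d{4}) \d{2}:\d{2}:\d{2}")

# Excerpt of the corrected canary text as reproduced on this page.
CORRECTED = """
1. The date of issue of this canary is March 02, 2023.

5. We plan to publish the next of these canary statements in the last
   fourteen days of May 2023. Special note should be taken if no new
   canary is published by that time or if the list of statements changes
   without plausible explanation.

Proof of freshness
---

Thu, 02 Mar 2023 09:45:31 +
"""

# Excerpt of the older text that was sent by mistake on 2023-03-02.
MISTAKEN = """
1. The date of issue of this canary is December 04, 2022.

5. We plan to publish the next of these canary statements in the first
   fourteen days of March 2023.

Proof of freshness
---

Sun, 04 Dec 2022 03:11:56 +
"""


def parse_canary(text):
    """Extract the issue date, next-canary window and freshness date."""
    flat = " ".join(text.split())  # statements wrap across lines in the canary
    m_issue, m_next, m_fresh = (r.search(flat) for r in (ISSUE_RE, NEXT_RE, FRESH_RE))
    if not (m_issue and m_next):
        raise ValueError("issue date or next-canary statement not found")
    issued = datetime.strptime(m_issue.group(1), "%B %d, %Y").date()
    month = datetime.strptime(m_next.group(2), "%B %Y").date()  # first of the month
    last = calendar.monthrange(month.year, month.month)[1]
    if m_next.group(1) == "first":
        window = (month, month.replace(day=14))
    else:
        window = (month.replace(day=last - 13), month.replace(day=last))
    fresh = datetime.strptime(m_fresh.group(1), "%d %b %Y").date() if m_fresh else None
    return {"issued": issued, "window": window, "fresh": fresh}


def assess(text, announced_on, today, max_age_days=14):
    """Return findings for a canary announced on `announced_on`, checked on `today`."""
    info = parse_canary(text)
    findings = []
    if info["fresh"] and info["issued"] < info["fresh"]:
        findings.append("inconsistent: issue date precedes the proof-of-freshness date")
    if info["issued"] > announced_on:
        findings.append("inconsistent: issue date is after the announcement")
    age = (announced_on - info["issued"]).days
    if age > max_age_days:  # assumed threshold, not a Qubes rule
        findings.append(f"stale: issued {age} days before it was announced")
    if today > info["window"][1]:
        findings.append(f"overdue: next canary was promised by {info['window'][1]}")
    return findings


if __name__ == "__main__":
    print("mistaken :", assess(MISTAKEN, date(2023, 3, 2), date(2023, 3, 2)))
    print("corrected:", assess(CORRECTED, date(2023, 3, 3), date(2023, 3, 3)))
```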

[qubes-users] Qubes Canary 034

2023-03-02 Thread Andrew David Wong
Dear Qubes Community,

We have published a new [Qubes 
canary](https://www.qubes-os.org/security/canary/). The text of this canary is 
reproduced below. This canary and its accompanying cryptographic signatures 
will always be available in the [Qubes security pack 
(qubes-secpack)](https://www.qubes-os.org/security/pack/).

```

---===[ Qubes Canary 034 ]===---


Statements
---

The Qubes security team members who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is December 04, 2022.

2. There have been 87 Qubes security bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

   427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS
   Project (e.g. to hand out the private signing keys or to introduce
   backdoors).

5. We plan to publish the next of these canary statements in the first
   fourteen days of March 2023. Special note should be taken if no new
   canary is published by that time or if the list of statements changes
   without plausible explanation.


Special announcements
--

None.


Disclaimers and notes
--

We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently compromised.
This means that we assume NO trust in any of the servers or services
which host or provide any Qubes-related data, in particular, software
updates, source code repositories, and Qubes ISO downloads.

This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other means,
like blackmail or compromising the signers' laptops, to coerce us to
produce false declarations.

The proof of freshness provided below serves to demonstrate that this
canary could not have been created prior to the date stated. It shows
that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to anybody.
None of the signers should be ever held legally responsible for any of
the statements made here.


Proof of freshness
---

Sun, 04 Dec 2022 03:11:56 +

Source: DER SPIEGEL - International 
(https://www.spiegel.de/international/index.rss)
Friends or Frenemies?: Significant Trans-Atlantic Divides Emerge in Global Chip 
War
The Russian Mobilization: One Soldier's Effort to Avoid the War
Tragedy in Mariupol: The Boy Who Lost His Family But Not His Hope
A Year with Angela Merkel: "You're Done with Power Politics"
Fears of Chinese Aggression Grow in Taiwan: "Where Are We Supposed to Go?"

Source: NYT > World News 
(https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
He Returned a Dazed Soldier to the Russians. Ukraine Calls It Treason.
Landslide Tragedy Turns Italy’s Focus to Illegal Construction
Why Is Rahul Gandhi Walking 2,000 Miles Across India?
How China’s Police Used Phones and Faces to Track Protesters
Ukraine Calls for Evacuations From a Russian-Controlled Area

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Cyril Ramaphosa: South Africa leader won't resign, says spokesman
Ukraine war: Zelensky calls West's Russian oil cap 'weak'
Ukraine war: New images show Russian army base built in occupied Mariupol
Elnaz Rekabi: Family home of Iranian climber demolished
Columbia peace talks with leftist ELN rebels make progress

Source: Blockchain.info
955f2976b1fbff0d0c47c262ea3ae6410e43f8218fb7


Footnotes
--

[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this canary
in the qubes-secpack.git repo, and (2) via digital signatures on the
corresponding qubes-secpack.git repo tags. [2]

[2] Don't just trust the contents of this file blindly! Verify the
digital signatures! Instructions for doing so are documented here:
https://www.qubes-os.org/security/pack/

--
The Qubes Security Team
https://www.qubes-os.org/security/
```


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/03/02/canary-034/

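The consistency checks that statement 5 and the "Proof of freshness" note of the canary above ask readers to make, as an added Python example (not Qubes project code). The function names, the one-day tolerance and the abridged `SAMPLE` text are assumptions of this example, and it checks the text only: the PGP signatures described in footnotes [1] and [2] still have to be verified separately.

```python
import calendar
import re
from datetime import date, datetime

# Fingerprint as printed in statement 3 of the canary quoted above. In practice,
# pin a value you verified out of band, not one read from the canary itself.
PINNED_FPR = "427F11FD0FAA4B080123F01CDDFA1A3E36879494"
MONTHS = "|".join(calendar.month_name[1:])

# Constructed sample: an abridged copy of the canary text quoted above.
SAMPLE = """\
---===[ Qubes Canary 034 ]===---

1. The date of issue of this canary is December 04, 2022.

2. There have been 87 Qubes security bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

   427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS
   Project (e.g. to hand out the private signing keys or to introduce
   backdoors).

5. We plan to publish the next of these canary statements in the first
   fourteen days of March 2023.

Proof of freshness
---

Sun, 04 Dec 2022 03:11:56 +
"""

def _find(pattern, text, what):
    m = re.search(pattern, text)
    if not m:
        raise ValueError(f"canary text has no {what}")
    return m.group(1)

def statements(text):
    """Numbered statements with dates and numbers masked, for diffing."""
    groups, cur = [], None
    for line in text.splitlines():
        if re.match(r"\d+\. ", line):
            cur = [line]
            groups.append(cur)
        elif cur is not None and (line.startswith(" ") or not line.strip()):
            cur.append(line)  # indented continuation or blank line
        else:
            cur = None  # unindented text ends the current statement
    joined = (" ".join(" ".join(g).split()) for g in groups)
    return [re.sub(r"\d+", "#", re.sub(rf"\b({MONTHS})\b", "<month>", s))
            for s in joined]

def parse_canary(text):
    """Extract the machine-checkable fields from a canary's plain text."""
    issued = _find(r"date of issue of this canary is (\w+ \d{1,2}, \d{4})",
                   text, "issue date")
    window = _find(r"in the first\s+fourteen days of\s+(\w+ \d{4})",
                   text, "next-canary window")
    # Only date and time are parsed; the UTC offset after them is ignored.
    fresh = _find(r"Proof of freshness\s*-+\s*\w{3}, "
                  r"(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2})", text, "freshness time")
    fpr = _find(r"fingerprint is:\s*((?:[0-9A-F]{4}\s+){9}[0-9A-F]{4})",
                text, "fingerprint")
    return {
        "number": int(_find(r"Qubes Canary (\d+)", text, "canary number")),
        "issued": datetime.strptime(issued, "%B %d, %Y").date(),
        "qsb_count": int(_find(r"There have been (\d+) Qubes", text, "QSB count")),
        "fingerprint": "".join(fpr.split()),
        "deadline": datetime.strptime(window, "%B %Y").date().replace(day=14),
        "fresh": datetime.strptime(fresh, "%d %b %Y %H:%M:%S").date(),
        "statements": statements(text),
    }

def check_canary(c, today, previous=None):
    """Return findings; an empty list means no inconsistency was detected."""
    findings = []
    if c["fingerprint"] != PINNED_FPR:
        findings.append("fingerprint differs from pinned value")
    # Headlines bound the earliest creation time: expect them near the issue date.
    if abs((c["issued"] - c["fresh"]).days) > 1:
        findings.append(f"freshness proof dated {c['fresh']}, issued {c['issued']}")
    if today > c["deadline"]:
        findings.append(f"next canary overdue since {c['deadline']}")
    if previous:
        if c["number"] != previous["number"] + 1:
            findings.append("canary number is not consecutive")
        if c["qsb_count"] < previous["qsb_count"]:
            findings.append("QSB count decreased")
        if c["issued"] > previous["deadline"]:
            findings.append("issued after the window the previous canary promised")
        if c["statements"] != previous["statements"]:
            findings.append("list of statements changed since previous canary")
    return findings

if __name__ == "__main__":
    print(check_canary(parse_canary(SAMPLE), today=date(2023, 3, 20)))
```

Passing the previous canary's parsed fields as `previous` is what surfaces a dropped or reworded statement, the case statement 5 singles out.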


Re: [qubes-users] Yubikey LUKS with Qubes?

2023-03-01 Thread 'deeplow' via qubes-users
> I see Qubes 4.2 is going to base dom0 on Fedora 37, which should have all the 
> tools, but I can’t seem to find any kind of iso nightly builds for 4.2.

See this https://forum.qubes-os.org/t/qubes-os-4-2-signed-weekly-builds/16929

Cheers,
deeplow
--- Original Message ---
On Tuesday, January 31st, 2023 at 9:24 AM, 'Jeremy Hansen' via qubes-users wrote:

> I’m trying to figure out the things required to use my Yubikey to decrypt my 
> LUKS root filesystem. As I understand it, dom0 in 4.1.1 doesn’t have the 
> functions required in cryptsetup. It looks like systemd in Fedora 36 added 
> systemd-cryptenroll, which I see in the Fedora guests. Has anyone attempted 
> to get the required utilities to make this work into dom0, which is based on 
> Fedora 32 I believe?
>
> I see Qubes 4.2 is going to base dom0 on Fedora 37, which should have all the 
> tools, but I can’t seem to find any kind of iso nightly builds for 4.2.
>
> I’ve worked through getting my Yubikey working for auth, but it would be very 
> nice to get the LUKS functionality in there as well.
>
> Thank you
> -jeremy


Re: [qubes-users] System76 Gaze17 Support

2023-02-27 Thread Sven Semmler

Thank you Sec Is Fun for your HCL report, which is 
[online](https://www.qubes-os.org/hcl/#system76_gazelle_i7-12700h_integrated-graphics-iris-xe-rtx-3060-mobile_sec-is-fun_r4-1)
 now!

Since you haven't provided any details, I assumed your machine works without 
issues. If that was a mistake, please let me know!

/Sven

--
https://keys.openpgp.org/vks/v1/by-fingerprint/DA5975C9ABC40C833B2F620B2A632C537D744BC7



Re: [qubes-users] HCL - Dell Vostro 3425

2023-02-27 Thread Sven Semmler

Thank you Taro for your HCL report, which is 
[online](https://www.qubes-os.org/hcl/#dell_vostro-3425_ryzen-5-5625u_integrated-graphics-radeon_taro-yamada_r4-1)
 now!

/Sven

--
https://keys.openpgp.org/vks/v1/by-fingerprint/DA5975C9ABC40C833B2F620B2A632C537D744BC7



Re: [qubes-users] HCL - 20MAS21905 Lenovo ThinkPad P52

2023-02-27 Thread Sven Semmler

Thank you N O for your HCL report, which is 
[online](https://www.qubes-os.org/hcl/#lenovo_thinkpad-p52-20mas21905_i7-8850h_integrated-graphics-hd-630_n-o_r4-1)
 now! Since you haven't posted any comments I assumed there have been no 
issues. In case that is a mistake, please let me know!

/Sven

--
https://keys.openpgp.org/vks/v1/by-fingerprint/DA5975C9ABC40C833B2F620B2A632C537D744BC7



Re: [qubes-users] HCL - Lenovo X1 Carbon (20KH0035MX)

2023-02-27 Thread Sven Semmler

Thank you Christian for your HCL report, which is 
[online](https://www.qubes-os.org/hcl/#lenovo_thinkpad-x1-carbon-20kh0035mx_i5-8250u_integrated-graphics-hd-620_christian-nelke_r4-1)
 now. I assumed you meant to convey that all works fine. If that's not correct, 
please let me know so I can correct it.

/Sven

--
https://keys.openpgp.org/vks/v1/by-fingerprint/DA5975C9ABC40C833B2F620B2A632C537D744BC7



Re: [qubes-users] xentop's disk I/O

2023-02-27 Thread Manuel Amador (Rudd-O)
I maintain a Xen Prometheus exporter.  Here is what I know:

You will not see device writes or reads in the dm stubs because no process in 
them is reading or writing from disks.

The Prometheus exporter is awesome, BTW.  You can get system statistics and 
ingest them into Prometheus for system profiling and tuning.  I don't know how 
I lived using xentop before I began maintaining the exporter.  Watching Grafana 
is a far more satisfying way to explore data.

On November 6, 2022 1:28:50 AM GMT+01:00, Ulrich Windl wrote:
>Hi!
>
>Watching xentop, I have a question:
>I know that the network operations aren't accounted in xentop when running 
>Qubes OS, but I'm wondering:
>For domain-0 all of the disk I/O (VBD_RD, VBD_WR, VBD_RSECT, VBD_WSECT) also 
>seem to be zero, and for sys-net-dm all the writes seem to be zero.
>Is it because sys-net is a "HVM"?
>
>Regards,
>Ulrich Windl
>


Re: [qubes-users] Issue creating ubuntu template using fedora-37

2023-02-25 Thread Demi Marie Obenour
On Sat, Feb 25, 2023 at 04:24:42PM +, disp...@proslo.dev wrote:
> I am trying to create ubuntu template using an app-vm created using template 
> fedora-37. I have Qubes OS 4.1.2-rc1. I am using instructions in the below 
> link to create the template
> 
> https://github.com/Qubes-Community/Contents/blob/master/docs/os/ubuntu.md
> 
> I am getting below error when trying to run make qubes-vm. Any idea how to 
> fix it?

Run 'make remount'.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab


[qubes-users] Issue creating ubuntu template using fedora-37

2023-02-25 Thread disp-24
I am trying to create ubuntu template using an app-vm created using template 
fedora-37. I have Qubes OS 4.1.2-rc1. I am using instructions in the below link 
to create the template

https://github.com/Qubes-Community/Contents/blob/master/docs/os/ubuntu.md

I am getting below error when trying to run make qubes-vm. Any idea how to fix 
it?

scripts/test-sane-mount: line 10: ./test-dev-null: Permission denied
***
*** ERROR ***
*** Cannot create chroot because the current filesystem is mounted as nodev. ***
*** Build Qubes on a different filesystem, or run 'make remount' to remount ***
*** /home with dev option.
*** ***
***
make[1]: *** [Makefile.generic:159: generic-prepare-chroot] Error 1
make: *** [Makefile:265: vmm-xen-vm] Error 1



Re: [qubes-users] HCL - Yoga 7 16IAP7

2023-02-25 Thread disp-24
Not sure how this happened. Below is what I sent.

---
layout:
  'hcl'
type:
  'convertible'
hvm:
  'yes'
iommu:
  'yes'
slat:
  'yes'
tpm:
  'unknown'
remap:
  'yes'
brand: |
  LENOVO
model: |
  82QG
bios: |
  J1CN33WW
cpu: |
  12th Gen Intel(R) Core(TM) i7-1260P
cpu-short: |
  FIXME
chipset: |
  Intel Corporation Device [8086:4621] (rev 02)
chipset-short: |
  FIXME
gpu: |
  Intel Corporation Device [8086:46a6] (rev 0c) (prog-if 00 [VGA controller]) a.k.a "Intel Iris Xe Graphics"
gpu-short: |
  FIXME
network: |
  Intel Corporation Device 51f0 (rev 01)
memory: |
  16108
scsi: |

usb: |
  4
versions:

- works:
    'yes'
  qubes: |
    R4.1
  xen: |
    4.14.5
  kernel: |
    5.15.89-1
  remark: |
    First time Qubes OS user here. I am excited to try this awesome OS. Thanks
    for all the hard work went into building this OS. To install the OS, I had to
    disable secure boot. The installation and post installation experience was
    crippling slow. I had to add the kernel option `i915.force_probe=*` based on
    the document
    https://github.com/Qubes-Community/Contents/blob/eb7685d36850e58b99653746cd8a62833d6ca65b/docs/troubleshooting/intel-igfx-troubleshooting.md.
    Unlike the document, the path to grub.cfg is /boot/efi/EFI/qubes in my
    system. The laptop is functional after adding the kernel option. I still find
    the typing experience laggy. It's not like typing in regular laptop. The
    secondary choices in grub menu does not work. I think the configs in secondary
    options look for kernel in root folder (like /vmlinuz) but kernel is in /boot
    folder in my system.
  credit: |
    Me
  link: |
    FIXLINK

---

Regards,
Srikanth.




--- Original Message ---
On Friday, February 24th, 2023 at 4:20 PM, Andrew David Wong wrote:


> 
> 
> On 2/23/23 7:05 AM, disp...@proslo.dev wrote:
> 
> > Empty Message
> 
> 
> Hi there,
> 
> It looks like you sent an empty message with no body text and no attachments. 
> Did you mean to add your HCL report to this email?



Re: [qubes-users] HCL - Yoga 7 16IAP7

2023-02-24 Thread Andrew David Wong
On 2/23/23 7:05 AM, disp...@proslo.dev wrote:
> Empty Message
> 

Hi there,

It looks like you sent an empty message with no body text and no attachments. 
Did you mean to add your HCL report to this email?



[qubes-users] HCL - Yoga 7 16IAP7

2023-02-24 Thread disp-24
Empty Message



[qubes-users] System76 Gaze17 Support

2023-02-22 Thread 'Sec Is Fun' via qubes-users
  

  



Qubes-HCL-System76-Gazelle-20230222-083048.yml
Description: Binary data


[qubes-users] HCL - Dell Vostro 3425

2023-02-22 Thread 'moritor' via qubes-users
Here's my HCL report.

This PC has a buggy wifi card Realtek RTL8821CE. Its native driver crashes 
sys-net. I removed wifi device from sys-net settings temporarily & downloaded 
tomaspinho's driver by Ethernet. Cloned debian-11 template for sys-net, set the 
new template in HVM mode and selected Debian kernel instead of dom0 kernel. 
After installing new driver, PC works pretty well. But suspend doesn't work.

Taro Yamada
---
layout:
  'hcl'
type:
  'notebook'
hvm:
  'yes'
iommu:
  'yes'
slat:
  'yes'
tpm:
  'unknown'
remap:
  'yes'
brand: |
  Dell Inc.
model: |
  Vostro 3425
bios: |
  1.6.0
cpu: |
  AMD Ryzen 5 5625U with Radeon Graphics
cpu-short: |
  FIXME
chipset: |
  Advanced Micro Devices, Inc. [AMD] Renoir Root Complex [1022:1630]
chipset-short: |
  FIXME
gpu: |
  Advanced Micro Devices, Inc. [AMD/ATI] Device [1002:15e7] (rev c2) (prog-if 00 [VGA controller])
gpu-short: |
  FIXME
network: |
  Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 15)
  Realtek Semiconductor Co., Ltd. RTL8821CE 802.11ac PCIe Wireless Network Adapter
memory: |
  15720
scsi: |

usb: |
  2
versions:

- works:
    'FIXME:yes|no|partial'
  qubes: |
    R4.1
  xen: |
    4.14.5
  kernel: |
    5.15.89-1
  remark: |
    FIXME
  credit: |
    Taro Yamada
  link: |
    FIXLINK

---



[qubes-users] HCL - 20MAS21905 Lenovo ThinkPad P52

2023-02-21 Thread N O
---
layout:
  'hcl'
type:
  'notebook'
hvm:
  'yes'
iommu:
  'yes'
slat:
  'yes'
tpm:
  'unknown'
remap:
  'yes'
brand: |
  LENOVO
model: |
  20MAS21905
bios: |
  N2CET61W (1.44 )
cpu: |
  Intel(R) Core(TM) i7-8850H CPU @ 2.60GHz
cpu-short: |
  FIXME
chipset: |
  Intel Corporation 8th Gen Core Processor Host Bridge/DRAM Registers [8086:3ec4] (rev 07)
chipset-short: |
  FIXME
gpu: |
  NVIDIA Corporation GP107GLM [Quadro P2000 Mobile] [10de:1cba] (rev a1) (prog-if 00 [VGA controller])
gpu-short: |
  FIXME
network: |
  Intel Corporation Ethernet Connection (7) I219-LM (rev 10)
  Intel Corporation Wi-Fi 6 AX200 (rev 1a)
memory: |
  32369
scsi: |
  Samsung SSD 860  Rev: 2B6Q
usb: |
  1
versions:

- works:
    'FIXME:yes|no|partial'
  qubes: |
    R4.1
  xen: |
    4.14.5
  kernel: |
    5.15.81-1
  remark: |
    FIXME
  credit: |
    FIXAUTHOR
  link: |
    FIXLINK

---



Qubes-HCL-LENOVO-20MAS21905-20230209-231600.cpio.gz
Description: application/gzip


Re: [qubes-users] HCL - Lenovo X1 Carbon (20KH0035MX)

2023-02-19 Thread Sven Semmler

Hi Christian,

can you write a few words about what works / doesn't work. How difficult or 
easy it was to install?

/Sven

--
https://keys.openpgp.org/vks/v1/by-fingerprint/DA5975C9ABC40C833B2F620B2A632C537D744BC7



[qubes-users] HCL - Lenovo X1 Carbon (20KH0035MX)

2023-02-19 Thread 'Christian Nelke' via qubes-users
---
layout:
  'hcl'
type:
  'notebook'
hvm:
  'yes'
iommu:
  'yes'
slat:
  'yes'
tpm:
  'unknown'
remap:
  'yes'
brand: |
  LENOVO
model: |
  20KH0035MX
bios: |
  N23ET74W (1.49 )
cpu: |
  Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz
cpu-short: |
  FIXME
chipset: |
  Intel Corporation Xeon E3-1200 v6/7th Gen Core Processor Host Bridge/DRAM Registers [8086:5914] (rev 08)
chipset-short: |
  FIXME
gpu: |
  Intel Corporation UHD Graphics 620 [8086:5917] (rev 07) (prog-if 00 [VGA controller])
gpu-short: |
  FIXME
network: |
  Intel Corporation Ethernet Connection (4) I219-V (rev 21)
  Intel Corporation Wireless 8265 / 8275 (rev 78)
memory: |
  7850
scsi: |

usb: |
  2
versions:

- works:
    'FIXME:yes|no|partial'
  qubes: |
    R4.1
  xen: |
    4.14.5
  kernel: |
    5.15.89-1
  remark: |
    FIXME
  credit: |
    FIXAUTHOR
  link: |
    FIXLINK

---



Qubes-HCL-LENOVO-20KH0035MX-20230219-201039.cpio.gz
Description: application/gzip


Qubes-HCL-LENOVO-20KH0035MX-20230219-201039.yml
Description: application/yaml


Re: [qubes-users] HCL - Acer Chromebox CXI4-I7V16G

2023-02-18 Thread Sven Semmler

Thanks jack (aka 3c9) for your HCL report, which is 
[online](https://www.qubes-os.org/hcl/#acer_chromebox-cxi4-i7v16g_i7-10610u_integrated-graphics-uhd-620_3c9_r4-1)
 now!

I am very curious about your experience. How easy was it to install Qubes OS? 
What's the performance? What works and what doesn't work?

By alphabetical order, you made it to the very top of the 'desktop' list! ;-)

/Sven

--
https://keys.openpgp.org/vks/v1/by-fingerprint/DA5975C9ABC40C833B2F620B2A632C537D744BC7



[qubes-users] HCL - Acer Chromebox CXI4-I7V16G

2023-02-17 Thread jack
---
layout:
  'hcl'
type:
  'desktop'
hvm:
  'yes'
iommu:
  'yes'
slat:
  'yes'
tpm:
  'unknown'
remap:
  'yes'
brand: |
  Google
model: |
  Kaisa
bios: |
  MrChromebox-4.19.1
cpu: |
  Intel(R) Core(TM) i7-10610U CPU @ 1.80GHz
cpu-short: |
  FIXME
chipset: |
  Intel Corporation Comet Lake-U v1 4c Host Bridge/DRAM Controller [8086:9b61] (rev 0c)
chipset-short: |
  FIXME
gpu: |
  Intel Corporation CometLake-U GT2 [UHD Graphics] [8086:9b41] (rev 02) (prog-if 00 [VGA controller])
gpu-short: |
  FIXME
network: |
  Intel Corporation Comet Lake PCH-LP CNVi WiFi
  Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 15)
memory: |
  16257
scsi: |

usb: |
  1
versions:

- works:
    'FIXME:yes|no|partial'
  qubes: |
    R4.1
  xen: |
    4.14.5
  kernel: |
    5.15.89-1
  remark: |
    FIXME
  credit: |
    3c9
  link: |
    FIXLINK



[qubes-users] Audioconference and screen sharing in Torbrowser

2023-02-17 Thread Ulrich Windl (Google)
Can't you use "some DVM" connected via sys-whonix with Firefox instead?



[qubes-users] Audioconference and screen sharing in Torbrowser

2023-02-17 Thread 'taran1s' via qubes-users



Hello everyone, I would like to ask how to use audio conference in a 
Torbrowser in Whonix anon-whonix in Qubes. I need to make some live 
presentation with a team, through audio and screen sharing.


I tried to use microphone, connected it with the anon-whonix AppVM, but 
Torbrowser doesn't see it. Can anyone help me with the setup?


Thank you.



[qubes-users] XSAs released on 2023-02-14

2023-02-15 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.
Therefore, *no user action is required*.


## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)


## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- XSA-426 (SMT is disabled in Qubes OS by default)


## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/02/15/xsas-released-on-2023-02-14/



[qubes-users] Qubes OS 4.1.2-rc1 has been released!

2023-02-09 Thread Andrew David Wong
Dear Qubes Community,

We're pleased to announce the first [release 
candidate](#what-is-a-release-candidate) for Qubes 4.1.2! This [patch 
release](#what-is-a-patch-release) aims to consolidate all the security 
patches, bug fixes, and upstream template OS upgrades that have occurred since 
prior Qubes 4.1 releases. Our goal is to provide a secure and convenient way 
for users to install (or reinstall) the latest stable Qubes release with an 
up-to-date ISO.

Qubes 4.1.2-rc1 is available on the 
[downloads](https://www.qubes-os.org/downloads/) page.


## What's new in Qubes 4.1.2?

Qubes 4.1.2-rc1 includes numerous updates over the initial 4.1.0 release, in 
particular:

- All 4.1 dom0 updates to date
- Fedora 37 template
- USB keyboard support in the installer 
([#7674](https://github.com/QubesOS/qubes-issues/issues/7674))
- `kernel-latest` available as a boot option when starting the installer 
([#5900](https://github.com/QubesOS/qubes-issues/issues/5900))


## Testing Qubes 4.1.2-rc1

If you're willing to [test](https://www.qubes-os.org/doc/testing/) this release 
candidate, you can help to improve the eventual stable release by [reporting 
any bugs you encounter](https://www.qubes-os.org/doc/issue-tracking/). We 
strongly encourage experienced users to join the [testing 
team](https://forum.qubes-os.org/t/joining-the-testing-team/5190)!


## Existing Qubes 4.1 users

If you're not interested in testing this release candidate, and you're already 
using Qubes 4.1, then you should simply [update 
normally](https://www.qubes-os.org/doc/how-to-update/) (which includes 
[upgrading any EOL 
templates](https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol) 
you might have) in order to make your system essentially equivalent to this 
patch release. No special action is required on your part.


## Release candidate planning

If no significant bugs are discovered in 4.1.2-rc1, we expect to announce the 
stable release of 4.1.2 in two to three weeks.


## What is a release candidate?

A release candidate (RC) is a software build that has the potential to become a 
stable release, unless significant bugs are discovered in testing. Release 
candidates are intended for more advanced (or adventurous!) users who are 
comfortable testing early versions of software that are potentially buggier 
than stable releases. You can read more about Qubes OS [supported 
releases](https://www.qubes-os.org/doc/supported-releases/) and the [version 
scheme](https://www.qubes-os.org/doc/version-scheme/) in our documentation.


## What is a patch release?

The Qubes OS Project uses the [semantic versioning](https://semver.org/) 
standard. Version numbers are written as `<major>.<minor>.<patch>`. Hence, we 
refer to releases that increment the third number as "patch releases." A patch 
release does not designate a separate, new major or minor release of Qubes OS. 
Rather, it designates its respective major or minor release (in this case, 4.1) 
inclusive of all updates up to a certain point. (See [supported 
releases](https://www.qubes-os.org/doc/supported-releases/) for a comprehensive 
list of major and minor releases.) Installing any prior Qubes 4.1 release and 
fully [updating](https://www.qubes-os.org/doc/how-to-update/) it results in 
essentially the same system as installing Qubes 4.1.2. You can learn more about 
how Qubes release versioning works in the [version 
scheme](https://www.qubes-os.org/doc/version-scheme/) documentation.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/02/09/qubes-4-1-2-rc1/



Re: [qubes-users] Passing a YubiKey to a VM?

2023-02-08 Thread Ulrich Windl (Google)
OK,

after reading the document my original question still stands:
Not having sys-usb I can mount USB sticks by "delegating" them to a VM.
My question was whether a similar mechanism exists for a YubiKey instead of a 
USB stick.

Regards,
Ulrich

08.02.2023 18:05:25 Ulrich Windl (Google) :

> Sorry, I should have found that!
> 
> 07.02.2023 23:59:40 Andrew David Wong :
> 
>> On 2/7/23 12:24 PM, Ulrich Windl wrote:
>>> How do you use a YubiKey (OpenPGP card, etc.) in Qubes OS?
>> 
>> In case you (or anyone else reading this) has not already seen it, there is 
>> a documentation page on this:
>> 
>> https://www.qubes-os.org/doc/yubikey/



Re: [qubes-users] Passing a YubiKey to a VM?

2023-02-08 Thread Ulrich Windl (Google)
Sorry, I should have found that!

07.02.2023 23:59:40 Andrew David Wong :

> On 2/7/23 12:24 PM, Ulrich Windl wrote:
>> How do you use a YubiKey (OpenPGP card, etc.) in Qubes OS?
> 
> In case you (or anyone else reading this) has not already seen it, there is a 
> documentation page on this:
> 
> https://www.qubes-os.org/doc/yubikey/



Re: [qubes-users] Passing a YubiKey to a VM?

2023-02-07 Thread Andrew David Wong
On 2/7/23 12:24 PM, Ulrich Windl wrote:
> How do you use a YubiKey (OpenPGP card, etc.) in Qubes OS?

In case you (or anyone else reading this) has not already seen it, there is a 
documentation page on this:

https://www.qubes-os.org/doc/yubikey/



[qubes-users] Passing a YubiKey to a VM?

2023-02-07 Thread Ulrich Windl

Hi!

If you cannot do "USB separation", can you allow to connect a VM to a 
YubiKey attached on USB?


Or: How do you use a YubiKey (OpenPGP card, etc.) in Qubes OS?


Regards,

Ulrich




Antw: [EXT] [qubes-users] Yubikey LUKS with Qubes?

2023-02-03 Thread Ulrich Windl
>>> "'Jeremy Hansen' via qubes-users" wrote on 31.01.2023 at 10:24 in message
<2d985c80-a4d0-45a6-b0d2-512c62335dfb@Canary>:
> I’m trying to figure out the things required to use my Yubikey to decrypt my
> LUKS root filesystem. As I understand it, dom0 in 4.1.1 doesn’t have the 
> functions required in cryptsetup. It looks like systemd in Fedora 36 added 

Hi!

It depends *how* you want to use the YubiKey: In the simplest mode the key
enters a constant string (password) via an emulated USB keyboard. So if you can
enter the pass phrase over a USB keyboard, it should also work for the YubiKey.

> systemd-cryptenroll, which I see in the Fedora guests. Has anyone attempted
> to get the required utilities to make this work in to dom0, which is based on 
> Fedora 32 I believe.

So you want to use FIDO2?

> 
> I see Qubes 4.2 is going to base dom0 on Fedora 37, which should have all 
> the tools, but I can’t seem to find any kind of iso nightly builds for 4.2.
> 
> I’ve worked through getting my Yubikey working for auth, but it would be 
> very nice to get the LUKS functionality in there as well.
> 
> Thank you
> -jeremy





Re: [qubes-users] network in template (Qubes 4.1)

2023-02-01 Thread Andrew David Wong
On 2/1/23 12:54 PM, davaiigoo wrote:
> According to the documentation, there is way to enable networking in Qubes 
> templates for sources other than updates from apt-get or dnf .
> 
> https://www.qubes-os.org/doc/how-to-install-software/#installing-software-from-other-sources
> 
> Tried different combinations without success.
> 
> I definitely need to use git (github.com cannot be resolved) and to a less 
> extent, snap and/or flatpak.
> 

Are you sure you followed the instructions in that section correctly? Following 
them should give your template normal network access.



[qubes-users] network in template (Qubes 4.1)

2023-02-01 Thread davaiigoo
According to the documentation, there is way to enable networking in Qubes 
templates for sources other than updates from apt-get or dnf .

https://www.qubes-os.org/doc/how-to-install-software/#installing-software-from-other-sources

Tried different combinations without success.

I definitely need to use git (github.com cannot be resolved) and to a less 
extent, snap and/or flatpak.




[qubes-users] Guest post: "TrenchBoot Anti Evil Maid for Qubes OS" by Michal Zygowski of 3mdeb

2023-01-31 Thread Andrew David Wong
Dear Qubes Community,

The following is a guest post by Michal Zygowski from 
[3mdeb](https://3mdeb.com/) on the work they've been doing to upgrade [Anti 
Evil Maid (AEM)](https://www.qubes-os.org/doc/anti-evil-maid/). The original 
post can be found on the [3mdeb 
blog](https://blog.3mdeb.com/2023/2023-01-31-trenchboot-aem-for-qubesos/). This 
work was made possible through generous 
[donations](https://www.qubes-os.org/donate/) from the Qubes community via 
[OpenCollective](https://opencollective.com/qubes-os). We are immensely 
grateful to the Qubes community for your continued support and to 3mdeb for 
contributing this valuable work.

"TrenchBoot Anti Evil Maid for Qubes OS"
by Michal Zygowski
https://blog.3mdeb.com/2023/2023-01-31-trenchboot-aem-for-qubesos/
https://www.qubes-os.org/news/2023/01/31/trenchboot-aem-for-qubes-os/

As a courtesy to plain text email users, the Markdown source of the article 
body is reproduced below.

8<--

## Abstract

Qubes OS Anti Evil Maid (AEM) software heavily depends on the
availability of the DRTM technologies to prevent the Evil Maid
attacks. However, the project has not evolved much since the
beginning of 2018 and froze on the support of TPM 1.2 with Intel TXT
in legacy boot mode (BIOS). In the post we show how the existing
solution can be replaced with TrenchBoot and how one can install it
on the Qubes OS. The post will also briefly explain how
TrenchBoot opens the door for future TPM 2.0 and UEFI support for
AEM.

## Introduction

As Qubes OS users, promoters, and developers, we understand how essential it is
to be aware of the latest developments in maintaining the security of your
favorite operating system. We're excited to share our plans to integrate the
TrenchBoot Project into Qubes OS's new Anti-Evil Maid (AEM) implementation. As
you may know, traditional firmware security measures like UEFI Secure Boot and
measured boot, even with a Static Root of Trust (SRT), may only sometimes be
enough to ensure a completely secure environment for your operating system.
Compromised firmware may allow for the injection of malicious software into
your system, making it difficult to detect. To overcome these limitations, many
silicon vendors have started implementing Dynamic Root of Trust (DRT)
technologies to establish a secure environment for operating system launch and
integrity measurements. We're excited to take advantage of these advancements
through integration with the [TrenchBoot Project](https://trenchboot.org/).

The usage of DRT technologies like Intel Trusted Execution Technology (TXT) or
AMD Secure Startup is becoming more and more significant; for example, Dynamic
Root of Trust for Measurement (DRTM) requirements of [Microsoft Secured Core 
PCs](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure#what-makes-a-secured-core-pc).
DRTM has yet to find its place in open-source projects, but that gradually
changes. The demand for having firmware-independent Roots of Trust is
increasing, and projects that satisfy this demand are growing. TrenchBoot is a
framework that allows individuals and projects to build security engines to
perform launch integrity actions for their systems. The framework builds upon
Boot Integrity Technologies (BITs) that establish one or more Roots of Trust
(RoT) from which a degree of confidence that integrity actions were not
subverted.

[Qubes OS Anti Evil Maid 
(AEM)](https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html)
software heavily depends on the availability of DRTM technologies to prevent
Evil Maid attacks. However, the project hasn't evolved much since the beginning
of 2018 and froze on the support of TPM 1.2 with Intel TXT in legacy boot mode
(BIOS). Because of that, the usage of this security software is effectively
limited to older Intel machines only. TPM 1.2 implemented SHA1 hashing
algorithm, which is nowadays considered weak in the era of forever-increasing
computer performance and quantum computing. The solution to this problem comes
with a newer TPM 2.0 with more agile cryptographic algorithms and SHA256
implementation by default.

The post will present the TrenchBoot solution for Qubes OS AEM replacing the
current TPM 1.2 and Intel TXT-only implementation. The advantage of TrenchBoot
solution over existing [Trusted 
Boot](https://sourceforge.net/p/tboot/wiki/Home/)
is the easier future integration of AMD platform support, as well as TPM 2.0
and UEFI mode support.

Before we dive into the technical details, it is important to highlight that
this achievement was made possible through the generous contributions of Qubes
OS community via OpenCollective. We would like to express our gratitude and
extend a special thank you to all who have supported our favourite operating
system. To continue supporting Qubes OS, please consider donating through
[OpenCollective 

[qubes-users] Yubikey LUKS with Qubes?

2023-01-31 Thread 'Jeremy Hansen' via qubes-users
I’m trying to figure out the things required to use my Yubikey to decrypt my 
LUKS root filesystem. As I understand it, dom0 in 4.1.1 doesn’t have the 
functions required in cryptsetup. It looks like systemd in Fedora 36 added 
systemd-cryptenroll, which I see in the Fedora guests. Has anyone attempted to 
get the required utilities to make this work in to dom0, which is based on 
Fedora 32 I believe.

I see Qubes 4.2 is going to base dom0 on Fedora 37, which should have all the 
tools, but I can’t seem to find any kind of iso nightly builds for 4.2.

I’ve worked through getting my Yubikey working for auth, but it would be very 
nice to get the LUKS functionality in there as well.

Thank you
-jeremy



[qubes-users] XSAs released on 2023-01-25

2023-01-27 Thread Andrew David Wong
Dear Qubes Community,

The [Xen Project](https://xenproject.org/) has released one or more [Xen 
security advisories (XSAs)](https://xenbits.xen.org/xsa/).
The security of Qubes OS *is not affected*.
Therefore, *no user action is required*.


## XSAs that DO affect the security of Qubes OS

The following XSAs *do affect* the security of Qubes OS:

- (none)


## XSAs that DO NOT affect the security of Qubes OS

The following XSAs *do not affect* the security of Qubes OS, and no user action 
is necessary:

- XSA-425 (Qubes 4.1 does not use the affected Xen version; denial-of-service 
only)


## About this announcement

Qubes OS uses the [Xen 
hypervisor](https://wiki.xenproject.org/wiki/Xen_Project_Software_Overview) as 
part of its [architecture](https://www.qubes-os.org/doc/architecture/). When 
the [Xen Project](https://xenproject.org/) publicly discloses a vulnerability 
in the Xen hypervisor, they issue a notice called a [Xen security advisory 
(XSA)](https://xenproject.org/developers/security-policy/). Vulnerabilities in 
the Xen hypervisor sometimes have security implications for Qubes OS. When they 
do, we issue a notice called a [Qubes security bulletin 
(QSB)](https://www.qubes-os.org/security/qsb/). (QSBs are also issued for 
non-Xen vulnerabilities.) However, QSBs can provide only *positive* 
confirmation that certain XSAs *do* affect the security of Qubes OS. QSBs 
cannot provide *negative* confirmation that other XSAs do *not* affect the 
security of Qubes OS. Therefore, we also maintain an [XSA 
tracker](https://www.qubes-os.org/security/xsa/), which is a comprehensive list 
of all XSAs publicly disclosed to date, including whether each one affects the 
security of Qubes OS. When new XSAs are published, we add them to the XSA 
tracker and publish a notice like this one in order to inform Qubes users that 
a new batch of XSAs has been released and whether each one affects the security 
of Qubes OS.


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2023/01/27/xsas-released-on-2023-01-25/



[qubes-users] QWT Windows

2023-01-20 Thread Franz
Hello friends,
With Qubes 4.1 my old windows 10 standalone installation still boots
correctly, but I cannot copy/move files to or from other qubes.

I understand the problem is already resolved, but the solution is not yet
available with mainstream updates. But I suspect updates will never be able
to fix it and I need to find a way to manually install a new version of QWT.

So may I simply wait or not?
Best
Franz



[qubes-users] dose qubes os work with HP ENVY x360 15 i7-1065G7

2023-01-11 Thread Ron Burgundy
Does Qubes OS work with HP ENVY x360 15 i7-1065G7?



Re: [qubes-users] Shutdown Delay

2023-01-11 Thread Johnboy3 via qubes-users
Hi,

I also experience(d) shutdown delays in the beginning of my Qubes OS experience 
in about 1/10 shutdowns.
I never had any NFS mounts or alike that should have caused it.
After trawling through the journalctl messages there was always some VM that 
waited for a process to exit.
Instead of decreasing the shutdown time delay in systemd for dom0 and every 
appVM, I decided to manually shut down the appVMs and shut down dom0 afterwards, 
which eradicated the problem nearly completely. In fact I don't remember the 
last time I had to wait for a reboot/shutdown.
A simple alias in .bashrc for user in dom0 did the trick for me.

alias shutdown='qvm-shutdown --all --wait;sync;sudo shutdown -h now'
alias reboot='qvm-shutdown --all --wait;sync;sudo reboot'

Hope this is useful for you guys



--- Original Message ---
From: Ulrich Windl 
Date: 28.12.2022 11:00:57
To: qubes-users@googlegroups.com
Subject: [qubes-users] Shutdown Delay

Hi!

Am I the only one that sees extra shutdown delays?
It seems that everything is unmounted, but still things hang; unsure what
that is. See attachment.
What surprises me is that crypto seems to be stopped before unmount.

Regards,
Ulrich



[EXT] Re: [qubes-users] Shutdown Delay

2023-01-09 Thread Ulrich Windl
No, doesn't work either; I had tried it before.



[EXT] Re: [qubes-users] Shutdown Delay

2023-01-09 Thread Ulrich Windl
No NFS involved; wouldn't it have to be NFS in dom0 then? Shudder!



Re: [qubes-users] T530 vs T430

2023-01-09 Thread David Hobach

Yes.



[qubes-users] T530 vs T430

2023-01-09 Thread nerved_ougulya via qubes-users
Hello!
I hope it's the right place, otherwise, please advise me with the correct 
procedure.

After reading this:

https://www.qubes-os.org/hcl/#lenovo_thinkpad-t530-2429cq9_i7-3520m_integrated-graphics-hd-4000_andrew_r3-1

I also read this: "Nearly all mods here can also be applied to the T530/W530"

https://medium.com/@n4ru/the-definitive-t430-modding-guide-3dff3f6a8e2e

Now, I want to know whether the Lenovo T530 is as secure for Qubes as the T430.
Is it as corebootable and customizable for hardened security?


Cheers,



Re: [qubes-users] HCL - Dell Latitude E7440

2023-01-06 Thread Sven Semmler

Thank you Daniele for your HCL report, which is 
[online](https://www.qubes-os.org/hcl/#dell_latitude-e7440_i7-4600u_integrated-graphics-hd-4400_daniele-carati_r4-1) now!

/Sven
--
https://keys.openpgp.org/vks/v1/by-fingerprint/DA5975C9ABC40C833B2F620B2A632C537D744BC7



[qubes-users] HCL - Dell Latitude E7440

2023-01-06 Thread Daniele Carati

Installed Qubes 4.1.1 and no problem so far.

---
layout:
  'hcl'
type:
  'laptop'
hvm:
  'yes'
iommu:
  'yes'
slat:
  'yes'
tpm:
  ''
remap:
  'yes'
brand: |
  Dell Inc.
model: |
  Latitude E7440
bios: |
  A28
cpu: |
  Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz
cpu-short: |
  FIXME
chipset: |
  Intel Corporation Haswell-ULT DRAM Controller [8086:0a04] (rev 0b)
chipset-short: |
  FIXME
gpu: |
  Intel Corporation Haswell-ULT Integrated Graphics Controller [8086:0a16] (rev 0b) (prog-if 00 [VGA controller])
gpu-short: |
  FIXME
network: |
  Intel Corporation Ethernet Connection I218-LM (rev 04)
  Intel Corporation Wireless 7260 (rev bb)
memory: |
  16289
scsi: |
  Micron_M510_MSAT Rev: DL05
  TS256GMSA230S    Rev: 7GN1
usb: |
  2
versions:

- works:
    'FIXME:yes|no|partial'
  qubes: |
    R4.1
  xen: |
    4.14.5
  kernel: |
    5.15.81-1
  remark: |
    FIXME
  credit: |
    FIXAUTHOR
  link: |
    FIXLINK

---



[qubes-users] HCL - Dell Latitude E7440

2023-01-06 Thread Daniele Carati

Installed Qubes 4.1.1 and no problem so far.



Re: [qubes-users] Shutdown Delay

2023-01-03 Thread Rusty Bird
unman:
> On Wed, Dec 28, 2022 at 11:00:18AM +0100, Ulrich Windl wrote:
> > Am I the only one that sees extra shutdown delays?
> > It seems that everything is unmounted, but still things hang; unsure what 
> > that is. See attachment.
> > What surprises me is that crypto seems to be stopped before unmount.
> > 
> No, I often see excessive shutdown delays.

What inexplicably fixes these delays on Btrfs - maybe on LVM too? -
is to shut down all VMs in a separate step before shutting down the
system: https://forum.qubes-os.org/t/btrfs-and-qubes-os/6967/17

Rusty


Re: [qubes-users] Shutdown Delay

2023-01-03 Thread 'unman' via qubes-users
On Wed, Dec 28, 2022 at 11:00:18AM +0100, Ulrich Windl wrote:
> Hi!
> 
> Am I the only one that sees extra shutdown delays?
> It seems that everything is unmounted, but still things hang; unsure what that 
> is. See attachment.
> What surprises me is that crypto seems to be stopped before unmount.
> 
> Regards,
> Ulrich
> 
No, I often see excessive shutdown delays.



Re: [qubes-users] HCL - HP Omen 17-an007na

2022-12-30 Thread Sven Semmler

Thank you Focus for your HCL report, which is 
[online](https://www.qubes-os.org/hcl/#hewlett-packard_omen-17-an007na_i5-7300hq_integrated-graphics-hd-630-geforce-gtx-1050-mobile_focus-kiseri_r4-1) now!

Little side note to reporters:

if you don't know what certain fields are for (e.g. the -short ones), just 
ignore them but please don't remove them. They are actually used to generate 
the HCL website and in addition to filling them manually I then also have to 
restore them manually in the first place. ... so just leave them as is please. 
:-D

/Sven
--
https://keys.openpgp.org/vks/v1/by-fingerprint/DA5975C9ABC40C833B2F620B2A632C537D744BC7
