[qubes-users] Re: Troubleshooting Qubes graphical slowness

[rec wins]

On 12/30/19 6:28 AM, Steve Coleman wrote:
> On 2019-12-29 23:32, tetrahedra via qubes-users wrote:
>> On Sun, Dec 29, 2019 at 01:44:28PM +, 'awokd' via qubes-users wrote:
>>> tetrahedra via qubes-users:
 On Fri, Dec 27, 2019 at 09:57:16AM +0100, tetrahedra via qubes-users
 wrote:
> Unfortunately I need to get work done so have to reboot to "just
> make it
> go away" but I am still interested in troubleshooting ideas (for
> when it
> happens next).
>>>
>>> Investigate xl top more thoroughly. You can identify offending VMs with
>>> it, and see if all your RAM is in use which triggers swapping to (slow)
>>> disk.
>>
>> My disk is a pretty fast SSD, and I did use xentop (`xl top` is just an
>> alias for xentop) and it didn't show anything unusual as far as I can
>> recall. Perusing the xentop man page doesn't show any potentially
>> relevant options except for `--full-name` and that option doesn't seem
>> to do anything. Pressing "B" (for "vBds") seems to list a number of
>> devices for each VM but none of them have any 2-digit unique identifying
>> number (as `iotop` seems to display).
>>
> 
> I have had graphics slowdown issues in the past on two occasions that
> acted like this, so here are some things to try:
> 
> 1) Add the 'nopat' argument to the 'kernel opts:' boot command line.
> 
>> qvm-prefs  -s kernelopts nopat
> 
> 2) The second, I can not seem to locate that email exchange at the
> moment, but it was a option on the graphics subsystem that needed to be
> turned off. Something like backing store, but I'm sure that is not the
> correct name for it. I'll keep looking for that one until I hear back if
> #1 above fixed your problem or not.
> 
> Steve
> 
> 

so how many VMs are open at one time, how much RAM have you?  you know
you can go into qubes settings and change the max RAM / per VM to say
1500 or so ?

I still believe  "speed step" in the UEFI was what was my slowness
problem before, I believe I still have it enabled, slowness for
everything but esp boot times  YMMV

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/23f3da7d-c26b-b0d5-165c-7b90a9e3f0c7%40riseup.net.

[qubes-users] Re: HOWTO: Enable screen poweroff (instead of blanking)

[rec wins]

On 12/22/19 4:45 AM, Claudia wrote:
> I just wanted to drop a note here before I forget. Out of the box, Qubes 
> blanks the screen after a few minutes, but never powers off the screen, even 
> though it's configured to do so in the XFCE Power Manager. I've had this 
> problem on several machines, all the way back to R3.2, and I always blamed it 
> on lack of hardware support.
> 
> Turns out, it's because Qubes comes with Xscreensaver enabled which overrides 
> the XFCE Power Manager settings. Xscreensaver is only configured to blank the 
> screen; I'm not sure if it even supports powering it off. To return control 
> to XFCE, go to Menu > System Tools > Session and Startup > Application 
> Autostart, and uncheck "Screensaver". Then you can logout, reboot, or go to 
> Menu > System Tools > Screensaver > File > Kill Daemon. You may have to also 
> open Menu > System Tools > Power Manager > Display, and switch "Display power 
> management" to off and then on again.
> 
> Note this will disable the lockscreen. This is not recommended if you use a 
> USB keyboard or mouse and a USB Qube, or if someone has physical access to 
> your computer while it's on. Otherwise, I recommend enabling screen poweroff 
> in order to conserve energy and lengthen the lifespan of your screen's 
> backlight.
> 

there Does seem to be another session> application autostart
 item  called   Screensaver (Launch screensaver and locker program)(not
just xscreensaver)   that is  'checked' to start  , maybe I'll leave it
alone  for now

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ce83b375-1bcc-2690-887d-deb5661b9097%40riseup.net.

[qubes-users] Re: HOWTO: Enable screen poweroff (instead of blanking)

[rec wins]

On 12/23/19 12:23 PM, Defiant wrote:
> 
> 
> On 22. 12. 19 15:45, Claudia wrote:
>>
>> I just wanted to drop a note here before I forget. Out of the box, Qubes 
>> blanks the screen after a few minutes, but never powers off the screen, even 
>> though it's configured to do so in the XFCE Power Manager. I've had this 
>> problem on several machines, all the way back to R3.2, and I always blamed 
>> it on lack of hardware support.
>>
>> Turns out, it's because Qubes comes with Xscreensaver enabled which 
>> overrides the XFCE Power Manager settings. Xscreensaver is only configured 
>> to blank the screen; I'm not sure if it even supports powering it off. To 
>> return control to XFCE, go to Menu > System Tools > Session and Startup > 
>> Application Autostart, and uncheck "Screensaver". Then you can logout, 
>> reboot, or go to Menu > System Tools > Screensaver > File > Kill Daemon. You 
>> may have to also open Menu > System Tools > Power Manager > Display, and 
>> switch "Display power management" to off and then on again.
>>
>> Note this will disable the lockscreen. This is not recommended if you use a 
>> USB keyboard or mouse and a USB Qube, or if someone has physical access to 
>> your computer while it's on. Otherwise, I recommend enabling screen poweroff 
>> in order to conserve energy and lengthen the lifespan of your screen's 
>> backlight.
>>
>>
> 
> I have also noticed this annoyance on several machines and different
> linux distributions so it must be an Xfce problem, not a Qubes problem.
> 
> You're probably asking yourself why do we even need xscreensaver when we
> can instead use a screen locker like lightlocker. I think I read on the
> issues tracker that xscreensaver is the most secure screen "locker" for
> X11 which is why it is used in Qubes, and if you would want to use
> something stronger you'd have to go wayland.
> 
> I hear Qubes 4.1 will use the new Xfce 4.14 though I am unsure whether
> this bug has been fixed in that version.
> 
> 
> Kind regards!
> 

thanks for this,  always wondered ... had given up on any systemwide
changing things

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/aa633cc9-1de5-232c-18d3-a3ce8173ebc9%40riseup.net.

[qubes-users] Re: Recommended laptop?

[rec wins]

On 12/25/19 1:03 PM,
brendan.hoar-re5jqeeqqe8avxtiumw...@public.gmane.org wrote:
> Insurgo is providing a service.
> 
> If one can do the steps themselves, that’s fine. 
> 
> If I were advising a somewhat less technical journalist or a potentially 
> targeted human-rights worker or politically targeted activist who just wanted 
> to get stuff done and had the resources, I’d point them to Insurgo.
> 
> Brendan
> 

+1 thinkpads think mine is a x540 or something,  +1 16gb RAM and SSD,
bought my thinkpad used year ago for like $200 add the RAM and SSD ,

apparently some feel Intel isn't really trustworthy  but might have to
pay more for non Intel machines, and roll dice if it has the VT-d or
Iommu  required minimums,  personally I don't use the  TPM though I have
it,  fear I'll likely lock myself out , and don't know what I'm doing in
general :)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f0dfb38f-d19e-1076-2e8a-645e3d9a99e6%40riseup.net.

[qubes-users] Re: redshift or brightness control?

[rec wins]

On 12/12/19 4:35 AM, shroobi wrote:
>>
>> so $sudo dnf install redshift-gtk   ?
>>
>> seems to not be the package name , hmm
>>
> 
> 
> $ sudo qubes-dom0-update redshift-gtk
> 
> The dnf command is only used for removing packages.
> 

do you invoke it from command line?  if so, may I ask with what command
argument ?

via xfce menu "failed to run redshift, trying location provider
'geoclue2' ,

maybe because dom0 has no access to the world or something ?


sorry if this might be more redshift-y than qubes-y

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c6d8ac51-7574-b443-8d6f-f60fda070fc7%40riseup.net.

[qubes-users] Re: redshift or brightness control?

[rec wins]

On 12/11/19 6:58 AM, shroobi wrote:
>> On 12/9/19 9:33 PM, beppo wrote:
>>> Am 10.12.19 um 08:09 schrieb rec wins:  
>>>> hello, is there a way to install and use redshift or any brightness
>>>> control for dom0, which I assume is where the package would have to go  
>>>
>>> That's right, you have to install it to dom0 (on your own risk). Just run
>>> $ sudo qubes-dom0-update redshift
>>> in dom0. (add also redshift-gtk for gtk-support.
>>>   
>>
>> I was under the impression , esp since dom0 is Fedora 25 to "never
>> install anything" in dom0  but OK,
>>
>> is/are there any other helpful utilities people install in dom0 that are
>> "safe"
>>
> 
> I second redshift. I also like having a graphical text editor.
> 
> It's true that Qubes warns against adding packages to dom0, but the choice is 
> yours. I
> rarely install anything to dom0, but when I do I only choose well-known 
> packages with few
> or no dependencies. 
> 

so $sudo dnf install redshift-gtk   ?

seems to not be the package name , hmm

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/82f231c1-98fb-325e-2d93-87991d1d7fb5%40riseup.net.

[qubes-users] redshift or brightness control?

[rec wins]

hello, is there a way to install and use redshift or any brightness
control for dom0, which I assume is where the package would have to go,
I get blinded in the evening, and manually changing monitor brightness
isn't practical TIA

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4cefa212-46d5-007b-6ad1-3e934044803d%40riseup.net.

[qubes-users] Re: Qubes' Thunderbird Add-On

[rec wins]

On 11/28/19 1:57 AM, cubit wrote:
> With the recent upgrade to Thunderbird 68.2  and the depreciation of old 
> style add-ons.   Are there any plans to bring back the Qubes Add-on to allow 
> opening of email in dispVM as needed/by default?
> 
> Cu-
> 

whoops, I just saw this after I posted same question, guess I still
don't know how to use thunderbird gmane search correctly  :)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d01364eb-9909-10ff-35fb-ba169dd8ce55%40riseup.net.

[qubes-users] thunderbird qubes add-on

[rec wins]

Hello, using Debian-10 as my template with Thunderbird 68.2.2, I no
longer have the Qubes integration add-on,  so can't 'open attachements
in DVM'  directly.

How would I go about getting back the qubes integration or is this a
'known issue'  etc and just wait ?


recce

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/420dcec7-cfb3-476e-2d31-14c64f74c86b%40riseup.net.

[qubes-users] Re: 2 new Intel vulnerabilites

[rec wins]

On 11/14/19 2:55 AM, Chris Laprise wrote:
> On 11/14/19 7:28 AM, Andrew David Wong wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA512
>>
>> On 2019-11-13 12:40 PM, Lorenzo Lamas wrote:
>>> There are 2 new vulnerabilities in Intel CPU's, also affecting Xen.
>>> Xen has issued XSA-304(CVE-2018-12207) and XSA 305(CVE-2019-11135).
>>> Is the Qubes team aware yet? I haven't seen a new QSB.
>>>
>>
>> Yes, we're aware. We're currently in the process of preparing
>> announcements about these XSAs.
>>
>> Typically, XSAs have a predisclosure period, during which the XSA is
>> embargoed, and the Qubes Security Team has time to analyze it and
>> prepare patches and an announcement. However, these XSAs had no
>> embargo period, so the Qubes Security Team had no advance notice of
>> them before they were publicly announced.
> 
> The researchers behind these MDS vuln disclosures were being strung
> along by Intel, who kept changing embargo dates. Eventually they decided
> to simply publish because the proposed patches from Intel were not
> addressing a large number of possible attacks.
> 
> I have summary, links and some advice here:
> https://groups.google.com/d/msgid/qubes-users/85c426f7-7e17-b1ab-87c3-71f92d169955%40posteo.net
> 
> 
> In short, Intel have played a monopolist's game and delivered products
> that match; Its much better (and simpler) for people to move to AMD at
> least for the time being. It would help if the Qubes community had some
> clear AMD choices.
> 

so, are there people running Q4.x  on AMD machines?  if so which ones?


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e15049ac-149f-a053-9bd5-3dbaa323931c%40riseup.net.

Re: [qubes-users] Re: using static dispVM for sys-net

[rec wins]

On 9/9/19 11:32 AM, Sven Semmler wrote:
> On 8/17/19 3:55 PM, rec wins wrote:
>> how to store the wifi credentials in custom-dvm-template ?
> assuming you created sys-net using the a dvm template named
> dvm-fed-30-min and know the PCI identifier of your wireless interface
> (the one you assigned to sys-net)
> 
> 
> 1) qvm-shutdown --all --wait
> 2) qvm-prefs dvm-fed-30-min virt_mode hvm
> 3) qvm-prefs dvm-fed-30-min provides_network true
> 4) qvm-pci attach dvm-fed-30-min --persistent dom0:
> 5) qvm-start dvm-fed-30-min
> 6) once started use the NetworkManager in the tray to enter your WiFi
> credentials
> 7) qvm-shutdown --wait dvm-fed-30-min
> 8) qvm-pci detach dvm-fed-30-min dom0:
> 9) qvm-prefs dvm-fed-30-min provides_network false
> 10) qvm-prefs dvm-fed-30-min virt_mode pvh
> 11) start sys-net
> 
> /Sven
> 


actually I stored them in the main Fedora Template that the
custom-dvm-template  was based on

found the proper file and format from another connection somewhere

perhaps not secure, my method, but seems to work


ty for the steps on your method , I know someone else had been also asking

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e8ba37d2-3a9d-55a0-c601-bcd1923938e1%40riseup.net.

[qubes-users] Re: script to fix qubes-whonix time-sync issue

[rec wins]

On 9/6/19 4:55 AM, qtpie wrote:
> qtpie:
>> unman:
>>> On Thu, Sep 05, 2019 at 12:23:13PM +0200, donoban wrote:
 On 9/5/19 11:41 AM, qtpie wrote:> My usecase is this: suspend a laptop
 with sys-whonix and whonix appvms
> running, then resume it a few hours later.
>
> After resume Tor lost connection, re-connection fails until i manually
> sync time on sys-net then
> @sys-firewall 'sudo ntpdate [timeserver]
> @sys-whonix 'sudo qvm-sync-clock'
> @sys-whonix 'sudo systemctl restart 
> tor-fCAy/bagh0fxz5zemyojwq-xmd5yjdbdmrexy1tmh2ibg-xmd5yjdbdmrexy1tmh2...@public.gmane.org'
>
> Is this also you usecase? You do not expierence any issues after
> suspend/resume on qubes 4 with Tor running?
>

 Ouch yes, usually after suspend/resume I had to run just:
 @sys-whonix 'sudo systemctl restart 
 tor-fCAy/bagh0fxz5zemyojwq-xmd5yjdbdmrexy1tmh2ibg-xmd5yjdbdmrexy1tmh2...@public.gmane.org'


 Currently I am not using whonix, I am testing with minimal fedora torvm[1].

 It seems stable. I don't have problems with suspend/resume and I skipped
 the sync clock steps [2]. Probably it's less anonymous than Whonix, but
 for me seems fine.

 [1] https://hackmd.io/JIXLStC-Sbq8rr1mjomCDQ
>>>
>>> You know there's a Qubes package for that? (deprecated but still
>>> buildable.)
>>> I have my own fork for a torVM which includes Qubes firewall
>>> support, which Whonix doesn't provide.
>>>
>>
>> Which package? I couldnt immediately find it.
>>
> 
> FYI: I'm also going to apply shutdown-on-suspend to sys-usb, since I
> have to kill it manually right now since it hangs after resume. It might
> not be elegant, there might be a bug/fix, but I dont care, just want the
> problem solved.
> 
> If anyone knows the existing package to do this it would be very welcome.
> 

I have been running sdwtime-gui  in sys-whonix and anon-whonix every
time I use them,  then it is hit and miss  whether  it  awakes and has
failed, but I don't suspend so often

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/586d615a-72c3-344c-3d64-8ff0adf1e302%40riseup.net.

[qubes-users] Re: Debian-10 Updates fail via disposable net/firewall

[rec wins]

On 9/3/19 10:12 PM, ronpunz wrote:
> I have fresh install of Q4.0.2rc1
> 
> I've setup disposable vm's for sys-net and sys-firewall. Everything
> works well (i can update Fedora and Whonix) via dispVMs. However, Debian
> template updates fail because Debian is calling for updates via sys-net
> (which obviously cant start because disp-sys-net is running)
> 
> Can anyone identify why and where Debian is calling up sys-net?
> 
> 

I had a similar problem , with disposable sys-net only,   I changed
/etc/qubes-rpc/policy/qubes.UpdatesProxy

to sys-net2 (disposable)  however  wasn't getting updates in the end I
ended up changing it to sys-whonix  as a work around


If you do a search in the forum, you may see my previous posts  on this .

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3bb73eea-1408-8351-2226-322be7b1f108%40riseup.net.

[qubes-users] Re: Device showing up in Qubes sys-usb terminal but not devices icon, and attach error in dom0

[rec wins]

On 8/29/19 2:36 AM, Brendan Hoar wrote:
> On Thu, Aug 29, 2019 at 3:02 AM rec wins 
>  wrote:
> 
>>
>> OTP won't ,  if the key does  more than U2F  you may need to  get  a
>> configuration application for the key  and  make sure it's  U2F  only
>> slot 1  , 2  etc
>>
> 
> Yubikey OTP works through a keyboard-like HID, which are blacklisted by
> default in Qubes. In order to directly attach a keyboard-like device to a
> VM you have to override this setting.
> 
> See:
> https://www.qubes-os.org/doc/usb-qubes/#enable-a-usb-keyboard-for-login
> 
> B
> 


I could be wrong but I not sure you can use  1 key for both U2F and OTP
 , as I mentioned,  you may need to  use the  developers software to
disable one of them . If you disable everything but U2F

then follow the  Qubes Docs for U2F


sort of defeats the purpose of an onlykey I imagine,  I  myself  am
using a U2F only yubikey   , not OTP  gave up on that long time ago

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/489a753d-27eb-1635-4e93-79767bead459%40riseup.net.

[qubes-users] Re: Device showing up in Qubes sys-usb terminal but not devices icon, and attach error in dom0

[rec wins]

On 8/30/19 2:40 AM, unman wrote:
> On Thu, Aug 29, 2019 at 08:58:33PM -1000, rec wins wrote:
>> On 8/29/19 1:49 AM, unman wrote:
>>> On Wed, Aug 28, 2019 at 09:01:46PM -1000, rec wins wrote:
>>>> On 5/27/19 6:09 AM, Stumpy wrote:
>>>>> I am trying to use an onlykey U2F but have run into some issues like it
>>>>> showing up in dom0 and sys-usb but seems like i cant use it.
>>>>>
>>>>> in sys-usb:
>>>>> [user@sys-usb ~]$ lsusb | grep Only
>>>>> Bus 004 Device 010: ID 1d50:60fc OpenMoko, Inc. OnlyKey Two-factor
>>>>> Authentication and Password Solution
>>>>>
>>>>> and in Dom0:
>>>>> [ralph@dom0 ~]$ qvm-usb | grep ONLY ; sudo qvm-usb a sys-usb sys-usb:42
>>>>> sys-usb:4-2 CRYPTOTRUST_ONLYKEY_346etc
>>>>> Device attach failed:
>>>>> [ralph@dom0 ~]$
>>>>>
>>>>> I decided to go with the chrome app but even though sys-usb seems to see
>>>>> the onlykey I cant seem to attach it to the chrome appvm i made?
>>>>>
>>>>
>>>>
>>>> so in dom0  you did
>>>> $qvm-usb
>>>>
>>>> get the BDM number and do
>>>>
>>>> $qvm-usb attach chromevm sys-usb:X-X
>>>>
>>>> U2F  keys will work in chromium  for  google logins  with  no
>>>> complicated  passthrough setup necessary
>>>>
>>>> OTP won't ,  if the key does  more than U2F  you may need to  get  a
>>>> configuration application for the key  and  make sure it's  U2F  only
>>>> slot 1  , 2  etc
>>>>
>>>
>>> Have you looked at the qubes-u2f-proxy package?
>>> https://www.qubes-os.org/doc/u2f-proxy
>>>
>>> After installation in dom0 and the relevant template, you enable the
>>> service in the qube you want to use it in, and the device should then
>>> be available for use in that qube.
>>> You *dont* attach the USB device to the qube.
>>>
>>> Try that, and see how you get on.
>>>
>>> unman
>>>
>>
>>
>> attaching does work(only in chromium fwiw) even with the FF about:config
>> changes,  though,  apparently  this isn't  'secure'  so
>>
>> looking at the u2f proxy  at this point
>>
>>
>> Repeat qvm-service --enable (or do this in VM settings -> Services in
>> the Qube Manager) for all qubes that should have the proxy enabled. As
>> usual with software updates, shut down the templates after installation,
>> then restart sys-usb and all qubes that use the proxy. After that, you
>> may use your U2F token (but see Browser support below).
>>
>>
>> after installing the proxy in the templates and shutting them down, and
>> restarting the appVMs  based on them. there is No   qvm-service  to
>> do  qvm-service --enable
>>
>> and/or  what or where is this supposed to be  'repeated' ?
>>
>> "Repeat qvm-service --enable for all qubes that should have the proxy
>> enabled."
>>
>> sure sounds like  by "qubes" what is meant is the  AppVMs  or  TBAVM  or
>> whatever they are called now :)
>>
> "qube" is a "user friendly term for a VM"
> (https://www.qubes-os.org/doc/glossary;)
> 
> qvm-service is a dom0 command line tool - you can also enable the
> service in the GUI interface as noted in the instructions.
> You enable the service for *each* qube where you want to use the proxy -
> that's the "repeat" part.
> Check the policy file in /etc/qubes-rpc/policy/
> 


OK seems to be operational now in FF ,  not sure what I was supposed to
see   in  /policy/

@dom0 ~]$ !529
cat /etc/qubes-rpc/policy/u2f.Register
$anyvm sys-usb allow,user=root


u2f.Authenticate  says the same



Stumpy did you do this :

https://docs.crp.to/qubes.html



need to keep the  support organize  or just gets too complicated  IMO
or  are you Sebastian   please bottompost   unman, awokd, brendan
are the ones to talk to

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8cd4a8bc-4643-b539-8650-53d4eb43d6e6%40riseup.net.

[qubes-users] Re: Device showing up in Qubes sys-usb terminal but not devices icon, and attach error in dom0

[rec wins]

On 8/29/19 1:49 AM, unman wrote:
> On Wed, Aug 28, 2019 at 09:01:46PM -1000, rec wins wrote:
>> On 5/27/19 6:09 AM, Stumpy wrote:
>>> I am trying to use an onlykey U2F but have run into some issues like it
>>> showing up in dom0 and sys-usb but seems like i cant use it.
>>>
>>> in sys-usb:
>>> [user@sys-usb ~]$ lsusb | grep Only
>>> Bus 004 Device 010: ID 1d50:60fc OpenMoko, Inc. OnlyKey Two-factor
>>> Authentication and Password Solution
>>>
>>> and in Dom0:
>>> [ralph@dom0 ~]$ qvm-usb | grep ONLY ; sudo qvm-usb a sys-usb sys-usb:42
>>> sys-usb:4-2 CRYPTOTRUST_ONLYKEY_346etc
>>> Device attach failed:
>>> [ralph@dom0 ~]$
>>>
>>> I decided to go with the chrome app but even though sys-usb seems to see
>>> the onlykey I cant seem to attach it to the chrome appvm i made?
>>>
>>  
>>
>> so in dom0  you did
>> $qvm-usb
>>
>> get the BDM number and do
>>
>> $qvm-usb attach chromevm sys-usb:X-X
>>
>> U2F  keys will work in chromium  for  google logins  with  no
>> complicated  passthrough setup necessary
>>
>> OTP won't ,  if the key does  more than U2F  you may need to  get  a
>> configuration application for the key  and  make sure it's  U2F  only
>> slot 1  , 2  etc
>>
> 
> Have you looked at the qubes-u2f-proxy package?
> https://www.qubes-os.org/doc/u2f-proxy
> 
> After installation in dom0 and the relevant template, you enable the
> service in the qube you want to use it in, and the device should then
> be available for use in that qube.
> You *dont* attach the USB device to the qube.
> 
> Try that, and see how you get on.
> 
> unman
> 


attaching does work(only in chromium fwiw) even with the FF about:config
changes,  though,  apparently  this isn't  'secure'  so

looking at the u2f proxy  at this point


Repeat qvm-service --enable (or do this in VM settings -> Services in
the Qube Manager) for all qubes that should have the proxy enabled. As
usual with software updates, shut down the templates after installation,
then restart sys-usb and all qubes that use the proxy. After that, you
may use your U2F token (but see Browser support below).


after installing the proxy in the templates and shutting them down, and
restarting the appVMs  based on them. there is No   qvm-service  to
do  qvm-service --enable

and/or  what or where is this supposed to be  'repeated' ?

"Repeat qvm-service --enable for all qubes that should have the proxy
enabled."

sure sounds like  by "qubes" what is meant is the  AppVMs  or  TBAVM  or
whatever they are called now :)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0b048746-8ec2-f582-3673-f47bc1373c99%40riseup.net.

[qubes-users] Re: Device showing up in Qubes sys-usb terminal but not devices icon, and attach error in dom0

[rec wins]

On 5/27/19 6:09 AM, Stumpy wrote:
> I am trying to use an onlykey U2F but have run into some issues like it
> showing up in dom0 and sys-usb but seems like i cant use it.
> 
> in sys-usb:
> [user@sys-usb ~]$ lsusb | grep Only
> Bus 004 Device 010: ID 1d50:60fc OpenMoko, Inc. OnlyKey Two-factor
> Authentication and Password Solution
> 
> and in Dom0:
> [ralph@dom0 ~]$ qvm-usb | grep ONLY ; sudo qvm-usb a sys-usb sys-usb:42
> sys-usb:4-2 CRYPTOTRUST_ONLYKEY_346etc
> Device attach failed:
> [ralph@dom0 ~]$
> 
> I decided to go with the chrome app but even though sys-usb seems to see
> the onlykey I cant seem to attach it to the chrome appvm i made?
> 


so in dom0  you did
$qvm-usb

get the BDM number and do

$qvm-usb attach chromevm sys-usb:X-X

U2F  keys will work in chromium  for  google logins  with  no
complicated  passthrough setup necessary

OTP won't ,  if the key does  more than U2F  you may need to  get  a
configuration application for the key  and  make sure it's  U2F  only
slot 1  , 2  etc

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fd0e81b4-68a9-b977-0966-de4df579764a%40riseup.net.

[qubes-users] Re: Anonymous as possible

[rec wins]

On 8/26/19 9:19 AM, 'awokd' via qubes-users wrote:
> GT500Shlby:
> 
>> then using a vpn with bitcoin
> 
> Be aware of the money trail.
> 
>> However, my concern is, I'm having trouble finding the latest release date. 
>> the listed release schedule makes it look like the current stable release 
>> is over a year old. What is the TL;DR of the state of development of Qubes?
> 
> TL;DR check file date on 4.0.1-x86_64 ISO in
> https://mirrors.edge.kernel.org/qubes/iso/ . Longer info is 4.0.2 is in
> active development. The point releases don't really matter though,
> because if you patch 4.0 to current level you have 4.0.1. Same when
> 4.0.2 ships. Multiple people are constantly updating Qubes; check the
> Qubes Github repos for another idea of activity level.
> 

sound like a good candidate for  whonix-dvms   maybe with the apparmour
thingy


https://www.whonix.org/wiki/DoNot
https://www.whonix.org/wiki/Documentation

https://forums.whonix.org/c/general-tor-and-anonymity-talk

don't trust "qubes" either  verify your .iso , maybe evil-maid with a
TPM if it's that badgoodluck

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8ae26d02-2c06-b901-70fc-8d9315c53102%40riseup.net.

[qubes-users] Re: Can't find Debian 10/minimal template

[rec wins]

On 8/20/19 2:46 AM, unman wrote:
> On Tue, Aug 20, 2019 at 12:24:36PM +, 'username908' via qubes-users wrote:
>> @799, the link you sent was for VM testing repositories, not for dom0 
>> testing repos. Even when enabling all repos after following this doc: 
>> https://www.qubes-os.org/doc/software-update-dom0/#testing-repositories , it 
>> doesn't work.
>>
>> qubes-dom0-current-testing  | 3.8 kB  00:00
>> qubes-dom0-current-testing/primary_db   | 4.9 MB  00:13
>> qubes-templates-community   | 3.0 kB  00:00
>> qubes-templates-itl | 3.0 kB  00:00
>> No Match for argument qubes-template-debian-10
>>
>> @unman, from your link, I'm getting "Error getting repository data for 
>> qubes-templates-itl-testing, repository not found". Are you sure it's 
>> necessary to create this repo to get the Debian template?
>>
> 
> The repository is already defined (in dom0) in
> /etc/yum.repos.d/qubes-templates.repo
> 
> By default it's not enabled.
> You can use it (temporarily) like this:
> `sudo qubes-dom0-update --enablerepo=qubes-templates-itl-testing 
> qubes-template-debian-10`
> 
> unman
> 

another option backup all  VMs wanted  reinstall to 4.0.2   ,  seems
like a good idea once in a while,  sort of like using  fresh templates

albeit bit time-consuming

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/af0b47de-09eb-88f5-ac0e-97134518cfa1%40riseup.net.

[qubes-users] Re: using static dispVM for sys-net

[rec wins]

On 8/10/19 5:28 AM, 'awokd' via qubes-users wrote:
> 799:
> 
>> What would be the better choice regarding attack surface:
>>  disposable netvm+firewallvm vs. mirage-firewall?
> 
> You still need a netvm with Mirage, but smallest attack surface alone is
> disposable netvm + Mirage. "Disposable" doesn't increase or decrease
> attack surface, though. It helps against persistence- if something
> managed to compromise sys-net's rw area, it would be gone next reboot.
> 
>> If I understand it right the mirage firewall has no/less option to be
>> compromised.
>> I am using the mirage fw and are only using a fedora-30-minimal based
>> sys-firewall to get dom0-updates, which can't be done via the mirage
>> firewall.
>>
>> But I'll also change this firewall to a static disposable FW.
> 
> If you're using Mirage for a firewall, you don't need that fedora-30
> sys-firewall inline any more. That might be what you have already done.
> You could create a sys-update and place it anywhere behind Mirage firewall.
> 
>> Question:
>> Afaik the problem when using a static disposable sys-net VM is, that I need
>> to enter my Wifi Credentials each time, as the VM will be unable to
>> remember them.
>> Is there any way tweaking this behaviour?
> 
> Put them in the custom DVM template you base the disposable sys-net
> from:
> https://www.mail-archive.com/qubes-users-/jypxa39uh5tlh3mboc...@public.gmane.org/msg26895.html.
> 


Sorry  how is this done,  I don't really follow along with the  URL link

how to store the wifi credentials in custom-dvm-template ?


regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3038a47a-b816-9c10-b52d-43b4458adcc4%40riseup.net.

[qubes-users] Re: using static dispVM for sys-net

[rec wins]

On 8/9/19 11:12 PM, 799 wrote:
> Hello,
> 
> Jon deps  schrieb am Mi., 3. 
> Juli 2019, 22:30:
> 
>> am curious if anyone actually does this , and how or would it make any
>> sense instead to use a static sys-firewall ,  if I
>> just have the default  sys-firewall  (which might be easier because
>> there would not be a need for the PCI  setup  ?each time)
> 
> 
> What would be the better choice regarding attack surface:
>  disposable netvm+firewallvm vs. mirage-firewall?
> If I understand it right the mirage firewall has no/less option to be
> compromised.
> I am using the mirage fw and are only using a fedora-30-minimal based
> sys-firewall to get dom0-updates, which can't be done via the mirage
> firewall.
> 
> But I'll also change this firewall to a static disposable FW.
> 
> Question:
> Afaik the problem when using a static disposable sys-net VM is, that I need
> to enter my Wifi Credentials each time, as the VM will be unable to
> remember them.
> Is there any way tweaking this behaviour?
> 
> 799
> 

799,  do you have  mirageOS  upstream of sys-net2 (disposable)  working.

I built and have mirage as sys-firewall, but I built it before I created
sys-net2 (disposable)

and the mirage firewall works  upstream of sys-net  but  not sys-net2


I'm thinking during the build process it must be looking for sys-net and
not a sys-net2 , esp  if it's not there ?

I could rebuild not that I have a sys-net2  , but  not too confident
about that

best regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/92d1f0ca-24bb-88a7-976b-a71309b361b9%40riseup.net.

[qubes-users] Re: Lenovo T480/T480s anyone got power management working properly?

[rec wins]

On 8/4/19 8:37 AM, mmoris-dg3qef7t2pdafugrpc6...@public.gmane.org wrote:
> Hello,
> 
> I'm struggling to get my T480s working on resume as it displays a blank
> screen that doesn't allow me to do anything.
> All problematic modules are already part of the suspend blacklist:
> 
> ehci_pci
> xhci_pci
> iwldvm
> iwlmvm
> 
> Nonetheless the resume only works when I shutdown the sys-usb before the
> suspend, which is a bit painful to do on every suspend.
> Power management also doesn't work, when I press the power off button
> nothing happens nor the laptop enters the suspend state.
> The battery also get hot very quickly and drains very fast it seems its
> not optimized.
> 
> Did anyone managed to fix these issues with the T480s or the T480?
> 
> Any recommendations are really appreciate.
> 
> Thank you!
> 
> -- 
> You received this message because you are subscribed to the Google
> Groups "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to
> qubes-users+unsubscribe-/jypxa39uh5tlh3mboc...@public.gmane.org
> .
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/qubes-users/6d955b4251a377fd6607926a01f818d4%40disroot.org
> .


???
This is a long-standing issue for some, resolved for some but not for
others at different times. See
https://github.com/QubesOS/qubes-issues/issues/4042

The situation has improved for me by getting kernel 4.19.43-1 from
qubes-dom0-security-testing. You could try the new kernel. (But note
that our problems might be a bit different, I never had a qrexec problem
when restarting sys-usb after resume.)

If you need to automate restarting of sys-usb because you can't avoid
this problem, you can add commands in
/usr/lib64/pm-utils/sleep.d/52qubes-pause-vms for suspend and resume,
e.g., qvm-shutdown sys-usb and qvm-start sys-usb. You might need to
qvm-kill sys-usb before suspend to get this to work reliably.

Daniel

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4720d109-d5b9-20ad-300b-96dfbed304b3%40riseup.net.

[qubes-users] Re: using static dispVM for sys-net

[rec wins]

On 7/8/19 2:15 PM, unman wrote:
> On Mon, Jul 08, 2019 at 07:24:53PM +, Jon deps wrote:
>> On 7/3/19 8:50 PM, 'awokd' via qubes-users wrote:
>>> Jon deps:
>>>
 https://www.qubes-os.org/doc/disposablevm-customization/#using-static-disposablevms-for-sys-



 I can't really understand what the differences would be?? with a static
 dispvm (based on a dispvm-template) vs?? just a regular?? sys-net

 if nothing is disposed (static) isn't it just the same

>>> "Static" there refers to the name and VM configuration, not the
>>> contents. You only have to set them up once, not every time.
>>>
>>
>>
>> so making a sys-net2 as a -C DispVM (with persistent PCI tag)  based on a
>> custom-dispvm-template has more disposable qualities   than
>>
>> just an appvm based on say Deb-9 template ?
>>
>>
>> and hence might be a security protocol  to  make and toss sys-net2 (dispvm)
>> from time to timeor
>>
>> is it very minor and not worth the effort?
>>
> 
> Do you use DisposableVMs instead of a standard appVM?
> Why?
> If you see an advantage there, then you should see advantage in using
> them for sys-.
> Since the effort is minimal I'd recommend.
> 
re:
https://www.qubes-os.org/doc/disposablevm-customization/#using-static-disposablevms-for-sys-

if one does all this  to make a  sys-net2

qvm-create -C DispVM -l red sys-net2
qvm-prefs sys-net2 virt_mode hvm
qvm-service sys-net2 meminfo-writer off
qvm-pci attach --persistent sys-net2 dom0:00_1a.0
qvm-prefs sys-net2 autostart true
qvm-prefs sys-net2 netvm ''
qvm-prefs sys-net2 provides_network true
qvm-prefs sys-net autostart false
qvm-prefs sys-firewall netvm sys-net2
qubes-prefs clockvm sys-net2

don't they also have to edit
$ sudo nano /etc/qubes-rpc/policy/qubes.UpdatesProxy

# Default rule for all TemplateVMs - direct the connection to sys-net
$type:TemplateVM $default allow,target=sys-net

and change it to sys-firewall  or sys-net2

because I'm getting complaint that my pci device is already attached to
sys-net2when  I attempt  updates


if so maybe  the documentation needs another line  to indicate ?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/09d59428-1792-a0c2-3a84-5e6802b7f97f%40riseup.net.

[qubes-users] Re: How can I restore a template from a backup?

[rec wins]

On 8/2/19 8:11 AM, 'awokd' via qubes-users wrote:
> mmoris-dg3qef7t2pdafugrpc6...@public.gmane.org:
>> Hello,
>>
>> I've done a fresh install of Qubes and I'm trying to restore the debian-9 & 
>> fedora-29 templates from a backup, but I'm not able to do it since the 
>> templates were installed by the package manager.
>> Is is possible to restore the templates from a backup or this is only 
>> applicable to the AppVM ? And if so, will the restored templates receive any 
>> updates since they haven't been installed through package manager?
> 
> If you haven't made a lot of customizations to your old templates, you
> should just keep the new ones and repeat customizations where needed.
> Fedora 30 is available now and Debian 10 in a month I'd guess, so you
> might want to just fresh start with those. Otherwise, you can uninstall
> the templates with sudo dnf remove, but you have to make sure no AppVMs
> are using them and nothing in qubes-prefs refers to them. One at a time
> would be easier so you can flip between them as needed. Old templates
> should receive updates once restored, but test.
> 

during restore you could try the  "ignore missing templates" and "ignore
username mismatch"

I imagine you might get away with renaming the new templates  to
fedora-30.new or something   or just uninstall them and  restore the old
backup ones

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/14aa569a-ee3c-7292-ae85-ad147980ff0d%40riseup.net.

[qubes-users] Re: Qubes-OS compatible SSD SAMSUNG.

[rec wins]

On 8/1/19 6:27 AM, 0brand wrote:
> 
>> Good morning I have the following doubt:
>>
>> The qubes-os operating system is compatible with the following SSD disk 
>> models:
>>
>> SAMSUNG 860 EVO?
>> SAMSUNG860 QVO?
>> SAMSUNG860 PRO?
>>
>> I have directly asked the manufacturer SAMSUNG and he has told me that LINUX 
>> is generally compatible, but they have no list of which LINUX distributions 
>> are fully compatible.
> 
> I used the 860 pro in a previous hardware configuration with no issues.
> 
> Regards
> 
> 0brand
> 
> 

old 840 evo  seems to work fine on 4.0.1, not sure about 4.0.2 yet

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ee47394e-bb54-fb81-c75f-da814d6b6b32%40riseup.net.