[qubes-users] How to Install Android on Qubes 3.2 --/-- (4.0)
https://groups.google.com/forum/m/#!topic/qubes-users/0N7sLHBRIdk Here are my notes on this. I was unable to run Android from the qubes virtual system. But adding a second hdd, manually encrypting it, manually mounting and unmounting it after boot... Worked. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3767b733-740c-4ee8-bd95-607ca2003ecc%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] AWUS036NHR v2 issues
Anyone have one of these? 802.11bgn It recognizes but only sometimes sees WiFi networks. Seems to work better when I connect the USB after sys-net is started. It connects to my network but loses service after a minute or two even tho it's still connected to the network. I think the Linux formate package is already installed That would make it work, right? I'm trying to avoid using the Alfa drivers. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b2f48a17-552e-4540-bb2a-bb042fb38798%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Librem 13v2: Qubes 4.0 stuck at loading the desktop
I'm using kde and everything works. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1029a001-5dfc-44dc-ac8b-138bfe79d68f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Help with setting up qubes domains structure
> First, read this. It is very informative. > https://groups.google.com/forum/#!topic/qubes-users/hvGX_Q7gv2o I think about halfway through here a few people mentioned their prospects. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/dbd81db3-c21f-42d4-97a1-ef5bf27cd754%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] I think I found a moderately serious bug. And I could use some help with recovery. (kali/HVM/rootfs)
ok thanks for your input. Ill just reinstall, I suppose. I do have backups!! Cant get them unless I boot into rescue because the usb no longer works without my sys-usb being able to start. I will try to recreate this and see on my second HDD. Ill check the dnf log too. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/146a84b4-1a1a-4bde-8a33-2e19e9b38be6%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Dependency error building Qubes
Please share your experience with qubes-builder! I need help. Is that what you are doing? Check out my notes: I created a Template called Dev. This template is responsible for compiling the kernel and qubes-builder. Its based on the latest stable Fedora. (FC27?) Packages installed include: the list posted here: https://github.com/rtiangha/qubes-linux-kernel/tree/devel-4.14-hard as well as busybox, ncurses, ncurses-devel, rpm-sign, sparse, openssl-devel... and possibly a few others. I set up qubes-builder to run only my current Fedora and the only errors were on Privileges. There is a command I used that fixed most of the privileges, (and I dont have it right now, but I can find it again if anyone needs it) then the errors posted that qubes-builder did not have correct privileges for... oh what was that file it was a common file in the /etc dir I think? Ill have to go back and look that one up too. Hope this helps. Let me know if you have any ideas for me. Ill update this when I get a better grip. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/90ac9b1d-cc6f-49c4-a1a6-dc8e68b645b3%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] suggestion for quakity assurance of documentation
where is your email? I will email you. I too have found many problems. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/11597ae5-f356-4fc4-a598-e50d4534588e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Qubes 4.0 and HVM's
The proper way to create an HVM can be found here: https://www.qubes-os.org/doc/hvm/ HVMs should be created from the terminal in dom0. Open a terminal: $ qvm-create win7 --class StandaloneVM --property virt_mode=hvm --property kernel="" --property memory=4096 --property maxmem=4096 --property debug=True --label green 1. Your NetBSD-vm should have its netVM set as your default sys-firewall. And your sys-firewall should have its netVM set to sys-net. sys-net should then be connected to the internet using NetworkManager or your choice. After that you will start your NetBSD-vm with the boot-cd/iso file. $ qvm-start NetBSD-vm --cdrom=vault:/home/user/Downloads/NetBSD.iso If you start it twice, the second time you start it you should use the automatically created loop device. Otherwise, Qubes will continue to make new loop devices and kill your RAM. $ qvm-start NetBSD-vm --cdrom=dom0:loop1 2. 10Gb is the default for your root file system (rootfs) and 2Gb is default for your homedir. If you didnt change these on your own, then I assume that you would install /root to the 10Gb and /home to the 2Gb. Maybe you should also change the 10Gb to 15Gb? Or 20Gb? 3. Maybe it hangs and does weird things because you did not set all the settings with the terminal, as stated above? Be careful you do not install NetBSD to the wrong partition. Try this: Open a terminal in dom0. Type: $ sudo pvs $ sudo lvs One of these commands will list all of your virtual machines. Take note that any VM you have will list 3 VMs here. I installed kali recently and kali shows 3 different VMs instead of 2. I installed on the wrong one and now qubes is broken. You do not seem to have this problem. You could also change your VM to 0Gb for your private storage and 20Gb for your system storage and see NetBSD reflect that when you try to install. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/251db4ea-f4a0-48fb-8342-f415ff1f4e7d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] I think I found a moderately serious bug. And I could use some help with recovery. (kali/HVM/rootfs)
I tried to install kali again. Last time I couldnt get it to run, but with your help, I correctly created an HVM. Now I did something stupid. When partitioning, you will be shown 3 virtual drives. If you type 'pvs' (or is it 'lvs'?) into the dom0 terminal, you will see 3 virtual partitions: kali, kali-private and kali-root. Or something of the like. I assume that is the 3 that you see in the kali-vm in qubes-manager. Well, one is obviously my rootfs and one is my homedir. The third has a direct correlation with the homedir. So when you change the size of the homedir, so changes the other one. The bug I think I have found is that when this third partition vm, if overwritten, overwrites dom0 from a virtual domain. I tried to install kali on this third vm and the next time I booted Qubes, errors were given that qubes-manager did not exist. I still could boot, but no VMs could start. Its possible that this could have something to do with loop devices and having too many of them, maybe a buffer overflow? But I doubt it. After starting kali repeatedly, loop devices were made again and again eventually denying me any RAM space to do anything including saving a text doc. Now, I really dont want to reinstall everything but sometimes this is much faster than troubleshooting the issue. But does anyone have any good ideas? Ive downloaded the source code for qubes-manager and Im going to try tomorrow to compile it. But Ive never done this before, I dont know what all I have to do. $ sudo make rpms , right? Then what? Im going to have to boot into recovery mode just to get the qubes-manager onto the machine. Can I do $ sudo dnf reinstall qubes-manager? or $ qubes-dom0-update --reinstall qubes-manager? What if I cant get internet access? Is the rpm still on my machine? Thanks many!! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e8a59a06-cc87-4553-aa71-fc2d2b410c90%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Whats the deal with kernels?
I did do that. The problem was that 'misconfigured' file: .rpmmacros. Apparently you have to edit (or make) the file and add _gpg_dir, _gpg_name and _signature parameters. This is only half true. The file that needs to be modified (and possibly bind-dir this file) is not located in ~/.rpmmacros as suggested. The file is located here: /usr/bin/rpm/macros and you do not need to edit anything except the _gpg_name parameter or it breaks. Does anyone know what the different kernel rpms are for? kernel.rpm kernel-devel.rpm kernel-qubes.rpm I guess I would install the kernel-qubes.rpm. I would also guess that kernel.rpm is without qubes things that I probably want. And devel is with lots of debugging that I probably dont need? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b19ae814-592f-4833-844d-606ad15d5149%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Whats the deal with kernels?
Yes, thank you. I have read that entire page, as well as a few other good resources: github.com/rtiangha/qubes-linux-kernel/blob/devel-4.14-hard/README.md github.com/0spinboson/qubes-doc/blob/patch-1/managing-os/compiling-your-own-kernel.md Im running into a problem right at the end. rpm --add-sign /home/user/*.rpm You must set "%_gpg_name" in your macro file I have made the missing file: ~/.rpmmarco %_signature gpg %_gpg_path /home/user/.gnupg %_gpg_name (b4892c28 / mypgp) I still get the error. Can I ignore this? Qubes-Builder docs suggests editing the builder.conf and changing NO_SIGN=1 but that doesnt exactly apply to kernels, does it? I dont need to sign my packages, do I? Im not sure if the compiler is failing at the rpm signing or if its ignoring and finished. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/78ad93c4-42f4-481a-860e-3baa5cafeae7%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Whats the deal with kernels?
Ive been looking at kernel compiling. Ive amounted certain information, but not enough. I see 3 git repos with kernels: qubes-linux-kernel, rtiangha and fepitre. I know I can change versions with $ git checkout *version* I also know that I can download the sources and build them and I would preferably edit a .config file to edit my options and hardware. What I need to know: -how to use the gen-config file. -whats the difference between the config-base, config-qubes and config-qubes-minimal? (well the minimal part is obvious) -I can edit one of these config files to build with my kernel, correct? -I have built a .config using the '$ make oldconfig' command and it was a nightmare. The most effective way to configure a .config is to use '$ make menuconfig' correct? A good balance between my time and control? -Is there a convenient way to merge an existing .config with the qubes .config? Any other tips? Is there a qubes doc on this? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ab88c28f-fe29-4f9f-9041-3d83b4b427e5%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Whats the deal with kernels?
Ive been looking at kernel compiling. Ive amounted certain information, but not enough. I see 3 git repos with kernels: qubes-linux-kernel, rtiangha and fepitre. I know I can change versions with $ git checkout *version* I also know that I can download the sources and build them and I would preferably edit a .config file to edit my options and hardware. What I need to know: -how to use the gen-config file. -whats the difference between the config-base, config-qubes and config-qubes-minimal? (well the minimal part is obvious) -I can edit one of these config files to build with my kernel, correct? -I have built a .config using the '$ make oldconfig' command and it was a nightmare. The most effective way to configure a .config is to use '$ make menuconfig' correct? A good balance between my time and control? Any other tips? Is there a qubes doc on this? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/586471d4-038a-40b6-b593-93b73dc173cc%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: HOWTO: Compiling Kernels for dom0
I mostly followed this page and the GCC error was due to not having GCC-C++ installed. After that, all was well! $ sudo yum install gcc-c++ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c8d51143-a395-4bcb-89ed-183a6df0afd9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: HOWTO: Compiling Kernels for dom0
Can someone please point me in the right direction? I don't know where to look. I've created a standalone Fedora 26 and I'm looking at this page, the qubes page : working with kernel, I've installed every Palast I can think of. Error gcc plug-ins installation does not support plug-ins... U2mfn v 4.0.17 Kernel 4.14.18-1 Dkms add u2mfn = ✓check Yum group install development tools =✓check The other errors don't look important or give any information, I think. (Bad exit, error 2, g++ not found) $ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/483ada7f-b971-4199-b4fb-a4acb5c490fc%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Remove original Template-VM, keeping the package for reinstallation
Hi. I think that was only half of the answer. I have had this problem too: of removing original templates; ie- debian-9, fedora-26. The documentation; https://www.qubes-os.org/doc/remove-vm-manually/ is only viable via templates that are not "installed by (system/dom0)". The GUI gives the error "You cannot remove templates that were installed by (system/dom0)". The TTY gives that error plus many more, even when following the documentation above. I had to reinstall my entire system because I interrupted a backup restore and the restore gave me too many templates that were "installed by system": debian-9; debian-9-1; fedora-26; fedora-26-1 A small bug that should be noted: sometimes when deleting qubes, they still have a target.wants at boot. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5a6cfb6e-eb9a-4e42-9da5-60d0bd695717%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: installation failure when trying rc5 or final iso on lenovo x220 with samsung ssd as target
Look at the custom install Qubes page. Go in the tty3 and format your drive from there according to instructions. Then go back to GUI and try to install. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3dc5769d-e794-4194-bb1b-9b3020ceaff2%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Unable to remove TemplateVM from application menu
Try doing a search for your template name $ find / debian-9 Delete everything you find. $ lvs $ lvremove debian-9 debian-9-root debian-9-swap #(I think!, double check me) $ systemctl disable debian-9 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ed1d8ad6-1b2d-4696-b6fe-57ba8ac9c4ea%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] update from rc04
Open a terminal in dom0 and type sudo qubes-dom0-update -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9a8c8edf-c050-4f0b-9ad1-52f9b833f1fd%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Changing colors?
Thats awesome! The colors did change, however the files were not persistent. Im going to try writing a script that overwrites the files on startup. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/40c5c2d3-6d06-4ba4-a4ac-03329838392c%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: how to add "Files" manually to AppVM
> I tried to attach 1 hdd(storage block) to different vm at the same time) > something like this > > qvm-block attach work dom0:sdd --persistent > > qvm-block attach personal dom0:sdd --persistent > > then if hdd is attached one appvm, it won't work in another appvm(not even > starting a appvm). > > is it normal behavior? Yes that is normal functionality. If you want to add a device with persistence you must have the Virtual Machines turned off. AND you can only have one VM running at a time. The Qubes Team did make a reference to this here. https://www.qubes-os.org/doc/assigning-devices/ "While PCI device can only be used by one powered on VM at a time, it is possible to assign the same device to more than one VM at a time. This means that you can use the device in one VM, shut that VM down, start up a different VM (to which the same device is also assigned), then use the device in that VM. This can be useful if, for example, you have only one USB controller, but you have multiple security domains which all require the use of different USB devices." As well, if you attach a usb device to multiple VMs, you are drawing an attack vector line from one to the next. USB devices, are inherently not trusted. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bf5c94cc-d769-40c8-8bcf-7cc12b093826%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Partitioning Scheme
The real question now is... why can I not create a Physical Vol out of the entire device and is this necessary? I think it is necessary because if you have x amount of bytes not in PV and therefore not encrypted then that is enough for a small attack intrusion, right? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d8ae7bda-2239-49e3-b6cd-8c1e7168080b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Changing colors?
I found the qubes.xml file! I can manually edit the colors and the order of them! But it doesnt actually do anything. Is there a way around this? I want to change the colors and order! I found this: https://github.com/QubesOS/qubes-issues/issues/2523 which suggests that its... not possible in 3.2? But maybe in 4? Im not entirely sure, but it seemed like a maybe. Has anyone done this? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/66442488-da5b-4da1-aa55-d472bbe2ebaa%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Changing Template Name: error this was installed by system
I think that would do it. Thanks. Ive read *almost* everything in the docs and it amazes me when I see something like this that I somehow couldnt find elsewhere! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5a449d76-fc0e-4aa2-89db-caeb2f80b2d8%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Changing Template Name: error this was installed by system
This became an issue when I have a backup qube called debian-9-1 that will also not remove. I have since reinstalled, so no more problem for me at least. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2bb95d78-2b0f-47d8-93b0-5255dc6067ef%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Partitioning Scheme
On Sunday, March 25, 2018 at 7:20:29 AM UTC-4, awokd wrote: > On Sun, March 25, 2018 3:07 am, sevas wrote: > > I had qubes installed without it. I wanted to install android. Android > > didnt recognize the virtual machines. So, I plugged in a 2nd disk. I was > > able to qvm-pci attach my SSD. Android recognized it and was able to > > install. > > I'm surprised this actually worked without trouble! lol! > The options I see for you are: > > A) Go back to 3.2 with the emulated disk controller Android can detect > (see https://github.com/QubesOS/qubes-issues/issues/3651). Not a chance! > B) Wait for someone to add a feature to 4.0/4.1 to change the emulated > disk controller type per VM (or find out if there is a more direct means > to change it). This would let you add both your drives to the same LVM > pool and encryption, and use regular drive images for your HVM. > > C) Dedicate and passthrough the single SSD only for your Android HVM > without encryption etc. Im now thinking about doing this with an SD card. Do you think that would work? Well, Im going to test it tomorrow. > I'm not exactly sure I follow what you've done to this point, so that > might be the safest approach. Fdisk the SSD (assuming there's nothing you > need to keep on it), shutdown your computer, physically disconnect/remove > the SSD, power on and reinstall Qubes if needed. Then power back down and > reattach it. You can then use it with one of the above options. If option > B, suggest manually setting up cryptsetup on it with the same password and > then a separate LVM pool. I could encrypt it from within qubes and decrypt it before use with VM, right? Qubes manages encryption and android is none the wiser. -With Qubes on 2 drives: --Ive tried trimfs and --allow-discard on root and luks --shrinking the pool= no info on google about this --qvm-create BIGVM && dd if=/dev/random of=/BIGFILE.img count=250GB && qvm-remove BIGVM >>shrink pool no cigar >>I'm not exactly sure I follow what you've done to this point, PVcreate: Qubes installation with one m.2 only. Added SSD later. $ sudo pvcreate /dev/sdb #Error device not found (or ignored by filtering) Am I supposed to use $ sudo pvcreate /dev/sdb1 ? I wanted to PV the entire device and not just the partition(s). $ nano /etc/lvm/lvm.conf >#global-filtering = [devices] #No change. >global-filtering = [sdb] #did not fix. >global-filtering = [devices] #did not fix, of course. 'devices' is just >generic for 'add your device here'. But I un-commented it anyway. And >restarted. Im pretty sure Im just misunderstanding the pvcreate tool. I will read up on the correct methods tomorrow too. But some people were using 'global-filtering=sdb' and they could suddenly 'pvcreate sdb' device without partition without errors. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/67cfe244-23b4-414d-97c6-e0d494f27887%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Enhancing Template security?
On Sunday, March 25, 2018 at 8:14:12 PM UTC-4, vel...@tutamail.com wrote: > I am trying to harden my Fedora and Debian templates and was hoping for some > basic help and commands to do the following: > How would I add a service like Qubes-VM-hardening ? Look at Tresnor. > Should I enable AppArmor in a template and VM? One or the other, I think... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bab3592c-d7bf-4ee9-af97-7a1f8de803fb%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Spilt-GPG help - 3.2
I recommend a dedicated vm(not your vault). I also recommend installing kgpg. Thats all I have. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/59e48702-6490-4aa2-85cb-6d72473d4847%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Partitioning Scheme
Red Hat says use vgreduce. vgreduce says theres no space. Ubuntu says enable discard on root. Fedora says discard is dangerous to enable. Qubes says there is no current solution. Confusious says make qube and dd if=/dev/random and delete qube. A liar said fallocate would allocate all the memory. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f9de2557-6c97-42df-9deb-948dce3730b8%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Partitioning Scheme
A alternative thought that doesnt require any knowledge on my part would be to install qubes twice. Once on each device. Then format the 2nd device from inside the 1st qubes install. Keeping the LVM and LUKS while maintaining separation. Then I should be able to mount the device without any issue... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c2faccf2-9e45-4137-b56a-e275dd5e10b9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Partitioning Scheme
>From my understanding, LVM thin partitioning allows qubes to use 'pools' to actively change... sizes or something for VMs. I wasnt sure how to remove the drive before installation. Without having the PC open while it was running and remove the hard drive after partitioning and before installation. Which I suppose I could do. I doubt it would hurt anything. But I didnt. Heres what Im trying to do. I had qubes installed without it. I wanted to install android. Android didnt recognize the virtual machines. So, I plugged in a 2nd disk. I was able to qvm-pci attach my SSD. Android recognized it and was able to install. However, my disk was not encrypted and I wanted to move it into the qubes LVM so it would be encrypted and then pci attach it. So, I formatted it using Parted and fDisk, respectively. Then I tried to convert it into a Physical Volume. I was able to PVcreate the partition (sda1), but I think I need to grab the whole disk, right? PVcreate sda gave the error: #device not found (or ignored by filter) A quick search directed my attention to /etc/lvm.conf where it said to comment out the line 'global_filter' #global_filter = [ "a|./|" ] Mine was already commented out. They also said add my device in there. global_filter = [ "a|sda|" ] Of course, restart machine. Nothing. They said to use Parted instead of fdisk. And use partprobe And check /proc/devices (still there) And use PVcreate -vvv ...same info. I gave up. Couldnt find the answer. I installed again. And when attaching my SSD to the HVM, my machine crashed and will not start again. So that bombed. $fsck /dev/mapper/qubes-dom0-root seemed to have solved this. My idea to fix this is one of two. Either figure out how to PVCreate /dev/sda which means reinstalling everything again. Or. Figure out how to shrink the qubes 'pool' to not include sda and maybe create a new Volume Group for sda which I can qvm-pci attach to specific qubes. Or. qvm-pci attach usb controller and run android off usb. However this is not ideal because my internet connectivity is hosted via usb and that removes all tunneling. One way or another, I do need to remove this ssd from dom0 and app/templateVMs. Thanks for your patience with this. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/aac99bf1-c7dd-4ad1-8f3c-c72edb9a38e0%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Changing Template Name: error this was installed by system
I just tried to remove some of them. Well, actually they were a % of a whole backup system qube and I did not finish the restore. $ qvm-remove --force-root qubeVM # Traceback: File /bin/qvm-remove, line 5 in sys.exit (main()) /usr/lib/python3.5/site-packages/qubesadmin/qvm_remove.py, line 47 in main del args.app.domains[vm.name] /usr/lib/python3.5/site-packages/qubesadmin/app.py, line 104, in __delitem__ self.app.qubesd_call(key, 'admin.vm.Remove' and base.py followed by error: installed by qubes manager. Any ideas? Thanks again. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a9a567e6-080c-4487-a8ee-64c4bf5a98a4%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Partitioning Scheme
I have a very slow SSD and a very fast m.2. I am installing qubes on them together. Does qubes automatically install dom0 to the m.2? The boot partition is showing as m.2. I will be qvm-pci attach-ing the ssd to 1 or two specific qubes. Everything else should be m.2. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/622bc294-88c9-47b8-896f-fc0d120431ee%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Install Android-x86 on HVM
I have managed to install by attaching a 2nd HDD to my PC. in dom0, qvm-pci attach --persistent --option no-strict-reset=true 00:{myPCIsataDev}.0 Everything seems to be working... except for the mouse, of course. Otherwise, drive-able. When I shut it down and restarted, it did not boot. I will try again but Im reinstalling Qubes because 'PVcreate' wouldnt allow me to PV the whole device (/dev/sda) only partitions. So I will try again later. I imagine that this could also be done with a pci attach usb controller and have it installed to a thumb drive. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8d198b8e-63e6-4289-a852-e89d1b0a6130%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Install Android-x86 on HVM
Im looking into this and Im thinking that if you add a second HDD you can plug Android into the 2nd HDD and install it. Im about to try. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4ea72d70-e2d2-4032-9490-a6d556d52839%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How to update default template VM?
Not at all. You should be able to use the GUI, if you choose to do so. Linux environments tend to be command line environments. You will occasionally find things that cannot be done via GUI, so its a good idea to learn how to do things from the client. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/31ee72a6-c1fc-4c03-9514-7e7ea26c04f6%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: T520 for Qubes 4.0 , can I / should I boot Win7 HDD, and Qubes 4.0 from an SSD?
Im not for dual booting, but it seemed like a maybe. But thinking more on it, you would be putting your files at risk. If you are running Qubes with the Windows partition not running but attached, then it would be very vulnerable with, hypothetically, lots of attack surface. However if you are running windows with your Qubes partition encrypted and 'safe', then Windows (and all of its rather large attack surface) would be like leaving the screen porch unlocked so now the thief can come inside to look for a way in, rather than standing in the road to look for ways in. Rather, they could gain continued access to windows, and slowly chip away at your Qubes OS while you are working in your Windows OS. The only way to combat this (and do not consider me knowledgeable) would be to switch HDDs every time you switch OS. These other users in this post definitely know more than I do, but Im just trying to help where I can. *This advice is only considering that you are trying to protect your data and takes no consideration for your privacy. You are aware that you can install windows in qubes? On the model of pc, I have the i7 with 16gb ram and an Intel SSD 545s Series and it takes what seems like 15 minutes to boot the system. Ive attributed this to the SSD. Go ahead and set +$100 aside for a NVMe m.2 SSD. What I currently have is manageable, but sometimes becomes rather annoying. Mainly during startup and shutdown. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/85c1a674-ab2e-49ab-887c-84e0f2875743%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How to update default template VM?
debian updates with "sudo apt-get update && sudo apt-get dist-upgrade" Whonix should be the same, ("apt-get" or "yum"), but Im not entirely sure. Keep an eye on your logs (journalctl) and your RPC Policy. Your RPC Policy suggests that Whonix will update through Tor, $tag:whonix-updatevm $default allow,target=sys-whonix so make sure sys-whonix is running. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c027664b-0191-4cf0-9e78-a808330ab7dc%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How to update default template VM?
debian updates with "sudo apt-get update && sudo apt-get dist-upgrade" Whonix should be the same, ("apt-get" or "yum"), but Im not entirely sure. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ab8cd218-d7a1-4842-9bb9-83a536fd5313%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: T520 for Qubes 4.0 , can I / should I boot Win7 HDD, and Qubes 4.0 from an SSD?
Dual booting is only secure if you remove the HDD/SSD with the other operating system on it. having two hard drives is essentially, no more or less secure than having one. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/936a47b8-d3bb-4af1-b921-b594ced5cac2%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How to update default template VM?
Templates do not need to connect to anything. Open a dom0 terminal (xterm/uxterm) and type 'journalctl -f' then open a fedora-26 terminal and type 'sudo yum update' then tell us what it says on the dom0 journalctl output. Type 'sudo vi /etc/qubes-rpc/policy/qubes.UpdatesProxy' Its going to look like this: $type:TemplateVM $default allow,target=sys-whonix $tag:whonix-updatevm $default allow,target=sys-whonix $tag:whonix-updatevm $anyvm deny ## Note that policy parsing stops at the first match, ## so adding anything below "$anyvm $anyvm action" line will have no effect ## Please use a single # to start your custom comments # Default rule for all TemplateVMs - direct the connection to sys-net $type:TemplateVM $default allow,target=sys-net Make sure the last line points to your sys-net. Go into your sys-net qube settings. (Right click>settings>Services) Go to the last tab, Services. Type "qubes-updates-proxy" click add. If the qube is running, open a terminal and type "systemctl restart qubes-updates-proxy" -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0aa3941b-3d2c-485d-be68-d8534a0eae34%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: How to update default template VM?
Check the RPC Policy; for updates. /etc/qubes-rpc/policy/qubes.UpdatesProxy Make sure your sys-net is the correct one. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/176f39f0-af9b-4669-81fa-158af4f1a648%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] vPro and Qubes
vPro = bad. That GitHub page does not recommend vPro. It states that AEM uses a feature of vPro to detect if vPro software (BIOS) has been tampered with while you were away. Then you can throw your computer in the trash when AEM throws up a red flag. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/27270467-3407-4377-a18c-9c14b10cae74%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Mainboard buying advice :: Should we still avoid mainboards with Intel vPro ??
Tai, I would be interested to hear what you would recommend for a qubes laptop. I just bought in to the intel blob myself. Is it feasible to build a custom laptop? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3ad6dab2-4e0f-4376-82f0-c74b5273c926%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: FYI: Kernel Hardening; a discussion (2018)
I looked at that. Its a pretty cool direction. I had read some article that said they were teaming up with a provider that offered end-to-end encryption so you get the whole kit and caboodle. I wanted to install something less offensive on my galaxy, but it turns out Verizon phones are trash and cant even unlock the bootloader. Purism is also doing cool phone stuff. A phone run on linux. So you can install whatever OS you want. And a screen handling program to resize everything. They also are working on the end-to-end angle. I was unaware of the narrow options for kernel hardening and the drama. Just part of my research and -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1f6fec55-0f31-45f7-9fa5-3b86b8cbe581%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: FYI: Kernel Hardening; a discussion (2018)
I do find that very interesting and Ive saved the website for further investigation a little later. Thanks for that! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a44f5a0d-3618-4a64-befc-c2129b33179f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] dom0 memory allocation (Qubes Manager default memory settings)
Im looking around at dom0 memory management. I found some Xen server stuff that has equations for figuring your mem mgmt. Is allocation important? It must be. When they say memory, theyre talking about ram, right? Not HDD memory? Thats a stupid question, of course they are. dom0_mem = 502 + int(physical_mem * 0.0205) 2 GB 543 MB 4 GB 585 MB 8 GB 669 MB 16 GB 837 MB 32 GB 1173 MB 64 GB 1845 MB 128 GB 3188 MB 256 GB 5875 MB 512 GB 11249 MB 1024 GB 21997 MB 2048 GB 43493 MB I upgraded my ram from 2 to 16. So Qubes was installed with 2gigs of ram. I set qubes up while I waited for the ram to arrive. So I need to update Qubes Manager and all the VMs, right? Currently, I have Minimal qube memory: 134MB dom0 memory boost: 236MB So Im changing this to dom0=837 and 469... Good or nah? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9db8d495-fe49-46aa-b797-126334f1b984%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: anyone else get hit by google's auto-deleting qubes users mail responses the moment they are send?
actually... maybe I did. I made a reply to the KDE/Template sec discussion and it was gone. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/07ab9091-2c93-44e9-89bc-1edcb698540c%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: anyone else get hit by google's auto-deleting qubes users mail responses the moment they are send?
I have not experienced this and you may be right, it wouldnt suprise me from them these days. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ef30591b-62f2-4528-bd5c-f042d6a059a3%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: FYI: Kernel Hardening; a discussion (2018)
I did not mean to go so far south with the above statements. So heres my additions for alternatives... CopperheadOS is doing a project still early in the making on reawakening the open source kernel hardening. The GitHub page can be found here: https://github.com/copperhead/linux-hardened/issues ...which are limited. If anyone has any information on the ColdHak.ca kernel hardening project, please let me know. I have sent messages to two of the ColdHak members and am awaiting response. My question is about what features to expect in their project. As their website has no information on what it actually does. As well, the last and only update was from a little over a year ago, it does not appear as if they are still working on this. Update: One of the members of the ColdHak Team has reached out to me. What was not understood was that the ColdHak Project was an automated tool for building GrSec. The project was killed when GrSec closed the doors to open source developing, as mentioned above. above. There does not appear to be any active design for those who wish to change the -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/aa009611-3d13-40d3-9c18-d4ba54f625dc%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: FYI: Kernel Hardening; a discussion (2018)
I did not mean to go so far south with the above statements. So heres my additions for alternatives... CopperheadOS is doing a project still early in the making on reawakening the open source kernel hardening. The GitHub page can be found here: https://github.com/copperhead/linux-hardened/issues ...which are limited. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4f52c48d-2c51-420c-a7c9-9ec723de270e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] FYI: Kernel Hardening; a discussion (2018)
For those of you who are fresh like myself, Im going to compile some information Ive found on Qubes Kernel hardening. And for the tech savvy Qubes junkies, also like myself, lets have another discussion! Of course anyones welcome to add their 2 cents or drop a dime. ~Things that I think are facts but might not be as of early 2018~ 1. Qubes does not incorporate kernel hardening. 2. GrSecurity is really great security? (Discussion/opinion below) 3. The Coldkernel Team is working on Qubes kernel hardening. 4. GrSecurity is working close with PaX. Q - Why should you care? A - Kernel Hardening protects against many forms of L337 H4X0R5 and monsters. ~More pseudo-phacts~ 5. "PaX is maintained by The PaX Team, whose principal coder is anonymous" -cite: https://en.wikipedia.org/wiki/PaX 6. GrSecurity is really great security but very few distros use it. -Why? An extrapolation on this below. 7. Q - Why is Qubes not integrated with GrSecurity/PaX? A - "Grsec is dead (at least as an open source project), so it doesn't apply anymore." -marmarek (dev) 8. Q - How can we easily incorporate kernel hardening into our Qubes? A - Directly into your qubes just like this: https://coldhak.ca/blog/2016/12/12/coldkernel-qubes-1.html ~On GrSecurity/PaX~ GrSecurity, allegedly, is a really great form of kernel hardening. A brief look at their wikibooks.org page tells you that they have done their homework. Notably, there are features that Qubes users would find very appealing. Upon further investigation, it seems as though this is not an open source project, meaning that only the inner core of developers works on maintaining and updating the code, but the source is still free to distribute so long as its not changed, from my understanding. (cont. below) cite: https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options GrSec doesnt keep their docs well maintained and the setup uses lots of jargon/acronyms that are not for modest users. -misquote, Qubes user, April 2017 -drawbacks to GrSec: -you have to pay for support to keep up-to-date with patches -the likely-hood of users scrutinizing the code is much smaller than open-source development GrSec, while it sounds good, is aimed at a different breed of user-base. I really like the idea of (excuse my lack of proper technical terms) a non-profit that still gets paid. I have no idea how it actually works, but I assume that people that believe in a presented idea donate and developers get paid to preform a civil service. That is a really sound business plan. Sure, lots of people do not donate. Alternately, lots of people DO donate. For instance, Kali Linux. They offer a free to the public open source service: the hacking distro, originally Backtrack Linux. They needed more money, so instead of living off of donations, they created the OffSec brand training and certifications. OffSec and Kali: two mostly different products that do not solely rely on each other. Or I should say, Kali does not rely on OffSec. The difference that Im hinting at is that GrSec does not support this freedom. Its subtly obvious that between not keeping the documentation up-to-date and the software itself being hard to understand, they have made the open source 'project' extremely difficult for the end user. It is only really feasible for enterprises. To reiterate in a somewhat prejudice, unprofessional manner: Theyre not open source because they believe in open source. Their heart isnt in it. Back to business. "In late June, noted open-source programmer Bruce Perens warned that using Grsecurity's Linux kernel security could invite legal trouble." -theregister.co.uk pseudo-facts: Bruce Perens posted a blog article in late June of 2017 that concluded that anyone who compiled their kernel using GrSec was subject to "contributory infringement and breach of contract" due to the GNU policy declining the modification of code. At first glance, it would seem that Perens did slander this company and some would argue that this accusation would be a far-fetched plausability for a company that is only insuring themselves. But as the security community well knows and lawsuits have well-documented, corporations often blur the lines between property dispute. The month after Perens posted his blog, the stated company lashed back as would a person deeply hurt by critique. I wouldnt think that slander would warrant a lawsuit, but a lawsuit it was accusing Bruce, his webhost and others of defamation and business interference. This does not make them stand out from other companies. After all, Cisco sued DefCon in 2005 for similar reasons of exposing vulnerabilities in their routers. But this is the nature of what makes security SECURE. Exposing loopholes and plugging them. And this company acted with a most unbecoming maturity. cite:
[qubes-users] Re: How do I create an HVM?
Oh right. errors too. # got empty response from qubesd. see journalctl journal #protocol error for call b'admin.vm.Create.hvm'+b'' -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6f4494f4-10ff-4c8e-a812-e668d8a2bbe8%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] How do I create an HVM?
Been following the docs and I cant get it. qvm-create --hvm #No such argument qvm-create --HVM #No such argument qvm-create --class hvm qvm-create --class=hvm qvp create --class hardwareVM you get the picture. I must be missing something. I just want to start an iso from a VM. Im forever in your debt. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/be7d2d3b-7022-444a-82a7-8c620034f139%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Kali-rolling issue: kali-defaults collides with qubes-core-agent
By recommends I assume you mean the questions during install of kali-packages-full or whatever its called. I tell it not change anything like "should this package have root privileges or give users privilege?" and I say NO! The only other questions I received were Do you want to install grub? and Do you want to to set this service to have its own domain (lots of sniffing traffic) or work inside sql (little traffic)? And I gave it its own domain I think. Or I picked the option for lots of traffic. That doesnt sound too bad if I can easily overwrite the packages as needed. Ill give it a shot soon. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7b050881-3450-458a-99a2-3a2a0da32352%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Security questions (templates and kde)
I couldve sworn I replied to these... Well, thanks to everyone who put their 2 cents in! There is some stellar advice in here! Im going to have to go back later and read this whole thread and write down bullet points... Heres what I have so far. Templates 3 catagories. 1) original (stripped of programs I dont want) 2) default (default template with minimal added functionality apps added) 3) network enabled #2 is divided into a. default (default template with minimal added functionality apps added) b. EVERYTHING (everything that doesnt need internet access) #3 is divided by program. One for GPG keyring, one for browsing, one for banking, one for keepassx... and sys-net/firewall in one (which Im going to split now, Thanks Steve!)... although keypass is not networked. But thats all templates. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/da482d35-ffe0-4c88-9151-9cb6524c2467%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes os resolution issue
Im thinking about installing it on a test qube soon. I dont entirely understand how kde on a template will make a difference when the desktop is in dom0. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1c99fcb7-67d2-44f1-bd77-31469e7efef1%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Kali-rolling issue: kali-defaults collides with qubes-core-agent
ok so, I do a Force-Overwrite and then when qubes-packages need to update, I can do another Force-Overwrite? Or I could remove the conflicting package, I assume after the install completes. I noticed that it tries to install grub, macchanger and probably many others I dont really need in my kali-rolling VM. -=I WILL KEEP A RECORD OF MY KALI TRIALS HERE=- Katoolin installs the old kali repos. These are not as well maintained or may not even exist... They arent even mentioned on the kali website anymore. -Yes Katoolin, after installing repos, updating and dist-upgrade; updates exactly zero packages. katoolin doesnt seem very helpful for templates so far... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/24d36b78-bf3e-433f-a020-219b9e2f13ea%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Qubes os resolution issue
May I suggest installing the KDE5 desktop? In kali, I know that there is an options menu to change the zoom or something. Its at the very bottom of the settings menu in Kali KDE desktop. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fe3b022c-8ffe-465d-a78f-69b516e08250%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Can't install software in fedora-26 template: "Failed to synchronize cache..."
glad I could help! I just went through this last week. Even though I changed the settings in qubes manager to point to custom-sys-net, my RPC policy still said sys-net: < # Default rule for all TemplateVMs - direct the connection to sys-net $type:TemplateVM $default allow,target=sys-net /> I deleted the original sys-net because it wasnt letting me change the name of it. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a1165aca-880e-4b60-aa51-b9c1551841d2%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Can't install software in fedora-26 template: "Failed to synchronize cache..."
On Friday, March 9, 2018 at 2:53:41 AM UTC-5, sevas wrote: > I deleted my original sys-net and sys-fw and I received similar errors. What > I did to fix it was > > dom0$ sudo nano /etc/qubes-rpc/policy/qubes-update-policy > > and fixed the command which was pointing to the wrong sys-net. Similar errors being that debian would update but fedora gave me that same error. Good luck. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e8e4fa03-47ac-47de-ac83-efb747bc83cd%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Can't install software in fedora-26 template: "Failed to synchronize cache..."
I deleted my original sys-net and sys-fw and I received similar errors. What I did to fix it was dom0$ sudo nano /etc/qubes-rpc/policy/qubes-update-policy and fixed the command which was pointing to the wrong sys-net. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/24b75246-139a-43ee-a740-b99f7d740e92%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Kali-rolling issue: kali-defaults collides with qubes-core-agent
Im reviving this. I get the same errors about conflict of qubes-core-agent. trying to overwrite '/etc/dconf/profile/user', which is also in package qubes-core-agent 4.0.20-1+deb9u1 dpkg-deb: error: paste subprocess was killed by signal (Broken pipe) How do we solve this? Im going to attempt the HVM method. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2e7d9870-976a-4ef4-894d-5145f496fe14%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Recommendations for fully compat Wireless/my usb errors
Been looking through the files and google trying to find out how to make my USB wireless card work. I didnt try no-strict-reset or permissive mode because it said something something SECURITY something and so I skipped over it without a second thought. After hours and hours of troubleshooting, I realize that that was my problem. I needed no-strict-reset because of FLR. I have no idea what FLR is. Bus 001 Device 006: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter I guess thats my card. One of those RT numbers. Anyway. I have a few questions. Question 1: Should I fix my wireless card with a car or a hammer? Question 2: What kind of wireless card should I buy or what should I be on the lookout for to make sure its compatible with qubes? (long range for bonus pts!) Question 3: What kind of security am I forfeiting when I use this frothy no-strict-reset card? Question 4: Is there anything I can do for my card? Heres the error output: I think one of these 1st two sections is the output when the VM is already started and I attach the device and the other is when I start it with the device already attached. Or maybe not. It could the the before and after of dom0$ qvm-prefs -s netvm kernelopts "iommu=soft swiotlb=16384" Who knows Not me, I mean. dom0 lvm[923]: Monitoring thin pool qubes_dom0-pool00-tpool. dom0 qubesd[9781]: b' WARNING: Sum of all thin volume sizes (328.68 GiB) exceeds the size of thin pool qubes_dom0/pool00 and the size of whole volume group (166.68 GiB)!\n' dom0 dmeventd[923]: No longer monitoring thin pool qubes_dom0-pool00-tpool. dom0 lvm[923]: Monitoring thin pool qubes_dom0-pool00-tpool. dom0 qubesd[9781]: b' WARNING: Sum of all thin volume sizes (338.68 GiB) exceeds the size of thin pool qubes_dom0/pool00 and the size of whole volume group (166.68 GiB)!\n' dom0 libvirtd[9825]: 2018-03-08 05:27:18.209+: 9861: error : virPCIDeviceReset:1002 : internal error: Unable to reset PCI device :00:14.0: no FLR, PM reset or bus reset available dom0 qubesd[9781]: Start failed: internal error: Unable to reset PCI device :00:14.0: no FLR, PM reset or bus reset available dom0 dmeventd[923]: No longer monitoring thin pool qubes_dom0-pool00-tpool. dom0 lvm[923]: Monitoring thin pool qubes_dom0-pool00-tpool. dom0 qubesd[9781]: b' WARNING: Sum of all thin volume sizes (328.68 GiB) exceeds the size of thin pool qubes_dom0/pool00 and the size of whole volume group (166.68 GiB)!\n' dom0 dmeventd[923]: No longer monitoring thin pool qubes_dom0-pool00-tpool. dom0 lvm[923]: Monitoring thin pool qubes_dom0-pool00-tpool. dom0 qubesd[9781]: b' WARNING: Sum of all thin volume sizes (338.68 GiB) exceeds the size of thin pool qubes_dom0/pool00 and the size of whole volume group (166.68 GiB)!\n' dom0 libvirtd[9825]: 2018-03-08 05:27:18.209+: 9861: error : virPCIDeviceReset:1002 : internal error: Unable to reset PCI device :00:14.0: no FLR, PM reset or bus reset available dom0 qubesd[9781]: Start failed: internal error: Unable to reset PCI device :00:14.0: no FLR, PM reset or bus reset available dom0 dmeventd[923]: No longer monitoring thin pool qubes_dom0-pool00-tpool. This was definitely during attach while VM running: ERROR: Devices tab: Got empty response from qubesd. see journalctl in dom0 for details. followed by: dmesg: [ 122.885838] xhci_hcd :00:14.0: USB bus 2 deregistered [ 122.889909] xhci_hcd :00:14.0: remove, state 1 [ 122.889917] usb usb1: USB disconnect, device number 1 [ 122.889918] usb 1-5: USB disconnect, device number 2 [ 122.982262] usb 1-6: USB disconnect, device number 3 [ 122.982600] usb 1-7: USB disconnect, device number 4 [ 122.984305] xhci_hcd :00:14.0: USB bus 1 deregistered [ 122.984842] kauditd_printk_skb: 5 callbacks suppressed [ 122.984843] audit: type=1130 audit(1520492985.409:136): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-rfkill comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' [ 122.989660] pciback :00:14.0: seizing device -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b951c3a3-0b25-443b-ab4b-15e1737942f0%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Qubes OS 4.0-rc5 has been released!
lol My problem was that I didnt read the date on the paper which was yesterday. I had already downloaded and installed it before I realized that it was out. Despite that the article came up on my phone and this post as well came up 24 hours later. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f921c714-2e05-405a-904c-4dd29dfb2d0d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Changing Template Name: error this was installed by system
Can I not change the name of my system installed template names? I really want to change them. I want to change them to original-debian-9 - original-fedora-26 I am having trouble remembering not to edit the actual original templates and I find myself often wanting to revert my changes. However Im afraid to use the qvm command because it put me through a lot of stress last time. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c158c4c6-d616-4199-8163-87066f524d3b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Qubes OS 4.0-rc5 has been released!
Whoo hoo! I went to download qvm-dom0-update and it says no new updates available -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f6a9802f-d5d6-4466-a58a-2866f8f57831%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: qubes-dom0-update (3.2) failing with error message
I think I *maybe!* had this problem and fixed it. Im no specialist, but try this. It wont hurt. qubes-dom0-update --clean qubes-dom0-update kernel-qubes-vm kernel qubes-core-dom0* restart. Probably wont work, but give it a shot. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/32d06e65-9382-44b4-92f0-a9afe507cc05%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: How to fix an empty dom0 application menu
Thanks! Im making a note! +1 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/530860bb-0b5f-4e92-8a66-38042912e2fc%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Security questions (templates and kde)
Cool. That gave me some ideas. Thanks for sharing your setup. So, another infosec question Im trying to figure out... Templates Vs AppVMs. I find myself with, currently, 8 templates and growing. This is because I am installing different programs in different VMs and Im not wanting to install all my programs into a single VM. Of course, one solution is to install all my programs into a single templateVM and only enable the programs I need in the AppVM. But it seems more secure to me if I keep different templates for different needs and then create a AppVM to run them in. Is this good or am I wasting my time and hard drive space? For instance I have a template specifically for one set of sys-net/sys-firewall and another template for sys-net2/sys-firewall2. And another the vault and more to come. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4a6275f8-6b6b-4ce4-89d6-a7a450162b98%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Security questions (templates and kde)
I wasnt going to say anything... lol. But I was leaning towards debian. But fedora. Thats Red Hat. They are the leading administrative suite as far as I know. Or were. They must have good security or whos going to throw up a server? >In particular, Fedora's downfall is that its one of the very few distros >that don't sign/secure their overall software manifest; a MITM attacker >can prevent you from receiving specific bug fixes without you realizing The above statement reminded me that it says that in the docs. And that does seem like a make or break statement for template choices. Key signing is a fine implementation on qubes. ha, I did read that one too about the ugly kde. @Yuraeitha I havent quite tackled the security through compartmentalization part yet. I have put some thought into it though, and after dividing my attack surface between functions (keyring, passwords, misc files, etc) I realized that each function has only one app to go with it. So I may as well just have one app running in each VM. Or in the case of splitVMs, multiple apps for each program! I would love to hear how you divide your VMs up. I was looking for examples online, but I couldnt find any; aside from an (ITL?) essay I read last year. But starting easy and growing is good advice. >In particular, Fedora's downfall is that its one of the very few distros >that don't sign/secure their overall software manifest; a MITM attacker >can prevent you from receiving specific bug fixes without you realizing The above statement reminded me that it says that in the docs. And that does seem like a make or break statement for template choices. Key signing is a fine implementation on qubes. @Tim W >Correct. I have had both on and functioned fine. Thats good to know. I know I read somewhere that it was buggy with 3.2, I think? As far a attack surface goes, I like using konsole better than xterm or uxterm and when installing that on debian or fedora, it required many dependencies. I removed it, but Im going to take a second look. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/674efcc2-48b2-4956-ae64-6fdcddbc8365%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: I broke Qubes with template reinstall...
Reference: https://groups.google.com/forum/#!topic/qubes-users/5eJF__5UBAc Apparently many people suffer from this problem. After reinstalling the a few dire programs, everything seems to be working. Only problem is that the dom0 applications menu is gone. Possible solution here: https://groups.google.com/forum/#!topic/qubes-users/lsED7b1qVjw Im not messing with it. I reinstalled. Qubes Installation media does not (and did not previously) like partitions with things on them. A quik trip over to the bash prompt and a little fdisk and mkfs.ext4 and were right as rain! reinstalling templates seem very unstable... Im not doing that .ever. again. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7a72c8c6-21f3-40a5-828d-c9ad08008bf6%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: I broke Qubes with template reinstall...
dom0$ qubes-dom0-update --clean #Clean yum repos... dom0$ qubes-dom0-update qubes-core-dom0* ## find: '/var/lib/qubes/dom0-updates/var/cache/yum': No such file/directory ## Installing *linux-debug *vaio-fixes(1/2) dom0$ qubes-dom0-update --gui ## xterm: cannot load font '-misc-fixed-medium-r-semicondensed--##-##-- dom0$ qubes-dom0-update --action=downgrade ## yum version in sys-firewall does not support --downloadonly option ## Error: downgrade not supported dom0$ qubes-dom0-update --action=install ## find: '/var/lib/qubes/dom0-updates/var/cache/yum': No such file/directory dom0$ qubes-dom0-update --action=upgrade ## No upgrade available ... wait for it . DOOM dom0$ qubes-dom0-update qubes* ## -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0623ce6b-c779-423d-8bbc-3836818c45d6%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: I broke Qubes with template reinstall...
A little more info... Qubes 4.0 rc4. Starting Debian-9 returns error that /var/lib/qubes/something doesnt exist. Is there a keyboard command for opening the dom0$terminal? This is crazy. Im afraid to work on it now. dom0$ for VM in `qvm-ls --raw-list`; do qvm-prefs -s $VM kernel 4.14.13-3; done dom0$ for VM in `qvm-ls --raw-list`; do qvm-prefs -s $VM kernel default; done ## kernel not installed ## qubesadmin.exc.QubesPropertyValueError: Kernel 'default' not installed dom0$ qubes-dom0-update ## No updates available. sys-net$ ping google.com ## good dom0$ qubes-dom0-update kernel ## Complete! dom0$ restart dom0$ for VM in `qvm-ls --raw-list`; do qvm-prefs -s $VM kernel 4.14.13-3; done ## qvm-prefs: error: no such property: 'kernel' dom0$ qubes-dom0-update kernel-qubes-vm ## Complete! dom0$ restart -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/820918db-4858-4ab9-a81e-ae85a1649e24%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: I broke Qubes with template reinstall...
A little more info... Qubes 4.0 rc4. Starting Debian-9 returns error that /var/lib/qubes/something doesnt exist. Is there a keyboard command for opening the dom0$terminal? This is crazy. Im afraid to work on it now. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3614616f-2058-4f6f-b735-2385a2384111%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] I broke Qubes with template reinstall...
dom0$ sudo qubes-dom0-update --action=reinstall qubes-template-debian-9 Now my dom0 menu is gone. No more terminal. No more Qubes Manager. No more... anything... I gave up immediately and thought I would reinstall Qubes. Well, that was a fail too. Qubes installer freezes when I click Continue on the first page. Any suggestions?? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cdb1543a-6c97-45e7-ab2e-d95c19393115%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Security questions (templates and kde)
Thank you both for this enlightening talk, and especially Yuraeitha for such a lengthy researched opinion! We speak of stability. Stability and vulnerability go hand in hand, dont they? I love the kde plasma desktop and I would like to have it. But it looks like a complicated GUI that probably is not as secure as something more simple. But again, the non-root GUI is not going to connect to the internet. My previous feelings were to use one template for internet access and one for background/desktop/personal use. But that may not be needed since applications available in a template are not necessarily used in the appVM. Is that correct or would there be some data leak? XFCE is something I havent used in a long time, but I will surely look into my customization techniques before I make a big move. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/189c4ff2-0d71-4244-a51f-0a6f0dec1f3a%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Security questions (templates and kde)
Does choosing a TemplateVM have any tactical advantage to security? Does installing KDE have any tactical disadvantage to security? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/32ffe776-6876-4b12-8a21-e76d6dd74818%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Trouble updating templates
Yes. My updateVM was set to custom-sys-net. I changed it to custom-sys-firewall, as you recommended. I am very unfamiliar with the command-line (thats called bash, right?) tools. But qubes-prefs updatevm custom-sys-net = yes. What I actually did: sys-net$ yum clean all yum repolist all # There are no enabled repos. dom0/sys-net$ systemctl status updates-proxy-setup # No such service. dom0$ systemctl status qubes-updates-proxy # No such service. sys-net$ systemctl status qubes-updates-proxy # good sys-net$ systemctl restart qubes-updates-proxy sys-net$ spt-get update # No new packages. debian-9$ sudo apt-get update # No new packages. Fedora-26$ sudo yum update # 84 new packages. What I think did the trick: Im not sure exactly what did it, but it must have something to do with 1. dom0$ qubes-prefs updatevm sys-firewall 2. $yum clean all; 3. as well as re-enabling the qubes-updates-proxy in the Qube Manager sys-net:settings>Services tab (which I had added and removed multiple times) 4. sys-net$systemctl restart qubes-updates-proxy Thanks for your help, youre a Light Sabor! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/44e8459b-66e9-4119-a5c9-440aa9ae022c%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Trouble updating templates
> Normally you shouldn't have to edit this file. Did you set qubes-prefs > updatevm custom-sys-net? (And why sys-net instead of sys-firewall)? Might > also want to clear dnf/yum cache in custom-sys-net. should it be going through the firewall? The default settings send through sys-net. Yeah, I dont have a reason. I want it set up correctly. I see that I need to research qubes command line tools. I will try this soon... Unfortunately, I have not done any qubes-commandline work yet. I started to edit that file because of /doc/software-update-vm/#updates-proxy ="Technical Details" Thanks for taking the time! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5ba6c754-d2e4-464f-9bd8-6edc7da506be%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Trouble updating templates
ooh I spoke too soon. Its not working. Its helping! But journalctl returns: Template > allowed to sys-net Fedora template says failed to synchronize cache for repo "updates" Debian says the same as it did previously. And next to the "state" entry of the Qubes Manager, they both have a down arrow next to the green dot that says they are running. What does that mean? Please excuse me while I go dig through the docs and google. [EDIT] fedora forums says: add your proxy to /etc/dnf/dnf.conf vim /etc/dnf/dnf.conf Qubes says: You may be encountering issue #3135 What happens after running systemctl restart qubes-updates-proxy in sys-net ? https://github.com/QubesOS/qubes-issues/issues/3135 testing... [Edit #2} Fail. journalctl -u qubes-updates-proxy.service -empty- Thats good, right? /etc/dnf/dnf.conf ## This file is overridden by qubes-rpc/policy/qubes-UpdatesProxy /usr/lib/qubes/updates-proxy-configs ## You cannot save changes to this file. dom0: nano /qubes-rpc/policy/qubes-UpdatesProxy # default ## $type:TemplateVM $default allow,target=sys-net # edit#1 $type:TemplateVM $default allow,target=custom-sys-net # edit#2 $type:TemplateVM $anyVM allow,target=custom-sys-net Still not working... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4726e11a-3d46-4c2a-ac78-5f7b9551d65e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Trouble updating templates
ooh I spoke too soon. Its not working. Its helping! But journalctl returns: Template > allowed to sys-net Fedora template says failed to synchronize cache for repo "updates" Debian says the same as it did previously. And next to the "state" entry of the Qubes Manager, they both have a down arrow next to the green dot that says they are running. What does that mean? Please excuse me while I go dig through the docs and google. [EDIT] fedora forums says: add your proxy to /etc/dnf/dnf.conf vim /etc/dnf/dnf.conf Qubes says: You may be encountering issue #3135 What happens after running systemctl restart qubes-updates-proxy in sys-net ? https://github.com/QubesOS/qubes-issues/issues/3135 testing... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/13c2e521-b062-44bf-b233-a5f51172550f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: AW: Re: [qubes-users] For community by community - A way to preserve/focus everyones work going into Qubes, bottom-up
A forum is a must. It doesnt have to be official. But it needs to happen. It needs to have a section for -Questions & -Community Tutorials at the very least. The Kali forums is a great example of what a qubes forum should look like. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/50df1bb5-8aa7-4b8b-9631-777fc1be4f25%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Trouble updating templates
ooh I spoke too soon. Its not working. Its helping! But journalctl returns: Template > allowed to sys-net Fedora template says failed to synchronize cache for repo "updates" Debian says the same as it did previously. And next to the "state" entry of the Qubes Manager, they both have a down arrow next to the green dot that says they are running. What does that mean? Please excuse me while I go dig through the docs and google. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/225598f3-f041-42dc-947d-a229f055bd64%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Trouble updating templates
That helped. journalctl -f in dom0 returned a block in the rpc-policy. dom0: nano /etc/qubes-rpc/policy/qubes-UpdatesProxy I had to change the name of my primary sys-net to the name I provided my default sys-net. Thats what I get for going and changing things around. Solved. Thanks! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b7fe1c9f-7196-4404-9017-fc598ea170a3%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Trouble updating templates
I cant seem to update my templates. In the debian-9 TVM I type: sudo apt-get update Ign:1 http://. Ign:2 http://. Ign:3 http://. Err:4 Err:5 Err:6 Connection Failed E: The repo "http://...; does no longer have a Release File. N: Updating from such a repo cant be done securely, and is therefore disabled by default. N: See apt-secure man page. The Fedora template doesnt seem to connect at all. My sys-firewall is using the debian-9 template. Type: AppVM Rules: Allow all outgoing Devices: none services: n/a The sys-net (debian-9) Type: AppVM Rules: n/a Devices: Network Controller services: clocksync -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6aca20f4-1a95-496a-8959-9fa8cbb1e616%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.