Re: [EXT] Re: [qubes-users] Update templates in parallel
On Thursday, 6 August 2020 09:03:31 UTC+8, unman wrote:

> The security isn't to be found at the proxy level, but at the package management level. It's there that verification is (and should be) done.

Unman, speaking of verification at the package management level, would you happen to know the algorithm that's used to verify dom0 and domU packages? I've been looking for this info since I'm worried that it might be the now-deprecated SHA1 (like GitHub) but I haven't found anything yet.

--

I'm not unman, but I just checked the repo data and it appears they use sha256.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5f2b87ac.1c69fb81.be51c.6641%40mx.google.com.
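One way to check which digest algorithm a repository's metadata declares, as the reply above describes doing by hand. This is an added example, not code from the thread or from the Qubes project; it assumes "repo data" means the yum/dnf `repomd.xml` index, and the `REPOMD` and `PRIMARY` samples are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"repo": "http://linux.duke.edu/metadata/repo"}
WEAK = {"md5", "sha", "sha1"}  # in yum metadata, "sha" is a legacy name for SHA-1

# Constructed stand-in for a metadata file that repomd.xml points at.
PRIMARY = b"<metadata packages='0'/>"

# Constructed repomd.xml: one sha256 entry and one legacy SHA-1 entry.
REPOMD = f"""<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary">
    <checksum type="sha256">{hashlib.sha256(PRIMARY).hexdigest()}</checksum>
    <location href="repodata/primary.xml"/>
  </data>
  <data type="filelists">
    <checksum type="sha">{hashlib.sha1(b"constructed").hexdigest()}</checksum>
    <location href="repodata/filelists.xml"/>
  </data>
</repomd>"""


def checksum_types(repomd_xml):
    """Map each <data type=...> entry to (algorithm, hex digest, href)."""
    entries = {}
    for data in ET.fromstring(repomd_xml).findall("repo:data", NS):
        checksum = data.find("repo:checksum", NS)
        location = data.find("repo:location", NS)
        entries[data.get("type")] = (
            checksum.get("type").lower(),
            checksum.text.strip(),
            location.get("href"),
        )
    return entries


def weak_entries(entries):
    """Names of metadata entries whose declared digest is MD5 or SHA-1."""
    return sorted(name for name, (algo, _, _) in entries.items() if algo in WEAK)


def verify(entries, name, blob):
    """Recompute the declared digest over blob and compare in constant time."""
    algo, expected, _ = entries[name]
    algo = "sha1" if algo == "sha" else algo
    return hmac.compare_digest(hashlib.new(algo, blob).hexdigest(), expected)


if __name__ == "__main__":
    found = checksum_types(REPOMD)
    for name, (algo, _, href) in found.items():
        print(f"{name:10} {algo:7} {href}")
    print("weak:", weak_entries(found))
    print("primary matches:", verify(found, "primary", PRIMARY))
```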
RE: [qubes-users] Re: update error: Jinja variable 'dict object' has no attribute 'os'
I see the following error in the Qubes Update widget window after attempting to upgrade a Fedora 32 template:

Rendering SLS 'base:update.qubes-vm' failed: Jinja variable 'dict object' has no attribute 'os'

I switched the dvm template to fedora 32 as described in:
https://www.qubes-os.org/news/2020/06/30/fedora-32-templates-available/
https://www.qubes-os.org/doc/templates/#switching

I was not able to find an open issue about this on GH
https://github.com/QubesOS/qubes-issues/issues

Do you see the same error?

Yes, I do receive the same error, if I accept the update request from the top-level menu icon.

The same operation succeeds however, if I trigger it explicitly via the Qube Manager, i.e. "Start Qube Manager > Select 'fedora-32' > Update qube" ...

With kind regards,
VR

--

You can also use a simple command line script for this:

    qvm-run -u root fedora-32 "sudo dnf update -y" ; qvm-shutdown fedora-32

Emlay
Re: [qubes-users] Qubes in a corporate network behind HTTP proxy [R4.0.x]
Original message
From: "sysad.andes"
Date: 7/16/20 15:56 (GMT-05:00)
To: awokd
Subject: Re: [qubes-users] Qubes in a corporate network behind HTTP proxy [R4.0.x]

Original message
From: 'awokd' via qubes-users
Date: 7/16/20 15:34 (GMT-05:00)
To: qubes-users@googlegroups.com
Subject: Re: [qubes-users] Qubes in a corporate network behind HTTP proxy [R4.0.x]

unman:
> On Wed, Jul 15, 2020 at 11:41:57PM -0700, pr0xy wrote:
>> On 2020-07-15 09:28, pr0xy wrote:
>>> proxy.example.com:8080
>>>
>>> In R4.0.x how and where would I set this proxy for the Qubes Updates
>>> Proxy? sys-net? sys-firewall? TemplateVMs?

https://github.com/QubesOS/qubes-doc/pull/603/files#diff-50cf93c6cf4fa87fc6b6612d706874a1
may be useful, but possibly also in need of correction.

--

Also, besides what's listed in all the docs, make sure you have qubes-input-proxy installed in whatever template is behind the VM you want to handle updates for your templates
Re: [qubes-users] How to add multiple virtual hard drive to a StandaloneHVM
Original message
From: ramboman...@gmail.com
Date: 6/11/20 01:28 (GMT-05:00)
To: qubes-users
Subject: Re: [qubes-users] How to add multiple virtual hard drive to a StandaloneHVM

Hello Emily,

The reason I was specifying virtual hard drives and not partitions, is because ZFS can be more than just a file system sitting in a single partition. ZFS usually sits on the top of many hard drives and can organize them in many layouts (many acting like raid and more) for a vast variety of needs and specifications. Not knowing much about ZFS let alone the many functionalities it offers, I am trying to reproduce a virtual file server containing many hard drives so I can play around with different layouts and learn from it.

In VirtualBox, it is fairly straightforward to add new virtual hard drives to a VM when needed. I'm trying to do the same thing for a StandaloneHVM, but I have not found how to do that yet.

How can I simulate a file server containing many hard drives in Qubes?

--
Kind regards
Lem

>>Sorry, took a minute to step back from gut response. From dom0 use lvdisplay to check necessary settings for your specific VM and lvcreate to make the hard drives, let me know if you need more specifics, and I'll reply when I'm more awake. This will be more involved, but will probably be as close as you get to do what you're asking.

>>But also, the difference between partitions and hard disks is somewhat negligible in a fully virtualized system.

On Wednesday, 10 June 2020 23:56:08 UTC-4, Emily wrote:

-Original Message-
From: Lem Ming
To: qubes-users
Subject: [qubes-users] How to add multiple virtual hard drive to a StandaloneHVM
Date: Wed, 10 Jun 2020 16:58:08 -0700 (PDT)

Hi all,

I am new to Qubes OS. I would like to use StandaloneHVM to virtualize FreeNAS for learning purpose. I am looking for a way to add many virtual hard drive to the VM so I can to play and learn about ZFS.

How do I add multiple virtual hard drive to a StandaloneHVM?

Kind regards,
Lem

I'm sure there's a better/more straightforward way to do this, but off-hand the two methods I know would be creating partitions either during installation, or via live usb after installation.

I don't have particular experience with FreeNAS, but most modern installation processes have the ability to create multiple partitions during installation. Either way, start off with your choice of size of private memory cumulatively, then partition as necessary.

To do via live OS which was my initial instinct use:

    qvm-start --cdrom=$BlockorisoID $VMNAME

ie,

    qvm-start --cdrom=sys-usb:1.5-4 FreeNAS

Then use your choice of fdisk/parted/gparted/etc.

Make sure the iso is available as a block, or if you're willing to accept the risk of USB passthrough, or trying to directly load through another VM. If you need to check available devices use qvm-device or derivatives.

Let me know if you have any questions about this, or I'm always appreciative of learning more efficient manners of task completion if someone has a more efficient way to do this.

Granted, you could also just attach them with qvm-device and label it as persistent, so I guess in writing my response I may have found a more efficient way to technically accomplish this, but using partitions as opposed to additional persistent block devices just feels a lot more proper to me. Less overlap of VMs.

--
Cordially,
Emlay
She/Her/Hers
RE: [qubes-users] Re: How do you maximize your VM security?
Original message
From: Dominique
Date: 6/9/20 12:26 (GMT-05:00)
To: qubes-users
Subject: [qubes-users] Re: How do you maximize your VM security?

On Tuesday, June 9, 2020 at 11:26:22 AM UTC-4, fiftyfour...@gmail.com wrote:

> Hi all,
>
> I took a break from setting up my Qubes OS machine and now I'm looking to finish the job and actually settle in. I am familiar with the overall layout and functions of the OS as a whole, but want to shore up the security of my individual VMs, with Debian running everything except for dom0. I know that isolation should do most of the work, but if further hardening my VMs will add more hurdles for attackers while being of minimal cost to me, why not?
>
> For now, I plan on proper firewalling, activating apparmor, installing taskett-hardening, and reducing attack surfaces where possible.
>
> Specific question: how would one strip down non-app VMs (sys-net, sys-USB, sys-firewall, whonix-gw) to minimize their attack surfaces? Aside from common-sense hardening and operation of app VMs, these seem to be the most exposed and therefore most vulnerable.
>
> More generally: what steps have you taken to harden your VMs?

Hi,

First step for me was to install the minimal template and use them instead of the complete template for service qubes (sys-net, sys-USB and sys-firewall). Information on minimal template can be found here: https://www.qubes-os.org/doc/templates/minimal/

Second step for me was building and using the mirage firewall instead of sys-firewall. Information on mirage can be found here: https://github.com/mirage/qubes-mirage-firewall/

Third step for me was random mac address and hostname. https://www.qubes-os.org/doc/anonymizing-your-mac-address/

Those are things that I do on all my qubes laptop installation. After that, you can play with firewall rules, apparmor and other things.

I would love to see a way to add IDS/IPS in qubes easily but did not have time to even check if someone did try to add IDS/IPS

Have fun!

Dominique

1st, I second all of this.
2nd, I run a VPN off of the minimal template (technically a double vpn, but it's probably overkill)
3rd, on my todo list, create a scratch template with even less than the minimal for these functions
4th, only wired networking bc all the insecurity regarding wifi.
5th, any applications I don't trust (like Zoom) I run off disposable vms.
6th, don't have any hardware VMs running if you aren't actively using them
7th, add a root password to all VMs
8th, make sure your firewall disallows connections between VMs (granted this is qubes default)
9th, add outbound firewall rules to each VM as appropriate
10th, don't tell people your qubes configuration (I'm kinda fucking up that one right now :p)
11th, use tor if you're seriously concerned about privacy (even though that double vpn was overkill, and this probably moreso)
12th, use both DNSSec and DNS over TLS
13th, test dns leak with regards to vpn
14th, reply in line and don't top post... Okay, not security, just good manners
15th, also strip down bios surface (remove possibilities of remote connections, disable any hardware you aren't likely to use, etc.)

Cordially,
Emlay
RE: [qubes-users] Help with "Missing Features HAP/SLAT/EPT/RVI, Interrupt Remapping"
Original message
From: 'Chris Jones' via qubes-users
Date: 6/8/20 22:16 (GMT-05:00)
To: qubes-users@googlegroups.com
Subject: [qubes-users] Help with "Missing Features HAP/SLAT/EPT/RVI, Interrupt Remapping"

Hi all,

New user here, trying and failing to install Qubes R4.0.3 on a new Dell Precision 3630 Tower with Xeon E-2288G cpu.

I verified the ISO and wrote it to a USB stick with dd.

If I set the BIOS to boot from the USB stick in UEFI mode then I get dump of registers and stack trace and it says "Panic on CPU 0: FATAL PAGE FAULT"

If I set the BIOS to boot in Legacy External Devices mode, and boot from the USB stick, the Qubes installer menu comes up. If I select "Install Qubes R4.0.3" then I am offered the chance to select a language, after which an error window pops up: "Unsupported Hardware Detected"... "Missing Features: HAP/SLAT/EPT/RVI, Interrupt Remapping"

In the BIOS settings I had already ticked "Enable Intel Virtualization Technology" and also "Enable VT for Direct I/O". It also does not seem to make any difference whether I tick "Trusted Execution" in the BIOS.

I guess there is a possibility that there is a bug in the BIOS, I have R2.3.1 installed.

Does anyone have any ideas?

Thanks in advance,
Chris

>>Double check that any reference to any other virtualization technology is enabled in BIOS, specifically EPT/SLAT, ie extended paging tables, your processor seems to support this, but it sounds like the installation candidate isn't detecting the availability of the technology.
RE: [qubes-users] Question for google groups
Original message
From: lymepopsicle via qubes-users
Date: 6/5/20 00:29 (GMT-05:00)
To: qubes-users@googlegroups.com
Subject: [qubes-users] Question for google groups

Question for https://groups.google.com/forum/#!forum/qubes-users.

Can someone help me with the commands for installing Signal in the debian10 template vm? It seems like the official documentation from the Qubes website is outdated, so ideally if someone could update the documentation for debian 10 rather than the current deprecated debian 9 documentation, that would benefit more users beyond myself.

Documentation linked below.
https://www.qubes-os.org/doc/signal/

I get an error at step 3 in the documentation after installing curl. The software does not currently show up in my debian 10 template vm after following this documentation.

Other messengers to consider for future documentation...

Ideally, Session, an encrypted messenger that routes messages over onion routing, should be included in future documentation, however I don't think they have a xen framework yet. Whonix has a page for messengers on https://www.whonix.org/wiki/Chat which includes a matrix client that I also hope to get running eventually.

It's not outdated, it's just slightly wrong, the curl command is actually:

    curl -s -x 127.0.0.1:8082 https://updates.signal.org/desktop/apt/keys.asc | sudo apt-key add -

And then substitute buster for xenial in the following command to update for the distribution