Re: [qubes-devel] debugging systemd ordering cycle

2016-07-26 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi Patrick, > I would appreciate suggestions on debugging systemd ordering [and > also dependency] cycles. If the cycle is relatively short, you could try opening a couple of terminal windows and running "systemctl show" commands on each of the

Re: [qubes-devel] Re: qubes-updates-cache, a Squid-based package update cache

2016-08-14 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi Iestyn, > I tried retrieving the journal for qubes-updates-cache but it only > had one line that described the timeframe for the journal. Can you paste the output of "systemctl status qubes-updates-cache"? Rusty -BEGIN PGP SIGNATURE-

[qubes-devel] Re: [qubes-users] Back up running VMs on btrfs

2017-02-21 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Chris Laprise: > On 02/21/2017 07:43 AM, Rusty Bird wrote: > > Hi Chris! > > > > > On 02/20/2017 08:28 AM, Rusty Bird wrote: > > > > A small qvm-backup wrapper script that handles running VMs by chrooting >

Re: [qubes-devel] Heads firmware talk at CCC

2016-12-30 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Trammell Hudson: > The one drawback to the rd.luks.key approach is that only a single key > can be passed in. You can also use "[rd.]luks.key=LUKSUUID=KEYFILE", no idea if that works any better in practise... Rusty -BEGIN PGP SIGNATURE-

Re: [qubes-devel] Heads firmware talk at CCC

2016-12-29 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Rusty Bird: > Trammell Hudson: > > On Tuesday I presented my work on the Heads firmware at 33C3 and > > gave Qubes OS (and Joanna's 32C3 talk) a shout-out. You can watch > > the video, titled "Bootstrapping a s

Re: [qubes-devel] GSoC Anti Evil Maid improvement project

2017-03-27 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Patrik Hagara: > For such multi-stage attack, it could be much more effective and > still perfectly feasible to implant a passive hardware device into > the target computer that would silently capture and record relevant > USB traffic. Such

Re: [qubes-devel] GSoC Anti Evil Maid improvement project

2017-03-26 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Patrik Hagara: > I'm thinking about applying to the GSoC program and working on > the Anti Evil Maid shoulder surfing and video surveillance > resistance project idea. Awesome! > However, I've got a question regarding the proposed > solution which

Re: [qubes-devel] GSoC Anti Evil Maid improvement project

2017-03-29 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Patrik Hagara: > On Wed, Mar 29, 2017 at 1:39 PM, Rusty Bird <rustyb...@openmailbox.org> wrote: > > 1. The TOTP part of the complex scheme. This would be nicely straight- > >forward, I think. > > Agreed. I ev

Re: [qubes-devel] usability request

2017-03-22 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Jean-Philippe Ouellet: > On Wed, Mar 22, 2017 at 8:31 AM, Oleg Artemiev wrote: > > Is this OK to provide a pullrequest for adding VM (qube) functionality > > for kill / shutdown some VM using window color border as a start > >

Re: [qubes-devel] Qubes Security Bulletin #32: Xen hypervisor and Linux kernel vulnerabilities (XSA-226 through XSA-230)

2017-08-15 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Marek Marczykowski-Górecki: > On Tue, Aug 15, 2017 at 01:59:59PM +, Holger Levsen wrote: > > So, "sudo qubes-dom0-update" for the first paragraph, and > > "sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing" for the > > 2nd… > >

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-08-16 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Patrik Hagara: > I've updated the README a bit [1] to (hopefully) make some things > clearer. Also added a section on how to recover from compromises. > > Rusty: do you think it's ready to be built and pushed into R4 testing > repos? Almost ready

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-08-13 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Patrik Hagara: > Finally managed to track down why unlocking disk with unsealed and > decrypted LUKS key file didn't work on a clean Qubes OS installation. > > While starting to develop this feature, I added the key file path to > my /etc/crypttab

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-07-11 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi Patrik! > On 07/05/2017 05:30 PM, Rusty Bird wrote: > > How should portable Qubes installations be handled? We can't save > > the owner password in the initramfs. But I was thinking, the > > function to write a 256 bit value

Re: [qubes-devel] Changing qubes-core-admin license to LGPL v2.1+

2017-07-18 Thread Rusty Bird
the list of contributors: > > - Andrew David Wong (Axon) > - Bahtiar `kalkin-` Gadimov > - Desobediente Civil > - HW42 > - Ivan Konov > - Jasper Tron > - Jeepler > - Jon Griffiths > - Mario Geckler > - Michal Rostecki > - Nicklaus McClendon > - Olivier Médoc

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-07-25 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Patrik Hagara: > Would it be OK if I squashed all the commits so far into a single > large one (as there's already quite a lot of reverts and design > changes anyway). Yes, please do. Rusty -BEGIN PGP SIGNATURE-

Re: [qubes-devel] Re: [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-28 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Andrew Morgan: > (For some reason your reply doesn't show up in mailing list, so replying > with it quoted below) Ah what is the matter with Google Groups and my e-mail address. > Heh, I need to stop replying to emails in the wee hours of the

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-07-03 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi Patrik! I just noticed that qubes-devel seems to break your PGP/MIME signatures. Inline PGP works better on Google Groups based mailing lists. (The CCs have all been fine, of course.) > On 06/26/2017 05:28 PM, Rusty Bird wrote: > >&g

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-07-05 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Patrik Hagara: > On 07/04/2017 12:28 AM, Rusty Bird wrote: > > Hi Patrik! > >> OK, let's go with the freshness token then. > > > > To avoid implementation complexity here: What do you think about > > unconditi

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-08-22 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi Patrik, > I've opened a pull request [1] to the AEM repository. > > Again, enormous thank you to Rusty Bird for being a wonderful GSoC > mentor and helping me clean up the patches for submission. Thank you for not going c

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-26 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi Patrik, > On 06/19/2017 12:43 PM, Rusty Bird wrote: > > Patrik Hagara: > >> On 06/18/2017 05:51 PM, Rusty Bird wrote: > >>> Rusty Bird: > >>>> Patrik Hagara: > >>>>> Sing

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-07 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Marek Marczykowski-Górecki: > On Wed, Jun 07, 2017 at 10:45:30PM +0200, Patrik Hagara wrote: > > On 06/07/2017 09:45 PM, Rusty Bird wrote: > > > Hi Patrik, > > > > > > Sorry that it took me a whi

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-09 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Rusty Bird: > Patrik Hagara: > > On 06/09/2017 05:22 AM, Rusty Bird wrote: > > > Rusty Bird: > > >> In the current WIP version, the keyfile is encrypted before sealing > > >> and decrypted after unseal

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-10 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Patrik Hagara: > Any and all code reviews are welcome! The changes I made are stored in > my fork of AEM repository [1]. - - Please don't feel obligated to read this on a weekend :) - One thing I noticed is that a comment in anti-evil-maid-unseal

[qubes-devel] AEM: Should we drop .png support?

2017-06-16 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi everyone, What do you think about getting rid [1] of .png image secret support in the next major version of Anti Evil Maid? This would offset some of the increase in complexity incurred by the upcoming TOTP/keyfile support, in addition to other

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-18 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Rusty Bird: > Patrik Hagara: > > Single-use key file code committed > > Whee, I finally get it... Seeing how it all fits together, it looks > really cool! > > What do you think about making replay protection a self-con

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-18 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Patrik Hagara: > The initramfs would, upon next boot, read both the sealed LUKS key file > (unsealing it, along with stored counter value) and the publicly > readable counter value from TPM -- and, assuming the values match, > continue booting. An

Re: [qubes-devel] AEM: Should we drop .png support?

2017-06-18 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Marek Marczykowski-Górecki: > I think PNG support is a nice half-measure against shoulder surfing - > details on the image are harder to copy/remember (or even photograph > with a small camera), than some text. You're right, it is better. I hadn't

Re: [qubes-devel] [GSoC] Progress report: Anti Evil Maid enhancements

2017-06-18 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Patrik Hagara: > Single-use key file code committed Whee, I finally get it... Seeing how it all fits together, it looks really cool! What do you think about making replay protection a self-contained secret? If we'd change it from a counter (shared

Re: [qubes-devel] Remove SWAP file on SSD systems / provide option in installer

2017-10-22 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Chris Laprise: > On 09/26/2017 11:14 AM, Peter Todd wrote: > > Re: privacy, you can setup swap files to use encrypted storage with > > *volatile* > > encryption keys that are generated at boot, and never get written to > > persistent > > storage.

Re: [qubes-devel] R4.0-rc4 installation image considerations

2018-01-19 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Marek Marczykowski-Górecki: > Right now I see two options: > - abandon the goal of fitting the image on DVD (I'd go for this) *single-layer DVD. Still lots of space on dual-layer DVDs, so this option seems totally fine to me. FWIW, I sometimes

Re: [qubes-devel] What happened to last year's GSOC submissions?

2018-02-05 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Elias Mårtenson: > Last year, there was a lot of activity surrounding two really > interesting projects: One about improving the AEM feature, and > another which was about being able to mark downloaded files as > insecure so that they can be opened

[qubes-devel] qid/dispid recycling vs. Tor circuit isolation

2018-01-03 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi! So, the qid/dispid of a removed VM can be recycled immediately. When that happens inside a 10 minute window*, it could break inter-VM Tor circuit isolation, which is based on the VMs' IP addresses. For dispids, a relevant collision happens

Re: [qubes-devel] qid/dispid recycling vs. Tor circuit isolation

2018-08-27 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Jean-Philippe Ouellet: > On Wed, Jan 3, 2018 at 7:02 PM, Rusty Bird wrote: > > Hi! > > > > So, the qid/dispid of a removed VM can be recycled immediately. When > > that happens inside a 10 minute window*, it could bre

Re: [qubes-devel] Build ISO from official uploaded packages?

2018-09-29 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Marcus Linsner: > On Thursday, September 27, 2018 at 7:15:30 PM UTC+2, Rusty Bird wrote: > > Marcus Linsner: > > > I haven't yet tried installing an .iso because I need to get an > > > empty disk, probably next w

[qubes-devel] Build ISO from official uploaded packages?

2018-09-21 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi, Is there a way to build an up-to-date R4.0 installer ISO from the latest pre-built official packages in current(-testing)? I'd rather not rebuild all of them - just the few for which I have extra patches. Rusty -BEGIN PGP SIGNATURE-

Re: [qubes-devel] Build ISO from official uploaded packages?

2018-09-21 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Marek Marczykowski-Górecki: > On Fri, Sep 21, 2018 at 08:51:52AM +0000, Rusty Bird wrote: > > Is there a way to build an up-to-date R4.0 installer ISO from the > > latest pre-built official packages in current(-testing)? >

Re: [qubes-devel] Build ISO from official uploaded packages?

2018-09-21 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Marek Marczykowski-Górecki: > On Fri, Sep 21, 2018 at 11:48:17AM +0000, Rusty Bird wrote: > > Now, if I run > > > > $ make iso > > > > it fails with: > > > > -> Installing installer

Re: [qubes-devel] Build ISO from official uploaded packages?

2018-09-24 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Marcus Linsner: > 2. in another terminal: sudo iotop > 3. in a 3rd terminal: logger > > every time you press Enter in [3.] [...] "Actual DISK WRITE" is like > 15KB) I can't reproduce this in my dom0, which has vanilla journald.conf/ sysctl values

Re: [qubes-devel] Build ISO from official uploaded packages?

2018-09-22 Thread Rusty Bird
fails due to a download error, just rerun it. Unless I made a mistake putting everything together (in which case, please say so), it should spit out an installer image file in the iso/ directory. > I'd be very interested into building(and testing) an iso with all of this: > "Rus

Re: [qubes-devel] Build ISO from official uploaded packages?

2018-09-27 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Marcus Linsner: > On Tuesday, September 25, 2018 at 3:13:19 PM UTC+2, Rusty Bird wrote: > > Rusty Bird: > > > Marcus Linsner: > In other words, `systemd-journald` causes a write as `Total DISK > WRITE`, but not a sync/flush

Re: [qubes-devel] Build ISO from official uploaded packages?

2018-09-25 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Rusty Bird: > Marcus Linsner: > > 2. in another terminal: sudo iotop > > 3. in a 3rd terminal: logger > > > > every time you press Enter in [3.] [...] "Actual DISK WRITE" is like > > 15KB) > > I c

Re: [qubes-devel] Re: Question about storage pool "file"

2019-06-26 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Manuel Amador (Rudd-O): > > I haven't been able to understand the codebase for the "file" storage > > pool very well. That might be for the better... It's kind of the haunted house storage driver at this point. > > At which point in the lifetime

Re: [qubes-devel] socat dependency of qubes-core-dom0

2019-10-21 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 David Hobach: > the latest dom0 update apparently introduced a socat dependency for > qubes-core-dom0 4.0.47-1. > > Where does this come from? https://github.com/QubesOS/qubes-core-admin/commit/c95370c5fbb57c8fc6caadb6c20a1d4ef91e5369

Re: [qubes-devel] "Make an Alpha!"

2020-10-14 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Marek Marczykowski-Górecki: > Next week turned out to be next month, but it's here: > https://ftp.qubes-os.org/iso/Qubes-R4.1.0-alpha20201014-x86_64.iso > and its signature: > https://ftp.qubes-os.org/iso/Qubes-R4.1.0-alpha20201014-x86_64.iso.asc

Re: [qubes-devel] "Make an Alpha!"

2020-09-21 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Chris Laprise: > On 9/20/20 3:10 PM, Rusty Bird wrote: > > Chris Laprise: > > > * Allocating a thin lvm pool and then using the plain file pool type > > > > Can you expand on what you're trying to do and how it's

[qubes-devel] "Make an Alpha!"

2020-09-20 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Marek, the masses are chanting it!! https://www.youtube.com/watch?v=sq5g-V63Q30=1511 Less shitpostingly, I was about to comment on #6041 with how to move from ext4/file to btrfs/file-reflink but noticed that btrfs-convert had a nasty bug that's

Re: [qubes-devel] "Make an Alpha!"

2020-09-20 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 > On 9/20/20 2:03 PM, Marek Marczykowski-Górecki wrote: > > In the meantime, I could use some help with debugging suspend issues[2] > > which I consider one of the very few blockers before I switch to R4.1 > > myself :) Oh shit, I'm like the least

Re: [qubes-devel] Take a snapshot of the Qube's memory

2020-08-12 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Pin dev: > I need to analyze memory from one qube that is suspected to contain > malware. $ xl dump-core vmname filename Rusty -BEGIN PGP SIGNATURE-

Re: [qubes-devel] Pool interface questions

2020-06-14 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 David Hobach: > I'm trying to understand the qubes.storage.Pool interface and its > requirements for implementations. > > In particular I wonder: > Are implementations required to be fully initialized right after the > constructor is called? You

Re: [qubes-devel] Distributing OS-specific Changes

2021-06-19 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi David, > How do you distribute modifications specific to certain template operating > systems? > > I considered sending the seemingly trivial 2-line PR for [5988], but then > noticed that > modifying upstream systemd configuration can be done

Re: [qubes-devel] GitHub ticket #5929 disappeared (official Arch Linux template)

2021-05-10 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Marek Marczykowski-Górecki: > On Mon, May 10, 2021 at 10:27:38AM +0000, Rusty Bird wrote: > > I was trying to check on the status of the Arch Linux template, but > > the issue ticket[1] has disappeared ("Page not found"

[qubes-devel] GitHub ticket #5929 disappeared (official Arch Linux template)

2021-05-10 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 I was trying to check on the status of the Arch Linux template, but the issue ticket[1] has disappeared ("Page not found"). Maybe it's caught in a GitHub spam filter? (archive.org has a single old capture[2] that's definitely missing some updates.)

Re: [qubes-devel] Addressing the long shutdown time with LVM thin volumes

2021-02-11 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Peter Todd: > On Fri, Feb 05, 2021 at 06:59:05PM +0100, donoban wrote: > > On 2/5/21 5:24 PM, Jinoh Kang wrote: > > > - Switch to reflinks. BTRFS has been around 10+ years, so I assume it's > > > stable enough? > > > > I've been using BTRFS for a

Re: [qubes-devel] GitHub ticket #5929 disappeared (official Arch Linux template)

2022-04-20 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Marek Marczykowski-Górecki: > On Wed, Apr 20, 2022 at 12:32:56PM +0000, Rusty Bird wrote: > > Did you ever hear back from them? > > Yes, a month later, and it's not very optimistic one: > I'm unable to provide any further

Re: [qubes-devel] GitHub ticket #5929 disappeared (official Arch Linux template)

2022-04-20 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Marek Marczykowski-Górecki: > On Mon, May 10, 2021 at 11:56:51AM +0000, Rusty Bird wrote: > > Marek Marczykowski-Górecki: > > > On Mon, May 10, 2021 at 10:27:38AM +0000, Rusty Bird wrote: > > > > I was trying to check o