Re: [qubes-users] Re: Q wipe files

2016-07-03 Thread 0938'14094328'0194328'019384'209321809
Hello Andrew, 

crypto last line of defense...

the last line of defense is always the crypto.

So with a fractal security concept, different security concepts on different 
security levels will enhance each other.

The simple idea is, if the crypto is really strong, I can throw away the keys 
of all removed VMs. If the crypto is working correctly, even if some file-copies 
are left on the system in some strange corners, nobody can recover it.
The best would be that all keys are stored on an external storage, which can be 
removed or destroyed more easily.

The physical security is zero, if you are not an owner of a well-armed bunker 
area deep in the ground.
Even I have had a break-in and out. No material things got moved...

But you might get a disk-copy quite fast, if you gain full physical access 
to a PC.

https://www.sandisk.com/about/media-center/press-releases/2015/sandisk-expands-into-the-external-storage-market-with-world%E2%80%99s-highest-performing-portable-ssd

Ok, my physical security is 0%.

What can I do?

How good is the login-protection to a PC? 10%?
(Windows 98: you can just invent a new user-name and a new password and you will 
see all data on this PC. Is this an OS with password-protection?)

babf: bug and backdoor free

babf Disk Encryption 10%
smart policy, which works also in the practice 99.%
smart Q-OS separation of data and apps 99.%
smart Q-OS compartmentalization and safe copy and paste 99.% & 99.%
smart password management 10%
smart password complexity 30%
smart non-deterministic random to gain un-guessable passwords 1%
system is free of other weaknesses 1%

So my data will be safe for 30%.

Can I do it better?

Kind Regards

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/71d5e8a2-9036-4424-aac7-80d1ded958e5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-03 Thread Chris Laprise



On 07/03/2016 09:14 PM, gaikokujinkyofu...@gmail.com wrote:

On Wednesday, June 22, 2016 at 1:48:33 PM UTC-3:30, gaikokuji...@gmail.com 
wrote:

On Monday, June 20, 2016 at 5:19:27 AM UTC+5:45, Chris Laprise wrote:

On 06/19/2016 10:13 PM, gaikokujinkyofu...@gmail.com wrote:

On Thursday, June 16, 2016 at 6:33:48 PM UTC+9, gaikokuji...@gmail.com wrote:

I started trying to create a VPN VM following the https://www.qubes-os.org/doc/vpn/ page. 
I checked if openvm was installed, it was (using fedora/ using the "firewall" 
for the allow networking option not mentioned in the VPN page). There was not a 
/rw/config/openvm dir so I tried making one then went through the rest of the 
instructions. I double checked what I did against the instructions and am fairly sure 
I followed them correctly.

I tried setting my now "VPN" vm as the netvm, shutdown both then restarted vpn 
vm then the modified-to-use-vpn vm appvm and tried connecting to the internet, nada.

I did go to the Fedora "establishing a VPN Connection" page but intimidating is 
a bit of an understatement.

How can I go about diagnosing what is not working?

I worked on this a bit more. Waded through the fedora establishing a VPN connection page, 
rather confusing, but I opened a Network settings window for my VPN VM and added a VPN by 
importing an openvpn config file via the VPN add a network connection's "import from 
file" option (and it seemed to import fine).

Now I am not entirely sure what I have. I of course did everything outlined in 
the Qubes VPN page. I now have two network connection icons, one for my wifi 
and another showing the VPN VM's eth? problem is the VPN VM ethernet connection 
doesn't seem to be connected. When I go to network via *settings* it now shows 
me three connections: Wired, the VPN I setup, and Network Proxy.

When I go via *Network Connections* it now shows me under Ethernet "VM uplink eth0" and 
under VPN "VPN Provider" (the provider whose openvpn config I imported). It shows the 
ethernet as having been used within the last few minutes but the VPN as never having been used.

On the Fedora page it mentions setting an autoconnect (automatically connect to 
VPN when using this connection) option which I thought it was talking about for 
the VPN but as I couldn't find it on the VPN connection and could on the eth0 
connection I tried setting the autoconnect to (and selected the VPN connection 
from the pull down menu) but while I can select it it does not stay selected if 
I restart the VPN VM.

Now I am not able to connect to the internet on the VPN VM and def not from 
another AppVM trying to use the VPN as a proxy.

I am just not sure where I have gone wrong here. Where would I look for a log to start 
trying to figure out the issue? (I saw a "run in debug mode" under VM 
settings... might that be a place to start?)

Thanks!

Hi again...

You should create a separate proxy vm for each type of vpn configuration
you're trying, otherwise they will interfere with each other.

To get the openvpn + firewall method working, first try running openvpn
manually with 'sudo openvpn [...]' before adding any scripts. Omit the
--daemon option so it will display information you can use to
troubleshoot the link.

Once you have the link working, you can try adding script lines to your
.ovpn file and the qubes-vpn-handler, then test manually again. Finally,
add the qubes-firewall-user-script and reboot the vm, then test again.
Keep in mind that once you add the firewall it will block openvpn unless
the latter is run under group 'qvpn' so you would type the following:
 sudo groupadd -rf qvpn
 sudo sg qvpn -c 'openvpn [...]'

NM connection... Try it in a fresh vm. The vpn autoconnect might not
work, however; The last time I tried to use it, NM behaved erratically
(and did not have appropriate firewall protections anyway).

Chris

Thanks I will try that out.

Some things came up so I hadn't gotten around to trying it out until now.

I created a new VM, VpnVM, and ran

openvpn openvpn.ovpn

and yeah! it connected and I opened firefox from VpnVM, and it was using the 
vpn, then ran PersonalVM using VpnVM as my NetVM and PersonalVM also showed up 
as using the VPN so first hurdle cleared?


Yes.


Lots more hurdles though as my understanding of it all drops off precipitously.

I modified the /rw/config/openvpn/openvpn-client.ovpn file with the

script-security 2
up 'qubes-vpn-handler.sh up'
down 'qubes-vpn-handler.sh down'

lines

and I created the qubes-vpn-handler.sh and changed permissions.

I then tried to start openvpn /rw/config/openvpn/openvpn-client.ovpn

and no go. I get errors:

Options error: --ca fails with ca.crt: No such file or directory
Options error: --crl-verify failes crl.prm: no such file or dir
Options error: please correct these errors

I didn't get these errors before I added the qubes-vpn-handler.sh

thoughts?


It looks like you switched to the example ovpn config from 
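The "--ca fails with ca.crt: No such file or directory" failure above has two common causes: the file really is absent (the example config names certificates you never copied in) or OpenVPN resolved the relative path against the wrong working directory. The preflight check below, added here and not code from the thread or from Qubes OS, parses the config's file-referencing directives and reports which ones do not resolve, honouring a `cd` directive when present. The config contents, file names and temporary directory are constructed for the demonstration.

```shell
# Preflight check for an OpenVPN client config in a Qubes ProxyVM (added
# example, not from the thread or from Qubes OS). Assumption: the config
# names its files by relative path (ca ca.crt, crl-verify crl.pem ...), as
# the provider example configs usually do. OpenVPN resolves such paths
# against its current working directory unless the config contains a
# 'cd <dir>' directive, so 'openvpn /rw/config/openvpn/openvpn-client.ovpn'
# started from $HOME reports "--ca fails with ca.crt" even when ca.crt sits
# right next to the config file.

# Directory OpenVPN resolves relative paths against: the last 'cd' directive
# in the config if there is one, otherwise the caller's working directory
# (passed as $2, defaulting to $PWD).
ovpn_effective_dir() {
    cddir=$(sed -n 's/^[[:space:]]*cd[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$cddir" ]; then
        printf '%s\n' "$cddir"
    else
        printf '%s\n' "${2:-$PWD}"
    fi
}

# List file-referencing directives whose target does not exist, one
# "directive path" pair per line. Prints nothing when every file resolves.
# Inline <ca>...</ca> blocks carry no path and are left alone.
ovpn_missing_files() {
    conf=$1
    base=$(ovpn_effective_dir "$conf" "${2:-$PWD}")
    awk '$1 == "ca" || $1 == "cert" || $1 == "key" || $1 == "crl-verify" ||
         $1 == "tls-auth" || $1 == "tls-crypt" || $1 == "auth-user-pass" {
             print $1, $2 }' "$conf" |
    while read -r directive path; do
        [ -n "$path" ] || continue      # bare auth-user-pass prompts instead
        case $path in
            /*) full=$path ;;
            *)  full=$base/$path ;;
        esac
        [ -e "$full" ] || printf '%s %s\n' "$directive" "$path"
    done
}

# Stand-alone demonstration on a constructed config in a temporary
# directory: the same config checked from one level up and from its own dir.
ovpn_demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/openvpn"
    cat > "$tmp/openvpn/openvpn-client.ovpn" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
crl-verify crl.pem
EOF
    : > "$tmp/openvpn/ca.crt"
    : > "$tmp/openvpn/client.crt"
    : > "$tmp/openvpn/client.key"
    echo "== started from $tmp (one level up): every relative file is reported"
    ovpn_missing_files "$tmp/openvpn/openvpn-client.ovpn" "$tmp"
    echo "== started from the config directory: only crl.pem is really absent"
    ovpn_missing_files "$tmp/openvpn/openvpn-client.ovpn" "$tmp/openvpn"
    rm -rf "$tmp"
}

ovpn_demo
```

In the ProxyVM, `ovpn_missing_files /rw/config/openvpn/openvpn-client.ovpn "$PWD"` from the shell you start openvpn in tells the two causes apart before you add the handler script and firewall rules.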

Re: [qubes-users] AEM boot option causes hard reboot/partial shutdown (Lenovo T450s)

2016-07-03 Thread Chris Laprise



On 05/30/2016 03:39 AM, Marek Marczykowski-Górecki wrote:


On Sun, May 29, 2016 at 11:10:45PM -0700, Andrew David Wong wrote:

On 2016-05-29 16:34, Marek Marczykowski-Górecki wrote:

On Fri, May 27, 2016 at 03:27:50AM -0700, Andrew David Wong wrote:

On 2016-05-19 02:34, Frank Schäckermann wrote:

There should be a bootable BIOS-Updater-Image that can be
burned to a CD and booted on the TP to get the BIOS updated. At
least there was one for my Lenovo W530 a couple of weeks ago.
Practically hassle free - not counting getting the CD burned on
Qubes OS. ;-) But than again... the T450 mileage may vary...

Thanks, Frank. Unfortunately, even after successfully updating
the BIOS to the latest version, AEM is still not working (fails
the same way as before). I really thought updating the BIOS would
fix it, since there's a TPM-related fix in the BIOS patch notes.
Marek, I noticed that the version of tboot being used is somewhat
old (July 2014). Would upgrading tboot itself break compatibility
with AEM? If so, are there any plans to upgrade AEM to be
compatible with a newer version of tboot?

I think newer tboot shouldn't break anything. The only reason for
this particular version (1.8.2) is a package in Fedora. And I see
even in Fedora 23 (planned as dom0 for Qubes 3.2), it's still at
1.8.2.


Would it be as simple as "qubes-dom0-update tboot" or more complicated?

It will not help, as there is no newer package for Fedora (even for
upcoming Fedora 24).

-- 


AEM is now causing reboots for me as well, after installing it under 
R3.2rc1.


Has there been any progress on this? I don't see any signed sources of 
the newer tboot versions, so I'm reluctant to try them.


Chris



Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)

2016-07-03 Thread gaikokujinkyofusho
On Wednesday, June 22, 2016 at 1:48:33 PM UTC-3:30, gaikokuji...@gmail.com 
wrote:
> On Monday, June 20, 2016 at 5:19:27 AM UTC+5:45, Chris Laprise wrote:
> > On 06/19/2016 10:13 PM, gaikokujinkyofu...@gmail.com wrote:
> > > On Thursday, June 16, 2016 at 6:33:48 PM UTC+9, gaikokuji...@gmail.com 
> > > wrote:
> > >> I started trying to create a VPN VM following the 
> > >> https://www.qubes-os.org/doc/vpn/ page. I checked if openvm was 
> > >> installed, it was (using fedora/ using the "firewall" for the allow 
> > >> networking option not mentioned in the VPN page). There was not a 
> > >> /rw/config/openvm dir so I tried making one then went through the rest 
> > >> of the instructions. I double checked what I did against the 
> > >> instructions and am fairly sure I followed them correctly.
> > >>
> > >> I tried setting my now "VPN" vm as the netvm, shutdown both then 
> > >> restarted vpn vm then the modified-to-use-vpn vm appvm and tried 
> > >> connecting to the internet, nada.
> > >>
> > >> I did go to the Fedora "establishing a VPN Connection" page but 
> > >> intimidating is a bit of an understatement.
> > >>
> > >> How can I go about diagnosing what is not working?
> > > I worked on this a bit more. Waded through the fedora establishing a VPN 
> > > connection page, rather confusing, but I opened a Network settings window 
> > > for my VPN VM and added a VPN by importing an openvpn config file via the 
> > > VPN add a network connection's "import from file" option (and it seemed 
> > > to import fine).
> > >
> > > Now I am not entirely sure what I have. I of course did everything 
> > > outlined in the Qubes VPN page. I now have two network connection icons, 
> > > one for my wifi and another showing the VPN VM's eth? problem is the VPN 
> > > VM ethernet connection doesn't seem to be connected. When I go to network 
> > > via *settings* it now shows me three connections: Wired, the VPN I setup, 
> > > and Network Proxy.
> > >
> > > When I go via *Network Connections* it now shows me under Ethernet "VM 
> > > uplink eth0" and under VPN "VPN Provider" (the provider whose openvpn 
> > > config I imported). It shows the ethernet as having been used within the 
> > > last few minutes but the VPN as never having been used.
> > >
> > > On the Fedora page it mentions setting an autoconnect (automatically 
> > > connect to VPN when using this connection) option which I thought it was 
> > > talking about for the VPN but as I couldn't find it on the VPN connection 
> > > and could on the eth0 connection I tried setting the autoconnect to (and 
> > > selected the VPN connection from the pull down menu) but while I can 
> > > select it it does not stay selected if I restart the VPN VM.
> > >
> > > Now I am not able to connect to the internet on the VPN VM and def not 
> > > from another AppVM trying to use the VPN as a proxy.
> > >
> > > I am just not sure where I have gone wrong here. Where would I look for a 
> > > log to start trying to figure out the issue? (I saw a "run in debug mode" 
> > > under VM settings... might that be a place to start?)
> > >
> > > Thanks!
> > 
> > Hi again...
> > 
> > You should create a separate proxy vm for each type of vpn configuration 
> > you're trying, otherwise they will interfere with each other.
> > 
> > To get the openvpn + firewall method working, first try running openvpn 
> > manually with 'sudo openvpn [...]' before adding any scripts. Omit the 
> > --daemon option so it will display information you can use to 
> > troubleshoot the link.
> > 
> > Once you have the link working, you can try adding script lines to your 
> > .ovpn file and the qubes-vpn-handler, then test manually again. Finally, 
> > add the qubes-firewall-user-script and reboot the vm, then test again. 
> > Keep in mind that once you add the firewall it will block openvpn unless 
> > the latter is run under group 'qvpn' so you would type the following:
> > sudo groupadd -rf qvpn
> > sudo sg qvpn -c 'openvpn [...]'
> > 
> > NM connection... Try it in a fresh vm. The vpn autoconnect might not 
> > work, however; The last time I tried to use it, NM behaved erratically 
> > (and did not have appropriate firewall protections anyway).
> > 
> > Chris
> 
> Thanks I will try that out.

Some things came up so I hadn't gotten around to trying it out until now.

I created a new VM, VpnVM, and ran 

openvpn openvpn.ovpn

and yeah! it connected and I opened firefox from VpnVM, and it was using the 
vpn, then ran PersonalVM using VpnVM as my NetVM and PersonalVM also showed up 
as using the VPN so first hurdle cleared?

Lots more hurdles though as my understanding of it all drops off precipitously. 

I modified the /rw/config/openvpn/openvpn-client.ovpn file with the 

script-security 2
up 'qubes-vpn-handler.sh up'
down 'qubes-vpn-handler.sh down'

lines

and I created the qubes-vpn-handler.sh and changed permissions.

I then tried to start openvpn /rw/config/openvpn/openvpn-client.ovpn

and no go. I 

Re: [qubes-users] How to correctly install software to template from binary archives

2016-07-03 Thread Marek Marczykowski-Górecki
On Mon, Jul 04, 2016 at 03:24:09AM +0300, Eva Star wrote:
> 
> > Those links are generated from standard location: /usr/share/applications
> > You need to put .desktop file for your application. Take a look at
> > existing files there for examples.
> > 
> > After you create new file there, execute `qvm-sync-appmenus` in dom0
> > (with template VM name as an argument).
> 
> Thanks for the information :) Seems it works only for TemplateVM?
> Is it possible to somehow add custom links from AppVM to Start menu ->
> AppVM(domain) &


Currently no - this works only for TemplateVMs and StandaloneVMs - i.e.
only where /usr/share/applications persists.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?





Re: [qubes-users] How to correctly install software to template from binary archives

2016-07-03 Thread Marek Marczykowski-Górecki

On Sun, Jul 03, 2016 at 12:24:56PM -0700, Eva Star wrote:
> 
> >
> >
> > Oh, I thought you were saying it's an installer. If it's just a 
> > standalone executable, I suppose you can put it wherever you like. 
> > Maybe /home would make sense? You could even put it in the /home of an 
> > AppVM (instead of a TemplateVM), if you like, since it'll persist 
> > across reboots there. 
> >
> 
> But what is about the situation, when I want to have it at all VMs and I 
> want quick links at "Start" menu generated with qvm-app-sync ?
> It's not a problem to store it at any location. But how to add shortcut for 
> Qubes Sync? Need to find the answer

Those links are generated from standard location: /usr/share/applications
You need to put .desktop file for your application. Take a look at
existing files there for examples.

After you create new file there, execute `qvm-sync-appmenus` in dom0
(with template VM name as an argument).

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [qubes-users] Using sys-usb as music hub

2016-07-03 Thread Franz
On Sun, Jul 3, 2016 at 12:55 PM, Andrew David Wong  wrote:

>
> On 2016-07-03 07:11, Franz wrote:
> > On Sun, Jul 3, 2016 at 3:33 AM, Andrew David Wong
> >  wrote:
> >
> > On 2016-07-02 19:06, Franz wrote:
>  On Sat, Jul 2, 2016 at 11:05 AM, Andrew David Wong
>   wrote:
> 
>  On 2016-07-02 05:30, Franz wrote:
> >>> With Qubes release 3.x, having USB controller(s)
> >>> default assigned to sys-usb and Xen meddling checking
> >>> shared resources between different USB controllers, it
> >>> is even more difficult than R2 to use external USB
> >>> music hardware, either for output or input.
> >>>
> >>> So I wonder: why not use sys-usb as a music hub?
> >>> Everything is already assigned and all you have to do
> >>> is plug in external USB devices.
> >>>
> >>> Well, now all music I'm playing on other hardware are
> >>> mp3 downloaded from internet, which means sources that
> >>> I cannot control and eventually compromised. So this
> >>> may result in compromising sys-usb. Consequences? I do
> >>> not know, but I do know that the color of sys-usb is
> >>> default red, so this may not be a major problem.
> >>>
> >>> What do you think?
> >>>
> >>> I have seen that default sys-usb does not have a sys-net
> >>> VM. It may be possible to leave it as it is, playing
> >>> music saved on a USB medium, or it may be even more
> >>> convenient to connect sys-usb to a sys-net VM to
> >>> directly play music from youtube, internet radios, etc.
> >>> Would you do that?
> >>>
> >>> Best Fran
> >>>
> 
>  From a security perspective, I think you're right. sys-usb
>  and sys-net (in some cases, they may be combined) should be
>  assumed to be compromised, which means that we should assume
>  that an attacker could be using sys-usb to do anything
>  (including play music files). If we're already assuming that
>  an attacker could be doing this, why shouldn't you (the
>  actual owner of the system) not do it yourself, if you want
>  to?
> 
>  From a practical perspective, your performance may not be
>  very good if memory balancing is disabled and a low amount of
>  memory is assigned to the VM, so you may want to adjust this.
>  (You wouldn't adjust this to benefit an attacker, though, so
>  the analogy may start to break down here.)
> 
> 
> > Thanks Andrew, the most lightweight music player I could
> > find is Deadbeef, which is even portable, so no need to
> > install it in template. It works perfectly with the default
> > memory setting of sys-usb. I had to install also
> > pavucontrol in template to be able to raise the volume in
> > sys-usb beyond the maximum of Deadbeef.
> 
> > Really great sound now with very little work!! :-)) My dogs
> > are alarmed hearing loud music in my room.
> 
> > Just a small detail, is there a way to use QM "run command
> > in VM" to launch the script that starts portable Deadbeef?
> 
> > Best Fran
> 
> >
> > Sounds like it should be pretty straightforward to do that. Maybe
> > something like:
> >
> > qvm-run sys-usb /home/user/deadbeef.sh
> >
> >
> >> Well this runs in Dom0, not using Qubes manager "run command in
> >> VM", which, if opened in sys-usb, works directly in sys-usb.
> >
> >> Using "run command in VM" if you write "gnome-terminal" it opens
> >> a terminal, you write "firefox", it opens  firefox. But I have
> >> never been able to run a sh script this way.
> >
> >> Or am I misunderstanding what you wrote? Best
> >
>
> Both ways should work. (I tested again just now to confirm.) Perhaps
> you forgot to make your script executable or something?
>
>
Yes I forgot to make it executable. Many thanks

> --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org


Re: [qubes-users] xfce-question and -problem

2016-07-03 Thread Niels Kobschätzki

Marek Marczykowski-Górecki writes:

>
> On Sat, Jul 02, 2016 at 07:19:06AM +0200, Niels Kobschätzki wrote:
>> Hi,
>> 
>> since there are plans to move away from kde to xfce (or is it now
>> lxde?), I am trying to use xfce more.
>> But I have a problem. I usually start my programs via krunner or in i3
>> via dmenu. I can just start typing something like: untrusted:
>> google-chrome, hit enter and the application will start if it is in the
>> added shortcuts - usually typing only a couple of characters already
>> works.
>> With the Application Launcher that doesn't really work.
>> 
>> There are no suggestions when starting to type a domain-name, not even
>> when the domain-name is completed. When I type something completely like
>> "untrusted: gnome-terminal", the Launcher will on hitting enter show a
>> red icon left from the application-name but nothing else happens. I can
>> click on the right icon in the input field and a menu with the domains
>> and applications appear. When I start typing, I will see how the list
>> gets reduced. But there is still no tab-completion and I can "reach" the
>> apps only by clicking on them. And they still won't start. The Launcher
>> works for me only with dom0-applications. Am I doing something wrong?
>
> Instead of clicking on that icon, you can press down arrow. The same way
> you can choose application from there. So, you can enter fragment of
> domain name (not necessary its beginning!), then choose application
> using arrows.

Ooh…that works. Thanks a lot. This already improves xfce a lot for me.

>> Now my questions:
>>  - Is there any way to get the Exposé-mode in xfce like in KDE where I see 
>> all my open applications at once?
>
> You can have applications from all the desktops in Alt-tab when you
> enable it in "Cycling" tab of "Window Manager Tweaks".
> Or you can simply middle-click on empty space - personally I find this
> really convenient.

I was thinking more in terms of the documentation on secure use of full
screen mode:
"which are similar to Mac’s “Expose” effect, and which can be used to 
immediately detect potential “GUI forgery”, as they cannot be intercepted by 
any of the VM"

But cycling through everything improves it already. The middle click solution is
not really feasible for me. I run a lot of my stuff full screen since my 
display(s) have a rather low resolution (internal 1280x800; external when 
connected 1440x900).

>>  - Is there a way to get thumbnails from my applications in the
>>  app-switcher?
>
> If you enable composition ("Window Manager Tweaks"->"Compositor"),
> Alt-tab will include window contents.

Thanks

>
>>  - Or would I need to install something like compiz for that?
>> 
>> Please consider using xfce4-whiskermenu-plugin as the default menu. Its
>> search even works in contrast to the Application Launcher.
>> Right now it isn't installed by default.
>
> Thanks for the suggestion, will try this :)

It's really good. And in contrast to KDE you can assign Super to the
menu-button. For those people like me who are accustomed to using their windows-key
because they can't get rid of Windows on some of their machines :/

Niels



Re: [qubes-users] p70 rebrand $2k+ cheeper

2016-07-03 Thread Achim Patzner
Am 01.07.2016 um 03:19 schrieb bobby.the.jellyfish...@gmail.com:

> for those holding out for a p70 the ws72 is well worth a long look 
>
> https://www.msi.com/Workstation/WS72-6QJ.html
>
> i think it's the same laptop except max 32gb ram

Not quite and having 64GB of RAM is one of the features that made us buy
P-series machines. Plus the fact that Lenovo's on-site support is really
great in Germany. We've used up quite a number of main boards until we
found out which EFI settings to leave alone.


Achim



Re: [qubes-users] Qubes R3.2 - XFCE empty space on bottom of the desktop

2016-07-03 Thread Marek Marczykowski-Górecki

On Sat, Jul 02, 2016 at 05:26:00PM +, Patrick Schleizer wrote:
> I used 'default task bar' in XFCE.
> 
> When I start a dom0 terminal, if maximized, it uses all space on the screen.
> 
> When I start a VM terminal, even if maximized, it leaves a small area at
> the bottom empty. (Even if there is no task bar.)
> 
> How to fix this?

Do you mean empty panel at the bottom? If you don't use it, you can
remove it (right click on it).

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [qubes-users] external screen issue - hdmi switch no longer works with Qubes R3.2

2016-07-03 Thread Marek Marczykowski-Górecki

On Sat, Jul 02, 2016 at 05:07:00PM +, Patrick Schleizer wrote:
> Since dom0 was upgraded to R3.2 [on my test system], multi monitoring
> got worse. (It is not #2084 [1].)
> 
> I need to manually set to the external display now every time (in KDE),
> but I could live with that.
> 
> What is worse... That my HDMI switch that used to work fine with R3.1
> (and still does on my main system) is now broken in R3.2. Direct hdmi
> connection however still works. Both KDE and XFCE are affected by that.

Can you elaborate on this? What exactly is the effect?

> In XFCE monitor settings menu I did once see the external screen flash
> up for a second and then vanish again.
> 
> Any idea how to fix that?
> 
> Cheers,
> Patrick
> 
> [1] https://github.com/QubesOS/qubes-issues/issues/2084
> 

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [qubes-users] Re: Will KDE be deprecated? Migration for in-place upgrades?

2016-07-03 Thread Marek Marczykowski-Górecki
On Sat, Jul 02, 2016 at 01:50:13AM -0700, Eva Star wrote:
> > > Will this tool be available on the system when KDE is removed by
> > > default?
> >
> > Your guess is right - when KDE is not installed, there is also no
> > ksnapshot tool. But there are others, for example there is
> > xfce4-screenshooter, which supports mostly the same features.
> 
> Now, it's a bash script. I do all the jobs with kdialog to select the target VM,
> then I upload the image to this VM from dom0 and an additional temp script which
> does the job of uploading the image file to the imgur server, then opens gedit to
> show the results in the AppVM: image link link. Also it's possible to
> copy the URL automatically to the AppVM clipboard.
> 
> There are a lot of problems:
> 1) kdialog is always complaining about a "QClipboard event" (maybe because I'm
> on XFCE). Anyway, I do not like kdialog. :(
> 2) ksnapshot is used only because it has a "region selection" tool. I use
> D-Bus to control ksnapshot and extract screenshots from it.
> 
> There is a very fine alternative without dependencies called scrot.
> Scrot is okay, but it does not have an interface to give the user a way to
> select some region. I need some tool to select a region and get two (x,y)
> coordinates to capture that area of the screen and forget about ksnapshot.
> 
> As for me, it seems easier and better, instead of scripts like kdialog, to
> rewrite everything in clean C++ with some libs to do the jobs. But I only know how to
> write console apps. I have never done anything for a GUI, especially on Linux. Seems
> it's the place for Qt:
> 1) a region selector tool to receive two XY coordinates (Qt).
> 2) an alternative confirmation dialog in Qt
> 3) maybe some lib that can already capture screenshots, to move away from
> shell commands.

xfce4-screenshooter also supports selecting a screen region. But I doubt it
supports such a detailed API as ksnapshot. It does support some command
line options:

$ xfce4-screenshooter -h
Usage:
  xfce4-screenshooter [OPTION...] 

Help Options:
  -h, --help   Show help options
  --help-all   Show all help options
  --help-gtk   Show GTK+ Options

Application Options:
  -c, --clipboard  Copy the screenshot to the clipboard
  -d, --delay  Delay in seconds before taking the screenshot
  -f, --fullscreen Take a screenshot of the entire screen
  -m, --mouse  Display the mouse on the screenshot
  -o, --open   Application to open the screenshot
  -r, --region Select a region to be captured by clicking a
point of the screen without releasing the mouse button, dragging your
mouse to the other corner of the region, and releasing the mouse button.
  -s, --save   Directory where the screenshot will be saved
  -u, --upload Host the screenshot on ZimageZ, a free online
image hosting service
  -i, --imgur  Host the screenshot on Imgur, a free online
image hosting service
  -V, --version    Version information
  -w, --window Take a screenshot of the active window
  --display=DISPLAY    X display to use


-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Qubes R3.2 Failed to Load Kernel Modules

2016-07-03 Thread Marek Marczykowski-Górecki
On Sat, Jul 02, 2016 at 10:12:02AM +0200, Alex wrote:
> It is harmless indeed, and I have a laptop with a simple Fedora 23 on it
> with the same error message on boot. Still I find it active (exited) in
> systemctl status, as in Qubes. It started to happen a couple weeks ago
> on Fedora; I updated that laptop to Fedora 24, and the error is still there.
> 
> I think the service gets loaded twice: the first time it fails, and the
> second time it succeeds. 

This indeed may be the case - the first one would be from initramfs.
I wonder what module fails to load... But probably nothing important.

> It's not a direct problem with Qubes, but I
> can't confirm that the Fedora team has a ticket for this situation.
> Sadly I don't have enough information to formalize a ticket...


-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] How to correctly install software to template from binary archives

2016-07-03 Thread Eva Star

> Oh, I thought you were saying it's an installer. If it's just a 
> standalone executable, I suppose you can put it wherever you like. 
> Maybe /home would make sense? You could even put it in the /home of an 
> AppVM (instead of a TemplateVM), if you like, since it'll persist 
> across reboots there. 

But what about the situation when I want to have it in all VMs and I
want quick links in the "Start" menu generated with qvm-sync-appmenus?
It's not a problem to store it at any location. But how to add a shortcut for
Qubes sync? Need to find the answer.



Re: [qubes-users] xfce-question and -problem

2016-07-03 Thread Marek Marczykowski-Górecki
On Sat, Jul 02, 2016 at 07:19:06AM +0200, Niels Kobschätzki wrote:
> Hi,
> 
> since there are plans to move away from kde to xfce (or is it now
> lxde?), I am trying to use xfce more.
> But I have a problem. I usually start my programs via krunner or in i3
> via dmenu. I can just start typing something like: untrusted:
> google-chrome, hit enter and the application will start if it is in the
> added shortcuts - usually typing only a couple of characters already
> works.
> With the Application Launcher that doesn't really work.
> 
> There are no suggestions when starting to type a domain-name, not even
> when the domain-name is completed. When I type something completely like
> "untrusted: gnome-terminal", the Launcher will on hitting enter show a
> red icon left from the application-name but nothing else happens. I can
> click on the right icon in the input field and a menu with the domains
> and applications appear. When I start typing, I will see how the list
> gets reduced. But there is still no tab-completion and I can "reach" the
> apps only by clicking on them. And they still won't start. The Launcher
> works for me only with dom0-applications. Am I doing something wrong?

Instead of clicking on that icon, you can press the down arrow. The same way
you can choose an application from there. So, you can enter a fragment of the
domain name (not necessarily its beginning!), then choose the application
using the arrows.

> Now my questions:
>  - Is there any way to get the Exposé-mode in xfce like in KDE where I see 
> all my open applications at once?

You can have applications from all the desktops in Alt-Tab when you
enable it in the "Cycling" tab of "Window Manager Tweaks".

Or you can simply middle-click on empty space - personally I find this
really convenient.

>  - Is there a way to get thumbnails from my applications in the
>  app-switcher?

If you enable composition ("Window Manager Tweaks"->"Compositor"),
Alt-tab will include window contents.

>  - Or would I need to install something like compiz for that?
> 
> Please consider using xfce4-whiskermenu-plugin as the default menu. Its
> search even works, in contrast to the Application Launcher.
> Right now it isn't installed by default.

Thanks for the suggestion, will try this :)

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Nesting: VMWare in Whonix/Debian

2016-07-03 Thread Marek Marczykowski-Górecki
On Sat, Jul 02, 2016 at 02:24:01AM -0700, miralda.gust...@gmail.com wrote:
> Is nested virtualization possible in R3.1? I've looked at some of the other 
> topic questions similar to this but I couldn't find a concrete answer. 
> 
> I've been attempting to run VMWare in Whonix but I keep running into this 
> error 
> 
> "Before you can run VMware, several modules must be compiled and loaded into 
> the running kernel.
> 
> Kernel Headers 4.1.13-9.pvops.qubes.x8664
> 
> Kernel headers for version 4.1.13-9.pvops.qubes.x86_64 were not found. If you 
> installed them in a non-default path you can specify the path below. 
> Otherwise refer to your distribution's documentation for installation 
> instructions and click Refresh to search again in default locations"
> 
> So far I've
> 
> > Downloaded 4.1.13-9.pvops.qubes.x86_64.rpm from 
> > https://ftp.qubes-os.org/repo/yum/r3.1/current/vm/fc23/rpm/ 
> > Converted RPM to Deb with Alien
> 
> Still ran into the same issue
> 
> Is this supported yet or am I just wasting my time?

You may try the way you've tried, probably adding some symlinks etc.
(check where those headers were installed). But I haven't seen any
successful attempt...

On the other hand, you may try with the kernel from the Debian repository, which
has headers already packaged as a deb. Take a look here:
https://www.qubes-os.org/doc/managing-vm-kernel/#installing-kernel-in-debian-vm

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] [3.2rc1] Installer boot error '/dev/root' does not exist

2016-07-03 Thread matteo . crackme
I'm having this problem too, and I don't know how to disable alua.

[ 8.319 ] dracut-pre-trigger[547]: cat /tmp/dd_disk: No such file or directory
[ OK ] Started Show Plymouth Boot Screen.
[ OK ] Reached target Paths.
[ OK ] Reached target Basic System.
BLOCKS HERE
[ 14.014 ] sd 7:0:0:0:0: alua: Attach failed (-22)
[ 14.016 ] sd 7:0:0:0:0: [sdf] Asking for cache data failed
[ 14.016 ] sd 7:0:0:0:0: [sdf] Assuming drive cache: write through
If I boot in "basic graphic mode" 3 additional lines are displayed and it
blocks again.
This happens on two computers.
If I press Tab and at the end add a "blacklist alua" line nothing changes (not
sure it is the right way to do it).
I'd like to use the new Qubes OS release but can't install it right now.



Re: [qubes-users] RFC: Local name services and VMs

2016-07-03 Thread Marek Marczykowski-Górecki
On Sat, Jul 02, 2016 at 02:30:15PM +0200, Alex wrote:
> On 07/02/2016 02:19 PM, Achim Patzner wrote:
> > Hi!
> > 
> > 
> > Am I the only one who would like an integrated name service management
> > for local services that will be provisioned at the time of VM creation
> > (e. g. if you create a machine "builder" its assigned IP address could
> > be added to the locally running dnsmasq on the NetVM)?
> This somehow is against the principle of "isolation" between the
> AppVM... But I can understand that, from a developer point of view, this
> may be helpful - if, for example, you develop web-apps and assign a
> web-app per AppVM to host.
> 
> Yet, Qubes OS is designed for workstations, and it may be argued that
> developer workstations may host the services they are developing. I
> think, IMHO, that this is wrong, and may lead to unnecessary complexity
> in dealing with the subtleties of the application working on the
> developer's workstation but not in production. I would recommend to test
> them on the work AppVM, and then complete testing in a staging environment.

I use a somewhat similar workflow - have the code in one VM, then compile and
test in another VM. To transfer between those VMs I use a git connection.
Take a look here for details:
https://www.qubes-os.org/doc/development-workflow/#tocAnchor-1-1-3

Another possibility is to send already compiled artifacts to the
testing VM, then trigger a script which will deploy whatever landed in
`~/QubesIncoming/development-vm`. A variant of it is described here:
https://www.qubes-os.org/doc/development-workflow/#tocAnchor-1-1-4

> I myself built a low-cost staging machine, with proxmox and several VMs
> with a centos template: my production machines are typical VPSs with
> centos, so the differences between staging and production are minimal.
> 
> Beyond the developer point of view, do you think there would be other
> examples that would benefit from having Qubes AppVMs mutually visible?
> (thus needing an auto-registering name resolution system?)

Generally, if your workflow assumes frequent communication between two
VMs, it may mean you are doing something wrong - those VMs should either not
communicate at all, or be a single VM. But there may also be valid use
cases - for example uni-directional communication (you send
something to a less trusted VM and never retrieve it back).
Also it's better to use qrexec services for that, to reduce the attack surface
(it takes the whole networking stack out of the picture, plus the policy is
enforced by dom0 instead of a potentially compromised netvm or firewallvm).

It should be easy to hook any TCP connection into qrexec using socat. 

Something like this (untested):

source VM: launch this somewhere (/rw/config/rc.local?)

socat TCP-LISTEN:,fork EXEC:"qrexec-client-vm target-vm my-tcp-service"

target VM: /usr/local/etc/qubes-rpc/my-tcp-service (this is stored in /rw):

socat STDIO TCP:localhost:

dom0: /etc/qubes-rpc/policy/my-tcp-service

source-vm target-vm allow


@Andrew do you think we should have this documented somewhere? Or maybe
even some tooling to ease such setups?
But first it would be good to actually test the above instructions ;)

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
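The dom0 policy file sketched above is the piece that moves enforcement out of the (possibly compromised) netvm. As an added example, not Marek's code and not the Qubes source, here is a small Python model of how a Qubes R3.x qrexec policy file is evaluated, assuming the documented format: one `source destination action[,options]` rule per line, `$anyvm` as a wildcard, `#` comments, first match wins, `allow,target=X` redirects the call, and no match means deny. It also flags rules that an earlier catch-all shadows, the ordering slip that silently turns a deny into an allow.

```python
"""Model of qrexec policy evaluation for a service such as my-tcp-service.

Constructed example; it is not the qubes-core implementation. It assumes the
R3.x policy format documented by the Qubes project:
  - one rule per line: "<source> <destination> <action>[,<key>=<value>...]"
  - '$anyvm' matches any VM name
  - actions are allow / deny / ask
  - rules are tried top to bottom, first match wins, no match denies
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ACTIONS = ("allow", "deny", "ask")

# Constructed policy, modelled on the thread's "source-vm target-vm allow" line.
POLICY_TEXT = """\
# /etc/qubes-rpc/policy/my-tcp-service (constructed example)
source-vm   target-vm   allow
dev-vm      target-vm   ask
build-vm    target-vm   allow,target=staging-vm
$anyvm      $anyvm      deny
"""


@dataclass
class Rule:
    source: str
    target: str
    action: str
    options: Dict[str, str] = field(default_factory=dict)


def parse_policy(text: str) -> List[Rule]:
    """Parse policy text into rules, rejecting malformed lines outright:
    a typo in a policy file must never be read as a permissive rule."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'source target action', got {line!r}")
        source, target, action_spec = fields
        action, _, opt_text = action_spec.partition(",")
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        options: Dict[str, str] = {}
        for opt in filter(None, opt_text.split(",")):
            key, _, value = opt.partition("=")
            options[key] = value
        rules.append(Rule(source, target, action, options))
    return rules


def _matches(pattern: str, name: str) -> bool:
    return pattern == "$anyvm" or pattern == name


def evaluate(rules: List[Rule], source: str, target: str) -> Tuple[str, str]:
    """Decide a call from `source` to `target`: the first matching rule wins,
    an 'allow,target=X' option redirects the call to X, and when nothing
    matches the call is denied (closed by default)."""
    for rule in rules:
        if _matches(rule.source, source) and _matches(rule.target, target):
            return rule.action, rule.options.get("target", target)
    return "deny", target


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    covers every (source, target) pair they match. A '$anyvm $anyvm allow'
    placed above a specific deny is the classic mistake this catches."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.source in ("$anyvm", later.source)
                    and earlier.target in ("$anyvm", later.target)):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    rules = parse_policy(POLICY_TEXT)
    for src, dst in [("source-vm", "target-vm"), ("dev-vm", "target-vm"),
                     ("build-vm", "target-vm"), ("source-vm", "other-vm")]:
        print(f"{src} -> {dst}: {evaluate(rules, src, dst)}")
    print("shadowed rules:", shadowed_rules(rules))
```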


Re: [qubes-users] Linux-libre in dom0

2016-07-03 Thread raahelps
You can probably just copy the kernel config from the dom0 kernel. Hopefully someone
corrects me if I'm wrong. The template VM is what uses the network firmware, it's
what the AppVMs use, so that's probably where you would want the libre kernel
anyway.



Re: [qubes-users] Linux-libre in dom0

2016-07-03 Thread raahelps
On Saturday, July 2, 2016 at 3:09:59 AM UTC-4, Duncan Guthrie wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> On 01/07/16 18:19, raahe...@gmail.com wrote:
> > On Friday, July 1, 2016 at 7:47:11 AM UTC-4, Duncan Guthrie wrote:
> > 
> > 
> > On 01/07/16 02:05, raahe...@gmail.com wrote:
>  On Thursday, June 30, 2016 at 8:49:16 PM UTC-4, Duncan
>  Guthrie wrote: On 01/07/16 00:03, Marek Marczykowski-Górecki
>  wrote:
> >>> On Thu, Jun 30, 2016 at 10:57:42PM +0100, Duncan
> >>> Guthrie wrote:
>  Dear Qubes Users, I have been using Qubes OS for a
>  couple of days now. I own a Lenovo Thinkpad X200 and
>  everything works fine, including WiFi. However, I am
>  concerned about this, because my X200 has an Intel
>  WiFi chipset, which I know uses proprietary firmware.
>  I am concerned about this because the firmware could
>  be malicious, so I think this is quite bad from a
>  security perspective. The more proprietary software,
>  the worse security you have, as has been shown many
>  times. Since the hardware is secret, it is possible 
>  that the WiFi chipset could be used to do malicious
>  actions without any way to tell. I am especially
>  concerned about the firmware being in dom0, which has
>  access to the hardware.
> >>> 
> >>> WiFi card is assigned to NetVM and have no access to
> >>> dom0. So even if its firmware is malicious, it
> >>> shouldn't be a big problem. It may at most mess with
> >>> your network traffic - which should be encrypted anyway
> >>> for anything sensitive.
> >>> 
> >>> In practice the only firmware still needed in dom0, is
> >>> the one for GPU (if applicable).
> >>> 
>  I think this is a good idea in general, whether the firmware
>  is free software or proprietary software. However, there are
>  certain wireless chipsets (made by Atheros corporation) which
>  work without a proprietary firmware blob for WiFi, but don't
>  for Bluetooth, so even if they largely work without the
>  proprietary program, the operating system still loads some
>  proprietary program not needed (most people don't use
>  Bluetooth at any rate). I own such a chipset on my desktop
>  computer; Debian works without any proprietary software at
>  all, while Tails loads firmware for the Bluetooth. What is
>  the answer to this, do you make exceptions for firmware only
>  for wireless cards and GPUs? Or do you just allow them all
>  through.
>  
>  Another thing I have read is that Linux-libre's deblob
>  scripts don't just get rid of firmware that is proprietary,
>  it removes all binary files disguised as source files (e.g.
>  some binary file named "something.h") and "obfuscated" driver
>  sources (I believe that the 2D nv driver has been accused of
>  this). Would you consider at least adapting the deblob
>  scripts from Linux-libre to work for your kernel to only
>  allow select firmware through, for the most common computers?
>  Another option, like Debian (and, if I recall, Ubuntu to some
>  extent, although I have never installed Ubuntu), which I
>  think would be even better is to have a completely free 
>  kernel by default, then a separate repository for firmware,
>  which can be enabled in the installation process. It would
>  probably be considerably simpler than adapting the deblob
>  scripts to be quite selective, too. It wouldn't make Qubes
>  compliant with the Free Software Foundation's "Free Software
>  Distribution Guidelines", but I think that from a security
>  perspective it is better than including the proprietary
>  'blobs' by default, and is a balance between usability of
>  obscure hardware and security of dom0 (it never hurts). What
>  do you think of this proposal?
>  
>   Thanks for your reply, it was really helpful for
>  allowing me to understand more about your security policies.
>  
>  D.
>  
>  
>  
>  I think what Marek is saying is that from a security
>  standpoint it doesn't really matter because the netcard is
>  isolated even at the hardware level on an IOMMU-supported
>  system. And if it messes with your network traffic you
>  should be using encryption, https or tor etc.
>  
>  I think the reason they are not adopting such a kernel is because
>  Qubes is trying to get more users and hardware compatibility
>  is the biggest hurdle and turn-off for people. It's still a new
>  type of OS and people are hesitant. Also most people use
>  laptops and wouldn't be as willing to buy an external USB
>  network card for Qubes. Which might also be troublesome in
>  some cases when trying to isolate USB controllers.
>  
> > I understand what Marek is saying. I'm 

Re: [qubes-users] Question on "security critical code" page

2016-07-03 Thread Andrew David Wong
On 2016-07-03 05:49, danmichaels8...@gmail.com wrote:
> I have a question on the "security-critical code" page on the
> QUBES OS website
> 
> https://www.qubes-os.org/doc/security-critical-code/
> 
> "There is an important distinction between the buggy code and 
> maliciously trojaned code. We could have the most secure
> architecture and the most bulletproof TCB that perfectly isolates
> all domains from each other, but it still would be pretty useless
> if all the code used within domains, e.g. the actual email clients,
> word processors, etc, was somehow trojaned. In that case only
> network-isolated domains could be somehow trusted, while all others
> could be not.
> 
> The above means that we must trust at least some of the vendors
> (not all, of course, but at least those few that provide the apps
> that we use in the most critical domains). In practice in Qubes OS
> we trust the software provided by Fedora project. This software is
> signed by Fedora distribution keys and so it is also critical that
> the tools used in domains for software updates (yum and rpm) be
> trusted."
> 
> I am very confused by this part on the page.
> 
> It seems to imply that QUBES depends on being able to trust the 
> security of word processors etc.
> 
> I thought the whole point of QUBES was that nothing is ever 
> up-to-date and secure, and thus, you put everything in a sandbox
> and isolate it all... and therefore, it doesn't matter about things
> like security problems with a word processor.
> 
> But this page seems to imply something different.
> 
> Can someone explain this to me?
> 

Here's an analogy:

Suppose you have a very secure house. It's very secure in the sense
that the walls and doors are very difficult to break, and the locks on
the doors are very difficult to pick. Only you have the keys to these
locks, so only you can unlock them.

However, some of the rooms in your house have windows. If an intruder
manages to open any of the windows, he can easily climb in and out. To
keep the windows secure, you rely on window shutters. However, you're
not sure how secure these shutters are because you got them from a
standard home improvement store, which focuses on making nice-looking,
functional window shutters (rather than security-oriented window
shutters). If it turns out that you purchased insecure shutters, then
it'll be relatively easy for intruders to enter all of the rooms in
your house that have windows. (However, it will still be very
difficult for them to move between rooms and to access any rooms
without windows.)

In this analogy, the window shutters represent apps (such as word
processors and browsers) that run in AppVMs. These are standard,
received from upstream projects, not developed by Qubes, and typically
not developed with security in mind. (Whonix is a notable exception,
of course.) The windows represent network access. The walls represent
VM isolation. The doors represent secure inter-VM channels
(copy/paste, file transfer).

The moral of the story is: It doesn't matter how strong your walls and
doors are if your window shutters are letting intruders in and out
through your windows. Likewise, it doesn't matter how good your VM
isolation is if your apps are all compromised. The exception is the VM
("room") that has no network access ("windows"). But even this isn't
entirely safe due to the existence of covert channels ("air ducts").

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Re: [qubes-users] Re: Opengl, passwords, crypt, vpn and docs

2016-07-03 Thread Andrew David Wong
On 2016-07-03 04:47, Eva Star wrote:
> Please, somebody who can, add the information to qubes-issues that
> we need to use other software than cryptsetup to encrypt AppVM
> containers (for layer 2).
> 

Sorry, but we need more information before this would make a suitable
issue. Please clarify the proposed feature. What is the threat model?
What is the benefit? What does "layer 2" mean in this context?

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Re: [qubes-users] How to correctly install software to template from binary archives

2016-07-03 Thread Andrew David Wong
On 2016-07-03 04:43, Eva Star wrote:
>> 3. Install it in the TemplateVM.
>> 
> How to install it? What is the unix way for this? If I have only
> directory of the program without installer? Where is the best place
> to store such apps?
> 

Oh, I thought you were saying it's an installer. If it's just a
standalone executable, I suppose you can put it wherever you like.
Maybe /home would make sense? You could even put it in the /home of an
AppVM (instead of a TemplateVM), if you like, since it'll persist
across reboots there.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-
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=htOM
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a9d62e0d-308b-432b-ea9a-2ba9efcf85d7%40qubes-os.org.


Re: [qubes-users] GPU Passthrough Question

2016-07-03 Thread Marcus at WetwareLabs


On Saturday, July 2, 2016 at 6:12:57 PM UTC+3, foss-...@isvanmij.nl wrote:
>
> Interesting, I haven't noticed the thread you mentioned. The thread I 
> referenced to was more than a year ago.
>
> So if I read through it quickly, this guy had succeeded in passing through 
> his GTX980, but it went wrong on the driver installation (code 43). This is 
> expected, as nVidia disables the card automatically when a virtualised 
> environment is found. Solution is to hide the virtualisation extensions 
> inside the VM, more info on this matter here:
>
> https://lime-technology.com/forum/index.php?topic=38664.0
>
> Marcus, are you reading?
>
>
Hi, 

passing through now works with the QEMU running in dom0, but as it's 
inherently quite unsafe, we are working on the passthrough issues when QEMU 
is running in stubdom (a separate "helper-VM" only for QEMU), which is the 
default configuration of HVMs created with Qubes VM Manager (see 
discussion here: https://github.com/QubesOS/qubes-issues/issues/1659 ). 
Currently it's broken, but some progress has been made.

Yes, the issue with Nvidia cards (code 43) could be related to the driver 
detecting that it's running inside a VM. The link you provided tells about a 
solution that's specific to KVM (the -cpu kvm=off flag) and there's not yet 
a way to hide the hypervisor in Xen (AFAIK). Also there's the new patch in 
KVM to spoof the hypervisor vendor id (hv_vendor_id) that supposedly has 
solved the remaining problems. It would be awesome if Xen could have these 
patches ported from KVM! My Oculus Rift should arrive in a few weeks, so I'm 
very anxious to get the GTX980 working before that :)

Note that on many occasions I also had a BSOD during boot (and not just code 
43) when testing with GTX980 drivers installed. Also there were similar 
issues with a Radeon 6950, but the reset patch (see here 
https://groups.google.com/d/msg/qubes-users/zHmaZ3dbus8/4ZfZf6BmCAAJ) 
seemed to solve those, and I haven't had a BSOD after that (regarding Radeon, 
but I haven't tested the reset patch with Nvidia cards yet).

Best regards,
Marcus


 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/52a5da5b-a98e-4b9e-8206-e3e9b20b7214%40googlegroups.com.


[qubes-users] Re: Qubes Screenshot Tool with imgurl auto upload available. [beta]

2016-07-03 Thread Eva Star
I did some research and found that we can send screenshots to gthumb (Gnome 
Thumbs) and add the ability to upload screenshots to imgurl into it, like the 
tool already does. But it does not solve anything. 

We need some lightweight image editing software in the AppVM to edit images for:
1) annotate
2) blur some area
3) crop.

Gthumb can only crop. Maybe GIMP? But it's too heavy.
Also there is Shutter in the Fedora Fusion repository. But it has a lot of 
dependencies (2 MB Shutter + 100 MB dependencies).

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/afc9369f-9361-4f30-959c-6aee51ed4c1e%40googlegroups.com.


Re: [qubes-users] Split GPG and ssh keys

2016-07-03 Thread Eva Star

Seems it can be easily done with the new GnuPG version. Quote:

> To summarize: Either you use GnuPG 2.1, which is currently in beta. When 
> using this version, you can simply start gpg-agent with the 
> --enable-ssh-support option and add the keygrip for your GPG key (or subkey) 
> into ~/.gnupg/sshcontrol.
> When you are using the current stable GnuPG version (2.0.x) you can use 
> monkeysphere to add your key to gpg-agent (again, after starting gpg-agent 
> with the --enable-ssh-support option).
> It is also possible to use GNOME keyring (or even the regular ssh-agent) 
> with the help of monkeysphere. The only problem in this case is that you 
> will have to re-add your key when logging on again (into Gnome or XFCE). To 
> solve this you can manually export your key and convert it.


P.S. Google by default sets up the cursor in the answer text area ready for top 
posting.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0b02dd92-b81f-4141-9414-5ac4dbb9fe69%40googlegroups.com.

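The quoted recipe (GnuPG 2.1: gpg-agent with --enable-ssh-support plus the keygrip in ~/.gnupg/sshcontrol) as a small script, added here as an example and not taken from the post or from GnuPG itself. It works on a constructed sample of `gpg --with-keygrip -K` output with placeholder keygrips, and the function names are my own.

```sh
#!/bin/sh
# Added example: register a GnuPG authentication subkey with gpg-agent's
# ssh support (GnuPG 2.1+). Three idempotent steps:
#   1) put enable-ssh-support into gpg-agent.conf
#   2) find the keygrip of the [A] (authentication) subkey
#   3) add that keygrip to sshcontrol exactly once

# Constructed sample of `gpg --with-keygrip -K` output; the fingerprint and
# keygrips are placeholders, not real keys.
SAMPLE_GPG_OUTPUT='sec   rsa4096 2016-07-03 [SC]
      0000000000000000000000000000000000000000
      Keygrip = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
uid           [ultimate] Example User <user@example.org>
ssb   rsa4096 2016-07-03 [E]
      Keygrip = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
ssb   rsa4096 2016-07-03 [A]
      Keygrip = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC'

# Print the keygrip of every key or subkey whose usage flags include A
# (authentication). Reads `gpg --with-keygrip -K` output on stdin.
# Only the [A] key belongs in sshcontrol; exposing the [E] or [SC] key
# to ssh clients would be unnecessary privilege.
auth_keygrips() {
    awk '
        /^(sec|ssb)/ {
            want = 0
            if (match($0, /\[[ACES]+\]/))
                want = index(substr($0, RSTART, RLENGTH), "A") > 0
            next
        }
        want && $1 == "Keygrip" { print $3; want = 0 }
    '
}

# Append KEYGRIP to the sshcontrol FILE unless it is already listed.
# Returns 0 when added, 1 when it was already present.
add_to_sshcontrol() {
    keygrip=$1
    file=$2
    [ -f "$file" ] || : > "$file"
    if grep -q "^$keygrip" "$file"; then
        return 1
    fi
    # sshcontrol lines are "KEYGRIP [TTL [FLAGS]]"; a bare keygrip uses defaults.
    printf '%s\n' "$keygrip" >> "$file"
}

# Make sure gpg-agent.conf under the given GnuPG home dir enables ssh support.
enable_ssh_support() {
    conf=$1/gpg-agent.conf
    [ -f "$conf" ] || : > "$conf"
    grep -q '^enable-ssh-support' "$conf" || echo enable-ssh-support >> "$conf"
}

# Real usage (not executed here, so the script also runs offline):
#   enable_ssh_support "$HOME/.gnupg"
#   gpg --with-keygrip -K | auth_keygrips | while read -r g; do
#       add_to_sshcontrol "$g" "$HOME/.gnupg/sshcontrol" || echo "$g already listed"
#   done
#   gpg-connect-agent reloadagent /bye && ssh-add -L   # the [A] key should be listed
```

After reloading the agent, `ssh-add -L` printing the key is the check that the wiring worked; if it stays empty, SSH_AUTH_SOCK usually still points at the regular ssh-agent rather than gpg-agent's socket.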

[qubes-users] Re: Opengl, passwords, crypt, vpn and docs

2016-07-03 Thread Eva Star
Please, somebody who can, add the information to qubes-issue that we need 
to use other software than cryptsetup to encrypt AppVM containers (for 
layer 2).

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8f825bef-3a47-46b0-9e33-d4a77ddab5e3%40googlegroups.com.


Re: [qubes-users] How to correctly install software to template from binary archives

2016-07-03 Thread Eva Star
 

> 3. Install it in the TemplateVM. 
>
How to install it? What is the unix way for this? If I have only the directory 
of the program without an installer? Where is the best place to store such 
apps?
 

> 4. Edit your app launcher menu to add the command that launches the 
> app. (This doesn't make it visible to qvm-sync-apps. I think you have 
> to make a .desktop file to do that; not sure.) 
>
> I'm not sure what you mean by "How to add it to... Qubes Manager." 
> Programs aren't added to Qubes Manager. 
>

With "How to add it to.. Qubes Manager" I mean exactly paragraph 4. from 
your answer. In other words, how to create a .desktop shortcut and where to 
save it in the TemplateVM to make such manually added applications visible to 
qvm-sync-apps. 
Maybe this information also needs to be added to the Qubes Docs:


Thanks for your answer!

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/22457a9b-7be2-4a86-9dd2-1e1392750b81%40googlegroups.com.


Re: [qubes-users] Suggestion: Allow modification of Firewall Rules of several Vms at once

2016-07-03 Thread grzegorz . chodzicki
On Saturday, 2 July 2016 15:44:38 UTC+2, user Andrew David Wong wrote:
> On 2016-07-02 02:50, Grzesiek Chodzicki wrote:
> > The users who are connected to the network are assumed to be
> > authorized. The firewall restriction is not meant to protect the
> > share against malicious users, it is supposed to protect against
> > untrusted AppVMs.
> 
> What's the difference between a malicious user and a malicious AppVM?
> 
> > Moreover password based authentication could be used by malicious
> > AppVMs in a Denial-Of-Service scenario where AppVMs send
> > authentication requests to exhaust server resources.
> > 
> 
> Ok, but isn't it the server's responsibility to protect itself from
> that sort of attack? What if you have other, non-Qubes machines on
> your network, and one or more of them gets compromised and tries to
> DoS the server?
> 
> Certainly if we're talking about a home network using a consumer
> router, the network should be regarded as untrusted. (Even more so if
> the network is shared with anyone else.)
> 
> 
> P.S. - Please avoid top posting.
> 
> > 2016-07-02 4:08 GMT+02:00 Andrew David Wong :
> > 
> > On 2016-07-01 11:04, Grzesiek Chodzicki wrote:
> > > @Andrew
> > > 
> > > A user has a network share on the internal network. This
> > > share does not require the user to provide any extra
> > > credentials to access it (for the same reason Qubes uses
> > > passwordless sudo). The user creates a separate AppVM in
> > > order to access the share and, in Qubes Firewall, allows the
> > > AppVM to connect to the share. However unless the user
> > > specifically forbids every other VM access to the share they
> > > can connect to it too (due to Qubes NAT all AppVMs use the
> > > same LAN IP and MAC address so the share cannot
> > > differentiate between the AppVM that is supposed to access it
> > > and AppVMs that aren't). Because every AppVM can connect to
> > > the share they can now use it as a covert communications
> > > channel.
> > > 
> > > I tried to be as clear as I could with this one; I hope you 
> > > understand what I'm trying to convey.
> > > 
> > 
> > Why not require a password to access the network share, then only 
> > type/paste that password in the authorized AppVM? The reason for 
> > passwordless sudo in Qubes is that it provides no extra security,
> > but it seems like requiring a password to access your network share
> > would provide some security in this situation (unless, of course,
> > the authentication mechanism can be trivially bypassed for some
> > reason).
> > 
> 
> - -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org

Sorry about top-posting, I clicked on reply-to-all.

>What's the difference between a malicious user and a malicious AppVM?

Even if an AppVM becomes malicious, its network access is restricted by the Qubes 
firewall (unless the AppVM can somehow escape the sandbox, but that's beyond the 
scope of the discussion). A malicious user would have unrestricted control over 
his/her system.

>Ok, but isn't it the server's responsibility to protect itself from
>that sort of attack? What if you have other, non-Qubes machines on
>your network, and one or more of them gets compromised and tries to
>DoS the server?

>Certainly if we're talking about a home network using a consumer
>router, the network should be regarded as untrusted. (Even more so if
>the network is shared with anyone else.)

It most certainly is the server's responsibility, but it wouldn't hurt if the 
attack surface was reduced by restricting VMs' access to it.

I understand that this is a very low priority issue however I feel that it 
would help users easily enforce the least-access policy in their Qubes 
instances.


Re: [qubes-users] [3.2rc1] Installer boot error '/dev/root' does not exist

2016-07-03 Thread rvalle
On Sunday, June 26, 2016 at 12:50:52 PM UTC+2, Marek Marczykowski-Górecki wrote:
> On Sun, Jun 26, 2016 at 06:45:50AM -0400, Chris Laprise wrote:
> > More info, Marek...
> > 
> > When I try to scan the /dev/sdb device with partx, it says the device is not
> > readable or not valid device.
> > 
> > When I plug in another USB stick, the partitions are enumerated as /dev/sdc1
> > etc. but they cannot be mounted (devices are unreadable).
> > 
> > From dmesg, these errors occur right before the /dev/root error and
> > stoppage:
> > 
> > scsi 6:0:0:0: Direct-AccessSamsung Flash Drive1100 PQ: 0 ANSI: 6
> > sd 6:0:0:0: alua: supports implicit and explicit TPGS
> > sd 6:0:0:0: alua: No target port descriptors found
> > sd 6:0:0:0: alua: Attach  failed (-22)
> > sd 6:0:0:0: Failed to add device handler: -22
> > sd 6:0:0:0: [sdb] ...several lines with drive size and flags...
> > (trace dump occurs)
> > 
> > This thread says disabling 'alua' module (scsi_dh_alua?) can resolve the
> > issue:
> > https://www.linuxquestions.org/questions/linux-hardware-18/corsair-flash-voyager-slider-usb-memory-stick-fails-to-attach-4175572901/
> > 
> > Should 'alua' even be present? AFAIK it is for large infrastructure. Fedora
> > installer does not seem to enable it by default.
> 
> Indeed looks like something unnecessary on desktop system.
> Try adding this to kernel command line:
> 
> rd.driver.blacklist=scsi_dh_alua
> 
> - -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

I am having the same problem. I am trying to apply this boot option, and test 
if it works.

But, how do you do it? Sorry this question might be too basic.

Editing the boot command in Grub shows "...placeholder qubes-verbose" and the 
options are not accepted. 

I don't see any way of editing "qubes-verbose" inside grub command line. I have 
been googling around and reading Grub documentation and there is no trace of 
such functionality. 

Also mounting and editing the file on the USB seems not possible because it is 
a read only ISO filesystem.

Surely many qubes users will have to tune a boot parameter at installation 
time, so there must be a simple way to do this.

I fear I might have to build a patched ISO for this. 

Surely there must be something I am missing.

How can I test this easily?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/48f2603a-4a6a-4760-9266-e83a9054d55a%40googlegroups.com.


Re: [qubes-users] USB-passthrough in 3.2 RC1 not working for me

2016-07-03 Thread Niels Kobschätzki

Alex writes:

> On 07/03/2016 11:07 AM, Niels Kobschätzki wrote:
>> Hi,
>> 
>> I am trying now the USB-passthrough with my USB-webcam again after
>> upgrading my template to 3.2 and installing qubes-usb-proxy.
>> 
>> I attach my webcam and qvm-usb displays it as: sys-usb:3-1.2
>> 046d:0826 046d_HD_Webcam_C525_33E0C3B0
>> 
>> [...]
>> Any help or ideas?
> Really unqualified idea, but... Could you please try to proxy the whole
> 3-1 device instead of the 3-1.2 characteristic? Something like
>
> $ qvm-usb -a personal sys-usb:3.1
>
> I don't know if this will change anything, it's just a shot in the dark
> to gather more info waiting for somebody who knows how usb proxy works.

qvm-usb: error: Invalid devive name: sys-usb:3-1

Niels

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/87a8hzjb7m.fsf%40mailbox.org.


Re: [qubes-users] USB-passthrough in 3.2 RC1 not working for me

2016-07-03 Thread Alex
On 07/03/2016 11:07 AM, Niels Kobschätzki wrote:
> Hi,
> 
> I am trying now the USB-passthrough with my USB-webcam again after
> upgrading my template to 3.2 and installing qubes-usb-proxy.
> 
> I attach my webcam and qvm-usb displays it as: sys-usb:3-1.2
> 046d:0826 046d_HD_Webcam_C525_33E0C3B0
> 
> [...]
> Any help or ideas?
Really unqualified idea, but... Could you please try to proxy the whole
3-1 device instead of the 3-1.2 characteristic? Something like

$ qvm-usb -a personal sys-usb:3.1

I don't know if this will change anything, it's just a shot in the dark
to gather more info waiting for somebody who knows how usb proxy works.

-- 
Alex

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/230a19a5-5541-1669-5de8-e5cd79441181%40gmx.com.




Re: [qubes-users] Using sys-usb as music hub

2016-07-03 Thread Andrew David Wong
On 2016-07-02 19:06, Franz wrote:
> On Sat, Jul 2, 2016 at 11:05 AM, Andrew David Wong
>  wrote:
> 
> On 2016-07-02 05:30, Franz wrote:
 With Qubes release 3.x, having USB controller(s) default
 assigned to sys-usb and Xen meddling checking shared
 resources between different USB controllers, it is even more
 difficult than R2 to use external USB music hardware, either
 for output or input.
 
 So I wonder: why not using sys-usb as a music hub? Everything
 is already assigned and all you have to do is plug in
 external USB devices.
 
 Well, now all music I'm playing on other hardware are mp3 
 downloaded from internet, which means sources that I cannot 
 control and eventually compromised. So this may result in 
 compromising sys-usb. Consequences? I do not know, but I do
 know that the color of sys-usb is default red, so this may
 not be a mayor problem.
 
 What do you think?
 
 I have seen that default sys-usb does not has a sys-net VM.
 It may be possible to leave it as it is, playing music saved
 on a USB medium, or it may be even more convenient to connect
 sys-usb to a sys-net VM to directly play music from youtube,
 internet radios, etc. Would you do that?
 
 Best Fran
 
> 
> From a security perspective, I think you're right. sys-usb and
> sys-net (in some cases, they may be combined) should be assumed to
> be compromised, which means that we should assume that an attacker
> could be using sys-usb to do anything (including play music files).
> If we're already assuming that an attacker could be doing this, why
> shouldn't you (the actual owner of the system) do it yourself,
> if you want to?
> 
> From a practical perspective, your performance may not be very
> good if memory balancing is disabled and a low amount of memory is
> assigned to the VM, so you may want to adjust this. (You wouldn't
> adjust this to benefit an attacker, though, so the analogy may
> start to break down here.)
> 
> 
>> Thanks Andrew, the most lightweight music player I could find is
>> Deadbeef, which is even portable, so no need to install it in the
>> template. It works perfectly with the default memory setting of
>> sys-usb. I also had to install pavucontrol in the template to be able
>> to raise the volume in sys-usb beyond the maximum of Deadbeef.
> 
>> Really great sound now with very little work!! :-)) My dogs are
>> alarmed hearing loud music in my room.
> 
>> Just a small detail, is there a way to use QM "run command in VM"
>> to launch the script that starts portable Deadbeef?
> 
>> Best Fran
> 

Sounds like it should be pretty straightforward to do that. Maybe
something like:

qvm-run sys-usb /home/user/deadbeef.sh

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d7d6cb56-97b2-339c-1ba4-306aea15e35f%40qubes-os.org.