[qubes-users] Re: Restoring VM causes drive to fill but it isn't full..

2016-11-13 Thread Drew White
On Monday, 14 November 2016 17:19:43 UTC+11, Drew White  wrote:
> Hi folks,
> 
> 
> I'm trying to restore a guest.
> I have / which has 2.1 GB free. (The root drive where things exist)
> Then I have my /var/lib/qubes with 78 GB free. (drive which contains all my 
> Guests)
> 
> I try to restore a guest which takes up ~ 48 GB.
> 
> Upon initialising the restore script, my / drive starts to fill up completely.
> And then the software says it has errors (specifically, no space left on 
> drive).
> 
> It's already extracted a file list to the correct directory on /var/lib/qubes.
> 
> Why does it tell me the drive is full when there is over 78 GB free and it 
> should be using /var/lib/qubes not / ?
> 
> Is this a bug in the Qubes Restore?

Only way I found to work around this bug is to perform the following..

On secondary drive create a directory for holding information..
Get to the second stage of the restore.
Open the /var/tmp directory.
Delete the restore_XX directory
Create a link of that name in the /var/tmp directory that links to the 
directory on the other drive.

Doing this meant that the actual usage of drive space never went over 200 MB 
for that folder.

The system was unable to extract the menus and apps.templates directory and a 
few other meaningless things that wouldn't prevent the system from working.

Why when it's targeting in your /var/tmp directory does it absorb the / disk 
drive in a matter of seconds?

Is it just a bug in the code somewhere?
Or is it a file system thing?
Or is it the "sticky bit"?

I created a new directory there with no sticky bit, and the entire restore 
utility couldn't extract to that directory.

Only way around it was to create the new directory and link it to a folder on 
the storage drive.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/311204ce-cba2-4c7f-934e-585045c8663c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Intel TXT advice

2016-11-13 Thread Eric
On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, tai...@gmx.com wrote:
> Forgot to say:
> Purism is just an overpriced quanta/oem whitebox laptop, it takes 5mil+ 
> of startup funds to do a small run of *just a motherboard* let alone an 
> entire laptop computer including the fab for a fancy aluminum case - it 
> is quite obvious that their components are not "hand selected" and that 
> they just called up some chinese OEM and asked them what they had 
> kicking around.
> 
> I can't understand if they are scammers or just really naive, Instead of 
> making an OpenPower or ARM laptop and having it be 100% libre from the 
> start they instead do the dishonest "you'll go to disneyworld one day 
> poor johnny" - If google can't convince intel to open up FSP/ME then 
> nobody can - coreboot with FSP is just shimboot (black box FSP - 95% of 
> the bios work)
> 
> It bothers me quite a lot that they are on the list of approved vendors 
> when they are a dishonest company.

Whoa. Ok, hold on a sec. I did not buy a Purism computer, though not for those 
reasons - putting a 28W TDP proc in a 15inch "workstation" is absurd to me, as 
is their lack of a screen configuration. I hear your anger at the gap between 
what they promise and what they deliver; I'm more displeased on the hardware 
side of things (though I do like HW kill switches). I've looked into what they 
promise and understand very well that they don't actually have a very free 
computer at all, especially on the bios/firmware side.

What I actually ordered (and have now cancelled), was a Dell XPS 15". There is 
no vPro option in the configure menu, though it does support VT-d and SLAT. 
I've read all of Joanna's papers, and understand the concerns about Intel ME 
very well. However, on the Dell order, it claimed "ME Disabled." Perhaps they 
simply meant that vPro/AMT/TXT was disabled, and that was mine and Dell's fault 
for wishful thinking and false naming, respectively. Please see linked photo: 
https://d.pr/Q0YZ



Re: [qubes-users] Re: HCL - Lenovo Thinkpad X1 Carbon 4th gen (20FB)

2016-11-13 Thread Jean-Philippe Ouellet
On Mon, Nov 14, 2016 at 2:02 AM, Jean-Philippe Ouellet  wrote:
> kernel-4.8.7-11 from qubes-dom0-testing

Err, that should be qubes-dom0-unstable.



Re: [qubes-users] Re: HCL - Lenovo Thinkpad X1 Carbon 4th gen (20FB)

2016-11-13 Thread Jean-Philippe Ouellet
tl;dr - kernel-4.8.7-11   +1 from me!

On Thu, Oct 13, 2016 at 1:20 AM, Jean-Philippe Ouellet  wrote:
> The laptop fails to resume about once a day and requires a
> hold-the-power-button reset
> I'm hoping that newer kernels fix this (dom0 currently on 4.4.14-11),

Since last Friday (~3 days) I've been on kernel-4.8.7-11 from
qubes-dom0-testing with only a single full-fan hang while attempting
to resume (not the usual failure mode, and *much* less frequent), as
opposed to the several-per-day just-dead hangs I was consistently
experiencing before, so... progress! :)

Wireless[1] now sometimes fails to come back after resume with this in
the dmesg:
Freezing user space processes ... (elapsed 0.001 seconds) done.
Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.
PM: freeze of devices complete after 0.090 msecs
suspending xenstore...
PM: late freeze of devices complete after 0.053 msecs
PM: noirq freeze of devices complete after 21.827 msecs
xen:grant_table: Grant tables using version 1 layout
PM: noirq thaw of devices complete after 0.648 msecs
PM: early thaw of devices complete after 0.089 msecs
PM: thaw of devices complete after 0.453 msecs
Restarting tasks ... done.
IPv6: ADDRCONF(NETDEV_UP): wlp0s0: link is not ready
iwlwifi :00:00.0: L1 Enabled - LTR Enabled
iwlwifi :00:00.0: L1 Enabled - LTR Enabled
iwlwifi :00:00.0: Failed to load firmware chunk!
iwlwifi :00:00.0: Could not load the [0] uCode section
iwlwifi :00:00.0: Failed to start INIT ucode: -110
iwlwifi :00:00.0: Failed to run INIT ucode: -110
iwlwifi :00:00.0: L1 Enabled - LTR Enabled
iwlwifi :00:00.0: L1 Enabled - LTR Enabled
iwlwifi :00:00.0: Failed to load firmware chunk!
iwlwifi :00:00.0: Could not load the [0] uCode section
iwlwifi :00:00.0: Failed to start INIT ucode: -110
iwlwifi :00:00.0: Failed to run INIT ucode: -110


Rebooting sys-net (so far) reliably makes it work again (and man... I
really wish there were some way to restart it without shutting
everything else down first - it'd be awesome if sys-firewall would
gracefully re-establish whatever it needs. idk what that would be
exactly, or what the challenges are - i haven't looked under the hood
of qubes networking yet).

Curiously, the wireless didn't hang while i had the 4.4 kernel in
dom0, and now it hangs with 4.8 in dom0 and either 4.4 OR 4.8 in
sys-net. This does not make sense to me, but it is indeed what I have
observed. Perhaps it was also failing before and I just never noticed
because the whole machine would hang so often.

[1]: lspci => 00:00.0 Network controller: Intel Corporation Wireless
8260 (rev 3a)



Re: [qubes-users] Re: Intel TXT advice

2016-11-13 Thread taii...@gmx.com

Forgot to say:
Purism is just an overpriced quanta/oem whitebox laptop, it takes 5mil+ 
of startup funds to do a small run of *just a motherboard* let alone an 
entire laptop computer including the fab for a fancy aluminum case - it 
is quite obvious that their components are not "hand selected" and that 
they just called up some chinese OEM and asked them what they had 
kicking around.


I can't understand if they are scammers or just really naive, Instead of 
making an OpenPower or ARM laptop and having it be 100% libre from the 
start they instead do the dishonest "you'll go to disneyworld one day 
poor johnny" - If google can't convince intel to open up FSP/ME then 
nobody can - coreboot with FSP is just shimboot (black box FSP - 95% of 
the bios work)


It bothers me quite a lot that they are on the list of approved vendors 
when they are a dishonest company.




Re: [qubes-users] Fedora 24 template available for Qubes 3.2

2016-11-13 Thread Gaijin

On 2016-11-13 23:33, Marek Marczykowski-Górecki wrote:

> On Sun, Nov 13, 2016 at 11:12:34PM +, Gaijin wrote:
>> I have several templates based on Fedora 23 where I've installed various
>> software. When I follow the manual upgrade instructions the update proceeds
>> without error. However, when I get to the step where I am supposed to trim
>> the newly upgraded templates I get an error.
>>
>> ...
>> File "/usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py", line 1854, in start_quexec_daemon
>> raise OSError ("Cannot execute qrexec-daemon!")
>>
>> I cannot open a terminal in these templates, nor can I base AppVMs on them.
>> I just get the qrexec-daemon error.
>
> You can access its console using `sudo xl console fedora-24`. Look for
> some failed service startup messages. You can login as root without
> password to perform further investigation - like call `systemctl` or
> `journalctl -b`.
>
>> My Fedora 24 template works fine.
>
> I guess you've meant 23 here? Otherwise, what's the problem?
>
> --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?



> I guess you've meant 23 here? Otherwise, what's the problem?


No, I meant the updated fedora-24 template.

Updating the fedora-23 template, which I haven't made changes to, to 
fedora-24 works fine. No update errors. No trim errors. It updated and 
works fine with Fedora 24 following the manual update instructions. I 
switched my AppVMs that used fedora-23 to use this new template and I 
don't see any issues.


All of my other Fedora 23 templates, where I had added different 
software, they are the ones that failed at the "trim" stage of the 
manual upgrade process. None of those are functioning now.


I haven't had a chance to try checking for failed service startup 
messages yet as I don't have access to the machine right now, but will 
report back.




Re: [qubes-users] Re: Intel TXT advice

2016-11-13 Thread taii...@gmx.com
I am assuming you were one of those people who bought a computer from 
those purism scammers.

https://blogs.coreboot.org/blog/2015/02/23/the-truth-about-purism-why-librem-is-not-the-same-as-libre/

It is impossible to disable (ie, like it was never there, 100% gone) ME 
on any intel system post 775/771 era, anyone who tells you different is 
lying.


vPro is a marketing term for various ME remote management features that 
are activated with a vPro license, all intel systems 2006+ have ME.


On 11/13/2016 08:36 PM, Eric wrote:
> On Sunday, November 13, 2016 at 5:01:59 PM UTC-8, entr0py wrote:
>> Eric:
>>> Just bought a laptop with a Skylake processor for running Qubes, and from 
>>> looking around on Intel's website it appears that no Skylake Core-branded 
>>> processors support Intel TXT. Any point in running Anti-Evil-Maid at this 
>>> point? Can I use a YubiKey to store hashes of the xen/initramfs and use 
>>> that for AEM? (probably not, since it's a USB device?)
>>
>> I was just looking around for information on AMT/ME a minute ago. It appears 
>> that some Skylake Core i5/i7's do support TXT. (On their website, TXT might 
>> fall under the umbrella of vPro.)
>>
>> https://en.wikipedia.org/wiki/List_of_Intel_Core_i5_microprocessors#Skylake_microarchitecture_.286th_generation.29_2
>> https://en.wikipedia.org/wiki/List_of_Intel_Core_i7_microprocessors#Skylake_microarchitecture_.286th_generation.29_2
>
> Yes, I misspoke. It appears that the processor/chipset on the computer I 
> purchased does not have/support vPro or TXT (though Intel ME is apparently 
> disabled, which is a win, I guess?). So hard to find something that checks all 
> the boxes for me. My threat model currently doesn't include Evil Maids, so I'm 
> probably ok. Shame, though. Hopefully it doesn't close the door on Qubes 4 
> compatibility. (It does have SLAT and VT-(d/x).





[qubes-users] Where to bulk-download mailing list archives?

2016-11-13 Thread Jean-Philippe Ouellet
Does anyone know of a convenient place to grab the complete archives
of this list? (and qubes-devel too?)

With the (lets hope indeed temporary) death of gmane and its nntp
interface, I lost the only easy way I knew of to bulk-download the
entire history of arbitrary mailing lists for offline grepping.

I'd rather not write yet another one-off web crawler if I don't need to...



Re: [qubes-users] Installing VPN in Qubes Versus VPN on a Router

2016-11-13 Thread taii...@gmx.com

On 11/13/2016 07:39 PM, entr0py wrote:
> taii...@gmx.com:
>> VT-d is intels marketing term for IOMMU, you can buy an AMD system
>> that has IOMMU (AMD-Vi) (but not FM2/AM4 as that has PSP). Qubes
>> needs IOMMU not "VT-d"
>
> Thanks for reply. I understood this previously but I'm not familiar with AMD's 
> offerings and didn't realize they had a current lineup that fits this category. 
> It also seems that Skylake i3's have IOMMU without vPro.

- All intel computers from around 2006+ have ME, not just the ones with 
vPro (which again is just a marketing term for the business level remote 
management services)
They are a shitty company and you shouldn't support them anyway. (ME, 
outsourcing/h1b abuses, general anti-foss attitude)

https://hackaday.com/2016/01/22/the-trouble-with-intels-management-engine/

>> You can use a VMM with a pfsense VM and separate driver domains for
>> the network interfaces, qubes isn't a router operating system...
>
> Is there an inherent reason that Qubes should not be used as a router?

- I really don't know how to reply to this

>> x86/wintel is only a small subsection of the computing world, you can
>> buy for instance an IBM OPOWER8 workstation or the Tyan Palmetto
>> (also OPOWER8) - they have open source firmware and no ME type stuff.

- OPOWER has an IOMMU equivalent.

>> The newish and readily available blob free x86 amd boards are high
>> performance level (kgpe-d16) I don't know what your connection is
>> like so if you want something lower power you could go with a
>> coreboot board with the features you want and simply not include the
>> blobs (which could mean no video, no fan control and no USB3 - but
>> none of those are needed on a passively cooled router anyways and you
>> can install/control via serial)
>>
>> There is the apu2 from pcengines, which has no blobs (AFAIK, ask
>> them) although it doesn't have an IOMMU.
>
> Small subsection? I guess I need to get out and see more of the computing 
> world. Thanks for the suggestions. I'll do some reading!

>> I find it ironic that you apparently value your privacy but you are
>> using gmail - if you do not pay for a service YOU are the product.
>
> Yes, and that maxim applies to every website you visit that doesn't cost you any money. 
> Everyone uses Google. Just because there's no "g" in the url doesn't mean that 
> you're free of Google's tentacles (and fingerprinting).
>
> Yes, I use this gmail address to access groups.google.com and nothing else, in 
> a dedicated vm, over Tor. But you are correct - a non-gmail address, in a 
> dedicated vm, over Tor would be considerably better. But I fail to see the 
> irony. This pseudonym has long-ago broadcast several hundred words onto the 
> Internet so it would be naive to think that it's still an anonymous identity. 
> The stylometry is out there for anyone that wants to look. The distinction is 
> that I have other pseudonyms that aren't quite so vociferous. :) Of course, 
> Google probably has them all linked already anyway...

- I use request policy and thus I don't load any of their services s.
I hear excuses - It is very lazy of you not to simply get another 
service, either paid or free.
there are actually one or two unicorn email providers out there that 
don't do gmail style abuses, but the storage limits are realistic (300MB 
or so) and you exist to get their name out in to the world and thus 
promote their *paid* business email offerings. It costs them next to 
nothing to provide an account like that and then it results in people 
singing their praises = more business.




Re: [qubes-users] Re: Intel TXT advice

2016-11-13 Thread Jean-Philippe Ouellet
On Sun, Nov 13, 2016 at 8:36 PM, Eric  wrote:
> though Intel ME is apparently disabled, which is a win, I guess?

You can not "disable" ME. See page 37 of
https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf



Re: [qubes-users] Thoughts on Qubes OS Security... Could be improved.

2016-11-13 Thread Eric
On Sunday, November 13, 2016 at 7:51:09 PM UTC-8, Manuel Amador (Rudd-O) wrote:
> On 11/12/2016 03:21 AM, Sec Tester wrote:
> > SELinux or AppArmor.
> 
> SELinux would be absofuckinglutely great.  Confined apps like Firefox
> would run much more securely.
> 
> I got one DispVM owned by an attacker at Defcon in 2014.  Isolation was
> nice to have because the machine didn't get owned, but the VM would have
> never been owned if SELinux had been active.
> 
> -- 
> Rudd-O
> http://rudd-o.com/

Why not grsecurity/PaX? especially with Qubes 4 switching to HVM (or PVHv2 or 
whatever it's called now), it will apparently work fine.



Re: [qubes-users] Thoughts on Qubes OS Security... Could be improved.

2016-11-13 Thread Manuel Amador (Rudd-O)
On 11/12/2016 03:21 AM, Sec Tester wrote:
> SELinux or AppArmor.

SELinux would be absofuckinglutely great.  Confined apps like Firefox
would run much more securely.

I got one DispVM owned by an attacker at Defcon in 2014.  Isolation was
nice to have because the machine didn't get owned, but the VM would have
never been owned if SELinux had been active.

-- 
Rudd-O
http://rudd-o.com/



[qubes-users] A really nice guide on installing Coreboot on a X220 with a Raspberry Pi

2016-11-13 Thread David Schissler
https://tylercipriani.com/blog/2016/11/13/coreboot-on-the-thinkpad-x220-with-a-raspberry-pi/



[qubes-users] A really nice guide on installing Coreboot on a T420 with a Raspberry Pi

2016-11-13 Thread David Schissler
https://tylercipriani.com/blog/2016/11/13/coreboot-on-the-thinkpad-x220-with-a-raspberry-pi/



Re: [qubes-users] Re: Intel TXT advice

2016-11-13 Thread Chris Laprise

On 11/13/2016 08:36 PM, Eric wrote:
> On Sunday, November 13, 2016 at 5:01:59 PM UTC-8, entr0py wrote:
>> Eric:
>>> Just bought a laptop with a Skylake processor for running Qubes, and from 
>>> looking around on Intel's website it appears that no Skylake Core-branded 
>>> processors support Intel TXT. Any point in running Anti-Evil-Maid at this 
>>> point? Can I use a YubiKey to store hashes of the xen/initramfs and use 
>>> that for AEM? (probably not, since it's a USB device?)
>>
>> I was just looking around for information on AMT/ME a minute ago. It appears 
>> that some Skylake Core i5/i7's do support TXT. (On their website, TXT might 
>> fall under the umbrella of vPro.)
>>
>> https://en.wikipedia.org/wiki/List_of_Intel_Core_i5_microprocessors#Skylake_microarchitecture_.286th_generation.29_2
>> https://en.wikipedia.org/wiki/List_of_Intel_Core_i7_microprocessors#Skylake_microarchitecture_.286th_generation.29_2
>
> Yes, I misspoke. It appears that the processor/chipset on the computer I 
> purchased does not have/support vPro or TXT (though Intel ME is apparently 
> disabled, which is a win, I guess?). So hard to find something that checks all 
> the boxes for me. My threat model currently doesn't include Evil Maids, so I'm 
> probably ok. Shame, though. Hopefully it doesn't close the door on Qubes 4 
> compatibility. (It does have SLAT and VT-(d/x).


I hate to point this out now, but AEM is kind of a misnomer. It can 
alert you to tampering from *either* physical or remote attacks. So 
anyone who wants to guard against a remote exploit that can also priv 
escalate against Xen--and from there possibly infect firmware or boot 
device--would benefit from using AEM.


When I last shopped around, I was under the impression that TXT was tied 
to AMT/ME/Vpro as a package.


Chris



Re: [qubes-users] Re: Installing VPN in Qubes Versus VPN on a Router

2016-11-13 Thread Chris Laprise

On 11/13/2016 04:38 AM, Sec Tester wrote:

> I guess the main benefit to having VPN on router is it takes that overhead off the 
> PC's CPU & memory.
>
> But the paper is right, a lot of network hardware is backdoored. Especially the 
> Cisco stuff. And I'm suspicious of the Chinese stuff too.
>
> We should endeavor to run open source routers. But I'm not aware of any open 
> source modems? I'm actually surprised someone hasn't cracked the proprietary DSL 
> code and leaked an open source modem.
>
> I bet we would not like what we found in their proprietary code :/
>
> Having a VPN-Proxy-VM offers the flexibility to choose what VMs directly connect 
> to the internet, and which VMs are routed through the VPN which is nice.
>
> I've set my VPN-Proxy-VM using a minimal template, to further reduce the attack 
> surface.
>
> You can also run the whonix-gw over the vpn, or vice versa.
>
> I imagine since Snowden said to the world he uses Qubes OS, the NSA have had 
> their team looking for ways in. I think qubes can be hardened much more than it 
> currently is.



It's not just backdoors... IIRC the NSA and probably other groups greatly 
prefer to attack routers for some reason. I think the reason is they are 
generally neglected and insecure.


Quite frankly, there is all too much insecurity to go around... and I 
don't even think software is the worst culprit anymore. We're all using 
souped-up ancient architectures that expose us to things like 'DRAMA' 
and it seems there is little-to-no innovation with respect to more 
secure hardware architecture. Qubes tries to propose new architecture in 
software, but I worry even it may not be enough.


Router vs laptop: If we regard a well-maintained OpenWRT router as more 
secure than Qubes on a laptop, then we've given up on link encryption in 
our applications (HTTPS, ZRTP, etc.) by implication. Then the only way 
to have reliable link encryption is to have everyone we communicate with 
sitting at home connecting to a single VPN server... each from their 
router-bound VPN clients... tethered by an ethernet cable between router 
and PC. Egads.


Chris



Re: [qubes-users] Re: Intel TXT advice

2016-11-13 Thread Eric
On Sunday, November 13, 2016 at 5:01:59 PM UTC-8, entr0py wrote:
> Eric:
> > Just bought a laptop with a Skylake processor for running Qubes, and from 
> > looking around on Intel's website it appears that no Skylake Core-branded 
> > processors support Intel TXT. Any point in running Anti-Evil-Maid at this 
> > point? Can I use a YubiKey to store hashes of the xen/initramfs and use 
> > that for AEM? (probably not, since it's a USB device?)
> > 
> 
> I was just looking around for information on AMT/ME a minute ago. It appears 
> that some Skylake Core i5/i7's do support TXT. (On their website, TXT might 
> fall under the umbrella of vPro.)
> 
> https://en.wikipedia.org/wiki/List_of_Intel_Core_i5_microprocessors#Skylake_microarchitecture_.286th_generation.29_2
> https://en.wikipedia.org/wiki/List_of_Intel_Core_i7_microprocessors#Skylake_microarchitecture_.286th_generation.29_2

Yes, I misspoke. It appears that the processor/chipset on the computer I 
purchased does not have/support vPro or TXT (though Intel ME is apparently 
disabled, which is a win, I guess?). So hard to find something that checks all 
the boxes for me. My threat model currently doesn't include Evil Maids, so I'm 
probably ok. Shame, though. Hopefully it doesn't close the door on Qubes 4 
compatibility. (It does have SLAT and VT-(d/x).



Re: [qubes-users] Re: Intel TXT advice

2016-11-13 Thread entr0py
Eric:
> On Tuesday, February 23, 2016 at 1:54:30 AM UTC-8, Marek Marczykowski-Górecki 
> wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> On Tue, Feb 23, 2016 at 04:11:55AM +, Rusty Bird wrote:
>>> marmarek:
>>>> On Mon, Feb 22, 2016 at 08:52:43PM +, Rusty Bird wrote:
>>>>> Though even now it should be possible to use AEM without TXT?
>>>>> Just don't install the SINIT blob, in which case *only* the LUKS
>>>>> header(s) would be protected by the TPM.
>>>>
>>>> But not having xen/kernel/initrd measured means AEM is pretty
>>>> useless. The whole purpose is to verify the thing that prompt you
>>>> for LUKS passphrase. Without such measurement you'll have no way
>>>> to really know if those binaries were even loaded from your USB
>>>> stick (and not from some additional one plugged in by the attacker,
>>>> for example).
>>>
>>> If the order is fixed, i.e. USB before SATA, and you don't see another
>>> USB drive sticking into the notebook you left at home, then the part in
>>> parentheses wouldn't apply?
>>
>> It is easy enough to hide USB device inside the USB socket itself (those
>> devices are small these days). Or inside your notebook (for example
>> instead of bluetooth card, which is also USB device in most cases).
>>
>> Some more sophisticated attack would be installing some "USB proxy" in
>> USB socket. Which would hijack only initramfs reads. You'll not see
>> any additional USB device in the system in that case.
>>
>>>> Such replaced initrd script can present still unmodified LUKS
>>>> header to TPM, unseal the secret, show it to you, then record LUKS
>>>> passphrase.
>>>
>>> But Xen/kernel/initrd are on the AEM stick you take with you, so the
>>> attacker would have to modify the BIOS. In which case TXT wouldn't help
>>> much, because a BIOS rootkit can effectively hide itself from TXT if I
>>> understand Joanna right.
>>
>> But attack hidden from TXT is much more complex than attack simply
>> changing boot order. It all depends on your threat model.
>>
>>>>> If a per-boot BIOS password has been set, maybe this kind of
>>>>> setup is even sort of reasonable?
>>>>
>>>> You are joking, aren't you?
>>>
>>> Not really. If these assumptions are correct:
>>>
>>> 1. a BIOS rootkit can hide itself from TXT;
>>> 2. an attacker who can boot their own medium can, more and more
>>>    probably, also persist such a rootkit in the BIOS;
>>> 3. there are no BIOS master password lists anymore (are there?),
>>>    or other easy password prompt bypasses (are option ROMs loaded
>>>    early enough from ExpressCards?);
>>
>> I wouldn't rely on BIOS password protection. It failed so many times
>> in the history, so I can't assume that magically now BIOS vendors
>> learned how to do it properly.
>>
>>> then it seems to me that a per-boot BIOS password without TXT could work
>>> out better than the converse, TXT without a PBBP. Not to say that both
>>> together aren't best though!
>>>
>>> AEM protecting the LUKS header would still be (barely) worthwhile
>>> without TXT, if it's easier / faster / less conspicuous for the attacker
>>> to take out the HDD and rewrite a few blocks than to infect the BIOS.
>>>
>>> (BTW Marek, regarding VM random seeds: Have you considered somehow
>>> harnessing whatever it is that Thunderbird+Enigmail use to place line
>>> breaks in my mails after I hit send)
> 
> Just bought a laptop with a Skylake processor for running Qubes, and from 
> looking around on Intel's website it appears that no Skylake Core-branded 
> processors support Intel TXT. Any point in running Anti-Evil-Maid at this 
> point? Can I use a YubiKey to store hashes of the xen/initramfs and use that 
> for AEM? (probably not, since it's a USB device?)
> 

I was just looking around for information on AMT/ME a minute ago. It appears 
that some Skylake Core i5/i7's do support TXT. (On their website, TXT might 
fall under the umbrella of vPro.)

https://en.wikipedia.org/wiki/List_of_Intel_Core_i5_microprocessors#Skylake_microarchitecture_.286th_generation.29_2
https://en.wikipedia.org/wiki/List_of_Intel_Core_i7_microprocessors#Skylake_microarchitecture_.286th_generation.29_2





Re: [qubes-users] Installing VPN in Qubes Versus VPN on a Router

2016-11-13 Thread entr0py
taii...@gmx.com:
> VT-d is Intel's marketing term for IOMMU, you can buy an AMD system
> that has IOMMU (AMD-Vi) (but not FM2/AM4 as that has PSP). Qubes
> needs IOMMU not "VT-d"

Thanks for reply. I understood this previously but I'm not familiar with AMD's 
offerings and didn't realize they had a current lineup that fits this category. 
It also seems that Skylake i3's have IOMMU without vPro.


> You can use a VMM with a pfsense VM and separate driver domains for
> the network interfaces, qubes isn't a router operating system...

Is there an inherent reason that Qubes should not be used as a router?

 
> x86/wintel is only a small subsection of the computing world, you can
> buy for instance an IBM OPOWER8 workstation or the Tyan Palmetto
> (also OPOWER8) - they have open source firmware and no ME type stuff.
> - OPOWER has an IOMMU equivalent.
> 
> The newish and readily available blob free x86 amd boards are high
> performance level (kgpe-d16) I don't know what your connection is
> like so if you want something lower power you could go with a
> coreboot board with the features you want and simply not include the
> blobs (which could mean no video, no fan control and no USB3 - but
> none of those are needed on a passively cooled router anyways and you
> can install/control via serial)
> 
> There is the apu2 from pcengines, which has no blobs (AFAIK, ask
> them) although it doesn't have an IOMMU.

Small subsection? I guess I need to get out and see more of the computing 
world. Thanks for the suggestions. I'll do some reading!


> I find it ironic that you apparently value your privacy but you are
> using gmail - if you do not pay for a service YOU are the product.

Yes, and that maxim applies to every website you visit that doesn't cost you 
any money. Everyone uses Google. Just because there's no "g" in the url doesn't 
mean that you're free of Google's tentacles (and fingerprinting).

Yes, I use this gmail address to access groups.google.com and nothing else, in 
a dedicated vm, over Tor. But you are correct - a non-gmail address, in a 
dedicated vm, over Tor would be considerably better. But I fail to see the 
irony. This pseudonym has long-ago broadcast several hundred words onto the 
Internet so it would be naive to think that it's still an anonymous identity. 
The stylometry is out there for anyone that wants to look. The distinction is 
that I have other pseudonyms that aren't quite so vociferous. :) Of course, 
Google probably has them all linked already anyway...



Re: [qubes-users] Fedora 24 template available for Qubes 3.2

2016-11-13 Thread Marek Marczykowski-Górecki

On Sun, Nov 13, 2016 at 11:12:34PM +, Gaijin wrote:
> I have several templates based on Fedora 23 where I've installed various
> software. When I follow the manual upgrade instructions the update proceeds
> without error. However, when I get to the step where I am supposed to trim
> the newly upgraded templates I get an error.
> 
> ...
> File "/usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py", line
> 1854, in start_quexec_daemon
> raise OSError ("Cannot execute qrexec-daemon!")
> 
> I cannot open a terminal in these templates, nor can I base AppVMs on them.
> I just get the qrexec-daemon error.

You can access its console using `sudo xl console fedora-24`. Look for
some failed service startup messages. You can login as root without
password to perform further investigation - like call `systemctl` or
`journalctl -b`.

> My Fedora 24 template works fine.

I guess you've meant 23 here? Otherwise, what's the problem?

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Installing VPN in Qubes Versus VPN on a Router

2016-11-13 Thread taii...@gmx.com
VT-d is Intel's marketing term for IOMMU, you can buy an AMD system that 
has IOMMU (AMD-Vi) (but not FM2/AM4 as that has PSP). Qubes needs IOMMU 
not "VT-d"


You can use a VMM with a pfsense VM and separate driver domains for the 
network interfaces, qubes isn't a router operating system...


There is no getting around ME, on the coreboot list there is some talk 
of nerfing the binary (thanks Trammell Hudson!) but other than that 
you're still supporting a company that makes insecure technology if you 
buy their products.


Things you may want to look into (5K is a great deal for the level of 
juice this has)

https://www.crowdsupply.com/raptorcs/talos

x86/wintel is only a small subsection of the computing world, you can 
buy for instance an IBM OPOWER8 workstation or the Tyan Palmetto (also 
OPOWER8) - they have open source firmware and no ME type stuff. - OPOWER 
has an IOMMU equivalent.


The newish and readily available blob free x86 amd boards are high 
performance level (kgpe-d16) I don't know what your connection is like 
so if you want something lower power you could go with a coreboot board 
with the features you want and simply not include the blobs (which could 
mean no video, no fan control and no USB3 - but none of those are needed 
on a passively cooled router anyways and you can install/control via serial)


There is the apu2 from pcengines, which has no blobs (AFAIK, ask them) 
although it doesn't have an IOMMU.



I find it ironic that you apparently value your privacy but you are 
using gmail - if you do not pay for a service YOU are the product.

On 11/13/2016 03:39 PM, entr0py wrote:
> taii...@gmx.com:
>> Ideally you would want a blob free coreboot system with no Intel ME or AMD PSP
>> type backdoors.
>> https://www.coreboot.org/Binary_situation
>> Intel is actively trying to nerf free software with Boot Guard/ME, if you buy a
>> computer with those features it isn't really your computer.
>>
>> A backdoor in a modem is irrelevant, it is post WAN and should be considered part of the
>> "internet".
>
> Right, I've always followed the advice to secure each pc as if it were
> connected directly to the internet and not to rely on the router for any
> security.
>
> But now I'm interested in actually building a secure router. One reason is what
> you mentioned regarding Intel ME. Since Qubes 4.0 will require VT-d (and
> unavoidably Intel ME) and the fact that it's cool to use new hardware, I'd like
> to place a physical barrier to block ME signals.
>
> I had always imagined repurposing a Qubes PC to serve as a router, especially
> because of the flexibility it has with chaining and branching multiple
> transparent proxy VMs. But obviously now, it doesn't make any sense to use an
> ME equipped machine as a router.
>
> So if I had a budget (for argument's sake) of $2000 to build a secure router
> for 10-15 clients in a small business environment where maximum throughput is
> not really an issue, what would you all advise? A libreboot machine? but then
> what kind of OS could it run that could meaningfully isolate sys-net and
> provide similar routing capabilities?
>
> TIA.





Re: [qubes-users] Fedora 24 template available for Qubes 3.2

2016-11-13 Thread Gaijin

On 2016-11-13 03:52, Marek Marczykowski-Górecki wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Hi all,
>
> Fedora 24 template is now available for direct installation. This means
> there are now two ways to have it on Qubes 3.2 system:
>
> 1. Upgrade existing Fedora 23 template according to this instruction:
>
> https://www.qubes-os.org/doc/fedora-template-upgrade-23/
>
> 2. Install a fresh one using:
>
> qubes-dom0-update qubes-template-fedora-24
>
> The latter option will get you fresh template. If you made any
> modifications there, you'll need to do them again (if you want).
> The same is available for fedora-24-minimal template.
>
> In any case, after getting new template using any method, the next step
> is switching some/all qubes (VMs) to the new one. This can be done using
> either Qubes Manager (in qube settings), or using qvm-prefs command line
> tool.
>
> - --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?


I have several templates based on Fedora 23 where I've installed various 
software. When I follow the manual upgrade instructions the update 
proceeds without error. However, when I get to the step where I am 
supposed to trim the newly upgraded templates I get an error.

...
File "/usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py", line 1854, in start_quexec_daemon
raise OSError ("Cannot execute qrexec-daemon!")

I cannot open a terminal in these templates, nor can I base AppVMs on 
them. I just get the qrexec-daemon error.


My Fedora 24 template works fine.



Re: [qubes-users] Re: Intel TXT advice

2016-11-13 Thread Eric
On Tuesday, February 23, 2016 at 1:54:30 AM UTC-8, Marek Marczykowski-Górecki 
wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> On Tue, Feb 23, 2016 at 04:11:55AM +, Rusty Bird wrote:
> > marmarek:
> > > On Mon, Feb 22, 2016 at 08:52:43PM +, Rusty Bird wrote:
> > >> Though even now it should be possible to use AEM without TXT?
> > >> Just don't install the SINIT blob, in which case *only* the LUKS 
> > >> header(s) would be protected by the TPM.
> > > 
> > > But not having xen/kernel/initrd measured means AEM is pretty 
> > > useless. The whole purpose is to verify the thing that prompt you
> > > for LUKS passphrase. Without such measurement you'll have no way
> > > to really know if those binaries were even loaded from your USB
> > > stick (and not from some additional one plugged in by the attacker,
> > > for example).
> > 
> > If the order is fixed, i.e. USB before SATA, and you don't see another
> > USB drive sticking into the notebook you left at home, then the part in
> > parentheses wouldn't apply?
> 
> It is easy enough to hide USB device inside the USB socket itself (those
> devices are small these days). Or inside your notebook (for example
> instead of bluetooth card, which is also USB device in most cases).
> 
> Some more sophisticated attack would be installing some "USB proxy" in
> USB socket. Which would hijack only initramfs reads. You'll not see
> any additional USB device in the system in that case.
> 
> > > Such replaced initrd script can present still unmodified LUKS
> > > header to TPM, unseal the secret, show it to you, then record LUKS 
> > > passphrase.
> > 
> > But Xen/kernel/initrd are on the AEM stick you take with you, so the
> > attacker would have to modify the BIOS. In which case TXT wouldn't help
> > much, because a BIOS rootkit can effectively hide itself from TXT if I
> > understand Joanna right.
> 
> But attack hidden from TXT is much more complex than attack simply
> changing boot order. It all depends on your threat model.
> 
> > >> If a per-boot BIOS password has been set, maybe this kind of
> > >> setup is even sort of reasonable?
> > > 
> > > You are joking, aren't you?
> > 
> > Not really. If these assumptions are correct:
> > 
> > 1. a BIOS rootkit can hide itself from TXT;
> > 2. an attacker who can boot their own medium can, more and more
> >    probably, also persist such a rootkit in the BIOS;
> > 3. there are no BIOS master password lists anymore (are there?),
> >    or other easy password prompt bypasses (are option ROMs loaded
> >    early enough from ExpressCards?);
> 
> I wouldn't rely on BIOS password protection. It failed so many times
> in the history, so I can't assume that magically now BIOS vendors
> learned how to do it properly.
> 
> > then it seems to me that a per-boot BIOS password without TXT could work
> > out better than the converse, TXT without a PBBP. Not to say that both
> > together aren't best though!
> > 
> > AEM protecting the LUKS header would still be (barely) worthwhile
> > without TXT, if it's easier / faster / less conspicuous for the attacker
> > to take out the HDD and rewrite a few blocks than to infect the BIOS.
> > 
> > (BTW Marek, regarding VM random seeds: Have you considered somehow
> > harnessing whatever it is that Thunderbird+Enigmail use to place line
> > breaks in my mails after I hit send)

Just bought a laptop with a Skylake processor for running Qubes, and from 
looking around on Intel's website it appears that no Skylake Core-branded 
processors support Intel TXT. Any point in running Anti-Evil-Maid at this 
point? Can I use a YubiKey to store hashes of the xen/initramfs and use that 
for AEM? (probably not, since it's a USB device?)
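
The point argued in the quoted thread (sealing to the LUKS header alone versus also measuring xen/kernel/initrd), as an added example that is not part of any message here and is not anti-evil-maid code: a toy Python model of PCR extend and PCR-bound sealing. The `ToyTPM` class, the PCR indices and the component byte strings are constructed for illustration and are not a real TPM interface.

```python
import hashlib
import hmac

# Illustrative PCR indices (assumptions made for this model).
PCR_BOOT = 17   # xen/kernel/initrd, extended only by a measured (TXT) launch
PCR_LUKS = 13   # LUKS header, extended by the initrd script
SECRET = b"constructed AEM secret phrase"

# Constructed stand-ins for the real boot components.
GOOD = {
    "xen": b"xen image (constructed)",
    "kernel": b"kernel image (constructed)",
    "initrd": b"initrd image (constructed)",
    "luks_header": b"LUKS header (constructed)",
}


class ToyTPM:
    """Toy model of PCR extend and PCR-bound sealing; not a real TPM API."""

    def __init__(self):
        self._blobs = []
        self.reset()

    def reset(self):
        # A platform reset zeroes the PCRs; sealed blobs survive it.
        self.pcrs = {i: bytes(32) for i in range(24)}

    def extend(self, index, data):
        # PCR_new = H(PCR_old || H(data)): order-sensitive and not reversible.
        digest = hashlib.sha256(data).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()

    def _composite(self, indices):
        h = hashlib.sha256()
        for i in indices:
            h.update(bytes([i]) + self.pcrs[i])
        return h.digest()

    def seal(self, secret, indices):
        # Bind the secret to the current values of the selected PCRs.
        indices = tuple(sorted(indices))
        self._blobs.append((indices, self._composite(indices), secret))
        return len(self._blobs) - 1

    def unseal(self, handle):
        indices, expected, secret = self._blobs[handle]
        if hmac.compare_digest(self._composite(indices), expected):
            return secret
        return None  # PCR state differs from the state at seal time


def boot(tpm, loaded, measured_launch):
    """Model one boot: reset, then measure whatever was actually loaded."""
    tpm.reset()
    if measured_launch:
        # With a measured launch the components are hashed before they run,
        # so a replaced initrd cannot choose what gets recorded about itself.
        for name in ("xen", "kernel", "initrd"):
            tpm.extend(PCR_BOOT, loaded[name])
    # The LUKS header is measured in both setups.
    tpm.extend(PCR_LUKS, loaded["luks_header"])


def run_scenario(measured_launch, tampered_component):
    """Return (secret seen on a clean boot, secret seen on a tampered boot)."""
    tpm = ToyTPM()
    boot(tpm, GOOD, measured_launch)
    indices = [PCR_LUKS] + ([PCR_BOOT] if measured_launch else [])
    handle = tpm.seal(SECRET, indices)

    tampered = dict(GOOD)
    tampered[tampered_component] = b"modified " + GOOD[tampered_component]
    boot(tpm, tampered, measured_launch)
    seen_when_tampered = tpm.unseal(handle)

    boot(tpm, GOOD, measured_launch)
    return tpm.unseal(handle), seen_when_tampered


if __name__ == "__main__":
    for launch in (False, True):
        for part in ("initrd", "luks_header"):
            clean, bad = run_scenario(launch, part)
            print(f"measured_launch={launch} tampered={part}: "
                  f"clean boot unseals={clean is not None}, "
                  f"tampered boot unseals={bad is not None}")
```

In the model, sealing to the LUKS header alone still releases the secret after the initrd is swapped, so seeing the secret says nothing about the code that prompts for the passphrase; only a change to the header itself is caught.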



Re: [qubes-users] Re: Fedora 24 template available for Qubes 3.2

2016-11-13 Thread yaqu
On Sun, 13 Nov 2016 12:30:25 -0800 (PST), Grzesiek Chodzicki
 wrote:

> On Sunday, 13 November 2016 20:54:06 UTC+1, user yaqu
> wrote:
> > 
> > It looks like you do not have this package installed (or you have
> > executed this command in VM instead of dom0).
> > 
> > To get a list of templates installed from rpm in dom0, you can use
> > this command:
> > [user@dom0 ~]$ rpm -qa | grep template
> 
> I did execute it in dom0, fedora-23 was installed by default when I
> installed Qubes on my PC.

Please, check if your fedora-23 template was really installed from rpm
(and it wasn't cloned from previous version and upgraded to f23):

[user@dom0 ~]$ qvm-prefs fedora-23 | grep rpm
installed_by_rpm   : True

You can also check this using Qubes VM Manager (in VM settings, tab
Basic, under "General").

If your fedora-23 template was not installed from rpm, you can remove
it using Qubes VM Manager or using command:

[user@dom0 ~]$ qvm-remove fedora-23

-- 
yaqu



Re: [qubes-users] Thoughts on Qubes OS Security... Could be improved.

2016-11-13 Thread Marek Marczykowski-Górecki

On Sat, Nov 12, 2016 at 08:40:26PM -0800, Sec Tester wrote:
> 
> > > This might add significant time to the install, but could be a tick box 
> > > option, with a note about extra time.
> > 
> > I think a better practice along these lines is to supply the additional 
> > packages needed to create a desktop-friendly template... alongside the 
> > minimal template. This would take a *little* extra time during installation.
> > 
> > Another option would be to simply provide a script that purges all the 
> > packages that are unneeded for a minimal template.
> > 
> 
> Good suggestion. A script that shrinks templates into minimals. I like this 
> idea. A script could then also create a min debian template too.
> 
> I just had a look inside the Qubes-R3.2-x86_64.iso
> I found the templates under packages/q
> 
> I wonder if a script could also be used to turn a whonix-ws into a whonix-gw 
> or vice versa. This could reduce the size of the Qubes.iso by about 500mb. 
> making more room for other goodies.

Actually, it may be even possible to transform debian-8-minimal into whonix-ws
and whonix-gw - given some not-so-big additional local packages
repository. Search for "apt-get install whonix" on
phabricator.whonix.org. This is on the roadmap, but there are also much
more higher priority tasks...

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] R3.2, xfce, resume and changing resolution issues

2016-11-13 Thread Marek Marczykowski-Górecki

On Mon, Nov 07, 2016 at 11:04:20AM +0100, yaqu wrote:
> On Sun, 6 Nov 2016 19:34:30 -0800, Andrew David Wong 
> wrote:
> 
> > > Now icons are not accessible. To fix it one needs to turn LCD off
> > > and on:
> > > 
> > > [user@dom0 ~]$ xrandr --output LVDS1 --off; xrandr --output LVDS1
> > > --auto
> [...]
> > 
> > For now, please try using the qubes-monitor-layout-notify tool as
> > described in the comments on this issue:
> > 
> > https://github.com/QubesOS/qubes-issues/issues/1599
> 
> Thanks, executing qubes-monitor-layout-notify works as a workaround - it
> is much cleaner solution than hack with switching displays off and on :)

Actually this tool is called automatically when monitor layout is
changed (see watch-screen-layout-changes process). The problem is a race
condition - it is called before new configuration is actually applied,
so it sends the old configuration again... I haven't found yet any way to
receive notification _after_ new configuration is applied. Any idea?

Source code of the tool is in
https://github.com/QubesOS/qubes-gui-daemon screen-layout-handler
directory.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Re: #2 .odt files and LibreOffice Install

2016-11-13 Thread Marek Marczykowski-Górecki

On Sat, Nov 12, 2016 at 09:30:07PM -0800, Sec Tester wrote:
> you want to copy the file from your work VM to the fedora-23 template and 
> then install all with terminal?
> 
> 1)open terminal in your workVM
> 2)ls (useful to lists directories/files)
> 3)cd Downloads (or where ever you saved it)
> 4)qvm-copy-to-vm "DestinationVM" filename
> 
> https://www.qubes-os.org/doc/vm-tools/qvm-copy-to-vm/
> 
> 4)sudo dnf install /path/to/package.rpm
> (path will likely be /home/user/QubesIncoming/nameofsendingVM)
> 
> 
> That should get libreoffice installed for you.

If application is available in distribution repository, this is _the_
recommended way of installing it. If for nothing else, you'll have at
least some integrity protection (packages are digitally signed) and also
package will be updated using standard mechanisms.

This is the case for LibreOffice. Open the template and execute:

sudo dnf install libreoffice

If you don't know package name, you can search for it:

sudo dnf search some-program-name

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Installing VPN in Qubes Versus VPN on a Router

2016-11-13 Thread Grzesiek Chodzicki
On Sunday, 13 November 2016 21:39:29 UTC+1, user entr0py wrote:
> taii...@gmx.com:
> > Ideally you would want a blob free coreboot system with no Intel ME or AMD 
> > PSP type backdoors.
> > https://www.coreboot.org/Binary_situation
> > Intel is actively trying to nerf free software with Boot Guard/ME, if you 
> > buy a computer with those features it isn't really your computer.
> > 
> > A backdoor in a modem is irrelevant, it is post WAN and should be 
> > considered part of the "internet".
> > 
> 
> Right, I've always followed the advice to secure each pc as if it were 
> connected directly to the internet and not to rely on the router for any 
> security.
> 
> But now I'm interested in actually building a secure router. One reason is 
> what you mentioned regarding Intel ME. Since Qubes 4.0 will require VT-d (and 
> unavoidably Intel ME) and the fact that it's cool to use new hardware, I'd 
> like to place a physical barrier to block ME signals.
> 
> I had always imagined repurposing a Qubes PC to serve as a router, especially 
> because of the flexibility it has with chaining and branching multiple 
> transparent proxy VMs. But obviously now, it doesn't make any sense to use an 
> ME equipped machine as a router.
> 
> So if I had a budget (for argument's sake) of $2000 to build a secure router 
> for 10-15 clients in a small business environment where maximum throughput is 
> not really an issue, what would you all advise? A libreboot machine? but then 
> what kind of OS could it run that could meaningfully isolate sys-net and 
> provide similar routing capabilities?
> 
> TIA.

Have you considered running pfSense as your main router OS on a dedicated box? 
You need a small PC with more than one network interface card. pfSense is open 
source, it's infinitely configurable and has an extensive plugin system to 
extend it beyond typical router capabilities.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b64882ec-e1ce-4a6d-8421-8f970d9a671c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Installing VPN in Qubes Versus VPN on a Router

2016-11-13 Thread entr0py
taii...@gmx.com:
> Ideally you would want a blob free coreboot system with no Intel ME or AMD 
> PSP type backdoors.
> https://www.coreboot.org/Binary_situation
> Intel is actively trying to nerf free software with Boot Guard/ME, if you buy 
> a computer with those features it isn't really your computer.
> 
> A backdoor in a modem is irrelevant, it is post WAN and should be considered 
> part of the "internet".
> 

Right, I've always followed the advice to secure each pc as if it were 
connected directly to the internet and not to rely on the router for any 
security.

But now I'm interested in actually building a secure router. One reason is what 
you mentioned regarding Intel ME. Since Qubes 4.0 will require VT-d (and 
unavoidably Intel ME) and the fact that it's cool to use new hardware, I'd like 
to place a physical barrier to block ME signals.

I had always imagined repurposing a Qubes PC to serve as a router, especially 
because of the flexibility it has with chaining and branching multiple 
transparent proxy VMs. But obviously now, it doesn't make any sense to use an 
ME equipped machine as a router.

So if I had a budget (for argument's sake) of $2000 to build a secure router 
for 10-15 clients in a small business environment where maximum throughput is 
not really an issue, what would you all advise? A libreboot machine? but then 
what kind of OS could it run that could meaningfully isolate sys-net and 
provide similar routing capabilities?

TIA.



Re: [qubes-users] Re: Fedora 24 template available for Qubes 3.2

2016-11-13 Thread Grzesiek Chodzicki
On Sunday, 13 November 2016 20:54:06 UTC+1, yaqu wrote:
> On Sun, 13 Nov 2016 11:23:35 -0800 (PST), Grzesiek Chodzicki
>  wrote:
> 
> > Following error message is printed after running sudo dnf remove
> > qubes-template-fedora-23: "No match for argument:
> > qubes-template-fedora-23 Error: No packages marked for removal."
> 
> It looks like you do not have this package installed (or you have
> executed this command in VM instead of dom0).
> 
> To get a list of templates installed from rpm in dom0, you can use this
> command:
> [user@dom0 ~]$ rpm -qa | grep template
> 
> -- 
> yaqu

I did execute it in dom0, fedora-23 was installed by default when I installed 
Qubes on my PC.



[qubes-users] self-secure systems - redundancy?

2016-11-13 Thread '1093'4218'2184189'481'0'414
Hello,

According to this article

https://nakedsecurity.sophos.com/2016/10/19/linux-kernel-bugs-we-add-them-in-and-then-take-years-to-get-them-out/

Linux bugs are exploitable for ca. 1-2 years, until they are fixed.

Self-secure systems run redundant subsystems.

Will it be possible to run two VMs in parallel on the "same task"?
The technologies of these VMs are 100% independent (no part of the code is a 
copy of the other).
The command is only 100% clean if both instances do the same; then it is 
executed, and otherwise it is blocked and logged.

Would this work?

Which VM will be the counterpart to the standard Linux templates?

E.g. would it be possible to match up a Win-VM and a Linux-VM?
(Why will this not work for internet browsing, for example?)

Kind Regards



 





Re: [qubes-users] Re: Fedora 24 template available for Qubes 3.2

2016-11-13 Thread yaqu
On Sun, 13 Nov 2016 11:23:35 -0800 (PST), Grzesiek Chodzicki
 wrote:

> Following error message is printed after running sudo dnf remove
> qubes-template-fedora-23: "No match for argument:
> qubes-template-fedora-23 Error: No packages marked for removal."

It looks like you do not have this package installed (or you have
executed this command in VM instead of dom0).

To get a list of templates installed from rpm in dom0, you can use this
command:
[user@dom0 ~]$ rpm -qa | grep template

-- 
yaqu



Re: [qubes-users] dom0 window manager style

2016-11-13 Thread cubit
13. Nov 2016 19:52 by qu...@axenhus.com:

> If you're using XFCE I think it's Nodoka. (That's what I got anyway.)

That was it! I guess I skipped over that.



Re: [qubes-users] dom0 window manager style

2016-11-13 Thread Jimmy Axenhus
On 2016-11-13 at 20:49, cubit wrote:
> I have a really stupid question. I was looking at dom0's window manager
> settings and changed the style and now I can not find the one that Qubes
> uses by default. Does anyone know what it is called or how to get it
> back? I've gone through the list and nothing looks similar and yes I have
> tried "Default" :)
> 

If you're using XFCE I think it's Nodoka. (That's what I got anyway.)




[qubes-users] dom0 window manager style

2016-11-13 Thread cubit
I have a really stupid question. I was looking at dom0's window manager 
settings and changed the style and now I can not find the one that Qubes uses 
by default. Does anyone know what it is called or how to get it back? I've 
gone through the list and nothing looks similar and yes I have tried "Default" :)





Re: [qubes-users] VM label icons

2016-11-13 Thread jim higginson
Thanks for comments. I'd tried a few "styles" but they must have had little
effect - so I assumed there was another problem!
Around 30% of styles seem very faint - but fortunately the rest seem fine.
Must have been unlucky with original choices.
I know it's a trivial issue - but it was good to get a speedy reply and
resolution. Hopefully I can now progress on to more complex matters!
Cheers.

On 12 November 2016 at 19:23, Marek Marczykowski-Górecki <
marma...@invisiblethingslab.com> wrote:

> On Sat, Nov 12, 2016 at 10:38:41AM -0800, longridge wrote:
> > Am new user - just finding my way around.
> >
> > On all VMs that I open, the label heading is clear and bold (obviously
> > less so when inactive) but the icons (e.g. minimise, maximise, close etc.)
> > are all very faint (barely visible).
> >
> > Am sure there must be a way to enhance them (screen examples from online
> > articles are all clear) - but have spent ages trying various settings -
> > without success.
> >
> > Grateful for any help!
>
> Try changing windows style: settings -> window manager -> style.
>
> --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?



[qubes-users] Re: Fedora 24 template available for Qubes 3.2

2016-11-13 Thread Grzesiek Chodzicki
On Sunday, 13 November 2016 05:01:37 UTC+1, Sec Tester wrote:
> NICE!!
> 
> Any specific improvements or fixes running Fedora-24?
> 
> I noticed F-23 seemed to have trouble playing flash videos for me.
> 
> F-24 Min template coming?
> A Deb-8 min template would also be nice :)

Following error message is printed after running sudo dnf remove 
qubes-template-fedora-23:
"No match for argument: qubes-template-fedora-23
Error: No packages marked for removal."



Re: [qubes-users] Installing VPN in Qubes Versus VPN on a Router

2016-11-13 Thread taii...@gmx.com
Ideally you would want a blob free coreboot system with no Intel ME or 
AMD PSP type backdoors.

https://www.coreboot.org/Binary_situation
Intel is actively trying to nerf free software with Boot Guard/ME, if 
you buy a computer with those features it isn't really your computer.


A backdoor in a modem is irrelevant, it is post WAN and should be 
considered part of the "internet".


You need a computer with more than one server grade pci-e interfaced 
nics if you want real LAN>WAN performance, 25Mbps is simply a pitiful 
amount to settle for - the newer "server" grade ARM chipsets can do much 
better than that.

On 11/13/2016 08:22 AM, hed...@tutanota.com wrote:

> 13. Nov 2016 08:48 by amad...@riseup.net:
>
> > We see much correspondence in these forums about installing a VPN within
> > Qubes. Surely, the most secure place for VPN is to install on a Router?
> > I say these things after reading the following paper
> > [ https://cryptome.org/2013/12/Full-Disclosure.pdf ] in which a group of
> > hackers demonstrate that the majority of routers (in particular those
> > provided by ISPs) have backdoors to government agencies. These adversaries
> > are able to attack our LAN and its devices, including the ability to
> > intercept VPN and Tor traffic.
> > The solution they say is to isolate these rogue routers in the Militarized
> > Zone by creating a DMZ [demilitarized zone]. Achieved by installing a 2nd
> > router [flashed with open source firmware such as OpenWRT]. It is here, on
> > the router, that we should enable and run OpenVPN.
> > Thoughts on this paper and its conclusions are welcomed
>
> An always-on VPN connection on the router works well but can be a bit slow
> since the processing power of router CPUs is generally quite limited. If
> choosing a router, I'd suggest a dual-core ARM-based device. Although openvpn
> is only single-threaded you can usually configure cpu-affinity to place it on
> one core and the other routing tasks on the other core.
>
> For those who want to go beyond around 20-25 Mb/s, which is where an ARM
> router will start to reach its limits, a fine alternative is a small fanless
> PC, such as the Intel NUC or Gigabyte Brix, and run an open source firewall
> on it, instead of a router. I'm using IPFire. If the processor supports
> AES-NI, the limiting factor will be your network speed, not the firewall's
> CPU.
>
> Finally, I've always felt that running a vpn on Qubes and having an always-on
> vpn running on a router/PC complement each other.








Re: [qubes-users] Installing VPN in Qubes Versus VPN on a Router

2016-11-13 Thread hedron
13. Nov 2016 16:01 by no...@noses.com:


> On 13.11.2016 at 14:22, hed...@tutanota.com wrote:
>
>> 13. Nov 2016 08:48 by amad...@riseup.net:
>>
>> Thoughts on this paper and its conclusions are welcomed
>
> There is a point where additional components won't give you
> defense-in-depth but only additional complexity that will in the end make
> you less secure.

Allowing a backdoored router into your network will, complexity or no 
complexity, compromise your security. The only conclusion to reach is not to 
use them wherever possible, or isolate them if their use is mandatory.


 


>> An always-on VPN connection on the router works well but can be a bit
>> slow since the processing power of router CPUs is generally quite
>> limited. If choosing a router, I'd suggest a dual-core ARM-based
>> device. Although openvpn is only single-threaded you can usually
>> configure cpu-affinity to place it on one core and the other routing
>> tasks on the other core.
>
> One of the GL-Inet small arm(s 8-) ) routers is sufficient for 80
> MBit/s (see https://www.gl-inet.com/). I'm using one of their "Mifi"
> devices (https://www.gl-inet.com/mifi/) to write this and right now it
> is holding up quite well with 150 MBit/s LTE plus an OpenVPN on top of it.
> The only problem is the about 1MBit/s I'm getting from their uplink.

I've never come across these devices. They look like good value for money.

 


>> For those who want to go beyond around 20-25 Mb/s, which is where an
>> ARM router will start to reach its limits
>
> Seriously? I doubt that. Right now I'm using an ASUS RT-AC5300 (ARM,
> dual core) router on a 400/20 MBit link (residential cable) and even if
> I'm saturating it using an OpenVPN process running on the router its cores
> seem quite unimpressed. But maybe DD-WRT is magical.

Yeah, maybe my 25 Mb/sec generalisation is a bit out of date but it still 
depends on what you're prepared to spend. Let's see: ASUS RT-AC5300. It has 8 
antennas and is a beast of a router that sells for 439 euros on amazon.de. At 
that price it really ought to be fast. Back in more reasonably-priced 
territory, I did some real-world tests 18 months ago on my ASUS RT-AC56U (97 
euros on amazon.de, ARM x 2) and never exceeded 25 Mb/s with 80% cpu load. Even 
had it achieved 100% cpu, that would still only equate to 30 Mb/s. Flippant 
comments about magic aside, if you throw big money at the hardware, you'll get 
more speed. I'm still betting that a small i3 with AES-NI would outperform it 
on openvpn, and for a fraction of the price.


 



Re: [qubes-users] [feature request] Shutdown template after update

2016-11-13 Thread Achim Patzner
On 10.11.2016 at 12:43, Eva Star wrote:

>> I hope I'm not too offtopic but a gui option to shut down multiple vms at 
>> once would be cool.
> `qvm-shutdown --all --wait` -- will shutdown all VMs (if it helps)

Multiple, not all. Select multiple lines and then get a pop-up option
"shut these down". Or "qvm-shutdown --class=Template --all".


Achim



Re: [qubes-users] [feature request] Shutdown template after update

2016-11-13 Thread Achim Patzner
On 10.11.2016 at 00:24, Marek Marczykowski-Górecki wrote:
> On Tue, Nov 08, 2016 at 10:37:02PM +0100, Achim Patzner wrote:
> > Maybe I should have added the (obviously in my eyes obvious) argument:
> > The current update-procedures are launched by a GUI-application and then
> > open a window that is asking questions which need keyboard interaction.
> > And in some cases the default answer (at least in Fedora) (which is
> > making things worse – at least the default Xterm is looking different
> > for Fedora and Debian) is not what you want. Or at least not what I want
> > (aborting the update). Now someone wants to add another bloody
> > interactive option that will require at least me to select the
> > non-default option.
>
> I'd like to change this default - indeed it is very confusing, but I
> don't know how.

Only by recompiling it. This is hardcoded. I remember a
"Linux-Stammtisch" in the area where the discussion over this topic
nearly led to bloodshed so please avoid supplying patches unless you've
got a black belt in something.

> The only related option is to accept automatically.
> Maybe this is the way to go?

I'm currently living with about 10 Fedora-based templates. I'm usually
updating the fattest, reviewing the list carefully and then go on with
the update. The others are just getting a treatment using qvm-run
(because I am annoyed by all those questions using the Manager). So
using "-y" on the command line would not be exactly what I consider safe
nor secure.

> Personally I like to review list of packages to be updated, but I guess
> most users don't do that.

… until they have been burnt. I just spent hours finding out how I
destroyed my native Arch system until I remembered that I'm EFI booting
without grub and forgot copying the new kernel (which I didn't notice
being installed because I didn't check the f* list) to /boot/efi/EFI/arch.

> I think it's important to give the user some feedback. Fully automated
> updates are somehow broken in most tools[1] - this is why we have this
> terminal window,

I guess I mentioned already that I'm mildly hating someone for using an
xterm in default settings 8-). Although it is looking coool when you're
updating 20 machines at the same time and showing your stamp collection
to someone I've yet to figure out how to use a different font size for it.

> instead of just some progress bar or something even less intrusive.

Sometimes I like the way Ubuntu and the likes are handling things –
until they break something. 8-)

> But automatically shutting down the template (after the user has had a
> chance to see update feedback) is a good idea. Something like "Press enter
> to shutdown template, or Ctrl-C to just close this window".

I once got into a serious discussion with Jordan Hubbard about the fact
that I really disliked the sudden pop-ups asking for something innocent
like "do you really want to shut down/have your cat slaughtered by
satanists/vote for Trump?" with the least convenient option being the
default while I was busily typing at something (you know that Macs are
used by pushing mice and touching pads; that's why you can remove keys,
one after the other, without any user noticing it).

It's the same with the update process; the keyboard is not flushed
before the "shutdown or not" question so any extraneous return key will
still be in the buffer. Shutting a machine down isn't as bad as messing
up your boot disk (which I did on the Mac by accepting a system update I
would not have accepted if I had time to read the pop-up) but you should
always be careful with users… Their attitude might type first, think later.


Achim



Re: [qubes-users] Installing VPN in Qubes Versus VPN on a Router

2016-11-13 Thread Achim Patzner
On 13.11.2016 at 14:22, hed...@tutanota.com wrote:

> 13. Nov 2016 08:48 by amad...@riseup.net :
>
> We see much correspondence in these forums about installing a VPN
> within Qubes. Surely, the most secure place for VPN is to install
> on a Router?
>

You might continue proving that this is the case for a router running on
its own VM compared to a router running on separate hardware but keep in
mind counting the problem of keeping the router's os current and free of
security-relevant problems.

> The solution they say is to isolate these rogue routers in the
> Militarized Zone by creating a DMZ [demilitarized zone]. Achieved
> by installing a 2nd router [flashed with open source firmware such
> as OpenWRT]. It is here, on the router, that we should enable and
> run OpenVPN.
>

And of course another router/packet filter/firewall/whatever behind it
as there could be something _inside_ the VPN that would not be agreeable
to you.

> Thoughts on this paper and its conclusions are welcomed
>

There is a point where additional components won't give you
defense-in-depth but only additional complexity that will in the end
make you less secure.

> An always-on VPN connection on the router works well but can be a bit
> slow since the processing power of router CPUs is generally quite
> limited. If choosing a router, I'd suggest a dual-core ARM-based
> device. Although openvpn is only single-threaded you can usually
> configure cpu-affinity to place it on one core and the other routing
> tasks on the other core.
>

One of the GL-Inet small arm(s 8-) ) routers is sufficient for 80 MBit/s
(see https://www.gl-inet.com/). I'm using one of their "Mifi" devices
(https://www.gl-inet.com/mifi/) to write this and right now it is
holding up quite well with 150 MBit/s LTE plus an OpenVPN on top of it.
The only problem is the about 1MBit/s I'm getting from their uplink.

> For those who want to go beyond around 20-25 Mb/s, which is where an
> ARM router will start to reach its limits
>

Seriously? I doubt that. Right now I'm using an ASUS RT-AC5300 (ARM,
dual core) router on a 400/20 MBit link (residential cable) and even if
I'm saturating it using an OpenVPN process running on the router its
cores seem quite unimpressed. But maybe DD-WRT is magical.

> , a fine alternative is a small fanless PC, such as the Intel NUC or
> Gigabyte Brix, and run an open source firewall on it, instead of a router.
>

For security-sensitive applications I'm using a USBArmory-based
"crypto-afterburner" that I can plug into other machines offering two
"USB-NICs" and I don't have problems with reaching the USB bandwidth
limit. If it wasn't impossible to get a single USB port into a VM I
would have found a place to stick one inside my Thinkpad already. If
there was a Qubes developer feeling bored I would have thrown one at him
already to see if we could have a few interesting things introduced into
Qubes (like boot media running on a separate volume that need to be
unlocked first, external key storage, external crypto functions…)

> Finally, I've always felt that running a vpn on Qubes and having an
> always-on vpn running on a router/PC complement each other.

And an independent packet filter in front of it. And one behind it. And
no wireless networking in between any component. Again: Consider a USB
Armory; write some interesting tools, add them to Qubes. That might
really help.


Achim



[qubes-users] Lenovo ThinkPad T460s 20FAS5WM00

2016-11-13 Thread berthold_tom
all working as intended, only exception: no sound @hdmi yet.



Qubes-HCL-LENOVO-20FAS5WM00-20161113-145806.yml
Description: application/yaml


Re: [qubes-users] Installing VPN in Qubes Versus VPN on a Router

2016-11-13 Thread hedron

13. Nov 2016 08:48 by amad...@riseup.net:


> We see much correspondence in these forums about installing a VPN within 
> Qubes. Surely, the most secure place for VPN is to install on a Router?
> I say these things after reading the following paper 
> [ https://cryptome.org/2013/12/Full-Disclosure.pdf ] in which a group of 
> hackers demonstrate that the majority of routers (in particular those 
> provided by ISPs) have backdoors to government agencies. These adversaries 
> are able to attack our LAN and its devices, including the ability to 
> intercept VPN and Tor traffic.
> The solution they say is to isolate these rogue routers in the Militarized 
> Zone by creating a DMZ [demilitarized zone]. Achieved by installing a 2nd 
> router [flashed with open source firmware such as OpenWRT]. It is here, on 
> the router, that we should enable and run OpenVPN.
> Thoughts on this paper and its conclusions are welcomed
>
>

An always-on VPN connection on the router works well but can be a bit slow 
since the processing power of router CPUs is generally quite limited. If 
choosing a router, I'd suggest a dual-core ARM-based device. Although openvpn 
is only single-threaded you can usually configure cpu-affinity to place it on 
one core and the other routing tasks on the other core.




For those who want to go beyond around 20-25 Mb/s, which is where an ARM router 
will start to reach its limits, a fine alternative is a small fanless PC, such 
as the Intel NUC or Gigabyte Brix, and run an open source firewall on it, 
instead of a router. I'm using IPFire. If the processor supports AES-NI, the 
limiting factor will be your network speed, not the firewall's CPU.




Finally, I've always felt that running a vpn on Qubes and having an always-on 
vpn running on a router/PC complement each other. 
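
The two checks this post relies on (hardware AES support and a core split for single-threaded OpenVPN), as an added example that is not part of the original message. The function names, the `<NIC_IRQ>` placeholder and the cpuinfo samples are constructed for illustration; the script only prints the `taskset` and IRQ-affinity commands, it does not run them.

```shell
#!/bin/bash
# Added example (not from the thread): check a router/firewall box for
# hardware AES and work out the CPU split for a single-threaded OpenVPN.
# Functions take a /proc/cpuinfo-style file so they can be tried offline on
# the constructed samples below; pass /proc/cpuinfo on a real machine.

# Number of logical CPUs ("processor : N" lines).
cpu_count() {
    awk '/^processor[ \t]*:/ { n++ } END { print n + 0 }' "$1"
}

# Succeeds if the CPU advertises hardware AES: "aes" in the x86 "flags"
# line (AES-NI) or in the ARM "Features" line (ARMv8 Crypto Extensions).
# Whole-word match, so a flag that merely contains "aes" does not count.
has_hw_aes() {
    awk -F: '/^(flags|Features)[ \t]*:/ {
                 n = split($2, f, " ")
                 for (i = 1; i <= n; i++) if (f[i] == "aes") found = 1
             }
             END { exit (found ? 0 : 1) }' "$1"
}

# Hex CPU bitmask covering every core except the last one, in the format
# /proc/irq/<N>/smp_affinity expects. Keeps NIC interrupts (the "other
# routing tasks") off the core reserved for OpenVPN.
rest_mask() {
    printf '%x\n' $(( (1 << ($1 - 1)) - 1 ))
}

# One-line summary of what the box offers.
summary() {
    local aes=no
    if has_hw_aes "$1"; then aes=yes; fi
    echo "cores=$(cpu_count "$1") hw_aes=$aes"
}

# Print the commands for the split; nothing is executed.
# <NIC_IRQ> is a placeholder: look the number up in /proc/interrupts.
affinity_plan() {
    local n vpn_core
    n=$(cpu_count "$1")
    if [ "$n" -lt 2 ]; then
        echo "# single core: OpenVPN and routing share it, nothing to pin"
        return 0
    fi
    vpn_core=$((n - 1))
    echo "taskset -cp $vpn_core \"\$(pidof openvpn)\""
    echo "echo $(rest_mask "$n") > /proc/irq/<NIC_IRQ>/smp_affinity"
}

# Constructed sample inputs (not captured from real hardware).
make_samples() {
    cat > "$1/x86.cpuinfo" <<'EOF'
processor : 0
model name : constructed dual-core x86 sample
flags : fpu sse2 ssse3 sse4_1 sse4_2 pclmulqdq aes avx
processor : 1
model name : constructed dual-core x86 sample
flags : fpu sse2 ssse3 sse4_1 sse4_2 pclmulqdq aes avx
EOF
    cat > "$1/arm.cpuinfo" <<'EOF'
processor : 0
model name : constructed ARMv7 router sample
Features : half thumb fastmult vfp edsp neon vfpv3 tls
processor : 1
model name : constructed ARMv7 router sample
Features : half thumb fastmult vfp edsp neon vfpv3 tls
EOF
    cat > "$1/single.cpuinfo" <<'EOF'
processor : 0
model name : constructed single-core sample
flags : fpu sse2 ssse3
EOF
}

SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
for f in "$SAMPLES"/*.cpuinfo; do
    echo "== ${f##*/}: $(summary "$f")"
    affinity_plan "$f"
done
rm -rf "$SAMPLES"
```

Without hardware AES the cipher work lands on the one core OpenVPN can use, so pinning helps only by keeping interrupt handling from competing for that core.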






Archlinux template – send early Christmas gifts to Marek ASAP! Re: [qubes-users] Arch-template and Firefox (49.0.2)

2016-11-13 Thread Achim Patzner
> qubes-template-archlinux package is available qubes-templates-community 
> repository!

Make a wish 8-). But watch the movie “Wishmaster” first to see why getting more 
Genies is not a good idea.

> I haven't tested it in any way. It includes only what the builder-archlinux
> scripts do

> - test it out

Without testing it (I do not have real bandwidth in the middle of nowhere right 
now): Did you modify /etc/fstab to mount a /dev/shm larger than 256MB?

> - automate powerpill setup (probably as part of core-agent-linux
>   repository - some post-installation script or such)

As much as I am in favor of it, everybody with a good grasp of security should 
think about which is the least of three evils: adding another repository (for 
powerpill as a package), using the AUR to install powerpill, or giving his 
template access to the network for updating (while updating). I’m still not 
clear about it myself (although using powerpill at home with a 400 MBit line 
is… fascinating).

> - adjust https://www.qubes-os.org/doc/templates/archlinux/
> - write some separate announcement(?)

Just change the subject on this message 8-)


Achim



[qubes-users] Re: Installing VPN in Qubes Versus VPN on a Router

2016-11-13 Thread Sec Tester
I guess the main benefit to having a VPN on the router is that it takes that 
overhead off the PC's CPU & memory.

But the paper is right, a lot of network hardware is backdoored. Especially the 
Cisco stuff. And I'm suspicious of the Chinese stuff too.

We should endeavor to run open source routers. But I'm not aware of any open 
source modems? I'm actually surprised someone hasn't cracked the proprietary DSL 
code and leaked an open source modem.

I bet we would not like what we found in their proprietary code :/

Having a VPN-Proxy-VM offers the flexibility to choose which VMs directly connect 
to the internet, and which VMs are routed through the VPN, which is nice.

I've set up my VPN-Proxy-VM using a minimal template, to further reduce the attack 
surface.

You can also run the whonix-gw over the VPN, or vice versa.

I imagine since Snowden said to the world he uses Qubes OS, the NSA have had 
their team looking for ways in. I think Qubes can be hardened much more than it 
currently is.



Re: [qubes-users] Problems with Qubes setup with AMD GPU (r9 290)

2016-11-13 Thread Eva Star

On 11/11/2016 07:14 AM, panecond...@gmail.com wrote:

Hey there,

I am currently trying to get a live USB drive of Qubes running but the OS freezes after 
the first login prompt. I since tried to get several Linux-based live systems (e.g. 
Tails, regular Debian) running, but all fail right after the "greeter".

I have since searched around and think it could be related to my system utilizing 
an AMD GPU (R 290). I found this possibly relevant thread on the Qubes 
troubleshoot FAQs -> 
https://groups.google.com/forum/#!topic/qubes-devel/4npXsO2mL3Y. In this thread, a 
similar problem has been resolved by adding some firmware to the OS, but the link 
is not working for the new firmware.

Is there a good resource someone could point me to? Or, theoretically speaking, 
is it possible to install Qubes on a flash drive (min. 32 GB, I think) or an 
Intel machine and then install the required firmware? My CPU lacks internal GPU 
capabilities, but in my head, this could work, right?

Thanks for your time!



Click ESC on boot and check the messages of the login process to get more 
information about the issue. Maybe it's a problem with other hardware.



--
Regards
