[qubes-users] Installer issues for 3.2

[Drew White]

I'm running the installer again.

I select to NOT install Debian or Whonix.

It is installing them even though I selected for it not to.

Is there a bug in the installer where it does this?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/758e8f8a-d50a-491c-bb6e-6855e8ef2cb5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] changing DVD/CD on the fly

[Drew White]

On Monday, 28 November 2016 14:42:22 UTC+11, Marek Marczykowski-Górecki  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> On Sun, Nov 27, 2016 at 07:32:55PM -0800, Drew White wrote:
> > On Monday, 28 November 2016 14:19:41 UTC+11, Marek Marczykowski-Górecki  
> > wrote:
> > > See if qvm-block tool can help you here. If not, you probably need to
> > > look at `xl cd-eject` and `xl cd-insert`. Disclaimer: I have never used
> > > them.
> > 
> > libxl: error: libxl.c:2919:libxl_cdrom_insert: cdrom-insert doesn't work 
> > for stub domains
> 
> So... this is your answer, it isn't possible.

It appears not for "stub domains" at least.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5fc72443-5261-4b8c-884e-8ea816ac0f8d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Control Alt Delete

[Drew White]

On Monday, 28 November 2016 14:18:33 UTC+11, Christopher Thacker  wrote:
> What is the Qubes version of "Control Alt Delete"?
> 
> If I leave Qubes and the screen goes black upon my return 5 minutes later, 
> then I can't interact with anything on the laptop screen.  My mouse works 
> fine but the Qubes VM does not respond to any mouse input.  I even unplugged 
> and replugged my mouse.
> 
> Even the little icons in my lower left and lower right do not respond.  It is 
> as if the entire screen, including the Qubes VM manager, freezes.  In such 
> situations manually restart the laptop.
> 
> What is the "Control Alt Delete" mechanism so i can get a "task manager" to 
> see what is happening?
> 
> Thank you.

Ctrl+Alt+ESC then click

Then proceed to see what guest vanished from the screen.
After that, in the run dialogue for that guest, run something to bring back the 
display of it.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/03c98812-df57-4693-9d77-3902b946b2e1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] changing DVD/CD on the fly

[Drew White]

On Monday, 28 November 2016 14:19:41 UTC+11, Marek Marczykowski-Górecki  wrote:
> See if qvm-block tool can help you here. If not, you probably need to
> look at `xl cd-eject` and `xl cd-insert`. Disclaimer: I have never used
> them.
> 
> - -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

libxl: error: libxl.c:2919:libxl_cdrom_insert: cdrom-insert doesn't work for 
stub domains

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/660896c4-5cc7-4e9a-8d2f-b18f18f0bdf4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] changing DVD/CD on the fly

[Drew White]

On Monday, 28 November 2016 14:19:41 UTC+11, Marek Marczykowski-Górecki  wrote:
> See if qvm-block tool can help you here. If not, you probably need to
> look at `xl cd-eject` and `xl cd-insert`. Disclaimer: I have never used
> them.
> 


Thanks Marek, I'll give it a try.
And no, qvm-block merely kept saying it couldn't unmount a cdrom.

I'll let you know how it goes.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/17fff5d9-93e8-4dfe-a323-d0c516bab6c5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] changing DVD/CD on the fly

[Marek Marczykowski-Górecki]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sun, Nov 27, 2016 at 07:03:37PM -0800, Drew White wrote:
> Hi folks,
> 
> I'm trying to change the DVD in the drive on the fly, but I'm unable to 
> unmount an assigned DVD/CDROM.
> 
> I've had a look and I can't find the information anywhere here.
> 
> How do I change the DVD/CD on the fly in the VM when referring to ISO's?

See if qvm-block tool can help you here. If not, you probably need to
look at `xl cd-eject` and `xl cd-insert`. Disclaimer: I have never used
them.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYO6JGAAoJENuP0xzK19csUacH/1MysTjYInRl6PXJu8/l/vAJ
C96pFD6cSTCo+J9nmZO+jaoRsXLnWWsCMzmwycZA7/5Evc3fPEKxKiuH5cWJtWbB
tbBa/cIiA9Ym84+cXlVjWGqcb2Rd7J4jEIWGyqKO57qobQLs/JPI+JAvxyUKZ/ON
RAopmUfy+A3mJtwYU18k/gdJFcQSlo5qHRYQpXSyOAu6DqKkdRHut7L57M/0bKzB
p5yOueq0szCK52rIAqYtESliIwjfiEFf2+W63gvPA0Y0uUB0VRGupAapJxKbkK8e
Uq73PFFcn0+h64C1hW4RFHPoaasRgXoSTVMpL/gc/phlMeUk7qQ7xkEBiLdUlpw=
=QLND
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161128031934.GB1145%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Control Alt Delete

[Christopher Thacker]

What is the Qubes version of "Control Alt Delete"?

If I leave Qubes and the screen goes black upon my return 5 minutes later, then 
I can't interact with anything on the laptop screen.  My mouse works fine but 
the Qubes VM does not respond to any mouse input.  I even unplugged and 
replugged my mouse.

Even the little icons in my lower left and lower right do not respond.  It is 
as if the entire screen, including the Qubes VM manager, freezes.  In such 
situations manually restart the laptop.

What is the "Control Alt Delete" mechanism so i can get a "task manager" to see 
what is happening?

Thank you.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5e6e77fa-1abb-4c56-86eb-0ed66e653396%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] changing DVD/CD on the fly

[Drew White]

Hi folks,

I'm trying to change the DVD in the drive on the fly, but I'm unable to unmount 
an assigned DVD/CDROM.

I've had a look and I can't find the information anywhere here.

How do I change the DVD/CD on the fly in the VM when referring to ISO's?

Thanks in advance.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a3d36c1e-e3b6-4cdc-a600-8da0d9f9b198%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] custom kernel doesn't work installed in debian cloned template

[Marek Marczykowski-Górecki]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sat, Nov 26, 2016 at 09:02:08PM -0800, raahe...@gmail.com wrote:
> I followed instructions to install pvgrub2-xen in dom0. Then in template vm 
> installed qubes-kernel-vm-support and grub2-common.  Then i installed the 
> distribution kernel from debian repos with apt-get (3.16).   then update-grub 
> and shutdown but It doesn't work right.  I eventually would like to be able 
> to compile my own kernel,  was hoping it would be easier with pvgrub support 
> but I think I must be missing something.
> 
> When I boot it after selecting pvgrub in kernel settings.   sudo xl console 
> sows it has booted fine but then is asking me for a login.  If I type root i 
> get root.   But I can't load any applications in the gui environment.  from 
> dom0 terminal or from the start menu on desktop. 

Make sure you have u2mfn module compiled. In some cases (I think it
depends on package installation order) it isn't done automatically.
AFAIR the easiest way is to execute:

sudo dkms autoinstall

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYO5wFAAoJENuP0xzK19csocUH/jIGrtN9mcq+yBKexGLwUiew
Frx9riBphesgcpDz3Q4ygI9E5DK3vEj19lnBnhvwKexqv1K1ZE6aas1OH2HlSSrQ
obc2qJOZPU1+Yz0vW6ncWWn8vFbS1VJ35RhPoTIh+l+dU7m1sSrLdewXkWgAa5gp
XI2Tzc2KA+/2MMhhdk6UT1mm/Aclh8Eg3JpuEAesET5vyTpZTFIaTqkeujYGOGK9
PR1zMyhNpawd70U49pT1QrvVpfgfwHB/Om9rDmSWHcO1SOLcSwD24Ti+oudXK6rv
06gJ1RXN8SouCjWiQMv0GEzYtRcEWVJiEu991CzgR7d4NYI/IsPs7ivAZr6Cptg=
=GNyw
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161128025253.GM2130%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How to block template vm? (prevent it from starting)

[Marek Marczykowski-Górecki]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sat, Nov 19, 2016 at 09:27:39AM -0800, Pawel Debski wrote:
> Folks,
> 
> is it possible to somehow block a TemplateVM and all VMs based on this 
> template?
> 
> I.e. whenever some app would be started in any VM involving this template I'd 
> like to get an error messages or at least have the operation fail silently 
> instead of having Qubes start the VM.

There is no builtin option for this, but if you really want, you can
intentionally break such template. Like renaming
/var/lib/qubes/vm-templates//root.img to some other
name.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYO5v/AAoJENuP0xzK19csNfAH/3+Q66qBuyWjxbmWSkJmPEVC
fkIDLlgV2TVgjK6g0thQNE1LQo9DgvBNhS+yOq0soidNAGfR53iKXEo8vVXlgnFs
WsnuYuT35jndOVp5046awpo7mpXyH2QD0VnaOFru/IqOk/k5Zq697UFyFGEMjCnE
ScrwWsbR3EQRC2sx21R9wCue/jqYPjiFD7WdZipk1tLRySiqVrtwfrwSuMaBg19I
C65W/YunAydoSfGg8gcgdhBJj891BooYbHzfnkms3ygUl7Tr+JWb/T1G6zpLkUIR
2ZuTH0TigxJgQvb74lSJD5pDRRGf5zOPac6Mug0TO0oDcMs0IMT7KSbE3Dfs55k=
=vvdo
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161128025247.GL2130%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Qubes can not decrypt the root directory partition.

[Marek Marczykowski-Górecki]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sun, Nov 27, 2016 at 01:19:11AM +, Alexander Villalba wrote:
> tezeb:
> 
> I do not have Backup ! And I do not think it's a hardware problem. Anyway
> there's diagnostic software for that.
> 
> Marek Marczykowski-Górecki:
> 
> And not, it's not the Caps Lock, the keyboard is fine (please, I'm not a
> baby!)
> 
> But I do believe there are more options. It would be terrible if there were
> no more options.

Lets start from the beginning. In default installation you should have
LUKS container on one partition. You should be able to access it
from console (from whatever running linux - Tails, Qubes installation
disk in rescue mode or anything else):

Check what partition it is:

sudo blkid

Search for TYPE="crypto_LUKS", on my system it is /dev/sda3, so lets go
to the next step:

sudo cryptsetup open /dev/sda3 sda3crypt

This should ask you for your disk passphrase. If all goes well, you
should get /dev/mapper/sda3crypt. If not, examine LUKS header:

sudo cryptsetup luksDump /dev/sda3

You should see at least one key slot "ENABLED". If not (and you don't
have any backup), there is no way to recover the data.

Next step is to activate LVM - this is what lies inside LUKS container
on Qubes. This is easy:

sudo vgscan -ay

You should get /dev/qubes_dom0/root, which you can mount normally and
access your data - VM data images are in /var/lib/qubes/appvms.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYO5r2AAoJENuP0xzK19csOV4H/jeg5fisG5eufBn10M0Iy7NK
ObiNpRO7Cgu8pPSrdecqeKWDL0Tdm2fiGMviRw65UM0x3vBFxa0LhmCFFCKJ+kYP
pLX4fjyK+hXuanay5WX2cFhS/w7RvQ7D1MTQvQmUDRJonDoce6jXGH4lJkebRGPb
WOqZ2LK5H0HfmAkib+WP8+Q2GOTZgWmtQc8gjcxFYfcbAYsFwTolzOb3863vycWj
xbvVoL0FZJqfyC7Z+prCXtXCxuDRf6Vj9fyJXp51IDwJazZ+WamCnIOcaFhE1Ugj
y8HYdBwGdwTpyavcKvRQ6q0mUNbiHGWrHEPQqKfnXAhNdINa1qgUMFCRN3OF/Fg=
=I3gv
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161128024822.GA1145%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Fedora 24 minimal template can not be setup with salt

[Marek Marczykowski-Górecki]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Nov 18, 2016 at 01:46:26PM +0100, qu...@posteo.de wrote:
> Hi,
> 
> I am planning to setup my templates with salt. I have done some preparation
> some time ago but not with the Fedora 24 templates I thought it was time to
> do it properly.
> 
> One of the issues is that the minimal template can not use salt by default
> afaik but needs the package "qubes-mgmt-salt" which needs to be installed
> manually.

If you want to manage it from dom0, using qubesctl wrapper tool, you
don't need salt installed in target template at all. See here:

https://www.qubes-os.org/doc/salt/

> When I try to do this on the Fedora 24 minimal template I get a conflict
> between the packages qubes-mgmt-salt-config and salt-minion. The conflicting
> files are /etc/salt and /etc/salt/minion.d. Is this known or is there a
> workaround for it besides forcing the installation?

As noted above - you don't need qubes-mgmt-salt-config installed.
Neither salt-minion.

The only think you need, is qubes-mgmt-salt-vm-connector in your
_default_ template.

> In general it would be great if you would use salt to setup the templates,
> at least optionally, because then it is more transparent what is in them,
> you do not need more disk space on the dvd and users can easily customize
> them. This would also allow users to not backup the templates which in my
> case would save almost 10 GB.

Part of it makes sense. Especially managing templates to save on backup
space. This also makes it easier to migrate to new template, or recreate
it for whatever reason. I think the only currently missing piece is more
documentation on it.
But it isn't possible to directly create new template using salt - you
need something to boot in the VM first to run salt-minion there... Also
it won't save much space on DVD, as we don't want to depend on internet
access during installation.

> The Fedora standard image has way to many packages and also has
> gstreamer-plugins-bad installed which provides atm a known remotely
> exploitable security hole, at least when Chromium is used.

Standard templates are mostly default installation of given distribution
- - in case of Fedora - it's Fedora Workstation. With actually some stuff
excluded (like libreoffice, evolution) to make it smaller than the
default...

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYO5HxAAoJENuP0xzK19cs8EcH/190Rjv99S9PnX88PCyrV0k5
iKxyGuAXxLi/6uXsIgTRCcnVw2QpxIK6Ih5cl05yARqELsYGLbcUUNqObOoKqnbC
DCIkpQtHZOFsIylmDIENDHKhievUTZpTLw2IV7OiBL/f5MXyasL8JPDXGGGjq4kQ
osGjYEoFmwBUTFTbBWrcsW7/b4Wl0nHqOe1a+Vxcg9A+zhwxwbk7fKxcHLyx3327
Rq7h0Vl7sfkr9u8nWr7Ptwcf8jHR7Agsmlh2F5oR83CWHNe0viuv+gzo+U1YKn8N
fEH4BxxVANtBS3dhnYL3nG43TZKxg4l05UHyt1m2+kUmhhNj21LVuydGXVc87gE=
=G4Au
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161128020953.GZ1145%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Custom Bios

[Drew White]

Hi folks,

I'm trying to get a custom BIOS to work, but I can't find where the options are.

There is nothing in the documentation to specify where to set it

If you know how to do it that would be great!

Otherwise, do I have to create a XEN config, and then is there a way to convert 
that to the Qubes config file?

Either way it would be good if there was the availability to do such a task.

I did a search in the forum, but could not find anything.

Thanks in advance.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/98cbfad3-ea1f-4612-abd1-d84bfa80ee61%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Creating USB qube: PCI device in use by driver xenlight

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2016-11-26 14:29, Grzesiek Chodzicki wrote:
> W dniu sobota, 26 listopada 2016 19:52:39 UTC+1 użytkownik Pawel Debski 
> napisał:
>> W dniu sobota, 26 listopada 2016 18:56:49 UTC+1 użytkownik Grzesiek 
>> Chodzicki napisał:
>>> put following command in dom0 terminal: qvm-prefs -s vmname pci_strictreset 
>>> false
>>
>> Tx Greg, that works.
>>
>> Can we briefly discuss how much does it lower the security of the 
>> workstation. I mean: does it really allow to plug-in fabricated USB device 
>> to install keylogger to obtain credentials to highly sensitive applications 
>> running in other qube (say VaultVM).
>>
>> What other potential attack scenaria does it open?
>> (assuming that one is interested only to protect VaultVM transient content)
> 
> If the device is assigned to one vm only at all times then it doesn't lower 
> security afaik. PCI strict reset is used to reset the device's state when 
> moving the device between machines. If the device is not moved between 
> machines then it shouldn't matter.
> 

Correct. From `man qvm-prefs`:

pci_strictreset
Accepted values: True, False

Control whether prevent assigning to VM a device which does not support any 
reset method. Generally such devices should not be assigned to any VM, because 
there will be no way to reset device state after VM shutdown, so the device 
could attack next VM to which it will be assigned. But in some cases it could 
make sense - for example when the VM to which it is assigned is trusted one, or 
is running all the time.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-BEGIN PGP SIGNATURE-

iQIcBAEBCgAGBQJYO4QdAAoJENtN07w5UDAwDQUP/j8ipg43tTTftByJ57Fgwoee
3jt4EQtOu/Dj9B1zOvJjdESSXFBconqzRuB6gtEXkUJFNbHVM1zXrYKVl3BIs8fL
9Q5bde7bFOL3s8iUct9LUptZrkJApWE1lLslIXkf310Q/ZueWOeDOj6AWH3JgOQq
4e+YRfmWo2iYdgtOwE8lTafhf6dWW70XwaigDgftmjSrEEXQzCDZIB/skxJYFk08
FTvO/j9Hf5yfjRVHMWCXkK7XNAWQGcZfVh0CXv/mW8YEfmw/c+C9bJMT5HYjf6xw
SuLMX5plaE1uqUhGrNhKLICfrF+mr6D0fJLbUqblGmRY7TyneyT4KY404T6euMQw
nfgyrXQXhEPk9IDDXI+Lhf1rEOFiSIqovTxMbTdj6nYlvhE4tuj951sOvcsbwXje
sriPw1viRntTOLXig41tj1cuKCtoAzoUCz1E/EDS4lUAMJ9eh85sxyGevBxbDMnl
H3nE1pyTmy0sobvIc8MwdcgMdQM18yCxmoFq3GbHp3gnibngRSufMbNBe7/u0XKK
ihTQxY1hUMnhq/iiXg1UwLVUqDY/1ohzvB0gs3qqvh7AT6gu+8ypEhkxydpv04bb
ZcqWZO1C+z9xmDz0k2rHL9nViqj2D/C1PgWJ1/y3MFR+S84TVnOEWt0QjvhOYgSH
+Hse/mswOmQy9h+BNNpf
=6i/C
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/848eb69d-92bf-1af1-b771-cf385b04d0a2%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Passthrough

[Drew White]

On Friday, 25 November 2016 23:36:42 UTC+11, Desobediente  wrote:
> In the settings tab on the qubes manager you could passthrough almost 
> everything. For example, if you passthrough the video card, your screen will 
> black out.

I don't want to pass through the device from dom0 to the guest, I jsut want 
everything that the guest sees to be the physical device that is faked to be as 
it really is. Not remove it from dom0 and everything else, because that would 
mean that qubes would stop working because the device isn't shared.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b7aad368-1fba-4cf6-bf47-64f1fabcbda2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Stuck during boot with processor stuck - now with journalctl logs

[Marek Marczykowski-Górecki]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Nov 22, 2016 at 10:54:32AM -0800, Ronald Duncan wrote:
> Added in the journalctl logs
> 
> The laptop works best with  latest linux kernal 
> 
> rjd@rjd-GL752VW:~$ uname -a
> Linux rjd-GL752VW 4.8.0-27-generic #29-Ubuntu SMP Thu Oct 20 21:03:13 UTC 
> 2016 x86_64 x86_64 x86_64 GNU/Linux
> 
> What is best way of updating qubes to latest kernal and hypervisor.

There is 4.8.10 kernel in unstable repository, you can install it with:

sudo qubes-dom0-update --enablerepo=qubes*unstable kernel

This assume you can boot your system. Does the hang happen all the time,
or only sometimes? If the former, try disabling nouveau driver (which
looks to be the problematic one), for example using nouveau.modeset=0
kernel option.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYO04zAAoJENuP0xzK19csk64H/jRt3ma1zKxR4sSrE+vhBw2m
4xlViEX3d6wcgul0N4YDJ/D61nlALUjVoel0pEJFIfBAr6rWNAonchd42LclPEk2
nGiF7R5S5t4Ua1B57dj3Gd6PpCU76wiBnHjSLlSY0MOydwpaVLuHTZR+9zqGhFVj
1OVSVH7lZBdetK+VlWGxcOK6VI6LPzKqMCWITC06LrRETF3pwuX0eOpObKzMpB5t
yP+8ExTIGSoOqsHoA6FdV2Ie2813biAJsobreKZEK32wJeFa5uNX9fJzrPR9zSlf
kzeTh1JQXRkf+N4ZpF9aq52n8kzFjguDITyBPPc7dmGR5DCkKFDGBnfRM/RIZBo=
=qGwa
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161127212051.GY1145%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Unsolicited feedback on qubes-issue #2455

[Marek Marczykowski-Górecki]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sun, Nov 27, 2016 at 12:47:14PM +0100, Alex wrote:
> On 11/26/2016 11:59 PM, Marek Marczykowski-Górecki wrote:
> >> - Qubes-GUID crashed in one AppVM as soon as I started monodevelop
> >> the first time. Cannot reproduce this problem either. Error in guid
> >> log was:
> > 
> >> ErrorHandler: BadAccess (attempt to access private resource
> >> denied) Major opcode: 130 (MIT-SHM) Minor opcode: 1 (X_ShmAttach) 
> >> ResourceID:   0x254 Failed serial number:  3670 Current serial
> >> number: 3671
> > 
> >> may be related to the fact that monodevelop shows and hides many
> >> windows in rapid sequence when starting?
> > 
> > Yes, it may be. Very similar error (#2171) was already fixed some
> > time ago, but apparently not all the cases. Anyway it's rather
> > problem in gui-daemon, independent of Fedora version.
> It may be nice to have a fallback handler for qubes-guid crashes, if the
> X architecture permits, that restarts the daemon and restores windows
> redirection to dom0. After the crash I could check programs were running
> inside the VM (via qvm-run) but no window could be seen in dom0. It was
> not a pleasant situation :/ A simple recovery-by-restart may help a lot
> with the user experience in such cases...

Actually this should be the case - restarting gui daemon should be
enough. And qvm-run (without --nogui) should automatically start gui
daemon if not running currently. What happened when you've tried? Any
error regarding gui daemon startup?

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJYOv0RAAoJENuP0xzK19csKrYH/3hBLL7t3Soy/mWh7NehdUDs
Wdweh7QIEjx7x2eF6JGxHTbfeBpj6tCqCjYebhfTfBAqblevsVBepyWqYLB/4W/F
CDK6qTWTiV6aqn22PX69rdpVT0eljT2MgMzzJDwApie8n+qzw1JYkkoLAU2I2ICn
jbXGXHIK60Pgd//YJKbk9/T0Uy6lRO3C00Imn3rj3ekQC2mmglSOivA9rkPwECQx
IvKao/RuRiV0AFNja6pOGL157GoA3hvKhMVj1MX18R5d9jMXKIKbIfA75d3ol+lD
bbJi5LsQkPMLLUM0ooZxbFQA1kN3jBYGWAjBlCKMBTnZGW0VsX6LVLQMuNlf3ac=
=pg11
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161127153441.GW1145%40mail-itl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Creating USB qube: PCI device in use by driver xenlight

[Pawel Debski]

Great, tx.

Wiadomość została wysłana przy pomocy AquaMail dla systemu Android
http://www.aqua-mail.com


Dnia 26 listopada 2016 23:29:39 Grzesiek Chodzicki 
 napisał(a):


W dniu sobota, 26 listopada 2016 19:52:39 UTC+1 użytkownik Pawel Debski 
napisał:
W dniu sobota, 26 listopada 2016 18:56:49 UTC+1 użytkownik Grzesiek 
Chodzicki napisał:
> W dniu sobota, 26 listopada 2016 18:53:26 UTC+1 użytkownik Pawel Debski 
napisał:

> > Folks,
> >
> > I'm trying to create a VM that will handle all USB devices that are or 
may be connected to the machine.

> >
> > 1. I have created a new AppVM based on fedora-24-full-sw template.
> >
> > 2. fedora-24-full-sw template is a copy of Fedora 24 template with all 
sorts of additional software installed, for example for Bluetooth handling, 
3G modem, finger print reader, camera, flash card reader and so on.

> >
> > 3. I have assigned an USB controller to the newly created AppVM and 
switched-off memory balancing in the options as recommended by the message 
on "Advanced" tab.

> >
> > 4. When I'm trying to start the VM I'm getting the following message:
> > "PCI device in use by driver xenlight"
> >
> > Please note that at the moment only one single USB bus is assigned to 
this VM.

> > Without any assigned devices this VM starts properly.
> >
> > What shall I do to make it work with USB bus?
> >
> > Best regards
> > PD
>
> put following command in dom0 terminal: qvm-prefs -s vmname 
pci_strictreset false


Tx Greg, that works.

Can we briefly discuss how much does it lower the security of the 
workstation. I mean: does it really allow to plug-in fabricated USB device 
to install keylogger to obtain credentials to highly sensitive applications 
running in other qube (say VaultVM).


What other potential attack scenaria does it open?
(assuming that one is interested only to protect VaultVM transient content)


If the device is assigned to one vm only at all times then it doesn't lower 
security afaik. PCI strict reset is used to reset the device's state when 
moving the device between machines. If the device is not moved between 
machines then it shouldn't matter.


--
You received this message because you are subscribed to a topic in the 
Google Groups "qubes-users" group.
To unsubscribe from this topic, visit 
https://groups.google.com/d/topic/qubes-users/livE9VYBvUI/unsubscribe.
To unsubscribe from this group and all its topics, send an email to 
qubes-users+unsubscr...@googlegroups.com.

To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c965fe62-57f0-4dc1-ad5a-ba3108df6b15%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/158a5a371f0.27bf.e8d9d2e9cd019a112d31c27ed70f495b%40econsulting.pl.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Unsolicited feedback on qubes-issue #2455

[Alex]

On 11/26/2016 11:59 PM, Marek Marczykowski-Górecki wrote:
> In addition to this, all automatic tests also passes, so basic
> things like DispVM, NetVM etc should work.
They do, for me too :) I just forgot to mention them :D

> 
>> Now for more unsolicited input, but trying to be as specific as I
>> can be - please note that I don't fully understand the working of
>> Qubes-GUID (I never studied it, until now :) - One AppVM with a lot
>> of installed software took a couple of tries to correctly start.
>> The first time the start failed with "qrexec daemon not running",
>> and in guid log I found a long list of "invalid PMaxSize for 
>> 0x201d (32767/32767)" and so on. Cannot reproduce this
>> problem.
> 
> This particular message shouldn't be a problem, probably the reason
> is somewhere else. Do you still have the last message of the log?
I'm sorry, but I was in a semi-hurry and did not keep the logs. My
plan-B was to restore everything from a backup in case the upgrade
produced some catastrophic situation, and since a mere VM reboot fixed
the situation, I did not keep the logs but only some fragments I deemed
important. My bad.

>> - Qubes-GUID crashed in one AppVM as soon as I started monodevelop
>> the first time. Cannot reproduce this problem either. Error in guid
>> log was:
> 
>> ErrorHandler: BadAccess (attempt to access private resource
>> denied) Major opcode: 130 (MIT-SHM) Minor opcode: 1 (X_ShmAttach) 
>> ResourceID:   0x254 Failed serial number:  3670 Current serial
>> number: 3671
> 
>> may be related to the fact that monodevelop shows and hides many
>> windows in rapid sequence when starting?
> 
> Yes, it may be. Very similar error (#2171) was already fixed some
> time ago, but apparently not all the cases. Anyway it's rather
> problem in gui-daemon, independent of Fedora version.
It may be nice to have a fallback handler for qubes-guid crashes, if the
X architecture permits, that restarts the daemon and restores windows
redirection to dom0. After the crash I could check programs were running
inside the VM (via qvm-run) but no window could be seen in dom0. It was
not a pleasant situation :/ A simple recovery-by-restart may help a lot
with the user experience in such cases...

-- 
Alex

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c9667aae-25d6-e28d-c78d-eac10ce12616%40gmx.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: 2/3 of VMs randomly lose network access; sys-net, sys-firewall, and others normal

[Me]

Andrew David Wong:
> A strange networking problem just started in the past day or so:
> 
> Every few hours, around 2/3 of my VMs will suddenly lose network
> access. I can still ping websites from sys-net and sys-firewall,
> and some VMs still have normal network access, even though all of
> them are using the same sys-firewall. (Other devices on my LAN are
> also fine.)
> 
> The weird part is, if I create a new, additional "sys-firewall1"
> ProxyVM and switch over one of the non-working VMs to it
> *without restarting* the non-working VM, network access gets
> successfully restored. So, the problem must be in sys-firewall
> or the AppVMs, I think.
> 
> I've tried basing sys-firewall on fedora-24 and fedora-24-minimal
> with the same results. Also double-checked NetVM assignments
> and firewall rules, of course.
> 
> Any ideas for logs or tools I should check to find out what's
> failing, or where it's failing?
> 
> -
> 
> I can't imagine what caused this problem to suddenly start,
> except maybe a dom0 or template update, so here are the packages
> I've updated in dom0 recently as part of normal qubes-dom0-update:
> 
> libsndfile
> sudo
> bind99-libs
> bind99-license
> ghostscript-core
> hswdata
> perf
> ntfs-3g
> ntfsprogs
> perl
> perl-libs
> perl-macros
> 
> And here are the packages I've updated in my fedora-24 template
> (again, as normal updates):
> 
> libicu
> libidn2
> gnome-abrt
> gnome-software
> libdmapsharing
> libmetalink
> lz4
> lz4-r131
> rpm
> rpm-build-libs
> rpm-libs
> rpm-plugin-selinux
> rpm-plugin-systemd-inhibit
> rpm-python
> rpm-python3
> 
> Any ideas?
> 
I had networking issues after downloading Fedora 24. I've ditched that
and gone back to Fedora 23 - all is well again >


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d0eed97d-610b-72ed-81db-6d9ff485fd97%40tutanota.com.
For more options, visit https://groups.google.com/d/optout.