[qubes-users] Re: Qubes 3.2 dnsmasq update?
On 2017-10-07 1:19 PM, Ron Hunter-Duvar wrote:
> Well, I did all this, and confirmed that the sys-* servicevms are all
> using Fedora 25, but it still has dnsmasq version 2.76. According to
> US-CERT, 2.78 is needed to get the vulnerability fixes. Which concerns
> me, given the length of time that the exploit code has been public.
> Surprises me too, since Debian had it out in a matter of hours.
>
> However, it's not running in any of these, nor in dom0. Should I just
> uninstall it?
>
> Thanks,
> Ron
>

It's weird, but it seems like every distro *but* Fedora has released an updated version or version with a backported fix. Even Red Hat Enterprise has done it.

I don't know what the hold up is, but it'll be a package with a backported fix and currently it's set to be 2.76.4 (or greater if more bugs are found).

https://bodhi.fedoraproject.org/updates/FEDORA-2017-515264ae24

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/orcae3%24jon%241%40blaine.gmane.org.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] HCL - Microsoft Surface Book with Performance Base R4.0 RC1
The steps to getting Qubes-OS R4.0 RC1 to run on the Surface Book are pretty simple. Not everything works, but it is a testing image. I also have read that the Nvidia dGPU isn't detected by any flavor of Linux. I believe that it is running through USB 3.0 to PCIe to the CPU. I will have to investigate this some more and see if I can figure anything out.

I had issues with the install media for a long time, and used 10 different USB drives to try to install R4.0 RC1 with the install failing at RPM unpacking the Fedora 25 template. I found out it was because of how I was creating the media. The only way I have successfully created the media was using Fedora and dd the Qubes-OS ISO to the drive. Using Rufus on Windows 10 with their version of dd would not work.

Step 1: Use Fedora to dd Qubes-OS R4.0 RC1 ISO to USB drive.

Step 2: Install Qubes-OS R4.0 RC1 as normal, with the GUI.

Step 3: When the install finishes, hit Ctrl+Alt+F2 to get to the terminal.

Step 4: Copy the /EFI/Qubes/ folder contents to a newly created /EFI/BOOT/ folder with "cd /mnt/sysimage/boot/efi/EFI && mkdir BOOT" then "cp ./Qubes/xen* ./BOOT" then "cp ./Qubes/vm* ./BOOT" then "cp ./Qubes/init* ./BOOT"

The Surface Book only likes to boot "*.efi" from /EFI/BOOT/ and not /EFI/*/ folders. I also like to leave the /EFI/Qubes directory intact, just in case I mess up the boot folder, then I can just copy everything over again and have the default files.

Step 5: Edit the xen.cfg file in /EFI/BOOT/ to remove the Xen boot parameter "iommu=no-igfx" and replace it with "iommu=on". This will be under the "options=" line for each kernel entry. You must edit all of the kernel entries "options=" line for this to work properly.

This will allow your machine to boot! Without doing this, you just get a boot loop where Xen starts to load and then you see the magical red top with an unlocked lock Surface splash screen after the screen goes black to start the boot process.

If you are lucky and the Qubes-OS installer correctly set up your NVME drive for booting, you should be good to go and able to boot Qubes-OS R4.0 RC1! If you are unlucky or need to add additional boot parameters to the EFI boot chain, then you will need a few more steps.

Extra steps need both Qubes-OS R4.0 RC1 and Qubes-OS R3.2 USB drives to be able to boot into the rescue mode and use efibootmgr. The efibootmgr in R4.0 RC1 does not like to play with the GPT formatted NVME drive I have, and registers the boot record as an MBR drive.

Step 6: Use Fedora to dd Qubes-OS R3.2 to a USB drive.

Step 7: Mount both Qubes-OS drives.

Step 8: Navigate to /EFI/BOOT/ on the Qubes-OS R3.2 USB drive and delete "xen.cfg" "xen.efi" "BOOTX64.efi"

I have not yet found a way to boot Qubes-OS R3.2 on the Surface Book, even though technically the hardware is compatible. The UEFI workarounds do not seem to work on Xen 4.6.x that Qubes-OS R3.2 uses. So we must use the Xen 4.8.1 version that Qubes-OS R4.0 RC1 uses.

Step 9: Navigate to /EFI/BOOT/ on the Qubes-OS R4.0 RC1 USB drive and copy "xen.cfg" "xen.efi" "BOOTX64.efi" to the Qubes-OS R3.2 USB drive in the /EFI/BOOT/ directory.

Step 10: Insert the edited Qubes-OS R3.2 USB drive into the Surface Book. Select the "Rescue Qubes" option, then press "e" to edit the boot chain. Go to the end of the second line of the boot chain and add "-- efi=attr=uc" and press Ctrl+X to boot with those options. There is a space between the '--' and 'efi=attr=uc'.

You will need an external USB keyboard to continue from this point! The keyboard on the base does not work in the Qubes-OS R3.2 installer.

Step 11: When the "Rescue Qubes" mode boots, you will have 4 options to choose from. Press "1" on the keyboard and hit "Enter". Then it will ask you for your encryption password, enter the password that you chose to encrypt your drive during the Qubes-OS install. It will take a minute or two, and then tell you that your system is mounted to /mnt/sysimage/. Hit "Enter" to get a shell.

If the prompt does not ask for your drive encryption password, and just says "Hit enter to continue to a shell" or something along those lines, then you need to reboot into the UEFI menu and delete the "Qubes" boot entry and follow steps 10 and 11 again.

Step 12: Change directories to the /EFI/BOOT/ directory and then use efibootmgr to create a new entry for Qubes-OS R4.0 RC1. The commands that I used to do this are:

"cd /mnt/sysimage/boot/efi/EFI/BOOT"
"efibootmgr -v"

The "efibootmgr -v" command is to make sure that no other Qubes boot entries are present. If they are present, note the number [ex: 0005 Qubes HD(1,MBR,0)] and then use the command "efibootmgr -b -B" to remove the entry. The is where you would put the boot entry number, like 0005 in the example I gave you.

If there are no Qubes boot entries, then use this command to create one.

"efibootmgr -v -c -u -L QubesOS -l /EFI/BOOT/xen.efi -d
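Steps 4 and 5 of the post above, as an added example that is not part of the original message: a POSIX shell script that stages the files into /EFI/BOOT/, rewrites every "options=" line of the copied xen.cfg, and checks that no kernel entry still carries iommu=no-igfx. The function names and the sample xen.cfg (kernel versions included) are constructed for illustration; run with no argument it works on that constructed sample, with one argument on the given EFI directory.

```shell
#!/bin/sh
# Added example (not from the original post): steps 4 and 5 as a script.
# Function names are hypothetical; the sample xen.cfg below is constructed.

# Step 4: copy xen*, vm* and init* from EFI/Qubes into EFI/BOOT, leaving
# EFI/Qubes untouched so the default files stay available.
stage_boot_dir() {
    efi_dir=$1
    [ -d "$efi_dir/Qubes" ] || { echo "missing $efi_dir/Qubes" >&2; return 1; }
    mkdir -p "$efi_dir/BOOT" || return 1
    for pat in 'xen*' 'vm*' 'init*'; do
        for f in "$efi_dir"/Qubes/$pat; do   # $pat unquoted so the glob expands
            [ -f "$f" ] || continue          # pattern matched nothing
            cp -- "$f" "$efi_dir/BOOT/" || return 1
        done
    done
}

# Number of "options=" lines that still carry iommu=no-igfx.
count_unfixed() {
    grep '^options=' "$1" | grep -c 'iommu=no-igfx' || true
}

# Step 5: replace iommu=no-igfx with iommu=on, on "options=" lines only,
# then fail loudly if any kernel entry was missed.
fix_xen_cfg() {
    cfg=$1
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    tmp="$cfg.new"
    sed '/^options=/ s/iommu=no-igfx/iommu=on/g' "$cfg" > "$tmp" || return 1
    mv -- "$tmp" "$cfg" || return 1
    left=$(count_unfixed "$cfg")
    [ "$left" -eq 0 ] || { echo "$left entries still unfixed" >&2; return 1; }
}

# Constructed EFI tree with two kernel entries; prints the EFI directory path.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/EFI/Qubes" || return 1
    cat > "$root/EFI/Qubes/xen.cfg" <<'EOF'
[global]
default=4.9.0-example

[4.9.0-example]
options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx
kernel=vmlinuz-4.9.0-example root=/dev/mapper/qubes_dom0-root rhgb quiet
ramdisk=initramfs-4.9.0-example.img

[4.4.0-example]
options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx
kernel=vmlinuz-4.4.0-example root=/dev/mapper/qubes_dom0-root rhgb quiet
ramdisk=initramfs-4.4.0-example.img
EOF
    for f in xen.efi vmlinuz-4.9.0-example initramfs-4.9.0-example.img; do
        : > "$root/EFI/Qubes/$f"
    done
    echo "$root/EFI"
}

main() {
    if [ $# -ge 1 ]; then efi=$1; else efi=$(make_sample) || return 1; fi
    stage_boot_dir "$efi" && fix_xen_cfg "$efi/BOOT/xen.cfg" || return 1
    grep '^options=' "$efi/BOOT/xen.cfg"   # show the rewritten lines
}
main "$@"
```

From the installer terminal in step 3, the directory to pass would be the one the post uses, /mnt/sysimage/boot/efi/EFI.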
[qubes-users] kswapd0 using 100% CPU with not even a MB swap in use
Hi,

so kswapd0 is using 100% CPU in one of my Qubes and this makes the fan spin and noisy… and that Qube is hardly using any swap at all:

$ free
              total        used        free      shared  buff/cache   available
Mem:        1888212      776484      640712       70296      471016     1031616
Swap:       1048572         716     1047856

So I ran "sudo swapoff -a" (and "sudo swapon -a") and now zero swap is used but kswapd0 is still busy swapping(?) and the fan is noisy and I wonder what to do…

Any hints / ideas? (I know I could shut down the VM and restart it but I hope there's a better solution / workaround.)

--
cheers,
Holger
[qubes-users] Re: Unable to uninstall or reinstall Whonix
> I looked at Arm again. It seems that Arm is working, but I don’t know the commands to edit the Tor configuration.
>
> Arm mentions a list of problems relating to Tor (http://imgur.com/XrJHKSK). It seems that I have relaying disabled, torrc differs from what Tor is using, there is insufficient uptime, Tor is preventing utilities like netstat and lsof from working, and no armrc is working. Unfortunately, I can’t figure out how to solve these problems.
>
> This is the link I found in the bottom of the Arm report: https://trac.torproject.org/projects/tor/ticket/3313. I’m not too sure what it means..
>

Forgive me, Person, but maybe you should be reinstalling at this point. You are asking for lots of help with all these problems; the people helping you probably have other things to do.

Try again from scratch and resist the urge to "customize." I used to break lots of installs that way, until I reined in that behavior. Don't proceed with customizations unless you are fully aware of the consequences.
[qubes-users] Audio in Debian VMs just disappeared?
For some reason the audio in all my Debian VMs has stopped working? AFAIK I haven't done anything other than regular updates. I didn't notice until recently so I am not sure about exactly when it started.

In the audio mixer window none of the Debian VMs are showing up.

I tried playing something in VLC and it gave the following errors:

https://privatebin.net/?f36509f33694a053#821JIyu4z/YqpQ61qGRYFP9Bspo7DAP8HmkPJCAk9Q8=

Also, another strange, maybe unrelated thing happened: I don't have nautilus in my Debian VMs any more, and I tried to reinstall it but got an error saying I had some missing dependencies?
Re: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?
On 10/07/2017 01:10 PM, frassefredk...@gmail.com wrote:
> Thank you for your response and for sharing your thoughts and experience from using Lenovo Thinkpads! I looked at the Hardware Compatibility List and looked at Thinkpads, most of the models did not seem to be for sale anymore.
>
>> Honestly I haven't seen any user using touchscreen with Qubes.
>> Just out of interest what is the use case for touch?
>> Regarding recommendation:
>> You haven't said which display size you need.
>
> The use case of touch is mainly for ergonomical reasons. I read and write a lot and it is better for my arms to scroll down the documents and highlight things using the touch instead of the keyboard and mouse. This is so important for me that I would pay more for a touchscreen even. But if I would be able to take notes on a Yoga from a conference, using the touch screen, then that would not be a bad thing either, but I don't expect that to work well with Qubes. Desired size of the screen is 14-16 inches.
>
> I should have been more clear about my question regarding the security of the Lenovo and if they can be trusted. I have read articles accusing Lenovo of planting backdoors in its hardware. My technical skills are currently on a hobbyist's level so I'm not always sure what to trust and not, wanted some input from others regarding this. But then I have also read this article (cited below) that sort of says that the likelihood of there being a backdoor planted by Lenovo is low. I just don't know what to believe in. Do you have any comments to this? :)
>
> "Lenovo hardware is reportedly banned from the US CIA, as well as the UK's MI5 and MI6, as well as the Australian Security Intelligence Organization (ASIO) and Secret Intelligence Service (ASIS). As of the time of writing, no evidence of any wrongdoing on the part of Lenovo has been presented by any of governments who have banned their hardware from use in intelligence services. On devices as open as computers, and especially with Lenovo's ThinkPad product line, which has been long venerated for being foremost among laptops designed with modularity in mind—featuring detailed disassembly manuals and readily available replacement parts—it is difficult to imagine that many opportunities exist to hide a hardware backdoor in a relatively open product. Combined with the fact that the vital components (processor, RAM, etc.) aren't made by Lenovo, there are few opportunities for Lenovo to introduce a hardware-level backdoor in a way that wouldn't be glaringly obvious to any engineer armed with a screwdriver."
>
> Source: http://www.techrepublic.com/blog/it-security/corporate-espionage-or-fearmongering-the-facts-about-hardware-level-backdoors/

"...glaringly obvious to any engineer armed with a screwdriver." That's the most unbelievably naive view of security I can remember reading. I bet the author's password is "pa33w0rd", and it's secure because no one would guess some letters were switched with numbers.

https://thehackernews.com/2015/09/lenovo-laptop-virus.html

Note: (1) confirmed, (2) 3 times, (3) one of them was BIOS-embedded.

https://thehackernews.com/2015/08/lenovo-rootkit-malware.html

Ron
Re: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?
On 10/07/2017 09:42 AM, Frasse F wrote:
> I would like some purchasing advice: I'm looking for a laptop that is reasonably secure and also has a built in touch screen. I would prefer if it had 16 GB of ram as I want to run Qubes OS and I want to sometimes be able to run a Windows App-VM for dictation and speech recognition which is processed locally (I do a lot of writing and I also care about security/privacy).
> ...
> My second alternative is to buy a non purism laptop which has both a touchscreen, enough RAM and is fairly secure. So my second alternative that I'm considering would be the Lenovo 520 Yoga. https://www.dustin.se/product/5011033265/yoga-520-touch . The model is running the Intel® Core™ i5-7200U Processor. According to the specification page on Intel's website, this processor does not have the vPro technology. https://ark.intel.com/products/95443/Intel-Core-i5-7200U-Processor-3M-Cache-up-to-3_10-GHz
>
> These are my questions
> 1) Is there anything except for the AMT/vPro aspect of the hardware security that I might have overlooked that is critical when evaluating the Lenovo Yoga's safety?
> 2) Should one in general be sceptic towards Lenovo even when they are using hardware from other manufacturers?

Personally, I avoid Lenovo like the plague since they became Chinese-owned. Yes, I know pretty much all the hardware is manufactured in China now anyway, but having the senior company management controlled by the Chinese government adds a whole 'nother layer of vulnerabilities.

My suspicions were confirmed when they were caught pre-installing spyware on them. Of course, that was only Windows, and they were forced to remove it, and claimed it was only intended for Chinese customers. But to me it shows their intent, and there are many other ways they can embed spyware (BIOS/UEFI, other firmware) that would affect Linux too, and wouldn't be so easily removed.

Call me paranoid (because I am), but that's my opinion. I typically go with Dell, although their quality has gone down in recent years, and I can't comment on Qubes-specific issues, or your particular requirements.

> 3) are there a Qubes user out there who are already using a laptop with touch screen and enough ram, running Qubes? What laptop model are you using and would you recommend it?

Ron
Re: [qubes-users] Qubes 3.2 dnsmasq update?
On 10/06/2017 09:04 PM, Ron Hunter-Duvar wrote:
> On October 6, 2017 5:05:49 PM MDT, Unman wrote:
>> On Thu, Oct 05, 2017 at 12:41:32PM -0600, Ron Hunter-Duvar wrote:
>>> ...
>> The install disk still contains fed23 templates and you're expected to update as soon as you have installed.
>> To install a new template all you have to do is:
>> sudo qubes-dom0-update qubes-template-fedora-25
>
> Thanks for the tip. I don't remember seeing it in the getting started material I read. Doing it now.
>
>> This will install the template and you can then just switch your serviceVMs - either using Qubes Manager, or by:
>> 'qvm-prefs -s template '.
> ...

Well, I did all this, and confirmed that the sys-* servicevms are all using Fedora 25, but it still has dnsmasq version 2.76. According to US-CERT, 2.78 is needed to get the vulnerability fixes. Which concerns me, given the length of time that the exploit code has been public. Surprises me too, since Debian had it out in a matter of hours.

However, it's not running in any of these, nor in dom0. Should I just uninstall it?

Thanks,
Ron
Re: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?
Thank you for your response and for sharing your thoughts and experience from using Lenovo Thinkpads! I looked at the Hardware Compatibility List and looked at Thinkpads, most of the models did not seem to be for sale anymore.

> Honestly I haven't seen any user using touchscreen with Qubes.
> Just out of interest what is the use case for touch?
> Regarding recommendation:
> You haven't said which display size you need.
>

The use case of touch is mainly for ergonomical reasons. I read and write a lot and it is better for my arms to scroll down the documents and highlight things using the touch instead of the keyboard and mouse. This is so important for me that I would pay more for a touchscreen even. But if I would be able to take notes on a Yoga from a conference, using the touch screen, then that would not be a bad thing either, but I don't expect that to work well with Qubes. Desired size of the screen is 14-16 inches.

I should have been more clear about my question regarding the security of the Lenovo and if they can be trusted. I have read articles accusing Lenovo of planting backdoors in its hardware. My technical skills are currently on a hobbyist's level so I'm not always sure what to trust and not, wanted some input from others regarding this. But then I have also read this article (cited below) that sort of says that the likelihood of there being a backdoor planted by Lenovo is low. I just don't know what to believe in. Do you have any comments to this? :)

"Lenovo hardware is reportedly banned from the US CIA, as well as the UK's MI5 and MI6, as well as the Australian Security Intelligence Organization (ASIO) and Secret Intelligence Service (ASIS). As of the time of writing, no evidence of any wrongdoing on the part of Lenovo has been presented by any of governments who have banned their hardware from use in intelligence services. On devices as open as computers, and especially with Lenovo's ThinkPad product line, which has been long venerated for being foremost among laptops designed with modularity in mind—featuring detailed disassembly manuals and readily available replacement parts—it is difficult to imagine that many opportunities exist to hide a hardware backdoor in a relatively open product. Combined with the fact that the vital components (processor, RAM, etc.) aren't made by Lenovo, there are few opportunities for Lenovo to introduce a hardware-level backdoor in a way that wouldn't be glaringly obvious to any engineer armed with a screwdriver."

Source: http://www.techrepublic.com/blog/it-security/corporate-espionage-or-fearmongering-the-facts-about-hardware-level-backdoors/
Re: [qubes-users] Re: Possible to add second interface to sys-firewall?
On 10/06/2017 01:41 PM, Ed wrote:
> On 10/06/2017 03:14 PM, Mike Keehan wrote:
>> On Fri, 6 Oct 2017 12:17:26 -0400 Ed wrote:
>>> On 10/06/2017 12:10 PM, Mike Keehan wrote:
>>>> Wouldn't it be possible to add a second Firewall VM to be used solely by your special single vm?
>>>
>>> Yes I believe this would def work, and also should be automatic/reliable across reboots, but I was really hoping to not give up 2-4GB of RAM just for this purpose.
>>
>> I think you will find that the firewall VM runs OK in just 500Mb, maybe less. Search the mail list for "vm memory" - there have been a number of discussions about how much is actually used by the system VMs. (I can't remember the details off hand, or I would give more info!)
>>
>> It is worth knowing that although a VM is initially set up with a 4Gb memory allocation, it only uses what it needs. The rest is still available to the other qubes etc.
>>
>> Mike.
>
> You know that's not a bad point. I never really looked into reducing the memory allotment. I just know anecdotally on my systems the firewall vm's use 2-3GB (when left with the default max of 4GB). I also know they will run on less if I'm pushing a system out of memory but I never thought to just restrict them to less to start.
>
> I'm not really strapped for memory on the machine I'm working with here so it does look like adding an additional firewall VM would be the easiest way to get what I want, it just seemed a tad wasteful to me, but perfect is the enemy of good
>
> Appreciate the input!

IMO, it's best to leave memory management to the OS until such time as a definite problem is found (which would most likely show up as swapping, which would cause massive performance problems).

I suspect you'd find if you looked closely at the vm that most of the memory used is for caching. That's a good thing. No point having memory sit unused and forcing it to keep downloading the same files. The moment the cache is needed for something else, it'll be reallocated.

Ron
AW: [qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?
Hello,

>> These are my questions
>> 1) Is there anything except for the AMT/vPro
>> aspect of the hardware security that I might
>> have overlooked that is critical when
>> evaluating the Lenovo Yogas safety?

If talking about hardware security I would suggest looking into a device which can run coreboot.

>> 2) Should one in general be sceptic towards
>> Lenovo even when they are using hardware
>> from other manufacturers?

The good thing with Lenovo/Thinkpad is that lots of devices have good Linux support. And you get 'older' devices which run smoothly under Qubes after adding an SSD and more RAM. You can also get docking stations very cheaply. I've been using Thinkpads for years and would definitely recommend them.

>> 3) are there a Qubes user out there who are
>> already using a laptop with touch screen and
>> enough ram, running Qubes? What laptop
>> model are you using and would you
>> recommend it?

Honestly I haven't seen any user using touchscreen with Qubes. Just out of interest what is the use case for touch?

Regarding recommendation: You haven't said which display size you need. Leaving touch functionality out, I would recommend an x230 with 16 GB RAM, LTE, SSD and fresh battery -> 10-11h battery runtime.

[799]
[qubes-users] Reasonably secure laptop with touchscreen and enough ram for dictation in Windows App-VM?
I would like some purchasing advice: I'm looking for a laptop that is reasonably secure and also has a built in touch screen. I would prefer if it had 16 GB of ram as I want to run Qubes OS and I want to sometimes be able to run a Windows App-VM for dictation and speech recognition which is processed locally (I do a lot of writing and I also care about security/privacy).

The dream would be to run one of Purism's Librem 13 and 15 laptops, however they do not have a touch screen. Purism are planning to release a Librem 11 laptop (with a touchscreen) but it will only have 8 GB of RAM and cannot be upgraded. I think this is not enough for my needs. That's why I'm looking for an alternative laptop.

I read on Purism's website that having a processor without AMT or in Intel's case what they call "vPro" is important to avoid possible hardware backdoors. https://puri.sm/learn/avoiding-intel-amt/

My second alternative is to buy a non purism laptop which has both a touchscreen, enough RAM and is fairly secure. So my second alternative that I'm considering would be the Lenovo 520 Yoga. https://www.dustin.se/product/5011033265/yoga-520-touch . The model is running the Intel® Core™ i5-7200U Processor. According to the specification page on Intel's website, this processor does not have the vPro technology. https://ark.intel.com/products/95443/Intel-Core-i5-7200U-Processor-3M-Cache-up-to-3_10-GHz

These are my questions

1) Is there anything except for the AMT/vPro aspect of the hardware security that I might have overlooked that is critical when evaluating the Lenovo Yoga's safety?

2) Should one in general be sceptic towards Lenovo even when they are using hardware from other manufacturers?

3) are there a Qubes user out there who are already using a laptop with touch screen and enough ram, running Qubes? What laptop model are you using and would you recommend it?