Re: [qubes-users] Firewall rules for Thunderbird and Gmail
On 02/13/2018 06:39 AM, Demi Obenour wrote: > What websites and ports do I need to whitelist if I want to enable use > Thunderbird with GMail and Google Calendar? I am using the Google > Calendar add-on. > To actually answer the question, this Google support page has what you need to know: https://support.google.com/a/answer/60764?hl=en Regards, Robert -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/95c26ec0-6735-24fe-1068-4fb587f73504%40fastmail.fm. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] High spec laptop for Qubes OS
On Sun, February 25, 2018 1:52 am, taii...@gmx.com wrote: > You can't pass through a > laptop GPU like that as both the iGPU and dGPU considered a primary video > adapters - you would have to purchase an eGPU if you want a GPU in a VM > and you also need a secondary usb controller, monitor, audio device etc. If you plan on passthrough, the GTX laptops should be removed from the list. Nvidia intentionally cripples their drivers to force you to purchase their more expensive/even higher profit margin products if you want passthrough. Taiidan, I thought the main problem with passthrough on laptops was that they didn't have a hardware switch to toggle which card is driving the (built in) monitor? Since the OP is just planning on using it for CUDA and wouldn't require video out, couldn't it work? Dell does sell some models of laptops with a partially neutered ME. Purism and System76 do as well. You might want to pose that passthrough question to Dell tech. support and if they can't answer it, see if you can return whichever laptop you select if it's unfit for purpose and try another. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b0abe18c17609ff76b7eee7efce33c73.squirrel%40tt3j2x4k5ycaa5zt.onion. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Can't install Qubes, Rebooting after loading initrd.img
воскресенье, 25 февраля 2018 г., 2:33:03 UTC+3 пользователь awokd написал: > On Sat, February 24, 2018 11:13 pm, Daniil .Travnikov wrote: > > Possibly; without logs it's hard to say. Try an old AMD video card. I tried on my old computer: AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ (https://prnt.sc/ijgeed) Motherboard: M3N78-VM (https://www.asus.com/Motherboards/M3N78VM/) But I got this message when I try to install after Grub menu: https://prnt.sc/ijgdty Actually on my friend's computer (https://prnt.sc/ijgf59) was been the same message, but he has definitely enable Virtualization, because he has VirtualBox and VmWare with Windows and even MacOS systems. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/96fc76ab-9f96-47fe-9b59-df8efe8f4863%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Intel SGX and Spectre
I found the following humourous: "there is no credible engineering rationale to support the contention that SGX enclaves will provide confidentiality guarantees in the face of these new micro-architectural cache probing attacks." https://idfusionllc.com/2018/01/25/sgx-after-spectre-and-meltdown-status-analysis-and-remediations/ And in a post here from June 28, 2016: "VM CPU mapping - countermeasurements against covert channels via cpu caches?" "With SGX, the memory is encrypted so that it cannot be "read", however, the CPU still does calculations of an SGX enclave the same way as without them which creates the opportunity for the very same covert channels to form." https://mail-archive.com/qubes-users@googlegroups.com/msg01200.html -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8b7bc8580b77b7b41096f49ccbd6e658.squirrel%40tt3j2x4k5ycaa5zt.onion. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] High spec laptop for Qubes OS
On Sun, 25 Feb 2018 01:11:16 + a...@adammccarthy.co.uk wrote: > > > I'm going to buy a new laptop with a higher spec which should > hopefully handle things well. The following laptops are my final five > contenders. They all have a discrete GPU, which I'm hoping to > passthrough to a VM for playing streaming video (h264/h265/vp9 > codecs). > > I get the impression from the HCL that they should all work fine as > long as I replace any non-Intel wifi m.2 sticks with an Intel 8265. > Do you have any thoughts on whether one would be more appropriate > than another? > > Dell XPS 15 9560 (2017) > Intel i7-7700HQ Quad Core > 32GB RAM > 512GB M.2 NVMe > Intel + NVIDIA GTX 1050 > > Dell XPS 15 2018 > Intel i7-8705G Quad Core > 32GB RAM > 512GB M.2 NVMe > Intel + Radeon RX Vega M GL > > Dell Precision 5520 > Intel Xeon E3-1505M v6 Quad Core > 32GB RAM > 512GB M.2 NVMe > Intel + Nvidia Quadro M1200 > > Lenovo P51 > Intel Xeon E3-1505M v6 Quad Core > 32GB RAM > 512GB M.2 NVMe > Intel + NVIDIA Quadro M2200 > > Razer Blade > Intel i7-7700HQ Quad Core > 16GB RAM > 512GB M.2 NVMe > Intel + NVIDIA GTX 1060 > Hi Adam, I use the Dell XPS 15 9560 (2017) which works well, but the Nvidia chip does not work with the nouveau driver at all (yet - might do in future). I have not tried using Nvidia's own driver. My screen is 1920x1080, and handles HD video OK but with the occasional slight tear. CPU use runs to about 30% avg on a HD video. Best of luck, Mike. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180225112852.1d39ed90.mike%40keehan.net. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Can't install Qubes, Rebooting after loading initrd.img
воскресенье, 25 февраля 2018 г., 2:33:03 UTC+3 пользователь awokd написал: > On Sat, February 24, 2018 11:13 pm, Daniil .Travnikov wrote: > > > Let's take this off-list. We can update the list if we figure it out. > > Your AMD system is probably too old to support the features Qubes needs. > My suggestion was to use a video card from AMD in your Intel system, not > an AMD CPU (although newer AMD CPUs should work with Qubes too.) > > Again, let's work on getting your Qubes R3.2 working with the newer kernel > before worrying about R4.0. > > In R3.2, have you tried to boot with i915.alpha_support=1 added to the > command line per https://www.qubes-os.org/doc/intel-igfx-troubleshooting/ > ? What happened? > > What about iommu=no-igfx? > > Have you tried adding both at the same time? there a cheap way to solve > this problem? > I took from my friend his Asus EN210 SILENT/DI/1GD3/V2(LP) - https://www.asus.com/Graphics-Cards/EN210_SILENTDI1GD3V2LP/ if it's can help for test. I tried i915.alpha_support=1 and iommu=no-igfx one by one and both at the same time, nothing was changed :( -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cbf5cd89-bc78-46c0-9015-35e601991ca8%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Can't install Qubes, Rebooting after loading initrd.img
One more thing. When i started again today my usual working way: Xen 4.6.6 Linux 4.4.14-11.pvops.qubes.x86_64 I could imprint one error: https://prnt.sc/ijhwya Is there a connection between my current problem and this error? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fb83753e-198c-496f-82c1-1ab49295b563%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Can't install Qubes, Rebooting after loading initrd.img
On Sun, February 25, 2018 1:10 pm, Daniil .Travnikov wrote: > I took from my friend his Asus EN210 SILENT/DI/1GD3/V2(LP) - > https://www.asus.com/Graphics-Cards/EN210_SILENTDI1GD3V2LP/ if it's can > help for test. > > > I tried i915.alpha_support=1 and iommu=no-igfx one by one and both at the > same time, nothing was changed :( I don't mind trying to help you, but it is important that you understand what I say. 1. Let's take this off list. That means email me directly, so we don't spam everybody. 2. That is not an AMD video card, but you can try it and see if it helps. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a7033849d15c95ab23331989ad9d3855.squirrel%40tt3j2x4k5ycaa5zt.onion. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Cannot assign USB radio peripheral with qvm-usb
On Tuesday, December 5, 2017 at 12:31:29 AM UTC+1, Paul Mosier wrote: > On Monday, December 4, 2017 at 8:39:48 AM UTC-5, awokd wrote: > > Can't help with that specific issue but as a workaround you can assign one > > of your USB controllers directly to the AppVM. Look under "Finding the > > right USB controller" in here > > https://www.qubes-os.org/doc/assigning-devices/ . > > Would love to, but there is only one USB controller on this laptop. It kinda > defeats the purpose to reassign the whole thing. Hi Paul, Did you found a better solution? I'm basically having the same problem right now. -N -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9986c876-6f8c-4102-a9e7-5774fa18e4c9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Can't install Qubes, Rebooting after loading initrd.img
On Sunday, February 25, 2018 at 12:08:37 AM UTC+1, Daniil .Travnikov wrote: > суббота, 24 февраля 2018 г., 3:52:11 UTC+3 пользователь Yuraeitha написал: > > On Friday, February 23, 2018 at 8:35:00 PM UTC+1, Daniil .Travnikov wrote: > > > пятница, 23 февраля 2018 г., 14:07:38 UTC+3 пользователь awokd написал: > > > > On Fri, February 23, 2018 10:46 am, Daniil .Travnikov wrote: > > Thank you for sharing your experience! > > > Since you have trouble getting the installer to work and install Qubes, you > > may not be able to do this fix on your local hardware. You may have to pull > > out the drive, put it in another computer and install Qubes there. Update > > everything, and then make sure you put sys-net and sys-usb in PV mode with > > the "qvm-prefs virt_mode" command in dom0. > > > > Now because sys-net and sys-usb are in PV mode, it may be able to bypass > > the missing I/O MMU issue, which as far as I understand it is related to > > PCI pass-through. That's why you want sys-net, sys-usb and any other > > hardware that is pass-through to be using PV mode. > > > > This isn't a beautiful fix, but it may just work. It's not the first time > > I've fixed a Qubes 4 install with this approach, however, I have not yet > > tried it on this server hardware, which like yours is missing I/O MMU. I > > believe it might work, but it might also not work. While installing on > > another machine has in the past worked, I never tried to use it to change > > sys-net and sys-usb to PV mode before putting it back. > > I installed one of my drives on a friend's computer today and after > installation process I got this on his computer: > https://prnt.sc/ijbfjq > > You can see, that I have not any NetVM, actually at the and of installation > process was been some error, I can repeat tomorrow all installation process > for screenshots if it helps to understand. > > > When I put "qvm-prefs virt_mode" command in dom0 I got this: > https://prnt.sc/ijbgmd > > I think that I am missing something, could you please clarify what I must > exactly put here? > > > One more think, even I have not NetVM, I tried to boot this disk on My > computer, but all what I got was been Grub menu: > http://prntscr.com/ijbhrf > > First and third gave reboot, second just show some error about "first boot > must kernel" (or something like that) without reboot. ah, yes you need to change how you write that command, it's not qvm-block, but qvm-prefs. This may be important in order to fix your missing networking, as it's evident on your screenshot. So you can write "qvm-prefs sys-net virt_mode" in dom0 terminal, and it will print out which virt mode your network VM is using. It's currently either PV, HVM or PVH (security in that order, from worst to best). But hardware compatibility suffers as you increase security, that's why you need to lower it. PV mode is the lowest, however, it is not lower in security in comparison to Qubes 3.2. which entirely uses PV mode. Therefore it's not such a bad thing to start on, to get things working, and then later consider the HVM/PVH implications once you get it all running. I can see you have no sys-usb, so (for now) just ignore this isolation aspect and re-visit it later when you got other issues sorted out. For verification, do in dom0: qvm-prefs sys-net virt_mode To change virt mode, do in dom0: qvm-prefs sys-net virt_mode pv - Now try manually start up sys-net, is it starting? - If it's not starting, try start or create and start a VM which has no networking, does this start in PVH/HVM/PV? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c2189c72-2646-4336-87f3-86a06f42a8f5%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: How to add "nouveau.modeset=0" to boot settings in Qubes 4.x? (ASUS ROG GL552VW-DM141 laptop)
On Friday, February 23, 2018 at 9:29:55 PM UTC+1, Yuraeitha wrote: > On Friday, February 23, 2018 at 12:10:03 AM UTC+1, @LeeteqXV wrote: > > Hi all. I initially thought to save some time and cleared a reply > > to an existing thread to do a new post, but that did not work. > > Sorry about the wrong post. Reposting it here now. Thanks for the > > reply and pointing it out, Yuraeitha. > > > > See my reply + follow-up question at the bottom, below the quoted > > posts: > > > > > > > > ## > > > > My original post, incl. a reply by "Yuraeitha" below..: > > > > > > > > > > > > "I am considering Qubes 4.x for an ASUS ROG GL552VW-DM141 laptop > > with NVIDIA graphics and built-in/onboard "fallback" Intel > > graphics. > > > > > > > > > > In order to get for example Ubuntu Mate installed onto it, to get > > past the installer incompatibilities with NVidia, it is necessary > > to edit the boot menu and add "nouveau.modeset=0" to the startup > > command. Then Ubuntu boots fine. > > > > > > > > > > Can this be done with Qubes 4.x? > > > > > > How/where to affect such boot commands; can that be done from the > > boot media/USB stick directly, as we do with other Linux live USB > > sticks? > > > > > > > > > > Thanks, > > " > > > > > > -- > > https://mastodon.technology/@LeeteqXV/ > > > > ### > > > > Reply from "Yuraeitha" on Feb. 19th..: > > > > > > > > > > > > > > > > > > > > > > > > - show > > quoted text - > > > > > > "@LeeteqXV > > > > It's probably best you start a new thread, this thread is > > about a whole different issue altogether. > > > > But since this is an old thread, I'll briefly answer > > you. > > > > This what you seek, directing a GPU directly into an > > AppVM, or any other work arounds, can currently be done in > > Qubes 3.2. nor Qubes 4.0. > > > > However, it is planned for Qubes 4.1, which may reach > > release. Just don't get hyped yet, things can change, 4.0. > > is barely finished and 4.1. is currently only on the > > drawing board. Look here for quick information about 4.1. > > https://github.com/rootkovska/qubes-roadmap you > > can see the GTX passthrough ability on the map. > > > > Also, you don't really need Ubuntu for these kind of > > things, it can easily be fixed up in both Debian and > > Fedora. You can use Intel graphics just fine for 4k > > videos, you don't need nvidia for stuff like that on > > modern motherboard/CPU systems. You may need powerful > > graphic cards for gaming and high end graphics, but this > > too isn't possible, at least before Qubes 4.1. anyway. If > > you didn't need these in Qubes 4, then it will likely make > > no difference to you to use Intel graphics. Also Qubes > > dom0 frequently has nvidia graphic issues and may require > > a full properitary driver download/install, with a manual > > install. > > > > To get a bit back on-topic, it saves you whole lot of > > hassle if you get adjusted to not be depending too much on > > Ubuntu and others that give everything on a silverplate. > > Although DVM protected content is never stable regardless > > of the Linux distribution, unless you download the Google > > Chrome browser from Google (Not Chromium), which usually > > always have working DVM videos in any Linux. Issue being, > > that Firefox and others, often loose the ability to play > > the video, especially Microsoft silverlight videos, which > > the work-arounds frequently break. > > > > Essentially you can play the codecs fine, HTML5 is for > > example extremely easy to install in Fedora through > > enabling the RPMFusion repositories, which can easily be > > done in Qubes fedora template (best make a copy first). > > But it does not include HTML5-DVM. > > > > Essentially, DVM is so messed up, you ma/y just want to > > download the Google Browser specifically for these videos, > > and just be done with the crapware copyright protectors > > throw at us. It's not like they care about Linux anyway, > > so why would changing to Ubuntu make any difference? > > Ubunt
Re: [qubes-users] Cannot assign USB radio peripheral with qvm-usb
On Tuesday, December 5, 2017 at 12:31:29 AM UTC+1, Paul Mosier wrote: > On Monday, December 4, 2017 at 8:39:48 AM UTC-5, awokd wrote: > > Can't help with that specific issue but as a workaround you can assign one > > of your USB controllers directly to the AppVM. Look under "Finding the > > right USB controller" in here > > https://www.qubes-os.org/doc/assigning-devices/ . > > Would love to, but there is only one USB controller on this laptop. It kinda > defeats the purpose to reassign the whole thing. qvm-usb isn't perfect 1:1 USB translation, so some kinds of device standards and devices types, may not work. For example I've tried getting a Yubi key to work on it recently, and it did not work. Many (all I tested) USB thumb drives, external drives, USB keyboards, USB mouses, and what else of these common devices, seems to work smooth with qvm-usb, without fail and appears reliable. However more exotic devices, such as your USB device, or other exotic devices such as Yubi key, seems not to work with the current state of qvm-usb. I'm aware it's not a beautiful or flexible fix to pass an USB controller directly to a VM. But it may end up being the only viable solution, so it's not out of the question to discuss it early too before reaching a conclusion on getting the qvm-usb to work properly, especially considering direct USB pass-through is easy, assuming hardware support is sufficient. Does your USB controller support PCI reset? If it does, then you won't have to do a full system restart (or bypass security with a few commands (not recommended practice) to switch the USB controller from one AppVM to another. Limitations to consider: - Can only run one VM with the controller at any one time. - The need to restart the VM in order to get USB on an already running VM. - Lacking PCI reset makes it a whole lot more troublesome and cumber-stone. - Must be in HVM or PV "qvm-prefs src-vm virt_mode" to work, PVH won't work. If you have USB PCI reset support, then only having one USB controller might not be so bad as it seems. However, it still isn't as nice as using qvm-usb. PCI reset sensitivity can also be adjusted so that it won't reject PCI cards without PCI reset support, however, it's adding one extra attack vector to your system through USB attacks. You could write a small script to turn off sys-usb (assuming no VMs are tied to it, i.e. for USB tethering internet purposes), which then starts your VM that requires your exotic USB device, and keep using sys-usb for common devices. For example, write a very simple but effective script like this; qvm-shutdown sys-usb wait qvm-start AppVM (the one with exotic USB). wait Have another script which reverses it, by shutting down your exotic USB AppVM, and restarts your sys-usb VM. You can put a XFCE4 Launcher (or use Whisker menu's) which both are pre-installed Qubes 4 plugin (Qubes 3.2. only has the Launcher pre-installed). Pick a random icon to add to either the launcher or the whisker menu, and right click on the launcher itself (or the icon in whisker menu), and click properties for launcher or edit icon for Whisker menu. >From here, both are really similar. It doesn't matter which icon you use, as >long it's an icon you dont plan on using. Whisker menu will replace the icon >you change, however Launcher is more powerful because it doesn't actually >affect the original icon by the changes you make to any icons inside the >Launcher configurations. So if using Launcher (which you can add multiple of, and with the right icons, youcan make it look really stylish too, like the kind of stylish look Apple dock has (I do by no means like Apple products, though one should be objective fair to the aspects they did well). This is quickly and easily done without even installing anything on Qubes. So, now you can add any scripts or any commands you like, to the launcher, change the icons and names, organize it in whatever way you like, there is litterelly no limit. In there, you can put a launcher for special scripts, such as the one switching between sys-usb and AppVM-(with-exotic-USB-use-cases). Essentially by making such a script, you can not only easily make an icon out of it, you can also easily keybind the script too, as well as backup the script for future re-installs of Qubes (be sure to audit the script before moving it out/in of dom0 for security reasons). This is a potential way you can work around the issue, it's not all round fix, but it may be practical enough, depending on your needs. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d0ce3dbd-2b71-4334-b2d4-501aa1cfadff%40googleg
Re: [qubes-users] Cannot assign USB radio peripheral with qvm-usb
On Tuesday, December 5, 2017 at 12:31:29 AM UTC+1, Paul Mosier wrote: > On Monday, December 4, 2017 at 8:39:48 AM UTC-5, awokd wrote: > > Can't help with that specific issue but as a workaround you can assign one > > of your USB controllers directly to the AppVM. Look under "Finding the > > right USB controller" in here > > https://www.qubes-os.org/doc/assigning-devices/ . > > Would love to, but there is only one USB controller on this laptop. It kinda > defeats the purpose to reassign the whole thing. Apologies, I used "icon" and "shortcut" interchangeably, mixing the use-cases together, making it hard to tell when I speak of one or the other. In order not to misunderstand what I said, please be mindful of this mistake when reading my post. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/01c9039e-9d99-4e59-87d1-c270fec7555a%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: How to add "nouveau.modeset=0" to boot settings in Qubes 4.x? (ASUS ROG GL552VW-DM141 laptop)
On Sunday, February 25, 2018 at 9:56:12 PM UTC+1, @LeeteqXV wrote: > On Friday, February 23, 2018 at 9:29:55 PM UTC+1, Yuraeitha wrote: > > On Friday, February 23, 2018 at 12:10:03 AM UTC+1, @LeeteqXV wrote: > > > Hi all. I initially thought to save some time and cleared a reply > > > to an existing thread to do a new post, but that did not work. > > > Sorry about the wrong post. Reposting it here now. Thanks for the > > > reply and pointing it out, Yuraeitha. > > > > > > See my reply + follow-up question at the bottom, below the quoted > > > posts: > > > > > > > > > > > > ## > > > > > > My original post, incl. a reply by "Yuraeitha" below..: > > > > > > > > > > > > > > > > > > "I am considering Qubes 4.x for an ASUS ROG GL552VW-DM141 laptop > > > with NVIDIA graphics and built-in/onboard "fallback" Intel > > > graphics. > > > > > > > > > > > > > > > In order to get for example Ubuntu Mate installed onto it, to get > > > past the installer incompatibilities with NVidia, it is necessary > > > to edit the boot menu and add "nouveau.modeset=0" to the startup > > > command. Then Ubuntu boots fine. > > > > > > > > > > > > > > > Can this be done with Qubes 4.x? > > > > > > > > > How/where to affect such boot commands; can that be done from the > > > boot media/USB stick directly, as we do with other Linux live USB > > > sticks? > > > > > > > > > > > > > > > Thanks, > > > " > > > > > > > > > -- > > > https://mastodon.technology/@LeeteqXV/ > > > > > > ### > > > > > > Reply from "Yuraeitha" on Feb. 19th..: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > - show > > > quoted text - > > > > > > > > > "@LeeteqXV > > > > > > It's probably best you start a new thread, this thread is > > > about a whole different issue altogether. > > > > > > But since this is an old thread, I'll briefly answer > > > you. > > > > > > This what you seek, directing a GPU directly into an > > > AppVM, or any other work arounds, can currently be done in > > > Qubes 3.2. nor Qubes 4.0. > > > > > > However, it is planned for Qubes 4.1, which may reach > > > release. Just don't get hyped yet, things can change, 4.0. > > > is barely finished and 4.1. is currently only on the > > > drawing board. Look here for quick information about 4.1. > > > https://github.com/rootkovska/qubes-roadmap you > > > can see the GTX passthrough ability on the map. > > > > > > Also, you don't really need Ubuntu for these kind of > > > things, it can easily be fixed up in both Debian and > > > Fedora. You can use Intel graphics just fine for 4k > > > videos, you don't need nvidia for stuff like that on > > > modern motherboard/CPU systems. You may need powerful > > > graphic cards for gaming and high end graphics, but this > > > too isn't possible, at least before Qubes 4.1. anyway. If > > > you didn't need these in Qubes 4, then it will likely make > > > no difference to you to use Intel graphics. Also Qubes > > > dom0 frequently has nvidia graphic issues and may require > > > a full properitary driver download/install, with a manual > > > install. > > > > > > To get a bit back on-topic, it saves you whole lot of > > > hassle if you get adjusted to not be depending too much on > > > Ubuntu and others that give everything on a silverplate. > > > Although DVM protected content is never stable regardless > > > of the Linux distribution, unless you download the Google > > > Chrome browser from Google (Not Chromium), which usually > > > always have working DVM videos in any Linux. Issue being, > > > that Firefox and others, often loose the ability to play > > > the video, especially Microsoft silverlight videos, which > > > the work-arounds frequently break. > > > > > > Essentially you can play the codecs fine, HTML5 is for > > > example extremely easy to install in Fedora through > > > enabling the RPMFusion repositories, which can easily be > > > done in Qubes fedora template (best make a copy first). > > > But it does not include HTML5-DVM. > > > > > > Essentially, DVM is so messed up, you ma/y just want to > > >
Re: [qubes-users] Intel SGX and Spectre
SGX is a DRM anti-feature mechanism that prevents people from inspecting what runs on their own computer and it enables malware that is immune to antivirus programs because it runs in an ME enclave. https://software.intel.com/en-us/sgx/details "Hardening DRM for enhanced high definition, 4K ultra high definition (UHD) content protection" -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b94ec994-1703-5411-2ba3-3bd4e8245a2e%40gmx.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Cannot assign USB radio peripheral with qvm-usb
Hi N, I did not find a better solution. I run the radio peripheral from sys-usb directly and moved any software for it to that VM. Yuraeitha, my USB controller does not support PCI reset, so your ideas do not help me. If sys-usb goes down the only way to get any USB functionality is to reboot the system. And as this is a somewhat RAM-limited laptop, switching the USB controller to any other VM doesn't always work, as sys-usb doesn't always come up at boot (due to memory access issues). Incidentally, the Yubikey I have works just fine with qvm-usb. I didn't have to do anything unusual for that at all. - Paul -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6f9bfda7-2d42-41c7-824c-aa095931dc5b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] High spec laptop for Qubes OS
On Sunday, February 25, 2018 at 8:46:52 AM UTC+1, tai...@gmx.com wrote: > On 02/24/2018 11:50 PM, Yuraeitha wrote: > > > Qubes OS on normal hardware (fulfilling current security hardware > > requirements) is still a much more secure alternative than > > Windows/Mac/Linux OS's, even on compromised hardware from i.e. > > Intel/AMD/etc. I agree there still are very big security/privacy problems > > in hardware, there definitely is. But all things considered, if you're not > > trying to be immune from state-level/advanced hacker attacks, then it may > > be too extreme to go that far just yet. > Why not have max security all the time? It isn't difficult. > > Besides if the TALOS 2 isn't successful it will be the end of high > performance owner controlled hardware, so maxing out today is important > so you will be able to tomorrow. > > Unless of course, you are a high profile target, or even a medium-level > > target. Don't piss off, or grab unwanted attention of dangerously > > resourceful people. > "Avoid pissing people off" is bad advice and simply no fun - if your > security plan counts on that then you don't have any security at all. > > If you're a normal user, and you don't grab unwanted attention, then you > > should be okay in this time and day, however, that may change down the line > > as attack vectors improve and advance, and increasingly become mainstream > > for less skilled hackers to use. At which point, it's not the few handful > > really skilled hackers you need to worry about, but script kiddie "hackers" > > around every city-block. > > > > Frankly it's impossible to get the perfect hardware to our desires. > > Whatever your needs may be, you need to take everything into account. The > > current situation however, I'd think if you're low profile (normal person > > with no unwanted attention), then you should be fine from a security > > perspective, with most laptops that meet the current hardware > > specifications. > I would argue that the TALOS 2 is perfect, it is the only system that > has freedom, security and performance - you could even play videogames > on it if they were compiled for POWER. > Its featureset and performance are much better than what intel and AMD > are selling rather than being simply equivilant - it isn't at all > "heavily limited". > > A wintel skylake system "meets the current specifications" but I could > cause a commotion and steal your encryption keys while you are > distracted by plugging in a USB debugger because intel "forgot" to > disable that feature in shipping chipsets. > > It's the same if you climb Mount Everest or venture into a wild jungle, no > > matter how much you prepare, there will always be risk. There are no > > perfect hardware, while we can do better, currently we are heavily limited. > > I run open source firmware on all of my computers and I sacrifice > absolutely nothing - I play new games at max settings in a VM on my > KGPE-D16 and if I wanted to I could install OpenBMC for remote lights > out access just like on a mainstream proprietary system - it is feature > equivilant. > > I highly doubt that anyone here would prefer silly apple aesthetics and > total lack of features/expansion ports over a secure functional computer > and I for one prefer the industrial designs of the older thinkpads and > latitudes. > > On 02/24/2018 11:49 PM, vel...@tutamail.com wrote: > > I think a Lenovo is the way to go...the Qubes developers use them, the > > X1/Gen5 was mentioned as being popular with them. I googled and Max Ram is > > 16, however I went from 8-12 and more then satisfied with improvement. I > > wanted the X1 but thought it was out of my budget and thought I would look > > too cool using it:) > The W520 supports 32GB, the T420 and X230 16GB. > > The W520, T420 and X230 (with x220 keyboard) are all decent mobile > workstation performance choices and they support egpu via expresscard. > The G505S is more free (no ME/PSP) but it doesn't have expresscard and > the build quality is not as nice. > > >> Notes: > >> There isn't much point using qubes with hardware that has ME/PSP, > > Is the ME/PSP risk more from a Governement/Intel threat or are the > > vulnerabilities with these features available to other threat vectors as > > well? Would appreciate your thoughts... > Rumor has it that signing keys for all ME versions and local HECI > exploit mechanisms are being traded on obscure internet forums and being > used to attack the usual targets (fortune 500, journalists, political > types etc) > > I highly doubt you I or anyone posting here is important enough to get a > specific exploit package targeted to us by a government actor - you > gotta have something worth stealing such as industrial processes, > proprietary code to some important program, blueprint etc, for instance > the chinese government has many hacking teams dedicated to industrial > espionage but just because you aren't a
Re: [qubes-users] High spec laptop for Qubes OS
On 02/25/2018 06:06 PM, Franz wrote: But does Talos 2 work with Xen? It seems it does not: https://www.google.com.br/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwig_reIlsLZAhXK2VMKHRlvC6cQFggrMAA&url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsg%2Fqubes-users%2FbqRSuU3T6MA%2Fn9tFozKsAQAJ&usg=AOvVaw2aUCCm88WSdcxkcCqWhZbe Yeah unfortunately Xen doesn't support POWER and they have rebuffed advances from IBM and Raptor offering assistance to support it. I had suggested it as their desired use-cases isn't really possible in qubes, according to various other people it is nearly impossible to attach a gpu to a qubes VM compared with using QEMU-KVM. In terms of laptops, the most free is the Lenovo G505S which can run qubes (no ME/PSP) although it doesn't have an eGPU capability and max ram is 16GB so the best choice would be the W520 if one wants an eGPU capable laptop with 32GB max ram. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/52fae349-84dc-edb1-639f-39e6c36865fe%40gmx.com. For more options, visit https://groups.google.com/d/optout.
Re: AW: Re: [qubes-users] High spec laptop for Qubes OS
On 02/25/2018 06:41 PM, [799] wrote: Hello Taiidan, Original-Nachricht An 26. Feb. 2018, 00:33, taii...@gmx.com schrieb: In terms of laptops, the most free is the Lenovo G505S which can run qubes (no ME/PSP) although it doesn't have an eGPU capability and max ram is 16GB so the best choice would be the W520 if one wants an eGPU capable laptop with 32GB max ram. Depending on the use case I would always also think about battery runtime, something where the W520 fails. I would always always think about a x230 which runs so well under Qubes and can be coreboot'ed. The x230 only supports 16gb ram and he said he wants more. Out of interest, why are you not recommending the W540? Obviously because not only does it have ME it also has no open source firmware, it also has the crappy chiclet keyboard and you can't swap it out like one can with a x230/t430 etc. I have both (x230 and W540) and the biggest benefit of the W540 is the high resolution display. Unfortunately it doesn't support Coreboot and build quality is not as nice as the older x230 series. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0680fc7d-70ad-d460-1dc9-c11a69c3c039%40gmx.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Cannot assign USB radio peripheral with qvm-usb
On Monday, February 26, 2018 at 12:14:02 AM UTC+1, Paul Mosier wrote: > Hi N, > > I did not find a better solution. I run the radio peripheral from sys-usb > directly and moved any software for it to that VM. > > Yuraeitha, my USB controller does not support PCI reset, so your ideas do not > help me. If sys-usb goes down the only way to get any USB functionality is > to reboot the system. And as this is a somewhat RAM-limited laptop, > switching the USB controller to any other VM doesn't always work, as sys-usb > doesn't always come up at boot (due to memory access issues). > > Incidentally, the Yubikey I have works just fine with qvm-usb. I didn't have > to do anything unusual for that at all. > > - Paul Alright, so PCI reset is not supported. However, you haven't answered the full question in regard to the PCI reset, did you look at the feature to disable the PCI reset requirements? It's in the link awokd posted up above. As well as the method to make PCI more permissive too. You loose a bit security from local USB attacks, however, the question then becomes what you value more, as well as your threat profile, and if you ever leave your laptop/desktop alone/exposed to people you can't trust. Essentially, you may very well have the opportunity to remove the PCI reset requirement and add permissive mode to your USB, without loosing too much security, given if your environment is favorable (low attack risks on your machine). If you do that, then you won't need to restart the full machine every time you switch the controller, and sys-usb should work at every boot as well. Have you tried or thought about this? If this is no good, then direct USB attachment becomes a big hassle indeed. Interesting that you got the Yubi key to work with qvm-usb btw, I might have a second look at it again. It could be that I us Qubes 4 though? *shrug* I'll have to see what happens. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4a688804-4196-490b-9af4-f3619036f03f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Cannot assign USB radio peripheral with qvm-usb
Hi Yuraeitha, Yes, I have looked to see if PCI reset could be changed. I have had no luck. I am aware of the security implications of running things in sys-usb. For the time being I accept the risks, though I will be looking a little closer at the hardware of my next laptop! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8f74c4f2-4fa9-4af1-a193-6e097db0d89d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Cannot assign USB radio peripheral with qvm-usb
On Monday, February 26, 2018 at 3:34:55 AM UTC+1, Paul Mosier wrote: > Hi Yuraeitha, > > Yes, I have looked to see if PCI reset could be changed. I have had no luck. > > I am aware of the security implications of running things in sys-usb. For > the time being I accept the risks, though I will be looking a little closer > at the hardware of my next laptop! ah, that's too bad, it sucks when having bought hardware with such minor but hugely impacting limitations. If the hardware developers only had more incentive to increase quality on the market... It's frustrating that so few market proper information & specifications, and so so few reviews, focus on things like USB capabilities. Like how many controllers there is etc. can be dodgy to learn about on a laptop... One would think that given all the virtualisation that people get into (not just Qubes, but in general), that information about controllers and even PCI reset would be more available, and even be good selling points. Either way, I wish you good luck in your hunt, may you find a proper pray in the jungle. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a2ee06c1-cb93-4c9d-8295-357d8b9a7fb8%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] win/linux
hi guys, i successfully installed/run windows on a standalone vm but im having problems booting oracle linux. The installation had no problems but when its time to reboot it doesnt start from the hd. i can reboot from the cdrom again but not from hd. what im missing here?? thanks, j Sent from my iPhone -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/DM5PR03MB2633B0F192060CBAEF0DEEABA8C10%40DM5PR03MB2633.namprd03.prod.outlook.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] firewall/proxy VM not working with Qubes 4.0-rc4
I installed Qubes 4.0-rc4 and have a problem with my internet connection. sys-net itself has a working internet connection but sys-firewall does not. No need to mention that every other VM that uses sys-firewall as netVM does also have no working internet connection. If I switch the default netVM from sys-firewall to sys-net (for testing), dom0 can use it to update etc. Also any other VM gets internet connection with sys-net as Networking VM. An update of dom0 from testing-repository did not fix the problem. Also switching the sys-firewall template from fedora-26 to debian-9 does not help. I found a similar problem here: https://github.com/QubesOS/qubes-issues/issues/2141 So I checked the network interfaces and they are like this: sys-net: lo enp0s0 vif2.0 sys-firewall: eth0 lo Not sure, but I guess the vif interface is missing in sys-firewall? How do I fix this problem? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a028078a-1514-4be8-bb00-134326f1fae1%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
