Re: [qubes-users] Qubes Won't Boot with 4.19.125-1 Kernel

[pudding]

Update: kernel 4.19.128-1 boots fine on my laptop, but 4.19.132-1 that 
comes with the newest dom0 update does not. I've set the install_limit 
to 6 just in case. Will continue observing.



pudding

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f4c44c36-c6da-6d98-2ee0-1c18f461e080%40cock.li.

Re: [qubes-users] Qubes-OS architecture.

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2020-08-02 6:34 AM, Jason Long wrote:
> Why not a good document about it?
>

I think it's mainly lack of necessity and lack of time.

We prefer to focus our limited time and resources on the things that
will provide the greatest real, practical security benefit for our
users in their everyday lives, whereas such a document would be more
of a "nice to have" thing.

P.S. -- Please avoid top-posting.

> Sent from Yahoo Mail on Android
>
> On Wed, Jul 29, 2020 at 2:19 AM, Andrew David
> Wong wrote:
>
> On 2020-07-28 4:04 PM, 'Jason Long' via qubes-users wrote:
>> Hello,I found a pdf file about the Qubes-OS architecture but it
>> is for 2010 :(. Any new version? Tnx.
>>
>
> I take it that you're referring to the PDF available at the bottom
> of this page:
>
> https://www.qubes-os.org/doc/architecture/
>
> I'm afraid there is no newer version of that particular PDF. That
> was more of an initial design document. Now that Qubes actually
> exists and is under continual development, it has been largely
> replaced by our documentation and articles:
>
> https://www.qubes-os.org/doc/
>
> https://www.qubes-os.org/news/categories/#articles
>

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAl8oaMMACgkQ203TvDlQ
MDCXRg/+NZadEVmnHGxZTaE3AHgJWAoDXch1811vU739COIEVsrGXf9DNj8/bLrG
uitnptX07mDKBqe7ImZv3MUBQxhzZ4L/S9efSPCKadz4kdnIueJAEa8/WSvYyADp
CYCDmRZHrfWIcaVQveksZNEiaO09GKpCYjaFhQQ5Ljvl4usE+Ewyilu5Hmllgq0P
x4zft0BAKI7HkJyspCTk0k0ZIdS+2bRluas7Q4+4HdSGp3U36FARrbTzRo4JvTsD
hL9QIBepEID5EO1Y4QIH/b+Lirv+N/FyxtXQ39oMfE5G+kto7D9UzsUx0bv3Em9u
SKqAECauMIjmz/R3NxkK13RGVCSI1wUbtLE34aXH0kPy3Ba3G4JFvMo6ZSOqecNz
PvEBwARdzlloqT72boAXrtS5UB28bzqZVe2ab5MbRFQ6adERMwWZRXxzRaX0cWAI
jjdVkNTPt9aX8oaOXiWNTaQi8L7Xdlj5h65rEnVk7BsVTzPqXXKlCzhItIjSn+RE
sTrHWuux9l4c2PyI2jXMhTrBzkhecjjUOM4UqEbYYU41YBeesGMIlMUp2M238aTQ
EmhFj13FNWP4Sgw7MsBrALK3ttYSYA88ExiarTAqoV1tPQ2wpFX9Qt8DtkqlkTl+
Ej43LRhDGzuefXmR1heOevg1uqCNd44KLhqc96fXwLGAV7EYEXI=
=6Tiw
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9ca21ef0-8a7f-70f3-f707-964e691f4765%40qubes-os.org.

Re: [qubes-users] Windows VMs support on qubes

[Claudio Chinicz]

Do a find on this group with the words "qvm-create-windows-qube 2.0" and you'll 
find and interesting thread about Windows on Qubes. I run Windows 10 and it 
works just fine.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ec048124-6259-4d77-abed-d8d72bacdca5o%40googlegroups.com.

[qubes-users] Re: sys-usb issues recognizing devices & maintaining drive connections

['Антон Чехов' via qubes-users]

Hi,

I just wanted to ask if there is hope getting sys-usb to work on the G505s 
in the future? I tried sys-usb in Qubes 4.0 and 4.1 with and without 
kernelopts irqpoll but unfortunately it doesn't work for me. 

Off-topic:
Suspend doesn't work in 4.0 but it works in 4.1.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b17704fa-c98d-49fb-b3ac-ee84287429c7o%40googlegroups.com.

Re: [qubes-users] Update templates in parallel

[fiftyfourthparallel]

On Tuesday, 4 August 2020 00:03:08 UTC+8, Chris Laprise wrote:
>
> Yes, the requirements to get it running keep changing. Right now the 
> easiest way is to install 'kernel-latest-qubes-vm' from dom0 to get a 
> 5.x kernel for VMs (the 5.x kernels have wg module included), then 
> install the wireguard-tools package without dependencies in your template. 
>
> I'll be switching to wireguard in the next few weeks so I'll be updating 
> the wiki then. 
>

I forgot to mention that I was following your latest instructions via this 
thread and still wasn't able to get it 
working: https://groups.google.com/d/msg/qubes-users/f974-MsbZyM/xh93RU7NAQAJ

1. Install the 'kernel-latest-qubes-vm' package in dom0. This will
> provide a 5.x kernel with wireguard module built-in. Set your VPN VM to
> use this kernel.
>
 

> 2. Install only the 'wireguard-tools' package (from testing) in Debian
> 10. Otherwise, there may be a conflict between the built-in and DKMS
> modules.
>
 

> 3. Given the above, it may now be possible to skip using HVM mode
> altogether. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/81236671-e78a-47be-be3e-915c1a954449o%40googlegroups.com.

Re: [qubes-users] Update templates in parallel

[Chris Laprise]

On 8/3/20 10:48 AM, fiftyfourthparal...@gmail.com wrote:
Oh, and while I have you here, Chris, I thought I'd let you know that 
your Wireguard guide in Qubes-VPN-Support doesn't work--I followed it 
step-by-step but was left frustrated, so I took another route.


I just came across this Reddit post where the poster seems to have gone 
through the same experience, so that reminded me to let you know:


https://old.reddit.com/r/Qubes/comments/i2cza9/cant_for_the_life_of_me_get_wireguard_to_work/


Yes, the requirements to get it running keep changing. Right now the 
easiest way is to install 'kernel-latest-qubes-vm' from dom0 to get a 
5.x kernel for VMs (the 5.x kernels have wg module included), then 
install the wireguard-tools package without dependencies in your template.


I'll be switching to wireguard in the next few weeks so I'll be updating 
the wiki then.


--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2265eb4b-76c3-d793-fddb-fee24910fec8%40posteo.net.

Re: [qubes-users] qvm-usb does not see any usb devices

[Cranix]

After bunch of reboots system started to see devices
connected to two usb ports(3.0), I have a few usb 2.0 ports
that are still not visible to sytem.

Any ideas how i can debug this?
On another os all ports work fine.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200803155857.GA22919%40hackerspace.pl.

Re: [qubes-users] Update templates in parallel

[Chris Laprise]

On 8/3/20 10:18 AM, fiftyfourthparal...@gmail.com wrote:

On Monday, 3 August 2020 18:36:28 UTC+8, Chris Laprise wrote:

'curl' would only be used in a Whonix template. This is to signal
Qubes'
proxy to start the Tor-based updateVM as soon as possible. It should
not
try to run curl in a Fedora or regular Debian template.

To suppress interactive prompts, you need to run the script with
'-u' or
'--unattended'.


Thanks--I managed to figure that out and respondright before you posted 
, 
so now I'm using the -atu option.


Not sure if it's a bug, but it seems like your script attempted to run 
curl in Fedora. I can't copy the output, but the VM basically goes, 
"Errors during downloading metadata for repository 'updates': Curl error 
(28); Curl Error (23)" several times before throwing up its arms and 
giving up. Then the script tells me that fedora-32-minimal update 
returned non-zero status.


Seems like dnf itself uses curl. Searching for 'dnf curl' shows a lot of 
hits. dnf is saying it couldn't use curl to retrieve metadata for the 
updates repo. Maybe there is an issue with the way the updatevm is setup 
on your system?


To test manually, here is the command the script uses:

dnf update -y --best

I also just tested the script with a fresh fedora-32-minimal and it 
works (interesting to note that "curl-minimal" was one of the updated 
packages).


--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4b65ca4f-4262-298c-6597-a7e4c7e2512e%40posteo.net.

Re: [qubes-users] Update templates in parallel

[fiftyfourthparallel]

Oh, and while I have you here, Chris, I thought I'd let you know that your 
Wireguard guide in Qubes-VPN-Support doesn't work--I followed it 
step-by-step but was left frustrated, so I took another route.

I just came across this Reddit post where the poster seems to have gone 
through the same experience, so that reminded me to let you know: 

https://old.reddit.com/r/Qubes/comments/i2cza9/cant_for_the_life_of_me_get_wireguard_to_work/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b929c78a-780a-46c2-aa5e-61ec5e9e7fdco%40googlegroups.com.

Re: [qubes-users] Update templates in parallel

[fiftyfourthparallel]

On Monday, 3 August 2020 18:36:28 UTC+8, Chris Laprise wrote:
>
> 'curl' would only be used in a Whonix template. This is to signal Qubes' 
> proxy to start the Tor-based updateVM as soon as possible. It should not 
> try to run curl in a Fedora or regular Debian template. 
>
> To suppress interactive prompts, you need to run the script with '-u' or 
> '--unattended'. 
>

Thanks--I managed to figure that out and respond right before you posted 
, so 
now I'm using the -atu option.

Not sure if it's a bug, but it seems like your script attempted to run curl 
in Fedora. I can't copy the output, but the VM basically goes, "Errors 
during downloading metadata for repository 'updates': Curl error (28); Curl 
Error (23)" several times before throwing up its arms and giving up. Then 
the script tells me that fedora-32-minimal update returned non-zero status.
 
 

> Yes, vm-boot-protect does lock down that dir, along with other startup 
> files and dirs in /home. The way it does this is with the 'immutable' 
> flag. To change it (re)start the VM and do: 
>
> sudo chattr -i -R .config/autostart 
>
> Then change what you need to in that path and restart the VM. During the 
> startup process the dir and its contents will be automatically made 
> immutable again. 


Tested and confirmed working. When combined with your halt-vm-by-window 
script, my Qube Manager is now basically my start menu. Who said security 
doesn't mix well with useability? Now, if only there were a modification 
that allowed you to start VMs by double-clicking on them in the Qube 
Manager...

On Monday, 3 August 2020 19:05:29 UTC+8, Chris Laprise wrote:
>
> BTW, I think the appVM is the right place to make the .config/autostart 
> change if the custom .desktop file is being applied on a per-VM basis. 
>

Tested and confirmed to persist across reboots. Thanks a bunch! 

 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9a80e647-4e3b-43a6-8673-b727b641155bo%40googlegroups.com.

Re: [qubes-users] Windows VMs support on qubes

[donoban]

On 2020-08-03 09:35, flatten wrote:
> I plan to use the Windows VM for specific purposes.
> 
> Has anyone use a Windows VM on qubes? I do not think it is the most
> popular VM given Qubes is designed for security.
> Are older versions of Windows (7, XP), etc supported?
> 

Hi,

Windows 7 HVMs work pretty fine.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6018ad8c-c3cb-44f1-8ed8-279d802d78a0%40riseup.net.

[qubes-users] Memory snapshot

[martingauna]

Hello, I'm running a VM which is suspected to contain malware. Therefore I 
would like to get a snapshot of the VM's RAM in order to further analyze it.

Can this be done in Qubes? 

Thanks,

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/603421b9-a1c5-47ae-936c-23bb68f65865o%40googlegroups.com.

Re: [qubes-users] Update templates in parallel

[Chris Laprise]

On 8/3/20 4:11 AM, fiftyfourthparal...@gmail.com wrote:


Your Qubes-VM-Hardening tool was one of the first things installed 
into my first Qubes, but I'm still not very familiar with how it 
works. I think vm-boot-protect might be blocking me from adding a 
.desktop file into ~/.config/autostart, as Steve suggested (Steve: 
does this need to be done in templates? If done in an appVM, wouldn't 
it get purged upon restart?).


BTW, I think the appVM is the right place to make the .config/autostart 
change if the custom .desktop file is being applied on a per-VM basis.


If you want it for _all_ VMs based on that template, that's a little 
harder. Putting the .desktop file in /etc/skel would only make the 
change when an appVM is first created, so existing VMs using that 
template would not benefit. However, vm-boot-protect-root has the 
ability to copy or "deploy" files into /home on each boot; you would 
have to save the .desktop file under 
/etc/default/vms/vms.all/rw/home/user/.config/autostart in the template.


Another idea is to use rc.local to launch the app via 'systemd-run' 
using its "timer" features or some other way to delay execution. Or you 
could even try adding the .desktop file to /home using rc.local.


--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/66360ea5-43f8-5b53-1114-f613ac039629%40posteo.net.

Re: [qubes-users] Update templates in parallel

[Chris Laprise]

On 8/3/20 4:11 AM, fiftyfourthparal...@gmail.com wrote:



On Sunday, 2 August 2020 22:42:31 UTC+8, Chris Laprise wrote:

You can check out my github for some interesting stuff. The
'Qubes-scripts' project has a (serial) template updater that lets you
select by certain criteria. It could be parallelized pretty easily.

[...]

Finally, there is a VPN tool and one to enhance VM internal security.

-- 
Chris Laprise, tas...@posteo.net

https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886


I tested your halt-vm-by-window and system-stats-xen and found them very 
useful. I also tried your qubes4-multi-update but ran into three issues: 
one is that it relies on curl, which my Fedora minimal wasn't happy 
about; another is that it [Y/n] prompts me for upgrades, which it 
shouldn't do, according to the script; the last is that it attempts to 
update mirage firewall standalones and when it fails, the whole process 
stops.


'curl' would only be used in a Whonix template. This is to signal Qubes' 
proxy to start the Tor-based updateVM as soon as possible. It should not 
try to run curl in a Fedora or regular Debian template.


To suppress interactive prompts, you need to run the script with '-u' or 
'--unattended'.




Your Qubes-VM-Hardening tool was one of the first things installed into 
my first Qubes, but I'm still not very familiar with how it works. I 
think vm-boot-protect might be blocking me from adding a .desktop file 
into ~/.config/autostart, as Steve suggested (Steve: does this need to 
be done in templates? If done in an appVM, wouldn't it get purged upon 
restart?).


Yes, vm-boot-protect does lock down that dir, along with other startup 
files and dirs in /home. The way it does this is with the 'immutable' 
flag. To change it (re)start the VM and do:


sudo chattr -i -R .config/autostart

Then change what you need to in that path and restart the VM. During the 
startup process the dir and its contents will be automatically made 
immutable again.





Anyways, your tools are very convnient and I think they should be more 
widely known, if not integrated into Qubes proper. Thank you



--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d52604db-0419-6ba0-5222-1f41e528ce74%40posteo.net.

Re: [qubes-users] Update templates in parallel

[fiftyfourthparallel]

On Monday, 3 August 2020 16:11:40 UTC+8, 54th Parallel wrote:
>
>
> I tested your halt-vm-by-window and system-stats-xen and found them very 
> useful. I also tried your qubes4-multi-update but ran into three issues: 
> one is that it relies on curl, which my Fedora minimal wasn't happy about; 
> another is that it [Y/n] prompts me for upgrades, which it shouldn't do, 
> according to the script; the last is that it attempts to update mirage 
> firewall standalones and when it fails, the whole process stops.
>
>  
Now that I've actually read the documentation, my problems can be solved by 
using the -atu option--a classic case of RTFM.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4b514065-4b61-4f61-bbc7-46aaf9033011o%40googlegroups.com.

Re: [qubes-users] Update templates in parallel

[fiftyfourthparallel]

On Sunday, 2 August 2020 22:42:31 UTC+8, Chris Laprise wrote:
>
> You can check out my github for some interesting stuff. The 
> 'Qubes-scripts' project has a (serial) template updater that lets you 
> select by certain criteria. It could be parallelized pretty easily. 
>
> [...]
>
> Finally, there is a VPN tool and one to enhance VM internal security. 
>
> -- 
> Chris Laprise, tas...@posteo.net  
> https://github.com/tasket 
> https://twitter.com/ttaskett 
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886 
>

I tested your halt-vm-by-window and system-stats-xen and found them very 
useful. I also tried your qubes4-multi-update but ran into three issues: 
one is that it relies on curl, which my Fedora minimal wasn't happy about; 
another is that it [Y/n] prompts me for upgrades, which it shouldn't do, 
according to the script; the last is that it attempts to update mirage 
firewall standalones and when it fails, the whole process stops.

Your Qubes-VM-Hardening tool was one of the first things installed into my 
first Qubes, but I'm still not very familiar with how it works. I think 
vm-boot-protect might be blocking me from adding a .desktop file into 
~/.config/autostart, as Steve suggested (Steve: does this need to be done 
in templates? If done in an appVM, wouldn't it get purged upon restart?).

Anyways, your tools are very convnient and I think they should be more 
widely known, if not integrated into Qubes proper. Thank you

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9909dcfd-4b72-4f7f-b44a-4152b837fe0eo%40googlegroups.com.

[qubes-users] Windows VMs support on qubes

[flatten]

I plan to use the Windows VM for specific purposes.  

Has anyone use a Windows VM on qubes? I do not think it is the most popular VM
given Qubes is designed for security.  
Are older versions of Windows (7, XP), etc supported?

\-- Sent using MsgSafe.io's Free Plan Private, encrypted, online communication
For everyone. https://www.msgsafe.io


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200803073504.8256162754%40exit1-us.msgsafe.io.