Re: [qubes-users] Newbie Qubes questions.. please help!

2016-09-07 Thread Chris Laprise

On 09/07/2016 06:46 PM, lemondezur...@gmail.com wrote:

Hi, I could use some clarification on the below:

1. Is Qubes an actual OS/distro, or do you still have to pick a distro? I think 
it's based on Fedora, right?  But you can have templates that use other OSes?


Correct. Its currently based on Fedora (for dom0) but you have a bit of 
choice for vm templates.



2. Is Whonix basically an add-on to Qubes that allows more anonymity online?  
Or is it a separate distro based on Qubes with a privacy focus?


Its the former. However, there is another 'edition' of Whonix that 
doesn't use Qubes and may be less secure.



3. Has anyone setup two-factor authentication on their Qubes setup using 
luks/dmcrypt for full drive encryption (for all partitions aside from /boot and 
GRUB boot manager), then putting /boot and GRUB on a USB stick that is also 
encrypted and requires its own password?  If so, how can one implement this on 
Qubes?  I have successfully setup on Debian before luks/dmcrypt full drive 
encryption on the system drive which has all partitions but /boot, and then put 
/boot and GRUB on a USB stick and it worked fine.  I'm able to get prompted for 
my decryption password for the main drive upon boot.  But as I understand it, 
this is not truly 2-factor authentication and anyone could reproduce a similar 
USB boot drive with any rescue disk to get to the main drive's password prompt?

Thanks in advance.


If you want to put /boot on a USB stick, have a look at the 
anti-evil-maid feature. For 2-factor, take a look at 
https://www.qubes-os.org/doc/yubi-key/


Chris

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/69c1159a-8ea3-6897-edfc-2338ae6e50b2%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Feedback and errors on installation

2016-09-07 Thread Benoit Georgelin
Hi, 
so here is a status : 
Whatever I do with Qubes OS 3.2-rc3 the efibootmgr is not saved for long 

I did this : 
efibootmgr -v -c -u -L Qubes -l /EFI/qubes/xen.efi -d /dev/sda -p 1 
"placeholder /mapbs /noexitboot" 

So I can see the entry in the command 

efibootmgr -v 

I a reboot , it's working. 
If I wait I don't know how (yet) it goes back without Qubes entry 

If you have an idea, let me know , thanks 




De: "Marek Marczykowski-Górecki"  
À: "Benoit Georgelin"  
Cc: "Georgelin Benoît" , "qubes-users" 
 
Envoyé: Mardi 6 Septembre 2016 18:44:43 
Objet: Re: [qubes-users] Feedback and errors on installation 

-BEGIN PGP SIGNED MESSAGE- 
Hash: SHA256 

On Wed, Sep 07, 2016 at 12:40:42AM +0200, Benoit Georgelin wrote: 
> I'm not used to EFI and I don't understand why the disk is not even bootable 
> as it supposed to be, like the usb key. 

You are using EFI. Otherwise launching "chainloader /EFI/BOOT/xen.efi" 
would not work. 
Maybe this is a problem? You have selected booting into legacy mode, but 
installed system in EFI mode? 

> Like if the MBR / GPT was not set properly 
> 
> My computer does not even try. At least with the usb key , grub shell appear 
> ^^ 
> 
> I would like to re-install grub on /dev/sda but in dom0 , there is no grub 
> binaries 
> I also have to see how I can install / update the system 

Yes, in EFI mode grub is not used in installed system at all. But if you 
want, you can install it with "qubes-dom0-update grub2" command. 

- -- 
Best Regards, 
Marek Marczykowski-Górecki 
Invisible Things Lab 
A: Because it messes up the order in which people normally read text. 
Q: Why is top-posting such a bad thing? 
-BEGIN PGP SIGNATURE- 
Version: GnuPG v2 

iQEcBAEBCAAGBQJXz0bcAAoJENuP0xzK19csIUQH/25p+2CyKt/iAYGp4GqkPUdd 
CnWvuc2nFsFMSLNW3yF0Dg5BdfCwLlz+U1csf9sQ2V95yQkv8dFS5htMuMvck8Fg 
W1CFPCAKqj63YEo3t+OD6EdOtJQyxKtmiSxyRXw7T8waZzTu0+TJcbhAx7KjjD6l 
HGbUXug+hhgL5XX0Rv8O4sSsFRbCRwms+D0u+8qmW3UsMgK+pkiQMUZz7FNXgAuW 
Y7QOmP4O0AavooG5Tx7TrTzC5cdbm8qz1j4P69/9NEgVEQsuspQbFJh1io5c5bqO 
CEi4BRTBx/5Yp7FQFzvvXQP0ai1uWrbfANRhkOMZZHvu/BopoShsfzR0+sIWIXQ= 
=oiDw 
-END PGP SIGNATURE- 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1868779375.1315687.1473290317744.JavaMail.zimbra%40georgelin.me.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Newbie Qubes questions.. please help!

2016-09-07 Thread lemondezurich
Hi, I could use some clarification on the below:

1. Is Qubes an actual OS/distro, or do you still have to pick a distro? I think 
it's based on Fedora, right?  But you can have templates that use other OSes?

2. Is Whonix basically an add-on to Qubes that allows more anonymity online?  
Or is it a separate distro based on Qubes with a privacy focus?

3. Has anyone setup two-factor authentication on their Qubes setup using 
luks/dmcrypt for full drive encryption (for all partitions aside from /boot and 
GRUB boot manager), then putting /boot and GRUB on a USB stick that is also 
encrypted and requires its own password?  If so, how can one implement this on 
Qubes?  I have successfully setup on Debian before luks/dmcrypt full drive 
encryption on the system drive which has all partitions but /boot, and then put 
/boot and GRUB on a USB stick and it worked fine.  I'm able to get prompted for 
my decryption password for the main drive upon boot.  But as I understand it, 
this is not truly 2-factor authentication and anyone could reproduce a similar 
USB boot drive with any rescue disk to get to the main drive's password prompt?

Thanks in advance.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/db6a03e0-7072-424e-a1ae-64e59c209fc2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] installing Signal on Qubes mini-HOWTO

2016-09-07 Thread IX4 Svs
On Thu, Sep 1, 2016 at 8:41 AM, IX4 Svs  wrote:

> On Thu, Sep 1, 2016 at 2:21 AM, Andrew David Wong 
> wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA512
>>
>> On 2016-08-31 15:50, IX4 Svs wrote:
>> > On Wed, Aug 24, 2016 at 11:10 PM, Andrew David Wong 
>> > wrote:
>> >
>> >>
>> >> On 2016-08-15 14:43, IX4 Svs wrote:
>> >>> On Mon, Aug 15, 2016 at 10:19 AM, Andrew David Wong > >
>> >>> wrote:
>> >>>
>> 
>>  On 2016-08-14 15:22, IX4 Svs wrote:
>> > Just spent a few minutes to figure this out so I thought I'd
>> > share.
>> >
>> 
>>  Thanks, Alex! Would you mind if we added this to the docs at some
>>  point?
>> 
>> 
>> >>> Not at all - especially if you improve my clumsy way of creating the
>> >> custom
>> >>> shortcut (steps 7-12) and use the proper Qubes way that Nicklaus
>> >>> linked to.
>> >>>
>> >>> Cheers,
>> >>>
>> >>> Alex
>> >>>
>> >>
>> >> Added:
>> >>
>> >> https://www.qubes-os.org/doc/signal/
>> >>
>> >>
>> > Andrew, thanks for adding this to the documentation.
>> >
>> > I'm afraid my DIY shortcut kludge does not survive some(potentially boot
>> > time) script and is wiped away from the taskbar, only to be replaced by
>> a
>> > default "Chrome browser" shortcut. I admit I don't quite comprehend what
>> > the actual implementation of
>> > https://www.qubes-os.org/doc/managing-appvm-shortcuts/#tocAnchor-1-1-1
>> > should be.
>>
>> Neither do I. I've always make my custom shortcuts the same general way
>> you do.
>>
>>
> Ah, we have a usability issue here then.
>
>
>> > A worked example that replaces all but the first step of the " Creating
>> a
>> > Shortcut in KDE" section of https://www.qubes-os.org/doc/signal/ would
>> be
>> > very much welcome.
>> >
>>
>> Agreed.
>>
>
> Can someone who has figured out how to create one-click buttons to launch
> arbitrary applications in AppVMs chime in with an example please? I'll then
> test it and Andrew can stick it in the wiki for all Qubes users to benefit.
>

I had a look myself and may have figured out the "proper" way of creating a
shortcut to launch Signal. By the way I submitted a pull request for the
documentation at https://www.qubes-os.org/doc/m
anaging-appvm-shortcuts/#tocAnchor-1-1-1 because its language is slightly
inaccurate.

These instructions (after verification) should replace the shortcut kludge
of the signal page you created:

My Signal AppVM uses the fedora-23 template, and I have renamed the
.desktop file that Chrome created on that AppVM's desktop to
signal.desktop. Now what?

1. Open a dom0 terminal, cd to /var/lib/qubes/vm-templates/fedora-23/
2. Copy Signal:/home/user/Desktop/signal.desktop to
dom0:/var/lib/qubes/vm-templates/fedora-23/apps.templates/signal.desktop
3. Lightly edit
dom0:/var/lib/qubes/vm-templates/fedora-23/apps.templates/signal.desktop to
be as follows:

[Desktop Entry]
Version=1.0
Type=Application
Terminal=false
X-Qubes-VmName=%VMNAME%
Icon=%VMDIR%/apps.icons/signal.png
Name=%VMNAME%: Signal Private Messenger
GenericName=%VMNAME%: Signal
Comment=Private Instant Messenger
Exec=qvm-run -q --tray -a %VMNAME% -- 'qubes-desktop-run
/home/user/Desktop/Signal.desktop'

4. Copy
Signal:/rw/home/user/.local/share/icons/hicolor/48x48/apps/chrome--Default.png
 to
dom0:/var/lib/qubes/vm-templates/fedora-23/apps.templates/apps.icons/signal.png

5. Copy
dom0:/var/lib/qubes/vm-templates/fedora-23/apps.templates/apps.icons/signal.png
to
dom0:/var/lib/qubes/vm-templates/fedora-23/apps.templates/apps.tempicons/signal.png

6. At this point you should be all set. Ensure Qubes knows about the new
menu item you created by starting the fedora-23 template VM and then
running in a dom0 terminal: qvm-sync-appmenus fedora-23

7. You should now be able to go back to the GUI and from the Q menu: Q ->
Domain: Signal -> Signal: Add more shortcuts...
In the window that will appear, you should now have "Signal Private
Messenger" on the left list of available apps. I moved this to the
"Selected" list and hit OK, which put the entry in my Q menu.

8. Then I went to Q -> Domain: Signal. I right-clicked on "Signal:Signal
Private Messenger" and selected "Add to panel".

9. Success! I now have a button in my KDE panel with which I can launch
Signal with one click.

Hope these steps get documented in the wiki (I'm not attempting a direct
edit lest I break something) and are helpful to people.

Alex

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAEe-%3DTdMYk_L7jtL%3DMYa6uVjV5gQqpgV%2Bz64WVsCseenBS%3DiEg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: Installer freezes in Dell Inspiron 5557

2016-09-07 Thread JPL
Did you try again without selecting the "test media" stage? 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/dc47229e-2070-49b7-bac8-0c1be5f08e54%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Installer freezes in Dell Inspiron 5557

2016-09-07 Thread vinícius mota
I dowloaded the last stable version from 
https://www.qubes-os.org/downloads/#qubes-live-usb-alpha/, which is Qubes R3.1 
x86_64, checked the signatures and all that, and created an USB installation 
device using "dd if=Qubes-R3-x86_64.iso of=/dev/sdX" as instructed in 
https://www.qubes-os.org/doc/installation-guide/. I rebooted the computer and, 
after que installation wizard started, I selected "test media & install qubes". 
The test returned no errors after verification of 100% of the USB stick, and 
immediately after that a black screen with the qubes symbol and some sort of 
progress bar have shown up, with the progress set about half of total. The 
problem is that after 5, 10, 15  minutes nothing happens, and no error messages 
are given. Apparently my laptop fulfills all hardware requirements shown in 
https://www.qubes-os.org/doc/system-requirements/, with my processor being 
Intel(R) Core(TM) i7-6500U which, according to 
http://ark.intel.com/products/88194/Intel-Core-i7-6500U-Processor-4M-Cache-up-to-3_10-GHz,
 has both Intel VT-x and VT-d technologies. Does anyone has any advice? Thank 
you...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e67ba4c6-545b-4e33-8b83-4c559659cbe0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: OpenBSD Xen PHVM

2016-09-07 Thread John R. Shannon

From the OpenBSD 6.0 Release Notes:

> The xen(4) driver now supports domU configuration under Qubes OS.

On 09/06/16 06:50, Marek Marczykowski-Górecki wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Sep 06, 2016 at 05:28:22AM -0700, Jan Betlach wrote:

On Tuesday, September 6, 2016 at 9:38:59 AM UTC+2, Jan Betlach wrote:

Looks like Open BSD implemented Xen PHVM drivers in 6.0. How exactly does it 
help to run OpenBSD guest in Qubes?


There are more details in the paper here: 
https://www.openbsd.org/papers/asiabsdcon2016-xen-paper.pdf.

Wouldn't it be great to build a pf based firewall in Qubes?  :-)


If that's all what is currently included in 6.0, there is one important
part missing (in addition to my previous email): network backend driver.
Without this, it is impossible to have ProxyVM.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJXzrunAAoJENuP0xzK19cs17oH/RC5mFjG9MOywpvptJD7MXuT
TZCUIiAY0JIkbKxy5YrurHttZ51Qsc2KLT9/+yE98u0evyXNi+m8JlN7zruUq6XF
11wY9GuMjeKGmarOIzrMl/RIZnnYrMLJBYXVec+bi/nptPzRnCldg46NmH/PGSvc
sE7kHX9gjuNZiDXx5Kc+8Q7EnYR9kLwz4/QLYv9LGHsYMEjXVeuUXVYfEETa+SZb
5whn5P7vXIpt2Rc32Qo8ozLQW9hwwQJkSvGe8iqiTEIAcZ4248xdL9rUqHI2zK7k
W67IbH+vC1C7waiAsEV/hHNd34zyXlbCYYrmUmbX+Zl7GXK1QhDByYDHVYUPxg8=
=POAE
-END PGP SIGNATURE-



--
John R. Shannon

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1f45a8c8-adf0-bd50-3554-180aee08fa60%40johnrshannon.com.
For more options, visit https://groups.google.com/d/optout.


Re: Request for test: Re: [qubes-users] Fedora 24?

2016-09-07 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Sep 06, 2016 at 08:44:35PM -0700, pixel fairy wrote:
> > On 09/05/2016 08:24 PM, Marek Marczykowski-Górecki wrote:
> > > Please, if any of you have a chance, test such template.
> 
> Whats the time frame on 3.2? fedora 25 is out in november. would it be worth 
> it to wait? or just make an updated template then?

We will release 3.2 much earlier. It will come with default Fedora 23
template - it is too late in release cycle for such big change.

But the new template will be available in repositories.

> would also be good to have a newer set of graphics drivers in dom0

In Qubes 3.2 dom0 will stay in Fedora 23 - generally it will be mostly
the same as 3.2-rc3. 

For Qubes 4.0 it hasn't been decided yet (most likely will be Fedora
23 too). But hopefully we'll have newer kernel there. I'd aim for 4.8.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCAAGBQJX0BivAAoJENuP0xzK19csgJ8H/0kPV3AUDysnOqpAXnJH+5FW
n3ULpuumBvGI1S7z+zGbba65UI70KGQ25Aq4EVRObSq+y5JdZrLkji7liGif4acA
j4Qxh9/IAfKYlY6T7BMqU760EIlEa091crKxYa8KpkNU/DRtYaKQ48Jbra3CS49z
HolUzKI+l2KfqcoC5YGOUQT98zgdaC4U/oN9FbIXUPBc4psQdz43jpx9A283L+XV
P/5vFfIZjzVr8PvMuYGCzo66FGZ4VRXixuNAnGRHBDZ1lOD0Ma87k9U+fyBJWBQi
hxOCyQy4edOs+XaNjEkiFCJcxoARgeNZvJpE6atx2D6VpUwJ8qg+9xjSnuQg2WY=
=nEAN
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20160907133959.GL13909%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Streisand - AntiCensorship software

2016-09-07 Thread Connor Page
agree, when I looked at it some time ago I could not imagine why I would need 
all of that. too large an attack surface for my taste. however, I did 
investigate what individual elements are capable of and borrowed some ideas, 
like using port 636 and tls-auth for openvpn.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5bcb49ca-8310-43c7-8d93-778f05c3f9fc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.