Re: [qubes-users] Re: HCL - Lenovo Thinkpad X1 Carbon 4th gen (20FB)

2016-11-14 Thread Jean-Philippe Ouellet
On Mon, Nov 14, 2016 at 4:16 PM, Marek Marczykowski-Górecki
 wrote:
> You can temporarily set sys-firewall netvm to none. This will allow you
> to shutdown/restart sys-net without consequences. Remember to change
> sys-firewall netvm back to sys-net afterwards.

Good to know! I wish I'd thought of that earlier :)

>> Curiously, the wireless didn't hang while i had the 4.4 kernel in
>> dom0, and now it hangs with 4.8 in dom0 and either 4.4 OR 4.8 in
>> sys-net. This does not make sense to me, but it is indeed what I have
>> observed. Perhaps it was also failing before and I just never noticed
>> because the whole machine would hang so often.
>
> I'd guess the latter... When it hangs, does the suspend before it take the
> usual not-so-long time, or is it significantly longer?

Assuming you mean "when the wireless card attached to sys-net appears
to hang, does immediately prior overall system resume appear to take
longer?" then I have not noticed that to be the case. I will try to be
more aware of that in the future.

What do you suspect that makes you ask this?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_BDY7JFJ39AZX-fJQv1vs4KJ%2BukzWcAd98N0afXrzJ-Yg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
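The detach/restart/reattach sequence Marek describes above, as an added example that is not code from the thread or the Qubes project. It assumes the R3.x dom0 command syntax (`qvm-prefs -s <vm> netvm <netvm|none>`, `qvm-shutdown --wait <vm>`, `qvm-start <vm>`); the VM names are the defaults and can be overridden through the environment. The point of the script is the EXIT trap: the "remember to change it back" step is run even when sys-net fails to come back up, and a dry-run mode records the command sequence so it can be reviewed on a machine without Qubes.

```shell
#!/bin/sh
# Added example, not code from the thread: restart sys-net without leaving
# sys-firewall pointed at a dead uplink, by detaching sys-firewall first and
# re-attaching it afterwards even if the restart fails part-way.
# Assumes the Qubes R3.x dom0 command syntax:
#   qvm-prefs -s <vm> netvm <netvm|none>, qvm-shutdown --wait <vm>, qvm-start <vm>
set -eu

NETVM_NAME=${NETVM_NAME:-sys-net}
FW_NAME=${FW_NAME:-sys-firewall}
DRY_RUN=${DRY_RUN:-0}
TRACE=""   # dry-run only: the commands that would have run, one per line

# Execute a dom0 command, or (DRY_RUN=1) append it to TRACE so the exact
# sequence can be reviewed on a machine that has no Qubes tools at all.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        TRACE="${TRACE}$*
"
    else
        "$@"
    fi
}

# Point sys-firewall back at sys-net. Registered as an EXIT trap while the
# restart is in progress, so the "change it back afterwards" step cannot be
# forgotten when one of the commands in between fails under set -e.
restore_fw() {
    run qvm-prefs -s "$FW_NAME" netvm "$NETVM_NAME"
}

restart_netvm() {
    TRACE=""
    run qvm-prefs -s "$FW_NAME" netvm none   # detach: sys-firewall keeps running
    trap restore_fw EXIT
    run qvm-shutdown --wait "$NETVM_NAME"
    run qvm-start "$NETVM_NAME"
    trap - EXIT
    restore_fw                                # normal path: reattach now
}

# "this-script.sh dry-run" prints the planned commands; "run" executes them.
case "${1:-}" in
    run)     restart_netvm ;;
    dry-run) DRY_RUN=1; restart_netvm; printf '%s' "$TRACE" ;;
esac
```

Running it with `dry-run` first is the cheap way to confirm the VM names are right before touching the live system; the real run leaves sys-firewall (and everything behind it) up throughout, only without connectivity while sys-net is down.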


Re: [qubes-users] Re: One step foerward, two steps back on Macbook 11,1 - can't boot into Qubes

2016-11-14 Thread Jean-Philippe Ouellet
Alternatively, if you just want to see if things will work at all,
IIRC you should also be able to un-check a "use sys-usb" (or similar)
checkbox in the installer somewhere, and IIRC rd.qubes.hide_all_usb is
only set if this box is checked.



Re: [qubes-users] Re: One step foerward, two steps back on Macbook 11,1 - can't boot into Qubes

2016-11-14 Thread Jean-Philippe Ouellet
On Tue, Nov 15, 2016 at 12:17 AM, dumbcyber  wrote:
> On Tuesday, 15 November 2016 10:28:52 UTC+11, Marek Marczykowski-Górecki  
> wrote:
>> you need to remove 'rd.qubes.hide_all_usb' from kernel parameters.
>
> Thanks for the info. For me, a noob, how do I remove that parameter from the 
> kernel?  Thank you.

From the installer, use your favorite editor on
/boot/efi/EFI/qubes/xen.cfg to remove just the rd.qubes.hide_all_usb
parameter from the kernel= line. It will probably be at the end of the
line.

Note that your EFI partition might be mounted somewhere other than
/boot/efi (I don't remember). The `mount` command should tell you
where. Look for something like:
/dev/nvme0n1p1 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=...



Re: [qubes-users] Re: One step foerward, two steps back on Macbook 11,1 - can't boot into Qubes

2016-11-14 Thread dumbcyber
On Tuesday, 15 November 2016 10:28:52 UTC+11, Marek Marczykowski-Górecki  wrote:
> On Mon, Nov 14, 2016 at 02:33:50PM -0800, dumbcyber wrote:
> > On Tuesday, 15 November 2016 09:02:56 UTC+11, dumbcyber  wrote:
> > > On Tuesday, 15 November 2016 08:47:30 UTC+11, dumbcyber  wrote:
> > > > From the beginning I have to ask for forgiveness - I am new to Qubes 
> > > > and have no knowledge of changing boot managers beyond trial and error.
> > > > 
> > > > My hardware is a Macbook 11,1. In fact I don't have any other machines 
> > > > at home.
> > > > 
> > > > I want to create a bootable USB drive with Qubes R3.2. I had the usual 
> > > > problem of seeing the 4-item menu to install but nothing working 
> > > > regardless of option chosen.  I tried some forum suggestions like 
> > > > adding /noexitboot=1 to the cfg file. No luck.
> > > > 
> > > > I created a working Qubes USB on a Lenovo computer at work. I was able 
> > > > to create new VM's and set firewall rules. So I know it works.
> > > > 
> > > > Then my uninformed head took over. What if I took that USB and tried 
> > > > booting it on my Macbook? The Macbook does not even recognise the USB 
> > > > at boot time. If I boot into OSX I can get to the USB drive through 
> > > > terminal and mount it.
> > > > 
> > > > I then tried copying rEFInd to the Qubes USB stick but that just hangs 
> > > > the Macbook after selecting the EFI boot option. I'm resisting 
> > > > installing rEFInd on the Macbook itself until I know more about it 
> > > > especially the need to disable SIP.
> > > > 
> > > > My question is: would that even work - copying rEFInd to the working 
> > > > USB drive built on a Lenovo?  Are there any other options I could try?
> > > > 
> > > > Many thanks.
> > > 
> > > 
> > > I also tried copying the EFI/qubes folder to EFI/BOOT and renaming the 
> > > two xen files to BOOTX64 - this hangs after selecting the EFI boot option 
> > > on Mac startup.
> > 
> > Stupidly, when I copied EFI/qubes to EFI/BOOT I left the /noexitboot 
> > options in the CFG file. I removed them from EFI/BOOT/bootx64.cfg and 
> > retried.
> > 
> > I can now boot into Qubes as far as the disk password prompt. The progress 
> > bar on the bottom centre of the screen progresses all the way across but I 
> > can not enter any characters into the password field.
> 
> Macs have USB keyboards, which makes them incompatible with the USB VM (at
> least in the default configuration). In particular, enabling the USB VM prevents
> USB controllers from being initialized in dom0 - even during the disk passphrase
> prompt. To disable this part, you need to remove 'rd.qubes.hide_all_usb'
> from the kernel parameters.
> The problem may also be caused by a missing USB controller (or keyboard
> itself) driver in the initramfs, but AFAIR that was fixed long ago.
> 
> - -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

Thanks for the info. For me, a noob, how do I remove that parameter from the
kernel?  Thank you.



Re: [qubes-users] Re: Intel TXT advice

2016-11-14 Thread 3n7r0py1
On Monday, November 14, 2016 at 11:55:09 PM UTC, tai...@gmx.com wrote:
> On 11/14/2016 04:50 PM, entr0py wrote:
> 
> > taii...@gmx.com:
> >> On 11/14/2016 03:12 PM, Eric wrote:
> >>> On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote:
>  Eric:
> > On Sunday, November 13, 2016 at 10:44:33 PM UTC-8,
> > tai...@gmx.com wrote:
> >> Forgot to say: Purism is just an overpriced quanta/oem
> >> whitebox laptop, it takes 5mil+ of startup funds to do a
> >> small run of *just a motherboard* let alone an entire laptop
> >> computer including the fab for a fancy aluminum case - it is
> >> quite obvious that their components are not "hand selected"
> >> and that they just called up some chinese OEM and asked them
> >> what they had kicking around.
> >>
> >> I can't understand if they are scammers or just really
> >> naive, Instead of making an OpenPower or ARM laptop and
> >> having it be 100% libre from the start they instead do the
> >> dishonest "you'll go to disneyworld one day poor johnny" - If
> >> google can't convince intel to open up FSP/ME then nobody can
> >> - coreboot with FSP is just shimboot (black box FSP - 95% of
> >> the bios work)
> >>
> >> It bothers me quite a lot that they are on the list of
> >> approved vendors when they are a dishonest company.
> > Whoa. Ok, hold on a sec. I did not buy a Purism computer,
> > though not for those reasons - putting a 28W TDP proc in a
> > 15inch "workstation" is absurd to me. as is their lack of a
> > screen configuration. I hear your anger at the gap between what
> > they promise and what they deliver; I'm more displeased on the
> > hardware side of things (though I do like HW kill switches.
> > I've looked into what they promise and understand very well
> > that they don't actually have a very free computer at all,
> > especially on the bios/firmware side.
> >
> > What I actually ordered (and have now cancelled), was a Dell
> > XPS 15". There is no vPro option in the configure menu, though
> > it does support VT-d and SLAT. I've read all of Joanna's
> > papers, and understand the concerns about Intel ME very well.
> > However, on the Dell order, it claimed "ME Disabled." Perhaps
> > they simply meant that vPro/AMT/TXT was disabled, and that was
> > mine and Dell's fault for wishful thinking and false naming,
> > respectively. Please see linked photo: https://d.pr/Q0YZ
> >
>  Moral considerations aside, why not buy that Dell and pair it
>  with a portable router/firewall like this
>  (https://www.compulab.co.il/utilite-computer/web/products)?
>  Shouldn't that effectively block out any ME-related mischief or
>  do I have a fundamental misunderstanding? It doesn't seem
>  possible otherwise to get the type of processing power you're
>  looking for in a laptop form-factor.
> >>> Also, the concern for me is not ME shenanigans. I'm more concerned
> >>> about having TXT for AEM and measured boot, and the consumer Dell
> >>> model does not have that (the processor and chipset don't support
> >>> it). The other option aside from the Precision 5510, would be a
> >>> ThinkPad T460 or T460p, but the downside there is performance (only
> >>> SATA-3 SSD), and also the screen quality is terrible.
> >>>
> >>> Much as I dislike proprietary anything, I might take a second look
> >>> at the new MacBook Pros, and run things that need higher security
> >>> in a VM or in Whonix.
> >> Why would you buy a macbook? You realize those have regular intel 
> >> processors and ME too right?
> >>
> >> Lenovo is owned by the chinese, and dell business laptop (their consumer 
> >> line is garbage) is a way better choice than either.
> >>
> >> It seems you do have (as you said) a fundamental misunderstanding of how 
> >> security actually works, and how a router/firewall operates. - thus I 
> >> don't think that anyone would be targeting you specifically with a ME 
> >> exploit.
> > (top-posting fixed)
> >
> > Despite my "fundamental misunderstanding of how security actually works", I 
> > am able to read a thread and keep track of who said what - a skill you 
> > seemed to have misplaced in all your wizardry. Also, on your crusade to 
> > dismantle Intel and Google, it might behoove you to take a slightly less 
> > aggressive tack with people who generally share your beliefs cause it seems 
> > you're significantly outnumbered as it is.
> >
> > Now if you'd like to respond without the obligatory disdain and actually 
> > explain something, my question was: "Is Intel ME/AMT able to bypass 
> > firewalls that haven't been specifically configured to support those 
> > services?" This entry: 
> > https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Communication
> >  leads me to think that ME TCP/IP traffic isn't automatically 
> > passed-through, but like *I* said, I may have a 

[qubes-users] EFI / UEFI guest

2016-11-14 Thread TheGrandQubes
Hi, 

I was wondering what the status is for allowing EFI / UEFI guest VMs (i.e. an 
AppVM or HVM being able to use EFI rather than BIOS). 
This feature seems to have been implemented in Xen 4.4, "but not build in by 
default", whatever that means. Here is the reference: 
https://wiki.xen.org/wiki/OVMF

Is there currently a way to make OVMF work in Qubes? Or another way to use EFI 
for an HVM instead of BIOS? 

Thanks



Re: [qubes-users] Re: mounting a disk image or volume in app-vm, fast backups

2016-11-14 Thread Chris Laprise

On 11/14/2016 05:20 PM, pixel fairy wrote:

> On Monday, November 14, 2016 at 5:09:41 PM UTC-5, Chris Laprise wrote:
>
> > Using btrfs as the dom0 filesystem (or a btrfs volume added to a dom0
> > pool) could enable the advantages being sought here. Using either
> > snapshots or reflinks, you can create an offline copy of the VM's
> > private.img, and then attach that to the backup vm. This eliminates the
> > first rsync step.
>
> that would be faster :) but, reinstalling and restoring from backups would take 
> a long time. maybe i could run it overnight.


Or depending on your config, you could create a separate btrfs 
partition. IIRC, Qubes lets you place VMs on other volumes.


If you already have ext4-on-lvm that might work, too. Make a snapshot 
volume then use qvm-block on that.


Chris



Re: [qubes-users] Disguising Qubes VMs

2016-11-14 Thread Unman
On Mon, Nov 14, 2016 at 05:02:35PM -0800, Sec Tester wrote:
> A thought on security through obfuscation.
> 
> Right now in terminal if you type "uname -r" we get the kernel version, 
> which has "qubes" in the name.
> 
> Straight away the attacker knows he's dealing with a Qubes VM. Could we not 
> name the kernels to match their original OS?
> 
> And following that same concept, disguise any other telltale signs this is a 
> VM on Qubes. QubesIncoming could just be called "received". Use non-Qubes-unique 
> process or packet names. This would also include renaming Xen stuff. 
> Hiding any obvious Qubes-unique directories deeper into the file system.
> 
> Of course if an attacker specifically tries to tell if they are in a VM it's 
> impossible to 100% hide it, but if an attacker does a quick check and thinks 
> they're on a standard Debian desktop, memory attacks & dom0 are never a 
> target.
> 
> Just an idea.
> 

This has come up a few times before.

The problem is that there are countless ways of identifying a qube,
and your obfuscation will be clear to anyone who can see code: the
"quick check" will just include whatever flavour you have that month.

Anyone who has a memory attack would be able to identify where it could
best be used. So berferd might poke about for a while, but it wouldn't
take long for her to see where she was, and to reach for her Xen
toolbox.




Re: [qubes-users] Disguising Qubes VMs

2016-11-14 Thread Marek Marczykowski-Górecki
On Mon, Nov 14, 2016 at 05:02:35PM -0800, Sec Tester wrote:
> A thought on security through obfuscation.
> 
> Right now in terminal if you type "uname -r" we get the kernel version, 
> which has "qubes" in the name.
> 
> Straight away the attacker knows he's dealing with a Qubes VM. Could we not 
> name the kernels to match their original OS?
> 
> And following that same concept, disguise any other telltale signs this is a 
> VM on Qubes. QubesIncoming could just be called "received". Use non-Qubes-unique 
> process or packet names. This would also include renaming Xen stuff. 
> Hiding any obvious Qubes-unique directories deeper into the file system.
> 
> Of course if an attacker specifically tries to tell if they are in a VM it's 
> impossible to 100% hide it, but if an attacker does a quick check and thinks 
> they're on a standard Debian desktop, memory attacks & dom0 are never a 
> target.

I don't think it's reasonable to assume hiding stuff like that will help
in any way. If someone is able to execute code in a VM, they will find out
it is Qubes very easily - for example, you have the qvm-copy-to-vm tool.
Additionally, security by obscurity is a bad idea - it fails almost every
time, sooner or later.

On the other hand, in some cases it may make sense to hide Qubes usage
from someone _not_ able to execute code directly in your VM - for
example some remote observer. Is the kernel version string something that
can be leaked out? I wouldn't be surprised. In that case, instead of
just pretending to run a non-Qubes kernel, you can actually use a non-Qubes
kernel:
https://www.qubes-os.org/doc/managing-vm-kernel/#using-kernel-installed-in-the-vm

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



[qubes-users] Disguising Qubes VMs

2016-11-14 Thread Sec Tester
A thought on security through obfuscation.

Right now in terminal if you type "uname -r" we get the kernel version, which 
has "qubes" in the name.

Straight away the attacker knows he's dealing with a Qubes VM. Could we not 
name the kernels to match their original OS?

And following that same concept, disguise any other telltale signs this is a 
VM on Qubes. QubesIncoming could just be called "received". Use non-Qubes-unique 
process or packet names. This would also include renaming Xen stuff. 
Hiding any obvious Qubes-unique directories deeper into the file system.

Of course if an attacker specifically tries to tell if they are in a VM it's 
impossible to 100% hide it, but if an attacker does a quick check and thinks 
they're on a standard Debian desktop, memory attacks & dom0 are never a target.

Just an idea.



Re: [qubes-users] Fedora 24 template available for Qubes 3.2

2016-11-14 Thread Marek Marczykowski-Górecki
On Mon, Nov 14, 2016 at 11:14:19PM +, Gaijin wrote:
> systemctl doesn't show anything abnormal
> systemctl --all shows several not found inactive dead listings
> ex.
> livesys.service
> ntpd.service
> qubes-core.service
> qubes-dvm.service
> qubes-firewall.service
> qubes-iptables.service
> qubes-misc-post.service
> qubes-mount-dirs.service
> qubes-mount-home.service
> qubes-netwatcher.service
> qubes-network.service
> qubes-qmemman.service
> qubes-qrexec.service
> qubes-random-seed.service
> qubes-sysinit.service
> qubes-updates-proxy.service
> sntp.service
> syslog.service
> ypbind.service
> sys-log.service
> qubes-update-check.service

Uhm, it looks like you've uninstalled the Qubes tools in the process... If
you still have the Qubes repository definition in
/etc/yum.repos.d/qubes-r3.repo, you can try to reinstall it:

sudo dnf install qubes-core-vm-systemd

It should show you what conflicts with this package (if anything).

If you don't have the repository definition anymore, you'll need to create
it first. It should look like this:

[qubes-vm-r3.2-current]
name = Qubes OS Repository for VM (updates)
baseurl = http://yum.qubes-os.org/r3.2/current/vm/fc$releasever
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-3-primary
skip_if_unavailable=False
gpgcheck = 1
enabled=1

[qubes-vm-r3.2-current-testing]
name = Qubes OS Repository for VM (updates-testing)
baseurl = http://yum.qubes-os.org/r3.2/current-testing/vm/fc$releasever
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-3-primary
skip_if_unavailable=False
gpgcheck = 1
enabled=0

[qubes-vm-r3.2-security-testing]
name = Qubes OS Repository for VM (security-testing)
baseurl = http://yum.qubes-os.org/r3.2/security-testing/vm/fc$releasever
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-3-primary
skip_if_unavailable=False
gpgcheck = 1
enabled=0

[qubes-vm-r3.2-unstable]
name = Qubes OS Repository for VM (unstable)
baseurl = http://yum.qubes-os.org/r3.2/unstable/vm/fc$releasever
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-3-unstable
gpgcheck = 1
enabled=0

You can save some typing by using only the first section (it is enough
for recovery) - save it in some other file there, like
/etc/yum.repos.d/qubes-recovery.repo.

You'll also need to configure the network manually (as you no longer have the
script which did that for you) - take a look here (the procedure is very
similar):

https://www.qubes-os.org/doc/upgrade-to-r3.0/#upgrading-template-on-already-upgraded-dom0

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

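A check worth running before saving a hand-written recovery file like the one above, as an added example that is not code from the thread or the Qubes project: the baseurls in that repo definition are plain http, so `gpgcheck = 1` together with a `gpgkey` is the only thing that authenticates what `dnf install` pulls in. The script below parses a .repo file with awk and refuses it if any section lacks either. The "good" sample is the first section from the reply above; the "weak" samples (`example-weak`, `example-nokey`, with a `.invalid` host) are constructed to show what a failing section looks like.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a yum/dnf .repo file before
# dropping it into /etc/yum.repos.d. Because the Qubes baseurls in the thread
# are plain http, gpgcheck=1 plus a gpgkey is what actually authenticates the
# packages, so every section (enabled or not) is required to carry both.
# The sample files below are constructed for the demo.
set -eu

# Print one "ok <section>" or "FAIL <section>: <reasons>" line per section and
# return 1 if any section fails. Usage: check_repo_file <path>
check_repo_file() {
    awk '
        function flush(   why) {
            if (sec == "") return
            why = ""
            if (gpgcheck != "1") why = why " gpgcheck!=1"
            if (gpgkey == "")    why = why " no-gpgkey"
            if (why == "") print "ok   " sec
            else { print "FAIL " sec ":" why; bad++ }
            sec = ""; gpgcheck = ""; gpgkey = ""
        }
        /^[[:space:]]*\[.*\][[:space:]]*$/ {        # [section] header
            flush()
            sec = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sec)
            next
        }
        /^[[:space:]]*(#|$)/ { next }               # comments and blank lines
        index($0, "=") > 0 {                        # key = value, spaces optional
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[[:space:]]/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey") gpgkey = val
        }
        END { flush(); exit (bad > 0) }
    ' "$1"
}

# Stand-alone demo: the recovery section from the thread passes; a section
# with gpgcheck=0 and a disabled section with no gpgkey are both flagged.
demo() {
    good=$(mktemp); weak=$(mktemp)
    printf '%s\n' \
        '[qubes-vm-r3.2-current]' \
        'name = Qubes OS Repository for VM (updates)' \
        'baseurl = http://yum.qubes-os.org/r3.2/current/vm/fc$releasever' \
        'gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-3-primary' \
        'skip_if_unavailable=False' 'gpgcheck = 1' 'enabled=1' > "$good"
    printf '%s\n' \
        '[example-weak]' 'baseurl = http://repo.example.invalid/x' 'gpgcheck = 0' \
        'gpgkey = file:///etc/pki/rpm-gpg/EXAMPLE-KEY' 'enabled=1' \
        '' '[example-nokey]' 'baseurl = http://repo.example.invalid/y' \
        'gpgcheck = 1' 'enabled=0' > "$weak"
    check_repo_file "$good"
    check_repo_file "$weak" || echo "refusing to install $weak"
    rm -f "$good" "$weak"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Disabled sections are checked too on purpose: `dnf --enablerepo=...` turns them on without anyone re-reading the file, so a missing gpgkey there is a latent problem rather than a harmless one.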


Re: [qubes-users] Re: Intel TXT advice

2016-11-14 Thread taii...@gmx.com

On 11/14/2016 04:50 PM, entr0py wrote:


> taii...@gmx.com:
>
> > On 11/14/2016 03:12 PM, Eric wrote:
> >
> > > On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote:
> > >
> > > > Eric:
> > > >
> > > > > On Sunday, November 13, 2016 at 10:44:33 PM UTC-8,
> > > > > tai...@gmx.com wrote:
> > > > >
> > > > > > Forgot to say: Purism is just an overpriced quanta/oem
> > > > > > whitebox laptop, it takes 5mil+ of startup funds to do a
> > > > > > small run of *just a motherboard* let alone an entire laptop
> > > > > > computer including the fab for a fancy aluminum case - it is
> > > > > > quite obvious that their components are not "hand selected"
> > > > > > and that they just called up some chinese OEM and asked them
> > > > > > what they had kicking around.
> > > > > >
> > > > > > I can't understand if they are scammers or just really
> > > > > > naive, Instead of making an OpenPower or ARM laptop and
> > > > > > having it be 100% libre from the start they instead do the
> > > > > > dishonest "you'll go to disneyworld one day poor johnny" - If
> > > > > > google can't convince intel to open up FSP/ME then nobody can
> > > > > > - coreboot with FSP is just shimboot (black box FSP - 95% of
> > > > > > the bios work)
> > > > > >
> > > > > > It bothers me quite a lot that they are on the list of
> > > > > > approved vendors when they are a dishonest company.
> > > > >
> > > > > Whoa. Ok, hold on a sec. I did not buy a Purism computer,
> > > > > though not for those reasons - putting a 28W TDP proc in a
> > > > > 15inch "workstation" is absurd to me. as is their lack of a
> > > > > screen configuration. I hear your anger at the gap between what
> > > > > they promise and what they deliver; I'm more displeased on the
> > > > > hardware side of things (though I do like HW kill switches.
> > > > > I've looked into what they promise and understand very well
> > > > > that they don't actually have a very free computer at all,
> > > > > especially on the bios/firmware side.
> > > > >
> > > > > What I actually ordered (and have now cancelled), was a Dell
> > > > > XPS 15". There is no vPro option in the configure menu, though
> > > > > it does support VT-d and SLAT. I've read all of Joanna's
> > > > > papers, and understand the concerns about Intel ME very well.
> > > > > However, on the Dell order, it claimed "ME Disabled." Perhaps
> > > > > they simply meant that vPro/AMT/TXT was disabled, and that was
> > > > > mine and Dell's fault for wishful thinking and false naming,
> > > > > respectively. Please see linked photo: https://d.pr/Q0YZ
> > > >
> > > > Moral considerations aside, why not buy that Dell and pair it
> > > > with a portable router/firewall like this
> > > > (https://www.compulab.co.il/utilite-computer/web/products)?
> > > > Shouldn't that effectively block out any ME-related mischief or
> > > > do I have a fundamental misunderstanding? It doesn't seem
> > > > possible otherwise to get the type of processing power you're
> > > > looking for in a laptop form-factor.
> > >
> > > Also, the concern for me is not ME shenanigans. I'm more concerned
> > > about having TXT for AEM and measured boot, and the consumer Dell
> > > model does not have that (the processor and chipset don't support
> > > it). The other option aside from the Precision 5510, would be a
> > > ThinkPad T460 or T460p, but the downside there is performance (only
> > > SATA-3 SSD), and also the screen quality is terrible.
> > >
> > > Much as I dislike proprietary anything, I might take a second look
> > > at the new MacBook Pros, and run things that need higher security
> > > in a VM or in Whonix.
> >
> > Why would you buy a macbook? You realize those have regular intel processors 
> > and ME too right?
> >
> > Lenovo is owned by the chinese, and dell business laptop (their consumer line 
> > is garbage) is a way better choice than either.
> >
> > It seems you do have (as you said) a fundamental misunderstanding of how 
> > security actually works, and how a router/firewall operates. - thus I don't 
> > think that anyone would be targeting you specifically with a ME exploit.
>
> (top-posting fixed)
>
> Despite my "fundamental misunderstanding of how security actually works", I am 
> able to read a thread and keep track of who said what - a skill you seemed to have 
> misplaced in all your wizardry. Also, on your crusade to dismantle Intel and Google, it 
> might behoove you to take a slightly less aggressive tack with people who generally share 
> your beliefs cause it seems you're significantly outnumbered as it is.
>
> Now if you'd like to respond without the obligatory disdain and actually explain 
> something, my question was: "Is Intel ME/AMT able to bypass firewalls that haven't 
> been specifically configured to support those services?" This entry: 
> https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Communication leads me 
> to think that ME TCP/IP traffic isn't automatically passed-through, but like *I* said, I 
> may have a fundamental misunderstanding of that.

It is the same as any other device connected to your network, if it has 
a world routable IP, you port forward, your router gets hacked, your 
computer gets exploited or it initiates communication on its own then 
yes it can communicate with the outside world.
For all we know it is simply waiting for an "activation" code sent via 
MITM that it will detect.


I do not want to "dismantle" intel/google, I simply want them to be more 
friendly to the customer and for intel to end their war on free software 
and general purpose computing - they used to be great companies but now 
they aren't 

Re: [qubes-users] Re: One step foerward, two steps back on Macbook 11,1 - can't boot into Qubes

2016-11-14 Thread Marek Marczykowski-Górecki
On Mon, Nov 14, 2016 at 02:33:50PM -0800, dumbcyber wrote:
> On Tuesday, 15 November 2016 09:02:56 UTC+11, dumbcyber  wrote:
> > On Tuesday, 15 November 2016 08:47:30 UTC+11, dumbcyber  wrote:
> > > From the beginning I have to ask for forgiveness - I am new to Qubes and 
> > > have no knowledge of changing boot managers beyond trial and error.
> > > 
> > > My hardware is a Macbook 11,1. In fact I don't have any other machines at 
> > > home.
> > > 
> > > I want to create a bootable USB drive with Qubes R3.2. I had the usual 
> > > problem of seeing the 4-item menu to install but nothing working 
> > > regardless of option chosen.  I tried some forum suggestions like adding 
> > > /noexitboot=1 to the cfg file. No luck.
> > > 
> > > I created a working Qubes USB on a Lenovo computer at work. I was able to 
> > > create new VM's and set firewall rules. So I know it works.
> > > 
> > > Then my uninformed head took over. What if I took that USB and tried 
> > > booting it on my Macbook? The Macbook does not even recognise the USB at 
> > > boot time. If I boot into OSX I can get to the USB drive through terminal 
> > > and mount it.
> > > 
> > > I then tried copying rEFInd to the Qubes USB stick but that just hangs 
> > > the Macbook after selecting the EFI boot option. I'm resisting installing 
> > > rEFInd on the Macbook itself until I know more about it especially the 
> > > need to disable SIP.
> > > 
> > > My question is: would that even work - copying rEFInd to the working USB 
> > > drive built on a Lenovo?  Are there any other options I could try?
> > > 
> > > Many thanks.
> > 
> > 
> > I also tried copying the EFI/qubes folder to EFI/BOOT and renaming the two 
> > xen files to BOOTX64 - this hangs after selecting the EFI boot option on 
> > Mac startup.
> 
> Stupidly, when I copied EFI/qubes to EFI/BOOT I left the /noexitboot options 
> in the CFG file. I removed them from EFI/BOOT/bootx64.cfg and retried.
> 
> I can now boot into Qubes as far as the disk password prompt. The progress 
> bar on the bottom centre of the screen progresses all the way across but I 
> can not enter any characters into the password field.

Macs have a USB keyboard, which makes them incompatible with the USB VM (at
least in the default configuration). In particular, enabling the USB VM
prevents USB controllers from being initialized in dom0 - even during the
disk passphrase prompt. To disable this part, you need to remove
'rd.qubes.hide_all_usb' from the kernel parameters.
The problem may also be caused by a missing USB controller (or keyboard
itself) driver in the initramfs, but AFAIR that was fixed long ago.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYKkivAAoJENuP0xzK19csPKUIAJjnVSSSTj1oJGyisBEFhNZk
56thercS0SFlvMpdBmY4xXF+F+TuEuoK8VPFXJeQGUhyH8UtjuWYavC0wzWTsl2H
c3yMucbxHVvzmTTwth3ToYvfcaQUO+Zu89J9CfwsfzRsr2p53n4x6OECfuhuc/Hs
ftqPUDWOG87jXzaJVKS3SbWdg/8ifrDkEWgYCpXy/jTZiC3Zpd3K50aU0dFSG6Ww
Xv61SKSZjRbZNtrjBVgkUXxXgw5lD0rRuddlsUNqJJX4r+n/VlF7acukjYXfyfRM
TMvFoR9k5RH4leniSTMNTeQqQcSUgGAbPaa+dJ/OdyY+x5y6djtCBb72izQVY0k=
=5rjy
-----END PGP SIGNATURE-----

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161114232847.GQ2994%40mail-itl.
For more options, visit https://groups.google.com/d/optout.
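Marek's fix above amounts to editing the dom0 kernel command line in the EFI boot config. As an added example (not code from the thread or from the Qubes project), here is a small Python helper that removes that parameter from the `kernel=` lines of a Qubes 3.2-style `xen.cfg` / `bootx64.cfg` and leaves every other line alone. The sample config is constructed, and the names `strip_kernel_param`, `has_kernel_param` and `rewrite_config_file` are chosen here. Dropping the flag is what lets dom0 drive the USB keyboard at the passphrase prompt, but it also means every attached USB device talks to dom0's driver stack until a USB VM (if any) takes the controllers over, which is exactly the exposure the flag exists to avoid.

```python
"""Drop rd.qubes.hide_all_usb from the dom0 kernel command line in a Qubes EFI config.

Only lines starting with 'kernel=' are rewritten; sections, 'options=' and
'ramdisk=' lines pass through untouched. The parameter is matched as a whole
whitespace-separated token (bare flag or 'param=value'), so a lookalike such
as 'rd.qubes.hide_all_usb_extra' (hypothetical) would survive.
"""
import shutil
from typing import Tuple

PARAM = "rd.qubes.hide_all_usb"

# Constructed sample in the Qubes 3.2 xen.cfg / bootx64.cfg style, not copied
# from any real machine. Two kernel= lines stand in for the usual
# verbose / non-verbose boot entries.
SAMPLE_CFG = """\
[global]
default=qubes-verbose

[qubes-verbose]
options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx
kernel=vmlinuz-4.4.14-11.pvops.qubes.x86_64 root=/dev/mapper/qubes_dom0-root rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap rhgb quiet rd.qubes.hide_all_usb
ramdisk=initramfs-4.4.14-11.pvops.qubes.x86_64.img

[qubes]
options=dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx
kernel=vmlinuz-4.4.14-11.pvops.qubes.x86_64 root=/dev/mapper/qubes_dom0-root rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap rd.qubes.hide_all_usb
ramdisk=initramfs-4.4.14-11.pvops.qubes.x86_64.img
"""


def _is_param(token: str, param: str) -> bool:
    # Match the bare flag or a 'param=value' form, nothing looser.
    return token == param or token.startswith(param + "=")


def has_kernel_param(cfg_text: str, param: str = PARAM) -> bool:
    """True if any kernel= line in the config carries the parameter."""
    for line in cfg_text.splitlines():
        if line.startswith("kernel="):
            if any(_is_param(t, param) for t in line[len("kernel="):].split()):
                return True
    return False


def strip_kernel_param(cfg_text: str, param: str = PARAM) -> Tuple[str, int]:
    """Return (rewritten config text, number of tokens removed)."""
    out = []
    removed = 0
    for line in cfg_text.splitlines():
        if line.startswith("kernel="):
            tokens = line[len("kernel="):].split()
            kept = [t for t in tokens if not _is_param(t, param)]
            removed += len(tokens) - len(kept)
            line = "kernel=" + " ".join(kept)
        out.append(line)
    new_text = "\n".join(out)
    if cfg_text.endswith("\n"):
        new_text += "\n"
    return new_text, removed


def rewrite_config_file(path: str, param: str = PARAM) -> int:
    """Rewrite the file in place (keeping a .bak copy) and return tokens removed.

    Meant to be run as root in dom0 against the mounted EFI system partition;
    nothing is written when the parameter is absent.
    """
    with open(path, "r", encoding="utf-8") as fh:
        text = fh.read()
    new_text, removed = strip_kernel_param(text, param)
    if removed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return removed


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(f"{sys.argv[1]}: removed {rewrite_config_file(sys.argv[1])} token(s)")
    else:
        new, n = strip_kernel_param(SAMPLE_CFG)
        print(f"sample: removed {n} token(s)\n{new}")
```

Run without arguments it rewrites the constructed sample and prints the result; with a path it edits that file and keeps a `.bak` beside it. Re-adding the parameter afterwards (once a USB VM is set up and a non-USB input path exists) is the reverse edit and is worth doing, since dom0 USB exposure is the reason the flag is on by default.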


[qubes-users] selfsecure systems - redunancy?

2016-11-14 Thread Vít Šesták
Well, I have considered something similar in the past. My objective was 
slightly different (backdoors vs. vulnerable code), but the reasoning why it is 
not as useful an idea as it might look will be similar:

1. It cannot prevent some kind of attacks because of covert channels.
2. It can actually lower the level of security.
3. Not as easy to implement.

I am not saying it is totally useless. There might be some cases where security 
benefits outweigh security drawbacks and where this is easy to implement. I 
cannot name any such case, though.

More details about issues:

1. Even when you use two physically separate machines and tinfoil them in 
various ways (sound isolation, heat isolation, countermeasures against power 
analysis), you cannot remove all the covert channels. It is hard (though in 
some special cases possible) to remove timing side channel. But when one 
computation gives a different result, it can be also some covert channel. Sure, 
if someone reads logs, she might find something suspicious.

Well, it can prevent for example directory traversal attacks if one of the 
implementations is non-vulnerable or if there is no attack payload that 
succeeds in both systems. But it can hardly prevent data leak from a RCEd 
system.

2. One might argue: If it prevents some vulnerabilities, it is better than 
nothing, isn't it? Well, this is not always the case. If we consider RCE 
vulnerabilities (where I assume that we cannot prevent data leaks), attacker 
can choose which system to attack.

3. There are many practical difficulties. I can show some of them on a web 
browser:

* There are some random-based protocols, e.g. TLS. Even if there is the 
same source for random numbers (unrealistic for some major reasons, e.g. race 
conditions), two completely different libraries can use it slightly differently 
and generate different numbers. In TLS, this would result in two different VMs 
trying to read/write different traffic.
* Differences in implementation: Different browsers support different 
ciphersuites and protocols. They will also send a different UserAgent header. 
Maybe they will render the same pages slightly differently (e.g. even 
different rounding can affect this). SQL queries might differ slightly, but it 
is hard to find out that they are essentially the same.
* How would you handle persistent state?

Whenever you feel this could be a viable way, ask yourself: Isn't there an even 
cheaper way for reaching the goal?

Regards,
Vít Šesták 'v6ak'

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bc668468-b90d-4fe9-a2b6-ce5da2c241b5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
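To make the first and third points above concrete, here is an added illustration in Python (my own, not code from the thread): a request is resolved by two independent path-resolver implementations and accepted only when they agree. The web root, the three resolver variants and the verdict names are assumptions chosen for the example, and nothing touches the real filesystem. It shows the case Vít grants (a traversal payload that fools only one implementation is caught as a divergence), the case he warns about (a payload both implementations accept passes unnoticed), and, through the audit list, where "someone reads logs" would come in. Agreement is all the comparator checks; it says nothing about what a compromised implementation leaks through timing or another covert channel while still returning the expected answer.

```python
"""Two-implementation ("redundant") path resolution with a divergence check.

Added illustration for the discussion above; not code from the thread. The
web root, the resolver variants and the verdict strings are chosen here. No
filesystem is touched: paths are handled as strings with posixpath.
"""
import posixpath
from typing import Callable, List, Optional, Tuple

WEB_ROOT = "/srv/www"
Resolver = Callable[[str], Optional[str]]


def resolve_naive(requested: str) -> Optional[str]:
    """Implementation A: join + normalise, but never checks that the result
    stays under WEB_ROOT. Deliberately vulnerable to '../' traversal."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, requested))


def resolve_naive_strip(requested: str) -> Optional[str]:
    """Implementation A': a different buggy attempt that strips exactly one
    leading '../' and otherwise behaves like A. Deliberately weak."""
    cleaned = requested[3:] if requested.startswith("../") else requested
    return posixpath.normpath(posixpath.join(WEB_ROOT, cleaned))


def resolve_hardened(requested: str) -> Optional[str]:
    """Implementation B: normalise, then refuse anything outside WEB_ROOT."""
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, requested))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


def redundant_resolve(requested: str, impl_a: Resolver, impl_b: Resolver,
                      audit: Optional[List[str]] = None) -> Tuple[str, Optional[str]]:
    """Run both resolvers and accept only a result they agree on.

    Verdicts: 'ok' (both agree on an in-root path), 'rejected' (both refused),
    'disagree' (results differ; the request is dropped and recorded in the
    audit list because one implementation may have been fooled).
    """
    a, b = impl_a(requested), impl_b(requested)
    if a != b:
        if audit is not None:
            audit.append(f"divergence on {requested!r}: {a!r} vs {b!r}")
        return "disagree", None
    if a is None:
        return "rejected", None
    return "ok", a


if __name__ == "__main__":
    audit_log: List[str] = []
    cases = [
        ("index.html", resolve_naive, resolve_hardened),        # agree, served
        ("../../etc/passwd", resolve_naive, resolve_hardened),  # A fooled, B not: caught
        ("../../etc/passwd", resolve_naive, resolve_naive_strip),    # both buggy, differently: caught
        ("../../../etc/passwd", resolve_naive, resolve_naive_strip), # both buggy, same answer: missed
    ]
    for req, x, y in cases:
        print(req, "->", redundant_resolve(req, x, y, audit=audit_log))
    print("\n".join(audit_log))
```

The last case is the limitation stated in the post: when both implementations share a weakness, redundancy adds nothing, and the attacker only needs one input both accept. The first bullet of point 3 follows from the same mechanism in reverse: feed two independent TLS stacks the same handshake and their randomly chosen nonces differ on every connection, so a comparator like this one would flag every legitimate session as a divergence.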


Re: [qubes-users] Fedora 24 template available for Qubes 3.2

2016-11-14 Thread Gaijin

On 2016-11-14 06:42, Gaijin wrote:

> On 2016-11-13 23:33, Marek Marczykowski-Górecki wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> On Sun, Nov 13, 2016 at 11:12:34PM +, Gaijin wrote:
>>> I have several templates based on Fedora 23 where I've installed various
>>> software. When I follow the manual upgrade instructions the update proceeds
>>> without error. However, when I get to the step where I am supposed to trim
>>> the newly upgraded templates I get an error.
>>>
>>> ...
>>> File "/usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py", line 1854, in start_quexec_daemon
>>> raise OSError ("Cannot execute qrexec-daemon!")
>>>
>>> I cannot open a terminal in these templates, nor can I base AppVMs on them.
>>> I just get the qrexec-daemon error.
>>
>> You can access its console using `sudo xl console fedora-24`. Look for
>> some failed service startup messages. You can login as root without
>> password to perform further investigation - like call `systemctl` or
>> `journalctl -b`.
>>
>>> My Fedora 24 template works fine.
>>
>> I guess you've meant 23 here? Otherwise, what's the problem?
>>
>> - --
>> Best Regards,
>> Marek Marczykowski-Górecki
>> Invisible Things Lab
>> A: Because it messes up the order in which people normally read text.
>> Q: Why is top-posting such a bad thing?
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2
>>
>> iQEcBAEBCAAGBQJYKPgwAAoJENuP0xzK19csGVMIAJdJDwXaWHXsOqvFnsvt7c32
>> eogiGZ50ju+1Xcl67qCLuX9mOQHQYDOhUWOMaAfa79R4F98hIWhF4LaotxxM2RUr
>> UIBVq/4tX3mx3DNZQUXGx+91J1S2/wPJ5YGUQhJio7MTUn+OTX7qyu4u5aDnt/jx
>> QHuZfqE+aI0micLn/8KWV1OyPNcMrOZjWqrEdOSb2Fu5JxXkD+KznZ1DKIZJ9G57
>> BFDe7Fp8n3yyah4wnjQYe/BkvOoZf2lKzdt4ls4ATowwAHpQibtZkks1y+Q39ZdR
>> K9oGbh7UNtMRDSJTxQx7+C65+6Cf+m/ek1kDu5Qv+D4blip7ggb8zEE1JAlCxzM=
>> =wAc/
>> -----END PGP SIGNATURE-----
>
>> I guess you've meant 23 here? Otherwise, what's the problem?
>
> No, I meant the updated fedora-24 template.
>
> Updating the fedora-23 template, which I haven't made changes to, to
> fedora-24 works fine. No update errors. No trim errors. It updated and
> works fine with Fedora 24 following the manual update instructions. I
> switched my AppVMs that used fedora-23 to use this new template and I
> don't see any issues.
>
> All of my other Fedora 23 templates, where I had added different
> software, are the ones that failed at the "trim" stage of the
> manual upgrade process. None of those are functioning now.
>
> I haven't had a chance to try checking for failed service startup
> messages yet as I don't have access to the machine right now, but will
> report back.


systemctl doesn't show anything abnormal
systemctl --all shows several not found inactive dead listings
ex.
livesys.service
ntpd.service
qubes-core.service
qubes-dvm.service
qubes-firewall.service
qubes-iptables.service
qubes-misc-post.service
qubes-mount-dirs.service
qubes-mount-home.service
qubes-netwatcher.service
qubes-network.service
qubes-qmemman.service
qubes-qrexec.service
qubes-random-seed.service
qubes-sysinit.service
qubes-updates-proxy.service
sntp.service
syslog.service
ypbind.service
sys-log.service
qubes-update-check.service

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3986ad734b085a6bef8bac4d5bf566a2%40riseup.net.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: One step foerward, two steps back on Macbook 11,1 - can't boot into Qubes

2016-11-14 Thread dumbcyber
On Tuesday, 15 November 2016 09:02:56 UTC+11, dumbcyber  wrote:
> On Tuesday, 15 November 2016 08:47:30 UTC+11, dumbcyber  wrote:
> > From the beginning I have to ask for forgiveness - I am new to Qubes and 
> > have no knowledge of changing boot managers beyond trial and error.
> > 
> > My hardware is a Macbook 11,1. In fact I don't have any other machines at 
> > home.
> > 
> > I want to create a bootable USB drive with Qubes R3.2. I had the usual 
> > problem of seeing the 4-item menu to install but nothing working regardless 
> > of option chosen.  I tried some forum suggestions like adding /noexitboot=1 
> > to the cfg file. No luck.
> > 
> > I created a working Qubes USB on a Lenovo computer at work. I was able to 
> > create new VM's and set firewall rules. So I know it works.
> > 
> > Then my uninformed head took over. What if I took that USB and tried 
> > booting it on my Macbook? The Macbook does not even recognise the USB at 
> > boot time. If I boot into OSX I can get to the USB drive through terminal 
> > and mount it.
> > 
> > I then tried copying rEFInd to the Qubes USB stick but that just hangs the 
> > Macbook after selecting the EFI boot option. I'm resisting installing 
> > rEFInd on the Macbook itself until I know more about it especially the need 
> > to disable SIP.
> > 
> > My question is: would that even work - copying rEFInd to the working USB 
> > drive built on a Lenovo?  Are there any other options I could try?
> > 
> > Many thanks.
> 
> 
> I also tried copying the EFI/qubes folder to EFI/BOOT and renaming the two 
> xen files to BOOTX64 - this hangs after selecting the EFI boot option on Mac 
> startup.

Stupidly, when I copied EFI/qubes to EFI/BOOT I left the /noexitboot options in 
the CFG file. I removed them from EFI/BOOT/bootx64.cfg and retried.

I can now boot into Qubes as far as the disk password prompt. The progress bar 
on the bottom centre of the screen progresses all the way across but I can not 
enter any characters into the password field.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2a2830e3-47cc-4303-bac7-2d651b4f30b9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: mounting a disk image or volume in app-vm, fast backups

2016-11-14 Thread pixel fairy
On Monday, November 14, 2016 at 5:09:41 PM UTC-5, Chris Laprise wrote:
> Using btrfs as the dom0 filesystem (or a btrfs volume added to a dom0 
> pool) could enable the advantages being sought here. Using either 
> snapshots or reflinks, you can create an offline copy of the VM's 
> private.img, and then attach that to the backup vm. This eliminates the 
> first rsync step.

that would be faster :) but, reinstalling and restoring from backups would take 
a long time. maybe i could run it overnight. 

in the mean time ill try sparse or qcow2 images since those automatically grow 
when needed.
 
> Chris

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8a4ad2fc-6163-4545-bc4e-ed7b85a3bb31%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: mounting a disk image or volume in app-vm, fast backups

2016-11-14 Thread Chris Laprise
Using btrfs as the dom0 filesystem (or a btrfs volume added to a dom0 
pool) could enable the advantages being sought here. Using either 
snapshots or reflinks, you can create an offline copy of the VM's 
private.img, and then attach that to the backup vm. This eliminates the 
first rsync step.


Chris

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1690bdf7-8361-2b5a-6720-9fff629f4ff2%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: One step foerward, two steps back on Macbook 11,1 - can't boot into Qubes

2016-11-14 Thread dumbcyber
On Tuesday, 15 November 2016 08:47:30 UTC+11, dumbcyber  wrote:
> From the beginning I have to ask for forgiveness - I am new to Qubes and have 
> no knowledge of changing boot managers beyond trial and error.
> 
> My hardware is a Macbook 11,1. In fact I don't have any other machines at 
> home.
> 
> I want to create a bootable USB drive with Qubes R3.2. I had the usual 
> problem of seeing the 4-item menu to install but nothing working regardless 
> of option chosen.  I tried some forum suggestions like adding /noexitboot=1 
> to the cfg file. No luck.
> 
> I created a working Qubes USB on a Lenovo computer at work. I was able to 
> create new VM's and set firewall rules. So I know it works.
> 
> Then my uninformed head took over. What if I took that USB and tried booting 
> it on my Macbook? The Macbook does not even recognise the USB at boot time. 
> If I boot into OSX I can get to the USB drive through terminal and mount it.
> 
> I then tried copying rEFInd to the Qubes USB stick but that just hangs the 
> Macbook after selecting the EFI boot option. I'm resisting installing rEFInd 
> on the Macbook itself until I know more about it especially the need to 
> disable SIP.
> 
> My question is: would that even work - copying rEFInd to the working USB 
> drive built on a Lenovo?  Are there any other options I could try?
> 
> Many thanks.


I also tried copying the EFI/qubes folder to EFI/BOOT and renaming the two xen 
files to BOOTX64 - this hangs after selecting the EFI boot option on Mac 
startup.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ad439eb1-2536-4ed7-bf9d-5a8c87efabe1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] DispVM

2016-11-14 Thread Fred
Thanks!

I'll stop trying to get DispVMs working for now then.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a96af410-7d0a-0785-e2a1-9ba1df9dd267%40gmsl.co.uk.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] DispVM

2016-11-14 Thread Unman
On Mon, Nov 14, 2016 at 09:55:36PM +, Unman wrote:
> On Mon, Nov 14, 2016 at 09:39:38PM +, Fred wrote:
> > On 14/11/2016 21:32, Unman wrote: 
> > > Is there anything in /var/log/libvirt/libxl logs?
> > 
> > The following;
> > 
> > 2016-11-14 20:38:15 GMT libxl: error: 
> > libxl_pci.c:1041:libxl__device_pci_reset: The kernel doesn't support reset 
> > from sysfs for PCI device :01:00.1
> > 2016-11-14 20:40:12 GMT xc: error: X86_PV_VCPU_MSRS record truncated: 
> > length 8, min 9: Internal error
> > 2016-11-14 20:40:12 GMT xc: error: Restore failed (0 = Success): Internal 
> > error
> > 2016-11-14 20:40:12 GMT libxl: error: 
> > libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: 
> > Success
> > 2016-11-14 20:40:12 GMT libxl: error: 
> > libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
> > 2016-11-14 20:42:58 GMT xc: error: X86_PV_VCPU_MSRS record truncated: 
> > length 8, min 9: Internal error
> > 2016-11-14 20:42:58 GMT xc: error: Restore failed (0 = Success): Internal 
> > error
> > 2016-11-14 20:42:58 GMT libxl: error: 
> > libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: 
> > Success
> > 2016-11-14 20:42:58 GMT libxl: error: 
> > libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
> > 2016-11-14 20:43:18 GMT xc: error: X86_PV_VCPU_MSRS record truncated: 
> > length 8, min 9: Internal error
> > 2016-11-14 20:43:18 GMT xc: error: Restore failed (0 = Success): Internal 
> > error
> > 2016-11-14 20:43:18 GMT libxl: error: 
> > libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: 
> > Success
> > 2016-11-14 20:43:18 GMT libxl: error: 
> > libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
> > 2016-11-14 20:46:41 GMT xc: error: X86_PV_VCPU_MSRS record truncated: 
> > length 8, min 9: Internal error
> > 2016-11-14 20:46:41 GMT xc: error: Restore failed (0 = Success): Internal 
> > error
> > 2016-11-14 20:46:41 GMT libxl: error: 
> > libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: 
> > Success
> > 2016-11-14 20:46:41 GMT libxl: error: 
> > libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
> > 2016-11-14 20:56:02 GMT xc: error: X86_PV_VCPU_MSRS record truncated: 
> > length 8, min 9: Internal error
> > 2016-11-14 20:56:02 GMT xc: error: Restore failed (0 = Success): Internal 
> > error
> > 2016-11-14 20:56:02 GMT libxl: error: 
> > libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: 
> > Success
> > 2016-11-14 20:56:02 GMT libxl: error: 
> > libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
> > 2016-11-14 20:56:12 GMT xc: error: X86_PV_VCPU_MSRS record truncated: 
> > length 8, min 9: Internal error
> > 2016-11-14 20:56:12 GMT xc: error: Restore failed (0 = Success): Internal 
> > error
> > 2016-11-14 20:56:12 GMT libxl: error: 
> > libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: 
> > Success
> > 2016-11-14 20:56:12 GMT libxl: error: 
> > libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
> > 2016-11-14 21:03:34 GMT xc: error: X86_PV_VCPU_MSRS record truncated: 
> > length 8, min 9: Internal error
> > 2016-11-14 21:03:34 GMT xc: error: Restore failed (0 = Success): Internal 
> > error
> > 2016-11-14 21:03:34 GMT libxl: error: 
> > libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: 
> > Success
> > 2016-11-14 21:03:34 GMT libxl: error: 
> > libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
> > 
> 
> That's a known Xen bug, and patches are available, but I'm not sure if
> they are yet in Qubes - have you done an update in dom0?
> 

Just checked and it's still an open issue - #2182

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161114215858.GE14309%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Intel TXT advice

2016-11-14 Thread entr0py
entr0py:
> taii...@gmx.com:
>> On 11/14/2016 03:12 PM, Eric wrote:
>>> On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote:
>>>> Eric:
>>>>> On Sunday, November 13, 2016 at 10:44:33 PM UTC-8,
>>>>> tai...@gmx.com wrote:
>>>>>> Forgot to say: Purism is just an overpriced quanta/oem
>>>>>> whitebox laptop, it takes 5mil+ of startup funds to do a
>>>>>> small run of *just a motherboard* let alone an entire laptop
>>>>>> computer including the fab for a fancy aluminum case - it is
>>>>>> quite obvious that their components are not "hand selected"
>>>>>> and that they just called up some chinese OEM and asked them
>>>>>> what they had kicking around.
>>>>>>
>>>>>> I can't understand if they are scammers or just really
>>>>>> naive, Instead of making an OpenPower or ARM laptop and
>>>>>> having it be 100% libre from the start they instead do the
>>>>>> dishonest "you'll go to disneyworld one day poor johnny" - If
>>>>>> google can't convince intel to open up FSP/ME then nobody can
>>>>>> - coreboot with FSP is just shimboot (black box FSP - 95% of
>>>>>> the bios work)
>>>>>>
>>>>>> It bothers me quite a lot that they are on the list of
>>>>>> approved vendors when they are a dishonest company.
>>>>> Whoa. Ok, hold on a sec. I did not buy a Purism computer,
>>>>> though not for those reasons - putting a 28W TDP proc in a
>>>>> 15inch "workstation" is absurd to me. as is their lack of a
>>>>> screen configuration. I hear your anger at the gap between what
>>>>> they promise and what they deliver; I'm more displeased on the
>>>>> hardware side of things (though I do like HW kill switches.
>>>>> I've looked into what they promise and understand very well
>>>>> that they don't actually have a very free computer at all,
>>>>> especially on the bios/firmware side.
>>>>>
>>>>> What I actually ordered (and have now cancelled), was a Dell
>>>>> XPS 15". There is no vPro option in the configure menu, though
>>>>> it does support VT-d and SLAT. I've read all of Joanna's
>>>>> papers, and understand the concerns about Intel ME very well.
>>>>> However, on the Dell order, it claimed "ME Disabled." Perhaps
>>>>> they simply meant that vPro/AMT/TXT was disabled, and that was
>>>>> mine and Dell's fault for wishful thinking and false naming,
>>>>> respectively. Please see linked photo: https://d.pr/Q0YZ
>>>>>
>>>> Moral considerations aside, why not buy that Dell and pair it
>>>> with a portable router/firewall like this
>>>> (https://www.compulab.co.il/utilite-computer/web/products)?
>>>> Shouldn't that effectively block out any ME-related mischief or
>>>> do I have a fundamental misunderstanding? It doesn't seem
>>>> possible otherwise to get the type of processing power you're
>>>> looking for in a laptop form-factor.
>>> Also, the concern for me is not ME shenanigans. I'm more concerned
>>> about having TXT for AEM and measured boot, and the consumer Dell
>>> model does not have that (the processor and chipset don't support
>>> it). The other option aside from the Precision 5510, would be a
>>> ThinkPad T460 or T460p, but the downside there is performance (only
>>> SATA-3 SSD), and also the screen quality is terrible.
>>>
>>> Much as I dislike proprietary anything, I might take a second look
>>> at the new MacBook Pros, and run things that need higher security
>>> in a VM or in Whonix.
>>
>> Why would you buy a macbook? You realize those have regular intel processors 
>> and ME too right?
>>
>> Lenovo is owned by the chinese, and dell business laptop (their consumer 
>> line is garbage) is a way better choice than either.
>>
>> It seems you do have (as you said) a fundamental misunderstanding of how 
>> security actually works, and how a router/firewall operates. - thus I don't 
>> think that anyone would be targeting you specifically with a ME exploit.
> 
> (top-posting fixed)
> 
> Despite my "fundamental misunderstanding of how security actually works", I 
> am able to read a thread and keep track of who said what - a skill you seemed 
> to have misplaced in all your wizardry. Also, on your crusade to dismantle 
> Intel and Google, it might behoove you to take a slightly less agressive tack 
> with people who generally share your beliefs cause it seems you're 
> significantly outnumbered as it is.
> 
> Now if you'd like to respond without the obligatory disdain and actually 
> explain something, my questions was: "Is Intel ME/AMT able to bypass 
> firewalls that haven't been specifically configured to support those 
> services?" This entry: 
> https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Communication
>  leads me to think that ME TCP/IP traffic isn't automatically passed-through, 
> but like *I* said, I may have a fundamental misunderstanding of that.
> 

I should add: My question is in the context of independent router/firewalls (on 
separate hardware). I know that firewalls on the same machine as Intel ME have 
no effect because the signals are out-of-band / not OS-dependent.

-- 

Re: [qubes-users] DispVM

2016-11-14 Thread Unman
On Mon, Nov 14, 2016 at 09:39:38PM +, Fred wrote:
> On 14/11/2016 21:32, Unman wrote: 
> > Is there anything in /var/log/libvirt/libxl logs?
> 
> The following;
> 
> 2016-11-14 20:38:15 GMT libxl: error: 
> libxl_pci.c:1041:libxl__device_pci_reset: The kernel doesn't support reset 
> from sysfs for PCI device :01:00.1
> 2016-11-14 20:40:12 GMT xc: error: X86_PV_VCPU_MSRS record truncated: length 
> 8, min 9: Internal error
> 2016-11-14 20:40:12 GMT xc: error: Restore failed (0 = Success): Internal 
> error
> 2016-11-14 20:40:12 GMT libxl: error: 
> libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: 
> Success
> 2016-11-14 20:40:12 GMT libxl: error: 
> libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
> 2016-11-14 20:42:58 GMT xc: error: X86_PV_VCPU_MSRS record truncated: length 
> 8, min 9: Internal error
> 2016-11-14 20:42:58 GMT xc: error: Restore failed (0 = Success): Internal 
> error
> 2016-11-14 20:42:58 GMT libxl: error: 
> libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: 
> Success
> 2016-11-14 20:42:58 GMT libxl: error: 
> libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
> 2016-11-14 20:43:18 GMT xc: error: X86_PV_VCPU_MSRS record truncated: length 
> 8, min 9: Internal error
> 2016-11-14 20:43:18 GMT xc: error: Restore failed (0 = Success): Internal 
> error
> 2016-11-14 20:43:18 GMT libxl: error: 
> libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: 
> Success
> 2016-11-14 20:43:18 GMT libxl: error: 
> libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
> 2016-11-14 20:46:41 GMT xc: error: X86_PV_VCPU_MSRS record truncated: length 
> 8, min 9: Internal error
> 2016-11-14 20:46:41 GMT xc: error: Restore failed (0 = Success): Internal 
> error
> 2016-11-14 20:46:41 GMT libxl: error: 
> libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: 
> Success
> 2016-11-14 20:46:41 GMT libxl: error: 
> libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
> 2016-11-14 20:56:02 GMT xc: error: X86_PV_VCPU_MSRS record truncated: length 
> 8, min 9: Internal error
> 2016-11-14 20:56:02 GMT xc: error: Restore failed (0 = Success): Internal 
> error
> 2016-11-14 20:56:02 GMT libxl: error: 
> libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: 
> Success
> 2016-11-14 20:56:02 GMT libxl: error: 
> libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
> 2016-11-14 20:56:12 GMT xc: error: X86_PV_VCPU_MSRS record truncated: length 
> 8, min 9: Internal error
> 2016-11-14 20:56:12 GMT xc: error: Restore failed (0 = Success): Internal 
> error
> 2016-11-14 20:56:12 GMT libxl: error: 
> libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: 
> Success
> 2016-11-14 20:56:12 GMT libxl: error: 
> libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
> 2016-11-14 21:03:34 GMT xc: error: X86_PV_VCPU_MSRS record truncated: length 
> 8, min 9: Internal error
> 2016-11-14 21:03:34 GMT xc: error: Restore failed (0 = Success): Internal 
> error
> 2016-11-14 21:03:34 GMT libxl: error: 
> libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: 
> Success
> 2016-11-14 21:03:34 GMT libxl: error: 
> libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
> 

That's a known Xen bug, and patches are available, but I'm not sure if
they are yet in Qubes - have you done an update in dom0?

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161114215536.GD14309%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.
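The libxl log Fred posted repeats the same four-line pattern for every DispVM start attempt, and Unman's diagnosis rests on the first `xc:` error in each burst. As an added example (my own, not a Qubes or Xen tool), here is a Python parser for those `/var/log/libvirt/libxl` lines that groups entries by second, counts the failed restores and attributes each to its root cause. The sample log is copied from the lines in this thread (re-joined where the mail wrapped them); the function and field names are chosen here.

```python
"""Summarise DispVM restore failures from /var/log/libvirt/libxl log lines.

Added example for the log posted in this thread; not a Qubes or Xen tool.
SAMPLE_LOG is copied from the lines Fred posted, re-joined where the mail
wrapped them. Function and field names are chosen here.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple

SAMPLE_LOG = """\
2016-11-14 20:38:15 GMT libxl: error: libxl_pci.c:1041:libxl__device_pci_reset: The kernel doesn't support reset from sysfs for PCI device :01:00.1
2016-11-14 20:40:12 GMT xc: error: X86_PV_VCPU_MSRS record truncated: length 8, min 9: Internal error
2016-11-14 20:40:12 GMT xc: error: Restore failed (0 = Success): Internal error
2016-11-14 20:40:12 GMT libxl: error: libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: Success
2016-11-14 20:40:12 GMT libxl: error: libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
2016-11-14 20:42:58 GMT xc: error: X86_PV_VCPU_MSRS record truncated: length 8, min 9: Internal error
2016-11-14 20:42:58 GMT xc: error: Restore failed (0 = Success): Internal error
2016-11-14 20:42:58 GMT libxl: error: libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: Success
2016-11-14 20:42:58 GMT libxl: error: libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
2016-11-14 20:43:18 GMT xc: error: X86_PV_VCPU_MSRS record truncated: length 8, min 9: Internal error
2016-11-14 20:43:18 GMT xc: error: Restore failed (0 = Success): Internal error
2016-11-14 20:43:18 GMT libxl: error: libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: Success
2016-11-14 20:43:18 GMT libxl: error: libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
"""

# 'DATE TIME TZ source: level: message' as libxl writes it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>\S+) "
    r"(?P<src>\w+): (?P<level>\w+): (?P<msg>.*)$"
)
REBUILD_FAILED = "domcreate_rebuild_done: cannot (re-)build domain"


class Entry(NamedTuple):
    ts: str
    src: str    # 'libxl' or 'xc' (libxenctrl)
    level: str
    msg: str


def parse_libxl_log(text: str) -> List[Entry]:
    """Parse the timestamped lines; anything else (e.g. wrapped fragments) is skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["ts"], m["src"], m["level"], m["msg"]))
    return entries


def summarize_restore_failures(text: str) -> dict:
    """Group entries by second; each group that ends in a rebuild failure is one
    failed DispVM start, and the first xc error in that second is taken as the
    root cause (xc reports the restore-stream problem before libxl gives up)."""
    by_second: Dict[str, List[Entry]] = defaultdict(list)
    for e in parse_libxl_log(text):
        by_second[e.ts].append(e)
    failures = []
    for ts, group in by_second.items():
        if not any(REBUILD_FAILED in e.msg for e in group):
            continue
        xc_errors = [e.msg for e in group if e.src == "xc" and e.level == "error"]
        failures.append((ts, xc_errors[0] if xc_errors else "unknown"))
    return {
        "attempts": len(failures),
        "timestamps": [ts for ts, _ in failures],
        "causes": Counter(cause for _, cause in failures),
    }


def is_msr_record_bug(summary: dict) -> bool:
    """True when every failed restore traces back to the truncated
    X86_PV_VCPU_MSRS record, the known Xen bug this thread refers to (#2182)."""
    causes = summary["causes"]
    return bool(causes) and all("X86_PV_VCPU_MSRS record truncated" in c for c in causes)


if __name__ == "__main__":
    s = summarize_restore_failures(SAMPLE_LOG)
    print(f"{s['attempts']} failed DispVM start(s) at {', '.join(s['timestamps'])}")
    for cause, n in s["causes"].most_common():
        print(f"  {n}x {cause}")
    print("matches the X86_PV_VCPU_MSRS restore bug:", is_msr_record_bug(s))
```

Pointed at the real log (`python3 this.py < /var/log/libvirt/libxl/libxl-driver.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), it separates unrelated noise such as the PCI reset warning from the restore failures, so after a dom0 update one can check whether the count stops growing rather than eyeballing repeated lines.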


Re: [qubes-users] One step foerward, two steps back on Macbook 11,1 - can't boot into Qubes

2016-11-14 Thread Chris Laprise

On 11/14/2016 04:47 PM, dumbcyber wrote:

> From the beginning I have to ask for forgiveness - I am new to Qubes and have 
> no knowledge of changing boot managers beyond trial and error.
> 
> My hardware is a Macbook 11,1. In fact I don't have any other machines at home.
> 
> I want to create a bootable USB drive with Qubes R3.2. I had the usual problem 
> of seeing the 4-item menu to install but nothing working regardless of option 
> chosen.  I tried some forum suggestions like adding /noexitboot=1 to the cfg 
> file. No luck.
> 
> I created a working Qubes USB on a Lenovo computer at work. I was able to 
> create new VM's and set firewall rules. So I know it works.
> 
> Then my uninformed head took over. What if I took that USB and tried booting it 
> on my Macbook? The Macbook does not even recognise the USB at boot time. If I 
> boot into OSX I can get to the USB drive through terminal and mount it.
> 
> I then tried copying rEFInd to the Qubes USB stick but that just hangs the 
> Macbook after selecting the EFI boot option. I'm resisting installing rEFInd on 
> the Macbook itself until I know more about it especially the need to disable 
> SIP.
> 
> My question is: would that even work - copying rEFInd to the working USB drive 
> built on a Lenovo?  Are there any other options I could try?
> 
> Many thanks.



Macs are not a good fit for Qubes, but some have gotten the combination 
to work.


I've also found booting non-OSX USB drives to be uncertain. Not sure 
what the EFI options are here, but I do know that Linux is much easier 
to boot on a Mac from DVD.


Chris

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/92cf06c2-f38b-271b-3ece-d4205dfdce0d%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Intel TXT advice

2016-11-14 Thread entr0py
taii...@gmx.com:
> On 11/14/2016 03:12 PM, Eric wrote:
>> On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote:
>>> Eric:
>>>> On Sunday, November 13, 2016 at 10:44:33 PM UTC-8,
>>>> tai...@gmx.com wrote:
>>>>> Forgot to say: Purism is just an overpriced quanta/oem
>>>>> whitebox laptop, it takes 5mil+ of startup funds to do a
>>>>> small run of *just a motherboard* let alone an entire laptop
>>>>> computer including the fab for a fancy aluminum case - it is
>>>>> quite obvious that their components are not "hand selected"
>>>>> and that they just called up some chinese OEM and asked them
>>>>> what they had kicking around.
>>>>> 
>>>>> I can't understand if they are scammers or just really
>>>>> naive, Instead of making an OpenPower or ARM laptop and
>>>>> having it be 100% libre from the start they instead do the
>>>>> dishonest "you'll go to disneyworld one day poor johnny" - If
>>>>> google can't convince intel to open up FSP/ME then nobody can
>>>>> - coreboot with FSP is just shimboot (black box FSP - 95% of
>>>>> the bios work)
>>>>> 
>>>>> It bothers me quite a lot that they are on the list of
>>>>> approved vendors when they are a dishonest company.
>>>> Whoa. Ok, hold on a sec. I did not buy a Purism computer,
>>>> though not for those reasons - putting a 28W TDP proc in a
>>>> 15inch "workstation" is absurd to me. as is their lack of a
>>>> screen configuration. I hear your anger at the gap between what
>>>> they promise and what they deliver; I'm more displeased on the
>>>> hardware side of things (though I do like HW kill switches.
>>>> I've looked into what they promise and understand very well
>>>> that they don't actually have a very free computer at all,
>>>> especially on the bios/firmware side.
>>>> 
>>>> What I actually ordered (and have now cancelled), was a Dell
>>>> XPS 15". There is no vPro option in the configure menu, though
>>>> it does support VT-d and SLAT. I've read all of Joanna's
>>>> papers, and understand the concerns about Intel ME very well.
>>>> However, on the Dell order, it claimed "ME Disabled." Perhaps
>>>> they simply meant that vPro/AMT/TXT was disabled, and that was
>>>> mine and Dell's fault for wishful thinking and false naming,
>>>> respectively. Please see linked photo: https://d.pr/Q0YZ
>>>> 
>>> Moral considerations aside, why not buy that Dell and pair it
>>> with a portable router/firewall like this
>>> (https://www.compulab.co.il/utilite-computer/web/products)?
>>> Shouldn't that effectively block out any ME-related mischief or
>>> do I have a fundamental misunderstanding? It doesn't seem
>>> possible otherwise to get the type of processing power you're
>>> looking for in a laptop form-factor.
>> Also, the concern for me is not ME shenanigans. I'm more concerned
>> about having TXT for AEM and measured boot, and the consumer Dell
>> model does not have that (the processor and chipset don't support
>> it). The other option aside from the Precision 5510, would be a
>> ThinkPad T460 or T460p, but the downside there is performance (only
>> SATA-3 SSD), and also the screen quality is terrible.
>> 
>> Much as I dislike proprietary anything, I might take a second look
>> at the new MacBook Pros, and run things that need higher security
>> in a VM or in Whonix.
> 
> Why would you buy a macbook? You realize those have regular intel processors 
> and ME too right?
> 
> Lenovo is owned by the chinese, and dell business laptop (their consumer line 
> is garbage) is a way better choice than either.
> 
> It seems you do have (as you said) a fundamental misunderstanding of how 
> security actually works, and how a router/firewall operates. - thus I don't 
> think that anyone would be targeting you specifically with a ME exploit.

(top-posting fixed)

Despite my "fundamental misunderstanding of how security actually works", I am 
able to read a thread and keep track of who said what - a skill you seemed to 
have misplaced in all your wizardry. Also, on your crusade to dismantle Intel 
and Google, it might behoove you to take a slightly less aggressive tack with 
people who generally share your beliefs cause it seems you're significantly 
outnumbered as it is.

Now if you'd like to respond without the obligatory disdain and actually 
explain something, my question was: "Is Intel ME/AMT able to bypass firewalls 
that haven't been specifically configured to support those services?" This 
entry: 
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Communication 
leads me to think that ME TCP/IP traffic isn't automatically passed-through, 
but like *I* said, I may have a fundamental misunderstanding of that.

[qubes-users] One step forward, two steps back on Macbook 11,1 - can't boot into Qubes

2016-11-14 Thread dumbcyber
From the beginning I have to ask for forgiveness - I am new to Qubes and have 
no knowledge of changing boot managers beyond trial and error.

My hardware is a Macbook 11,1. In fact I don't have any other machines at home.

I want to create a bootable USB drive with Qubes R3.2. I had the usual problem 
of seeing the 4-item menu to install but nothing working regardless of option 
chosen.  I tried some forum suggestions like adding /noexitboot=1 to the cfg 
file. No luck.

I created a working Qubes USB on a Lenovo computer at work. I was able to 
create new VM's and set firewall rules. So I know it works.

Then my uninformed head took over. What if I took that USB and tried booting it 
on my Macbook? The Macbook does not even recognise the USB at boot time. If I 
boot into OSX I can get to the USB drive through terminal and mount it.

I then tried copying rEFInd to the Qubes USB stick but that just hangs the 
Macbook after selecting the EFI boot option. I'm resisting installing rEFInd on 
the Macbook itself until I know more about it especially the need to disable 
SIP.

My question is: would that even work - copying rEFInd to the working USB drive 
built on a Lenovo?  Are there any other options I could try?

Many thanks.



Re: [qubes-users] Re: Please help, can't get into Qubes

2016-11-14 Thread Marek Marczykowski-Górecki

On Mon, Nov 14, 2016 at 01:31:28PM +, Fred wrote:
> On 12/11/2016 08:27, Alex wrote:
> > Try editing /var/lib/qubes/qubes.xml and set "autostart" to False 
> > instead of True for the sys-net vm
> 
> I had actually found this file and tried setting the autostart attribute
> but the VM still auto-started.
> 
> I also tried editing the sys-net XML file directly (removing the bad
> assigned device(s)). There was a warning in the comments at the top
> about this file about changes potentially being overwritten but I
> couldn't find the correct file to make these changes manually. This file
> also existed in more than one place and the qvm-* commands didn't work
> as they couldn't connect.
> 
> In any case I just reinstalled as it was quicker.
> 
> The offline mode of the qvm-* commands may have worked (referred to in
> the link in Marek's response). Or maybe disabling the sysVM service via
> systemctl ?

Both should work. As for services, you need to disable:
 - qubes-netvm.service
 - qubes-vm@sys-net.service (this is really what 'autostart' VM property
   really does)
 - qubes-vm@sys-firewall.service - and any other using sys-net for its
   network - or set those to not use sys-net.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [qubes-users] cannot boot into qubes: drive not detected as boot device (EFI)

2016-11-14 Thread Marek Marczykowski-Górecki

On Mon, Nov 14, 2016 at 08:42:41AM -0800, Francesco Rmp wrote:
> Hello everyone,
> thanks in advance for your support.
> 
> I'm new to qubes but not to linux in general and I'm having a bad issue with 
> my qubes installation.
> 
> I have a qubes 3.2 installation on an external USB drive (because $reasons) 
> and it's not willing to boot, my system doesn't even detect it as a bootable 
> device, for reasons i really don't know.
> 
> The partition layout is as follows:
> 
> 32MB unallocated space (i think for GPT alignment reasons)
> 192MB FAT16 EFI System partition
> 512MB ext4 /boot partition
> my LUKS root partition
> other 60MB unallocated (again i think for alignment reasons but meh, anyway 
> who cares)
> 
> in the EFI FAT16 partition i have the following files
> 
> EFI/qubes/
>initramfs-4.4.14-1.pvops.qubes.x86_64.img
>vmlinuz-4.4.14-1.pvops.qubes.x86_64
>xen-4.6.1.efi
>xen.cfg
>xen.efi
> 
> while in the /boot partition i have all the usual grub related files and 
> kernel images.
> 
> i've tried booting into rescue mode from the installation media in an attempt 
> to restore the grub bootloader, what i generally do in a traditional linux 
> distro is chrooting into my installation and then manually restore grub, but 
> in my / i can't find anything grub or grub2 related that i can use to 
> reinstall the bootloader, so i'm a bit stuck.
> 
> any advice on how to rescue my qubes installation so that i can boot into it 
> again?

Some EFI BIOSes handle external drives differently in looking for
what to boot... Try this:
1. Copy EFI/qubes/ to EFI/BOOT/
2. Rename EFI/BOOT/xen.efi to EFI/BOOT/BOOTX64.efi
3. Rename EFI/BOOT/xen.cfg to EFI/BOOT/BOOTX64.cfg

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

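Marek's three steps above, as an added shell example that is not code from the thread or from Qubes OS: it assumes the USB drive's EFI System Partition is already mounted at the path passed as the first argument, copies EFI/qubes/ to the removable-media fallback path EFI/BOOT/, renames the loader and its config, and refuses to clobber an existing BOOTX64.efi (another OS sharing the ESP may own it) unless "--force" is passed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qubes OS.
# Populate the removable-media fallback path EFI/BOOT/BOOTX64.efi from the
# Qubes loader in EFI/qubes/, for firmware that only looks at the fallback
# path on external drives. Assumes the ESP is already mounted at "$1".
# Pass "--force" as "$2" to overwrite an existing BOOTX64.efi.

make_fallback_bootloader() {
    esp="$1"
    force="${2:-}"
    src="$esp/EFI/qubes"
    dst="$esp/EFI/BOOT"

    # Sanity checks: the tree must look like the ESP layout in the thread.
    [ -f "$src/xen.efi" ] || { echo "missing $src/xen.efi" >&2; return 1; }
    [ -f "$src/xen.cfg" ] || { echo "missing $src/xen.cfg" >&2; return 1; }
    if [ -e "$dst/BOOTX64.efi" ] && [ "$force" != "--force" ]; then
        echo "$dst/BOOTX64.efi already exists; pass --force to replace it" >&2
        return 2
    fi

    # Step 1: copy EFI/qubes/ to EFI/BOOT/. The whole directory is needed, not
    # just the loader: xen.cfg names the kernel and initramfs by bare filename,
    # which xen.efi resolves relative to its own directory.
    mkdir -p "$dst"
    cp -p "$src"/* "$dst"/

    # Step 2: on the fallback path the loader must be called BOOTX64.efi.
    mv "$dst/xen.efi" "$dst/BOOTX64.efi"

    # Step 3: xen.efi reads the .cfg that shares its own basename, so the
    # config has to be renamed together with the loader.
    mv "$dst/xen.cfg" "$dst/BOOTX64.cfg"

    # Show what the firmware will find on the fallback path.
    ls -l "$dst"
}

# Example invocation for a USB ESP mounted by hand (the path is a placeholder):
# make_fallback_bootloader /mnt/esp
```

Running it a second time without "--force" returns 2 and changes nothing, so it is safe to re-run after checking what is already on the ESP.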


Re: [qubes-users] DispVM

2016-11-14 Thread Fred
On 14/11/2016 21:32, Unman wrote: 
> Is there anything in /var/log/libvirt/libxl logs?

The following;

2016-11-14 20:38:15 GMT libxl: error: libxl_pci.c:1041:libxl__device_pci_reset: 
The kernel doesn't support reset from sysfs for PCI device :01:00.1
2016-11-14 20:40:12 GMT xc: error: X86_PV_VCPU_MSRS record truncated: length 8, 
min 9: Internal error
2016-11-14 20:40:12 GMT xc: error: Restore failed (0 = Success): Internal error
2016-11-14 20:40:12 GMT libxl: error: 
libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: Success
2016-11-14 20:40:12 GMT libxl: error: 
libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
2016-11-14 20:42:58 GMT xc: error: X86_PV_VCPU_MSRS record truncated: length 8, 
min 9: Internal error
2016-11-14 20:42:58 GMT xc: error: Restore failed (0 = Success): Internal error
2016-11-14 20:42:58 GMT libxl: error: 
libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: Success
2016-11-14 20:42:58 GMT libxl: error: 
libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
2016-11-14 20:43:18 GMT xc: error: X86_PV_VCPU_MSRS record truncated: length 8, 
min 9: Internal error
2016-11-14 20:43:18 GMT xc: error: Restore failed (0 = Success): Internal error
2016-11-14 20:43:18 GMT libxl: error: 
libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: Success
2016-11-14 20:43:18 GMT libxl: error: 
libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
2016-11-14 20:46:41 GMT xc: error: X86_PV_VCPU_MSRS record truncated: length 8, 
min 9: Internal error
2016-11-14 20:46:41 GMT xc: error: Restore failed (0 = Success): Internal error
2016-11-14 20:46:41 GMT libxl: error: 
libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: Success
2016-11-14 20:46:41 GMT libxl: error: 
libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
2016-11-14 20:56:02 GMT xc: error: X86_PV_VCPU_MSRS record truncated: length 8, 
min 9: Internal error
2016-11-14 20:56:02 GMT xc: error: Restore failed (0 = Success): Internal error
2016-11-14 20:56:02 GMT libxl: error: 
libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: Success
2016-11-14 20:56:02 GMT libxl: error: 
libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
2016-11-14 20:56:12 GMT xc: error: X86_PV_VCPU_MSRS record truncated: length 8, 
min 9: Internal error
2016-11-14 20:56:12 GMT xc: error: Restore failed (0 = Success): Internal error
2016-11-14 20:56:12 GMT libxl: error: 
libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: Success
2016-11-14 20:56:12 GMT libxl: error: 
libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3
2016-11-14 21:03:34 GMT xc: error: X86_PV_VCPU_MSRS record truncated: length 8, 
min 9: Internal error
2016-11-14 21:03:34 GMT xc: error: Restore failed (0 = Success): Internal error
2016-11-14 21:03:34 GMT libxl: error: 
libxl_stream_read.c:749:libxl__xc_domain_restore_done: restoring domain: Success
2016-11-14 21:03:34 GMT libxl: error: 
libxl_create.c:1145:domcreate_rebuild_done: cannot (re-)build domain: -3




Re: [qubes-users] DispVM

2016-11-14 Thread Unman
On Mon, Nov 14, 2016 at 09:12:08PM +, Fred wrote:
> On 14/11/2016 17:56, Unman wrote:
> 
> > I'm not aware of any particular issues, although there have been some
> > reports of issues with customisation.
> 
> Here is what I get after removing and recreating. No errors and the save
> file says it was created OK. I found an xterm command to run in dom0 to
> try and debug and I got the following;
> 
> time=1479157412.67, qfile-daemon-dvm init
> time=1479157412.67, creating DispVM
> time=1479157412.82, collection loaded
> time=1479157412.91, VM created
> time=1479157412.97, VM starting
> time=1479157412.97, creating config file
> time=1479157413.32, calling restore
> Traceback (most recent call last):
>   File "/usr/lib/qubes/qfile-daemon-dvm", line 200, in <module>
> main()
>   File "/usr/lib/qubes/qfile-daemon-dvm", line 188, in main
> dispvm = qfile.get_dvm()
>   File "/usr/lib/qubes/qfile-daemon-dvm", line 150, in get_dvm
> return self.do_get_dvm()
>   File "/usr/lib/qubes/qfile-daemon-dvm", line 103, in do_get_dvm
> dispvm.start()
>   File
> "/usr/lib64/python2.7/site-packages/qubes/modules/01QubesDisposableVm.py",
> line 193, in start
> domain_config, libvirt.VIR_DOMAIN_SAVE_PAUSED)
>   File "/usr/lib64/python2.7/site-packages/libvirt.py", line 4405, in
> restoreFlags
> if ret == -1: raise libvirtError ('virDomainRestoreFlags() failed',
> conn=self)
> libvirt.libvirtError: internal error: libxenlight failed to restore
> domain 'disp7'
> 
> 

Is there anything in /var/log/libvirt/libxl logs?



Re: [qubes-users] Re: Restoring VM causes drive to fill but it isn't full..

2016-11-14 Thread Marek Marczykowski-Górecki

On Sun, Nov 13, 2016 at 11:12:36PM -0800, Drew White wrote:
> On Monday, 14 November 2016 17:19:43 UTC+11, Drew White  wrote:
> > Hi folks,
> > 
> > 
> > I'm trying to restore a guest.
> > I have / which has 2.1 GB free. (The root drive where things exist)
> > Then I have my /var/lib/qubes with 78 GB free. (drive which contains all my 
> > Guests)
> > 
> > I try to restore a guest which takes up ~ 48 GB.
> > 
> > Upon initialising the restore script, my / drive starts to fill up 
> > completely.
> > And then the software says it has errors (specifically, no space left on 
> > drive).
> > 
> > It's already extracted a file list to the correct directory on 
> > /var/lib/qubes.
> > 
> > Why does it tell me the drive is full when there is over 78 GB free and it 
> > should be using /var/lib/qubes not / ?
> > 
> > Is this a bug in the Qubes Restore?
> 
> Only way I found to work around this bug is to perform the following..
> 
> On secondary drive create a directory for holding information..
> Get to the second stage of the restore.
> Open the /var/tmp directory.
> Delete the restore_XX directory
> Create a link of that name in the /var/tmp directory that links to the 
> directory on the other drive.
> 
> Doing this meant that the actual usage of drive space never went over 200 MB 
> for that folder.
> 
> The system was unable to extract the menus and apps.templates directory and a 
> few other meaningless things that wouldn't prevent the system from working.
> 
> Why when it's targeting in your /var/tmp directory does it absorb the / disk 
> drive in a matter of seconds?
> 
> Is it just a bug in the code somewhere?
> Or is it a file system thing?
> Or is it the "stick-bit" ?
> 
> I created a new directory there with no sticky bit, and the entire restore 
> utility couldn't extract to that directory.
> 
> Only way around it was to create the new directory and link it to a folder on 
> the storage drive.

Yes, /var/tmp is used to restore the data and there is (currently) no
option to use an alternative location. So your method of symlinking
/var/tmp is currently one of the best things you can do...

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [qubes-users] mounting a disk image or volume in app-vm, fast backups

2016-11-14 Thread Unman
On Mon, Nov 14, 2016 at 12:33:17PM -0800, Connor Page wrote:
> On Monday, 14 November 2016 19:24:06 UTC, Unman  wrote:
> > qvm-block -A allows you to attach an image file to a qube.
> 
> BTW, what's the correct way to detach one image file? it's not mentioned in 
> the man page :(
> 

qvm-block -A dst src:/home/user/foo.iso

Creates /dev/xvd[i,j..] on dst

To detach, use:
qvm-block -d dst -f xvd[i,j..]

That is, use -f to specify the device name



Re: [qubes-users] DispVM

2016-11-14 Thread Fred
On 14/11/2016 17:56, Unman wrote:

> I'm not aware of any particular issues, although there have been some
> reports of issues with customisation.

Here is what I get after removing and recreating. No errors and the save
file says it was created OK. I found an xterm command to run in dom0 to
try and debug and I got the following;

time=1479157412.67, qfile-daemon-dvm init
time=1479157412.67, creating DispVM
time=1479157412.82, collection loaded
time=1479157412.91, VM created
time=1479157412.97, VM starting
time=1479157412.97, creating config file
time=1479157413.32, calling restore
Traceback (most recent call last):
  File "/usr/lib/qubes/qfile-daemon-dvm", line 200, in <module>
main()
  File "/usr/lib/qubes/qfile-daemon-dvm", line 188, in main
dispvm = qfile.get_dvm()
  File "/usr/lib/qubes/qfile-daemon-dvm", line 150, in get_dvm
return self.do_get_dvm()
  File "/usr/lib/qubes/qfile-daemon-dvm", line 103, in do_get_dvm
dispvm.start()
  File
"/usr/lib64/python2.7/site-packages/qubes/modules/01QubesDisposableVm.py",
line 193, in start
domain_config, libvirt.VIR_DOMAIN_SAVE_PAUSED)
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 4405, in
restoreFlags
if ret == -1: raise libvirtError ('virDomainRestoreFlags() failed',
conn=self)
libvirt.libvirtError: internal error: libxenlight failed to restore
domain 'disp7'




Re: [qubes-users] Where to bulk-download mailing list archives?

2016-11-14 Thread Marek Marczykowski-Górecki

On Mon, Nov 14, 2016 at 01:21:29AM -0500, Jean-Philippe Ouellet wrote:
> Does anyone know of a convenient place to grab the complete archives
> of this list? (and qubes-devel too?)
> 
> With the (lets hope indeed temporary) death of gmane and its nntp
> interface, I lost the only easy way I knew of to bulk-download the
> entire history of arbitrary mailing lists for offline grepping.
> 
> I'd rather not write yet another one-off web crawler if I don't need to...

I don't know how to download it from google, but I know how to download
it from my personal mailbox ;) This is what was uploaded to gmane.

https://ftp.qubes-os.org/~marmarek/qubes-users.tar.gz
https://ftp.qubes-os.org/~marmarek/qubes-devel.tar.gz

Archives are from May. I can upload newer, but better find some service
which would do that - some gmane alternative.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [qubes-users] mounting a disk image or volume in app-vm, fast backups

2016-11-14 Thread Connor Page
On Monday, 14 November 2016 19:24:06 UTC, Unman  wrote:
> qvm-block -A allows you to attach an image file to a qube.

BTW, what's the correct way to detach one image file? it's not mentioned in the 
man page :(



Re: [qubes-users] Thoughts on Qubes OS Security... Could be improved.

2016-11-14 Thread Marek Marczykowski-Górecki

On Mon, Nov 14, 2016 at 02:44:40AM -0800, Sec Tester wrote:
> > 
> > Why not grsecurity/PaX? especially with Qubes 4 switching to HVM (or PVHv2 
> > or whatever it's called now), it will apparently work fine.
> 
> Nice suggestion. I would certainly welcome its implementation.
> 
> Actually looks like there were successful efforts to implement this back in 
> 2013. 
> 
> https://groups.google.com/forum/#!topic/qubes-devel/l5mi2dklu18
> 
> Seriously, why didn't qubes pick this up and run with it?

There is ongoing work on this:
https://github.com/coldhakca/coldkernel/issues/35


-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [qubes-users] Re: Improvement: check disk space before copy to VM

2016-11-14 Thread Jean-Philippe Ouellet
On Mon, Nov 14, 2016 at 2:42 PM, Jean-Philippe Ouellet  wrote:
> On Mon, Nov 14, 2016 at 5:49 AM, Sec Tester  wrote:
>> Could open up a vulnerability if not done carefully.
>>
>> VM could use it to query and identify other VMs in existence on the system.
>
> There are already several timing side-channel ways to do that.
>
> Example: ...

Created an issue for this because it's really off-topic for this thread:
https://github.com/QubesOS/qubes-issues/issues/2436



Re: [qubes-users] Re: Intel TXT advice

2016-11-14 Thread Eric
On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote:
> Eric:
> > On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, tai...@gmx.com
> > wrote:
> >> Forgot to say: Purism is just an overpriced quanta/oem whitebox
> >> laptop, it takes 5mil+ of startup funds to do a small run of *just
> >> a motherboard* let alone an entire laptop computer including the
> >> fab for a fancy aluminum case - it is quite obvious that their
> >> components are not "hand selected" and that they just called up
> >> some chinese OEM and asked them what they had kicking around.
> >> 
> >> I can't understand if they are scammers or just really naive,
> >> Instead of making an OpenPower or ARM laptop and having it be 100%
> >> libre from the start they instead do the dishonest "you'll go to
> >> disneyworld one day poor johnny" - If google can't convince intel
> >> to open up FSP/ME then nobody can - coreboot with FSP is just
> >> shimboot (black box FSP - 95% of the bios work)
> >> 
> >> It bothers me quite a lot that they are on the list of approved
> >> vendors when they are a dishonest company.
> > 
> > Whoa. Ok, hold on a sec. I did not buy a Purism computer, though not
> > for those reasons - putting a 28W TDP proc in a 15inch "workstation"
> > is absurd to me, as is their lack of a screen configuration. I hear
> > your anger at the gap between what they promise and what they
> > deliver; I'm more displeased on the hardware side of things (though I
> > do like HW kill switches). I've looked into what they promise and
> > understand very well that they don't actually have a very free
> > computer at all, especially on the bios/firmware side.
> > 
> > What I actually ordered (and have now cancelled), was a Dell XPS 15".
> > There is no vPro option in the configure menu, though it does support
> > VT-d and SLAT. I've read all of Joanna's papers, and understand the
> > concerns about Intel ME very well. However, on the Dell order, it
> > claimed "ME Disabled." Perhaps they simply meant that vPro/AMT/TXT
> > was disabled, and that was mine and Dell's fault for wishful thinking
> > and false naming, respectively. Please see linked photo:
> > https://d.pr/Q0YZ
> > 
> 
> Moral considerations aside, why not buy that Dell and pair it with a portable 
> router/firewall like this 
> (https://www.compulab.co.il/utilite-computer/web/products)? Shouldn't that 
> effectively block out any ME-related mischief or do I have a fundamental 
> misunderstanding? It doesn't seem possible otherwise to get the type of 
> processing power you're looking for in a laptop form-factor.

Also, the concern for me is not ME shenanigans. I'm more concerned about having 
TXT for AEM and measured boot, and the consumer Dell model does not have that 
(the processor and chipset don't support it). The other option, aside from the 
Precision 5510, would be a ThinkPad T460 or T460p, but the downside there is 
performance (only SATA-3 SSD), and also the screen quality is terrible.

Much as I dislike proprietary anything, I might take a second look at the new 
MacBook Pros, and run things that need higher security in a VM or in Whonix. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e2d0cd80-190c-443f-a3ac-d2ca992a6882%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Intel TXT advice

2016-11-14 Thread Eric
On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote:
> Eric:
> > On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, tai...@gmx.com
> > wrote:
> >> Forgot to say: Purism is just an overpriced quanta/oem whitebox
> >> laptop, it takes 5mil+ of startup funds to do a small run of *just
> >> a motherboard* let alone an entire laptop computer including the
> >> fab for a fancy aluminum case - it is quite obvious that their
> >> components are not "hand selected" and that they just called up
> >> some Chinese OEM and asked them what they had kicking around.
> >> 
> >> I can't understand if they are scammers or just really naive.
> >> Instead of making an OpenPower or ARM laptop and having it be 100%
> >> libre from the start they instead do the dishonest "you'll go to
> >> disneyworld one day poor johnny" - If Google can't convince Intel
> >> to open up FSP/ME then nobody can - coreboot with FSP is just
> >> shimboot (black box FSP - 95% of the bios work)
> >> 
> >> It bothers me quite a lot that they are on the list of approved
> >> vendors when they are a dishonest company.
> > 
> > Whoa. Ok, hold on a sec. I did not buy a Purism computer, though not
> > for those reasons - putting a 28W TDP proc in a 15inch "workstation"
> > is absurd to me, as is their lack of a screen configuration. I hear
> > your anger at the gap between what they promise and what they
> > deliver; I'm more displeased on the hardware side of things (though I
> > do like HW kill switches). I've looked into what they promise and
> > understand very well that they don't actually have a very free
> > computer at all, especially on the bios/firmware side.
> > 
> > What I actually ordered (and have now cancelled), was a Dell XPS 15".
> > There is no vPro option in the configure menu, though it does support
> > VT-d and SLAT. I've read all of Joanna's papers, and understand the
> > concerns about Intel ME very well. However, on the Dell order, it
> > claimed "ME Disabled." Perhaps they simply meant that vPro/AMT/TXT
> > was disabled, and that was mine and Dell's fault for wishful thinking
> > and false naming, respectively. Please see linked photo:
> > https://d.pr/Q0YZ
> > 
> 
> Moral considerations aside, why not buy that Dell and pair it with a portable 
> router/firewall like this 
> (https://www.compulab.co.il/utilite-computer/web/products)? Shouldn't that 
> effectively block out any ME-related mischief or do I have a fundamental 
> misunderstanding? It doesn't seem possible otherwise to get the type of 
> processing power you're looking for in a laptop form-factor.

Well, the Dell XPS was enough processing power for me. The Business version, 
the Precision 5510, not only has vPro and TXT, but also supports ECC memory 
(Xeon E5). Adds another layer of protection (against Rowhammer attacks that can 
compromise even Qubes), but a) nobody actually makes DDR4-ECC-SODIMM memory 
that I can find, and b) it's basically another thousand bucks. I also happen to 
hate 16:9 displays, but I would compromise on that for Qubes' sake. 

As far as blob-free hardware goes, I unfortunately have to live and work in the 
world, and therefore need 1) performance and x86-64 architecture, and 2) to not 
have my computer be a part time job.

Guess I'll keep looking. And saving.

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/0c8be8fb-0982-48f7-8af5-6a44eb52711d%40googlegroups.com.


Re: [qubes-users] Re: Intel TXT advice

2016-11-14 Thread entr0py
Eric:
> On Sunday, November 13, 2016 at 10:44:33 PM UTC-8, tai...@gmx.com
> wrote:
>> Forgot to say: Purism is just an overpriced quanta/oem whitebox
>> laptop, it takes 5mil+ of startup funds to do a small run of *just
>> a motherboard* let alone an entire laptop computer including the
>> fab for a fancy aluminum case - it is quite obvious that their
>> components are not "hand selected" and that they just called up
>> some Chinese OEM and asked them what they had kicking around.
>> 
>> I can't understand if they are scammers or just really naive.
>> Instead of making an OpenPower or ARM laptop and having it be 100%
>> libre from the start they instead do the dishonest "you'll go to
>> disneyworld one day poor johnny" - If Google can't convince Intel
>> to open up FSP/ME then nobody can - coreboot with FSP is just
>> shimboot (black box FSP - 95% of the bios work)
>> 
>> It bothers me quite a lot that they are on the list of approved
>> vendors when they are a dishonest company.
> 
> Whoa. Ok, hold on a sec. I did not buy a Purism computer, though not
> for those reasons - putting a 28W TDP proc in a 15inch "workstation"
> is absurd to me, as is their lack of a screen configuration. I hear
> your anger at the gap between what they promise and what they
> deliver; I'm more displeased on the hardware side of things (though I
> do like HW kill switches). I've looked into what they promise and
> understand very well that they don't actually have a very free
> computer at all, especially on the bios/firmware side.
> 
> What I actually ordered (and have now cancelled), was a Dell XPS 15".
> There is no vPro option in the configure menu, though it does support
> VT-d and SLAT. I've read all of Joanna's papers, and understand the
> concerns about Intel ME very well. However, on the Dell order, it
> claimed "ME Disabled." Perhaps they simply meant that vPro/AMT/TXT
> was disabled, and that was mine and Dell's fault for wishful thinking
> and false naming, respectively. Please see linked photo:
> https://d.pr/Q0YZ
> 

Moral considerations aside, why not buy that Dell and pair it with a portable 
router/firewall like this 
(https://www.compulab.co.il/utilite-computer/web/products)? Shouldn't that 
effectively block out any ME-related mischief or do I have a fundamental 
misunderstanding? It doesn't seem possible otherwise to get the type of 
processing power you're looking for in a laptop form-factor.

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/e9007159-2961-d96f-1c21-9d5e70de6aec%40gmail.com.


Re: [qubes-users] Installing VPN in Qubes Versus VPN on a Router

2016-11-14 Thread entr0py
entr0py:
> taii...@gmx.com:
>> On 11/13/2016 07:39 PM, entr0py wrote:
>>> taii...@gmx.com:
>>>> You can use a VMM with a pfsense VM and separate driver domains
>>>> for the network interfaces, qubes isn't a router operating
>>>> system...
>>> 
>>> Is there an inherent reason that Qubes should not be used as a
>>> router?
>> 
>> - I really don't know how to reply to this
> 
> I can't tell if your reticence is indignance or if my question just
> can't be answered for some reason but it was meant to be a sincere
> question. Admittedly I know very little about this but AFAIK pfSense
> is just a front-end to manage filters with extensibility features. I
> don't know enough to discuss the relative merits of PF vs iptables,
> but I don't see any reason why a Qubes router wouldn't work since
> Debian based "router operating systems" do exist. Is it a question of
> reliability, complexity, ...? I just need a machine that can route
> and filter traffic and not get compromised in the process - or am I
> missing something? I wouldn't know the first thing about BSD or
> virtual driver domains, whereas I've become comfortable chaining
> Qubes proxyVMs and using iptables.
> 

From advice I've received: the overhead introduced by Qubes (inter-VM 
operability, GUI features) isn't necessary in a router that is largely 
non-interactive and headless.

My guess is that a cost-effective solution for now would be to use 2012 AMD 
hardware running Xen / KVM. Analogous to Qubes, it would have fat net VMs, 
minimal proxy VMs and a firewall VM (BSD or otherwise) in-between.

Both Xen & KVM support ARM so the forward-looking solution might be to combine 
Xen with something like MirageOS appliances 
(https://mirage.io/wiki/xen-on-cubieboard2) on an ARM device.

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/4495f539-a266-736a-6ab7-7505d7aa8762%40gmail.com.


Re: [qubes-users] Re: Improvement: check disk space before copy to VM

2016-11-14 Thread Jean-Philippe Ouellet
On Mon, Nov 14, 2016 at 5:49 AM, Sec Tester  wrote:
> Could open up a vulnerability if not done carefully.
>
> VM could use it to query and identify other VMs in existence on the system.

There are already several timing side-channel ways to do that.

Example:

AppVM$ time /usr/lib/qubes/qrexec-client-vm sys-net qubes.VMShell
Request refused
/usr/lib/qubes/qrexec-client-vm sys-net qubes.VMShell  0.00s user
0.00s system 1% cpu 0.180 total

AppVM$ time /usr/lib/qubes/qrexec-client-vm does-not-exist qubes.VMShell
Request refused
/usr/lib/qubes/qrexec-client-vm does-not-exist qubes.VMShell  0.00s
user 0.00s system 0% cpu 1.565 total

In this case the difference in time is quite obvious because it blocks
while an error dialog is open in dom0.

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/CABQWM_A70au%3DdsuwuWUbiL44xNngaXYxFuUCWGXXZGtQ%3D90ZRw%40mail.gmail.com.


[qubes-users] macbookpro 11,3 installer keeps returning to grub menu

2016-11-14 Thread pixel fairy
just what the subject line says. there is an error message, but it flashes by 
too fast to read. all four choices have the same result.

hardware is late 2013 15" retina, 11,3

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/7a650fa5-bf60-4776-8af5-1fea7f8429db%40googlegroups.com.


Re: [qubes-users] mounting a disk image or volume in app-vm, fast backups

2016-11-14 Thread Unman
On Mon, Nov 14, 2016 at 10:52:27AM -0800, pixel fairy wrote:
> how do you attach an image file to an appvm? 
> 
> what would you recommend for a resizable, or ideally, automatically 
> resizing volume for this? 
> 
> the idea is to attach an image to an appvm, rsync the data you want to backup. 
> then remount it in a dedicated backupvm which only runs rdiff-backup to an 
> external disk. that way, the backup is fast (rsync and rdiff) and is 
> protected from any malware trying to write to the past, and can be done 
> without having to shut down any vm. 
 
qvm-block -A allows you to attach an image file to a qube.

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20161114192404.GA13372%40thirdeyesecurity.org.


Re: [qubes-users] Re: Thinkpad X201t

2016-11-14 Thread loren
Yes - that's it! Thanks so much. I'm installing now. I posted your
answer to the Github issue for reference.

Loren

On Mon, Nov 14, 2016 at 10:40:10AM -0800, pixel fairy wrote:
> On Monday, November 14, 2016 at 1:02:42 PM UTC-5, lo...@lorentrogers.com 
> wrote:
> > Hi everyone,
> >
> > This is my first message on this list, so I hope I'm not spamming folks
> > with this!
> >
> > I'm trying to test out an install of Qubes on my Thinkpad X201t, and the
> > installer seems to have issues with the video card. I confirmed that the
> > install media is valid on another computer, but whenever I try to run it
> > in the X201t, I get a warped screen.
>
> i also use an X201t. the issue is with vt-d, which you have to temporarily 
> disable. see https://www.qubes-os.org/doc/thinkpad-troubleshooting/
>
> it's mostly usable, but does get slow. even web browsing can get choppy.


To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20161114184953.GA8114%40HP-G60.


[qubes-users] Re: Thinkpad X201t

2016-11-14 Thread pixel fairy
On Monday, November 14, 2016 at 1:02:42 PM UTC-5, lo...@lorentrogers.com wrote:
> Hi everyone,
> 
> This is my first message on this list, so I hope I'm not spamming folks
> with this!
> 
> I'm trying to test out an install of Qubes on my Thinkpad X201t, and the
> installer seems to have issues with the video card. I confirmed that the
> install media is valid on another computer, but whenever I try to run it
> in the X201t, I get a warped screen.

i also use an X201t. the issue is with vt-d, which you have to temporarily 
disable. see https://www.qubes-os.org/doc/thinkpad-troubleshooting/

it's mostly usable, but does get slow. even web browsing can get choppy.



To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/b780c034-6598-4d3a-baa8-82c478488451%40googlegroups.com.


Re: [qubes-users] DispVM

2016-11-14 Thread Unman
On Mon, Nov 14, 2016 at 01:37:40PM +, Fred wrote:
> 
> Are there any known issues with the DispVM in Qubes 3.2 that I should be
> aware of?
> 
> I cannot get it to work. I have also tried recreating it two ways based
> on the default template *and* choosing a different non-default one.
> 
> i.e.
> 
> qvm-create-default-dvm fedora-23 and qvm-create-default-dvm
> --default-template both work and seem to create the vms. Trying to use
> it however gives no error and the vm does not start in Qubes Manager.
> 

I'm not aware of any particular issues, although there have been some
reports of issues with customisation.
I assume that you have a template: fedora-23-dvm or similar.
Can you remove this using qvm-remove, and then try creating the
template again?
Confirm that the qvm-create-default-dvm script runs properly to
conclusion and that the dvm template is created.
You can try to run a program in that template to make sure all is well.
Then try running a program in a dispVM.

unman

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20161114175651.GA12561%40thirdeyesecurity.org.


Re: [qubes-users] Re: Please help, can't get into Qubes

2016-11-14 Thread Fred
On 14/11/2016 13:46, Unman wrote:
> For future reference, I think the sys-net started because there were
> OTHER qubes downstream set to autostart, e.g. sys-firewall. If they are
> still starting they will trigger the sys-net. So you need to either set
> the netvm to none for them or stop them starting.

That makes more sense. Thanks.

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/e37e6bef-f7c3-0fa0-de1c-f5719c7b1713%40gmsl.co.uk.


Re: [qubes-users] Improvement: check disk space before copy to VM

2016-11-14 Thread Achim Patzner
Am 14.11.2016 um 14:46 schrieb Robert Mittendorf:

> One basic principle of usability is to make it hard to make mistakes
> (including destroying work/files). 

Imagine a guy dressed in an elaborate tin can standing behind you,
kicking you down some cliff shouting "THIS... IS... UNIX...". Really, it
is. Failing to copy a file is nothing dramatic. Nothing is destroyed,
nothing erased. Let some air out of the elephant until you can recognize
the shape of the original mosquito, would you?

> As I stated before I think the protocol would not have to become "more
> non-unidirectional" to improve on this.

Why don't you just write a proof-of-concept and put it on GitHub? If it
is working well and showing an improvement I'm sure someone will add it
to the Qubes repositories. They are not that dogmatic.


Achim

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/75b2f969-3036-89ef-6e52-83e99dee5579%40noses.com.


[qubes-users] cannot boot into qubes: drive not detected as boot device (EFI)

2016-11-14 Thread Francesco Rmp
Hello everyone,
thanks in advance for your support.

I'm new to qubes but not to linux in general and I'm having a bad issue with my 
qubes installation.

I have a qubes 3.2 installation on an external USB drive (because $reasons) and 
it's not willing to boot, my system doesn't even detect it as a bootable 
device, for reasons I really don't know.

The partition layout is as follows:

32MB unallocated space (I think for GPT alignment reasons)
192MB FAT16 EFI System partition
512MB ext4 /boot partition
my LUKS root partition
other 60MB unallocated (again I think for alignment reasons but meh, anyway who 
cares)

in the EFI FAT16 partition I have the following files

EFI/qubes/
   initramfs-4.4.14-1.pvops.qubes.x86_64.img
   vmlinuz-4.4.14-1.pvops.qubes.x86_64
   xen-4.6.1.efi
   xen.cfg
   xen.efi

while in the /boot partition i have all the usual grub related files and kernel 
images.

I've tried booting into rescue mode from the installation media in an attempt 
to restore the grub bootloader, what I generally do in a traditional linux 
distro is chrooting into my installation and then manually restore grub, but in 
my / I can't find anything grub or grub2 related that I can use to reinstall 
the bootloader, so I'm a bit stuck.

any advice on how to rescue my qubes installation so that I can boot into it 
again?

Thanks

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/7378aa02-3074-40db-9ab5-cc755c3207df%40googlegroups.com.


Re: [qubes-users] Re: HCL - Lenovo T450s

2016-11-14 Thread Robert Mittendorf
Am 11/14/2016 um 04:31 PM schrieb xxthatnavygu...@gmail.com:
> On Monday, December 21, 2015 at 10:30:49 PM UTC-6, Alex Guzman wrote:
>> Installed Qubes with no (noticeable) issues.
>>
>> Attempted EFI boot fails -- I disabled the quiet flags and it seems to hang 
>> after loading Linux (the last line displayed is something relating to EFI 
>> variables, iirc)
>>
>> Legacy boot works fine. Tested various VMs, seems to be working well. 
>> Networking works OOB, audio works, etc.
>>
>>
>> TPM is installed on the board and I was able to use it successfully. Tested 
>> AEM, seems to work thus far.
>>
>>
>>
>> Only real annoyance is that the RF kill key doesn't seem to work (at least 
>> when using XFCE, haven't tried KDE).
> How do I disable quiet flags? I am having a similar issue with my Acer Aspire 
> E15 Touch. Four penguins, something about EFI and mapping and it just freezes 
> there for eternity while my exhaust fan goes nuts.
>
If you use APU graphics, try to increase graphics memory to 512 MB.

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/e6464248-823b-a2e2-7cdb-f2cf1f06b913%40digitrace.de.


[qubes-users] Re: HCL - Lenovo T450s

2016-11-14 Thread xxthatnavyguyxx
On Monday, December 21, 2015 at 10:30:49 PM UTC-6, Alex Guzman wrote:
> Installed Qubes with no (noticeable) issues.
> 
> Attempted EFI boot fails -- I disabled the quiet flags and it seems to hang 
> after loading Linux (the last line displayed is something relating to EFI 
> variables, iirc)
> 
> Legacy boot works fine. Tested various VMs, seems to be working well. 
> Networking works OOB, audio works, etc.
> 
> 
> TPM is installed on the board and I was able to use it successfully. Tested 
> AEM, seems to work thus far.
> 
> 
> 
> Only real annoyance is that the RF kill key doesn't seem to work (at least 
> when using XFCE, haven't tried KDE).

How do I disable quiet flags? I am having a similar issue with my Acer Aspire 
E15 Touch. Four penguins, something about EFI and mapping and it just freezes 
there for eternity while my exhaust fan goes nuts.

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/23af0b4a-1665-4c07-b387-7fa302168fbc%40googlegroups.com.


Re: [qubes-users] Attaching a block to a DVM in dom0 script

2016-11-14 Thread Rusty Bird
Hi Vít,

> When trying to implement a backup script (for a different mechanism
> than the builtin one), I need to start a DVM with an attached (RO)
> image. How can I do it?

If you're running R3.2:

  set -e
  # LAUNCH starts a fresh DispVM and prints its name
  dispvm=$(/usr/lib/qubes/qfile-daemon-dvm LAUNCH dom0 "" red)
  # attach the image read-only so the DispVM cannot modify it
  qvm-block --attach-file --ro "$dispvm" image-vm:/path/to/image
  ...
  # detach before tearing the DispVM down
  qvm-block --detach "$dispvm"
  /usr/lib/qubes/qfile-daemon-dvm FINISH "$dispvm"

Also check out ,
maybe it already does part of what you want.

Rusty

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/9925059c-9212-69ee-0698-966d78e312d2%40openmailbox.org.
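
The LAUNCH/attach/detach/FINISH sequence from the reply above, wrapped so that the cleanup steps run even when the backup command inside the DispVM fails. This is an added example, not code from the original post or from Qubes OS. It keeps the R3.2 commands and flags exactly as shown in the reply; everything else is assumed: that `qvm-run --pass-io` waits for the command and relays its output, that the attached image appears inside the DispVM as `/dev/xvdi`, and the environment-variable overrides (`QFILE_DAEMON_DVM`, `QVM_BLOCK`, `QVM_RUN`), which exist only so the control flow can be exercised outside dom0 with stand-in functions.

```shell
#!/bin/sh
# Added example (not from the original post or from Qubes OS): run one backup
# command inside a fresh R3.2 DisposableVM with a read-only image attached,
# and always detach the image and finish the DispVM, even when the command
# fails or the attach step itself fails.
#
# Assumptions: LAUNCH/FINISH and the qvm-block flags are as in the reply
# above; qvm-run --pass-io is used to wait for the command; the image shows
# up inside the DispVM as /dev/xvdi. The tool paths can be overridden via
# environment variables so the flow can be tested outside dom0.

qfile_daemon_dvm() { "${QFILE_DAEMON_DVM:-/usr/lib/qubes/qfile-daemon-dvm}" "$@"; }
qvm_block()        { "${QVM_BLOCK:-qvm-block}" "$@"; }
qvm_run()          { "${QVM_RUN:-qvm-run}" "$@"; }

# backup_in_dispvm IMAGE CMD
#   IMAGE : block source in qvm-block form, e.g. image-vm:/path/to/image
#   CMD   : shell command to run inside the DispVM
# Returns CMD's exit status (1 if launch, attach or detach failed).
# Detach and FINISH run regardless of what CMD did.
backup_in_dispvm() {
    image=$1
    cmd=$2
    rc=0

    # LAUNCH creates the DispVM and prints its name; without a name none of
    # the later steps can be addressed to the right VM, so stop here.
    dispvm=$(qfile_daemon_dvm LAUNCH dom0 "" red) || return 1
    [ -n "$dispvm" ] || return 1

    # --ro: the DispVM can read the image but cannot alter it, which is the
    # reason for doing the backup from a throwaway VM in the first place.
    if qvm_block --attach-file --ro "$dispvm" "$image"; then
        qvm_run --pass-io "$dispvm" "$cmd" || rc=$?
        # Always detach; report a detach failure only if nothing else failed.
        if ! qvm_block --detach "$dispvm"; then
            [ "$rc" -ne 0 ] || rc=1
        fi
    else
        rc=1
    fi

    # FINISH tears the DispVM down, as in the reply above.
    qfile_daemon_dvm FINISH "$dispvm"
    return "$rc"
}

# Usage from dom0 (image path, device name and mount point are examples):
#   sh backup-in-dispvm.sh image-vm:/path/to/image \
#      'mount -o ro /dev/xvdi /mnt && rdiff-backup /mnt /media/external'
if [ "$#" -eq 2 ]; then
    backup_in_dispvm "$1" "$2"
fi
```

The point of the wrapper is ordering under failure: a backup command that exits non-zero still leaves the image attached to a DispVM that is never finished if the script simply stops at `set -e`, so the status is captured with `|| rc=$?` and the detach and FINISH steps are reached on every path.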


Re: [qubes-users] Re: Please help, can't get into Qubes

2016-11-14 Thread Unman
On Mon, Nov 14, 2016 at 01:31:28PM +, Fred wrote:
> On 12/11/2016 08:27, Alex wrote:
> > Try editing /var/lib/qubes/qubes.xml and set "autostart" to False 
> > instead of True for the sys-net vm
> 
> I had actually found this file and tried setting the autostart attribute
> but the VM still auto-started.
> 
> I also tried editing the sys-net XML file directly (removing the bad
> assigned device(s)). There was a warning in the comments at the top
> about this file about changes potentially being overwritten but I
> couldn't find the correct file to make these changes manually. This file
> also existed in more than one place and the qvm-* commands didn't work
> as they couldn't connect.
> 
> In any case I just reinstalled as it was quicker.
> 
> The offline mode of the qvm-* commands may have worked (referred to in
> the link in Marek's response). Or maybe disabling the sysVM service via
> systemctl ?
> 
For future reference, I think the sys-net started because there were
OTHER qubes downstream set to autostart, e.g. sys-firewall. If they are
still starting they will trigger the sys-net. So you need to either set
the netvm to none for them or stop them starting.

unman

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20161114134652.GB9627%40thirdeyesecurity.org.


[qubes-users] DispVM

2016-11-14 Thread Fred

Are there any known issues with the DispVM in Qubes 3.2 that I should be
aware of?

I cannot get it to work. I have also tried recreating it two ways based
on the default template *and* choosing a different non-default one.

i.e.

qvm-create-default-dvm fedora-23 and qvm-create-default-dvm
--default-template both work and seem to create the vms. Trying to use
it however gives no error and the vm does not start in Qubes Manager.

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/755d71cb-e944-1f89-3ba0-daa0baa755d5%40gmsl.co.uk.


Re: [qubes-users] Improvement: check disk space before copy to VM

2016-11-14 Thread Unman
On Mon, Nov 14, 2016 at 04:16:37AM -0800, Andrew David Wong wrote:
> 
> On 2016-11-14 04:03, Salmiakki wrote:
> > On Monday, November 14, 2016 at 10:31:25 AM UTC+1, Robert Mittendorf wrote:
> >> On 2016-11-11 14:58, Marek Marczykowski-Górecki wrote:
> >>>
> >>> Actually I don't think it is a good idea. File copy protocol is
> >>> intentionally very simple, including being unidirectional. We don't
> >>> want to add any non-essential features there, to keep it as simple as
> >>> possible.
> >>>
> >>> BTW None of file copying tools I know do that (cp, rsync, scp, ...).
> >> Well, I somewhat understand the first argument, but not the second. To
> >> have a bad usability and waste people's time just because other tools do
> >> is not a good argument I think.
> >>
> >> Obviously it is not unidirectional, otherwise the source would not know
> >> "out of disk space". This does not have to be an interactive feature,
> >> though.
> >> Why not give the "out of disk space" error before accepting the
> >> transfer? The communication from sink to source would be the same, but
> >> less time would be wasted.
> > 
> > Maybe it could be done more general by just popping up a warning saying 
> > "this VM is low on disk space".
> > It would not work for cases where you transfer extremely large files (or at 
> > least it would only display the warning after transferring quite a large 
> > chunk).
> > However, it would also work for everything else!
> > For example I once had a problem because I decided to sync my entire imap 
> > folder for my mail VM and that is larger than 2 GB. The problem was 
> > actually kind of hard to spot. Ideally of course, the warning would be 
> > accompanied by an option to just extend the space (since it seems to be 
> > possible to do that while the VM is running anyway).
> > 
> 
> I've actually seen such a warning in 3.1 and earlier (haven't had cause to 
> see it yet in 3.2), so it must already exist in some sense (or did exist). I 
> never bothered to look into how the threshold is calculated, though.
> 
> -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org

That message is thrown by the qube itself. It's a standard free space
check, not a Qubes thing.

On the question of "bad usability" it looks like horses for courses. I
personally don't want a warning if I've already started to clear out
space on the target. And if I'm transferring files as they are being
written, what use would the measure of free disk space be?

It isn't the TOOL here that will "waste people's time". They waste
their own time by not checking beforehand. There are some OS and tools
that try to fix this, but you see plenty of users baffled by the way
they work, and unsure why the warnings arise. Best to keep it simple imo.

unman

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161114133538.GA9627%40thirdeyesecurity.org.


[qubes-users] Attaching a block to a DVM in dom0 script

2016-11-14 Thread Vít Šesták
When trying to implement a backup script (for a different mechanism than the 
builtin one), I need to start a DVM with an attached (RO) image. How can I do 
it?

a. There is a script for starting some app in DVM. The problem is, I cannot get 
the DVM name in a reliable (non-forgeable) and easy way. The best solution I've 
found so far is to call back to dom0 and verify some token. Which is… quite 
hacky.

b. The qvm-trim-template does something in many ways similar. But it 
essentially uses a separate implementation of DVM.

Is there a better way to do it?

Regards,
Vít Šesták 'v6ak'

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2a15714a-9f19-4f94-8476-05f754850a43%40googlegroups.com.


Re: [qubes-users] Re: Please help, can't get into Qubes

2016-11-14 Thread Fred
On 12/11/2016 08:27, Alex wrote:
> Try editing /var/lib/qubes/qubes.xml and set "autostart" to False 
> instead of True for the sys-net vm

I had actually found this file and tried setting the autostart attribute
but the VM still auto-started.

I also tried editing the sys-net XML file directly (removing the bad
assigned device(s)). There was a warning in the comments at the top
about this file about changes potentially being overwritten but I
couldn't find the correct file to make these changes manually. This file
also existed in more than one place and the qvm-* commands didn't work
as they couldn't connect.

In any case I just reinstalled as it was quicker.

The offline mode of the qvm-* commands may have worked (referred to in
the link in Marek's response). Or maybe disabling the sysVM service via
systemctl ?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/691de818-3233-eb3c-d82d-11f2b447b91e%40gmsl.co.uk.


Re: [qubes-users] Improvement: check disk space before copy to VM

2016-11-14 Thread Andrew David Wong
On 2016-11-14 04:03, Salmiakki wrote:
> On Monday, November 14, 2016 at 10:31:25 AM UTC+1, Robert Mittendorf wrote:
>> On 2016-11-11 14:58, Marek Marczykowski-Górecki wrote:
>>> Actually I don't think it is a good idea. File copy protocol is
>>> intentionally very simple, including being unidirectional. We don't
>>> want to add any non-essential features there, to keep it as simple as
>>> possible.
>>>
>>> BTW None of file copying tools I know do that (cp, rsync, scp, ...).
>> Well, I somewhat understand the first argument, but not the second. To
>> have a bad usability and waste people's time just because other tools do
>> is not a good argument I think.
>>
>> Obviously it is not unidirectional, otherwise the source would not know
>> "out of disk space". This does not have to be an interactive feature,
>> though.
>> Why not give the "out of disk space" error before accepting the
>> transfer? The communication from sink to source would be the same, but
>> less time would be wasted.
> 
> Maybe it could be done more generally by just popping up a warning saying "this 
> VM is low on disk space".
> It would not work for cases where you transfer extremely large files (or at 
> least it would only display the warning after transferring quite a large 
> chunk).
> However, it would also work for everything else!
> For example I once had a problem because I decided to sync my entire imap 
> folder for my mail VM and that is larger than 2 GB. The problem was actually 
> kind of hard to spot. Ideally of course, the warning would be accompanied by 
> an option to just extend the space (since it seems to be possible to do that 
> while the VM is running anyway).
> 

I've actually seen such a warning in 3.1 and earlier (haven't had cause to see 
it yet in 3.2), so it must already exist in some sense (or did exist). I never 
bothered to look into how the threshold is calculated, though.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7027bb1c-4e40-331e-2db6-bbeb012ab670%40qubes-os.org.


Re: [qubes-users] Improvement: check disk space before copy to VM

2016-11-14 Thread Salmiakki
On Monday, November 14, 2016 at 10:31:25 AM UTC+1, Robert Mittendorf wrote:
> On 2016-11-11 14:58, Marek Marczykowski-Górecki wrote:
> > Actually I don't think it is a good idea. File copy protocol is
> > intentionally very simple, including being unidirectional. We don't
> > want to add any non-essential features there, to keep it as simple as
> > possible.
> >
> > BTW None of file copying tools I know do that (cp, rsync, scp, ...).
> Well, I somewhat understand the first argument, but not the second. To
> have a bad usability and waste people's time just because other tools do
> is not a good argument I think.
> 
> Obviously it is not unidirectional, otherwise the source would not know
> "out of disk space". This does not have to be an interactive feature,
> though.
> Why not give the "out of disk space" error before accepting the
> transfer? The communication from sink to source would be the same, but
> less time would be wasted.

Maybe it could be done more generally by just popping up a warning saying "this 
VM is low on disk space".
It would not work for cases where you transfer extremely large files (or at 
least it would only display the warning after transferring quite a large chunk).
However, it would also work for everything else!
For example I once had a problem because I decided to sync my entire imap 
folder for my mail VM and that is larger than 2 GB. The problem was actually 
kind of hard to spot. Ideally of course, the warning would be accompanied by an 
option to just extend the space (since it seems to be possible to do that while 
the VM is running anyway).

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/abd42d94-3ba6-4499-a95b-dc35f3583615%40googlegroups.com.


[qubes-users] Re: Improvement: check disk space before copy to VM

2016-11-14 Thread Sec Tester
Could open up a vulnerability if not done carefully.

VM could use it to query and identify other VMs in existence on the system.

But if it required a dom0 authorization before checking & transferring, it should 
be ok.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8d1f49d8-60c0-4b80-94e2-0f0866410495%40googlegroups.com.


Re: [qubes-users] Thoughts on Qubes OS Security... Could be improved.

2016-11-14 Thread Sec Tester
> 
> Why not grsecurity/PaX? especially with Qubes 4 switching to HVM (or PVHv2 or 
> whatever it's called now), it will apparently work fine.

Nice suggestion. I would certainly welcome its implementation.

Actually looks like there were successful efforts to implement this back in 
2013. 

https://groups.google.com/forum/#!topic/qubes-devel/l5mi2dklu18

Seriously, why didn't Qubes pick this up and run with it?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1a73f70b-5d8a-4938-813c-6fa0c03fbae3%40googlegroups.com.


Re: [qubes-users] Improvement: check disk space before copy to VM

2016-11-14 Thread Robert Mittendorf
On 2016-11-11 14:58, Marek Marczykowski-Górecki wrote:
> Actually I don't think it is a good idea. File copy protocol is
> intentionally very simple, including being unidirectional. We don't
> want to add any non-essential features there, to keep it as simple as
> possible.
>
> BTW None of file copying tools I know do that (cp, rsync, scp, ...).
Well, I somewhat understand the first argument, but not the second. To
have a bad usability and waste people's time just because other tools do
is not a good argument I think.

Obviously it is not unidirectional, otherwise the source would not know
"out of disk space". This does not have to be an interactive feature,
though.
Why not give the "out of disk space" error before accepting the
transfer? The communication from sink to source would be the same, but
less time would be wasted.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c750d45f-d9bd-0fe4-7a3f-f4682ff78c24%40digitrace.de.
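The sink-side pre-check that Robert proposes in the thread (answer "out of disk space" before accepting the transfer instead of after the data has been sent), as an added example; this is not Qubes' own qfile copy protocol or code. It assumes a wire format in which the sender announces the total payload size in an 8-byte big-endian header, and an assumed safety margin that the receiving qube keeps free for itself. The decision is computed only from the receiver's own filesystem, which is the point Unman makes above: it is an ordinary free-space check inside the qube and consults nothing about other qubes.

```python
"""Sink-side free-space pre-check before accepting a file transfer.

Added example, not Qubes' qfile-copy protocol or code. Assumptions:
the sender announces the total payload size in an 8-byte big-endian
header (assumed wire format), and the receiver keeps an assumed safety
margin free for its own use. Only the receiving side's own filesystem
is consulted when deciding.
"""
import io
import os
import shutil
import struct
import tempfile

HEADER = struct.Struct("!Q")        # assumed header: total payload bytes
SAFETY_MARGIN = 64 * 1024 * 1024    # assumed: leave 64 MiB for the qube itself
CHUNK = 64 * 1024


def check_capacity(announced_size, free_bytes, margin=SAFETY_MARGIN):
    """Decide before any payload is read. Returns (accept, reason)."""
    needed = announced_size + margin
    if free_bytes < needed:
        return False, "out of disk space: need %d bytes (incl. margin), %d free" % (
            needed, free_bytes)
    return True, "ok"


def build_transfer(payload):
    """Constructed sender side: header followed by the payload bytes."""
    return io.BytesIO(HEADER.pack(len(payload)) + payload)


def receive(stream, dest_dir, free_bytes=None):
    """Read the header, run the pre-check, then either drain the payload to
    dest_dir/incoming.bin or stop without consuming a single payload byte."""
    hdr = stream.read(HEADER.size)
    if len(hdr) != HEADER.size:
        raise ValueError("short header")
    (size,) = HEADER.unpack(hdr)
    if free_bytes is None:
        free_bytes = shutil.disk_usage(dest_dir).free   # the sink's own disk only
    accept, reason = check_capacity(size, free_bytes)
    result = {"accepted": accept, "reason": reason, "written": 0}
    if not accept:
        return result          # sender is told "no" before sending the payload
    path = os.path.join(dest_dir, "incoming.bin")
    remaining = size
    with open(path, "wb") as out:
        while remaining:
            chunk = stream.read(min(CHUNK, remaining))
            if not chunk:
                raise ValueError("stream ended %d bytes early" % remaining)
            out.write(chunk)
            remaining -= len(chunk)
    result["written"] = size - remaining
    return result


def demo():
    """Run both outcomes against constructed input and return them."""
    payload = b"x" * 1000
    with tempfile.TemporaryDirectory() as d:
        fits = receive(build_transfer(payload), d,
                       free_bytes=len(payload) + SAFETY_MARGIN)
        too_small = receive(build_transfer(payload), d,
                            free_bytes=len(payload))
        file_size = os.path.getsize(os.path.join(d, "incoming.bin"))
    return {"fits": fits, "too_small": too_small, "file_size": file_size}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Passing `free_bytes` explicitly makes the decision deterministic for testing; in real use it is left as `None` so the receiver measures its own destination directory. The margin is what keeps a transfer that "just fits" from leaving the qube with no working space of its own.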