[qubes-users] Re: selfsecure systems - redundancy?

2016-11-16 Thread Vít Šesták
I remember some more examples of redundant systems. For example, the ancient 
computer SAPO (see https://en.m.wikipedia.org/wiki/SAPO_(computer) ). 
Cardiostimulators are AFAIR reportedly also designed in this way (different 
CPUs on a different architecture with different code written by different 
people). But in all those cases (including your space example), the reason is 
reliability and safety (i.e. prevention of accidental failure), not security 
(i.e. prevention of someone intentionally forcing the system to do or leak 
something it should not do/leak). As both Jean-Philippe and I suggested, it is 
not a panacea. And it can also lower security if an attacker uses a covert channel.

Regards,
Vít Šesták 'v6ak'

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cc6143c7-981c-462e-99d0-bc2d6e2880d1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: installing nvidia

2016-11-16 Thread neznaika
anyone?



[qubes-users] Re: Does the Standard Firewall-VM Actually do anything?

2016-11-16 Thread juncmail
Sec Tester:
> So I'm finally getting around to rebuilding the sys-firewall VM on a minimal 
> template. Put it off because I thought there would be a lot of scripting to 
> set up.
> 
> According to documentation, it doesn't need any extra packages.
> https://www.qubes-os.org/doc/templates/fedora-minimal/
> 
> And when creating the VM, there is no specific option for a "firewall VM", 
> only "ProxyVM".
> 
> * So is it correct to assume the sys-firewall VM is just an empty box routing 
> connections?
> 
> * There are no specific scripts/rules/packages of protection?
> 
> * Does this actually provide any protection in the sense of a traditional 
> software firewall? How so? Does it stop incoming connections? Or just add a 
> layer of separation between sys-net & app-VMs?
> 
> * It seems sys-firewall is just there for users to create their own custom 
> rules in VM Manager settings? Can you give an example of rules you guys actually 
> use?
> 
> Thanks
> 




[qubes-users] Cryptsetup Vulnerability affects QubesOS?

2016-11-16 Thread Vít Šesták
According to the description, it looks likely to affect Qubes.

According to my experience, I remember getting in the shell (for a different 
reason) and it asked for a password. I believe this happened when upgrading to 
3.2 due to a mountpoint issue. This suggests that Qubes is not affected, but I 
haven't tried the exact scenario in Qubes.

The key question, however, is: How does it fit your threat model? In my 
case, an attacker would need physical access. In such a case, she can also boot 
from a USB device and do the same, maybe even more comfortably. I am aware 
that there are some examples (e.g. ATM) where this can be a real issue. Even 
for those cases, I doubt this is a massive threat. Such devices usually have a 
fairly limited keyboard, which can make the vulnerability unusable. (I am 
assuming that the attacker cannot attach a custom keyboard.)

Regards,
Vít Šesták 'v6ak'



[qubes-users] Re: Does the Standard Firewall-VM Actually do anything?

2016-11-16 Thread Sec Tester
It also raises the question,

Is there any benefit running a VPN-Proxy-VM through sys-firewall?

Or maybe save the overhead and just connect VPN-Proxy-VM directly to sys-Net?



Re: [qubes-users] Just Broke Debian-8 Template

2016-11-16 Thread Sec Tester
On Thursday, 17 November 2016 10:33:28 UTC+10, Vít Šesták  wrote:
> I've tried to replicate it in a DVM and it behaved according to my 
> expectation:
> 
> When running sudo apt remove imagemagick, it asks me to also remove some 
> qubes-* packages. The reason is that those packages depend on the ImageMagick 
> package, so you should either remove them as well or keep ImageMagick. Well, 
> the prompt looks mostly like a standard remove prompt. If you don't read 
> carefully what is going to be removed, it is easy not to notice that 
> something additional is going to be removed. I remember I have made a similar 
> kind of mistake when removing a Debian package.
> 
> Now, it is easy to see why just installing ImageMagick didn't help. Your 
> problem is not just that you miss ImageMagick, the problem is also that you 
> have removed a few other packages, including the Qubes GUI daemon. You should be 
> able to install them in a similar way to how you installed ImageMagick. You can 
> see the list of packages you have removed in /var/log/apt/term.log. One also 
> could check what dependencies are typically removed when removing 
> ImageMagick. (I can't do it right now because I am not on Qubes ATM.)
> 
> Regards,
> Vít Šesták 'v6ak'

Just for anyone's future reference, the additional packages seem to be:

qubes-core-agent
qubes-gui-agent
qubes-input-proxy-sender
qubes-pdf-converter



[qubes-users] Does the Standard Firewall-VM Actually do anything?

2016-11-16 Thread Sec Tester
So I'm finally getting around to rebuilding the sys-firewall VM on a minimal 
template. Put it off because I thought there would be a lot of scripting to 
set up.

According to documentation, it doesn't need any extra packages.
https://www.qubes-os.org/doc/templates/fedora-minimal/

And when creating the VM, there is no specific option for a "firewall VM", only 
"ProxyVM".

* So is it correct to assume the sys-firewall VM is just an empty box routing 
connections?

* There are no specific scripts/rules/packages of protection?

* Does this actually provide any protection in the sense of a traditional 
software firewall? How so? Does it stop incoming connections? Or just add a 
layer of separation between sys-net & app-VMs?

* It seems sys-firewall is just there for users to create their own custom 
rules in VM Manager settings? Can you give an example of rules you guys actually 
use?

Thanks



Re: Enigmail and Split GPG2 (previously Re: [qubes-users] Upgrading from Split GPG1 to Split GPG2?)

2016-11-16 Thread george
On Sunday, October 9, 2016 at 11:17:53 AM UTC-4, cubit wrote:
> 4. Oct 2016 19:40 by cu...@tutanota.com:
> I upgraded enigmail to v 1.9.5 and it did not go as well as planned. From 
> what I read of the qubes documents there was nothing to change in qubes 
> settings to take into account the GnuPG2 requirement now.
> 
> But when I run thunderbird 45.2.0 + enigmail 1.9.5 I get the following error.
> 
>    "GnuPG reported an error in the communication with gpg-agent (a component 
> of GnuPG).
> 
>     This is a system setup or configuration error that prevents Enigmail from 
> working properly and cannot be fixed automatically.
> 
>     We strongly recommend that you consult our support web site at 
> https://enigmail.net/faq."
> 
> The messages decrypt but I lose the notification that the email was decrypted 
> and I do not see any of the options to view details of the encrypted message 
> such as who it was encrypted for. I did restart both the appVM for 
> thunderbird and the appVM for my keys, both debian 8
> 
> Hello qubers,
> 
> Has anyone experienced problems with using Split GPG with Thunderbird and 
> Enigmail 1.9.5 in Debian 8 appVM? Have also tried to build the AppVM 
> and TB install from scratch instead of simply upgrading enigmail with 
> existing AppVM. Whenever I try I get the above error when checking 
> encrypted email.
> 
> 
> Cubit

Yes. I get the same issue too. I can read the message, but I can't write, and 
I'm also in Debian-8 VM on Qubes 3.2, with Enigmail and Thunderbird. I can READ 
messages, but I can't send them, nor verify/encrypt/sign them. I'm not sure 
what to do with this...



Re: [qubes-users] Just Broke Debian-8 Template

2016-11-16 Thread Vít Šesták
I've tried to replicate it in a DVM and it behaved according to my expectation:

When running sudo apt remove imagemagick, it asks me to also remove some 
qubes-* packages. The reason is that those packages depend on the ImageMagick 
package, so you should either remove them as well or keep ImageMagick. Well, 
the prompt looks mostly like a standard remove prompt. If you don't read 
carefully what is going to be removed, it is easy not to notice that something 
additional is going to be removed. I remember I have made a similar kind of 
mistake when removing a Debian package.

Now, it is easy to see why just installing ImageMagick didn't help. Your 
problem is not just that you miss ImageMagick, the problem is also that you 
have removed a few other packages, including the Qubes GUI daemon. You should be able 
to install them in a similar way to how you installed ImageMagick. You can see the 
list of packages you have removed in /var/log/apt/term.log. One also could 
check what dependencies are typically removed when removing ImageMagick. (I 
can't do it right now because I am not on Qubes ATM.)

Regards,
Vít Šesták 'v6ak'
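
The two checks suggested in the message above (reading the removed packages back out of /var/log/apt/term.log, and seeing what a removal would drag along before confirming it), as an added example that is not part of the original post. The log excerpts and version strings are constructed samples and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Sample data is constructed.

# Constructed excerpt in the format of /var/log/apt/term.log.
sample_term_log() {
cat <<'EOF'
Log started: 2016-11-16  09:14:02
(Reading database ... 91234 files and directories currently installed.)
Removing qubes-pdf-converter (0.0.0-sample) ...
Removing qubes-input-proxy-sender (0.0.0-sample) ...
Removing qubes-gui-agent (0.0.0-sample) ...
Removing qubes-core-agent (0.0.0-sample) ...
Removing imagemagick (0.0.0-sample) ...
Processing triggers for man-db (0.0.0-sample) ...
Log ended: 2016-11-16  09:14:20
EOF
}

# Constructed excerpt in the format printed by `apt-get -s remove imagemagick`.
sample_simulation() {
cat <<'EOF'
Reading package lists...
Building dependency tree...
The following packages will be REMOVED:
  imagemagick qubes-core-agent qubes-gui-agent qubes-input-proxy-sender
  qubes-pdf-converter
0 upgraded, 0 newly installed, 5 to remove and 0 not upgraded.
Remv qubes-pdf-converter [0.0.0-sample]
Remv qubes-input-proxy-sender [0.0.0-sample]
Remv qubes-gui-agent [0.0.0-sample]
Remv qubes-core-agent [0.0.0-sample]
Remv imagemagick [0.0.0-sample]
EOF
}

# Read an apt session log on stdin and print each removed package once.
# dpkg logs a removal as "Removing <name>[:<arch>] (<version>) ...".
removed_packages() {
    awk '$1 == "Removing" && $3 ~ /^\(/ { sub(/:.*/, "", $2); print $2 }' |
        LC_ALL=C sort -u
}

# Read the output of a simulated removal on stdin and print the qubes-*
# packages it would take out. Exit status is 0 only if at least one is found.
qubes_collateral() {
    awk '$1 == "Remv" { sub(/:.*/, "", $2); print $2 }' | grep '^qubes-'
}

# On a real template the same functions are fed from the live system:
#   removed_packages < /var/log/apt/term.log
#   apt-get -s remove imagemagick | qubes_collateral && echo "do not confirm"
echo "Removed in the logged session:"
sample_term_log | removed_packages
echo "qubes-* packages the simulated removal would take out:"
sample_simulation | qubes_collateral
```

The simulation (`apt-get -s`) changes nothing on disk, so it can be run in the template before the real command.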



[qubes-users] Re: Fedora 24 template available for Qubes 3.2

2016-11-16 Thread blyt9910

> I installed the Fedora 24 template and set all VMs that were using 23 to 24.
> However, I'm unable to remove the Fedora 23 template and dom0 is still 
> fetching updates for it.
> Anyone else having this problem?

Never mind, I got it. Attempted to remove the template before I set dependent VMs 
to the new one.



[qubes-users] Re: Fedora 24 template available for Qubes 3.2

2016-11-16 Thread blyt9910
On Saturday, November 12, 2016 at 10:53:00 PM UTC-5, Marek Marczykowski-Górecki 
wrote:
> Hi all,
> 
> Fedora 24 template is now available for direct installation. This means
> there are now two ways to have it on Qubes 3.2 system:
> 
> 1. Upgrade existing Fedora 23 template according to this instruction:
> 
> https://www.qubes-os.org/doc/fedora-template-upgrade-23/
> 
> 2. Install a fresh one using:
> 
> qubes-dom0-update qubes-template-fedora-24
> 
> The latter option will get you fresh template. If you made any
> modifications there, you'll need to do them again (if you want).
> The same is available for fedora-24-minimal template.
> 
> In any case, after getting new template using any method, the next step
> is switching some/all qubes (VMs) to the new one. This can be done using
> either Qubes Manager (in qube settings), or using qvm-prefs command line
> tool.
> 
> -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?


I installed the Fedora 24 template and set all VMs that were using 23 to 24.
However, I'm unable to remove the Fedora 23 template and dom0 is still fetching 
updates for it.
Anyone else having this problem?



Re: [qubes-users] Re: Incremental / continuous backups?

2016-11-16 Thread Marek Marczykowski-Górecki
On Wed, Nov 16, 2016 at 01:35:53PM -0800, pixel fairy wrote:
> On Wednesday, November 16, 2016 at 2:12:37 PM UTC-5, Loren Rogers wrote:
> > What's a good approach for regular backups?
> > 
> > Does Qubes have a simple way of automatically saving VM snapshots? And, 
> > is there a way to do this incrementally? I assume not, since the 
> > encryption would block it?
> 
> you can encrypt the volume and put snapshots on that. maybe the future of 
> qubes-backup? 
> 
> till then i use a script from dom0,
> qvm-run backupkeeper "rm -rf QubesIncoming/*"
> for i in `cat backuplist`;do qvm-run $i "qvm-copy-to-vm backupkeeper .";done
> 
> then rdiff-backup QubesIncoming /run/media/user/.../backups/rdiff
> 
> this way, the same drive can also keep appvm snapshots.
> backupkeeper is just an appvm with no network access and a lot of space. the 
> usb disks are set up with cryptsetup, ext4 and a backups folder owned by user. 
> the first line is to get rid of old backups. qvm-copy-to-vm won't let you 
> overwrite.
> 
> it's no TimeMachine, and deleting and copying entire folders is inefficient. 
> but does the job and easy to recover on any linux system.
> 
> would be nice to be able to initiate the file copy from dom0 and auto allow 
> it. then it could run in the background.

Actually you can "auto allow it". Simply click "Yes to all" during one
backup run - it will add appropriate rule to policy to allow the same
operation (same source and target VM) in the future without asking.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
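
What "Yes to all" leaves behind, as an added example that is not part of the original message: a small evaluator for a qubes.Filecopy policy file, so the rules that now skip the prompt can be reviewed. It assumes the Qubes 3.x policy format (one `source target action` rule per line, first match wins, `$anyvm` as wildcard, no match means deny) and the path /etc/qubes-rpc/policy/qubes.Filecopy in dom0, none of which is stated in the thread; the sample policy and the function names are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Simplified: only exact VM names and
# the $anyvm wildcard are handled; options after a comma are ignored.

# Constructed sample: the state of the policy after "Yes to all" was
# clicked for two backup sources, above the stock catch-all rule.
sample_policy() {
cat <<'EOF'
## constructed sample policy for qubes.Filecopy
work backupkeeper allow
personal backupkeeper allow
$anyvm vault deny
$anyvm $anyvm ask
EOF
}

# policy_decision SRC DST  (policy text on stdin)
# Prints allow, deny or ask for a copy from SRC to DST. The first matching
# rule decides, which is why a rule added above "$anyvm $anyvm ask"
# silences the prompt for that pair only.
policy_decision() {
    awk -v src="$1" -v dst="$2" '
        NF < 3 || $1 ~ /^#/ { next }
        ($1 == src || $1 == "$anyvm") && ($2 == dst || $2 == "$anyvm") {
            split($3, act, ","); print act[1]; matched = 1; exit
        }
        END { if (!matched) print "deny" }
    '
}

# Print every source -> target pair that is allowed without a prompt.
silent_allows() {
    awk 'NF >= 3 && $1 !~ /^#/ {
        split($3, act, ",")
        if (act[1] == "allow") print $1 " -> " $2
    }'
}

# In dom0 the same functions read the live policy (path is an assumption):
#   silent_allows < /etc/qubes-rpc/policy/qubes.Filecopy
echo "Pairs that copy without asking:"
sample_policy | silent_allows
echo "untrusted -> backupkeeper: $(sample_policy | policy_decision untrusted backupkeeper)"
```

Reviewing the `silent_allows` output after a backup run shows exactly which source VMs can now push files into the backup VM unattended.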



[qubes-users] Android file transfer

2016-11-16 Thread IX4 Svs
Hi list

I've been through the archives and found a number of partially helpful
suggestions, none of which give me a workable solution. Google also gives
me http://nknu.net/mount-nexus5-on-fedora23-using-simple-mtpfs/ which
unfortunately doesn't fully work on my Qubes system - I can map the phone
device but then mounting with simple-mtpfs in dom0 gives me a blank
directory.

So, having the following two systems:
Qubes R3.1
Android 6.x phone (unrooted)

..what's the best way to do file transfer between the two? Ideally I'd like
to be able to mount the filesystem of the phone and be able to read/write
contents to a Qubes AppVM.

Thanks in advance,

Alex



[qubes-users] Re: Incremental / continuous backups?

2016-11-16 Thread pixel fairy
On Wednesday, November 16, 2016 at 2:12:37 PM UTC-5, Loren Rogers wrote:
> What's a good approach for regular backups?
> 
> Does Qubes have a simple way of automatically saving VM snapshots? And, 
> is there a way to do this incrementally? I assume not, since the 
> encryption would block it?

you can encrypt the volume and put snapshots on that. maybe the future of 
qubes-backup? 

till then i use a script from dom0,
qvm-run backupkeeper "rm -rf QubesIncoming/*"
for i in `cat backuplist`;do qvm-run $i "qvm-copy-to-vm backupkeeper .";done

then rdiff-backup QubesIncoming /run/media/user/.../backups/rdiff

this way, the same drive can also keep appvm snapshots.
backupkeeper is just an appvm with no network access and a lot of space. the 
usb disks are set up with cryptsetup, ext4 and a backups folder owned by user. 
the first line is to get rid of old backups. qvm-copy-to-vm won't let you 
overwrite.

it's no TimeMachine, and deleting and copying entire folders is inefficient. but 
does the job and easy to recover on any linux system.

would be nice to be able to initiate the file copy from dom0 and auto allow it. 
then it could run in the background.


> Thanks,
> Loren



Re: [qubes-users] Can't update dom0?

2016-11-16 Thread Fred
On 16/11/2016 20:10, Loren Rogers wrote:
> Clicking the "Update VM System" button with dom0 selected seems like it
> starts, but it doesn't really go anywhere.

I recall reading something about this issue in the Qubes Wiki. IIRC,
they suggested running the command manually from the command line:

qubes-dom0-update



Re: [qubes-users] Cryptsetup Vulnerability affects QubesOS?

2016-11-16 Thread Fred
On 16/11/2016 19:10, berthold_...@web.de wrote:
> Does this affect QubesOS?
> 
> https://threatpost.com/cryptsetup-vulnerability-grants-root-shell-access-on-some-linux-systems/121963/
> 

Looks like a fairly low priority to me. You can get initramfs shell in a
Busybox and have access to /boot (on some systems) and see the encrypted
drives. Some articles seemed to imply that you'd have access to the
decrypted data (which isn't possible!).

A good time to ask if Qubes encrypts /boot in its LUKS setup. I've not
checked myself.

You'd get the same effect if you boot via GRUB to an initrd shell.



[qubes-users] Re: Qubes not shutting down

2016-11-16 Thread Loren Rogers

On 11/16/2016 02:33 PM, Grzesiek Chodzicki wrote:
> On Wednesday, 16 November 2016 20:04:14 UTC+1, Loren Rogers wrote:
> > Hi all,
> > 
> > I've successfully installed Qubes on my Thinkpad X201 tablet, but it has
> > issues shutting down. When I explicitly tell it to reboot or shutdown,
> > it goes through the entire shutdown sequence, but hangs on an empty
> > black screen. Occasionally, I see an unchanging white underscore (_)
> > character displayed in the top left when it hangs.
> > 
> > I tried leaving it in this state for about an hour, and no change--I've
> > always had to force-reset. I assume this is not normal?
> > 
> > Also, I find that the system randomly begins the shutdown sequence on
> > its own. (And hangs on the black screen at the end.)
> > 
> > Thanks,
> > Loren
> 
> The same issue occurs on my system only if I shut the system down while a VM 
> with a PCI device without FLR support is running

Also, I just confirmed that it shuts down cleanly with all VMs off and 
no USB devices plugged in.




Re: [qubes-users] isolated workflows - image converter - trusted jpg

2016-11-16 Thread Chris Laprise

What is the command to do the trusted image conversion?

Chris



Re: [qubes-users] Incremental / continuous backups?

2016-11-16 Thread Chris Laprise

On 11/16/2016 03:27 PM, Jean-Philippe Ouellet wrote:
> This is a known problem area.
> 
> See discussions in:
> - https://github.com/QubesOS/qubes-issues/issues/971
> - https://github.com/QubesOS/qubes-issues/issues/858


I think the easiest, most efficient route currently available is to have 
your VMs stored on a btrfs volume, then use snapshots and 'btrfs send'. 
The latter creates a stream that contains the differences from the prior 
snapshot, and this stream can be piped to a backup VM. If the backup VM 
is untrusted, you can encrypt it in dom0 and have the backup VM store 
them as incremental backup files.


A search on 'btrfs send backup' will bring up some guides.

Chris



Re: [qubes-users] Incremental / continuous backups?

2016-11-16 Thread Jean-Philippe Ouellet
This is a known problem area.

See discussions in:
- https://github.com/QubesOS/qubes-issues/issues/971
- https://github.com/QubesOS/qubes-issues/issues/858



[qubes-users] Re: Qubes not shutting down

2016-11-16 Thread Loren Rogers


On 11/16/2016 02:33 PM, Grzesiek Chodzicki wrote:
> On Wednesday, 16 November 2016 20:04:14 UTC+1, Loren Rogers wrote:
> > Hi all,
> > 
> > I've successfully installed Qubes on my Thinkpad X201 tablet, but it has
> > issues shutting down. When I explicitly tell it to reboot or shutdown,
> > it goes through the entire shutdown sequence, but hangs on an empty
> > black screen. Occasionally, I see an unchanging white underscore (_)
> > character displayed in the top left when it hangs.
> > 
> > I tried leaving it in this state for about an hour, and no change--I've
> > always had to force-reset. I assume this is not normal?
> > 
> > Also, I find that the system randomly begins the shutdown sequence on
> > its own. (And hangs on the black screen at the end.)
> > 
> > Thanks,
> > Loren
> 
> The same issue occurs on my system only if I shut the system down while a VM 
> with a PCI device without FLR support is running

Interesting - thanks for the info. Are you saying it doesn't shut down, 
or that it shuts down automatically?




[qubes-users] Can't update dom0?

2016-11-16 Thread Loren Rogers
I can't seem to update dom0 using the regular updater. The system keeps 
telling me there are updates for dom0, but I can't get anything to 
actually update. Is there something I'm missing here?


Clicking the "Update VM System" button with dom0 selected seems like it 
starts, but it doesn't really go anywhere. I attached a screenshot of 
the system after it gets going. Eventually, it'll just silently crash. I 
can re-start the process, but it does the exact same thing.


I'm using R3.2 on a Thinkpad X201 Tablet.

Thanks!
Loren



Re: [qubes-users] Re: selfsecure systems - redunancy?

2016-11-16 Thread Jean-Philippe Ouellet
On Wed, Nov 16, 2016 at 2:43 PM, '81029438'1094328'0194328'0914328
 wrote:
> ... idealistic description of heterogeneous computations and validating i/o 
> proxy ...

This method of verification is not the panacea it may appear to be.

If an attacker can find vulnerabilities (potentially for different
inputs at different times) in each respective system (which may or may
not be that difficult in practice), then their exploit payload could
simply produce identically-incorrect results for an agreed upon
different operation at a later time, and your validating proxy would
not catch it because all outputs are identical.



Re: [qubes-users] PAM errors after disabling password-less root

2016-11-16 Thread Chris Laprise

On 11/16/2016 01:26 PM, Andrew wrote:
> 3n7r0...@gmail.com:
>> On Wednesday, November 16, 2016 at 1:22:43 PM UTC, Chris Laprise wrote:
>>> On 11/15/2016 04:04 PM, Unman wrote:
>>>> On Tue, Nov 15, 2016 at 02:26:12PM -0500, Chris Laprise wrote:
>>>>> On 11/15/2016 07:20 AM, Unman wrote:
>>>>>> On Tue, Nov 15, 2016 at 11:55:13AM +, Unman wrote:
>>>>>>> On Tue, Nov 15, 2016 at 05:53:56AM -0500, Chris Laprise wrote:
>>>>>>>> Following the instructions for the 'vm-sudo' doc, I get the following error
>>>>>>>> in Debian 9:
>>>>>>>>
>>>>>>>> /usr/lib/qubes/qrexec-client-vm failed: exit code 1
>>>>>>>> sudo: PAM authentication error: System error
>>>>>>>>
>>>>>>>> Also, in the Debian 8 template the instructions don't match, as there
>>>>>>>> appears to be no file '/etc/pam.d/common-auth'.
>>>>>>>>
>>>>>>>> Chris
>>>>>>>>
>>>>>>> Where did you get that template? The file is present in the default 3.2,
>>>>>>> and even in a minimal-no-recommends template for Debian-8.
>>>>>>>
>>>>>>> I'll look at the Debian-9 issue now.
>>>>>>>
>>>>>> I'm afraid I don't see this issue in a Debian-9 template.
>>>>>> Can you check your editing?
>>>>>>
>>>>>> Also, try manually running the qrexec-client-vm dom0 qubes.VMAuth
>>>>>> command, and making sure you get the expected output.
>>>>>> You should see the prompt(from the policy) and then  output from dom0.
>>>>>>
>>>>>> unman
>>>>>>
>>>>> Thanks for checking. However, I triple-checked my editing in Debian 9 and
>>>>> Debian 8 template is 'stock' basically nothing added to it.
>>>>>
>>>>> The qubes.VMAuth request said 'Request refused'. The doc appears to have a
>>>>> typo for the second command in Step 1. "Adding Dom0 “VMAuth” service" that
>>>>> causes '$anyvm' to disappear from the output. This line should use single
>>>>> quotes instead.
>>>>>
>>>>> Chris
>>>> You're right about that typo. Once you fixed it what happened?
>>>
>>> It works now for Debian 9, submitted PR to fix the doc. I don't know
>>> what the issue is with the missing file in Debian 8... The template's
>>> basic form may not have a necessary package.
>>>
>>> Chris
>>
>> FWIW, the instructions work when applied to Whonix-Debian-8.
>>
>> If I may piggyback on this thread with a related issue... The instructions
>> (pre-typo) worked fine for both Fedora & Whonix VMs. But while the Fedora VMs
>> would spin up silently, each Whonix VM required 4 sudo authorizations at each boot.
>> Do you have any idea what that might be or how I could trace it? I don't have any
>> user scripts / rc.local configured. The authorization requests sometimes appear
>> while the VM light is yellow and other times won't appear until it's green. I'm
>> worried that they might need to be clicked in the proper order and there's not
>> enough identifying information on the dialogue to know what I'm authorizing. Would
>> it be possible to pass the name of the triggering command to the dom0 sudo prompt?


The typo causes the string '$anyvm dom0 ask' to be stored as ' dom0 ask' 
because the shell expands $anyvm to nothing.


So it's definitely a bug, IMHO.

The Whonix issue sounds like a decision they made to use sudo from a 
user startup script...? I think Patrick may know which ones they are.


Chris
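
The quoting problem described in this thread, reproduced as an added example (it is not code from the Qubes documentation or from any poster). The temporary policy file, the helper names and the three-field rule enforced by check_policy are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration of the quoting problem discussed in this thread.
# The policy file is a throwaway temp file (an assumption), not a dom0 path.

# Double quotes: the shell expands $anyvm before echo runs. The variable is
# unset, so the source field silently disappears from the written line.
write_policy_double_quoted() {
    unset anyvm
    echo "$anyvm dom0 ask" > "$1"
}

# Single quotes: no expansion, the literal token $anyvm reaches the file.
write_policy_single_quoted() {
    echo '$anyvm dom0 ask' > "$1"
}

# The same mistyped command under `set -u`: expanding an unset variable is an
# error, so the subshell exits non-zero instead of silently succeeding.
write_policy_nounset() {
    ( set -u; unset anyvm; echo "$anyvm dom0 ask" > "$1" ) 2>/dev/null
}

# Hypothetical linter: every rule line must have three whitespace-separated
# fields, like the '$anyvm dom0 ask' line quoted in the thread.
# Blank lines and lines starting with '#' are skipped.
check_policy() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        NF != 3 {
            printf "line %d: expected 3 fields, got %d: [%s]\n", NR, NF, $0
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

demo() {
    policy=$(mktemp)

    write_policy_double_quoted "$policy"
    printf 'double quotes wrote: [%s]\n' "$(cat "$policy")"
    check_policy "$policy" || echo "  -> rejected by check_policy"

    write_policy_single_quoted "$policy"
    printf 'single quotes wrote: [%s]\n' "$(cat "$policy")"
    check_policy "$policy" && echo "  -> accepted by check_policy"

    write_policy_nounset "$policy" || echo "set -u: mistyped command refused to run"

    rm -f "$policy"
}

demo
```

Running a check like this right after editing a policy file catches the truncated rule before the first "Request refused".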



[qubes-users] Re: selfsecure systems - redunancy?

2016-11-16 Thread '81029438'1094328'0194328'0914328
Hello Vít Šesták,

yes I agree, that IT designs (nearly) everything very complex (or why every 
browser shows the same data, e.g. HTML slightly different - it makes no real 
sense).

In the physical world you have the so called Fit-Form-Function-Code. This means 
you define how long-wide-high, heavy and what kind of function an object has. 
Now 30 years later, you replace this object 1 with an object 2, which must 
fulfill the same "interface" parameters and again you know straight away what 
will be the function and how you must handle this object, without deeper 
insider knowledge, why an engineer designed it more clever than 30 years ago.

Conclusion: if OS1 and OS2 (or even OS3 ... OSn) get in parallel the 
task to compress a file with the method x, then if all programmers always keep 
the FFC in mind, then the output, the compressed file, will always look the 
same. 

Now you don't need to know all the details in the different implementations, if 
OS1, 2, 3 deliver the same result, but the others are totally different, so you 
agree that OS1,2 and 3 have done a clean job and the others are a little bit 
odd and you skip these outputs.

In the end your file system is just saving only files with a positive 
correlation.

Ok, programmers are lazy and like to copy code between the different OS or 
applications. 

This method will only work, if the coding, which is involved in this task was 
100% redundant - an independent development - or even better in a different 
technology (CPU vs FPGA vs GPU). You must guarantee that bugs cannot be 
transferred (copied) between the independent codings.

Sure, that's a hard piece of work - but if you reach it then you are able to 
check everything quite simply, like a black box from the outside.

If the result is as expected - all worked perfectly!
If not, someone doesn't know how to deliver professional code - or is corrupt and 
likes to deliver some kind of backdoors.

The same you can do with the RAM, or to play a movie, or to copy a file, or to 
encrypt a file. 

Who really knows if your encryption doesn't leak some bits into some other files, 
the RAM, elsewhere...?

But if you have N teams, which are running in competition to deliver clean 
results, then you will gain it.

The sky-guide system is vital and runs 4 different chipsets (there could be a 
bug in the chips or a muon passed by and suddenly destroyed some parts of the 
structure - and nothing works now as designed...), 4 independent operating 
systems, 4 different applications and in the end a voting-system - if someone 
is not in line, the other redundant non-corrupt systems take over the control 
and all is automatic.

But yes, the first task might be quite simple - like encrypt something via CPU 
and GPU and FPGA.

Ok, if you use the same prime number with a backdoor in all 4 redundant 
systems, you will be fooled - so for this kind of attack you need another 
countermeasure than pure redundancy. But why not, you can check any prime number 
redundantly, if it will be safe or corrupt - the "opinions" of n different OS 
might, or might not be the same - by default.

Exactly in this field you can find very odd things...

Kind Regards



[qubes-users] Re: Qubes not shutting down

2016-11-16 Thread Grzesiek Chodzicki
On Wednesday, 16 November 2016 20:04:14 UTC+1, Loren Rogers wrote:
> Hi all,
> 
> I've successfully installed Qubes on my Thinkpad X201 tablet, but it has 
> issues shutting down. When I explicitly tell it to reboot or shutdown, 
> it goes through the entire shutdown sequence, but hangs on an empty 
> black screen. Occasionally, I see an unchanging white underscore (_) 
> character displayed in the top left when it hangs.
> 
> I tried leaving it in this state for about an hour, and no change--I've 
> always had to force-reset. I assume this is not normal?
> 
> Also, I find that the system randomly begins the shutdown sequence on 
> its own. (And hangs on the black screen at the end.)
> 
> Thanks,
> Loren

The same issue occurs on my system only if I shut the system down while a VM 
with a PCI device without FLR support is running.



Re: [qubes-users] Installing in basic graphics mode

2016-11-16 Thread Marek Marczykowski-Górecki
On Wed, Nov 16, 2016 at 03:08:11PM +0100, D wrote:
> Hi folks,
> 
> I was unable to boot into the graphical installer, on my X200 running
> Coreboot with SeaBIOS, so I selected "install with basic graphics mode".
> I want to install this way, but whenever I select the installation
> destination, it always says "encryption requested for LUKS device sda2 but
> no encryption key specified for this device".
> I followed the instructions for manual encryption, but there is no way to
> select this existing partition in the basic installer.

The text installer lacks the password prompt; the only way to provide one
is to use a kickstart file. Search the mailing list archive - there are
examples ready to use.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



[qubes-users] Q Diskmanagement partition?

2016-11-16 Thread '834'109438'1094328'0193284'098
Hello,

Q needs enough free disk space in the root partition, as I found in the 
documentation:

https://www.qubes-os.org/doc/out-of-memory/

Check the disk space:

df

Normally I should stay on the standard installation path, with the full disk 
encryption (beside /boot, which stays un-encrypted per default). So that's fine.

Can I improve the disk management, if 
i) I define its own partition for the root (so this will always have free space)
ii) I estimate the disk size changes before I store or change a read-only 
Template VM inside the root partition

Would it make sense to give the system an extra reservation, so that the 
qubes-dom0-root has plenty of disk and not too many changes and the whole 
system becomes more resilient against out-of-mem-errors?

lsblk

/
qubes_dom0-root

Which other operations will change the disk size of / beside the TVMs?

Can I display the disk space of dom0 (or other VMs) in the QM in some way?
Does Q post some warning if the dom0 disk space gets short?

Kind Regards




[qubes-users] Incremental / continuous backups?

2016-11-16 Thread Loren Rogers

What's a good approach for regular backups?

Does Qubes have a simple way of automatically saving VM snapshots? And, 
is there a way to do this incrementally? I assume not, since the 
encryption would block it?


Thanks,
Loren



[qubes-users] Cryptsetup Vulnerability affects QubesOS?

2016-11-16 Thread berthold_tom
Does this affect QubesOS?

https://threatpost.com/cryptsetup-vulnerability-grants-root-shell-access-on-some-linux-systems/121963/



Re: [qubes-users] Re: Intel TXT advice

2016-11-16 Thread Pedro Martins

On 14-11-2016 20:07, Eric wrote:

On Monday, November 14, 2016 at 11:58:32 AM UTC-8, entr0py wrote:

Eric:

On Sunday, November 13, 2016 at 10:44:33 PM UTC-8,
tai...@gmx.com wrote:

...


Well, the Dell XPS was enough processing power for me. The Business
version, the Precision 5510, not only has vPro and TXT, but also
supports ECC memory (Xeon E5). Adds another layer of protection
(against Rowhammer attacks that can compromise even Qubes), but a)
nobody actually makes DDR4-ECC-SODIMM memory that I can find, and b)
it's basically another thousand bucks. I also happen to hate 16:9
displays, but I would compromise on that for Qubes' sake.



FYI, ECC SODIMM DDR3, no DDR4 yet:

http://www.intelligentmemory.com/ECC-DRAM/DDR3/

--
Pedro Martins



Re: [qubes-users] Just Broke Debian-8 Template

2016-11-16 Thread raahelps
On Wednesday, November 16, 2016 at 7:37:15 AM UTC-5, Sec Tester wrote:
> On Wednesday, 16 November 2016 21:08:14 UTC+10, Unman  wrote:
> > On Wed, Nov 16, 2016 at 10:26:34AM +, Unman wrote:
> > > On Tue, Nov 15, 2016 at 09:50:58PM -0800, Sec Tester wrote:
> > > > So i wanted to uninstall that rubbish image editor "imagemagick"
> > > > 
> > > > Ran: sudo apt-get remove imagemagick
> > > > 
> > > > VM crashed. Error in VM manager says "qrexec not connected"
> > > > 
> > > > Tried to restart, VM manager Error says "can not start qubes-guid"
> > > > 
> > > > Would prefer not to replace entire template if possible?
> > > > 
> > > > Cheers.
> > > > 
> > > Indeed, the warning about removing qubes-gui-agent and assorted other
> > > qubes modules might have tipped you off that this wasn't wise.
> > > 
> > > Use qvm-revert-template-changes which will get you back to a clean
> > > start.
> > > 
> > > unman
> > >
> > 
> > Alternatively connect to a console from dom0 using:
> > sudo xl console
> > This will give you a console connection from where you can
> > log in as root and reinstall the packages you removed.
> > 
> > unman
> 
> Thank you 
> 
> qvm-revert-template-changes debian-8 - didnt fix it. I tried to set an 
> earlier date, but --help file and man file didnt specific the option format.
> 
> while VM light was still yellow
> ran: sudo xl debian-8
> root
> apt-get install imagemagick
> 
> Unfortunately still wont start up. must be other missing a packages.
> 
> I decided to just replace the template.
> 
> > Indeed, the warning about removing qubes-gui-agent and assorted other
> > qubes modules might have tipped you off that this wasn't wise.
> 
> ha, well just habbit of hitting y when runnning apt-get. Oops :P

I do that on baremetal debian all the time.  hahah tk goodness for Qubes.



Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-16 Thread raahelps
the desktop mobo i bought was because it had txt and vt-d specified as enabled 
by default in the manual.  So I didn't even need the picture lol.  but imo 
thats what to look for.



Re: [qubes-users] PAM errors after disabling password-less root

2016-11-16 Thread Andrew
3n7r0...@gmail.com:
> On Wednesday, November 16, 2016 at 1:22:43 PM UTC, Chris Laprise wrote:
>> On 11/15/2016 04:04 PM, Unman wrote:
>>> On Tue, Nov 15, 2016 at 02:26:12PM -0500, Chris Laprise wrote:
>>>> On 11/15/2016 07:20 AM, Unman wrote:
>>>>> On Tue, Nov 15, 2016 at 11:55:13AM +, Unman wrote:
>>>>>> On Tue, Nov 15, 2016 at 05:53:56AM -0500, Chris Laprise wrote:
>>>>>>> Following the instructions for the 'vm-sudo' doc, I get the following error
>>>>>>> in Debian 9:
>>>>>>>
>>>>>>> /usr/lib/qubes/qrexec-client-vm failed: exit code 1
>>>>>>> sudo: PAM authentication error: System error
>>>>>>>
>>>>>>>
>>>>>>> Also, in the Debian 8 template the instructions don't match, as there
>>>>>>> appears to be no file '/etc/pam.d/common-auth'.
>>>>>>>
>>>>>>> Chris
>>>>>>>
>>>>>> Where did you get that template? The file is present in the default 3.2,
>>>>>> and even in a minimal-no-recommends template for Debian-8.
>>>>>>
>>>>>> I'll look at the Debian-9 issue now.
>>>>>>
>>>>> I'm afraid I don't see this issue in a Debian-9 template.
>>>>> Can you check your editing?
>>>>>
>>>>> Also, try manually running the qrexec-client-vm dom0 qubes.VMAuth
>>>>> command, and making sure you get the expected output.
>>>>> You should see the prompt(from the policy) and then  output from dom0.
>>>>>
>>>>> unman
>>>>>
>>>> Thanks for checking. However, I triple-checked my editing in Debian 9 and
>>>> Debian 8 template is 'stock' basically nothing added to it.
>>>>
>>>> The qubes.VMAuth request said 'Request refused'. The doc appears to have a
>>>> typo for the second command in Step 1. "Adding Dom0 “VMAuth” service" that
>>>> causes '$anyvm' to disappear from the output. This line should use single
>>>> quotes instead.
>>>>
>>>> Chris
>>> You're right about that typo. Once you fixed it what happened?
>>
>> It works now for Debian 9, submitted PR to fix the doc. I don't know 
>> what the issue is with the missing file in Debian 8... The template's 
>> basic form may not have a necessary package.
>>
>> Chris
> 
> FWIW, the instructions work when applied to Whonix-Debian-8.
> 
> If I may piggyback on this thread with a related issue... The instructions 
> (pre-typo) worked fine for both Fedora & Whonix VMs. But while the Fedora VMs 
> would spin up silently, each Whonix VM required 4 sudo authorizations at each 
> boot. Do you have any idea what that might be or how I could trace it? I 
> don't have any user scripts / rc.local configured. The authorization requests 
> sometimes appear while the VM light is yellow and other times won't appear 
> until it's green. I'm worried that they might need to be clicked in the 
> proper order and there's not enough identifying information on the dialogue 
> to know what I'm authorizing. Would it be possible to pass the name of the 
> triggering command to the dom0 sudo prompt?
> 

I think not without modifying the Qubes RPC code itself, which is
probably a non-starter.  Anyway you would be relying on untrusted
self-reported information in the trusted Dom0 prompt, so maybe not a
good idea.

If you just want to investigate, this should be logged on the VM itself,
anyway, no?  Maybe I'm wrong.  Look through journalctl and see.

Andrew



Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-16 Thread raahelps
You don't always have to buy the newest computer.  I wouldn't recommend doing 
that for a linux system.  I built an i5 desktop for qubes I expect it to last 
for years to come.   

I would say a i7 for laptop though,  just check what people say about the model 
on linux forums. or what they have listed if they use it in their profiles.



Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-16 Thread raahelps
On Wednesday, November 16, 2016 at 5:36:06 AM UTC-5, Achim Patzner wrote:
> Am 15.11.2016 um 14:46 schrieb Andrew David Wong:
> > If you plan to be using the same machines for Qubes 4.x, you should 
> > also take into consideration the updated requirements for 
> > Qubes-certified hardware, which will go into effect for 4.x:
> > https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/
> 
> These requirements are probably the worst you can do for corporate 
> users; they prefer "standard hardware"; even I would rather stop using 
> Qubes than not being able to take any off-the-shelf Lenovo systems but 
> having to use underperforming boxes from unknown sources. Keep in mind 
> that the average company doesn't like hardware with broad maintenance 
> contracts and won't buy outdated designs (and that's about every system 
> supported by coreboot) either.
> 
> 
> Achim

someone linked a laptop here the other day looked good for qubes.  like 
yesterday or day before forget what it was.  had a picture in the manual of 
vt-d enabled.  seems the same board used in a couple diff brand laptops.



Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-16 Thread raahelps
On Wednesday, November 16, 2016 at 5:02:36 AM UTC-5, tai...@gmx.com wrote:
> I have purchased systems that had just that but the proprietary bios 
> still did not properly implement the iommu.
> 
> This is considered a "pro" level technology and you are generally SOL if 
> you buy a consumer level laptop (even some "enterprise" ones) - If you 
> don't care about ME the best choice would be a dell business (latitude 
> or precision) laptop with ProSupport so you can get someone on the phone 
> who speaks english, isn't a moron and is able to escalate problems to 
> the engineering team in case you have any problems such as bad DMAR tables.
> 
> FYI - "VT-d" is IOMMU with the AMD marketing name of AMD-Vi - it is not 
> an intel technology.
> On 11/15/2016 10:45 PM, raahe...@gmail.com wrote:
> > On Tuesday, November 15, 2016 at 7:44:53 PM UTC-5, pixel fairy wrote:
> >> On Tuesday, November 15, 2016 at 8:46:51 AM UTC-5, Andrew David Wong wrote:
> >>> As far as I'm aware, any laptop with VT-x should be able to handle a 
> >>> Windows VMs, and in general, most laptops comes with Windows. So, you're 
> >>> basically just looking for a laptop that has good Qubes compatibility. 
> >>> Take a look at the following:
> >> a sad trend now is laptops that are bios locked to only run windows.
> >>
> >> id also like to find a vendor that will still give us support and coverage 
> >> on hardware issues, like ibm did before lenovo took over.
> > what I always suggest is to buy one that has a manual to view all the 
> > specifications.  Preferably where you can see bios pictures in the manual.  
> > And for Qubes I always suggest one where you can see VT-d is enabled in the 
> > picture.  or if it says its enabled by default then you are good to go for 
> > sure. TO get the full security benefits.
> >

this is why you find the picture of it preferably "enabled" in the manual 
before you buy it.



Re: [qubes-users] PAM errors after disabling password-less root

2016-11-16 Thread 3n7r0py1
On Wednesday, November 16, 2016 at 1:22:43 PM UTC, Chris Laprise wrote:
> On 11/15/2016 04:04 PM, Unman wrote:
> > On Tue, Nov 15, 2016 at 02:26:12PM -0500, Chris Laprise wrote:
> >> On 11/15/2016 07:20 AM, Unman wrote:
> >>> On Tue, Nov 15, 2016 at 11:55:13AM +, Unman wrote:
> >>>> On Tue, Nov 15, 2016 at 05:53:56AM -0500, Chris Laprise wrote:
> >>>>> Following the instructions for the 'vm-sudo' doc, I get the following error
> >>>>> in Debian 9:
> >>>>>
> >>>>> /usr/lib/qubes/qrexec-client-vm failed: exit code 1
> >>>>> sudo: PAM authentication error: System error
> >>>>>
> >>>>>
> >>>>> Also, in the Debian 8 template the instructions don't match, as there
> >>>>> appears to be no file '/etc/pam.d/common-auth'.
> >>>>>
> >>>>> Chris
> >>>>>
> >>>> Where did you get that template? The file is present in the default 3.2,
> >>>> and even in a minimal-no-recommends template for Debian-8.
> >>>>
> >>>> I'll look at the Debian-9 issue now.
> >>>>
> >>> I'm afraid I don't see this issue in a Debian-9 template.
> >>> Can you check your editing?
> >>>
> >>> Also, try manually running the qrexec-client-vm dom0 qubes.VMAuth
> >>> command, and making sure you get the expected output.
> >>> You should see the prompt(from the policy) and then  output from dom0.
> >>>
> >>> unman
> >>>
> >> Thanks for checking. However, I triple-checked my editing in Debian 9 and
> >> Debian 8 template is 'stock' basically nothing added to it.
> >>
> >> The qubes.VMAuth request said 'Request refused'. The doc appears to have a
> >> typo for the second command in Step 1. "Adding Dom0 “VMAuth” service" that
> >> causes '$anyvm' to disappear from the output. This line should use single
> >> quotes instead.
> >>
> >> Chris
> > You're right about that typo. Once you fixed it what happened?
> 
> It works now for Debian 9, submitted PR to fix the doc. I don't know 
> what the issue is with the missing file in Debian 8... The template's 
> basic form may not have a necessary package.
> 
> Chris

FWIW, the instructions work when applied to Whonix-Debian-8.

If I may piggyback on this thread with a related issue... The instructions 
(pre-typo) worked fine for both Fedora & Whonix VMs. But while the Fedora VMs 
would spin up silently, each Whonix VM required 4 sudo authorizations at each 
boot. Do you have any idea what that might be or how I could trace it? I don't 
have any user scripts / rc.local configured. The authorization requests 
sometimes appear while the VM light is yellow and other times won't appear 
until it's green. I'm worried that they might need to be clicked in the proper 
order and there's not enough identifying information on the dialogue to know 
what I'm authorizing. Would it be possible to pass the name of the triggering 
command to the dom0 sudo prompt?



Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-16 Thread pixel fairy
so far dell is the only company that's said yes to this, but no one i've talked 
to has actually tried qubes.



[qubes-users] sys-usb trouble

2016-11-16 Thread pixel fairy
sys-usb has been giving me problems in the past couple days. whenever it's 
restarted, it no longer talks to usb devices. the only solution i've found is 
rebooting the laptop. now, coming out of suspend it's "on", but i couldn't even 
start a terminal in it. this might be the relevant log entry.

the last log from it,

No protocol specified
qrexec-policy: cannot connect to X server :0
eintr
Rpc allowed: sys-usb dom0 qubes.WindowIconUpdater
Rpc allowed: sys-usb dom0 qubes.InputMouse
Rpc allowed: sys-usb dom0 qubes.NotifyUpdates
Rpc allowed: sys-usb dom0 qubes.InputMouse

It could be hardware. it's an old laptop (lenovo x201t) that's been through a 
lot. even simple web browsing hangs and gets slow and choppy. the battery only 
lasts 10 minutes.



[qubes-users] error reporting

2016-11-16 Thread pixel fairy
how do you copy paste errors from the qubes vm manager?



Re: [qubes-users] Qubes and Broadcom BCM4360 - A Success Story

2016-11-16 Thread kent . f . davis
On Saturday, March 12, 2016 at 2:29:21 PM UTC-7, Dave C wrote:
> On Saturday, March 12, 2016 at 1:52:19 AM UTC-8, Marek Marczykowski-Górecki
> wrote:
>
> On Fri, Mar 11, 2016 at 10:30:35PM -0800, Dave C wrote:
> > With earlier Qubes I tried to get a broadcom BCM4360 wireless card working,
> > but had no luck.  Recently I tried again with Qubes 3.1 and guess what, its
> > working.  I'm using it to post this message now.
>
> Thanks!
>
> I'm happy to contribute a little something back.
>
> See below for a little comment.
>
> > # Background
> >
> > I have a MacBookPro which sometimes I boot as a Mac, but also want to be
> > able to boot to Qubes.  Rather than install directly to the hard drive, I
> > installed Qubes on a portable SSD (http://amzn.com/B00N0V4JG2), but I don't
> > think that makes any difference in getting broadcom drivers set up.
> >
> > If you try the portable SSD, I found I had to use standard partitioning as
> > LVM didn't not work.  Otherwise its a normal Qubes install with all but the
> > boot sector encrypted.  Qubes will boot just fine on the MacBookPro.  But
> > it won't recognize the Broadcom wifi hardware.
> >
> > # Getting a Network Connection
> >
> > There's a chicken and egg problem here.  You'll need to get online in order
> > to install the software needed to make the broadcom work.  This is tricky
> > if like mine the macbook has no ethernet port.  There's only one USB PCI
> > device, you can't associate it with a netvm (i.e. to tether).  But there
> > are a couple thunderbolt ports.
> >
> > To get online I used a thunderbolt to ethernet with USB adapter
> > (http://amzn.com/B00PY194CK).  This adapter should work with ethernet,
> > obviously, and also a USB tether through android device.  I was able to get
> > both to work, although the tethering was flakey.  The point of this awkward
> > device is to use it just long enough to get the broadcom working, then you
> > shouldn't need it any more.
> >
> > Since I installed Qubes on the portable SSD, I could have instead taken the
> > portable SSD drive and booted it on some other hardware (i.e. a desktop
> > with more linux-friendly hardware) and downloaded the necessary software
> > there.  That's what I'd do if I had to do this all over again, but the
> > first time through it was handy to be on the machine with the broadcom, as
> > there was some trial and error.
> >
> > # Some Assembly Required
> >
> > Once online, all the steps needed to get broadcom working can be found.
> > It's a matter of sorting through the weeds to get to what works.  What
> > follows should help.
> >
> > ## Net VM Setup
> >
> > I decided not to modify sys-net directly.  I created a new net vm called
> > net-powerbook.  I even cloned the fedora-23 template, so my net-powerbook
> > uses a template called f23-broadcom.  I don't think the additional template
> > is necessary.  At the time, I thought I'd simply `sudo yum install
> > broadcom-wl akmod-wl` and presto I'd have the drivers.  With Qubes it is
> > not that simple.
> >
> > Attach the right PCI device to net-powerbook.  In my case it is:
> >
> > 03:00.0 Network controller: Broadcom Corporation BCM4360 802.11ac Wireless
> > Network Adapter (rev 03)
> >
> > Note, while using the thunderbolt adapter, I also had another PCI device
> > attached.  It's not plugged in now, so Qubes doesn't even list the PCI
> > device, otherwise I'd paste it here.
> >
> > Fire up a net-powerbook terminal.
> >
> > ## Install Broadcom Driver (on net-powerbook)
> >
> > As I mentioned, a simple `sudo yum install broadcom-wl akmod-wl` didn't
> > work for me.
>
> I wonder how pvgrub2 usage would work here.
> After completing steps to enable it[1], just `sudo yum install
> broadcom-wl akmod-wl` should be enough. At least in theory...
>
> [1] https://www.qubes-os.org/doc/managing-vm-kernel/#tocAnchor-1-3
>
> This sounds like a more future-proof approach.  No risk of future kernel 
> upgrades breaking the net vm.  Will explore this as time permits.
> 
> BTW, I think `sudo yum install broadcom-wl akmod-wl` did not work as intended 
> in Fedora 23 - nothing to do with Qubes.  While the command had no errors, it 
> doesn't seem to produce the wl module.  Running `sudo modprobe wl` afterwards 
> fails.  Regardless of how you build the module, the pvgrub2 method sounds 
> pretty clean.
> 
> -Dave

I can confirm that a variation of Dave Cohen's suggestions will get wireless 
working on the newest model MacBook Air (MacbookAir7,2).

Generally, the steps required are:
in dom0:
echo :03:00.0 | sudo tee /sys/bus/pci/drivers/pciback/permissive

in sys-net:
sudo dnf 

[qubes-users] Upgrade graphic drivers in HVM

2016-11-16 Thread likus
Hi
I installed an HVM with Windows, and when I want to install some
program, a message often opens saying "Your graphic card driver is
outdated".
How do I upgrade it? Standard VGA Graphics driver



[qubes-users] Installing in basic graphics mode

2016-11-16 Thread D

Hi folks,

I was unable to boot into the graphical installer, on my X200 running 
Coreboot with SeaBIOS, so I selected "install with basic graphics mode".
I want to install this way, but whenever I select the installation 
destination, it always says "encryption requested for LUKS device sda2 
but no encryption key specified for this device".
I followed the instructions for manual encryption, but there is no way 
to select this existing partition in the basic installer.


I know that this computer works with Qubes (aside from broken IOMMU, but 
that's another story), since I used Qubes when I had the proprietary 
BIOS.


Any ideas?

D



Re: [qubes-users] PAM errors after disabling password-less root

2016-11-16 Thread Chris Laprise

On 11/15/2016 04:04 PM, Unman wrote:
> On Tue, Nov 15, 2016 at 02:26:12PM -0500, Chris Laprise wrote:
> > On 11/15/2016 07:20 AM, Unman wrote:
> > > On Tue, Nov 15, 2016 at 11:55:13AM +, Unman wrote:
> > > > On Tue, Nov 15, 2016 at 05:53:56AM -0500, Chris Laprise wrote:
> > > > > Following the instructions for the 'vm-sudo' doc, I get the following error
> > > > > in Debian 9:
> > > > >
> > > > > /usr/lib/qubes/qrexec-client-vm failed: exit code 1
> > > > > sudo: PAM authentication error: System error
> > > > >
> > > > > Also, in the Debian 8 template the instructions don't match, as there
> > > > > appears to be no file '/etc/pam.d/common-auth'.
> > > > >
> > > > > Chris
> > > >
> > > > Where did you get that template? The file is present in the default 3.2,
> > > > and even in a minimal-no-recommends template for Debian-8.
> > > >
> > > > I'll look at the Debian-9 issue now.
> > >
> > > I'm afraid I don't see this issue in a Debian-9 template.
> > > Can you check your editing?
> > >
> > > Also, try manually running the qrexec-client-vm dom0 qubes.VMAuth
> > > command, and making sure you get the expected output.
> > > You should see the prompt(from the policy) and then  output from dom0.
> > >
> > > unman
> >
> > Thanks for checking. However, I triple-checked my editing in Debian 9 and
> > Debian 8 template is 'stock' basically nothing added to it.
> >
> > The qubes.VMAuth request said 'Request refused'. The doc appears to have a
> > typo for the second command in Step 1. "Adding Dom0 “VMAuth” service" that
> > causes '$anyvm' to disappear from the output. This line should use single
> > quotes instead.
> >
> > Chris
>
> You're right about that typo. Once you fixed it what happened?

It works now for Debian 9, submitted PR to fix the doc. I don't know 
what the issue is with the missing file in Debian 8... The template's 
basic form may not have a necessary package.

Chris

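The quoting problem discussed in this thread, as an added example that is not part of the original messages or of the Qubes documentation: inside double quotes the shell expands `$anyvm` as an (unset) variable, so the policy line loses its source field. The policy text `$anyvm dom0 ask`, the three-field rule layout the lint assumes, the temp file and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Policy lines are constructed and written to a temp file,
# never to /etc/qubes-rpc/policy.

# Write the rule the way the doc's typo did: double quotes let the shell
# expand $anyvm, which is not a variable in an ordinary shell.
write_double_quoted() {
    ( unset anyvm; set +u; printf '%s\n' "$anyvm dom0 ask" ) > "$1"
}

# Write the rule the corrected way: single quotes keep the literal token.
write_single_quoted() {
    printf '%s\n' '$anyvm dom0 ask' > "$1"
}

# Lint a policy file. Assumed rule layout: <source> <target> <action>[,opts]
# with action one of allow, deny, ask. Comment and blank lines are skipped.
# Prints each malformed line; returns 0 when the file is clean, 1 otherwise.
lint_policy() {
    awk '
        /^[ \t]*#/ { next }
        NF == 0    { next }
        NF < 3 || $3 !~ /^(allow|deny|ask)(,.*)?$/ {
            printf "line %d malformed: [%s]\n", NR, $0
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Demonstration on a scratch file.
f=$(mktemp)
write_double_quoted "$f"
lint_policy "$f" || echo "double-quoted form: source field is missing"
write_single_quoted "$f"
lint_policy "$f" && echo "single-quoted form: rule is well formed"
rm -f "$f"
```
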


Re: [qubes-users] Just Broke Debian-8 Template

2016-11-16 Thread Sec Tester
On Wednesday, 16 November 2016 21:08:14 UTC+10, Unman  wrote:
> On Wed, Nov 16, 2016 at 10:26:34AM +, Unman wrote:
> > On Tue, Nov 15, 2016 at 09:50:58PM -0800, Sec Tester wrote:
> > > So i wanted to uninstall that rubbish image editor "imagemagick"
> > > 
> > > Ran: sudo apt-get remove imagemagick
> > > 
> > > VM crashed. Error in VM manager says "qrexec not connected"
> > > 
> > > Tried to restart, VM manager Error says "can not start qubes-guid"
> > > 
> > > Would prefer not to replace entire template if possible?
> > > 
> > > Cheers.
> > > 
> > Indeed, the warning about removing qubes-gui-agent and assorted other
> > qubes modules might have tipped you off that this wasn't wise.
> > 
> > Use qvm-revert-template-changes which will get you back to a clean
> > start.
> > 
> > unman
> >
> 
> Alternatively connect to a console from dom0 using:
> sudo xl console
> This will give you a console connection from where you can
> log in as root and reinstall the packages you removed.
> 
> unman

Thank you 

qvm-revert-template-changes debian-8 - didn't fix it. I tried to set an earlier 
date, but --help file and man file didn't specify the option format.

while VM light was still yellow
ran: sudo xl debian-8
root
apt-get install imagemagick

Unfortunately still won't start up. must be other missing packages.

I decided to just replace the template.

> Indeed, the warning about removing qubes-gui-agent and assorted other
> qubes modules might have tipped you off that this wasn't wise.

ha, well just habit of hitting y when running apt-get. Oops :P

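A pre-removal check for the failure described in this thread, as an added example that is not from any of the posters: `apt-get -s remove` only simulates and prints one `Remv` line per package it would remove, so a wrapper can refuse when a Qubes agent package is on that list. The sample output, the version strings, the `qubes-core-agent` name and the function names are constructed or assumed; only `qubes-gui-agent` is named in the thread.

```shell
#!/bin/sh
# Added example. The simulation output below is constructed for illustration.

sample_sim_output() {
cat <<'EOF'
Reading package lists...
Building dependency tree...
The following packages will be REMOVED:
  imagemagick qubes-core-agent qubes-gui-agent
Remv qubes-core-agent [3.2.0]
Remv qubes-gui-agent [3.2.0]
Remv imagemagick [8:6.8.9.9-5]
EOF
}

# Read `apt-get -s remove` (or purge) output on stdin and print every
# package named qubes-* that the operation would remove, one per line.
qubes_pkgs_in_sim() {
    awk '($1 == "Remv" || $1 == "Purg") && $2 ~ /^qubes-/ { print $2 }'
}

# safe_remove PKG...: simulate first, refuse if Qubes packages are affected,
# otherwise run the real removal. Returns 1 on refusal, 2 if simulation fails.
safe_remove() {
    sim=$(apt-get -s remove "$@") || return 2
    hit=$(printf '%s\n' "$sim" | qubes_pkgs_in_sim)
    if [ -n "$hit" ]; then
        # $hit is left unquoted on purpose so the names print on one line.
        echo "refusing, this would also remove:" $hit >&2
        return 1
    fi
    sudo apt-get remove "$@"
}

# Demonstration on the constructed output only; nothing is installed or removed.
echo "Qubes packages in the sample simulation:"
sample_sim_output | qubes_pkgs_in_sim
```
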


[qubes-users] Re: Genymotion in Qubes

2016-11-16 Thread pl11ty
> Nice question. I would also like to know.
>
> Have you setup a Win7 HVM?
>
> This maybe be the best place to try setup Genymotion.
>
It should be simpler to use an emulator that doesn't require VirtualBox in
Windows 7, because for Linux I haven't found anything



Re: [qubes-users] Re: One step foerward, two steps back on Macbook 11,1 - can't boot into Qubes

2016-11-16 Thread dumbcyber
On Wednesday, 16 November 2016 11:33:03 UTC+11, dumbcyber  wrote:
> On Tuesday, 15 November 2016 18:14:00 UTC+11, Jean-Philippe Ouellet  wrote:
> > On Tue, Nov 15, 2016 at 12:17 AM, dumbcyber <> wrote:
> > > On Tuesday, 15 November 2016 10:28:52 UTC+11, Marek Marczykowski-Górecki  
> > > wrote:
> > >> you need to remove 'rd.qubes.hide_all_usb' from kernel parameters.
> > >
> > > Thanks for the info. For me a noob, how do I remove that parameter from 
> > > kernel?  Thank you.
> > 
> > From the installer, use your favorite editor on
> > /boot/efi/EFI/qubes/xen.cfg to remove just the rd.qubes.hide_all_usb
> > parameter from the kernel= line. It will probably be at the end of the
> > line.
> > 
> > Note that your EFI partition might be mounted somewhere other than
> > /boot/efi (I don't remember). The `mount` command should tell you
> > where. Look for something like:
> > /dev/nvme0n1p1 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=...
> 
> Thanks for the guide.  My boot64x.cfg does not contain this parameter. Here 
> is the full CFG file
> 
> [global]
> default=4.4.14-11.pvops.qubes.x86_64
> 
> [4.4.14-11.pvops.qubes.x86_64]
> options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M
> kernel=vmlinuz-4.4.14-11.pvops.qubes.x86_64 root=/dev/mapper/qubes_dom0-root 
> rd.luks.uuid=luks-9b163fd2-93d9-4498-a83d-712baae8432e 
> rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap 
> i915.preliminary_hw_support=1 rhgb quiet
> ramdisk=initramfs-4.4.14-11.pvops.qubes.x86_64.img
> 
> [4.4.14-11.pvops.qubes.x86_64]
> options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M
> kernel=vmlinuz-4.4.14-11.pvops.qubes.x86_64 root=/dev/mapper/qubes_dom0-root 
> rd.luks.uuid=luks-9b163fd2-93d9-4498-a83d-712baae8432e 
> rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap 
> i915.preliminary_hw_support=1 rhgb quiet
> ramdisk=initramfs-4.4.14-11.pvops.qubes.x86_64.img
> 
> 
> Thanks for your help.
> PS I'm building another Qubes install where I'll uncheck "use sys-usb" later 
> today

Finally it's working. I rebuilt everything from the beginning making sure 
sys-usb was unchecked during installation. Qubes boots on the Mac fine - little 
slow but gets there in the end. I can log, keyboard works. Now the next 
challenge, getting it networked but that's not for this post. Thanks for your 
help everyone.



Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-16 Thread taii...@gmx.com
If you really do belong to some massive enterprise I am sure your 
dell/hpe/whatever rep will be able to give you a yes/no answer on what 
laptops support IOMMU.
There is no "uncertainty", if it supports linux plus IOMMU and SLAT or 
RVI (any recent cpu) it supports qubes. Ask your rep and get it in writing 
then buy one and test it.


Having coreboot with FSP is pointless, you shouldn't bother with that.



Re: [qubes-users] Just Broke Debian-8 Template

2016-11-16 Thread Unman
On Wed, Nov 16, 2016 at 10:26:34AM +, Unman wrote:
> On Tue, Nov 15, 2016 at 09:50:58PM -0800, Sec Tester wrote:
> > So i wanted to uninstall that rubbish image editor "imagemagick"
> > 
> > Ran: sudo apt-get remove imagemagick
> > 
> > VM crashed. Error in VM manager says "qrexec not connected"
> > 
> > Tried to restart, VM manager Error says "can not start qubes-guid"
> > 
> > Would prefer not to replace entire template if possible?
> > 
> > Cheers.
> > 
> Indeed, the warning about removing qubes-gui-agent and assorted other
> qubes modules might have tipped you off that this wasn't wise.
> 
> Use qvm-revert-template-changes which will get you back to a clean
> start.
> 
> unman
>

Alternatively connect to a console from dom0 using:
sudo xl console
This will give you a console connection from where you can
log in as root and reinstall the packages you removed.

unman



Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-16 Thread Achim Patzner

On 16.11.2016 at 11:53, taii...@gmx.com wrote:
> The "certified" program is stupid in its current form I agree but what 
> is stopping you from buying a dell business or hpe machine with 
> iommu/TPM and using that?

The uncertainty whether it will work with Qubes 4.0 at all as it is very 
improbable that it will support coreboot. And many companies require 
hardware fulfilling all requirements of the software they are planning 
to use so this will kill Qubes for them.

> If you want a new open source firmware machine that supports adv. 
> virtualization go hit up IBM, they'll happily sell you a high 
> performance OpenPOWER8 system with just that, complete with a nice fat 
> enterprise grade extended support maintenance contract.

Can I carry it around with me? I once had a SparcBook... Nice thing, that.

> Coreboot is hobbyist/embedded pretty much,

That's the problem. Requiring it will exclude many from using Qubes. And 
a disclaimer "Qubes 4.0 might also work on EFI or even legacy firmware" 
is not enough reassurance.

> the reason that only "outdated" designs are supported is because intel 
> (and now AMD) actively tries to stop free firmware and people are 
> mostly doing this on their spare time - it boils down to an issue of 
> funding.

I don't care for the reason. There is no applicable "serious" hardware 
fulfilling the requirement so I cannot seriously try to move Qubes into 
corporate environments. Which will in the end severely restrict spreading 
of Qubes.



Achim



Re: [qubes-users] Using distribution kernel in Template VM

2016-11-16 Thread Fred
On 16/11/2016 00:31, Marek Marczykowski-Górecki wrote:
>> Is there any way to debug this further? Have any steps been
>> missed?
> 
> Check if u2mfn module was built automatically. Simply login on the 
> template console and check `modinfo u2mfn`. If it's not there, build
> it using `dkms autoinstall` command (see its manual page for exact 
> parameters).

Hi Marek,

Thanks for your reply. I got this fixed in the end by going back to the
Qubes web link and double-checking everything. I saw the dkms
autoinstall comment there and so I tried it and it worked. The strange
thing is, I saw u2mfn in lsmod output so didn't think this step was
necessary.  So was this just the wrong version or something?

So booting a fedora kernel is now working but I'm unable to do what I
was trying to achieve with all of this in the first place which is get
my wifi card working in sys-net.

I can now boot using a vanilla upstream Fedora kernel in sys-net and
associated kernel-devel. I built a wifi driver using akmods for my
broadcom device in the template fedora vm. I assigned my wifi pci device
over to sys-net and although I can see the pci device in lspci in
sys-net and the wl module is loaded, no cigar. As a proof of
process/concept I followed the same steps without Qubes/Xen by getting a
fedora-23 ISO and installing it to USB. Booted that, built driver,
modprobed it and bingo. So for some reason this isn't working when done
through Qubes/Xen. But I'm not sure what could be preventing it and what
to look at next. Some kind of PCI issue perhaps?

In the meantime I've just assigned an entire USB controller over to
sys-net and am using a USB wireless which works just fine but isn't
ideal from some other perspectives.



Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-16 Thread taii...@gmx.com
The "certified" program is stupid in its current form I agree but what 
is stopping you from buying a dell business or hpe machine with 
iommu/TPM and using that? Nobody says you have to buy stuff from 
whatever company gives kickbacks. (purism "coreboot" with FSP is just a 
shimboot loader, FSP does all the work so it is far from secure or open 
source and it still has ME - dishonest)


If you want a new open source firmware machine that supports adv. 
virtualization go hit up IBM, they'll happily sell you a high 
performance OpenPOWER8 system with just that, complete with a nice fat 
enterprise grade extended support maintenance contract.


Coreboot is hobbyist/embedded pretty much, the reason that only 
"outdated" designs are supported is because intel (and now AMD) actively 
tries to stop free firmware and people are mostly doing this on their 
spare time - it boils down to an issue of funding.
If there were wealthy backers there'd be TALOS type machines on store 
shelves complete with a "coreboot + linux" sticker on the front


Just remember that lenovo is not exactly trustworthy, 4x bios rootkits 
in the past few years and they're owned by the PRC - the us government 
no longer buys them for classified operations computing.

On 11/16/2016 05:35 AM, Achim Patzner wrote:
> On 15.11.2016 at 14:46, Andrew David Wong wrote:
> > If you plan to be using the same machines for Qubes 4.x, you should 
> > also take into consideration the updated requirements for 
> > Qubes-certified hardware, which will go into effect for 4.x:
> >
> > https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/
>
> These requirements are probably the worst you can do for corporate 
> users; they prefer "standard hardware"; even I would rather stop using 
> Qubes than not being able to take any off-the-shelf Lenovo systems but 
> having to use underperforming boxes from unknown sources. Keep in mind 
> that the average company doesn't like hardware with broad maintenance 
> contracts and won't buy outdated designs (and that's about every 
> system supported by coreboot) either.
>
> Achim





Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-16 Thread Achim Patzner

On 15.11.2016 at 14:46, Andrew David Wong wrote:
> If you plan to be using the same machines for Qubes 4.x, you should 
> also take into consideration the updated requirements for 
> Qubes-certified hardware, which will go into effect for 4.x:
>
> https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/

These requirements are probably the worst you can do for corporate 
users; they prefer "standard hardware"; even I would rather stop using 
Qubes than not being able to take any off-the-shelf Lenovo systems but 
having to use underperforming boxes from unknown sources. Keep in mind 
that the average company doesn't like hardware with broad maintenance 
contracts and won't buy outdated designs (and that's about every system 
supported by coreboot) either.



Achim



Re: [qubes-users] Re: Fedora 24 template available for Qubes 3.2

2016-11-16 Thread yaqu
On Wed, 16 Nov 2016 01:14:24 +0100, Marek Marczykowski-Górecki
 wrote:

> On Wed, Nov 16, 2016 at 12:28:17AM +0100, yaqu wrote:
> > > You have tried to remove fedora-23 using dnf, while some appVMs
> > > still were using it as a template. Dnf has displayed an error,
> > > but also it has removed package, leaving it in qubes config (and
> > > not cleaning template's directory).
> > 
> > Anyway, I think it should be considered as a bug.
> > 
> > Steps to reproduce (assuming fedora-23-minimal is not installed):
> > 
> > $ sudo qubes-dom0-update qubes-template-fedora-23-minimal
> > $ qvm-create -t fedora-23-minimal -l red test-vm
> > $ sudo dnf remove qubes-template-fedora-23-minimal
> 
> Yes, you're right. Previously (before Fedora introduced DNF), failure
> in %preun script aborted the operation, now it results just in a
> message. Not sure if this is a bug or a feature of DNF...

Removing package using plain rpm gives the same result, so it's not
dnf's fault.

There is an interesting entry in rpm changelog:
* Fix %preun scriptlet not aborting package erase
http://rpm.org/wiki/Releases/4.13.0

So it's fixed in rpm 4.13.0, but in dom0 we have broken rpm 4.13.0-rc1.

BTW it was fixed in commit:
https://github.com/rpm-software-management/rpm/commit/1ac507f15f014e69b926a1c2bf9a46a2a4dcaff3
And broken in:
https://github.com/rpm-software-management/rpm/commit/f4a49c3d446bb180ca6b30a4337065fb6511e641

-- 
yaqu



Re: [qubes-users] Just Broke Debian-8 Template

2016-11-16 Thread Unman
On Tue, Nov 15, 2016 at 09:50:58PM -0800, Sec Tester wrote:
> So i wanted to uninstall that rubbish image editor "imagemagick"
> 
> Ran: sudo apt-get remove imagemagick
> 
> VM crashed. Error in VM manager says "qrexec not connected"
> 
> Tried to restart, VM manager Error says "can not start qubes-guid"
> 
> Would prefer not to replace entire template if possible?
> 
> Cheers.
> 
Indeed, the warning about removing qubes-gui-agent and assorted other
qubes modules might have tipped you off that this wasn't wise.

Use qvm-revert-template-changes which will get you back to a clean
start.

unman



Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-16 Thread taii...@gmx.com
I have purchased systems that had just that but the proprietary BIOS 
still did not properly implement the IOMMU.

This is considered a "pro" level technology and you are generally SOL if 
you buy a consumer level laptop (even some "enterprise" ones) - If you 
don't care about ME the best choice would be a Dell business (Latitude 
or Precision) laptop with ProSupport so you can get someone on the phone 
who speaks English, isn't a moron and is able to escalate problems to 
the engineering team in case you have any problems such as bad DMAR tables.

FYI - "VT-d" is IOMMU with the AMD marketing name of AMD-Vi - it is not 
an Intel technology.

On 11/15/2016 10:45 PM, raahe...@gmail.com wrote:
> On Tuesday, November 15, 2016 at 7:44:53 PM UTC-5, pixel fairy wrote:
> > On Tuesday, November 15, 2016 at 8:46:51 AM UTC-5, Andrew David Wong wrote:
> > > As far as I'm aware, any laptop with VT-x should be able to handle Windows 
> > > VMs, and in general, most laptops come with Windows. So, you're basically just 
> > > looking for a laptop that has good Qubes compatibility. Take a look at the 
> > > following:
> > 
> > a sad trend now is laptops that are BIOS locked to only run Windows.
> > 
> > I'd also like to find a vendor that will still give us support and coverage on 
> > hardware issues, like IBM did before Lenovo took over.
> 
> what I always suggest is to buy one that has a manual to view all the 
> specifications.  Preferably where you can see BIOS pictures in the manual.  And 
> for Qubes I always suggest one where you can see VT-d is enabled in the 
> picture.  or if it says it's enabled by default then you are good to go for 
> sure. To get the full security benefits.





[qubes-users] Qubes at 33c3

2016-11-16 Thread Michael Carbone
Hi all,

For those going to 33c3, some of the Qubes team and related projects
will be there. It will likely be part of the Secure OS/Desktops assembly
as with last year:

https://events.ccc.de/congress/2016/wiki/Projects:Qubes
https://events.ccc.de/congress/2016/wiki/Assembly:Secure_Desktops

Thanks,
Michael

-- 
Michael Carbone

Qubes OS | https://www.qubes-os.org
@QubesOS 

PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4




Re: [qubes-users] vPro and Qubes

2016-11-16 Thread taii...@gmx.com

Accidentally sent before I was finished, didn't include:
https://www.crowdsupply.com/raptorcs/talos - open source hardware, thus 
making it more difficult for unaccountable hardware backdoors (ME = 
software supported by hardware VS a true hardware backdoor)


There are ARM devices like the Novena that don't have blobs, but they 
aren't high performance and I don't know of any that have the ARM 
equivalent of an IOMMU.


Get out your wallet for big blue!



Re: [qubes-users] vPro and Qubes

2016-11-16 Thread taii...@gmx.com
Intel ME (2006+ systems)/AMD PSP (for FM2/AM4), malicious firmware, 
exploits for the various devices on your system (the IOMMU is 
initialized too late on x86 to protect the host from DMA exploits in the 
pre-OS boot window)

The sky truly is the limit.

If you want *reasonably* secure computing you have to either buy a blob 
free coreboot board or spend 4K+ on an OpenPOWER8 system that has open 
source field re-programmable firmware.
Still currently even on coreboot you have the DMA window problem, 
although theoretically it can be fixed.


https://blogs.coreboot.org/blog/2015/02/23/the-truth-about-purism-why-librem-is-not-the-same-as-libre/
https://hackaday.com/2016/01/22/the-trouble-with-intels-management-engine/

Joanna's papers are a great read - she is one of the few elite security 
researchers that actually understand the problem posed by unaccountable 
supervisor processors.


On 11/16/2016 03:03 AM, nezna...@xy9ce.tk wrote:
> If I have an Intel processor with the vPro technology - should I be afraid of some 
> "factory vulnerabilities" of that technology and some manipulation of my BIOS? Or is 
> the security of Qubes higher than that level?





Re: [qubes-users] recommendation for a laptop to use windows in qubes?

2016-11-16 Thread Salmiakki
On Tuesday, November 15, 2016 at 2:46:51 PM UTC+1, Andrew David Wong wrote:
> On 2016-11-15 03:52, pixel fairy wrote:
> > management is interested in qubes, but still need windows for some tasks. 
> > this means buying a laptop that comes with windows, but still can run qubes 
> > well. any recommendations? any license issues to be aware of?
> > 
> 
> As far as I'm aware, any laptop with VT-x should be able to handle Windows 
> VMs, and in general, most laptops come with Windows. So, you're basically 
> just looking for a laptop that has good Qubes compatibility. Take a look at 
> the following:
> 
> System Requirements: https://www.qubes-os.org/doc/system-requirements/
> Hardware Compatibility List (HCL): https://www.qubes-os.org/hcl/
> 
> If you plan to be using the same machines for Qubes 4.x, you should also take 
> into consideration the updated requirements for Qubes-certified hardware, 
> which will go into effect for 4.x:
> 
> https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/
> 
> Licensing is a tricky issue. I'm not sure whether the Windows license allows 
> you to clone Windows VMs or to run multiple Windows AppVMs from a single 
> Windows TemplateHVM. That's a question for the lawyers. Maybe others around 
> here have information about it.
> 
> - -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org


Just to throw it out there. Lenovo has recently tried to lock down their 
laptops and prevent you from installing any Linux on them. You may run into 
significantly more problems if you take one of these Microsoft Signature PCs.

https://www.reddit.com/r/linux/comments/53ri0m/warning_microsoft_signature_pc_program_now/

https://mspoweruser.com/lenovo-denies-blocking-linux-windows-10-pcs/



[qubes-users] Re: vPro and Qubes

2016-11-16 Thread Salmiakki
On Wednesday, November 16, 2016 at 9:03:12 AM UTC+1, nezn...@xy9ce.tk wrote:
> If I have an Intel processor with the vPro technology - should I be afraid of some 
> "factory vulnerabilities" of that technology and some manipulation of my 
> BIOS? Or is the security of Qubes higher than that level?

Qubes cannot protect you from this but neither can anything else.
Hardware vulnerabilities will always beat any software. This is also true for 
Qubes.



[qubes-users] vPro and Qubes

2016-11-16 Thread neznaika
If I have an Intel processor with the vPro technology - should I be afraid of some 
"factory vulnerabilities" of that technology and some manipulation of my 
BIOS? Or is the security of Qubes higher than that level?
