[qubes-users] Problem adding USB controller to win7 VM
I'm trying to have my phone connected via USB to my win7 VM so that I can flash it with custom firmware. I have three different USB controllers so I don't mind giving up one of the controllers to the win7 VM. The controllers work just fine when connected to sys-usb, but when I connect either one to the win7 VM it will not boot... How should I go about debugging this? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9a737c6f-6476-4677-ae3a-9479f0821511%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Trouble Networking with a Single PCI-USB Device
I have been able to get my machine up and running Qubes 3.2 with good hardware support: keyboard, touchpad, touchscreen and stylus all work nicely. The one sticking point is wireless networking. In terms of the hardware build, I'm dealing with a machine that has everything mentioned above on one PCI-USB device. This is assigned to dom0. Networking doesn't seem to work in dom0; no wireless SSIDs appear. I don't know if this is a problem or simply dom0 not allowing it by design. However, when I do qvm-usb the network card is listed as an available USB device, so the system is at least aware of it. Additionally, I tested Fedora 23 on this machine and was able to use the network card so long as the Linux kernel was 4.3 or greater, which is the case in Qubes 3.2. I'd like to assign the USB networking card to sys-net (or a new netvm USB qube if need be) if that's possible. However, it cannot be separated out; the entire PCI-USB device must be assigned, which means all of the input devices go as well. As I understand it, the keyboard can be allowed to pass input to dom0 from a USB qube; would treating sys-net this way be making is a USB qube for such purposes? I've tried making this work by adding "sys-net dom0 allow" to the qubes.InputKeyboard file in /etc/qubes-rpc/policy as described in the qubes online documentation, then assigning the PCI device to sys-net. This does not seem to work. Upon re-start, input is no longer received by dom0. I can do nothing at that point. So, I am either misunderstanding what should be possible, incorrectly attempting it, or missing something. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1b03b3ed-8c51-4183-a47e-503584743d4d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Lenovo G505S Coreboot
On Thursday, 19 January 2017 03:04:32 UTC+4, tai...@gmx.com wrote: > As always physical access is a checkmate situation, you need to not be > an idiot and don't leave your stuff in overseas hotel rooms or not have > secure locks on your door. Unless USB port seals (e.g. http://www.padjack.com/padjack-versions/usb-port-lock/) are put in place as soon as the laptop is removed from the manufacturers box it is impossible to know whether someone has installed a device that has in turn infected firmware. A similar situation for any DMA access ports (Thunderbolt etc) I'm interested in being able to take a possibly infected laptop (i.e. infected with firmware malware) and reset it to a known safe starting point. Coreboot seems to handle the BIOS (thank you for clarification that it completely rewrite legacy and UEFI). Replacing the HD with a new SSD should handle that firmware attack vector. That leaves the other EEPROMS. I figure, if I'm going to strip down my G505S to reflash with Coreboot, I should see what other EEPROMs I can reflash. Apart from the obvious RAM and SSD upgrade and possible putting switches on peripherals, are there any other hardware mods you can suggest for the G505S. Having sorted out the hardware, I am then going to be looking to use Qubes to protect against any attempts to reflash through Malware and after thats done, I'll be looking for ways to detect that any attack is being attempted. All in all I think I've got about a years work ahead ! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/25c4d632-9ddd-40a7-a28c-b0ff6c8201de%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: [qubes-devel] Connecting to Guest Video Subsystem?
On 01/18/2017 09:26 PM, drew.qu...@gmail.com wrote: Hi folks, I'm wondering how I would connect to a Guests Display/Monitor as a stream/feed ? Or what do I need to listen to to get the next page? Sincerely, Drew. VNC? This isn't a devel conversation, you should have posted this in the qubes users group -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/eff0c59d-4221-0092-c781-76c69fc803fd%40gmx.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Prob installing VLC in Fedora24 Template
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2017-01-18 08:08, raahe...@gmail.com wrote: > On Wednesday, January 18, 2017 at 5:01:54 AM UTC-5, Arnulf Maria > Bultmann wrote: ya weird. not sure why, did you make any changes to the templates >>> >>> is there a clean all command maybe u can try. >> >> sorry I don't understand what you mean writing "is there a clean >> all command ...". The template itself is unchange > > I mean try sudo dnf clean all. > > Not sure why it works when installed in the appvm but not the > template. Maybe try removing the rpmfusion repos. then dnf > update. then add them again? Maybe someone else can chime in. > Arnulf, I can't reproduce the problem you're experiencing. I have a feeling that you might be doing something wrong but leaving it out of your descriptions. For example, your "procedure" didn't even include enabling the RPMFusion repo, so evidently a lot of important details are missing from your reports. - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJYgCgGAAoJENtN07w5UDAwnRkP/A7qjXYoOOcG9yuodh7RugAq 33NHgYkPIUSecmN1e6JcMHRCkBFZyg1XpkvoKqPCsFuwwv5VZiCr/IVrCM+l3TcU xk6/Kpadu/9QmNi4svyokMLCJqmaPPxvOdJ4yrqe0rFj5XPvB66lz29rWIsoUsLh zag9nOkbjn/OfWKyjZ5jXcjjF8rNg4a01ZlOauLk5Kc+C74myWvblphJktohKAYx 1Res+38ay23AW9I3a8O5zwodIzEOIM5OI6XEof33H758+eynYAmwaAC3F43zQ1Kx NzwHam+x53dIRt/hmBJRRjFh/gwtmPzhEAXxV+KImiAvNtBTmhVZeSdoN+GZHqrV e/B0wPbfI3L79cIiM2RPrOdl7Uz0zZYgBBEb/dAADHUEQJjpjVm2R7ADr+IoZfWs /RMBQiIG5tRLpo0i6tPJDQrPCtIKnBfK1KDAyQgVkBIQvA7aQvtVm1dYN1THfAK9 FgrePrwMnuP1JR8KKLNEzIpqSFUHa05xnpX/H2bN9nJa+bgbi3l7xMCznvlMLZ59 hAKhsA8yUFXBYS7+nEC2hjzFRRuf7pmMVPF0AH/jt1yrhrHYUqGZumOviUWCC9e7 Pe0goi+NRcZI75A17LExOzSSBXjHcUufu31tB6xfge/BPM7psID+USCaFHZwHg2M hNUW17+N7U3ybbo06uxW =3KeN -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/824b1646-9b05-7d35-e06b-13d6a0c24804%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Default UpdateVM and Issues while updating VM
Hi guys, I'm having a hard time trying to figure out this. When I installed Qubes OS I think I chose Whonix as the default to update VMs, but eventually I ended up changing it after a couple of days and set the UpdateVM to "sys-firewall". Now, everything seems to be fine, except for when I try to upgrade the Debian 8 template to Debian 9. No matter what I try, I keep getting this sort of error after running apt-get update && apt-get upgrade: *** E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082: E: Failed to fetch [...] Unable to connect to 10.137.255.254:8082: *** If you notice, it says it can't connect to that IP, which after debugging I've found out corresponds to the Whonix Gateway VM! So for some reason when I clone the current Debian 8 template and try to update it it tries to do it through Whonix, and not through the sys-firewall VM as I have it configured. I've found something similar being described here: https://forums.whonix.org/t/templates-incorrectly-think-theyre-not-connected-to-a-whonix-gateway/2258 . But in that case it is a Whonix VM suffering the issue, which makes more sense... So, in short, any idea or tips on how to properly (re)configure a VM so the updates go through the sys-firewall VM and not through Whonix?!. Cheers -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8c0be511-519d-4eee-b1d7-511d691b1a32%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Updates, security
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2017-01-18 18:00, haxy wrote: > On 2017-01-16 13:22, haxy wrote: On 2017-01-14 20:04, haxy wrote: Qubes onion repos have just been implemented. Minimal documentation available here: https://www.qubes-os.org/doc/hidden-service-repos/ > > First of all, thanks for making the onion repos available! Following directions to onionize repositories I made a mistake inputting the onion address. Re-running the commands, dom0 example, "sudo sed -i 's/yum.qubes-os.org/qubes-yum.kk63ava6.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo" has no effect. Cat still shows the input made with the incorrect onion repo. Tried using "sudo sed -i 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo" with the same results.' (Noticed the command from the whonix wiki differs slightly from the qubes wiki command. "qubes-yum" vice "yum" before the onion address.) Was able to get the debian and fedora repos functioning by manually inputting the correct onion address in their respective files but am unable to do that in Dom0. How can I correct this issue in Dom0? > > You can do it the same way in dom0: by manually editing the file. > > For example: > > $ sudo vim /etc/yum.repos.d/qubes-dom0.repo (Edit the file, save, > and close.) > >> >> > Thanks Andrew. Using vim worked. :) > > Do you know why re-running the command, "sudo sed -i > 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' > /etc/yum.repos.d/qubes-dom0.repo && cat > /etc/yum.repos.d/qubes-dom0.repo" did not work to overwrite the > first incorrect address entry? Curious if it's reproducible or > something on my end only? > It's possible that 'yum.qubes-os.org' was no longer present in the text and therefore couldn't be found in order to be replaced. > Also, a couple of other questions. > > 1. Seems there are 2 distinct onion addresses that can be used for > the qubes repos, "qubesos4z6n4.onion" or "whonix > kk63ava6.onion". Is there any reason to prefer one over > the other? > No, both point to the same server. > 2. Which onion address should be used for Qubes website access? > "http://qubesos4z6n4.onion/"; or > "http://qubesosmamapaxpa.onion/";? Looks like the > "qubesosmamapaxpa" site is not up to date. > http://qubesos4z6n4.onion/ should be used. We don't have any control over http://qubesosmamapaxpa.onion/ (it appears to be updated only infrequently). - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJYgCMuAAoJENtN07w5UDAwGMsQAJ/eqXk4yOOssNyYvokwkJs+ zvFR4xaX4LillkIceHroYy3yDhl7o7QergoDUPkUZqLhBrl+zakabJjWrPw9jDMV LWgmldy2vq4mM/1jlU5wfHM9aja/497lpm7kgkMfYSZRHdgeY2eX96h/v3qg6Sqa L9Xe3K9w5PMMpN4e2QeqNtPj1OMNGF96xx06Z4Kd0kN5fuVDEmf9t5UIjYp21nUD DtPBS/nJzCcempxPKFsDbKWHrDvNV/kB+hXfzc7OyqlnM69aJPrNyxjsGKQTF7j6 0wQGtDUY3/1dRq4QZgOblMvRUO8KhixnHxgbXg2qXd39WEqPvlc0f5GsNIhaNlYK 6OhrbnABPjOCb7qWLCNDudSjVlBORb+kYHF67R5mwXK09P7on87sbz6pjrTCgZuv oYR1mPIB+k0xbZc1/+L4fDmvUjg3jLSvY5qvZpG77xzOJhklS1aEpJL69z43Hpkq nxWynqKGuvpoq1+oeAlICwiaC3pQXPWgPdmcKJLQ7kKDZixF9UL1D5Pq21jnrT0/ nrKNRYDwCVNLbs7oYbIdXTnY9TSR6JLkzQmgXLG17uYRMFRf1yEquCdOgH2cecZx 7+mvxlQBWALcerfe3py5/qYcd9srnaO+eNDadYnNc7AN5p9B1XXrvBMy5ZWtTh27 QuwsQhFCJ0laMXPz0rOP =BU76 -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/41262301-b580-a5b6-77de-aa68ee6e908f%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Updates, security
> -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > On 2017-01-16 13:22, haxy wrote: >> On 2017-01-14 20:04, haxy wrote: >> On Sat, Jan 14, 2017 at 12:08:25AM -, haxy wrote: >>> Going back to the first post. >>> >>> "Qubes repository will allow changing the "http" to >>> "https" in the qubes entry /etc/apt/sources.list.d/." >>> >>> How would one implement that on a qubes-fedora template? >>> >>> Looking at Installing and updating software in VMs >>> "http://qubesosmamapaxpa.onion/doc/software-update-vm/"; >>> >>> It looks like https mirrors are used for fedora and that >>> other entries in yum.repos.d including qubes-*.repo could >>> be changed from http to https. >>> >>> Would that work? Although onion service would be >>> preferred, might be a bit better than clearnet after exit >>> node. >>> >>> >> Yes, that will work as you think. The benefits are >> marginal. >> >> >> > Thanks Unman. A marginal benefit is still a benefit. > Especially if easily done. Would be nice if the devs could > make that change in an upcoming update, at least until onion > service repos are implemented. > >> >> Qubes onion repos have just been implemented. Minimal >> documentation available here: >> >> https://www.qubes-os.org/doc/hidden-service-repos/ >> >>> >>> >> First of all, thanks for making the onion repos available! >> >> Following directions to onionize repositories I made a mistake >> inputting the onion address. Re-running the commands, dom0 >> example, "sudo sed -i >> 's/yum.qubes-os.org/qubes-yum.kk63ava6.onion/' >> /etc/yum.repos.d/qubes-dom0.repo && cat >> /etc/yum.repos.d/qubes-dom0.repo" has no effect. Cat still shows >> the input made with the incorrect onion repo. Tried using "sudo >> sed -i 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' >> /etc/yum.repos.d/qubes-dom0.repo && cat >> /etc/yum.repos.d/qubes-dom0.repo" with the same results.' >> >> (Noticed the command from the whonix wiki differs slightly from the >> qubes wiki command. "qubes-yum" vice "yum" before the onion >> address.) >> >> Was able to get the debian and fedora repos functioning by >> manually inputting the correct onion address in their respective >> files but am unable to do that in Dom0. How can I correct this >> issue in Dom0? >> > > You can do it the same way in dom0: by manually editing the file. > > For example: > > $ sudo vim /etc/yum.repos.d/qubes-dom0.repo > (Edit the file, save, and close.) > > - -- > Andrew David Wong (Axon) > Community Manager, Qubes OS > https://www.qubes-os.org > -BEGIN PGP SIGNATURE- > > iQIcBAEBCgAGBQJYfiA1AAoJENtN07w5UDAwjqgQAM167NqJu3SsyrI5BnkQBzg4 > g5/O1TI0lT/z0HUmMB6130I21hMpYUb7OJQjpo/M7Cfh/3G2D/7EzIXD/jebgexH > gUgEdoPaa7zMWXOAETFeD+AT4rdj8DSARsAZhtWV897IvPaT7GitOpPay6a8+v4+ > UYYIf3Wb/EQjaDB1SuEXAdT3cXYyIKhlTtLRHOF0WSPdF91BOUgjNVKaKthXTH0D > HmZbGlpPjAQL3kVzFGIqulPTPWI+KM6Dg5MC5aiNokzMrm6o2buN0Ig2w6OWYug9 > ys/Hmlxb4GI4VGMcZ9gk4U30ARXieMDgwVD1Vrgx4qcN7i71hXPJtmQDCKmipae7 > KlPdQKM2QN4XiEqBXIFpb9zy9uuqoxPEgl0wAzmjz0QrZedAzHrMBnhx2sQj4BXB > T6NlvuIpSRrRMCJV54lw0OhStDPyJVO9MQJLaHdb83Pg1/u6y+gplQIP4440gLay > mgymvV6aVBBafJ3CB0RFRePjQpPhhx6LxLRlDkK52deXRIwFJcQDzc3tuMQw9b/4 > cC93aivanCdGOtEYis0pOciST7eRw6g+ObTBvV3y1fk/fQYjSNpxYIsty/64UsvY > C4bJ/BjV4h07IlJq48RQsI5zRtf5fPNW4mudrFCig07Y4ongpnJsX7zoP0bP0M1O > MjkWAImlnvdFfLwosh6U > =gdX0 > -END PGP SIGNATURE- > > Thanks Andrew. Using vim worked. :) Do you know why re-running the command, "sudo sed -i 's/yum.qubes-os.org/yum.qubesos4z6n4.onion/' /etc/yum.repos.d/qubes-dom0.repo && cat /etc/yum.repos.d/qubes-dom0.repo" did not work to overwrite the first incorrect address entry? Curious if it's reproducible or something on my end only? Also, a couple of other questions. 1. Seems there are 2 distinct onion addresses that can be used for the qubes repos, "qubesos4z6n4.onion" or "whonix kk63ava6.onion". Is there any reason to prefer one over the other? 2. Which onion address should be used for Qubes website access? "http://qubesos4z6n4.onion/"; or "http://qubesosmamapaxpa.onion/";? Looks like the "qubesosmamapaxpa" site is not up to date. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/842d9913afb8a11eb59de9fd794ab121.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Drive Passthrough not functioning correctly.
On Thursday, 19 January 2017 12:05:07 UTC+11, 01v3g4n10 wrote:
> On Thursday, January 19, 2017 at 12:48:17 AM UTC, Drew White wrote:
> > Hi folks,
> >
> > Here is what I was trying to do..
> > Pass the drive to the guest.
> >
> >
> > [{user}@dom0 {folder}]$ qvm-block -a {vmname} dom0:/dev/sdc
> > Usage: qvm-block -l [options]
> > usage: qvm-block -a [options] :
> > usage: qvm-block -A [options] :
> > usage: qvm-block -d [options] :
> > usage: qvm-block -d [options]
> > List/set VM block devices.
> >
> > qvm-block: error: Invalid device name: dom0:/dev/sdc
> >
> >
> >
> > Why does it say that it's invalid device?
> >
> > Disk /dev/sdc: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors
> >
> > The device is there, so what's happenned?
> >
> > Hope someone can help please.
> >
> > Sincerely,
> > Drew.
> Try removing /dev/ from /dev/sdc and instead use dom0:sdc
> qvm-block -a {vmname} dom0:sdc
> https://www.qubes-os.org/doc/usb/
Same thing, just doesn't have the "/dev/" in the text...
Thanks for the link... Aparently.
root@dom0 {folder}]$ xl block-attach {VMNAME} phy:/dev/sdc xvdr
I had to use that.
So that worked, but qvm-block doesn't.
Is this a bug in qvm-block?
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/ad20c397-490a-45d4-b1f3-0fb2ee191d7b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Drive Passthrough not functioning correctly.
On Thursday, January 19, 2017 at 12:48:17 AM UTC, Drew White wrote:
> Hi folks,
>
> Here is what I was trying to do..
> Pass the drive to the guest.
>
>
> [{user}@dom0 {folder}]$ qvm-block -a {vmname} dom0:/dev/sdc
> Usage: qvm-block -l [options]
> usage: qvm-block -a [options] :
> usage: qvm-block -A [options] :
> usage: qvm-block -d [options] :
> usage: qvm-block -d [options]
> List/set VM block devices.
>
> qvm-block: error: Invalid device name: dom0:/dev/sdc
>
>
>
> Why does it say that it's invalid device?
>
> Disk /dev/sdc: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors
>
> The device is there, so what's happenned?
>
> Hope someone can help please.
>
> Sincerely,
> Drew.
Try removing /dev/ from /dev/sdc and instead use dom0:sdc
qvm-block -a {vmname} dom0:sdc
https://www.qubes-os.org/doc/usb/
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/23da9da5-96ba-4cd7-a815-156d8445cb14%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: All audio on streaming video out of sync
On 2017-01-18 16:23, raahe...@gmail.com wrote: On Wednesday, January 18, 2017 at 12:44:28 AM UTC-5, Gaijin wrote: On 2017-01-18 04:35, raahe...@gmail.com wrote: > On Friday, January 13, 2017 at 9:03:03 PM UTC-5, Gaijin wrote: >> All of the audio for videos played on my AppVMs, regardless of what >> template it's based on (Fedora 24/Debian 8), or what browser I try >> (Firefox/Chrome/Vivaldi), is completely out of sync. It's not just >> YouTube, but Vimeo, self-hosted, etc. >> >> I tried uncommenting audio_low_latency in /etc/qubes/quid.conf in dom0 >> That didn't fix things. >> I tried playing with the realtime-priority in /etc/pulse/daemon.conf >> That didn't seem to make any difference. >> >> Are there any other places where I could try to fix this latency >> issue? >> I assume it's dom0 as everything is affected. > > whats your pc specs/ what soundcard? I'm running Qubes R3.2 Sound is going through an nVidia GeForce GTX 560 Ti card. I don't have nVidia drivers installed. This machine has an Intel Core i7 2600 @ 3.40GHz CPU and 16.0GB Dual-Channel DDR3 @ 665MHz RAM. How are you plugging it in? HDMI? if so you got further then I did. I dont' get sound from hdmi only video. Why not just use the onboard sound card? Oops I was going off an old hardware report from when this machine ran Windows. Got under the desk to check, and sound is going through the motherboard: ASRock H67DE It operates fine usually, and never showed this sort of issue from Qubes 1.x-3.1. When I upgraded to Qubes 3.2 I started noticing this lag. I don't watch a lot of video so it took me a while to notice. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/43684ac057443991e3efc1564ea148f1%40riseup.net. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: QUBES 3.2 won't install... EFI_MEMMAP is not enabled... ESRT header is not in the memory map
This fixed the issue for me. Thank you S MUCH! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/eb18f577-a7ea-445a-9450-7d372b4c8d3e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Drive Passthrough not functioning correctly.
Hi folks,
Here is what I was trying to do..
Pass the drive to the guest.
[{user}@dom0 {folder}]$ qvm-block -a {vmname} dom0:/dev/sdc
Usage: qvm-block -l [options]
usage: qvm-block -a [options] :
usage: qvm-block -A [options] :
usage: qvm-block -d [options] :
usage: qvm-block -d [options]
List/set VM block devices.
qvm-block: error: Invalid device name: dom0:/dev/sdc
Why does it say that it's invalid device?
Disk /dev/sdc: 931.5 GiB, 1000204886016 bytes, 1953525168 sectors
The device is there, so what's happenned?
Hope someone can help please.
Sincerely,
Drew.
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/d670faba-9c9d-466b-910c-87caecd2e855%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Question to Mirage OS firewall users
On 2017-01-18 7:30 AM, Антон Чехов wrote: > Hi! > > Is anyone using the mirage firewall in connection with a proxyVM? How do you > configure it properly? Does it handle qubes-firewall-users-scripts? > I've run a Mirage-based firewall both in front of and behind a firewallVM and they chain together fine. Mirage Firewall in its current iteration does *not* respect modifications to firewall rules via Qubes and has to be inputted manually (there are some instructions on how to do that on the software author's blog). It isn't to say that Mirage Firewall couldn't do it one day, but I believe the author of the code is leaving it up as an exercise for the reader. Maybe he'll get around to implementing it, or maybe not, but from a purely technical standpoint, there's no reason why it couldn't be modified to work with Qubes firewall user scripts, it's just that it hasn't been implemented yet. Note that even if you're running the latest code off of GitHub, currently, Mirage Firewall still doesn't work correctly with DispVMs (or at least, I haven't been able to get it to work; the DispVM connects to it, but there's no traffic), even though there were some minimal fixes applied to try to handle how it handles IP addresses from a different pool. Works fine with AppVMs, though, as well as TemplateVMs, at least in my experience. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/o5ovu5%24nnf%241%40blaine.gmane.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Lenovo G505S Coreboot
As always physical access is a checkmate situation, you need to not be an idiot and don't leave your stuff in overseas hotel rooms or not have secure locks on your door. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1f8b1a4d-7b88-cd5d-972f-1cfbb1b2f2ac%40gmx.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] manual update dom0 to newest 4.5 kernel
My problem exactly. Had Qubes running well on an old Lenovo & would love to run it on this more capable Zenbook. Did you get this working in the end? Alternative is to spare myself the headache & keep running Mint until the next release. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1a23ba76-54e4-45af-ab76-7c90ced86c44%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Network hardware not recognized in Debian-based NetVM
On 01/17/2017 06:49 PM, 'Joshua Bashir Gabriel' via qubes-users wrote: Update: Got it working. It needed the wifi drivers for Debian 8/9, as well as a couple of other utilities, found here: https://wiki.debian.org/WiFi. Also, I added the client for PrivateInternetAccess.com to the Net VM so I have a single netvm with always-on VPN. Cheers, Bash -- Just FYI, configuring VPN in sys-net is not recommended because NetVMs are generally untrusted. Its better to configure a proxyVM to manage VPN connections. Also, those vendor-supplied packages are not usually equipped to block leaks in a Qubes network environment (i.e. where the VPN client essentially runs in an isolated 'router'); They are designed to block leaks originating with locally-running apps, so their assurances of stopping leaks probably won't hold in Qubes. For a secure Qubes configuration, see https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f437e850-e6f0-da3a-15a7-e1867291fec0%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Lenovo G505S Coreboot
среда, 18 января 2017 г., 19:44:03 UTC+3 пользователь Asterysk написал:
> On Wednesday, 18 January 2017 18:12:31 UTC+4, qmast...@gmail.com wrote:
> > среда, 18 января 2017 г., 14:34:29 UTC+3 пользователь Asterysk написал:
> > > >First of all we need to make sure that you are prepared for flashing.
> > > >coreboot image cannot be >flashed internally on Lenovo G505S through a
> > > >purely software way (I tried with >internal:laptop=force_I_want_a_brick
> > > >flashrom option, it always fails, cant do that!) .
> > >
> > > >To install a coreboot, you will have to:
> > > >1) get some hardware tools like screwdrivers, CH341A USB flasher and
> > > >SOIC-8 test clip
> > > >2) tear down your laptop to access the motherboard
> > > >3) take SOIC-8 test clip and attach its wires to USB flasher that is
> > > >supported by flashrom (such as CH341A), then attach SOIC-8 test clip to
> > > >BIOS chip with 8 legs, then plug USB flasher device to another computer
> > > >with Linux (while it is still connected to G505S motherboard through
> > > >wires and SOIC-8 test clip)
> > > >4) using flashrom, make a dump of your existing BIOS just in case, then
> > > >flash a new coreboot image with verification 5) assemble your laptop in
> > > >reverse order . That is exactly how computer repair shops are repairing
> > > >laptops with failed BIOS updates, and are earning pretty good money on
> > > >it
> > >
> > > >Here is a hardware flashing manual -
> > > >http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate
> > > >.
> > >
> > > Everything is described in a great detail here: complete list of tools
> > > and where you could buy them (need to spend from $0 to $30, depends on
> > > what tools you already have), how to connect these tools properly, a lot
> > > of helpful photos - for example, photo of G505S motherboard, so you could
> > > easily see where is that BIOS chip with 8 legs is located, dont need to
> > > spend time reading the motherboard chip labels. While this instruction
> > > mentions Bus Pirate USB flasher, the instructions for CH341A USB flasher
> > > are exactly the same - only a flashrom command is different (could see
> > > this command at the end of page)
> > >
> > > My current coreboot build is from December 2016 - it is not the latest,
> > > but still pretty recent, so I am not going to rebuild it from scratch
> > > yet. Still, there is one component inside BIOS image that could be easily
> > > updated: KolibriOS, tiny wonderful open source operating system that fits
> > > on a floppy. It could be launched from SeaBIOS Boot Menu, and works as a
> > > RamDisk (no changes to your computer saved). After you tell that you are
> > > prepared for hardware BIOS flashing, I will take KolibriOS latest daily
> > > build, add it to ROM and send a complete coreboot BIOS ROM to you
> > >
> > > Please reply if you have any questions
> > >
> > > Best regards,
> > > qmastery
> > > ---
> > >
> > > Is it possible to also reflash the USB firmware at the same time in case
> > > it has been tampered by Bad USB ?
> >
> > Asterysk, what do you mean by "reflash the USB firmware" ? USB firmware of
> > G505S laptop? on Lenovo G505S platform, USB ports seem to be directly
> > connected to Bolton-M3 Fusion Controller Hub FCH ("southbridge"), according
> > to LA-A091P datasheet -
> > https://justnote.by/assets/files/sch/Compal%20LA-A091P%20r1.0.pdf . There
> > is a Bolton-M3 AMD datasheet for BIOS developers -
> > http://support.amd.com/TechDocs/51205_Bolton_FCH_BIOS_Dev_Guide.pdf , but I
> > cant understand if Bolton-M3 has any personal built-in memory which is
> > possible to rewrite (and infect!), or it only maps the attached stuff to
> > its memory map like LPC and PCI roms... Please help me to clarify!
> >
> > If we talk about the RAM of Bolton-M3 : computer's BIOS, while booting,
> > could install XHCI blob to this RAM to enable USB 3.0. I hate closed source
> > blobs with a passion, so - while building a coreboot - I chose not to
> > include USB 3.0 XHCI blob ; so it is most likely that my laptop's "USB 3.0"
> > blue ports are working only on USB 2.0 speed. That USB speed downgrade is
> > the only downside of my open source build vs the official BIOS
> >
> > If we will look from a side of BadUSB flash drive, behind Bolton-M3 there
> > are some USB devices like Card Reader and Web Camera. They have their
> > personal USB controllers. So, even if Bolton-M3 does not have a personal
> > possible-to-write memory, maybe a BadUSB device with super sophisticated
> > firmware targeting this FCH could somehow hack Bolton-M3 FCH and force it
> > to send the commands to reprogram the USB controllers of connected internal
> > USB devices. To successfully perform this attack the attacker will need to
> > learn a lot of HUGE datasheets! For example, here are two datasheets about
> > Bolton-M3 registers -
> > http:
Re: [qubes-users] Re: USB & PCIe devices management questions
I thought it would be a less cumbersome way to do it than attaching a device, and then manually running two commands to attach, and also two to detach the device. Every single time I use any device. That is less than ideal, that is why I thought I might be able to assign one USB controller to each of my qubes, so I can use USB devices with less hassle, yet still isolate them to specific qubes. Can I consider a USB hub a 'device'? W dniu środa, 18 stycznia 2017 16:13:11 UTC+1 użytkownik podmo napisał: > bb.al...@gmail.com wrote: > > What about PCIe USB cards? Could I assign such pcie device to specific > > cube, so USB ports on that card are available only for that qube, as there > > is another controller on the card(I think so at least), or is my reasoning > > wrong? > > Keep in mind you can passthrough a single USB device to a qube by > following the steps at the bottom of https://www.qubes-os.org/doc/usb so > you don't really need to use all these separate USB controllers, but the > method you are describing would work too. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bb5fa61a-9552-434c-8134-11345273d21c%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Lenovo G505S Coreboot
On Wednesday, 18 January 2017 18:12:31 UTC+4, qmast...@gmail.com wrote:
> среда, 18 января 2017 г., 14:34:29 UTC+3 пользователь Asterysk написал:
> > >First of all we need to make sure that you are prepared for flashing.
> > >coreboot image cannot be >flashed internally on Lenovo G505S through a
> > >purely software way (I tried with >internal:laptop=force_I_want_a_brick
> > >flashrom option, it always fails, cant do that!) .
> >
> > >To install a coreboot, you will have to:
> > >1) get some hardware tools like screwdrivers, CH341A USB flasher and
> > >SOIC-8 test clip
> > >2) tear down your laptop to access the motherboard
> > >3) take SOIC-8 test clip and attach its wires to USB flasher that is
> > >supported by flashrom (such as CH341A), then attach SOIC-8 test clip to
> > >BIOS chip with 8 legs, then plug USB flasher device to another computer
> > >with Linux (while it is still connected to G505S motherboard through wires
> > >and SOIC-8 test clip)
> > >4) using flashrom, make a dump of your existing BIOS just in case, then
> > >flash a new coreboot image with verification 5) assemble your laptop in
> > >reverse order . That is exactly how computer repair shops are repairing
> > >laptops with failed BIOS updates, and are earning pretty good money on it
> >
> > >Here is a hardware flashing manual -
> > >http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate .
> >
> > Everything is described in a great detail here: complete list of tools and
> > where you could buy them (need to spend from $0 to $30, depends on what
> > tools you already have), how to connect these tools properly, a lot of
> > helpful photos - for example, photo of G505S motherboard, so you could
> > easily see where is that BIOS chip with 8 legs is located, dont need to
> > spend time reading the motherboard chip labels. While this instruction
> > mentions Bus Pirate USB flasher, the instructions for CH341A USB flasher
> > are exactly the same - only a flashrom command is different (could see this
> > command at the end of page)
> >
> > My current coreboot build is from December 2016 - it is not the latest, but
> > still pretty recent, so I am not going to rebuild it from scratch yet.
> > Still, there is one component inside BIOS image that could be easily
> > updated: KolibriOS, tiny wonderful open source operating system that fits
> > on a floppy. It could be launched from SeaBIOS Boot Menu, and works as a
> > RamDisk (no changes to your computer saved). After you tell that you are
> > prepared for hardware BIOS flashing, I will take KolibriOS latest daily
> > build, add it to ROM and send a complete coreboot BIOS ROM to you
> >
> > Please reply if you have any questions
> >
> > Best regards,
> > qmastery
> > ---
> >
> > Is it possible to also reflash the USB firmware at the same time in case it
> > has been tampered by Bad USB ?
>
> Asterysk, what do you mean by "reflash the USB firmware" ? USB firmware of
> G505S laptop? on Lenovo G505S platform, USB ports seem to be directly
> connected to Bolton-M3 Fusion Controller Hub FCH ("southbridge"), according
> to LA-A091P datasheet -
> https://justnote.by/assets/files/sch/Compal%20LA-A091P%20r1.0.pdf . There is
> a Bolton-M3 AMD datasheet for BIOS developers -
> http://support.amd.com/TechDocs/51205_Bolton_FCH_BIOS_Dev_Guide.pdf , but I
> cant understand if Bolton-M3 has any personal built-in memory which is
> possible to rewrite (and infect!), or it only maps the attached stuff to its
> memory map like LPC and PCI roms... Please help me to clarify!
>
> If we talk about the RAM of Bolton-M3 : computer's BIOS, while booting, could
> install XHCI blob to this RAM to enable USB 3.0. I hate closed source blobs
> with a passion, so - while building a coreboot - I chose not to include USB
> 3.0 XHCI blob ; so it is most likely that my laptop's "USB 3.0" blue ports
> are working only on USB 2.0 speed. That USB speed downgrade is the only
> downside of my open source build vs the official BIOS
>
> If we will look from a side of BadUSB flash drive, behind Bolton-M3 there are
> some USB devices like Card Reader and Web Camera. They have their personal
> USB controllers. So, even if Bolton-M3 does not have a personal
> possible-to-write memory, maybe a BadUSB device with super sophisticated
> firmware targeting this FCH could somehow hack Bolton-M3 FCH and force it to
> send the commands to reprogram the USB controllers of connected internal USB
> devices. To successfully perform this attack the attacker will need to learn
> a lot of HUGE datasheets! For example, here are two datasheets about
> Bolton-M3 registers -
> http://support.amd.com/TechDocs/51191_Bolton_FCH_RPR.pdf ,
> http://support.amd.com/TechDocs/51192_Bolton_FCH_RRG.pdf , 750 pages in
> total! And that is not talking about other Bolton-M3 datasheets, the
> datasheets of USB controllers which need to
[qubes-users] Re: Web video suddenly plays at 1/6 speed
On Friday, January 13, 2017 at 6:48:06 PM UTC-5, justin.h...@gmail.com wrote: > I have a recent desktop machine running Qubes 3.2 on a 4GHz i7 with 16GB of > RAM > and integrated Intel graphics. Until yesterday, I'd been happily watching > Netflix and Youtube videos without any trouble. > > Then I boot up my PC one day and suddenly playback on those sites is at about > 1/6 speed--totally unwatchable. It's the same whether the Qube is based on > fedora-23, fedora-24, debian-8, or debian-9. It also doesn't matter whether I > use Firefox or Chrome. It still happens on a fresh Qube made from an untouched > template. > > Performance otherwise is great--my connection is testing at about 50Mb, > applications (including browsers) are fast and responsive as ever. I can even > watch videos in VLC without any problems. It's only browser-based playback > that > doesn't work, and it never works no matter what. > > I didn't do anything unusual before this started happening except trim all the > templates (which I'd never done) and update all the templates (which I do > regularly). > > I'm completely baffled by this, so I'm turning to the list for help. Any > ideas? I've believed appvms are trimmed already and only dom0 might need manually trimming. But I could be wrong. Weird how its only your browsers affected. Have you tried deleting the appvm's and recreating them? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8053ec24-9d16-4e6c-9f15-cb4436dfee69%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: FYI: Experimental Qubes coldkernel support now available
On 2017-01-18 7:14 AM, Антон Чехов wrote: > Hello, > > I am testing coldkernel and I have a few questions. Does or should it work > with a vpn gateway? Do I have to change some config file or special > permissions? > I did not use grsec much in the past so I am in the process of learning. > I could connect to my coldkernel appvm via vpn gateway after freshly > compiling and starting the appvm. After reboot none of my coldkernel appvm is > connecting to the internet via vpn gateway anymore but connecting to clearnet > without a proxyvm. > To get the coldkernel working properly with net/proxyVMs and usbVMs, you need to add at least two more drivers to the kernel's .config file: CONFIG_XEN_BLKDEV_BACKEND=m CONFIG_XEN_NETDEV_BACKEND=m The easiest way to do that is to add those two lines to the coldkernel.config file *before* running "make qubes-guest" -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/o5o5g5%24lp7%241%40blaine.gmane.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: All audio on streaming video out of sync
On Wednesday, January 18, 2017 at 12:44:28 AM UTC-5, Gaijin wrote: > On 2017-01-18 04:35, raahe...@gmail.com wrote: > > On Friday, January 13, 2017 at 9:03:03 PM UTC-5, Gaijin wrote: > >> All of the audio for videos played on my AppVMs, regardless of what > >> template it's based on (Fedora 24/Debian 8), or what browser I try > >> (Firefox/Chrome/Vivaldi), is completely out of sync. It's not just > >> YouTube, but Vimeo, self-hosted, etc. > >> > >> I tried uncommenting audio_low_latency in /etc/qubes/quid.conf in dom0 > >> That didn't fix things. > >> I tried playing with the realtime-priority in /etc/pulse/daemon.conf > >> That didn't seem to make any difference. > >> > >> Are there any other places where I could try to fix this latency > >> issue? > >> I assume it's dom0 as everything is affected. > > > > whats your pc specs/ what soundcard? > > I'm running Qubes R3.2 > Sound is going through an nVidia GeForce GTX 560 Ti card. I don't have > nVidia drivers installed. > This machine has an Intel Core i7 2600 @ 3.40GHz CPU and 16.0GB > Dual-Channel DDR3 @ 665MHz RAM. How are you plugging it in? HDMI? if so you got further then I did. I dont' get sound from hdmi only video. Why not just use the onboard sound card? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d42d175e-30cb-40ec-b0fd-36727a837349%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Qubes 3.1 and 3.2(rc2) video driver question
On Sunday, August 7, 2016 at 12:29:24 PM UTC-4, Dima Puntus wrote: > Hi, > > > I'd like to know if there's a way to fix the terrible screen tearing that I'm > getting both on internal laptop screen and external monitor. > > > System info: > > > HP Elitebook 2570p: > Intel HD4000 graphics > CPU i7-3840QM > > > I know there's an Intel Graphics driver for Linux package by 01 dot org, but > I'm unable to install it in dom0 due to multiple dependencies which are > missing. What's the best approach to update the video driver? > > > Thank you > Dimitry > Have you used this machine on a baremetal linux? IMO this is a linux desktop issue. You can google the many solutions on how to fix this, but it might be in vain. Sometimes open vs prop drivers make a diff, sometimes playing with compositing and opengl settings helps. But don't get your hopes up. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/66a99758-718f-466d-baf5-baf46afad5a3%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: USB & PCIe devices management questions
On Wednesday, January 18, 2017 at 4:58:00 AM UTC-5, Grzesiek Chodzicki wrote: > W dniu sobota, 14 stycznia 2017 16:43:35 UTC+1 użytkownik B&B napisał: > > Hello, for starters, pardon my ignorance, I am at the very beginning of the > > learning curve. > > I am planning out a new workstation build, I want to plan it out with Qubes > > in mind. But I have few questions, as I do not have a Qubes compatible > > desktop right now, and my laptops are not really good to experiment with it. > > > > I want to add and assign a secondary GPU to a Windows based VM, to be used > > as a gaming and CAD machine. If I do that, what about monitor output, if > > primary GPU is in dom0, do I need to connect second GPU to a monitor, or > > can I route the signal somehow without additional hardware? > > I want to use few, separate, color coded USB hubs(spray paint for the win), > > each attached to different domain, with same color coding. I want it to > > work as seamlessly as possible, preferably with no additional steps after I > > attach/detach any device to/from a hub. It simply shows into a VM and acts > > accordingly. I have problem understanding how the qvm-pci and USB > > management works in this area. Is my planned use case even achievable or do > > I need to manage each device every single time I attach it? > > Is assigning devices to vms persistent after booting, or can be made > > persistent? > > GPU passthrough should work out of the box now so that's doable although I'm > afraid You're going to need a second monitor for that to work. > > As for the hubs, this might be tricky without a large number of separate USB > controllers. oh wow thats great. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/de77d4fc-9bff-4b79-9d69-794c6b79983d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Can anyone recommend a video card for Qubes
On Wednesday, January 18, 2017 at 5:00:14 AM UTC-5, qmast...@gmail.com wrote:
> среда, 18 января 2017 г., 7:21:37 UTC+3 пользователь raah...@gmail.com
> написал:
> > On Saturday, January 14, 2017 at 2:20:23 PM UTC-5, tai...@gmx.com wrote:
> > > On 01/14/2017 12:15 PM, qmaster...@gmail.com wrote:
> > >
> > > > суббота, 14 января 2017 г., 5:01:34 UTC-5 пользователь Chris Willard
> > > > написал:
> > > >> Hello All,
> > > >>
> > > >> I am using my on-board video but only getting 1024x768 resolution so
> > > >> wondered if there is another video card type I could use.
> > > >>
> > > >> --
> > > >> Best regards,
> > > >> Chris
> > > >>
> > > > any AMD graphic card should be great for Qubes, because AMD has pretty
> > > > good open source drivers for Linux. Dont get NVIDIA because in that
> > > > case you would have to use NVIDIA closed source drivers with hidden
> > > > backdoors and proven telemetry; nouveau is still not in a good shape,
> > > > probably because no real assistance from NVIDIA - they want everyone to
> > > > use their closed source stuff
> > > >
> > > Wait the nvidia linux drivers have telemetry?
> > > I thought it was only windows, and only if you install the "geforce
> > > experience".
> > >
> > > Irreguardless nvidia is an awful company that adds "bugs" to nerf
> > > featuresets on non-windows platforms, and they make it hard to attach
> > > the card to a virtual machine (ex: error 43).
> > >
> > > Just say NO to binary blobbed hardware.
> >
> > no not open source drivers. It really don't matter if its amd or nvidia.
> > I actually think the nvidia drivers are way better then amd for linux. I
> > use a gtx 650 and its always run great on linux. proprietary drivers
> > better for gaming. open source better for the linux desktops.What you
> > would want to do is just research the card model how it performs with
> > linux. and even more compatible would be the onboard intel like you are
> > already using. But I guess you would have to update the board in that case
> > to get latest resolutions and desktop effects.
>
> People who are using QubesOS usually care a lot about security, so: while
> NVIDIA closed source drivers probably have a better quality/performance than
> AMD open source drivers, NVIDIA closed source drivers are not an option just
> because their source code is closed (and also because it is a painful
> experience to update/maintain them)
>
> Last time I tested, 1 year ago it was like that (">" means "better than") :
> NVIDIA closed source > AMD open source > AMD closed source > NVIDIA open
> source (nouveau)
>
> Meanwhile, AMD drivers have been improving quickly during the recent times,
> so it could be just a matter of time before AMD open source drivers become
> better than NVIDIA closed source drivers (both in quality and performance)
they only have better performance in gaming. Like steam. When it comes to
xfce and kde desktops. the open source drivers give BETTER performance with my
nvidia card then proprietary. Meaning no screen flickering with opengl
effects in kde as example.
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/ef2a1ffb-8152-456d-b098-2e82022ef017%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Prob installing VLC in Fedora24 Template
On Wednesday, January 18, 2017 at 5:01:54 AM UTC-5, Arnulf Maria Bultmann wrote: > > > > > > ya weird. not sure why, did you make any changes to the templates > > > > is there a clean all command maybe u can try. > > sorry I don't understand what you mean writing "is there a clean all command > ...". > The template itself is unchange I mean try sudo dnf clean all. Not sure why it works when installed in the appvm but not the template. Maybe try removing the rpmfusion repos. then dnf update. then add them again? Maybe someone else can chime in. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9077a887-b017-484c-ba9c-06f75e9a83c9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Detection - Best Way
On Wednesday, January 18, 2017 at 12:27:54 AM UTC-5, Asterysk wrote: > It struck me that Qubes could be very useful for Detection of "malware" by > placing a monitoring capability . My question is in two parts: > > (1) Is Wireshark the best tool to use for this within Qubes > (2) Should it be placed in Dom 0 (if indeed thats possible) or in the sys-net > or sys-firewall would be safer in sys-net, although sys-firewall would tell you which vm making the connection. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/526e10af-725a-4e45-a54c-4d2d2bac7c5c%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Windows HVM and two monitors (dual head - dual headache ;-) ). Help appreciated.
daltong defourne wrote: > Well, first, the good thing: > Dual head windows HVM booted without issue. How did you configure this? I got it working under VMM on Debian by adding a secondary video adapter to the VM config but haven't been able to figure out where I'd do the same under Qubes. > What I'd like is capability for non-seamless windows VM to go into "full > full" screen and occupy both monitors while doing so (in order not to > waste any "pixel estate" to window borders and panel and such) One thing I noticed under Debian is that if I used the viewer built in to VMM, it wouldn't show me both monitors. I had to use virt-viewer instead. That gave me two independent windows; one for each monitor. Obviously I don't recommend trying to work around Qubes by using a non-standard viewer because that could easily cause security issues, but it might be a datapoint why you're only seeing one monitor. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d1a10d414cff09ceae178ba9c5a98766.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: USB & PCIe devices management questions
bb.alas...@gmail.com wrote: > What about PCIe USB cards? Could I assign such pcie device to specific > cube, so USB ports on that card are available only for that qube, as there > is another controller on the card(I think so at least), or is my reasoning > wrong? Keep in mind you can passthrough a single USB device to a qube by following the steps at the bottom of https://www.qubes-os.org/doc/usb so you don't really need to use all these separate USB controllers, but the method you are describing would work too. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d19965b0b6b79a1266f08b2897148668.webmail%40localhost. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] New Lenovo laptops: X1 (4th Gen), T460/p, and T560
среда, 18 января 2017 г., 14:39:47 UTC+3 пользователь Asterysk написал: > On Wednesday, 18 January 2017 13:32:26 UTC+4, qmast...@gmail.com wrote: > > среда, 18 января 2017 г., 5:46:30 UTC+3 пользователь steve@gmail.com > > написал: > > > On Tuesday, January 17, 2017 at 11:18:06 PM UTC+4, qmast...@gmail.com > > > wrote: > > > > вторник, 17 января 2017 г., 10:16:18 UTC-5 пользователь > > > > steve@gmail.com написал: > > > > > On Saturday, January 14, 2017 at 3:26:04 PM UTC+4, qmast...@gmail.com > > > > > wrote: > > > > > > 26 December 2016 г., 18:00:43 UTC-5 tai...@gmx.com написал: > > > > > > > Lenovo is a shitty company if you care about security, they have > > > > > > > stuck > > > > > > > irremovable rootkits their BIOS 4 separate times and they are > > > > > > > partially > > > > > > > owned by the PRC government > > > > > > > > > > > > Having a PRC backdoor is better than NSA one! (most laptop > > > > > > companies are American, so...) By the way, why not to get a Lenovo > > > > > > G505S laptop? > > > > > > 1) It is the latest AMD-based laptop which is supported by coreboot > > > > > > open source BIOS (so no closed source BIOS backdoors), and it does > > > > > > not have Intel ME backdoor. G505S's APUs are Richland - the last > > > > > > generation before AMD started to embed their own version of Intel > > > > > > ME, "AMD Security Processor" or PSP ( > > > > > > http://www.extremetech.com/wp-content/uploads/2013/11/AMDRoadmap-Mobility.png > > > > > > ) Although a closed source vga blob is still required for working > > > > > > graphics, luckily a coreboot's YABEL prevents the possible > > > > > > undocumented accesses of vga blob to other PCI devices > > > > > > 2) Supported by Qubes 3.2 - see HCL, > > > > > > https://groups.google.com/d/msg/qubes-users/TS1zfKZ7q8w/JQFkVF4xBgAJ > > > > > > . Most likely to be supported by Qubes 4.0 ( HVM=y, IOMMU=y, > > > > > > SLAT=y) and seems to meet its certification criteria so far - > > > > > > https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/ > > > > > > <-- webcam could be covered, speakers and wireless card are not > > > > > > soldered and could be removed, and just checked the last concerning > > > > > > thing - embedded microphone is a PCI device, not USB connected ;) > > > > > > 3) High end version of G505S has a top of the Richland generation > > > > > > A10-5750M APU, 3352 score at Passmark cpu-benchmark. If to compare > > > > > > with i5-6200U of Lenovo T460s, 3933 score - 17% faster. But > > > > > > i5-6200U is dual core, while A10-5750M is quad core. Also, despite > > > > > > being three years older, A10-5750M integrated graphics is faster > > > > > > than of i5-6200U. According to Passmark: Intel HD 520 - 844 G3D > > > > > > score, AMD HD 8650G - 950 G3D score, 13% faster. > > > > > > 3) In contrast with many modern laptops, G505S has two slots for > > > > > > RAM (instead of one) and its RAM is not soldered. That means: when > > > > > > your RAM fails a memtest after some years, instead of paying a > > > > > > fortune for the RAM chips replacement you could just remove RAM and > > > > > > install a new one. Also you could easily upgrade to 16 GB RAM > > > > > > (2x8GB), which helps not to think of RAM usage while using Qubes > > > > > > (currently running 14 VMs at the same time, with a lot of > > > > > > applications started, and they eat just 13 GB out of 16 GB) > > > > > > 4) G505S has either integrated or both integrated and discrete > > > > > > graphics (depends on G505S version). In any case, it is AMD only - > > > > > > which has great open source drivers for Linux. No need for NVIDIA > > > > > > closed source proprietary drivers with telemetry... > > > > > > 5) Almost all the components could be replaced by user, even a CPU > > > > > > is not soldered. Easy to tear down a laptop and assemble it back. > > > > > > Thanks to open source BIOS, no WiFi card whitelist, so possible to > > > > > > install any wireless card which has open source drivers for Linux > > > > > > (such as AR9462) > > > > > > Currently it is almost impossible to buy a new G505S, but the used > > > > > > ones are selling for cheap (e.g. 3 auctions currently at eBay for > > > > > > G505S version with A10-5750M APU, 1 UK and 2 US-based, one of them > > > > > > with buy it now price $250 - half of the original $500) > > > > > > > > > > I have an old G505 kicking around somewhere, will give it a go with > > > > > Qubes 3.2 and then try Coreboot. Thanks for the reminder ! Wonder if > > > > > this means I can get the KDE Desktop Cube animation to work. > > > > > > > > Steve, do you have G505 or G505S ? This "S" letter is important: while > > > > Lenovo G505S is supported by coreboot, tested and works OK, - there is > > > > no information if G505 is supported. Luckily G505 and G505S hardware > > > > seems to be quite similar, but there are some differences which could > > > > result in that G5
[qubes-users] Re: Question to Mirage OS firewall users
Hi! Is anyone using the mirage firewall in connection with a proxyVM? How do you configure it properly? Does it handle qubes-firewall-users-scripts? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/836d4e97-9045-4f34-bbcd-7c2e5a6328ed%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: HCL - HP 820 G1
On Thursday, 28 August 2014 19:47:34 UTC+1, Mihai Genescu wrote: > Hi, > Thanks for Qubes OS! > > > HVM: Yes, windows and linux HVMs created > Qubes version: R2rc1 and R2rc2 > Net+wireless net work, suspend works, sound works, fn+keys for suspend, > wireless, brightness work. > > Brightness hw keys (Fn+f9 and f10) did not work by default in R2rc1, I had to > add a file in /etc/X11/xorg.conf.d/20-intel.conf containing:Section "Device" > Identifier "Intel Graphics" > Driver "intel" > Option "Backlight" "intel_backlight" # use your backlight that > works here > BusID "PCI:0:2:0" > EndSection...instructions found on the net. > > > USB devices work. > > When it gets out of standby, the brightness is reset to 71 (although it was > less when it entered standby)...but it can be changed again to the desired > level. Hi, Have you managed to upgrade/install Qubes-Os 3.2 on your HP Elitebook 820 G1? Regards, Jerry -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/004f7a84-b3df-4df7-8612-16f6cb48d11a%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: FYI: Experimental Qubes coldkernel support now available
Hello, I am testing coldkernel and I have a few questions. Does or should it work with a vpn gateway? Do I have to change some config file or special permissions? I did not use grsec much in the past so I am in the process of learning. I could connect to my coldkernel appvm via vpn gateway after freshly compiling and starting the appvm. After reboot none of my coldkernel appvm is connecting to the internet via vpn gateway anymore but connecting to clearnet without a proxyvm. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/235bc9ba-f0d1-4fcd-ae5f-aa39363949cc%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Lenovo G505S Coreboot
среда, 18 января 2017 г., 14:34:29 UTC+3 пользователь Asterysk написал:
> >First of all we need to make sure that you are prepared for flashing.
> >coreboot image cannot be >flashed internally on Lenovo G505S through a
> >purely software way (I tried with >internal:laptop=force_I_want_a_brick
> >flashrom option, it always fails, cant do that!) .
>
> >To install a coreboot, you will have to:
> >1) get some hardware tools like screwdrivers, CH341A USB flasher and SOIC-8
> >test clip
> >2) tear down your laptop to access the motherboard
> >3) take SOIC-8 test clip and attach its wires to USB flasher that is
> >supported by flashrom (such as CH341A), then attach SOIC-8 test clip to BIOS
> >chip with 8 legs, then plug USB flasher device to another computer with
> >Linux (while it is still connected to G505S motherboard through wires and
> >SOIC-8 test clip)
> >4) using flashrom, make a dump of your existing BIOS just in case, then
> >flash a new coreboot image with verification 5) assemble your laptop in
> >reverse order . That is exactly how computer repair shops are repairing
> >laptops with failed BIOS updates, and are earning pretty good money on it
>
> >Here is a hardware flashing manual -
> >http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate .
>
> Everything is described in a great detail here: complete list of tools and
> where you could buy them (need to spend from $0 to $30, depends on what tools
> you already have), how to connect these tools properly, a lot of helpful
> photos - for example, photo of G505S motherboard, so you could easily see
> where is that BIOS chip with 8 legs is located, dont need to spend time
> reading the motherboard chip labels. While this instruction mentions Bus
> Pirate USB flasher, the instructions for CH341A USB flasher are exactly the
> same - only a flashrom command is different (could see this command at the
> end of page)
>
> My current coreboot build is from December 2016 - it is not the latest, but
> still pretty recent, so I am not going to rebuild it from scratch yet. Still,
> there is one component inside BIOS image that could be easily updated:
> KolibriOS, tiny wonderful open source operating system that fits on a floppy.
> It could be launched from SeaBIOS Boot Menu, and works as a RamDisk (no
> changes to your computer saved). After you tell that you are prepared for
> hardware BIOS flashing, I will take KolibriOS latest daily build, add it to
> ROM and send a complete coreboot BIOS ROM to you
>
> Please reply if you have any questions
>
> Best regards,
> qmastery
> ---
>
> Is it possible to also reflash the USB firmware at the same time in case it
> has been tampered by Bad USB ?
Asterysk, what do you mean by "reflash the USB firmware" ? USB firmware of
G505S laptop? on Lenovo G505S platform, USB ports seem to be directly connected
to Bolton-M3 Fusion Controller Hub FCH ("southbridge"), according to LA-A091P
datasheet - https://justnote.by/assets/files/sch/Compal%20LA-A091P%20r1.0.pdf .
There is a Bolton-M3 AMD datasheet for BIOS developers -
http://support.amd.com/TechDocs/51205_Bolton_FCH_BIOS_Dev_Guide.pdf , but I
cant understand if Bolton-M3 has any personal built-in memory which is possible
to rewrite (and infect!), or it only maps the attached stuff to its memory map
like LPC and PCI roms... Please help me to clarify!
If we talk about the RAM of Bolton-M3 : computer's BIOS, while booting, could
install XHCI blob to this RAM to enable USB 3.0. I hate closed source blobs
with a passion, so - while building a coreboot - I chose not to include USB 3.0
XHCI blob ; so it is most likely that my laptop's "USB 3.0" blue ports are
working only on USB 2.0 speed. That USB speed downgrade is the only downside of
my open source build vs the official BIOS
If we will look from a side of BadUSB flash drive, behind Bolton-M3 there are
some USB devices like Card Reader and Web Camera. They have their personal USB
controllers. So, even if Bolton-M3 does not have a personal possible-to-write
memory, maybe a BadUSB device with super sophisticated firmware targeting this
FCH could somehow hack Bolton-M3 FCH and force it to send the commands to
reprogram the USB controllers of connected internal USB devices. To
successfully perform this attack the attacker will need to learn a lot of HUGE
datasheets! For example, here are two datasheets about Bolton-M3 registers -
http://support.amd.com/TechDocs/51191_Bolton_FCH_RPR.pdf ,
http://support.amd.com/TechDocs/51192_Bolton_FCH_RRG.pdf , 750 pages in total!
And that is not talking about other Bolton-M3 datasheets, the datasheets of USB
controllers which need to be hacked, and lots of other stuff too... Perhaps
only N$A can do that - if they care enough, they are welcome to waste a few
million $$$ to develop this hack XD That is, if they can't find a more simple
to exploit vulnerability like a
[qubes-users] HCL - Lenovo T560
Please find the output of qubes-hcl-report at the end of this mail. NOTE that presently installing is NOT TRIVIAL, as the xen/kernel combination on the installer image leads to an infinite reboot (as described earlier on this list), and I would assume that the default xen/kernel installation would do the same. Based on reports of the 4.8.x kernels in the unstable repository working on similar hardware, I took out the SSD, put it in an older laptop and installed Qubes 3.2 as usual, followed by installing all available updates, switching to the Fedora 24 template and installing 4.8.x kernels. Putting the SSD back in the Lenovo T560 results in a booting system, though, not surprisingly, various wrong/non-existing PCI devices/IDs were assigned to eg. sys-net and sys-usb during the initial install. After sorting this out, networking starts to work (both wireless, as well as cable). After adding e1000e, iwlwifi and iwlmvm to the suspend-blacklist in sys-net, the network actually comes back up after a sleep/restart cycle. In initial tests, I have sound and can play youtube videos. The most important hotkeys (vol up/down, brightness up/down) work. I still need to test an external monitor, and on the quick I see no bluetooth; though this is something I don't care about. I cannot say anything about power consumption / battery life yet. While taking out the SSD is fully documented by Lenovo for this model in the user's guide, I would not recommend doing this if it's the first laptop you are opening up ... Hope this helps others, kudos to the Qubes developers! Stefan --- layout: 'hcl' type: 'notebook' hvm: 'yes' iommu: 'yes' slat: 'yes' tpm: '' brand: | LENOVO model: | 20FJS2DX00 bios: | N1KET26W (1.13 ) cpu: | Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz cpu-short: | FIXME chipset: | Intel Corporation Skylake Host Bridge/DRAM Registers [8086:1904] (rev 08) chipset-short: | FIXME gpu: | Intel Corporation HD Graphics 520 [8086:1916] (rev 07) (prog-if 00 [VGA controller]) gpu-short: | FIXME network: | Intel Corporation Ethernet Connection I219-LM (rev 21) Intel Corporation Wireless 8260 (rev 3a) memory: | 7603 scsi: | SanDisk SD8TB8U2 Rev: 0101 versions: - works: 'yes' qubes: | R3.2 xen: | 4.6.3 kernel: | 4.8.12-12 remark: | Presently requires non-standard installation; see full Mail to qubes-user list. No thorough test yet; will update as I discover issues credit: | Stefan Boresch link: | FIXLINK --- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/51aca9e4-f14c-411f-add2-a069a5e749db%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Anti Evil Maid not working in subsequent setup attempts
mich...@schefczyk.net: > What I did notice is, that there might be interference with cryptsetup. As > long as I have AEM on, the system does ask for the TPM password, does not > show the secret and does NOT ask for the disk password before starting up > anyway. Is your TPM password the same as your disk encryption password? That would defeat the purpose of AEM, and indeed interact weirdly with cryptsetup: https://github.com/QubesOS/qubes-issues/issues/978 Rusty -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170118123729.GA1018%40mutt. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes extraordinary flexibility
I absolutely agree! I routinely run various engineering tools which are typically "distributed" (to put it generously) as massive "untar this and run some script as root -- up to you to resolve dependency hell", and qubes makes this amazingly clean. I used to have such hesitation at installing such software and resort to horrible LXC hacks to try to keep some weak semblance of self-containedness and safety. Qubes is *so* much better, and since 3.2 with USB passthrough (and a couple local wrappers and patches I should really get around to upstreaming) even software which interfaces with external hardware tools are so very nice. Oh, you need to load some quite likely vulnerable kernel driver for this crappy oscilloscope? Sure! Go right ahead! Qubes is not only a security win, but IMHO genuinely a usability win too. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABQWM_CP399KFmwa9DynvrLTN2C4GaE8XXWz%3D5nmd14p%3D0YmMw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] PFSense
Has any one successfully installed PFSense ? If so, are there any benefits compared to the standard sys-firewall other than having the ability to play with PFSense, thx -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e1a6ec2b-eb0d-4c51-b8d8-505c65cd6423%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Detection - Best Way
On Tuesday, January 17, 2017 at 11:17:07 PM UTC-8, Sae wrote: > On 18/01/2017 06:27, Asterysk wrote: > > It struck me that Qubes could be very useful for Detection of "malware" by > > placing a monitoring capability . My question is in two parts: > > I would create a proxyVM that dumps your traffic with tcpdump, and > insert it before sys-firewall when I want to sniff the traffic. > And then open the pcap with wireshark in a non networked VM for inspection. you can also use xen to inspect the vm itself, https://drakvuf.com/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9bc1d900-97a1-402c-9515-d88b1ebfb69f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] New Lenovo laptops: X1 (4th Gen), T460/p, and T560
On Wednesday, 18 January 2017 13:32:26 UTC+4, qmast...@gmail.com wrote: > среда, 18 января 2017 г., 5:46:30 UTC+3 пользователь steve@gmail.com > написал: > > On Tuesday, January 17, 2017 at 11:18:06 PM UTC+4, qmast...@gmail.com wrote: > > > вторник, 17 января 2017 г., 10:16:18 UTC-5 пользователь > > > steve@gmail.com написал: > > > > On Saturday, January 14, 2017 at 3:26:04 PM UTC+4, qmast...@gmail.com > > > > wrote: > > > > > 26 December 2016 г., 18:00:43 UTC-5 tai...@gmx.com написал: > > > > > > Lenovo is a shitty company if you care about security, they have > > > > > > stuck > > > > > > irremovable rootkits their BIOS 4 separate times and they are > > > > > > partially > > > > > > owned by the PRC government > > > > > > > > > > Having a PRC backdoor is better than NSA one! (most laptop companies > > > > > are American, so...) By the way, why not to get a Lenovo G505S laptop? > > > > > 1) It is the latest AMD-based laptop which is supported by coreboot > > > > > open source BIOS (so no closed source BIOS backdoors), and it does > > > > > not have Intel ME backdoor. G505S's APUs are Richland - the last > > > > > generation before AMD started to embed their own version of Intel ME, > > > > > "AMD Security Processor" or PSP ( > > > > > http://www.extremetech.com/wp-content/uploads/2013/11/AMDRoadmap-Mobility.png > > > > > ) Although a closed source vga blob is still required for working > > > > > graphics, luckily a coreboot's YABEL prevents the possible > > > > > undocumented accesses of vga blob to other PCI devices > > > > > 2) Supported by Qubes 3.2 - see HCL, > > > > > https://groups.google.com/d/msg/qubes-users/TS1zfKZ7q8w/JQFkVF4xBgAJ > > > > > . Most likely to be supported by Qubes 4.0 ( HVM=y, IOMMU=y, SLAT=y) > > > > > and seems to meet its certification criteria so far - > > > > > https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/ > > > > > <-- webcam could be covered, speakers and wireless card are not > > > > > soldered and could be removed, and just checked the last concerning > > > > > thing - embedded microphone is a PCI device, not USB connected ;) > > > > > 3) High end version of G505S has a top of the Richland generation > > > > > A10-5750M APU, 3352 score at Passmark cpu-benchmark. If to compare > > > > > with i5-6200U of Lenovo T460s, 3933 score - 17% faster. But i5-6200U > > > > > is dual core, while A10-5750M is quad core. Also, despite being three > > > > > years older, A10-5750M integrated graphics is faster than of > > > > > i5-6200U. According to Passmark: Intel HD 520 - 844 G3D score, AMD HD > > > > > 8650G - 950 G3D score, 13% faster. > > > > > 3) In contrast with many modern laptops, G505S has two slots for RAM > > > > > (instead of one) and its RAM is not soldered. That means: when your > > > > > RAM fails a memtest after some years, instead of paying a fortune for > > > > > the RAM chips replacement you could just remove RAM and install a new > > > > > one. Also you could easily upgrade to 16 GB RAM (2x8GB), which helps > > > > > not to think of RAM usage while using Qubes (currently running 14 VMs > > > > > at the same time, with a lot of applications started, and they eat > > > > > just 13 GB out of 16 GB) > > > > > 4) G505S has either integrated or both integrated and discrete > > > > > graphics (depends on G505S version). In any case, it is AMD only - > > > > > which has great open source drivers for Linux. No need for NVIDIA > > > > > closed source proprietary drivers with telemetry... > > > > > 5) Almost all the components could be replaced by user, even a CPU is > > > > > not soldered. Easy to tear down a laptop and assemble it back. Thanks > > > > > to open source BIOS, no WiFi card whitelist, so possible to install > > > > > any wireless card which has open source drivers for Linux (such as > > > > > AR9462) > > > > > Currently it is almost impossible to buy a new G505S, but the used > > > > > ones are selling for cheap (e.g. 3 auctions currently at eBay for > > > > > G505S version with A10-5750M APU, 1 UK and 2 US-based, one of them > > > > > with buy it now price $250 - half of the original $500) > > > > > > > > I have an old G505 kicking around somewhere, will give it a go with > > > > Qubes 3.2 and then try Coreboot. Thanks for the reminder ! Wonder if > > > > this means I can get the KDE Desktop Cube animation to work. > > > > > > Steve, do you have G505 or G505S ? This "S" letter is important: while > > > Lenovo G505S is supported by coreboot, tested and works OK, - there is no > > > information if G505 is supported. Luckily G505 and G505S hardware seems > > > to be quite similar, but there are some differences which could result in > > > that G505S coreboot build does not work for G505. Some additional > > > coreboot coding could be required - or maybe not required, please read > > > till the end... > > > > > > G505 and G505S have different motherboard model: G505S has eith
[qubes-users] Lenovo G505S Coreboot
>First of all we need to make sure that you are prepared for flashing. coreboot >image cannot be >flashed internally on Lenovo G505S through a purely software >way (I tried with >internal:laptop=force_I_want_a_brick flashrom option, it >always fails, cant do that!) . >To install a coreboot, you will have to: >1) get some hardware tools like screwdrivers, CH341A USB flasher and SOIC-8 >test clip >2) tear down your laptop to access the motherboard >3) take SOIC-8 test clip and attach its wires to USB flasher that is supported >by flashrom (such as CH341A), then attach SOIC-8 test clip to BIOS chip with 8 >legs, then plug USB flasher device to another computer with Linux (while it is >still connected to G505S motherboard through wires and SOIC-8 test clip) >4) using flashrom, make a dump of your existing BIOS just in case, then flash >a new coreboot image with verification 5) assemble your laptop in reverse >order . That is exactly how computer repair shops are repairing laptops with >failed BIOS updates, and are earning pretty good money on it >Here is a hardware flashing manual - >http://dangerousprototypes.com/docs/Flashing_a_BIOS_chip_with_Bus_Pirate . Everything is described in a great detail here: complete list of tools and where you could buy them (need to spend from $0 to $30, depends on what tools you already have), how to connect these tools properly, a lot of helpful photos - for example, photo of G505S motherboard, so you could easily see where is that BIOS chip with 8 legs is located, dont need to spend time reading the motherboard chip labels. While this instruction mentions Bus Pirate USB flasher, the instructions for CH341A USB flasher are exactly the same - only a flashrom command is different (could see this command at the end of page) My current coreboot build is from December 2016 - it is not the latest, but still pretty recent, so I am not going to rebuild it from scratch yet. Still, there is one component inside BIOS image that could be easily updated: KolibriOS, tiny wonderful open source operating system that fits on a floppy. It could be launched from SeaBIOS Boot Menu, and works as a RamDisk (no changes to your computer saved). After you tell that you are prepared for hardware BIOS flashing, I will take KolibriOS latest daily build, add it to ROM and send a complete coreboot BIOS ROM to you Please reply if you have any questions Best regards, qmastery --- Is it possible to also reflash the USB firmware at the same time in case it has been tampered by Bad USB ? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20c9649a-731a-4c9d-8adc-67c4db51cdea%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: USB & PCIe devices management questions
What about PCIe USB cards? Could I assign such pcie device to specific cube, so USB ports on that card are available only for that qube, as there is another controller on the card(I think so at least), or is my reasoning wrong? W dniu środa, 18 stycznia 2017 10:58:00 UTC+1 użytkownik Grzesiek Chodzicki napisał: > W dniu sobota, 14 stycznia 2017 16:43:35 UTC+1 użytkownik B&B napisał: > > Hello, for starters, pardon my ignorance, I am at the very beginning of the > > learning curve. > > I am planning out a new workstation build, I want to plan it out with Qubes > > in mind. But I have few questions, as I do not have a Qubes compatible > > desktop right now, and my laptops are not really good to experiment with it. > > > > I want to add and assign a secondary GPU to a Windows based VM, to be used > > as a gaming and CAD machine. If I do that, what about monitor output, if > > primary GPU is in dom0, do I need to connect second GPU to a monitor, or > > can I route the signal somehow without additional hardware? > > I want to use few, separate, color coded USB hubs(spray paint for the win), > > each attached to different domain, with same color coding. I want it to > > work as seamlessly as possible, preferably with no additional steps after I > > attach/detach any device to/from a hub. It simply shows into a VM and acts > > accordingly. I have problem understanding how the qvm-pci and USB > > management works in this area. Is my planned use case even achievable or do > > I need to manage each device every single time I attach it? > > Is assigning devices to vms persistent after booting, or can be made > > persistent? > > GPU passthrough should work out of the box now so that's doable although I'm > afraid You're going to need a second monitor for that to work. > > As for the hubs, this might be tricky without a large number of separate USB > controllers. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/baa9a82f-6fc4-4437-a8f8-2b3c7e871b3e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Prob installing VLC in Fedora24 Template
> > > > ya weird. not sure why, did you make any changes to the templates > > is there a clean all command maybe u can try. sorry I don't understand what you mean writing "is there a clean all command ...". The template itself is unchanged. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7b738b50-2713-49da-a03d-786dec7ba20d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Can anyone recommend a video card for Qubes
среда, 18 января 2017 г., 7:21:37 UTC+3 пользователь raah...@gmail.com написал:
> On Saturday, January 14, 2017 at 2:20:23 PM UTC-5, tai...@gmx.com wrote:
> > On 01/14/2017 12:15 PM, qmaster...@gmail.com wrote:
> >
> > > суббота, 14 января 2017 г., 5:01:34 UTC-5 пользователь Chris Willard
> > > написал:
> > >> Hello All,
> > >>
> > >> I am using my on-board video but only getting 1024x768 resolution so
> > >> wondered if there is another video card type I could use.
> > >>
> > >> --
> > >> Best regards,
> > >> Chris
> > >>
> > > any AMD graphic card should be great for Qubes, because AMD has pretty
> > > good open source drivers for Linux. Dont get NVIDIA because in that case
> > > you would have to use NVIDIA closed source drivers with hidden backdoors
> > > and proven telemetry; nouveau is still not in a good shape, probably
> > > because no real assistance from NVIDIA - they want everyone to use their
> > > closed source stuff
> > >
> > Wait the nvidia linux drivers have telemetry?
> > I thought it was only windows, and only if you install the "geforce
> > experience".
> >
> > Irreguardless nvidia is an awful company that adds "bugs" to nerf
> > featuresets on non-windows platforms, and they make it hard to attach
> > the card to a virtual machine (ex: error 43).
> >
> > Just say NO to binary blobbed hardware.
>
> no not open source drivers. It really don't matter if its amd or nvidia. I
> actually think the nvidia drivers are way better then amd for linux. I use a
> gtx 650 and its always run great on linux. proprietary drivers better for
> gaming. open source better for the linux desktops.What you would want to
> do is just research the card model how it performs with linux. and even
> more compatible would be the onboard intel like you are already using. But I
> guess you would have to update the board in that case to get latest
> resolutions and desktop effects.
People who are using QubesOS usually care a lot about security, so: while
NVIDIA closed source drivers probably have a better quality/performance than
AMD open source drivers, NVIDIA closed source drivers are not an option just
because their source code is closed (and also because it is a painful
experience to update/maintain them)
Last time I tested, 1 year ago it was like that (">" means "better than") :
NVIDIA closed source > AMD open source > AMD closed source > NVIDIA open source
(nouveau)
Meanwhile, AMD drivers have been improving quickly during the recent times, so
it could be just a matter of time before AMD open source drivers become better
than NVIDIA closed source drivers (both in quality and performance)
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/fdac49b7-7c80-4e42-a988-c9b5d303451c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: USB & PCIe devices management questions
W dniu sobota, 14 stycznia 2017 16:43:35 UTC+1 użytkownik B&B napisał: > Hello, for starters, pardon my ignorance, I am at the very beginning of the > learning curve. > I am planning out a new workstation build, I want to plan it out with Qubes > in mind. But I have few questions, as I do not have a Qubes compatible > desktop right now, and my laptops are not really good to experiment with it. > > I want to add and assign a secondary GPU to a Windows based VM, to be used as > a gaming and CAD machine. If I do that, what about monitor output, if primary > GPU is in dom0, do I need to connect second GPU to a monitor, or can I route > the signal somehow without additional hardware? > I want to use few, separate, color coded USB hubs(spray paint for the win), > each attached to different domain, with same color coding. I want it to work > as seamlessly as possible, preferably with no additional steps after I > attach/detach any device to/from a hub. It simply shows into a VM and acts > accordingly. I have problem understanding how the qvm-pci and USB management > works in this area. Is my planned use case even achievable or do I need to > manage each device every single time I attach it? > Is assigning devices to vms persistent after booting, or can be made > persistent? GPU passthrough should work out of the box now so that's doable although I'm afraid You're going to need a second monitor for that to work. As for the hubs, this might be tricky without a large number of separate USB controllers. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b5425b28-4613-4219-8139-ad96af3eb34c%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] New Lenovo laptops: X1 (4th Gen), T460/p, and T560
среда, 18 января 2017 г., 5:46:30 UTC+3 пользователь steve@gmail.com написал: > On Tuesday, January 17, 2017 at 11:18:06 PM UTC+4, qmast...@gmail.com wrote: > > вторник, 17 января 2017 г., 10:16:18 UTC-5 пользователь steve@gmail.com > > написал: > > > On Saturday, January 14, 2017 at 3:26:04 PM UTC+4, qmast...@gmail.com > > > wrote: > > > > 26 December 2016 г., 18:00:43 UTC-5 tai...@gmx.com написал: > > > > > Lenovo is a shitty company if you care about security, they have > > > > > stuck > > > > > irremovable rootkits their BIOS 4 separate times and they are > > > > > partially > > > > > owned by the PRC government > > > > > > > > Having a PRC backdoor is better than NSA one! (most laptop companies > > > > are American, so...) By the way, why not to get a Lenovo G505S laptop? > > > > 1) It is the latest AMD-based laptop which is supported by coreboot > > > > open source BIOS (so no closed source BIOS backdoors), and it does not > > > > have Intel ME backdoor. G505S's APUs are Richland - the last generation > > > > before AMD started to embed their own version of Intel ME, "AMD > > > > Security Processor" or PSP ( > > > > http://www.extremetech.com/wp-content/uploads/2013/11/AMDRoadmap-Mobility.png > > > > ) Although a closed source vga blob is still required for working > > > > graphics, luckily a coreboot's YABEL prevents the possible undocumented > > > > accesses of vga blob to other PCI devices > > > > 2) Supported by Qubes 3.2 - see HCL, > > > > https://groups.google.com/d/msg/qubes-users/TS1zfKZ7q8w/JQFkVF4xBgAJ . > > > > Most likely to be supported by Qubes 4.0 ( HVM=y, IOMMU=y, SLAT=y) and > > > > seems to meet its certification criteria so far - > > > > https://www.qubes-os.org/news/2016/07/21/new-hw-certification-for-q4/ > > > > <-- webcam could be covered, speakers and wireless card are not > > > > soldered and could be removed, and just checked the last concerning > > > > thing - embedded microphone is a PCI device, not USB connected ;) > > > > 3) High end version of G505S has a top of the Richland generation > > > > A10-5750M APU, 3352 score at Passmark cpu-benchmark. If to compare with > > > > i5-6200U of Lenovo T460s, 3933 score - 17% faster. But i5-6200U is dual > > > > core, while A10-5750M is quad core. Also, despite being three years > > > > older, A10-5750M integrated graphics is faster than of i5-6200U. > > > > According to Passmark: Intel HD 520 - 844 G3D score, AMD HD 8650G - 950 > > > > G3D score, 13% faster. > > > > 3) In contrast with many modern laptops, G505S has two slots for RAM > > > > (instead of one) and its RAM is not soldered. That means: when your RAM > > > > fails a memtest after some years, instead of paying a fortune for the > > > > RAM chips replacement you could just remove RAM and install a new one. > > > > Also you could easily upgrade to 16 GB RAM (2x8GB), which helps not to > > > > think of RAM usage while using Qubes (currently running 14 VMs at the > > > > same time, with a lot of applications started, and they eat just 13 GB > > > > out of 16 GB) > > > > 4) G505S has either integrated or both integrated and discrete graphics > > > > (depends on G505S version). In any case, it is AMD only - which has > > > > great open source drivers for Linux. No need for NVIDIA closed source > > > > proprietary drivers with telemetry... > > > > 5) Almost all the components could be replaced by user, even a CPU is > > > > not soldered. Easy to tear down a laptop and assemble it back. Thanks > > > > to open source BIOS, no WiFi card whitelist, so possible to install any > > > > wireless card which has open source drivers for Linux (such as AR9462) > > > > Currently it is almost impossible to buy a new G505S, but the used ones > > > > are selling for cheap (e.g. 3 auctions currently at eBay for G505S > > > > version with A10-5750M APU, 1 UK and 2 US-based, one of them with buy > > > > it now price $250 - half of the original $500) > > > > > > I have an old G505 kicking around somewhere, will give it a go with Qubes > > > 3.2 and then try Coreboot. Thanks for the reminder ! Wonder if this means > > > I can get the KDE Desktop Cube animation to work. > > > > Steve, do you have G505 or G505S ? This "S" letter is important: while > > Lenovo G505S is supported by coreboot, tested and works OK, - there is no > > information if G505 is supported. Luckily G505 and G505S hardware seems to > > be quite similar, but there are some differences which could result in that > > G505S coreboot build does not work for G505. Some additional coreboot > > coding could be required - or maybe not required, please read till the > > end... > > > > G505 and G505S have different motherboard model: G505S has either Compal > > LA-A091P (with discrete graphics) or LA-A092P (without discrete), while > > G505 has either LA-9911P (with discrete) or LA-9912P (without discrete). If > > you make the google requests like "motherboard-model pdf" y
