[qubes-users] Window VM disappear when dont use

[phongxuan1511]

hi every one, i'm using Win7 64 bit in Quebe, I have a case that when i dont 
use the VM in 15-20 min, window VM disappear and i cant find this vm anymore, i 
have to restart vm or kill it to reuse it. Any one have solution for my 
problem? Thank you

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0fcb9180-b946-491b-a8dc-622f85f3389f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Window error shift and caplock button

[phongxuan1511]

Hi, iam using window 7 vm. When i type in win 7 the shift and caplocks also 
running too even i dont use it, i dont know why, in the linux vm sitll normal. 
Any one can help me, thank you

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/91b27a1c-0560-4541-ba3e-fae287e27ee3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Can't import keys into templates?

[Gaiko]

On Thursday, June 8, 2017 at 8:41:53 PM UTC-4, Unman wrote:
> On Thu, Jun 08, 2017 at 06:25:09PM -0400, Gaiko Kyofusho wrote:
> > Thanks for the response.
> > You mentioned I can use the package manager, are you refering to the
> > package managers in deb or fed? I tried the "software" programs in the
> > templates and neither came up with brave when I searched.
> > Anyway, I will look over the software-update-vm doc and do it the manual
> > way, was just feeling lazy ;)
> > Thx
> > 
> > On Thu, Jun 8, 2017 at 11:57 AM, Unman  wrote:
> > 
> > > On Thu, Jun 08, 2017 at 10:35:14AM -0400, Gaiko Kyofusho wrote:
> > > > I am not sure I used to right terminology but I wanted to install the
> > > > "Brave" browser which does not seem to be available in the repositories.
> > > I
> > > > have tried adding brave to my deb and fed templates, per thier
> > > instructions
> > > >  > > linuxInstall.md>,
> > > > but get errors at the points when I try to import/add keys? For example
> > > > when I try in deb this:
> > > > curl https://s3-us-west-2.amazonaws.com/brave-apt-staging/keys.asc |
> > > sudo
> > > > apt-key add -
> > > > it tells me it can't find the keys and ends up putting the help page for
> > > > apt-key into the /etc/apt/sources.list.d/brave-*.list file
> > > > in fed when I type:
> > > > sudo rpm --import
> > > > https://s3-us-west-2.amazonaws.com/brave-rpm-release/keys.asc
> > > > I get an error:
> > > > curl: (6) Could not resolve host: s3-us-west-2.amazonaws.com
> > > > error: https://s3-us-west-2.amazonaws.com/brave-rpm-release/keys.asc:
> > > > import read failed(2).
> > > >
> > > > I have occasionally had other "connection" type issues like when I tried
> > > > configuring a default FF setup complete with addons but FF could not
> > > access
> > > > the web nor addons.
> > > >
> > > > ...
> > > >
> > > > now that I think about it, are the templates setup to only be able to
> > > > access the deb/fed repositories? That just occurred to me, I am still
> > > > posting this as even if that is the case I'd like to know how to install
> > > > something like brave (as it seems to be the "best" bet for chromium like
> > > > sec with better than chromium privacy)(I hope).
> > > >
> > > > Thx!!!
> > > >
> > >
> > > As you can see from the error report, DNS isn't enabled for the
> > > templates, so that the address doesn't resolve.
> > > I would download the keys in a normal qube, and then copy them across
> > > to the target template and install them there.
> > >
> > > There are instructions to help you install in templates in the docs:
> > > https://www.qubes-os.org/doc/software-update-vm/
> > >
> > > In this case, you can use the package manager to download and install
> > > brave. The proxy no longer restricts access to official repositories, so
> > > you should be fine using the existing proxy.
> > >
> > > unman
> > >
> 
> Just so you know, the convention on these lists is to avoid top posting.
> 
> If you install the key you will need to run apt-get update to pull the
> package information from the brave repository that you have configured
> as per the instructions. Then the brave package will be available in
> package managers.

Ahh! Sorry, I've managed to not mess up on top posting... until now, 
appologies. As for the update, got it, keys first, then update. Will give it a 
try. Thanks again.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/55e8af7c-7db3-49f1-9b00-8da961650994%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] malware targets CPUs with VPro

[Syd Brisby]

Microsoft has found malware that targets Intel's VPro technology:

https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/11041178-9a37-4138-8569-23a7a16d0d97%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Can't import keys into templates?

[Unman]

On Thu, Jun 08, 2017 at 06:25:09PM -0400, Gaiko Kyofusho wrote:
> Thanks for the response.
> You mentioned I can use the package manager, are you refering to the
> package managers in deb or fed? I tried the "software" programs in the
> templates and neither came up with brave when I searched.
> Anyway, I will look over the software-update-vm doc and do it the manual
> way, was just feeling lazy ;)
> Thx
> 
> On Thu, Jun 8, 2017 at 11:57 AM, Unman  wrote:
> 
> > On Thu, Jun 08, 2017 at 10:35:14AM -0400, Gaiko Kyofusho wrote:
> > > I am not sure I used to right terminology but I wanted to install the
> > > "Brave" browser which does not seem to be available in the repositories.
> > I
> > > have tried adding brave to my deb and fed templates, per thier
> > instructions
> > >  > linuxInstall.md>,
> > > but get errors at the points when I try to import/add keys? For example
> > > when I try in deb this:
> > > curl https://s3-us-west-2.amazonaws.com/brave-apt-staging/keys.asc |
> > sudo
> > > apt-key add -
> > > it tells me it can't find the keys and ends up putting the help page for
> > > apt-key into the /etc/apt/sources.list.d/brave-*.list file
> > > in fed when I type:
> > > sudo rpm --import
> > > https://s3-us-west-2.amazonaws.com/brave-rpm-release/keys.asc
> > > I get an error:
> > > curl: (6) Could not resolve host: s3-us-west-2.amazonaws.com
> > > error: https://s3-us-west-2.amazonaws.com/brave-rpm-release/keys.asc:
> > > import read failed(2).
> > >
> > > I have occasionally had other "connection" type issues like when I tried
> > > configuring a default FF setup complete with addons but FF could not
> > access
> > > the web nor addons.
> > >
> > > ...
> > >
> > > now that I think about it, are the templates setup to only be able to
> > > access the deb/fed repositories? That just occurred to me, I am still
> > > posting this as even if that is the case I'd like to know how to install
> > > something like brave (as it seems to be the "best" bet for chromium like
> > > sec with better than chromium privacy)(I hope).
> > >
> > > Thx!!!
> > >
> >
> > As you can see from the error report, DNS isn't enabled for the
> > templates, so that the address doesn't resolve.
> > I would download the keys in a normal qube, and then copy them across
> > to the target template and install them there.
> >
> > There are instructions to help you install in templates in the docs:
> > https://www.qubes-os.org/doc/software-update-vm/
> >
> > In this case, you can use the package manager to download and install
> > brave. The proxy no longer restricts access to official repositories, so
> > you should be fine using the existing proxy.
> >
> > unman
> >

Just so you know, the convention on these lists is to avoid top posting.

If you install the key you will need to run apt-get update to pull the
package information from the brave repository that you have configured
as per the instructions. Then the brave package will be available in
package managers.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170609004150.GA12700%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] [Issue ] Qube Fallback Installer Anaconda

[Richard Brown]

Hello everyone,

I've been trying to install Qube R3.2 on my laptop.
I have an Nvidia chip.

I can boot to the fallback installer when I select the troubleshooting option.

How ever I can't seam to get this installer to work.

Option (5) install medium.
>> Select HDD
>> Use all Free Space
>> LUKs

I get this;

Generating update storage configuration
storage configuration failed: autopart failed:
Encryption requested for LUKS device sda2 but no encryption key specified for 
this device.


I have tryed every type Partition Scheme available.
But always seam to get this issue.

Is this a BUG?  

I expect it to prompt for for the keys but this doesn't happen?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9ac60963-b8eb-4159-aefc-2d3e8f1ef0a0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: The more cores the merrier?

[mojosam]

All of this more or less answers my question.  I'm not planning on having a lot 
of VMs busy simultaneously.  I do expect to have a lot of VMs open for various 
purposes.  Most will be idle much of the time.  Some might be doing a thing or 
two.  It sounds like a fast quad-core processor with gobs of RAM is the best 
approach for that situation.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d2dd7cdf-d707-4d92-a402-d32141165f1f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] AEM boot option causes hard reboot/partial shutdown (Lenovo T450s)

[alexey . kuzmenko]

Just want to confirm that the solution suggested in [issue #2155][1] solved my 
problem with TBOOT. Basically, when you substitute default TBOOT 1.8.2 from 
QubesOS repo with TBOOT 1.9.4 from [Ubuntu][2] my laptop boots and able to 
seal/unseal secrets.

It would be great if TBOOT 1.9.4 is included in QubesOS repo (testing?) as I 
was unable to verify .deb sig of ubuntu package (not sure if there is any 
included in .deb).

Also confirming suspend/sleep issues describe by Chris...


[1]: https://github.com/QubesOS/qubes-issues/issues/2155
[2]: https://launchpad.net/ubuntu/yakkety/amd64/tboot/1.9.4-0ubuntu1

On Wednesday, June 7, 2017 at 10:48:38 PM UTC-4, Chris Laprise wrote:
> On 06/07/2017 08:39 PM, a***o...@gmail.com wrote:
> > Hi All,
> >
> > I am experiencing the same problem with AEM v3.0.4 and TBOOT v1.8.2 on 
> > Thinkpad X1 Carbon 4th Gen (20FCS5CY00) where it reboots precisely after 
> > executing GETSEC[SENTER]. "min_ram" option does not help.
> >
> > My setup:
> > * UEFI BIOS in LegacyBoot mode with SecureBoot disabled
> > * Discrete TPM 1.2 and Intel TXT enabled with "Physical presence" feature 
> > disabled
> > * Fresh Qubes3.2 installed on 1TB SSD (NVME device) with /boot on MBR 
> > partition of a 128G USB flash drive.
> > * Xen 4.6.1 with kernel 4.4.14
> > * SINIT matches the platform as per the TBOOT log output
> >
> > Anybody had any success or ideas how to make it work?
> >
> > --
> > Alex
> >
> 
> Going by the comments in issue #2155, at least one person did get it to 
> boot by upgrading tboot to version 1.9.4. I also upgraded tboot, but had 
> already got it booting with the min_ram parameter... at this stage I 
> don't know if the newer tboot is the factor that allows my system to 
> boot with AEM.
> 
> An additional issue which I'm still experiencing with AEM is sleep/wake 
> not working.
> 
> My other versions are Xen 4.6.5 and Linux 4.9.28-16 (from qubes*testing).

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ae95305f-9618-4309-ba93-f255e57e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: install Qubes 3.2 Stucked at "Starting Switch Root..."

[Paulo Marques]

but If I use version 4.2.3-300.fc23.x86_64 with fusion desktop is the same (i'm 
writing this second message on it)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9eab6f62-4b82-4d8f-975e-4e93e33f51b8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Can't import keys into templates?

[Unman]

On Thu, Jun 08, 2017 at 10:35:14AM -0400, Gaiko Kyofusho wrote:
> I am not sure I used to right terminology but I wanted to install the
> "Brave" browser which does not seem to be available in the repositories. I
> have tried adding brave to my deb and fed templates, per thier instructions
> ,
> but get errors at the points when I try to import/add keys? For example
> when I try in deb this:
> curl https://s3-us-west-2.amazonaws.com/brave-apt-staging/keys.asc | sudo
> apt-key add -
> it tells me it can't find the keys and ends up putting the help page for
> apt-key into the /etc/apt/sources.list.d/brave-*.list file
> in fed when I type:
> sudo rpm --import
> https://s3-us-west-2.amazonaws.com/brave-rpm-release/keys.asc
> I get an error:
> curl: (6) Could not resolve host: s3-us-west-2.amazonaws.com
> error: https://s3-us-west-2.amazonaws.com/brave-rpm-release/keys.asc:
> import read failed(2).
> 
> I have occasionally had other "connection" type issues like when I tried
> configuring a default FF setup complete with addons but FF could not access
> the web nor addons.
> 
> ...
> 
> now that I think about it, are the templates setup to only be able to
> access the deb/fed repositories? That just occurred to me, I am still
> posting this as even if that is the case I'd like to know how to install
> something like brave (as it seems to be the "best" bet for chromium like
> sec with better than chromium privacy)(I hope).
> 
> Thx!!!
> 

As you can see from the error report, DNS isn't enabled for the
templates, so that the address doesn't resolve.
I would download the keys in a normal qube, and then copy them across
to the target template and install them there.

There are instructions to help you install in templates in the docs:
https://www.qubes-os.org/doc/software-update-vm/

In this case, you can use the package manager to download and install
brave. The proxy no longer restricts access to official repositories, so
you should be fine using the existing proxy.

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170608155700.GA10698%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Can't import keys into templates?

[Gaiko Kyofusho]

I am not sure I used to right terminology but I wanted to install the
"Brave" browser which does not seem to be available in the repositories. I
have tried adding brave to my deb and fed templates, per thier instructions
,
but get errors at the points when I try to import/add keys? For example
when I try in deb this:
curl https://s3-us-west-2.amazonaws.com/brave-apt-staging/keys.asc | sudo
apt-key add -
it tells me it can't find the keys and ends up putting the help page for
apt-key into the /etc/apt/sources.list.d/brave-*.list file
in fed when I type:
sudo rpm --import
https://s3-us-west-2.amazonaws.com/brave-rpm-release/keys.asc
I get an error:
curl: (6) Could not resolve host: s3-us-west-2.amazonaws.com
error: https://s3-us-west-2.amazonaws.com/brave-rpm-release/keys.asc:
import read failed(2).

I have occasionally had other "connection" type issues like when I tried
configuring a default FF setup complete with addons but FF could not access
the web nor addons.

...

now that I think about it, are the templates setup to only be able to
access the deb/fed repositories? That just occurred to me, I am still
posting this as even if that is the case I'd like to know how to install
something like brave (as it seems to be the "best" bet for chromium like
sec with better than chromium privacy)(I hope).

Thx!!!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAGpWZxO6-8WCdZ5RKnmW%3D1eC83VE6tU%3Dz9nw7FF9V3YUjeBzUw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: The more cores the merrier?

[cooloutac]

I still think clock speed matters more.  If trying to budget I would focus on 
ram and i/o speed which would make a bigger difference in Qubes then how many 
cores.  faster ram and lots of it and a big ssd should be more a priority.

Also you want to make sure that the board supports iommu/vt-d in the bios.

As far as if the linux kernel utilizing more cores more efficiently in general 
for the os,  I really don't know if you would notice a difference.  I don't 
when going from my dual core to quad core.

But I do notice a huge diff when using 2 cores vs 4 cores on my system assigned 
to a vm, but thats with 2.8ghz clock speed.  On the 3.7ghz quadcore system.  2 
cores assigned to a vm is perfectly fine and runs way faster.

If you plan on maxing out your cpu all the time,  that probably still only 
means two vms running simultaneously maxing out 4 cores.  Because as the guy at 
the store said,  assigning 8 cores to a vm you prolly won't notice any diff.  



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9191a97c-4296-45e3-bfcf-fe76eddaf47c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: install Qubes 3.2 Stucked at "Starting Switch Root..."

[cooloutac]

On Thursday, June 8, 2017 at 2:13:32 AM UTC-4, Paulo Marques wrote:
> Hi Foppe, 
> 
> "You'll have to install it to a disk and dual-boot to it to get it to work" 
> According to Qubes Team that isn't a very good solution for security reasons 
> because the other system can be "taken" and your all qubes installation is at 
> risk, wright? 
> 
> Anyway, I've insttaled Fedora 23 and it seems to be running alright..

what foppe means is to install qubes baremetal straight to the hdd and boot it 
from bios not a vm.

But if you did that with fedora 23 and it works,  i'm not sure what the 
difference other then maybe vt-d and secure boot.  What kernel is your fedora 
23 using?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/108eb181-3ce5-4bf1-ae91-ad18623dd886%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: install Qubes 3.2 Stucked at "Starting Switch Root..."

[Paulo Marques]

Hi Foppe 
quote "I don't have a dual-boot menu, though, I just tell the bios from which 
disk to boot." - That's exactly what i'm trying to do, that't wy I bought this 
case (  
https://www.google.pt/search?q=Caixa+Nox+Coolbay+VX+Zero+Edition=firefox-b=X=isch=u=univ=0ahUKEwiSjPC5pa7UAhUCshQKHesBBKYQsAQIMg=1024=633
  ) so I could change the disks even more easily, without having to open the 
box buy using the upper tray. But either in the upper tray or in the internal 
bays it seams I can't install it at all . . . :((
Do you know if there is a way to install a system from another OS 
(windows/Linux) by way of copying/intalling the system files from there to 
another disk, a blank/previous formatted one for instance?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2a27774e-3fc0-488d-b336-6bcc4d30b9af%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: How can I change the root image file to be launched?

[Jarle Thorsen]

Patrick Bouldin:
> Hi,
> 
> Long story but when I launch an app VM that is pointing to the fedora-24 root 
> image (says so on the Qubes VM Manager), it actually looks in the fedora-23 
> folder. In dom0 I have verified that the image file exists in the fedora-24 
> folder, and doesn't any longer exist in the fedora-23 folder (this is 
> correct). 
> 
> Somehow the base template is simply pointing to the wrong place, how can I 
> correct?

Have you tried having a look at (edit?) 
/var/lib/qubes/appvms//.conf?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/861e8544-06d2-4e08-ad3f-6f5e6dfd3419%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] How to stop sys-whonix and sys-firewall from starting on boot?

[Unman]

On Wed, Jun 07, 2017 at 07:25:01PM -0400, 'Tomei Ningen' via qubes-users wrote:
> Would this require a CLI command to disable or is this possible through Qubes 
> Manager? I've noticed that whenever I deselect the "Start VM automatically on 
> boot" option in the QM settings area [for sys-net and sys-firewall 
> specifically] they still continue to boot up at system startup.
> 
> Best,
> TN
> 
> Sent with [ProtonMail](https://protonmail.com) Secure Email.
> 
>  Original Message 
> Subject: Re: [qubes-users] How to stop sys-whonix and sys-firewall from 
> starting on boot?
> Local Time: June 7, 2017 10:35 PM
> UTC Time: June 7, 2017 10:35 PM
> From: un...@thirdeyesecurity.org
> To: mari...@grrlz.net
> qubes-users@googlegroups.com
> 
> On Wed, Jun 07, 2017 at 08:24:36PM +, mari...@grrlz.net wrote:
> > I have already disabled that option on the VM's settings and I have also
> > disabled automatic updates on Qubes Manager general settings but nothing
> > changed.
> > Any ideas?
> 
> If you have any other qubes set to start automatically, then the upstream
> qubes will be started too.
> The default netvm is started automatically - you can stop this by
> disabling the qubes-netvm service in dom0.
> 
> unman
> 

No you will need to disable the service at command line in dom0. The
option isnt available in Qubes Manager.

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170608105336.GE8560%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Update RPC does not work in debian-8 / missing $DISPLAY when running RPC as root

[Unman]

On Thu, Jun 08, 2017 at 02:54:22AM -0700, Vít Šesták wrote:
> I've traced the issue a bit. Maybe the race condition is not true. The VM 
> updates works in has root's shell configured to bash instead of zsh. But 
> that's still strange:
> 
> * user with bash: OK
> * user with zsh: OK
> * root with bash: OK
> * root with zsh: environment issues
> 
> I've also tried updating to Jessie-Backports (this is probably what you 
> meaned by testing) in a cloned template and it did not change. I am also 
> upgrading to Stretch (in another clone).
> 

There are known issues with using other shells. (I'd mistakenly stated
that zsh was fine, without checking this use case.) I had done some
work on this which I should dust off.
Upgrading the templates wont fix this problem.

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170608104008.GC8560%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Question(s) regarding Qubes minimal templates

[Unman]

On Thu, Jun 08, 2017 at 02:03:34AM -0700, Vít Šesták wrote:
> > Given that more installed applications generally create a larger attack 
> > surface, why aren't the minimal templates set as the default templates for 
> > sensitive VMs such as the SysVMs?
> 
> * Having an extra app installed might add some attack surface, but not 
> always. Having app like Firefox in sys-firewall adds zero attack surface 
> until you (either accidentally or on purpose) run it.

There's been discussion on this before - in my opinion, it isnt the
application itself but the assorted libraries and helpers that are
installed along with it. And that has nothing to do with whether an
application is run or not.
If you look at the packages installed when you install firefox, for
example, you may be surprised at what comes in, and how much the
potential for attack has been widened (Firewire anyone? With Firefox?)

> * With minimal Template without installing anything else, you might be unable 
> to use Wi-Fi etc. So, this might be viable for sys-firewall, but not for 
> sys-net. (Not sure about sys-usb.)

In most cases it requires very little to be installed to get a working
netVM. (See www.qubes-os.org/doc/templates/fedora-minimal/)
sys-usb works as expected on a minimal template.

> 
> > Are there any significant protections afforded by the full-featured VM 
> > images that are absent in the appropriately configured minimal VMs [going 
> > by the current Qubes documentation]? Any pitfalls exposed by the latter?
> 
> The only (sort of) protection I am aware about is haveged – a RNG that feeds 
> kernel RNG.

haveged is installed in the minimal templates too.

> 
> Regards,
> Vít Šesták 'v6ak'

I'm a strong advocate of using minimal (or smaller) templates,
customised for specific use cases. Some people HATE this approach. 

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170608103307.GB8560%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Update RPC does not work in debian-8 / missing $DISPLAY when running RPC as root

[Chris Laprise]

On 06/08/2017 05:54 AM, Vít Šesták wrote:

I've traced the issue a bit. Maybe the race condition is not true. The VM 
updates works in has root's shell configured to bash instead of zsh. But that's 
still strange:

* user with bash: OK
* user with zsh: OK
* root with bash: OK
* root with zsh: environment issues


Hmmm, I haven't used zsh in like... 20 years.



I've also tried updating to Jessie-Backports (this is probably what you meaned 
by testing) in a cloned template and it did not change. I am also upgrading to 
Stretch (in another clone).


I did mean jessie-testing in /etc/apt/sources-list.d/qubes-r3.list. 
Sometimes updating the Qubes packages can help with issues like this.


--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/096bc44d-286a-cee5-6d7a-65e1da779ed4%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Make one qube accessible on all ip ports to all other qubes

[Unman]

On Thu, Jun 08, 2017 at 01:57:01AM -0700, Opal Raava wrote:
> Hi all,
> 
> I've made a qube with a lot of docker apps in it, and it also stores my local 
> git repository. How do I make it visible to all other qubes? the docker qube 
> and most other qubes are all using sys-firewall.
> 
> It seems to have to do that there are firewall rules for all qubes, do I have 
> to enable access for each qube individually using the Qubes VM Manager and 
> the VM settings > firewall rules?
> 
> Thanks,
> --Opal
> 

You need to read the docs - the firewall page is quite clear.
https://www.qubes-os.org/doc/firewall has a section specifically on
allowing data flows between qubes.

The doc page covers specific IP addresses, but you can, of course, use
wild cards to allow "all other qubes".

Of course, you should be careful about what you are doing here, because
you risk undermining one of the core features of Qubes. But if you have
considered that and think that this is consistent with the
compartmentalisation that Qubes offers, you are free to do it.

unman

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170608095620.GA8560%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Update RPC does not work in debian-8 / missing $DISPLAY when running RPC as root

[Vít Šesták]

I've traced the issue a bit. Maybe the race condition is not true. The VM 
updates works in has root's shell configured to bash instead of zsh. But that's 
still strange:

* user with bash: OK
* user with zsh: OK
* root with bash: OK
* root with zsh: environment issues

I've also tried updating to Jessie-Backports (this is probably what you meaned 
by testing) in a cloned template and it did not change. I am also upgrading to 
Stretch (in another clone).

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7f66139f-4a1e-4cd5-af85-fd9dde1254d5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Question(s) regarding Qubes minimal templates

[Vít Šesták]

> Given that more installed applications generally create a larger attack 
> surface, why aren't the minimal templates set as the default templates for 
> sensitive VMs such as the SysVMs?

* Having an extra app installed might add some attack surface, but not always. 
Having app like Firefox in sys-firewall adds zero attack surface until you 
(either accidentally or on purpose) run it.
* With minimal Template without installing anything else, you might be unable 
to use Wi-Fi etc. So, this might be viable for sys-firewall, but not for 
sys-net. (Not sure about sys-usb.)

> Are there any significant protections afforded by the full-featured VM images 
> that are absent in the appropriately configured minimal VMs [going by the 
> current Qubes documentation]? Any pitfalls exposed by the latter?

The only (sort of) protection I am aware about is haveged – a RNG that feeds 
kernel RNG.

Regards,
Vít Šesták 'v6ak'

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/62f067a7-08e8-4d2e-8773-229a2af5119f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Make one qube accessible on all ip ports to all other qubes

[Opal Raava]

Hi all,

I've made a qube with a lot of docker apps in it, and it also stores my local 
git repository. How do I make it visible to all other qubes? the docker qube 
and most other qubes are all using sys-firewall.

It seems to have to do that there are firewall rules for all qubes, do I have 
to enable access for each qube individually using the Qubes VM Manager and the 
VM settings > firewall rules?

Thanks,
--Opal

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b03f89d0-8ed6-4b2b-bee0-62c257a5bba6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] HCL - inspiron 14 5000

[notdisclosed]

Everything seems to be working fine after updating kernel to 4.8, also 
had to do the 'Boot device not recognized after installing' stuff to get 
it to boot in UEFI.


I noticed my wifi speed oscillating a lot, I saw lots of comments about 
network problems in dell laptops but I'm not sure they are related to 
qubes.



Overall it works pretty well. I think I'll keep it as my main OS on this 
laptop.


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/014e7fa8e69b9fb6c1f69a9a561f824b%40420blaze.it.
For more options, visit https://groups.google.com/d/optout.
---
layout:
  'hcl'
type:
  'notebook
docking station'
hvm:
  'yes'
iommu:
  'yes'
slat:
  'yes'
tpm:
  'unknown'
remap:
  'yes'
brand: |
  Dell Inc.
model: |
  Inspiron 5468
bios: |
  1.0.7
cpu: |
  Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz
cpu-short: |
  FIXME
chipset: |
  Intel Corporation Device [8086:5904] (rev 02)
chipset-short: |
  FIXME
gpu: |
  Intel Corporation Device [8086:5916] (rev 02) (prog-if 00 [VGA controller])
gpu-short: |
  FIXME
network: |
  Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)
  Realtek Semiconductor Co., Ltd. RTL8101/2/6E PCI Express Fast/Gigabit 
Ethernet controller (rev 07)
memory: |
  12186
scsi: |
  SanDisk SDSSDA24 Rev: 80RL
usb: |
  1
versions:

- works:
yes
  qubes: |
R3.2
  xen: |
4.6.5
  kernel: |
4.8.12-12
  remark: |
Had to do the 'boot device not recognized' procedures to get it to boot, 
had to update to kernel 4.8 to make backlight and suspend to work  
  credit: |
Guilherme Lima
  link: |

---

[qubes-users] Re: The more cores the merrier?

[Foppe de Haan]

On Thursday, June 8, 2017 at 9:49:05 AM UTC+2, mojosam wrote:
> My question isn't about how many virtual CPUs to assign but whether a Qubes 
> system with many cores is really faster than one with fewer cores.  Does the 
> OS know how to use many cores and do a good job of exploiting them?

Yes, so long as you use kernel 4.9.13 or newer (iirc that's the first iteration 
with Ryzen SMT support).

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/55576188-ae09-4289-a344-3740bc64662b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: HCL - Surface Pro 3 (i5-4300U 4Gb)

[Eric Duncan]

On Wednesday, May 3, 2017 at 10:54:50 AM UTC-4, seans...@gmail.com wrote:
> I got Qubesos 3.2 installed on my Surface Pro 3, however the newer touch 
> cover (the one made for the pro 4,but works on pro 3) doesn't work out of the 
> box and as such I can't type anything, nor login, since the on-screen 
> keyboard doesn't come up either. Any guidance on this?

Maybe related, but the Type Cover for the Surface 3 (non-Pro) has to be 
kernel-patched and recompiled to enable.  Back when the Surface Pro 3 first 
came out, the same kernel-patching had to be done to enable the type cover.  

A quick search found this Surface Pro 4 Type Cover kernel patch: 
https://ubuntuforums.org/showthread.php?t=2300868

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8fdb-c192-4b70-be6d-f643b756d318%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: The more cores the merrier?

[mojosam]

My question isn't about how many virtual CPUs to assign but whether a Qubes 
system with many cores is really faster than one with fewer cores.  Does the OS 
know how to use many cores and do a good job of exploiting them?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bfa9971f-f98f-40a5-b7bf-c1694c18854b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: install Qubes 3.2 Stucked at "Starting Switch Root..."

[Paulo Marques]

Hi Foppe, 

"You'll have to install it to a disk and dual-boot to it to get it to work" 
According to Qubes Team that isn't a very good solution for security reasons 
because the other system can be "taken" and your all qubes installation is at 
risk, wright? 

Anyway, I've insttaled Fedora 23 and it seems to be running alright...

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/de257bc9-8543-4ce8-a330-8951bda75943%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.