Re: [qubes-users] Question about qubes s hypervisor

2017-10-19 Thread Jean-Philippe Ouellet
On Thu, Oct 19, 2017 at 1:25 AM, blacklight  wrote:
> We all know well why xen was chosen as the hypervisor for qubes instead of 
> kvm, since this has been stated in multiple places by the devs. But I wonder 
> how feasible it would be to use bhyve as a hypervisor for qubes. I've read 
> that it only uses roughly 30k lines of code, so it's smaller than xen which is 
> good since less code means less attack surface right? and seems to support 
> vt-d and vt-x. Also it's made by the freebsd team, who are known for their 
> high coding standards. Would it be possible to run qubes with bhyve instead 
> of xen? If not, why?
>
> I would love some info on this :)
>
> Greetings, blacklight447

I've looked into this possibility in the past.

Last I checked, bhyve's device models were required to be in the host
and ran with significant privileges. This may have been addressed by
[1], but I'd need to do more research to be sure and see what privs
they still run with.

Other things that would need to be done before it's a viable candidate:
- some XenStore equivalent
- some vchan equivalent
- expose shared mem for zero-copy framebuffers
- de-systemd-ification of dom0 things
and undoubtedly other things that don't immediately come to mind.

Definitely not a trivial task in any case.

Cheers,
Jean-Philippe

[1]: https://reviews.freebsd.org/D8290

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CABQWM_BnwQ%2BK4V%2B9g38qvD2n1FgLDiD7JA98QrSw8J%2B4FO-uBg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] XEN)QUBES END POINT SECYRITY

2017-10-19 Thread a . mcwheel
Hi,
If you want to scan your traffic for malicious code or for indicators of 
compromise, you may consider installing a second firewall VM with pfSense or 
OPNsense as a system. They allow you to install Snort/Suricata in IPS mode. In 
addition, OPNsense (don't remember that in pfSense) allows you to turn on the ClamAV 
module and scan traffic for viruses.
Or you may install Snort/Suricata on a separate VM, but it is not as easy as a *sense 
installation. 

On October 19, 2017 5:44:20 PM UTC, "Νικος Παπακαρασταθης" 
 wrote:
>Hello
>
>Is there any kind of end point security for qubes xen hv except for
>isolation? Something like the usual ... internet security software used in
>windows (antivirus, antispam etc. unified). If not, how for example are payments
>safe?



[qubes-users] Re: XEN)QUBES END POINT SECYRITY

2017-10-19 Thread yuraeitha
On Thursday, October 19, 2017 at 5:44:20 PM UTC, Νικος Παπακαρασταθης wrote:
> Hello
> 
> Is there any kind of end point security for qubes xen hv except for 
> isolation? Something like the usual ... internet security software used in 
> windows (antivirus, antispam etc. unified). If not, how for example are payments 
> safe?

There is a good method to increase security for e.g. payments in an AppVM. If I 
understand you correctly, you're referring to AppVM security here, and not Qubes 
in general? If so, you can simply make good use of your AppVM firewall. For 
example create an AppVM strictly and only for payments, then limit all internet 
connections in the firewall to only talk with your bank, and whichever 
additional services your bank may use. 
Although it can be a bit of a hassle with some services, which use many different 
domains, and they typically change too from time to time. Either way, this way, 
nothing gets into your bank AppVM, except those connections you allowed in.

You can also use a more lax method, i.e. block any regular http:// and only 
allow https://
Furthermore you can block different types of protocols as well. 

Essentially, the fewer ports, addresses and protocols are allowed, the harder it 
becomes for an attacker to find a weak attack surface to exploit. Especially if 
that AppVM only connects to your bank and its bank services, and absolutely 
nothing else. 

You can do something similar with buying online, although it's a bit more 
tricky due to the many different websites.

Also there is very little malware for Linux (and thereby Qubes), and if any, it 
typically hides in your firefox cache or something, in your home folder, 
apparently capable of exploiting security holes in firefox. Something like 
that. But that's easily fixed with a clean-up, especially if you don't visit 
dodgy websites with your bank AppVM. 

You should be more worried about hack attacks than malware, and if you do a 
good job securing your system, you're narrowing down the amount of hackers who 
can actually pull such an attack off. I.e. if you stay ahead of the script 
kiddies and poor hackers, and you're not infamous in the world, then you're 
probably unlikely to get hacked by someone skilled.

Disclaimer, someone might know better and correct me. Feel free to do so if I 
got anything wrong.
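
A small model of the two policies described in this post (the strict bank-only allow-list and the laxer HTTPS-only rule), as an added example that is not part of the original post and is not Qubes' own firewall code. The host names and the connection log are constructed, and first-match evaluation with a default drop is an assumption of this model.

```python
"""Model of a default-deny egress policy for a single-purpose banking AppVM.

Illustrative only: this is not the Qubes firewall implementation. Rules are
evaluated first-match and anything unmatched is dropped (assumption).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

Conn = Tuple[str, str, int]  # (destination host, protocol, destination port)


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    host: Optional[str] = None   # exact host name; None matches any host
    proto: Optional[str] = None  # "tcp"/"udp"; None matches any protocol
    port: Optional[int] = None   # destination port; None matches any port

    def matches(self, conn: Conn) -> bool:
        host, proto, port = conn
        return ((self.host is None or self.host == host.lower().rstrip("."))
                and (self.proto is None or self.proto == proto.lower())
                and (self.port is None or self.port == port))


def decide(rules: List[Rule], conn: Conn) -> str:
    """Return the action of the first matching rule, or "drop" if none match."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action
    return "drop"


def dropped(rules: List[Rule], attempts: Iterable[Conn]) -> Dict[Conn, int]:
    """Count the connection attempts the policy would drop, per destination."""
    return dict(Counter(c for c in attempts if decide(rules, c) == "drop"))


# Strict policy: only the bank's own hosts, only over HTTPS (constructed names).
STRICT = [
    Rule("accept", "online.bank.example", "tcp", 443),
    Rule("accept", "login.bank.example", "tcp", 443),
]

# Lax policy: block plain HTTP, allow HTTPS to any host.
LAX = [
    Rule("drop", None, "tcp", 80),
    Rule("accept", None, "tcp", 443),
]

# Constructed log of outbound attempts seen from the banking AppVM.
ATTEMPTS: List[Conn] = [
    ("online.bank.example", "tcp", 443),
    ("login.bank.example", "tcp", 443),
    ("static.bankcdn.example", "tcp", 443),  # extra service the bank uses
    ("online.bank.example", "tcp", 80),      # plain-HTTP attempt
    ("ads.tracker.example", "tcp", 443),     # unrelated third party
    ("static.bankcdn.example", "tcp", 443),
]

if __name__ == "__main__":
    for name, policy in (("strict", STRICT), ("lax", LAX)):
        print(name)
        for (host, proto, port), n in sorted(dropped(policy, ATTEMPTS).items()):
            print(f"  dropped {n}x {host}:{port}/{proto}")
```

The strict policy's dropped list doubles as the review queue for the "many different domains" hassle mentioned in the post: each entry is either an extra bank service to allow or something that should stay blocked.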



Re: [qubes-users] XEN)QUBES END POINT SECYRITY

2017-10-19 Thread Chris Laprise

On 10/19/2017 01:44 PM, Νικος Παπακαρασταθης wrote:

> Hello
>
> Is there any kind of end point security for qubes xen hv except for isolation? 
> Something like the usual ... internet security software used in windows (antivirus, 
> antispam etc. unified). If not, how for example are payments safe?


Hi,

The typical Qubes thinking doesn't hold threat-scanning software (which 
is what I believe you're referring to) in high regard; it is seen as 
offering a false sense of security or creating additional attack 
surface. However, this doesn't mean you can't install AV scanners in 
your VMs... it's up to you.


In addition to isolation, Qubes' templates offer some inherent 
protection as well because VMs based on them can resist rootkits. This 
idea is extended somewhat here: 
https://github.com/tasket/Qubes-VM-hardening (the 'systemd' branch is 
experimental but has an ability to scan files).


OTOH, one of the best things you can do to increase security of your 
appVMs is to practice some regular caution. You can, for instance, 
install HTTPS Everywhere in your banking VM's browser and can even tell 
it to reject non-encrypted traffic. Also, avoid clicking on links in 
emails; if you copy-paste first you can review the actual domain name of 
the link. And email clients like Thunderbird try to detect phishing scams.


--

Chris Laprise, tas...@posteo.net
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



[qubes-users] Re: How to recover Qubes when keyboard / mice is dysfunctional due to USB qube setup issues?

2017-10-19 Thread yuraeitha

A manual method, 3 steps to ensure a fix: 
*) Modify the AppVM autostart in /var/lib/qubes/qubes.xml quick, easy and dirty.
*) Modify Grub or EFI settings (plenty of guides around), so Dom0 can see the 
USB controller. You either use EFI or Grub, not both at the same time. First 
identify which you use, before you can change the settings to unblock.

*) Undoing the sys-usb commands.
From my understanding, the reason the two commands
qubesctl top.enable qvm.sys-usb   and   qubesctl state.highstate
are so hard to undo, is because it's meant to be hack-proof, and it will cause 
the sys-usb to be automatically restored again to its default state. Further 
reading if you're curious: https://github.com/QubesOS/qubes-issues/issues/2157

In order to easily undo it, I believe you may be able to edit 
/srv/salt/_tops/base/topd.top
Remove the sys-usb line in the file, don't change anything else. 
Be warned, I haven't done this before, it's hypothetical whether it works.

To my knowledge, the first command not only enables the preconfigured sys-usb, 
it also pushes the sys-usb into the salt file (the top part of the command). The 
second command apparently enables the salt feature for whichever VM is in the 
list (default enabled in Qubes 4). If sys-usb is removed from the file, it 
should supposedly be outside salt's protection area.

Now try restart, if everything went well (hopefully), it should be back to 
normal, and USB should be found by Dom0 again. You don't need to disable 
sys-usb, as long as it doesn't autostart (which we at this point fixed).

Keep in mind that the /var/lib/qubes/qubes.xml file may have changed in Qubes 4 
compared to Qubes 3.2. Also SALT should be by default enabled in Qubes 4, so 
you might encounter this kind of memory protection thing in other areas in 
Qubes 4 in the future.

Everything here is edited through plain text files, you do not need chroot or 
anything of the sorts. As long as you can open up your encrypted drives, and 
gain read/write access, have a text editor you can use, you're basically set.

Keep in mind, I'm not an expert. Be sure to make backups or at the very least 
backup/memorize what you did to the single file you changed, so you can reverse 
it, should it be needed.



[qubes-users] XEN)QUBES END POINT SECYRITY

2017-10-19 Thread Νικος Παπακαρασταθης
Hello

Is there any kind of end point security for qubes xen hv except for isolation? 
Something like the usual ... internet security software used in windows (antivirus, 
antispam etc. unified). If not, how for example are payments safe?



Re: [qubes-users] Re: Audio in Debian VMs just disappeared?

2017-10-19 Thread yuraeitha
On Wednesday, October 18, 2017 at 11:59:06 PM UTC, Stumpy wrote:
> On 18.10.2017 20:16, qubenix wrote:
> > Foppe de Haan:
> >> On Wednesday, October 18, 2017 at 12:38:05 AM UTC+2, Stumpy wrote:
> >>> hm...
> >>> 
> >>> Is there something else I can post that would make this easier to 
> >>> diag?
> >>> I really really would like to resolve this.
> >>> 
> >>> On 16.10.2017 02:28, Stumpy wrote:
>  No one?
>  I still haven't figured this one out
>  
>  in case the private/paste bin was causing no responses here is the
>  output from VLC:
>  from the vlc window:
>  "Audio output failed:
>  The audio device "default" could not be used:
>  No such file or directory."
>  
>  and from the term that I started vlc from:
>  VLC media player 2.2.6 Umbrella (revision 2.2.6-0-g1aae78981c)
>  [5e890a526938] pulse audio output error: PulseAudio server
>  connection failure: Connection refused
>  [5e890a4410e8] core libvlc: Running vlc with the default
>  interface. Use 'cvlc' to use vlc without interface.
>  ALSA lib confmisc.c:767:(parse_card) cannot find card '0'
>  ALSA lib conf.c:4528:(_snd_config_evaluate) function
>  snd_func_card_driver returned error: No such file or directory
>  Failed to open VDPAU backend libvdpau_nvidia.so: cannot open shared
>  object file: No such file or directory
>  ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
>  ALSA lib conf.c:4528:(_snd_config_evaluate) function snd_func_concat
>  returned error: No such file or directory
>  ALSA lib confmisc.c:1246:(snd_func_refer) error evaluating name
>  ALSA lib conf.c:4528:(_snd_config_evaluate) function snd_func_refer
>  returned error: No such file or directory
>  ALSA lib conf.c:5007:(snd_config_expand) Evaluate error: No such 
>  file
>  or directory
>  ALSA lib pcm.c:2495:(snd_pcm_open_noupdate) Unknown PCM default
>  [5e890a526938] alsa audio output error: cannot open ALSA device
>  "default": No such file or directory
>  [5e890a526938] core audio output error: module not functional
>  [76de94d7eaa8] core decoder error: failed to create audio output
>  Failed to open VDPAU backend libvdpau_nvidia.so: cannot open shared
>  object file: No such file or directory
>  [76de74001268] xcb_xv vout display error: no available XVideo
>  adaptor
>  
>  anyone?
>  
>  
>  On 07.10.2017 23:12, Stumpy wrote:
> > For some reason the audio in all my Debian VMs has stopped working?
> > AFAIK I haven't done anything other than regular updates. I didn't
> > notice until recently so I am not sure about exactly when it 
> > started.
> > 
> > In the audio mixer window none of the debian vms are showing up. I
> > > tried playing something in VLC and it gave the following errors:
> > 
> > https://privatebin.net/?f36509f33694a053#821JIyu4z/YqpQ61qGRYFP9Bspo7DAP8HmkPJCAk9Q8=
> > 
> > > Also, another strange, maybe unrelated thing happened, I don't have
> > > nautilus in my debian VMs any more and I tried to reinstall then but
> > > error saying I had some missing dependencies?
> >> 
> >> pulseaudio-qubes is still installed?
> >> 
> > 
> > Must be something with version 11.1-1 of pulseaudio. I've got the same
> > problem on a Kali VM that has the following pulse packages:
> > 
> > $ sudo dpkg -l | grep pulse
> > > ii  gstreamer1.0-pulseaudio:amd64  1.12.3-1  amd64  GStreamer plugin for PulseAudio
> > > ii  libpulse-mainloop-glib0:amd64  11.1-1    amd64  PulseAudio client libraries (glib support)
> > > ii  libpulse0:amd64                11.1-1    amd64  PulseAudio client libraries
> > > ii  libpulse0:i386                 11.1-1    i386   PulseAudio client libraries
> > > ii  libpulsedsp:amd64              11.1-1    amd64  PulseAudio OSS pre-load library
> > > ii  pulseaudio                     11.1-1    amd64  PulseAudio sound server
> > > ii  pulseaudio-utils               11.1-1    amd64  Command line tools for the PulseAudio sound server
> > > 
> > However on another Debian stretch template audio is normal. The pulse
> > packages there are:
> > 
> > $ sudo dpkg -l | grep pulse
> > > ii  gstreamer1.0-pulseaudio:amd64  1.10.4-1       amd64  GStreamer plugin for PulseAudio
> > > ii  libpulse-mainloop-glib0:amd64  10.0-1+deb9u1  amd64  PulseAudio client libraries (glib support)
> > > ii  libpulse0:amd64                10.0-1+deb9u1  amd64  PulseAudio client libraries
> > > ii  libpulsedsp:amd64              10.0-1+deb9u1  amd64  PulseAudio OSS pre-load library
> > > ii  pulseaudio                     10.0-1+deb9u1  amd64

[qubes-users] Re: Update sys-net and sys-firewall to fedora-25?

2017-10-19 Thread yuraeitha
On Thursday, October 19, 2017 at 1:18:21 PM UTC, cqui...@gmail.com wrote:
> Hi, I read around a bit but didn't really find much on this. I just created 
> fedora-24 and fedora-25 vms following the docs pages. Since these are newer 
> versions of the fedora os, should I switch sys-net and sys-firewall to use 
> fedora-25 as a template instead of fedora-23, or should I just leave it as is?
> 
> Thanks!

Fedora 23 is not supported by Fedora anymore, hence you don't get the important 
updates. For example, just last Monday, a major crisis happened with Wi-Fi, 
leaving essentially all Wi-Fi networks across the planet vulnerable, especially 
those in Linux/Android, but also Windows/iOS/etc, not to mention all routers 
have to be updated too. This update won't come to Fedora 23, you will get the 
update for Fedora 25 however. This is just an example, using Fedora 23 is 
likely to be a big security issue. Dom0 being Fedora is less of a concern 
though, since it has no internet connection, and all system communication with 
Dom0 to VM's is updated by the Qubes team/Xen. Qubes still sends updates to 
fedora-23 for the qubes tools, but fedora-23 itself isn't being updated anymore.

Essentially the Qubes command to upgrade/install the template should include 
all the Qubes tools, so it shouldn't be a problem to replace them in the Qubes 
Global Settings, as well as the individual VM's.



[qubes-users] Re: Docker & dev embbeded on Qubes OS on P51

2017-10-19 Thread jerome . moliere
On Thursday, October 19, 2017 at 15:05:17 UTC+2, pixel fairy wrote:
> here's how to run docker in qubes 3.2, same method should work in 4.0
> 
> https://gist.github.com/xahare/6b47526354a92f290aecd17e12108353

Thanks for the link

Regards



[qubes-users] Re: Multufactor auth vm

2017-10-19 Thread pixel fairy
On Wednesday, October 18, 2017 at 3:37:37 AM UTC-7, Roy Bernat wrote:

> 
> Good point. Drifting is a known issue ... so what is the solution? :)

if it drifts, reboot the auth vm, time will be resynced.



[qubes-users] Update sys-net and sys-firewall to fedora-25?

2017-10-19 Thread cquick197
Hi, I read around a bit but didn't really find much on this. I just created 
fedora-24 and fedora-25 vms following the docs pages. Since these are newer 
versions of the fedora os, should I switch sys-net and sys-firewall to use 
fedora-25 as a template instead of fedora-23, or should I just leave it as is?

Thanks!



[qubes-users] Re: Docker & dev embbeded on Qubes OS on P51

2017-10-19 Thread pixel fairy
here's how to run docker in qubes 3.2, same method should work in 4.0

https://gist.github.com/xahare/6b47526354a92f290aecd17e12108353



Re: [qubes-users] Docker & dev embbeded on Qubes OS on P51

2017-10-19 Thread deadbrain

Hi Holger,

thanks for the answer. I may use a Debian/sid plus siduction kernel 
inside this VM. For my use case standard headers are sufficient; I 
don't see the value added by installing its own kernel. Could you give more 
details please?



Thanks again for the support


On 10/19/2017 01:46 PM, Holger Levsen wrote:
> On Thu, Oct 19, 2017 at 04:29:51AM -0700, jerome.moli...@gmail.com wrote:
> > -> 2) From time to time I am providing Java consulting, and now many customers use 
> > docker containers (no comments -) ) ... Is it possible inside a VM to run Docker ? No 
> > problem with firewalling & other stuff...
>
> yes, it's possible. Just that docker builds its own kernel module via
> dkms, so you need the kernel headers installed, which I choose to
> achieve by running a custom kernel in that VM as then I could just apt
> install those headers…






Re: [qubes-users] Docker & dev embbeded on Qubes OS on P51

2017-10-19 Thread Holger Levsen
On Thu, Oct 19, 2017 at 04:29:51AM -0700, jerome.moli...@gmail.com wrote:
> -> 2) From time to time I am providing Java consulting, and now many 
> customers use docker containers (no comments -) ) ... Is it possible inside a 
> VM to run Docker ? No problem with firewalling & other stuff...

yes, it's possible. Just that docker builds its own kernel module via
dkms, so you need the kernel headers installed, which I choose to
achieve by running a custom kernel in that VM as then I could just apt
install those headers…


-- 
cheers,
Holger





[qubes-users] Docker & dev embbeded on Qubes OS on P51

2017-10-19 Thread jerome . moliere
Hi all,
I am waiting for the upcoming 4.0 release to install Qubes on a Thinkpad P51 
(big machine). Before pressing the button I would like to know if some of my 
use cases are compatible with Qubes-OS...
-> 1) I am doing ARM Cortex programming based on GCC-arm-none-eabi. In this 
context USB connection with the external device is essential, so is USB pass 
through working well and may it cause problems?

-> 2) From time to time I am providing Java consulting, and now many customers 
use docker containers (no comments -) ) ... Is it possible inside a VM to run 
Docker ? No problem with firewalling & other stuff...

I have seen that installation on P51 may be tedious (but it works as stated on 
the HCL).. Is there any chance to see the process simplified with the 4.0 final 
version ?

Thanks for your support
regards
Jerome 



Re: [qubes-users] Re: How to recover Qubes when keyboard / mice is dysfunctional due to USB qube setup issues?

2017-10-19 Thread Patrick Schleizer
Trying to replace

> cd /mnt/var/lib/qubes/servicevms
> mv sys-usb sys-usb.bak

with qvm-prefs. (That may be even better than using systemctl.)

Please have a look at the following instructions, modified from what you
wrote. I hope we could simplify/clarify for novice users and add this to
the Qubes documentation.


You should be able to fix this in grub: something like this -
Interrupt the boot process and change the parameters to remove
rd.qubeshideallusb, and add
rd.break=cleanup.

You'll be prompted to decrypt disks and then drop to shell.
The root filesystem will be mounted ro at /sysroot.

umount /sysroot

mkdir /mnt/disk

mount /dev/mapper/qubes_dom0-root /mnt/disk

chroot /mnt/disk

qvm-prefs -s sys-usb autostart false

exit

sudo umount /mnt/disk

reboot



Re: [qubes-users] Re: How to recover Qubes when keyboard / mice is dysfunctional due to USB qube setup issues?

2017-10-19 Thread Patrick Schleizer
Trying to replace

> cd /mnt/var/lib/qubes/servicevms
> mv sys-usb sys-usb.bak

with systemctl disabling the autostart of the VM. Could that work?

Please have a look at the following instructions, modified from what you
wrote. I hope we could simplify/clarify for novice users and add this to
the Qubes documentation.


You should be able to fix this in grub: something like this -
Interrupt the boot process and change the parameters to remove
rd.qubeshideallusb, and add
rd.break=cleanup.

You'll be prompted to decrypt disks and then drop to shell.
The root filesystem will be mounted ro at /sysroot.

umount /sysroot

mkdir /mnt/disk

mount /dev/mapper/qubes_dom0-root /mnt/disk

chroot /mnt/disk

systemctl disable qubes-vm@sys-usb

exit

sudo umount /mnt/disk

reboot



[qubes-users] iommu=force - security risks?

2017-10-19 Thread Patrick Schleizer
I had to use iommu=force to make a notebook boot Qubes R4. [1]

Does that pose any security risk?

Cheers,
Patrick

[1] (Because 'BIOS did not enable IDB for VT properly. - TUXEDO
InfinityBook Pro 13' [2])

[2] https://groups.google.com/forum/#!topic/qubes-users/gAKEomiulUY



Re: [qubes-users] BIOS did not enable IDB for VT properly. - TUXEDO InfinityBook Pro 13

2017-10-19 Thread Patrick Schleizer
Patrick Schleizer:
> Qubes R4 RC1 with TUXEDO InfinityBook Pro 13 [1]. Xen crashes. Boot aborts.
> 
>> BIOS did not enable IDB for VT properly. crash Xen for security purposes
> 
> Did anyone see this error ever before? Any idea how to fix it?
> 
> Cheers,
> Patrick
> 
> [1]
> https://www.tuxedocomputers.com/Linux-Hardware/Linux-Notebooks/10-14-Zoll/TUXEDO-InfinityBook-Pro-13-matt-Full-HD-IPS-Aluminiumgehaeuse-Intel-Core-i7-U-CPU-bis-32GB-RAM-zwei-HDD/SSD-bis-12h-Akku-Typ-C-Thunderbolt.geek
> 

Could get it to boot using

iommu=force

Cheers,
Patrick



[qubes-users] Re: HCL - Dell XPS 13 (L322X)

2017-10-19 Thread saimonmoore
Thanks Chris. That's a real shame because I was really looking forward to trying 
out Qubes. I don't need a huge amount of security but if there's an obvious 
vulnerability like that then it doesn't make much sense to install it on this 
machine. It'll have to wait until I get a machine that's compatible.
