[qubes-users] Boot Delay

2017-11-30 Thread Drew White
Hi folks,

How can I set the Boot Delay so that I can see the POST screen before it 
actually goes into an operating system please?

Also, is there an easier way to Add a BIOS to Qubes config rather than running 
a Custom Config all the time and having to use that in my manager that I built?

It gets annoying when I have to edit the file manually to get it all to 
function correctly when I want to switch from this to that and the other and 
then back again doing tests and checks.

Sincerely,
Drew.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/8ed1b971-b51c-4d0f-b104-c99b92cabdf4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Qubes and Windows.

2017-11-30 Thread Drew White
Hi folks,

Is there any way to turn off the actual DISPLAY of the Guest WITHOUT actually 
getting rid of the video subsystem?

I removed the VGA from the config, and Windows barfed completely.

Is there an easy way to set up a virtual desktop in it that is unseen by any 
actual video system or the user of qubes?

Thanks in advance.

If you don't understand what I'm asking, just ask me some questions.
I'll reply to intelligent questions and suggestions only. Will report anything 
else.

Sincerely,
Drew.



Re: [qubes-users] Re: qvm-usb not functioning

2017-11-30 Thread Drew White
On Tuesday, 21 November 2017 06:45:02 UTC+11, awokd  wrote:
> On Mon, November 20, 2017 02:32, Drew White wrote:
> > Hi folks, sys-usb still isn't functioning and allowing me to attach a
> > device.
> >
> > help please?
> 
> 
> Managed to find your thread from a couple months ago. What happened when
> you tried Foppe's suggestion of:
> 
> >Ran into this a couple of months ago. Rafael Susewind's fix:
> >start the template for sys-usb, or in dom0: edit
> >/usr/lib/qubes/udev-usb-add-change and add
> >
> >ID_SERIAL=`echo ${ID_SERIAL} | iconv -t ASCII//TRANSLIT`
> >
> >immediately before
> >
> >DESC="${ID_VENDOR_ID}:${ID_MODEL_ID} ${ID_SERIAL}"

when I added his resolution, no change.



Re: [qubes-users] Re: VPN Disconnects when Qubes goes to sleep (and does not reconnect when coming out of sleep)?

2017-11-30 Thread Chris Laprise

On 11/30/2017 11:44 PM, Michael Siepmann wrote:
> On Jun 12, 2017, Andrew Morgan wrote:
>
> > Did you follow the "Set up a ProxyVM as a VPN gateway using iptables and
> > CLI scripts" section of the Qubes VPN docs
> > (https://www.qubes-os.org/doc/vpn/)?
> >
> > If so you should be good just to execute the `/rw/config/rc.local` file
> > on your VPN VM after every suspend either manually, through a keyboard
> > shortcut (which I do personally with the following command):
> >
> > qvm-run -i root sys-vpn "/rw/config/rc.local"
>
> I followed the "Set up a ProxyVM as a VPN gateway using iptables and
> CLI scripts" instructions but for me executing "/rw/config/rc.local"
> doesn't make it work again.
>
> I've also tried commenting out or deleting "persist tun" from my
> OpenVPN config file, as Chris Laprise suggested in the thread "is
> vpn made manually, not supposed to restart after suspend?" on May 21
> but that isn't helping either.
>
> My current workaround is a script I wrote in dom0 that first does
> "qvm-prefs VMname -s netvm none" for all the VMs I normally have
> running that use sys-vpn (my ProxyVM VPN gateway), then shuts sys-vpn
> down, waits 10 seconds, starts sys-vpn, then does "qvm-prefs VMname -s
> netvm sys-vpn" for all those VMs.
>
> Any ideas what could be going on so that neither executing
> /rw/config/rc.local nor commenting out "persist tun" works in my case?

I have a couple ideas as to workarounds. Instead of re-starting sys-vpn, 
you could:


  qvm-run -u root sys-vpn 'pkill openvpn'
  qvm-run -u root sys-vpn 'sh /rw/config/rc.local'

...before you re-enable the netvm prefs.

Also, one thing that changing the netvm prefs does is to trigger 
qubes-firewall-user-script to run again. You might compare the state of 
iptables before and after your workaround to see if something went 
missing after waking from sleep. If that's the case, you could just 
trigger the script as a third command added to the above.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
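
Added example (not part of Chris Laprise's message or of the Qubes scripts): one way to do the before/after iptables comparison suggested above, by normalizing two `iptables-save` snapshots so that packet counters and timestamps do not show up as differences. The snapshot contents, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. In dom0 the snapshots could be taken with, for instance:
#   qvm-run -p -u root sys-vpn 'iptables-save' > before.rules   # while the VPN works
#   qvm-run -p -u root sys-vpn 'iptables-save' > after.rules    # after resume, when it fails
# The snapshots embedded below are constructed so the script runs offline.

# normalize_rules: iptables-save output on stdin -> sorted "table rule" lines.
# Drops what changes between any two dumps: comment/timestamp lines, COMMIT,
# "[pkts:bytes]" counters on chain policy lines and on rules saved with -c.
# Sorting makes the sets comparable but hides pure reordering inside a chain.
normalize_rules() {
    awk '
        /^#/      { next }
        /^COMMIT/ { next }
        /^\*/     { table = substr($0, 2); next }
        /^:/      { sub(/ \[[0-9]+:[0-9]+\]$/, ""); print table " " $0; next }
        /^\[/     { sub(/^\[[0-9]+:[0-9]+\] /, "") }
        NF        { print table " " $0 }
    ' | LC_ALL=C sort
}

# compare_rules MODE BEFORE AFTER
#   MODE=missing: rules in BEFORE that are gone in AFTER
#   MODE=added:   rules in AFTER that were not in BEFORE
compare_rules() {
    _b=$(mktemp) && _a=$(mktemp) || return 1
    normalize_rules < "$2" > "$_b"
    normalize_rules < "$3" > "$_a"
    case $1 in
        missing) LC_ALL=C comm -23 "$_b" "$_a" ;;
        added)   LC_ALL=C comm -13 "$_b" "$_a" ;;
        *)       echo "usage: compare_rules missing|added BEFORE AFTER" >&2 ;;
    esac
    rm -f "$_b" "$_a"
}

# write_sample_snapshots DIR: constructed dumps, not taken from a real sys-vpn.
# "after" was saved with -c and has lost one nat rule.
write_sample_snapshots() {
    cat > "$1/before.rules" <<'EOF'
# Generated by iptables-save v1.4.21 on Thu Nov 30 22:01:10 2017
*nat
:PREROUTING ACCEPT [120:7200]
:POSTROUTING ACCEPT [4:240]
-A PREROUTING -i vif+ -p udp -m udp --dport 53 -j DNAT --to-destination 10.8.0.1
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Thu Nov 30 22:01:10 2017
*filter
:FORWARD DROP [0:0]
-A FORWARD -i vif+ -o eth0 -j DROP
-A FORWARD -i vif+ -o tun0 -j ACCEPT
COMMIT
EOF
    cat > "$1/after.rules" <<'EOF'
# Generated by iptables-save v1.4.21 on Thu Nov 30 23:40:02 2017
*nat
:PREROUTING ACCEPT [3:180]
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Thu Nov 30 23:40:02 2017
*filter
:FORWARD DROP [0:0]
[12:720] -A FORWARD -i vif+ -o eth0 -j DROP
[0:0] -A FORWARD -i vif+ -o tun0 -j ACCEPT
COMMIT
EOF
}

# Demo run on the constructed snapshots.
demo_dir=$(mktemp -d)
write_sample_snapshots "$demo_dir"
echo "Missing after resume:"
compare_rules missing "$demo_dir/before.rules" "$demo_dir/after.rules"
echo "New after resume:"
compare_rules added "$demo_dir/before.rules" "$demo_dir/after.rules"
rm -rf "$demo_dir"
```
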



[qubes-users] Re: VPN Disconnects when Qubes goes to sleep (and does not reconnect when coming out of sleep)?

2017-11-30 Thread Michael Siepmann
On Jun 12, 2017, Andrew Morgan wrote:

> Did you follow the "Set up a ProxyVM as a VPN gateway using iptables and
> CLI scripts" section of the Qubes VPN docs
> (https://www.qubes-os.org/doc/vpn/)?
>
> If so you should be good just to execute the `/rw/config/rc.local` file
> on your VPN VM after every suspend either manually, through a keyboard
> shortcut (which I do personally with the following command):
>
> qvm-run -i root sys-vpn "/rw/config/rc.local"

I followed the "Set up a ProxyVM as a VPN gateway using iptables and CLI
scripts" instructions but for me executing "/rw/config/rc.local" doesn't
make it work again.

I've also tried commenting out or deleting "persist tun" from my OpenVPN
config file, as Chris Laprise suggested in the thread "is vpn made
manually, not supposed to restart after suspend?" on May 21 but that
isn't helping either.

My current workaround is a script I wrote in dom0 that first does
"qvm-prefs VMname -s netvm none" for all the VMs I normally have running
that use sys-vpn (my ProxyVM VPN gateway), then shuts sys-vpn down,
waits 10 seconds, starts sys-vpn, then does "qvm-prefs VMname -s netvm
sys-vpn" for all those VMs.

Any ideas what could be going on so that neither executing
/rw/config/rc.local nor commenting out "persist tun" works in my case?

Thanks!

Michael Siepmann

-- 

Michael Siepmann, Ph.D.
*The Tech Design Psychologist*™
/Shaping technology to help people flourish/™
303-835-0501   TechDesignPsych.com
   OpenPGP: 6D65A4F7

 



Re: [qubes-users] Re: Qubes support Secure Boot

2017-11-30 Thread xephael
Thanks for the replies.  I generally dislike secure boot, and even UEFI.  I was 
mainly asking since I couldn't find a clear answer...and if it was possible, 
why not do it!

Other distributions use a shim bootloader signed with a Microsoft key.  It 
might be advantageous for QubesOS to do the same.  I can't think of a major 
downside to it right now.  It could make installation a bit easier. Some 
systems may not have the option for secure boot to be deactivated.

I disabled secure boot, but I'm stuck trying to get QubesOS to install. 
Fighting with a nmi watchdog bug soft lockup.  Maybe I'll start another thread 
about that if I can't get it figured out.



Re: [qubes-users] Formatting and Permissions for internal HDDs

2017-11-30 Thread Gaijin
On 2017-11-27 10:26, awokd wrote:
> On Mon, November 27, 2017 05:22, Gaijin wrote:
>> In R3.2 I have some additional internal hard drives in my PC. I wanted
>> to format them to be encrypted so that they will match the disk
>> encryption of my main Qubes disk install, and so that I won't have to
>> enter the disk password every time I access the drives or attach them to
>> a VM. I have not been able to figure this out. Is this possible?
> 
> Yes, give them the exact same password as your primary and mount them by
> UUID in both /etc/crypttab and /etc/fstab.

Following your recommendation I tried encrypting the drive and having it
mount in dom0 on boot. That works remembering the password, but it's not
optimal for all drives. That's fine for my backups drive, but I have
another data drive that I want to mount to different AppVMs. Mounting
that to dom0 on boot isn't a good idea. If I unmount an encrypted drive
from dom0 and attach it to an AppVM, I still need to enter the disk
decryption password from the AppVM to access the drive. This is a drive
I wanted to use between several AppVMs. Would I need to setup an
/etc/fstab in each AppVM for this?

>> My other issue is that whether I encrypt the drive partitions with LUKS
>> or just make a ext4 partition, I can't access the drives after creating
>> them because they're assigned ownership to the root account. Normal
>> Qubes use is thru the dom0 account or the user account on the VMs, not
>> root. What would be a good permissions setting to allow dom0 or a VM
>> access the hard drives?
> 
> I think if you mount them as part of boot you will have less trouble.
> Don't remember having to do anything special with permissions, but review
> the ones set on /var/lib/qubes if needed. Also see
> https://www.qubes-os.org/doc/secondary-storage/ .

That permissions issue is still there even if I mount the encrypted
drive at boot. I have this issue on 2 different machines running R3.2.
These are new, blank HDDs that dom0 recognizes when I boot up. They're
set with rw for the Owner root and in the root Group, which only has r,
Others are r as well. Should I be chown-ing these from the AppVMs so
that the User account there can manipulate them? I'm a bit new to *nix
disk permissions...



Re: [qubes-users] New HCL Entry: Lenovo ThinkPad T470 (20HDCTO1WW)

2017-11-30 Thread Joe Hemmerlein
On Thursday, November 30, 2017 at 1:37:59 PM UTC-8, Mike Keehan wrote:
> Hi Joe,
> 
> This is the content of my EFI/qubes directory after installing
> Qubes 4.0-rc3 in EFI mode :-
> 
> -rwxr-xr-x 1 root root 22231327 Nov 28 17:29 initramfs-4.9.56-21.pvops.qubes.x86_64.img
> -rwxr-xr-x 1 root root  5316864 Nov 28 17:29 vmlinuz-4.9.56-21.pvops.qubes.x86_64
> -rwxr-xr-x 1 root root  902 Nov 28 17:36 xen.cfg
> -rwxr-xr-x 1 root root  2056349 Nov 28 17:29 xen.efi
> 
> I then selected which EFI directory to boot from using the bios.
> 
> I think the EFI/Boot directory is just a default.
> 
> Mike.

Thanks, Mike. In my case I can't even install Qubes in EFI mode because the 
installer won't run; and installing Qubes in Legacy mode will lead to an empty 
.cfg file. I'll take another stab at it tonight.
-joe



[qubes-users] Suggestions (for forum posts)

2017-11-30 Thread Stumpy
I am not so familiar with google groups but I don't have a google 
account and have noticed that sometimes people only reply to the group 
and don't include the posters address.
Assuming it's possible to "respond all" from within gg can I suggest 
that we encourage each other to not only not top post (which I am 200% 
for) and also respond all so that those who are emailing in can get all 
the responses, and respond to those responses (if that makes sense) via 
email.


Just a thought.



Re: [qubes-users] 3 different rez monitors doable?

2017-11-30 Thread Stumpy



On 30.11.2017 16:43, Tom Zander wrote:
> On Thursday, 30 November 2017 01:21:40 CET Stumpy wrote:
> > I don't see why this wouldn't work, but at the same time, I thought
> > better to be safe than sorry.
> >
> > I have two monitors (1920x) hooked up to my comp which has two video out
> > ports, I wanted to add a 4k monitor and will have to add an extra card.
>
> If it works on Xorg, it should work on Qubes. So you can try on any KDE or
> Gnome forum to get the confirmation you want.
>
> I have two screens which works fine.

Thanks for that, and to the other responses.

I am thinking I will try to get my hands on a 4k mongfx card to test but 
it seems like it will likely work.




Re: [qubes-users] Recover broken bootloader

2017-11-30 Thread barbudoazul93

> 
> Was having a similar problem. I have boot installed in a separate usb and 
> after following the process of chroot... grub2 install and rebooting it ask 
> me for the passphrase and all end up with a grub> shell with the system not 
> booting. There is a way to clone my boot usb to another usb or to build a new 
> one? or better reinstall. Thanks guys.

Solved, was able to clone the boot usb before it broke definitely using:
dd if=boot.img of=/dev/sd(letter new boot USB) conv=notrunc

boot.img being the image of the old usb stick where I installed the boot 
partition when I installed Qubes. Without the conv=notrunc it didn't work, just 
in case someone faces a similar problem. Like I said in the previous message the 
chroot - grub-install process didn't work for me, maybe because I use FDE and 
the boot partition being in a separate USB.



Re: [qubes-users] Qubes in a corporate network behind HTTP proxy

2017-11-30 Thread pr0xy
On 2017-11-30 02:20, Unman wrote:
> On Wed, Nov 29, 2017 at 03:12:46PM -0800, pr0xy wrote:
>> On 2017-11-27 09:33, awokd wrote:
>> > On Mon, November 27, 2017 05:40, pr0xy wrote:
>> >> On 2017-11-20 18:08, awokd wrote:
>> >>> On Mon, November 20, 2017 10:01, pr0xy wrote:
>> >>>> Please help a somewhat noob who wants to use Qubes in the office.
>> >>>>
>> >>>> I got the OK to try using Qubes R3.2 in my company network as a
>> >>>> workstation. They have a very restrictive proxy that forces all traffic
>> >>>> through an HTTP/HTTPS proxy like:
>> >>>>
>> >>>> proxy.example.com:8080
>> >>>>
>> >>>> How could I force all Qubes traffic to go through that proxy and that
>> >>>> port?
>> >>>>
>> >>>> Would that be in sys-net, or a Firewall VM?
>> >>>
>> >>> Check https://www.qubes-os.org/doc/vpn/ . Ignore the parts about VPN
>> >>> setup
>> >>> but you should be able to set up your proxy redirect in the Proxy VM.
>> >>> I'm
>> >>> assuming local traffic like DNS lookups would not go through the proxy.
>> >>
>> >> Thanks. I have been reading up on the ProxyVM, which seems to be the way
>> >> I would do this, but I'm a bit confused as to where I would add these
>> >> proxy settings. I'm not familiar with manipulating IP tables, or writing
>> >> the sort of scripts on that page, but is that what I would need to set?
>> >>
>> >> I wanted to stay away from setting the environment variables for
>> >> http_proxy, https_proxy, ftp_proxy and no_proxy in each VM.  Ideally I
>> >> think I'd like to use a ProxyVM to proxify an entire AppVM, but the
>> >> documentation doesn't make it clear how I would attempt this.
>> >
>> > You're right, you'd need to manipulate IP tables. There is no built in way
>> > to do it with just the Qubes UI.
>> >
>> > See
>> > https://stackoverflow.com/questions/10595575/iptables-configuration-for-transparent-proxy
>> > for an example if you wanted to use the transparent proxy approach.
>> > Sys-whonix is essentially a transparent proxy that forwards all traffic
>> > through Tor.
>> >
>> > Another option could be
>> > https://www.qubes-os.org/doc/config/http-filtering-proxy/ . See also
>> > https://theinvisiblethings.blogspot.de/2011/09/playing-with-qubes-networking-for-fun.html
>>
>> I know how to manipulate a torrc file to work through my proxy. That
>> works very well as I can just set HTTPProxy host[:port] and it goes.
>>
>> In a ProxyVM I'm a bit lost. Would I be setting Firewall rules in the
>> VM, or adding a network connection and manipulating that? I'm not clear
>> where I would be manipulating the IP Tables.
> 
> You say you want ALL traffic to go through the proxy, but I'm guessing
> that there is a local DNS server on the network.
> The first thing is to be clear about what services are to pass through
> the proxy.
> Then the simplest way to get what you want is to manipulate the rules on
> sys-net.
> If you look at the rules there you will see that traffic from
> sys-firewall and below is subject to MASQUERADE in the nat table, and
> everything originating from vif interfaces outbound is allowed in the
> FORWARD chain.
> So if you want to direct http traffic through the proxy just insert a
> rule in the PREROUTING chain like this:
> iptables -t nat -I PREROUTING -i vif+ -p tcp --dport 80 -j DNAT --to
> proxy.example.com:8080
> 
> You can set this in /rw/config/rc.local - remember to chmod that file.
> Look at https://www.qubes-os.org/doc/firewall/
> 
> I hope this points you in the right direction.
> Obviously this wont affect traffic originating from sys-net but then I
> recommend having a restrictive OUTPUT on sys-net and sys-firewall.
> 
> unman

Sorry, that statement about 'all' traffic was misleading. You're correct
that DNS is handled separately. I have that set on the network
connection of my sys-net. DNS appears to be properly passed to the
iptables of sys-net.

Thanks for that IPtable example. I don't think I would have figured that
out on my own. Specifically I need to pass HTTP, HTTPS and FTP through
the corporate proxies. I modified your example to this:

iptables -t nat -I PREROUTING -i vif+ -p tcp --dport 80:443 -j DNAT --to proxy.example.com:8080
iptables -t nat -I PREROUTING -i vif+ -p tcp --dport 21 -j DNAT --to proxy.example.com:10021

I placed that in the /rw/config/rc.local of sys-net and made it
executable. Rebooting the machine shows that it's persistent, and they
show up in the PREROUTING section when I check 
iptables --table nat --list

Problem is that AppVMs connected to the sys-firewall > sys-net don't
seem to take advantage of those settings. For example, I can't use
Firefox to connect to internet sites without manually setting the proxy
in the browser. Likewise, TemplateVMs with the same routing can't
update.

Should I instead be making these iptables settings in a ProxyVM, and
connect like: AppVM/StandaloneVM/TemplateVM > ProxyVM > sys-firewall >
sys-net?
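
Added example (not from the thread or the Qubes documentation): `iptables --table nat --list` shows that the rules exist, while the per-rule packet counters printed with `-v` show whether traffic arriving on `vif+` ever matched them. The listing below is constructed, 192.0.2.10 is a documentation address standing in for the resolved proxy, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. On sys-net the real listing would come from:
#   iptables -t nat -L PREROUTING -v -n -x
# (-v adds pkts/bytes counters, -n skips name lookups, -x prints exact counts).
# The nat table is consulted only for the first packet of a connection, so
# "pkts" here is effectively the number of connections the rule rewrote.

# sample_listing: constructed output in the format of the command above.
sample_listing() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      14      840 DNAT       tcp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 to:192.0.2.10:10021
       0        0 DNAT       tcp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            tcp dpts:80:443 to:192.0.2.10:8080
EOF
}

# dnat_hits: listing on stdin -> "pkts ports destination" for every DNAT rule
# whose input interface is vif+. Columns: pkts bytes target prot opt in out
# source destination, followed by the match and target options.
dnat_hits() {
    awk '
        $3 == "DNAT" && $6 == "vif+" {
            ports = "any"; dest = "?"
            for (i = 10; i <= NF; i++) {
                if ($i ~ /^dpts?:/) { ports = $i; sub(/^dpts?:/, "", ports) }
                if ($i ~ /^to:/)    { dest = substr($i, 4) }
            }
            print $1, ports, dest
        }
    '
}

# unhit_rules: only the rules that no connection has matched so far.
unhit_rules() {
    dnat_hits | awk '$1 == 0 { print $2 " -> " $3 }'
}

# explain_hits: one line per rule saying where to look next.
explain_hits() {
    dnat_hits | while read -r pkts ports dest; do
        if [ "$pkts" -eq 0 ]; then
            echo "dport $ports: never matched, traffic is not reaching this rule"
        else
            echo "dport $ports: $pkts connection(s) rewritten to $dest, check what the proxy does with them"
        fi
    done
}

# Demo run on the constructed listing.
sample_listing | explain_hits
```

Reset the counters with `iptables -t nat -Z PREROUTING`, generate one request from an AppVM, then read the listing again so the numbers reflect only that request.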




Re: [qubes-users] New HCL Entry: Lenovo ThinkPad T470 (20HDCTO1WW)

2017-11-30 Thread Joe Hemmerlein
On Thursday, November 30, 2017 at 11:12:34 AM UTC-8, Tom Zander wrote:
> I think it's a known issue that Qubes doesn't support EFI.

Do you have a reference for that? I don't think that's true.

I can run Qubes OS without problems with UEFI on other hardware, and there is 
even UEFI troubleshooting guidance at 
https://www.qubes-os.org/doc/uefi-troubleshooting/ - which doesn't mention lack 
of support for EFI...

-joe



Re: [qubes-users] New HCL Entry: Lenovo ThinkPad T470 (20HDCTO1WW)

2017-11-30 Thread Mike Keehan
On Thu, 30 Nov 2017 02:07:56 -0800
Joe Hemmerlein  wrote:

> Hi,
> 
> so far it was easy to install and run Qubes OS 4.0 RC3 (and RC2) on
> this hardware - as long as I keep boot mode on "Legacy Only".
> 
> However, the TPM chip on this hardware works in UEFI boot mode only;
> and even with secureboot disabled and CSM support enabled, I can't
> get Qubes OS to boot in UEFI mode:
> - The installer doesn't run in UEFI mode (I get text mode grub, but
> whatever i select simply does nothing and returns to grub)
> - If I turn UEFI mode on after installing Qubes OS, I don't even get
> grub.
> - I tried the UEFI troubleshooting guide to no avail, although I was
> unable to run efibootmgr directly while in legacy boot mode ("EFI
> variables are not supported on this system") so in order to run
> efibootmgr, i booted a separate Fedora 26 Live image which does boot
> in UEFI mode. However, even with updated records, the result is the
> same: selecting those options from the UEFI boot menu simply makes
> the screen flicker once and then i'm back in the UEFI boot menu.
> - I tried copying the EFI and CFG file to /EFU/BOOT and renaming them
> to BOOTX64.EFI and .CFG, and also created new entries with efibootmgr
> for this, again without success.
> 
> 
> I also tried installing Qubes OS 3.2 on this system which didn't work
> and initial troubleshooting failed; but I'd like to concentrate my
> efforts on making this work for Qubes 4.0 so i didn't spend too much
> time on getting Qubes OS 3.2 on the T470.
> 
> Any hints about troubleshooting the UEFI boot option are appreciated;
> i can also provide more exact details about what i already tried.
> Given the specs of this machine, I'm really determined to not give up
> easily.
> 
> For now, I'll test other functionality in legacy mode only.
> 
> Cheers,
> -joe
> 

Hi Joe,

This is the content of my EFI/qubes directory after installing
Qubes 4.0-rc3 in EFI mode :-

-rwxr-xr-x 1 root root 22231327 Nov 28 17:29 initramfs-4.9.56-21.pvops.qubes.x86_64.img
-rwxr-xr-x 1 root root  5316864 Nov 28 17:29 vmlinuz-4.9.56-21.pvops.qubes.x86_64
-rwxr-xr-x 1 root root  902 Nov 28 17:36 xen.cfg
-rwxr-xr-x 1 root root  2056349 Nov 28 17:29 xen.efi

I then selected which EFI directory to boot from using the bios.

I think the EFI/Boot directory is just a default.

Mike.



Re: [qubes-users] New HCL Entry: Lenovo ThinkPad T470 (20HDCTO1WW)

2017-11-30 Thread Rashiq
Hey,

On Thursday, November 30, 2017 2:07:56 AM CET Joe Hemmerlein wrote:
> I also tried installing Qubes OS 3.2 on this system which didn't work and
> initial troubleshooting failed; but I'd like to concentrate my efforts on
> making this work for Qubes 4.0 so i didn't spend too much time on getting
> Qubes OS 3.2 on the T470.

also running Qubes R4.0 on a T470.

R3.2 won't run due to drivers for the graphics chip not present in the kernel 
(as far as I remember from my troubleshooting of this some half a year ago).

-- 
Regards,
rashiq



Re: [qubes-users] New HCL Entry: Lenovo ThinkPad T470 (20HDCTO1WW)

2017-11-30 Thread 'Tom Zander' via qubes-users
On Thursday, 30 November 2017 11:07:56 CET Joe Hemmerlein wrote:
> However, the TPM chip on this hardware works in UEFI boot mode only

I think it's a known issue that Qubes doesn't support EFI.
It ironically creates an efi partition, but the installer doesn't create the 
right stuff to actually boot from it.
And I can confirm that the installer doesn't boot without legacy boot 
systems either.

If your hardware is really incompatible with legacy boots, you are out of 
luck.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



[qubes-users] Re: New HCL Entry: Lenovo ThinkPad T470 (20HDCTO1WW)

2017-11-30 Thread Joe Hemmerlein
On Thursday, November 30, 2017 at 2:07:59 AM UTC-8, Joe Hemmerlein wrote:
> Any hints about troubleshooting the UEFI boot option are appreciated; i can 
> also provide more exact details about what i already tried. Given the specs 
> of this machine, I'm really determined to not give up easily.
> 

Here is a detailed log of what I tried.

ThinkPad T470 (20HD-CT01WW)
UEFI/BIOS configuration
===
Setup – Main
- UEFI BIOS Version: N1QET68W (1.43)
- UEFI BIOS Date: 2017-11-10
- Installed Memory: 32768 MB
- UEFI Secure Boot: Off

Setup – Config – USB
- USB UEFI BIOS Support: Enabled

Setup – Security – Security Chip
- Security Chip Type: TPM 2.0
- Security Chip: Enabled
- Intel TXT Feature: Enabled

Setup – Security – Memory Protection
- Execution Prevention: Enabled

Setup – Security – Virtualization
- Intel Virtualization Technology: Enabled
- Intel VT-d Feature: Enabled

Setup – Security – Secure Boot
- Secure Boot: Disabled

Setup – Security – Intel SGX
- Intel SGX Control: Software 
- Current State: Enabled

Setup – Security – Device Guard
- Device Guard: Disabled

Setup – Startup
- Boot (Priority Order) includes "USB HDD" and "NVMe0 Intel SSDPEKKF256G7L"
- UEFI/Legacy Boot: UEFI Only
- CSM Support: Yes


Initial Setup Experience

- Created USB stick using Rufus with dd method from 4.0R3 ISO image
- Able to boot USB stick by invoking UEFI Boot Menu with F12, then selecting 
USB HDD
- This results in a text mode grub menu with the four options
- Option 1 (Test media and install Qubes R4.0-rc3) is default and will start 
automatically
- Option 1 then fails: "XEN 4.8.2 (c/s ) EFI loader // Failed to boot both 
default and fallback entries"
Only way I found to install Qubes OS:
- Change BIOS/UEFI setup configuration item "UEFI/Legacy Boot" to "Legacy Only"
- Boot from USB and install. GUI install works fine with default options (all I 
change is my keyboard layout to Dvorak)
- Reboot, and configure Qubes OS with default options
- Qubes OS starts and is usable as long as BIOS/UEFI setup configuration is 
using "Legacy Only", but...
--- Problem: no TPM available. According to Lenovo, the TPM2.0 will not be 
exposed in legacy boot scenario; in order for TPM to be exposed, it seems like 
we need UEFI boot.
Trying to switch to UEFI

- As described at 
https://www.qubes-os.org/doc/uefi-troubleshooting/#installation-finished-but-qubes-boot-option-is-missing-and-xencfg-is-empty,
 we have an empty (0 bytes) xen.efi file in /boot/efi/EFI/qubes. Followed steps 
in guide, essentially:
- Booted into Qubes with legacy boot
- Renamed xen-4.8.2.efi to xen.efi
- Copied contents from xen.cfg in troubleshooting guide to xen.cfg in dom0
- Edited xen.cfg to adjust for current kernel number in four places
- Rebooted
- Booted with legacy boot from USB install stick
- Selected Advanced – Rescue a Qubes installation
- Selected option 1 to continue
- Found installation on device nvme0n1p2 and entered LUKS passphrase
- Got Shell
- Changes made to files still visible in /mnt/sysimage/boot/efi/EFI/qubes
- Ran the efibootmgr command as shown in the guide, but adjusted devicename. I 
didn’t know whether I should add nvme0n1 or nvme0, or maybe even nvme0n1p1 – so 
I ran the command three times with different labels.
--- Problem: Can't run efibootmgr. Error: "EFI variables are not supported on 
this system"
- Rebooted, but also changing BIOS/UEFI setup boot options again
--- Boot option "Both" with "UEFI First" failed to boot from USB (went back to 
UEFI boot menu)
--- Boot option "Both" with "Legacy First" allowed me to boot from USB to 
rescue a Qubes installation. 
--- Problem: efibootmgr command still fails with "EFI variables are not 
supported on this system".
- It looks like I may need to somehow boot with UEFI enabled in order to run 
efibootmgr.
- Trying a Fedora Live CD (Fedora-Workstation-Live-x86_64-26-1.5.iso)
- Created USB stick with Rufus dd method
- Booted USB stick with boot option set to "UEFI Only" and "CSM Support" 
enabled.
- Fedora stick boots successfully into Fedora 26 Live
- efibootmgr command generally works
- Tried it:
--- efibootmgr -v -c -u -L Qubes431 -l /EFI/qubes/xen.efi -d /dev/nvme0n1 -p 1 "placeholder /mapbs /noexitboot"
--- efibootmgr -v -c -u -L Qubes431 -l /EFI/qubes/xen.efi -d /dev/nvme0n1p1 -p 1 "placeholder /mapbs /noexitboot"
--- efibootmgr -v -c -u -L Qubes433 -l /EFI/qubes/xen.efi -d /dev/nvme0n1p1 "placeholder /mapbs /noexitboot"

- Rebooted (still with "UEFI Only" and "CSM" boot options enabled)
- Selected F12 again for UEFI boot menu, and I could see both new added 
entries. I tried both of them, but...
--- Problem: selecting any of those entries just gets us back to the UEFI boot 
menu. They’re failing visually the same way as the standard "Qubes" entry fails.
- Rebooted back into the Live image
- I noticed that on nvme0n1p1, the .efi file is actually in 
/efi/EFI/qubes/xen.efi, and not in /EFI/qubes/xen.efi. not sure if that 
matters, but let’s 

Re: [qubes-users] Where is Chrome once installed?

2017-11-30 Thread Max gokey
On Monday, December 5, 2016 at 3:41:21 AM UTC-5, Andrew David Wong wrote:
> On 2016-12-04 12:58, Patrick Bouldin wrote:
> > Hi, newbie question.
> > 
> > I am using 3.2 and an HP I7 processor.
> > 
> > I created a Fedora VM. I wanted to run a Chrome browser, so I used Firefox 
> > to download and save in the Fedora VM file section, where I installed 
> > Chrome. Then it asks if I want to run it, and I do - no problem. However, I 
> > don't see a way to actually launch Chrome anywhere (other than when it asks 
> > me after installing). No trace of Chrome anywhere.
> > 
> > Any help is appreciated.
> > 
> > Thanks,
> > Patrick
> > 
> 
> I recommend that you install it from the repo instead. In your template, 
> issue:
> 
> $ sudo dnf install --enablerepo=google-chrome google-chrome-stable
> 
> - -- 
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org



I get an error when I type it in: "nothing provides libssl3.so(NSS_3.28)(64bit)"



[qubes-users] Re: Getting Flash Player to work

2017-11-30 Thread Max gokey
On Monday, September 11, 2017 at 7:31:43 PM UTC-4, pixel fairy wrote:
> try installing google chrome. it has a built in flash engine that chromium 
> doesn't come with

I need help with installing chrome



Re: [qubes-users] Re: 3 different rez monitors doable?

2017-11-30 Thread Nuno Branco
Well I can tell you the answer to 1 and 3 is yes for Qubes 3.2 as I use it.


On 11/30/2017 04:21 PM, Jon Solworth wrote:
> On Wednesday, November 29, 2017 at 7:21:46 PM UTC-5, Stumpy wrote:
>> I don't see why this wouldn't work, but at the same time, I thought 
>> better to be safe than sorry.
>>
>> I have two monitors (1920x) hooked up to my comp which has two video out 
>> ports, I wanted to add a 4k monitor and will have to add an extra card.
>>
>> So.
>> 1) Is there any reason this wouldn't work?
>> 2) Is 3.2 working ok with 4k?
>> 3) assuming it should work ok, any "super-compatible" cards I should be 
>> looking at? esp lower profile cards as my sys's internals are a bit 
>> crowded now.
>> btw, I am not a gamer the most proc intensive things I do is watching 
>> videos, occasional video(minor/non-prof)/gfx editing, photo stitching 
>> etc... most of which i guess don't use a gfx proc anyway?
>> Thx in advance
> Your question about whether it works is really three different questions:
>   1. Can qubes support 3 monitors?
>   2. Can qubes support 4k?
>   3. Can qubes support different resolution.
>
> I don't know the answer to 1, although I can affirm it definitely supports 2;
> note that there may be limitations with the frame buffer size but X supports
> multiple graphics cards.
> In response to 2, it works well on a 4k display (I'm typing it on it now).
> In response to 3, X thinks all your displays have the same density, i.e.,
> dots per inch.  If you don't, it may be painful if you want to avoid tiny
> or gigantic type.  If you search this group you'll get some help for this
> problem.
>
> Jon
>

-- 

Best regards,
Nuno Branco



[qubes-users] Re: 3 different rez monitors doable?

2017-11-30 Thread Jon Solworth
On Wednesday, November 29, 2017 at 7:21:46 PM UTC-5, Stumpy wrote:
> I don't see why this wouldn't work, but at the same time, I thought 
> better to be safe than sorry.
> 
> I have two monitors (1920x) hooked up to my comp which has two video out 
> ports, I wanted to add a 4k monitor and will have to add an extra card.
> 
> So.
> 1) Is there any reason this wouldn't work?
> 2) Is 3.2 working ok with 4k?
> 3) assuming it should work ok, any "super-compatible" cards I should be 
> looking at? esp lower profile cards as my sys's internals are a bit 
> crowded now.
> btw, I am not a gamer the most proc intensive things I do is watching 
> videos, occasional video(minor/non-prof)/gfx editing, photo stitching 
> etc... most of which i guess don't use a gfx proc anyway?
> Thx in advance

Your question about whether it works is really three different questions:
  1. Can qubes support 3 monitors?
  2. Can qubes support 4k?
  3. Can qubes support different resolution.

I don't know the answer to 1, although I can affirm it definitely supports 2;
note that there may be limitations with the frame buffer size but X supports
multiple graphics cards.
In response to 2, it works well on a 4k display (I'm typing it on it now).
In response to 3, X thinks all your displays have the same density, i.e.,
dots per inch.  If you don't, it may be painful if you want to avoid tiny
or gigantic type.  If you search this group you'll get some help for this
problem.

Jon



Re: [qubes-users] 3 different rez monitors doable?

2017-11-30 Thread 'Tom Zander' via qubes-users
On Thursday, 30 November 2017 01:21:40 CET Stumpy wrote:
> I don't see why this wouldn't work, but at the same time, I thought
> better to be safe than sorry.
> 
> I have two monitors (1920x) hooked up to my comp which has two video out
> ports, I wanted to add a 4k monitor and will have to add an extra card.

If it works on Xorg, it should work on Qubes. So you can try on any KDE or 
Gnome forum to get the confirmation you want.

I have two screens which work fine.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel



Re: [qubes-users] qvm-backup-restore --verify-only broken ?

2017-11-30 Thread Jean-Luc Duriez
On Thursday, November 30, 2017 at 15:03:57 UTC+1, Francesco wrote:
> On Wed, Nov 29, 2017 at 10:02 PM, Chris Laprise wrote:
> On 11/29/2017 05:43 PM, Jean-Luc Duriez wrote:
> 
> Hello Qubists
> 
> I currently use Qubes R4 RC2, and would like to upgrade to RC3 after a 
> backup. But I experience problems with the qvm-restore-backup --verify-only 
> command.
> 
> Should I worry about the quality of my backup ?
> 
> How is the USB drive formatted? For me it does not work reliably with NTFS 
> (that is how they sell these drives), but if I format my USB drive to ext3 it 
> works.
> 
> Best
> 
> Fran

Interesting. The drive is itself encrypted (LUKS+ext4); this extra care 
is taken because it is stored outside my home.
So as a first step I mount it and enter the LUKS key, and I make sure I 
can browse and read the backup files normally.

Jean-Luc



Re: [qubes-users] qvm-backup-restore --verify-only broken ?

2017-11-30 Thread Franz
On Wed, Nov 29, 2017 at 10:02 PM, Chris Laprise  wrote:

> On 11/29/2017 05:43 PM, Jean-Luc Duriez wrote:
>
>> Hello Qubists
>>
>> I currently use Qubes R4 RC2, and would like to upgrade to RC3 after a
>> backup. But I experience problems with the qvm-restore-backup --verify-only
>> command.
>>
>> Should I worry about the quality of my backup ?
>>
>
>
How is the USB drive formatted? For me it does not work reliably with NTFS
(that is how they sell these drives), but if I format my USB drive to ext3
it works.
Best
Fran



Re: [qubes-users] Re: Failed to load Kernel Modules

2017-11-30 Thread Mr. Malatesta
On Thursday, November 30, 2017 at 4:16:31 AM UTC-5, Tom Zander wrote:
> On Thursday, 30 November 2017 03:30:35 CET Unman wrote:
> > I think I must be missing your point - it might be clearer if you gave
> > examples of tasks that these user interfaces would serve.
> 
> I think we have some great examples already which could use more love.
> 
> The devices app, which allows you to assign drives (partitions really) to 
> qubes.
> It is currently less than complete.
> Not only does it have bugs (shutting down a qube and starting it again makes 
> a logical drive never be shown there again).
> But more importantly it just adds a new device in /devs/ without mounting 
> it. It should allow a user to the first time select a qubes dir to mount it 
> on.
> The goal; to avoid the user having to use the CLI.
> 
> But also the Qubes-create-new VM GUI app is rather badly designed. It uses 
> lots of terms like ‘appvm’ and similar, which is Ok.
> The problem is that none of these terms are explained. You have to go to 
> browse on the internet to find out what those mean.
> It would be quite easy to add documentation inside the app in order to 
> explain it. Maybe add a graphic-widget that shows not just the list of 
> template VMs, but also which VMs are based on it.
> Because honestly, what a user wants is likely “make another VM like Work”. 
> But then they have to first find out that “Work” is based on a named 
> template, 
> is an appvm and remember that and open the create-vm screen to base it on 
> the same...
> 
> In short, the tools are designed by technical people to do what they already 
> know how to do. They are not designed for new users that need to discover 
> the system at the same time as they get tasks done.
> 
> This is just an example or two, I hope it explains my thinking.
> -- 
> Tom Zander
> Blog: https://zander.github.io
> Vlog: https://vimeo.com/channels/tomscryptochannel

Absolutely. Imagine the prospective user who requires as much security as is 
possible who eventually figures out how to install Qubes...someone like me who 
spent a lot of money because he thought that the Librem would boot right up and 
the creation of different reasonably secure VMs would be a click away. After 
purchasing books on Fedora and Linux and Python I have my relatively useless 
Librem and my impossible to install and use Qubes to remind me that if I could 
only understand step by step what 99 percent of you guys are talking about I 
might be able to keep professional/confidential files secure...
Very frustrating. I daily wait for anything that literally shows me the steps 
to do anything on this obviously important architecture e.g. turn on the 
machine; the first screen will look like this; at the prompt you will access 
the menu by typing "x;" then type the following (without the quotes/or, with 
the quotes): . Patiently awaiting a very needed tool...unless Analog is the 
only answer for those who have not studied coding?



Re: [qubes-users] qvm-backup-restore --verify-only broken ?

2017-11-30 Thread Jean-Luc Duriez
Thanks for your feedback.

Same issue when I try to verify the backup on a freshly installed 4RC3 system. 

More annoyingly, the standard restore does not work either, with the same 
error, so at this time we cannot restore any backup in a Qubes 4 based system. 
So I am going to be careful and save my AppVM data with an alternate method in 
the meantime.



[qubes-users] New HCL Entry: Lenovo ThinkPad T470 (20HDCTO1WW)

2017-11-30 Thread Joe Hemmerlein
Hi,

so far it was easy to install and run Qubes OS 4.0 RC3 (and RC2) on this
hardware - as long as I keep boot mode on "Legacy Only".

However, the TPM chip on this hardware works in UEFI boot mode only; and
even with secureboot disabled and CSM support enabled, I can't get Qubes OS
to boot in UEFI mode:
- The installer doesn't run in UEFI mode (I get text mode grub, but
whatever I select simply does nothing and returns to grub)
- If I turn UEFI mode on after installing Qubes OS, I don't even get grub.
- I tried the UEFI troubleshooting guide to no avail, although I was unable
to run efibootmgr directly while in legacy boot mode ("EFI variables are
not supported on this system") so in order to run efibootmgr, I booted a
separate Fedora 26 Live image which does boot in UEFI mode. However, even
with updated records, the result is the same: selecting those options from
the UEFI boot menu simply makes the screen flicker once and then I'm back
in the UEFI boot menu.
- I tried copying the EFI and CFG file to /EFI/BOOT and renaming them to
BOOTX64.EFI and .CFG, and also created new entries with efibootmgr for
this, again without success.


I also tried installing Qubes OS 3.2 on this system which didn't work and
initial troubleshooting failed; but I'd like to concentrate my efforts on
making this work for Qubes 4.0 so I didn't spend too much time on getting
Qubes OS 3.2 on the T470.

Any hints about troubleshooting the UEFI boot option are appreciated; I can
also provide more exact details about what I already tried. Given the specs
of this machine, I'm really determined to not give up easily.

For now, I'll test other functionality in legacy mode only.

Cheers,
-joe



Qubes-HCL-LENOVO-20HDCTO1WW-20171129-163138.yml
Description: application/yaml


Qubes-HCL-LENOVO-20HDCTO1WW-20171129-163138.cpio.gz
Description: GNU Zip compressed data
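
The checks behind the two T470 UEFI posts above (the zero-byte xen.efi, the kernel names edited into xen.cfg, which device to give efibootmgr, and the "EFI variables are not supported" error), as an added shell example that is not part of either post or of the Qubes guide. The function names, the sample tree and its kernel version string are constructed for illustration; the xen.cfg layout (kernel= and ramdisk= lines naming files beside xen.efi, default= before its section) is an assumption.

```shell
#!/bin/sh
# Pre-flight checks before adding a Xen/Qubes UEFI boot entry (added example).
# Nothing here writes EFI variables: it inspects files and prints a command.

# Succeeds only when the running system was started by UEFI firmware. Under
# legacy/CSM boot this directory is absent and efibootmgr cannot work.
# $1 (optional): directory to test instead of the real one, for offline use.
uefi_booted() {
    [ -d "${1:-/sys/firmware/efi}" ]
}

# Print "DISK PARTNUM" for a partition node: efibootmgr takes the whole disk
# with -d and the partition number with -p. Whole-disk nodes are rejected.
split_partition() {
    case "$1" in
        /dev/nvme*n*p[0-9]*|/dev/mmcblk*p[0-9]*)
            printf '%s %s\n' "${1%p[0-9]*}" "${1##*p}" ;;
        /dev/nvme*|/dev/mmcblk*)
            echo "$1 is a whole disk, not a partition" >&2; return 1 ;;
        /dev/*[0-9])
            sp_num=${1##*[!0-9]}
            printf '%s %s\n' "${1%"$sp_num"}" "$sp_num" ;;
        *)
            echo "$1: no partition number" >&2; return 1 ;;
    esac
}

# Print the ESP-relative path that -l expects for loader file $2 on the ESP
# mounted at $1. Rejects files outside the ESP and missing or zero-byte files.
esp_relative_loader() {
    er_esp=${1%/}
    case "$2" in
        "$er_esp"/*) ;;
        *) echo "$2 is not under $er_esp" >&2; return 1 ;;
    esac
    [ -s "$2" ] || { echo "$2 is missing or empty" >&2; return 1; }
    printf '%s\n' "${2#"$er_esp"}"
}

# Check xen.cfg in directory $1: print every kernel=/ramdisk= file that is
# missing or empty there, and "section:NAME" if default= names no section.
# Returns 0 when consistent, 1 when something is missing, 2 without xen.cfg.
cfg_missing_files() {
    [ -s "$1/xen.cfg" ] || return 2
    cm_bad=0 cm_default= cm_found=0
    while IFS= read -r cm_line; do
        case "$cm_line" in
            default=*) cm_default=${cm_line#default=} ;;
            "[$cm_default]") cm_found=1 ;;
            kernel=*|ramdisk=*)
                cm_file=${cm_line#*=}
                cm_file=${cm_file%% *}   # first word is the file, rest are arguments
                [ -s "$1/$cm_file" ] || { echo "$cm_file"; cm_bad=1; } ;;
        esac
    done < "$1/xen.cfg"
    [ "$cm_found" -eq 1 ] || { echo "section:$cm_default"; cm_bad=1; }
    return "$cm_bad"
}

# Print (not run) the entry-creation command in the form quoted in the thread.
# $1 ESP mount point, $2 ESP partition node, $3 label, $4 loader file.
efibootmgr_command() {
    ec_rel=$(esp_relative_loader "$1" "$4") || return 1
    ec_dp=$(split_partition "$2") || return 1
    printf 'efibootmgr -v -c -u -L %s -l %s -d %s -p %s "placeholder /mapbs /noexitboot"\n' \
        "$3" "$ec_rel" "${ec_dp% *}" "${ec_dp#* }"
}

# Constructed sample: a fake ESP tree whose xen.cfg names an initramfs that
# does not exist. The kernel version string is made up for the example.
make_sample_esp() {
    ms_root=$(mktemp -d) || return 1
    mkdir -p "$ms_root/EFI/qubes"
    printf 'stub' > "$ms_root/EFI/qubes/xen.efi"
    printf 'stub' > "$ms_root/EFI/qubes/vmlinuz-0.0.0-1.example"
    cat > "$ms_root/EFI/qubes/xen.cfg" <<EOF
[global]
default=0.0.0-1.example

[0.0.0-1.example]
options=loglvl=all
kernel=vmlinuz-0.0.0-1.example root=/dev/mapper/example-root
ramdisk=initramfs-0.0.0-1.example.img
EOF
    printf '%s\n' "$ms_root"
}

# Usage: sh preflight.sh ESP_MOUNT ESP_PARTITION  (e.g. /boot/efi /dev/nvme0n1p1)
if [ "$#" -ge 2 ]; then
    uefi_booted || echo "not booted via UEFI: efibootmgr cannot reach EFI variables" >&2
    cfg_missing_files "$1/EFI/qubes" >&2 || echo "xen.cfg check failed (names above)" >&2
    efibootmgr_command "$1" "$2" Qubes "$1/EFI/qubes/xen.efi"
fi
```

Run from a rescue shell, the first argument is wherever the ESP is mounted, so the printed -l path is relative to the ESP itself rather than to the rescue environment's root.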


Re: [qubes-users] Qubes 3.2 only booting with onboard GPU ?? (ASUS KGPE-D16 + AMD Radeon 6450)

2017-11-30 Thread taii...@gmx.com

Ah 3309 is the latest OEM BIOS version, so that isn't the problem.

Like I said try enabling SVM in CPU Config in the CMOS menu. For 
coreboot you need 62xx or 63xx CPU's however as stated before.




Re: [qubes-users] Qubes 3.2 only booting with onboard GPU ?? (ASUS KGPE-D16 + AMD Radeon 6450)

2017-11-30 Thread taii...@gmx.com

On 11/29/2017 06:56 PM, 'Marek Jenkins' via qubes-users wrote:


How long did you wait for coreboot to boot? if you keep the log level at
max it will take around 60 seconds, otherwise lower it to 2 (what I use)
for 10 second boot. I thought the same thing when I started using it
(that it was broken) until I got a null modem cable and noticed that it
was in fact booting.
Lower the log level in menuconfig. (this really should not be a default)

Hi! I did reset CMOS and everything else stated in the manual / coreboot wiki. 
Your advice to change the cable, recompile/reflash .rom with loglevel=2 and 
wait up to 60 seconds didn't help. Still no success.


   I removed some of the RAM which at least solved the issue with the loud 
fans, so I assumed my RAM (Kingston ValueRam) might be incompatible with 
Coreboot ?

Naah, you can use any RAM - the memory compatibility issues were fixed a
long time ago.

Do you have an idea why coreboot boot failed for me ?

You have a very old 61xx CPU, whereas I have 62xx.
I would also suggest the purchase of a null modem cable in addition to 
your $30/ea 62xx CPU so you can view the coreboot boot log via a serial 
port on another machine


Thanks a lot for the hint with VGA boot priority!
I have now found the VGA settings in the BIOS and did the following:
- Enable IOMMU

Don't forget to enable HVM etc as well.

What mainboard revision and BIOS have you used before coreboot (if you remember) ? I am asking, 
since I haven't seen anything "HVM" in the BIOS (default BIOS), only "enable 
IOMMU".

It's called SVM, see below. It is in the CPU configuration menu.

My board is Rev. 1.03G
My BIOS Version: KGPE-D16-ASUS-3309.ROM --> Version 3309


- Set GPU Boot Priority to "PCIe VGA" instead of "Onboard VGA"

This only partly solves my issue. Now, I can at least boot without issues when 
the PCIe graphics card is connected to the PCI slot. But I can still only 
finish the boot process, when I use the VGA Onboard graphics because I still 
get the same error message as before with the PCIe card:

ERST:   Failed to get Error Log Address Range.
BERT:   Can't request iomem region 


Strange - this would probably be an OS problem as it works fine for me.
What BIOS revision are you using as the default BIOS?
You should update the OEM BIOS, I got a new board which had the latest 
version of both BIOS and revision (not sure which one but it had the 
clear CPU socket covers)

The earlier ones had some trouble apparently.

Nevertheless, I still have a working signal on my VGA onboard graphics card and 
can simply continue with the boot process there by switching the connection 
from HDMI to VGA (hope you get what I mean).

After booting completely, there is still no signal on the PCIe VGA card.

Could I have dmesg, xl dmesg and (as root) # lspci -vv please?

I actually formatted the drive already, to see if Qubes 4.0rc3 would solve my 
problems.
Therefore I can't help with that sorry.

No problems :3


Strangely, the Qubes 4 installer gave an error message saying that IOMMU 
support was missing even though IOMMU was enabled in the BIOS at the time.

By now, I really think there is some problem with the whole motherboard. The 
thing is, I bought the board used offline with 2 Opteron 61** CPUs + CPU Fans + 
32GB RAM for just over 120 USD total. I thought I got lucky, but I wasted quite 
a few hours now just to fix weird issues.. I will get the same board new now 
and see if that solves my problems.

I will let you know in a few days, probably this weekend i'll have the new one.

You got an excellent deal, usually the board goes for over $250 used 
$350 new.


Your coreboot issue is probably related to the 61xx CPU's not the 
board, coreboot doesn't really support them as they are very old as 
stated on both the coreboot and libreboot wikis. I would pick up a few 
62xx CPU's such as the 6287SE (max performance), 6284SE or dual 6220 
(affordable) instead of getting a new board as IMO your board is just 
fine this is a software problem.


HVM needs to be enabled as "Secure Virtual Machine Mode" in "CPU 
Configuration" as stated in the board manual also enable SRAT, C1E etc.


As I have stated before, it works for me - we just have to continue to 
troubleshoot :D




[qubes-users] Re: Start failed: 'qubes.devices.UnknownDevice object' has no attribute 'device_node'

2017-11-30 Thread quentin . ubes
I note that the create VM process fails to complete.  The OK button does not 
work, either for the boot from device or boot from image path.



[qubes-users] Start failed: 'qubes.devices.UnknownDevice object' has no attribute 'device_node'

2017-11-30 Thread quentin . ubes
Trying to create an HVM for tails 3.3 in 4.0-rc3 (upgraded from rc2).

Fails on the `qvm-start HVM_tails-3_3 
--cdrom=untrusted1:/home/user/Downloads/tails.iso` step in the 
https://www.qubes-os.org/doc/tails/ write up.

The  throws the error.

This comes from a vm.devices.block.assignments(True) call in xen.xml.




Re: [qubes-users] Re: Failed to load Kernel Modules

2017-11-30 Thread 'Tom Zander' via qubes-users
On Thursday, 30 November 2017 03:30:35 CET Unman wrote:
> I think I must be missing your point - it might be clearer if you gave
> examples of tasks that these user interfaces would serve.

I think we have some great examples already which could use more love.

The devices app, which allows you to assign drives (partitions really) to 
qubes.
It is currently less than complete.
Not only does it have bugs (shutting down a qube and starting it again makes 
a logical drive never be shown there again).
But more importantly it just adds a new device in /devs/ without mounting 
it. It should allow a user to the first time select a qubes dir to mount it 
on.
The goal; to avoid the user having to use the CLI.

But also the Qubes-create-new VM GUI app is rather badly designed. It uses 
lots of terms like ‘appvm’ and similar, which is Ok.
The problem is that none of these terms are explained. You have to go to 
browse on the internet to find out what those mean.
It would be quite easy to add documentation inside the app in order to 
explain it. Maybe add a graphic-widget that shows not just the list of 
template VMs, but also which VMs are based on it.
Because honestly, what a user wants is likely “make another VM like Work”. 
But then they have to first find out that “Work” is based on a named template, 
is an appvm and remember that and open the create-vm screen to base it on 
the same...

In short, the tools are designed by technical people to do what they already 
know how to do. They are not designed for new users that need to discover 
the system at the same time as they get tasks done.

This is just an example or two, I hope it explains my thinking.
-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel
