Re: [qubes-users] Re: Recommended laptop?

2020-01-01 Thread Chris Laprise 

On 1/1/20 8:28 PM, Thierry Laurion wrote:



On Wed, Jan 1, 2020 at 4:12 PM Chris Laprise > wrote:


On 1/1/20 1:36 PM, Thierry Laurion wrote:
 >
 >
 > Le mercredi 1 janvier 2020 13:32:00 UTC-5, Chris Laprise a écrit :
 >
 >     On 1/1/20 5:43 AM, Lorenzo Lamas wrote:
 >      > Hello Thierry,
 >      >
 >      > Thanks for all that you are doing for the community. Do
you see a
 >      > possibility of a Qubes Certified Laptop with an AMD CPU?
 >      > Intel is affected a lot more than AMD by the sidechannel
 >     vulnerabilities
 >      > in the last years. The Privacy Beast has a 3rd gen Intel
CPU, Intel
 >      > stopped providing uCode updates for 1st gen in 2019, so
this year is
 >      > probably the last year they will support 3rd gen. More CPU
 >      > vulnerabilities will most certainly be discovered in the
coming
 >     years,
 >      > so there is a need for an AMD based certified laptop, or
at least a
 >      > newer generation Intel based laptop, even though that may
mean we're
 >      > stuck with PSP or ME.
 >
 >     As much as I like the Insurgo/Purism/System76 offerings, this
issue has
 >     weighed on me to reconsider.
 >
 >     The massive amount of side-channel vulnerabilities have shown
Intel's
 >     engineering is reckless, and it gets worse. They're still pushing
 >     fraudulent compiler code – detecting and de-optimizing AMD –
almost a
 >     decade after it was reported in the press. And they outright
refuse to
 >     pay government fines relating to their misconduct – which
also included
 >     threatening PC vendors with retaliation if they sell "too
many" AMD
 >     units.
 >
 >     Historically, when a behemoth like Intel goes renegade its
because they
 >     know their products are superior and the public will accept the
 >     situation as a trade-off. But the only thing that's
"superior" about
 >     Intel is their attitude and their ill-gotten revenue.
 >
 >     The biggest problem I see is peoples' willingness to go along
with what
 >     is becoming a tradition of anti-competition. Whatever logical
fallacies
 >     are put forward to make it seem palatable with CPUs will also
undermine
 >     user motivations in other areas.
 >
 > Completely agreeing. This is why this
 >


 > needs collaboration to have real solutions in the future.

The relative ease of using another x86 brand with better implementation
and ethics such as AMD makes it a clear choice in the meantime, while
the much more difficult and lengthy task of adopting open hardware is
pursued.

People can wait 18-36 months for a Qubes port to POWER architecture...
That is 18-36 months of being subject to maximum side-channel (and
probably other) risks and signalling a tacit acceptance of Intel's
engineering. And at the end of that period, we still won't have laptops.

Only holding out for the perfect appears to be the enemy of good in
this
case; it is the wrong mindset for adding alternatives. Under these
circumstances, there should be absolutely no hint that a robust x86
alternative is somehow passe... but that appears to be the message
coming from vendors.

I am not aware of any AMD model to recommend on my end which would have 
the good mix of QubesOS well supported components to fit requirements 
and warned compatibility issues.


If you have such model in mind to recommend, be part of the solution and 
let us know.


Meanwhile, models that fitted the bill for workstation/server got 
dropped by coreboot by lack of interest from the community (KGPE-D16 
). It 
might be brought back under grant work (TBD), but AFAIK, there is not 
such trust altogether from the community torward AMD, not really more 
trust torward their PSP (ME equivalent) and not so much known right now 
from attempts reversing  it.


Yes, this has as much to do with community attitudes as anything else. I 
would still expect some vendor to be able to put 2+2 together and market 
AMD-based systems based on their history and current strengths.


If there is public mistrust bc of PSP, then there should be some 
engagement from Coreboot and Libreboot to demonstrate that deactivation 
is plausible. OTOH, since Coreboot seems stuck in c.2012 with Intel Ivy 
Bridge processors, that could make the issue moot bc AMD units requiring 
no such deactivation (containing no PSP) are available that are also a 
year newer.


Regarding new hardware, which is important, I would rather take my 
chances with AMD PSP firmware properly deactivating

Re: [qubes-users] Re: Recommended laptop?

2020-01-01 Thread Thierry Laurion 
On Wed, Jan 1, 2020 at 4:12 PM Chris Laprise  wrote:

> On 1/1/20 1:36 PM, Thierry Laurion wrote:
> >
> >
> > Le mercredi 1 janvier 2020 13:32:00 UTC-5, Chris Laprise a écrit :
> >
> > On 1/1/20 5:43 AM, Lorenzo Lamas wrote:
> >  > Hello Thierry,
> >  >
> >  > Thanks for all that you are doing for the community. Do you see a
> >  > possibility of a Qubes Certified Laptop with an AMD CPU?
> >  > Intel is affected a lot more than AMD by the sidechannel
> > vulnerabilities
> >  > in the last years. The Privacy Beast has a 3rd gen Intel CPU,
> Intel
> >  > stopped providing uCode updates for 1st gen in 2019, so this year
> is
> >  > probably the last year they will support 3rd gen. More CPU
> >  > vulnerabilities will most certainly be discovered in the coming
> > years,
> >  > so there is a need for an AMD based certified laptop, or at least
> a
> >  > newer generation Intel based laptop, even though that may mean
> we're
> >  > stuck with PSP or ME.
> >
> > As much as I like the Insurgo/Purism/System76 offerings, this issue
> has
> > weighed on me to reconsider.
> >
> > The massive amount of side-channel vulnerabilities have shown Intel's
> > engineering is reckless, and it gets worse. They're still pushing
> > fraudulent compiler code – detecting and de-optimizing AMD – almost a
> > decade after it was reported in the press. And they outright refuse
> to
> > pay government fines relating to their misconduct – which also
> included
> > threatening PC vendors with retaliation if they sell "too many" AMD
> > units.
> >
> > Historically, when a behemoth like Intel goes renegade its because
> they
> > know their products are superior and the public will accept the
> > situation as a trade-off. But the only thing that's "superior" about
> > Intel is their attitude and their ill-gotten revenue.
> >
> > The biggest problem I see is peoples' willingness to go along with
> what
> > is becoming a tradition of anti-competition. Whatever logical
> fallacies
> > are put forward to make it seem palatable with CPUs will also
> undermine
> > user motivations in other areas.
> >
> > Completely agreeing. This is why this
> > <
> https://github.com/QubesOS/qubes-issues/issues/4318#issuecomment-549986749>
>
> > needs collaboration to have real solutions in the future.
>
> The relative ease of using another x86 brand with better implementation
> and ethics such as AMD makes it a clear choice in the meantime, while
> the much more difficult and lengthy task of adopting open hardware is
> pursued.
>
> People can wait 18-36 months for a Qubes port to POWER architecture...
> That is 18-36 months of being subject to maximum side-channel (and
> probably other) risks and signalling a tacit acceptance of Intel's
> engineering. And at the end of that period, we still won't have laptops.
>
> Only holding out for the perfect appears to be the enemy of good in this
> case; it is the wrong mindset for adding alternatives. Under these
> circumstances, there should be absolutely no hint that a robust x86
> alternative is somehow passe... but that appears to be the message
> coming from vendors.
>

I am not aware of any AMD model to recommend on my end which would have the
good mix of QubesOS well supported components to fit requirements and
warned compatibility issues.

If you have such model in mind to recommend, be part of the solution and
let us know.

Meanwhile, models that fitted the bill for workstation/server got dropped
by coreboot by lack of interest from the community (KGPE-D16
).
It might be brought back under grant work (TBD), but AFAIK, there is not
such trust altogether from the community torward AMD, not really more trust
torward their PSP (ME equivalent) and not so much known right now from
attempts reversing  it.

So what model would you suggest in the meantime for which firmware can be
replaced by Open Source Firmware?

>
> --
>
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
>


-- 
Thierry Laurion

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAAzJznyUYV78UYTAT%2Bxru%3DZuwNJOqZH4y9d%3De04iUXoy%3DGyEVA%40mail.gmail.com.

Re: [qubes-users] HOWTO: Enable screen poweroff (instead of blanking)

2020-01-01 Thread Chris Laprise 

On 12/23/19 5:23 PM, Defiant wrote:



On 22. 12. 19 15:45, Claudia wrote:


I just wanted to drop a note here before I forget. Out of the box, Qubes blanks 
the screen after a few minutes, but never powers off the screen, even though 
it's configured to do so in the XFCE Power Manager. I've had this problem on 
several machines, all the way back to R3.2, and I always blamed it on lack of 
hardware support.

Turns out, it's because Qubes comes with Xscreensaver enabled which overrides the XFCE Power Manager settings. Xscreensaver is 
only configured to blank the screen; I'm not sure if it even supports powering it off. To return control to XFCE, go to Menu > 
System Tools > Session and Startup > Application Autostart, and uncheck "Screensaver". Then you can logout, 
reboot, or go to Menu > System Tools > Screensaver > File > Kill Daemon. You may have to also open Menu > System 
Tools > Power Manager > Display, and switch "Display power management" to off and then on again.

Note this will disable the lockscreen. This is not recommended if you use a USB 
keyboard or mouse and a USB Qube, or if someone has physical access to your 
computer while it's on. Otherwise, I recommend enabling screen poweroff in 
order to conserve energy and lengthen the lifespan of your screen's backlight.




I have also noticed this annoyance on several machines and different
linux distributions so it must be an Xfce problem, not a Qubes problem.


That is probably the case since this was one of the problems that got 
solved when I switched to KDE.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9b2e5ba7-0f4c-8061-15e5-176870281ba2%40posteo.net.

Re: [qubes-users] Re: Recommended laptop?

2020-01-01 Thread Chris Laprise 

On 1/1/20 1:36 PM, Thierry Laurion wrote:



Le mercredi 1 janvier 2020 13:32:00 UTC-5, Chris Laprise a écrit :

On 1/1/20 5:43 AM, Lorenzo Lamas wrote:
 > Hello Thierry,
 >
 > Thanks for all that you are doing for the community. Do you see a
 > possibility of a Qubes Certified Laptop with an AMD CPU?
 > Intel is affected a lot more than AMD by the sidechannel
vulnerabilities
 > in the last years. The Privacy Beast has a 3rd gen Intel CPU, Intel
 > stopped providing uCode updates for 1st gen in 2019, so this year is
 > probably the last year they will support 3rd gen. More CPU
 > vulnerabilities will most certainly be discovered in the coming
years,
 > so there is a need for an AMD based certified laptop, or at least a
 > newer generation Intel based laptop, even though that may mean we're
 > stuck with PSP or ME.

As much as I like the Insurgo/Purism/System76 offerings, this issue has
weighed on me to reconsider.

The massive amount of side-channel vulnerabilities have shown Intel's
engineering is reckless, and it gets worse. They're still pushing
fraudulent compiler code – detecting and de-optimizing AMD – almost a
decade after it was reported in the press. And they outright refuse to
pay government fines relating to their misconduct – which also included
threatening PC vendors with retaliation if they sell "too many" AMD
units.

Historically, when a behemoth like Intel goes renegade its because they
know their products are superior and the public will accept the
situation as a trade-off. But the only thing that's "superior" about
Intel is their attitude and their ill-gotten revenue.

The biggest problem I see is peoples' willingness to go along with what
is becoming a tradition of anti-competition. Whatever logical fallacies
are put forward to make it seem palatable with CPUs will also undermine
user motivations in other areas.

Completely agreeing. This is why this 
 
needs collaboration to have real solutions in the future.


The relative ease of using another x86 brand with better implementation 
and ethics such as AMD makes it a clear choice in the meantime, while 
the much more difficult and lengthy task of adopting open hardware is 
pursued.


People can wait 18-36 months for a Qubes port to POWER architecture... 
That is 18-36 months of being subject to maximum side-channel (and 
probably other) risks and signalling a tacit acceptance of Intel's 
engineering. And at the end of that period, we still won't have laptops.


Only holding out for the perfect appears to be the enemy of good in this 
case; it is the wrong mindset for adding alternatives. Under these 
circumstances, there should be absolutely no hint that a robust x86 
alternative is somehow passe... but that appears to be the message 
coming from vendors.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9b6d6ae6-5252-21a4-2a52-d9dfa355b905%40posteo.net.

Re: [qubes-users] Re: Recommended laptop?

2020-01-01 Thread Thierry Laurion 


Le mercredi 1 janvier 2020 13:32:00 UTC-5, Chris Laprise a écrit :
>
> On 1/1/20 5:43 AM, Lorenzo Lamas wrote: 
> > Hello Thierry, 
> > 
> > Thanks for all that you are doing for the community. Do you see a 
> > possibility of a Qubes Certified Laptop with an AMD CPU? 
> > Intel is affected a lot more than AMD by the sidechannel vulnerabilities 
> > in the last years. The Privacy Beast has a 3rd gen Intel CPU, Intel 
> > stopped providing uCode updates for 1st gen in 2019, so this year is 
> > probably the last year they will support 3rd gen. More CPU 
> > vulnerabilities will most certainly be discovered in the coming years, 
> > so there is a need for an AMD based certified laptop, or at least a 
> > newer generation Intel based laptop, even though that may mean we're 
> > stuck with PSP or ME. 
>
> As much as I like the Insurgo/Purism/System76 offerings, this issue has 
> weighed on me to reconsider. 
>
> The massive amount of side-channel vulnerabilities have shown Intel's 
> engineering is reckless, and it gets worse. They're still pushing 
> fraudulent compiler code – detecting and de-optimizing AMD – almost a 
> decade after it was reported in the press. And they outright refuse to 
> pay government fines relating to their misconduct – which also included 
> threatening PC vendors with retaliation if they sell "too many" AMD units. 
>
> Historically, when a behemoth like Intel goes renegade its because they 
> know their products are superior and the public will accept the 
> situation as a trade-off. But the only thing that's "superior" about 
> Intel is their attitude and their ill-gotten revenue. 
>
> The biggest problem I see is peoples' willingness to go along with what 
> is becoming a tradition of anti-competition. Whatever logical fallacies 
> are put forward to make it seem palatable with CPUs will also undermine 
> user motivations in other areas. 
>
 
Completely agreeing. This is why this 
 
needs collaboration to have real solutions in the future.

>
> -- 
>
> Chris Laprise, tas...@posteo.net  
> https://github.com/tasket 
> https://twitter.com/ttaskett 
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886 
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/11ad83dc-145e-4af4-830a-33950773cc63%40googlegroups.com.

Re: [qubes-users] Re: Recommended laptop?

2020-01-01 Thread Chris Laprise 

On 1/1/20 5:43 AM, Lorenzo Lamas wrote:

Hello Thierry,

Thanks for all that you are doing for the community. Do you see a 
possibility of a Qubes Certified Laptop with an AMD CPU?
Intel is affected a lot more than AMD by the sidechannel vulnerabilities 
in the last years. The Privacy Beast has a 3rd gen Intel CPU, Intel 
stopped providing uCode updates for 1st gen in 2019, so this year is 
probably the last year they will support 3rd gen. More CPU 
vulnerabilities will most certainly be discovered in the coming years, 
so there is a need for an AMD based certified laptop, or at least a 
newer generation Intel based laptop, even though that may mean we're 
stuck with PSP or ME.


As much as I like the Insurgo/Purism/System76 offerings, this issue has 
weighed on me to reconsider.


The massive amount of side-channel vulnerabilities have shown Intel's 
engineering is reckless, and it gets worse. They're still pushing 
fraudulent compiler code – detecting and de-optimizing AMD – almost a 
decade after it was reported in the press. And they outright refuse to 
pay government fines relating to their misconduct – which also included 
threatening PC vendors with retaliation if they sell "too many" AMD units.


Historically, when a behemoth like Intel goes renegade its because they 
know their products are superior and the public will accept the 
situation as a trade-off. But the only thing that's "superior" about 
Intel is their attitude and their ill-gotten revenue.


The biggest problem I see is peoples' willingness to go along with what 
is becoming a tradition of anti-competition. Whatever logical fallacies 
are put forward to make it seem palatable with CPUs will also undermine 
user motivations in other areas.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9b3a1464-f137-229a-9e8f-2bd0ed7423b3%40posteo.net.

Re: [qubes-users] Re: Recommended laptop?

2020-01-01 Thread Thierry Laurion 
On Wed, Jan 1, 2020 at 5:43 AM Lorenzo Lamas  wrote:

> Hello Thierry,
>
> Thanks for all that you are doing for the community. Do you see a
> possibility of a Qubes Certified Laptop with an AMD CPU?
>
There could be others certifying such models, but I won't do certification
process for those.
Only model that would not have an Intel ME equivalent, doesn't rely on
binary blobs etc would be the G505S
 which doesn't have enough
SPI flash space to do anything interesting.

Intel is affected a lot more than AMD by the sidechannel vulnerabilities in
> the last years. The Privacy Beast has a 3rd gen Intel CPU, Intel stopped
> providing uCode updates for 1st gen in 2019, so this year is probably the
> last year they will support 3rd gen. More CPU vulnerabilities will most
> certainly be discovered in the coming years, so there is a need for an AMD
> based certified laptop, or at least a newer generation Intel based laptop,
> even though that may mean we're stuck with PSP or ME.
>
My personal path is to try to go away of x86 as fast as possible and try to
move actual interest (chicken and egg problem) toward where we should
really want to go

.

I understand all the fuss around those CPU vulnerabilities, but mostly for
the server use case, where everything NEEDS to be kept in memory. The
concept that needs to be gripped here for workstations is that an
information that is not in memory cannot be stolen. Getting the root of
this concept, applied to QubesOS, which shuts off smt (HyperThreading) and
enforces easy DisposableVMs usage, the user changing some of his habits and
compartmentalize accordingly resolves most of the risks. Unsafe browsing?
DisposableVM. Done with unsafe browsing? Close unsafe browser, which shuts
down DisposableVM and deletes disk changes and memory content. Unsafe
attachment? Open in DisposableVM. Often attach untrusted USB device to
computer? Create a separate USB sys-usb-unsafe and affect distinct USB
controller to it and always attach untrusted USB devices to that port only.
Consider USB compartment as being temporary and never trust anything being
in memory of that AppVM or its attached storage. Don't give network access
to AppVMs not needing it.

To say it short, hardware will continue to have vulnerabilities. Those will
continue to be really hard to patch. Users will have to change their habits
in any case, the sooner the better. Now seems a good moment. The current
race for better security enclaves, memory encryption etc won't save the day
if closed and behind NDAs for code review and documentation access. The
best protection a user can have is against himself. Combined with a root of
trust that contains lesser to none untrusted binaries is the best scenario
IMOHO, where untrusted binaries are isolated and untrusted at all time.
Having ways to make users aware of harware casing tampering would be best.
Supply chain not being a problem would be ideal but impossible, targeting
and implants always being possible. Race conditions in accessing
confidential information in memory is key Do you really need those 16
AppVMs opened at all time on older hardware :) Or worst. Have those 20
proprietary software running concurrently on your monolithic operating
system disclosing information you don't know on you and other applications
running at the same time? Habits.

Meanwhile, having a non-monolithic operating system on top of measured
firmware containing less to none binary blobs, and verified boot on core
components is the best we can have as a root of trust (RoT) perspective for
end point devices. It always go down to the simple question: What do you
put your trust in? My personal answer is: on hardware that is the most
user-controllable as possible. And this is where my interest, time and
energies are directed at. The lesser blobs the better.

>
> On Tuesday, December 31, 2019 at 9:45:18 PM UTC+1, Thierry Laurion wrote:
>>
>>
>> On Wed, Dec 25, 2019 at 6:03 PM  wrote:
>>
>>> Insurgo is providing a service.
>>>
>>> If one can do the steps themselves, that’s fine.
>>>
>>> If I were advising a somewhat less technical journalist or a potentially
>>> targeted human-rights worker or politically targeted activist who just
>>> wanted to get stuff done and had the resources, I’d point them to Insurgo.
>>>
>>> Brendan
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "qubes-users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to qubes...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/qubes-users/7a7741f2-6b80-40be-a5a0-0f56b658f9fc%40googlegroups.com
>>> .
>>>
>>
>>
>> Hello there, Thierry Laurion from Insurgo Open Technologies.
>>
>> Thanks Brendan.
>>
>> I feel the need to clarify things a bit once in a while. This reply is
>> one

Fwd: [qubes-users] Re: Recommended laptop?

2020-01-01 Thread Thierry Laurion 
Sorry for reposting. Previous mail badly formatted.

On Wed, Jan 1, 2020 at 3:16 AM Anil Eklavya  wrote:

> Thanks for putting all this information in one place. I was earlier
> looking to buy Insurgio Privacy Beast, but it was not clear whether it
> could be shipped to India. I then ordered Librem 13.
>

Website does the simulation in costs for tax and shipping costs. If
shipping address returns a shipping option, it can be shipped to you.

>
> Is there any comparison available between these two, based on privacy and
> security considerations?
>

Unfortunately, not for the moment. External comparisons welcome!
At the end of the day, it goes to those simple points:

   - X230's Intel ME has no kernel, no syslibs. It is reduced to be able to
   boot itself and main CPU and is shut down, not having anything else to
   execute since the modules have been removed completely. See here
   

   .
   - Here is an extract of the same me_cleaner command applied to:
  - X230:

Full image detected
The ME/TXE region goes from 0x3000 to 0x4ff000
Found FPT header at 0x3010
Found 23 partition(s)
Found FTPR header: FTPR partition spans from 0x183000 to 0x24d000
*ME/TXE firmware version 8.1.30.1350*
Removing extra partitions...
Removing extra partition entries in FPT...
Removing EFFS presence flag...
Removing ME/TXE R/W access to the other flash regions...
Correcting checksum (0x7b)...
Reading FTPR modules list...
 UPDATE   (LZMA   , 0x1cf4f2 - 0x1cf6b0): removed

* ROMP (Huffman, fragmented data): NOT removed,
essential BUP  (Huffman, fragmented data): NOT removed,
essential*
 KERNEL   (Huffman, fragmented data): removed
 POLICY   (Huffman, fragmented data): removed
 HOSTCOMM (LZMA   , 0x1cf6b0 - 0x1d648b): removed
 RSA  (LZMA   , 0x1d648b - 0x1db6e0): removed
 CLS  (LZMA   , 0x1db6e0 - 0x1e0e71): removed
 TDT  (LZMA   , 0x1e0e71 - 0x1e7556): removed
 FTCS (Huffman, fragmented data): removed
 ClsPriv  (LZMA   , 0x1e7556 - 0x1e7937): removed
 SESSMGR  (LZMA   , 0x1e7937 - 0x1f6240): removed
Relocating FTPR from 0xd00 - 0xcad00 to 0xd00 - 0xcad00...
 Adjusting FPT entry...
 Adjusting LUT start offset...
 Adjusting Huffman start offset...
 Adjusting chunks offsets...
 Moving data...
*The ME minimum size should be 98304 bytes (0x18000 bytes)*
The ME region can be reduced up to:
 3000:0001afff me
Setting the AltMeDisable bit in PCHSTRP10 to disable Intel ME...
Removing ME/TXE R/W access to the other flash regions...
Extracting and truncating the ME image to "extracted_me.rom"...
Checking the FTPR RSA signature of the extracted ME image... VALID
Checking the FTPR RSA signature... VALID
Done! Good luck!

   - Librem V3:
   Full image detected
   Found FPT header at 0x1010
   Found 1 partition(s)
   Found FTPR header: FTPR partition spans from 0x1000 to 0xa8000
   Found FTPR manifest at 0x1448
   *ME/TXE firmware version 11.6.0.1126 (generation 3)*
   Public key match: Intel ME, firmware versions 11.x.x.x
   The HAP bit is SET
   Reading partitions list...
FTPR (0x1000 - 0xa8000, 0x000a7000 total bytes): NOT removed
   Removing partition entries in FPT...
   Removing EFFS presence flag...
   Correcting checksum (0x98)...
   Reading FTPR modules list...
FTPR.man (uncompressed, 0x001448 - 0x002018): NOT removed,
   partition manif.
rbe.met  (uncompressed, 0x002018 - 0x0020ae): NOT removed, module
   metadata
kernel.met   (uncompressed, 0x0020ae - 0x00213c): NOT removed, module
   metadata
syslib.met   (uncompressed, 0x00213c - 0x0021a0): NOT removed, module
   metadata
bup.met  (uncompressed, 0x0021a0 - 0x00274a): NOT removed, module
   metadata
pm.met   (uncompressed, 0x00274a - 0x0027f8): NOT removed, module
   metadata
vfs.met  (uncompressed, 0x0027f8 - 0x003158): NOT removed, module
   metadata
evtdisp.met  (uncompressed, 0x003158 - 0x0032e6): NOT removed, module
   metadata
loadmgr.met  (uncompressed, 0x0032e6 - 0x00340e): NOT removed, module
   metadata
busdrv.met   (uncompressed, 0x00340e - 0x0037b4): NOT removed, module
   metadata
gpio.met (uncompressed, 0x0037b4 - 0x0038fe): NOT removed, module
   metadata
prtc.met (uncompressed, 0x0038fe - 0x003aae): NOT removed, module
   metadata
policy.met   (uncompressed, 0x003aae - 0x003c72): NOT removed, module
   metadata
crypto.met   (uncompressed, 0x003c72 - 0x003dfc): NOT removed, module
   metadata
heci.met (uncompressed, 0x003dfc - 0x003fc8): NOT removed, module
   metadata
storage.met  (uncompressed, 0x003fc8 - 0x0042c4): NOT removed, module
   metadata
pmdrv.met(uncompressed, 0x0042c4 - 0x0043e8): NOT removed, module
   metadata
maestro.met  (uncompressed, 0x0043e8 - 0x0044d2): NOT removed, module
   metadata
fpf.met

Re: [qubes-users] Re: Recommended laptop?

2020-01-01 Thread Thierry Laurion 
On Wed, Jan 1, 2020 at 3:16 AM Anil Eklavya  wrote:

> Thanks for putting all this information in one place. I was earlier
> looking to buy Insurgio Privacy Beast, but it was not clear whether it
> could be shipped to India. I then ordered Librem 13.
>

Website does the simulation in costs for tax and shipping costs. If
provided shipping address returns a shipping option, it can be shipped to
you.


> Is there any comparison available between these two, based on privacy and
> security considerations?
>

Unfortunately, not for the moment. External comparisons welcome!
At the end of the day, it goes to those simple points:

   - X230's Intel ME has no kernel, no syslibs. It is reduced to be able to
   boot itself and main CPU and is shut down, not having anything else to
   execute since the modules have been removed completely. See here
   

   .
   - Here is an extract of the same me_cleaner command applied to:
  - *X230:*

Full image detected
The ME/TXE region goes from 0x3000 to 0x4ff000
Found FPT header at 0x3010
Found 23 partition(s)
Found FTPR header: FTPR partition spans from 0x183000 to 0x24d000
*ME/TXE firmware version 8.1.30.1350*
Removing extra partitions...
Removing extra partition entries in FPT...
Removing EFFS presence flag...
Removing ME/TXE R/W access to the other flash regions...
Correcting checksum (0x7b)...
Reading FTPR modules list...
 UPDATE   (LZMA   , 0x1cf4f2 - 0x1cf6b0): removed

* ROMP (Huffman, fragmented data): NOT removed,
essential BUP  (Huffman, fragmented data): NOT removed,
essential*
 KERNEL   (Huffman, fragmented data): removed
 POLICY   (Huffman, fragmented data): removed
 HOSTCOMM (LZMA   , 0x1cf6b0 - 0x1d648b): removed
 RSA  (LZMA   , 0x1d648b - 0x1db6e0): removed
 CLS  (LZMA   , 0x1db6e0 - 0x1e0e71): removed
 TDT  (LZMA   , 0x1e0e71 - 0x1e7556): removed
 FTCS (Huffman, fragmented data): removed
 ClsPriv  (LZMA   , 0x1e7556 - 0x1e7937): removed
 SESSMGR  (LZMA   , 0x1e7937 - 0x1f6240): removed
Relocating FTPR from 0xd00 - 0xcad00 to 0xd00 - 0xcad00...
 Adjusting FPT entry...
 Adjusting LUT start offset...
 Adjusting Huffman start offset...
 Adjusting chunks offsets...
 Moving data...
*The ME minimum size should be 98304 bytes (0x18000 bytes)*
The ME region can be reduced up to:
 3000:0001afff me
Setting the AltMeDisable bit in PCHSTRP10 to disable Intel ME...
Removing ME/TXE R/W access to the other flash regions...
Extracting and truncating the ME image to "extracted_me.rom"...
Checking the FTPR RSA signature of the extracted ME image... VALID
Checking the FTPR RSA signature... VALID
Done! Good luck!

   - *Librem V3:*
   Full image detected
   Found FPT header at 0x1010
   Found 1 partition(s)
   Found FTPR header: FTPR partition spans from 0x1000 to 0xa8000
   Found FTPR manifest at 0x1448
   *ME/TXE firmware version 11.6.0.1126 (generation 3)*
   Public key match: Intel ME, firmware versions 11.x.x.x
   The HAP bit is SET
   Reading partitions list...
FTPR (0x1000 - 0xa8000, 0x000a7000 total bytes): NOT removed
   Removing partition entries in FPT...
   Removing EFFS presence flag...
   Correcting checksum (0x98)...
   Reading FTPR modules list...
FTPR.man (uncompressed, 0x001448 - 0x002018): NOT removed,
   partition manif.
rbe.met  (uncompressed, 0x002018 - 0x0020ae): NOT removed, module
   metadata
kernel.met   (uncompressed, 0x0020ae - 0x00213c): NOT removed, module
   metadata
syslib.met   (uncompressed, 0x00213c - 0x0021a0): NOT removed, module
   metadata
bup.met  (uncompressed, 0x0021a0 - 0x00274a): NOT removed, module
   metadata
pm.met   (uncompressed, 0x00274a - 0x0027f8): NOT removed, module
   metadata
vfs.met  (uncompressed, 0x0027f8 - 0x003158): NOT removed, module
   metadata
evtdisp.met  (uncompressed, 0x003158 - 0x0032e6): NOT removed, module
   metadata
loadmgr.met  (uncompressed, 0x0032e6 - 0x00340e): NOT removed, module
   metadata
busdrv.met   (uncompressed, 0x00340e - 0x0037b4): NOT removed, module
   metadata
gpio.met (uncompressed, 0x0037b4 - 0x0038fe): NOT removed, module
   metadata
prtc.met (uncompressed, 0x0038fe - 0x003aae): NOT removed, module
   metadata
policy.met   (uncompressed, 0x003aae - 0x003c72): NOT removed, module
   metadata
crypto.met   (uncompressed, 0x003c72 - 0x003dfc): NOT removed, module
   metadata
heci.met (uncompressed, 0x003dfc - 0x003fc8): NOT removed, module
   metadata
storage.met  (uncompressed, 0x003fc8 - 0x0042c4): NOT removed, module
   metadata
pmdrv.met(uncompressed, 0x0042c4 - 0x0043e8): NOT removed, module
   metadata
maestro.met  (uncompressed, 0x0043e8 - 0x0044d2): NOT removed, module
   metadata
fpf.met  (uncompressed, 0x0044d2 - 0x0045de): NOT

Re: [qubes-users] Recommended laptop?

2020-01-01 Thread Claudia 
December 31, 2019 1:02 PM, "eira wahlin"  wrote:

> I use qubes on an AMD system (thinkpad with Ryzen 5 pro 2500u). While I'm 
> happy with it, I've had
> to make some sacrifices. AMD systems are tricky with hardware forwarding, so 
> I cannot (at the
> moment) use a sys-USB. There is an inherent security problem there.
> 
> Also, I've had to make my own versions of the (horribly elitistic and 
> class-hatingly named) AEM
> system. I use my machine's TPM2 to verify that my BIOS hasn't been infected, 
> but that was difficult
> as hell to set up. AEM relies on Intel's TPM module, and doesn't work with 
> AMD machines.
> 
> So while most of it all works, it's been tricky to set up, and it's not all 
> functional yet.
> 
> <3
> /panina

Hi again, processor buddy. I have the Ryzen 5 (non-Pro) 2500U. I've also had a 
lot of problems with it. The IOMMU grouping is terrible, the kernel has a lot 
of problems with the firmware and ACPI, it doesn't support USB Qube, and so on. 
I haven't dared to even try AEM on this machine. But considering the 
performance for the money, I guess I really can't complain.

I recently got suspend/resume half working. Turns out, some or all of the 
Fam15h processors including the 2500U change their cpuid feature bits when 
resuming from suspend, which causes a Xen panic. This means the fans come back 
on, but the screen doesn't power back on and it can't save any logs, so it's 
really hard to diagnose. You can patch Xen to disable the feature check.

If you don't mind patching Xen, it's very likely that this will fix it for you 
(although you may run into other post-resume problems). And it's really not as 
difficult as it sounds.

This link contains a patch and instructions for building it.
https://www.mail-archive.com/qubes-users@googlegroups.com/msg31697.html

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7cb86fb029b7e582b13e5cf32013d7c4%40disroot.org.

Re: [qubes-users] Re: HCL - Dell Inspiron 15 5000 (5575) AMD Ryzen 5 2500U w/ Vega 8 Graphics

2020-01-01 Thread Claudia 
December 30, 2019 6:44 PM, "qubes123"  wrote:

> Answering to your earlier question, my CPU capability information bits change 
> like this after
> suspend:
> 
> (XEN) Entering ACPI S3 state.
> (XEN) AMD-Vi: Applying erratum 746 workaround for IOMMU at :00:00.2
> (XEN) Finishing wakeup from ACPI S3 state.
> (XEN) CPU0: cap[ 1] is 3e98320b (expected b698320b)
> (XEN) Missing previously available feature(s).
> (XEN) Enabling non-boot CPUs ...
> 
> Without the patch this result in xen panic.
> 
>> I decided to give this a try, but I don't really know how to use the build 
>> system. I did `make
>> vmm-xen`, modified the file
>> chroot-dom0-fc29/home/user/rpmbuild/BUILD/xen-4.12.1/xen/arch/x86/acpi/power.c,
>>  but it appears
>> after running `make vmm-xen` again my changes have been reverted. After it 
>> finishes the line is no
>> longer commented out. Do I have to commit the change, or generate a patch 
>> file, or something like
>> that?
> 
> After you configure the qubes builder (easiest done with ./setup) and 
> download all the sources
> (including the qubes-vmm-xen extra sources), you have to put the patch file 
> in the
> qubes-src/vmm-xen directory.
> 
> Then, include this patch in xen.spec.in file (somewhere below the last patch 
> line eg. as Patch
> 1202: xxx --> filename is relative to the vmm-xen directory).
> Then, change the release (rel file) number to avoid mixing the "official" and 
> your custom versions.
> Then run: make wmm-xen, and the new rpms will be available in the pkgs folder.
> You can check the logs meanwhile xen compiles if your patch was applied 
> sucessfuly or not.
> Then, install all the rpms (7), that are currently installed in dom0 (eg. the 
> devel and the debug
> files etc. are not needed.
> 
> PS: my patch looks like this (it will show the CPUID capability bits changing 
> in the hypervisor
> log)
> 
> diff -ruN a/xen/arch/x86/acpi/power.c b/xen/arch/x86/acpi/power.c
> --- a/xen/arch/x86/acpi/power.c 2019-12-15 18:26:11.18300 +0100
> +++ b/xen/arch/x86/acpi/power.c 2019-12-15 18:23:15.43900 +0100
> @@ -257,7 +257,7 @@
> microcode_resume_cpu(0);
> 
> if ( !recheck_cpu_features(0) )
> - panic("Missing previously available feature(s).");
> + printk(XENLOG_ERR "Missing previously available feature(s).\n");
> 
> /* Re-enabled default NMI/#MC use of MSR_SPEC_CTRL. */
> ci->spec_ctrl_flags |= (default_spec_ctrl_flags & SCF_ist_wrmsr);

Thanks for the patch and the instructions. The qubes-builder documentation is 
outdated and sorely
lacking (it doesn't even mention ./setup!). I applied the patch for marek's 4.1 
repo but I couldn't
get to produce an fc31 package. It kept building for fc29 which I don't 
currently have installed.
Then I built it for fc25 4.0 stable, but the patch wouldn't apply cleanly so I 
just modified the
existing patch-x86-check-feature-flags-after-resume.patch to print an error 
instead of panic, and
changed the message slightly.

patch-x86-check-feature-flags-after-resume.patch
diff --git a/xen/arch/x86/acpi/power.c b/xen/arch/x86/acpi/power.c
index 3d26d4be31..e8fb3f6f31 100644
--- a/xen/arch/x86/acpi/power.c
+++ b/xen/arch/x86/acpi/power.c
@@ -255,6 +255,9 @@ static int enter_state(u32 state)

microcode_resume_cpu(0);

+ if ( !recheck_cpu_features(0) )
+ printk(XENLOG_ERR "Missing previously available feature(s). Ignoring.\n");
+
/* Re-enabled default NMI/#MC use of MSR_SPEC_CTRL. */
ci->spec_ctrl_flags |= (default_spec_ctrl_flags & SCF_ist_wrmsr);
spec_ctrl_exit_idle(ci);

Installed the seven packages already present in dom0. In case anyone is 
wondering those are:
xen-libs-4.8.5-14custom.fc25.x86_64.rpm
xen-4.8.5-14custom.fc25.x86_64.rpm
xen-hypervisor-4.8.5-14custom.fc25.x86_64.rpm
xen-runtime-4.8.5-14custom.fc25.x86_64.rpm
python3-xen-4.8.5-14custom.fc25.x86_64.rpm
xen-licenses-4.8.5-14custom.fc25.x86_64.rpm
xen-hvm-4.8.5-14custom.fc25.x86_64.rpm

Note that 4.8.5-14 -> 4.8.5-14custom shows up as a downgrade.

Ran `strings -a /boot/efi/EFI/qubes/xen.efi | grep Ignoring` to check for my 
unique message, just to be sure.

Rebooted. Checked xl info. Looks good. (Yes, it actually truncated the last 
character of the
version, apparently. Odd.)
xen_major : 4
xen_minor : 8
xen_extra : .5-14custom.fc2
xen_version : 4.8.5-14custom.fc2
cc_compile_date : Wed Jan 1 01:11:51 UTC 2020

Hit suspend from the XFCE menu. Waited 30 seconds or so. Crossed my fingers and 
resumed.

And... SUCCESS!

xl dmesg
(XEN) Preparing system for ACPI S3 state.
(XEN) Disabling non-boot CPUs ...
(XEN) Entering ACPI S3 state.
(XEN) Finishing wakeup from ACPI S3 state.
(XEN) CPU0: cap[ 1] is 7ed8320b (expected f6d8320b)
(XEN) Missing previously available feature(s). Ignoring.
(XEN) Enabling non-boot CPUs ...

Thank you for your help! It appears your machine is not a special case. Exact 
same result for both of us. Bit 27 flips on and bit 31 flips off (xor of 
0x8800). No idea what those mean, though. 

However, I still have a long road ahead of me. I did several

[qubes-users] Re: Installation fails in many different ways

2020-01-01 Thread fiftyfourthparallel 
Thanks for sharing, trueriver,

I finally got past the introductory boss of Qubes--now I get to roam the 
sandbox world. 

It wasn't so much an issue with the trackpad as it was the Nvidia GPU that 
can't be disabled.

Since you seem to be a dev who's interested in Qubes' compatibility with 
this particular 10th gen Dell, I can keep you posted (privately) about my 
experiences if you want.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/abc949ac-e7bb-4ec6-9f90-fc5aa015c2f1%40googlegroups.com.

Re: [qubes-users] Installation fails in many different ways

2020-01-01 Thread fiftyfourthparallel 
awokd,

It was Nvidia--adding "nouveau.modeset=0" to BOOTX64.cfg did the trick.

Thank you!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/955d5e5d-ee2b-4df6-aa80-8ad599b7c1f1%40googlegroups.com.

Re: [qubes-users] Installation fails in many different ways

2020-01-01 Thread fiftyfourthparallel 
It was Nvidia--adding "nouveau.modeset=0" did the trick. 

Thank you!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7b576d6b-fb4f-49bf-ad0a-0eb7c56e122c%40googlegroups.com.

[qubes-users] Re: Installation fails in many different ways

2020-01-01 Thread fiftyfourthparallel 
Tl;dr--Installation successful; Nvidia was the culprit.

Follow up:

*Attempt n *(some large number)*:* Disabled SpeedStep. Passwords quickly 
entered. Cursor lag 819/1025. Cursor freeze 836/1025. "DNF error: Error 
unpacking rpm package anaconda-core-1000:25.20.9-16.fc25.x86_64".

*Attempt n+1:* Kept SpeedStep disabled. Booted ANACONDA. Passwords quickly 
entered.  Cursor lag ~830/1025. Cursor freeze 840/1025. "DNF error: Error 
unpacking rpm package gtk3-3.22.17-2.fc25.x86_64".

*Attempt n+2:* Kept SpeedStep disabled. Disabled C-State Control. Passwords 
quickly set. Cursor lag 808/1025. Cursor freeze 812/1025. *Installation 
proceeds*. At 839/1025: "DNF error: Error unpacking rpm package 
adwaita-icon-theme3.22.0-1.fc25.noarch"

*Attempt n+3:* Same setup as before, but didn't set languages or time. 
Didn't set passwords. Complete freeze 809/1025. CPU fans at max for 5 mins 
before hard reset. Hard doubts about approach.

*Attempt n+4:* Re-enabled SpeedStep and C-State Control. Edited BOOTX64.cfg 
to add "nouveau.modeset=0" param to kernel config keys. Booted ANACONDA. 
Passwords quickly set. Installation succeeded. Nvidia was the culprit here 
(no option to disable in BIOS).


Installation booted, configured, and setup without issues--thanks for the 
great start to a new decade! * Will definitely see some of you around here 
as I poke around.

**Yes, I know it's technically not the start of a new decade.*

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bf5600b3-0214-421d-a888-6b66827b7632%40googlegroups.com.

[qubes-users] Re: Debian standalonevm always enters emergency mode

2020-01-01 Thread Fernando 
One more detail: this seems to be closely related to 
https://github.com/QubesOS/qubes-issues/issues/979

On Wednesday, January 1, 2020 at 11:00:03 AM UTC-3, Fernando wrote:
>
> Happy new year to everyone!
>
> I'm taking advantage of holydays to try to fix an issue that has been 
> bothering me for a while now. I have a debian based standalonevm which 
> recently started presented this issue after running out of space.
>
> The issue is that the vm never starts on it own. In order to be able to 
> start it, I have to run: sudo xl console -t pv .
>
> Then it enters emergency mode and after exiting it, it starts and works 
> normally.
>
> From the output of xl console:
>
> [image: Screenshot_2020-01-01_10-50-41.png]
> From the output of journalctl in the standalone vm:
>
> Jan 01 10:29:31 localhost mount-dirs.sh[303]: Private device management: 
> checking /dev/xvdb
> Jan 01 10:29:31 localhost resize-rootfs-if-needed.sh[302]: dumpe2fs 1.43.4 
> (31-Jan-2017)
> Jan 01 10:29:31 localhost mount-dirs.sh[303]: Private device management: 
> fsck.ext4 /dev/xvdb failed:
> Jan 01 10:29:31 localhost mount-dirs.sh[303]: /dev/xvdb: recovering journal
> Jan 01 10:29:31 localhost mount-dirs.sh[303]: /dev/xvdb contains a file 
> system with errors, check forced.
> Jan 01 10:29:31 localhost mount-dirs.sh[303]: /dev/xvdb: Inodes that were 
> part of a corrupted orphan linke
> Jan 01 10:29:31 localhost mount-dirs.sh[303]: /dev/xvdb: UNEXPECTED 
> INCONSISTENCY; RUN fsck MANUALLY.
> Jan 01 10:29:31 localhost mount-dirs.sh[303]: (i.e., without -a or 
> -p options)
> Jan 01 10:29:31 localhost kernel: EXT4-fs (xvdb): warning: mounting fs 
> with errors, running e2fsck is reco
> Jan 01 10:29:31 localhost kernel: EXT4-fs (xvdb): mounted filesystem with 
> ordered data mode. Opts: discard
> Jan 01 10:29:31 localhost mount-dirs.sh[303]: Checking /rw
> Jan 01 10:29:31 localhost mount-dirs.sh[303]: Private device size 
> management: enlarging /dev/xvdb
>
> ...
>
> Jan 01 10:29:31 localhost kernel: EXT4-fs (xvda3): warning: mounting fs 
> with errors, running e2fsck is rec
> Jan 01 10:29:31 localhost kernel: EXT4-fs (xvda3): recovery complete
> Jan 01 10:29:31 localhost kernel: EXT4-fs (xvda3): mounted filesystem with 
> ordered data mode. Opts: (null)
> Jan 01 10:29:31 localhost kernel: EXT4-fs (xvdd): mounting ext3 file 
> system using the ext4 subsystem
> Jan 01 10:29:31 localhost kernel: EXT4-fs (xvdd): mounted filesystem with 
> ordered data mode. Opts: (null)
> Jan 01 10:29:31 localhost kernel: EXT4-fs (xvda3): re-mounted. Opts: (null)
> ...
>
> -- The start-up result is done.
> Jan 01 10:29:32 localhost systemd-fsck[213]: /dev/xvda3: Inodes that were 
> part of a corrupted orphan linke
> Jan 01 10:29:32 localhost systemd-fsck[213]: /dev/xvda3: UNEXPECTED 
> INCONSISTENCY; RUN fsck MANUALLY.
> Jan 01 10:29:32 localhost systemd-fsck[213]: (i.e., without -a or 
> -p options)
> Jan 01 10:29:32 localhost systemd-fsck[213]: fsck failed with error code 4.
> Jan 01 10:29:32 localhost systemd-fsck[213]: Running request 
> emergency.target/start/replace
>
> ...
>
> -- Unit qubes-mount-dirs.service has begun starting up.
> Jan 01 10:29:31 localhost mount-dirs.sh[303]: Private device management: 
> checking /dev/xvdb
> Jan 01 10:29:31 localhost resize-rootfs-if-needed.sh[302]: dumpe2fs 1.43.4 
> (31-Jan-2017)
> Jan 01 10:29:31 localhost mount-dirs.sh[303]: Private device management: 
> fsck.ext4 /dev/xvdb failed:
> Jan 01 10:29:31 localhost mount-dirs.sh[303]: /dev/xvdb: recovering journal
> Jan 01 10:29:31 localhost mount-dirs.sh[303]: /dev/xvdb contains a file 
> system with errors, check forced.
> Jan 01 10:29:31 localhost mount-dirs.sh[303]: /dev/xvdb: Inodes that were 
> part of a corrupted orphan linke
> Jan 01 10:29:31 localhost mount-dirs.sh[303]: /dev/xvdb: UNEXPECTED 
> INCONSISTENCY; RUN fsck MANUALLY.
> Jan 01 10:29:31 localhost mount-dirs.sh[303]: (i.e., without -a or 
> -p options)
> Jan 01 10:29:31 localhost kernel: EXT4-fs (xvdb): warning: mounting fs 
> with errors, running e2fsck is reco
> Jan 01 10:29:31 localhost kernel: EXT4-fs (xvdb): mounted filesystem with 
> ordered data mode. Opts: discard
> Jan 01 10:29:31 localhost mount-dirs.sh[303]: Checking /rw
>
>
> I tried running fsck/e2fsck, but the command fails cause those partitions 
> are mounted and cannot be unmounted (they are in use). With current issue, 
> everytime I start the standalonevm I need to run xlconsole and exit 
> emergency mode.
>
> Any suggestions?
>
> Thanks and have a great 2020.
>
> Fernando.
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/18072369-a138-4a85-842b-0fb1f8703f7d%40googlegroups.com.

[qubes-users] Debian standalonevm always enters emergency mode

2020-01-01 Thread Fernando 
Happy new year to everyone!

I'm taking advantage of holydays to try to fix an issue that has been 
bothering me for a while now. I have a debian based standalonevm which 
recently started presented this issue after running out of space.

The issue is that the vm never starts on it own. In order to be able to 
start it, I have to run: sudo xl console -t pv .

Then it enters emergency mode and after exiting it, it starts and works 
normally.

>From the output of xl console:

[image: Screenshot_2020-01-01_10-50-41.png] 
>From the output of journalctl in the standalone vm:

Jan 01 10:29:31 localhost mount-dirs.sh[303]: Private device management: 
checking /dev/xvdb
Jan 01 10:29:31 localhost resize-rootfs-if-needed.sh[302]: dumpe2fs 1.43.4 
(31-Jan-2017)
Jan 01 10:29:31 localhost mount-dirs.sh[303]: Private device management: 
fsck.ext4 /dev/xvdb failed:
Jan 01 10:29:31 localhost mount-dirs.sh[303]: /dev/xvdb: recovering journal
Jan 01 10:29:31 localhost mount-dirs.sh[303]: /dev/xvdb contains a file 
system with errors, check forced.
Jan 01 10:29:31 localhost mount-dirs.sh[303]: /dev/xvdb: Inodes that were 
part of a corrupted orphan linke
Jan 01 10:29:31 localhost mount-dirs.sh[303]: /dev/xvdb: UNEXPECTED 
INCONSISTENCY; RUN fsck MANUALLY.
Jan 01 10:29:31 localhost mount-dirs.sh[303]: (i.e., without -a or 
-p options)
Jan 01 10:29:31 localhost kernel: EXT4-fs (xvdb): warning: mounting fs with 
errors, running e2fsck is reco
Jan 01 10:29:31 localhost kernel: EXT4-fs (xvdb): mounted filesystem with 
ordered data mode. Opts: discard
Jan 01 10:29:31 localhost mount-dirs.sh[303]: Checking /rw
Jan 01 10:29:31 localhost mount-dirs.sh[303]: Private device size 
management: enlarging /dev/xvdb

...

Jan 01 10:29:31 localhost kernel: EXT4-fs (xvda3): warning: mounting fs 
with errors, running e2fsck is rec
Jan 01 10:29:31 localhost kernel: EXT4-fs (xvda3): recovery complete
Jan 01 10:29:31 localhost kernel: EXT4-fs (xvda3): mounted filesystem with 
ordered data mode. Opts: (null)
Jan 01 10:29:31 localhost kernel: EXT4-fs (xvdd): mounting ext3 file system 
using the ext4 subsystem
Jan 01 10:29:31 localhost kernel: EXT4-fs (xvdd): mounted filesystem with 
ordered data mode. Opts: (null)
Jan 01 10:29:31 localhost kernel: EXT4-fs (xvda3): re-mounted. Opts: (null)
...

-- The start-up result is done.
Jan 01 10:29:32 localhost systemd-fsck[213]: /dev/xvda3: Inodes that were 
part of a corrupted orphan linke
Jan 01 10:29:32 localhost systemd-fsck[213]: /dev/xvda3: UNEXPECTED 
INCONSISTENCY; RUN fsck MANUALLY.
Jan 01 10:29:32 localhost systemd-fsck[213]: (i.e., without -a or 
-p options)
Jan 01 10:29:32 localhost systemd-fsck[213]: fsck failed with error code 4.
Jan 01 10:29:32 localhost systemd-fsck[213]: Running request 
emergency.target/start/replace

...

-- Unit qubes-mount-dirs.service has begun starting up.
Jan 01 10:29:31 localhost mount-dirs.sh[303]: Private device management: 
checking /dev/xvdb
Jan 01 10:29:31 localhost resize-rootfs-if-needed.sh[302]: dumpe2fs 1.43.4 
(31-Jan-2017)
Jan 01 10:29:31 localhost mount-dirs.sh[303]: Private device management: 
fsck.ext4 /dev/xvdb failed:
Jan 01 10:29:31 localhost mount-dirs.sh[303]: /dev/xvdb: recovering journal
Jan 01 10:29:31 localhost mount-dirs.sh[303]: /dev/xvdb contains a file 
system with errors, check forced.
Jan 01 10:29:31 localhost mount-dirs.sh[303]: /dev/xvdb: Inodes that were 
part of a corrupted orphan linke
Jan 01 10:29:31 localhost mount-dirs.sh[303]: /dev/xvdb: UNEXPECTED 
INCONSISTENCY; RUN fsck MANUALLY.
Jan 01 10:29:31 localhost mount-dirs.sh[303]: (i.e., without -a or 
-p options)
Jan 01 10:29:31 localhost kernel: EXT4-fs (xvdb): warning: mounting fs with 
errors, running e2fsck is reco
Jan 01 10:29:31 localhost kernel: EXT4-fs (xvdb): mounted filesystem with 
ordered data mode. Opts: discard
Jan 01 10:29:31 localhost mount-dirs.sh[303]: Checking /rw


I tried running fsck/e2fsck, but the command fails cause those partitions 
are mounted and cannot be unmounted (they are in use). With current issue, 
everytime I start the standalonevm I need to run xlconsole and exit 
emergency mode.

Any suggestions?

Thanks and have a great 2020.

Fernando.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4f78bfca-5066-49a5-ad17-9ae38f933bd7%40googlegroups.com.

Re: [qubes-users] occasional hangs that stop trackpad and keyboard entry

2020-01-01 Thread trueriver 
I had problems with the trackpad on the install of R 4.0 over a year ago, and 
occasional trackpad hangs when Dom0 was busy. My guess at the time was that 
this was due to running Qubes on only 4gb ram.

So, still on an Asus 360 but now with 8gb ram, I was shocked to find that there 
were still issues during install (had to use a USB mouse on R 4.0.2rc3). 



On the installed system the problem of the trackpad pointer hanging whenever 
Dom0 is busy seemed worse, than on R 4.0 (this is subjective, as I have no data 
to back up my impression). Not a show stopper but frequent enough to be 
annoying.

I found that the problem goes partly away if I keep sys-usb running even when 
not needed. 

To make it go away altogether I found I needed to alter xen.cfg in the EFI 
files, to make the Max ram equal the min. 1024M works for me as a value for 
both figures. Keep a backup copy of the original file in case this fix dies not 
work for you.

Just to be clear, the problem only resolved when both those fixes were applied 
together.

My next post will detail how I came to this conclusion and my thoughts on what 
is happening. As at least one other person is facing this issue at present, I 
thought I would post this brief workaround before the detail. I want to be at 
my laptop to type in the detail, rather than swiping it in on this phone screen 
:(

R~~

It's nothing to do with swapping, which was my guess back in Aug 2018.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a8d61dab-b9c5-487d-b4ae-5172d02fb91e%40googlegroups.com.

Re: [qubes-users] Re: HCL - Dell Inspiron 15 5000 (5575) AMD Ryzen 5 2500U w/ Vega 8 Graphics

2020-01-01 Thread qubes123 
 | q123 - do you happen to know what the exact two flag bits that changed 
represent in the cpu features? I wonder if  the true issue is something not 
being properly preserved during the suspend, or properly re-initialized 
during the resume.
>
>
> Brendan
>

I checked and it seems bits 27 (from 0->1) and 31 (from 1->0) change (for 
CPU0, capability[1]). However, I couldn't directly match, which is the 
correct register (eax, ebx, ecx, or edx) connected to this capability[1].  
So I cannot draw deeper conclusions.
Looking at the "cpufeatures.h" file though, where all the Xen relevant 
CPUID feature bits are listed, (..and assuming capability[1] refers to 
these features) bits 27-31 are not relevant to Xen, therefore the code 
might have to be changed to check only the relevant feature bits and not 
the whole 32 bits in case of AMD (Fam15h at least)...
But I could be wrong, and this feature bit thing is only the consequence of 
what your wrote above.
Please also note, that I use coreboot and a newer AMD microcode, than what 
is generally available in mainstream the linux distros. So my case could be 
unique.

Qubes123

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/003b169b-cca8-4080-bb45-8169d9262efd%40googlegroups.com.

Re: [qubes-users] Re: How do I attach a hard drive to a VM on boot?

2020-01-01 Thread River~~ 
On 16:36, Sun, 22 Dec 2019 <244clarendo...@gmail.com wrote:
>
>
>> The only remaining problem here might be that /dev/sda3 doesn't
>> reference the same drive on each dom0 boot process...
>>
>> So you'd have to write ... Alternatively  you could  ...
>
>
> Another option is to label the filesystem, say with
>
> tune2fs -L foo /dev/sda3
>
> Then, instead of the /dev/xxx entry in fstab, use LABEL=foo like this
>
>
> LABEL=foo   /mnt/tmpauto user,rw 0 0
>
> That way it will find the relevant partition, even if it moves around in
the partition table on the real disk, or if it appears on a different
virtual disk.(not yet tested on Qubes, but this is my normal way of making
fstab entries persist)

That success the problem of the disk moving around in the VM. It doesn't
solve the issue that it might be on a different unit in Dom0.

To get ground that, you might like to label the filesystem as before, and
refer to it in Dom0 as

/dev/disk/by-label/foo

Happy new year !

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAK3jUKr2Ks4WVsXwJLRZMWM8sEACAwnyVOY63haDReDgKqiawQ%40mail.gmail.com.

Re: [qubes-users] Re: State of Arch Template?

2020-01-01 Thread dhorf-hfref . 4a288f10 
> now someone who understands arch needs to add diffutils to the
> pkg-list for the arch builder plugin. :)

correction: someone already did, 5 days ago.

https://github.com/QubesOS/qubes-builder-archlinux/commit/09a435fcc6bdcb19144d198ea20f7a27826c1d80

so it should be fixed for all new arch template builds.
and 5d+ old ones with the problem can be fixed by 
"xl console archtpl", logging in as root, "pacman -S diffutils". 



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2020010203.GK17393%40priv-mua.

Re: [qubes-users] Re: State of Arch Template?

2020-01-01 Thread dhorf-hfref . 4a288f10 
On Tue, Dec 31, 2019 at 02:53:57PM -0800, Daniel Sanders wrote:
> So I still don't know the root cause of the issue (why the private.img 
> image contains no ext4 filesystem) but I hope it will help its resolution.

"private.img"? *cough*
(this means you are running qubes3 or a qubes4 with a seriously
 off-default storage configuration? ;) 

thank you for debugging this.
if you look closer at the "systemctl --failed" output, it mentions
qubes-mount-dirs.service failing.
if you run "systemctl status qubes-mount-dirs.service" you see
it complains about "/usr/lib/qubes/init/mount-dirs.sh" failing.
if you run /usr/lib/qubes/init/mount-dirs.sh by hand, it complains
about the "cmp" command not being found.
quick check, and yes, it is not installed.
so "pacman -S diffutils", restart template, TA-DAH.

now someone who understands arch needs to add diffutils to the
pkg-list for the arch builder plugin. :)
(thats very much not me, i had to google the "how to install a pkg
 on arch" part...) 


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200101105503.GJ17393%40priv-mua.

Re: [qubes-users] Re: Recommended laptop?

2020-01-01 Thread Lorenzo Lamas 
Hello Thierry,

Thanks for all that you are doing for the community. Do you see a 
possibility of a Qubes Certified Laptop with an AMD CPU?
Intel is affected a lot more than AMD by the sidechannel vulnerabilities in 
the last years. The Privacy Beast has a 3rd gen Intel CPU, Intel stopped 
providing uCode updates for 1st gen in 2019, so this year is probably the 
last year they will support 3rd gen. More CPU vulnerabilities will most 
certainly be discovered in the coming years, so there is a need for an AMD 
based certified laptop, or at least a newer generation Intel based laptop, 
even though that may mean we're stuck with PSP or ME.

On Tuesday, December 31, 2019 at 9:45:18 PM UTC+1, Thierry Laurion wrote:
>
>
> On Wed, Dec 25, 2019 at 6:03 PM > wrote:
>
>> Insurgo is providing a service.
>>
>> If one can do the steps themselves, that’s fine. 
>>
>> If I were advising a somewhat less technical journalist or a potentially 
>> targeted human-rights worker or politically targeted activist who just 
>> wanted to get stuff done and had the resources, I’d point them to Insurgo.
>>
>> Brendan
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "qubes-users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to qubes...@googlegroups.com .
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/qubes-users/7a7741f2-6b80-40be-a5a0-0f56b658f9fc%40googlegroups.com
>> .
>>
>
>
> Hello there, Thierry Laurion from Insurgo Open Technologies.
>
> Thanks Brendan.
>
> I feel the need to clarify things a bit once in a while. This reply is one 
> of those. This QubesOS community is large, and even if replies were done on 
> Reddit and other posts here in the past, the same questions arises with the 
> same scattered answers. Here is a combination of those answers.
>
>- Insurgo made grant applications so that actual best trustworthy 
>unmaintained hardware becomes mainstreamed under coreboot, and added under 
>Heads (extend Heads measured boot support of latest coreboot 
> VBOOT+measured 
>boot on Sandy/Ivy bridge xx30 and xx20 platforms:  t530, t430, x220. 
> Thanks 
>to obtained NlNet grant for Accessible Security project).
>- Insurgo is attempting to gather developers, device manufacturers 
>(RaptorEngineering) and funders around Power9-Power10 hardware based X86 
>alternative platform (PPC64le QubesOS platform support which has a bounty 
>offer already but needs commited developers). Let's remember that their 
>Blackbird/Talos II platforms recently got RYF certification.
>   - The last x86 platform having met RYF criteria is the X200, thanks 
>   to the Libreboot project, which removed Intel ME. 
>   - Since then, the x86 platforms have blobs we have to accept/deal 
>   with to make it trustworthier:
>   - Sandy Bridge/Ivy bridge : EC firmware, Intel ME BUP ROMP modules. 
>  Coreboot doesnt rely on FSP blobs for initialization. ME is actually 
>  neutered (no kernel nor syslibs as opposed to newer platforms, just 
> BUP and 
>  ROMP) and deactivated (AltMeDisable bit, not HAP bit).
>  - More recent hardware requires ME with its kernel and syslibs 
>  binary blobs present, while ME is asked to be deactivated through 
> HAP bit, 
>  requires Intel FSP and other binary blobs for hardware 
> initialization.
>  - Insurgo works to bridge the gap to broader QubesOS 
>accessibility, so that users in need of remote support can have secured 
>remote administration from trusted third parties (new revenue? AccessNow? 
>Other third parties?) over hidden tor onion service from additional GUI 
>(NlNet grant for Accessible Security project).
>- Insurgo tries its best to support Heads community through GitHub 
>opened issues while promoting collaboration.
>- Insurgo tries its best to mainstream CI build systems to produce 
>reproducible builds artifacts (this is broken for months and is still not 
>resolved).
>- Insurgo tries to raise awareness of researchers and developers on 
>the current state of "Open Source Firmware" (currently requiring FSP, ME 
> or 
>equivalent,not having completely neutered Intel ME while claiming it is 
>deactivated, while system libraries and kernel is still there but 
>latent...) This implies going to conferences, doing talks, confronting the 
>status quo, researching, developing so we have alternatives in the 
>futurewhile also doing the required clerical work.
>- Insurgo made QubesOS preinstallable for the first time on the 
>PrivacyBeast X230, thanks to its reownership wizard which takes care of 
> GPG 
>key generation, internal ROM reflashing, TPM ownership and sealing of 
>measurements, signing boot configuration, while enforcing diceware 
>passphrases in the provisioning phase. The goal is to

[qubes-users] HCL - HP Elitebook 8460p

2020-01-01 Thread Lorenzo Lamas 
Now running 4.0.2-rc3, everything works. Have also run 4.0.1, 4.0, 3.2 and 
3.1 fine.
The only thing that doesn't work is S3 sleep in combination with Anti Evil 
Maid(problems started with 4.0) If S3 sleep is engaged, laptop will do a 
hard shutdown. When booting without AEM, S3 sleep works fine.
 
Anti Evil Maid works.
Sys-usb works(though sometimes the USB 2.0 ports don't, not sure if it is 
an issue of software or old hardware. The USB 3.0 ports always work).
Attaching USB devices to other VMs works.
Sys-net works with both WiFi and Ethernet(out of the box).
DVD drive works.
 
Webcam and microphone not tested.
 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/15476fa2-354a-4669-8345-9df730c68319%40googlegroups.com.


Qubes-HCL-Hewlett_Packard-HP_EliteBook_8460p-20191231-095921.yml
Description: Binary data

Re: [qubes-users] Re: Recommended laptop?

2020-01-01 Thread trueriver 
Thanks Thierry,

Thanks for the detailed explanation and thanks for the work you have chosen to 
do. Thanks even more for upstreaming as much as you already have so that others 
can benefit too.

I want too add a couple of points that I hope are supportative, but let me 
start with an analogy.

When I was an impoverished student I used to fix my own car when it went wrong: 
serious problems too, stripping down the engine at one point. I never enjoyed 
it, and as soon as I was earning I gave that work to the local mechanic even 
though I knew how to do it. 

If someone wants the most secure laptop available on a turnkey basis then they 
would buy from you. Maybe they are not expert enough to know all the pitfalls 
you mention; but even if they do know enough they may make the same choice I 
made over car maintenance. They have things to do with their time that they 
prefer to be doing rather than doing IT stuff. AND they can afford to do so.

There are two sorts of people her who will want to do the work for themselves.

There are those of us who enjoy the process and want to actually work through 
the choices for ourselves as the best way to fully understand our own kit. 

And there are also those of us who need to watch every penny, so will do the 
best we can for ourselves within a budget that makes a 230 affordable at second 
hand prices but not at refurb prices.

Actually I'm in both those groups when it comes to IT, and my security needs 
are not so pressing as to need to pay the security premium that your product 
offers. And I enjoy tinkering with software more than I ever enjoyed lying 
under a car in the road when it was snowing.

So you have my sincere thanks for the info you do share (both through the open 
source channels and through posts like this one). And if a friend asks me to 
install a secure OS for them I will send them to you rather than take on a 
lifetime commitment to give them free support. 

Equally, from where I am at the moment I would actually prefer to buy the 
second hand laptop and work through the process myself. But please don't ever 
think that that means I disrespect what you are doing, or that I have any 
problem with your pricing policies. You've made this your work and you are 
totally entitled to make a living out of it. At the end of the day I'm a 
hobbyist.

And it's not just free beer: I pay back when I can, not with currency, but in 
giving advice here when I see other ppl who are struggling with what I already 
solved, by making bug reports, and I've even edited the Qubes docs on a couple 
of occasions. For me free as in speech is a two way process: I come to ask 
questions here, but when I come I always find myself answering questions as 
well. 

So much kudos to you for your choice of making your livelihood, and for 
facilitating hobbyists and those on low budgets by sharing info as well.

Have a great year Thierry

River~~



-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1f1f6c5e-5ed1-4a96-858d-411c84f4f831%40googlegroups.com.

[qubes-users] Installation fails in many different ways

2020-01-01 Thread trueriver 
I have found problems with touchpad during installs of Qubes on various laptops 
and when installing R 4.0, R 4.0.1 and R 4.0.2rc3. I will be posting soon my 
guess about why this happens. But the first thing to say is I don't think this 
is hardware specific so please don't regret buying that shiny new kit.

But in the meantime here's the workaround that worked for me this week to 
install R 4.0.2rc3 on an Asus laptop.

Don't try to use the trackpad or the touch sensitive screen during install. 
Instead use a USB plug in mouse, have it already plugged in at boot up.

With the installed system you may occasionally get similar symptoms but they 
are transient, going away as soon as Dom0* has done whatever was keeping it 
busy. Unlike the experience with the installer, the system is usable 98% of the 
time, and the trackpad drop outs are an occasional brief irritant rather than a 
show stopper. They can be fixed too (look out for my upcoming post here, 
perhaps today, certainly this week)

((* Dom0 is a special virtual machine that is central to many of the Qubes 
specific security features. Under current versions of Qubes it also looks after 
the screen, keyboard and mouse. In very non technical terms it sometimes needs 
to focus on the security or the background stuff about configuring Xen at the 
expense of the mouse. That's especially the case when it's installing a new 
system. Plans are in place to move these things out of Dom0, but that's a work 
in progress and doesn't help us right now)).

Let me know how you get on using a USB mouse, please. 

And come back if you find occasional returns of this effect on the installed 
system. In my opinion, on my laptops, it's fixable so is worth persevering. My 
strong hunch is that it will work even better on your kit.

And when Qubes works it's great. Welcome, and I hope we can encourage you to 
stay :)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/28b8a92a-3164-453f-87c5-e6c324f524d5%40googlegroups.com.

Re: [qubes-users] Re: Recommended laptop?

2020-01-01 Thread Anil Eklavya 
Thanks for putting all this information in one place. I was earlier looking to 
buy Insurgio Privacy Beast, but it was not clear whether it could be shipped to 
India. I then ordered Librem 13.

Is there any comparison available between these two, based on privacy and 
security considerations?

Regards,

Anil Kumar Singh 

> On 01-Jan-2020, at 2:15 AM, Thierry Laurion  wrote:
> 
> 
> 
>> On Wed, Dec 25, 2019 at 6:03 PM  wrote:
>> Insurgo is providing a service.
>> 
>> If one can do the steps themselves, that’s fine. 
>> 
>> If I were advising a somewhat less technical journalist or a potentially 
>> targeted human-rights worker or politically targeted activist who just 
>> wanted to get stuff done and had the resources, I’d point them to Insurgo.
>> 
>> Brendan
>> 
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "qubes-users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to qubes-users+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/qubes-users/7a7741f2-6b80-40be-a5a0-0f56b658f9fc%40googlegroups.com.
> 
> 
> Hello there, Thierry Laurion from Insurgo Open Technologies.
> 
> Thanks Brendan.
> 
> I feel the need to clarify things a bit once in a while. This reply is one of 
> those. This QubesOS community is large, and even if replies were done on 
> Reddit and other posts here in the past, the same questions arises with the 
> same scattered answers. Here is a combination of those answers.
> Insurgo made grant applications so that actual best trustworthy unmaintained 
> hardware becomes mainstreamed under coreboot, and added under Heads (extend 
> Heads measured boot support of latest coreboot VBOOT+measured boot on 
> Sandy/Ivy bridge xx30 and xx20 platforms:  t530, t430, x220. Thanks to 
> obtained NlNet grant for Accessible Security project).
> Insurgo is attempting to gather developers, device manufacturers 
> (RaptorEngineering) and funders around Power9-Power10 hardware based X86 
> alternative platform (PPC64le QubesOS platform support which has a bounty 
> offer already but needs commited developers). Let's remember that their 
> Blackbird/Talos II platforms recently got RYF certification.
> The last x86 platform having met RYF criteria is the X200, thanks to the 
> Libreboot project, which removed Intel ME. 
> Since then, the x86 platforms have blobs we have to accept/deal with to make 
> it trustworthier:
> Sandy Bridge/Ivy bridge : EC firmware, Intel ME BUP ROMP modules. Coreboot 
> doesnt rely on FSP blobs for initialization. ME is actually neutered (no 
> kernel nor syslibs as opposed to newer platforms, just BUP and ROMP) and 
> deactivated (AltMeDisable bit, not HAP bit).
> More recent hardware requires ME with its kernel and syslibs binary blobs 
> present, while ME is asked to be deactivated through HAP bit, requires Intel 
> FSP and other binary blobs for hardware initialization.
> Insurgo works to bridge the gap to broader QubesOS accessibility, so that 
> users in need of remote support can have secured remote administration from 
> trusted third parties (new revenue? AccessNow? Other third parties?) over 
> hidden tor onion service from additional GUI (NlNet grant for Accessible 
> Security project).
> Insurgo tries its best to support Heads community through GitHub opened 
> issues while promoting collaboration.
> Insurgo tries its best to mainstream CI build systems to produce reproducible 
> builds artifacts (this is broken for months and is still not resolved).
> Insurgo tries to raise awareness of researchers and developers on the current 
> state of "Open Source Firmware" (currently requiring FSP, ME or 
> equivalent,not having completely neutered Intel ME while claiming it is 
> deactivated, while system libraries and kernel is still there but latent...) 
> This implies going to conferences, doing talks, confronting the status quo, 
> researching, developing so we have alternatives in the futurewhile also 
> doing the required clerical work.
> Insurgo made QubesOS preinstallable for the first time on the PrivacyBeast 
> X230, thanks to its reownership wizard which takes care of GPG key 
> generation, internal ROM reflashing, TPM ownership and sealing of 
> measurements, signing boot configuration, while enforcing diceware 
> passphrases in the provisioning phase. The goal is to generalize it to other 
> platforms. Ideally through collaboration...
> Insurgo made the PrivacyBeast X230 certified by QubesOS, with a lot of work 
> done on Heads that is unfortunately not upstreamed yet. Will go back at this, 
> while branch is available through Gitlab and GitHub.
> Insurgo collaborates with other parties to make needed work to have fwupd 
> (firmware upgrades), available inside of QubesOS, including Heads firmware, 
> thanks to NlNet Privacy and Trust grant, once again.
> Insurgo tries to push verified boot to measure also the LVM