[qubes-users] Help with qubes-vpn-support

2020-04-14 Thread lurk
I'm setting up wireguard, but encountered an issue with 
qubes-vpn-support (https://github.com/tasket/Qubes-vpn-support).


Traffic from my vpn proxyvm ('sys-mullvad') is getting through. Apt 
updates and installations, wget, ping, etc all work from within 
sys-mullvad. I don't think this is expected behavior.


FWIW, I'm on Qubes 4.0.3, with the debian 10 minimal template used for 
this. Tried the debian 10 template too, to the same effect. Did I miss 
anything?


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a1e17539b72431bd9810373e94916a73%40firemail.cc.


Re: [EXT] Re: [qubes-users] On "https://www.qubes-os.org/doc/tails/"

2020-04-14 Thread Ulrich Windl

On 4/15/20 12:48 AM, Ulrich Windl wrote:

On 3/1/20 2:28 AM, unman wrote:

[...]

Works for me.
Did you download the version for virtual machines?



Hmmm, seems one of the problems is that the ISO for VMs has the same 
name as the regular ISO:


https://mirrors.dotsrc.org/tails/stable/tails-amd64-4.5/tails-amd64-4.5.iso
https://archive.torproject.org/amnesia.boum.org/tails/stable/tails-amd64-4.5/tails-amd64-4.5.iso 



Trying with the correct image...


Ok, it seems the real reason for the error message about the graphics 
card was lack of RAM (only 400MB) in the VM: After increasing it to 1GB, 
it started OK. (As it was quite slow, I increased RAM to 2GB)


Still I have some issues I don't know how to handle:

1) Starting from an ISO image found in some VM, how can I populate the 
root LV so that I don't need the ISO image any more? I have these LVS 
right now, all empty:


  vm-Tails-VM-private                 qubes_dom0 Vwi-a-tz--  2.00g pool00 vm-Tails-VM-private-1586907685-back 0.00
  vm-Tails-VM-private-1586907685-back qubes_dom0 Vwi-a-tz--  2.00g pool00                                     0.00
  vm-Tails-VM-private-snap            qubes_dom0 Vwi-aotz--  2.00g pool00 vm-Tails-VM-private                 0.00
  vm-Tails-VM-root                    qubes_dom0 Vwi-a-tz-- 10.00g pool00 vm-Tails-VM-root-1586907685-back    0.00
  vm-Tails-VM-root-1586907685-back    qubes_dom0 Vwi-a-tz-- 10.00g pool00                                     0.00
  vm-Tails-VM-root-snap               qubes_dom0 Vwi-aotz-- 10.00g pool00 vm-Tails-VM-root                    0.00
  vm-Tails-VM-volatile                qubes_dom0 Vwi-aotz-- 10.00g pool00                                     0.00


How can I enable networking in tails? I selected sys-firewall as NetVM, 
but DHCP does not get an address. When configuring the IPv4 
address/mask/DNS Qubes Manager displays, I have a network connection, 
but as Tails forgets everything, I would have to configure those after 
each boot...




Ulrich





Re: [qubes-users] Is a StandaloneVM equally secure as a AppVM that is created on it's own TemplateVM, and what is the difference between a StandaloneVM and a AppVM ?

2020-04-14 Thread Sven Semmler
On Tue, Apr 14, 2020 at 03:49:33PM -0700, Vít Šesták wrote:
> b. When you have a StandaloneVM you don't run often, it might miss some 
> updates, so you are more likely to run some software with known 
> vulnerabilities after boot. This does not happen for Temlate-based-VM 
> provided that you use some other VMs from the same template.

That is true if you depend on the build-in mechanism to update your
qubes. It's however very easy to write a simple shell script in dom0
that calls something like ...

qvm-run -a qube "sudo apt update && sudo apt upgrade -y" 

... for every template and standalone qube. You can even go a step
further and have cron run it once a day. 

/Sven

-- 
 public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6
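
The dom0 loop described in the message above, as an added example that is not part of the original post. It assumes that `qvm-ls --raw-data --fields NAME,CLASS,STATE` prints one `name|class|state` line per qube and that every template and standalone qube is Debian-based; the function names, the `--run` switch and the cron path are hypothetical.

```shell
#!/bin/sh
# Added example for dom0 (not from the original post).
# Assumptions: `qvm-ls --raw-data --fields NAME,CLASS,STATE` prints one
# "name|class|state" line per qube, and every selected qube is Debian-based.
# A daily cron entry could call it, e.g. (hypothetical path):
#   0 3 * * * /home/user/bin/update-qubes.sh --run

UPDATE_CMD='sudo apt update && sudo apt upgrade -y'   # command from the post

# Constructed sample of the qvm-ls output, used for the offline dry run.
SAMPLE='dom0|AdminVM|Running
debian-10|TemplateVM|Halted
work|AppVM|Running
Tails-VM|StandaloneVM|Running'

# Read "name|class|state" lines on stdin; print "name state" for every
# TemplateVM and StandaloneVM (AppVMs, DispVMs and dom0 are skipped).
select_updatable() {
    while IFS='|' read -r name class state; do
        case $class in
            TemplateVM|StandaloneVM) printf '%s %s\n' "$name" "$state" ;;
        esac
    done
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Update each qube named on stdin. A failure in one qube is recorded and the
# loop continues, so one broken qube does not leave the rest unpatched.
# Qubes that were halted beforehand are shut down again afterwards; for a
# template this is also what lets its AppVMs pick up the new root image.
update_all() {
    failed=''
    while read -r name state; do
        # </dev/null keeps qvm-run from consuming the loop's input.
        run qvm-run -a "$name" "$UPDATE_CMD" </dev/null || failed="$failed $name"
        [ "$state" != Halted ] || run qvm-shutdown --wait "$name" </dev/null
    done
    [ -z "$failed" ] || { echo "update failed in:$failed" >&2; return 1; }
}

if [ "${1:-}" = --run ]; then
    qvm-ls --raw-data --fields NAME,CLASS,STATE | select_updatable | update_all
else
    # Offline dry run over the constructed sample: prints the commands only.
    printf '%s\n' "$SAMPLE" | select_updatable | DRY_RUN=1 update_all
fi
```

Template-based AppVMs that are running during the update still use the old root image until they are restarted.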



Re: [EXT] Re: [qubes-users] On "https://www.qubes-os.org/doc/tails/"

2020-04-14 Thread Ulrich Windl

On 3/1/20 2:28 AM, unman wrote:

[...]

Works for me.
Did you download the version for virtual machines?



Hmmm, seems one of the problems is that the ISO for VMs has the same 
name as the regular ISO:


https://mirrors.dotsrc.org/tails/stable/tails-amd64-4.5/tails-amd64-4.5.iso
https://archive.torproject.org/amnesia.boum.org/tails/stable/tails-amd64-4.5/tails-amd64-4.5.iso

Trying with the correct image...

Ulrich



[qubes-users] Is a StandaloneVM equally secure as a AppVM that is created on it's own TemplateVM, and what is the difference between a StandaloneVM and a AppVM ?

2020-04-14 Thread Vít Šesták
In my opinion, the main reason for deciding between StandaloneVM and 
Template-based-VM is not security, it is management. With a Template-based-VM, 
you manage all or most of the apps in the template. If you have a single VM 
template for many Template-based-VMs, you just update the template and reboot 
the related VMs that are running. With standalone VMs, you need to update all 
of them separately.

Security concerns:

a. Malware might not survive reboot of Template-based-VM. This is however true 
just for some malware that is not adapted to Qubes OS, but even this malware 
might survive VM reboot. AFAIR, this is explicitly a non-goal. There are many 
places to hook the malware after reboot – .bashrc, /usr/local/bin, browser 
extensions, …
b. When you have a StandaloneVM you don't run often, it might miss some 
updates, so you are more likely to run some software with known vulnerabilities 
after boot. This does not happen for Template-based-VM provided that you use 
some other VMs from the same template.
c. On the other hand, Template-based-VMs always require a reboot after 
updating. Without that, you can still run outdated software with some known 
vulnerabilities.

So, it depends on how you use it.

Regards,
Vít Šesták 'v6ak'



Re: [EXT] [qubes-users] Re: New article about Qubes OS

2020-04-14 Thread Ulrich Windl

On 4/14/20 2:44 PM, GWeck wrote:

Hello,

very nice article!

I have forwarded the link, for information, to the Presidium working group 
on data protection and IT security of the Gesellschaft für Informatik.




Hi Guys!

Please no private conversations in German in this list!


Kind regards

Yours, G. Weck



[qubes-users] Blank screen after resume if using Nvidia on Lenovo P53

2020-04-14 Thread John Doe
Hello,
I have Lenovo P53 with Nvidia+Intel GPU and I have various troubles depending 
on the configuration.

First, I need to use a more recent kernel than the default one in order to make 
touchpad and trackpoint work:

Linux dom0 5.5.9-1.qubes.x86_64 #1 SMP Sun Mar 15 05:53:26 UTC 2020 x86_64 
x86_64 x86_64 GNU/Linux

With this kernel, I have some other issues that depend on the GPU I select in 
BIOS. With this kernel:

a. When I choose Intel+Nvidia combo, I get random freezes. Sometimes, the 
system works several hours, sometimes it freezes much sooner, even during the 
boot. If you have some idea how to resolve this, I am OK with using this option 
(i.e. probably just Intel all the time). But I do not want to debug it much, 
because it is a pain, as the behaviour looks quite non-deterministic. Note that I 
also need HDMI to work, but I am not 100% sure about this combination.
b. When I choose just Nvidia, the system works with Nouveau driver quite well 
until I suspend it. When I resume, it deterministically (with rare exceptions) 
keeps the screen blank, even without any backlight. HDMI-connected screen is 
also affected. It however seems that it is just the graphical output and the 
laptop works otherwise; for example, I can press Ctrl+Alt+F2 and then 
Ctrl+Alt+Del to reboot the machine.

Adding nouveau.modeset=0 to the kernel commandline changes nothing but the 
rendering performance. That is, I see a blank screen with this kernel option 
after resume. With this option, nouveau kernel module is loaded, but apparently 
not used, because I can rmmod nouveau. Anyway, running rmmod nouveau does not 
seem to change the resume behavior.

Do you have any idea how to fix that or what the cause is?


-
Hardware info:

$ cat /proc/cpuinfo  | grep 'model name' | head -n1
model name : Intel(R) Core(TM) i7-9850H CPU @ 2.60GHz
$ sudo lshw -C display
  *-display
   description: VGA compatible controller
   product: NVIDIA Corporation
   vendor: NVIDIA Corporation
   physical id: 0
   bus info: pci@:01:00.0
   version: a1
   width: 64 bits
   clock: 33MHz
   capabilities: pm msi pciexpress vga_controller bus_master cap_list rom
   configuration: driver=nouveau latency=0
   resources: irq:184 memory:ed00-edff memory:c000-cfff 
memory:d000-d1ff ioport:2000(size=128) memory:c-d





[qubes-users] HCL - Dell Inc. OptiPlex 9010

2020-04-14 Thread Michal Zygowski
Works without issues running coreboot. Tested suspend to RAM, PS/2
keyboard/mouse, GbE, onboard video, wake from suspend, onboard TPM 1.2.
Untested: PCI passthrough, discrete GPU.



Qubes-HCL-Dell_Inc_-OptiPlex_9010-20200414-084742.cpio.gz
Description: application/gzip


Qubes-HCL-Dell_Inc_-OptiPlex_9010-20200414-084742.yml
Description: application/yaml


Re: [qubes-users] Privacy Beast vs Nitropad comparison?

2020-04-14 Thread Andrew Sullivan
Thanks for the reply.  I'm in the UK, so I think you're right, the Insurgo 
machine would probably cost me in terms of shipping, import duty etc.  So 
the Nitropad (from Germany I think) is probably a better bet.

I also think you're right in that both machines use a Nitrokey.  The 
difference I think is that Insurgo put their security key on the machine, 
and then force you to change it when you first boot up.  With the Nitropad, 
there is just a default key (something like "changemenow") which obviously 
needs to be changed (!) but I don't know if there is a formal reowning 
process.

Never heard of easyOS, I'll have a look.

"noobs need Qubes" wasn't my quote!!!


On Tuesday, 14 April 2020 15:04:54 UTC+1, Catacombs wrote:
>
> Your choice between NitroPad or Insurgo might depend on where you live.  I 
> think Insurgo is based in north America, and Nitro is based in Europe.  
> Different taxes, shipping problems, searches.  I thought they both allowed 
> for non-tampered shipping security with NitroKey.
>
> Option three is the laptop from Puri, Librem.  From north America, also 
> allows for non-tampered shipping security with NitroKey.  https://puri.sm/
>
> Besides their standard offering they have a sale on what they call 
> refurbished, which some believe is Puri/Librem clearing their warehouse 
> shelves.  
>
> https://forums.puri.sm/t/refurbished-librem-laptops-on-sale/8841
>
> For their Pure OS, they offer another service, (for a monthly fee).  
> Despite being Debian based, these do not install so easily on other Linux 
> OS's.  https://librem.one/
>
> They offer their own Debian based OS, Pure OS.  Pure uses Boxes for 
> security.   This is a free OS, and you can give it a whirl without buying 
> anything.  https://www.pureos.net/  
>
> Puri/Librem  will install Qubes for you, (I think for a charge) or you can 
> do that on your own.
>
> The other OS's which one might use is Tails Linux (yeah, you knew that, 
> but I had to mention it.)  and Easy OS.  
>
> Easy OS some might not consider to be secure, only one developer, Barry 
> Kauler, uses Boxes for security.  
> http://murga-linux.com/puppy/viewtopic.php?t=109958
>
> I guess noobs need Qubes is a joke, because it has some intensive learning 
> associated with using it properly.  or at all
>
>
>
>
>



Re: [qubes-users] Privacy Beast vs Nitropad comparison?

2020-04-14 Thread Catacombs
Your choice between NitroPad or Insurgo might depend on where you live.  I 
think Insurgo is based in north America, and Nitro is based in Europe.  
Different taxes, shipping problems, searches.  I thought they both allowed 
for non-tampered shipping security with NitroKey.

Option three is the laptop from Puri, Librem.  From north America, also 
allows for non-tampered shipping security with NitroKey.  https://puri.sm/

Besides their standard offering they have a sale on what they call 
refurbished, which some believe is Puri/Librem clearing their warehouse 
shelves.  

https://forums.puri.sm/t/refurbished-librem-laptops-on-sale/8841

For their Pure OS, they offer another service, (for a monthly fee).  
Despite being Debian based, these do not install so easily on other Linux 
OS's.  https://librem.one/

They offer their own Debian based OS, Pure OS.  Pure uses Boxes for 
security.   This is a free OS, and you can give it a whirl without buying 
anything.  https://www.pureos.net/  

Puri/Librem  will install Qubes for you, (I think for a charge) or you can 
do that on your own.

The other OS's which one might use is Tails Linux (yeah, you knew that, but 
I had to mention it.)  and Easy OS.  

Easy OS some might not consider to be secure, only one developer, Barry 
Kauler, uses Boxes for security.  
http://murga-linux.com/puppy/viewtopic.php?t=109958

I guess noobs need Qubes is a joke, because it has some intensive learning 
associated with using it properly.  or at all






Re: [qubes-users] Re: New article about Qubes OS

2020-04-14 Thread Knut von Walter
Hello Mr. Weck,

I very much appreciate your praise and your support!

Many thanks.

Best

                Knut von Walter

On 2020-04-14 14:44, GWeck wrote:
> Hello,
>
> very nice article!
>
> I have forwarded the link, for information, to the Presidium working
> group on data protection and IT security of the Gesellschaft für
> Informatik.
>
> Kind regards
>
> Yours, G. Weck



[qubes-users] Re: The best hardware to run Qubes on a Server?

2020-04-14 Thread Eloy Beltran


Unfortunately I have no knowledge of networks, nor can I elaborate a complex 
firewall, 
the only thing I have tried is the Hidden Service of Tor, 
and the Xen type 1 hypervisors to isolate the ram memory from being read by 
third parties and the server environment. 
I find Whonix interesting, I don't know anyone who uses or has a Hidden 
Service. 
In the end it is a project that I will end up abandoning, so don't be too 
bothered by me, your answer is all I need.

Thank you



On Friday, 10 April 2020, 2:12:45 (UTC+2), Eloy Beltran wrote:
>
> What computer? Only use Whonix under Hidden Service.
>



[qubes-users] Re: New article about Qubes OS

2020-04-14 Thread GWeck
Hello,

very nice article!

I have forwarded the link, for information, to the Presidium working group 
on data protection and IT security of the Gesellschaft für Informatik.

Kind regards

Yours, G. Weck



Re: [qubes-users] can't open anything in standalone vm ?

2020-04-14 Thread Stumpy

On 2020-04-13 19:30, 'awokd' via qubes-users wrote:

Stumpy:


oops. only replied to awokd (sorry).
repost:


Thanks,
gave it a try and either i am misunderstanding the command or something
else?

[sam@dom0 ~]$ sudo xl console miffed
miffed is an invalid domain identifier (rc=-6)


No problem; did you see my reply? Miffed has to be powered on first.



sorry, i guess i missed your email.

I tried with miffed turned on and it certainly gave different output 
(a lot of it) though i cant say I am able to make much of it (a few 
"errors" and "failed" in there but not sure if those are the problem). Is 
this something that i should send or put on a pastebin?




Re: [qubes-users] Privacy Beast vs Nitropad comparison?

2020-04-14 Thread Andrew Sullivan
Hello

I'm thinking of trying my hand at Qubes (currently a long-time Linux Mint 
user), and I need a new laptop anyway so I'm thinking of the Nitropad or 
Insurgo machines. 

You say that the Insurgo is "more secure" and "exceeds" the requirements of 
Qubes certification; in what ways is this?  Is it just the reownership 
process (which I admit does look more stringent in the case of the Insurgo, 
but they end up re-owned just the same?).

If I got one of these machines and for some reason decided that Qubes 
wasn't for me, would it be easy to "nuke" the Qubes and just install Linux 
Mint or whatever?  Would a Linux installer have any problems with Coreboot 
etc?

Thanks in advance

Andrew

On Wednesday, 8 April 2020 11:40:23 UTC+1, Maillist wrote:
>
> Hello, 
>
> the Privacy Beast is more secure. As they write, it meets and exceeds 
> the Qubes os certification, the Nitropad only meets them. They differ in 
> the OEM reownership process. 
>
>
> cheers. 
>
> On 4/8/20 1:03 AM, 'dcon' via qubes-users wrote: 
> > Are there any significant differences between the two? It seems that 
> Nitropad has more hardware configuration options. With ME inactivation, is 
> there any reason to swap out the WiFi module? 
> > 
> > I’d like to thank both vendors for bringing these to the market!   
> > 
> > Noobs need Qubes!  
> > 
>



[qubes-users] New article about Qubes OS

2020-04-14 Thread Knut von Walter
Hi friends, on the website
https://1centforpeace.de/catego…/mobilitaet-digitalisierung/
I have written an article about Qubes OS. I look forward to your feedback.

Best Knut



[qubes-users] ANN: Qubes network server available for Qubes OS release 4.0.x

2020-04-14 Thread Manuel Amador (Rudd-O)
Hello, folks!

After a long hiatus because of reasons, I'm happy to announce Qubes
network server -- an add-on to Qubes OS that allows you to expose
selected AppVMs to other VMs and to other machines in your LAN as well. 
The latest tagged release is compatible with Qubes 4.0.

The URL to check is: https://github.com/Rudd-O/qubes-network-server

An excerpt from the README.md file follows here.  I hope this helps you
understand what possibilities Qubes network server opens up for you.

I'm happy to report that, with a minor readjustment (attaching my
networked AppVMs to NetVMs instead of ProxyVMs), this functions as an
adequate replacement for Qubes network server from release 3.2.

--


  QUBES NETWORK SERVER

This software lets you turn your [Qubes OS
4.0](https://www.qubes-os.org/) machine into
a network server, enjoying all the benefits of Qubes OS (isolation, secure
inter-VM process communication, ease of use) with none of the drawbacks
of setting up your own Xen server.


WHY?

Qubes OS is a magnificent operating system, but there are so many use
cases that its networking model cannot crack:

  * As an automated integration testing system.  Qubes OS would be
    phenomenal for this, and its automation tools would make it
    extremely easy to bring up and tear down entire environments.
    If only those environments could network with each other securely!
  * Remote management of Qubes OS instances.  Vanilla Qubes OS cannot
    easily be managed remotely.  A better networking model would allow
    for orchestration tools such as [Ansible
    Qubes](https://github.com/Rudd-O/ansible-qubes) to manage entire
    Qubes OS deployments, all of their VMs, and even minutiae within
    each VM.
  * Anything that involves a secure server, serving data to people or
    machines, simply cannot be done under vanilla Qubes OS.


ENHANCED NETWORKING MODEL

The traditional Qubes OS networking model contemplates a client-only use
case.  User VMs (AppVMs or StandaloneVMs) are attached to ProxyVMs,
which give the user control over outbound connections taking place from
user VMs.  ProxyVMs in turn attach to NetVMs, which provide outbound
connectivity for ProxyVMs and other user VMs alike.

No provision is made for running a server in a virtualized environment,
such that the server's ports are accessible by (a) other VMs (b)
machines beyond the perimeter of the NetVM.  To the extent that such a
thing is possible, it is only possible by painstakingly maintaining
firewall rules for multiple VMs, which need to carefully override the
existing firewall rules, and require careful thought not to open the
system to unexpected attack vectors.  The Qubes OS user interface
provides no help either.

Qubes network server changes all that.

With the Qubes network server software, it becomes possible to make
network servers in user VMs available to other machines, be they peer
VMs in the same Qubes OS system or machines connected to a physical link
shared by a NetVM.  Those network server VMs also obey the Qubes OS
outbound firewall rules controls, letting you run services with outbound
connections restricted.

This is all, of course, opt-in, so the standard Qubes OS network
security model remains in effect until you decide to enable the feature
on any particular VM.

The only drawback of this method is that it requires you to attach VMs
meant to be exposed to the network directly to a NetVM, rather than
through a ProxyVM.  VMs exposed through a ProxyVM will not be visible to
machines on the same network as the NetVM.


HOW TO USE THIS SOFTWARE

Once installed (see the full README.md at the URL posted above), usage
of the software is straightforward.

These sample instructions assume you already have an AppVM VM set up,
named /testvm/, and that your /sys-net/ VM is attached to a LAN with
subnet 192.168.16.0/24.

First, attach the VM you want to expose to the network to a NetVM that
has an active network connection:

qvm-prefs -s testvm netvm sys-net

Then, set an IP address on the VM:

qvm-prefs -s testvm ip 192.168.16.25

(The step above requires you restart the /testvm/ VM if it was running.)

Then, to enable the network server feature for your /testvm/ VM, all you
have to do in your AdminVM (/dom0/) is run the following command:

qvm-features testvm routing-method forward

Now testvm is exposed to the network with address 192.168.16.25, as well
as to other VMs attached to its /sys-net/ NetVM.

Do note that /testvm/ will have the standard Qubes OS firewall rules
stopping inbound traffic.  To solve that issue, you can [use the
standard rc.local Qubes OS mechanism to alter the firewall
rules](https://www.qubes-os.org/doc/firewall/#where-to-put-firewall-rules)
in your /testvm/ AppVM.

-- 
Rudd-O
http://rudd-o.com/
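
An added example, not part of the announcement or of the qubes-network-server code: a dom0 helper that refuses to proceed unless the chosen address is a usable host address inside the LAN subnet, then issues the three commands from the instructions above in order. The function names and the `APPLY` switch are assumptions of this example; the VM name, NetVM, address and subnet are the ones used in the excerpt.

```shell
#!/bin/sh
# Added example for dom0 (not from the announcement or the project).
# Function names and the APPLY switch are hypothetical.

# Qube names end up on a command line, so accept a conservative set only.
valid_name() { case $1 in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac; }

# Convert a dotted-quad IPv4 address to an integer; fail on malformed input.
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # Reject empty, over-long and zero-padded octets (08 would be octal).
        case $o in ''|????*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeed only if $1 is a host address inside CIDR $2, excluding the
# network and broadcast addresses.
ip_in_cidr() {
    ip=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    bits=${2#*/}
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -ge 1 ] && [ "$bits" -le 30 ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ] || return 1
    host=$(( ip & ~mask & 0xFFFFFFFF ))
    [ "$host" -ne 0 ] && [ "$host" -ne $(( ~mask & 0xFFFFFFFF )) ]
}

# Print the three commands from the instructions, after validation.
# Usage: plan_expose VM NETVM ADDRESS LAN_CIDR
plan_expose() {
    vm=$1 netvm=$2 addr=$3 lan=$4
    valid_name "$vm" && valid_name "$netvm" || {
        echo "refusing: invalid qube name" >&2; return 1; }
    ip_in_cidr "$addr" "$lan" || {
        echo "refusing: $addr is not a usable host address in $lan" >&2
        return 1; }
    printf '%s\n' \
        "qvm-prefs -s $vm netvm $netvm" \
        "qvm-prefs -s $vm ip $addr" \
        "qvm-features $vm routing-method forward"
}

# Validate, then either print the plan or (APPLY=1) run it in dom0.
# The qube must be restarted afterwards if it was running when its IP changed.
expose_qube() {
    plan=$(plan_expose "$@") || return 1
    if [ "${APPLY:-0}" != 1 ]; then printf '%s\n' "$plan"; return 0; fi
    qvm-prefs -s "$1" netvm "$2" &&
    qvm-prefs -s "$1" ip "$3" &&
    qvm-features "$1" routing-method forward
}

# Values from the excerpt; prints the plan without changing anything.
expose_qube testvm sys-net 192.168.16.25 192.168.16.0/24
```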


Re: [qubes-users] Build USB install with kernel 5+

2020-04-14 Thread Frédéric Pierret
Hi,
I used to build newer ISOs in the past for such troubles, with kernel-latest 
embedded. If you are interested, I can build you a 4.0.3 with 
kernel-latest-5.6 to try?

Best,

On 2020-04-14 07:54, 'Max Andersen' via qubes-users wrote:
> Just want to mention the system(firmware, etc.) is brand new, so many
> issues might be lack of support.
> 
> On 4/14/20 1:28 AM, 'awokd' via qubes-users wrote:
>> 'Max Andersen' via qubes-users:
>>
>>> I can actually put in an older wireless usb in the machine, and it sees it 
>>> with lsusb in dom0, but I don't know how to enable it in vm
>> In dom0, use qvm-usb to try to attach that device to sys-net. Some USB
>> devices don't passthrough very well, though.
> 
> qvm-usb shows no output:
> 
> [max@dom0 ~]$ qvm-usb
> BACKEND:DEVID  DESCRIPTION  USED BY
> [max@dom0 ~]$ lsusb
> Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
> Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
> Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
> Bus 001 Device 006: ID 0bda:8179 Realtek Semiconductor Corp. RTL8188EUS
> 802.11n Wireless Network Adapter
> Bus 001 Device 005: ID 046d:c52f Logitech, Inc. Unifying Receiver
> Bus 001 Device 004: ID 046d:c318 Logitech, Inc. Illuminated Keyboard
> Bus 001 Device 002: ID 05e3:0608 Genesys Logic, Inc. Hub
> Bus 001 Device 003: ID 8087:0026 Intel Corp.
> Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
> [max@dom0 ~]$
> 
>>> Tried qvm-pci
>>>
>>> It showed usb controller on that?
>>>
>>> When running qvm-pci a sys-net-clone-1 dom0:00_14.0 it failed with got 
>>> empty response from qubesd and hung
>> You might be trying to attach the USB controller itself to
>> sys-net-clone-1. This can work, if you're sure nothing else is on it
>> (like your keyboard & mouse). Many systems only have one controller
>> though, so try USB passthrough first.
> 
> 
> That was probably what I did and it failed :).
> 
> Sincerely
> 
> Max
> 
> 
