Re: [qubes-users] Re: Fedora 30 approaching EOL, Fedora 31 TemplateVM available, Fedora 32 TemplateVM in testing

2020-05-01 Thread seshu
@Miguel  thanks!

and thanks to everyone who provided feedback, this was really educational 
for me. I'm not quite a qubes newbie, but I'm not an expert either. 

The idea from Brend was too sophisticated for me and so I was nervous about 
it. I decided to go with Miguel's approach and that was great. One change 
though. The qvm-stop is now qvm-shutdown, so the instructions I needed to 
use are:

$ qvm-shutdown --wait sys-usb; \
qvm-prefs sys-usb template fedora-31; \
qvm-start sys-usb

it all worked quickly and painlessly. This really should be added to the 
instructions for updating a templateVM.  I'll see if I can add that into 
the documentation.

Thanks again everyone!

On Friday, May 1, 2020 at 5:22:42 PM UTC, Miguel Barbosa Gonçalves wrote:
>
> On 2020-05-01 17:48, brend...@gmail.com  wrote: 
> > On Friday, May 1, 2020 at 12:39:54 AM UTC-4, seshu wrote: 
> > 
> > One question that just occurred to me about upgrading the template 
> > VM's. Many of the comments and posts in this forum are assuming 
> > Qubes is installed on a laptop. I have it installed on a desktop, 
> > and my keyboard / mouse uses sys-usb. I need to have this appVM 
> > running to use the peripheral obviously. But, since the appVM is 
> > running, I can't update the templateVM? 
>
> Hi! 
>
> Before I had an additional USB controller for my keyboard and mouse, 
> which by the way is a great idea as good PS/2 devices are rare to find 
> new, I used the following commands in dom0 
>
> $ qvm-stop --wait sys-usb; \
> qvm-prefs sys-usb template fedora-31; \
> qvm-start sys-usb
>
> This stops the sys-usb qube, changes the template and starts it again. 
>
> Be careful and do not make any mistakes because if the sys-usb qube does 
> not start you might be locked out. 
>
> Hope this helps. 
>
> Cheers, 
> Miguel 
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c69af4b4-a44e-41c4-9d45-497f920fe583%40googlegroups.com.


Re: [qubes-users] Dividing Qubes Into Separate Networks (FAILED)

2020-05-01 Thread 'Zsolt Bicskey' via qubes-users

> Without a lot more information, it's difficult to say.
> Have you checked that the new qube has necessary firmware?
what firmware? 

> Is the NIC on the pentest-gw working correctly?
yes
> Does it work when connected to the port currently used by main-gw?
yes
> Set the VLAN correctly?
yes, as I said if I connect a Windows laptop it works right away
> Set all parameters necessary to satisfy any port security on the switch?
Yes, same answer as above

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/Dq5DAjBavev9h0_CDxYIzuMuw5M9SNhn01wT_G4q0oWb19MIe_ul2Qgu3BZUSvkn3qQ13nIlN1hHcPSQwi_I4vj3IaZwmij_XEEm1OaiRjA%3D%40protonmail.com.


Re: [qubes-users] Dividing Qubes Into Separate Networks (FAILED)

2020-05-01 Thread unman
On Fri, May 01, 2020 at 07:53:53PM +, 'Zsolt Bicskey' via qubes-users wrote:
> Network setup: pfsense router + UniFi Switch
> 
> I have two NICs on the server running Qubes. On one I want the network to 
> connect to the main LAN via DHCP and get out that way (that's done and working 
> like charm).
> 
> On the other NIC I want a separate gateway (sys-net) and separate firewall 
> going through a VLAN out to the internet. pfsense and switch is setup 
> properly. If I connect a Windows laptop to that dedicated port it works. It 
> does not work on Qubes:
> 
> I cloned the main firewall named it to pentest-firewall. I cloned the main 
> gateway name it to pentest-gw. If I point the pentest-firewall to the main-gw 
> everything works but then I am reaching the internet from the wrong NIC. But 
> if I point the pentest-firewall at the pentest-gw there is no internet. I 
> assigned the NIC to the pentest-gw. I see the mac address but I am not 
> getting IP via DHCP. If I set the IP manually then I see on the switch the 
> dedicated port cycles every 2 seconds between off / on?? / blocked. Either 
> way I cannot access the internet.
> 
> What am I missing?
> 

Without a lot more information, it's difficult to say.
Have you checked that the new qube has necessary firmware? 
Is the NIC on the pentest-gw working correctly? 
Does it work when connected to the port currently used by main-gw?
Set the VLAN correctly? 
Set all parameters necessary to satisfy any port security on the switch?

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2020050200.GB6970%40thirdeyesecurity.org.


Re: [qubes-users] Clipboard Copy Paste From HVMs

2020-05-01 Thread unman
On Fri, May 01, 2020 at 04:42:16PM -0500, Sven Semmler wrote:
> On Fri, May 01, 2020 at 09:20:33PM +, Zsolt Bicskey wrote:
> > I have a template VM ready, clone the repo but what do I do next? How / 
> > what do I edit in the builder.conf so I only end up with a package that 
> > will help with the HVM Clipboard goal? 
> 
> I don't know (haven't spent the time) how to do that. But you could use
> the setup script to only build the template for the OS you are
> interested in (e.g. bionic). The resulting packages will then be in
> qubes-packages-mirror-repo/vm-bionic/deb
> 
> I suppose you want at least:
> 
>   - qubes-core-agent
>   - qubes-core-agent-qrexec
>   - qubes-core-agent-networking
>   
> /Sven
> 

No need to build the whole template.
Run ./setup to configure the targets that you want.
Then run `make` and you will see a list of potential component targets.
Then make sure you only build the vm target rather than the dom0 package
by appending `-vm` to the name.
So `make core-agent-linux-vm` will build all the qubes-core-agent
packages - as Sven says, they will be in the qubes-packages-mirror-repo
directory.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200502003829.GA6970%40thirdeyesecurity.org.


[qubes-users] external CD writer

2020-05-01 Thread Olaf Klinke
(Apologies for pestering this list with another newbie question.)

So I have this external DVD-RW drive (Asus SDRW-08U7M-U to be
specific). On my Debian stretch laptop, plugging in the USB drive
creates /dev/sr0 as well as several symlinks to it, e.g. /dev/cdrw,
/dev/dvd etc.

Plugging the drive into my Qubes desktop, I get notified of the
availability of this drive and can attach /dev/sr0 to a Debian buster
AppVM qube as /dev/xvdi. I can mount /dev/xvdi and read data from a CD
all right. 

However, in contrast to my Debian laptop, brasero does not recognize
the drive as a writer, not even when I create the same /dev/cdrw
symlink. In addition to that, both commands 
dvd+rw-mediainfo /dev/xvdi
cd-info -C /dev/xvdi
exit with an error (details below). Thus it seems that some crucial bit
did not get forwarded to/is not installed in the AppVM. Probably I'm
just lacking the knowledge how different writing to a CD is from
reading from CD, on the hardware level. Is there more to burning a CD
than a single block special device?
 
Any hints welcome.
Olaf


# dvd+rw-mediainfo /dev/xvdi
:-( unable to INQUIRY: Invalid argument
# cd-info -C /dev/xvdi
cd-info version 2.0.0 x86_64-pc-linux-gnu
Copyright (c) 2003-2005, 2007-2008, 2011-2015, 2017 R. Bernstein
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
CD location   : /dev/xvdi
CD driver name: GNU/Linux
   access mode: IOCTL

Error in getting drive hardware properties
Error in getting drive reading properties
Error in getting drive writing properties
__

Disc mode is listed as: Error in getting information
++ WARN: error in ioctl CDROMREADTOCHDR: Invalid argument



-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/707446f665bd912823c2bdf29254087c019c40e0.camel%40aatal-apotheke.de.


Re: [qubes-users] Re: Fedora 30 approaching EOL, Fedora 31 TemplateVM available, Fedora 32 TemplateVM in testing

2020-05-01 Thread Sven Semmler
On Fri, May 01, 2020 at 11:42:52PM +0200, dhorf-hfref.4a288...@hashmail.org 
wrote:
> > So make sure to remove those from your grub/EFI config before rebooting!
> 
> yes, that would be what the second qubesctl call does.
> there should be no need for manual config editing during this.
> 
> 
> > The USB qube will work anyway but if it's not running dom0 will have
> > USB. If you skip this step you won't be able to control your computer
> > after reboot.
> 
> only during / right after reboot.
> once sys-usb tried to start, the controller will not return to dom0
> until next reboot (or you do some ritual dancing that requires a kbd...)
> 
> that's what my "disable sys-usb autostart if you rely on a USB kbd"
> recommendation is about. 
> so you actually have a kbd to fix things if you manage to wreck your
> sys-usb ... config, template, filesystem damage, so many ways ...

Cool. Just making sure ... ;-)

/Sven

-- 
 public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6


-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200501214508.GF2229%40app-email-private.


Re: [qubes-users] Re: Fedora 30 approaching EOL, Fedora 31 TemplateVM available, Fedora 32 TemplateVM in testing

2020-05-01 Thread dhorf-hfref . 4a288f10
On Fri, May 01, 2020 at 04:33:55PM -0500, Sven Semmler wrote:

> So make sure to remove those from your grub/EFI config before rebooting!

yes, that would be what the second qubesctl call does.
there should be no need for manual config editing during this.


> The USB qube will work anyway but if it's not running dom0 will have
> USB. If you skip this step you won't be able to control your computer
> after reboot.

only during / right after reboot.
once sys-usb tried to start, the controller will not return to dom0
until next reboot (or you do some ritual dancing that requires a kbd...)

that's what my "disable sys-usb autostart if you rely on a USB kbd"
recommendation is about. 
so you actually have a kbd to fix things if you manage to wreck your
sys-usb ... config, template, filesystem damage, so many ways ...




-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200501214252.GC990%40priv-mua.


Re: [qubes-users] Clipboard Copy Paste From HVMs

2020-05-01 Thread Sven Semmler
On Fri, May 01, 2020 at 09:20:33PM +, Zsolt Bicskey wrote:
> I have a template VM ready, clone the repo but what do I do next? How / what 
> do I edit in the builder.conf so I only end up with a package that will help 
> with the HVM Clipboard goal? 

I don't know (haven't spent the time) how to do that. But you could use
the setup script to only build the template for the OS you are
interested in (e.g. bionic). The resulting packages will then be in
qubes-packages-mirror-repo/vm-bionic/deb

I suppose you want at least:

- qubes-core-agent
- qubes-core-agent-qrexec
- qubes-core-agent-networking

/Sven

-- 
 public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6


-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200501214216.GD2229%40app-email-private.


Re: [qubes-users] Re: Fedora 30 approaching EOL, Fedora 31 TemplateVM available, Fedora 32 TemplateVM in testing

2020-05-01 Thread Sven Semmler
On Fri, May 01, 2020 at 11:02:56PM +0200, dhorf-hfref.4a288...@hashmail.org 
wrote:
> you should configure a sys-usb anyways.
>   https://www.qubes-os.org/doc/usb-qubes/
> just two qubesctl calls. (plus one qvm-prefs to disable autostart)

WARNING! Read the instructions carefully! Running the script will add
parameters to your boot config that tell dom0 to ignore USB. In your
case (only USB keyboard) that can end in disaster (meaning you are
locked out).

So make sure to remove those from your grub/EFI config before rebooting!
The USB qube will work anyway but if it's not running dom0 will have
USB. If you skip this step you won't be able to control your computer
after reboot.

We have a tragic case of this every other month in this list.

/Sven

-- 
 public key: https://www.svensemmler.org/0x8F541FB6.asc
fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6


-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200501213355.GC2229%40app-email-private.


Re: [qubes-users] Clipboard Copy Paste From HVMs

2020-05-01 Thread 'Zsolt Bicskey' via qubes-users
> Maybe I can best describe that based on my use case: Ubuntu
>
> -   first I created a StandaloneVM named qubes-builder based on
>     fedora-minimal
> -   then I followed the instructions from the Qubes website to install the
>     dependencies, clone the repository and run the setup scripts
> -   next I build the actual Ubuntu bionic template
> -   again following the instructions from the Qubes website I then copied
>     the resulting RPM into dom0 and installed the template
>
> This last step you do only one time of course. Now you clone the
> template, customize it, install apps...
>
> Here is what I do every day:
>
> -   in qubes-builder I do a git pull and if there are changes I rerun the
>     setup script
> -   then I run the make commands
> -   when the build is done I use qvm-copy to copy the Qubes specific
>     bionic packages to my sys-firewall (it runs an instance of webfs)
> -   in sys-firewall I have a script that now copies the packages from
>     QubesIncoming to the location webfs uses. The script also runs the
>     reprepro command to prepare the additional info files required.
> -   in my templates I added a file into /etc/apt/sources.list.d/ that
>     points to the IP address of my sys-firewall (the webfs instance)
> -   so now I can run a normal sudo apt update in my templates and all is
>     good.
>
> In summary: you use qubes-builder to build the Qubes related packages
> and then copy / install them in your respective qube.
>
> /Sven
>
> --
> public key: https://www.svensemmler.org/0x8F541FB6.asc
> fingerprint: D7CA F2DB 658D 89BC 08D6 A7AA DA6E 167B 8F54 1FB6
>

Sven, this sounds fantastic... but I got totally stuck. 

I have a template VM ready, clone the repo but what do I do next? How / what do 
I edit in the builder.conf so I only end up with a package that will help with 
the HVM Clipboard goal? 

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/88_tW5wpU5TVo5GxvJ7yMRkpmfsDFVf5FDIy3fymuueRpu-_yGyeNudhPxRy7ShlbhrfY4I-xqrVGpK1YVBsSJALNz3tnVub1mHwVBG2Ldo%3D%40protonmail.com.


Re: [qubes-users] Re: Fedora 30 approaching EOL, Fedora 31 TemplateVM available, Fedora 32 TemplateVM in testing

2020-05-01 Thread dhorf-hfref . 4a288f10
On Fri, May 01, 2020 at 10:33:08PM +0200, Olaf Klinke wrote:
> > > and my keyboard / mouse uses sys-usb. I need to have this appVM
> > > running to use the peripheral obviously. But, since the appVM
> > > running, I can't update the templateVM?

if you really _need_ sys-usb (== only keyboard is USB), i would
recommend disabling sys-usb autostart anyways.
then replacing the template can be done on next reboot before
starting sys-usb.

or do that scripted shutdown/prefs/start dance. 
but that can be a bit tricky for various reasons.
and i would recommend to try it with autostart disabled anyways, 
just in case.


> I do not have a sys-usb, since I installed Qubes OS while using a USB
> keyboard. Which domain are my USB devices attached to? The Qubes

you should configure a sys-usb anyways.
https://www.qubes-os.org/doc/usb-qubes/
just two qubesctl calls. (plus one qvm-prefs to disable autostart)



> documentation is not explicit about that, it only says removing the
> sys-usb qube will attach the devices directly to dom0. Is that the way
> Qubes configures itself when installing without PS/2 keyboard? 

yes, your usb will be directly attached to dom0 currently.
and that is not a recommended configuration.
otoh, it means you don't have to worry about replacing the template. ;)


some hints regarding the whole scripted replacement plan though...

> qvm-stop --wait $QUBE_WITH_USB 

... there is no qvm-stop.


> sleep 10

10sec is _very_ optimistic for a full sys-usb boot and settling
the USB situation. i would recommend something like 120sec.




-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200501210256.GB990%40priv-mua.


Re: [qubes-users] Re: Fedora 30 approaching EOL, Fedora 31 TemplateVM available, Fedora 32 TemplateVM in testing

2020-05-01 Thread Catacombs
Will there be a new release of QUBEs to avoid a new release of iso?

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/744fbf8d-1cad-4e19-b133-741a6ee6c31a%40googlegroups.com.


Re: [qubes-users] Re: Fedora 30 approaching EOL, Fedora 31 TemplateVM available, Fedora 32 TemplateVM in testing

2020-05-01 Thread Olaf Klinke
On Fri, 2020-05-01 at 18:22 +0100, Miguel Barbosa Gonçalves wrote:
> On 2020-05-01 17:48, brendan.h...@gmail.com wrote:
> > On Friday, May 1, 2020 at 12:39:54 AM UTC-4, seshu wrote:
> > 
> > One question that just occurred to me about upgrading the template
> > VM's. Many of the comments and posts in this forum are assuming
> > Qubes is installed on a laptop. I have it installed on a desktop,
> > and my keyboard / mouse uses sys-usb. I need to have this appVM
> > running to use the peripheral obviously. But, since the appVM is
> > running, I can't update the templateVM?
> 
> Hi!
> 
> Before I had an additional USB controller for my keyboard and mouse, 
> which by the way is a great idea as good PS/2 devices are rare to find 
> new, I used the following commands in dom0
> 
> $ qvm-stop --wait sys-usb; \
> qvm-prefs sys-usb template fedora-31; \
> qvm-start sys-usb
> 
> This stops the sys-usb qube, changes the template and starts it again.
> 
> Be careful and do not make any mistakes because if the sys-usb qube does 
> not start you might be locked out.
> 
> Hope this helps.
> 
> Cheers,
> Miguel
> 
I am on a desktop, too, and would not know where another USB controller
should be on the machine, whence Brendan's suggestions are not feasible
for me. I take it the above commands replace the template rather than
upgrading the same template? I think swapping out the templates might
be a safer route for a qubes-newbie like me. 

I do not have a sys-usb, since I installed Qubes OS while using a USB
keyboard. Which domain are my USB devices attached to? The Qubes
documentation is not explicit about that, it only says removing the
sys-usb qube will attach the devices directly to dom0. Is that the way
Qubes configures itself when installing without PS/2 keyboard? 

Is it possible to amend the above commands with an automatic revert?
I'm thinking of the way one changes display settings in Windows. After
a change, a dialogue box is presented asking whether you want to keep
the new settings. If the user does not acknowledge in a few seconds,
the old state is restored. Could the following work? 

Thanks
Olaf

#!/bin/bash
qvm-stop --wait $QUBE_WITH_USB 
qvm-prefs $QUBE_WITH_USB template fedora-${NEW_VERSION}
qvm-start $QUBE_WITH_USB
echo "hit Ctrl-C to keep the new fedora $NEW_VERSION"
sleep 10
# if keyboard still works, the user will be able to interrupt here.
qvm-stop --wait $QUBE_WITH_USB 
qvm-prefs $QUBE_WITH_USB template fedora-${OLD_VERSION}
qvm-start $QUBE_WITH_USB
echo "failed to upgrade to fedora-${NEW_VERSION}"

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/13e3b003ed5f43eab6e7ba843eb98f0d6f7d34e7.camel%40aatal-apotheke.de.
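
The stop / change-template / start sequence with the automatic revert asked about above, with the two corrections made elsewhere in this thread applied (`qvm-shutdown` instead of `qvm-stop`, a 120-second wait instead of 10). This is an added example for dom0, not code from any poster; the `qvm` wrapper, `CONFIRM_TIMEOUT`, the return codes and the typed word `keep` are assumptions of the example.

```shell
#!/bin/bash
# Added example (not from the thread): switch a USB qube to a new template in
# dom0 and fall back to the old template unless the user confirms by keyboard.

CONFIRM_TIMEOUT="${CONFIRM_TIMEOUT:-120}"   # seconds for sys-usb to boot and USB to settle

# Thin wrapper (assumption of this example): "qvm start X" runs "qvm-start X".
qvm() {
    tool="qvm-$1"; shift
    "$tool" "$@"
}

# Succeeds only if "keep" is typed on the terminal before the timeout, which
# proves that the keyboard reaches dom0 through the restarted qube.
confirm_from_keyboard() {
    printf 'Type "keep" and Enter within %s s to keep the new template: ' "$CONFIRM_TIMEOUT"
    answer=""
    read -r -t "$CONFIRM_TIMEOUT" answer </dev/tty || return 1
    [ "$answer" = "keep" ]
}

# Stop the qube if it is running, set its template, start it again.
restart_with_template() {
    r_qube="$1"; r_template="$2"
    if qvm check --running "$r_qube" >/dev/null 2>&1; then
        qvm shutdown --wait "$r_qube" || return 1
    fi
    qvm prefs "$r_qube" template "$r_template" || return 1
    qvm start "$r_qube"
}

# switch_template QUBE NEW_TEMPLATE
# Returns 0 = new template kept, 1 = reverted to the old template,
#         2 = pre-check failed and nothing was changed, 3 = revert failed too.
switch_template() {
    s_qube="$1"; s_new="$2"

    # All checks happen before the qube is stopped, while the keyboard works.
    if ! qvm check --template "$s_new" >/dev/null 2>&1; then
        echo "not a template: $s_new" >&2
        return 2
    fi
    s_old="$(qvm prefs "$s_qube" template)" || return 2
    if [ -z "$s_old" ] || [ "$s_old" = "$s_new" ]; then
        echo "$s_qube: nothing to change" >&2
        return 2
    fi

    # From here on no keyboard input is needed unless the new template works.
    if restart_with_template "$s_qube" "$s_new" && confirm_from_keyboard; then
        echo "$s_qube now uses $s_new"
        return 0
    fi

    echo "no confirmation, reverting $s_qube to $s_old" >&2
    if restart_with_template "$s_qube" "$s_old"; then
        return 1
    fi
    echo "revert failed, $s_qube is not running" >&2
    return 3
}

# Runs only when called with two arguments, e.g.:
#   ./switch-template.sh sys-usb fedora-31
if [ "$#" -eq 2 ]; then
    switch_template "$1" "$2"
fi
```

The revert path also covers the case where the qube fails to start on the new template, since the running check skips the shutdown of an already halted qube.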


Re: [qubes-users] How To Set Up Traffic Mirroring To Security Onion

2020-05-01 Thread 'Zsolt Bicskey' via qubes-users
> Duknow if make actual sense on Qubes, but i used the following successfully on 
> XenServer/XCP-ng, inbound traffic is not visible to SecurityOnion otherwise as 
> originally targeting the tapped network from my understanding:
>
> https://blog.rootshell.be/2013/09/09/xenserver-port-mirroring/
>
> Hope that helps,
>
> Peace!

This information didn't really help me to solve the problem.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/r5iZaiDmyACYEHpp_M92h5-5lPZ0FGPrcGWcFGlhWk2OXpbGNk6QLEMqtnVgLBwSkK_2FxAYIbl8AWU9hX1sdPjtaNQyLZ29AKXvpxXAjbk%3D%40protonmail.com.


[qubes-users] Dividing Qubes Into Separate Networks (FAILED)

2020-05-01 Thread 'Zsolt Bicskey' via qubes-users
Network setup: pfsense router + UniFi Switch

I have two NICs on the server running Qubes. On one I want the network to connect 
to the main LAN via DHCP and get out that way (that's done and working like 
charm).

On the other NIC I want a separate gateway (sys-net) and separate firewall 
going through a VLAN out to the internet. pfsense and switch is setup properly. 
If I connect a Windows laptop to that dedicated port it works. It does not work 
on Qubes:

I cloned the main firewall named it to pentest-firewall. I cloned the main 
gateway name it to pentest-gw. If I point the pentest-firewall to the main-gw 
everything works but then I am reaching the internet from the wrong NIC. But if 
I point the pentest-firewall at the pentest-gw there is no internet. I assigned 
the NIC to the pentest-gw. I see the mac address but I am not getting IP via 
DHCP. If I set the IP manually then I see on the switch the dedicated port 
cycles every 2 seconds between off / on  / blocked. Either way I cannot access 
the internet.

What am I missing?

I also tried not cloning the main-gw but creating a VM from a template, check 
"provides network" and assign the NIC and still didn't work.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4skCjAHbFYSqG5Kn8tkpG97uBQtU0nQd_Hw5iLoeVypckfjK7oAITiXysj4UpQVGxuBrYLTP-skzUlV5cQgPUafgCy3TMyOw2_5tLa0GANs%3D%40protonmail.com.


Re: [qubes-users] Re: Fedora 30 approaching EOL, Fedora 31 TemplateVM available, Fedora 32 TemplateVM in testing

2020-05-01 Thread Miguel Barbosa Gonçalves

On 2020-05-01 17:48, brendan.h...@gmail.com wrote:
> On Friday, May 1, 2020 at 12:39:54 AM UTC-4, seshu wrote:
>
> One question that just occurred to me about upgrading the template
> VM's. Many of the comments and posts in this forum are assuming
> Qubes is installed on a laptop. I have it installed on a desktop,
> and my keyboard / mouse uses sys-usb. I need to have this appVM
> running to use the peripheral obviously. But, since the appVM is
> running, I can't update the templateVM?


Hi!

Before I had an additional USB controller for my keyboard and mouse, 
which by the way is a great idea as good PS/2 devices are rare to find 
new, I used the following commands in dom0


$ qvm-stop --wait sys-usb; \
qvm-prefs sys-usb template fedora-31; \
qvm-start sys-usb

This stops the sys-usb qube, changes the template and starts it again.

Be careful and do not make any mistakes because if the sys-usb qube does 
not start you might be locked out.


Hope this helps.

Cheers,
Miguel

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e4c09987-5c06-a456-4660-56797cff762f%40mbg.pt.


Re: [qubes-users] How to mount App-VMs from Outside qubes

2020-05-01 Thread dhorf-hfref . 4a288f10
On Fri, May 01, 2020 at 06:18:10PM +0200, Dieter wrote:
> I tried accessing data on an old qubes (3.2) drive that doesn't boot

> However after decryption I only see the lvms "qubes_dom0-swap" and
> "qubes_dom0-root" 

> reading from dom0 is no problem but how can I access the other VMs?


mount the dom0 root volume
check for .img files under /var/lib/qubes/

these are loop-mountable volumes

you can dd them to blockdevices, or use as-is.
private volumes should be usable on qubes 4.0 unless they contain
fancy configuration. 

if you want to copy them around, beware of them being sparse files.
(== unless you use some copy tooling that can handle sparse files,
they will take a lot more space after copying than before)


-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200501165357.GA990%40priv-mua.
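
The advice above as an added example (not code from the thread): find the `.img` volumes on the mounted old dom0 root, print apparent versus allocated size so that sparseness is visible, copy an image with its holes preserved, and loop-mount it read-only. It assumes GNU coreutils; the mount point `/mnt/old-dom0` and all function names are hypothetical.

```shell
#!/bin/bash
# Added example (not from the thread). Assumes GNU coreutils (du, cp, find).
# DOM0_ROOT is wherever the old qubes_dom0-root volume has been mounted
# (hypothetical path).

DOM0_ROOT="${DOM0_ROOT:-/mnt/old-dom0}"

# Print "apparent_KiB allocated_KiB" for one file. A sparse image shows a
# large apparent size and a much smaller allocated size.
img_sizes() {
    apparent="$(du -k --apparent-size -- "$1" | cut -f1)"
    allocated="$(du -k -- "$1" | cut -f1)"
    echo "$apparent $allocated"
}

# List every .img file under var/lib/qubes on the old root, with both sizes.
# Output: "apparent_KiB allocated_KiB path", one image per line.
list_images() {
    find "${1:-$DOM0_ROOT}/var/lib/qubes" -type f -name '*.img' |
    while IFS= read -r img; do
        printf '%s %s\n' "$(img_sizes "$img")" "$img"
    done
}

# Copy an image so that holes stay holes, then verify the bytes are identical.
# A copy tool without sparse support would write the holes out as real zeros
# and the copy would occupy the full apparent size on the target disk.
copy_image() {
    cp --sparse=always -- "$1" "$2" || return 1
    cmp -s -- "$1" "$2"
}

# Loop-mount an image read-only at a mount point (needs root).
# If ext4 refuses because the journal needs recovery, mounting a copy of the
# image instead leaves the original untouched.
mount_image_ro() {
    mkdir -p -- "$2" && mount -o loop,ro -- "$1" "$2"
}

# Runs only when called with the mount point of the old dom0 root, e.g.:
#   ./old-qubes-images.sh /mnt/old-dom0
if [ "$#" -eq 1 ]; then
    list_images "$1"
fi
```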


[qubes-users] Re: Fedora 30 approaching EOL, Fedora 31 TemplateVM available, Fedora 32 TemplateVM in testing

2020-05-01 Thread brendan . hoar
On Friday, May 1, 2020 at 12:39:54 AM UTC-4, seshu wrote:
>
> One question that just occurred to me about upgrading the template VM's. 
> Many of the comments and posts in this forum are assuming Qubes is 
> installed on a laptop. I have it installed on a desktop, and my keyboard / 
> mouse uses sys-usb. I need to have this appVM running to use the peripheral 
> obviously. But, since the appVM is running, I can't update the templateVM?
>
> Is there any workaround, or do I need to go get a ps/2 keyboard and then 
> turn off sys-usb, update the template and then restart it? Is that the only 
> option I have? It seems like there could be a better way?
>

If you have a desktop, you probably have at least one pcie slot available 
for an additional USB controller, yes? Some laptops already have multiple 
pci controllers for usb, and some have expresscard slots that can accept an 
additional usb controller. This works for all these cases:

Clone the template.
Do the update in the clone of the template.
If successful continue, otherwise stop.
Create a sys-usb2 based on the cloned/updated template.
Attach your secondary USB controller to it.
Make sure a backup keyboard/mouse is properly seen in that controller.

If that works:
-Set up your system to autostart both sys-usb (using primary usb) and sys-usb2 
(using secondary usb).
-Set up your system to allow keyboard/mouse from both sys-usb and sys-usb2 
(see qubes documentation)

If that doesn't work:
-Stop

Set your sys-usb template to the updated clone, so both sys-usb (with 
primary usb controller) and sys-usb2 (with secondary usb controller) can 
provide keyboard and mouse to the system, including LUKS password.

Reboot.

Once you are sure everything works, you can get rid of your secondary 
sys-usb2 if you want.

B

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/de10c671-78e8-42ca-91b5-e59c36111b5e%40googlegroups.com.


[qubes-users] How to mount App-VMs from Outside qubes

2020-05-01 Thread Dieter
Hi,

I tried accessing data on an old qubes (3.2) drive that doesn't boot
anymore (stuck after decryption with a black screen with blinking _)
using this documentation article.

https://www.qubes-os.org/doc/mount-from-other-os/

However, after decryption I only see the lvms "qubes_dom0-swap" and
"qubes_dom0-root".

Reading from dom0 is no problem, but how can I access the other VMs?

(I accessed the drive via a live linux so I didn't rename the VG)

kind regards,

dieter



Re: [qubes-users] Contradictory measures of disk space in a VM

2020-05-01 Thread Franz
On Wed, Apr 29, 2020 at 3:27 PM  wrote:

> On Wed, Apr 29, 2020 at 03:10:48PM -0300, Franz wrote:
>
> > I tried fsck on dom0, but got the enclosed terror screen.
>
> it would have helped if you had tried to fsck the right filesystem:
> fsck /dev/qubes_dom0/vm-per-dec-private
>
> and if it is asking for repair a bazillion times, perhaps with -y -f
> (and i would keep running it with "-y -f" until at least one run
>  is completely clean...)
> "how to repair a filesystem" is basic system management.
>
>
Dhorf, you are right. What happened is exactly what you have foreseen. It
found a lot of errors and corrected them all, and running it again says
clean.

Well, now I have two similar VMs: the original, repaired, and the new one on which
I copied the content of the original. Which one should I choose? Which is
better?

Also thanks, now I understand things I did not even imagine existed.
Best



Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-05-01 Thread unman
On Fri, May 01, 2020 at 11:54:27AM +, taran1s wrote:
> 
> 
> taran1s:
> > 
> > 
> Chris, I tried now to connect to the kraken.com, which seems to be tor
> unfriendly through me->tor->VPN->kraken.com but it returns error on the
> site "Disabled".
> 
> I learned now that despite I use the above connection model, using VPN
> as an exit, I still exit from the tor exit node and not from the VPN. I
> am not sure what broke.
> 

If I understand your model: me->tor->VPN->kraken.com 
you are running Tor *through* your VPN - this means that your service
provider sees your connection to the VPN, and your VPN provider sees
your connection to the first Tor hop.
Naturally, when you exit the VPN and set up the TOR circuit, it's a Tor
exit node that connects to kraken.
The VPN is NOT an exit in this model. Nothing has broken.



Re: [qubes-users] Me (anon-whonix AppVM) -> Tor -> VPN, settup with Mullvad VPN

2020-05-01 Thread taran1s


taran1s:
> 
> 
> Chris Laprise:
>> On 4/21/20 11:30 AM, taran1s wrote:
>>> Thank you, this did the trick ^^ Link is up. I will test it with the
>>> setup me -> sys-whonix -> ProxyVM setup ->
>>> clearnet_Tor_unfriendly_services ;)
>>>
>>> If I understand it well, I can select a new VPN country for the
>>> particular session just by executing sudo cp any_country_I_need.ovpn
>>> vpn-client.conf right?
>>>
>>
>> Yes, that will work. To change without restarting the VPN VM, you can do:
>>
>> sudo service qubes-vpn-handler stop
>> sudo cp some_location.ovpn vpn-client.conf
>> sudo service qubes-vpn-handler start
>>
> 
> All is working well. Thank you very much Chris. At the end it is
> actually very easy to set up and run. The point was my lack of
> experience in basic commands related to Linux and most probably
> selecting wrong mullvad setup files for my planned routing
> (me->tor->vpn). Now it is much clearer.
> 
> You mention in your previous email "I suggest you look at an
> introduction to Linux command line". Do you have any good resource for that?
> 
> Thank you again ;)
> 

Chris, I tried now to connect to the kraken.com, which seems to be tor
unfriendly through me->tor->VPN->kraken.com but it returns error on the
site "Disabled".

I learned now that despite I use the above connection model, using VPN
as an exit, I still exit from the tor exit node and not from the VPN. I
am not sure what broke.

Can you please try to connect through this setup to for example
kraken.com and click on Features if it returns the "Disabled" error too?

If you have any advice for me, would be very much appreciated. Thank you!



Re: [qubes-users] USB Device attach failed: Attach timeout,

2020-05-01 Thread Mike Keehan

On 4/25/20 11:56 AM, haaber wrote:
> On 4/24/20 11:18 PM, Mike Keehan wrote:
>>> Device attach failed: Attach timeout, check kernel log for details.
>>> VM: "video-conference" File: "/usr/lib/qubes/usb-import" Version Control:
>>> https://github.com/QubesOS/qubes-app-linux-usb-proxy/blob/master/src/usb-import
>>>
>>> <--snip-->
>>>
>>> Rather something qubes-specific seems to mess.  Cheers, Bernhard
>>
>> There is a known problem with Linux usbip not handling reset properly I
>> believe.  I don't think it's a Qubes problem.
>>
>> I use a usb connected camera, and that thread helped me get it working
>> with some programs.  But I still have to disconnect and reconnect the
>> camera to make a second video connection.  Sometimes it takes a
>> number of disconnects, pauses and reconnects before it works.  Along
>> with the occasional "attach timeout" problems from qubes.  And some
>> programs just don't work no matter what I try.
>
> Got it working by putting the video-conference VM to HVM. Maybe that
> helps in your case as well?  Cheers,

Thanks for the suggestion.  I tried it, but it didn't help for my
particular case.  No matter, detaching and re-attaching both physically
and qubes-vm wise works well enough for me :)

Mike.



Re: [qubes-users] Qubes Certified Desktop

2020-05-01 Thread dhorf-hfref . 4a288f10
On Fri, May 01, 2020 at 11:19:45AM +0530, Anil wrote:
> system perhaps? Or better, some older version of NUC or other mini PC?

NUCs will not allow you to do anything weird with the firmware,
so no me_cleaner or coreboot or so.
they work reasonably well with qubes.


> I know Purism is selling a mini PC, but other than that.

asrock deskmini works well for me.
didnt bother with coreboot, but me_cleaner works like a charm.
asrock does not seem to have firmware checksum/signature checks,
and has a good recovery path, so no external hardware/flasher/soldering
needed to apply me_cleaner, including for unbricking.

another option would be chromeboxes.
with official coreboot and linux support.
but rather limited in terms of hardware choices.






Re: [qubes-users] Qubes Certified Desktop

2020-05-01 Thread Anil
> Maybe they would be willing to give back to the community? If you do not have 
> funds but some time to spend,  showing your interest to them of this kind of 
> partnership would mean the world to me, pointing here, and have a total 
> different impact than if I was the one contacting them. Potential customers 
> have a lot more impact than they think they have. Show that you want 
> something and rust thing will exist. Wait for it to happen or do it on your 
> own and it might go extinct just like it did and never get revived.

I will contact them and hope they take it up.

> I'll take this public space since I don't do it enough. Watch my 
> presentation, but most importantly, read the slides 45+ attached to the talk: 
> https://fosdem.org/2020/schedule/speaker/thierry_laurion/

I will go through this.

> But if everybody showed their interest for it, it would happen.  See?

Yes. I know it from a different, but coding related context. Since
this mail is on the mailing list, perhaps many others can do the same.

Regards,

अनिल एकलव्य
(Anil Eklavya)



Re: [qubes-users] Qubes Certified Desktop

2020-05-01 Thread Insurgo Technologies Libres / Open Technologies



On May 1, 2020 8:40:57 AM UTC, Anil  wrote:
>> Nope I can't.  You would have to search around for parts following
>> this doc, do some soldering to adapt spi chip, buy it, reprogram it
>> with firmware built from source, buy compatible RAM and fastest CPU,
>> case, power supply and ssd. Information is scattered around. When I
>> said adventurous, I meant adventurous.
>
> OK. That means I will have to first spend some time learning more
> about this. I can do the soldering, if I know exactly (or find out)
> what has to be soldered to what.
>
>>
>> Port and upstreamed doc
>> https://www.raptorengineering.com/coreboot/kgpe-d16-status.php
>>
>> https://libreboot.org/docs/hardware/kgpe-d16.html
>>
>> Build instructions are valid:
>> http://osresearch.net/Building
>>
>> Status report on heads. No TPM support as of now. But rom can be
>> remotely attested by libremkey if really really adventurous without a
>> TPM. Less secure since no internal root of trust. TPM is desired.
>> https://github.com/osresearch/heads/issues/134
>
> This will certainly help. Thanks.
>
>>
>> It needs adventurous developers or funding to get mainstreamed. Since
>> the board got dropped by coreboot, I lost a bit of interest pushing for
>> that last blob free platform in this lonely path. There is developers
>> ready to do the needed work to bring it back. But funders refused the
>> grant application. Skilled developers are willing to do required work
>> to bring it back but I hesitate to completely self fund the whole
>> project right now since priorities changed, but would be willing for
>> joint partnership.
>>
>> Anyone interested in bringing back that beast to life contact me at
>> insurgo at riseup dot net. This is last RYF x86 platform ever for sure.
>
> I strongly hope some people do that. People working on
> laptops/desktops and phones, but not seemingly on servers. It may not
> be for a data centre, but at least some personal website.
>
>>> Or even just as a desktop, will the setup be nearly as secure as
>>> PrivacyBeast?
>>
>> TPM support lacking under coreboot 4.8.1, present under 4.11. Would
>> love to see that beast fully supported and would even sell it myself
>> under insurgo umbrella. But I wont do it all alone this time. Partners
>> welcome.
>
> If I am able to get the hardware and set it up, I can do some routine
> part of the work that is not too technical in the sense of knowing the
> internal details of TPM or OS kernel etc., with some help, if that can
> reduce the effort required.
>
>> Have funds?
>
> Not really. At most I can buy one.

What is weird is that needed work would be the cost of buying 4 already made 
servers if not less. Could reach out to technoethical and Vikings one last 
time, which profited of work that was paid by Leah Rowe originally to sell 
their d16 branded stuff. 

Maybe they would be willing to give back to the community? If you do not have 
funds but some time to spend,  showing your interest to them of this kind of 
partnership would mean the world to me, pointing here, and have a total different 
impact than if I was the one contacting them. Potential customers have a lot 
more impact than they think they have. Show that you want something and rust 
thing will exist. Wait for it to happen or do it on your own and it might go 
extinct just like it did and never get revived.

The actual reason why that board was dropped by coreboot was because not 
enough people showed they cared for it to be maintained. Maintainership is a 
hard problem.

I'll take this public space since I don't do it enough. Watch my presentation, 
but most importantly, read the slides 45+ attached to the talk: 
https://fosdem.org/2020/schedule/speaker/thierry_laurion/



The more time between a board being dropped upstream under coreboot and the 
time it is put back under compliance the more expensive it will be. Now would 
be a good time for collaboration. 

If this community showed interest in having a RYF certified server/desktop 
under Heads, it would happen in a snap.

Chicken and egg problems everywhere.
But if everybody showed their interest for it, it would happen.  See?
>
>Regards,
>
>अनिल एकलव्य
>(Anil Eklavya)

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: [qubes-users] Qubes Certified Desktop

2020-05-01 Thread Anil
> Nope I can't.  You would have to search around for parts following this doc, 
> do some soldering to adapt spi chip, buy it, reprogram it with firmware built 
> from source, buy compatible RAM and fastest CPU, case, power supply and ssd. 
> Information is scattered around. When I said adventurous, I meant adventurous.

OK. That means I will have to first spend some time learning more
about this. I can do the soldering, if I know exactly (or find out)
what has to be soldered to what.

>
> Port and upstreamed doc
> https://www.raptorengineering.com/coreboot/kgpe-d16-status.php
>
> https://libreboot.org/docs/hardware/kgpe-d16.html
>
> Build instructions are valid:
> http://osresearch.net/Building
>
> Status report on heads. No TPM support as of now. But rom can be remotely 
> attested by libremkey if really really adventurous without a TPM. Less secure 
> since no internal root of trust. TPM is desired.
> https://github.com/osresearch/heads/issues/134

This will certainly help. Thanks.

>
> It needs adventurous developers or funding to get mainstreamed. Since the 
> board got dropped by coreboot, I lost a bit of interest pushing for that last 
> blob free platform in this lonely path. There is developers ready to do the 
> needed work to bring it back. But funders refused the grant application. 
> Skilled developers are willing to do required work to bring it back but I 
> hesitate to completely self fund the whole project right now since priorities 
> changed, but would be willing for joint partnership.
>
> Anyone interested in bringing back that beast to life contact me at insurgo 
> at riseup dot net. This is last RYF x86 platform ever for sure.

I strongly hope some people do that. People working on
laptops/desktops and phones, but not seemingly on servers. It may not
be for a data centre, but at least some personal website.

> >Or even just as a desktop, will the setup be nearly as secure as
> >PrivacyBeast?
>
> TPM support lacking under coreboot 4.8.1, present under 4.11. Would love to 
> see that beast fully supported and would even sell it myself under insurgo 
> umbrella. But I wont do it all alone this time. Partners welcome.

If I am able to get the hardware and set it up, I can do some routine
part of the work that is not too technical in the sense of knowing the
internal details of TPM or OS kernel etc., with some help, if that can
reduce the effort required.

> Have funds?

Not really. At most I can buy one.

Regards,

अनिल एकलव्य
(Anil Eklavya)



Re: [qubes-users] Qubes Certified Desktop

2020-05-01 Thread Insurgo Technologies Libres / Open Technologies



On May 1, 2020 7:07:24 AM UTC, Anil  wrote:
>> Kgpe-d16 is supported under heads, is blobless and supported by
>> coreboot 4.11 and heads under coreboot 4.8.1 as of right now with plans
>> of
>
> Can you give an approximate price (right now no one is shipping, so
> they are not showing the price either)? Any particular processor that
> is more suitable? The Asus page says it works with Opteron 6000 series
> processors. Also the price of the processor.

Nope I can't.  You would have to search around for parts following this doc, do 
some soldering to adapt spi chip, buy it, reprogram it with firmware built from 
source, buy compatible RAM and fastest CPU, case, power supply and ssd. 
Information is scattered around. When I said adventurous, I meant adventurous.

Port and upstreamed doc
https://www.raptorengineering.com/coreboot/kgpe-d16-status.php

https://libreboot.org/docs/hardware/kgpe-d16.html

Build instructions are valid:
http://osresearch.net/Building

Status report on heads. No TPM support as of now. But rom can be remotely 
attested by libremkey if really really adventurous without a TPM. Less secure 
since no internal root of trust. TPM is desired.
https://github.com/osresearch/heads/issues/134

It needs adventurous developers or funding to get mainstreamed. Since the board 
got dropped by coreboot, I lost a bit of interest pushing for that last blob 
free platform in this lonely path. There is developers ready to do the needed 
work to bring it back. But funders refused the grant application. Skilled 
developers are willing to do required work to bring it back but I hesitate to 
completely self fund the whole project right now since priorities changed, but 
would be willing for joint partnership.

Anyone interested in bringing back that beast to life contact me at insurgo at 
riseup dot net. This is last RYF x86 platform ever for sure. 

You can try to get to those people selling it through d16 tag here, already 
assembled https://www.fsf.org/resources/hw/systems

It would require of you to buy a CH341a reprogrammer and clip to flash built 
head, and flash built BMC internally from heads as documented on github per 
status report.

But that wont come with TPM support nor heads added security, but it will all 
be open source.


>
>> Using it as a server personally. With a qubesos supported video card
>> and jumper set to deactivate onboard integrated graphic (which offers
>> really poor graphics) that could be an awesome project, but
>> adventurous.
>
> Someone wrote that Qubes OS is meant to be used as a laptop/desktop
> OS. How much effort is required to set it up as a server? As I
> understand, the compartmentalization provided by Qubes OS can be
> useful in some contexts.

Absolutely. With openbmc and command line as if you were behind Dom0 remotely,  
this is a beast.

https://raptorengineering.com/coreboot/kgpe-d16-bmc-port-status.php

With qubes-network-server, you can offer DMZ servers from appvms.

https://github.com/Rudd-O/qubes-network-server




>
>Or even just as a desktop, will the setup be nearly as secure as
>PrivacyBeast?

TPM support lacking under coreboot 4.8.1, present under 4.11. Would love to see 
that beast fully supported and would even sell it myself under insurgo 
umbrella. But I wont do it all alone this time. Partners welcome.

As you can see, this is not an easy task. But if there is will there is hope. 

Have funds?
Insurgo
>
>Regards,
>
>अनिल एकलव्य
>(Anil Eklavya)

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: [qubes-users] Qubes Certified Desktop

2020-05-01 Thread Anil
> Kgpe-d16 is supported under heads, is blobless and supported by coreboot 4.11 
> and heads under coreboot 4.8.1 as of right now with plans of

Can you give an approximate price (right now no one is shipping, so
they are not showing the price either)? Any particular processor that
is more suitable? The Asus page says it works with Opteron 6000 series
processors. Also the price of the processor.

> Using it as a server personally. With a qubesos supported video card and 
> jumper set to deactivate onboard integrated graphic (which offers really poor 
> graphics) that could be an awesome project, but adventurous.

Someone wrote that Qubes OS is meant to be used as a laptop/desktop
OS. How much effort is required to set it up as a server? As I
understand, the compartmentalization provided by Qubes OS can be
useful in some contexts.

Or even just as a desktop, will the setup be nearly as secure as PrivacyBeast?

Regards,

अनिल एकलव्य
(Anil Eklavya)
