[qubes-users] Re: HCL - Dell Precision 7550

2020-11-29 Thread Matt McCutchen
I decided to go back and get the "support" file, attached.

I also noticed the recent thread on qubes-users about the kernel 5.4.
However, when I tried this kernel, Qubes OS was completely unusable:
starting from the point where the OS-level boot log would normally
appear ("Starting service X...", etc.), the screen showed garbled
pixels.  I thought the system might be waiting for the disk encryption
password and I tried entering it, but that did not help.

Matt

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/10b9ae47fa643426123f2f4aaabfa18b243bec58.camel%40mattmccutchen.net.


Qubes-HCL-Dell_Inc_-Precision_7550-20201129-161202.cpio.gz
Description: application/cpio-compressed


[qubes-users] HCL - Dell Precision 7550

2020-11-29 Thread Matt McCutchen
My employer recently issued me a Dell Precision 7550, which came with a
Ubuntu installation with some OEM customizations.  I hoped to use Qubes
OS to protect my employee records and communications from all the
software I'll be running as part of my development work.
Unfortunately, my assessment is that under even a pessimistic estimate
of this risk, given the many problems and my limited hardware
troubleshooting skills, I don't want to do any more work to try to get
Qubes OS to work adequately on this laptop at this time.

I used the Qubes R4.0.3 installer and the Fedora 32 XFCE template.
After installation, I ran updates in both dom0 and the template to see
if that would help with anything, but it didn't.  (Given that the
network didn't work under Qubes OS, I ran updates using a nasty,
insecure hack that I deemed adequate for testing, with plans to
reinstall with a better approach if I thought there was hope of
success.)

- To get the installer to start at all, I had to remove noexitboot and
mapbs as described at 
https://www.qubes-os.org/doc/uefi-troubleshooting/#removing-noexitboot-and-mapbs
and turn off "Enable switchable graphics" in the BIOS.

- Display redrawing was very slow in both the installer and dom0 after
installation: when I advanced to the next screen of the installer or
started an application in dom0 such as Qube Manager, it could take up
to a second or so for the screen to redraw from top to bottom.
Disabling compositing in the XFCE Window Manager Tweaks in dom0 made
the problem less bad, but it was still unacceptable to me.

- After installation, the screen brightness keys on the keyboard had no
effect on the screen brightness, and when I tried to drag the screen
brightness slider in the XFCE Power Manager applet, the applet
segfaulted.

- When my NetVM used the dom0-provided kernel, neither the wired nor
the Wi-Fi network device worked.  When it used the kernel in the VM,
the boot process got stuck for a reason not evident from the log in
Qube Manager, whether or not the network PCI devices were assigned to
the VM.  When the devices were assigned, the log did show that the VM
tried to initialize at least the wired network using the "e1000e"
driver.

I'm going to use the OEM procedure to wipe the laptop and reinstall the
OS now because I need to reinstall the OS anyway for another reason.
I'm open to parallel installing Qubes OS again in the future if
someone wants me to perform specific tests, though it will be a low
priority for me.

This was a humbling reminder that I can't assume Qubes OS will work on
arbitrary hardware.  I was very fortunate that when I first tried it in
October 2014, it worked on the personal Lenovo ThinkPad L430 that I had
bought in November 2012 without anticipating I'd use Qubes OS.  For my
next personal laptop, I'll definitely shop for Qubes OS compatibility,
but my employer is only half-serious about information security and I
don't think I have any leverage to ask them to consider Qubes OS
compatibility in purchasing company laptops.

Matt



Qubes-HCL-Dell_Inc_-Precision_7550-20201129-141058.yml
Description: application/yaml


Re: [qubes-users] Re: Please help test kernel 5.4 in anticipation of Qubes 4.0.4-rc2

2020-11-29 Thread haaber

I detected neither issues, all is working well. I'll continue to test
with my daily usage and report again in 2 days with more tests.

For users who want to test, the complete command is:

[xxx@dom0 ~]$ sudo qubes-dom0-update --action=upgrade --enablerepo=qubes-dom0-current-testing kernel kernel-qubes-vm


I experienced regular complete freezes of xen (after 5-30 minutes xen
would be dead) -- I had to downgrade the xen kernel back to 4.19.155 -
to be able to write this mail. HCL report attached.  Bernhard



Qubes-HCL-Dell_Inc_-Latitude_7390-20201129-212036.yml
Description: application/yaml


Re: [qubes-users] Unable to get VPN to ping out. Unable to set up ProxyVM as sys-vpn

2020-11-29 Thread David Hobach

On 11/29/20 12:09 PM, David Hobach wrote:


On 11/28/20 9:26 PM, setemera...@posteo.net wrote:

Documentation followed: 
http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts



Someone please help me, I'm fucking screaming here every time I try to do the 
right thing following documentation or try to figure out why my own OS is 
stopping me from doing basic shit.


Hmmm yes the official Qubes doc on VPN is still overcomplicating things a bit 
too much and even lacking in some areas.

Here's a simple and probably even better way than the official doc:

1. Set up a network infrastructure such as:

                                               your VPN client VM 1
sys-net -- sys-fw -- sys-vpn -- sys-fw-vpn --|
                                               your VPN client VM 2 etc.

Use `qvm-prefs netvm` and `qvm-prefs provides_network` for that.

2. IMPORTANT: Configure your Qubes OS firewall to only allow traffic from 
sys-vpn to your VPN provider.
I.e. `qvm-firewall sys-vpn --raw` should show something like
```
action=accept proto=tcp dst4=[VPN IP]/32 dstports=[port]-[port]
```
in the end. Use `qvm-firewall` and not the GUI as the GUI will allow e.g. DNS & 
pings by default IIRC (you need to remove those GUI rules).

If you leave out this step or get it wrong, VPN leaks may be possible.
For testing purposes you could skip this step and implement it after step 3 
though.

3. Inside sys-vpn at `/rw/config/rc.local` (autostart file) start your VPN 
client, e.g. `openvpn` with whatever config you need.


P.S.: If DNS doesn't work after step 3, you might have to add the following 
lines to `/rw/config/rc.local` inside `sys-vpn`:

```
#[your openvpn stuff here]
echo "nameserver [your DNS server]" > /etc/resolv.conf
/usr/lib/qubes/qubes-setup-dnat-to-ns
```


That's it. No messing with iptables et al required... ^^
(Actually there's one iptables rule that would improve security by 0,01%, but I 
guess it's not really relevant to 99,9% of users.)

Maybe someone should update the official recommendations.


Thank you for taking the time to help me so far. Be well.


You too.



smime.p7s
Description: S/MIME Cryptographic Signature


Re: [qubes-users] Unable to get VPN to ping out. Unable to set up ProxyVM as sys-vpn

2020-11-29 Thread David Hobach


On 11/28/20 9:26 PM, setemera...@posteo.net wrote:

Documentation followed: 
http://qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts



Someone please help me, I'm fucking screaming here every time I try to do the 
right thing following documentation or try to figure out why my own OS is 
stopping me from doing basic shit.


Hmmm yes the official Qubes doc on VPN is still overcomplicating things a bit 
too much and even lacking in some areas.

Here's a simple and probably even better way than the official doc:

1. Set up a network infrastructure such as:

                                               your VPN client VM 1
sys-net -- sys-fw -- sys-vpn -- sys-fw-vpn --|
                                               your VPN client VM 2 etc.

Use `qvm-prefs netvm` and `qvm-prefs provides_network` for that.

2. IMPORTANT: Configure your Qubes OS firewall to only allow traffic from 
sys-vpn to your VPN provider.
I.e. `qvm-firewall sys-vpn --raw` should show something like
```
action=accept proto=tcp dst4=[VPN IP]/32 dstports=[port]-[port]
```
in the end. Use `qvm-firewall` and not the GUI as the GUI will allow e.g. DNS & 
pings by default IIRC (you need to remove those GUI rules).

If you leave out this step or get it wrong, VPN leaks may be possible.
For testing purposes you could skip this step and implement it after step 3 
though.

3. Inside sys-vpn at `/rw/config/rc.local` (autostart file) start your VPN 
client, e.g. `openvpn` with whatever config you need.

That's it. No messing with iptables et al required... ^^
(Actually there's one iptables rule that would improve security by 0,01%, but I 
guess it's not really relevant to 99,9% of users.)

Maybe someone should update the official recommendations.


Thank you for taking the time to help me so far. Be well.


You too.



smime.p7s
Description: S/MIME Cryptographic Signature
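
Added example (not part of the original messages or the Qubes documentation): a check for step 2 of the procedure above, flagging any accept rule in `qvm-firewall sys-vpn --raw` output that is not pinned to the VPN endpoint. The endpoint 203.0.113.10 port 443, the function names and both sample rule lists are constructed for illustration.

```bash
#!/bin/sh
# Added example: audit a VPN gateway qube's raw firewall rules for leak paths.
# In dom0:  qvm-firewall sys-vpn --raw | audit_vpn_rules <VPN IP> <port>
# Rules are read from stdin so the check can also be run on saved output.

# audit_vpn_rules VPN_IP PORT
# Prints one finding per line and returns 0 only if every accept rule is
# pinned to VPN_IP/32 on PORT and at least one such rule exists.
audit_vpn_rules() (
    vpn_ip=$1; port=$2; findings=0; pinned=0
    while IFS= read -r line || [ -n "$line" ]; do
        case " $line " in
            *" action=accept "*) ;;      # only accept rules can leak
            *) continue ;;
        esac
        case " $line " in
            *" dst4=$vpn_ip/32 "*) ;;
            *)  echo "LEAK: accept rule not pinned to the VPN endpoint: $line"
                findings=$((findings + 1)); continue ;;
        esac
        case " $line " in
            *" dstports=$port-$port "*) pinned=$((pinned + 1)) ;;
            *)  echo "WIDE: accept rule not limited to port $port: $line"
                findings=$((findings + 1)) ;;
        esac
    done
    if [ "$pinned" -eq 0 ]; then
        echo "NONE: no accept rule for $vpn_ip port $port, the VPN cannot connect"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
)

# Constructed sample: rule list with DNS and ping still allowed.
sample_gui_rules() {
    printf '%s\n' \
        'action=accept proto=tcp dst4=203.0.113.10/32 dstports=443-443' \
        'action=accept specialtarget=dns' \
        'action=accept proto=icmp' \
        'action=drop'
}

# Constructed sample: only the VPN endpoint is reachable.
sample_pinned_rules() {
    printf '%s\n' \
        'action=accept proto=tcp dst4=203.0.113.10/32 dstports=443-443' \
        'action=drop'
}

sample_gui_rules | audit_vpn_rules 203.0.113.10 443 || echo "sys-vpn rules need fixing"
```

The check only reads rule text; it does not confirm that the rules are enforced, so a connectivity test from a client qube with the VPN process stopped is still worth doing.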