Re: [qubes-users] Using the second os on the (dual-booted) system as a VM

2022-07-13 Thread MUT
Would love to see the notes. And yeah, that's more or less what I thought of 
doing too.
On Monday, July 11, 2022 at 8:26:30 PM UTC+4 unman wrote:

> On Mon, Jul 11, 2022 at 05:14:05AM -0700, MUT wrote:
> > I want to try creating maybe a standalone VM that would mount a partition
> > on my hard drive which has a separate os installed on it as its root, and
> > use that as a VM. Effectively that would let you use the second OS you have
> > installed on a computer besides Qubes as a VM in qubes. I searched around
> > the web to see if someone has done it, but couldn't find anything.
> >
> > I'd be very thankful for any help or advice regarding that, will post some
> > updates after I actually try it.
> >
> I'm surprised you couldn't find anything on this.
> You want to create a block device using the other partition and use it
> in place of the standalone root.
> You can customise the standalone definition or do some jiggery pokery
> to get it running.
> I hacked about with this and will look out my notes.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bd4c4604-c637-4fa9-92c2-5c34d372c5f1n%40googlegroups.com.


[qubes-users] VM initial memory

2022-07-13 Thread Qubes

Hi

I am trying to figure out the significance of the "Initial memory" 
setting of a VM. Does it make any difference? For example VM A and B. A 
is configured with 500 MB initial memory and 2000 MB Max memory. VM B is 
configured with 1000 MB Initial memory and also 2000 MB Max memory. Is 
there a situation where the initial memory will play a role?


I did once have a problem where, I think at the time, it was a 
Fedora 32 template that did not boot when its initial memory was set at 
200 MB. Other than start up problems however, does this setting affect 
anything in any way for one to make it a genuine consideration?


--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/968e4a7b-9fbc-6718-53f7-625b1b0882c0%40ak47.co.za.


[qubes-users] XSAs released on 2022-07-12

2022-07-13 Thread Andrew David Wong

Dear Qubes Community,

The Xen Project has released one or more Xen Security Advisories (XSAs).
The security of Qubes OS *is affected*.
Therefore, *user action is required*.


XSAs that affect the security of Qubes OS (user action required)
----------------------------------------------------------------


The following XSAs *do affect* the security of Qubes OS:

- XSA-407

Please see *QSB-083* for the actions users must take in order to
protect themselves, as well as further details about these XSAs:




XSAs that do not affect the security of Qubes OS (no user action required)
--------------------------------------------------------------------------

The following XSAs *do not affect* the security of Qubes OS, and no user 
action is necessary:


- (none)


Related links
-------------

- Xen XSA list: 
- Qubes XSA tracker: 
- Qubes security pack (qubes-secpack): 


- Qubes security bulletins (QSBs): 


This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2022/07/13/xsas-released-on-2022-07-12/

--
Andrew David Wong
Community Manager
The Qubes OS Project
https://www.qubes-os.org

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/70a17d1f-0935-2fac-77ca-b2c95c5f4f21%40qubes-os.org.


[qubes-users] QSB-083: Retbleed: Arbitrary speculative code execution with return instructions (XSA-407)

2022-07-13 Thread Andrew David Wong

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 083: Retbleed:
Arbitrary speculative code execution with return instructions (XSA-407).
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack
(qubes-secpack).

View QSB-083 in the qubes-secpack:



In addition, you may wish to:

- Get the qubes-secpack: 
- View all past QSBs: 
- View the XSA Tracker: 

```

             ---===[ Qubes Security Bulletin 083 ]===---

                             2022-07-12

                              Retbleed

                Arbitrary speculative code execution
                 with return instructions (XSA-407)


User action required
--------------------

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

  For Qubes 4.0, in dom0:
  - Xen packages, version 4.8.5-43

  For Qubes 4.1, in dom0:
  - Xen packages, version 4.14.5-6

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]

Dom0 must be restarted afterward in order for the updates to take
effect.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.


Summary
-------


On 2022-07-12, the Xen Project published XSA-407, "Retbleed -
arbitrary speculative code execution with return instructions" [3]:

| Researchers at ETH Zurich have discovered Retbleed, allowing for
| arbitrary speculative execution in a victim context.
|
| For more details, see:
|   https://comsec.ethz.ch/retbleed
|
| ETH Zurich have allocated CVE-2022-29900 for AMD and CVE-2022-29901 for
| Intel.
|
| Despite the similar preconditions, these are very different
| microarchitectural behaviours between vendors.
|
| On AMD CPUs, Retbleed is one specific instance of a more general
| microarchitectural behaviour called Branch Type Confusion.  AMD have
| assigned CVE-2022-23816 (Retbleed) and CVE-2022-23825 (Branch Type
| Confusion).
|
| For more details, see:
|   https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037
|
| On Intel CPUs, Retbleed is not a new vulnerability; it is only
| applicable to software which did not follow Intel's original
| Spectre-v2 guidance.  Intel are using the ETH Zurich allocated
| CVE-2022-29901.
|
| For more details, see:
|   https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00702.html
|   https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.html
|
| ARM have indicated existing guidance on Spectre-v2 is sufficient.


Impact
------

This is yet another speculative execution issue, which allows an
attacker to infer content of memory they shouldn't have access to. This
includes one VM extracting secrets from another. Any VM can perform this
attack on affected hardware.

AMD systems based on Zen 1 - Zen 2 microarchitectures are affected.
Specifically those are AMD Ryzen processors with model names 1xxx - 4xxx
and some 5xxxU [4]. Zen 3 microarchitecture (AMD Ryzen 5xxx or newer)
is not affected.

Pre-existing Xen mitigations on Intel machines are effective to prevent
this issue, so Intel systems are not affected.

Credits
-------


See the original Xen Security Advisory.


References
----------

[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-407.html
[4] Unlike other 5xxxU models, Ryzen 3 5300U, Ryzen 5 5500U and
Ryzen 7 5700U are Zen 2, not Zen 3. See
https://en.wikipedia.org/wiki/Zen2
https://en.wikipedia.org/wiki/Zen3

--
The Qubes Security Team
https://www.qubes-os.org/security/

```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2022/07/13/qsb-083/

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e75410c2-43d0-b625-d599-0e09f769b635%40qubes-os.org.
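
As an added example (not part of the bulletin or of any Qubes tooling), the shell functions below turn QSB-083's fixed-version list and affected-hardware statement into a triage check. The mapping of Zen 1 through Zen 2 to AMD CPU family 23 (17h), the `xen-hypervisor` package name in the commented usage, and the sample version strings are assumptions or constructed values, not taken from the bulletin.

```shell
#!/bin/sh
# Added example, not from QSB-083. The fixed versions are the bulletin's.

# Minimum fixed Xen version-release for a Qubes release (per QSB-083).
fixed_for_release() {
    case "$1" in
        4.0) echo "4.8.5-43" ;;
        4.1) echo "4.14.5-6" ;;
        *)   return 1 ;;
    esac
}

# version_ge A B: succeeds when A >= B under version ordering (sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# qsb083_verdict QUBES_RELEASE XEN_VERSION_RELEASE CPU_VENDOR CPU_FAMILY
# Prints: patched | vulnerable | update-pending | unknown-release
qsb083_verdict() {
    fixed=$(fixed_for_release "$1") || { echo "unknown-release"; return 0; }
    installed=${2%%.fc*}        # drop the dist tag: 4.14.5-6.fc32 -> 4.14.5-6
    if version_ge "$installed" "$fixed"; then
        echo "patched"          # package installed; dom0 restart still required
    elif [ "$3" = "AuthenticAMD" ] && [ "$4" = "23" ]; then
        # Assumption: family 23 (17h) = Zen 1 through Zen 2, the affected range.
        echo "vulnerable"
    else
        # Intel and Zen 3 are listed as not affected; the update is still due.
        echo "update-pending"
    fi
}

# In dom0 the inputs could be gathered like this (package name is an assumption):
#   ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' xen-hypervisor)
#   vendor=$(awk -F': ' '/^vendor_id/ {print $2; exit}' /proc/cpuinfo)
#   family=$(awk -F': ' '/^cpu family/ {print $2; exit}' /proc/cpuinfo)
#   qsb083_verdict 4.1 "$ver" "$vendor" "$family"

# Constructed sample inputs, so the example runs offline.
while read -r rel ver vendor family; do
    printf '%-4s %-16s %-13s %-3s -> %s\n' "$rel" "$ver" "$vendor" "$family" \
        "$(qsb083_verdict "$rel" "$ver" "$vendor" "$family")"
done <<'EOF'
4.1 4.14.5-6.fc32 AuthenticAMD 23
4.1 4.14.5-5.fc32 AuthenticAMD 23
4.0 4.8.5-42.fc25 GenuineIntel 6
4.1 4.14.5-5.fc32 AuthenticAMD 25
EOF
```

A "patched" verdict reflects the installed package only; the running hypervisor is the new one only after the dom0 restart the bulletin calls for.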


Re: [qubes-users] Re: [qubes-announce] Qubes OS 4.0 reaches EOL on 2022-08-04

2022-07-13 Thread Bernhard

Dear Demi Marie



> What about bisecting between 4.19 and 5.4?

That sounds interesting. I am willing to test.

> The problem with staying on 4.19 is that eventually it will lose support
> upstream.  Qubes is not RHEL, and we can't support an old kernel
> forever.  That you cannot use your hardware on Linux 5.4+ is a bug, but
> without access to the hardware in question there is no way (that I am
> aware of) to figure out what the bug is so that it can be fixed.

Of course it is not a solution: it is a continued workaround that
allows installing 4.1 with an old kernel without being cut off from other
updates, for the time that the real problem takes to solve. *That alone*
is helpful. Because what do I do next? Remove qubes 4.0 and install
vanilla debian instead? Stay on unsupported Q4.0? Both seem worse than
using the newest qubes on an old kernel: surely, it's not forever.

I would really appreciate help from the devs on that single point: an
explication of how to sneak an extra kernel into the iso. They do not
need to explain iso packing & unpacking (that is easy), only how to
twiggle the iso boot procedure.

Thank you so much!  Bernhard





--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bd0f00dc-23d2-cf77-6ee8-7f3644ed02b2%40web.de.


Re: [qubes-users] Fedora 36 templates available

2022-07-13 Thread Demi Marie Obenour

On Wed, Jul 13, 2022 at 09:10:25AM +0200, Qubes wrote:
> Metatron wrote:
> > On Mon, Jun 27, 2022 at 07:41:57PM -0700, Andrew David Wong wrote:
> > > Dear Qubes Community,
> > > 
> > > New Fedora 36 templates are now available for Qubes 4.1!
> > 
> > Is anyone else having this problem:
> > # sudo qubes-dom0-update qubes-template-fedora-36
> > Redirecting to 'qvm-template install  fedora-36'
> > Downloading 'qubes-template-fedora-36-0:4.0.6-202205270243'...
> > qubes-template-fedora-36-0:4.0.6-202205270243:   0%|  | 0.00/1.72G 
> > [00:00 > qubes-template-fedora-36-0:4.0.6-202205270243:   0%|  | 0.00/1.72G 
> > [00:01 > ERROR: [Errno 2] No such file or directory: 
> > '/root/.cache/qvm-template/tmps3hgqf8e/qubes-template-fedora-36-0:4.0.6-202205270243.rpm.UNTRUSTED'
> > 
> 
> I haven't tried to install a Fedora-36 template, I was just about to, but
> when I search for available templates they are definitely not listed.
> 
> Strangely enough the output from the below command doesn't list my installed
> templates either. Not sure if this has anything to do with the switch I made
> in the last 2 days from whonix-15 to whonix-16.
> 
> sudo qubes-dom0-update --action=list qubes-template-*
> Using sys-whonix as UpdateVM to download updates for Dom0; this may take some time...
> Unable to detect release version (use '--releasever' to specify release version)
> Fedora 25 - x86_64 - Updates     140  B/s | 4.5 kB  00:33
> Fedora 25 - x86_64               3.0 kB/s | 4.9 kB  00:01
> Qubes Dom0 Repository (updates)  1.4 kB/s | 2.7 kB  00:01
> Qubes Dom0 Repository (updates)  436 kB/s | 6.8 MB  00:16
> Qubes Templates repository       1.7 kB/s | 2.7 kB  00:01
> Available Packages
> qubes-template-debian-9.noarch           4.0.1-201901281256  qubes-templates-itl
> qubes-template-debian-9-minimal.noarch   4.0.1-201901271906  qubes-templates-itl
> qubes-template-fedora-29.noarch          4.0.1-201909150719  qubes-templates-itl
> qubes-template-fedora-29-minimal.noarch  4.0.1-201909141946  qubes-templates-itl
> qubes-template-fedora-29-xfce.noarch     4.0.1-201909141946  qubes-templates-itl
> qubes-template-fedora-30.noarch          4.0.1-201912252234  qubes-templates-itl
> qubes-template-fedora-30-minimal.noarch  4.0.1-201912251612  qubes-templates-itl
> qubes-template-fedora-30-xfce.noarch     4.0.1-201912251612  qubes-templates-itl
> qubes-template-fedora-31.noarch          4.0.1-202002142323  qubes-templates-itl
> qubes-template-fedora-31-minimal.noarch  4.0.1-202002142323  qubes-templates-itl
> qubes-template-fedora-31-xfce.noarch     4.0.1-202002142323  qubes-templates-itl
> qubes-template-fedora-32.noarch          4.0.6-202101091318  qubes-templates-itl
> qubes-template-fedora-32-minimal.noarch  4.0.6-202101091323  qubes-templates-itl
> qubes-template-fedora-32-xfce.noarch     4.0.6-202101091323  qubes-templates-itl
> qubes-template-fedora-33-minimal.noarch  4.0.6-202102261802  qubes-templates-itl
> qubes-template-fedora-33-xfce.noarch     4.0.6-202102261802  qubes-templates-itl
> qubes-template-fedora-34-xfce.noarch     4.0.6-202110020209  qubes-templates-itl
> qubes-template-fedora-35-xfce.noarch     4.0.6-202205192300  qubes-templates-itl

Fedora 36 will not be made available for R4.0.  R4.0 is also going end
of life soon, so you should upgrade to R4.1.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/Ys6sya47qqOrI5VS%40itl-email.


Re: [qubes-users] Fedora 36 templates available

2022-07-13 Thread Qubes

Metatron wrote:
> On Mon, Jun 27, 2022 at 07:41:57PM -0700, Andrew David Wong wrote:
> > Dear Qubes Community,
> >
> > New Fedora 36 templates are now available for Qubes 4.1!
>
> Is anyone else having this problem:
> # sudo qubes-dom0-update qubes-template-fedora-36
> Redirecting to 'qvm-template install  fedora-36'
> Downloading 'qubes-template-fedora-36-0:4.0.6-202205270243'...
> qubes-template-fedora-36-0:4.0.6-202205270243:   0%|  | 0.00/1.72G 
> [00:00

I haven't tried to install a Fedora-36 template, I was just about to, 
but when I search for available templates they are definitely not listed.


Strangely enough the output from the below command doesn't list my 
installed templates either. Not sure if this has anything to do with the 
switch I made in the last 2 days from whonix-15 to whonix-16.


sudo qubes-dom0-update --action=list qubes-template-*
Using sys-whonix as UpdateVM to download updates for Dom0; this may take some time...
Unable to detect release version (use '--releasever' to specify release version)
Fedora 25 - x86_64 - Updates     140  B/s | 4.5 kB  00:33
Fedora 25 - x86_64               3.0 kB/s | 4.9 kB  00:01
Qubes Dom0 Repository (updates)  1.4 kB/s | 2.7 kB  00:01
Qubes Dom0 Repository (updates)  436 kB/s | 6.8 MB  00:16
Qubes Templates repository       1.7 kB/s | 2.7 kB  00:01

Available Packages
qubes-template-debian-9.noarch           4.0.1-201901281256  qubes-templates-itl
qubes-template-debian-9-minimal.noarch   4.0.1-201901271906  qubes-templates-itl
qubes-template-fedora-29.noarch          4.0.1-201909150719  qubes-templates-itl
qubes-template-fedora-29-minimal.noarch  4.0.1-201909141946  qubes-templates-itl
qubes-template-fedora-29-xfce.noarch     4.0.1-201909141946  qubes-templates-itl
qubes-template-fedora-30.noarch          4.0.1-201912252234  qubes-templates-itl
qubes-template-fedora-30-minimal.noarch  4.0.1-201912251612  qubes-templates-itl
qubes-template-fedora-30-xfce.noarch     4.0.1-201912251612  qubes-templates-itl
qubes-template-fedora-31.noarch          4.0.1-202002142323  qubes-templates-itl
qubes-template-fedora-31-minimal.noarch  4.0.1-202002142323  qubes-templates-itl
qubes-template-fedora-31-xfce.noarch     4.0.1-202002142323  qubes-templates-itl
qubes-template-fedora-32.noarch          4.0.6-202101091318  qubes-templates-itl
qubes-template-fedora-32-minimal.noarch  4.0.6-202101091323  qubes-templates-itl
qubes-template-fedora-32-xfce.noarch     4.0.6-202101091323  qubes-templates-itl
qubes-template-fedora-33-minimal.noarch  4.0.6-202102261802  qubes-templates-itl
qubes-template-fedora-33-xfce.noarch     4.0.6-202102261802  qubes-templates-itl
qubes-template-fedora-34-xfce.noarch     4.0.6-202110020209  qubes-templates-itl
qubes-template-fedora-35-xfce.noarch     4.0.6-202205192300  qubes-templates-itl


--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/c3baea2b-e333-deb9-c671-47ce049b6ded%40ak47.co.za.