Re: [qubes-users] vif in user ProxyVM?
On 08/22/2016 10:47 AM, johnyju...@sigaint.org wrote: I'm trying to create a ProxyVM of my own, to replace sys-firewall. I'm on 3.2rc2-testing. When I create a ProxyVM in either fedora23 or debian-8, eth0 shows up, but no vif interface appears. vif interfaces appear when you connect downstream vms to the proxyvm. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/aa8fa248-385b-ee7f-098c-70a3d2163a21%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: files disappearing
On 08/21/2016 03:11 PM, J.M. Porup wrote: On Sat, Aug 20, 2016 at 07:05:10PM -0400, Chris Laprise wrote: * Download the Equation Group files from Mega to report on them * qvm-copy-to-vm --> new fedora 23 based appvm * open terminal in new vm, files are there * shutdown, reboot--files are gone One avenue to investigate is to reproduce the problem and then see if another vm can manually mount that filesystem and access the files: 1. Start the appvm in question ("VM1") - private data files do not appear 2. Pause VM1 3. Start a testing appvm ("VM2"). 4. Use qvm-block in dom0: $ qvm-block -A --ro VM2 dom0:/var/lib/qubes/appvms/VM1/private.img 5. In VM2, run: $ mkdir data $ sudo mount /dev/xvdi data $ ls data/home/user 6. Look for your data files Thanks for this suggestion. I tried last night, but mounting /dev/xvdi gave me a fs/superblock error, and non-useful output in dmesg. I tried again this morning, and was able to mount /dev/xvdd (not xvdi, although that probably doesn't make a difference). For that test, you are definitely interested in xvdi not xvdd. Taking a good look around the 4.1.24-10.pvops.qubes.x86_64/ dir, but not finding anything that looks like a home directory, much less my files. I'm probably doing something wrong. Perhaps related: Last week my .bash_history disappeared in dom0, replaced, bizarrely, by the attached text. Difficult to avoid the suspicion this is someone trolling. jmp The error you got does indicate the vm filesystem got corrupted--and that is probably because your dom0 root filesystem was corrupted, considering what happened to your dom0 .bash_history. I would say the level of corruption, which resembles file cross-linking errors, is great enough to consider dom0 isolation to be degraded and the OS damaged in general. The best course of action would be to start with Andrew's suggestion: Most recent laptops have disk and memory tests built into the firmware, accessible from the power-on screen. On completion you should see a short assessment as to whether your memory and drive are healthy or not. You could also use 'smartctl -a' on your drive to look for specific failure indicators. After addressing any hardware problems (such as replacing RAM modules or SSD), I suggest reinstalling Qubes and restoring from your backups. You may wish to first try backing up what's left of your current data before reinstalling and restoring from an older backup, in case you want to try recovering your most recent data later on. If you have specific questions I'd be happy to try answering them for you. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f1db4593-bbf6-40d6-89b3-19710a989a27%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: files disappearing
On 08/20/2016 06:00 PM, J.M. Porup wrote: On Sat, Aug 20, 2016 at 05:56:39PM -0400, J.M. Porup wrote: On Sat, Aug 20, 2016 at 05:29:19PM -0400, J.M. Porup wrote: files in three different vms have disappeared in the last week. In one case I lost work. previously I've seen a vm start without local data, somehow it doesn't "catch", usually a shutdown and restart solves the problem. In this case multiple restarts over multiple days is not working. what can I investigate to discover the cause of the missing data? assuming, for the sake of argument, accident and not adversary. I can reproduce this with appvms based on debian 8, but not fedora 23. * create new appvm * open a terminal, 'touch foo' * shutdown vm * restart vm, file is gone fedora 23 based appvms persist, but the debian 8 based appvms did not, at least in this test. I have not checked all my vms yet. Additional data point. * Download the Equation Group files from Mega to report on them * qvm-copy-to-vm --> new fedora 23 based appvm * open terminal in new vm, files are there * shutdown, reboot--files are gone jmp If you have modified your debian 8 template a lot, another thing you could try is to create a bare/unmodified debian template and switch your appvm to use the latter. Then see if the problem persists. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/68206fac-e059-97a6-9073-6e04f515ea60%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: files disappearing
On 08/20/2016 06:00 PM, J.M. Porup wrote: On Sat, Aug 20, 2016 at 05:56:39PM -0400, J.M. Porup wrote: On Sat, Aug 20, 2016 at 05:29:19PM -0400, J.M. Porup wrote: files in three different vms have disappeared in the last week. In one case I lost work. previously I've seen a vm start without local data, somehow it doesn't "catch", usually a shutdown and restart solves the problem. In this case multiple restarts over multiple days is not working. what can I investigate to discover the cause of the missing data? assuming, for the sake of argument, accident and not adversary. I can reproduce this with appvms based on debian 8, but not fedora 23. * create new appvm * open a terminal, 'touch foo' * shutdown vm * restart vm, file is gone fedora 23 based appvms persist, but the debian 8 based appvms did not, at least in this test. I have not checked all my vms yet. Additional data point. * Download the Equation Group files from Mega to report on them * qvm-copy-to-vm --> new fedora 23 based appvm * open terminal in new vm, files are there * shutdown, reboot--files are gone jmp One avenue to investigate is to reproduce the problem and then see if another vm can manually mount that filesystem and access the files: 1. Start the appvm in question ("VM1") - private data files do not appear 2. Pause VM1 3. Start a testing appvm ("VM2"). 4. Use qvm-block in dom0: $ qvm-block -A --ro VM2 dom0:/var/lib/qubes/appvms/VM1/private.img 5. In VM2, run: $ mkdir data $ sudo mount /dev/xvdi data $ ls data/home/user 6. Look for your data files If you can see your data in VM2, then the problem may be due to some bug in the boot sequence for the template used by VM1. But that doesn't necessarily rule out foul play... You may want to use VM2 to inspect vulnerable files in 'data' such as home/user/.bashrc and home/user/.profile to see if they've been tampered with. To undo the above attach+mount, run 'sudo umount data' in VM2 then shutdown VM2. Finally, un-pause VM1. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d4f40f95-c58e-48ae-14ce-efe69dab42bd%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Missing config files after Backup / Restore
On 08/17/2016 06:41 PM, entr0py wrote: On 08/17/2016 03:20 PM, entr0py wrote: Just migrated my Qubes 3.1 system to new hardware and it went surprisingly smoothly :) I noticed however that my KDE Window Rules did not get backed up / restored (not sure which). It's kind of irrelevant at this point since we're moving away from KDE but I'd still like to know why that happened and if there are other config files that I need to copy over manually. Most of the files in ~/.kde/share/config/ have permissions user:user 600 so it shouldn't be a problem to back up. Is a KDE lock on those files preventing them from being overwritten on the restore? Any other files I should bring back manually? (Just noticed some keybindings not working...) Thanks. If the KDE version stayed the same (4.x) then I'd expect the dom0 restore to include window rules and keybindings. Did you restart the system after the restore? Chris Yes, more details: 1. Backed up the entire system (all up-to-date): dom0, all templates, all vms; 2. Installed fresh Qubes 3.1 with no pre-configuration (seems fedora-23 was installed anyway) 3. Did an incremental restore as follows: a. restored dom0 - noticed that the following did not restore: desktop background, sound prefs, application menu settings (application menu entries were correct) b. reboot c. restored service templates & service vms d. updated dom0 - noticed window rules were not restored e. reboot f. restored dom0 AGAIN - thinking that dom0 update might have some effect window rules did not restore BUT desktop background did. g. restored all other templates & vms h. noticed that keybindings did not restore I think all of these KDE settings are stored in ~/.kde/share/config/. Specifically, the window rules are located in kwinrulesrc. I guess I could reconnect backup drive and go find out if files were backed up to begin with. My hunch is that the problem is on the restore end. How can I tell if files are locked? And if locked can Qubes restore overwrite them? Doesn't dom0 restore move the current home dir into a subdir, then write the restored files to the correct locations? The only way I can think of that failing is if the initial move was piecemeal and didn't catch everything. Another explanation for the problem is that KDE might store some settings elsewhere, such as /etc or /usr/share. FWIW, although I prefer using KDE I have never relied on a restore process to get my desktop settings back. I think its better to have a written checklist of customizations that need to be done after an installation. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/dd322451-6141-d22e-fe16-7787b2fe8c8d%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Missing config files after Backup / Restore
On 08/17/2016 03:20 PM, entr0py wrote: Just migrated my Qubes 3.1 system to new hardware and it went surprisingly smoothly :) I noticed however that my KDE Window Rules did not get backed up / restored (not sure which). It's kind of irrelevant at this point since we're moving away from KDE but I'd still like to know why that happened and if there are other config files that I need to copy over manually. Most of the files in ~/.kde/share/config/ have permissions user:user 600 so it shouldn't be a problem to back up. Is a KDE lock on those files preventing them from being overwritten on the restore? Any other files I should bring back manually? (Just noticed some keybindings not working...) Thanks. If the KDE version stayed the same (4.x) then I'd expect the dom0 restore to include window rules and keybindings. Did you restart the system after the restore? Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b9244b9e-fd43-cb07-5c1e-43f0d473cbf5%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] VPN Link Up, NetVM set to VpnVM but AppVMs still don't have net access?
On 07/26/2016 05:32 PM, gaikokujinkyofu...@gmail.com wrote: On Monday, July 25, 2016 at 5:12:42 PM UTC-10, Chris Laprise wrote: The shebang refers to the '#!/bin/bash' at the start of the script; that is required for it to run. A. Ok. Well I checked and I had forgotten to remove the origonal #!/bin/sh but it was the same file I had used before that had worked? Anyway, I edited it and now only one line and it is bash. But still can't access anything other than direct ip addresses via the appvm that is using the vpnvm? The last three lines you refered to, of the .ovpn, I believe I added as the Qubes VPN doc instructed, anyway I just c/p'd from the .ovpn I have: script-security 2 up 'qubes-vpn-handler.sh up' down 'qubes-vpn-handler.sh down' Is that what you were referring to? Yes. Something else you can try is to bypass the DHCP stuff and add the DNS server manually in your .ovpn with a line like this: setenv vpn_dns 'X.X.X.X' Replace X's with DNS server address. I tried this next, added both like setenv vpn_dns 'X.X.X.X X.X.X.X' (tried without quotes too) but still no go. I then noticed that there was a commented line in the qubes-vpn-handler.sh script so I added that line in that script and took it out of the ovpn file, still not able to ping non ip addresses... Then when you connect and list your nat table again, you should see the DNS IP there. Chris and both times (restarting vpnvm/appvm) the new DNS didn't show up when i tried to list the nat tables? I would have thought manually putting in the DNS would have been sufficent? I thought I'd let you know another user was having the same symptoms (IP access but no DNS) because Network Manager was running in the vpn vm... https://groups.google.com/d/msgid/qubes-users/f35d90b9-2632-4f91-afff-3e1f8ac26302%40googlegroups.com If you had enabled Network Manager in that vm you should disable it. Other possible workarounds are putting a 7sec delay in handler script, or renaming the qubes-setup-dnat-to-ns file before openvpn is run (see linked thread for details). Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/30344390-4f39-eb08-a62b-274f41bdc0e2%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: installing Signal on Qubes mini-HOWTO
On 08/17/2016 11:35 AM, johnyju...@sigaint.org wrote: On the Signal matter, just some personal paranoia Re: Signal and Google Play Services: I've been the subject of some rather intense and ongoing hacking (iPhone, iPad, Android phone/tablet, PC, MacBook, cable modem connection, you name it). On the Android phone, I wiped it several times, and switched to Cyanogen, but the "weirdness" kept coming back. (Seeing stuff being recorded, logged, queued to upload etc., when scrutinizing the filesystem with adb.) The issues often seemed to dance around Google Play Services. The problem kept coming back, until last time, when I wiped the phone yet again, but didn't install Google Play Store (and thus no Google Play Services). Things *appear* to be stable and secure now, with no logging/recording/uploading weirdness showing up on the filesystem. I'd like to install and use Signal for obvious reasons, but I honestly don't trust Google Store/Services enough to take the risk. (I have a psycho ex with some crooked cop buddies, so I half suspect some law enforcement/government hook might be present in Google Play Services. Speculation of course. But I'll personally stay clear for now. I'm not doing anything illegal, but with crooked cops it really doesn't matter much. :) ) I did get a copy of Signal from apkmirror, but I expect it might not work without Play Services, and I'm not sure it'd be smart to implicitly trust apkmirror, either. So I'll keep my SmartPhone as a DumbPhone for now. I was kind of excited to hear about Signal for Chromium, but disappointed to find it relied upon you also having it installed on your smartphone. Aand then there's this: http://arstechnica.com/security/2015/06/not-ok-google-chromium-voice-extension-pulled-after-spying-concerns/ Not cool, Google. Cheers. :) I have to say I don't understand the logic of tying an app like Signal to Google, meaning the user is attached to Google at the hip. Especially when an app like Ring.cx operates without a browser or even a server, which seems far less risky. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1d8e9316-1a77-9f6a-952a-880b847ae52f%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] No DNS with ProxyVM + OpenVPN
On 08/16/2016 06:56 AM, kotot...@gmail.com wrote: To test this theory, you could put a 7sec delay in qubes-vpn-handler.sh right before the line 'iptables -t nat -F PR-QBS'. Then the right IPs should appear in PR-QBS. It did work. Thank you again! I wonder what is changing the NAT rules. I only see one 'up' directive in the openvpn configuration, the one calling the qubes script. Maybe something from Qubes itself? It's correct that the ProxyVM should be connected to sys-firewall right? That was going to be my next question: Is there anything in the vpn config that triggers it, such as any other references to scripts. Ideally, there should only be up and down. If you're comfortable posting the configuration maybe I or someone else could see the cause. Also the parts of the log output near the end that deal with PUSH data, since that is a source of configuration directives. I also wonder if your template might have an openvpn service configured to autostart... creating a second openvpn process? You can check that with ps, systemctl, etc. Also, Network Manager should not be running in that vm. Finally, you could disable the /usr/lib/qubes/qubes-setup-dnat-to-ns script by renaming it right before openvpn starts (but it does have to run once on vm start). That should prevent it from steamrolling over the vpn-specific IPs. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1c702a72-f94b-f897-ee05-38b779a57b69%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes 3.2-rc2 very high hard disk activity
On 08/16/2016 01:39 PM, donoban wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On 08/16/2016 06:17 PM, Andrew David Wong wrote: On 2016-08-16 03:58, donoban wrote: I also have experienced a lot of process killed because I run out of memory. This never happened with 3.1. Is it possible that the high HDD activity is excessive swap usage due to low memory? I don't use swap at this moment and with 3.1 I didn't too. I should add it probably, but if I "fix" the "hard disk problem". Each vm has its own swap. If you misconfigure the vm with too little memory (this can easily happen if you inadvertently turn off memory balancing) then it can exhibit the symptoms you describe. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f3f605f4-9a6e-3357-f201-bddfa6113953%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] No DNS with ProxyVM + OpenVPN
On 08/15/2016 01:05 PM, kotot...@gmail.com wrote: Thank you very much for your help. The DNS are transmitted but the rules in the firewall seems to be missing: Chain PR-QBS (1 references) pkts bytes target prot opt in out source destination 0 0 DNAT udp -- anyany anywhere 10.137.5.1 udp dpt:domain to:10.137.2.1 0 0 DNAT tcp -- anyany anywhere 10.137.5.1 tcp dpt:domain to:10.137.2.1 0 0 DNAT udp -- anyany anywhere 10.137.5.254 udp dpt:domain to:10.137.2.254 0 0 DNAT tcp -- anyany anywhere 10.137.5.254 tcp dpt:domain to:10.137.2.254 The qubes script is nonetheless correctly started because I see the notification "VPN is up". Something else may be running a dnat script when you connect, because that is the only thing that would be re-populating PR-QBS with the Qubes internal IPs. To test this theory, you could put a 7sec delay in qubes-vpn-handler.sh right before the line 'iptables -t nat -F PR-QBS'. Then the right IPs should appear in PR-QBS. Alternative theory is that somehow openvpn is passing the internal IPs to the script, but I think that's unlikely. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/a1010675-628e-206e-979a-3cf2d49f7671%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] qubes-manager not showing on KDE
On 08/15/2016 11:22 AM, angelo "angico" costa wrote: Hi, guys! Still slowly progressing through Qubes. I changed from XFCE to KDE and qubes-manager simply disappeared! I invoke it through the menu link as well as through CLI, but it just doesn't show up. It shows normally on XFCE, though. Also, 'ps aux | grep qubes-manager' lists it as running: /usr/bin/python2 /usr/bin/qubes-manager -session ... What am I possibly doing wrong? Any hint? Thanks in advance, angico. Hi, What version of Qubes is it? Did you try rebooting to switch to KDE, instead of logout/login? Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e6260346-116c-b934-595d-543e3118983d%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] No DNS with ProxyVM + OpenVPN
On 08/15/2016 03:33 AM, kotot...@gmail.com wrote: Hi, I set up a proxyVM with openvpn following the instructions from https://www.qubes-os.org/doc/vpn/. I cannot do DNS query over the VPN, for example this command executed from a VM connected to the Proxy: [user@fedora-23-dvm ~]$ dig www.google.com ; <<>> DiG 9.10.3-P4-RedHat-9.10.3-13.P4.fc23 <<>> www.google.com ;; global options: +cmd ;; connection timed out; no servers could be reached Executing 'dig @8.8.8.8 www.google.com' works well. What am I doing wrong? Hi, Its possible that your vpn service isn't supplying dns server info upon connection. You can check what openvpn is getting from your service by upping the verbosity to 3 while running openvpn manually like this: $ sudo groupadd -rf qvpn $ sudo sg qvpn -c 'openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn --verb 3' You should see a message like this from openvpn, though the dns numbers will probably be different: PUSH: Received control message: PUSH_REPLY,dhcp-option DNS 1.2.3.4,dhcp-option DNS 1.2.3.5 ...etc. This indicates that openvpn has received dns server info from the vpn provider. Another thing to check is whether those dns numbers got into the firewall: $ sudo iptables -v -L -t nat The chain PR-QBS should have two entries per dns address. OTOH, if you want to bypass dhcp and use hard-coded dns numbers instead, add them to your openvpn config file like this: setenv vpn_dns '1.2.3.4 1.2.3.5' Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6c455e5c-50a2-a5dd-770a-96a7ed681e7e%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] VPN ProxyVM rc.local
On 08/15/2016 10:49 AM, Paf LeGeek wrote: I use the Debian 8 Template so the rc.local file is in the /etc/ folder not in the /rw/ folder. As I said, the script works find if i launch it manually in my ProxyVM terminal. This is the content of my rc.local #!/bin/sh -e # # rc.local # # This script is executed at the end of each multiuser runlevel. # Make sure that the script will "exit 0" on success or any other # value on error. # # In order to enable or disable this script just change the execution # bits. # # By default this script does nothing. groupadd -rf qvpn ; sleep 2s sg qvpn -c 'openvpn --cd /etc/openvpn/ --config myopenvpnfile.ovpn \ --daemon --writepid /var/run/openvpn/openvpn-client.pid' exit 0 The vpn doc was written for both Fedora and Debian templates. The /rw/config/rc.local script is a Qubes feature that works on both. The doc uses that location so users do not have to dedicate a whole template to their vpn... /rw/config was designed for per-vm customizations such as this. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/55e32991-6f09-702c-b048-08360a2b6de2%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] VPN ProxyVM rc.local
On 08/14/2016 04:52 PM, Paf LeGeek wrote: Hello ! I am trying to follow the steps in the link below to make a ProxyVpn with VPN autostart : https://www.qubes-os.org/doc/vpn/ But my rc.local does not start on my ProxyVM. I did the commands below on my Debian 8 Template VM : sudo chmod +x /etc/rc.local systemctl disable openvpn.service The rc.local service is enable. This is the result of ls -l : user@debian-8-vpn:~$ ls -l /etc/rc.local -rwxr-xr-x 1 root root 472 Aug 14 22:30 /etc/rc.local If I start the rc.local with sudo sh /etc/rc.local using the terminal on my ProxyVM, it's working. So, why my rc.local does not start automatically on my ProxyVM ? Thanks for your help. Hi, The vpn doc indicates /rw/config/rc.local (in the proxy vm) not /etc/rc.local. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/696aac79-0882-38a9-0f95-9da6e8747b77%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] howto add untrusted repository to appVM (without using seperate template)
On 08/07/2016 07:22 AM, Marek Marczykowski-Górecki wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sat, Aug 06, 2016 at 06:36:10PM -0700, Andrew David Wong wrote: On 2016-08-06 18:05, emilcronja...@gmail.com wrote: Hi there, How do I add an outside/untrusted repository to an app-vm based on the standard template, *without* changing the whole template? And/or how do I, after succeding, install a program from the outside source in the appVM and make the program survive reboot? I guess this is a general question, although my problem is concerned with the VoIP-program Jtisi: they are not included in neither Fedora or Debian repos, and I would not like to add their "untrusted" repo only to the appVM wich would actually run the program. (I know I could create a standalone VM, but I prefer not to use 3 GB of space to run just one program :)). SO: How to solve this? (Without jepoardizing my template-VM) Best regards, E PS: Why oh why is there no voip-client with zrtp-support in the fedora/debian repos?! You could do this by installing the program to some place in the AppVM that survives reboot (e.g., the AppVM's home/ directory). Besides that, I can't think of any way to satisfy all of your desiderata simultaneously. (You could clone the TemplateVM, but you said you didn't want to create a StandaloneVM because it would take up too much disk space, and a cloned TemplateVM would take up roughly the same amount.) I have similar problem with spotify - I don't want to include it in any of my standard template, but on the other hand, I don't want to waste disk space just for one VM. So I ended up with installing it at each VM startup. Using this script: #!/bin/sh # 1. Add the Spotify repository signing key to be able to verify # downloaded packages sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys BBEBDCB318AD50EC6865090613B00F1FD2C19886 # 2. Add the Spotify repository echo deb http://repository.spotify.com stable non-free | sudo tee /etc/apt/sources.list.d/spotify.list # 3. Update list of available packages sudo apt-get update # 4. Install Spotify sudo apt-get -y install spotify-client xdg-utils libxss1 zenity Since I don't restart this VM that often, I call this script manually, just before starting spotify client itself (shell command history is useful ;) ). But is should be enough to put it into /rw/config/rc.local. Downsides: - it downloads the packages each time; not a big problem for me, but can be for others - there is no spotify entry in the menu (needs to be started from terminal) First issue could be fixed by downloading deb files (apt-get -d) and then installing them from a local directory (dpkg -i /rw/debs/*.deb). But it will not automatically download new version. The second issue can be fixed by creating the entry manually. - -- I just wanted to point out a qualitative difference between Jitsi and Spotify: The former is used as a trusted component to protect the users' privacy and probably security. Although that depends on how you're going to use Jitsi, the question is posed in a way that suggests the app would be used to maintain privacy. So the relevant questions are: 1) Is the Jitsi repo signed, and if so... 2) How much do you trust the developers? If you trust them to keep your communications private, you might also trust them enough to add their repo to one or more templates. You could also look for a "portable" version of the app; Such versions don't require standard installation procedures and usually run from whatever folder you place them in. Although Tor Browser is a portable app from the start, for example, there are many examples of apps that have been converted to portable, including Jitsi (for Windows): https://sourceforge.net/projects/jitsiportable/ I wish Ring.cx had a portable version, too, as that app shows a lot of promise... https://ring.cx BTW, you can also just create a standalone appvm and add the Jitsi repo to that. PS: Why oh why is there no voip-client with zrtp-support in the fedora/debian repos?! I have wondered the same thing, myself. The best answer I can come up with is that there is a wide gulf between the wave of privacy-minded users and the curators of those distros. There are a growing number of privacy-enhancing apps that are being ignored by the old guard. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/49930d91-2a73-d318-ddd3-2184ccca60c5%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Yellow dot / guid crash in appvms
On 07/31/2016 04:32 PM, Marek Marczykowski-Górecki wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sun, Jul 31, 2016 at 04:19:50PM -0400, Chris Laprise wrote: ErrorHandler: BadWindow (invalid Window parameter) Major opcode: 10 (X_UnmapWindow) ResourceID: 0xe7 Failed serial number: 179 Current serial number: 179 The above error sometimes results when I start a debian 8 appvm (I'm not currently using fedora appvms so I don't know if the problem exists there too). My app window will not appear until I run some other command in the vm (at which point the vm status dot turns green). I'll determine whether this error can be reproduced. Looks like this issue: https://github.com/QubesOS/qubes-issues/issues/2085 You're using KDE, aren't you? ;) - -- In dom0, yes. I do also happen to have kde installed in the template (completely forgot about that), but I do get this error when starting gtk apps. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bff2411e-df41-4579-669e-e8e4c468c755%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Fedora 23 template upgrade conflict
On 07/29/2016 02:08 PM, 45uiay+8xfsofrot5g94 via qubes-users wrote: Just did, still no luck. The update still presents the same error. I had to use 'dnf clean all' before update would work. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/158132a4-3174-ec27-971f-f0bfb9c09dc8%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes Security Bulletin #24 (Critical bug)
On 07/27/2016 04:27 PM, Andrew David Wong wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2016-07-26 20:01, Chris Laprise wrote: On 07/26/2016 08:45 PM, el...@tutanota.com wrote: What is best way to verify our system supports these things? I think you can also check out the processor with Intel.. ark.intel.com You can search through the different processors if you are looking to pick up a new computer. A guide I found at AMD: http://support.amd.com/en-us/kb-articles/Pages/GPU120AMDRVICPUsHyperVWin8.aspx From Microsoft: http://support.amd.com/en-us/kb-articles/Pages/GPU120AMDRVICPUsHyperVWin8.aspx Basically, anything recent that isn't too cost-reduced. Chris Chris, I think you may have accidentally pasted the same link twice. - -- Sorry, didn't hit Ctrl-shift-V when I should ;) Here's the MS link: http://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e93fd151-1dc1-0c42-5977-d33534a3d61b%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes Security Bulletin #24 (Critical bug)
On 07/26/2016 08:45 PM, el...@tutanota.com wrote: What is best way to verify our system supports these things? I think you can also check out the processor with Intel.. ark.intel.com You can search through the different processors if you are looking to pick up a new computer. A guide I found at AMD: http://support.amd.com/en-us/kb-articles/Pages/GPU120AMDRVICPUsHyperVWin8.aspx From Microsoft: http://support.amd.com/en-us/kb-articles/Pages/GPU120AMDRVICPUsHyperVWin8.aspx Basically, anything recent that isn't too cost-reduced. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/07b40854-c066-ca18-df47-715ad96505cc%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How to log all the websites accessed by a VM
On 07/25/2016 02:20 PM, Marek Marczykowski-Górecki wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, Jul 25, 2016 at 03:14:02PM -0300, Franz wrote: ok now it works, it outputted a list of addresses. But I have to paste this list on firewall rules of that VM and this is on Qubes Manager that is on Dom0, so normal copy paste between VMs does not work. I can only imagine of writing the addresses on a text file, then copying the file to Dom0, using qvm-run --pass-io 'cat /path/to/file_in_src_domain' > /path/to/file_name_in_dom0 opening the file in Dom0 (which seems half prohibited) and finally copying the adresses to Qubes Manager. Otherwise I'll have to digit manually the addresses to Qubes Manager. Which is the suggested way to do that? Personally I do some thing like: qvm-run --pass-io 'cat output-of-that-command' Then copy selected lines into shell (those are ready commands to add firewall entries). - -- A less tedious method to get a somewhat similar effect is to install 'HTTPS Everywhere' extension in Firefox and turn on the "block all unencrypted" feature. Then create some bookmarks for the (HTTPS) sites you wish to use. You can control it further by adding the 'Request Policy' extension and use it to whitelist the 3rd party sites as you encounter them (the extension will remember your choices). Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9e5029f2-82b6-2c03-36d6-40d1bd181357%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] VPN Link Up, NetVM set to VpnVM but AppVMs still don't have net access?
On 07/20/2016 02:59 PM, gaikokujinkyofu...@gmail.com wrote: On Saturday, July 16, 2016 at 5:09:48 PM UTC-4, gaikokuji...@gmail.com wrote: I tried the 'sudo iptables -L -v -t nat' anyway and to be honest I am not sure I understand the output: [user@VPN ~]$ sudo iptables -L -v -t nat Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 PR-QBS all -- anyany anywhere anywhere 0 0 PR-QBS-SERVICES all -- anyany anywhere anywhere Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 432 packets, 30668 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- anyvif+anywhere anywhere 3 192 ACCEPT all -- anylo anywhere anywhere 12 812 MASQUERADE all -- anyany anywhere anywhere Chain PR-QBS (1 references) pkts bytes target prot opt in out source destination 0 0 DNAT udp -- anyany anywhere 10.137.4.1 udp dpt:domain to:10.137.2.1 0 0 DNAT tcp -- anyany anywhere 10.137.4.1 tcp dpt:domain to:10.137.2.1 0 0 DNAT udp -- anyany anywhere 10.137.4.254 udp dpt:domain to:10.137.2.254 0 0 DNAT tcp -- anyany anywhere 10.137.4.254 tcp dpt:domain to:10.137.2.254 Chain PR-QBS-SERVICES (1 references) pkts bytes target prot opt in out source destination Hi, I don't think I am using Network Manager to connect, that is I went only by the Qubes VPN wiki but while trying to diag the problem I read about /etc/resolv.conf in some other doc while searching so thought I'd try (obviously no luck). As for the sudo sg qvpn -c ping whateversite, does returning one thing back and hanging count for anything? I am thinking not as I am not able to connect to the net via the VpnVM. Any thoughts on the DNS dnat rules? Pinging from my vpn vm is probably the same as yours, now that I've checked it: I get a DNS response but the pings themselves aren't permitted. I think the real problem is shown in your PR-QBS chain above. You see that the 'to' addresses on the right are still pointing to a Qubes internal subnet '10.137.x.x'. Something about the DHCP fetching of your DNS servers or the way qubes-vpn-handler.sh is executing is not working. You can verify this by taking the IP address for 'whateversite' and pinging it from your appvm (connected to vpn vm)... that should work even though DNS doesn't. Cause of the problem should be a misconfigured .ovpn (the 3 lines for scripting) or the qubes-vpn-handler.sh script itself can't execute because the execute flag is not set, or the shebang at the start was left out, etc. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/94a81cf2-db21-4c66-40d1-64837a477831%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Unable to update templates
On 07/20/2016 01:20 PM, jkitt wrote: My netvm is a proxyvm that I've set up. I've just found out about the global in which the updatevm can be changed. However, i've set this to my VPN VM yet nothing - it's still trying to connect to the same IP. IRRC that IP is a non-existent node but it's filtered by a proxy. How do i get that proxy running on my VPN VM? Its typical for a VPN to block template updates. This is because the update proxy normally runs in sys-net, which can no longer see the attempt to connect to the update proxy port number (sys-net only sees encrypted stream from VPN). Quick workaround is to set your connection so it looks like: Template -> sys-firewall -> sys-net. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/91f7890d-d110-e228-f9b0-fe0bc249cafd%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Setting up OpenVPN (Can't understand documentation)
On 07/17/2016 04:26 AM, ajshdas7...@sigaint.org wrote: Under "Using iptables and openvpn" @ https://www.qubes-os.org/doc/vpn/ It says to create the proxyvm, but it does not say if the following steps should be taken in the template or in the proxyvm. Does anyone know? That part should be clearer. However, the intent is to setup the proxyvm. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3aec5d45-5e21-56ad-1f9a-e3181a5563bc%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] AEM with Linux 4.4 causes hard reboot (cont... Trying to resolve issue)
On 07/15/2016 10:09 PM, Todd Lasman wrote: On 07/15/2016 04:38 PM, Chris Laprise wrote: On 07/15/2016 09:33 AM, Chris Laprise wrote: On 07/13/2016 11:15 AM, Chris Laprise wrote: I am able to get 4.4.* to boot now! The trick was to add 'min_ram=0x200' to the tboot options like I used to do--the AEM README describes how. But now I cannot get AEM to seal the secret. Nothing at all about AEM is displayed during startup, even though rd.antievilmaid is on the kernel options line. Chris For the record, AEM is now working on my system. The other thing that was required was to update the anti-evil-maid package to version 3.0.3. Chris @Andrew, Todd Lasman... Could one/both of you try this out ...please? :D Especially the tboot workaround; It only requires pressing 'e' at the grub prompt and adding the parameter to the multiboot tboot line (then press Ctrl-x to boot). It would be good to see if this works on other machines before either closing the issue[1] or inquiring upstream. Thanks, Chris 1. https://github.com/QubesOS/qubes-issues/issues/2155 Will do, Chris. Thanks for working this out. May take a few days to get to this, though. I'll report back. By the way, where did you get the aem 3.0.3 package? I've only got 3.0.2 available. Todd Cool. Try this: sudo qubes-dom0-update anti-evil-maid --enablerepo=qubes*testing Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/12a46ee5-6163-3fad-edb9-9b7acc1a2a4d%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] AEM with Linux 4.4 causes hard reboot (cont... Trying to resolve issue)
On 07/15/2016 09:33 AM, Chris Laprise wrote: On 07/13/2016 11:15 AM, Chris Laprise wrote: I am able to get 4.4.* to boot now! The trick was to add 'min_ram=0x200' to the tboot options like I used to do--the AEM README describes how. But now I cannot get AEM to seal the secret. Nothing at all about AEM is displayed during startup, even though rd.antievilmaid is on the kernel options line. Chris For the record, AEM is now working on my system. The other thing that was required was to update the anti-evil-maid package to version 3.0.3. Chris @Andrew, Todd Lasman... Could one/both of you try this out ...please? :D Especially the tboot workaround; It only requires pressing 'e' at the grub prompt and adding the parameter to the multiboot tboot line (then press Ctrl-x to boot). It would be good to see if this works on other machines before either closing the issue[1] or inquiring upstream. Thanks, Chris 1. https://github.com/QubesOS/qubes-issues/issues/2155 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/25ec3d4f-17cb-32a9-01b9-8a30c0150fe4%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Question on DMA attacks
On 07/15/2016 02:43 PM, Andrew David Wong wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2016-07-15 01:46, Marek Marczykowski-Górecki wrote: On Thu, Jul 14, 2016 at 07:22:28PM -0700, neilhard...@gmail.com wrote: From the user FAQ: https://www.qubes-os.org/doc/user-faq/#can-i-install- qubes-on-a-system-without-vt-d "an attacker could always use a simple DMA attack to go from the NetVM to Dom0" So what does this mean though..? Can they launch this DMA attack from a compromised App VM..? Could they simply do a browser exploit in an App VM, and then do a DMA attack from there to go to dom0..? Or is it a lot harder than that..? I'm just trying to work out whether it's really worth buying a new laptop just to get VT-D I currently have VT-X, but not VT-D. DMA is mechanism for PCI devices to access system memory (read/write). Without VT-d any PCI device can access all the memory, regardless to which VM is assigned (or left in dom0). Most PCI devices allow driver to request arbitrary DMA operation (like "put received network packets at this address in memory", or "get this memory area and sent to the network"). So, without VT-d, it gives unlimited access to the whole system. Now, it is only a matter of knowing where to read/write to take over the system, instead of just crashing. But since you can read the whole memory, it isn't that hard. Now, how it applies to Qubes OS? The above attack requires access to PCI device. Which means that can be performed only from NetVM / UsbVM, so someone must first break into one of those VMs. But it isn't that hard, because there is a lot of complex code handling network traffic. Recent bugs includes DHCP client, DNS client etc. Most of attacks on NetVM / UsbVM (but not all!) requires being somehow close to the target system - for example connected to the same WiFi network, or in case of UsbVM, having physical acccess to some USB port. But, just exploiting a browser in an AppVM isn't enough, as normal AppVM do not have any PCI device assigned (unless you do that manually). Clear and lucid answer, as always. Thanks, Marek! Added to the FAQ: https://github.com/QubesOS/qubes-doc/commit/45cffd68543447c81d9922572d52e408b7ff 5e65 IIRC, this point may be covered by Joanna's blog post re: 'What makes Qubes different from ...?' The main website does sort of lack a concise rundown of Qubes' main advantages, such as: * Simple and strong isolation mechanism, instead of complex permissions in monolithic kernels * Safe virtualization of software components that normally expose regular hypervisors to exploits (i.e. graphics, copy+paste) * Window manager that reliably reflects the security context of running apps * Hardware virtualization of risky interfaces such as NICs and USB * Overall philosophy of 'protect the core system and non-networked VMs'; remotely exploited VMs stay contained ('game over' situation unlikely) Plus secondary advantages: * Template system * Disposable VMs * AEM * Trusted document 'sanitizing' * Flexible use of anon networks (Tor, etc.) Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/af563412-101d-1ab2-f7e4-aa94d34712d7%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] VPN Link Up, NetVM set to VpnVM but AppVMs still don't have net access?
On 07/15/2016 01:26 PM, gaikokujinkyofu...@gmail.com wrote: On Thursday, July 14, 2016 at 5:50:52 PM UTC-7, Chris Laprise wrote: On 07/13/2016 12:36 PM, gaikokujinkyofu...@gmail.com wrote: Hi, with quite a bit of help (thanks again) I was able to setup a VpnVM and have it work perferctly as a NetVM for AppVMs with KDE as my desktop env. I then backed up (zipped) the /rw/config dir and reinstalled 3.1 with just xfce, recreated the VpnVM and put all the needed vpn files from the config dir/sub-dir in thier place. I set an AppVM to use the VpnVM as a NetVM and started up the VpnVM, it seems to start up fine, I get the little notification that the VPN is up, but I can't connect to anything. I have also tried, instead of using backed up config file to just recreate everything from scratch, got the VPN notification/confirmation that its up and running, but still couldn't access the net. I can access the net when using the firewall as the netvm though? I am not sure how to diagnose this further, thoughts suggestions would really be apprecaited! I would start troubleshooting by opening a CLI in the appvm, and also in sys-firewall: In each CLI try pinging a known server using domain name (first) and then IP address (second). This should tell you whether the blockage is complete or only DNS related. Chris ah that was a good idea. Well it seems to be DNS related in the VpnVM as I am able to ping a site/ip address from the firewallVM and ping an IP from in the VpnVM but not a site name. I am not sure why that would be though since as far as I can tell everything is the same as it was in the previous setup (obviously not I guess). It seems to netmanager is setting a DNS other than what my VPN provider normally sets? I tried manually editing the /etc/resolv.conf file but that didn't seem to help (automatically generated?) so am not sure where to go from here? Hopefully you are not using Network Manager to connect... That would only interfere with the script-based method described in the doc. The qubes-vpn-handler ignores resolv.conf, but you can edit the latter to test domain names within the vpn vm. Remember, in the vpn vm you will need to prefix your ping commands with 'sudo sg qvpn -c' to get past the firewall. If you do this and pinging site names works (in the vpn vm), then the problem may be with DNS dnat rules. After connecting, you can check those with 'sudo iptables -L -v -t nat'. You should see the appropriate DNS server IPs there (4 rules). Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/3bd1af94-2560-fa66-fde8-2b236551e53b%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Is there any debugging in the Qubes 3.2-r1 installer?
On 07/15/2016 01:55 PM, Achim Patzner wrote: Hi! As I'm not getting the install image to boot into the installer (it is dropping me into dracut), is there any debug version that could collect debug information in a convenient way? Alternatively: Could the installation process be launched from a running Qubes 3.1 installation (e. g. as VM, getting access to the destination disk)? Achim Do you see any message about saving an rdsos log? I got that when the installer dropped me to a CLI. In that case, the problem was an inability to continue accessing the USB stick containing the installer, because of a bug in a rarely used storage module. The workaround was to burn the installer image to DVD and run it from that. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7772f3d6-29b8-16c7-cd8e-01905dd2290d%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] AEM boot option causes hard reboot/partial shutdown (Lenovo T450s)
On 07/13/2016 11:15 AM, Chris Laprise wrote: On 07/12/2016 11:15 AM, Chris Laprise wrote: On 07/12/2016 01:48 AM, Chris Laprise wrote: On 07/05/2016 02:21 PM, Marek Marczykowski-Górecki wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, Jul 04, 2016 at 10:26:51AM -0400, Chris Laprise wrote: If I replace the kernel with 4.1 from R3.1, it can make it to the AEM target and the decrypt prompt. It chokes just after decrypting the volumes, but that's to be expected. The 4.4 kernel appears to introduce some factor that causes the crash. Interesting, have you tried 4.2 kernel from R3.1 unstable repository? Do you have any means of collecting kernel/xen messages? I guess you've already disabled "quiet" kernel option and also removed "console=none" from xen cmdline. If this doesn't help, try adding "noreboot" and "sync_console" to xen cmdline. If you have serial console (on docking station?) if would be easier to reliably get log messages. - -- I just tried the 4.2 kernel on the stick created by AEM under R3.2rc1; It seems to work as well as 4.1. I'll try 4.4 again removing those boot options. Unfortunately, the only docking station here is the kind lacking serial ports. Chris A bit more info: Removing rd.antievilmaid from 4.4.12 options doesn't help; it still restarts. I also tried 4.4.14 in the unstable repo but that did not help. It appears to be an incompatibility between kernel version 4.4 and tboot. Chris I am able to get 4.4.* to boot now! The trick was to add 'min_ram=0x200' to the tboot options like I used to do--the AEM README describes how. But now I cannot get AEM to seal the secret. Nothing at all about AEM is displayed during startup, even though rd.antievilmaid is on the kernel options line. Chris For the record, AEM is now working on my system. The other thing that was required was to update the anti-evil-maid package to version 3.0.3. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/045a8d25-acd2-86f7-719f-b1cda382484d%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Changing swap. /etc/fstab cant be edited
On 07/14/2016 05:43 PM, Facundo Curti wrote: Hi list. I'm having troubles to start qubes. When I start it says that a partition is being used by a process. As I was reading: https://forums.opensuse.org/showthread.php/503587-Slow-boot-What-is-quot-A-start-job-is-running-for-dev-disk-by-quot https://bbs.archlinux.org/viewtopic.php?id=161814 https://bbs.archlinux.org/viewtopic.php?id=196083 It is a problem in the swap partition, a bad configuration on /etc/fstab. Recently I resized it... So the UUID should be changed now I'm trying to edit /etc/fstab, but for some reason, I just can do that chrooting the system (not just mount). When I mount the disk, /etc/fstab is almost empty. Anyway, I do that. But I still can not boot. Here is my /etc/fstab: # /etc/fstab # Created by anaconda on Fri Jul 8 23:45:42 2016 # # Accessible filesystems, by reference, are maintained under '/dev/disk' # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info # /dev/mapper/luks-1d18c3c1-3456-420e-86d9-83c5aab56904 / ext4 defaults,x-systemd.device-timeout=0 1 1 UUID=8ac79b31-fdfe-4c2d-b6da-8e91f12b0518 /boot ext4defaults1 2 /dev/mapper/cryptedSwap swapswap defaults,x-systemd.device-timeout=00 0 #/dev/mapper/luks-7a2436b4-6f22-46e6-b9d4-fc72b0913d17 swapswap defaults,x-systemd.device-timeout=0 0 0 - And here is my /etc/crypttab - luks-1d18c3c1-3456-420e-86d9-83c5aab56904 UUID=1d18c3c1-3456-420e-86d9-83c5aab56904 none cryptedSwap /dev/disk/by-partuuid/0319b6a9-5470-49b6-84ef-eac0f91546a0 /dev/urandomswap,cipher=aes-cbc-essiv:sha256,size=256 - I made the swap according this guide: https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption#Without_suspend-to-disk_support But the error persist :/ The system starts in emergency mode Some ideas plz? -- Idea: You did not refresh your initramfs or grub.conf after making the changes in fstab/crypttab. :) If you can drop to a CLI when the boot process fails, maybe you can decrypt the root partition, mount and chroot into it. Next, mount boot partition at /boot, verify fstab and crypttab are correct and then run the tools to refresh your boot partition. IIRC, they would be 'dracut -H' and 'grub2-mkconfig -o /boot/grub2/grub.cfg'. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8d0a0013-37a4-85ba-c453-812f0ace9ca7%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Firewall rules
On 07/14/2016 04:51 PM, katerim...@sigaint.org wrote: On 07/14/2016 10:39 AM, katerim...@sigaint.org wrote: Good day I'm using a VPN in sys-net and would setup firewall rules to stop internet connection if VPN crash. In sys-net isn't possible to insert ip addresses, then I did it in sys-firewall. With some tests I saw that if VPN disconnect suddenly, sys-net finds my wifi network and doesn't break the connection, as I would. How can I solve this? (in the proxyVMs all work well) Thank you Take a look at https://www.qubes-os.org/doc/vpn/ For leak protection and security it is best to set up a vpn client in a proxy vm, between sys-net and the appvms. You can follow the instructions from the doc "Using iptables and openvpn", or use the firewall script as an example. The two critical commands that prevent leaks (in the proxy vm configuration) are: iptables -I FORWARD -o eth0 -j DROP iptables -I FORWARD -i eth0 -j DROP This means that no forwarding can take place involving the upstream/clearnet interface eth0, so the only way out is through the vpn tunnel. Chris Hi Chris Thank you for the explanation, I want to know if I can use firewall tab in sys-net (or sys-firewall) like I have done in proxyVM because I have also a VPN in sys-net. If it isn't possible, do I change ip tables in sys-net while in all the other proxyVMs I use firewall tab? Regards The firewall tab (in any vm) is not a good place to add this restriction even if it did accept that kind of rule (which it does not). The best way is to run the vpn client in a separate proxy vm, and set the firewall rules with the qubes-firewall-user-script in that vm as shown in the doc. You can try to use qubes-firewall-user-script in the netvm, but I think this approach is untested. Of course, by Qubes standards it is insecure. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/86dd7246-b123-92ea-7430-076d4d2599ef%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Firewall rules
On 07/14/2016 10:39 AM, katerim...@sigaint.org wrote: Good day I'm using a VPN in sys-net and would setup firewall rules to stop internet connection if VPN crash. In sys-net isn't possible to insert ip addresses, then I did it in sys-firewall. With some tests I saw that if VPN disconnect suddenly, sys-net finds my wifi network and doesn't break the connection, as I would. How can I solve this? (in the proxyVMs all work well) Thank you Take a look at https://www.qubes-os.org/doc/vpn/ For leak protection and security it is best to set up a vpn client in a proxy vm, between sys-net and the appvms. You can follow the instructions from the doc "Using iptables and openvpn", or use the firewall script as an example. The two critical commands that prevent leaks (in the proxy vm configuration) are: iptables -I FORWARD -o eth0 -j DROP iptables -I FORWARD -i eth0 -j DROP This means that no forwarding can take place involving the upstream/clearnet interface eth0, so the only way out is through the vpn tunnel. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/97718377-07be-93f8-4832-ec4c3baeda8a%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] AEM boot option causes hard reboot/partial shutdown (Lenovo T450s)
On 07/12/2016 11:15 AM, Chris Laprise wrote: On 07/12/2016 01:48 AM, Chris Laprise wrote: On 07/05/2016 02:21 PM, Marek Marczykowski-Górecki wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, Jul 04, 2016 at 10:26:51AM -0400, Chris Laprise wrote: If I replace the kernel with 4.1 from R3.1, it can make it to the AEM target and the decrypt prompt. It chokes just after decrypting the volumes, but that's to be expected. The 4.4 kernel appears to introduce some factor that causes the crash. Interesting, have you tried 4.2 kernel from R3.1 unstable repository? Do you have any means of collecting kernel/xen messages? I guess you've already disabled "quiet" kernel option and also removed "console=none" from xen cmdline. If this doesn't help, try adding "noreboot" and "sync_console" to xen cmdline. If you have serial console (on docking station?) if would be easier to reliably get log messages. - -- I just tried the 4.2 kernel on the stick created by AEM under R3.2rc1; It seems to work as well as 4.1. I'll try 4.4 again removing those boot options. Unfortunately, the only docking station here is the kind lacking serial ports. Chris A bit more info: Removing rd.antievilmaid from 4.4.12 options doesn't help; it still restarts. I also tried 4.4.14 in the unstable repo but that did not help. It appears to be an incompatibility between kernel version 4.4 and tboot. Chris I am able to get 4.4.* to boot now! The trick was to add 'min_ram=0x200' to the tboot options like I used to do--the AEM README describes how. But now I cannot get AEM to seal the secret. Nothing at all about AEM is displayed during startup, even though rd.antievilmaid is on the kernel options line. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/94a77415-079f-fd21-78e1-766c0ab3303e%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Multi-drive computers installation
On 07/12/2016 08:35 PM, Drew White wrote: Has anyone been able to install Qubes on a multi-drive PC as a multi-drive PC without having all drives formed into 1 yet? Anaconda always seems to mess up when I manually setup partitions. But both LVM and Btrfs will let you expand volumes into other partitions after installation. The trick is to luks encrypt the partitions first, preferably using the same passphrase as your initial volume. Then you adjust your crypttab and update grub.conf with the new additions. The downside is your kernel options line can get very very long. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b27e6dbb-d716-1e5c-feaa-406d32d9cd23%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Buying new laptop.. What check should I do in-store..?
On 07/12/2016 08:04 PM, neilhard...@gmail.com wrote: Is it worth checking for a BIOS compatible with coreboot or libreboot, or some kind of open source BIOS..? Is it true that if I have a Intel ME processor, but a motherboard that isn't compatible.. that at least this prevents network access to Intel ME...? For example, in my current laptop, there is no mention of Intel ME in the BIOS at all.. etc etc So yeah, just looking for as many different compatibility checks as possible. IMO most laptops sitting "in a store" are pretty awful. They usually represent the most cost-reduced models of their line, leaving out things like Vt-d/IOMMU and a TPM. Still, a trip with a Qubes disk could be educational. I think you named the main points to look for. You may also want to consider the Librem, which is certified as Qubes compatible. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c022d15a-3584-0264-c704-01eca4ca4b3c%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] AEM boot option causes hard reboot/partial shutdown (Lenovo T450s)
On 07/12/2016 01:48 AM, Chris Laprise wrote: On 07/05/2016 02:21 PM, Marek Marczykowski-Górecki wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, Jul 04, 2016 at 10:26:51AM -0400, Chris Laprise wrote: If I replace the kernel with 4.1 from R3.1, it can make it to the AEM target and the decrypt prompt. It chokes just after decrypting the volumes, but that's to be expected. The 4.4 kernel appears to introduce some factor that causes the crash. Interesting, have you tried 4.2 kernel from R3.1 unstable repository? Do you have any means of collecting kernel/xen messages? I guess you've already disabled "quiet" kernel option and also removed "console=none" from xen cmdline. If this doesn't help, try adding "noreboot" and "sync_console" to xen cmdline. If you have serial console (on docking station?) if would be easier to reliably get log messages. - -- I just tried the 4.2 kernel on the stick created by AEM under R3.2rc1; It seems to work as well as 4.1. I'll try 4.4 again removing those boot options. Unfortunately, the only docking station here is the kind lacking serial ports. Chris A bit more info: Removing rd.antievilmaid from 4.4.12 options doesn't help; it still restarts. I also tried 4.4.14 in the unstable repo but that did not help. It appears to be an incompatibility between kernel version 4.4 and tboot. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/85ff2024-584d-a10a-d91d-70c6a5aff820%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] AEM boot option causes hard reboot/partial shutdown (Lenovo T450s)
On 07/05/2016 02:21 PM, Marek Marczykowski-Górecki wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, Jul 04, 2016 at 10:26:51AM -0400, Chris Laprise wrote: If I replace the kernel with 4.1 from R3.1, it can make it to the AEM target and the decrypt prompt. It chokes just after decrypting the volumes, but that's to be expected. The 4.4 kernel appears to introduce some factor that causes the crash. Interesting, have you tried 4.2 kernel from R3.1 unstable repository? Do you have any means of collecting kernel/xen messages? I guess you've already disabled "quiet" kernel option and also removed "console=none" from xen cmdline. If this doesn't help, try adding "noreboot" and "sync_console" to xen cmdline. If you have serial console (on docking station?) if would be easier to reliably get log messages. - -- I just tried the 4.2 kernel on the stick created by AEM under R3.2rc1; It seems to work as well as 4.1. I'll try 4.4 again removing those boot options. Unfortunately, the only docking station here is the kind lacking serial ports. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7e3ad0a9-8e49-7de8-1aa9-20898f3d6bba%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes-users forum - Please, moderate this guy
On 07/09/2016 08:17 AM, Gorka Alonso wrote: https://groups.google.com/d/msg/qubes-users/V8_SvMk0yx0/P4VNTpFnBQAJ "Achim. Don't forget YOU are the homosexual, NOT ME. That's a mental disease, doesn't matter if for political reasons was removed or not from disease list." Even me, being heterosexual, feel offended with this attitude. I agree. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/80af9b5a-8c3b-77ea-044a-db5546b17ee6%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Template installation not being reflected on AppVMs
On 07/08/2016 07:27 PM, danmichaels8...@gmail.com wrote: I am using QUBES 3.0 Fedora-21 When I install certain programs in the template VM for fedora, they do not show up in the AppVMs, even after restarting each of the AppVMs. I installed google-chrome-stable, and yet, it's not reflected in the AppVMs. I have to re-install Chrome inside the actual AppVM every time I start it up. What's up with that...? Did you shutdown the template vm before re-starting the appvms? Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8f83f5f6-0d9b-7ab5-723e-3a32405092cc%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes top priorities suggestions for me as an user.
On 07/08/2016 12:27 AM, raahe...@gmail.com wrote: I'm also confused, you say gpus are so insecure and that qubes is not doing enough to isolate them? I don't think that's what I implied. But trying to be concise on a complex subject can leave some people with the wrong impression, so I apologize if I've left out too much. Two issues with GPUs I'm assuming are that they represent a target for malware (being a large computing resource), and also that when we try to isolate them most do not respond well to bus commands that enable things like passthrough (i.e. they do not 'behave' in IOMMU isolation). Passthrough is also clunky, requiring at least another display output. GPU virtualization is another way for domU apps to access GPU functions, and it shouldn't require separate displays or secondary graphics chips. Excuse me for being noob but doesn't qubes not allow most gpu functions to go past dom0. AFAIK, Qubes doesn't allow any GPU functions whatsoever from domU into dom0. Qubes graphics are virtualized in a 2D, non-accelerated way. Having limited developer resources, that is a good first step to making the system secure and I'm glad it works that way--for now. But I also realize that needs to be a transitional phase and to not remain the status quo. Graphics vendors are currently demonstrating GPU virtualization technology that would make GPU utilization safe, inviting developers to use it. ITL says this would take a lot of developer effort, however. And so you would rather have them in domu domains with similar isolation as the netcard vm (which has no choice) and you would feel that more secure? I'm no expert so dont' know if thats true. If not would even having the ability on machine make me more vulnerable even if not applying it myself? excuse my noobness. Hmmm, no. I think the choice is to either leave the GPU in a privileged domain such as dom0 and employ GPU virtualization to allow safe access from domUs, or to improve in some way the current (impractical) practice of isolating secondary graphics cards in domUs so that they actually work when they're properly isolated. Most people also dont' have two gpus in their machine, which you imply would be the most secure way to use this feature? Only people I know of that do are gamers. If you do graphic designing and need to use special professional programs that require gpu processing I would recommend using a separate computer. But it seems this might be a feature in the future on Qubes. I wouldn't call it a priority though. A lot of people have two GPUs and don't realize it. Even so, its not like we are talking about great expense here: Even having access to weaker GPUs could make a big difference in Qubes' power and usability. I think Qubes is fine for normal everyday users doing everyday tasks for home and office use. I can still edit photos, watch movies, create greeting cards, view almost any webpage. Only thing I can't do is play video games. And thats fine I have another machine for that, since i consider playing video games one of the most dangerous things you can do online anyways. Projecting our own personal routines on the issue will probably not be of much help. And I think I've already made the case against framing this as a games issue; I'd urge the community not to look down its nose on graphics in this way or we will find the world of graphics can stare back at us more sharply. If it gets to the point where OpenBSD is recommended over Qubes because the latter "can't do much" and "lack of GPU virtualization sounds pretty insecure" then I think we'll be in real trouble. :) Its nice that you have so much faith in Qubes and that it can stop all attacks, but that is unrealistic. There is still always danger when doing untrusted tasks even when using Qubes, even with its hardware isolation. People should realize what. Qubes themselves describe it as "somewhat" secure, meaning much better then a traditional os, but nothing is 100%. That is always a factor no matter what we do with Qubes. But it seems to me that the simple Qubes interfaces have already been used to enable some pretty complex functionality "securely". I don't think it follows that accessing GPUs through them necessarily incurs unacceptable risk; but even if this is a possibility, it requires further investigation. Since GPU manufacturers now have an incentive to not appear as an element that undermines security (hence, the GPU virtualization initiatives they're taking) there is a good chance that some reasonably secure accommodation can be made for primary graphics. The alternative is to endow Qubes systems with secondary graphics that work nicely with passthrough. Currently, users can experiment with this in a piecemeal fashion and likely meet with failure. Chris -- You received this message because you are subscribed t
Re: [qubes-users] Qubes top priorities suggestions for me as an user.
On 07/07/2016 12:45 PM, Duncan Guthrie wrote: On 7 July 2016 16:53:35 BST, Chris Laprise <tas...@openmailbox.org> wrote: On 07/07/2016 10:40 AM, Duncan Guthrie wrote: On 7 July 2016 03:28:48 BST, Chris Laprise <tas...@openmailbox.org> wrote: On 07/06/2016 09:42 PM, raahe...@gmail.com wrote: I'm not so adamant about wanting gpu passthrough on qubes, cause imo, gaming online usually means all security is out the window. Plus I feel as though gpu is much bigger attack surface for side channel attacks then net card. I could be wrong because I have no clue about low level stuff, but I feel it would somehow undermine purpose of using qubes. Maybe I'm wrong. I think this is wrong because many kinds of apps rely on GPUs now: Media decoding and creation, 3D design and printing (I would love to have even just SketchUp on Qubes!), and any other responsive 3D interface that app designers want to offer. This even includes web pages, crypto-currency, and many scientific apps. GPUs are now general processing engines that embody MOST of a typical computer's processing power. This is not about games. I think this is wrong. Most heavy computer users work in offices and do word processing and spreadsheets, the 'average' casual use is generally web browsing and light media consumption. Qubes works fine for using Libreoffice, web applications and social media, and programming e.g. in Python. Graphics designers can use GIMP or InkScape, or any of the Windows programs that they commonly use. It is true that you won't be able to use 3D applications like SketchUp, but I do not think such tasks constitute most of the average workload as you say. Perhaps they make up most of your workload, but I don't think that you speak for everyone here. I have found Qubes works for me, and people I know do similar tasks on their computers. Furthermore, there is no getting around the fact that visual rendering is integral to security. The GPU can see any private info that you can, and if compromised can take steps to trick users into sabotaging their own privacy and security. Like the CPU, the GPU must be accepted as a core component of trust, and protected as such... at least any GPU that operates the admin and trusted domains. It is fortunate that we at least have a trend of integrated GPUs (in APUs) where the GPU is manufactured into the same package as the (implicitly) trusted CPU. For the time being, this is a boost to Qubes' compatibility and security even if the GPUs are under-utilized. For Qubes to either 1) give up on GPU support, or 2) relegate them to untrusted status would be an _irretrievable_ error in judgment. It would make the OS a 21st century terminal application, because the lions share of the power expected by PC users would be missing (as it is currently). Chris I dispute this argument. Dropping "GPU support" (I am not sure where you get this impression) is hardly going to make Qubes a terminal application. You can use anything that uses 2D graphics, and can play music and movies, and do word processing, and email, and software development, and... The list goes on. Qubes is about security, and allowing such high level access for the GPU is a terrible compromise. I am not proposing that domUs have direct access to graphics systems operating in dom0. GPU access needs to be properly virtualized, and thankfully some groundwork by Intel (and probably others) has been laid for it. Alternately, a specification for well-behaving discrete graphics could make graphics passthrough a realistic option for many people. Marek has already stated that any domU used for primary graphics (as unrealistic as that may be, given the state of passthrough compatibility) will be a trusted one, and that the purpose of such an implementation would be to facilitate the use of Linux graphics drivers while the rest of the OS slims down and experiments with microkernel admin and storage vms. The current state is, of course, one of trusting the GPU. That poses a problem for those who want both discrete graphics and anti-tampering (AEM) but otherwise? I don't see the compromise you mention. What are you suggesting then? You are criticising Qubes for not having good GPU support, but recognise that you can't have good security when GPU has access to hardware? I am sorry but I don't understand your point fully, and would appreciate it if you could elaborate further. What is your solution, do you want there to be virtualised domains for GPU? If I remember correctly, this is a feature being worked on. Qubes doesn't have good GPU support; It is a work in progress on many fronts. I mentioned that it could go in the direction of GPU virtualization or better passthrough support, or both. In either case, there would still be a protected primary graphics card that would at least render dom0 and other trusted domains. But with the former, the primary graphics can also s
Re: [qubes-users] Qubes top priorities suggestions for me as an user.
On 07/07/2016 10:40 AM, Duncan Guthrie wrote: On 7 July 2016 03:28:48 BST, Chris Laprise <tas...@openmailbox.org> wrote: On 07/06/2016 09:42 PM, raahe...@gmail.com wrote: I'm not so adamant about wanting gpu passthrough on qubes, cause imo, gaming online usually means all security is out the window. Plus I feel as though gpu is much bigger attack surface for side channel attacks then net card. I could be wrong because I have no clue about low level stuff, but I feel it would somehow undermine purpose of using qubes. Maybe I'm wrong. I think this is wrong because many kinds of apps rely on GPUs now: Media decoding and creation, 3D design and printing (I would love to have even just SketchUp on Qubes!), and any other responsive 3D interface that app designers want to offer. This even includes web pages, crypto-currency, and many scientific apps. GPUs are now general processing engines that embody MOST of a typical computer's processing power. This is not about games. I think this is wrong. Most heavy computer users work in offices and do word processing and spreadsheets, the 'average' casual use is generally web browsing and light media consumption. Qubes works fine for using Libreoffice, web applications and social media, and programming e.g. in Python. Graphics designers can use GIMP or InkScape, or any of the Windows programs that they commonly use. It is true that you won't be able to use 3D applications like SketchUp, but I do not think such tasks constitute most of the average workload as you say. Perhaps they make up most of your workload, but I don't think that you speak for everyone here. I have found Qubes works for me, and people I know do similar tasks on their computers. Furthermore, there is no getting around the fact that visual rendering is integral to security. The GPU can see any private info that you can, and if compromised can take steps to trick users into sabotaging their own privacy and security. Like the CPU, the GPU must be accepted as a core component of trust, and protected as such... at least any GPU that operates the admin and trusted domains. It is fortunate that we at least have a trend of integrated GPUs (in APUs) where the GPU is manufactured into the same package as the (implicitly) trusted CPU. For the time being, this is a boost to Qubes' compatibility and security even if the GPUs are under-utilized. For Qubes to either 1) give up on GPU support, or 2) relegate them to untrusted status would be an _irretrievable_ error in judgment. It would make the OS a 21st century terminal application, because the lions share of the power expected by PC users would be missing (as it is currently). Chris I dispute this argument. Dropping "GPU support" (I am not sure where you get this impression) is hardly going to make Qubes a terminal application. You can use anything that uses 2D graphics, and can play music and movies, and do word processing, and email, and software development, and... The list goes on. Qubes is about security, and allowing such high level access for the GPU is a terrible compromise. I am not proposing that domUs have direct access to graphics systems operating in dom0. GPU access needs to be properly virtualized, and thankfully some groundwork by Intel (and probably others) has been laid for it. Alternately, a specification for well-behaving discrete graphics could make graphics passthrough a realistic option for many people. Marek has already stated that any domU used for primary graphics (as unrealistic as that may be, given the state of passthrough compatibility) will be a trusted one, and that the purpose of such an implementation would be to facilitate the use of Linux graphics drivers while the rest of the OS slims down and experiments with microkernel admin and storage vms. The current state is, of course, one of trusting the GPU. That poses a problem for those who want both discrete graphics and anti-tampering (AEM) but otherwise? I don't see the compromise you mention. Defining personal computing and what most people want as a list of traditional activities--instead of using examples of innovative apps and the kind of directions app developers can go--is a mistake that leads projects into an unbearable surfeit of unsupported corner cases. And seriously-- if that's what it would come to then just develop a convenient firmware verification and re-flashing system and run TAILS on the hardware; it would save considerable time and effort. An accurate view of use cases would hardly stop at office software and playing music because almost everyone has make-or-break corner cases. Teleconferencing and 3D printing, for example, are now SMB and home user activities that benefit from GPUs, which become more necessary due to the extra CPU overhead of domain isolation. As for suggesting server-based processing of large jobs to Qubes users... I'm not even sure where to start with t
Re: [qubes-users] Qubes 3.1 crashing, no warning, no error message (Lenovo X230)
On 07/07/2016 06:49 AM, Andreas Rasmussen wrote: On 07/07/2016 05:32 AM, Chris Laprise wrote: On 07/06/2016 01:28 PM, Andreas Rasmussen wrote: Hi! I bought a Lenovo x230 and installed Qubes 3.1 early may. It has worked like a charm, but in the last two or three weeks the computer has been shutting down without warning or error message. It has happened five times with no apparent pattern. It has both happened with both many and few VM's open. The crash goes like this: The screen freezes for 3-5 seconds, then the computer reboots. I get no error message. The reboot looks like a normal boot. I have tried to look in the logfiles, but I'm not sure I'm looking the right places. So for starters: Can anyone tell me what files to look in? /var/log/messages only seem to have information about the session after the crash, same goes for boot.log. (My computer skills are limited, so please bare with me) best, Andreas Logitech mice are known to trigger this bug. Chris . Where do I read more on this? Thanks for the input! https://github.com/QubesOS/qubes-issues/issues/1689 Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bc8b377e-8d90-5594-27d7-94d2e9b4261e%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes 3.1 crashing, no warning, no error message (Lenovo X230)
On 07/06/2016 01:28 PM, Andreas Rasmussen wrote: Hi! I bought a Lenovo x230 and installed Qubes 3.1 early may. It has worked like a charm, but in the last two or three weeks the computer has been shutting down without warning or error message. It has happened five times with no apparent pattern. It has both happened with both many and few VM's open. The crash goes like this: The screen freezes for 3-5 seconds, then the computer reboots. I get no error message. The reboot looks like a normal boot. I have tried to look in the logfiles, but I'm not sure I'm looking the right places. So for starters: Can anyone tell me what files to look in? /var/log/messages only seem to have information about the session after the crash, same goes for boot.log. (My computer skills are limited, so please bare with me) best, Andreas Logitech mice are known to trigger this bug. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0cbd52e5-8f24-8d9e-3f72-7650bb7ef0dc%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)
On 07/05/2016 11:03 AM, gaikokujinkyofu...@gmail.com wrote: On Tuesday, July 5, 2016 at 10:44:03 AM UTC-4, Chris Laprise wrote: On 07/05/2016 10:17 AM, gaikokujinkyofu...@gmail.com wrote: On Tuesday, July 5, 2016 at 5:52:08 AM UTC-4, Chris Laprise wrote: On 07/04/2016 08:42 PM, gaikokujinkyofu...@gmail.com wrote: No worries, honestly I should have thought of the sudo myself. Well, running it with sudo and it went swimmingly, it connected so that is good, another hurdle cleared. I am now back to one of your earlier posts in this thread, regarding the qubes-firewall-user-script. I have to admit that I am not totally clear on needing to run the groupadd (it seems to be run in the firewall script?) but I ran it (and it shows up in /etc/group so I guess thats good?) but then on the next line: sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn I get an error saying: Options error: In [CMD-LINE]:1: Error opening configuration file:openvn-client.ovpn I don't understand groups and ids very well so am not sure where there breakdown is here, perhaps I need to set something regarding the openvpn-client.ovpn file? Error message indicates that the filename has a typo: 'openvn-client.ovpn' should be 'openvpn-client.ovpn'. File ids will be OK if you created them with sudo. Running groupadd multiple times with 'f' option is fine, too. Chris Thanks Chris & Eva. I rechecked what I typed (I was typing from one computer the error from another computer that time, logged in on the same comp so am c/p outputs now) and I actually had typed it correctly. I also tried adding the full paths to the openvpn-client.ovpn files as suggested (though I added ca.crt and crl.pem instead of ca.key and crl.key, assuming thats ok?). As for my openvpn.config (openvpn-client.ovpn right?) being stored in the wrong place, I have it in /rw/config/openvpn/ should it be somewhere else? Regardless, after doublechecking what I typed, and adding the full path in as suggested the below is what I got, this time a c/p :p [user@VPN openvpn]$ sudo openvpn --cd /rw/config/openvpn/ --config /rw/config/openvpn/openvpn-client.ovpn Options error: In [CMD-LINE]:1: Error opening configuration file: /rw/config/openvpn/openvpn-client.ovpn Use --help for more information. [user@VPN openvpn]$ thoughts? I have seen SELinux restrictions cause this error. But that shouldn't be a concern if you're using a regular fedora 23 or debian 8 template. Did you enable SELinux or Apparmor? http://unix.stackexchange.com/questions/94806/openvpn-options-error-in-cmd-line1-error-opening-configuration-file Can you do 'ls -lZ /rw/config/openvpn' and paste the output here? Chris I am vaugely familar with SElinux and apparmour (hardening?) but I have not enabled it, at least not intentionally (not tinkered with anything realted to it either). But as for output, absoulutely! here it is: [user@VPN openvpn]$ ls -lZ /rw/config/openvpn total 16 -rw-r--r-- 1 root root ? 1395 Jul 4 17:56 ca.crt -rw-r--r-- 1 root root ? 577 Jul 4 17:56 crl.pem -rw-r--r-- 1 user user ? 375 Jul 5 09:58 openvpn-client.opvn -rwxr-xr-x 1 root root ? 1088 Jul 3 20:45 qubes-vpn-handler.sh [user@VPN openvpn]$ That shows the problem, I think. Change the ownership of the ovpn file to root... sudo chown root:root /rw/config/openvpn/openvpn-client.opvn Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/805c334c-8f46-b747-0956-8c410381287f%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] AEM boot option causes hard reboot/partial shutdown (Lenovo T450s)
Is there an issue open for this yet? Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/82f9adc2-5510-f3f3-db1a-e6d8850a8a6f%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)
On 07/05/2016 10:17 AM, gaikokujinkyofu...@gmail.com wrote: On Tuesday, July 5, 2016 at 5:52:08 AM UTC-4, Chris Laprise wrote: On 07/04/2016 08:42 PM, gaikokujinkyofu...@gmail.com wrote: No worries, honestly I should have thought of the sudo myself. Well, running it with sudo and it went swimmingly, it connected so that is good, another hurdle cleared. I am now back to one of your earlier posts in this thread, regarding the qubes-firewall-user-script. I have to admit that I am not totally clear on needing to run the groupadd (it seems to be run in the firewall script?) but I ran it (and it shows up in /etc/group so I guess thats good?) but then on the next line: sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn I get an error saying: Options error: In [CMD-LINE]:1: Error opening configuration file:openvn-client.ovpn I don't understand groups and ids very well so am not sure where there breakdown is here, perhaps I need to set something regarding the openvpn-client.ovpn file? Error message indicates that the filename has a typo: 'openvn-client.ovpn' should be 'openvpn-client.ovpn'. File ids will be OK if you created them with sudo. Running groupadd multiple times with 'f' option is fine, too. Chris Thanks Chris & Eva. I rechecked what I typed (I was typing from one computer the error from another computer that time, logged in on the same comp so am c/p outputs now) and I actually had typed it correctly. I also tried adding the full paths to the openvpn-client.ovpn files as suggested (though I added ca.crt and crl.pem instead of ca.key and crl.key, assuming thats ok?). As for my openvpn.config (openvpn-client.ovpn right?) being stored in the wrong place, I have it in /rw/config/openvpn/ should it be somewhere else? Regardless, after doublechecking what I typed, and adding the full path in as suggested the below is what I got, this time a c/p :p [user@VPN openvpn]$ sudo openvpn --cd /rw/config/openvpn/ --config /rw/config/openvpn/openvpn-client.ovpn Options error: In [CMD-LINE]:1: Error opening configuration file: /rw/config/openvpn/openvpn-client.ovpn Use --help for more information. [user@VPN openvpn]$ thoughts? I have seen SELinux restrictions cause this error. But that shouldn't be a concern if you're using a regular fedora 23 or debian 8 template. Did you enable SELinux or Apparmor? http://unix.stackexchange.com/questions/94806/openvpn-options-error-in-cmd-line1-error-opening-configuration-file Can you do 'ls -lZ /rw/config/openvpn' and paste the output here? Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/317c583a-f734-cdb1-aede-57932d57fe3f%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes top priorities suggestions for me as an user.
On 07/05/2016 04:43 AM, Marek Marczykowski-Górecki wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, Jul 04, 2016 at 10:46:52PM -0700, juris...@gmail.com wrote: 1) qubes is a system for security and isolation. But when you install, you have no encryption options. Full disk encryption is enabled in default installation option. 2) Qubes face 2 problems nowadays for engaging new users with real security. a) Qubes is a system for HIGH END computers with lots of RAM. Usually if for people that has WINDOWS and GAMES also, a good GPU, and wont waste their machine on a UNIQUE linux system at least without dual boot. b) Nvidia spy on people, with their streaming @!^@^% they put in new gpus, network, etc, and people are suspicious amd too. But most consumers are from nvidia. nvidia now spy on hardware level. Does not matter the system security. The solution? REAL windows virtualization with GPU PASSTROUGH. So, the high end computers can use windows for what they need and even play games. Plus, if you do use nvidia in dom-0, they WILL capture the screen on hardware level. Nouveau is not working right for a long time. Onboard or gpu 1 for dom-0 and nvidia or amd high end for windows VM. If the person doesnt have 2 monitors, it can change the vga adapter from 1 to other to use windows after starting the vm. that would be perfect. So we give a finger to nvidia and the drivers problems they cause, and we isolate their spying inside windows vm, plus eliminating the need for a dual boot and for everyone not using their gaming gpus. This was discussed many times, so search the archive for more detailed answer. In short: GPU will always be able to see the screen content - this is what GPU does. Having GPU passthrough done securely (for example without increasing dom0 attack surface by launching qemu there) is quite hard because GPUs use a lot of non standard tricks and hacks in addition to standard PCI operation. Implementing this is on our roadmap, but it is hard and will take time. I must ask: Does ITL have a list of well-behaved hardware on which this can be accomplished? If there are any laptops out there with the kind of workstation-class GPUs that would respond to passthrough predictably and reliably--even just one model--then maybe it should be plastered on the front page of qubes-os.org. Beyond that, I think you know my views about Qubes needing more comprehensive hardware focus--even design. From here, Qubes with designed-for-Windows PCs looks like a strained marriage that's getting worse, and the latter was never the kind of blank canvas that many considered it to be. BTW, I think jurisdan does have an excellent point on #4. It would be prudent to flag anon proxy vms (the way rpm-sourced templates are flagged) so that QM and tools can take preventative action under some circumstances: Switching any appvm away from an anon-flagged proxy should result in a warning dialog. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/16b80eaa-5d05-fb82-87bc-b0d72d09a0f1%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)
On 07/04/2016 08:42 PM, gaikokujinkyofu...@gmail.com wrote: No worries, honestly I should have thought of the sudo myself. Well, running it with sudo and it went swimmingly, it connected so that is good, another hurdle cleared. I am now back to one of your earlier posts in this thread, regarding the qubes-firewall-user-script. I have to admit that I am not totally clear on needing to run the groupadd (it seems to be run in the firewall script?) but I ran it (and it shows up in /etc/group so I guess thats good?) but then on the next line: sudo sg qvpn -c openvpn --cd /rw/config/openvpn/ --config openvpn-client.ovpn I get an error saying: Options error: In [CMD-LINE]:1: Error opening configuration file:openvn-client.ovpn I don't understand groups and ids very well so am not sure where there breakdown is here, perhaps I need to set something regarding the openvpn-client.ovpn file? Error message indicates that the filename has a typo: 'openvn-client.ovpn' should be 'openvpn-client.ovpn'. File ids will be OK if you created them with sudo. Running groupadd multiple times with 'f' option is fine, too. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/36fac245-7549-00c2-9fa8-3c21ef2e5392%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] AEM boot option causes hard reboot/partial shutdown (Lenovo T450s)
If I replace the kernel with 4.1 from R3.1, it can make it to the AEM target and the decrypt prompt. It chokes just after decrypting the volumes, but that's to be expected. The 4.4 kernel appears to introduce some factor that causes the crash. Swapping xen 4.6.1 with 4.6.0 has no visible effect either way. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c2806248-ec97-631e-70b2-7b4d0e96fbfc%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] newbie question about port forwarding and remote connection
On 07/04/2016 09:29 AM, Nicola Schwendener wrote: Hello all, I'm totally new in Qubes OS. I'm moving from Windows and a "single" OS doing all... I'm posing some (stupid) questions that maybe I understand better how to migate it: Right now I've NoMachine running on my windows pc, allowing connection through sshd daemon and let me doing whatever I want on the PC how can I accomplish that on qubes? If I install on the fedora template, how can I manage the application to run (and in which AppVM)? I don't think is the case to expose the dom0 in order to allow working remotely as I were at home. thank you very much best regards Nick -- Hi, There is a helpful guide on port-forwarding for Qubes appvms: https://www.qubes-os.org/doc/qubes-firewall/ You could install nomachine in either a template or a standalone appvm. If you do the former, you may want to also use 'systemctl disable' on the nomachine service in the template... then you would enable it in the appvm which uses that template. (You would have to re-enable it each time you booted the appvm, however.) With a standalone appvm, installing the software is much the same as any regular OS. You just have to take care of port forwarding (see above link). dom0 isn't a networked domain, and its against Qubes security philosophy to access it remotely. Of course, you can find ways to circumvent this. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e0d06d13-4626-5e81-17cd-7c899d02053b%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] AEM boot option causes hard reboot/partial shutdown (Lenovo T450s)
On 07/04/2016 07:26 AM, Marek Marczykowski-Górecki wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sun, Jul 03, 2016 at 09:20:47PM -0400, Chris Laprise wrote: AEM is now causing reboots for me as well, after installing it under R3.2rc1. Has there been any progress on this? I don't see any signed sources of the newer tboot versions, so I'm reluctant to try them. Try setting `pci_e820_host` property to false on sys-net and sys-usb. - -- I tried it anyway (without success), but the reset is occurring well before the decryption prompt. It happens just after the 'Loading...' grub screen vanishes and there is a cursor at the top of a black screen (before plymouth GUI screen would appear). I still have a boot image with a working AEM. If I could use it to help eliminate some possible causes, like the new kernel version for instance... Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/37e04782-65ef-924e-ba17-567ca3993068%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Creating a VPN VM using openvpn issues? (starting with no /rw/config/openvpn ?)
On 07/03/2016 09:14 PM, gaikokujinkyofu...@gmail.com wrote: On Wednesday, June 22, 2016 at 1:48:33 PM UTC-3:30, gaikokuji...@gmail.com wrote: On Monday, June 20, 2016 at 5:19:27 AM UTC+5:45, Chris Laprise wrote: On 06/19/2016 10:13 PM, gaikokujinkyofu...@gmail.com wrote: On Thursday, June 16, 2016 at 6:33:48 PM UTC+9, gaikokuji...@gmail.com wrote: I started trying to create a VPN VM following the https://www.qubes-os.org/doc/vpn/ page. I checked if openvm was installed, it was (using fedora/ using the "firewall" for the allow networking option not mentioned in the VPN page). There was not a /rw/config/openvm dir so I tried making one then went through the rest of the instructions. I am double checked what I did against the instructions and am fairly sure I followed them correctly. I tried setting my now "VPN" vm as the netvm, shutdown both then restarted vpn vm then the modified-to-use-vpn vm appvm and tried connecting to the internet, nada. I did go to the Fedora "establishing a VPN Connection" page but intimidating is a bit of an understatement. How can I go about diagnosing what is not working? I worked on this a bit more. Waded through the fedora establishing a VPN connection page, rather confusing, but I opened a Network settings window for my VPN VM and added a VPN by importing a openvpn config file via the VPN add a network connection's "import from file" option (and it seemed to import fine). Now I am not entirely sure what I have. I of course did everything outlined in the Qubes VPN page. I now have two network connection icons, one for my wifi and another showing the VPN VM's eth? problem is the VPN VM ethernet connection doesn't seem to be connected. When I go to network via *settings* it now shows me three connections: Wired, the VPN I setup, and Network Proxy. When I go via *Network Connections* it now shows me under Ethernet "VM uplink eth0" and under VPN "VPN Provider" (the provider whose openvpn config I imported). It shows the ethernet as having been used within the last few minutes but the VPN as never having been used. On the Fedora page it mentions setting an autoconnect (automatically connect to VPN when using this connection) option which I thought it was talking about for the VPN but as I couldn't find it on the VPN connection and could on the eth0 connection I tried setting the autoconnect to (and selected the VPN connection from the pull down menu) but while I can select it it does not stay selected if I restart the VPN VM. Now I am not able to connect to the internet on the VPN VM and def not from another AppVM trying to use the VPN as a proxy. I am just not sure where I have gone wrong here. Where would I look for a log to start trying to figure out the issue? (I saw a "run in debug mode" under VM settings... might that be a place to start?) Thanks! Hi again... You should create a separate proxy vm for each type of vpn configuration you're trying, otherwise they will interfere with each other. To get the openvpn + firewall method working, first try running openvpn manually with 'sudo openvpn [...]' before adding any scripts. Omit the --daemon option so it will display information you can use to troubleshoot the link. Once you have the link working, you can try adding script lines to your .ovpn file and the qubes-vpn-handler, then test manually again. Finally, add the qubes-firewall-user-script and reboot the vm, then test again. Keep in mind that once you add the firewall it will block openvpn unless the latter is run under group 'qvpn' so you would type the following: sudo groupadd -rf qvpn sudo sg qvpn -c 'openvpn [...]' NM connection... Try it in a fresh vm. The vpn autoconnect might not work, however; The last time I tried to use it, NM behaved erratically (and did not have appropriate firewall protections anyway). Chris Thanks I will try that out. Some things came up so I hadn't gotten around to trying it out until now. I created a new VM, VpnVM, and ran openvpn openvpn.ovpn and yeah! it connected and I opened firefox from VpnVM, and it was using the vpn, then ran PersonalVM using VpnVM as my NetVM and PersonalVM also showed up as using the VPN so first hurdle cleared? Yes. Lots more hurdles though as my understanding of it all drops off precipitously. I modified the /rw/config/openvpn/openvpn-client.ovpn file with the script-security 2 up 'qubes-vpn-handler.sh up' down 'qubes-vpn-handler.sh down' lines and I created the qubes-vpn-handler.sh and changed permissions. I then tried to start openvpn /rw/config/openvpn/openvpn-client.ovpn and no go. I get errors: Options error: --ca fails with ca.crt: No such file or directory Options error: --crl-verify failes crl.prm: no such file or dir Options error: please correct these errors I didn't get these errors before I added the qubes-vpn-handler.sh thoughts? It looks like you swit
Re: [qubes-users] AEM boot option causes hard reboot/partial shutdown (Lenovo T450s)
On 05/30/2016 03:39 AM, Marek Marczykowski-Górecki wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sun, May 29, 2016 at 11:10:45PM -0700, Andrew David Wong wrote: On 2016-05-29 16:34, Marek Marczykowski-Górecki wrote: On Fri, May 27, 2016 at 03:27:50AM -0700, Andrew David Wong wrote: On 2016-05-19 02:34, Frank Schäckermann wrote: There should be a bootable BIOS-Updater-Image that can be burned to a CD and booted on the TP to get the BIOS updated. At least there was one for my Lenovo W530 a couple of weeks ago. Practically hassle free - not counting getting the CD burned on Qubes OS. ;-) But than again... the T450 mileage may vary... Thanks, Frank. Unfortunately, even after successfully updating the BIOS to the latest version, AEM is still not working (fails the same way as before). I really thought updating the BIOS would fix it, since there's a TPM-related fix in the BIOS patch notes. Marek, I noticed that the version of tboot being used is somewhat old (July 2014). Would upgrading tboot itself break compatibility with AEM? If so, are there any plans to upgrade AEM to be compatible with a newer version of tboot? I think newer tboot shouldn't break anything. The only reason for this particular version (1.8.2) is a package in Fedora. And I see even in Fedora 23 (planned as dom0 for Qubes 3.2), it's still at 1.8.2. Would it be as simple as "qubes-dom0-update tboot" or more complicated? It will not help, as there is no newer package for Fedora (even for upcoming Fedora 24). - -- AEM is now causing reboots for me as well, after installing it under R3.2rc1. Has there been any progress on this? I don't see any signed sources of the newer tboot versions, so I'm reluctant to try them. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c7a71215-370f-c35f-a135-9a16f97fe0ba%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Q wipe files
On 07/01/2016 01:14 AM, Andrew David Wong wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2016-06-30 13:47, 109384'109438'0194328'0914328'098 wrote: Hello, Q security policy don't protect against app-exploits, but give the tools to protect your data. Protect data, but not apps! It's very clever! If, I move a file from VM1_green to VM2_green, the the filemanger and the move-to-VM command. https://www.qubes-os.org/doc/copying-files/ Than later VM1 gets compromised in some way. So I must be sure that the old file(copy) was wiped. How Qubes wipes files, so that the secure copy and paste security mechanism will work, if the security-sensitive user will take this manual action, to protect his/her data? I assume, if I delete a file, it will work in the same safe way... Kind Regards I'm not sure if I understand your question. Is your question: "How can I securely wipe (delete) a file in a VM?" If this is your question, then the answer is basically the same as on a conventional OS. For example, if it's a Linux VM, then you can use the "shred" command. It's a matter of controversy whether this will make the file forensically unrecoverable, especially if it was written to an SSD that utilizes wear-leveling. Actually, how it works in a default Qubes setup is pretty reassuring... You don't need to shred if you are concerned only with domU programs accessing deleted files. Simply[1] deleting the file will cause its blocks to be /discarded/ so they cannot be recovered in any way by that VM except as zeroes. That is because the img file has had holes punched in it at those locations during the delete/trim (i.e. because the img is a sparse file). OTOH, dom0 may still be able to find the data. [1] Not so simple: Ensuring there are no remaining hard links; But there are ways to find these... https://linuxcommando.blogspot.com/2008/09/how-to-find-and-delete-all-hard-links.html Also, remove all snapshots for that volume after you delete the files in question. Chris However, if you believe that the VM that contains the file is compromised, and you've already qvm-copied out all the data you want to keep, why not simply destroy the whole VM? You can do this with qvm-remove (or the same via Qubes Manager). The same concern about forensic recoverability might arise at the dom0 level. You have a couple different options here: * You can use shred in dom0. The same caveat applies as above. * You can write the data to an encrypted disk/container in the first place, then just wipe the encryption header whenever you want to make the data unrecoverable. (Of course, if you use "shred" to wipe the header, then you're back to the previous issue, but at least anyone who recovers the header will still require the passphrase.) If you don't want to wipe your entire disk, you can store certain VMs in an encrypted disk/container and symlink them from /var/lib/qubes/*/, as described here: https://www.qubes-os.org/doc/secondary-storage/ (Or use some other method of relocating them.) - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJXdfxFAAoJENtN07w5UDAwMngP/RSa7rYAn/c6ylnzsZ0S/8+e RoCrXgS8PEwtql6Kt7uTHC7opgfiAljBzLKFKQ8u6l/hFeRWvb/zAxPvCQ14weFN Zktxu4A0yeW1LV+jAR6Z2keFnqqjtddDoWO+frGwpYXhm1BoxwFvHzQDnUQOchR/ Ayzs5X8Qr/F3KXJBAsphLKYKHFdZ6IKEA73SCCor2lzrzft+j4BZKQuIxRqiQRCA 59eB5lcdzdfMS5LbohNGFP8SM+3ApLPqMxxcrRCRvjq3f1+uqmIosGgd3ba4Phhs 97SMJkMeNHeWB1KcPfLcQE7zj17WJzi/Opm/IpN4mO38UlDk8Bt5Smt++tfqLlz3 uYj5/7QwoMGoGbHRFhTmWuM/GcKT2tTHZn6glGRxdyvXTJi/hCo/FMI44oFkh8cl YLJZ70DrTHM/qLB27S+8Q5Zi6Hl8KMEmU+VX08P53cC/UO1beCXrRA2Uu3/dWvrQ oVkVNK+bIyKjyR4HVQo/kHPnERr4jtedaG2By9smUNAq88uouzhMoj1/9RB8DKWu osV96fWj+t9qjSupC+FVENg5GwjR4vTJM5zAnaTHWmKbtLX3u6GDt0vTWju2shVW XukK0hqDtTG0myvTLUCklQj1l/O7hDMnSvD3guiGECfVBL/BOH9rg0i+AlCRBbGI wl3nktfK8BwMT2fh0YKA =3T5X -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b3ad8310-b372-e1f5-9204-71449d882ae8%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: [3.2rc1] Bug: Windows disappear, VMs go from green to yellow
On 06/30/2016 09:56 PM, Marek Marczykowski-Górecki wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, Jun 30, 2016 at 09:35:59PM -0400, Chris Laprise wrote: The gui daemon connection for debian 8 VMs is disappearing in two different scenarios: 1. When starting the VM, the status goes from yellow to green then back to yellow within about 3 seconds. 2. When exiting the vlc player, all windows for that vm will disappear. I can recover from this state by using qvm-run or QM to run something in the vm. Then the gui connection is restored and the vm's windows reappear. This guid.log error is found after the state changes to yellow: invalid PMaxSize for 0x54001ce (0/0) invalid PResizeInc for 0x54001ce (0/0) invalid PBaseSize for 0x54001ce (0/0) ErrorHandler: BadWindow (invalid Window parameter) Major opcode: 4 (X_DestroyWindow) ResourceID: 0x54001cf Failed serial number: 105463 Current serial number: 105465 I can always reproduce the error with vlc. When starting vms, the error occurs about 40% of the time. Already fixed in testing repo. https://github.com/QubesOS/qubes-issues/issues/2085 Thank you :)) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f4ac4744-c86f-78ed-c6e1-01c27662bbb0%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Networking
On 06/30/2016 09:50 PM, Drew White wrote: On Friday, 1 July 2016 11:42:05 UTC+10, Chris Laprise wrote: That's just a description of the emulated adapter. No, it's the physical speed of throughput of data actually. I'm not talking about a descriptor, I'm talking about the actual speed. HVM drivers do have throughput issues... https://discussions.citrix.com/topic/266073-virtual-nic-type-in-hvm-vms/ Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/dcdc6701-26c1-2393-1e25-138eaa4fe502%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Networking
On 06/30/2016 09:37 PM, Drew White wrote: Hi folks, Just wondering why my Win7 has only 100 Mbit networking instead of Gigabit? Is there any way to make it gigabit in the vm? When I only have 1 or 2 VMs running, to use only 100 Mbit out of a 1000 Mbit NIC is just wasteful. Please help. Thanks in advance. -- That's just a description of the emulated adapter. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ed53eee5-8b01-da95-33b5-b71165b7eaa0%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] [3.2rc1] Bug: Windows disappear, VMs go from green to yellow
The gui daemon connection for debian 8 VMs is disappearing in two different scenarios: 1. When starting the VM, the status goes from yellow to green then back to yellow within about 3 seconds. 2. When exiting the vlc player, all windows for that vm will disappear. I can recover from this state by using qvm-run or QM to run something in the vm. Then the gui connection is restored and the vm's windows reappear. This guid.log error is found after the state changes to yellow: invalid PMaxSize for 0x54001ce (0/0) invalid PResizeInc for 0x54001ce (0/0) invalid PBaseSize for 0x54001ce (0/0) ErrorHandler: BadWindow (invalid Window parameter) Major opcode: 4 (X_DestroyWindow) ResourceID: 0x54001cf Failed serial number: 105463 Current serial number: 105465 I can always reproduce the error with vlc. When starting vms, the error occurs about 40% of the time. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d82c223b-bcd7-b1a7-adcb-8448377f089f%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes Manager issues
On 06/29/2016 10:12 PM, Drew White wrote: Hi folks, I've just had Qubes Manager go haywire on me. Freezes up because it's using 597 MB RAM with 38 MB shared. That's just rhediculous. I had to kill the process to get out of it. And as usual, it won't start again and I have to reboot the system. I don't see how it could be nearly 600 MB RAM just for one application like that. Just thought I should let you know the issue. If it used less RAM, then Dom0 would not require more than 1 GB RAM. But one would give it 2GB just to be on the safe side. If anyone else is having this issue, or knows how to resolve this bug, please let me know. I've complained about Qubes Manager not starting before, but got no resolution then, so now I'm putting it here where it's the issue, not something else that caused it, because it's not something else that caused it to be almost 600 MB in RAM. -- Drew, About how long had it been running when you saw it at 597 MB? Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b5f19b28-7218-00a5-da08-6b262fe9d1d4%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Qubes 3.2 rc1 has been released!
On 06/28/2016 02:23 PM, Marek Marczykowski-Górecki wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Tue, Jun 28, 2016 at 10:36:42AM -0700, raahe...@gmail.com wrote: Will we be able to upgrade to 3.2 from dom0 update eventually? Or if we choose not to reinstall is there security implications? Yes. Experimental instruction already online: https://www.qubes-os.org/doc/upgrade-to-r3.2/ - -- FWIW, I tried this yesterday and it produced a system that stalled in the middle of booting, so I installed fresh from DVD. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b24f83d8-ebe8-98c2-1397-1e278355b886%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Opengl, passwords, crypt, vpn and docs
On 06/27/2016 09:18 PM, Eva Star wrote: 1) VPN doc say at the first part that need to add "network-manager" and enable it. At the second part it's without "network-manager". When/On what situations I need I enable? When using a proxy vm to run the vpn client, you can either enable network manager or you can setup the client (e.g. openvpn, etc.) manually in the CLI. So the CLI method with scripts doesn't require enabling network manager in the proxy vm. 2) At the second part of VPN doc. How exactly DNS line at vpnclient.config must be written ? |vpn_dns '1.2.3.4.5 2.3.4.5.6' | Is it correct line? The complete correct line would be: setenv vpn_dns '1.2.3.4.5 2.3.4.5.6' Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/32f35e71-625f-1fb5-3211-485b6bdc26d8%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] qubes-dom0-update results in HTTP Error 404
I'm trying to install a Windows AppVM using this guide-- https://www.qubes-os.org/doc/windows-appvms The problem is I cannot run this command-- `sudo qubes-dom0-update qubes-windows-tools` In the output, there are four 404 errors, all with the same bad URL-- http://yum.qubes-os.org/r3.1/current/dom0/fc20/repodata/45f4890c7aa2937f1bc04bf43bb997ac8b86221a463a0348cf8bcb8c3066f2e7-primary.sqlite.bz2: [Errno 14] HTTP Error 404 - Not Found Trying other mirror. I visited that link in my web browser, and it really is a 404. It looks like Qubes is not using an up-to-date mirror URL? Is there a way I can get Qubes to find and use an up-to-date mirror? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/KLJBIOQ--3-0%40grimtech.net. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Unable to install 3.2-rc1 on Thinkpad T450s
On 06/26/2016 02:08 PM, 41wycb+5v6q0qb48s8dk via qubes-users wrote: Hello, I've disabled all support for UEFI in the BIOS, having enabled only support to Legacy mode. I've also disabled the secure boot having enabled the 'USB UEFI BIOS Support'. At this stage I'm able to get the grub splash screen and when I try to boot Qubes I get: 'Loading xen.gz ok' 'Loading vmlinuz ok' 'Loading initrd.img ...ok' After this the laptop simply reboots and I'm back to square one again. I've even tried to upgrade my BIOS to the latest stable version (1.24) but this has produced no improvements. Any idea what may cause this? What I'm missing? Thanks I think a T550 user is having a similar problem... https://groups.google.com/d/msgid/qubes-devel/3f5b2229-aeea-49db-93cb-ed3e8feccb15%40googlegroups.com?utm_medium=email_source=footer Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2acd67f3-8f61-b1e6-d95d-b2ec6442caba%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] [3.2rc1] Installer boot error '/dev/root' does not exist
On 06/26/2016 06:50 AM, Marek Marczykowski-Górecki wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sun, Jun 26, 2016 at 06:45:50AM -0400, Chris Laprise wrote: More info, Marek... When I try to scan the /dev/sdb device with partx, it says the device is not readable or not valid device. When I plug in another USB stick, the partitions are enumerated as /dev/sdc1 etc. but they cannot be mounted (devices are unreadable). From dmesg, these errors occur right before the /dev/root error and stoppage: scsi 6:0:0:0: Direct-AccessSamsung Flash Drive1100 PQ: 0 ANSI: 6 sd 6:0:0:0: alua: supports implicit and explicit TPGS sd 6:0:0:0: alua: No target port descriptors found sd 6:0:0:0: alua: Attach failed (-22) sd 6:0:0:0: Failed to add device handler: -22 sd 6:0:0:0: [sdb] ...several lines with drive size and flags... (trace dump occurs) This thread says disabling 'alua' module (scsi_dh_alua?) can resolve the issue: https://www.linuxquestions.org/questions/linux-hardware-18/corsair-flash-voyager-slider-usb-memory-stick-fails-to-attach-4175572901/ Should 'alua' even be present? AFAIK it is for large infrastructure. Fedora installer does not seem to enable it by default. Indeed looks like something unnecessary on desktop system. Try adding this to kernel command line: rd.driver.blacklist=scsi_dh_alua This didn't work. Is that module compiled as integral to the kernel? I was able to rmmod scsi_dh_alua in the CLI, and this allowed newly attached drives to be accessed. But I could not get the boot process to continue. The bugzilla issue points to a patch against scsi_sysfs.c but it shouldn't be necessary if the alua module is excluded. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bfa2b50a-d768-da64-c7e7-902a2751fb9a%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] [3.2rc1] Installer boot error '/dev/root' does not exist
On 06/25/2016 07:10 AM, Marek Marczykowski-Górecki wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sat, Jun 25, 2016 at 05:21:27AM -0400, Chris Laprise wrote: On 06/24/2016 08:25 PM, Chris Laprise wrote: I've tried this on 2 USB sticks (a USB2 and USB3) and I'm not able to boot the new installer from either one. Apparently it can't find the filesystem it needs to transition from the initramfs root. The iso was verified with gpg and written to the drives with plain 'dd if=isoimage of=dev/sdb'. So I'm wondering if there is a simple fix to this or if I'll have to start digging through the rd log. Chris Looking in the rdsos log, I noticed the partitions of my internal drive were enumerated (sda1, sda2, etc), but not the partitions of the USB sticks--only sdb is shown. Check its label (`blkid`). And if it matches the one on kernel command line (/proc/cmdline). They are identical. However, the USB stick partitions still cannot be seen by the installer environment: /dev has an sdb but no partitions. I tried turning off USB3 mode in BIOS, but it had no effect. I also downloaded the fedora 23 live cd and the netinst images to try them out. They both boot up fine on USB sticks. What does work is booting from DVD. But then I have another problem where it won't see USB sticks as destinations at all. It doesn't matter if I plug them in before or after booting. So I cannot try out 3.2rc1 either /from/ or /to/ a USB drive. Chris Also, when I look at the USB sticks with fdisk it sees 2 partitions, but parted sees only one (32MB in size). Partition layout on installation media is intentionally somehow "non standard" (to support any installation type from the same image). So parted may display it that way. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- Version: GnuPG v2 iQEcBAEBCAAGBQJXbmaPAAoJENuP0xzK19csC9UH/2LnrA9DMG5cYTAef0Lb0mzg e2qe4vzW/YoNkzaXf9nYblpLLWgUDhzmykKoKb9xxwXAYFyt/4thJJlOtlBwswbh KlRb//IveLTTNxLZ+OhEHyJZ63d24dypK2qMV7NcLfvpba8StPLfkgfAlgFoJt7P V6IlgzbYE9f6WWMSpfNGlAXflkZ3Joo/PidmRy9RgEE8zPAphF7eYLaYo2kKv6cN MPkWc0Z748F5ARphnTqOehAjItwPz9sV4HSo0VHCLKsOpi1nuzjq/uo3k9+iURqA BRiWCB8GuF5Fouixrm6p/AtWKsDgG98lFCQeHVqueGMsTVgLemti1Nr80PyVRyk= =FdG0 -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/65c3029b-3b5e-134d-71d6-2792427018fa%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] [3.2rc1] Installer boot error '/dev/root' does not exist
On 06/24/2016 08:25 PM, Chris Laprise wrote: I've tried this on 2 USB sticks (a USB2 and USB3) and I'm not able to boot the new installer from either one. Apparently it can't find the filesystem it needs to transition from the initramfs root. The iso was verified with gpg and written to the drives with plain 'dd if=isoimage of=dev/sdb'. So I'm wondering if there is a simple fix to this or if I'll have to start digging through the rd log. Chris Looking in the rdsos log, I noticed the partitions of my internal drive were enumerated (sda1, sda2, etc), but not the partitions of the USB sticks--only sdb is shown. Also, when I look at the USB sticks with fdisk it sees 2 partitions, but parted sees only one (32MB in size). Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0463f88a-3c2b-111c-5ad3-10cd58d44e26%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How to install clean template?
Continuing this in James' original thread... https://groups.google.com/d/msgid/qubes-users/fbc140cc-94e4-4218-8095-3a73d346296f%40googlegroups.com Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b98a35a9-e448-a4c8-be27-a890b607d747%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How do I install packages to a template over a VPN?
There is an issue with updating a template over a vpn: The intercepting updates proxy normally runs in sys-net, which can't see inside the encrypted vpn traffic. This may be a cause of the problem, however it should really only manifest if you are using yum/dnf; Programs like wget should be able to access the net OK if you've set the template's firewall setting to 'allow...'. Another thing to look out for when using qubes-setup-dnat-to-ns is that it needs the vpn-specific nameservers entered into /etc/resolve.conf (in the vpn vm) before its run. This has to be done each time the vpn vm boots, unless you change it in the template. In my previous message, I mentioned you could download the packages in an appvm then transfer them to the template vm for installation. Another possible solution is to create a Standalone appvm: It will permanently accept installed programs and also be able to access the net like a template-based appvm. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c769cf1b-7ef9-d941-fa26-50bfc1edf321%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] AEM boot option causes hard reboot/partial shutdown (Lenovo T450s)
On 06/23/2016 06:53 AM, Andrew David Wong wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2016-06-23 03:49, Rusty Bird wrote: Hi Andrew, On 2016-06-22 21:58, Todd Lasman wrote: On 05/16/2016 11:44 PM, Andrew David Wong wrote: I seem to have this exact same problem, but only after installing Qubes 3.2 (worked fine with 3.1) on my Thinkpad T430. Very interesting. Perhaps my suspicion about the AEM installer having recently changed was right after all? IIRC and going by the dates on the pages below, the installer and all other code changes were before R3.1 (only the README has changed since): [...] Rusty Ah, perhaps not then. It remains a mystery! If it changed after initial 3.0 release (esp. later on, near the 3.1 release date) then that would actually make sense. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/fb05403b-c5ff-f005-23d3-29ff89cd075b%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Opening links in your preferred AppVM
On 06/22/2016 02:38 PM, Micah Lee wrote: I published a quick blog post explaining how I do this: https://micahflee.com/2016/06/qubes-tip-opening-links-in-your-preferred-appvm/ Hi Micah, I liked your new article on messaging apps. Just wondering if you've looked at Ring.cx yet... Its open source, has a Linux app and connects through DHT so it doesn't have the server issues you mentioned. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cb162413-6de6-a49b-21d5-652c313f4180%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How to install clean template?
On 06/22/2016 08:45 PM, Ward... James Ward wrote: I have even bypassed the firewall. I've got the VPN ProxyVM pointing directly at NetVM. That doesn't bypass the firewall exactly. The vpn vm is also a firewall, and it accepts the firewall settings of other vms that are pointing to it. So you would have to 'allow full access' from the template's firewall settings. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4b147657-0c6a-9f40-2c52-8ffef0e8d439%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How do I install packages to a template over a VPN?
On 06/22/2016 05:50 PM, james.e.w...@gmail.com wrote: My employer supports Fedora as a workstation OS, but it requires a lot of software be applied and that software must be obtained over their VPN. What I have tried: 1. clone fedora-23 to OCfedora-23 2. download two VPN rpms from a VM and copy them over to the OCfedora-23 template 3. install and configure VPN on the OCfedora-23 template Now this all works great. I can connect to the work VPN on the template, but I am unable to install my employer's software onto the template. Bear in mind, I can install the same software into a VM based off the template, but would have to reinstall/reregister the VM (with my employer) on every boot. I set up the VPN in a proxy VM and run qubes-setup-dnat-to-ns and directed the template to use that to no avail. Template net access is generally blocked, except it can access normal software repositories through the Qubes update proxy. So if your employer doesn't have a repo to add to your template's /etc/yum.repos.d then you'll have to go around it. You've already supplied a hint to one possible solution: Create a new appvm connected to the vpn vm, then grab all the rpm files you need using wget or similar. Then qvm-copy those rpm files into the template vm and use 'dnf rpmfolder/*rpm' to install them. Another way is to go into the template's firewall settings and temporarily enable all access for 5 min. and install directly into the template. Software install times out on dnf install from an http://site.on.the.vpn. I tried a wget and it also times out. There's something different about a template that prevents this as the same installation script works fine on a VM based on the same template. Can someone tell me what this is? Thanks in advance, James Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7668a57e-2f57-28f5-7729-9fb1f28b4065%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] problem with running mullvad in proxyvm (DNS weirdness and autostart question)?
On 06/21/2016 03:04 PM, Chris Laprise wrote: On 06/21/2016 02:09 AM, Jane Jok wrote: Hello! So, long story short, I've successfully configured a debian-based ProxyVM to run Mullvad's GUI client (I know one can use "vanilla OpenVPN" to connect to mullvad, I still prefer their GUI thing and decided to give it a try) In a word, as long as one does not select "block internet access on connection failure" everything works. Hi, Keep in mind that a Qubes proxy vm implies different conditions for blocking than a regular desktop architecture, so the Mullvad client may not get this right. Its best to setup Qubes-specific blocking instead (which is more effective anyway)... However, there is a persistent DNS leak from any AppVM connected to the MullvadProxyVM (as detected by ipleak.net) Also, if I take the "block connection if tunnel breaks" suggestion from here https://www.qubes-os.org/doc/vpn/ (that is, add |iptables -I FORWARD -o eth0 -j DROP iptables -I FORWARD -i eth0 -j DROP to my iptables in the MullvadProxyVM) No connected AppVM can resolve hostnames (direct IP works tho) I have, however, figured out a sort-a-kinda solution. The solution I have found so far is to edit resolv.conf in AppVM to something external (like say Google's DNS, 8.8.8.8) As long as AppVM's resolv.conf has 8.8.8.8 (or any other external nameserver) in it, everything works like a charm without any DNS leaks. However, it the resolv.conf in AppVMs is not very persistent, and even if |||/rw/config/rc.local| is modified to adjust resolv.conf, certain events (like changing netvms) trigger restoration of "old" resolv.conf So, my first question is: 1) is there a way to prevent reset of manually edited resolv.conf, particularly in case when you change AppVM's netvm ? | |Past advice on setting up a vpn vm revolved around these 3 steps: 1. Update resolv.conf (hard-coded IPs or from openvpn DHCP) 2. Run the /usr/lib/qubes/qubes-setup-dnat-to-ns script 3. Add the eth0 forward-blocking you mentioned to qubes-firewall-user-script The first two basically worked, but had the side-effect of making the local vpn vm commands use the tunnel's dns. That might prevent the vpn from successfully restarting, or maybe create a different kind of leak if local commands inadvertently tried to access the net. That's why qubes-vpn-handler.sh exists. It accepts dns addresses and fixes the dns dnat issue without changing resolv.conf. It shouldn't be too hard to integrate with the GUI client if it uses openvpn or similar; you just need to run it as the up-script. OTOH, if the side-effects I mentioned above seem trivial to you, then you can use #2 to get dns working. Also, don't mean to imply that #3 doesn't work. All three do work together to route DNS and stop leaks. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/56ab626e-b04f-93fd-c703-dfa41c20de72%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Password management best practices for mid-grade tinfoil hats
On 06/21/2016 11:13 AM, stephen.wick...@gmail.com wrote: As I'm moving from OS X to Qubes, gradually, I wanted to get a feel for best practices for management of passwords. Qubues has KeePassX. Should I trust that over the Firefox password manager? Or pretty similar? Would it be a good idea to keep the password manager in a non-networked VM? Or am I growing my tinfoil hat from mid-grade to high-grade? ;) Thanks for your thoughts. Qubes best practice is to use a non-networked 'vault' vm for holding passwords and keys. You can run keepassx in vault and use Qubes copy/paste between that and other vms. Whether it is 'safe' to store passwords in firefox has a lot to do with how sensitive the password is, and how much risk you're taking with that vm. If you're just randomly browsing the web with that vm, then I would not store passwords there for anything other than trivial accounts. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d3226d23-a0c7-296d-196f-4bf1003a98f2%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How to share data between 2 Qubes installations via USB in a sensible way?
On 06/19/2016 05:25 AM, David Hobach wrote: I wonder whether there's any sensible (= relatively secure) way of sharing data between 2 Qubes installations via a single USB pen drive or hard disk? What are you using or do you have any thoughts? [...] Probably I did understand what you are trying to achieve, but when I had to copy data between two Qubes installations made a backup of the first installation on a NAS and restored it on the second installation, changing the name of conflicting VMs before restore. Everything really easy and fast. This is the method I personally use. It's essentially a system "migration" as described here: https://www.qubes-os.org/doc/backup-restore/#tocAnchor-1-1-4 That's indeed a good solution for rare accesses - especially from a security point of view (From what I see the USB drive does not need to be trusted as it can be mounted in some untrusted AppVM and the encryption is done in dom0.). I'm just not so sure if it's good for day-to-day use wrt to speed. So if I want to modify one file on my USB drive, I have to restore the entire backup (maybe 10GB or so), edit the file and then do a backup again? So it would take 15min to edit a single file I guess? Ideally I'd like to plug the USB drive in my machine and see the files dedicated for VM_A inside that VM immediately (same for the other VMs). Then I'd edit, maybe umount and then unplug the USB drive again. Maybe I'm a little picky about speed, but I know that once users have to use secure solutions that are slow, they'll go for totally insecure ones that are fast. So I prefer to see people going to pretty secure ones that are fast. Thanks for the suggestion though - I hadn't considered it so far as I'm not using the original Qubes backup solution (once again for speed reasons - and yes, it adds 1-2 potential attack vectors). Try this automount solution - https://groups.google.com/d/msgid/qubes-users/20160607202924.GD1593%40mail-itl If you are sharing between to similar vms (even if they're on different systems) you can format the volume in vm with LUKS and specify a keyfile in each vm using crypttab. No need to have dom0 format or decrypt the volume. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/57667E11.3060004%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] create new VM freeze screen 1
On 06/18/2016 02:55 PM, 109348'109438'0193284'0913284'092183'0491820439 wrote: Hi Chris, used 2777284 free 17995792 shared 338500 buffers 62024 cached 2037140 buffer/cache used 67812 free 80117772 swap 8011772 used 0 create Fedora23 AppVM = 6 Seconds, yes create Debian8 AppVM = 5 Seconds, yes But this was after a fresh restart of Q (before it took some kind of minutes). Kind Regards When it slows down again, check 'free' again. Also, this grinding slowdown can be caused by a vm that's swapping a lot. If you've been playing around with PCI passthrough, you probably turned off memory balancing without realizing you left that vm with very little memory to use. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5765D975.9070307%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] create new VM freeze screen 1
On 06/18/2016 08:48 AM, Andrew David Wong wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On 2016-06-18 05:29, '098134'0194328'017834'01783'40917834209 wrote: Hallo, it is a little strange, always if I create a new VM (which takes several minutes), than the system response time for manual inputs (like typing something in an editor) is endless. But there should be plenty CPU and RAM available. It looks like that this is only effected all applications, which are shown on the same screen. So screen two seems ok. Why is this behavior? Can I define some parameter, which guides me to some liquid user experience? Kind Reagards I've noticed the same thing, but it doesn't seem to be affected by which screen an application is on. My CPU usage (as reported by the KDE widget) spikes, so I assumed that was it. Hmmm, create new vm on my system = 5 seconds. This sounds like low memory and lots of swapping. Check the amount of swap usage with 'free'. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/576554AF.6030404%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Copy / Move file within a Template VM
On 06/12/2016 01:09 PM, qubescr...@gmail.com wrote: Hi Chris. Thanks for your response. I hadn't realized that /etc/ was a bad place to move the .ovpn file, and was just following the instructions in 'Streisand' (which is excellent, by the way!) https://github.com/jlund/streisand I guess I'll have to go the insecure route you suggested, because I have no CLI skills, but I was trying to avoid it, as per the Qubes documentation. Ho hum. Yes, it appears one does need to learn CLI in order to use Qubes. I'd originally understood the team's aim was widespread adoption by anyone privacy-minded, and hoped that included me (a Mac user), but perhaps I was expecting too much! Thanks again for your feedback, QC I would be remiss if I didn't suggest the second option in the vpn doc: You can create a proxy vm and enable network manager in that. The advantages are that the directions are mouse-driven, and your password will be pretty safe. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/575DB04A.1050703%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Is there a standard procedure to reinstall whonix?
On 06/10/2016 02:33 PM, Patrick Schleizer wrote: Andrew David Wong: On 2016-06-06 16:02, Andrew David Wong wrote: Added: https://github.com/QubesOS/qubes-doc/commit/ ffbe63ac8c6fa3feb06ab78ac88455cc90fb746a I'm not sure if I understood the proposed two changes, but feel free to submit a pull request to edit the page if you see fit. The live page is available here: https://www.qubes-os.org/doc/whonix/reinstall/ >From #1955 https://github.com/QubesOS/qubes-issues/issues/1955 - Quote Marek: And generally, I think normal users (not developers/testers) do not need to reinstall template ever. Instead - apply standard updates. I guess we just revisitted this. I guess reinstall has its place. I am wondering about the following... At a minimum, you’ll want a ProxyVM (conventionally called sys-whonix) based on whonix-gw and an AppVM based on whonix-ws that uses sys-whonix as its NetVM. Perhaps that should not be done manually. Too error-prone. [ As discussed in #1955 ] perhaps invoking salt would be better. sudo qubesctl state.highstate What do you think? (Optional) Temporarily change all VMs based on whonix-gw and whonix-ws to another template I think this is a bit dangerous. Easily forgotten. And you would not want some my-whonix-ws AppVM to boot with the temporarily set debian-8 template. Is there a way to set the template to some virtual value "none"? Or could we have such a feature? Cheers, Patrick If re-installation is the goal, why not use the in-place method from the template doc? That involves 'qubes-dom0-update template-package' then after it downloads the package and says there is nothing to update, do a 'yum reinstall template-package'. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/575B31A3.8050009%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] debian 8, rc.local not running
On 06/09/2016 10:31 PM, Drew White wrote: Hi folks, Debian 8... On boot, the rc.local file doesn't execute after the system has booted. What could be wrong? root@***:/rw/config# ls -al total **M drwxr-xr-x 3 root root 4.0K Jun 10 12:24 . drwxr-xr-x 9 root root 4.0K Jun 8 12:11 .. -rwxr-xr-x 1 user user 5198 Jun 10 12:20 rc.local it's executable by everyone, readable by everyone, so there should be no issues, right? Hope someone can help please? Every time my PC starts, that VM should set up all the ports to be forwarded and more. I'm about ready to build an applicaiton to handle all the ports and all because Qubes doesn't have something that handles it all in one, they are all separate and distinct, when they shouldn't really be. I have other issues with the Qubes Windows Tools too, but that's another post, and I have pictures and a way around getting them to work on large resolutions, like they say there is a bug for. -- Did you add the shebang at the beginning of the script? Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/575A423B.5010807%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Install VPN in anon-whonix
On 06/09/2016 06:21 AM, asdfg...@sigaint.org wrote: On 06/08/2016 04:15 PM, asdfg...@sigaint.org wrote: Hello I read the guide on whonix site about how setup a VPN in workstation but it is old and my VPN is a little different, it has a GUI interface but also a setup for Open VPN (to work i have to use GUI). Do I setup like a normal VPN in debian (network connection, import configuration, certificate etc...) and change firewall? Thank you Mixing a VPN in the same VM as other tunnels or proxies is a more complex affair. Qubes proxy VMs allow us to do this kind of thing more cleanly. So I recommend using a debian proxy VM. The doc Andrew linked to contains a firewall script I created with Whonix (and other apps) in mind. Its designed to fail closed (block traffic) if openvpn stops working, and to stop all leaks. The only thing in or out is tunneled traffic and related ICMP. Its designed for simple VPNs that tunnel all traffic upstream (i.e. no special subnet selections), so it'll work with most services. There is a fancier version that creates systemd service and has a more explicit firewall setup, though its about the same protection: https://github.com/ttasket/Qubes-vpn-support What's more, you don't have to alter any template beyond installing openvpn to get this working. OTOH, if you're looking for a solution for Network Manager, the doc shows you how but its without a firewall. I am looking into a way to make the firewall script work with NM. Chris Hello I have a problem when run this command sudo chown -R root:root openvpn (no directory) The contents of the openvpn/ dir need to be transferred to /rw/config/ including the openvpn/ dir itself. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5759BA78.50405%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Proxify VM
On 06/09/2016 11:45 AM, Jeremy Lator wrote: Hello To setup socks5 in network-manager openvpn do I have to go advanced-->proxies and enter all the details? Thank you Yes, but I'd ask the NM folks about any issues with that. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5759B8A0.9070505%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Install VPN in anon-whonix
On 06/08/2016 04:15 PM, asdfg...@sigaint.org wrote: Hello I read the guide on whonix site about how setup a VPN in workstation but it is old and my VPN is a little different, it has a GUI interface but also a setup for Open VPN (to work i have to use GUI). Do I setup like a normal VPN in debian (network connection, import configuration, certificate etc...) and change firewall? Thank you Mixing a VPN in the same VM as other tunnels or proxies is a more complex affair. Qubes proxy VMs allow us to do this kind of thing more cleanly. So I recommend using a debian proxy VM. The doc Andrew linked to contains a firewall script I created with Whonix (and other apps) in mind. Its designed to fail closed (block traffic) if openvpn stops working, and to stop all leaks. The only thing in or out is tunneled traffic and related ICMP. Its designed for simple VPNs that tunnel all traffic upstream (i.e. no special subnet selections), so it'll work with most services. There is a fancier version that creates systemd service and has a more explicit firewall setup, though its about the same protection: https://github.com/ttasket/Qubes-vpn-support What's more, you don't have to alter any template beyond installing openvpn to get this working. OTOH, if you're looking for a solution for Network Manager, the doc shows you how but its without a firewall. I am looking into a way to make the firewall script work with NM. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5758DB48.1070408%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Proxify VM
On 06/06/2016 06:11 AM, Jeremy Lator wrote: Shortly I have JonDo in the first VM and a VPN in the second VM. I want that the VPN detect socks of JonDo during the connection MyISP --> JonDo --> Firewall --> VPN-->internet \/ \ / \/ \ / | | || sys-net sys-firewall proxyVMappVM So "internet" is really an appvm with your browser? Then your diagram implies that you want to use vpn software (i.e. openvpn) through jondo. That would mean configuring openvpn to access a socks proxy. I think jondo was created to have the browser (and other apps) access the socks proxy, but if you really want it this way openvpn can support socks proxies. Check this out: https://www.comparitech.com/blog/vpn-privacy/hide-openvpn-traffic-with-ssh-tunnel/ Having sys-firewall there might be a problem. That's because you have to put the address of the jondo vm (seen as the 'gateway' address in the downstream vm) in the openvpn config. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5755D77A.2040909%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] TheBrain installation - JRE Error?
On 06/05/2016 09:29 AM, 0981'029438'109438'0192438'0192438'019438'0943 wrote: Hello, I like to install thebrain 7: http://www.thebrain.com/products/thebrain/download-old/ JAVA is not a high security backbone, so in the future, I would like to install all JAVA Apps in a isolated HVM. But for now, I run into this error: [user@work brain]$ ./TheBrain_unix_7_0_4_5.sh No suitable Java Virtual Machine could be found on your system. Do you want to download a JRE? (y/n) y Downloading JRE with wget ... --2016-06-05 15:16:35-- http://assets.thebrain.com/downloads/java/linux-x86-1.6.0_26.tar.gz Resolving assets.thebrain.com (assets.thebrain.com)... 54.192.46.40, 54.192.46.80, 54.192.46.250, ... Connecting to assets.thebrain.com (assets.thebrain.com)|54.192.46.40|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 21526683 (21M) [application/x-gzip] Saving to: ‘jre.tar.gz’ jre.tar.gz 100%[===>] 20.53M 2.56MB/sin 8.1s 2016-06-05 15:16:43 (2.53 MB/s) - ‘jre.tar.gz’ saved [21526683/21526683] Unpacking JRE ... Preparing JRE ... ./TheBrain_unix_7_0_4_5.sh: bin/unpack200: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory Error unpacking jar files. The architecture or bitness (32/64) of the bundled JVM might not match your machine. What must I do that I can finalize the PB7 installation? Kind Regards Hmmm... This worked for me without the JRE download when I downloaded their current 8.0.2.2 version to a debian vm, which is using the default OpenJDK java runtime. It seems to run fine. If you're using the fedora template, I suggest installing the OpenJDK JRE if its not already there. Otherwise you could use a debian template with OpenJDK. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/57542EFC.7050809%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] "Upgrading" to btrfs
On 06/04/2016 07:05 PM, Achim Patzner wrote: Hi! Did anyone ever try running btrfs-convert on a Qubes /? Successfully? Achim I installed with btrfs on top of luks. You may not want to convert if you have the standard lvm on luks, because then you'll have two volume management layers (btrfs on top of luks) which is slower and uses more CPU. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/575360EA.2070601%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Can't get ProxyVM based VPN working
On 06/04/2016 10:43 AM, ad5108...@gmail.com wrote: I've been trying to configure a ProxyVM with a VPN for a while now, and I can't seem to get it to work. I've tried both the NetworkManager instructions and the command line instructions from here: https://www.qubes-os.org/doc/vpn/. The NetworkManager always times out when attempting to connect to the VPN (funnily enough, it does this in KDE on a separate system too) despite the command line openvpn client working flawlessly and all of the plugins being installed. I'm not sure what goes wrong with the command line version; it does successfully create the tun adapter, but can't resolve hostnames. If I manually reconfigure the DNS using resolv.conf, it begins resolving fine, but no traffic travels through the VPN. Is there any way I can fix this? The current version of the VPN doc is hard to follow because it requires the user to hard-code IP addresses in several places (and you can't use domain names for the server). This is an error-prone approach. I created a couple scripts to handle all of it here - https://github.com/ttasket/Qubes-vpn-support and discussion thread - https://groups.google.com/d/msgid/qubes-devel/57516C4B.4070305%40openmailbox.org Hope you find it useful... Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/575349CF.2090203%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] No /dev/cdrom present?
On 06/02/2016 06:40 PM, gaikokujinkyofu...@gmail.com wrote: Hi I wanted to create a win7 HVM and was going to start off by making an iso from the CD I have but then I tried the simple dd if=/dev/cdrom of=~/win7_image.iso and I get an error: dd: failed to open '/dev/cdrom': No such file or directory I tried this from the term in the personal dom, but then opened up the term from the various doms (including dom0) to see if maybe the cdrom would show up then? (I am still wrapping my head around how Qubes works in terms of isolation, like would it perhaps isolate certain doms from seeing certain devices?) Thoughts? Try /dev/sr0 instead (in dom0). You can also try assigning it to a vm with 'qvm-block -a -ro vmname dom0:sr0' ...but you have to put the disc in first and it doesn't always work. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5750D16E.2000702%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Debian 8 Template, can't install printers
On 06/02/2016 12:32 AM, Drew White wrote: On Thursday, 2 June 2016 14:11:32 UTC+10, Chris Laprise wrote: On 06/01/2016 10:29 PM, Drew White wrote: > > The UI he is describing is system-config-printer (Red Hat). He > could try > gnome-control-center ->Printers instead. That works for me. > > Chris > > > Chris, that is essentially what I did. But not through the > control center, just directly through the menu system and > running that exact section. The gnome utility is not the same as the system-config-printer utility (written by Red Hat). The former works fine for me in debian. BTW, I setup my debian template using 'tasksel' and chose both debian desktop and gnome. Isn't Gnome the Debian Dektop GUI? All/most of gnome was missing back when I installed the debian template. > > I did the same thing in Fedora (RedHat) and it worked fine. > > After it detected the printer, it searched for the drivers, didn't > find them, so I put the OpenDriver file on and installed it. > RedHat based, easy. Debian based, crashed. I have been manually choosing from the built-in drivers. For many printers, you can use a driver with a model number that's close if there's no exact match. There is the problem in the first place. That's the bit I can't get to, as per my OP. I can't get THAT far. If I could then I wouldn't be having the issue and be here trygin to get an answer. Its only about the 5th step when I do it. I suggest you go in through the gnome-control-center, click on the Plus sign, enter the printer IP address in the search dialog (printer should then appear, perhaps more than once), then select the LPD entry and 'Add'. At that point you should have a driver selection dialog, with manufacturers on the left and drivers on the right. > > Currently on Debian 8. I don't know if it's a bug in Debian 8 > or not though. Either in debian or the driver. It could be something in Debian OR the Qubes Drivers. Not the Printer drivers, as I can't even get to the point to select them. Its also possible something about your debian template became corrupt. If so, you could reinstall it. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/57508279.3060704%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] btrfs vs lvm?
On 05/30/2016 11:35 AM, Rusty Bird wrote: Bahtiar `kalkin-` Gadimov: IMHO you should use LVM. Because btrfs is IMHO not mature enough. (Personal anecdote warning) I used it for backups until the partion become read-only and throw out of space warnings, for no obvious reason. On Qubes 3.0, I had the same issue: More than a couple of dozen whole-fs snapshots made the fs readonly. Booting a newer kernel and removing some of the snapshots fixed it then. Rusty IIRC, kernel 3.17 and later are considered safe bets for btrfs. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/574CA281.2020200%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Is it possible to turn a Template HVM into an HVM?
On 05/29/2016 10:31 AM, Achim Patzner wrote: Hi! I guess the subject said it already: If someone created a (Windows 7-based) Template HVM based on the assumption it would be a good idea to do this to derive a number of HVMs from it but had to agree that it was not one of his brightest ideas, is it possible to turn this Template HVM into a standalone HVM? Achim You could create a new standalone hvm using the template as a source (in the dialog, click standalone first, then hvm, then select the template). If you're on btrfs, Qubes will create a reflink from the original disk images, so it will be instant and take no extra space. If not on btrfs, then it will duplicate all the data from the template images. To avoid this, you can create a regular hvm (click hvm in the dialog and standalone should grey-out) then manually move the root.img and private.img files from the template to the new hvm. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/574B3D64.7070005%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Web Conferencing software and QUbes
On 05/26/2016 06:42 PM, Franz wrote: On Thu, May 26, 2016 at 6:16 PM, Chris Laprise <tas...@openmailbox.org <mailto:tas...@openmailbox.org>> wrote: On 05/25/2016 05:13 PM, Franz wrote: On Wed, May 25, 2016 at 2:00 PM, <raahe...@gmail.com <mailto:raahe...@gmail.com> <mailto:raahe...@gmail.com <mailto:raahe...@gmail.com>>> wrote: On Wednesday, May 25, 2016 at 1:24:04 AM UTC-4, J. Eppler wrote: > Hello, > > > > > If there is another web conferencing app that works better for qubes I would be happy to try it. > > https://tox.chat/ > - you will find the clients here: https://tox.chat/download.html > - I would use qTox or uTox for desktop systems > > or another one: > > https://jitsi.org/ > > Best regards > J. Eppler Does TOX have video? if so how is the quality of the connection? qTox and uTox do have video, but for using them in Qubes we have to deal with the usual webcam issues, which means that a USB controller should be assigned to a conference VM. I find this even more difficult now that the current Xen version does not let me to assign one USB controller to sys-usb and the other to a conference-VM anymore, because the two controllers share some resources, which is a security issue. So both controllers must go assigned to the same VM. Otherwise one may think of making a script to hot assign USB controllers form sys-usb to conference VM and then back again, but I have a feeling that it would not work that way, rather need a reboot, then conference, then a reboot again to come back to the starting setting, which seems too much for me. I also thought of putting an additional USB controller into the expresscard slot, bought two of them rated as working with linux, but none really worked with my Qubes. I reverted to using another non-Qubes computer for conferences. But obviously this is a very serious limitation. So, writing this I wonder if it may make sense to use sys-usb as a conference VM. Sys-usb is red and should be considered compromised, but it may be better to have a compromised conference than nothing. Certainly my sys-usb is much more secure than the other non-Qubes computer that I am using now. What do you think? Best Fran Mixing usb isolation with the network? I would avoid that if possible. Why? what may happen in your view? It is only some encrypted conference software that uses the network to communicate with people you trust. A usb webcam could attack the host vm used for conferencing, stealing the keys or contents of the streams and sending them to an eavesdropper. It could also receive updates to its own malware, and maybe even find some wireless mice and keyboards to infect. Best to keep USB and network completely separate. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/574783F4.6080102%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Web Conferencing software and QUbes
On 05/25/2016 05:13 PM, Franz wrote: On Wed, May 25, 2016 at 2:00 PM, <raahe...@gmail.com <mailto:raahe...@gmail.com>> wrote: On Wednesday, May 25, 2016 at 1:24:04 AM UTC-4, J. Eppler wrote: > Hello, > > > > > If there is another web conferencing app that works better for qubes I would be happy to try it. > > https://tox.chat/ > - you will find the clients here: https://tox.chat/download.html > - I would use qTox or uTox for desktop systems > > or another one: > > https://jitsi.org/ > > Best regards > J. Eppler Does TOX have video? if so how is the quality of the connection? qTox and uTox do have video, but for using them in Qubes we have to deal with the usual webcam issues, which means that a USB controller should be assigned to a conference VM. I find this even more difficult now that the current Xen version does not let me to assign one USB controller to sys-usb and the other to a conference-VM anymore, because the two controllers share some resources, which is a security issue. So both controllers must go assigned to the same VM. Otherwise one may think of making a script to hot assign USB controllers form sys-usb to conference VM and then back again, but I have a feeling that it would not work that way, rather need a reboot, then conference, then a reboot again to come back to the starting setting, which seems too much for me. I also thought of putting an additional USB controller into the expresscard slot, bought two of them rated as working with linux, but none really worked with my Qubes. I reverted to using another non-Qubes computer for conferences. But obviously this is a very serious limitation. So, writing this I wonder if it may make sense to use sys-usb as a conference VM. Sys-usb is red and should be considered compromised, but it may be better to have a compromised conference than nothing. Certainly my sys-usb is much more secure than the other non-Qubes computer that I am using now. What do you think? Best Fran Mixing usb isolation with the network? I would avoid that if possible. If there were some Linux-based way to create a virtual webcam device, with a stream piped unidirectionally from sys-usb, that could be a solid workaround. I'm glad you mentioned Qubes' limitation in this context. If it were up to me, I would define web conferencing as a core use case for Qubes. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/57476798.2090603%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] i2p AppVM
On 05/25/2016 02:24 PM, cubit wrote: Hello Are there any i2p users on the list, I would be interested in hearing how you are setting up your AppVMs to best keep this traffic as secure as possible. -- The i2p router is super simple and automatic, esp. if you're using straight i2p to the Internet. Its been a while, but I recall both proxy and app vms were usable with i2p. The biggest safety concern about i2p in general is probably browser customization... they needed an analogue to torbrowser and I don't know if they have one yet. Chris -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/57476463.1040603%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.