Re: [qubes-users] Re: unexpected system restart
On 04/03/2018 02:24 PM, qubenix wrote:
> cooloutac:
>> On Monday, April 2, 2018 at 12:31:09 PM UTC-4, qubenix wrote:
>>> Hello all. I'm currently still on R3.2.
>>>
>>> I had a situation where I was working with a normal (for me) amount of
>>> VMs running. Nothing even close to extreme as far as cpu/mem/io/temp.
>>> During startup of an AppVM that I use all the time, my system just did a
>>> hard shutdown ("no input" on screen, connected with hdmi) and then right
>>> into a restart.
>>>
>>> How can I debug this in a useful way? Does someone have an idea what
>>> might cause it?
>>>
>>> --
>>> qubenix
>>> GPG: B536812904D455B491DCDCDD04BE1E61A3C2E500
>>
>> weird. you using sleep mode at all? Checked the obvious issues like temps,
>> hdd errors, memory stability?
>>
>
> No sleep, checked all obvious issues.
>

Does the AppVM have any attached PCI devices? I have one R3.2 system where starting a VM with USB controller attached occasionally causes the whole machine to reboot.
Re: [qubes-users] Firewall rules for Thunderbird and Gmail
On 02/13/2018 06:39 AM, Demi Obenour wrote:
> What websites and ports do I need to whitelist if I want to enable use
> Thunderbird with GMail and Google Calendar? I am using the Google
> Calendar add-on.
>

To actually answer the question, this Google support page has what you need to know:

https://support.google.com/a/answer/60764?hl=en

Regards,
Robert
Re: [qubes-users] Re: USB Keyboard thoughts...
On 12/05/2017 05:09 PM, taii...@gmx.com wrote:
> On 12/04/2017 07:31 PM, cooloutac wrote:
>
>> I use a usb to ps2 adapter for my keyboard.
> I assume with the mistaken impression that PS/2 is more secure for
> some reason - for the record it sends your keystrokes out on the
> ground wire.
>

Sends keystrokes out? To where?

Inquiring minds request further information / references!
Re: [qubes-users] USB Keyboard thoughts...
On 12/03/2017 09:37 AM, Jean-Philippe Ouellet wrote:
> On Fri, Dec 1, 2017 at 1:10 PM, Matty South wrote:
>> I love the Qubes project! I've been thinking of ways to improve the security
>> when it comes to USB Keyboards.
>>
>> I'm sure a lot of us who use Qubes as our day-to-day OS have a nice keyboard
>> attached to the system. Upon plugging in the USB keyboard for the first
>> time, I rightfully got a security warning about the implications of passing
>> USB Keyboard input into dom0 (think USB Rubber Ducky attack among others).
>> OK, I'm on board so far. What surprises me is that I didn't just authorize
>> THIS keyboard to pass through to dom0, I have authorized *ANY* USB keyboard
>> to access dom0. I verified this with other keyboards and even a home-made
>> Rubber Ducky attack using a teensy.
>>
>> Curious, is there a reason why we don't restrict the authorized USB keyboard
>> based on USB Serial number or even VID or PID. Sure with PID/VID, a physical
>> attacker who knows your brand of keyboard could still pass through
>> keystrokes, but it would still up the bar a little for these style of
>> attacks.
>>
>> I'm on Version 3.2 so forgive me if this has been addressed in 4.0.
>>
>> Secondly, I don't want to be the guy begging for improvements, I would like
>> to contribute. Can anyone point me to a good place to start if I want to add
>> this feature? I'm thinking here maybe?
>> https://github.com/QubesOS/qubes-app-linux-usb-proxy
> See https://github.com/QubesOS/qubes-issues/issues/2518
>

Hi Matty and all,

I am the developer of the USG hardware firewall mentioned in issue 2518. On its own this gadget can do most of what you want - it blocks hidden hubs so a flash drive cannot also supply keystrokes, and it blocks devices re-enumerating as a keyboard after first enumerating as something else.

Issue 2518 is about encrypting keystrokes from the keyboard to dom0, so that a compromised sys-usb cannot sniff or spoof them. Jean-Philippe suggested borrowing ideas from CrypTech's HSM design, which is worth looking into. However I don't have time to look into this myself right now. I would also require help with the qubes-side implementation of whatever secure channel we choose.

You are welcome to look through the thread and let us know what you think!

Regards,
Robert
Re: [qubes-users] Fedora25 fails updates unless I reboot the machine 9.13.17
On 09/14/2017 10:49 AM, qubester wrote:
> Fedora25 fails updates unless I reboot the machine 9.13.17
>
> 2 or 3 times now, are others having this problem? is there some
> particular remedy or just let it go?
>
> "failed to syncronize cache"
>

I see this problem on a Q3.2 system that has been running for several days.

Updating Fedora 25 template:
> sudo dnf update
> Error: Failed to synchronize cache for repo 'updates'

Updating Debian 9 template:
> sudo apt update
> Err:1 http://security.debian.org stretch/updates InRelease
> Could not connect to 10.137.255.254:8082 (10.137.255.254), connection timed out
> Err:2 http://deb.qubes-os.org/r3.2/vm stretch InRelease
> Could not connect to 10.137.255.254:8082 (10.137.255.254), connection timed out
> Err:3 http://deb.debian.org/debian stretch InRelease
> Could not connect to 10.137.255.254:8082 (10.137.255.254), connection timed out
> Err:4 http://deb.debian.org/debian stretch-updates InRelease
> Unable to connect to 10.137.255.254:8082:

Dom0 update seems to work (or at least fails silently):
> sudo qubes-dom0-update
> Using sys-firewall as UpdateVM to download updates for Dom0; this may take some time...
> Running command on VM: 'sys-firewall'...
> Running command on VM: 'sys-firewall'...
> Checking for dom0 updates...
> No new updates available

Restarting fixes the problem temporarily. I guess the update proxy is crashing? My sys-firewall is running a Debian 9 template, what about yours?

Regards,
Robert
Re: [qubes-users] Re: NAUTILUS MISSING FOLLOWING UPDATE TO DEBIAN 9
On 08/19/2017 10:12 AM, pixel fairy wrote:
> On Friday, August 18, 2017 at 3:56:38 AM UTC-7, higgin...@gmail.com wrote:
>> Thanks Foppe de Haan.
>>
>> The sudo apt-get install nautilus was all I needed.
>>
>> All fine now.
>>
>> Cheers
> @Andrew David Wong , maybe this should be a step in
> https://www.qubes-os.org/doc/template/debian/upgrade-8-to-9/
>

I noticed that nautilus was removed by "sudo apt-get autoremove" in step 5 of the upgrade doc.
Re: [qubes-users] sys-usb and usb read-only
On 08/11/2017 08:41 PM, Nicolas Mojon wrote:
> Hi,
>
> I would like to know if on the new 4.0 it is possible to lock down data in a
> VM like that nothing can go out of the VM (like no internet or copypaste
> through dom0). I would like to make that specially for usb sticks or other
> stocking device, that people can work on things on the usb in the VM but
> nothing must be able to go out.
>
> Additionally to that, I would like to know if it is possible to use the
> sys-usb vm but with an usb keyboard, cause for the moment, when I try to
> implement it, it finish in a dead lock cause I cannot use the keyboard when
> restarting. And even with the ask policy, it happens after the login so it is
> pretty problematic and allow it completely, will probably cause a security
> issue for my system on of the question above.
>
> Thank you in advance...
>
> Best regards
>
> Nicolas
>

Hi Nicolas,

I am not aware of any changes between r3.2 and r4.0 that would affect your use case. You can disable the vm's networking of course.

If you want a read-only USB flash drive you should look at the USG hardware firewall. I have recently released configurable firmware with a read-only mass storage option:
https://github.com/robertfisk/usg/wiki

Regarding USB keyboards with sys-usb, as you have discovered this does not work. Enabling sys-usb sets a kernel option to hide all USB controllers from dom0, and you then cannot type the disk password. You have two choices:

1 - Leave sys-usb enabled. Boot with a PS/2 keyboard attached (laptop keyboards are PS/2)

2 - Disable sys-usb. Leave your keyboard's PCI USB controller attached to dom0. Assign other PCI USB controllers to your own usb VM. If your system only has one USB controller you could purchase a USB expansion card.

Read the Qubes USB docs for more info:
https://www.qubes-os.org/doc/usb/

Regards,
Robert
Re: [qubes-users] My Windows VM always stops after a while
On 04/13/2017 05:24 PM, loke...@gmail.com wrote:
> I have a Windows VM where I run Outlook for work purposes. It works
> great and I keep it in a separate xfce workspace. I'm running it in
> desktop mode (i.e. the Windows desktop is in a single Xfce
> window).
>
> After a certain amount of time (hard to say how long, but I'd guess
> it's in the 30 minute to 1 hour range) the Windows desktop
> disappears, and in the Qubes manager the Windows VM is marked as
> yellow. It will stay yellow until I hard-kill the VM.
>
> Does anyone have any idea what is going on, and what I can do to
> fix it?
>

I notice this problem when a Windows VM is left running, but doesn't receive any user input for 30min or more. The window will disappear when I'm not looking and I later find the VM stopped. In my case the solution is to use the VM, and it is reliable until the work is finished and I shut it down.

Just a thought - have a look through the power saving & sleep options. It might be trying to "save power" and causing problems with Xen.

Regards,
Robert
Re: [qubes-users] USG - AFirewall For USB's
On 03/15/2017 05:22 PM, Syd Brisby wrote:
> If you remove the wireless module from a laptop, then connect a USB
> wifi adapter (or bluetooth adapter) to a USG and plug the two into
> the laptop, could a (future?) USG act as a hardware firewall for
> the wifi device (or bluetooth device)? For example, Deter MAC
> address scanning? Deter portscanning and rogue packets being sent
> to ports? Deter man-in-the-middle hotspot attacks? Or deter
> bluetooth hacking attempts? etcetera.
>

Theoretically yes, a USB firewall could perform this function. However it would involve porting large parts of the linux network stack to run on an embedded microprocessor with 256kB flash and 64kB RAM. Difficult and painful if possible at all. Certainly not a task for one developer in their spare time!
Re: [qubes-users] USG - AFirewall For USB's
On 03/13/2017 02:56 PM, Jean-Philippe Ouellet wrote:
> On Sun, Mar 12, 2017 at 3:06 AM, wrote:
>> This guy claims to have created a firewall for untrusted USB's
>> https://github.com/robertfisk/USG/wiki . Anyone tested this?
>
> Previously discussed here:
>
> https://groups.google.com/d/msg/qubes-users/MEzOZ_naupo/lMjdMDwFAwAJ
>
> https://groups.google.com/d/topic/qubes-users/UHiDauas4rM/discussion
>

>> Anyone tested this?

I have... a lot!

I am preparing another batch of hardware right now. Anyone interested in ordering one can contact me in about 2 weeks when it will be ready. The price is NZ$80 each (about US$60), and tracked airmail to major continents is NZ$55 (about US$40).

If you don't want to buy one from me, you can make your own from development boards!
https://github.com/robertfisk/USG/wiki/Hardware-%28DIY-v0.9%29

Regards,
Robert
Re: [qubes-users] are skylake / kaby lake laptops just screwed?
On 01/11/2017 11:34 PM, pixel fairy wrote:
> https://www.scmagazine.com/debugging-mechanism-in-intel-cpus-allows-seizing-control-via-usb-port/article/630480/
>
> in part of the talk he said to disable dci in the bios, but in q&a
> he seemed to say that doesn't help. i have a 7th gen and found no
> option to disable it.
>

Also relevant: Intel SVT Closed Chassis Adapter. Yours for only $390.

https://designintools.intel.com/product_p/itpxdpsvt.htm

> Intel® Silicon View Technology Closed Chassis Adapter (also known
> as SVTCCA or BSSB) provides access to DFx-features, like JTAG and
> Run-control, through USB3 port(s) on Intel® Direct Connect
> Interface (DCI) enabled silicon and platforms. The tool enables
> closed-chassis use-cases where USB3-hosted DCI is limited,
> intermittent, or unavailable and includes initial cold boot,
> suspend-state operation and survival, Reset-flows, and USB3 or
> IOSF path failures.

Sweet dreams!
Robert
Re: [qubes-users] Re: Possible to get usable Win7 gui?
On 01/02/2017 09:33 AM, Jeremy Rand wrote:
> Robert Fisk:
>> On 12/30/2016 01:33 AM, Jarle Thorsen wrote:
>>> On Thursday, 29 December 2016 at 13:14:25 UTC+1, Grzesiek Chodzicki
>>> wrote:
>>>> On Thursday, 29 December 2016 at 13:07:44 UTC+1,
>>>> Jarle Thorsen wrote:
>>>>> Currently my Windows 7 StandaloneVM feels a bit sluggish.
>>>>>
>>>>> Moving windows (no phun intended) is a pain.
>>>>>
>>>>> Is it possible to have a Windows VM without any lag, or is
>>>>> this just a part of the deal with Qubes OS?
>>>>>
>>>>> What tweaks should I do to get my Windows VM as responsive as
>>>>> possible?
>>>>>
>>>>> I have no problems with lag in dom0 or any of the Linux VMs.
>>>>>
>>>>> My display is 2560x1440, maybe a large display is part of my
>>>>> problem?
>>>>
>>>> VM Performance is largely dependent on the CPU and RAM so
>>>> ensure that your Windows VM has enough vCPUs and RAM assigned
>>>> to it.
>>>
>>> Throwing more vCPUs and RAM at it hasn't made a big difference so
>>> far, but I'm moving my system to a way more powerful system the
>>> next couple of days, hope that will make a difference.
>>>
>>> Can anybody please confirm that it is indeed possible to have a
>>> lag-free Windows experience under QubesOS?
>>>
>
>> I run a Win7 VM on a i5 gen 4 ULV machine. I have always had
>> problems with lag increasing over time. On bootup the VM is fast,
>> but after 20 min it is unusable with each screen redraw taking ~4
>> sec and associated high CPU usage. This has happened both on R3.0
>> and R3.2.
>
>> I work around the issue by using Remmina (or other RDP client) in
>> an appVM, and allowing IP forwarding in the firewall vm. This
>> solution does not suffer from increasing lag, and should be usable
>> for everything except gaming. See instructions here:
>
>> https://www.qubes-os.org/doc/firewall/
>
>
>> Regards, Robert
>
> I'm curious, are you using Qubes Windows Tools in that VM? My Windows
> VM's do not have Qubes Windows Tools. (I'm trying to figure out what
> might explain why you've run into this issue and I haven't.)
>
> Cheers,
> -Jeremy
>

Yes I have QWT installed in the VM, however I guess the problem is somewhere else:

I only notice the problem when using Adobe applications. These have custom button and toolbar styles presumably drawn with weird custom Adobe code. As time passes these toolbars redraw slower and slower, to the point where you can see each new UI element appear in a tedious ripple across the screen.

I can't remember if restarting the application in question fixes the problem, or whether a VM reboot was required. But using RDP allows me to get on with the work, which is all I really care about!

Regards,
Robert
Re: [qubes-users] Re: Possible to get usable Win7 gui?
On 12/30/2016 01:33 AM, Jarle Thorsen wrote:
> On Thursday, 29 December 2016 at 13:14:25 UTC+1, Grzesiek Chodzicki wrote:
>> On Thursday, 29 December 2016 at 13:07:44 UTC+1, Jarle Thorsen
>> wrote:
>>> Currently my Windows 7 StandaloneVM feels a bit sluggish.
>>>
>>> Moving windows (no phun intended) is a pain.
>>>
>>> Is it possible to have a Windows VM without any lag, or is this just a part
>>> of the deal with Qubes OS?
>>>
>>> What tweaks should I do to get my Windows VM as responsive as possible?
>>>
>>> I have no problems with lag in dom0 or any of the Linux VMs.
>>>
>>> My display is 2560x1440, maybe a large display is part of my problem?
>>
>> VM Performance is largely dependent on the CPU and RAM so ensure that your
>> Windows VM has enough vCPUs and RAM assigned to it.
>
> Throwing more vCPUs and RAM at it hasn't made a big difference so far, but
> I'm moving my system to a way more powerful system the next couple of days,
> hope that will make a difference.
>
> Can anybody please confirm that it is indeed possible to have a lag-free
> Windows experience under QubesOS?
>

I run a Win7 VM on a i5 gen 4 ULV machine. I have always had problems with lag increasing over time. On bootup the VM is fast, but after 20 min it is unusable with each screen redraw taking ~4 sec and associated high CPU usage. This has happened both on R3.0 and R3.2.

I work around the issue by using Remmina (or other RDP client) in an appVM, and allowing IP forwarding in the firewall vm. This solution does not suffer from increasing lag, and should be usable for everything except gaming. See instructions here:

https://www.qubes-os.org/doc/firewall/

Regards,
Robert
Re: [qubes-users] USB hardware firewall
On 12/10/2016 08:25 AM, Marek Marczykowski-Górecki wrote:
> On Sun, Sep 04, 2016 at 06:35:42PM +1200, Robert Fisk wrote:
>> On 09/01/2016 06:55 PM, johnyju...@sigaint.org wrote:
>>> I was thinking earlier that some form of a "USB Firewall"
>>> hardware device might be cool to create; one that goes into
>>> each USB port in between each device and the PC, and only
>>> passes a specific device, or only a HID device (and doesn't
>>> permit a drive to add another HID identity). Yet another side
>>> project for winter. :) There may be existing products.
>
>
>> Ahem. Allow me to introduce you to a project I have been working
>> on for a while now:
>
>> https://github.com/robertfisk/usg/wiki
>> https://github.com/robertfisk/USG/wiki/FAQ
>
>> The USG (which is Good, not Bad) is a hardware firewall for your
>> USB ports. It connects between your computer and your untrusted
>> USB device, isolating the badness with two dedicated processors.
>
>> Features: - Isolates low-level USB exploits by using a simple
>> internal protocol with minimal attack surface
>
>> - No hub support blocks 'hidden' malicious devices
>
>> - Prevents devices changing their enumerated class after
>> connection, stopping malicious class changes.
>
>
>> Device support: mass storage (flash drives), keyboards, mice.
>
>> Project status: You can build your own USG v0.9 hardware out of
>> development boards if you are handy with a soldering iron. End
>> user hardware is approaching production-ready status, samples
>> will be available in the coming months.
>
>> Feedback / pull requests / sales leads are welcome!
>
> This project has great potential! The USB proxy hardware can be
> used for somehow more secure USB keyboard usage on Qubes OS, when
> only a single USB controller is available. Take a look at this
> idea[1]:
>
> Have a piece of hardware plugged between USB keyboard and PC (based
> on https://github.com/robertfisk/USG?), to encrypt and
> integrity-protect the events. And then decrypt them in dom0 and
> check integrity protection, and only then pass them down to input
> devices stack. This should at least partially guard against
> malicious USB VM. It still will be able to perform timing based
> attacks to guess what you're typing - not sure how accurate such
> attacks are currently. Such device could introduce artificial delay
> (like - inject queued events every 50ms) to at least partially
> mitigate such attacks.
>
> What do you think about it? I think the hardware you've designed
> is perfect for this!
>
> [1]
> https://github.com/QubesOS/qubes-issues/issues/2507#issuecomment-265894809
>
>
>

This sounds like a great idea, and I am keen to be involved. There is plenty of flash space available on the embedded CPUs to implement some form of encryption, although the best method of doing so on bare-metal ARM is certainly open for discussion.

A recent batch of hardware samples sold out in November. Due to Real Life(TM) the next batch of hardware is likely to be ready late January or early February. Pricing is currently NZ$80 each (approx US$57).

Regards,
Robert
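The keyboard-to-dom0 channel proposed in the quoted message above (the same goal as issue 2518 in the USB keyboard thread earlier on this page), as an added Python sketch that is not code from the USG firmware or from Qubes: the keyboard-side device emits one fixed-size, encrypted and authenticated frame per timer tick, and dom0 rejects tampered or replayed frames before anything reaches the input stack. The frame layout, the class names and the HMAC-based keystream (a standard-library stand-in for a real AEAD) are assumptions made for this example.

```python
import hashlib
import hmac
import struct

# Assumed frame layout (not from the USG project):
#   8-byte counter | SLOTS x (keycode, state) encrypted | 16-byte tag
SLOTS = 4                      # events per frame; fixed so length leaks nothing
TAG_LEN = 16                   # truncated HMAC-SHA256
FRAME_LEN = 8 + 2 * SLOTS + TAG_LEN
PRESS, RELEASE = 1, 2          # state byte; 0 marks an empty padding slot


class FrameRejected(Exception):
    """Raised by dom0 when a frame fails a check."""


def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


class Channel:
    """Keys shared by the keyboard-side device and dom0 (hypothetical)."""

    def __init__(self, master):
        self.k_enc = _prf(master, b"enc")   # separate keys for encryption
        self.k_mac = _prf(master, b"mac")   # and authentication

    def crypt(self, counter, data):
        # XOR with HMAC(k_enc, counter): a stdlib stand-in for a real AEAD.
        # Safe only while a counter value is never reused under one key.
        stream = _prf(self.k_enc, struct.pack(">Q", counter))
        return bytes(a ^ b for a, b in zip(data, stream))

    def tag(self, body):
        return _prf(self.k_mac, body)[:TAG_LEN]


class KeyboardSide:
    """Runs on the device between the keyboard and the untrusted USB VM."""

    def __init__(self, master):
        self.ch, self.counter, self.queue = Channel(master), 0, []

    def key_event(self, keycode, pressed):
        self.queue.append((keycode, PRESS if pressed else RELEASE))

    def tick(self):
        """Called on a fixed timer (e.g. every 50 ms); always emits a frame,
        so frame timing and size do not reveal when keys were pressed."""
        batch, self.queue = self.queue[:SLOTS], self.queue[SLOTS:]
        plain = b"".join(bytes(e) for e in batch).ljust(2 * SLOTS, b"\x00")
        body = struct.pack(">Q", self.counter) + self.ch.crypt(self.counter, plain)
        self.counter += 1
        return body + self.ch.tag(body)            # encrypt-then-MAC


class Dom0Side:
    """Runs in dom0; only verified events reach the input stack."""

    def __init__(self, master):
        self.ch, self.expected = Channel(master), 0

    def receive(self, frame):
        if len(frame) != FRAME_LEN:
            raise FrameRejected("wrong length")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, self.ch.tag(body)):
            raise FrameRejected("bad tag")
        (counter,) = struct.unpack(">Q", body[:8])
        if counter < self.expected:                # old frame sent again
            raise FrameRejected("replayed or reordered")
        self.expected = counter + 1                # gaps = frames dropped in transit
        plain = self.ch.crypt(counter, body[8:])
        return [(plain[i], plain[i + 1] == PRESS)
                for i in range(0, len(plain), 2) if plain[i + 1] != 0]


def demo():
    master = bytes(range(32))                      # constructed demo key
    kb, dom0 = KeyboardSide(master), Dom0Side(master)
    kb.key_event(0x04, True)                       # constructed events: one key
    kb.key_event(0x04, False)                      # pressed, then released
    typed, idle = kb.tick(), kb.tick()             # second tick has no events
    out = {"events": dom0.receive(typed), "idle": dom0.receive(idle),
           "same_length": len(typed) == len(idle)}
    tampered = bytearray(kb.tick())
    tampered[8] ^= 0x01                            # USB VM alters one payload byte
    for name, frame in (("tampered", bytes(tampered)), ("replayed", typed)):
        try:
            dom0.receive(frame)
            out[name] = "accepted"
        except FrameRejected as exc:
            out[name] = str(exc)
    return out


if __name__ == "__main__":
    print(demo())
```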
[qubes-users] USB hardware firewall (was: epoxy on ram to prevent cold boot attacks?)
On 09/01/2016 06:55 PM, johnyju...@sigaint.org wrote:
> I was thinking earlier that some form of a "USB Firewall" hardware
> device might be cool to create; one that goes into each USB port in
> between each device and the PC, and only passes a specific device,
> or only a HID device (and doesn't permit a drive to add another HID
> identity). Yet another side project for winter. :) There may be
> existing products.

Ahem. Allow me to introduce you to a project I have been working on for a while now:

https://github.com/robertfisk/usg/wiki
https://github.com/robertfisk/USG/wiki/FAQ

The USG (which is Good, not Bad) is a hardware firewall for your USB ports. It connects between your computer and your untrusted USB device, isolating the badness with two dedicated processors.

Features:
- Isolates low-level USB exploits by using a simple internal protocol with minimal attack surface
- No hub support blocks 'hidden' malicious devices
- Prevents devices changing their enumerated class after connection, stopping malicious class changes.

Device support: mass storage (flash drives), keyboards, mice.

Project status: You can build your own USG v0.9 hardware out of development boards if you are handy with a soldering iron. End user hardware is approaching production-ready status, samples will be available in the coming months.

Feedback / pull requests / sales leads are welcome!

Robert