[qubes-users] R4.0-rc1 on T470: unable to boot (reboot loop)

2017-09-16 Thread rysiek
Hi all,

first of all, hello. Been meaning to sign up for this list for some time, some 
of you might remember me from the IRC channel (from when I was setting up my 
own Qubes devel builds).

Anywhoo. I decided to give R4.0-rc1 a spin on my Thinkpad T470, and after 
successfully going through the installation process, I am stuck at this issue:
https://groups.google.com/forum/#!topic/qubes-users/Pf1Cd87KSsk

Selecting any of the two options in GRUB ends up rebooting the device. Tried 
removing "quiet" from kernel options, nothing changed. Any suggestions on how 
can I get some debugging output?

QubesOS R3.2 does not run on T470s at all (old kernel vs. new hardware; new 
hardware clearly wins).

Thanks!

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2493743.SxXS9MZMd7%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Supercookies / Zombie cookies / Web Tracking — how effective are Qubes security domains against this

2017-09-18 Thread rysiek
Hey,

Dnia Monday, September 18, 2017 9:43:15 AM CEST jes...@gmail.com pisze:
> In the past I have used a Firefox plugin called "Better Privacy" to try to
> push back against multi-front user fingerprinting and analysis mechanisms
> such as the kind used by large advertising and user demographics companies
> which include the abuse of Flash LSOs, HTML5 local storage, Silverlight, et
> al to confirm that the same user is browsing along a website or a
> distributed ad network even when they "clear private data" or use incognito
> mode, even when they switch to different browsers installed on the same
> machine, even if they're using coffee shop wifi or VPNs so that they appear
> from different IP addresses, etc.
> (...)

O..k. Straight from the bat, why not Incognito/Private window?

I mean, on my non-Qubes system I have a "work" browser (a normal Firefox 
window, keeping sessions, accepting cookies, etc); and a "fun" browser 
(Chromium Incognito) for everything that I am concerned might track me.

On Qubes, the disposable VM is probably what you're after. But remember, even 
in an incognito window or in a disposable VM, you can be tracked as long as 
the session lasts (i.e. until you close the browser, or reboot the VM).

> So I am curious to what extent Qubes security domains may be sufficiently
> complete as to defeat potentially all of these mechanisms simultaneously?
> Especially if end-user configures one or more domains to pipe all network
> traffic over a VPN or tor to additionally differentiate their IP address?

Most of these mechanisms are browser-bound. Use the browser in your disposable 
VM. Using it through a VPN or Tor is a good idea too.

> I am especially interested to hear about how Qubes security domains interact
> with Flash LSOs, and .. whatever-it-is that Silverlight and other
> multi-browser plugins do, and whether *that* data leaks between domains. :/

Think of each AppVM as a separate machine yoiu're running stuff on. Flash/
Silverlight/etc do not have a way to break out of a VM.

> Thank you for any insight you guys may have on this matter, as it sounds
> like it speaks directly to Qubes primary mission goals of security by
> compartmentalization. :D

Compartmentalization does not do much for anonymity. As in, you can use Qubes, 
and be tracked through each of your AppVMs. You'll have three "identities", 
but all of them will be tracked, since regular AppVMs keep state (including 
browser cookies, etc, unles sthe browser is explicitly configured otherwise).

To combat tracking, I would use the Incognito/Private mode in your browser, or 
a browser in a disposable VM in Qubes. Or both.

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3563889.KxQ3rpsauL%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Supercookies / Zombie cookies / Web Tracking — how effective are Qubes security domains against this

2017-09-18 Thread rysiek
Dnia Monday, September 18, 2017 10:56:33 AM CEST Micah Lee pisze:
> Qubes security domains don't necessarily help solve this problem because
> really the problem is how your web browsers are configured.
> 
> So a tracking company can't link your browsing activity between Qubes
> domains -- your "personal" traffic and "work" traffic might look like
> two separate people -- but within one of those domains, they can still
> track you, and do all of those tricks.
> 
> If you want web privacy, you'll have to configure your browser within
> Qubes the same way you have to outside of Qubes. Or, you can do all of
> your browser in DisposableVMs. Or use Tor Browser, which has taken many
> steps to prevent browser tracker as a design goal.

Damn, beat me to it!

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2241560.q67QAilk6l%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Supercookies / Zombie cookies / Web Tracking — how effective are Qubes security domains against this

2017-09-18 Thread rysiek
Hey,

Dnia Monday, September 18, 2017 12:27:21 PM CEST jes...@gmail.com pisze:
> My only concern is working to ensure that to an outside observer such as
> webservers and ad networks nothing short of the shared IP address (and via
> Tor or VPN or different IPs honestly allocated to different domains perhaps
> not even that) can act as a reliable indicator that web browsing activity in
> one Qubes security domain is "linked" to activity from another security
> domain via any secretly stored cookie-like reference identifiers that get
> somehow leaked across domains.

Right.

> For example: if I browse to a Flash or Silverlight website using Browser X
> in my [untrusted] domain, would those plugins be able to store any kinds of
> LSOs or HTML5 local storage or cached E-tags or anything else deep enough
> into the system backend that they could pull them back out again in my
> [work] domain when I browse back to that same site again?
> (...)

As far as I understand, the answer for Qubes is "this should absolutely not 
happen", but the Qubes developers should probably weigh-in on that. I for one 
would find a "how deep does the rabbit-hole get here" discussion on this very 
informative.

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3904660.0aLW21G1cK%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Supercookies / Zombie cookies / Web Tracking — how effective are Qubes security domains against this

2017-09-19 Thread rysiek
Dnia Monday, September 18, 2017 8:23:46 PM CEST Ted Brenner pisze:
> Not sure if Chromium is free of Google or not.

Me neither, but this does not build confidence:
https://bugs.chromium.org/p/chromium/issues/detail?id=500922
https://news.ycombinator.com/item?id=9724409

They fixed it soon after it was discovered, but sill.

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1764884.RZTnbDx7hM%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] R4.0-rc1 on T470: unable to boot (reboot loop)

2017-09-17 Thread rysiek
Dnia Saturday, September 16, 2017 3:16:16 PM CEST rysiek pisze:
> Selecting any of the two options in GRUB ends up rebooting the device. Tried
> removing "quiet" from kernel options, nothing changed. Any suggestions on
> how can I get some debugging output?

Problem solved.

For the record, the solution was removing `iommu=no-igfx` from Xen params. 
Without it, R4-rc1 boots fine on a T470.

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/35019748.LKnDF4ot2K%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Ubuntu Template

2017-10-14 Thread rysiek
Hey all,

got the build environment up and running, tried building Ubuntu Xenial and 
Zesty images, both failed with:

   debian/rules override_dh_install
make[1]: Entering directory '/home/user/qubes-src/core-agent-linux'
dh_install --fail-missing
dh_install: qubes-core-agent missing files: lib/systemd/system/avahi-
daemon.service.d/30_qubes.conf
dh_install: qubes-core-agent missing files: lib/systemd/system/
exim4.service.d/30_qubes.conf
dh_install: qubes-core-agent missing files: lib/systemd/system/netfilter-
persistent.service.d/30_qubes.conf
dh_install: usr/lib/python2.7/dist-packages/qubesxdg.pyc exists in debian/tmp 
but is not installed to anywhere
dh_install: usr/lib/python2.7/dist-packages/qubesxdg.pyo exists in debian/tmp 
but is not installed to anywhere
dh_install: missing files, aborting
debian/rules:28: recipe for target 'override_dh_install' failed
make[1]: *** [override_dh_install] Error 2
make[1]: Leaving directory '/home/user/qubes-src/core-agent-linux'
debian/rules:12: recipe for target 'binary' failed
make: *** [binary] Error 2
dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 
2
/home/qubes/qubes-builder/qubes-src/builder-debian/Makefile.qubuntu:200: 
recipe for target 'dist-package' failed
make[2]: *** [dist-package] Error 2

Using git://github.com/marmarek/qubes-builder.git master branch. What am I 
missing?

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6060751.WfBia4mgdj%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Ubuntu Template

2017-10-15 Thread rysiek
Dnia Saturday, October 14, 2017 11:30:16 PM CEST Unman pisze:
> It's the same error resported by OP.
> Ubuntu template build hasnt yet been updated to 4.0

Ah, so it is. Any way I can help with debugging/testing/fixing this?

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/12069081.DriIOzV88N%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Ubuntu Template

2017-10-01 Thread rysiek
Dnia Sunday, October 1, 2017 4:03:43 PM CEST Unman pisze:
> On Sun, Oct 01, 2017 at 04:45:59AM -0700, Foppe de Haan wrote:
> > Just an fyi: building ubuntu templates in/for R4 isn't currently possible,
> > getting errors related to qubesxdg while building core-agent-linux-vm.
> Yes, I'm working on this. I'm traveliing just now but will finish off
> when I get home.

I have a build environment I was meaning to get back up to speed, if you need 
a tester, let me know!

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1690704.oVrfNTYTF3%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Re: Anyone disabled the Intel ME yet?

2017-09-25 Thread rysiek
Dnia Sunday, September 24, 2017 9:23:06 PM EEST filtration pisze:
> My motherboard has a "Disable ME" jumper. Not good enough for many of
> you, I know.
> 
> As far as AMT, apparently the entry is through Intel NICs. I hoped to
> mitigate it by using a third party NIC. The Intel device stayed lit
> (amber, not green) on power off, my new one is completely off when
> powered off.

These are not really good options for laptops. :(

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2185343.oOzdqdhnf9%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Ubuntu Template

2017-11-12 Thread rysiek
Hey,

Dnia Sunday, November 12, 2017 4:51:20 PM CET rysiek pisze:
> is there any movement on this? Is there any way I can jump into this and
> help? Any docs I should read to get me started along the way of fixing
> Ubuntu templates for R4.0?

got it to start building. For this I had to make some changes in:

 - debian/qubes-core-agent.install (from `qubes-core-agent-linux` repo)
 - debian/qubes-gui-agent.install  (from `qubes-gui-agent-linux` repo)

Diffs at the bottom.

Didn't make a PR since I have no idea what are the ramifications and potential 
consequences of these particular changes for the operation/security of built 
templates. I assume the files removed are important (otherwise they wouldn't 
have been there in the first place).

Now, during template build I got:
./create_template_list.sh: line 13: xenstore-read: command not found 

Not sure how serious it is; the template seems to have been built. Installing 
it, however, spits out an error:
trusty: qubes.PostInstall service failed
(full log below).

Running anything in a new AppVM based on this template fires it up for a few 
seconds, shows what I can only assume are boot messages (screenshot attached) 
and then the window disappears and nothing else happens.

Any pointers how to proceed with debugging and fixing the Ubuntu templates 
would be appreciated.



$ sudo yum install qubes-template-trusty-4.0.0-201711122203.noarch.rpm 
Redirecting to '/usr/bin/dnf install qubes-template-
trusty-4.0.0-201711122203.noarch.rpm' (see 'man yum2dnf')

Qubes OS Repository for Dom0 13 MB/s |  77 kB 00:00
Dependencies resolved.

 Package  Arch  Version   Repository   
Size

Installing:
 qubes-template-trustynoarch4.0.0-201711122203@commandline436 
M

Transaction Summary

Install  1 Package

Total size: 436 M
Installed size: 1.9 G
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : qubes-template-trusty-4.0.0-201711122203.noarch 

  
1/1 
trusty: Importing data
2621440+0 records in
2621440+0 records out
10737418240 bytes (11 GB, 10 GiB) copied, 30.3018 s, 354 MB/s
trusty: qubes.PostInstall service failed
  Verifying   : qubes-template-trusty-4.0.0-201711122203.noarch 
 
1/1 

Installed:
  qubes-template-trusty.noarch 4.0.0-201711122203   
 

Complete!


diff --git a/debian/qubes-core-agent.install b/debian/qubes-core-agent.install  


   
index 7c1b0c3..ea90569 100644   


   
--- a/debian/qubes-core-agent.install   


   
+++ b/debian/qubes-core-agent.install   


   
@@ -56,15 +56,12 @@ lib/systemd/system/NetworkManager-wait-online.service.d/
30_qubes.conf   

   
 lib/systemd/system/NetworkManager.service.d/30_qubes.conf  



lib/systemd/system/anacron-resume.service.d/30_qubes.conf   


  
 lib/systemd/system/anacron.service.d/30_qubes.conf 


   
-lib/systemd/system/avahi-daemon.service.d/30_q

Re: [qubes-users] Anything like Split GPG for Keepass?

2017-11-13 Thread rysiek
Dnia Monday, November 13, 2017 2:04:00 AM CET Patrick Schleizer pisze:
> Eric Shelton:
> > I am curious how people are making effective use of Keepass in a vault
> > domain.  It seems like with a browser plugin, you might be able to take a
> > Split GPG type of approach, and avoid all of the cutting and pasting
> > across
> > domains.  Any comments or suggestions?
> > 
> > - Eric
> 
> An inter-VM password manager for Qubes OS based on pass

Should also be possible with Keyringer:
https://keyringer.pw

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1741875.XalDMoeGcs%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] When transferring file between Qubes, MD5 changes.

2017-11-16 Thread rysiek
Dnia Thursday, November 16, 2017 9:16:49 AM CET Chris Laprise pisze:
> On 11/16/2017 02:35 AM, vegetarianst...@gmail.com wrote:
> > I am transferring a windows ISO file between qubes.. however, the file's
> > MD5 sum changes every time I complete the transfer.
> > 
> > Why might this be so?
> 
> It might be a bug?
> 
> What version of Qubes? And what OS are the source & destination VMs? Is
> the same mdsum program being using on both ends?

Also, what if you transfer the file with the changed md5 back into the 
original VM? Does the md5 sum change back to what it was, or to something 
different yet?

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1817646.1gal37gNey%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Re: When transferring file between Qubes, MD5 changes.

2017-11-18 Thread rysiek
Dnia Friday, November 17, 2017 8:27:22 PM CET vegetarianst...@gmail.com pisze:
> The nature of the error was deterministic, deterministic as in "stupid
> human."
> 
> I really appreciate all the support but I had some really similar file names
> and way too much faith in my command line history.

We've all been there. :)

> Sorry guys.
> (I had also been working 16+ hours at the time.)

Hope you got some rest.

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1976462.SOsYJ1chng%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Ubuntu Template

2017-11-12 Thread rysiek
Hey,

Dnia Saturday, October 14, 2017 11:30:16 PM CET Unman pisze:
> Ubuntu template build hasnt yet been updated to 4.0

is there any movement on this? Is there any way I can jump into this and help? 
Any docs I should read to get me started along the way of fixing Ubuntu 
templates for R4.0?

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2067280.OE9g9Sp3eV%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


[qubes-users] R4.0, Ubuntu, and Qt4/Qt5, and Salt

2017-11-18 Thread rysiek
Hey,

I am playing with R4.0 rc2, and with a Kubuntu Zesty VM in it. My idea is to 
use this Kubuntu VM as a stepping stone (my current main system is Kubuntu 
Zesty), letting me move to Qubes gradually, by mounting /home in the VM. This 
will let me have access to all my files and setup while I move it between the 
VMs.

So far so good, there were some hurdles -- for instance, gpg-agent refuses to 
work properly with pinentry unless I manually start gpg-agent with a shell:
gpg-agent --daemon /bin/bash


Two issues I was thus far not able to debug, though:

One annoying thing that happens is that while Qt4 applications in the VM are 
using my color, icon, and widget settings (as defined in Kubuntu $HOME), Qt5 
uses a weird mix of *some* parts of the color scheme, and *some* of the icons.

This is not only annoying and an eye-sore, but also the particular mix of 
colors makes some parts of the interface simply unusable. Tried switching the 
color settings, widget theme, tried figuring out if I am missing any (KDE/Qt 
theme/icon/etc) packages, but am at a loss. I am starting to think Qubes 
somehow messes with the Qt style settings.

Anybody any ideas?


Also, started playing with Salt, wrote a nice sls file to install all the 
stuff I need in the Kubuntu VM, but... each time I run it I get an "ERROR". I 
am guessing this is related to the less-than-stellar support for Ubuntu 
templates in Qubes R4.0.

I'd love to know where I could start digging to perhaps help fix that. Any 
pointers welcome!

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1701644.fFZ7PIiRsO%40qubuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Disk password

2017-11-19 Thread rysiek
On Sunday, November 19, 2017 11:15:01 AM UTC tbennett1...@gmail.com wrote:
> I have bitcoin in a vm wallet. So it turns into a very costly issue.

Depending on how much time and money you're willing to invest, how long and 
complicated the password is, and how much of the password you remember, you 
might be able bruteforce your way in.

Qubes uses LUKS to encrypt the disk:
https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup

There is a number of LUKS bruteforcing tools you might try and resources you 
might dive into:
https://github.com/glv2/bruteforce-luks
http://irq5.io/2014/11/19/bruteforcing-luks-volumes-explained/
https://www.hacker10.com/other-computing/brute-force-linux-encryption-with-luks-volume-cracker/

Note the second link -- it talks about LUKS headers, which is the only thing 
you need to copy off of your drive to start bruteforcing on other machines. 
Don't try bruteforcing on your laptop, it will take forever. Instead, get the 
LUKS header off of it, get some solid CPU power somewhere and use that.

When I needed to recover a lost LUKS password (it was a 6-word diceware 
passphrase, 4 words and the first letter of the 5th I remembered), it took me 
~30h of bruteforcing on some 20 cores to get it.

Good luck!

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2206727.TezqhYYeyA%40qubuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Disk password

2017-11-19 Thread rysiek
On Sunday, November 19, 2017 10:48:11 AM UTC tbennett1...@gmail.com wrote:
> Haven’t used my computer for a few months, can’t remember the disk password
> to boot the os. Possible to change it?

The whole point of full disk encryption is making sure that without the 
password nobody can get in... So, no.

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1686166.FoxXDqDcxE%40qubuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] R4.0, Ubuntu, and Salt

2017-11-19 Thread rysiek
On Saturday, November 18, 2017 10:30:49 PM UTC Marek Marczykowski-Górecki 
wrote:
> On Sat, Nov 18, 2017 at 06:36:17PM +0000, rysiek wrote:
> > Also, started playing with Salt, wrote a nice sls file to install all the
> > stuff I need in the Kubuntu VM, but... each time I run it I get an
> > "ERROR". I am guessing this is related to the less-than-stellar support
> > for Ubuntu templates in Qubes R4.0.
> 
> Run qubesctl with --show-output, or check /var/log/qubes/mgmt-*.log for
> details.

Thanks. This only gives me this error:
2017-11-19 22:06:19,000 calling 'state.highstate'...
2017-11-19 22:06:55,812 output: qubuntu:
2017-11-19 22:06:55,813 output: --
2017-11-19 22:06:55,813 output: _error:
2017-11-19 22:06:55,814 output: Failed to return clean data
2017-11-19 22:06:55,814 output: retcode:
2017-11-19 22:06:55,814 output: 1
2017-11-19 22:06:55,814 output: stderr:
2017-11-19 22:06:55,814 output: stdout:
2017-11-19 22:06:55,814 exit code: 20

is tehre any way to enable more debug output?

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1905541.GLcTUDNXif%40qubuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Re: Disk password

2017-11-19 Thread rysiek
On Sunday, November 19, 2017 1:29:03 PM UTC tbennett1...@gmail.com wrote:
> I have no idea the order any of it was put in

You can still try to bruteforce it, but I would start getting used to the fact 
that the contents of this drive are lost for good.

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5010802.BaddXavdCM%40qubuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Ubuntu Template

2017-11-15 Thread rysiek
Dnia Tuesday, November 14, 2017 1:55:06 AM CET Unman pisze:
> I've just put in a couple of PRs to allow building for Xenial in 4.0.

Cool! Would you mind linking them here? I'd love to understand more about 
Qubes internals and that seems like a good place to start. :)

> If anyone wants to try Xenial in 4.0 there's a ready-built template at
> qubes.3isec.org/Templates

Woo! Thanks!

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2053777.zbLx8grGH0%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Ubuntu Template

2017-11-16 Thread rysiek
Hye,

Dnia Tuesday, November 14, 2017 1:55:06 AM CET Unman pisze:
> I've just put in a couple of PRs to allow building for Xenial in 4.0.

Are these the ones you're talking about?
https://github.com/QubesOS/qubes-gui-agent-linux/pull/23
https://github.com/QubesOS/qubes-core-agent-linux/commit/
54867b6eabed3a6dca0e932ff77f67aedfe43e03

The latter is merged, I believe, and the former I applied manually. However, 
while building, now I get:

mkdir: cannot create directory ‘chroot-qubuntu’: File exists
mount: mount point chroot-qubuntu/tmp/qubes-deb does not exist
/home/qubes/qubes-builder/qubes-src/builder-debian/Makefile.qubuntu:275: 
recipe for target 'update-repo-prepare' failed
make[1]: *** [update-repo-prepare] Error 32
Makefile:297: recipe for target 'template-local-xenial' failed
make: *** [template-local-xenial] Error 1

Not sure where to dig now. 

More debug info below.

-> Building meta-packages (debian) for xenial vm (logfile: build-logs/meta-
packages-vm-xenial.log)
╔══ DEBUG 
══
║ Repo Variables
╠───
║ SRC_DIR: qubes-src 
║ CHROOT_DIR:  /home/qubes/qubes-builder/chroot-xenial
║ CHROOT_REPO_DIR: chroot-qubuntu
║ CHROOT_DEBIAN_DIR:   /home/qubes/qubes-builder/chroot-xenial//
║ BUILDER_REPO_DIR:/home/qubes/qubes-builder/qubes-packages-mirror-repo/
xenial
╠───
║ Chroot Variables
╠───
║ DIST_BUILD_DIR:  /home/user
║ DIST_SRC:
║ DIST_SRC_DEBIAN_DIR: /
╠───
║ Build Variables
╠───
║ DEBIAN_PARSER:   /home/qubes/qubes-builder/qubes-src/builder-debian//
scripts/debian-parser
║ DEBIAN_PLUGIN_DIR:   /home/qubes/qubes-builder/qubes-src/builder-debian/
║ OUTPUT_DIR:  pkgs/xenial
║ PACKAGE_LIST:
║ DISTRIBUTION:qubuntu
║ DIST:xenial
║ DEBIANVERSION:   xenial
║ UPDATE_REPO: /home/qubes/qubes-builder/qubes-src/linux-template-
builder/pkgs-for-template/xenial
║ REPO_SUFFIX: 
║ DISTRIBUTION_CAP:Qubuntu
║ REPO_PROXY:  
║ APT_GET_OPTIONS: 
║ CHROOT_ENV:  BACKEND_VMM=xen 
╚═══
╔══ DEBUG 
══
║ Repo Variables
╠───
║ SRC_DIR: qubes-src
║ CHROOT_DIR:  /home/qubes/qubes-builder/chroot-xenial
║ CHROOT_REPO_DIR: chroot-qubuntu
║ CHROOT_DEBIAN_DIR:   /home/qubes/qubes-builder/chroot-xenial//debian-vm/
debian
║ BUILDER_REPO_DIR:/home/qubes/qubes-builder/qubes-packages-mirror-repo/
xenial
╠───
║ Chroot Variables
╠───
║ DIST_BUILD_DIR:  /home/user
║ DIST_SRC:
║ DIST_SRC_DEBIAN_DIR: /debian-vm/debian
╠───
║ Build Variables
╠───
║ DEBIAN_PARSER:   /home/qubes/qubes-builder/qubes-src/builder-debian//
scripts/debian-parser
║ DEBIAN_PLUGIN_DIR:   /home/qubes/qubes-builder/qubes-src/builder-debian/
║ OUTPUT_DIR:  pkgs/xenial
║ PACKAGE_LIST:debian-vm/debian
║ DISTRIBUTION:qubuntu   
║ DIST:xenial
║ DEBIANVERSION:   xenial
║ UPDATE_REPO: /home/qubes/qubes-builder/qubes-src/linux-template-
builder/pkgs-for-template/xenial
║ REPO_SUFFIX:
║ DISTRIBUTION_CAP:Qubuntu   
║ REPO_PROXY:
║ APT_GET_OPTIONS:
║ CHROOT_ENV:  BACKEND_VMM=xen
╚═══
mkdir: cannot create directory ‘chroot-qubuntu’: File exists
mount: mount point chroot-qubuntu/tmp/qubes-deb does not exist
/home/qubes/qubes-builder/qubes-src/builder-debian/Makefile.qubuntu:275: 
recipe for target 'update-repo-prepare' failed
make[1]: *** [update-repo-prepare] Error 32
Makefile:297: recipe for target 'template-local-xenial' failed
make: *** [template-local-xenial] Error 1


-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view 

Re: [qubes-users] Re: Idea for (resonable secure) cloud-storage usage with Qubes

2017-11-07 Thread rysiek
Hey,

Dnia Saturday, October 21, 2017 9:48:56 AM CET [799] pisze:
> Regarding my specific use case I would like to synchronize the data to keep
> a copy at another location. Using LUKS images can cause a problem depending
> on the transfer mechanism, as I need to use a mechanism which will only
> transfer the qctual changed blocks not the whole image. As such I'd like to
> use an encryption which works with file based encryption - knowing that
> this has reduced security as metadata etc. can be used to attack the
> encryption.

But that's also what we're doing with LUKS+SSHFS. The LUKS volume is 
cryptsetup luksOpened and mounted on the *client*, not on the (SSH) *server*, 
meaning the (SSH) server only has access to encrypted data.

Then we're doing regular file-based operations, like rsync or whatnot. Only 
modified bytes of the LUKS image seem to be actually transferred.

We're not transferring the whole images back and forth. That would defeat the 
purpose.

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2086835.dST5jOF2SY%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Is Qubes effected by the Intel kernel memory leaking bug?

2018-01-04 Thread rysiek
Dnia Thursday, January 4, 2018 9:33:04 AM CET Andrew David Wong pisze:
> We've just published an announcement about this:
> 
> https://www.qubes-os.org/news/2018/01/04/xsa-254-meltdown-spectre/

Thank you, much appreciated. Good luck to the whole team in dealing with this.

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5334706.ITVnm1lE8D%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] New HCL Entry: Lenovo ThinkPad T470 (20HDCTO1WW)

2018-01-08 Thread rysiek
Dnia Saturday, January 6, 2018 9:32:20 PM CET Sven Semmler pisze:
> On 12/15/2017 03:20 AM, kotot...@gmail.com wrote:
> > It does boot but the X server cannot start. Text installation did
> > not work.
> 
> Based on swami's post from 9/15/17 I suspect you need kernel 4.9 in
> dom0 ...
> 
> https://groups.google.com/d/msg/qubes-users/ZFZT7mQNeWY/xZ1AiCYOAwAJ

I can confirm that T470 won't work with stock R3.2 kernel. Just go for R4.0, 
works pretty well.

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1585569.CqqnvMDoyJ%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Is Qubes effected by the Intel kernel memory leaking bug?

2018-01-03 Thread rysiek
Dnia Wednesday, January 3, 2018 1:27:38 PM CET 'awokd' via qubes-users pisze:
> On Wed, January 3, 2018 11:55 am, stephenatve...@gmail.com wrote:
> > https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
> > 
> > 
> > http://pythonsweetness.tumblr.com/post/169166980422/the-mysterious-case-o
> > f-the-linux-page-table
> > 
> > It seems as if Linux countermeasures will involve a significant rewrite
> > aka. FUCKWIT.
> > 
> > Is this perhaps why there is no final 4.0 release?
> 
> Believe PCI passthrough had been the major holdup for 4.0 release but I
> could be wrong. I'm curious to see if Xen/Qubes is impacted as well. One
> article says there was a rumor Xen was, another says there are comments in
> the code that Xen PV/HVM is not. Embargo lifts on the 4th, so there should
> be more facts then. Wouldn't want to engage in making speculative
> assumptions (cough).

And here we are:
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://googleprojectzero.blogspot.pt/2018/01/reading-privileged-memory-with-side.html
https://meltdownattack.com/meltdown.pdf
https://spectreattack.com/spectre.pdf

" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "
 During the course of our research, we developed the following proofs of 
concept (PoCs):

A PoC that demonstrates the basic principles behind variant 1 in userspace 
on the tested Intel Haswell Xeon CPU, the AMD FX CPU, the AMD PRO CPU and an 
ARM Cortex A57 [2]. This PoC only tests for the ability to read data inside 
mis-speculated execution within the same process, without crossing any 
privilege boundaries.

A PoC for variant 1 that, when running with normal user privileges under a 
modern Linux kernel with a distro-standard config, can perform arbitrary reads 
in a 4GiB range [3] in kernel virtual memory on the Intel Haswell Xeon CPU. If 
the kernel's BPF JIT is enabled (non-default configuration), it also works on 
the AMD PRO CPU. On the Intel Haswell Xeon CPU, kernel virtual memory can be 
read at a rate of around 2000 bytes per second after around 4 seconds of 
startup time. [4]

A PoC for variant 2 that, when running with root privileges inside a KVM 
guest created using virt-manager on the Intel Haswell Xeon CPU, with a 
specific (now outdated) version of Debian's distro kernel [5] running on the 
host, can read host kernel memory at a rate of around 1500 bytes/second, with 
room for optimization. Before the attack can be performed, some initialization 
has to be performed that takes roughly between 10 and 30 minutes for a machine 
with 64GiB of RAM; the needed time should scale roughly linearly with the 
amount of host RAM. (If 2MB hugepages are available to the guest, the 
initialization should be much faster, but that hasn't been tested.)

A PoC for variant 3 that, when running with normal user privileges, can 
read kernel memory on the Intel Haswell Xeon CPU under some precondition. We 
believe that this precondition is that the targeted kernel memory is present 
in the L1D cache.
" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/40959822.UoTSMkEhtd%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


[qubes-users] R4.0 on T470, Suspend-to-RAM issues

2018-01-22 Thread rysiek
Hey all,

R4.0 rc3 used to work pretty well, but with recent updates (yes, I have 
testing repos enabled), I started having some serious issues around Suspend-
to-RAM:


1. Suspend-to-RAM does not work reliably

When trying to suspend for the first time after a full reboot, the screen goes 
blank for a few seconds and then immediately I am greeted with the lock 
screen. The system does not suspend at all.

After unlocking the screen and trying again, system suspends to RAM, but after 
wake-up the screen is *not* locked.


2. No networking after suspend

After suspend-to-RAM (even unsuccessful, like the first scenario described 
above), the system completely loses networking; sys-net becomes unresponsive 
(and with it, the NetworkManager applet), restarting it does not seem to work, 
it is also impossible to start a terminal in sys-net.


3. USB mouse becomes unusable

After suspend-to-RAM (again, including the first scenario from the top of this 
e-mail), the USB mouse becomes unusable, as if the system was not aware it is 
plugged in. Unplugging it and plugging it back in does not solve the issue.


The only way to fix these is to reboot the machine.


I am happy waiting for rc4 and I assume these are some temporary issues 
related to the current state of R4.0 pre-rc4, but thought it might be useful 
to put them out there.

Perhaps someone else has seen such issues? Perhaps there is something I could 
do to debug them?

-- 
Pozdrawiam,
Michał "rysiek" Woźniak

Zmieniam klucz GPG :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5814775.Jzv2KBC6MB%40lapuntu.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: This is a digitally signed message part.


Re: [qubes-users] Qubes 4.0.x - Linux kernel 4.19.15 package available in testing repository

2019-09-26 Thread rysiek
On 9/26/19 11:59 AM, donoban wrote:
>> On 1/29/19 10:33 AM, Patrik Hagara wrote:
>>> Managed to get rid of the error (and more importantly, the
>>> annoying artifacts) by forcing Xorg to use the generic
>>> modesetting driver instead of i915/i965. ... ...
>>>
>> After this procedure, do you get hardware acceleration? In my case,
>> I do get `name:modesetting`, but I also get these in Xorg.0.log
>> (and no hardware acceleration, obviously):
> (...)
> I did same steps and I have acceleration working fine.

Right. Just tried on a T470 (i5-7200U) and it worked! Many thanks.

So it's the T490 Intel chipset that refuses to cooperate. R4.1 will have
Fedora 29 in dom0, so I guess that should fix it too.

--
Best,
r

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/77c11851-3a94-0105-c590-8e410160daa0%40hackerspace.pl.


signature.asc
Description: OpenPGP digital signature


Re: [qubes-users] Qubes 4.0.x - Linux kernel 4.19.15 package available in testing repository

2019-09-26 Thread rysiek
Hey,

On 1/29/19 10:33 AM, Patrik Hagara wrote:
> Managed to get rid of the error (and more importantly, the annoying
> artifacts) by forcing Xorg to use the generic modesetting driver instead
> of i915/i965.
> 
> Steps (all commands in dom0):
> 
> 1) check the driver currently in use (`xrandr --listproviders`), it's
> the last string (should be "name:Intel" now)
> 
> 2) create file /etc/X11/xorg.conf.d/20-intel.conf (as root) with the
> following contents (also make sure there are no other files in that
> directory with "Device" "Driver" set to "intel"):
> 
>> Section "Device"
>>   Identifier "Intel Graphics"
>>   Driver "modesetting"
>>   Option "AccelMethod" "glamor"
>>   Option "DRI" "3"
>> EndSection
> 
> 3) restart the X server (eg. using `sudo systemctl restart lightdm`)
> 
> 4) use the same xrandr command as in step 1, the driver should now be
> "modesetting" and you should see no errors in /var/log/Xorg.0.log, nor
> any graphical artifacts

After this procedure, do you get hardware acceleration? In my case, I do
get `name:modesetting`, but I also get these in Xorg.0.log (and no
hardware acceleration, obviously):

[29.654] EGL_MESA_drm_image required.
[29.654] (EE) modeset(G0): glamor initialization failed
(...)
[29.728] (EE) AIGLX: reverting to software rendering

Did you install/remove any packages? Can you share the output you get
from `dnf list mesa* libdrm* xorg*`?

> My hardware (sorry for not mentioning this earlier): Lenovo T480s with
> i7-8650U, no discrete GPU.

I'm on a T490. Will also test on a T470 later.

--
Best
r

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4818b401-2add-13c8-4d8e-0a4bf71a323e%40hackerspace.pl.


signature.asc
Description: OpenPGP digital signature


Re: [qubes-users] Whonix 15 has been released

2019-07-05 Thread rysiek
Hey,

On 7/3/19 4:44 PM, 'trichel' via qubes-users wrote:
>> I got the impression that a complete reinstall requires (a) a fedora
>> appvm (I have none), (b) does not work over TOR, since the AppVM's
>> based on whonix must be removed (or set to dummy template) before
>> removing the whonix-14-templates. Then sys-whonix is gone, right?
>> That seems awkward asprocedure. Can someone explain, please? Why can't I
>> install whonix-gw-15 and whonix-ws-15 via dnf in dom0 and THEN remove
>> the -14- ones? Cheers, Bernhard
> 
> After botching the whonix-14 template with an unsuccessful upgrade attempt I 
> reinstalled it by entering sudo qubes-dom0-update 
> --enablerepo=qubes-templates-community --action=reinstall 
> qubes-template-whonix-gw-14 as explained at 
> https://www.whonix.org/wiki/Qubes/Reinstall
> 
> Because this page gives 'sudo qubesctl state.sls qvm.anon-whonix' as a 
> mandatory step I executed that after the reinstall. This installed 2 new 
> templates whonix-gw-15, whonix-ws-15 and a whonix-ws-15-dvm, with all the old 
> stuff still present. I deleted the Whonix 14 templates with dnf and all seems 
> fine now.
> 
> So, apparently just entering sudo qubesctl state.sls qvm.anon-whonix is the 
> easiest way to install new Whonix 15 templates. I didn't create a special 
> update VM for this. Probably it is best to remove the old ones first even 
> though it also works if you don't, apparently. If you need to *upgrade* for 
> some reason (instead of simply replacing the templates with new ones) then 
> you should *NOT* follow this procedure, of course.
> Also see: https://www.whonix.org/wiki/Qubes/Install
> 
> I find it pretty confusing too ... Maybe an expert can give some additional 
> info :)

No expert here, but tested stuff on a QubesOS R4.0 with a working Whonix
14 installation.

Running `sudo qubesctl state.sls qvm.anon-whonix` alone would *not*
install Whonix 15 for me, it would just note that all relevant VMs exist
already and call it quits.


What worked for me was:


1. Install the Whonix 15 templates:

sudo qubes-dom0-update \
  --enablerepo=qubes-templates-community \
  --action=install \
  qubes-template-whonix-gw-15 \
  qubes-template-whonix-gw-15


2. Using Qube Manager, change the templates for relevant qubes
(sys-whonix, anon-whonix, whonix-ws-14-dvm) to relevant Whonix 15 templates.

Restart any modified qubes afterwards, of course, and test stuff works.


3. Remove the unneeded Whonix 14 templates:

sudo dnf remove \
  qubes-template-whonix-gw-14 \
  qubes-template-whonix-gw-14



So far so good.

--
Regards,
rysiek

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/06ca8210-42ab-a398-f959-259d65d7f126%40hackerspace.pl.
For more options, visit https://groups.google.com/d/optout.


signature.asc
Description: OpenPGP digital signature


[qubes-users] Salt Orchestration, vol.2

2020-03-17 Thread rysiek
Hey hey,

I started diving more deeply into Salt on QubesOS, since now I have two laptops
with very similar config. One thing I'd like to use is Salt Orchestrate runner:
https://docs.saltstack.com/en/latest/topics/orchestrate/orchestrate_runner.html

My use-case is: I need to enable networking on some templates (`dom0:
qvm.prefs`) to pull code on them (`I:qubes:type:template: git`), and then
disable networking on those templates.

So basically, I need Salt's `require`, but working *across* minions.

Seems like it's available on R4.0. Before I dive deep into trying to get it into
a functioning state (ha!), has anyone played with it? And most importantly: how
bad of an idea is it?


Yes, I know enabling networking in templates is a Bad Idea, that's why I only
want to do it temporarily and in a well-managed way. But yes, other ideas on how
to get this code into the templates are obviously welcome too -- I considered
just putting it directly in my salt configs repo (that I then manually copy to
dom0:/srv/salt/), but why would I want code that is supposed to be only running
on TemplateVMs in dom0 at all, right?

--
rysiek

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a8e862aa-244a-0c15-d43e-1bb5c0d543f1%40hackerspace.pl.


signature.asc
Description: OpenPGP digital signature