[qubes-users] Re: Fedora 30 approaching EOL, Fedora 31 TemplateVM available, Fedora 32 TemplateVM in testing

2020-06-28 Thread Lorenzo Lamas
I noticed that the Fedora 32 template is in the stable repo, but no 
announcement yet.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2ff4a47e-5fc5-49db-966d-4727fdd46fdco%40googlegroups.com.


[qubes-users] Re: A lot of dom0 updates recently

2020-06-19 Thread Lorenzo Lamas
On Wednesday, June 17, 2020 at 11:09:31 AM UTC+2, tetra...@danwin1210.me 
wrote:
>
> dom0 seems to be getting a lot of updates at the moment (3x in the last 
> 1-2 weeks?) ... are there any security holes we should know about? 
>

Hi,

Security issues are always published in Qubes Security Bulletins, which are 
also in the News section of Qubes website.
The only recent Security Bulletin is about the new Intel CPU 
vulnerabilities, but that isn't in the stable updates repository yet, so 
unless you updated dom0 with testing repository, all your recent updates 
are not security updates.



Re: [qubes-users] Qubes colored border title text

2020-05-28 Thread Lorenzo Lamas


On Thursday, May 21, 2020 at 2:49:30 PM UTC+2, unman wrote:
>
> On Thu, May 21, 2020 at 05:43:55AM -0700, Lorenzo Lamas wrote: 
> > After a Dom0 update, most of the window titles in the Qubes colored 
> borders 
> > are now in a black font, instead of the old white. Is this intentional, 
> and 
> > if so, is it possible for users to manually set it to white again. It 
> looks 
> > really ugly with most colors.(I use the Nodoka style for Window manager, 
> > which was afaik default in an older Qubes release, the new default is 
> > really ugly.) 
> > 
>
> It was intentional and is subject of much debate at github - changes are 
> in pipeline. 
>

Thanks for the explanation! 



[qubes-users] Qubes colored border title text

2020-05-21 Thread Lorenzo Lamas
After a Dom0 update, most of the window titles in the Qubes colored borders 
are now in a black font, instead of the old white. Is this intentional, and 
if so, is it possible for users to manually set it to white again. It looks 
really ugly with most colors.(I use the Nodoka style for Window manager, 
which was afaik default in an older Qubes release, the new default is 
really ugly.)



[qubes-users] Re: QubesOS and 3mdeb "minisummit" 2020 - starting online today!

2020-05-21 Thread Lorenzo Lamas


On Wednesday, May 20, 2020 at 1:52:06 PM UTC+2, Marek Marczykowski-Górecki 
wrote:
>
> Hi, 
>
> This year we're doing "minisummit" with 3mdeb in online formula. 
> It is starting today, you can watch it live and ask questions, or watch 
> recordings later. More details here: 
>
> https://blog.3mdeb.com/2020/2020-05-15-qubesos/ 
>
> Links to live stream are here: 
> https://twitter.com/3mdeb_com/status/1263068441319223296 
>
> - -- 
> Best Regards, 
> Marek Marczykowski-Górecki 
> Invisible Things Lab 
> A: Because it messes up the order in which people normally read text. 
> Q: Why is top-posting such a bad thing? 
>

Great that there are talks about Qubes on modern AMD and bringing AEM to 
AMD since it still requires Intel TXT. With all Intel vulnerabilities, AMD 
seems a better choice in the short term, especially now that with their 
more recent CPUs, they are no longer the underdog to Intel 
performance-wise.
When will recordings be available and will there also be presentation 
slides available?



[qubes-users] Re: Consider making tax deductable donations possible in the EU

2020-05-12 Thread Lorenzo Lamas


On Sunday, May 10, 2020 at 10:26:02 PM UTC+2, Michael Carbone wrote:
>
> On 5/9/20 2:17 PM, Lorenzo Lamas wrote: 
> > Whonix Project has partnered up with the CCT (Center for the Cultivation 
> of 
> > Technology, which is a charitable non-profit host organization in 
> Germany 
> > for international Free Software projects.) 
> > This makes it possible for all EU citizens to deduct donations from 500 
> EUR 
> > and up from their taxes. If Qubes project does the same, it may result 
> in 
> > more donations for the project. 
> > 
> >  
> https://forums.whonix.org/t/european-union-eu-wide-tax-deductible-donations-to-whonix-are-now-possible/9389
>  
> > https://www.whonix.org/wiki/Donate/Tax-Deductible 
>
> thanks for letting me/us know Lorenzo! I'd been in talks with CCT when 
> they first started but they had told me to wait until they were finished 
> getting set up. sounds like they are taking projects now, I'll email them. 
>
> -- 
> Michael Carbone 
>
> Qubes OS | https://www.qubes-os.org 
> @QubesOS <https://www.twitter.com/QubesOS> 
>
> PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4 
>


Great to hear! 



[qubes-users] Consider making tax deductable donations possible in the EU

2020-05-09 Thread Lorenzo Lamas
Whonix Project has partnered up with the CCT (Center for the Cultivation of 
Technology, which is a charitable non-profit host organization in Germany 
for international Free Software projects.)
This makes it possible for all EU citizens to deduct donations from 500 EUR 
and up from their taxes. If Qubes project does the same, it may result in 
more donations for the project.

 
https://forums.whonix.org/t/european-union-eu-wide-tax-deductible-donations-to-whonix-are-now-possible/9389
https://www.whonix.org/wiki/Donate/Tax-Deductible



Re: [qubes-users] Re: Whonix TB Downloader doesn't see the new emergency release of TB, version 9.0.7

2020-03-25 Thread Lorenzo Lamas


On Wednesday, March 25, 2020 at 10:13:23 AM UTC+1, taran1s wrote:
>
> Lorenzo Lamas: 
> > Same thing happens here when TB Downloader is automatically run 
> > after it is updated. However, if I manually run TB updater, I can 
> > select version 9.0.7 In addition to this, the security update to 
> > Tor itself, version 4.2.7, is not yet available in Whonix. 
> > 
>
> - -- 
> Kind regards 
> taran1s 
>
> gpg: 12DDA1FE5FB39C110F3D1FD5A664B90BD3BE59B3 
>
>
> Lorenzo, just to be clear, you meant you CAN'T select version 9.0.7 in 
> the TB updater, right? 
>
>

No, I mean I CAN select 9.0.7. It shows 9.0.6, 9.0.7 and some alpha 
versions. My TB downloader has recently been updated to 3.14.



[qubes-users] Re: Whonix TB Downloader doesn't see the new emergency release of TB, version 9.0.7

2020-03-25 Thread Lorenzo Lamas
Same thing happens here when TB Downloader is automatically run after it is 
updated. However, if I manually run TB updater, I can select version 9.0.7.
In addition to this, the security update to Tor itself, version 4.2.7, is 
not yet available in Whonix.



[qubes-users] Re: Fedora-31 template

2020-03-15 Thread Lorenzo Lamas
A Fedora 31 template is now available in the testing repo for Qubes 4.0.

On Friday, November 15, 2019 at 9:23:54 PM UTC+1, Dominique St-Pierre 
Boucher wrote:
>
> Hello Qubes users,
>
> Have any of you tried and succeeded in upgrading a Fedora template to version 31?
>
> If so, how?
>
> Thanks
>
> Dominique
>



Re: [qubes-users] Verify Qubes OS ISO on Windows 10

2020-01-27 Thread Lorenzo Lamas


On Monday, January 27, 2020 at 4:49:19 PM UTC+1, unman wrote:
>
> On Mon, Jan 27, 2020 at 07:04:14AM -0800, Lorenzo Lamas wrote: 
> > 
> > 
> > On Monday, January 27, 2020 at 1:32:53 PM UTC+1, Maria Losdren wrote: 
> > > 
> > > Yes but there is no good documentation on Qubes how to do this in the 
> > > windows gui. 
> > > 
> > > I am a noob and i can only use step by step tutorials. 
> > > 
> > 
> > The command line works differently on Windows. You cannot just use a 
> > program like on Linux, but you have to go to the exe file. So most 
> likely: 
> > CD C:\Program Files (x86)\gnupg\bin 
> > then: 
> > gpg2.exe --import qubes-master-signing-key.asc 
> > (or any other command.) Note that if you copy and paste this it will not 
> > work, you also need to add the file path, e.g.: 
> > gpg2.exe --import C:\Users\*your 
> > username\Downloads\qubes-master-signing-key.asc 
> > 
>
> Does gpg4win have gpg2.exe? 
> In any case, the gpg4win application seems to be a better route for 
> someone who isnt used to linux or the command line. And, from what I can 
> see it's also incorporated in to windows context menus. 
>

Ah you're correct, it is gpg.exe, there is no gpg2.exe.
The GUI is easier, but has its own complexities. There are two different 
applications, GPA and Kleopatra, and if I recall correctly you also need to 
sign the Qubes key yourself otherwise you will get an error, so it also 
involves creating your own keypair.

@Maria
Try this. Open GPA, import your downloaded master key. Check if the 
fingerprint is correct. Right click set owner trust and set it to ultimate. 
Then download the release signing key and also import it. Download the 
Qubes iso and signature. Right click the signature and go to More GpgEx 
options, and click Verify. If the verify gives you an error, try command 
line:
cd C:\Program Files (x86)\gnupg\bin
Then use gpg to verify (change path to correct download folder, you can 
right-click the signature file, click properties, and copy and paste the 
file path):
gpg.exe --verify C:\Users\*your username*\Downloads\Qubes-R4.0.3-x86_64.iso.asc
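
The steps in the message above (import the master key, check its fingerprint, set owner trust to ultimate, import the release key, verify the ISO signature) can be run as one PowerShell script. This is an added example and not part of the original post; the release-key file name and the Downloads folder are assumptions, and the expected master key fingerprint is a parameter you must supply yourself from trusted sources.

```powershell
# Added example (not from the thread): verify a Qubes ISO with gpg.exe from Gpg4win.
# Assumptions: install path as given in the post, all files in the Downloads folder,
# a hypothetical release-key file name, and a fingerprint supplied by the user.
param(
    [Parameter(Mandatory)] [string] $MasterFingerprint,          # from several independent sources
    [string] $Gpg        = 'C:\Program Files (x86)\gnupg\bin\gpg.exe',
    [string] $Folder     = (Join-Path $env:USERPROFILE 'Downloads'),
    [string] $MasterKey  = 'qubes-master-signing-key.asc',
    [string] $ReleaseKey = 'qubes-release-4-signing-key.asc',    # assumed file name
    [string] $Iso        = 'Qubes-R4.0.3-x86_64.iso'
)

function Get-PrimaryFingerprint([string] $KeyFile) {
    # --show-keys prints a key file without importing it. In --with-colons output,
    # field 10 of the first "fpr" record is the primary key fingerprint.
    $out = & $Gpg --batch --with-colons --show-keys $KeyFile
    if ($LASTEXITCODE -ne 0) { throw "gpg could not read $KeyFile" }
    $fpr = $out | Where-Object { $_ -like 'fpr:*' } | Select-Object -First 1
    if (-not $fpr) { throw "No fingerprint record found in $KeyFile" }
    return ($fpr -split ':')[9]
}

function Test-DetachedSignature([string] $SigFile, [string] $DataFile) {
    # --status-fd 1 writes machine-readable status lines to stdout.
    # VALIDSIG means the signature is cryptographically good; TRUST_FULLY or
    # TRUST_ULTIMATE means the signing key is certified by a key we trust.
    $status  = & $Gpg --batch --status-fd 1 --verify $SigFile $DataFile
    $valid   = $status | Where-Object { $_ -match '^\[GNUPG:\] VALIDSIG ' } | Select-Object -First 1
    $trusted = $status | Where-Object { $_ -match '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)' }
    [pscustomobject]@{
        Valid   = [bool] $valid
        Trusted = [bool] $trusted
        # The last VALIDSIG field is the fingerprint of the signer's primary key.
        Signer  = if ($valid) { ($valid -split ' ')[-1] } else { $null }
    }
}

$masterPath  = Join-Path $Folder $MasterKey
$releasePath = Join-Path $Folder $ReleaseKey
$isoPath     = Join-Path $Folder $Iso
$sigPath     = "$isoPath.asc"

# 1. Compare the fingerprint in the downloaded file with the expected one
#    BEFORE importing or trusting anything.
$expected = ($MasterFingerprint -replace '\s', '').ToUpper()
$actual   = Get-PrimaryFingerprint $masterPath
if ($actual -ne $expected) {
    throw "Master key fingerprint mismatch: file has $actual, expected $expected"
}

# 2. Import the master key and mark it ultimately trusted (ownertrust value 6),
#    the command-line equivalent of "set owner trust ... ultimate" in GPA.
& $Gpg --batch --import $masterPath
"${actual}:6:" | & $Gpg --batch --import-ownertrust

# 3. Import the release signing key; it is certified by the master key,
#    so it becomes valid without signing it with a key of your own.
& $Gpg --batch --import $releasePath

# 4. Verify the detached signature against the ISO.
$result = Test-DetachedSignature $sigPath $isoPath
if ($result.Valid -and $result.Trusted) {
    Write-Host "OK: $Iso is signed by a key certified by the master key ($($result.Signer))"
} elseif ($result.Valid) {
    Write-Warning "Signature is good, but the signing key is not trusted: $($result.Signer)"
} else {
    throw "Signature verification FAILED for $Iso"
}
```
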



Re: [qubes-users] Verify Qubes OS ISO on Windows 10

2020-01-27 Thread Lorenzo Lamas


On Monday, January 27, 2020 at 1:32:53 PM UTC+1, Maria Losdren wrote:
>
> Yes but there is no good documentation on Qubes how to do this in the 
> windows gui.
>
> I am a noob and i can only use step by step tutorials. 
>

The command line works differently on Windows. You cannot just use a 
program like on Linux, but you have to go to the exe file. So most likely:
CD C:\Program Files (x86)\gnupg\bin
then:
gpg2.exe --import qubes-master-signing-key.asc
(or any other command.) Note that if you copy and paste this it will not 
work, you also need to add the file path, e.g.:
gpg2.exe --import C:\Users\*your username\Downloads\qubes-master-signing-key.asc



[qubes-users] Re: Qubes vulnerable to new Intel gpu vulnerability?

2020-01-20 Thread Lorenzo Lamas
More details have emerged:
https://www.phoronix.com/scan.php?page=news_item=Intel-iGPU-Leak-Details
I wonder if updating the Linux kernel in Qubes will be enough. There is 
still no fixed kernel in the current-testing repo btw.



[qubes-users] Qubes vulnerable to new Intel gpu vulnerability?

2020-01-16 Thread Lorenzo Lamas
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00314.html
Not many details there, but from the description it seems it might be possible 
for a compromised AppVM to gather information from other VMs.



[qubes-users] Firefox critical update not updating my latest fedora-30

2020-01-11 Thread Lorenzo Lamas
You can update from testing repo:
sudo dnf update firefox --enablerepo=updates-testing

When newer fedora versions are released, updates for older versions are usually 
slower. The comments on the update also show negative feedback which is why it 
has not been pushed to stable automatically. However, there are no problems if 
your system is up to date with latest stable nss and nspr.



Re: [qubes-users] Re: sys-usb issues recognizing devices & maintaining drive connections

2020-01-11 Thread Lorenzo Lamas


On Saturday, January 4, 2020 at 1:25:19 PM UTC+1, Lorenzo Lamas wrote:
>
>
>
> On Saturday, January 4, 2020 at 10:51:47 AM UTC+1, awokd wrote:
>>
>> > When it is not recognizing devices, the Qubes Devices Widget shows an 
>> > additional device: "sys-usb:2-1:1 - 138a_003c_0030009d7e88". It is not 
>> > visible when everything works fine. Do you have that as well? 
>>
>> An "lsusb" inside sys-usb might help identify that device. 
>>
>>
> This is the output of lsusb:
> Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
> Bus 002 Device 003: ID 138a:003c Validity Sensors, Inc. VFS471 Fingerprint 
> Reader
> Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
> Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
> Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd QEMU USB Tablet
> Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
>

Well I tried disabling the Fingerprint reader in Bios, that stopped the 
'ghost' device from showing up, but doesn't fix anything. 



Re: [qubes-users] Re: sys-usb issues recognizing devices & maintaining drive connections

2020-01-04 Thread Lorenzo Lamas


On Saturday, January 4, 2020 at 10:51:47 AM UTC+1, awokd wrote:
>
> > When it is not recognizing devices, the Qubes Devices Widget shows an 
> > additional device: "sys-usb:2-1:1 - 138a_003c_0030009d7e88". It is not 
> > visible when everything works fine. Do you have that as well? 
>
> An "lsusb" inside sys-usb might help identify that device. 
>
>
This is the output of lsusb:
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 003: ID 138a:003c Validity Sensors, Inc. VFS471 Fingerprint 
Reader
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd QEMU USB Tablet
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub



[qubes-users] Re: sys-usb issues recognizing devices & maintaining drive connections

2020-01-03 Thread Lorenzo Lamas

On Friday, January 3, 2020 at 11:02:24 PM UTC+1, scal...@posteo.net wrote:
>
> Since Qubes 3.2 I've had issues with sys-usb not recognizing devices. My 
> solution has been to reboot until it works. 1 in 4 times it seems to 
> work correctly. 
>
> The device that I have the most trouble with is a trackpad. Sometimes 
> after using the machine successfully for days, I'll wake it up and the 
> trackpad mouse speed will be slowed down. Sometimes rebooting sys-usb 
> will fix this. Other times I have to reboot the whole machine. 
>
> All that i've been able to live with. 
>
> But the other problem I've had with sys-usb is connecting to external 
> drives. Here are the copy speeds I get on my machine to an external usb 
> device: 
>
> Tails OS 33mb/sec 
> Qubes OS 12mb/sec 
>
> HOWEVER, the Qubes # is misleading because it seems to have regular i/o 
> issues so it is 12mb/sec when it is working, which is off and on. Then 
> after some time the whole device will become read only and i'll get a 
> i/o error message after copying for some time. This has become a serious 
> problem because i can no longer do Backups to external drives. (Copying 
> smaller files to/from usb is manageable.) 
>
> Therefore I've decided to ask for help here. A search for "sys-usb" 
> didn't reveal any examples of others having similar problems, but maybe 
> someone can help me narrow down the problem here. 
>
> This is my hardware: https://www.coreboot.org/Board:asus/kgpe-d16 
>
> Any advice is much appreciated. 
>
> scallyob 
>

I may have a similar problem. 
It started with Qubes 4.0 for me. I have 2 usb controllers, one for USB 3.0 
and one for USB 2.0.
The USB 2.0 ports also don't recognize devices a lot of the time and I have 
to reboot as well, also probably works about 1 in 4 times. The strange 
thing is, when it was summer, and the temperature inside the house was 
warmer, I rarely had this issue, but now that it's colder again, it happens 
a lot again.
When it is not recognizing devices, the Qubes Devices Widget shows an 
additional device: "sys-usb:2-1:1 - 138a_003c_0030009d7e88". It is not 
visible when everything works fine. Do you have that as well?

When it works it is also slow for me, just mounting and opening the folder 
of a USB drive seems to take ages, transferring small files as well. I 
don't know if it would also become read-only after a while, because I don't 
use it that long, because I use my USB 3.0 ports for that, which still work 
fine fortunately.

I haven't found a solution, so I can't help you there, unfortunately.
I'm on a 2nd gen Intel i5 laptop btw.



Re: [qubes-users] Re: Recommended laptop?

2020-01-01 Thread Lorenzo Lamas
Hello Thierry,

Thanks for all that you are doing for the community. Do you see a 
possibility of a Qubes Certified Laptop with an AMD CPU?
Intel is affected a lot more than AMD by the sidechannel vulnerabilities in 
the last years. The Privacy Beast has a 3rd gen Intel CPU, Intel stopped 
providing uCode updates for 1st gen in 2019, so this year is probably the 
last year they will support 3rd gen. More CPU vulnerabilities will most 
certainly be discovered in the coming years, so there is a need for an AMD 
based certified laptop, or at least a newer generation Intel based laptop, 
even though that may mean we're stuck with PSP or ME.

On Tuesday, December 31, 2019 at 9:45:18 PM UTC+1, Thierry Laurion wrote:
>
>
> On Wed, Dec 25, 2019 at 6:03 PM > wrote:
>
>> Insurgo is providing a service.
>>
>> If one can do the steps themselves, that’s fine. 
>>
>> If I were advising a somewhat less technical journalist or a potentially 
>> targeted human-rights worker or politically targeted activist who just 
>> wanted to get stuff done and had the resources, I’d point them to Insurgo.
>>
>> Brendan
>>
>
>
> Hello there, Thierry Laurion from Insurgo Open Technologies.
>
> Thanks Brendan.
>
> I feel the need to clarify things a bit once in a while. This reply is one 
> of those. This QubesOS community is large, and even if replies were done on 
> Reddit and other posts here in the past, the same questions arise with the 
> same scattered answers. Here is a combination of those answers.
>
> - Insurgo made grant applications so that actual best trustworthy
>   unmaintained hardware becomes mainstreamed under coreboot, and added under
>   Heads (extend Heads measured boot support of latest coreboot VBOOT+measured
>   boot on Sandy/Ivy bridge xx30 and xx20 platforms: t530, t430, x220. Thanks
>   to obtained NlNet grant for Accessible Security project).
> - Insurgo is attempting to gather developers, device manufacturers
>   (RaptorEngineering) and funders around Power9-Power10 hardware based X86
>   alternative platform (PPC64le QubesOS platform support which has a bounty
>   offer already but needs committed developers). Let's remember that their
>   Blackbird/Talos II platforms recently got RYF certification.
>   - The last x86 platform having met RYF criteria is the X200, thanks
>     to the Libreboot project, which removed Intel ME.
>   - Since then, the x86 platforms have blobs we have to accept/deal
>     with to make it trustworthier:
>     - Sandy Bridge/Ivy bridge: EC firmware, Intel ME BUP ROMP modules.
>       Coreboot doesn't rely on FSP blobs for initialization. ME is actually
>       neutered (no kernel nor syslibs as opposed to newer platforms, just
>       BUP and ROMP) and deactivated (AltMeDisable bit, not HAP bit).
>     - More recent hardware requires ME with its kernel and syslibs
>       binary blobs present, while ME is asked to be deactivated through
>       HAP bit, requires Intel FSP and other binary blobs for hardware
>       initialization.
> - Insurgo works to bridge the gap to broader QubesOS
>   accessibility, so that users in need of remote support can have secured
>   remote administration from trusted third parties (new revenue? AccessNow?
>   Other third parties?) over hidden tor onion service from additional GUI
>   (NlNet grant for Accessible Security project).
> - Insurgo tries its best to support Heads community through GitHub
>   opened issues while promoting collaboration.
> - Insurgo tries its best to mainstream CI build systems to produce
>   reproducible builds artifacts (this is broken for months and is still not
>   resolved).
> - Insurgo tries to raise awareness of researchers and developers on
>   the current state of "Open Source Firmware" (currently requiring FSP, ME
>   or equivalent, not having completely neutered Intel ME while claiming it
>   is deactivated, while system libraries and kernel is still there but
>   latent...) This implies going to conferences, doing talks, confronting the
>   status quo, researching, developing so we have alternatives in the
>   future while also doing the required clerical work.
> - Insurgo made QubesOS preinstallable for the first time on the
>   PrivacyBeast X230, thanks to its reownership wizard which takes care of
>   GPG key generation, internal ROM reflashing, TPM ownership and sealing of
>   measurements, signing boot configuration, while enforcing diceware
>   passphrases in the provisioning phase. The goal is to 

[qubes-users] HCL - HP Elitebook 8460p

2020-01-01 Thread Lorenzo Lamas
Now running 4.0.2-rc3, everything works. Have also run 4.0.1, 4.0, 3.2 and 
3.1 fine.
The only thing that doesn't work is S3 sleep in combination with Anti Evil 
Maid (problems started with 4.0). If S3 sleep is engaged, laptop will do a 
hard shutdown. When booting without AEM, S3 sleep works fine.

Anti Evil Maid works.
Sys-usb works (though sometimes the USB 2.0 ports don't, not sure if it is 
an issue of software or old hardware. The USB 3.0 ports always work).
Attaching USB devices to other VMs works.
Sys-net works with both WiFi and Ethernet (out of the box).
DVD drive works.
 
Webcam and microphone not tested.
 



Qubes-HCL-Hewlett_Packard-HP_EliteBook_8460p-20191231-095921.yml
Description: Binary data


[qubes-users] Notebook with Nvidia Quadro graphics card

2019-12-28 Thread Lorenzo Lamas
Thanks for the reply. Do you know when the option to only use integrated 
graphics was removed? The models I'm looking at are 4th gen i7 CPUs with 
Quadro K1100M/1200M. Unfortunately, a lot of business laptops have changed to 
prefer sleek design over performance, and use the slower U versions of Intel 
CPUs. The ones that do have a proper CPU usually also have a discrete Nvidia 
or AMD graphics card.



[qubes-users] Notebook with Nvidia Quadro graphics card

2019-12-28 Thread Lorenzo Lamas
Hi,

I may buy a notebook for Qubes with integrated Intel HD graphics 4600, but it 
also comes with an Nvidia Quadro graphics card. Will that be a problem for 
Qubes? Is there some way I can force it to use the integrated graphics to avoid 
problems?



Re: [qubes-users] 2 new Intel vulnerabilites

2019-11-14 Thread Lorenzo Lamas


On Thursday, November 14, 2019 at 2:57:19 PM UTC+1, Andrew David Wong wrote:
>
> On 2019-11-14 6:28 AM, Andrew David Wong wrote: 
> > On 2019-11-13 12:40 PM, Lorenzo Lamas wrote: 
> >> There are 2 new vulnerabilities in Intel CPU's, also affecting 
> >> Xen. Xen has issued XSA-304(CVE-2018-12207) and XSA 
> >> 305(CVE-2019-11135). Is the Qubes team aware yet? I haven't seen 
> >> a new QSB. 
> > 
> > 
> > Yes, we're aware. We're currently in the process of preparing 
> > announcements about these XSAs. 
> > 
> > Typically, XSAs have a predisclosure period, during which the XSA 
> > is embargoed, and the Qubes Security Team has time to analyze it 
> > and prepare patches and an announcement. However, these XSAs had 
> > no embargo period, so the Qubes Security Team had no advance notice 
> > of them before they were publicly announced. 
> > 
>
> The announcements have been published: 
>
> https://www.qubes-os.org/news/2019/11/13/xsa-304-qubes-not-affected/ 
>
> https://www.qubes-os.org/news/2019/11/13/qsb-053/ 
>
> - -- 
> Andrew David Wong (Axon) 
> Community Manager, Qubes OS 
> https://www.qubes-os.org 
>

Thank you, and thanks for the earlier explanation!
Btw, do you think it is possible for Qubes to distribute the Intel 
fTPM(http://tpm.fail/) update somehow like Qubes does with microcodes?



[qubes-users] 2 new Intel vulnerabilities

2019-11-13 Thread Lorenzo Lamas
There are 2 new vulnerabilities in Intel CPU's, also affecting Xen. Xen has 
issued XSA-304(CVE-2018-12207) and XSA 305(CVE-2019-11135). Is the Qubes 
team aware yet? I haven't seen a new QSB.



[qubes-users] TPM's vulnerable to practical attack

2019-11-13 Thread Lorenzo Lamas
Posting this here as this might also affect Anti Evil Maid:
http://tpm.fail/



[qubes-users] Re: LibreOffice presentation mode with QubesOS

2019-11-13 Thread Lorenzo Lamas


On Monday, November 4, 2019 at 7:42:26 PM UTC+1, Germann Fabio wrote:
>
> Hi qubes-users,
>
> Recently I tried to present a presentation using LibreOffice on qubes. I'm 
> not able to get into the presentation mode where I got the fullscreen 
> presentation on the HDMI display and the presentation mode screen (current 
> slide, next slide and comments) on the internal display.
>
> I assume this is because in the AppVM there is only one screen. Is there 
> any way around this?
> Has anyone been able to get this working?
>
> Cheers,
> Fabio
>

AppVM's by default don't have fullscreen access, have you enabled it first?
https://www.qubes-os.org/doc/full-screen-mode/



[qubes-users] Re: Qubes won't install on legacy BIOS (non-UEFI supported pc)

2019-09-18 Thread Lorenzo Lamas
Some of my USB thumb drives are not detected when trying to boot from them, 
others work fine though.
Also, one of my machines doesn't detect a USB thumb drive when trying to boot from 
it in a USB 3.0 port, unless I go to BIOS and set the USB 3.0 ports to 
Legacy mode.



Re: [qubes-users] SWAPGS Side Channel Attack

2019-09-11 Thread Lorenzo Lamas
Thank you Simon for the informative reply. Good to hear there is some 
progress on Spectre variant 1. I hope something similar to Respectre will 
be available in the future.



[qubes-users] Re: Suspend to RAM not working

2019-09-11 Thread Lorenzo Lamas
Note that Anti Evil Maid is also a variable that affects Suspend. For me, 
when I boot with AEM and suspend the machine, it immediately shuts down 
instead. Booting without AEM, then Suspend works normally.



Re: [qubes-users] Re: SWAPGS Side Channel Attack

2019-09-07 Thread Lorenzo Lamas


On Saturday, September 7, 2019 at 8:45:52 AM UTC+2, Andrew David Wong wrote:
>
> On 06/09/2019 6.30 AM, 'awokd' via qubes-users wrote: 
> > Lorenzo Lamas: 
> >> Is anyone from Qubes team reading this? 
> >> 
> > ADW and unman are pretty active in this list, but the original 
> > question might be better suited for qubes-devel. 
> > 
>
> The Qubes Security Team is preparing an answer to this question. 
> Please stand by. 
>
> - -- 
> Andrew David Wong (Axon) 
> Community Manager, Qubes OS 
> https://www.qubes-os.org 
>

Thanks for taking the time to reply! I'll await news from the Qubes 
Security Team. 



[qubes-users] Re: SWAPGS Side Channel Attack

2019-09-03 Thread Lorenzo Lamas
Is anyone from Qubes team reading this?



[qubes-users] Changing brightness crashes XFCE power manager

2019-07-26 Thread Lorenzo Lamas
Using the brightness slider from the power manager tray icon regularly 
crashes power manager(R4.0.1). I've had this issue for quite a long time 
already, not sure if it was also present in R3.2.



[qubes-users] Re: Dual-booting Windows vs HVM

2019-07-26 Thread Lorenzo Lamas
If you dual-boot, the machine is only as safe as the unsafest OS. And 
Windows without security updates is very unsafe.

Afaik, this is the latest on using a Windows HVM for gaming:
https://github.com/Qubes-Community/Contents/blob/master/docs/customization/windows-gaming-hvm.md



[qubes-users] Re: Announcement: Insurgo PrivacyBeast X230 Laptop meets and exceeds Qubes 4.0 hardware certification

2019-07-21 Thread Lorenzo Lamas
Very nice to finally have a certified Qubes laptop!

Personally, for me it would be nice if there was a more powerful 
alternative in the future. I'm currently using something with about the 
same resource power and I find myself often wishing I had something faster 
because Qubes is quite heavy compared to a standard OS. It would be great 
to have a quad core CPU(and a proper one, not one of those power-saving U 
line from Intel), 32GB RAM or more and a NVMe SSD instead of SATA. 
Also, there is the issue of the CPU being a 3rd gen Intel i CPU. Maybe this 
is specifically chosen because later CPU's are harder to get blob free, I 
don't know the details. However, Intel had quite a few side channel 
vulnerabilities over the past year, and this year they dropped microcode 
update support for 1st gen CPU's, so there is a pretty high chance they 
will drop 2nd gen support next year and 3rd gen support the year after that.



Re: [qubes-users] Donating to qubes

2019-07-01 Thread Lorenzo Lamas
On Wednesday, November 7, 2018 at 5:28:00 PM UTC+1, Achim Patzner wrote:
> On Saturday, 03.11.2018, at 00:24 +0100, pieter lems wrote:
> Are there any other options available for donating such as paypal
> 
> 
> Just tried it; Open Collective is taking credit cards and Paypal. So go there 
> and donate.
> 
> 
> 
> 
> Achim

Paypal only works for one-time donations, not monthly ones.



Re: [qubes-users] AMD Zen Secure Encrypted Virtualization (SEV)

2019-06-23 Thread Lorenzo Lamas
Has there been any progress with this? Researchers managed to bypass the 
encryption, but afaik this is fixed with SEV-ES(Secure Encrypted 
Virtualization-Encrypted State).



Re: [qubes-users] No more updates for Fedora-29?

2019-05-30 Thread Lorenzo Lamas
> The new Fedora 30 TemplateVM is currently in testing:
> 
> https://github.com/QubesOS/qubes-issues/issues/4845
> 
> When it migrates to stable, we will make an announcement, as usual.

Actually, it is already in the stable repo:
https://ftp.qubes-os.org/repo/yum/r4.0/templates-itl/rpm/



[qubes-users] Re: Computer shuts off when lid is closed when it should suspend

2019-05-20 Thread Lorenzo Lamas
Are you perhaps using Anti Evil Maid?

For me suspend worked properly in R3.2, but on R4 I have the same problem with 
suspend, shutting down instead. But only with AEM boot, if I boot without AEM, 
suspend works again.



[qubes-users] Re: Subgraph

2019-04-05 Thread Lorenzo Lamas
On Friday, April 5, 2019 at 2:02:35 PM UTC+2, Steven Walker wrote:
> Does anybody know if subgraph is still a work in progress, or has it been 
> discontinued now?
> 
> Steve

Afaik Subgraph OS in its old form is dead, but it is replaced with Subgraph 
Citadel which is still a (slow) work in progress.



[qubes-users] Re: "Qubes Devices" widget not working anymore

2019-04-05 Thread Lorenzo Lamas
On Friday, April 5, 2019 at 3:15:44 PM UTC+2, john@gmail.com wrote:
> On Thursday, April 4, 2019 at 3:53:49 PM UTC-4, Lorenzo Lamas wrote:
> > Try updating to qubes-desktop-linux-manager 4.0.17 in current-testing.
> 
> Thanks, Lorenzo. It is fixed now, however, I believe I made the mistake of 
> enabling the repo rather than just installing the package from the repo. 
> Nothing terrible happened, but now every time a new VM is started there's a 
> loud "pop" from my speakers, and it's unaffected by the volume control within 
> Qubes. Not terrible, but it means every time I open a disposable VM there's a 
> loud pop (I'll turn down my speakers).
> 
> If you or anyone has any suggestions regarding that that would be fantastic.
> 
> Thanks.
> John

You could try rolling back the update:
"You could look at 'sudo dnf history' in dom0 to identify the last
update, then roll back to the prior one:

sudo dnf rollback 

So if the update that caused the problem is transaction 150, specify 149
on the command line."

And then install only qubes-desktop-linux-manager from current-testing:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing qubes-desktop-linux-manager

You may need to add "--best --allowerasing" to that.



Re: [qubes-users] Update checking over clearnet instead of Tor?

2019-04-04 Thread Lorenzo Lamas
Thanks unman!



[qubes-users] Device Manager makes problems

2019-04-04 Thread Lorenzo Lamas
Try updating to qubes-desktop-linux-manager 4.0.17 in current-testing



[qubes-users] "Qubes Devices" widget not working anymore

2019-04-04 Thread Lorenzo Lamas
Try updating to qubes-desktop-linux-manager 4.0.17 in current-testing.



[qubes-users] Update checking over clearnet instead of Tor?

2019-04-01 Thread Lorenzo Lamas
I have set my templateVM's to update over Tor. Even when sys-whonix isn't 
running, the update Widget shows that there are new updates, so that must mean 
it checks over clearnet? I think I've also seen this with R3.2, when Qubes 
Manager showed the updates icon even though there was no sys-whonix running.
There should be a warning on installation when enabling updates over Tor that 
it still checks over clearnet, or the checking should be disabled by default 
when the user enables updates over Tor. It would also be nice to have a warning 
in the Updates section in Global Settings in Qube Manager.



[qubes-users] Re: Only 4 CPUs are brought up. Remaining 4 are parked.

2019-03-27 Thread Lorenzo Lamas
Afaik the specific attack only worked on Intel CPU's, OpenBSD disables SMT on 
other manufacturers as well as they believe other CPU's have similar issues.
I run Qubes on an Intel machine, so I have SMT disabled, but haven't noticed 
any performance hit.



Re: [qubes-users] Dom0 Update breaks sys-usb widget

2019-03-24 Thread Lorenzo Lamas
I had to use --best --allowerasing to update qubes-desktop-linux-manager. USB 
widget now works better than before, but VM widget seems broken.



[qubes-users] Re: Upgrades for dom0-Qubes 4; on system reboot skips plymouth, usb kb dies, can't enter decrypt pw

2019-01-31 Thread Lorenzo Lamas
On Monday, January 28, 2019 at 7:55:06 PM UTC+1, qubert wrote:
> First visible error on screen:
> [FAILED] Failed to start Setup Virtual Console
> Second vis error:
> [FAILED] Failed to start Show Plymouth Boot Screen.
> 
> No problem, eh? Because a few lines later, it prompts me for the passphrase 
> for the encrypted disk. Awesome.
> 
> But every time, as soon as it gets there, my keyboard light goes dead, and I 
> of course can't type anything in.
> 
> I have tried four different keyboards. All keyboards are USB, three are 
> wired, one wireless. Have also tried multiple different usb ports, some usb 
> 2.0 and some usb 3.
> Have been using the system just like this for many months with two different 
> usb keyboards. Nothing changed except running the dom0 upgrade (from qubes 
> manager right-click), and I rebooted immediately after.
> 
> When I edit the boot options by eliminating "quiet" I get exactly the same 
> prompt for the luks decrypt password, except it adds this as the final 
> logging line (this line also overwrites the area in which I should be 
> entering the decrypt pw):
> [ 3.407261] clocksource: Switched to clocksource tsc
> 
> Removing 'rhgb' in addition to quiet eliminates the plymouth boot error, but 
> I still get dumped out onto the terminal password entry line and as soon as 
> that line comes up the keyboard light goes off every time!
> 
> Obviously without a keyboard, I can't even get tty, much less enter the 
> unlock passphrase.
> 
> I'm effectively locked out, and before I start messing with it and changing 
> things, thought I would ask to see if anyone out there knows what might be 
> wrong
> 
> Thanks!

You can try removing rd.qubes.hide_all_usb from boot options, if it is present.



[qubes-users] Re: ALL VMs are not working -- qmemman

2019-01-26 Thread Lorenzo Lamas
I also had this error after installing these packages from Dom0 
Security-Testing repo.
I posted about it in the QSB #46 thread, but havent got a reply there. 
Fortunately, with help of someone else I was able to fix it:
https://groups.google.com/d/msg/qubes-users/5D8AxG3jtdw/CqyWjGEiGgAJ



[qubes-users] Re: QSB #46: APT update mechanism vulnerability

2019-01-24 Thread Lorenzo Lamas
On Thursday, January 24, 2019 at 4:13:36 PM UTC+1, Lorenzo Lamas wrote:
> Please help, after updating dom0 with security-testing(which installed not 
> only qubes-desktop-linux-manager and qubes-manager, but also 
> qubes-mgmt-salt-dom0-update-4.0.5-1) and reboot, no VM at all will start.
> Failed to connect to qmmemman:[Errno 2] No such file or directory.
> Text boot shows:
> Failed to start Qubes memory management daemon.
> 
> systemctl status qubes-qmemman.service shows:
> "qubes-qmemman.service - Qubes memory management daemon
> Loaded: loaded (/usr/lib/systemd/system/qubes-qmemman.service; enabled; 
> vendor preset: enabled)
> Active: failed (Result: exit code) since Thu 2019-01-24 15:41:40 CET; 1min 1s 
> ago
> Proces: 2094 ExecStart=/usr/bin/qmemmand (code=exited, status=1/FAILURE]
> Main PID: 2094 (code-exited, status=1/FAILURE)
> 
> Jan 24 15:41:40 dom0 qmemmand[2094]: sys.exit(main())
> Jan 24 15:41:40 dom0 qmemmand[2094]: File 
> "/usr/lib/python3.5/site-packages/qubes/tools/qmemmand.py", line 261, in main
> Jan 24 15:41:40 dom0 
> qmemmand[2094]:qubes.utils.parse_size(config.get('global', vm-min-mem'))
> Jan 24 15:41:40 dom0 qmemmand[2094]: File 
> "/usr/lib/python3.5/site-packages/qubes/utils.py", line 107, in parse_size
> Jan 24 15:41:40 dom0 qmemmand[2094]: raise qubes.exc.QubesException("Invalid 
> size: {0}.".format(size))
> Jan 24 15:41:40 dom0 qmemmand[2094]: qubes.exc.QubesException: Invalid size 
> 190MIB.
> Jan 24 15:41:40 dom0 systemd[1]: qubes-qmemman.service: Main proces exited, 
> code-exited, status=1/FAILURE
> Jan 24 15:41:40 dom0 systemd[1]: Failed to start Qubes memory management 
> daemon.
> Jan 24 15:41:40 dom0 systemd[1]: qubes-qmemman.service: Unit entered failed 
> state.
> Jan 24 15:41:40 dom0 systemd[1]: qubes-qmemman.service: Failed with result 
> 'exit-code'.
> 
> I tried to undo the update with dnf history undo but it says the package is 
> not available.

Well, thanks to the help of someone more knowledgeable than me, I was able to 
fix it.
The trick was to edit /etc/qubes/qmemman.conf.
In the line vm-min-mem = 190MIB replace with 190M
In the line dom0-mem-boost = 333MIB replace with 333M.
Maybe a typo in one of the patches?

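The edit described in the message above, as an added example that is not part of the original post and not Qubes code: a POSIX shell function that rewrites the two MIB values named in the post to M and keeps a backup of the file. The function names and the sample file are constructed for illustration; on a real system the file is /etc/qubes/qmemman.conf, as the post states.

```shell
#!/bin/sh
# Added example (not Qubes code): repair the qmemman.conf values that the
# post reports as rejected with "Invalid size 190MIB".

# Lines of the form "<key> = <digits>MIB" for the two keys named in the post.
# Anchored at line start, so commented-out copies of the setting are ignored.
BAD_LINE='^[[:space:]]*(vm-min-mem|dom0-mem-boost)[[:space:]]*=[[:space:]]*[0-9]+MIB[[:space:]]*$'

# write_sample FILE
# Writes a constructed sample config; it is not a copy of a real
# /etc/qubes/qmemman.conf, only the [global] section name and the two
# key/value pairs are taken from the post.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
[global]
# rejected value: vm-min-mem = 190MIB
vm-min-mem = 190MIB
dom0-mem-boost = 333MIB
EOF
}

# count_bad FILE
# Prints how many active lines still carry the rejected MIB suffix.
count_bad() {
    # grep -c exits 1 when the count is 0; "|| true" keeps this usable
    # under "set -e" while still printing the count.
    grep -Ec "$BAD_LINE" "$1" || true
}

# fix_qmemman_conf FILE
# Replaces "<digits>MIB" with "<digits>M" on the two keys, as the post
# describes. Keeps the original as FILE.bak and prints the number of lines
# changed. Does nothing (and leaves any existing backup alone) when no line
# needs fixing.
fix_qmemman_conf() {
    conf=$1
    if [ ! -f "$conf" ]; then
        echo "no such file: $conf" >&2
        return 2
    fi

    bad=$(count_bad "$conf")
    if [ "$bad" -eq 0 ]; then
        echo 0
        return 0
    fi

    # Back up first, then write the corrected text over the original so the
    # file keeps its owner and mode.
    cp -p "$conf" "$conf.bak"
    sed -E \
        's/^([[:space:]]*(vm-min-mem|dom0-mem-boost)[[:space:]]*=[[:space:]]*[0-9]+)MIB([[:space:]]*)$/\1M\3/' \
        "$conf.bak" > "$conf"
    echo "$bad"
}

# Demonstration on the constructed sample, in a throwaway directory.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/qmemman.conf"
echo "lines fixed: $(fix_qmemman_conf "$demo_dir/qmemman.conf")"
cat "$demo_dir/qmemman.conf"
rm -rf "$demo_dir"
```
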


[qubes-users] Re: QSB #46: APT update mechanism vulnerability

2019-01-24 Thread Lorenzo Lamas
Please help, after updating dom0 with security-testing(which installed not only 
qubes-desktop-linux-manager and qubes-manager, but also 
qubes-mgmt-salt-dom0-update-4.0.5-1) and reboot, no VM at all will start.
Failed to connect to qmmemman:[Errno 2] No such file or directory.
Text boot shows:
Failed to start Qubes memory management daemon.

systemctl status qubes-qmemman.service shows:
"qubes-qmemman.service - Qubes memory management daemon
Loaded: loaded (/usr/lib/systemd/system/qubes-qmemman.service; enabled; vendor 
preset: enabled)
Active: failed (Result: exit code) since Thu 2019-01-24 15:41:40 CET; 1min 1s 
ago
Proces: 2094 ExecStart=/usr/bin/qmemmand (code=exited, status=1/FAILURE]
Main PID: 2094 (code-exited, status=1/FAILURE)

Jan 24 15:41:40 dom0 qmemmand[2094]: sys.exit(main())
Jan 24 15:41:40 dom0 qmemmand[2094]: File 
"/usr/lib/python3.5/site-packages/qubes/tools/qmemmand.py", line 261, in main
Jan 24 15:41:40 dom0 qmemmand[2094]:qubes.utils.parse_size(config.get('global', 
vm-min-mem'))
Jan 24 15:41:40 dom0 qmemmand[2094]: File 
"/usr/lib/python3.5/site-packages/qubes/utils.py", line 107, in parse_size
Jan 24 15:41:40 dom0 qmemmand[2094]: raise qubes.exc.QubesException("Invalid 
size: {0}.".format(size))
Jan 24 15:41:40 dom0 qmemmand[2094]: qubes.exc.QubesException: Invalid size 
190MIB.
Jan 24 15:41:40 dom0 systemd[1]: qubes-qmemman.service: Main proces exited, 
code-exited, status=1/FAILURE
Jan 24 15:41:40 dom0 systemd[1]: Failed to start Qubes memory management daemon.
Jan 24 15:41:40 dom0 systemd[1]: qubes-qmemman.service: Unit entered failed 
state.
Jan 24 15:41:40 dom0 systemd[1]: qubes-qmemman.service: Failed with result 
'exit-code'.

I tried to undo the update with dnf history undo but it says the package is not 
available.



[qubes-users] Fedora 29 update metadata does not expire

2019-01-12 Thread Lorenzo Lamas
After switching to the Fedora 29 template, I noticed I have to clean old 
metadata in order to update it, or I will get this:
Last metadata expiration check: 5 days, 18:23:45 ago.
Dependencies resolved.
Nothing to do.
Complete!

With the older Fedora versions it usually expired after a day or so, but I have 
even seen another templatevm with last check 13 days ago, that's crazy long. 
Is there some setting to let it refresh after X time so I don't have to 
manually clean metadata and launch the update again?



Re: [qubes-users] Re: Qubes OS 4.0.1 has been released!

2019-01-09 Thread Lorenzo Lamas
On Wednesday, January 9, 2019 at 11:11:31 AM UTC+1, Marek Marczykowski-Górecki 
wrote:
> On Wed, Jan 09, 2019 at 01:35:42AM -0800, Lorenzo Lamas wrote:
> > I see the hashes are different to 4.0.1-RC2. What has changed compared to 
> > RC2?
> 
> Minor fix to update widget[1] plus a rebuild with "4.0.1" as a version,
> instead of "4.0.1-rc2".
> 
> [1] https://github.com/QubesOS/qubes-issues/issues/4667
> 
> - -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

Thanks for the reply! And also thanks for the 4.0.1 release, this has made it 
easier for me to migrate from 3.2.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/36da0d17-8ffc-47be-9174-f6cde9e25152%40googlegroups.com.


[qubes-users] Re: Qubes OS 4.0.1 has been released!

2019-01-09 Thread Lorenzo Lamas
On Wednesday, January 9, 2019 at 3:49:32 AM UTC+1, Marek Marczykowski-Górecki 
wrote:
> Dear Qubes Community,
> 
> We're pleased to announce the release of Qubes 4.0.1! This is the first
> stable point release of Qubes 4.0. It includes many updates over the
> initial 4.0 release, in particular:
> 
>  - All 4.0 dom0 updates to date, including a lot of bug fixes and
>    improvements for GUI tools
>  - Fedora 29 TemplateVM
>  - Debian 9 TemplateVM
>  - Whonix 14 Gateway and Workstation TemplateVMs
>  - Linux kernel 4.14
> 
> Qubes 4.0.1 is available on the [Downloads] page.
> 
> 
> What is a point release?
> ------------------------
> 
> A point release does not designate a separate, new version of Qubes OS.
> Rather, it designates its respective major or minor release (in this
> case, 4.0) inclusive of all updates up to a certain point. Installing
> Qubes 4.0 and fully updating it results in the same system as installing
> Qubes 4.0.1.
> 
> 
> What should I do?
> -----------------
> 
> If you're currently using an up-to-date Qubes 4.0 installation
> (including updated Fedora 29, Debian 9, and Whonix 14 templates), then
> your system is already equivalent to a Qubes 4.0.1 installation. No
> action is needed.
> 
> Similarly, if you're currently using a Qubes 4.0.1 release candidate
> (4.0.1-rc1 or 4.0.1-rc2), and you've followed the standard procedure for
> keeping it up-to-date, then your system is equivalent to a 4.0.1 stable
> installation, and no additional action is needed.
> 
> If you're currently using Qubes 4.0 but don't have these new templates
> installed yet, we recommend that you follow the appropriate
> documentation to do so:
> 
>  - [Fedora 29]
>  - [Debian 9]
>  - [Whonix 14]
> 
> Regardless of your current OS, if you wish to install (or reinstall)
> Qubes 4.0 for any reason, then the 4.0.1 ISO will make this more
> convenient and secure, since it bundles all Qubes 4.0 updates to date.
> It will be especially helpful for users whose hardware is too new to be
> compatible with the original Qubes 4.0 installer.
> 
> 
> [Downloads]: https://www.qubes-os.org/downloads/
> [Fedora 29]: https://www.qubes-os.org/doc/template/fedora/upgrade-28-to-29/
> [Debian 9]: https://www.qubes-os.org/doc/template/debian/upgrade-8-to-9/
> [Whonix 14]: https://www.whonix.org/wiki/Upgrading_Whonix_13_to_Whonix_14
> 
> This announcement is also available on the Qubes website:
> https://www.qubes-os.org/news/2019/01/09/qubes-401/
> 
> - -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

I see the hashes are different to 4.0.1-RC2. What has changed compared to RC2?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a1101cec-3133-4c93-bfb1-b979efcda0ec%40googlegroups.com.


[qubes-users] Re: Using Windows 7 vm from R3.2

2019-01-08 Thread Lorenzo Lamas
Starting with the QWT iso or attaching it didn't work for me either, it didn't 
show up at all. I copied it to the Windows VM and extracted the installer from 
it. 

Btw, I just installed Windows 7 SP1 from an iso and installed all updates in 
just a few hours (old Sandy Bridge dual core with SATA SSD). After installing 7 
SP1, or after installing SP1 if using an older iso, don't let it search for 
updates but instead manually install the April 2015 servicing stack update and 
then the Convenience Rollup 
(https://www.howtogeek.com/255435/how-to-update-windows-7-all-at-once-with-microsofts-convenience-rollup/).
After that, the number of updates still needed in order to be fully up to date 
is a LOT less.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a26f3ff9-e1c1-4e69-915f-0e4ecccffd04%40googlegroups.com.


[qubes-users] Re: R4.0 and R4.0-rc2 Instructions for USB Keyboard w/Sys-USB fails

2019-01-04 Thread Lorenzo Lamas
On Friday, January 4, 2019 at 7:56:26 PM UTC+1, Eric Duncan wrote:
> > The guide also shows how to hide all USB controllers from Dom0. This is now 
> > default, so you need to unhide them.
> 
> Do you think I need to pass an entire controller?  Could I start of focus on 
> what IDs the USB keyboard is using and just pass that?  I'm new to USB pass 
> through processes, so these are my first attempts.
> 
> Whichever is the case, I'll update the guide as well with a PR to add this 
> step.  
> 
> The guide is also a bit annoying as for over a year I always thought it was 
> only for USB block devices - until I recently scrolled all the way down - and 
> now see the info about other USB devices.  I'll add an Introduction as well 
> to help clarify things and what all that guide covers.
> 
> 

I'm not sure what you mean. There are different ways to connect USB devices to 
an AppVM/Qube.

1. Attach block devices; this is the safest method and you can use this to 
attach individual partitions. However, if your device is not a storage device, 
but a webcam or keyboard, it will not work.
2. You can also attach the complete device to a Qube (USB passthrough). This 
works with more devices, but this gives more ways to infect the destination 
Qube if the device is compromised.
3. Attach the whole USB controller using Xen PCI passthrough.

When creating a USB Qube (sys-usb), all USB controllers are attached to this 
Qube so Dom0 is protected from all USB devices. You can then connect USB 
devices to other Qubes when necessary with method 1 and 2.

This means that if you use a USB Qube and attach a USB keyboard, it is also 
connected to sys-usb, and not Dom0, and you cannot use USB passthrough on Dom0, 
so you can't use it to type. To solve this, the USB qube gets permission to 
send keystrokes to dom0 (done automatically when you execute qubesctl state.sls 
qvm.usb-keyboard).

Btw, this means that the USB qube can send keystrokes to Dom0 and also see 
sent keystrokes, i.e. passwords. If you or someone connects a compromised/evil 
USB device to sys-usb it can thus sniff your passwords or send commands to 
Dom0. If you don't want this:

A: only use built-in laptop keyboard or PS/2 keyboard and don't give USB Qube 
permission to send keystrokes.

If this is not possible or external USB keyboard is needed:

B: if you have multiple USB controllers you might be able to create a second 
USB qube and attach one of the USB controllers using PCI passthrough to that 
device and leave the others connected to the first USB Qube. Then you can allow 
permission to send keystrokes for the second USB Qube and connect your keyboard 
to the USB ports belonging to that USB controller, and connect other 
(untrusted) USB devices to the USB ports from the other controller connected to 
the first USB Qube. Now you're protected from malicious devices unknowingly 
connected by yourself; an attacker might of course still attach the device to 
the other USB ports.

And/Or C: use the DisposableVM feature with sys-usb to ensure a clean sys-usb 
every boot. This is more useful for a non-targeted attack/accidental 
compromise. Of course compromise can still happen between boots.

Even with a USB Qube, Dom0 is still unprotected from USB devices during boot; 
this is why USB controllers are hidden from Dom0 during boot.

To enter your LUKS password, you only need to unhide the USB controllers from 
Dom0. If you have access to your machine you can follow the standard 
instructions to hide them, but instead of adding the line(s) 
"rd.qubes.hide_all_usb" you need to remove them. If you don't want to reinstall 
Qubes, you can boot the machine, then edit the boot command in Grub during 
boot (not sure how that works with (U)EFI boot) by pressing 'e' and remove 
"rd.qubes.hide_all_usb" in the same place(s) and press ctrl+x to boot. Then 
after booting is complete also remove "rd.qubes.hide_all_usb" with the normal 
instructions to make it permanent.

> On Friday, January 4, 2019 at 12:54:56 PM UTC-5, Lorenzo Lamas wrote:
> > On Friday, January 4, 2019 at 6:29:37 PM UTC+1, Eric Duncan wrote:
> > > 
> > > The odd part is... I can press ESC and get to the text output of LUKS 
> > > asking for password.  So something is kind of working?
> > 
> > Indeed strange though that ESC is still working.
> 
> It's a race condition when Xen is attaching USB controllers?  If I act 
> quickly, I can get a few characters typed until the keyboard goes dead.  
> Which begs the question, why does Xen allow me to even type a few chars 
> before the usb is redirected?
I guess the USB controllers are not yet hidden that early in the booting 
process.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an em

[qubes-users] Re: old version of xscreensaver

2019-01-04 Thread Lorenzo Lamas
I have tried KDE shortly on R4 now, here are some of my pros and cons:

XFCE:
Pros
-Fast and light.
-I have my standard panel on the bottom and created a second, auto-hiding, 
panel on the top filled with Launchers to get something like a MacOS Dock.(But 
way less fancy.)
Cons:
-Not visually appealing.
-Default Window Manager theme (Slick) is very ugly, and also some of the 
colors from the colored borders get very ugly. I thought R3.2 used a different 
default. I've set mine to Nodoka.
-I've set appearance to Greybird, the panel looks a lot better now but 
Application Launcher does not match.
-Xscreensaver lockscreen is way too ugly.

KDE:
Pros
-Loads more visually appealing.
-Much nicer lockscreen.
Cons
-After logging in after booting it needs quite some time to load while XFCE 
loads almost instantly.
-Sys-Net network icon is invisible
-Other icons are very out of focus compared to XFCE and some are uglier as well.
-Not sure if there is an alternative to my XFCE 'Dock' that doesn't require 
installing additional software/extensions into Dom0.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9a19e877-f67a-408c-8607-0e8fc9221ff4%40googlegroups.com.


[qubes-users] Re: R4.0 and R4.0-rc2 Instructions for USB Keyboard w/Sys-USB fails

2019-01-04 Thread Lorenzo Lamas
On Friday, January 4, 2019 at 6:29:37 PM UTC+1, Eric Duncan wrote:
> Following this guide to enable a sys-usb qubes, but with a USB keyboard fails:
> 
> https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard
> 
> Tried on two ISOs: R4.0 (bare ISO install, no updates) and R4.0-rc2 (up to 
> date).
> 
> Tried on two systems: Thinkpad X1 Tablet 3rd Gen and Apple Macbook Pro 
> mid-2014.
> 
> Both systems reboot to a keyboard that does not work to enter LUKS password, 
> and therefore losing all access to the system.
> 
> I'm guessing I need to configure the keyboard for USB pass through?  As a 
> step missing perhaps?
> 
> The command executes properly:
> 
> sudo qubesctl state.sls qvm.usb-keyboard
> 
> And after a reboot, the system doesn't allow USB keyboard.
> 
> The odd part is... I can press ESC and get to the text output of LUKS asking 
> for password.  So something is kind of working?

The guide also shows how to hide all USB controllers from Dom0. This is now 
default, so you need to unhide them. Indeed strange though that ESC is still 
working.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/387f0edb-a753-498e-8028-5ee60960a7a9%40googlegroups.com.


[qubes-users] Re: qvm-run on R4 with Windows VM

2019-01-04 Thread Lorenzo Lamas
On Friday, January 4, 2019 at 11:51:40 AM UTC+1, Lorenzo Lamas wrote:
> On Sunday, December 30, 2018 at 12:53:41 PM UTC+1, Lorenzo Lamas wrote:
> > On Qubes 3.2, I was able to start executables on my Windows VM through a 
> > launcher with a qvm-run command:
> > "qvm-run -q --tray -a VMname -- 'cmd.exe /c "C:\path\to\file.exe"' "
> > However, when I try this on Qubes 4, it doesn't work, the Windows VM 
> > doesn't even start with this command. How can I fix this?
> 
> Adding a launcher for an application already listed in Qubes automatically 
> makes this command, which is different but doesn't work either and doesn't 
> start the VM either: "qvm-run -q -a --service -- VMname 
> qubes.StartApp+Programs-Accessoiries-Windows_Explorer"

Rectification: the second command DOES autostart the VM, but does not start 
Windows Explorer. 

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bc59f26a-a534-4268-88e9-ea79b347fd36%40googlegroups.com.


[qubes-users] Re: qvm-run on R4 with Windows VM

2019-01-04 Thread Lorenzo Lamas
On Sunday, December 30, 2018 at 12:53:41 PM UTC+1, Lorenzo Lamas wrote:
> On Qubes 3.2, I was able to start executables on my Windows VM through a 
> launcher with a qvm-run command:
> "qvm-run -q --tray -a VMname -- 'cmd.exe /c "C:\path\to\file.exe"' "
> However, when I try this on Qubes 4, it doesn't work, the Windows VM doesn't 
> even start with this command. How can I fix this?

Adding a launcher for an application already listed in Qubes automatically makes 
this command, which is different but doesn't work either and doesn't start the 
VM either: "qvm-run -q -a --service -- VMname 
qubes.StartApp+Programs-Accessoiries-Windows_Explorer"

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/15e2e791-bf69-4497-8410-f6cb82062f09%40googlegroups.com.


[qubes-users] qvm-run on R4 with Windows VM

2018-12-30 Thread Lorenzo Lamas
On Qubes 3.2, I was able to start executables on my Windows VM through a 
launcher with a qvm-run command:
"qvm-run -q --tray -a VMname -- 'cmd.exe /c "C:\path\to\file.exe"' "
However, when I try this on Qubes 4, it doesn't work, the Windows VM doesn't 
even start with this command. How can I fix this?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a01a0a26-8cc2-4adc-8ee4-d08f8eb38544%40googlegroups.com.


[qubes-users] SINIT module RACM update: access denied (Anti-Evil-Maid)

2018-12-25 Thread Lorenzo Lamas
I'm installing AEM for the first time in Qubes 4 and noticed that the readme 
(https://github.com/QubesOS/qubes-antievilmaid/blob/master/anti-evil-maid/README) 
has been significantly expanded since 3.2; specifically, it mentions making 
sure to get the latest RACM update in the SINIT module instructions:

"Also, make sure you have the latest RACM update, if available (2nd & 3rd gen):
https://software.intel.com/system/files/article/183305/intel-txt-sinit-acm-revocation-tools-guide-rev1-0_2.pdf

It's possible to use 3rd gen SINIT/RACM on 2nd gen platforms. In fact, the
only RACM available at the time of writing is for the 3rd gen, while the 2nd
gen platforms were also affected by the buffer overflow bug in old SINIT
version."

That is not a public link however, you need to log in with an account. I have 
successfully registered an account and logged in, but then I get an Access 
Denied message when opening the link.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a8782179-ad68-4728-9da1-64229d71593d%40googlegroups.com.


[qubes-users] Re: Qubes OS 3.2.1-rc1 has been released!

2018-10-29 Thread Lorenzo Lamas
Any ETA on 4.0.1 yet?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0a0499f5-d653-4ea7-ba57-7c248694f70e%40googlegroups.com.


[qubes-users] Re: My farewell to Qubes OS!

2018-10-29 Thread Lorenzo Lamas
Sad to see you go Joanna, thank you for all the work you put into Qubes OS. 
Golem Project is lucky to have you!

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d10481ca-f903-437b-a85e-20609de1b22e%40googlegroups.com.


[qubes-users] Re: [UPDATE] QSB #37: Information leaks due to processor speculative execution bugs (XSA-254, Meltdown & Spectre)

2018-03-16 Thread Lorenzo Lamas
After updating to Xen 4.6.6-37, with updated BIOS/microcode, I executed Spectre 
& Meltdown Checker (https://github.com/speed47/spectre-meltdown-checker) in a PV 
Fedora 26 AppVM (Kernel 4.14.18-1).

Hardware support is now supported:
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (IBPB_SUPPORT feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES 

However, the VM kernel does not seem to support the mitigations: 

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO 
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO 
    * IBRS enabled for User space:  NO 
    * IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  YES 
  * Kernel compiled with a retpoline-aware compiler:  NO  (kernel reports minimal retpoline compilation)
> STATUS:  VULNERABLE  (Vulnerable: Minimal generic ASM retpoline, IBPB)


Does this mean the kernel compiled by Qubes does not support the mitigations 
yet, or that this test cannot get proper info from the kernel, since the kernel 
is provided by Dom0 instead of the VM? Or are both true?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/636c6c6c-66fe-45e5-9605-1c3bba03c2eb%40googlegroups.com.


Re: [qubes-users] Dom0 updates broken

2018-03-16 Thread Lorenzo Lamas
On Friday, March 16, 2018 at 10:29:25 AM UTC+1, awokd wrote:
> On Fri, March 16, 2018 8:42 am, Lorenzo Lamas wrote:
> > On Qubes 3.2 I'm getting this error when performing qubes-dom0-update:
> >
> >
> > tar: /var/lib/qubes/dom0-updates: Cannot open: No such file or directory
> > tar: Error is not recoverable: exiting now
> > Dom0 updates dir does not exists: /var/lib/qubes/dom0-updates
> 
> https://github.com/QubesOS/qubes-issues/issues/3620
> 
> Update your update template once the R3.2 patch hits current.

Thanks! I updated one template from the current-testing and it works again.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/11614dca-8fd2-4908-927f-a925e2f58cc8%40googlegroups.com.


[qubes-users] Dom0 updates broken

2018-03-16 Thread Lorenzo Lamas
On Qubes 3.2 I'm getting this error when performing qubes-dom0-update:

tar: /var/lib/qubes/dom0-updates: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
Dom0 updates dir does not exists: /var/lib/qubes/dom0-updates

This was the latest successful update before it broke:

Return-Code: Success
Command Line   : 
--exclude=qubes-template-whonix-ws,qubes-template-fedora-26,qubes-template-whonix-gw,qubes-template-debian-8,
 upgrade
Transaction performed with:
Installed dnf-1.1.10-1.fc23.noarch@anaconda/rawhide
Installed rpm-4.13.0-0.rc1.13.fc23.x86_64 @anaconda/rawhide
Packages Altered:
Upgraded libgcc-5.3.1-6.fc23.x86_64@anaconda/rawhide
Upgrade 5.3.1-6.qubes1.fc23.x86_64 @qubes-dom0-cached
Upgraded libgomp-5.3.1-6.fc23.x86_64   @anaconda/rawhide
Upgrade  5.3.1-6.qubes1.fc23.x86_64@qubes-dom0-cached
Upgraded libstdc++-5.3.1-6.fc23.x86_64 @anaconda/rawhide
Upgrade5.3.1-6.qubes1.fc23.x86_64  @qubes-dom0-cached
Upgraded qubes-gpg-split-dom0-2.0.27-1.fc23.x86_64 @qubes-dom0-cached
Upgrade   2.0.28-1.fc23.x86_64 @qubes-dom0-cached

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0c859304-c673-4909-b795-01442534e442%40googlegroups.com.


Re: [qubes-users] Re: QSB #37: Information leaks due to processor speculative execution bugs (XSA-254, Meltdown & Spectre)

2018-01-20 Thread Lorenzo Lamas
On Wednesday, January 17, 2018 at 10:29:18 PM UTC+1, Ilpo Järvinen wrote:
> On Wed, 17 Jan 2018, Lorenzo Lamas wrote:
> 
> > On Thursday, January 11, 2018 at 3:57:50 PM UTC+1, Andrew David Wong wrote:
> > > ## Qubes 3.2
> > > 
> > > For Qubes 3.2, we plan to release an update that will make almost all
> > > VMs run in a fully-virtualized mode. Specifically, we plan to backport
> > > PVH support from Qubes 4.0 and enable it for all VMs without PCI
> > > devices. After this update, all VMs that previously ran in PV mode (and
> > > that do not have PCI devices) will subsequently run in PVH mode, with
> > > the exception of stub domains. Any HVMs will continue to run in HVM
> > > mode.
> > 
> > Is this the shim-based approach from XSA-254?
> 
> No, it won't be a shim-based approach (see also Marek's mail in this 
> thread).
> 
> > Then it should be made clear that the VM's will be more vulnerable to 
> > Meltdown: 
> 
> Even if shims would be used, that "more" claim is false as Meltdown 
> against the host hypervisor from PVs that are currently used in R3.2 
> expose both host and also the guest through the host hypervisor (its 
> memory). With shims only the guest is still vulnerable, this time through 
> the intermediate xen instance running in the HVM/PVH encapsulating the PV 
> guest. Clearly it's "less" vulnerable rather than "more".
> 
> Qubes has been trying to migrate away from PVs altogether (rather than 
> e.g., placing PVs into those shims) due to PV vulnerabilities in general. 
> In fact, even before these HW vulnerabilities were discovered, the process 
> towards PVH was ongoing which is why R4.0 rcs as is are much better 
> protected already. These vulnerabilities only accelerated this process.
> There will, unfortunately, be one limitation to this migration still 
> due to PCI passthrough: VMs with PCI devices need to remain PV (or their 
> stubdoms in R4.0).
> 
> > "Note this shim-based approach prevents attacks on the host, but leaves
> > the guest vulnerable to Meltdown attacks by its own unprivileged
> > processes; this is true even if the guest OS has KPTI or similar
> > Meltdown mitigation."
> > https://xenbits.xen.org/xsa/xsa254/README.which-shim
> 
> Also, note that one of the fundamental assumptions with Qubes security 
> model is that the VMs _will get compromised_ (regardless of HW exploits). 
> What Qubes aims to protect against is escalation from a compromised VM
> to host or to another VM.
> 
> 
> -- 
>  i.

Thank you for clarifying this.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f08a8a34-859b-4cbe-b8aa-aa9f54e15f5e%40googlegroups.com.


[qubes-users] Re: QSB #37: Information leaks due to processor speculative execution bugs (XSA-254, Meltdown & Spectre)

2018-01-17 Thread Lorenzo Lamas
On Thursday, January 11, 2018 at 3:57:50 PM UTC+1, Andrew David Wong wrote:
> ## Qubes 3.2
> 
> For Qubes 3.2, we plan to release an update that will make almost all
> VMs run in a fully-virtualized mode. Specifically, we plan to backport
> PVH support from Qubes 4.0 and enable it for all VMs without PCI
> devices. After this update, all VMs that previously ran in PV mode (and
> that do not have PCI devices) will subsequently run in PVH mode, with
> the exception of stub domains. Any HVMs will continue to run in HVM
> mode.

Is this the shim-based approach from XSA-254?
Then it should be made clear that the VM's will be more vulnerable to Meltdown:
"Note this shim-based approach prevents attacks on the host, but leaves
the guest vulnerable to Meltdown attacks by its own unprivileged
processes; this is true even if the guest OS has KPTI or similar
Meltdown mitigation."
https://xenbits.xen.org/xsa/xsa254/README.which-shim

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2ed7448b-7d79-479b-ba9f-85a5583bbbcf%40googlegroups.com.


[qubes-users] VM autostart order

2017-11-19 Thread Lorenzo Lamas
I've enabled VM autostart on some of my AppVM's, but now they're 
autostarted before some of my ServiceVM's. Is there any way to change the order 
of autostarting VM's so my AppVM's are started last?

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4381f051-3794-4805-8f91-d2f70035940e%40googlegroups.com.


[qubes-users] Re: QSB #33: Xen hypervisor (XSA-231 through XSA-234)

2017-09-12 Thread Lorenzo Lamas
Is it necessary to install corresponding Xen packages in TemplateVM's from the 
security-testing repository for VM's?

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/91f0b86a-eb1d-4a5f-ab89-750d03d4d0df%40googlegroups.com.


[qubes-users] Re: [qubes-devel] Re: Announcement: Recommended Fedora 25 TemplateVM Upgrade for Qubes 3.2

2017-08-23 Thread Lorenzo Lamas
On Saturday, August 5, 2017 at 1:26:51 AM UTC+2, Michael Carbone wrote:
> Lorenzo Lamas:
> > Because Fedora 25 has a newer version of NetworkManager, can the same
> > method for MAC randomization for Debian now be used for Fedora
> > instead of using macchanger as described here? 
> > https://www.qubes-os.org/doc/anonymizing-your-mac-address/
> 
> yes that is correct. I have just submitted a pull request to update that
> doc to reflect that fact:
> 
> https://github.com/QubesOS/qubes-doc/pull/452
> 
> -- 
> Michael Carbone
> 
> Qubes OS | https://www.qubes-os.org
> @QubesOS <https://www.twitter.com/QubesOS>
> 
> PGP fingerprint: D3D8 BEBF ECE8 91AC 46A7 30DE 63FC 4D26 84A7 33B4

Thanks!

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e5d78193-4827-4724-b986-186088bf8e0b%40googlegroups.com.


[qubes-users] Re: Qubes Security Bulletin #32: Xen hypervisor and Linux kernel vulnerabilities (XSA-226 through XSA-230)

2017-08-23 Thread Lorenzo Lamas
Is it necessary to install corresponding Xen packages in TemplateVM's from the 
security-testing repository for VM's?

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3f6e7c5f-07dc-4c78-8f55-6ea4c5b515d5%40googlegroups.com.


[qubes-users] Re: Announcement: Recommended Fedora 25 TemplateVM Upgrade for Qubes 3.2

2017-08-04 Thread Lorenzo Lamas
Because Fedora 25 has a newer version of NetworkManager, can the same method 
for MAC randomization for Debian now be used for Fedora instead of using 
macchanger as described here?
https://www.qubes-os.org/doc/anonymizing-your-mac-address/

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2f0cb08b-5254-4fb5-a7e3-bd6956cd5ec9%40googlegroups.com.


[qubes-users] Re: Fedora 24 will EOL on 2017-08-08. Are F25/26 Templates ready?

2017-07-13 Thread Lorenzo Lamas
Fedora 26 has been released, which means there is now less than a month before 
F24 becomes EOL.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d37335fb-9fa9-4538-8c38-a08b258bf19c%40googlegroups.com.


[qubes-users] Re: AEM boot doesn't load serviceVM's since Xen 4.6.3

2017-01-31 Thread Lorenzo Lamas
I just updated Dom0 to the updates in current-testing, this upgraded both 
Xen (to 4.6.4-25) and AEM (to 3.0.5-1) but nothing has changed.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fc76de22-002d-43d0-b06e-93e95d156ae1%40googlegroups.com.


Re: [qubes-users] AEM boot doesn't load serviceVM's since Xen 4.6.3

2017-01-09 Thread Lorenzo Lamas
On Sunday, December 4, 2016 at 10:27:19 PM UTC+1, Marek Marczykowski-Górecki 
wrote:
> On Sun, Dec 04, 2016 at 07:49:13AM -0800, Lorenzo Lamas wrote:
> > Since upgrading to Xen 4.6.3-21 from Xen 4.6.1-20, booting with AEM fails 
> > to start serviceVM's (netVM, usbVM, firewallVM). When the boot process 
> > finally completes, trying to manually launch the VMs through VM Manager 
> > doesn't work either. When I choose to boot without AEM, everything works as 
> > expected. Problem remains with the latest Xen 4.6.3-24.
> > It is on an HP Elitebook 8460p with IOMMU running Qubes 3.2
> > 
> > I'm not very familiar with Linux, so if you want logs, please tell me where 
> > to find them.
> 
> What exactly do you get when starting sys-net manually? Also, take a look
> at /var/log/libvirt/libxl/libxl-driver.log and
> /var/log/xen/console/hypervisor.log for any related messages. For
> example you can use `tail -f` while starting sys-net manually, to see
> what messages will show up there:
> 
> sudo tail -f /var/log/libvirt/libxl/libxl-driver.log /var/log/xen/console/hypervisor.log
> 
> -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab

Not trying to be impatient or rude, but do the logs give any useful information?

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1bccfe92-d284-4099-ab72-27b0953631a6%40googlegroups.com.


Re: [qubes-users] AEM boot doesn't load serviceVM's since Xen 4.6.3

2016-12-07 Thread Lorenzo Lamas
On Wednesday, December 7, 2016 at 9:01:30 PM UTC+1, eldo...@riseup.net wrote:
> I have exactly the same problem with booting using AEM
> Look at this :
> https://groups.google.com/forum/#!topic/qubes-users/Vs2QDsU1zJQ
You don't mention AEM there. Everything works fine on my machine if I boot 
without AEM. Does booting without AEM change things for you?

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a30cb05e-17e0-4f08-8dcb-1fd7c67d00ad%40googlegroups.com.


Re: [qubes-users] AEM boot doesn't load serviceVM's since Xen 4.6.3

2016-12-07 Thread Lorenzo Lamas
> > This sounds familiar. Try removing the network devices from sys-net to 
> > see if it will start then. Next, re-add the network devices and try 
> > starting sys-net again.
> > 
> > Chris
> Yes, removing network devices from sys-net makes it possible to start it, 
> forgot to re-add them and try again, I'll do that later.

If I re-add them, it is again unable to start.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/78a3dc83-1ac5-41cf-a230-074d09bb1fcb%40googlegroups.com.


Re: [qubes-users] AEM boot doesn't load serviceVM's since Xen 4.6.3

2016-12-05 Thread Lorenzo Lamas
On Sunday, December 4, 2016 at 10:27:19 PM UTC+1, Marek Marczykowski-Górecki 
wrote:
> What exactly do you get when starting sys-net manually? Also, take a look
> at /var/log/libvirt/libxl/libxl-driver.log and
> /var/log/xen/console/hypervisor.log for any related messages. For
> example you can use `tail -f` while starting sys-net manually, to see
> what messages will show up there:
> 
> sudo tail -f /var/log/libvirt/libxl/libxl-driver.log

It says cannot create qrexec-daemon.
During boot it says "Failed to start Qubes NetVM startup" and "Failed to start 
Start Qubes VM sys-net" (and some more for the other serviceVMs).

This is the log from libxl-driver.log:

[user@dom0 ~]$ sudo tail -f /var/log/libvirt/libxl/libxl-driver.log
2016-12-05 17:24:33 CET libxl: error: libxl_pci.c:1047:libxl__device_pci_reset: The kernel doesn't support reset from sysfs for PCI device :23:00.0
2016-12-05 17:24:33 CET libxl: error: libxl_pci.c:1047:libxl__device_pci_reset: The kernel doesn't support reset from sysfs for PCI device :23:00.2
2016-12-05 17:24:43 CET libxl: error: libxl_device.c:1269:libxl__wait_for_backend: Backend /local/domain/0/backend/pci/4/0 not ready
2016-12-05 17:24:43 CET libxl: error: libxl_pci.c:1321:do_pci_remove: xc_physdev_unmap_pirq irq=16: Invalid argument
2016-12-05 17:24:54 CET libxl: error: libxl_device.c:1269:libxl__wait_for_backend: Backend /local/domain/0/backend/pci/4/0 not ready
2016-12-05 17:24:54 CET libxl: error: libxl_pci.c:1047:libxl__device_pci_reset: The kernel doesn't support reset from sysfs for PCI device :23:00.0
2016-12-05 17:25:04 CET libxl: error: libxl_device.c:1269:libxl__wait_for_backend: Backend /local/domain/0/backend/pci/4/0 not ready
2016-12-05 17:25:04 CET libxl: error: libxl_pci.c:1321:do_pci_remove: xc_physdev_unmap_pirq irq=18: Invalid argument
2016-12-05 17:25:04 CET libxl: error: libxl_pci.c:1047:libxl__device_pci_reset: The kernel doesn't support reset from sysfs for PCI device :23:00.2
2016-12-05 17:25:14 CET libxl: error: libxl_device.c:1269:libxl__wait_for_backend: Backend /local/domain/0/backend/pci/4/0 not ready
2016-12-05 17:29:34 CET libxl: error: libxl_device.c:1269:libxl__wait_for_backend: Backend /local/domain/0/backend/pci/5/0 not ready
2016-12-05 17:29:45 CET libxl: error: libxl_device.c:1269:libxl__wait_for_backend: Backend /local/domain/0/backend/pci/5/0 not ready

and hypervisor.log:
[user@dom0 ~]$ sudo tail -f /var/log/xen/console/hypervisor.log
(XEN) d6v0 Unhandled invalid opcode fault/trap [#6, ec=]
(XEN) domain_crash_sync called from entry.S: fault at 82d08022c643 create_bounce_frame+0x12b/0x13a
(XEN) Domain 6 (vcpu#0) crashed on cpu#3:
(XEN) [ Xen-4.6.3  x86_64  debug=n  Not tainted ]
(XEN) CPU:3
(XEN) RIP:e033:[]
(XEN) RFLAGS: 0292   EM: 1   CONTEXT: pv guest (d6v0)
(XEN) rax:    rbx: 00012c00   rcx: 
(XEN) rdx: 81a3f810   rsi: 003f   rdi: 
(XEN) rbp: 81c03e70   rsp: 81c03da8   r8:  0011
(XEN) r9:  0168   r10: 0001   r11: 
(XEN) r12: 000a9b00   r13: 8000   r14: 000111d0
(XEN) r15: 0011   cr0: 80050033   cr4: 000426e0
(XEN) cr3: 000333409000   cr2: 
(XEN) ds:    es:    fs:    gs:    ss: e02b   cs: e033
(XEN) Guest stack trace from rsp=81c03da8:

[qubes-users] Re: Announcement: Qubes OS Begins Commercialization and Community Funding Efforts

2016-12-04 Thread Lorenzo Lamas
It's a bit saddening to hear priorities are shifting to commercial clients, but 
for the rest it's great news, a good way to keep Qubes going!

> In an attempt to keep the open source development of Qubes going, we've teamed
> up with Open Collective [07], which makes it easier to donate to the Qubes
> project.  Now, in addition to our Bitcoin fund [08], we can also accept
> donations via credit card. 
Good to hear, but I would recommend adding more payment options like PayPal so 
it's easier for users in other parts of the world, where credit cards are not 
widely used, to support you.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/72d52e11-346d-49ff-8506-4564887090fa%40googlegroups.com.


[qubes-users] AEM boot doesn't load serviceVM's since Xen 4.6.3

2016-12-04 Thread Lorenzo Lamas
Since upgrading to Xen 4.6.3-21 from Xen 4.6.1-20, booting with AEM fails to 
start serviceVM's (netVM, usbVM, firewallVM). When the boot process finally 
completes, trying to manually launch the VMs through VM Manager doesn't work 
either. When I choose to boot without AEM, everything works as expected. 
Problem remains with the latest Xen 4.6.3-24.
It is on an HP Elitebook 8460p with IOMMU running Qubes 3.2

I'm not very familiar with Linux, so if you want logs, please tell me where to 
find them.

In case it may not be related to the new Xen version but some other update 
installed at the same time, here is the update history:

Transaction ID : 13
Begin time     : Tue Nov 22 19:56:34 2016
Begin rpmdb    : 934:24862fb1256d9f648273fa8d88ac172b1a06d3d9
End time       :            19:58:15 2016 (101 seconds)
End rpmdb      : 939:d785b8e09d66f2d440768eaa6b01d1e77e21ac7c
User           :
Return-Code    : Success
Command Line   : --exclude=qubes-template-fedora-23,qubes-template-fedora-24,qubes-template-whonix-ws,qubes-template-whonix-gw,qubes-template-debian-8, upgrade
Transaction performed with:
    Installed dnf-1.1.10-1.fc23.noarch        @anaconda/rawhide
    Installed rpm-4.13.0-0.rc1.13.fc23.x86_64 @anaconda/rawhide
Packages Altered:
    Upgraded glusterfs-3.7.16-1.fc23.x86_64                @qubes-dom0-cached
    Upgrade            3.7.17-1.fc23.x86_64                @qubes-dom0-cached
    Upgraded glusterfs-api-3.7.16-1.fc23.x86_64            @qubes-dom0-cached
    Upgrade                3.7.17-1.fc23.x86_64            @qubes-dom0-cached
    Upgraded glusterfs-client-xlators-3.7.16-1.fc23.x86_64 @qubes-dom0-cached
    Upgrade                           3.7.17-1.fc23.x86_64 @qubes-dom0-cached
    Upgraded glusterfs-libs-3.7.16-1.fc23.x86_64           @qubes-dom0-cached
    Upgrade                 3.7.17-1.fc23.x86_64           @qubes-dom0-cached
    Upgraded libraw1394-2.1.0-6.fc23.x86_64                @anaconda/rawhide
    Upgrade             2.1.2-1.fc23.x86_64                @qubes-dom0-cached
    Upgraded qubes-core-dom0-3.2.11-1.fc23.x86_64          @qubes-dom0-cached
    Upgrade                  3.2.12-1.fc23.x86_64          @qubes-dom0-cached
    Upgraded qubes-core-dom0-doc-3.2.11-1.noarch           @qubes-dom0-cached
    Upgrade                      3.2.12-1.noarch           @qubes-dom0-cached
    Upgraded qubes-db-3.2.1-1.fc23.x86_64                  @anaconda/rawhide
    Upgrade           3.2.3-1.fc23.x86_64                  @qubes-dom0-cached
    Upgraded qubes-db-dom0-3.2.1-1.fc23.x86_64             @anaconda/rawhide
    Upgrade                3.2.3-1.fc23.x86_64             @qubes-dom0-cached
    Upgraded qubes-db-libs-3.2.1-1.fc23.x86_64             @anaconda/rawhide
    Upgrade                3.2.3-1.fc23.x86_64             @qubes-dom0-cached
    Upgraded xfce4-datetime-plugin-0.6.2-6.fc23.x86_64     @anaconda/rawhide
    Upgrade                        0.7.0-1.fc23.x86_64     @qubes-dom0-cached
    Upgraded xfce4-diskperf-plugin-2.5.5-2.fc23.x86_64     @anaconda/rawhide
    Upgrade                        2.6.0-1.fc23.x86_64     @qubes-dom0-cached
    Upgraded xfce4-fsguard-plugin-1.0.2-2.fc23.x86_64      @anaconda/rawhide
    Upgrade                       1.1.0-1.fc23.x86_64      @qubes-dom0-cached
    Upgraded xfce4-systemload-plugin-1.1.2-3.fc23.x86_64   @anaconda/rawhide
    Upgrade                          1.2.0-1.fc23.x86_64   @qubes-dom0-cached
    Upgraded quota-1:4.02-5.fc23.x86_64                    @anaconda/rawhide
    Upgrade        1:4.02-6.fc23.x86_64                    @qubes-dom0-cached
    Upgraded quota-nls-1:4.02-5.fc23.noarch                @anaconda/rawhide
    Upgrade            1:4.02-6.fc23.noarch                @qubes-dom0-cached
    Upgraded libpng-2:1.6.23-1.fc23.x86_64                 @anaconda/rawhide
    Upgrade         2:1.6.26-1.fc23.x86_64                 @qubes-dom0-cached
    Upgraded xen-2001:4.6.1-20.fc23.x86_64                 @anaconda/rawhide
    Upgrade      2001:4.6.3-21.fc23.x86_64                 @qubes-dom0-cached
    Upgraded xen-hvm-2001:4.6.1-20.fc23.x86_64             @anaconda/rawhide
    Upgrade          2001:4.6.3-21.fc23.x86_64             @qubes-dom0-cached
    Upgraded xen-hypervisor-2001:4.6.1-20.fc23.x86_64      @anaconda/rawhide
    Upgrade                 2001:4.6.3-21.fc23.x86_64      @qubes-dom0-cached
    Upgraded xen-libs-2001:4.6.1-20.fc23.x86_64            @anaconda/rawhide
    Upgrade           2001:4.6.3-21.fc23.x86_64            @qubes-dom0-cached
    Upgraded xen-licenses-2001:4.6.1-20.fc23.x86_64        @anaconda/rawhide
    Upgrade               2001:4.6.3-21.fc23.x86_64        @qubes-dom0-cached
    Upgraded xen-runtime-2001:4.6.1-20.fc23.x86_64         @anaconda/rawhide
    Upgrade              2001:4.6.3-21.fc23.x86_64         @qubes-dom0-cached
Scriptlet output:
   1 sed: can't read /etc/sysconfig/prelink: No such file or directory
   2 Redirecting to /bin/systemctl start  xenstored.service
   3 

[qubes-users] Re: Is there any hope for Wayland?

2016-09-12 Thread Lorenzo Lamas
Imo a good reason for Wayland in Qubes (Dom0 at least) is because x11 lockscreen 
is not secure.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5e0fc300-683a-4303-a8fa-eeb690843ae7%40googlegroups.com.


Re: [qubes-users] R3.2 USB passthrough Windows HVM

2016-09-06 Thread Lorenzo Lamas
On Saturday, September 3, 2016 at 8:51:47 PM UTC+2, Marek Marczykowski-Górecki 
wrote:
> As for passing through the whole USB controller, it is broken currently:
> https://github.com/QubesOS/qubes-issues/issues/1659
> We'll work on this some more this month and hopefully fix it.

Nice, that would be great.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2da53aca-309b-4c22-bbb9-dff204f3060f%40googlegroups.com.


[qubes-users] R3.2 USB passthrough Windows HVM

2016-09-03 Thread Lorenzo Lamas
Does the new USB passthrough feature also work with Windows HVMs?

For work I need to use software that is only available on Windows and it uses a 
DRM system which requires a connected USB flash drive counterpart in order to 
start the software (I think it's from Codemeter, but I'm not sure). I'd rather 
not use dual boot or swap hard drives in the same machine to use a Windows 
installation but want to use a Windows HVM instead.

If this is not the case would attaching the USB controller with PCI passthrough 
work? Because I read quite a lot of reports of it not working properly with HVMs.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2a5ea09b-38e8-454a-b90e-b2b84ccc3e74%40googlegroups.com.


[qubes-users] Qubes processes should use hardening flags

2016-08-20 Thread Lorenzo Lamas
A quick check in the Fedora 23 VM with Checksec shows all mitigations enabled 
for most processes. Processes from Qubes however are missing mitigations.
A short list: (These are the processes that I know are from Qubes, some might 
be missing)

qubes-db-daemon: No PIE, No Stack Canary, RELRO only partial
qrexec-agent: No Stack Canary, RELRO only partial
qubes-gui: No Stack Canary, RELRO only partial
qrexec-client-c: No Stack Canary, RELRO only partial
qrexec-fork-ser: No Stack Canary, RELRO only partial
icon sender: RELRO only partial

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9769f558-0d97-4e35-9881-9e6076506238%40googlegroups.com.
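The three properties in the Checksec list above (PIE, stack canary, RELRO) can be read directly from an ELF file's program headers and dynamic section. The sketch below is an added example, not part of the original post and not Qubes or Checksec code; it handles little-endian ELF64 only, and build_sample() is a hypothetical helper that produces constructed header-only images standing in for real binaries.

```python
import struct
import sys

ET_DYN = 3
PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 1, 2, 3, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS = 0, 5, 10, 24, 30
DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x6FFFFFFB, 0x8, 0x1, 0x08000000


def check_elf(data):
    """Report PIE / RELRO / stack-canary status of a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # Program header fields: type, flags, offset, vaddr, paddr, filesz, memsz, align
    phdrs = [struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    seg_types = {p[0] for p in phdrs}

    dyn = {}  # dynamic section as {tag: value}
    for p in phdrs:
        if p[0] == PT_DYNAMIC:
            for off in range(p[2], p[2] + p[5], 16):
                tag, val = struct.unpack_from("<QQ", data, off)
                if tag == DT_NULL:
                    break
                dyn[tag] = val

    def file_offset(vaddr):
        for p in phdrs:
            if p[0] == PT_LOAD and p[3] <= vaddr < p[3] + p[5]:
                return vaddr - p[3] + p[2]
        raise ValueError("address outside every PT_LOAD segment")

    # PIE: ET_DYN plus an interpreter (or DF_1_PIE) tells it apart from a plain library.
    pie = e_type == ET_DYN and (PT_INTERP in seg_types
                                or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_PIE))
    # RELRO: PT_GNU_RELRO alone is "partial"; with eager binding the GOT is covered too.
    bind_now = (DT_BIND_NOW in dyn or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW))
    relro = "none" if PT_GNU_RELRO not in seg_types else "full" if bind_now else "partial"
    # Canary (heuristic): a protected dynamic binary imports __stack_chk_fail.
    canary = False
    if DT_STRTAB in dyn and DT_STRSZ in dyn:
        start = file_offset(dyn[DT_STRTAB])
        canary = b"\0__stack_chk_fail\0" in data[start:start + dyn[DT_STRSZ]]
    return {"pie": pie, "relro": relro, "canary": canary}


def build_sample(pie, relro, bind_now, canary):
    """Constructed header-only ELF64 image for the demo; not a runnable program."""
    base = 0 if pie else 0x400000
    strtab = b"\0puts\0" + (b"__stack_chk_fail\0" if canary else b"")
    entries = [(DT_STRTAB, base + 288), (DT_STRSZ, len(strtab))]
    if bind_now:
        entries.append((DT_FLAGS, DF_BIND_NOW))
    dynamic = b"".join(struct.pack("<QQ", t, v) for t, v in entries + [(DT_NULL, 0)])
    segs = [(PT_LOAD, 0, 320 + len(dynamic)), (PT_INTERP, 288, 1),  # dummy interp
            (PT_DYNAMIC, 320, len(dynamic))]
    if relro:
        segs.append((PT_GNU_RELRO, 320, len(dynamic)))
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 3 if pie else 2,
                       62, 1, base, 64, 0, 0, 64, 56, len(segs), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, off, base + off, base + off,
                                 size, size, 8) for t, off, size in segs)
    return (ehdr + phdrs).ljust(288, b"\0") + strtab.ljust(32, b"\0") + dynamic


if __name__ == "__main__":
    if len(sys.argv) > 1:  # check real files given on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, check_elf(fh.read()))
    else:  # constructed images mirroring result patterns from the list above
        for label, args in [("no PIE, no canary, partial RELRO", (False, True, False, False)),
                            ("PIE, no canary, partial RELRO", (True, True, False, False)),
                            ("PIE, canary, full RELRO", (True, True, True, True))]:
            print(label, "->", check_elf(build_sample(*args)))
```

Paths given as arguments are checked instead of the constructed samples. The usual GCC/ld switches that turn all three on are -fPIE -pie, -fstack-protector-strong and -Wl,-z,relro,-z,now.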


Re: [qubes-users] adding grsecurity to Qubes

2016-06-16 Thread Lorenzo Lamas


On Wednesday, June 15, 2016 at 6:31:23 AM UTC+2, Sandy Harris wrote:
>
> It may not be necessary. There is a kernel hardening project 
> which is bringing some of the grsecurity & PaX stuff into the 
> mainline kernel. 
> http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project 
>

May not be objective coming from the grsecurity dev, but the kernel 
hardening project should be taken with some salt:
https://forums.grsecurity.net/viewtopic.php?f=7=4476

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/46da9686-ccdf-4c5f-bebe-6dd7fca05cc6%40googlegroups.com.


Re: [qubes-users] USB connected to Dom0 during sleep/standby

2016-06-16 Thread Lorenzo Lamas


On Wednesday, June 15, 2016 at 1:54:54 AM UTC+2, Marek Marczykowski-Górecki 
wrote:
>
> On Tue, Jun 14, 2016 at 11:53:34AM -0700, Lorenzo Lamas wrote: 
> > I'm using a USB Qube to protect against malicious devices and noticed that 
> > after I take it out of sleep/standby, I get 2 notifications: USB device 
> > disconnected from USBvm and USB device connected to USBvm. Does that mean 
> > that the USB device has (shortly) been connected to Dom0? 
>
> No. USB controllers are disabled (by driver unloading) for the duration 
> of system suspend. This is why it looks like the devices are 
> disconnected and later connected back. 
>
> -- 
> Best Regards, 
> Marek Marczykowski-Górecki 
> Invisible Things Lab 
> A: Because it messes up the order in which people normally read text. 
> Q: Why is top-posting such a bad thing? 
>
> Great! Thanks.
>

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ddb31881-ad71-4ba3-88da-df0005ebad80%40googlegroups.com.


[qubes-users] Re: adding grsecurity to Qubes

2016-06-14 Thread Lorenzo Lamas
Imho it would still be a good idea because of the PaX protections on user 
applications.
For example it could prevent exploitation of your mail client. The 
infection may not be able to survive AppVM reboot but it could still steal 
information. You can of course limit the damage by compartmentalizing more 
granularly, but that doesn't prevent it in the first place and more AppVMs 
means more resource usage. 

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a8f0ae79-0fe8-4863-a488-39914254755e%40googlegroups.com.