Re: [qubes-users] QSB-078: Linux kernel PV driver issues and LVM misconfiguration
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, Mar 14, 2022 at 06:53:29PM -0400, Demi Marie Obenour wrote: > On Mon, Mar 14, 2022 at 06:12:44PM -0400, Demi Marie Obenour wrote: > > On Sun, Mar 13, 2022 at 08:13:39PM +, 'awokd' via qubes-users wrote: > > > Demi Marie Obenour: > > > > > > > > + # "r|.*|" ] > > > > > > > > > I see how it allows crypt-luks volumes in general, along with nvme, > > > > > sata, > > > > > and raid. What does that last line allow? > > > > > > > > /dev/md.* matches devices provided by the Linux Multiple Device (RAID) > > > > driver. > > > > > > Thanks; I should have specified what does "r|.*|" cover? > > > > It is a generic deny-all. LVM sadly defaults to allow-all. > > Marek, should we patch LVM to add a trailing "r|.*|" if none is present? I don't like changing how config file is interpreted - is rather unfriendly and confusing for those who know what they are doing and change their lvm.conf. The specific filter syntax is describe in the comment just above the this option. The great majority of users do not need to change it (unless we missed some common device? but then we should update the default filter), so the risk of messing it up by novice user is minimal. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmIvyX4ACgkQ24/THMrX 1yxSRQf+IXT1L2UnZCKmlMKljo5U2xIjcErQ6HsvE9KtsdktXQsV2bK/pNJhCxkl rNcTRQVWnB6dZ2rAOMYzBcoDW8JImLTNpK/BCrXyGyBgGWlnQ0QFZSm5QYXgWDkU sV6xyK24x5ubfB1rD1Svbq1vaN/nxT6ajccr/ZYm0zHi2BgB0suwW+x1yzHLyiS/ AGjGAOMxo9/Rc4jcKKZHR0GH2vO6Iu40mAezS4DGZWtIBY2qt0NloxIvcVVw8cEN Yc4gr0XC3uB1cfCs6sfaWbXPVjXCPfoc1Z8bb0zh69xRB1BQsjpc+imzdO+KCddS 64v2+9RsqMIaH79hNbCGBuRjOIJpfw== =m7a2 -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/Yi/Jfo/nVmGTF2OE%40mail-itl.
Re: [qubes-users] Re: Should the footer at the bottom of the mailing list be deleted?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Mar 09, 2022 at 06:19:16PM -0800, Andrew David Wong wrote: > On 3/9/22 1:25 PM, Demi Marie Obenour wrote: > > The footer on each message is rather annoying, mostly because it breaks > > digital signatures. Should it be set to the empty string, or do its > > benefits outweigh the drawbacks? > > As far as I can tell from examining the settings interface, it can't be > entirely removed or entirely replaced with an empty string. Google Groups > will not allow it. And to be honest, I think some kind of automatic footer with basic ML info is a good thing. I am on a few ML that don't have it, and every now and then somebody sends an email _to the list_ asking how to unsubscribe... Having a link to the message in the footer is also convenient sometimes. Google used to put the footer in a separate mime part, which was compatible with signatures, but they changed it. I have no idea what other (non-self-hosted) providers do. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmIpZpwACgkQ24/THMrX 1yxOXAf9H8ouM8sISHAfSXDXu16NeTjsD2B+POCm9MU8YVo+yUgBlvkPieNVDksx sTFkD8RwuJlEDEa67HZrhmLjEvlIyIlEAhYnCFM+0uhp3NoK6VDIuo9oJSlzfPmN 9VAKQ0DmuNp8JR2V2LyW25ofph4tgcTOGJOeK0Su+MfyjdQSgWjt8AHLZibHCcjc EKjAJoKtCkfqEwx1GI96qR2OKDTOIjHQLvGsjIJBxtBrMzz0geXjm2Pz4UsoZu71 p9QiisrNkbt18yaq+uxJQyKVUgR0gQIwE+wnjeA2nVq8jJzHWhbAdDS9yW6IlxUF LseEWJK51doZIfZDNQjdXqK9AIRbKg== =FvVg -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/Yilmnb3QgfIesFZb%40mail-itl.
Re: [qubes-users] 4.1 rc1 'start automatically on boot' saving abnormality
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Nov 05, 2021 at 02:48:37PM +0100, Marek Marczykowski-Górecki wrote: > On Fri, Nov 05, 2021 at 02:19:30AM -0700, code9n wrote: > > Hi, > > > > Qubes manager version: qubes-manager-4.1.19-1.fc32.noarch . > > > > Start qube automatically on boot: > > On a normal default app qube based on a template, either fedora or debian, > > either running or not running. > > Steps: > > 1) Highlight the qube I want to get to open automatically on boot in the > > Qubes manager. > > 2) Click on the 'Qube Settings' cog button and the manager opens to the > > 'Basic' page. > > Ok, this is the crucial step: it indeed happens when qube settings is > opened from within qube manager. When it's opened from the menu > separately, it works fine. Oh, it's even funnier than that. Clicking apply several times will toggle the setting each time! - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmGFShAACgkQ24/THMrX 1yy/wgf/QnYfEnq6ujDBvdCk/Uigp70nZjEpf8y9NUtAsAiZM3X5CIzPdw36mgRy +SU9NX4V6Ov3KK/Kw10QKIhBGGWRsepGoXpeaSXSbYH/55BBXa6QZOjulmwyih1Y mNBK/XWzcZ900XCZF/KKeykuTQR0gGyRZs3TRHxHTlAuEu6Zt7riHUUfgsAsGHBQ KAgCYgHUfn6ADhKuCh8L/v84zUFDl/U4iNmyV1aJ7tN5AWYMbGRBicezTT8jJRa0 1iB66l/QeceA3CXm+gXOsF/87BK8D38DD1VP3sYJOl8l7GSKNzoo9cqSpoAlCdJF lN6sDT7NbZZc/d0jzF5CM8acIEqCDQ== =enzk -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YYVKD9F3ABUYrQrk%40mail-itl.
Re: [qubes-users] 4.1 rc1 'start automatically on boot' saving abnormality
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Nov 05, 2021 at 02:19:30AM -0700, code9n wrote: > Hi, > > Qubes manager version: qubes-manager-4.1.19-1.fc32.noarch . > > Start qube automatically on boot: > On a normal default app qube based on a template, either fedora or debian, > either running or not running. > Steps: > 1) Highlight the qube I want to get to open automatically on boot in the > Qubes manager. > 2) Click on the 'Qube Settings' cog button and the manager opens to the > 'Basic' page. Ok, this is the crucial step: it indeed happens when qube settings is opened from within qube manager. When it's opened from the menu separately, it works fine. I've copied your report to https://github.com/QubesOS/qubes-issues/issues/7039 - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmGFNjYACgkQ24/THMrX 1ywQ7ggAmWCOZsdMcwI8EAXijrR7MkjraI4EVgkZR2S4CepWfLCgFAv8vD8o/fO/ zfEKu9Uv9H81WklhBVFNGzaHsT+jBdcSL4gzOZTmQ3TJbuRaNpGVHjaf6pNvXuxS zrKi6PVZkd20e6XMvZNYc2ntwrNlYykqC722eh1QNakrz6jRt/0peKWFvagskVCZ 63olmc1wdjvYdUOx+j/9ZNE4ufAMJ6Hu5rm3zKp1Hh79Ppst1HDF4FWX4V8Sdjci N7ufZS1757UxbnH9wqji/MBFbICMcWKwgvV+R2W7fVjDQ+Psn/1pPiCYytDJCaRw 9/+B6afD/e2YXwNrA6wo2FrBxAj8Tg== =169t -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YYU2NWT2LRqBsN0x%40mail-itl.
Re: [qubes-users] 4.1 rc1 'start automatically on boot' saving abnormality
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, Nov 04, 2021 at 03:16:22PM -0700, code9n wrote: > Note: Made a Tasket Qubes vpn support networking qube on Qubes 4.1 rc1 > which works efficiently as always but when I check the 'start qube > automatically on boot' box in Qube Settings / manager gui it won't save if > I click on 'apply' first. > But it will save if I just check the box then click directly on 'OK'. Can you provide exact steps you've done? Which buttons and in which order you clicked? I just tried and clicking 'apply' just after selecting 'start qube automatically on boot' does save the setting for me. What qubes-manager package version you have, you can check it with `rpm -q qubes-manager` command. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmGEfuoACgkQ24/THMrX 1yxljQf9EVaX9aJGRaY7KPp8Zl+d4V01MSdoKLM0BsG0I1jiY++yLdBn+SlGCI6p OjklXd0RmhRfTF+wQ/PZ0UTF3UkccClgd8DQ4pIncQYQIfH190ZhRbsp2Fl5qGnZ O7NUZXJk/iH6/MZYu+rV9ydtaQd1yhhDgCI78p5HdrQkAjoOPy0xemEoQks1jHTY 3+UrKuC3qdWiNBNmfxNd88wvppbki9uDW8HRnCHcgYFdaYhYmHhnVpzY5IMTjVqs p+k+uiBnJ22KG2PqI7hgYJQdEThyLJdX3iNJbwscRGFNoxPlIY8qQSOCrnC1GARB M7535Ox00MkLtbTMjuncw9H76hSD8w== =YTsL -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YYR%2B6yRiR303/u2q%40mail-itl.
Re: [qubes-users] 4.1 rc1 UK keyboard reverted to US layout
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, Nov 04, 2021 at 03:10:20PM -0700, code9n wrote: > > Note: I carefully made sure the GB / UK keyboard option was selected > during install but have the US set up on my UK keyboard Lenovo T430. Looks like this issue: https://github.com/QubesOS/qubes-issues/issues/6814 - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmGEfgYACgkQ24/THMrX 1yxdAgf+LBOJK4Sp2hv5FS2zz/8XRN+QktbnvXh4MeOrJ7iGEAC+5i6+wvEjEUN7 IFk+KNtCoknHwwtQXd/9PZwdcx3kO9KfS0BrQ8HNjSK/sh/rM+qC5vRRdU6UyxFK goK7r0W7R9lWJwdxfQ0gzZZa3UlidwVTuG2s9hecpsh7Fdxd1OKx2DzVZU3jPacN S6ea+t5I8MaLnOA6X0OaQBXMLRJNOId9glzAOrKtfsL7nQ8IZ5kzZV2ClJvbMe91 fEaaVVnSwssrYDt95k1/Xb/flclFydRwkZuLMUd90COOAEENxt12qGNVWin9sk3Z RwOAc9zf0P1nGq0tN/qfkOfZZUfpew== =D5Xk -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YYR%2BBolacEhXKDuF%40mail-itl.
Re: [qubes-users] Systemd terminating qubesd during backup?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, Oct 11, 2021 at 11:52:59AM -0400, Steve Coleman wrote: > I seem to have an intermittent problem when my backup scripts are running > late at night. > > My qubesd is apparently being shutdown (sent a sigterm signal) by systemd > during my long running backup sessions which then causes an eof pipe close > exception and qvm-backup then receives a socket exception and immediately > receives a second exception while still handling the first exception, thus > the qvm-backup process gets forcibly terminated mid stream. Just prior to > the qubesd shutdown I can clearly see that systemd had also > shutdown/restarted the qubes memory manager (qubes-qmemman) too. > > Q: What kind of background maintenance processing would actually require > qubesd or the memory manager to be restarted? I guess that's logrorate (but it isn't clear to me why qubesd too, not just qubes-qmemman service...). > Q: Could this processing be put on hold during backups? > > Q: Or, how could I at least know when this maintenance is scheduled to > happen so I could defer my own processing? If that's indeed logrotate, see `systemctl status logrotate.timer` > My scripts can certainly trap this error, erase the incomplete backup file, > then loop and check for qubesd to complete its restart, and then finally > restart my own backup processing, but why should this even be necessary? > > When this happens its almost always during the backup of my largest VM which > can take well over 90 minutes to complete. If I can somehow block/defer > this kind of system maintenance until after my backups are complete that > would be better than having to deal with trapping random restarts. Again, if that's logrotate, you can stop the timer before, and restart it afterwards. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmFl4ocACgkQ24/THMrX 1ywC1gf8ChUCgVxe/SIHnVF8+hoA8/JoKlQTyddVGfjf5qp3a49vMtUbvMJ0hqWH C5Ejz5dF+UxkqEkcXS1/oKlgnBIwal+GYEe1u2VwZyLmB9WV725ukzi8MYCOVKvM amJuLGcD7vT2T6akTxnOLta+ofByJhSWgup7eEnXYfuOQ3hp8fKVWJ451QWbOafV oY1TPJ/ptfl2ynUePyX8R990RnHS6V7LoBShbI5CB4e4g+6ogm9ibVC94nk9d+pD PcIF9c+iC8jhVXMzkoP73KR7WEJ74WmrcefigoffwDLIjXwNPiQqwC4kGmq32rfG 7TVjl9Rv8DpUNfVTtDq+8xjOx3Ck3Q== =6Alm -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YWXih4xG5dAuGaKS%40mail-itl.
Re: [qubes-users] Unable to install templates in Qubes OS 4.1beta
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, Oct 11, 2021 at 09:55:47PM +0200, 799 wrote: > Hello, > > I have setup Qubes 4.1 on my Surface and now I am running into issues > trying to install more templates. > sys-net is set as Dom0 Update VM and I am also able to search for packages > and they get listed correctly. > > [user@dom0 ~]$ sudo qubes-dom0-update --action=search qubes-template- > Using sys-net as UpdateVM to download updates for Dom0; this may take some > time... > > Strangely the output (listed packages) is not shown in dom0 but in the > sys-net in a windows with sh as shell. > The first line says: Converting database from bdb_ro to sqlite backend > Then I get a list of the templates. > > ... but if I try install via: > [user@dom0 ~]$ sudo qubes-dom0-update qubes-template-fedora-33 > > ... I can see that it will download the package but I get: > > Using sys-net as UpdateVM to download updates for Dom0; this may take some > time... > Last metadata expiration check: -1 day, 21:47:12 ago on Mon 11 Oct 2021 > 05:49:33 PM CEST. > No match for argument: qubes-template-fedora-33 > Error: Unable to find a match: qubes-template-fedora-33 Regardless of the issue above, I recommend using new qvm-template tool instead. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmFl3CgACgkQ24/THMrX 1yzoOwf/VMeKND3Uv7xKjnew6hb3kJYpKtUfSNH/u4v8fHC8OL6cjQfygvgqwySn +h5mo3VSJLpF9dTkbIUJH9APa3/3hJg1AFgyoRNjrE7ixtpe2veuKl25pQFQmWNV PAkSsJGKXwpOHUJ7iIIfaqbebyjr+jgo2sGj4abu/MKZUse4Ll8ol4emiirvVGVQ KU+Ko1OAVGIGXlr3Q2NDedpwXZ19frF03SJ2on9hYmABPnlEHg4+7E9yn3LT07Ph htxfYMD8n16dhnrKI6j2rbaXBsBGRx/mkaQXeLuxJbsFTZMnUORv69ySUAvbLWNt TYjcwy3H5EegtmnZoIiYz3NyLA8+5w== =FFC/ -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YWXcKBWlNqt6bcYi%40mail-itl.
[qubes-users] QSB-071: Fatal options filtering flaw in Split GPG
Dear Qubes Community, We have just published Qubes Security Bulletin (QSB) 071: Fatal options filtering flaw in Split GPG. The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack). View QSB-071 in the qubes-secpack: https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-071-2021.txt Learn about the qubes-secpack, including how to obtain, verify, and read it: https://www.qubes-os.org/security/pack/ View all past QSBs: https://www.qubes-os.org/security/bulletins/ ``` ---===[ Qubes Security Bulletin 071 ]===--- 2021-09-09 Fatal options filtering flaw in Split GPG User action required - Users must install the following specific packages in order to address the issues discussed in this bulletin: For Qubes 4.0, in templates and standalones: - qubes-gpg-split 2.0.53 For Qubes 4.1, in templates and standalones: - qubes-gpg-split 2.0.53 Due to the ease with which this flaw can be exploited, we are immediately migrating these packages to the current (stable) repository, bypassing the usual testing period. These packages are to be installed via the Qubes Update tool or its command-line equivalents. [1] Summary Split GPG [2] is designed to isolate private keys from the application using them in order to protect them from being extracted and to allow the user to retain control over when they are used. This isolation is implemented by forwarding calls to `gpg` into a backend qube that holds the private keys and allowing only specific `gpg` options. This option filtering mechanism rejects options like `--export-secret-keys` and others that might leak private keys to the frontend qube. Unfortunately, several options were declared incorrectly, which allowed this filtering mechanism to be bypassed. Impact --- An attacker controlling a frontend qube (where `qubes-gpg-client` is executed) can extract an arbitrary file (including a secret key) from the backend qube. Discussion --- Several `gpg` options were declared incorrectly in Split GPG, which resulted in Split GPG interpreting them differently than `gpg`. If Split GPG interpreted one option as an argument to another option, Split GPG would allow it, since option filtering is performed at the level of the options themselves, not their arguments. This would allow options misinterpreted as arguments to bypass the filtering mechanism. Specifically: - All `--s2k-*` options were declared as not taking arguments when in fact they do take arguments. - `--export-ssh-key` was declared as taking an argument when it doesn't take one directly; it does change the meanings of positional arguments, however. - `--with-colons` was aliased with `-k`, which differs in its argument requirements. - `--default-recipient`, which takes an argument, was interpreted as `--default-recipient-self`, which does not take an argument. - `--display` was interpreted as `--display-charset`, which resulted in `--display` being allowed when it should have been denied. For our immediate, initial response, we have corrected all of these inconsistencies and added automated testing to verify that GnuPG and Split GPG both understand the options in the same way. More generally, we will prioritize finishing Split GPG 2 [3], which does not rely on option filtering at all. Instead, it uses `gpg-agent`'s protocol to delegate only secret key processing to the backend qube. In addition to obviating the need for fragile option filtering, this dramatically reduces the attack surface, as most of the untrusted data processing is done in the frontend qube and never reaches the backend qube. Credits This issue was discovered by Demi Marie Obenour. References --- [1] https://www.qubes-os.org/doc/updating-qubes-os/ [2] https://www.qubes-os.org/doc/split-gpg/ [3] https://github.com/QubesOS/qubes-issues/issues/474 -- The Qubes Security Team https://www.qubes-os.org/security/ ``` This announcement is also available on the Qubes website: https://www.qubes-os.org/news/2021/09/09/qsb-071/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YTqHZEE4pC0MGCr1%40mail-itl. signature.asc Description: PGP signature
Re: [EXT] Re: [qubes-users] resume from suspend issue after QSB-070
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 > >>> Marek Marczykowski-Górecki 31.08.2021, 02:52 >>> > On Mon, Aug 30, 2021 at 05:39:40PM -0700, Andrew David Wong wrote: > > On 8/30/21 2:12 PM, haaber wrote: > > > > > > > > Kind of answering my own question, but disabling hyperthreading > > > > > happened to > > > > > be a workaround for the resume from suspend issue. > > > > > > > > But shouldn't hyperthreading have already been disabled ever since > > > > QSB-043? > > > > > > > > https://www.qubes-os.org/news/2018/09/02/qsb-43/ > > > > > > > I admit that I missed that one as well. Shame on me. Is there some way > > > to detect active hyperthreading on boot && print out a big red warning ? > > > > > > That seems a reasonable measure, especially for new-comers how cannot > > > reasonably be asked to read all old QSB's first :) > > > > > > > I'm confused. I was under the impression that Qubes OS (after the QSB-043 > > patches) automatically disables hyper-threading for you such that you don't > > have to know anything, do anything, or read any past QSBs. > > > > As QSB-043 explains, you would have had to follow special instructions to > > re-enable hyper-threading in Qubes 3.2, and no such instructions were > > provided for re-enabling it in Qubes 4.0 (since, as the QSB explains, it's > > never safe in that release), so I don't even know how'd you do it in that > > release. > > > > But perhaps I'm mistaken or misunderstanding the question. > > There are (at least) two ways to disable hyper-threading: > 1. In system BIOS (if there is such option) > 2. In software - by disabling every second thread of each core. > > The QSB-043 uses the second method. It has is drawbacks, as the logic to > bring up and down CPUs is quite complex. And yes, there are known > issues[1] affecting suspend. Disabling hyper-threading in BIOS, prevents > Xen from starting those secondary threads at all, and so it doesn't need > to bring them down. > > [1] https://github.com/QubesOS/qubes-issues/issues/6066#issuecomment-901843312 On Fri, Sep 03, 2021 at 10:28:35PM +0200, Ulrich Windl wrote: > Hi! > > > Can't it be disabled via kernel (grub) command line, too? This is exactly "the second method" above. > Also rumours say you can even disable it at runtime (and the threads will be > migrated to other threads before). > Occasionally some tools seem to have problems with HT being disabled (like > "expecting 8 CPUS, but only found 4"). This is kind of similar issue as the one discussed here. That's why it's better to disable HT in BIOS - to not show those 8 CPUs at all. But from the OS level, we don't have other choice, and we prefer a secure default - that's why we disable HT at Xen level, to provide safer option regardless of what user has set in the BIOS. PS Please don't top-post. And keep the mailing list in CC. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmEylm0ACgkQ24/THMrX 1yxCnwf/UrrViQb+pAT0Ujn5Z3sHVCdUTeYJDXzXBReCEnMfpnIT1OGOyFTNKuoX 2tAFL0WOuXr08GlDbH1UnAebqXjG35wnUPMQYQIerbMgysVi3XcEYk2CaJQwfnnP iMTI5WTe+FFpVgid8JRa8bT38kljELddxufpx7WzvWYfMauab5s+GdB3CeStjP/t cq58mv8d3wGjdRIlHHA8ZX6UXB4REKj+JB9/156H6GiRCeeq5x3bzd9nBOkRAxoX r6yFVwpf3B1mNrtSaz24QRvz5ZUnMFoIB5XSig6xMFghBE+9BvUfcUbhcLWrMlBS 8+UsV/fczd9++e/Atzb6f+S8+e2GyA== =ecZD -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YTKWbX6sqpr8mVCc%40mail-itl.
Re: [qubes-users] resume from suspend issue after QSB-070
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, Aug 30, 2021 at 05:39:40PM -0700, Andrew David Wong wrote: > On 8/30/21 2:12 PM, haaber wrote: > > > > > > Kind of answering my own question, but disabling hyperthreading > > > > happened to > > > > be a workaround for the resume from suspend issue. > > > > > > But shouldn't hyperthreading have already been disabled ever since > > > QSB-043? > > > > > > https://www.qubes-os.org/news/2018/09/02/qsb-43/ > > > > > I admit that I missed that one as well. Shame on me. Is there some way > > to detect active hyperthreading on boot && print out a big red warning ? > > > > That seems a reasonable measure, especially for new-comers how cannot > > reasonably be asked to read all old QSB's first :) > > > > I'm confused. I was under the impression that Qubes OS (after the QSB-043 > patches) automatically disables hyper-threading for you such that you don't > have to know anything, do anything, or read any past QSBs. > > As QSB-043 explains, you would have had to follow special instructions to > re-enable hyper-threading in Qubes 3.2, and no such instructions were > provided for re-enabling it in Qubes 4.0 (since, as the QSB explains, it's > never safe in that release), so I don't even know how'd you do it in that > release. > > But perhaps I'm mistaken or misunderstanding the question. There are (at least) two ways to disable hyper-threading: 1. In system BIOS (if there is such option) 2. In software - by disabling every second thread of each core. The QSB-043 uses the second method. It has is drawbacks, as the logic to bring up and down CPUs is quite complex. And yes, there are known issues[1] affecting suspend. Disabling hyper-threading in BIOS, prevents Xen from starting those secondary threads at all, and so it doesn't need to bring them down. [1] https://github.com/QubesOS/qubes-issues/issues/6066#issuecomment-901843312 - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmEtfVgACgkQ24/THMrX 1yxJVgf8DMIUPdVfDjhTP6Lc/NEwIV+Fmgr0PZCa8zKQRVmKDosKH1zB2f5+fbl0 fJPygQBjx4YWu8J4p8a2kLb9T9QGRJuSFUZ1xtH0/wb5S9nZHsEEJSsFvD1NjOFN I5ynF1U+qaVbalztFSESJgRkTvTfgJLcCBT2GUvDsm6xqHEdK1BtaS0Mxogx00mQ 8xGHAUpUoC37FgLz2dSitgjmg6PzJJNiWQ14bDlKwydHy3ug9Z+fln0K9C3Pqv1s GzPs9LwM3OsNRZcKYwMNB3QGshJYIxFZMPn9s+dI9cy+DRQ6LWpGSgSdq3HLspYY MwMnD/wFxQCbNjp7c83uI7VD0wW50w== =lfCs -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YS19WGKe0oTDpKhE%40mail-itl.
[qubes-users] Re: [qubes-devel] Introducing: Qubes Video Companion v1.0
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Apr 21, 2021 at 05:41:56AM +, 'Elliot Killick' via qubes-devel wrote: > Hello, everyone! Hi! > Starting this past early September, I've been working on and off to > create a new tool for secure webcam integration in Qubes OS out of > /absolute necessity/ for remote work at both my (new) job and school at > the university I'm newly attending. The tool is called Qubes Video > Companion and I'm proud to announce that it's evolved far past that > basic requirement and at version 1.0.4 is now publicly available for > testing! This looks awesome! (...) > 2. Do video conferencing in any qube with qrexec+usbip (with a sys-usb > qube; can't be done from dom0) > > Even disregarding my personal hardware issues above, qrexec+usbip is a > mess to get working and does poor on performance according to this > GitHub issue: https://github.com/QubesOS/qubes-issues/issues/4035. > Although, I've never been able to test it out myself. Additionally, the > security concerns of using TCP/IP and USBIP between qubes is there. A small clarification: qvm-usb does not use TCP/IP. It is running USBIP protocol over qrexec instead of TCP (apparently kernel driver doesn't care ¯\_(ツ)_/¯ ). Otherwise it is all correct. (...) > Repo can be found here: > > https://github.com/elliotkillick/qubes-video-companion > > I spent a lot of time trying to make this a "just works" (and well) > experience (discounting just a couple of hiccups in the FAQ of the > README and GitHub Issues) as I would've wanted back in September (or > earlier) so please star the repo if my project achieves that for you. > Otherwise, create an issue and I'll try to diagnose and fix the problem > you're having as soon as I have a moment. I've read the README there and it all looks really well thought and made! As you noted in the issue #2, integrating it into devices widget would be awesome too. In fact, qvm-usb has quite similar architecture to Qubes Video Companion - there is qubes.USB qrexec service that is called from usb-device-wanting qube, to sys-usb. To facilitate it from dom0 level, there are two extra services: qubes.USBAttach and qubes.USBDetach. You can find it here: https://github.com/QubesOS/qubes-app-linux-usb-proxy/tree/master/qubes-rpc Plus a dom0 part to plug it as a "device": https://github.com/QubesOS/qubes-app-linux-usb-proxy/blob/master/qubesusbproxy/core3ext.py It's a bit clumsy design (make a dom0->qube1 connection, to trigger qube1->sys-usb connection), but it works, reliably. This will work for a camera. For screen share, not really - you have too many options (N x N matrix, instead of 1 x N). But maybe that isn't a problem (to have GUI for camera only)? > As for contribution to the Qubes Community Repo (if that is to be > desired) I first want to fix the issue with Firefox (see the GitHub > issue) because Mozilla has been a great supporter of Qubes with the big > grant they gave so it's the least we could do as well as to not put > Firefox at a disadvantage. Yes, having this in community repo would be fantastic! In fact, I'd even consider adding it into the main repo and have it installed by default! But for that, we need more testers, proper review etc first. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmCAZHMACgkQ24/THMrX 1yxM/wf/ZS/2NOegExrqhio9kI+HuZYL2dE2dPNWwRivObWeCZJawrX2P93u2Lws /h2xhgZTr7ge8nQYGCzsMXxvOnDfEEmdolC6PL1JTphAaI5o2mdb0ZNu+B4Pjnb9 KJtWaZ0PXBzG6xvVproaIqRnz4Zaq+IKWw77WXxCYMHdoa0/U/eOB2S1JFEOgPMI 5Qu5Xu94XwfxRqlIlz28/YTvhIiAgybH7fK0T4kJ834Zt3VOZTtABtRpYHtiJnnQ vzL4wCpF/bvnr3nbOoMnS3ahDDSXdG5fYHAneqCit5VSD7PLGnSUiKLI8kRoAaj6 LGH43kRRGHLcxBgCYfknMsoXrhlL+w== =fBCr -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YIBkc3KsSGMwGE99%40mail-itl.
Re: [qubes-users] Re: QSB-067: Multiple RPM vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Mar 19, 2021 at 03:42:23PM -0700, Andrew David Wong wrote: > On 3/19/21 3:12 PM, Vít Šesták wrote: > > It seems to have been fixed now. The dom0 updates have passed. The DomU > > Fedora updates have succeeded with updating the macros.qubes file, which is > > supposingly the workaround by Qubes team. > > > > Regards, > > Vít Šesták 'v6ak' > > > > I now realize that we neglected to state, in the QSB, what the desired > result from updating Fedora-based TemplateVMs and StandaloneVMs should be. I > presume this is it: > > -- > ID: /usr/lib/rpm/macros.d/macros.qubes > Function: file.managed > Result: True >Comment: File /usr/lib/rpm/macros.d/macros.qubes updated >Started: > Duration: >Changes: > -- > diff: > New file > -- > ID: dnf-makecache > Function: cmd.script > Result: True >Comment: DNF cache successfully created >Started: > Duration: >Changes: > -- > > Marek or Demi, can you confirm? Yes this seems right (in subsequent runs, the /usr/lib/rpm/macros.d/macros.qubes state will not have "New file" comment, but will still have "Result: True"). Below you should also see a summary with "Failed: 0". - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmBVNVIACgkQ24/THMrX 1yzSRAf+MghA3DpM18Rqikkcc3Qg9+ZEZsvXNr4cc+ZYVFLUWfdSQyVzNzMUcmPl Y5Y6TGAjbTIJ0ni87FPMws+TeIa3SuYWwhzMk0c1NQhajOznQ9/k6HaLb3M/fpLn mJB9KKgOtZntt3FsvysYfDPHiZ5udQVlXdD3pabOlpfZaO1+VUdwZoDlmVUdAGxa 6PZX/edN3ENuoc6FA50PNqswHZ0eSnLuh/Dyx9DcRcz/8lDn/Zs3q6u/D2WJojn0 gIs9U1ZH2u/y7jh1nbYpYpWrrLe9+gVHe7KyPg7YiggFxfz+sQMFFLlj4xA+sd4N M5u12yktJEblUoHinSIFBHSXoqQR1Q== =CvtC -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YFU1UsLe0C8xMuxF%40mail-itl.
Re: [qubes-users] Re: Qubes OS 4.0.4 has been released!
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Mar 05, 2021 at 09:12:07AM +0100, haaber wrote: > Dear Andrew > > thank you. My system (based on q4.0) is up-to-date. However I need to > test the > > kernel-latest-5.10.16-1.3.fc32.qubes.x86_64.rpm > > compile that marmarek put only in r4.1 repos. Could you push it please > into r4.0 as well or are they incompatible ?? That very package was built for r4.1 only (they are not directly compatible, I'd need to built r4.0 version separately). But in the meatime there is kernel-latest-5.11.4 for both 4.0 and 4.1, that includes the same fix. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmBKNdAACgkQ24/THMrX 1ywbjgf+M70MVByRydvWSSHpfe3+pCFXhj0JefiL8m2k/SwrgHxQRPG4UvOjT1TJ FUrrPMGIDnsbkvFEphSkucLw0Jqfb9lhepd6PUNwD6l8Oq+iXZUoVhGb3IvEP52Q YqnmO0xDoqhCmqALUimhArq42w0zMqzBIIr+E84fdp5efUHkQo8pmBLcRtAOJDQa GHBr1nHkvC5nMLTFF6Yuha1U0MrW7giAOd055KvNacE2IgNTx3NVJ/CFloy5P7KN GePuAbWRPQiW9QT1zFDkwuI/mw5RTHizsE9y34ppz4raHC0D8gnzwJd1E+3iTaeq 9h3N3hNHvfBlLNIvZ5t+KA2OGXxuAQ== =Jybj -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/YEo10PHmLLevmsvg%40mail-itl.
[qubes-users] Re: Help me test fixes for Intel IGD graphical artifacts on Qubes R4.0
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On Sat, Jan 16, 2021 at 01:49:25AM +, Jinoh Kang wrote:
> On 1/15/21 8:06 PM, Marek Marczykowski-Górecki wrote:
> > On Fri, Jan 15, 2021 at 05:29:43PM +, Jinoh Kang wrote:
> >> Is qubes-xorg-x11-drv-intel an option? Upstream hasn't released for years
> >> after all...
> >
> > Something like this. In fact the current (Fedora) package is already
> > built from git snapshot.
>
> Here's the catch: Fedora hasn't been bumping gitdate for almost a year,
> as seen in Pagure [1].
>
> > We do backport this package from newer Fedora already:
> > https://github.com/QubesOS/qubes-linux-dom0-updates
>
> That one from Fedora 28 is a bit behind, too.
>
> >
> > But I would prefer to get it upstream anyway (and then possibly build
> > xorg-x11-drv-intel from newer git snapshot).
>
> Something like this? (haven't built it yet, will fix later)
I guess, yes.
> diff --git a/src/sna/kgem.c b/src/sna/kgem.c
> index 6a35067c..8a7af809 100644
> --- a/src/sna/kgem.c
> +++ b/src/sna/kgem.c
> @@ -7023,6 +7023,8 @@ struct kgem_bo *kgem_create_map(struct kgem *kgem,
> struct kgem_bo *bo;
> uintptr_t first_page, last_page;
> uint32_t handle;
> + struct drm_i915_gem_set_domain set_domain;
> + bool move_to_gtt = false;
>
> assert(MAP(ptr) == ptr);
>
> @@ -7043,20 +7045,10 @@ struct kgem_bo *kgem_create_map(struct kgem *kgem,
>read_only);
> if (handle == 0) {
> if (read_only && kgem->has_wc_mmap) {
> - struct drm_i915_gem_set_domain set_domain;
> -
> handle = gem_userptr(kgem->fd,
>(void *)first_page,
> last_page-first_page,
>false);
> -
> - VG_CLEAR(set_domain);
> - set_domain.handle = handle;
> - set_domain.read_domains = I915_GEM_DOMAIN_GTT;
> - set_domain.write_domain = 0;
> - if (do_ioctl(kgem->fd, DRM_IOCTL_I915_GEM_SET_DOMAIN,
> _domain)) {
> - gem_close(kgem->fd, handle);
> - handle = 0;
> - }
> + move_to_gtt = true;
> }
> if (handle == 0) {
> DBG(("%s: import failed, errno=%d\n", __FUNCTION__,
> errno));
> @@ -7064,6 +7056,21 @@ struct kgem_bo *kgem_create_map(struct kgem *kgem,
> }
> }
>
> + VG_CLEAR(set_domain);
> + set_domain.handle = handle;
> + if (move_to_gtt) {
> + set_domain.read_domains = I915_GEM_DOMAIN_GTT;
> + set_domain.write_domain = 0;
> + } else {
> + set_domain.read_domains = I915_GEM_DOMAIN_CPU;
> + set_domain.write_domain = I915_GEM_DOMAIN_CPU;
> + }
> + if (do_ioctl(kgem->fd, DRM_IOCTL_I915_GEM_SET_DOMAIN, _domain)) {
> + gem_close(kgem->fd, handle);
> + DBG(("%s: set_domain in import failed, errno=%d\n",
> __FUNCTION__, errno));
> + return NULL;
> + }
> +
> bo = __kgem_bo_alloc(handle, (last_page - first_page) / PAGE_SIZE);
> if (bo == NULL) {
> gem_close(kgem->fd, handle);
>
> ---
>
> [1]
> https://src.fedoraproject.org/rpms/xorg-x11-drv-intel/blob/master/f/xorg-x11-drv-intel.spec#_3
>
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmACRyEACgkQ24/THMrX
1ywP6wgAlKaJitGmJHIgzkCpdGqEh3XjoqS2QOyIvsnzkn98v9E/cWrIrCMgrYAC
U2IIYx4e9vrqAW1JwyNLii7ws5/+yI1Y2H7r7In237hedWQ7rCWJRs0UYsAGrtJx
p/rNlxDhDBDWc2IWyZHE21bdEb1eKhl2W3EUzxsUGJ7ZxVDX8J8EgKS3PvZGLdC2
JdT2rcsy9ZWZ8YEmwm7k9GxHmuFMbAXJzgIVv3NxVWBQ4IJeNOfJrHrW1RFUMoyC
BtdkHNUzBtsMLNlGczRMMPE3LdL6n9E8KnXX6RqXgudsDibdm8ixAagas5E6Cvxq
zPgbcftI5MvpDHYdb4QZsCF6kFVxbQ==
=R/oj
-END PGP SIGNATURE-
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20210116015337.GE4914%40mail-itl.
[qubes-users] Re: Help me test fixes for Intel IGD graphical artifacts on Qubes R4.0
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Jan 15, 2021 at 05:29:43PM +, Jinoh Kang wrote: > Is qubes-xorg-x11-drv-intel an option? Upstream hasn't released for years > after all... Something like this. In fact the current (Fedora) package is already built from git snapshot. We do backport this package from newer Fedora already: https://github.com/QubesOS/qubes-linux-dom0-updates But I would prefer to get it upstream anyway (and then possibly build xorg-x11-drv-intel from newer git snapshot). - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmAB9dQACgkQ24/THMrX 1yxNRgf7B2nc2Qomgnqi2/lwiUmv0Mqx7e54cl2zQNtQl57TsVuDu+mWEbef15Ry gtSBg9c8uXuDq8acbGTP5sqRAJmKlCtWyDdGf5jiZEWATCpZXcVyao/9b8pkuDkY PZSaTEQU+GekWzSrbuoxHJj4HlrPGRxR4CrGGtaqCyqTzJ3V8rV39jbhG5+hxpdF HBS0XBxZUHd1Lzxl0l/qbXkyiMSTJvuJ0a6Hl7rvPCbmNbaIAhXru4zM6ZCVTxC9 W00+hUyirnqz0lfXEhBUD2w42rwfO6Hs67yn8Te2/u9QnE9XxFKSVaRVZqfH6EUw zrh+5BaGaAt4TeyiPxb9FdBdo8/wqQ== =iNFz -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20210115200644.GC4914%40mail-itl.
[qubes-users] Re: Help me test fixes for Intel IGD graphical artifacts on Qubes R4.0
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Jan 13, 2021 at 01:21:51PM +, Jinoh Kang wrote: > On 1/11/21 11:03 PM, Marek Marczykowski-Górecki wrote: > > So, I can confirm the (fixed) 5.10 patch also improves the situation. > > Sounds good. Thanks for testing! > > > Have you sent it upstream? > > No, qubes-users and qubes-devel are the only mailing list where I > posted this. > > I guess chances of these patches being merged upstream would not be > that great. If that bug indeed affects only Qubes OS, there is a greater chance to accept the patch, if the option defaults to false. > After all, we're not going to need it with Qubes R4.1. Are you sure? The issue affects dom0 windows, which suggests it still may be necessary. On the other hand, your patch description suggests it's just any VM-mapped window triggers the faulty path in the xf86-video-intel driver, that later affects all of the output. > > I do consider including it in our standard > > kernel package, but I'd like to see i915 driver maintainer opinion > > first. > > If you mean you'd prefer to have it upstreamed, I'd appreciate some > Tested-by: and/or Reviewed-by: lines for the trailer from you. Can you send a fixed patch (that builds), rebased on top of recent Linux (5.11-rc3, or recent 5.10)? I'll re-test and add my Tested-by:. > I'm fine as well if you'd rather just submit it yourself. > > Otherwise I suppose I shall only CC' the maintainers and not the list? Generally, Linux patches should be sent to whoever MAINTAINERS file lists, which do include some mailing lists. I highly recommend using scripts/get_maintainer.pl script for that purpose (if you use git send-email, that's as easy as --cc-cmd=scripts/get_maintainer.pl). PS The other (independent) issue I mentioned seems to be https://bugzilla.suse.com/show_bug.cgi?id=1180543, which is supposed to be already fixed in >=5.10.6. I've already uploaded 5.10.7, but haven't tested it on this particular machine yet. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl//EOMACgkQ24/THMrX 1yxXWgf8DkpeBlpx3kQgXn+FFPsQGpLLkX9O3arm4WEcU71y02J0wmOml8XUj1oZ 4y3p6Wmk1KT8nC74SgG4igkCqcb7ay1m1L0D8AjrY8o4CaaJmErnd0kxYXJMfrnN T2js+Hlh/kax0y7iphCCpX1IGH1QSPHThDKuMs/40blvKMIDLmymkq8BtoduVEwQ nZzquV2vRZSFYgl79xWtnxr0QF8yzisIwbYgeEgl256G+ivtmhqLlej6eCUZe6FH U6j7UwalfXTjWVTnUdtuvmt2rgsV8jZ69eUBJuqqBPfkt3XqMGxNKkAd0hFTBGoZ f9XtU34qHMwk1vxZCddjsJYi/EPERg== =teyW -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20210113152523.GA4914%40mail-itl.
[qubes-users] Re: Help me test fixes for Intel IGD graphical artifacts on Qubes R4.0
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, Dec 24, 2020 at 02:21:22AM +, Jinoh Kang wrote: > When using some Intel integrated graphic cards on Qubes R4.0, screen > glitches may manifest after switching VTs or entering suspend mode. > > A known workaround does exist for this bug, which is to add a > configuration file with the following contents within > /etc/X11/xorg.conf.d: > > > Section "Device" > > Identifier "Intel Graphics" > > Driver "modesetting" > > Option "AccelMethod" "glamor" > > Option "DRI" "3" > > EndSection > > However, the X11 modesetting driver version in Fedora 25 has its own > drawbacks: > > * It freezes briefly when re-configuring monitors (e.g. plugging in an > external monitor or changing screen resolution) > * XRandR keystone support is buggy > > To remediate this, I've patched the Linux i915 driver and it has been > working fine for months. Only the patch for Linux 4.19 has been tested. > > If anyone is affected by the issue, please feel free to test the > follow-up patches and give some feedback here. So, I can confirm the (fixed) 5.10 patch also improves the situation. Have you sent it upstream? I do consider including it in our standard kernel package, but I'd like to see i915 driver maintainer opinion first. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl/82ScACgkQ24/THMrX 1yz/XQf9GbeTq3KJpoO/smK7tLJ+EE8Q61G+nejAm5d7VZ+IBofLjWxds2cEn4kJ xjEpjXxiqTL40cBRa1NkXoLLW7Dcesb/G/7MW+73qYm2DjVYyDQFAQOmnJDXT30L Vdai3tXb1miTQ6gAme/Zaffe6RLsLzp1Qrq1ieEpQIjJk+tBSWRVTKyNKQAZDkt3 siznMtbre3te7XybIbShUpgXoiwCqpnjZwEmMJg93nFAre5K6XukIksZg+w3Nt1T /INdhTR6DebTGLtn+pkV9PTGFDRLL+bmWQGallNI2tQnttWogolH9BfEKhkZq+Ja KUIDySAOIjDhj1UfaGM6m73oIcRc9A== =TSr5 -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20210111230303.GA1633%40mail-itl.
[qubes-users] Re: [PATCH v5.10] drm/i915/userptr: detect un-GUP-able pages early
const char *name, >const char *type, > diff --git a/drivers/gpu/drm/i915/i915_params.h > b/drivers/gpu/drm/i915/i915_params.h > index 330c03e2b4f7..1169a610a73c 100644 > --- a/drivers/gpu/drm/i915/i915_params.h > +++ b/drivers/gpu/drm/i915/i915_params.h > @@ -79,6 +79,7 @@ struct drm_printer; > param(bool, disable_display, false, 0400) \ > param(bool, verbose_state_checks, true, 0) \ > param(bool, nuclear_pageflip, false, 0400) \ > + param(bool, gem_userptr_prefault, true) \ param(bool, gem_userptr_prefault, true, 0600) > param(bool, enable_dp_mst, true, 0600) \ > param(bool, enable_gvt, false, 0400) > - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl/7fkwACgkQ24/THMrX 1yyJ+Qf+Kp1NqR/RruBKW3pKbNEZy2Y92viOcKkMcOq96fjLEn/boRevpQHjBpjQ bdBa5wZasgk0aHV6UTGB1GrLMQupbupMcI2kffmJnvo0/uleRdad1QgPqlcWhO+x Y0CtPioefWLEwBNITIJGr1emtyM/pO7NpVkFJt3jjei7DfG/jFEkmD36oKb/ea+P GVmug75CpJKPpmYZT39RzqfoI6ZwCq7Lq70I+/kjQBNiyo2N5/xTKiBkt7NDkQas lmrtBXAQRn0UGps7SU2tfsdkU/vYJWohNGK7NzLTSN4jyBsH8CBTyJ0x6DxTvYox W9BPiiLAjBSYJ6jeZ4x8Ly89s0rw8Q== =EF0b -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20210110222307.GA1176%40mail-itl.
Re: [qubes-users] Re: Please help test kernel 5.4 in anticipation of Qubes 4.0.4-rc2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sat, Nov 28, 2020 at 01:21:04PM +0100, donoban wrote: > On 11/28/20 1:04 PM, donoban wrote: > > Hi, > > > > I have some problems after just booting. There is an error at dom0 and a > > some VM's fail to start (others run fine). > > The VMs which failed were running PV mode, switching to PVH fixed them. This seems to be: https://github.com/QubesOS/qubes-issues/issues/6052 So, it is related to the Linux kernel version, not really Xen version. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl/C0moACgkQ24/THMrX 1yxVwwgAiB+d90EwEnnMi6t8qXDJUC2kK2sZkN3ywHMQN2PHoPQ9H4BNGwXFWiK+ piTZqFMEdnQGfE4OeACjcSza5OFeFKhtXRLELZNlQ36uj9D9AaVXdRaxlynQ2ZqS AfQ4tnZyOGpnBZR+V1zqe+rYXhwck5FzGagUFesrFwtqz2+brr2gplaYT9aPn3SY FmE31jV6+WzdB+w+Eb6AcnhhpgrlRkZqUh+11mKfUIrAsCxjFc0j/fezZdpzu0UI wxJ3LRAfgNr+WEFsIA5VvhxrGeXwRe4iFj5v+TGoROnK+8th2rnQ6VzkRjryTWks RP7IWzY3nRMX7XygCHtzL3D6r0V01w== =Jl2W -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20201128224249.GD17443%40mail-itl.
Re: [qubes-users] Re: Please help test kernel 5.4 in anticipation of Qubes 4.0.4-rc2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Nov 27, 2020 at 11:41:12PM +0100, Ludovic Bellier wrote: > Le 27/11/2020 à 15:58, Andrew David Wong a écrit : > > The package is already available in current-testing. [3] > > > > [3] https://www.qubes-os.org/doc/testing/ > > > Hi, > > I tried to install, but I think it doesn't install because I already > installed kernel-latest (I need it for my ethernet card): > > [xxx@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing > kernel Try adding `--action=update` option. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl/C0fUACgkQ24/THMrX 1yxDvwf+MyGHHMT1EGHrKpaA6WoGetX+/2ytRCYWWuleEuWWIHGVQHYAXDhyMLZq RcXO31A/mwurMbchb3dUz1Vw4f2cWw4m4tlL7wCIRyoVSXS3QzYh5g9ynO/bIvWu 6I8sec+xtsxrOLkYHSqrhvkekkmQ9zNoCCoqNzatZO3FGYwstZ4SV/B0VWXSrqmk z+79r5hN+yfD3fmYkNr8UJbkomERRYICJSGxx4UXaJqz+aomUJcWL72YWugrUj19 cnVc0cy09rt7iqft0RI0m557nMNkaRARi+awwtjnYOTNG+cuf7k6mtjKLSl7hOEz 7ErO0SqwX+pRtdwwPAMvGo/4IQC/PA== =sEaN -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20201128224052.GC17443%40mail-itl.
[qubes-users] QSB #61 Information leak via power sidechannel (XSA-351)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Dear Qubes Community, We have just published Qubes Security Bulletin (QSB) #61: Information leak via power sidechannel (XSA-351). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack). View QSB #61 in the qubes-secpack: https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-061-2020.txt Learn about the qubes-secpack, including how to obtain, verify, and read it: https://www.qubes-os.org/security/pack/ View all past QSBs: https://www.qubes-os.org/security/bulletins/ View XSA-351 in the XSA Tracker: https://www.qubes-os.org/security/xsa/#351 ``` ---===[ Qubes Security Bulletin #61 ]===--- 2020-11-10 Information leak via power sidechannel (XSA-351) Summary On 2020-11-10, the Xen Security Team published Xen Security Advisory 351 (XSA-351) [1] with the following description: | Researchers have demonstrated using software power/energy monitoring | interfaces to create covert channels, and infer the operations/data used | by other contexts within the system. | | Access to these interfaces should be restricted to privileged software, | but it was found that Xen doesn't restrict access suitably, and the | interfaces are accessible to all guests. | | For more information, see: | https://platypusattack.com | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html | | An unprivileged guest administrator can sample platform power/energy | data. This may be used to infer the operations/data used by other | contexts within the system. | | The research demonstrates using this sidechannel to leak the AES keys | used elsewhere in the system. Patching = The specific packages that resolve the problems discussed in this bulletin are as follows: For Qubes 4.0: - Xen packages, version 4.8.5-26 For Qubes 4.1: - Xen packages, version 4.14.0-7 The packages are to be installed in dom0 via the Qube Manager or via the qubes-dom0-update command as follows: For updates from the stable repository (not immediately available): $ sudo qubes-dom0-update For updates from the security-testing repository: $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing A system restart will be required afterwards. These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community. If you use Anti Evil Maid, you will need to reseal your secret passphrase to new PCR values, as PCR18+19 will change due to the new Xen binaries. Credits See the original Xen Security Advisory. References === [1] https://xenbits.xen.org/xsa/advisory-351.html - -- The Qubes Security Team https://www.qubes-os.org/security/ ``` -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl+srmoACgkQ24/THMrX 1yyq8Af/fUy3neIkRJ1JDWX+7y9/o/a/oHOjGZA4ETH+Bu5JnalAxc4w2ts+XkFX mUAN2Y6bwXmBGMaPjn7MysT3XWINYqz/RVrXbKl9k8Oky0T61HnE0MOGwQeOLXt/ AI/sgRpqK2B6degrbze+0LquzZW/Gxd/4l5diDj+Dop9dPn6EJVz5F4xCNzgRBcl vPhpXBPN7IwUySCCOx6LdCinYjvTyVeH05dTJA04DZykSaXCullMgOl4i3WKbzgS +yJFW9/D+NNAtb0Z9+FynvQ3lmIM+OycBsc8LbDv2scMdwakpNeVhCQY1t8I+h6Y U9u7yjQedhSZpxD586q8zLkBzIXvFA== =con+ -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20201112033921.GD38624%40mail-itl.
[qubes-users] QubesOS and 3mdeb "minisummit" 2020 - starting online today!
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi, This year we're doing "minisummit" with 3mdeb in online formula. It is starting today, you can watch it live and ask questions, or watch recordings later. More details here: https://blog.3mdeb.com/2020/2020-05-15-qubesos/ Links to live stream are here: https://twitter.com/3mdeb_com/status/1263068441319223296 - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl7FGd0ACgkQ24/THMrX 1yyrFgf8D/Q7qoxbyX8/QVokbxftU/PuiqXWp9sFeKWre7QF8005fKCrsKZbFv8N 9fs2j0oAyiCNuiLeYcywFB7lcNIvttD8BgJMDj3Nk6YmGDFi3gpCPu/99RSBHc7w FgMOeY0jVsPoKiuom6uvpEl766zP9VKoNg82kDGaMMcYmOoLhvU6+1BX3obQ14QJ kwfF44iseAzBOXvrMd9M8qpgHUaIkbwubKiAJYP1TSufkfFXmgKqhUtiGkwEZ53V 2yOtfsRAzaup9gPVLE1ItRrSdkXZrit24XTyX1F7lu2Gh/CQbr+4Ja7UJ61Gin4Q g94+teHULs3GjWgNkHryr0DwWDflQw== =Znww -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200520115159.GJ98582%40mail-itl.
Re: [qubes-users] Re: Fedora 30 approaching EOL, Fedora 31 TemplateVM available, Fedora 32 TemplateVM in testing
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sun, May 03, 2020 at 08:57:52PM +0100, lik...@gmx.de wrote: > > > Fedora 32 TemplateVM in testing > > === > > > > For advanced users, a new Fedora 32 TemplateVM is currently available in > > the `qubes-templates-itl-testing` repository for both Qubes 4.0 and 4.1. > > We would greatly appreciate testing and feedback [6] from the community > > regarding this template. > > What's the expectation for Fedora 32 to reside in testing templates before > it's moved to official repos? > I'm asking because it might be worth waiting for Fedora 32 before moving > first to Fedora 31. This is of course only reasonable if it will be before > EOL of Fedora 30. You can track template testing here: https://github.com/QubesOS/qubes-issues/issues/5761 (especially see issues linked there) Sadly, Python 3.8 in there breaks few things (including updates via salt), so it may not be ready before Fedora 30 EOL. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl6va54ACgkQ24/THMrX 1yxPSQf/aI95paVe0x++hEsYicKLduDxbcr4BaFlWOtyhKEPjoiU/OJwTevKIafe jjHms5DOfRwRzasbgDm5fUV4JJad4V5L+B5I9PdB/9a6qL3nalIxOAgOD//OwHNQ ZG1IytW1aGh+u5zmqGhEMysWep0mfnbf5g8NIZogaGo0HOpBy71tjBfu8FT0nvb+ 3s9Nq1yyZdwdQgkU/xOZJ558OmrjPSsgpVYQzpf55JfJt3x1EYjC918CZC7HqCeC VfhUAAiwS4FsTITxx/RESdp8Ax4JIke5/vs/7JjaVe0BH70MYi96/iIDbSltSUzS KHAJAl/vbHA9R7xSIiE+qxtP+8v++Q== =4Rct -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200504011053.GA41017%40mail-itl.
Re: [qubes-users] AppVM won't start any application
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, Apr 23, 2020 at 09:25:56PM +, 'bfgvusmcar' via qubes-users wrote: > Hi, I am a new user and I'm very happy with the OS. I installed it a few days > ago and I seem to have an issue. I would delete and re-create the qube but it > could be a helpful opportunity for both me and you to debug some issue. > I have a qube based on debian-10 fully updated. It didn't have any particular > configuration, a bigger volume as I planned on using it more. Suddenly it > won't start any program, not even the terminal. > From /var/log/xen/console, it seems like the AppVM is starting: (...) > [.[0;1;31mFAILED.[0m] Failed to start .[0;1;39mFile System Check on > /dev/xvdb.[0m. > See 'systemctl status systemd-fsck@dev-xvdb.service' for details. This does look like an issue. xvdb device is "private" volume, where /rw + /home lives, so this is important part. Try extracting more info about it from dom0: qvm-run -p -u root vm 'systemctl status systemd-fsck@dev-xvdb.service' Check also earlier entires, specifically "Initialize and mount /rw and /home" service (some its messages are marked mount-dirs.sh). > A popup now appears (it wasn't appearing before): "Domain has failed to > start: Snapshot origin LV vm-debian-10-root not found in Volume group > qubes_dom0". This on the other hand is about "root" volume. But LVM setup happens before starting anything inside the VM, if this would be the cause, you wouldn't get any output from the vm. Check modification time on the log, if it's really about latest try. Can you start the debian-10 template itself? Or it fails the same way? - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl6lpXcACgkQ24/THMrX 1yxoyQf/ZqepS8qqrAsW9BoSn6VvMHZSGa5TMyGx63jty70p4v0GWFQJ6XSLbbGx NBneKN+bsT6bHkPk6XmHsV0oy8J6d6GSrnzBm7di+e10zv5wQv0n7yqcDELhYFIb DvvyVHkbq4VCq81EeaPVc/nbPcpuhkzN2FZCT6vsH7S8s20fmRdxrO8WfPyUQg8X UA8TrA3m75mz3JXhyRddmNFH6hbPOxh4p8oG6yPr6ne6L/+bW/KoXUz6sul1OMsj X6A880L57ffz89qpt94o/oYMEVm/7UqV6Mzn/Nau+tOGaKGduCSmu2SS7YDzSqxk ipTqSftScK9t5y74FHL9dm76iNJadQ== =ZdPD -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200426151505.GB29396%40mail-itl.
Re: [EXT] Re: [qubes-users] Qubes Updater doesn't update
On Sat, Mar 28, 2020 at 12:57:55AM +0100, Ulrich Windl wrote: > On 2020-03-21 20:39, Marek Marczykowski-Górecki wrote: > ... > > Sounds like https://github.com/QubesOS/qubes-issues/issues/5705 > > The fix is already in current-testing repository, and will be uploaded > > to current (aka stable) in few days. > ... > > Had the problem with whonix-gw-15 and whonix-ws-15 today (when no Dom0 > update was displayed). I decided to update both templates via cubes manager > and then manually update Dom0 via command line. > Should the problem be gone from now then? Yes. -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200328003025.GW18599%40mail-itl. signature.asc Description: PGP signature
Re: [qubes-users] Qubes Updater doesn't update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Mar 20, 2020 at 08:21:58PM +, 'trichel' via qubes-users wrote: > Qubes 4.03 > Qubes updater runs normally without errors, but doesn't actually update > *Debian* templates. Same problem with Whonix templates. *Fedora* templates > get updated normally. No further details or error messages are provided by > the Updater. Qubes Updater also doesn't notice any updates are available for > Debian templates, resulting in outdated Templates without the user knowing. > > Updating Debian templates with the Qube Manager just works, but the problem > persists. > > Maybe something bugging in my config, or has anybody experienced something > similar? Any advice what to do? Sounds like https://github.com/QubesOS/qubes-issues/issues/5705 The fix is already in current-testing repository, and will be uploaded to current (aka stable) in few days. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl52bXgACgkQ24/THMrX 1ywWyAgAhOu4olEhm7/9Qoa5BpYubaeLy9fU/V22KAMYYy/e0S0ZIcbcxMvc9KYS 5oFMbtoKipuSlIZhrs7IYhJjiBiWrigmgOjAYSY1coN2PBcXubvKdK46Qf/ueyV+ 601+gRMv+wbG0rXIG2MbU3yd8ITm1nNAsdEC8Hbqp1Zp2WPB8hXgaNsjDaxvYohq slB4Ftdow9D33m0/OTh1gBlc7AloaZgsWcAzTXRCCr8a6d+1dNFHpqbpVpEfXgdj 5cF9f5sWFUhX2Y9ke5UQUjqkpvTG3/WBSNM+G8GxsTrBxfl3mfs28IeTALeV7rg0 nz2Y12nX69/gD9WbIABgkGOp/U+Bqg== =1GmU -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200321193936.GA29396%40mail-itl.
Re: [qubes-users] Re: [4.0] Intel Wi-Fi 6 AX200 adapter
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Mar 20, 2020 at 01:05:02AM +0100, Vít Šesták wrote: > Hello, > > On March 20, 2020 12:33:31 AM GMT+01:00, "Marek Marczykowski-Górecki" > wrote: > >I didn't spot VT-d errors, but I'm not entirely sure if I've checked. > >If they are there, this is something definitely worth looking into and > >most likely an issue within iwlwifi driver (or the firmware). It could > >be also worth trying booting Fedora 31 Live directly, but add > >intel_iommu=on kernel option. If that would break it, it's a clear > >indication that the issue is somewhere between firmware and the driver. > > I have tried to add this option, but it remained to work. Does it mean that > the driver itself is OK and the issue is in Xen or stubdom? Likely, but not surely. Some more ideas what could be wrong: 1. Some config space access is filtered and driver doesn't cope with it. 2. Some extended PCIe feature that driver/firmware assumes present is not implemented in PCI passthrough. 3. Bug in handling any of supported PCIe features. 4. And there is still a possibility for a bug in the driver/firmware. For the first hypothesis, I'd try enabling permissive option (AFAIR didn't helped in itself), but then enable verbose logging in pciback driver: echo 1 > /sys/module/xen_pciback/parameters/verbose_request before starting sys-net. You'll get quite a lot of logs this way, and for understanding them fully, PCI spec would be handy... But maybe there will be some less obscure clues, like messages about explicitly failing requests? For the second hypothesis, I'd take lspci -vv of the device from both sys-net and dom0 (preferably in exact the same time, during enabling the interface, but that's unrealistic). And compare. There will be definitely some differences (more features visible in dom0), but what would be valuable is: - comparing configuration of features visible in both places - correlating missing features with iwlwifi driver It may be also useful to increase iwlwifi log level (I see 'debug' module option, seems to be a bitmask). For the third hypothesis, enable iwlwifi debugging and hope for more details. Decoding that firmware error would also be useful, but unlikely without firmware documentation or source code. If everything above fails, I would thoroughly compare driver behavior on bare metal and in the VM. Start with the driver debug output and if still no clues, then log hardware interactions (may require modifying the driver) and compare them. Some of the above ideas are quite extreme, and tedious to execute... PS adding the list back. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl50F2QACgkQ24/THMrX 1ywLuAgAjd/zJfxu9cHAo4h7vEib+0LWOTx55/hv8cGP9CsKNcpIdY6SJfg2Smy1 nhzh7BwxTkwnzGjYsmLzN+NX8uaTOXiLLdoEhoaOGbLekdsfJnXKLyXdu2AEhFHj ejKYfWTRNLnqDWNViNNhFgx9vbOsasyiQWh0tMJm5cwUkXMz82DTjVqDXBBtgog1 86hMdLcSxRYVNw0q+KL3zmlagpbxDcmwnf0cV6NjyckQ1LWQ+pr/zx3FS74WatJP D7k7dJ1M6rEdEDJaZ+K+XiXkLzJUufuwwKMlN4VL4SFvwmD5aglZm2B0rdcBBF9a 7pGs+ORAnWH4T4gnpiPi5OcfZWjiAQ== =SAV0 -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200320010747.GB18599%40mail-itl.
Re: [qubes-users] Re: [4.0] Intel Wi-Fi 6 AX200 adapter
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, Mar 19, 2020 at 11:41:55PM +0200, 'Ilpo Järvinen' via qubes-users wrote: > On Thu, 19 Mar 2020, Vít Šesták wrote: > > > Hello, > > I have some interesting updates. I have tried to: > > > > a. Boot Fedora 31 on the laptop (Live version from USB drive) – adapter is > > detected and finds Wi-Fi networks. It just works. > > b. Boot Fedora 31 Live (from the same USB drive) in a HVM with attached > > Wi-Fi card. It had 2000MiB of RAM. It fails in the same way as my previous > > attempts, not sure why. > > > > This looks like the AppVM is fine, but there is some glitch in the PCI > > handling. It might be related to Xen or to the DM, not sure. > > > > HVM: https://gist.github.com/v6ak/76f2c089c63b1fe184f3717d5bd5254e > > sys-net with Fedora 31: > > https://gist.github.com/v6ak/30ecc502d1ce7508953eb3d505564668 > > > > I have also resolved the chicken-egg problem – I can connect to the Internet > > via USB. This is not a permanent solution, but it was good enough for > > updating dom0. However, the update (+ subsequent reboot) has not changed > > anything. > > One option would be compile a kernel with CONFIG_IWLWIFI_TRACING (or > something like that) and try to provide the trace log to iwlwifi devs. > ...It might not help though if it's not a HW/driver issue but xen/dm/pci > related thing. I've seen very similar thing recently, not sure if exactly the same, but it's very likely. Sad news is neither me nor Paweł managed to fix it yet. Things we've tried: - various kernel versions (including 5.5 and 5.4) - different firmware versions (apparently the driver tries to load versions that new that are nowhere to be found yet) - various options like permissive mode I didn't spot VT-d errors, but I'm not entirely sure if I've checked. If they are there, this is something definitely worth looking into and most likely an issue within iwlwifi driver (or the firmware). It could be also worth trying booting Fedora 31 Live directly, but add intel_iommu=on kernel option. If that would break it, it's a clear indication that the issue is somewhere between firmware and the driver. >> 1. Problem: Domain sys-net did not boot at all because of issues with >> attaching ethernet PCI device. Is it a Realtek card? I don't remember exactly what helped, but something helped here. Paweł, can you help? It was either attaching SD card reader (which is another function on the same PCI device) to the sys-net, or enabling no-strict-reset option (or maybe permissive?). - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl50AUwACgkQ24/THMrX 1yzCQwf/RHg7jCK7CS0ut98MoI2oDvRf6SJc6oVTNbbklovmmZcRwj9SrXcEw7j9 KQ0X/i7HpEr03MmMxOlQO8R4BUdXqZ5iyDWLnPLNRZimH2ftA55ndOaOqecaQZOc nzxpeUyEHbO8D/ZwodRoTBF9Tl+e4lI7wOz/O6Ruy604++z3P5gzTuYVp390CiYU Jt5suLKxoIuICO8EaRBT/5KGDM4BsuW9pfe2YDBs4USWg75D9C86KvgSGZhD6xd/ GwfPd3KXyiPTYHWT5fymupatiPnMVPKjpMQDyOvPbHJqUoUJ+owO/nqfSquWV8Mz h4M2DffaBN/i8zxxtIWwh0nGLbX/kA== =c9Wb -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2020031921.GB19117%40mail-itl.
Re: [qubes-users] Another Intel vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Mar 11, 2020 at 04:05:03PM +0800, Sandy Harris wrote: > https://techxplore.com/news/2020-03-unfixable-flaw-intel-chipset.html As with many other firmware-level vulnerabilities, this can't be exploited on Qubes, because no VM can talk to that firmware directly in the first place. But the issue is deeper, as the issue isn't only about OS layer, but keys embedded inside the CPU. If those keys are leaked, many CPU crypto features become useless. The exact list isn't clear to me, but it may apply to: - fTPM (not used in Qubes), - SGX (not used in Qubes), - microcode verification (used in Qubes, but inaccessible to VM), - ME/FSP/other firmware verification (used by platform, before Qubes is loaded, but may affect system runtime) There are some rumors that some of the keys may be not unique to a specific CPU, but shared across CPU family - in that case, key extracted from one CPU may be used to prepare malware for other systems with the same CPU family. In any case, it looks like even if some of the keys are leaked using this vulnerability, the attacker would need a physical access (or break into dom0) to attack Qubes, as relevant interfaces are not available from within a VM. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl5qQIcACgkQ24/THMrX 1yyTJgf/cvES/MttCVUcV/RYYFLIgW2H5SBTtR2XU/kMJF2crppM8NPpie0Q5a+c qB53aha3h8D5Y66SiKzBN2dSy2halqQv+yCvdSiffbYWJWPCC17xNg/nRBFQ7jG2 owa0zkcYQOwN9Fm2O/SlfImqpJ5R2w1M3r0yHR9Lg+Q2nIgQ9cT6f1QncnlodEIa Qb8qu93yV3NstQA9VJ3wPJ8uSFecXunEkSdUB8HLRWs2DDd4pnPM/NaI6kn2fz7g T/WLZMT+7ZmsNMTAVA/mJX6VjYICfdUHXcFOKY6JMByFalWRXM3Yktclrc344ytq J4H904OttmE+M9PNw9o/RS5MpesWqw== =wfKX -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200312140040.GA19117%40mail-itl.
Re: [qubes-users] Is Qubes Split GPG safe?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, Feb 13, 2020 at 10:05:21PM +0100, Frédéric Pierret wrote: > > On 2020-02-13 20:37, Claudio Chinicz wrote: > > Hi Frédéric, > > > > Thanks, I've managed to install claws-mail on my Fedora template. The > > problem is that Claws-mail does not support Oath2 (Google) authentication, > > just like Kmail. > > Your welcome. > > > > > Evolution does support Oatrh2 authentication but instead of Gnupg it > > supports Open PGP, I think you're confusing two unrelated things. Oauth2 has nothing to do with email encryption. Also, just to clear terminology, GnuPG/GPG is an implementation of OpenGPG standard, so _in theory_ it is the same. - From what I see, Evolution does use GnuPG under the hood. > > the same standard that TB 79 will support, replacing Enigmail. > > > > Would Open PGP support/integrate with Qubes Split GPG? > > I CC Marek to this question as I known there is some new version of it but I > don't know what's inside. Thanks for bringing this to our attention. For reference, this is about https://wiki.mozilla.org/Thunderbird:OpenPGP:2020 - From my reading of this page, it sounds like a DISASTER in terms of existing pgp encrypted emails support in Thunderbird, but also in terms of extensibility of Thunderbird (severe limitation of addons, if not removing them completely). One of the key features of Thunderbird is its flexibility thanks to addons... So, it looks like they have decided to use a completely different implementation (or even writing own) of OpenPGP standard, instead of using well-established standard of GnuPG. They already acknowledge it will most likely lead to many interoperability issues and they accept it at the design level. Life shows that if you already know it will be bad at the design level, in practice it will be even worse! But also important aspect is the key storage. Anyone serious about security knows that keys should be stored isolated. Those not lucky enough to use Qubes, can use smart cards for that. And according to FAQ on that page, new Thunderbird won't support smart cards! And in the shape presented on that page, it looks like there won't be a way to plug split gpg either! As a side note, I do think that even though GnuPG is a well established standard, its quality isn't very high and steps to break its monopoly in OpenPGP implementations are a good thing. But it should be done in an incremental, compatible way, not "break everything" approach. Another side note, or rather a hint for Thunderbird developers: modern gpg consists in reality of multiple parts running as separate processes. One of them is gpg-agent responsible for accessing private keys (either local or on a smart card) and nothing else. gpg-agent has also a simple, (kind of) documented protocol. If they still want to break everything, they could at least consider support for using existing gpg-agent available in the system. This won't solve interoperability issues, but at least will allow people to keep their keys secured on smart cards or with (upcoming new version of) split gpg. The only good side of this I see is having PGP support in Thunderbird out of the box without requiring an addon - meaning probably more people will use it. BTW we need to verify is this major breakage of Thunderbird addons won't break other Qubes features too - namely opening attachments in DisposableVM, which is also done using an addon. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl5GjPAACgkQ24/THMrX 1yxyewf/Un2JTcdEXx/c0mZd+huN3sr/OwfWt4vOaLnNoPdnog0ak9mpdiJfwAj9 Na3g9jXdF/0hjfgLMC7S7kZaCJv08hzycMatmIl2lY7q7oI8kobIye2EBKZg6/Z3 8WYuYILZet1B7J79/J66lUdhZQt72aLnDadFj9EdIJaFH9GtEUH4SNezsaXce9Q/ M+LWJhS947SySfsuZ3js5IunflHI51AV449OxUzA2fO60/tK7zQg6H+9L8UXBgFO feDvXjLK9+sDGvryn6/M9GNe5Hq5ZBHaFABkpfjhSgF8O2aJm1dFKeMvKJvKh4Ts AexsYCPoXKT2vr5gBwN+BgOQINRgtg== =Qqfw -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200214120504.GE18599%40mail-itl.
Re: [qubes-users] Re: R4 system requirements; AMD compatibility?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sun, Feb 09, 2020 at 09:28:13AM -0800, brendan.h...@gmail.com wrote: > On Sunday, February 9, 2020 at 5:25:56 PM UTC, brend...@gmail.com wrote: > > > > > > Has anyone tried utilizing the xen command line options to mask bits in > > the cpuid, in particular section 1.2.35 cpuid_mask_ecx)? > > > > The man page below says that "Settings applied here take effect globally, > > including for Xen and all guests." This *might* mean it is applied *before* > > the resume from sleep CPU bit checks (but I'm not promising anything, as I > > have not traced through the source). And also "*Warning: This option is > > not fully effective on Family 15h processors or later.*" > > > > Just noticed that the warning applies only to 1.2.34, which is AMD-only, > apparently. Unclear to me if the other items 1.2.35 and higher, which is > for "x86" apply only to intel or to all x86 architecture. I may be missing it in this thread, but have anybody tried Qubes 4.1 builds (with Xen 4.13) on such system? Does it have the same issue? - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl5AcSAACgkQ24/THMrX 1yzQ/ggAmQOFWyP0GNVs5dMuSzKx6mo7myoJ0tlJaKdpNPKZZnYjaLAqhUPig5YG rd5iv26TjVq/bl8uiRE0/qwV0/sjqgmLTqPIQanzxsB5Cnok3OZyswghGJY/UY8Y j5ADzpzRtCC7WhQkvhtPSwcC3c72rgmjfQg2IjKfYU6qyv+0aJ2HuJQj/kA49cG6 kzwGRIJJlxVfCsnlXSwmHa17PyiolvYqpQFhCN8EIM3KYFcjrBK+kP7nqdNXuQ8R atZqH66h8wxp/BvGO9xGZPmWV6uhrC+JIKfdlaspKO4fWFxXuBwxGgS+favkn5wT vBJcU6wxj2Qwk6MvJV17BMV1dwqntg== =HtGL -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200209205248.GD29736%40mail-itl.
Re: [qubes-users] Re: R4 system requirements; AMD compatibility?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Feb 07, 2020 at 02:13:56PM -0800, brendan.h...@gmail.com wrote: > On Friday, February 7, 2020 at 9:35:25 PM UTC, zach...@gmail.com wrote: > > > > I preemptively submitted this PR to see what the Qubes team thinks. > > https://github.com/QubesOS/qubes-vmm-xen/pull/70 > > > > I agree it probably should be fixed upstream, although I've seen the Qubes > > team make exceptions and apply their own changes. Upstream would probably > > take a huge amount of time to get merged and tested. I'm not a developer > > though so I'm sure you could explain the issue better than I. If you do > > mention it, CC me as well! I like the CLI argument idea, that's probably a > > much cleaner way of doing it and defaulting it to true. That way users > > could disable it if needed due to hardware screw-ups. > > > > Marek is somewhat active on xen-devel. Submitting the PR to Qubes is > probably as good a place to start the (github) discussion I suppose. > > I expect Claudia is correct that it's really a Xen defect to address, > either with a flag to disable the check, or security/stability focused > checks only. > > Xen might point upwards again, of course, and tell AMD to fix their > microcode or manufacturer's their BIOS's... > > ...but if a disable flag could be added (--yes_i_know_what_im_doing caveat, > of course) that'd be a good short term workaround for the larger Qubes user > base that is less likely to be able to figure out how to get a build > working and rpm applied and keep up to date with upstream. (continuing discussion from the above PR) The patch as it is, is not acceptable, as it may introduce security and/or stability issues on some machines. Xen (and Linux too) assumes what CPU features is can use based on CPUID flags. If those changes during system runtime (including suspend/resume) some instructions or control registers may no longer be valid (->crash) or safe to use (->security issue). If that's just about microcode updates, that's probably BIOS bug - if it applies microcode update on system startup, it should do the same on system resume too. Anyway it's worth trying updating linux-firmware package, which carries microcode updates for AMD. This should make Xen apply microcode updates too - before checking those flags. I've just uploaded updated version of the package to the current-testing repository (both R4.0 and R4.1). If that's about something else, then fixing it would require finding what exactly is changing (and preferably also why). And only then find how to mitigate this issue. If specific flags would turn out to be not related to security features or otherwise having unwanted effects, then ignoring those changes would be an option. But ignoring _only those flags verified to be safe to ignore_, not all of them. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl4/abcACgkQ24/THMrX 1yxEGgf/SG+V7TKM8f7QZ5JFVSr++QasDbMefkuc30OeUkXKtFXsTNMH2fp1S8zq lTgxfrrGH+N7sfP1KkjAZ7ri+DJgmoCyqULUNZAez5DdGlaLJRtsz5rRBtTr4t9F nmJNC859/RPEpbozwxlM6K8JRhlxVg35Sl46E9lYHbNsTBqAywxhTUgENsZlrblh gXn2MgnzDHvwShCltlNL2l29HaAXBzIICpPcgiRWLEY/Y1OTNHvYPiTgZdRtkkEM 5tM97EwxZF31k5i7wGpRed84xCid2bXvufq2Xjo2jWxXuQ01r+bv6v/lVwDvd5tz iOWJsjj4tXLo3bcpuaCM5XvHI9x0yg== =h62J -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200209020855.GC29736%40mail-itl.
Re: [qubes-users] Re: Qubes OS 4.0.2 has been released!
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Jan 08, 2020 at 06:07:01AM -0800, fiftyfourthparal...@gmail.com wrote: > Hi Andrew, > > I installed 4.0.2 on my Dell Inspiron 5593 without new issues. > > The answer to the following question seems to have been implied in earlier > responses, but I'd just like an explicit clarification: Can the "critical > kernel bug" affect my security in any way? No, it doesn't affect security. It simply crashes (and reboot). If it works on your particular hardware, then you're lucky and should be safe to continue using it. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl4X0IEACgkQ24/THMrX 1yzgDgf8CAQZyZQLeuF45UToxe4lumA3PWb9q8j82LW7p/Llizwu97T1pF/c6mGJ MXuUGyu8H8AS2nEK6W4zC1ZDClTFMGvsmMOwhkDbSUuSxyK1WXtRdAhsHK32jQ6j 0xnS6woUeFUkmBonjfQZxrDtj719WwrLWsJWffrDG4GPRoQkk6Mp+QjB8N1d/0bX 9hPjWxok0c6Up4hTOoGLVlnW0OlRgZ35P4UOGqxxscjygpgBwXvD+BXg8YMP+f/v t6gEu7oLJ9faxtNT4nGHgQZhKayuhAGFvf5Q+uvyBplGWqwGpHmEh6FJnlKEoWYD UbaUNGX1UPuBM8WMstJ/F9P3n8a/tA== =xWrL -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200110011649.GA29736%40mail-itl.
[qubes-users] QSB #56: Insufficient anti-spoofing firewall rules
): $ sudo dnf update For updates to Fedora from the security-testing repository: $ sudo dnf update --enablerepo=qubes-vm-*-security-testing For updates to Debian from the stable repository (not immediately available): $ sudo apt update && sudo apt dist-upgrade For updates to Debian from the security-testing repository: First, uncomment the line below "Qubes security updates testing repository" in: /etc/apt/sources.list.d/qubes-r*.list Then: $ sudo apt update && sudo apt dist-upgrade A restart is required for these changes to take effect. This entails shutting down the TemplateVM before restarting all the TemplateBasedVMs based on that TemplateVM. These packages will migrate from the security-testing repositories to their respective current (stable) repositories over the next two weeks after being tested by the community. Credits The issue was reported by Demi Marie Obenour. References == [1] https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes [2] https://nvd.nist.gov/vuln/detail/CVE-2019-14899 - -- The Qubes Security Team https://www.qubes-os.org/security/ ``` - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl4DmQkACgkQ24/THMrX 1yyTrgf8DB9+TOy89Gn9kwDYm15nXqCuxOm0k3Zsv3FWJCz1NobTpDJ14+LI0qcf YR1jXT+XqUvfeIJ2NlJ+DQ4454cd3m27nEP7B0G7A2PU3jbonIyBE9Qe7PpQ8kmU FtI+GoknrMlUEP+QNwceRg1Q9OPaB6Zzzq0VE6C58rxnL6oGNUXVgrsXV/Jtl1pZ quf5c8x7cZqRqUbFBkaE2P5deYRfCIj/Vt3N3uhsvEKAay2qwgMnnZmQv2Qhp+cq gephG2LgrczBjvjlZ/0zt2+7N4LPyDCeP5dVJlFSz/85uNBo0vmTecyFhaUJEhn1 2JzJh9rUVQFNTwetTTsh2M2q6rubnQ== =29/a -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191225171448.GA11736%40mail-itl.
[qubes-users] QSB #55: Issues with PV type change and handling IOMMU on AMD (XSA-310, XSA-311)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Dear Qubes Community, We have just published Qubes Security Bulletin (QSB) #055: Issues with PV type change and handling IOMMU on AMD (XSA-310, XSA-311). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack). View QSB #055 in the qubes-secpack: https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-055-2019.txt Learn about the qubes-secpack, including how to obtain, verify, and read it: https://www.qubes-os.org/security/pack/ View all past QSBs: https://www.qubes-os.org/security/bulletins/ View the Xen Security Advisory (XSA) Tracker: https://www.qubes-os.org/security/xsa/ ``` ---===[ Qubes Security Bulletin #55 ]===--- 2019-12-11 Issues with PV type change and handling IOMMU on AMD (XSA-310, XSA-311) Summary On 2019-12-11, the Xen Security Team published the following Xen Security Advisories (XSAs): XSA-310 (CVE-2019-19580) [1] Further issues with restartable PV type change operations: | XSA-299 addressed several critical issues in restartable PV type | change operations. Despite extensive testing and auditing, some | corner cases were missed. | | A malicious PV guest administrator may be able to escalate their | privilege to that of the host. XSA-311 (CVE-2019-19577) [2] Bugs in dynamic height handling for AMD IOMMU pagetables: | When running on AMD systems with an IOMMU, Xen attempted to | dynamically adapt the number of levels of pagetables (the pagetable | height) in the IOMMU according to the guest's address space size. The | code to select and update the height had several bugs. | | Notably, the update was done without taking a lock which is necessary | for safe operation. | | A malicious guest administrator can cause Xen to access data | structures while they are being modified, causing Xen to crash. | Privilege escalation is thought to be very difficult but cannot be | ruled out. | | Additionally, there is a potential memory leak of 4kb per guest boot, | under memory pressure. Impact === XSA-310 applies only to PV domains. Most of the domains in Qubes 4.0 are PVH or HVM domains and are therefore not affected by XSA-310. However, PV domains are still supported in Qubes 4.0, and they are specifically used to host Qemu-instance-supporting HVM domains. In the default Qubes 4.0 setup, several attacks would have to be chained together in order to exploit this vulnerability. Specifically, an attacker would have to: 1. Take control of an HVM domain, e.g., sys-usb, sys-net, or a user-created HVM domain. (Most user domains are PVH and are therefore not affected.) 2. Successfully attack a Qemu instance running in an associated PV stubdomain. 3. Finally, find some way to exploit the vulnerability described in XSA-310. Moreover, since this vulnerability is a race condition, it is an unreliable attack vector in real world scenarios. XSA-311 affects only systems running on AMD hardware and also is thought to be very hard to exploit. But since it can't be ruled out completely, we recommend applying updates nevertheless. Patching = The specific packages that resolve the problems discussed in this bulletin are as follows: For Qubes 4.0: - Xen packages, version 4.8.5-14 The packages are to be installed in dom0 via the Qubes VM Manager or via the qubes-dom0-update command as follows: For updates from the stable repository (not immediately available): $ sudo qubes-dom0-update For updates from the security-testing repository: $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing A system restart will be required afterwards. These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community. If you use Anti Evil Maid, you will need to reseal your secret passphrase to new PCR values, as PCR18+19 will change due to the new Xen binaries. Credits See the original Xen Security Advisory. References === [1] https://xenbits.xen.org/xsa/advisory-310.html [2] https://xenbits.xen.org/xsa/advisory-311.html - -- The Qubes Security Team https://www.qubes-os.org/security/ ``` - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl3w9qAACgkQ24/THMrX 1ywNmgf+ModX2TIC5BNbPXNRjXQAFGByj21sTdmKlj3mo5Q1zus00gvEYvwWUvRA ob8Sb1DuaHZhM4x3Ea2FjSqYA+GszDctj9dY5VWrlecd1tsmTijlHPo2x1FpIyWm Qf24697gel0TDb+51JFCXrqZYye3Bj4mL4tEplDZRmH8fw9J94zPQROztnzi9mmF ownqn40LMEiTBg0WaV7k3ymnLPRX3rLZGS1oG//ESouL7Mz8Id/vjpsWyrBX8P3A TyisLzrblA1/9+bSGEUaP4jq5Uf98Eb+GKkXX6yjD8CT+kO7ez02AL+PzmxK7YmT G67PD1wDDcFFFr/+AeoHkjgjYdyghQ== =erlC -END PGP SIGNATURE
Re: [qubes-users] 2 new Intel vulnerabilites
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, Nov 14, 2019 at 10:37:33AM -0800, Lorenzo Lamas wrote: > Btw, do you think it is possible for Qubes to distribute the Intel > fTPM(http://tpm.fail/) update somehow like Qubes does with microcodes? I don't think it's directly possible, this part of the system firmware is specific to particular device configuration (bundled together with the rest of BIOS/UEFI), not only CPU. A quote from Intel advisory: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00241.html | Intel recommends that users of Intel® CSME, Intel® SPS, Intel® TXE, | Intel® AMT and Intel® DAL update to the latest version provided by the | system manufacturer that addresses these issues. There could be a way to ease updating system firmware by integrating fwupd, but it isn't done yet: https://github.com/QubesOS/qubes-issues/issues/4855 - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl3PEHUACgkQ24/THMrX 1yy5rAf+OUCwS/oIGN04ps6Skv19pwCL8gkKizEoncXduI5nXUI1hBcqtmfBPbUj orJqWt65YKQPeCnWubbJHHA5cIe0KtG/yPTtMcG98caU8Qi1y/vi2Nv7lt6+y1GL BbGe/O2ZHYuZAMGLg9bbk3ZXmQ8hrAyHCB+3vvVxIlrPHkOShjpHztsgguug00MI sPNdg9IHurPNwbwbMgwHGIUDOgFr7MilGT1y3afzBEIrHZCT5SaPHernUYGd7oD9 PmhGsb5grJo5eYDO+wiizrW/by2BUXH+4Qeimtxk+N7xqqk7/btQXl77dOGQ5k/t 1uNcXNluSAXVspKvKJTIXhGlpJmAMQ== =cXye -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191115205412.GB4164%40mail-itl.
[qubes-users] QSB #52: Xen issues affecting PCI passthrough and PV domains (XSA-299, XSA-302)
perform a DMA attack in this window of opportunity during system startup, the attacker could still compromise the system, even with the XSA-302 patches applied. In practice, this means that devices containing internal writable firmware or configuration storage are worse for system security than those that have read-only storage and require firmware to be loaded externally by a driver. Many people consider devices that require loading "firmware blobs" to be less freedom-friendly, but the effect on system trustworthiness is exactly the opposite. Such devices are actually more trustworthy than those that have (possibly mutable) firmware stored internally. In addition, it's easier to reason about the firmware when it is accessible to the user. Even if the firmware is in a binary form, it is at least possible to verify its authenticity and that it wasn't modified maliciously to target your specific device (e.g., by comparing hashes against a public database). Naturally, a device with open-source firmware (still loaded externally) would be even better. In the vast majority of cases, however, a device that doesn't require loading external firmware actually still has such firmware -- it's just hidden inside and impossible to attest. Patching = The specific packages that resolve the problems discussed in this bulletin are as follows: For Qubes OS 4.0: - Xen packages version 4.8.5-11 The packages are to be installed in dom0 via the Qubes VM Manager or via the qubes-dom0-update command as follows: For updates from the stable repository (not immediately available): $ sudo qubes-dom0-update For updates from the security-testing repository: $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community. If you use Anti Evil Maid, you will need to reseal your secret passphrase to new PCR values, as PCR18+19 will change due to the new Xen binaries. Credits See the original Xen Security Advisories. References === [1] https://xenbits.xen.org/xsa/advisory-299.html [2] https://xenbits.xen.org/xsa/advisory-302.html - -- The Qubes Security Team https://www.qubes-os.org/security/ ``` - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl27CAkACgkQ24/THMrX 1yyVYQf+OBmOSFrr5l5fSLMfqrPWCxiq8rb1O1SXQ6lN1akxEfx7GO36fbpV47/K Qu7S3MZhfVUf7y9xWcKrcYdUtnXhRvV5az17gF9JOYSinHIxHPnOyXTu/vWtTQPW 057d2ZnQiTijN22ELlNQy6yRHzutUxSfT9vpRH0BCuoM3yR7Q9EUNKMIy/A5lF6q L1Hkdtnu+1j+2kzsaE5/HrjvN/lQ0KRBgDpYXWrExgQOYYnAigvUeRefH4/dDERF BISdEo4w49pyU2Hb54YjTit+NbgfkVVIyuU8wC63reImmbrCQHT5hdWUpP2c1ymt AWadPawOVgGmDDFeFaHfCbTYoU0ahg== =MUDq -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191031161258.GX1410%40mail-itl.
Re: [qubes-users] Safe to switch default-mgmt-dvm TemplateVM from Fedora 29 to Fedora 30?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Tue, Oct 15, 2019 at 02:39:56PM -0700, 'Heinrich Ulbricht' via qubes-users wrote: > I want to switch the template for all my Fedora 29 AppVMs to Fedora 30. > > In the process I learned about *default-mgmt-dvm* which is currently based > on Fedora 29. Is it safe to simply switch the template to a (stock+updates) > Fedora 30 template? > > This issues <https://github.com/QubesOS/qubes-issues/issues/5181> suggests > there might still be problems. > This answer > <https://groups.google.com/d/msg/qubes-users/WMSowoOgfIA/dXA8tco-CAAJ> > suggests it is indeed as simple as switching the template. > This thread > <https://groups.google.com/forum/#!msg/qubes-users/qf4zN6SFe18/rr6rclqoCAAJ> > has never been answered but covers basically the same topic (switching to > Fedora 29). > > Should I just switch or rather not touch it? Yes, it's ok to and even desirable to switch. It should be based on stock template without less trusted repositories and software installed. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl2nCSoACgkQ24/THMrX 1yyAGggAkUSGnRuUiA2OnHRWqgfSXglHFiiZBXQipuYgHtuYtNr6dCDBOiCFfV5t xaCZalo/wwi3LZ6RG+/8BqvaetoGM2bBjWNUXeFBCBe+GVWM1X6DGwF0xrVaacVQ kl72aXJXg/h1SnlxNbTkqGQtJ51PlyfWOnr95jRwFegKdGng/RZGkyGwQnA0EKXw 3kzCM1s5SoEakuy/jsXIDrBqD4h1OR4uWev2Bld4FdwnSAVlX/ioKhxWM0Q0BH9W 2dKgVyUbWBE97w5KiSe0PllTdf0J/ZaNKfdmuxs7riBvcki1KesjycUdNthlgK+e KQkCIlKsMPyJ1RirldPd7NTqOmfM2w== =53kw -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191016121227.GA4164%40mail-itl.
[qubes-users] QSB #51: Insufficient validation of backup compression filter on restore
`qvm-backup-restore` or when the "Verify backup integrity, do not
restore the data" option is selected in the "Restore qubes" GUI tool.
Patching
Note: Patching is not sufficient to recover from a compromised state. If
you suspect you may have restored a malicious backup, see the next
section for details and recommendations.
The specific package that resolves the problems discussed in this
bulletin are as follows:
For Qubes 4.0:
- qubes-core-admin-client version 4.0.27
The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:
For updates from the stable repository (not immediately available):
$ sudo qubes-dom0-update
For updates from the security-testing repository:
$ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.
Securely Restoring from Backups
===
The safest way to restore from a backup is to do the actual backup
processing outside dom0.
1. Install the `qubes-core-admin-client` package in a domU.
2. Authorize the appropriate qrexec policies in the domU:
- admin.vm.Create.AppVM
- admin.vm.Create.TemplateVM
- admin.vm.Create.StandaloneVM
- include/admin-local-rwx
- include/admin-global-ro
3. Use `qvm-backup-restore` in the domU.
In a subsequent update, the above procedure will be automated with a new
`qvm-backup-restore --paranoid-mode` option. See "Compromise recovery in
Qubes OS" for details about how to use this mode. [2]
Indicators of Compromise
It is possible to manually inspect the header of a backup to observe
whether the vulnerability has been exploited. To do so, inspect the
backup as follows:
1. Verify the backup header integrity according to the "emergency backup
restore without Qubes" instructions for your backup. These vary
depending on the age of the backup, as the format has changed over
time. [3][4][5][6]
2. Check the "compressed" and "compression-filter" header fields for
anything anomalous. For example, you may see something like the
following:
$ tar -ivxf qubes-2019-08-06T121200 backup-header{,.hmac}
backup-header
backup-header.hmac
$ scrypt dec backup-header.hmac backup-header.ok
Please enter passphrase: backup-header!
$ cmp backup-header.ok backup-header && echo ok || echo wrong
ok
$ grep -E '^(compressed|compression-filter)=' backup-header | cat -v
compressed=True
compression-filter=gzip
If you see anything other than `True` and a legitimate compression
filter like `gzip` or `bzip2`, this may be a reason for suspicion.
It is worth noting, however, that depending on how a malicious backup
has been stored and/or transferred to the machine on which it is
restored -- and depending on the sophistication of an attacker -- a
previously malicious backup may have self-modified to appear benign
after the fact as part of its exploit payload. Therefore, this should
not be considered an infallible way to detect malicious backups. Storing
the backup exclusively on immutable media throughout this process can
provide further assurance.
The possibility of other similar vulnerabilities cannot be completely
ruled out, so restoring backups in a deprivileged manner (outside dom0,
as described in the previous section) is still recommended.
Credits
===
This issue was discovered and reported by Jean-Philippe Ouellet
, who also provided a fix, a PoC exploit, helped with
mitigations for this general class of issue in the future, and wrote the
initial draft of this advisory.
References
==
[1]
https://github.com/QubesOS/qubes-core-admin/commit/0cd8281ac10ee06f4b2fce9f86e27eb25292bc25
[2] https://www.qubes-os.org/news/2017/04/26/qubes-compromise-recovery/
[3] https://www.qubes-os.org/doc/backup-restore/
[4] https://www.qubes-os.org/doc/backup-emergency-restore-v4/
[5] https://www.qubes-os.org/doc/backup-emergency-restore-v3/
[6] https://www.qubes-os.org/doc/backup-emergency-restore-v2/
- --
The Qubes Security Team
https://www.qubes-os.org/security/
```
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl132uAACgkQ24/THMrX
1yz8hAgAlEckGMXQShcIyA2ilJuTY5LCwdHyG0V/y0o/J7qlYMsTYPpGPX0HwL7f
4lvmlCIWgPzmPHh+VUh7+VeJ87h1ZU+E0byIc/9LTxY55C713/L545hnV3ErYIhT
1M3z967WmdsqFSXOAGEZrE9ZMLOOsoj1nIjFTWbqL/SUGee0EcGAd6C7RWFzcojd
7mczXSGoi4zqW+yIDniMzqNPmSidZOJdaelkAWf7Y4ZmeJtY95hZAb9Vja0k0lnp
dNXbEo/VQzwGRZ5E9UleWdcklYPNYaY1pmwUJQFcp/LVDWM1T0olJnPptGdmi5da
Ni2ZvsVuIRozXdNoOUlhO0j8AallVg==
=suB1
-END PGP SIGNATURE-
--
You received this message because yo
Re: [qubes-users] Moving Qubes+VMs to Larger SSD - How to Handle Storage Pools on Other Disks?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sun, Sep 08, 2019 at 07:16:34PM -0500, Andrew David Wong wrote: > On 07/09/2019 3.28 PM, 'Heinrich Ulbricht' via qubes-users wrote: > > Here is an update on how my migration from SSD_small to SSD_big is going so > > far. > > > > Just as a remindet this is the challenge I face: > > * dom0 SSD has 100 GB capacity, ~10% of this is free (that's why I want to > > migrate to a new SSD) > > * external storage pool 1 has 1 TB storage, AppVM *1* with < 500 GB private > > storage in use > > * external storage pool 2 has 1 TB storage, AppVM *2* with > 500 GB private > > storage in use > > * I want to migrate everything via backup+restore to new disks/pools > > > > *Here is what worked* > > * backing up App VMs from all 3 pools using built-in backup mechanisms (UI) > > - cool > > > > *Here is what did not work* > > * *verifying* the huge (400-700 GB) backups *did not work* since this > > filled up my dom0 pretty fast and then failed -> this is the reason why I > > resorted to what Andrew wrote: having the original still in place while > > restoring to different disks, not overwriting anything, just in case > > restoring fails > > * *restoring* the huge (400-700 GB) backups *did not work* since this > > filled up my dom0 pretty fast and then failed -> this is exactly like > > donoban wrote; I managed to work around this for AppVM *1*, NOT for AppVM > > *2* (yet) > > > > To restore AppVM *1* (< 500 GB) I modified *restore.py > > <https://github.com/QubesOS/qubes-core-admin-client/blob/9158412a24da300e4c54346ccb54fce1e748500f/qubesadmin/backup/restore.py#L858>* > > > > to restore to another location than */var/tmp*. The easiest for me was to > > create a new (temporary) AppVM in my new 1 TB external storate pool *1*, to > > increase its private storage to 500 GB, to mount its private volume to dom0 > > and to use this path as temporary location in *restore.py*. So I was using > > my 1 TB disk both as restore target and temporary location for backup > > extraction. I was lucky - the pool filled up to 99.8% and the restore > > succeeded. So currently it seems you need double the amount of storage your > > to-be-restored AppVM consumes to restore the AppVM. > > > > Now there is one challenge left. I have to restore AppVM *2* which is about > > 700 GB. To my current knowledge I would now need to have twice this amount > > to restore - which currently I don't have. This is why I'd like to somehow > > slow down the extraction. donoban mentioned this is possible. I had a look > > at restore.py > > <https://github.com/QubesOS/qubes-core-admin-client/blob/master/qubesadmin/backup/restore.py> > > > > but honestly have not idea where to start. I also currently don't know how > > the different extraction processes interact and how the backup is > > structured. > > > > Can anybody suggest a modification (or hack, however dirty - it's meant to > > be temporary) to restore.py so it won't need 700 GB of additional temporary > > storage when I try to restore my 700 GB AppVM? > > > > Thanks for all your input so far. Knowing that dom0 could fill up certainly > > saved my some hours of questioning life. > > > > Sorry to hear about the problems. I'm surprised about dom0 filling up. I > thought we had solved this problem a long time ago. I remember running > into the same problem years ago, and I thought we had subsequently > moved to restoring in smaller chunks so that only a small amount of > temporary storage in dom0 is required when restoring. > > Is this not the case, Marek? It's this issue: https://github.com/QubesOS/qubes-issues/issues/4791 In fact, I do have part of the fix already implemented. Hopefully will have the other part finished this week. In the meantime, you can try some naive methods of slowing down the extraction process, for example by attaching strace to it (`strace -p $(pidof qfile-dom0-unpacker)`), or pausing it from time to time by sending SIGSTOP signal (and then SIGCONT to unpause). You can do it in a loop like this: pid=$(pidof qfile-dom0-unpacker) while kill -STOP $pid; do sleep 30; kill -CONT $pid; done - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl11ppYACgkQ24/THMrX 1ywFqQf+P3sJIPpk7UOI09+rITICJB6LWm310nKRaJ0sx/lcSkjNH6tAQuF2Z8Nn G0mepvBBG9bEfUUMGfxurn4ud0exbCz4W/AH8DEpAFuF41BSsTtXKsUCT278W3SP A8ifNW
[qubes-users] Re: [qubes-devel] qvm-create-windows-qube Automatically creates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, Aug 19, 2019 at 11:22:21AM +, 'crazyqube' via qubes-devel wrote: > I just made my solution for fully automatically creating and installing new > Windows qubes from scratch public! It pre-installs Qubes Windows Tools and > Firefox so now you don't even have to open Internet Explorer to download a > good browser! (lol) > > It's currently ready for use at: > https://github.com/crazyqube/qvm-create-windows-qube > > If you have any issues or suggestions then by all means create an issue and > I'll look into it. I haven't looked into details nor tried it yet, but on the first sight looks really cool! - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl1cX68ACgkQ24/THMrX 1ywF4gf+I6MNGnhkiNlujuCpwVOojWyltxU7zpagpHJVr6dax/L+N95ySQlFhynI cIPN50yCwPT3ZBplTneQstYEZnYxd8QMqz3+0A7eaOr3U+ivZZXy/zSJvhVxEwMf 0/BiIoZMNjskprMzO7lx9FExpx3ginyNTvZt9zfo/J//rOTBrwJF7A8TI+yTFe9T wfypj/Mtys7KnAlLuCFtnyKlgiZxhtDhjF1IxTrLuPAK+Jy6mSOlGTDCamZrjn+L ZoHfeX/eEc2hrM1M+0zPJvysdCU8opwX3sdS13m2uq9Kp7byoNeCC2bI9rlX1KSC 84tH9paKxqGK8oP9d2f93eF4H3Pefw== =YRT5 -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190820210134.GJ1457%40mail-itl.
Re: [qubes-users] Re: Sorry, we cannot find your kernels...
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sat, Jun 29, 2019 at 04:22:08AM -0700, Chris wrote: > Yup. Down for me too. > The update servers were down earlier today. Not sure if related. Yes, it was related. The late Friday's problems resulted in some mirrors picking up empty directory. Should be good now. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl0Ym/sACgkQ24/THMrX 1yyS9Qf+PGLoeerd0+jcdz9Ivy/ugcvSf2mAgTLgtA0frg+3FuhnEgSgEIfD7S4K 3Hdnudw+jzYVHk00T7iB1e9Y86bA9f1eeo1wWYIY04ymVQZu+BXU4nrFFqYLnvsL Fo8agfa9kq/GhjGK8YWGGh/2rHnuelriQ/rtN2Pj8I4w0sZ2vVOk3kQ4qrLJlmHf 5ROdN+8Cllgl8sp41aV/ev+UcR3oDfSW0nV9rDIf0Jhb3Xdvoaj+LnJTlTQ+mD7p 3Qya9Ag3o+IKXliNfitcPzhvZT9YogWPfQfAZdLq7XfVXtaD6AytTCWwkffiNPgN PKznbZ6qpcPKp3Jt1nZUG1dlYUfbNw== =PMuV -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190630112443.GB16142%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] qubes update servers down?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sat, Jun 29, 2019 at 12:45:51AM +0200, Marek Marczykowski-Górecki wrote: > On Fri, Jun 28, 2019 at 09:43:19PM +, mossy wrote: > > Hi, > > > > Updating my qubes templates (debian-9, fedora-29/-30, whonix-14) have > > been failing all day with `Failed to synchronize cache for repo > > 'qubes-vm-r4.0-current'` > > > > There's also this bug report: > > https://github.com/QubesOS/qubes-issues/issues/5130 > > > > Any updates? > > Indeed there is some problem. Working on it, should be back in few > minutes (hopefully). Took more than few minutes, but it's back online. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl0Wst0ACgkQ24/THMrX 1yzgeAgAhuKNpNEVUnRHqjlikyunb8imNWOWGyGVtli9v4XKDLCqSUt0BP+TVy+D ARg/Q6xMXKkDO7Gyn65bvjhogsqb/W6cupgRVroupu0Vjlxqo7slI6T7KyW58170 d9ej1vE9HFY594Ge77iA9xu+Ty02g49tLTYTbWgy1wZqp4fAR3ocBqFaY+y5+ZrK 3S34c1vNXrAuwfPLT/mxQBo8wkFR8WmS1zth0/zQ/XQ3EOaMHqFnihmYg8USdiik efXXpayG1wo90IlUmvKe8j+eLz7M/5oSurt5ioZlqt6AjZUUAwXQN7nuBGuQnroX SbXwFbsZvY/eD7IsnW6h6OHdJtEnmg== =M6XH -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190629003747.GY1423%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] qubes update servers down?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Jun 28, 2019 at 09:43:19PM +, mossy wrote: > Hi, > > Updating my qubes templates (debian-9, fedora-29/-30, whonix-14) have > been failing all day with `Failed to synchronize cache for repo > 'qubes-vm-r4.0-current'` > > There's also this bug report: > https://github.com/QubesOS/qubes-issues/issues/5130 > > Any updates? Indeed there is some problem. Working on it, should be back in few minutes (hopefully). - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl0WmJsACgkQ24/THMrX 1ywIKgf/Z/prJo24uRatUhvLMkCNViL0gNGAd5aRNxpRRF2GYM6sJbN6s+mTeezR 9VOGLKF1CyiQfY1PVYNrJub7p5YabYH2fiAQdOe2ynTYrPjNiob8K9lYHapnnTwl azMDv3b9eGq6xZOTPfUeAYCCqQ0qB3fFWnft2mJpVAYY1j+PIZhuH885SEavpwZZ seDcvbUWMFhNfpLDf589N0+mzGYa9zJ1r6ux99f2yUK+jOLDy/B7Y65vf1Vqoh6v xrbb4HdwPZxvScmey1me/j0uYLCGM9rSXo1ezzqcVCoC+riE3sxJiFen8yz+U7xa Tkvul/sOHLkhaoXbkXpdepizLHb66A== =pD2m -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190628224547.GA16142%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] qubes-dom0-update keep showing the same already downloaded packages.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Jun 14, 2019 at 07:03:01PM -0700, pixel fairy wrote: > On Friday, June 14, 2019 at 6:18:39 PM UTC-7, Andrew David Wong wrote: > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA512 > > > > On 14/06/2019 8.16 PM, pixel fairy wrote: > > > every time i run qubes-dom0-update, it keeps re downloading a set of > > > packages that seem to already be installed. this doesnt seem to prevent > > > actual updates, but it does mean somethings wrong. ive tried clean > > > packages in dom0 and sys-firewall, but that doesnt help. any ideas? here > > > what it looks like right after running it, rebooting, and running it > > > again. any idea what caused this, and how to clear it? > > > > > Try `sudo dnf reinstall `. Details: > > > > https://github.com/QubesOS/qubes-issues/issues/4792 > > thanks. that worked for everything except kernel and kernel-qubes-vm. how do > you get the kernel ones with .rpm? qubes is already past the kernel versions > that are stuck still downloading, so dnf --reinstall kernel says nothing to > do, and rpm --reinstall (without the .rpm as the thread specified) fails > because the newer one is already installed. should this thread continue on > that issues page? Do you have already newer kernel version installed? If so, dnf is picky and refuse to operate on older packages in most cases... But also shouldn't download old package when newer is already there, unless you've explicitly requested it to do so. But you don't have newer kernel (like 4.19.x), running `dnf update` or `qubes-dom0-update` after doing reinstall for other packages should help. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl0G1CUACgkQ24/THMrX 1yyzwgf/Y0wWYi6K6F0JZtzuT8iqgFvXNY2Y/ZvX13Asr0u+ssf2p4CJd/XgTaNQ y5qwUdt7RXe7nQx0lxjlulmaSP6xz9cIQ7LQwyEQLTAtXHBIUg/yWWrZveEGnBkF HQwIKkk+JIsHiI2+YSEUBYUTrfa7NVi6bG3DN1PRydmpXVGsaYQgtK9QiUOpT0Zm nbs8lcsWd510G+1nONnRw2qLclbG5YutzSgkbuz63RQ6al6okOM5B8UOMgMqmBhC FddGbG2GcTf7CGLRjPshbewvXJ5xHbswOs8YNNhoZtKWCmE4/r1wQiFoogm9gjLL zzoyRoggAg4qER/+Zm9DPwZd6Rq8Zg== =HPrA -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190616234334.GA10653%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-devel] Re: [qubes-users] Fedora 28 has reached EOL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, May 30, 2019 at 02:38:46PM -0400, Chris Laprise wrote: > > I'm getting strangeness from the fedora-30 release: > > 1. As soon as the template installed I started it and ran 'dnf update'. It > downloaded repo data then said 'nothing to do'. Less than 2 minutes later I > get a popup saying fedora-30 has updates available I run dnf update > again and there are 219 packages to update. This is dnf thinking metadata cache is up to date. dnf update --refresh should do the job. > 2. Trying to remove thunderbird, dnf wants to remove 67 packages incl. most > of qubes*, nftables, salt, tinyproxy. It would be good to be able to remove > thunderbird or other large apps without the OS crumbling to pieces. Try dnf --setopt=clean_requirements_on_remove=0 remove thunderbird clean_requirements_on_remove=True behaves like 'apt autoremove'. And qubes-vm-recommended depends on thunderbird-qubes, which depends on thunderbird. So when you remove thunderbird, qubes-vm-recommended needs to be removed too. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlzwJL0ACgkQ24/THMrX 1yyxjwf/V6DPJ7x7+e4IrO3vEeX+3iWHQLBg065Q1Z5lT/GU7Rw0Jsu0efP66VyA 71la73wl57cGkbbFT/zxvX7ivuyiIsFU2PvAsTbEBZ6GTUUzLZUU5MCdvmQ7ug1F C//vqz3Hwke+UaQ54D09Gx/ur67BEWve6aMQq9iwJMGgV9/jBtVRehQV1S/pGMLH AbNCwCeigTPdhK+i36gdHQByLPZ+9H4rpd0CdUzdaFiKY1d94SgLRPa2Roodpcc4 HstUhGtjKAyV4KVX7LSqbUwJLjGV1n6kLaWi81hHf7fWSSbyjLV0hTyBbOHj1S/s 19RAP3obd+q/blHeVilVBxWL5JJuWg== =m8oh -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190530184517.GK1793%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] kernel panic with new 4.19.43-1.pvops.qubes.x86_64 kernel
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Tue, May 21, 2019 at 11:42:57AM +1000, haaber wrote: > > > b) are sym / hard links in /boot allowed ?? I guess only the content of > > > /efi/EFI/BOOT must be an actual file : the content of /efi/EFI/qubes/ > > > should be handled only by the fully-booted system (when updating), but > > > never by the boot-loader, which, badly enough, insists on /EFI/BOOT. So > > > could files in efi/EFI/qubes be sym'linked ?? > > > > This unfortunately won't fly. EFI System Partition (ESP) is accessed > > directly by UEFI and needs to be FAT32, which does not support symlinks. > > right. From my old-day knowledge of FAT, hardlinks are possible (though > not really intended) -- meaning that one could hack it to an "unclean" > fs. Probably a bad approach, I would have to re-hack it after each > fs-change. > > More natural: is there a way to change the name /efi/EFI/qubes into > /efi/EFI/BOOT ? That would solve all issues most elegantly (and avoid > the annoying copy & rename procure after each xen-update). Couldn't find > "EFI/qubes" in any config file, though. Bernhard If that's internal disk, you should be able to configure UEFI to use /boot/efi/EFI/qubes. In fact, installer should do that for you... You can do that either in UEFI setup (some vendors have include it somewhere near boot order setting), or using efibootmgr from within the system. You want to configure it to boot xen.efi. As for efibootmgr, see the last step here: https://www.qubes-os.org/doc/uefi-troubleshooting/#installation-finished-but-qubes-boot-option-is-missing-and-xencfg-is-empty If that doesn't work with your UEFI, your option is to move EFI/qubes/* into EFI/BOOT/ after each update. The path is included in relevant packages, so you can't just configure it different. But you can move bigger files (xen.efi, vmlinuz, initramfs) instead of copying to save some space. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlzjsYoACgkQ24/THMrX 1yynVggAlT5YRHvBk+zAvWi3I4aIakjwgTl3BOfs8jIHOZhR+IqESW/i0aQTFKgR cnXj00PvrV1Y0IoCRIzNYpJQAU1nSN9NgI8g/m+FJWPkQ9KKgZvulC39Eh4eQB4e MBmqB2Uzu1w3bepygVh7w02IfOaNtlUOWbe18dWOhXdlPtnZ6Y/O+zeW43Y+djAY 2VsbNlKeuh2y7P0l2/qUbMYYN7Y4Me9mEmFvJG1qNdHD7ErExJdre23LXHr0GGsI cX91O/E08ogIp2cbTKkoaOUQm3HPSbo41926k/SJBsbjmlXw1+tiILxbjSJMXjKp S0e52ptKrDZ4uX9Di3lXub3rootENg== =39sz -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190521080633.GF1502%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] kernel panic with new 4.19.43-1.pvops.qubes.x86_64 kernel
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, May 20, 2019 at 02:36:15PM +1000, haaber wrote: > Right, thank you Marek for the quick answer. The bad thing is that /boot > in std UEFI install is 200M - which is definitely too small, if you need > to "double" all files - one copy in efi/EFI/qubes and another one in > efi/EFI/BOOT (I suggest changing the automatic-install partition scheme > to use rather 500M for /boot), since "doubling" makes 6-8 kernels to > hold instead of 3-4 ! What would be best remedy? I see two solutions. Bigger /boot/efi is already the case for R4.0.1 installer. But initial R4.0 indeed had 200M there. > a) enlarge /boot (but I only have /dev/nvme0n1p1 200M EFI System and > /dev/nvme0n1p2 238.3G Linux filesystem which means that I would have to > shrink the thinpool inside the second partition ... I am afraid that a > full re-install is faster than solving all issues that will arise from > such an attempt!) Yes, resizing in this partition layout is non-trivial, reinstall may be simpler. Alternatively, you can remove older kernels and reduce installonly_limit option in /etc/dnf/dnf.conf (default 3) to keep fewer older kernels. > b) are sym / hard links in /boot allowed ?? I guess only the content of > /efi/EFI/BOOT must be an actual file : the content of /efi/EFI/qubes/ > should be handled only by the fully-booted system (when updating), but > never by the boot-loader, which, badly enough, insists on /EFI/BOOT. So > could files in efi/EFI/qubes be sym'linked ?? This unfortunately won't fly. EFI System Partition (ESP) is accessed directly by UEFI and needs to be FAT32, which does not support symlinks. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlzilXoACgkQ24/THMrX 1ywlgQf/byJT0685151GAUO5BDaQQUGZCHquWNi8vp9rh0w4hGGz8wNHbggPIAxm GD4htwb7cbkp9qktuICWkUiZsBPnXJ3HlEIRZRRjbrIdslkKHS9mX0OuqlvY0RAJ flOl9DvrdVokrcPWbqg0q2aKDjffR+w7q2EE9maAJzTNd7OUk7Yk0fNpuPcYtB/x 4jWtwZPZhXV5x9QEvGihsh029JQzdyGKVgR/P43yXXT+9Befp4pXEt46bUYYBo0H Ozhtr+mPa7F/jZ5xrRaYeCT7Q52idO18T8VGY4D7+8VW7cp4bl5Y4OBX3Wu+B/gF RYWfYtgqUHDCmeBj8YECKnl1AR4tQw== =z78S -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190520115434.GA1502%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] kernel panic with new 4.19.43-1.pvops.qubes.x86_64 kernel
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, May 20, 2019 at 11:27:32AM +1000, haaber wrote: > after last update my Dell runs in a kernel panic -- reboot spiral. I > retype 4 important lines from a "photo screenshot" : > > Initramfs unpacking failed: read error This seems to be the problem. Check if you have enough space for initramfs (/boot on legacy system, /boot/efi on UEFI). If this partition is very full, initramfs wouldn't fit. You may remove older kernel/initramfs to free up some space. Then regenerate initramfs with: sudo dracut -f --kver KERNEL_VERSION INITRAMFS_PATH Replace KERNEL_VERSION with actual kernel version - you can copy it from relevant /boot/vmlinuz-* filename. And replace INITRAMFS_PATH with actual path: - for legacy: /boot/initramfs-KERNEL_VERSION.img (fill KERNEL_VERSION) - for UEFI: /boot/efi/EFI/qubes/initramfs-KERNEL_VERSION.img - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlziEFUACgkQ24/THMrX 1yxiuAf+OiwCg8B7mVbe8prB7aBEbm56jpAR9p68EHRDd22yvCVKCKHyWFEQDfeL 8/8tI2AKuXbiPNLpD/895CQiOrP4sn0uhQ0f6B5T2ci1qmJuOxUHITo6ex6ZWPkV FEOvgO++LJDYh3zLUFSuO8S+TvtuIbpIeH/q0FBAzRy3LUK74yvqsceJVXVEejl2 SvaynQ+eNZ77AC7mSwJgldm9zt8T8pu38+lz5VW4XRF0nOxQpDDmxM0S5Sglj9TF rgBuTb1dO5fCnMTzbXsJAkm8RwPkr8bYENbEQl3iKFi40sNRrgTFyupglSZzfg4Z IprykmYvN5kBqqUAfccUAa9POSquvw== =MDy4 -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190520022629.GA15172%40mail-itl. For more options, visit https://groups.google.com/d/optout.
[qubes-users] QSB #49: Microarchitectural Data Sampling speculative side channel (XSA-297)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Dear Qubes Community, We have just published Qubes Security Bulletin (QSB) #49: Microarchitectural Data Sampling speculative side channel (XSA-297). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack). View QSB #49 in the qubes-secpack: <https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-049-2019.txt> Learn about the qubes-secpack, including how to obtain, verify, and read it: <https://www.qubes-os.org/security/pack/> View all past QSBs: <https://www.qubes-os.org/security/bulletins/> ``` ---===[ Qubes Security Bulletin #49 ]===--- 2019-05-15 Microarchitectural Data Sampling speculative side channel (XSA-297) Summary On 2018-05-14, the Xen Security Team published Xen Security Advisory 297 (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 / XSA-297) [1] with the following description: | Microarchitectural Data Sampling refers to a group of speculative | sidechannels vulnerabilities. They consist of: | | * CVE-2018-12126 - MSBDS - Microarchitectural Store Buffer Data Sampling | * CVE-2018-12127 - MLPDS - Microarchitectural Load Port Data Sampling | * CVE-2018-12130 - MFBDS - Microarchitectural Fill Buffer Data Sampling | * CVE-2019-11091 - MDSUM - Microarchitectural Data Sampling Uncacheable Memory | | These issues pertain to the Load Ports, Store Buffers and Fill Buffers | in the pipeline. The Load Ports are used to service all memory reads. | The Store Buffers service all in-flight speculative writes (including | IO Port writes), while the Fill Buffers service all memory writes | which are post-retirement, and no longer speculative. | | Under certain circumstances, a later load which takes a fault or | assist (an internal condition to processor e.g. setting a pagetable | Access or Dirty bit) may be forwarded stale data from these buffers | during speculative execution, which may then be leaked via a | sidechannel. | | MDSUM (Uncacheable Memory) is a special case of the other three. | Previously, the use of uncacheable memory was believed to be safe | against speculative sidechannels. | | For more details, see: | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html | | An attacker, which could include a malicious untrusted user process on | a trusted guest, or an untrusted guest, can sample the content of | recently-used memory operands and IO Port writes. | | This can include data from: | | * A previously executing context (process, or guest, or |hypervisor/toolstack) at the same privilege level. | * A higher privilege context (kernel, hypervisor, SMM) which |interrupted the attacker's execution. | | Vulnerable data is that on the same physical core as the attacker. | This includes, when hyper-threading is enabled, adjacent threads. | | An attacker cannot use this vulnerability to target specific data. | An attack would likely require sampling over a period of time and the | application of statistical methods to reconstruct interesting data. This is yet another CPU hardware bug related to speculative execution. Only Intel processors are affected. Patching = The Xen Project has provided patches that mitigate this issue. A CPU microcode update is required to take advantage of them. Note that microcode updates may not be available for older CPUs. (See the Intel advisory linked above for details.) The specific packages that resolve the problems discussed in this bulletin are as follows: For Qubes 4.0: - Xen packages, version 4.8.5-6 - microcode_ctl 2.1-28.qubes1 - kernel-qubes-vm package, version 4.19.43-1 (optional) The packages are to be installed in dom0 via the Qubes VM Manager or via the qubes-dom0-update command as follows: For updates from the stable repository (not immediately available): $ sudo qubes-dom0-update For updates from the security-testing repository: $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing A system restart will be required afterwards. These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community. If you use Anti Evil Maid, you will need to reseal your secret passphrase to new PCR values, as PCR18+19 will change due to the new Xen binaries. Credits See the original Xen Security Advisory. References === [1] https://xenbits.xen.org/xsa/advisory-297.html - -- The Qubes Security Team https://www.qubes-os.org/security/ ``` - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl
Re: [qubes-users] Update checking over clearnet instead of Tor?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Tue, Apr 02, 2019 at 01:20:54PM +1100, haaber wrote: > > On Tue, Apr 02, 2019 at 07:19:46AM +1100, haaber wrote: > > > > > > So do I understand that correctly: if I have, say, a debian-XYZ AppVM on > > > clearnet it will check if the corresponding template needs an update, > > > unless I de-activate the qubes-update-check service? Thank you > > > > Yes > > > > Oups ! To me, one of the points of using tor as upgrade-transport-layer > seems to me to render "aimed attacks" on *my* machine much harder. Is > that a misconception? > Assuming that 'yes', an attacker would typically see clearnet apt-update > preceding a tor-based upgrade -- and could be made a reasonable guess > *who* is upgrading (I don't think there are millions of qubes copies > running, right?). This opens a (admittedly) small, probability-based > attack surface, that comes only with small gain, if ever. Do you agree? The updates _check_ only needs to download repository metadata, not actual packages. Qubes based on a template do that from time to time, using own network connection and report if there are any updates available. When you actually download and install those updates (over Tor) in the template is up to you, it isn't immediately after checking if something is available, so time based correlation isn't really an issue here. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlyjhOoACgkQ24/THMrX 1yzrVgf/cpAa8ZF7aw1UUkMVW3L+YndBFVOmH0vG1XZ1ppQ3RqG/5OpZnG+eSaQV l2iyMMWpSDKY6niHEEhXIHBGO17ABmZcybvMe8jGtovm6e+kwRa1ef1yarSI3aLL W2IcAFoo2XYRVpO+/sGWFD0WHNdIzqcVVNK5o45MKnJPgb+ZQ3+Wg7h9nbU3NCMh zTlUHjW59gGgx1IKtylc69IM/zgBxKysfrC6SuTRTid2YGpUNfqyMR+oj+FEa2W9 VMoySbjOUnAxrOydvFyUL8vTZ/w1rDNpGAoWyUBcCoUmpDW9ZdfCCYuO1l2fWbE6 SZexjBIGsEzKbDfm2dD9HQT4VPicbQ== =bswd -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190402155106.GA22235%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] [4.0] Kernel panic in HVM
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sun, Mar 17, 2019 at 04:02:31PM -0700, Vít Šesták wrote: > Hello, > I have tried to boot Fedora 29 Silverblue in a HVM from the official ISO. I > have noticed that there is some kernel panic before the HVM shuts down. The > problem is that I cannot read it. Is there any way to read it, e.g., by > disabling the automatic reboot somehow? Try pointing kernel at hvc0 console (console=hvc0 kernel arg), then you should get it in /var/log/xen/console/guest-VMNAME.log. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlyO7cAACgkQ24/THMrX 1yxDRgf+MLv90YwLeNuw5fhZQb2Qh3krQaA6ogJaEmFxvpR/kLpElvNxhl3p8UCU Kgna/yQOnOBb2bHMFJTnUfH1pEdvr0zPk+OvY+DljeOt0hbhagLgmaIHBHGoqOng C1ugesrBAVkvoMHvF8i9ndllQXZNtILF//Brd/BVctGW+qe5sv8Q5VuetBo9TqVL 8REEHmue/z4QQ+25NT5L4eFnmjfLS/9R1ayd9cMK+J1STwiJcuorjv9SDmd0p/O5 WGNGXVIzw9WSUe5Psr0G5n9EVFA0VjPZqoITRrONTVeBq3K4aKL21uysjF4FJgIb USXg57YnD5tH/dVFdZh9Il7qUvE2lw== =a+tu -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190318010048.GB10743%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] vchan doesn’t work on recent mainline kernels
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Mar 13, 2019 at 01:07:20PM -0400, Demi Obenour wrote: > I built a Linux kernel from Linus’s git master, with a slight modification > (u2mfn module moved in-tree). The resulting kernel does not work with > Qubes: libvchan gets -EINVAL from mmap(). > > Any suggestions? Can you post more details? Specifically preceding operations on this FD (should be /dev/xen/gntalloc or /dev/xen/gntdev). BTW u2mfn module isn't used by libvchan for a long time. The last its user is gui-agent and even this isn't the case anymore in R4.1 (gui-agent-linux master branch). - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlyK+GoACgkQ24/THMrX 1yzXwgf/f2ivrNx1yZJd+GiLQg3Nevr3rAFuEec0X+jKdiyNDqh4sRay8bnHnNM7 4anQJ51abzfEGrJ5kpsVDZxsD7/QhF6DIQLb7StwjOFVon85+r/CeJpDjNplnAIz 8mO10Jo8LPQHyUzYjZ0Vb/OLadY7qkEfXITrOaCjv88ZX/fCdDwLEnujhe0AbCk1 TxQ8ALHggzoUwt3ThdRgAMwGLZSn0uqhYF8X4WfOn0EodSoT9c0ruhUDcj1oJ7+r f+2fquIpTQaBjvnr+pFZjQPcVbI2Pq7i/k4cuSEZ7TocstIG3OFQrd19zPj8C1l8 o4y0w2Rl9ANCNVwkJH8gecKC9juuuQ== =DDPj -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190315005714.GA10743%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Can't set default_target to @dispvm:foo in policy
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Mar 08, 2019 at 01:36:51PM -0800, Ryan Tate wrote: > I was trying to have a qubes.OpenInVM policy that would pre-fill a target in > the permission dialog when the destination was an inside of a certain dispvm. > > Specifying the destination vm (#2 entry) in the policy works fine to specify > a dispvm instance. > > But specifying the default_target (part of #3 entry) in the policy as a > dispvm instance fails. > > For example, this WORKS: > > $anyvm @dispvm:dvm-print ask,default_target=work > > ...but is not what I want. > > What I want is this, but it does NOT WORK: > > $anyvm @dispvm:dvm-print ask,default_target=@dispvm:dvm-print > > The resulting dom0 prompt at the top says "Domain '@dispvm:dvm-print' doesn't > exist". > > What I expected is the dom0 prompt would have "Disposable VM (dvm-print)" > entry pre selected. > > Seems like a bug? Indeed. Could you report it at https://github.com/QubesOS/qubes-issues/issues ? - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlyDAuQACgkQ24/THMrX 1yw38AgAjaUCJl41T2Es03HEhGWkcIH3attyJ2rKcqup5omzxiyTdr5gHWrsDP+3 2bLyP/P2em71tcbE0Pu5yzqDBAhJtVA8kUZuCqvQdyScMpPgPGhI2di1FY8zsAsH AuFBFn9SJfpxANfZAp7dKUjKQ3bg8CKVVNL6cTOSmHwyUHIOdz3ClH9rd02PhJKT ZV5bLTogDua5V4xrGvEFDrfHMnxdwsUUSjIWuQmqI4x9lmVfOlxExTZDcXRewz8h evij5cDIl7O1lXW1YFXQd87VOfJJldbLmHvqV1QN8jPrbuR+0kQft0IgpmOcAcgT C1iILR0UxBwo/+77rfJk2BB5CFT64w== =i/lY -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190309000348.GJ9610%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] where/how does dom0 gets its icons? ANSWERED
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sat, Mar 02, 2019 at 05:32:19PM -0600, Daniel Allcock wrote: > Thank you to unman for giving me the thread to follow. > The way the icons are chosen could be improved easily. > I'd be happy to contribute a patch if I knew the procedure > for doing so. (It would not touch dom0.) Happy to hear that! See here: https://www.qubes-os.org/doc/source-code/#how-to-send-patches > To close out the thread, here is the answer to my question. > The process of updating the Q menus is controlled by dom0's > /usr/lib/python3.5/site-packages/qubesappmenus/receive.py. > When updating the Q menus, dom0 first asks the vm for its > desktop files. The vm provides these using > /etc/qubes-rpc/qubes.GetAppmenus, which is a shell script > that jumbles all the desktop files on the system > together and sends to stdout. dom0 sanitizes and parses this, > and assembles the results into a bunch of desktop files in > dom0's ~/.local/share/qubes-appmenus/VM. As it is doing this > it notes which icons specified in the desktop files have > relative paths (typically, all of them). For each icon name, > dom0 asks the vm to run /etc/qubes-rpc/qubes.GetImageRGBA > and deliver the resulting icon file to dom0. For icons > described by a relative path, the first thing > this shell script does is resolve the icon name to a file name using > /usr/lib/qubes/xdg-icon, which is also a shell script, and is > where the actual resolution takes place. Yes, exactly. The VM side of this is here: https://github.com/QubesOS/qubes-core-agent-linux/tree/master/qubes-rpc > This resolution is simplistic. It uses a fixed list of > icon theme names (on my system: Humanity, Adwaita, gnome, oxygen), > followed by any additional icon themes in /usr/share/icons. > The first theme that has a suitably named icon is the theme > whose icon file gets used. I don't have Humanity installed, so > I was getting Adwaita icons every time, and overwriting them > was the only way I could change my icons. > > A simple fix is to insert my desired icon theme at the beginning > of the fixed list of themes. This is not the right > way to solve the problem in general. To solve it properly would > require deciding what the right behavior is: should the theme > used in dom0 (meaning: one of the same name) get used? Or should the > theme preferred by that template's user account get used? Not > sure what the most natural answer is. But I'm satisfied for now. I think the logical thing to do, would be to use template's preferred theme. If desirable, there could could be a mechanism to synchronize it with dom0 theme. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlx73fkACgkQ24/THMrX 1ywLBAf+JIaGwRS1JyzWSqc9BLZvKwt/bw8nmSJIjxJi8wohdiZYkTbTRNKF8s0N 6WV4Rud0+hpR9mLHP/zd+vPqoCxrpHJpj8OgzBlvwsJ5epDc5WPecBs/uXjH9u5j j2kbidAlh/Ho3Xih07irFwKtVj2asTUZt+nZIFoOLez7n/hUhrKzHALOmEMkJ7mD 5dPUbTh0awr5pa+H+NQyvwABJ0ZKmX1lLtkn87DIZoHIx9ug4vuXXEaKr3v7IzVa ongHCej32hNpfU8We7uOlQYdNnboeA9XISS06efIMabEE2BocKk9C8i3y2v+sJxp vqZgmQPaLgUGa6YryFCQxeFJY4N2pg== =xzJo -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190303140026.GI9610%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] [warn] last whonix-gw update, ipv6 and possible VPN leak!
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Feb 15, 2019 at 09:14:51PM +, 'Evastar' via qubes-users wrote: > Hello, > > Seems after last whonix update my old VPN VM begin leaking traffic. After > investigation I found that it's because ipv6 primary connection to whonix-gw. > I guess that whonix-gw now supporting ipv6. It leak traffic through ipv6 > connection to whonix and ignore my default old ipv4 setup. > "qvm-features VM ipv6 0" fixed this issue! "0" in the command above is _not_ the correct way to disable it. It should be an empty string: qvm-features VM ipv6 '' Details: https://www.qubes-os.org/doc/networking/#ipv6 Anyway, Whonix comes with firewall rules blocking native IPv6, regardless of the above setting. If you reach some IPv6, it must be tunneled over Tor - - which does support IPv6. > But I'm not sure about all my others vpns and leaking with ipv6. How I must > fix this at vpn setup (on load) to be 100% sure that it never happen again? As Chris already mentioned, one way is to add extra firewall rules: https://github.com/QubesOS/qubes-doc/pull/795 qubes-vpn-support / qubes-tunnel also comes with relevant firewall rules. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxx5PAACgkQ24/THMrX 1yxNqQgAjVLqHETPZrpGoSIDCSEuqeK+vxsC8qjYKZnxOpUYBF4aEY54Jl1Uuo/n 9teh/XisK/25tarxSi+IZyvO//fA9KXHxB4ebFW5WJOqR3a+KakjvudXwuZFUNpv Zy76Tm6cBlnqWfCxUyJX93RX1TIysz9NoCPyqIQKeLmj01IdRmJGR8nZWnRVqzw7 7AgnCBjscz2h8WJfIZVHCefNH8uOlL3NWU7N7jzCLvVXjZ6NsWaUq3uYqbGskz6O v1X+daV1618H26NGUmg0vHUPjWvund/53uXSxuEj+bjk6ryXrtZZ8cP2u3YzqpCY QxzzLb+/HBNn1GF2ICJkT7tzWKN9Rw== =njJG -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190224002728.GH9610%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] disposible vms for sys-net, firewall, usb?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sat, Feb 23, 2019 at 10:15:32PM +0100, 799 wrote: > Hello, > > Stumpy schrieb am Sa., 23. Feb. 2019, 17:58: > > > (...) dvms could be used for things like sys-net usb and firewall which > > had never occured to me. > > I may not be thinking about it right but that seemed like a really good > > security idea, so my question is, why is that not the default? (...) > > > I am also heavily interested in running "named" disposable VMs as sys-VMs Take a look here: https://www.qubes-os.org/doc/disposablevm-customization/#using-static-disposablevms-for-sys- Multiple different DispVMs is a feature new in Qubes 4.0 and we're still exploring what would be the best configuration for disposable sys-*. > with one enhancement, that I am able to store the Wifi-Credentials in a > Vault-VM and that I can "push" the credentials into the sys-net VM when > launching it (maybe by some custom scripts which use qvm-run --pass-io from > dom0 to copy data from Vault-VM to the Sys-Net-VM). The above documentation cover this with another solution - have separate DVM template for it. This have one important advantage - will work universally regardless of configuration/tools you use, including custom VPN scripts etc. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxx0jUACgkQ24/THMrX 1yy4fQf8Ctbpd5mFk1BVx8O5EihKiJCTCFKPdUNECZ4NMRa6O3BJb2BgPR3uREu5 N+fBnDtBIrIvKADgO4LlA0FRFqKnmgwcMjOUXHu8RpFV+CjdeoJMytw9d/LWh23B w59/UQonxery+jgIgfaK86+Z6JvcytABeeZp88YOGainNEGY3YDLJMPDTf8MKrwI B+6vNdvoW6po7fC+wiO8PmNJ0flhnTfK4VutM2zY8/x6b3koYnPCbRXwlv6IrVMt k22WkCPcw90TX9AmPIo6mzn6vjwOMrPvgmpRVa9qiUeey3ww6soZ8VIupOlIBHOt cpHOd4JXml6SJY7MwmVUrgW0b3pIVg== =PfGZ -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190223230734.GG9610%40mail-itl. For more options, visit https://groups.google.com/d/optout.
[qubes-users] QSB #47: Insecure default DisposableVM networking configuration
bleVM is started, automatically set its `default_dispvm` to the DVM Template on which it is based. This means that, when a DisposableVM is started from another DisposableVM, they will both be based on the same DVM Template. Hence, they will have all the same settings, including the same network settings. This change will not affect DVM Templates for which user has manually modified the `default_dispvm` property. 2. Add a warning message in the Qube Settings GUI when the NetVM of a qube in the "Basic" tab is set to a different value than the NetVM of the default DVM Template set in the "Advanced" tab. Note that these changes concern only NetVM settings, not firewall settings. If you want your DisposableVMs to have the same firewall settings as the calling qube, you must adjust the firewall settings of appropriate DVM Template yourself. In the next version of Qubes, we will ship two DVM Templates by default: one with network access and one without. This was already previously discussed in issue #1121 [5]. Patching = The specific packages that resolve the problems discussed in this bulletin are as follows: For Qubes OS 4.0: - qubes-core-dom0 version 4.0.39 - qubes-manager version 4.0.28 The packages are to be installed in dom0 via the Qubes VM Manager or via the qubes-dom0-update command as follows: For updates from the stable repository (not immediately available): $ sudo qubes-dom0-update For updates from the security-testing repository: $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing These packages will migrate from the security-testing repository to the current (stable) repository over the next two weeks after being tested by the community. Credits The issue was reported by Vít 'v6ak' Šesták. References === [1] https://www.qubes-os.org/doc/disposablevm/ [2] https://www.qubes-os.org/doc/data-leaks/ [3] https://www.qubes-os.org/doc/glossary/#dvm-template [4] https://www.whonix.org/wiki/Qubes/Install [5] https://github.com/QubesOS/qubes-issues/issues/1121 - -- The Qubes Security Team https://www.qubes-os.org/security/ ``` - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxsitkACgkQ24/THMrX 1yy3CAf/f8Su5jWjDH6zDgCh9fLY6phWQXYZvTwU13kzCKAIBYzxUIs4cLZ1JRpG G52KmcOD62J5qgM3GBTZREYRfeI6Q0dZd8OBi4UxSfJ9BNgDAaIrTJf5J0FKfISC k+PfcxnVawrcXPjMB6rYEGbfFNp1Ykx8Tb2n0bHbgbz282kY7CgyXRlPnL9opknt ff7TmGqmPHs9qFLXZgmaPLF8VPKcTYT0OfeljvIzGGNkYVQQvoWpZVZggDJ7HbC+ 102PcExgkgkXbd+uPkDPEUynOpdXi84k8XD5r/BvglWm/qNi47OQPbg8WUOxjQWJ lBbxLpEiQxCslDwNo5xlaTJgO/I/9w== =K6hy -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190219230145.GF9610%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: QSB #46: APT update mechanism vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Feb 13, 2019 at 04:12:27AM -0800, Vít Šesták wrote: > Since Qubes 4.0.1 was released [1] before your message and before the DSA > [2], I assume it is not a good idea to install Debian and Whonix from the > 4.0.1 installation media, is it? > > If it is right, then I suggest adding a note on the download page [3] until > 4.0.2 release. Qubes update tools (qubes manager, updates widget) do include safe apt upgrade method. So, as long as you update dom0 before updating VMs, it is safe to use Debian/Whonix from 4.0.1. > Regards, > Vít Šesták 'v6ak' > > [1] https://www.qubes-os.org/news/2019/01/09/qubes-401/ > [2] https://www.debian.org/security/2019/dsa-4371 > [3] https://www.qubes-os.org/downloads/ > - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxll1oACgkQ24/THMrX 1yxRSQf/XNSo8g5Fv6Yqj6h6GDEIZ2RDeaMYall0SrB58WcYur2zgDY4mzc4suOh kXNokEhn89f2NXDiidNnpBlLrwvF4FeViRRfmZHy7eGsgIbh5IURFEtoToxKz6gw Kel+9CzlsGk6y8fnPYutU0IRZvhGQ39MQ9jOd2FLs9kLU1AzIlD/PiZ+wUEZZS2l dyn9c/a1GeHZPlRSibPHdFMkLIuZpGmfFuspwvuZOqbxg5drOQaktJjKSsDXKhHe q1EuBQU0PAZ5LtKe44vSqFo2z73GqeReCpJB1VNR9Ep7JIN97MLfZzGtexzFjte+ v8jU3EqjZPGNhJNFA57w1KzYbydQbQ== =2JNk -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190214162914.GE9610%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] why was DNS/ICMP removed from Qubes manager/firewall in R4?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Feb 13, 2019 at 08:42:10AM -0800, simon.new...@gmail.com wrote: > In 3, if i clicked on "block connections" in the Qubes manager firewall > section, there was (if memory serves me) an option to block DNS and ICMP. > > That is not present in R4 (though docs say you can disable DNS and ICMP > manually) > > I'm just wondering what the logic behind the removal was? I would have > thought that a general user who clicks "block connections" on Qube would not > expect the qube to be able to actually send out and receive network packets > such as DNS or ICMP. This presents information leakage scenarios (default DNS > lookups of given qube) and also potential egress vectors if a qube is ever > compromised (DNS tunnelling, ICMP tunnelling). Let me quote full text you can find on firewall tab there: NOTE: To block all network access, set Networking to (none) on the Basic settings tab. This tab provides a very simplified firewall configuration. All DNS requests and ICMP (pings) will be allowed. For more granular control, use the command line tool qvm-firewall. There is clear message what to do if you want to cut the qube from the network. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxk5lQACgkQ24/THMrX 1yzyBQf+ID5V7ema8i77kmTCnsWfNeSPUQnlTjuQbF1oNZJFNeAwAaqp3FLO+Ljt Slj7e9KjbPYrxxuW40LIL05G78Yqs/MpZ1mA6/Yfy6J2tvoluucTFvatiHqiodO3 HLqyRSehMXqqzKTHNrLrfLWWyz6ykbP/MmIw1zsxjcXj8RCNuEMc5F4qC6npluWN cahMNcZLELo4PsrjzhqTrSr0BmlVLDQ5QLwoJGi8wSDGMEIDX3qvwq56wh6O0MgR J780J043BcrIiAfZorrG+WfpLebkU9uSjmOENxcZQQwz2JmEdod9dU1vUEPSdBY1 EKOq9FhCjMI6De6nNgiMf63Y47CxuQ== =9dvG -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190214035356.GD9610%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: sudo qubes-dom0-update downloads packages but abruptly ends with a "The downloaded packages were..."
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sun, Feb 10, 2019 at 07:33:21PM +0100, Dupéron Georges wrote: > I have the same issue. I thought there weren't any new updates, but it's > been like this for a while. > > There are two updates listed, but they never get installed. > > Note: I am not using the regular sys-net as my updatevm (I am using a plain > fedora 29 VM, that is connected to sys-firewall, which is connected to the > sys-ethernet VM to which the PCI device is attached). > > Log: (...) > Reinstalling: This looks like it tries to update to the same version it already have installed. Looks to be this issue: https://github.com/QubesOS/qubes-issues/issues/4792 - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxgk/0ACgkQ24/THMrX 1yzHkQgAkeyp0rkaSYX+ysS2sdgKk/TTt8fTJohevDpdwpJIQZ1ibMXRr+J2DEWL LuOi7JWFebK53xGD6eQvu8AaCuvSNpWWf9lrdm8taPi267t1Q03bO6tJyqfOzFcU H8vMuC0rdq8JH97oCUxl5lhjDNaLX2JJmjIX43td33DANxtdgkwgVg+gPThvxWZl 6CFNEtmH5rW+5n4ISyJZ9PC4k6zzjnmnyhaak4GLCeeJ5WYYU8E1xWD4JuB/ZKcT mCH/JFgD5Bc5MS8xHYylAhBOF+gNJPOyVnb6qrxaRxmp284l1UjqtzFaiZGAeNd9 9uciJE80mKP8uh9nm8SRFtN6WfjBOQ== =JLEm -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190210211333.GC9610%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] qubes-templates-itl-testing: certificate expired. Drop https or update cert?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sun, Feb 10, 2019 at 06:23:37PM +0100, Dupéron Georges wrote: > It seems that the SSL certificate for the qubes-templates-itl-testing repo > has expired. > > sudo qubes-dom0-update --enablerepo=qubes-templates-itl-testing > qubes-template-debian-9-minimal > [...] > DNF will only download packages for the transaction. > Downloading Packages: > [MIRROR] qubes-template-debian-9-minimal-4.0.1-201901271906.noarch.rpm: > Curl error (60): Peer certificate cannot be authenticated with given CA > certificates for > https://mirrors.dgplug.org/qubes/repo/yum/r4.0/templates-itl-testing/rpm/qubes-template-debian-9-minimal-4.0.1-201901271906.noarch.rpm > [SSL certificate problem: certificate has expired] > > GPG signature of the packages is checked by dom0 anyway, so they can be > downloaded using an insecure connection, right? Yes, this does not affect integrity of the packages. > Should the httpS be removed in /etc/yum.repos.d/qubes-templates.repo, or > can the certificate be updated? This is just one of the mirrors, yum/dnf should fallback to another one automatically, doesn't it for you? Regardless of the above, I've notified mirror operator. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxgkxgACgkQ24/THMrX 1yyjLAf9G+ECqEhEd6pTsXrfhi91l+B5ULITYEcNxH5aoeS6xv+JZ+qu/WsyStfU +qV6oPaoG1fxhPGZ0wcbkiCrg9CXa5jQbpuP3WPDLeohTEwL1vI3PcIBUjyqFFXu cTUAu8Y7QLQ9BfA28e+EiMUMXyP0fq7a9EJiBh1Oa8CLkP/BRKdRLXt6794xzYaT UgCGtos3rXFMVQcntCAPG0lMgAp8Yj83XaOerCvEvj8SyQRuVAjzHq3GH7FXJVRK K8pylk49T3Od7xzgwEXFSnL8LeqneIzsHXVp9eN+O2AjKACXe1pc9qb5hyZxZwFN ACFnppacVKyQFz3wRPxNmcttLv5vdQ== =sPIL -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190210210944.GB9610%40mail-itl. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: [qubes-devel] Template disappeared: qubes-template-fedora-29-minimial
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 [Moving to qubes-users] On Thu, Jan 31, 2019 at 10:14:26PM -0800, Elias Mårtenson wrote: > I installed qubes-template-fedora-29-minimial by running the usual command: > > $ sudo qubes-dom0-update qubes-template-fedora-29-minimial > > This worked, but I messed up the template itself when doing some > experimentation. So, I removed said template and attempted to reinstall it. > > When I try to perform the reinstall, I get an error message saying that the > package does not exist. What could be the cause of this? Probably something gone wrong with removing the template. Templates which are still installed are excluded from being installed again. Verify this with: rpm -q qubes-template-fedora-29-minimial If the template package is still there, but actual template is gone (not listed by qvm-ls tool), you can forcibly remove the package with: sudo rpm -e --noscripts qubes-template-fedora-29-minimial See also https://www.qubes-os.org/doc/reinstall-template/ - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxUHbMACgkQ24/THMrX 1yxpYQgAjW/MjSP6FmBPGC8Qz/GmTDcbJ53XNAt+NQLG4PeoEclkF9bEW0SQgtwW z0jnMyPcUWTMmVW2cDwMB5v0u3AMf/ZITDvDqROj6eqE0pNlSQV5B/UTMEkvzE3u dSN+N1TpM8HbFPKY6LLYU1bRrh98GY+yQ/G40CfwPEz1cPj2U94GkHq8WqRox/Kc 6HkHIdvtuZQlCZpoGjJqMBrJcyCgECCnwsMa1vDcqf/ZpBKBrMlpEc1WKMu85hCX eHzPjAmKIwXrSeQ0KSksNJENwIcM/nJxP11TpHlOZtQeeqdmOksWNsqndWLciwN8 K0DJ4g0ttvsgqYISrn8PGGKIOF1oTA== =HJRN -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190201102138.GA2830%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] post-apt-reinstall-issues sys-whonix not connecting to tor
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Jan 25, 2019 at 04:20:50PM +0100, qubes-...@tutanota.com wrote: > Jan 25, 2019, 4:13 PM by marma...@invisiblethingslab.com: > > > On Fri, Jan 25, 2019 at 04:04:02PM +0100, > qubes-...@tutanota.com > > <mailto:qubes-...@tutanota.com>> wrote: > > > >> Thank you. Will the existing anon-whonix be recreated together with > >> sys-whonix as well? I have an anon-whonix AppVM already existing. Should I > >> back it up or chenge its name to prevent data loss? > >> > > > > No, if anon-whonix already exists, it will not be recreated. > > But note anon-whonix is based on whonix-ws-14 template, which is also > > affected. You should update it to unaffected version using one of the > > methods described in the QSB. > > Hi, I updated the whonix-gw-14 and whonix-ws-14 as well. I am planning to use > the pre-update AppVMs as a backup and transfer necessary data to the newly > created post-update AppVMs. Than delete them. > In this case, I can just rename the anon-whonix AppVM and the new anon-whonix > will be created, right? Yes, exactly. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxLKqcACgkQ24/THMrX 1yxYaAgAjuiGQxpY2tyiH62706bMQ7FejCNPdoBXwL5RzM7j6/5hYlA7cUa/L5fn Z4q/7F2k9olSQFDvobZ/PJw+cvaV8lFfNWUnSiIkgCVQ5VxZxCHmWR/QWoBf4oRE 7CGWOgT89u1jTUO595IQ3LSq7ixT5DhqhwRYc0JuWYHL0vYIMJJ3+e5X2/Y0bnNr 6DbR9EuY9F6PsLTwXLG1/Bf8XdA7MIaKVhkVQvAcvUFHvdjJIXzBT4HigjclXFzI AMgAvtEYJXiygylwlrC3fMprDYSSMmv2yDyaBMN9oQ1Q3Aw+hnb+X8unLebV5F8X hzLmEdXJ7KJJCIipvFzriOEckXqWxQ== =GgX4 -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190125152631.GJ1429%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] post-apt-reinstall-issues sys-whonix not connecting to tor
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Jan 25, 2019 at 04:04:02PM +0100, qubes-...@tutanota.com wrote: > Thank you. Will the existing anon-whonix be recreated together with > sys-whonix as well? I have an anon-whonix AppVM already existing. Should I > back it up or chenge its name to prevent data loss? No, if anon-whonix already exists, it will not be recreated. But note anon-whonix is based on whonix-ws-14 template, which is also affected. You should update it to unaffected version using one of the methods described in the QSB. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxLJ7MACgkQ24/THMrX 1yyaCgf/c6fzqF6MahYzCVd0F+KxHiTrG9mtkCDti/HnFWh+uMkwHiROMDibnrZg 0Zqy4N00vqV4fiH5UhlvAvHPS8R+naVoJ5X/9lMxrjJSBNPmMNsMW03qFFBjbBVp OPyfKPk+pfZOW6Cmo5FsU3/qYQ3z3g6b3t8S59CRGuCEFub7wBBdTEB+2E2PM8Cg dLYVTaKU3gP6XLkIM1i/F3DWrRl7LE1/xQ1qatUQQMCEt7ydT54m3LSOgqfmA/e2 VK2q8TTKCYj+gDI7SvJ53T4ndb6CQ+9u0deQ0Akmiq8ZgdsmO/avc5uCF6VOu0Mq e3R8bktGFlm8wu/pCkSq474xKEMMaA== =ttQ8 -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190125151356.GI1429%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes 4.0.x - Linux kernel 4.19.15 package available in testing repository
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Jan 25, 2019 at 01:58:59PM +0100, Patrik Hagara wrote: > On 1/24/19 5:18 PM, Patrik Hagara wrote: > > On 1/20/19 1:57 AM, Marek Marczykowski-Górecki wrote: > >> Hi all, > >> > >> There is updated "kernel" package available in current-testing > >> repository - it's a Linux long term support 4.19.x series, as an update > >> over 4.14.x before. Since the upgrade switches to the next major LTS > >> branch, I'll keep it in current-testing repository longer than usual 1-2 > >> weeks. This also applies to kernel package for VMs: kernel-qubes-vm. > >> Please report new issues the usual way, at qubes-issues[1], or > >> simply by replying here. In either case, please mark it clearly it > >> happens after updating to 4.19, preferably including a link to the > >> update: > >> https://github.com/QubesOS/updates-status/issues/850 > >> > >> 4.19.x kernel was already available as kernel-latest package for some > >> time. Users of kernel-latest will see the update to 4.19.15 too, but > >> kernel-latest soon will carry 4.20.x kernel version. > >> > >> [1] https://github.com/QubesOS/qubes-issues/issues > >> > >> > > > > I get weird graphical artifacts with the new kernel after ~an hour of > > usage. Windows from AppVMs turn all white sometimes when switching > > workspaces in i3wm. Events like mousing over an interactive table rows > > in a browser (when the current row gets highlighted) return that > > particular section of the window back to normal (but not the whole > > window, for that I need to trigger a repaint of the whole window by eg. > > making it full-screen and immediately switching back to non-full-screen). > > The only error message I've been able to find so far is in dom0 Xorg log: > > > (EE) intel(0): Failed to submit rendering commands (Bad address), > disabling acceleration. This is very likely related. Normally I'd say "Bad address" indicate user-space issue, but the only thing changed is the kernel version... It may be also that some kernel API have changed and the driver is using parts that weren't there before. Anyway, I've looked into 'intel' X driver sources and the version we currently have (2.99.917) is the latest one. On the other hand, there was over 800 commits since that release and some of them may be related. For example maybe this: https://bugs.freedesktop.org/show_bug.cgi?id=105886 This suggests you may want to try enabling or disabling composition, if i3wm supports it. > Duckduckgo-ing the error message yielded a few [1][2] Arch Linux bug > reports describing the same symptoms. The first bug report also has a > kernel patch [3] linked, which supposedly fixes the issue (haven't tried > it). That patch is from 2014, already included in 3.19+ > [1] https://bugs.archlinux.org/task/43143 > [2] https://bugs.archlinux.org/task/55732 > [3] > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d472fcc8379c062bd56a3876fc6ef22258f14a91 > > Cheers, > Patrik - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxLGisACgkQ24/THMrX 1yyRKwf9G9TX89Bh2aePabdq7k40zDEHK68sKmsbL7xcm0JpfsdXHK/MuM+B4AyJ BT7PrEIr8n1wXc++EArbtwapIPldICAhnBRK4fFdazHmtgAeW5S1GztAFisa4EaD w0AWDoLLVg4DR7AcwFi1EXse4jgT0/CSYkHIENM0QRl4uevEV6lKlpN4lS8Rgjm8 cUCXajC5RCLT3RVDUTzufUOxLLt/syRzGVtBsgJqCwvVdnOxArZqlEJgSI7wq9lN HR6OSv1ETGdlubxegn2LsAtqLvHXD+vnV11hgT4EvSZhHTfcbOI8FJdsnU8YxNY1 vsHV3L772QpTm3+jZ05X8AxJLEYrHA== =XaRm -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190125141611.GH1429%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: QSB #46: APT update mechanism vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, Jan 24, 2019 at 08:57:16PM -0600, Andrew David Wong wrote: > On 23/01/2019 11.54 PM, Chris Laprise wrote: > > On 01/23/2019 10:39 PM, Andrew David Wong wrote: > >> On 23/01/2019 9.36 PM, pixel fairy wrote: > >>> On Wednesday, January 23, 2019 at 7:24:57 PM UTC-8, Andrew David Wong > >>> wrote: > >>> > >>>> The Whonix packages are in qubes-templates-community-testing. > >>> > >>> > >>> $ sudo qubes-dom0-update > >>> --enablerepo=qubes-templates-community-testing > >>> qubes-template-whonix-gw-14 > >>> Using sys-firewall as UpdateVM to download updates for Dom0; this may > >>> take some time... > >>> Last metadata expiration check: 1:08:18 ago on Wed Jan 23 18:22:56 2019. > >>> No match for argument: qubes-template-whonix-gw-14 > >>> Error: Unable to find a match > >>> > >> > >> That's strange. I was just able to install them with the same command. > >> Maybe try it again with --clean? > > > > That's why I found its better to just specify qubes*testing for the > > templates: > > > > https://groups.google.com/d/msgid/qubes-users/f4d997d5-7191-06d0-e7bb-ef42745a7db5%40posteo.net > > > > I don't understand. How would that help here? To recap, this command > worked for me: > > $ sudo qubes-dom0-update --enablerepo=qubes-templates-community-testing > qubes-template-whonix-gw-14 > > The very same command failed for pixel fairy. I think the issue is about the previous point in the patching instruction: remove buggy template version. Otherwise it will fail exactly like this (indeed the message is confusing...). Feature request about simplifying this process is tracked here: https://github.com/QubesOS/qubes-issues/issues/4518 > Why would using > qubes*testing instead fix whatever is causing that command to fail? > Would that somehow force cache busting for some reason? No. But it would be easier - no need to think in which repository given template is. In this particular case, it should be fine as given template is only in one of those repositories. > > Also, using the 'upgrade' action is a lot less confusing. The official > > steps are needlessly painful. > > Would it be worth updating the QSB? (CC: Marek) - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxKfzYACgkQ24/THMrX 1yy/RQf/aHFY61ViLRp9IRosZegJ/CybS5uioPxQf/GEy/d5JbkXMYEKWyTgyA7c HsPB1z/HVfA+I7CRidrtKufr9jgeuE5KGrposFNxG/yCvzDh7nQaVF6svw3gozJw pO4ULJ02zRg8YaJF+aBv25/p6jI7CQYs93OFZ0x0pVli4+BlkUY8gzhTgrf0V/bU cpaC9UmzKfWR8TxR6gFTTmVqs5K+WxcBo3LfXF1yNoBlHCgJdhfK5kqmvANE5apS gw5pM0ccsNYV//cmVr8fULAa05gRPRIQgepPUoj/442fGesfHDMVCm48pta/uhZ2 OPh0sBdqAgmlbRjrAGFi3a0b36ewww== =7+Ci -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190125031501.GD1429%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] QSB #46: APT update mechanism vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, Jan 24, 2019 at 01:10:42AM +, js...@bitmessage.ch wrote: > Marek Marczykowski-Górecki: > > Summary > > > > > > The Debian Security Team has announced a security vulnerability > > (DSA-4371-1) in the Advanced Package Tool (APT). The vulnerability lies > > in the way APT performs HTTP redirect handling when downloading > > packages. Exploitation of this vulnerability could lead to privilege > > escalation [1] inside an APT-based VM, such as a Debian or Whonix VM. > > This bug does _not_ allow escape from any VM or enable any attacks on > > other parts of the Qubes system. In particular, this bug does _not_ > > affect dom0, the Xen hypervisor, or any non-APT-based VMs. Nevertheless, > > we have decided to release this bulletin, because if a TemplateVM is > > affected, then every VM based on that template is affected. > > Hi, > > Does this vulnerability apply to whonix users who download updates over tor > from .onion repos? > > My understanding is that it shouldn't, since the exit node operator or any > other MITM doesn't even know it's apt traffic, they just see encrypted > traffic to a hidden service. > > Is this right, or am i not understanding something? In case of onion indeed MitM attack is not that easy, but if someone takes over Debian (or Whonix) mirrors still could perform the attack. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxJE2sACgkQ24/THMrX 1yxbaAf+LBDndywJFQnv8ecVh3MADbYF3I1fpBJuPFP58MW3Iti2zB1US0jcxFbk 9GevFxLRd0f0u6sblyX+lko8f469gGhl/N0eK5Tl77omJNQc2on5uZb9pPotuuAi 0S8f49SJhl7B1WaJLKV9MAL2sXraHfZ59juQaLmQiSearuJcanPJAqEM/D0OI/aT BWTc/fsjDpfQ9hV/BQcEOjoOqKuwnZDBLSrXR/ychWFA0zRPzmFtJjA6shFprPf1 NGxhdabDWSEzcKGyUW+GM/eoBo3qwH7cvQk9tHBFJfSpDDUAmgkodCO3PfVYw44L 5wAONEFFZZJH8xs7V/NSo9nqZVjuKQ== =zzzU -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190124012252.GA9610%40mail-itl. For more options, visit https://groups.google.com/d/optout.
[qubes-users] QSB #46: APT update mechanism vulnerability
rough the Qubes VM Manager. Installing the packages listed below is not enough. Qubes 4.0: - qubes-desktop-linux-manager 4.0.14 (updates widget) - qubes-manager 4.0.27 (Qube Manager) Qubes 3.2: - qubes-manager 3.2.14 (Qubes VM Manager) The packages are to be installed in dom0 via the Qubes VM Manager or via the qubes-dom0-update command as follows: For updates from the stable repository (not immediately available): $ sudo qubes-dom0-update For updates from the security-testing repository: $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing Now you can safely update your APT-based TemplateVMs through the Qubes VM Manger. Credits This vulnerability was discovered by Max Justicz and reported to the Debian Security Team. References === [1] https://www.debian.org/security/2019/dsa-4371 - -- The Qubes Security Team https://www.qubes-os.org/security/ ``` - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxIntgACgkQ24/THMrX 1yyCMggAiZ39l/FNTMvpZ3mcuYvIt3+OtnJa39IJ1A1O8F7cFQXmENLBbEfO2/r7 y0oIras3jD3FEgqqEHDaUx/OuF9XHsii8XMbvAiWKIVAchK3/Oze2UjPjDF63mtJ p7ngVs6CciYNmW4Y2QPTs+vUPzSY+SllWl+qf/kWKvKzYsPyC8SCuNYB1dG3SZXg I3NZcxdVdMao4FN/dJkLitEQeFhMiQTHA6SaD6ozxb5hv4FbIAeaoVFf/gR22EZb hy3W6wfmYN2eW2Ydq+jq9/YHXzuZhVEGvPcWxblEr2rcat1gz1Gp76h9U8oJppUs TEa7gg6fGzITNuhJAQCJZddxWDQb4A== =XKVs -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190123170528.GV1429%40mail-itl. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Qubes 4.0.x - Linux kernel 4.19.15 package available in testing repository
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi all, There is updated "kernel" package available in current-testing repository - it's a Linux long term support 4.19.x series, as an update over 4.14.x before. Since the upgrade switches to the next major LTS branch, I'll keep it in current-testing repository longer than usual 1-2 weeks. This also applies to kernel package for VMs: kernel-qubes-vm. Please report new issues the usual way, at qubes-issues[1], or simply by replying here. In either case, please mark it clearly it happens after updating to 4.19, preferably including a link to the update: https://github.com/QubesOS/updates-status/issues/850 4.19.x kernel was already available as kernel-latest package for some time. Users of kernel-latest will see the update to 4.19.15 too, but kernel-latest soon will carry 4.20.x kernel version. [1] https://github.com/QubesOS/qubes-issues/issues - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxDx4YACgkQ24/THMrX 1ywtlgf9HE/mQmGQIZtymeLHdeAP6FnpBhGrbaJESWM2AhFxRFIQpGLEBIIrpKvH K6aFYqbFPNHYPE2DnboHmHebP1But8krrSbi4Ig5Z6E1pTFIk9XTrPQSbyY8jei9 hGY6Y8NRdTB3ljAbQpdLmfvmq9LksBQox9V5v+7lbNd6IhFOuqYnfcjz/P6PWO/F Np/orRT2QEB5Hzuqgm8dnfKUY1NBiwE1Nbxe2vl9OqrEkpceo4sKpBhEpF3LX7Z4 aTjroOnfk4Hrb2souyTKuVhRaBdHP3wxxof+xNcsakFQNp96Jeh/2b/+im6CSaEa 9BUaPC82RwFT//o8TvYwyybX8wuLpg== =nKaU -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190120005742.GS1205%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] last qubes-dom0-update brings kernel 4.19 and crashs login
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sat, Jan 19, 2019 at 01:13:06PM -0800, Sergio Matta wrote: > Yesterday I started qubes-dom0-update and it installs kernel-4.19. Looks > great! > But it is not starting graphical login anymore. Do you see text login available? Maybe on tty2 (alt+ctrl+f2)? You can login there and see lightdm service status (`sudo systemctl status lightdm`), which is responsible for the graphical login. If it's failed, what it says there (you should have few log lines there)? It would be also useful to check X server log - /var/log/Xorg.0.log - especially if you see any error message at the end. > I did sudo dnf downgrade kernel and it didin't work. > I had to change grub to fix. You should be able to choose older version in grub menu. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxDwFgACgkQ24/THMrX 1yzC9Qf+Om3bUq2dzU5HH3IvhV9QX1r0QoYVYiWGw0H9QeOYrPApKoN3effRu76i 8Ldy69M4AmulghtvWvPznMYBT/n852WjfqTVYMn7TAKYj/309cT0kOxuI0aLRJbJ B2QbxjAvwaYrQqYNBRRkctVkMtJ4IPJgrjRTo45vFunD+RXAZjcN60u8fI+IwrA+ adA7GDS2iy/7CdZxiHG1/EZ204JkpSWJlEARm83GbPpfkQl0wvsZq0WTtkLgQaxv YAmxYIEckWA1jbSAps16/9RXIEGCmXGP87jfLL+2yf07L2wnqSAEIR4t0nMsDNMc W82Uu1FrF/fpoW6EY2ujUySI1NywLA== =T3E2 -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190120002704.GA5575%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] fedora-29-minimal sys-net/firewall problem
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Jan 11, 2019 at 09:59:37PM -0800, rumsey.anth...@gmail.com wrote: > Thanks to Ivan, I figured it out (with a bit of luck). > > After comparing packages in his working template to my own, I first tried to > install: > > dbus-glib > ipcalc > iproute > iproute-tc > iputils > > That fixed it as far as I can tell. I now have a working sys-net and > sys-firewall with the fedora-29-minimal template. I'm assuming the ip* > packages were the key, but I don't really have any idea. Yes, it's iproute. Similar problem happened to Debian template[1] and it was fixed there, but apparently Fedora is also affected. I'll add relevant dependency. [1] https://github.com/QubesOS/qubes-issues/issues/4411 - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw7IWMACgkQ24/THMrX 1yzOFgf6AhFaa5Y+g2PHqKiSH908UIPM99+Xwf3lMlb/ISDfuX7EUsyqBLXI9yak UGjXuG7dcNs+QD9lESTCPxkYS86c1AQWb9zyPEe/Q2n1uJgYGzktEdyD6w51in/3 spZGvNdicSVDFUHeWyr+rdAR5feQETSebecxp3fha+GlG4D8tcDSZJzG13uZMZXk l9zetIJToWa5DANSEfdw70F1UpIt4BEBa8UxJJHNP3GOwYMulXFVLN6BJ8eJ3LMN PFfcDf5gK3OMTaLYu+5uj8WUf8dtQGgDwCd1Dzfzswmai8sMQ2EyzQEbuHuFQxvt sSIsnj4x6zK+BOZ/yqZwjpVRMDBwAQ== =py4N -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190113113043.GE6577%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] "Qubes Update" icon (Sun Looking icon on top right)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On Sat, Jan 12, 2019 at 08:47:01AM -0800, 22...@tutamail.com wrote:
> Just used this feature again...Debian-9, Fedora-29 and Dom0 updates(or lack
> of) went fine i.e. My Fedora templates seemed to update and no updates were
> needed for Dom0 or my Debian templates.
>
> My Whonix-14-GW and -WS however did deliver an error that might be related to
> what you refer to Marek. The sun icon gives me the following
> error(abbreviated):
>
> File "/var/tmp/.root_62a99a_saltimport salt.modules.cmdmod
> File "/var/tmp/.root_62a99a_saltimport salt.util.http
> File "/var/tmp/.root_62a99a_saltimport salt.util.events
>
> ...
> ImportError: No module named concurrent...CancelledError
> stdout:
>
> I manually updated the whonix-gw and -ws using the Qubes Manager OK.
>
> Any chance some one can share the commands to allow me to update using the
> "sun icon"? Its nice to check all templates for updates and have them run in
> the back ground one-by-one. I thought this would crash my system but worked
> pretty slick appart from the whonix-gw and -ws error I got...
You need to install python-concurrent.futures package there. Open
terminal in whonix-gw (and -ws) and execute:
sudo apt install python-concurrent.futures
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw7HMwACgkQ24/THMrX
1yxVWgf/WlABy9S2QcV8nlcNe82GoAjKqtxct7ZkwhSKzINrA0x/5nbJ9xcB2uEY
Lam73TDc3l4ma4PaG/EdfRyIbFgO3Yeus6tKe36xCtdZYpp5JHSWaEOXiEyLheRP
/hPizdgfyEV7iQXm8pM2oaV00r8nGyXH8P62br3wcbEXjd19bAtKPEKOrfhKHJh0
DodMoo0vzPlEm6fpirlQ/tZqrUk88yfLkAAPWNVTfUbgbE5Vl78w/wO1u0IVEXLF
stf/qzpkvsf7MXz8OYUd9+h2dqWLsvoqGiS0x26kW66BcsaXYKqyJUAQAdTstYDN
rU86N2eiuYUNQKT1ZdOA5AEZVrwaDw==
=vXOe
-END PGP SIGNATURE-
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/2019011307.GD6577%40mail-itl.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Smart cards, split GPG, and timing attacks
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sat, Jan 12, 2019 at 12:27:04PM -0800, demioben...@gmail.com wrote: > That makes sense. How should one best handle GitHub accounts? One per > project? GitHub does not seem to allow per-project SSH keys, sadly. Actually, you can have separate per-repository key, called deployment key. But you can't re-use the same key for multiple repositories, so if you have a project with 5 repositories, you need 5 keys... - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw7EqQACgkQ24/THMrX 1ywzWgf/c4ruiUidk5WARKvLGT0/2dM8Im17JJJy44+LaBw8EnK43YqxK9TK2fxz kG9K7jwT7w5Ym8oi7mLDpTO0XmV4usf15Vvi2PUUQBIWdJNxJCIViwaFMY0zA79v TKa/9EAbxi2JrZ16iP349yL1OWGxs2+bN+q7Mt3qd46BwQiUNHFJMKcxXXZ/iBGw G11XgeB4bllW7HyjR9nfNUEVl38oTVlpoPoYq8NZuLC011TafMhRSFlEQQto+MkD l9a600ifQCprSqWiUge9QiiJO3rtknTx7NnNdwgFnpfFMm2yIURGMVyJ9i3VxyE9 B0GWaB7FTzmISkNjnmIwuZOgA1niLg== =+lka -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190113102748.GC6577%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Smart cards, split GPG, and timing attacks
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Tue, Jan 08, 2019 at 01:15:39AM +, 'awokd' via qubes-users wrote: > Demi Obenour wrote on 1/7/19 3:16 PM: > > Looking through the GPG CVE list, it appears that GPG has a fantastic > > security record. This seems to jus Most of the recent vulnerabilities have > > been side-channel attacks. > > > > Is it useful to use split-GPG with a hardware token to prevent side-channel > > attacks? > > I am far from a cryptographer, but IIRC those side channel attacks get the > key by observing decryption leaks. So a hardware token wouldn't affect that > either way, because once the key is unlocked it still gets processed the > same. Not really, if key lives on a hardware token, only it can perform decryption/signing. So, if that hardware token is resistant against side channel attacks, then split-GPG (or anything else) will not make it worse. > > Also, is it best to use one signing key per project one is working on? > > > Again, not a crypto expert but if you're using the same development workflow > for all projects, don't see much security gain from separate keys. If some > demand a different, potentially less secure workflow, those might benefit > from subkeys. Hopefully someone experienced has more insight! There is one more thing: if you use a single key for multiple projects, then it's harder to distinguish those projects based on cryptographic proof. Which means code signed in one project could potentially be used in another. An example: I have a qubes code signing key I use to sign my qubes-related commits/tags. But I also contribute to other projects, including also very simple patches, where I only fix one file and definitely not review the whole repository. If I would use the same key for both, then one could attack me like this: 1. Introduce a backdoor to some random software that I would likely contribute to (or even create new one specifically for this purpose). 2. Wait for me to contribute there (all kind of social engineering will help here). 3. Take my signed contribution and pretend the code belongs to qubes - this may is quite tricky, and probably require breaking into my github account (or github infrastructure) to place it under my (or QubesOS) account; but even without it, it would help in other attacks. With separate keys (having project name in key comment) that attack wouldn't work, or would require significantly more social engineering - depending whether you attack a machine or a human. You may also take into account security of development environment for each project. If one depends on a lot of software without reliable integrity verification method (or, say, a lot of NodeJS package ;) ), then such environment would be significantly easier to compromise, and so the key used there (even if not leaked, then used from there to sign/decrypt anything). - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw5PaQACgkQ24/THMrX 1yyotggAj6mbhIApmFSsajZ/Zjk1Lt49Lgnba5TXQDHgODwGp+i4QG3JqKVgHTma QXvoTKsMZohuABe6wWiTxT/DvJJjUzpHAOEnj/XAzGm6mm8kJqZ/hih2pq7T7+qn Oe+zOdLNPdS4olmLy/igw/V+CtjNhuWYKsSM7mCzSpRRIPGuG4IvhEX+WyHFDt6u rMpCL2nNqRHcMo+Qve7/5e2IPnWFZPjDVsaeTiHpaAlFfzDVLUyg2qxGxamezuLo fH6ZvUd1UOHntUCYWjeD7JpY05Y8P0dAPRsRlcW28eAKAeUy9cepQlLJeafRdYCo b5e0pWhYe/DqZxMJKzVuSnJy2OpBeA== =j4nW -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190112010644.GB6577%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Salt orchestration
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, Jan 07, 2019 at 12:20:31PM -0500, Brian C. Duggan wrote: > On 1/4/19 3:08 PM, Brian C. Duggan wrote: > > 2. Salt should ensure that service VMs are running before Salt applies > > states to their client VMs. For example, I have a service VM that > > exports gpg-agent's SSH socket through Qrexec. This VM needs to be > > running so that the client VM can clone git repos using keys on the > > serivce VM. > > > > I did some more testing. Of course, Qubes starts halted VMs when another > VM makes a Qrexec RPC call to it. The calling process on the client VM > will block until the service VM starts and the RPC call returns. So this > isn't really a valid use case for orchestration. > > At first, I thought the SSH authentication attempts failed because the > service VM wasn't started yet. After more testing, I can see that the > systemd socket service just doesn't work at the stage during initial > boot that Salt runs. The socket file exists at this stage, though. SSH > authentication succeeds during subsequent Salt runs after the VM is booted. > > But I've also noticed that sometimes a new app VM's grain ID is still > the template's ID when Salt processes templates. That shouldn't happen in theory... Can you give more details, especially which templates, and qubes* packages version? Additionally, even if grain['id'] doesn't match, target VM will get access to other's VM pillar data - it's enforced when copying pillar data out of dom0. > This can be a problem > when both dom0 and app VMs need the same pillar data: > > pillar/app/client-vm-1.sls: > app: > client-vm-1: > server-name: server-vm-1 > > pillar/app/client-vm-2.sls: > app: > client-vm-2: > server-name: server-vm-1 > > pillar/top.sls: > base: > dom0,client-vm-1: > - match: list > - app.client-vm-1 > dom0,client-vm-2: > - match: list > - app.client-vm-2 > > dom0 needs the combined app data to set RPC policies between the clients > and their servers. The clients need their own data to configure which > service VM to send their RPC to. It's convenient for clients to find it > through pillar['app'][grains['id']]. Maybe there's a better way of > constructing this pillar data? The fact that you'll see only the right pillar data, regardless of grains['id'] may help you. You can iterate over 'app' dict and use whatever you find there, regardless of the first key name level. It will complicate your configuration, but until proper solution is found, it should work. > Is there a way to delay Salt execution on VMs until they are fully booted? By default it's delayed until qrexec-agent is started, which should be after essential services. If you want, you may: 1. Add a state waiting for user session and order other things after it. This won't help with grains and such things, as salt load them before considering states, but may help with some states, if are dependent on running X server for example. For this, add this: /etc/qubes-rpc/qubes.WaitForSession: cmd.run: - runas: user 2. Configure qubes.VMRootShell qrexec service in a VM (used by salt) to wait for user session. This will affect the whole salt call for that VM. But also means it will wait indefinitely if no user session is started at all (for example you're logged out of dom0). For this create /etc/qubes/rpc-config/qubes.VMRootShell in the template with "wait-for-session=1" inside. > For the curious, I'm using a Salt formula to set up access to gpg-agent > on a service VM from client VMs through Qrexec: > > https://gitlab.com/bcduggan/qrexec-gpg-agent-formula One MAJOR problem with giving unfiltered access to gpg-agent is that, client can request gpg-agent to export secret keys. Which defeat the whole purpose of keeping secret keys in separate qube - that client have no access to its secret part. You may want to look at https://github.com/hw42/qubes-app-linux-split-gpg2/ I think this problem does not apply to ssh-agent protocol, which AFAIK does not allow client to extract secret keys. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw5N7kACgkQ24/THMrX 1yzQPwf+I1+7XjklLKxfGUVG1mBMWUdsvv5WOchp4uhWJeNpZVlavCLZNj0S09IL T5kGdw0/oM78LDnFRPlAEXRp/w/r2pg1Q0aA/dG7iyQsMWdzqYl/uAdNEpx2ML+h 6T7pRrTCBMUrxAub5rJq3xpGPgfwA9JwCDrR8h4xVC55grUuvMOuR5PH/A1ksbg8 c/RfU/GeTGPjjisEAyYARSM29BT098BD3IcZjaMe1X2jnaQkdZYJnf6nDZ+qMR7t Thy21mn45BPVcM1TF1012waXimlz9utVI3zytUKDZHURQtfWwTzKB3UOwmOH7460 u2qWHMnEOURbzGBUcp2oiXiG3JEFSA== =DMM5 -END PGP SIGNATURE- -- You received this message because you are
Re: [qubes-devel] Re: [qubes-users] qubes dom0 update breaks template updating
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Jan 11, 2019 at 11:23:00AM +, qtpie wrote: > > > Marek Marczykowski-Górecki: > > On Wed, Jan 09, 2019 at 10:19:00PM +, qtpie wrote: > >> The latest dom0 update broke updating my templates. I altered > >> /etc/qubes-rpc/policy/qubes.UpdatesProxy to change the updateproxy to > >> sys-whonix. > > > > Can you explain what/how exactly it's broken? > > /etc/qubes-rpc/policy/qubes.UpdatesProxy should not be overridden by an > > update, so any local modifications should remain. Also, using sys-whonix > > as updates proxy is a valid configuration we test regularly and did not > > spotted any issues recently... > > > > I cant reproduce the exact situation anymore. What was broken was that > on apt update or dnf upgrade, I got a 500 error on the repository URL, > and the error below. > > The error below I can still trigger by commenting out the line starting > with $type, and uncommenting the line starting with $tag. If you leave _only_ lines with $tag, then templates without that tag won't have access to any updates proxy (as you define it only for templates with a tag). - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw4gF4ACgkQ24/THMrX 1yxrdQf+K1K8P9IDlQ/vmTOv9fWNkSfWofAcmF0VTPGQukRKmYLVrHQu3xSiH9eV C/bBszQZ2wY4HIzMcPpSxqQ37NSRec/V+s5NUogjzuIvD5vF/MM2pWOZN9A8kM3Z GmwYTuPh6wjww6tJ+CjKHFOZo1U2/gSQ86h5bsO2NeJMwV8IWwkzSkOKJyuuqxKg eo66yw9aS3iehEUIz/R68ApXWBlM7L0PRDpgWR96FwcaG1v2SSfFsEE7PODpdTgi sdbyTNKIIe5G+GCodfzi2RbT0C1hkA3CF8hUrY1+0C+RHuOkH6Vrqa8FCfDuxObl hiTCm1COw3jGYp4mcJ+EZcaPoeR99Q== =zQ9b -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2019013910.GD1205%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] "Qubes Update" icon (Sun Looking icon on top right)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Tue, Jan 08, 2019 at 06:53:03AM -0800, 22...@tutamail.com wrote: > Just played around again with the sun icon, this time starting my whonix-gw > template used for template updates prior, a couple of observations: > > Seems to work fine when updating Debian and Fedora 29 templates, at least the > messages I get in the details appear positive, listing the updates/changes, > green check marks, etc > > However when I try to update my whonix14 templates (both -ws and -gw) I get > what appears to be errors. I still don't know how to copy errors from Dom0 to > an appvm but the errors end with: > > File"/var...salt...futures import cancelledError > ImportError: No module named concurrent.futures > ... See here: https://github.com/QubesOS/qubes-issues/issues/4272 It shouldn't be an issue for new templates, but for older installs, you need to install python-concurrent.futures manually there. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw3qQAACgkQ24/THMrX 1ywXmQgAgRKQFTZHK7yHUQ+PYBMnA3FxSnyljl+kv1kT3w8vnHTzMudmxNBczi6G RwYH1FR7UqEfUxmITbaJOMJZuft3ag0zqnXfFCwPIHn1GPrmbg5EVZ254hqd/Rvq UHLefaJCWjxO1P7bghAz5710D+/YpeGEKxnd2tXqYu9Nfdd+yoYKTzrgcfBbsy0t 0BElDQS8/kWnYHDx8fnn0Qijv2WUbM4B5LHvu192+mIcxAhya6zPUipbjiAHu3e5 9c4igObPZCMVhdRuyb4Ir9zs/FneuSTi8ZKKDGzZQIPdmK3GTrKNzy8m/yRqgRLi 23RikMqs7z1dieMfQqMPnjk9FzAlvw== =4jRT -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190110202015.GA1292%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] qubes dom0 update breaks template updating
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Jan 09, 2019 at 10:19:00PM +, qtpie wrote: > The latest dom0 update broke updating my templates. I altered > /etc/qubes-rpc/policy/qubes.UpdatesProxy to change the updateproxy to > sys-whonix. Can you explain what/how exactly it's broken? /etc/qubes-rpc/policy/qubes.UpdatesProxy should not be overridden by an update, so any local modifications should remain. Also, using sys-whonix as updates proxy is a valid configuration we test regularly and did not spotted any issues recently... > My solution is to uncomment the lines starting with 'tag', while leaving > the lines in the old formatting untouched. > > This solution seems weird since here it is suggested that the lines > starting with 'tag' should replace the other lines: > https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/commit/ca27a33b0ec59f5ea2d4b334973eaa837f11ffc4 > > I'm not saying this is a bug, I can understand that an update is not > compatible with certain customisations and it is the users responsiblity > to fix this. > > In any case - enjoying Qubes everyday! - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw2lpUACgkQ24/THMrX 1yw3PQf/YuxS53SSNvIjyjbUxNXjCMMRO6RU3p1JjdrPwYbmo+8adCFRdmyDJake kH+1FginUxsUpqySOvX1Xw516p00Ct+1sKVOcgfmLKU9Ama7peNoUNcRBTr3jmst FC3rRsrxofT3E3ceCmd/BXFJdIK/JEof130DXEYsBxKdf/9qm5BVYVkN+Q3VmvIA uwz0VWstF3Z2vXvwgWLcMyTjpuxhdWBMuLeJSGqI0gWwltztgpyGERp24UjraK6E xZtVIie+7MGnfXI6ZpONeLjdTAAW+VKGvvWs5YncbxKVQIdUucILbkQamwqiyD1m XatKifnvLe9WO4MrrzZR22h79gua5A== =WJ+F -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190110004925.GE7536%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] mooltipass hardware password manager
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Jan 09, 2019 at 03:26:02PM -0800, Benjamin Richter wrote: > Hi, > > I have a Mooltipass Mini Hardware Password manager > (https://www.themooltipass.com/), which identifies as a USB keyboard in order > to input passwords. > > I can attach the USB device to a VM to connect to the mooltipass mini and put > in credentials, but I cannot get it to input the password, neither > by attaching it to a VM directly, This may be about permissions to /dev/input/event* device files in the target qube. See X server log about it. If that's the case, you need an udev rule to allow it, like this: /etc/udev/rules.d/90-allow-input-for-qubes.rules: KERNEL=="event*", GROUP="qubes", MODE="0660" > nor by leaving it in the USB qube via the input proxy. > The key events just don't seem to turn up anywhere. I'm not sure how this device really works, but with input proxy it may be missing some feedback channel (browser -> device), for example to choose the right credentials. > I'm running latest stable R4. My USB keyboard, touchpad and touchscreen work, > also I don't have any problems with other USB devices. How can I debug this > further? > > journalctl output while connecting: > > Jan 10 00:21:07 sys-usb kernel: usb 2-1: new full-speed USB device number 10 > using xhci_hcd > Jan 10 00:21:07 sys-usb kernel: usb 2-1: New USB device found, idVendor=16d0, > idProduct=09a0 > Jan 10 00:21:07 sys-usb kernel: usb 2-1: New USB device strings: Mfr=1, > Product=2, SerialNumber=0 > Jan 10 00:21:07 sys-usb kernel: usb 2-1: Product: Mooltipass > Jan 10 00:21:07 sys-usb kernel: usb 2-1: Manufacturer: SE > Jan 10 00:21:07 sys-usb kernel: hid-generic 0003:16D0:09A0.001B: > hiddev96,hidraw1: USB HID v1.11 Device [SE Mooltipass] on > usb-:00:07.0-1/input0 > Jan 10 00:21:07 sys-usb kernel: input: SE Mooltipass as > /devices/pci:00/:00:07.0/usb2/2-1/2-1:1.1/0003:16D0:09A0.001C/input/input36 > Jan 10 00:21:07 sys-usb kernel: hid-generic 0003:16D0:09A0.001C: > input,hidraw2: USB HID v1.11 Keyboard [SE Mooltipass] on > usb-:00:07.0-1/input1 > Jan 10 00:21:07 sys-usb mtp-probe[30635]: checking bus 2, device 10: > "/sys/devices/pci:00/:00:07.0/usb2/2-1" > Jan 10 00:21:07 sys-usb mtp-probe[30635]: bus: 2, device: 10 was not an MTP > device > Jan 10 00:21:07 sys-usb kernel: audit: type=1130 audit(1547076067.807:236): > pid=1 uid=0 auid=4294967295 ses=4294967295 > msg='unit=qubes-input-sender-keyboard@event6 comm="systemd" > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' > Jan 10 00:21:07 sys-usb audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 > ses=4294967295 msg='unit=qubes-input-sender-keyboard@event6 comm="systemd" > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' > Jan 10 00:21:07 sys-usb systemd[1]: Started Qubes input proxy sender > (keyboard). This looks promising. What do you have in /etc/qubes-rpc/policy/qubes.InputKeyboard in dom0? As your USB keyboard works, you probably have it configured correctly already, but see https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard You can also see qrexec connections log in dom0 with `journalctl SYSLOG_IDENTIFIER=qrexec` (or simply grep for qrexec, if you hate to type that long field name...) Checking if X server in dom0 sees the device (xinput tool) also may be helpful. evtest in dom0 may also give some hints. > Jan 10 00:21:07 sys-usb systemd-logind[436]: Watching system buttons on > /dev/input/event6 (SE Mooltipass) (...) > Testing ... (interrupt to exit) > *** > This device is grabbed by another process. This is most likely the input proxy. Which means it's running. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw2liwACgkQ24/THMrX 1yyIcAf/R5t1JsBeH4V9bOJtevq7qbjwhCW17jWgNyZuAX9KR5EmdzIgXg5w8kwI XvY3M+rfy5IPEyk8le4IifX4c8OhbfXAkETqAibUxX+qrtRZHTBoIsgsCDWpKj90 T+CYEsGx+I4ilb0ygBzn4v7zDZ/VTiDixJalIY1oQ4+xaDHS/BrFEcZ+EeG9eqeh vncKoRmPrdA1OR5xvwfG7NBm2pUJHumPP0yu072yKh/a59aAe3ZRxgxZTwbWkbgo LinsbjG6G57JTjnS9oNAVrMjdTaB3xWG3cMA2343nIZCg8bEEjeiw+qjxo25jyLl z+uTpLuBbXeUNiKaqLjWhc2ta1Vq0w== =94WL -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190110004740.GD7536%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Installing snaps in appvms?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Jan 09, 2019 at 07:11:50PM -0500, Chris Laprise wrote: > On 01/09/2019 06:41 PM, Stumpy wrote: > > On 1/8/19 7:59 PM, 'awokd' via qubes-users wrote: > > > Stumpy wrote on 1/9/19 12:07 AM: > > > > On 1/8/19 7:04 PM, Stumpy wrote: > > > > > I thought I had snap installed but the app i installed via > > > > > snap now does not seem to be working? I installed snapd in > > > > > dom0 then tried installing a snap package in one of appvms > > > > > but I am getting errors. If i try to run a snap from dom0: > > > > > qvm-run gfx /snap/bin/xnview > > > > > > > > > > I get: > > > > > Running '/snap/bin/xnview/ on gfx > > > > > gfx: command failed with code: 1 > > > > > > > > > > when i try to run it within the appvm i get: > > > > > user@gfx:~$ xnview > > > > > Can not open > > > > > /var/lib/snapd/seccomp/profiles//snap.xnview.xnview (No such > > > > > file or directory) > > > > > aborting: No such file or directory > > > > > > > > > > thoughts? please? > > > > > > > > > > > > > oh, and if i try to reinstall the app I get: > > > > user@gfx:~$ sudo snap install xnview > > > > snap "xnview" is already installed > > > > > > Nothing should be installed to dom0. You'd have to install snapd in > > > a template, and possibly the snap package. You might want to create > > > a Standalone VM and install everything in there, instead of > > > templates & AppVMs. > > > > > > > > > > Thanks, I had thought I had to install on dom0 as well, perhaps not, > > though when I try to: > > > > sudo snap install xnview from the template I get: > > user@debian-9:~$ sudo snap install xnviewmp > > error: cannot install "xnviewmp": Get > > https://search.apps.ubuntu.com/api/v1/snaps/details/core?channel=stable=anon_download_url%2Carchitecture%2Cchannel%2Cdownload_sha3_384%2Csummary%2Cdescription%2Cdeltas%2Cbinary_filesize%2Cdownload_url%2Cepoch%2Cicon_url%2Clast_updated%2Cpackage_name%2Cprices%2Cpublisher%2Cratings_average%2Crevision%2Cscreenshot_urls%2Csnap_id%2Csupport_url%2Ctitle%2Ccontent%2Cversion%2Corigin%2Cdeveloper_id%2Cprivate%2Cconfinement: > > dial tcp: lookup search.apps.ubuntu.com on 10.137.3.254:53: dial udp > > 10.137.3.254:53: connect: network is unreachable > > > > So i was thinking that doing a qubes-dom0-update something so it could > > get through? For the life of me i cant figure out what I did on my other > > computer to make it work but it works fine there. > > > > > > I forgot to mention, it is installed in the appvm: > > > > > > user@debian-9:~$ sudo apt-get install snapd > > Reading package lists... Done > > Building dependency tree > > Reading state information... Done > > snapd is already the newest version (2.21-2+b1). > > 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. > > > > > > ideas? > > > > Only apt is configured to access servers through the special Qubes proxy. > Since templates have networking turned off by default, that means nothing > else can download packages or data. > > In the short term, you can try enabling networking temporarily for the > template while you install snap packages. Just set the netvm in the > template's settings. > > In the long term, Qubes users may benefit from a special accommodation of > snap, which has become a versatile and important way to install software. > Support could include access through the update proxy and even special > storage capabilities. Would be a good idea to open an enhancement issue for > this. :) There is some progress on this already: https://github.com/QubesOS/qubes-issues/issues/2766 The current state is: you can install "qubes-snapd-helper" package in _template_, to be able to install snaps in qubes _based on that template_. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw2kq8ACgkQ24/THMrX 1yzNvwgAhc0/O9VIzBGH1WDg8l+1sH3yLxxySFannO2ihUUXbUA80cf4+uxrxk/1 Rg+jR0XfdBXD91h817luvs3mIdqwcluq1YHxbGIb0J/vALPLHRhZ8YLasXSdpDIG MyiVTk1ogAOG6jH30245V/GRPWALJmysYnW4DUki3ZefG/EyCFHWi7lpJZ9XS00F QbVv7MoDx6GbHiSfHMzYk016fSaEAFlXGUUXczSHgDpJjumP6+MfVkz0l4diYbm5 wGOPIknWLBBSQMMOS0IoaB1iq1hYbZNULt6/gaOOFBIC2I9D2m4Q8KHKeDz95qln HEzk2d5IJJlv8M1xpoNyzS0+IJNHMQ== =hL/D -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190110003247.GC7536%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Qubes OS 4.0.1 has been released!
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Jan 09, 2019 at 01:35:42AM -0800, Lorenzo Lamas wrote: > I see the hashes are different to 4.0.1-RC2 What has changed compared to RC2? Minor fix to update widget[1] plus a rebuild with "4.0.1" as a version, instead of "4.0.1-rc2". [1] https://github.com/QubesOS/qubes-issues/issues/4667 - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw1yMsACgkQ24/THMrX 1ywoBAf+Nad/7dZEMepMvmLeWjAbKpFF2P1wM9bVHwRY3j+ZB0ahCmRntAN1soeC 1p3A7eppOGIfr5IuhtozeBim/ZdswT1fc/zLPG4UCIfr4Oo0SbZpfI7THijHoc5u PgmAOu2FGzQ3IwufkFp74b6pN+MiP2MP1aCabKBCA8kF0am24buism5VBZoBwblT umQGYePGSEFepPN1qbPGbYzy/+Z+aVXOIBdxT61RSQteB8yGJLz+kwmaoOlO6o0r oTYGaCD8TNvzJFarnaa5/xPvBCptL7BecsbZkn6gNzKNTI3+gT++hMbQ6AJIYatv sKHmHKC4ti1PW6DBJxNLX6unMNTwVg== =LZWx -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190109101123.GB7536%40mail-itl. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Qubes OS 4.0.1 has been released!
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Dear Qubes Community, We're pleased to announce the release of Qubes 4.0.1! This is the first stable point release of Qubes 4.0. It includes many updates over the initial 4.0 release, in particular: - All 4.0 dom0 updates to date, including a lot of bug fixes and improvements for GUI tools - Fedora 29 TemplateVM - Debian 9 TemplateVM - Whonix 14 Gateway and Workstation TemplateVMs - Linux kernel 4.14 Qubes 4.0.1 is available on the [Downloads] page. What is a point release? - A point release does not designate a separate, new version of Qubes OS. Rather, it designates its respective major or minor release (in this case, 4.0) inclusive of all updates up to a certain point. Installing Qubes 4.0 and fully updating it results in the same system as installing Qubes 4.0.1. What should I do? - - If you're currently using an up-to-date Qubes 4.0 installation (including updated Fedora 29, Debian 9, and Whonix 14 templates), then your system is already equivalent to a Qubes 4.0.1 installation. No action is needed. Similarly, if you're currently using a Qubes 4.0.1 release candidate (4.0.1-rc1 or 4.0.1-rc2), and you've followed the standard procedure for keeping it up-to-date, then your system is equivalent to a 4.0.1 stable installation, and no additional action is needed. If you're currently using Qubes 4.0 but don't have these new templates installed yet, we recommend that you follow the appropriate documentation to do so: - [Fedora 29] - [Debian 9] - [Whonix 14] Regardless of your current OS, if you wish to install (or reinstall) Qubes 4.0 for any reason, then the 4.0.1 ISO will make this more convenient and secure, since it bundles all Qubes 4.0 updates to date. It will be especially helpful for users whose hardware is too new to be compatible with the original Qubes 4.0 installer. [Downloads]: https://www.qubes-os.org/downloads/ [Fedora 29]: https://www.qubes-os.org/doc/template/fedora/upgrade-28-to-29/ [Debian 9]: https://www.qubes-os.org/doc/template/debian/upgrade-8-to-9/ [Whonix 14]: https://www.whonix.org/wiki/Upgrading_Whonix_13_to_Whonix_14 This announcement is also available on the Qubes website: https://www.qubes-os.org/news/2019/01/09/qubes-401/ - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw1YTUACgkQ24/THMrX 1ywKSgf/RepKuj8klzDbi3G566MRg6XaF6GgVKYtt8xa9PX5w3yk+3j0n26zsW07 fsO4iJQtn4xt4nUDkIkY0ZaFuLXiXes6syLsu2mJ5dhB23C6C07No1tbeJ0GqzmJ G5TbCsXpTGnTH8URSyb0U0aB2C6dIAwQZUom+HaDgb/x6M6OWAwODhVV/hbFzhm/ msWu6Xy1rVcbaAB2Q2YLGGIShwx3cd5I/K6y0Lw+9sWhIZ8lj4ARfdnWzqGp5u2+ YYVMtRDGBWGm2o5Wu/gmduYNjRpkDSoE2qh5bUvubRm7TWK0HDkTCHvqyGTQXaZZ mGbhYdSlxM1N4Qm5YuyYMcGd1qUKQg== =8aly -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190109024925.GJ5040%40mail-itl. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Qubes Canary #18
st the contents of this file blindly! Verify the digital signatures! ``` This announcement is also available on the Qubes website: https://www.qubes-os.org/news/2019/01/08/canary-18/ - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw1X7kACgkQ24/THMrX 1ywfmgf/eRS3ND12XUJoXOCbRM/ncvAHDYGUUH9A/D9WY0c0ZXOdA8YRyH2P/BDG LmR7nGWHO4YCd5On0kUhPH5QyLc8ySCRBQplbCfED08k4s/baCnLcA9ptzgMZ+Ra HUrbvagkUeR770ZJytQDIxQEf3W2aRCVDAzOlRd8jhYVea+J09VyqYcc7qrxgjuQ VJD962qmAYqFXJtl5r0/p1y8DIffJsY1gCXlxDIvP4Os/mL2zo2JFKQ7OSn1X9lp EuA5lzIro2ejkGxULFN6hz0QPi4JICglWJQ0jjF+35G+p83enIeUNwdkdnF9V1wL nO4NsBXRXHQorBzp8j1uw8RmYTdfhQ== =S2HG -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190109024304.GI5040%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: fed29 templates/upgrade
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Jan 04, 2019 at 05:37:07AM -0600, Andrew David Wong wrote: > On 1/3/19 11:31 PM, John S.Recdep wrote: > > On 1/3/19 2:51 PM, 22rip-2xk3N/kkaK1Wk0Htik3J/w...@public.gmane.org > > wrote: > >> Thanks 799...I learned something! > >> > >> Similar to 799 but less hardcore...I always download a fresh > >> template(vs upgrade). In my case I ran with a full/fresh > >> Fedora-29 after the Fedora-28 hplip issues, and added any new > >> software from fresh: > >> > >> https://www.qubes-os.org/doc/templates/ > >> > > > > > > hmm, ok let's say I just use the new fresh 29 template, is there > > some way that I can know what non-stock software I installed on my > > Fedora-28 template, as I can't remember all that I may have > > installed > > > > This is more of a Fedora question than a Qubes question. As far as I > know, there isn't a clean way to do this. Following Marek's advice > from years ago, I just keep a list of the packages that I install in > each of my templates. Since some dnf version it is possible: sudo dnf history userinstalled dnf mark can be used to adjust the list (without actually installing/removing packages). This may list some more packages, as it will include default packages installed by the template builder. But should be a good starting point for such a list. > > > > > So, no advice on upgrading from my 28 template at this time? I find > > it strange that the template is in the dom0 updates available, but > > I see no notice in the news section on qubes website nor here > > .. > > > > See: > > https://github.com/QubesOS/qubes-issues/issues/4223 > > and > > https://github.com/QubesOS/qubes-doc/pull/739 > > > > > Seems like this happened with 28 release as well > > > - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlwvTgAACgkQ24/THMrX 1yxPrggAirGLmrqKZm73SVrEoSraBBgGIN7hXEXxgsKr4jtK5ymU7YEVyO2zc44S wQKcSJrmbO7VlGTNRGmxmMRsFa5f5j5Yxn1HaKeTKFd0HHLJja00SbpYCVnx6RFP 1cLSrAWwHHxazMImQ0mKkeBhmlHI45/dD30EwWJ3C2gYWCPj6PjHyfTpl61itf5M zPuMBAcyxemZ0LNgg2mCtD56i60n6c44d8+1xjPCBgdDTKbMkk72TTejv3MAuEdC qeREUS9QPBwR5Zbx0Fr72YIXRsXOEPYT3zi996u48lRXmHdo90AByq2zc4PJKUpc YdSTPPu4su9j+iPKzxWQUrPl5xt/wQ== =4V1h -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190104121352.GN23474%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: 4.0.1-RC2 Boot loop after install
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On Wed, Dec 26, 2018 at 09:24:01AM -0800, John Goold wrote:
> On Thursday, 20 December 2018 22:02:00 UTC-3:30, John Goold wrote:
> > Attached is screenshot, taken under my current OS, showing OS and hardware
> > info.
> >
> > After spending much too much time trying to track the problem down (using
> > the 4.0, 4.0.1-RC1 and 4.0.1-RC2 ISOs) I discovered why getting the
> > installer to run was failing...
> >
> > I had to unplug my external monitor (connected via an HDMI port).
> >
> > I was then able to boot the install DVD and install to an external USB
> > (SSD) drive (Seagate 2 TB). The install completed (supposedly
> > successfully), but attempts to boot from the USB drive fail.
> >
> > The boot process starts, with text being displayed starting in the top left
> > corner of the screen. It progresses to a point, then the screen goes black
> > and my computer starts to reboot.
> >
> > I have searched the mailing list and have failed to find a solution (hours
> > spent doing this). A lot of people seem to end up in boot-loops, using
> > various hardware.
> >
> > The attached file shows the hardware. The following information about the
> > BIOS/Firmware may be relevant:
> >
> > * Legacy Boot is enabled
> > * Virtualization Technology is enabled
> >
> > During the install I setup a user account. I did not enable disk encryption
> > (I will leave that until after I can get Qubes to boot).
> >
> > Comment: This boot-loop problem (or similar boot-loop problems) seems to be
> > a major issue with installing Qubes 4.x. Each time I come across a posting
> > about it, there seem to be different suggestions (some of which work on the
> > particular hardware involved) and some of which do not.
> >
> > I believe that I tried R3.1 about a year or so ago and that it booted
> > alright. I cannot remember why I did not follow through on adopting Qubes
> > (if I could not get my external monitor working, that would be a
> > deal-breaker).
> >
> > Suggestions would be appreciated. I will provide any additional information
> > I am capable of.
>
> This thread is getting verbose, so I have replied to the original post and
> will attempt a brief summary of the rest of the thread (for context):
>
> Determining what is happening would be facilitated by seeing any entries in
> log files (assuming the boot got far enough to log anything).
>
> That means checking files on the USB drive used as the target of the install
> and which causes the boot-loop when attempting to boot.
>
> Since the boot is failing, I cannot look at the log files under the booted
> Qubes OS, so instead I attempted to look for the log files when booted into
> another OS (Linux Mint 19.1).
>
> Qubes is using LVM to handle allocating disk space (presumably to facilitate
> being able to add additional physical disks to an existing Qubes install).
> There appeared, at first glance to be 3 Logical volumes:
>
> pool00
> root
> swap
>
> Linux Mint mounted the LV "swap" automatically, but not the other two. The
> other two appear not to be "activated" and mount attempts failed. Attempts to
> "activate" the LVs fail.
>
> After searching the Net for information on LVM, I came across an article that
> helped me understand the Qubes setup better…
>
> There is one Logical Volume Group called "qubes_dom0".
> Within that there is a Logical Volume, "swap", that is detected and mounted
> automatically by my Linux Mint installation.
> Additionally, there is a "Thin Pool" allocated that uses up the rest of the
> space in the Volume Group. It is distinguished by information displayed by
> the lvdisplay command ("LV Pool metadata" and "LV Pool data").
>
> Within that "thin pool", a logical volume, "root" has been created that uses
> all the disk space currently assigned.
Yes, that's right.
- From what I've seen in this thread, you did it right, but the system you
used didn't support thin volumes. You can try Qubes installation image,
there is recovery mode ("Rescue" in boot menu in legacy mode).
Other things you can try is to press ESC during boot to see more
messages than just progress bar. If that doesn't really help, try
editing boot entry in grub and remove "quiet" and "rhgb" options from
there. This should give you more details when exactly system reboots.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people n
Re: [qubes-users] Qubes extensions usage / installation
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On Wed, Oct 17, 2018 at 10:24:47PM -0700, nils.am...@gmail.com wrote:
> Hi everyone,
>
> I'm trying to run some commands whenever a VM is started or a device is
> attached to a VM. I came upon this Github comment by Marek which says that
> this is possible with Qubes extensions:
> https://github.com/QubesOS/qubes-issues/issues/4126#issuecomment-40645
>
> I wrote a simple Qubes extension with the following project structure:
>
> my_extension/
> * my_extension/
>** __init__.py
> * setup.py
>
> With the following `setup.py`:
>
> ```
> #!/usr/bin/env python3
>
> import setuptools
>
> if __name__ == '__main__':
> setuptools.setup(
> name='my_extension',
> version="1.0",
> author='Nils Amiet',
> author_email='nils.am...@foobar.tld',
> description='My extension',
> license='GPLv3',
> url='https://foobar.tld',
>
> packages=('my_extension',),
>
> entry_points={
> 'qubes.ext': [
> 'my_extension = my_extension:MyExtension',
> ],
> }
> )
> ```
>
> And `__init__.py`:
>
> ```
> import qubes.ext
>
>
> class MyExtension(qubes.ext.Extension):
> @qubes.ext.handler("domain-start", system=True)
'domain-start' event is called on VM object, so it should not have
system=True. system=True is needed for events on Qubes() main object
itself, like property-set:default_template.
> def on_vm_start(self, app, event, vm, **kwargs):
For system=False events, it should be:
def on_vm_start(self, vm, event, **kwargs):
If you need to access app, you can still do that through vm.app.
> with open("/tmp/my_extension.log", "a+") as fout:
> print("Started vm: {}".format(vm), file=fout)
>
> ```
>
> Now, I installed this extension on a deployed Qubes OS installation in dom0
> with `sudo ./setup.py install` but the file `/tmp/my_extension.log` is never
> created after having started some VMs. I was expecting to see something being
> written there.
Besides the system=True, everything else looks ok. Remember to restart
qubesd service after installing the extension.
> Why is my extension not being loaded? Am I missing something here? How can I
> debug extensions and make sure they are being loaded? Is there a log
> somewhere?
>
> Is Qubes OS going to call my `on_vm_start()` function whenever a VM is
> started just by installing the extension with `setup.py install`? What should
> I do so that it does?
>
> Thank you and have a nice day,
>
> Nils
>
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlvJsxsACgkQ24/THMrX
1ywpbAf+KLCp44W+yYOKRpNm3tvTUrvYb20KF4y4FiEoWE9vTapIfT9fLNI3yfZw
eHn52vb14VdtxPnZ7yNEopHbDAKwj2+u1RTrjszsBitjRqiAEFkFeDHCRQB1QAN8
HwPUWXCIvBNbUxQzpLYXvQX6V7/Ll6a/M/9DcanfRyHlU5yCHM+ZmdgBK4kU+Nb3
0cyCsA27CV2AGYuYRyYh5kyT+WX9nIPTwRUmRNi0lIuT45gBIWQ9OYo4kKjDCIUc
/YBqcHn7pTTOwz4e5ct+b/YQWLMKk3n1NX4DGYjnBbpt7E0y9vk3uNnXV8/z3dtt
4GgwIivDTAYx/5pU5AjklNksAL1pgw==
=3wtl
-END PGP SIGNATURE-
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20181019103403.GA13191%40mail-itl.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] dispVM shuts down immediately after starting (I'm trying to run xterm)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, Oct 15, 2018 at 11:19:54PM +, floasretch wrote: > ‐‐‐ Original Message ‐‐‐ > On Monday, October 15, 2018 4:52 PM, Marek Marczykowski-Górecki > wrote: > > > > Same result with qubes.StartApp+debian-xterm > > > Per your response, I verified that whonix-ws-dvm does have > > > /usr/share/applications/debian-xterm.desktop (and whonix-ws-dvm itself > > > starts and runs with no problem). > > > > I've tried the same command on my whonix-ws-14-dvm and it works... > > Is your whonix-ws-dvm Whonix 13, or updated to Whonix 14? > > Whonix 14. Originally was 13 (installed with Qubes 4.0), then updated when 14 > was released. > > I verified /etc/whonix_version in both whonix-ws and whonix-ws-dvm. They're > both 14. > > BTW, I haven't been using disposable VMs at all for the past couple months, > so I have no idea whether my problem is recent or old. In fact, the last time > I did was with the Fedora DVM, and I've deleted it since then. Today was the > first time I ever tried using any DVM other than Fedora. > > Qubes and all templates are fully updated. > > Is there a log somewhere? You can add --pass-io, to see service stdout/stderr. Maybe this will give some hints. Alternatively, you can try doing the same in non-disposable VM, for example whonix-ws-dvm itself. Simply drop --dispvm and add VM name before service name, like this: qvm-run --service -- whonix-ws-dvm qubes.StartApp+debian-xterm And see if xterm will launch. Then, you can inspect ~/.xsession-errors in that VM, or various logs in /var/log. If no terminal is started at all, you can access VM console with `sudo xl console whonix-ws-dvm` (exit with Ctrl+]). - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlvFIsgACgkQ24/THMrX 1yyjIQf/Sp92zf8JWH+uydtWBzd9nlMjHBwlfPsV/nhCDK72ZbMMlVzb7kCP2OIE oKkFO3IRTXvDbx/Yw1x1GG8Jkx/zH1inYsFU7KHJbPNUuOadq/rsp75gisKwzSqs cDpTSXF00VjIpIYGYWHZQ4lqZp7IFenlXPBxfaxQdC7FnwWDw1J+vJHj04D6YtiS 62Fu2AyLrEibI5yTK4JRPcn1h3JV/e/L3Jor0ybOY9gYjNCzq2Rtf/wWCBHsBF/g lHW7PBSBVJbvDF+sR+JoV50UUY3UIsn6Elq2cyS2/CkWA1hPIp12rtlRqMrtiXFt 9Pnu59dZWBiLSWcIldN4lCIreyHoaw== =gaHd -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181015232912.GL19709%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] dispVM shuts down immediately after starting (I'm trying to run xterm)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, Oct 15, 2018 at 10:41:45PM +, floasretch wrote: > ‐‐‐ Original Message ‐‐‐ > On Monday, October 15, 2018 3:34 PM, Marek Marczykowski-Górecki > wrote: > > > [user@dom0 ~]$ qvm-run --verbose --autostart --dispvm=whonix-ws-dvm > > > --service -- qubes.StartApp+xterm > > > Running 'qubes.StartApp+xterm' on $dispvm:whonix-ws-dvm > > > [user@dom0 ~]$ > > > Is there a log somewhere to tell me what's going wrong? > > > > The +xterm part should be a base name of .desktop file in > > /usr/share/applications (or other directory per XDG standard). xterm on > > Debian happens to have debian-xterm.desktop, so it should be > > qubes.StartApp+debian-xterm. > > Same result with qubes.StartApp+debian-xterm > > Per your response, I verified that whonix-ws-dvm does have > /usr/share/applications/debian-xterm.desktop (and whonix-ws-dvm itself starts > and runs with no problem). I've tried the same command on my whonix-ws-14-dvm and it works... Is your whonix-ws-dvm Whonix 13, or updated to Whonix 14? - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlvFGhgACgkQ24/THMrX 1yx0vwgAlI5BIB+VuC+ibNcPQdFhPXzJm7X0YNEV0T8Ex03sbmeLcEfWe5JKpLII KMSQIIkGtGfVcRAZwnllv18HNls1KxLdXFb3yER/XXAnm89aQcM1IfUmcpT2Eggs mM1YcdXR5fqPKolZZSujTF3mFJBx2QEqnjyPrrSAvPfUFSiljy6cM5Eab+BxVfUV TyX6BztEEKFUEZtErPM07QXLmIpLT6Q8QHA/7UInYdJj56Ih8u6dqvR4xyhHIwkV 17lZFtnvIaX5F3Zja2YR9gPyXRCti+Zpyt9PSi7pIaAdjy3h0BVNIUnSQTiiaS7t maVT8bm/+VMVt0O8lLzXwXuN7QNDaA== =OgQw -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181015225209.GK19709%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] dispVM shuts down immediately after starting (I'm trying to run xterm)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, Oct 15, 2018 at 07:03:50PM +, 'floasretch' via qubes-users wrote: > On Qubes 4.0, when I try to start a dispVM, I get a popup notice that it's > starting, then a popup that it started, then a popup that it halted. I get no > error message, even when I specify --verbose: > > [user@dom0 ~]$ qvm-run --verbose --autostart --dispvm=whonix-ws-dvm --service > -- qubes.StartApp+xterm > Running 'qubes.StartApp+xterm' on $dispvm:whonix-ws-dvm > [user@dom0 ~]$ > > Is there a log somewhere to tell me what's going wrong? The +xterm part should be a base name of .desktop file in /usr/share/applications (or other directory per XDG standard). xterm on Debian happens to have debian-xterm.desktop, so it should be qubes.StartApp+debian-xterm. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlvFB/wACgkQ24/THMrX 1ywowwf/bf65pAOtUDDGUHoyO0gyGtZ+yNDDJ4/64PmSF8bl3V3I4tU6QSoj1y/X 2fJnWWfO2bNm7iopizYConl+5msRZRhbY514vG/vJdhkLI1ZMiExUUoYSUqiO7tE //oyX5CNW1L1egGVoxB4H6uv3bf6UrW9HfBEttIaKSpuaPg1PLagsMssPmyxUBBJ oFcTn9iLI8LrMJR4bNXXatK94deD3NhXyRHZ26udKDi1nKmIq6N2zZIk5p8QuKrg rhWbPawQj58I6oW7v5wFcO5d+wtSVGpOCJs5mhvlg/NAFVwohhQ+iHQDNL5CliKN /6s0QsLbOJ7PJ0cKcpKXNVG9YA6a2Q== =3FCa -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181015213452.GB4138%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Installing qr-exec on HVM
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Oct 05, 2018 at 02:38:28PM -0700, Will Dizon wrote: > Unfortunately, it didn't work still when qubes-gui-agent was running. > > I tried recompiling everything again, and the results have changed quite a > bit. Now, instead of autohiding the HVM window in dom0, I can see a very > clear failure which points me in the direction of Xorg instead. > > Sadly, this feels like a regression, but alas... I'm sure I'll get there > eventually. > > As far as "xl console lfs", dom0 reports "unable to attach console". And in > terms of dom0, it is still giving no sense of failure: > > $ qvm-run --pass-io personal whoami > user > $ qvm-run --pass-io lfs whoami > $ qvm-run lfs "touch /tmp/dummy" > Running 'touch /tmp/dummy' on lfs > > Needless to say, /tmp/dummy doesn't ever emerge. > > The new error is > > systemctl status qubes-gui-agent.service > ... > Process: 660 ExecStart=/usr/bin/qubes-gui $GUI_OPTS (code=exited, > status=1/FAILURE) > ... > lfs qubes-gui[660]: XIO fatal IO error 11 (Resource temporarily unavailable > on X server ":0" > lfs qubes-gui[660]: after 37 requests (36 known processed) with 0 events > remaining) > > X works (startx shows me a desktop and consoles), but nothing yet from > getting Qubes GUI agent and qrexec. qubes-gui-agent starts its own X server, on :0. So, it conflicts with the one started manually with startx. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlvBRPgACgkQ24/THMrX 1yzOfAf/WdwNBlfHtR7Oin5+j3SV48z27ajfarE+UBOXrwZkrsl+mPDrvllou9Kq uVUVOBBswJhAVT9hWhKJbOZvDPW9r4jyKpiidg3FvdRWX7i/Dci5UYK1qqrPuDtw vZs3raKofxmprH7wKNcwcBVslr1SeTOOvbkNkv1WYbS46sGd1X//CWvXghYCQzqL HTX3v732aYO9LADgNwHRV5AQKsBtYLM/Ej8QR2Amd3frHIx905hErix8ForYGzUp JxRIR0ZuAmoK3aQglb1Jon2YmJ0MeOszMP9aqh1BTpTZ+JrM5/hWj2g0NN+rwRIo GOYt7eTlrfmGfAeCgQitOOszc/oSzQ== =g83e -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181013010601.GD5083%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Default keyring
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Oct 12, 2018 at 07:12:35AM -0700, Patrick wrote: > When creating a new template, then launching a browser in it (in order to > install software), a dialog box asks: > > An application wants access to the keyring "Default keyring". > > Never seen this, my passwords don't work. Is that browser chrome/chromium by a chance? I think it's this issue: https://askubuntu.com/questions/31786/chrome-asks-for-password-to-unlock-keyring-on-startup#191490 Either try setting empty password, or try solution with - --password-store=basic. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlvBQkwACgkQ24/THMrX 1yxOAAgAgkTv3NhST1QmRCrAjueYMFRv0bQV9gl+JaPuc99QBI1plqnm5uuQqaEb MbHJ033R0LQhCKneGOUeXu1jEmbeCRlQ3GnDQAuJQRVOl/sszBCuNYL+0cl8oHfg +hUcKADdOGe1fs0ZG8wpm0ty6uJ6HfZ0MCudQz3r97BmBl3fAsNSEs4Y/xxqAJIj 5/7py1tx9R+R026llEfQmDpQq+UllOODoFywMc/RpSkCnDYKyP02SBXvj/2GGD2/ kAGfbncFWSzAztPmMrBKMjejAhAJJ6ztV+m2cdjxd5m1WVqKsPzqGv5SKw5pqBZV T4eTPKICj6bL3b8NK/vQrQ2+2M3LIQ== =XMHS -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181013005437.GC5083%40mail-itl. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Keyboard backlight color based on active qube
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi, I've published the first post on my blog: https://blog.marmarek.net/blog/2018/10/11/keyboard-backlight-color-qubes.html Have fun! - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlu/gc4ACgkQ24/THMrX 1yzDlAf+MBCvqSROoEHJNUy2Nc935pOd8Mt/SwrIeJs9FYX5ZHUhwssu5XQvlsrW 6LwaVtFMFIZnjb8YQb9/f96FrLoP6p9UHUaecs5SmmIq17q3qNJDD9PvuyS9M75f ocNKtk4ELZxfGqNdlqwAhxOKDRRzSsBGzfA8kZAFf7ZnKKxdsWMKWVxGLatfDT96 HTIYbPjTz5oC7rJO+Kno1GwPWyv9574oApHlRBaTzp7SfmiWOtytzBRVtPfp+cBb /bkegV0z68IVXIL9kQ/hHBLElRzmEimuUtBnQXf0T/3VzXip53kwHl6ha7Ch5paH nWQSqV2asJvkhp4X7FL4LYPrxc6npA== =GPun -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181011170102.GO1645%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: debian-9 template
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Oct 10, 2018 at 05:24:33AM -0700, b...@damon.com wrote: > On Friday, April 27, 2018 at 10:46:08 PM UTC+10, higgin...@gmail.com wrote: > ... > > I have been plagued with this issue ever since heeding the call to upgrade > whonix-13 to whonix-14. All my whonix-14 templates are useless. > > I followed the steps carefully, removing / reinstalling. No errors. > > user@host:~$ sudo dmesg | grep segf > [ 11.396489] qubesdb-daemon[232]: segfault at 7994802abff8 ip > 799480098f64 sp 7994802ac000 error 6 in ld-2.24.so[79948008f000+23000] > [ 12.342682] qrexec-agent[648]: segfault at 70d5257f6ff8 ip > 70d5255f3355 sp 70d5257f7000 error 6 in ld-2.24.so[70d5255dd000+23000] > [ 15.903799] qrexec-agent[789]: segfault at 70d5257f6ff8 ip > 70d5255f3355 sp 70d5257f7000 error 6 in ld-2.24.so[70d5255dd000+23000] > [ 1524.123824] qrexec-fork-ser[4430]: segfault at 7b59263a8ff8 ip > 7b59261a2355 sp 7b59263a9000 error 6 in ld-2.24.so[7b592618c000+23000] > [ 1547.347882] qrexec-fork-ser[4456]: segfault at 7b59263a8ff8 ip > 7b59261a2355 sp 7b59263a9000 error 6 in ld-2.24.so[7b592618c000+23000] > [ 1594.046093] qrexec-fork-ser[4527]: segfault at 7b59263a8ff8 ip > 7b59261a2355 sp 7b59263a9000 error 6 in ld-2.24.so[7b592618c000+23000] > [ 2963.435851] qrexec-fork-ser[5300]: segfault at 7b59263a8ff8 ip > 7b59261a2355 sp 7b59263a9000 error 6 in ld-2.24.so[7b592618c000+23000] > [ 3145.932364] qrexec-fork-ser[5413]: segfault at 7b59263a8ff8 ip > 7b59261a2355 sp 7b59263a9000 error 6 in ld-2.24.so[7b592618c000+23000] > > Everything is hosed. > > If anyone has a fix, I would appreciate knowing it. This looks to be the issue described here: https://github.com/QubesOS/qubes-issues/issues/4349 The proper fix is in testing repository right now, you can either install it[1], or apply a workaround listed in that ticket (add noxsave to kernelopts of that template and VMs based on it). Actually, you may need to apply workaround temporarily to be able to install updates... [1] https://www.qubes-os.org/doc/software-update-vm/#debian - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlu+YEUACgkQ24/THMrX 1yzJmQf/b1fFHTpg8noeSUMtKSPw/LRbj9GNYQ7U8YBX5IbpgPLex6oGG9YBIEy0 U0VMPomxKnUtshM4+bAsRJhMSs6VQ/LxWNtjTUEtKPxIizj4e7Y1u37Abh4T5TJy td7vtKkuuEfUqIWfhjjHe9WCjVMHn7PeWV8lfNzB3/2/m1BIngedhPYy8mNLnY+Y CT7laBNR3LvFYVl9VXiwOBKCBM6EcAh5TA8k6Dv36pwOiBhGpYBcP2RwCn3nBVb4 wVv6XkOy3ZPX9okiJkGzBEFn3YzqfWTjKStvHVk0x6BX7dWRP4iChc2E4tcNa6hj r4Ak9U912AIZfmh3RH3lnXywRpRihg== =FW0q -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181010202541.GB5083%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Forbidding VM create/delete/edit network settings from within dom0 for enterprise use-case
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Fri, Sep 14, 2018 at 09:18:38AM -0700, Yethal wrote: > W dniu piątek, 14 września 2018 13:21:14 UTC+2 użytkownik Nils Amiet napisał: > > Hi everyone, > > > > I would like to lock-down Qubes OS so that VMs can't be created or deleted, > > nor edited (e.g. modify the associated NetVM). > > > > I already read documentation about qrexec policies, the Admin API and > > qubes-core-admin extensions. > > > > If I understand correctly, the Admin API cannot be used to prevent the user > > from creating a VM from dom0. For example, from the dom0 terminal I tried > > adding the following line to `/etc/qubes-rpc/policy/admin.vm.Create.AppVM`: > > > > ``` > > $adminvm $adminvm deny > > ``` > > > > But then I am still able to run `qvm-create test --label blue`. Is there > > something I am missing here or is the policy not being honored on dom0? Why > > is that? > > > > I also noticed that the Qubes extensions fire some events and it is > > possible to write hooks for those events > > (https://dev.qubes-os.org/projects/core-admin/en/latest/qubes-ext.html). > > Would it be possible to write a Qubes extension that hooks to some event > > that is fired whenever a VM is created and use that mechanism to block VM > > creation? > > > > Would the GUI domain that is planned for Qubes OS 4.1 change the situation > > or help implementing this at all? > > > > The workaround I'm thinking about is to run Xfce4 in kiosk mode, remove > > application menu entries, keyboard shortcuts, desktop right click menu to > > prevent access to dom0 but this is just a workaround and it probably we > > can't be sure that it will work with upcoming Qubes OS releases. Any > > thoughts on that? > > > > Thank you, > > > > Nils > > Wait for 4.1. The plan is that users will not have direct access to dom0. > Instead gui domain will have api access to management functions and it will > be possible to restrict it for corporate use case. Yethal is right - "the proper" solution is using GUI domain, which will be isolated from dom0 and can have policies applied. Right now, with direct dom0 access, qrexec policy is not enforced when the action is performed from dom0. Alternatively the workaround you propose could work, but needs to be extended to also Admin API - local user must be excluded from "qubes" group (which gives direct access to qubes services) and instead add a proxy which checks qrexec policy even if action is performed from dom0. That is not unthinkable, but definitely require some work, and still it is a workaround. But Qubes 4.1 is still in development and I think will not be ready this year, maybe Q1 2019, depending on progress. GUI domain related stuff can be tracked here: https://github.com/QubesOS/qubes-issues/issues/833 - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlug/b4ACgkQ24/THMrX 1yzFpwf+OcFW/oMb+kbnkIAj05wLc5rFoRqTni0qpjfs/V+enUg00fJpFlxg0XTy tIwjVs9Lz4Y/OsjhNQrtzaKFJOtDhBmJjnbpORg22iQ0Lxazg3cbZ2LWTdEhD/I3 P2lrkYEelJ/qUAJ0Lybfdv2Xj+nIdDhakbRNyWo6t/0F2aXXKIVPu5LNGzh9tHmp QcDKA9hE6nKz4Vg/EJbiuvg8ENKFR5CLkOt/7aKzFCcTcBvAeeVHMPB9d5x11DSU ibNBA0Nuw6EGAE4xSP0T1DJgWB39yM4KYozhskWqUyIH19kv7pglh5rTT1UXtuvL KxyysvSKm5fSutIef/BjVlKZK2EJ9w== =+3cX -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180918132935.GB1577%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: qubes-u2f not installing on templates
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, Sep 17, 2018 at 04:14:00PM +0300, Ivan Mitev wrote: > > > On 9/17/18 3:32 PM, digitalintag...@gmail.com wrote: > > On Monday, September 17, 2018 at 6:24:45 AM UTC-6, digital...@gmail.com > > wrote: > >> https://www.qubes-os.org/news/2018/09/11/qubes-u2f-proxy/ > >> > >> Wojtek shared this on 9/11/18. > >> > >> Following the instructions, I'm not able to install qubes-u2f on either my > >> debian or fedora templates. Anyone else have similar issues? > > The packages are still in the current-testing repositories, and you > likely didn't enable them. > > > > to clarify, the package manager doesn't find the named package on either > > distro. > I don't use the graphical package manager so no idea how to enable > current-testing there, but if you use a terminal it's pretty > straightforward: > > For dom0: > > sudo qubes-dom0-update \ > --enablerepo=qubes-dom0-current-testing qubes-u2f-dom0 > > And for a fedora (template)VM: > > sudo dnf --enablerepo=qubes-vm-r4.0-current-testing install \ > qubes-u2f > > > There should be something similar for debian's apt-get All u2f-related packages area already in stable repository (since yesterday), so the above is not needed anymore. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlug+oAACgkQ24/THMrX 1yynlQgAjCg01eBO5X2ZlVraOB7bzuO1a2LvYFiAMIqFYDk/x3t8F0eBXjg3dlDZ vCYhO6Xi3b1PzaIyKMy8yaU5LmGnnAPsd2Bbiwnge7q8JYQumQJS+s2IG3Y3Om5z S+9mZqEgpTALBwQ3ra5w6sGite722JC4477wq581sT6BvH0eeWBgzHqVYv/+oVCF bOUdxgy/GCyv8/3njx+j4ZbQymFz2NMfatsm4D3T5rAhCOhBbCUUNsTHzLt0q6Jy GXIhJe8UBRsxevgeHklozjObbK3X2giJPbMct4iNwQVc7ea0xgiHXZ7sH2gEwNIr iGSjD6P3J9VhYUx6x2n4k/XimbSRaw== =PV37 -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180918131545.GA1577%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: QSB #43: L1 Terminal Fault speculative side channel (XSA-273)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Mon, Sep 03, 2018 at 01:46:11AM -0500, Andrew David Wong wrote: > On 2018-09-02 22:22, pixel fairy wrote: > > is it still necessary to disable hyper threading after upgrading > > in qubes 4? > > > > Hyper-threading should be disabled in Xen after you install the updates. > It should not be necessary for you to take any further action to > disable it there. > > If you're asking whether you should also disable it in your BIOS > settings, then I'm not sure (CCing Marek). There is no need to additionally disable it in BIOS. Xen's smt=off option means it won't be used even if BIOS reports its availability. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAluM7v8ACgkQ24/THMrX 1ywhvggAk05Ra0VOk/rEelhxGqrQGPouTJWfmGL5/jpDRU7QTmErB2BqqHNQXbY0 TvJD+8DJTQBT84Gw+JrN4CYamS7VXMFFngekxDV4tZWfnkNiJQTJzM+Raa0zBcC2 7m10uoz1T8G9U5AH+5+yfCEx9hHgRn96SFbxmasOwRSyqIQ4MP4IPWLKzeh7EmbE U0iCKxsEjzD2V8HfDo3CoTfg0mXhygiQPF8qWDTs30hBPVYC14evci94sX2YqP40 8h/NRtZRMNk32F/+H8OU1fPHocO9/LbejU0jkeCxah3BRD3pkHLlCk5f+8hJfwOb 9eRwYGBIyJqYWervftRTN7oJLxCFZw== =T+UF -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180903082119.GB1371%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] fedora warning
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sat, May 26, 2018 at 03:25:23PM -0400, haaber wrote: > > > > I just installed f27 in ins full and minimal template on Q4.0 from > > > the repos. When installing extra packages (for example sys-net > > > tools) in f27-minimal the download works, BUT checksums fails. The > > > point is that fucking dnf ignorantly installs the packages anyhow > > > without putting any questions. Result: such a tempate is > > > compromised right from the beginning, I will have to delete it > > > without ever running it. > > > > > > The warning to all users is to NEVER run unattended (say, scripted) > > > updates on fedora based templates since apparently they give a shit > > > on security. > > > > > Checksums are only for integrity, not authenticity. For security, PGP > > signature checking is what matters. > @andrew: you are right, but if even checksums are ignored, pgp won't be > considered either ... and that IS an issue. > > @ awokd (on your question about re-downloads): I hope I was not complaining > based on a misread and I would have liked to verify once more: too late for > this time however, I had deleted the template this morning right away. I'll > re-do it! dnf warns about failed download (for any reason, including unexpected checksum), but then retry download from another mirror. If all mirrors fails then package installation will fail. Example message for such case: https://github.com/QubesOS/qubes-issues/issues/2945#issuecomment-318877445 - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlsJ7wcACgkQ24/THMrX 1yy+zAf+NXlXwb9YOrkp6P4HQQjmQeKSS2roveXErjI9MA6vTUXb72g2KsJUwTHP UygpzUQqGl1ToAnILaImuPmIFdo2R+7qTnpHurbYpnk76foaK2sDEWixIMsQM9AD zmwkkm3NlI3DUX3siagCkBsVE8AwBEX8pIR6pvx4+Glncu70HFBiU84g3dcsqEp0 1HkHUJhIi0f/v1A6/jgkRkhBp7xFl5EfqAN7xSJgiUTeSDoVOeavPRPGT/Oh2yKJ I7Pw3EuaEdQynrjJLrLDCmvHJrpprorjFGuQjzGkMnEP7T+1qQSuhMSbViqKQScN de4CBtdaBwbF5ZLWHDPIIsXakKFJxg== =8fqT -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180526233431.GG20125%40mail-itl. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] No boot after dom0 security repo update on may 15
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Thu, May 17, 2018 at 11:54:03AM -, awokd wrote: > On Wed, May 16, 2018 1:51 pm, pony...@keemail.me wrote: > > Hi all. My machine directly boots into BIOS screen if my Asus Zenbook > > UX303 after updating Qubes 4.0 dom0, security repo enabled. I don't > > remember the error messages (s.th. with keys). > > So I boot from rescue USB Stick. Have to choose (3), going directly to > > shell. — > > And here I'm stuck, since many, many hours. No really helpful, _accurate_ > > instructions for medium talented users found. ;) > > How to replace dom0? Or restore boot files?I've got a pretty fresh > > complete backup on external USB drive, but don't want to install > > everything anew. > > Reinstall/restore might be fastest. If you want to try to fix it, search > this mailing list for "efibootmgr" assuming you have UEFI boot. Sounds > like something got corrupted. Reinstall GRUB if not using UEFI. If that's UEFI, verify content of /boot/efi/EFI/qubes/xen.cfg (/boot/efi is a separate partition, the first one on default install). Verify that default= entry points at existing section and it is the newest one. Also verify if files referenced there looks sane (if you've run out of disk space, those might be smaller than the rest). By editing this file you can also boot earlier kernel. Here is example xen.cfg file: https://www.qubes-os.org/doc/uefi-troubleshooting/#installation-finished-but-qubes-boot-option-is-missing-and-xencfg-is-empty - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlr/GFoACgkQ24/THMrX 1yyCfQf+Ltm7cIZmPvqdDKZXHdsuNOWPVw09lAZ7p/BMEf5WVd4iIkb/5muuRn7C YmNjttaiDDcNd5u6teNCs3xHMyC3sxcjaqNwyyWAK8eZ2RACo1rYryCPZiirNbGp Tzf5fkmrQZHvEN7n6EAolx6B+G3GBiiAEDM+TmDnqEMDXsML8HwGh0T7Fh8H+IBe YqsigU7zqQGC/kWeUfbLgdaBbe+jUUioJQWBEb5xvmbzdn7kfQuzGmTBqqqyTIkY +iDZbNl9UaD1SqHLzfqtjeFKo9l21FV1HVm6NG90AwPbTWIGHLppKEMICEKEmUcM EerCf238hhUi6+gkOLeLOTRIG5yaOQ== =eBH7 -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180518181555.GB20125%40mail-itl. For more options, visit https://groups.google.com/d/optout.
