[qubes-users] Re: Help me test fixes for Intel IGD graphical artifacts on Qubes R4.0

2021-01-15 Thread Marek Marczykowski-Górecki

On Sat, Jan 16, 2021 at 01:49:25AM +, Jinoh Kang wrote:
> On 1/15/21 8:06 PM, Marek Marczykowski-Górecki wrote:
> > On Fri, Jan 15, 2021 at 05:29:43PM +, Jinoh Kang wrote:
> >> Is qubes-xorg-x11-drv-intel an option?  Upstream hasn't released for years 
> >> after all...
> > 
> > Something like this. In fact the current (Fedora) package is already
> > built from git snapshot.
> 
> Here's the catch: Fedora hasn't been bumping gitdate for almost a year,
> as seen in Pagure [1].
> 
> > We do backport this package from newer Fedora already:
> > https://github.com/QubesOS/qubes-linux-dom0-updates
> 
> That one from Fedora 28 is a bit behind, too.
> 
> > 
> > But I would prefer to get it upstream anyway (and then possibly build
> > xorg-x11-drv-intel from newer git snapshot).
> 
> Something like this?  (haven't built it yet, will fix later)

I guess, yes.

> diff --git a/src/sna/kgem.c b/src/sna/kgem.c
> index 6a35067c..8a7af809 100644
> --- a/src/sna/kgem.c
> +++ b/src/sna/kgem.c
> @@ -7023,6 +7023,8 @@ struct kgem_bo *kgem_create_map(struct kgem *kgem,
>   struct kgem_bo *bo;
>   uintptr_t first_page, last_page;
>   uint32_t handle;
> + struct drm_i915_gem_set_domain set_domain;
> + bool move_to_gtt = false;
>  
>   assert(MAP(ptr) == ptr);
>  
> @@ -7043,20 +7045,10 @@ struct kgem_bo *kgem_create_map(struct kgem *kgem,
>read_only);
>   if (handle == 0) {
>   if (read_only && kgem->has_wc_mmap) {
> - struct drm_i915_gem_set_domain set_domain;
> -
>   handle = gem_userptr(kgem->fd,
>(void *)first_page, 
> last_page-first_page,
>false);
> -
> - VG_CLEAR(set_domain);
> - set_domain.handle = handle;
> - set_domain.read_domains = I915_GEM_DOMAIN_GTT;
> - set_domain.write_domain = 0;
> - if (do_ioctl(kgem->fd, DRM_IOCTL_I915_GEM_SET_DOMAIN, 
> _domain)) {
> - gem_close(kgem->fd, handle);
> - handle = 0;
> - }
> + move_to_gtt = true;
>   }
>   if (handle == 0) {
>   DBG(("%s: import failed, errno=%d\n", __FUNCTION__, 
> errno));
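Review bot: with the SET_DOMAIN call moved out of this branch, nothing left here says why the wc-mmap re-import has to end up in the GTT domain; add a one-line comment next to `move_to_gtt = true;` (the retry imports the pages without `read_only`, and the GTT read domain is what the removed code requested for exactly that case) so the flag is understandable without reading the next hunk. Note also that the `handle == 0` fallback below now only reports gem_userptr failures; a failed SET_DOMAIN no longer lands in the "import failed" path, which keeps that DBG wording accurate.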
> @@ -7064,6 +7056,21 @@ struct kgem_bo *kgem_create_map(struct kgem *kgem,
>   }
>   }
>  
> + VG_CLEAR(set_domain);
> + set_domain.handle = handle;
> + if (move_to_gtt) {
> + set_domain.read_domains = I915_GEM_DOMAIN_GTT;
> + set_domain.write_domain = 0;
> + } else {
> + set_domain.read_domains = I915_GEM_DOMAIN_CPU;
> + set_domain.write_domain = I915_GEM_DOMAIN_CPU;
> + }
> + if (do_ioctl(kgem->fd, DRM_IOCTL_I915_GEM_SET_DOMAIN, _domain)) {
> + gem_close(kgem->fd, handle);
> + DBG(("%s: set_domain in import failed, errno=%d\n", 
> __FUNCTION__, errno));
> +     return NULL;
> + }
> +
>   bo = __kgem_bo_alloc(handle, (last_page - first_page) / PAGE_SIZE);
>   if (bo == NULL) {
>   gem_close(kgem->fd, handle);
> 
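Review bot: the DBG that prints `set_domain in import failed, errno=%d` runs after `gem_close(kgem->fd, handle);`, which issues another ioctl and may overwrite errno; save errno before the close (or move the DBG above it) so the logged value is the SET_DOMAIN failure and not the close's result. Second, requesting `I915_GEM_DOMAIN_CPU` for both read and write on every successful import is the real behaviour change in this patch, and it makes a SET_DOMAIN failure fatal for every import rather than only for the wc-mmap fallback, so a caller of kgem_create_map can now get NULL where it previously got a mapping; the patch is posted without a commit message, so please add one that states which kernel-side check this is meant to surface early and why returning NULL is the desired fallback.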
> ---
> 
> [1] 
> https://src.fedoraproject.org/rpms/xorg-x11-drv-intel/blob/master/f/xorg-x11-drv-intel.spec#_3
> 

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20210116015337.GE4914%40mail-itl.


[qubes-users] Re: Help me test fixes for Intel IGD graphical artifacts on Qubes R4.0

2021-01-15 Thread Marek Marczykowski-Górecki

On Fri, Jan 15, 2021 at 05:29:43PM +, Jinoh Kang wrote:
> Is qubes-xorg-x11-drv-intel an option?  Upstream hasn't released for years 
> after all...

Something like this. In fact the current (Fedora) package is already
built from git snapshot.
We do backport this package from newer Fedora already:
https://github.com/QubesOS/qubes-linux-dom0-updates

But I would prefer to get it upstream anyway (and then possibly build
xorg-x11-drv-intel from newer git snapshot).



[qubes-users] Re: Help me test fixes for Intel IGD graphical artifacts on Qubes R4.0

2021-01-13 Thread Marek Marczykowski-Górecki

On Wed, Jan 13, 2021 at 01:21:51PM +, Jinoh Kang wrote:
> On 1/11/21 11:03 PM, Marek Marczykowski-Górecki wrote:
> > So, I can confirm the (fixed) 5.10 patch also improves the situation.
> 
> Sounds good.  Thanks for testing!
> 
> > Have you sent it upstream?
> 
> No, qubes-users and qubes-devel are the only mailing list where I
> posted this.
> 
> I guess chances of these patches being merged upstream would not be
> that great.

If that bug indeed affects only Qubes OS, there is a greater chance to
accept the patch, if the option defaults to false.

> After all, we're not going to need it with Qubes R4.1.

Are you sure? The issue affects dom0 windows, which suggests it still
may be necessary. On the other hand, your patch description suggests
it's just that any VM-mapped window triggers the faulty path in the
xf86-video-intel driver, which later affects all of the output.

> > I do consider including it in our standard
> > kernel package, but I'd like to see i915 driver maintainer opinion
> > first.
> 
> If you mean you'd prefer to have it upstreamed, I'd appreciate some
> Tested-by: and/or Reviewed-by: lines for the trailer from you.

Can you send a fixed patch (that builds), rebased on top of recent Linux
(5.11-rc3, or recent 5.10)? I'll re-test and add my Tested-by:.

> I'm fine as well if you'd rather just submit it yourself.
> 
> Otherwise I suppose I shall only CC' the maintainers and not the list?

Generally, Linux patches should be sent to whoever the MAINTAINERS file
lists, which does include some mailing lists. I highly recommend using
the scripts/get_maintainer.pl script for that purpose (if you use git
send-email, that's as easy as --cc-cmd=scripts/get_maintainer.pl).

PS The other (independent) issue I mentioned seems to be
https://bugzilla.suse.com/show_bug.cgi?id=1180543, which is supposed to
be already fixed in >=5.10.6. I've already uploaded 5.10.7, but haven't
tested it on this particular machine yet.



[qubes-users] Re: Help me test fixes for Intel IGD graphical artifacts on Qubes R4.0

2021-01-11 Thread Marek Marczykowski-Górecki

On Thu, Dec 24, 2020 at 02:21:22AM +, Jinoh Kang wrote:
> When using some Intel integrated graphics cards on Qubes R4.0, screen
> glitches may manifest after switching VTs or entering suspend mode.
> 
> A known workaround does exist for this bug, which is to add a
> configuration file with the following contents within
> /etc/X11/xorg.conf.d:
> 
> > Section "Device"
> >   Identifier "Intel Graphics"
> >   Driver "modesetting"
> >   Option "AccelMethod" "glamor"
> >   Option "DRI" "3"
> > EndSection
> 
> However, the X11 modesetting driver version in Fedora 25 has its own
> drawbacks:
> 
> * It freezes briefly when re-configuring monitors (e.g. plugging in an
>   external monitor or changing screen resolution)
> * XRandR keystone support is buggy
> 
> To remediate this, I've patched the Linux i915 driver and it has been
> working fine for months.  Only the patch for Linux 4.19 has been tested.
> 
> If anyone is affected by the issue, please feel free to test the
> follow-up patches and give some feedback here.

So, I can confirm the (fixed) 5.10 patch also improves the situation.
Have you sent it upstream? I do consider including it in our standard
kernel package, but I'd like to see i915 driver maintainer opinion
first.



[qubes-users] Re: [PATCH v5.10] drm/i915/userptr: detect un-GUP-able pages early

2021-01-10 Thread Marek Marczykowski-Górecki
   const char *name,
>const char *type,
> diff --git a/drivers/gpu/drm/i915/i915_params.h 
> b/drivers/gpu/drm/i915/i915_params.h
> index 330c03e2b4f7..1169a610a73c 100644
> --- a/drivers/gpu/drm/i915/i915_params.h
> +++ b/drivers/gpu/drm/i915/i915_params.h
> @@ -79,6 +79,7 @@ struct drm_printer;
>   param(bool, disable_display, false, 0400) \
>   param(bool, verbose_state_checks, true, 0) \
>   param(bool, nuclear_pageflip, false, 0400) \
> + param(bool, gem_userptr_prefault, true) \

param(bool, gem_userptr_prefault, true, 0600)

>   param(bool, enable_dp_mst, true, 0600) \
>   param(bool, enable_gvt, false, 0400)
> 
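Review bot: the added line `param(bool, gem_userptr_prefault, true) \` has three arguments while every neighbouring entry in this macro list has four, the last being the sysfs permission mode (0400, 0 and 0600 on the visible lines), so it will not compile against the `param()` definition those lines use; the form given in the reply, `param(bool, gem_userptr_prefault, true, 0600) \`, is the fix, and the mode deserves a conscious choice: 0600 makes the knob writable through /sys/module/i915/parameters/ at runtime as for enable_dp_mst, whereas 0400 (as for disable_display) leaves it settable only from the kernel command line or modprobe options.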


Re: [qubes-users] Re: Please help test kernel 5.4 in anticipation of Qubes 4.0.4-rc2

2020-11-28 Thread Marek Marczykowski-Górecki

On Sat, Nov 28, 2020 at 01:21:04PM +0100, donoban wrote:
> On 11/28/20 1:04 PM, donoban wrote:
> > Hi,
> > 
> > I have some problems after just booting. There is an error at dom0 and a
> > some VM's fail to start (others run fine).
> 
> The VMs which failed were running PV mode, switching to PVH fixed them.

This seems to be:

https://github.com/QubesOS/qubes-issues/issues/6052

So, it is related to the Linux kernel version, not really the Xen version.



Re: [qubes-users] Re: Please help test kernel 5.4 in anticipation of Qubes 4.0.4-rc2

2020-11-28 Thread Marek Marczykowski-Górecki

On Fri, Nov 27, 2020 at 11:41:12PM +0100, Ludovic Bellier wrote:
> Le 27/11/2020 à 15:58, Andrew David Wong a écrit :
> > The package is already available in current-testing. [3]
> > 
> > [3] https://www.qubes-os.org/doc/testing/
> > 
> Hi,
> 
> I tried to install, but I think it doesn't install because I already
> installed kernel-latest (I need it for my ethernet card):
> 
> [xxx@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing
> kernel

Try adding `--action=update` option.



[qubes-users] QSB #61 Information leak via power sidechannel (XSA-351)

2020-11-11 Thread Marek Marczykowski-Górecki

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #61: Information
leak via power sidechannel (XSA-351). The text of this QSB is
reproduced below. This QSB and its accompanying signatures will always
be available in the Qubes Security Pack (qubes-secpack).

View QSB #61 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-061-2020.txt

Learn about the qubes-secpack, including how to obtain, verify, and read
it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

View XSA-351 in the XSA Tracker:

https://www.qubes-os.org/security/xsa/#351

```


 ---===[ Qubes Security Bulletin #61 ]===---

 2020-11-10


   Information leak via power sidechannel (XSA-351)


Summary
=======

On 2020-11-10, the Xen Security Team published Xen Security Advisory
351 (XSA-351) [1] with the following description:

| Researchers have demonstrated using software power/energy monitoring
| interfaces to create covert channels, and infer the operations/data used
| by other contexts within the system.
| 
| Access to these interfaces should be restricted to privileged software,
| but it was found that Xen doesn't restrict access suitably, and the
| interfaces are accessible to all guests.
| 
| For more information, see:
|   https://platypusattack.com
|   
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html
| 
| An unprivileged guest administrator can sample platform power/energy
| data.  This may be used to infer the operations/data used by other
| contexts within the system.
| 
| The research demonstrates using this sidechannel to leak the AES keys
| used elsewhere in the system.


Patching
========

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes 4.0:
  - Xen packages, version 4.8.5-26
  For Qubes 4.1:
  - Xen packages, version 4.14.0-7

The packages are to be installed in dom0 via the Qube Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.


Credits
=======

See the original Xen Security Advisory.


References
==========

[1] https://xenbits.xen.org/xsa/advisory-351.html

--
The Qubes Security Team
https://www.qubes-os.org/security/
```
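
The bulletin names the fixed Xen package version for each release but gives no way to confirm that a given dom0 is already past it. The script below is an added example, not part of QSB #61 or of Qubes' own tooling: it compares the installed Xen version against the fixed one using the RPM version-ordering rules rather than a plain string comparison (so 4.14.0-7 is correctly older than 4.14.0-10, and a release with a dist tag such as 26.fc25 is newer than the bare 26). It assumes the dom0 package is called `xen-hypervisor` and that `rpm` is on the path; the fixed versions are the ones quoted in the bulletin, and the code avoids f-strings so it also runs on the Python 3.5 shipped in a Qubes 4.0 dom0.

```python
"""Check dom0's Xen package against the version QSB #61 names as fixed.

Added example; not part of the bulletin or of Qubes' own tooling. It
re-implements the RPM version comparison (split into numeric and alpha
segments, numbers compare numerically and beat letters, on a tie the
string with more segments is newer) so rpmdev-vercmp is not needed.
The package name xen-hypervisor is an assumption.
"""
import re
import subprocess

# From the QSB text: Qubes release -> fixed VERSION-RELEASE of the Xen packages.
QSB_061_FIXED = {"4.0": "4.8.5-26", "4.1": "4.14.0-7"}

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def _segment_cmp(a, b):
    """Compare one VERSION or RELEASE string the way rpmvercmp does."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x_num != y_num:
            return 1 if x_num else -1       # a numeric segment is newer than an alpha one
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):                  # "26.fc25" is newer than "26"
        return -1 if len(sa) < len(sb) else 1
    return 0


def rpm_vercmp(a, b):
    """Compare two 'VERSION-RELEASE' strings; -1, 0 or 1 like rpmvercmp."""
    av, _, ar = a.partition("-")
    bv, _, br = b.partition("-")
    return _segment_cmp(av, bv) or _segment_cmp(ar, br)


def is_fixed(installed, fixed):
    """True when the installed version is the fixed one or a later build."""
    return rpm_vercmp(installed, fixed) >= 0


def installed_xen_version(package="xen-hypervisor"):
    """VERSION-RELEASE as rpm reports it in dom0; None when rpm is unavailable."""
    try:
        out = subprocess.check_output(
            ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", package])
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.decode().strip()


def check(release, installed):
    """One-line verdict for a Qubes release and an installed Xen version."""
    fixed = QSB_061_FIXED[release]
    state = "patched" if is_fixed(installed, fixed) else "VULNERABLE (XSA-351)"
    return "Qubes %s: xen %s vs fixed %s -> %s" % (release, installed, fixed, state)


if __name__ == "__main__":
    version = installed_xen_version()
    print(check("4.0", version) if version else "rpm not found; run this in dom0")
```

Run it from a dom0 terminal; anywhere else it only reports that rpm is unavailable. Because the comparison follows RPM ordering, the fixed build and any later rebuild (including one carrying a dist tag) pass, and an older release number fails even when it sorts higher as a string.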


[qubes-users] QubesOS and 3mdeb "minisummit" 2020 - starting online today!

2020-05-20 Thread Marek Marczykowski-Górecki

Hi,

This year we're doing a "minisummit" with 3mdeb in an online format.
It starts today; you can watch it live and ask questions, or watch the
recordings later. More details here:

https://blog.3mdeb.com/2020/2020-05-15-qubesos/

Links to live stream are here:
https://twitter.com/3mdeb_com/status/1263068441319223296



Re: [qubes-users] Re: Fedora 30 approaching EOL, Fedora 31 TemplateVM available, Fedora 32 TemplateVM in testing

2020-05-03 Thread Marek Marczykowski-Górecki

On Sun, May 03, 2020 at 08:57:52PM +0100, lik...@gmx.de wrote:
> 
> > Fedora 32 TemplateVM in testing
> > ===
> > 
> > For advanced users, a new Fedora 32 TemplateVM is currently available in
> > the `qubes-templates-itl-testing` repository for both Qubes 4.0 and 4.1.
> > We would greatly appreciate testing and feedback [6] from the community
> > regarding this template.
> 
> What's the expectation for Fedora 32 to reside in testing templates before 
> it's moved to official repos?
> I'm asking because it might be worth waiting for Fedora 32 before moving 
> first to Fedora 31. This is of course only reasonable if it will be before 
> EOL of Fedora 30.

You can track template testing here:
https://github.com/QubesOS/qubes-issues/issues/5761
(especially see issues linked there)
Sadly, Python 3.8 in there breaks a few things (including updates via
salt), so it may not be ready before Fedora 30 EOL.



Re: [qubes-users] AppVM won't start any application

2020-04-26 Thread Marek Marczykowski-Górecki

On Thu, Apr 23, 2020 at 09:25:56PM +, 'bfgvusmcar' via qubes-users wrote:
> Hi, I am a new user and I'm very happy with the OS. I installed it a few days 
> ago and I seem to have an issue. I would delete and re-create the qube but it 
> could be a helpful opportunity for both me and you to debug some issue.
> I have a qube based on debian-10 fully updated. It didn't have any particular 
> configuration, a bigger volume as I planned on using it more. Suddenly it 
> won't start any program, not even the terminal.
> From /var/log/xen/console, it seems like the AppVM is starting:

(...)

> [.[0;1;31mFAILED.[0m] Failed to start .[0;1;39mFile System Check on 
> /dev/xvdb.[0m.
> See 'systemctl status systemd-fsck@dev-xvdb.service' for details.

This does look like an issue. The xvdb device is the "private" volume, where
/rw and /home live, so this is an important part.
Try extracting more info about it from dom0:

qvm-run -p -u root vm 'systemctl status systemd-fsck@dev-xvdb.service'

Check also earlier entries, specifically the "Initialize and mount /rw and
/home" service (some of its messages are marked mount-dirs.sh).

> A popup now appears (it wasn't appearing before): "Domain has failed to 
> start: Snapshot origin LV vm-debian-10-root not found in Volume group 
> qubes_dom0".

This, on the other hand, is about the "root" volume. But LVM setup happens
before anything starts inside the VM; if this were the cause, you
wouldn't get any output from the VM. Check the modification time on the
log to see whether it is really from the latest attempt.

Can you start the debian-10 template itself? Or does it fail the same way?

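
The triage in the reply (find the failed unit in the VM's console log, ask systemd inside the VM about it with qvm-run, and look at the earlier private-volume messages) can be scripted. The following is an added example, not from the thread or from Qubes' own tools: it strips the ANSI colour codes systemd writes to the console, including the mangled form seen in the quoted log where the escape byte became a `.`, pulls out every FAILED/DEPEND line together with the unit named in the `See 'systemctl status ...'` hint that follows it, and emits the dom0 `qvm-run` commands to run next. The sample log is constructed around the two lines quoted in the thread; the VM name, the mount-dirs.sh wording and the guest log path are assumptions.

```python
"""Extract failed systemd units from a Qubes VM console log and build the
dom0 follow-up commands. Added example, not part of the thread or of Qubes.
The escape byte of ANSI colour codes is often replaced by '.' in archived
logs (as in the quoted lines), so both forms are stripped before matching.
"""
import re
import sys

ANSI = re.compile(r"(?:\x1b|\.)\[[0-9;]*m")          # ESC[...m, intact or with ESC -> '.'
STATE = re.compile(r"^\[(?P<kind>FAILED|DEPEND)\] "
                   r"(?:Failed to start|Dependency failed for) (?P<what>.+?)\.$")
HINT = re.compile(r"See 'systemctl status (?P<unit>\S+)' for details\.")

# Constructed sample built around the two lines quoted in the thread;
# the mount-dirs.sh wording is invented.
SAMPLE_LOG = "\n".join([
    "[  OK  ] Started Qubes misc post-boot actions.",
    "mount-dirs.sh[301]: checking /dev/xvdb",
    "[.[0;1;31mFAILED.[0m] Failed to start .[0;1;39mFile System Check on /dev/xvdb.[0m.",
    "See 'systemctl status systemd-fsck@dev-xvdb.service' for details.",
    "[.[0;1;33mDEPEND.[0m] Dependency failed for /rw.",
    "[  OK  ] Reached target Qubes VM startup.",
])


def strip_ansi(line):
    return ANSI.sub("", line)


def failed_units(log_text):
    """[{kind, what, unit}] per FAILED/DEPEND line; unit comes from the hint that follows."""
    found = []
    for line in map(strip_ansi, log_text.splitlines()):
        m = STATE.match(line)
        if m:
            found.append({"kind": m.group("kind"), "what": m.group("what"), "unit": None})
            continue
        h = HINT.search(line)
        if h and found and found[-1]["unit"] is None:
            found[-1]["unit"] = h.group("unit")
    return found


def private_volume_context(log_text):
    """Earlier lines about the private volume (xvdb, mount-dirs.sh) the reply says to check."""
    return [strip_ansi(l) for l in log_text.splitlines()
            if "xvdb" in l or "mount-dirs.sh" in l]


def triage_commands(vm, log_text):
    """dom0 commands: one systemctl status per named unit, then a catch-all for the rest."""
    units = [r["unit"] for r in failed_units(log_text) if r["unit"]]
    cmds = ["qvm-run -p -u root %s 'systemctl status %s'" % (vm, u)
            for u in sorted(set(units), key=units.index)]
    cmds.append("qvm-run -p -u root %s 'systemctl --failed --no-pager'" % vm)
    return cmds


if __name__ == "__main__":
    # Usage: triage.py <vm> [/var/log/xen/console/guest-<vm>.log]  (log path is an assumption)
    vm = sys.argv[1] if len(sys.argv) > 1 else "work"
    log = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_LOG
    for rec in failed_units(log):
        print("%s: %s (unit: %s)" % (rec["kind"], rec["what"], rec["unit"]))
    print("\n".join(triage_commands(vm, log)))
```

A DEPEND line has no status hint of its own, which is why the catch-all `systemctl --failed` command is always appended; the unit-specific commands are emitted in log order and deduplicated.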


Re: [EXT] Re: [qubes-users] Qubes Updater doesn't update

2020-03-27 Thread Marek Marczykowski-Górecki
On Sat, Mar 28, 2020 at 12:57:55AM +0100, Ulrich Windl wrote:
> On 2020-03-21 20:39, Marek Marczykowski-Górecki wrote:
> ...
> > Sounds like https://github.com/QubesOS/qubes-issues/issues/5705
> > The fix is already in current-testing repository, and will be uploaded
> > to current (aka stable) in few days.
> ...
> 
> Had the problem with whonix-gw-15 and whonix-ws-15 today (when no Dom0
> update was displayed). I decided to update both templates via Qubes Manager
> and then manually update Dom0 via command line.
> Should the problem be gone from now on, then?

Yes.



Re: [qubes-users] Qubes Updater doesn't update

2020-03-21 Thread Marek Marczykowski-Górecki

On Fri, Mar 20, 2020 at 08:21:58PM +, 'trichel' via qubes-users wrote:
> Qubes 4.03
> Qubes updater runs normally without errors, but doesn't actually update 
> *Debian* templates. Same problem with Whonix templates. *Fedora* templates 
> get updated normally. No further details or error messages are provided by 
> the Updater. Qubes Updater also doesn't notice any updates are available for 
> Debian templates, resulting in outdated Templates without the user knowing.
> 
> Updating Debian templates with the Qube Manager just works, but the problem 
> persists.
> 
> Maybe something bugging in my config, or has anybody experienced something 
> similar? Any advice what to do?

Sounds like https://github.com/QubesOS/qubes-issues/issues/5705
The fix is already in current-testing repository, and will be uploaded
to current (aka stable) in few days.



Re: [qubes-users] Re: [4.0] Intel Wi-Fi 6 AX200 adapter

2020-03-19 Thread Marek Marczykowski-Górecki

On Fri, Mar 20, 2020 at 01:05:02AM +0100, Vít Šesták wrote:
> Hello,
> 
> On March 20, 2020 12:33:31 AM GMT+01:00, "Marek Marczykowski-Górecki" 
>  wrote:
> >I didn't spot VT-d errors, but I'm not entirely sure if I've checked.
> >If they are there, this is something definitely worth looking into and
> >most likely an issue within iwlwifi driver (or the firmware). It could
> >be also worth trying booting Fedora 31 Live directly, but add
> >intel_iommu=on kernel option. If that would break it, it's a clear
> >indication that the issue is somewhere between firmware and the driver.
> 
> I have tried to add this option, but it kept working. Does it mean that 
> the driver itself is OK and the issue is in Xen or stubdom?

Likely, but not surely.

Some more ideas what could be wrong:
1. Some config space access is filtered and driver doesn't cope with it.
2. Some extended PCIe feature that driver/firmware assumes present is
not implemented in PCI passthrough.
3. Bug in handling any of supported PCIe features.
4. And there is still a possibility for a bug in the driver/firmware.

For the first hypothesis, I'd try enabling the permissive option (AFAIR
it didn't help by itself), but then enable verbose logging in the pciback
driver:
echo 1 > /sys/module/xen_pciback/parameters/verbose_request
before starting sys-net.

You'll get quite a lot of logs this way, and for understanding them
fully, PCI spec would be handy... But maybe there will be some less
obscure clues, like messages about explicitly failing requests?

For the second hypothesis, I'd take lspci -vv of the device from both
sys-net and dom0 (preferably at exactly the same time, while enabling the
interface, but that's unrealistic). And compare. There will definitely be
some differences (more features visible in dom0), but what would be
valuable is:
 - comparing configuration of features visible in both places
 - correlating missing features with iwlwifi driver
It may be also useful to increase iwlwifi log level (I see 'debug'
module option, seems to be a bitmask).

For the third hypothesis, enable iwlwifi debugging and hope for more
details. Decoding that firmware error would also be useful, but unlikely
without firmware documentation or source code.

If everything above fails, I would thoroughly compare driver behavior on
bare metal and in the VM. Start with the driver debug output and, if there are
still no clues, then log hardware interactions (may require modifying
the driver) and compare them.

Some of the above ideas are quite extreme, and tedious to execute...

PS adding the list back.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl50F2QACgkQ24/THMrX
1ywLuAgAjd/zJfxu9cHAo4h7vEib+0LWOTx55/hv8cGP9CsKNcpIdY6SJfg2Smy1
nhzh7BwxTkwnzGjYsmLzN+NX8uaTOXiLLdoEhoaOGbLekdsfJnXKLyXdu2AEhFHj
ejKYfWTRNLnqDWNViNNhFgx9vbOsasyiQWh0tMJm5cwUkXMz82DTjVqDXBBtgog1
86hMdLcSxRYVNw0q+KL3zmlagpbxDcmwnf0cV6NjyckQ1LWQ+pr/zx3FS74WatJP
D7k7dJ1M6rEdEDJaZ+K+XiXkLzJUufuwwKMlN4VL4SFvwmD5aglZm2B0rdcBBF9a
7pGs+ORAnWH4T4gnpiPi5OcfZWjiAQ==
=SAV0
-----END PGP SIGNATURE-----

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200320010747.GB18599%40mail-itl.
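
As an added example that is not part of the thread, here is a Python script that does the lspci -vv comparison Marek suggests for the second hypothesis: it parses the capability sections of two dumps of the same device and reports capabilities hidden from the VM plus shared capabilities whose settings differ. Both dumps are constructed, trimmed samples standing in for dom0 and sys-net output, not real data from the reporter's machine, and the file names and BDFs mentioned in the docstring are assumptions.

```python
"""Compare the capability sections of two `lspci -vv` dumps of one device.

Added example, not code from the thread. Assumed workflow:
  dom0:    lspci -vv -s <BDF in dom0> > dom0.txt
  sys-net: lspci -vv -s <BDF in VM>   > vm.txt    (the VM sees a different BDF)
  diff_views(open("dom0.txt").read(), open("vm.txt").read())
"""
import re
from typing import Dict, List, Tuple

# Matches "\tCapabilities: [40] Express (v2) Endpoint, MSI 00"
# and "\tCapabilities: [100 v1] Advanced Error Reporting".
CAP_RE = re.compile(r"^\s*Capabilities: \[[0-9a-f]+(?: v\d+)?\] (.+)$")
# Sub-lines that legitimately differ between dom0 and a VM (remapped addresses).
NOISE_RE = re.compile(r"^(Address:|Vector table:|PBA:|Region \d+:)")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def parse_capabilities(lspci_vv: str) -> Dict[str, List[str]]:
    """Return {capability name: [header detail, sub-line, ...]} for one device."""
    caps: Dict[str, List[str]] = {}
    current = None
    cap_indent = 0
    for line in lspci_vv.splitlines():
        if not line.strip():
            continue
        m = CAP_RE.match(line)
        if m:
            header = m.group(1).strip()
            # "MSI: Enable+ ..." -> "MSI"; "Express (v2) Endpoint, MSI 00" -> "Express"
            current = re.split(r"[:(]", header)[0].strip()
            cap_indent = _indent(line)
            caps[current] = [header]
        elif current is not None and _indent(line) > cap_indent:
            detail = line.strip()
            if not NOISE_RE.match(detail):
                caps[current].append(detail)
        else:
            current = None  # back at device level ("Kernel driver in use: ...")
    return caps


def compare_views(dom0: Dict[str, List[str]], vm: Dict[str, List[str]]) -> dict:
    """Capabilities hidden from the VM, plus shared ones whose settings differ."""
    differing: List[Tuple[str, List[str], List[str]]] = []
    for name in sorted(set(dom0) & set(vm)):
        only_dom0 = [l for l in dom0[name] if l not in vm[name]]
        only_vm = [l for l in vm[name] if l not in dom0[name]]
        if only_dom0 or only_vm:
            differing.append((name, only_dom0, only_vm))
    return {
        "missing_in_vm": sorted(set(dom0) - set(vm)),
        "only_in_vm": sorted(set(vm) - set(dom0)),
        "differing": differing,
    }


def diff_views(dom0_text: str, vm_text: str) -> dict:
    return compare_views(parse_capabilities(dom0_text), parse_capabilities(vm_text))


# Constructed, trimmed samples (not real output from any machine in the thread).
DOM0_LSPCI = """\
00:14.3 Network controller: Intel Corporation Wi-Fi 6 AX200 (rev 1a)
\tCapabilities: [c8] Power Management version 3
\t\tFlags: PMEClk- DSI- D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+)
\tCapabilities: [d0] MSI: Enable- Count=1/1 Maskable- 64bit+
\t\tAddress: 0000000000000000  Data: 0000
\tCapabilities: [40] Express (v2) Endpoint, MSI 00
\t\tLnkCtl: ASPM L1 Enabled; RCB 64 bytes Disabled- CommClk+
\tCapabilities: [80] MSI-X: Enable+ Count=16 Masked-
\t\tVector table: BAR=0 offset=00002000
\tCapabilities: [100 v1] Advanced Error Reporting
\tCapabilities: [14c v1] Latency Tolerance Reporting
\t\tMax snoop latency: 3145728ns
\tCapabilities: [154 v1] L1 PM Substates
\t\tL1SubCtl1: PCI-PM_L1.2+ PCI-PM_L1.1+ ASPM_L1.2+ ASPM_L1.1+
\tKernel driver in use: pciback
"""

VM_LSPCI = """\
00:06.0 Network controller: Intel Corporation Wi-Fi 6 AX200 (rev 1a)
\tCapabilities: [c8] Power Management version 3
\t\tFlags: PMEClk- DSI- D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+)
\tCapabilities: [d0] MSI: Enable+ Count=1/1 Maskable- 64bit+
\t\tAddress: 00000000fee00000  Data: 4021
\tCapabilities: [40] Express (v2) Endpoint, MSI 00
\t\tLnkCtl: ASPM Disabled; RCB 64 bytes Disabled- CommClk+
\tCapabilities: [80] MSI-X: Enable- Count=16 Masked-
\t\tVector table: BAR=0 offset=00002000
\tCapabilities: [100 v1] Advanced Error Reporting
\tKernel driver in use: iwlwifi
"""

if __name__ == "__main__":
    report = diff_views(DOM0_LSPCI, VM_LSPCI)
    print("hidden from VM:", report["missing_in_vm"])
    for name, in_dom0, in_vm in report["differing"]:
        print(f"{name}: dom0={in_dom0} vm={in_vm}")
```

MSI address and vector-table lines are filtered out because the VM always sees remapped interrupt addresses; anything else the script lists (a capability the VM cannot see, ASPM or MSI-X state that differs) is what is worth correlating with what the iwlwifi driver expects.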


Re: [qubes-users] Re: [4.0] Intel Wi-Fi 6 AX200 adapter

2020-03-19 Thread Marek Marczykowski-Górecki
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, Mar 19, 2020 at 11:41:55PM +0200, 'Ilpo Järvinen' via qubes-users wrote:
> On Thu, 19 Mar 2020, Vít Šesták wrote:
> 
> > Hello,
> > I have some interesting updates. I have tried to:
> > 
> > a. Boot Fedora 31 on the laptop (Live version from USB drive) – adapter is
> > detected and finds Wi-Fi networks. It just works.
> > b. Boot Fedora 31 Live (from the same USB drive) in a HVM with attached
> > Wi-Fi card. It had 2000MiB of RAM. It fails in the same way as my previous
> > attempts, not sure why.
> > 
> > This looks like the AppVM is fine, but there is some glitch in the PCI
> > handling. It might be related to Xen or to the DM, not sure.
> > 
> > HVM: https://gist.github.com/v6ak/76f2c089c63b1fe184f3717d5bd5254e
> > sys-net with Fedora 31:
> > https://gist.github.com/v6ak/30ecc502d1ce7508953eb3d505564668
> > 
> > I have also resolved the chicken-egg problem – I can connect to the Internet
> > via USB. This is not a permanent solution, but it was good enough for
> > updating dom0. However, the update (+ subsequent reboot) has not changed
> > anything.
> 
> One option would be to compile a kernel with CONFIG_IWLWIFI_TRACING (or
> something like that) and try to provide the trace log to the iwlwifi devs.
> ...It might not help though if it's not a HW/driver issue but a xen/dm/pci
> related thing.

I've seen a very similar thing recently; not sure if it's exactly the same, but
it's very likely.
The sad news is that neither I nor Paweł have managed to fix it yet.
Things we've tried:
 - various kernel versions (including 5.5 and 5.4)
 - different firmware versions (apparently the driver tries to load
   versions so new that they are nowhere to be found yet)
 - various options like permissive mode

I didn't spot VT-d errors, but I'm not entirely sure whether I checked.
If they are there, this is definitely something worth looking into and
most likely an issue within the iwlwifi driver (or the firmware). It could
also be worth trying to boot Fedora 31 Live directly, but with the
intel_iommu=on kernel option added. If that breaks it, it's a clear
indication that the issue is somewhere between the firmware and the driver.

>> 1. Problem: Domain sys-net did not boot at all because of issues with 
>> attaching ethernet PCI device.

Is it a Realtek card? I don't remember exactly what helped, but
something did help here. Paweł, can you help?
It was either attaching the SD card reader (which is another function on the
same PCI device) to sys-net, or enabling the no-strict-reset option (or
maybe permissive?).

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl50AUwACgkQ24/THMrX
1yzCQwf/RHg7jCK7CS0ut98MoI2oDvRf6SJc6oVTNbbklovmmZcRwj9SrXcEw7j9
KQ0X/i7HpEr03MmMxOlQO8R4BUdXqZ5iyDWLnPLNRZimH2ftA55ndOaOqecaQZOc
nzxpeUyEHbO8D/ZwodRoTBF9Tl+e4lI7wOz/O6Ruy604++z3P5gzTuYVp390CiYU
Jt5suLKxoIuICO8EaRBT/5KGDM4BsuW9pfe2YDBs4USWg75D9C86KvgSGZhD6xd/
GwfPd3KXyiPTYHWT5fymupatiPnMVPKjpMQDyOvPbHJqUoUJ+owO/nqfSquWV8Mz
h4M2DffaBN/i8zxxtIWwh0nGLbX/kA==
=c9Wb
-----END PGP SIGNATURE-----

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2020031921.GB19117%40mail-itl.


Re: [qubes-users] Another Intel vulnerability

2020-03-12 Thread Marek Marczykowski-Górecki
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Wed, Mar 11, 2020 at 04:05:03PM +0800, Sandy Harris wrote:
> https://techxplore.com/news/2020-03-unfixable-flaw-intel-chipset.html

As with many other firmware-level vulnerabilities, this can't be
exploited on Qubes, because no VM can talk to that firmware directly in
the first place.
But the issue is deeper, as it isn't only about the OS layer, but about
keys embedded inside the CPU. If those keys are leaked, many CPU crypto
features become useless. The exact list isn't clear to me, but it may
apply to:
 - fTPM (not used in Qubes),
 - SGX (not used in Qubes),
 - microcode verification (used in Qubes, but inaccessible to VMs),
 - ME/FSP/other firmware verification (used by the platform, before Qubes is
   loaded, but may affect system runtime)

There are some rumors that some of the keys may not be unique to a
specific CPU, but shared across a CPU family - in that case, a key extracted
from one CPU may be used to prepare malware for other systems with the
same CPU family.

In any case, it looks like even if some of the keys are leaked using
this vulnerability, the attacker would need physical access (or to break
into dom0) to attack Qubes, as the relevant interfaces are not available
from within a VM.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl5qQIcACgkQ24/THMrX
1yyTJgf/cvES/MttCVUcV/RYYFLIgW2H5SBTtR2XU/kMJF2crppM8NPpie0Q5a+c
qB53aha3h8D5Y66SiKzBN2dSy2halqQv+yCvdSiffbYWJWPCC17xNg/nRBFQ7jG2
owa0zkcYQOwN9Fm2O/SlfImqpJ5R2w1M3r0yHR9Lg+Q2nIgQ9cT6f1QncnlodEIa
Qb8qu93yV3NstQA9VJ3wPJ8uSFecXunEkSdUB8HLRWs2DDd4pnPM/NaI6kn2fz7g
T/WLZMT+7ZmsNMTAVA/mJX6VjYICfdUHXcFOKY6JMByFalWRXM3Yktclrc344ytq
J4H904OttmE+M9PNw9o/RS5MpesWqw==
=wfKX
-----END PGP SIGNATURE-----

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200312140040.GA19117%40mail-itl.


Re: [qubes-users] Is Qubes Split GPG safe?

2020-02-14 Thread Marek Marczykowski-Górecki
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, Feb 13, 2020 at 10:05:21PM +0100, Frédéric Pierret wrote:
> 
> On 2020-02-13 20:37, Claudio Chinicz wrote:
> > Hi Frédéric,
> > 
> > Thanks, I've managed to install claws-mail on my Fedora template. The
> > problem is that Claws-mail does not support OAuth2 (Google) authentication,
> > just like Kmail.
> 
> You're welcome.
> 
> > 
> > Evolution does support OAuth2 authentication but instead of GnuPG it
> > supports OpenPGP,

I think you're confusing two unrelated things. OAuth2 has nothing to do
with email encryption.

Also, just to clear up terminology, GnuPG/GPG is an implementation of
the OpenPGP standard, so _in theory_ it is the same.

From what I see, Evolution does use GnuPG under the hood.

> > the same standard that TB 79 will support, replacing Enigmail.
> > 
> > Would OpenPGP support/integrate with Qubes Split GPG?
> 
> I CC Marek on this question as I know there is some new version of it but I
> don't know what's inside.

Thanks for bringing this to our attention. For reference, this is about 
https://wiki.mozilla.org/Thunderbird:OpenPGP:2020

From my reading of this page, it sounds like a DISASTER in terms of
support for existing PGP-encrypted emails in Thunderbird, but also in terms
of the extensibility of Thunderbird (severe limitation of addons, if not
removing them completely). One of the key features of Thunderbird is its
flexibility thanks to addons...

So, it looks like they have decided to use a completely different
implementation (or even write their own) of the OpenPGP standard, instead of
using the well-established GnuPG. They already acknowledge it
will most likely lead to many interoperability issues and they accept it
at the design level. Life shows that if you already know it will be bad
at the design level, in practice it will be even worse!

But another important aspect is key storage. Anyone serious about
security knows that keys should be stored in isolation. Those not lucky
enough to use Qubes can use smart cards for that. And according to the FAQ
on that page, the new Thunderbird won't support smart cards!
And in the shape presented on that page, it looks like there won't be a way
to plug in split gpg either!

As a side note, I do think that even though GnuPG is a well-established
standard, its quality isn't very high and steps to break its monopoly among
OpenPGP implementations are a good thing. But it should be done in an
incremental, compatible way, not with a "break everything" approach.

Another side note, or rather a hint for Thunderbird developers: modern gpg
in reality consists of multiple parts running as separate processes. One
of them is gpg-agent, responsible for accessing private keys (either
local or on a smart card) and nothing else. gpg-agent also has a simple,
(kind of) documented protocol. If they still want to break
everything, they could at least consider support for using the existing
gpg-agent available in the system. This won't solve interoperability
issues, but at least it will allow people to keep their keys secured on
smart cards or with the (upcoming new version of) split gpg.

The only good side of this I see is having PGP support in Thunderbird
out of the box without requiring an addon - meaning probably more people
will use it.

BTW we need to verify whether this major breakage of Thunderbird addons
won't break other Qubes features too - namely opening attachments in a
DisposableVM, which is also done using an addon.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl5GjPAACgkQ24/THMrX
1yxyewf/Un2JTcdEXx/c0mZd+huN3sr/OwfWt4vOaLnNoPdnog0ak9mpdiJfwAj9
Na3g9jXdF/0hjfgLMC7S7kZaCJv08hzycMatmIl2lY7q7oI8kobIye2EBKZg6/Z3
8WYuYILZet1B7J79/J66lUdhZQt72aLnDadFj9EdIJaFH9GtEUH4SNezsaXce9Q/
M+LWJhS947SySfsuZ3js5IunflHI51AV449OxUzA2fO60/tK7zQg6H+9L8UXBgFO
feDvXjLK9+sDGvryn6/M9GNe5Hq5ZBHaFABkpfjhSgF8O2aJm1dFKeMvKJvKh4Ts
AexsYCPoXKT2vr5gBwN+BgOQINRgtg==
=Qqfw
-----END PGP SIGNATURE-----

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200214120504.GE18599%40mail-itl.


Re: [qubes-users] Re: R4 system requirements; AMD compatibility?

2020-02-09 Thread Marek Marczykowski-Górecki
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Sun, Feb 09, 2020 at 09:28:13AM -0800, brendan.h...@gmail.com wrote:
> On Sunday, February 9, 2020 at 5:25:56 PM UTC, brend...@gmail.com wrote:
> >
> >
> > Has anyone tried utilizing the xen command line options to mask bits in
> > the cpuid (in particular section 1.2.35 cpuid_mask_ecx)?
> >
> > The man page below says that "Settings applied here take effect globally, 
> > including for Xen and all guests." This *might* mean it is applied *before* 
> > the resume from sleep CPU bit checks (but I'm not promising anything, as I 
> > have not traced through the source). And also "*Warning: This option is 
> > not fully effective on Family 15h processors or later.*"
> >
> 
> Just noticed that the warning applies only to 1.2.34, which is AMD-only,
> apparently. Unclear to me if the other items 1.2.35 and higher, which are
> for "x86", apply only to Intel or to all x86 architectures.

I may be missing it in this thread, but has anyone tried the Qubes 4.1
builds (with Xen 4.13) on such a system? Do they have the same issue?

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl5AcSAACgkQ24/THMrX
1yzQ/ggAmQOFWyP0GNVs5dMuSzKx6mo7myoJ0tlJaKdpNPKZZnYjaLAqhUPig5YG
rd5iv26TjVq/bl8uiRE0/qwV0/sjqgmLTqPIQanzxsB5Cnok3OZyswghGJY/UY8Y
j5ADzpzRtCC7WhQkvhtPSwcC3c72rgmjfQg2IjKfYU6qyv+0aJ2HuJQj/kA49cG6
kzwGRIJJlxVfCsnlXSwmHa17PyiolvYqpQFhCN8EIM3KYFcjrBK+kP7nqdNXuQ8R
atZqH66h8wxp/BvGO9xGZPmWV6uhrC+JIKfdlaspKO4fWFxXuBwxGgS+favkn5wT
vBJcU6wxj2Qwk6MvJV17BMV1dwqntg==
=HtGL
-----END PGP SIGNATURE-----

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200209205248.GD29736%40mail-itl.


Re: [qubes-users] Re: R4 system requirements; AMD compatibility?

2020-02-08 Thread Marek Marczykowski-Górecki
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Fri, Feb 07, 2020 at 02:13:56PM -0800, brendan.h...@gmail.com wrote:
> On Friday, February 7, 2020 at 9:35:25 PM UTC, zach...@gmail.com wrote:
> >
> > I preemptively submitted this PR to see what the Qubes team thinks. 
> > https://github.com/QubesOS/qubes-vmm-xen/pull/70
> >
> > I agree it probably should be fixed upstream, although I've seen the Qubes 
> > team make exceptions and apply their own changes. Upstream would probably 
> > take a huge amount of time to get merged and tested. I'm not a developer 
> > though so I'm sure you could explain the issue better than I. If you do 
> > mention it, CC me as well! I like the CLI argument idea, that's probably a 
> > much cleaner way of doing it and defaulting it to true. That way users 
> > could disable it if needed due to hardware screw-ups.
> >
> 
> Marek is somewhat active on xen-devel. Submitting the PR to Qubes is 
> probably as good a place to start the (github) discussion I suppose.
> 
> I expect Claudia is correct that it's really a Xen defect to address, 
> either with a flag to disable the check, or security/stability focused 
> checks only.
> 
> Xen might point upwards again, of course, and tell AMD to fix their
> microcode or the manufacturers their BIOSes...
> 
> ...but if a disable flag could be added (--yes_i_know_what_im_doing caveat, 
> of course) that'd be a good short term workaround for the larger Qubes user 
> base that is less likely to be able to figure out how to get a build 
> working and rpm applied and keep up to date with upstream.

(continuing discussion from the above PR)

The patch as it is is not acceptable, as it may introduce security
and/or stability issues on some machines. Xen (and Linux too) assumes
which CPU features it can use based on CPUID flags. If those change
during system runtime (including suspend/resume), some instructions or
control registers may no longer be valid (->crash) or safe to use
(->security issue).

If that's just about microcode updates, that's probably a BIOS bug - if it
applies a microcode update on system startup, it should do the same on
system resume too. Anyway, it's worth trying to update the linux-firmware
package, which carries microcode updates for AMD. This should make Xen
apply microcode updates too - before checking those flags.
I've just uploaded an updated version of the package to the current-testing
repository (both R4.0 and R4.1).

If that's about something else, then fixing it would require finding
what exactly is changing (and preferably also why). And only then find
how to mitigate this issue. If specific flags would turn out to be not
related to security features or otherwise having unwanted effects, then
ignoring those changes would be an option. But ignoring _only those
flags verified to be safe to ignore_, not all of them.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl4/abcACgkQ24/THMrX
1yxEGgf/SG+V7TKM8f7QZ5JFVSr++QasDbMefkuc30OeUkXKtFXsTNMH2fp1S8zq
lTgxfrrGH+N7sfP1KkjAZ7ri+DJgmoCyqULUNZAez5DdGlaLJRtsz5rRBtTr4t9F
nmJNC859/RPEpbozwxlM6K8JRhlxVg35Sl46E9lYHbNsTBqAywxhTUgENsZlrblh
gXn2MgnzDHvwShCltlNL2l29HaAXBzIICpPcgiRWLEY/Y1OTNHvYPiTgZdRtkkEM
5tM97EwxZF31k5i7wGpRed84xCid2bXvufq2Xjo2jWxXuQ01r+bv6v/lVwDvd5tz
iOWJsjj4tXLo3bcpuaCM5XvHI9x0yg==
=h62J
-----END PGP SIGNATURE-----

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200209020855.GC29736%40mail-itl.
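
An added example (not from the thread) for the "find what exactly is changing" step Marek describes: a Python script that diffs the flags lines of two /proc/cpuinfo snapshots, one taken before suspend and one after resume, and also reports CPUs whose flags disagree with CPU 0 after resume. The snapshots, and the flags that disappear in them, are constructed samples rather than data from any affected machine; the script only lists differences and makes no judgement about which flags are safe to ignore.

```python
"""Diff CPU feature flags between two /proc/cpuinfo snapshots, e.g. taken
before suspend and after resume. Added example, not code from the thread.
Assumed use:
  cat /proc/cpuinfo > before.txt ; (suspend and resume) ; cat /proc/cpuinfo > after.txt
  diff_snapshots(open("before.txt").read(), open("after.txt").read())
"""
from typing import Dict, Set


def parse_flags(cpuinfo: str) -> Dict[int, Set[str]]:
    """Map each processor number to its set of feature flags."""
    flags: Dict[int, Set[str]] = {}
    cpu = None
    for line in cpuinfo.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "processor":
            cpu = int(value)
        elif key == "flags" and cpu is not None:
            flags[cpu] = set(value.split())
    return flags


def diff_flags(before: Dict[int, Set[str]], after: Dict[int, Set[str]]) -> dict:
    """Flags lost or gained per CPU, and CPUs whose post-resume flags differ from CPU 0's."""
    report: dict = {"lost": {}, "gained": {}, "inconsistent_after": []}
    for cpu in sorted(set(before) & set(after)):
        lost = sorted(before[cpu] - after[cpu])
        gained = sorted(after[cpu] - before[cpu])
        if lost:
            report["lost"][cpu] = lost
        if gained:
            report["gained"][cpu] = gained
    # Flags that differ between CPUs of one machine are a second red flag on their own.
    baseline = after.get(0, set())
    report["inconsistent_after"] = [cpu for cpu in sorted(after) if after[cpu] != baseline]
    return report


def diff_snapshots(before_text: str, after_text: str) -> dict:
    return diff_flags(parse_flags(before_text), parse_flags(after_text))


# Constructed samples (not from any machine in the thread); real flags lines are much longer.
COMMON = "fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat sse sse2 ht syscall nx lm"
BEFORE = f"""\
processor\t: 0
vendor_id\t: AuthenticAMD
flags\t\t: {COMMON} ibpb ssbd
processor\t: 1
vendor_id\t: AuthenticAMD
flags\t\t: {COMMON} ibpb ssbd
"""
# In the constructed "after resume" snapshot CPU 0 has stopped reporting two flags
# while CPU 1 still reports them.
AFTER = f"""\
processor\t: 0
vendor_id\t: AuthenticAMD
flags\t\t: {COMMON}
processor\t: 1
vendor_id\t: AuthenticAMD
flags\t\t: {COMMON} ibpb ssbd
"""

if __name__ == "__main__":
    print(diff_snapshots(BEFORE, AFTER))
```

Running it on real snapshots from dom0 gives the list of flags that the suspend/resume path actually changes, which is the input needed before deciding, flag by flag, whether a change is harmless or one Xen must keep refusing.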


Re: [qubes-users] Re: Qubes OS 4.0.2 has been released!

2020-01-09 Thread Marek Marczykowski-Górecki
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Wed, Jan 08, 2020 at 06:07:01AM -0800, fiftyfourthparal...@gmail.com wrote:
> Hi Andrew,
> 
> I installed 4.0.2 on my Dell Inspiron 5593 without new issues.
> 
> The answer to the following question seems to have been implied in earlier 
> responses, but I'd just like an explicit clarification: Can the "critical 
> kernel bug" affect my security in any way?

No, it doesn't affect security. It simply crashes (and reboots). If it
works on your particular hardware, then you're lucky and should be safe
to continue using it.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl4X0IEACgkQ24/THMrX
1yzgDgf8CAQZyZQLeuF45UToxe4lumA3PWb9q8j82LW7p/Llizwu97T1pF/c6mGJ
MXuUGyu8H8AS2nEK6W4zC1ZDClTFMGvsmMOwhkDbSUuSxyK1WXtRdAhsHK32jQ6j
0xnS6woUeFUkmBonjfQZxrDtj719WwrLWsJWffrDG4GPRoQkk6Mp+QjB8N1d/0bX
9hPjWxok0c6Up4hTOoGLVlnW0OlRgZ35P4UOGqxxscjygpgBwXvD+BXg8YMP+f/v
t6gEu7oLJ9faxtNT4nGHgQZhKayuhAGFvf5Q+uvyBplGWqwGpHmEh6FJnlKEoWYD
UbaUNGX1UPuBM8WMstJ/F9P3n8a/tA==
=xWrL
-----END PGP SIGNATURE-----

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200110011649.GA29736%40mail-itl.


[qubes-users] QSB #56: Insufficient anti-spoofing firewall rules

2019-12-25 Thread Marek Marczykowski-Górecki
):
  $ sudo dnf update

  For updates to Fedora from the security-testing repository:
  $ sudo dnf update --enablerepo=qubes-vm-*-security-testing

  For updates to Debian from the stable repository
  (not immediately available):
  $ sudo apt update && sudo apt dist-upgrade

  For updates to Debian from the security-testing repository:
  First, uncomment the line below "Qubes security updates testing
  repository" in:
/etc/apt/sources.list.d/qubes-r*.list
  Then:
  $ sudo apt update && sudo apt dist-upgrade

A restart is required for these changes to take effect. This entails
shutting down the TemplateVM before restarting all the TemplateBasedVMs
based on that TemplateVM.

These packages will migrate from the security-testing repositories to
their respective current (stable) repositories over the next two weeks
after being tested by the community.


Credits
=======

The issue was reported by Demi Marie Obenour.


References
==========

[1] https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes
[2] https://nvd.nist.gov/vuln/detail/CVE-2019-14899

- --
The Qubes Security Team
https://www.qubes-os.org/security/
```

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl4DmQkACgkQ24/THMrX
1yyTrgf8DB9+TOy89Gn9kwDYm15nXqCuxOm0k3Zsv3FWJCz1NobTpDJ14+LI0qcf
YR1jXT+XqUvfeIJ2NlJ+DQ4454cd3m27nEP7B0G7A2PU3jbonIyBE9Qe7PpQ8kmU
FtI+GoknrMlUEP+QNwceRg1Q9OPaB6Zzzq0VE6C58rxnL6oGNUXVgrsXV/Jtl1pZ
quf5c8x7cZqRqUbFBkaE2P5deYRfCIj/Vt3N3uhsvEKAay2qwgMnnZmQv2Qhp+cq
gephG2LgrczBjvjlZ/0zt2+7N4LPyDCeP5dVJlFSz/85uNBo0vmTecyFhaUJEhn1
2JzJh9rUVQFNTwetTTsh2M2q6rubnQ==
=29/a
-----END PGP SIGNATURE-----

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20191225171448.GA11736%40mail-itl.


[qubes-users] QSB #55: Issues with PV type change and handling IOMMU on AMD (XSA-310, XSA-311)

2019-12-11 Thread Marek Marczykowski-Górecki
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #055: Issues with
PV type change and handling IOMMU on AMD (XSA-310, XSA-311). The text of
this QSB is reproduced below. This QSB and its accompanying signatures
will always be available in the Qubes Security Pack (qubes-secpack).

View QSB #055 in the qubes-secpack:

https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-055-2019.txt

Learn about the qubes-secpack, including how to obtain, verify, and read
it:

https://www.qubes-os.org/security/pack/

View all past QSBs:

https://www.qubes-os.org/security/bulletins/

View the Xen Security Advisory (XSA) Tracker:

https://www.qubes-os.org/security/xsa/

```

 ---===[ Qubes Security Bulletin #55 ]===---

 2019-12-11


 Issues with PV type change and handling IOMMU on AMD (XSA-310, XSA-311)


Summary
=======

On 2019-12-11, the Xen Security Team published the following Xen
Security Advisories (XSAs):

XSA-310 (CVE-2019-19580) [1] Further issues with restartable PV type
change operations:

| XSA-299 addressed several critical issues in restartable PV type
| change operations.  Despite extensive testing and auditing, some
| corner cases were missed.
| 
| A malicious PV guest administrator may be able to escalate their
| privilege to that of the host.

XSA-311 (CVE-2019-19577) [2] Bugs in dynamic height handling for AMD
IOMMU pagetables:

| When running on AMD systems with an IOMMU, Xen attempted to
| dynamically adapt the number of levels of pagetables (the pagetable
| height) in the IOMMU according to the guest's address space size.  The
| code to select and update the height had several bugs.
| 
| Notably, the update was done without taking a lock which is necessary
| for safe operation.
| 
| A malicious guest administrator can cause Xen to access data
| structures while they are being modified, causing Xen to crash.
| Privilege escalation is thought to be very difficult but cannot be
| ruled out.
| 
| Additionally, there is a potential memory leak of 4kb per guest boot,
| under memory pressure.


Impact
======

XSA-310 applies only to PV domains. Most of the domains in Qubes 4.0 are
PVH or HVM domains and are therefore not affected by XSA-310. However,
PV domains are still supported in Qubes 4.0, and they are specifically
used to host Qemu-instance-supporting HVM domains.

In the default Qubes 4.0 setup, several attacks would have to be chained
together in order to exploit this vulnerability. Specifically, an
attacker would have to:

1. Take control of an HVM domain, e.g., sys-usb, sys-net, or a
   user-created HVM domain. (Most user domains are PVH and are therefore
   not affected.)

2. Successfully attack a Qemu instance running in an associated PV
   stubdomain.

3. Finally, find some way to exploit the vulnerability described in
   XSA-310.

Moreover, since this vulnerability is a race condition, it is an
unreliable attack vector in real world scenarios.

XSA-311 affects only systems running on AMD hardware and also is
thought to be very hard to exploit. But since it can't be ruled out
completely, we recommend applying updates nevertheless.


Patching
========

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes 4.0:
  - Xen packages, version 4.8.5-14

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.


Credits
=======

See the original Xen Security Advisory.


References
==========

[1] https://xenbits.xen.org/xsa/advisory-310.html
[2] https://xenbits.xen.org/xsa/advisory-311.html

- --
The Qubes Security Team
https://www.qubes-os.org/security/
```

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl3w9qAACgkQ24/THMrX
1ywNmgf+ModX2TIC5BNbPXNRjXQAFGByj21sTdmKlj3mo5Q1zus00gvEYvwWUvRA
ob8Sb1DuaHZhM4x3Ea2FjSqYA+GszDctj9dY5VWrlecd1tsmTijlHPo2x1FpIyWm
Qf24697gel0TDb+51JFCXrqZYye3Bj4mL4tEplDZRmH8fw9J94zPQROztnzi9mmF
ownqn40LMEiTBg0WaV7k3ymnLPRX3rLZGS1oG//ESouL7Mz8Id/vjpsWyrBX8P3A
TyisLzrblA1/9+bSGEUaP4jq5Uf98Eb+GKkXX6yjD8CT+kO7ez02AL+PzmxK7YmT
G67PD1wDDcFFFr/+AeoHkjgjYdyghQ==
=erlC
-----END PGP SIGNATURE-----
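
As an added example that is not part of the bulletin, the following Python code checks whether an installed dom0 package version is at or beyond the version a QSB names as fixed (4.8.5-14 for this bulletin; QSB #52 further down names 4.8.5-11), implementing rpm's segment-wise version comparison instead of comparing strings, so that release 9 is correctly treated as older than release 14. The `rpm -q` invocation and the package name `xen` in the docstring are assumptions.

```python
"""Check whether an installed dom0 package version is at or past the version a
QSB names as fixed, using rpm's version-segment comparison rules.
Added example, not code from the bulletin. Assumed use in dom0:
  rpm -q --qf '%{VERSION}-%{RELEASE}\\n' xen   (package name is an assumption)
then is_patched(<that string>, "4.8.5-14").
"""
import re
from typing import Tuple

# rpmvercmp splits on non-alphanumerics into numeric/alpha runs; '~' sorts before anything.
# (The '^' separator of newer rpm versions is not handled here.)
_SEG_RE = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpm's rpmvercmp(3)."""
    sa, sb = _SEG_RE.findall(a), _SEG_RE.findall(b)
    i = 0
    while True:
        xa = sa[i] if i < len(sa) else None
        xb = sb[i] if i < len(sb) else None
        if xa is None and xb is None:
            return 0
        if xa == "~" or xb == "~":            # tilde: older than even the end of the string
            if xa != xb:
                return -1 if xa == "~" else 1
        elif xa is None:                      # b has more segments, so b is newer
            return -1
        elif xb is None:
            return 1
        elif xa.isdigit() and xb.isdigit():   # numeric segments compare as integers
            if int(xa) != int(xb):
                return -1 if int(xa) < int(xb) else 1
        elif xa.isdigit() != xb.isdigit():    # a numeric segment is newer than an alpha one
            return 1 if xa.isdigit() else -1
        elif xa != xb:                        # both alpha: plain string order
            return -1 if xa < xb else 1
        i += 1


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_patched(installed: str, fixed: str) -> bool:
    """True if the installed EVR is the fixed one or newer."""
    return evr_cmp(installed, fixed) >= 0


if __name__ == "__main__":
    for installed in ("4.8.5-11", "4.8.5-14", "4.8.5-9", "4.8.5-15"):
        print(installed, "patched against 4.8.5-14:", is_patched(installed, "4.8.5-14"))
```

The same function answers the QSB #52 question with "4.8.5-11" as the fixed version; a testing-repository build with a higher release number, or a later Xen version such as 4.13, compares as patched.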

Re: [qubes-users] 2 new Intel vulnerabilities

2019-11-15 Thread Marek Marczykowski-Górecki
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, Nov 14, 2019 at 10:37:33AM -0800, Lorenzo Lamas wrote:
> Btw, do you think it is possible for Qubes to distribute the Intel
> fTPM (http://tpm.fail/) update somehow, like Qubes does with microcode?

I don't think it's directly possible; this part of the system firmware
is specific to the particular device configuration (bundled together with
the rest of the BIOS/UEFI), not only to the CPU.

A quote from Intel advisory:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00241.html
| Intel recommends that users of Intel® CSME, Intel® SPS, Intel® TXE,
| Intel® AMT and Intel® DAL update to the latest version provided by the
| system manufacturer that addresses these issues.

There could be a way to ease updating system firmware by integrating
fwupd, but it isn't done yet:
https://github.com/QubesOS/qubes-issues/issues/4855

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl3PEHUACgkQ24/THMrX
1yy5rAf+OUCwS/oIGN04ps6Skv19pwCL8gkKizEoncXduI5nXUI1hBcqtmfBPbUj
orJqWt65YKQPeCnWubbJHHA5cIe0KtG/yPTtMcG98caU8Qi1y/vi2Nv7lt6+y1GL
BbGe/O2ZHYuZAMGLg9bbk3ZXmQ8hrAyHCB+3vvVxIlrPHkOShjpHztsgguug00MI
sPNdg9IHurPNwbwbMgwHGIUDOgFr7MilGT1y3afzBEIrHZCT5SaPHernUYGd7oD9
PmhGsb5grJo5eYDO+wiizrW/by2BUXH+4Qeimtxk+N7xqqk7/btQXl77dOGQ5k/t
1uNcXNluSAXVspKvKJTIXhGlpJmAMQ==
=cXye
-----END PGP SIGNATURE-----

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20191115205412.GB4164%40mail-itl.


[qubes-users] QSB #52: Xen issues affecting PCI passthrough and PV domains (XSA-299, XSA-302)

2019-10-31 Thread Marek Marczykowski-Górecki
perform a DMA
attack in this window of opportunity during system startup, the
attacker could still compromise the system, even with the XSA-302
patches applied.

In practice, this means that devices containing internal writable
firmware or configuration storage are worse for system security than
those that have read-only storage and require firmware to be loaded
externally by a driver. Many people consider devices that require
loading "firmware blobs" to be less freedom-friendly, but the effect on
system trustworthiness is exactly the opposite. Such devices are
actually more trustworthy than those that have (possibly mutable)
firmware stored internally.

In addition, it's easier to reason about the firmware when it is
accessible to the user. Even if the firmware is in a binary form, it is
at least possible to verify its authenticity and that it wasn't modified
maliciously to target your specific device (e.g., by comparing hashes
against a public database). Naturally, a device with open-source
firmware (still loaded externally) would be even better. In the vast
majority of cases, however, a device that doesn't require loading
external firmware actually still has such firmware -- it's just hidden
inside and impossible to attest.


Patching
========

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes OS 4.0:
  - Xen packages version 4.8.5-11

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.

Credits
=======

See the original Xen Security Advisories.


References
==========

[1] https://xenbits.xen.org/xsa/advisory-299.html
[2] https://xenbits.xen.org/xsa/advisory-302.html

- --
The Qubes Security Team
https://www.qubes-os.org/security/

```

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAl27CAkACgkQ24/THMrX
1yyVYQf+OBmOSFrr5l5fSLMfqrPWCxiq8rb1O1SXQ6lN1akxEfx7GO36fbpV47/K
Qu7S3MZhfVUf7y9xWcKrcYdUtnXhRvV5az17gF9JOYSinHIxHPnOyXTu/vWtTQPW
057d2ZnQiTijN22ELlNQy6yRHzutUxSfT9vpRH0BCuoM3yR7Q9EUNKMIy/A5lF6q
L1Hkdtnu+1j+2kzsaE5/HrjvN/lQ0KRBgDpYXWrExgQOYYnAigvUeRefH4/dDERF
BISdEo4w49pyU2Hb54YjTit+NbgfkVVIyuU8wC63reImmbrCQHT5hdWUpP2c1ymt
AWadPawOVgGmDDFeFaHfCbTYoU0ahg==
=MUDq
-----END PGP SIGNATURE-----

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20191031161258.GX1410%40mail-itl.


Re: [qubes-users] Safe to switch default-mgmt-dvm TemplateVM from Fedora 29 to Fedora 30?

2019-10-16 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Oct 15, 2019 at 02:39:56PM -0700, 'Heinrich Ulbricht' via qubes-users 
wrote:
> I want to switch the template for all my Fedora 29 AppVMs to Fedora 30.
> 
> In the process I learned about *default-mgmt-dvm* which is currently based 
> on Fedora 29. Is it safe to simply switch the template to a (stock+updates) 
> Fedora 30 template?
> 
> This issues <https://github.com/QubesOS/qubes-issues/issues/5181> suggests 
> there might still be problems.
> This answer 
> <https://groups.google.com/d/msg/qubes-users/WMSowoOgfIA/dXA8tco-CAAJ> 
> suggests it is indeed as simple as switching the template.
> This thread 
> <https://groups.google.com/forum/#!msg/qubes-users/qf4zN6SFe18/rr6rclqoCAAJ> 
> has never been answered but covers basically the same topic (switching to 
> Fedora 29).
> 
> Should I just switch or rather not touch it?

Yes, it's ok and even desirable to switch. It should be based on a
stock template without less-trusted repositories and software installed.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


[qubes-users] QSB #51: Insufficient validation of backup compression filter on restore

2019-09-10 Thread Marek Marczykowski-Górecki
`qvm-backup-restore` or when the "Verify backup integrity, do not
restore the data" option is selected in the "Restore qubes" GUI tool.

Patching
========

Note: Patching is not sufficient to recover from a compromised state. If
you suspect you may have restored a malicious backup, see the next
section for details and recommendations.

The specific package that resolves the problems discussed in this
bulletin is as follows:

  For Qubes 4.0:
  - qubes-core-admin-client version 4.0.27

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

Securely Restoring from Backups
===============================

The safest way to restore from a backup is to do the actual backup
processing outside dom0.

1. Install the `qubes-core-admin-client` package in a domU.

2. Authorize the appropriate qrexec policies in the domU:

   - admin.vm.Create.AppVM
   - admin.vm.Create.TemplateVM
   - admin.vm.Create.StandaloneVM
   - include/admin-local-rwx
   - include/admin-global-ro

3. Use `qvm-backup-restore` in the domU.

In a subsequent update, the above procedure will be automated with a new
`qvm-backup-restore --paranoid-mode` option. See "Compromise recovery in
Qubes OS" for details about how to use this mode. [2]

Indicators of Compromise
========================

It is possible to manually inspect the header of a backup to observe
whether the vulnerability has been exploited. To do so, inspect the
backup as follows:

1. Verify the backup header integrity according to the "emergency backup
   restore without Qubes" instructions for your backup. These vary
   depending on the age of the backup, as the format has changed over
   time. [3][4][5][6]

2. Check the "compressed" and "compression-filter" header fields for
   anything anomalous. For example, you may see something like the
   following:

   $ tar -ivxf qubes-2019-08-06T121200 backup-header{,.hmac}
   backup-header
   backup-header.hmac
   $ scrypt dec backup-header.hmac backup-header.ok
   Please enter passphrase: backup-header!
   $ cmp backup-header.ok backup-header && echo ok || echo wrong
   ok
   $ grep -E '^(compressed|compression-filter)=' backup-header | cat -v
   compressed=True
   compression-filter=gzip

If you see anything other than `True` and a legitimate compression
filter like `gzip` or `bzip2`, this may be a reason for suspicion.

It is worth noting, however, that depending on how a malicious backup
has been stored and/or transferred to the machine on which it is
restored -- and depending on the sophistication of an attacker -- a
previously malicious backup may have self-modified to appear benign
after the fact as part of its exploit payload. Therefore, this should
not be considered an infallible way to detect malicious backups. Storing
the backup exclusively on immutable media throughout this process can
provide further assurance.

The possibility of other similar vulnerabilities cannot be completely
ruled out, so restoring backups in a deprivileged manner (outside dom0,
as described in the previous section) is still recommended.
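A header check along the lines of step 2 above, as an added example that is not part of the bulletin or of qubes-core-admin-client: it parses the key=value lines of a decrypted, integrity-verified backup-header (the file the `cmp` step confirms) and reports any `compressed`/`compression-filter` value that is not literally `True`/`False` or a plain, allowlisted program name. The sample headers are constructed, and the allowlist of gzip and bzip2 follows the filters the bulletin names as legitimate.

```python
import re

# Filters the bulletin names as legitimate. Extend deliberately, never by
# accepting whatever the header happens to say.
ALLOWED_FILTERS = frozenset({"gzip", "bzip2"})

# A legitimate filter is a bare program name: no whitespace, no path
# separators, no shell metacharacters, no control characters.
FILTER_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")


def parse_backup_header(text):
    """Parse the key=value lines of a backup-header into a dict.

    Every non-empty line must be exactly one key=value pair and no key may
    repeat, so a second "compression-filter" line cannot silently override
    the first one that a reviewer looked at.
    """
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r")
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError(f"line {lineno}: not a key=value pair")
        if key in fields:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        fields[key] = value
    return fields


def check_compression_fields(fields):
    """Return human-readable findings about the two compression fields.

    An empty list means both fields look benign: "compressed" is literally
    True or False, and if a filter is named it is a plain program name from
    the allowlist. Anything else is reported rather than guessed at.
    """
    findings = []
    compressed = fields.get("compressed")
    if compressed is None:
        findings.append("compressed: field missing")
    elif compressed not in ("True", "False"):
        findings.append(f"compressed: unexpected value {compressed!r}")

    filt = fields.get("compression-filter")
    if filt is None:
        if compressed == "True":
            findings.append("compression-filter: missing although compressed=True")
    elif not FILTER_NAME_RE.fullmatch(filt):
        # Covers whitespace, control characters, paths and metacharacters;
        # ascii() renders them visibly, much like `cat -v` in the bulletin.
        findings.append(f"compression-filter: {ascii(filt)} is not a plain program name")
    elif filt not in ALLOWED_FILTERS:
        findings.append(f"compression-filter: {filt!r} is not an allowed filter")
    return findings


def inspect_backup_header(text):
    """Parse and check a backup-header; a malformed header is itself a finding."""
    try:
        fields = parse_backup_header(text)
    except ValueError as exc:
        return [f"header: {exc}"]
    return check_compression_fields(fields)


# Constructed sample headers (not taken from a real backup). The benign one
# mirrors the two lines the bulletin greps for; the other two show the kinds
# of values the check is meant to surface.
BENIGN_HEADER = "compressed=True\ncompression-filter=gzip\n"
PATH_FILTER_HEADER = "compressed=True\ncompression-filter=/tmp/gzip\n"
DUPLICATE_KEY_HEADER = (
    "compressed=True\ncompression-filter=gzip\ncompression-filter=bzip2\n"
)

if __name__ == "__main__":
    for name, header in [("benign", BENIGN_HEADER),
                         ("path-filter", PATH_FILTER_HEADER),
                         ("duplicate-key", DUPLICATE_KEY_HEADER)]:
        findings = inspect_backup_header(header)
        print(f"{name}: {'ok' if not findings else '; '.join(findings)}")
```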

Credits
=======

This issue was discovered and reported by Jean-Philippe Ouellet, who
also provided a fix, a PoC exploit, helped with
mitigations for this general class of issue in the future, and wrote the
initial draft of this advisory.

References
==========

[1] https://github.com/QubesOS/qubes-core-admin/commit/0cd8281ac10ee06f4b2fce9f86e27eb25292bc25
[2] https://www.qubes-os.org/news/2017/04/26/qubes-compromise-recovery/
[3] https://www.qubes-os.org/doc/backup-restore/
[4] https://www.qubes-os.org/doc/backup-emergency-restore-v4/
[5] https://www.qubes-os.org/doc/backup-emergency-restore-v3/
[6] https://www.qubes-os.org/doc/backup-emergency-restore-v2/

- --
The Qubes Security Team
https://www.qubes-os.org/security/
```

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Re: [qubes-users] Moving Qubes+VMs to Larger SSD - How to Handle Storage Pools on Other Disks?

2019-09-08 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sun, Sep 08, 2019 at 07:16:34PM -0500, Andrew David Wong wrote:
> On 07/09/2019 3.28 PM, 'Heinrich Ulbricht' via qubes-users wrote:
> > Here is an update on how my migration from SSD_small to SSD_big is going so 
> > far.
> > 
> > Just as a reminder this is the challenge I face:
> > * dom0 SSD has 100 GB capacity, ~10% of this is free (that's why I want to 
> > migrate to a new SSD)
> > * external storage pool 1 has 1 TB storage, AppVM *1* with < 500 GB private 
> > storage in use
> > * external storage pool 2 has 1 TB storage, AppVM *2* with > 500 GB private 
> > storage in use
> > * I want to migrate everything via backup+restore to new disks/pools
> > 
> > *Here is what worked*
> > * backing up App VMs from all 3 pools using built-in backup mechanisms (UI) 
> > - cool
> > 
> > *Here is what did not work*
> > * *verifying* the huge (400-700 GB) backups *did not work* since this 
> > filled up my dom0 pretty fast and then failed -> this is the reason why I 
> > resorted to what Andrew wrote: having the original still in place while 
> > restoring to different disks, not overwriting anything, just in case 
> > restoring fails
> > * *restoring* the huge (400-700 GB) backups *did not work* since this 
> > filled up my dom0 pretty fast and then failed -> this is exactly like 
> > donoban wrote; I managed to work around this for AppVM *1*, NOT for AppVM 
> > *2* (yet)
> > 
> > To restore AppVM *1* (< 500 GB) I modified *restore.py 
> > <https://github.com/QubesOS/qubes-core-admin-client/blob/9158412a24da300e4c54346ccb54fce1e748500f/qubesadmin/backup/restore.py#L858>*
> >  
> > to restore to another location than */var/tmp*. The easiest for me was to 
> > create a new (temporary) AppVM in my new 1 TB external storage pool *1*, to 
> > increase its private storage to 500 GB, to mount its private volume to dom0 
> > and to use this path as temporary location in *restore.py*. So I was using 
> > my 1 TB disk both as restore target and temporary location for backup 
> > extraction. I was lucky - the pool filled up to 99.8% and the restore 
> > succeeded. So currently it seems you need double the amount of storage your 
> > to-be-restored AppVM consumes to restore the AppVM.
> > 
> > Now there is one challenge left. I have to restore AppVM *2* which is about 
> > 700 GB. To my current knowledge I would now need to have twice this amount 
> > to restore - which currently I don't have. This is why I'd like to somehow 
> > slow down the extraction. donoban mentioned this is possible. I had a look 
> > at restore.py 
> > <https://github.com/QubesOS/qubes-core-admin-client/blob/master/qubesadmin/backup/restore.py>
> >  
> > but honestly have no idea where to start. I also currently don't know how 
> > the different extraction processes interact and how the backup is 
> > structured.
> > 
> > Can anybody suggest a modification (or hack, however dirty - it's meant to 
> > be temporary) to restore.py so it won't need 700 GB of additional temporary 
> > storage when I try to restore my 700 GB AppVM?
> > 
> > Thanks for all your input so far. Knowing that dom0 could fill up certainly 
> > saved me some hours of questioning life.
> > 
> 
> Sorry to hear about the problems. I'm surprised about dom0 filling up. I
> thought we had solved this problem a long time ago. I remember running
> into the same problem years ago, and I thought we had subsequently
> moved to restoring in smaller chunks so that only a small amount of
> temporary storage in dom0 is required when restoring.
> 
> Is this not the case, Marek?

It's this issue:
https://github.com/QubesOS/qubes-issues/issues/4791

In fact, I do have part of the fix already implemented. Hopefully will
have the other part finished this week.

In the meantime, you can try some naive methods of slowing down the
extraction process, for example by attaching strace to it (`strace -p
$(pidof qfile-dom0-unpacker)`), or pausing it from time to time by
sending a SIGSTOP signal (and then SIGCONT to unpause). You can do it in a
loop like this:

pid=$(pidof qfile-dom0-unpacker)
# stop the unpacker for 30 s, let it run for 5 s, repeat until it exits
while kill -STOP "$pid"; do sleep 30; kill -CONT "$pid"; sleep 5; done

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[qubes-users] Re: [qubes-devel] qvm-create-windows-qube Automatically creates

2019-08-20 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, Aug 19, 2019 at 11:22:21AM +, 'crazyqube' via qubes-devel wrote:
> I just made my solution for fully automatically creating and installing new 
> Windows qubes from scratch public! It pre-installs Qubes Windows Tools and 
> Firefox so now you don't even have to open Internet Explorer to download a 
> good browser! (lol)
> 
> It's currently ready for use at:
> https://github.com/crazyqube/qvm-create-windows-qube
> 
> If you have any issues or suggestions then by all means create an issue and 
> I'll look into it.

I haven't looked into the details nor tried it yet, but at first sight it
looks really cool!

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Re: Sorry, we cannot find your kernels...

2019-06-30 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sat, Jun 29, 2019 at 04:22:08AM -0700, Chris wrote:
> Yup. Down for me too.
> The update servers were down earlier today. Not sure if related.

Yes, it was related. The late Friday's problems resulted in some mirrors
picking up an empty directory. Should be good now.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] qubes update servers down?

2019-06-28 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sat, Jun 29, 2019 at 12:45:51AM +0200, Marek Marczykowski-Górecki wrote:
> On Fri, Jun 28, 2019 at 09:43:19PM +, mossy wrote:
> > Hi,
> > 
> > Updating my qubes templates (debian-9, fedora-29/-30, whonix-14) have
> > been failing all day with `Failed to synchronize cache for repo
> > 'qubes-vm-r4.0-current'`
> > 
> > There's also this bug report:
> > https://github.com/QubesOS/qubes-issues/issues/5130
> > 
> > Any updates?
> 
> Indeed there is some problem. Working on it, should be back in a few
> minutes (hopefully).

Took more than a few minutes, but it's back online.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] qubes update servers down?

2019-06-28 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Jun 28, 2019 at 09:43:19PM +, mossy wrote:
> Hi,
> 
> Updating my qubes templates (debian-9, fedora-29/-30, whonix-14) have
> been failing all day with `Failed to synchronize cache for repo
> 'qubes-vm-r4.0-current'`
> 
> There's also this bug report:
> https://github.com/QubesOS/qubes-issues/issues/5130
> 
> Any updates?

Indeed there is some problem. Working on it, should be back in a few
minutes (hopefully).

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] qubes-dom0-update keep showing the same already downloaded packages.

2019-06-16 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Jun 14, 2019 at 07:03:01PM -0700, pixel fairy wrote:
> On Friday, June 14, 2019 at 6:18:39 PM UTC-7, Andrew David Wong wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA512
> > 
> > On 14/06/2019 8.16 PM, pixel fairy wrote:
> > > every time i run qubes-dom0-update, it keeps re downloading a set of 
> > > packages that seem to already be installed. this doesnt seem to prevent 
> > > actual updates, but it does mean somethings wrong. ive tried clean 
> > > packages in dom0 and sys-firewall, but that doesnt help. any ideas? here 
> > > what it looks like right after running it, rebooting, and running it 
> > > again. any idea what caused this, and how to clear it?
> 
> > 
> > Try `sudo dnf reinstall `. Details:
> > 
> > https://github.com/QubesOS/qubes-issues/issues/4792
> 
> thanks. that worked for everything except kernel and kernel-qubes-vm. how do 
> you get the kernel ones with .rpm? qubes is already past the kernel versions 
> that are stuck still downloading, so dnf --reinstall kernel says nothing to 
> do, and rpm --reinstall (without the .rpm as the thread specified) fails 
> because the newer one is already installed. should this thread continue on 
> that issues page?

Do you already have a newer kernel version installed? If so, dnf is picky
and refuses to operate on older packages in most cases... But it also
shouldn't download an old package when a newer one is already there, unless
you've explicitly requested it to do so.

But if you don't have a newer kernel (like 4.19.x), running `dnf update` or
`qubes-dom0-update` after doing the reinstall for the other packages should
help.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-devel] Re: [qubes-users] Fedora 28 has reached EOL

2019-05-30 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, May 30, 2019 at 02:38:46PM -0400, Chris Laprise wrote:
> 
> I'm getting strangeness from the fedora-30 release:
> 
> 1. As soon as the template installed I started it and ran 'dnf update'. It
> downloaded repo data then said 'nothing to do'. Less than 2 minutes later I
> get a popup saying fedora-30 has updates available I run dnf update
> again and there are 219 packages to update.

This is dnf thinking the metadata cache is up to date. dnf update --refresh
should do the job.

> 2. Trying to remove thunderbird, dnf wants to remove 67 packages incl. most
> of qubes*, nftables, salt, tinyproxy. It would be good to be able to remove
> thunderbird or other large apps without the OS crumbling to pieces.

Try dnf --setopt=clean_requirements_on_remove=0 remove thunderbird

clean_requirements_on_remove=True behaves like 'apt autoremove'. And
qubes-vm-recommended depends on thunderbird-qubes, which depends on
thunderbird. So when you remove thunderbird, qubes-vm-recommended needs
to be removed too.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] kernel panic with new 4.19.43-1.pvops.qubes.x86_64 kernel

2019-05-21 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, May 21, 2019 at 11:42:57AM +1000, haaber wrote:
> > > b) are sym / hard links in /boot allowed ?? I guess only the content of
> > > /efi/EFI/BOOT must be an actual file : the content of /efi/EFI/qubes/
> > > should be handled only by the fully-booted system (when updating),  but
> > > never by the boot-loader, which, badly enough, insists on /EFI/BOOT. So
> > > could files in efi/EFI/qubes be sym'linked ??
> > 
> > This unfortunately won't fly. EFI System Partition (ESP) is accessed
> > directly by UEFI and needs to be FAT32, which does not support symlinks.
> 
> right. From my old-day knowledge of FAT,  hardlinks are possible (though
> not really intended) -- meaning that one could hack it to an "unclean"
> fs. Probably a bad approach, I would have to re-hack it after each
> fs-change.
> 
> More natural: is there a way to change the name /efi/EFI/qubes into
> /efi/EFI/BOOT ?  That would solve all issues most elegantly (and avoid
> the annoying copy & rename procedure after each xen-update). Couldn't find
> "EFI/qubes" in any config file, though.   Bernhard

If that's an internal disk, you should be able to configure UEFI to use
/boot/efi/EFI/qubes. In fact, the installer should do that for you... You
can do that either in the UEFI setup (some vendors include it
somewhere near the boot order setting), or using efibootmgr from within the
system. You want to configure it to boot xen.efi.
As for efibootmgr, see the last step here:
https://www.qubes-os.org/doc/uefi-troubleshooting/#installation-finished-but-qubes-boot-option-is-missing-and-xencfg-is-empty

If that doesn't work with your UEFI, your option is to move EFI/qubes/*
into EFI/BOOT/ after each update. The path is included in the relevant
packages, so you can't just configure it differently. But you can move the
bigger files (xen.efi, vmlinuz, initramfs) instead of copying them, to save
some space.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] kernel panic with new 4.19.43-1.pvops.qubes.x86_64 kernel

2019-05-20 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, May 20, 2019 at 02:36:15PM +1000, haaber wrote:
> Right, thank you Marek for the quick answer. The bad thing is that /boot
> in std UEFI install is 200M - which is definitely too small, if you need
> to "double" all files - one copy in efi/EFI/qubes and another one in
> efi/EFI/BOOT  (I suggest changing the automatic-install partition scheme
> to use rather 500M for /boot), since "doubling" makes 6-8 kernels to
> hold instead of 3-4 ! What would be best remedy? I see two solutions.

A bigger /boot/efi is already the case for the R4.0.1 installer. But the
initial R4.0 indeed had 200M there.

> a) enlarge /boot (but I only have /dev/nvme0n1p1   200M EFI System and
> /dev/nvme0n1p2 238.3G Linux filesystem which means that I would have to
> shrink the thinpool inside the second partition ... I am afraid that a
> full re-install is faster than solving all issues that will arise from
> such an attempt!)

Yes, resizing in this partition layout is non-trivial; a reinstall may be
simpler.
Alternatively, you can remove older kernels and reduce the installonly_limit
option in /etc/dnf/dnf.conf (default 3) to keep fewer older kernels.

> b) are sym / hard links in /boot allowed ?? I guess only the content of
> /efi/EFI/BOOT must be an actual file : the content of /efi/EFI/qubes/
> should be handled only by the fully-booted system (when updating),  but
> never by the boot-loader, which, badly enough, insists on /EFI/BOOT. So
> could files in efi/EFI/qubes be sym'linked ??

This unfortunately won't fly. EFI System Partition (ESP) is accessed
directly by UEFI and needs to be FAT32, which does not support symlinks.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] kernel panic with new 4.19.43-1.pvops.qubes.x86_64 kernel

2019-05-19 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, May 20, 2019 at 11:27:32AM +1000, haaber wrote:
> after last update my Dell runs in a kernel panic  --  reboot spiral. I
> retype 4 important lines from a "photo screenshot" :
> 
> Initramfs unpacking failed: read error

This seems to be the problem. Check if you have enough space for the
initramfs (/boot on a legacy system, /boot/efi on UEFI). If this partition
is very full, the initramfs won't fit. You may remove older
kernels/initramfs to free up some space. Then regenerate the initramfs with:

sudo dracut -f --kver KERNEL_VERSION INITRAMFS_PATH

Replace KERNEL_VERSION with the actual kernel version - you can copy it from
the relevant /boot/vmlinuz-* filename. And replace INITRAMFS_PATH with the
actual path:
 - for legacy: /boot/initramfs-KERNEL_VERSION.img (fill KERNEL_VERSION)
 - for UEFI: /boot/efi/EFI/qubes/initramfs-KERNEL_VERSION.img

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


[qubes-users] QSB #49: Microarchitectural Data Sampling speculative side channel (XSA-297)

2019-05-15 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #49: Microarchitectural
Data Sampling speculative side channel (XSA-297).
The text of this QSB is reproduced below.
This QSB and its accompanying signatures will always be available in
the Qubes Security Pack (qubes-secpack).

View QSB #49 in the qubes-secpack:

<https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-049-2019.txt>

Learn about the qubes-secpack, including how to obtain, verify, and read
it:

<https://www.qubes-os.org/security/pack/>

View all past QSBs:

<https://www.qubes-os.org/security/bulletins/>

```


 ---===[ Qubes Security Bulletin #49 ]===---

 2019-05-15


Microarchitectural Data Sampling speculative side channel (XSA-297)

Summary
=======

On 2018-05-14, the Xen Security Team published Xen Security Advisory
297 (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 /
XSA-297) [1] with the following description:

| Microarchitectural Data Sampling refers to a group of speculative
| sidechannels vulnerabilities.  They consist of:
| 
|  * CVE-2018-12126 - MSBDS - Microarchitectural Store Buffer Data Sampling
|  * CVE-2018-12127 - MLPDS - Microarchitectural Load Port Data Sampling
|  * CVE-2018-12130 - MFBDS - Microarchitectural Fill Buffer Data Sampling
|  * CVE-2019-11091 - MDSUM - Microarchitectural Data Sampling Uncacheable Memory
| 
| These issues pertain to the Load Ports, Store Buffers and Fill Buffers
| in the pipeline.  The Load Ports are used to service all memory reads.
| The Store Buffers service all in-flight speculative writes (including
| IO Port writes), while the Fill Buffers service all memory writes
| which are post-retirement, and no longer speculative.
| 
| Under certain circumstances, a later load which takes a fault or
| assist (an internal condition to processor e.g. setting a pagetable
| Access or Dirty bit) may be forwarded stale data from these buffers
| during speculative execution, which may then be leaked via a
| sidechannel.
| 
| MDSUM (Uncacheable Memory) is a special case of the other three.
| Previously, the use of uncacheable memory was believed to be safe
| against speculative sidechannels.
| 
| For more details, see:
|   https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html
| 
| An attacker, which could include a malicious untrusted user process on
| a trusted guest, or an untrusted guest, can sample the content of
| recently-used memory operands and IO Port writes.
| 
| This can include data from:
| 
|  * A previously executing context (process, or guest, or
|hypervisor/toolstack) at the same privilege level.
|  * A higher privilege context (kernel, hypervisor, SMM) which
|interrupted the attacker's execution.
| 
| Vulnerable data is that on the same physical core as the attacker.
| This includes, when hyper-threading is enabled, adjacent threads.
| 
| An attacker cannot use this vulnerability to target specific data.
| An attack would likely require sampling over a period of time and the
| application of statistical methods to reconstruct interesting data.

This is yet another CPU hardware bug related to speculative execution.

Only Intel processors are affected.

Patching
========

The Xen Project has provided patches that mitigate this issue. A CPU
microcode update is required to take advantage of them. Note that
microcode updates may not be available for older CPUs. (See the Intel
advisory linked above for details.)

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes 4.0:
  - Xen packages, version 4.8.5-6
  - microcode_ctl 2.1-28.qubes1
  - kernel-qubes-vm package, version 4.19.43-1 (optional)

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.

Credits
=======

See the original Xen Security Advisory.

References
==========

[1] https://xenbits.xen.org/xsa/advisory-297.html

- --
The Qubes Security Team
https://www.qubes-os.org/security/
```

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Re: [qubes-users] Update checking over clearnet instead of Tor?

2019-04-02 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Apr 02, 2019 at 01:20:54PM +1100, haaber wrote:
> > On Tue, Apr 02, 2019 at 07:19:46AM +1100, haaber wrote:
> > > 
> > > So do I understand that correctly: if I have, say, a debian-XYZ AppVM on
> > > clearnet it will check if the corresponding template needs an update,
> > > unless I de-activate the qubes-update-check service? Thank you
> > 
> > Yes
> > 
> 
> Oops! To me, one of the points of using tor as upgrade-transport-layer
> seems to be to render "aimed attacks" on *my* machine much harder. Is
> that a misconception?
> Assuming that 'yes', an attacker would typically see clearnet apt-update
> preceding a tor-based upgrade -- and a reasonable guess could be made about
> *who* is upgrading (I don't think there are millions of qubes copies
> running, right?). This opens an (admittedly) small, probability-based
> attack surface, that comes only with small gain, if ever. Do you agree?

The updates _check_ only needs to download repository metadata, not
actual packages. Qubes based on a template do that from time to time,
using their own network connection, and report whether any updates are
available.
When you actually download and install those updates (over Tor) in the
template is up to you; it isn't immediately after checking whether something
is available, so time-based correlation isn't really an issue here.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [qubes-users] [4.0] Kernel panic in HVM

2019-03-17 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sun, Mar 17, 2019 at 04:02:31PM -0700, Vít Šesták wrote:
> Hello,
> I have tried to boot Fedora 29 Silverblue in a HVM from the official ISO. I 
> have noticed that there is some kernel panic before the HVM shuts down. The 
> problem is that I cannot read it. Is there any way to read it, e.g., by 
> disabling the automatic reboot somehow?

Try pointing kernel at hvc0 console (console=hvc0 kernel arg), then you
should get it in /var/log/xen/console/guest-VMNAME.log.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [qubes-users] vchan doesn’t work on recent mainline kernels

2019-03-14 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Mar 13, 2019 at 01:07:20PM -0400, Demi Obenour wrote:
> I built a Linux kernel from Linus’s git master, with a slight modification
> (u2mfn module moved in-tree).  The resulting kernel does not work with
> Qubes: libvchan gets -EINVAL from mmap().
> 
> Any suggestions?

Can you post more details? Specifically preceding operations on this FD
(should be /dev/xen/gntalloc or /dev/xen/gntdev).

BTW, the u2mfn module hasn't been used by libvchan for a long time. Its
last user is gui-agent, and even that isn't the case anymore in R4.1
(gui-agent-linux master branch).

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [qubes-users] Can't set default_target to @dispvm:foo in policy

2019-03-08 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Mar 08, 2019 at 01:36:51PM -0800, Ryan Tate wrote:
> I was trying to have a qubes.OpenInVM policy that would pre-fill a target in 
> the permission dialog when the destination was inside a certain dispvm.
> 
> Specifying the destination vm (#2 entry) in the policy works fine to specify 
> a dispvm instance.
> 
> But specifying the default_target (part of #3 entry) in the policy as a 
> dispvm instance fails.
> 
> For example, this WORKS:
> 
> $anyvm  @dispvm:dvm-print  ask,default_target=work
> 
> ...but is not what I want.
> 
> What I want is this, but it does NOT WORK:
> 
> $anyvm  @dispvm:dvm-print  ask,default_target=@dispvm:dvm-print
> 
> The resulting dom0 prompt at the top says "Domain '@dispvm:dvm-print' doesn't 
> exist".
> 
> What I expected is the dom0 prompt would have "Disposable VM (dvm-print)" 
> entry pre selected.
> 
> Seems like a bug?

Indeed. Could you report it at
https://github.com/QubesOS/qubes-issues/issues ?


- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [qubes-users] where/how does dom0 gets its icons? ANSWERED

2019-03-03 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sat, Mar 02, 2019 at 05:32:19PM -0600, Daniel Allcock wrote:
> Thank you to unman for giving me the thread to follow.
> The way the icons are chosen could be improved easily.
> I'd be happy to contribute a patch if I knew the procedure
> for doing so.  (It would not touch dom0.)

Happy to hear that!
See here:
https://www.qubes-os.org/doc/source-code/#how-to-send-patches

> To close out the thread, here is the answer to my question.
> The process of updating the Q menus is controlled by dom0's
> /usr/lib/python3.5/site-packages/qubesappmenus/receive.py.
> When updating the Q menus, dom0 first asks the vm for its
> desktop files.  The vm provides these using 
> /etc/qubes-rpc/qubes.GetAppmenus, which is a shell script
> that jumbles all the desktop files on the system
> together and sends them to stdout.  dom0 sanitizes and parses this,
> and assembles the results into a bunch of desktop files in
> dom0's ~/.local/share/qubes-appmenus/VM.  As it is doing this
> it notes which icons specified in the desktop files have 
> relative paths (typically, all of them).  For each icon name,
> dom0 asks the vm to run /etc/qubes-rpc/qubes.GetImageRGBA 
> and deliver the resulting icon file to dom0.  For icons
> described by a relative path, the first thing
> this shell script does is resolve the icon name to a file name using 
> /usr/lib/qubes/xdg-icon, which is also a shell script, and is
> where the actual resolution takes place.

Yes, exactly.
The VM side of this is here:
https://github.com/QubesOS/qubes-core-agent-linux/tree/master/qubes-rpc

> This resolution is simplistic.  It uses a fixed list of
> icon theme names (on my system: Humanity, Adwaita, gnome, oxygen),
> followed by any additional icon themes in /usr/share/icons.  
> The first theme that has a suitably named icon is the theme
> whose icon file gets used.  I don't have Humanity installed, so
> I was getting Adwaita icons every time, and overwriting them
> was the only way I could change my icons.
> 
> A simple fix is to insert my desired icon theme at the beginning
> of the fixed list of themes.  This is not the right
> way to solve the problem in general.  To solve it properly would
> require deciding what the right behavior is: should the theme
> used in dom0 (meaning: one of the same name) get used?  Or should the
> theme preferred by that template's user account get used? Not
> sure what the most natural answer is.  But I'm satisfied for now.

I think the logical thing to do would be to use the template's preferred
theme. If desirable, there could be a mechanism to synchronize it
with the dom0 theme.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

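As an added example (not code from qubesappmenus/receive.py or from the Qubes project), here is a hypothetical dom0-side sanitizer for the desktop-file stream the thread describes, followed by the first-theme-wins icon lookup. The `basename:Key=Value` wire format, the key whitelist, the sample stream and the theme directory contents are all assumptions constructed for this example.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Keys dom0 accepts from the VM: a constructed whitelist for this example.
# Exec is deliberately absent: the launcher is built in dom0 from the file
# name, so a VM-supplied command line is never executed in dom0.
ALLOWED_KEYS = {"Name", "GenericName", "Comment", "Categories", "Icon", "Type"}
# Bare .desktop basename only, so a VM cannot steer the output file elsewhere.
FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\.desktop$")
# Relative icon names only: no slash, so the lookup can never leave a theme dir.
ICON_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
# Reject control characters, which could smuggle a line break into the output.
PRINTABLE_RE = re.compile(r"^[^\x00-\x1f\x7f]*$")
# Fixed theme search order quoted in the thread, tried before anything else.
FIXED_THEMES = ["Humanity", "Adwaita", "gnome", "oxygen"]


def sanitize_appmenus(stream: str) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Parse 'basename:Key=Value' lines (assumed wire format) from an untrusted VM.

    Returns the accepted entries and a human-readable reason for every rejected line.
    """
    accepted: Dict[str, Dict[str, str]] = {}
    rejected: List[str] = []
    for raw in stream.splitlines():
        if not raw.strip():
            continue
        name, sep, rest = raw.partition(":")
        key, sep2, value = rest.partition("=")
        if not sep or not sep2:
            rejected.append(f"malformed line: {raw!r}")
            continue
        key, value = key.strip(), value.strip()
        if not FILENAME_RE.match(name):
            rejected.append(f"bad file name: {name!r}")
        elif key not in ALLOWED_KEYS:
            rejected.append(f"{name}: key {key!r} not allowed")
        elif not PRINTABLE_RE.match(value) or len(value) > 1024:
            rejected.append(f"{name}: {key} value has control characters or is too long")
        elif key == "Icon" and not ICON_RE.match(value):
            rejected.append(f"{name}: Icon {value!r} is not a bare icon name")
        else:
            accepted.setdefault(name, {})[key] = value
    # An entry without a Name would render as an empty menu item: drop it.
    return {n: e for n, e in accepted.items() if "Name" in e}, rejected


def resolve_icon(icon: str, themes_on_disk: Dict[str, Set[str]],
                 preferred: Optional[str] = None) -> Optional[str]:
    """First-theme-wins lookup as described in the thread, over a constructed
    view of /usr/share/icons ({theme name: icon names it provides}).

    `preferred` is the "insert my theme at the front of the list" workaround.
    """
    order = ([preferred] if preferred else []) + FIXED_THEMES
    order += sorted(t for t in themes_on_disk if t not in order)
    for theme in order:
        if icon in themes_on_disk.get(theme, set()):
            return f"/usr/share/icons/{theme}/{icon}.png"
    return None


# Constructed sample of what a VM might send, including hostile lines.
SAMPLE_STREAM = (
    "firefox.desktop:Name=Firefox\n"
    "firefox.desktop:Icon=firefox\n"
    "firefox.desktop:Type=Application\n"
    "firefox.desktop:Exec=/usr/bin/firefox %u\n"
    "evil.desktop:Name=Evil\n"
    "evil.desktop:Icon=../../../etc/shadow\n"
    "evil.desktop:X-Custom=1\n"
    "../escape.desktop:Name=Escape\n"
    "ctrl.desktop:Name=Bad\x1bName\n"
)

# Constructed view of the icon themes installed in the VM (Humanity absent).
SAMPLE_THEMES = {
    "Adwaita": {"firefox", "web-browser"},
    "oxygen": {"firefox"},
    "Papirus": {"firefox", "qubes-custom"},
}

if __name__ == "__main__":
    entries, problems = sanitize_appmenus(SAMPLE_STREAM)
    for fname, entry in entries.items():
        print(fname, entry, "->", resolve_icon(entry.get("Icon", ""), SAMPLE_THEMES))
    for p in problems:
        print("rejected:", p)
```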


Re: [qubes-users] [warn] last whonix-gw update, ipv6 and possible VPN leak!

2019-02-23 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Feb 15, 2019 at 09:14:51PM +, 'Evastar' via qubes-users wrote:
> Hello,
> 
> Seems after the last whonix update my old VPN VM began leaking traffic. After 
> investigation I found that it's because of the ipv6 primary connection to whonix-gw. 
> I guess that whonix-gw now supports ipv6. It leaks traffic through the ipv6 
> connection to whonix and ignores my default old ipv4 setup. 
> "qvm-features VM ipv6 0" fixed this issue! 

"0" in the command above is _not_ the correct way to disable it. It
should be an empty string:

qvm-features VM ipv6 ''

Details: https://www.qubes-os.org/doc/networking/#ipv6

Anyway, Whonix comes with firewall rules blocking native IPv6, regardless of
the above setting. If you reach some IPv6, it must be tunneled over Tor
- which does support IPv6.

> But I'm not sure about all my other vpns and leaking with ipv6. How must I 
> fix this at vpn setup (on load) to be 100% sure that it never happens again?

As Chris already mentioned, one way is to add extra firewall rules:
https://github.com/QubesOS/qubes-doc/pull/795

qubes-vpn-support / qubes-tunnel also come with relevant firewall
rules.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [qubes-users] disposible vms for sys-net, firewall, usb?

2019-02-23 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sat, Feb 23, 2019 at 10:15:32PM +0100, 799 wrote:
> Hello,
> 
> Stumpy wrote on Sat., 23 Feb. 2019, 17:58:
> 
> > (...) dvms could be used for things like sys-net usb and firewall which
> > had never occurred to me.
> > I may not be thinking about it right but that seemed like a really good
> > security idea, so my question is, why is that not the default? (...)
> 
> 
> I am also heavily interested in running "named" disposable VMs as sys-VMs

Take a look here:
https://www.qubes-os.org/doc/disposablevm-customization/#using-static-disposablevms-for-sys-

Multiple different DispVMs are a new feature in Qubes 4.0 and we're still
exploring what would be the best configuration for disposable sys-*.

> with one enhancement, that I am able to store the Wifi-Credentials in a
> Vault-VM and that I can "push" the credentials into the sys-net VM when
> launching it (maybe by some custom scripts which use qvm-run --pass-io from
> dom0 to copy data from Vault-VM to the Sys-Net-VM).

The above documentation covers this with another solution - have a separate
DVM template for it. This has one important advantage - it will work
universally regardless of the configuration/tools you use, including custom
VPN scripts etc.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



[qubes-users] QSB #47: Insecure default DisposableVM networking configuration

2019-02-19 Thread Marek Marczykowski-Górecki
bleVM is started, automatically set its
   `default_dispvm` to the DVM Template on which it is based. This means
   that, when a DisposableVM is started from another DisposableVM, they
   will both be based on the same DVM Template. Hence, they will have
   all the same settings, including the same network settings. This
   change will not affect DVM Templates for which the user has manually
   modified the `default_dispvm` property.

2. Add a warning message in the Qube Settings GUI when the NetVM of a
   qube in the "Basic" tab is set to a different value than the NetVM of
   the default DVM Template set in the "Advanced" tab.

Note that these changes concern only NetVM settings, not firewall
settings. If you want your DisposableVMs to have the same firewall
settings as the calling qube, you must adjust the firewall settings of
appropriate DVM Template yourself.

In the next version of Qubes, we will ship two DVM Templates by default:
one with network access and one without. This was already previously
discussed in issue #1121 [5].

Patching
========

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes OS 4.0:
  - qubes-core-dom0 version 4.0.39
  - qubes-manager version 4.0.28

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

Credits
=======

The issue was reported by Vít 'v6ak' Šesták.

References
==========

[1] https://www.qubes-os.org/doc/disposablevm/
[2] https://www.qubes-os.org/doc/data-leaks/
[3] https://www.qubes-os.org/doc/glossary/#dvm-template
[4] https://www.whonix.org/wiki/Qubes/Install
[5] https://github.com/QubesOS/qubes-issues/issues/1121

- --
The Qubes Security Team
https://www.qubes-os.org/security/
```

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?




Re: [qubes-users] Re: QSB #46: APT update mechanism vulnerability

2019-02-14 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Feb 13, 2019 at 04:12:27AM -0800, Vít Šesták wrote:
> Since Qubes 4.0.1 was released [1] before your message and before the DSA 
> [2], I assume it is not a good idea to install Debian and Whonix from the 
> 4.0.1 installation media, is it?
> 
> If it is right, then I suggest adding a note on the download page [3] until 
> 4.0.2 release.

Qubes update tools (qubes manager, updates widget) do include a safe apt
upgrade method. So, as long as you update dom0 before updating VMs, it
is safe to use Debian/Whonix from 4.0.1.

> Regards,
> Vít Šesták 'v6ak'
> 
> [1] https://www.qubes-os.org/news/2019/01/09/qubes-401/
> [2] https://www.debian.org/security/2019/dsa-4371
> [3] https://www.qubes-os.org/downloads/
> 


- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [qubes-users] why was DNS/ICMP removed from Qubes manager/firewall in R4?

2019-02-13 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Feb 13, 2019 at 08:42:10AM -0800, simon.new...@gmail.com wrote:
> In 3, if i clicked on "block connections" in the Qubes manager firewall 
> section, there was (if memory serves me) an option to block DNS and ICMP. 
> 
> That is not present in R4 (though docs say you can disable DNS and ICMP 
> manually)
> 
> I'm just wondering what the logic behind the removal was? I would have 
> thought that a general user who clicks "block connections" on Qube would not 
> expect the qube to be able to actually send out and receive network packets 
> such as DNS or ICMP. This presents information leakage scenarios (default DNS 
> lookups of given qube) and also potential egress vectors if a qube is ever 
> compromised (DNS tunnelling, ICMP tunnelling). 

Let me quote full text you can find on firewall tab there:

NOTE: To block all network access, set Networking to (none) on the
Basic settings tab. This tab provides a very simplified firewall
configuration. All DNS requests and ICMP (pings) will be allowed. For
more granular control, use the command line tool qvm-firewall.

There is a clear message about what to do if you want to cut the qube off
from the network.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



Re: [qubes-users] Re: sudo qubes-dom0-update downloads packages but abruptly ends with a "The downloaded packages were..."

2019-02-10 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sun, Feb 10, 2019 at 07:33:21PM +0100, Dupéron Georges wrote:
> I have the same issue. I thought there weren't any new updates, but it's
> been like this for a while.
> 
> There are two updates listed, but they never get installed.
> 
> Note: I am not using the regular sys-net as my updatevm (I am using a plain
> fedora 29 VM, that is connected to sys-firewall, which is connected to the
> sys-ethernet VM to which the PCI device is attached).
> 
> Log:
(...)
> Reinstalling:

This looks like it tries to update to the same version it already has
installed. It looks to be this issue:
https://github.com/QubesOS/qubes-issues/issues/4792

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190210211333.GC9610%40mail-itl.


Re: [qubes-users] qubes-templates-itl-testing: certificate expired. Drop https or update cert?

2019-02-10 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sun, Feb 10, 2019 at 06:23:37PM +0100, Dupéron Georges wrote:
> It seems that the SSL certificate for the qubes-templates-itl-testing repo
> has expired.
> 
> sudo qubes-dom0-update --enablerepo=qubes-templates-itl-testing
> qubes-template-debian-9-minimal
> [...]
> DNF will only download packages for the transaction.
> Downloading Packages:
> [MIRROR] qubes-template-debian-9-minimal-4.0.1-201901271906.noarch.rpm:
> Curl error (60): Peer certificate cannot be authenticated with given CA
> certificates for
> https://mirrors.dgplug.org/qubes/repo/yum/r4.0/templates-itl-testing/rpm/qubes-template-debian-9-minimal-4.0.1-201901271906.noarch.rpm
> [SSL certificate problem: certificate has expired]
> 
> GPG signature of the packages is checked by dom0 anyway, so they can be
> downloaded using an insecure connection, right?

Yes, this does not affect the integrity of the packages.

> Should the httpS be removed in /etc/yum.repos.d/qubes-templates.repo, or
> can the certificate be updated?

This is just one of the mirrors; yum/dnf should fall back to another one
automatically, doesn't it for you?

Regardless of the above, I've notified the mirror operator.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190210210944.GB9610%40mail-itl.


[qubes-users] Re: [qubes-devel] Template disappeared: qubes-template-fedora-29-minimial

2019-02-01 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

[Moving to qubes-users]

On Thu, Jan 31, 2019 at 10:14:26PM -0800, Elias Mårtenson wrote:
> I installed qubes-template-fedora-29-minimial by running the usual command:
> 
> $ sudo qubes-dom0-update qubes-template-fedora-29-minimial
> 
> This worked, but I messed up the template itself when doing some 
> experimentation. So, I removed said template and attempted to reinstall it.
> 
> When I try to perform the reinstall, I get an error message saying that the 
> package does not exist. What could be the cause of this?

Probably something went wrong with removing the template. Templates
which are still installed are excluded from being installed again.
Verify this with:

rpm -q qubes-template-fedora-29-minimial

If the template package is still there, but the actual template is gone (not
listed by the qvm-ls tool), you can forcibly remove the package with:

sudo rpm -e --noscripts qubes-template-fedora-29-minimial

See also https://www.qubes-os.org/doc/reinstall-template/

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190201102138.GA2830%40mail-itl.


Re: [qubes-users] post-apt-reinstall-issues sys-whonix not connecting to tor

2019-01-25 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Jan 25, 2019 at 04:20:50PM +0100, qubes-...@tutanota.com wrote:
> Jan 25, 2019, 4:13 PM by marma...@invisiblethingslab.com:
> 
> > On Fri, Jan 25, 2019 at 04:04:02PM +0100, qubes-...@tutanota.com wrote:
> >
> >> Thank you. Will the existing anon-whonix be recreated together with 
> >> sys-whonix as well? I have an anon-whonix AppVM already existing. Should I 
> >> back it up or change its name to prevent data loss?
> >>
> >
> > No, if anon-whonix already exists, it will not be recreated.
> > But note anon-whonix is based on the whonix-ws-14 template, which is also
> > affected. You should update it to an unaffected version using one of the
> > methods described in the QSB.
>
> Hi, I updated the whonix-gw-14 and whonix-ws-14 as well. I am planning to use 
> the pre-update AppVMs as a backup and transfer necessary data to the newly 
> created post-update AppVMs. Then delete them.
> In this case, I can just rename the anon-whonix AppVM and the new anon-whonix 
> will be created, right?

Yes, exactly.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190125152631.GJ1429%40mail-itl.


Re: [qubes-users] post-apt-reinstall-issues sys-whonix not connecting to tor

2019-01-25 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Jan 25, 2019 at 04:04:02PM +0100, qubes-...@tutanota.com wrote:
> Thank you. Will the existing anon-whonix be recreated together with 
> sys-whonix as well? I have an anon-whonix AppVM already existing. Should I 
> back it up or change its name to prevent data loss?

No, if anon-whonix already exists, it will not be recreated.
But note anon-whonix is based on the whonix-ws-14 template, which is also
affected. You should update it to an unaffected version using one of the
methods described in the QSB.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190125151356.GI1429%40mail-itl.


Re: [qubes-users] Qubes 4.0.x - Linux kernel 4.19.15 package available in testing repository

2019-01-25 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Jan 25, 2019 at 01:58:59PM +0100, Patrik Hagara wrote:
> On 1/24/19 5:18 PM, Patrik Hagara wrote:
> > On 1/20/19 1:57 AM, Marek Marczykowski-Górecki wrote:
> >> Hi all,
> >>
> >> There is an updated "kernel" package available in the current-testing
> >> repository - it's a Linux long term support 4.19.x series, as an update
> >> over 4.14.x before. Since the upgrade switches to the next major LTS
> >> branch, I'll keep it in the current-testing repository longer than the
> >> usual 1-2 weeks. This also applies to the kernel package for VMs:
> >> kernel-qubes-vm. Please report new issues the usual way, at
> >> qubes-issues[1], or simply by replying here. In either case, please mark
> >> clearly that it happens after updating to 4.19, preferably including a
> >> link to the update:
> >> https://github.com/QubesOS/updates-status/issues/850
> >>
> >> The 4.19.x kernel was already available as the kernel-latest package for
> >> some time. Users of kernel-latest will see the update to 4.19.15 too, but
> >> kernel-latest will soon carry the 4.20.x kernel version.
> >>
> >> [1] https://github.com/QubesOS/qubes-issues/issues
> >>
> >>
> > 
> > I get weird graphical artifacts with the new kernel after ~an hour of
> > usage. Windows from AppVMs sometimes turn all white when switching
> > workspaces in i3wm. Events like mousing over the rows of an interactive
> > table in a browser (when the current row gets highlighted) return that
> > particular section of the window back to normal (but not the whole
> > window; for that I need to trigger a repaint of the whole window by e.g.
> > making it full-screen and immediately switching back to non-full-screen).
> 
> The only error message I've been able to find so far is in dom0 Xorg log:
> 
> > (EE) intel(0): Failed to submit rendering commands (Bad address),
> disabling acceleration.

This is very likely related. Normally I'd say "Bad address" indicates a
user-space issue, but the only thing that changed is the kernel version... It
may also be that some kernel API has changed and the driver is using
parts that weren't there before.

Anyway, I've looked into the 'intel' X driver sources and the version we
currently have (2.99.917) is the latest one. On the other hand, there
have been over 800 commits since that release and some of them may be related.
For example maybe this: https://bugs.freedesktop.org/show_bug.cgi?id=105886

This suggests you may want to try enabling or disabling composition, if
i3wm supports it.

> Duckduckgo-ing the error message yielded a few [1][2] Arch Linux bug
> reports describing the same symptoms. The first bug report also has a
> kernel patch [3] linked, which supposedly fixes the issue (haven't tried
> it).

That patch is from 2014, already included in 3.19+.

> [1] https://bugs.archlinux.org/task/43143
> [2] https://bugs.archlinux.org/task/55732
> [3]
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d472fcc8379c062bd56a3876fc6ef22258f14a91
> 
> Cheers,
> Patrik

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190125141611.GH1429%40mail-itl.


Re: [qubes-users] Re: QSB #46: APT update mechanism vulnerability

2019-01-24 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, Jan 24, 2019 at 08:57:16PM -0600, Andrew David Wong wrote:
> On 23/01/2019 11.54 PM, Chris Laprise wrote:
> > On 01/23/2019 10:39 PM, Andrew David Wong wrote:
> >> On 23/01/2019 9.36 PM, pixel fairy wrote:
> >>> On Wednesday, January 23, 2019 at 7:24:57 PM UTC-8, Andrew David Wong
> >>> wrote:
> >>>  
> >>>> The Whonix packages are in qubes-templates-community-testing.
> >>>
> >>>
> >>> $ sudo qubes-dom0-update
> >>> --enablerepo=qubes-templates-community-testing
> >>> qubes-template-whonix-gw-14
> >>> Using sys-firewall as UpdateVM to download updates for Dom0; this may
> >>> take some time...
> >>> Last metadata expiration check: 1:08:18 ago on Wed Jan 23 18:22:56 2019.
> >>> No match for argument: qubes-template-whonix-gw-14
> >>> Error: Unable to find a match
> >>>
> >>
> >> That's strange. I was just able to install them with the same command.
> >> Maybe try it again with --clean?
> > 
> > That's why I found its better to just specify qubes*testing for the
> > templates:
> > 
> > https://groups.google.com/d/msgid/qubes-users/f4d997d5-7191-06d0-e7bb-ef42745a7db5%40posteo.net
> > 
> 
> I don't understand. How would that help here? To recap, this command
> worked for me:
> 
> $ sudo qubes-dom0-update --enablerepo=qubes-templates-community-testing 
> qubes-template-whonix-gw-14
> 
> The very same command failed for pixel fairy. 

I think the issue is about the previous point in the patching
instructions: remove the buggy template version. Otherwise it will fail
exactly like this (indeed the message is confusing...). A feature request
about simplifying this process is tracked here:
https://github.com/QubesOS/qubes-issues/issues/4518

> Why would using
> qubes*testing instead fix whatever is causing that command to fail?
> Would that somehow force cache busting for some reason?

No. But it would be easier - no need to think about which repository a given
template is in. In this particular case, it should be fine as the given
template is only in one of those repositories.

> > Also, using the 'upgrade' action is a lot less confusing. The official
> > steps are needlessly painful.
> 
> Would it be worth updating the QSB? (CC: Marek)

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190125031501.GD1429%40mail-itl.


Re: [qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-23 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, Jan 24, 2019 at 01:10:42AM +, js...@bitmessage.ch wrote:
> Marek Marczykowski-Górecki:
> > Summary
> > 
> > 
> > The Debian Security Team has announced a security vulnerability
> > (DSA-4371-1) in the Advanced Package Tool (APT).  The vulnerability lies
> > in the way APT performs HTTP redirect handling when downloading
> > packages. Exploitation of this vulnerability could lead to privilege
> > escalation [1] inside an APT-based VM, such as a Debian or Whonix VM.
> > This bug does _not_ allow escape from any VM or enable any attacks on
> > other parts of the Qubes system. In particular, this bug does _not_
> > affect dom0, the Xen hypervisor, or any non-APT-based VMs. Nevertheless,
> > we have decided to release this bulletin, because if a TemplateVM is
> > affected, then every VM based on that template is affected.
> 
> Hi,
> 
> Does this vulnerability apply to whonix users who download updates over tor
> from .onion repos?
> 
> My understanding is that it shouldn't, since the exit node operator or any
> other MITM doesn't even know it's apt traffic, they just see encrypted
> traffic to a hidden service.
> 
> Is this right, or am i not understanding something?

In the case of onion services, a MitM attack is indeed not that easy, but
someone who takes over the Debian (or Whonix) mirrors could still perform the attack.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190124012252.GA9610%40mail-itl.


[qubes-users] QSB #46: APT update mechanism vulnerability

2019-01-23 Thread Marek Marczykowski-Górecki
rough the
Qubes VM Manager. Installing the packages listed below is not enough.

Qubes 4.0:
 - qubes-desktop-linux-manager 4.0.14 (updates widget)
 - qubes-manager 4.0.27 (Qube Manager)

Qubes 3.2:
 - qubes-manager 3.2.14 (Qubes VM Manager)

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

Now you can safely update your APT-based TemplateVMs through the Qubes
VM Manager.


Credits


This vulnerability was discovered by Max Justicz and reported to the
Debian Security Team.


References
===

[1] https://www.debian.org/security/2019/dsa-4371


- --
The Qubes Security Team
https://www.qubes-os.org/security/
```

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190123170528.GV1429%40mail-itl.


[qubes-users] Qubes 4.0.x - Linux kernel 4.19.15 package available in testing repository

2019-01-19 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi all,

There is an updated "kernel" package available in the current-testing
repository - it's a Linux long term support 4.19.x series, as an update
over 4.14.x before. Since the upgrade switches to the next major LTS
branch, I'll keep it in the current-testing repository longer than the
usual 1-2 weeks. This also applies to the kernel package for VMs:
kernel-qubes-vm. Please report new issues the usual way, at
qubes-issues[1], or simply by replying here. In either case, please mark
clearly that it happens after updating to 4.19, preferably including a
link to the update:
https://github.com/QubesOS/updates-status/issues/850

The 4.19.x kernel was already available as the kernel-latest package for
some time. Users of kernel-latest will see the update to 4.19.15 too, but
kernel-latest will soon carry the 4.20.x kernel version.

[1] https://github.com/QubesOS/qubes-issues/issues

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190120005742.GS1205%40mail-itl.


Re: [qubes-users] last qubes-dom0-update brings kernel 4.19 and crashs login

2019-01-19 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sat, Jan 19, 2019 at 01:13:06PM -0800, Sergio Matta wrote:
> Yesterday I started qubes-dom0-update and it installed kernel-4.19. Looks 
> great!
> But it is not starting the graphical login anymore. 

Do you see a text login available? Maybe on tty2 (alt+ctrl+f2)? You can
log in there and see the lightdm service status (`sudo systemctl status
lightdm`), which is responsible for the graphical login. If it has failed,
what does it say there (you should have a few log lines there)?
It would also be useful to check the X server log - /var/log/Xorg.0.log -
especially if you see any error message at the end.

> I did sudo dnf downgrade kernel and it didn't work.
> I had to change grub to fix.

You should be able to choose an older version in the grub menu.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190120002704.GA5575%40mail-itl.
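Added example, not code from this thread: a small POSIX shell check over an Xorg.0.log that turns two pieces of advice above into something repeatable, the `(EE) intel(0): Failed to submit rendering commands` line Patrik found in the kernel 4.19 artifacts thread, and Marek's suggestion here to look at the end of /var/log/Xorg.0.log after a failed graphical login. The function names and the log content it runs on are constructed for this example; on a real dom0 you would point it at /var/log/Xorg.0.log instead.

```shell
#!/bin/sh
# Added example, not from the qubes-users thread. Function names and the
# sample Xorg.0.log fragments below are constructed for this example.

# Print the (EE) lines of a log, skipping the legend Xorg writes at the top
# of every log ("(WW) warning, (EE) error, ..."), which a plain grep for
# "(EE)" would otherwise report as an error.
xorg_errors() {
    grep '(EE)' "$1" | grep -v '(EE) error,' || true
}

# Count the (EE) lines within the last N lines of the log (default 50):
# when the X server dies at start, its real error sits at the end of the file.
tail_error_count() {
    tail -n "${2:-50}" "$1" | grep '(EE)' | grep -vc '(EE) error,' || true
}

# Succeed (exit 0) if the intel driver gave up on acceleration, i.e. the log
# carries the message quoted in the 4.19 artifacts thread.
intel_accel_disabled() {
    grep -q 'intel([0-9]*): Failed to submit rendering commands' "$1"
}

# One-word verdict for the log: which of the symptoms above it shows.
xorg_verdict() {
    if intel_accel_disabled "$1"; then
        echo intel-accel-disabled
    elif [ "$(tail_error_count "$1")" -gt 0 ]; then
        echo errors-at-end
    else
        echo clean
    fi
}

# Write a constructed Xorg.0.log fragment (not a real capture) to a temp file
# and print its path. $1 selects the scenario: intel, other or clean.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Markers: (--) probed, (**) from config file, (==) default setting,
        (++) from command line, (!!) notice, (II) informational,
        (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
[    10.001] (II) intel(0): constructed sample line, driver loaded
EOF
    case $1 in
    intel)
        echo '[  3610.500] (EE) intel(0): Failed to submit rendering commands (Bad address), disabling acceleration.' >>"$f"
        ;;
    other)
        echo '[    10.900] (EE) constructed sample: some other fatal error' >>"$f"
        ;;
    esac
    echo "$f"
}

# Stand-alone run: show the verdict for each scenario, then clean up.
for s in intel other clean; do
    sample=$(make_sample_log "$s")
    printf '%s: %s\n' "$s" "$(xorg_verdict "$sample")"
    rm -f "$sample"
done
```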


Re: [qubes-users] fedora-29-minimal sys-net/firewall problem

2019-01-13 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Jan 11, 2019 at 09:59:37PM -0800, rumsey.anth...@gmail.com wrote:
> Thanks to Ivan, I figured it out (with a bit of luck).
> 
> After comparing packages in his working template to my own, I first tried to 
> install:
> 
> dbus-glib
> ipcalc
> iproute
> iproute-tc
> iputils
> 
> That fixed it as far as I can tell. I now have a working sys-net and 
> sys-firewall with the fedora-29-minimal template. I'm assuming the ip* 
> packages were the key, but I don't really have any idea.

Yes, it's iproute. A similar problem happened to the Debian template[1] and it
was fixed there, but apparently Fedora is also affected. I'll add the
relevant dependency.

[1] https://github.com/QubesOS/qubes-issues/issues/4411

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190113113043.GE6577%40mail-itl.


Re: [qubes-users] "Qubes Update" icon (Sun Looking icon on top right)

2019-01-13 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sat, Jan 12, 2019 at 08:47:01AM -0800, 22...@tutamail.com wrote:
> Just used this feature again...Debian-9, Fedora-29 and Dom0 updates(or lack 
> of) went fine i.e. My Fedora templates seemed to update and no updates were 
> needed for Dom0 or my Debian templates.
> 
> My Whonix-14-GW and -WS however did deliver an error that might be related to 
> what you refer to, Marek. The sun icon gives me the following 
> error (abbreviated):
> 
> File "/var/tmp/.root_62a99a_saltimport salt.modules.cmdmod
> File "/var/tmp/.root_62a99a_saltimport salt.util.http
> File "/var/tmp/.root_62a99a_saltimport salt.util.events
> 
> ...
> ImportError: No module named concurrent...CancelledError
> stdout:
> 
> I manually updated the whonix-gw and -ws using the Qubes Manager OK.
> 
> Any chance someone can share the commands to allow me to update using the 
> "sun icon"? It's nice to check all templates for updates and have them run in 
> the background one-by-one. I thought this would crash my system but it worked 
> pretty slick apart from the whonix-gw and -ws error I got...

You need to install the python-concurrent.futures package there. Open
a terminal in whonix-gw (and -ws) and execute:

    sudo apt install python-concurrent.futures

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2019011307.GD6577%40mail-itl.


Re: [qubes-users] Smart cards, split GPG, and timing attacks

2019-01-13 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sat, Jan 12, 2019 at 12:27:04PM -0800, demioben...@gmail.com wrote:
> That makes sense.  How should one best handle GitHub accounts?  One per 
> project?  GitHub does not seem to allow per-project SSH keys, sadly.

Actually, you can have a separate per-repository key, called a deployment
key. But you can't re-use the same key for multiple repositories, so if
you have a project with 5 repositories, you need 5 keys...

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190113102748.GC6577%40mail-itl.


Re: [qubes-users] Smart cards, split GPG, and timing attacks

2019-01-11 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Jan 08, 2019 at 01:15:39AM +, 'awokd' via qubes-users wrote:
> Demi Obenour wrote on 1/7/19 3:16 PM:
> > Looking through the GPG CVE list, it appears that GPG has a fantastic
> > security record.  This seems to jus Most of the recent vulnerabilities have
> > been side-channel attacks.
> > 
> > Is it useful to use split-GPG with a hardware token to prevent side-channel
> > attacks?
> 
> I am far from a cryptographer, but IIRC those side channel attacks get the
> key by observing decryption leaks. So a hardware token wouldn't affect that
> either way, because once the key is unlocked it still gets processed the
> same.

Not really, if the key lives on a hardware token, only the token can perform
decryption/signing. So, if that hardware token is resistant against side
channel attacks, then split-GPG (or anything else) will not make it
worse.

> > Also, is it best to use one signing key per project one is working on?
> > 
> Again, not a crypto expert but if you're using the same development workflow
> for all projects, don't see much security gain from separate keys. If some
> demand a different, potentially less secure workflow, those might benefit
> from subkeys. Hopefully someone experienced has more insight!

There is one more thing: if you use a single key for multiple projects,
then it's harder to distinguish those projects based on cryptographic
proof. Which means code signed in one project could potentially be used
in another. 
An example: I have a qubes code signing key I use to sign my
qubes-related commits/tags. But I also contribute to other projects,
including also very simple patches, where I only fix one file and
definitely do not review the whole repository. If I used the same key
for both, then one could attack me like this:
1. Introduce a backdoor to some random software that I would likely
   contribute to (or even create new one specifically for this purpose).
2. Wait for me to contribute there (all kinds of social engineering will
   help here).
3. Take my signed contribution and pretend the code belongs to qubes -
   this may be quite tricky, and probably requires breaking into my github
   account (or github infrastructure) to place it under my (or QubesOS)
   account; but even without it, it would help in other attacks.

With separate keys (having project name in key comment) that attack
wouldn't work, or would require significantly more social engineering -
depending whether you attack a machine or a human.

You may also take into account the security of the development environment for
each project. If one depends on a lot of software without a reliable
integrity verification method (or, say, a lot of NodeJS packages ;) ),
then such an environment would be significantly easier to compromise, and
so would the key used there (even if not leaked, it could be used from there to
sign/decrypt anything).

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw5PaQACgkQ24/THMrX
1yyotggAj6mbhIApmFSsajZ/Zjk1Lt49Lgnba5TXQDHgODwGp+i4QG3JqKVgHTma
QXvoTKsMZohuABe6wWiTxT/DvJJjUzpHAOEnj/XAzGm6mm8kJqZ/hih2pq7T7+qn
Oe+zOdLNPdS4olmLy/igw/V+CtjNhuWYKsSM7mCzSpRRIPGuG4IvhEX+WyHFDt6u
rMpCL2nNqRHcMo+Qve7/5e2IPnWFZPjDVsaeTiHpaAlFfzDVLUyg2qxGxamezuLo
fH6ZvUd1UOHntUCYWjeD7JpY05Y8P0dAPRsRlcW28eAKAeUy9cepQlLJeafRdYCo
b5e0pWhYe/DqZxMJKzVuSnJy2OpBeA==
=j4nW
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190112010644.GB6577%40mail-itl.
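The per-project key scheme described in the message above only pays off if whoever consumes the signatures enforces it. The following is an added example, not code from this thread or from Qubes OS: it parses the GnuPG status lines that `git verify-commit --raw` / `git verify-tag --raw` print on stderr and accepts an object for a project only when the signature is valid and was made by that project's designated key, so a perfectly valid signature by the same developer's key for another project is rejected. The project names, fingerprints and sample status output are constructed for the example.

```python
"""Per-project signing-key policy for git commits and tags.

Added example, not code from the qubes-users thread or from Qubes OS.
The status lines parsed are GnuPG's status-fd protocol as printed by
`git verify-commit --raw`; project names, fingerprints and the sample
output are constructed for the example.
"""
import subprocess
from typing import Dict, FrozenSet, Optional, Tuple

# Hypothetical per-project allow-lists of *primary* key fingerprints.
PROJECT_KEYS: Dict[str, FrozenSet[str]] = {
    "qubes": frozenset({"0123456789ABCDEF0123456789ABCDEF01234567"}),
    "other-project": frozenset({"FEDCBA9876543210FEDCBA9876543210FEDCBA98"}),
}


def classify(status_output: str) -> Tuple[str, Optional[str]]:
    """Reduce GnuPG status lines to (verdict, primary_fingerprint).

    verdict is "valid", "bad" (BADSIG), "unverifiable" (ERRSIG, e.g. the
    key is not in the keyring) or "unsigned" (no signature seen).  One
    bad or unverifiable signature overrides any valid one.
    """
    verdict, primary = "unsigned", None
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "BADSIG":
            verdict = "bad"
        elif keyword == "ERRSIG" and verdict != "bad":
            verdict = "unverifiable"
        elif keyword == "VALIDSIG" and verdict == "unsigned":
            # VALIDSIG <signing-key fpr> <date> <ts> <expire> <ver> <res>
            #          <pubkey-algo> <hash-algo> <class> [<primary-key fpr>]
            # Signing subkeys are common, so the policy keys on the primary.
            primary = fields[11] if len(fields) >= 12 else fields[2]
            verdict = "valid"
    return verdict, primary


def authorize(project: str, status_output: str) -> Tuple[bool, str]:
    """True only for a valid signature by one of `project`'s keys."""
    verdict, primary = classify(status_output)
    if verdict != "valid":
        return False, f"signature {verdict}"
    if primary not in PROJECT_KEYS.get(project, frozenset()):
        return False, f"valid signature, but {primary} is not a {project} key"
    return True, f"signed by {project} key {primary}"


def check_git_object(project: str, rev: str, repo: str = ".") -> Tuple[bool, str]:
    """Run git's verifier and apply the per-project policy to its raw status.

    Assumes git and gpg are installed and the project keys are imported;
    `--raw` makes git print the GnuPG status lines on stderr.
    """
    proc = subprocess.run(["git", "-C", repo, "verify-commit", "--raw", rev],
                          capture_output=True, text=True)
    return authorize(project, proc.stderr)


def _status(primary: str, signer_uid: str, good: bool = True) -> str:
    """Constructed status output in the shape GnuPG emits; not a real run."""
    subkey = primary[::-1]            # a made-up signing subkey fingerprint
    lines = ["[GNUPG:] NEWSIG", f"[GNUPG:] KEY_CONSIDERED {primary} 0"]
    if good:
        lines += [f"[GNUPG:] GOODSIG {subkey[-16:]} {signer_uid}",
                  f"[GNUPG:] VALIDSIG {subkey} 2019-01-11 1547164800 0 4 0 1 8 00 {primary}",
                  "[GNUPG:] TRUST_FULLY 0 pgp"]
    else:
        lines += [f"[GNUPG:] BADSIG {subkey[-16:]} {signer_uid}"]
    return "\n".join(lines) + "\n"


SIGNED_WITH_QUBES_KEY = _status("0123456789ABCDEF0123456789ABCDEF01234567",
                                "Dev Example (qubes) <dev@example.org>")
SIGNED_WITH_OTHER_KEY = _status("FEDCBA9876543210FEDCBA9876543210FEDCBA98",
                                "Dev Example (other-project) <dev@example.org>")
TAMPERED = _status("0123456789ABCDEF0123456789ABCDEF01234567",
                   "Dev Example (qubes) <dev@example.org>", good=False)

if __name__ == "__main__":
    for name, status in [("qubes key", SIGNED_WITH_QUBES_KEY),
                         ("other-project key", SIGNED_WITH_OTHER_KEY),
                         ("tampered", TAMPERED)]:
        print(f"{name:18} -> {authorize('qubes', status)}")
```

The second case is the attack from the message: the signature is genuine and the developer is the right person, but the key is the one designated for the other project, so the qubes policy refuses it. Keying on the primary fingerprint rather than the user ID matters because the UID is free text the key holder (or an attacker with a look-alike key) chooses.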


Re: [qubes-users] Salt orchestration

2019-01-11 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, Jan 07, 2019 at 12:20:31PM -0500, Brian C. Duggan wrote:
> On 1/4/19 3:08 PM, Brian C. Duggan wrote:
> > 2. Salt should ensure that service VMs are running before Salt applies
> > states to their client VMs. For example, I have a service VM that
> > exports gpg-agent's SSH socket through Qrexec. This VM needs to be
> > running so that the client VM can clone git repos using keys on the
> > serivce VM.
> > 
> 
> I did some more testing. Of course, Qubes starts halted VMs when another
> VM makes a Qrexec RPC call to it. The calling process on the client VM
> will block until the service VM starts and the RPC call returns. So this
> isn't really a valid use case for orchestration.
> 
> At first, I thought the SSH authentication attempts failed because the
> service VM wasn't started yet. After more testing, I can see that the
> systemd socket service just doesn't work at the stage during initial
> boot that Salt runs. The socket file exists at this stage, though. SSH
> authentication succeeds during subsequent Salt runs after the VM is booted.
> 
> But I've also noticed that sometimes a new app VM's grain ID is still
> the template's ID when Salt processes templates. 

That shouldn't happen in theory... Can you give more details, especially
which templates, and qubes* packages version?

Additionally, even if grain['id'] doesn't match, target VM will get
access to other's VM pillar data - it's enforced when copying pillar
data out of dom0.


> This can be a problem
> when both dom0 and app VMs need the same pillar data:
> 
> pillar/app/client-vm-1.sls:
> app:
>   client-vm-1:
>     server-name: server-vm-1
> 
> pillar/app/client-vm-2.sls:
> app:
>   client-vm-2:
>     server-name: server-vm-1
> 
> pillar/top.sls:
> base:
>   dom0,client-vm-1:
>     - match: list
>     - app.client-vm-1
>   dom0,client-vm-2:
>     - match: list
>     - app.client-vm-2
> 
> dom0 needs the combined app data to set RPC policies between the clients
> and their servers. The clients need their own data to configure which
> service VM to send their RPC to. It's convenient for clients to find it
> through pillar['app'][grains['id']]. Maybe there's a better way of
> constructing this pillar data?

The fact that you'll see only the right pillar data, regardless of
grains['id'], may help you. You can iterate over the 'app' dict and use
whatever you find there, regardless of the first key name level.
It will complicate your configuration, but until a proper solution is
found, it should work.

> Is there a way to delay Salt execution on VMs until they are fully booted?

By default it's delayed until qrexec-agent is started, which should be
after essential services. If you want, you may:

1. Add a state waiting for user session and order other things after it.
This won't help with grains and such things, as salt loads them before
considering states, but may help with some states, if they are dependent on
a running X server for example. For this, add this:

/etc/qubes-rpc/qubes.WaitForSession:
  cmd.run:
    - runas: user

2. Configure the qubes.VMRootShell qrexec service in a VM (used by salt) to
wait for user session. This will affect the whole salt call for that VM.
But it also means it will wait indefinitely if no user session is started
at all (for example you're logged out of dom0).
For this create /etc/qubes/rpc-config/qubes.VMRootShell in the template
with "wait-for-session=1" inside.

> For the curious, I'm using a Salt formula to set up access to gpg-agent
> on a service VM from client VMs through Qrexec:
> 
> https://gitlab.com/bcduggan/qrexec-gpg-agent-formula

One MAJOR problem with giving unfiltered access to gpg-agent is that the
client can request gpg-agent to export secret keys. Which defeats the
whole purpose of keeping secret keys in a separate qube - that the client has
no access to its secret part.
You may want to look at https://github.com/hw42/qubes-app-linux-split-gpg2/

I think this problem does not apply to the ssh-agent protocol, which AFAIK
does not allow the client to extract secret keys.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw5N7kACgkQ24/THMrX
1yzQPwf+I1+7XjklLKxfGUVG1mBMWUdsvv5WOchp4uhWJeNpZVlavCLZNj0S09IL
T5kGdw0/oM78LDnFRPlAEXRp/w/r2pg1Q0aA/dG7iyQsMWdzqYl/uAdNEpx2ML+h
6T7pRrTCBMUrxAub5rJq3xpGPgfwA9JwCDrR8h4xVC55grUuvMOuR5PH/A1ksbg8
c/RfU/GeTGPjjisEAyYARSM29BT098BD3IcZjaMe1X2jnaQkdZYJnf6nDZ+qMR7t
Thy21mn45BPVcM1TF1012waXimlz9utVI3zytUKDZHURQtfWwTzKB3UOwmOH7460
u2qWHMnEOURbzGBUcp2oiXiG3JEFSA==
=DMM5
-END PGP SIGNATURE-

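The export problem raised at the end of the message above is what a command-level filter between the client qube and gpg-agent exists to close. The following is an added example of that idea; it is not the poster's Salt formula and not code from qubes-app-linux-split-gpg2, which implements a far more complete version of the same filter. The command names are those of gpg-agent's Assuan interface; the client session at the bottom is constructed, and the numeric code in the ERR replies is a placeholder rather than a real gpg-error value.

```python
"""Allow-list filter for gpg-agent's Assuan protocol.

Added example, not code from this thread or from split-gpg2.  A client
qube talks to the filter; only allow-listed commands with well-formed
arguments are forwarded to the real agent, so the secret key can be
*used* (PKSIGN, PKDECRYPT) but never *fetched* (EXPORT_KEY).
"""
import re
from typing import List, Tuple

# Enough to sign and decrypt with a key whose secret part stays on the
# agent side.  SCD (raw passthrough to scdaemon) is deliberately absent.
ALLOWED = frozenset({
    "RESET", "NOP", "BYE", "OPTION", "GETINFO", "HAVEKEY", "KEYINFO",
    "SIGKEY", "SETKEY", "SETHASH", "SETKEYDESC", "PKSIGN", "PKDECRYPT",
    "D", "END", "CAN",            # client-side halves of an INQUIRE exchange
})
# Commands that hand key material, or control over it, to the client.
DENIED = frozenset({"EXPORT_KEY", "IMPORT_KEY", "DELETE_KEY", "GENKEY",
                    "PASSWD", "KEYWRAP_KEY", "PRESET_PASSPHRASE", "SCD"})

KEYGRIP = re.compile(r"^[0-9A-F]{40}$")
HEX = re.compile(r"^[0-9A-Fa-f]+$")


def args_ok(cmd: str, args: str) -> bool:
    """Argument checks for the commands that carry client-chosen data."""
    if cmd in ("SIGKEY", "SETKEY", "HAVEKEY"):
        return bool(args) and all(KEYGRIP.match(a) for a in args.split())
    if cmd == "SETHASH":
        # SETHASH --hash=<name> <hex>   or   SETHASH <algo-number> <hex>
        parts = args.split()
        return len(parts) == 2 and bool(HEX.match(parts[1]))
    return True


def filter_line(line: str) -> Tuple[bool, str]:
    """Decide one client line: (forward_to_agent, reply_if_not_forwarded)."""
    stripped = line.rstrip("\r\n")
    if stripped.startswith("#") or not stripped.strip():
        return False, ""          # Assuan comment or empty line: drop silently
    cmd, _, args = stripped.partition(" ")
    cmd = cmd.upper()
    # "ERR 1 ..." below: placeholder code, not a real gpg-error value.
    if cmd in DENIED:
        return False, f"ERR 1 {cmd} forbidden by split-gpg filter <filter>"
    if cmd not in ALLOWED:        # default deny keeps future agent commands closed
        return False, f"ERR 1 {cmd} not allow-listed <filter>"
    if not args_ok(cmd, args.strip()):
        return False, f"ERR 1 bad arguments to {cmd} <filter>"
    return True, ""


def run_session(client_lines: List[str]) -> List[Tuple[str, str]]:
    """Simulate the filter on a client transcript: (line, 'forwarded' | reply)."""
    log = []
    for line in client_lines:
        forward, reply = filter_line(line)
        log.append((line, "forwarded" if forward else reply))
    return log


GRIP = "0123456789ABCDEF0123456789ABCDEF01234567"   # hypothetical keygrip
DIGEST = "ab" * 32                                  # hypothetical SHA-256 value
# Constructed client session: a legitimate signing request, then an attempt
# to pull the secret key out of the agent, then a malformed keygrip.
SESSION = [
    "OPTION display=:0",
    f"HAVEKEY {GRIP}",
    f"SIGKEY {GRIP}",
    f"SETHASH --hash=sha256 {DIGEST}",
    "PKSIGN",
    f"EXPORT_KEY --openpgp {GRIP}",
    "SIGKEY ../../etc/passwd",
    "BYE",
]

if __name__ == "__main__":
    for line, outcome in run_session(SESSION):
        print(f"{line:58} {outcome}")
```

A production filter also has to track INQUIRE state (so that `D`/`END` lines are only accepted while the agent is asking for data), constrain OPTION values, and sanitise the agent's replies in the other direction; the example shows only the client-to-agent allow-list, which is the part that stops EXPORT_KEY.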

Re: [qubes-devel] Re: [qubes-users] qubes dom0 update breaks template updating

2019-01-11 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Jan 11, 2019 at 11:23:00AM +, qtpie wrote:
> 
> 
> Marek Marczykowski-Górecki:
> > On Wed, Jan 09, 2019 at 10:19:00PM +, qtpie wrote:
> >> The latest dom0 update broke updating my templates. I altered
> >> /etc/qubes-rpc/policy/qubes.UpdatesProxy to change the updateproxy to
> >> sys-whonix.
> > 
> > Can you explain what/how exactly it's broken?
> > /etc/qubes-rpc/policy/qubes.UpdatesProxy should not be overridden by an
> > update, so any local modifications should remain. Also, using sys-whonix
> > as updates proxy is a valid configuration we test regularly and have not
> > spotted any issues with recently...
> > 
> 
> I cant reproduce the exact situation anymore. What was broken was that
> on apt update or dnf upgrade, I got a 500 error on the repository URL,
> and the error below.
> 
> The error below I can still trigger by commenting out the line starting
> with $type, and uncommenting the line starting with $tag.

If you leave _only_ lines with $tag, then templates without that tag
won't have access to any updates proxy (as you define it only for
templates with a tag). 

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw4gF4ACgkQ24/THMrX
1yxrdQf+K1K8P9IDlQ/vmTOv9fWNkSfWofAcmF0VTPGQukRKmYLVrHQu3xSiH9eV
C/bBszQZ2wY4HIzMcPpSxqQ37NSRec/V+s5NUogjzuIvD5vF/MM2pWOZN9A8kM3Z
GmwYTuPh6wjww6tJ+CjKHFOZo1U2/gSQ86h5bsO2NeJMwV8IWwkzSkOKJyuuqxKg
eo66yw9aS3iehEUIz/R68ApXWBlM7L0PRDpgWR96FwcaG1v2SSfFsEE7PODpdTgi
sdbyTNKIIe5G+GCodfzi2RbT0C1hkA3CF8hUrY1+0C+RHuOkH6Vrqa8FCfDuxObl
hiTCm1COw3jGYp4mcJ+EZcaPoeR99Q==
=zQ9b
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2019013910.GD1205%40mail-itl.
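To make the $tag versus $type point above concrete, here is an added example of an /etc/qubes-rpc/policy/qubes.UpdatesProxy in the R4.0 policy format; it is not a file taken from this thread, and the target names are the stock Qubes ones. The first rule matches only templates carrying the whonix-updatevm tag, so with the $type line commented out a plain Fedora or Debian template matches nothing but the final deny and its dnf/apt run never reaches a proxy:

```text
# Templates tagged whonix-updatevm (the Whonix templates set this tag)
# update through sys-whonix
$tag:whonix-updatevm $default allow,target=sys-whonix
# every other TemplateVM is directed to sys-net; change the target here
# to route all template updates through Tor instead
$type:TemplateVM $default allow,target=sys-net
# anything else is refused
$anyvm $anyvm deny
```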


Re: [qubes-users] "Qubes Update" icon (Sun Looking icon on top right)

2019-01-10 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Tue, Jan 08, 2019 at 06:53:03AM -0800, 22...@tutamail.com wrote:
> Just played around again with the sun icon, this time starting my whonix-gw 
> template used for template updates prior, a couple of observations:
> 
> Seems to work fine when updating Debian and Fedora 29 templates, at least the 
> messages I get in the details appear positive, listing the updates/changes, 
> green check marks, etc
> 
> However when I try to update my whonix14 templates (both -ws and -gw) I get 
> what appears to be errors. I still don't know how to copy errors from Dom0 to 
> an appvm but the errors end with:
> 
> File"/var...salt...futures import cancelledError
> ImportError: No module named concurrent.futures
> ...

See here: https://github.com/QubesOS/qubes-issues/issues/4272

It shouldn't be an issue for new templates, but for older installs, you
need to install python-concurrent.futures manually there.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw3qQAACgkQ24/THMrX
1ywXmQgAgRKQFTZHK7yHUQ+PYBMnA3FxSnyljl+kv1kT3w8vnHTzMudmxNBczi6G
RwYH1FR7UqEfUxmITbaJOMJZuft3ag0zqnXfFCwPIHn1GPrmbg5EVZ254hqd/Rvq
UHLefaJCWjxO1P7bghAz5710D+/YpeGEKxnd2tXqYu9Nfdd+yoYKTzrgcfBbsy0t
0BElDQS8/kWnYHDx8fnn0Qijv2WUbM4B5LHvu192+mIcxAhya6zPUipbjiAHu3e5
9c4igObPZCMVhdRuyb4Ir9zs/FneuSTi8ZKKDGzZQIPdmK3GTrKNzy8m/yRqgRLi
23RikMqs7z1dieMfQqMPnjk9FzAlvw==
=4jRT
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190110202015.GA1292%40mail-itl.


Re: [qubes-users] qubes dom0 update breaks template updating

2019-01-09 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Jan 09, 2019 at 10:19:00PM +, qtpie wrote:
> The latest dom0 update broke updating my templates. I altered
> /etc/qubes-rpc/policy/qubes.UpdatesProxy to change the updateproxy to
> sys-whonix.

Can you explain what/how exactly it's broken?
/etc/qubes-rpc/policy/qubes.UpdatesProxy should not be overridden by an
update, so any local modifications should remain. Also, using sys-whonix
as updates proxy is a valid configuration we test regularly and have not
spotted any issues with recently...

> My solution is to uncomment the lines starting with 'tag', while leaving
> the lines in the old formatting untouched.
> 
> This solution seems weird since here it is suggested that the lines
> starting with 'tag' should replace the other lines:
> https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/commit/ca27a33b0ec59f5ea2d4b334973eaa837f11ffc4
> 
> I'm not saying this is a bug, I can understand that an update is not
> compatible with certain customisations and it is the user's responsibility
> to fix this.
> 
> In any case - enjoying Qubes everyday!

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw2lpUACgkQ24/THMrX
1yw3PQf/YuxS53SSNvIjyjbUxNXjCMMRO6RU3p1JjdrPwYbmo+8adCFRdmyDJake
kH+1FginUxsUpqySOvX1Xw516p00Ct+1sKVOcgfmLKU9Ama7peNoUNcRBTr3jmst
FC3rRsrxofT3E3ceCmd/BXFJdIK/JEof130DXEYsBxKdf/9qm5BVYVkN+Q3VmvIA
uwz0VWstF3Z2vXvwgWLcMyTjpuxhdWBMuLeJSGqI0gWwltztgpyGERp24UjraK6E
xZtVIie+7MGnfXI6ZpONeLjdTAAW+VKGvvWs5YncbxKVQIdUucILbkQamwqiyD1m
XatKifnvLe9WO4MrrzZR22h79gua5A==
=WJ+F
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190110004925.GE7536%40mail-itl.


Re: [qubes-users] mooltipass hardware password manager

2019-01-09 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Jan 09, 2019 at 03:26:02PM -0800, Benjamin Richter wrote:
> Hi,
> 
> I have a Mooltipass Mini Hardware Password manager 
> (https://www.themooltipass.com/), which identifies as a USB keyboard in order 
> to input passwords.
> 
> I can attach the USB device to a VM to connect to the mooltipass mini and put 
> in credentials, but I cannot get it to input the password, neither 

> by attaching it to a VM directly, 

This may be about permissions to /dev/input/event* device files in the
target qube. See the X server log about it. If that's the case, you need a
udev rule to allow it, like this:

/etc/udev/rules.d/90-allow-input-for-qubes.rules:
KERNEL=="event*", GROUP="qubes", MODE="0660"

> nor by leaving it in the USB qube via the input proxy.
> The key events just don't seem to turn up anywhere.

I'm not sure how this device really works, but with input proxy it may
be missing some feedback channel (browser -> device), for example to
choose the right credentials.

> I'm running latest stable R4. My USB keyboard, touchpad and touchscreen work, 
> also I don't have any problems with other USB devices. How can I debug this 
> further?
> 
> journalctl output while connecting:
> 
> Jan 10 00:21:07 sys-usb kernel: usb 2-1: new full-speed USB device number 10 
> using xhci_hcd
> Jan 10 00:21:07 sys-usb kernel: usb 2-1: New USB device found, idVendor=16d0, 
> idProduct=09a0
> Jan 10 00:21:07 sys-usb kernel: usb 2-1: New USB device strings: Mfr=1, 
> Product=2, SerialNumber=0
> Jan 10 00:21:07 sys-usb kernel: usb 2-1: Product: Mooltipass
> Jan 10 00:21:07 sys-usb kernel: usb 2-1: Manufacturer: SE
> Jan 10 00:21:07 sys-usb kernel: hid-generic 0003:16D0:09A0.001B: 
> hiddev96,hidraw1: USB HID v1.11 Device [SE Mooltipass] on 
> usb-:00:07.0-1/input0
> Jan 10 00:21:07 sys-usb kernel: input: SE Mooltipass as 
> /devices/pci:00/:00:07.0/usb2/2-1/2-1:1.1/0003:16D0:09A0.001C/input/input36
> Jan 10 00:21:07 sys-usb kernel: hid-generic 0003:16D0:09A0.001C: 
> input,hidraw2: USB HID v1.11 Keyboard [SE Mooltipass] on 
> usb-:00:07.0-1/input1
> Jan 10 00:21:07 sys-usb mtp-probe[30635]: checking bus 2, device 10: 
> "/sys/devices/pci:00/:00:07.0/usb2/2-1"
> Jan 10 00:21:07 sys-usb mtp-probe[30635]: bus: 2, device: 10 was not an MTP 
> device
> Jan 10 00:21:07 sys-usb kernel: audit: type=1130 audit(1547076067.807:236): 
> pid=1 uid=0 auid=4294967295 ses=4294967295 
> msg='unit=qubes-input-sender-keyboard@event6 comm="systemd" 
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Jan 10 00:21:07 sys-usb audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 
> ses=4294967295 msg='unit=qubes-input-sender-keyboard@event6 comm="systemd" 
> exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Jan 10 00:21:07 sys-usb systemd[1]: Started Qubes input proxy sender 
> (keyboard).

This looks promising. What do you have in
/etc/qubes-rpc/policy/qubes.InputKeyboard in dom0? As your USB keyboard
works, you probably have it configured correctly already, but see 
https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard

You can also see qrexec connections log in dom0 with
`journalctl SYSLOG_IDENTIFIER=qrexec` (or simply grep for qrexec, if you
hate to type that long field name...)

Checking if X server in dom0 sees the device (xinput tool) also may be
helpful. evtest in dom0 may also give some hints.

> Jan 10 00:21:07 sys-usb systemd-logind[436]: Watching system buttons on 
> /dev/input/event6 (SE Mooltipass)

(...)

> Testing ... (interrupt to exit)
> ***
>   This device is grabbed by another process.

This is most likely the input proxy. Which means it's running.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw2liwACgkQ24/THMrX
1yyIcAf/R5t1JsBeH4V9bOJtevq7qbjwhCW17jWgNyZuAX9KR5EmdzIgXg5w8kwI
XvY3M+rfy5IPEyk8le4IifX4c8OhbfXAkETqAibUxX+qrtRZHTBoIsgsCDWpKj90
T+CYEsGx+I4ilb0ygBzn4v7zDZ/VTiDixJalIY1oQ4+xaDHS/BrFEcZ+EeG9eqeh
vncKoRmPrdA1OR5xvwfG7NBm2pUJHumPP0yu072yKh/a59aAe3ZRxgxZTwbWkbgo
LinsbjG6G57JTjnS9oNAVrMjdTaB3xWG3cMA2343nIZCg8bEEjeiw+qjxo25jyLl
z+uTpLuBbXeUNiKaqLjWhc2ta1Vq0w==
=94WL
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190110004740.GD7536%40mail-itl.


Re: [qubes-users] Installing snaps in appvms?

2019-01-09 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Jan 09, 2019 at 07:11:50PM -0500, Chris Laprise wrote:
> On 01/09/2019 06:41 PM, Stumpy wrote:
> > On 1/8/19 7:59 PM, 'awokd' via qubes-users wrote:
> > > Stumpy wrote on 1/9/19 12:07 AM:
> > > > On 1/8/19 7:04 PM, Stumpy wrote:
> > > > > I thought I had snap installed but the app i installed via
> > > > > snap now does not seem to be working? I installed snapd in
> > > > > dom0 then tried installing a snap package in one of appvms
> > > > > but I am getting errors. If i try to run a snap from dom0:
> > > > > qvm-run gfx /snap/bin/xnview
> > > > > 
> > > > > I get:
> > > > > Running '/snap/bin/xnview/ on gfx
> > > > > gfx: command failed with code: 1
> > > > > 
> > > > > when i try to run it within the appvm i get:
> > > > > user@gfx:~$ xnview
> > > > > Can not open
> > > > > /var/lib/snapd/seccomp/profiles//snap.xnview.xnview (No such
> > > > > file or directory)
> > > > > aborting: No such file or directory
> > > > > 
> > > > > thoughts? please?
> > > > > 
> > > > 
> > > > oh, and if i try to reinstall the app I get:
> > > > user@gfx:~$ sudo snap install xnview
> > > > snap "xnview" is already installed
> > > 
> > > Nothing should be installed to dom0. You'd have to install snapd in
> > > a template, and possibly the snap package. You might want to create
> > > a Standalone VM and install everything in there, instead of
> > > templates & AppVMs.
> > > 
> > > 
> > 
> > Thanks, I had thought I had to install on dom0 as well, perhaps not,
> > though when I try to:
> > 
> > sudo snap install xnview from the template I get:
> > user@debian-9:~$ sudo snap install xnviewmp
> > error: cannot install "xnviewmp": Get 
> > https://search.apps.ubuntu.com/api/v1/snaps/details/core?channel=stable=anon_download_url%2Carchitecture%2Cchannel%2Cdownload_sha3_384%2Csummary%2Cdescription%2Cdeltas%2Cbinary_filesize%2Cdownload_url%2Cepoch%2Cicon_url%2Clast_updated%2Cpackage_name%2Cprices%2Cpublisher%2Cratings_average%2Crevision%2Cscreenshot_urls%2Csnap_id%2Csupport_url%2Ctitle%2Ccontent%2Cversion%2Corigin%2Cdeveloper_id%2Cprivate%2Cconfinement:
> > dial tcp: lookup search.apps.ubuntu.com on 10.137.3.254:53: dial udp
> > 10.137.3.254:53: connect: network is unreachable
> > 
> > So i was thinking that doing a qubes-dom0-update something so it could
> > get through? For the life of me i cant figure out what I did on my other
> > computer to make it work but it works fine there.
> > 
> > 
> > I forgot to mention, it is installed in the appvm:
> > 
> > 
> > user@debian-9:~$ sudo apt-get install snapd
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > snapd is already the newest version (2.21-2+b1).
> > 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
> > 
> > 
> > ideas?
> > 
> 
> Only apt is configured to access servers through the special Qubes proxy.
> Since templates have networking turned off by default, that means nothing
> else can download packages or data.
> 
> In the short term, you can try enabling networking temporarily for the
> template while you install snap packages. Just set the netvm in the
> template's settings.
> 
> In the long term, Qubes users may benefit from a special accommodation of
> snap, which has become a versatile and important way to install software.
> Support could include access through the update proxy and even special
> storage capabilities. Would be a good idea to open an enhancement issue for
> this. :)

There is some progress on this already:
https://github.com/QubesOS/qubes-issues/issues/2766

The current state is: you can install "qubes-snapd-helper" package in
_template_, to be able to install snaps in qubes _based on that template_.


- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw2kq8ACgkQ24/THMrX
1yzNvwgAhc0/O9VIzBGH1WDg8l+1sH3yLxxySFannO2ihUUXbUA80cf4+uxrxk/1
Rg+jR0XfdBXD91h817luvs3mIdqwcluq1YHxbGIb0J/vALPLHRhZ8YLasXSdpDIG
MyiVTk1ogAOG6jH30245V/GRPWALJmysYnW4DUki3ZefG/EyCFHWi7lpJZ9XS00F
QbVv7MoDx6GbHiSfHMzYk016fSaEAFlXGUUXczSHgDpJjumP6+MfVkz0l4diYbm5
wGOPIknWLBBSQMMOS0IoaB1iq1hYbZNULt6/gaOOFBIC2I9D2m4Q8KHKeDz95qln
HEzk2d5IJJlv8M1xpoNyzS0+IJNHMQ==
=hL/D
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190110003247.GC7536%40mail-itl.


Re: [qubes-users] Re: Qubes OS 4.0.1 has been released!

2019-01-09 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Jan 09, 2019 at 01:35:42AM -0800, Lorenzo Lamas wrote:
> I see the hashes are different to 4.0.1-RC2 What has changed compared to RC2?

Minor fix to update widget[1] plus a rebuild with "4.0.1" as a version,
instead of "4.0.1-rc2".

[1] https://github.com/QubesOS/qubes-issues/issues/4667

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw1yMsACgkQ24/THMrX
1ywoBAf+Nad/7dZEMepMvmLeWjAbKpFF2P1wM9bVHwRY3j+ZB0ahCmRntAN1soeC
1p3A7eppOGIfr5IuhtozeBim/ZdswT1fc/zLPG4UCIfr4Oo0SbZpfI7THijHoc5u
PgmAOu2FGzQ3IwufkFp74b6pN+MiP2MP1aCabKBCA8kF0am24buism5VBZoBwblT
umQGYePGSEFepPN1qbPGbYzy/+Z+aVXOIBdxT61RSQteB8yGJLz+kwmaoOlO6o0r
oTYGaCD8TNvzJFarnaa5/xPvBCptL7BecsbZkn6gNzKNTI3+gT++hMbQ6AJIYatv
sKHmHKC4ti1PW6DBJxNLX6unMNTwVg==
=LZWx
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190109101123.GB7536%40mail-itl.


[qubes-users] Qubes OS 4.0.1 has been released!

2019-01-08 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Dear Qubes Community,

We're pleased to announce the release of Qubes 4.0.1! This is the first
stable point release of Qubes 4.0. It includes many updates over the
initial 4.0 release, in particular:

 - All 4.0 dom0 updates to date, including a lot of bug fixes and
   improvements for GUI tools
 - Fedora 29 TemplateVM
 - Debian 9 TemplateVM
 - Whonix 14 Gateway and Workstation TemplateVMs
 - Linux kernel 4.14

Qubes 4.0.1 is available on the [Downloads] page.


What is a point release?
- 

A point release does not designate a separate, new version of Qubes OS.
Rather, it designates its respective major or minor release (in this
case, 4.0) inclusive of all updates up to a certain point. Installing
Qubes 4.0 and fully updating it results in the same system as installing
Qubes 4.0.1.


What should I do?
- -

If you're currently using an up-to-date Qubes 4.0 installation
(including updated Fedora 29, Debian 9, and Whonix 14 templates), then
your system is already equivalent to a Qubes 4.0.1 installation. No
action is needed.

Similarly, if you're currently using a Qubes 4.0.1 release candidate
(4.0.1-rc1 or 4.0.1-rc2), and you've followed the standard procedure for
keeping it up-to-date, then your system is equivalent to a 4.0.1 stable
installation, and no additional action is needed.

If you're currently using Qubes 4.0 but don't have these new templates
installed yet, we recommend that you follow the appropriate
documentation to do so:

 - [Fedora 29]
 - [Debian 9]
 - [Whonix 14]

Regardless of your current OS, if you wish to install (or reinstall)
Qubes 4.0 for any reason, then the 4.0.1 ISO will make this more
convenient and secure, since it bundles all Qubes 4.0 updates to date.
It will be especially helpful for users whose hardware is too new to be
compatible with the original Qubes 4.0 installer.


[Downloads]: https://www.qubes-os.org/downloads/
[Fedora 29]: https://www.qubes-os.org/doc/template/fedora/upgrade-28-to-29/
[Debian 9]: https://www.qubes-os.org/doc/template/debian/upgrade-8-to-9/
[Whonix 14]: https://www.whonix.org/wiki/Upgrading_Whonix_13_to_Whonix_14

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2019/01/09/qubes-401/

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw1YTUACgkQ24/THMrX
1ywKSgf/RepKuj8klzDbi3G566MRg6XaF6GgVKYtt8xa9PX5w3yk+3j0n26zsW07
fsO4iJQtn4xt4nUDkIkY0ZaFuLXiXes6syLsu2mJ5dhB23C6C07No1tbeJ0GqzmJ
G5TbCsXpTGnTH8URSyb0U0aB2C6dIAwQZUom+HaDgb/x6M6OWAwODhVV/hbFzhm/
msWu6Xy1rVcbaAB2Q2YLGGIShwx3cd5I/K6y0Lw+9sWhIZ8lj4ARfdnWzqGp5u2+
YYVMtRDGBWGm2o5Wu/gmduYNjRpkDSoE2qh5bUvubRm7TWK0HDkTCHvqyGTQXaZZ
mGbhYdSlxM1N4Qm5YuyYMcGd1qUKQg==
=8aly
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190109024925.GJ5040%40mail-itl.


[qubes-users] Qubes Canary #18

2019-01-08 Thread Marek Marczykowski-Górecki
st the contents of this file blindly! Verify the
digital signatures!
```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2019/01/08/canary-18/


- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw1X7kACgkQ24/THMrX
1ywfmgf/eRS3ND12XUJoXOCbRM/ncvAHDYGUUH9A/D9WY0c0ZXOdA8YRyH2P/BDG
LmR7nGWHO4YCd5On0kUhPH5QyLc8ySCRBQplbCfED08k4s/baCnLcA9ptzgMZ+Ra
HUrbvagkUeR770ZJytQDIxQEf3W2aRCVDAzOlRd8jhYVea+J09VyqYcc7qrxgjuQ
VJD962qmAYqFXJtl5r0/p1y8DIffJsY1gCXlxDIvP4Os/mL2zo2JFKQ7OSn1X9lp
EuA5lzIro2ejkGxULFN6hz0QPi4JICglWJQ0jjF+35G+p83enIeUNwdkdnF9V1wL
nO4NsBXRXHQorBzp8j1uw8RmYTdfhQ==
=S2HG
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190109024304.GI5040%40mail-itl.


Re: [qubes-users] Re: fed29 templates/upgrade

2019-01-04 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Jan 04, 2019 at 05:37:07AM -0600, Andrew David Wong wrote:
> On 1/3/19 11:31 PM, John S.Recdep wrote:
> > On 1/3/19 2:51 PM, 22rip-2xk3N/kkaK1Wk0Htik3J/w...@public.gmane.org
> > wrote:
> >> Thanks 799...I learned something!
> >> 
> >> Similar to 799 but less hardcore...I always download a fresh
> >> template(vs upgrade). In my case I ran with a full/fresh
> >> Fedora-29 after the Fedora-28 hplip issues, and added any new
> >> software from fresh:
> >> 
> >> https://www.qubes-os.org/doc/templates/
> >> 
> > 
> > 
> > hmm, ok let's say I just use the new fresh 29 template, is there
> > some way that I can know what non-stock software I installed on my
> > Fedora-28 template, as I can't remember all that I may have
> > installed 
> > 
> 
> This is more of a Fedora question than a Qubes question. As far as I
> know, there isn't a clean way to do this. Following Marek's advice
> from years ago, I just keep a list of the packages that I install in
> each of my templates.

Since some dnf version it is possible:

sudo dnf history userinstalled

dnf mark can be used to adjust the list (without actually
installing/removing packages). This may list some more packages, as it
will include default packages installed by the template builder. But it
should be a good starting point for such a list.

> 
> > 
> > So, no advice on upgrading from my 28 template at this time? I find
> > it strange that the template is in the dom0 updates available, but
> > I see no notice  in the news section on qubes website nor here
> > ..
> > 
> 
> See:
> 
> https://github.com/QubesOS/qubes-issues/issues/4223
> 
> and
> 
> https://github.com/QubesOS/qubes-doc/pull/739
> 
> > 
> > Seems like this happened with 28 release as well
> > 
> 

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlwvTgAACgkQ24/THMrX
1yxPrggAirGLmrqKZm73SVrEoSraBBgGIN7hXEXxgsKr4jtK5ymU7YEVyO2zc44S
wQKcSJrmbO7VlGTNRGmxmMRsFa5f5j5Yxn1HaKeTKFd0HHLJja00SbpYCVnx6RFP
1cLSrAWwHHxazMImQ0mKkeBhmlHI45/dD30EwWJ3C2gYWCPj6PjHyfTpl61itf5M
zPuMBAcyxemZ0LNgg2mCtD56i60n6c44d8+1xjPCBgdDTKbMkk72TTejv3MAuEdC
qeREUS9QPBwR5Zbx0Fr72YIXRsXOEPYT3zi996u48lRXmHdo90AByq2zc4PJKUpc
YdSTPPu4su9j+iPKzxWQUrPl5xt/wQ==
=4V1h
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190104121352.GN23474%40mail-itl.
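As an added example (not code from the thread), the following Python script turns the `dnf history userinstalled` lists into the package list to carry over to a fresh template. It assumes you have captured the command's output in both templates (for example with `qvm-run --pass-io fedora-28 'sudo dnf history userinstalled'` from dom0) and that the output is a header line followed by one package per line in name-[epoch:]version-release.arch form; both sample outputs below are constructed. Subtracting the fresh template's own list is what removes the template-builder defaults mentioned above.

```python
"""Compare `dnf history userinstalled` output from an old and a fresh template.

Added example; not code from the thread. The assumed output format is a
header line followed by one package per line as name-[epoch:]version-release.arch.
Both samples below are constructed.
"""
import re

# Constructed sample output from the old (Fedora 28) template.
OLD_TEMPLATE = """\
Packages installed by user
hplip-3.18.6-1.fc28.x86_64
keepassxc-2.3.4-1.fc28.x86_64
qubes-core-agent-4.0.35-1.fc28.x86_64
vim-enhanced-2:8.1.328-1.fc28.x86_64
"""

# Constructed sample output from a freshly downloaded Fedora 29 template:
# only what the template builder marked as user-installed.
NEW_TEMPLATE = """\
Packages installed by user
qubes-core-agent-4.0.37-1.fc29.x86_64
"""

# name-[epoch:]version-release.arch; the lazy name group stops at the first
# '-' that leaves a well-formed version-release.arch tail (RPM forbids '-'
# inside version and release, so this split is unambiguous).
_NEVRA = re.compile(r"^(?P<name>.+?)-(?:\d+:)?[^-]+-[^-]+\.(?P<arch>[^.]+)$")


def package_names(output):
    """Return the set of package names (without version/release/arch)."""
    names = set()
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Packages installed"):
            continue
        match = _NEVRA.match(line)
        names.add(match.group("name") if match else line)
    return names


def packages_to_carry_over(old_output, new_output):
    """Packages marked user-installed in the old template that the fresh one
    lacks. Subtracting the fresh template's list drops the defaults the
    template builder marked, which is the caveat raised in the thread."""
    return sorted(package_names(old_output) - package_names(new_output))


def install_command(packages):
    """The dnf command to run inside the new template."""
    return "sudo dnf install " + " ".join(packages)


if __name__ == "__main__":
    print(install_command(packages_to_carry_over(OLD_TEMPLATE, NEW_TEMPLATE)))
```

Review the resulting list before running the command: a package that was pulled in as a dependency in the old template and later marked with `dnf mark install` will show up here too, which is usually what you want, but the new template may already provide it under a different name.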


Re: [qubes-users] Re: 4.0.1-RC2 Boot loop after install

2018-12-27 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Dec 26, 2018 at 09:24:01AM -0800, John Goold wrote:
> On Thursday, 20 December 2018 22:02:00 UTC-3:30, John Goold  wrote:
> > Attached is screenshot, taken under my current OS, showing OS and hardware 
> > info.
> > 
> > After spending much too much time trying to track the problem down (using 
> > the 4.0, 4.0.1-RC1 and 4.0.1-RC2 ISOs) I discovered why getting the 
> > installer to run was failing...
> > 
> > I had to unplug my external monitor (connected via an HDMI port).
> > 
> > I was then able to boot the install DVD and install to an external USB 
> > (SSD) drive (Seagate 2 TB). The install completed (supposedly 
> > successfully), but attempts to boot from the USB drive fail.
> > 
> > The boot process starts, with text being displayed starting in the top left 
> > corner of the screen. It progresses to a point, then the screen goes black 
> > and my computer starts to reboot.
> > 
> > I have searched the mailing list and have failed to find a solution (hours 
> > spent doing this). A lot of people seem to end up in boot-loops, using 
> > various hardware.
> > 
> > The attached file shows the hardware. The following information about the 
> > BIOS/Firmware may be relevant:
> > 
> > * Legacy Boot is enabled
> > * Virtualization Technology is enabled
> > 
> > During the install I setup a user account. I did not enable disk encryption 
> > (I will leave that until after I can get Qubes to boot).
> > 
> > Comment: This boot-loop problem (or similar boot-loop problems) seems to be 
> > a major issue with installing Qubes 4.x. Each time I come across a posting 
> > about it, there seem to be different suggestions (some of which work on the 
> > particular hardware involved) and some of which do not.
> > 
> > I believe that I tried R3.1 about a year or so ago and that it booted 
> > alright. I cannot remember why I did not follow through on adopting Qubes 
> > (if I could not get my external monitor working, that would be a 
> > deal-breaker).
> > 
> > Suggestions would be appreciated. I will provide any additional information 
> > I am capable of.
> 
> This thread is getting verbose, so I have replied to the original post and 
> will attempt a brief summary of the rest of the thread (for context):
> 
> Determining what is happening would be facilitated by seeing any entries in 
> log files (assuming the boot got far enough to log anything).
> 
> That means checking files on the USB drive used as the target of the install 
> and which causes the boot-loop when attempting to boot.
> 
> Since the boot is failing, I cannot look at the log files under the booted 
> Qubes OS, so instead I attempted to look for the log files when booted into 
> another OS (Linux Mint 19.1).
> 
> Qubes is using LVM to handle allocating disk space (presumably to facilitate 
> being able to add additional physical disks to an existing Qubes install). 
> There appeared, at first glance to be 3 Logical volumes:
> 
> pool00
> root
> swap
> 
> Linux Mint mounted the LV "swap" automatically, but not the other two. The 
> other two appear not to be "activated" and mount attempts failed. Attempts to 
> "activate" the LVs fail.
> 
> After searching the Net for information on LVM, I came across an article that 
> helped me understand the Qubes setup better…
> 
> There is one Logical Volume Group called "qubes_dom0".
> Within that there is a Logical Volume, "swap", that is detected and mounted 
> automatically by my Linux Mint installation.
> Additionally, there is a "Thin Pool" allocated that uses up the rest of the 
> space in the Volume Group. It is distinguished by information displayed by 
> the lvdisplay command ("LV Pool metadata" and "LV Pool data").
> 
> Within that "thin pool", a logical volume, "root" has been created that uses 
> all the disk space currently assigned.

Yes, that's right.

From what I've seen in this thread, you did it right, but the system you
used didn't support thin volumes. You can try the Qubes installation image;
there is a recovery mode ("Rescue" in the boot menu in legacy mode).


Other things you can try: press ESC during boot to see more
messages than just the progress bar. If that doesn't really help, try
editing the boot entry in grub and removing the "quiet" and "rhgb" options from
there. This should give you more details on when exactly the system reboots.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people n

Re: [qubes-users] Qubes extensions usage / installation

2018-10-19 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Oct 17, 2018 at 10:24:47PM -0700, nils.am...@gmail.com wrote:
> Hi everyone,
> 
> I'm trying to run some commands whenever a VM is started or a device is 
> attached to a VM. I came upon this Github comment by Marek which says that 
> this is possible with Qubes extensions: 
> https://github.com/QubesOS/qubes-issues/issues/4126#issuecomment-40645
> 
> I wrote a simple Qubes extension with the following project structure:
> 
> my_extension/
>  * my_extension/
>** __init__.py
>  * setup.py
> 
> With the following `setup.py`:
> 
> ```
> #!/usr/bin/env python3
> 
> import setuptools
> 
> if __name__ == '__main__':
> setuptools.setup(
> name='my_extension',
> version="1.0",
> author='Nils Amiet',
> author_email='nils.am...@foobar.tld',
> description='My extension',
> license='GPLv3',
> url='https://foobar.tld',
> 
> packages=('my_extension',),
> 
> entry_points={
> 'qubes.ext': [
> 'my_extension = my_extension:MyExtension',
> ],
> }
> )
> ```
> 
> And `__init__.py`:
> 
> ```
> import qubes.ext
> 
> 
> class MyExtension(qubes.ext.Extension):
> @qubes.ext.handler("domain-start", system=True)

The 'domain-start' event is called on the VM object, so it should not have
system=True. system=True is needed for events on the Qubes() main object
itself, like property-set:default_template.

> def on_vm_start(self, app, event, vm, **kwargs):

For system=False events, it should be:
  def on_vm_start(self, vm, event, **kwargs):

If you need to access app, you can still do that through vm.app.

> with open("/tmp/my_extension.log", "a+") as fout:
> print("Started vm: {}".format(vm), file=fout)
> 
> ```
> 
> Now, I installed this extension on a deployed Qubes OS installation in dom0 
> with `sudo ./setup.py install` but the file `/tmp/my_extension.log` is never 
> created after having started some VMs. I was expecting to see something being 
> written there.

Besides the system=True, everything else looks ok. Remember to restart
qubesd service after installing the extension.

> Why is my extension not being loaded? Am I missing something here? How can I 
> debug extensions and make sure they are being loaded? Is there a log 
> somewhere?
> 
> Is Qubes OS going to call my `on_vm_start()` function whenever a VM is 
> started just by installing the extension with `setup.py install`? What should 
> I do so that it does?
> 
> Thank you and have a nice day,
> 
> Nils
> 


- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlvJsxsACgkQ24/THMrX
1ywpbAf+KLCp44W+yYOKRpNm3tvTUrvYb20KF4y4FiEoWE9vTapIfT9fLNI3yfZw
eHn52vb14VdtxPnZ7yNEopHbDAKwj2+u1RTrjszsBitjRqiAEFkFeDHCRQB1QAN8
HwPUWXCIvBNbUxQzpLYXvQX6V7/Ll6a/M/9DcanfRyHlU5yCHM+ZmdgBK4kU+Nb3
0cyCsA27CV2AGYuYRyYh5kyT+WX9nIPTwRUmRNi0lIuT45gBIWQ9OYo4kKjDCIUc
/YBqcHn7pTTOwz4e5ct+b/YQWLMKk3n1NX4DGYjnBbpt7E0y9vk3uNnXV8/z3dtt
4GgwIivDTAYx/5pU5AjklNksAL1pgw==
=3wtl
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20181019103403.GA13191%40mail-itl.
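The corrected extension, as an added example rather than the poster's or the Qubes project's own code. It applies the two points from the reply above: 'domain-start' fires on a VM object, so the handler is registered without system=True and receives the VM as its first argument, and the Qubes() app is reached through vm.app. The qubes.ext names used (Extension, handler, the handler signature, the qubes.ext entry-point group from setup.py) come from the thread; everything in the except branch is an assumption, a stand-in that only lets the file be imported and exercised outside dom0, and is not the real qubes.ext. The registered_extensions() helper is the check to run in dom0 after `setup.py install` and before restarting qubesd.

```python
"""Corrected version of the extension from this thread (added example).

Real qubes.ext names come from the thread. The except branch is an
assumption: a stand-in so the file imports outside dom0; qubesd never
loads it.
"""
try:
    import qubes.ext
except ImportError:  # outside dom0: minimal stand-in, assumption only
    import types

    class _Extension:
        pass

    def _handler(*events, **kwargs):
        # Assumed stand-in: just tags the function so it can be inspected.
        def decorator(func):
            func.stand_in_events = events
            func.stand_in_system = kwargs.get("system", False)
            return func
        return decorator

    qubes = types.ModuleType("qubes")
    qubes.ext = types.ModuleType("qubes.ext")
    qubes.ext.Extension = _Extension
    qubes.ext.handler = _handler


class MyExtension(qubes.ext.Extension):
    # Path from the thread; set to None to skip writing (used by the test).
    log_path = "/tmp/my_extension.log"

    # Per-VM event: no system=True, and the VM object is the first argument.
    @qubes.ext.handler("domain-start")
    def on_vm_start(self, vm, event, **kwargs):
        # The app is still reachable, through vm.app, when needed.
        app = getattr(vm, "app", None)
        line = "Started vm: {} (event: {}, app: {})".format(vm, event, app)
        if self.log_path:
            with open(self.log_path, "a+") as fout:
                print(line, file=fout)
        return line


def registered_extensions(group="qubes.ext"):
    """Names registered under the entry-point group named in setup.py.

    Run this in dom0 after `sudo ./setup.py install`: if 'my_extension'
    is not listed, the install did not register it and restarting qubesd
    will not help. Falls back to pkg_resources on Pythons older than 3.8,
    which lack importlib.metadata."""
    try:
        from importlib.metadata import entry_points
    except ImportError:
        import pkg_resources
        return sorted(ep.name for ep in pkg_resources.iter_entry_points(group))
    eps = entry_points()
    found = eps.select(group=group) if hasattr(eps, "select") else eps.get(group, [])
    return sorted(ep.name for ep in found)


if __name__ == "__main__":
    print("registered under qubes.ext:", registered_extensions())
```

After installing, check that registered_extensions() lists my_extension, then restart qubesd (`sudo systemctl restart qubesd`) so the new entry point is picked up; the handler only runs inside qubesd, so importing the module by hand in a terminal will not produce log lines.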


Re: [qubes-users] dispVM shuts down immediately after starting (I'm trying to run xterm)

2018-10-15 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, Oct 15, 2018 at 11:19:54PM +, floasretch wrote:
> ‐‐‐ Original Message ‐‐‐
> On Monday, October 15, 2018 4:52 PM, Marek Marczykowski-Górecki 
>  wrote:
> 
> > > Same result with qubes.StartApp+debian-xterm
> > > Per your response, I verified that whonix-ws-dvm does have 
> > > /usr/share/applications/debian-xterm.desktop (and whonix-ws-dvm itself 
> > > starts and runs with no problem).
> >
> > I've tried the same command on my whonix-ws-14-dvm and it works...
> > Is your whonix-ws-dvm Whonix 13, or updated to Whonix 14?
> 
> Whonix 14. Originally was 13 (installed with Qubes 4.0), then updated when 14 
> was released.
> 
> I verified /etc/whonix_version in both whonix-ws and whonix-ws-dvm. They're 
> both 14.
> 
> BTW, I haven't been using disposable VMs at all for the past couple months, 
> so I have no idea whether my problem is recent or old. In fact, the last time 
> I did was with the Fedora DVM, and I've deleted it since then. Today was the 
> first time I ever tried using any DVM other than Fedora.
> 
> Qubes and all templates are fully updated.
> 
> Is there a log somewhere?

You can add --pass-io to see the service's stdout/stderr. Maybe this will
give some hints.

Alternatively, you can try doing the same in a non-disposable VM, for example
whonix-ws-dvm itself. Simply drop --dispvm and add the VM name before the
service name, like this:
qvm-run --service -- whonix-ws-dvm qubes.StartApp+debian-xterm

And see if xterm launches. Then, you can inspect ~/.xsession-errors
in that VM, or various logs in /var/log. If no terminal is started at
all, you can access the VM console with `sudo xl console whonix-ws-dvm`
(exit with Ctrl+]).

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlvFIsgACgkQ24/THMrX
1yyjIQf/Sp92zf8JWH+uydtWBzd9nlMjHBwlfPsV/nhCDK72ZbMMlVzb7kCP2OIE
oKkFO3IRTXvDbx/Yw1x1GG8Jkx/zH1inYsFU7KHJbPNUuOadq/rsp75gisKwzSqs
cDpTSXF00VjIpIYGYWHZQ4lqZp7IFenlXPBxfaxQdC7FnwWDw1J+vJHj04D6YtiS
62Fu2AyLrEibI5yTK4JRPcn1h3JV/e/L3Jor0ybOY9gYjNCzq2Rtf/wWCBHsBF/g
lHW7PBSBVJbvDF+sR+JoV50UUY3UIsn6Elq2cyS2/CkWA1hPIp12rtlRqMrtiXFt
9Pnu59dZWBiLSWcIldN4lCIreyHoaw==
=gaHd
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20181015232912.GL19709%40mail-itl.


Re: [qubes-users] dispVM shuts down immediately after starting (I'm trying to run xterm)

2018-10-15 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, Oct 15, 2018 at 10:41:45PM +, floasretch wrote:
> ‐‐‐ Original Message ‐‐‐
> On Monday, October 15, 2018 3:34 PM, Marek Marczykowski-Górecki 
>  wrote:
> > > [user@dom0 ~]$ qvm-run --verbose --autostart --dispvm=whonix-ws-dvm 
> > > --service -- qubes.StartApp+xterm
> > > Running 'qubes.StartApp+xterm' on $dispvm:whonix-ws-dvm
> > > [user@dom0 ~]$
> > > Is there a log somewhere to tell me what's going wrong?
> >
> > The +xterm part should be the base name of a .desktop file in
> > /usr/share/applications (or another directory per the XDG standard). xterm on
> > Debian happens to have debian-xterm.desktop, so it should be
> > qubes.StartApp+debian-xterm.
> 
> Same result with qubes.StartApp+debian-xterm
> 
> Per your response, I verified that whonix-ws-dvm does have 
> /usr/share/applications/debian-xterm.desktop (and whonix-ws-dvm itself starts 
> and runs with no problem).

I've tried the same command on my whonix-ws-14-dvm and it works...
Is your whonix-ws-dvm Whonix 13, or updated to Whonix 14?

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlvFGhgACgkQ24/THMrX
1yx0vwgAlI5BIB+VuC+ibNcPQdFhPXzJm7X0YNEV0T8Ex03sbmeLcEfWe5JKpLII
KMSQIIkGtGfVcRAZwnllv18HNls1KxLdXFb3yER/XXAnm89aQcM1IfUmcpT2Eggs
mM1YcdXR5fqPKolZZSujTF3mFJBx2QEqnjyPrrSAvPfUFSiljy6cM5Eab+BxVfUV
TyX6BztEEKFUEZtErPM07QXLmIpLT6Q8QHA/7UInYdJj56Ih8u6dqvR4xyhHIwkV
17lZFtnvIaX5F3Zja2YR9gPyXRCti+Zpyt9PSi7pIaAdjy3h0BVNIUnSQTiiaS7t
maVT8bm/+VMVt0O8lLzXwXuN7QNDaA==
=OgQw
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20181015225209.GK19709%40mail-itl.


Re: [qubes-users] dispVM shuts down immediately after starting (I'm trying to run xterm)

2018-10-15 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, Oct 15, 2018 at 07:03:50PM +, 'floasretch' via qubes-users wrote:
> On Qubes 4.0, when I try to start a dispVM, I get a popup notice that it's 
> starting, then a popup that it started, then a popup that it halted. I get no 
> error message, even when I specify --verbose:
> 
> [user@dom0 ~]$ qvm-run --verbose --autostart --dispvm=whonix-ws-dvm --service 
> -- qubes.StartApp+xterm
> Running 'qubes.StartApp+xterm' on $dispvm:whonix-ws-dvm
> [user@dom0 ~]$
> 
> Is there a log somewhere to tell me what's going wrong?

The +xterm part should be the base name of a .desktop file in
/usr/share/applications (or another directory per the XDG standard). xterm on
Debian happens to have debian-xterm.desktop, so it should be
qubes.StartApp+debian-xterm.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlvFB/wACgkQ24/THMrX
1ywowwf/bf65pAOtUDDGUHoyO0gyGtZ+yNDDJ4/64PmSF8bl3V3I4tU6QSoj1y/X
2fJnWWfO2bNm7iopizYConl+5msRZRhbY514vG/vJdhkLI1ZMiExUUoYSUqiO7tE
//oyX5CNW1L1egGVoxB4H6uv3bf6UrW9HfBEttIaKSpuaPg1PLagsMssPmyxUBBJ
oFcTn9iLI8LrMJR4bNXXatK94deD3NhXyRHZ26udKDi1nKmIq6N2zZIk5p8QuKrg
rhWbPawQj58I6oW7v5wFcO5d+wtSVGpOCJs5mhvlg/NAFVwohhQ+iHQDNL5CliKN
/6s0QsLbOJ7PJ0cKcpKXNVG9YA6a2Q==
=3FCa
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20181015213452.GB4138%40mail-itl.


Re: [qubes-users] Installing qr-exec on HVM

2018-10-12 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Oct 05, 2018 at 02:38:28PM -0700, Will Dizon wrote:
> Unfortunately, it didn't work still when qubes-gui-agent was running.
> 
> I tried recompiling everything again, and the results have changed quite a 
> bit.  Now, instead of autohiding the HVM window in dom0, I can see a very 
> clear failure which points me in the direction of Xorg instead.
> 
> Sadly, this feels like a regression, but alas... I'm sure I'll get there 
> eventually.
> 
> As far as "xl console lfs", dom0 reports "unable to attach console".  And in 
> terms of dom0, it is still giving no sense of failure:
> 
> $ qvm-run --pass-io personal whoami
> user
> $ qvm-run --pass-io lfs whoami
> $ qvm-run lfs "touch /tmp/dummy"
> Running 'touch /tmp/dummy' on lfs
> 
> Needless to say, /tmp/dummy doesn't ever emerge.
> 
> The new error is
> 
> systemctl status qubes-gui-agent.service
> ...
> Process: 660 ExecStart=/usr/bin/qubes-gui $GUI_OPTS (code=exited, 
> status=1/FAILURE)
> ...
> lfs qubes-gui[660]: XIO fatal IO error 11 (Resource temporarily unavailable 
> on X server ":0"
> lfs qubes-gui[660]: after 37 requests (36 known processed) with 0 events 
> remaining)
> 
> X works (startx shows me a desktop and consoles), but nothing yet from 
> getting Qubes GUI agent and qrexec.

qubes-gui-agent starts its own X server, on :0. So, it conflicts with
the one started manually with startx.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlvBRPgACgkQ24/THMrX
1yzOfAf/WdwNBlfHtR7Oin5+j3SV48z27ajfarE+UBOXrwZkrsl+mPDrvllou9Kq
uVUVOBBswJhAVT9hWhKJbOZvDPW9r4jyKpiidg3FvdRWX7i/Dci5UYK1qqrPuDtw
vZs3raKofxmprH7wKNcwcBVslr1SeTOOvbkNkv1WYbS46sGd1X//CWvXghYCQzqL
HTX3v732aYO9LADgNwHRV5AQKsBtYLM/Ej8QR2Amd3frHIx905hErix8ForYGzUp
JxRIR0ZuAmoK3aQglb1Jon2YmJ0MeOszMP9aqh1BTpTZ+JrM5/hWj2g0NN+rwRIo
GOYt7eTlrfmGfAeCgQitOOszc/oSzQ==
=g83e
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20181013010601.GD5083%40mail-itl.


Re: [qubes-users] Default keyring

2018-10-12 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Oct 12, 2018 at 07:12:35AM -0700, Patrick wrote:
> When creating a new template, then launching a browser in it (in order to 
> install software), a dialog box asks:
> 
> An application wants access to the keyring "Default keyring".
> 
> Never seen this, my passwords don't work.

Is that browser chrome/chromium by any chance?
I think it's this issue:
https://askubuntu.com/questions/31786/chrome-asks-for-password-to-unlock-keyring-on-startup#191490

Either try setting an empty password, or try the solution with
--password-store=basic.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlvBQkwACgkQ24/THMrX
1yxOAAgAgkTv3NhST1QmRCrAjueYMFRv0bQV9gl+JaPuc99QBI1plqnm5uuQqaEb
MbHJ033R0LQhCKneGOUeXu1jEmbeCRlQ3GnDQAuJQRVOl/sszBCuNYL+0cl8oHfg
+hUcKADdOGe1fs0ZG8wpm0ty6uJ6HfZ0MCudQz3r97BmBl3fAsNSEs4Y/xxqAJIj
5/7py1tx9R+R026llEfQmDpQq+UllOODoFywMc/RpSkCnDYKyP02SBXvj/2GGD2/
kAGfbncFWSzAztPmMrBKMjejAhAJJ6ztV+m2cdjxd5m1WVqKsPzqGv5SKw5pqBZV
T4eTPKICj6bL3b8NK/vQrQ2+2M3LIQ==
=XMHS
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20181013005437.GC5083%40mail-itl.


[qubes-users] Keyboard backlight color based on active qube

2018-10-11 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Hi,

I've published the first post on my blog:
https://blog.marmarek.net/blog/2018/10/11/keyboard-backlight-color-qubes.html

Have fun!

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlu/gc4ACgkQ24/THMrX
1yzDlAf+MBCvqSROoEHJNUy2Nc935pOd8Mt/SwrIeJs9FYX5ZHUhwssu5XQvlsrW
6LwaVtFMFIZnjb8YQb9/f96FrLoP6p9UHUaecs5SmmIq17q3qNJDD9PvuyS9M75f
ocNKtk4ELZxfGqNdlqwAhxOKDRRzSsBGzfA8kZAFf7ZnKKxdsWMKWVxGLatfDT96
HTIYbPjTz5oC7rJO+Kno1GwPWyv9574oApHlRBaTzp7SfmiWOtytzBRVtPfp+cBb
/bkegV0z68IVXIL9kQ/hHBLElRzmEimuUtBnQXf0T/3VzXip53kwHl6ha7Ch5paH
nWQSqV2asJvkhp4X7FL4LYPrxc6npA==
=GPun
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20181011170102.GO1645%40mail-itl.


Re: [qubes-users] Re: debian-9 template

2018-10-10 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Oct 10, 2018 at 05:24:33AM -0700, b...@damon.com wrote:
> On Friday, April 27, 2018 at 10:46:08 PM UTC+10, higgin...@gmail.com wrote:
> ...
> 
> I have been plagued with this issue ever since heeding the call to upgrade 
> whonix-13 to whonix-14.  All my whonix-14 templates are useless.
> 
> I followed the steps carefully, removing / reinstalling.  No errors.
> 
> user@host:~$ sudo dmesg | grep segf
> [   11.396489] qubesdb-daemon[232]: segfault at 7994802abff8 ip 
> 799480098f64 sp 7994802ac000 error 6 in ld-2.24.so[79948008f000+23000]
> [   12.342682] qrexec-agent[648]: segfault at 70d5257f6ff8 ip 
> 70d5255f3355 sp 70d5257f7000 error 6 in ld-2.24.so[70d5255dd000+23000]
> [   15.903799] qrexec-agent[789]: segfault at 70d5257f6ff8 ip 
> 70d5255f3355 sp 70d5257f7000 error 6 in ld-2.24.so[70d5255dd000+23000]
> [ 1524.123824] qrexec-fork-ser[4430]: segfault at 7b59263a8ff8 ip 
> 7b59261a2355 sp 7b59263a9000 error 6 in ld-2.24.so[7b592618c000+23000]
> [ 1547.347882] qrexec-fork-ser[4456]: segfault at 7b59263a8ff8 ip 
> 7b59261a2355 sp 7b59263a9000 error 6 in ld-2.24.so[7b592618c000+23000]
> [ 1594.046093] qrexec-fork-ser[4527]: segfault at 7b59263a8ff8 ip 
> 7b59261a2355 sp 7b59263a9000 error 6 in ld-2.24.so[7b592618c000+23000]
> [ 2963.435851] qrexec-fork-ser[5300]: segfault at 7b59263a8ff8 ip 
> 7b59261a2355 sp 7b59263a9000 error 6 in ld-2.24.so[7b592618c000+23000]
> [ 3145.932364] qrexec-fork-ser[5413]: segfault at 7b59263a8ff8 ip 
> 7b59261a2355 sp 7b59263a9000 error 6 in ld-2.24.so[7b592618c000+23000]
> 
> Everything is hosed.
> 
> If anyone has a fix, I would appreciate knowing it.

This looks to be the issue described here:
https://github.com/QubesOS/qubes-issues/issues/4349

The proper fix is in the testing repository right now; you can either
install it[1], or apply the workaround listed in that ticket (add noxsave
to the kernelopts of that template and the VMs based on it). Actually, you may
need to apply the workaround temporarily to be able to install updates...

[1] https://www.qubes-os.org/doc/software-update-vm/#debian

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlu+YEUACgkQ24/THMrX
1yzJmQf/b1fFHTpg8noeSUMtKSPw/LRbj9GNYQ7U8YBX5IbpgPLex6oGG9YBIEy0
U0VMPomxKnUtshM4+bAsRJhMSs6VQ/LxWNtjTUEtKPxIizj4e7Y1u37Abh4T5TJy
td7vtKkuuEfUqIWfhjjHe9WCjVMHn7PeWV8lfNzB3/2/m1BIngedhPYy8mNLnY+Y
CT7laBNR3LvFYVl9VXiwOBKCBM6EcAh5TA8k6Dv36pwOiBhGpYBcP2RwCn3nBVb4
wVv6XkOy3ZPX9okiJkGzBEFn3YzqfWTjKStvHVk0x6BX7dWRP4iChc2E4tcNa6hj
r4Ak9U912AIZfmh3RH3lnXywRpRihg==
=FW0q
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20181010202541.GB5083%40mail-itl.


Re: [qubes-users] Re: Forbidding VM create/delete/edit network settings from within dom0 for enterprise use-case

2018-09-18 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Sep 14, 2018 at 09:18:38AM -0700, Yethal wrote:
> On Friday, 14 September 2018 13:21:14 UTC+2, Nils Amiet wrote:
> > Hi everyone,
> > 
> > I would like to lock-down Qubes OS so that VMs can't be created or deleted, 
> > nor edited (e.g. modify the associated NetVM).
> > 
> > I already read documentation about qrexec policies, the Admin API and 
> > qubes-core-admin extensions.
> > 
> > If I understand correctly, the Admin API cannot be used to prevent the user 
> > from creating a VM from dom0. For example, from the dom0 terminal I tried 
> > adding the following line to `/etc/qubes-rpc/policy/admin.vm.Create.AppVM`:
> > 
> > ```
> > $adminvm $adminvm deny
> > ```
> > 
> > But then I am still able to run `qvm-create test --label blue`. Is there 
> > something I am missing here or is the policy not being honored on dom0? Why 
> > is that?
> > 
> > I also noticed that the Qubes extensions fire some events and it is 
> > possible to write hooks for those events 
> > (https://dev.qubes-os.org/projects/core-admin/en/latest/qubes-ext.html). 
> > Would it be possible to write a Qubes extension that hooks to some event 
> > that is fired whenever a VM is created and use that mechanism to block VM 
> > creation?
> > 
> > Would the GUI domain that is planned for Qubes OS 4.1 change the situation 
> > or help implementing this at all?
> > 
> > The workaround I'm thinking about is to run Xfce4 in kiosk mode, remove 
> > application menu entries, keyboard shortcuts, desktop right click menu to 
> > prevent access to dom0, but this is just a workaround and we probably 
> > can't be sure that it will work with upcoming Qubes OS releases. Any 
> > thoughts on that?
> > 
> > Thank you,
> > 
> > Nils
> 
> Wait for 4.1. The plan is that users will not have direct access to dom0. 
> Instead gui domain will have api access to management functions and it will 
> be possible to restrict it for corporate use case.

Yethal is right - "the proper" solution is using the GUI domain, which will
be isolated from dom0 and can have policies applied. Right now, with
direct dom0 access, qrexec policy is not enforced when the action is
performed from dom0.

Alternatively, the workaround you propose could work, but it needs to be
extended to the Admin API too - the local user must be excluded from the "qubes"
group (which gives direct access to qubes services) and instead a
proxy added which checks qrexec policy even if the action is performed from dom0.
That is not unthinkable, but it definitely requires some work, and still it
is a workaround.

But Qubes 4.1 is still in development and I think it will not be ready this
year, maybe Q1 2019, depending on progress. GUI domain related stuff can
be tracked here:
https://github.com/QubesOS/qubes-issues/issues/833

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlug/b4ACgkQ24/THMrX
1yzFpwf+OcFW/oMb+kbnkIAj05wLc5rFoRqTni0qpjfs/V+enUg00fJpFlxg0XTy
tIwjVs9Lz4Y/OsjhNQrtzaKFJOtDhBmJjnbpORg22iQ0Lxazg3cbZ2LWTdEhD/I3
P2lrkYEelJ/qUAJ0Lybfdv2Xj+nIdDhakbRNyWo6t/0F2aXXKIVPu5LNGzh9tHmp
QcDKA9hE6nKz4Vg/EJbiuvg8ENKFR5CLkOt/7aKzFCcTcBvAeeVHMPB9d5x11DSU
ibNBA0Nuw6EGAE4xSP0T1DJgWB39yM4KYozhskWqUyIH19kv7pglh5rTT1UXtuvL
KxyysvSKm5fSutIef/BjVlKZK2EJ9w==
=+3cX
-END PGP SIGNATURE-

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180918132935.GB1577%40mail-itl.


Re: [qubes-users] Re: qubes-u2f not installing on templates

2018-09-18 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, Sep 17, 2018 at 04:14:00PM +0300, Ivan Mitev wrote:
> 
> 
> On 9/17/18 3:32 PM, digitalintag...@gmail.com wrote:
> > On Monday, September 17, 2018 at 6:24:45 AM UTC-6, digital...@gmail.com 
> > wrote:
> >> https://www.qubes-os.org/news/2018/09/11/qubes-u2f-proxy/
> >>
> >> Wojtek shared this on 9/11/18.
> >>
> >> Following the instructions, I'm not able to install qubes-u2f on either my 
> >> debian or fedora templates. Anyone else have similar issues?
> 
> The packages are still in the current-testing repositories, and you
> likely didn't enable them.
> 
> 
> > to clarify, the package manager doesn't find the named package on either 
> > distro.
> I don't use the graphical package manager so no idea how to enable
> current-testing there, but if you use a terminal it's pretty
> straightforward:
> 
> For dom0:
> 
> sudo qubes-dom0-update \
>   --enablerepo=qubes-dom0-current-testing qubes-u2f-dom0
> 
> And for a fedora (template)VM:
> 
> sudo dnf --enablerepo=qubes-vm-r4.0-current-testing install \
>   qubes-u2f
> 
> 
> There should be something similar for debian's apt-get

All u2f-related packages are already in the stable repository (since
yesterday), so the above is not needed anymore.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20180918131545.GA1577%40mail-itl.


Re: [qubes-users] Re: QSB #43: L1 Terminal Fault speculative side channel (XSA-273)

2018-09-03 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, Sep 03, 2018 at 01:46:11AM -0500, Andrew David Wong wrote:
> On 2018-09-02 22:22, pixel fairy wrote:
> > is it still necessary to disable hyper threading after upgrading
> > in qubes 4?
> > 
> 
> Hyper-threading should be disabled in Xen after you install the updates.
> It should not be necessary for you to take any further action to
> disable it there.
> 
> If you're asking whether you should also disable it in your BIOS
> settings, then I'm not sure (CCing Marek).

There is no need to additionally disable it in BIOS. Xen's smt=off
option means it won't be used even if BIOS reports its availability.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20180903082119.GB1371%40mail-itl.


Re: [qubes-users] fedora warning

2018-05-26 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sat, May 26, 2018 at 03:25:23PM -0400, haaber wrote:
> 
> > > I just installed f27 in its full and minimal template on Q4.0 from
> > > the repos. When installing extra packages (for example sys-net
> > > tools) in f27-minimal the download works, BUT checksums fails. The
> > > point is that fucking dnf ignorantly installs the packages anyhow
> > > without putting any questions. Result: such a template is
> > > compromised right from the beginning, I will have to delete it
> > > without ever running it.
> > > 
> > > The warning to all users is to NEVER run unattended (say, scripted)
> > > updates on fedora based templates since apparently they give a shit
> > > on security.
> > > 
> > Checksums are only for integrity, not authenticity. For security, PGP
> > signature checking is what matters.
> @andrew: you are right, but if even checksums are ignored, pgp won't be
> considered either ... and that IS an issue.
> 
> @ awokd (on your question about re-downloads): I hope I was not complaining
> based on a misread and I would have liked to verify once more: too late for
> this time however, I had deleted the template this morning right away. I'll
> re-do it!

dnf warns about a failed download (for any reason, including an
unexpected checksum), but then retries the download from another mirror.
If all mirrors fail, the package installation fails. Example message for
such a case:
https://github.com/QubesOS/qubes-issues/issues/2945#issuecomment-318877445

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20180526233431.GG20125%40mail-itl.


Re: [qubes-users] No boot after dom0 security repo update on may 15

2018-05-22 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, May 17, 2018 at 11:54:03AM -, awokd wrote:
> On Wed, May 16, 2018 1:51 pm, pony...@keemail.me wrote:
> > Hi all. My machine directly boots into BIOS screen if my Asus Zenbook
> > UX303 after updating Qubes 4.0 dom0, security repo enabled. I don't
> > remember the error messages (s.th. with keys).
> > So I boot from rescue USB Stick. Have to choose (3), going directly to
> > shell. —
> > And here I'm stuck, since many, many hours. No really helpful, _accurate_
> > instructions for medium talented users found. ;)
> > How to replace dom0? Or restore boot files?I've got a pretty fresh
> > complete backup on external USB drive, but don't want to install
> > everything anew.
> 
> Reinstall/restore might be fastest. If you want to try to fix it, search
> this mailing list for "efibootmgr" assuming you have UEFI boot. Sounds
> like something got corrupted. Reinstall GRUB if not using UEFI.

If that's UEFI, verify the content of /boot/efi/EFI/qubes/xen.cfg
(/boot/efi is a separate partition, the first one on a default install).
Verify that the default= entry points at an existing section and that it
is the newest one. Also verify that the files referenced there look sane
(if you've run out of disk space, those might be smaller than the rest).
By editing this file you can also boot an earlier kernel.

Here is example xen.cfg file:
https://www.qubes-os.org/doc/uefi-troubleshooting/#installation-finished-but-qubes-boot-option-is-missing-and-xencfg-is-empty

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20180518181555.GB20125%40mail-itl.
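As an added illustration of the checks described in that reply (my example, not a Qubes OS tool), a script that parses a xen.cfg and reports a default= entry that names no section or is not the newest one, and a referenced kernel or initramfs that is missing or far smaller than its siblings. The xen.cfg text and the directory listing are constructed; the section layout follows the format Xen's EFI loader reads.

```python
"""Sanity checks for a Xen EFI xen.cfg: the default= entry must name an
existing section, that section should be the newest kernel, and the
kernel/ramdisk files it references must exist and not look truncated
compared with the other entries."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout Xen's EFI loader reads; on a default
# Qubes R4.0 UEFI install this file is /boot/efi/EFI/qubes/xen.cfg.
SAMPLE_XEN_CFG = """\
[global]
default=4.14.18-1.pvops.qubes.x86_64

[4.14.13-3.pvops.qubes.x86_64]
options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx ucode=scan smt=off
kernel=vmlinuz-4.14.13-3.pvops.qubes.x86_64 root=/dev/mapper/qubes_dom0-root rd.lvm.lv=qubes_dom0/root rhgb quiet
ramdisk=initramfs-4.14.13-3.pvops.qubes.x86_64.img

[4.14.18-1.pvops.qubes.x86_64]
options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx ucode=scan smt=off
kernel=vmlinuz-4.14.18-1.pvops.qubes.x86_64 root=/dev/mapper/qubes_dom0-root rd.lvm.lv=qubes_dom0/root rhgb quiet
ramdisk=initramfs-4.14.18-1.pvops.qubes.x86_64.img
"""

# Constructed listing of the same directory (file name -> size in bytes).
# The newest initramfs is tiny, as it would be if dracut ran out of space
# on the EFI partition while writing it.
SAMPLE_FILES: Dict[str, int] = {
    "xen.efi": 2_400_000,
    "vmlinuz-4.14.13-3.pvops.qubes.x86_64": 6_200_000,
    "initramfs-4.14.13-3.pvops.qubes.x86_64.img": 27_000_000,
    "vmlinuz-4.14.18-1.pvops.qubes.x86_64": 6_300_000,
    "initramfs-4.14.18-1.pvops.qubes.x86_64.img": 4_096,
}


def parse_xen_cfg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like file into {section: {key: value}}.
    Values themselves contain '=' (kernel command lines), so split once."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return sections


def version_key(section: str) -> Tuple[int, ...]:
    """Order sections by their numeric fields, e.g. 4.14.18-1 > 4.14.13-3."""
    return tuple(int(n) for n in re.findall(r"\d+", section))


def referenced_file(value: str) -> str:
    """kernel= carries the command line after the file name; ramdisk= does not."""
    return value.split(" ", 1)[0]


def check_xen_cfg(text: str, files: Dict[str, int]) -> List[str]:
    """Return a list of problems; an empty list means the config looks sane."""
    cfg = parse_xen_cfg(text)
    boot_sections = [s for s in cfg if s != "global"]
    if not boot_sections:
        return ["no boot sections defined"]
    default = cfg.get("global", {}).get("default")
    if default is None:
        return ["[global] has no default= entry"]
    if default not in cfg:
        return [f"default={default} does not match any section"]

    problems: List[str] = []
    newest = max(boot_sections, key=version_key)
    if default != newest:
        problems.append(f"default={default} is not the newest section ({newest})")

    for key in ("kernel", "ramdisk"):
        if key not in cfg[default]:
            problems.append(f"[{default}] has no {key}= entry")
            continue
        name = referenced_file(cfg[default][key])
        if name not in files:
            problems.append(f"[{default}] {key}={name} does not exist")
            continue
        # Compare with the same kind of file from the other entries: a
        # kernel or initramfs a quarter the size of its siblings is suspect.
        siblings = [files[referenced_file(cfg[s][key])] for s in boot_sections
                    if s != default and key in cfg[s]
                    and referenced_file(cfg[s][key]) in files]
        if siblings and files[name] < max(siblings) // 4:
            problems.append(f"[{default}] {key}={name} is {files[name]} bytes, "
                            f"siblings are up to {max(siblings)}; likely truncated")
    return problems
```

To run it against a real system, read /boot/efi/EFI/qubes/xen.cfg into `text` and build `files` from `os.scandir()` of that directory.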


Re: [qubes-users] Restore backup in different storage pool

2018-05-19 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, May 17, 2018 at 07:34:26PM +0200, donoban wrote:
> Hi,
> 
> I want to restore a backed VM in a new pool. I don't see any option on
> qvm-backup-restore for specify it.
> 
> Is there any way for do it or do I have to restore and then move it?

There is no direct option for that, but you can temporarily change
default pool (see qubes-prefs tool).

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20180520020926.GF20125%40mail-itl.


Re: [qubes-users] U2F on Gmail not working (using Chrome on Personal AppVM)

2018-05-19 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sat, May 12, 2018 at 05:03:11AM -0700, qubesu...@gmail.com wrote:
> Hello there, I was wondering if there is a workaround to make this work.
> I have a Yubikey with U2F, which has the dual purpose of being a normal 
> Yubikey as well as being able to do U2F when the webbrowser requests it.
> 
> I am on the latest stable Qubes 4.0.
> This is so far what I have been doing:
> 
> 1) I go to gmail.com and enter my user and password.
> 2) I plug the yubikey to the laptop, sys-usb recognizes it
> 3) I "attach" the usb to "personal" from the sys-usb
> 
> And nothing happens, the yubikey is not blinking, the light stays steadily on.
> It doesn't react in any way by touching on it, it neither generating yubikeys 
> nor the u2f.
> 
> Does anyone have a solution to this?

In Fedora (template) you need to install the u2f-hidraw-policy package;
it will set up udev rules to fix device permissions.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20180520020803.GE20125%40mail-itl.


Re: [qubes-users] Default 'revisions_to_keep'

2018-05-19 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sat, May 19, 2018 at 09:27:53PM +0200, donoban wrote:
> Hi,
> 
> I thought 'revisions_to_keep' was default to 3. I created a new pool
> yesterday and specified 3 when creating it, but then a VM that I moved
> to there had 1. (I discovered it after trying to restore config
> because it doesn't boot fine).
> 
> Then I started to look at all other VM's and all private volumes have
> 1 'revisions_to_keep', also they had 'save_on_stop'. So I think this
> is not very useful, when you halt the vm you are overwriting the only
> snapshot you have.

Actually, revisions_to_keep is about previous revisions. So "1" means
you have one snapshot you can revert to (the state before you've started
the VM).

> Does delay 'save_on_start' too much?
> 
> Maybe this is due I started with some RC and then upgraded to
> current-testing.

Probably, there was a bug about saving revisions_to_keep. Anyway,
default value is 1.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20180520015818.GD20125%40mail-itl.


Re: [qubes-users] Any way to attach a USB drive to a VM by label?

2018-05-18 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, May 17, 2018 at 05:57:09PM -0700, Qubes Guy wrote:
> I've successfully used qvm-block (in Dom0) to attach USB drives to different 
> VMs (persistently), but I've noticed that Qubes (or Linux) sometimes gives 
> them to different devices over time. In other words, on Monday, my 
> BIG_TOSHIBA drive will be on /dev/sda, but it'll be assigned to /dev/sdj when 
> I boot up on Wednesday. This is throwing off my VeraCrypt / FreeFileSync 
> backup routine. (Another way of saying this is if I say "qvm-block attach 
> MyVM sys-usb:sda --persistent" when one of the three drives I use for MyVM is 
> currently attached to that, this will fail if Qubes moves that drive to a 
> different device-name (during boot) that isn't one of the three I previously 
> attached (when I go to start up that VM).
> 
> I thought about persistently attaching all 10 of my USB drives to the VM 
> (some HDs, some flash, one SSD - I never use all of them at once - don't 
> ask!) because that would certainly fix this problem, but I get the following 
> error when I try to start the VM: "ERROR: Start failed: XML error: target 
> 'xvdi' duplicated for disk sources '/dev/sdc' and '/dev/sde', see 
> /var/log/libvirt/libxl/libxl-driver.log for details".
> 
> Note that I did all the persistent attachment commands while the VM was not 
> running. If I detach all those, start the VM, do the persistent attachments, 
> shut down the VM and then restart it, I get an error along the lines of 
> "qrexec process failed to respond in 60 seconds".
> 
> So, I guess I'm asking if there's a way to just persistently attach 2 or 3 
> external USB drives and have them consistently available on the same device 
> names when I start the VM so VeraCrypt doesn't balk?  (VeraCrypt ultimately 
> doesn't care what device a drive is attached to (it could be sda - sdj on my 
> system) because it shows the attached drive as "/media/user/BIG_TOSHIBA, but 
> if a drive isn't where it's supposed to be, that'll fail.
> 
> In case you're curious, the error messages in 
> /var/log/libvirt/libxl/libxl-driver.log are meaningless to me, but if you 
> want me to post it, I can.
> 
> Any help you guys can give me would be greatly appreciated! Thanks...

It isn't available yet, related issue:
https://github.com/QubesOS/qubes-issues/issues/3437

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20180518181901.GC20125%40mail-itl.


Re: [qubes-users] Testing repository: update policy

2018-05-06 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sun, May 06, 2018 at 03:54:10PM -0500, Andrew David Wong wrote:
> On 2018-05-06 13:20, Marek Marczykowski-Górecki wrote:
> > On Sun, May 06, 2018 at 12:25:32PM -0500, Andrew David Wong wrote:
> >> On 2018-05-06 08:51, Vasilis wrote:
> >>> Hi,
> >>>
> >>> I was trying to find out when an updated package makes it into Qubes 
> >>> testing
> >>> repository?
> >>>
> >>> For instance an updated version of the package qubes-desktop-linux-i3 [1] 
> >>> is in
> >>> the repository since Apr. 4 but still not available in the testing 
> >>> repository.
> >>>
> >>> [1] https://github.com/QubesOS/qubes-desktop-linux-i3
> >>>
> >>>
> >>> Cheers,
> >>> ~Vasilis
> >>>
> > 
> >> I found the associated issue and PR:
> > 
> >> https://github.com/QubesOS/qubes-issues/issues/3781
> > 
> >> https://github.com/QubesOS/qubes-desktop-linux-i3/pull/13
> > 
> >> Marek, what's the usual procedure after merging a commit and closing
> >> the qubes-issue that it fixes? Based on looking at past activity, it
> >> looks like you typically increment the package version number, then
> >> (automatically or manually) start a new build of the package, which
> >> then creates a new issue in updates-status. Should I have left the
> >> issue open as a reminder to do this?
> > 
> > Usually every few weeks I review which packages have changes warranting
> > a new version (I have a script for that). The last few weeks (and probably
> > some more) were busy because of fc27/fc28.
> > If you find some change that is waiting unusually long for release, ping me
> > in the issue related to that change, or simply in an email.
> > 
> 
> Ok, sounds good.
> 
> Consider yourself pinged for this one. :)

https://github.com/QubesOS/updates-status/issues/512

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20180506213323.GZ1124%40mail-itl.


Re: [qubes-users] Testing repository: update policy

2018-05-06 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Sun, May 06, 2018 at 12:25:32PM -0500, Andrew David Wong wrote:
> On 2018-05-06 08:51, Vasilis wrote:
> > Hi,
> > 
> > I was trying to find out when an updated package makes it into Qubes testing
> > repository?
> > 
> > For instance an updated version of the package qubes-desktop-linux-i3 [1] 
> > is in
> > the repository since Apr. 4 but still not available in the testing 
> > repository.
> > 
> > [1] https://github.com/QubesOS/qubes-desktop-linux-i3
> > 
> > 
> > Cheers,
> > ~Vasilis
> > 
> 
> I found the associated issue and PR:
> 
> https://github.com/QubesOS/qubes-issues/issues/3781
> 
> https://github.com/QubesOS/qubes-desktop-linux-i3/pull/13
> 
> Marek, what's the usual procedure after merging a commit and closing
> the qubes-issue that it fixes? Based on looking at past activity, it
> looks like you typically increment the package version number, then
> (automatically or manually) start a new build of the package, which
> then creates a new issue in updates-status. Should I have left the
> issue open as a reminder to do this?

Usually every few weeks I review which packages have changes warranting
a new version (I have a script for that). The last few weeks (and probably
some more) were busy because of fc27/fc28.
If you find some change that is waiting unusually long for release, ping me
in the issue related to that change, or simply in an email.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20180506182059.GY1124%40mail-itl.


Re: [qubes-users] Qube Manager dbus event handling

2018-05-03 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, May 03, 2018 at 09:50:26PM +0200, donoban wrote:
> On 05/03/18 16:08, donoban wrote:
> > Hi,
> > 
> > I saw Qube Manager should handle dbus signals from
> > 'DomainManager1' for a fast and cheap refreshing of VMs status.
> > 
> > Is anybody currently working on this? If not I think I could do it.
> > I started playing with pydbus and I think the current code doesn't
> > need a very big rewrite for handling all relevant events.
> 
> I am near achieve this. However I see a little problem with current API.
> 
> Dbus objects relative to Qubes domains use 'qid' as identifier, like:
> 
> /org/qubes/DomainManager1/domains/13
> 
> but VMCollection uses VM names as key so I can't retrieve directly an
> vm object using a 'qid'.
> 
> This only affects to domain creation (for the other cases the vm was
> already loaded into a dict) but maybe would be nice to have a direct
> way to get a vm by 'qid'.

There is ongoing work on the domains widget to use the qubesadmin module
directly (skipping the dbus layer). Copying Marta, who is working on it.

Long story short - the dbus services were introduced before we decided to
implement the Admin API in 4.0 (the initial plan was to have it in 4.1 or
later). But since we've done it in 4.0, there is very little sense in
using dbus, which serves a similar purpose (providing info and events
about domains) but adds additional complexity.

As for Qube Manager, there is a little problem - events handling in
qubesadmin is based on the asyncio python module. At the same time, both
GTK and Qt use their own event loop. We have it worked out for GTK, using
the gbulb module[1][2]; it's simple. But we haven't tried it with Qt. In
theory there is the quamash module[3] for it, so hopefully that's simple
too. One catch is that, similar to gbulb, there is no package for it in
Fedora... For gbulb we've created one[6]; probably the same is needed for
quamash.

By using qubesadmin directly, you avoid this qid problem, and
additionally things are simpler and there are fewer places where state
can get out of sync.

Events handling in qubesadmin: docs[4], example usage[5]:

    events_dispatcher = qubesadmin.events.EventsDispatcher(args.app)
    events_dispatcher.add_handler('backup-progress',
        functools.partial(print_progress, profile_name))
    events_task = asyncio.ensure_future(
        events_dispatcher.listen_for_events())

List of domain related events can be found here:
https://dev.qubes-os.org/projects/core-admin/en/latest/qubes-vm/qubesvm.html

[1] https://github.com/nathan-hoad/gbulb
[2] https://github.com/QubesOS/qubes-dbus/blob/master/qubesdbus/service.py#L37
[3] https://github.com/harvimt/quamash
[4] 
https://dev.qubes-os.org/projects/core-admin-client/en/latest/qubesadmin.events.html#module-qubesadmin.events
[5] 
https://github.com/QubesOS/qubes-core-admin-client/blob/master/qubesadmin/tools/qvm_backup.py#L195-L199
[6] https://github.com/QubesOS/qubes-linux-gbulb

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20180504000438.GA11593%40mail-itl.
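As an added, self-contained sketch of the approach the reply recommends (my example, not code from qubesadmin or Qube Manager): a manager-side cache keyed by VM name that is updated from Admin API events through asyncio, so no qid lookup is needed. The record framing (a `1`, the subject, the event name, then key/value pairs, each NUL-terminated, ended by an empty key) is how I recall qubesadmin.events decoding the stream and is an assumption to check against the linked docs; the event stream itself is constructed.

```python
"""Toy Qube Manager state cache fed by Admin API events through asyncio.
Assumed framing (check qubesadmin.events): each record is
  1 NUL <subject> NUL <event> NUL (<key> NUL <value> NUL)* NUL
where the subject is the VM name and app-level events use an empty subject."""
import asyncio
from typing import Callable, Dict, List, Tuple

Handler = Callable[[str, str, Dict[str, str]], None]


def encode(subject: str, event: str, **kwargs: str) -> bytes:
    """Build one record in the assumed wire format (used only to construct the sample)."""
    parts = [b"1", subject.encode("ascii"), event.encode("ascii")]
    for key, value in kwargs.items():
        parts += [key.encode("ascii"), value.encode("ascii")]
    # The final two NULs terminate the last field and send the empty key.
    return b"\0".join(parts) + b"\0\0"


class EventStream:
    """Decode records and call the handlers registered for each event name;
    '*' handlers see every event (assumed to mirror EventsDispatcher.add_handler)."""

    def __init__(self) -> None:
        self.handlers: Dict[str, List[Handler]] = {}

    def add_handler(self, event: str, handler: Handler) -> None:
        self.handlers.setdefault(event, []).append(handler)

    async def read_record(self, reader: asyncio.StreamReader):
        header = await reader.readuntil(b"\0")
        if header != b"1\0":
            raise ValueError(f"invalid event header {header!r}")
        subject = (await reader.readuntil(b"\0"))[:-1].decode("ascii")
        event = (await reader.readuntil(b"\0"))[:-1].decode("ascii")
        kwargs: Dict[str, str] = {}
        while True:
            key = (await reader.readuntil(b"\0"))[:-1].decode("ascii")
            if not key:
                return subject, event, kwargs
            kwargs[key] = (await reader.readuntil(b"\0"))[:-1].decode("ascii")

    async def listen(self, reader: asyncio.StreamReader) -> int:
        """Dispatch until the connection closes; returns the number of records seen.
        Under Qt this coroutine would run on the quamash loop instead of asyncio.run()."""
        seen = 0
        while True:
            try:
                subject, event, kwargs = await self.read_record(reader)
            except asyncio.IncompleteReadError:
                return seen  # qubesd went away; a real client would reconnect here
            for handler in self.handlers.get(event, []) + self.handlers.get("*", []):
                handler(subject, event, kwargs)
            seen += 1


class DomainCache:
    """Name-keyed view of domains, which is what the manager displays."""

    def __init__(self) -> None:
        self.state: Dict[str, str] = {}

    def on_add(self, subject: str, event: str, kw: Dict[str, str]) -> None:
        self.state[kw["vm"]] = "Halted"  # app-level event: VM name travels in 'vm'

    def on_delete(self, subject: str, event: str, kw: Dict[str, str]) -> None:
        self.state.pop(kw["vm"], None)

    def on_start(self, subject: str, event: str, kw: Dict[str, str]) -> None:
        self.state[subject] = "Running"  # VM-level event: the subject is the VM

    def on_shutdown(self, subject: str, event: str, kw: Dict[str, str]) -> None:
        self.state[subject] = "Halted"


# Constructed stream: a session that creates two VMs, runs both and removes one.
SAMPLE_EVENTS = b"".join([
    encode("", "connection-established"),
    encode("", "domain-add", vm="work"),
    encode("work", "domain-start"),
    encode("", "domain-add", vm="untrusted"),
    encode("untrusted", "domain-start"),
    encode("untrusted", "domain-shutdown"),
    encode("", "domain-delete", vm="untrusted"),
])


def replay(records: bytes) -> Tuple[Dict[str, str], int]:
    """Feed a captured byte stream through the dispatcher; returns (final state, records seen)."""
    async def run() -> Tuple[Dict[str, str], int]:
        reader = asyncio.StreamReader()
        reader.feed_data(records)
        reader.feed_eof()
        stream, cache = EventStream(), DomainCache()
        stream.add_handler("domain-add", cache.on_add)
        stream.add_handler("domain-delete", cache.on_delete)
        stream.add_handler("domain-start", cache.on_start)
        stream.add_handler("domain-shutdown", cache.on_shutdown)
        seen = await stream.listen(reader)
        return cache.state, seen
    return asyncio.run(run())
```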


Re: [qubes-users] "How can I properly manage my system?" or "how do I use Admin API, salt and git or other versioning/distribution mechanisms together"

2018-04-21 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Apr 20, 2018 at 11:40:36PM +0200, viq wrote:
> On 18-04-20 23:21:10, Marek Marczykowski-Górecki wrote:
> > On Fri, Apr 20, 2018 at 10:51:38PM +0200, viq wrote:
> > > On 18-04-20 13:51:50, Marek Marczykowski-Górecki wrote:
> > 
> > > Hm, salt has SPM[6], which I need to read a bit more about. On one
> > > hand, it's a native salt tool, so possibly it could work better for
> > > distributing, and more importantly updating states/formulas, but on the
> > > other hand, as far as I'm aware, it doesn't currently have concept of
> > > signing.
> > 
> > This is exactly the reason we use RPM for distribution-provided
> > formulas.
> > I've tried to play with SPM + some wrapper to actually download files
> > (dom0 has no network), but AFAIR it was a bit crazy to do it this way -
> > the only part of SPM that left could be shortened to "tar x"...
> 
> Ah, so you looked at it more than I did. Would it make sense to have
> pretty much just SPM file inside the RPM, and post-install talk with SPM
> to install that, or does it really bring nothing to the table?

> On the other hand, RPMs don't play nice with local modifications...

Does SPM do?

> > BTW each of our formula packages have FORMULA file, so it should be
> > compatible with SPM out of the box, at least in theory.
> > 
> > > > See linked post[1] what changes are required. Normally I'd say, lets
> > > > package it in rpm, but since qrexec policy doesn't support .d
> > > > directories, it may not work that well. In many places we use salt's
> > > > file.prepend to adjust policy files, so maybe use it here too? This
> > > > start being quite complex:
> > > > 1. Salt formula installed (via rpm?) in dom0, to configure management VM
> > > > 2. Management VM running rest of salt formulas to configure other VMs
> > > 
> > > Yeah, this kinda follows what I was thinking. With some work (1) could
> > > be available from Qubes repos ;) I guess with defaults allowing to set
> > > up mgmt-global, mgmt-personal and mgmt-work, with permissions set up as
> > > the names imply?
> > > 
> > > But, being salt-head that I am, what about templating the settings from
> > > pillars? 
> > 
> > I think it is a good idea, but needs some better handling of pillars. We
> > already have topd[13] module to maintain top.sls. If we could have
> > something allowing the user to simply set pillar entry X to value Y
> > (without learning yaml syntax), that would be great. Pillar modules you
> > link below may be the way to go.
> 
> Hm, where are things like labels and other VM settings stored? 

All VM properties are stored in qubes.xml. We do expose some of them as
pillars already (for example qubes:type), but I don't think it's a good
place for something not directly related to VMs.

I'm thinking of pillars like the name of mgmt-global VM. This isn't
something that belongs to some particular VM (in qubes.xml), especially
when said mgmt-global VM doesn't exist yet.
I was hoping that some of the existing pillar modules would support
something with a user-friendly key-value interface, including:
 - listing available keys (maybe even with some description?)
 - getting and setting values
 - a GUI, or interface to integrate with some

While a script that would handle a yaml file wouldn't be horribly long,
I'd guess someone has done that already.

> Maybe it
> would be possible to piggy-back on that? Even if code would be needed,
> pillars just like top system are "just another python file" that IIRC
> can even be distributed inside SPMs.
>  
> > > No, I'm not convinced whether one long yaml is better than
> > > multitude of tiny files... But this could be another way to manage the
> > > whole thing. Some examples of what it could look like are pillar
> > > examples from rspamd-formula[7], salt-formula[8] and shorewall-formula[9]
> > > 
> > > And of course there are different ways to manage pillars than one long
> > > yaml, but this is the most common way. [10] [11] [12]
> > > 
> > > > [1] https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/
> > > > [2] https://github.com/QubesOS/qubes-mgmt-salt-dom0-qvm/
> > > > [3] https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/
> > > > [4] https://github.com/QubesOS/qubes-infrastructure/
> > > > [5] https://github.com/QubesOS/qubes-mgmt-salt
> > > 
> > > [6] https://docs.saltstack.com/en/latest/topics/spm/index.html
> > > [7] 
> > > https://github.com/saltstac

Re: [qubes-users] "How can I properly manage my system?" or "how do I use Admin API, salt and git or other versioning/distribution mechanisms together"

2018-04-20 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Apr 20, 2018 at 10:51:38PM +0200, viq wrote:
> On 18-04-20 13:51:50, Marek Marczykowski-Górecki wrote:

> Hm, salt has SPM[6], which I need to read a bit more about. On one
> hand, it's a native salt tool, so possibly it could work better for
> distributing, and more importantly updating states/formulas, but on the
> other hand, as far as I'm aware, it doesn't currently have a concept of
> signing.

This is exactly the reason we use RPM for distribution-provided
formulas.
I've tried to play with SPM + some wrapper to actually download files
(dom0 has no network), but AFAIR it was a bit crazy to do it this way -
the only part of SPM that was left could be shortened to "tar x"...

BTW each of our formula packages has a FORMULA file, so it should be
compatible with SPM out of the box, at least in theory.

> > See the linked post[1] for what changes are required. Normally I'd say, let's
> > package it in rpm, but since qrexec policy doesn't support .d
> > directories, it may not work that well. In many places we use salt's
> > file.prepend to adjust policy files, so maybe use it here too? This
> > starts being quite complex:
> > 1. Salt formula installed (via rpm?) in dom0, to configure management VM
> > 2. Management VM running rest of salt formulas to configure other VMs
> 
> Yeah, this kinda follows what I was thinking. With some work (1) could
> be available from Qubes repos ;) I guess with defaults allowing to set
> up mgmt-global, mgmt-personal and mgmt-work, with permissions set up as
> the names imply?
> 
> But, being salt-head that I am, what about templating the settings from
> pillars? 

I think it is a good idea, but needs some better handling of pillars. We
already have topd[13] module to maintain top.sls. If we could have
something allowing the user to simply set pillar entry X to value Y
(without learning yaml syntax), that would be great. Pillar modules you
link below may be the way to go.

> No, I'm not convinced whether one long yaml is better than
> multitude of tiny files... But this could be another way to manage the
> whole thing. Some examples of what it could look like are pillar
> examples from rspamd-formula[7], salt-formula[8] and shorewall-formula[9]
> 
> And of course there are different ways to manage pillars than one long
> yaml, but this is the most common way. [10] [11] [12]
> 
> > [1] https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/
> > [2] https://github.com/QubesOS/qubes-mgmt-salt-dom0-qvm/
> > [3] https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/
> > [4] https://github.com/QubesOS/qubes-infrastructure/
> > [5] https://github.com/QubesOS/qubes-mgmt-salt
> 
> [6] https://docs.saltstack.com/en/latest/topics/spm/index.html
> [7] 
> https://github.com/saltstack-formulas/rspamd-formula/blob/master/pillar.example
> [8] 
> https://github.com/saltstack-formulas/salt-formula/blob/master/pillar.example
> [9] 
> https://github.com/saltstack-formulas/shorewall-formula/blob/master/pillar.example
> [10] https://docs.saltstack.com/en/latest/ref/pillar/all/
> [11] https://docs.saltstack.com/en/latest/ref/sdb/all/index.html
> [12] https://docs.saltstack.com/en/latest/ref/renderers/all/index.html

[13] https://github.com/QubesOS/qubes-mgmt-salt-base-topd/

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlraWccACgkQ24/THMrX
1ywUUggAjKPrD700d9QLYD49VovSV7WSKp6d3O9YAOYtVfvpoDC4sKtGTkcF4izn
ctQLwjsJhilfeUgS/Jej7jV6MxkJCxyGjXvJQvc1zsjpdGvioSPJ89a04ChcY4S7
sg78gksUW0/yDwgV9KruYp0MVWzS4GoN8siECxZ1xJYtlYEcziJ4Bm+J+G7HNpbd
H5G37MH9R+CbLdLckdjEuBOUV4BWKB1z0X2B71PBdEIF/dguj/rvDfXmZx9GQj36
GOQVwrHsB7b3B6Rp93vc10TX1rVj8WVwwY6k0To7W3IRWFhzPyIR50tTMIzPTGYB
BAFMf9mmGl0Sc36pjk+hQBIq0YBaeg==
=XR7K
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180420212110.GJ27518%40mail-itl.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] "How can I properly manage my system?" or "how do I use Admin API, salt and git or other versioning/distribution mechanisms together"

2018-04-20 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, Apr 19, 2018 at 10:20:08PM +0200, viq wrote:
> Salt tools give a nice way to configure system (make sure templates exist
> with certain packages, prepare AppVMs based on them, etc). But I'd prefer
> to edit them in a customized editor, with syntax highlighting, etc, which
> is strongly discouraged from being put into dom0. I also feel that having
> version control over those files is the way to go, preferably synced
> somewhere so I can for example easily replicate this when setting up
> another computer or reinstalling.
> 
> My understanding is that this is a perfect use case for new Admin API -
> have a machine with editor and git set up to adjust salt files, and either
> give admin permissions to that one, or use something like split-git that
> was mentioned to pull the repo into another VM and execute there.

Yes, exactly. In theory it should be easily possible to set up a management
VM with an appropriate policy (see [1]) and use salt from that VM. The
thing you need to change is to make the qvm salt module [2] work in a VM;
right now it explicitly checks if it's running in dom0. Hopefully this is
the only change you need.

But there is one thing you can't do that easily over the Admin API - various
dom0 settings. This includes installing packages in dom0 and editing various
configuration files (pam? bootloader? qrexec policy?). We're working on
the last one, but the others are not solved right now. For multiple dom0
changes you still need to run salt in dom0.

For some cases, we use rpm packages to distribute salt formulas - this
includes the default setup (virtual-machines formula[3]) and our
infrastructure[4].
For my personal machine, I use salt in dom0 and synchronize this
configuration using signed tarballs, manually...

> Am I on the right track here? If so:
> 1) What packages do I need on admin VM to be able to do this?

Most likely qubes-mgmt-salt-dom0-qvm[2] with its dependencies and
probably minor changes will be enough. The dependencies include at least
python2-qubesadmin. Oh, and qubesctl itself is in
qubes-mgmt-salt-admin-tools[5].

> 2) Where and how should I be executing this? A quick test of running
> qubesctl inside a VM didn't even produce logs in dom0 journal, the command
> just complained it can't reach a daemon.

The client side of the Admin API uses the /etc/qubes-release file to find out if it's
running in dom0 (and can take a shortcut to talk directly to qubesd), or
not. So I guess you installed a package containing /etc/qubes-release,
which normally isn't present in a VM. Simply remove the file and retry.
You should see some messages about denied admin.* qrexec calls.

> 3) What would be a good way to track and distribute necessary changes to
> /etc/qubes-rpc/policy/ on dom0?

See the linked post[1] for what changes are required. Normally I'd say, let's
package it in rpm, but since qrexec policy doesn't support .d
directories, it may not work that well. In many places we use salt's
file.prepend to adjust policy files, so maybe use it here too? This
starts being quite complex:
1. Salt formula installed (via rpm?) in dom0, to configure management VM
2. Management VM running rest of salt formulas to configure other VMs

[1] https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/
[2] https://github.com/QubesOS/qubes-mgmt-salt-dom0-qvm/
[3] https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/
[4] https://github.com/QubesOS/qubes-infrastructure/
[5] https://github.com/QubesOS/qubes-mgmt-salt

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlrZ1FcACgkQ24/THMrX
1yzccAf/bInV6KALR82K9mt0yHYrE4N1IlHLyoaBmBi1QyNX/rqY+6/NInKl7Sit
VWpp4HBXcZBcqH9u0j9G1cJBQX3XrN84BLWLFJcRYUNRJkcqWH/DnOusDGuhCdvs
XC8sbwHtkRIueUFgMNpBSyWgyy8GjjSIoQItE7JxGkHMin5AGiNxlNZVY+TuFxV+
B59goJIjzuuUXZTXgkzasXeSLBUKVLUPKMOrgt6Jw1REV6WGwrl6ZDG3T4h7kGBY
zldTYhnxFbiBVX0GWVwGqSfEWjYJxX1/Yh5yNv7TTcZGQFFfBLex8MvMVwE/DEYq
kJ4qiQsj2iGVgFnNchQVB/KFz8eCbg==
=uBDd
-END PGP SIGNATURE-

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180420115150.GC2275%40mail-itl.


Re: [qubes-users] Re: Qubes R4.0 broken by "TypeError: not enough arguments..." for most qvm-* commands

2018-04-12 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Thu, Apr 12, 2018 at 08:19:10AM -0700, Pablo Di Noto wrote:
> > techg...@gmail.com
> > If, as I suspect, the root cause of your problem is a lack of metadata 
> > space on pool00; you can confirm this by typing "sudo lvs" into a console.  
> > You will then need to figure out a way to enlarge that metadata volume.
> 
> Yes, you are right, the `pool00` volume metadata was >96% when this happened. 
> The thing is that the volume metadata was set to a quite small size after 
> install (96 MB on a 46 GB pool) and after install was at ~20% usage. I started 
> to use the system, testing stuff with DispVMs, restoring my debian templates 
> and some work VMs. After a couple of days of usage the metadata climbed very 
> little, to 27-28%.
> 
> I tried to have a second pool to hold my machines, precisely to avoid issues 
> with thin provisioning on the pool holding `root` and `swap` and services 
> vms. But the lack of support for cloning/moving between pools made that 
> effort moot.
> 
> So I `lvextend`ed `pool00` and forgot to properly enlarge its 
> `pool00_tmeta` counterpart.

What sizes do you have there?
For me tmeta is 118MB for a ~450GB pool00. And after a few months of usage
it's still at 33%...

> When doing some more customization, including restoring more, larger 
> qubes and cloning/renaming qubes it seems the metadata usage climbed really 
> fast and hit this bug.
> 
> Unfortunately, I could not recover from that.
> 
> It looks like qubes lvm actions while metadata was full may have corrupted 
> the metadata somehow, since I could enlarge and repair the thin metadata from 
> a live cd, but many of the volumes that were in use were never available 
> again. The -private and -snap for the qubes that were running (not sure how 
> to discard them) and also all the volumes of the qubes being restored and 
> services vms are lost ("NOT available" as lvm status).

You could also try to revert to an earlier revision using "qvm-volume
revert sys-net:private" for example.

> I remember there was some Saltstack magic to recreate the services vms, but 
> could not find anything for R4.0... So I had to revert to R3.2 for the time 
> being.

https://www.qubes-os.org/doc/salt/
Especially links at the bottom:
https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/README.rst

> I will keep the failing install for debugging, or may be able to recover if 
> someone can provide any tips about:
> 
> - How to recreate sys-net, sys-firewall and sys-usb on a R4.0 system
> - how to recover a qube whose -snap volumes are no longer available (I have 
> no problem losing these short-term data)
> 
> Thanks for pointing to the right direction!
> 


- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlrMuusACgkQ24/THMrX
1yy3lQf/cO0oe9uOUviiKwgdf6+fEzhCbn6XUkmAU7MLLAkYC1uCAwE3DoT8MBGt
bbGkpmWq9gijUCJeWzUD0Z2k1QkZWDdiMgEE8nSgiqyS1O6uNxqqO0ucozWe69Ud
FWwmxkCATwX+FK239+HJSO9Jq6/Izb59qbvB1kwewQheqGkZVF9ISNE3AopkMjG8
4RBy1J0dVjHH3wxHtl9N3Z6/4mVwFquLwlE7cM+kTRpFfPtwvrBrNavfYTrEX5lz
ALBvsh/eunXBOmc4FNSGHj2yaKnNZibfBVDOoBGaexXt1G0ykpu9aou8tQrKv0zl
FqhhNHp9DeOdHm3kP0h1d6PZW1EGiw==
=5Ksa
-END PGP SIGNATURE-

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180412184252.GB2275%40mail-itl.
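The thread above turns on a thin pool whose metadata volume (`pool00_tmeta`) filled up while the data volume still had room, with the advice to confirm it via `sudo lvs`. As an added example that is not code from the thread or from Qubes OS, the Python below parses the output of `lvs --noheadings --separator '|' --units m -o vg_name,lv_name,lv_attr,lv_size,data_percent,metadata_percent` (real `lvs` options and report fields) and warns when a thin pool's metadata usage reaches a threshold, so the condition can be caught before restores or clones push it to 100%. The sample `lvs` output and the 80% threshold are constructed for the example.

```python
"""Warn when an LVM thin pool's metadata volume is close to full.

Added example (not code from the mailing-list thread or from Qubes OS).
Parses the output of:

    lvs --noheadings --separator '|' --units m \
        -o vg_name,lv_name,lv_attr,lv_size,data_percent,metadata_percent

and reports thin pools whose metadata_percent is at or above a threshold.
The sample output below is constructed for this example; sizes are made up.
"""
import subprocess
from dataclasses import dataclass
from typing import List

LVS_FIELDS = "vg_name,lv_name,lv_attr,lv_size,data_percent,metadata_percent"
LVS_CMD = ["lvs", "--noheadings", "--separator", "|", "--units", "m",
           "-o", LVS_FIELDS]

# Constructed sample in the shape lvs prints with the options above.
# pool00 mirrors the ">96% metadata" situation described in the thread.
SAMPLE_LVS_OUTPUT = """\
  qubes_dom0|pool00|twi-aotz--|46080.00m|71.20|96.81
  qubes_dom0|root|Vwi-aotz--|10240.00m|45.10|
  qubes_dom0|swap|-wi-ao----|4096.00m||
  qubes_dom0|vm-work-private|Vwi-aotz--|2048.00m|80.00|
"""


@dataclass
class ThinPool:
    vg: str
    name: str
    size_mib: float
    data_percent: float
    metadata_percent: float


def parse_lvs(output: str) -> List[ThinPool]:
    """Return the thin pools found in lvs output produced with LVS_CMD."""
    pools = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split("|")
        if len(fields) != 6:
            raise ValueError(f"unexpected lvs line: {raw!r}")
        vg, name, attr, size, data_pct, meta_pct = fields
        # lv_attr[0]: 't' thin pool, 'V' thin volume, '-' plain LV.
        # Only thin pools carry a metadata_percent worth checking.
        if not attr.startswith("t"):
            continue
        pools.append(ThinPool(
            vg=vg,
            name=name,
            size_mib=float(size.rstrip("m")),
            data_percent=float(data_pct) if data_pct else 0.0,
            metadata_percent=float(meta_pct) if meta_pct else 0.0,
        ))
    return pools


def metadata_warnings(pools: List[ThinPool], threshold: float = 80.0) -> List[str]:
    """One warning line per pool at or above `threshold` percent metadata use."""
    warnings = []
    for pool in pools:
        if pool.metadata_percent >= threshold:
            warnings.append(
                f"{pool.vg}/{pool.name}: metadata {pool.metadata_percent:.1f}% used "
                f"(data {pool.data_percent:.1f}%, pool {pool.size_mib:.0f} MiB); "
                f"grow the pool metadata before creating or restoring more qubes"
            )
    return warnings


def check_system(threshold: float = 80.0) -> List[str]:
    """Run lvs on the local system (dom0) and return the warnings."""
    result = subprocess.run(LVS_CMD, check=True, capture_output=True, text=True)
    return metadata_warnings(parse_lvs(result.stdout), threshold)


if __name__ == "__main__":
    # Demonstrates the check on the constructed sample; use check_system() in dom0.
    for line in metadata_warnings(parse_lvs(SAMPLE_LVS_OUTPUT)):
        print(line)
```

Running it in dom0 (`check_system()`) needs root for `lvs`. When a pool is flagged, the metadata volume is grown with `lvextend --poolmetadatasize +<size> <vg>/<pool>`, which resizes `<pool>_tmeta` without touching the data volume; extending only the pool, as in the thread, leaves the metadata at its original size.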


Re: [qubes-users] Re: [Q4-rc5] Blank screen on boot after installation on Lenovo

2018-04-01 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Wed, Mar 28, 2018 at 11:25:18AM -, 'awokd' via qubes-users wrote:
> On Wed, March 28, 2018 2:09 am, berto0...@gmail.com wrote:
> >> It's in a bit of an indeterminate state right now:
> >> https://github.com/QubesOS/qubes-issues/issues/2971. Did regenerating
> >> initramfs with host only fix it for you, or did you just leave the
> >> keyboard setting on US on the reinstall?
> >
> > Actually, I just pressed the keys as on an imaginary US keyboard after
> > realizing one key was in a different position. That's a quite common
> > method for non-US users -- you just need to be aware that you are dealing
> > with a moved key in the first place. And there is no feedback when typing
> > a password as first task on a new OS, obviously.
> 
> Sounds like that linked issue's not resolved. If you have a Github
> account, mind commenting on it with your experience and pinging
> @andrewdavidwong? I can do it later too, if you don't. If you get a chance
> to regenerate with -H, I'm curious if that fixes it too. Shouldn't (TM)
> hurt anything.

Have you tried the final 4.0 image? There were some fixes that didn't
manage to get included in rc5.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlq3FxMACgkQ24/THMrX
1yyY2gf/aMKU0Z5QePTIlSvlCv+w5Q+izB8ROYhVB2u924BN+cdJOpeucLV9BCJD
XjpxhT9jcmPa92VB8Y9ZYuuh0xHD2+2961/Gi84cgtyUhAeqPNwzixkQDFkQNDCk
LwjauR3+qR/ESQQjrnwEQj9wUSWdNaAeU3CKBbl2xyu7R1/mNQbiEKpN0hbaZ0S9
ByZ3DzL5s2TC5Eulc134mCLba7W1Na6cUYeh4pC2caUztJOOIFWuqB8Jqyu0vEvp
l+SidbOeHoMdlTZEBx9VZzab/Xk1DqbuLHqkDU09XaSLlBzEahC/AW5Oz0Z1TJry
K/ZJNK6aVK74WDN/oBvfeswxas3UOg==
=uk26
-END PGP SIGNATURE-

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180401180132.GW10924%40mail-itl.


Re: [qubes-users] installation failure when trying to install from usb to samsung ssd on lenovo 220

2018-03-30 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Fri, Mar 30, 2018 at 01:50:07AM +0200, Marek Marczykowski-Górecki wrote:
> On Thu, Mar 29, 2018 at 11:56:12AM -0700, kai.fr...@gmail.com wrote:
> > greetings,
> > 
> > i copied the current iso (tried it both with rc5 and with today's final 
> > official iso) to a 32gb usb stick
> > and made my lenovo x220 boot from it. all went well until i chose to have 
> > the newly installed
> > samsung 512gb ssd as target (it was listed in the graphic menu of the 
> > available targets).
> > the system kind of halted for a second or two and then threw an 
> > anaconda 25.20.9-12 exception report
> > Trace back (most recent file first):
> > 
> > File  "/usr/python3.5/site-packages/blivet/devicetree.py", line 184, in 
> > _remove_device raise ValeError("Device %s not in tree" % dev.name)e
> > ...
> > 
> > The exact same line already raised an error when trying to install rc5 on 
> > two other lenovo laptops (t430 and
> > l560) with several different usb drives as targets.
> > 
> > So at this point, i am a bit without a clue what else to try to get qubes 
> > installed and am wondering
> > a bit what causes all the other installations to work for all other users?
> 
> What partitioning layout have you chosen? All defaults?
> 
> Can you extract logs from that system? The error message should have a
> button to switch you to text console, then you'll find full error
> message in /tmp/anaconda-tb-(something) file. You might want to
> review/edit this file before posting it - it contains a lot of details
> about your hardware. If you want, you may send it just to my address
> instead of mailing list.

According to the logs, "sdc4" is your installation source. Which is a bit
unusual - the installer expects the image to be written to the device
directly, not to one of its partitions.
While the error message should definitely be improved, the problem is in
how the installation USB stick is prepared.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlq0mHEACgkQ24/THMrX
1yyyLQf9GlXm+3OcSKZ8xvcTOXSxvFloDqa1LqYUln9tDVrGVV+IaxazXIFXQtNm
VD/OjTrHSayNVd0v0LtHGuIO9ElbSXh8MQI24xmaz8HgzO1n2MKMfcHRuMiQteL7
SzPdts6RJVZbRXhH3bwW5GvegFZcmP01nsb8Q8aYTlMqXZujrE/00KGOqsEYIGzN
e+Xt17azk7uVq29rlxJ5BIbKP8TorkplcOViu+vKk6MKzpKrIfhGnFR/3RyaFjcM
Dtyh5dwj9DcKhtH9MfwaowaNnYuJJ96Hkxmwqtk/6lEjI0RSL0FTwUSstlgla+HN
mS6HNvRj1HbIQvoQI9FmntRL9DXx5g==
=Qjs0
-END PGP SIGNATURE-

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180330203642.GV10924%40mail-itl.


ReactOS cooperation? (was: Re: [qubes-users] Disk problems when installing ReactOS 0.4.5 on HVM)

2018-03-30 Thread Marek Marczykowski-Górecki
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On Mon, Mar 19, 2018 at 11:37:10AM +0100, Marek Marczykowski-Górecki wrote:
> On Mon, Mar 19, 2018 at 11:21:39AM +0100, Giulio wrote:
> > 
> > > I've tried that already and it doesn't help (you exchange disk not found 
> > > error
> > > for crashing installation). This may be related to *much* newer qemu
> > > version in Qubes 4.x, than was used in Qubes 3.x, apparently devices
> > > emulated there are not supported by ReactOS drivers.
> > > 
> > > But, ReactOS live image seems to work much better.
> > 
> > Thanks for the response. Whose issue do you think it is?
> 
> I'm not really sure. But there are other issues related to disk
> currently emulated in Qubes, for example:
> https://github.com/QubesOS/qubes-issues/issues/3651
> 
> > Should i continue
> > the thread about reactos on qubes-issues or try to open an issue on reactos
> > itself?
> 
> Getting in touch with ReactOS people is a good idea. My previous try
> was on FOSDEM this year, having Colin Finck next to me, but we haven't
> figured out what was wrong.
> Later I may try to recover logs from those failed attempts.
> 
> There is also a tracking issue in their bugtracker:
> https://jira.reactos.org/browse/CORE-13358
> Probably not the best idea to add detailed problems directly there, but
> linking related issues should help.

There is an update from Colin about possible cooperation between Qubes
OS and ReactOS:
https://github.com/QubesOS/qubes-issues/issues/2809#issuecomment-377487490

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE-

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlq0MQwACgkQ24/THMrX
1yzoAAgAlsQL0l57lE91Cy4w0D2Pn9OvZqkf2IgpSGeHi/5Ukmw68DFkqI3kevYN
SRJjSKJ5qr7uPp4dquIFJQQaGgSbCfXjSkfcGYHpcN37YUHoDwCAPXV0VD80hrnU
S9XdV4+U4z04ZpFcu/CCfuoYdBYYe4DdOni0i42bC+BubtcjAeS9pZrUGIwLVfOr
PqcbG26kf7qVos+157jgbAfnVqLvzkwoYL92LXsJVzj3GqpG6NAtnMyP4T8ICWA4
B/Ckc4n20/8xScYAsJ7h8ve79K252r6turFUeirmmueTp/a6Jt7HqYlbDZHKPHF5
GYnXsBntjJuFQx2pedY6So5bTFuNjA==
=k8Le
-END PGP SIGNATURE-

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180330131534.GU10924%40mail-itl.

