[qubes-users] Re: Help me test fixes for Intel IGD graphical artifacts on Qubes R4.0
On Sat, Jan 16, 2021 at 01:49:25AM +, Jinoh Kang wrote:
> On 1/15/21 8:06 PM, Marek Marczykowski-Górecki wrote:
> > On Fri, Jan 15, 2021 at 05:29:43PM +, Jinoh Kang wrote:
> >> Is qubes-xorg-x11-drv-intel an option? Upstream hasn't released for years
> >> after all...
> >
> > Something like this. In fact the current (Fedora) package is already
> > built from git snapshot.
>
> Here's the catch: Fedora hasn't been bumping gitdate for almost a year,
> as seen in Pagure [1].
>
> > We do backport this package from newer Fedora already:
> > https://github.com/QubesOS/qubes-linux-dom0-updates
>
> That one from Fedora 28 is a bit behind, too.
>
> > But I would prefer to get it upstream anyway (and then possibly build
> > xorg-x11-drv-intel from newer git snapshot).
>
> Something like this? (haven't built it yet, will fix later)

I guess, yes.

> diff --git a/src/sna/kgem.c b/src/sna/kgem.c > index 6a35067c..8a7af809 100644 > --- a/src/sna/kgem.c > +++ b/src/sna/kgem.c > @@ -7023,6 +7023,8 @@ struct kgem_bo *kgem_create_map(struct kgem *kgem, > struct kgem_bo *bo; > uintptr_t first_page, last_page; > uint32_t handle; > + struct drm_i915_gem_set_domain set_domain; > + bool move_to_gtt = false; > > assert(MAP(ptr) == ptr); > > @@ -7043,20 +7045,10 @@ struct kgem_bo *kgem_create_map(struct kgem *kgem, >read_only); > if (handle == 0) { > if (read_only && kgem->has_wc_mmap) { > - struct drm_i915_gem_set_domain set_domain; > - > handle = gem_userptr(kgem->fd, >(void *)first_page, > last_page-first_page, >false); > - > - VG_CLEAR(set_domain); > - set_domain.handle = handle; > - set_domain.read_domains = I915_GEM_DOMAIN_GTT; > - set_domain.write_domain = 0; > - if (do_ioctl(kgem->fd, DRM_IOCTL_I915_GEM_SET_DOMAIN, > _domain)) { > - gem_close(kgem->fd, handle); > - handle = 0; > - } > + move_to_gtt = true; > } > if (handle == 0) { > DBG(("%s: import failed, errno=%d\n", __FUNCTION__, > errno));
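Review bot: in the second hunk, once the SET_DOMAIN call is taken out of the `read_only && kgem->has_wc_mmap` branch, a failed domain move no longer resets `handle` to 0, so the `if (handle == 0)` "import failed" fallback that follows now only covers `gem_userptr()` errors while the deferred `move_to_gtt = true;` path reports its own failure later with a different message; either keep the two messages consistent or document why they differ. The submission also carries no description beyond "Something like this?": a commit message explaining why the domain move is now applied to every userptr import rather than only the write-combining one is the first thing an upstream reviewer will ask for.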
> @@ -7064,6 +7056,21 @@ struct kgem_bo *kgem_create_map(struct kgem *kgem, > } > } > > + VG_CLEAR(set_domain); > + set_domain.handle = handle; > + if (move_to_gtt) { > + set_domain.read_domains = I915_GEM_DOMAIN_GTT; > + set_domain.write_domain = 0; > + } else { > + set_domain.read_domains = I915_GEM_DOMAIN_CPU; > + set_domain.write_domain = I915_GEM_DOMAIN_CPU; > + } > + if (do_ioctl(kgem->fd, DRM_IOCTL_I915_GEM_SET_DOMAIN, _domain)) { > + gem_close(kgem->fd, handle); > + DBG(("%s: set_domain in import failed, errno=%d\n", > __FUNCTION__, errno)); > + return NULL; > + } > + > bo = __kgem_bo_alloc(handle, (last_page - first_page) / PAGE_SIZE); > if (bo == NULL) { > gem_close(kgem->fd, handle);
>
> ---
>
> [1] https://src.fedoraproject.org/rpms/xorg-x11-drv-intel/blob/master/f/xorg-x11-drv-intel.spec#_3

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20210116015337.GE4914%40mail-itl.
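Review bot: in the last hunk, the `else` branch requests `set_domain.write_domain = I915_GEM_DOMAIN_CPU` for every import that did not take the `move_to_gtt` path, which includes the case where `read_only` is true but `kgem->has_wc_mmap` is false (the userptr was then created with the `read_only);` argument visible in the preceding hunk's context); confirm that the kernel accepts a CPU write domain on a read-only userptr object, or derive the value from the flag, e.g. `set_domain.write_domain = read_only ? 0 : I915_GEM_DOMAIN_CPU;`. The `gem_close(kgem->fd, handle);` before `return NULL;` is the right cleanup on that path.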
[qubes-users] Re: Help me test fixes for Intel IGD graphical artifacts on Qubes R4.0
On Fri, Jan 15, 2021 at 05:29:43PM +, Jinoh Kang wrote:
> Is qubes-xorg-x11-drv-intel an option? Upstream hasn't released for years
> after all...

Something like this. In fact the current (Fedora) package is already built from git snapshot.

We do backport this package from newer Fedora already:
https://github.com/QubesOS/qubes-linux-dom0-updates

But I would prefer to get it upstream anyway (and then possibly build xorg-x11-drv-intel from newer git snapshot).

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20210115200644.GC4914%40mail-itl.
[qubes-users] Re: Help me test fixes for Intel IGD graphical artifacts on Qubes R4.0
On Wed, Jan 13, 2021 at 01:21:51PM +, Jinoh Kang wrote:
> On 1/11/21 11:03 PM, Marek Marczykowski-Górecki wrote:
> > So, I can confirm the (fixed) 5.10 patch also improves the situation.
>
> Sounds good. Thanks for testing!
>
> > Have you sent it upstream?
>
> No, qubes-users and qubes-devel are the only mailing lists where I
> posted this.
>
> I guess chances of these patches being merged upstream would not be
> that great.

If that bug indeed affects only Qubes OS, there is a greater chance to accept the patch, if the option defaults to false.

> After all, we're not going to need it with Qubes R4.1.

Are you sure? The issue affects dom0 windows, which suggests it still may be necessary. On the other hand, your patch description suggests it's just that any VM-mapped window triggers the faulty path in the xf86-video-intel driver, which later affects all of the output.

> > I do consider including it in our standard
> > kernel package, but I'd like to see i915 driver maintainer opinion
> > first.
>
> If you mean you'd prefer to have it upstreamed, I'd appreciate some
> Tested-by: and/or Reviewed-by: lines for the trailer from you.

Can you send a fixed patch (that builds), rebased on top of recent Linux (5.11-rc3, or recent 5.10)? I'll re-test and add my Tested-by:.

> I'm fine as well if you'd rather just submit it yourself.
>
> Otherwise I suppose I shall only CC' the maintainers and not the list?

Generally, Linux patches should be sent to whoever the MAINTAINERS file lists, which does include some mailing lists. I highly recommend using the scripts/get_maintainer.pl script for that purpose (if you use git send-email, that's as easy as --cc-cmd=scripts/get_maintainer.pl).

PS The other (independent) issue I mentioned seems to be https://bugzilla.suse.com/show_bug.cgi?id=1180543, which is supposed to be already fixed in >=5.10.6. I've already uploaded 5.10.7, but haven't tested it on this particular machine yet.
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20210113152523.GA4914%40mail-itl.
[qubes-users] Re: Help me test fixes for Intel IGD graphical artifacts on Qubes R4.0
On Thu, Dec 24, 2020 at 02:21:22AM +, Jinoh Kang wrote:
> When using some Intel integrated graphic cards on Qubes R4.0, screen
> glitches may manifest after switching VTs or entering suspend mode.
>
> A known workaround does exist for this bug, which is to add a
> configuration file with the following contents within
> /etc/X11/xorg.conf.d:
>
> > Section "Device"
> > Identifier "Intel Graphics"
> > Driver "modesetting"
> > Option "AccelMethod" "glamor"
> > Option "DRI" "3"
> > EndSection
>
> However, the X11 modesetting driver version in Fedora 25 has its own
> drawbacks:
>
> * It freezes briefly when re-configuring monitors (e.g. plugging in an
> external monitor or changing screen resolution)
> * XRandR keystone support is buggy
>
> To remediate this, I've patched the Linux i915 driver and it has been
> working fine for months. Only the patch for Linux 4.19 has been tested.
>
> If anyone is affected by the issue, please feel free to test the
> follow-up patches and give some feedback here.

So, I can confirm the (fixed) 5.10 patch also improves the situation. Have you sent it upstream?

I do consider including it in our standard kernel package, but I'd like to see i915 driver maintainer opinion first.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20210111230303.GA1633%40mail-itl.
[qubes-users] Re: [PATCH v5.10] drm/i915/userptr: detect un-GUP-able pages early
const char *name, >const char *type, > diff --git a/drivers/gpu/drm/i915/i915_params.h > b/drivers/gpu/drm/i915/i915_params.h > index 330c03e2b4f7..1169a610a73c 100644 > --- a/drivers/gpu/drm/i915/i915_params.h > +++ b/drivers/gpu/drm/i915/i915_params.h > @@ -79,6 +79,7 @@ struct drm_printer; > param(bool, disable_display, false, 0400) \ > param(bool, verbose_state_checks, true, 0) \ > param(bool, nuclear_pageflip, false, 0400) \ > + param(bool, gem_userptr_prefault, true) \ param(bool, gem_userptr_prefault, true, 0600) > param(bool, enable_dp_mst, true, 0600) \ > param(bool, enable_gvt, false, 0400)

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20210110222307.GA1176%40mail-itl.
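Review bot: the added `param(bool, gem_userptr_prefault, true) \` entry has three arguments while every other `param()` entry in this hunk carries four (type, name, default, sysfs mode), so the macro invocation does not match the list it sits in; as the inline correction in this reply already states, it should read `param(bool, gem_userptr_prefault, true, 0600) \`, with the trailing backslash kept so the list continuation is preserved. Mode 0600 matches the neighbouring `enable_dp_mst` entry.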
Re: [qubes-users] Re: Please help test kernel 5.4 in anticipation of Qubes 4.0.4-rc2
On Sat, Nov 28, 2020 at 01:21:04PM +0100, donoban wrote:
> On 11/28/20 1:04 PM, donoban wrote:
> > Hi,
> >
> > I have some problems after just booting. There is an error at dom0 and
> > some VMs fail to start (others run fine).
>
> The VMs which failed were running PV mode, switching to PVH fixed them.

This seems to be: https://github.com/QubesOS/qubes-issues/issues/6052
So, it is related to the Linux kernel version, not really the Xen version.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20201128224249.GD17443%40mail-itl.
Re: [qubes-users] Re: Please help test kernel 5.4 in anticipation of Qubes 4.0.4-rc2
On Fri, Nov 27, 2020 at 11:41:12PM +0100, Ludovic Bellier wrote:
> On 27/11/2020 at 15:58, Andrew David Wong wrote:
> > The package is already available in current-testing. [3]
> >
> > [3] https://www.qubes-os.org/doc/testing/
> >
> Hi,
>
> I tried to install, but I think it doesn't install because I already
> installed kernel-latest (I need it for my ethernet card):
>
> [xxx@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing kernel

Try adding the `--action=update` option.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20201128224052.GC17443%40mail-itl.
[qubes-users] QSB #61 Information leak via power sidechannel (XSA-351)
Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #61: Information leak via power sidechannel (XSA-351). The text of this QSB is reproduced below. This QSB and its accompanying signatures will always be available in the Qubes Security Pack (qubes-secpack).

View QSB #61 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-061-2020.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:
https://www.qubes-os.org/security/pack/

View all past QSBs:
https://www.qubes-os.org/security/bulletins/

View XSA-351 in the XSA Tracker:
https://www.qubes-os.org/security/xsa/#351

```
             ---===[ Qubes Security Bulletin #61 ]===---

                             2020-11-10

         Information leak via power sidechannel (XSA-351)

Summary
========

On 2020-11-10, the Xen Security Team published Xen Security Advisory
351 (XSA-351) [1] with the following description:

| Researchers have demonstrated using software power/energy monitoring
| interfaces to create covert channels, and infer the operations/data used
| by other contexts within the system.
|
| Access to these interfaces should be restricted to privileged software,
| but it was found that Xen doesn't restrict access suitably, and the
| interfaces are accessible to all guests.
|
| For more information, see:
| https://platypusattack.com
| https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html
|
| An unprivileged guest administrator can sample platform power/energy
| data. This may be used to infer the operations/data used by other
| contexts within the system.
|
| The research demonstrates using this sidechannel to leak the AES keys
| used elsewhere in the system.

Patching
=========

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes 4.0:
  - Xen packages, version 4.8.5-26

  For Qubes 4.1:
  - Xen packages, version 4.14.0-7

The packages are to be installed in dom0 via the Qube Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.

Credits
========

See the original Xen Security Advisory.

References
===========

[1] https://xenbits.xen.org/xsa/advisory-351.html

--
The Qubes Security Team
https://www.qubes-os.org/security/
```

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20201112033921.GD38624%40mail-itl.
[qubes-users] QubesOS and 3mdeb "minisummit" 2020 - starting online today!
Hi,

This year we're doing a "minisummit" with 3mdeb in an online format. It is starting today; you can watch it live and ask questions, or watch the recordings later.

More details here:
https://blog.3mdeb.com/2020/2020-05-15-qubesos/

Links to the live stream are here:
https://twitter.com/3mdeb_com/status/1263068441319223296

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200520115159.GJ98582%40mail-itl.
Re: [qubes-users] Re: Fedora 30 approaching EOL, Fedora 31 TemplateVM available, Fedora 32 TemplateVM in testing
On Sun, May 03, 2020 at 08:57:52PM +0100, lik...@gmx.de wrote:
>
> > Fedora 32 TemplateVM in testing
> > ===
> >
> > For advanced users, a new Fedora 32 TemplateVM is currently available in
> > the `qubes-templates-itl-testing` repository for both Qubes 4.0 and 4.1.
> > We would greatly appreciate testing and feedback [6] from the community
> > regarding this template.
>
> What's the expectation for Fedora 32 to reside in testing templates before
> it's moved to official repos?
> I'm asking because it might be worth waiting for Fedora 32 before moving
> first to Fedora 31. This is of course only reasonable if it will be before
> EOL of Fedora 30.

You can track template testing here:
https://github.com/QubesOS/qubes-issues/issues/5761
(especially see the issues linked there)

Sadly, Python 3.8 in there breaks a few things (including updates via salt), so it may not be ready before Fedora 30 EOL.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200504011053.GA41017%40mail-itl.
Re: [qubes-users] AppVM won't start any application
On Thu, Apr 23, 2020 at 09:25:56PM +, 'bfgvusmcar' via qubes-users wrote:
> Hi, I am a new user and I'm very happy with the OS. I installed it a few days
> ago and I seem to have an issue. I would delete and re-create the qube but it
> could be a helpful opportunity for both me and you to debug some issue.
> I have a qube based on debian-10 fully updated. It didn't have any particular
> configuration, a bigger volume as I planned on using it more. Suddenly it
> won't start any program, not even the terminal.
> From /var/log/xen/console, it seems like the AppVM is starting:

(...)

> [.[0;1;31mFAILED.[0m] Failed to start .[0;1;39mFile System Check on
> /dev/xvdb.[0m.
> See 'systemctl status systemd-fsck@dev-xvdb.service' for details.

This does look like an issue. The xvdb device is the "private" volume, where /rw + /home live, so this is an important part. Try extracting more info about it from dom0:

    qvm-run -p -u root vm 'systemctl status systemd-fsck@dev-xvdb.service'

Check also the earlier entries, specifically the "Initialize and mount /rw and /home" service (some of its messages are marked mount-dirs.sh).

> A popup now appears (it wasn't appearing before): "Domain has failed to
> start: Snapshot origin LV vm-debian-10-root not found in Volume group
> qubes_dom0".

This on the other hand is about the "root" volume. But LVM setup happens before starting anything inside the VM; if this were the cause, you wouldn't get any output from the VM. Check the modification time on the log, to see if it's really about the latest try.

Can you start the debian-10 template itself? Or does it fail the same way?

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200426151505.GB29396%40mail-itl.
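The console-log triage the reply above describes (spot the failed unit in /var/log/xen/console, then have dom0 run `systemctl status` for it inside the VM), as an added example that is not part of the thread and not Qubes' own tooling. The log lines are constructed to mimic the quoted output, with real ESC bytes where the page shows "."; the VM name `work` is a placeholder, and the `qvm-run -p -u root` form is the one Marek suggests.

```python
import re

# CSI escape sequence: ESC '[' parameters final-byte. systemd colours its
# [FAILED]/[  OK  ] markers this way; in the log quoted on the page the ESC
# byte was rendered as '.', which is why it reads ".[0;1;31mFAILED.[0m".
ANSI_CSI = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")

# A systemd status line after colour stripping, e.g.
# "[FAILED] Failed to start File System Check on /dev/xvdb."
STATUS_LINE = re.compile(r"^\[\s*(OK|FAILED|DEPEND|TIME)\s*\]\s+(.*?)\.?$")

# systemd prints the exact follow-up command after a failure.
HINT_LINE = re.compile(r"See '(systemctl status [^']+)' for details\.")


def strip_ansi(text: str) -> str:
    """Remove terminal colour codes so the markers can be matched literally."""
    return ANSI_CSI.sub("", text)


def summarize_console_log(log: str) -> dict:
    """Collect non-OK status markers, the systemctl hints that accompany them,
    and any mount-dirs.sh messages (the /rw + /home setup script the reply
    points at) from a /var/log/xen/console capture."""
    problems, hints, mount_dirs = [], [], []
    for raw in log.splitlines():
        line = strip_ansi(raw).strip()
        m = STATUS_LINE.match(line)
        if m and m.group(1) != "OK":
            problems.append((m.group(1), m.group(2)))
        h = HINT_LINE.search(line)
        if h:
            hints.append(h.group(1))
        if "mount-dirs.sh" in line:
            mount_dirs.append(line)
    return {"problems": problems, "hints": hints, "mount_dirs": mount_dirs}


def dom0_command(vm: str, vm_command: str) -> str:
    """Wrap an in-VM command the way the reply suggests running it from dom0:
    -p passes the output through, -u root runs it as root inside the VM."""
    return f"qvm-run -p -u root {vm} '{vm_command}'"


# Constructed sample, not a real capture: one healthy unit, one mount-dirs.sh
# message, then the fsck failure quoted in the thread and its consequence.
SAMPLE_LOG = (
    "[\x1b[0;32m  OK  \x1b[0m] Started \x1b[0;1;39mQubes misc post-boot actions\x1b[0m.\n"
    "mount-dirs.sh[412]: private volume /dev/xvdb: running filesystem check\n"
    "[\x1b[0;1;31mFAILED\x1b[0m] Failed to start \x1b[0;1;39mFile System Check on /dev/xvdb\x1b[0m.\n"
    "See 'systemctl status systemd-fsck@dev-xvdb.service' for details.\n"
    "[\x1b[0;1;33mDEPEND\x1b[0m] Dependency failed for \x1b[0;1;39m/rw\x1b[0m.\n"
)

if __name__ == "__main__":
    report = summarize_console_log(SAMPLE_LOG)
    for status, what in report["problems"]:
        print(f"{status}: {what}")
    for hint in report["hints"]:
        # 'work' is a placeholder VM name
        print("from dom0 run:", dom0_command("work", hint))
    for line in report["mount_dirs"]:
        print("earlier entry:", line)
```

Feed it a real capture with `summarize_console_log(open("/var/log/xen/console/guest-<vm>.log").read())` from dom0; the hints it extracts are exactly the commands to hand to `dom0_command()`.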
Re: [EXT] Re: [qubes-users] Qubes Updater doesn't update
On Sat, Mar 28, 2020 at 12:57:55AM +0100, Ulrich Windl wrote:
> On 2020-03-21 20:39, Marek Marczykowski-Górecki wrote:
> ...
> > Sounds like https://github.com/QubesOS/qubes-issues/issues/5705
> > The fix is already in the current-testing repository, and will be uploaded
> > to current (aka stable) in a few days.
> ...
>
> Had the problem with whonix-gw-15 and whonix-ws-15 today (when no Dom0
> update was displayed). I decided to update both templates via Qubes Manager
> and then manually update Dom0 via command line.
> Should the problem be gone from now then?

Yes.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200328003025.GW18599%40mail-itl.
Re: [qubes-users] Qubes Updater doesn't update
On Fri, Mar 20, 2020 at 08:21:58PM +, 'trichel' via qubes-users wrote:
> Qubes 4.03
> Qubes updater runs normally without errors, but doesn't actually update
> *Debian* templates. Same problem with Whonix templates. *Fedora* templates
> get updated normally. No further details or error messages are provided by
> the Updater. Qubes Updater also doesn't notice any updates are available for
> Debian templates, resulting in outdated Templates without the user knowing.
>
> Updating Debian templates with the Qube Manager just works, but the problem
> persists.
>
> Maybe something bugging in my config, or has anybody experienced something
> similar? Any advice what to do?

Sounds like https://github.com/QubesOS/qubes-issues/issues/5705
The fix is already in the current-testing repository, and will be uploaded to current (aka stable) in a few days.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200321193936.GA29396%40mail-itl.
Re: [qubes-users] Re: [4.0] Intel Wi-Fi 6 AX200 adapter
On Fri, Mar 20, 2020 at 01:05:02AM +0100, Vít Šesták wrote:
> Hello,
>
> On March 20, 2020 12:33:31 AM GMT+01:00, "Marek Marczykowski-Górecki"
> wrote:
> > I didn't spot VT-d errors, but I'm not entirely sure if I've checked.
> > If they are there, this is something definitely worth looking into and
> > most likely an issue within iwlwifi driver (or the firmware). It could
> > be also worth trying booting Fedora 31 Live directly, but add
> > intel_iommu=on kernel option. If that would break it, it's a clear
> > indication that the issue is somewhere between firmware and the driver.
>
> I have tried to add this option, but it remained to work. Does it mean that
> the driver itself is OK and the issue is in Xen or stubdom?

Likely, but not surely. Some more ideas what could be wrong:

1. Some config space access is filtered and the driver doesn't cope with it.
2. Some extended PCIe feature that the driver/firmware assumes present is not implemented in PCI passthrough.
3. Bug in handling any of the supported PCIe features.
4. And there is still a possibility for a bug in the driver/firmware.

For the first hypothesis, I'd try enabling the permissive option (AFAIR it didn't help in itself), but then enable verbose logging in the pciback driver:

    echo 1 > /sys/module/xen_pciback/parameters/verbose_request

before starting sys-net. You'll get quite a lot of logs this way, and for understanding them fully, the PCI spec would be handy... But maybe there will be some less obscure clues, like messages about explicitly failing requests?

For the second hypothesis, I'd take lspci -vv of the device from both sys-net and dom0 (preferably at exactly the same time, during enabling the interface, but that's unrealistic). And compare.
There will definitely be some differences (more features visible in dom0), but what would be valuable is:
- comparing configuration of features visible in both places
- correlating missing features with the iwlwifi driver

It may also be useful to increase the iwlwifi log level (I see a 'debug' module option, which seems to be a bitmask).

For the third hypothesis, enable iwlwifi debugging and hope for more details. Decoding that firmware error would also be useful, but unlikely without firmware documentation or source code.

If everything above fails, I would thoroughly compare driver behavior on bare metal and in the VM. Start with the driver debug output and if still no clues, then log hardware interactions (may require modifying the driver) and compare them.

Some of the above ideas are quite extreme, and tedious to execute...

PS adding the list back.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200320010747.GB18599%40mail-itl.
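The second hypothesis above comes down to taking `lspci -vv` of the device in dom0 and in sys-net and comparing which PCI capabilities the passthrough actually exposes, and how the shared ones are configured. The following is an added example, not code from the thread or from Qubes: the two captures are constructed (not a real AX200 dump) and the parser assumes the usual `lspci -vv` layout, where each capability's detail lines are indented deeper than their `Capabilities:` header.

```python
import re

# A "Capabilities:" header line of lspci -vv output. The bracketed offset is
# captured but deliberately not compared: the VM sees a virtual config space
# and may report a capability at a different offset than dom0 does.
CAP_RE = re.compile(r"^\s*Capabilities: \[([0-9a-f]+)(?: v\d+)?\] (.*)$")


def cap_key(desc: str) -> str:
    """Reduce a capability description to its name: 'MSI: Enable+ ...' -> 'MSI',
    'Express (v2) Endpoint, MSI 00' -> 'Express'."""
    return re.split(r"[:(,]", desc)[0].strip()


def parse_lspci_caps(text: str) -> dict:
    """Map capability name -> [header description, detail line, ...].
    Detail lines are recognised by being indented deeper than their header."""
    caps, current, cap_indent = {}, None, 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if line == "Capabilities: <access denied>":
            # Unprivileged lspci hides the list; comparing would then report
            # every capability as missing, so fail loudly instead.
            raise ValueError("capabilities hidden; run lspci -vv as root")
        m = CAP_RE.match(raw)
        if m:
            base = cap_key(m.group(2))
            key, n = base, 2
            while key in caps:            # a type can repeat (e.g. vendor-specific)
                key, n = f"{base} #{n}", n + 1
            caps[key] = [m.group(2)]
            current, cap_indent = key, indent
        elif current is not None and indent > cap_indent:
            caps[current].append(line)
        else:
            current = None                # back to a top-level field
    return caps


def compare_captures(dom0_text: str, vm_text: str) -> dict:
    """Report capabilities missing in the VM, unexpected in the VM, and
    present in both but with differing header or detail lines."""
    dom0, vm = parse_lspci_caps(dom0_text), parse_lspci_caps(vm_text)
    differing = {}
    for key in sorted(dom0.keys() & vm.keys()):
        dom0_only = [l for l in dom0[key] if l not in vm[key]]
        vm_only = [l for l in vm[key] if l not in dom0[key]]
        if dom0_only or vm_only:
            differing[key] = {"dom0_only": dom0_only, "vm_only": vm_only}
    return {
        "missing_in_vm": sorted(dom0.keys() - vm.keys()),
        "extra_in_vm": sorted(vm.keys() - dom0.keys()),
        "differing": differing,
    }


# Constructed captures (not real dumps): the VM copy lacks the two extended
# capabilities at offsets >= 0x100 and shows MSI not yet enabled.
DOM0_LSPCI = """\
00:14.3 Network controller: Intel Corporation Wi-Fi 6 AX200 (rev 1a)
\tSubsystem: Intel Corporation Wi-Fi 6 AX200NGW
\tCapabilities: [c8] Power Management version 3
\t\tFlags: PMEClk- DSI+ D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+)
\tCapabilities: [d0] MSI: Enable+ Count=1/1 Maskable- 64bit+
\t\tAddress: 00000000fee00000  Data: 0000
\tCapabilities: [40] Express (v2) Endpoint, MSI 00
\t\tDevCap:\tMaxPayload 128 bytes, PhantFunc 0, Latency L0s <512ns, L1 <64us
\t\t\tExtTag- AttnBtn- AttnInd- PwrInd- RBE+ FLReset+ SlotPowerLimit 0.000W
\t\tLnkCap:\tPort #0, Speed 5GT/s, Width x1, ASPM L1, Exit Latency L1 <8us
\tCapabilities: [80] MSI-X: Enable+ Count=16 Masked-
\t\tVector table: BAR=0 offset=00002000
\tCapabilities: [100 v1] Latency Tolerance Reporting
\t\tMax snoop latency: 0ns
\tCapabilities: [14c v1] L1 PM Substates
\t\tL1SubCap: PCI-PM_L1.2+ PCI-PM_L1.1+ ASPM_L1.2+ ASPM_L1.1+ L1_PM_Substates+
\tKernel driver in use: iwlwifi
"""

VM_LSPCI = """\
00:07.0 Network controller: Intel Corporation Wi-Fi 6 AX200 (rev 1a)
\tSubsystem: Intel Corporation Wi-Fi 6 AX200NGW
\tCapabilities: [c8] Power Management version 3
\t\tFlags: PMEClk- DSI+ D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+)
\tCapabilities: [d0] MSI: Enable- Count=1/1 Maskable- 64bit+
\t\tAddress: 0000000000000000  Data: 0000
\tCapabilities: [40] Express (v2) Endpoint, MSI 00
\t\tDevCap:\tMaxPayload 128 bytes, PhantFunc 0, Latency L0s <512ns, L1 <64us
\t\t\tExtTag- AttnBtn- AttnInd- PwrInd- RBE+ FLReset+ SlotPowerLimit 0.000W
\t\tLnkCap:\tPort #0, Speed 5GT/s, Width x1, ASPM L1, Exit Latency L1 <8us
\tCapabilities: [80] MSI-X: Enable+ Count=16 Masked-
\t\tVector table: BAR=0 offset=00002000
\tKernel driver in use: iwlwifi
"""

if __name__ == "__main__":
    report = compare_captures(DOM0_LSPCI, VM_LSPCI)
    print("missing in VM:", report["missing_in_vm"])
    print("extra in VM:  ", report["extra_in_vm"])
    for name, diff in report["differing"].items():
        print(f"{name}: dom0 {diff['dom0_only']} vs VM {diff['vm_only']}")
```

On a real system, save `lspci -vv -s <bdf>` output as root in dom0 and in sys-net and pass the two file contents to `compare_captures()`. The BDF, BAR addresses and capability offsets legitimately differ between the two views, which is why the parser keys on the capability name and ignores top-level fields; the "missing in VM" list is what to correlate against the iwlwifi driver, as the reply suggests.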
Re: [qubes-users] Re: [4.0] Intel Wi-Fi 6 AX200 adapter
On Thu, Mar 19, 2020 at 11:41:55PM +0200, 'Ilpo Järvinen' via qubes-users wrote:
> On Thu, 19 Mar 2020, Vít Šesták wrote:
>
> > Hello,
> > I have some interesting updates. I have tried to:
> >
> > a. Boot Fedora 31 on the laptop (Live version from USB drive) – adapter is
> > detected and finds Wi-Fi networks. It just works.
> > b. Boot Fedora 31 Live (from the same USB drive) in a HVM with attached
> > Wi-Fi card. It had 2000MiB of RAM. It fails in the same way as my previous
> > attempts, not sure why.
> >
> > This looks like the AppVM is fine, but there is some glitch in the PCI
> > handling. It might be related to Xen or to the DM, not sure.
> >
> > HVM: https://gist.github.com/v6ak/76f2c089c63b1fe184f3717d5bd5254e
> > sys-net with Fedora 31:
> > https://gist.github.com/v6ak/30ecc502d1ce7508953eb3d505564668
> >
> > I have also resolved the chicken-egg problem – I can connect to the Internet
> > via USB. This is not a permanent solution, but it was good enough for
> > updating dom0. However, the update (+ subsequent reboot) has not changed
> > anything.
>
> One option would be to compile a kernel with CONFIG_IWLWIFI_TRACING (or
> something like that) and try to provide the trace log to iwlwifi devs.
> ...It might not help though if it's not a HW/driver issue but a xen/dm/pci
> related thing.

I've seen a very similar thing recently, not sure if exactly the same, but
it's very likely. Sad news is neither me nor Paweł managed to fix it yet.
Things we've tried:
- various kernel versions (including 5.5 and 5.4)
- different firmware versions (apparently the driver tries to load versions
  so new that they are nowhere to be found yet)
- various options like permissive mode

I didn't spot VT-d errors, but I'm not entirely sure if I've checked. If
they are there, this is something definitely worth looking into and most
likely an issue within iwlwifi driver (or the firmware). It could be also
worth trying booting Fedora 31 Live directly, but add intel_iommu=on kernel
option. If that would break it, it's a clear indication that the issue is
somewhere between firmware and the driver.

>> 1. Problem: Domain sys-net did not boot at all because of issues with
>> attaching ethernet PCI device.

Is it a Realtek card? I don't remember exactly what helped, but something
helped here. Paweł, can you help? It was either attaching SD card reader
(which is another function on the same PCI device) to the sys-net, or
enabling no-strict-reset option (or maybe permissive?).

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2020031921.GB19117%40mail-itl.
Re: [qubes-users] Another Intel vulnerability
On Wed, Mar 11, 2020 at 04:05:03PM +0800, Sandy Harris wrote:
> https://techxplore.com/news/2020-03-unfixable-flaw-intel-chipset.html

As with many other firmware-level vulnerabilities, this can't be exploited
on Qubes, because no VM can talk to that firmware directly in the first
place.

But the issue is deeper, as the issue isn't only about OS layer, but keys
embedded inside the CPU. If those keys are leaked, many CPU crypto features
become useless. The exact list isn't clear to me, but it may apply to:
- fTPM (not used in Qubes),
- SGX (not used in Qubes),
- microcode verification (used in Qubes, but inaccessible to VM),
- ME/FSP/other firmware verification (used by platform, before Qubes is
  loaded, but may affect system runtime)

There are some rumors that some of the keys may not be unique to a specific
CPU, but shared across CPU family - in that case, a key extracted from one
CPU may be used to prepare malware for other systems with the same CPU
family.

In any case, it looks like even if some of the keys are leaked using this
vulnerability, the attacker would need physical access (or break into dom0)
to attack Qubes, as relevant interfaces are not available from within a VM.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200312140040.GA19117%40mail-itl.
Re: [qubes-users] Is Qubes Split GPG safe?
On Thu, Feb 13, 2020 at 10:05:21PM +0100, Frédéric Pierret wrote:
>
> On 2020-02-13 20:37, Claudio Chinicz wrote:
> > Hi Frédéric,
> >
> > Thanks, I've managed to install claws-mail on my Fedora template. The
> > problem is that Claws-mail does not support OAuth2 (Google) authentication,
> > just like Kmail.
>
> You're welcome.
>
> >
> > Evolution does support OAuth2 authentication but instead of Gnupg it
> > supports Open PGP,

I think you're confusing two unrelated things. OAuth2 has nothing to do
with email encryption. Also, just to clear terminology, GnuPG/GPG is an
implementation of the OpenPGP standard, so _in theory_ it is the same.
From what I see, Evolution does use GnuPG under the hood.

> > the same standard that TB 79 will support, replacing Enigmail.
> >
> > Would Open PGP support/integrate with Qubes Split GPG?
>
> I CC Marek to this question as I know there is some new version of it but I
> don't know what's inside.

Thanks for bringing this to our attention. For reference, this is about
https://wiki.mozilla.org/Thunderbird:OpenPGP:2020

From my reading of this page, it sounds like a DISASTER in terms of
existing pgp encrypted emails support in Thunderbird, but also in terms of
extensibility of Thunderbird (severe limitation of addons, if not removing
them completely). One of the key features of Thunderbird is its flexibility
thanks to addons...

So, it looks like they have decided to use a completely different
implementation (or even writing their own) of the OpenPGP standard, instead
of using the well-established standard of GnuPG. They already acknowledge it
will most likely lead to many interoperability issues and they accept it at
the design level. Life shows that if you already know it will be bad at the
design level, in practice it will be even worse!

But also an important aspect is the key storage. Anyone serious about
security knows that keys should be stored isolated. Those not lucky enough
to use Qubes can use smart cards for that. And according to the FAQ on that
page, new Thunderbird won't support smart cards! And in the shape presented
on that page, it looks like there won't be a way to plug split gpg in either!

As a side note, I do think that even though GnuPG is a well established
standard, its quality isn't very high and steps to break its monopoly in
OpenPGP implementations are a good thing. But it should be done in an
incremental, compatible way, not a "break everything" approach.

Another side note, or rather a hint for Thunderbird developers: modern gpg
consists in reality of multiple parts running as separate processes. One of
them is gpg-agent, responsible for accessing private keys (either local or on
a smart card) and nothing else. gpg-agent also has a simple, (kind of)
documented protocol. If they still want to break everything, they could at
least consider support for using the existing gpg-agent available in the
system. This won't solve interoperability issues, but at least will allow
people to keep their keys secured on smart cards or with the (upcoming new
version of) split gpg.

The only good side of this I see is having PGP support in Thunderbird out of
the box without requiring an addon - meaning probably more people will use
it.

BTW we need to verify whether this major breakage of Thunderbird addons
won't break other Qubes features too - namely opening attachments in
DisposableVM, which is also done using an addon.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200214120504.GE18599%40mail-itl.
Re: [qubes-users] Re: R4 system requirements; AMD compatibility?
On Sun, Feb 09, 2020 at 09:28:13AM -0800, brendan.h...@gmail.com wrote:
> On Sunday, February 9, 2020 at 5:25:56 PM UTC, brend...@gmail.com wrote:
> >
> > Has anyone tried utilizing the xen command line options to mask bits in
> > the cpuid, in particular section 1.2.35 cpuid_mask_ecx)?
> >
> > The man page below says that "Settings applied here take effect globally,
> > including for Xen and all guests." This *might* mean it is applied *before*
> > the resume from sleep CPU bit checks (but I'm not promising anything, as I
> > have not traced through the source). And also "*Warning: This option is
> > not fully effective on Family 15h processors or later.*"
>
> Just noticed that the warning applies only to 1.2.34, which is AMD-only,
> apparently. Unclear to me if the other items 1.2.35 and higher, which are
> for "x86", apply only to intel or to all x86 architecture.

I may be missing it in this thread, but has anybody tried Qubes 4.1 builds
(with Xen 4.13) on such a system? Does it have the same issue?

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200209205248.GD29736%40mail-itl.
Re: [qubes-users] Re: R4 system requirements; AMD compatibility?
On Fri, Feb 07, 2020 at 02:13:56PM -0800, brendan.h...@gmail.com wrote:
> On Friday, February 7, 2020 at 9:35:25 PM UTC, zach...@gmail.com wrote:
> >
> > I preemptively submitted this PR to see what the Qubes team thinks.
> > https://github.com/QubesOS/qubes-vmm-xen/pull/70
> >
> > I agree it probably should be fixed upstream, although I've seen the Qubes
> > team make exceptions and apply their own changes. Upstream would probably
> > take a huge amount of time to get merged and tested. I'm not a developer
> > though so I'm sure you could explain the issue better than I. If you do
> > mention it, CC me as well! I like the CLI argument idea, that's probably a
> > much cleaner way of doing it and defaulting it to true. That way users
> > could disable it if needed due to hardware screw-ups.
>
> Marek is somewhat active on xen-devel. Submitting the PR to Qubes is
> probably as good a place to start the (github) discussion I suppose.
>
> I expect Claudia is correct that it's really a Xen defect to address,
> either with a flag to disable the check, or security/stability focused
> checks only.
>
> Xen might point upwards again, of course, and tell AMD to fix their
> microcode or manufacturers their BIOSes...
>
> ...but if a disable flag could be added (--yes_i_know_what_im_doing caveat,
> of course) that'd be a good short term workaround for the larger Qubes user
> base that is less likely to be able to figure out how to get a build
> working and rpm applied and keep up to date with upstream.

(continuing discussion from the above PR)

The patch as it is, is not acceptable, as it may introduce security and/or
stability issues on some machines. Xen (and Linux too) assumes what CPU
features it can use based on CPUID flags. If those change during system
runtime (including suspend/resume) some instructions or control registers
may no longer be valid (->crash) or safe to use (->security issue).

If that's just about microcode updates, that's probably a BIOS bug - if it
applies a microcode update on system startup, it should do the same on
system resume too. Anyway it's worth trying updating the linux-firmware
package, which carries microcode updates for AMD. This should make Xen apply
microcode updates too - before checking those flags. I've just uploaded an
updated version of the package to the current-testing repository (both R4.0
and R4.1).

If that's about something else, then fixing it would require finding what
exactly is changing (and preferably also why). And only then find how to
mitigate this issue. If specific flags would turn out to be not related to
security features or otherwise having unwanted effects, then ignoring those
changes would be an option. But ignoring _only those flags verified to be
safe to ignore_, not all of them.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200209020855.GC29736%40mail-itl.
Re: [qubes-users] Re: Qubes OS 4.0.2 has been released!
On Wed, Jan 08, 2020 at 06:07:01AM -0800, fiftyfourthparal...@gmail.com wrote:
> Hi Andrew,
>
> I installed 4.0.2 on my Dell Inspiron 5593 without new issues.
>
> The answer to the following question seems to have been implied in earlier
> responses, but I'd just like an explicit clarification: Can the "critical
> kernel bug" affect my security in any way?

No, it doesn't affect security. It simply crashes (and reboots). If it
works on your particular hardware, then you're lucky and should be safe to
continue using it.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20200110011649.GA29736%40mail-itl.
[qubes-users] QSB #56: Insufficient anti-spoofing firewall rules
):

  $ sudo dnf update

  For updates to Fedora from the security-testing repository:
  $ sudo dnf update --enablerepo=qubes-vm-*-security-testing

  For updates to Debian from the stable repository (not immediately
  available):
  $ sudo apt update && sudo apt dist-upgrade

  For updates to Debian from the security-testing repository:
  First, uncomment the line below "Qubes security updates testing
  repository" in:
  /etc/apt/sources.list.d/qubes-r*.list
  Then:
  $ sudo apt update && sudo apt dist-upgrade

A restart is required for these changes to take effect. This entails
shutting down the TemplateVM before restarting all the TemplateBasedVMs
based on that TemplateVM.

These packages will migrate from the security-testing repositories to their
respective current (stable) repositories over the next two weeks after being
tested by the community.

Credits
========

The issue was reported by Demi Marie Obenour.

References
===========

[1] https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes
[2] https://nvd.nist.gov/vuln/detail/CVE-2019-14899

--
The Qubes Security Team
https://www.qubes-os.org/security/
```

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191225171448.GA11736%40mail-itl.
[qubes-users] QSB #55: Issues with PV type change and handling IOMMU on AMD (XSA-310, XSA-311)
Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #055: Issues with PV
type change and handling IOMMU on AMD (XSA-310, XSA-311). The text of this
QSB is reproduced below. This QSB and its accompanying signatures will
always be available in the Qubes Security Pack (qubes-secpack).

View QSB #055 in the qubes-secpack:
https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-055-2019.txt

Learn about the qubes-secpack, including how to obtain, verify, and read it:
https://www.qubes-os.org/security/pack/

View all past QSBs:
https://www.qubes-os.org/security/bulletins/

View the Xen Security Advisory (XSA) Tracker:
https://www.qubes-os.org/security/xsa/

```
             ---===[ Qubes Security Bulletin #55 ]===---

                             2019-12-11

  Issues with PV type change and handling IOMMU on AMD (XSA-310, XSA-311)

Summary
========

On 2019-12-11, the Xen Security Team published the following Xen Security
Advisories (XSAs):

XSA-310 (CVE-2019-19580) [1] Further issues with restartable PV type change
operations:

| XSA-299 addressed several critical issues in restartable PV type
| change operations. Despite extensive testing and auditing, some
| corner cases were missed.
|
| A malicious PV guest administrator may be able to escalate their
| privilege to that of the host.

XSA-311 (CVE-2019-19577) [2] Bugs in dynamic height handling for AMD IOMMU
pagetables:

| When running on AMD systems with an IOMMU, Xen attempted to
| dynamically adapt the number of levels of pagetables (the pagetable
| height) in the IOMMU according to the guest's address space size. The
| code to select and update the height had several bugs.
|
| Notably, the update was done without taking a lock which is necessary
| for safe operation.
|
| A malicious guest administrator can cause Xen to access data
| structures while they are being modified, causing Xen to crash.
| Privilege escalation is thought to be very difficult but cannot be
| ruled out.
|
| Additionally, there is a potential memory leak of 4kb per guest boot,
| under memory pressure.

Impact
=======

XSA-310 applies only to PV domains. Most of the domains in Qubes 4.0 are PVH
or HVM domains and are therefore not affected by XSA-310. However, PV
domains are still supported in Qubes 4.0, and they are specifically used to
host Qemu-instance-supporting HVM domains. In the default Qubes 4.0 setup,
several attacks would have to be chained together in order to exploit this
vulnerability. Specifically, an attacker would have to:

1. Take control of an HVM domain, e.g., sys-usb, sys-net, or a user-created
   HVM domain. (Most user domains are PVH and are therefore not affected.)
2. Successfully attack a Qemu instance running in an associated PV
   stubdomain.
3. Finally, find some way to exploit the vulnerability described in
   XSA-310.

Moreover, since this vulnerability is a race condition, it is an unreliable
attack vector in real-world scenarios.

XSA-311 affects only systems running on AMD hardware and also is thought to
be very hard to exploit. But since it can't be ruled out completely, we
recommend applying updates nevertheless.

Patching
=========

The specific packages that resolve the problems discussed in this bulletin
are as follows:

  For Qubes 4.0:
  - Xen packages, version 4.8.5-14

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested by
the community.

If you use Anti Evil Maid, you will need to reseal your secret passphrase to
new PCR values, as PCR18+19 will change due to the new Xen binaries.

Credits
========

See the original Xen Security Advisory.

References
===========

[1] https://xenbits.xen.org/xsa/advisory-310.html
[2] https://xenbits.xen.org/xsa/advisory-311.html

--
The Qubes Security Team
https://www.qubes-os.org/security/
```

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
Re: [qubes-users] 2 new Intel vulnerabilites
On Thu, Nov 14, 2019 at 10:37:33AM -0800, Lorenzo Lamas wrote:
> Btw, do you think it is possible for Qubes to distribute the Intel
> fTPM(http://tpm.fail/) update somehow like Qubes does with microcodes?

I don't think it's directly possible, this part of the system firmware is
specific to particular device configuration (bundled together with the rest
of BIOS/UEFI), not only CPU. A quote from Intel advisory:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00241.html

| Intel recommends that users of Intel® CSME, Intel® SPS, Intel® TXE,
| Intel® AMT and Intel® DAL update to the latest version provided by the
| system manufacturer that addresses these issues.

There could be a way to ease updating system firmware by integrating fwupd,
but it isn't done yet:
https://github.com/QubesOS/qubes-issues/issues/4855

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191115205412.GB4164%40mail-itl.
[qubes-users] QSB #52: Xen issues affecting PCI passthrough and PV domains (XSA-299, XSA-302)
perform a DMA attack in this window of opportunity during system startup,
the attacker could still compromise the system, even with the XSA-302
patches applied.

In practice, this means that devices containing internal writable firmware
or configuration storage are worse for system security than those that have
read-only storage and require firmware to be loaded externally by a driver.
Many people consider devices that require loading "firmware blobs" to be
less freedom-friendly, but the effect on system trustworthiness is exactly
the opposite. Such devices are actually more trustworthy than those that
have (possibly mutable) firmware stored internally. In addition, it's easier
to reason about the firmware when it is accessible to the user. Even if the
firmware is in a binary form, it is at least possible to verify its
authenticity and that it wasn't modified maliciously to target your specific
device (e.g., by comparing hashes against a public database). Naturally, a
device with open-source firmware (still loaded externally) would be even
better. In the vast majority of cases, however, a device that doesn't
require loading external firmware actually still has such firmware -- it's
just hidden inside and impossible to attest.

Patching
=========

The specific packages that resolve the problems discussed in this bulletin
are as follows:

  For Qubes OS 4.0:
  - Xen packages version 4.8.5-11

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested by
the community.

If you use Anti Evil Maid, you will need to reseal your secret passphrase to
new PCR values, as PCR18+19 will change due to the new Xen binaries.

Credits
========

See the original Xen Security Advisories.

References
===========

[1] https://xenbits.xen.org/xsa/advisory-299.html
[2] https://xenbits.xen.org/xsa/advisory-302.html

--
The Qubes Security Team
https://www.qubes-os.org/security/
```

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191031161258.GX1410%40mail-itl.
Re: [qubes-users] Safe to switch default-mgmt-dvm TemplateVM from Fedora 29 to Fedora 30?
On Tue, Oct 15, 2019 at 02:39:56PM -0700, 'Heinrich Ulbricht' via qubes-users wrote:
> I want to switch the template for all my Fedora 29 AppVMs to Fedora 30.
>
> In the process I learned about *default-mgmt-dvm* which is currently based
> on Fedora 29. Is it safe to simply switch the template to a (stock+updates)
> Fedora 30 template?
>
> This issue <https://github.com/QubesOS/qubes-issues/issues/5181> suggests
> there might still be problems.
> This answer
> <https://groups.google.com/d/msg/qubes-users/WMSowoOgfIA/dXA8tco-CAAJ>
> suggests it is indeed as simple as switching the template.
> This thread
> <https://groups.google.com/forum/#!msg/qubes-users/qf4zN6SFe18/rr6rclqoCAAJ>
> has never been answered but covers basically the same topic (switching to
> Fedora 29).
>
> Should I just switch or rather not touch it?

Yes, it's OK and even desirable to switch. It should be based on a stock
template without less trusted repositories and software installed.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20191016121227.GA4164%40mail-itl.
[qubes-users] QSB #51: Insufficient validation of backup compression filter on restore
`qvm-backup-restore` or when the "Verify backup integrity, do not
restore the data" option is selected in the "Restore qubes" GUI tool.

Patching
=========

Note: Patching is not sufficient to recover from a compromised state.
If you suspect you may have restored a malicious backup, see the next
section for details and recommendations.

The specific package that resolves the problems discussed in this
bulletin is as follows:

  For Qubes 4.0:
  - qubes-core-admin-client version 4.0.27

The packages are to be installed in dom0 via the Qubes VM Manager or
via the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

These packages will migrate from the security-testing repository to
the current (stable) repository over the next two weeks after being
tested by the community.

Securely Restoring from Backups
================================

The safest way to restore from a backup is to do the actual backup
processing outside dom0.

1. Install the `qubes-core-admin-client` package in a domU.
2. Authorize the appropriate qrexec policies in the domU:
   - admin.vm.Create.AppVM
   - admin.vm.Create.TemplateVM
   - admin.vm.Create.StandaloneVM
   - include/admin-local-rwx
   - include/admin-global-ro
3. Use `qvm-backup-restore` in the domU.

In a subsequent update, the above procedure will be automated with a
new `qvm-backup-restore --paranoid-mode` option. See "Compromise
recovery in Qubes OS" for details about how to use this mode. [2]

Indicators of Compromise
=========================

It is possible to manually inspect the header of a backup to observe
whether the vulnerability has been exploited. To do so, inspect the
backup as follows:

1. Verify the backup header integrity according to the "emergency
   backup restore without Qubes" instructions for your backup. These
   vary depending on the age of the backup, as the format has changed
   over time. [3][4][5][6]

2. Check the "compressed" and "compression-filter" header fields for
   anything anomalous. For example, you may see something like the
   following:

   $ tar -ivxf qubes-2019-08-06T121200 backup-header{,.hmac}
   backup-header
   backup-header.hmac
   $ scrypt dec backup-header.hmac backup-header.ok
   Please enter passphrase: backup-header!
   $ cmp backup-header.ok backup-header && echo ok || echo wrong
   ok
   $ grep -E '^(compressed|compression-filter)=' backup-header | cat -v
   compressed=True
   compression-filter=gzip

   If you see anything other than `True` and a legitimate compression
   filter like `gzip` or `bzip2`, this may be a reason for suspicion.

It is worth noting, however, that depending on how a malicious backup
has been stored and/or transferred to the machine on which it is
restored -- and depending on the sophistication of an attacker -- a
previously malicious backup may have self-modified to appear benign
after the fact as part of its exploit payload. Therefore, this should
not be considered an infallible way to detect malicious backups.
Storing the backup exclusively on immutable media throughout this
process can provide further assurance. The possibility of other
similar vulnerabilities cannot be completely ruled out, so restoring
backups in a deprivileged manner (outside dom0, as described in the
previous section) is still recommended.

Credits
========

This issue was discovered and reported by Jean-Philippe Ouellet, who
also provided a fix, a PoC exploit, helped with mitigations for this
general class of issue in the future, and wrote the initial draft of
this advisory.

References
===========

[1] https://github.com/QubesOS/qubes-core-admin/commit/0cd8281ac10ee06f4b2fce9f86e27eb25292bc25
[2] https://www.qubes-os.org/news/2017/04/26/qubes-compromise-recovery/
[3] https://www.qubes-os.org/doc/backup-restore/
[4] https://www.qubes-os.org/doc/backup-emergency-restore-v4/
[5] https://www.qubes-os.org/doc/backup-emergency-restore-v3/
[6] https://www.qubes-os.org/doc/backup-emergency-restore-v2/

--
The Qubes Security Team
https://www.qubes-os.org/security/
```

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
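A script for step 2 of the "Indicators of Compromise" section above, written as an added example (it is not part of QSB #51 or of Qubes' own backup tooling): it reads an already integrity-verified backup-header, flags duplicate keys, unexpected `compressed` values and any `compression-filter` that is not a bare name from an allowlist, and shows the offending value through `cat -v` as the QSB does. The allowlist (gzip, bzip2) and the sample header files it writes are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of QSB #51 or of Qubes' own backup tooling.
# Automates step 2 of the "Indicators of Compromise" section: once the
# backup-header has been extracted and its integrity verified (step 1),
# look at the compression fields for anything that is not a plain,
# expected value.

# Filters treated as legitimate. The QSB names gzip and bzip2; the list
# is an assumption, adjust it to whatever your own backups use.
ALLOWED_FILTERS="gzip bzip2"

# header_value FILE KEY
# Prints the value of the first "KEY=..." line in FILE (empty if absent).
header_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_backup_header FILE
# Returns 0 when the compression fields look benign, 1 otherwise, and
# prints one line per finding with control characters made visible
# (cat -v), as in the QSB's grep example.
check_backup_header() {
    hdr=$1
    status=0

    # A key that appears twice is suspicious by itself: a parser taking
    # the last occurrence and a human reading the first would disagree
    # about what the header says.
    for key in compressed compression-filter; do
        n=$(grep -c "^$key=" "$hdr" || true)
        if [ "$n" -gt 1 ]; then
            echo "suspicious: '$key' appears $n times"
            status=1
        fi
    done

    compressed=$(header_value "$hdr" compressed)
    filter=$(header_value "$hdr" compression-filter)

    case "$compressed" in
        True|False) ;;
        *)
            echo "suspicious: compressed='$(printf %s "$compressed" | cat -v)'"
            status=1
            ;;
    esac

    # An uncompressed backup needs no filter at all.
    if [ "$compressed" = False ] && [ -z "$filter" ]; then
        return $status
    fi

    # Anything beyond a bare filter name from the allowlist (a space, a
    # shell metacharacter, a control byte, an unknown program name) is
    # exactly what the QSB says should raise suspicion.
    case " $ALLOWED_FILTERS " in
        *" $filter "*) ;;
        *)
            echo "suspicious: compression-filter='$(printf %s "$filter" | cat -v)'"
            status=1
            ;;
    esac
    return $status
}

# write_sample_headers DIR
# Writes two constructed header files (not taken from real backups):
# DIR/benign, matching the QSB's example output, and DIR/tampered, whose
# compression-filter carries extra text after the filter name.
write_sample_headers() {
    printf '%s\n' 'version=4' 'encrypted=True' 'compressed=True' \
        'compression-filter=gzip' 'hmac-algorithm=SHA512' > "$1/benign"
    printf '%s\n' 'version=4' 'encrypted=True' 'compressed=True' \
        'compression-filter=gzip; echo tampered' 'hmac-algorithm=SHA512' \
        > "$1/tampered"
}

# Stand-alone run over the constructed samples.
samples=$(mktemp -d)
write_sample_headers "$samples"
for name in benign tampered; do
    if check_backup_header "$samples/$name"; then
        echo "$name: compression fields look benign"
    else
        echo "$name: SUSPICIOUS, do not restore in dom0"
    fi
done
rm -rf "$samples"
```

Run `check_backup_header /path/to/backup-header` on the header you verified in step 1; a non-zero exit status is a reason to restore only in a deprivileged domU, as the previous section recommends.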
Re: [qubes-users] Moving Qubes+VMs to Larger SSD - How to Handle Storage Pools on Other Disks?
On Sun, Sep 08, 2019 at 07:16:34PM -0500, Andrew David Wong wrote:
> On 07/09/2019 3.28 PM, 'Heinrich Ulbricht' via qubes-users wrote:
> > Here is an update on how my migration from SSD_small to SSD_big is going so
> > far.
> >
> > Just as a reminder this is the challenge I face:
> > * dom0 SSD has 100 GB capacity, ~10% of this is free (that's why I want to
> > migrate to a new SSD)
> > * external storage pool 1 has 1 TB storage, AppVM *1* with < 500 GB private
> > storage in use
> > * external storage pool 2 has 1 TB storage, AppVM *2* with > 500 GB private
> > storage in use
> > * I want to migrate everything via backup+restore to new disks/pools
> >
> > *Here is what worked*
> > * backing up App VMs from all 3 pools using built-in backup mechanisms (UI)
> > - cool
> >
> > *Here is what did not work*
> > * *verifying* the huge (400-700 GB) backups *did not work* since this
> > filled up my dom0 pretty fast and then failed -> this is the reason why I
> > resorted to what Andrew wrote: having the original still in place while
> > restoring to different disks, not overwriting anything, just in case
> > restoring fails
> > * *restoring* the huge (400-700 GB) backups *did not work* since this
> > filled up my dom0 pretty fast and then failed -> this is exactly like
> > donoban wrote; I managed to work around this for AppVM *1*, NOT for AppVM
> > *2* (yet)
> >
> > To restore AppVM *1* (< 500 GB) I modified *restore.py
> > <https://github.com/QubesOS/qubes-core-admin-client/blob/9158412a24da300e4c54346ccb54fce1e748500f/qubesadmin/backup/restore.py#L858>*
> >
> > to restore to another location than */var/tmp*. The easiest for me was to
> > create a new (temporary) AppVM in my new 1 TB external storage pool *1*, to
> > increase its private storage to 500 GB, to mount its private volume to dom0
> > and to use this path as temporary location in *restore.py*. So I was using
> > my 1 TB disk both as restore target and temporary location for backup
> > extraction. I was lucky - the pool filled up to 99.8% and the restore
> > succeeded. So currently it seems you need double the amount of storage your
> > to-be-restored AppVM consumes to restore the AppVM.
> >
> > Now there is one challenge left. I have to restore AppVM *2* which is about
> > 700 GB. To my current knowledge I would now need to have twice this amount
> > to restore - which currently I don't have. This is why I'd like to somehow
> > slow down the extraction. donoban mentioned this is possible. I had a look
> > at restore.py
> > <https://github.com/QubesOS/qubes-core-admin-client/blob/master/qubesadmin/backup/restore.py>
> >
> > but honestly have no idea where to start. I also currently don't know how
> > the different extraction processes interact and how the backup is
> > structured.
> >
> > Can anybody suggest a modification (or hack, however dirty - it's meant to
> > be temporary) to restore.py so it won't need 700 GB of additional temporary
> > storage when I try to restore my 700 GB AppVM?
> >
> > Thanks for all your input so far. Knowing that dom0 could fill up certainly
> > saved me some hours of questioning life.
> >
>
> Sorry to hear about the problems. I'm surprised about dom0 filling up. I
> thought we had solved this problem a long time ago. I remember running
> into the same problem years ago, and I thought we had subsequently
> moved to restoring in smaller chunks so that only a small amount of
> temporary storage in dom0 is required when restoring.
>
> Is this not the case, Marek?

It's this issue: https://github.com/QubesOS/qubes-issues/issues/4791

In fact, I do have part of the fix already implemented. Hopefully will
have the other part finished this week.

In the meantime, you can try some naive methods of slowing down the
extraction process, for example by attaching strace to it
(`strace -p $(pidof qfile-dom0-unpacker)`), or pausing it from time to
time by sending SIGSTOP signal (and then SIGCONT to unpause). You can do
it in a loop like this:

    pid=$(pidof qfile-dom0-unpacker)
    # pause for 30s, then let it run for a few seconds before pausing again
    while kill -STOP $pid; do sleep 30; kill -CONT $pid; sleep 5; done

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
[qubes-users] Re: [qubes-devel] qvm-create-windows-qube Automatically creates
On Mon, Aug 19, 2019 at 11:22:21AM +, 'crazyqube' via qubes-devel wrote:
> I just made my solution for fully automatically creating and installing new
> Windows qubes from scratch public! It pre-installs Qubes Windows Tools and
> Firefox so now you don't even have to open Internet Explorer to download a
> good browser! (lol)
>
> It's currently ready for use at:
> https://github.com/crazyqube/qvm-create-windows-qube
>
> If you have any issues or suggestions then by all means create an issue and
> I'll look into it.

I haven't looked into details nor tried it yet, but at first sight it
looks really cool!

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190820210134.GJ1457%40mail-itl.
Re: [qubes-users] Re: Sorry, we cannot find your kernels...
On Sat, Jun 29, 2019 at 04:22:08AM -0700, Chris wrote:
> Yup. Down for me too.
> The update servers were down earlier today. Not sure if related.

Yes, it was related. Late Friday's problems resulted in some mirrors
picking up an empty directory. Should be good now.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190630112443.GB16142%40mail-itl.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] qubes update servers down?
On Sat, Jun 29, 2019 at 12:45:51AM +0200, Marek Marczykowski-Górecki wrote:
> On Fri, Jun 28, 2019 at 09:43:19PM +, mossy wrote:
> > Hi,
> >
> > Updating my qubes templates (debian-9, fedora-29/-30, whonix-14) has
> > been failing all day with `Failed to synchronize cache for repo
> > 'qubes-vm-r4.0-current'`
> >
> > There's also this bug report:
> > https://github.com/QubesOS/qubes-issues/issues/5130
> >
> > Any updates?
>
> Indeed there is some problem. Working on it, should be back in a few
> minutes (hopefully).

Took more than a few minutes, but it's back online.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190629003747.GY1423%40mail-itl.
Re: [qubes-users] qubes update servers down?
On Fri, Jun 28, 2019 at 09:43:19PM +, mossy wrote:
> Hi,
>
> Updating my qubes templates (debian-9, fedora-29/-30, whonix-14) has
> been failing all day with `Failed to synchronize cache for repo
> 'qubes-vm-r4.0-current'`
>
> There's also this bug report:
> https://github.com/QubesOS/qubes-issues/issues/5130
>
> Any updates?

Indeed there is some problem. Working on it, should be back in a few
minutes (hopefully).

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190628224547.GA16142%40mail-itl.
Re: [qubes-users] qubes-dom0-update keep showing the same already downloaded packages.
On Fri, Jun 14, 2019 at 07:03:01PM -0700, pixel fairy wrote:
> On Friday, June 14, 2019 at 6:18:39 PM UTC-7, Andrew David Wong wrote:
> > On 14/06/2019 8.16 PM, pixel fairy wrote:
> > > every time i run qubes-dom0-update, it keeps re-downloading a set of
> > > packages that seem to already be installed. this doesn't seem to prevent
> > > actual updates, but it does mean something's wrong. i've tried clean
> > > packages in dom0 and sys-firewall, but that doesn't help. any ideas? here
> > > what it looks like right after running it, rebooting, and running it
> > > again. any idea what caused this, and how to clear it?
> > >
> > Try `sudo dnf reinstall `. Details:
> >
> > https://github.com/QubesOS/qubes-issues/issues/4792
>
> thanks. that worked for everything except kernel and kernel-qubes-vm. how do
> you get the kernel ones with .rpm? qubes is already past the kernel versions
> that are stuck still downloading, so dnf --reinstall kernel says nothing to
> do, and rpm --reinstall (without the .rpm as the thread specified) fails
> because the newer one is already installed. should this thread continue on
> that issues page?

Do you already have a newer kernel version installed? If so, dnf is
picky and refuses to operate on older packages in most cases... But it
also shouldn't download an old package when a newer one is already
there, unless you've explicitly requested it to do so.

But if you don't have a newer kernel (like 4.19.x), running `dnf update`
or `qubes-dom0-update` after doing reinstall for other packages should
help.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190616234334.GA10653%40mail-itl.
Re: [qubes-devel] Re: [qubes-users] Fedora 28 has reached EOL
On Thu, May 30, 2019 at 02:38:46PM -0400, Chris Laprise wrote:
>
> I'm getting strangeness from the fedora-30 release:
>
> 1. As soon as the template installed I started it and ran 'dnf update'. It
> downloaded repo data then said 'nothing to do'. Less than 2 minutes later I
> get a popup saying fedora-30 has updates available. I run dnf update
> again and there are 219 packages to update.

This is dnf thinking the metadata cache is up to date.

    dnf update --refresh

should do the job.

> 2. Trying to remove thunderbird, dnf wants to remove 67 packages incl. most
> of qubes*, nftables, salt, tinyproxy. It would be good to be able to remove
> thunderbird or other large apps without the OS crumbling to pieces.

Try

    dnf --setopt=clean_requirements_on_remove=0 remove thunderbird

clean_requirements_on_remove=True behaves like 'apt autoremove'. And
qubes-vm-recommended depends on thunderbird-qubes, which depends on
thunderbird. So when you remove thunderbird, qubes-vm-recommended needs
to be removed too.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190530184517.GK1793%40mail-itl.
Re: [qubes-users] kernel panic with new 4.19.43-1.pvops.qubes.x86_64 kernel
On Tue, May 21, 2019 at 11:42:57AM +1000, haaber wrote:
> > > b) are sym / hard links in /boot allowed ?? I guess only the content of
> > > /efi/EFI/BOOT must be an actual file : the content of /efi/EFI/qubes/
> > > should be handled only by the fully-booted system (when updating), but
> > > never by the boot-loader, which, badly enough, insists on /EFI/BOOT. So
> > > could files in efi/EFI/qubes be sym'linked ??
> >
> > This unfortunately won't fly. EFI System Partition (ESP) is accessed
> > directly by UEFI and needs to be FAT32, which does not support symlinks.
>
> right. From my old-day knowledge of FAT, hardlinks are possible (though
> not really intended) -- meaning that one could hack it to an "unclean"
> fs. Probably a bad approach, I would have to re-hack it after each
> fs-change.
>
> More natural: is there a way to change the name /efi/EFI/qubes into
> /efi/EFI/BOOT ? That would solve all issues most elegantly (and avoid
> the annoying copy & rename procedure after each xen-update). Couldn't find
> "EFI/qubes" in any config file, though. Bernhard

If that's an internal disk, you should be able to configure UEFI to use
/boot/efi/EFI/qubes. In fact, the installer should do that for you...
You can do that either in UEFI setup (some vendors have included it
somewhere near the boot order setting), or using efibootmgr from within
the system. You want to configure it to boot xen.efi. As for
efibootmgr, see the last step here:

https://www.qubes-os.org/doc/uefi-troubleshooting/#installation-finished-but-qubes-boot-option-is-missing-and-xencfg-is-empty

If that doesn't work with your UEFI, your option is to move EFI/qubes/*
into EFI/BOOT/ after each update. The path is included in the relevant
packages, so you can't just configure it differently. But you can move
the bigger files (xen.efi, vmlinuz, initramfs) instead of copying them,
to save some space.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190521080633.GF1502%40mail-itl.
Re: [qubes-users] kernel panic with new 4.19.43-1.pvops.qubes.x86_64 kernel
On Mon, May 20, 2019 at 02:36:15PM +1000, haaber wrote:
> Right, thank you Marek for the quick answer. The bad thing is that /boot
> in std UEFI install is 200M - which is definitely too small, if you need
> to "double" all files - one copy in efi/EFI/qubes and another one in
> efi/EFI/BOOT (I suggest changing the automatic-install partition scheme
> to use rather 500M for /boot), since "doubling" makes 6-8 kernels to
> hold instead of 3-4 ! What would be the best remedy? I see two solutions.

A bigger /boot/efi is already the case for the R4.0.1 installer. But
the initial R4.0 indeed had 200M there.

> a) enlarge /boot (but I only have /dev/nvme0n1p1 200M EFI System and
> /dev/nvme0n1p2 238.3G Linux filesystem which means that I would have to
> shrink the thinpool inside the second partition ... I am afraid that a
> full re-install is faster than solving all issues that will arise from
> such an attempt!)

Yes, resizing in this partition layout is non-trivial, reinstall may be
simpler. Alternatively, you can remove older kernels and reduce the
installonly_limit option in /etc/dnf/dnf.conf (default 3) to keep fewer
older kernels.

> b) are sym / hard links in /boot allowed ?? I guess only the content of
> /efi/EFI/BOOT must be an actual file : the content of /efi/EFI/qubes/
> should be handled only by the fully-booted system (when updating), but
> never by the boot-loader, which, badly enough, insists on /EFI/BOOT. So
> could files in efi/EFI/qubes be sym'linked ??

This unfortunately won't fly. EFI System Partition (ESP) is accessed
directly by UEFI and needs to be FAT32, which does not support symlinks.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190520115434.GA1502%40mail-itl.
Re: [qubes-users] kernel panic with new 4.19.43-1.pvops.qubes.x86_64 kernel
On Mon, May 20, 2019 at 11:27:32AM +1000, haaber wrote:
> after last update my Dell runs in a kernel panic -- reboot spiral. I
> retype 4 important lines from a "photo screenshot" :
>
> Initramfs unpacking failed: read error

This seems to be the problem. Check if you have enough space for
initramfs (/boot on a legacy system, /boot/efi on UEFI). If this
partition is very full, initramfs wouldn't fit. You may remove older
kernel/initramfs to free up some space. Then regenerate initramfs with:

    sudo dracut -f --kver KERNEL_VERSION INITRAMFS_PATH

Replace KERNEL_VERSION with the actual kernel version - you can copy it
from the relevant /boot/vmlinuz-* filename. And replace INITRAMFS_PATH
with the actual path:
 - for legacy: /boot/initramfs-KERNEL_VERSION.img (fill KERNEL_VERSION)
 - for UEFI: /boot/efi/EFI/qubes/initramfs-KERNEL_VERSION.img

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190520022629.GA15172%40mail-itl.
[qubes-users] QSB #49: Microarchitectural Data Sampling speculative side channel (XSA-297)
Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) #49:
Microarchitectural Data Sampling speculative side channel (XSA-297).
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack
(qubes-secpack).

View QSB #49 in the qubes-secpack:

<https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-049-2019.txt>

Learn about the qubes-secpack, including how to obtain, verify, and read it:

<https://www.qubes-os.org/security/pack/>

View all past QSBs:

<https://www.qubes-os.org/security/bulletins/>

```
             ---===[ Qubes Security Bulletin #49 ]===---

                             2019-05-15

  Microarchitectural Data Sampling speculative side channel (XSA-297)

Summary
========

On 2018-05-14, the Xen Security Team published Xen Security Advisory
297 (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 /
XSA-297) [1] with the following description:

| Microarchitectural Data Sampling refers to a group of speculative
| sidechannels vulnerabilities. They consist of:
|
|  * CVE-2018-12126 - MSBDS - Microarchitectural Store Buffer Data Sampling
|  * CVE-2018-12127 - MLPDS - Microarchitectural Load Port Data Sampling
|  * CVE-2018-12130 - MFBDS - Microarchitectural Fill Buffer Data Sampling
|  * CVE-2019-11091 - MDSUM - Microarchitectural Data Sampling Uncacheable Memory
|
| These issues pertain to the Load Ports, Store Buffers and Fill Buffers
| in the pipeline. The Load Ports are used to service all memory reads.
| The Store Buffers service all in-flight speculative writes (including
| IO Port writes), while the Fill Buffers service all memory writes
| which are post-retirement, and no longer speculative.
|
| Under certain circumstances, a later load which takes a fault or
| assist (an internal condition to processor e.g. setting a pagetable
| Access or Dirty bit) may be forwarded stale data from these buffers
| during speculative execution, which may then be leaked via a
| sidechannel.
|
| MDSUM (Uncacheable Memory) is a special case of the other three.
| Previously, the use of uncacheable memory was believed to be safe
| against speculative sidechannels.
|
| For more details, see:
| https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html
|
| An attacker, which could include a malicious untrusted user process on
| a trusted guest, or an untrusted guest, can sample the content of
| recently-used memory operands and IO Port writes.
|
| This can include data from:
|
|  * A previously executing context (process, or guest, or
|    hypervisor/toolstack) at the same privilege level.
|  * A higher privilege context (kernel, hypervisor, SMM) which
|    interrupted the attacker's execution.
|
| Vulnerable data is that on the same physical core as the attacker.
| This includes, when hyper-threading is enabled, adjacent threads.
|
| An attacker cannot use this vulnerability to target specific data.
| An attack would likely require sampling over a period of time and the
| application of statistical methods to reconstruct interesting data.

This is yet another CPU hardware bug related to speculative execution.
Only Intel processors are affected.

Patching
=========

The Xen Project has provided patches that mitigate this issue. A CPU
microcode update is required to take advantage of them. Note that
microcode updates may not be available for older CPUs. (See the Intel
advisory linked above for details.)

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes 4.0:
  - Xen packages, version 4.8.5-6
  - microcode_ctl 2.1-28.qubes1
  - kernel-qubes-vm package, version 4.19.43-1 (optional)

The packages are to be installed in dom0 via the Qubes VM Manager or
via the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

A system restart will be required afterwards.

These packages will migrate from the security-testing repository to
the current (stable) repository over the next two weeks after being
tested by the community.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.

Credits
========

See the original Xen Security Advisory.

References
===========

[1] https://xenbits.xen.org/xsa/advisory-297.html

--
The Qubes Security Team
https://www.qubes-os.org/security/
```

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
Re: [qubes-users] Update checking over clearnet instead of Tor?
On Tue, Apr 02, 2019 at 01:20:54PM +1100, haaber wrote:
> > On Tue, Apr 02, 2019 at 07:19:46AM +1100, haaber wrote:
> > >
> > > So do I understand that correctly: if I have, say, a debian-XYZ AppVM on
> > > clearnet it will check if the corresponding template needs an update,
> > > unless I de-activate the qubes-update-check service? Thank you
> >
> > Yes
> >
> Oups ! To me, one of the points of using tor as upgrade-transport-layer
> seems to me to render "aimed attacks" on *my* machine much harder. Is
> that a misconception?
> Assuming that 'yes', an attacker would typically see clearnet apt-update
> preceding a tor-based upgrade -- and could be made a reasonable guess
> *who* is upgrading (I don't think there are millions of qubes copies
> running, right?). This opens a (admittedly) small, probability-based
> attack surface, that comes only with small gain, if ever. Do you agree?

The updates _check_ only needs to download repository metadata, not the
actual packages. Qubes based on a template do that from time to time,
using their own network connection, and report if there are any updates
available. When you actually download and install those updates (over
Tor) in the template is up to you; it isn't immediately after checking
if something is available, so time-based correlation isn't really an
issue here.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190402155106.GA22235%40mail-itl.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] [4.0] Kernel panic in HVM
On Sun, Mar 17, 2019 at 04:02:31PM -0700, Vít Šesták wrote:
> Hello,
> I have tried to boot Fedora 29 Silverblue in a HVM from the official ISO. I
> have noticed that there is some kernel panic before the HVM shuts down. The
> problem is that I cannot read it. Is there any way to read it, e.g., by
> disabling the automatic reboot somehow?

Try pointing the kernel at the hvc0 console (console=hvc0 kernel arg);
then you should get it in /var/log/xen/console/guest-VMNAME.log.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190318010048.GB10743%40mail-itl.
Re: [qubes-users] vchan doesn’t work on recent mainline kernels
On Wed, Mar 13, 2019 at 01:07:20PM -0400, Demi Obenour wrote:
> I built a Linux kernel from Linus’s git master, with a slight modification
> (u2mfn module moved in-tree). The resulting kernel does not work with
> Qubes: libvchan gets -EINVAL from mmap().
>
> Any suggestions?

Can you post more details? Specifically, the preceding operations on this
FD (it should be /dev/xen/gntalloc or /dev/xen/gntdev).

BTW, the u2mfn module hasn't been used by libvchan for a long time. Its
last user is gui-agent, and even that isn't the case anymore in R4.1
(gui-agent-linux master branch).

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190315005714.GA10743%40mail-itl.
Re: [qubes-users] Can't set default_target to @dispvm:foo in policy
On Fri, Mar 08, 2019 at 01:36:51PM -0800, Ryan Tate wrote:
> I was trying to have a qubes.OpenInVM policy that would pre-fill a target in
> the permission dialog when the destination was an inside of a certain dispvm.
>
> Specifying the destination vm (#2 entry) in the policy works fine to specify
> a dispvm instance.
>
> But specifying the default_target (part of #3 entry) in the policy as a
> dispvm instance fails.
>
> For example, this WORKS:
>
> $anyvm @dispvm:dvm-print ask,default_target=work
>
> ...but is not what I want.
>
> What I want is this, but it does NOT WORK:
>
> $anyvm @dispvm:dvm-print ask,default_target=@dispvm:dvm-print
>
> The resulting dom0 prompt at the top says "Domain '@dispvm:dvm-print' doesn't
> exist".
>
> What I expected is the dom0 prompt would have "Disposable VM (dvm-print)"
> entry pre-selected.
>
> Seems like a bug?

Indeed. Could you report it at https://github.com/QubesOS/qubes-issues/issues ?

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190309000348.GJ9610%40mail-itl.
Re: [qubes-users] where/how does dom0 gets its icons? ANSWERED
On Sat, Mar 02, 2019 at 05:32:19PM -0600, Daniel Allcock wrote:
> Thank you to unman for giving me the thread to follow.
> The way the icons are chosen could be improved easily.
> I'd be happy to contribute a patch if I knew the procedure
> for doing so. (It would not touch dom0.)

Happy to hear that! See here:
https://www.qubes-os.org/doc/source-code/#how-to-send-patches

> To close out the thread, here is the answer to my question.
> The process of updating the Q menus is controlled by dom0's
> /usr/lib/python3.5/site-packages/qubesappmenus/receive.py.
> When updating the Q menus, dom0 first asks the vm for its
> desktop files. The vm provides these using
> /etc/qubes-rpc/qubes.GetAppmenus, which is a shell script
> that jumbles all the desktop files on the system
> together and sends to stdout. dom0 sanitizes and parses this,
> and assembles the results into a bunch of desktop files in
> dom0's ~/.local/share/qubes-appmenus/VM. As it is doing this
> it notes which icons specified in the desktop files have
> relative paths (typically, all of them). For each icon name,
> dom0 asks the vm to run /etc/qubes-rpc/qubes.GetImageRGBA
> and deliver the resulting icon file to dom0. For icons
> described by a relative path, the first thing
> this shell script does is resolve the icon name to a file name using
> /usr/lib/qubes/xdg-icon, which is also a shell script, and is
> where the actual resolution takes place.

Yes, exactly. The VM side of this is here:
https://github.com/QubesOS/qubes-core-agent-linux/tree/master/qubes-rpc

> This resolution is simplistic. It uses a fixed list of
> icon theme names (on my system: Humanity, Adwaita, gnome, oxygen),
> followed by any additional icon themes in /usr/share/icons.
> The first theme that has a suitably named icon is the theme
> whose icon file gets used. I don't have Humanity installed, so
> I was getting Adwaita icons every time, and overwriting them
> was the only way I could change my icons.
>
> A simple fix is to insert my desired icon theme at the beginning
> of the fixed list of themes. This is not the right
> way to solve the problem in general. To solve it properly would
> require deciding what the right behavior is: should the theme
> used in dom0 (meaning: one of the same name) get used? Or should the
> theme preferred by that template's user account get used? Not
> sure what the most natural answer is. But I'm satisfied for now.

I think the logical thing to do would be to use the template's preferred
theme. If desirable, there could be a mechanism to synchronize it with
the dom0 theme.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190303140026.GI9610%40mail-itl.
Re: [qubes-users] [warn] last whonix-gw update, ipv6 and possible VPN leak!
On Fri, Feb 15, 2019 at 09:14:51PM +, 'Evastar' via qubes-users wrote:
> Hello,
>
> Seems after last whonix update my old VPN VM begin leaking traffic. After
> investigation I found that it's because ipv6 primary connection to whonix-gw.
> I guess that whonix-gw now supporting ipv6. It leak traffic through ipv6
> connection to whonix and ignore my default old ipv4 setup.
> "qvm-features VM ipv6 0" fixed this issue!

"0" in the command above is _not_ the correct way to disable it. It
should be an empty string:

    qvm-features VM ipv6 ''

Details: https://www.qubes-os.org/doc/networking/#ipv6

Anyway, Whonix comes with firewall rules blocking native IPv6,
regardless of the above setting. If you reach some IPv6, it must be
tunneled over Tor, which does support IPv6.

> But I'm not sure about all my others vpns and leaking with ipv6. How I must
> fix this at vpn setup (on load) to be 100% sure that it never happen again?

As Chris already mentioned, one way is to add extra firewall rules:
https://github.com/QubesOS/qubes-doc/pull/795

qubes-vpn-support / qubes-tunnel also comes with relevant firewall rules.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190224002728.GH9610%40mail-itl.
Re: [qubes-users] disposible vms for sys-net, firewall, usb?
On Sat, Feb 23, 2019 at 10:15:32PM +0100, 799 wrote:
> Hello,
>
> Stumpy wrote on Sat, 23 Feb 2019, 17:58:
>
> > (...) dvms could be used for things like sys-net usb and firewall which
> > had never occurred to me.
> > I may not be thinking about it right but that seemed like a really good
> > security idea, so my question is, why is that not the default? (...)
>
> I am also heavily interested in running "named" disposable VMs as sys-VMs

Take a look here:
https://www.qubes-os.org/doc/disposablevm-customization/#using-static-disposablevms-for-sys-

Multiple different DispVMs is a feature new in Qubes 4.0 and we're still
exploring what would be the best configuration for disposable sys-*.

> with one enhancement, that I am able to store the Wifi-Credentials in a
> Vault-VM and that I can "push" the credentials into the sys-net VM when
> launching it (maybe by some custom scripts which use qvm-run --pass-io from
> dom0 to copy data from Vault-VM to the Sys-Net-VM).

The above documentation covers this with another solution: have a
separate DVM template for it. This has one important advantage: it will
work universally regardless of the configuration/tools you use,
including custom VPN scripts etc.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190223230734.GG9610%40mail-itl.
[qubes-users] QSB #47: Insecure default DisposableVM networking configuration
bleVM is started, automatically set its `default_dispvm` to the DVM
   Template on which it is based. This means that, when a DisposableVM
   is started from another DisposableVM, they will both be based on the
   same DVM Template. Hence, they will have all the same settings,
   including the same network settings. This change will not affect DVM
   Templates for which the user has manually modified the
   `default_dispvm` property.

2. Add a warning message in the Qube Settings GUI when the NetVM of a
   qube in the "Basic" tab is set to a different value than the NetVM of
   the default DVM Template set in the "Advanced" tab.

Note that these changes concern only NetVM settings, not firewall
settings. If you want your DisposableVMs to have the same firewall
settings as the calling qube, you must adjust the firewall settings of
the appropriate DVM Template yourself.

In the next version of Qubes, we will ship two DVM Templates by default:
one with network access and one without. This was already previously
discussed in issue #1121 [5].

Patching
=========

The specific packages that resolve the problems discussed in this
bulletin are as follows:

  For Qubes OS 4.0:
  - qubes-core-dom0 version 4.0.39
  - qubes-manager version 4.0.28

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

  For updates from the stable repository (not immediately available):
  $ sudo qubes-dom0-update

  For updates from the security-testing repository:
  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.

Credits
========

The issue was reported by Vít 'v6ak' Šesták.

References
===========

[1] https://www.qubes-os.org/doc/disposablevm/
[2] https://www.qubes-os.org/doc/data-leaks/
[3] https://www.qubes-os.org/doc/glossary/#dvm-template
[4] https://www.whonix.org/wiki/Qubes/Install
[5] https://github.com/QubesOS/qubes-issues/issues/1121

--
The Qubes Security Team
https://www.qubes-os.org/security/
```

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190219230145.GF9610%40mail-itl.
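A check for the condition the bulletin's second fix warns about, namely a qube whose NetVM differs from the NetVM of its default DVM Template, so that DisposableVMs it opens get different network access than the qube itself. This is an added example, not code from the bulletin or from Qubes; it runs on a constructed in-memory inventory, and the `Qube` record, `SAMPLE_QUBES` and the helper names are assumptions of the example (in dom0 the records would be filled from `qvm-prefs` output or the qubesadmin API instead).

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class Qube:
    """Constructed stand-in for one qube's settings (not the qubesadmin API).

    Attribute names follow the qvm-prefs property names the bulletin uses;
    netvm=None models the "(none)" setting, i.e. no network access.
    """
    name: str
    netvm: Optional[str]
    default_dispvm: Optional[str]
    template_for_dispvms: bool = False


@dataclass
class Mismatch:
    """A qube whose DisposableVMs would get different network access."""
    qube: str
    qube_netvm: Optional[str]
    dvm_template: str
    dvm_netvm: Optional[str]

    def describe(self) -> str:
        return (f"{self.qube}: netvm={self.qube_netvm or '(none)'} but "
                f"DisposableVMs via {self.dvm_template} get "
                f"netvm={self.dvm_netvm or '(none)'}")


def find_netvm_mismatches(qubes: Iterable[Qube]) -> List[Mismatch]:
    """Return qubes whose NetVM differs from that of their default DVM Template.

    This is the condition the bulletin's second fix flags in Qube Settings:
    a DisposableVM started from such a qube takes the DVM Template's network
    settings, not the caller's, so an offline or Tor-only qube can end up
    opening files in a clearnet-connected DisposableVM.
    """
    by_name: Dict[str, Qube] = {q.name: q for q in qubes}
    mismatches: List[Mismatch] = []
    for q in by_name.values():
        if q.default_dispvm is None:
            continue  # this qube cannot start DisposableVMs at all
        dvm = by_name.get(q.default_dispvm)
        if dvm is None:
            continue  # dangling reference; nothing to compare against
        if dvm.netvm != q.netvm:
            mismatches.append(Mismatch(q.name, q.netvm, dvm.name, dvm.netvm))
    return mismatches


def suggest_default_dispvm(qubes: Iterable[Qube], m: Mismatch) -> Optional[str]:
    """Pick a DVM Template whose NetVM already matches the qube's, if any.

    Setting it with `qvm-prefs <qube> default_dispvm <template>` removes the
    mismatch; None means no such template exists yet (the bulletin notes that
    a networked and an offline DVM Template will ship by default later).
    """
    for q in qubes:
        if q.template_for_dispvms and q.netvm == m.qube_netvm:
            return q.name
    return None


# Constructed inventory: a networked DVM Template, an offline one, and qubes
# with differing NetVMs. Not taken from a real system.
SAMPLE_QUBES = [
    Qube("fedora-29-dvm", "sys-firewall", "fedora-29-dvm", template_for_dispvms=True),
    Qube("offline-dvm", None, "offline-dvm", template_for_dispvms=True),
    Qube("work", "sys-firewall", "fedora-29-dvm"),
    Qube("vault", None, "fedora-29-dvm"),
    Qube("anon-whonix", "sys-whonix", "fedora-29-dvm"),
    Qube("personal", "sys-firewall", None),
]


def audit(qubes: Iterable[Qube] = SAMPLE_QUBES) -> List[str]:
    """One warning line per mismatch, with a remediation hint where possible."""
    qubes = list(qubes)
    lines = []
    for m in find_netvm_mismatches(qubes):
        fix = suggest_default_dispvm(qubes, m)
        hint = f" (set default_dispvm to {fix})" if fix else " (no matching DVM Template)"
        lines.append(m.describe() + hint)
    return lines


if __name__ == "__main__":
    for line in audit():
        print("WARNING:", line)
```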
Re: [qubes-users] Re: QSB #46: APT update mechanism vulnerability
On Wed, Feb 13, 2019 at 04:12:27AM -0800, Vít Šesták wrote:
> Since Qubes 4.0.1 was released [1] before your message and before the DSA
> [2], I assume it is not a good idea to install Debian and Whonix from the
> 4.0.1 installation media, is it?
>
> If it is right, then I suggest adding a note on the download page [3] until
> 4.0.2 release.

Qubes update tools (qubes manager, updates widget) do include a safe apt
upgrade method. So, as long as you update dom0 before updating VMs, it
is safe to use Debian/Whonix from 4.0.1.

> Regards,
> Vít Šesták 'v6ak'
>
> [1] https://www.qubes-os.org/news/2019/01/09/qubes-401/
> [2] https://www.debian.org/security/2019/dsa-4371
> [3] https://www.qubes-os.org/downloads/

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190214162914.GE9610%40mail-itl.
Re: [qubes-users] why was DNS/ICMP removed from Qubes manager/firewall in R4?
On Wed, Feb 13, 2019 at 08:42:10AM -0800, simon.new...@gmail.com wrote:
> In 3, if i clicked on "block connections" in the Qubes manager firewall
> section, there was (if memory serves me) an option to block DNS and ICMP.
>
> That is not present in R4 (though docs say you can disable DNS and ICMP
> manually)
>
> I'm just wondering what the logic behind the removal was? I would have
> thought that a general user who clicks "block connections" on Qube would not
> expect the qube to be able to actually send out and receive network packets
> such as DNS or ICMP. This presents information leakage scenarios (default DNS
> lookups of given qube) and also potential egress vectors if a qube is ever
> compromised (DNS tunnelling, ICMP tunnelling).

Let me quote the full text you can find on the firewall tab there:

    NOTE: To block all network access, set Networking to (none) on the
    Basic settings tab. This tab provides a very simplified firewall
    configuration. All DNS requests and ICMP (pings) will be allowed.
    For more granular control, use the command line tool qvm-firewall.

There is a clear message what to do if you want to cut the qube from the
network.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190214035356.GD9610%40mail-itl.
Re: [qubes-users] Re: sudo qubes-dom0-update downloads packages but abruptly ends with a "The downloaded packages were..."
On Sun, Feb 10, 2019 at 07:33:21PM +0100, Dupéron Georges wrote:
> I have the same issue. I thought there weren't any new updates, but it's
> been like this for a while.
>
> There are two updates listed, but they never get installed.
>
> Note: I am not using the regular sys-net as my updatevm (I am using a plain
> fedora 29 VM, that is connected to sys-firewall, which is connected to the
> sys-ethernet VM to which the PCI device is attached).
>
> Log: (...)
> Reinstalling:

This looks like it tries to update to the same version it already has
installed. Looks to be this issue:
https://github.com/QubesOS/qubes-issues/issues/4792

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190210211333.GC9610%40mail-itl.
Re: [qubes-users] qubes-templates-itl-testing: certificate expired. Drop https or update cert?
On Sun, Feb 10, 2019 at 06:23:37PM +0100, Dupéron Georges wrote:
> It seems that the SSL certificate for the qubes-templates-itl-testing repo
> has expired.
>
> sudo qubes-dom0-update --enablerepo=qubes-templates-itl-testing
> qubes-template-debian-9-minimal
> [...]
> DNF will only download packages for the transaction.
> Downloading Packages:
> [MIRROR] qubes-template-debian-9-minimal-4.0.1-201901271906.noarch.rpm:
> Curl error (60): Peer certificate cannot be authenticated with given CA
> certificates for
> https://mirrors.dgplug.org/qubes/repo/yum/r4.0/templates-itl-testing/rpm/qubes-template-debian-9-minimal-4.0.1-201901271906.noarch.rpm
> [SSL certificate problem: certificate has expired]
>
> GPG signature of the packages is checked by dom0 anyway, so they can be
> downloaded using an insecure connection, right?

Yes, this does not affect the integrity of the packages.

> Should the httpS be removed in /etc/yum.repos.d/qubes-templates.repo, or
> can the certificate be updated?

This is just one of the mirrors; yum/dnf should fall back to another one
automatically. Doesn't it for you?

Regardless of the above, I've notified the mirror operator.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190210210944.GB9610%40mail-itl.
[qubes-users] Re: [qubes-devel] Template disappeared: qubes-template-fedora-29-minimial
[Moving to qubes-users]

On Thu, Jan 31, 2019 at 10:14:26PM -0800, Elias Mårtenson wrote:
> I installed qubes-template-fedora-29-minimial by running the usual command:
>
> $ sudo qubes-dom0-update qubes-template-fedora-29-minimial
>
> This worked, but I messed up the template itself when doing some
> experimentation. So, I removed said template and attempted to reinstall it.
>
> When I try to perform the reinstall, I get an error message saying that the
> package does not exist. What could be the cause of this?

Probably something went wrong with removing the template. Templates which
are still installed are excluded from being installed again. Verify this
with:

    rpm -q qubes-template-fedora-29-minimial

If the template package is still there, but the actual template is gone
(not listed by the qvm-ls tool), you can forcibly remove the package
with:

    sudo rpm -e --noscripts qubes-template-fedora-29-minimial

See also https://www.qubes-os.org/doc/reinstall-template/

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190201102138.GA2830%40mail-itl.
Re: [qubes-users] post-apt-reinstall-issues sys-whonix not connecting to tor

On Fri, Jan 25, 2019 at 04:20:50PM +0100, qubes-...@tutanota.com wrote:
> Jan 25, 2019, 4:13 PM by marma...@invisiblethingslab.com:
>
> > On Fri, Jan 25, 2019 at 04:04:02PM +0100, qubes-...@tutanota.com
> > <mailto:qubes-...@tutanota.com>> wrote:
> >
> >> Thank you. Will the existing anon-whonix be recreated together with
> >> sys-whonix as well? I have an anon-whonix AppVM already existing. Should I
> >> back it up or change its name to prevent data loss?
> >>
> >
> > No, if anon-whonix already exists, it will not be recreated.
> > But note anon-whonix is based on whonix-ws-14 template, which is also
> > affected. You should update it to unaffected version using one of the
> > methods described in the QSB.
>
> Hi, I updated the whonix-gw-14 and whonix-ws-14 as well. I am planning to use
> the pre-update AppVMs as a backup and transfer necessary data to the newly
> created post-update AppVMs. Then delete them.
> In this case, I can just rename the anon-whonix AppVM and the new anon-whonix
> will be created, right?

Yes, exactly.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190125152631.GJ1429%40mail-itl.
Re: [qubes-users] post-apt-reinstall-issues sys-whonix not connecting to tor

On Fri, Jan 25, 2019 at 04:04:02PM +0100, qubes-...@tutanota.com wrote:
> Thank you. Will the existing anon-whonix be recreated together with
> sys-whonix as well? I have an anon-whonix AppVM already existing. Should I
> back it up or change its name to prevent data loss?

No, if anon-whonix already exists, it will not be recreated.
But note anon-whonix is based on the whonix-ws-14 template, which is
also affected. You should update it to an unaffected version using one
of the methods described in the QSB.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190125151356.GI1429%40mail-itl.
Re: [qubes-users] Qubes 4.0.x - Linux kernel 4.19.15 package available in testing repository

On Fri, Jan 25, 2019 at 01:58:59PM +0100, Patrik Hagara wrote:
> On 1/24/19 5:18 PM, Patrik Hagara wrote:
> > On 1/20/19 1:57 AM, Marek Marczykowski-Górecki wrote:
> >> Hi all,
> >>
> >> There is updated "kernel" package available in current-testing
> >> repository - it's a Linux long term support 4.19.x series, as an update
> >> over 4.14.x before. Since the upgrade switches to the next major LTS
> >> branch, I'll keep it in current-testing repository longer than usual 1-2
> >> weeks. This also applies to kernel package for VMs: kernel-qubes-vm.
> >> Please report new issues the usual way, at qubes-issues[1], or
> >> simply by replying here. In either case, please mark it clearly it
> >> happens after updating to 4.19, preferably including a link to the
> >> update:
> >> https://github.com/QubesOS/updates-status/issues/850
> >>
> >> 4.19.x kernel was already available as kernel-latest package for some
> >> time. Users of kernel-latest will see the update to 4.19.15 too, but
> >> kernel-latest soon will carry 4.20.x kernel version.
> >>
> >> [1] https://github.com/QubesOS/qubes-issues/issues
> >>
> >>
> >
> > I get weird graphical artifacts with the new kernel after ~an hour of
> > usage. Windows from AppVMs turn all white sometimes when switching
> > workspaces in i3wm. Events like mousing over interactive table rows
> > in a browser (when the current row gets highlighted) return that
> > particular section of the window back to normal (but not the whole
> > window, for that I need to trigger a repaint of the whole window by eg.
> > making it full-screen and immediately switching back to non-full-screen).
> > The only error message I've been able to find so far is in dom0 Xorg log:
>
> (EE) intel(0): Failed to submit rendering commands (Bad address),
> disabling acceleration.

This is very likely related. Normally I'd say "Bad address" indicates a
user-space issue, but the only thing changed is the kernel version...
It may also be that some kernel API has changed and the driver is using
parts that weren't there before.

Anyway, I've looked into the 'intel' X driver sources and the version
we currently have (2.99.917) is the latest one. On the other hand,
there were over 800 commits since that release and some of them may be
related. For example maybe this:
https://bugs.freedesktop.org/show_bug.cgi?id=105886
This suggests you may want to try enabling or disabling composition, if
i3wm supports it.

> Duckduckgo-ing the error message yielded a few [1][2] Arch Linux bug
> reports describing the same symptoms. The first bug report also has a
> kernel patch [3] linked, which supposedly fixes the issue (haven't tried
> it).

That patch is from 2014, already included in 3.19+

> [1] https://bugs.archlinux.org/task/43143
> [2] https://bugs.archlinux.org/task/55732
> [3]
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d472fcc8379c062bd56a3876fc6ef22258f14a91
>
> Cheers,
> Patrik

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190125141611.GH1429%40mail-itl.
Re: [qubes-users] Re: QSB #46: APT update mechanism vulnerability

On Thu, Jan 24, 2019 at 08:57:16PM -0600, Andrew David Wong wrote:
> On 23/01/2019 11.54 PM, Chris Laprise wrote:
> > On 01/23/2019 10:39 PM, Andrew David Wong wrote:
> >> On 23/01/2019 9.36 PM, pixel fairy wrote:
> >>> On Wednesday, January 23, 2019 at 7:24:57 PM UTC-8, Andrew David Wong
> >>> wrote:
> >>>
> >>>> The Whonix packages are in qubes-templates-community-testing.
> >>>
> >>>
> >>> $ sudo qubes-dom0-update
> >>> --enablerepo=qubes-templates-community-testing
> >>> qubes-template-whonix-gw-14
> >>> Using sys-firewall as UpdateVM to download updates for Dom0; this may
> >>> take some time...
> >>> Last metadata expiration check: 1:08:18 ago on Wed Jan 23 18:22:56 2019.
> >>> No match for argument: qubes-template-whonix-gw-14
> >>> Error: Unable to find a match
> >>>
> >>
> >> That's strange. I was just able to install them with the same command.
> >> Maybe try it again with --clean?
> >
> > That's why I found it's better to just specify qubes*testing for the
> > templates:
> >
> > https://groups.google.com/d/msgid/qubes-users/f4d997d5-7191-06d0-e7bb-ef42745a7db5%40posteo.net
> >
>
> I don't understand. How would that help here? To recap, this command
> worked for me:
>
> $ sudo qubes-dom0-update --enablerepo=qubes-templates-community-testing
> qubes-template-whonix-gw-14
>
> The very same command failed for pixel fairy.

I think the issue is about the previous point in the patching
instructions: remove the buggy template version. Otherwise it will fail
exactly like this (indeed the message is confusing...).
A feature request about simplifying this process is tracked here:
https://github.com/QubesOS/qubes-issues/issues/4518

> Why would using
> qubes*testing instead fix whatever is causing that command to fail?
> Would that somehow force cache busting for some reason?

No. But it would be easier - no need to think about which repository a
given template is in. In this particular case, it should be fine as the
given template is only in one of those repositories.

> > Also, using the 'upgrade' action is a lot less confusing. The official
> > steps are needlessly painful.
>
> Would it be worth updating the QSB? (CC: Marek)

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190125031501.GD1429%40mail-itl.
Re: [qubes-users] QSB #46: APT update mechanism vulnerability

On Thu, Jan 24, 2019 at 01:10:42AM +0000, js...@bitmessage.ch wrote:
> Marek Marczykowski-Górecki:
> > Summary
> >
> >
> > The Debian Security Team has announced a security vulnerability
> > (DSA-4371-1) in the Advanced Package Tool (APT). The vulnerability lies
> > in the way APT performs HTTP redirect handling when downloading
> > packages. Exploitation of this vulnerability could lead to privilege
> > escalation [1] inside an APT-based VM, such as a Debian or Whonix VM.
> > This bug does _not_ allow escape from any VM or enable any attacks on
> > other parts of the Qubes system. In particular, this bug does _not_
> > affect dom0, the Xen hypervisor, or any non-APT-based VMs. Nevertheless,
> > we have decided to release this bulletin, because if a TemplateVM is
> > affected, then every VM based on that template is affected.
>
> Hi,
>
> Does this vulnerability apply to whonix users who download updates over tor
> from .onion repos?
>
> My understanding is that it shouldn't, since the exit node operator or any
> other MITM doesn't even know it's apt traffic, they just see encrypted
> traffic to a hidden service.
>
> Is this right, or am i not understanding something?

In the case of onion repos, a MitM attack is indeed not that easy, but
if someone takes over Debian (or Whonix) mirrors, they could still
perform the attack.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190124012252.GA9610%40mail-itl.
[qubes-users] QSB #46: APT update mechanism vulnerability

rough the Qubes VM Manager. Installing the packages listed below is not
enough.

Qubes 4.0:
 - qubes-desktop-linux-manager 4.0.14 (updates widget)
 - qubes-manager 4.0.27 (Qube Manager)

Qubes 3.2:
 - qubes-manager 3.2.14 (Qubes VM Manager)

The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:

For updates from the stable repository (not immediately available):

  $ sudo qubes-dom0-update

For updates from the security-testing repository:

  $ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

Now you can safely update your APT-based TemplateVMs through the Qubes
VM Manager.

Credits
========

This vulnerability was discovered by Max Justicz and reported to the
Debian Security Team.

References
===========

[1] https://www.debian.org/security/2019/dsa-4371

--
The Qubes Security Team
https://www.qubes-os.org/security/
```

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190123170528.GV1429%40mail-itl.
[qubes-users] Qubes 4.0.x - Linux kernel 4.19.15 package available in testing repository

Hi all,

There is an updated "kernel" package available in the current-testing
repository - it's a Linux long term support 4.19.x series, as an update
over 4.14.x before. Since the upgrade switches to the next major LTS
branch, I'll keep it in the current-testing repository longer than the
usual 1-2 weeks. This also applies to the kernel package for VMs:
kernel-qubes-vm.
Please report new issues the usual way, at qubes-issues[1], or simply by
replying here. In either case, please mark it clearly that it happens
after updating to 4.19, preferably including a link to the update:
https://github.com/QubesOS/updates-status/issues/850

The 4.19.x kernel was already available as the kernel-latest package
for some time. Users of kernel-latest will see the update to 4.19.15
too, but kernel-latest will soon carry the 4.20.x kernel version.

[1] https://github.com/QubesOS/qubes-issues/issues

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190120005742.GS1205%40mail-itl.
Re: [qubes-users] last qubes-dom0-update brings kernel 4.19 and crashs login

On Sat, Jan 19, 2019 at 01:13:06PM -0800, Sergio Matta wrote:
> Yesterday I started qubes-dom0-update and it installs kernel-4.19. Looks
> great!
> But it is not starting graphical login anymore.

Do you see a text login available? Maybe on tty2 (alt+ctrl+f2)? You can
log in there and see the lightdm service status (`sudo systemctl status
lightdm`), which is responsible for the graphical login. If it has
failed, what does it say there (you should have a few log lines there)?
It would also be useful to check the X server log - /var/log/Xorg.0.log
- especially if you see any error message at the end.

> I did sudo dnf downgrade kernel and it didn't work.
> I had to change grub to fix.

You should be able to choose an older version in the grub menu.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190120002704.GA5575%40mail-itl.
Re: [qubes-users] fedora-29-minimal sys-net/firewall problem

On Fri, Jan 11, 2019 at 09:59:37PM -0800, rumsey.anth...@gmail.com wrote:
> Thanks to Ivan, I figured it out (with a bit of luck).
>
> After comparing packages in his working template to my own, I first tried to
> install:
>
> dbus-glib
> ipcalc
> iproute
> iproute-tc
> iputils
>
> That fixed it as far as I can tell. I now have a working sys-net and
> sys-firewall with the fedora-29-minimal template. I'm assuming the ip*
> packages were the key, but I don't really have any idea.

Yes, it's iproute. A similar problem happened to the Debian template[1]
and it was fixed there, but apparently Fedora is also affected. I'll
add the relevant dependency.

[1] https://github.com/QubesOS/qubes-issues/issues/4411

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190113113043.GE6577%40mail-itl.
Re: [qubes-users] "Qubes Update" icon (Sun Looking icon on top right)

On Sat, Jan 12, 2019 at 08:47:01AM -0800, 22...@tutamail.com wrote:
> Just used this feature again...Debian-9, Fedora-29 and Dom0 updates(or lack
> of) went fine i.e. My Fedora templates seemed to update and no updates were
> needed for Dom0 or my Debian templates.
>
> My Whonix-14-GW and -WS however did deliver an error that might be related to
> what you refer to Marek. The sun icon gives me the following
> error(abbreviated):
>
> File "/var/tmp/.root_62a99a_saltimport salt.modules.cmdmod
> File "/var/tmp/.root_62a99a_saltimport salt.util.http
> File "/var/tmp/.root_62a99a_saltimport salt.util.events
>
> ...
> ImportError: No module named concurrent...CancelledError
> stdout:
>
> I manually updated the whonix-gw and -ws using the Qubes Manager OK.
>
> Any chance someone can share the commands to allow me to update using the
> "sun icon"? It's nice to check all templates for updates and have them run in
> the background one-by-one. I thought this would crash my system but worked
> pretty slick apart from the whonix-gw and -ws error I got...

You need to install the python-concurrent.futures package there. Open a
terminal in whonix-gw (and -ws) and execute:

    sudo apt install python-concurrent.futures

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2019011307.GD6577%40mail-itl.
Re: [qubes-users] Smart cards, split GPG, and timing attacks

On Sat, Jan 12, 2019 at 12:27:04PM -0800, demioben...@gmail.com wrote:
> That makes sense. How should one best handle GitHub accounts? One per
> project? GitHub does not seem to allow per-project SSH keys, sadly.

Actually, you can have a separate per-repository key, called a
deployment key. But you can't re-use the same key for multiple
repositories, so if you have a project with 5 repositories, you need 5
keys...

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190113102748.GC6577%40mail-itl.
Re: [qubes-users] Smart cards, split GPG, and timing attacks

On Tue, Jan 08, 2019 at 01:15:39AM +0000, 'awokd' via qubes-users wrote:
> Demi Obenour wrote on 1/7/19 3:16 PM:
> > Looking through the GPG CVE list, it appears that GPG has a fantastic
> > security record. This seems to jus Most of the recent vulnerabilities have
> > been side-channel attacks.
> >
> > Is it useful to use split-GPG with a hardware token to prevent side-channel
> > attacks?
>
> I am far from a cryptographer, but IIRC those side channel attacks get the
> key by observing decryption leaks. So a hardware token wouldn't affect that
> either way, because once the key is unlocked it still gets processed the
> same.

Not really, if the key lives on a hardware token, only it can perform
decryption/signing. So, if that hardware token is resistant against
side channel attacks, then split-GPG (or anything else) will not make
it worse.

> > Also, is it best to use one signing key per project one is working on?
> >
>
> Again, not a crypto expert but if you're using the same development workflow
> for all projects, don't see much security gain from separate keys. If some
> demand a different, potentially less secure workflow, those might benefit
> from subkeys. Hopefully someone experienced has more insight!

There is one more thing: if you use a single key for multiple projects,
then it's harder to distinguish those projects based on cryptographic
proof. Which means code signed in one project could potentially be used
in another.

An example: I have a qubes code signing key I use to sign my
qubes-related commits/tags. But I also contribute to other projects,
including also very simple patches, where I only fix one file and
definitely do not review the whole repository. If I used the same key
for both, then one could attack me like this:

1. Introduce a backdoor to some random software that I would likely
   contribute to (or even create a new one specifically for this
   purpose).
2. Wait for me to contribute there (all kinds of social engineering
   will help here).
3. Take my signed contribution and pretend the code belongs to qubes -
   this may be quite tricky, and probably requires breaking into my
   github account (or github infrastructure) to place it under my (or
   QubesOS) account; but even without it, it would help in other
   attacks.

With separate keys (having the project name in the key comment) that
attack wouldn't work, or would require significantly more social
engineering - depending whether you attack a machine or a human.

You may also take into account the security of the development
environment for each project. If one depends on a lot of software
without a reliable integrity verification method (or, say, a lot of
NodeJS packages ;) ), then such an environment would be significantly
easier to compromise, and so the key used there (even if not leaked,
then used from there to sign/decrypt anything).

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190112010644.GB6577%40mail-itl.
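The per-project key argument in the message above has a direct consequence for whoever verifies the signatures: the verifier has to pin which key is acceptable for which project, not just check that "a good signature from Marek" exists. The following is an added example (not code from the thread or from Qubes) of that check in Python. It parses GnuPG's machine-readable status lines, the same format `git verify-tag --raw` writes to stderr, and accepts a signature only when the signer's primary-key fingerprint is in the allowlist for that specific project. `PROJECT_KEYS`, the fingerprints, the sample status lines and the `verify_tag_for_project` helper are all constructed or hypothetical.

```python
"""Pin a signing key per project: added example, not code from the thread.

Input is GnuPG status output (`git verify-tag --raw` prints it to stderr,
`gpg --status-fd 1` to stdout). A signature passes only if it is GOOD and
its primary-key fingerprint is the one registered for the named project,
so a valid signature made with the same person's key for another project
is rejected. All fingerprints and status lines here are constructed.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Hypothetical allowlist: one dedicated signing key per project.
# The 40-hex-digit fingerprints are constructed placeholders, not real keys.
PROJECT_KEYS: Dict[str, List[str]] = {
    "qubes": ["0000000000000000000000000000000000000001"],
    "other-project": ["0000000000000000000000000000000000000002"],
}

# VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <res> <pkalgo> <hashalgo> <class> <primary-fpr>
_VALIDSIG = re.compile(
    r"^\[GNUPG:\] VALIDSIG (?P<fpr>[0-9A-F]{40}) .* (?P<primary>[0-9A-F]{40})$"
)


def signer_primary_fingerprint(status_output: str) -> Optional[str]:
    """Return the primary-key fingerprint of a good signature, else None.

    GOODSIG must be present (BADSIG/ERRSIG output never carries it), and the
    last VALIDSIG field is the primary key even when a subkey made the
    signature, so subkey rotation does not change which project it maps to.
    """
    lines = [ln.strip() for ln in status_output.splitlines()]
    if not any(ln.startswith("[GNUPG:] GOODSIG ") for ln in lines):
        return None
    for ln in lines:
        m = _VALIDSIG.match(ln)
        if m:
            return m.group("primary")
    return None


def signature_belongs_to_project(status_output: str, project: str) -> bool:
    """True only if the signature is good AND made with that project's key."""
    fpr = signer_primary_fingerprint(status_output)
    return fpr is not None and fpr in PROJECT_KEYS.get(project, [])


def verify_tag_for_project(tag: str, project: str, repo: str = ".") -> bool:
    """Hypothetical release-script helper; needs git and gpg installed."""
    proc = subprocess.run(
        ["git", "-C", repo, "verify-tag", "--raw", tag],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode == 0 and signature_belongs_to_project(proc.stderr, project)


# Constructed sample: a good signature made with a subkey (...0011) of the
# "qubes" project key (...0001).
SAMPLE_GOOD_QUBES = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000001 Example Qubes Signing Key <qubes@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000011 2019-01-12 1547254000 0 4 0 1 8 01 0000000000000000000000000000000000000001
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""

# Constructed sample: the signature did not verify at all.
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0000000000000001 Example Qubes Signing Key <qubes@example.invalid>
"""

if __name__ == "__main__":
    print(signature_belongs_to_project(SAMPLE_GOOD_QUBES, "qubes"))          # True
    print(signature_belongs_to_project(SAMPLE_GOOD_QUBES, "other-project"))  # False
    print(signature_belongs_to_project(SAMPLE_BAD, "qubes"))                 # False
```

The second call is the interesting one: the signature is cryptographically fine, but because the "qubes" key is not registered for "other-project" it is refused, which is the distinction a single shared key cannot give a verifier.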
Re: [qubes-users] Salt orchestration
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256

On Mon, Jan 07, 2019 at 12:20:31PM -0500, Brian C. Duggan wrote:
> On 1/4/19 3:08 PM, Brian C. Duggan wrote:
> > 2. Salt should ensure that service VMs are running before Salt applies
> > states to their client VMs. For example, I have a service VM that
> > exports gpg-agent's SSH socket through Qrexec. This VM needs to be
> > running so that the client VM can clone git repos using keys on the
> > service VM.
>
> I did some more testing. Of course, Qubes starts halted VMs when another
> VM makes a Qrexec RPC call to it. The calling process on the client VM
> will block until the service VM starts and the RPC call returns. So this
> isn't really a valid use case for orchestration.
>
> At first, I thought the SSH authentication attempts failed because the
> service VM wasn't started yet. After more testing, I can see that the
> systemd socket service just doesn't work at the stage during initial
> boot that Salt runs. The socket file exists at this stage, though. SSH
> authentication succeeds during subsequent Salt runs after the VM is booted.
>
> But I've also noticed that sometimes a new app VM's grain ID is still
> the template's ID when Salt processes templates.

That shouldn't happen in theory... Can you give more details, especially
which templates, and qubes* packages version?

Additionally, even if grain['id'] doesn't match, target VM will get access
to other's VM pillar data - it's enforced when copying pillar data out of
dom0.

> This can be a problem when both dom0 and app VMs need the same pillar data:
>
> pillar/app/client-vm-1.sls:
> app:
>   client-vm-1:
>     server-name: server-vm-1
>
> pillar/app/client-vm-2.sls:
> app:
>   client-vm-2:
>     server-name: server-vm-1
>
> pillar/top.sls:
> base:
>   dom0,client-vm-1:
>     - match: list
>     - app.client-vm-1
>   dom0,client-vm-2:
>     - match: list
>     - app.client-vm-2
>
> dom0 needs the combined app data to set RPC policies between the clients
> and their servers.
> The clients need their own data to configure which service VM to send
> their RPC to. It's convenient for clients to find it through
> pillar['app'][grains['id']]. Maybe there's a better way of constructing
> this pillar data?

The fact that you'll see only the right pillar data, regardless of
grains['id'] may help you. You can iterate over 'app' dict and use whatever
you find there, regardless of the first key name level. It will complicate
your configuration, but until proper solution is found, it should work.

> Is there a way to delay Salt execution on VMs until they are fully booted?

By default it's delayed until qrexec-agent is started, which should be
after essential services. If you want, you may:

1. Add a state waiting for user session and order other things after it.
   This won't help with grains and such things, as salt loads them before
   considering states, but may help with some states, if they are dependent
   on running X server for example. For this, add this:

   /etc/qubes-rpc/qubes.WaitForSession:
     cmd.run:
       - runas: user

2. Configure qubes.VMRootShell qrexec service in a VM (used by salt) to
   wait for user session. This will affect the whole salt call for that VM.
   But also means it will wait indefinitely if no user session is started
   at all (for example you're logged out of dom0). For this create
   /etc/qubes/rpc-config/qubes.VMRootShell in the template with
   "wait-for-session=1" inside.

> For the curious, I'm using a Salt formula to set up access to gpg-agent
> on a service VM from client VMs through Qrexec:
>
> https://gitlab.com/bcduggan/qrexec-gpg-agent-formula

One MAJOR problem with giving unfiltered access to gpg-agent is that,
client can request gpg-agent to export secret keys. Which defeats the whole
purpose of keeping secret keys in separate qube - that client has no access
to its secret part.
You may want to look at https://github.com/hw42/qubes-app-linux-split-gpg2/ I think this problem does not apply to ssh-agent protocol, which AFAIK does not allow client to extract secret keys. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlw5N7kACgkQ24/THMrX 1yzQPwf+I1+7XjklLKxfGUVG1mBMWUdsvv5WOchp4uhWJeNpZVlavCLZNj0S09IL T5kGdw0/oM78LDnFRPlAEXRp/w/r2pg1Q0aA/dG7iyQsMWdzqYl/uAdNEpx2ML+h 6T7pRrTCBMUrxAub5rJq3xpGPgfwA9JwCDrR8h4xVC55grUuvMOuR5PH/A1ksbg8 c/RfU/GeTGPjjisEAyYARSM29BT098BD3IcZjaMe1X2jnaQkdZYJnf6nDZ+qMR7t Thy21mn45BPVcM1TF1012waXimlz9utVI3zytUKDZHURQtfWwTzKB3UOwmOH7460 u2qWHMnEOURbzGBUcp2oiXiG3JEFSA== =DMM5 -END PGP SIGNATURE- -- You received this message because you are
Re: [qubes-devel] Re: [qubes-users] qubes dom0 update breaks template updating
On Fri, Jan 11, 2019 at 11:23:00AM +0000, qtpie wrote:
> Marek Marczykowski-Górecki:
> > On Wed, Jan 09, 2019 at 10:19:00PM +0000, qtpie wrote:
> > > The latest dom0 update broke updating my templates. I altered
> > > /etc/qubes-rpc/policy/qubes.UpdatesProxy to change the updateproxy to
> > > sys-whonix.
> >
> > Can you explain what/how exactly it's broken?
> > /etc/qubes-rpc/policy/qubes.UpdatesProxy should not be overridden by an
> > update, so any local modifications should remain. Also, using sys-whonix
> > as updates proxy is a valid configuration we test regularly and did not
> > spot any issues recently...
>
> I can't reproduce the exact situation anymore. What was broken was that
> on apt update or dnf upgrade, I got a 500 error on the repository URL,
> and the error below.
>
> The error below I can still trigger by commenting out the line starting
> with $type, and uncommenting the line starting with $tag.

If you leave _only_ lines with $tag, then templates without that tag won't
have access to any updates proxy (as you define it only for templates with
a tag).

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2019013910.GD1205%40mail-itl.
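Marek's caveat above in runnable form, together with the "dom0 needs the combined app data to set RPC policies" point from the Salt orchestration thread earlier on this page. This is an added example written for this page, not Qubes' or the Salt formula's own code: the qrexec policy grammar is modelled on the R4.0 `/etc/qubes-rpc/policy/*` format seen in the thread, simplified to first-match-wins with `$anyvm`, `$type:`, `$tag:` or a literal VM name as source, a `$default`/`$anyvm`/literal target and an optional `target=` override; every VM name, tag, pillar entry and policy text is constructed sample data, and since the page does not name the qrexec service the gpg-agent formula uses, the generated lines are shown without a policy file name.

```python
# Added example for this page, not Qubes' or the Salt formula's code: a
# minimal model of an R4.0 qrexec policy file.  Names, tags and policy
# texts below are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class VM:
    name: str
    klass: str                       # e.g. "TemplateVM", "AppVM"
    tags: Set[str] = field(default_factory=set)


@dataclass
class Rule:
    source: str                      # $anyvm | $type:X | $tag:X | vm name
    target: str                      # $default | $anyvm | vm name
    action: str                      # allow | deny
    redirect: Optional[str] = None   # value of target=..., if given

    @classmethod
    def parse(cls, line: str) -> "Rule":
        source, target, action_spec = line.split()
        action, _, opts = action_spec.partition(",")
        redirect = None
        for opt in filter(None, opts.split(",")):
            key, _, value = opt.partition("=")
            if key == "target":
                redirect = value
        return cls(source, target, action, redirect)


def parse_policy(text: str) -> List[Rule]:
    """Blank lines and '#' comments are not rules; everything else is."""
    return [Rule.parse(raw.strip()) for raw in text.splitlines()
            if raw.strip() and not raw.strip().startswith("#")]


def source_matches(selector: str, vm: VM) -> bool:
    if selector == "$anyvm":
        return True
    if selector.startswith("$type:"):
        return vm.klass == selector[len("$type:"):]
    if selector.startswith("$tag:"):
        return selector[len("$tag:"):] in vm.tags
    return selector == vm.name


def evaluate(rules: List[Rule], source: VM, target: str = "$default") -> Optional[str]:
    """First matching line wins.  Returns the VM that serves the call, or None
    when denied: explicitly, or because no line matched at all (where an
    untagged template against a $tag:-only policy ends up)."""
    for rule in rules:
        if not source_matches(rule.source, source):
            continue
        if rule.target not in (target, "$anyvm"):
            continue
        if rule.action != "allow":
            return None
        if rule.redirect:
            return rule.redirect
        return None if target == "$default" else target
    return None


# (1) qubes.UpdatesProxy.  Modelled on the stock R4.0 file: templates tagged
# whonix-updatevm use sys-whonix, every other template uses sys-net.
UPDATES_PROXY_STOCK = """
$tag:whonix-updatevm $default allow,target=sys-whonix
$type:TemplateVM $default allow,target=sys-net
"""
# The edit from the thread: $type: line commented out, only $tag: left.
UPDATES_PROXY_TAG_ONLY = """
$tag:whonix-updatevm $default allow,target=sys-whonix
#$type:TemplateVM $default allow,target=sys-net
"""
# Routing every template via sys-whonix: change the $type: line's target.
UPDATES_PROXY_ALL_WHONIX = "$type:TemplateVM $default allow,target=sys-whonix\n"

WHONIX_TEMPLATE = VM("whonix-gw-14", "TemplateVM", {"whonix-updatevm"})
FEDORA_TEMPLATE = VM("fedora-29", "TemplateVM")

# (2) Policy lines from the merged 'app' pillar that dom0 sees in the Salt thread.
APP_PILLAR: Dict[str, Dict[str, str]] = {
    "client-vm-1": {"server-name": "server-vm-1"},
    "client-vm-2": {"server-name": "server-vm-1"},
}


def policy_from_pillar(app: Dict[str, Dict[str, str]]) -> str:
    """dom0 side: one explicit allow per client, then deny everything else."""
    lines = ["{} {} allow".format(client, cfg["server-name"])
             for client, cfg in sorted(app.items())]
    return "\n".join(lines + ["$anyvm $anyvm deny"]) + "\n"


def server_for_client(app: Dict[str, Dict[str, str]]) -> str:
    """Client side: the VM only receives its own entry, so use whatever the
    single key holds instead of indexing by grains['id']."""
    (cfg,) = app.values()
    return cfg["server-name"]
```

Evaluating `UPDATES_PROXY_TAG_ONLY` for `fedora-29` yields no proxy at all while `whonix-gw-14` still resolves to `sys-whonix`, which is the situation Marek describes; sending every template through sys-whonix is a matter of changing the `$type:TemplateVM` line's `target=`, not deleting the line. The pillar half shows the two sides of the Salt thread: dom0 iterates the merged dict to emit one allow per client plus a final deny, and a client reads the single entry it was given without knowing its own name.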
Re: [qubes-users] "Qubes Update" icon (Sun Looking icon on top right)
On Tue, Jan 08, 2019 at 06:53:03AM -0800, 22...@tutamail.com wrote:
> Just played around again with the sun icon, this time starting my whonix-gw
> template used for template updates prior, a couple of observations:
>
> Seems to work fine when updating Debian and Fedora 29 templates, at least the
> messages I get in the details appear positive, listing the updates/changes,
> green check marks, etc
>
> However when I try to update my whonix14 templates (both -ws and -gw) I get
> what appears to be errors. I still don't know how to copy errors from Dom0 to
> an appvm but the errors end with:
>
> File"/var...salt...futures import cancelledError
> ImportError: No module named concurrent.futures
> ...

See here: https://github.com/QubesOS/qubes-issues/issues/4272

It shouldn't be an issue for new templates, but for older installs, you need
to install python-concurrent.futures manually there.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190110202015.GA1292%40mail-itl.
Re: [qubes-users] qubes dom0 update breaks template updating
On Wed, Jan 09, 2019 at 10:19:00PM +0000, qtpie wrote:
> The latest dom0 update broke updating my templates. I altered
> /etc/qubes-rpc/policy/qubes.UpdatesProxy to change the updateproxy to
> sys-whonix.

Can you explain what/how exactly it's broken?
/etc/qubes-rpc/policy/qubes.UpdatesProxy should not be overridden by an
update, so any local modifications should remain. Also, using sys-whonix as
updates proxy is a valid configuration we test regularly and did not spot
any issues recently...

> My solution is to uncomment the lines starting with 'tag', while leaving
> the lines in the old formatting untouched.
>
> This solution seems weird since here it is suggested that the lines
> starting with 'tag' should replace the other lines:
> https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/commit/ca27a33b0ec59f5ea2d4b334973eaa837f11ffc4
>
> I'm not saying this is a bug, I can understand that an update is not
> compatible with certain customisations and it is the user's responsibility
> to fix this.
>
> In any case - enjoying Qubes everyday!

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190110004925.GE7536%40mail-itl.
Re: [qubes-users] mooltipass hardware password manager
On Wed, Jan 09, 2019 at 03:26:02PM -0800, Benjamin Richter wrote:
> Hi,
>
> I have a Mooltipass Mini Hardware Password manager
> (https://www.themooltipass.com/), which identifies as a USB keyboard in order
> to input passwords.
>
> I can attach the USB device to a VM to connect to the mooltipass mini and put
> in credentials, but I cannot get it to input the password, neither
> by attaching it to a VM directly,

This may be about permissions to /dev/input/event* device files in the
target qube. See X server log about it. If that's the case, you need a
udev rule to allow it, like this:

/etc/udev/rules.d/90-allow-input-for-qubes.rules:
KERNEL=="event*", GROUP="qubes", MODE="0660"

> nor by leaving it in the USB qube via the input proxy.
> The key events just don't seem to turn up anywhere.

I'm not sure how this device really works, but with input proxy it may be
missing some feedback channel (browser -> device), for example to choose the
right credentials.

> I'm running latest stable R4. My USB keyboard, touchpad and touchscreen work,
> also I don't have any problems with other USB devices. How can I debug this
> further?
>
> journalctl output while connecting:
>
> Jan 10 00:21:07 sys-usb kernel: usb 2-1: new full-speed USB device number 10 using xhci_hcd
> Jan 10 00:21:07 sys-usb kernel: usb 2-1: New USB device found, idVendor=16d0, idProduct=09a0
> Jan 10 00:21:07 sys-usb kernel: usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
> Jan 10 00:21:07 sys-usb kernel: usb 2-1: Product: Mooltipass
> Jan 10 00:21:07 sys-usb kernel: usb 2-1: Manufacturer: SE
> Jan 10 00:21:07 sys-usb kernel: hid-generic 0003:16D0:09A0.001B: hiddev96,hidraw1: USB HID v1.11 Device [SE Mooltipass] on usb-0000:00:07.0-1/input0
> Jan 10 00:21:07 sys-usb kernel: input: SE Mooltipass as /devices/pci0000:00/0000:00:07.0/usb2/2-1/2-1:1.1/0003:16D0:09A0.001C/input/input36
> Jan 10 00:21:07 sys-usb kernel: hid-generic 0003:16D0:09A0.001C: input,hidraw2: USB HID v1.11 Keyboard [SE Mooltipass] on usb-0000:00:07.0-1/input1
> Jan 10 00:21:07 sys-usb mtp-probe[30635]: checking bus 2, device 10: "/sys/devices/pci0000:00/0000:00:07.0/usb2/2-1"
> Jan 10 00:21:07 sys-usb mtp-probe[30635]: bus: 2, device: 10 was not an MTP device
> Jan 10 00:21:07 sys-usb kernel: audit: type=1130 audit(1547076067.807:236): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=qubes-input-sender-keyboard@event6 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Jan 10 00:21:07 sys-usb audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=qubes-input-sender-keyboard@event6 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Jan 10 00:21:07 sys-usb systemd[1]: Started Qubes input proxy sender (keyboard).

This looks promising. What do you have in
/etc/qubes-rpc/policy/qubes.InputKeyboard in dom0?

As your USB keyboard works, you probably have it configured correctly
already, but see https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard

You can also see qrexec connections log in dom0 with
`journalctl SYSLOG_IDENTIFIER=qrexec` (or simply grep for qrexec, if you
hate to type that long field name...)

Checking if X server in dom0 sees the device (xinput tool) also may be
helpful. evtest in dom0 may also give some hints.

> Jan 10 00:21:07 sys-usb systemd-logind[436]: Watching system buttons on
> /dev/input/event6 (SE Mooltipass)
(...)
> Testing ... (interrupt to exit)
> ***
> This device is grabbed by another process.

This is most likely the input proxy. Which means it's running.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190110004740.GD7536%40mail-itl.
Re: [qubes-users] Installing snaps in appvms?
On Wed, Jan 09, 2019 at 07:11:50PM -0500, Chris Laprise wrote:
> On 01/09/2019 06:41 PM, Stumpy wrote:
> > On 1/8/19 7:59 PM, 'awokd' via qubes-users wrote:
> > > Stumpy wrote on 1/9/19 12:07 AM:
> > > > On 1/8/19 7:04 PM, Stumpy wrote:
> > > > > I thought I had snap installed but the app I installed via
> > > > > snap now does not seem to be working? I installed snapd in
> > > > > dom0 then tried installing a snap package in one of appvms
> > > > > but I am getting errors. If I try to run a snap from dom0:
> > > > > qvm-run gfx /snap/bin/xnview
> > > > >
> > > > > I get:
> > > > > Running '/snap/bin/xnview/ on gfx
> > > > > gfx: command failed with code: 1
> > > > >
> > > > > when I try to run it within the appvm I get:
> > > > > user@gfx:~$ xnview
> > > > > Can not open /var/lib/snapd/seccomp/profiles//snap.xnview.xnview (No such file or directory)
> > > > > aborting: No such file or directory
> > > > >
> > > > > thoughts? please?
> > > >
> > > > oh, and if I try to reinstall the app I get:
> > > > user@gfx:~$ sudo snap install xnview
> > > > snap "xnview" is already installed
> > >
> > > Nothing should be installed to dom0. You'd have to install snapd in
> > > a template, and possibly the snap package. You might want to create
> > > a Standalone VM and install everything in there, instead of
> > > templates & AppVMs.
> >
> > Thanks, I had thought I had to install on dom0 as well, perhaps not,
> > though when I try to:
> >
> > sudo snap install xnview from the template I get:
> > user@debian-9:~$ sudo snap install xnviewmp
> > error: cannot install "xnviewmp": Get
> > https://search.apps.ubuntu.com/api/v1/snaps/details/core?channel=stable=anon_download_url%2Carchitecture%2Cchannel%2Cdownload_sha3_384%2Csummary%2Cdescription%2Cdeltas%2Cbinary_filesize%2Cdownload_url%2Cepoch%2Cicon_url%2Clast_updated%2Cpackage_name%2Cprices%2Cpublisher%2Cratings_average%2Crevision%2Cscreenshot_urls%2Csnap_id%2Csupport_url%2Ctitle%2Ccontent%2Cversion%2Corigin%2Cdeveloper_id%2Cprivate%2Cconfinement:
> > dial tcp: lookup search.apps.ubuntu.com on 10.137.3.254:53: dial udp
> > 10.137.3.254:53: connect: network is unreachable
> >
> > So I was thinking that doing a qubes-dom0-update something so it could
> > get through? For the life of me I can't figure out what I did on my other
> > computer to make it work but it works fine there.
> >
> > I forgot to mention, it is installed in the appvm:
> >
> > user@debian-9:~$ sudo apt-get install snapd
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > snapd is already the newest version (2.21-2+b1).
> > 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
> >
> > ideas?
>
> Only apt is configured to access servers through the special Qubes proxy.
> Since templates have networking turned off by default, that means nothing
> else can download packages or data.
>
> In the short term, you can try enabling networking temporarily for the
> template while you install snap packages. Just set the netvm in the
> template's settings.
>
> In the long term, Qubes users may benefit from a special accommodation of
> snap, which has become a versatile and important way to install software.
> Support could include access through the update proxy and even special
> storage capabilities. Would be a good idea to open an enhancement issue for
> this. :)

There is some progress on this already:
https://github.com/QubesOS/qubes-issues/issues/2766

The current state is: you can install "qubes-snapd-helper" package in
_template_, to be able to install snaps in qubes _based on that template_.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190110003247.GC7536%40mail-itl.
Re: [qubes-users] Re: Qubes OS 4.0.1 has been released!
On Wed, Jan 09, 2019 at 01:35:42AM -0800, Lorenzo Lamas wrote:
> I see the hashes are different to 4.0.1-RC2. What has changed compared to RC2?

Minor fix to update widget[1] plus a rebuild with "4.0.1" as a version,
instead of "4.0.1-rc2".

[1] https://github.com/QubesOS/qubes-issues/issues/4667

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190109101123.GB7536%40mail-itl.
[qubes-users] Qubes OS 4.0.1 has been released!
Dear Qubes Community,

We're pleased to announce the release of Qubes 4.0.1! This is the first
stable point release of Qubes 4.0. It includes many updates over the initial
4.0 release, in particular:

- All 4.0 dom0 updates to date, including a lot of bug fixes and
  improvements for GUI tools
- Fedora 29 TemplateVM
- Debian 9 TemplateVM
- Whonix 14 Gateway and Workstation TemplateVMs
- Linux kernel 4.14

Qubes 4.0.1 is available on the [Downloads] page.

What is a point release?
------------------------

A point release does not designate a separate, new version of Qubes OS.
Rather, it designates its respective major or minor release (in this case,
4.0) inclusive of all updates up to a certain point. Installing Qubes 4.0
and fully updating it results in the same system as installing Qubes 4.0.1.

What should I do?
-----------------

If you're currently using an up-to-date Qubes 4.0 installation (including
updated Fedora 29, Debian 9, and Whonix 14 templates), then your system is
already equivalent to a Qubes 4.0.1 installation. No action is needed.

Similarly, if you're currently using a Qubes 4.0.1 release candidate
(4.0.1-rc1 or 4.0.1-rc2), and you've followed the standard procedure for
keeping it up-to-date, then your system is equivalent to a 4.0.1 stable
installation, and no additional action is needed.

If you're currently using Qubes 4.0 but don't have these new templates
installed yet, we recommend that you follow the appropriate documentation
to do so:

- [Fedora 29]
- [Debian 9]
- [Whonix 14]

Regardless of your current OS, if you wish to install (or reinstall) Qubes
4.0 for any reason, then the 4.0.1 ISO will make this more convenient and
secure, since it bundles all Qubes 4.0 updates to date. It will be
especially helpful for users whose hardware is too new to be compatible
with the original Qubes 4.0 installer.

[Downloads]: https://www.qubes-os.org/downloads/
[Fedora 29]: https://www.qubes-os.org/doc/template/fedora/upgrade-28-to-29/
[Debian 9]: https://www.qubes-os.org/doc/template/debian/upgrade-8-to-9/
[Whonix 14]: https://www.whonix.org/wiki/Upgrading_Whonix_13_to_Whonix_14

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2019/01/09/qubes-401/

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190109024925.GJ5040%40mail-itl.
[qubes-users] Qubes Canary #18
st the contents of this file blindly! Verify the digital signatures!

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2019/01/08/canary-18/

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190109024304.GI5040%40mail-itl.
Re: [qubes-users] Re: fed29 templates/upgrade
On Fri, Jan 04, 2019 at 05:37:07AM -0600, Andrew David Wong wrote:
> On 1/3/19 11:31 PM, John S.Recdep wrote:
> > On 1/3/19 2:51 PM, 22rip-2xk3N/kkaK1Wk0Htik3J/w...@public.gmane.org wrote:
> > > Thanks 799...I learned something!
> > >
> > > Similar to 799 but less hardcore...I always download a fresh
> > > template (vs upgrade). In my case I ran with a full/fresh
> > > Fedora-29 after the Fedora-28 hplip issues, and added any new
> > > software from fresh:
> > >
> > > https://www.qubes-os.org/doc/templates/
> >
> > hmm, ok let's say I just use the new fresh 29 template, is there
> > some way that I can know what non-stock software I installed on my
> > Fedora-28 template, as I can't remember all that I may have
> > installed
>
> This is more of a Fedora question than a Qubes question. As far as I
> know, there isn't a clean way to do this. Following Marek's advice
> from years ago, I just keep a list of the packages that I install in
> each of my templates.

Since some dnf version it is possible:

    sudo dnf history userinstalled

dnf mark can be used to adjust the list (without actually
installing/removing packages).

This may list some more packages, as it will include default packages
installed by the template builder. But should be a good starting point for
such a list.

> > So, no advice on upgrading from my 28 template at this time? I find
> > it strange that the template is in the dom0 updates available, but
> > I see no notice in the news section on qubes website nor here
> > ..
>
> See:
> https://github.com/QubesOS/qubes-issues/issues/4223
> and
> https://github.com/QubesOS/qubes-doc/pull/739
>
> > Seems like this happened with 28 release as well

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190104121352.GN23474%40mail-itl.
Re: [qubes-users] Re: 4.0.1-RC2 Boot loop after install
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Dec 26, 2018 at 09:24:01AM -0800, John Goold wrote: > On Thursday, 20 December 2018 22:02:00 UTC-3:30, John Goold wrote: > > Attached is screenshot, taken under my current OS, showing OS and hardware > > info. > > > > After spending much too much time trying to track the problem down (using > > the 4.0, 4.0.1-RC1 and 4.0.1-RC2 ISOs) I discovered why getting the > > installer to run was failing... > > > > I had to unplug my external monitor (connected via an HDMI port). > > > > I was then able to boot the install DVD and install to an external USB > > (SSD) drive (Seagate 2 TB). The install completed (supposedly > > successfully), but attempts to boot from the USB drive fail. > > > > The boot process starts, with text being displayed starting in the top left > > corner of the screen. It progresses to a point, then the screen goes black > > and my computer starts to reboot. > > > > I have searched the mailing list and have failed to find a solution (hours > > spent doing this). A lot of people seem to end up in boot-loops, using > > various hardware. > > > > The attached file shows the hardware. The following information about the > > BIOS/Firmware may be relevant: > > > > * Legacy Boot is enabled > > * Virtualization Technology is enabled > > > > During the install I setup a user account. I did not enable disk encryption > > (I will leave that until after I can get Qubes to boot). > > > > Comment: This boot-loop problem (or similar boot-loop problems) seems to be > > a major issue with installing Qubes 4.x. Each time I come across a posting > > about it, there seem to be different suggestions (some of which work on the > > particular hardware involved) and some of which do not. > > > > I believe that I tried R3.1 about a year or so ago and that it booted > > alright. I cannot remember why I did not follow through on adopting Qubes > > (if I could not get my external monitor working, that would be a > > deal-breaker). 
> > > > Suggestions would be appreciated. I will provide any additional information > > I am capable of. > > This thread is getting verbose, so I have replied to the original post and > will attempt a brief summary of the rest of the thread (for context): > > Determining what is happening would be facilitated by seeing any entries in > log files (assuming the boot got far enough to log anything). > > That means checking files on the USB drive used as the target of the install > and which causes the boot-loop when attempting to boot. > > Since the boot is failing, I cannot look at the log files under the booted > Qubes OS, so instead I attempted to look for the log files when booted into > another OS (Linux Mint 19.1). > > Qubes is using LVM to handle allocating disk space (presumably to facilitate > being able to add additional physical disks to an existing Qubes install). > There appeared, at first glance to be 3 Logical volumes: > > pool00 > root > swap > > Linux Mint mounted the LV "swap" automatically, but not the other two. The > other two appear not to be "activated" and mount attempts failed. Attempts to > "activate" the LVs fail. > > After searching the Net for information on LVM, I came across an article that > helped me understand the Qubes setup better… > > There is one Logical Volume Group called "qubes_dom0". > Within that there is a Logical Volume, "swap", that is detected and mounted > automatically by my Linux Mint installation. > Additionally, there is a "Thin Pool" allocated that uses up the rest of the > space in the Volume Group. It is distinguished by information displayed by > the lvdisplay command ("LV Pool metadata" and "LV Pool data"). > > Within that "thin pool", a logical volume, "root" has been created that uses > all the disk space currently assigned. Yes, that's right. - From what I've seen in this thread, you did it right, but the system you used didn't support thin volumes. 
You can try the Qubes installation image, there is a recovery mode ("Rescue" in the boot menu in legacy mode). Another thing you can try is to press ESC during boot to see more messages than just the progress bar. If that doesn't really help, try editing the boot entry in grub and removing the "quiet" and "rhgb" options from there. This should give you more details about when exactly the system reboots.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [qubes-users] Qubes extensions usage / installation
On Wed, Oct 17, 2018 at 10:24:47PM -0700, nils.am...@gmail.com wrote:
> Hi everyone,
>
> I'm trying to run some commands whenever a VM is started or a device is attached to a VM. I came upon this Github comment by Marek which says that this is possible with Qubes extensions:
> https://github.com/QubesOS/qubes-issues/issues/4126#issuecomment-40645
>
> I wrote a simple Qubes extension with the following project structure:
>
> my_extension/
> * my_extension/
>   ** __init__.py
> * setup.py
>
> With the following `setup.py`:
>
> ```
> #!/usr/bin/env python3
>
> import setuptools
>
> if __name__ == '__main__':
>     setuptools.setup(
>         name='my_extension',
>         version="1.0",
>         author='Nils Amiet',
>         author_email='nils.am...@foobar.tld',
>         description='My extension',
>         license='GPLv3',
>         url='https://foobar.tld',
>
>         packages=('my_extension',),
>
>         entry_points={
>             'qubes.ext': [
>                 'my_extension = my_extension:MyExtension',
>             ],
>         }
>     )
> ```
>
> And `__init__.py`:
>
> ```
> import qubes.ext
>
>
> class MyExtension(qubes.ext.Extension):
>     @qubes.ext.handler("domain-start", system=True)

'domain-start' event is called on VM object, so it should not have system=True. system=True is needed for events on Qubes() main object itself, like property-set:default_template.

>     def on_vm_start(self, app, event, vm, **kwargs):

For system=False events, it should be:

    def on_vm_start(self, vm, event, **kwargs):

If you need to access app, you can still do that through vm.app.

>         with open("/tmp/my_extension.log", "a+") as fout:
>             print("Started vm: {}".format(vm), file=fout)
>
> ```
>
> Now, I installed this extension on a deployed Qubes OS installation in dom0 with `sudo ./setup.py install` but the file `/tmp/my_extension.log` is never created after having started some VMs. I was expecting to see something being written there.

Besides the system=True, everything else looks ok. Remember to restart qubesd service after installing the extension.
> Why is my extension not being loaded? Am I missing something here? How can I debug extensions and make sure they are being loaded? Is there a log somewhere?
>
> Is Qubes OS going to call my `on_vm_start()` function whenever a VM is started just by installing the extension with `setup.py install`? What should I do so that it does?
>
> Thank you and have a nice day,
>
> Nils

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181019103403.GA13191%40mail-itl.
For more options, visit https://groups.google.com/d/optout.
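The corrected shape of the extension from this thread, as an added example (not Nils's code and not the Qubes project's code): 'domain-start' is fired on the VM object, so the handler takes (vm, event, **kwargs) without system=True, while system=True belongs to events fired on the Qubes() object itself. `Extension`, `handler` and `fire_event` below are constructed stand-ins for `qubes.ext` and for qubesd's dispatch so the module runs outside dom0; in dom0 the first two are replaced by `import qubes.ext`, and the class body is unchanged.

```python
import os
import tempfile


# --- stand-ins for qubes.ext (constructed; the attribute names are ours) ---
class Extension:
    """Minimal base class standing in for qubes.ext.Extension."""


def handler(*events, system=False):
    """Stand-in for qubes.ext.handler: tag a method with the events it handles
    and whether it is a system-level handler (subject is the Qubes() object)."""
    def decorator(func):
        func.events = events
        func.system = system
        return func
    return decorator


def fire_event(extension, app, subject, event, **kwargs):
    """Simplified model of how qubesd dispatches an event to an extension:
    handlers registered with system=True receive the Qubes() app as subject,
    all others receive the object the event was fired on (here a VM)."""
    results = []
    for name in dir(extension):
        func = getattr(extension, name)
        if event not in getattr(func, "events", ()):
            continue
        results.append(func(app if func.system else subject, event, **kwargs))
    return results


# The thread uses /tmp/my_extension.log; made overridable here so the example
# can run anywhere.
LOG_PATH = os.environ.get("MY_EXTENSION_LOG",
                          os.path.join(tempfile.gettempdir(), "my_extension.log"))


class MyExtension(Extension):
    # Per-VM event: no system=True, and the VM is the first argument.
    @handler("domain-start")
    def on_vm_start(self, vm, event, **kwargs):
        line = "Started vm: {}".format(vm)
        with open(LOG_PATH, "a") as fout:
            print(line, file=fout)
        # vm.app is how a per-VM handler reaches the Qubes() object if needed.
        return line

    # Event fired on the Qubes() object itself: here system=True is correct.
    @handler("property-set:default_template", system=True)
    def on_default_template_set(self, app, event, **kwargs):
        return "default_template is now {}".format(kwargs.get("newvalue"))


class FakeVM:
    """Constructed stand-in for a VM object: str(vm) is its name, vm.app the app."""
    def __init__(self, name, app):
        self.name, self.app = name, app

    def __str__(self):
        return self.name


if __name__ == "__main__":
    app = object()
    ext = MyExtension()
    print(fire_event(ext, app, FakeVM("work", app), "domain-start"))
    print(fire_event(ext, app, app, "property-set:default_template",
                     name="default_template", newvalue="fedora-28"))
```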
Re: [qubes-users] dispVM shuts down immediately after starting (I'm trying to run xterm)
On Mon, Oct 15, 2018 at 11:19:54PM +, floasretch wrote:
> ‐‐‐ Original Message ‐‐‐
> On Monday, October 15, 2018 4:52 PM, Marek Marczykowski-Górecki wrote:
>
> > > Same result with qubes.StartApp+debian-xterm
> > > Per your response, I verified that whonix-ws-dvm does have /usr/share/applications/debian-xterm.desktop (and whonix-ws-dvm itself starts and runs with no problem).
> >
> > I've tried the same command on my whonix-ws-14-dvm and it works...
> > Is your whonix-ws-dvm Whonix 13, or updated to Whonix 14?
>
> Whonix 14. Originally was 13 (installed with Qubes 4.0), then updated when 14 was released.
>
> I verified /etc/whonix_version in both whonix-ws and whonix-ws-dvm. They're both 14.
>
> BTW, I haven't been using disposable VMs at all for the past couple months, so I have no idea whether my problem is recent or old. In fact, the last time I did was with the Fedora DVM, and I've deleted it since then. Today was the first time I ever tried using any DVM other than Fedora.
>
> Qubes and all templates are fully updated.
>
> Is there a log somewhere?

You can add --pass-io, to see service stdout/stderr. Maybe this will give some hints.

Alternatively, you can try doing the same in a non-disposable VM, for example whonix-ws-dvm itself. Simply drop --dispvm and add the VM name before the service name, like this:

    qvm-run --service -- whonix-ws-dvm qubes.StartApp+debian-xterm

And see if xterm will launch. Then, you can inspect ~/.xsession-errors in that VM, or various logs in /var/log. If no terminal is started at all, you can access the VM console with `sudo xl console whonix-ws-dvm` (exit with Ctrl+]).

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181015232912.GL19709%40mail-itl.
Re: [qubes-users] dispVM shuts down immediately after starting (I'm trying to run xterm)
On Mon, Oct 15, 2018 at 10:41:45PM +, floasretch wrote:
> ‐‐‐ Original Message ‐‐‐
> On Monday, October 15, 2018 3:34 PM, Marek Marczykowski-Górecki wrote:
>
> > > [user@dom0 ~]$ qvm-run --verbose --autostart --dispvm=whonix-ws-dvm --service -- qubes.StartApp+xterm
> > > Running 'qubes.StartApp+xterm' on $dispvm:whonix-ws-dvm
> > > [user@dom0 ~]$
> > > Is there a log somewhere to tell me what's going wrong?
> >
> > The +xterm part should be the base name of a .desktop file in /usr/share/applications (or other directory per XDG standard). xterm on Debian happens to have debian-xterm.desktop, so it should be qubes.StartApp+debian-xterm.
>
> Same result with qubes.StartApp+debian-xterm
>
> Per your response, I verified that whonix-ws-dvm does have /usr/share/applications/debian-xterm.desktop (and whonix-ws-dvm itself starts and runs with no problem).

I've tried the same command on my whonix-ws-14-dvm and it works...
Is your whonix-ws-dvm Whonix 13, or updated to Whonix 14?

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181015225209.GK19709%40mail-itl.
Re: [qubes-users] dispVM shuts down immediately after starting (I'm trying to run xterm)
On Mon, Oct 15, 2018 at 07:03:50PM +, 'floasretch' via qubes-users wrote:
> On Qubes 4.0, when I try to start a dispVM, I get a popup notice that it's starting, then a popup that it started, then a popup that it halted. I get no error message, even when I specify --verbose:
>
> [user@dom0 ~]$ qvm-run --verbose --autostart --dispvm=whonix-ws-dvm --service -- qubes.StartApp+xterm
> Running 'qubes.StartApp+xterm' on $dispvm:whonix-ws-dvm
> [user@dom0 ~]$
>
> Is there a log somewhere to tell me what's going wrong?

The +xterm part should be the base name of a .desktop file in /usr/share/applications (or other directory per XDG standard). xterm on Debian happens to have debian-xterm.desktop, so it should be qubes.StartApp+debian-xterm.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181015213452.GB4138%40mail-itl.
Re: [qubes-users] Installing qr-exec on HVM
On Fri, Oct 05, 2018 at 02:38:28PM -0700, Will Dizon wrote:
> Unfortunately, it didn't work still when qubes-gui-agent was running.
>
> I tried recompiling everything again, and the results have changed quite a bit. Now, instead of autohiding the HVM window in dom0, I can see a very clear failure which points me in the direction of Xorg instead.
>
> Sadly, this feels like a regression, but alas... I'm sure I'll get there eventually.
>
> As far as "xl console lfs", dom0 reports "unable to attach console". And in terms of dom0, it is still giving no sense of failure:
>
> $ qvm-run --pass-io personal whoami
> user
> $ qvm-run --pass-io lfs whoami
> $ qvm-run lfs "touch /tmp/dummy"
> Running 'touch /tmp/dummy' on lfs
>
> Needless to say, /tmp/dummy doesn't ever emerge.
>
> The new error is
>
> systemctl status qubes-gui-agent.service
> ...
> Process: 660 ExecStart=/usr/bin/qubes-gui $GUI_OPTS (code=exited, status=1/FAILURE)
> ...
> lfs qubes-gui[660]: XIO fatal IO error 11 (Resource temporarily unavailable on X server ":0"
> lfs qubes-gui[660]: after 37 requests (36 known processed) with 0 events remaining)
>
> X works (startx shows me a desktop and consoles), but nothing yet from getting Qubes GUI agent and qrexec.

qubes-gui-agent starts its own X server, on :0. So, it conflicts with the one started manually with startx.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181013010601.GD5083%40mail-itl.
Re: [qubes-users] Default keyring
On Fri, Oct 12, 2018 at 07:12:35AM -0700, Patrick wrote:
> When creating a new template, then launching a browser in it (in order to install software), a dialog box asks:
>
> An application wants access to the keyring "Default keyring".
>
> Never seen this, my passwords don't work.

Is that browser chrome/chromium by a chance? I think it's this issue:
https://askubuntu.com/questions/31786/chrome-asks-for-password-to-unlock-keyring-on-startup#191490

Either try setting empty password, or try solution with --password-store=basic.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181013005437.GC5083%40mail-itl.
[qubes-users] Keyboard backlight color based on active qube
Hi,

I've published the first post on my blog:
https://blog.marmarek.net/blog/2018/10/11/keyboard-backlight-color-qubes.html

Have fun!

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181011170102.GO1645%40mail-itl.
Re: [qubes-users] Re: debian-9 template
On Wed, Oct 10, 2018 at 05:24:33AM -0700, b...@damon.com wrote:
> On Friday, April 27, 2018 at 10:46:08 PM UTC+10, higgin...@gmail.com wrote:
> ...
>
> I have been plagued with this issue ever since heeding the call to upgrade whonix-13 to whonix-14. All my whonix-14 templates are useless.
>
> I followed the steps carefully, removing / reinstalling. No errors.
>
> user@host:~$ sudo dmesg | grep segf
> [ 11.396489] qubesdb-daemon[232]: segfault at 7994802abff8 ip 799480098f64 sp 7994802ac000 error 6 in ld-2.24.so[79948008f000+23000]
> [ 12.342682] qrexec-agent[648]: segfault at 70d5257f6ff8 ip 70d5255f3355 sp 70d5257f7000 error 6 in ld-2.24.so[70d5255dd000+23000]
> [ 15.903799] qrexec-agent[789]: segfault at 70d5257f6ff8 ip 70d5255f3355 sp 70d5257f7000 error 6 in ld-2.24.so[70d5255dd000+23000]
> [ 1524.123824] qrexec-fork-ser[4430]: segfault at 7b59263a8ff8 ip 7b59261a2355 sp 7b59263a9000 error 6 in ld-2.24.so[7b592618c000+23000]
> [ 1547.347882] qrexec-fork-ser[4456]: segfault at 7b59263a8ff8 ip 7b59261a2355 sp 7b59263a9000 error 6 in ld-2.24.so[7b592618c000+23000]
> [ 1594.046093] qrexec-fork-ser[4527]: segfault at 7b59263a8ff8 ip 7b59261a2355 sp 7b59263a9000 error 6 in ld-2.24.so[7b592618c000+23000]
> [ 2963.435851] qrexec-fork-ser[5300]: segfault at 7b59263a8ff8 ip 7b59261a2355 sp 7b59263a9000 error 6 in ld-2.24.so[7b592618c000+23000]
> [ 3145.932364] qrexec-fork-ser[5413]: segfault at 7b59263a8ff8 ip 7b59261a2355 sp 7b59263a9000 error 6 in ld-2.24.so[7b592618c000+23000]
>
> Everything is hosed.
>
> If anyone has a fix, I would appreciate knowing it.

This looks to be the issue described here:
https://github.com/QubesOS/qubes-issues/issues/4349

The proper fix is in the testing repository right now, you can either install it[1], or apply a workaround listed in that ticket (add noxsave to kernelopts of that template and VMs based on it).
Actually, you may need to apply the workaround temporarily to be able to install updates...

[1] https://www.qubes-os.org/doc/software-update-vm/#debian

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181010202541.GB5083%40mail-itl.
Re: [qubes-users] Re: Forbidding VM create/delete/edit network settings from within dom0 for enterprise use-case
On Fri, Sep 14, 2018 at 09:18:38AM -0700, Yethal wrote:
> On Friday, 14 September 2018 at 13:21:14 UTC+2, Nils Amiet wrote:
> > Hi everyone,
> >
> > I would like to lock-down Qubes OS so that VMs can't be created or deleted, nor edited (e.g. modify the associated NetVM).
> >
> > I already read documentation about qrexec policies, the Admin API and qubes-core-admin extensions.
> >
> > If I understand correctly, the Admin API cannot be used to prevent the user from creating a VM from dom0. For example, from the dom0 terminal I tried adding the following line to `/etc/qubes-rpc/policy/admin.vm.Create.AppVM`:
> >
> > ```
> > $adminvm $adminvm deny
> > ```
> >
> > But then I am still able to run `qvm-create test --label blue`. Is there something I am missing here or is the policy not being honored on dom0? Why is that?
> >
> > I also noticed that the Qubes extensions fire some events and it is possible to write hooks for those events (https://dev.qubes-os.org/projects/core-admin/en/latest/qubes-ext.html). Would it be possible to write a Qubes extension that hooks to some event that is fired whenever a VM is created and use that mechanism to block VM creation?
> >
> > Would the GUI domain that is planned for Qubes OS 4.1 change the situation or help implementing this at all?
> >
> > The workaround I'm thinking about is to run Xfce4 in kiosk mode, remove application menu entries, keyboard shortcuts, desktop right click menu to prevent access to dom0 but this is just a workaround and we probably can't be sure that it will work with upcoming Qubes OS releases. Any thoughts on that?
> >
> > Thank you,
> >
> > Nils
>
> Wait for 4.1. The plan is that users will not have direct access to dom0. Instead gui domain will have api access to management functions and it will be possible to restrict it for corporate use case.
Yethal is right - "the proper" solution is using the GUI domain, which will be isolated from dom0 and can have policies applied. Right now, with direct dom0 access, qrexec policy is not enforced when the action is performed from dom0.

Alternatively the workaround you propose could work, but needs to be extended to also cover the Admin API - the local user must be excluded from the "qubes" group (which gives direct access to qubes services) and instead a proxy added which checks qrexec policy even if the action is performed from dom0. That is not unthinkable, but definitely requires some work, and still it is a workaround.

But Qubes 4.1 is still in development and I think will not be ready this year, maybe Q1 2019, depending on progress. GUI domain related stuff can be tracked here:
https://github.com/QubesOS/qubes-issues/issues/833

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180918132935.GB1577%40mail-itl.
Re: [qubes-users] Re: qubes-u2f not installing on templates
On Mon, Sep 17, 2018 at 04:14:00PM +0300, Ivan Mitev wrote:
>
> On 9/17/18 3:32 PM, digitalintag...@gmail.com wrote:
> > On Monday, September 17, 2018 at 6:24:45 AM UTC-6, digital...@gmail.com wrote:
> >> https://www.qubes-os.org/news/2018/09/11/qubes-u2f-proxy/
> >>
> >> Wojtek shared this on 9/11/18.
> >>
> >> Following the instructions, I'm not able to install qubes-u2f on either my debian or fedora templates. Anyone else have similar issues?
>
> The packages are still in the current-testing repositories, and you likely didn't enable them.
>
> > to clarify, the package manager doesn't find the named package on either distro.
>
> I don't use the graphical package manager so no idea how to enable current-testing there, but if you use a terminal it's pretty straightforward:
>
> For dom0:
>
> sudo qubes-dom0-update \
>     --enablerepo=qubes-dom0-current-testing qubes-u2f-dom0
>
> And for a fedora (template)VM:
>
> sudo dnf --enablerepo=qubes-vm-r4.0-current-testing install \
>     qubes-u2f
>
> There should be something similar for debian's apt-get

All u2f-related packages are already in the stable repository (since yesterday), so the above is not needed anymore.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180918131545.GA1577%40mail-itl.
Re: [qubes-users] Re: QSB #43: L1 Terminal Fault speculative side channel (XSA-273)
On Mon, Sep 03, 2018 at 01:46:11AM -0500, Andrew David Wong wrote:
> On 2018-09-02 22:22, pixel fairy wrote:
> > is it still necessary to disable hyper threading after upgrading in qubes 4?
> >
>
> Hyper-threading should be disabled in Xen after you install the updates. It should not be necessary for you to take any further action to disable it there.
>
> If you're asking whether you should also disable it in your BIOS settings, then I'm not sure (CCing Marek).

There is no need to additionally disable it in BIOS. Xen's smt=off option means it won't be used even if BIOS reports its availability.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180903082119.GB1371%40mail-itl.
Re: [qubes-users] fedora warning
On Sat, May 26, 2018 at 03:25:23PM -0400, haaber wrote:
> > > > I just installed f27 in its full and minimal template on Q4.0 from the repos. When installing extra packages (for example sys-net tools) in f27-minimal the download works, BUT checksums fail. The point is that fucking dnf ignorantly installs the packages anyhow without putting any questions. Result: such a template is compromised right from the beginning, I will have to delete it without ever running it.
> > > >
> > > > The warning to all users is to NEVER run unattended (say, scripted) updates on fedora based templates since apparently they give a shit on security.
> > > >
> > > Checksums are only for integrity, not authenticity. For security, PGP signature checking is what matters.
>
> @andrew: you are right, but if even checksums are ignored, pgp won't be considered either ... and that IS an issue.
>
> @ awokd (on your question about re-downloads): I hope I was not complaining based on a misread and I would have liked to verify once more: too late for this time however, I had deleted the template this morning right away. I'll re-do it!

dnf warns about a failed download (for any reason, including an unexpected checksum), but then retries the download from another mirror. If all mirrors fail then package installation will fail. Example message for such a case:
https://github.com/QubesOS/qubes-issues/issues/2945#issuecomment-318877445

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180526233431.GG20125%40mail-itl.
Re: [qubes-users] No boot after dom0 security repo update on may 15
On Thu, May 17, 2018 at 11:54:03AM -, awokd wrote:
> On Wed, May 16, 2018 1:51 pm, pony...@keemail.me wrote:
> > Hi all. My machine directly boots into BIOS screen if my Asus Zenbook UX303 after updating Qubes 4.0 dom0, security repo enabled. I don't remember the error messages (s.th. with keys).
> > So I boot from rescue USB Stick. Have to choose (3), going directly to shell. —
> > And here I'm stuck, since many, many hours. No really helpful, _accurate_ instructions for medium talented users found. ;)
> > How to replace dom0? Or restore boot files? I've got a pretty fresh complete backup on external USB drive, but don't want to install everything anew.
>
> Reinstall/restore might be fastest. If you want to try to fix it, search this mailing list for "efibootmgr" assuming you have UEFI boot. Sounds like something got corrupted. Reinstall GRUB if not using UEFI.

If that's UEFI, verify the content of /boot/efi/EFI/qubes/xen.cfg (/boot/efi is a separate partition, the first one on a default install). Verify that the default= entry points at an existing section and that it is the newest one. Also verify that the files referenced there look sane (if you've run out of disk space, those might be smaller than the rest). By editing this file you can also boot an earlier kernel. Here is an example xen.cfg file:
https://www.qubes-os.org/doc/uefi-troubleshooting/#installation-finished-but-qubes-boot-option-is-missing-and-xencfg-is-empty

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180518181555.GB20125%40mail-itl.
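A script for the xen.cfg checks recommended in this reply, added here as an example (it is not code from the post or from Qubes). It assumes the layout from the linked troubleshooting page ([global] holding default=, then one section per boot entry with options=, kernel= and ramdisk=); the sample config and file sizes are constructed.

```python
"""Sanity checks for a Qubes UEFI xen.cfg, as the reply above recommends.
Added example, not code from the post or from Qubes. Assumed layout (from the
linked troubleshooting page): [global] holds default=, then one section per
boot entry with options=, kernel= and ramdisk=. Sample data is constructed."""
import configparser
import os
import re
from typing import Dict, List

EFI_DIR = "/boot/efi/EFI/qubes"  # holds xen.cfg, vmlinuz-* and initramfs-*

# Constructed sample: two entries, default= pointing at the newer one.
SAMPLE_XEN_CFG = """\
[global]
default=4.14.35-1.pvops.qubes.x86_64

[4.14.18-300.fc25.qubes.x86_64]
options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx
kernel=vmlinuz-4.14.18-300.fc25.qubes.x86_64 root=/dev/mapper/qubes_dom0-root rhgb quiet
ramdisk=initramfs-4.14.18-300.fc25.qubes.x86_64.img

[4.14.35-1.pvops.qubes.x86_64]
options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx
kernel=vmlinuz-4.14.35-1.pvops.qubes.x86_64 root=/dev/mapper/qubes_dom0-root rhgb quiet
ramdisk=initramfs-4.14.35-1.pvops.qubes.x86_64.img
"""

# Constructed sizes (bytes) of the files in EFI_DIR: a healthy set, and one where
# the newest initramfs was truncated because the partition ran out of space.
GOOD_SIZES = {
    "vmlinuz-4.14.18-300.fc25.qubes.x86_64": 6402048,
    "initramfs-4.14.18-300.fc25.qubes.x86_64.img": 21311488,
    "vmlinuz-4.14.35-1.pvops.qubes.x86_64": 6489344,
    "initramfs-4.14.35-1.pvops.qubes.x86_64.img": 21405696,
}
BAD_SIZES = dict(GOOD_SIZES, **{"initramfs-4.14.35-1.pvops.qubes.x86_64.img": 1234})


def parse_xen_cfg(text: str) -> configparser.ConfigParser:
    """xen.cfg is INI-like; values (kernel command lines) contain '=' themselves."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep keys exactly as written
    cfg.read_string(text)
    return cfg


def version_key(name: str) -> list:
    """Sort key ranking 4.14.35-1 above 4.14.18-300: numeric runs compare as ints."""
    return [int(p) if p.isdigit() else p for p in re.split(r"(\d+)", name)]


def check_xen_cfg(text: str, file_sizes: Dict[str, int]) -> List[str]:
    """Return the problems found (empty list = looks sane). file_sizes maps file
    names in EFI_DIR to sizes in bytes; a name absent from it is a missing file."""
    problems: List[str] = []
    cfg = parse_xen_cfg(text)
    if not cfg.has_option("global", "default"):
        return ["[global] has no default= entry"]
    default = cfg.get("global", "default")
    entries = [s for s in cfg.sections() if s != "global"]
    if default not in entries:
        problems.append(f"default={default} does not match any section")
    newest = max(entries, key=version_key, default=None)
    if newest and default != newest:
        problems.append(f"default={default} is not the newest entry ({newest})")
    for key in ("kernel", "ramdisk"):
        sizes: Dict[str, int] = {}
        for section in entries:
            if not cfg.has_option(section, key):
                problems.append(f"[{section}] lacks {key}=")
                continue
            fname = cfg.get(section, key).split()[0]  # kernel= also carries the cmdline
            size = file_sizes.get(fname)
            if size is None:
                problems.append(f"[{section}] {key} {fname} is missing")
            elif size == 0:
                problems.append(f"[{section}] {key} {fname} is empty (out of disk space?)")
            else:
                sizes[fname] = size
        # A file truncated by a full partition is far smaller than its siblings.
        if len(sizes) >= 2:
            biggest = max(sizes.values())
            for fname, size in sizes.items():
                if size < biggest // 2:
                    problems.append(f"{fname} ({size} bytes) is far smaller than the other {key} files")
    return problems


def sizes_in(directory: str) -> Dict[str, int]:
    """Collect the sizes of the files in a real EFI directory for check_xen_cfg()."""
    return {n: os.path.getsize(os.path.join(directory, n)) for n in os.listdir(directory)
            if os.path.isfile(os.path.join(directory, n))}


if __name__ == "__main__":
    # In dom0, or in a rescue shell with /boot/efi mounted, check the real file.
    with open(os.path.join(EFI_DIR, "xen.cfg")) as fh:
        for line in check_xen_cfg(fh.read(), sizes_in(EFI_DIR)) or ["xen.cfg looks sane"]:
            print(line)
```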
Re: [qubes-users] Restore backup in different storage pool
On Thu, May 17, 2018 at 07:34:26PM +0200, donoban wrote:
> Hi,
>
> I want to restore a backed up VM in a new pool. I don't see any option on
> qvm-backup-restore to specify it.
>
> Is there any way to do it or do I have to restore and then move it?

There is no direct option for that, but you can temporarily change the default pool (see the qubes-prefs tool).

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180520020926.GF20125%40mail-itl.
Re: [qubes-users] U2F on Gmail not working (using Chrome on Personal AppVM)
On Sat, May 12, 2018 at 05:03:11AM -0700, qubesu...@gmail.com wrote:
> Hello there, I was wondering if there is a workaround to make this work.
> I have a Yubikey with U2F, which has the dual purpose of being a normal
> Yubikey as well as being able to do U2F when the web browser requests it.
>
> I am on the latest stable Qubes 4.0.
> This is so far what I have been doing:
>
> 1) I go to gmail.com and enter my user and password.
> 2) I plug the yubikey into the laptop, sys-usb recognizes it
> 3) I "attach" the usb to "personal" from the sys-usb
>
> And nothing happens, the yubikey is not blinking, the light stays steadily on.
> It doesn't react in any way to touching it, it generates neither yubikeys
> nor the u2f.
>
> Does anyone have a solution to this?

In Fedora (template) you need to install the u2f-hidraw-policy package, it will set up udev rules to fix device permissions.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180520020803.GE20125%40mail-itl.
Re: [qubes-users] Default 'revisions_to_keep'
On Sat, May 19, 2018 at 09:27:53PM +0200, donoban wrote:
> Hi,
>
> I thought 'revisions_to_keep' defaulted to 3. I created a new pool
> yesterday and specified 3 when creating it, but then a VM that I moved
> there had 1. (I discovered it after trying to restore config
> because it doesn't boot fine).
>
> Then I started to look at all other VMs and all private volumes have
> 1 'revisions_to_keep', also they had 'save_on_stop'. So I think this
> is not very useful, when you halt the VM you are overwriting the only
> snapshot you have.

Actually, revisions_to_keep is about previous revisions. So "1" means you have one snapshot you can revert to (the state before you've started the VM).

> Does delay 'save_on_start' too much?
>
> Maybe this is due I started with some RC and then upgraded to
> current-testing.

Probably, there was a bug about saving revisions_to_keep. Anyway, the default value is 1.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180520015818.GD20125%40mail-itl.
Re: [qubes-users] Any way to attach a USB drive to a VM by label?
On Thu, May 17, 2018 at 05:57:09PM -0700, Qubes Guy wrote:
> I've successfully used qvm-block (in Dom0) to attach USB drives to different
> VMs (persistently), but I've noticed that Qubes (or Linux) sometimes gives
> them different devices over time. In other words, on Monday, my
> BIG_TOSHIBA drive will be on /dev/sda, but it'll be assigned to /dev/sdj when
> I boot up on Wednesday. This is throwing off my VeraCrypt / FreeFileSync
> backup routine. (Another way of saying this is if I say "qvm-block attach
> MyVM sys-usb:sda --persistent" when one of the three drives I use for MyVM is
> currently attached to that, this will fail if Qubes moves that drive to a
> different device-name (during boot) that isn't one of the three I previously
> attached (when I go to start up that VM).
>
> I thought about persistently attaching all 10 of my USB drives to the VM
> (some HDs, some flash, one SSD - I never use all of them at once - don't
> ask!) because that would certainly fix this problem, but I get the following
> error when I try to start the VM: "ERROR: Start failed: XML error: target
> 'xvdi' duplicated for disk sources '/dev/sdc' and '/dev/sde', see
> /var/log/libvirt/libxl/libxl-driver.log for details".
>
> Note that I did all the persistent attachment commands while the VM was not
> running. If I detach all those, start the VM, do the persistent attachments,
> shut down the VM and then restart it, I get an error along the lines of
> "qrexec process failed to respond in 60 seconds".
>
> So, I guess I'm asking if there's a way to just persistently attach 2 or 3
> external USB drives and have them consistently available on the same device
> names when I start the VM so VeraCrypt doesn't balk? (VeraCrypt ultimately
> doesn't care what device a drive is attached to (it could be sda - sdj on my
> system) because it shows the attached drive as "/media/user/BIG_TOSHIBA", but
> if a drive isn't where it's supposed to be, that'll fail.
>
> In case you're curious, the error messages in
> /var/log/libvirt/libxl/libxl-driver.log are meaningless to me, but if you
> want me to post it, I can.
>
> Any help you guys can give me would be greatly appreciated! Thanks...

It isn't available yet, related issue:
https://github.com/QubesOS/qubes-issues/issues/3437

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180518181901.GC20125%40mail-itl.
Re: [qubes-users] Testing repository: update policy
On Sun, May 06, 2018 at 03:54:10PM -0500, Andrew David Wong wrote:
> On 2018-05-06 13:20, Marek Marczykowski-Górecki wrote:
> > On Sun, May 06, 2018 at 12:25:32PM -0500, Andrew David Wong wrote:
> >> On 2018-05-06 08:51, Vasilis wrote:
> >>> Hi,
> >>>
> >>> I was trying to find out when an updated package makes it into the Qubes
> >>> testing repository?
> >>>
> >>> For instance an updated version of the package qubes-desktop-linux-i3 [1]
> >>> is in the repository since Apr. 4 but still not available in the testing
> >>> repository.
> >>>
> >>> [1] https://github.com/QubesOS/qubes-desktop-linux-i3
> >>>
> >>> Cheers,
> >>> ~Vasilis
> >
> >> I found the associated issue and PR:
> >
> >> https://github.com/QubesOS/qubes-issues/issues/3781
> >
> >> https://github.com/QubesOS/qubes-desktop-linux-i3/pull/13
> >
> >> Marek, what's the usual procedure after merging a commit and closing
> >> the qubes-issue that it fixes? Based on looking at past activity, it
> >> looks like you typically increment the package version number, then
> >> (automatically or manually) start a new build of the package, which
> >> then creates a new issue in updates-status. Should I have left the
> >> issue open as a reminder to do this?
> >
> > Usually every few weeks I review what packages have changes warranting
> > a new version (I have a script for that). The last few weeks (and probably
> > some more) were busy because of fc27/fc28.
> > If you find some change that is waiting unusually long for release, ping me
> > in the issue related to that change, or simply in an email.
>
> Ok, sounds good.
>
> Consider yourself pinged for this one. :)

https://github.com/QubesOS/updates-status/issues/512

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180506213323.GZ1124%40mail-itl.
Re: [qubes-users] Testing repository: update policy
On Sun, May 06, 2018 at 12:25:32PM -0500, Andrew David Wong wrote:
> On 2018-05-06 08:51, Vasilis wrote:
> > Hi,
> >
> > I was trying to find out when an updated package makes it into the Qubes testing
> > repository?
> >
> > For instance an updated version of the package qubes-desktop-linux-i3 [1]
> > is in the repository since Apr. 4 but still not available in the testing
> > repository.
> >
> > [1] https://github.com/QubesOS/qubes-desktop-linux-i3
> >
> > Cheers,
> > ~Vasilis
>
> I found the associated issue and PR:
>
> https://github.com/QubesOS/qubes-issues/issues/3781
>
> https://github.com/QubesOS/qubes-desktop-linux-i3/pull/13
>
> Marek, what's the usual procedure after merging a commit and closing
> the qubes-issue that it fixes? Based on looking at past activity, it
> looks like you typically increment the package version number, then
> (automatically or manually) start a new build of the package, which
> then creates a new issue in updates-status. Should I have left the
> issue open as a reminder to do this?

Usually every few weeks I review what packages have changes warranting a new version (I have a script for that). The last few weeks (and probably some more) were busy because of fc27/fc28.
If you find some change that is waiting unusually long for release, ping me in the issue related to that change, or simply in an email.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180506182059.GY1124%40mail-itl.
Re: [qubes-users] Qube Manager dbus event handling
On Thu, May 03, 2018 at 09:50:26PM +0200, donoban wrote:
> On 05/03/18 16:08, donoban wrote:
> > Hi,
> >
> > I saw Qube Manager should handle dbus signals from
> > 'DomainManager1' for a fast and cheap refreshing of VMs status.
> >
> > Is anybody currently working on this? If not I think I could do it.
> > I started playing with pydbus and I think the current code doesn't
> > need a very big rewrite for handling all relevant events.
>
> I am near achieving this. However I see a little problem with the current API.
>
> Dbus objects relative to Qubes domains use 'qid' as identifier, like:
>
> /org/qubes/DomainManager1/domains/13
>
> but VMCollection uses VM names as key so I can't retrieve directly a
> vm object using a 'qid'.
>
> This only affects domain creation (for the other cases the vm was
> already loaded into a dict) but maybe it would be nice to have a direct
> way to get a vm by 'qid'.

There is ongoing work on the domains widget to use the qubesadmin module directly (skipping the dbus layer). Copying Marta, who is working on it.

Long story short - dbus services were introduced before we've decided to implement Admin API in 4.0 (the initial plan was to have it in 4.1 or later). But since we've done it in 4.0, there is very little sense to use dbus, which serves a similar purpose (provide info and events about domains), but adds additional complexity.

As for Qube Manager, there is a little problem - events handling in qubesadmin is based on the asyncio python module. At the same time, both GTK and Qt use their own event loop. We have it worked out for GTK, using the gbulb module[1][2], it's simple. But we haven't tried it with Qt. In theory there is the quamash module for it, so hopefully that's simple too. One catch is that, similar to gbulb, there is no package for it in Fedora... For gbulb we've created one[6], probably the same is needed for quamash.

By using qubesadmin directly, you avoid this qid problem and additionally things are simpler and there are fewer places where state can get out of sync.

Events handling in qubesadmin: docs[4], example usage[5]:

    events_dispatcher = qubesadmin.events.EventsDispatcher(args.app)
    events_dispatcher.add_handler('backup-progress',
        functools.partial(print_progress, profile_name))
    events_task = asyncio.ensure_future(
        events_dispatcher.listen_for_events())

A list of domain related events can be found here:
https://dev.qubes-os.org/projects/core-admin/en/latest/qubes-vm/qubesvm.html

[1] https://github.com/nathan-hoad/gbulb
[2] https://github.com/QubesOS/qubes-dbus/blob/master/qubesdbus/service.py#L37
[3] https://github.com/harvimt/quamash
[4] https://dev.qubes-os.org/projects/core-admin-client/en/latest/qubesadmin.events.html#module-qubesadmin.events
[5] https://github.com/QubesOS/qubes-core-admin-client/blob/master/qubesadmin/tools/qvm_backup.py#L195-L199
[6] https://github.com/QubesOS/qubes-linux-gbulb

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180504000438.GA11593%40mail-itl.
Re: [qubes-users] "How can I properly manage my system?" or "how do I use Admin API, salt and git or other versioning/distribution mechanisms together"
On Fri, Apr 20, 2018 at 11:40:36PM +0200, viq wrote:
> On 18-04-20 23:21:10, Marek Marczykowski-Górecki wrote:
> > On Fri, Apr 20, 2018 at 10:51:38PM +0200, viq wrote:
> > > On 18-04-20 13:51:50, Marek Marczykowski-Górecki wrote:
> > > >
> > > Hm, salt has SPM[6], which I need to read a bit more about. On one
> > > hand, it's a native salt tool, so possibly it could work better for
> > > distributing, and more importantly updating states/formulas, but on the
> > > other hand, as far as I'm aware, it doesn't currently have a concept of
> > > signing.
> >
> > This is exactly the reason we use RPM for distribution-provided
> > formulas.
> > I've tried to play with SPM + some wrapper to actually download files
> > (dom0 has no network), but AFAIR it was a bit crazy to do it this way -
> > the only part of SPM that was left could be shortened to "tar x"...
>
> Ah, so you looked at it more than I did. Would it make sense to have
> pretty much just the SPM file inside the RPM, and post-install talk with SPM
> to install that, or does it really bring nothing to the table?
> On the other hand, RPMs don't play nice with local modifications...

Does SPM?

> > BTW each of our formula packages has a FORMULA file, so it should be
> > compatible with SPM out of the box, at least in theory.
> >
> > > > See the linked post[1] for what changes are required. Normally I'd say, let's
> > > > package it in rpm, but since qrexec policy doesn't support .d
> > > > directories, it may not work that well. In many places we use salt's
> > > > file.prepend to adjust policy files, so maybe use it here too? This
> > > > starts being quite complex:
> > > > 1. Salt formula installed (via rpm?) in dom0, to configure management VM
> > > > 2. Management VM running the rest of the salt formulas to configure other VMs
> > >
> > > Yeah, this kinda follows what I was thinking. With some work (1) could
> > > be available from Qubes repos ;) I guess with defaults allowing to set
> > > up mgmt-global, mgmt-personal and mgmt-work, with permissions set up as
> > > the names imply?
> > >
> > > But, being the salt-head that I am, what about templating the settings from
> > > pillars?
> >
> > I think it is a good idea, but needs some better handling of pillars. We
> > already have the topd[13] module to maintain top.sls. If we could have
> > something allowing the user to simply set pillar entry X to value Y
> > (without learning yaml syntax), that would be great. The pillar modules you
> > link below may be the way to go.
>
> Hm, where are things like labels and other VM settings stored?

All VM properties are stored in qubes.xml. We do expose some of them as pillars already (for example qubes:type), but I don't think it's a good place for something not directly related to VMs. I'm thinking of pillars like the name of the mgmt-global VM. This isn't something that belongs to some particular VM (in qubes.xml), especially when said mgmt-global VM doesn't exist yet.

I was hoping that some of the existing pillar modules would support something with a user friendly key-value interface, including:
- listing available keys (maybe even with some description?)
- getting and setting values
- a GUI, or an interface to integrate with some

While a script that would handle a yaml file wouldn't be horribly long, I'd guess someone has done that already.

> Maybe it
> would be possible to piggy-back on that? Even if code would be needed,
> pillars just like the top system are "just another python file" that IIRC
> can even be distributed inside SPMs.
>
> > > No, I'm not convinced whether one long yaml is better than a
> > > multitude of tiny files... But this could be another way to manage the
> > > whole thing. Some examples of what it could look like are the pillar
> > > examples from rspamd-formula[7], salt-formula[8] and shorewall-formula[9]
> > >
> > > And of course there are different ways to manage pillars than one long
> > > yaml, but this is the most common way. [10] [11] [12]
> > >
> > > > [1] https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/
> > > > [2] https://github.com/QubesOS/qubes-mgmt-salt-dom0-qvm/
> > > > [3] https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/
> > > > [4] https://github.com/QubesOS/qubes-infrastructure/
> > > > [5] https://github.com/QubesOS/qubes-mgmt-salt
> > >
> > > [6] https://docs.saltstack.com/en/latest/topics/spm/index.html
> > > [7]
> > > https://github.com/saltstac
Re: [qubes-users] "How can I properly manage my system?" or "how do I use Admin API, salt and git or other versioning/distribution mechanisms together"
On Fri, Apr 20, 2018 at 10:51:38PM +0200, viq wrote:
> On 18-04-20 13:51:50, Marek Marczykowski-Górecki wrote:
> Hm, salt has SPM[6], which I need to read a bit more about. On one
> hand, it's a native salt tool, so possibly it could work better for
> distributing, and more importantly updating states/formulas, but on the
> other hand, as far as I'm aware, it doesn't currently have a concept of
> signing.

This is exactly the reason we use RPM for distribution-provided formulas.
I've tried to play with SPM + some wrapper to actually download files (dom0 has no network), but AFAIR it was a bit crazy to do it this way - the only part of SPM that was left could be shortened to "tar x"...

BTW each of our formula packages has a FORMULA file, so it should be compatible with SPM out of the box, at least in theory.

> > See the linked post[1] for what changes are required. Normally I'd say, let's
> > package it in rpm, but since qrexec policy doesn't support .d
> > directories, it may not work that well. In many places we use salt's
> > file.prepend to adjust policy files, so maybe use it here too? This
> > starts being quite complex:
> > 1. Salt formula installed (via rpm?) in dom0, to configure management VM
> > 2. Management VM running the rest of the salt formulas to configure other VMs
>
> Yeah, this kinda follows what I was thinking. With some work (1) could
> be available from Qubes repos ;) I guess with defaults allowing to set
> up mgmt-global, mgmt-personal and mgmt-work, with permissions set up as
> the names imply?
>
> But, being the salt-head that I am, what about templating the settings from
> pillars?

I think it is a good idea, but needs some better handling of pillars. We already have the topd[13] module to maintain top.sls. If we could have something allowing the user to simply set pillar entry X to value Y (without learning yaml syntax), that would be great. The pillar modules you link below may be the way to go.

> No, I'm not convinced whether one long yaml is better than a
> multitude of tiny files... But this could be another way to manage the
> whole thing. Some examples of what it could look like are the pillar
> examples from rspamd-formula[7], salt-formula[8] and shorewall-formula[9]
>
> And of course there are different ways to manage pillars than one long
> yaml, but this is the most common way. [10] [11] [12]
>
> > [1] https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/
> > [2] https://github.com/QubesOS/qubes-mgmt-salt-dom0-qvm/
> > [3] https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/
> > [4] https://github.com/QubesOS/qubes-infrastructure/
> > [5] https://github.com/QubesOS/qubes-mgmt-salt
>
> [6] https://docs.saltstack.com/en/latest/topics/spm/index.html
> [7] https://github.com/saltstack-formulas/rspamd-formula/blob/master/pillar.example
> [8] https://github.com/saltstack-formulas/salt-formula/blob/master/pillar.example
> [9] https://github.com/saltstack-formulas/shorewall-formula/blob/master/pillar.example
> [10] https://docs.saltstack.com/en/latest/ref/pillar/all/
> [11] https://docs.saltstack.com/en/latest/ref/sdb/all/index.html
> [12] https://docs.saltstack.com/en/latest/ref/renderers/all/index.html

[13] https://github.com/QubesOS/qubes-mgmt-salt-base-topd/

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180420212110.GJ27518%40mail-itl.
Re: [qubes-users] "How can I properly manage my system?" or "how do I use Admin API, salt and git or other versioning/distribution mechanisms together"
On Thu, Apr 19, 2018 at 10:20:08PM +0200, viq wrote:
> Salt tools give a nice way to configure the system (make sure templates exist
> with certain packages, prepare AppVMs based on them, etc). But I'd prefer
> to edit them in a customized editor, with syntax highlighting, etc, which
> is strongly discouraged from being put into dom0. I also feel that having
> version control over those files is the way to go, preferably synced
> somewhere so I can for example easily replicate this when setting up
> another computer or reinstalling.
>
> My understanding is that this is a perfect use case for the new Admin API -
> have a machine with editor and git set up to adjust salt files, and either
> give admin permissions to that one, or use something like split-git that
> was mentioned to pull the repo into another VM and execute there.

Yes, exactly. In theory it should be easily possible to set up a management VM with an appropriate policy (see [1]) and use salt from that VM. The thing you need to change is to make the qvm salt module [2] work in a vm, right now it explicitly checks if it's running in dom0. Hopefully this is the only change you need.

But there is one thing you can't that easily do over Admin API - various dom0 settings. This includes installing packages in dom0, editing various configuration files (pam? bootloader? qrexec policy?). We're working on the last one, but the others are not solved right now. For multiple dom0 changes you still need to run salt in dom0.

For some cases, we use rpm packages to distribute salt formulas - this includes the default setup (virtual-machines formula[3]) and our infrastructure[4]. For my personal machine, I use salt in dom0 and synchronize this configuration using signed tarballs, manually...

> Am I on the right track here? If so:
> 1) What packages do I need on the admin VM to be able to do this?

Most likely qubes-mgmt-salt-dom0-qvm[2] with its dependencies and probably minor changes will be enough. The dependencies include at least python2-qubesadmin. Oh, and qubesctl itself is in qubes-mgmt-salt-admin-tools[5].

> 2) Where and how should I be executing this? A quick test of running
> qubesctl inside a VM didn't even produce logs in the dom0 journal, the command
> just complained it can't reach a daemon.

The client side of Admin API uses the /etc/qubes-release file to find out if it's running in dom0 (and can take a shortcut to talk directly to qubesd), or not. So I guess you installed a package containing /etc/qubes-release, which normally isn't present in a VM. Simply remove the file and retry. You should see some messages about denied admin.* qrexec calls.

> 3) What would be a good way to track and distribute necessary changes to
> /etc/qubes-rpc/policy/ on dom0?

See the linked post[1] for what changes are required. Normally I'd say, let's package it in rpm, but since qrexec policy doesn't support .d directories, it may not work that well. In many places we use salt's file.prepend to adjust policy files, so maybe use it here too? This starts being quite complex:
1. Salt formula installed (via rpm?) in dom0, to configure management VM
2. Management VM running the rest of the salt formulas to configure other VMs

[1] https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/
[2] https://github.com/QubesOS/qubes-mgmt-salt-dom0-qvm/
[3] https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/
[4] https://github.com/QubesOS/qubes-infrastructure/
[5] https://github.com/QubesOS/qubes-mgmt-salt

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlrZ1FcACgkQ24/THMrX 1yzccAf/bInV6KALR82K9mt0yHYrE4N1IlHLyoaBmBi1QyNX/rqY+6/NInKl7Sit VWpp4HBXcZBcqH9u0j9G1cJBQX3XrN84BLWLFJcRYUNRJkcqWH/DnOusDGuhCdvs XC8sbwHtkRIueUFgMNpBSyWgyy8GjjSIoQItE7JxGkHMin5AGiNxlNZVY+TuFxV+ B59goJIjzuuUXZTXgkzasXeSLBUKVLUPKMOrgt6Jw1REV6WGwrl6ZDG3T4h7kGBY zldTYhnxFbiBVX0GWVwGqSfEWjYJxX1/Yh5yNv7TTcZGQFFfBLex8MvMVwE/DEYq kJ4qiQsj2iGVgFnNchQVB/KFz8eCbg== =uBDd -END PGP SIGNATURE- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180420115150.GC2275%40mail-itl. For more options, visit https://groups.google.com/d/optout.
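Marek's message above suggests salt's file.prepend for adjusting qrexec policy files. The shell snippet below is an added example, not code from the thread or from the Qubes salt formulas: it does the same job idempotently, so applying the same rule twice never stacks duplicate lines. The VM name mgmt-vm, the admin.vm.List file and the two policy lines are illustrative placeholders for whatever rules the linked post calls for on your system.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Qubes salt formulas:
# an idempotent shell equivalent of the salt file.prepend step used for
# files under /etc/qubes-rpc/policy/. "mgmt-vm", the file name and the
# policy lines below are placeholders, not values taken from the thread.

# prepend_policy_line FILE LINE
# Puts LINE at the top of FILE unless an identical line already exists
# anywhere in it, so re-running the same formula never duplicates a rule.
# Writing back through "cat > FILE" keeps the file's owner and mode.
prepend_policy_line() {
    file=$1
    line=$2
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    { printf '%s\n' "$line"; cat "$file"; } > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# demo_prepend: apply the same rule twice to a constructed policy file in a
# temporary directory and print the result, so the idempotence is visible.
demo_prepend() {
    dir=$(mktemp -d) || return 1
    policy="$dir/admin.vm.List"
    # constructed starting content, standing in for the shipped default
    printf '%s\n' '$anyvm $anyvm deny' > "$policy"
    prepend_policy_line "$policy" 'mgmt-vm $anyvm allow,target=dom0'
    prepend_policy_line "$policy" 'mgmt-vm $anyvm allow,target=dom0'
    cat "$policy"
    rm -rf "$dir"
}

demo_prepend
```

Running the script prints the placeholder rule once, followed by the original deny line; the second call is a no-op because the exact line is already present. On a real dom0 the function would be pointed at the actual policy file and run as root.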
Re: [qubes-users] Re: Qubes R4.0 broken by "TypeError: not enough arguments..." for most qvm-* commands
On Thu, Apr 12, 2018 at 08:19:10AM -0700, Pablo Di Noto wrote:
> > techg...@gmail.com
> > If, as I suspect, the root cause of your problem is a lack of metadata
> > space on pool00; you can confirm this by typing "sudo lvs" into a console.
> > You will then need to figure out a way to enlarge that metadata volume.
>
> Yes, you are right, the `pool00` volume metadata was >96% when this happened.
> The thing is that the volume metadata was set to a quite small size after
> install (96mb on a 46gb pool) and after install was on ~20% usage. I started
> to use the system, testing stuff with DispVMs, restoring my debian templates
> and some work VMs. After a couple of days of usage the metadata climbed very
> little, to 27-28%.
>
> I tried to have a second pool to hold my machines, precisely to avoid issues
> with thin provisioning on the pool holding `root` and `swap` and services
> vms. But the lack of support for cloning/moving between pools made that
> effort moot.
>
> So I `lvextend`ed `pool00` and forgot to properly enlarge its
> `pool00_tmeta` counterpart.

What sizes do you have there? For me tmeta is 118MB for a ~450GB pool00. And after a few months of usage it's still at 33%...

> When doing some more customization, including restoring more larger sized
> qubes and cloning/renaming qubes it seems the metadata usage climbed really
> fast and hit this bug.
>
> Unfortunately, could not recover from that.
>
> It looks like qubes lvm actions while metadata was full may have corrupted
> the metadata somehow, since I could enlarge and repair the thin metadata from
> a live cd, but many of the volumes that were in use were never available
> again. The -private and -snap for the qubes that were running (not sure how
> to discard them) and also all the volumes of the qubes being restored and
> services vms are lost ("NOT available" as lvm status)

You could also try to revert to an earlier revision using "qvm-volume revert sys-net:private", for example.

> I remember there was some Saltstack magic to recreate the services vms, but
> could not find anything for R4.0... So I had to revert to R3.2 for the time
> being.

https://www.qubes-os.org/doc/salt/
Especially the links at the bottom:
https://github.com/QubesOS/qubes-mgmt-salt-dom0-virtual-machines/blob/master/README.rst

> I will keep the failing install for debugging, or may be able to recover if
> someone can provide any tips about:
>
> - How to recreate sys-net, sys-firewall and sys-usb on a R4.0 system
> - how to recover a qube whose -snap volumes are no longer available (I have
> no problem losing these short-term data)
>
> Thanks for pointing to the right direction!

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180412184252.GB2275%40mail-itl.
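The failure Pablo describes above started with a thin pool whose metadata LV (`pool00_tmeta`) filled up after `pool00` was extended without it. The script below is an added example, not from the thread: it parses the output of `lvs` (the check the thread recommends) and flags every thin pool whose metadata usage is at or above a threshold, printing the `lvextend --poolmetadatasize` command an administrator would then review. The `lvs` output embedded here is constructed to mirror the situation in the thread; the script itself only reads and changes nothing.

```shell
#!/bin/sh
# Added example, not code from the thread: a read-only check for thin-pool
# metadata usage, run over `lvs` output. Intended source of real input:
#   sudo lvs --noheadings --separator ' ' \
#        -o vg_name,lv_name,lv_attr,metadata_percent,data_percent
# fed on stdin. The sample below is constructed, not real output.

# check_thin_pool_metadata THRESHOLD_PERCENT
# Reads "VG LV Attr Meta% Data%" lines on stdin. lv_attr starts with "t" for
# a thin pool and "V" for a thin volume (whose Meta% column is empty), so
# only pool lines are examined. Prints one WARN line per pool at or above
# the threshold and exits 1 if any was flagged, 0 otherwise, so it can run
# from cron or a salt cmd.run and be acted on.
check_thin_pool_metadata() {
    threshold=${1:-80}
    awk -v thr="$threshold" '
        substr($3, 1, 1) == "t" && $4 != "" {
            meta = $4 + 0
            if (meta >= thr) {
                # <size> is left for the admin to choose after reviewing lvs
                printf "WARN %s/%s meta=%d%% (lvextend --poolmetadatasize +<size> %s/%s)\n",
                       $1, $2, meta, $1, $2
                flagged = 1
            }
        }
        END { if (flagged) exit 1; exit 0 }
    '
}

# Constructed sample modelled on the thread: pool00 metadata at 96.5%,
# a second pool that is fine, and two thin volumes with empty Meta%.
SAMPLE_LVS='qubes_dom0 pool00 twi-aotz-- 96.50 41.20
qubes_dom0 root Vwi-aotz-- 12.00
qubes_dom0 vm-work-private Vwi-aotz-- 33.10
qubes_dom0 pool01 twi-aotz-- 27.80 10.00'

# Run the check over the sample when executed directly (status ignored here).
printf '%s\n' "$SAMPLE_LVS" | check_thin_pool_metadata 80 || :
```

On the sample this prints a single WARN line for qubes_dom0/pool00 and nothing for pool01; with a threshold of 99 it prints nothing and exits 0. Piping real `lvs` output through it in dom0 gives the same early warning Pablo would have needed before the metadata hit the bug.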
Re: [qubes-users] Re: [Q4-rc5] Blank screen on boot after installation on Lenovo
On Wed, Mar 28, 2018 at 11:25:18AM -, 'awokd' via qubes-users wrote:
> On Wed, March 28, 2018 2:09 am, berto0...@gmail.com wrote:
> >> It's in a bit of an indeterminate state right now:
> >> https://github.com/QubesOS/qubes-issues/issues/2971. Did regenerating
> >> initramfs with host only fix it for you, or did you just leave the
> >> keyboard setting on US on the reinstall?
> >
> > Actually, I just pressed the keys as on an imaginary US keyboard after
> > realizing one key was in a different position. That's a quite common
> > method for non-US users -- you just need to be aware that you are dealing
> > with a moved key in the first place. And there is no feedback when typing
> > a password as first task on a new OS, obviously.
>
> Sounds like that linked issue's not resolved. If you have a Github
> account, mind commenting on it with your experience and pinging
> @andrewdavidwong? I can do it later too, if you don't. If you get a chance
> to regenerate with -H, I'm curious if that fixes it too. Shouldn't (TM)
> hurt anything.

Have you tried the final 4.0 image? There were some fixes that didn't manage to get included in rc5.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180401180132.GW10924%40mail-itl.
Re: [qubes-users] installation failure when trying to install from USB to Samsung SSD on Lenovo 220
On Fri, Mar 30, 2018 at 01:50:07AM +0200, Marek Marczykowski-Górecki wrote:
> On Thu, Mar 29, 2018 at 11:56:12AM -0700, kai.fr...@gmail.com wrote:
> > greetings,
> >
> > i copied the current iso (tried it both with rc5 and with today's final
> > official iso) to a 32gb usb stick
> > and made my lenovo x220 boot from it. all went well until i chose to have
> > the newly installed
> > samsung 512gb ssd as target (it was listed in the graphic menu of the
> > available targets).
> > the system kind of halted for a second or two and then threw an
> > anaconda 25.20.9-12 exception report
> > Trace back (most recent file first):
> >
> > File "/usr/python3.5/site-packages/blivet/devicetree.py", line 184, in
> > _remove_device raise ValeError("Device %s not in tree" % dev.name)e
> > ...
> >
> > The exact same line raised an error already when trying to install rc5 on
> > two other lenovo laptops (t430 and
> > l560) with several different usb drives as targets.
> >
> > So at this point, i am a bit without clue what else to try to get qubes
> > installed and am wondering
> > a bit what causes all the other installations to work for all other users?
>
> What partitioning layout have you chosen? All defaults?
>
> Can you extract logs from that system? The error message should have a
> button to switch you to text console, then you'll find full error
> message in /tmp/anaconda-tb-(something) file. You might want to
> review/edit this file before posting it - it contains a lot of details
> about your hardware. If you want, you may send it just to my address
> instead of mailing list.

According to the logs, "sdc4" is your installation source. Which is a bit unusual: the installer expects the image to be written to the device directly, not to one of its partitions. While the error message should definitely be improved, the problem is in how the installation USB stick is prepared.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180330203642.GV10924%40mail-itl.
ReactOS cooperation? (was: Re: [qubes-users] Disk problems when installing ReactOS 0.4.5 on HVM)
On Mon, Mar 19, 2018 at 11:37:10AM +0100, Marek Marczykowski-Górecki wrote:
> On Mon, Mar 19, 2018 at 11:21:39AM +0100, Giulio wrote:
> >
> > > I've tried that already and it doesn't help (you exchange disk not found
> > > error
> > > for crashing installation). This may be related to *much* newer qemu
> > > version in Qubes 4.x, than was used in Qubes 3.x, apparently devices
> > > emulated there are not supported by ReactOS drivers.
> > >
> > > But, ReactOS live image seems to work much better.
> >
> > Thanks for the response. Whose issue do you think it is?
>
> I'm not really sure. But there are other issues related to disk
> currently emulated in Qubes, for example:
> https://github.com/QubesOS/qubes-issues/issues/3651
>
> > Should i continue
> > the thread about reactos on qubes-issues or try to open an issue on reactos
> > itself?
>
> Getting in touch with ReactOS people is a good idea. My previous try
> was on FOSDEM this year, having Colin Finck next to me, but we haven't
> figured out what was wrong.
> Later I may try to recover logs from those failed attempts.
>
> There is also a tracking issue in their bugtracker:
> https://jira.reactos.org/browse/CORE-13358
> Probably not the best idea to add detailed problems directly there, but
> linking related issues should help.

There is an update from Colin about possible cooperation between Qubes OS and ReactOS:
https://github.com/QubesOS/qubes-issues/issues/2809#issuecomment-377487490

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180330131534.GU10924%40mail-itl.