Re: [qubes-users] delaying total shutdown of disposable qube

2021-04-21 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Rusty Bird:
> Ólafur Jens Sigurðsson:
> > We would like to add a new disposable template in which the disposable vm's
> > will be shut down with a delay of a few minutes, just enough for the person
> > to start replying to the email and finding that they need the file and then
> > open up the file manager from that disposable qube that was almost shut down
> > and thus saving the file.
> > 
> > How would we do this? Is there some option in Qubes-OS that supports this?
> 
> I'm not aware of a built-in option, but you could cobble two things
> together:

Umm, but also: If you open the file in a DisposableVM for editing,
don't you already get the modified file back if you just press save
and close the DisposableVM window?

> 1. To make the destination qubes.OpenInVM service wait indefinitely
> after the launched program is done, create an executable file at
> /usr/local/etc/qubes-rpc/qubes.OpenInVM in e.g. fedora-delayed-dvm
> containing:
> 
> #!/bin/sh
> /etc/qubes-rpc/"${0##*/}" "$@"
> exec sleep inf
> 
> Maybe also link it at /usr/local/etc/qubes-rpc/qubes.OpenURL to
> get the same behavior for URLs.
> 
> 2. To automatically shut down DisposableVMs based on
> fedora-delayed-dvm when they have been running with no windows for 15
> minutes, install the qubes-app-shutdown-idle package in the TemplateVM
> (e.g. fedora-33), and:
> 
> $ qvm-service --enable fedora-delayed-dvm shutdown-idle

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAmCAhfhfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt/N/Q//dQzHhB2rbbhEywWELJ52mGLk3+8dJKcKTTgRAm9FAY7+dyjB6uw4ptfS
AZeGDpKGnVVzKbZdAvzCW7tPX4Hj5uKWQoX6e2PpgowBpgWAJbnMkLcYK53XjJab
ff7pMEhCSviZdsnqVp2klA2CtzPcKZeSYH6G4OYkkW0UcxxZZXMlV8jMESa75nm3
TETyb01xDPE13I5LWpZnThltPUK8L+xi6UhCmegL6rXQtP+FiHe2Yx0it6qyQdCa
JzwekV+AOq2OjjlFUxd6+kRASXNNnkDbYArQ4Z4eMbYr4Qx3RBi4uZ5orT+anZPd
QQqpgfXHs4qgTwxDzTcWynaXmSvsgM7UqTV1S1QdagM1xfjUDN5I7ptJObck60oW
bDrP2hX0efhj/q/D3+Y2+09+k/1CdduwbVVZY/msAhe/OgdMr0SoQ2W8foa46qAk
o7THJ/LYGoUuuGdrlHh+y3X0ph5kFfHtf1LTsXPai78CMbNw5mUtEVtWO0k0OiQ1
tUvp+HQUF3KvJyt0ZCO1hCnph0tkSqxmHULs860dUAdNsNia74lMXt69blVrL+fK
NHUnSmJk45H+F58OInmebVoeHXDbFhhK0Euum3cJw+Idfi0oyTNH0jer1Hm21Tmr
DrLEBsSKXqyUBO4sh8HrjTH2uqomMXCQoH4nJ4CVcVqdls0i3p8=
=vlKf
-END PGP SIGNATURE-


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/YICF%2BKmMwm9L%2BrAA%40mutt.


Re: [qubes-users] delaying total shutdown of disposable qube

2021-04-21 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Ólafur Jens Sigurðsson:
> We would like to add a new disposable template in which the disposable vm's
> will be shut down with a delay of a few minutes, just enough for the person
> to start replying to the email and finding that they need the file and then
> open up the file manager from that disposable qube that was almost shut down
> and thus saving the file.
> 
> How would we do this? Is there some option in Qubes-OS that supports this?

I'm not aware of a built-in option, but you could cobble two things
together:

1. To make the destination qubes.OpenInVM service wait indefinitely
after the launched program is done, create an executable file at
/usr/local/etc/qubes-rpc/qubes.OpenInVM in e.g. fedora-delayed-dvm
containing:

#!/bin/sh
/etc/qubes-rpc/"${0##*/}" "$@"
exec sleep inf

Maybe also link it at /usr/local/etc/qubes-rpc/qubes.OpenURL to
get the same behavior for URLs.

2. To automatically shut down DisposableVMs based on
fedora-delayed-dvm when they have been running with no windows for 15
minutes, install the qubes-app-shutdown-idle package in the TemplateVM
(e.g. fedora-33), and:

$ qvm-service --enable fedora-delayed-dvm shutdown-idle

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAmCAgmBfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt88MA/9HStm1HvlA5D2EoSCmTN2cARLtA8l34Rl5SCoFvxQ/hC0BCeZHAPjXKN0
ERm52C2hoI2tIWERzYB+LzUvZhs5WoRxCqWp06s8DX5KHqQeNX6MajzjGeyq+jf0
iW27jItdoyqbBX2KkNhv8dsbek8RwYG5Vz67scBjvvQDag+WAoYuqrKAYugEl5NY
uOjVK8X1e3YVtP7nOhtJYqApVOz6QXJ4glp5aovTRHkwQsDum6ijs1Djjln96bGm
y6w5Nl5hwC4P15pbh5zQJ7rwkCQ+sbIYjmul9lkbEnpg7oON3yanzRI8QSTnWElY
U/Xr5VzOHK11P/82DAUE+ud210IFQW6Qu8MkebaTt9cJLduxVH91o1LfT9WFKIiU
YeDmM9LFxP5f6LJjDx0+lX5IiuQGWw/534hJhMUXDGUfmo5bn0RBDTOKCUp2ymlB
ntNRYJ373fOsPM8RBd6J95lJ8OiNYLL4m1ad4U9sCUvmU0g7AMafYeZewtj/5tLZ
xqWQ/iOuT7beaIjgRmBTL5Lid0qzYAzecXyT+71VBzwpVFuL298wjO8PUXqDe3Y8
pCRfGkNy04Cw4ojQR/rygNKRxnqvYxV9pCjVuvo24O5aKNmBjE2Yhh98YlSwFAD+
ilQgKH26elRbpFiduzcY78EZHgDQSNVDE8PZhbrjwS2o/ikqBbs=
=08qo
-END PGP SIGNATURE-


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/YICCYAG8zdb2Jgn0%40mutt.


Re: [qubes-users] Recover data from 'private-cow.img'

2021-04-19 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Stickstoff:
> [dom0] qvm-volume revert vmname:private old
> > Got empty response from qubesd. See journalctl in dom0 for details.
> 
> Journal says:
> > unhandled exception while calling src=b' dom0' meth=b' \
> > admin.vm.volume.Revert' dest=b'vmname' arg=b' private' \ 
> > len(untrusted_payload)=3
> [..]
> > NotImplementedError: Volume Filevolume has revert() not implemented

The legacy 'file' storage driver just doesn't implement the required
functionality for 'qvm-volume revert' - one of the many reasons it
will be deprecated:

https://github.com/QubesOS/qubes-issues/issues/6399

> On 4/18/21 11:25 AM, haaber wrote:
> > These are real disc-image files! There is a filesystem, but it is not
> > in sector 1 :) 

> After way too long I figured out that the regular 'private.img' seems to
> contain its filesystem beginning right at sector 1,
> 'private-cow.img.old' apparently as well, and 'private-cow.img' at
> sector 560.

private.img is a full disk image, but private-cow.img(.old) is more
like a patch as you said, and isn't mountable.

You could use this script (after backing up private.img and
private-cow.img.old):

https://github.com/rustybird/qubes-stuff/blob/master/dom0/bin/qvm-legacy-filevolume-revert

$ qvm-legacy-filevolume-revert vmname private

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAmB9t/hfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt/I5xAAmGRwSaNEzIt3ceEPbaJB6WVTUuqnwOUjRa5ds0/Fd0W7UWOc+kJVhdl+
QrshJn4kTRwf4N/DVuwhtzX146G+zJFf3PZegaTChXMoLCyxHg1zOsdSqaBUWILX
LUV7PFCKHTqhDX1XqoOYxhWPJpleYE3Gvzvv2IlqKXxFy8mP7guoMkNBjVoh5NVA
CBBKc7Z1MHk4+5OTJ8J3EFdrEXeODMzkUQw0GNs048MyI+Zig3z6r0t78h2JNFwY
Hb+BPPVZ3YdzVcjLu4FegEdy9EvTwdQ/z+K87DupKLMu5FNT9GRbvgHzdLNxq9je
6GOVrSLwkvPYo86LBaVE+9b73mX5oc8OKaLAK1dv3LB2f756IP4wU4dgFVmjkkjU
jlaHSqXFv3S6R44u31iVlDzDNclqcuZwvhyFkeAn//JG9E0Mh+er80N8qBLP3gMj
QMYFk8kWakpI56ceR8rQ9dignsWkBdd6+PBGAilHVX22Mx2C+2sfw0cu6QLRMstm
DzocEMwY0sEI2cZJZpcODToB4MhzWcPB1me5s2/etkAgCNWqodR/HHZ0T+j5ZXH5
20P0GMa2YpQFvIZ7uZxbj96aQfyBtPv7a+EkEBYK0f5zNPFst6KLVvVPiyTF6IT5
CRLyyXOAHmAxMCgGysyet9ZsshuMCeMbh8kJp5rBMLbPYcgW1Hw=
=N9oy
-END PGP SIGNATURE-


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/YH23%2BM9yxZV5MT4Q%40mutt.


Re: [qubes-users] qubes-split-browser issues

2021-02-08 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

taran1s:
> Rusty Bird:
> > taran1s:
> > > Rusty Bird:
> > > > Anything interesting in 'sudo journalctl' on
> > > > the DisposableVM?
> > 
> > > Can you navigate me how to open the terminal in the active dispvm please?
> > 
> > In the Domains Widget (system tray Q button), there's 'Run Terminal'
> > inside the disp1234 submenu.
> 
> Sorry, in the Domains Widget there is no active disp12... available. I can
> see the dispvm only in the Qube Manager.

Are you maybe confusing the Domains widget (Q on the upper right of
the screen - next to the Clipboard widget, Devices widget, etc.) with
the Applications button (Q on the upper left corner)?

Qube Manager can also open a terminal: Right click on disp1234, "Run
command in qube", enter "qubes-run-terminal".

Once you've got a terminal in the DisposableVM, can you please also
post (after the Tor Browser window has appeared) the full contents of:

/home/user/.tb/tor-browser/Browser/sb.js
/home/user/.tb/tor-browser/Browser/defaults/pref/sb-load.js

And the output of:

ps -efH | grep -i browser

> > The logs in the *persistent* VM would be relevant too:
> > 
> >  journalctl -t qubes.StartApp+split-browser-dom0 \
> > -t qubes.StartApp+split-browser-safest-dom0


> > Ah, for some reason the hotkeys aren't intercepted. Can you start a
> > new Split Browser, and post the full contents of Tor Browser's Browser
> > Console? (Ctrl-Shift-j)
> 
> split-browser-safest
> 
> [02-08 11:25:56] Torbutton NOTE: Initializing security-prefs.js
> [...]
> [02-08 11:25:56] Torbutton NOTE: security-prefs.js initialization complete
> Content Security Policy: Couldn’t parse invalid host 'wasm-eval'
> [Exception... "Component returned failure code: 0x80520001
> (NS_ERROR_FILE_UNRECOGNIZED_PATH) [nsIXPCComponents_Utils.readUTF8URI]"
> nsresult: "0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH)"  location: "JS
> frame :: resource://gre/modules/L10nRegistry.jsm :: L10nRegistry.loadSync ::
> line 661"  data: no] 14 L10nRegistry.jsm:661:19
> Bootstrapped manifest not allowed to use 'resource' directive.
> chrome.manifest:2
> Content Security Policy: Couldn’t parse invalid host 'wasm-eval'
> [Exception... "Component returned failure code: 0x80520001
> (NS_ERROR_FILE_UNRECOGNIZED_PATH) [nsIXPCComponents_Utils.readUTF8URI]"
> nsresult: "0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH)"  location: "JS
> frame :: resource://gre/modules/L10nRegistry.jsm :: L10nRegistry.loadSync ::
> line 661"  data: no] L10nRegistry.jsm:661:19
> Content Security Policy: Couldn’t parse invalid host 'wasm-eval'
> [Exception... "Component returned failure code: 0x80004001
> (NS_ERROR_NOT_IMPLEMENTED) [nsIAppStartup.secondsSinceLastOSRestart]"
> nsresult: "0x80004001 (NS_ERROR_NOT_IMPLEMENTED)"  location: "JS frame ::
> resource:///modules/BrowserGlue.jsm :: _collectStartupConditionsTelemetry ::
> line 1743"  data: no] BrowserGlue.jsm:1743:9
> Error: setevents stream -> 510 Command filtered tor-control-port.js:237:19
> [02-08 11:25:59] Torbutton NOTE: no SOCKS credentials found for current
> document.
> Unchecked lastError value: Error: Could not establish connection. Receiving
> end does not exist. store.js:135
> a11y.sitezoom - Unknown scalar.
> [02-08 11:26:02] Torbutton WARN: Your Tor Browser is out of date.

Unremarkable log spam except for this^ line: Somehow the Split Browser
prefs from sb.js (which would disable Torbutton's broken update check)
aren't being applied.

> Key event not available on GTK2: key=“u” modifiers=“accel shift”
> id=“torbutton-new-identity-key” browser.xhtml
> Key event not available on some keyboard layouts: key=“r”
> modifiers=“accel,alt” id=“key_toggleReaderMode” browser.xhtml
> Key event not available on some keyboard layouts: key=“i”
> modifiers=“accel,alt,shift” id=“key_browserToolbox” browser.xhtml

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAmAhQlBfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt+v9Q//Xvl8KgoG0J8P9hxyAOSdQWnH3yOLqhBHkF7PO7LVAiJkSt+0YXtDLPy/
jjp8SAkgix2RCJyUG29mDszEvJjOrOYLHXIKDG8dmhKRWfD4QvWB1cw7a2eZAhdh
H0jOGVACYI4UZ9W87/apxTnexx9vs8cvcSORMoxwsJg4spRWTj4RvaTxMTHyVTjc
v7kT9JzTRznaG96n78yUlM/+aCY/UWcHmDASwY0eoHJGzrnNO82NURx1h+K9P+Tp
F1GA+8UBO8k02stWpFmoRhjz4JBYTWtzgaXhe063Y2MsZD2ERu+Y7lXz+Iy3bPjE
G5cF86CBQQklCSqxA6Ih9cBwY6qw35se6BFzIm8ldLbe/kYGNnnfjZMJli3MpJky
vcBfkGIoyAMs2GQibDkQm0+EEJtjsmCzK9nLMdf2eR91Bw+I1ti19+ZMB6D0LKQB
3ALE3PK5tu93AenOi8WC/hWI0aPe3a4xoDu8T1Mgd3JyhsMEcsHtxYC3zttKOGo/
4jtDB+hx8m/YJfvJqVr2d+Go

Re: [qubes-users] qubes-split-browser issues

2021-02-06 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

taran1s:
> Rusty Bird:
> > Anything interesting in 'sudo journalctl' on
> > the DisposableVM?
> 
> Can you navigate me how to open the terminal in the active dispvm please?

In the Domains Widget (system tray Q button), there's 'Run Terminal'
inside the disp1234 submenu.

The logs in the *persistent* VM would be relevant too:

journalctl -t qubes.StartApp+split-browser-dom0 \
   -t qubes.StartApp+split-browser-safest-dom0

> > > - At the end, if I save a bookmark in the disp VM TB, launched from
> > > the surfer VM, the bookmark doesnt survive the killing of the disp
> > > VM and is not available from the another disp VM launched from the
> > > surfer VM.
> > 
> > Did you use the hotkeys? Ctrl-d to save a persistent bookmark, and
> > Alt-b to open the persistent bookmarks list. Other methods (like
> > clicking the star outline in the address bar, etc.) unfortunately
> > won't work.
> 
> Yes I did. Clicking ctrl-d saves the bookmark with blue Saved to library!
> popup in the active TB dispVM. alt-b opens up the bookmarks menu and I can
> see the bookmark. It doesn't but survive the reboot.

Ah, for some reason the hotkeys aren't intercepted. Can you start a
new Split Browser, and post the full contents of Tor Browser's Browser
Console? (Ctrl-Shift-j)

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAmAewjxfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt9wrxAAi4flIxX5ZgSBtW7J8Reo+3CraHaBOyP5jbFu3NyToEn0IshH+Juj9sK3
7+Zuhi6XADMHv6+vT6d0Glb5D3wkP7DE7dMr1tEU2ByJSgOIUB3kQUXiAyoiiMc/
cTEqw06GZwnNNobNVuT7Qc8/VXdLzAZhvmJFgjMpG44leyH9nVn+UDF/v6QpHaLV
jmONk5nbip1HDIFS80EFHnD8oi3gDFrovte5hKLis41EuKeGYNTsFJXmBsnSo3qX
5WyBdyk8vrvbnS8/ELW5ubTXcc42X1syTaR9GW4NeAXLdNBSzYEwCl0kJKAnXcz0
8hYTUNsem11I20BKFYEm7X4LYMfCvl2v3/Ol6wteEA4XBRpHM8Xu4DnIUQHZtkTi
vD50h3KYr7/C+OzvkMN/hlsy0PdCPbYUafrVZPs0EuXuaIDug9cldBrIkGD00M9g
CDGC4JyDgEtp0/upiFVdgvCEfYqp/t7zLJ35uc/wdjYQhJcdWOWys9O9koqbm8Bf
4kMrbk/y+ErTiXqX1yUhHVWhC9zmyjvOs2js55/o6BzJ4WUHjLzZbhMZtNEkdRFz
RB4BSb/RZHtPYlPG4vlmwTcSLwMDjJIJf1xedT+cPU8Z6BlE1jZ1Xy7Re1YodasP
S87zGRDLltbbYnnmdBDKzVKFBUAmyrCgxePXDmvgNjqqq15uiOw=
=tfYj
-END PGP SIGNATURE-


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20210206162220.GA1843%40mutt.


Re: [qubes-users] kernel-latest broke my system

2021-02-04 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Fabrizio Romano Genovese:
> In trying to make my wifi adapter working, I decided to try `kernel-latest` 
> on Dom0, which installed kernel `5.10.11-1.fc25.qubes.x86_64`. The result 
> is a system where I cannot start VMs (not even VMs with no devices 
> connected to them) due to `libvirt` errors ( The kernel doesn't support 
> reset from sysfs for PCI device ...).
> 
> I tried to go back to my old kernels by changing `xen.cfg` in 
> `/boot/efi/EFI/qubes` (here I have options 5.4.90-1.qubes.x86_64 and 
> 5.4.91-1.fc25.qubes.x86_64, besides the one I mentioned above). The real 
> big problem is that these kernels do not seem to appear to work anymore. As 
> soon as I change `default` in `xen.cgf` selecting one of these two kernels, 
> I am not able to access the system (after I insert the LUKS passphrase I 
> get black screen in the authorization manager. Moreover, from boot messages 
> it seems that neither these kernel can start sys-net anymore).
> 
> 
> Any suggestion is really appreciated, I spent the last week configuring my 
> PC and I would literally break into tears if I had to re-do everything from 
> scratch.

Did you also install kernel-latest-qubes-vm (in addition to
kernel-latest) in dom0? Then maybe that too happens to be somehow
broken on your system.

If you can log in on a console (Ctrl-Alt-F2) *after* all your
autostart VMs have failed to start, check 'qubes-prefs default_kernel'
and try setting the VM kernel to another version - i.e. to one of the
directory names in /var/lib/qubes/vm-kernels/ - like this:

qubes-prefs default_kernel 5.4.90-1
qubes-prefs default_kernel 5.4.91-1.fc25

If you can't log in at all, you could mount the root filesystem from a
Qubes installer console and edit the 'default_kernel' property inside
var/lib/qubes/qubes.xml on the root filesystem mountpoint.

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAmAcY8ZfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt9qzQ//VGZZvcU0kmZc/0rphRHJL8Ds5NHqQcFE/tijIxFGin6as/3r/l0hRP5L
xYA7IXoVlPj/Q2r+Ub5JnPJUl2/0WeYSU40PFJMALCBbjM0Vs1LqE55WbuNu1xBt
8uKlRKIxMfe+uJzFGjUBmNbV8elNCPpxMRHeAWG6iqvHfm/62RlEamKj+7xm1DTY
sOUJzbSFguHWd5P0e/orVpQfaYrfRGexwpLv7+LkM+aQ2i8pDgcnt+ueLtLYDS/F
yQVAd1PLEuxI5AxaKL4OFgDIT5X6EGSof3yayr7/CSCwPo9fMb2W/30ZOGa5+2J5
Y2mXfUfnbZsCBCVolOKNZhVC7we0JxcfDElsJ8nWNHhrOq7vtIKm/Z0NUL2fw7Yu
LFHKgpRRXwnICRETfTWpaCE1mfYx0XA1h+PDxVCNQsn6Qt49Zm993ZGrk6pAS6Dt
9zfDt2wB1qEIB0vd/6ao350B6eDkOB2JElldR6H/BXoFbv1m9h3YD7d8KazehpX5
f2NdT4Zg+ZmJYw4sZbRPIYaYjlNBumJnkF+XyM2ZN/dzDfMe4oY8/AuqxBGeWHln
BTDgX19GwfMviPeTv6K+FsmcaykA48j4sdw/ns6ZVexJ57KgC4cExsKiIT31jHBL
vgzUALinx/QwtCfwl7XxL1TakJ9tQqLt42E0UTA6rPBVDXS/074=
=hqBL
-END PGP SIGNATURE-


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20210204211446.GA1168%40mutt.


Re: [qubes-users] qubes-split-browser issues

2021-02-04 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

taran1s:
> - TB opens up in disp-VM whonix-ws-15-disp.

In a VM named like disp1234 though, right?

> The welcome page is not Whonix Welcome Page as normally when I open
> the TB in the disp VM directly, but instead it opens up the About
> Tor welcome page. Is this intended?

Yes, so far so good.

I've configured about:tor as the homepage, because Tor Browser has
been plagued by a bunch of obscure bugs on first startup (which should
be every startup for DisposableVMs) when it's blank or a file:// URL.

> - TB opens up in the Security Level: Standard, instead of Safest, as
> mentioned in the name of the link (Split Browser (TB Security level:
> Safest). [...]
>
> - once I close the TB, the disp VM remains active and needs to be
> stopped manually.

Those two are strange. Anything interesting in 'sudo journalctl' on
the DisposableVM?

> - At the end, if I save a bookmark in the disp VM TB, launched from
> the surfer VM, the bookmark doesnt survive the killing of the disp
> VM and is not available from the another disp VM launched from the
> surfer VM.

Did you use the hotkeys? Ctrl-d to save a persistent bookmark, and
Alt-b to open the persistent bookmarks list. Other methods (like
clicking the star outline in the address bar, etc.) unfortunately
won't work.

> This behavior is the same if I execute split-browser in the
> terminal, or through the GUI as Split Browser or as Split Browser
> (TB Security level: Safest).

So 'split-browser --safest' also opens up on Standard?

Hmm, maybe try with a freshly created DisposableVM template instead of
whonix-ws-15-disp? I'm definitely interested in debugging this.

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAmAcUt1fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt96Ow/7BmpbNO9F3dyHPa0LZHtkUla9OFRoTLtoxkv3OakQyZe5NlTFiyxesmxc
5CYHonVn7+xDyjxPWM9PEZHGBnNwWbJVaKc/+/6/VV5V9lRE2uMv9z+bVQIKZVc0
dXQZ6OHa6vJtxrnhoJZ5Sw4/nFzFvSa3Bwrs03zHDjSqr7Rn4/z0pBCnNauC9ifQ
oXt1JUaxWbWrBvc4LNV/AJYigslIdWn8gonVYsZ0TKwrqNvlO+VpuGDTCKd+yehn
obhBlalR20yBKF119R85+ouqk6qdtN5U+E5MP/yi3xvJGclUK0RmDBGjc2OHnIvw
YRgYSBvY7pbUH3S8TCPPUQx+XQw6RoGwEBLbMUN2SMQRZ5AossvVXpWhQVZXybj6
h2UzJy2pnR0ZbsQbGcrrzNHWCW7cYKAbb+m2lh0O+BGWzo+/WL/ER8yvGhUmzUsi
m2xDL1Fd7Kj6LBHFSoGImEVl3Ntx5F3AInsbcaNf61vuDO2vsVwbBVOEj7a/VzUU
N+N1ySAalaaautd1VuH95x19CzyWOh4O1eI4tZX6RLwmi2dryhAKUDKHG/VtEJVH
R9+xNM26z8gtM4ooRMlFAERllXFeLxCj8hTIkGiOoTgOVxu4DfEM9XaxpsxxS3U8
Xp4OXNI0QMgc/yEXKvLjBnKh6zYnbjOBsU7P6Xt07Do7nwnMH18=
=UTUB
-END PGP SIGNATURE-


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20210204200237.GA1116%40mutt.


Re: [qubes-users] Exported Volume Error.

2021-01-27 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

'Stuart Perkins' via qubes-users:
> Ok, now I'm afraid to turn off my computer or even stop any Debian template 
> based VM's...

Don't panic, it's just a bug* in qubes-core-dom0-4.0.56. Your VM data
is still okay.

> Here is what happened.  
> 
> I was going to do a general update on Dom0 and my Debian-10 and
> Fedora-32 templates.
> 
> As is my habit, I deleted the older clones of those template VM's
> and was creating new clones with qvm-clone from a Dom0 command
> window.
> 
> While attempting to create a new clone of the Debian-10 template, it
> halted with an error:
> 
> file pool cannot export dirty volumes.
> 
> Searching for that issue suggested I start the template VM and exit
> it cleanly...although I don't have a recollection of a "dirty" exit
> (crash, kill etc...).
> 
> I went to start the template with qvm-start and it won't, giving the
> error:
> 
> file pool cannot start a VM with an exported volume.
> 
> How in the world do I recover from this?

If you restart your computer (or only qubesd), it will drop the
lingering export lock and you'll be able to start the original
template again, etc.

Rusty

* 
https://github.com/QubesOS/qubes-core-admin/commit/0eb95044dd937857581a22c13a692eff5d92c70b#r46447802
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAmASBdNfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt/aMxAAhvLLYX/P41rPlt2dc+Apt1IJ+TsEYfY8QPLxgmbihLPAstFTizD6bFKR
MHaoHNdGuVESxx4NHUT4QINhNf8u42H1uhq3oyjyEEaXBg1BTdijoTq6lboE7/PS
aQ9x/6+qpuM4yF7sfdKcKCLI65NveWzlI9BllBi14/on5Qyp/+xbWZHu8ZQ6M/AW
Sk7XkjpbxcIJiyO94dCLSJthEgvhUoYa42WJI9vuaH3Mi//8PVVJ4siY4GtCCEP6
8d2rcJOo2F9t1MW3cs1K4cxDgk+0F93dsH6/QkN54AJb1hZC9Kmr+J0+Rplge1qU
M8VWOfXVzJLaWuQmEDFM3PXQiXdwYsgsl/rf54Kb7TwL9n86k9cUYkzysYjEjByQ
x0nq0KbXYX2ORG5OlAXYKUbvqYEj+xjaN2NU/fXhJ1S5r8ONjY2z5XnRA7wEB56L
RFWIsSV8+cUXGICRmQDqlHW3jutWz8LSpOYHRLGqXLf7MK4pw1X31WaVEySKcuTE
D8obLteR7Zv0C0malWBWDRdsNokpZKzNPmlKupnGlZDcAmP/f2kKlMe63EwhEXoL
gGrb6EeB/cOGaHpbQDNntGD/3AjXcdtNRq3gGHUjCjzb0QQcAbQ3I6bf1zEQrLYV
61p4/y/6qWXi1pUtMyXF+bC/LweGJ84LFxDstlnEittImdsRk0w=
=HY+/
-END PGP SIGNATURE-


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20210128003116.GA1131%40mutt.


[qubes-users] ANN: Split Browser in qubes-repo-contrib

2021-01-17 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Split Browser - "Tor Browser (or Firefox) in a DisposableVM, with
persistent bookmarks and login credentials" - is now fully available
via qubes-repo-contrib for easier installation:

https://github.com/rustybird/qubes-app-split-browser
https://github.com/rustybird/qubes-app-split-browser#installation

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAmAEb/lfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt8UNhAAjE0OL9e5cBOONMH/m11XIiz1atDV8aWkSRu48Ru0jmNj5dQFFssusWYT
xVoVCFFqTXg9iNlMpiqoyv04TfUM1N/OZAQz+/P+mXmqJlZO9U1H++AlRQXZM5FF
+ZL3WDMT7lrTE699TuC3BwrNhjP9Ljgqk35RUMqrns8bCpZ0ELFzt66lEIgV/iJt
z+9dFtxICRQA45FHK6FtO96FV2YPTDvSfo0bUmXT51nuP7ICeQs8wbT1erwLGEJt
O/1i9xVMsv50ODd+5DuIHtUNUmOIzSL0PXJAwDuZndC+Bk+pWKoykKtvoAHcT/b+
R33czupka28/dcsTk7TwW9kA3ChKEDIftnuhQz6LgLYOlZdUs4QQBVhl8lWrvKCJ
INrIoXHlrFBfIFT3cfPL52zYyyWwjRlB662lymGiakfcM1vH2uqtpJn9I92zzJBb
eDdGIkS+qFRtQFvWD002sdAV22Iox3lpScMf6d0+gy2y1kbky/2WHOfOwJJE6shI
Pj0SMu2Bjf/dRBzzO+/Ip2W4GIuLmmsc3pgYoEmeWv0ZvxDh7R++eCbeQ/lz9ixG
miSwBW24jAPBHtsU8seNBJfyHV6Nj8tWD3CQSho7NW9CevdTnk6wDIHX0LRDtJoJ
NKvYK4Q0yQLVXMLchU60W0lyEKeuEd7nyp0QiAlmFKe5f4q2x+c=
=NG9N
-END PGP SIGNATURE-


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20210117171225.GA2138%40mutt.


Re: [qubes-users] Setting block.no_part_scan=no on sys-usb???s command line does not work

2020-12-26 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

unman:
> On Fri, Dec 25, 2020 at 09:13:24PM -0500, Demi M. Obenour wrote:
> > I am trying to disable automatic partition scanning in sys-usb,
> > and tried including block.no_part_scan=no in sys-usb’s kernelopts.
> > However, it had no effect.  `block.no_part_scan=0` also doesn’t work.

> no_part_scan=Y ?
> test by writing to /sys/module/block/parameters/no_part_scan

Yes it's Y, but with 'block.no_part_scan=Y' in kernelopts, the VM will
fail to boot because now it can't find /dev/xvda3 (root) or /dev/xvdc1
(swap). So this parameter is intended to be set by writing Y to /sys
after the VM has booted.

Block device content is also parsed by udev scans for filesystems etc.
In Split dm-crypt, those scans are disabled by installing a udev rules
file which piggybacks on the kernel parameter:

https://github.com/rustybird/qubes-split-dm-crypt/blob/master/vm/rules.d/00-blockdev-parsing-disabled.rules

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAl/nBrxfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt/Ubw//Z+qkhK4te1/qE2DXo7DHw671ht3vP/4rbW3P2Y5pjcZHMYAZPgJ6YRpc
HDAE/I77qAoPX9+Luvy0+poIM0gKqcmVq6cEEmKSfnXEGwezCTvltvvpjTu8k4Nb
H6nVUMBxZ6uiZCDDEtd0K6mMcQncdEiaSjtPGAkmIgL91gygCgbe+eHOOxPIEAFu
vAqfpC9DUBzCHeG1r9ldg2h5VSTi9c5tZpaHqaJxDUEc2rqs5gHxDGRL5pEnJ6jn
H22KGztCIh4y90xdg9LHY2Q2kPeqI3X+a12xiJ5JXsGM7Hzt+9WsFGTOU61BvGpz
3miCJLuyAP2/OEWFh9JxfwepgXBW5PnWLi5+fkY9gR2mzLzXVro4ojmy/e6CYsq6
SuZvhWrdPDL1210POu0dygRvtwcUjyiueOjIl52m4TStX7AQMyF5vWiElkGs2io9
F/4855Q11lBehwxMKz2k0/KyCyWn6Z9UnbcvmMOwiQZGvQCAQ0WS3oKkWPCqIo8u
07yVEI2/r72xN1tawdIkTP7tUnemV6RIBhMJuoFRaO2w1JdXwJntf77ALmF/n2R1
17/3iyZcs9V0mTK7zZ7Icv6NUtJgTh4CH4LTURfEG1xrKHxs30PB0E8Q3LLFSXkh
IcDZ4y7QseZ/xD+fb+bDBl9DQyfOC4mEz5utWV4KU3iY3LPcoAk=
=SPOM
-END PGP SIGNATURE-


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20201226094740.GA1284%40mutt.


Re: [qubes-users] Installing Rofi on dom0 via contributed packages?

2020-12-17 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Rusty Bird:
> Stumpy:
> > On 12/16/20 2:40 PM, Frédéric Pierret wrote:
> > > Fedora 32 version for qubes-tunnel is currently uploading to stable.
> 
> > Error: Unable to find a match: qubes-tunnel
> > 
> > So perhaps its currently for fedora regular rather than minimal?
> 
> Regular and minimal use the same repo. You're still seeing that error
> because the upload didn't go through:
> 
> https://github.com/QubesOS-contrib/updates-status/issues/21#issuecomment-747355040

The Fedora 32 stable package is available now.

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAl/bs6lfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt8XVg//bvJWioXtSB3GgcLPZqbdbch4JTTqnWOkIgitom7aiPW6Q8cPg0kuFHJ2
4Oap5vExXssI28dxtcK6jLghGc4Dis9Lhw2/cSDp+WdY+7SrFQCb7eTDFeUMJbxz
CfQ8P+lfWzWnuaBUIiIKBhzxQFWjp3YmBRZ+PgsaVSwGxEQk00Q3EJ5lDR1hBwi4
QCLTp/eZmYDhSa7IiDLU3Zz+idVXWwXsvkRQvSmKbOeaxOP5D3Iq/r7dDgUl8zt9
fUf0tWwYDpIAWNQVo+Kxkwhl3iogDLmGwuXR5Vu5p9vMMkj/EwCpaPijZnhmdqZf
3FkMM34Ksw1EWqIo8AEOsH7FPfdN8CzQQ4nOd480VcAnwKpnqya1sV4vKSW9ii2N
Ezn+Kupif/b7ZET7Joesb5E4HIHGxdwK1ea/AZPUug5kZpG+ja8d7/i3h9miGyMY
dXRFXXVZf9IQwCCF8EFF2wl3oXkc7q3vYd46Dxe4hvvyGPscL2aBWiKz+iniX3n5
MS6uy07Wnaz6aNMvHVkKZqY+RIprt9ohbXQwghG7pvYJEcQd82ckeWvVNKlfxNDx
jE+5lM9SKr8IZzuYP8fww/iGF6iQJhZ6Z/fzOMyCDWRGkwA/i7f74cubSLq0YNNt
5WtYZyz2Jb3JcCxhV4WpM0Fdhkedo6Sqsuwd8N5Dy+g+2vBJeAg=
=A6uh
-END PGP SIGNATURE-


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20201217193817.GA1669%40mutt.


Re: [qubes-users] Installing Rofi on dom0 via contributed packages?

2020-12-17 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Stumpy:
> On 12/16/20 2:40 PM, Frédéric Pierret wrote:
> > Fedora 32 version for qubes-tunnel is currently uploading to stable.

> Error: Unable to find a match: qubes-tunnel
> 
> So perhaps its currently for fedora regular rather than minimal?

Regular and minimal use the same repo. You're still seeing that error
because the upload didn't go through:

https://github.com/QubesOS-contrib/updates-status/issues/21#issuecomment-747355040

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAl/ba0FfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt8JuA/8DAjNogJhCkjiKfciVtH/qbhdRdF6ax/2D5qQLWOzwTdP8C1ZSs9ChZ2T
FUL8M/WfNzaPc3caXgFuwxDuuDo+BrdMo7dFfHbPGpLXSgmPMITtD8ysc2xCehST
Aj6hr3QROco1JuUtCka7WYfGgdI4WkWnop1BdidceftGyxHCNKTlswSIq3EYcesD
qqNQ6G/WEmeXgyRATzcXDK0zNti34eyFIr5JNb2h+ilxVjVe6vovVr1DcP40r/wI
YsyTJ6HYSJ6V0IbIgcSqegp7LEpxxXY84XxoXjhpdRBH8fasrax3rYdeIGcgm+MU
Kswefwp4HXd4C6SdF8xBR5x8MForjvpRT9glq6/DSQ3YSmgCJq+1W6OX5Bm9iaHw
VUMrV4uv+Y5e7g+rZRu7hNZtwyDVIbv92wrMqkgOFhLRKu18rzD9G2I2aNEePJvA
xfOEFB85N+QmNS3kiBzMC+zji8hHQwoZH/zsKIV2YIWbkiBiYVZ+4lzmEihVPHRk
eb22dV3ARxYYKuQYGDrItH8r+S/gYHcHMhwuzKNn4+EeSeWRyXpxz90AN6vvlVWG
Yaq39HO9D8Xb2QJJTOypGoggQJykdD/ZDxbqoY1k3Lo4+ALD9bSQa2FgpSPTo9Qf
DTtPPCVmClXSguwq4PbrL+fjbNmdBXg4+YHtki652tEEQAXCy6M=
=yYRJ
-END PGP SIGNATURE-


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20201217142921.GA1211%40mutt.


Re: [qubes-users] Installing Rofi on dom0 via contributed packages?

2020-12-16 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Stumpy:
> [bob@dom0 ~]$ sudo qubes-dom0-update qubes-rofi
[...]
> No Match for argument qubes-rofi

The package is called just "rofi":
https://contrib.qubes-os.org/yum/r4.0/current/dom0/fc25/rpm/

> which seems to be similar to an error i get when i try to
> install qubes-tunnel in a fed32 minimal template?

Looks like qubes-tunnel is in Fedora 32 current-testing, but hasn't
been uploaded to current yet:

https://contrib.qubes-os.org/yum/r4.0/current-testing/vm/fc32/rpm/
https://contrib.qubes-os.org/yum/r4.0/current/vm/fc32/rpm/
https://github.com/QubesOS-contrib/updates-status/issues?q=tunnel+r4.0+fc32

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAl/aUVRfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt/lJRAAjKIvIu+NMgL490ovupq4K4jVyluKBDBG/F+a8bUoNS85KclpJIr5fjGu
kc30I95JoA8ZsziQHVVSMGNe1ByM8L2SF8kP2Sb5Oa6bY7+s+dJs1QC+ewbenbOJ
ncyK5dOLdGHYX7fRPypUp3t44zOR5nGWVtVHstu6F4IrJfWzECj03gVTqQyedwiW
i7xKmWx7C7/4QbL7wsgFqZ8DVX9rQ+77ms+Cp++jqEWJbomQd2DyhG6k/ihJRcl2
tJ2Qj+yLDAi8992/bxvk4GZcD+lMbKlzHu5m8vmFmvvbriTQO6OU603GAaB9sDes
DHVOah51ASlezuyvWgIu53RCUTdb22gEnJyo2OjIauYo29yvGQ+9v5thYLAVqRMh
Euw6miLABXxJDWQ8wESiCk0wPnfP7Fr1YKH/mt9xNxPyMGLJgJIdBWYhUF9stMYY
8dzwYsc9ZOR4lfwTecqeRZmCj1JpW3xYMqr/fkB2kiPgFixbO2sq2TgnwQl379Bv
amTNXz2jlhYmXQZ7JwZMMXzmQaiaVMBeNr3mqHuUKIoQRvrErxT3LKqjJeeumr0T
qTawrAKI0S6HjDT8h8yB3Q6hQkJ/eb7NCybJvSPHXlku+AzSWOGPNXCwYdx3x0ut
/HCRb8S6Mw3cJ2hIGm4nw4VeRCe+F/b+eRcjgzGN1lTGC+rNNo4=
=H2I9
-END PGP SIGNATURE-


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20201216182628.GA1183%40mutt.


Re: [qubes-users] Re: Getting wifi working on a new machine in qubes 4.0.3 and 4.0.4-rc1

2020-11-26 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

River~~:
> 00.08.0 Network controller: Intel Corporation Wi-Fi 6 AX200 (rev 1a)

https://github.com/QubesOS/qubes-issues/issues/5615#issuecomment-702032377

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAl+/nAZfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt/L8A/9FLdY6g4GEXCE2PCl8rtJfy/TqAadc4Qi0aCYfo0Jg+EyloHabsGcVHYV
1gd4wPQmB7jjHM8hRhozmRn9cPDi5K2s+J6qladI4EZ6w1bWpX3vq3kwXtb4Yz9l
kr76DVR+RUtp+beg04me9mS0imNraBSBFremBF1KWE/eO0dpGGAS9puPEJ8Zto8m
+RP8rcj0MWxVzUA04vT10b/CVBSn5mQDjgDG4jujiLOXM67zXw6aSY1gdis9PIOO
AndoP2iytenRfJwbLSyU4IOA68R7tTmnUfNOuoF3OKHtvQO3wBV+2h0IV690uwtF
vYOrBIL6UF84Km5h26xcL0cJ3JfiUbYcqaG+iT1znNfzylABIUTDK/vLlYAE5Lf3
QQ9s/ttFkLH3Q3YtnIk6X3XMpull4YbyUmsez4kkwu65NsD7vRHEjmDlkfSLRloI
KjoNKhY//p3VEo9esnsW+9BGEB7OyO9aq9VH/iP2A1NDcWdHK4oPpG3b31fCOBRp
S3cfhifNrm76plggTyt4beGJipytUZCH8pw4eDrCwJvvQJsuGUnV+aEF7u+lZ4o+
Nlxl0xcUt0TElWDqbTfvEBPr5+H6BQwDxL64JNYIuZejFsrvAOuVhdnnvSUI2gXL
LKkOeDEs/j7sA2xnw8zQI7mUDxCVJ1EX+2j3u56Y1+5ND8PdiBQ=
=Afss
-END PGP SIGNATURE-


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20201126121358.GA5331%40mutt.


Re: [qubes-users] select vm to restore from a qvm-backup

2020-10-27 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

lik...@gmx.de:
> I'm looking for a possibility to restore only 1 AppVM from a system
> backup. I could find this by studying the parameters of
> qvm-backup-restore. Seems that it performs a whole system restore
> (only to choose between with or without dom0).

You can specify the intended VM(s) after the backup file argument:

$ qvm-backup-restore /foo/qubes-2020-10-27T123456 vm1 vm2

For some reason the manpage doesn't mention this syntax, but it's
shown in 'qvm-backup-restore -h'.

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAl+YWutfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt+YLA/+JkSb7Yz4mK2HuDBlax5JyqBB2Ps9gULRujJY5TU9xWCop4kN5geMQQt7
FtdD+YOi1eNxx5iYB/6L1xPol5licnERnpHH1F67bNL1Z7CqoeatRH/PhGOXf3Lf
Mg/RAkeF9dIlIJlDiM+jAF8AK0g3PKX9B6Hwgfou0k3GLni0LeONMASbQMBzpMdd
2tNp03abV5hzVnyHvUEFDzU4VBbuy5zIB5oj6CdQhvYxeQceDmYEIplxBEflV2O8
lLm+xuAHmJibjjfXtaH8iah18JStvRHuJa2ddWdUcEyckhNo8jey64fGz08Y7Ma/
WV3sm0V/9vlNndJGvd33ile0o3+wCHl6q2lsq4xkxvJlGtxMJ8IatN631CdgUWsi
V/MHOj2UzDLD4ecIymqdtcKPPgNqb8V+l8um8vuD8SI2m8dznJRxJNKIiUUeW0z0
XofG9QIL182RdFeMrrCPuq5tFZLbMDcMmHZT8Xr84kwV00WaHig3m47zUhmTeuyz
gnIUGnnRzbaVz3dTskUGEgMHeTmWI8pFx0CXI6e1HIop05+HPONkneev5LVcJciz
s/zwuKPX7Bf8Uc7pfbrAVQIW0iMTKOa9LcVgOGrq3zUCaxYjDW7qhkd1QOvaSsTd
I33SvXIFbp1Eh4uSbTnyHWI4tRMMwjR1wwUMiNw+gm7UJUEPPkE=
=dPVS
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20201027173747.GA1243%40mutt.


Re: [qubes-users] disposible vm shuts down after qvm-copy

2020-07-01 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dave C:
> When I start a dvm, for example right click a file and "view in disposable 
> vm", if I later open a terminal in that dvm and run "qvm-copy something", I 
> find that the qvm-copy succeeds but the disposible vm shuts down (or 
> crashes?) immediately.

If the crash happens when you're copying to the VM that originally
opened the DisposableVM, check your qubes-core-dom0-linux version in
dom0:

$ rpm -qi qubes-core-dom0-linux

Version 4.0.25 and later should fix that crash.

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAl78Xk5fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt9gAg/+OG/98aWszEeeyK7uBVpz7YGpgEX1w9i3zZHgrbF1vQbwzkJd4wIb3vd6
2UIgdO79cs71VfSxctElAM62rsmH0dENxOH1HaqNag9vTOFynftDbClm0hbRlt7i
osZoSd+hh+i7aME4psgPFEKohzAM3gic1kIoWZXJxIREnyO2rGCWLW0/wfpu6X7z
QaH0TcPoyb1MX9F/qQCSDAH1ubDzUKkHsz0R9GCRFC2TK/P7N3tkBeXIBaVm7gqT
1FO7tqx9l0EKlKp32Fwnj+WOS6VT/39MKg0ozXMTTS4apX+ot2h7afbgf/qjOXen
iHJf51xYCCuhiAyApPgVqzuHHRfz3smANrlg7JRDPlzcLbBqjGpjPM2Gcdcam2zP
0pSrMFgLNZlRLMAVzrTtZhuA+IP6SuwahRq4fqoo5OC3bDXHznENMy9sg/f/zHs/
2BsVPD40sEfYYnJ+UlDYqpmxoQeAzB3haimvKEv59JLXP8mkCeqg+rbMoXwCd/eW
hJx87eXvmORcQrjenbSVLxZNkvbdEuZ+M3RT6KENeBdPjlTOOlE5pOTPIwUxgEoh
S9NAqMs1XqumsYw/I3Y+AegLKQJRQip8ncgxPIGhpa8XBpr34M9cX3D5eWVEOadZ
73Fo2qp77+9U7TffRlZE0Oz27I0HSR4weSfdbT3KAcVCHaMvqY0=
=DLt5
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200701095838.GA1289%40mutt.


Re: [qubes-users] imagemagick in debian-minimal ?

2020-07-01 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

haaber:
> I discoverd with a little surprise that my 3 debian-minimal templates
> (used for firewall, usb, net) have imagemagick installed.

https://github.com/QubesOS/qubes-issues/issues/5009#issuecomment-489357218

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAl78XzZfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt9YuQ//ckMwSsrGE1GY7AJl9K632sKr09OY5yVIG6y9Uy1WXbVPAtAWfgUAL7Ff
vlY/zGKph7PG/YBHmkEV3aAAjXYC1gWLWCOSVee8eVwutUvk1I6r0tT94CmjHVBK
iyNM+p0TjxK3y+nkFFcvgZoxBynBG4NpVEBoea8It0+n6NV/JRoQA861v70G9lLt
O3/qIeMM/N3vkqKXQoS+rYDwVcH69/poF/22AFF8cEi3nV841rw9f385oxHO7nNy
QGirQFLYItCIao9AfAejCC+H2H1O1eHGuFn6rvAsukjB/g3pS4Caa5UY8GspGbSS
tm0G47kXXMGmetVXujfp0xWny1cKPLT9L1XiWw4yzOku2B8HHYiveAPtNPGeeknt
5ftO6c/dpFKQsbxF3l0QhYCCS0zMbr27DFc5Izz8O4NDlO6gA+qGHQYT3jjQ+ciF
Sq7ChBh2WWGKV4Ful0tgnFlf3YJlWHM/7XJXG12ngWcb3ESdDgMlQlby1jlgLk1S
vMT+NG0JEJjkD0xawKuMlsIARRn1a3BCY9eDgBnkuugFpy35/tNdZhJqfEYMf8Pw
tRvr2tNNcpMuJe4Rxffs1GFLqIzcYJX9cNzJrrUzKig3OnvhwNEryQfZ5Q3uTHKm
Qwl8ROQC8lbh+67KWJHWNBGcNUm3r0kXVZ2dQObgtBrPcjKtG4Y=
=Kc8b
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200701100230.GB1289%40mutt.


Re: [qubes-users] How to find which AppVM launched particular DispVM?

2020-05-15 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Martin Habovštiak:
> I'd love to query from command line which AppVM called an RPC (`qvm-run 
> --dispvm`) that caused particular dispvm (of which I have the name) to 
> start.

It's brittle but this seems to work alright in R4.0:

$ pgrep -af "^/usr/lib/qubes/qrexec-client -d disp1234 " | sed 's/.* //'

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAl6+gepfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt8Ibw//TGog058CMjnnX2h/oWY7bTpfZmupgnqk9TioM5FO5QrSGGzVJCC+7cE5
aCuAXj/KXL0EmCvFyj/jtU5xRb+TVh+tIf4iLEgBzqzozz1OnFn5Pq0yBcZblKT6
I0pDsu0pspjRcgYIDULjG8+Q5i6acMxUiNCyhwQ0I50b/14JEIf1PccMKAQ1wQnB
GhLO2yXq9JsihlrpLkFqbdAG/7E2QA0GEbWLaOW3kbEGFttKTVRG3hJ6mFkvmi3o
BiXIsnerU7TXwpq/GRJeES1wmpRDNZkh7E2K6c3BD8u6xs5CpOP0zTaRdkdWojS6
SaRATNIXqvzUmOqU4CtAkKh4cxy5UxoKODl0t6E5Te2Kgfl1iTsq2LPG5Ayl56Ov
ldGzLmBQnWZtjZp4//+uFGIlbUseJbP5mneaz6YEBCvy7EvlWiLpSJR7l/84/s9h
8oOrKQJbzbXrRQDK6mOZCxtsRuxNh399r7ozNQ0nVOlV9zF+50qpaRESesKamhaX
5PruW8qd+tF3zp04aJN0RtZsb3oLDkRVapDbY8Ta5u+GkyGJZsFSexkkMxoAawBe
8hrvhW9SRPzbJq8qzkwu9qUWJ3xgSENpuMSMMlU4vCtbXgsFX1e1MxD2pz7LSbhZ
cBVMZqyNNJilEYFqwiZERMat8toLd+zl9GgYGK8kGHekC9HQdNI=
=9Tzu
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200515115002.GA1384%40mutt.


Re: [qubes-users] programs run on different qubes freeze

2020-01-23 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

roger paranoia:
> A couple of days ago I started to experience a problem on chromium browsers
> run on any qubes that I have. They freeze for 2 to 5 seconds when I stress
> the browser a bit (using it a bit faster).

Sounds like https://github.com/QubesOS/qubes-issues/issues/5530

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAl4pg79fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt/YlQ/+OVeLdr/amUF6sn0IJq7J/K9xB7RwbmvrQ/+YshFSSF9o1wKT7P9lUY3W
nfW4YDOmjjb6hSEdr/OkITCpM22YzpITrIDAupKgQJm43w+IZ5Yq+/l2tm41AqT0
f4s4zZlM5qvYyMdEDybkrxL6SMkSeeHDqL1CZFZ0HYLQ6NRq3zh4ADpQfNFBMCM0
BLnN1msbjz/O33IS8/Flc0YWbYrToOh8TQlSYGEz9UQRhm1n1IekaTE4Kv0Kfut4
R6L/8Xbrz7LDvSuwVjLFKIOnRcKWf0XNnKTYDCk8Kb9/uIGG6zTKqmcQAnx51eU/
kHquCD268KibRvuGOJ71WZWVltI1y+TXsm5isU1b99kYGuJR11XkZXzIFyl4q3wI
Mp2XpwqDefShxWiwnu2b071mX4o6Jbd6xRTQYvjUN59vlfAegBfmk4F3SoZxZAhG
8TPmIKOAyOVVKZQeiNk43ki8rKRcEmWmZqRK1bie8Y9wVHvQOznjciTOF0A4ztms
C9LZNLX/sZhWIutkEtHYWLylXloQDGq0WQKO7jpZXKWcTS0ryB5UavfyZih0qM+/
IoYiSr/W/KJH/sw/ZyJkkdMXN+UgluDz3v6vB6TcShQnL8UO3OePRHdzd8kv/eiO
/Q0+YSQckwJTg/vosQsFbNFngRY7RIGnGY4V3h9CirLRs0EIbWo=
=L/1V
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200123113007.GA2021%40mutt.


Re: [qubes-users] Per-VM stream isolation in Whonix

2019-09-30 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

tetrahedra:
> Naturally I want Alice to appear to be using a different IP address than
> Bob, else the two identities are linked.
> 
> Right now it appears this is not necessarily the case -- the network
> traffic of AppVMs A and B may end up using the same Tor circuits (and
> exit nodes).

The circuits should be isolated out of the box, but it's normal and
good that two different circuits will sometimes happen to use the same
exit.

It would in fact hurt your anonymity if that *wasn't* the case,
because then the destination services could (over time) correlate two
supposedly isolated workloads purely from the observation that they
mysteriously, against all odds, never ever come from the same exit IP
address. Which would be expected to happen occasionally if they were
really from two different people using Tor on different computers...

OTOH, if you're often connecting to related services using e.g.
different pseudonyms at the same time, that alone will correlate the
workloads: It would be unlikely for different people to be so in sync
with their usage patterns, no matter if their network connections are
perfectly anonymous.

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAl2ShoNfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt83ShAAgp1UcL/nZ044i+tSiCwWdNkaDFS6/PS7smHTfkb22Kjf18JHYf/dev/c
Wmg99psE0tmmVfz75jBBTbg5m7aOtZ23uWBVrHCkUAnVmyBw40o7nBzbrAhTxaSW
Wres8WsmeFoialvZxuD6Ssgqce62kz7/uE0dCpUkqUYrJ0Wo4nOX8TbXOvLRohsn
ZOR82gpydIlc63NYiEi1JdxetNC8MyiJUNjhlO9WMZ/IQAhnOBZWuIQugUj/l6mK
zoaIiw1rxcmmnUAKQpTHdWD8h9n4yI1kT9ZV3K81IglojkGUtt+p1PnnvJP6eHZc
2JpKh9gaYotKiCOQdQWIX6dVNRrltRoxhuTE0VKbHgQhq/fCfSumtwcfhip7JE3K
9rGFMK1SkZCFoTMR1Kq6S1jUqgOYDwmwv4eM4uWbaVAojavBLkX8LGGzd/X2Li2k
Lw/Bnsw8AoasD9BMZIQCY2SQn9fz3+9oaRTk2X+0uOKdVH0BjOast40KLXdiYrVN
cpExO3hidj2b9vmpYlwOuXIXwWoMRnJkhd8nRlWOzYo9oPey6MoUxyy1+49W7NYV
nQFwLJqD0DpGrX3c2Z0CX9BU4ck5ds/fvMkLAuEYMkA5vtW4giQXfnELAwKFO2Pe
Gk1LJEftBgOXPENMlPUOLORy371zhxwz1oOBe8w6qifT53seFG0=
=Ns/M
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190930224940.GA1208%40mutt.


Re: [qubes-users] Some problems with 4.0.2-rc1

2019-08-25 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

donoban:
> On 8/25/19 5:58 PM, Rusty Bird wrote:> Here are some screenshots of how to
> get automatic btrfs partitioning:
> > https://openqa.qubes-os.org/tests/3240 ("install_partitioning_btrfs"
> > is the relevant section.)
> 
> Thanks Rusty, after checking the installation again and the test log I think
> that my problem was the "Click here to create them automatically" failed
> because my hard disk was already portioned and has no enough free space so I
> ended using fully manual procedure, I am not sure if I deleted my luks
> partition from there or I switched to a console and used cfdisk.  The
> "automatically" button failed so many times that when I achieve to free
> space I didn't try it again. I think that I also tried with "I would like to
> make additional space...", ouch I tested everything except the right path :)
> 
> The problem is that getting there with a non empty hard disk can be pretty
> confusing

Definitely. Partitioning is my least favorite part of Anaconda (the
installer used by Fedora and hence Qubes).

> Maybe some dialog saying "This hard disk already contains partitions, do you
> want to create an empty partition table?"

If you have the time and inclination, you might want to submit this
suggestion to the Anaconda bug tracker - after verifying that the
latest Fedora installer has the same defect, which is their bug
submission policy IIRC.

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAl1i3HRfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt9PiRAAi4mTK4hxPe3QXISZa8ru8PqXmFZcG7sCOToDzCQOIBq0g4w8k90gYZt0
A0TbX9rvmOrtAIET+v5lEX2CS4zD5R3i8+ignxSQOexiPXTHDRvVAbkcFmKvK5Nz
BSe2kSAdsDmiW6QLPNi/Ds8l8P6cKaBLFX2BnafXw8Bn5d0Hqi1RffPHm+qcVQ3L
0rU3iGr7OVGlRBgpNg3xnwy2v6CNOM86B8kKAotm030R88gMgvRmGO27VpvaUGB6
68xrr7QtEEzs0koae+RfkQEj3caU/Avn52AS8Vhzyruop3rwQCYOtzbEeBg3Mon8
eK9HI+Y8V8Whz83M4C9b2SKM+eDuuuDDeQiySWCUibamg10DEdY4Hk7HfYg9Lnp3
M9bg5J9An0oCw1h/Tina5WXjBD8HQHtkUUWg/PIwJx2dU4CWqO6IuuO3mBCaFHGi
PGnNOL0Ehyi9t58gSmSh5nuNmhGFMVmo5o9BdQQ4bDXn3Z7xMZM19lxeCJZBcnn3
3OIwZEPwgK26J/DXhkcKbdTY0Iv2IGdfcBCD2PKmL2bOx/sLk7cNmu5Q8TWkZ5qf
VVmUW2xNuTOr4C8hGlf+QStae7Ozfm257B94ItmarRj0UVbKM/KMehauqc292qhM
62KyVwSxm48zLjlXHaP+XwAIiqYIQj2kddl7Mp8+bSvaaoqeHho=
=1p8t
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190825190732.GA1900%40mutt.


Re: [qubes-users] Some problems with 4.0.2-rc1

2019-08-25 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

donoban:
> On 8/25/19 4:22 PM, Rusty Bird wrote:
> > donoban:
> > > 2) Btrfs installation seems too hard. After some tries I did an unbootable
> > > installation.
> > 
> > Did you create the btrfs partitions manually or did you use the
> > installer partitioning screen's "Click here to create them
> > automatically" button?
> 
> I tried to do it automatically but it did not let me to select 'btrfs'
> option, so I was force to try with manual setup. [...]
>
> I will boot again with the installer media and check if there is a 'btrfs'
> option.

Here are some screenshots of how to get automatic btrfs partitioning:
https://openqa.qubes-os.org/tests/3240 ("install_partitioning_btrfs"
is the relevant section.)

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAl1isCRfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt+Txg//cMs696rDKd4airU88YHmqXrhp1sElngeyttOSxf97DjHvF5x+rUj5zGq
AQvad8HccP/JwZwGv3iRfsgumtvI8KUet5UomwSDyMcSPbIFRYcNUGhhxcVudR5V
simzZRrj4oX5KvsRPRZI0ANaloIGQhjWCKfo+hvplXine2MzzAq/9NHYQmXAWalm
lROGki0m/eIRrgK55ywbE//01ysl0USLadx4V9ZK1rYXn6sjEIvIbuyyYmDSagtv
X6ScUSiBznLhot6bkhBQCYfQRngkje62T+KMA3oKeoyP8M7ra1Hlyrq4YVHgSUdv
ScxpsMxs6zLzjWzWXifU2BvXjj2fSZwUdDQaxD+a8XMHw81nPJVIGqdPCZSxjCCy
V9m7SF4A3kvCmTa41La0KQk8/PyCyoV1rkKgyD1qoz9RNv11w5SA1rNjwrhGU56e
MQhCVq9nix3UchQ4R+EcdK0XbR8PqW+YclC2CoRSANizZPx9gmTrOOog8+vgc2VV
e5ZXIdnAV0S8did1bJaDVTYDMB4L8QMkSdDFBGQ5NmyRR5xmeORZH8ZfjfDvx8LD
v86S8DiRb3i/yeXatC/jeVO9aVbZEMCebohofQEL/nMtE+b/bLEMzAqZK3rVei7W
rjhqsZqJtpOg0f/JWSB5MdD8uqlJ4+wm0ijXgHrvZxC2jkV1kiM=
=L+aL
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190825155828.GB1611%40mutt.


Re: [qubes-users] Some problems with 4.0.2-rc1

2019-08-25 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

donoban:
> 2) Btrfs installation seems too hard. After some tries I did an unbootable
> installation.

Did you create the btrfs partitions manually or did you use the
installer partitioning screen's "Click here to create them
automatically" button? The latter should work and I'd be very
interested if it somehow broke your system.

OTOH, manual btrfs partitioning in the installer was horrible last
time I tried.

Rusty
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEhLWbz8YrEp/hsG0ERp149HqvKt8FAl1imZhfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDg0
QjU5QkNGQzYyQjEyOUZFMUIwNkQwNDQ2OUQ3OEY0N0FBRjJBREYACgkQRp149Hqv
Kt9aCA//UIJTG9AHdtXljzTsbP1DG9+yscjeOZwCb0TjmcjqfL+LYef9duTtmViV
ll91cwqjwMxSWfHAxA6D9iy8ho+iEYAIBhWoXBcVgo3Od0Ttxbpywf9lBS5lqq3e
c41HDSIknlGeHEtQaIXEY/jFB8CJooZOJqhDuf5C244hLUnkoGpTfRpSPGQnRNxR
GayK6S7UFl0kLptdn5Rd8NG6CieFI4P00Tq4Wymx6Jb/ADDTvdQ/EaY/EalHIixK
Gj/mMgHTRjGo8g32TX/Y5Z5ZSJ4wRhVYfePBurbj0f8UasZETRNuUsNw+NPXihJx
W+OqhSB7OP2f24Ox1bGIoWu4diqy02Hn+c3cCuYSdf70aaSE7gvAAYdpyfbnM1mc
qAxdYt9UnxVtOd797FOSLiREHUVkSXY9TLbAdQervdUPyvkecLJg+/oSEQkqyOGc
AHImDyjAY/m2G0Y+jeqhbL0V19b7M/o3atDWwKD3WpLcGEueQrcV6BRWx+UY3mk4
Txw7lbTxbpFdrrTapwYBixNL71EjNRHdY7DeC7stZ2xP5JaCpVz6Z1lo+/dZoLpl
ZTgPXL7C8CdYpP2jK6ly0emREtxWbxPnVgiygVMwzuCvV4U098F12ulhu65+HyPS
wKqA5tTXue5fWkGemqmAXvddnmohnGNYKSsE7RiozKuOmP1URic=
=P8fn
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190825142216.GA1611%40mutt.


Re: [qubes-users] Re: Dom0 (System tools) shortcuts suddenly disappeared

2018-09-25 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Patrick:
> Hello, on my 4.0 platform somehow I'm now missing the "Display"
> shortcut. I'm thinking I may have accidentally dragged it into the
> desktop and then deleted it. I found this thread and tried a couple
> things but still not there.
> 
> How can I at least manually run a command to launch the display,
> just to see if it's all there,

$ xfce4-display-settings

> and then how to reinstall the shortcut?

$ sudo qubes-dom0-update --action=reinstall xfce4-settings

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJbqfj0XxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfHgEP/iRzIF+KNXd5SxK7vPa1ZCIz
6M6QnajTr7kOIgAtTqNnO0u2VBpIu/y63/e8D1j98kYP0p0Qt09Rl9YombqXeuc1
YYGQOqTVTDQw1ijGdH6ThojIbIdYXCQ6kv/+zoUa0lgUpSycbNkadNkhApnSJVu8
RCsDpUliBAemIqly6Qp1mdcCUMyCHi8UDVEZHw3HmTwXzJHIkKMCsRmCucRzYf/g
WOisQjCpDPFacevqVdmNmwZR4F89DoboECheq84YjIZ9PDgRvC0pssrw0WZTDi+9
bff6zx43VG8BX2ocTQSeNPVS5du8g9HDWae7ArD0w7sd0shh2EhdZLD+VAtpiEzb
+pwgDaCf17x5fNaZA/hCJnZHp8Fzipcko79mTxYZobtVz6ERVDizhfAi80Kz5bSf
tVCPBTZRAxE5EwDEKGevT6msAfusTDor5m91Hwu1Kwnaq/Q1vNmSH/zNhh8w0n5p
fELVv/12WzsjBaR2/czfyfbQKFVpCaibjFBkJC0ldjxfA1dxDiX6X9oc7ksClEtd
cwEm5p6WvfLNJY57WG+Xvx1C7u2BJtxesZPJrCenBQ6YLQ6enxVy7hSkzMO7jSyJ
FVgxAGM9JP3X9WguQqm8a31+dB9v7fnZ1MMfjdHAtxiw0MjSgjJrpn1mUDj6p2ez
GbLEP92eMuJNwrpf7Swk
=eBa8
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180925085932.GA1978%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Symlinks for "some" AppMVs to other partition in Qubes 4.x?

2018-09-17 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Teqleez Motley:
> I want to store only some AppVMs (and some custom TemplateVMs) on a
> different ext4 partition.

See , with the
exception that if you want to store your VMs in files on ext4, you'd
use the 'file' storage driver instead of 'lvm_thin':

$ qvm-pool --add  file -o dir_path=/mnt/your-partition/subdir

But note that 'file' is not in the best state. It has the fewest
features (online TRIM/discard unsupported; doesn't show which VMs
should be restarted to pick up template upgrades; can store only one
revision and can't revert to it) and yet the most complex code. So
consider just adding a regular 'lvm_thin' pool, like on the webpage.

Another, more bleeding-edge alternative - if you can set up your
partition as btrfs rather than ext4 - would be the 'file-reflink'
driver. In my biased opinion (having written it) it's solid. Though
you may want to wait for the qubes-core-dom0-4.0.30 package, which
will presumably include lots of recent improvements and a safety
check* before 'qvm-volume revert'.

Rusty


* 'qvm-volume revert' on a 'file-reflink' volume of a running or not
  cleanly stopped VM used to essentially throw away the revision.
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJbn4hWXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfKU0QAJGutU6eXem66oOwgWIh1Zef
IRcS7+AEXKgQBVMibVqepFWn0jMxy1AQd9RS4zrtrGb1phDmgmJMqhTBHqdYqkHU
6pgN+jMfif/4zPzLCaIpUNQLpIUKQQe7RK85JF6OUsyy8QVERslCnfY2hKOdHm/r
9iCjG33C/bGb1K+sefU0s5AqXZrc7nsBg5rpIpfpZMnsZAsMPONv92maqPa4xmHt
8VkYRYQ6ujhgOHyggp+vbFhpH6778qoROdcrCCWuE7GLYAJfv4I6jTuYoul8CTCC
3yvkKz9lL3Jd3mUyl3ChwZftn8dtwSm/wC5iR0+ceN2xj1AyGIawW8u7uxeEo1ll
3WsObi9tg1AOJNPtEbXgEbbzSgbnLP6vw42BPn6rQVZOj9j+hm3M86Z+Q66rQI1Y
0zgYtFNijUHBlWe4M5c222vyOjtkCRivVug2B6yhOLsb+MrAau4nlIssZYbO2UHm
jRmTkSntdGjNAdaymxFN63i9rM4IYmbIdJG0U0LP+gWu7qfcLeuzKQX4rzVQcCq1
39QqK6heKe/OgZyW68N0TXkoXsCLGExgOxi/WIgdmTxiOKTeTyupniZe6aw8Qx2L
r2piIf4q6wyTKarbXGgOWpuU6R2K82iWVj3RADzwlo/1nQxWwkjfDdfHA6TbHHws
8xVBNGRxTpCE/PXv7DNU
=n5Mm
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180917105622.GA1649%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] systemd replacement for dom0

2018-09-03 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Marcus Linsner:
> I'm mainly asking because I fail to make certain services stop in a
> certain order at reboot/shutdown. Hmm, maybe I should focus on
> starting them in a certain order? then maybe shutdown will do it in
> reverse order [...]

Yes, that's how systemd does it. See Before= and After= in the
systemd.unit manpage.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJbjRxlXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfMA8QAIHtHBR3n/TfayCr6Oosrn1W
wKA7x5jWBPTKh40K0H3OPipfWhAoHSy+8Og6jL+sW8k3G3MumVkz4ee9dcz3uT/e
sidKEFxYO9z7rBRlcKNkvnT2WfA1WEyimSV6A2sjtE4GZT8N9oDtcogb2vdn/I0X
lPxJ2/xlN8mkhpe2VMfcpA0lcuvZ7UNfh1i2wiL1BeJKUZHFOwuQJSAFMg9JcZKz
IzJPQoH2WhsFHJ2zggRSgsRSvE38MI9gOsyQ/ola2BDZpoHf8HsW6F16yVkfZtmq
QSqTv1z91aAEqccxJp8zWr022XhHwYKdTOlI48fPiaCddgV/dJbi2dgrsUv46qb7
y+zU9qTb9b95A/n4eadKKeQWq0DEvM4DTX690TX5eVMKIxc2WeqummLxICGAgsYH
lHEnyLJGaR9F8fhAI2Tf/uMStAFoOdgbyjqyzWtdfn7S6LIM5Gjcu7bC0wT1W42l
VNGHJd3T20w2Xnb2H2dJ0fbSVLxBG4ef01xQyH6SFxArlmuttUyZrJZ3v3fKnyPz
ia5qMky7sQWEuo3VT61nSiMg52cQq6iDWHzl5llyaqXZsyJWrcIB2E6xGvaNVQDa
F7SdyhR38Khy/H0J4S0kL11rjgjp+Ff4Jrzl1g+PPT55Y43MfNturiePO5nVndFd
Ro+lUw0hr97WC4I660Po
=9moi
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180903113501.GA946%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] sys-net turning on itself

2018-08-27 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Daniil Travnikov:
> I turned off auto-start of sys-net when laptop starting, and all is
> ok with this moment.
> 
> But if my laptop will be turned on some while and I will be just in
> Qubes Manager with turned off all of the VM's, after some time I
> will see like how sys-net turning on itself.

https://github.com/QubesOS/qubes-issues/issues/3588

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJbhFdiXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf4DcQAJnpRf+2cZMol0UwEDXvW4vC
h3t5EswK5FdoZZUdOpziOmHoYDur420xgLU0IsBvBnhcNowgOAcrSRFkl3bWK6pV
eboR6sX0w540cMcA5KCtErbtVzRqtkY1pIvvjgyAUriv62QLfRdgXkVksGe2xyHf
RKo24TGA+ashP5TeUPRPHX/E/mW5QopcDsak650f33fULfjtFHnUnSohGZ8p6AXB
aM/HVpWbWor2Ki6OAEdd8xSJilPQ7VuOPbn3mu1F8kIgbS9gBLuvHTkXp3f8Sm7+
oMutcIYg5N/0gEA/z0lzHOayrxcacm0xmFO8hfV67lJT2KJTul/MVgZLpFDwztRd
d1RrntO8zQaoeCR5c6y2XHzzeHIhvqW1E/CyLzWohXn4NJgItQzQN/QfGTHlXU7W
nlQn4B2zXUkdj/MUk5kf7gx8ZFJvj04jTJouPv1R9+wO01bwS6S4z8zEZ7xaS0TD
GGspMQ+c4vsBEYsBChKP66I6TObIJNcuK3n6Mdll+oTaC6fzOFHSO5P9RI1E+/+E
1OdGdwrwLBMRT/y+IHslhISLbnYnR0ejTZcTTEeTMkoZNInUt86v3BbqDL/FCNhZ
wrVGU4Q9IKQZ+xa1ZEVGmHLBErvn5kkQy82uatL0NBirhl1UZtgK9fmjHceap1pB
Lo6elHTOaY5JPTfx3Jbl
=ML/t
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180827195618.GA1092%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Is Qubes vulnerable to CVE-2018-3620?

2018-08-26 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Rusty Bird:
> To me as a layman, it looks like Qubes is indeed vulnerable to the
> XSA-273 data leak, and that fixing it involves
> 
> 1. disabling hyperthreading (by adding smt=off to the Xen command line)
> 2. AND upgrading Intel microcode to 20180807
> 3. AND upgrading Xen

https://groups.google.com/d/msg/qubes-users/v5UPnWmnzJY/WG9lmyxYAgAJ

=> There's no point in manually adding the smt=off parameter - Qubes'
latest Xen 4.8.4-1 package doesn't support it yet, and I imagine the
next package version is going to add it automatically.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJbgqGUXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf0bwP/iGQCNSorNefwhFSldoqvjJa
fSz1oZoqU81ESpqxMvylTGT+Q0odjG01PQpQ+y14+EZZgkgbM3NIbIUcTLYX4HIf
3cjcsqmyp17YbM0pqCeG3DuTQFo1IJZh22pqUt+6q7Y3G4hSYNlW1jvy76n9c9Ae
h0tW9gQb3EpTxzQGaryKswq+NyXKR1D0mUIErKTdLSk8KzROIhCLE8pQWbKFX5/t
8M5xZ8+VTw1aGF4v+LS8Oxjhl2R1PkMc0Qi7IKgZhTFE+RqQOkMJK75Emv7U5eFK
oEEx7sWVy7nh3beKaaZUBThCZU0iLZRuvODp64eUkSqJYCHvtABzvHyhMBT++4l/
n3bBJ+/dMRpe846FZuzdqxb0AbbBwGCeCRCk7SXZRnNIEDavJhW/x1Tr13oGIkan
mNLiA2uaeQY1mOOVXyiK4zfYblDl0xtCEa2zPFvFya/iWC0nDSntuzT6zMxZuq8i
ywFDxax22XezSA0m2RwE/5M1I/8dx92yUcscCvpW5HU/WsEccRubo95kcMg5l9U6
cH7G6nZLAxSCek4SobvW9yp1CjbuVNmSFR2GPGRKpoe67sEvTRbxP4Mmhxd+D1c6
AKMKiK1vg5/pV3pioeICI97FYvYu/sTynX5uMq4PKv6LgUae+EPKWaut0Qdkz3xK
YdGbUkoqLk/l92E+M43l
=zaWC
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180826124820.GA1008%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] XSA-273 - Impact on Qubes?

2018-08-26 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Ivan Mitev:
> On 08/26/2018 12:50 AM, Rusty Bird wrote:
> > Rob Fisher:
> >> what are the best options for a Qubes user right now?
> > 
> > - - Add smt=off as a Xen boot parameter (which disables hyperthreading)
> 
> smt=off doesn't seem to work though:
> 
> $ xl dmesg | grep smt
> (XEN) Command line: [...] smt=off
> 
> $ xl info | grep thread
> threads_per_core : 2

Shit, you're right! Xen commit f049cd67a99bcf773aa4fceeedd5d1de17b2a8eb
("x86: command line option to avoid use of secondary hyper-threads")
was added to the 4.8 branches a few days _after_ the 4.8.4 release.
I should have checked better...

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJbgpwfXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfgqsP/1xUuJNoRlbB1w9TAOL08Ei4
3Md4lfJ+uxbgPorrEw1Z9dyq1VX9o/u/zapZjziEYBCSSSp7PSr8iECJ66TJlZXV
+tS30QAI4u/t6sf6wX7KPXVEaWE2FmlU7o/ID/mCaXPTUtTxDZewe3Q35kcKrNcp
+pnGxOEM/DV3EQ6noYvK30sOWUxLwBG9XH/DzUCLVTUn0gjPAiEMgna39US4e9Cu
YB5EK+cvSwnCBc3xawcLRHfMV3XnjVw2R3zN8VjHrm0xmbqUT9kXBjxBUX9xnd1v
zrnlHsO8frZ1mx4F8GomdoYSK2qrnJjkYuvuwJGZexqBGu/N3G5FkWqSbRj0a1mj
DN/i5PeQNQ+qnh42tpKjAbZBr2Zyb0kZGhZl30XTZJNfdlxdoShFUoIRExE6EwiT
7JCAcfxoF32YylsTLeklRNK/OODB6ihPkVeds/DNencM/ALINdJOYnSnHv1EsSl1
JcLAZ2vHHAhAn39kimHIQchPTMU+sBB/g3LSlHHZovXmduRhQw8TsW2BD0rF38G8
84iLAeJ8AIHQUFl5cWxDYFJGbizczfSzymPF9bVaWFVreJXqdFAYkP4sIku05OYE
qP6P+u05dxN2eH/xaKAXgHV8LiRWtcEP+Vrj7kXphJG6MtmpqTPWcNMgtjP9sxsa
miFJi6nxt0dqqX9SFvqa
=39ak
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180826122503.GA966%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] XSA-273 - Impact on Qubes?

2018-08-25 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

'awokd' via qubes-users:
> > Rob Fisher:
> >> what are the best options for a Qubes user right now?
^
> Get Qubes running on non-x86 architectures less prone to
> vulnerabilities!

Don't hold your breath ;)

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJbgdhiXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfHXsP/Avjd7ZuwBIx1wDg90aoq6xE
lNHxEMhly2z8KXfNzLOg/H+3yF7gg+DeKo9wU0gAKm2O1grxt9TWgvju3Wje1Wdu
gvEIo6Ew/oK/UFl5oQLFR/5F+zCjMaB7SAqf1hKZsJhLm82PrF8kXtwm1+y/CZTE
IB7ci8x0lB+2p0571uMuu1HMgTTHn+e/UfKbANbHrgBClYgsBgasZD6wy99gOKOY
f4pcSfd3wQ3lmg5D8U44Pg5NMnGHFnhsu1prqbrsYFSwzLxkhWD6mODvYZ2G8BbM
+F/49iIafiGrhOrLGF+M/jnH/rIYT48IZEM90IFoS55WbeFZdvjID7inqFBDUbc2
EyyxuPUXku80NTuVlJP9t4/tinH7K+IfK5VV9F3jjU4tMO8kgdKJ+LMDkLGaKUoW
Qy22Lm2EWDNXBFMopxwcHeIp19RbIYKEcjMrknI6XT2LPt4Dfg/Ibd8F5k95/SC4
LFAxA4BJJXyJQdaIdit2t//38h0N7irmP6bDpihNjW0zVgAZwUNd/u1gwtLYS5z4
RHwfIdHnHv1ZG9mV3noMiVJLDgml0RTkuyCz+dEmYe6X5MhChdsmDqcLm2/xC5cW
lOwULl6dFbYVudOfi0yJnrXHSSDGINLYweSBJEuMC4nSfmab5vKr4Qvk3arJIw1i
ebXtbANVEiih6ZkBuW2a
=H494
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180825222954.GA1510%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] XSA-273 - Impact on Qubes?

2018-08-25 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Rob Fisher:
> I'm wondering when we can expect information on the impact of XSA-273 (1) on
> Qubes R4?

I'd guess early next month:
https://groups.google.com/d/msg/qubes-users/Isn_hko7tQs/PcqIuUleEQAJ

> what are the best options for a Qubes user right now?

- - Add smt=off as a Xen boot parameter (which disables hyperthreading)
  to make the attack harder?
- - If you're worried that some VM might want to steal data from another,
  try not to run both at the same time
- - Hole up, have a nice cup of offline and wait for all this to blow over

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJbgc8qXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfr38P/1KtCRK5qEvTcCTVLVbwYZHj
k63iIhA6n7wzRaV8oaOq7YrRzFryNoikeU2eqYe+T6Rwuw3hBE842pN+rABTJ7BS
Lb9UdUaC14y481Ad0uMxR4MvE+zKx6Ok4XuHTEwpZXDPw5URqNLNwp0+3ll1MXj2
lkRFqb9/IuwdR491YpQQAfjkD/EfHkMvd+TJAGowkUOBFno9605x8fLYRCMw0ZTL
U0c0amlRSeM57bhqPR0fMtc3rfFT/w+wZS1QHoq881qXfx9E29HjjOnTI3E1EN0I
MRbh222HsjScvl2O7OPbDUzIQW6uC/rZPYKrekMNYfK0c+sfUCehLE/RUNp3qdUf
8dEpVL5uBFIL4wBSN4g9GIFa2wmHvnrJ90v7U7pJ61iWoA1vaKEARlECZU7u3+EH
rOXSdb0+o7RtOItY/Lb8e/qfZxfScvvCb2n7dz1fqFFB2dXd7pIixMT7cERPbvsR
AGiqs6hkmHKKuw38xeKhhl5yVQQhIa77WgAVVHQ0mXu0sqGOWPLA30kwp4Tioqvh
HgKl9OtEUlVfYDj9HOuRdKM7Ns8rxLyDuYd6ENDgkMIC8QCEmE6blmnkJybR2mBo
knEQ0vgRQ++R8eG0b+3u7a97Up94D6FhDGA5b042a0wOGgBEG7e9/sefwCOskXGL
pnSyzaTOZPeHlStNxxhf
=bImI
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180825215034.GA1241%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Proxy VM option missing upon creating a new VM !

2018-08-25 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

odindva0...@gmail.com:
> I am using version R 4.O and recently decided to set up a new Vpn connection .
> But when I try to select the type is only giving me AppVM and
> Standalone option so obviously I can't move forward . I am attaching
> picture of it so you can see it youself :
> https://imgur.com/a/xTmpUDX .

Tick the "provides network" box, that's the R4.0 equivalent to ProxyVM
in older Qubes versions.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJbgZ8sXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfaqwP/RLtbBETqXUmN+euKfYuJq8+
pSuEOJ5K3fu3IJKdXxpmNpPQwgX8gnmWJiTP2KZZQWLGZhvh9yVplEVRzrekXFwu
jnqnhEaHMCdoeuzya3hz/Rc1Wn5dn/9lRqDyaJ86pQskHRoZwT3nV7rfCo71esAG
dFH5YNsXycnl+sap+N3oloG100b8ZwD6qc7mjwbYs3xH/tJTjtCkOF8i86OYYt8H
Tg1Z4UIyWP21cvbacY/7hcVnGSZ9HLXPCz33zv1pLL1UhOimKXuMzsbXlIEZPVcQ
ZUW9z5zC4r5hmDMy0DU8HqHqsYBVzeYUWwMEOyQSMTrxpDOJfWfxiZz+BUDPhcfW
PsfMMKknwR07e+d37dnbVu3qPDVRcjaQ4i5f1uoTu8HJzI+4XAuofgOvolKtR5p0
EkrkkSl8fBDMANlVDTtEY/eTkquq5sy3q/ga0fbW35OvuMpO9kNC5cqzxetYxe1j
smHJYNyvfcf2B23Sn1sswSSAajPIzRHjkxnRfAWLGZsY4q+3eWh87YIU0GT73tkq
ubYtJ3vXznLbpBdjtH95/5sCUXN3D8S+/d3lxydP5hpRmVVi5TicWFI/iEPKRcsQ
jvz1ZeI+ZCLGMPIQk8lwt2LLyG3EhQxq8/Pths0HJi9F2ul3DDU0fo4/ilGRI3Rj
ETnUfqXw1xpxaT5RPB+G
=Ki9u
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180825182548.GA1101%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How to use the raw vchan library - no Qrexec

2018-08-19 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

nicholas roveda:
> I want to experiment a bit with the vchan library and develop a
> program that make unprivileged VMs communicate without using the
> network and without Qrexec or any Qubes specific framework.

I'd imagine this is supposed to be forbidden (because it would be a
_high-bandwidth_ communication channel between VMs that may not be
intended by the admin to communicate with each other), but I don't
know if it actually is and how.

If only there were qrexec/vchan/grantref Wireshark dissectors. Come to
think of it, that sounds like a splendid GSoC project...

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJbeckCXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfx80P/A97qaUsMLQLgdufudeHabm9
+a9YXKdHk8ho9u1ocOSpnsyJkl5GimPBFOsWcEIke9pTm7hDq/7gQhjV12Woczyl
7xrZYZBiPgc0yV+4+BhEuCPyLp2JBhf37KyS0mfjdClfc4AArjZwv3kSKwZdKx5T
o6CU0DrLl1WyKn+385yLU8ldE+xyrGzAmznCZvSK8bE3YEXKfW5PnfrftYTMOqWD
FOk9QE6Bd9CadkzH+FT4RK0AMA/0xFbJRS2eQXC3MXQuT+lua54OTxCqpX4WKl9z
+BEG3XtWQCC7H+j83xjNnZtnCypC69EV8B+QSm4wf8HNzuw+MfUf9eYj6LZxeCtW
ZcB1bSqkgg4YhfTHmc0SL/7MtiBrzGvg1x4k2uI5kqsLtpixgwEhkLSfDa948LZN
qelBynIOopokVCNwhTKFWHGilY0x2erAdxMtJH93uN56wwB3+oJw/0r0oCWegU2E
XmMXNDbU87ywKqjD5cMS/oChIo788QTzNy35v8kfkzjEriZe81eXw95WDYLK6I0u
9QD/PpYsQcaOfyCulfFBoPw/XNvARlautLUXAxcMod2nppG4OvrXaIaic8lxWd30
dCNlYnDaB9+vhCIBveQqOyWx/XWUyk6RzJFpqvySEHj348ZaC2Ke4WLIjH690mi7
ek2sk851gNFKZyrzNn/1
=X/fq
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180819194610.GA1540%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Questions about non-standard services & selective start

2018-08-19 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

trueriver:
> Chris L recently showed me how to touch files in a VM to enable a
> standard service to start, in that case NetworkManager
> 
> https://groups.google.com/forum/#!topic/qubes-users/0_LUn4ha8Jg
> 
> I now want to do something similar with MySQL. I want to install it
> in a template, but have it actually start in only one of the AppVMs
> based on that.
> 
> Exactly what do I need to do in the template to activate the
> "conditionality" of the service start?

Assuming that you want conditional mysql.service startup, you can
create /etc/systemd/system/mysql.service.d/ in the template and save
some .conf file there (e.g. condition.conf) containing:

[Unit]
ConditionPathExists=/var/run/qubes-service/mysql
After=qubes-sysinit.service

Then run 'systemctl enable mysql.service' in the template, shut it
down, and enable the mysql Qubes service (in the Services tab of Qube
Settings for the VM, or by running 'qvm-service --enable thevm mysql'
in a dom0 terminal).

> Secondly, nothing ever shows up in the Qubes Settings tab for
> Services. It looks like it is designed to cover exactly this case,
> but there is never anything there to display or to enable with the
> big friendly green plus sign.
> 
> Is this a bug in Qubes, or a bug in my understanding?

You have to enter it manually. Qubes services don't necessarily relate
to systemd services unless there's some configuration like the above,
e.g. [/usr]/lib/systemd/system/NetworkManager.service.d/30_qubes.conf
which is shipped in Qubes by default.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJbeaUiXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrff3YP/3WEfo1qIg/+8dat756zM0ay
oJQnXSSC9tVwUNhVGkoHl6353vv4dYQdUpKrtGemSQaN49KWuRgVIsxSYp0Bsk5P
Sx3FD59CKa622VBp2Y4Qifp+nfK71lO1DTAKpzTy1Jr9a7CJPzMSY4cUiaJlnO/2
iivGxxX5sFU2wGSv3k9KUYiJt2jwfIaN/Bt1ZVooWDoqBH7le47yN/3Ss7cPMDnL
6l6pie6zionEVLstXhZ6jblzfiGcKoOnnd2J4fWy6YtjUoBZV7vV7fDu8M6C2ROU
/CFFkL8KxkFaguEbWlMx4Av1ZfVuIvDg4IieKPQlEJtULwgz1SDo6Yi1BinDyjMy
++3TwJYTidhKkuCdTJ/ajfXE8woYsh0bwdMTg+p02pNjQMBnG7v3QadKOziW7JTJ
R8tmSXMRSkyqbXvDRxT4WSmUFmjtyqZm0Qn7blk1jshIRn72chg/Mcjb7oinZIre
LpckcSQRz3BiQp2I3GvVaBTOOBYr7owhRCgwHkX8V5A7EC4u9eVpOY/MnvIV6ZmO
RdJYsqFIsMIuD70/gd1SlTkUZihJcXgxlX6Yalf2CJjGYxkE1/F2dRfa/XAuFONx
poRwHmErzaTZdePsufHlkMdLhclJFV0ZQC14zTJ6mFloNFwrPWgPXpmKi1JfIUQD
ZTaT5F+035bHdod3ov2T
=XKQr
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180819171306.GA921%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Is Qubes vulnerable to CVE-2018-3620?

2018-08-16 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Chris Laprise:
> On 08/15/2018 08:40 AM, Rusty Bird wrote:
> > To me as a layman, it looks like Qubes is indeed vulnerable to the
> > XSA-273 data leak, and that fixing it involves
> > 
> > 1. disabling hyperthreading (by adding smt=off to the Xen command line)
> > 2. AND upgrading Intel microcode to 20180807
> 
> On #2, assuming Intel has still abandoned Ivy Bridge and earlier CPUs, I
> wonder if this makes the CoreBoot targeted systems essentially
> unsafe/unusable.

Apparently, there are microcode updates for Ivy Bridge (page 10) and
even Sandy Bridge (page 14):

https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf

> Very bad.

Maybe slightly less so. :)

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJbdUnbXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf8P8P/3YFam7dyux4Qb4AuzzXX1/i
AV243309HUgr/HXKvQMuOjXnItOcptg/J56lxlNZg4vrgXAEVr1YPMjEFkcgC/9l
iLLV1W76vvURQcEb7FLqAI+UC6L1Pm9Um5qSAHzcY41kE9ASSz1AcEH4abVp6iCB
b3o2YWlMN4Bz9HQq03jb5WD/qoumXdUdmASsTWDA0s9h9TIDrYSXyUJCXg/OAxyO
qBfbfIAeTL7IZ6UB5ewIeGK/lZujmd0c3jhyfQh+7t1/nTBccdz4xK65DKhbxEVY
NIAFj5K2qeZXtxqOGa3XIo8b5oiLsDAQ1uSBJfgC9D325qnROSM5uebIHIOCSixB
su7FjBXu9F5b0l09mib2CmmhrZdo1hf42kxHl/MTo6H8gwpUTO+pxvxcXDouBrEg
Y11YT/j2ux7ugaP6KYML8G3dzXD1GGTENaLD7p4p7hPNwK2QPRcnDWWCZ/cHxOQj
FdCpCz2vBaqy3rPxHu6ujVYCBBBJVMBUsoeH4yhKvkojwAPmIT4r8GYq3epfYU+9
IrzQ8ARKnRpHOqSrAD+9x1AikaNePi5SYsfg8W+ZcZpD767QTFMbZ3mb35oqJEbN
Vg9BCcj1OOVuc/mG+hI3Ki1u3AS/D0RRMKg/fInuTJ4e2N6Z9S8U1dnx/yblVT/X
bAKRaM0Z+0V+Og7C5VS0
=T78o
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180816095435.GB1219%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Is Qubes vulnerable to CVE-2018-3620?

2018-08-16 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Sphere:
> I have hyperthreading disabled on my BIOS, do I still have to add
> that option to Xen command line?

Disabling it in the BIOS is okay too, according to the XSA.

> By pull request you mean, it's still being grabbed for use and
> installation using qubes-dom0-update right?

Yes, the official microcode package for qubes-dom0-update hasn't been
built/uploaded yet. You could build it yourself with qubes-builder
(after applying the patch from the GitHub pull request), but I think
it's pointless as long as there's no updated Xen package to actually
use the new LD1_FLUSH microcode instruction.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJbdUjoXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfnLcP/3m8dHksgWS6QW+rDSMpv1tD
4dVpPf76cihRlJpDttXucU7rfqTaldzF6ytIlTHCoZYpa06fOKsqmcKYZ6HE7fn2
iGCCFdDKao+DDfvP3caNupRs4DCD0Z2H1VLXZHwWVniN/s2MVEIv8BN5nWB0HvpH
2R45/lKC5BjMq0l2i42tPp3Nm/CjDbh4X/etqrx2p729Ykw9TTJCkPO1diImdu9N
CYzvA5amIduDRnJrNanBZKANjetHnNQysmEbGXWndgbVshd6JF53zq9CcgArHKZp
LqadTe+d1ayoAaRidVdD+I72h/1wjGDVx2OVcrtVKq6hhqJ24YQHlHO0XKDQfmK3
5xzxgjx9SlFwVw7u9a4osxsmExSMpuXA+9wdmegbNJoFmKgvIfYFLLrWrtvgN2pU
Cvhxbmb7+MtbwVcN9Xlo2LbgKA/bAJ0dRgKcuAWZYH0ceo2tokfKu1GT5asSI8bJ
QHlqE68r8SVZrU7hic6qfaqA2U1MPjJJSh7k19HduhrkwUYL8o9Tzpjgz4mqfAod
hnb+H1GsqHRA8eT4ZyG7YQ5aB5PxBZHFOydAPAfmxjkloEtV78mbuzfWM5bAa8EW
kZ4QRNSY1msm3h6NeJIZroGS1/PBtaDBQXwwiXJ0FmkX5AvVvJ2hltk8VNS1epdj
leeMYghualtPH8s7ka3L
=P5jC
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180816095032.GA1219%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Is Qubes vulnerable to CVE-2018-3620?

2018-08-15 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Sphere:
> https://www.bleepingcomputer.com/news/security/researchers-disclose-new-foreshadow-l1tf-vulnerabilities-affecting-intel-cpus/
> 
> There are other vulnerabilities disclosed along with this today and
> if possible, I would like to confirm that as well.
> 
> On a side note, I have long disabled Hyperthreading on my machine.

To me as a layman, it looks like Qubes is indeed vulnerable to the
XSA-273 data leak, and that fixing it involves

1. disabling hyperthreading (by adding smt=off to the Xen command line)
2. AND upgrading Intel microcode to 20180807
3. AND upgrading Xen

There's a pull request* for the new microcode package. As for Xen, the
XSA says they're "not supplying separate patches because the changes
have many complicated prerequisites", and their d95b5bb commit on the
staging-4.8 branch is 42 patches ahead of RELEASE-4.8.4... :\

Rusty


* https://github.com/QubesOS/qubes-intel-microcode/pull/2
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJbdB8sXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf+A4P/jJopc94LC67vWz+PmkLOmB5
DaxS/VmFB70CNzfDmQMJ58YLOJ7z2wu9GEOOnHgP+KmAKsn9/xtp5nufrMfNoOd+
a7dezBA0b2vHy7aVaAXG3qhRL9PhHqpFhcUrudShATrUWdY2aFnaeRGSZDbwoR40
jGEgjxFFM2SGEtTHOEuKBBfLU/OJMw72ClmIAIdtvfEPABQ0WYw95OmcVTzi+tvZ
2bEwXJz1cXUovGzDPInbBBZm43m3X/r9FAnsFdLQXyjgRNkFc2LuhVz5Tc12NGjH
6Xb2qJlIhQVZjotRPqm506G6UrKrx5DB0lANY2/H8tl/tPACyoTY+EHrOJHIz/21
XipPbVVLqQJtQJOgQXCkHEPz49X1Deni/TFedrQxzEuTiOH5R/KVjqEe17cwyaL4
f6HHf94OiFHGKVmGtwySwMxxWiH9T0UOu3+Xzo3UNE9IPkLoakcXMTvaLFJS9Hfa
AFZil3+aKMogWWRS0mJJc0UX+m9jpPdwERdXAriqAY4mp59TJ3qt5OFEobSlG4kD
aRIfBiQbMRZagfwtsHLTxwEymwMyaovm/q7hv6cZvNYm2S7cztMdFXeUquYlZgJi
ZzCr+AirENSDSBq+hCosnGdvwAAemiUBpRh3kXHMuOTtR1Lu3ulnatN64SCznzPR
M8ZJnNdpOLX4RqU/yTr/
=E4BM
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180815124012.GA923%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] What exactly is 'private-cow.img' in appvms?

2018-08-03 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Rusty Bird:
> Stickstoff:
> > there is documentation about 'root-cow.img' online [1], but nothing
> > about 'private-cow.img'.
> > Am I right to assume that the 'private.img' is the writable part the VM
> > sees, with the changes the VM wrote saved on 'private-cow.img' [...]
> 
> It's kind of the other way around - foo.img stores the most current
> live data for volume foo, and foo-cow.img stores differing old data
> blocks that allow the corresponding device-mapper snapshot* device to
> present a virtual view of the contents of volume foo from the time it
> was snapshotted, i.e. before the live data started to diverge.
> 
> > If [..] I backup only 'private.img' of a running VM
> 
> This would result in inconsistent/damaged data.

To be clear - what I meant by inconsistent is that that when the VM is
running, some data blocks in private.img will change while your manual
backup operation is copying that file.

Rusty


> * https://www.kernel.org/doc/Documentation/device-mapper/snapshot.txt
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJbZGVjXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfBzcP/jt0GN2azqrNqaP0jNoMmAJh
gvZVI53QSxwyK93gGVi1MxECG3B5EA9yl6wEpqe7IJbNKPja6QdPVcJPyruyE+0i
w+5aWuR81n8oAI2E1K2b/tJZ1Zha035d/6joRraQ6lkjIH+S2QdYAP5oUUx40ZWf
xYAwR+FJZJVsf0dMLnzPgTpLyd7rV2sF3YK5l6InypgmaNB0OmYx/jU7HpSuN7zz
w4jYEnfhXthwQS3uaEsuNXVTXln9bEgraR4n9G8emn6z2Xr1/HY6tvWQ2rZzkfRx
++kNrg9O2JrLuPx5mZlQPuZ3iki0wcqBbGNyFNNZ/2yYA5bmRTOYyof3Ux2zdZ9C
fa43idV5slEVmprwOH6/iiS0ZLzaoRuQVIvNFVIW5gqteUMiHemqWjyzQm09gY6p
QYCCimw48uYsgFyNxjJLp/F5ezdAl2qlbOyzZCK8gWY0zOpCoh1eywgM/04ZJVw9
M9rbHZZBBx4KxVGOkAKzW5LLXVgvpLtYPbdzkrkYqg3hP+Z06oXUqpJv6+TnbCnf
JgemF543aSXVcNmwTiZncu+gYwBin8AwWthHhmBaOxDBGnFUOFFjlQcXchbT5hrd
NOC0sm845KVgFYyOT+zWvkXJEg1PKTt2m/vQOwicaGF2/uY0Z5nBXBUHEzGkK+y0
rNBlQucepQa/7vJnLcZA
=EMYK
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180803142331.GA1192%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] What exactly is 'private-cow.img' in appvms?

2018-08-03 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Stickstoff:
> there is documentation about 'root-cow.img' online [1], but nothing
> about 'private-cow.img'.
> Am I right to assume that the 'private.img' is the writable part the VM
> sees, with the changes the VM wrote saved on 'private-cow.img' [...]

It's kind of the other way around - foo.img stores the most current
live data for volume foo, and foo-cow.img stores differing old data
blocks that allow the corresponding device-mapper snapshot* device to
present a virtual view of the contents of volume foo from the time it
was snapshotted, i.e. before the live data started to diverge.

> If [..] I backup only 'private.img' of a running VM

This would result in inconsistent/damaged data.

Rusty


* https://www.kernel.org/doc/Documentation/device-mapper/snapshot.txt
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJbZGBeXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfERYP/ApX1aJuCoyueKURTwB8hCx/
GQsrqeflPsL9ohqjbEv6m19cVFXRK6G1vKkycxwPolfHqq/7bQ5U673jCHSzLwpr
bdLbgupYBe7AosfrNJLgwvcm5LR3v8qK+VOyK1htzdmuEDkLPom0INlVcMPRVpvB
G8uKjp9xnKfg7n2UaULsIdL8+IkQ4U1AlZ0Y/breR7q9Hivxzd9PZMoJL77NAdxD
iKNN+Ac9fHczupUdBjQAlUCrLchjeZSSzgnAIifRjuXDthwTyoi+f1/aSWYZxd0B
5MXh7HnPI2JyZ/trZadpKvZVCNn0s9D9AsDugCNbQSxP+YFxerC5uukwHgnC1j7g
ORtbs4c4NwP4jkytFJF/GtgCO77699FtyJFwPa5BU4hpspkjuJTSgaVAP7j2z4Jj
oGDd+iF91mb6Gbv6syYPN8QmSdshuCSFkYH61bft+Odd1+QokeN2Sa+uJQGZ20gA
xrM/lmmzo3TqtfLns7S7/FrsPok1njJaTyBsG7TdZf1A1rsu57mb0K6Vf9sPoI7t
cO/+4WwUR02oNfxviWTPuyou6ZzIIblwqnCS74EsOlLopf1Ilc0i/S9bxIhotPIg
grlKluk1QpWz4r/CWV8Ho7UzqrFQClWUBFkkEdtATkV7WAARFi5XS/efbTG4ita0
GkyInY0UAP9pk4FhPcQp
=+FNE
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180803140206.GA1151%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] sys-usb needs more than default RAM to mount LUKS encrypted backup volume

2018-05-20 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Bernhard:
> > You shouldn't mount encrypted drives on sys-usb. Use qvm-block to attach
> > the partition to a different VM, then mount it there.
> > 
> This is a good question, I think. Since we distrust sys-usb I agree that we
> should not do the cryptsetup operations in sys-usb. But if you distrust the
> attached device as well (might be safer, right?), one might attach the
> luks-partition (resp. file) first to an intermediate (even temp !) VM,
> luksOpen it in there and re-attach the generated /dev/mapper volumes to the
> destination VM. That way sys-usb is blind to cryptsetup and the
> destination-vm is maximally protected from usb-based attacks. Overkill?

That's basically what Split dm-crypt automates (with even more overkill):
https://github.com/rustybird/qubes-split-dm-crypt

Rusty
-BEGIN PGP SIGNATURE-

iQJ7BAEBCgBmBQJbAdM6XxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfO78P+MOUh1UqQeXrpHcwOcj4M/mX
z9+5pAXGgCa2t+MinDZTGE8Wvfeb62U/gc8A8Uwqzqs5g1NkGOQER2Z+azMS+Xnt
y9XukE3PE8MRA4XgfSZzreh6xOt8AZX8QRTNzlsPet+QjteKGW3B5tk2wBtzeTIU
Y+teN5cIKIWWXPy4AZPYbCDK9aXVYd0Za0/Dj6+Tcn1tuoGbOt4Gr1rLigql6Pi9
3Z1cpkK8VecoXIvOixxycYEBNAr6n7pMW35OjBCpbyB0uGHMXcZFqkoBFca2kOOb
HQbZwRLMlOQnI6DGF9O0jx5unabsnOli5OUXMWHdn1Xo/PMiNSWez02tNJkCFB/4
byhLi7b6p94DnWGyg4WJCi9XkMQ3nkEtNG0a2obvvjDF6bam0X9dRFwfbT7CiNLV
PleQFQjvoLFZJK/tVicnQyQVcTt2KeLD0nzzhqHe+At6XTPeiyBhf8mDERL8pIYr
FVws8oRGmKs2UHeRuFT16CmUN59xjrUuZv2Lf2q/I7Zlncv7pnBfQ5V/h+xT/gim
6K3l8xOBrspV4PRO20XAAQZ1i2NaDzZ8HBig+1q3hfhvMlFfzOT6EmrNk/oSTsSh
W4XO8R0L8wz5cZjHnJJU99UAooyUWj9jBiLbDd/1UT7RG8apHCXHriUpgMaFnAPo
nNT9XnACZNM4zkeA0NI=
=Lh2Z
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180520195746.GA1257%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] qvm-run blocks Dom0 terminal in R4

2018-03-20 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Bill Wether:
> In 3.2's dom0, typing
> 
> qvm-run -a work konsole
> 
> returns as soon as the VM has started up and the command has been
> issued.
> 
> In R4, though, the Dom0 terminal just gets stuck--I can get it back
> with ctl-C, but that's pretty inelegant.  I can use setsid, but that
> just disguises the problem since all those bash sessions are still
> there.
> 
> Was this a design choice, is it a bug, or (as so often) pilot error?

Not quite sure. But you can use a lower-level command instead of
qvm-run to get R3.2-like behavior:

$ /usr/lib/qubes/qrexec-client -e -d work 'DEFAULT:konsole'

'-e means exit after sending cmd', in this case konsole for the
default user.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJasX1AXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfuPAP/3JYcfzfxdZLvCm+t7QRG4B+
S1dRN5WsSmIGYdCp+P3o1W2VMzgHfxJ9Qlf+yxEToF+mV2zBZTYSCbKT3YW7e3VL
soS8YCW3q5lm2AQ+n2v/TruRUgUTs/rDZ5MgHh7CnP8/0/pLkT93GMlY0RjChFzr
8YGyyRntSrl+I7FcWoSccWQSGcbYZUjfZc2lJLugT4xlyKuwsTVMdRoMzmvR7YG4
qK1szVBwQoiblmu21hvUa1icIlDgawiioRpQLnmHWV/ucV+9r9Qp00eAydLZrwPo
omEMM7ykfMzP2/8cKYUo8OTj+lmDwSmwTP6xkoIb4qrLwuLdnWcF4/GufTEQAbTx
GYPvupDcvX3ZaCss9/sKBbNdGA1IJx1q2UEhhTYjtIsW2GVR86ogLoqSqHUQ0Mz/
hZY0zO/IktsXXYOklt169H5p/2zF7zRNHYFTAu991UkxL8dDNUyix/ZDdRfBtgNZ
REMkKqTEkZ1J+yu3hVjQLino7LbWtqevIMpDYGNvyGVH8F1jjdw6VxPLN8yddwkV
/aN6TXgLg8kJlLsYFWENIHWLINpJ8Cs2dshVfBCyVu9/llBNQFtMbJwi0euoRUl6
cspzotdgyXhII5oYdzrZvs3whSvcAhwcztf9lafpsoaq5gYdXNXKHT3bTN12uHOI
k8x7vpb0fHqaa5JTBtfs
=587Y
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180320212936.GA2485%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Coreboot + Qubes :: Best Practises / Coreboot docs page

2018-03-18 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

799:
> > $ build/cbfstool build/coreboot.rom add-int -i 0 -n 
> > etc/pci-optionrom-exec
> 
> When do I need to run this? After building my Coreboot ROM?

Yes, see payloads/external/SeaBIOS/seabios/docs/Runtime_config.md for
a list of cbfs options.

> Can't this option be included in the Coreboot or SeaBIOS menuconfig?

Looks like CONFIG_OPTIONROMS=n ("BIOS Interfaces" -> "Option ROMS" in
SeaBIOS menuconfig) should be equivalent.

> I am already using the console setting in my grub installation.
> Can I still boot from a USB stick which has graphical boot enabled?

Booting works, but the GRUB screen is invisible. And the Qubes
installer boot screen (isolinux) is somewhat garbled.

> > You might also enjoy HEADS.
> > https://github.com/osresearch/heads
> 
> Thanks, looks very interesting, but as far as I understand I don't need
> Seabios when I am running Heads?
> Is somebody already using heads? From the website it seems that it is not
> that easy to install and maybe still under development?

I think that's all correct. Not sure though, I still haven't tried
HEADS myself yet.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJart5cXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf1aQP+wU1fmTESwGkdUvT1Tzyrnyr
TVKH4hmo7zRv2WXeot12PbfLr/MUsiUkiHLA36u5M1k3HlZasi0wwrMllDNEJnaj
Neq6BtRZE+Dl2OYcMoksjT40deAWYzf4Kct3s6BK93RlsnrkoTSZ4QbJwRxSi0HJ
CZ4lxsW1ucVT6oAieVu7Ol1W8nRXPcrR0BvHKQ2qJGkfC2x8oMOZlLdNLB5hO8Dl
mqye+9V5la+jneVg/8z0PR8UVU/09n8+TmYp3w6isX0VHabv2fpXNQXjiF4gf5nz
uoTl+7/4nXpA81JMUk6CLl0HOnJhlRo0dcG/DaB2J/bSfGk7ADOzHBWrQ1ETifuy
8RLp6Hh0VZU69+BG409hCGte4pzObAjQEjkPYkruSqGLUny6YRGmtwiU/yiLrghV
WfiGW1zIes73NvymEW99Y4/IIy77xKq7HOR+54L5N/pXDOCLKDdslJRlEpYdlhIo
Vmmb58FidYuJ1aJMq45CDuzhFaLLj+DTklENQaUj3VRNZrAIA32aCPrfymabDSSQ
BDqqWge3+kdJi8NhPUJs4ljIK5a6I8942LOG8uUuvX9WXV4731y2DZwTMort0igT
OCjLNy28RGFDMKqSLJj+PVqdpTZNiT1VoNh9m+HstTjTf4mS8h2L51QrWIuKSfwf
yd8R4lXm5Suw6LtUOFlv
=4djs
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180318214708.GA2699%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Coreboot + Qubes :: Best Practises / Coreboot docs page

2018-03-17 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

799:
> Seabios or Grub and are there any special options which might make sense?

SeaBIOS is nice. You can build it with CONFIG_SEABIOS_VGA_COREBOOT=y
(might be the default now), and completely disable dynamic loading of
any dubious option ROMs:

$ build/cbfstool build/coreboot.rom add-int -i 0 -n etc/pci-optionrom-exec

That's incompatible with graphical mode GRUB, but you can simply
change GRUB_TERMINAL_OUTPUT from "gfxterm"[1] to "console"[2] in
/etc/default/grub and rerun 'grub2-mkconfig -o /boot/grub2/grub.cfg'.

IMO it actually looks better - no blindingly bright blue light at
night, and fewer font changes during startup. I've been meaning
(forever) to open a pull request to make this the default...

You might also enjoy HEADS[3].

Rusty


1. https://image.ibb.co/jGvCCx/grub_gfxterm.png
2. https://image.ibb.co/mbnsCx/grub_console.png
3. https://github.com/osresearch/heads
-BEGIN PGP SIGNATURE-

iQJ7BAEBCgBmBQJarZQ6XxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfSKUP+NrPMBRzFqbxr7ciUg/Qnh9m
5ykQ4unpLU9CfiAotMDo7xJdjEZA7lwTeloVtsPL1GeVPTpYuFbkX2rxjSUQAb7H
JSWUxTZOU2YjNjQfOz+W/Wnb0uHK9G8a5h2Pf9v8lEW5/Z3iGeTeOiSSjSc6OJjw
Nn9ycrr2m6PvcM14OZ5DqnISdKKogUZBz+9TemhPVgSogA1RpsB9GRHgUcDermgs
D7T62f2Bs79suOMwRDM/IZ6f4MNvsSF1pFSN+xE3JOpivx+xfAgBlc///vsz7dM2
05hqyVLoeCs6qHwe2PtbBlHfLdfPVoaC/kwQRDV8Obj9hP4/CFnQkRDyvN1dnwDi
lV27YYcuWE0lgfsuRW9PwAySzyxEa4OYyDNDEJYW20lB8eTYsusDJAxxiM0X+Ba9
pxf1FQwRoX7C4yjHU1tWb97cTPOMif07O8a5AFod9FPAwmUcwdPC/X/H3eU2CsaP
UP5NEK81Wx1avWdTIBuvrbuPZe5Dj0dwTk0Z5TC5hbKUMYxczDLuFnh/1TnViSRo
4pOUNfXx4Blg4elUrTXASOnPQnZA5X2snVhkQrmqi3nAyRztzTK6x++OqvjlF+q3
T8YiSg66Ssi3iXUFiZlEerCfzpe0Wc+kyvVXh9sM0NhwBs6hErLpmSlLD3785Bxr
P5Lc8JEJpNcnac70K0c=
=L0qD
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180317221835.GA2170%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] qvm-backup --exclude no longer exluding specified VMs from backup

2018-03-13 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Xaver:
> After updating system from 4.0-rc4 to rc5 qvm-backup --exclude no
> longer excludes the specified VM from the backup.

I recently broke that. Sorry, and thanks for the bug report!
https://github.com/QubesOS/qubes-core-admin/pull/202

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJaqGPMXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfNQEP/jmE7asHrLAIGpV+hwLd+Z78
qv7uLzCHx5CL9dXxsxy7vo1mQpK539AdiWyj8keyCFWjVtCVhIEJwPOkyEsDxz6a
MIor2XsFMNNmt7vSerh9MJuRnmerRz/KQODadSWX+2Yb2juL1ZLKCVHBmiVrVLJG
pQjjt+AqtrYdaLQ7OhnM3avi0+X3FkZl3eqgxDpJZ4OyHY8ul4mBdxJiLIp7v8io
B01KGeBGSUlDJ73qLJQybd1juk0qkthyIuDll3lkb0w5RpOIgMcIRZzVKdPoLAdh
B/HFHzoMsYC0A0C3vZdXC4KWlimv0XzpNi8PvMb+681C67NqmwDRRDRJESX3tFv0
TMwgpCL8Lb5YFYaa7TKnTc79jEx6mmow5uda40eyXHAMIXcLzWuZIDucjgWZZjcI
D+d9sCupLECzKIoNYsNzfvmFqVL4VZhx/jFKUzVKESpwQI3A8IinqOXB+EKMhuKp
RAGWcgTx19CCT4JZ+Xvt8LgdBYprDDroJ7uqabnopvhKjthzajQm1MrYEKMyWH2Q
JBWLKZ3VmnB5wmdAj6W0hTpdtZ+8BRcmk88lhwUTWqiiWiYfunkCOHsQRL+wWdhO
1VUMdFSeYC/oOOuziiKMSvw+wChmwkn3wspZItxKxFfBvuiB+KLM5JffJ7tJusPT
pi44KGL07pVNCOHhStgQ
=cJjX
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180313235036.GA3501%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes 4.0 rc4 / Qubes backup doesn't find the directory

2018-02-26 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

ThierryIT:
> When running the Qubes backup, and choosing the newly created folder, I have 
> this error:
> 
> Selected directory do not exists or not a directory

https://github.com/QubesOS/qubes-issues/issues/3594

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJalJ81XxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfryAP/28evKg0iq6zu5caEecRQqrH
uPlmPw1LOzuST16lTQWLdNqzOtJdovDazUbWS9fhEh33N8iwZajSqC3efHQYv3Dt
zN1M4Krakky+UqDxxecCfcJ64WJ6TpcuqtPUuqF4M5G3XOevasN/O0Q55PzMjFp2
981dYjJb5W0wyhqlvFJ4JwMlh8FkR6DTAVwKLP/Ga2ClUHBaxr89gsj+uRmFSogi
XB8ECuSL9TrTCK/+cEyolS38yukmjpQTVLVx23dXLNd4cYZovmleyKL9DZ5LrJjl
HRYDdtrHEbdTV+WZcxu04OCWOU8HTrqy91E13/OppJU8TsaP6Q9eA6eZIJJzoMnC
LC0A1H7O8fHNgHhWlBg46Y6hQvCAaYgYKuipa7EzzNPZ3EkbRIZ6ztoyMbTkxWIM
waRcxsIl+oEFCt0IJnKY1YuglvwCr/y9LS/7sANTSj0atiTkN5YFIsaijt/9n3tW
RLc/msNeBp8CmPGawiZxPIccpfJnksFz9DLFArRCJMDWWVhKj6bRp4XBYGSkJizg
QEW8Fpw8/VYdonDRf75mMdJXLosUSTBt8MV2z4hOrv5FHY36AUGhbWN9X3g/QS88
rONqsp40ApjaI+POOvsOvYa2wgelpI4vSAtZs86HcTGoKabovX7BQO3u2NTNLHCd
T7I76JkdWog2kFZmmCpv
=I+Ot
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180226235845.GA2172%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] R4 rc4 Whonix-ws-dvm. Requires repeated tor-browser downloads

2018-02-17 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

sebuq:
> Each time I run the disposable whonix vm [whonix-ws-dvm] I am forced to
> go thro' th long-winded procedure of downloading a new tor-browser
> instance.

The tricky part is that you need to run the updater in whonix-ws-dvm
itself, not in a DispVM based on whonix-ws-dvm (which is what happens
when you select it from the application menu).

Try "qvm-run whonix-ws-dvm 'update-torbrowser --input gui'" in dom0,
then shutdown whonix-ws-dvm and you should be able to start the
updated browser from the application menu.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJaiGTyXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfltAP/0EkD7SSHFsnpALs5weyIvl7
bhG3FlWDvCSTOW5yYJtlDOGyysv/Ka3GEUSJSvHPFlFtfZWjQxgtJM6hQfpJrqWt
8ESFHbYKsd7n8zcOP5Q6ooKc5WD0b9coFkeaVJsbRtAZU5pL1PLWSi9/VD8DYw1i
+VXe6LAqKk9TgcvpHG356XGNxM8LIaLd+doxpyj5nzYd6aFUAfyL67on9jAkY3jt
htUFCfEIKOpKwVwIIdSTKOOiY6Z8Qv/X0fXF8WTmsh/2OxJI+qGhDCmX+8ByWWzu
ysmJlFEpom+zcVUkDb71c4LL9TuWz4+mk+pXjIQNYMPqw2DHoO8P2u2CqrsKTlcm
4DSZIEYdm0z0h+qAd0ZL/KOdzFYhu3sGSu/g1V5+/Ng3ZNeMQs0HqBpGceBfeY5r
wig7qULFDvMDuD+mYzZTHkEjMfKoYqadwsjS+OEdDeaImwsGlEsfDBus5HI9us6S
aw6vZbN09Cuf7R83Wp09qj1Yg/PO/k+MGJ5HbW5uYM0ba12Dchz9tyUHndb4gQEC
MwneWsX7HrUQV6EoryM7GcR2T0GoxiXSVFm+q55oVXn65Z520XviOTncThJljGYH
nQ8ar3z89TDJTYd9T9wXC57VR25g5Z9/JuSSXVkUBn6tVsLRcpr0y76P+SbJnzCN
JKsRG3wOspCVHLIJpOvD
=zy+z
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180217172258.GA2129%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] 4.0-rc3: sys-net not getting updated template OS image?

2018-02-14 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Steve Coleman:
> Here is the sys-net . I re-wraped the xml to make it a little
> more readable in email:
> 
>  
>  pool="lvm"
> revisions_to_keep="0"
> size="21474836480"
> snap_on_start="True"
> source="qubes_dom0/vm-fedora-26-net-root"
> vid="qubes_dom0/vm-sys-net-root"/>

Looks good.

> Since it is the template (fedora-26-net) itself that appears to be broken,
> would that not be what needs to be verified?

I had a hunch that somehow the wrong template might have ended up as
the source volume for sys-net's root volume, but apparently not.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJahMpEXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf408P/1JnKeJDyxbbnFQZHLdphFod
ZvR6G3IAzjKm1ekqfXiCedbRXFCK35Olw+PO+r0MEVMvHH414CvcuN9Fgf0LyqHC
qtGHnPl1eaxt/i7Wt8h/GKd+9bxysE9CtV43JntSAYd4atbTiv7FMSUOPgZyanTo
ycEAPdL96LtTYUtD3jR/FOv+1OHk92mYgQrIWe/LfljEWlrGXj/+yDIHxEpZpAmW
0d600FfqRTGh/QDmb2IcZkrBCc6bR5qh7tyxwA7eq+TywMWdeyCeL7zNpmYNqRHu
tjLgUdQsCo/2OnqF5t1/HDLcTcnen1Yw7sQpl4hdb7E+tnqHyZ04NgMSuM9bERT7
MC2fPxh5d55yY44jLJpwr2pH5W0/Oj/jswHfAtJrf+uNnOJqApJmFKXd6MjU0vzi
JKDbj9L2itt6Q9uni3C7wMKPtLqqq0K/0XIflbBoRa39apHgn7QaHFG+kqmY7Its
rwF3voMUbwGohjwrEGZIh9VG7dMyqK2vAVW0KwG01fpJO7mVsNZoClAxlK6cR6C7
jwEKJszz6vQ1Xfi85o+5OJlk4EV1pUrCSzd0lqdZUQDrZxzZ8EqeRLSlfmGZ8UpL
jP1Dyc1QyY5IdMObmnnAAvf+0ehB2EsFo7jgn0pXPPiiH/7Qf8L5xB2yyEFNKW+z
70Xb+0LZHCscftb46Zsq
=wqE/
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180214234612.GA2755%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] 4.0-rc3: sys-net not getting updated template OS image?

2018-02-14 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Steve Coleman:
> I have a strange situation where my sys-net's software template
> "fedora-26-net" (variant of fedora-minimal) does not appear to be providing
> updated OS images. My sys-net is the only vm using this specific image.

Assuming that sys-net is _not_ a DispVM, maybe this is still somehow
similar to https://github.com/QubesOS/qubes-issues/issues/3576 - can
you search for 'sys-net' in dom0's
/var/lib/qubes/qubes.xml and post the next (i.e. somewhere below that
line) XML '' block?

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJahG6JXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfmwsQAIw0uxVBLbrz543iD0z6EqBn
doi1XooXsmoqfaFXvSqnJSJlVr1vhgFM+mYVzpPIOvT20AhzgYDIP1YWjU/KWO3q
DNKkpLuzJqhPfG2XTv63MGmji/Tz1vLMK6OGTDSU7THR8DgKJSfy/3bBRJP9meeq
x4BzUmTG7HVUsjbRO7AK1QO4XaCwi8sFCsnRNht4UsL0ulSeAG1gaVxR9zxSul2U
hqLW8SGk+zgMbsdY8pNjreUNmMK63r9auIAiIapoU9s13g42P7E3ujI9HX2iO8C0
PXQfmNo2U1frSycySLn5kn8Qa94uLvLTf6Xj2985EPsmicYH85PdGKwVRsa0ObLQ
/RrWrbxbximu8g8onbPnqMig5Nu56yyMD/m4CY7PDaqh/IN1cK3e9tBbO574QuHH
kkVgmzC9ojrIXDk7qH2Tp5M2P6KtSNHHQ2NXiImuxDxW6ZV47AnjIngk5Rw4bfCI
xrv1EU/Ujxa0ioosm4NkC6tPb2bqbRoHYqiEZigx4/onpV1YM+mgsHNLoopFJ3qY
QqMu9YFTJv9IY2/f6NsVLuWh0QU1csBXETr41UOZwB/AnOqolm0jrZADD+8EjnQ6
My+WUCm+WZWKz55iuFPVDxscRSWxQeMOc7msyKACk0Ej6Th1RJcc1yKt20eIw9QA
XA0EWlMJksbqJaqyVgmO
=UNib
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180214171449.GA2281%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes 4.0 without IOMMU/VT-d/AMD-Vi or Interrupt Remapping

2018-02-05 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Utility Panel:
> Can anyone tell me what I might expect without IOMMU/VT-d/AMD-Vi and
> Interrupt Remapping?

https://www.qubes-os.org/faq/#can-i-install-qubes-4x-on-a-system-without-vt-x-or-vt-d

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJaeMi+XxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfeb4P/R7K8LDbdSkKYs+B1uLbNTyz
2YwohgIu89FSCM/wq8yamJ9OnQFLRlhM7yGhcjsqMaPiBCS0BOdlR463kTn6tWHy
893xxeor7h96XymKsrFr/7OP61zDsnO/4wp7LE7bynDxBgRc1RjR3KjZ48a1HOz5
TxWDliJlxHq+5Bk9XwOCDO1eTFUyfuZ5opWGqL3+4c9ZV52nk4aEYkizHxFFiWA5
WZlZN/O6HHepNkqtH+nNYV8BjRsueBzI8WaqO/R3adfppufrCaQHIndqeQYl06JL
KPZ87ANXHLoojNG4vomxRrAnSVB9Ho0yj4EWTU7UMzX/0UCfJrZp7wssIGDGjKbm
una0PQbOJckOcwGQoq9YClVgSQPCFADgnuj9fn9nwmJKLJZvL+dczGjPDw15vXDQ
NzjVLcwo+755tLC+zJ6bXoPS4O4yDEAcmj+EolnGGxHidOSXZoRBvWQT0OH4/0ku
wLSnEIZDg4PEmcsgwfxwtF90inlA/n2tJwQkL839nWAJvTnrza3rBAwn7hCIAwjq
qpLewtLTH87/d0GErjtRTmMLOw4vCmlh/bsDGLKtdrT2R0hD6jhem5wt+dSvrjaV
jWXfB64Jz/0IuWjoEOez2yW8z4ALfv4856dvAXXBjaXS6IBK7cf2Rr8Reu76MmOs
zkUB451uJxd4oUQntu2P
=/p4t
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180205211230.GA1841%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] X230 Webcam

2017-12-20 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Jo:
> im trying to pass trough to a VM my build-in Webcam (x230 with
> coreboot). However, im unable to find it in the devicelist.

It's a USB device (not PCI), so you'd forward it using qvm-usb:
https://www.qubes-os.org/doc/usb/#usage-of-qubes-usb-proxy

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJaOt3HXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfrocP/j/x0EK5MpNFvTjJxsqg9q7H
aGF6vgJATTsFnhkpfIgyAGymFv+ZKSww4H+Azz/3RrfwGfWirw+BsMeiLHNXT35z
ZqVixCumDxLSVwdxPMRJEmHZE1JIhhSZOiiItjVdF3qY3OYy0JTMNSzoY5c3pUSG
oNpVsGooMZbGYZsxpunE5XyjnP5jepLcxuNlfvM/xcmD5+0Hir8aG3gnW9Hv8YA8
HEUhvqp9WMdBYhOAMHbNfHb3XfcnH45kOpBak0IXGgZ1d34KfwjGyYFv6iH2cRxW
xpDVsgla5iz6mtBQV7uVc072ovLwlYVDbXY/AGauFEN8Yh4IHByyPkmFF5+LLe4M
OBFEnRXsIK+3pF/7fU96fDx2aNpoCseVAqRXThcpwq99IzLE+Ac/Iqy9h/J+TGSl
SrmmHeR8uFvRFldPIsPn6wwEosA75P3IhPduZUslpEbXBdgKSzs5lpWgYHlqPK13
sxnArnpaBy3IsdBeZmuKxdtlbSuT4RGWXlM3UZyMM/JrlDVIWQtr/GKAtfAMd3RU
uFaOlz2u2qEnq0UYLDcTnM0Ca/tWsXPFwIOkUtLsHxDUZbdFmUGIU+jezlShLD73
oGWLIN9JANj6RLKr5yDCV8i4/PhIhkQM0MoWydnwIRb4Wx4b9p9bbU/DiHj+38z9
X5rzcbk2UPqbc/7lcdLz
=tqCb
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20171220220144.GA1365%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Prebuilt Fedora 26 template now available for 3.2

2017-11-19 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Lorenzo Lamas:
> It was already possible to update your F25 templates to F26, but
> fresh F26 templates are now also available to install. (Both normal
> and minimal)

Just a heads up, to use that version of the _minimal_ template (i.e
201711170336) as a NetVM/ProxyVM, you'll have to manually install the
iptables package. Or wait just a little longer for probably the next
qubes-core-vm (r3.2) or qubes-core-agent-networking (r4.0) update.

https://github.com/QubesOS/qubes-core-agent-linux/pull/73
https://github.com/QubesOS/qubes-core-agent-linux/pull/74

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJaEa9UXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfHQsQAIiaSpzpWBu3xpMfeRgIQqKP
WvoZ0DUiej5roJsNa4A8N7AC2X1RCHR5MQBKTzqdUsn/M3aAB06Mbg9MEgQRGz9R
irF+fHbilt9YlEhG4eXv8kh6786P9iWpLUCpceBnnQkhz2r9JdZfm1l34ArNS/rl
w0Hp8NwPePqgVxF3j9bUE59pwyEPqtujt7sE8XXGkdYGDvoJyQ2OUP9KbCEdTfXT
fP0y/xpjPJH9f+NxJxjI/iLKmD/TNbm757bSmfKhMrRt8jehMpEfIsCa7CykM2Ke
Vs5SJZig7t0Nrk06oT6S3uu2qhxcYsdQ34huFyFf5PGlZXanfYkqJHpPwiTxeEaR
81gT5Bj4emjFOS/pNOkdgQ5gGgTtNU4BrzvTe5mVc49HWAVsGQYBrBsvz+dR9hzd
Hkg3NYYeE41rhZTMo7ghSsjKJyju2w9Zo/3VigCrPk7ovg7qMDW28FNq4bfxzZ6S
CSVazgCDkloA7ekPmDG3p7OJCz49qfsWpnoE7WO0TG6KIexHKn63oDVxi+QwPP21
rgr2ckSLYCymyHlGvM2jZtlDpPqiB6okxgbSZvPEycnRwBG5IbTmVZdOElZ/CTu3
S62KwqAF+2AfXlrSZ2mPJEtojFUdUfnPIR6Zk0jfEyfH0QnFEqMqeBoP3G8DtjzK
6q5QZLLeHhVnr5PcFnVe
=MF5Q
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20171119162036.GA1029%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Anti Evil Maid (AEM) - possible to use text and picture at the same time?

2017-11-09 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Patrick,

> Got secret.txt as well as secret.png - now it's only showing the image
> at plymouth but no text. Looks like both cannot be combined?

Yes. Image support is intended to be dropped in AEM4 anyway:

https://groups.google.com/forum/#!msg/qubes-devel/PsTA-3m0xA0/0N0c3dFaAgAJ

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJaBEokXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfvhgQAJNIEMO8ipX5tY/6ww0HD8zF
YlM1MpGpeELZj7/LNPBBotGgEVICwdoYUBQgKPIM06MuNaI6aWeUXMP0fdBnhLT7
e9z4vQ5pZi7JkMK2pv/RFLG4z/epgEbd/UQWb+NV+xFIbL/op+q+6ljn+9YRYciW
LK7fNAsjq/+/9Ck7pW5wwwBT6Z/vtS3MpRPdWIaeFK8ZQWuSY5YEq6+KuX6kWPQW
biaAuuGL06x6CAP/hMQbduARLFO6CbSOzGR5GpEb7TqE8i4fQqgVcMPBzSFRpsp9
OPXp/AGkTD/Lw17MLwZSJyEgraN5ue0YXvnO8lD5xIWqlhQZ6Tzs2PPgZrMt6wJA
hccxa44cSXxT7gqO/6f5KA94fGC6z0COxzjEQZdIsq4hi0CyfHg7+Jb90rN/t4a8
lqB0nfMS1AHyWwWW2Z654Pc5vKQ2RP1Swi+39qjumGSWKzCABpODWwMebnAXKI7q
7anaHgQtxOhfdyPa/bn2sf0zn01icL+ypI7FjASSVJ85xIACXO03RjdmJPs00XSy
GjoILcFXNIf78h3So7BSKNxx4XREPWtiR5bNBPuSBM3V5Dd5bSmZhbuan9R+p4ht
pKN+WNM5zU6UNdz2tZTcJnKSpcQ1VKF7Q39oT9Y7IowsjphpO/J5Eapsr4EdhhTE
isr0vhEiaP5YPZlS9pW1
=FaWZ
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20171109122925.GA1171%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Anyone disabled the Intel ME yet?

2017-09-18 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

alexclay...@gmail.com:
> Has anyone here successfully disabled the Intel ME yet?
> 
> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
> 
> I'm hoping a future release of Qubes integrates this into the
> install process for us. Or be downloadable as a package like
> Anti-Evil Maid?

https://github.com/corna/me_cleaner

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZwEIxXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfNg8P/R29hIUOrlolKVQXjgQ27MX0
oWClVtfGX7+geO+mU3WYY0UQYeOCWyRJIxOrbsySrKf0WcqN2H0NwpxcJrHXYI8Z
mm1CVcC8VZcR7hMARHLWz61EFfBbSUL+azP1elPZQ/yuB1If3NpyR9PSM8Nrhs0v
Mdh9N2HdhYfxV6YNPhcUo1bVsaP9Z3X8/8T/whybN6KaMiF4y573wXqXwSc/lNsN
P5bpBH1GcAZI2BfH29dt1TU+t94pELekdAtZKDFW4riSLhhWW9nfDPThupqJ2kps
MXhFJxREXsUPpXOf6vc+JI667+8s1Cb4jfXovKPGgIG/4dh3qFIIyc9p/0q6pLca
UBN7V2GBkkpdpyRX/QhHHcbw+Ri2SKul/2LRMVZ7d/nqwRfHchxGmYKFIjFjYVdx
1bfVc8wgnX1WZGOg0EvEgx0vG8H0+DU+Yw5Wyuv4jO4UfILJ/FTBxa1KyMWv6xvS
lf9tjL28k+HBiwzDs5MCdV9rUJ9W0q/zySntZItI/7wd8UPC0YadzqwxF74xh/d4
SLy9rL/1aMwhpvd+rCFipn1B3wIlY/y/VPq3FpLsPrAjoesbZ1BeUmQ9wdvumTn3
sSwcUfUnt1N6mWWtPYtSPYQyD1A4r9I2RFEuq8YuLEyG3BveC9RanApNE5CboBFA
JKyVN0I7q5dmd0bk4IEm
=UlBw
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170918220121.GA1088%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] X230 2325-YBN + Coreboot

2017-08-16 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Finsh:
> are there by chance any known Problems with the X230 2325-YBN + Coreboot with 
> cubes os? 

If it's R3.2 and you're using SeaBIOS, check out the last paragraph of
https://github.com/QubesOS/qubes-issues/issues/2553#issuecomment-284367521

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZlG4sXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfq3MP/12OYblGgz9MQDfigo9KIFhI
NjgTOD8JdFZh90zRIKBlS9yrl2pkj04FpalettSnug7RQpySFkdkB/fQT8Gvrv/l
xQdI/ViWhpgxlg1CiEXpdzfKAOID3fDHppkO04+ziywf+sljgUgefPPW+zz/Jbb+
ALFGbX7hZZlybceFatbVXSIjfxLbOk0fLRWkLhC5BjLqR+stCYaEY+DjxYGOwJ1A
1lYc9VGfdp2/27FbwJMwADERmU7YWQNCvZcwqIJZMGEoIn655vvN4zsyZ9UglpyJ
ZsTwwso1BCmT1QO0qWfwRxe3UbpWkT1+pB5pF3cntkyf7w3gueH38WTVZNAqFMC9
1rrcntpMkWqTwS6EWj1DEMTQ3UlHjeTjZeyQPZh+UK40L4krdHBQc/wcc0JlNqT7
G8oAzKVCp51YhgLfrtCHrzTfm+adotgnHEwXWRZqpkw3Z6qnaLz1L6RBTQYd5skB
bDQVHcd7uV5TL5nwzOEw0jsrJ0Ool2AO+rSwoFmOZARyK8cP4rhE1Gmd3wKdXFdR
NTulDUo+VadtWgRAdSe0EV+ABG/8wGTlMmEsEIFLPCjPHCmHwVzOJ/GJ82PDQ4fo
LJaNoAQmZjg9EXh8u9LoDXqN41QJ4Bo4p+d1hKq7dyVNXcCDGvsoRR9Nexz2R/ij
LO42HpOxupHCp0rL6gSr
=JWLJ
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170816160917.GB18510%40mutt.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: [qubes-devel] Qubes Security Bulletin #32: Xen hypervisor and Linux kernel vulnerabilities (XSA-226 through XSA-230)

2017-08-15 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Marek Marczykowski-Górecki:
> On Tue, Aug 15, 2017 at 01:59:59PM +, Holger Levsen wrote:
> > So, "sudo qubes-dom0-update" for the first paragraph, and 
> > "sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing" for the 
> > 2nd…
> > (IIRC!)
> 
> Actually:
> sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

Looks like they ended up in the wrong place:

- - r3.2 Xen packages: current-testing
- - r3.2 kernel packages: security-testing
- - r4.0 packages: not built yet?

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZkwieXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfk3QP/2eKJPrh03TcfQjtlTnm7lVk
ZxNKOfhO0rwuWZ/oE5GXjKhhfbBY/LfrmGZl8X3Cm2elyiqh2vP7l6x2CevR7qRo
v8WBBYh3ALImosDVI1Eo3XB/asrmxSo/q3espnp8UmLFaus9ZChV+2E16cQcuWOu
m25r1wWTr4PiH7AFsBEibW37orgPPEhrP+umUj+QYjfvyPXFXw/MUvbsdoGTcwSi
jUyqC552F/zSz1om5M7QpvzLXQ5dxqE0/T8zwv0On4n5tzdVX0QFpt7n0ylWj8vY
9/5vQY9/7luHh4MJnMTB4FpBvilSSMBPhRcN9YpZPolEPBtHpQ41Cj9p0TscgNP0
Wd2lGKFYaEtpPzN4XUmKRxNKku8nZDFezLvzJe4VXxsUZCw4OM+932YFFZkBwant
cf6oVd6z1pPnf1lfpnBsA5lZkHp7VURhQrRZ1yEwJ1o8ZGODptLgq5LGVxpMPDeL
5UulQFE9TZtmyBcuI9v2ArT3mS07coFFJyNToMDsHTZ0GspwthLd75SZ/A7CKGuy
6Cfa86wtizjGyDqjOpDhhSDOciFwrtxWzAh1pnSPD1U3d/ac3W17Bvi029y45Euh
uwzJoQ240FUcVw11PuifrRJzrpsYTKZAvzTCBqr5vqZ9JRvsfGc2gn2RKPCR0alt
OQ6Rtz6AtcVQ1pkFEdM8
=hFi/
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170815144342.GA1617%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes OS 4.0 first release candidate (rc1) has been released!

2017-08-01 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Jean-Philippe Ouellet:
> On Tue, Aug 1, 2017 at 7:02 AM, Rusty Bird <rustyb...@openmailbox.org> wrote:
> > Zrubi:
> >> So I would really appreciate some statement if Qubes will really drop
> >> KDE support. I can accept that, but then I not waste my time trying to
> >> make it work. Instead focusing to fix the XFCE issues I have ;)
> >>
> >> - the default login screen is just ugly. I know that this is not the
> >> first priority, and not even a technical issue. But new users will see
> >> that ugly thing first. So it's should be a Qubes skinned one. at least.
> >
> > Or, if the login screen isn't needed anymore (to switch between XFCE
> > and KDE), why not get rid of it entirely:
> >
> > # mkdir /etc/lightdm/lightdm.conf.d
> > # cat >>/etc/lightdm/lightdm.conf.d/99-autologin.conf < > [SeatDefaults]
> > autologin-user=USERNAME
> > END
> 
> Consider a briefly-unattended laptop protected by only a lock screen.
> 
> Normally the attacker would need a way to kill the X screensaver
> without killing the X session. Would the above make crashing the X
> session (and thus being dropped back to the display manager which
> auto-logs-in) sufficient to gain access?
> 
> If so, this sounds like a bad idea (or at least an argument for
> something like physlock).

Ah, I hadn't thought about that. I've been using physlock since
forever, if only to avoid seeing XScreenSaver's fonts...

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZgMHXXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfyhoQAJOGYIxs/dD8H81yHH+cBQSj
r5pDoBgiWqsyBaa1RgxnfKaODRCVs3HT5CnuchxNMobTrPleH2JF04MpQ0NDHvfu
Us6OQ52CC27TxyXUkE0pa0TPGSPD4Y7aTbXVLRQ3jDDnbmOdXYvvlFrEIIWNTVCQ
p6PkHdhSet9guAXNEYV2xGQO12fxfWaqHUxHXViJ10vaYc+Puex/RgGegQp3V35W
nf4V7Mex+v5oalvKPhCR93PyVt2/pVZHbC1s/sDc4kNkrrs6Ji85cWI+KgNz6fu4
STSp3Gu/boD6pgUzjZ07zBa/LkN6hpGgcUl+tkw3iW095AI7YKO6U59wI5jyEI+T
s9W0Oo3NxaI1piBek0StV6vJ2TnLxDslhR2tENQiYeA9z0isRb8QQ4RLBqM65k/5
rxBZq+z+vhdjxehIxKkeyeSGvfUc6jMOHNEPFviHtVbWnXCqdmo3ErntExvlB1Tc
oouM+lhrfpbjkmSwE/RmJ8RIO8aoGOkdg4stO//NeNmBifM4KLWBiuirWknggptf
tiwaFFYgbMPHmBtHaPkCfNCVzBKCW/TxQ35f+91MJxRp0mN0HJqh3eIl5ki/yurD
ui9rY81OWRnwXbdt0LUMAvDG/U+gXgdLPh68PPkSqxPb90P20nMG8q71eoVwtfdJ
naFo4nRhSAC1ifxQCies
=b2nC
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170801175625.GA31472%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes OS 4.0 first release candidate (rc1) has been released!

2017-08-01 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Zrubi:
> So I would really appreciate some statement if Qubes will really drop
> KDE support. I can accept that, but then I not waste my time trying to
> make it work. Instead focusing to fix the XFCE issues I have ;)
> 
> - the default login screen is just ugly. I know that this is not the
> first priority, and not even a technical issue. But new users will see
> that ugly thing first. So it's should be a Qubes skinned one. at least.

Or, if the login screen isn't needed anymore (to switch between XFCE
and KDE), why not get rid of it entirely:

# mkdir /etc/lightdm/lightdm.conf.d
# cat >>/etc/lightdm/lightdm.conf.d/99-autologin.conf 

Re: [qubes-users] Qubes OS 4.0 first release candidate (rc1) has been released!

2017-07-31 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Micah Lee:
> I just installed Qubes 4.0-rc1 on a Lenovo ThinkPad T440 which runs
> Qubes 3.2 without a problem. After installing it, when I boot up, grub
> works, but then as soon as Qubes starts to boot the computer reboots,
> and I end up back in grub.

I ran into the same behavior on a T420. Removing iommu=no-igfx from
the Xen command line fixed it. [1]

If that doesn't help, _adding_ console=vga should let you see what's
going on.

Rusty


1. https://github.com/QubesOS/qubes-issues/issues/2841#issuecomment-318172669
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZf62qXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfGk4P/A0pdDRjuAVchC6oy4XF4cqB
pYRckVY4hET5yvMY3bqU2NIILbfwkK0XGztAvoKEuF9eqT6sfeq8ZwKdtL02gXD0
O14Nig4oXXg3+uRhBaDA12wMKu6wuPRZ0fUjtPZk/KyP6/v24sGIxHTicSDJUpve
8u+yqJYOzqZSw8907YdMwe6vEZoDAeqXbb0nA7ngdmzSdIX3z5T2iG5SOEnRjZ64
U/1uS5OdEir7tbks+L/Xh+NSWmfk4pnMKFmF8rV1+3/bVToMmOWOQAcbgQIoMElL
tK+3aWqPOHX1+66qk07xIC8Uq+ORQOsHRRA0c2wUX03EY/23RNW1OzYlRlmBIWyb
xfJOdw5U8R2wSheO1wUyMO1hQ52W3fx8e927UjTaTAGzJ7t1UJ8wN1e5ZyurKLuI
iwVCaCq0o4AHsQbHsOdoRNNuIrzy12N3ZHPMaDQrw3UAX840/fDPAeg8aCi0Sr/6
CAKcu/wJUXTb24/6mRYBlDIRGtMd8f8UAAq37ikUBxOZB2EdYdYZHoedoTyqzSP6
SfponcAUSUG9KIOPLJDWG5OJSCuVJisMA0ScdnByRCdULvDaFcMlDWwee/7f8bbQ
JJ6IxF1BgyJdJ/8OoQViSx2055Glj8tYPivm7I0XDfTs0Cx6zGhlAWNv7ro30xYT
Pt+Wa4/IsIzuLB8HhlnL
=IbPe
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2017073134.GA9976%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Soft U2F in Qubes?

2017-07-25 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Micah Lee:
> How hard would it be to build a Qubes version of Soft U2F that stores
> the secret in a separate VM, similar to split gpg? This could make using
> U2F much more usable and secure inside of Qubes, I think.

I suppose the most secure way (which avoids the USB protocol's attack
surface) would be to have the separate VM implement only the "high
level" U2F device, connect it to the browsing VM via qrexec, and then
hook that up the browser (either by emulating a USB device, or via a
specialized browser extension). Someone could probably do this by
cannibalizing e.g. virtual-u2f [1].

If the website supports TOTP as well, and you're okay with Tor Browser
or Firefox, you may be interested in Split Browser [2]. Its TOTP login
is almost as slick - Ctrl-Shift-Enter to request logging in, Enter to
confirm.

Rusty


1. https://github.com/mplatt/virtual-u2f
2. https://github.com/rustybird/qubes-split-browser
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZd6pCXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfjm0QAI8yXlDCeycu0a6bwyGiTuHL
BT+9Ej8xWeKdLgAf61/kagSBn12M+w8aCpX/ZNjOSHMCl5j8mn+OLz0KpMivP1CL
rXakk9thv9DMh2MemvtTzaVpI4Zf50yvZG9kHFj0oT9Y+aEIuClj+lOmwmVKQ3Xi
iSZeu6uWwUNbUlRZ0hQgLJULd/H4uFkQyqzpAa9kC75KsgEZ/zwORUloO4JJZO7/
5YOw18/WH7k+X4XMLyNlTHmLI8NcG35R91t7yDSBrSxr6VQroj1QPEDW2rtESgkb
YuxlspIB3g+MzS+oXk3OSA/9ew5rMC4gp/Lk0vDtTTdA9HoY+YDnD93Xi54FBqJR
TjcVL8ODM3pTI2RYkQxOCqCxj4t8nXr18GzvNshNSfbUvZRFgOc7lnhkS8xnf1eW
nVbVcZV8yvv0uCslYrnWb451EAU8xsOcM5NOvX4paGjAWS2DjKsQXvEzez7bz4os
ziRQ0KO98Pd4RUOY+PMhCKBoZKQdzF3IcvcGeDcmhuxeYnFfpMXACkQ61reaijbV
dxUWrvzMZ6MxhW/StSQy9OMcNiP98UlHU1VfP1PfiEY+cFa/citfyK4cTdB0WEB/
4YjpxWyLd55UwMrGblJ+op3NyqbkpqAUcXjyhq6zdttkFgdNdST6deNDUr0MQjCU
LAJBzr/0WaOv8ZS/P/xu
=FSN9
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170725202954.GB6414%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Proxy for packages

2017-07-16 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Salmiakki:
> Has anybody managed to set up a proxy or mirror of sorts in the
> net-vm or firewall-vm or something similar to avoid downloading all
> the packages several times for updating all the templates?

https://github.com/rustybird/qubes-updates-cache

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZa4bTXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf81gP/jzqTkT6Yw+2kwDaLmNr/Pg1
srRoPL2s/gTt/0MVapJ2XjsrxyoSX1FSjiVjtZ4yA1QQJUa+8TyzJsxeXd8TMqeL
YbNaA+/vkzZT6eAxnniZfm2tZsCKZj72Q8jftQNz7ppQqwkMPOmI4U4r5o/pjzoL
Ra50TMssSr1lf2rAJzjjduX7gN1en1bg4ycukuDTKxiNP06rO12E7ed3g75LnEo4
MrtcWi4u0/R6fX9sO8DHlu2gJx3NDo4mdqGyxVsLb2ampInegiSAv5MluqLZPMFr
YNVNaiarvPw4IISZT3FB+KUPC2lN1XUmziYByFdYOEE5OIEYrMmAQ6B+W2oFGJ5k
M0h74z3uM4B2csq/m2meW3yINgh7e8anECE/Z+73UTNMpgvYrJYsgmPfiSQ/B/Fw
f+SMUHvoxFWdc+T/qMRn4znd5nyoLFOlE/ps+HWVdDGDSjBhqTZoFmOnSMRob8J7
Y2lowhS0MztGz1Ngoyt2lIkguD+tIRT/pdr7Z5W5VDSoFEhu8vq6LXxPgufM/z6V
zqAFaZU1XhnAhBT8fe558P//nyRq3OV0Uni4B9fc6kvAIM/9A92snrrbE4LOKZhj
b+xMZDOaBz844qP5G2udu3fLL+pQk16KRXDjHY9wkz/ZwZ89vgxhZxt/cZQquHrb
Ycw6KKeTSeiGNslB1Tjx
=j5YK
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170716153131.GA1069%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] AEM failure after upgrade

2017-07-14 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

loke...@gmail.com:
> The AEM package was upgraded recently (probably because of this
> thread:
> https://groups.google.com/forum/#!topic/qubes-users/3ZkmS5v7E38),
> and after I installed the updated version, AEM stopped working
> completely.
>
> Now, it asks me for the AEM password. I type it in, and it doesn't
> display my secret message. Instead, it immediately asks me for the
> disk password, and while it boots the system, I see a message
> telling me: "PCR sanity check failed".

Below that, it should say "See /usr/share/doc/anti-evil-maid/README
for details." You can find some hints for debugging there.

> This is the content of the journalctl log:
> 
> Jul 07 16:25:36 dom0 systemd[1]: Starting Anti Evil Maid sealing...
> Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: tpm_z_srk: detecting whether 
> SRK is password protected
> Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: Tspi_Key_CreateKey failed: 
> 0x0001 - layer=tpm, code=0001 (1), Authentication failed
> Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: tpm_z_srk: yes, SRK is 
> password protected; resetting dictionary attack lock...
> Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: PCR-17: FF FF FF FF FF FF FF 
> FF FF FF FF FF FF FF FF FF FF FF FF FF
> Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: PCR-18: FF FF FF FF FF FF FF 
> FF FF FF FF FF FF FF FF FF FF FF FF FF
> Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: PCR-19: FF FF FF FF FF FF FF 
> FF FF FF FF FF FF FF FF FF FF FF FF FF
> Jul 07 16:25:39 dom0 systemd[1]: anti-evil-maid-seal.service: Main process 
> exited, code=exited, status=1/FAILURE

Looks like tboot/SINIT is not working correctly on your system. The
new AEM version refuses to seal in this situation, so that you don't
get a false sense of security.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZaMNAXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfytAP/ArUcgXB5vKoBz+SP6My2QQQ
SXsjK1jqCqgXYziK/JI6r7LUEhXIvJfMsJKW/mdjd7OQv4davlSZxXVT9mxqA/0E
rCzF0AoIoAqtNYRSy0r+5t301KGy2I9efr0aziIFv591JEnOqKJK+F/MFNn7Zitb
+IY8YCQ6s+pgJcuKOycF2vz/9Dc817cILTfW+tzcSDMkG1NcbI4AbxXPxNwvMxkw
OZ0BJ9IMPfGVfAmKCGsouvnVc7vg/9mPgG7BhjD5Nojwwyb2dle8mhGiiWKtNPRw
2Eksk/m/NqCQb2F5NiQnQDOjJTwLvzf3hnEKSIwuKxLjrlVUyvsbmSrMwIbAUK7v
VdG2iCpCSgIPwTqUOlVPmQ2TNWhA3cDP2jGRSSi1RRWS2nGQd2w1tYKw3dibr/K7
RD6KQUgJdyxW3Y6cBidQ+zy0vbmMFyuQ6DyTF/T3Zmq2XvvBVaq6U/LwMZOpt+s+
X56JQa1HDdVBKTEXbPnxI+sT0ehMhfn1YOZBZ93lYkJyiyrIAvwCiQKfPLsVQqZH
M9e6L1C+CePEqNyb2btMUPJOuRtVd0059mgQ+x5PpdhnQOia0RR4A9Bn6oW5515m
qGsqY2wIg2wb7xG8O+Gl9sxQk8jtQX7Or/V4oixfGEqMb5Xi6a97nFKLha22lc7J
A5aT5+xMPvsk+02b33sg
=mUFf
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170714131232.GA5546%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How can I test that my AEM configuration is correct?

2017-06-29 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

loke...@gmail.com:
> Yesterday, I installed a new dom0 update which included an updated
> kernel package. I was expecting to see an AEM error when I rebooted,
> but that never happened.

I'm guessing you've installed anti-evil-maid v3.0.4? You could retry
with v3.0.5 from the dom0 current-testing repository, which runs a
sanity check on your PCR values. See the README in case this check
fails.

CCing Marek - should v3.0.5 be migrated to current?

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZVR0eXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfyf4P/RTVJv4W7ygfjdimQVEvk5T6
BKO115f/WbdPCOE46odIT6W199gPg6Op66HKm5lZb+yfx9qGFZH72yntQHfLp+OF
tk9GSU6SoicyPTZ26cImvF1k9cku++QNrNqABUjXelzMypa6RT8jfqIby973YMm7
xKRYgLqVNSWqN9t881F/1ZeHPJy57EtijAqBpA9ZEou4LS7P1+vcuvDelP0XnlsU
Fp4X/I/tkupU0KXZF2F0XUUL+PFLc/IidVjgfkpiafkXDCeTdU7trg+jFGnnvlw7
I9iKxVXEaei7hTi7pwLPnr4Q86thTNsq6X1CHxl/ty1J/0TPcFv4K92uBCQQA7rq
DbUQq1EdFjiD+JLNDP6eLVEVaQPYXaZWRBMS7laUUzG0FXIssFAf/TqnQzA4B3hn
3KoB8Q+373A0OZYL4ki6LdY17prk5P4+5cw09x7qfH/qrldA1iCpVWDsQUV4HpAs
yA/+wVFDZ3eilAqACYrbM9BUa3IfdOBBvdR83ovdFBwSWqNvTTz45aghXxInTAz9
I+6ljQczoW83vl7WWh6Jp+InNpC3g2rAxx02cKMBQhYWJ70WFW0ayLE3jHV3wTCh
rBXiXszC6cjsuAMm2pEAIC6hsYPK9w16EXLtW9Vzz+80K7hZEKflmSugWNg2blzr
mf3jQXmaMD8LI/DtHPds
=4fb8
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170629153038.GA12491%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes and USB Ethernet adapter

2017-06-19 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Rusty Bird:
> Swâmi Petaramesh:
> > I have a new Asus laptop which comes with no integrated Ethernet, but an
> > USB Gigabit Ethernet adapter.
> > 
> > I wonder if this will be compatible with Qubes' Net VM, or if I will
> > need to allocate the complete USB controller to the net VM - which would
> > be extremely annoying to me...
> 
> You could use qvm-usb to attach just the one USB device to sys-net.
> This would have to be done after every boot (either manually or by a
> script):
> 
> $ qvm-usb --attach sys-net sys-usb:
> 
> Or you could switch sys-firewall's netvm from sys-net to sys-usb -
> which is possible because sys-usb's VM type is NetVM - and enable
> Network Manager in sys-usb:
> 
> $ qvm-prefs --set sys-firewall netvm sys-usb
> $ qvm-service --enable sys-usb network-manager  # then restart sys-usb

Actually, run the qvm-prefs command _after_ restarting sys-usb

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZSA9pXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfsTYP/0QXh7dzoL07XN2BS66cl0UB
5zZVt5Txvtpk/FDZYfI6kopr4KVhkH4XaPQ5xiXpVqxF1Sfm430SDCi6swS8Ynxv
SEadxfWD+BTmvrdDxD4BO2SoG3a7KeOw+QFcJS/yINda69wSQle5Y7QhY9EJ1nHU
w+vrvPwTi8gL+FeXgtc4aJbh7aEhLvjIhTLECnJvnRjqLS749BJqkbqwapcIWkyS
CziebhmViNuss4fASV2FDGwcpnLxTChuIILVYbs+y+5TlEw+huIdxEKJU1xiEuOh
MdaCTar7FW7Xx2/DbGP1cpQWRucDfrqzt9CgaKX1RtJAAN2TWYqKHmFkkAD0BUD1
EjXfI0HVmdpPZfL1lVap5DV4hxqg8x/EAuJAXUHjX4jtfYndKYXOBKdUW4ztC4ZW
HsDzIEY5t45xPOZ4JWQz/G9e/0bjImR97oI2Sr4OP+5UBN8THZe7nzvKMPtO46h1
7S0+bAVf6+UsgCIcpN/AbzGJr1WiiH1eG4njMlMAFVI2SDbv4XMqcIpB3Sk3S/5x
BCIf+eUt8qbz3JtpP1hlwx9FMjGPqM0/IpWXtxih727iFegSlteQgDzqM9Ub3zs0
VtbvCxDr/e1Wd8Uirm6d3PhxfWzZmME0SCelw+s8oUmm2Lhk7ZnR+DflMvvX3Nqi
BJfGhqfZQrAxHJDY4SoT
=GJH/
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170619175241.GB14566%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes and USB Ethernet adapter

2017-06-19 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Swâmi Petaramesh:
> I have a new Asus laptop which comes with no integrated Ethernet, but an
> USB Gigabit Ethernet adapter.
> 
> I wonder if this will be compatible with Qubes' Net VM, or if I will
> need to allocate the complete USB controller to the net VM - which would
> be extremely annoying to me...

You could use qvm-usb to attach just the one USB device to sys-net.
This would have to be done after every boot (either manually or by a
script):

$ qvm-usb --attach sys-net sys-usb:

Or you could switch sys-firewall's netvm from sys-net to sys-usb -
which is possible because sys-usb's VM type is NetVM - and enable
Network Manager in sys-usb:

$ qvm-prefs --set sys-firewall netvm sys-usb
$ qvm-service --enable sys-usb network-manager  # then restart sys-usb

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZSA3MXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf2YwP/R2edEWDqMdekrWPIQQtVTXJ
nVR174ywkueW6JGPyafhPeQIgYRjl+r7W2Akz+vmCHcNhlnmb4tSZ+w7rpfOZ8ep
zvNeawGtmWXHod3fEEG5q98I6ZdtEJUMZrMRSfESZKUtxEvVc8faKGLFu1p2Xwsj
BxpjyoymxnPkcKMVzZXEqxyxiL+JrBNcE5VJE62eYrr/qwKqBN4FRaYIDVkSJXsP
AapX2OvCQ7ZoDp/xAiVDFMFbmoArZJzR09UcwHv93rzBGZV4o0vE71mmlI4yquA7
LHy86ERvq/tYszgTcGgiPGIHs4Locw80bBnyjsPxK85efqoJi5GnfQGRBIxU/JjV
2OxHuwuwpS8omG2wlNWi2jbk4nrn7mHefMp4ZPbD5NOMQHKPlSwAOkpHjPdcRmVE
V3MFeW9tq2fTflBXvO4CzmIQdePpOwMQCXvhuT0c3Hoa4MPTUzwj526d6bgSqCEm
RPBVONoZFBmGZEZmP453YLaMYILB92EoPhXXTHp5nkFK3NT4twmUu1QjP/MeAFM0
dOjb0nNj8AfeQx758fSa5HOVTsnEbX/kvDcLfXMf+Y3l3HXUmlWmvf4fRqZcJ5BJ
zj/AelQXTBMazUjCJUwdeP8u/ZhwyYl0/7Ei3I2PDdlaFGN3WjF6rtT1ma/Mq+iN
mBt9Pokhpfsiryf/bMA7
=AVrk
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170619174548.GA14566%40mutt.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Re: [qubes-devel] AEM: Should we drop .png support?

2017-06-18 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Marek Marczykowski-Górecki:
> I think PNG support is a nice half-measure against shoulder surfing -
> details on the image are harder to copy/remember (or even photograph
> with a small camera), than some text.

You're right, it is better. I hadn't considered that the user can
manually clear the image from screen as soon as they've recognized it,
simply by pressing Esc to switch to text mode.

> When we get some better alternative, we can drop PNG.

Sounds good.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZRtGEXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfltsP/3prk/o8c3k/5F0E6pOVuzFb
JIrfc2Vct0Ai/LbUX9OlwNGKBlxZbUv/KoxrxPWnOXT5YUEmXRBOkKneZsOeGYk1
OleLQ4A2SJaq5+e4WTRvSY6nk+i9LswMMvTkWCi/2zNo08HMGdmHUpE3vmNkp+uJ
5OwCmR4pIbQ4hrQN+MWJPHXtz6NMmvksoB8OgSBEIULqtU0Hp5kijxW416kNi86q
sknnfk/kj7mnanQW9IRkmkiQ740RJP/1lQ93khrBdF2H+4Ue0g2PvxkMohVNWgGm
kfkVYjAeu3zVnLpsXsbtLu9VpMQ+xNFXY32rfm9kzg+X65Pd3GfTEj+IqdcV04ST
MhQ3KSuoZlyX6Tfk4jmd4acBHrWgSEwSB8NlsgK3qWxMn+NuAfEilQm4awYtwedw
ItpUTUcqDFg02nMfyfY3kvhnm2JjeIEVc4VrrB1452Tg/5exu+j1DyqLLHFd8WvY
KdmN0Gddfe70JZYB1fmutWF7OCY4FYMBi177avstVeAqlhC6Aa9UNJtSu88jrmdm
fnDpS3LS4anrjj3+OxLxJZJeJ3SNO6M16rhEIf81Y6FGzy+X3TOECBDsKGdycwNR
0FZM19X+8+8koQEUPt8ZxBZC6AphTpX1GNKXBzrWTovzflNUDiNklZm6DQU0rDhc
nR+E4brBA+9dfqPdkMg/
=TDgE
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170618191620.GA8291%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Bug in qubes-backup or tar?

2017-06-17 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

svenssona...@gmail.com:
> Emergency recovery of backups as described in
> https://www.qubes-os.org/doc/backup-emergency-restore-v3/ states
> that tar should be able to unpack a qubes backup file.
> 
> [...]
> tar tvf bu/qubes-*
> # Shows only backup-header, size 94 bytes, no other file.
> # Extracting the tar file produces only backup-header.
> # However, the tar file has size 563200 bytes.

The -i (--ignore-zeros) parameter is missing in the tar command.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZRQv0XxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfohgQAIra88HMA5feWJTII1Aodg53
yvNYaFHo8YR9RX3GlprYgMDjil8PMy0sHUNWYzN7rAkyqsuyJWzCEI0eeVKOVlK+
nvMbFCAg6259kXnpCcQwYbLvpoLR/IVAntAwMcEEXGPsREQhUoxu1U1Ou/hmgpJN
xg4kUK/+mYebWvNfMBTYDgL+iqv9RMJBhXIctybsb/o0xBq2AmAciZEPZgPBgnBI
9CZDvJA1Zs5tTvW8WShir+JtLMRlOkuACVOJNy6pRzJVkuo3KkaG24GBx5qPXXHb
7NlbuLba7vZI3eF0ApJ20p2gM97ljVJEjBZ75xmbkpPCE9If3LrefEQ7heC0oihJ
m9Y7Z26FN/wDFP2uEop5GLPcINqxr8WaChHLjosDJl+sGonAorrN3aXB5YpMxu9L
RlUgXKb2d24RqET8QghG8q0JYhkwkJYy+HdA67CgrYLYNEMUiC72ZMQCg8bqJQis
1NzDWgmXbf9lBQH8IjLMGcGzGZKBDLyGF4u0ONYoQc8PMURit3K2zwhWFbdlpGa7
/h5q9qfiA2oA2N6ehZsHQ8waCbBGb5KrZEiEs9PPmvZ1zMCg0sIpKRdiYzHsP4B/
sdXW7n7SVaX31AXljOfIxWChpUP3GA0BMZugiZHaKrWwqqqZ0FSR5I8+xROveIHJ
9nt/w5KheaDFIpSYOUo2
=2C80
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170617110109.GA32654%40mutt.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] AEM: Should we drop .png support?

2017-06-16 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi everyone,

What do you think about getting rid [1] of .png image secret support in
the next major version of Anti Evil Maid? This would offset some of the
increase in complexity incurred by the upcoming TOTP/keyfile support, in
addition to other benefits:

- - Considering that AEM is a security oriented feature, it's kind of bad
  to implicitly encourage the user to copy a complex image format from
  some VM to dom0 - where it will be parsed during boot. (It would be
  possible to build something [2] secure using the qubes.GetImageRGBA
  RPC service, but I don't know if anyone's particularly interested in
  working on that.)

- - .png support is hacky and weird: We show text secrets in the current
  dialog, but images appear in the *next* dialog. And text secrets are
  cleared from the screen as soon as possible, whereas image secrets
  stay visible until Plymouth finishes.

For users who prefer the more visual approach, we could tweak the
Plymouth theme to use a monospace font for text secrets. That should
make ASCII art a viable replacement for conventional images.

Rusty


1. 
https://github.com/rustybird/qubes-antievilmaid/commit/4e45af289d0e651a380f3182cb07901a3002905f

2. Similar to the WIP dom0 wallpaper service:
   https://github.com/QubesOS/qubes-issues/issues/215
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZQ+FtXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfclYP/0zs3z4DcTOKPWwovD5Ly0VQ
LYBJsJE4VBqo2JOpdpArvf2i8nOGD5bkgTUKtPisS/0XLgEvurvGejFe0x6wlV13
HFhD42sHxWC65JxCyw1kS6bhnoYbIINiOneoyGikiStneiGqyzqz5ylEEdzPAkkP
Q7eXqbVBVfYBlfdrWNMNv6EPtdmBpkWU4c3EzJ9Qtm/StWGuhDxJgOKtzu10ZOi/
vJH5bIvhaNvbmNjqyT3OFlP2YLlqFZw2LHLH0x2cjmSEpQ0uUjQt+MCIowWqecYy
TgRTV9y5f7frS2SOEwwq8Wg+5OSryU8VanLb2nwGV8r4X0ro7dbkJ8++CzRVhi93
lrctzX9xcrfzGAD+3BSOvd6ZtxhquC2Ff9dHVSBc4fsCdgNBH5vXeWH4GiotGZP1
DxtQhuWIa6tZWwq9mhc/g8NYB0kVcgQ4fIQN2I7W09JtJuSiqx0txPwB6/S4Yw+o
gaMjmjr2Robi5gDBjouFNYRJSIWfhHTW89/bZakjub2nU2kvKQUqce/TwzBmAqGG
qBnDqUnre5pFTvN/hKZhbvIbfbOlPlc5EYxA1JqCUqoCEGb7sqLETDJc/HGcP8PV
kLfUTnoWU/dgnjJylKyxhH/pOQUbW2m8QqLoMZZcDK96xJ+YeCXm7iUEq3lfIq/8
59c9bYVCtoHd35x5c+kz
=em7I
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170616134725.GA31534%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Checking laptop compatibility using boot from USB drive

2017-05-05 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Vít Šesták:
> I'll probably have an opportunity to verify some laptop's
> compatibility. My idea is to boot Qubes OS or its installer from USB
> and then to do some checks (most notably VT-d compatibility and USB
> controller topology). It should be something done in reasonable time
> and without installing QubesOS on the machine. How should I do that?
> 
> [...]
> c. Install QubesOS on USB stick (and disable usbvm) and boot it. I
> am not sure if this will work when QubesOS is booted on a different
> hardware than it was installed with. I see some potential
> incompatibilities, e.g., wrong PCI device ids assigned to sys-net or
> too high vCPU count assigned to a VM (target laptop has fewer CPU
> cores) or addresses in fstab/crypttab. While the mentioned issues
> seem to be manageable (remove all PCI devices and fix vCPU count if
> it is too high and check fstab/crypttab), I am not sure if they are
> exhaustive. Maybe this will work well. (After all, I just need dom0
> to boot, not other VMs.)

dom0 should work alright if you switch dracut to no-hostonly mode,
which (mainly) adds all available kernel modules to the initrd:

# echo 'hostonly="no"' >/etc/dracut.conf.d/no-hostonly.conf
# dracut --regenerate-all --force

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZDRwIXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf0XEP/0rhfOaoIkBxtfH33bPan3iR
j7e8THXJZrPR204XwKE6/IWuBEjXEFZ6p5uKO63/cBXCHBiyd+EGnpGBlkOF4S/h
CpHVsDcar37nAVse2219uB49d5fYS9rAaZBANRVep9gaSJk7ku5xE7HtXD/1Zsm0
YxsgSnJixhb0TuLD8o4mMzvKGQ1hm1Uw5d9Z5spkCEkI18Xg87kSDhy1n0PdX9og
56XWB8iZkGnCNtSbrizHnBMEopwmDRwXXkGqs4ga/9tAVDa4SLA4nEoQ8jBbMkmS
VreSzvJGHv+jnrskE/qQwG8+vlXmexpAx+9gLqGKORxfBxdyXq02EOI0lqulT+Gn
+Zc+DN7fSiOa5F5im90ZrYmo0YW40n2FJy6tSJxGGweSJ2ZfqMhuKv+5CfM2Evzb
IKfliH9xmPFGw5l4o7RLbHJNiBD2/ZWrOniRFRRdpl2YXVipmuz/TwLyBD345O+S
tajtccZdoFbZWghllBv3fK+yLNQF00e203U2SYSG5CEPK6E/uxFOAqskd+8Szir5
pqpms0CF67E1BEJLS0AtONWbT0BVC2RBqm/txQ8Izkh9Iilh4O7a9nirb1AOqyKJ
hoeZ/3IzSyTZ/0OymVNjhEExERQNXcCvkMSwQ4VcCcNsAUf9YlgD4EVkugwzAc8w
NPIpWWm9OC0idS1pYyNz
=rkv/
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170506004248.GB1150%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] qvm-usb -a works on old phone, hangs on new phone

2017-05-05 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Jarle Thorsen:
> Connecting an old Samsung Galaxy S3 phone to my app-vm using
> "qvm-usb -a" works just fine. I can connect to the phone via adb in
> the appvm.
> 
> Trying to connect a new Samsung Galaxy S7 Edge the same way, the
> "qvm-usb -a" command just hangs without finishing.

That's https://github.com/QubesOS/qubes-issues/issues/2202

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZDHA/XxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfIzIP/1O6AYs8IAWJATy8c5S6qXLK
8sTN7oeNQKNaZf9j/TwV39go9Vg/QljXO2L4/45Pf68fxp+hzYFIuedekBG1dneM
+FMlhzcU3bYGiFWJRgFPn1Rdp82Y5VDFE171+FJY0PhcDKoPf4uWK6y3pLbToQhX
sHS7Bc6a+gKUrJceGnx3kTJBForLiCw2+BrUbsBADDkMD+plrJKXenTq5DwlE3f0
Atr+WbeH+BxmT+ICDGaRqf01ZXFMkjdRKKZHj4nQOQuiCUtH4dTotZ2hJMA+BV9/
QuM7aVzNmD4zTPSJ9UpUPMPCMlHkFAeg5IwJnp/uCM2WtjthtY9rGdWztfklCpGt
JfPrwcrkOf/RyeqL8ln6qiRIxl6HZEorQlf7YoLmIcZqXGGMSTWOedm560AIpMbl
jwARhbyRtYFs4I8mOszOeEe08PkBqCAlSkt0HtJHu3l+mYBwyEh+qTsq4BV50/Pz
G1KVUtip7DSME/HWt0WU87qSFLHzuPQOpvwatzcPqn0u11mvZC2UtJDHGjPX2IMH
t/xDmpbvemWPvfgsXvtHxz/viksQF1B5tjniRwOZ8vj4L5Bb90s9tFfJEwSXzYYW
9x+qyPGeeUi0RVJPVoKlVbRc/w2FWPCMtyFUxqyVjW12RjXAAqcClQ2PLNHlGB94
n1HEefvFdHoKkYZctFPL
=MKRk
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170505122951.GA1150%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Auto update download in Linux

2017-05-01 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Drew White:
> On Wednesday, 26 April 2017 11:05:43 UTC+10, Rusty Bird  wrote:
> > Rusty Bird:
> > > Drew White:
> > > > On Tuesday, 25 April 2017 07:51:46 UTC+10, Unman  wrote:
> > > > > I think the only way to get a caching proxy is to install your own - I
> > > > > use apt-cacher-ng, but I'm mainly Debian.
> > > > But the UpdateVM is supposed to do that.
> > > 
> > > No, that's a non-caching proxy.
> > 
> > Sorry, I shouldn't mix these up: The "UpdateVM" proxies _dom0_
> > updates. It doesn't necessarily run an instance of the (completely
> > different) "Updates Proxy" for VM updates. But anyway, the latter is
> > non-caching.
> 
> Well, if I don't give the guest access to the internet by restricting 
> firewall, and I tell it to "Allow connections to Updates Proxy", why doesn't 
> that do what it says it will do?

But it does! Maybe you expect proxying to imply caching, which is not
necessarily the case. The Updates Proxy is one of many non-caching
proxies.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJZBzAjXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfbMkP/1sfPT9Kh7hi7YJTsy3rOmY0
Mk2x6+FXK9sv3CqqgUv+O0C3V0+nnBuCZYMM2vHYhOETp4j7mkrVaFMrJpScFkAd
C1PVyRmgSZEvas5bhAaWAYbXyiBtcDu/EgCzNQOriRfoiXVlmAMXyQ5UfsmoDrY1
owE7YjR92XLIyVackw8E1zxD2OZ9ptQjJe6rRdFr6iWgLw3o7A1GP5ccefHkmD3U
GogvBGdXTrP9NVZKM/+DvwIDAUEfrfs1E42YeFFNXMnmljTQtKieWs1LUnriv76g
pPnL9EMTyoEK1xhCU8URUl/wllW8hDruo1YoIYj6zX8cTwiYkN3+NTmllFgEzdNO
RLlHi3YVsd7nllTRPWN+gk8xaIRTzj5IurawKop3b0k01Szi+TuLRa0+gEv2iA8f
bM5HpTG2KGcIVeG1lqDDgG/746dcaDiLaEg8nL4EreZ1/6DEOzXR9Bnd8eIOnW2a
vChPJK+8JdVf7HfTVO8OuyMcUnTMIk95jD8yGKpZYOyjVZEN9jLOzgR7oNTaFZH7
S1l5CAgfQFsgQ2o7TbXb2kNSbVg1ZB707i5e8yOznOX6TneERWICJ0qhMuYS4zl5
QrgXc6AjWDa0EcDKksG1AHB7o9cFhhQrALAisy3T9jr241ALHFZjLtNc0xU2js5F
Q5HgNOMZ4XnnM10JRnl2
=tf56
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170501125459.GA14080%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Auto update download in Linux

2017-04-25 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Rusty Bird:
> Drew White:
> > On Tuesday, 25 April 2017 07:51:46 UTC+10, Unman  wrote:
> > > I seem to recall that Fedora has such a service, but I dont think it's
> > > enabled in a default template.
> > It is enabled by default, and I asked somewhere how to disable it ages ago, 
> > but I can't find that information any more. 
> 
> sudo dnf remove PackageKit-command-not-found
>  
> > > I think the only way to get a caching proxy is to install your own - I
> > > use apt-cacher-ng, but I'm mainly Debian.
> > But the UpdateVM is supposed to do that.
> 
> No, that's a non-caching proxy.

Sorry, I shouldn't mix these up: The "UpdateVM" proxies _dom0_
updates. It doesn't necessarily run an instance of the (completely
different) "Updates Proxy" for VM updates. But anyway, the latter is
non-caching.

Rusty
- -BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJY//IQXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfPDcP/jpWEa//aBWCB7pnfY4AlD1j
6GWTOP7KHE4x3qbF4MxVJ9mJa0s08XToaBDbOiH+DfGtVNVACmK3jQNJvUbUSEHW
/+NeblzFxPDO07OASf/HzcWUlShQGHvVpi64ecILLqBMhNdNqHCOmave7hKw22O9
Tlec0Cs3KrufiyXObnJs+RMeElfkUpfYKZ8TbupmBLu8CXBEC2r2sLE43asKZmlx
z/1Ce3qfqtQP5S467YkLHi1XmroNiHCFZ2QHVDiGxvGLWF2xakWk6sZ+cxBiSd+i
3AhZMGK16nT+r3DPA0ZFX7ZYAJxZw7OQ/ajR3BsBCyBaHJ0hyavDybwMqgS4rNsa
6/cBm4nP12gwpXEMFy4lFrN/Ej5nSJlSg+gBrmZjs6Ifq5oYkALQEnNxb+vH0yiq
dkmoCErsvbx9TBNvdEbFIl7SwESdEYJKf2RBqQiY/HH5qEPXSHJ49zobe2xckxDZ
QNTOsauLYOXUE2Jjkh2MtiCuKRqARek3xDCaQkPXy2eFHN+RQY4F12BFKIrFCNgj
QMttbXejiOfk7KUjAfSW5mROSKT2S0jOXeld5TScnMQQLyiRkLTwJsM+duQDdkOu
Z09AagD9Cchi2pZUf7hIGgY+Yltbl+FdHqdJ27NJsHR/dS2UeVWxEo+UIQeojqLJ
wdTJNWRhEPvyg8mq8Hy1
=0mHa
- -END PGP SIGNATURE-
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJY//JSXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfDFEP/AqcTiydwDbGbORhtpC55Vza
3DV9/Kec+lES5Pg6M4VaTCM/RbPxaqw1DrHm2v8tEsLZkUxd6YovAX3wBMyh8eoY
8dncVFNZHsgK29pSOE7ME1nU2wtNuQ5fJi1+kPZrcMiOaWu/ac5t/pYRvk/N+Q+A
KYR/k/BSVxhLZxWmKX+Ix4yg2qAkTYySGbGOCmTwm/IqfTmxF1da5UwToE2wtWxG
uc3QWsFPIqLsUS/rfpf3O3V+3xNQNTmDF0vMWIOS5t+AK2KKZAPa3vAPzSFhatur
U2G1sprGsDSMzTsPEa9zbpjCCABuCdk975s1f4MDNNl5yvYpQ4OsSbmVRu31RQqR
+TWVHpx/8aekvj8kntN6YxT42Q2qtk2J0BcZ1ykbVeynjYOp7R+t0UM/cncQeaZW
1Cay34eyKCiw1iKsa5SoVbGi7zXMZ7wPqNNMFgLp/T/xWhvFZza1Czl4ojg4LGjn
HpWshUB+dzIfKdmIvw/GWiopItEbYQlat5ZI1iDO2+8kpyMpz+aTKTG2QULU5PnG
o4Wrs0Yg0Hk5MHsXg/ECX/tLVgqt5i511Ckh67l2vfaavsY/pHxR7vbGdPQ85wLG
565BqCGl++fj2yh7pm3sTNlqAqI33mOaU7fuFvKENImpciiL71zJnfBc0T+L8uEC
6U7Hl4/Kwz16oAAETqhL
=yq6z
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170426010416.GB17877%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Auto update download in Linux

2017-04-25 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Drew White:
> On Tuesday, 25 April 2017 07:51:46 UTC+10, Unman  wrote:
> > I seem to recall that Fedora has such a service, but I dont think it's
> > enabled in a default template.
> It is enabled by default, and I asked somewhere how to disable it ages ago, 
> but I can't find that information any more. 

sudo dnf remove PackageKit-command-not-found
 
> > I think the only way to get a caching proxy is to install your own - I
> > use apt-cacher-ng, but I'm mainly Debian.
> But the UpdateVM is supposed to do that.

No, that's a non-caching proxy.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJY/2L2XxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfhakP/jKEg3Nc5yH1EIbZCxHtSMHj
sm/fgg8a+42UHqVOIs2nzTJendNdr8UWTwxM9MQrkVMoD+FLa3GNrvSD6ipNBrNC
BiogqmK+Je4gf+2CuefKlWQawEQpvk/jett4cflkY50wUtTMK3SGHyPoBq0Ko/XE
NILih7pG5QnKINBZI734Hquwgb5OPxZp0EYRYUB7lCW5t2cxoupWQPrx3TBcvvvh
q/7LhP59e4UjK6r/5SisAM+3wLA+2lHkZ2adXb/k6r4uGA2kclyuLhrlwgmECEHo
R1Ucyud77ooWV4kYyyU25a8Z0KsMiJMrEbHVpeUWgji8qhAzjU6Ioe1kDEXtDeUR
/5t0Os5fxzYbQSY80p4jC/1FlenVWX9Ud9U3nkQ0/+Zil9OhHVyicRJLIKwOjNE3
G3N3+wnx+5osA4+3r7dE0xgnw9X+glnFHtI/EmIobsX4RdX3YpSITGIv1tllCw5m
+IbEvF0KSqCMsM+N/9YrVcAAUdJJ78ojsyPtOsbKzS8F9VVcEmIW6K1Qm95QTq8p
yfLWo9LyMJZY8tQjFNevo016CkFBw3ozkDOobeTaRw6M0v3nkYxQamAYfc9YwTCU
SPXTc5julDH3ju3s8by4uhem7oT1VLT5x9NKzKU4F7BZ6pb8DuLlCffbNvXULSZ6
E+wkXjECIpK3WNh4WLye
=lL/n
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170425145342.GA17877%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: [R2B2] Unable to choose sound source (mic)

2017-03-08 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

peter.palen...@gmail.com:
> On Saturday, October 12, 2013 at 3:51:51 AM UTC+2, Marek Marczykowski-Górecki 
> wrote:
> > On 12.10.2013 03:22, Franz wrote:
> > > I would like to launch skype with a .sh file from dom0 but I am not able 
> > > to
> > > find the command to attach the microphone to the AppVM. Is there such a
> > > command?
> > 
> > This is doable with dbus-send. Don't remember details, but sth like this:
> > dbus-send --session --dest=org.QubesOS.Audio. --type=method_call
> > /org/qubesos/audio/ org.freedesktop.DBus.Property.Set
> > string:org.QubesOS.Audio string:RecAllowed variant:boolean:true
> 
> I tried that, but it did not work. Can you check for a typo or so?

The object path is "/org/qubesos/audio", not "/org/qubesos/audio/".

https://github.com/rustybird/qubes-stuff/blob/master/dom0/bin/qvm-microphone

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJYwA64XxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf5iMP/3379CaVlv/kgdiHYulTP1eV
tNZaXPHdPCfTn/6XAx43KvDRAJ/QWzAHnhnV6ZfHYWRjWZo9/olwGdUrq9615E0f
sQkde1JJCCgY+pgS3CpUGsBFz0tahpxXdAOZdA/zXtoDXGe7yCKK17qLepHMwgMS
CDN/MpboRd2PfGdv12p3+7f8vVCm+52VGbLc7VyVpyLkYFnKNzK4ubehwgfRRThn
e0SHHTNO7rZFJmrmhGLgPZiA9vJWFl/ztj06/hGhEz0CawGtKKcz9vhghg50tuV3
pIcRHyBon8WKW6r3+wZLc9dP+TvWLGJlGxfQZ6IgZdyC2jw4LfaBtXyp6xS5q5XA
g4gQ4FT4DWtQrSVdLTjbNUj1gdCRAddiZvzNsImssq4RH16oSVgSVwm3SGSIrtR0
/oXpMObhamX3i+jlE8KRyv3KYAMK6OPH6NSgSIKMFZ42mvIaG7ex0j+t3ApcE+x1
fTqNB/ndR3M/8lSVxgXKujRtFk+qztr+VkID2S+ci2ripKgP6ms3OqcL8mZqIfHs
ru4po2Aeahe1xMBRN5g8pfTD0MLcRqsEtnCzZ80FmvOu5E7Sc29woxYb/yWETNSC
+iOqOcWrH94rpp1LKZHTcrt2BJUpIDODdDIHxgxYsPbiu6+jj/GMWxHP2J1Zna6l
LRD2f4i2JmK338Eh7vmx
=O/3Y
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170308140129.GA3068%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Assigning microphone to AppVM from terminal

2017-03-06 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Fabrizio Romano Genovese:
> I've built a little toggle script to automatically attach/detach my camera to 
> an appvm. For the sake of completeness, I'd like to do the same for the 
> internal microphone.

https://github.com/rustybird/qubes-stuff/blob/master/dom0/bin/qvm-microphone

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJYvWDiXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfoD8P/1Of6v/HyTh/mw/P8+K/CARY
H+4f1IvASKO5srRM2vYtDs+kEyU+ykN/Rs05ru3HCmI2NVRfrVQftRlZqx55JIgm
6/mEud28WuLAk+ZwRsDEtklgsdIc+XshbvoW9yjuVTruD7KoC361LfqLjG7NJRzO
EEbKwjTK3PsZLpedUAzokE/xfEDhbxUhWDPZMKuOz5zkuMZVW8dQFU/va7+xsAHO
IPB9FsJk0kTN43OaeUGado7z5N5UQOfmXMEM12fAj3KHbGm8nV9cyEF3xmN48ey9
tZ/Zykmw7OahTBqXROzDLXLbkVFKpR86YQE1fIx7KM9Lqz6VGPn7L/zBsHz3dG4z
RXpC9X/WibY1CZek3myI7Jstd4LkGW8WH7PTwgZwUP61LpnH/gsJukDM4CEjBWGX
NuqRFmhokBqjkHGmumzW+h0I7DSnPULkGGy5tHULQ4HOm5r4o/O5LTTEgHMQHSPQ
jaQxoSVRZ2fdpu1BE7nPTqlt0/gFP9HesEy7q6Q5OlQg38k7j+oe6LHtKWQ272B4
3LQbQXmvCkHXoIew72ywN8WkFEuBy6uArGwetIDZ53bderxep+Bvo1064DUwObf/
KJ1rRYlIlapa5fECPZ6UJyseLlGOgOSCopSLEY6T83LC0ZmOa0HzJDKi8CfoNt/Z
ltlD2fZXowwhhM8ToKpk
=kAjE
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170306131514.GA5779%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Problems installing on device running Coreboot

2017-03-06 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Duncan:
> Coreboot was configured as follows: SeaBIOS as primary payload [...]
> 
> The behavior of trying to boot a stock Qubes install that was installed
> using the installer booted by Coreboot, is that selecting the SSD to
> boot from just seems to result in hanging.

It's a SeaBIOS-related installer bug, see the last paragraph of
https://github.com/QubesOS/qubes-issues/issues/2553#issuecomment-284367521
for a workaround.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJYvUTvXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf5tYP/1WYtGZitIJSrdE6+4CjzYzJ
WChkecv65fccuTWw2KNRK4kqwkqhRvPFf7LIqoR9T0Af7cI6sUhpAIfBEsJiFwml
a96iklx5CUTq3kC1g1dKybA215jklor+iZ+lQdkqI+XoX+tAYwXVnKx4wsHf/vjB
39gAY8DkyCehfbHBVH/eJEUQthTYQBTP4ApIIztXCYFyugX4Uroq5stfa7x2L1jg
25UccetgklignaZjvuiRt6cA7/3A+OVwOIwU1VeT2LKXgrWD9ioVIpqeF2U3OIB0
vSHvBLqR00WrAK52Yy4MfSI00QzcQxJ9zeLv8yBCNtfCGx9gHVXeSmusqDTAJ6S9
9vw12l7I0l8K7WPjBG6HMhFxAaymdTGh1McZKveg57RVHG6cJfOglNf50oSnSixI
YJZvd+0VVSY4LMgSmg/LhTsnR3w5V+/j8AXQJkJNCv5zbXO6MW4PjdyZSMOA/JlF
ieV3xmdiTI49Kw2qJlCY9e5iHRUru0jLYume3eIwFONsXenn3FEcYYnRMSw+hDYV
8lsd9GpCdvlqjCXpNkGtMgBf6uWuYcc+tnMhcqz9NfqEvY0lNOB7NOiCWC8aDDJa
soMQi/XkCZZ3ggb0TY7mtgcB5WPkHQnS7TQKn5JI3MaPJJ1ESRRCz2datO7JFpJI
qyBqbDKjQ/YEkIzZSYq6
=Be4n
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170306111559.GB5307%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Back up running VMs on btrfs

2017-02-21 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Chris Laprise:
> On 02/21/2017 07:43 AM, Rusty Bird wrote:
> > Hi Chris!
> > 
> > > On 02/20/2017 08:28 AM, Rusty Bird wrote:
> > > > A small qvm-backup wrapper script that handles running VMs by chrooting
> > > > into a temporary dom0 filesystem snapshot. The backed up data is the
> > > > same as if those VMs had just been killed, which seems to work fine for
> > > > the usual journaling/copy-on-write VM filesystems.
> > > > 
> > > > https://github.com/rustybird/qubes-stuff/blob/master/dom0/bin/qvm-backup-snap
> > > IIRC, the best practice for backing up is to use a snapshot as the source.
> > > 
> > > I was thinking that a simple ability to point qvm-backup to a snapshot 
> > > path
> > > would be optimum for backup flexibility.
> > I misremembered that as involving a fair amount of refactoring.
> > Looking into it again right now...
> 
> There is the issue of handling multiple pools or mountpoints (if they are
> configured), but as a personal modification to allow backing-up while
> running VMs I'm guessing it should be pretty easy. As long as everything is
> on one fs.

https://github.com/rustybird/qubes-core-admin/compare/snapdir implements
a new qvm-backup option:

  --snapdir=SNAPDIR Specify a filesystem snapshot directory to back up
from. VMs are allowed to run while being backed up and
the destination VM is not automatically excluded.

But I don't know if it makes a lot of sense to submit this patch as a
pull request. It would have to be reworked for core3-devel anyway.

CCing qubes-devel

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJYrIU0XxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf4nkP/istS24pvQAAzfLAusMymUip
M6idbBoye4k5adtNHyjFvsYrGRCxxOFFNF05U99cMUYITVf6isi5Rmz3fsLpz3Eu
CUztp3WBnTUNsQTQJpxwgwgqjmoEQf8Dkh0Aude2K3Mz2ARBR1mawfpzegVg2OfX
CIotNrpVRRqOJHBQGup0o43EhftNnUXfkdobrG9j9QPYWMoLuKJF9EMEW/QQcmNu
CazD6/op3JiFoGUHH2Kg1KocoPxAVMD9pwJJNZUVsfkHtnRjxEfN0oTpkhvONHYj
cB3GS/hF5q7Rck7wR8nehCzLacJ6iC3O14Ed6Y5T3e7OvBU/17hC73y+bS+tEHWH
UBfpmbL58JumGWUysurai29XQAIpJr5BNUtYtXsBoWBcOV3Gfe0xAOkTPfu+8xJO
df9elpBkIurvqmjSrGxQO5kfe+GUVbC9RgDWa4cZ33ajyr76Bg8lY9b7yYabmQ8t
m+g/FEx9O2KnmAo12mYrE05d239auLWmCbCtT9rRZJ1WxVjggpqQXhduBwo90I7C
IUs78pxHo3pf2bI64QSEa3y5K5c+C7PaKZZfzFV+WnDV59kMsVrGrC1XeIxHQ7XT
cS6v6WmYYC7DSVN2J71vhTtptZl0ojWXdOTSuA3B8cgWhXJ9+o0cAkvJynL45neP
ci5Yr+rxubeZewJ7dWVM
=yKMm
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170221182140.GA1579%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Back up running VMs on btrfs

2017-02-21 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Chris!

> On 02/20/2017 08:28 AM, Rusty Bird wrote:
> > A small qvm-backup wrapper script that handles running VMs by chrooting
> > into a temporary dom0 filesystem snapshot. The backed up data is the
> > same as if those VMs had just been killed, which seems to work fine for
> > the usual journaling/copy-on-write VM filesystems.
> > 
> > https://github.com/rustybird/qubes-stuff/blob/master/dom0/bin/qvm-backup-snap
> 
> IIRC, the best practice for backing up is to use a snapshot as the source.
> 
> I was thinking that a simple ability to point qvm-backup to a snapshot path
> would be optimum for backup flexibility.

I misremembered that as involving a fair amount of refactoring.
Looking into it again right now...

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJYrDX0XxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfOgEP/RY9ILKoJMU1a+rb1xun6dCw
g6RjOMKJrDvvdY7UA+y2+e6qDu/NK5ZY4WNEedo6GcX56NYfGiLZ60YxlFF0bSfj
uIeIpmfWdLsaVkcCDEW+Q7XJLu/5y+a8lJG/Jz7fAsYZDAynV06v8V1zhvgL+58W
IDAlgE6bofcbJgzM033z9LUYPr032cDC0FL9BBJsS04VQn/Dny2yM0W1fJPHcKcD
MNyf6sR4tBmDsKjIILikDPCMMu/LhaRabRGja2Fio98ZFhi8zsEibsA4OEtE8zQy
pY15NPGLUmGfvce8bLX4qhetfY0+Qy2QbM5+px7bWQDUO0XS+6dGLfbq4rltVmpd
osB4E9ChSa+NOA1qdgicFkTVxyLL+I0X0TP+WbJ8jznbMKkLfy5KuFvbr+BrFvCb
7pOofRx68qjalWeguN+l9bKGaPSrqnW0SNxdjgWroDox4lyA6iwCZCetxT7UySXQ
n14jFkfZ1WCkYAmKj0C6dtnnJMhIrSYwhBX4fqyMpquAjh1m1nBaZZhqBPPgrHyf
7d1PNFKSFJoFU1dMKNxhFZZ1NcLXgXjHniGuutcNFtLvyw3k7sNoOruIUH7X5gN8
95qgxbuTxPX1PET2mA7xCZuqX8E3+II4WxwrU2C6YFlIMjKiQYR6cRaU69H96PQT
CvMW24kYVwuiT0tS7H8X
=Rq1r
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170221124332.GA1058%40mutt.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Back up running VMs on btrfs

2017-02-20 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Something for the btrfs crowd:

A small qvm-backup wrapper script that handles running VMs by chrooting
into a temporary dom0 filesystem snapshot. The backed up data is the
same as if those VMs had just been killed, which seems to work fine for
the usual journaling/copy-on-write VM filesystems.

https://github.com/rustybird/qubes-stuff/blob/master/dom0/bin/qvm-backup-snap

Also pasted below. POC, may ruin absolutely everything, etc.

Rusty


#!/usr/bin/sudo sh
#
# qvm-backup wrapper that can handle running VMs stored on btrfs dom0.
# Usage: qvm-backup-snap ...

set -e
tmp=$(mktemp -ud /var/tmp/qubes-backup-snap.XX)

btrfs subvolume snapshot / "$tmp"
trap 'btrfs subvolume delete "$tmp"' EXIT

sed -e 's/^\( *\)if vm.is_running():$/\1if False:/' \
-i "$tmp"/usr/lib64/python2.7/site-packages/qubes/backup.py

for d in /dev /dev/shm /proc /run; do mount --bind $d "$tmp"/$d; done
chroot "$tmp" su -s /usr/bin/qvm-backup - "$SUDO_USER" -- "$@"
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJYqu8RXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf8v0QAI4eRTXSAkHAbL3+Z3K94nbU
aEaG0YzyMA6r9byo8idpsvuR/gMPhrcLiBdB+bvlMRuQ8tx1GH/8YnGVdb3/8ccr
QcrDAv9abWOUbCRbLxP6cckE7pNYwBys7DQVqkMvN3irkxHnNWGjtczMbJJ+B+gi
R+LxYXJnz4Hn6392HXSqbAv1PPyNGymYLqSJfzH30pdvTt6QICjOH4DHH5yfGRqx
o3iablnBb9EmbSCa8Fn8mdtu/CcP58QgVwUrGA2Y15JE2ViAS2EVpxX5Ah+e0RpC
WzjJC9t73SI8/1549BvxHMf5aInJbXBmn/hbmpTTnFacRkXn7aPSvA7dUZrQvhqP
FcCYlBZ6LO2H1rxpcaI7/ppLaqNwjzuXs6OW6Luw96k2yaR+iI5N4JCIhHUFagBR
2KaU2wTi4yKNJD9ZD0lGCpjDLdpECrDKHHC56ZRawYQS8JwUkjF7vwD2UJTzT7HN
r6pQR11lpSgdbbWAdqQxH2VKFX6bwEN4gvl52VG7B6+/hTMb5PdXMp/2h+gI1biK
Lw0roF9QyYMmP96JWXtAoO0eC1IhGVDVqR+3kGXFRwxrkQCrZP/jt+fSllYpAWZp
JfWNoB38rZpqNyZdOEGC4Odw0iiw7BeSKeRuCDhWiSJkeCUtVyohZI7rXNLcCKdV
fIYc8ix5g9B1gQbFYJNd
=imFn
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170220132849.GA1885%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] backup failes

2017-02-09 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

haaber:
> Cannot create /media/user/hexstring/qubes-backup/2017-02... : permission
> denied.

Try "sudo chown user:user /media/user/hexstring/qubes-backup".

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJYnPnSXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfgRoP/1dJWam9ej7w+LGSN8ECzDew
t1eF65sNwrPiuZX6gZvOepkgKfqk7aUPYkeggW2MXnYPUGZKt4+ZOzFloV/29KOw
JhCgSHjmTmati3E/vvAAgBSc+LxDeozweYM0OFTql0Q5s1ha8NtmEpqlHm94G6Ok
x5XzYikRvVeHXoC3U4vmvAR974gWG9nUU+Oi4CDZrTAMQjR3uWjSqsQDH6r7vEuG
7/IWt/eFp3/196abeLqhV/zuwCzE9H6QyBMVfQOGbrJ2nKZjIStQw0v/X2vaG6nF
gTtjzv3LSj5nhP8uzrlwvIfAG85WMWofjhsILuMMVv342GmupcMEwW2U2KEwH8LB
f20H5c9iHPzzT3XTNzCRlO/be6igxHcGRsnBgH+KCZ++1B1sq4JROR5hOduu0hnD
K9fOr6Buyg1lbz3W+1wFHXIs2mBppu936Kfhs0R6A4/2hCXhZKZm72aDgpVnEoTL
MoTHHAaw6UW6iuBSirrzzvCuUhnjSPdcs7k1p9wdkwdMNmVaG5Xl+Qb6EB5XfrV0
kO2/F56OTZmsE8H3n0oF/sNwVAbZmN9g4eOujdDm0a4rHMx/fwQFGH9CrHsdKCK7
T5FhWHIXk0JJ7C98s9MNb+BWVIlkZ19RXPnKa5ishnuIkcEWG/+UE21UccUxh8mh
yff9xd+OMCZ0mx9FaK9U
=rDDj
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170209232258.GA2634%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Two ways of "true" security.

2017-02-04 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

mr.l...@gmail.com:
> четверг, 2 февраля 2017 г., 17:33:46 UTC+5 пользователь Connor Page написал:
> > I have successfully castrated ME firmware on 2 Haswell laptops so I'd go 
> > for something more recent but well supported by Linux, reflash and put a 
> > non-Intel network card for peace of mind.
> 
> Could you show the instructions and write here your chipset?

He's probably referring to https://github.com/corna/me_cleaner

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJYlctFXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfKUUP/iV5kCJrQ24NqB/jGfegqmoI
8dpvkVx3uZALlHjuVYOJK8mMkBbeSsyd85/WigvI/rcvHmwN5+F5aPMiXovVBt0n
WSGFvJb/Mhyv7dkeItW8hn5QdXHbDqXhTDXifd83ZL0VL9JlNkaW/Zp+NwfYeINO
Yl5kH4/3hxviTEhumcjBD1CyqP1Vf+m42+6pJca+jxU/55ulImH+0sOvqAAm1Q8Z
a4z26qhbubXTDdFNYoE7NPZbXr4h3h0IVJX9221llxAHGvaALkaBwL2svRqWyEBU
bHau2msYc2fEjcY79YGA09Aw/NKK/ywPLMGpJlg/kSPWmvK3x4lkNswKafoHxTyd
RLLRTAKKAtXdc/qdZF2C9pSrmI6ikd1DVFRNgrAF4u0ZEdQdJlyBKHPw7bCHKSRq
hs703uIORu6N3dGiOZ5X4WnK1grv/8ZoksEXIbR46ncUFnBAN2jNBj8Nkgmh15wo
UOuumSUqlVQIBfxrr05aYhz0nEfqB4ZRK+ipfbloijioX/NUVp2CKnSOoTcpY+86
/SNFdN3/ux7IsSajS6MhD01Ibh7t9Yi0inDCYOP3A9XmQZRv6Tprz+0yikP+Ps5B
B+MxsSrNJ3evvCkLkCS02ntzIhYPMRUY0bG8FOIKjdXYM+f3QJj4LU+x/EknnTap
RkdeK6HKhXKXcRYpYlqU
=Eht6
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170204123829.GA2245%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] AEM and TPM no longer working

2017-01-20 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

qubenix:
> 7. Restart, to BIOS, option for clearing tpm is gone from BIOS?!?!

The option is only available on cold boot, not when you restart.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJYgn6hXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrflo0P/2Sr+pYvctOG+hSjJ960sE3L
2/T2a4hmRdWKz/YO27Suu6GPDqUgcxuSddXC4Qj78bK+ma06LIPmKt3OvdtDZ2OG
7pwUdyYe0eNcKHNkV/0DVJOoKIGuCKVGuOOR2obv9WovHzRAEUj1P9IxQq6YIIeX
tpl2oRcJO83kjfxi/kgU6+2flUtDwmuZl6k0cMzAud+cs3ri0XyebfOQBAWBJbrg
XzpV4ks5wbe5fCp4pXRxxDF6QW26aApnnzHf7cJUNTNsZMRgxHKmVk6StSK1kP8q
8N8wRn1fMnSimJhbMd/WCCULsro4K0lP59oFkx54pfT9OKHahg7GhTTfOL2LkMDC
yo7c2O+beEthQmfa/4mHOaQQibaMJNZmqkQhm/YlgGlZHO1YeRRighaOsSGah9ej
nHOiv8wIr434YE1OaeUTJAB0rtYW6QmHv05wVon7CFcAH2zKdD6bEQpSjmB5SePm
fL7OfxI0Lj5IDU4aOwXzalAItgUm9+YC7vIpBcdWc4oSKyBjGw4RbGt+fPiI+zl6
QcNxeOD9ujo62krYURZPvtkCMrGGPaGQ2hgIMtqmg2mofjD1i91WCZqKk56DA66h
4xHRfCdJBXu3c/oCr0740OcE0ADr3zrcpUnIoCpLkkluwC3zghwVzqb/Mq2KP8wZ
gOgQTy8XP0jfwiwI9Q6h
=WQ9L
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170120211825.GA1810%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] [Security] Anti-evil-maid didn't notice Xen update ?

2017-01-12 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Marek Marczykowski-Górecki:
> Rusty, Matt rightly just pointed out to Qubes Security Team that the
> current behaviour of AEM could be misleading. AEM should refuse to work
> if TXT isn't really working - otherwise it's easy to not notice it and
> have false sense of security.

Thanks for CCing, I agree:
https://github.com/QubesOS/qubes-issues/issues/2569#issuecomment-272235227

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJYd8SQXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfU80P/i2VfKaxLVONuk+Btmfc3WfN
f+SrUZIPPzclrPpCb3k0SiEnYbkJBI+9Ece+jWRpyUJNVFVayy0RJ3lW+JS9FNOk
dorBfJvJ4IoE7CYulsW/2qvPbmHf6FqzSoAyZ29KKWa1X1lR26kUMA/3ZmTJTdRy
c3qWXjnbIhfXoutqfSs2Nb1sEI8M46hsTUR8ESiIjVYnjBdRmO6jogiGBiy7zQ4w
pmH3djALJVrj4lpAOm5AEgkHmkoYcxlVOkTJKEqCIm7kdLuQiiLshJWU5HkjVFOV
cY6sUgyjJAqnvuGNbVrpKaP96RpE1yKtd00777DnbkWsTYlDjtSEiwC3KhEzN/So
Ga82zeHHicC1j76v0UbOlaFtdIo3rZk1mvzhoL3mVT3oWZkN+IbznwtFNnwbqJip
798+Ki+283ZxFz99Cj9y7nq/qTGGgP2qZ8imTBtt9LaOipgkgqdCzom85VqHFYTA
2ZivgY3fFLoJEys7nie5XPZcMWQ1pD5f6qp81aVNpU6L0X2iFTuCOS9DH76jd0BJ
HOq4lSfQfbZHco9/U87REipB5EWmoi5UN+NPqkemSyTkDXum4OMa7bEPvzwQbyUm
xyCzIO6/u3GT3mwJQ/kNa/+/ya1+CJlG8obd239AEk/6jIdkCwbAJ7HeEaw0KqGq
MlnIDTcfDmiL94iZRsIN
=SA4W
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170112180152.GA1242%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] [Security] Anti-evil-maid didn't notice Xen update ?

2016-12-04 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Rusty Bird:
> Does /proc/cmdline in dom0 contain "rd.antievilmaid" at the end? If not:
> 
> In the GRUB boot menu, do you choose the entry "AEM Qubes, with Xen
> hypervisor"? If there is no such entry, you may have to rerun the
> "anti-evil-maid-install" command.

Otherwise, the only thing I can think of would be to try tboot 1.9.4:
https://github.com/QubesOS/qubes-issues/issues/2155#issuecomment-263139022

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJYRDHAXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfFFUP/3Yv0GYD++Fq0UFaEHEttvBP
u7vxv70SpoMPo5SnxN2PLFJCVvbM4/XO+ALmdW8KtgjFUiJ1xr7dTY81Kcbaj0mj
3zPjve/AiUhTP4ye0KqpJnqxDACJPe6EkMlCAY9xESdtIxcK6P6lKaTHKr0XfBLV
3vddZ3a7SqyWOOE8NUqzjwan8uc+cAQ13+aS2jZa1Rp8AB7/GJ7hRu2thPGtF6y3
Z04w9MWAPuqNUV98mPEAK/oxSE1N8gHQsTA/0vUJMVm5j+84iRbvmJI6VsQOLtUq
2eZgcrq+3qxYv2JU6K33eu6XcVoLVp9sNUduzkik+GCZO9EVL2dwKsXCil4MaXOy
H4KERaMiDvuOUecvLUtPdTH/ZlEYmEqBqamOn4/r3XOZxjHhqF9bLZyJT6+M2pgz
Iz+qzFf/8RDxStEXCcWP/0RE3EutS1p3PpqzavAWNzN9PxRctlFlcUwqZJE66MrN
84eB355zvEQEjiB+1YIAIknDMp/I4NG0kWneyj/NEd5Pk+RBJl4CaQy0MfGNyLKl
MiTEAR/DEDILJgPb4pC/ArlCBEhzn0h7iqITQnxv5YwRr/27A3QC3RQ1BRBjgV0q
80Elskoe16nkd08ZCBC1k5a0BxE9UJd5pculKH05alGjl6U2W+uhq2I+mimhRSF8
vwWQ9nQf67H6H05dcaau
=XbOw
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161204150952.GB1048%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] [Security] Anti-evil-maid didn't notice Xen update ?

2016-12-04 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Swâmi Petaramesh:
> I now have downloaded 3rd_gen_i5_i7_SINIT_67.BIN from Intel, installed
> it per instructions, completely redone everything (including resetting
> the TPM chip in BIOS, uninstalling and reinstallind the AEM RPM...
> 
> But still, lines 17-19 remain all FF :-(

Maybe your system still doesn't boot into AEM mode for some reason.

Does /proc/cmdline in dom0 contain "rd.antievilmaid" at the end? If not:

In the GRUB boot menu, do you choose the entry "AEM Qubes, with Xen
hypervisor"? If there is no such entry, you may have to rerun the
"anti-evil-maid-install" command.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJYRC4zXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfFM8P/Ayi5lu5Vj/mn8IyAJTjj9QC
o5GKkjKRH+3uF0p6INj7imFUH6B7lU0GAs5b//E/9lImvYZ6BhLgCU1MNElvohWO
uvJ1imhUBDziRsyzcCxFuzaMDwcdzVJ/u+JgKwkkn4v81rTriulr547kfHxan0Vt
dZYX6cdr8psJfuWpfFhUGgWBMMYHbw9rTFsBMglNdA/Qpknv0qFQt3ss8oaWjlA5
VU0yZYKCp0oVgrSZA2SUoo7QA6mCZ18lQFTQFEel+Kj81uZLi74rgn98ZGRtCEsy
DlBi3QsIk1pXJiwRmzBrN/FOCDdcYmqz3GOHyP1jPII5f/YHpaS2VsxyEq4LnctV
VTPMvKxs/yNfIDs4QaBMVJIs36ns/mZPvYjrJ/Br6L0lsRDPpEvNtYoz6Nveg3ea
gYsMm2Jhj5O8XlynAm1KKV+uLI/uIawgNzFvjLoIWPRQTpcTQDjmll8T0mBHKPcG
CVYiirNvHLeBhQF32CFLNXQQmvNYs377f8k/m1x8rtuv+af5EVFdoE0eY/HaF9uj
5+PFE4ruBpgB5rocl3pY35NHjn6W2ciOBYXjjvfE06WiB+0ALHz4m+XcJ0j9m7Xy
qrtVH1BGcr/tz15VOOGJc9ZfEqK5W8mQMLXNQfSmA89adEfjSwR8r8ecRCUfeJwg
RL3FpCGFtnu8RLFz/ha+
=ldBa
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161204145444.GA1048%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] [Security] Anti-evil-maid didn't notice Xen update ?

2016-12-01 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Swâmi Petaramesh:

> Hi Rusty Bird, and thanks for your help,
> 
> > Is the SINIT module working? Run the "find" command from step 2b of
> > /usr/share/doc/anti-evil-maid/README, but look at the lines for PCRs
> > 17, 18, and 19 instead: They should have very random-looking values.
> 
> Uh... Lines 17-19 are all FF

Well, the good news is we've definitely narrowed down the problem. :)

Are you sure you've successfully copied the *right* SINIT blob for your
system to /boot? (Intel's download page is... not great.)

Does "ls /boot/*SINIT*.BIN" - note the uppercase for both the name and
the extension) show exactly one file?

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJYQHjGXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfqDkP/ivq6Kwwug1Eo+Isr9nnoYDz
Yj530MuWQcsUqZ5L6Dgi62G22v/zlppuVHWG7QNVh+WC4HjGMAzHcqy1Wj16Wb75
QIgKkMTbNiLK/KBpKHLXBThbAd/yjawzOQZNLZLfyFpAby/po7x+EBOW/JkWbCVS
7NBat08DJ8MfRF2e+VWsTSRptSkrKpIX2RikVH4jPSFGjTWDpZMEcekVOK4HL1x0
RkSKqG5LZxIcxtfQ8nTfeV+n/UEDERudQgde66gtQNPEv0N93oxGjxsAudo+X3rA
CLzNw+ewFGxMTeETuRIy6r5AV4XHukNaSBCujizHUSQAIKDx41Ndong+wvKDxbGx
77jbnKoXCtBkHijylnvFlI5udI6xA1vfFLJxMWoXkV7zU5K1AyZkKaukPuZYcBVC
HK6mYZSZ3p5csrChh7O1oVB6J2g0Q+LmoKRPxeahvi6N8NxI0BIbjC4iE6ECS2oP
K0HmlFlP9rWwT5aCz8Wu0BHr5v8cQuP7QZEBu5GHwTvjwvmAUxVBB4fRAITBcfZe
3MndhZ6QTCgGKgbA7/19fswh5FBt/Pgf/P8oWQm/CqQTqbyi7awOrBIUbEX+7E2l
sIna69VuaNtadE1Mz3MOU7GpqOocQu4pyfvMRW6G7nSlbzM5qdUE3voXWn1TSKeC
SNL0Sfas1yJuuyYC7wYu
=VRW4
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161201192350.GA2198%40mutt.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] ANN: Split Browser (disposable Tor Browser, persistent bookmarks/logins)

2016-11-30 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

"Everyone loves the Whonix approach of running Tor Browser and the tor
 daemon in two separate Qubes VMs, e.g. anon-whonix and sys-whonix.

 Let's take it a step further and run Tor Browser (or other Firefox
 versions) in a DisposableVM connecting through the tor VM (or through
 any other NetVM/ProxyVM), while storing bookmarks and logins in a
 persistent VM - with carefully restricted data flow.

 In this setup, the DisposableVM's browser can send various requests to
 the persistent VM:

   - Bookmark the current page
   - Let the user choose a bookmark to load
   - Let the user authorize logging into the current page

 But if the browser gets exploited, it won't be able to read all your
 bookmarks or login credentials and send them to the attacker. And you
 can restart the browser DisposableVM frequently (which shouldn't take
 more than 10-15 seconds) to 'shake off' such an attack."

... continued at https://github.com/rustybird/qubes-split-browser

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJYPwiVXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfz40P/iunQJo+8jsG1XrM+nlB66Bd
D7y/fZnx8MhZi28058XvQzlyEqEIZz9T/rzbXuB67ERHkWHoHuYaYufeMG7fCrRz
wTpAwX+5F4N50Cfbleq0EDYnGgdey83k7e4QqYV6mgBU/vBNLYIi8gSl0Jld9by2
/q6XP1ywGmD/qg7Quf94tgEGHPsg1CssiX6TjgcUynsC37ouChB5XLwsNJ6c72Xf
YktYd+KqXfX7kCt1B1EgMa1udjvybeS4oLCh4UEC+X3bcQaaN3c5PXc3lphdzkbv
Xa4qP/6sDt/Vb216zR8xuRa6TORs7YEM3Bz19ydSwcHpL2vQzwAhsajczmkW0F38
n0BSEerpyB9pOhAEL7lETqoYe8fEBJBF/h5oy7dFf5yTp5gAp4EIs4eOsxHOxwjG
nJAxlYZ8gBmXg00Ed8o5AlKhBY3X1vY8wE3e54p7jXcdDaaHKOfIpafCfhhaM8CF
aiCZWk6lzU3ptyzsXsCv8bESQvoDNRiKPQP4z5d5NiCTxb6kWxwhM/NTn7MfA8oq
aqQwC/uuHpnHzzdv9PMSFDdeuKIIodYSzFm9FutDsXg6VyCX/04KurMjDZJF4lTL
PnS3S/sP7meIMvs4xPOUXjN7HMhT7spxKAYOfOYgA+UYpvTz/gNFdNY0MZW1HCkv
d5Oaet39i+NGXvDLwCo3
=dZiz
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161130171254.GA6811%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] [Security] Anti-evil-maid didn't notice Xen update ?

2016-11-30 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Swâmi Petaramesh:
> So after upgrading Xen in dom0 I rebooted the system and... nothing
> special hapenned. AEM displayed my "secret" image as usual, without any
> unusual behaviour or warning whatsoever.

Some things you can check:

Is the SINIT module working? Run the "find" command from step 2b of
/usr/share/doc/anti-evil-maid/README, but look at the lines for PCRs
17, 18, and 19 instead: They should have very random-looking values.

Is AEM sealing to the right registers? If you run the command
"source /etc/anti-evil-maid.conf; echo $SEAL" in dom0, it should print
"--pcr 13 --pcr 17 --pcr 18 --pcr 19".

Did the unsealed image somehow end up in the wrong place? The file
/usr/share/plymouth/themes/qubes-dark/antievilmaid_secret.png should
*not* exist in dom0.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJYPt9+XxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrf0fUP/2gkPIN1SLnXan651FCAwffs
wrIGKBLB+gJbEinU4RdwHcKYO1bprMrPLCHsI7MjoAU0/MVQ4p2aV6Uay76NX9ZY
ggktq4paOwXW0xq8IbXJH5YFw5y/FTeS8SAFn8c7KqbBiNMMXPLNiKUwiGoQ6Tws
MhVwC62R70qnjNIQBVdlfu3H+CqIIOU5qpl0v/bc1Iyc6oYre54fcN6bBSDgbRFk
tMWrrC+ljQrXI+n8g3y5oQdUpX2Lmt9C/v3x3ld8mVLwIDrtR3mnz9l2CR6tZsRQ
8anTNaaQ1rdx+FPECCOOXL/yF7qLLRqkMEURb0APYpYHjsEbcXyc9BpNLNRs1aJm
Thf4AokTVC6rX2fPYf8q78SUmvs8G9mEYbnPm5XyKYmvoVbkTVdEStz2uy+PFJWa
gsI2O5UFUjQA0xbWg8aYgVmx30LzSbnS92WOadV/dT+jvbjeZOZ29wn+qyCQUUm0
9UXWW86EAEUQJj0zWhJrjyrZY+H7dGBqy/az7gCR6BTyI7ryIa4C6dzTmg8Vohyb
chlR5DTq0Pb83EZ9jEzYbgNbrN6f3mO5EwYLoYHDfJaIfpn5N5VpMDYInhEBBeRQ
7TZpMrPEOu8RM3yQLTiuS3gaEgx1ml9Pu8qQcd7aubP2OTB2RKLhm2BL1oYMrn6E
VH4tOReX0O97HjpJWvE5
=JmZ6
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20161130141734.GA5863%40mutt.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Attaching a block to a DVM in dom0 script

2016-11-14 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Vít,

> When trying to implement a backup script (for a different mechanism
> than the builtin one), I need to start a DVM with an attached (RO)
> image. How can I do it?

If you're running R3.2:

  set -e
  dispvm=$(/usr/lib/qubes/qfile-daemon-dvm LAUNCH dom0 "" red)
  qvm-block --attach-file --ro "$dispvm" image-vm:/path/to/image
  ...
  qvm-block --detach "$dispvm"
  /usr/lib/qubes/qfile-daemon-dvm FINISH "$dispvm"

Also check out ,
maybe it already does part of what you want.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJYKcZJXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfTbkP/2NczLklulmwIQH3ecRM+/7w
ek/RBZTiAQAhQoTTO7B7bwIciSfcYAExZHGHpWZxFdR9lwApN7jELv6VS2IjM56T
3qJyl7/SXu3NH+folQh62yKpAZi84L/v3/PmR1XtWptClBU87Tnd+subTDEVETOs
JA2nOrinZIQZlj58qdbkrTCelW+dZKutqkJs5i2K3L/vW9cGEit73llkxFe/8DDf
LnByVOJ2L7WKfjps5JKoxzKc817zrxJKIrzkfpyK/wNBA818/BhF6GZIRUhn91wU
1D8TAL/lBHq9inAJh8cXPa645z5bobN2Z/YewO2pdi42tZVV9vnx6d7krtlnHNh+
1zgPG9NwVFYr1sIZrqoi82tSZE1IsiWzHGbznB1tcyHJIRO1Adzwy0p9I0zcRHw3
YnH9W417yI8x65aNL+XEhAbzjbD0NMYhgislbsF5/vK/X6ejUu2NVEpeq0sLZtrt
nZteHB0n3H3yjZHG1LC/WOq5cSdUXQbYbrE3W6PRk2/2LX8WkXixCU/6DiIm82PR
njkUWlhWZx3MtQwdyaKENfqg5BJQuBk6OE7Sq/qcA9dlWKPQ92TAI2fjiIzi+S14
TzYnAehc0GJkanz8KjaWKLIADAfGBcwJuLGeI2qStToywimXbizvh8+hXKIzj+a/
9uQfJcZ4o5p9SA3WW9Fn
=QDtR
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9925059c-9212-69ee-0698-966d78e312d2%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Thoughts about installed software

2016-10-14 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Jeremy!

> In Qubes 3.0, I noticed that source files for the "move to VM"
> command would be deleted even if the move failed due to
> insufficient disk space in the destination VM.  (It goes without
> saying that this is a Very Bad Thing.)

That was fixed in R3.1:
https://github.com/QubesOS/qubes-issues/issues/1355

> I'm not sure if this is still the case in newer releases of Qubes.

I don't think it is. There's also another commit somewhere to call
syncfs() after copying. So qvm-move-to-vm *should* be safe since R3.1
(unless the destination VM was debian-7 based, which had an old glibc
without syncfs() support).

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJYAJr5XxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfMj4P/0g3dif0bYm1fYO3E3Cs+zQC
GtsFZX6As/7XL+RliVDK0GB7c9XuB0ycaXCbcnu3uNNhknm76wEkxkAe3Gq4dxPC
t/NDwTQY0oSzlOxYrJ8jAqWUWSfe4buSecV+u5vC2iKO0UrGe8YIEZvM2+YhpsQT
FOdKSNUvw4MJqy9xmjeYLtH6wtWzJyEN2B9n+yVScpTaA1MBO5WnmTu3pts1WmjT
iUVHNr84Qzf/rcZnZIfTYThH+HSA8gJgN/RAeOE9ghzyEzcKkrznPWyMSuaW8SmO
FW+djKx6lTOcJKg50BJHH/aSwrJxnIfIa1MtoLseMPEsDf+UHcAY6ASKRROt+7pn
v9ORB/uB/uERBigik1yd9bAivauqqLbi8Dj7hBwc4XteEikvVUXAsOsEJl7lmaC1
I7Wzb8YXxvEAyJFINXItK5ZJT1x0D/5m+07oKD5oBf8aNY8CFHTEPUUQFmTQLOId
XZg/pBhIOpmIsx3z+Zk3+VJCIz7tzR9BpRCAvN8FOZPs5HEG4Hu914Eb01ErwDE3
keM5Bu1mW/HsGcAvnXBGLfQ6MtFFmdNoqbS5Jrj2cv0q/9yGPmf44u4NqTNbQiAu
mlqKx+8mx6H5/EBagZKNxVmFqUy+ShpsIhro9VlHaCoNF21ttjOr8/B4zaPb2igx
9SChvvIPXA5HKfR4FK5H
=Bj5/
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/5b71cd9a-d072-5c8c-d891-3ac641591a9b%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Thoughts about installed software

2016-10-12 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Robert,

> However I would not use the "move to VM" command like this, as I 
> experienced those requests getting lost One time files were 
> actually deleted, since that time I always use copy instead of 
> move.

Sounds troubling. Do you remember the last Qubes release version
where you experienced this kind of data loss?

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJX/kvQXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfZA0P/0vw2dBijUk6vZtmWgsGzL/B
3l+H7KcVXu7zPzjEMwQAdufC0gn2JG8NVWH7HHe6ru42iME07JNww1RoOvwImq4h
/u8DojH7PYeO88TlmCquH9J9nxF7W6+LC0nEtsTAbEF0dxUUfHFL9MyOKGoU/nq+
JU78lKBfFstUCtcqib1J0ENAsRbY6oPj+XaAqkOGvX9uTqWPslUmncEstn4KXzIy
M8b86Vql3WJ0fJgYdVxrLzuFgbMHUIjk4vfv2dNGwQHaDYXA25wM9jdV9FbED0mk
pL6VTMwRHA5SCnXaTjHRJzS7+x/vOEGhNiwkyR5bpXiaHrxer3MmszC+oIgXuiXC
yWthLHJ/fqrZjSjClrLYlQbCiD5gz6tWsul8KSzAGh56vMVsfXghHs4QIcNv61xp
tfnQg4ESBtHLc3+LuDQRax6kkJVMCwX4s1KQQ3v6t8os7w/HBIBdkVHWkRBVKywu
8d/L2meN76DYyTsopjN5EfVOQ+/53dbTiUf+FTsl2ENM0yb6D8FcdgPm44XP9iE/
5eiWcKazFvFYs9wOxXrs+Ej8aw6WW5mBTeoRoC+jSxTmA4nPoTAjHT6aSwwnCTvM
MMtWk68WPbHic4ISDLl8X3OJCUjD6Yiar6Q5DoWWfwVGQZek/EVs/LwoCRhkSMn6
4E8tGXUwqvA9ADx9k/cL
=tp0q
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/40b2c885-364c-766f-6bff-c0505d20626a%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: BTRFS?

2016-09-23 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Connor,

> The tricky bit was to put it on a LUKS partition as somehow the
> installer encrypted only the swap partition.

https://github.com/QubesOS/qubes-issues/issues/2294 has a workaround.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJX5OYjXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfR4UP/R8OxIfFI7JyeIW6gazWUEkq
IBdlvShyY5piOKSQO5RrEpcS5GXHjPPN1HqPn1Bt6FFQln5MAKkQsD6AaPE8nrjD
OHzYU/G3fgXoPPJy8nupA3SANatESdKV+b2/JWP0o0+9/7HAYgzykeGlfaoa6BtH
UuLHBVloagCaVKLjwX61KXHzf5Q+PJTm1ZAF2f8b9vY1vNPPJ+QKvXXr89n76p7W
McQTVTrLuSzTLLL2KFXxC2uMuIlO1qxYDifUrHO1f//CmuF9XGP4pGLIfVigodbg
We+1+2FbUqB6oB/WTHGLvbXhdrdgJHcZn7iUyXIbKcmncgo1wFZ0RYFq/rjzpCkX
b3gyYTEBxBLj4AbIc28sqJm8bUjpinWAzWOv4j0dHKQqnBXX2N6YrCSsOPFkKpuv
2fGjIryyS1pPktpYS4Evv/mDquusnOIAqnEooNmz2MaC9kd6v2/Kl9IHpbXX9bSd
MfIVaiAuWhFaRe9SUW4kIG5+dIEMkBCz2kNImdwfH2rNLOGTU2BvfcfvbpKmOxJy
QDHKU5WixixM6KtuO9Gvh/UW9nT36RPtn2+1nev/HztDbTzItSBwqHhXCXUtfM9p
weLEntmvVdQCLoKN+tRBd9NNiC+jlZbZtkmzUasi2GzL5japwrn42OeGlz0oSlh/
wvwrGWyDVaYlPxzN6Lye
=7Jna
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/527c132e-e52b-51ab-0d35-0449b3d37962%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Split dm-crypt 0.1.0

2016-09-10 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

> https://github.com/rustybird/qubes-split-dm-crypt

If anyone has been using this already, please update to version 0.1.1
which contains a security bugfix.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJX08IXXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfiXkP/296qW+raC+ku/86uRh4NIgx
DFufItk6a7LE1uEHjSKWh2liM5oFu1kimOkYaewl9A7ZbDgVCJ767BRLvbPpvaER
uNW/A9qnTojQ1wGIhqSUye0iChAfDHU8TfdkBofMP6bMIcNSZg+gdqJS1EpphSww
uoyHk+flzvETf8WjbPiTJn5mUFITQw7U+Dpv/tbUCdmI2V1051AT3RpDShzTtfgT
5M94BNNT+BW4rZnCvPSWp2AgGJBXXwacQvizPRvwgqBfgOm/KNbHt8VSbcco/5tV
uxM15x8fH66UpI8LxSXEkCgfpUoidBBcQKzWylzH3ggRQP9L/09Ph+iOCpWzU3SF
yOuPVUaPpzRQbq7Rr1q5lZNFDVHTKew6PVZR5yYUm2eyJQerPYPU4InoTjQAM3te
UkUjEWkdpCffACKL3DUpSavErkJefwadXIBPHssluTOwa4rGPm8kgJhm1rdZm3xj
dTE4v25aR414Ty/VXOFzjwAHpdGbZvq3dbgQs0+GyCqjE8JSJps42a2XuUsGDypZ
hsYrUFDiGBEmiIucgHed2gsEIahxM7p6lz3CTmghFD5skp+ngmnuNjEWFiuFD1UB
lBAxmdljABI+VsrW7EGFJ3CuJv83pQOMy0HqwVeFehyeyWtkdxbcKqjbO676bKUG
DZ1QuKeJzXatRJoX1ZPd
=Fe+2
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bdb4d6e6-7ce6-3cea-4dea-aa8479f63bf6%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Split dm-crypt 0.1.0

2016-09-10 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Andrew!

>> https://github.com/rustybird/qubes-split-dm-crypt

> This looks great, Rusty! Thank you!

I actually took the modern luksFormat parameters from your writeup at
https://www.qubes-os.org/doc/encryption-config/. The 5 sec iteration
time hits a nice balance.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJX08FSXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfQZ4P+wY89oHl3mUBpv3JJHJyg+aU
+XqBn37f3uMReCmXZUhoRZGkjFYV9HBStrKPYDT2Og3Tc56Lw6J/48m4Yb8rXMnh
6+i1HDYmqBA9CBGTCvFFv/+S85vWF9RGqTWYr8aqkX8YqxmbEFp0RU1qqXTK2Dm1
sO9YmWgMp+4R/qagdJ2OCG5Rrx/cAJEu53e51Y6YcAaJkvsY85z8XNYdo7gSOGTx
WvDwRyAZT9GGxseeLzxu3S0cVyq+uWww6wtwNPnYl5DLFVeum3RlNDYvJDXm/+4X
fTUvRJGLmMWHcs0/xQqgLjeIhFaAi/kNRI3OLi/jRx2bSQk4b6Pv9tEaVupmIwFF
lGSv+IjQjLrGOvLxizV3ZLZQvLG/ZDX18BjCbZNZCHL6SqY8Yv2kOZMPNPa5BL+O
/GEkc+ij89NeQPvr0Q42K++ypvO2XllxKA+U8YBAVbXMbDD+2SZF2H+eJeVzBAG0
Bs4ewKONNqTT3nGocX915tlj7+XW61OMQa0riiIY+5nt2/WrIWcUkIkLXzC7doPc
1Fkxc4170vgScYbJMnIMxIhR1DRvpLSuYNlscKUJyhFLh+sAkyXsTE3X+h/m+3pI
hqdoMrJb+Jiz6ZdgE1zRb4ru/BIdUt8+V6AzcyWow/VB/hqGT6JSHBVtlJGqgd83
Aj6CMermoytakjKEMwaD
=LfiK
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/716cac4a-1de8-8ef8-97e0-d07d72b88663%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


[qubes-users] Split dm-crypt 0.1.0

2016-09-08 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi,

I've worked on this mostly out of stubbornness :), but maybe it is
useful for someone here. README.md pasted below.

https://github.com/rustybird/qubes-split-dm-crypt

Rusty



# _Split dm-crypt_ for Qubes R3.2-rc3 and later

**Isolates device-mapper based secondary storage encryption (i.e. not
the root filesystem) and LUKS header processing to DisposableVMs.**

Instead of directly attaching an encrypted LUKS partition from a source
VM such as sys-usb to a destination VM and decrypting it there, it works
like this:

1. The encrypted partition is attached from the source VM to a
   (long-lived) offline _device DisposableVM_ configured not to parse
   its content in any way: The kernel partition scanners, udev probes,
   and UDisks handling are disabled.

2. From there, the LUKS header is sent to a (short-lived) offline
   _header DisposableVM_ prompting for the password, and the encryption
   key is sent back to the device DisposableVM, which validates that it
   received an AES-XTS key and creates the dm-crypt mapping.

3. Finally, the decrypted partition is attached from the device
   DisposableVM to the destination VM.

**If the destination VM is compromised, it does not know the password or
encryption key. It also cannot easily exfiltrate decrypted data to the
disk in a form that would allow an attacker who seizes the disk contents
later to read it.** (But see below for caveats.)


## Usage

The `qvm-block-split` attach/detach commands accept a subset of the
familiar `qvm-block` syntax, and some other commands are included:

- - Fully overwrite a device with random data

- - Overwrite just the LUKS header with random data

- - Format a new LUKS device with modern crypto parameters: AES-XTS with
  256+256 (instead of 128+128) bit keys, SHA512 (instead of SHA1) PBKDF2
  key derivation with 5 (instead of 0.1) seconds iteration time

When attaching, the destination VM argument can be omitted, in which
case the decrypted disk will be attached to yet another offline
DisposableVM.

```
qvm-block-split --attach|-a [--ro] [] :
--detach|-d   :

--overwrite-everything=random :
--overwrite-header=random :
--overwrite-header=format :
--overwrite-header=shell  :
--modify-header=shell :
```


## Remaining attacks

- - After detaching, the password and/or key will linger in more RAM
  locations than without _Split dm-crypt_. Until there is a way to wipe
  the DisposableVMs' memory, and `qvm-block-split` is modified not to
  pass the key through dom0's memory, **power off your computer when
  memory forensics is a concern.**

- - If both the destination VM and the source VM/disk are compromised,
  they could establish a covert channel using e.g. read and write access
  patterns, slowly saving some amount of decrypted data to the disk.

- - If the source VM/disk is compromised and successfully exploits the
  header DisposableVM using a malicious LUKS header, a known AES-XTS key
  could be sent to the device DisposableVM and used to present malicious
  device content to the destination VM to potentially exploit it as
  well. **Be suspicious if you do not see the expected filesystem data
  in the destination VM. Or simply use a DisposableVM as the destination
  VM.**

- - **Don't forget to overwrite your disk with random data before creating
  a LUKS volume on it.** Otherwise, a compromised destination VM could
  trivially save decrypted data to the disk in its free space, by
  encoding each bit as an unmodified (still empty or in some other way
  nonrandom-looking) or modified (random-looking) 128 bit AES block.


## Installation

1. Copy `vm/` to the DisposableVM template, inspect the code, and `sudo
   make install` there; also install the `pv` (Pipe Viewer) package to
   be able to run the `--overwrite-everything=random` command. Shut down
   the template when finished.

2. Copy `dom0/bin/qvm-block-split` to dom0, e.g. into `~/bin/`, inspect
   the code extra carefully, and `chmod +x` the script.


## Safety warning

The code's error handling is strict, and I haven't experienced any data
loss during development. Nevertheless, this is an early release. Please
**ensure you have a backup of all drives that are connected to your
computer.**
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJX0anuXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfRkkQAI0BIUItYTgf+BNbgAyaykr1
3P+47IUZi0VaLgR0B6+7rRx/9KFkil1dUViz46PvkgD79S71Gl/ThIDSDayBCYmF
Jpk0dwiscKXDZq6EfWVD3Bg0rYdXlmTeSEJn7jnNA35Vm4W9eS+tTdxNnsWhDpVb
97LD/muCgQHYqV8LcSLFcf4wxHMHC8zTh/ytC4ZCkgB+jNHJeJI6xMN8BnGemrMf
3sms1aj72pvg1rcRwlowWo9ib0Yl8Clav0s4308VuaOo2cPFknoDxIpnNloFMd15
RkXVPktoExSICFZKpuIdruEtcGswlxGlcqt3vGiUl1AkhCuJa8OARbfPlquupU+5

Re: [qubes-users] AEM boot option causes hard reboot/partial shutdown (Lenovo T450s)

2016-07-01 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Andrew,

> On 2016-06-22 21:58, Todd Lasman wrote:
>> On 05/16/2016 11:44 PM, Andrew David Wong wrote: I seem to have
>> this exact same problem, but only after installing Qubes 3.2
>> (worked fine with 3.1) on my Thinkpad T430.
> 
> Very interesting. Perhaps my suspicion about the AEM installer
> having recently changed was right after all?

IIRC and going by the dates on the pages below, the installer and all
other code changes were before R3.1 (only the README has changed since):

https://www.qubes-os.org/doc/releases/3.1/schedule/
https://www.qubes-os.org/news/2016/03/09/qubes-os-3-1-has-been-released/
https://github.com/QubesOS/qubes-antievilmaid/commits/master
https://github.com/QubesOS/qubes-antievilmaid/commits/master/anti-evil-maid/sbin/anti-evil-maid-install

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJXa77KXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfoHMQAINdc3jjtOepRQeist3RVXzd
xyMLsbQ6kQtG/mnKAt/ddSI/TDEwQNXG/LQKtVVYDZesU9tDRzX4kKo2ou7DieuK
0/jW9HxrWQuWLH9RzGbIgff5HHQAr2LJx837mwuxqoTmCxmkI+70dXGdJ74ns33t
Cz3ElYqE63xkxnCtf+V5l8pN+fQUXkhxXEVWlh0W+nwCjE7igP1+Eljl4FFWcbdF
fnWlv9fbWcoSHTxexkuzQ1HLzVh3YLD4tecUe5JrmuAP0pwUjEephGacadm4yhh1
cXDdIy2XvLijsmrOhFgLmHsnKY7w4DEWFXLQADZm6vHNpG3dkhhdL4bVF/TxCxNg
lThp5AUJiDTSoXtV3pe1tYw52TrUabbL4rzOseQzfI0fp9qOu90enLnFG6d6usyj
zbuwQer56dZiOoSn8BNY4fBquFjaQnQ4utqY4GIGqm/hssLLPgNGFPD/4zQbqJJW
j1MJyQYwd9vPQLQOnpOSxxRv9Vm+7YpA8/JOuefrpEIIVPGJcZDpU7zqDeeOOkFn
qGPEnKDmKBqRaKYaAdYFpDu6G6WPMRE1+A3VDhBIWnBkXs3ZwIG9Mgnz5wriuPxM
dkObLIi5Rb6CbDTNdLazmppF6xwNMDg12iWb2a5puUzE4ccMEARcbmW9S0BMHCeA
L88bxut/i51024RDjRTE
=210N
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/283b532d-519b-ef7a-b6f5-74b421326ea1%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] How do I install packages to a template over a VPN?

2016-07-01 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Zrubi,

>> There is an issue with updating a template over a vpn: The 
>> intercepting updates proxy normally runs in sys-net, which can't 
>> see inside the encrypted vpn traffic. This may be a cause of the 
>> problem, however it should really only manifest if you are using 
>> yum/dnf; Programs like wget should be able to access the net OK
>> if you've set the template's firewall setting to 'allow...'.
> 
> I'm usually commenting out the yum/dnf proxy for such templates. in
> case of fedora 23 /etc/dnf/dnf.conf You will find the qubes proxy
> related line, comment out that line, and the update will be
> successful.

Or you can disable the updates-proxy-setup Qubes service for that
template, which is responsible for adding the proxy setting to dnf and
apt configuration when the template starts.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJXbQziXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfH7sP/080TCPi9kfKe/mBFt94wSZc
9JPG+NhOqA6NclGECDtTmbgx4REddOofwSQRuIl+0uEsVtE9EdCMRR6DEgcK3fnc
sgQNxC7/qb0CjqTy0BsLDrLkysQThyIzsGQKBTyJ1cQiRcBpwvxDEwda2IuGlzYi
NgITZb9GQMFaxwTeKHKtH+mjKCMncmdHwXzNPCX61+1zjiTsukZU1NoExKUa0hGO
0t20gP3jRdVGCIXkQlosXcUKJwsUKhnU0lodJw56xBX+WpMA1PS8kvzGd2NQwv2a
meXRgeZN/9aStHAgM3Gc52mNyIcEjmG+GUEFrN9DsFs/L9ALDL6NxL5UVm0qD7Cu
S9RJop9AZ6aWs3b7CNgBvoteysqjfToRf7vaeYxSNg9DBdJMcntwq+NYy/pj4MPE
jSXksHFT4YOzUZJfmRXqLU31BeoEJrKOBpjgADNG38IfvLjSQy3k2cl5FyZ5t31H
IKOSb9qQI1uJs44ld9bWdtCdBl+VtPyi/Qkr1CdRbjJi6VN1TJhORofk+QL/ZDOU
rNDDB7KeCQzTx5ue6pCYWxnQ0GoYGTmUKpm52JcHhw98B2o/vm0Di45Q3/9ByXi5
Jgjm/NltHjtyp7GUsr0e7uXVt1YYUW4LcZ4jBthj03lkM9KVb9F/YPGEBfr3V6Sd
34idW/Amhqk6OZcKuGx6
=49Ep
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f6f07479-e436-f473-df5a-392f029acd9a%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] AEM boot option causes hard reboot/partial shutdown (Lenovo T450s)

2016-07-01 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Chris & everyone,

> On 06/23/2016 06:53 AM, Andrew David Wong wrote:

>> On 2016-06-23 03:49, Rusty Bird wrote:
>>> Hi Andrew,
>>> 
>>>> On 2016-06-22 21:58, Todd Lasman wrote:
>>>>> On 05/16/2016 11:44 PM, Andrew David Wong wrote: I seem to 
>>>>> have this exact same problem, but only after installing
>>>>> Qubes 3.2 (worked fine with 3.1) on my Thinkpad T430.
>>>> Very interesting. Perhaps my suspicion about the AEM
>>>> installer having recently changed was right after all?
>>> IIRC and going by the dates on the pages below, the installer
>>> and all other code changes were before R3.1 (only the README
>>> has changed since):

>> Ah, perhaps not then. It remains a mystery!
>> 
> If it changed after initial 3.0 release (esp. later on, near the
> 3.1 release date) then that would actually make sense.

There is something the people for whom AEM fails on UEFI could try:

AEM uses a forked version of grub2's 20_linux_xen as
/etc/grub.d/19_linux_xen_tboot. In commit c43309[1], I rebased this
against the then current (on Fedora) version, which added the
following options for non-BIOS platforms: no-real-mode edd=off

But tboot's 20_linux_xen_tboot [2], a different fork of 20_linux_xen,
never followed grub2 upstream in adding these options. Maybe they
should not be used if Xen is loaded by tboot?

So, try removing "no-real-mode edd=off" (but not the whole line, I
don't know if empty else blocks are allowed here) in
19_linux_xen_tboot and running anti-evil-maid-install again. I'd be
very interested to hear if it helps.

Rusty


1.
https://github.com/QubesOS/qubes-antievilmaid/commit/c43309d0a0b90368b5b2600c886b9deee55e0522

2.
https://sourceforge.net/p/tboot/code/ci/default/tree/tboot/20_linux_xen_tboot
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJXa+IGXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfWR4P/3siCVvTWN3JJHZfeCyjhWpc
lI8P8nNuSP6a4u1bPzu18s8jRaX25AXHID27RnwuOXKXHlSJkH4pB6FphmorqSFS
EhtaIKz+QaEB8ecRxlZeS6KREKGyQbIbaJW5KAOzb2HEeZ6AP4qTBrIHuXOIhYaB
H6qLOvrIMtngJNtKsdBD6xIsx/AuCbn/5jqA807Fw4IikWLts+53CxJ31WK8Er2D
cHD3OD+AyurM2We9Cbc7FNG4H8kIM1+qAGGSqFNAXJP8O9vOIyeGCAN3fo3Ctbj8
ueAqNrRjO00y1Cd/oist8VSf0uNnYKc8Q3sfnnHI6Fm1cn+h+2DBL6UctEPq6JJ7
NpiBP8mBWmkgTWoMOjWkVCjQXJU9GnTFQGLQRUl35nM+pdu9+it9gxbhWeqBh+ME
r1bbNHBK2k9FUPPxE7qiQA1xTuiTeFfOxLTeD2uVoABROYHAlxkh656AXL2qvKOG
lmy0kqFsAsQ81PXfRN6VETjGVaHQBcQLh3nunSS2CeNE88YcwNt4WH6X6mh3453B
NNjnX3p0aHv0uHI9IWp10Tqap/ed8/2F+WStH7on9gFtBgNvPoou7iqP9jjsd0cU
BLvFvffDpqgka50iEH4KUIUHNHWBBkabhpTrUL0t+OlVXGOBPrMuU5sQHIN1+HVw
RNzvu+DKYq/dJMs5w98a
=+Liu
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2813f291-ed31-9451-2661-de5a3d3fc250%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Video in Qubes 3.2

2016-07-01 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi,

> I often watch videos offline. I download .mp4 files dans I play
> them in a dedicated VM (debian template) with MPV. When I launch a
> video, the VM CPU goes up to 98%, It is quite strange.

Try "-vo x11". mpv sometimes defaults to "-vo sdl", which is very slow.

Rusty
-BEGIN PGP SIGNATURE-

iQJ8BAEBCgBmBQJXc46KXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEI1OUJDRkM2MkIxMjlGRTFCMDZEMDQ0
NjlENzhGNDdBQUYyQURGAAoJEEadePR6ryrfysMQAJFQ5h0Mrc2mxQmayQZax+SY
1nlTVlDdUBw2/14YjU6hJ2Hf88ARFLAZNYvn5yb4IPFYRNBTwD2dNjLIg+Kxbx8A
yyT1Agnqll6dDJAQWqGmr2aI8xx5eftUpi92xRLgPaRP3JGyk+pYqvZQLZ6XOOaK
EVlNE7mpJD1PKw0NcrIZYXKk15gdfzVe9waot9awmzJrRJGnOyrvekODuHm6zf2R
yXUcGn498xvbkT9mHsKvwoo1GfhrmfoTAyI+z3T1WvXI6vhhouGbMqyCo1GkU4fy
d2fT8GQLZa6zIy8GC6wQLQPSOo5FqkyQRZXGBHo5ulL+8HKV5RhoCeGdJr0umcfL
UPKHkx0/vsU2+m5Dn3WvC9BDG+c7LoO24pMpOHNGpXaqK2+sWVNiIqyy1WxwzWvM
9pmEv32SyfOU5xpvMbNne7zgCJWdfWPP/P2lcHZqJ02t3uTh3SQblh8PeBDLGfDT
PRDAi3pv7hxDuQtsMYJ4iR8RGbK1wClSOQIjy3ZH0E2pU10yBEzLiQVua6GMi6KV
u2iVzsYvBb6lGRDveAB5Ljjta+I7JGLmM1m9F3KXLfJoZKemJYGBYZJrJzdgZqFL
16Nqo4GvUVDBC+OPBpTH0o1ZHw0QijOw9ZKme2m4O52+zB1+juPZW6PVSNiO2X3n
sJsCwaY5CBjhbkWDTCMI
=2iAM
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fa642610-2a6c-f985-a8c7-0b0b48dcb663%40openmailbox.org.
For more options, visit https://groups.google.com/d/optout.