Re: [qubes-users] Global value for the parameter "revisions_to_keep"

2023-05-12 Thread Thomas Clarke

Hi,

You can list your pools with `qvm-pool`. And list options for a pool with
(where my pool is pool00) `qvm-pool info pool00`. Then you can set
`revisions_to_keep` for a pool like `qvm-pool set -o revisions_to_keep=0 pool00`.

I'm not sure if this will work retroactively on already created volumes, but 
should be applied to all new ones going forward.

On 12/05/2023 18:28, roger paranoia wrote:

Hello

I had a hard time cause I didn't notice the pool memory was running out of 
space because of the accumulation of snapshot revisions.

I actually don't need 2 snapshots for most of my qubes and I've been wondering if it's possible
to set a global value so those qubes don't fill up my disk with "garbage" but I
haven't found anything neither at the corresponding wiki
(https://www.qubes-os.org/doc/volume-backup-revert/) nor any other relevant result on
Google.

It also would be useful to know if there is a fast way to just delete all 
revisions all at once without affecting the main qube.


Thanks in advance for any help

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CANyf1MJnZK5Qtwj5UOCRN8jaPLEHd-ft2_igxrx5dAq99cw0-A%40mail.gmail.com.




[qubes-users] Safest way to pipe JSON data from an AppVM to Dom0

2022-02-10 Thread Thomas Clarke

Hi there,

I'm curious as to what would be an acceptable method of accessing JSON data in an
AppVM from Dom0. I understand the general consensus is it is a risk to do so,
but I have some conkys on my desktop which need data from some AppVMs.

My current method is this:

`qvm-run --pass-io --user user --no-autostart an-app-vm 'cat /dev/shm/somedata.json | tr -cd [:print:] | jq -c .' | tr -cd [:print:] | jq -c .`

Here I pipe the contents of `/dev/shm/somedata.json` through `tr -cd [:print:]` 
to remove all non-printable characters then `jq -c .` which if the input is 
JSON, will output JSON. I do this from within an AppVM and also in Dom0.

Should I be piping through anything else to minimise risk? Sometimes if I know
the data is going to be a certain size I pipe it through `head` also but can't
really think of anything else that would be helpful.

Kind regards,
Tonux
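
An added example (not part of the original post): a dom0-side validator that goes beyond stripping non-printable bytes by capping the size, parsing once, and keeping only whitelisted fields of the expected type. The field names in `SCHEMA`, the 4096-byte cap and the `fetch` helper are assumptions for illustration.

```python
import json
import re
import subprocess

MAX_BYTES = 4096  # assumed upper bound for the conky payload
# Assumed schema: the only keys dom0 accepts, with their expected types.
SCHEMA = {"cpu_temp": (int, float), "unread": int, "status": str}
SAFE_STR = re.compile(r"[A-Za-z0-9 _.:%/-]{0,64}")


def sanitize(raw: bytes, schema=SCHEMA, max_bytes=MAX_BYTES) -> dict:
    """Reduce untrusted bytes from a qube to a flat dict of whitelisted scalars.

    Raises ValueError on anything unexpected instead of trying to repair it.
    """
    if len(raw) > max_bytes:
        raise ValueError("payload too large")
    try:
        doc = json.loads(raw.decode("ascii"))  # reject non-ASCII, don't strip it
    except (ValueError, RecursionError) as exc:
        raise ValueError("not plain ASCII JSON") from exc
    if not isinstance(doc, dict):
        raise ValueError("top level must be an object")
    clean = {}
    for key, expected in schema.items():
        value = doc.get(key)
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(value, bool) or not isinstance(value, expected):
            raise ValueError(f"bad or missing field: {key}")
        # Escapes such as \u001b pass a byte-level printable filter and only
        # become control characters after parsing, so check decoded strings.
        if isinstance(value, str) and not SAFE_STR.fullmatch(value):
            raise ValueError(f"unsafe characters in field: {key}")
        if isinstance(value, (int, float)) and not -1e9 < value < 1e9:
            raise ValueError(f"out-of-range number in field: {key}")
        clean[key] = value
    return clean  # unknown keys are dropped, never copied


def fetch(vm: str, path: str) -> dict:
    """Hypothetical helper: read a capped amount from the qube, then validate."""
    proc = subprocess.Popen(
        ["qvm-run", "--pass-io", "--user", "user", "--no-autostart", vm,
         f"head -c {MAX_BYTES + 1} {path}"],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    raw = proc.stdout.read(MAX_BYTES + 1)  # dom0 enforces the cap itself
    proc.kill()
    proc.wait()
    return sanitize(raw)
```

The size cap is enforced by the read in dom0, not only by `head` inside the qube, since the qube controls everything it runs.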



Re: [qubes-users] Add network drive to Dom0

2022-01-18 Thread Thomas Clarke

This is not Qubes specific. Please consult the documentation for the
distribution your AppVMs are based on. For example, if your AppVMs are using
a Fedora template, consult Fedora's documentation.

On 1/18/22 19:23, William Fisher wrote:

or "Mount"

On Tuesday, January 18, 2022 at 1:22:49 PM UTC-6 William Fisher wrote:

How can I connect a network drive to an app VM?

Bill

On Tuesday, January 18, 2022 at 10:56:10 AM UTC-6 Mike Keehan wrote:

On 1/18/22 15:17, William Fisher wrote:
 > I still can't figure out how to mount the NAS on my local LAN as local
 > storage of my qubes (4.0) back-ups. How do I get Qubes to See the NAS drive?
 >
 > On Monday, January 17, 2022 at 3:45:44 PM UTC-6 awokd wrote:
 >
 > William Fisher:
 > > I'd like to add a network drive (Buffalo NAS) to my Qubes 4.0 system to back
 > > up my Qubes. Is it possible?
 > >
 > Yes. Attach it to a VM with qvm-block, then run the Qubes Backup
 > utility. More detail in here under Creating a backup:
 > https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/
 >
 > --
 > - don't top post
 > Mailing list etiquette:
 > - trim quoted reply to only relevant portions
 > - when possible, copy and paste text instead of screenshots

Hi William,

Dom0 has no network connection, so it isn't possible to connect
network storage to it.

When the Qubes backup process is run, it asks which VM should the
backup be sent to.

I have a VM called Backup in which I mount a shared folder from
my NAS device. The backup process works fine using this. And I
know that restores from the shared NAS folder work OK too, because
I test that occasionally.

Good luck,

Mike.





Re: [qubes-users] QSB-074: Xen issues related to populate-on-demand (XSA-388, XSA-389)

2021-12-28 Thread Thomas Clarke

Xen packages version 4.8.5-36 still not in 4.0 stable repository yet? This 
isn't the first time 'two weeks' have turned into almost a month. Or is there 
something wrong with my setup?

On 11/24/21 8:19 AM, Andrew David Wong wrote:

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 074:
Xen issues related to populate-on-demand (XSA-388, XSA-389).
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack (qubes-secpack).

View QSB-074 in the qubes-secpack:



In addition, you may wish to:

- Get the qubes-secpack: 
- View all past QSBs: 
- View the XSA Tracker: 

```

  ---===[ Qubes Security Bulletin 074 ]===---

  2021-11-23

  Xen issues related to populate-on-demand (XSA-388, XSA-389)


User action required
-

Users must install the following specific packages in order to address
the issues discussed in this bulletin:

   For Qubes 4.0, in dom0:
   - Xen packages, version 4.8.5-36

   For Qubes 4.1, in dom0:
   - Xen packages, version 4.14.3-4

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [1] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [2]

Dom0 must be restarted afterward in order for the updates to take
effect.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.


Summary


The following security advisories were published on 2021-11-23:

XSA-388 [3] "PoD operations on misaligned GFNs":

| x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode,
| to provide a way for them to later easily have more memory assigned.
|
| Guests are permitted to control certain P2M aspects of individual
| pages via hypercalls.  These hypercalls may act on ranges of pages
| specified via page orders (resulting in a power-of-2 number of pages).
| The implementation of some of these hypercalls for PoD does not
| enforce the base page frame number to be suitably aligned for the
| specified order, yet some code involved in PoD handling actually makes
| such an assumption.
|
| These operations are XENMEM_decrease_reservation (CVE-2021-28704) and
| XENMEM_populate_physmap (CVE-2021-28707), the latter usable only by
| domains controlling the guest, i.e. a de-privileged qemu or a stub
| domain.  (Patch 1, combining the fix to both these two issues.)
|
| In addition handling of XENMEM_decrease_reservation can also trigger a
| host crash when the specified page order is neither 4k nor 2M nor 1G
| (CVE-2021-28708, patch 2).

XSA-389 [4] "issues with partially successful P2M updates on x86":

| x86 HVM and PVH guests may be started in populate-on-demand (PoD) mode,
| to provide a way for them to later easily have more memory assigned.
|
| Guests are permitted to control certain P2M aspects of individual
| pages via hypercalls.  These hypercalls may act on ranges of pages
| specified via page orders (resulting in a power-of-2 number of pages).
| In some cases the hypervisor carries out the requests by splitting
| them into smaller chunks.  Error handling in certain PoD cases has
| been insufficient in that in particular partial success of some
| operations was not properly accounted for.
|
| There are two code paths affected - page removal (CVE-2021-28705) and
| insertion of new pages (CVE-2021-28709).  (We provide one patch which
| combines the fix to both issues.)


Impact
---

Malicious or buggy guest kernels may be able to mount Denial of Service
(DoS) attacks affecting the entire system. Privilege escalation and
information leaks cannot be ruled out.

These issues affect only qubes that have dynamic memory balancing
enabled. In the default Qubes OS configuration, this excludes sys-net
and sys-usb, which have memory assigned statically. All other
Linux-based qubes are affected.


Credits


See the original Xen Security Advisories.


References
---

[1] https://www.qubes-os.org/doc/testing/
[2] https://www.qubes-os.org/doc/how-to-update/
[3] https://xenbits.xen.org/xsa/advisory-388.html
[4] https://xenbits.xen.org/xsa/advisory-389.html

--
The Qubes Security Team
https://www.qubes-os.org/security/

```

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2021/11/24/qsb-074/




Re: [qubes-users] Disable/Hide "monitor" for StandaloneVM's

2021-07-24 Thread Thomas Clarke

Actually going to answer my own question here.

So the libvirt version used by Qubes R4 is too old to accept `none` as `video-model`. However I 
can force stop a display window by creating a custom .xml in 
`/etc/qubes/templates/libvirt/xen/by-name` and commenting out/removing ``.

Sorry to clutter the mailing list, hopefully Qubes R4.1 has a newer libvirt 
version!

Tonux

On 7/24/21 10:45 PM, Thomas Clarke wrote:

Greetings fellow Qubes enthusiasts,

I find myself often in a situation where I often do not need the display window
of a StandaloneVM. This is often because I have opted to SSH or RDP into it
from another AppVM. Obviously one solution is just to keep the window
minimised, however I would like to completely disable it for a given
StandaloneVM.

The only thing I found which I thought would work was `qvm-features {nameOfQube} video-model none`
but contrary to the docs on `qvm-features` stating "For available values see libvirt
documentation about  element:
https://libvirt.org/formatdomain.html#elementsVideo"; it appears there is a check enforced
somewhere that only accepts certain values. Running the Qube after setting `video-model` to `none`
returns `Start failed: unsupported configuration: unknown video model 'none', see
/var/log/libvirt/libxl/libxl-driver.log for details` (it is worth noting also, that no error message
is logged to that file).

Any input on achieving my goal would be greatly appreciated.

Kind regards,
Tonux





[qubes-users] Disable/Hide "monitor" for StandaloneVM's

2021-07-24 Thread Thomas Clarke

Greetings fellow Qubes enthusiasts,

I find myself often in a situation where I often do not need the display window
of a StandaloneVM. This is often because I have opted to SSH or RDP into it
from another AppVM. Obviously one solution is just to keep the window
minimised, however I would like to completely disable it for a given
StandaloneVM.

The only thing I found which I thought would work was `qvm-features {nameOfQube} video-model none`
but contrary to the docs on `qvm-features` stating "For available values see libvirt
documentation about  element:
https://libvirt.org/formatdomain.html#elementsVideo"; it appears there is a check enforced
somewhere that only accepts certain values. Running the Qube after setting `video-model` to `none`
returns `Start failed: unsupported configuration: unknown video model 'none', see
/var/log/libvirt/libxl/libxl-driver.log for details` (it is worth noting also, that no error message
is logged to that file).

Any input on achieving my goal would be greatly appreciated.

Kind regards,
Tonux
