Re: [qubes-users] Re: USB & PCIe devices management questions

2017-01-18 Thread podmo
bb.alas...@gmail.com wrote:
> What about PCIe USB cards? Could I assign such a PCIe device to a specific
> qube, so USB ports on that card are available only for that qube, as there
> is another controller on the card (I think so at least), or is my reasoning
> wrong?

Keep in mind you can pass through a single USB device to a qube by
following the steps at the bottom of https://www.qubes-os.org/doc/usb so
you don't really need to use all these separate USB controllers, but the
method you are describing would work too.


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d19965b0b6b79a1266f08b2897148668.webmail%40localhost.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: VmCL for Coldkernel Debian 8 Qubes R3.2

2016-12-19 Thread podmo
On 2016-12-18 9:20 AM, Reg Tiangha wrote:
>
> I managed to get dispVMs to work as well, but I had to trick Qubes
> Manager to do it. For whatever reason, when you run
> qvm-create-default-dvm, it'll take whatever kernel is set to default
> under Global Settings and apply it to future dispVMs. So if you have it

Thanks for the tip and more generally for your work on this! It encouraged
me to try it out too.



[qubes-users] VmCL for Coldkernel Debian 8 Qubes R3.2

2016-12-17 Thread podmo
Reporting success with Coldkernel on Qubes R3.2 with Debian 8 template.
Followed the steps in
https://coldhak.ca/blog/2016/12/12/coldkernel-qubes-1.html and worked
first try. I did some further tweaking afterwards to allow me to lock it
down a bit more in the future with TPE and keep my template minimal.

In the linux-4.8.13 directory structure:
Copied u2mfn.c to drivers/misc and set up references in Kconfig and Makefile
make menuconfig

GRKERNSEC_TPE_ALL=y [kernel.grsecurity.tpe_restrict_all]
GRKERNSEC_TPE_INVERT=y [kernel.grsecurity.tpe_invert]
PAX_MEMORY_SANITIZE=y [not sure if Xen sanitizes freed memory within the VM, appears to only be on shutdown]
PAX_MEMORY_STACKLEAK=y
CONFIG_XEN_BLKDEV_BACKEND=m [believe this is necessary for the USB VM, crashed Qubes Manager on attaching USB device to other VM without it]
CONFIG_XEN_NETDEV_BACKEND=m [and this for Net VM]
CONFIG_U2MFN=y [to let me avoid DKMS]

fakeroot make bindeb-pkg -j 4 LOCALVERSION=-coldkernel-grsec-1 KDEB_PKGVERSION=4.8.13-coldkernel-grsec-1

Then, copied the following to minimal template:
linux-image-4.8.13-coldkernel-grsec-amd64.deb
paxctld_1.2.1-1_amd64.deb
paxctld.conf
/usr/share/initramfs-tools/hooks/qubes_vm
/usr/share/initramfs-tools/scripts/local-top/qubes_cow_setup

Added the following file on minimal:
/etc/sysctl.d/81-grsec.conf
  kernel.grsecurity.deny_new_usb = 0
  kernel.grsecurity.tpe_invert = 1
  kernel.grsecurity.tpe_restrict_all = 1

And ran on it:

sudo dpkg -i paxctld_1.2.1-1_amd64.deb [or use one from testing repository]
sudo apt install grub2-common

sudo groupadd -g 9001 grsecproc
sudo groupadd -g 9002 tpeuntrusted
sudo groupadd -g 9003 denysockets
sudo cp paxctld.conf /etc/paxctld.conf
sudo paxctld -d
sudo systemctl enable paxctld
sudo dpkg -i linux-image-4.8.13-coldkernel-grsec-amd64.deb
sudo mkdir /boot/grub
sudo update-grub2

sudo shutdown -h now

Changed it to use PVGRUB2 and minimal template worked too. Applied it to
sys-net, sys-firewall, sys-usb and all function (after adding some
packages I missed, etc.) except with two issues so far:
1. qvm-copy-to-vm completes successfully but throws an error to the
console at the end about failed to open /proc: permission denied.
2. On full reboot, all sys-VMs start automatically but networking doesn't
work right until I shut down whonix and firewall, then start them back up
in the proper order. Not sure if it's because they are just booting too
fast or if some trigger isn't getting communicated properly.


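A check for the template steps in the 2016-12-17 post, as an added example that is not part of the original message: it verifies that /etc/sysctl.d/81-grsec.conf and /etc/group under a given root carry the grsecurity sysctl values and the three groups with the GIDs the post lists. The function names are hypothetical, and the sample files are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: audit a template against the settings listed in the post.
# Function names are hypothetical; keys, group names and GIDs are the post's.

# check_sysctl FILE KEY VALUE: succeed if the last assignment of KEY is VALUE.
check_sysctl() {
    awk -F= -v k="$2" -v v="$3" '
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        { key = $1; val = $2
          gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        key == k { found = (val == v) }           # a later line overrides
        END { exit (found ? 0 : 1) }' "$1"
}

# check_group FILE NAME GID: succeed if group NAME exists with that GID.
check_group() {
    awk -F: -v n="$2" -v g="$3" '
        $1 == n && $3 == g { ok = 1 }
        END { exit (ok ? 0 : 1) }' "$1"
}

# audit_template ROOT: check ROOT/etc; returns the number of failed checks.
audit_template() {
    root="${1:-}"; fails=0
    for kv in deny_new_usb=0 tpe_invert=1 tpe_restrict_all=1; do
        check_sysctl "$root/etc/sysctl.d/81-grsec.conf" \
            "kernel.grsecurity.${kv%%=*}" "${kv#*=}" ||
            { echo "FAIL sysctl kernel.grsecurity.$kv"; fails=$((fails + 1)); }
    done
    for ng in grsecproc:9001 tpeuntrusted:9002 denysockets:9003; do
        check_group "$root/etc/group" "${ng%%:*}" "${ng#*:}" ||
            { echo "FAIL group $ng"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# Constructed sample root so the script runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/etc/sysctl.d"
printf '%s\n' 'kernel.grsecurity.deny_new_usb = 0' \
    'kernel.grsecurity.tpe_invert = 1' \
    'kernel.grsecurity.tpe_restrict_all = 1' > "$demo/etc/sysctl.d/81-grsec.conf"
printf '%s\n' 'grsecproc:x:9001:' 'tpeuntrusted:x:9002:' \
    'denysockets:x:9003:' > "$demo/etc/group"
audit_template "$demo" && echo "sample root matches the post's settings"
rm -rf "$demo"
```

Inside a real template, `audit_template ""` checks the live /etc; it reads the configuration files only, not the values the running kernel currently holds.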