Re: [qubes-users] Re: using static dispVM for sys-net

2019-09-09 Thread rec wins
On 9/9/19 11:32 AM, Sven Semmler wrote:
> On 8/17/19 3:55 PM, rec wins wrote:
>> how to store the wifi credentials in custom-dvm-template ?
> assuming you created sys-net using a dvm template named
> dvm-fed-30-min and know the PCI identifier of your wireless interface
> (the one you assigned to sys-net)
> 
> 
> 1) qvm-shutdown --all --wait
> 2) qvm-prefs dvm-fed-30-min virt_mode hvm
> 3) qvm-prefs dvm-fed-30-min provides_network true
> 4) qvm-pci attach dvm-fed-30-min --persistent dom0:
> 5) qvm-start dvm-fed-30-min
> 6) once started use the NetworkManager in the tray to enter your WiFi
> credentials
> 7) qvm-shutdown --wait dvm-fed-30-min
> 8) qvm-pci detach dvm-fed-30-min dom0:
> 9) qvm-prefs dvm-fed-30-min provides_network false
> 10) qvm-prefs dvm-fed-30-min virt_mode pvh
> 11) start sys-net
> 
> /Sven
> 


actually I stored them in the main Fedora Template that the
custom-dvm-template was based on

found the proper file and format from another connection somewhere

perhaps not secure, my method, but seems to work


ty for the steps on your method, I know someone else had been also asking

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e8ba37d2-3a9d-55a0-c601-bcd1923938e1%40riseup.net.


Re: [qubes-users] Re: using static dispVM for sys-net

2019-09-09 Thread Sven Semmler
On 8/17/19 3:55 PM, rec wins wrote:
> how to store the wifi credentials in custom-dvm-template ?
assuming you created sys-net using a dvm template named
dvm-fed-30-min and know the PCI identifier of your wireless interface
(the one you assigned to sys-net)


1) qvm-shutdown --all --wait
2) qvm-prefs dvm-fed-30-min virt_mode hvm
3) qvm-prefs dvm-fed-30-min provides_network true
4) qvm-pci attach dvm-fed-30-min --persistent dom0:
5) qvm-start dvm-fed-30-min
6) once started use the NetworkManager in the tray to enter your WiFi
credentials
7) qvm-shutdown --wait dvm-fed-30-min
8) qvm-pci detach dvm-fed-30-min dom0:
9) qvm-prefs dvm-fed-30-min provides_network false
10) qvm-prefs dvm-fed-30-min virt_mode pvh
11) start sys-net

/Sven


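Sven's steps 1 to 11 above as a single dom0 script, added here as an example and not part of the original message: it runs the same commands in the same order, but always returns the DVM template to `pvh` with `provides_network false` and the device detached, even when an earlier step fails. The PCI identifier is elided in the post, so it is a required argument; `DRY_RUN` and the function names are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the thread. Run in dom0.
# usage: sh this-script DVM_TEMPLATE dom0:PCI_ID [NETVM]
# DRY_RUN=1 only prints the qvm-* commands (assumption of this example).

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Steps 7-10: put the DVM template back into its normal, non-network state.
# Every command runs even if an earlier one fails.
restore_dvm() {
    rc=0
    run qvm-shutdown --wait "$DVM" || rc=1
    run qvm-pci detach "$DVM" "$PCI_DEV" || rc=1
    run qvm-prefs "$DVM" provides_network false || rc=1
    run qvm-prefs "$DVM" virt_mode pvh || rc=1
    return "$rc"
}

store_wifi_credentials() {
    DVM=$1; PCI_DEV=$2; NETVM=${3:-sys-net}
    if [ -z "$DVM" ] || [ -z "$PCI_DEV" ]; then
        echo "usage: store_wifi_credentials DVM_TEMPLATE dom0:PCI_ID [NETVM]" >&2
        return 2
    fi
    run qvm-shutdown --all --wait || return 1                 # step 1
    ok=1
    if run qvm-prefs "$DVM" virt_mode hvm &&                  # step 2
       run qvm-prefs "$DVM" provides_network true &&          # step 3
       run qvm-pci attach "$DVM" --persistent "$PCI_DEV" &&   # step 4
       run qvm-start "$DVM"; then                             # step 5
        if [ "${DRY_RUN:-0}" != 1 ]; then                     # step 6 (manual)
            printf 'Enter the WiFi credentials in NetworkManager, then press Enter: '
            read -r _answer
        fi
    else
        ok=0
    fi
    restore_dvm || ok=0                                       # steps 7-10
    [ "$ok" = 1 ] || { echo "failed; $NETVM not started" >&2; return 1; }
    run qvm-start "$NETVM"                                    # step 11
}

if [ "$#" -gt 0 ]; then store_wifi_credentials "$@"; fi
```

Running it once with `DRY_RUN=1` shows the exact command sequence before anything is shut down.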

[qubes-users] Re: using static dispVM for sys-net

2019-08-17 Thread rec wins
On 8/10/19 5:28 AM, 'awokd' via qubes-users wrote:
> 799:
> 
>> What would be the better choice regarding attack surface:
>>  disposable netvm+firewallvm vs. mirage-firewall?
> 
> You still need a netvm with Mirage, but smallest attack surface alone is
> disposable netvm + Mirage. "Disposable" doesn't increase or decrease
> attack surface, though. It helps against persistence- if something
> managed to compromise sys-net's rw area, it would be gone next reboot.
> 
>> If I understand it right the mirage firewall has no/less option to be
>> compromised.
>> I am using the mirage fw and am only using a fedora-30-minimal based
>> sys-firewall to get dom0-updates, which can't be done via the mirage
>> firewall.
>>
>> But I'll also change this firewall to a static disposable FW.
> 
> If you're using Mirage for a firewall, you don't need that fedora-30
> sys-firewall inline any more. That might be what you have already done.
> You could create a sys-update and place it anywhere behind Mirage firewall.
> 
>> Question:
>> Afaik the problem when using a static disposable sys-net VM is, that I need
>> to enter my Wifi Credentials each time, as the VM will be unable to
>> remember them.
>> Is there any way tweaking this behaviour?
> 
> Put them in the custom DVM template you base the disposable sys-net
> from:
> https://www.mail-archive.com/qubes-users-/jypxa39uh5tlh3mboc...@public.gmane.org/msg26895.html.
> 


Sorry, how is this done, I don't really follow along with the URL link

how to store the wifi credentials in custom-dvm-template ?


regards



[qubes-users] Re: using static dispVM for sys-net

2019-08-16 Thread rec wins
On 8/9/19 11:12 PM, 799 wrote:
> Hello,
> 
> Jon deps wrote on Wed., 3 July 2019, 22:30:
> 
>> am curious if anyone actually does this , and how or would it make any
>> sense instead to use a static sys-firewall ,  if I
>> just have the default  sys-firewall  (which might be easier because
>> there would not be a need for the PCI  setup  ?each time)
> 
> 
> What would be the better choice regarding attack surface:
>  disposable netvm+firewallvm vs. mirage-firewall?
> If I understand it right the mirage firewall has no/less option to be
> compromised.
> I am using the mirage fw and am only using a fedora-30-minimal based
> sys-firewall to get dom0-updates, which can't be done via the mirage
> firewall.
> 
> But I'll also change this firewall to a static disposable FW.
> 
> Question:
> Afaik the problem when using a static disposable sys-net VM is, that I need
> to enter my Wifi Credentials each time, as the VM will be unable to
> remember them.
> Is there any way tweaking this behaviour?
> 
> 799
> 

799, do you have mirageOS upstream of sys-net2 (disposable) working?

I built and have mirage as sys-firewall, but I built it before I created
sys-net2 (disposable)

and the mirage firewall works upstream of sys-net but not sys-net2


I'm thinking during the build process it must be looking for sys-net and
not a sys-net2, esp if it's not there ?

I could rebuild now that I have a sys-net2, but not too confident
about that

best regards



Re: [qubes-users] Re: using static dispVM for sys-net

2019-08-03 Thread Andrew David Wong

On 03/08/2019 5.10 PM, rec wins wrote:
> On 7/8/19 2:15 PM, unman wrote:
>> On Mon, Jul 08, 2019 at 07:24:53PM +, Jon deps wrote:
>>> On 7/3/19 8:50 PM, 'awokd' via qubes-users wrote:
>>>> Jon deps:
>>>>
>>>>> https://www.qubes-os.org/doc/disposablevm-customization/#using-static-disposablevms-for-sys-
>>>>>
>>>>>
>>>>>
>>>>> I can't really understand what the differences would be with a static
>>>>> dispvm (based on a dispvm-template) vs just a regular sys-net
>>>>>
>>>>> if nothing is disposed (static) isn't it just the same
>>>>>
>>>> "Static" there refers to the name and VM configuration, not the
>>>> contents. You only have to set them up once, not every time.
>>>>
>>>
>>>
>>> so making a sys-net2 as a -C DispVM (with persistent PCI tag)  based on a
>>> custom-dispvm-template has more disposable qualities   than
>>>
>>> just an appvm based on say Deb-9 template ?
>>>
>>>
>>> and hence might be a security protocol to make and toss sys-net2 (dispvm)
>>> from time to time or
>>>
>>> is it very minor and not worth the effort?
>>>
>>
>> Do you use DisposableVMs instead of a standard appVM?
>> Why?
>> If you see an advantage there, then you should see advantage in using
>> them for sys-.
>> Since the effort is minimal I'd recommend.
>>
> re:
> https://www.qubes-os.org/doc/disposablevm-customization/#using-static-disposablevms-for-sys-
> 
> if one does all this  to make a  sys-net2
> 
> qvm-create -C DispVM -l red sys-net2
> qvm-prefs sys-net2 virt_mode hvm
> qvm-service sys-net2 meminfo-writer off
> qvm-pci attach --persistent sys-net2 dom0:00_1a.0
> qvm-prefs sys-net2 autostart true
> qvm-prefs sys-net2 netvm ''
> qvm-prefs sys-net2 provides_network true
> qvm-prefs sys-net autostart false
> qvm-prefs sys-firewall netvm sys-net2
> qubes-prefs clockvm sys-net2
> 
> don't they also have to edit
> $ sudo nano /etc/qubes-rpc/policy/qubes.UpdatesProxy
> 
> # Default rule for all TemplateVMs - direct the connection to sys-net
> $type:TemplateVM $default allow,target=sys-net
> 
> and change it to sys-firewall  or sys-net2
> 
> because I'm getting complaint that my pci device is already attached to
> sys-net2 when I attempt updates
> 
> 
> if so maybe  the documentation needs another line  to indicate ?
> 

Done:

https://github.com/QubesOS/qubes-doc/commit/af93a8a87085289181e6460ee72c28f121c8b198

In the future, please feel free to submit PRs for such edits.

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org




[qubes-users] Re: using static dispVM for sys-net

2019-08-03 Thread rec wins
On 7/8/19 2:15 PM, unman wrote:
> On Mon, Jul 08, 2019 at 07:24:53PM +, Jon deps wrote:
>> On 7/3/19 8:50 PM, 'awokd' via qubes-users wrote:
>>> Jon deps:
>>>
>>>> https://www.qubes-os.org/doc/disposablevm-customization/#using-static-disposablevms-for-sys-
>>>>
>>>>
>>>>
>>>> I can't really understand what the differences would be with a static
>>>> dispvm (based on a dispvm-template) vs just a regular sys-net
>>>>
>>>> if nothing is disposed (static) isn't it just the same
>>>>
>>> "Static" there refers to the name and VM configuration, not the
>>> contents. You only have to set them up once, not every time.
>>>
>>
>>
>> so making a sys-net2 as a -C DispVM (with persistent PCI tag)  based on a
>> custom-dispvm-template has more disposable qualities   than
>>
>> just an appvm based on say Deb-9 template ?
>>
>>
>> and hence might be a security protocol to make and toss sys-net2 (dispvm)
>> from time to time or
>>
>> is it very minor and not worth the effort?
>>
> 
> Do you use DisposableVMs instead of a standard appVM?
> Why?
> If you see an advantage there, then you should see advantage in using
> them for sys-.
> Since the effort is minimal I'd recommend.
> 
re:
https://www.qubes-os.org/doc/disposablevm-customization/#using-static-disposablevms-for-sys-

if one does all this to make a sys-net2

qvm-create -C DispVM -l red sys-net2
qvm-prefs sys-net2 virt_mode hvm
qvm-service sys-net2 meminfo-writer off
qvm-pci attach --persistent sys-net2 dom0:00_1a.0
qvm-prefs sys-net2 autostart true
qvm-prefs sys-net2 netvm ''
qvm-prefs sys-net2 provides_network true
qvm-prefs sys-net autostart false
qvm-prefs sys-firewall netvm sys-net2
qubes-prefs clockvm sys-net2

don't they also have to edit
$ sudo nano /etc/qubes-rpc/policy/qubes.UpdatesProxy

# Default rule for all TemplateVMs - direct the connection to sys-net
$type:TemplateVM $default allow,target=sys-net

and change it to sys-firewall or sys-net2

because I'm getting complaint that my pci device is already attached to
sys-net2 when I attempt updates


if so maybe the documentation needs another line to indicate ?


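The policy change asked about above, as an added example that is not part of the original post or the Qubes documentation: it lists the qubes the UpdatesProxy rules point at and rewrites `target=sys-net` without touching comments or names that merely start with `sys-net`. The sample policy text (including the `sys-net-old` rule) and the function names are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the thread. It only reads the policy file and
# prints the rewritten text; review it before installing it in dom0.

# List the qubes that non-comment rules forward update requests to.
proxy_targets() {
    sed -n -E '/^[[:space:]]*#/!s/.*[,[:space:]]target=([^,[:space:]]+).*/\1/p' "$1" | sort -u
}

# Print POLICY with target=OLD replaced by target=NEW (whole names only).
retarget_updates_proxy() {
    policy=$1; old=$2; new=$3
    for name in "$old" "$new"; do
        case "$name" in
            ''|*[!A-Za-z0-9_.-]*) echo "invalid qube name: '$name'" >&2; return 2 ;;
        esac
    done
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')   # a dot in a name is literal
    sed -E "/^[[:space:]]*#/!s/([,[:space:]])target=${old_re}([,[:space:]]|\$)/\\1target=${new}\\2/" "$policy"
}

# Constructed sample: the two lines quoted in the post plus two made-up rules.
sample_policy() {
cat <<'EOF'
# Default rule for all TemplateVMs - direct the connection to sys-net
$type:TemplateVM $default allow,target=sys-net
$tag:example $default allow,target=sys-net-old
$anyvm $anyvm deny
EOF
}

if [ "$#" -eq 3 ]; then
    retarget_updates_proxy "$@"        # e.g. FILE sys-net sys-net2
else
    tmp=$(mktemp) && sample_policy > "$tmp"
    retarget_updates_proxy "$tmp" sys-net sys-net2
    rm -f "$tmp"
fi
```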

Re: [qubes-users] Re: using static dispVM for sys-net

2019-07-08 Thread unman
On Mon, Jul 08, 2019 at 07:24:53PM +, Jon deps wrote:
> On 7/3/19 8:50 PM, 'awokd' via qubes-users wrote:
> > Jon deps:
> > 
> > > https://www.qubes-os.org/doc/disposablevm-customization/#using-static-disposablevms-for-sys-
> > > 
> > > 
> > > 
> > > I can't really understand what the differences would be with a static
> > > dispvm (based on a dispvm-template) vs just a regular sys-net
> > > 
> > > if nothing is disposed (static) isn't it just the same
> > > 
> > "Static" there refers to the name and VM configuration, not the
> > contents. You only have to set them up once, not every time.
> > 
> 
> 
> so making a sys-net2 as a -C DispVM (with persistent PCI tag)  based on a
> custom-dispvm-template has more disposable qualities   than
> 
> just an appvm based on say Deb-9 template ?
> 
> 
> and hence might be a security protocol to make and toss sys-net2 (dispvm)
> from time to time or
> 
> is it very minor and not worth the effort?
> 

Do you use DisposableVMs instead of a standard appVM?
Why?
If you see an advantage there, then you should see advantage in using
them for sys-.
Since the effort is minimal I'd recommend.



[qubes-users] Re: using static dispVM for sys-net

2019-07-08 Thread Jon deps

On 7/3/19 8:50 PM, 'awokd' via qubes-users wrote:
> Jon deps:
>
>> https://www.qubes-os.org/doc/disposablevm-customization/#using-static-disposablevms-for-sys-
>>
>> I can't really understand what the differences would be with a static
>> dispvm (based on a dispvm-template) vs just a regular sys-net
>>
>> if nothing is disposed (static) isn't it just the same
>
> "Static" there refers to the name and VM configuration, not the
> contents. You only have to set them up once, not every time.

so making a sys-net2 as a -C DispVM (with persistent PCI tag) based on
a custom-dispvm-template has more disposable qualities than

just an appvm based on say Deb-9 template ?

and hence might be a security protocol to make and toss sys-net2
(dispvm) from time to time or

is it very minor and not worth the effort?

