[qubes-users] Unable to assign USB microphone to a VM

[Elias Mårtenson]

I have been unable to get my microphone working, and I'm coming here in the 
hope that someone might be able to provide some advice.

Here's all the relevant details I can think of at the moment:

This is on a workstation that is not currently using sys-usb, since I don't 
have neither a PS2 keyboard nor mouse available.

I have a USB headset as well as a USB DAC connected. Audio output to both the 
headset and the DAC works fine (I'm using the DAC for listening to music, and 
the headset for phone conferencing).

I have used pavucontrol in dom0 to assign the output and input devices that I 
want to the respective VM's. My choice of output device is honoured, so I know 
that part of the equation works.

Now for the microphone problem. I select the headset microphone in pavucontrol 
in dom0, and while doing so I note that the meter is bouncing back and forth 
while speaking, which means that it actually works.

I then start a VM, and run the following from dom0:

qvm-device mic attach  dom0:mic

I start pavucontrol and audacity in the VM. As soon as I click on “monitor” in 
audacity I can see it show up in the VM's pavucontrol session, but:

- I see no activity in audacity
- pavucontrol doesn't show any activity (unlike the dom0 pavucontrol)
- If I click “record” in audacity it doesn't record anything at all, not 
even 
  silence. That suggests that it's blocking when trying to read from the 
  device.

Does anyone have any idea what is going wrong?

Regards,
Elias

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/41e1603b-3d51-4665-8d11-3d147c8dbd64%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Changing colors?

[joeviocoe]

On Monday, 26 March 2018 18:25:19 UTC-4, Chris Laprise  wrote:
> On 03/26/2018 05:08 PM, sevas wrote:
> > Ah, I mean to change the values of each color.
> > 
> > I want my green to be #00ffae and by blue to #00!
> > 
> > Vibrance!
> > 
> 
> IIRC, you can't edit the Xfce4 Qubes colors, but for KDE5 you can change 
> them in /home/user/.local/share/qubes-kde folder. At least you can with 
> Qubes 3.2; I don't know about Qubes 4.0 at this point.
> 
> 
> -- 
> 
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

With xfce4, is there any way to change the title bar color of the default 
adwaita theme.  I want to keep the theme, but having dom0 as "blue" takes away 
from an already limited set of domain colors used for vms.  I don't want dom0 
looking too much like a DomU.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f2923265-e029-4628-860f-3550b4c3b21f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Yubikey in challenge/response mode to unlock LUKS on boot

[joeviocoe]

Something unrelated completely corrupted my system.  dom0 got hosed and I was 
not able to recover. So I have reinstalled qubes from scratch, but this time I 
am using a software raid on 2 nvme pcie drives. 

Qubes 4 set up does allow for an encrypted raid the graphical setup.  It does 
not create an lvm.  I am using a separate drive with luks and an lvm thin pool.

So now I have 3 luks partitions opened on boot.  / (root), swap, and secondary 
drive that isn't important to the OS.

The way grub is set up by default now, is to have multiple "rd.luks.uuid=" 
parameters, one for each.  Also, after each luks parameter, if one of the raid 
volumes, there is a "rd.md.uuid=" parameter.
This works using a single luks passphrase at boot time.

Command line: placeholder root=UUID=9f9879f9-b275-4313-abef-1d99ecff7810 ro 
rd.luks.uuid=luks-4a69493c-62a7-4c2b-8f4b-a90133d925f5 
rd.luks.uuid=luks-d4d18b89-907e-47a2-bdc1-7da5096fc437 
rd.luks.uuid=luks-1dfee293-9d48-470b-8b53-d10ad9b13b0b 
rd.md.uuid=2d63c5de:209df367:6cc0fc7e:e96b1484 
rd.md.uuid=0a9b3000:21ca14f0:eea9dcd4:0fa1b693 i915.alpha_support=1 rhgb quiet 
rd.ykluks.hide_all_usb


So now I am thinking about your setup instructions, in this scenario.

>From what I've tested, multiple "rd.ykluks.uuid" and entries on the grub line, 
>tries to invoke multiple instances, and boot fails.  I then tried a single 
>rd.ykluks.uuid parameter with the comma separated uuids. And keep the existing 
>"rd.md.uuid" parameters after that. 

It doesn't work.  I just get a blinking cursor, no prompts or messages.
I've tried removing the "luks-" prefix on the UUIDs, but still fails.

If I remove the "rd.md.uuid" parameters... I do get prompted for yubikey 
password and it does begin to decrypt the volumes as expected.  But without the 
raid mounting "md" parameters... it doesn't boot from there.

My experience with dracut modules is very limited, but I want to test this RAID 
use case so your module is more robust.  What should I try next?

Thanks.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a1c607b0-5d1d-4e00-99e9-aa488d3212f3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Whonix 14 has been Released

[Franz]

On Mon, Aug 20, 2018 at 10:21 AM, awokd  wrote:

> On Mon, August 20, 2018 11:27 am, Franz wrote:
>
>
> > Thanks
> > a /var/log/tor/log file does not exists. There are no files in
> > /var/log/tor/ folder.
> >
> >
> > It did not happened before, but now I'm getting the enclosed alert
> > window, which tells about permission errors.
> >
> > Perhaps it is better to try to delete the Whonix 14 installation and try
> > another time.
>
> Did you rename/delete your old sys-whonix before following the Whonix 14
> installation steps to create a new one? If you tried to re-use it with the
> new template, I'm not sure that would work.
>
>
Thanks
No, from the various instructions I understood had to  rename only the
templates. So did not rename sys-whonix.
I'll try to rename it and do a new update.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAPzH-qCezxnDM1n9odn-%2BHdkZJBVhu8Uq_bY3y0ROK7EGXoiiw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Both dVM gnome-terminals are not launching

[Marcus Linsner]

On Tuesday, August 21, 2018 at 2:28:53 AM UTC+2, John S.Recdep wrote:
> On 08/16/2018 03:09 AM, Marcus Linsner wrote:
> > On Friday, June 1, 2018 at 11:31:14 PM UTC+2, qube...-...@public.gmane.org 
> > wrote:
> >> The Qubes docs at:
> >>
> >> https://www.qubes-os.org/doc/dispvm-customization/
> >>
> >> note the following for disposable vms:
> >>
> >> __
> >>
> >> Note that currently only applications whose main process keeps running 
> >> until you close the application (i.e. do not start a background process 
> >> instead) will work. One of known examples of incompatible applications 
> >> is GNOME Terminal (shown on the list as “Terminal”). Choose different 
> >> terminal emulator (like XTerm) instead.
> > 
> > Also nautilus (shown on the list as "Files") even though its main process 
> > (at least when run from another terminal) doesn't return (like 
> > gnome-terminal does) until its window is closed (actually 11 seconds after 
> > its window is closed: try "time nautilus; echo returned" and alt+f4 the 
> > window as soon as it appears - shows like 13 seconds then "returned"). Can 
> > anyone explain?
> > 
> 
> Can you rewrite this, if it is not solved?
> 
> What are you trying to do ?Open a dispVM  and you want it to work
> when it isn'tand/or  it's too slow ..   your question isn't clear

In a DispVM, when you run xterm (which does work/open), then type "time 
nautilus; echo returned", it works, that is, it opens the 'Files' window and in 
xterm you see that the command 'time nautilus' hasn't returned(until 11 seconds 
AFTER you close the nautilus window - which almost makes sense, but why the 
delay? that's one question)! which means nautilus doesn't seem to run as a 
background process(like 'gnome-terminal' does), which means that when you 
straight choose the 'Files' application in the fedora 28 disposable vm menu, it 
should open the window, and yet it doesn't: it starts a dispVM then halts, 
without opening any windows (just like it does when you try 
'gnome-terminal'(shown as 'Terminal' in the app list) - ok, it's almost the 
same, at least with 'gnome-terminal' you do get to see its window appear for 
like 1 second before it auto closes (and all this I understand, it's explained 
in that quoted section).

So the following doesn't seem to apply to nautilus, then is something else 
going on ?
> Note that currently only applications whose main process keeps running
> until you close the application (i.e. do not start a background process
> instead) will work. One of known examples of incompatible applications
> is GNOME Terminal (shown on the list as “Terminal”). Choose different
> terminal emulator (like XTerm) instead. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d83a5ecc-4d10-48bf-b068-eca5f574a66b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] New Foreshadow exploits CPU bug

[taii...@gmx.com]

SGX is another ME service slash intel marketing gimmick invented for DRM
not security.

If the person who purchased the computer can't examine the VM's running
on it then they are not owning it simply licensing it which is why SGX
is a bad technology and people shouldn't buy x86.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/0d778ab5-12b9-12db-9600-e63b676dbab7%40gmx.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] New Foreshadow exploits CPU bug

[Andrew David Wong]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 2018-08-20 20:19, jonbrownmaste...@gmail.com wrote:
> So the new Foreshadow exploit bypasses all Intel CPU protections 
> even secure enclaves SGX promised to solve. Additionally it 
> bypasses all VM protections. Check it out below:
> 
> https://foreshadowattack.eu/
> 

With respect to Qubes and Xen, "Foreshadow" is another name for
CVE-2018-3620 and CVE-2018-3646 (CVE-2018-3615 doesn't apply Xen,
since it doesn't currenty use SGX), which we've been discussing in
this thread:

https://groups.google.com/d/topic/qubes-users/Isn_hko7tQs/discussion

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAlt7bFwACgkQ203TvDlQ
MDDvlA//U5HMGhY59cOLy2UmigJ049+gDJjYerjf74kO+4Oz8prH9qvxRRfb/u7x
M3+TQuz1Tum5IsxqjhQB6wwQdYHRvwpzyawwQoIWF5uMQeCsv+QBC6eRiSfSrMMF
ef8f50unVjkk9aGRhoV3BKSW3N1XgFeowBR4ifUul4PO0xwOygdO57Jz2HhL/ViP
3FWqg82xwF2z7lc3YHzrsWd7UUI1/CuUA2lgUm8pgB8sxs6CkQ7fPDt9AAViiowR
mUo5uoqgm6j3W26Nx5Gj0zixj2aYxOZnalc1Kwk7ViovCrsUwDpYM2p/JEQnpf00
PF6ttA9FvdFywf5flDIn6BLaaKbWlVoW4fLPXTD9Lr4/DdNVDt42Cp7y51GIFxPB
1a6rGtVxBBlgcBT7yonhWBxudy13KMe3bZkWp341t6uH+G+3X4JHc/tiKN8eSjLM
tqxfhRceAoolB6jkH3c8oDVy6Iez9p0GqaoTHtFm+i5skUOD35Kb4zKNvjoUpgpu
5BOrhN0PavW26uPi1SOibp0cUUOck6bSH541Rkljh1VKZb4on3tOxzSXJkmB5op8
qEHIQv26ICqLe45BtCdH429yEzVSHJNYDbZMsZJAXeXaHX+VCNn8oaMJRDf52M4Y
eNGzGNaywlErei/PKAevzjzAHX+kJXhyyf762/A8xV6QRbc6O4Y=
=d4VQ
-END PGP SIGNATURE-

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d2cee707-ba70-a494-e153-2597681554a6%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] New Foreshadow exploits CPU bug

[jonbrownmasterit]

So the new Foreshadow exploit bypasses all Intel CPU protections even secure 
enclaves SGX promised to solve. Additionally it bypasses all VM protections. 
Check it out below:

https://foreshadowattack.eu/

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1799f6f4-f50b-4a86-844c-cdeb6bb5073b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Both dVM gnome-terminals are not launching

[John S.Recdep]

On 08/16/2018 03:09 AM, Marcus Linsner wrote:
> On Friday, June 1, 2018 at 11:31:14 PM UTC+2, 
> qube...-DIVuIKq8I9LqlBn2x/y...@public.gmane.org wrote:
>> The Qubes docs at:
>>
>> https://www.qubes-os.org/doc/dispvm-customization/
>>
>> note the following for disposable vms:
>>
>> __
>>
>> Note that currently only applications whose main process keeps running 
>> until you close the application (i.e. do not start a background process 
>> instead) will work. One of known examples of incompatible applications 
>> is GNOME Terminal (shown on the list as “Terminal”). Choose different 
>> terminal emulator (like XTerm) instead.
> 
> Also nautilus (shown on the list as "Files") even though its main process (at 
> least when run from another terminal) doesn't return (like gnome-terminal 
> does) until its window is closed (actually 11 seconds after its window is 
> closed: try "time nautilus; echo returned" and alt+f4 the window as soon as 
> it appears - shows like 13 seconds then "returned"). Can anyone explain?
> 

Can you rewrite this, if it is not solved?

What are you trying to do ?Open a dispVM  and you want it to work
when it isn'tand/or  it's too slow ..   your question isn't clear

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e2a3083f-3a25-1ced-20e9-e5b90b704e48%40riseup.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] how do you clear "move/copy to other app vm" context windows

[Unman]

On Mon, Aug 20, 2018 at 12:16:05PM +0200, cubit wrote:
> 18. Aug 2018 11:22 by un...@thirdeyesecurity.org 
> :
> 
> > On Thu, Aug 16, 2018 at 08:32:35PM +0200, cubit wrote:
> >> Is there a way to copy the suggested VMs in the "move/copy to other app 
> >> vm" as I have a few entries that no longer exist and would like to get rid 
> >> of them?
> >>
> >>
> >> CuBit
> >
> > Those aren't "suggested": they are taken from list of available qubes,
> > and I don't think they are cached.
> >
> > Just to be clear, you have run 'qvm-remove foo', foo no longer appears
> > in the QubeManager, you cannot run a program in foo by (e.g)  'qvm-run -a 
> > foo
> > xterm', but foo appears in the drop down list for policy checking?
> >
> 
> 
> 
> 
> 
> 
> 
> Thank you Unman,  this is on Qubes 3.2 maybe working differently
> 
> 
> 
> 
> I have entries in the "suggested" list which includes old AppVM that no 
> longer exist and even incomplete entries where I was too quick to hit return 
> to send a file.  Example  I have "vaul"  (no such appvm ever exist) and 
> "vault" (does exist appvm)
> 
> 
> 
> 
> 
> 
> 
> CuBit

Ah, OK  - on 3.2 the lists were indeed cached on the calling qube.

The rogue entries are stored in ~/.config/qvm-mru-filecopy in the qube
you are trying to copy from.
You can just edit that file to remove them from the list.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20180821000925.5hjz2vu5u7acv7bg%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Can I hope to run Qubes OS on Macbook Air 2013

[Jason Turner]

On Wednesday, January 13, 2016 at 12:41:37 PM UTC-5, Eric Shelton wrote:
> On Wednesday, January 13, 2016 at 8:15:06 AM UTC-5, mariusz...@gmail.com 
> wrote:Same as topic name. I am currently running mac os with heavy virtual 
> machines usage to get more security/privacy. I will probably switch to linux 
> soon but since i plan on using a lot of one time use VMs or even whonix i 
> would rather get as secure host as possible. So i figured why not use Qubes 
> OS since i already do everything manually.
> If not mba what high end ultrabook would you recommend ?
> 
> 
>  I got it working on a 2012 MacBook Air w/ 4GB of RAM:
> 
> 
> https://groups.google.com/forum/#!topic/qubes-devel/uLDYGdKk_Dk
> 
> 
> 
> The 3.1 rc series of Qubes supports EFI boot, so you can likely avoid most, 
> if not all, of the rEFInd stuff in those directions - it should just boot and 
> install from a USB stick.  Do not create a usbvm in your install - on Macs 
> the keyboard and trackpad are USB devices, and you won't be able to sign in 
> if you use a usbvm.  If you have 8GB or RAM, you should be good for almost 
> anything, including running a non-Linux OS in an HVM domain.  That could 
> include running OS X within Qubes 
> (https://groups.google.com/d/msg/qubes-users/RiVntUzgJmY/hiohgHm4BwAJ).  If 
> you just have 4GB, you can still run Qubes, but mostly just running Linux.
> 
> 
> To be on the safe side, I would suggest first making a USB stick with the OS 
> X installer on it (you should be able to find instructions for this online - 
> generally involves downloading the installer via the App Store and running 
> the createinstallmedia command hiding inside the application).  Then, if 
> things don't work, or you need to return the MacBook Air to some sane state, 
> you at least have that as a backup.
> 
> 
> Good luck,
> Eric

Hi Eric, I'm trying to install Qubes 4.0RC on a 2017 MacBook. I have a USB that 
it boots from and get to the language screen but the keyboard and trackpad do 
not work. Any clues on how to get past that?

Thanks,
jason

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/b358b8c7-d17a-4e88-ad3e-8a2dafbd89f3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Any way to draw characters on lockscreen/encryption screen?

[Frozentime345]

I'm interested in drawing out characters as a method of invisibleish 
input on either a touchpad or touchscreen since I want to bring my qubes 
device anywhere. I couldn't find any mention of this in a fedora google 
search or a qubes search nor in qubes settings. I doubt it exists but I 
just thought I'd ask lol.



--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cea329b3-1932-dd4a-10bd-4ec1708f0e35%40gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Shredding VM images

[Steve Coleman]

On 08/20/18 12:49, Chris Laprise wrote:

On 08/20/2018 11:34 AM, tierl...@gmail.com wrote:
What's the most convenient way to wipe these images? (I'm just talking 
about individual VM images)


To clarify on your first question: Since encryption is protecting the 
storage pool that contains the disk images and its on an SSD, the only 
sure way to 'wipe' them in general (not just in the other-VMs-can't see 
the data sense) is to throw away the encryption passphrase. This 
makes the entire pool unusable, but if this seems like a problem you can 
configure more than one storage pool each with its own encryption 
key+passphrase and store VMs inside them.


With an Opal 2.0 SSD you could create a "locking range" for the volatile 
portion of the VM file system, using sedutil-cli then when destroying 
the VM you simply run it with the '--eraseLockingRange' command which 
essentially flips the key bits associated with that region of the SSD. 
The logic built into the drive will ensure the erase of the physical 
memory mapped into that SSD's defined locking range[n].


sedutil-cli


--setupLockingRange <0...n>
--enableLockingRange <0...n>  


--disableLockingRange <0...n>  
--eraseLockingRange <0...n>  

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f2019579-5ab4-5f5f-0278-aefd757df080%40jhuapl.edu.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: X1 Carbon again; Qubes DSDT override?

[ranguvar13]

On Saturday, August 11, 2018 at 6:28:41 PM UTC-4, rich...@gmail.com wrote:
> Success!
> 
> By process of elimination, I was able to pinpoint the wakeup issue to sys-usb.
> 
> With further testing, I found that removing the USB-C Thunderbolt 3 
> Controller from sys-usb's device list resolved the issue.
> 
> Will test further to see if fiddling with Thunderbolt BIOS assist mode will 
> help. Might a BIOS update might fix this? (The BIOS is on N23ET40W v1.15 from 
> 2018-04-13). Is there a way to update the BIOS without a Windows 10 utility?
> 
> Side notes:
> 
> 1. Despite dmidecode reporting back the proper magic LENOVO and X1 Carbon 
> magic strings, I still need to manually specify acpi_force_s3=5 into my 
> xen.cfg, otherwise the kernel patch does not appear to work.
> 
> 2. My aside about needing the LiveCD Lenovo trick was irrelevant. I can 
> install from an install disk created with dd, so I don't know what I was 
> doing wrong the first time.

Turning Thunderbolt BIOS assist on should be the solution.

I had the same issue in Linux and fixed it by turning that on.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9f7a0488-6b32-4e9e-a003-3c86679b6fe2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Best Laptop for Qubes 4+ and Heads

[stallmanrocks]

Also, you can build your own linux and integrate it into Bios chip. It is 
amazing. ;)

https://www.coreboot.org/Payloads

Payloads

Linux-Kernel

The Linux kernel can be used as a payload, and, if it fits into the flash ROM 
chip, even a distribution can be a payload. But it’s more common to let Linux 
load another Linux kernel using kexec. Several projects exist to build such a 
Linux kernel and an initramfs image.

LinuxBoot
Heads
Petitboot – A kexec-based bootloader, How-to
Petitboot for coreboot
u-root

You could download this floppy from KolibriOS website and add it to your 
coreboot.rom with this command : ./build/cbfstool build/coreboot.rom add -f 
./build/kolibri.img -n floppyimg/kolibri.lzma -t raw -c lzma Then it will be 
available for selection at SeaBIOS boot menu when you would want to launch it 
and have fun ;)

On Friday, August 10, 2018 at 5:00:43 PM UTC+3, jonbrown...@gmail.com wrote:
> Heyo,
> 
> I am looking for the best laptop for Qubes 4.0+ to take advantage of all the 
> features along with Heads. I know Heads only officially supports Lenovo 
> Thinkpad 230 but is that the best choice to future proof myself and take 
> advantage of all security benefits?
> 
> How is the 230 on the binary blob front and other firmware? Is there any 
> other technology besides Heads that could enhance Qubes or provide 
> better/additional protection?
> 
> Here is more info on Heads http://osresearch.net/
> 
> Any help is greatly appreciated.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/216fffeb-1f58-40bc-bb10-b027b3ca6201%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Best Laptop for Qubes 4+ and Heads

[stallmanrocks]

On Friday, August 10, 2018 at 5:00:43 PM UTC+3, jonbrown...@gmail.com wrote:
> Heyo,
> 
> I am looking for the best laptop for Qubes 4.0+ to take advantage of all the 
> features along with Heads. I know Heads only officially supports Lenovo 
> Thinkpad 230 but is that the best choice to future proof myself and take 
> advantage of all security benefits?
> 
> How is the 230 on the binary blob front and other firmware? Is there any 
> other technology besides Heads that could enhance Qubes or provide 
> better/additional protection?
> 
> Here is more info on Heads http://osresearch.net/
> 
> Any help is greatly appreciated.

I use x220 tablet and it is great laptop for Qubes OS 4

1. Heads support (no problems, easy install, works on my machine, many great 
features kexec etc)
https://github.com/osresearch/heads/tree/master/blobs/x220

Alternative :
https://git.lsd.cat/g/thinkpad-coreboot-qubes

ME disabled (works!)

2. Tomu support (30$ ) (works fine!)
https://www.crowdsupply.com/sutajio-kosagi/tomu

porting gnuk to tomu (opensource analog yubikey, needed to use heads)

https://github.com/osresearch/heads-wiki/blob/master/GPG.md

Dev: https://github.com/aze00/gnuk/tree/efm32
PR: https://github.com/im-tomu/tomu-samples/pull/35
Issue: https://github.com/im-tomu/tomu-samples/issues/4

Alternative - Nitrokey
https://shop.nitrokey.com/shop/product/nitrokey-start-6 (based on gnuk)

3. https://inversepath.com/usbarmory nice compatibility (works without any 
issues)

4. for good work you need a bundle i7 2gen, 16 RAM and good SSD disk ( I 
completely lack 256 gigabytes )

main templates : 
archlinux
artful
bionic
centos-7
debian-9
dev (buster)
fedora-28
kali-rolling
void-template
whonix-ws-14
whonix-gw-14

works fine and easy build from https://github.com/QubesOS/qubes-builder

+ 8-10 services (vpn,tor,wireguard etc)
+ 3-4 disp vm's (internet browsing)
+ 8+10 domains

Total disk usage : 20.4%
lvm : 36.2%  77.4GB/213.8GB

So, 256GB is enough.

5. You can use it like tablet ;)

https://github.com/martin-ueding/thinkpad-scripts

rotate/touchscreen works great and works on every VM machine.

6. TPM ownership/reset (work!)

7. 10 open vms

temp 52 
fan 3496 rpm

8. +3G modem or raspberry pi features

Cheers!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/58d09c29-c1a7-41f9-a76a-9903da01b621%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Shredding VM images

[Chris Laprise]

On 08/20/2018 11:34 AM, tierl...@gmail.com wrote:

What's the most convenient way to wipe these images? (I'm just talking about 
individual VM images)


To clarify on your first question: Since encryption is protecting the 
storage pool that contains the disk images and its on an SSD, the only 
sure way to 'wipe' them in general (not just in the other-VMs-can't see 
the data sense) is to throw away the encryption passphrase. This 
makes the entire pool unusable, but if this seems like a problem you can 
configure more than one storage pool each with its own encryption 
key+passphrase and store VMs inside them.



--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d1cc1013-3b70-e838-f2e7-5b1b8490d7b5%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Shredding VM images

[Chris Laprise]

On 08/20/2018 11:34 AM, tierl...@gmail.com wrote:

What's the most convenient way to wipe these images? (I'm just talking about 
individual VM images)

I'm on Qubes 4.0, and I understand it's not that simple on SSDs, but whats the 
situation?


The SSD's firmware determines 100% whether or not discard/TRIM commands 
(generated when deleting files and VM volumes) cause data to be 
physically erased.


Qubes does not pass discard/TRIM to the SSD by default however, so you 
may want to enable that. https://www.qubes-os.org/doc/disk-trim/


The role discard does play in a default Qubes config is to deallocate 
blocks from the pool-- these blocks are effectively wiped as far as any 
future VM allocation is concerned (no domU VM can see the deallocated 
data even if it later gains control over the deallocated blocks).




I see that /dev/mapper has a number of links to ../dm devices, these are 
encrypted, right? Where is the key stored? How is that stored on disk, and is 
it likely to leave fragments all over the drive?


In a default Qubes config, the ones prefixed with "qubes_dom0" are all 
encrypted. It is possible to install Qubes differently, however, so that 
these are not encrypted or use a different encryption scheme.


The key is normally stored in a LUKS disk header which itself gets 
unlocked when you enter a correct passphrase.




Can a `shred -vzn 7` be done on these devices? Does it effectively erase the 
data?


Its doubtful that shred would be of much use on an SSD, because shred 
needs the drive to "rewrite data in-place" which SSDs almost never do.


The only thing that we know for sure protects your privacy with an SSD 
is encryption.




I see that within /dev/mapper there's foo--private, foo--private--{0-9}+--back, 
and foo--private--snap. What's the difference between these? How are they 
created and used?


Unfortunately these are not well documented yet. The vm-foo-private-snap 
volumes are working-copy snapshots while the VM is running (IIRC this 
behavior is supposed to change for 4.1). The best docs on the storage 
layer currently appear to be:


https://www.qubes-os.org/doc/template-implementation/
https://dev.qubes-os.org/projects/core-admin/en/latest/qubes-storage.html




Am I right in thinking that only the private images hold VM specific states? 
What about foo--volatile?



The volatile volumes are swap space. They are deallocated when the VM is 
started/stopped.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/d2ee4ec6-0432-a47d-7c35-fa8134eec8f4%40posteo.net.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Shredding VM images

[tierlebu]

What's the most convenient way to wipe these images? (I'm just talking about 
individual VM images)

I'm on Qubes 4.0, and I understand it's not that simple on SSDs, but whats the 
situation?

I see that /dev/mapper has a number of links to ../dm devices, these are 
encrypted, right? Where is the key stored? How is that stored on disk, and is 
it likely to leave fragments all over the drive?

Can a `shred -vzn 7` be done on these devices? Does it effectively erase the 
data?

I see that within /dev/mapper there's foo--private, foo--private--{0-9}+--back, 
and foo--private--snap. What's the difference between these? How are they 
created and used?

Am I right in thinking that only the private images hold VM specific states? 
What about foo--volatile?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/7a6ab861-a76d-4791-b8ff-c7851ce55b66%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Whonix 14 has been Released

['awokd' via qubes-users]

On Mon, August 20, 2018 11:27 am, Franz wrote:


> Thanks
> a /var/log/tor/log file does not exists. There are no files in
> /var/log/tor/ folder.
>
>
> It did not happened before, but now I'm getting the enclosed alert
> window, which tells about permission errors.
>
> Perhaps it is better to try to delete the Whonix 14 installation and try
> another time.

Did you rename/delete your old sys-whonix before following the Whonix 14
installation steps to create a new one? If you tried to re-use it with the
new template, I'm not sure that would work.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/83c35142774606c115829a78a5d18ffa.squirrel%40tt3j2x4k5ycaa5zt.onion.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Whonix 14 has been Released

[cubit]

20. Aug 2018 11:27 by 169...@gmail.com :

> Thanks
> a /var/log/tor/log file does not exists. There are no files in /var/log/tor/ 
> folder. 
>
> It did not happened before, but now I'm getting the enclosed alert window, 
> which tells about permission errors.
>
> Perhaps it is better to try to delete the Whonix 14 installation and try 
> another time.
>







I had this exact problem when I did my first install of whonix-14.   
/var/lib/tor and all sub filders and files were owned by user "pulse".   I did 
chown them to be owned by "debian-tor" but with other time related problems I 
just delete the whonix-14 templates and re-installed them.   Second time they 
worked fine despite doing nothing different.






-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/LKMHpiF--3-1%40tutanota.com.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: off topic - invite codes to 'riseup'

[eimon5130]

I need an invite code for riseup.net account. Please help. It is for 
educational purpose. Thanx.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fc573c5e-43c3-4fdf-aa04-629444d50e96%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] how do you clear "move/copy to other app vm" context windows

[cubit]

18. Aug 2018 11:22 by un...@thirdeyesecurity.org 
:

> On Thu, Aug 16, 2018 at 08:32:35PM +0200, cubit wrote:
>> Is there a way to copy the suggested VMs in the "move/copy to other app vm" 
>> as I have a few entries that no longer exist and would like to get rid of 
>> them?
>>
>>
>> CuBit
>
> Those aren't "suggested": they are taken from list of available qubes,
> and I don't think they are cached.
>
> Just to be clear, you have run 'qvm-remove foo', foo no longer appears
> in the QubeManager, you cannot run a program in foo by (e.g)  'qvm-run -a foo
> xterm', but foo appears in the drop down list for policy checking?
>







Thank you Unman,  this is on Qubes 3.2 maybe working differently




I have entries in the "suggested" list which includes old AppVM that no longer 
exist and even incomplete entries where I was too quick to hit return to send a 
file.  Example  I have "vaul"  (no such appvm ever exist) and "vault" (does 
exist appvm)







CuBit












-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/LKLpOT2--3-1%40tutanota.com.
For more options, visit https://groups.google.com/d/optout.