[qubes-users] Re: Qubes 4 with Grsec could make a big splash

2016-11-26 Thread Grzesiek Chodzicki
On Tuesday, 22 November 2016 19:57:56 UTC+1, user kev27 wrote:
> I saw this being retweeted by the Qubes account on Twitter. Can Grsec support 
> still land in Qubes 4.0, or should we expect it for 4.1 or 4.2, etc?
> 
> I think if Grsec would be enabled by default in Qubes, it would be no 
> question that Qubes is the most secure operating system out there.

Or we could just wait for SubgraphOS guys to release a template of their system 
for Qubes.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/945ba01f-3995-4c67-97dc-678c6b1f06ed%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Re: Qubes 4.x and Librem 13

2016-11-26 Thread Grzesiek Chodzicki
On Saturday, 26 November 2016 03:06:06 UTC+1, user rspei...@gmail.com wrote:
> It seems that Purism has failed to follow through on its promise to provide 
> open firmware (i.e. coreboot) and overstated its capability to provide a 
> completely free firmware (i.e. libreboot). As a result, they have left many 
> unhappy customers and/or prospective customers. I doubt that we will ever 
> have libreboot on current/new Intel hardware.
> 
> Optimistically speaking, a truly open hardware ecosystem (i.e. Risc-V, 
> OpenPower) will likely take ~3-10 years to become commercially viable. 
> Considering the pragmatic approach that Qubes OS is taking, it would seem 
> ideal to get the most secure and privacy-protecting hardware in the 
> short-term until such time that we can have "truly" secure and 
> privacy-protecting hardware in the long-term.
> 
> As Marek pointed out, the Librem 13 would work with Qubes OS 4.x and "may be 
> somehow more secure with Coreboot (less places to hide some backdoor), but 
> may be also less stable - depending how mature is Librem 13 support in 
> Coreboot." As Grzesiek pointed out, waiting until 4.x to be released makes 
> sense since "a better option might present itself". In addition, it would 
> give Purism an opportunity to right a wrong.
> 
> That said, besides the Librem 13, I haven't seen nor heard of another laptop 
> that provides hardware switches to disable camera/audio/wifi and components 
> that do not require blobs (CPU excepted of course). Besides my Google Pixel 
> LS Chromebook running linux, I'm unsure whether there is a better option at 
> this point.
> 
> Thanks,
> Roberto

Don't get me wrong, I respect the idea the Purism guys had when they created 
Librem. But the Librem 15 costs 1600$ for 8GB of RAM, a dual-core i7 and a 
SATA SSD. 32 GB of RAM are an additional 530$. Total cost of the most pimped out 
version is over 3400$. For half that money you can have the most pimped out 
version of the Thinkpad T560. High prices alienate the userbase and make it seem 
like privacy is a privilege of the rich.



Re: [qubes-users] Re: Qubes 4 with Grsec could make a big splash

2016-11-26 Thread Marek Marczykowski-Górecki

On Fri, Nov 25, 2016 at 09:08:03PM -0800, jkitt wrote:
> The point is that the security of a grsecurity protected system depends on 
> the userspace being compiled in a special way. The binaries need to be 
> compiled with pie, and shared objects need to be compiled with pic. There are 
> also some other mitigations like SSP.

Shared objects are always compiled as pic, these days. As for pie
executables - I think most distributions do this for selected
binaries only.

> A grsecurity kernel on its own is not adequate enough. Someone will need to 
> distribute a hardened userspace.
> 
> The coldhaka kernel is in alpha. It's a start but not a solution.
> 


-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
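One way to check the PIE, PIC and SSP properties discussed in the message above on a given binary, as an added example that is not part of the original post or of any Qubes or grsecurity tooling. The function names, the heuristics and the constructed sample images are assumptions of this example.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_TEXTREL, DT_FLAGS, DT_FLAGS_1 = 0, 22, 30, 0x6FFFFFFB
DF_TEXTREL, DF_1_PIE = 0x4, 0x08000000


def check_hardening(data):
    """Classify one ELF image (bytes): PIE or not, text relocations, SSP."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                     # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little-endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)

    has_interp, dyn = False, {}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        if is64:
            p_offset, = struct.unpack_from(end + "Q", data, off + 8)
            p_filesz, = struct.unpack_from(end + "Q", data, off + 32)
        else:
            p_offset, = struct.unpack_from(end + "I", data, off + 4)
            p_filesz, = struct.unpack_from(end + "I", data, off + 16)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            # Walk the (tag, value) pairs of the dynamic section up to DT_NULL.
            fmt = end + ("qQ" if is64 else "iI")
            step = struct.calcsize(fmt)
            for pos in range(p_offset, p_offset + p_filesz - step + 1, step):
                tag, val = struct.unpack_from(fmt, data, pos)
                if tag == DT_NULL:
                    break
                dyn[tag] = val

    # ET_EXEC is linked at a fixed address. ET_DYN covers both PIE executables
    # and shared objects; DF_1_PIE or a PT_INTERP header is used here to tell
    # them apart (heuristic: a few shared objects also carry PT_INTERP).
    pie_flag = bool(dyn.get(DT_FLAGS_1, 0) & DF_1_PIE)
    if e_type == ET_EXEC:
        kind = "non-pie"
    elif e_type == ET_DYN and (pie_flag or has_interp):
        kind = "pie"
    elif e_type == ET_DYN:
        kind = "shared-object"
    else:
        kind = "other"
    # Text relocations mean the object contains code that is not PIC.
    textrel = DT_TEXTREL in dyn or bool(dyn.get(DT_FLAGS, 0) & DF_TEXTREL)
    # Heuristic: SSP-instrumented code references __stack_chk_fail.
    ssp = b"__stack_chk_fail" in data
    return {"kind": kind, "textrel": textrel, "ssp": ssp}


def build_sample(e_type, interp=False, dyn_tags=(), strings=b""):
    """Constructed input: a minimal little-endian ELF64 image, headers only."""
    phdrs = [PT_DYNAMIC] + ([PT_INTERP] if interp else [])
    dyn = b"".join(struct.pack("<qQ", t, v)
                   for t, v in list(dyn_tags) + [(DT_NULL, 0)])
    dyn_off = 64 + 56 * len(phdrs)
    image = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", e_type,
                        62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    for p_type in phdrs:
        size = len(dyn) if p_type == PT_DYNAMIC else 0
        image += struct.pack("<IIQQQQQQ", p_type, 4, dyn_off, 0, 0,
                             size, size, 8)
    return image + dyn + strings


def samples():
    """Three constructed images covering the cases named in the thread."""
    return {
        "fixed-address executable with SSP":
            build_sample(ET_EXEC, interp=True, strings=b"__stack_chk_fail\x00"),
        "PIE executable without SSP":
            build_sample(ET_DYN, interp=True, dyn_tags=[(DT_FLAGS_1, DF_1_PIE)]),
        "shared object with text relocations":
            build_sample(ET_DYN, dyn_tags=[(DT_TEXTREL, 0)]),
    }


if __name__ == "__main__":
    if sys.argv[1:]:                        # audit real files given as arguments
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, check_hardening(fh.read()))
    else:                                   # otherwise show the constructed samples
        for name, image in samples().items():
            print(name, check_hardening(image))
```

Run with file paths as arguments to audit binaries inside a template; without arguments it reports on the three constructed images.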


Re: [qubes-users] qvm-trim-template fails (Qubes 3.2)

2016-11-26 Thread Marek Marczykowski-Górecki

On Thu, Nov 24, 2016 at 08:46:19AM -0800, Fabrizio Romano Genovese wrote:
> Looks like qubes-mgmt-salt-vm-connector is already installed in my templates. 
> Are you sure the command is  

This needs to be installed in your _default_ template (which may be
different from the one you're trying to update).

> pkg.uptodate: []
> 
> ? This looks right in the salt documentation, but there is nothing else I can 
> think about...

Yes, looks ok.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


[qubes-users] How to check Fedora version of dom0?

2016-11-26 Thread Pawel Debski
Folks,

I have already upgraded dom0 but update still fetches fc23 packages.

cat /etc/*redh* shows Qubes release 3.2 (R3.2)

How can I check the exact Fedora release in use for dom0?

Regards,
PD



Re: [qubes-users] How to check Fedora version of dom0?

2016-11-26 Thread Alex
On 11/26/2016 03:13 PM, Pawel Debski wrote:
> Folks,
> 
> I have already upgraded dom0 but update still fetches fc23 packages.
> 
> cat /etc/*redh* shows Qubes release 3.2 (R3.2)
> 
> How can I check the exact Fedora release in use for dom0?
> 
> Regards, PD
dom0 uses fedora 23 as of now. Both /etc/fedora-release and
/etc/redhat-release are customized for Qubes, because dom0 cannot be
updated so lightheartedly.

The qubes packages for dom0 are only for fedora 20 (older releases) or
fedora 23 (R3.2). Because of the Qubes security model there is no
immediate reason to have a cutting-edge dom0. The problems may be with
hardware support...

-- 
Alex



Re: [qubes-users] How to check Fedora version of dom0?

2016-11-26 Thread Pawel Debski
On Saturday, 26 November 2016 15:17:25 UTC+1, user Alex wrote:
> On 11/26/2016 03:13 PM, Pawel Debski wrote:
> > Folks,
> > 
> > I have already upgraded dom0 but update still fetches fc23 packages.
> > 
> > cat /etc/*redh* shows Qubes release 3.2 (R3.2)
> > 
> > How can I check the exact Fedora release in use for dom0?
> > 
> > Regards, PD
> dom0 uses fedora 23 as of now. Both /etc/fedora-release and
> /etc/redhat-release are customized for Qubes, because dom0 cannot be
> updated so lightheartedly.
> 
> The qubes packages for dom0 are only for fedora 20 (older releases) or
> fedora 23 (R3.2). Because of the Qubes security model there is no
> immediate reason to have a cutting-edge dom0. The problems may be with
> hardware support...
> 
> -- 
> Alex

Now I understand. Tx.



[qubes-users] How to check Qubes Debian TVM status?

2016-11-26 Thread Pawel Debski
Folks,

I am not familiar with Debian. What is the best way to check its exact version 
and installed Qubes packages?

Best regards
PD



[qubes-users] Unsolicited feedback on qubes-issue #2455

2016-11-26 Thread Alex
Hi,
I'm reporting some user experience tests for fedora 25 template (ref.
issue mentioned in subject).

I updated a fedora 24 template with many customizations on it, bringing
it to f25 via DNF and enabling qubes-vm-r3.2-current-testing repo.

Environment: Qubes R3.2 fully updated, i3WM as window manager.

Mindset: upgrading my AppVMs, and in the meanwhile helping with issue
#2455, with specific attention to graphical/GUI issues (because of
recent Fedora switch to Wayland, which Qubes does not support, as
mentioned by marmarek on said issue).

# dnf --releasever=25 --enablerepo=qubes-vm-r3.2-current-testing update

The upgrade process was smooth, took 4 hours overall (I was working
during the process, so this may have slowed it down) and template size
(after trim) increased slightly from 8.46GB to 8.57GB (not bad!). The
repos for torproject don't have fc25 as an available release yet...

As far as I am concerned, these were the measured facts:
- many AppVMs started just fine after changing the template in their
settings from fedora 24 to fedora 25.
- firefox, thunderbird and libreoffice work just fine. Firefox can play
youtube videos without delays, glitches nor jitter.
- pinta (graphic manipulation program) works ok
- Android studio works ok
- gnome-terminal, xterm and urxvt all work with their customizations
(themes)
- Android emulator (emulating ARM processor, so it's normally slow)
works exactly as before
- Monodevelop works ok
- window resizing works ok, both dragging corners (for floating windows)
and splitting monitors in various ways (i3wm is a tiling window manager).

Now for more unsolicited input, but trying to be as specific as I can be
- please note that I don't fully understand the working of Qubes-GUID (I
never studied it, until now :)
- One AppVM with a lot of installed software took a couple of tries to
correctly start. The first time the start failed with "qrexec daemon not
running", and in guid log I found a long list of "invalid PMaxSize for
0x201d (32767/32767)" and so on. Cannot reproduce this problem.
- Qubes-GUID crashed in one AppVM as soon as I started monodevelop the
first time. Cannot reproduce this problem either. Error in guid log was:

ErrorHandler: BadAccess (attempt to access private resource denied)
 Major opcode: 130 (MIT-SHM)
 Minor opcode: 1 (X_ShmAttach)
 ResourceID:   0x254
 Failed serial number:  3670
 Current serial number: 3671

may be related to the fact that monodevelop shows and hides many windows
in rapid sequence when starting?

Overall the switch was good. I'll report further problems should they
arise. Thank you for your work, let me know if I can help more.

-- 
Alex



Re: [qubes-users] Unsolicited feedback on qubes-issue #2455

2016-11-26 Thread Andrew David Wong

On 11/26/16 07:13, Alex wrote:
> Hi,
> I'm reporting some user experience tests for fedora 25 template (ref.
> issue mentioned in subject).
> 
> I updated a fedora 24 template with many customizations on it, bringing
> it to f25 via DNF and enabling qubes-vm-r3.2-current-testing repo.
> 
> [...]

Thank you, Alex. This is very helpful. (Added as a comment on #2455.)

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Re: [qubes-users] How to check Qubes Debian TVM status?

2016-11-26 Thread yaqu
On Sat, 26 Nov 2016 06:40:07 -0800 (PST), Pawel Debski wrote:

> Folks,
> 
> I am not familiar with Debian. What is the best way to check its
> exact version

$ cat /etc/debian_version

> and installed Qubes packages?

Not sure if it's the best way, but:

$ dpkg -l|grep qubes

-- 
yaqu



Re: [qubes-users] How to check Qubes Debian TVM status?

2016-11-26 Thread Pawel Debski
On Saturday, 26 November 2016 17:19:08 UTC+1, user yaqu wrote:
> On Sat, 26 Nov 2016 06:40:07 -0800 (PST), Pawel Debski wrote:
> 
> > Folks,
> > 
> > I am not familiar with Debian. What is the best way to check its
> > exact version
> 
> $ cat /etc/debian_version
> 
> > and installed Qubes packages?
> 
> Not sure if it's the best way, but:
> 
> $ dpkg -l|grep qubes
> 
> -- 
> yaqu

user@debian-8:~$ cat /etc/deb*ver*
8.6

is the newest version I guess, and for the Qubes mark I take:

ii  qubes-core-agent 3.2.10-1+deb8u1amd64

great, tx.
Not sure however what these two iis at the beginning of the line mean.

PD



[qubes-users] 2/3 of VMs randomly lose network access; sys-net, sys-firewall, and others normal

2016-11-26 Thread Andrew David Wong

A strange networking problem just started in the past day or so:

Every few hours, around 2/3 of my VMs will suddenly lose network
access. I can still ping websites from sys-net and sys-firewall,
and some VMs still have normal network access, even though all of
them are using the same sys-firewall. (Other devices on my LAN are
also fine.)

The weird part is, if I create a new, additional "sys-firewall1"
ProxyVM and switch over one of the non-working VMs to it
*without restarting* the non-working VM, network access gets
successfully restored. So, the problem must be in sys-firewall
or the AppVMs, I think.

I've tried basing sys-firewall on fedora-24 and fedora-24-minimal
with the same results. Also double-checked NetVM assignments
and firewall rules, of course.

Any ideas for logs or tools I should check to find out what's
failing, or where it's failing?

- -

I can't imagine what caused this problem to suddenly start,
except maybe a dom0 or template update, so here are the packages
I've updated in dom0 recently as part of normal qubes-dom0-update:

libsndfile
sudo
bind99-libs
bind99-license
ghostscript-core
hswdata
perf
ntfs-3g
ntfsprogs
perl
perl-libs
perl-macros

And here are the packages I've updated in my fedora-24 template
(again, as normal updates):

libicu
libidn2
gnome-abrt
gnome-software
libdmapsharing
libmetalink
lz4
lz4-r131
rpm
rpm-build-libs
rpm-libs
rpm-plugin-selinux
rpm-plugin-systemd-inhibit
rpm-python
rpm-python3

Any ideas?

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


Re: [qubes-users] 2/3 of VMs randomly lose network access; sys-net, sys-firewall, and others normal

2016-11-26 Thread Andrew David Wong

On 2016-11-26 09:42, Andrew David Wong wrote:
> A strange networking problem just started in the past day or so:
> 
> Every few hours, around 2/3 of my VMs will suddenly lose network
> access. I can still ping websites from sys-net and sys-firewall,
> and some VMs still have normal network access, even though all of
> them are using the same sys-firewall. (Other devices on my LAN are
> also fine.)
> 
> [...]

Apparently, if I just wait 5-15 minutes, network access gets
restored to the affected VMs. (Note: This is not a solution for me.
I'm just noting it here in case it's a relevant clue to figuring
out the root cause.)

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


[qubes-users] Creating USB qube: PCI device in use by driver xenlight

2016-11-26 Thread Pawel Debski
Folks,

I'm trying to create a VM that will handle all USB devices that are or may be 
connected to the machine.

1. I have created a new AppVM based on fedora-24-full-sw template.

2. fedora-24-full-sw template is a copy of Fedora 24 template with all sorts of 
additional software installed, for example for Bluetooth handling, 3G modem, 
finger print reader, camera, flash card reader and so on.

3. I have assigned an USB controller to the newly created AppVM and 
switched-off memory balancing in the options as recommended by the message on 
"Advanced" tab.

4. When I'm trying to start the VM I'm getting the following message:
"PCI device in use by driver xenlight"

Please note that at the moment only one single USB bus is assigned to this VM.
Without any assigned devices this VM starts properly.

What shall I do to make it work with USB bus?

Best regards
PD



[qubes-users] Re: Creating USB qube: PCI device in use by driver xenlight

2016-11-26 Thread Grzesiek Chodzicki
On Saturday, 26 November 2016 18:53:26 UTC+1, user Pawel Debski wrote:
> Folks,
> 
> I'm trying to create a VM that will handle all USB devices that are or may be 
> connected to the machine.
> 
> 1. I have created a new AppVM based on fedora-24-full-sw template.
> 
> 2. fedora-24-full-sw template is a copy of Fedora 24 template with all sorts 
> of additional software installed, for example for Bluetooth handling, 3G 
> modem, finger print reader, camera, flash card reader and so on.
> 
> 3. I have assigned an USB controller to the newly created AppVM and 
> switched-off memory balancing in the options as recommended by the message on 
> "Advanced" tab.
> 
> 4. When I'm trying to start the VM I'm getting the following message:
> "PCI device in use by driver xenlight"
> 
> Please note that at the moment only one single USB bus is assigned to this VM.
> Without any assigned devices this VM starts properly.
> 
> What shall I do to make it work with USB bus?
> 
> Best regards
> PD

Put the following command in a dom0 terminal:
qvm-prefs -s vmname pci_strictreset false



[qubes-users] Re: Creating USB qube: PCI device in use by driver xenlight

2016-11-26 Thread Pawel Debski
On Saturday, 26 November 2016 18:56:49 UTC+1, user Grzesiek Chodzicki wrote:
> On Saturday, 26 November 2016 18:53:26 UTC+1, user Pawel Debski wrote:
> > Folks,
> > 
> > I'm trying to create a VM that will handle all USB devices that are or may 
> > be connected to the machine.
> > 
> > 1. I have created a new AppVM based on fedora-24-full-sw template.
> > 
> > 2. fedora-24-full-sw template is a copy of Fedora 24 template with all 
> > sorts of additional software installed, for example for Bluetooth handling, 
> > 3G modem, finger print reader, camera, flash card reader and so on.
> > 
> > 3. I have assigned an USB controller to the newly created AppVM and 
> > switched-off memory balancing in the options as recommended by the message 
> > on "Advanced" tab.
> > 
> > 4. When I'm trying to start the VM I'm getting the following message:
> > "PCI device in use by driver xenlight"
> > 
> > Please note that at the moment only one single USB bus is assigned to this 
> > VM.
> > Without any assigned devices this VM starts properly.
> > 
> > What shall I do to make it work with USB bus?
> > 
> > Best regards
> > PD
> 
> put following command in dom0 terminal: qvm-prefs -s vmname pci_strictreset 
> false

Tx Greg, that works.

Can we briefly discuss how much it lowers the security of the workstation? 
I mean: does it really allow plugging in a fabricated USB device to install a 
keylogger to obtain credentials to highly sensitive applications running in 
another qube (say VaultVM)?

What other potential attack scenarios does it open?
(assuming that one is interested only in protecting VaultVM transient content)



[qubes-users] Qubes AppVM full screen in a window

2016-11-26 Thread Pawel Debski
Folks,

How can I start AppVM to see all the boot messages and have it to have a 
separate desktop in a window just I like I am used to in VMWare or Virtual Box?

I mean I do not want the VM to grab the whole screen but rather have it in a 
separate window that from the VM point of view is the whole screen.

Best regards
PD



Re: [qubes-users] 2/3 of VMs randomly lose network access; sys-net, sys-firewall, and others normal

2016-11-26 Thread Jean-Philippe Ouellet
On Sat, Nov 26, 2016 at 12:42 PM, Andrew David Wong  wrote:
> Any ideas for logs or tools I should check to find out what's
> failing, or where it's failing?

I'd start with: dmesg, ifconfig -a -v, tcpdump, iptables-save.



Re: [qubes-users] 2/3 of VMs randomly lose network access; sys-net, sys-firewall, and others normal

2016-11-26 Thread Jean-Philippe Ouellet
On Sat, Nov 26, 2016 at 2:25 PM, Jean-Philippe Ouellet  wrote:
> On Sat, Nov 26, 2016 at 12:42 PM, Andrew David Wong  wrote:
>> Any ideas for logs or tools I should check to find out what's
>> failing, or where it's failing?
>
> I'd start with: dmesg, ifconfig -a -v, tcpdump, iptables-save.

Particularly tcpdump on both sides to see where the packets are being dropped.



[qubes-users] Re: Qubes AppVM full screen in a window

2016-11-26 Thread stevenwinderlich
On Saturday, 26 November 2016 20:15:03 UTC+1, Pawel Debski wrote:
> Folks,
> 
> How can I start AppVM to see all the boot messages and have it to have a 
> separate desktop in a window just I like I am used to in VMWare or Virtual 
> Box?
> 
> I mean I do not want the VM to grab the whole screen but rather have it in a 
> separate window that from the VM point of view is the whole screen.
> 
> Best regards
> PD

Go to Qubes VM Manager, open the settings of the VM you want to have windowed 
and uncheck enable Seamless GUI under the basic tab. That should show it like 
VmWare inside a window with all controls.



[qubes-users] Re: Qubes OS 3.2 Installation Issues: anaconda 'text mode' Installation Destination autopart failed LUKS

2016-11-26 Thread pixelite25
Any further insights on this, experts? This issue is a complete show stopper 
right now and nothing I can find online seems to directly address it. Thanks 
again for any assistance.



[qubes-users] HCL submission : Dell Precision 5510

2016-11-26 Thread Tomas Vondra

Hi,

I've just installed Qubes 3.2 on a new Dell Precision 5510 laptop, and 
it seems to be working fine. I've just had to disable secure boot and 
UEFI, then it went smoothly. The touchpad did not work in the installer, 
but after that it works OK. I've also had to disable wake on USB-C, to 
make suspend work.


regards
Tomas



Qubes-HCL-Dell_Inc_-Precision_5510-20161126-214715.yml
Description: application/yaml


Re: [qubes-users] How to check Qubes Debian TVM status?

2016-11-26 Thread yaqu
On Sat, 26 Nov 2016 09:35:59 -0800 (PST), Pawel Debski wrote:
> user@debian-8:~$ cat /etc/deb*ver*
> 8.6
> 
> is the newest version I guess

Correct, 8.6 is currently the latest 'stable' release.
https://www.debian.org/releases/

> and for the Qubes mark I take:
> 
> ii  qubes-core-agent 3.2.10-1+deb8u1amd64
> 
> great, tx.
> Not sure however what these two iis at the beginning of the line mean.

First character shows the desired state of package, and second shows
its current state. "ii" means package should be installed and it is
installed.

More details you can find in manual:
$ man dpkg-query

-- 
yaqu



[qubes-users] Re: Creating USB qube: PCI device in use by driver xenlight

2016-11-26 Thread Grzesiek Chodzicki
On Saturday, 26 November 2016 19:52:39 UTC+1, Pawel Debski wrote:
> On Saturday, 26 November 2016 18:56:49 UTC+1, Grzesiek Chodzicki wrote:
> > On Saturday, 26 November 2016 18:53:26 UTC+1, Pawel Debski wrote:
> > > Folks,
> > > 
> > > I'm trying to create a VM that will handle all USB devices that are or 
> > > may be connected to the machine.
> > > 
> > > 1. I have created a new AppVM based on fedora-24-full-sw template.
> > > 
> > > 2. fedora-24-full-sw template is a copy of Fedora 24 template with all 
> > > sorts of additional software installed, for example for Bluetooth 
> > > handling, 3G modem, finger print reader, camera, flash card reader and so 
> > > on.
> > > 
> > > 3. I have assigned an USB controller to the newly created AppVM and 
> > > switched-off memory balancing in the options as recommended by the 
> > > message on "Advanced" tab.
> > > 
> > > 4. When I'm trying to start the VM I'm getting the following message:
> > > "PCI device in use by driver xenlight"
> > > 
> > > Please note that at the moment only one single USB bus is assigned to 
> > > this VM.
> > > Without any assigned devices this VM starts properly.
> > > 
> > > What shall I do to make it work with USB bus?
> > > 
> > > Best regards
> > > PD
> > 
> > put following command in dom0 terminal: qvm-prefs -s vmname pci_strictreset 
> > false
> 
> Tx Greg, that works.
> 
> Can we briefly discuss how much does it lower the security of the 
> workstation. I mean: does it really allow to plug-in fabricated USB device to 
> install keylogger to obtain credentials to highly sensitive applications 
> running in other qube (say VaultVM).
> 
> What other potential attack scenarios does it open?
> (assuming that one is interested only to protect VaultVM transient content)

If the device is assigned to one vm only at all times then it doesn't lower 
security afaik. PCI strict reset is used to reset the device's state when 
moving the device between machines. If the device is not moved between machines 
then it shouldn't matter.

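A check one could run in dom0 before turning off `pci_strictreset`, as an added example that is not part of the thread: it lists USB host controllers and whether the kernel exposes a reset method for each. The function names and the sample tree are hypothetical, and the sysfs `reset` attribute is used here as an indicator only; it is an assumption that it matches what Qubes itself tests.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qubes.
# Assumption: the Linux sysfs layout, where each PCI function has a directory
# under /sys/bus/pci/devices containing a "class" file, and a "reset" file
# only when the kernel knows a way to reset that function.

# Print "<BDF> class=<class> reset=<yes|no>" for every USB host controller
# (PCI class 0x0c03xx) found under the given sysfs directory.
pci_usb_reset_report() {
    root=${1:-/sys/bus/pci/devices}
    for dev in "$root"/*; do
        [ -r "$dev/class" ] || continue
        class=$(cat "$dev/class")
        case $class in
            0x0c03*) ;;          # USB controller (UHCI/OHCI/EHCI/xHCI)
            *) continue ;;       # anything else is out of scope here
        esac
        if [ -e "$dev/reset" ]; then
            reset=yes
        else
            reset=no
        fi
        printf '%s class=%s reset=%s\n' "${dev##*/}" "$class" "$reset"
    done
}

# Print only the USB controllers that expose no reset method. These are the
# ones whose state cannot be cleared between VMs, so they should stay
# assigned to a single VM if strict reset is disabled for them.
pci_usb_without_reset() {
    pci_usb_reset_report "$1" | awk '$3 == "reset=no" { print $1 }'
}

# Build a small constructed sysfs-like tree for offline testing.
make_sample_sysfs() {
    dir=$1
    mkdir -p "$dir/0000:00:14.0" "$dir/0000:00:1a.0" "$dir/0000:00:1f.2"
    echo 0x0c0330 > "$dir/0000:00:14.0/class"   # xHCI, no reset file
    echo 0x0c0320 > "$dir/0000:00:1a.0/class"   # EHCI, reset file present
    : > "$dir/0000:00:1a.0/reset"
    echo 0x010601 > "$dir/0000:00:1f.2/class"   # SATA, ignored by the report
    : > "$dir/0000:00:1f.2/reset"
}
```

Called without an argument, `pci_usb_reset_report` reads the live `/sys/bus/pci/devices` tree.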


Re: [qubes-users] Unsolicited feedback on qubes-issue #2455

2016-11-26 Thread Marek Marczykowski-Górecki
On Sat, Nov 26, 2016 at 04:13:48PM +0100, Alex wrote:
> Hi,
> I'm reporting some user experience tests for fedora 25 template (ref.
> issue mentioned in subject).
> 
> I updated a fedora 24 template with many customizations on it, bringing
> it to f25 via DNF and enabling qubes-vm-r3.2-current-testing repo.
> 
> Environment: Qubes R3.2 fully updated, i3WM as window manager.
> 
> Mindset: upgrading my AppVMs, and in the meanwhile helping with issue
> #2455, with specific attention to graphical/GUI issues (because of
> recent Fedora switch to Wayland, which Qubes does not support, as
> mentioned by marmarek on said issue).

Thanks! I was planning to send a little announcement asking for testing
today/tomorrow, but I guess you read my mind ;) I've uploaded packages
to repository just today...

> # dnf --releasever=25 --enablerepo=qubes-vm-r3.2-current-testing update
> 
> The upgrade process was smooth, took 4 hours overall (I was working
> during the process, so this may have slowed it down) and template size
> (after trim) increased slightly from 8.46GB to 8.57GB (not bad!). The
> repos for torproject don't have fc25 as an available release yet...

In my case upgrade was somehow faster - like 1h or so. But I wasn't
using the machine in the meantime.

> As far as I am concerned, these were the measured facts:
> - many AppVMs started just fine after changing the template in their
> settings from fedora 24 to fedora 25.
> - firefox, thunderbird and libreoffice work just fine. Firefox can play
> youtube videos without delays, glitches nor jitter.
> - pinta (graphic manipulation program) works ok
> - Android studio works ok
> - gnome-terminal, xterm and urxvt all work with their customizations
> (themes)
> - Android emulator (emulating ARM processor, so it's normally slow)
> works exactly as before
> - Monodevelop works ok
> - window resizing works ok, both dragging corners (for floating windows)
> and splitting monitors in various ways (i3wm is a tiling window manager).

In addition to this, all automatic tests also pass, so basic things
like DispVM, NetVM etc should work.

> Now for more unsolicited input, but trying to be as specific as I can be
> - please note that I don't fully understand the working of Qubes-GUID (I
> never studied it, until now :)
> - One AppVM with a lot of installed software took a couple of tries to
> correctly start. The first time the start failed with "qrexec daemon not
> running", and in guid log I found a long list of "invalid PMaxSize for
> 0x201d (32767/32767)" and so on. Cannot reproduce this problem.

This particular message shouldn't be a problem, probably the reason is
somewhere else. Do you still have the last message of the log?

> - Qubes-GUID crashed in one AppVM as soon as I started monodevelop the
> first time. Cannot reproduce this problem either. Error in guid log was:
> 
> ErrorHandler: BadAccess (attempt to access private resource denied)
>  Major opcode: 130 (MIT-SHM)
>  Minor opcode: 1 (X_ShmAttach)
>  ResourceID:   0x254
>  Failed serial number:  3670
>  Current serial number: 3671
> 
> may be related to the fact that monodevelop shows and hides many windows
> in rapid sequence when starting?

Yes, it may be. Very similar error (#2171) was already fixed some time
ago, but apparently not all the cases. Anyway it's rather problem in
gui-daemon, independent of Fedora version.

> Overall the switch was good. I'll report further problems should they
> arise. Thank you for your work, let me know if I can help more.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] 2/3 of VMs randomly lose network access; sys-net, sys-firewall, and others normal

2016-11-26 Thread Marek Marczykowski-Górecki
On Sat, Nov 26, 2016 at 09:47:46AM -0800, Andrew David Wong wrote:
> On 2016-11-26 09:42, Andrew David Wong wrote:
> > A strange networking problem just started in the past day or so:
> > 
> > Every few hours, around 2/3 of my VMs will suddenly lose network
> > access. I can still ping websites from sys-net and sys-firewall,
> > and some VMs still have normal network access, even though all of
> > them are using the same sys-firewall. (Other devices on my LAN are
> > also fine.)
> > 
> > [...]
> 
> Apparently, if I just wait 5-15 minutes, network access gets
> restored to the affected VMs. (Note: This is not a solution for me.
> I'm just noting it here in case it's a relevant clue to figuring
> out the root cause.)

Do you see some correlation with:
 - starting/stopping another VM?
 - affected VMs have or not firewall rules?

Also, check if restarting qubes-firewall service in sys-firewall helps
(and check its status first).

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] 2/3 of VMs randomly lose network access; sys-net, sys-firewall, and others normal

2016-11-26 Thread Chris Laprise

On 11/26/2016 12:42 PM, Andrew David Wong wrote:
> A strange networking problem just started in the past day or so:
>
> Every few hours, around 2/3 of my VMs will suddenly lose network
> access. I can still ping websites from sys-net and sys-firewall,
> and some VMs still have normal network access, even though all of
> them are using the same sys-firewall. (Other devices on my LAN are
> also fine.)
>
> The weird part is, if I create a new, additional "sys-firewall1"
> ProxyVM and switch over one of the non-working VMs to it
> *without restarting* the non-working VM, network access gets
> successfully restored. So, the problem must be in sys-firewall
> or the AppVMs, I think.
>
> I've tried basing sys-firewall on fedora-24 and fedora-24-minimal
> with the same results. Also double-checked NetVM assignments
> and firewall rules, of course.
>
> Any ideas for logs or tools I should check to find out what's
> failing, or where it's failing?
>
> - -
>
> I can't imagine what caused this problem to suddenly start,
> except maybe a dom0 or template update, so here are the packages
> I've updated in dom0 recently as part of normal qubes-dom0-update:
>
> libsndfile
> sudo
> bind99-libs
> bind99-license
> ghostscript-core
> hswdata
> perf
> ntfs-3g
> ntfsprogs
> perl
> perl-libs
> perl-macros
>
> And here are the packages I've updated in my fedora-24 template
> (again, as normal updates):
>
> libicu
> libidn2
> gnome-abrt
> gnome-software
> libdmapsharing
> libmetalink
> lz4
> lz4-r131
> rpm
> rpm-build-libs
> rpm-libs
> rpm-plugin-selinux
> rpm-plugin-systemd-inhibit
> rpm-python
> rpm-python3
>
> Any ideas?
>
> - -- 
> Andrew David Wong (Axon)
>
> Community Manager, Qubes OS
> https://www.qubes-os.org


Check out this thread: 
https://groups.google.com/d/msgid/qubes-users/3aa66b77-9a06-83d8-d965-6583ef10d2a9%40gmail.com


Author claims it's dependent on running Qubes in a VM, but the symptoms 
are about the same and the trigger is a switch to fedora 24.


My own problem with fedora 24 is that the minimal template seems 
incapable of acting as a simple Qubes firewall. No time to troubleshoot it.


You may want to switch to debian for your service VMs... Versions 8 and 
9 are working well for me.


Chris



[qubes-users] Qubes can not decrypt the root directory partition.

2016-11-26 Thread Alexander Villalba
Regards!:

Although it was today that for the first time that I join the group, I have 
been using Qubes for years. But today when I wrote the disk encryption 
password, the system displays a message saying it can not boot. Try to load the 
encrypted disk with a bootable pendriver that has the Tails operating system 
installed, from the file browser, asked for the password, I wrote it, but could 
not load the partition of the hard disk containing Qubes. The unencrypted 
partitions were able to load and read them.

I understand that maybe I should give more information to solve the problem. I 
will provide the information requested.

I write from Venezuela, I translated this with the help of Google.

Thank you.



Re: [qubes-users] Qubes AppVM full screen in a window

2016-11-26 Thread Marek Marczykowski-Górecki
On Sat, Nov 26, 2016 at 11:15:03AM -0800, Pawel Debski wrote:
> Folks,
> 
> How can I start AppVM to see all the boot messages and have it to have a 
> separate desktop in a window just I like I am used to in VMWare or Virtual 
> Box?
> 
> I mean I do not want the VM to grab the whole screen but rather have it in a 
> separate window that from the VM point of view is the whole screen.

This isn't possible for standard AppVMs - this part (emulated GPU) is
intentionally disabled there. If you really want, for whatever reason,
you can:
 - start vncserver in the VM and connect to it from the same VM
 - create HVM and install some linux (or other system) there - HVMs are
   running with emulated GPU and can be viewed with full desktop in a
   window: https://www.qubes-os.org/doc/hvm/

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Qubes OS 3.2 Installation Issues: anaconda 'text mode' Installation Destination autopart failed LUKS

2016-11-26 Thread Marek Marczykowski-Górecki
On Tue, Nov 22, 2016 at 04:16:40PM -0800, pixelit...@gmail.com wrote:
> Device: Lenovo ThinkPad L450 modified with OCZ Trion 150 (480GB) SSD
> Installation Setup: USB Drive with prepared ISO, using Basic Graphics mode 
> under Troubleshooting due to system lockup in GUI mode.
> 
> Primary Problem: When trying to setup partitioning, and selecting either 
> Standard or LVM, this error occurs: "storage configuration failed: autopart 
> failed: Encryption requested for LUKS device sda2 but no encryption key 
> specified for this device.
> 
> Could this have something to do with the fact that the original SSD had OPAL 
> 2.0 and the replacement SSD does NOT have that feature? Am I unable to use 
> the OCZ drive as a result, or is this something entirely different.

Take a look here:
https://github.com/QubesOS/qubes-issues/issues/1161#issuecomment-156713740

In short: text based installer currently requires some additional manual
steps.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] Qubes can not decrypt the root directory partition.

2016-11-26 Thread tezeb
On Sat, 26 Nov 2016 15:35:06 -0800 (PST), Alexander Villalba wrote:

> Regards!:
> 
> Although it was today that for the first time that I join the group,
> I have been using Qubes for years. But today when I wrote the disk
> encryption password, the system displays a message saying it can not
> boot. Try to load the encrypted disk with a bootable pendriver that
> has the Tails operating system installed, from the file browser,
> asked for the password, I wrote it, but could not load the partition
> of the hard disk containing Qubes. The unencrypted partitions were
> able to load and read them.

Actually, a similar issue has happened to me. The partition was no longer
accessible via Qubes boot process nor Qubes USB with properly set
keymap. This happened after upgrade/reboot cycle, although I suspect
some kind of HW issue.

According to cryptsetup/luks man page, you should always have a backup
of LUKS partition header as it may get corrupted. Due to some
anti-forensic techniques in place such corruption is
claimed to be irrecoverable.

Hope that you had backups.

Regards,
tezeb

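A read-only sanity check of a LUKS header, as an added example that is not part of the thread: it verifies the magic bytes and version and counts key slots marked active, which separates "header damaged" from "wrong passphrase or keymap". It assumes the LUKS1 on-disk format; the function names and the sample image builder are hypothetical, and the sample header is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. LUKS1 header layout relied on:
#   offset 0    magic "LUKS" 0xBA 0xBE
#   offset 6    version, big-endian 16-bit (0x0001 for LUKS1)
#   offset 208  eight key slots of 48 bytes each; the first 4 bytes of a
#               slot are 0x00AC71F3 (active) or 0x0000DEAD (disabled)

# Print COUNT bytes starting at OFFSET of FILE as lowercase hex.
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Inspect a device or image without writing to it.
# Prints a one-line summary; returns 0 only when the magic and version are
# intact, at least one key slot is active, and no slot marker is garbage.
luks1_header_check() {
    img=$1
    if [ "$(hex_at "$img" 0 6)" != "4c554b53babe" ]; then
        echo "no-luks-magic"
        return 1
    fi
    version=$(hex_at "$img" 6 2)
    if [ "$version" != "0001" ]; then
        echo "not-luks1 version=0x$version"
        return 2
    fi
    active=0
    damaged=0
    slot=0
    while [ "$slot" -lt 8 ]; do
        state=$(hex_at "$img" $((208 + slot * 48)) 4)
        case $state in
            00ac71f3) active=$((active + 1)) ;;
            0000dead) ;;                          # cleanly disabled slot
            *) damaged=$((damaged + 1)) ;;        # neither marker: corrupted
        esac
        slot=$((slot + 1))
    done
    echo "luks1 active=$active damaged=$damaged"
    if [ "$active" -gt 0 ] && [ "$damaged" -eq 0 ]; then
        return 0
    fi
    return 3
}

# Write a constructed 592-byte LUKS1-shaped header (slot 0 active, slots 1-7
# disabled, all other fields zero) for offline testing. Not a usable volume.
make_sample_luks1() {
    out=$1
    {
        printf 'LUKS\272\276\000\001'                 # magic + version 1
        dd if=/dev/zero bs=1 count=200 2>/dev/null    # pad to offset 208
        printf '\000\254\161\363'                     # slot 0: 0x00AC71F3
        dd if=/dev/zero bs=1 count=44 2>/dev/null
        i=1
        while [ "$i" -lt 8 ]; do
            printf '\000\000\336\255'                 # slot i: 0x0000DEAD
            dd if=/dev/zero bs=1 count=44 2>/dev/null
            i=$((i + 1))
        done
    } > "$out"
}
```

This only looks at markers, so damage inside the key material area goes unnoticed; on a real system `cryptsetup luksDump <device>` gives the full view, and `cryptsetup luksHeaderBackup <device> --header-backup-file <file>` makes the kind of header backup recommended above.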


Re: [qubes-users] VT-d support in hcl report

2016-11-26 Thread tezeb
On Thu, 24 Nov 2016 09:33:23 +0100, Zrubi wrote:

> 
> Well, as you noted the qubes-hcl-report tool relies on xl info, and xl
> dmesg output.
> If both state that IOMMU is enabled:
> 
> > virt_caps: hvm hvm_directio
> > (XEN) I/O virtualisation enabled  
> 
>  what else can it say?
> 
> If you 100% sure that this is a false positive, then we should address
> this issue for sure.
> However I can't see how we can check if IOMMU is really working? Maybe
> we can try DMA attack PoC script and try to break out from a netvm for
> example?
> (of course not as part of the hcl report :)

Thanks for your reply. After reading it I realized that I should
probably ask at Xen devel mailing list. I am not 100% sure, but the
specs about my HW say so (and I am 100% sure about what HW I have).

Anyway, I like the idea of DMA PoC attack. Sounds like a definitive
measure of VT-d separation. Are there any PoCs publicly available?

Regards,
tezeb



Re: [qubes-users] Qubes can not decrypt the root directory partition.

2016-11-26 Thread Marek Marczykowski-Górecki
On Sat, Nov 26, 2016 at 03:35:06PM -0800, Alexander Villalba wrote:
> Regards!:
> 
> Although it was today that for the first time that I join the group, I have 
> been using Qubes for years. 

Welcome!

> But today when I wrote the disk encryption password, the system displays a 
> message saying it can not boot. Try to load the encrypted disk with a 
> bootable pendriver that has the Tails operating system installed, from the 
> file browser, asked for the password, I wrote it, but could not load the 
> partition of the hard disk containing Qubes. The unencrypted partitions were 
> able to load and read them.

I guess you've checked obvious things like Caps Lock or such? Or maybe
some key on your keyboard is broken? Or maybe different keyboard layout?
Generally the above looks like you're entering wrong password (at least
from the tool point of view), or your data is somehow broken (faulty
disk or such).

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [qubes-users] 2/3 of VMs randomly lose network access; sys-net, sys-firewall, and others normal

2016-11-26 Thread Andrew David Wong
On 2016-11-26 09:42, Andrew David Wong wrote:
> A strange networking problem just started in the past day or so:
> [...]

Thanks for the tips, Jean-Philippe, Marek, and Chris!


On 2016-11-26 11:26, Jean-Philippe Ouellet wrote:
>> I'd start with: dmesg, ifconfig -a -v, tcpdump, iptables-save.
> 
> Particularly tcpdump on both sides to see where the packets are being dropped.
> 

Ok, thanks. Will do.


On 2016-11-26 15:04, Marek Marczykowski-Górecki wrote:
> Do you see some correlation with:
>  - starting/stopping another VM?
>  - affected VMs have or not firewall rules?
> 
> Also, check if restarting qubes-firewall service in sys-firewall helps
> (and check it status first).

I didn't notice any, but I'll check again if/when it recurs.


On 2016-11-26 15:28, Chris Laprise wrote:
> Check out this thread: 
> https://groups.google.com/d/msgid/qubes-users/3aa66b77-9a06-83d8-d965-6583ef10d2a9%40gmail.com
> 
> Author claims it's dependent on running Qubes in a VM, but the symptoms are 
> about the same and the trigger is a switch to fedora 24.
> 
> My own problem with fedora 24 is that the minimal template seems incapable of 
> acting as a simple Qubes firewall. No time to troubleshoot it.
> 
> You may want to switch to debian for your service VMs... Versions 8 and 9 are 
> working well for me.
> 
> Chris
> 

I did notice that other thread, but at a glance I thought it was about
a different issue. I'll give it a second look. The funny thing is that
fedora-24-minimal had been working fine as a firewall (at least as far
as I could tell) until just very recently, and fedora-24 (full) also
exhibited the same problem. If I can't get it resolved quickly on
Fedora, I'll certainly give Debian a try! :)

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org


[qubes-users] custom kernel doesn't work installed in debian cloned template

2016-11-26 Thread raahelps
I followed instructions to install pvgrub2-xen in dom0. Then in the template VM 
I installed qubes-kernel-vm-support and grub2-common. Then I installed the 
distribution kernel from the Debian repos with apt-get (3.16), then update-grub 
and shutdown, but it doesn't work right. I eventually would like to be able to 
compile my own kernel; I was hoping it would be easier with pvgrub support, but I 
think I must be missing something.

When I boot it after selecting pvgrub in kernel settings, sudo xl console 
shows it has booted fine but then is asking me for a login. If I type root I 
get root. But I can't load any applications in the GUI environment, from the 
dom0 terminal or from the start menu on the desktop.

Thanks,
Rich
