[qubes-users] Re: Nested virtualization
On Friday, February 10, 2017 at 9:03:47 PM UTC-8, adoni...@gmail.com wrote:
> Hi guys, thanks for the responses, I will have a look at it.
>
> What I need in this case in particular requires VBox, it is Genymotion, an
> Android emulator.

this might help. https://groups.google.com/d/msg/qubes-devel/5thjxcHcMFw/YQfiTZ4qDwAJ

here's a quick guide to stand alone vms, https://www.qubes-os.org/doc/hvm/

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1a2aea13-0c01-4898-9b92-289df92c6ea9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Nested virtualization
On 2017-02-10 19:16, pixel fairy wrote:
> On Friday, February 10, 2017 at 5:40:36 PM UTC-8, adoni...@gmail.com wrote:
>> Hi guys,
>>
>> Is it possible to install let's say Virtual Box inside a Qube? I've done some reading and all people seem to say is that it should be possible, but nothing conclusive.
>
> this should be a faq somewhere, it keeps getting brought up.
>

Hard to do an FAQ on this, because there are so many ways to try to do nested virtualization, and they don't all turn out the same way. But feel free to submit a PR if you like. :)

> xen supports nested virtualization, see here:
> https://wiki.xenproject.org/wiki/Nested_Virtualization_in_Xen
>
> but, this is disabled in qubes because of the large attack surface it introduces. containers, like docker and lxc, are possible, as is emulation like running qemu without kvm extensions or virtualbox with 32bit guests with acceleration turned off.
>
> you could make your own qubes build with it on. look for marmarek in qubes-devel for threads on that.
>

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Re: Shouldn't this be specially noted in Qubes HCL? (was: what about usb to jtag interface?)
On 2017-02-10 19:07, pixel fairy wrote:
> On Friday, February 10, 2017 at 2:56:15 PM UTC-8, Oleg Artemiev wrote:
>> On Thu, Feb 9, 2017 at 6:38 PM, pixel fairy wrote:
>>> On Thursday, February 9, 2017 at 3:54:03 AM UTC-8, Oleg Artemiev wrote:
>>>> Does this mean that USB qube is now useless as a security border on such a mother board?
>>> only if the manufacturer has it enabled. the only vendor who got back to me (and knew what i was talking about) when i asked was system76 to confirm that it is disabled on their lemur series. puri.sm was aware, but doesnt have any hardware out using those chips.
>> So finally it is a question of trusting the vendor (and their public relations personnel who may think that those capabilities are not really disabled.
>
> yes, or a cheap data cable if you already have the hardware. unfortunately, its easy for a vendor to say they're good and then say "oops" if they're not, and called out on it. we need better competition in security conscious hardware.
>
>> Shouldn't these CPUs and motherboards be specially noted as dangerous in qubes HCL?
>
> agreed, but i think its up to Andrew David Wong
>
> (i hope that triggers a mention notice so he sees this)
>

Didn't trigger a mention, but I saw it. :) (In general, the best way to make sure I notice a message is to CC me.)

Actually, I think this should be up to Joanna and Marek (CCed). I don't know enough about USB->JTAG to confidently evaluate how dangerous it is.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Mount point /proc/xen in appVM prevents flatpak packages from starting (Issue #2540 impact wider than reported)
On 2017-02-10 03:23, Alex wrote:
> Hi all,
> I've been trying to use MonoDevelop 6, now distributed as a flatpak package instead of the usual RPM (fedora 25).
>
> I've had some problems in trying to run it, mainly because of an obscure error message "Can't mount proc on /newroot/proc: Operation not permitted".
>
> Further debugging had me starting flatpak with "-v" (verbose) option, where I discovered that flatpak is just a wrapper around bubblewrap (no pun intended).
>
> Investigating bubblewrap led me to https://github.com/projectatomic/bubblewrap/issues/134 where a Qubes user laments a non-working sandboxed tor browser.
>
> There Marek casually mentions /proc/xen being the cause of this situation, and actually unmounting it allows MonoDevelop to start.
>
> Since this issue is already tracked for TOR browser here https://github.com/QubesOS/qubes-issues/issues/2540 I'm not suggesting to open another issue; instead, I commented on the issue reporting that the impact is wider than TOR browser and I'm writing to the mailing list to let other puzzled flatpak-distributed-software-users know.
>

Thanks, Alex! :)

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Re: [qubes-devel] Re: Devilspie2 integration
On 2017-02-10 15:32, Oleg Artemiev wrote:
> On Tue, Feb 7, 2017 at 1:41 PM, Andrew David Wong wrote:
>> [Please keep the list CCed.]
>>>>> why do we use operating systems at all? Because them provide some set of default pretty functionality/environment from the box. Why each time I power down my PC and power it up back I have to waste time on placing windows between desktops? Why the hell I can't power on and smoke then get back and see everything same way organised as I had on my last power up?
>>>> Well, you can install Devilspie2 (or equivalent) in dom0 and automate your setup. (Remember, the foregoing discussion is about whether it should be installed *by default*.)
>>> Yep. KDE by default has this from the box. Xfce has nothing for this. That's why "by default"
>> Hm, then perhaps it's really Xfce who should integrate this upstream?
> It would be nice.
>
> Who will ask them for an integration? I guess unless enough people will do - no one will decide to implement.
>

Users who care enough to ask. :)

>> It seems like it would be suboptimal for the Qubes Project to try to maintain a fork of Xfce that goes beyond Qubes-specific functions.
> you haven't to fork and maintain Xfce entirely. All you need - an option for restriction in qubes configuration for a VM and a script that will autogenerate configuration of restrictions offered by a tool you choose.
>
> 1st step is done: you adding a tool allowing such a restriction (the tool is already selected for a future Qubes, AFAIK)

See: https://groups.google.com/d/topic/qubes-users/jtjyq8N6bY0/discussion

According to that thread, wmctrl (which is supposed to be like Devilspie2) is already installed by default, and xdotool, which is different, will be pre-installed in a future version.

> now the second step: allow users easily automate restrictions based on that tool via qubes configuration interface.
>

But this is still a nontrivial amount of work, and it's yet another thing that the Qubes team would have to maintain. Help from the community would probably be required.

>>>>> The only thing I would like is having choice on restore as it was and run new session. People at firefox made good work and algorithm is well known, why not to apply this to Qubes: On start show what is going to be started, if user chooses "restore last state" - exactly that set left at session abort/power off is shown, if user is in doubt - new tab is always available. if user doesn't want to start same or partial set - give him/her clean new session. What a problem to do same way w/ desktop placement and VM autorun? People spend a lot of time starting same things on next power up. Firefox behaviour in case when firefox configured "restore previous state" and was killed/aborted is best behaviour I've seen on restoring workspace.
>>>> This sounds like it would indeed be a nice feature. Care to contribute a patch?
>>> Not. :( A lot of questions appear to understand where to make changes at 1st. Unsure that I'll be able to make such a patches.
>>
>>>>> Locking application to some desktop set is a very good feature and, afair and adding this functionality via some utility in Dom0 default package set is work in progress for current qubes. Just choose one app we're okay with, hug it with qubes vm manager and users will love ability to use it. :) I don't vote for this one utility - I vote for similar functionality available to user _by_default_ .
>>>> Why _by default_? As I explained above, we need to take a disciplined approach in deciding which features get included by default. If we include by default everything that everyone wants, Qubes will suffer from the consequent software bloat and feature creep.
>>> That is not what every one want but this is what _everyone_ usually wastes time on - when powered down and powered up to continue .
>>>
>>>> We must resist the temptation to push for the default inclusion of features simply because *we* like them. There has to be a stronger reason than that. We have to ask ourselves the hard questions: Why do you want it to be the default? To save you from having to configure it yourself? Because you think other people should share your personal preferences?
>>> Isn't the reason "every one wastes time that way" above is not enough to add in wish list "make life better for every one" by enabling option to restore last state of running VMs this way"?
>>>
>>
>> It sounds like you're conflating a few different ideas here:
>
>> including Devilspie2 by default,
> you should include by default at least one of tools allowing such a restriction - choose within Qubes team. I'
[qubes-users] Re: Nested virtualization
Hi guys, thanks for the responses, I will have a look at it.

What I need in this case in particular requires VBox, it is Genymotion, an Android emulator.
[qubes-users] Re: Nested virtualization
On Friday, February 10, 2017 at 5:40:36 PM UTC-8, adoni...@gmail.com wrote:
> Hi guys,
>
> Is it possible to install let's say Virtual Box inside a Qube? I've done some
> reading and all people seem to say is that it should be possible, but nothing
> conclusive.

this should be a faq somewhere, it keeps getting brought up.

xen supports nested virtualization, see here: https://wiki.xenproject.org/wiki/Nested_Virtualization_in_Xen

but, this is disabled in qubes because of the large attack surface it introduces. containers, like docker and lxc, are possible, as is emulation like running qemu without kvm extensions or virtualbox with 32bit guests with acceleration turned off.

you could make your own qubes build with it on. look for marmarek in qubes-devel for threads on that.
[qubes-users] Re: Shouldn't this be specially noted in Qubes HCL? (was: what about usb to jtag interface?)
On Friday, February 10, 2017 at 2:56:15 PM UTC-8, Oleg Artemiev wrote:
> On Thu, Feb 9, 2017 at 6:38 PM, pixel fairy wrote:
> > On Thursday, February 9, 2017 at 3:54:03 AM UTC-8, Oleg Artemiev wrote:
> >> Does this mean that USB qube is now useless as a security border on
> >> such a mother board?
> > only if the manufacturer has it enabled. the only vendor who got back to me
> > (and knew what i was talking about) when i asked was system76 to confirm
> > that it is disabled on their lemur series.
> > puri.sm was aware, but doesnt have any hardware out using those chips.
> So finally it is a question of trusting the vendor (and their public
> relations personnel who may think that those capabilities are not
> really disabled.

yes, or a cheap data cable if you already have the hardware. unfortunately, its easy for a vendor to say they're good and then say "oops" if they're not, and called out on it. we need better competition in security conscious hardware.

> Shouldn't these CPUs and motherboards be specially noted as dangerous
> in qubes HCL?

agreed, but i think its up to Andrew David Wong

(i hope that triggers a mention notice so he sees this)

> --
> Bye.Olli.
> gpg --search-keys grey_olli , use key w/ fingerprint below:
> Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E
> Blog keys (the blog is mostly in Russian):
> http://grey-olli.livejournal.com/tag/
[qubes-users] Re: Nested virtualization
On Friday, February 10, 2017 at 5:40:36 PM UTC-8, adoni...@gmail.com wrote:
> Hi guys,
>
> Is it possible to install let's say Virtual Box inside a Qube? I've done some
> reading and all people seem to say is that it should be possible, but nothing
> conclusive.

VirtualBox definitely did not work for me, but I only tried it once and mostly out of curiosity. I can't remember the error... something about being unable to load a kernel module maybe?
[qubes-users] Re: Nested virtualization
Yeah, currently I'm using LXC Containers inside AppVMs. What do you need exactly?
[qubes-users] Qubes doesn't support LXC unprivileged containers?
Why it's not possible to set 'kernel.unprivileged_userns_clone' (/proc/sys/kernel/unprivileged_userns_clone) to use LXC unprivileged containers? Qubes Kernel doesn't support it yet or is it possible to recompile the Kernel to add support to this?
[qubes-users] Nested virtualization
Hi guys,

Is it possible to install let's say Virtual Box inside a Qube? I've done some reading and all people seem to say is that it should be possible, but nothing conclusive.
[qubes-users] efi_memmap problem powering off.. coldhak paxtest fail
Hello, i have qubes 3.2 installed with 4.4.38-11 kernel. Install went fine. In the beginning powering off went good but now i get stuck at a screen that says

efi: EFI_MEMMAP is not enabled
esrt: ESRT header is not in the memory map

.. i also installed coldhaks grsec script for debian template. after a paxtest blackhat i get vulnerabilities in memory, mprotect etc.. i thought this might be related to efi. I have a lenovo x260 i7 processor. Some help will be much appreciated i dont want to keep powering off the wrong way. Thank you.
Re: [qubes-users] qvm-run fails silently with chromium
On Fri, Feb 10, 2017 at 03:28:53AM -0800, m...@lamarciana.com wrote:
> > The issue you raise there arises because the xterm is not a login shell
> > so will not use .profile.
> > It is interactive so (using bash) will use .bashrc
> >
> > On the immediate question here you can always set the path explicitly:
> > qvm-run -p qube "export PATH=$PATH: && foo"
>
> Hey Unman. The issue is that neither `~/.bashrc` nor `/etc/bash.bashrc` from
> my VM are used when I do `qvm-run` from dom0. Your workaround works but I
> think it is quite cumbersome. I wonder if there is any way to change the VM
> PATH seen from dom0 for every command.
>
> Thanks
>

Yes, I know - that's why I said "using bash". You are using zsh, so you said, so you need to put the path in ~/.zprofile

For example, with simple script 'logit' in home/user/newpath:
qvm-run -a -p qube logit
fails with "logit: not found"
append
path=('home/user/newpath' $path)
to ~/.zprofile
Then qvm-run succeeds
Re: [qubes-users] I have a bank vm, how do you restrict
On Sat, Feb 11, 2017 at 2:35 AM, Oleg Artemiev wrote:
> On Wed, Feb 8, 2017 at 2:36 AM, Chris Laprise wrote:
>> On 02/07/2017 04:47 AM, Oleg Artemiev wrote:
>>>>> I have a bank vm, how do you restrict the browser from being able to go else where? Do you add the iprules in the vm or do you create a proxyvm and add the iprules there?
>>>> I've tried both solution some time ago and definitely the tinyproxy solution works much better and can handle nicely dns round robin or servers behind load balancers. By the way this solution offer an other nice possibility, you can use regular expressions and for example allow .*\.mycompany\.com$ on the counterpart, you will have to trust the dns resolution.
>>>
>>> Look also for modules like 'request policy' and 'no script' or 'policeman' that implements nice GUI allowing both types in a single place.
>>> Request policy + 'ask for reload permission' should be enough to control in a single VM for a few banks in single place.
>>> Not that secure as proxying and denying in some other VM, but easy + GUI controls + require some configuration work at start.
>> Good recommendations. I'll add one to that list: HttpsEverywhere.
>> It will keep you from accidentally accessing pages in unencrypted form. You can also set it to allow only https (although some banks may use a mix of https and http).
> look also for uMatrix, Privacy Badger, force cache loading, For banking use of policeman and https everywhere should be enough. Though other firefox modules are also good.

forgot to mention uBlock Origin .

--
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/
Re: [qubes-users] I have a bank vm, how do you restrict
On Wed, Feb 8, 2017 at 2:36 AM, Chris Laprise wrote:
> On 02/07/2017 04:47 AM, Oleg Artemiev wrote:
>>
>> On Tue, Feb 7, 2017 at 11:57 AM, '0xDEADBEEF00' via qubes-users wrote:
>>>> I have a bank vm, how do you restrict the browser from being able to go else where? Do you add the iprules in the vm or do you create a proxyvm and add the iprules there? I've tried both, and created an email vm with iprules "deny everything except" But then neither vm(s) will connect. Is there a proper way to do this? Or will I have to do the tinyproxy thing I've read elsewhere ?
>>>
>>> I've tried both solution some time ago and definitely the tinyproxy solution works much better and can handle nicely dns round robin or servers behind load balancers. By the way this solution offer an other nice possibility, you can use regular expressions and for example allow .*\.mycompany\.com$ on the counterpart, you will have to trust the dns resolution.
>>
>> Look also for modules like 'request policy' and 'no script' or 'policeman' that implements nice GUI allowing both types in a single place.
>>
>> Request policy + 'ask for reload permission' should be enough to control in a single VM for a few banks in single place.
>> Not that secure as proxying and denying in some other VM, but easy + GUI controls + require some configuration work at start.
>>
>
> Good recommendations. I'll add one to that list: HttpsEverywhere.
>
> It will keep you from accidentally accessing pages in unencrypted form. You can also set it to allow only https (although some banks may use a mix of https and http).
>

look also for uMatrix, Privacy Badger, force cache loading, For banking use of policeman and https everywhere should be enough. Though other firefox modules are also good.

--
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/
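The regex allow-list idea quoted in this thread (`.*\.mycompany\.com$` in a tinyproxy filter), as an added example that is not part of the original messages: it evaluates constructed hostnames against a default-deny pattern list and flags patterns that admit more than intended. It assumes a filter file with one pattern per line and `#` comments, uses Python's `re` as a stand-in for the proxy's extended regex matching, and every pattern and hostname other than the one from the thread is constructed.

```python
import re

# Constructed filter file, one pattern per line as in a tinyproxy Filter file.
# Only the first pattern comes from the thread; the rest are constructed.
FILTER_TEXT = r"""
# bank allow-list (constructed sample)
.*\.mycompany\.com$
mybank.example
^online\.mybank\.example$
"""

# Constructed hostnames a browser in the bank VM might request.
SAMPLE_HOSTS = [
    "www.mycompany.com",
    "mycompany.com",
    "www.mycompany.com.cdn.test",
    "online.mybank.example",
    "mybank.example.other.test",
    "mybankxexample.test",
    "notmybank.example",
]


def load_patterns(text):
    """Return the patterns in a filter file, skipping blanks and # comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def allowed(host, patterns):
    """Default-deny decision: pass only if some pattern matches anywhere in host."""
    host = host.lower().rstrip(".")
    return any(re.search(p, host, re.IGNORECASE) for p in patterns)


def lint(pattern):
    """List the ways a pattern admits more hosts than its author likely meant."""
    problems = []
    if not pattern.endswith("$") or pattern.endswith("\\$"):
        problems.append("no end anchor: also matches name.<anything>")
    if not pattern.startswith(("^", ".*\\.", "(^|\\.)")):
        problems.append("no start anchor: also matches <anything>name")
    if re.search(r"(?<!\\)\.(?![*+?])", pattern):
        problems.append("unescaped dot: matches any character, not just '.'")
    return problems


def audit(patterns, hosts):
    """Map each host to True (passes the allow-list) or False (denied)."""
    return {h: allowed(h, patterns) for h in hosts}


if __name__ == "__main__":
    pats = load_patterns(FILTER_TEXT)
    for p in pats:
        print(f"{p!r}: {lint(p) or 'ok'}")
    for host, ok in audit(pats, SAMPLE_HOSTS).items():
        print(f"{'ALLOW' if ok else 'DENY '} {host}")
```

The thread's pattern is anchored correctly but requires a leading label, so the bare `mycompany.com` is denied; the unanchored `mybank.example` line is the kind of entry that quietly widens the allow-list.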
[qubes-users] Re: [qubes-devel] Re: Devilspie2 integration
On Tue, Feb 7, 2017 at 1:41 PM, Andrew David Wong wrote:
> [Please keep the list CCed.]
>>>> why do we use operating systems at all? Because them provide some set of default pretty functionality/environment from the box. Why each time I power down my PC and power it up back I have to waste time on placing windows between desktops? Why the hell I can't power on and smoke then get back and see everything same way organised as I had on my last power up?
>>> Well, you can install Devilspie2 (or equivalent) in dom0 and automate your setup. (Remember, the foregoing discussion is about whether it should be installed *by default*.)
>> Yep. KDE by default has this from the box. Xfce has nothing for this. That's why "by default"
> Hm, then perhaps it's really Xfce who should integrate this upstream?

It would be nice.

Who will ask them for an integration? I guess unless enough people will do - no one will decide to implement.

> It seems like it would be suboptimal for the Qubes Project to try to maintain a fork of Xfce that goes beyond Qubes-specific functions.

you haven't to fork and maintain Xfce entirely. All you need - an option for restriction in qubes configuration for a VM and a script that will autogenerate configuration of restrictions offered by a tool you choose.

1st step is done: you adding a tool allowing such a restriction (the tool is already selected for a future Qubes, AFAIK)

now the second step: allow users easily automate restrictions based on that tool via qubes configuration interface.

>>>> The only thing I would like is having choice on restore as it was and run new session. People at firefox made good work and algorithm is well known, why not to apply this to Qubes: On start show what is going to be started, if user chooses "restore last state" - exactly that set left at session abort/power off is shown, if user is in doubt - new tab is always available. if user doesn't want to start same or partial set - give him/her clean new session. What a problem to do same way w/ desktop placement and VM autorun? People spend a lot of time starting same things on next power up. Firefox behaviour in case when firefox configured "restore previous state" and was killed/aborted is best behaviour I've seen on restoring workspace.
>>> This sounds like it would indeed be a nice feature. Care to contribute a patch?
>> Not. :( A lot of questions appear to understand where to make changes at 1st. Unsure that I'll be able to make such a patches.
>
>>>> Locking application to some desktop set is a very good feature and, afair and adding this functionality via some utility in Dom0 default package set is work in progress for current qubes. Just choose one app we're okay with, hug it with qubes vm manager and users will love ability to use it. :) I don't vote for this one utility - I vote for similar functionality available to user _by_default_ .
>>> Why _by default_? As I explained above, we need to take a disciplined approach in deciding which features get included by default. If we include by default everything that everyone wants, Qubes will suffer from the consequent software bloat and feature creep.
>> That is not what every one want but this is what _everyone_ usually wastes time on - when powered down and powered up to continue .
>>
>>> We must resist the temptation to push for the default inclusion of features simply because *we* like them. There has to be a stronger reason than that. We have to ask ourselves the hard questions: Why do you want it to be the default? To save you from having to configure it yourself? Because you think other people should share your personal preferences?
>> Isn't the reason "every one wastes time that way" above is not enough to add in wish list "make life better for every one" by enabling option to restore last state of running VMs this way"?
>>
>
> It sounds like you're conflating a few different ideas here:
> including Devilspie2 by default,

you should include by default at least one of tools allowing such a restriction - choose within Qubes team. I've no idea which is better automated from outside w/o requirements for user interaction.

> locking apps to virtual desktops,

Yep.

> and saving state.

Yep.

> I think the case for the last one is probably stronger than the first two (given what has been said so far), but maybe this is a question for the UX experts.

Yep, every one is wasting time restoring state, not every one needs desktop-bound applications.

>>> Also, why is it so important to restrict certain domains to certain virtual desktops?
>> All these restrictions are about:
>>
>> 0. Save time - all appears same place (mean desktop set) - no annoying window reorder .
>> 1. Easier to group desktops and activities b
Re: [qubes-users] Ad-blocking ProxyVM?
On Fri, Feb 10, 2017 at 04:10:06AM -0800, Joe Ruether wrote:
> On Thursday, February 9, 2017 at 10:21:26 AM UTC-5, Unman wrote:
> > On Thu, Feb 09, 2017 at 04:32:12AM -0800, Joe Ruether wrote:
> > > Hello!
> > >
> > > I am trying to set up a proxy vm that will redirect DNS requests to a
> > > local DNS server, for the purposes of adblocking.
> > >
> > > Here is the setup:
> > >
> > > internet <-> sys-net <-> sys-firewall <-> MY_PROXYVM <->
> > > appvm_with_firefox
> > >
> > > I have created a proxyvm based on a debian-8 template, and have installed
> > > PiHole (https://pi-hole.net/) as an adblocker. PiHole works by starting a
> > > DNS server (dnsmasq) and rejecting any dns queries to domains that serve
> > > ads.
> > >
> > > If (in the proxyvm) I set the contents of /etc/resolv.conf to 127.0.0.1
> > > and open firefox (in the proxyvm), I can verify that the adblocker is
> > > working correctly.
> > >
> > > The issue I am having is when I used the proxyvm as the netvm for another
> > > appvm. Without any other changes, my appvm's firefox has internet access,
> > > but the adblocker has no effect. Of course, some additional setup is
> > > needed, but I'm not exactly sure how to do that.
> > >
> > > I'm not very good with iptables, and every attempt I have made to
> > > redirect DNS to 127.0.0.1 in the proxyvm has failed (and caused both the
> > > proxyvm and the appvm to lose the ability to browse). Here are the
> > > commands I ran (in the proxyvm):
> > >
> > > #!/bin/bash
> > > DNS=127.0.0.1
> > > NS1=10.137.4.1
> > > NS2=10.137.4.254
> > > iptables -t nat -A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $DNS
> > > iptables -t nat -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $DNS
> > > iptables -t nat -A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $DNS
> > > iptables -t nat -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $DNS
> > >
> > > ---
> > >
> > > I pieced this together from what I could find from the VPN documentation
> > > on the qubes website as well as the contents of
> > > /usr/lib/qubes/qubes-setup-dnat-to-ns
> > >
> > > Running the qubes-setup-dnat-to-dns script by itself after changing
> > > /etc/resolv.conf (all this on the proxyvm) didn't seem to have any impact.
> > >
> > > So! My question is, am I going about this correctly? I think I need to
> > > modify the iptables in the proxyvm to redirect any incoming (from the
> > > appvm) DNS queries to 127.0.0.1, while still allowing outgoing (to the
> > > internet, from the proxyvm) DNS queries to get out. Along with this, I
> > > think I need to ensure that there are rules that allow all other traffic
> > > to pass through unhindered.
> > >
> > > Or is there a different, qubes-specific way of handling DNS that I should
> > > be using? After inspecting the sys-firewall ipconfig and iptables, it is
> > > clear that something behind-the-scenes is happening where an additional
> > > NIC is created for each attached appvm, and the iptables are being
> > > populated automatically somehow. I'm not sure how the proxyvm is supposed
> > > to get the addresses of the appvm and sys-firewall (my script above had
> > > addresses hardcoded).
> > >
> > > Thank you for any help! If I get all this working, I'm planning on making
> > > a Salt file that can create the adblocking proxyvm.
> > >
> >
> > I don't see any reason why this shouldn't work.
> > I wouldn't be so specific in the nat rules but that's your call. Just
> > protocol and port would suffice.
> >
> > One obvious point is that you are ADDING those rules to the end of the
> > PR-QBS chain without flushing it first. If you already have redirect
> > rules there they will trigger first.
> > What does your nat table look like after you run that script?
> >
> > Another point may be that you don't have an incoming rule in the INPUT
> > chain allowing inbound traffic to the DNS ports. Unless you've changed
> > this the default rule will block inbound traffic from any vif interface.
> > So you need to ensure you are allowing that traffic with an:
> > iptables -I INPUT -i vif+ -p udp --dport 53 -j ACCEPT
> >
> > Finally, you need to consider the effects of the qubes-firewall and
> > qubes-netwatcher services.
> > If you want to retain these you can use
> > /rw/config/qubes-firewall-user-script to override the automatic Qubes
> > configuration and insert your own iptables rules.
> > You can also use rc.local to set initial iptables rules.
> > Remember to make those files executable if you want to use them.
> >
> > Most of this is in the docs, although not easy to find.
> >
> > Hope this helps
> >
> > unman
>
> Thank you for your help, I have more information about my configuration
> below. I am confident that I have an iptables issue, but I can't seem to
> figure out which rules need to be added.
>
> ifconfig:
>
> eth0 Link encap:Ethernet HWaddr 00:16:3e:5e:6c:01
> inet addr:10.137.2.3 Bcast:10.255.255.255 Mask:255.255.255.255
>
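The two points in the advice quoted above (rules appended to PR-QBS never trigger while earlier redirect rules remain, and INPUT must accept DNS arriving on vif interfaces) can be checked against iptables-save output. The following is an added example, not code from the thread or from Qubes: both rule sets are constructed, the upstream addresses 10.137.2.1/10.137.2.254 and the interface name vif5.0 are assumptions, and the function names are hypothetical. It also flags DNAT to 127.0.0.1, which the kernel discards for packets arriving on a non-loopback interface unless route_localnet is enabled, so the constructed corrected rule set uses REDIRECT instead.

```python
import ipaddress
import shlex

# Constructed iptables-save excerpt (not from the thread): the stock DNAT rules
# are still in PR-QBS and the poster's four rules were appended after them.
BEFORE = """\
*nat
-A PR-QBS -d 10.137.4.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.137.2.1
-A PR-QBS -d 10.137.4.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.137.2.1
-A PR-QBS -d 10.137.4.254/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.137.2.254
-A PR-QBS -d 10.137.4.254/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.137.2.254
-A PR-QBS -d 10.137.4.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1
-A PR-QBS -d 10.137.4.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1
-A PR-QBS -d 10.137.4.254/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1
-A PR-QBS -d 10.137.4.254/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1
COMMIT
*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed corrected state: PR-QBS flushed first, port 53 from downstream
# VMs redirected to the local resolver, INPUT opened for vif+ ahead of REJECT.
AFTER = """\
*nat
-A PR-QBS -i vif+ -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PR-QBS -i vif+ -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
COMMIT
*filter
-A INPUT -i vif+ -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

FLAGS = {"-i": "iif", "-d": "dst", "-p": "proto", "--dport": "dport",
         "--ctstate": "ctstate", "-j": "target", "--to-destination": "to", "--to": "to"}

def parse(text):
    """Map (table, chain) -> ordered rule dicts; negation and port ranges are not handled."""
    chains, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            tok = shlex.split(line)
            rule = {FLAGS[f]: v for f, v in zip(tok[2:], tok[3:]) if f in FLAGS}
            chains.setdefault((table, tok[1]), []).append(rule)
    return chains

def matches(rule, pkt):
    iif = rule.get("iif")
    if iif and not (pkt["iif"].startswith(iif[:-1]) if iif.endswith("+") else pkt["iif"] == iif):
        return False
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"], strict=False):
        return False
    if rule.get("proto", pkt["proto"]) != pkt["proto"]:
        return False
    if int(rule.get("dport", pkt["dport"])) != pkt["dport"]:
        return False
    return pkt["state"] in rule.get("ctstate", pkt["state"]).split(",")

def first_match(rules, pkt):
    """First matching rule wins; non-terminating targets such as LOG are not modelled."""
    for number, rule in enumerate(rules, 1):
        if "target" in rule and matches(rule, pkt):
            return number, rule
    return None, {}

def audit(text, dns_ips, vif="vif5.0"):
    """Findings as (kind, proto, dst, rule_number) for new DNS queries arriving on `vif`."""
    chains = parse(text)
    findings = []
    for proto in ("udp", "tcp"):
        for dst in dns_ips:
            pkt = {"iif": vif, "dst": dst, "proto": proto, "dport": 53, "state": "NEW"}
            n, rule = first_match(chains.get(("nat", "PR-QBS"), []), pkt)
            to = rule.get("to", "").split(":")[0]
            if rule.get("target") == "DNAT" and to and ipaddress.ip_address(to).is_loopback:
                # Dropped as martian unless net.ipv4.conf.<iface>.route_localnet=1.
                findings.append(("loopback-dnat", proto, dst, n))
            elif rule.get("target") != "REDIRECT":
                findings.append(("bypasses-resolver", proto, dst, n))
        # Redirected queries are delivered locally, so they must pass filter/INPUT.
        # No match at all is reported too: the chain policy is not in the excerpt.
        pkt = {"iif": vif, "dst": "127.0.0.1", "proto": proto, "dport": 53, "state": "NEW"}
        n, rule = first_match(chains.get(("filter", "INPUT"), []), pkt)
        if rule.get("target") != "ACCEPT":
            findings.append(("input-blocked", proto, None, n))
    return findings

if __name__ == "__main__":
    for label, ruleset in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(ruleset, ["10.137.4.1", "10.137.4.254"]) or "no findings")
```

Feeding it the real output of iptables-save from the proxyvm answers the question "What does your nat table look like after you run that script?" in terms of which rule actually wins for each DNS address.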
Re: [qubes-users] ubuntu template
On Fri, Feb 10, 2017 at 10:04:54AM -0800, damien.wa...@gmail.com wrote:
> On Thursday, 9 February 2017 12:41:42 UTC+1, Unman wrote:
> > On Thu, Feb 09, 2017 at 02:37:36AM -0800, wrote:
> > > Hi,
> > >
> > > I am new into qubes (few months) and find it great. But I need a distro
> > > with newer packages (debian jessie was fine until I ran in issues with
> > > encfs compatibility).
> > >
> > > So I wanted to build an ubuntu template but I did not find clear
> > > instructions.
> > >
> > > using https://github.com/QubesOS/qubes-builder and the setup script, I do
> > > not get ubuntu to choose in the menu.
> > >
> > > On this forum, there are few posts about it but using private repo.
> > >
> > > I really need help on this :-)
> > >
> > > Best regards,
> > >
> > > Damien
> > >
> >
> > Hi Damien,
> >
> > The Ubuntu builds are referenced in setup as Trusty and Xenial.
> >
> > I've just put in a series of Pull Requests that should allow
> > straightforward builds of both.
> > Wait a little while for them to be merged.
> >
> > It should then be a matter of:
> > git clone https://github.com/QubesOS/qubes-builder
> > cd qubes-builder
> > ./setup
> > make qubes-vm
> > make template
> >
> > Copy generated Template to dom0 and install - there's a handy script
> > provided to do this for you.
> >
> > I'll let you know when the PRs are merged. Focus at the moment is on
> > the GSOC applications.
> >
> > unman
>
> Hi, thank you !
>
> Is there a way I may support you? maybe I can test it?
>
>
> Best regards,
>
> Damien
>

As soon as the PRs are merged I'll post to the list, and you can try it then. (Or you could merge them yourself of course, and try the build.) Testing and feedback would be much appreciated. I've been using Xenial for a while and it seems fine.
Re: [qubes-users] ubuntu template
On Fri, Feb 10, 2017 at 01:46:02AM -0800, trul...@gmail.com wrote:
> On Thursday, 9 February 2017, 14:41:42 UTC+3, Unman wrote:
> > On Thu, Feb 09, 2017 at 02:37:36AM -0800, damien.wa...@gmail.com wrote:
> > > Hi,
> > >
> > > I am new into qubes (few months) and find it great. But I need a distro
> > > with newer packages (debian jessie was fine until I ran in issues with
> > > encfs compatibility).
> > >
> > > So I wanted to build an ubuntu template but I did not find clear
> > > instructions.
> > >
> > > using https://github.com/QubesOS/qubes-builder and the setup script, I do
> > > not get ubuntu to choose in the menu.
> > >
> > > On this forum, there are few posts about it but using private repo.
> > >
> > > I really need help on this :-)
> > >
> > > Best regards,
> > >
> > > Damien
> > >
> >
> > Hi Damien,
> >
> > The Ubuntu builds are referenced in setup as Trusty and Xenial.
> >
> > I've just put in a series of Pull Requests that should allow
> > straightforward builds of both.
> > Wait a little while for them to be merged.
> >
> > It should then be a matter of:
> > git clone https://github.com/QubesOS/qubes-builder
> > cd qubes-builder
> > ./setup
> > make qubes-vm
> > make template
> >
> > Copy generated Template to dom0 and install - there's a handy script
> > provided to do this for you.
> >
> > I'll let you know when the PRs are merged. Focus at the moment is on
> > the GSOC applications.
> >
> > unman
>
> Unman can you make a template rpm Ubuntu and put it on
>
> https://ftp.qubes-os.org/repo/yum/r3.2/templates-community/rpm/ ?:)
>
> Trying qubes-builder with trusty, xenial, xenial-desktop and no success.
> Everytime troubles with MAKE.
>
> qvm clone fedora-23 ubuntu
> grow to 25 GB, allow network
> yum install git createrepo rpm-build rpm-sign make python-sh rpmdevtools
> rpm-sign dialog
> git clone https://github.com/QubesOS/qubes-builder
> cd qubes-builder
> ./setup
>
> Choosing fedora23 and mgmt-salt, then Ubuntu Xenial.
>
> make get-sources
> make install-deps
>
> And finally make qubes-vm can't build template
>
> "Building packages not supported by any configured plugins"
>
> It means that need to use debian-8 template for builder?
>

If you read my email I specifically say that there are PRs to fix these issues, and I will let you know when they are merged. They aren't merged yet.

As for a pre-built template, as John points out, and as explained on the relevant page in the docs, we can't do this because of Canonical's policies. This may change but for the moment, building your own template is the only solution.
[qubes-users] Shouldn't this be specially noted in Qubes HCL? (was: what about usb to jtag interface?)
On Thu, Feb 9, 2017 at 6:38 PM, pixel fairy wrote:
> On Thursday, February 9, 2017 at 3:54:03 AM UTC-8, Oleg Artemiev wrote:
>> I've heard that new intel mother boards will have (or already have)
>> ability to access jtag interface via USB.
> yes, skylake and kabylake processors. heres the ccc talk on it.
> https://www.youtube.com/watch?v=2JCUrG7ERIE

thanks! Started listening - got basics, 'll continue later. Very interesting . :)

>> Does this mean that USB qube is now useless as a security border on
>> such a mother board?
> only if the manufacturer has it enabled. the only vendor who got back to me
> (and knew what i was talking about) when i asked was system76 to confirm that
> it is disabled on their lemur series.
> puri.sm was aware, but doesnt have any hardware out using those chips.

So finally it is a question of trusting the vendor (and their public relations personnel who may think that those capabilities are not really disabled.

Shouldn't these CPUs and motherboards be specially noted as dangerous in qubes HCL?

--
Bye.Olli.
gpg --search-keys grey_olli , use key w/ fingerprint below:
Key fingerprint = 9901 6808 768C 8B89 544C 9BE0 49F9 5A46 2B98 147E
Blog keys (the blog is mostly in Russian): http://grey-olli.livejournal.com/tag/
Re: [qubes-users] ubuntu template
On 02/10/2017 09:46 AM, trul...@gmail.com wrote:
> On Thursday, 9 February 2017, 14:41:42 UTC+3, Unman wrote:
>> On Thu, Feb 09, 2017 at 02:37:36AM -0800, damien.wa...@gmail.com wrote:
>>> Hi,
>>>
>>> I am new into qubes (few months) and find it great. But I need a distro
>>> with newer packages (debian jessie was fine until I ran in issues with
>>> encfs compatibility).
>>>
>>> So I wanted to build an ubuntu template but I did not find clear
>>> instructions.
>>>
>>> using https://github.com/QubesOS/qubes-builder and the setup script, I do
>>> not get ubuntu to choose in the menu.
>>>
>>> On this forum, there are few posts about it but using private repo.
>>>
>>> I really need help on this :-)
>>>
>>> Best regards,
>>>
>>> Damien
>>>
>> Hi Damien,
>>
>> The Ubuntu builds are referenced in setup as Trusty and Xenial.
>>
>> I've just put in a series of Pull Requests that should allow
>> straightforward builds of both.
>> Wait a little while for them to be merged.
>>
>> It should then be a matter of:
>> git clone https://github.com/QubesOS/qubes-builder
>> cd qubes-builder
>> ./setup
>> make qubes-vm
>> make template
>>
>> Copy generated Template to dom0 and install - there's a handy script
>> provided to do this for you.
>>
>> I'll let you know when the PRs are merged. Focus at the moment is on
>> the GSOC applications.
>>
>> unman
> Unman can you make a template rpm Ubuntu and put it on
>
> https://ftp.qubes-os.org/repo/yum/r3.2/templates-community/rpm/ ?:)
>
> Trying qubes-builder with trusty, xenial, xenial-desktop and no success.
> Everytime troubles with MAKE.
>
> qvm clone fedora-23 ubuntu
> grow to 25 GB, allow network
> yum install git createrepo rpm-build rpm-sign make python-sh rpmdevtools
> rpm-sign dialog
> git clone https://github.com/QubesOS/qubes-builder
> cd qubes-builder
> ./setup
>
> Choosing fedora23 and mgmt-salt, then Ubuntu Xenial.
>
> make get-sources
> make install-deps
>
> And finally make qubes-vm can't build template
>
> "Building packages not supported by any configured plugins"
>
> It means that need to use debian-8 template for builder?
>

Hi,

You need debian-builder instead of fedora in the first step of `setup`, because ubuntu is based on debian. This is mandatory to build any debian-based operating system.

To skip unnecessary setup to use only for making ubuntu template, first edit the ‘qubes-os-r3.2.conf’ (if you use r3.2 in this case) which is found in /home/user/qubes-builder/example-configs. Use the text editor of your choice.

Go to the first line containing ‘DISTS_VM ?= fc23’

Remove ‘fc23’ or whatever is listed there leaving only ‘DISTS_VM ?=’. Then save the file and close the text editor.

Run the 'setup' script located in ‘/home/user/qubes-builder/’. Make sure you are in directory ‘qubes-builder’.

$ cd /home/user/qubes-builder/
$ ./setup

Deselect 'builder-fedora'
Select 'builder-debian'

On 'Template Distribution Selection':
Select xenial+desktop

Proceed others as per instructions.

To check build-logs in progress later you can use `tail -f` command in between the *.log locations.
[qubes-users] HCL - Sony Vaio 11 Pro i7 - SVP11216PXB
---
layout: 'hcl'
type: 'notebook'
hvm: 'yes'
iommu: 'no'
slat: 'yes'
tpm: ''
brand: |
  Sony Corporation
model: |
  SVP11216PXB
bios: |
  R1044V7
cpu: |
  Intel(R) Core(TM) i7-4500U CPU @ 1.80GHz
cpu-short: |
  FIXME
chipset: |
  Intel Corporation Haswell-ULT DRAM Controller [8086:0a04] (rev 09)
chipset-short: |
  FIXME
gpu: |
  Intel Corporation Haswell-ULT Integrated Graphics Controller [8086:0a16] (rev 09) (prog-if 00 [VGA controller])
gpu-short: |
  FIXME
network: |
  Intel Corporation Wireless 7260 (rev 6b)
memory: |
  8098
scsi: |
  SAMSUNG MZNTD256 Rev: 300Q Ultra FitRev: 1.00
versions:
- works: 'yes'
  qubes: |
    R3.2
  xen: |
    4.6.1
  kernel: |
    4.4.14-11
  remark: |
    'After installing apply instructions in "Boot device not recognized after installing" at https://www.qubes-os.org/doc/uefi-troubleshooting The card was not recognized only if I plugged in through a USB HUB.'
  credit: |
    FIXAUTHOR
  link: |
    FIXLINK
---
Re: [qubes-users] Updating packages with salt does not refresh the repositories
On 10.02.2017 17:04, Jean-Philippe Ouellet wrote:
> On Thu, Feb 9, 2017 at 6:46 PM, wrote:
>> I have an update.sls with the following content:
>>
>> updates:
>>   pkg.uptodate:
>>     - refres: True
>
> If that's literally a copy & paste... because you're missing the h in refresh?

Thx for the reply. It is no copy and paste because it is in dom0. I use the correct writing "- refresh: True".
Re: [qubes-users] ubuntu template
On Thursday, 9 February 2017 12:41:42 UTC+1, Unman wrote:
> On Thu, Feb 09, 2017 at 02:37:36AM -0800, wrote:
> > Hi,
> >
> > I am new into qubes (few months) and find it great. But I need a distro
> > with newer packages (debian jessie was fine until I ran in issues with
> > encfs compatibility).
> >
> > So I wanted to build an ubuntu template but I did not find clear
> > instructions.
> >
> > using https://github.com/QubesOS/qubes-builder and the setup script, I do
> > not get ubuntu to choose in the menu.
> >
> > On this forum, there are few posts about it but using private repo.
> >
> > I really need help on this :-)
> >
> > Best regards,
> >
> > Damien
> >
>
> Hi Damien,
>
> The Ubuntu builds are referenced in setup as Trusty and Xenial.
>
> I've just put in a series of Pull Requests that should allow
> straightforward builds of both.
> Wait a little while for them to be merged.
>
> It should then be a matter of:
> git clone https://github.com/QubesOS/qubes-builder
> cd qubes-builder
> ./setup
> make qubes-vm
> make template
>
> Copy generated Template to dom0 and install - there's a handy script
> provided to do this for you.
>
> I'll let you know when the PRs are merged. Focus at the moment is on
> the GSOC applications.
>
> unman

Hi, thank you !

Is there a way I may support you? maybe I can test it?

Best regards,

Damien
[qubes-users] qubes 3.2: Realtek ethernet not detected by sys-net, please help.
Tried all the following over the last 4 days. Please help if possible.

rpm -q linux-firmware :
linux-firmware-20161205-69.git91ddce49.fc24.noarch

Failed with DMA setting at:
qvm-prefs -s netvm kernelopts "iommu=soft swiotlb=16384"

dom0 dmesg:
02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev ff)

dom0 lspci -k:
02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev ff)
    Kernel driver in use: pciback
    Kernel modules: r8169

dom0 lspci -nn:
02:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller [10ec:8168] (rev ff)

sys-net dmesg:
pci :00:00.0 [10ec:8168] type 7f class 0xff
pci :00:00.0 unknown header type 7f, ignoring device

sudo dmesg | grep pci
pciback :02:00.0: timed out waiting for pending transaction; performing function level reset anyway

ExecStartPre as per the following also failed:

[Unit]
Description=Netvm Fixup
Before=qubes_netvm.service

[Service]
ExecStart=/bin/sh -c 'echo :20:00.0 > /sys/bus/pci/drivers/pciback/permissive'
Type=onshot
RemainAlertExit=yes

[Install]
WantedBy=multi-user.target
[qubes-users] Re: Ad-blocking ProxyVM?
I never heard of that program looks interesting. I still use iblocklist.com lists with peerguardian on debian 8. But I run it right in the vm. maybe a better idea if you have the resources to run it in a proxy. The vm is protected from the app and the app protected from other apps I guess. sys-net is regarded as untrusted anyways. but why make it even less so maybe.
Re: [qubes-users] Re: What? Can I access a windows USB drive?
Yes go to sys-usb in the start menu and select files.
Re: [qubes-users] Updating packages with salt does not refresh the repositories
On Thu, Feb 9, 2017 at 6:46 PM, wrote:
> I have an update.sls with the following content:
>
> updates:
>   pkg.uptodate:
>     - refres: True

If that's literally a copy & paste... because you're missing the h in refresh?
[qubes-users] using a custom salt module in top files
hi.

i wrote some custom salt module and use it for rendering in my top-file.
everything works great as long as i am only in dom0.
as soon as my stuff is run in domU (or rather its management-vm) i get errors:

when rendering:
/var/tmp/.root_62a99a_salt/running_data/var/cache/salt/minion/files/base/top.jinja
i get an error in line 77:

77: {%- load_yaml as single_top -%}
78: {% include top %}
79: {%- endload -%}

this is the place where my top file is included.
after including the file, rendering it as yaml fails.
after adding some outputs to jinja i was able to see my rendered top file.
the line it complains about is:

{'retcode': 0, '_error': 'Failed to return clean data', 'stderr': "'my.function' is not available.", 'stdout': ''}

the original call is:

{{ salt['my.function'](yaml=yaml, grains=grains) }}

the error suggests: when my top file is included in top.jinja, no custom salt modules are used.
this seems to be a bug.

how can i fix this?
i could add some wrapper around it and do rendering for domu using jinja, but this is kind of cumbersome.
this is also only possible since my function only does very little in domu.
furthermore this would prevent me from doing more complex stuff in domu in the future (currently it is not planned, but maybe i want to do such stuff in the future).

so i am interested in a way to fix the rendering (so it correctly uses the custom module).

-john
[qubes-users] Re: Ad-blocking ProxyVM?
Is there any particular reason you are setting up another app VM for this? Why not run it on the net or firewall VM?
Re: [qubes-users] Re: traveling - best practice
On 02/10/2017 05:02 AM, john.david.r.smith wrote:
> On 10/02/17 11:53, '0xDEADBEEF00' via qubes-users wrote:
> > Interesting topic... I would like to hear more about how people handle this.
> >
> > On my side, I would never work on sensitive information in such a situation. To make just some surfing in public place, my laptop is installed with a standard w10 that I use only to check a generic mailbox with on sensitive information, do some nonsensitive work and surf.
> >
> > By the way, the boot sequence of my laptop is set to boot this partition by default with no menu or prompt of any kind. If I want to boot into qubes, I have to do it manually by interrupting the boot sequence.
> >
> > This also serves as a decoy, if I'm forced to boot my laptop when passing borders or so.
> >
> > Best,
> >
> > 0xdeadbeef
>
> dual booting opens a whole new attack surface.
> is there a way to deal with this?
> the other os may not be able to read/modify qubes due to encryption, but it
> can write something malicious on the disk (e.g. some loader running before
> qubes)

while i can't deny the utility of a decoy, dual booting does indeed open a new attack surface, e.g. win10 gremlin rewrites the bootloader on your non-win10 partitions in a way that caches your disk passphrase somewhere win10 can access it next time it boots.

the best policy with windows is to never use it under any circumstances, provided you can manage it.
Re: [qubes-users] Re: traveling - best practice
On Friday, February 10, 2017 at 3:02:23 AM UTC-8, john.david.r.smith wrote:
> On 10/02/17 11:53, '0xDEADBEEF00' via qubes-users wrote:
...
> > This also serves as a decoy, if I'm forced to boot my laptop when passing
> > borders or so.
> >
> > Best,
> >
> > 0xdeadbeef
>
> dual booting opens a whole new attack surface.
> is there a way to deal with this?
> the other os may not be able to read/modify qubes due to encryption, but it
> can write something malicious on the disk (e.g. some loader running before
> qubes)

thats what AEM is for, but then, on most laptops, you lose iommu protection. the lemur7 from system76 has a pci bridged sd card reader, but you cant boot from it!

if 0xdeadbeef is running on the dummy partition most of the time, this probably is not a problem, unless it runs into a badusb that can compromise bios or firmware.

some laptops can have multiple internal drives, but since sometime after 2010, they stopped letting you disable devices in bios. havent found any modern ones that let you do this.

maybe something can be done with coreboot if bootguard is disabled. but then you dont have bootguard protecting your bios.
Re: [qubes-users] Ad-blocking ProxyVM?
On Thursday, February 9, 2017 at 10:21:26 AM UTC-5, Unman wrote:
> On Thu, Feb 09, 2017 at 04:32:12AM -0800, Joe Ruether wrote:
> > Hello!
> >
> > I am trying to set up a proxy vm that will redirect DNS requests to a local
> > DNS server, for the purposes of adblocking.
> >
> > Here is the setup:
> >
> > internet <-> sys-net <-> sys-firewall <-> MY_PROXYVM <-> appvm_with_firefox
> >
> > I have created a proxyvm based on a debian-8 template, and have installed
> > PiHole (https://pi-hole.net/) as an adblocker. PiHole works by starting a
> > DNS server (dnsmasq) and rejecting any dns queries to domains that serve
> > ads.
> >
> > If (in the proxyvm) I set the contents of /etc/resolv.conf to 127.0.0.1 and
> > open firefox (in the proxyvm), I can verify that the adblocker is working
> > correctly.
> >
> > The issue I am having is when I used the proxyvm as the netvm for another
> > appvm. Without any other changes, my appvm's firefox has internet access,
> > but the adblocker has no effect. Of course, some additional setup is
> > needed, but I'm not exactly sure how to do that.
> >
> > I'm not very good with iptables, and every attempt I have made to redirect
> > DNS to 127.0.0.1 in the proxyvm has failed (and caused both the proxyvm and
> > the appvm to lose the ability to browse). Here are the commands I ran (in
> > the proxyvm):
> >
> > #!/bin/bash
> > DNS=127.0.0.1
> > NS1=10.137.4.1
> > NS2=10.137.4.254
> > iptables -t nat -A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $DNS
> > iptables -t nat -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $DNS
> > iptables -t nat -A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $DNS
> > iptables -t nat -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $DNS
> >
> > ---
> >
> > I pieced this together from what I could find from the VPN documentation on
> > the qubes website as well as the contents of
> > /usr/lib/qubes/qubes-setup-dnat-to-ns
> >
> > Running the qubes-setup-dnat-to-dns script by itself after changing
> > /etc/resolv.conf (all this on the proxyvm) didn't seem to have any impact.
> >
> > So! My question is, am I going about this correctly? I think I need to
> > modify the iptables in the proxyvm to redirect any incoming (from the
> > appvm) DNS queries to 127.0.0.1, while still allowing outgoing (to the
> > internet, from the proxyvm) DNS queries to get out. Along with this, I
> > think I need to ensure that there are rules that allow all other traffic to
> > pass through unhindered.
> >
> > Or is there a different, qubes-specific way of handling DNS that I should
> > be using? After inspecting the sys-firewall ipconfig and iptables, it is
> > clear that something behind-the-scenes is happening where an additional NIC
> > is created for each attached appvm, and the iptables are being populated
> > automatically somehow. I'm not sure how the proxyvm is supposed to get the
> > addresses of the appvm and sys-firewall (my script above had addresses
> > hardcoded).
> >
> > Thank you for any help! If I get all this working, I'm planning on making a
> > Salt file that can create the adblocking proxyvm.
> >
>
> I don't see any reason why this shouldn't work.
> I wouldn't be so specific in the nat rules but that's your call. Just
> protocol and port would suffice.
>
> One obvious point is that you are ADDING those rules to the end of the
> PR-QBS chain without flushing it first. If you already have redirect
> rules there they will trigger first.
> What does your nat table look like after you run that script?
>
> Another point may be that you don't have an incoming rule in the INPUT
> chain allowing inbound traffic to the DNS ports. Unless you've changed
> this the default rule will block inbound traffic from any vif interface.
> So you need to ensure you are allowing that traffic with an:
> iptables -I INPUT -i vif+ -p udp --dport 53 -j ACCEPT
>
> Finally, you need to consider the effects of the qubes-firewall and
> qubes-netwatcher services.
> If you want to retain these you can use
> /rw/config/qubes-firewall-user-script to override the automatic Qubes
> configuration and insert your own iptables rules.
> You can also use rc.local to set initial iptables rules.
> Remember to make those files executable if you want to use them.
>
> Most of this is in the docs, although not easy to find.
>
> Hope this helps
>
> unman

Thank you for your help, I have more information about my configuration below. I am confident that I have an iptables issue, but I can't seem to figure out which rules need to be added.

ifconfig:
eth0      Link encap:Ethernet  HWaddr 00:16:3e:5e:6c:01
          inet addr:10.137.2.3  Bcast:10.255.255.255  Mask:255.255.255.255
          inet6 addr: fe80::216:3eff:fe5e:6c01/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6830 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6436 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txq
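An added example, not part of any message in this thread: a dry-run shell helper that prints the rule set the replies above describe (flush PR-QBS, DNAT port 53 arriving on vif+, open INPUT for it). It assumes the resolver also listens on the ProxyVM's own address (10.137.2.3 in the ifconfig output above) and refuses a 127.0.0.0/8 target, because packets DNATed from a vif to loopback are dropped as martians unless route_localnet is enabled; the function names and exit codes are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (dry run) the iptables commands
# for a Qubes ProxyVM that answers DNS for the qubes attached to it.

# is_loopback ADDR: true when ADDR is in 127.0.0.0/8.
is_loopback() {
    case "$1" in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# is_ipv4 ADDR: true for four dot-separated decimal octets in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots (digits and dots only here)
    IFS=$_old_ifs
    [ "$#" -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# dns_redirect_rules RESOLVER: print the rule set, or fail on an unusable
# address (exit 2: not IPv4, exit 3: loopback target).
dns_redirect_rules() {
    if ! is_ipv4 "$1"; then
        echo "error: '$1' is not an IPv4 address" >&2
        return 2
    fi
    if is_loopback "$1"; then
        # Packets from a vif that are DNATed to 127.0.0.0/8 are discarded at
        # the routing step unless route_localnet is enabled on that interface.
        echo "error: DNAT to loopback $1 will not be delivered" >&2
        return 3
    fi
    # Flush first: rules appended after existing redirects would never match.
    echo "iptables -t nat -F PR-QBS"
    for _proto in udp tcp; do
        echo "iptables -t nat -A PR-QBS -i vif+ -p $_proto --dport 53 -j DNAT --to-destination $1"
        # The default INPUT rules block traffic arriving from vif interfaces.
        echo "iptables -I INPUT -i vif+ -p $_proto --dport 53 -j ACCEPT"
    done
}

# Dry run from the command line: sh dns-redirect.sh 10.137.2.3
if [ "$#" -gt 0 ]; then
    dns_redirect_rules "$1"
fi
```

To keep the rules across firewall reloads, the printed commands would go into /rw/config/qubes-firewall-user-script, as the reply above suggests.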
[qubes-users] Re: Cant Update with Fedora 24 minimal template as net-vm
On 02/10/2017 04:24 AM, FWM wrote:
> I've setup a new firewall-VM & net-vm to use the fedora-24-minimal-template,
>
> Firewall uses base template with no additional packages.
>
> the net-vm is a cloned fedora-24-minimal-template with the following packages
> installed (NetworkManager network-manager-applet dbus-x11 dejavu-sans-fonts
> tinyproxy notification-daemon gnome-keyring). I didn't add wireless stuff cos
> I don't need it.
>
> when using fedora24-net-vm via the fedora24-firewall-vm, I have internet
> access in app vms, but updates to templates time out.
>
> BUT when I route through the Qubes default sys-net and sys-firewall, updates
> work fine.
>
> Under global settings I have changed the update Vm to the new
> fedora24-minimal-firewall-VM (base template with no additional packages). Or
> should it be set directly to the net-vm?
>
> I'm guessing I'm missing a package or a setting?
>

Hello,

This is probably related to github issue 2606
https://github.com/QubesOS/qubes-issues/issues/2606
Re: [qubes-users] qvm-run fails silently with chromium
> The issue you raise there arises because the xterm is not a login shell
> so will not use .profile.
> It is interactive so (using bash) will use .bashrc
>
> On the immediate question here you can always set the path explicitly:
> qvm-run -p qube "export PATH=$PATH: && foo"

Hey Unman. The issue is that neither `~/.bashrc` nor `/etc/bash.bashrc` from my VM are used when I do `qvm-run` from dom0. Your workaround works but I think it is quite cumbersome. I wonder if there is any way to change the VM PATH seen from dom0 for every command.

Thanks
[qubes-users] Mount point /proc/xen in appVM prevents flatpak packages from starting (Issue #2540 impact wider than reported)
Hi all, I've been trying to use MonoDevelop 6, now distributed as a flatpak package instead of the usual RPM (fedora 25). I've had some problems in trying to run it, mainly because of an obscure error message "Can't mount proc on /newroot/proc: Operation not permitted". Further debugging had me starting flatpak with "-v" (verbose) option, where I discovered that flatpak is just a wrapper around bubblewrap (no pun intended). Investigating bubblewrap led me to https://github.com/projectatomic/bubblewrap/issues/134 where a Qubes user laments a non-working sandboxed tor browser. There Marek casually mentions /proc/xen being the cause of this situation, and actually unmounting it allows MonoDevelop to start. Since this issue is already tracked for TOR browser here https://github.com/QubesOS/qubes-issues/issues/2540 I'm not suggesting to open another issue; instead, I commented on the issue reporting that the impact is wider than TOR browser and I'm writing to the mailing list to let other puzzled flatpak-distributed-software-users know.

--
Alex
Re: [qubes-users] Re: traveling - best practice
On 10/02/17 11:53, '0xDEADBEEF00' via qubes-users wrote:
> Interesting topic... I would like to hear more about how people handle this.
>
> On my side, I would never work on sensitive information in such a situation. To make just some surfing in public place, my laptop is installed with a standard w10 that I use only to check a generic mailbox with no sensitive information, do some nonsensitive work and surf.
>
> By the way, the boot sequence of my laptop is set to boot this partition by default with no menu or prompt of any kind. If I want to boot into qubes, I have to do it manually by interrupting the boot sequence.
>
> This also serves as a decoy, if I'm forced to boot my laptop when passing borders or so.
>
> Best,
>
> 0xdeadbeef

dual booting opens a whole new attack surface.
is there a way to deal with this?
the other os may not be able to read/modify qubes due to encryption, but it can write something malicious on the disk (e.g. some loader running before qubes)
Re: [qubes-users] Re: traveling - best practice
Interesting topic... I would like to hear more about how people handle this.

On my side, I would never work on sensitive information in such a situation. To make just some surfing in public place, my laptop is installed with a standard w10 that I use only to check a generic mailbox with no sensitive information, do some nonsensitive work and surf.

By the way, the boot sequence of my laptop is set to boot this partition by default with no menu or prompt of any kind. If I want to boot into qubes, I have to do it manually by interrupting the boot sequence.

This also serves as a decoy, if I'm forced to boot my laptop when passing borders or so.

Best,

0xdeadbeef

Original Message
Subject: [qubes-users] Re: traveling - best practice
Local Time: February 8, 2017 8:30 AM
UTC Time: February 8, 2017 7:30 AM
From: pixelfa...@gmail.com
To: qubes-users

On Tuesday, February 7, 2017 at 5:09:45 AM UTC-8, haaber wrote:
> Hello, I wonder how you behave when traveling, for example in places
> with cameras all around. I feel uncomfortable to enter my passwords in
> such situations. Of course I can simply not turn my computer on. But

most "security" cameras can't see much. but the cloud of cell phones and any cameras worn by those looking to do this will have little trouble seeing and hearing your passphrases. you could use a yubikey to type your passphrase in, though be careful of pick pockets.

you could also velcro some cloth around the lid like this, https://goo.gl/photos/py8qdxRPtoz3PGL19

if you do, make sure there's some going around the front too. then use it with your back to two corners. someone could still pick up your typing with a good directional mic, but then you have a different threat model. in this case, you could have your laptop unlocked and suspended, with a qrexec service to shut it down should it leave, for example, the vicinity of your cell phone or NFC implant.

> sometimes you have several hours in an airport .. I thought about 3
> options.
>
> 0) Change all (disk / user) pwd before & after traveling (how do I
> change the disk pwd?).

everything you ever wanted to know about luks, https://gitlab.com/cryptsetup/cryptsetup

> 1) Pull out my tails usbkey and surf with that?

yes. or, better yet, tails on a dummy netbook or chromebook.

>
> 2) maybe it would be nice to have an additional "single cube"
> usr/password : when using this user name, one would get a single
> disposable untrusted VM, no dom0 access, no USB, and so forth. Is that
> feasible / reasonable?

this goes back some earlier discussions. easiest way is to dual boot your laptop.

>
> how do you cope with that? Thank you, Bernhard

leave it off, walk around, see the local art. sample the chocolate and coffee. try not to work.
[qubes-users] Re: Qubes R3.2 on Thinkpad X250: cannot install Windows 7 (hangs on "Starting Windows" at install)
On Thursday, February 9, 2017 at 21:10:00 UTC+3, bal...@gmail.com wrote:
> I have the same Problem :(
>
> When I change the model type to Cirrus, then appear a libvirtError that
> doesn't make any sense to me:
>
> Original Message: libvirt.libvirtError: Operation schlug fehl: Domain
> 'win7x64test2' ist bereits mit UUID ----
> definiert
>
> In english it should be something like: libvirt.libvirtError: operation
> failed: Domain 'win7x64test2' already exists with UUID
> ----
>
> The Original command that I run:
> qvm-start win7x64test2 --cdrom=/home/dave/Schreibtisch/win7_x64.iso
> --custom-config=/home/dave/Schreibtisch/win7x64test2.conf
>
> Can anyone help me please??

I finished installing the win7 HVM with success on Qubes using a thinkpad t430.

Also the libvirtError error was solved by:
win7 -> advanced > type > cdrom > backend domain > [path to your iso]

When first started, then follow these instructions: https://github.com/QubesOS/qubes-issues/issues/2488

It also works for me, VT-x enabled.
Re: [qubes-users] ubuntu template
> Unman can you make a template rpm Ubuntu and put it on
> https://ftp.qubes-os.org/repo/yum/r3.2/templates-community/rpm/ ?:)

i also would prefer this option, but it seems it is not possible due to legal issues.
see: https://www.qubes-os.org/doc/templates/ubuntu/
maybe we could convince canonical to allow this case, but somehow i doubt they will allow it.
Re: [qubes-users] ubuntu template
On Thursday, February 9, 2017 at 14:41:42 UTC+3, Unman wrote:
> On Thu, Feb 09, 2017 at 02:37:36AM -0800, damien.wa...@gmail.com wrote:
> > Hi,
> >
> > I am new into qubes (few months) and find it great. But I need a distro
> > with newer packages (debian jessie was fine until I ran in issues with
> > encfs compatibility).
> >
> > So I wanted to build an ubuntu template but I did not find clear
> > instructions.
> >
> > using https://github.com/QubesOS/qubes-builder and the setup script, I do
> > not get ubuntu to choose in the menu.
> >
> > On this forum, there is few posts about it but using private repo.
> >
> > I really need help on this :-)
> >
> > Best regards,
> >
> > Damien
> >
>
> Hi Damien,
>
> The Ubuntu builds are referenced in setup as Trusty and Xenial.
>
> I've just put in a series of Pull Requests that should allow
> straightforward builds of both.
> Wait a little while for them to be merged.
>
> It should then be a matter of:
> git clone https://github.com/QubesOS/qubes-builder
> cd qubes-builder
> ./setup
> make qubes-vm
> make template
>
> Copy generated Template to dom0 and install - there's a handy script
> provided to do this for you.
>
> I'll let you know when the PRs are merged. Focus at the moment is on
> the GSOC applications.
>
> unman

Unman can you make a template rpm Ubuntu and put it on https://ftp.qubes-os.org/repo/yum/r3.2/templates-community/rpm/ ?:)

Trying qubes-builder with trusty, xenial, xenial-desktop and no success. Every time troubles with MAKE.

qvm clone fedora-23 ubuntu
grow to 25 GB, allow network
yum install git createrepo rpm-build rpm-sign make python-sh rpmdevtools rpm-sign dialog
git clone https://github.com/QubesOS/qubes-builder
cd qubes-builder
./setup
Choosing fedora23 and mgmt-salt, then Ubuntu Xenial.
make get-sources
make install-deps

And finally make qubes-vm can't build the template: "Building packages not supported by any configured plugins"

Does it mean that I need to use a debian-8 template for the builder?