Re: [qubes-users] How much important is TPM?
That sounds interesting. Well, I don't think Opal provides better protection, but it comes with a potentially lower price. I'll try to compare the level of protection, correct me if I am wrong:

Persistent malware installed from a running system: Both are rather clueless unless you decide to lock the system very much. In practice, you would have to prevent even autostart of custom bash scripts.

SSD/HDD-based cold Evil Maid attack: Both can protect you from SSD/HDD tampering. (Provided that you consider the poor man's authentication as a real protection, i.e., you believe that the dm-crypt encryption is not *practically* malleable.) Worth noting, this is likely to be the most common scenario, since it does not need to handle various BIOSes etc.

Tampered firmware combined with a DMA attack: TPM theoretically could protect you, Opal cannot.

BIOS-related attacks: It depends. If the attacker flashes the BIOS, TPM might help you, while Opal cannot. But if the attacker tries to maliciously modify some SSD/HDD data that the BIOS parses in order to perform a buffer overflow in the BIOS, Opal could prevent this, while TPM might be clueless.

Copy attack: The attacker might take an identical model of the SSD and copy all data there, effectively disabling the Opal protection. But maybe if the attacker has enough time to perform such tampering, you are already out of luck, since she can install keyloggers etc.

Regards,
Vít Šesták 'v6ak'

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f12dd27c-fe1a-4a5e-8422-5b024a7b5441%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] How much important is TPM?
On 04/01/2017 07:31 AM, Vít Šesták wrote:
> The problem is:
> 1. The AEM is not perfect. Various vulnerabilities have been published and I am unsure what level of real protection (i.e., not just obscurity) it can provide.
> 2. AEM is not for free. When filtering only laptops with TXT+TPM, you have quite limited options, selection will take more time and it will probably result in a more expensive laptop. Is it really worth the limited protection?

This is the problem I was trying to address when talking about the Opal drive capabilities. Encryption is not the only thing Opal can do, and if you have an SSD you likely have this extended capability onboard already. For instance, all Samsung SSDs have Opal onboard, but you may never know it's there unless you activate it. If you have one, it's already encrypting by default but using a default key found on the label.

When a range covering the boot partition is marked read-only, the drive will prevent _any_ tampering, even using root system privs. Once booted and everything is properly measured (TPM or home grown), one can then choose to unlock that ro partition or just grub/chainload into another rw partition containing a protected system OS. The way I see it, one can boot Xen from a read-only (aka Xen isofs) partition and then test, expose, and then load Qubes proper from the next partition.

All this requires hardware-wise is buying an off-the-shelf SSD drive, and the Opal capability (usually) comes for free, as well as the additional boot performance of an SSD you might gain. You don't even need encryption enabled, just a defined region that write-protects the MBR and first boot partition. Using both a read-only partition and trusted boot measurements is a belt-and-suspenders kind of protection, up front, before anything even becomes modifiable. This can be used to test for any extra hardware attached that might be trying to intercept the boot process aiming to take control at a later point.

From a cold system, if you can't write to the partition, you can't hack the bootstrap, even after the system gains root privs. If you can't see the next chain-loaded partition, you cannot reverse it to even know how to hack it. You also cannot physically disassemble the device to recover a key, because it's not stored there; only a portion of the entropy that is required to re-create the key on the fly is in the device. You will still need a secret to unlock or make it rw for patching or for permitting upgrades, and that entropy can be encrypted by the TPM/SRK/KEK, or the user can provide a password for doing those required updates. Some coding will be required to make it idiot-proof and easy-to-use, but the benefits of being nearly tamper-proof would be raising the bar even for nation-states to climb over. I really need to make time to get back into this project.

Steve

> Regards,
> Vít Šesták 'v6ak'
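As an added illustration of the read-only Opal range Steve describes (example code, not from the thread, Qubes or AEM): a small planner that takes an sfdisk-style partition dump, computes the LBA range covering the MBR, the post-MBR gap and the boot partition, refuses a layout where the next partition would be caught inside the range, and prints the matching sedutil-cli commands. The sample dump, the sedutil-cli subcommand names (from the Drive-Trust-Alliance docs) and the Admin1 password placeholder are assumptions.

```python
import re

# Constructed sample shaped like `sfdisk -d /dev/sda` output (not a real drive).
# sda1 is the small boot partition, sda2 holds the encrypted system.
SAMPLE_DUMP = """\
label: dos
device: /dev/sda
unit: sectors

/dev/sda1 : start=        2048, size=     1048576, type=83, bootable
/dev/sda2 : start=     1050624, size=   498804736, type=8e
"""

PART_RE = re.compile(r"^(?P<dev>/dev/\S+)\s*:\s*start=\s*(?P<start>\d+),\s*size=\s*(?P<size>\d+)")

def parse_sfdisk(dump):
    """Return [(device, start_lba, size_lba), ...] from an sfdisk dump."""
    parts = []
    for line in dump.splitlines():
        m = PART_RE.match(line)
        if m:
            parts.append((m.group("dev"), int(m.group("start")), int(m.group("size"))))
    return parts

def plan_ro_range(parts):
    """Locking range to set read-only: LBA 0 (MBR plus the post-MBR gap where
    GRUB's core image lives) through the end of the lowest partition, i.e. boot.
    Returns (start_lba, length_lba). Refuses a layout in which another
    partition starts inside the range, since it would become read-only too."""
    if not parts:
        raise ValueError("no partitions in dump")
    boot = min(parts, key=lambda p: p[1])
    length = boot[1] + boot[2]  # exclusive end LBA of the boot partition
    for dev, start, _size in parts:
        if dev != boot[0] and start < length:
            raise ValueError(f"{dev} starts at LBA {start}, inside the proposed range")
    return 0, length

def sedutil_plan(start, length, dev="/dev/sda", rng=1):
    """sedutil-cli (Drive-Trust-Alliance) commands for that range. Subcommand
    names follow the upstream docs (assumed); the Admin1 password is a placeholder."""
    pw = "<ADMIN1_PASSWORD>"
    return [
        f"sedutil-cli --setupLockingRange {rng} {start} {length} {pw} {dev}",
        f"sedutil-cli --enableLockingRange {rng} {pw} {dev}",
        f"sedutil-cli --setLockingRange {rng} RO {pw} {dev}",
    ]

if __name__ == "__main__":
    start, length = plan_ro_range(parse_sfdisk(SAMPLE_DUMP))
    print(f"read-only range: LBA {start} .. {start + length - 1}")
    print("\n".join(sedutil_plan(start, length)))
```

The range deliberately starts at LBA 0 rather than at the partition, because the MBR and the gap GRUB uses are exactly what a cold tamper attempt rewrites.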
[qubes-users] Re: External GPU for just one VM or OpenSWR
It seems that poor OpenSWR performance (compared to llvmpipe) is determined by two factors:

* Workload: “given our focus on scientific visualization, our workloads are much different than the typical game; we have heavy vertex load and relatively simple shaders. In addition, the core counts of machines we run on are much higher. These parameters led to design decisions much different than llvmpipe.” – http://gallium.readthedocs.io/en/latest/drivers/openswr/faq.html#does-one-build-work-on-both-avx-and-avx2
* The CPU Intel i7-2670QM supports just AVX, but not AVX2.

It might be worth trying on a newer CPU, but I doubt it will perform well in games.

Regards,
Vít Šesták 'v6ak'
Re: [qubes-users] Re: USB Headset
On Monday, 3 April 2017 20:45:19 UTC+2, Stephan Marwedel wrote:
> I tried to configure my system like described below. I stopped the
> sys-usb VM and assigned the USB controller to which the headset is
> connected to the Windows HVM. When trying to start it the following
> error appears:
>
> --> Loading the VM (type = HVM)...
> Traceback (most recent call last):
>   File "/usr/bin/qvm-start", line 136, in <module>
>     main()
>   File "/usr/bin/qvm-start", line 120, in main
>     xid = vm.start(verbose=options.verbose,
> preparing_dvm=options.preparing_dvm, start_guid=not options.noguid,
> notify_function=tray_notify_generic if options.tray else None)
>   File "/usr/lib64/python2.7/site-packages/qubes/modules/01QubesHVm.py", line 335, in start
>     return super(QubesHVm, self).start(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py", line 1966, in start
>     self.libvirt_domain.createWithFlags(libvirt.VIR_DOMAIN_START_PAUSED)
>   File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1059, in createWithFlags
>     if ret == -1: raise libvirtError ('virDomainCreateWithFlags() failed', dom=self)
> libvirt.libvirtError: internal error: Unable to reset PCI device :00:14.0: no FLR, PM reset or bus reset available
>
> I tried to connect the headset to a different USB controller and assign
> that to the Windows HVM to no avail:
>
> --> Loading the VM (type = HVM)...
> Traceback (most recent call last):
>   File "/usr/bin/qvm-start", line 136, in <module>
>     main()
>   File "/usr/bin/qvm-start", line 120, in main
>     xid = vm.start(verbose=options.verbose,
> preparing_dvm=options.preparing_dvm, start_guid=not options.noguid,
> notify_function=tray_notify_generic if options.tray else None)
>   File "/usr/lib64/python2.7/site-packages/qubes/modules/01QubesHVm.py", line 335, in start
>     return super(QubesHVm, self).start(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py", line 1958, in start
>     nd.dettach()
>   File "/usr/lib64/python2.7/site-packages/libvirt.py", line 5249, in dettach
>     if ret == -1: raise libvirtError ('virNodeDeviceDettach() failed')
> libvirt.libvirtError: Requested operation is not valid: PCI device :00:1d.0 is in use by driver xenlight, domain AIB
>
> What did I miss in my configuration? I have VT-d and VT-x enabled (I'm on
> an i7-3520M CPU).
>
> On 04/02/2017 12:19 AM, Grzesiek Chodzicki wrote:
> > On Saturday, 1 April 2017 18:20:40 UTC+2, Stephan Marwedel wrote:
> >> Dear Qubes user community,
> >>
> >> I want to use a USB headset (Jabra Evolve) for the purpose of using my
> >> laptop as a replacement for a desktop phone. Is that possible with
> >> Qubes? If so, what are the settings I need to tweak for that?
> >>
> >> Can I use it also inside a Windows HVM to enable the use of proprietary
> >> conferencing software from Cisco? I have tried it using a Windows VM
> >> with VirtualBox on CentOS 7. That worked, although the audio quality is
> >> pretty bad. Do I need special settings for my Windows HVM in order to
> >> use the headset?
> >>
> >> Regards,
> >> Stephan
> >
> > I did a similar thing with my sound card that requires proprietary Windows
> > only drivers to operate.
> > First, check whether VT-d is available and enabled on your laptop with xl
> > dmesg|grep VT-d
> > Second, identify the number of available USB controllers with sudo
> > lspci|grep USB. If you have more than one controller, assign it to Windows
> > HVM.
> > Within Windows HVM install USB controller driver (if it's a USB 3.0 or
> > later) and then install drivers for the headset (if required).
> > I am able to use the soundcard in the Windows HVM with no problems so you
> > should too. Remember to enable VT-d in BIOS/UEFI first.
> >

Run qvm-pci -s sys-usb pci_strictreset false, then reboot the physical machine and try again.
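An added example (not code from the thread or from Qubes): the checks in Grzesiek's steps and the two qvm-start failures above, turned into small Python functions run over constructed xl dmesg, lspci and libvirt error text. The controller list is made up; the remediation strings restate what the thread says, and pci_strictreset is used as in the reply.

```python
import re

# Constructed samples shaped like the outputs the thread checks (not captured from a real host).
XL_DMESG = """\
(XEN) Intel VT-d iommu 0 supported page sizes: 4kB, 2MB, 1GB.
(XEN) Intel VT-d Snoop Control enabled.
(XEN) I/O virtualisation enabled
"""
LSPCI = """\
00:02.0 VGA compatible controller: Intel Corporation 3rd Gen Core processor Graphics Controller (rev 09)
00:14.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family USB xHCI Host Controller (rev 04)
00:1a.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family USB Enhanced Host Controller #2 (rev 04)
00:1d.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family USB Enhanced Host Controller #1 (rev 04)
"""
# The two libvirt errors from the thread, with the PCI domain prefix written out in full.
ERR_NO_RESET = ("libvirt.libvirtError: internal error: Unable to reset PCI device "
                "0000:00:14.0: no FLR, PM reset or bus reset available")
ERR_IN_USE = ("libvirt.libvirtError: Requested operation is not valid: PCI device "
              "0000:00:1d.0 is in use by driver xenlight, domain AIB")

def short_bdf(bdf):
    """libvirt prints 0000:00:14.0, lspci prints 00:14.0; compare in the short form."""
    return bdf[5:] if bdf.startswith("0000:") else bdf

def vtd_present(xl_dmesg):
    """Same test as `xl dmesg | grep VT-d`: any VT-d line means Xen found the IOMMU."""
    return any("VT-d" in line for line in xl_dmesg.splitlines())

def usb_controllers(lspci):
    """BDFs of all USB controllers, as `lspci | grep USB` would list them."""
    return [line.split()[0] for line in lspci.splitlines() if "USB controller" in line]

def diagnose(error):
    """Classify a qvm-start failure into the two cases seen in the thread."""
    m = re.search(r"PCI device (\S+): no FLR, PM reset or bus reset available", error)
    if m:
        # The controller offers no reset method; the reply's workaround disables strict reset.
        # The device then keeps its state across domain assignment, so reserve it for one VM.
        return {"cause": "no_reset", "bdf": short_bdf(m.group(1)),
                "fix": "qvm-pci -s <vm> pci_strictreset false, then reboot"}
    m = re.search(r"PCI device (\S+) is in use by driver \S+, domain (\S+)", error)
    if m:
        # Still attached to another domain; it must be freed before the HVM can take it.
        return {"cause": "in_use", "bdf": short_bdf(m.group(1)), "domain": m.group(2),
                "fix": f"detach {short_bdf(m.group(1))} from domain {m.group(2)} first"}
    return {"cause": "unknown", "fix": "read the full traceback"}

def free_controllers(lspci, attached):
    """Controllers not assigned to any running domain; `attached` maps short BDF -> domain."""
    return [bdf for bdf in usb_controllers(lspci) if bdf not in attached]
```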
Re: [qubes-users] Re: USB Headset
I tried to configure my system like described below. I stopped the sys-usb VM and assigned the USB controller to which the headset is connected to the Windows HVM. When trying to start it the following error appears:

--> Loading the VM (type = HVM)...
Traceback (most recent call last):
  File "/usr/bin/qvm-start", line 136, in <module>
    main()
  File "/usr/bin/qvm-start", line 120, in main
    xid = vm.start(verbose=options.verbose,
preparing_dvm=options.preparing_dvm, start_guid=not options.noguid,
notify_function=tray_notify_generic if options.tray else None)
  File "/usr/lib64/python2.7/site-packages/qubes/modules/01QubesHVm.py", line 335, in start
    return super(QubesHVm, self).start(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py", line 1966, in start
    self.libvirt_domain.createWithFlags(libvirt.VIR_DOMAIN_START_PAUSED)
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 1059, in createWithFlags
    if ret == -1: raise libvirtError ('virDomainCreateWithFlags() failed', dom=self)
libvirt.libvirtError: internal error: Unable to reset PCI device :00:14.0: no FLR, PM reset or bus reset available

I tried to connect the headset to a different USB controller and assign that to the Windows HVM to no avail:

--> Loading the VM (type = HVM)...
Traceback (most recent call last):
  File "/usr/bin/qvm-start", line 136, in <module>
    main()
  File "/usr/bin/qvm-start", line 120, in main
    xid = vm.start(verbose=options.verbose,
preparing_dvm=options.preparing_dvm, start_guid=not options.noguid,
notify_function=tray_notify_generic if options.tray else None)
  File "/usr/lib64/python2.7/site-packages/qubes/modules/01QubesHVm.py", line 335, in start
    return super(QubesHVm, self).start(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/qubes/modules/000QubesVm.py", line 1958, in start
    nd.dettach()
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 5249, in dettach
    if ret == -1: raise libvirtError ('virNodeDeviceDettach() failed')
libvirt.libvirtError: Requested operation is not valid: PCI device :00:1d.0 is in use by driver xenlight, domain AIB

What did I miss in my configuration? I have VT-d and VT-x enabled (I'm on an i7-3520M CPU).

On 04/02/2017 12:19 AM, Grzesiek Chodzicki wrote:
> On Saturday, 1 April 2017 18:20:40 UTC+2, Stephan Marwedel wrote:
>> Dear Qubes user community,
>>
>> I want to use a USB headset (Jabra Evolve) for the purpose of using my laptop as a replacement for a desktop phone. Is that possible with Qubes? If so, what are the settings I need to tweak for that?
>>
>> Can I use it also inside a Windows HVM to enable the use of proprietary conferencing software from Cisco? I have tried it using a Windows VM with VirtualBox on CentOS 7. That worked, although the audio quality is pretty bad. Do I need special settings for my Windows HVM in order to use the headset?
>>
>> Regards,
>> Stephan
>
> I did a similar thing with my sound card that requires proprietary Windows only drivers to operate.
> First, check whether VT-d is available and enabled on your laptop with xl dmesg|grep VT-d
> Second, identify the number of available USB controllers with sudo lspci|grep USB. If you have more than one controller, assign it to Windows HVM.
> Within Windows HVM install USB controller driver (if it's a USB 3.0 or later) and then install drivers for the headset (if required).
> I am able to use the soundcard in the Windows HVM with no problems so you should too. Remember to enable VT-d in BIOS/UEFI first.
Re: [qubes-users] Backup Error
> Likely the filesystem (FAT?) on the destination cannot handle files over
> a certain size. You may want to reformat it with a native Linux fs like
> Ext4.
>
> --
>
> Chris Laprise, tas...@openmailbox.org
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

That was indeed the issue, thanks for the insight and suggestion!
Re: [qubes-users] Backup Error
On Friday, March 17, 2017 at 3:31:37 PM UTC-4, Chris Laprise wrote:
> On 03/17/2017 02:55 PM, jimmy.dack...@gmail.com wrote:
> > I'm trying out the backup feature in Qubes but getting an error.
> >
> > I'm trying to save VMs totaling 22.4GB in size on a USB stick with 63GB
> > free.
> >
> > At 19% progress I get:
> > "[Dom0] Backup error!
> > ERROR: Failed to write the backup, VM output: cat: write error: File too
> > large."
> >
> > Is there a maximum file size for backups? A RAM limitation (I have 8GB RAM
> > and when I do the backup about 6GB is free)? Something else I'm not
> > thinking of?
> >
> > I am able to do a small backup, such as just Dom0 itself.
> >
> > Also a general question about backups: if I do a backup and then restore,
> > will it add what I backed up to what is already on the system? Or
> > completely overwrite everything? For example, if I have 10 VMs and backup
> > 3, then restore the 3, will it just overwrite those three and leave the
> > other 7 alone? Or will I only have those 3 and the other 7 are wiped out?
> >
>
> Likely the filesystem (FAT?) on the destination cannot handle files over
> a certain size. You may want to reformat it with a native Linux fs like
> Ext4.
>
> --
>
> Chris Laprise, tas...@openmailbox.org
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

That was indeed the issue, thanks for the insight!