Re: [qubes-users] Spilt-GPG help - 3.2

2018-03-25 Thread Chris Laprise

On 03/25/2018 07:58 PM, vel...@tutamail.com wrote:

> I love Qubes! Kudos to those developing and helping on this forum...I am sure
> others would agree that the effort is greatly appreciated.
>
> I am hoping I can get some help with "split-GPG" setup and signing emails. Some
> notes and questions about my configuration:
>
> * I plan to use Thunderbird.
>
> * I have since created a new vault from default during installation - I have some files
> in this vault, documents, some passwords...I consider this non-networked VM my
> "vault", although I am just getting into certificates for email signing and
> email encryption.
> - Should I use this VM for my certificates (or a dedicated certificate VM) or is
> it a big no?

Should be no problem with using vault for both gpg keys and passwords
(keepassx) and even small lists that you create in that vm. The only
files you should import from other vms into vault are gpg keys.

> * I found a good tutorial on creating certificates using GnuPG with QubesOS:
> https://apapadop.wordpress.com/2013/08/21/using-gnupg-with-qubesos/
> ( a little dated but did create test certificates...thanks Apapadop!)
>
> * I followed the steps in this Qubes-OS wiki:
> https://www.qubes-os.org/doc/split-gpg/ , however I get lost here:
>
> Setting up the GPG backend domain
>
> Make sure the gpg is installed there and there are some private keys in the
> keyring, e.g.:
>
> [user@work-gpg ~]$ gpg -K
> /home/user/.gnupg/secring.gpg
> -----------------------------
> sec   4096R/3F48CB21 2012-11-15
> uid  Qubes OS Security Team
> ssb   4096R/30498E2A 2012-11-15
> (...)
>
> How do I create this file: /home/user/.gnupg/secring.gpg ?
> Where do I keep my certificates in the "vault"? What commands or folders do I
> need to create?

The gpg -K command is just a way to look at your keyring. The keyring is
created automatically whenever you generate new keys or import existing
ones.

> I tried finding more basic instructions but my "Googling" had no luck...how do I put
> private keys in my "vault" keyring and use Thunderbird in a separate, dedicated VM to
> sign and encrypt my emails utilizing split GPG?
>
> Excuse me if this has already been answered or clarified in another post I
> couldn't find.
>
> Gratefully,
> V

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9c6bc302-858e-87e6-3e41-6fce4b503860%40posteo.net.
For more options, visit https://groups.google.com/d/optout.
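
The keyring behaviour described in the reply above, as an added example that is not part of the thread or of the Qubes documentation: it counts the secret keys in a keyring before anything exists, after generating a key, and after importing that key into a second, empty keyring. The scratch GNUPGHOME directories, the constructed identity and the empty passphrase are assumptions made so it runs non-interactively; it needs GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example, not from the thread or the Qubes docs.
# Assumptions: GnuPG 2.1+, scratch keyring directories, a constructed identity,
# and an empty passphrase (only so the demo needs no pinentry prompt).

# Number of primary secret keys in the keyring directory $1.
secret_key_count() {
    GNUPGHOME=$1 gpg --batch --list-secret-keys --with-colons 2>/dev/null \
        | grep -c '^sec:' || true
}

# Generate a primary key plus encryption subkey in the keyring directory $1.
generate_key() {
    GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Constructed User <user@example.invalid>' \
        default default 1d 2>/dev/null
}

# Prints three counts: fresh keyring, after generating, after importing.
demo() {
    src=$(mktemp -d) || return 1      # stands in for wherever the key exists today
    vault=$(mktemp -d) || return 1    # stands in for the keyring in the vault qube

    empty=$(secret_key_count "$vault")        # nothing generated or imported yet

    generate_key "$src" || return 1           # gpg creates the keyring files itself
    generated=$(secret_key_count "$src")

    # Export the secret key to a file, then import it into the empty keyring.
    # On Qubes the file would be moved between qubes with qvm-copy-to-vm.
    GNUPGHOME=$src gpg --batch --pinentry-mode loopback --passphrase '' \
        --armor --export-secret-keys > "$src/secret.asc" 2>/dev/null || return 1
    GNUPGHOME=$vault gpg --batch --quiet --import "$src/secret.asc" \
        2>/dev/null || return 1
    imported=$(secret_key_count "$vault")

    # Stop the agents started for the scratch keyrings and remove the key material.
    for h in "$src" "$vault"; do
        GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$src" "$vault"

    echo "$empty $generated $imported"
}

# Run the demo only when asked to, e.g.: sh keyring-demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

In a split-GPG setup the generate or import step is run inside the backend (vault) qube; the mail qube then reaches that keyring through `qubes-gpg-client`, as described in the Qubes doc linked in the question.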


Re: [qubes-users] Enhancing Template security?

2018-03-25 Thread Chris Laprise

On 03/25/2018 08:14 PM, vel...@tutamail.com wrote:

> I am trying to harden my Fedora and Debian templates and was hoping for some
> basic help and commands to do the following:
>
> How would I enable sudo authentication in a Template?

There are two ways to do this now:

1. Follow this Qubes doc to get the yes/no auth prompts for sudo:

https://www.qubes-os.org/doc/vm-sudo/#replacing-password-less-root-access-with-dom0-user-prompt

2. Remove the 'qubes-core-agent-passwordless-root' package.

This second way means that sudo no longer works for a normal user.
Instead, any root access in the VM must be done from dom0 with a command
like 'qvm-run -u root vmname command'.

I like the first method better because I'm used to sudo.

> How would I add a service like Qubes-VM-hardening ?

https://github.com/tasket/Qubes-VM-hardening/tree/systemd

The instructions are pretty vague - I should rewrite them soon. For now
the version in the 'systemd' branch (linked above) is much more robust.
You start by copying the two files (as root/sudo) to:

/lib/systemd/system/vm-sudo-protect.service
/usr/lib/qubes/init/vm-sudo-protect.sh

After you copy them set execute bit and enable the service:
$ sudo chmod +x /usr/lib/qubes/init/vm-sudo-protect.sh
$ sudo systemctl daemon-reload
$ sudo systemctl enable vm-sudo-protect.service

The final step is adding either 'vm-sudo-protect' or
'vm-sudo-protect-root' as a Qubes service to each VM you want to
protect. (Qubes services are added in the VM settings window on the
Services tab.) The latter offers the most protection because it prevents
rootkits from running when your VM starts.

> Should I enable AppArmor in a template and VM?

You can try but depending on how fresh/accurate the AppArmor profiles
are, it may prevent some of your apps from running properly. A long time
ago I created a custom profile for Firefox with limited success but I
doubt it works with FF 57+.

AppArmor was supposed to be a way to pre-package security profiles along
with apps. But it didn't work out that way and so users were left to
themselves to guess what settings required changes in an app's profile
whenever an app had an update.

IIRC there is a GUI app called 'firejail' that can limit Firefox and
other apps in a similar way. If they are more focused on keeping their
limited repertoire of apps correctly profiled then it may work better
than AppArmor.

Also, Whonix keeps AppArmor profiles of Torbrowser, etc. but I don't
think they enable it by default.

> Any other hardening best practices?

Some people prefer to start with minimal templates as a form of
'hardening'. FWIW the regular Debian template is slightly less 'minimal'
than Fedora-minimal.

Overall I recommend Debian 9 because (like almost all other distros) it
has a more secure update configuration than Fedora. That's because
Fedora doesn't know if an attacker is trying to hold back some packages
from being updated. So just switching to Debian is a type of hardening.

There are other options that try to harden the VM kernels by patching
them. My take on this is they're fraught with controversy, left
unmaintained and/or difficult to install. At this point I don't think
it's worth it even for most Qubes users, and it may be better to wait for
these features to be incorporated into the main kernel.

You can also research 'unikernels' on Qubes as a way to harden the
firewall. (Again, may not be worth it for most people at this point.)

Other ways to increase safety include subscribing to a reputable VPN
service and setting up a VPN qube, and/or using Whonix with onion sites, and
also adding safety-oriented extensions to your web browser. In Firefox I
recommend uBlock Origin and HTTPS Everywhere.

> Thank you in advance...I am hoping these are easy for the layperson!
>
> V

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
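
A post-install check for the Qubes-VM-hardening steps in the reply above, as an added example that is not part of the thread or of the Qubes-VM-hardening project. The `ROOT` and `OWNER` parameters and the function names are made up for this sketch; `/var/run/qubes-service/` is the directory where Qubes places a flag file for each service enabled for the VM.

```shell
#!/bin/sh
# Added example, not from the Qubes-VM-hardening project.
# Checks that the two files named in the post landed where the post says,
# that only their owner can modify them, and which Qubes service is enabled.
# ROOT (path prefix) and OWNER (expected owner) are parameters of this sketch.

UNIT=/lib/systemd/system/vm-sudo-protect.service
SCRIPT=/usr/lib/qubes/init/vm-sudo-protect.sh

# Succeeds when file $1 exists, belongs to user $2 and has no group/other
# write bit. A boot-time root script writable by a normal user would undo
# the protection it is meant to provide.
file_is_locked_down() {
    f=$1; owner=$2
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ "$(stat -c %U "$f")" = "$owner" ] || { echo "wrong owner: $f"; return 1; }
    mode=$(stat -c %a "$f")
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "group/other writable ($mode): $f"; return 1; }
}

# check_hardening_install [ROOT] [OWNER]
# Returns 0 only if every check passes; prints one line per problem found.
check_hardening_install() {
    root=${1:-}; owner=${2:-root}; rc=0
    file_is_locked_down "$root$UNIT" "$owner" || rc=1
    file_is_locked_down "$root$SCRIPT" "$owner" || rc=1
    if [ -f "$root$SCRIPT" ] && [ ! -x "$root$SCRIPT" ]; then
        echo "not executable: $root$SCRIPT"; rc=1
    fi
    # Ask systemd only when checking the live system, not a scratch tree.
    if [ -z "$root" ] && command -v systemctl >/dev/null 2>&1; then
        systemctl is-enabled --quiet vm-sudo-protect.service \
            || { echo "service not enabled"; rc=1; }
    fi
    return $rc
}

# protection_level [ROOT]
# Prints which of the two Qubes services from the post is enabled for this VM,
# preferring the stronger one, or "none".
protection_level() {
    root=${1:-}
    for s in vm-sudo-protect-root vm-sudo-protect; do
        if [ -e "$root/var/run/qubes-service/$s" ]; then
            echo "$s"; return 0
        fi
    done
    echo none
}

# Run against the live system only when asked to, e.g.: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_hardening_install && echo "files OK"
    echo "qubes service: $(protection_level)"
fi
```

Run the file checks in the template after copying the files; run `protection_level` in an AppVM after adding the service in its settings, since the flag file is per-VM.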



Re: [qubes-users] Is Template concept unique to Qubes?

2018-03-25 Thread Zrubi

On 03/26/2018 05:08 AM, franco.g...@tutamail.com wrote:
> Security considerations aside, it's so convenient having shared
> root filesystems that can be updated once for multiple child-VMs.
> Is this feature unique to Qubes or is something like this often
> replicated when using other hypervisor systems?

VMware uses a similar solution for handling snapshots and
non-persistent disk images. VMware VDI also uses this for
provisioning new (disposable) desktops.

Don't know about the others.



-- 
Zrubi


Re: [qubes-users] Partitioning Scheme

2018-03-25 Thread sevas
On Sunday, March 25, 2018 at 7:20:29 AM UTC-4, awokd wrote:
> On Sun, March 25, 2018 3:07 am, sevas wrote:

> > I had qubes installed without it. I wanted to install android. Android
> > didn't recognize the virtual machines. So, I plugged in a 2nd disk. I was
> > able to qvm-pci attach my SSD. Android recognized it and was able to
> > install.
> 
> I'm surprised this actually worked without trouble!

lol!

 
> The options I see for you are:
> 
> A) Go back to 3.2 with the emulated disk controller Android can detect
> (see https://github.com/QubesOS/qubes-issues/issues/3651).

Not a chance!
 
> B) Wait for someone to add a feature to 4.0/4.1 to change the emulated
> disk controller type per VM (or find out if there is a more direct means
> to change it). This would let you add both your drives to the same LVM
> pool and encryption, and use regular drive images for your HVM.
> 
> C) Dedicate and passthrough the single SSD only for your Android HVM
> without encryption etc.

I'm now thinking about doing this with an SD card. Do you think that would work?
Well, I'm going to test it tomorrow.


> I'm not exactly sure I follow what you've done to this point, so that
> might be the safest approach. Fdisk the SSD (assuming there's nothing you
> need to keep on it), shutdown your computer, physically disconnect/remove
> the SSD, power on and reinstall Qubes if needed. Then power back down and
> reattach it. You can then use it with one of the above options. If option
> B, suggest manually setting up cryptsetup on it with the same password and
> then a separate LVM pool.

I could encrypt it from within qubes and decrypt it before use with VM, right?
Qubes manages encryption and android is none the wiser. 

-With Qubes on 2 drives: 
--I've tried trimfs and
--allow-discard on root and luks
--shrinking the pool= no info on google about this
--qvm-create BIGVM && dd if=/dev/random of=/BIGFILE.img count=250GB && 
qvm-remove BIGVM >>shrink pool
no cigar

>>I'm not exactly sure I follow what you've done to this point,

PVcreate: Qubes installation with one m.2 only. 
Added SSD later. 
$ sudo pvcreate /dev/sdb
#Error device not found (or ignored by filtering)

Am I supposed to use $ sudo pvcreate /dev/sdb1 ?
I wanted to PV the entire device and not just the partition(s). 

$ nano /etc/lvm/lvm.conf
>#global-filtering = [devices] #No change.
>global-filtering = [sdb] #did not fix.
>global-filtering = [devices] #did not fix, of course. 'devices' is just 
>generic for 'add your device here'. But I un-commented it anyway. And 
>restarted. 

I'm pretty sure I'm just misunderstanding the pvcreate tool. I will read up on
the correct methods tomorrow too. But some people were using 'global-filtering=sdb'
and they could suddenly 'pvcreate sdb' device without partition without errors.



[qubes-users] Re: Enhancing Template security?

2018-03-25 Thread sevas
On Sunday, March 25, 2018 at 8:14:12 PM UTC-4, vel...@tutamail.com wrote:
> I am trying to harden my Fedora and Debian templates and was hoping for some 
> basic help and commands to do the following:

> How would I add a service like Qubes-VM-hardening ?
Look at Tresnor.
> Should I enable AppArmor in a template and VM?
One or the other, I think... 



[qubes-users] Re: Spilt-GPG help - 3.2

2018-03-25 Thread sevas
I recommend a dedicated vm (not your vault). I also recommend installing kgpg.
That's all I have.



[qubes-users] Is Template concept unique to Qubes?

2018-03-25 Thread franco.gary
Security considerations aside, it's so convenient having shared root 
filesystems that can be updated once for multiple child-VMs.  Is this feature 
unique to Qubes or is something like this often replicated when using other 
hypervisor systems?

Specifically, I want to run a **not**-secure bleeding edge testbox that has gpu 
acceleration in dom0. (Example: archlinux + KVM). I know thin-provisioning 
(COW?) will allow one copy of OS on the filesystem to be re-used but is it 
possible to base multiple VM's on a single template like Qubes? Thanks for 
reading.



[qubes-users] Enhancing Template security?

2018-03-25 Thread velcro
I am trying to harden my Fedora and Debian templates and was hoping for some 
basic help and commands to do the following:

How would I enable sudo authentication in a Template?

How would I add a service like Qubes-VM-hardening ?

Should I enable AppArmor in a template and VM?

Any other hardening best practices?

Thank you in advance...I am hoping these are easy for the layperson!

V
 



[qubes-users] Spilt-GPG help - 3.2

2018-03-25 Thread velcro
I love Qubes! Kudos to those developing and helping on this forum...I am sure 
others would agree that the effort is greatly appreciated.

I am hoping I can get some help with "split-GPG" setup and signing emails. Some 
notes and questions about my configuration:

* I plan to use Thunderbird.

* I have since created a new vault from default during installation - I have 
some files in this vault, documents, some passwords...I consider this 
non-networked VM my "vault", although I am just getting into certificates for 
email signing and email encryption. 
- Should I use this VM for my certificates (or a dedicated certificate VM) or is 
it a big no?

* I found a good tutorial on creating certificates using GnuPG with QubesOS: 
https://apapadop.wordpress.com/2013/08/21/using-gnupg-with-qubesos/
( a little dated but did create test certificates...thanks Apapadop!)

* I followed the steps in this Qubes-OS wiki: 
https://www.qubes-os.org/doc/split-gpg/ , however I get lost here:

Setting up the GPG backend domain

Make sure the gpg is installed there and there are some private keys in the 
keyring, e.g.:

[user@work-gpg ~]$ gpg -K
/home/user/.gnupg/secring.gpg
-----------------------------
sec   4096R/3F48CB21 2012-11-15
uid  Qubes OS Security Team 
ssb   4096R/30498E2A 2012-11-15
(...)

How do I create this file: /home/user/.gnupg/secring.gpg ?
Where do I keep my certificates in the "vault"? What commands or folders do I 
need to create?

I tried finding more basic instructions but my "Googling" had no luck...how do 
I put private keys in my "vault" keyring and use Thunderbird in a separate, 
dedicated VM to sign and encrypt my emails utilizing split GPG?

Excuse me if this has already been answered or clarified in another post I 
couldn't find.

Gratefully,
V



Re: [qubes-users] Re: [Q4-rc5] Blank screen on boot after installation on Lenovo

2018-03-25 Thread 'awokd' via qubes-users
On Sun, March 25, 2018 10:24 pm, gluv...@gmail.com wrote:
> On Sunday, March 25, 2018 at 4:29:40 AM UTC-7, awokd wrote:
>
>> Did you try step #11 under
>> https://www.qubes-os.org/doc/uefi-troubleshooting/#cannot-start-installation-installation-completes-successfully-but-then-bios-loops-at-boot-device-selection-hangs-at-four-penguins-after-choosing-test-media-and-install-qubes-os-in-grub-menu
>> ? If it didn't help, you could also try to reinstall in legacy mode.
>
> Thanks @awokd! That also worked! Now UEFI also works. :)

Thanks for reporting back! Unfortunately, there are a lot of buggy UEFI
implementations out there so it's good to know this work-around can still
help in some cases under 4.0.



Re: [qubes-users] Re: [Q4-rc5] Blank screen on boot after installation on Lenovo

2018-03-25 Thread gluvfox
On Sunday, March 25, 2018 at 4:29:40 AM UTC-7, awokd wrote:
> Did you try step #11 under
> https://www.qubes-os.org/doc/uefi-troubleshooting/#cannot-start-installation-installation-completes-successfully-but-then-bios-loops-at-boot-device-selection-hangs-at-four-penguins-after-choosing-test-media-and-install-qubes-os-in-grub-menu
> ? If it didn't help, you could also try to reinstall in legacy mode.

Thanks @awokd! That also worked! Now UEFI also works. :) 



Re: [qubes-users] can't download qubes 4.0 how to raise 4.3gb download limit.

2018-03-25 Thread cooloutac
A lot of people use whonix as their updatevm now.  But those that are right now 
are having weird problems as I'm sure you've noticed.  I never trusted Tor,  
Joanna used to not use it much either...  Privacy and security are two diff 
things.

But if that's the only way they could get to us,  then that says a lot for how 
secure Qubes is.



Re: [qubes-users] can't download qubes 4.0 how to raise 4.3gb download limit.

2018-03-25 Thread cooloutac
The reason I think it happened is because first there was a failed update.  
Then had to update it a second time.

Then all of us regular posters at the time were posting and we all had the same 
anomalies and bugs going on.  A lot of weird things going wrong with the system. 
 Even on Andrew Wong's machine.

But hey man.  Qubes protected me for 2 years before that and that's a record in 
my book.  My windows machine gets compromised in a month.  And my linux 
machines usually in one day lol.

Just hunches  :),  always loved how Joanna is one of the few to admit that's all 
we ever got.

Oh,  she also came out with idea of paranoid recovery mode after the whole 
fiasco.



Re: [qubes-users] can't download qubes 4.0 how to raise 4.3gb download limit.

2018-03-25 Thread cooloutac

If they are focusing on gpu passthrough, for wider adoption,   their focus 
isn't on security.   It's also silly and ironic that 4.0 is way less user 
friendly than 3.2.

There are many statements from Joanna about secure boot and ME in general, and 
closed source code in general.  Which means they will never use secure boot.  
Disappointing, because IMO it's pretty necessary even for a reasonably secure 
machine.

Hey man, like I said.  A lot of us were already compromised by a bad dom0 
update.  I don't remember you posting during that time so maybe your machine is 
ok.  And it came from them unintentionally, or fedora repos,  who knows.  I 
could be wrong though,  of course I have no proof.  Just a paranoid hunch.

Intel patched ME for backdoors that have been in their machines for 8 years a 
week after that.  It was during a time when there was friction between Subgraph 
and Qubes,  and when spender was having nervous breakdowns and who already 
basically threatened Joanna in the past with such an attack.  If you want to 
talk about rude vindictive losers,  look no further then spender and the 
subgraph dev Xsmurf aka Bruce Leidl.   That guy is nuts and gives me the 
creeps. Super vindictive.  And whats so crazy about them is David Mirza Amahd 
is such a nice friendly guy I don't think he even has any idea what goes on 
underneath his nose.   Which also makes them kind of fake and all marketing 
hype.   Laughed when him and the rapist Applebaum, who i could never stand,  
cringed at Joannas comments at the LoganCIJ6 panel.  Because her comments were 
so brutally honest and I guess they just wanted her to be the typical 
salesperson.  She actually looked depressed.  She used to work for the nsa so 
maybe they have approached her and that upset her,  maybe they also target us.
 
But hey i'm just crazy so don't mind me lmao...



Re: [qubes-users] update from rc04

2018-03-25 Thread 'awokd' via qubes-users
On Sun, March 25, 2018 6:17 pm, Roy Bernat wrote:
> Hi all
>
>
>
> should I install the new version or can update from rc04

Either should work. If you aren't sure, they always say in the release
notes too.



[qubes-users] Re: [Q4-rc5] Blank screen on boot after installation on Lenovo

2018-03-25 Thread gluvfox
After setting UEFI/Legacy Boot to "Legacy Only" and Boot Priority to "Legacy 
First", I was able to complete the installation and setup process. Qubes is now 
running, although with a bunch of errors.

I'm going to experiment to see if I can get it working with UEFI. I'll try 
@awokd's advice and post my results.

Also, in case it's relevant, the system is using a Samsung 860EVO 500GB SSD.



[qubes-users] update from rc04

2018-03-25 Thread Roy Bernat
Hi all 
 

should I install the new version or can update from rc04

R



[qubes-users] Re: Macbook Pro - Broadcom WLAN adapter BCM43602 causing freezing under Qubes OS 4.0 rc5

2018-03-25 Thread q120248681
On Sunday, March 25, 2018 at 7:54:49 AM UTC+8, Greg wrote:
> > Hi, hopes I'm not bothering you and thanks for your tips I finally got 
> > Qubes running on my MBP. However, I can't get the wifi card working using 
> > methods you discussed above, after running "sudo xl pci-attach sys-net 
> > '02:00.0,permissive=1'" (02:00.0 is the network controller pci address), 
> > sys-net still don't have the network controller attached and using "qvm-pci 
> > attach" still cause the system to freeze, how do you finish the attach 
> > phase?
> 
> I now do the following to attach the BCM43602 to sys-net: 
> I disabled "Start qube automatically on boot" for sys-net and sys-firewall in 
> the qubes manager. I now manually start sys-net using "qvm-start sys-net" and 
> immediately after executing that command (well about 2 seconds later) I 
> execute "sudo xl pci-attach sys-net '03:00.0,permissive=1'" to attach the 
> device to sys-net while it is still starting up. It seems that I have to 
> attach the device to sys-net before it has fully booted, because if I attach 
> it too late it doesn't seem to be detected by the VM.
> 
> Note that my particular BCM43602 has a PCI ID of 14e4:43ba which is supported 
> by the brcmfmac driver. Your particular device might need another driver (I 
> can't help with that I'm afraid).

That was...tricky, I'll have a try, hope to be successful.



Re: [qubes-users] power9 and qubes os

2018-03-25 Thread Thierry Laurion
On Sunday, June 25, 2017 at 08:09:04 UTC-4, tai...@gmx.com wrote:
> On 06/24/2017 08:16 PM, Johnysecured88 wrote:
> 
> > Are you a developer?
> No.
> > Can we get input from a developer on this issue?
> You should email the community liaison, as it is definitely a question 
> worth asking.
> a...@qubes-os.org
> If you want a supported build done by them you would probably have to 
> provide the funds for a new/used recent POWER system.

Xen doesn't support Power9 for the moment.
Qubes still depends on Xen for compartmentalization.



[qubes-users] Re: Lenovo G505s A10-5750m / qubes 4.0rc5 / Unsupported Hardware Detected

2018-03-25 Thread caropelin91
> You upgraded to the factory BIOS 3.00 and it is overheating in Qubes 4rc5
> and locking up the computer?

I have never been able to successfully install Qubes 4rc5, 4rc1.
end installation> reboot> black screen!
(and for the 4rc5 I had the unsupported hardware message, not on 4rc1)

> Coreboot might fix the problems you are having with your current laptop.
> You can flash it back to the factory BIOS if it does not.

I also think that coreboot could fix the problem (I feel that the bios is buggy)
but I must give back the G505s quickly, after that will not be possible, I do 
not take the risk of finding myself with a problem on this PC.
I will order the material in advance (soic 8 and CH341A), when I find a new PC 
G505s, I already have the hardware to flash in coreboot quickly, I could see if 
everything goes well with qubes.
Another person told me that this PC sometimes has problems with overheating, it 
seems common.

> Look forward to hearing back from you!

Yes of course.
I would always have an eye on the forum.
you would not get rid of me so easily!
:)

> P.S. Did you check your spam folder for my emails?

I was in spam, nothing at all ...
(except for the mails of the forum)



Re: [qubes-users] Re: [Q4-rc5] Blank screen on boot after installation on Lenovo

2018-03-25 Thread 'awokd' via qubes-users
On Sun, March 25, 2018 9:15 am, berto0...@gmail.com wrote:
> I'm having the same issue on a Thinkpad X230 with the latest Lenovo BIOS
> (2.71). Installation went fine, XEN is booting and throwing many lines
> without any obvious errors (please let me know how to obtain that log as
> text if possible, else I have an actual photo of the screen), then the
> screen is going black.
>
> This is my XEN.cfg:
>
>
> [global]
> default=4.14.18-1.pvops.qubes.x86_64
>
> [4.14.18-1.pvops.qubes.x86_64]
> options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx
> kernel=vmlinuz-4.14.18-1.pvops.qubes.x86_64 root=/dev/mapper/qubes_dom0-root rd.luks.uuid=luks-8dd628c2-8acf-4452-8935-b580856aeed6 rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap i915.alpha_support=1 rhgb quiet
> ramdisk=initramfs-4.14.18-1.pvops.qubes.x86_64.img
>
> [4.14.18-1.pvops.qubes.x86_64]
> options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx
> kernel=vmlinuz-4.14.18-1.pvops.qubes.x86_64 root=/dev/mapper/qubes_dom0-root rd.luks.uuid=luks-8dd628c2-8acf-4452-8935-b580856aeed6 rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap i915.alpha_support=1 rhgb quiet
> ramdisk=initramfs-4.14.18-1.pvops.qubes.x86_64.img

Did you try step #11 under
https://www.qubes-os.org/doc/uefi-troubleshooting/#cannot-start-installation-installation-completes-successfully-but-then-bios-loops-at-boot-device-selection-hangs-at-four-penguins-after-choosing-test-media-and-install-qubes-os-in-grub-menu
? If it didn't help, you could also try to reinstall in legacy mode.



Re: [qubes-users] Re: Lenovo G505s A10-5750m / qubes 4.0rc5 / Unsupported Hardware Detected

2018-03-25 Thread 'awokd' via qubes-users
On Sun, March 25, 2018 10:33 am, caropeli...@gmail.com wrote:
> I think my PC has a problem, it heats a lot too much, I will make it
> (maybe the cause of my concern, CPU that would put itself in security,
> although I also ask the question of bios).

You upgraded to the factory BIOS 3.00 and it is overheating in Qubes 4rc5
and locking up the computer?

> I will still look for another
> G505s and I will still order in advance the material (soic 8 and CH341A).

Coreboot might fix the problems you are having with your current laptop.
You can flash it back to the factory BIOS if it does not.

>  Thank you very much to AWORD and the other intervener for their help.
> I will go back to share some that I would have a new PC.

Look forward to hearing back from you!

P.S. Did you check your spam folder for my emails?



Re: [qubes-users] Partitioning Scheme

2018-03-25 Thread 'awokd' via qubes-users
On Sun, March 25, 2018 3:07 am, sevas wrote:

> Here's what I'm trying to do.
>
>
> I had qubes installed without it. I wanted to install android. Android
> didn't recognize the virtual machines. So, I plugged in a 2nd disk. I was
> able to qvm-pci attach my SSD. Android recognized it and was able to
> install.

I'm surprised this actually worked without trouble!

> However, my disk was not encrypted and I wanted to move it into the qubes
> LVM
> so it would be encrypted and then pci attach it.

You can't do this. Encryption and volume management are handled in dom0.
By PCI attaching it to a VM, you are effectively unplugging it from dom0
which means it can no longer manage or decrypt the drive, and I can see
why a surprise removal of it would crash your computer if you had it set
up for that.

The options I see for you are:

A) Go back to 3.2 with the emulated disk controller Android can detect
(see https://github.com/QubesOS/qubes-issues/issues/3651).

B) Wait for someone to add a feature to 4.0/4.1 to change the emulated
disk controller type per VM (or find out if there is a more direct means
to change it). This would let you add both your drives to the same LVM
pool and encryption, and use regular drive images for your HVM.

C) Dedicate and passthrough the single SSD only for your Android HVM
without encryption etc.

> My idea to fix this is one of two.
> Either figure out how to PVCreate /dev/sda which means reinstalling
> everything again.

I'm not exactly sure I follow what you've done to this point, so that
might be the safest approach. Fdisk the SSD (assuming there's nothing you
need to keep on it), shut down your computer, physically disconnect/remove
the SSD, power on and reinstall Qubes if needed. Then power back down and
reattach it. You can then use it with one of the above options. If option
B, suggest manually setting up cryptsetup on it with the same password and
then a separate LVM pool.


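The "cryptsetup, then a separate LVM pool" suggestion in the reply above, written out as an added example that is not part of the original message. The device path, the volume group, pool and mapping names, and the dry-run wrapper are assumptions; the commands are meant for dom0.

```shell
#!/bin/bash
# Added example (not from the thread): run in dom0. Device, volume group,
# pool and mapping names are assumptions. DRY_RUN=1 (default) only prints.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_second_pool() {
    dev="$1"; vg="${2:-qubes_ssd}"; pool="${3:-pool_ssd}"
    mapper="luks-ssd"    # hypothetical name for the opened LUKS mapping

    case "$dev" in
        /dev/*) ;;
        *) echo "refusing: '$dev' is not a /dev path" >&2; return 2 ;;
    esac
    # Never format a disk that has a mounted filesystem (e.g. the boot disk).
    if [ -r /proc/mounts ] && grep -q -- "^$dev" /proc/mounts; then
        echo "refusing: $dev is mounted" >&2; return 3
    fi

    # 1. Encrypt the whole disk. The key lives in dom0, so the disk must stay
    #    attached to dom0 rather than be passed through to a VM.
    run sudo cryptsetup luksFormat --verify-passphrase "$dev" || return 1
    run sudo cryptsetup open "$dev" "$mapper" || return 1
    # 2. Separate LVM volume group and thin pool on the opened mapping.
    run sudo pvcreate "/dev/mapper/$mapper" || return 1
    run sudo vgcreate "$vg" "/dev/mapper/$mapper" || return 1
    run sudo lvcreate -T -n "$pool" -l +100%FREE "$vg" || return 1
    # 3. Register the pool with Qubes (4.0 syntax) so qubes can be stored there.
    run qvm-pool --add "${pool}_${vg}" lvm_thin \
        -o "volume_group=$vg,thin_pool=$pool" || return 1
}

# With a device argument, print the plan (or execute it when DRY_RUN=0).
if [ "${1:-}" != "" ]; then setup_second_pool "$@"; fi
```

For the mapping to be opened at boot, the disk also needs an entry in dom0's /etc/crypttab.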


[qubes-users] Re: Lenovo G505s A10-5750m / qubes 4.0rc5 / Unsupported Hardware Detected

2018-03-25 Thread caropelin91
I think my PC has a problem, it heats a lot too much, I will make it (maybe the 
cause of my concern, CPU that would put itself in security, although I also ask 
the question of bios). I will still look for another G505s and I will still 
order in advance the material (soic 8 and CH341A).
Thank you very much to AWORD and the other intervener for their help.
I will go back to share some that I would have a new PC.



[qubes-users] Re: [Q4-rc5] Blank screen on boot after installation on Lenovo

2018-03-25 Thread berto00000001
I'm having the same issue on a Thinkpad X230 with the latest Lenovo BIOS 
(2.71). Installation went fine, XEN is booting and throwing many lines without 
any obvious errors (please let me know how to obtain that log as text if 
possible, else I have an actual photo of the screen), then the screen is going 
black.

This is my XEN.cfg:

[global]
default=4.14.18-1.pvops.qubes.x86_64

[4.14.18-1.pvops.qubes.x86_64]
options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx
kernel=vmlinuz-4.14.18-1.pvops.qubes.x86_64 root=/dev/mapper/qubes_dom0-root rd.luks.uuid=luks-8dd628c2-8acf-4452-8935-b580856aeed6 rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap i915.alpha_support=1 rhgb quiet
ramdisk=initramfs-4.14.18-1.pvops.qubes.x86_64.img

[4.14.18-1.pvops.qubes.x86_64]
options=loglvl=all dom0_mem=min:1024M dom0_mem=max:4096M iommu=no-igfx
kernel=vmlinuz-4.14.18-1.pvops.qubes.x86_64 root=/dev/mapper/qubes_dom0-root rd.luks.uuid=luks-8dd628c2-8acf-4452-8935-b580856aeed6 rd.lvm.lv=qubes_dom0/root rd.lvm.lv=qubes_dom0/swap i915.alpha_support=1 rhgb quiet
ramdisk=initramfs-4.14.18-1.pvops.qubes.x86_64.img


Any help is appreciated.



[qubes-users] Re: Partitioning Scheme

2018-03-25 Thread sevas
Red Hat says use vgreduce.
vgreduce says there's no space.
Ubuntu says enable discard on root.
Fedora says discard is dangerous to enable.
Qubes says there is no current solution.

Confucius says make qube and dd if=/dev/random and delete qube.

A liar said fallocate would allocate all the memory. 



[qubes-users] Yubikey for OTP password manager 2FA only ...with Q4.5 sys-usb please

2018-03-25 Thread anon
Hello, using Q4.5 I have been reading the various Yubikey howto 
problem-solving, but remain confused what to expect for my use of the 
Yubikey, which is, I believe, OTP for 2FA for LastPass.

On my desktop I have Q3.2 and no sys-usb, and I have NOT had to install 
any particular packages in dom0 or the Fed26 template etc.

In Q4.5 I do note the widget to attach the Yubikey to the AppVM 
(example: EmailVM), and I see it attached with lspci in the AppVM, 
using the widget, however it is nonfunctional.

Typically, the Yubikey at times asks you to detach and reattach it, 
which probably in hindsight is not a good idea, as after doing that the 
widget will no longer allow any detaching.

When I go into dom0 and do qvm-device attach email sys-usb:2-1.1, at 
current it is freezing and I can't Ctrl+C out of the command.

I have 8 GB RAM in an i7 Thinkpad here, and for some reason I can't even 
get sys-usb to launch a Terminal, guess I'll be rebooting, maybe an SSD 
in the future is going to make Q4.5 usable? (sorry, added some 
commentary here) :O

I believe at one point it told me the qubes usb proxy was not installed, 
then I went and tried to dnf install qubes proxy in the sys-usb and it 
said it *was* already installed.

I find sys-usb the most difficult aspect of Qubes use, on Q3.2 after 
locking myself out I gave up on sys-usb ... and don't feel for my 
purposes a huge worry re: security ... can I do the same in Q4 or 
... what do you suggest ...


