Re: [qubes-users] Re: desktop recommendations?

2018-04-06 Thread cooloutac
On Friday, April 6, 2018 at 9:27:11 PM UTC-4, Drew White wrote:
> On Saturday, 7 April 2018 10:41:13 UTC+10, Thierry Laurion  wrote:
> > You seem to have misunderstood. Ivy bridge and beyond on the Intel side 
> > will provide you with SLAT capabilities, IOMMU and virtualization, which is 
> > all that is required.  A x230 with 16gb ram and a i5 or i7 will provide you 
> > akk the power needed if you have an sad drive.
> 
> I only went on what I was told. I have Ivy Bridge, and they don't have SLAT.
> At least, they don't SAY they do.
> 
> Do they sometimes not say they have it even when they do?

what do you mean say how are you testing?

I'm about to go test on my ivybridge right now lol.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/cd20d15a-5f60-4351-8d5c-7fcf996e0789%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
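
One way to answer the "how are you testing?" question above, as an added example that is not part of the thread: a small check that reads the Xen boot log and reports the three features named in this discussion (virtualization, SLAT, IOMMU). It assumes it is run in dom0 as `xl dmesg | check_xen_hw`; the function name and the sample log lines are constructed for illustration, and the matched strings are the messages Xen writes to its boot log.

```shell
#!/bin/sh
# Added example (not from the thread). Reads a Xen boot log on stdin and
# reports virtualization, SLAT and IOMMU status.
# Assumed usage in dom0:  xl dmesg | check_xen_hw
check_xen_hw() {
    log=$(cat)
    virt=no slat=no iommu=no

    # Xen prints "HVM: VMX enabled" on Intel and "HVM: SVM enabled" on AMD.
    if printf '%s\n' "$log" | grep -Eq 'HVM: (VMX|SVM) enabled'; then
        virt=yes
    fi

    # SLAT (Intel EPT / AMD RVI) is what Xen calls HAP. Test the
    # "but disabled" form first, because it contains the shorter string.
    if printf '%s\n' "$log" | grep -Fq 'Hardware Assisted Paging (HAP) detected but disabled'; then
        slat=disabled
    elif printf '%s\n' "$log" | grep -Fq 'Hardware Assisted Paging (HAP) detected'; then
        slat=yes
    fi

    # IOMMU (Intel VT-d / AMD-Vi): present in the CPU but often switched
    # off in firmware setup, which Xen reports as "disabled".
    if printf '%s\n' "$log" | grep -Fq 'I/O virtualisation enabled'; then
        iommu=yes
    elif printf '%s\n' "$log" | grep -Fq 'I/O virtualisation disabled'; then
        iommu=disabled
    fi

    printf 'virtualization=%s slat=%s iommu=%s\n' "$virt" "$slat" "$iommu"
    # Succeed only when all three features are active.
    [ "$virt" = yes ] && [ "$slat" = yes ] && [ "$iommu" = yes ]
}

# Constructed sample lines in the style of `xl dmesg` output (not captured logs).
SAMPLE_ALL_PRESENT='(XEN) VMX: Supported advanced features:
(XEN)  - Extended Page Tables (EPT)
(XEN) HVM: VMX enabled
(XEN) HVM: Hardware Assisted Paging (HAP) detected
(XEN) I/O virtualisation enabled'

SAMPLE_IOMMU_OFF='(XEN) HVM: VMX enabled
(XEN) HVM: Hardware Assisted Paging (HAP) detected
(XEN) I/O virtualisation disabled'

SAMPLE_NO_SLAT='(XEN) HVM: VMX enabled
(XEN) I/O virtualisation enabled'

# Demonstration on the constructed samples.
for s in "$SAMPLE_ALL_PRESENT" "$SAMPLE_IOMMU_OFF" "$SAMPLE_NO_SLAT"; do
    printf '%s\n' "$s" | check_xen_hw || echo "  -> not all three features are active"
done
```

A result of `iommu=disabled` on hardware that supports it usually points at a firmware setting rather than a missing CPU feature.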


Re: [qubes-users] Re: desktop recommendations?

2018-04-06 Thread Drew White
On Saturday, 7 April 2018 10:41:13 UTC+10, Thierry Laurion  wrote:
> You seem to have misunderstood. Ivy bridge and beyond on the Intel side will 
> provide you with SLAT capabilities, IOMMU and virtualization, which is all 
> that is required.  A x230 with 16gb ram and a i5 or i7 will provide you akk 
> the power needed if you have an sad drive.

I only went on what I was told. I have Ivy Bridge, and they don't have SLAT.
At least, they don't SAY they do.

Do they sometimes not say they have it even when they do?



Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-06 Thread 'awokd' via qubes-users
On Fri, April 6, 2018 11:18 pm, 799 wrote:
> On 07.04.2018 at 12:35 AM, "taii...@gmx.com" wrote:
>
>
> On 04/06/2018 05:22 AM, 799 wrote:
>
>
>> It seems to me that if I run Coreboot with grub + encrypted boot, there
>> is no need to run anti evil maid, as the boot partition can't be messed
>> with.
> Assuming you set the write-lock on the flash descriptor and have a
> physical anti-tamper sticker on the case screws.
>
>
> what exactly does it mean "set write-lock on flash descriptor" and where
> can I do this.

Not sure how exactly, but it makes it so you have to physically flash it
again.

> Regarding Stickers I think it is very easy to replace those for someone
> who is willing to sneak silently into my laptop. What kind of stickers do
> you suggest?

Glitter fingernail polish and take a picture.




Re: [qubes-users] Re: Qubes 4.0: Can't connect to network over Ethernet

2018-04-06 Thread 'awokd' via qubes-users
On Fri, April 6, 2018 11:04 pm, hdctb...@gmail.com wrote:
> THANK YOU! That fixed the problem.
>
>
> I'm sorry for my slow reply, I had skipped the debian-9 template during
> the install so I had to reinstall a couple of times (due to mistakes on
> my part) to get it.
>
> Once I switched sys-net to debian-9 I was able to connect and ping
> successfully. I don't know how you knew to do that (are there different
> drivers in the debian-9 template?) but it worked.

It was an educated guess, at best. :)

> Also to answer your question, yes I was running lspci and the other
> commands in sys-net.
>
> Thank you again, this is hugely appreciated. Now I can get on with
> learning Qubes.

Enjoy!



Re: [qubes-users] Re: desktop recommendations?

2018-04-06 Thread Thierry Laurion
Sorry for autocorrect.

On Fri, 6 Apr 2018 at 20:40, Thierry Laurion wrote:

>
>
> On Fri, 6 Apr 2018 at 20:11, Drew White wrote:
>
>> On Thursday, 5 April 2018 17:52:09 UTC+10, tai...@gmx.com  wrote:
>> > On 04/04/2018 10:59 PM, Drew White wrote:
>> >
>> > > I can't say anything about Qubes 4 because their restrictions on it
>> require the latest CPUs and all (apparently) with certain technology that
>> pre-2017 CPUs don't have. (Or so I read).
>> > 2017? what? where did you read that? (I have a good idea where...a
>> > certain company perhaps?)
>> >
>> > The first CPU with all the capabilities is circa 2011 with the last and
>> > best owner controlled x86_64 CPU's 2013. (AMD 43xx and 63xx)
>>
>> No, Qubes 4 I was told would require certain functionality in the CPU. I
>> even read it on the Qubes website. Part of the CPU vulnerability remedy for
>> RAM access and the page sharing vulnerabilities.
>>
>> Qubes 4 was supposed to not work on anything except CPUs that have that.
>>
>> And that was some technology only implemented in CPUs that came out in
>> late 2016 early 2017 and beyond.
>>
>> That is what I was told about Qubes 4, therefore it would not run on my
>> older CPUs. This is what the makers of Qubes informed me of.
>>
> You seem to have misunderstood. Ivy bridge and beyond on the Intel side
> will provide you with SLAT capabilities, IOMMU and virtualization, which is
> all that is required.  A x230 with 16gb ram and a i5 or i7 will provide you
> akk the power needed if you have an sad drive.
>



Re: [qubes-users] Re: desktop recommendations?

2018-04-06 Thread Thierry Laurion
On Fri, 6 Apr 2018 at 20:11, Drew White wrote:

> On Thursday, 5 April 2018 17:52:09 UTC+10, tai...@gmx.com  wrote:
> > On 04/04/2018 10:59 PM, Drew White wrote:
> >
> > > I can't say anything about Qubes 4 because their restrictions on it
> require the latest CPUs and all (apparently) with certain technology that
> pre-2017 CPUs don't have. (Or so I read).
> > 2017? what? where did you read that? (I have a good idea where...a
> > certain company perhaps?)
> >
> > The first CPU with all the capabilities is circa 2011 with the last and
> > best owner controlled x86_64 CPU's 2013. (AMD 43xx and 63xx)
>
> No, Qubes 4 I was told would require certain functionality in the CPU. I
> even read it on the Qubes website. Part of the CPU vulnerability remedy for
> RAM access and the page sharing vulnerabilities.
>
> Qubes 4 was supposed to not work on anything except CPUs that have that.
>
> And that was some technology only implemented in CPUs that came out in
> late 2016 early 2017 and beyond.
>
> That is what I was told about Qubes 4, therefore it would not run on my
> older CPUs. This is what the makers of Qubes informed me of.
>
You seem to have misunderstood. Ivy bridge and beyond on the Intel side
will provide you with SLAT capabilities, IOMMU and virtualization, which is
all that is required.  A x230 with 16gb ram and a i5 or i7 will provide you
akk the power needed if you have an sad drive.




[qubes-users] Easy way to convert AppVM to ProxyVM without editing?

2018-04-06 Thread Drew White
Is there an easy way to convert a guest without editing the XML and restarting 
all the time?



Re: [qubes-users] Re: desktop recommendations?

2018-04-06 Thread Drew White
On Thursday, 5 April 2018 17:52:09 UTC+10, tai...@gmx.com  wrote:
> On 04/04/2018 10:59 PM, Drew White wrote:
> 
> > I can't say anything about Qubes 4 because their restrictions on it require 
> > the latest CPUs and all (apparently) with certain technology that pre-2017 
> > CPUs don't have. (Or so I read).
> 2017? what? where did you read that? (I have a good idea where...a
> certain company perhaps?)
> 
> The first CPU with all the capabilities is circa 2011 with the last and
> best owner controlled x86_64 CPU's 2013. (AMD 43xx and 63xx)

No, Qubes 4 I was told would require certain functionality in the CPU. I even 
read it on the Qubes website. Part of the CPU vulnerability remedy for RAM 
access and the page sharing vulnerabilities.

Qubes 4 was supposed to not work on anything except CPUs that have that.

And that was some technology only implemented in CPUs that came out in late 
2016 early 2017 and beyond.

That is what I was told about Qubes 4, therefore it would not run on my older 
CPUs. This is what the makers of Qubes informed me of.





Re: [qubes-users] POST not displaying for long enough or accepting keyboard commands due to no focus?

2018-04-06 Thread Drew White
On Thursday, 5 April 2018 19:35:48 UTC+10, awokd  wrote:
> Not sure if it's possible to F12 a guest like that, but do you have
> "debug" enabled for it and are trying it in that window?

It is possible if the window displays in enough time.

Don't need debug because it is not in SEAMLESS MODE, only then does it hide all 
and only accept from the Qubes Video Driver passthrough.

My statement holds true if it's one in debug mode or a standard HVM or an HVM 
Template. It's always showing the window too late, because it doesn't show the 
window and then start the VM, it starts the VM and THEN opens a window to 
display the output.

Know any way to work around this?



Re: [qubes-users] 4.0 install stuck on 'Installing qubes-template-fedora-26.noarch (947/1018)'

2018-04-06 Thread Tomas Vrba
***UPDATE***

I updated BIOS and I can now install Qubes 4.0 in legacy boot, but not under 
UEFI, the installation still freezes the same way there. However, the reboot 
issue persist and I still can't boot into the system even with legacy boot. 

I have followed most of the advice on this page: 
https://www.qubes-os.org/doc/uefi-troubleshooting/#a1-2
But to no avail. 

Indeed my xen.cfg is empty but when i try populating and then running 
efibootmgr I get an error "EFI variables not supported on this system" since I 
installed in legacy mode. 

I would really love to upgrade to 4.0. I'd never had any issues installing 3.2 
but after almost a week wasted unable to even install and boot, it's getting 
quite frustrating. 

I'd love to hear any additional ideas on how to fix this. 




Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-06 Thread 799
On 07.04.2018 at 12:35 AM, "taii...@gmx.com" wrote:

> On 04/06/2018 05:22 AM, 799 wrote:
>
>> It seems to me that if I run Coreboot with grub + encrypted boot, there is
>> no need to run anti evil maid, as the boot partition can't be messed with.
> Assuming you set the write-lock on the flash descriptor and have a
> physical anti-tamper sticker on the case screws.


what exactly does it mean "set write-lock on flash descriptor" and where
can I do this.

Regarding Stickers I think it is very easy to replace those for someone who
is willing to sneak silently into my laptop.
What kind of stickers do you suggest?

[799]



[qubes-users] Re: Launching Gimp & Nautilus Qubes

2018-04-06 Thread cooloutac
On Friday, April 6, 2018 at 6:35:43 PM UTC-4, cooloutac wrote:
> On Friday, April 6, 2018 at 6:35:19 PM UTC-4, cooloutac wrote:
> > You might have to install nautilus or another file manager in the debian-9 
> > template.
> > 
> > I didn't have files on  qubes 3.2  debian8 to debian-9.   Can't remember if 
> > fresh install of 4.0 debian-9 template needs file manager installed too.
> > 
> > To sync new programs installed in template to the appvms desktop menu,  
> > start the debian-9 template terminal,  in it type qvm-sync-appmenus.
> 
> then from qubes manager you can go to appvms qubes settings and add which 
> programs you want in its menu list.

make sure to shut down template after installing nautilus and sync'n menus and 
restart the appvm



Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...

2018-04-06 Thread velcro

> > I pulled the logs, looked thru them, I didn't see any personal information. 
> > Seemed OK to past on the forum but sent them to you directly just in 
> > case...feel free to post any info for the greater good of the community. 
> > Thank you again for the help...
> > 
> > I pulled the 3 files .crt, .pem and the renamed openvpn-client.ovpn file 
> > and put them into the VPN folder.
> 
> Just FYI, putting all the configs (instead of selecting them) in /vpn is 
> easier.

Thanks for that...I'll try that!

 
> > Totally willing to try to "avoid
> > the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local
> > just before the first systemctl command; it will start quicker." Would you 
> > be open to sharing the commands for this?
> 
> The command is just "sleep 2s".

If I am launching a VM from the GUI when would I put "sleep 2s" into the 
terminal? I am learning but not there yet...


> > I am using "openvpn-ip" file from PIA under Advanced OpenVPN SSL 
> > Restrictive Configuration: 
> > https://www.privateinternetaccess.com/pages/client-support/
> > I then move each of the 3 individual files mentioned above into the 
> > /rw/config/vpn folder.
> > 
> > Thanks again for the help...
> 
> Got your log... I think the real culprit shows up here:
> 
> "AUTH: Received control message: AUTH_FAILED"
> 
> This could mean the user/password weren't entered correctly. You can see 
> how its stored by issuing this command:
> 
> sudo cat /rw/config/vpn/userpassword.txt
> 
> To fix it you can edit that file, or run the --config step again from 
> the instructions.

Thanks for that tip...the password is good. Tested it with another application 
and it is correct and working. The VPN proxy also had the correct password.

What else could this be?

What I know:
* This worked with 3.2 in Fedora but I experienced the same error with Debian 
in 3.2
* This worked for a brief moment in 4.0(fedora), had saved the beta file and 
was using that when it worked. I lost that older github/tasket file, I 
downloaded the 4.0 file and have not got it working again.
* I get the "Ready to start link" but then no connection
* This is new information but I can connect to my phone wireless but when I try 
another AP it can't connect. I am not sure this is relevant but in my network 
connection I get the following messages:

Ethernet Network (vif6.0)
Device not managed - my connection works


Ethernet Network (vif.20)
Device not managed - my connection DOES NOT work

Tasket my gut tells me I have something else missing, if you can get it to 
work, I am getting a ready to connect message, I had it working. Would a BIOS 
setting have an impact?

When I boot I get this error:

ERROR parsing PCC subspaces from PCCT
[Failed] Failed to start Load Kernel Modules 

- Followed by [OK] started Apply Kernel Variable/[OK] Started Setup Virtual 
Console

The struggle I am having is a lack of knowledge about how to trouble shoot this 
although you have taught me a lot Tasket thank you.

Any other thoughts?

I don't want to go back to 3.2 but with out a VPN/kill switch I don't see I 
have a choice.



[qubes-users] Re: Launching Gimp & Nautilus Qubes

2018-04-06 Thread cooloutac
You might have to install nautilus or another file manager in the debian-9 
template.

I didn't have files on  qubes 3.2  debian8 to debian-9.   Can't remember if 
fresh install of 4.0 debian-9 template needs file manager installed too.

To sync new programs installed in template to the appvms desktop menu,  start 
the debian-9 template terminal,  in it type qvm-sync-appmenus.



[qubes-users] Re: Launching Gimp & Nautilus Qubes

2018-04-06 Thread cooloutac
On Friday, April 6, 2018 at 6:35:19 PM UTC-4, cooloutac wrote:
> You might have to install nautilus or another file manager in the debian-9 
> template.
> 
> I didn't have files on  qubes 3.2  debian8 to debian-9.   Can't remember if 
> fresh install of 4.0 debian-9 template needs file manager installed too.
> 
> To sync new programs installed in template to the appvms desktop menu,  start 
> the debian-9 template terminal,  in it type qvm-sync-appmenus.

then from qubes manager you can go to appvms qubes settings and add which 
programs you want in its menu list.



Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-06 Thread taii...@gmx.com
On 04/06/2018 05:22 AM, 799 wrote:

> It seems to me that if I run Coreboot with grub + encrypted boot, there is
> no need to run anti evil maid, as the boot partition can't be messed with.
Assuming you set the write-lock on the flash descriptor and have a
physical anti-tamper sticker on the case screws.



Re: [qubes-users] fedora-26-dvm always shows updates pending, can't delete it.

2018-04-06 Thread cooloutac
Realized this only happens when using testing repo.   Current repos don't have 
the pending updates on dvms issue.



[qubes-users] sys-net no network access after wake from sleep

2018-04-06 Thread cooloutac
I have a desktop with intel ethernet.   I found out sleep actually works if 
using uefi bios mode.   But when I resume I have to restart sys-net to get 
networking.

Any solution to this problem?

Thanks,

Rich.



[qubes-users] Launching Gimp & Nautilus Qubes

2018-04-06 Thread Anyomonous Z
Hi, I read somewhere that you should install apps to the template vm. I 
installed the programs in a created debian vm instead of the template one. I 
tried the command qvm-sync-apps in dom0, but now the command says that it isn't 
recognized.


How do I synchronize the apps in settings? I think I missed that while in 
settings.


I'm using my email to respond, I hope this doesn't create a new thread 
altogether.


Thank you! It's much appreciated. =)



Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-06 Thread 799
Hello,

On 6 April 2018 at 15:05, Holger Levsen  wrote:

>
> On Fri, Apr 06, 2018 at 09:22:52AM +, 799 wrote:
> > As mentioned I have also drafted a how-to to setup Coreboot on a X230,
> > including building the pi, flashrom and extracting Blobs.
>
> out of curiosity: does resume work reliably for you? For me it didnt
> with coreboot (and the free VGA bios) but it does with legacy bios...
>

as described in the howto I have extracted the vga.rom from my own
BIOS-files.
I can use resume and the laptop reconnects its network adapters as soon as
it wakes up.
So far no issues at all.

I've run into one problem when I tried to start my AppVMs after flashing
coreboot.

Problem:
Some VMs were unable to boot (sys-net and also some other AppVMs),
Error message:
Get the message PCI device 
does not exist

Solution:
Following the suggestions mentioned here and removing some devices which
doesn't make sense.
https://github.com/QubesOS/qubes-issues/issues/3619

qvm-pci ls 
qvm-pci detach  

I had to open Qubes Settings for the sys-net VM to assign the Wifi Network
controller back to the VM.
It got lost after flashing coreboot.

> The coreboot config I have used is here:
> > https://github.com/Qubes-Community/Contents/blob/
> master/docs/coreboot/x230-configfile
>
> thanks, depending on your answer to the above question I probably
> compare yours with mine ;)
>

Can you share your config file?
I am sure that there is room for improvement in my config.


> > I wrote the how-to as I need to look at several places to get everything
> > together for example how to extract Blobs, how to merge two bios files
> into
> > one etc.
> > It seems to me that if I run Coreboot with grub + encrypted boot, there
> is
> > no need to run anti evil maid, as the boot partition can't be messed
> with.
> > Is this correct?
>
> mostly. The boot partition cannot be messed up but the components of
> your computer can be changed (eg a keyboard controller recording your
> keystrokes) and anti-evil-maid is designed to also detect those attacks.
> However these attacks are also much more sophisticated and require more
> time and are harder to do that just replacing a kernel image on an
> unencrypted boot partition.
>

Ok, I have not yet understood all the pieces of anti evil maid and of
course you are right that replacing my keyboard with a keyboard which has a
keylogger installed will make my system reasonable unsecure.
On the other hand, I don't think that I am a high profile target and if
this would change, I guess there are much easier ways to get the
data/information.
https://en.wikipedia.org/wiki/Enhanced_interrogation_techniques ... :-o

[799]



[qubes-users] Re: Reinstallation Failure

2018-04-06 Thread cr33dc0d3r
On Friday, 10 November 2017 20:14:51 UTC+1, Ray Joseph wrote:
> The reinstallation of v4.0 rC2 fails with:
> [   0.00] Firmware bug:  TSC_DEADLINE disabled due to Errata:  Please 
> update microcode to version: 0x25 (or later)
> [  10.347567]  dracut-pre-udev[460]: rpc.idmapd: conf-reinit: open(“(null))”, 
> 0_RDONLY) failed.
> [  10.347896]  dracut-pre-udev[460]: rpc.idmapd: conf-reinit: open(“(null))”, 
> 0_RDONLY) failed.
> 
> The above progresses to a graphic display with a large Q in the middle near 
> the bottom of the screen.  A progress bar below that shows installation has 
> started but it never progresses.  I turn it off after 30 mins.  
> 
> v4.0 RC2 was running on this Toshiba laptop.  I wanted to update the BIOS.  I 
> could not find a way to do that with the OS.  So I put Windows 10 on it, rant 
> the BIOS update, booted to Windows 10 a couple times then tried to install 
> Qubes.
> 
> Searching the web, I found sub-phrases of the above but could not find any 
> specifics and the higher level dracut problems seem to have been resolved in 
> previous version.
> 
> Please suggest how I might trouble shoot this.
> 
> Ray

Hi Ray, 

It seems that I got the same issue with Qubes 4.0 final, Lenovo X1 Carbon I5 vPro 
8GB RAM. 
After these messages appear, the screen with the "Q" shows up, loading bar filled 
about 1/5 full and stuck there. 

Hope this problem got some attention, and anyone got a solution or reason why 
this is happening. Maybe you have already solved it and will let me know how?

If not, sorry that I don't have a solution now, but I will work on getting this 
done.

Cheers, 
Jonny



Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...

2018-04-06 Thread Chris Laprise

On 04/06/2018 12:38 PM, vel...@tutamail.com wrote:
> I pulled the logs, looked thru them, I didn't see any personal information. 
> Seemed OK to paste on the forum but sent them to you directly just in 
> case...feel free to post any info for the greater good of the community. Thank 
> you again for the help...
> 
> I pulled the 3 files .crt, .pem and the renamed openvpn-client.ovpn file and 
> put them into the VPN folder.

Just FYI, putting all the configs (instead of selecting them) in /vpn is 
easier.

> Totally willing to try to "avoid
> the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local
> just before the first systemctl command; it will start quicker." Would you be 
> open to sharing the commands for this?

The command is just "sleep 2s".

> I am using "openvpn-ip" file from PIA under Advanced OpenVPN SSL Restrictive 
> Configuration: https://www.privateinternetaccess.com/pages/client-support/
> I then move each of the 3 individual files mentioned above into the 
> /rw/config/vpn folder.
> 
> Thanks again for the help...

Got your log... I think the real culprit shows up here:

"AUTH: Received control message: AUTH_FAILED"

This could mean the user/password weren't entered correctly. You can see 
how it's stored by issuing this command:

sudo cat /rw/config/vpn/userpassword.txt

To fix it you can edit that file, or run the --config step again from 
the instructions.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
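
The triage described in the reply above (look for AUTH_FAILED in the handler log, then inspect the stored credentials), as an added shell example that is not part of the original message or of the VPN tool being discussed. The function names, the "Started ..." log line and the sample credentials are constructed, and it assumes userpassword.txt follows OpenVPN's auth-user-pass layout (username on line 1, password on line 2).

```shell
#!/bin/sh
# Added example (not from the thread): triage for a qubes-vpn-handler that
# will not connect. Function names are hypothetical; the file path and the
# log messages matched below are the ones quoted in the thread.
#
# Real use inside the VPN VM (as root):
#   journalctl -u qubes-vpn-handler > qvpn.log
#   diagnose_log qvpn.log
#   check_userpass /rw/config/vpn/userpassword.txt

# diagnose_log FILE: classify the handler's journal output.
#   auth-failed          the server rejected the credentials
#   started-after-retry  first start failed, a later one succeeded (the
#                        firewall-rule race described in the thread)
#   start-failed         the unit failed and never came up afterwards
diagnose_log() {
    awk '
        /AUTH_FAILED/                          { auth = 1 }
        /Failed to start VPN Client for Qubes/ { failed++; last = "failed" }
        /Started VPN Client for Qubes/         { last = "started" }
        END {
            if (auth)                   print "auth-failed"
            else if (last == "started") print (failed ? "started-after-retry" : "started")
            else if (failed)            print "start-failed"
            else                        print "no-handler-events"
        }' "$1"
}

# check_userpass FILE: sanity-check a two-line credentials file without
# printing its contents. Prints one status word; non-zero on the first problem.
check_userpass() {
    f=$1
    [ -r "$f" ] || { echo "missing-or-unreadable"; return 1; }
    # A carriage return (file edited on Windows) becomes part of the secret.
    cr=$(printf '\r')
    if grep -q "$cr" "$f"; then echo "crlf-line-endings"; return 1; fi
    [ -n "$(sed -n '1p' "$f")" ] || { echo "empty-username"; return 1; }
    [ -n "$(sed -n '2p' "$f")" ] || { echo "empty-password"; return 1; }
    # Stray blanks from copy/paste are a common cause of AUTH_FAILED.
    if sed -n '1,2p' "$f" | grep -Eq '^[[:space:]]|[[:space:]]$'; then
        echo "surrounding-whitespace"; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -l "$f" | cut -c5-10)" != "------" ]; then
        echo "group-or-world-accessible"; return 1
    fi
    echo "ok"
}

# Demo on constructed input: a log with the failure sequence from the thread
# and a credentials file with a trailing space after the username.
demo() {
    d=$(mktemp -d)
    cat > "$d/qvpn.log" <<'EOF'
Apr 06 02:09:50 sys-VPNb5 systemd[1]: Failed to start VPN Client for Qubes proxyVM.
Apr 06 02:10:01 sys-VPNb5 systemd[1]: Started VPN Client for Qubes proxyVM.
Apr 06 02:10:04 sys-VPNb5 openvpn[812]: AUTH: Received control message: AUTH_FAILED
EOF
    printf 'p1234567 \nexample-password\n' > "$d/userpassword.txt"
    chmod 600 "$d/userpassword.txt"
    echo "log:         $(diagnose_log "$d/qvpn.log")"
    echo "credentials: $(check_userpass "$d/userpassword.txt" || true)"
    rm -rf "$d"
}
demo
```
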



Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...

2018-04-06 Thread velcro
I pulled the logs, looked thru them, I didn't see any personal information. 
Seemed OK to paste on the forum but sent them to you directly just in 
case...feel free to post any info for the greater good of the community. Thank 
you again for the help...

I pulled the 3 files .crt, .pem and the renamed openvpn-client.ovpn file and 
put them into the VPN folder.

Totally willing to try to "avoid
the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local
just before the first systemctl command; it will start quicker." Would you be 
open to sharing the commands for this?

I am using "openvpn-ip" file from PIA under Advanced OpenVPN SSL Restrictive 
Configuration: https://www.privateinternetaccess.com/pages/client-support/
I then move each of the 3 individual files mentioned above into the 
/rw/config/vpn folder.

Thanks again for the help...
 



Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...

2018-04-06 Thread Chris Laprise

On 04/06/2018 09:08 AM, vel...@tutamail.com wrote:
> Thanks Chris...again thank you for the effort! This tool is great...
> 
> Does it matter that Private internet access provides 3 separate files (key, 
> cert and client config)?

Yes it matters. You should put all of them in the /rw/config/vpn folder 
or the config won't work.

> I have the proxy AppVM set up with "provides network"(proxy) checked, I have 
> tried a setup in proxy only and a setup in Template/Proxy, PVH(tried PV...similar to 
> 3.2)...I don't think it is the setup as much as the configuration of the template?

No need to mess with virt type... default PVH is fine.

> I installed GNOME and Openvpn (Using those names specifically) in Debian, no 
> additional packages installed in stock fedora...
> 
> I feel like I am missing a very basic command or tweak, whonix works, wireless 
> works, sys-firewall works...any help would be appreciated. It seems something 
> related to PIA VPN configuration or VPN-handler-openvpn

I'm using Debian 9 also and just did a test with PIA. On my system the 
service fails initially then restarts 10sec later because the firewall 
rules take time to set up. It works fine this way. If you want to avoid 
the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local 
just before the first systemctl command; it will start quicker.

> Here are my logs/commands from your suggestions:
> 
> root@sys-VPNb5:/home/user# ls -l /rw/config/qubes-firewall.d
> total 0
> lrwxrwxrwx 1 root root 38 Apr  5 13:16 90_tunnel-restrict -> /usr/lib/qubes/proxy-firewall-restrict
> 
> root@sys-VPNb5:/home/user# iptables -v -L FORWARD

The iptables and qubes-firewall.d look correct. But the logs you added 
look garbled. Can you capture the following and attach it to a reply in 
tar format..?

 sudo journalctl -u qubes-vpn-handler >qvpn.log
 tar -czf qvpnlog.tgz qvpn.log
 qvm-copy qvpnlog.tgz

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] User issues with Qubes 4.0

2018-04-06 Thread 'awokd' via qubes-users
On Thu, April 5, 2018 3:45 pm, frkla1...@gmail.com wrote:

> The biggest problem which I have at the moment are graphical issues. When
> I watch a video and I move with the cursor the video jerks. If it is a
> fast video (for example a car video) it jerks also without moving the
> cursor. I didn't have this problem at os 3.2 - even when I was playing
> videos simultaneously.

This? https://github.com/QubesOS/qubes-issues/issues/3622

You could maybe try a Debian template instead.




[qubes-users] [Qubes 4.0] Updating migrated templates from 3.2

2018-04-06 Thread p . o . mosier
Hello,

I'm trying to get a fedora-25 template from Qubes 3.2 updated to Fedora 26 on 
Qubes 4.0.  This template has a variety of packages already installed and I 
thought it would be easier to bring this forward to Fedora 26 rather than 
trying to reinstall everything on the default fedora-26 template.

It appears that the template update process is very different in Qubes 4.0, 
with networking changes and a number of repo updates.  Is there any 
documentation on how to get this to work, such as what files need to be updated 
and what configuration settings tweaked?

Thanks,
- Paul M



[qubes-users] [Qubes 4.0] Updating debian-9 template fails

2018-04-06 Thread p . o . mosier
Hello,

I recently migrated from Qubes 3.2 to 4.0 and it appears that the networking 
for all the template VMs is shut off by default.

To update the default debian-9 template, I turned networking on and attached it 
to sys-firewall.  But when I run the template, it appears that I can't connect 
out to sys-net or to the outside world (any ping fails).  Is this a 
configuration bug?

(In the meantime, how do I change the firewall to break through?)

Thanks,
- Paul M



[qubes-users] [Qubes 4.0] UpdateVM in global settings does nothing

2018-04-06 Thread p . o . mosier
Hello,

I'm having a variety of problems trying to get my templates to update.  One of 
these is that all my templates seem to want to update through sys-whonix.  I 
run on a lower memory laptop and while I have sys-whonix installed, I don't 
want to run it every time I want to run updates.

The Qubes Global Settings window allows me to set an UpdateVM.  I have set this 
to sys-firewall and restarted the laptop.  But when I go to update the template 
again (a clone of the default fedora-26 template) it still tries to download 
packages through sys-whonix.

What gives?  How can I make this stop?

Thanks,
- Paul M



Re: [qubes-users] Becoming a Qubes Evangelist :: but ... how to Screencast?

2018-04-06 Thread 'awokd' via qubes-users
On Fri, April 6, 2018 12:39 pm, 799 wrote:

> I would like to make a webcast and show Qubes including AppVMs and
> Template-Management, is there any way to make this possible?
> As I would use a dedicated machine for this I can live with an insecure
> solution as the laptop will be freshly installed before and afterwards.

There was this discussion a bit ago:
https://www.mail-archive.com/qubes-users@googlegroups.com/msg18889.html

Might be easiest to go "low tech" on your example though, using a stably
mounted video cam for streaming. If your hardware platform has some type
of IP-KVM capability, could use that too.




Re: [qubes-users] Error: Failed to synchronize cache for repo 'qubes-vm-r4.0-current' with Fedora and 4.0?

2018-04-06 Thread velcro
Worked like a charm! Thanks...



Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...

2018-04-06 Thread velcro
Thanks Chris...again thank you for the effort! This tool is great...

Does it matter that Private internet access provides 3 separate files (key, 
cert and client config)?

I have the proxy AppVM set up with "provides network"(proxy) checked, I have 
tried a setup in proxy only and a setup in Template/Proxy, PVH(tried 
PV...similar to 3.2)...I don't think it is the setup as much as the 
configuration of the template? 

I installed GNOME and Openvpn (Using those names specifically) in Debian, no 
additional packages installed in stock fedora...

I feel like I am missing a very basic command or tweak, whonix works, wireless 
works, sys-firewall works...any help would be appreciated. It seems something 
related to PIA VPN configuration or VPN-handler-openvpn 

Here are my logs/commands from your suggestions:


root@sys-VPNb5:/home/user# ls -l /rw/config/qubes-firewall.d
total 0
lrwxrwxrwx 1 root root 38 Apr  5 13:16 90_tunnel-restrict -> 
/usr/lib/qubes/proxy-firewall-restrict


root@sys-VPNb5:/home/user# iptables -v -L FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source   destination 

0 0 DROP   all  --  eth0   any anywhere anywhere

0 0 DROP   all  --  anyeth0anywhere anywhere

0 0 ACCEPT all  --  anyany anywhere anywhere
 ctstate RELATED,ESTABLISHED
0 0 QBS-FORWARD  all  --  anyany anywhere anywhere  
  
0 0 DROP   all  --  vif+   vif+anywhere anywhere

0 0 ACCEPT all  --  vif+   any anywhere anywhere

0 0 DROP   all  --  anyany anywhere anywhere 

I copied errors when I run journalctl:

Apr 06 02:09:52 sys-VPNb5 gnome-terminal-[966]: unable to open file 
'/etc/dconf/db/local': Failed to open file '/etc/dconf/db/local': open() 
failed: No such file or directory; expect degra


Apr 06 02:09:50 sys-VPNb5 systemd[664]: pam_unix(systemd-user:session): session 
opened for user user by (uid=0)
Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Control 
process exited, code=exited status=1
Apr 06 02:09:50 sys-VPNb5 systemd[1]: Failed to start VPN Client for Qubes 
proxyVM.

Apr 06 02:09:46 localhost systemd[1]: Started Adjust root filesystem size.
Apr 06 02:09:46 localhost kernel: Error: Driver 'pcspkr' is already registered, 
aborting...
Apr 06 02:09:46 localhost mount-dirs.sh[351]: Private device management: 
fsck.ext4 of /dev/xvdb succeeded

Apr 06 02:09:45 localhost kernel:  xvdc: xvdc1
Apr 06 02:09:45 localhost kernel: EXT4-fs (xvda3): couldn't mount as ext3 due 
to feature incompatibilities
Apr 06 02:09:45 localhost kernel: EXT4-fs (xvda3): couldn't mount as ext2 due 
to feature incompatibilities
Apr 06 02:09:45 localhost kernel: EXT4-fs (xvda3): mounted filesystem with 
ordered data mode. Opts: (null)
Apr 06 02:09:45 localhost kernel: EXT4-fs (xvdd): mounting ext3 file system 
using the ext4 subsystem

Apr 06 02:09:45 localhost kernel: dmi-sysfs: dmi entry is absent.



Apr 06 02:09:50 sys-VPNb5 systemd[1]: Started Serial Getty on hvc0.
Apr 06 02:09:50 sys-VPNb5 systemd[1]: Reached target Login Prompts.
Apr 06 02:09:50 sys-VPNb5 systemd[664]: pam_unix(systemd-user:session): session 
opened for user user by (uid=0)
Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Control 
process exited, code=exited status=1
Apr 06 02:09:50 sys-VPNb5 systemd[1]: Failed to start VPN Client for Qubes 
proxyVM.
Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Unit entered 
failed state.
Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Failed with 
result 'exit-code'.
Apr 06 02:09:50 sys-VPNb5 systemd[664]: Listening on GnuPG network certificate 
management daemon.
Apr 06 02:09:50 sys-VPNb5 systemd[664]: Listening on GnuPG cryptographic agent 
(ssh-agent emulation).


   



Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-06 Thread Holger Levsen
hi,

On Fri, Apr 06, 2018 at 09:22:52AM +, 799 wrote:
> As mentioned I have also drafted a how-to to setup Coreboot on a X230,
> including building the pi, flashrom and extracting Blobs.

out of curiosity: does resume work reliably for you? For me it didn't
with coreboot (and the free VGA bios) but it does with legacy bios...

(and btw, with legacy bios resume is quite very reliable again, just
sometimes/often the wireless doesn't work after resume; though now I
found out a workaround: just suspend+resume until it comes back with
working wireless... ;)

> The coreboot config I have used is here:
> https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230-configfile

thanks, depending on your answer to the above question I'll probably
compare yours with mine ;)

> I wrote the how-to as I need to look at several places to get everything
> together for example how to extract Blobs, how to merge two bios files into
> one etc.

> It seems to me that if I run Coreboot with grub + encrypted boot, there is
> no need to run anti evil maid, as the boot partition can't be messed with.
> 
> Is this correct?

mostly. The boot partition cannot be messed up but the components of
your computer can be changed (eg a keyboard controller recording your
keystrokes) and anti-evil-maid is designed to also detect those attacks.
However these attacks are also much more sophisticated and require more
time and are harder to do than just replacing a kernel image on an
unencrypted boot partition.


-- 
cheers,
Holger



[qubes-users] Becoming a Qubes Evangelist :: but ... how to Screencast?

2018-04-06 Thread 799
Hello,

I'd like to demo one of my Qubes Instances to some other non-qubes-users as
they got attracted talking me about Qubes here and there.

I have now a problem which is basically a result of Qubes being "reasonably
secure":

I would like to make a webcast and show Qubes including AppVMs and
Template-Management, is there any way to make this possible?
As I would use a dedicated machine for this I can live with an insecure
solution as the laptop will be freshly installed before and afterwards.

[799]



[qubes-users] [4.0] qvm-create --class StandaloneVM throws exception in qubesd

2018-04-06 Thread alej . aparicio
I've been using Qubes 4.0 for a week, everything working pretty much out of the 
box. Yesterday however, I encountered a problem when trying to create a 
fedora-26 template-based StandaloneVM. This happened after I messed up with dnf 
in a previous StandaloneVM erasing lots of important dependencies and 
qubes-related packages rendering the VM unusable. I ended up deleting that 
StandaloneVM and since then I can't create any StandaloneVMs anymore.

If I create it via Qube Manager, a StandaloneVM is created, but it's completely 
empty, it doesn't have any TemplateVM associated with it.

If I create it with qvm-create, I obtain the following output:

$ qvm-create vmname --class StandaloneVM --template fedora-26 --label orange
app: Error creating VM: Got empty response from qubesd. See journalctl in dom0 
for details.

journalctl output:

Apr 06 00:46:37 dom0 qubesd[13232]: unhandled exception while calling 
src=b'dom0' meth=b'admin.vm.Create.StandaloneVM' dest=b'dom0' arg=b'fedora-2$
Apr 06 00:46:37 dom0 qubesd[13232]: Traceback (most recent call last):
Apr 06 00:46:37 dom0 qubesd[13232]:   File 
"/usr/lib/python3.5/site-packages/qubes/api/__init__.py", line 262, in respond
Apr 06 00:46:37 dom0 qubesd[13232]: untrusted_payload=untrusted_payload)
Apr 06 00:46:37 dom0 qubesd[13232]:   File 
"/usr/lib64/python3.5/asyncio/futures.py", line 381, in __iter__
Apr 06 00:46:37 dom0 qubesd[13232]: yield self  # This tells Task to wait 
for completion.
Apr 06 00:46:37 dom0 qubesd[13232]:   File 
"/usr/lib64/python3.5/asyncio/tasks.py", line 310, in _wakeup
Apr 06 00:46:37 dom0 qubesd[13232]: future.result()
Apr 06 00:46:37 dom0 qubesd[13232]:   File 
"/usr/lib64/python3.5/asyncio/futures.py", line 294, in result
Apr 06 00:46:37 dom0 qubesd[13232]: raise self._exception
Apr 06 00:46:37 dom0 qubesd[13232]:   File 
"/usr/lib64/python3.5/asyncio/tasks.py", line 240, in _step
Apr 06 00:46:37 dom0 qubesd[13232]: result = coro.send(None)
Apr 06 00:46:37 dom0 qubesd[13232]:   File 
"/usr/lib64/python3.5/asyncio/coroutines.py", line 213, in coro
Apr 06 00:46:37 dom0 qubesd[13232]: res = yield from res
Apr 06 00:46:37 dom0 qubesd[13232]:   File 
"/usr/lib/python3.5/site-packages/qubes/api/admin.py", line 960, in _vm_create
Apr 06 00:46:37 dom0 qubesd[13232]: assert not self.arg
Apr 06 00:46:37 dom0 qubesd[13232]: AssertionError

I tried then to clone fedora-26 TemplateVM and I obtain the same result, an 
empty, unusable VM. I can create template-based AppVMs, but not clone them, 
create new TemplateVMs or StandaloneVMs. I can clone a Win7 VM with QWT that 
works beautifully, but not template-based ones.

I'm afraid I messed up with Qubes configuration or template handling, but I 
can't see how deleting a corrupt StandaloneVM is related to this problem. Any 
workaround would be much appreciated. I see a similar bug is reported in Issue 
3341: https://github.com/QubesOS/qubes-issues/issues/3341

Thanks in advance. I was eagerly waiting for R4.0 and it works flawlessly in my 
daily driver, outstanding development work, I'm loving the experience.



Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-06 Thread G

On 2018-04-06 09:22, 799 wrote:
> As mentioned I have also drafted a how-to to setup Coreboot on a X230,
> including building the pi, flashrom and extracting Blobs.
> 
> My how-to is located in the Qubes Community docs.
> 
> While I need to fill in some small gaps how to put the hardware parts
> together, all the other stuff is covered including extracting Blobs
> and vga.rom.
> 
> The how-to is located here:
> https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230.md
> 
> The coreboot config I have used is here:
> https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230-configfile

Good guide, thank you. I'm looking forward to better understanding Heads 
(http://osresearch.net/) and maybe adding some notes on it.

Currently I do not have a Github account set up, so I will not be able 
to make a pull request adding my guide. If anyone can do it, it would be 
much appreciated, otherwise I'll probably do it given some time.

> I am interested in getting the best out of both worlds (Coreboot +
> Qubes).
> It seems that your approach (using GRUB) offers some benefits vs.
> using SeaBIOS as the boot partition can so be encrypted.
> 
> Are there issues going this way? For example breaking the future
> upgrade ability ?
> 
> It seems to me that if I run Coreboot with grub + encrypted boot,
> there is no need to run anti evil maid, as the boot partition can't be
> messed with.
> 
> Is this correct?

Currently I have hardcoded the kernel version in the grub config inside 
the ROM. This is an ugly temporary solution as obviously even if I 
upgrade I'll continue to boot the old kernel by default. My idea is to 
modify the update script to always add/update a symlink to the newest 
kernel and use that naming in Grub but I have yet to look into it.

As for the AEM, I guess that if you are satisfied with your Grub config 
you could set the lock bits in coreboot and flash the rom as read only. 
Also preventing the boot of external device should be a good idea. 
However as far as I can understand, while this is better than the 
standard it doesn't really provide a valid chain of trust.  There are 
still additional measures that can be taken like signing your kernel and 
using the TPM, see https://trmm.net/Heads for more details.




Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-06 Thread G

On 2018-04-05 19:38, 799 wrote:
> Nice how-to, I'm currently writing something similar for my X230.
> 
> Would you mind adding your howto to the Qubes Community doc
> repository, which we've established to work on howtos and docs until
> they're easy to be migrated to the official Qubes Docs.
> If you agree, I can also add your notes there, mentioning you as the
> original author.

Hello, no problem as I said it is copyleft. Where's the Qubes Community 
repository?

> I'd like to use grub as payload but without using encrypted boot as I
> am afraid to damage my production Qubes environment and losing time
> fixing it.
> 
> What do I need to do, if I would like to just use Grub and leave my
> boot untouched?
> 
> As far as I understand the benefit of having Grub as payload is to be
> able to encrypt /boot.
> Does this mean than include that it makes no sense to run Grub instead
> of SeaBIOS without having boot encrypted?
> 
> [799]

The advantage of using SeaBIOS is that it should be able to launch the 
Grub on the original /boot partition which means that Grub config will 
be updated with system updates and that boot options can be changed 
without the need to re-flash. Also probably SeaBIOS does have more low 
level configuration options similar to a vendor BIOS.

Honestly the process of encrypting /boot went far smoother than I 
expected, it actually worked on the first try (even though I did a full 
dd backup copy of the whole disk before and kept also a Grub entry to 
boot the old way). All included it took less than a day for the 
transition.

The other benefit apart from encrypting /boot is a faster boot process 
I'd say and maybe a little more security: don't know if it's possible 
for SeaBIOS (probably yes) but I configured Grub to ask for a user and 
password for every non standard option in the menu (ex: modifying an 
entry or using the command line), this way it should be very difficult 
to boot an external media.




Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads

2018-04-06 Thread 799
Hello Giulio,

G wrote on Tue, 27 March 2018, 21:35:

> On 2018-03-27 18:10, G wrote:
> > Hello,
> > since it took a while for me to sum up all piece and a lot of trial
> > and error to get the whole setup working i took some notes to help
> > other who want to try something similar.
> > Please note that everything written there is public domain (so
> > copy-edit-whatever).
> >
> > https://git.lsd.cat/g/thinkad-coreboot-qubes


As mentioned I have also drafted a how-to to setup Coreboot on a X230,
including building the pi, flashrom and extracting Blobs.

My how-to is located in the Qubes Community docs.
While I need to fill in some small gaps how to put the hardware parts
together, all the other stuff is covered including extracting Blobs and
vga.rom.

The how-to is located here:
https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230.md

The coreboot config I have used is here:
https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230-configfile

I wrote the how-to as I need to look at several places to get everything
together for example how to extract Blobs, how to merge two bios files into
one etc.
Having everything in one place is nice for a newbie if he owns exactly the
same model/x230.

I am interested in getting the best out of both worlds (Coreboot + Qubes).
It seems that your approach (using GRUB) offers some benefits vs. using
SeaBIOS as the boot partition can so be encrypted.

Are there issues going this way? For example breaking the future upgrade
ability ?

It seems to me that if I run Coreboot with grub + encrypted boot, there is
no need to run anti evil maid, as the boot partition can't be messed with.

Is this correct?

[799]



Re: [qubes-users] suggestion for quality assurance of documentation

2018-04-06 Thread Ivan Mitev
hey,

On 04/04/2018 11:46 AM, kai.fr...@gmail.com wrote:
> greetings!
> 
> while taking first steps with new qubes 4.0, i find that some of the great 
> documentation articles in qubes-os.org
> are no more 100% accurate for qubes 4.0 (see my previous post on usage of 
> kernel 4.16 for an example). this is quite expectable, given that both the 
> api as well as the technical implementation details of qubes changed a bit 
> between 3.2 and 4.0. however, this could make it difficult for the average 
> (or below average) user like me to decide whether the information found is 
> accurate for 4.0 and therefore can safely be applied to 4.0.
> 
> so my suggestion is to add a creation/last updated date to the pages and/or 
> to add an information, to which versions of qubes the article applies, e.g. 
> created for version 3.2, updated/reviewed for usage with 4.0.

the problem is that things like a trivial typo fix would automatically
update the 'last updated' tag and make people think that the doc is up
to date for the last qubes release.

alternatively, the 'last updated' tag could be updated manually when
there are significant changes, but it's error-prone.

the consensus seems to be to fix the current documentation with "R3.2",
"R4.0" tags where appropriate. One of the problems is that the core devs
had too much on their plate with the recent 4.0 release so the
documentation is a bit lagging.

here are some related issues:

https://github.com/QubesOS/qubes-issues/issues/3495
https://github.com/QubesOS/qubes-issues/issues/3629


btw if you don't have time to contribute/fix the documentation, listing
the problems you saw in the docs would be helpful (either post them here
or send me an email).


ivan

> 
> any other/better solution would be also welcome, of course...
> 
> thank you and all the best
> Kai
> http://kai.froeb.net
> 
