Re: [qubes-users] Re: desktop recommendations?
On Friday, April 6, 2018 at 9:27:11 PM UTC-4, Drew White wrote: > On Saturday, 7 April 2018 10:41:13 UTC+10, Thierry Laurion wrote: > > You seem to have misunderstood. Ivy bridge and beyond on the Intel side > > will provide you with SLAT capabilities, IOMMU and virtualization, which is > > all that is required. A x230 with 16gb ram and a i5 or i7 will provide you > > akk the power needed if you have an sad drive. > > I only went on what I was told. I have Ivy Bridge, and they don't have SLAT. > At least, they don't SAY they do. > > Do they sometimes not say they have it even when they do? what do you mean say how are you testing? I'm about to go test on my ivybridge right now lol. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cd20d15a-5f60-4351-8d5c-7fcf996e0789%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: desktop recommendations?
On Saturday, 7 April 2018 10:41:13 UTC+10, Thierry Laurion wrote: > You seem to have misunderstood. Ivy bridge and beyond on the Intel side will > provide you with SLAT capabilities, IOMMU and virtualization, which is all > that is required. A x230 with 16gb ram and a i5 or i7 will provide you akk > the power needed if you have an sad drive. I only went on what I was told. I have Ivy Bridge, and they don't have SLAT. At least, they don't SAY they do. Do they sometimes not say they have it even when they do? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b0768fc9-a9f1-4044-9ff2-820eba1bce80%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads
On Fri, April 6, 2018 11:18 pm, 799 wrote: > Am 07.04.2018 12:35 vorm. schrieb "taii...@gmx.com": > > > On 04/06/2018 05:22 AM, 799 wrote: > > >> It seems to me that if I run Coreboot with grub + encrypted boot, there >> is no need to run anti evil maid, as the boot partition can't be messed >> with. > Assuming you set the write-lock on the flash descriptor and have a > physical anti-tamper sticker on the case screws. > > > what exactly does it mean "set write-lock on flash descriptor" and where > can I do this. Not sure how exactly, but it makes it so you have to physically flash it again. > Regarding Stickers I think it is very easy to replace those for someone > who is willing to sneak silently into my laptop. What kind of stickers do > you suggest? Glitter fingernail polish and take a picture. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d0d33afc6577bce6a003eaefcd25fc98.squirrel%40tt3j2x4k5ycaa5zt.onion. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Qubes 4.0: Can't connect to network over Ethernet
On Fri, April 6, 2018 11:04 pm, hdctb...@gmail.com wrote: > THANK YOU! That fixed the problem. > > > I'm sorry for my slow reply, I had skipped the debian-9 template during > the install so I had to reinstall a couple of times (due to mistakes on > my part) to get it. > > Once I switched sys-net to debian-9 I was able to connect and ping > successfully. I don't know how you knew to do that (are there different > drivers in the debian-9 template?) but it worked. It was an educated guess, at best. :) > Also to answer your question, yes I was running lspci and the other > commands in sys-net. > > Thank you again, this is hugely appreciated. Now I can get on with > learning Qubes. Enjoy! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/c302aad7b87c5822f7ccab240cf61066.squirrel%40tt3j2x4k5ycaa5zt.onion. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: desktop recommendations?
Sorry for autocorrect. Le ven. 6 avr. 2018 20:40, Thierry Lauriona écrit : > > > Le ven. 6 avr. 2018 20:11, Drew White a écrit : > >> On Thursday, 5 April 2018 17:52:09 UTC+10, tai...@gmx.com wrote: >> > On 04/04/2018 10:59 PM, Drew White wrote: >> > >> > > I can't say anything about Qubes 4 because their restrictions on it >> require the latest CPUs and all (apparently) with certain technology that >> pre-2017 CPUs don't have. (Or so I read). >> > 2017? what? where did you read that? (I have a good idea where...a >> > certain company perhaps?) >> > >> > The first CPU with all the capabilities is circa 2011 with the last and >> > best owner controlled x86_64 CPU's 2013. (AMD 43xx and 63xx) >> >> No, Qubes 4 I was told would require certain functionality in the CPU. I >> even read it on the Qubes website. Part of the CPU vulnerability remedy for >> RAM access and the page sharing vulnerabilities. >> >> Qubes 4 was supposed to not work on anything except CPUs that have that. >> >> And that was some technology only implemented in CPUs that came out in >> late 2016 early 2017 and beyond. >> >> That is what I was told about Qubes 4, therefore it would not run on my >> older CPUs. This is what the makers of Qubes informed me of. >> > You seem to have misunderstood. Ivy bridge and beyond on the Intel side > will provide you with SLAT capabilities, IOMMU and virtualization, which is > all that is required. A x230 with 16gb ram and a i5 or i7 will provide you > akk the power needed if you have an sad drive. > >> >> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "qubes-users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to qubes-users+unsubscr...@googlegroups.com. >> To post to this group, send email to qubes-users@googlegroups.com. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/qubes-users/49c98dd9-0546-4efd-b8fa-5af0cbdc9fa2%40googlegroups.com >> . >> For more options, visit https://groups.google.com/d/optout. >> > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAAzJznyNMgkEsqrfaU61SmEE8%2Bx608dkb701rVqE%3D7rSugsmnQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: desktop recommendations?
Le ven. 6 avr. 2018 20:11, Drew Whitea écrit : > On Thursday, 5 April 2018 17:52:09 UTC+10, tai...@gmx.com wrote: > > On 04/04/2018 10:59 PM, Drew White wrote: > > > > > I can't say anything about Qubes 4 because their restrictions on it > require the latest CPUs and all (apparently) with certain technology that > pre-2017 CPUs don't have. (Or so I read). > > 2017? what? where did you read that? (I have a good idea where...a > > certain company perhaps?) > > > > The first CPU with all the capabilities is circa 2011 with the last and > > best owner controlled x86_64 CPU's 2013. (AMD 43xx and 63xx) > > No, Qubes 4 I was told would require certain functionality in the CPU. I > even read it on the Qubes website. Part of the CPU vulnerability remedy for > RAM access and the page sharing vulnerabilities. > > Qubes 4 was supposed to not work on anything except CPUs that have that. > > And that was some technology only implemented in CPUs that came out in > late 2016 early 2017 and beyond. > > That is what I was told about Qubes 4, therefore it would not run on my > older CPUs. This is what the makers of Qubes informed me of. > You seem to have misunderstood. Ivy bridge and beyond on the Intel side will provide you with SLAT capabilities, IOMMU and virtualization, which is all that is required. A x230 with 16gb ram and a i5 or i7 will provide you akk the power needed if you have an sad drive. > > > > -- > You received this message because you are subscribed to the Google Groups > "qubes-users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to qubes-users+unsubscr...@googlegroups.com. > To post to this group, send email to qubes-users@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/qubes-users/49c98dd9-0546-4efd-b8fa-5af0cbdc9fa2%40googlegroups.com > . > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAAzJznxptQXcXf5SZVezUo-zitLNKiaKD-aRPiZ5zdAQh77AJg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Easy way to convert AppVM to ProxyVM without editing?
Is there an easy way to convert a guest without editing the XML and restarting all the time? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ce9e13ff-80e6-4a93-b24a-ebff586f5bf3%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: desktop recommendations?
On Thursday, 5 April 2018 17:52:09 UTC+10, tai...@gmx.com wrote: > On 04/04/2018 10:59 PM, Drew White wrote: > > > I can't say anything about Qubes 4 because their restrictions on it require > > the latest CPUs and all (apparently) with certain technology that pre-2017 > > CPUs don't have. (Or so I read). > 2017? what? where did you read that? (I have a good idea where...a > certain company perhaps?) > > The first CPU with all the capabilities is circa 2011 with the last and > best owner controlled x86_64 CPU's 2013. (AMD 43xx and 63xx) No, Qubes 4 I was told would require certain functionality in the CPU. I even read it on the Qubes website. Part of the CPU vulnerability remedy for RAM access and the page sharing vulnerabilities. Qubes 4 was supposed to not work on anything except CPUs that have that. And that was some technology only implemented in CPUs that came out in late 2016 early 2017 and beyond. That is what I was told about Qubes 4, therefore it would not run on my older CPUs. This is what the makers of Qubes informed me of. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/49c98dd9-0546-4efd-b8fa-5af0cbdc9fa2%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] POST not displaying for long enough or accepting keyboard commands due to no focus?
On Thursday, 5 April 2018 19:35:48 UTC+10, awokd wrote: > Not sure if it's possible to F12 a guest like that, but do you have > "debug" enabled for it and are trying it in that window? It is possible if the window displays in enough time. Don't need debug because it is not in SEAMLESS MODE, only then does it hide all and only accept from the Qubes Video Driver passthrough. My statements holds true if it's one in debug mode or a standard HVM or an HVM Template. It's always showing the window too late, because it doesn't show the window and then start the VM, it starts the VM and THEN opens a window to display the output. Know aay way to work around this? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/eb9c0ed0-4b9a-4787-8d4a-82a13ba9d4bc%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] 4.0 install stuck on 'Installing qubes-template-fedora-26.noarch (947/1018)'
***UPDATE*** I updated BIOS and I can now install Qubes 4.0 in legacy boot, but not under UEFI, the installation still freezes the same way there. However, the reboot issue persist and I still can't boot into the system even with legacy boot. I have followed most of the advice on this page: https://www.qubes-os.org/doc/uefi-troubleshooting/#a1-2 But to no avail. Indeed my xen.cfg is empty but when i try populating and then running efibootmgr I get an error "EFI variables not supported on this system" since I installed in legacy mode. I would really love to upgrade to 4.0. I'd never had any issues installing 3.2 but after almost a week wasted unable to even install and boot, it's getting quite frustrating. I'd love to hear any additional ideas on how to fix this. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6f40b4ef-b2d5-409d-bf63-158b974a204c%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads
Am 07.04.2018 12:35 vorm. schrieb "taii...@gmx.com": On 04/06/2018 05:22 AM, 799 wrote: > It seems to me that if I run Coreboot with grub + encrypted boot, there is > no need to run anti evil maid, as the boot partition can't be messed with. Assuming you set the write-lock on the flash descriptor and have a physical anti-tamper sticker on the case screws. what exactly does it mean "set write-lock on flash descriptor" and where can I do this. Regarding Stickers I think it is very easy to replace those for someone who is willing to sneak silently into my laptop. What kind of stickers do you suggest? [799] -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tOEMd9NborxvQRY9F%2BVGAMeqW35sz6-cMXBJC0nbb4zg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Launching Gimp & Nautilus Qubes
On Friday, April 6, 2018 at 6:35:43 PM UTC-4, cooloutac wrote: > On Friday, April 6, 2018 at 6:35:19 PM UTC-4, cooloutac wrote: > > You might have to install nautilus or another file manager in the debian-9 > > template. > > > > I didn't have files on qubes 3.2 debian8 to debian-9. Can't remember if > > fresh install of 4.0 debian-9 template needs file manager installed too. > > > > To sync new programs installed in template to the appvms desktop menu, > > start the debian-9 template terminal, in it type qvm-sync-appmenus. > > then from qubes manager you can go to appvms qubes settings and add which > programs you want in its menu list. make sure to shut down template after installing nautilus and sync'n menus and resart the appvm -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0bc46f51-95c3-4453-b744-2c52fa73d784%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...
> > I pulled the logs, looked thru them, I didn't see any personal information. > > Seemed OK to past on the forum but sent them to you directly just in > > case...feel free to post any info for the greater good of the community. > > Thank you again for the help... > > > > I pulled the 3 files .crt, .pem and the renamed openvpn-client.ovpn file > > and put them into the VPN folder. > > Just FYI, putting all the configs (instead of selecting them) in /vpn is > easier. Thanks for that...I'll try that! > > Totally willing to try to "avoid > > the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local > > just before the first systemctl command; it will start quicker." Would you > > be open to sharing the commands for this? > > The command is just "sleep 2s". If I am launching a VM from the GUI when would I put "sleep 2s" into the terminal? I am learning but not there yet... > > I am using "openvpn-ip" file from PIA under Advanced OpenVPN SSL > > Restrictive Configuration: > > https://www.privateinternetaccess.com/pages/client-support/ > > I then move each of the 3 individual files mentioned above into the > > /rw/config/vpn folder. > > > > Thanks again for the help... > > Got your log... I think the real culprit shows up here: > > "AUTH: Received control message: AUTH_FAILED" > > This could mean the user/password weren't entered correctly. You can see > how its stored by issuing this command: > > sudo cat /rw/config/vpn/userpassword.txt > > To fix it you can edit that file, or run the --config step again from > the instructions. Thanks for that tip...the password is good. Tested it with another application and it is correct and working. The VPN proxy also had the correct password. What else could this be? What I know: * This worked with 3.2 in Fedora but I experienced the same error with Debian in 3.2 * This worked for a brief moment in 4.0(fedora), had saved the beta file and was using that when it worked. I lost that older github/tasket file, I downloaded the 4.0 file and have not got it working again. * I get the "Ready to start link" but then no connection * This is new infromation but I can connect to my phone wireless but when I try another AP it can't connect. I am not sure this is relevant but in my network connection I get the following messages: Ethernet Network (vif6.0) Device not managedmy connection works Ethernet Network (vif.20) Device not managedmy connection DOES NOT work Tasket my gut tells me I have something else missing, if you can get it to work, I am getting a ready to connect message, I had it working. Would a BIO setting have an impact? When I boot I get this error: ERROR parsing PCC subspaces from PCCT [Failed] Failed to start Load Kernel Modules - Followed by [OK] started Apply Kernel Variable/[OK] Started Setup Virtual Console The struggle I am having is a lack of knowledge about how to trouble shoot this although you have taught me a lot Tasket thank you. Any other thoughts? I don't want to go back to 3.2 but with out a VPN/kill switch I don't see I have a choice. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b0ab23db-a923-4d81-a87c-a00df1055c7d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Launching Gimp & Nautilus Qubes
You might have to install nautilus or another file manager in the debian-9 template. I didn't have files on qubes 3.2 debian8 to debian-9. Can't remember if fresh install of 4.0 debian-9 template needs file manager installed too. To sync new programs installed in template to the appvms desktop menu, start the debian-9 template terminal, in it type qvm-sync-appmenus. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/097d9972-a64c-4bcb-a442-260aaf98de9b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Launching Gimp & Nautilus Qubes
On Friday, April 6, 2018 at 6:35:19 PM UTC-4, cooloutac wrote: > You might have to install nautilus or another file manager in the debian-9 > template. > > I didn't have files on qubes 3.2 debian8 to debian-9. Can't remember if > fresh install of 4.0 debian-9 template needs file manager installed too. > > To sync new programs installed in template to the appvms desktop menu, start > the debian-9 template terminal, in it type qvm-sync-appmenus. then from qubes manager you can go to appvms qubes settings and add which programs you want in its menu list. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8cb8b6dd-446b-47a4-abd0-f575170ac3cc%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads
On 04/06/2018 05:22 AM, 799 wrote: > It seems to me that if I run Coreboot with grub + encrypted boot, there is > no need to run anti evil maid, as the boot partition can't be messed with. Assuming you set the write-lock on the flash descriptor and have a physical anti-tamper sticker on the case screws. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b0e680bd-ac5c-c295-1630-7cbfa0956e78%40gmx.com. For more options, visit https://groups.google.com/d/optout. 0xDF372A17.asc Description: application/pgp-keys
Re: [qubes-users] fedora-26-dvm always shows updates pending, can't delete it.
Realized this only happens when using testing repo. Current repos don't have the pending updates on dvms issue. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/78a5fcc9-04c4-46f0-b3ea-2deebe034a80%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] sys-net no network access after wake from sleep
I have a desktop with intel ethernet. I found out sleep actually works if using uefi bios mode. But when I resume I have to restart sys-net to get networking. Any solution to this problem? Thanks, Rich. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/13d5bc22-3200-4471-a46d-16ed5ce9ba4d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Launching Gimp & Nautilus Qubes
Hi, I read somewhere that you should install apps to the template vm. I installed the programs in a created debian vm instead of the template one. I tried the command qvm-sync-apps in dom0, but now the command says that it isn't recognized. How do I synchronize the apps in settings? I think I missed that while in settings. I'm using my email to respond, I hope this doesn't create a new thread altogether. Thank you! It's much appreciated. =) -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/DB6PR0101MB23592BD920BFDA2676DF086DE8BA0%40DB6PR0101MB2359.eurprd01.prod.exchangelabs.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads
Hello, On 6 April 2018 at 15:05, Holger Levsenwrote: > > On Fri, Apr 06, 2018 at 09:22:52AM +, 799 wrote: > > As mentioned I have also drafted a how-to to setup Coreboot on a X230, > > including building the pi, flashrom and extracting Blobs. > > out of curiosity: does resume work reliably for you? For me it didnt > with coreboot (and the free VGA bios) but it does with legacy bios... > as described in the howto I have extracted the vga.rom from my own BIOS-files. I can use resume and the laptop reconnects its network adapters as soon as it wakes up. So far no issues at all. I've run into one problem when I tried to start my AppVMs after flashing coreboot. Problem: Some VMs where unable to boot (sys-net and also some other AppVMs), Error message: Get the message PCI device does not exist Solution: Following the suggestions mentioned here and removing some devices which doesn't make sense. https://github.com/QubesOS/qubes-issues/issues/3619 qvm-pci ls qvm-pci detach I had to open Qubes Settings for the sys-net VM to assign the Wifi Network controller back to the VM. It got lost after flasing coreboot. > The coreboot config I have used is here: > > https://github.com/Qubes-Community/Contents/blob/ > master/docs/coreboot/x230-configfile > > thanks, depending on your answer to the above question I probably > compare yours with mine ;) > Can you share your config file? I am sure that there is room for improvement in my config. > > I wrote the how-to as I need to look at several places to get everything > > together for example how to extract Blobs, how to merge two bios files > into > > one etc. > > It seems to me that if I run Coreboot with grub + encrypted boot, there > is > > no need to run anti evil maid, as the boot partition can't be messed > with. > > Is this correct? > > mostly. The boot partition cannot be messed up but the components of > your computer can be changed (eg a keyboard controller recording your > keystrokes) and anti-evil-maid is designed to also detect those attacks. > However these attacks are also much more sophisticated and require more > time and are harder to do that just replacing a kernel image on an > unencrypted boot partition. > Ok, I have not yet understand all the pieces of anti evil maid and of course you are right that replacing my keyboard with a keyboard which has a keylogger installed will make my system reasonable unsecure. On the other hand, I don't think that I am a high profile target and if this would change, I guess there are much easier ways to get the data/information. https://en.wikipedia.org/wiki/Enhanced_interrogation_techniques ... :-o [799] -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vRVHWS5XJpzzG7g%2BWbP%2BGjq9DsWDBYYme3hHGN%3DeQLKA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: Reinstallation Failure
Am Freitag, 10. November 2017 20:14:51 UTC+1 schrieb Ray Joseph: > The reinstallation of v4.0 rC2 fails with: > [ 0.00] Firmware bug: TSC_DEADLINE disabled due to Errata: Please > update microcode to version: 0x25 (or later) > [ 10.347567] dracut-pre-udev[460]: rpc.idmapd: conf-reinit: open(“(null))”, > 0_RDONLY) failed. > [ 10.347896] dracut-pre-udev[460]: rpc.idmapd: conf-reinit: open(“(null))”, > 0_RDONLY) failed. > > The above progresses to a graphic display with a large Q in the middle near > the bottom of the screen. A progress bar below that shows installation has > started but it never progresses. I turn it off after 30 mins. > > v4.0 RC2 was running on this Toshiba laptop. I wanted to update the BIOS. I > could not find a way to do that with the OS. So I put Windows 10 on it, rant > the BIOS update, booted to Windows 10 a couple times then tried to install > Qubes. > > Searching the web, I found sub=phrases of the above but could not find any > specifics and the higher level dracut problems seem to have been resolves in > previous version. > > Please suggest how I might trouble shoot this. > > Ray Hi Ray, It seems that i got same issue with Qubes 4.0 final, Lenovo X1 Carbon I5 vPro 8GB RAM. After this messages appear, the Screen with the "Q" shows up loading bar filled about 1/5 full and stucked there. Hope this Problem got some attention, and anyone got a solution or reason why this is happening. Maybe you have already solved it and will let me know how? If not, sorry that i dont have a solution know, but i will work on get this done. Cheers, Jonny -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8117a309-4aa4-4db3-a839-301e450f5dc0%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...
On 04/06/2018 12:38 PM, vel...@tutamail.com wrote: I pulled the logs, looked thru them, I didn't see any personal information. Seemed OK to past on the forum but sent them to you directly just in case...feel free to post any info for the greater good of the community. Thank you again for the help... I pulled the 3 files .crt, .pem and the renamed openvpn-client.ovpn file and put them into the VPN folder. Just FYI, putting all the configs (instead of selecting them) in /vpn is easier. Totally willing to try to "avoid the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local just before the first systemctl command; it will start quicker." Would you be open to sharing the commands for this? The command is just "sleep 2s". I am using "openvpn-ip" file from PIA under Advanced OpenVPN SSL Restrictive Configuration: https://www.privateinternetaccess.com/pages/client-support/ I then move each of the 3 individual files mentioned above into the /rw/config/vpn folder. Thanks again for the help... Got your log... I think the real culprit shows up here: "AUTH: Received control message: AUTH_FAILED" This could mean the user/password weren't entered correctly. You can see how its stored by issuing this command: sudo cat /rw/config/vpn/userpassword.txt To fix it you can edit that file, or run the --config step again from the instructions. -- Chris Laprise, tas...@posteo.net https://github.com/tasket https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/b796e7b8-66ac-7272-d3f5-720e89f8bec4%40posteo.net. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...
I pulled the logs, looked thru them, I didn't see any personal information. Seemed OK to past on the forum but sent them to you directly just in case...feel free to post any info for the greater good of the community. Thank you again for the help... I pulled the 3 files .crt, .pem and the renamed openvpn-client.ovpn file and put them into the VPN folder. Totally willing to try to "avoid the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local just before the first systemctl command; it will start quicker." Would you be open to sharing the commands for this? I am using "openvpn-ip" file from PIA under Advanced OpenVPN SSL Restrictive Configuration: https://www.privateinternetaccess.com/pages/client-support/ I then move each of the 3 individual files mentioned above into the /rw/config/vpn folder. Thanks again for the help... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0416e045-f71f-4cf7-a99e-d64c8270b925%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...
On 04/06/2018 09:08 AM, vel...@tutamail.com wrote: Thanks Chris...again thank you for the effort! This tool is great... Does it matter that Private internet access provides 3 seperate files (key, cert and client config)? Yes it matters. You should put all of them in the /rw/config/vpn folder or the config won't work. I have the proxy AppVM set up with "provides network"(proxy) checked, I have tried a setup in proxy only and a setup in Template/Proxy, PVH(tried PV...similar to 3.2)...I don't think it is the setup as much as the configuration of the template? No need to mess with virt type... default PVH is fine. I installed GNOME and Openvpn (Using those names specifically) in Debian, no additional packages installed in stock fedora... I feel like I am missing a very basic command or tweak, whonix works, wireless works, sys-firewall works...any help would be appreciated. It seems something releated to PIA VPN configuration or VPN-handler-openvpn I'm using Debian 9 also and just did a test with PIA. On my system the service fails initially then restarts 10sec later because the firewall rules take time to set up. It works fine this way. If you want to avoid the initial failure and restart, add a 2sec delay "sleep 2s" in rc.local just before the first systemctl command; it will start quicker. Here are my logs/commands from your suggestions: root@sys-VPNb5:/home/user# ls -l /rw/config/qubes-firewall.d total 0 lrwxrwxrwx 1 root root 38 Apr 5 13:16 90_tunnel-restrict -> /usr/lib/qubes/proxy-firewall-restrict root@sys-VPNb5:/home/user# iptables -v -L FORWARD The iptables and qubes-firewall.d look correct. But the logs you added look garbled. Can you capture the following and attach it to a reply in tar format..? sudo journalctl -u qubes-vpn-handler >qvpn.log tar -czf qvpnlog.tgz qvpn.log qvm-copy qvpnlog.tgz -- Chris Laprise, tas...@posteo.net https://github.com/tasket https://twitter.com/ttaskett PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/40ff2572-ed6c-e076-41e6-fa3209b83c63%40posteo.net. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] User issues with Qubes 4.0
On Thu, April 5, 2018 3:45 pm, frkla1...@gmail.com wrote: > The biggest problem which I have at the moment are graphical issues. When > I watch a video and I move with the cursor the video jerkys. If it is a > fast Video (for example a car video) it jerkys also whitout moving the > cursor. I didn't have this problem at os 3.2 - even when I was playing > videos simultaneously. This? https://github.com/QubesOS/qubes-issues/issues/3622 You could maybe try a Debian template instead. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f6268910b9952f9dcf2e8e0fde71cee9.squirrel%40tt3j2x4k5ycaa5zt.onion. For more options, visit https://groups.google.com/d/optout.
[qubes-users] [Qubes 4.0] Updating migrated templates from 3.2
Hello, I'm trying to get a fedora-25 template from Qubes 3.2 updated to Fedora 26 on Qubes 4.0. This template has a variety of packages already installed and I thought it would be easier to bring this forward to Fedora 26 rather than trying to reinstall everything on the default fedora-26 template. It appears that the template update process is very different in Qubes 4.0, with networking changes and a number of repo updates. Is there any documentation on how to get this to work, such as what files need to be updated and what configuration settings tweaked? Thanks, - Paul M -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/76096806-02a9-473a-ab2e-efacfefb33dc%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] [Qubes 4.0] Updating debian-9 template fails
Hello, I recently migrated from Qubes 3.2 to 4.0 and it appears that the networking for all the template VMs is shut off by default. To update the default debian-9 template, I turned networking on and attached it to sys-firewall. But when I run the template, it appears that I can't connect out to sys-net or to the outside world (any ping fails). Is this a configuration bug? (In the meantime, how do I change the firewall to break through?) Thanks, - Paul M -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/57659711-8e41-40f0-bd81-0147c359e188%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] [Qubes 4.0] UpdateVM in global settings does nothing
Hello, I'm having a variety of problems trying to get my templates to update. One of these is that all my templates seem to want to update through sys-whonix. I run on a lower memory laptop and while I have sys-whonix installed, I don't want to run it every time I want to run updates. The Qubes Global Settings window allows me to set an UpdateVM. I have set this to sys-firewall and restarted the laptop. But when I go to update the template again (a clone of the default fedora-26 template) it still tries to download packages through sys-whonix. What gives? How can I make this stop? Thanks, - Paul M -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/0d108ec6-4956-4ece-9e76-a61f0b95f0e5%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Becoming a Qubes Evangelist :: but ... how to Screencast?
On Fri, April 6, 2018 12:39 pm, 799 wrote: > I would like to make a webcast and show Qubes including AppVMs and > Template-Management, is there any way to make this possible? > As I would use a dedicated machine for this I can love with an unsecure > solution as the laptop will be fresh installed before and afterwards. There was this discussion a bit ago: https://www.mail-archive.com/qubes-users@googlegroups.com/msg18889.html Might be easiest to go "low tech" on your example though, using a stably mounted video cam for streaming. If your hardware platform has some type of IP-KVM capability, could use that too. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/55f86fd9b23b909d0ebe7cfcfc127465.squirrel%40tt3j2x4k5ycaa5zt.onion. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Error: Failed to synchronize cache for repo 'qubes-vm-r4.0-current' with Fedora and 4.0?
Worked like a charm! Thanks... -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/af024728-42aa-45c0-843a-46a4aa62402e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes 4.0 and Private Internet Access? Tasket VPN solution...
Thanks Chris...again thank you for the effort! This tool is great... Does it matter that Private internet access provides 3 seperate files (key, cert and client config)? I have the proxy AppVM set up with "provides network"(proxy) checked, I have tried a setup in proxy only and a setup in Template/Proxy, PVH(tried PV...similar to 3.2)...I don't think it is the setup as much as the configuration of the template? I installed GNOME and Openvpn (Using those names specifically) in Debian, no additional packages installed in stock fedora... I feel like I am missing a very basic command or tweak, whonix works, wireless works, sys-firewall works...any help would be appreciated. It seems something releated to PIA VPN configuration or VPN-handler-openvpn Here are my logs/commands from your suggestions: root@sys-VPNb5:/home/user# ls -l /rw/config/qubes-firewall.d total 0 lrwxrwxrwx 1 root root 38 Apr 5 13:16 90_tunnel-restrict -> /usr/lib/qubes/proxy-firewall-restrict root@sys-VPNb5:/home/user# iptables -v -L FORWARD Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DROP all -- eth0 any anywhere anywhere 0 0 DROP all -- anyeth0anywhere anywhere 0 0 ACCEPT all -- anyany anywhere anywhere ctstate RELATED,ESTABLISHED 0 0 QBS-FORWARD all -- anyany anywhere anywhere 0 0 DROP all -- vif+ vif+anywhere anywhere 0 0 ACCEPT all -- vif+ any anywhere anywhere 0 0 DROP all -- anyany anywhere anywhere I copied errors when I run journalctl: Apr 06 02:09:52 sys-VPNb5 gnome-terminal-[966]: unable to open file '/etc/dconf/db/local': Failed to open file '/etc/dconf/db/local': open() failed: No such file or directory; expect degra Apr 06 02:09:50 sys-VPNb5 systemd[664]: pam_unix(systemd-user:session): session opened for user user by (uid=0) Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Control process exited, code=exited status=1 Apr 06 02:09:50 sys-VPNb5 systemd[1]: Failed to start VPN Client for Qubes proxyVM. Apr 06 02:09:46 localhost systemd[1]: Started Adjust root filesystem size. Apr 06 02:09:46 localhost kernel: Error: Driver 'pcspkr' is already registered, aborting... Apr 06 02:09:46 localhost mount-dirs.sh[351]: Private device management: fsck.ext4 of /dev/xvdb succeeded Apr 06 02:09:45 localhost kernel: xvdc: xvdc1 Apr 06 02:09:45 localhost kernel: EXT4-fs (xvda3): couldn't mount as ext3 due to feature incompatibilities Apr 06 02:09:45 localhost kernel: EXT4-fs (xvda3): couldn't mount as ext2 due to feature incompatibilities Apr 06 02:09:45 localhost kernel: EXT4-fs (xvda3): mounted filesystem with ordered data mode. Opts: (null) Apr 06 02:09:45 localhost kernel: EXT4-fs (xvdd): mounting ext3 file system using the ext4 subsystem Apr 06 02:09:45 localhost kernel: dmi-sysfs: dmi entry is absent. Apr 06 02:09:50 sys-VPNb5 systemd[1]: Started Serial Getty on hvc0. Apr 06 02:09:50 sys-VPNb5 systemd[1]: Reached target Login Prompts. Apr 06 02:09:50 sys-VPNb5 systemd[664]: pam_unix(systemd-user:session): session opened for user user by (uid=0) Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Control process exited, code=exited status=1 Apr 06 02:09:50 sys-VPNb5 systemd[1]: Failed to start VPN Client for Qubes proxyVM. Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Unit entered failed state. Apr 06 02:09:50 sys-VPNb5 systemd[1]: qubes-vpn-handler.service: Failed with result 'exit-code'. Apr 06 02:09:50 sys-VPNb5 systemd[664]: Listening on GnuPG network certificate management daemon. Apr 06 02:09:50 sys-VPNb5 systemd[664]: Listening on GnuPG cryptographic agent (ssh-agent emulation). -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/dcabc134-6488-46c4-a359-bca31e0d365e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads
hi, On Fri, Apr 06, 2018 at 09:22:52AM +, 799 wrote: > As mentioned I have also drafted a how-to to setup Coreboot on a X230, > including building the pi, flashrom and extracting Blobs. out of curiosity: does resume work reliably for you? For me it didnt with coreboot (and the free VGA bios) but it does with legacy bios... (and btw, with legacy bios resume is quite very reliable again, just sometimes/often the wireless doesnt work after resume; though now I found out a workaround: just suspend+resume until it comes back with working wireless... ;) > The coreboot config I have used is here: > https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230-configfile thanks, depending on your answer to the above question I probably compare yours with mine ;) > I wrote the how-to as I need to look at several places to get everything > together for example how to extract Blobs, how to merge two bios files into > one etc. > It seems to me that if I run Coreboot with grub + encrypted boot, there is > no need to run anti evil maid, as the boot partition can't be messed with. > > Is this correct? mostly. The boot partition cannot be messed up but the components of your computer can be changed (eg a keyboard controller recording your keystrokes) and anti-evil-maid is designed to also detect those attacks. However these attacks are also much more sophisticated and require more time and are harder to do that just replacing a kernel image on an unencrypted boot partition. -- cheers, Holger -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20180406130502.dwuq4gqwkaxfivv3%40layer-acht.org. For more options, visit https://groups.google.com/d/optout. signature.asc Description: PGP signature
[qubes-users] Becoming a Qubes Evangelist :: but ... how to Screencast?
Hello, I'd like to demo one of my Qubes Instances to some other non-qubes-users as they got attractsd talking me about Qubes here and there. I have now a problem which is basically a result of Qubes being "reasonable secure": I would like to make a webcast and show Qubes including AppVMs and Template-Management, is there any way to make this possible? As I would use a dedicated machine for this I can love with an unsecure solution as the laptop will be fresh installed before and afterwards. [799] -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAJ3yz2tzJep9k%3DOYWhH2vq-zF3tT3JurxO8odbHTXPQ5f6eDJA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
[qubes-users] [4.0] qvm-create --class StandaloneVM throws exception in qubesd
I've been using Qubes 4.0 for a week, everything working pretty much out of the box. Yesterday however, I encountered a problem when trying to create a fedora-26 template-based StandaloneVM. This happened after I messed up with dnf in a previous StandaloneVM erasing lots of important dependencies and qubes-related packages rendering the VM unusable. I ended up deleting that StandaloneVM and since then I can't create any StandaloneVMs anymore. If I create it via Qube Manager, a StandaloneVM is created, but it's completely empty, it doesn't have any TemplateVM associated with it. If I create it with qvm-create, I obtain the following output: $ qvm-create vmname --class StandaloneVM --template fedora-26 --label orange app: Error creating VM: Got empty response from qubesd. See journalctl in dom0 for details. journalctl output: Apr 06 00:46:37 dom0 qubesd[13232]: unhandled exception while calling src=b'dom0' meth=b'admin.vm.Create.StandaloneVM' dest=b'dom0' arg=b'fedora-2$ Apr 06 00:46:37 dom0 qubesd[13232]: Traceback (most recent call last): Apr 06 00:46:37 dom0 qubesd[13232]: File "/usr/lib/python3.5/site-packages/qubes/api/__init__.py", line 262, in respond Apr 06 00:46:37 dom0 qubesd[13232]: untrusted_payload=untrusted_payload) Apr 06 00:46:37 dom0 qubesd[13232]: File "/usr/lib64/python3.5/asyncio/futures.py", line 381, in __iter__ Apr 06 00:46:37 dom0 qubesd[13232]: yield self # This tells Task to wait for completion. Apr 06 00:46:37 dom0 qubesd[13232]: File "/usr/lib64/python3.5/asyncio/tasks.py", line 310, in _wakeup Apr 06 00:46:37 dom0 qubesd[13232]: future.result() Apr 06 00:46:37 dom0 qubesd[13232]: File "/usr/lib64/python3.5/asyncio/futures.py", line 294, in result Apr 06 00:46:37 dom0 qubesd[13232]: raise self._exception Apr 06 00:46:37 dom0 qubesd[13232]: File "/usr/lib64/python3.5/asyncio/tasks.py", line 240, in _step Apr 06 00:46:37 dom0 qubesd[13232]: result = coro.send(None) Apr 06 00:46:37 dom0 qubesd[13232]: File "/usr/lib64/python3.5/asyncio/coroutines.py", line 213, in coro Apr 06 00:46:37 dom0 qubesd[13232]: res = yield from res Apr 06 00:46:37 dom0 qubesd[13232]: File "/usr/lib/python3.5/site-packages/qubes/api/admin.py", line 960, in _vm_create Apr 06 00:46:37 dom0 qubesd[13232]: assert not self.arg Apr 06 00:46:37 dom0 qubesd[13232]: AssertionError I tried then to clone fedora-26 TemplateVM and I obtain the same result, an empty, unusable VM. I can create template-based AppVMs, but not clone them, create new TemplateVMs or StandaloneVMs. I can clone a Win7 VM with QWT that works beautifully, but not template-based ones. I'm afraid I messed up with Qubes configuration or template handling, but I can't see how deleting a corrupt StandaloneVM is related to this problem. Any workaround would be much appreciated. I see a similar bug is reported in Issue 3341: https://github.com/QubesOS/qubes-issues/issues/3341 Thanks in advance. I was eagerly waiting for R4.0 and it works flawlessly in my daily driver, outstanding development work, I'm loving the experience. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/490b89d8-2523-469e-9b5a-8e8700b14103%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads
On 2018-04-06 09:22, 799 wrote: As mentioned I have also drafted a how-to to setup Coreboot on a X230, including building the pi, flashrom and extracting Blobs. My how-to is located in the Qubes Community docs. While I need to fill in some small gaps how to put the hardware parts together, all the other stuff is covered including extracting Blobs and vga.rom. The how-to is located here: https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230.md The coreboot config I have used is here: https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230-configfile Good guide, thank you. I'm looking forward in better understanding Heads (http://osresearch.net/) and maybe adding some notes on it. Currently i do not have a Github account set up, so i will not be able to make a pull request adding my guide. If anyone can do it would be much appreciated, otherwise i'll probably do it given some time. I am interested in getting the best out of both worlds (Coreboot + Qubes). It seems that your approach (using GRUB) offers some benefits vs. using SeaBIOS as the boot partition can so be encrypted. Are there issues going this way? For example breaking the future upgrade ability ? It seems to me that if I run Coreboot with grub + encrypted boot, there is no need to run anti evil maid, as the boot partition can't be messed with. Is this correct? Currently i have hardcoded the kernel version in the grub config inside the ROM. This is an ugly temporary solution as obviously even if i upgrade i'll continue to boot the old kernel by default. My idea is to modify the update script to always add/update a symlink to the newest kernel and use that naming in Grub but i have yet to look into it. As for the AEM, i guess that if you are satisfied with your Grub config you could set the lock bits in coreboot and flash the rom as read only. Also preventing the boot of external device should be a good idea. However as far as I can understand, while this is better than the standard it doesn't really provide a valid chain of trust. There are still additional measures that can be taken like signing your kernel and using the TPM, see https://trmm.net/Heads for more deatils. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/66f21da272ab23d0dd5373e3969c7463%40anche.no. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads
On 2018-04-05 19:38, 799 wrote: Nice how-to, I'm currently writing something similar for my X230. Would you mind adding your howto to the Qubes Community doc repository, which we've established to work on howtos and docs until they're easy to be migrated to the official Qubes Docs. If you agree, I can also add your notes there, mentioning you as the original author. Hello, no problem as I said it is copyleft. Where's the Qubes Community repository? I'd like to use grub as payload but without using encrypted boot as I am afraid to damage my production Qubes environment and loosing time fixing it. What do I need to do, if I would like to just use Grub and leave my boot untouched? As far as I understand the benefit of having Grub as payload is to be able to encrypt /boot. Does this mean than include that it makes no sense to run Grub instead of SeaBIOS without having boot encrypted? [799] The advantage of using SeaBIOS is that it should be able to launch the Grub on the original /boot partition which means that Grub config will be updated with system updates and that boot options can be changed without the need to re-flash. Also probably SeaBIOS do have more low level configuration options similar to a vendor BIOS. Honestly the process of encrypting /boot went far smoother than I expected, it actually worked on the first try (even though I did a full dd backup copy of the whole disk before and kept also a Grub entry to boot the old way). All included it took less than a day for the transition. The other benefit apart from encrypting /boot is a faster boot process i'd say and maybe a little more security: don't know if it's possible for SeaBIOS (probably yes) but i configured Grub to ask for a user and password for every non standard option in the menu (ex: modifying an entry or using the command line), this way it should be very difficult to boot an external media. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/92530580be3e308d0477f777c4895b03%40anche.no. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Guide on installing Qubes and Coreboot with encrypted boot on thinkpads
Hello Giulio, Gschrieb am Di., 27. März 2018, 21:35: > On 2018-03-27 18:10, G wrote: > > Hello, > > since it took a while for me to sum up all piece and a lot of trial > > and error to get the whole setup working i took some notes to help > > other who want to try something similar. > > Please note that everything written there is public domain (so > > copy-edit-whatever). > > > > https://git.lsd.cat/g/thinkad-coreboot-qubes As mentioned I have also drafted a how-to to setup Coreboot on a X230, including building the pi, flashrom and extracting Blobs. My how-to is located in the Qubes Community docs. While I need to fill in some small gaps how to put the hardware parts together, all the other stuff is covered including extracting Blobs and vga.rom. The how-to is located here: https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230.md The coreboot config I have used is here: https://github.com/Qubes-Community/Contents/blob/master/docs/coreboot/x230-configfile I wrote the how-to as I need to look at several places to get everything together for example how to extract Blobs, how to merge two bios files into one etc. Having everything in one place is nice for a newbie if he owns exactly the same modell/x230. I am interested in getting the best out of both worlds (Coreboot + Qubes). It seems that your approach (using GRUB) offers some benefits vs. using SeaBIOS as the boot partition can so be encrypted. Are there issues going this way? For example breaking the future upgrade ability ? It seems to me that if I run Coreboot with grub + encrypted boot, there is no need to run anti evil maid, as the boot partition can't be messed with. Is this correct? [799] [799] -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAJ3yz2vT%3DcA%2Bm-xHEVXe7iNa7DS%3DAC80a%3DFqmaZ5c%2Bp67ofPGQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] suggestion for quakity assurance of documentation
hey, On 04/04/2018 11:46 AM, kai.fr...@gmail.com wrote: > greetings! > > while taking first steps with new qubes 4.0, i find that some of the great > documentation articles in qubes-os.org > are no more 100% accurate for qubes 4.0 (see my previous post on usage of > kernel 4.16 for an example). this is quite expectable, given that both the > api as well as the technical implementation details of qubes changed a bit > between 3.2 and 4.0. however, this coukd make it difficult for the average > (or below average) user like me to decide wether the information found us > accurate for 4.0 and therfor can safely applied to 4.0. > > so my suggestion is to add a creation/last updated date to the pages and/or > to add an information, to which versions of qubes the article applies, e.g. > created for version 3.2, updated/reviewed for usage with 4.0. the problem is that things like a trivial typo fix would automatically update the 'last updated' tag and make people think that the doc is up to date for the last qubes release. alternatively, the 'last updated' tag could be updated manually when there are significant changes, but it's error-prone. the consensus seems to be to fix the current documentation with "R3.2", "R4.0" tags where appropriate. One of the problems is that the core devs had too much on their plate with the recent 4.0 release so the documentation is a bit lagging. here are some related issues: https://github.com/QubesOS/qubes-issues/issues/3495 https://github.com/QubesOS/qubes-issues/issues/3629 btw if you don't have time to contribute/fix the documentation, listing the problems you saw in the docs would be helpful (either post them here or send me an email). ivan > > any other/better solution would be also welcome, of course... > > thank you and all the best > Kai > http://kai.froeb.net > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/235ea78a-65f1-e976-c4ce-d9d5a0a32935%40maa.bz. For more options, visit https://groups.google.com/d/optout.