Re: [qubes-users] Shredding VM images
On Mon, Aug 20, 2018 at 6:06 PM, Steve Coleman wrote:
> On 08/20/18 12:49, Chris Laprise wrote:
>> On 08/20/2018 11:34 AM, tierl...@gmail.com wrote:
>>> What's the most convenient way to wipe these images? (I'm just talking
>>> about individual VM images)
>>
>> To clarify on your first question: Since encryption is protecting the
>> storage pool that contains the disk images and it's on an SSD, the only sure
>> way to 'wipe' them in general (not just in the other-VMs-can't see the data
>> sense) is to throw away the encryption passphrase. This makes the entire
>> pool unusable, but if this seems like a problem you can configure more than
>> one storage pool each with its own encryption key+passphrase and store VMs
>> inside them.
>
> With an Opal 2.0 SSD you could create a "locking range" for the volatile
> portion of the VM file system, using sedutil-cli then when destroying the VM
> you simply run it with the '--eraseLockingRange' command which essentially
> flips the key bits associated with that region of the SSD. The logic built
> into the drive will ensure the erase of the physical memory mapped into that
> SSD's defined locking range[n].
>
> sedutil-cli
>
> --setupLockingRange <0...n>
> --enableLockingRange <0...n>
>
> --disableLockingRange <0...n>
> --eraseLockingRange <0...n>

...as implemented by a black box of untrustworthy firmware. Don't be surprised when this is found to not work as hoped. I wouldn't recommend relying on it for anything important.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CABQWM_BwbkAD__s_-qagjYmJCtVDL6btaJubh0cNQXRNUOtgSA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
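Added example, not part of the thread: the separate-pool approach from Chris Laprise's quoted reply above, written as a dom0 shell script that gives one Qubes storage pool its own LUKS key and later destroys that key. The pool, volume-group and thin-pool names and the `RUN` dry-run switch are assumptions made here; `cryptsetup luksErase` is used to destroy the keyslots, which goes beyond simply discarding the passphrase.

```sh
#!/bin/sh
# Added example: one LUKS container per Qubes storage pool, so that a pool
# can be made unreadable by destroying its own key material only.
# Assumed names: VG "vg_<pool>", thin pool "pool0", mapping "luks-<pool>".
set -eu

# Dry run by default: each command is printed instead of executed.
# Run with RUN= (empty) as root in dom0 to execute for real.
RUN=${RUN-echo}

create_pool() {  # create_pool <block-device> <pool-name>
    dev=$1; name=$2; map="luks-$name"; vg="vg_$name"
    $RUN cryptsetup luksFormat "$dev"            # fresh volume key + passphrase for this pool only
    $RUN cryptsetup open "$dev" "$map"
    $RUN pvcreate "/dev/mapper/$map"
    $RUN vgcreate "$vg" "/dev/mapper/$map"
    $RUN lvcreate -T -n pool0 -l 100%FREE "$vg"  # thin pool that holds the VM volumes
    $RUN qvm-pool --add "$name" lvm_thin -o "volume_group=$vg,thin_pool=pool0"
    # VMs are then placed in it with: qvm-create -P <pool-name> ...
}

destroy_pool() {  # destroy_pool <block-device> <pool-name>
    dev=$1; name=$2; map="luks-$name"; vg="vg_$name"
    $RUN qvm-pool --remove "$name"               # remove the pool's VMs first
    $RUN vgchange -an "$vg"                      # release the mapping
    $RUN cryptsetup close "$map"
    $RUN cryptsetup luksErase --batch-mode "$dev"  # wipe every keyslot in the LUKS header
}

case "${1:-}" in
    create)  create_pool  "$2" "$3" ;;
    destroy) destroy_pool "$2" "$3" ;;
esac
```

On an SSD the overwritten keyslot sectors can survive in flash, so the passphrase itself still has to be discarded, as the reply says.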
Re: [qubes-users] Possible to downgrade to KDE4 in dom0?
On 08/21/2018 04:52 PM, 'Zeko' via qubes-users wrote:
> Hello
>
> I've been using Qubes R4.0 for several months now and I'm getting tired of Xfce, but KDE 5 is just unworkable on my nvidia GPU (yeah yeah I know nvidia and Linux...). Is it possible to downgrade or install KDE4 in dom0 somehow?
>
> Ty
> Zeko

You'd be better off switching to integrated graphics; much much simpler.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
[qubes-users] Re: Qubes 4.0 sluggish feel
On 08/10/2018 12:54 PM, brendan.hoar-re5jqeeqqe8avxtiumw...@public.gmane.org wrote:
> On Friday, August 10, 2018 at 12:49:05 AM UTC-4, Outback Dingo wrote:
>> On Fri, Aug 10, 2018 at 6:18 AM John S.Recdep wrote:
>>> I blame intel speedstep for everything in your local uefi , and dingos :)
>>
>> great but how do we resolve it... it makes Qubes itself really unusable
>
> Maybe try this?
> In dom0:
> sudo xenpm set-scaling-governor performance
>
> Brendan

seems it wants a , what would that be?
[qubes-users] Many [kdmflush] on dom0
Hi,

I just did 'top' and noticed a pretty high number of processes running at dom0. After trying to determine the cause of this I discovered that I have:

# ps aux | grep kdmflush | wc
# 157

More than 150 [kdmflush] threads, some there since two days ago.

From https://askubuntu.com/questions/986211/what-is-kdmflush

"kdmflush is used by Device Mapper to process deferred work that it has queued up from other contexts where doing immediately so would be problematic."

So having threads from some days ago seems pretty dangerous.

This is probably not the fault of Qubes[1], but maybe somebody has some info about it.

Regards.

[1] https://access.redhat.com/solutions/2544921
[qubes-users] Possible to downgrade to KDE4 in dom0?
Hello

I've been using Qubes R4.0 for several months now and I'm getting tired of Xfce, but KDE 5 is just unworkable on my nvidia GPU (yeah yeah I know nvidia and Linux...). Is it possible to downgrade or install KDE4 in dom0 somehow?

Ty
Zeko
Re: [qubes-users] Fresh r4 install qrexec daemon fails to start. Any suggestion?
Thanks, you're right. I remembered I had the same problem when I installed 3.2. Disabled wifi adapter in sys-net and it worked. Same this time. Probably because I haven't got a wifi card - it's a desktop and I only use an ethernet cable.
Re: [qubes-users] offtopic - how do I reply w/o google account
Just reply to the message with a standard e-mail client. It will keep the SMTP headers required to identify the thread you are replying to, so Google Groups can display it nicely as if it was a forum.

If your client is smart, it can detect it is a mailing list and force you to only reply to the list e-mail address (i.e. removing the original sender from the destinations); otherwise, to avoid having the original sender receiving your answer two times, manually remove anything but "qubes-users@googlegroups.com".

For example, when Thunderbird detects you are dealing with a mailing list, an additional "Reply to List" option pops up in the "Reply" menu, and just replies to the list address.

--
Alex

On 08/21/2018 09:12 PM, lite...@gmail.com wrote:
> I have been reading the qubes docs and I now understand how to create a new
> topic in qubes-users with any email address: https://www.qubes-os.org/support
>
> How I can post a reply to a topic without a google account?
[qubes-users] offtopic - how do I reply w/o google account
I have been reading the qubes docs and I now understand how to create a new topic in qubes-users with any email address: https://www.qubes-os.org/support

How can I post a reply to a topic without a google account?
[qubes-users] Re: Experimenting with Wireguard VPN @Mullvad.net
Wireguard works in fedora-28 without kernel mods
Re: [qubes-users] Fresh r4 install qrexec daemon fails to start. Any suggestion?
On Tue, August 21, 2018 1:20 pm, code9n wrote:
> Hi,
>
> I made r4 installation USBs many times to install r4 over the last couple
> of days - first fedora media writer in Q3.2, then from Windows with rufus
> with several different USB sticks and several different downloads. The
> downloads always completed properly, likewise writing onto the USBs.

Doesn't sound like an issue with your media.

> But every time I install r4 all goes well until after the reboot part of
> the install when the 'Qubes Install' window comes up. After this runs ok
> for a while, dealing with fedora 26, debian 9 and whonix templates - it
> gets as far as (something like) 'setting up network' when I get an error
> box with,
>
> [/usr/bin/qvm-start', 'sys-firewall'] failed: stdout:""
> stderr: "Cannot connect to qrexec agent for 60 seconds, see
> /varlog/xen/console/guest-sys-net.log for details

Probably one of your NICs isn't working. Try temporarily disabling your wifi adapter in UEFI config. If the install works without error, re-enable it, go to sys-net's settings Device tab, and add the wifi adapter back in.
[qubes-users] Fresh r4 install qrexec daemon fails to start. Any suggestion?
Hi,

I made r4 installation USBs many times to install r4 over the last couple of days - first fedora media writer in Q3.2, then from Windows with rufus with several different USB sticks and several different downloads. The downloads always completed properly, likewise writing onto the USBs.

But every time I install r4 all goes well until after the reboot part of the install when the 'Qubes Install' window comes up. After this runs ok for a while, dealing with fedora 26, debian 9 and whonix templates - it gets as far as (something like) 'setting up network' when I get an error box with,

[/usr/bin/qvm-start', 'sys-firewall'] failed: stdout:""
stderr: "Cannot connect to qrexec agent for 60 seconds, see /varlog/xen/console/guest-sys-net.log for details

Then when I move on and Qubes opens the qrexec daemon won't run when called. eg. Following installation guide, when I get to:

sudo qubes-dom0-update

It tries to open sys-firewall and I get pretty much the same error message:

ERROR: Cannot connect to qrexec agent for 60 seconds, see /var/log/xen/console/guest-sys-net.log for details

(Waiting 60 seconds does nothing more.)

Has anyone dealt with this or have any suggestions?

Thanks.
Re: [qubes-users] Dracut and a detached LUKS header
On Tue, Aug 21, 2018 at 02:23:56AM -0700, tierl...@gmail.com wrote:
> Is this possible? Can dracut be configured to decrypt a LUKS volume with a
> detached header?

I think that dracut generally wants to have a UUID, and with a detached header you won't have one. You could use the serial number. You'll also need to add a udev attribute for crypto_LUKS, I think.

I recall reading someone who did have dracut working in this setup, but it needed some changes to the crypt module.

You could always specify the header file and key file in the kernel command line using cryptdevice and cryptkey options.
[qubes-users] Dracut and a detached LUKS header
Is this possible? Can dracut be configured to decrypt a LUKS volume with a detached header?
Re: [qubes-users] New Foreshadow exploits CPU bug
On 08/21/2018 11:39 AM, taii...@gmx.com wrote:
> SGX is another ME service slash intel marketing gimmick invented for DRM
> not security.
>
> If the person who purchased the computer can't examine the VM's running
> on it then they are not owning it simply licensing it which is why SGX
> is a bad technology and people shouldn't buy x86.

Consider you want to deploy your things in the cloud, eg. because it's less expensive. Then I guess you would actually like to not have to trust the cloud provider :)

You still have to trust Intel for actually doing what they promise, but you have to trust the processor manufacturer at some point anyway.

Not saying SGX actually meets its promises, though, just reacting to your second paragraph. There are use cases for having the person who owns a computer not being able to examine VM's running on it. Whether you want or not to use or have them is a different question.