[qubes-users] Re: Split gpg is just too cool.
"Starting testing with the Qubes 4 advanced features next." Created a "twitter" qube that has exclusive access to the Yubikey key registered with my Twitter account. That key cannot be accessed from any other qube, just as described in the u2f proxy doc. Nice! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4707a1fe-3154-4a89-b842-016080fa61be%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: How risky is GPU pass-through?
On Tuesday, December 25, 2018 at 1:02:05 PM UTC-8, qubenix wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Zrubi:
> > On 12/23/18 9:34 PM, Demi M. Obenour wrote:
> >> Someone I know is interested in using QubesOS. However, they
> >> are also a gamer: if they could not have a Windows VM with access
> >> to a dedicated graphics card for use by games, then QubesOS is
> >> not an option for them.
> >
> > Short answer: Qubes OS is not an option for them.
> >
>
> Why do you say that? If you search this list there are people that
> successfully game on Win vm with gpu passthrough.

While it is certainly possible to play games with modest hardware requirements under a virt and still have acceptable performance, games with high hardware requirements running at high frame rates, at high resolutions, and maxed out display settings are going to run much more slowly under a virt than they will on Win10 running natively on the same hardware. Most people who spend the kind of money needed to buy such a system will not be satisfied with the performance provided by a virtual machine. If the reasons for this are not obvious to you, take it as an opportunity to learn about how virtualization works.
[qubes-users] Re: How risky is GPU pass-through?
If your friend is just poking around with Qubes and doesn't have anything on the gaming box that needs protecting, I say go with dual boot. That's what I did. Running games from within a Xen VM is going to suck performance-wise compared to running natively from Win10. If he *does* have things that need real protection, he should move them off of the Win10 box immediately.
Re: [qubes-users] Re: VLAN / Firewall config on router or just use sys-firewall
On Wednesday, December 26, 2018 at 2:20:15 AM UTC-8, unman wrote:
> On Wed, Dec 26, 2018 at 12:55:23AM -0800, John Smiley wrote:
> > On Wednesday, December 26, 2018 at 12:52:28 AM UTC-8, John Smiley wrote:
> > > Does it make sense to configure a VLAN and associated firewall rules in
> > > an external firewall like pfsense or can the same thing be accomplished
> > > with Qubes firewall rules?
> >
> > For the purposes of isolating Qubes traffic on your home network...
> >
>
> You don't say *how* you want to isolate Qubes traffic, and I can envisage
> a number of different scenarios that would fit that description.
> You can certainly use Qubes firewall rules to restrict some qubes to
> certain IP addresses, or ranges. The simplest way would be to put another
> fw in place and have localnet deny rules for that fw: then allocate
> qubes per fw.
> If that doesn't fit your scenario, some more detail?

Got on IRC chat with some Whonix folks and got the answers I needed for this. To clarify, I wanted to know if there is any benefit to configuring pfsense (or any firewall/router) so that each Qubes box is on its own VLAN. The answer I got was yes. One such benefit would be to make it more difficult for an attacker to jump from my son's Win10 box, which has god knows what installed on it, to my Qubes systems.
[qubes-users] Re: Split gpg is just too cool.
On Thursday, December 27, 2018 at 6:28:48 PM UTC-8, John Smiley wrote:
> WRT the U2F Proxy: I've got a desktop and a laptop running 4.0.1-rc2 that
> I've been trying out the U2F proxy with. I have a lengthy issue open on this
> documenting the problems I encountered, how I resolved them, and some changes
> I think needed to make the docs clearer. I will probably end up making the
> changes myself. Going through the docs on how to maintain the docs tonight.
>
> There are still some rough edges and unanswered questions about the proxy,
> but the basics are usable in both Firefox and Google Chrome Browser.
>
> Starting testing with the Qubes 4 advanced features next. I hope to end up
> with a system with a separate Qube for each use case (banking, email, GitHub,
> online shopping, Google, social media, etc.) where each of them has access
> only to the keys they need for the services they use. Still not sure if a
> single Qube is limited to a single key or if it can be configured to have
> access to multiple keys so that related accounts can be grouped in the same
> Qube. Will know soon enough.

Here's the link to the issue https://github.com/QubesOS/qubes-issues/issues/4661
[qubes-users] Re: Split gpg is just too cool.
WRT the U2F Proxy: I've got a desktop and a laptop running 4.0.1-rc2 that I've been trying out the U2F proxy with. I have a lengthy issue open on this documenting the problems I encountered, how I resolved them, and some changes I think needed to make the docs clearer. I will probably end up making the changes myself. Going through the docs on how to maintain the docs tonight. There are still some rough edges and unanswered questions about the proxy, but the basics are usable in both Firefox and Google Chrome Browser. Starting testing with the Qubes 4 advanced features next. I hope to end up with a system with a separate Qube for each use case (banking, email, GitHub, online shopping, Google, social media, etc.) where each of them has access only to the keys they need for the services they use. Still not sure if a single Qube is limited to a single key or if it can be configured to have access to multiple keys so that related accounts can be grouped in the same Qube. Will know soon enough.
Re: [qubes-users] is dom0 based on Fedora 25?
I have a 1080 Ti in one of my Qubes boxes and haven't had any trouble with the out-of-the-box install with 4.0.1-rc2. This box is dual boot to Win10 when I want to play games (it was a gaming rig before it was a Qubes box). May I ask what you need to do that requires the Nvidia driver?
Re: [qubes-users] is dom0 based on Fedora 25?
On Thursday, December 27, 2018 at 4:23:08 PM UTC-8, seshu wrote:
> On Thursday, December 27, 2018 at 3:40:06 PM UTC-7, Chris Laprise wrote:
> > On 12/27/2018 05:12 PM, seshu wrote:
> > > When I do updates of dom0 I notice it is downloading Fedora 25?
> > >
> > > I ask because I'm trying to figure out how to compile a NVIDIA driver for
> > > my system and wondering what source files I would need.
> > >
> > > Also, I notice that RPMFusion is no longer keeping the source files to
> > > compile the nvidia driver. Anyone know where I can get these files?
> > >
> > > Thanks!
> > >
> >
> > Yes, it's fedora 25.
> >
> > A simpler route is to use integrated Intel/AMD graphics which are better
> > supported. It won't make a difference as far as speed goes.
> >
> > --
> >
> > Chris Laprise, tas...@posteo.net
> > https://github.com/tasket
> > https://twitter.com/ttaskett
> > PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
>
> Thanks.
>
> I do understand the integrated graphics might be preferable. It's just that I
> already have the geforce 1070 card on my desktop system. It turns out the
> nouveau drivers work fine out of the box. My 4.0.1rc2 is running fine. As
> I've been learning a lot over the last month about qubes, linux, security,
> hardware, etc. I wanted to see if I could make the nvidia driver work. If it
> doesn't that's ok, because the nouveau driver is fine. Since I've already
> paid for the 1070 card, I thought I would see what it takes to make it work
> with the proprietary driver.

I have a 1080 Ti in one of my Qubes boxes and haven't had any trouble with the out-of-the-box install. This box is dual boot to Win10 when I want to play games (it was a gaming rig before it was a Qubes box). May I ask what you need to do that requires the Nvidia driver?
[qubes-users] Still a little fuzzy on how a qube uses the default dispvm setting
I re-read all of the docs on this topic and I think this setting determines which dvm is used when the qube asks to open a document or run a program in a dvm unless it specifies a specific dvm. So the dvm given by this pref would be used by the Qube's File application when you select a file and choose edit or view in DisposableVM from the menu. It would also be used when opening a file via the qube's command line with qvm-open-in-dvm or running a program with qvm-run. Is this correct? Did I leave anything out? Are there any restrictions on which dvms can be used from a given domain? For example, is it valid to have a fedora-28-dvm as the default dispvm for a fedora-29 domain? Not that you would typically need to do that, but is there any reason it would not work assuming the fedora-28-dvm had the necessary software installed? What led me to this question was cloning the provided fedora-29 templateVM to fedora-29-test-1, installing google-chrome-stable in the clone, and creating a new qube vm from the new template. The new qube still uses the original fedora-29-dvm domain for its default dispvm. It seems to work fine for viewing and editing documents in a dvm, both from the command line with qvm-open-in-dvm and from Nautilus, but abends with "Service call error: Request refused" (ex: qvm-run --dispvm fedora-29-dvm terminal) or does nothing when I attempt to use qvm-run. Do I need to create a new dvm from a domain based on the new fedora-29-test-1 template and assign that to qubes as their default dispvm for qubes based on the same template? What is SOP wrt dvms when you create a new template and qubes based on that template?
Re: [qubes-users] is dom0 based on Fedora 25?
On Thursday, December 27, 2018 at 3:40:06 PM UTC-7, Chris Laprise wrote:
> On 12/27/2018 05:12 PM, seshu wrote:
> > When I do updates of dom0 I notice it is downloading Fedora 25?
> >
> > I ask because I'm trying to figure out how to compile a NVIDIA driver for
> > my system and wondering what source files I would need.
> >
> > Also, I notice that RPMFusion is no longer keeping the source files to
> > compile the nvidia driver. Anyone know where I can get these files?
> >
> > Thanks!
> >
>
> Yes, it's fedora 25.
>
> A simpler route is to use integrated Intel/AMD graphics which are better
> supported. It won't make a difference as far as speed goes.
>
> --
>
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Thanks. I do understand the integrated graphics might be preferable. It's just that I already have the geforce 1070 card on my desktop system. It turns out the nouveau drivers work fine out of the box. My 4.0.1rc2 is running fine. As I've been learning a lot over the last month about qubes, linux, security, hardware, etc. I wanted to see if I could make the nvidia driver work. If it doesn't that's ok, because the nouveau driver is fine. Since I've already paid for the 1070 card, I thought I would see what it takes to make it work with the proprietary driver.
Re: [qubes-users] Re: 4.0.1-RC2 Boot loop after install
On Thursday, 27 December 2018 16:24:23 UTC-3:30, Marek Marczykowski-Górecki wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > On Wed, Dec 26, 2018 at 09:24:01AM -0800, John Goold wrote: > > On Thursday, 20 December 2018 22:02:00 UTC-3:30, John Goold wrote: > > > Attached is screenshot, taken under my current OS, showing OS and > > > hardware info. > > > > > > After spending much too much time trying to track the problem down (using > > > the 4.0, 4.0.1-RC1 and 4.0.1-RC2 ISOs) I discovered why getting the > > > installer to run was failing... > > > > > > I had to unplug my external monitor (connected via an HDMI port). > > > > > > I was then able to boot the install DVD and install to an external USB > > > (SSD) drive (Seagate 2 TB). The install completed (supposedly > > > successfully), but attempts to boot from the USB drive fail. > > > > > > The boot process starts, with text being displayed starting in the top > > > left corner of the screen. It progresses to a point, then the screen goes > > > black and my computer starts to reboot. > > > > > > I have searched the mailing list and have failed to find a solution > > > (hours spent doing this). A lot of people seem to end up in boot-loops, > > > using various hardware. > > > > > > The attached file shows the hardware. The following information about the > > > BIOS/Firmware may be relevant: > > > > > > * Legacy Boot is enabled > > > * Virtualization Technology is enabled > > > > > > During the install I setup a user account. I did not enable disk > > > encryption (I will leave that until after I can get Qubes to boot). > > > > > > Comment: This boot-loop problem (or similar boot-loop problems) seems to > > > be a major issue with installing Qubes 4.x. Each time I come across a > > > posting about it, there seem to be different suggestions (some of which > > > work on the particular hardware involved) and some of which do not. 
> > > > > > I believe that I tried R3.1 about a year or so ago and that it booted > > > alright. I cannot remember why I did not follow through on adopting Qubes > > > (if I could not get my external monitor working, that would be a > > > deal-breaker). > > > > > > Suggestions would be appreciated. I will provide any additional > > > information I am capable of. > > > > This thread is getting verbose, so I have replied to the original post and > > will attempt a brief summary of the rest of the thread (for context): > > > > Determining what is happening would be facilitated by seeing any entries in > > log files (assuming the boot got far enough to log anything). > > > > That means checking files on the USB drive used as the target of the > > install and which causes the boot-loop when attempting to boot. > > > > Since the boot is failing, I cannot look at the log files under the booted > > Qubes OS, so instead I attempted to look for the log files when booted into > > another OS (Linux Mint 19.1). > > > > Qubes is using LVM to handle allocating disk space (presumably to > > facilitate being able to add additional physical disks to an existing Qubes > > install). There appeared, at first glance to be 3 Logical volumes: > > > > pool00 > > root > > swap > > > > Linux Mint mounted the LV "swap" automatically, but not the other two. The > > other two appear not to be "activated" and mount attempts failed. Attempts > > to "activate" the LVs fail. > > > > After searching the Net for information on LVM, I came across an article > > that helped me understand the Qubes setup better… > > > > There is one Logical Volume Group called "qubes_dom0". > > Within that there is a Logical Volume, "swap", that is detected and mounted > > automatically by my Linux Mint installation. > > Additionally, there is a "Thin Pool" allocated that uses up the rest of the > > space in the Volume Group. 
It is distinguished by information displayed by > > the lvdisplay command ("LV Pool metadata" and "LV Pool data"). > > > > Within that "thin pool", a logical volume, "root" has been created that > > uses all the disk space currently assigned. > > Yes, that's right. > > - From what I've seen in this thread, you did it right, but the system you > used didn't support thin volumes. You can try Qubes installation image, > there is recovery mode ("Rescue" in boot menu in legacy mode). > > > Other things you can try is to press ESC during boot to see more > messages than just progress bar. If that doesn't really help, try > editing boot entry in grub and remove "quiet" and "rhgb" options from > there. This should give you more details when exactly system reboots. > > - -- > Best Regards, > Marek Marczykowski-Górecki > Invisible Things Lab > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing?
[qubes-users] How to auto-attach USB device to AppVM from sys-usb?
I'm using Qubes 4 with USB VM (sys-usb) which is working well. When attaching USB devices I currently have to manually assign them to AppVMs via the top right "Qubes Devices" dropdown menu. Which is also working well. But: I want to automate that. Using a trigger in /usr/lib/udev/rules.d/ in sys-usb I can detect when the USB device gets plugged in (tested, works). Now ideally I'd like to call qvm-usb inside sys-usb to attach this device to a specific AppVM. Two ways come to mind:

- call "qvm-usb attach" from sys-usb -> I assumed there must be a package that I can dnf install and then configure some qrexec policy in dom0 to allow the call but I could not figure out how to install qvm-usb in sys-usb (is this possible?)
- send an event from sys-usb to dom0 to trigger a script that calls "qvm-usb attach" -> I looked into the Qubes eventing mechanism but failed to find a quick solution

Can somebody give me some hints on how I could automate "qvm-usb'ing" from sys-usb to auto-attach my USB device?
Re: [qubes-users] is dom0 based on Fedora 25?
On 12/27/2018 05:12 PM, seshu wrote:
> When I do updates of dom0 I notice it is downloading Fedora 25?
>
> I ask because I'm trying to figure out how to compile a NVIDIA driver for my system and wondering what source files I would need.
>
> Also, I notice that RPMFusion is no longer keeping the source files to compile the nvidia driver. Anyone know where I can get these files?
>
> Thanks!

Yes, it's fedora 25.

A simpler route is to use integrated Intel/AMD graphics which are better supported. It won't make a difference as far as speed goes.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] Re: 4.0.1-RC2 Boot loop after install
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Wed, Dec 26, 2018 at 09:24:01AM -0800, John Goold wrote: > On Thursday, 20 December 2018 22:02:00 UTC-3:30, John Goold wrote: > > Attached is screenshot, taken under my current OS, showing OS and hardware > > info. > > > > After spending much too much time trying to track the problem down (using > > the 4.0, 4.0.1-RC1 and 4.0.1-RC2 ISOs) I discovered why getting the > > installer to run was failing... > > > > I had to unplug my external monitor (connected via an HDMI port). > > > > I was then able to boot the install DVD and install to an external USB > > (SSD) drive (Seagate 2 TB). The install completed (supposedly > > successfully), but attempts to boot from the USB drive fail. > > > > The boot process starts, with text being displayed starting in the top left > > corner of the screen. It progresses to a point, then the screen goes black > > and my computer starts to reboot. > > > > I have searched the mailing list and have failed to find a solution (hours > > spent doing this). A lot of people seem to end up in boot-loops, using > > various hardware. > > > > The attached file shows the hardware. The following information about the > > BIOS/Firmware may be relevant: > > > > * Legacy Boot is enabled > > * Virtualization Technology is enabled > > > > During the install I setup a user account. I did not enable disk encryption > > (I will leave that until after I can get Qubes to boot). > > > > Comment: This boot-loop problem (or similar boot-loop problems) seems to be > > a major issue with installing Qubes 4.x. Each time I come across a posting > > about it, there seem to be different suggestions (some of which work on the > > particular hardware involved) and some of which do not. > > > > I believe that I tried R3.1 about a year or so ago and that it booted > > alright. I cannot remember why I did not follow through on adopting Qubes > > (if I could not get my external monitor working, that would be a > > deal-breaker). 
> > > > Suggestions would be appreciated. I will provide any additional information > > I am capable of. > > This thread is getting verbose, so I have replied to the original post and > will attempt a brief summary of the rest of the thread (for context): > > Determining what is happening would be facilitated by seeing any entries in > log files (assuming the boot got far enough to log anything). > > That means checking files on the USB drive used as the target of the install > and which causes the boot-loop when attempting to boot. > > Since the boot is failing, I cannot look at the log files under the booted > Qubes OS, so instead I attempted to look for the log files when booted into > another OS (Linux Mint 19.1). > > Qubes is using LVM to handle allocating disk space (presumably to facilitate > being able to add additional physical disks to an existing Qubes install). > There appeared, at first glance to be 3 Logical volumes: > > pool00 > root > swap > > Linux Mint mounted the LV "swap" automatically, but not the other two. The > other two appear not to be "activated" and mount attempts failed. Attempts to > "activate" the LVs fail. > > After searching the Net for information on LVM, I came across an article that > helped me understand the Qubes setup better… > > There is one Logical Volume Group called "qubes_dom0". > Within that there is a Logical Volume, "swap", that is detected and mounted > automatically by my Linux Mint installation. > Additionally, there is a "Thin Pool" allocated that uses up the rest of the > space in the Volume Group. It is distinguished by information displayed by > the lvdisplay command ("LV Pool metadata" and "LV Pool data"). > > Within that "thin pool", a logical volume, "root" has been created that uses > all the disk space currently assigned. Yes, that's right. - From what I've seen in this thread, you did it right, but the system you used didn't support thin volumes. 
You can try Qubes installation image, there is recovery mode ("Rescue" in boot menu in legacy mode). Other things you can try is to press ESC during boot to see more messages than just progress bar. If that doesn't really help, try editing boot entry in grub and remove "quiet" and "rhgb" options from there. This should give you more details when exactly system reboots. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing?
[qubes-users] 35c3 session: Introduction to Qubes OS
Hi qubes-users,

During 35th Chaos Communication Congress in Leipzig we'll be organizing an introductory session to Qubes OS:
https://events.ccc.de/congress/2018/wiki/index.php/Session:Introduction_to_Qubes_OS

If you're at the CCC, please come!

--
best regards
Wojtek Porczyk
Invisible Things Lab

I do not fear computers, I fear lack of them.
-- Isaac Asimov
[qubes-users] Re: Split gpg is just too cool.
On Wednesday, December 26, 2018 at 7:25:09 PM UTC-5, John Smiley wrote:
> On Wednesday, December 26, 2018 at 6:49:47 AM UTC-8, Brendan Hoar wrote:
> > On Tuesday, December 25, 2018 at 9:56:40 PM UTC-5, John Smiley wrote:
> > > U2F Proxy is not so cool. So far no joy getting it to work. Someone on reddit
> > > had similar issues and questions and resolved by installing USB keyboard
> > > support. That’s not mentioned in the Qubes docs and I hope we don’t have to
> > > resort to that.
> >
> > I haven't yet tried the U2F proxy, it is on my todo list.
> >
> > I'm also not quite so happy about the complexity of getting a security
> > focused device (yubikey) working with a security focused OS (QubesOS).
> >
> > I believe I understand the nature of the yubikey problem, though: Qubes is
> > engineered to protect you from untrusted peripherals...and this somewhat
> > conflicts with the design of yubikeys on multiple fronts: we want to use
> > yubikeys across multiple VMs (using devices across VMs increases risk);
> > yubikeys are composite USB devices, which means they often have multiple
> > endpoints for different functions (HID keyboard plus, CCID
> > smartcard/javacard, U2F) which makes securely proxying them more complex;
> > and for those who have serious safety risks, a fake yubikey could destroy
> > one's opsec in multiple ways...even a real one could if you are not careful
> > with your usage.
> >
> > In my case, I have decided to somewhat compromise QubesOS security a bit
> > and disable the USB/HID keyboard protections in Qubes dom0 for now so that
> > I could log into LastPass with my yubikey OTP in a couple of my VMs without
> > too much fiddling. I have kept notes on the changes and how to reverse them.
> >
> > So, as I said above, I haven't addressed the U2F compatibility on my
> > current R4 build (but neither do I have a multimedia VM set up with Chrome
> > yet :) ). So, I use my backup method of yubico authenticator on another
> > device and type in six-digit TOTP codes instead of using the U2F
> > functionality.
> >
> > Anyway, I suggest keeping a running log of modifications/configurations
> > (both TODO and done) somewhere easily accessible across devices (I use a
> > google doc) to speed future configurations/rebuilds. I don't keep anything
> > that needs to be secure there, just notes, simple scripts, etc.
> >
> > > If that were a requirement, surely the docs would have
> > > mentioned it.
> >
> > Haha. Er, I mean, that *should* be the case... :)
> >
> > Brendan
>
> Complex? Yes. Separating the USB stack from the browsers and being able to
> lock down which browsers can access which keys (ex: banking Qube, shopping
> Qube, Gmail Qube, etc.) Brilliant and worth the complexity. Just need to
> get it working now... Docs are leaving something out. I will either update
> the doc or file an issue once I figure it out.

Just for some extra info, I started experimenting with yubikey on my laptop as well as my desktop. Works fine on the laptop with Chromium, but is odd with Firefox. I have to disconnect the key after sending registration creds, and it will successfully register. Same for authentication with Firefox. I saw a post relating issues with FFX that you should register with Chrome, then just authenticate using FFX. My laptop was setup with a separate USB qube during install. So I followed the qubes docs for the u2f Proxy and didn't run into any issues, other than the FFX stuff. (Also, I've got the little tweaks for FFX done). For my desktop, (which I'm just starting to test out), it wasn't, so I added a second USB card to use for everything else non-critical. Should have some info on how that goes later. The desktop has a USB keyboard. (Side rant, I wish more mechanical kbds worked well with PS/2).
Re: [qubes-users] Ubuntu templates
On Wed, Dec 26, 2018 at 09:35:13PM +0100, Achim Patzner wrote:
> On 20181226 at 10:39 + unman wrote:
> > For any one who wants to try out Xenial or Bionic, I've put some
> > updated templates for 4.0 online, including a bionic+desktop version.
>
> Building the templates if the stars are aligned just right and nothing
> in the build process breaks is not that big of a problem (although
> someone might take a look at the builder script and the makefiles to
> make them a bit more fault tolerant (e. g. in case the downloading of
> additional packages fails)) if the process is not done in steps by the
> user. The more interesting problem would be keeping the included
> qubes-specific packages updated and offering the necessary server
> infrastructure to deliver updates (providing the servers would be a
> minor problem...). Do you feel up to doing that for the foreseeable
> future?
>
>
> Achim
>

There's an open issue relating to making build more fault tolerant, but since I never see that problem, it's not a priority. (I use apt-cacher-ng as a caching proxy which might help. Certainly does on the template updating.) On your second point did you read https://qubes.3isec.org ? I've been running those for about two years.