[qubes-users] Alt+Tab not redirected in AppVM
In some cases, Alt+Win+Tab is not handled by dom0 (at least with Kwin) and the remote VM handles it as Alt+Tab (AFAIR at least Windows and Unity).

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/d37aaff2-2482-420e-a038-16f8cbfce995%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] Looking to edit rules.ml of my mirage-firewall VM but since I cannot run shell, IDK what to do
So I have now also boarded the mirage-firewall VM hype to replace sys-firewall in order to take advantage of the very nice small memory consumption of just 32 MB.

After searching around I literally failed to find anything that could help me know how I'm gonna edit rules.ml in the mirage-firewall VM.

The VM as it is right now is running on fedora-29, and trying to launch gnome-terminal/xterm in the VM using qvm-run returns with the error code that I usually get when it doesn't recognize the command/command does not exist in the VM at all.

May I ask for any leads in getting through this?
Re: [qubes-users] Is it just my machine or sys-net vm by default, has an INPUT accept iptables rule for port 8082?
So I tried removing the rule today and attempted to do a templateVM update.

Oddly enough it updates just fine, and my setting on qubes-rpc for TemplateVM updates is set as my sys-net vm.

Not unless this is because I have already done an update without removing the iptables rule first, which caused a complete sync of repository metadata. Thus, when I removed the rule and did an update again, there were no problems because metadata has already been sync'd. Or do you think this hypothesis is wrong?

On Monday, April 8, 2019 at 8:16:21 PM UTC+8, unman wrote:
> On Mon, Apr 08, 2019 at 01:35:45PM +1000, haaber wrote:
> > > So I was doing some security checks on a whim in my Qubes machine until I
> > > stumbled upon discovery that the INPUT chain of iptables in my net VM
> > > has a rule of accepting all tcp connections to port 8082 coming from
> > > anywhere
> >
> > I checked and confirm the same line in my sys-net:
> >
> > -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
> >
> > I cannot offer insightful help at the moment. To permanently change the
> > iptables, you might find clues in the qubes-firewall documentation.
> > Otherwise, searching a bit I got here
> > https://github.com/QubesOS/qubes-issues/issues/3201 the impression that
> > this port is used for non-torified Qubes updates proxy. Do update
> > mechanisms still work (the torified && non-torified one) if you remove
> > the line manually?
>
> It is indeed part of updates-proxy, which I assume you have enabled in
> sys-net.
> Sphere reports the rule allowing "coming from anywhere" - if this is so
> then they must override the default - as haaber reports the default rule
> allows traffic originating from the vif+ interfaces.
> I guess this is a hangover from 3.2, as templates now use qubes-rpc,
> but it does allow you to use proxy settings in your qubes and perform
> package updates/installs.

About that, sorry I forgot to specify which interface it was. By "anywhere" I had intended to mean any source ip address would be permitted to connect to port 8082, but as for the interface, it's definitely vif+.

Welp, I suppose I'll do more testing in the following days before concluding that it's safe to just permanently remove it from the iptables rules since it doesn't break my updating of TemplateVMs.

I'll just leave this iptables command here for reference:

    sudo iptables --insert INPUT 1 -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
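A way to check the point this thread turns on (whether an INPUT ACCEPT rule for TCP port 8082 is limited to the vif+ interfaces or open on every interface), added here as an example and not part of any poster's message. The function names `audit_port` and `exposed_rules` are hypothetical, and every sample rule except the vif+ line quoted in the thread is constructed for illustration.

```shell
#!/bin/sh
# Added example: classify INPUT ACCEPT rules covering one TCP port by the
# interface they are bound to. Input is rule text in iptables-save format,
# e.g. the output of `sudo iptables -S INPUT` inside the net VM.

# First rule is the one quoted in the thread; the rest are constructed.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8082 -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 22,8000:8100 -j ACCEPT
-A INPUT -i vif+ -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8082 -j DROP
COMMIT'

# audit_port RULES_TEXT PORT
# Prints one line per matching rule: "<verdict> iface=<if> src=<src> :: <rule>"
#   vif-only  bound to Qubes downstream VM interfaces (-i vif+ or vifN.M)
#   other-if  bound to some other (or a negated) interface, e.g. an uplink
#   any-if    no -i match at all, so the rule applies on every interface
audit_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        # True when a --dport/--dports spec (single, list, a:b range) covers p.
        function covers(spec, p,    n, parts, k, r) {
            n = split(spec, parts, ",")
            for (k = 1; k <= n; k++) {
                if (split(parts[k], r, ":") == 2) {
                    if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) return 1
                } else if (parts[k] == p) return 1
            }
            return 0
        }
        $1 == "-A" && $2 == "INPUT" {
            iface = "any"; src = "any"; proto = ""; dport = ""; target = ""; neg = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "!") { neg = 1; continue }      # negation applies to next match
                if ($i == "-i")      { iface = (neg ? "!" : "") $(i + 1); i++ }
                else if ($i == "-s") { src   = (neg ? "!" : "") $(i + 1); i++ }
                else if ($i == "-p") { proto = (neg ? "!" : "") $(i + 1); i++ }
                else if ($i == "--dport" || $i == "--dports") {
                    dport = (neg ? "" : $(i + 1)); i++     # negated port match is ignored
                }
                else if ($i == "-j") { target = $(i + 1); i++ }
                neg = 0
            }
            if (target != "ACCEPT" || proto != "tcp" || !covers(dport, port)) next
            if (iface == "any")      verdict = "any-if"
            else if (iface ~ /^vif/) verdict = "vif-only"
            else                     verdict = "other-if"
            printf "%s iface=%s src=%s :: %s\n", verdict, iface, src, $0
        }'
}

# exposed_rules RULES_TEXT PORT
# Only the rules that are NOT confined to vif interfaces (empty if none).
exposed_rules() {
    audit_port "$1" "$2" | grep -v '^vif-only ' || true
}

# Stand-alone run over the constructed sample.
audit_port "$SAMPLE_RULES" 8082
```

With the default rule reported in the thread, only a `vif-only` line appears; an `any-if` or `other-if` line would mean the port is also reachable from outside the downstream VMs.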
Re: [qubes-users] Re: PS/2 Keyboard and Mouse via USB?
On 4/10/19 9:50 AM, jrsmi...@gmail.com wrote:
> The PS/2 keyboard leaking to ground risk seems like it would only apply if an attacker had physical access. Is that right or is there a way it could be exploited remotely?

In principle that can be measured far away, with little hw cost. Read you here
https://www.blackhat.com/presentations/bh-usa-09/BARISANI/BHUSA09-Barisani-Keystrokes-SLIDES.pdf
you also see that they use a 150 ohm resistance between reference ground and the ground wire that the computer connects to. That may help as a setup to measure at home.

Distance? Scheier writes (in July 2009): "The attack has been demonstrated to work at a distance of up to 15m, but refinement may mean it could work over much longer distances."

Sorry, I forgot to add: countermeasures could be: (1) a low-pass filter to remove frequencies > 200Hz and (2) white noise injection in the "cleaned" (by step 1) ground wire PS/2 frequency range 10-20 kHz. If you like to solder a bit ... maybe look at "Avalanche Breakdown Diodes"?
Re: [qubes-users] Re: PS/2 Keyboard and Mouse via USB?
On 4/10/19 9:50 AM, jrsmi...@gmail.com wrote:
> The PS/2 keyboard leaking to ground risk seems like it would only apply if an attacker had physical access. Is that right or is there a way it could be exploited remotely?

In principle that can be measured far away, with little hw cost. Read you here
https://www.blackhat.com/presentations/bh-usa-09/BARISANI/BHUSA09-Barisani-Keystrokes-SLIDES.pdf
you also see that they use a 150 ohm resistance between reference ground and the ground wire that the computer connects to. That may help as a setup to measure at home.

Distance? Scheier writes (in July 2009): "The attack has been demonstrated to work at a distance of up to 15m, but refinement may mean it could work over much longer distances."
Re: [qubes-users] Re: PS/2 Keyboard and Mouse via USB?
The PS/2 keyboard leaking to ground risk seems like it would only apply if an attacker had physical access. Is that right or is there a way it could be exploited remotely?
Re: [qubes-users] Starting Win10 HVM install crashes Qubes, and other bugs
On Tuesday, April 9, 2019 at 1:21:45 PM UTC-7, awokd wrote:
> awokd wrote on 3/30/19 4:50 PM:
> > Mindus Amitiel Debsin wrote on 3/30/19 9:41 AM:
> >> Hello Qubes community!
> >
> > Hello again!
> >
> >> The other issue and the reason for this post is that after reading
> >> several guides for Windows HVM installs and trying every option in the
> >> Qubes Manager GUI, the Win10 HVM freezes or crashes my entire Qubes
> >> install whenever I try to start it. I do not get a window for the HVM,
> >> either. I have deleted the HVM many times and tried over again,
> >> including via the console, but it has not made a difference. The HVM
> >> has 6GB of RAM (out of my 32GB of RAM in the system), 4 VCPUs, and
> >> 30GB of space. It is also in debug mode. I am trying to pass through
> >> my independent GPU (Qubes is running on another GPU entirely), the
> >> HDMI audio through the GPU, and an NVME SSD in a PCI-e slot via an
> >> adapter. But even without passing through these devices, the install
> >> won't work. I need the 1TB NVME SSD because that is what I plan on
> >> installing the Windows 10 system on.
> >> The screenshot of this issue is IMG_20190330_020643.jpg.
> >> I have 2 Windows ISOs, 1 is a Windows 7 SP1 ISO and the 2nd is a
> >> Windows 10 ISO from the media creation tool. Both are legit and
> >> neither of them work.
> >
> > Windows 7 should work, although I've heard some claim success with 10.
> > Are you following the steps at
> > https://www.qubes-os.org/doc/windows-vm/#qubes-40---windows-vm-installation
> > exactly? If so, where does it break? Do not attempt to pass anything
> > through until you've completed all the steps.
> >
> >> I realize it may be slightly offensive to say that Qubes has bugs in
> >> it. I have been following the project for about 2 years and I know
> >> there is a lot of work put into it. One of the bugs that I have
> >> experienced recently is when I insert a NTFS or exFat formatted USB
> >> stick, it does not go into the Qubes device manager at the top right
> >> of the screen. It did when I first installed Qubes, but after using it
> >> for about a week and updating my Qubes, it no longer functions correctly.
> >
> > The device widget is still a bit buggy. Try using qvm-usb or qvm-block
> > instead.
> >
> >> Another thing I am having a problem with is finding a GUI for managing
> >> my system devices in dom0 and to work with the partitions. If possible
> >> I would like to reduce my Qubes install from the 2tb I initially
> >> allowed it, to less than 1TB and to clone it via Acronis boot disk to
> >> a smaller but faster SSD. Also my Qubes install is encrypted. Can this
> >> work?
> >
> > See my other reply.
> >
> > You might want to consider separate machines. Your intentions are
> > honourable, but I have yet to hear of anyone on the list successfully
> > passing through their GPU to a Windows VM in Qubes 4.0. One machine with
> > a healthy amount of RAM and onboard video for Qubes and your data, the
> > other for gaming. Dual-boot could also be an option, but that is a pain
> > to set up and maintain since Windows 10 will break the bootloader every
> > major update.
> >
> Check this out!
> https://www.mail-archive.com/qubes-users@googlegroups.com/msg27786.html

Thanks for this. I think the pdf file was very helpful. I think I will try it out when Qubes gets released next (hopefully the known bugs will be squashed). I will mark your answer as complete.

~Mindus Debsin
Re: [qubes-users] Re: How risky is GPU pass-through?
From Throwaway42's document:

> GRUB_CMDLINE_LINUX="
> rd.qubes.hide_pci=0a:00.0,0a:00.1
> modprobe=xen-pciback.passthrough=1
> xen-pciback.permissive"

Instead of xen-pciback.permissive on the Linux options line, could you set the GPU's two PCI devices to permissive https://www.qubes-os.org/doc/pci-devices/#permissive ? Seems it would make it a little more restrictive. Also, is that modprobe required? I'd think Qubes would load that module by default. Hiding it here makes sense.
Re: [qubes-users] Re: PS/2 Keyboard and Mouse via USB?
Yet another approach might be to use a USB to PS/2 adapter to connect a USB keyboard that supports PS/2 signaling to a native PS/2 port. Would that be a good solution to avoid keyboard leaking signals to ground?
Re: [qubes-users] Starting Win10 HVM install crashes Qubes, and other bugs
awokd wrote on 3/30/19 4:50 PM:
> Mindus Amitiel Debsin wrote on 3/30/19 9:41 AM:
>> Hello Qubes community!
>
> Hello again!
>
>> The other issue and the reason for this post is that after reading several guides for Windows HVM installs and trying every option in the Qubes Manager GUI, the Win10 HVM freezes or crashes my entire Qubes install whenever I try to start it. I do not get a window for the HVM, either. I have deleted the HVM many times and tried over again, including via the console, but it has not made a difference. The HVM has 6GB of RAM (out of my 32GB of RAM in the system), 4 VCPUs, and 30GB of space. It is also in debug mode. I am trying to pass through my independent GPU (Qubes is running on another GPU entirely), the HDMI audio through the GPU, and an NVME SSD in a PCI-e slot via an adapter. But even without passing through these devices, the install won't work. I need the 1TB NVME SSD because that is what I plan on installing the Windows 10 system on.
>> The screenshot of this issue is IMG_20190330_020643.jpg.
>> I have 2 Windows ISOs, 1 is a Windows 7 SP1 ISO and the 2nd is a Windows 10 ISO from the media creation tool. Both are legit and neither of them work.
>
> Windows 7 should work, although I've heard some claim success with 10. Are you following the steps at https://www.qubes-os.org/doc/windows-vm/#qubes-40---windows-vm-installation exactly? If so, where does it break? Do not attempt to pass anything through until you've completed all the steps.
>
>> I realize it may be slightly offensive to say that Qubes has bugs in it. I have been following the project for about 2 years and I know there is a lot of work put into it. One of the bugs that I have experienced recently is when I insert a NTFS or exFat formatted USB stick, it does not go into the Qubes device manager at the top right of the screen. It did when I first installed Qubes, but after using it for about a week and updating my Qubes, it no longer functions correctly.
>
> The device widget is still a bit buggy. Try using qvm-usb or qvm-block instead.
>
>> Another thing I am having a problem with is finding a GUI for managing my system devices in dom0 and to work with the partitions. If possible I would like to reduce my Qubes install from the 2tb I initially allowed it, to less than 1TB and to clone it via Acronis boot disk to a smaller but faster SSD. Also my Qubes install is encrypted. Can this work?
>
> See my other reply.
>
> You might want to consider separate machines. Your intentions are honourable, but I have yet to hear of anyone on the list successfully passing through their GPU to a Windows VM in Qubes 4.0. One machine with a healthy amount of RAM and onboard video for Qubes and your data, the other for gaming. Dual-boot could also be an option, but that is a pain to set up and maintain since Windows 10 will break the bootloader every major update.

Check this out!
https://www.mail-archive.com/qubes-users@googlegroups.com/msg27786.html
Re: [qubes-users] Re: How risky is GPU pass-through?
799 wrote on 4/9/19 7:31 PM:
> Hello throwaway42,
>
> wrote on Tue, Apr 9, 2019, 21:17:
>> (...)
>> Just for information:
>> I have a gaming VM inside Qubes OS
>> It is a windows 7 HVM, with a dedicated GPU.
>> Performance is very good.
>> I referenced some useful links here https://neowutran.ovh/qubeos.pdf
>
> Nice write-up ... Thanks.

Seconded! This is the first report I've seen of successful GPU pass-through under 4.0.
Re: [qubes-users] Re: How risky is GPU pass-through?
Hey throwaway42,

Thank you for the information! I wish I had this 6 months ago when I began planning my personal VM server.
Re: [qubes-users] Re: How risky is GPU pass-through?
Hello throwaway42,

wrote on Tue, Apr 9, 2019, 21:17:
> (...)
> Just for information:
> I have a gaming VM inside Qubes OS
> It is a windows 7 HVM, with a dedicated GPU.
> Performance is very good.
> I referenced some useful links here https://neowutran.ovh/qubeos.pdf

Nice write-up ... Thanks.
Why don't you add this information to the Qubes Community Docs, so that it can be rea(che)d by a broader audience?
Hypertext is such a great invention compared to PDFs ;-)

- O
Re: [qubes-users] Re: How risky is GPU pass-through?
On Tuesday, April 9, 2019 at 15:29:48 UTC+2, John Mitchell wrote:
> On Tuesday, April 9, 2019 at 2:53:25 PM UTC+2, unman wrote:
>
> > Do you run Qubes? On what hardware?
>
> I wanted to use Qubes however I didn't feel that my usage case would be
> supported here so I opted for Xubuntu running QEMU and Virtual Machine
> Manager. I have it working, responding here from a VM. I've been following
> Qubes since version 1, just not using because of the many security features.
>
> AMD Ryzen 2700X, 8 cores, 16 threads
> 32 GB ram
> GeForce GT 1030 (desktop GPU)
> Radeon RX 590 (gaming GPU, pass through, also working)
>
> The gaming GPU is blocked in the kernel from the host OS (Xubuntu) with
> virtio. I suppose virtio could be a security risk. The host OS is
> restricted to 4 GB (hugepages) and one core (two threads). I have RAID 10
> running on the host CPU. KVM shares the host memory however it has one core
> for itself for iothreads, etc. The rest is available for VMs. Neither of
> the two CPUs for the host and KVM have ever maxed usage for longer than half
> a second.
>
> I was planning to use bcache to speed up the RAID although I may skip that
> since I am not feeling a need for speed. RAID 10 is plenty fast when the
> drives are not spun down. I have SMART monitoring setup too along with temp
> and fan monitoring. The host runs from an SSD. Next month I will add a
> backup solution.
>
> I have some bloat in the host that I need to clean up. Overall it is a solid
> setup, certainly not as secure as Qubes. However I don't believe I would
> have this working with Qubes.

Just for information:
I have a gaming VM inside Qubes OS
It is a windows 7 HVM, with a dedicated GPU.
Performance is very good.
I referenced some useful links here https://neowutran.ovh/qubeos.pdf
Re: [qubes-users] Re: PS/2 Keyboard and Mouse via USB?
If there is no signal on PS/2 ground or I can eliminate it, is this the more secure route or is it worth doing the USB shuffle? I have 4 USB controllers available.
Re: [qubes-users] Re: PS/2 Keyboard and Mouse via USB?
I really appreciate the responses. I bought a new mobo that does have native PS/2 to use with Qubes. It arrived today and I'll be trying it out after work today.

How would I go about determining if my keystrokes are being revealed on ground? I have a storage scope so I think it would just be a matter of hooking one probe near ground on the PS/2 port and the other to ground on something farther away like the power supply. If I see a signal, would some additional decoupling caps do the job to fix it or is there more to it?
Re: [qubes-users] apt update issues with debian and whonix templates recently
Devin Cofer wrote on 4/9/19 5:04 PM:
> Hello all,
>
> Recently my Qubes 4 installation's debian template and whonix templates stopped updating correctly. Fedora-based templates and Dom0 update fine.
>
> `sudo apt update` on debian template will error when it tries to fetch jessie-backports Release.
>
> Err:7 https://cdn-aws.deb.debian.org/debian jessie-backports Release
>   404 Not Found
> Reading package lists... Done
> E: The repository 'https://deb.debian.org/debian jessie-backports Release' does not have a Release file.
> N: Updating from such a repository can't be done securely, and is therefore disabled by default.
>
> On whonix templates, `sudo apt update` stalls at "0% [Waiting for headers]" for a long time, then proceeds until it hits other errors.
>
> Err:4 https://deb.whonix.org stretch Release
>   Received HTTP code 500 from proxy after CONNECT
> Err:5 https://deb.qubes-os.org/r4.0/vm stretch Release
>   Received HTTP code 500 from proxy after CONNECT
> Ign:6 https://deb.debian.org/debian stretch InRelease
> Err:7 https://deb.debian.org/debian-security stretch/updates Release
>   Received HTTP code 500 from proxy after CONNECT
> Err:8 https://deb.debian.org/debian stretch Release
>   Received HTTP code 500 from proxy after CONNECT
>
> I typed this out, so excuse any spelling mistakes in the command output.
>
> Thanks for any assistance!

See this recent thread: https://www.mail-archive.com/qubes-users@googlegroups.com/msg27443.html. TLDR, comment out that jessie-backports line in apt sources in the problem templates.
Re: [qubes-users] Alt+Tab not redirected in AppVM
799 wrote on 4/9/19 7:28 AM:
> I think the easiest way is 1) switching Alt+Tab against Windows+Tab. Can this be done?

Maybe https://superuser.com/questions/458846/how-to-map-alttab-behavior-to-another-keyboard-combination ?
[qubes-users] apt update issues with debian and whonix templates recently
Hello all,

Recently my Qubes 4 installation's debian template and whonix templates stopped updating correctly. Fedora-based templates and Dom0 update fine.

`sudo apt update` on debian template will error when it tries to fetch jessie-backports Release.

Err:7 https://cdn-aws.deb.debian.org/debian jessie-backports Release
  404 Not Found
Reading package lists... Done
E: The repository 'https://deb.debian.org/debian jessie-backports Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.

On whonix templates, `sudo apt update` stalls at "0% [Waiting for headers]" for a long time, then proceeds until it hits other errors.

Err:4 https://deb.whonix.org stretch Release
  Received HTTP code 500 from proxy after CONNECT
Err:5 https://deb.qubes-os.org/r4.0/vm stretch Release
  Received HTTP code 500 from proxy after CONNECT
Ign:6 https://deb.debian.org/debian stretch InRelease
Err:7 https://deb.debian.org/debian-security stretch/updates Release
  Received HTTP code 500 from proxy after CONNECT
Err:8 https://deb.debian.org/debian stretch Release
  Received HTTP code 500 from proxy after CONNECT

I typed this out, so excuse any spelling mistakes in the command output.

Thanks for any assistance!
Re: [qubes-users] Linux Mint gets lost when I connect lan cable (also issues with Windows 10 VM)
On Monday, April 8, 2019 2:44 PM, Claudio Chinicz wrote:
> Hi All,
>
> My Linux Mint VM works ok when the notebook is connected to wifi only.
> When I connect the lan cable I see the icon in the upper right corner
> indicating both wifi and wired connections are available and this VM
> loses internet connection. In the VM, Linux still sees it is connected
> ("wired" is the default - eth) but without internet connection.
>
> If I disconnect the lan cable the VM sees internet connection as before.
>
> By the way, my Windows 10 VM sees both but if I'm using wifi and connect
> the cable or vice versa, I have to shut it down (and everything else
> that uses sys-firewall) and restart sys-net.
>
> I need to connect through lan cable in order to access corporate AD
> resources.. otherwise I'd use only wifi and forget about this issue.
>
> Thanks in advance for any insight from the community,
>
> Claudio

My solution: split sys-net to sys-net-wifi and sys-net-eth and assign the respective controllers to them. Also split sys-firewall. This way you will have two completely independent networks and firewalls, and you can switch AppVMs between them as you wish, even while they are running. When you are not physically at work, you can shut down sys-net-eth and sys-fw-eth to save ram.
[qubes-users] Linux Mint gets lost when I connect lan cable (also issues with Windows 10 VM)
Hi All,

My Linux Mint VM works ok when the notebook is connected to wifi only. When I connect the lan cable I see the icon in the upper right corner indicating both wifi and wired connections are available and this VM loses internet connection. In the VM, Linux still sees it is connected ("wired" is the default - eth) but without internet connection.

If I disconnect the lan cable the VM sees internet connection as before.

By the way, my Windows 10 VM sees both but if I'm using wifi and connect the cable or vice versa, I have to shut it down (and everything else that uses sys-firewall) and restart sys-net.

I need to connect through lan cable in order to access corporate AD resources.. otherwise I'd use only wifi and forget about this issue.

Thanks in advance for any insight from the community,

Claudio
[qubes-users] Re: coreboot on modern hardware?
On 3/23/19 3:03 PM, jrsmi...@gmail.com wrote:
> Spent several hours yesterday trying to track down what I would need to do to install coreboot on all of my computers, starting with my Qubes box: a Lenovo Thinkpad T480. The bottom line from what I can tell is that if you have an Intel CPU made since 2008 (any that have Boot Guard) or an AMD CPU made since 2013 (any that have PSP), you are out of luck. Libreboot spells this out in their docs. I'm not sure if that is because of coreboot itself or something specific to Libreboot. I was struck by how they seemed perfectly fine walling themselves off from the present and the future.
>
> I could find nothing indicating that anyone had even tried, much less succeeded, in installing coreboot on a T480 and everything I did find was for much older hardware. I read through the coreboot docs where they just wave their hands at the end of the build process and say "now go flash". I also read through the heads docs, which say more or less the same thing. Hackaday has an article on the horrors of installing coreboot on a Toshiba laptop. Not only do they neglect to say which model they used, at the end of the article they had it working.
>
> The gist is that the information that's out there is out of date, incomplete, misleading, and sometimes just incompetent. I'm hoping that someone here has first-hand knowledge and can advise me (and others who read this).
>
> Thanks,
> John Smiley

I don't think Libreboot is "fine with walling themselves off from the future", I just think they would rather not have a back door open that they cannot close.

See: https://libreboot.org/faq.html#intel (scroll down for AMD) and https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it

For myself, I also only use AMD CPUs prior to 2013. If this means I can't run Qubes 4, much as I would like to, I will have to take other security precautions, especially since I read that Joanna Rutkowska said that using IOMMU does not protect from this remote management attack. (Sorry I can't find that reference).
[qubes-users] Desktop notifications won't stay on primary monitor.
I'm not sure if this is a misconfiguration or a bug but I can't seem to get the desktop notifications to stay on the primary monitor as selected in the Notifications settings. "Show notifications on: primary display". I made sure that a primary display was set in display properties and tried logging off and back on after making changes but no dice. Is there a service I should try restarting or a config file somewhere to check?

Thanks,
-Neovalis
Re: [qubes-users] Re: How risky is GPU pass-through?
On Tue, Apr 09, 2019 at 06:29:48AM -0700, John Mitchell wrote:
> On Tuesday, April 9, 2019 at 2:53:25 PM UTC+2, unman wrote:
> >
> > Do you run Qubes? On what hardware?
>
> I wanted to use Qubes however I didn't feel that my usage case would be
> supported here so I opted for Xubuntu running QEMU and Virtual Machine
> Manager. I have it working, responding here from a VM. I've been following
> Qubes since version 1, just not using because of the many security features.
>
> AMD Ryzen 2700X, 8 cores, 16 threads
> 32 GB ram
> GeForce GT 1030 (desktop GPU)
> Radeon RX 590 (gaming GPU, pass through, also working)
>
> The gaming GPU is blocked in the kernel from the host OS (Xubuntu) with
> virtio. I suppose virtio could be a security risk. The host OS is
> restricted to 4 GB (hugepages) and one core (two threads). I have RAID 10
> running on the host CPU. KVM shares the host memory however it has one core
> for itself for iothreads, etc. The rest is available for VMs. Neither of
> the two CPUs for the host and KVM have ever maxed usage for longer than half
> a second.
>
> I was planning to use bcache to speed up the RAID although I may skip that
> since I am not feeling a need for speed. RAID 10 is plenty fast when the
> drives are not spun down. I have SMART monitoring setup too along with temp
> and fan monitoring. The host runs from an SSD. Next month I will add a
> backup solution.
>
> I have some bloat in the host that I need to clean up. Overall it is a solid
> setup, certainly not as secure as Qubes. However I don't believe I would
> have this working with Qubes.
>

Thanks John: I hope you'll come back to Qubes in the future. However, my question was addressed to Taiidan.
Re: [qubes-users] Re: How risky is GPU pass-through?
On Tuesday, April 9, 2019 at 2:53:25 PM UTC+2, unman wrote:
> Do you run Qubes? On what hardware?

I wanted to use Qubes however I didn't feel that my usage case would be supported here so I opted for Xubuntu running QEMU and Virtual Machine Manager. I have it working, responding here from a VM. I've been following Qubes since version 1, just not using because of the many security features.

AMD Ryzen 2700X, 8 cores, 16 threads
32 GB ram
GeForce GT 1030 (desktop GPU)
Radeon RX 590 (gaming GPU, pass through, also working)

The gaming GPU is blocked in the kernel from the host OS (Xubuntu) with virtio. I suppose virtio could be a security risk. The host OS is restricted to 4 GB (hugepages) and one core (two threads). I have RAID 10 running on the host CPU. KVM shares the host memory however it has one core for itself for iothreads, etc. The rest is available for VMs. Neither of the two CPUs for the host and KVM have ever maxed usage for longer than half a second.

I was planning to use bcache to speed up the RAID although I may skip that since I am not feeling a need for speed. RAID 10 is plenty fast when the drives are not spun down. I have SMART monitoring setup too along with temp and fan monitoring. The host runs from an SSD. Next month I will add a backup solution.

I have some bloat in the host that I need to clean up. Overall it is a solid setup, certainly not as secure as Qubes. However I don't believe I would have this working with Qubes.
Re: [qubes-users] Re: How risky is GPU pass-through?
On Mon, Apr 08, 2019 at 02:32:04PM -0400, taii...@gmx.com wrote:
> On 02/25/2019 04:02 PM, John Mitchell wrote:
> > If I may ask what OS do you use for the host?
> >
>
> Devuan, it is debian without systemd.
>
> I compile most of the related packages though like libvirtd, qemu etc
> cause the ones from the distro are way too outdated to support what I need.
>
> You should get a new non-gmail email btw.
>

Do you run Qubes? On what hardware?
Re: [qubes-users] Re: PS/2 Keyboard and Mouse via USB?
On Mon, Apr 08, 2019 at 09:49:28PM -0400, taii...@gmx.com wrote:
> I have stated this many times before.
>
> The PS/2 thing is from 2011 which is 8 years ago and applies to systems
> without more than one USB controller.
>
> Using PS/2 sends your keystrokes out on the ground wire.
>
> It is far better to purchase a motherboard with a second USB controller
> with separate IOMMU groups or a PCI-e supporting USB card with one
> controller per port and an ACS PCI-e switch to tie them together, of
> course all must have libre firmware and preferably made somewhere
> trustworthy.
>
> I would only trust hardware Made in USA or Switzerland since both are
> the only places in the world right now where you can say no to a demand
> to put a backdoor in your product and have nothing come of it. (Here's to
> hoping for Xen/Qubes on OpenPOWER for USA made computing) Unfortunately
> recent cases have proven the EU majority no longer has freedom of speech
> (such as the man who went to jail for criticizing a certain foreign
> leader in Germany) and code is speech, HDLs are speech and freedom of
> speech means freedom to be silent (and thus not code a backdoor)
>
> Ideally you would have 4 IOMMU separate USB controllers total.
>
> USB controllers:
> dom0/sys-usb-keyboard (you enter your passwords and then it gets
> assigned to sys-usb-inputs later which is for your keyboard and mouse)
> sys-usb-mouse (off at boot - since I know of no secure mice it should be
> separate)
> sys-usb-trusted-stuff (off at boot, assigned to sys-usb later) your
> flash drives
> sys-usb-untrusted-stuff (off at boot, assigned to sys-usb later) other
> people's flash drives
>
> I use a PCL/PS network printer so I don't need a 5th for that.
>
> In terms of USB devices you want stuff without re-writable firmware
> which many keyboards have and AFAIK the only OEM that attests to its
> products' security and lack of re-writable firmware is Unicomp (and of
> course the original Model M's can't be re-written either)
>
> The most secure input device is the USB Unicomp Model M pointer which is
> a made in USA mechanical keyboard with a laptop style mouse nub in the
> middle of the keyboard and two mouse buttons - Unicomp makes the rare
> high quality keyboard that will never break and never need replacing due
> to wear.
>

Ideally, yes, but most people aren't in a position to have the ideal.

I've pointed out before that your comments on PS/2 are misleading. With some keyboards, (but not all), there can be leakage to ground. But it's possible to mitigate the effects of this or to clean signal from the earth (ground) wire. It's important to make this clear so that people can make informed decisions about their choices between USB and PS/2.

Incidentally, your touching faith in "Made in USA" components seems strange to me - I see no more reason to trust that label more than any other. The USA has a long and inglorious history of snooping and subversion. (This isn't intended to provoke any discussion on the Qubes mailing list, so please don't argue the point on list. It's my opinion.)
[qubes-users] Re: qubes-mirage-firewall chaining
On Monday, April 8, 2019 at 11:20:13 PM UTC+1, qmirfw wrote:
> Hello,
>
> I got the qubes-mirage-firewall working in a simple
>
> sys-net --> sys-mirage-fw --> disp1234
>
> situation, but when I wanted to include it in my normal chain, as in
>
> sys-net --> sys-mirage-fw --> sys-firewall --> AppVMs
>
> my AppVMs can't access the network.
>
> Is this supposed to work?
>
> In Xen console of the mirage firewall I can see the linux firewall
> connecting, but then lines like this:
>
> WRN [client_net] Incorrect source IP 10.137.0.45 in IP packet from
> 10.137.0.12 (dropping)

What is the IP address of sys-firewall and the AppVM? It sounds like mirage-firewall got a packet from sys-firewall with source address 10.137.0.45, but it thinks that sys-firewall should have the IP address 10.137.0.12 (and be doing NAT on behalf of its clients).
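The source-address check behind the warning quoted in the message above, as an added example (not code from the thread or from qubes-mirage-firewall): it parses warnings of that form and reports which directly attached client is forwarding packets that still carry a downstream VM's address, that is, forwarding without NAT. The function names, the simplified `accepts` model and the extra sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Warning format as quoted in the thread (joined onto one line):
#   WRN [client_net] Incorrect source IP <src> in IP packet from <client> (dropping)
WARN_RE = re.compile(
    r"\[client_net\] Incorrect source IP (?P<src>\S+) "
    r"in IP packet from (?P<client>\S+) \(dropping\)"
)


def parse_warning(line):
    """Return (packet_source, attached_client) as IP objects, or None."""
    m = WARN_RE.search(line)
    if not m:
        return None
    try:
        return (ipaddress.ip_address(m.group("src")),
                ipaddress.ip_address(m.group("client")))
    except ValueError:
        return None  # matched the wording but not a valid address


def accepts(client_ip, packet_src):
    """Simplified model (assumption) of the check implied by the warning:
    a packet is accepted only if its source is the client's own address."""
    return ipaddress.ip_address(client_ip) == ipaddress.ip_address(packet_src)


def unnatted_forwarders(lines):
    """Map each attached client to the foreign source addresses it forwarded."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_warning(line)
        if parsed is None:
            continue
        src, client = parsed
        if not accepts(client, src):
            seen[str(client)].add(src)
    return {c: [str(a) for a in sorted(s)] for c, s in seen.items()}


# Sample input: the first line is the one from the thread; the others are
# constructed for this example.
SAMPLE_LOG = [
    "WRN [client_net] Incorrect source IP 10.137.0.45 in IP packet from 10.137.0.12 (dropping)",
    "constructed line that is not a warning",
    "WRN [client_net] Incorrect source IP 10.137.0.46 in IP packet from 10.137.0.12 (dropping)",
]

if __name__ == "__main__":
    for client, sources in unnatted_forwarders(SAMPLE_LOG).items():
        print(f"{client} forwards without NAT for: {', '.join(sources)}")
```

A client that shows up here with other VMs' addresses behind it is acting as a router; in the chain from the thread that is sys-firewall, which would have to masquerade its AppVMs behind its own address for the check to pass.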
[qubes-users] Alt+Tab not redirected in AppVM
Hello,

I am using a fedora-29 based AppVM ("my-office") to connect to my corporate virtual desktop using VMware Horizon View. Unfortunately the Alt+Tab key sequence is not forwarded into the virtual desktop. I totally understand that this has been done to improve security, so that no AppVM can "catch" the mouse, but in this use case it is very annoying as I need to switch application within the virtual desktop very often.

I have three ideas how to work around this problem:

1) Switch the Alt+Tab sequence in qubes to something like Windows+Tab, so that Alt+Tab can be used in an AppVM
2) Disable Alt+Tab in a specific AppVM (not sure if this can be done)
3) Disable Alt+Tab if an AppVM goes into fullscreen mode (as it is always possible to use Alt+Space to get out of fullscreen mode). When I work in my corporate virtual windows desktop there is no danger that I mess up and get lost between different AppVM window sessions. (Also not sure if this can be done, disabling Alt+Tab depending on the fullscreen state.)

I think the easiest way is 1) switching Alt+Tab against Windows+Tab. Can this be done? I looked into the Qubes Menu > Keyboard > Application Shortcut, but Alt+Tab is not present there.

- O
Re: [qubes-users] Re: qubes-mirage-firewall 0.5
On Tuesday, 9 April 2019 00:08:58 UTC+2, qmirfw wrote:
> I don't understand why you want to do all that in a TemplateVM,
> and not an AppVM.
> Also why fight with Fedora, if my simple Debian based build gives the
> same binary as the official (equal checksum)
[...]

you are right that using a full fedora-29 would not do any harm, therefore I have used this template and luckily everything was very easy to setup. Thanks for the support!

I have compiled all info which I need to setup Mirage-FW in a short howto, which might also be helpful to others in a way that all steps can be run from dom0 which is much easier and which can be scripted (for example to rebuild your Qubes Setup from a default installation):

@Mirage Firewall-Team: I think creating a document/script which does the build process for the user, will improve end user experience setting up mirage.

- 8< - - - -
# Run in dom0. Shell variable names cannot contain '-', so the build VM
# variable is written without one.
MirageFWBuildVM=my-mirage-buildvm
TemplateVM=fedora-29
MirageFWAppVM=sys-mirage-fw

# create a new VM to build mirage via docker
qvm-create "$MirageFWBuildVM" --class=AppVM --label=red --template="$TemplateVM"

# Resize private disk to 10 GB
qvm-volume resize "$MirageFWBuildVM":private 10GB

# Create a symbolic link to save docker into the home directory:
# /var/lib/docker becomes a link to a directory on the private volume
qvm-run --auto --pass-io --no-gui "$MirageFWBuildVM" \
  'sudo mkdir /home/user/var_lib_docker && \
   sudo ln -s /home/user/var_lib_docker /var/lib/docker'

# Install docker and git
qvm-run --pass-io --no-gui "$MirageFWBuildVM" \
  'sudo dnf -y install docker git'

# Launch docker
qvm-run --pass-io --no-gui "$MirageFWBuildVM" \
  'sudo systemctl start docker'

# Download and build mirage for qubes
qvm-run --pass-io --no-gui "$MirageFWBuildVM" \
  'git clone https://github.com/mirage/qubes-mirage-firewall.git && \
   cd qubes-mirage-firewall && \
   git pull origin pull/52/head && \
   sudo ./build-with-docker.sh'

# Copy the new kernel to dom0
cd /var/lib/qubes/vm-kernels
qvm-run --pass-io "$MirageFWBuildVM" 'cat qubes-mirage-firewall/mirage-firewall.tar.bz2' | tar xjf -

# create the new mirage firewall
qvm-create \
  --property kernel=mirage-firewall \
  --property kernelopts=None \
  --property memory=32 \
  --property maxmem=32 \
  --property netvm=sys-net \
  --property provides_network=True \
  --property vcpus=1 \
  --property virt_mode=pv \
  --label=green \
  --class StandaloneVM \
  "$MirageFWAppVM"

# The build VM could be deleted if you don't want to keep it
# but if you want to upgrade Mirage Firewall for Qubes OS,
# you need to rebuild this VM.
qvm-shutdown --wait "$MirageFWBuildVM"
qvm-remove --force "$MirageFWBuildVM"
- 8< - - - -

Link: https://github.com/Qubes-Community/Contents/blob/master/docs/customization/mirage-firewall.md

Now the next steps are to learn how to tweak the firewall to allow specific communication between AppVMs, for example ssh/http.

Thanks to all for the help/suggestions.

- O