Re: [qubes-users] Re: [Advanced] Enabling nested virtualization in Qubes/HVM

2019-07-19 Thread unman
On Thu, Jul 18, 2019 at 12:13:24PM -0700, lastpoke...@gmail.com wrote:
> On Sunday, 7 February 2016 23:12:25 UTC, he...@ruggedinbox.com  wrote:
> > Input from the developers would be especially welcome.
> > 
> > I've been trying to enable nested virtualization in Qubes, which should be
> > possible without modifications, since Xen requires only the addition of
> > two lines to a conf file:
> > 
> > ---
> >  Make sure you have the right support
> > Xen 4.4 or later
> > Intel CPU with EPT support
> > 
> > Add the following to your config file:
> > 
> > hap=1
> > nestedhvm=1
> > 
> >  (Cite: http://wiki.xenproject.org/wiki/Nested_Virtualization_in_Xen)
> > ---
> > 
> > 1) What's the preferred way to accomplish this in Qubes?
> > 

There isn't one.


> > 2) It looks like the template packages qubes-gui-vm, xen-qubes-vm, and
> > xen-libs are set up to block installation of other in-guest virtualization
> > packages like qemu/libvirt (requiring the former to be removed for any
> > experimentation to proceed). It happens on both the fedora and debian.
> > Removing those packages would cause problems interacting with dom0. What's
> > going on here?
> > 
> > Thank you.
> 

As you correctly point out there are various features in Qubes which
make this difficult. In any case, nested virtualization in Xen is pretty
broken, and doesn't seem to work with more recent kernels. Look at the
tables on the page you cite: you have to go back before 4.7 to get
decent coverage, and anything after 4.9 looks dead.

So enabling this is a security hit for Qubes, and not a priority - (this
may change as there are periodic requests for the feature).

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190719122551.qbzwilzmdpdyoots%40thirdeyesecurity.org.


[qubes-users] Re: Announcement: Insurgo PrivacyBeast X230 Laptop meets and exceeds Qubes 4.0 hardware certification

2019-07-19 Thread Thierry Laurion
Hello all.

For those of you who would want to ask questions but are against using 
Google services/Twitter/Facebook, you are more than welcome to comment or post 
on my ZeroNet technical blog:
http://127.0.0.1:43110/1DMb3CV66qZPwJqkgm4z12nu8BrAwDoD4g/?Post:26:PrivacyBeast+X230+is+alive!!!

Cheers,
Thierry Laurion
Insurgo Open Technologies/Technologies Libres

Le vendredi 19 juillet 2019 00:19:37 UTC-4, Andrew David Wong a écrit :
>
> -----BEGIN PGP SIGNED MESSAGE----- 
> Hash: SHA512 
>
> Dear Qubes Community, 
>
> We are very pleased to announce that the Insurgo PrivacyBeast X230 [1] 
> has passed Qubes 4.0 Hardware Certification and is now a Qubes-certified 
> Laptop! [2] 
>
> ## What is Qubes Certified Hardware? 
>
> Qubes Certified Hardware [3] is hardware that has been certified by the 
> Qubes developers as compatible with Qubes OS. Beginning with Qubes 4.0, 
> in order to achieve certification, the hardware must satisfy a rigorous 
> set of requirements [4], and the vendor must commit to offering 
> customers the very same configuration (same motherboard, same screen, 
> same BIOS version, same Wi-Fi module, etc.) for at least one year. 
>
> Qubes-certified Laptops [2], in particular, are regularly tested 
> by the Qubes developers to ensure compatibility with all of Qubes' 
> features. The developers test all new major versions and updates to 
> ensure that no regressions are introduced. 
>
> It is important to note, however, that Qubes Hardware Certification 
> certifies only that a particular hardware *configuration* is *supported* 
> by Qubes. The Qubes OS Project takes no responsibility for any 
> manufacturing or shipping processes, nor can we control whether physical 
> hardware is modified (whether maliciously or otherwise) *en route* to 
> the user. (However, see below for information about how the Insurgo 
> team mitigates this risk.) 
>
> ## About the Insurgo PrivacyBeast X230 Laptop 
>
> The Insurgo PrivacyBeast X230 [1] is a custom refurbished ThinkPad X230 
> [5] that not only *meets* all Qubes Hardware Certification requirements 
> [4] but also *exceeds* them thanks to its unique configuration, 
> including: 
>
>   - Coreboot [6] initialization for the x230 is binary-blob-free, 
> including native graphic initialization. Built with the 
> Heads [7] payload, it delivers an Anti Evil Maid (AEM) [8]-like 
> solution built into the firmware. (Even though our requirements [4] 
> provide an exception for CPU-vendor-provided blobs for silicon and 
> memory initialization, Insurgo exceeds our requirements by insisting 
> that these be absent from its machines.) 
>
>   - Intel ME [9] is neutered through the AltMeDisable bit, while all 
> modules other than ROMP and BUP, which are required to initialize 
> main CPU, have been deleted. [10] 
>
>   - A re-ownership process that allows it to ship pre-installed with 
> Qubes OS, including full-disk encryption already in place, but 
> where the final disk encryption key is regenerated only when the 
> machine is first powered on by the user, so that the OEM doesn't 
> know it. 
>
>   - Heads [7] provisioned pre-delivery to protect against malicious 
> interdiction. [11] 
>
> ## How to get one 
>
> Please see the Insurgo PrivacyBeast X230 [1] on the Insurgo website [12] 
> for more information. 
>
> ## Acknowledgements 
>
> Special thanks go to: 
>
>   - Thierry Laurion [13], Director of Insurgo, Technologies Libres (Open 
> Technologies), for spearheading this effort and making Heads+Qubes 
> laptops more broadly accessible. 
>
>   - Trammell Hudson [14], for creating Heads [7]. 
>
>   - Purism [15], for greatly improving the UX of Heads [7], including 
> the GUI menu, and for adding Nitrokey [16] and Librem Key [17] 
> support. 
>
>
>  [1] 
> https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/
>  
>  [2] 
> https://www.qubes-os.org/doc/certified-hardware/#qubes-certified-laptop-insurgo-privacybeast-x230
>  
>  [3] https://www.qubes-os.org/doc/certified-hardware/ 
>  [4] 
> https://www.qubes-os.org/doc/certified-hardware/#hardware-certification-requirements
>  
>  [5] https://www.thinkwiki.org/wiki/Category:X230 
>  [6] https://www.coreboot.org/ 
>  [7] https://github.com/osresearch/heads/ 
>  [8] https://www.qubes-os.org/doc/anti-evil-maid/ 
>  [9] https://libreboot.org/faq.html#intelme 
> [10] 
> https://github.com/osresearch/heads-wiki/blob/master/Clean-the-ME-firmware.md#how-to-disabledeactive-most-of-it
>  
> [11] https://en.wikipedia.org/wiki/Interdiction 
> [12] https://insurgo.ca 
> [13] https://www.linkedin.com/in/thierry-laurion-40b4128/ 
> [14] https://trmm.net/About 
> [15] https://puri.sm/ 
> [16] https://www.nitrokey.com/ 
> [17] https://puri.sm/posts/introducing-the-librem-key/ 
>
> This announcement is also available on the Qubes website: 
>
> https://www.qubes-os.org/news/2019/07/18/insurgo-privacybeast-qubes-certification/
>  
>

[qubes-users] HCL asus k55a

2019-07-19 Thread fsaman963
-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fb0d0972-e2d2-4a98-858e-3a9745c0de98%40googlegroups.com.


[qubes-users] Re: ANN: Qubes-VM-hardening v0.8.4 released

2019-07-19 Thread Daniel Moerner
Thank you, this is a great tool. Everything is working perfectly as far as 
I can tell. It also works with fish shell by adding .config/fish to $chdirs.

I was thinking about what kinds of files, not present in the default 
installation but possibly added to a user's system, might need to be added 
to $chdirs and $chfiles manually. Perhaps such a list could go in the 
documentation. Some examples:

1. Any files sourced by your shell startup scripts that are in the 
persistent private volume, e.g., files that provide completion information 
for your shell but that aren't in the template.

2. Executables installed by other package managers that don't use the 
normal paths. For example, go uses $HOME/go/bin by default; cabal uses 
$HOME/.cabal/bin. Probably not worth trying to list all of these, but 
rather just noting the risk. Of course, users that make regular use of 
these package managers might not want to enable this kind of hardening for 
convenience reasons.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/746d4255-ab3d-4a70-847b-690700bcbff3%40googlegroups.com.


[qubes-users] Boot log

2019-07-19 Thread Frozentime345
After the latest update during boot it is showing messages like VT-D and 
others are not enabled. I tried to access this information using "sudo 
journalctl -b" but found nothing.


Is there any boot log that I can access to read and diagnose these 
issues?


Also, does anyone know why these messages are appearing now?

Thanks for your help in advance.

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fcba0667-d11a-bb59-9ddc-a80a1d1bb898%40gmail.com.


Re: [qubes-users] ANN: Qubes-VM-hardening bugfix...

2019-07-19 Thread Chris Laprise

On 7/18/19 11:53 AM, Chris Laprise wrote:
> Description:
>
> Qubes-VM-hardening
>
> Leverage Qubes template non-persistence to fend off malware at VM
> startup: Lock-down, quarantine and check contents of /rw private storage
> that affect the execution environment.
>
>     * Acts at VM startup before private volume /rw mounts
>     * User: Protect /home desktop & shell startup executables
>     * Root: Quarantine all /rw configs & scripts, with whitelisting
>     * Re-deploy custom or default files to /rw on each boot
>     * SHA256 hash checking against unwanted changes
>     * Provides rescue shell on error or request
>     * Works with template-based AppVMs, sys-net and sys-vpn



A bug fix has been posted and released as version 0.8.5. Updating is 
recommended (see Notes)...


Github link - https://github.com/tasket/Qubes-VM-hardening#notes



--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2eb3f9c7-6862-1a86-6a07-66c8c7e81556%40posteo.net.


Re: [qubes-users] Re: ANN: Qubes-VM-hardening v0.8.5 released

2019-07-19 Thread Chris Laprise

On 7/19/19 10:13 AM, Daniel Moerner wrote:
> Thank you, this is a great tool. Everything is working perfectly as far
> as I can tell. It also works with fish shell by adding .config/fish to
> $chdirs.
>
> I was thinking about what kinds of files, not present in the default
> installation but possibly added to a user's system, might need to be
> added to $chdirs and $chfiles manually. Perhaps such a list could go in
> the documentation. Some examples:
>
> 1. Any files sourced by your shell startup scripts that are in the
> persistent private volume, e.g., files that provide completion
> information for your shell but that aren't in the template.


If you could provide a specific example, that would be great. The usual
shell sources are already included, at least the ones that get executed.



> 2. Executables installed by other package managers that don't use the
> normal paths. For example, go uses $HOME/go/bin by default; cabal uses
> $HOME/.cabal/bin. Probably not worth trying to list all of these, but
> rather just noting the risk. Of course, users that make regular use of
> these package managers might not want to enable this kind of hardening
> for convenience reasons.


That is interesting about language-specific environments; these appear 
to be examples that don't play nicely with the host OS or shell. My 
initial advice here would be to add protection for $PATH (such as 
Qubes-VM-hardening) to your template early, then add these other 
components afterward. In future, it may be possible to parse the $PATH 
for anything that references the private volume, then automatically lock 
those paths down.


BTW, thank you for the bug fix! I've already posted it with a note in 
the Readme. The current version is now 0.8.5.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2851f8c1-9755-4160-af8c-70c3505aab8c%40posteo.net.


Re: [qubes-users] Re: ANN: Qubes-VM-hardening v0.8.5 released

2019-07-19 Thread Daniel Moerner
On Fri, Jul 19, 2019 at 1:21 PM Chris Laprise  wrote:
>
> On 7/19/19 10:13 AM, Daniel Moerner wrote:
> > Thank you, this is a great tool. Everything is working perfectly as far
> > as I can tell. It also works with fish shell by adding .config/fish to
> > $chdirs.
> >
> > I was thinking about what kinds of files, not present in the default
> > installation but possibly added to a user's system, might need to be
> > added to $chdirs and $chfiles manually. Perhaps such a list could go in
> > the documentation. Some examples:
> >
> > 1. Any files sourced by your shell startup scripts that are in the
> > persistent private volume, e.g., files that provide completion
> > information for your shell but that aren't in the template.
>
> If you could provide a specific example, that would be great. The usual
> shell sources are already included, at least the ones that get executed.

An example is the popular fuzzy finder fzf. Although this is packaged
in Fedora, I had a test VM where I followed the instructions to
install it as a vim plugin
(https://github.com/junegunn/fzf#as-vim-plugin), which creates
$HOME/.fzf.bash and appends [ -f ~/.fzf.bash ] && source ~/.fzf.bash
to your bashrc. If you then enable qubes-vm-hardening, although your
bashrc is protected with chattr, it is sourcing another file that
might be overwritten by a malicious user. (The contrast I'm drawing is
that the Fedora package's completion files in /usr/share/fzf/shell are
not user-writable.)

I don't think this is a case that you should expect to be able to
handle automatically, given that it relies on the user adding
something to their own bashrc. Once qubes-vm-hardening is installed,
the user will be forced to perform extra actions to edit bashrc and so
hopefully will think to also chattr +i ~/.fzf.bash, etc., if needed.
It would probably only be an issue when first enabling
qubes-vm-hardening in an older VM, which might have some of this stuff
left over.

>
> >
> > 2. Executables installed by other package managers that don't use the
> > normal paths. For example, go uses $HOME/go/bin by default; cabal uses
> > $HOME/.cabal/bin. Probably not worth trying to list all of these, but
> > rather just noting the risk. Of course, users that make regular use of
> > these package managers might not want to enable this kind of hardening
> > for convenience reasons.
>
> That is interesting about language-specific environments; these appear
> to be examples that don't play nicely with the host OS or shell. My
> initial advice here would be to add protection for $PATH (such as
> Qubes-VM-hardening) to your template early, then add these other
> components afterward. In future, it may be possible to parse the $PATH
> for anything
> > that references the private volume, then automatically lock those
> paths down.

No, they really don't play nicely, and there are real worries here, as
with that recent issue with rubygems and strong_password a few weeks
ago. I think the user will have to handle it themselves by editing the
/usr/lib/qubes/init/vm-boot-protect.sh script, depending on their
workflow. (For example, go uses $GOPATH/bin, and I believe some people
keep a startup file in each project directory with a custom $GOPATH
for that project which they source when working on it, leading to bin
directories scattered all over and a constantly changing GOPATH and
PATH. I wouldn't expect any of that to be handled automatically.)

>
> BTW, thank you for the bug fix! I've already posted it with a note in
> the Readme. The current version is now 0.8.5.

No problem!

Daniel

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAPSgt5%3DsQZo9k4iJpTtJqbTNbrx5kNtA1EXFNwr3q1i6HMJgHQ%40mail.gmail.com.
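An added example, not code from Qubes-VM-hardening, its vm-boot-protect.sh, or either poster, of the check Chris describes (walking $PATH for entries that reference the private volume), extended to the case Daniel raises (an rc file that sources a file living in /home, such as the ~/.fzf.bash line the fzf installer appends to ~/.bashrc). It assumes /home, /rw and /usr/local (which Qubes bind-mounts from /rw/usrlocal) as the persisted roots, takes the rc files to inspect as arguments, and only expands a leading ~/ or $HOME/ in sourced paths; every file and path it reports is left for the user to decide on.

```shell
#!/bin/sh
# Added example (not part of Qubes-VM-hardening or its vm-boot-protect.sh):
# audit an AppVM's $PATH and shell startup files for anything that lives on the
# persistent private volume, i.e. the places $chdirs/$chfiles would have to be
# told about by hand. Mount points and rc files here are assumptions.

# Directories whose contents survive an AppVM reboot: /home and /rw are the
# private volume itself, and Qubes bind-mounts /rw/usrlocal at /usr/local.
PRIVATE_ROOTS="/home /rw /usr/local"

# on_private_volume PATHNAME -> exit 0 if PATHNAME is one of, or under, PRIVATE_ROOTS
on_private_volume() {
    for root in $PRIVATE_ROOTS; do
        case "$1" in
            "$root"|"$root"/*) return 0 ;;
        esac
    done
    return 1
}

# private_path_entries PATHSTRING -> prints each $PATH element that either lies on
# the private volume or is relative (it then resolves against the current
# directory, which is usually somewhere in /home); an empty element is printed
# as "." because that is how the shell treats it.
private_path_entries() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || entry='.'
        case "$entry" in
            /*) if on_private_volume "$entry"; then printf '%s\n' "$entry"; fi ;;
            *)  printf '%s\n' "$entry" ;;
        esac
    done
}

# sourced_private_files RCFILE -> prints files that RCFILE pulls in with
# "source FILE" or ". FILE" and that live on the private volume, such as the
# "[ -f ~/.fzf.bash ] && source ~/.fzf.bash" line appended by the fzf installer.
# Only a leading ~/ or $HOME/ is expanded; other variables stay as written.
sourced_private_files() {
    [ -r "$1" ] || return 0
    grep -oE '(^|[[:space:];&|])(source|\.)[[:space:]]+[^[:space:];&|]+' "$1" |
    sed -E 's/^[[:space:];&|]*(source|\.)[[:space:]]+//' |
    while IFS= read -r target; do
        target=${target#\"}; target=${target%\"}   # drop surrounding quotes
        target=${target#\'}; target=${target%\'}
        case "$target" in
            '~/'*)     target="$HOME/${target#??}" ;;      # strip "~/"
            '$HOME/'*) target="$HOME/${target#??????}" ;;  # strip "$HOME/"
        esac
        if on_private_volume "$target"; then
            printf '%s\n' "$target"
        fi
    done
}

# audit_private_volume_hooks PATHSTRING [RCFILE...] -> prints one line per
# finding; exit status 0 when nothing was found, 1 otherwise, so it can gate a
# script or a pre-hardening checklist.
audit_private_volume_hooks() {
    pathstr=$1
    shift
    report=$(
        private_path_entries "$pathstr" | while IFS= read -r dir; do
            printf 'PATH entry on the private volume: %s\n' "$dir"
        done
        for rc in "$@"; do
            sourced_private_files "$rc" | while IFS= read -r f; do
                printf '%s sources %s from the private volume\n' "$rc" "$f"
            done
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Run as:  sh audit-private-hooks.sh --audit ~/.bashrc ~/.profile
if [ "${1:-}" = "--audit" ]; then
    shift
    audit_private_volume_hooks "$PATH" "$@"
fi
```

Anything it lists is a file or directory the template's hardening cannot see: the usual response is to add it to $chfiles/$chdirs (or chattr +i it, as Daniel does with ~/.fzf.bash) before relying on the protection of ~/.bashrc alone. The GOPATH-per-project workflow Daniel mentions is exactly the case the audit will keep flagging, since each sourced project file and each bin directory shows up as a separate finding.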


Re: [qubes-users] Re: [Advanced] Enabling nested virtualization in Qubes/HVM

2019-07-19 Thread 'awokd' via qubes-users

lastpoke...@gmail.com:
> On Sunday, 7 February 2016 23:12:25 UTC, he...@ruggedinbox.com  wrote:
>>  Add the following to your config file:
>>
>>  hap=1
>>  nestedhvm=1
>
> Cool but where is that config file located???

Note you are replying to a three year old post. I think there is more to 
it than just those config values, but you'd add them as Xen options to 
/boot/efi/EFI/qubes/xen.cfg (or /boot/grub2/grub.cfg). Try searching 
this list and qubes-issues for "nested virtualization".


--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e61b0d30-e772-ee8b-86a1-3ad662fb78b0%40danwin1210.me.


Re: [qubes-users] Boot log

2019-07-19 Thread 'awokd' via qubes-users

Frozentime345:
> After the latest update during boot it is showing messages like VT-D and
> others are not enabled. I tried to access this information using "sudo
> journalctl -b" but found nothing.
>
> Is there any boot log that I can access to read and diagnose these
> issues?
>
> Also, does anyone know why these messages are appearing now?
>
> Thanks for your help in advance.

Also look in /var/log/xen/console/hypervisor.log. Not sure why they 
would be appearing now; if they weren't working before you would have 
had trouble installing Qubes in the first place. Double check your 
UEFI ("BIOS") config to make sure they're still enabled.


--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/47210bf6-817d-8e04-92af-76407bed1f67%40danwin1210.me.


Re: [qubes-users] Confuse Update QUbes OS

2019-07-19 Thread 'awokd' via qubes-users

Luc libaweb:
> Hello,
>
> When I update my Dom0, I have :
> Failed to synchronize cach for repo "template" and "current"
>
> But, I have then nothing to do and complete.


This error is usually temporary, like if you are having internet 
trouble. Try running update again.



> Qubes OS is updated ?
>
> My release cat is 4.0 but not 4.0.1 ?


A fully patched install of 4.0 is no different than 4.0.1.


> I don't understand if I have to upgrade template or it's automatic with the
> update tool.
>
> Thanks

The update tool will update patches within templates. However, it does 
not handle updating to entirely new template versions like Fedora 29 to 
30 or Debian 9 to 10. See https://www.qubes-os.org/doc/templates for those.


--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e141e5c1-0730-9fa1-c6b7-5dc52934e8bd%40danwin1210.me.


Re: [qubes-users] Re: Announcement: Insurgo PrivacyBeast X230 Laptop meets and exceeds Qubes 4.0 hardware certification

2019-07-19 Thread 'awokd' via qubes-users

Thierry Laurion:
> Hello all.
>
> For those of you who would want to ask questions but are against using
> Google services/Twitter/Facebook, you are more than welcome to comment or post
> on my ZeroNet technical blog:
> http://127.0.0.1:43110/1DMb3CV66qZPwJqkgm4z12nu8BrAwDoD4g/?Post:26:PrivacyBeast+X230+is+alive!!!


Unless you hacked my computer, I don't think the above link is going to 
work. :)


Otherwise, nice work with the laptop!


--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ea6940f5-1db1-9556-cfe3-6bfe0ea12345%40danwin1210.me.


[qubes-users] EFI Xen Version

2019-07-19 Thread 'awokd' via qubes-users
When I boot a GRUB based Qubes PC, I see the Xen version is 4.8.5. 
However, when I boot my UEFI one, Xen is 4.8.4. My guess is I am 
pointing to the wrong .efi file, since I have to manually copy them to 
BOOT folder when I update. Which one is the right one? There are three:


/boot/efi/EFI/xen.efi.
/boot/efi/EFI/qubes/xen.efi
/boot/efi/EFI/qubes/xen-4.8.5-6.fc25.efi

Should I be manually copying that last one over the first two whenever I 
update it? They are different sizes and file dates.



--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/6652c052-0721-6100-d8e0-e8c69d4ff9ae%40danwin1210.me.


Re: [qubes-users] Re: Announcement: Insurgo PrivacyBeast X230 Laptop meets and exceeds Qubes 4.0 hardware certification

2019-07-19 Thread Thierry Laurion



On July 19, 2019 9:32:52 PM UTC, 'awokd' via qubes-users wrote:
>Thierry Laurion:
>> Hello all.
>> 
>> For those of you who would want to ask questions but are against using
>> Google services/Twitter/Facebook, you are more than welcome to comment or post
>> on my ZeroNet technical blog:
>> http://127.0.0.1:43110/1DMb3CV66qZPwJqkgm4z12nu8BrAwDoD4g/?Post:26:PrivacyBeast+X230+is+alive!!!
>
>Unless you hacked my computer, I don't think the above link is going to
>work. :)

This is a ZeroNet URL. :)
It can be accessed through a clearnet proxy here for read access:

https://zero.acelewis.com/#1DMb3CV66qZPwJqkgm4z12nu8BrAwDoD4g/?Post:26:PrivacyBeast+X230+is+alive!!!

>
>Otherwise, nice work with the laptop!
Thanks!

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/325EED15-FF83-4B9A-9ED3-788C045D951C%40gmail.com.