[qubes-users] U2F on Qubes

2019-09-22 Thread SP
Hello,

I followed the instructions here (
https://www.qubes-os.org/news/2018/09/11/qubes-u2f-proxy/) to set up the U2F 
proxy:

- I didn't install anything on sys-usb
- I installed `qubes-u2f` in my browser VMs
- I installed `qubes-u2f-dom0` in dom0 and enabled the `qubes-u2f-proxy` 
service for my browser VMs
- In dom0 I have the default policy for U2F (not per-qube access)

I see that the qubes-u2f-proxy service is running on the browser VMs where 
I want to use U2F. However, when I try to use U2F in Google Chrome, I see 
that `qrexec` returns a 127 status:

```
● qubes-u2fproxy@sys-usb.service - U2F proxy for sys-usb
   Loaded: loaded (/lib/systemd/system/qubes-u2fproxy@.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-09-22 16:54:54 PDT; 13min ago
 Main PID: 426 (qu2f-proxy)
    Tasks: 5 (limit: 4915)
   Memory: 27.4M
   CGroup: /system.slice/system-qubes\x2du2fproxy.slice/qubes-u2fproxy@sys-usb.service
           └─426 /usr/bin/python3 /usr/bin/qu2f-proxy sys-usb

Sep 22 16:54:54 primary systemd[1]: Starting U2F proxy for sys-usb...
Sep 22 16:54:54 primary systemd[1]: Started U2F proxy for sys-usb.
Sep 22 17:08:37 primary qu2f-proxy[426]: 2019-09-22 17:08:37,887 U2FHIDQrexecDevice.qrexec qrexec_client.returncode=127
```

I am not sure why this is happening. Any pointers on how I should debug 
this / what logs I should look at would be very helpful.


Thanks!

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/82d07f26-6dae-455b-9646-7cdbf768bb77%40googlegroups.com.


Re: [qubes-users] qubes whonix - Tor Control Panel says connection established but I can't browse TOR

2019-09-22 Thread cubecub

Sep 22, 2019, 22:20 by cube...@tutamail.com:

>
>
> Sep 22, 2019, 19:52 by qubes-users@googlegroups.com:
>
>> cube...@tutamail.com:
>>
>>> And that's what I'm having a problem with, unexpectedly. When I set up 
>>> 'sys-firewall' or 'sys-net' as netVM for 'whonix-sys' I can't get 
>>> 'anon-whonix' to establish Tor Browser connection, can't access any 
>>> website. Even whonix-sys 'Tor Control Panel' struggles with establishing 
>>> Tor connection. This is highly surprising as I don't live in a country 
>>> where ISP's prevent any onion/tor traffic. It should all work fine.
>>>
>>
>> Might be https://github.com/QubesOS/qubes-issues/issues/5331. TL;DR
>> version, try:
>>
>> qvm-features sys-whonix ipv6 ''
>>
>> and restart.
>>
>
> Thanks for pointing to related link and the fix. I executed the command, 
> rebooted and also played with changes to previous qubes-available kernel 
> version, although all within 4.19.* range. (*43, *67, *71). Unfortunately 
> successful connection has been made yet. 
> Are there more hints for potential solutions? Thanks.
>

I've just noticed that even though "Tor Control Panel" shows 'Connected to Tor 
network', when I check the status of the 'Time Synchronization Monitor' widget 
it's stuck on:
 "Last message from sys-whonix sdwdate: Initial time fetching in progress..."
for both whonix-sys and anon-whonix VM's. 
Strangely, the status doesn't get resolved. 
And as I mentioned the Tor-Control-Panel continues showing as "connected to Tor 
network". 

Such observation suggests there might be a problem with the 
Time-Synchronisation-Monitor, or should I say, with sys-whonix obtaining valid 
timestamp in order to get started. 

Hopefully this additional comment would help someone with suggesting a 
solution. 

Thank you.




Re: [qubes-users] qubes whonix - Tor Control Panel says connection established but I can't browse TOR

2019-09-22 Thread cubecub


Sep 22, 2019, 19:52 by qubes-users@googlegroups.com:

> cube...@tutamail.com:
>
>> And that's what I'm having a problem with, unexpectedly. When I set up 
>> 'sys-firewall' or 'sys-net' as netVM for 'whonix-sys' I can't get 
>> 'anon-whonix' to establish Tor Browser connection, can't access any website. 
>> Even whonix-sys 'Tor Control Panel' struggles with establishing Tor 
>> connection. This is highly surprising as I don't live in a country where 
>> ISP's prevent any onion/tor traffic. It should all work fine.
>>
>
> Might be https://github.com/QubesOS/qubes-issues/issues/5331. TL;DR
> version, try:
>
> qvm-features sys-whonix ipv6 ''
>
> and restart.
>

Thanks for pointing to related link and the fix. I executed the command, 
rebooted and also played with changes to previous qubes-available kernel 
version, although all within 4.19.* range. (*43, *67, *71). Unfortunately 
successful connection has been made yet. 
Are there more hints for potential solutions? Thanks.




[qubes-users] Re: Copying text to/from Dom0

2019-09-22 Thread Andrew David Wong

On 9/22/19 6:39 AM, duc...@disroot.org wrote:
> In the official documentation "Copying from (and to) dom0", there
> is no mention at all of how to copy text via the clipboard from a
> domain to dom0. What is the method to use?
> 

https://www.qubes-os.org/doc/copy-from-dom0/#copying-to-dom0

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org



Re: [qubes-users] Trouble building RTL8821CE WiFi drivers

2019-09-22 Thread 'awokd' via qubes-users
awokd:
> muhammad19238...@gmail.com:
>> Thank you, this worked fine (For future duckduckgoers, I did this on fedora 
>> in the end, I now feel it makes more sense because the disk usage of the 
>> template is not avoidable, by having extra templates it's just weighing your 
>> disk down). However I have one last parting question, once I reboot 
>> sys-net, I lose my driver and have to install it again. I have a feeling 
>> that I should install the driver in the template to keep persistence, is 
>> this correct? What is the qubes way to do this?
>>
> [Standalone qube]
> 
After thinking (slowly) on this one a bit more, it might be better if
you compiled the drivers inside the template, not as a standalone. That
way you can have sys-net as a regular AppVM and it will be more
resistant to compromise.

-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots



Re: [qubes-users] qubes whonix - Tor Control Panel says connection established but I can't browse TOR

2019-09-22 Thread 'awokd' via qubes-users
cube...@tutamail.com:

> And that's what I'm having a problem with, unexpectedly. When I set up 
> 'sys-firewall' or 'sys-net' as netVM for 'whonix-sys' I can't get 
> 'anon-whonix' to establish Tor Browser connection, can't access any website. 
> Even whonix-sys 'Tor Control Panel' struggles with establishing Tor 
> connection. This is highly surprising as I don't live in a country where 
> ISP's prevent any onion/tor traffic. It should all work fine. 

Might be https://github.com/QubesOS/qubes-issues/issues/5331. TL;DR
version, try:

qvm-features sys-whonix ipv6 ''

and restart.



[qubes-users] qubes whonix - Tor Control Panel says connection established but I can't browse TOR

2019-09-22 Thread cubecub

Hi, 
I have a problem with whonix on qubes 4.0.1 - manually upgraded to whonix-15, 
fedora-30, kernel 4.19. 

When whonix-sys networking VM is configured to my VPN VM, tor connection gets 
established which allows me to use TOR browser in 'anon-whonix'. Everything 
works fine, but... that's not the recommended way of connecting to TOR. When 
possible 'whonix-sys' should be set-up using ISP line directly ISP (non-VPN) so 
that Tor establishes the route between its 3 levels of nodes without having VPN 
server as a fixed entry/exit point. 

And that's what I'm having a problem with, unexpectedly. When I set up 
'sys-firewall' or 'sys-net' as netVM for 'whonix-sys' I can't get 'anon-whonix' 
to establish Tor Browser connection, can't access any website. Even whonix-sys 
'Tor Control Panel' struggles with establishing Tor connection. This is highly 
surprising as I don't live in a country where ISP's prevent any onion/tor 
traffic. It should all work fine. 

I then tried playing with various clock settings on my host (dom0) to match the 
clock in UTC in sys-whonix (timedatectl command). Unfortunately the problem 
persists - I am able to connect to Tor via VPN VM but not directly via 'open' 
ISP sys-net or sys-firewall VM. 
I have an impression the problem started after whonix upgrade to version 15 and 
qubes introduction of the clock-synchronisation-monitor. I might be completely 
wrong about it, it's just the timing of the issue coincides with the introduced 
qubes changes.

Has anyone had a similar problem? Or better still, does anyone know the 
solution and how to fix it?
Please help or point me in the right direction. 

Many thanks,
cubecub



Re: [qubes-users] Per-VM stream isolation in Whonix

2019-09-22 Thread tetrahedra via qubes-users

On Sun, Sep 22, 2019 at 02:51:00PM +, 'awokd' via qubes-users wrote:
> tetrahedra via qubes-users:
>> Is there any way to automatically do stream isolation on a per-VM basis?
>>
>> Right now it appears this is not necessarily the case -- the network
>> traffic of AppVMs A and B may end up using the same Tor circuits (and
>> exit nodes).
>>
>> Is there a way to set this up?
>
> Stream isolation is enabled out of the box- per application in most
> cases, per tab & TLD in Tor Browser's
> (https://www.whonix.org/wiki/Stream_Isolation).

I am referring to stream isolation for non-Whonix Workstation based VMs,
and/or for applications which are not wrapped by `uwt`.  (e.g Signal)

It would seem that different VMs ought to be stream isolated by default
(they are different VMs, we obviously want them isolated as much as
possible!)...



Re: [qubes-users] Signal on Whonix or Debian

2019-09-22 Thread Stumpy

On 2019-09-22 11:34, 'awokd' via qubes-users wrote:
> Stumpy:
>
>> W: GPG error: https://updates.signal.org/desktop/apt xenial InRelease:
>> The following signatures couldn't be verified because the public key is
>> not available: NO_PUBKEY D980A17457F6FB06
>
>> I also get a very similar message, with the exact same last message "See
>> apt-secure(8) manpage for repository creation and user configuration
>> details." when i try the Qubes way https://www.qubes-os.org/doc/signal/
>
> Double-check you ran step #3 in the template, not the AppVM. If you're
> using the whonix-ws-15 template, you might want to clone it and install
> Signal only on the clone, so not all Whonix AppVMs get Signal.

That got it! Thank you. Will try tackling LVMs again next weekend. 
Cheers mate.




Re: [qubes-users] Signal on Whonix or Debian

2019-09-22 Thread 'awokd' via qubes-users
Stumpy:

> W: GPG error: https://updates.signal.org/desktop/apt xenial InRelease:
> The following signatures couldn't be verified because the public key is
> not available: NO_PUBKEY D980A17457F6FB06

> I also get a very similar message, with the exact same last message "See
> apt-secure(8) manpage for repository creation and user configuration
> details." when i try the Qubes way https://www.qubes-os.org/doc/signal/

Double-check you ran step #3 in the template, not the AppVM. If you're
using the whonix-ws-15 template, you might want to clone it and install
Signal only on the clone, so not all Whonix AppVMs get Signal.



Re: [qubes-users] How to tell what AppVMs are on the ssd part of my LVM and which are on the regular drive?

2019-09-22 Thread 'awokd' via qubes-users
Stumpy:

> This time i did not go the secondary storage route as I was having a
> miserable time trying to get it to work, for whatever reason I seem to
> understand diagrams of LVM but when it comes to putting the whole thing
> together, esp via terminal, i am not getting it.
> So as a result, this time during the install I just selected both
> drives... so i guess its in raid0?

Run "sudo pvs". If both physical volumes are in the same VG (probably
qubes_dom0), I believe that's the case.

> So if i should reinstall, then I would need to install onto one drive,
> then try to the secondary storage method?

Yes; I am happy to help if you get stuck.

> Is there a way to use
> something like the blivet-gui?
> 
Maybe, but the less unnecessary software installed in dom0, the better...



[qubes-users] Signal on Whonix or Debian

2019-09-22 Thread Stumpy
I have been trying to install Signal on whonix but have run into some 
issues. Initially I tried the whonix method 
https://www.whonix.org/wiki/Signal and the first time i started it up it 
worked fine, but after restarting that appvm it now gives me:

```
user@host:~$ ./signal-start
+ set -e
+ sudo tee /etc/apt/sources.list.d/signal-xenial.list
+ echo 'deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main'
deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main
+ sudo apt-get update
Hit:1 tor+https://deb.whonix.org buster InRelease
Hit:2 https://packages.riot.im/debian buster InRelease
Get:3 https://updates.signal.org/desktop/apt xenial InRelease [2,316 B]
Hit:5 https://deb.qubes-os.org/r4.0/vm buster InRelease
Get:4 tor+https://cdn-aws.deb.debian.org/debian-security buster/updates InRelease [39.1 kB]
Hit:6 tor+https://cdn-aws.deb.debian.org/debian buster InRelease
Err:3 https://updates.signal.org/desktop/apt xenial InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D980A17457F6FB06
Get:7 tor+https://cdn-aws.deb.debian.org/debian-security buster/updates/main amd64 Packages [91.7 kB]
Get:8 tor+https://cdn-aws.deb.debian.org/debian-security buster/updates/main Translation-en [55.7 kB]
Reading package lists... Done
W: GPG error: https://updates.signal.org/desktop/apt xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY D980A17457F6FB06
E: The repository 'https://updates.signal.org/desktop/apt xenial InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
```



I also get a very similar message, with the exact same last message "See 
apt-secure(8) manpage for repository creation and user configuration 
details." when i try the Qubes way https://www.qubes-os.org/doc/signal/


I have tried changing a few things like substituting in buster for 
xenial but nothing, still get those errors.


Thoughts?



Re: [qubes-users] How to tell what AppVMs are on the ssd part of my LVM and which are on the regular drive?

2019-09-22 Thread Stumpy

On 2019-09-21 14:48, 'awokd' via qubes-users wrote:
> Stumpy:
>> I did a fresh install on my computer and (am pretty sure) I setup an LVM
>> (I know I am not using the right termin, sorry) across the SSD drive and
>> the regular drive. The problem is, my computer is now much slower than
>> it was when I was running everything off the SSD, which I am pretty sure
>> is due to the AppVMs and/or templates being on the regular drive (my CPU
>> and MEM appear to be fine when i try to start up an appvm, yet, it takes
>> 30sec to 1.5 mins to start a appvm up? That can't be right?
>> I am not sure how to "place" some of my smaller appvms and templates on
>> the SSD part and the too-big ones on the regular drive part.
>
> Did you follow https://www.qubes-os.org/doc/secondary-storage/ to set up
> a secondary pool, or did you add your hard drive to the primary Qubes
> pool/disk group? If you added the hard drive to existing, I think LVM
> defaults to setting them both up as RAID0 (paging @tasket!). If that's
> the case, you should probably do a wipe and reinstall.

This time i did not go the secondary storage route as I was having a 
miserable time trying to get it to work, for whatever reason I seem to 
understand diagrams of LVM but when it comes to putting the whole thing 
together, esp via terminal, i am not getting it.
So as a result, this time during the install I just selected both 
drives... so i guess it's in raid0?

So if i should reinstall, then I would need to install onto one drive, 
then try to the secondary storage method? Is there a way to use 
something like the blivet-gui?




Re: [qubes-users] Per-VM stream isolation in Whonix

2019-09-22 Thread 'awokd' via qubes-users
tetrahedra via qubes-users:
> Is there any way to automatically do stream isolation on a per-VM basis?

> Right now it appears this is not necessarily the case -- the network
> traffic of AppVMs A and B may end up using the same Tor circuits (and
> exit nodes).
> 
> Is there a way to set this up?
> 
Stream isolation is enabled out of the box- per application in most
cases, per tab & TLD in Tor Browser's
(https://www.whonix.org/wiki/Stream_Isolation).

If you want the VMs to use different guard nodes, you can point them at
separate Whonix gateways
(https://www.whonix.org/wiki/Multiple_Whonix-Gateway). However, keep in
mind there are trade-offs
(https://blog.torproject.org/improving-tors-anonymity-changing-guard-parameters)
to using additional guards.



[qubes-users] Per-VM stream isolation in Whonix

2019-09-22 Thread tetrahedra via qubes-users

Is there any way to automatically do stream isolation on a per-VM basis?

For example:

I start AppVM "A", with networking via Whonix, and interact with the
internet as "Alice"

I start AppVM "B", with networking via Whonix, and interact with the
internet as "Bob"

Naturally I want Alice to appear to be using a different IP address than
Bob, else the two identities are linked.

Right now it appears this is not necessarily the case -- the network
traffic of AppVMs A and B may end up using the same Tor circuits (and
exit nodes).

Is there a way to set this up?



Re: [qubes-users] Making a DispVM permanent

2019-09-22 Thread brendan . hoar
On Sunday, September 22, 2019 at 7:37:40 AM UTC-4, one7...@gmail.com wrote:
>
> Hello,
>
> *From:* tetrahedra via qubes-users
> *Subject:* [qubes-users] Making a DispVM permanent
>
> Is there a way to turn currently-running DispVM instance into a regular 
> permanent AppVM, which I can delete later?
>
> 
>
> The way I would do it:
>
> 1) Open a xterm in the same (!) disposable VM
> qvm-run  xterm
>
> 2) close all other windows in this dispvm
> (Make sure that xterm is running in the VM to avoid that the VM gets 
> deleted)
>
>
The one additional caution or clarification I suggest is:
Dom0 is monitoring whatever the first window/process was that it asked the 
dispVM to open. If that window/process exits, the VM will be shutdown.

I typically open a dispVM xterm, open another xterm, and then window-shade 
and/or minimize the original one...just to avoid mistakenly closing it and 
exiting the VM early.

Brendan



Re: [qubes-users] Copying text to/from Dom0

2019-09-22 Thread 799
Hello

 wrote on Sun, 22 Sep 2019, 13:40:

>
> In the official documentation "Copying from (and to) dom0", there is no
> mention at all of how to copy text via the clipboard from a domain to
> dom0. What is the method to use?


Copying from dom0 to an AppVM is ok, as dom0 has to be trusted. The
opposite way you are moving data from a more untrusted source to dom0. This
includes a risk (from a "being reasonably secure perspective").

The way I do it, is to use "xclip" which is installed in the AppVM
(template).
Xclip can be used to copy the content of the clipboard to a file or the
other way around.
Therefore you could write a script in dom0 which will take the AppVM
clipboard content inside the AppVM store it in a file and then use pass-io
or qvm-copy to move the data from the AppVM to dom0 and - if you install
xclip in dom0 - even to the clipboard of dom0.

I'm using xclip to move screenshots from dom0 to the AppVM, if you look
into the script you will be able to get an idea how xclip works.

https://github.com/one7two99/my-qubes/blob/master/dom0-scripts/qvm-screenshot-to-clipboard.sh

[799]
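
A dom0-side script of the kind this message describes, as an added example (it is not 799's script and not Qubes project code). The function names, the `QVM_RUN` hook and the 4096-byte cap are assumptions made here; `--pass-io` is the `qvm-run` option the message refers to as pass-io.

```shell
#!/bin/sh
# Added example, run in dom0. Assumes xclip is installed in the source qube
# (as in the message above); every function name here is made up for this example.
QVM_RUN=${QVM_RUN:-qvm-run}     # hook: lets a stand-in replace qvm-run for a dry run
MAX_BYTES=${MAX_BYTES:-4096}    # assumed cap; a pasted address or command is far smaller

# Reduce untrusted clipboard bytes to plain text before anything in dom0
# displays them: cap the size first, then keep only printable ASCII, tab and
# newline. ESC and the other control bytes are dropped, so terminal escape
# sequences arrive as inert visible text.
sanitize_clip() {
    head -c "$MAX_BYTES" | LC_ALL=C tr -cd '\11\12\40-\176'
}

# Read the clipboard of qube $1. The single quotes matter: xclip runs inside
# the qube, and dom0 only sees the byte stream that --pass-io relays.
fetch_clip() {
    "$QVM_RUN" --pass-io "$1" 'xclip -o -selection clipboard' | sanitize_clip
}

# Save the sanitized text to a file for review instead of loading it straight
# into the dom0 clipboard.
pull_clip() {
    vm=$1
    out=${2:-$HOME/clip-from-$vm.txt}
    case $vm in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "bad qube name: $vm" >&2; return 2 ;;
    esac
    fetch_clip "$vm" > "$out"
    # The pipeline's status is that of tr, so check what actually arrived.
    [ -s "$out" ] || { echo "nothing received from $vm" >&2; return 1; }
    echo "saved $(wc -c < "$out") bytes from $vm to $out" >&2
}

# Usage in dom0:  sh pull-clip.sh vault
# After reading the file:  xclip -selection clipboard < ~/clip-from-vault.txt
# (that last step needs xclip installed in dom0 as well).
if [ "$#" -ge 1 ]; then pull_clip "$@"; fi
```
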



[qubes-users] Copying text to/from Dom0

2019-09-22 Thread duc01k
Sorry guys, another couple of questions!

I was trying to manually correct the .onion addresses in the dom0 repos
at qubes-dom0.repo and qubes-templates.repo. I had the new address in a
text file on a flash drive. I think the advice is not to connect flash
drives directly to dom0 so I attached it to the Vault domain instead.
Then I discovered I didn't know how to copy/paste the text from that
domain's clipboard to dom0.

In the official documentation "Copying from (and to) dom0", there is no
mention at all of how to copy text via the clipboard from a domain to
dom0. What is the method to use?

Later, when I was trying to copy text from dom0 Console via clipboard to
the Vault domain, I read the same article and it says:

> 1. Use the **Qubes Clipboard** widget:
>   - Copy text to the clipboard normally in dom0.
>   - Click the **Qubes Clipboard** icon in the Notification Area

But I can't find a Qubes Clipboard icon in the Notification Area. I'm
not even sure where the Notification Area is - is it the Task Bar at the
top of the screen? All notifications seem to cascade down the right side
of the screen, and there's definitely no icon there.



Re: [qubes-users] Making a DispVM permanent

2019-09-22 Thread one7two99
Hello,

From: tetrahedra via qubes-users
Subject: [qubes-users] Making a DispVM permanent

Is there a way to turn currently-running DispVM instance into a regular 
permanent AppVM, which I can delete later?



The way I would do it:

1) Open a xterm in the same (!) disposable VM
qvm-run  xterm

2) close all other windows in this dispvm
(Make sure that xterm is running in the VM to avoid that the VM gets deleted)

3) create a new VM which is not a disposable VM.
Start this VM.

4) tar.gzip the home directory of the Disposable VM and extract it in the App 
VM.
You have several options:

1) make an archive of the dispvm-home and store it in /tmp of the dispvm, then 
qvm-copy this file to the other AppVM. Move it to the /tmp there and then 
extract the archive

2) run a command from dom0 to tar.gzip /home in the dispvm and use pass-io to 
pass the data to an extract command in the AppVM.

After you make sure that the data has arrived in the AppVM you can close 
the xterm window of the dispvm which will delete the dispvm.

I haven't verified the above steps, but it should work. 

[799]
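
Option 2 of step 4 and the final "make sure the data has arrived" check, written out as an added example (not code from this message or from the Qubes project). The function names, the `from-<dispvm>` target directory and the `QVM_RUN` hook are assumptions made here; the script is run in dom0 while the xterm from step 1 keeps the disposable alive.

```shell
#!/bin/sh
# Added example, run in dom0. Function names, the from-<dispvm> directory and
# the QVM_RUN hook are made up for this example.
QVM_RUN=${QVM_RUN:-qvm-run}     # hook: lets a stand-in replace qvm-run for a dry run

# Reject empty names, names starting with "-" (qvm-run would read them as an
# option) and anything outside the characters used in qube names.
valid_vm_name() {
    case $1 in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Digest of every regular file under directory $2 of qube $1. $2 is expanded
# inside the qube, so '$HOME' means that qube's home directory.
tree_digest() {
    "$QVM_RUN" --pass-io "$1" \
        "cd \"$2\" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 | sha256sum"
}

# relay_home <dispvm> <appvm>: stream the disposable's home to the AppVM, then
# compare digests. dom0 only relays the compressed stream and never unpacks it.
relay_home() {
    src=$1
    dst=$2
    if ! valid_vm_name "$src" || ! valid_vm_name "$dst" || [ "$src" = "$dst" ]; then
        echo "usage: relay_home <dispvm> <appvm>" >&2
        return 2
    fi
    # Unpack into a subdirectory, not over the AppVM's own home: dotfiles such
    # as .bashrc from the disposable stay inert until they have been looked at.
    dest="\$HOME/from-$src"
    "$QVM_RUN" --pass-io "$src" 'tar -C "$HOME" -czf - .' |
        "$QVM_RUN" --pass-io "$dst" "mkdir -p \"$dest\" && tar -C \"$dest\" -xzf -" ||
        return 1
    want=$(tree_digest "$src" '$HOME') || return 1
    got=$(tree_digest "$dst" "$dest") || return 1
    if [ -n "$want" ] && [ "$want" = "$got" ]; then
        echo "copy verified; the xterm in $src can be closed now" >&2
    else
        echo "digest mismatch; keep $src running and retry" >&2
        return 1
    fi
}

# Usage in dom0:  sh relay-home.sh disp1234 my-new-appvm
if [ "$#" -eq 2 ]; then relay_home "$@"; fi
```

A file that changes inside the disposable between the copy and the check is reported as a mismatch, which is why step 2 (closing the other windows first) matters.
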



Re: [qubes-users] System and Template updates over Tor

2019-09-22 Thread duc01k
'awokd' via qubes-users:
> duc...@disroot.org:
> 
>> I followed the Onionizing Repos guide, commented out the metalinks and
>> uncommented the onion lines. On first test (sudo qubes-dom0-update) I
>> got a 404 error:
>>
>>> HTTP Error 404 - Not Found
>>
>>> http://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r4.0/current/dom0/fc25/repodata/repomd.xml
>>> "Error: Cannot retrieve repository metadata for (repomd.xml) for 
>>> repository: qubes-dom0-current"
> 
> I think that's the old onion. If you hadn't ran dom0 updates since
> installing, it might not have been corrected. Should now be showing this
> one in your qubes-dom0.repo & qubes-templates.repo:
> 
> http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
> 

Fixed it now. Thanks.
