Re: [qubes-users] Qubes, Fedora, and package signing

2020-01-24 Thread tetrahedra via qubes-users

On Thu, Jan 23, 2020 at 02:30:52PM +, 'awokd' via qubes-users wrote:
> tetrahedra via qubes-users:
>> A few times people have observed that Fedora's package signing leaves a
>> few things to be desired. While Qubes' security model doesn't depend on
>> Fedora entirely, a compromised template compromises the machine -- and
>> package repos are a good way to compromise a template.
>>
>> Why does Qubes still seem to use Fedora as the "primary" choice and
>> Debian as the "secondary" one?
>
> Start here https://github.com/QubesOS/qubes-issues/issues/1919 and work
> your way backwards. :)

My question was intentionally phrased not to be about dom0 :p

There has been some discussion on this list about alternative sys-* VMs
but it still seems to me that Qubes views Fedora as the "primary" choice
-- perhaps because dom0 is Fedora.

Of course a compromise in the package signing would also potentially
compromise dom0, so it's still an issue.

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20200125044204.GB1051%40danwin1210.me.


Re: [qubes-users] Disposable sys-usb creation fails with "unable to reset PCI device"

2020-01-24 Thread tetrahedra via qubes-users

On Thu, Jan 23, 2020 at 02:22:20PM +, 'awokd' via qubes-users wrote:
> tetrahedra via qubes-users:
>> Following the directions here:
>> https://www.qubes-os.org/doc/disposablevm-customization/#create-the-sys-usb-disposablevm
>
> In step 5, did you include the option?


I used the Qube Manager GUI to attach but -- since the USB controllers
were still marked as attached to disp-sys-usb when I ran `qvm-pci` with
disp-sys-usb powered off, I assume the answer is "yes."

Just in case I removed all the USB controllers from disp-sys-usb, then
ran the step 5 command with all USB controllers (including the
`--persistent` option) and tried starting disp-sys-usb.

The original error ("unable to reset PCI device...") still occurs when
trying to start disp-sys-usb.



> Did you detach the USB controller from your existing sys-usb (or at
> least shut it down)?


I shut down sys-usb but did not detach the devices from it.

I tried removing the devices from sys-usb (so they were exclusively
attached to disp-sys-usb) but the error still appears after doing so.



Re: [qubes-users] How does Microsoft Office in a Windows VM work ?

2020-01-24 Thread unman
On Fri, Jan 24, 2020 at 07:14:27AM -0800, M wrote:
> Now that it seems that several got Windows 10 running in a VM in Qubes OS, I 
> wonder what the experiences are with running Microsoft Office in that Windows 
> 10 VM ?
> 
> Does it runs nicely without any problems, almost, a little bit unstable, 
> quite unstable or is it completely terrible ?
> 
> Is there any functions that doesn’t work and if so which ?
> 
> I should probably admit that I’m totally new to Linux. I have only Windows 
> and Mac experience to compare with - where I’m also used to get errors when 
> working with WordMat.
> 

I have set users up with Win10 and Win7 with MS Office.
In both cases everything seems to work fine - on your scale "runs
nicely without any problems, almost".
The only issue seems to be that presentation mode doesn't work properly
with 2 screens/projector.



[qubes-users] Re: [qubes-devel] NVIDIA RTX 20XX

2020-01-24 Thread Frédéric Pierret
Hi,

Thank you for your feedback. I just tested under R4.1 in development and
I succeeded in getting a kernel log thanks to Marek and a few hacks in dom0.

Here is the bug report: https://bugzilla.kernel.org/show_bug.cgi?id=206299

FYI, I tried a few months ago to build the NVIDIA module under Qubes but I hit
a problem of allocating buffers. It was the same problem as one
reported on the NVIDIA dev forum by another person using Xen as a desktop
machine (not Qubes).

Best,

Frédéric

On 2020-01-24 17:22, Ralph Alexander Bariz wrote:
> Have the same problem with a rtx 2070. My temporary solution is to put a 
> cheap gpu into my pc(nvidia geforce 710) into the second pci port and cut off 
> the power of the 2070 when using qubes.
> the problem is simple. The included nouveau driver does not support it. You 
> could install the proprietary one what's a security problem.
> my attempt to solve it, when I've got time, will be to compile the newest 
> nouveau driver in a fedora 25 qubes and install it to dom0.
> For sure it's necessary to ensure cube not getting compromised in the process. 
>
> BR
>



[qubes-users] Can a compromised AppVM be made trustworthy by truncating its private volume?

2020-01-24 Thread Demi M. Obenour
If an AppVM is compromised, is truncating its private volume (which is
documented) enough to restore it to a trustworthy state?  Obviously,
this loses all data on that volume, but the cases I have in mind are
where a DispVM template was accidentally started itself, rather than
a DispVM based on it.

Sincerely,

Demi



[qubes-users] Re: How does Microsoft Office in a Windows VM work ?

2020-01-24 Thread pixel fairy
worked fine as of a couple years ago using this method.

https://groups.google.com/forum/#!msg/qubes-users/dB_OU87dJWA/X2WWa1y-BQAJ

haven't tried since.

On Friday, January 24, 2020 at 7:14:27 AM UTC-8, M wrote:
>
> Now that it seems that several got Windows 10 running in a VM in Qubes OS, 
> I wonder what the experiences are with running Microsoft Office in that 
> Windows 10 VM ? 
>
> Does it runs nicely without any problems, almost, a little bit unstable, 
> quite unstable or is it completely terrible ? 
>
> Is there any functions that doesn’t work and if so which ? 
>
> I should probably admit that I’m totally new to Linux. I have only Windows 
> and Mac experience to compare with - where I’m also used to get errors when 
> working with WordMat.



Re: [qubes-users] How does Microsoft Office in a Windows VM work ?

2020-01-24 Thread 'awokd' via qubes-users
M:
> Now that it seems that several got Windows 10 running in a VM in Qubes OS, I 
> wonder what the experiences are with running Microsoft Office in that Windows 
> 10 VM ?
> 
> Does it runs nicely without any problems, almost, a little bit unstable, 
> quite unstable or is it completely terrible ?
> 
> Is there any functions that doesn’t work and if so which ?
> 
> I should probably admit that I’m totally new to Linux. I have only Windows 
> and Mac experience to compare with - where I’m also used to get errors when 
> working with WordMat.
> 
Don't know about Microsoft Office, but Libreoffice on Debian works well
and can read most Microsoft documents without problem.

-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots



[qubes-users] Re: Cant create Windows App VM based on a template

2020-01-24 Thread kamil . rejczyk
In my case, I have a problem with this "dd workaround". 
Env: 
- QubesOS 4.0.3 and latest QWT 4.0.1-3
When:
1) create Windows 7 x64 pro HVM template (private 2GB)
2) install QWT this on 4.0 qube
3) clone StandaloneVM from prepared template (same parameters, private 2GB)
4) a) Windows on StandaloneVM crash because User Login service could not find profiles.
   b) recreate StandaloneVM, try to dd -> ERROR
Ad. ERROR
After 2GB of copy "No space on device left" what is wrong information.
After remove CONV flag, the same.
After add to cmd line "bs=1M count=2048", Copy pass, but still result from 4a).

Do You have any ideas?

On Friday, 20 April 2018 at 19:32:47 UTC+2, gal...@gmail.com wrote:
>
> I'm using Qubes 4 and have created a Windows template VM with windows 7. 
> I've installed all the updates and Qubes windows tools which has made a 
> separate private 'disk' for the user settings/files. This all works fine.
>
> I now want to make an AppVM based on my template. When I do this, the 
> AppVM does not have a private disk so does not have the user 
> profile/desktop, etc.
>
> I don't know what has gone wrong. I'd appreciate any help.
>
>



Re: [qubes-users] High latency between VMs

2020-01-24 Thread 'awokd' via qubes-users
*Null* **:
> I noticed some services were a bit laggy lately and pinged from an APPVM to 
> sys-net. There appeared to be a .500ms delay per hop to sys net. So APPVM > 
> sys-firewall > sys-net = about 1ms delay. This becomes fairly substantial 
> if there are other ProxyVMs like a sys-vpn or whonix. This occurs using all 
> debian minimal vms, or fedora 30(full or minimal) vms for sys-net etc.
> 
> This was not like this before(Qubes 3.2 and early releases of 4). For 
> instance, I have security cameras that were perfectly usable going through 
> a machine running qubes, out to the web, and viewed on a phone from 
> anywhere. Now, the connection is a crawl to the point the framerate can't be 
> maintained and the connection drops out.
> 
> Is there something I can do to correct this issue? Or run further tests? 
> This is occurring on a laptop and desktop at about the same rate.
> 
I'm seeing similar RTTs on a ping from an AppVM to sys-net. Wonder if it
could be due to the CPU vulnerability mitigations found over the past
couple years, but I tested on both an AMD and Intel system with similar
results.

However, I don't think RTT alone is causing the problem with your
cameras. 30 ms is a good time for anything over the Internet, so if
Qubes makes it 31 ms that shouldn't have any impact on framerate. It
could be CPU bound instead of network. Can you access cameras through
Qubes from your internal network instead of the Internet for a test?
Also, watch "xl top" in dom0 while you do, and see if any associated
AppVMs are capping out CPU. If so, this could also be due to those
mitigations- try assigning more cores to the VM maxing out.

-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots



Aw: Re: Re: [qubes-users] Installation freezes before displaying installer - UEFI-Troubleshooting impossible

2020-01-24 Thread Andreas Bertling
Hello Claudia, hello Qubes-Community,

now I'm here at the end having the same problem since Monday: installation freezes before displaying installer with black screen... What did I try in the meantime:

1) Recreate a usb-stick following completely the Installation-Guide on "https://www.qubes-os.org/doc/installation-guide/".

But before

$ sudo dd if=Qubes-R4.0.3-x86_64.iso of=/dev/sdb bs=1048576 && sync

I do

$ sudo umount sdb1

so the plugged-in usb-drive is really totally unmounted before writing to /dev/sdb.

Ends again in the read-only usb-stick, where I can't modify the BOOTX64.cfg.

Then I tried to use the RUFUS-Tool under Windows and write the usb-drive in "iso-image-mode" to try to get writing-access and then doing the installation again with modified files for troubleshooting. I got a writeable usb-stick, modified the BOOTX64.cfg with all the things mentioned on "https://www.qubes-os.org/doc/uefi-troubleshooting/":

options=console=vga efi=no-rs
# noexitboot=1
# mapbs=1

But now, the usb-stick boots up but the installation freezes as same as before displaying installer.

> It should be mounted as vfat, not iso9660. You can try mounting it as vfat with `mount -t vfat /dev/sdb1 /mnt`, but I don't think it'll work without being rewritten.

Yes thanks for this tip, but don't work, too.

Change to "Legacy-Boot" isn't possible in the boot-menu of my machine. Now I'm on my end and very very sad, that I won't able to work with Qubes. I think, it is the fu**ing NVIDIA-Card (1660Ti), which I couldn't deselect from the base-configuration of my new laptop.

Has anyone another idea which can solve the problem?

I wish all a nice weekend.

Regards from Leipzig - Germany,

Andreas.





Re: [qubes-users] Re: HCL - Dell Inspiron 15 5000 (5575) AMD Ryzen 5 2500U w/ Vega 8 Graphics

2020-01-24 Thread Claudia
January 24, 2020 3:02 PM, "M"  wrote:

> I use DVD’s so that the files can’t be edited or a malicious file can’t be 
> placed on the
> installation media in case it’s inserted in a compromised pc. But yes, it 
> seems to require a lot of
> disc as Qubes OS not always develops linear. :j

This is good security practice. I recommend it if you don't mind the 
inconvenience. 

> Regarding editing ISO-files, I’m not as technical as you. So that would 
> require some detailed
> instructions.

The process for editing the ISO kernel parameters is described in 
https://www.qubes-os.org/doc/uefi-troubleshooting/ , except in your case you 
are adding the "nomodeset" option instead of the ones they tell you in the 
guide (based on your symptoms). Add "nomodeset" to the end of each "kernel=" 
line in xen.cfg.

Note: after you rebuild the ISO, optionally you may want to run it in a VM to 
make sure you got everything right, before you burn a DVD. Don't expect it to 
actually work correctly, but just make sure you're able to select the "Install 
Qubes" boot menu entry and that it doesn't complain about a bad config file or 
anything. If everything goes as it should, most likely you'll get a "sorry, 
this system doesn't support virtualization" type of message because it's 
already running in a VM. If so, that's good, burn to DVD.

However, that being said...

Honestly, the easiest thing right now would be download the R4.1 pre-release, 
burn it, try it with default settings first, and if you get the same problem as 
before, add nomodeset. To do that just press 'e' when you see the grub boot 
menu (with option "Qubes R4.1, with Xen hypervisor" highlighted) and then add 
"nomodeset" at the end of the kernel line (it looks something like "multiboot2 
vmlinuz ..."). 

> Just to rule the option out: Could it be possible that when installing from a 
> burned ISO-file the
> installation fails, while installing from a USB with a transferred ISO-file 
> using Rufus in dd-mode
> the installation of Qubes OS succeed ? - If so, I would try that first. But 
> then I have to buy a
> new USB flash drive.

In this situation, I kind of doubt it. The problem seems to be at a higher 
level than that, since you're getting to an anaconda console at least. It's 
probably a kernel version issue or graphics driver issue.



Re: [qubes-users] Choosing a TemplateOS for security

2020-01-24 Thread *Null* **
What about a rolling release model for all qubes like arch linux?

This way there is one static state for all VMs, in their default state.
No need to retool for version upgrades on at least two different 
distributions, three if you count dom0.

One standard template can be maintained like a service model rather than 
release based model.
Qube templates could be backed up and branched off from(via clones) as 
needed by the user.
Devs and others interested would only have one code base to review and 
improve on.



[qubes-users] Re: debian-10-minimal as vpn proxy with qubes-vpn-support

2020-01-24 Thread *Null* **
I know this is not what you are asking for, but I was able to get a 
deb-10-minimal vpn vm by following the vpn write up in the qubes docs. The 
only problem is the little pop up window for VPN UP or DOWN does not work 
properly but I did not bother finding out why.



On Friday, January 24, 2020 at 10:23:31 AM UTC-5, Dominique St-Pierre 
Boucher wrote:
>
> Good day Qubes OS Community,
>
> I am trying to get a vpn proxy run based on the debian-10-minimal. I am 
> trying to connect to protonvpn. I was able to do it with a fedora proxy so 
> I know it works.
>
> I was able to install everything needed in the template, I configured 
> qubes-vpn-support on my vpn proxy but when I try to connect, I got error 
> related to the update-resolv-conf script.
> Getting this error message:
> resolvconf: Error: Command not recognized
> Usage: resolvconf (-d IFACE|-a 
> IFACE|-u|--enable-updates|--disable-updates|--updates-are-enable
>
> Can someone point me in the right direction with the difference between 
> resolvconf on Fedora and resolvconf on Debian?
>
> Thanks
>
> Dominique
>



[qubes-users] Help needed diagnosing poor IP camera performance with only 'some' hvms

2020-01-24 Thread *Null* **
I had three cameras attached to a PoE switch, which was plugged into a NIC 
on a qubes machine. They ran through an OpnSense hvm(standalone) and out 
through sys-net. Performance was fine but I wanted to move to a qubes 
template-based vm to control the NIC. 

So I created a Debian-10-minimal template, installed 
qubes-core-agent-networking and qubes-core-agent-network-manager(the only 
non stock things installed), assigned the NIC to the AppVM(in HVM mode), 
and configured the camera facing NIC(ens7 in this case) as "Shared to Other 
Computers". I gave the debian vm the same ram(4gb) and vcpus(2) as the 
OpnSense hvm. Performance was terrible.

On an external wifi I could typically get a stream of 4000 kbps with the 
OpnSense hvm routing the cameras through Qubes.
Now, I am getting at best 100kbps and the connection drops off.

To test, I attached the NIC to a Fedora 30 vm running an apache server and 
was able to connect to the cameras at 4000kbps. In all cases, the cameras 
have been routed through the same sys-net and sys-firewall vms whether they 
are coming from OpnSense, debian, or fedora.

I have a similar setup connecting other computers to Qubes, where their 
NICS are run by a copy of the debian-minimal hvm and browsing and 
downloading is unaffected. I can usually get about 90% of my network 
connection speed, through a vpn, with it set up this way.

For my own education, what could be causing the differences in the 
connections with these cameras?
Are the cameras saturating a buffer I could tweak?




[qubes-users] debian-10-minimal as vpn proxy with qubes-vpn-support

2020-01-24 Thread Dominique St-Pierre Boucher
Good day Qubes OS Community,

I am trying to get a vpn proxy run based on the debian-10-minimal. I am 
trying to connect to protonvpn. I was able to do it with a fedora proxy so 
I know it works.

I was able to install everything needed in the template, I configured 
qubes-vpn-support on my vpn proxy but when I try to connect, I got error 
related to the update-resolv-conf script.
Getting this error message:
resolvconf: Error: Command not recognized
Usage: resolvconf (-d IFACE|-a 
IFACE|-u|--enable-updates|--disable-updates|--updates-are-enable

Can someone point me in the right direction with the difference between 
resolvconf on Fedora and resolvconf on Debian?

Thanks

Dominique



[qubes-users] How does Microsoft Office in a Windows VM work ?

2020-01-24 Thread M
Now that it seems that several got Windows 10 running in a VM in Qubes OS, I 
wonder what the experiences are with running Microsoft Office in that Windows 
10 VM ?

Does it runs nicely without any problems, almost, a little bit unstable, quite 
unstable or is it completely terrible ?

Is there any functions that doesn’t work and if so which ?

I should probably admit that I’m totally new to Linux. I have only Windows and 
Mac experience to compare with - where I’m also used to get errors when working 
with WordMat.



Re: [qubes-users] can not update dom0

2020-01-24 Thread 'awokd' via qubes-users
evo:
> Hi!
> 
> Can not update dom0, get after sudo qubes-dom0-update
> "/usr/lib/qubes/qubes-download-dom0-updates.sh: No such file or directory".
> 
> Did nothing special before that.

Double-check you are using a supported template (Debian, Fedora, Whonix)
under your UpdateVM. Recreate the UpdateVM if so (deploy new AppVM from
template), point to it in Qubes Global Setting. If that fixes it, you
might also want to adjust /etc/qubes-rpc/policy/qubes.UpdatesProxy.

-- 
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots



Re: [qubes-users] Re: HCL - Dell Inspiron 15 5000 (5575) AMD Ryzen 5 2500U w/ Vega 8 Graphics

2020-01-24 Thread M
I use DVD’s so that the files can’t be edited or a malicious file can’t be 
placed on the installation media in case it’s inserted in a compromised pc. But 
yes, it seems to require a lot of disc as Qubes OS not always develops linear. 
:j

Regarding editing ISO-files, I’m not as technical as you. So that would require 
some detailed instructions.

Sorry, it was Tails 4.2.2 instead of Trial.

Just to rule the option out: Could it be possible that when installing from a 
burned ISO-file the installation fails, while installing from a USB with a 
transferred ISO-file using Rufus in dd-mode the installation of Qubes OS 
succeed ? - If so, I would try that first. But then I have to buy a new USB 
flash drive.



[qubes-users] can not update dom0

2020-01-24 Thread evo
Hi!

Can not update dom0, get after sudo qubes-dom0-update
"/usr/lib/qubes/qubes-download-dom0-updates.sh: No such file or directory".

Did nothing special before that.

Cheers
evo



Re: [qubes-users] Re: HCL - Dell Inspiron 15 5000 (5575) AMD Ryzen 5 2500U w/ Vega 8 Graphics

2020-01-24 Thread Claudia
January 24, 2020 12:55 PM, "M"  wrote:

> Thank you for your answer.
> 
> What do you mean by “nomodeset” ? - is it regarding legacy and UEFI mode 
> or... ?

In 4.0, to enable nomodeset you have to edit the bootloader files in the 
installation media. I just realized, since you're using DVDs instead of USB, 
this is going to be a lot more difficult. You'll have to unpack the ISO, modify 
the boot loader file, and then repack the ISO and burn it. I would recommend 
using a USB drive in this case if you can. That way you can do the 
modifications directly to the USB drive, and you don't have to waste additional 
DVDs.

In R4.1, you just have to press 'e' at the boot menu, and you can make last 
minute changes to the boot parameters without modifying anything. This would 
probably be the easiest option.

nomodeset is a kernel command line option that disables kernel-modesetting and 
prevents graphics drivers from being loaded, so they just use a basic minimal 
driver essentially. In 4.0 this would be the "kernel=" line of the xen.cfg file.

> As I only have tried with Qubes OS stable version 4.0.1 and 4.0.2 and is now 
> going to try 4.0.3 the
> kernel version is 4.19. How can I try to install Qubes with a newer kernel.

I'm not sure if there's any easy way to install a newer kernel into the 
installer. The way most people do it is to do the installation on a different 
machine, install kernel-latest, and then move the drive to the other machine. 
However 4.0.3 should come with a newer LTS kernel at least, so try that first.

When the installer fails, copy or screenshot /tmp/X.log and post it.

> Could an idea be to try to install Linux Mint or Fedora 31 if 4.0.3 doesn’t 
> work either ? - just to
> make sure they work and rule basic things out.

R4.0 is based on Fedora 25, so you could try booting that just to make sure it 
works, just to rule that out. However there's still a big difference between 
Qubes and Fedora 25, so it won't tell us very much.

> Both PartedMagic (24/12-2019) and Trial 4.2.2 live-versions runs fine (and 
> also Windows 10).

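Claudia's two replies in this thread place nomodeset at the end of each "kernel=" line in xen.cfg on R4.0 installation media. The shell function below is an added example, not code from the thread or from the Qubes documentation, that makes that edit idempotently and keeps a backup to diff against; the sample file contents, its section names and kernel arguments, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: append "nomodeset" to every kernel= line of the installer's
# xen.cfg, leaving options=/ramdisk= lines and already-edited lines alone.

# Constructed sample in the key layout the thread describes
# (section names and kernel arguments are illustrative, not from a real ISO).
make_sample_cfg() {
    cat > "$1" <<'EOF'
[global]
default=qubes-verbose

[qubes-check]
options=console=none
kernel=vmlinuz inst.stage2=hd:LABEL=EXAMPLE quiet rhgb rd.live.check
ramdisk=initrd.img

[qubes-verbose]
options=console=vga efi=attr=uc
kernel=vmlinuz inst.stage2=hd:LABEL=EXAMPLE nomodeset
ramdisk=initrd.img
EOF
}

add_nomodeset() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    # Keep the first pristine copy so the change can be diffed or reverted.
    [ -e "$cfg.orig" ] || cp -p "$cfg" "$cfg.orig" || return 1
    tmp="$cfg.tmp.$$"
    awk '
        /^kernel=/ {
            sub(/[ \t\r]+$/, "")            # drop trailing blanks or a CR
            present = 0
            n = split($0, word, /[ \t]+/)   # word[1] is "kernel=<image>"
            for (i = 2; i <= n; i++)
                if (word[i] == "nomodeset") present = 1
            if (!present) $0 = $0 " nomodeset"
        }
        { print }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Number of kernel= lines still lacking the option (0 means every line has it).
kernel_lines_missing_nomodeset() {
    awk '/^kernel=/ && $0 !~ /[ \t]nomodeset([ \t\r]|$)/ { n++ }
         END { print n + 0 }' "$1"
}

# Demo on the constructed sample, in a throwaway directory.
demo_dir=$(mktemp -d)
make_sample_cfg "$demo_dir/xen.cfg"
add_nomodeset "$demo_dir/xen.cfg"
diff -u "$demo_dir/xen.cfg.orig" "$demo_dir/xen.cfg"
rm -rf "$demo_dir"
```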


Re: [qubes-users] Choosing a TemplateOS for security

2020-01-24 Thread unman
On Fri, Jan 24, 2020 at 04:30:14AM -0800, fiftyfourthparal...@gmail.com wrote:
> Wouldn't it be nice if there were community maintained (and vetted) 
> templates for download? Like being able to download something like, say, 
> "taskett_hardened-debian-10"?
> 
> A page with examples of Qubes setups would also be sweet--maps of Qubes 
> layouts that users can post and share that are made with a image generator.
> 

There is community maintained documentation and scripts already.
It's referred to as "Qubes Community Documentation" in Qubes docs, and
is available at
https://github.com/Qubes-Community/Qubes-Community.github.io
There should be wider knowledge of the site.

unman



[qubes-users] Re: qvm-create-windows-qube 2.0

2020-01-24 Thread Claudio Chinicz
Hi Elliot,

I've followed the instruction, had to manually download win10x64.iso and 
when I ran the "./qvm-create-windows-qube.sh -n sys-firewall -oyp 
firefox,notepadplusplus,office365business -i win10x64.iso -a 
win10x64-pro.xml win10-work" command I got the following error:

Error mounting /dev/loop2: GDBus.error:org.freedesktop.vdisk2.error failed: 
error mounting /dev/loop2 at run/media/user/cccoma_x64fre_en-us_dv9: wrong 
fs type, bad option, bad superblock on dev/loop2, missing codepage or 
helper program, or other error

Any idea?

Thanks

On Monday, 13 January 2020 11:49:12 UTC+2, Elliot Killick wrote:
>
> -BEGIN PGP SIGNED MESSAGE- 
> Hash: SHA256 
>
> Hello, all! 
>
> Not too long ago I released qvm-create-windows-qube but quit pushing 
> changes for a while because I realized there was still a of work to be 
> done and I wanted to get it out of the dev/beta phase before releasing a 
> new version. 
>
> Well, it's over 200 commits later and I would say it's well out of 
> beta now. 
>
> Biggest new features include: 
>
>   * Use a much newer Windows 7 7601 ISO for Windows 7 
>   * Support Windows 8.1-10 Pro/Enterprise (ISO downloads from Microsoft 
> included) 
>   * Support Windows 10 Enterprise LTSC (Also download provided) 
>   * Support Windows Server 2008 R2 - Windows Server 2019 (Also downloads 
> provided) 
>   * Chocolatey integration 
>   * Option to slim down Windows installation (Similar to the following 
> but much more refined due to especially the disabling of services I 
> found could break things in a way that would result in a bad UX, 
> also expanded for Windows 10: 
> https://www.qubes-os.org/doc/windows-template-customization/) 
>   * Test signing Qubes GUI driver is now enabled during Windows 
> installation process to skip a reboot 
>   * Hardcoding trial product key in answer files (or anywhere) is no 
> longer necessary, Windows will use embedded trial key without any 
> user interaction by default 
>   * windows-mgmt is air gapped 
>   * Travis CI is being used for integration testing 
>   * Tons of code cleanup, reorganization and refactoring  (I'm of the 
> OpenBSD mindset where having clean (correct) code is just as 
> important as having functional code, so a lot of stuff just got 
> rewritten) 
>   * Everything is much more stable (No more lame sleeps for arbitrary 
> amounts of time) 
>   * MIT license 
>
> Additionally, I made a PGP key (also using Qubes Split GPG) so hopefully 
> my code and anything else I make can reach you a lot more securely. 
>
> Repo can be found here, please star if you find it useful :) 
>
> https://github.com/elliotkillick/qvm-create-windows-qube 
> 
>  
>
> I'm working towards having this project be similar (or superior) to 
> VMWare's Windows "Easy Install" feature but on Qubes: 
> https://www.youtube.com/watch?v=1OpDXlttmE0 
>
> Regards, 
>
> Elliot 
> -BEGIN PGP SIGNATURE- 
>
> iHUEARYIAB0WIQQBj7nebfoT+xj7VVL5uQ1E+D3V8gUCXhw9CQAKCRD5uQ1E+D3V 
> 8iT9AQDlMN4TUEQV8SrvfBj3Df0utv3i/GIDLlt+6DpxnNmSAAD/Uz7tihtwjHXz 
> /Dl6qtbYhoph8DSHLKwIevhP/iKArw8= 
> =tnno 
> -END PGP SIGNATURE- 
>
>
>



Re: [qubes-users] Re: HCL - Dell Inspiron 15 5000 (5575) AMD Ryzen 5 2500U w/ Vega 8 Graphics

2020-01-24 Thread M
Thank you for your answer.

What do you mean by “nomodeset” ? - is it regarding legacy and UEFI mode or... ?

As I have only tried Qubes OS stable versions 4.0.1 and 4.0.2 and am now 
going to try 4.0.3, the kernel version is 4.19. How can I try to install Qubes 
with a newer kernel?

Could an idea be to try to install Linux Mint or Fedora 31 if 4.0.3 doesn’t 
work either ? - just to make sure they work and rule basic things out.

Both PartedMagic (24/12-2019) and Trial 4.2.2 live versions run fine (and also 
Windows 10).



Re: [qubes-users] Choosing a TemplateOS for security

2020-01-24 Thread fiftyfourthparallel
Wouldn't it be nice if there were community maintained (and vetted) 
templates for download? Like being able to download something like, say, 
"taskett_hardened-debian-10"?

A page with examples of Qubes setups would also be sweet--maps of Qubes 
layouts that users can post and share that are made with an image generator.



[qubes-users] NVIDIA RTX 20XX

2020-01-24 Thread Frédéric Pierret
Hi,

Has anyone succeeded in getting a working/non-crashing system with an
nvidia RTX 20XX, specifically a 2080TI in my case? I am currently having
instant reboot issues on Qubes 4.0, whereas on Windows it currently works
pretty well, so I don't expect a GPU hardware issue.

Thank you in advance,

Frédéric




Re: [qubes-users] Choosing a TemplateOS for security

2020-01-24 Thread Peter Thurner

> small number of ClipOS users

Totally legit argument, True ;)


>  I still think the idea of running CLIP 
> OS in Qubes is really cool and would love to see it; I just think your 
> argument for it wasn't convincing.

I totally get your points and generally agree. I still think the current
default of "install whatever you like in a Qube and fully trust the Xen
isolation", like debian with passwordless sudo, is something the Qubes
community should work on in the future. May it be something like
OpenBSD, ClipOS, Alpine or any other solution.




Re: [qubes-users] Choosing a TemplateOS for security

2020-01-24 Thread fiftyfourthparallel
>Threat modelling

I feel that as long as there are enough eyes combing through the code, the 
risk is dramatically lowered. Major distros (stem distros?) like Debian and 
Fedora have many, many more people poring over their code compared to 
something as obscure as CLIP OS. Yes, the government can pressure 
contributors to CLIP, or even Qubes or Debian, to insert malicious code 
that's hard to detect, but the legions of Debian users and those of 
Debian-based distros will likely spot it, the relatively large 
(*relatively*) pool of Qubes users have a good chance of catching 
something, but the small number of CLIP users most likely won't--it hasn't 
crossed that tipping point yet. 

Furthermore, you can't reliably attribute the insertion of malicious code 
to the government, and even if you did, they'd just shrug it off. Doing 
things physically (installation of cameras, etc.) is much, much more costly 
and riskier than doing it digitally. I still think the idea of running CLIP 
OS in Qubes is really cool and would love to see it; I just think your 
argument for it wasn't convincing.

Please correct me if I'm wrong about anything I said above, since I'm just 
speaking out of my ass. I'm neither a security nor a Linux expert--hell, I 
don't even know how to code. 



Re: [qubes-users] Intel ax200, wifi 6, 2723 on X1 gen2 extreme

2020-01-24 Thread Scott Russell
Hi,
 I managed to get back into my qubes system.  I had to use Ctrl,ALt,
Fn,F2, for some reason to get a tty2 terminal.  This works for both boot
from pendrive and normal boot in uefi mode.  I do not know why I need the
extra Fn button, but I do.  Anyway, I also made a few bios changes and
managed to get the 5.4.10-1 kernel working in DOM0 and sys-net.  Installed
the latest iwlwifi driver, but from dmesg, it nearly works, but not quite
there yet.  The ax200 is there in the sys-net dmesg as recognised, but
something else is going wrong.  I can attach the device in networking wifi,
but it still does not work.  Interestingly, if I add the ASUS network
dongle, the intel-wifi shows up in the network icon at top right, but never
managed to connect, even to another wifi network.  Maybe the next iteration
of iwlwifi will be working.  I am now focusing on what bios changes made
5.4.10-1 work, and why suspend when closing the lid does not work at all.
At least I have something usable now.  Will document this once I get all
the key parts working, and then do a reinstall to verify.

 thanks for the help so far.  Some unusual
things happening, but all adds to the fun and interest.

 Sc0tt...


On Wed, 22 Jan 2020 at 12:27, Ilpo Järvinen 
wrote:

> On Wed, 22 Jan 2020, Scott Russell wrote:
>
> > HI, So, since I have no networking, I decided to install the networking
> > via a usb pen drive.  However, I seem unable to mount the usb drives in any
> > vm, tried the fedora-29 template, and also the work vm, or sys-firewall.
> > But each time I click the icon to attach, it reports successfully attached,
> > but when I go to the vm, it does not show up.  I can see from qvm-block that
> > it is attached from dom0, also tried manually attaching via command line,
> > but again, it reports attached, but cannot see in the work vm that it is
> > there.  but when I do a "df -h" or try to list the devices in /dev/xvdi, it
> > is not there on the work vm.  It seems like a pretty simple thing to
> > attach the pendrive.  I have tried several pen drives, but seem unable to
> > mount them in any vm.  Have re-read the docs several times, and no-one seems
> > to have this issue, so I am probably doing something fundamentally wrong?
> > Any advice or hints greatly appreciated?.
>
> I have some problem in understanding what exactly you're doing here as
> your description seems to mix "attaching" and "mounting". In addition
> to attaching the block device, you may have to mount the block device
>   mount /dev/xvdi /home/user/somepath
> as a separate step to get it to appear under /home/user/somepath (and df
> will only show mounted drives).
>
> Or did you try to say there's no /dev/xvdi device? ...In that case, check
> the dmesg if the device is detected by the kernel.
>
> --
>  i.
>
>
> > On Tue, 14 Jan 2020 at 13:14, Ilpo Järvinen <ilpo.jarvi...@cs.helsinki.fi>
> > wrote:
> >   On Tue, 14 Jan 2020, Scott Russell wrote:
> >
> >   > Hi,   I am installing qubes to an X1 gen2 extreme.  Gone well so far, but
> >   > then I stumbled into a problem with wifi.  Unfortunately the intel ax200 is
> >   > not supported in linux kernel till after kernel5-1+.
> >   > (https://www.intel.com/content/www/us/en/support/articles/05511/network-and-i-o/wireless-networking.html).
> >
> >   I didn't get AX 200 to work myself and I just use a stop-gap USB WLAN
> >   dongle solution currently. I tried with latest kernels, various firmware
> >   versions, and even went to dkms backport of iwlwifi but none of those
> >   worked.
> >
> >   It just seems the iwlwifi driver, despite claims of AX 200 being supported
> >   since 5.1, may not work for all (some have gotten it to work but I'm not
> >   sure if anyone among them with Qubes).
> >
> >   > So, I was wondering on what my options would be.  My first thought having
> >   > reviewed a few posts, was that I would need to compile the latest kernel and
> >   > use this in the sys-net.
> >   > Then, I thought, maybe there is already a "latest kernel" somewhere that I
> >   > could just install without the need for compiling a new one.
> >
> >   Yes, kernel-latest package is already available using qubes-dom0-update.
> >   Certainly worth a test.
> >
> >   > As an aside, does this mean I should change the underlying template for
> >   > sys-net and logically the sys-firewall, or should I keep the sys-net as a
> >   > custom kernel version only.  If there are other ways, any advice is
> >   > appreciated.   A lot to learn here, but happy to work through any
> >   > suggestions.
> >
> >   Kernel version, when provided from dom0, is independent of the
> >