[qubes-users] Re: Need to fix boot process broken by kernel update. Data is safe.

2021-02-10 Thread Ranjeet Shetye
Hi,

I got my system up and running.

It was a problem with the efi boot details. I had installed the latest
kernel (not manually) and that install process somehow messed up the efi
boot as it existed. After boot was broken, the console would show what it
was going to boot but the xen never loaded. Now it does.

Thank you donoban, Bernhard, and Jinoh for the right pointers.

I have made a list of steps that helped me gauge the situation. I will post
it within a few hours.

Regards,
Ranjeet

On Wed, Feb 10, 2021, 8:21 AM Jinoh Kang wrote:

> On 2/10/21 3:05 AM, Ranjeet Shetye wrote:
> > Hi,
> >
> > Is there a standard HOWTO I can follow to fix the boot process (to go
> from a grub / xen.cfg that fails to LUKS decrypt and load unencrypted
> rootfs)
> >
> > I am reasonably knowledgeable about Linux. Gaps exist in my knowledge
> regarding BIOS and UEFI boot processes.
> >
> > Unfortunately the grub update for the kernel upgrade seems to have
> messed up the boot process. How do I figure out if it's installed for BIOS
> or UEFI mode ?
> >
> > My data is safe and LUKS encrypted . I can use a live USB to decrypt it,
> access it and I also have made 2 backup copies.
> >
> > So with nothing to lose I tried to fix the boot manually from a live USB
> including creating /etc/default/grub but situation is no better.
> >
> > Between BIOS / (UEFI) / grub2 / xen / vmlinuz / LUKS / LVM2 , I am lost
> where the fix might be. Might be grub flags, grub modules, grub defaults,
> xen cfg, EFI manager etc. Hence my question.
> >
> > Thanks,
> > Ranjeet
>
> Also note that Qubes R4.0 on UEFI does not boot via GRUB -- it boots
> directly via \EFI\qubes\xen.efi.
>
> - --
> Sincerely,
> Jinoh Kang

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CALvHdtY90NWaR1i0vJJ7M%2BrcX07x%2Bv1rWQEooCMQNj4KAo-5bA%40mail.gmail.com.


[qubes-users] Salting your Qubes

2021-02-10 Thread unman
Hi,

I'm in the process of uploading various salt configurations, which you
may find interesting.
The files are in https://github.com/unman/shaker.

There's configuration for salting various useful stuff:
A caching proxy,
A version of split-ssh,
Multiple sys-usb using various controllers (specific to x230 model),
Kali template,
A qube for building Qubes,
A qube for building/flashing coreboot,
A multimedia qube,
A file sharing qube,
Adding support for Office or Windows filesystems to templates,

with more to come.

This isn't sophisticated salt - most of these are examples from training,
and are deliberately simple. Some are old, and may need tweaking.
They are also almost all based on a debian-10-minimal template
(naturally).
Even if you have no experience with salt you should be able to read the
files and understand what they are going to do. 

I hope you use them to get started with using salt in Qubes.

I'm in the process of packaging these, and will host them at
https://qubes.3isec.org
Although it's simple to produce packages that will actually implement
the states, (as they do in initial Qubes setup), I prefer not to do
this - mainly because I think it better for users to see what's been
installed and what actions will be taken. So the packages will provide
the salt formula, for you to review, change and implement as you will.
(Change my mind if you like.)

Happy to take suggestions for other configurations, or features.

unman



Re: [qubes-users] blackarchlinux and kali templates do not start

2021-02-10 Thread unman
On Wed, Feb 10, 2021 at 08:30:22AM -0500, jon will wrote:
> So I was trying to make blackarchlinux and Kali templates (because my job
> is a pen tester). I don't know why but after installing tools on
> blackarchlinux and Kali I can't start the template. When I boot it up I get
> "can not connect to qrexec agent for 60 sec, see
> /var/log/xen/console/guest/guest-blackarch.log". From what I can gather it
> does not recognize the xenfs format because it says "failed to mount
> /proc/xen" when I run "sudo xl console -r blackarchlinux" in dom0. It does
> say more although that is the first error I get. Kali does not have any
> error messages but still fails to boot and I get the same "cannot connect to
> qrexec agent for 60 seconds".
> 
> can anyone help?
> 
> thanks in advance.
> 

The reason for this is that these are rolling templates and the Qubes
packages cannot keep up with the changes.
Almost certainly, when you were installing the Kali packages you removed
one or more of the qubes packages.
You may be able to access a console using `sudo xl console..` in dom0,
and then see what package was removed, and restore it.
It's always best to put a hold on the qubes packages, and be prepared to
have a broken/inconsistent package system. That, and periodically
snapshotting/cloning the template during the build process (and keeping
a close eye on what actions will be taken), will help a great deal.

In the present case, you may be able to revert to the previous state by
using `qvm-volume revert` in dom0.

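A dry-run check for the failure unman describes, as an added example that is not part of the thread. It assumes a Debian-based template such as Kali, treats any package whose name contains "qubes" as a Qubes package (a coarse filter chosen for this sketch), and the function names are hypothetical.

```shell
#!/bin/sh
# qubes_removals: read `apt-get -s` (simulate) output on stdin and print
# every package with "qubes" in its name that the transaction would remove.
# apt marks planned removals with lines that start with "Remv".
qubes_removals() {
    awk '$1 == "Remv" {
        sub(/:.*/, "", $2)            # drop an architecture suffix (pkg:amd64)
        if ($2 ~ /qubes/) print $2
    }' | sort -u
}

# guarded_install PKG...: simulate the install first and refuse to go on
# if it would take Qubes packages with it.
guarded_install() {
    lost=$(apt-get -s install "$@" | qubes_removals)
    if [ -n "$lost" ]; then
        echo "refusing, this would remove:" $lost >&2
        return 1
    fi
    apt-get install "$@"
}

# hold_qubes: put every qubes package known to dpkg on hold, so apt will
# not remove or replace it without being told to change held packages.
hold_qubes() {
    dpkg-query -W -f '${Package}\n' | grep qubes | xargs -r apt-mark hold
}
```

Run `hold_qubes` and clone the template before the first large install, then use `guarded_install` in place of `apt-get install` inside the template.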


[qubes-users] Re: Need to fix boot process broken by kernel update. Data is safe.

2021-02-10 Thread Jinoh Kang
On 2/10/21 3:05 AM, Ranjeet Shetye wrote:
> Hi,
> 
> Is there a standard HOWTO I can follow to fix the boot process (to go from a 
> grub / xen.cfg that fails to LUKS decrypt and load unencrypted rootfs)
> 
> I am reasonably knowledgeable about Linux. Gaps exist in my knowledge 
> regarding BIOS and UEFI boot processes.
> 
> Unfortunately the grub update for the kernel upgrade seems to have messed up 
> the boot process. How do I figure out if it's installed for BIOS or UEFI mode 
> ?
> 
> My data is safe and LUKS encrypted . I can use a live USB to decrypt it, 
> access it and I also have made 2 backup copies.
> 
> So with nothing to lose I tried to fix the boot manually from a live USB 
> including creating /etc/default/grub but situation is no better. 
> 
> Between BIOS / (UEFI) / grub2 / xen / vmlinuz / LUKS / LVM2 , I am lost where 
> the fix might be. Might be grub flags, grub modules, grub defaults, xen cfg, 
> EFI manager etc. Hence my question.
> 
> Thanks,
> Ranjeet

Also note that Qubes R4.0 on UEFI does not boot via GRUB -- it boots directly 
via \EFI\qubes\xen.efi.

- -- 
Sincerely,
Jinoh Kang



[qubes-users] blackarchlinux and kali templates do not start

2021-02-10 Thread jon will
So I was trying to make blackarchlinux and Kali templates (because my 
job is a pen tester). I don't know why but after installing tools on 
blackarchlinux and Kali I can't start the template. When I boot it up I 
get "can not connect to qrexec agent for 60 sec, see 
/var/log/xen/console/guest/guest-blackarch.log". From what I can gather 
it does not recognize the xenfs format because it says "failed to mount 
/proc/xen" when I run "sudo xl console -r blackarchlinux" in dom0. It 
does say more although that is the first error I get. Kali does not have 
any error messages but still fails to boot and I get the same "cannot 
connect to qrexec agent for 60 seconds".


can anyone help?

thanks in advance.



Re: [qubes-users] Need to fix boot process broken by kernel update. Data is safe.

2021-02-10 Thread Bernhard




> Is there a standard HOWTO I can follow to fix the boot process (to go
> from a grub / xen.cfg that fails to LUKS decrypt and load unencrypted
> rootfs)

Not that I know. Would be helpful, indeed.

> Unfortunately the grub update for the kernel upgrade seems to have
> messed up the boot process. How do I figure out if it's installed for
> BIOS or UEFI mode ?

That is in your BIOS. If it is "legacy" it means old-school MBR, if not
it should be written UEFI somewhere.

> My data is safe and LUKS encrypted . I can use a live USB to decrypt it,
> access it and I also have made 2 backup copies.

Good.

> So with nothing to lose I tried to fix the boot manually from a live USB
> including creating /etc/default/grub but situation is no better.

I had similar problems recently. If it is UEFI (and I guess so),
efibootmgr is your friend (not preinstalled on debian-live, but you grab
it easily via apt-get). Also look at the "UEFI troubleshooting" qubes
webpage! You can re-do the qubes boot entry with efibootmgr (please read
the man page, syntax is not memorisable for me).

Good luck, Bernhard





Re: [qubes-users] Need to fix boot process broken by kernel update. Data is safe.

2021-02-10 Thread donoban
On 2/10/21 4:05 AM, Ranjeet Shetye wrote:
> Hi,
> 
> Is there a standard HOWTO I can follow to fix the boot process (to go
> from a grub / xen.cfg that fails to LUKS decrypt and load unencrypted
> rootfs)
> 
> I am reasonably knowledgeable about Linux. Gaps exist in my knowledge
> regarding BIOS and UEFI boot processes.
> 
> Unfortunately the grub update for the kernel upgrade seems to have
> messed up the boot process. How do I figure out if it's installed for
> BIOS or UEFI mode ?
> 
> My data is safe and LUKS encrypted . I can use a live USB to decrypt it,
> access it and I also have made 2 backup copies.
> 
> So with nothing to lose I tried to fix the boot manually from a live USB
> including creating /etc/default/grub but situation is no better. 
> 
> Between BIOS / (UEFI) / grub2 / xen / vmlinuz / LUKS / LVM2 , I am lost
> where the fix might be. Might be grub flags, grub modules, grub
> defaults, xen cfg, EFI manager etc. Hence my question.

What is exactly your problem? Does it boot, you see xen/linux messages
but fail before asking for your luks passphrase?

Maybe it is just a linux kernel problem and you can boot an older
version editing xen.cfg (if you are using UEFI boot without grub). Do
you have installed kernel-latest versions?

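A check for the xen.cfg route discussed in this thread, as an added example that is not from any of the posters. It assumes the EFI system partition has been mounted from a live USB and its mount point is passed as the argument, and that xen.cfg uses the Xen EFI loader layout: a `[global]` section with `default=`, then one section per kernel with `kernel=` and `ramdisk=`. The function name is hypothetical.

```shell
#!/bin/sh
# check_xen_cfg ESP_ROOT: report what ESP_ROOT/EFI/qubes/xen.cfg would boot.
# Returns 0 only if xen.efi exists, the default entry has a kernel= line,
# and every file the default entry names is present next to xen.efi.
check_xen_cfg() {
    dir="$1/EFI/qubes"; cfg="$dir/xen.cfg"
    [ -f "$dir/xen.efi" ] || { echo "MISSING xen.efi"; return 1; }
    [ -f "$cfg" ] || { echo "MISSING xen.cfg"; return 1; }

    # default= under [global] names the section that xen.efi boots.
    default=$(awk -F= '{ sub(/\r$/, "") }
        /^\[global\]/ { g = 1; next }
        /^\[/ { g = 0 }
        g && $1 == "default" { print $2; exit }' "$cfg")
    [ -n "$default" ] || { echo "NO default= in [global]"; return 1; }
    echo "DEFAULT $default"

    # One "section key file" line per kernel=/ramdisk= setting. Only the
    # first word is a file name; the rest of kernel= is the dom0 command line.
    entries=$(awk -F= '{ sub(/\r$/, "") }
        /^\[/ { sec = substr($0, 2, length($0) - 2); next }
        sec != "" && sec != "global" && ($1 == "kernel" || $1 == "ramdisk") {
            split($2, w, " "); print sec, $1, w[1] }' "$cfg")

    found=0; missing=0
    while read -r sec key file; do
        [ -n "$sec" ] || continue
        if [ -f "$dir/$file" ]; then
            echo "OK [$sec] $key=$file"
            if [ "$sec" = "$default" ] && [ "$key" = kernel ]; then found=1; fi
        else
            echo "MISSING [$sec] $key=$file"
            if [ "$sec" = "$default" ]; then missing=1; fi
        fi
    done <<EOF
$entries
EOF
    [ "$found" -eq 1 ] && [ "$missing" -eq 0 ]
}
```

If the default entry reports a MISSING file while an older section is fully OK, pointing `default=` at the older section is the xen.cfg edit donoban suggests.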

