Re: [qubes-users] fedora-40-minimal install - message about fstrim

2024-10-17 Thread 'Rusty Bird' via qubes-users

Ulrich Windl:
> Of course if fstrim fails, it has the same amount of blocks to trim
> on the next run.

But if 'fstrim --verbose' prints a number of trimmed bytes at all and
not an error, then apparently the trimming didn't fail (this time).

To test the different behavior of filesystems like ext4 that keep
track of already discarded blocks, and filesystems like XFS and Btrfs
that don't (or not fully), here's a little script:

https://gist.github.com/rustybird/750a5b28e7b285669fe90851e6f48b32

It creates a filesystem on a 5 GiB loop device, writes three 1 GiB
files inside the mountpoint, deletes two of them; and runs fstrim
three times while looking at the disk usage of the backing file after
each fstrim run. Results:

# ./fstrimtest ext4
3139M   img
mnt: 3.8 GiB (4122611712 bytes) trimmed
1091M   img
mnt: 0 B (0 bytes) trimmed
1091M   img
mnt: 0 B (0 bytes) trimmed
1091M   img

# ./fstrimtest xfs
3137M   img
mnt: 3.9 GiB (4227661824 bytes) trimmed
1089M   img
mnt: 3.9 GiB (4227661824 bytes) trimmed
1089M   img
mnt: 3.9 GiB (4227661824 bytes) trimmed
1089M   img

# ./fstrimtest btrfs
3084M   img
mnt: 3.5 GiB (3766091776 bytes) trimmed
1028M   img
mnt: 3 GiB (3255435264 bytes) trimmed
1028M   img
mnt: 3 GiB (3255435264 bytes) trimmed
1028M   img

Rusty


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ZxFAso9yGp_cKc_v%40mutt.
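
The results in the message above can be compared run by run. This is an added example (not part of the original message or of the linked gist): it parses the three transcripts as posted and reports, per filesystem, how much backing-file space each fstrim run released and how many reported bytes belonged to runs that released nothing. The function names and pattern labels are this example's own.

```python
import re

# Transcripts copied from the message above (output of ./fstrimtest <fs>).
TRANSCRIPTS = {
    "ext4": """
3139M   img
mnt: 3.8 GiB (4122611712 bytes) trimmed
1091M   img
mnt: 0 B (0 bytes) trimmed
1091M   img
mnt: 0 B (0 bytes) trimmed
1091M   img
""",
    "xfs": """
3137M   img
mnt: 3.9 GiB (4227661824 bytes) trimmed
1089M   img
mnt: 3.9 GiB (4227661824 bytes) trimmed
1089M   img
mnt: 3.9 GiB (4227661824 bytes) trimmed
1089M   img
""",
    "btrfs": """
3084M   img
mnt: 3.5 GiB (3766091776 bytes) trimmed
1028M   img
mnt: 3 GiB (3255435264 bytes) trimmed
1028M   img
mnt: 3 GiB (3255435264 bytes) trimmed
1028M   img
""",
}

DU_RE = re.compile(r"^(\d+)M\s+img$")
TRIM_RE = re.compile(r"^mnt: .* \((\d+) bytes\) trimmed$")


def parse(transcript):
    """Return (du_sizes, trimmed_bytes) for one transcript.

    du_sizes: disk usage of the backing file before the first fstrim and
    after every run, in du's M units. trimmed_bytes: the byte count that
    each 'fstrim --verbose' run reported.
    """
    du_sizes, trimmed = [], []
    for raw in transcript.strip().splitlines():
        line = raw.strip()
        du = DU_RE.match(line)
        trim = TRIM_RE.match(line)
        if du:
            du_sizes.append(int(du.group(1)))
        elif trim:
            trimmed.append(int(trim.group(1)))
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if len(trimmed) < 2 or len(du_sizes) != len(trimmed) + 1:
        raise ValueError("need a du line around each of at least two fstrim runs")
    return du_sizes, trimmed


def analyse(transcript):
    """Classify how repeated fstrim runs behave on an unchanged filesystem."""
    du_sizes, trimmed = parse(transcript)
    # Space actually handed back to the backing file by each run.
    released = [before - after for before, after in zip(du_sizes, du_sizes[1:])]
    repeats = trimmed[1:]
    if all(b == 0 for b in repeats):
        pattern = "no re-discard"        # already-discarded ranges are skipped
    elif all(b == trimmed[0] for b in repeats):
        pattern = "full re-discard"      # every run resubmits the same ranges
    else:
        pattern = "partial re-discard"   # some ranges are resubmitted
    # Bytes reported by runs that released no backing-file space at all.
    redundant = sum(b for b, freed in zip(trimmed, released) if freed <= 0)
    return {
        "pattern": pattern,
        "released_m": released,
        "redundant_bytes": redundant,
    }


if __name__ == "__main__":
    for fs, transcript in TRANSCRIPTS.items():
        print(fs, analyse(transcript))
```

On all three filesystems the first run releases 2048M to 2056M of backing storage while reporting 3.5 to 3.9 GiB trimmed: the reported figure counts the free ranges submitted for discard, not the space reclaimed.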


Re: [qubes-users] fedora-40-minimal install - message about fstrim

2024-10-16 Thread 'Rusty Bird' via qubes-users

'Rusty Bird' via qubes-users:
> Marek Marczykowski-Górecki:
> > On Wed, Oct 16, 2024 at 04:28:14PM +0000, Rusty Bird wrote:
> > > Also, on file-reflink
> > > systems, where the dom0 root filesystem is storing (possibly many
> > > terabytes worth of) VM volumes, fstrim can take really long. E.g.
> > > here on my main Btrfs system, which is otherwise quite fast:
> > > 
> > > # time fstrim /var/tmp/
> > > real  4m29.240s
> > 
> > But that takes long only if there is really a lot of data to discard,
> > no?
> 
> # for i in 1 2 3; do time fstrim /var/tmp/; done 2>&1 | grep real
> real  4m24.308s
> real  4m34.060s
> real  4m29.806s
> 
> I don't see anything in Btrfs tracking which unused blocks it has
> already issued discards for. Or in ext4, but it doesn't matter with
> the small ext4 dom0 root fs in an LVM Thin installation.

Actually ext4 does keep track:

https://serverfault.com/questions/1113127/fstrim-is-very-slow-on-xfs-and-always-return-same-value-unlike-ext4

> So a large fs
> that's neither almost empty nor almost full has to at least generate a
> gigantic list of (due to fragmentation) probably rather small ranges
> of blocks to be discarded in response to every fstrim and forward it
> through the block subsystem (which I don't think is keeping track
> either?) to the drive. Only after all of that overhead, I guess the
> drive might respond faster if it had already done most of the work
> last time.

Rusty


Re: [qubes-users] fedora-40-minimal install - message about fstrim

2024-10-16 Thread 'Rusty Bird' via qubes-users

Marek Marczykowski-Górecki:
> On Wed, Oct 16, 2024 at 04:28:14PM +0000, Rusty Bird wrote:
> > Also, on file-reflink
> > systems, where the dom0 root filesystem is storing (possibly many
> > terabytes worth of) VM volumes, fstrim can take really long. E.g.
> > here on my main Btrfs system, which is otherwise quite fast:
> > 
> > # time fstrim /var/tmp/
> > real  4m29.240s
> 
> But that takes long only if there is really a lot of data to discard,
> no?

# for i in 1 2 3; do time fstrim /var/tmp/; done 2>&1 | grep real
real  4m24.308s
real  4m34.060s
real  4m29.806s

I don't see anything in Btrfs tracking which unused blocks it has
already issued discards for. Or in ext4, but it doesn't matter with
the small ext4 dom0 root fs in an LVM Thin installation. So a large fs
that's neither almost empty nor almost full has to at least generate a
gigantic list of (due to fragmentation) probably rather small ranges
of blocks to be discarded in response to every fstrim and forward it
through the block subsystem (which I don't think is keeping track
either?) to the drive. Only after all of that overhead, I guess the
drive might respond faster if it had already done most of the work
last time.

Rusty


Re: [qubes-users] fedora-40-minimal install - message about fstrim

2024-10-16 Thread 'Rusty Bird' via qubes-users

Marek Marczykowski-Górecki:
> Maybe? You do need root for calling fstrim. And not calling it isn't
> really huge deal, as you explain below. And it failing shouldn't
> interrupt install anyway (subprocess.call, not subprocess.check_call).
> But the error message indeed may be confusing.
> Theoretically, sudo could be used for this call and that would be fine
> in dom0, but possibly less so in a qube (yes, you can install templates
> via Admin API from a qube), especially if passwordless-root package is
> not installed...

Ah okay, that answers why not 'sudo fstrim'. Also, on file-reflink
systems, where the dom0 root filesystem is storing (possibly many
terabytes worth of) VM volumes, fstrim can take really long. E.g.
here on my main Btrfs system, which is otherwise quite fast:

# time fstrim /var/tmp/
real  4m29.240s

So now I'm thinking fstrim is overkill just to install a template.
Instead, maybe Salt or something could ensure that everyone (including
people who installed via qubes-dist-upgrade) has the 'discard' mount
option (or 'discard=async' for Btrfs, where that would be the default
on modern kernels if not overridden by 'discard[=sync]') unless a user
has explicitly added 'nodiscard'.

> > Then qvm-template was created (which like other qvm- tools usually
> > runs as a regular user) and now fstrim is skipped unless someone
> > happens to invoke qvm-template as root. Skipping seems like a bug,
> > but on R4.2 systems it's mitigated by the installer adding the
> > 'discard' mount option for the dom0 root filesystem, making fstrim
> > redundant.  Except for people who installed via qubes-dist-upgrade
> > or removed the mount option. For those, there's still the systemd
> > fstrim.timer that should release the space to LVM, hopefully soon
> > enough (weekly).

Rusty


Re: [qubes-users] fedora-40-minimal install - message about fstrim

2024-10-16 Thread 'Rusty Bird' via qubes-users

Boryeu Mao:
> On Tue, Oct 15, 2024 at 3:59 AM Rusty Bird wrote:
> > Boryeu Mao:
> > > For the template install command on Qubes release 4.2.3
> > >
> > >    sudo qubes-dom0-update qubes-template-fedora-40-minimal
> > >
> > > I received a message that
> > >
> > >    fstrim: /var/tmp/tmpsd1ns61v/var/lib/qubes/vm-template: the discard operation is not supported
> >
> > Did you maybe mount a tmpfs at /var/tmp?

> [...] no manual tmpfs mount.

I assume you're seeing the same "not supported" message if you run:

$ sudo fstrim /var/tmp/

The only thing I can think of is that you have custom partitioning,
and the storage layer immediately underneath the filesystem hosting
/var/tmp/ is dm-crypt (unusual for an LVM Thin installation), and
dm-crypt has been mapped with discard disabled.

Your storage tree (showing discard support) can be printed with:

$ lsblk --output +DISC-MAX

> > https://github.com/QubesOS/qubes-core-admin-client/commit/4a9b57f91fdf3a2b35a5cf707970d05bf9cadba7

> In the qvm_template_postprocess.py (which the above link points to), fstrim
> is called only if the root user does the template install.

To me this looks like something that was missed in the move to
qvm-template:

Previously, qubes-dom0-update (which had to be run as root) would
install templates as normal RPM packages. I guess the logic to skip
fstrim for non-root users might have been put there to ease testing
the qvm-template-postprocess tool? CCing Marek

Then qvm-template was created (which like other qvm- tools usually
runs as a regular user) and now fstrim is skipped unless someone
happens to invoke qvm-template as root. Skipping seems like a bug, but
on R4.2 systems it's mitigated by the installer adding the 'discard'
mount option for the dom0 root filesystem, making fstrim redundant.
Except for people who installed via qubes-dist-upgrade or removed the
mount option. For those, there's still the systemd fstrim.timer that
should release the space to LVM, hopefully soon enough (weekly).

Finally, you've used qubes-dom0-update, which nowadays calls
qvm-template for template related stuff. For this, qubes-dom0-update
can actually be run as non-root, but you ran it with sudo, so fstrim
was *not* skipped. (Which then failed on your system.)

> Thank you very much for helping.

Happy to. It's interesting :)

Rusty


Re: [qubes-users] fedora-40-minimal install - message about fstrim

2024-10-15 Thread 'Rusty Bird' via qubes-users

Boryeu Mao:
> For the template install command on Qubes release 4.2.3
> 
>    sudo qubes-dom0-update qubes-template-fedora-40-minimal
> 
> I received a message that
> 
>    fstrim: /var/tmp/tmpsd1ns61v/var/lib/qubes/vm-template: the discard operation is not supported

Did you maybe mount a tmpfs at /var/tmp? That would explain fstrim not
working. It also wouldn't matter then.

> The template appears to be running normally, so perhaps this is a warning 
> message.

Pretty much. The fstrim invocation was added to inform the underlying
storage (LVM Thin by default) of the filesystem hosting /var/tmp that
the space previously used for temporary image files extracted during
the installation process can be freed:

https://github.com/QubesOS/qubes-core-admin-client/commit/4a9b57f91fdf3a2b35a5cf707970d05bf9cadba7

But it doesn't affect the installed template.

Rusty


Re: [qubes-users] 'locking' a vm possible? (to prevent accidental shutdown)

2024-04-15 Thread 'Rusty Bird' via qubes-users

Rusty Bird:
> Boryeu Mao:
> > An attempt to shut down `sys-firewall` in `Qube Manager` receives a warning
> > about running processes in the qube; similarly on command line
> > `qvm-shutdown sys-firewall` fails with an error.  Is it possible to
> > designate an appVM to behave similarly so it won't get shut down
> > accidentally?
> 
> Not as a user-facing feature AFAIK. But you could use the qubes.ext
> Python entry point
> 
> https://github.com/QubesOS/qubes-core-admin/blob/v4.2.21/qubes/ext/__init__.py#L57-L59
> 
> to add another "domain-pre-shutdown" event handler like this one
> (yours could e.g. check if the VM has a certain tag):
> 
> https://github.com/QubesOS/qubes-core-admin/blob/v4.2.21/qubes/ext/audio.py#L65-L75

Sorry, that second link should have been:

https://github.com/QubesOS/qubes-core-admin/blob/v4.2.21/qubes/ext/audio.py#L31-L38

Rusty


Re: [qubes-users] 'locking' a vm possible? (to prevent accidental shutdown)

2024-04-15 Thread 'Rusty Bird' via qubes-users

Boryeu Mao:
> An attempt to shut down `sys-firewall` in `Qube Manager` receives a warning
> about running processes in the qube; similarly on command line
> `qvm-shutdown sys-firewall` fails with an error.  Is it possible to
> designate an appVM to behave similarly so it won't get shut down
> accidentally?

Not as a user-facing feature AFAIK. But you could use the qubes.ext
Python entry point

https://github.com/QubesOS/qubes-core-admin/blob/v4.2.21/qubes/ext/__init__.py#L57-L59

to add another "domain-pre-shutdown" event handler like this one
(yours could e.g. check if the VM has a certain tag):

https://github.com/QubesOS/qubes-core-admin/blob/v4.2.21/qubes/ext/audio.py#L65-L75

Rusty


Re: [qubes-users] Re: question on 'service-name' for the new (R4.2) qrexec policy

2024-02-13 Thread 'Rusty Bird' via qubes-users

Boryeu Mao:
> > For R4.1.2 I had some RPC calls with + and - characters in the file 
> > name.  These are considered as invalid characters to be part of service 
> > names in the new qrexec policy format (e.g. in 
> > /etc/qubes/policy.d/30-user.policy).  Using wild card * works, but I 
> > wonder if there is any way to keep these characters in explicitly 
> > specifying the calls.

> Correction - only + is considered as invalid character.

Already in the old format, a file /etc/qubes-rpc/policy/foo+bar+baz
actually specified the policy for a qrexec service named 'foo' called
with one argument 'bar+baz'. 

(Invoking qrexec-client-vm for 'foo+bar+baz' will attempt to execute a
specialized implementation at /etc/qubes-rpc/foo+bar+baz first, or if
that doesn't exist /etc/qubes-rpc/foo for a general implementation.
That is still the same in R4.2.)

In the new policy format this would be written as a line starting with

foo +bar+baz

Note the whitespace before the first '+' character, which makes it a
little bit clearer what's going on.

Rusty
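
The naming rule described in the message above, as an added example (not part of the original message and not Qubes code): it splits a call name at the first '+', lists the implementation paths in the lookup order given above, and derives the start of the new-format policy line from an old policy file name. The function names and the sets of existing files passed in are constructed for illustration.

```python
from pathlib import PurePosixPath

RPC_DIR = PurePosixPath("/etc/qubes-rpc")


def split_call(name):
    """Split a call name at the FIRST '+' into (service, argument).

    'foo+bar+baz' is the service 'foo' called with the one argument
    'bar+baz'. A name without '+' has no argument (None).
    """
    # This example's own sanity check, so a name never escapes RPC_DIR.
    if "/" in name or name in ("", ".", ".."):
        raise ValueError(f"not a usable call name: {name!r}")
    service, plus, argument = name.partition("+")
    if not service:
        raise ValueError(f"empty service name in {name!r}")
    return service, (argument if plus else None)


def implementation_candidates(name):
    """Paths tried for a call, in order: specialized first, then general."""
    service, argument = split_call(name)
    candidates = []
    if argument is not None:
        candidates.append(RPC_DIR / name)      # /etc/qubes-rpc/foo+bar+baz
    candidates.append(RPC_DIR / service)       # /etc/qubes-rpc/foo
    return candidates


def resolve_implementation(name, existing_files):
    """Return the first candidate present in existing_files, else None.

    existing_files is a set of path strings supplied by the caller
    (constructed sample data here, not read from a real system).
    """
    for path in implementation_candidates(name):
        if str(path) in existing_files:
            return str(path)
    return None


def new_policy_prefix(old_policy_file_name):
    """Start of the new-format policy line for an old policy file name.

    'foo+bar+baz' (old file /etc/qubes-rpc/policy/foo+bar+baz) becomes
    'foo +bar+baz'. Names without an argument are outside what the
    message covers, so None is returned for them.
    """
    service, argument = split_call(old_policy_file_name)
    if argument is None:
        return None
    return f"{service} +{argument}"


if __name__ == "__main__":
    only_general = {"/etc/qubes-rpc/foo"}  # constructed sample
    print(split_call("foo+bar+baz"))
    print(resolve_implementation("foo+bar+baz", only_general))
    print(new_policy_prefix("foo+bar+baz"))
```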


Re: [qubes-users] Issuing the command 'qvm-run --user=user some-dom kill -9 some-pid' on dom0 returns a message...

2023-07-22 Thread Rusty Bird

Boryeu Mao:
> of ``some-dom: command failed with code: 137``, which I have been ignoring 
> since the job with ``some-pid`` did get killed.  What could be the meaning 
> of the code 137 and its significance?

137 == 128 + (signal) 9
https://www.gnu.org/software/bash/manual/bash.html#Exit-Status

If you add --pass-io to the failing qvm-run invocation, it will show
any error messages from the VM.

Rusty


Re: [qubes-users] dom0 backup/restore

2023-05-17 Thread Rusty Bird

Qubes:
> However, when I use the Qubes backup tool it shows the size of the dom0
> backup is going to be 7.1 GB, but other than about 20 MB of screenshots in
> `/home/Pictures/` I don't have anything in `/home/`.

It's a bug in the GUI backup tool's size calculation for dom0:

https://github.com/QubesOS/qubes-issues/issues/5699#issuecomment-593500155

Rusty


Re: [qubes-users] Injecting configuration files into appVM when it's created/started for the first time

2023-04-30 Thread Rusty Bird

Qubes:
> I am sure I have read this somewhere here on the list or in the
> [documentation](https://www.qubes-os.org/doc/) that it is possible to inject
> configuration files into an appVM when it gets created. Can someone maybe
> remind me how to do it?
> 
> For example to enable a default dark theme in a VM one does the following:
> 
> mkdir -p .config/gtk-3.0
> vi .config/gtk-3.0/settings.ini
> 
> Then you add the following lines to settings.ini:
> 
> [Settings]
> gtk-application-prefer-dark-theme=1
> 
> The problem here is if you do it in the template the appVM does not inherit
> ".config/gtk-3.0/settings.ini" because the appVM gets its own private
> storage. It is however a pain to have to manually put it in each appVM. This
> is just an example there are many other cases where this is desirable.

Everything in /etc/skel/ on the TemplateVM is copied to /home/user/ on
VM creation, e.g. /etc/skel/.config/gtk-3.0/settings.ini (although for
this specific case you could just use /etc/gtk-3.0/settings.ini which
would also apply to existing VMs, not just newly created ones).

Rusty


Re: [qubes-users] Modifying /etc/hosts in dispVM

2023-04-20 Thread Rusty Bird

> The line "10.1.1.1 myhost.example.com" is appended to 
> /etc/hosts.  But when I open a disposable terminal and type 'host 
> myhost.example.com', I get the DNS address, not 10.1.1.1.

'host' isn't suitable for testing this, because it never looks at the
/etc/hosts file:

https://serverfault.com/questions/121890/hosts-file-seems-to-be-ignored

Rusty


Re: [qubes-users] Btrfs (file-reflink): Why is the CoW on a volatile.img enabled?

2023-03-04 Thread Rusty Bird

Rusty Bird:
> Disabling CoW and hence checksums (besides being specific to Btrfs -
> file-reflink is filesystem agnostic)

Although for volatile volumes in particular it might be possible to
get away with (optionally, configured per-volume) attempting to set
the nocow flag and ignoring any failures. Not sure if even that is
worth implementing though, when it's already possible to configure a
dedicated nocow pool for those volumes.

The filesystem specificity I was thinking of is a bigger issue with
other (snap_on_start or save_on_stop) volume types. E.g. on Btrfs you
can only do a reflink ioctl if the source and destination files have
the same nocow status - a notion that is perfectly captured by making
the whole pool directory nocow or not, without any convoluted logic in
the file-reflink driver.

Rusty


Re: [qubes-users] Btrfs (file-reflink): Why is the CoW on a volatile.img enabled?

2023-03-04 Thread Rusty Bird

449f09c92:
> had to edit the relevant code to disable CoW when volatile.img is
> created

file-reflink doesn't inherently do CoW for volatile volumes, it just
defaults to whatever the underlying location on the filesystem does.
For Btrfs, to get nocow non-checksummed volatile volumes you could set
that up like:

# mkdir /var/lib/very-volatile
# chattr +C /var/lib/very-volatile
# qvm-pool add -o dir_path=/var/lib/very-volatile very-volatile file-reflink
# qubes-prefs default_pool_volatile very-volatile

Although it will only apply to *new* VMs created after that. To point
*existing* VMs' volatile volumes to the new pool, you'd currently have
to shut down qubesd and manually edit /var/lib/qubes/qubes.xml
(because the property is not exposed through 'qvm-volume config').

> Is there any reason why copy-on-write is enabled on volatile volumes
> that are mostly used as swap?

Disabling CoW and hence checksums (besides being specific to Btrfs -
file-reflink is filesystem agnostic) means losing protection against
on-disk bit rot. But storing data on the volatile volume doesn't mean
it is unimportant or even short-lived: It's not that unusual to have a
long-running VM with weeks of uptime. Corruption in its swapped memory
(or in diverged 'root' volume data, which too is stored on the
'volatile' volume) could be devastating.

Rusty


Re: [qubes-users] Shutdown Delay

2023-01-03 Thread Rusty Bird

unman:
> On Wed, Dec 28, 2022 at 11:00:18AM +0100, Ulrich Windl wrote:
> > Am I the only one that sees extra shutdown delays?
> > It seems that everything is unmounted, but still things hang; unsure what
> > that is. See attachment.
> > What surprises me is that crypto seems to be stopped before unmount.
> > 
> No, I often see excessive shutdown delays.

What inexplicably fixes these delays on Btrfs - maybe on LVM too? -
is to shut down all VMs in a separate step before shutting down the
system: https://forum.qubes-os.org/t/btrfs-and-qubes-os/6967/17

Rusty


Re: [qubes-users] Missing data after Qubes restore from backup

2022-08-14 Thread Rusty Bird

Crsi:
> However, I made sure no VM was running (my host system
> crashed previously anyways). That means there's a difference between
> powering down a VM (e.g. qvm-shutdown) and having a powered down VM due to
> crash / power loss? Am I right that the backup tool uses the LV
> `vm--private` for backup only, but my data was in
> `vm--private-snap`?

Spot on. That was the situation in R4.0.

> Then, what about showing a warning that there exists a snap of a VM in the
> qubes-backup utility (at the same place where "The VM is running, backup
> will contain its state from before its start!" is shown as well), even if a
> VM is not running currently? That would have definitively saved me.

I know it doesn't help you anymore, but R4.1 avoids the whole problem
by cleanly stopping crashed volumes when the computer is restarted:

https://github.com/QubesOS/qubes-core-admin/pull/397

Rusty


Re: [qubes-users] "Cannot connect to qrexec agent for 60 .." - how to change this timeout?

2021-12-21 Thread Rusty Bird

Oleg Artemiev:
> I've slow disk on my qubes PC. Sometimes when I start VMs it tells
> that it can't connect to qrexec & fails to start automatically - I've
> to start again manually & then on the second time the disk reads
> faster due to cache & it succeeds. Where can I change the timeout to
> 90 seconds or even more?

$ qubes-prefs default_qrexec_timeout

You might want to increase default_shutdown_timeout as well, to
prevent your VMs from getting killed when they're slow to shut down.

Rusty


Re: [qubes-users] Systemd terminating qubesd during backup?

2021-10-11 Thread Rusty Bird

Steve Coleman:
> I seem to have an intermittent problem when my backup scripts are running
> late at night.
> 
> My qubesd is apparently being shutdown (sent a sigterm signal) by systemd
> during my long running backup sessions which then causes an eof pipe close
> exception and qvm-backup then receives a socket exception and immediately
> receives a second exception while still handling the first exception, thus
> the qvm-backup process gets forcibly terminated mid stream. Just prior to
> the qubesd shutdown I can clearly see that systemd had also
> shutdown/restarted the qubes memory manager (qubes-qmemman) too.
> 
> Q: What kind of background maintenance processing would actually require
> qubesd or the memory manager to be restarted?

It's crond running logrotate. Fixed in R4.1 but not yet in R4.0:
https://github.com/QubesOS/qubes-issues/issues/5004

> Q: Could this processing be put on hold during backups?

I always sandwich backup runs between 'systemctl stop crond' and
'systemctl start crond'.

Rusty

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/YWR9VrcVsYS/1FC8%40mutt.
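
The "sandwich" from the reply above, as an added example that is not part of the original message: a wrapper that stops crond, runs the backup, and starts crond again even when the backup fails or is interrupted. The function name and the `SYSTEMCTL` override are assumptions of this sketch.

```shell
#!/bin/sh
# Run one command with crond stopped and start crond again however that
# command ends, so logrotate cannot restart qubesd mid-backup and cron is
# never left switched off afterwards.
# SYSTEMCTL is an assumption of this sketch: a hook for dry runs and tests.
with_crond_stopped() (
    ctl=${SYSTEMCTL:-systemctl}
    "$ctl" stop crond || exit 1
    # The body runs in a subshell, so these traps cannot leak into the caller.
    trap '"$ctl" start crond' EXIT
    trap 'exit 130' INT
    trap 'exit 143' TERM
    status=0
    "$@" || status=$?
    exit "$status"      # the EXIT trap fires here and restarts crond
)

# Dry run: echo stands in for systemctl, so nothing on the system is touched.
( SYSTEMCTL=echo; with_crond_stopped echo 'qvm-backup would run here' )

# Real use in dom0, as root:
#   with_crond_stopped qvm-backup <your usual arguments>
```

The wrapper returns the exit status of the wrapped command, so a calling backup script can still detect a failed run.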


Re: [qubes-users] Qubes-backup verify only verifies dom0, not appVMs

2021-09-14 Thread Rusty Bird

tetrahedra:
> And here's how I restore:
> ```
> qvm-backup-restore \
>   --dest-vm $DEST_VM \
>   --passphrase-file $PASSFILE \
>   --verify-only \
>   --verbose \
>   $BACKUP_FILE
> ```
> 
> When it starts restoring, it shows that none of my VMs will be restored,
> except for dom0:
> ```
> The following VMs are included in the backup:
> 
> -----------------+--------------+-----------+-------------+--------+
>             name |         type |  template |       netvm |  label |
> -----------------+--------------+-----------+-------------+--------+
>             dom0 |      AdminVM |       n/a |   (default) |  black |
>             myvm | StandaloneVM |       n/a | my-net-vm-x | orange | <-- Excluded from restore
>  my-other-vm-xxx |        AppVM | debian-10 |   (default) |   blue | <-- Excluded from restore
>    another-vm-xx |        AppVM | fedora-33 |   (default) |  green | <-- Excluded from restore
> [... continuing for the list of all VMs ...]
> ```

It acts as if you accidentally passed a whitelist of VMs to restore,
and none of them are part of the backup file. Some ideas:

- If you posted a simplified version instead of the command you're
  really using, make sure there's no extra argument after the backup
  file

- Use quoted shell variables, e.g. "$BACKUP_FILE" with quotation marks

- Just to ensure that nothing's somehow tripping up the options
  parser, try using = instead of a space for option arguments, e.g.
  --dest-vm="$DEST_VM"

Rusty

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/YUB5APIV4pH4FFis%40mutt.
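
Why the quoting suggestions in the reply above matter, as an added example that is not part of the original message: qvm-backup-restore takes the backup location followed by an optional list of VM names, so an unquoted variable whose value contains whitespace turns part of the path into that list. `split_restore_args` is a hypothetical stand-in that only mimics this positional layout, and the variable values are constructed samples.

```shell
#!/bin/sh
# Hypothetical stand-in that mimics only the positional layout
#   qvm-backup-restore [options] backup_location [vm ...]
# It classifies its arguments and restores nothing.
split_restore_args() {
    location='' vms=''
    while [ "$#" -gt 0 ]; do
        case $1 in
            --dest-vm|--passphrase-file)       # option with a separate value
                [ "$#" -gt 1 ] && shift ;;
            -*) ;;                             # flag, or --option=value in one word
            *)
                if [ -z "$location" ]; then
                    location=$1                # first bare word: the backup file
                else
                    vms="${vms:+$vms,}$1"      # every later bare word: a VM name
                fi ;;
        esac
        shift
    done
    printf 'location=[%s] vm_whitelist=[%s]\n' "$location" "$vms"
}

# Constructed sample values; the path deliberately contains spaces.
DEST_VM='backup-usb'
BACKUP_FILE='/mnt/usb/qubes backup 2021-09-14'

# As posted: unquoted expansions are split on whitespace before the tool runs.
unquoted() { split_restore_args --dest-vm $DEST_VM --verify-only $BACKUP_FILE; }

# As suggested: quoted variables, and = between option and value.
quoted() { split_restore_args --dest-vm="$DEST_VM" --verify-only "$BACKUP_FILE"; }

unquoted
quoted
```

In the unquoted call the words `backup` and `2021-09-14` land in the VM list, which matches the symptom in the question: a whitelist naming VMs that are not in the backup, so every VM is excluded.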


Re: [qubes-users] mounting root TemplatVM partition in dom0 fails

2021-08-30 Thread Rusty Bird

rss+qu...@armor-mail.com:
> I have some templates stored in a "file" pool where, for example, I
> find the following files:
> 
>   private.img
>   private-cow.img
>   root.img
>   root-cow.img
> 
> I can do this in dom0, no problem:
> 
>   sudo mount private.img /mnt
> 
> But this fails:
> 
>   sudo mount root.img /mnt
> 
> with a very common, uninformative error, ie.
> 
>   mount: wrong fs type, bad option, etc. etc.
> 
> I would dearly love to mount the root.img and modify a file in /etc file
> in a broken VM. Any hints would be welcome.

It doesn't work for the 'root' volume because that contains multiple
partitions. The / filesystem is on the 3rd. You could use kpartx to
mount it, but mounting any VM or template filesystem in dom0 is
insecure! The kernel can not be assumed to be robust against a
potentially malicious filesystem. Better to attach your broken volume
to e.g. a trusted DisposableVM for recovery:

https://github.com/QubesOS/qubes-issues/issues/4687#issue-396119132
https://github.com/QubesOS/qubes-issues/issues/4687#issuecomment-753492903

Rusty


To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/YS0/AM0jyOtQM6xy%40mutt.


Re: [qubes-users] The safest way to search in files on an external hard drive

2021-06-19 Thread Rusty Bird

Michael Singer:
> I had to find a way to mount the read-only volume in the destination
> qube. I discovered the page
> https://www.qubes-os.org/doc/block-devices/ But it doesn't say how
> to mount it either. The normal way with "$ sudo mount /dev/xvdi
> /mnt" does not seem to work for read-only. You have to tell the
> mount tool that it is a read-only device: "$ sudo mount -o ro,noload
> /dev/xvdi /mnt" This way it works.

'mount' without any options generally works for read-only devices -
but not if the filesystem is in a dirty state, like after sudden
power-off. In that case 'noload' is needed so the kernel doesn't
attempt to recover the newest data by replaying the journal, which
would fail without write access.

> Perhaps this should be added to the documentation.

https://www.qubes-os.org/doc/doc-guidelines/#how-to-contribute :)

> I read the notes about your split-dmcrypt-tool. Good work! Let's
> assume I would not work with LUKS. Suppose I mount sda1 with
> read-only option set in a DispVM (after switching off its network),
> decrypt it there and search in the files. An exploit bug occurs and
> the VM is taken. Now it could happen that someone leaks the
> partition password to the internet via a covered channel. So would
> it be safer to mount the decrypted volume again in another DispVM
> before we search it?

Yes, assuming that the exploit is inside the *decrypted* data. Then
that second offline DisposableVM would not have access to the (tiny)
password, so it would only be able to slowly transmit the (huge)
decrypted data over such a hypothetical covert channel.

> And how would that be done? With the loopdevice method? What
> commands would you use in the terminal?

 [dom0]# qvm-block attach --ro disp1 sys-usb:sda1

[disp1]# echo Y >/sys/module/block/parameters/no_part_scan
[disp1]# (somehow decrypt /dev/xvdi, yielding a device /dev/mapper/something)
[disp1]# readlink /dev/mapper/something
../dm-0

 [dom0]# qvm-block attach --ro disp2 disp1:dm-0

[disp2]# (mount /dev/mapper/xvdi)

Rusty

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/YM3j6FQAdHWkZZEV%40mutt.
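
Which of the two cases from the reply above applies can be read from the ext4 superblock before mounting: the `needs_recovery` bit in `s_feature_incompat` is set while the journal still holds unreplayed data. This is an added example, not part of the original message; the function names and the sample images are constructed here, and it assumes the attached volume is ext2/3/4.

```shell
#!/bin/sh
# Offsets are from the ext4 on-disk superblock, which starts 1024 bytes
# into the volume.
SB=1024             # superblock offset
OFF_MAGIC=56        # s_magic, 2 bytes, 0xEF53
OFF_INCOMPAT=96     # s_feature_incompat, 4 bytes
RECOVER=4           # "needs_recovery": the journal must be replayed

# read_le FILE OFFSET NBYTES: print a little-endian field as a decimal number.
read_le() {
    bytes=$(od -An -v -tu1 -j "$2" -N "$3" "$1") || return 1
    value=0 bits=0
    for byte in $bytes; do
        value=$(($value + ($byte << $bits)))
        bits=$(($bits + 8))
    done
    echo "$value"
}

# ext4_ro_mount_opts DEVICE_OR_IMAGE: print the -o value for a read-only mount.
# Exit status 2 means "no ext2/3/4 superblock found".
ext4_ro_mount_opts() {
    magic=$(read_le "$1" $(($SB + $OFF_MAGIC)) 2) || return 2
    [ "$magic" -eq 61267 ] || return 2          # 61267 = 0xEF53
    incompat=$(read_le "$1" $(($SB + $OFF_INCOMPAT)) 4) || return 2
    if [ $(($incompat & $RECOVER)) -ne 0 ]; then
        echo 'ro,noload'    # dirty: journal replay would need write access
    else
        echo 'ro'           # clean: nothing to replay
    fi
}

# make_sample FILE clean|dirty: constructed 2 KiB image holding only the two
# superblock fields used above (not a mountable filesystem).
make_sample() {
    case $2 in
        dirty) flags='\106' ;;    # 0x46 = FILETYPE | RECOVER | EXTENTS
        *)     flags='\102' ;;    # 0x42 = FILETYPE | EXTENTS
    esac
    dd if=/dev/zero of="$1" bs=1024 count=2 2>/dev/null
    printf '\123\357' | dd of="$1" bs=1 seek=$(($SB + $OFF_MAGIC)) conv=notrunc 2>/dev/null
    printf "$flags" | dd of="$1" bs=1 seek=$(($SB + $OFF_INCOMPAT)) conv=notrunc 2>/dev/null
}

sample_dir=$(mktemp -d)
for state in clean dirty; do
    make_sample "$sample_dir/$state.img" "$state"
    echo "$state: mount -o $(ext4_ro_mount_opts "$sample_dir/$state.img") /dev/xvdi /mnt"
done
rm -rf "$sample_dir"
```

Run the check inside the qube the device is attached to, on /dev/xvdi itself. With `noload` the journal is skipped, so the mounted view can be missing the most recent writes.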


Re: [qubes-users] The safest way to search in files on an external hard drive

2021-06-19 Thread Rusty Bird

Rusty Bird:
> Michael Singer:
> > I had to find a way to mount the read-only volume in the destination
> > qube. I discovered the page
> > https://www.qubes-os.org/doc/block-devices/ But it doesn't say how
> > to mount it either. The normal way with "$ sudo mount /dev/xvdi
> > /mnt" does not seem to work for read-only. You have to tell the
> > mount tool that it is a read-only device: "$ sudo mount -o ro,noload
> > /dev/xvdi /mnt" This way it works.
> 
> 'mount' without any options generally works for read-only devices -
> but not if the filesystem is in a dirty state, like after sudden
> power-off. In that case 'noload' is needed so the kernel doesn't
> attempt to recover the newest data by replaying the journal, which
> would fail without write access.
> 
> > Perhaps this should be added to the documentation.
> 
> https://www.qubes-os.org/doc/doc-guidelines/#how-to-contribute :)
> 
> > I read the notes about your split-dmcrypt-tool. Good work! Let's
> > assume I would not work with LUKS. Suppose I mount sda1 with
> > read-only option set in a DispVM (after switching off its network),
> > decrypt it there and search in the files. An exploit bug occurs and
> > the VM is taken. Now it could happen that someone leaks the
> > partition password to the internet via a covered channel. So would
> > it be safer to mount the decrypted volume again in another DispVM
> > before we search it?
> 
> Yes, assuming that the exploit is inside the *decrypted* data. Then
> that second offline DisposableVM would not have access to the (tiny)
> password, so it would only be able to slowly transmit the (huge)
> decrypted data over such a hypothetical covert channel.
> 
> > And how would that be done? With the loopdevice method? What
> > commands would you use in the terminal?
> 
>  [dom0]# qvm-block attach --ro disp1 sys-usb:sda1
> 
> [disp1]# echo Y >/sys/module/block/parameters/no_part_scan

I just remembered, this is only a partial solution unless
https://github.com/rustybird/qubes-split-dm-crypt/blob/master/vm/rules.d/00-blockdev-parsing-disabled.rules
from Split dm-crypt has also been installed.

The point of this step is, if the decrypted data blocks are malicious
then the intermediary decryption VM (which knows the password) should
not parse them in any way at all. So no_part_scan=Y disables the
kernel partition parsers; the .rules file also disables udev
filesystem type etc. parsers when no_part_scan==Y.

OTOH if the exploit is merely in a *file* inside the decrypted
filesystem, but you know that the decrypted "outer" data structures
(such as the filesystem itself) are not malicious, then it's fine to
skip this whole step.

> [disp1]# (somehow decrypt /dev/xvdi, yielding a device /dev/mapper/something)
> [disp1]# readlink /dev/mapper/something
> ../dm-0
> 
>  [dom0]# qvm-block attach --ro disp2 disp1:dm-0
> 
> [disp2]# (mount /dev/mapper/xvdi)

Rusty

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/YM3qV1X9wMRelfc9%40mutt.


Re: [qubes-users] The safest way to search in files on an external hard drive

2021-06-03 Thread Rusty Bird

Michael Singer:

> I am looking for a really secure way to use Qubes for searching not
> only a hard drive for file names, but for text that is in files.
> 
> The goal is to avoid an exploit in the searched files leading to a
> takeover of the hard drive by malware.
> 
> The total size of all my files is too large for me to put them all
> in one qube before searching for text in them.
> 
> Would it perhaps be possible to mount only a single partition of the
> hard drive into a qube, but not with write permissions, only read
> permissions?

Yes, e.g. like this:

$ qvm-block attach --ro destinationvm sys-usb:sda1

Then you can decrypt and mount the read-only /dev/xvdi in the
destination VM.

> I would do the search on command line, using "grep" for plain text
> files, "pdfgrep" for PDFs, and something for table files, databases,
> etc.
> 
> Is my idea feasible? And how secure would it be?

Sounds fine to me. But malicious content could still exploit the
destination VM, so consider attaching to a DisposableVM (after
switching off its networking).

If your partition is LUKS1[1] encrypted, Split dm-crypt[2] might be
convenient. Its default behavior is to attach the decrypted partition
to an offline DisposableVM:

$ qvm-block-split attach --ro sys-usb:sda1

[1] TODO: LUKS2 support
[2] https://github.com/rustybird/qubes-split-dm-crypt

Rusty

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/YLjAMaVc8KFVSWSp%40mutt.


Re: [qubes-users] delaying total shutdown of disposable qube

2021-04-21 Thread Rusty Bird

Rusty Bird:
> Ólafur Jens Sigurðsson:
> > We would like to add a new disposable template in which the disposable vm's
> > will be shut down with a delay of a few minutes, just enough for the person
> > to start replying to the email and finding that they need the file and then
> > open up the file manager from that disposable qube that was almost shut down
> > and thus saving the file.
> > 
> > How would we do this? Is there some option in Qubes-OS that supports this?
> 
> I'm not aware of a built-in option, but you could cobble two things
> together:

Umm, but also: If you open the file in a DisposableVM for editing,
don't you already get the modified file back if you just press save
and close the DisposableVM window?

> 1. To make the destination qubes.OpenInVM service wait indefinitely
> after the launched program is done, create an executable file at
> /usr/local/etc/qubes-rpc/qubes.OpenInVM in e.g. fedora-delayed-dvm
> containing:
> 
> #!/bin/sh
> /etc/qubes-rpc/"${0##*/}" "$@"
> exec sleep inf
> 
> Maybe also link it at /usr/local/etc/qubes-rpc/qubes.OpenURL to
> get the same behavior for URLs.
> 
> 2. To automatically shut down DisposableVMs based on
> fedora-delayed-dvm when they have been running with no windows for 15
> minutes, install the qubes-app-shutdown-idle package in the TemplateVM
> (e.g. fedora-33), and:
> 
> $ qvm-service --enable fedora-delayed-dvm shutdown-idle

Rusty


To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/YICF%2BKmMwm9L%2BrAA%40mutt.


Re: [qubes-users] delaying total shutdown of disposable qube

2021-04-21 Thread Rusty Bird

Ólafur Jens Sigurðsson:
> We would like to add a new disposable template in which the disposable vm's
> will be shut down with a delay of a few minutes, just enough for the person
> to start replying to the email and finding that they need the file and then
> open up the file manager from that disposable qube that was almost shut down
> and thus saving the file.
> 
> How would we do this? Is there some option in Qubes-OS that supports this?

I'm not aware of a built-in option, but you could cobble two things
together:

1. To make the destination qubes.OpenInVM service wait indefinitely
after the launched program is done, create an executable file at
/usr/local/etc/qubes-rpc/qubes.OpenInVM in e.g. fedora-delayed-dvm
containing:

#!/bin/sh
/etc/qubes-rpc/"${0##*/}" "$@"
exec sleep inf

Maybe also link it at /usr/local/etc/qubes-rpc/qubes.OpenURL to
get the same behavior for URLs.

2. To automatically shut down DisposableVMs based on
fedora-delayed-dvm when they have been running with no windows for 15
minutes, install the qubes-app-shutdown-idle package in the TemplateVM
(e.g. fedora-33), and:

$ qvm-service --enable fedora-delayed-dvm shutdown-idle

Rusty


To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/YICCYAG8zdb2Jgn0%40mutt.


Re: [qubes-users] Recover data from 'private-cow.img'

2021-04-19 Thread Rusty Bird

Stickstoff:
> [dom0] qvm-volume revert vmname:private old
> > Got empty response from qubesd. See journalctl in dom0 for details.
> 
> Journal says:
> > unhandled exception while calling src=b' dom0' meth=b' \
> > admin.vm.volume.Revert' dest=b'vmname' arg=b' private' \ 
> > len(untrusted_payload)=3
> [..]
> > NotImplementedError: Volume Filevolume has revert() not implemented

The legacy 'file' storage driver just doesn't implement the required
functionality for 'qvm-volume revert' - one of the many reasons it
will be deprecated:

https://github.com/QubesOS/qubes-issues/issues/6399

> On 4/18/21 11:25 AM, haaber wrote:
> > These are real disc-image files! There is a filesystem, but it is not
> > in sector 1 :) 

> After way too long I figured out that the regular 'private.img' seems to
> contain its filesystem beginning right at sector 1,
> 'private-cow.img.old' apparently as well, and 'private-cow.img' at
> sector 560.

private.img is a full disk image, but private-cow.img(.old) is more
like a patch as you said, and isn't mountable.

You could use this script (after backing up private.img and
private-cow.img.old):

https://github.com/rustybird/qubes-stuff/blob/master/dom0/bin/qvm-legacy-filevolume-revert

$ qvm-legacy-filevolume-revert vmname private

Rusty


To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/YH23%2BM9yxZV5MT4Q%40mutt.


Re: [qubes-users] qubes-split-browser issues

2021-02-08 Thread Rusty Bird

taran1s:
> Rusty Bird:
> > taran1s:
> > > Rusty Bird:
> > > > Anything interesting in 'sudo journalctl' on
> > > > the DisposableVM?
> > 
> > > Can you navigate me how to open the terminal in the active dispvm please?
> > 
> > In the Domains Widget (system tray Q button), there's 'Run Terminal'
> > inside the disp1234 submenu.
> 
> Sorry, in the Domains Widget there is no active disp12... available. I can
> see the dispvm only in the Qube Manager.

Are you maybe confusing the Domains widget (Q on the upper right of
the screen - next to the Clipboard widget, Devices widget, etc.) with
the Applications button (Q on the upper left corner)?

Qube Manager can also open a terminal: Right click on disp1234, "Run
command in qube", enter "qubes-run-terminal".

Once you've got a terminal in the DisposableVM, can you please also
post (after the Tor Browser window has appeared) the full contents of:

/home/user/.tb/tor-browser/Browser/sb.js
/home/user/.tb/tor-browser/Browser/defaults/pref/sb-load.js

And the output of:

ps -efH | grep -i browser

> > The logs in the *persistent* VM would be relevant too:
> > 
> >  journalctl -t qubes.StartApp+split-browser-dom0 \
> > -t qubes.StartApp+split-browser-safest-dom0


> > Ah, for some reason the hotkeys aren't intercepted. Can you start a
> > new Split Browser, and post the full contents of Tor Browser's Browser
> > Console? (Ctrl-Shift-j)
> 
> split-browser-safest
> 
> [02-08 11:25:56] Torbutton NOTE: Initializing security-prefs.js
> [...]
> [02-08 11:25:56] Torbutton NOTE: security-prefs.js initialization complete
> Content Security Policy: Couldn’t parse invalid host 'wasm-eval'
> [Exception... "Component returned failure code: 0x80520001
> (NS_ERROR_FILE_UNRECOGNIZED_PATH) [nsIXPCComponents_Utils.readUTF8URI]"
> nsresult: "0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH)"  location: "JS
> frame :: resource://gre/modules/L10nRegistry.jsm :: L10nRegistry.loadSync ::
> line 661"  data: no] 14 L10nRegistry.jsm:661:19
> Bootstrapped manifest not allowed to use 'resource' directive.
> chrome.manifest:2
> Content Security Policy: Couldn’t parse invalid host 'wasm-eval'
> [Exception... "Component returned failure code: 0x80520001
> (NS_ERROR_FILE_UNRECOGNIZED_PATH) [nsIXPCComponents_Utils.readUTF8URI]"
> nsresult: "0x80520001 (NS_ERROR_FILE_UNRECOGNIZED_PATH)"  location: "JS
> frame :: resource://gre/modules/L10nRegistry.jsm :: L10nRegistry.loadSync ::
> line 661"  data: no] L10nRegistry.jsm:661:19
> Content Security Policy: Couldn’t parse invalid host 'wasm-eval'
> [Exception... "Component returned failure code: 0x80004001
> (NS_ERROR_NOT_IMPLEMENTED) [nsIAppStartup.secondsSinceLastOSRestart]"
> nsresult: "0x80004001 (NS_ERROR_NOT_IMPLEMENTED)"  location: "JS frame ::
> resource:///modules/BrowserGlue.jsm :: _collectStartupConditionsTelemetry ::
> line 1743"  data: no] BrowserGlue.jsm:1743:9
> Error: setevents stream -> 510 Command filtered tor-control-port.js:237:19
> [02-08 11:25:59] Torbutton NOTE: no SOCKS credentials found for current
> document.
> Unchecked lastError value: Error: Could not establish connection. Receiving
> end does not exist. store.js:135
> a11y.sitezoom - Unknown scalar.
> [02-08 11:26:02] Torbutton WARN: Your Tor Browser is out of date.

Unremarkable log spam except for this^ line: Somehow the Split Browser
prefs from sb.js (which would disable Torbutton's broken update check)
aren't being applied.

> Key event not available on GTK2: key=“u” modifiers=“accel shift”
> id=“torbutton-new-identity-key” browser.xhtml
> Key event not available on some keyboard layouts: key=“r”
> modifiers=“accel,alt” id=“key_toggleReaderMode” browser.xhtml
> Key event not available on some keyboard layouts: key=“i”
> modifiers=“accel,alt,shift” id=“key_browserToolbox” browser.xhtml

Rusty


Re: [qubes-users] qubes-split-browser issues

2021-02-06 Thread Rusty Bird

taran1s:
> Rusty Bird:
> > Anything interesting in 'sudo journalctl' on
> > the DisposableVM?
> 
> Can you navigate me how to open the terminal in the active dispvm please?

In the Domains Widget (system tray Q button), there's 'Run Terminal'
inside the disp1234 submenu.

The logs in the *persistent* VM would be relevant too:

journalctl -t qubes.StartApp+split-browser-dom0 \
   -t qubes.StartApp+split-browser-safest-dom0

> > > - At the end, if I save a bookmark in the disp VM TB, launched from
> > > the surfer VM, the bookmark doesn't survive the killing of the disp
> > > VM and is not available from the another disp VM launched from the
> > > surfer VM.
> > 
> > Did you use the hotkeys? Ctrl-d to save a persistent bookmark, and
> > Alt-b to open the persistent bookmarks list. Other methods (like
> > clicking the star outline in the address bar, etc.) unfortunately
> > won't work.
> 
> Yes I did. Clicking ctrl-d saves the bookmark with blue Saved to library!
> popup in the active TB dispVM. alt-b opens up the bookmarks menu and I can
> see the bookmark. It doesn't but survive the reboot.

Ah, for some reason the hotkeys aren't intercepted. Can you start a
new Split Browser, and post the full contents of Tor Browser's Browser
Console? (Ctrl-Shift-j)

Rusty


To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20210206162220.GA1843%40mutt.


Re: [qubes-users] kernel-latest broke my system

2021-02-04 Thread Rusty Bird

Fabrizio Romano Genovese:
> In trying to make my wifi adapter working, I decided to try `kernel-latest` 
> on Dom0, which installed kernel `5.10.11-1.fc25.qubes.x86_64`. The result 
> is a system where I cannot start VMs (not even VMs with no devices 
> connected to them) due to `libvirt` errors ( The kernel doesn't support 
> reset from sysfs for PCI device ...).
> 
> I tried to go back to my old kernels by changing `xen.cfg` in 
> `/boot/efi/EFI/qubes` (here I have options 5.4.90-1.qubes.x86_64 and 
> 5.4.91-1.fc25.qubes.x86_64, besides the one I mentioned above). The real 
> big problem is that these kernels do not seem to appear to work anymore. As 
> soon as I change `default` in `xen.cfg` selecting one of these two kernels, 
> I am not able to access the system (after I insert the LUKS passphrase I 
> get black screen in the authorization manager. Moreover, from boot messages 
> it seems that neither these kernel can start sys-net anymore).
> 
> 
> Any suggestion is really appreciated, I spent the last week configuring my 
> PC and I would literally break into tears if I had to re-do everything from 
> scratch.

Did you also install kernel-latest-qubes-vm (in addition to
kernel-latest) in dom0? Then maybe that too happens to be somehow
broken on your system.

If you can log in on a console (Ctrl-Alt-F2) *after* all your
autostart VMs have failed to start, check 'qubes-prefs default_kernel'
and try setting the VM kernel to another version - i.e. to one of the
directory names in /var/lib/qubes/vm-kernels/ - like this:

qubes-prefs default_kernel 5.4.90-1
qubes-prefs default_kernel 5.4.91-1.fc25

If you can't log in at all, you could mount the root filesystem from a
Qubes installer console and edit the 'default_kernel' property inside
var/lib/qubes/qubes.xml on the root filesystem mountpoint.

Rusty


To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20210204211446.GA1168%40mutt.


Re: [qubes-users] qubes-split-browser issues

2021-02-04 Thread Rusty Bird

taran1s:
> - TB opens up in disp-VM whonix-ws-15-disp.

In a VM named like disp1234 though, right?

> The welcome page is not Whonix Welcome Page as normally when I open
> the TB in the disp VM directly, but instead it opens up the About
> Tor welcome page. Is this intended?

Yes, so far so good.

I've configured about:tor as the homepage, because Tor Browser has
been plagued by a bunch of obscure bugs on first startup (which should
be every startup for DisposableVMs) when it's blank or a file:// URL.

> - TB opens up in the Security Level: Standard, instead of Safest, as
> mentioned in the name of the link (Split Browser (TB Security level:
> Safest). [...]
>
> - once I close the TB, the disp VM remains active and needs to be
> stopped manually.

Those two are strange. Anything interesting in 'sudo journalctl' on
the DisposableVM?

> - At the end, if I save a bookmark in the disp VM TB, launched from
> the surfer VM, the bookmark doesn't survive the killing of the disp
> VM and is not available from the another disp VM launched from the
> surfer VM.

Did you use the hotkeys? Ctrl-d to save a persistent bookmark, and
Alt-b to open the persistent bookmarks list. Other methods (like
clicking the star outline in the address bar, etc.) unfortunately
won't work.

> This behavior is the same if I execute split-browser in the
> terminal, or through the GUI as Split Browser or as Split Browser
> (TB Security level: Safest).

So 'split-browser --safest' also opens up on Standard?

Hmm, maybe try with a freshly created DisposableVM template instead of
whonix-ws-15-disp? I'm definitely interested in debugging this.

Rusty


To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20210204200237.GA1116%40mutt.


Re: [qubes-users] Exported Volume Error.

2021-01-27 Thread Rusty Bird

'Stuart Perkins' via qubes-users:
> Ok, now I'm afraid to turn off my computer or even stop any Debian template 
> based VM's...

Don't panic, it's just a bug* in qubes-core-dom0-4.0.56. Your VM data
is still okay.

> Here is what happened.  
> 
> I was going to do a general update on Dom0 and my Debian-10 and
> Fedora-32 templates.
> 
> As is my habit, I deleted the older clones of those template VM's
> and was creating new clones with qvm-clone from a Dom0 command
> window.
> 
> While attempting to create a new clone of the Debian-10 template, it
> halted with an error:
> 
> file pool cannot export dirty volumes.
> 
> Searching for that issue suggested I start the template VM and exit
> it cleanly...although I don't have a recollection of a "dirty" exit
> (crash, kill etc...).
> 
> I went to start the template with qvm-start and it won't, giving the
> error:
> 
> file pool cannot start a VM with an exported volume.
> 
> How in the world do I recover from this?

If you restart your computer (or only qubesd), it will drop the
lingering export lock and you'll be able to start the original
template again, etc.

Rusty

* https://github.com/QubesOS/qubes-core-admin/commit/0eb95044dd937857581a22c13a692eff5d92c70b#r46447802


To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20210128003116.GA1131%40mutt.


[qubes-users] ANN: Split Browser in qubes-repo-contrib

2021-01-17 Thread Rusty Bird

Split Browser - "Tor Browser (or Firefox) in a DisposableVM, with
persistent bookmarks and login credentials" - is now fully available
via qubes-repo-contrib for easier installation:

https://github.com/rustybird/qubes-app-split-browser
https://github.com/rustybird/qubes-app-split-browser#installation

Rusty


Re: [qubes-users] Setting block.no_part_scan=no on sys-usb’s command line does not work

2020-12-26 Thread Rusty Bird

unman:
> On Fri, Dec 25, 2020 at 09:13:24PM -0500, Demi M. Obenour wrote:
> > I am trying to disable automatic partition scanning in sys-usb,
> > and tried including block.no_part_scan=no in sys-usb’s kernelopts.
> > However, it had no effect.  `block.no_part_scan=0` also doesn’t work.

> no_part_scan=Y ?
> test by writing to /sys/module/block/parameters/no_part_scan

Yes it's Y, but with 'block.no_part_scan=Y' in kernelopts, the VM will
fail to boot because now it can't find /dev/xvda3 (root) or /dev/xvdc1
(swap). So this parameter is intended to be set by writing Y to /sys
after the VM has booted.

Block device content is also parsed by udev scans for filesystems etc.
In Split dm-crypt, those scans are disabled by installing a udev rules
file which piggybacks on the kernel parameter:

https://github.com/rustybird/qubes-split-dm-crypt/blob/master/vm/rules.d/00-blockdev-parsing-disabled.rules

Rusty


Re: [qubes-users] Installing Rofi on dom0 via contributed packages?

2020-12-17 Thread Rusty Bird

Rusty Bird:
> Stumpy:
> > On 12/16/20 2:40 PM, Frédéric Pierret wrote:
> > > Fedora 32 version for qubes-tunnel is currently uploading to stable.
> 
> > Error: Unable to find a match: qubes-tunnel
> > 
> > So perhaps it's currently for fedora regular rather than minimal?
> 
> Regular and minimal use the same repo. You're still seeing that error
> because the upload didn't go through:
> 
> https://github.com/QubesOS-contrib/updates-status/issues/21#issuecomment-747355040

The Fedora 32 stable package is available now.

Rusty


Re: [qubes-users] Installing Rofi on dom0 via contributed packages?

2020-12-17 Thread Rusty Bird

Stumpy:
> On 12/16/20 2:40 PM, Frédéric Pierret wrote:
> > Fedora 32 version for qubes-tunnel is currently uploading to stable.

> Error: Unable to find a match: qubes-tunnel
> 
> So perhaps it's currently for fedora regular rather than minimal?

Regular and minimal use the same repo. You're still seeing that error
because the upload didn't go through:

https://github.com/QubesOS-contrib/updates-status/issues/21#issuecomment-747355040

Rusty


Re: [qubes-users] Installing Rofi on dom0 via contributed packages?

2020-12-16 Thread Rusty Bird

Stumpy:
> [bob@dom0 ~]$ sudo qubes-dom0-update qubes-rofi
[...]
> No Match for argument qubes-rofi

The package is called just "rofi":
https://contrib.qubes-os.org/yum/r4.0/current/dom0/fc25/rpm/

> which seems to be similar to an error I get when I try to
> install qubes-tunnel in a fed32 minimal template?

Looks like qubes-tunnel is in Fedora 32 current-testing, but hasn't
been uploaded to current yet:

https://contrib.qubes-os.org/yum/r4.0/current-testing/vm/fc32/rpm/
https://contrib.qubes-os.org/yum/r4.0/current/vm/fc32/rpm/
https://github.com/QubesOS-contrib/updates-status/issues?q=tunnel+r4.0+fc32

Rusty


Re: [qubes-users] Re: Getting wifi working on a new machine in qubes 4.0.3 and 4.0.4-rc1

2020-11-26 Thread Rusty Bird

River~~:
> 00.08.0 Network controller: Intel Corporation Wi-Fi 6 AX200 (rev 1a)

https://github.com/QubesOS/qubes-issues/issues/5615#issuecomment-702032377

Rusty


Re: [qubes-users] select vm to restore from a qvm-backup

2020-10-27 Thread Rusty Bird

lik...@gmx.de:
> I'm looking for a possibility to restore only 1 AppVM from a system
> backup. I could find this by studying the parameters of
> qvm-backup-restore. Seems that it performs a whole system restore
> (only to choose between with or without dom0).

You can specify the intended VM(s) after the backup file argument:

$ qvm-backup-restore /foo/qubes-2020-10-27T123456 vm1 vm2

For some reason the manpage doesn't mention this syntax, but it's
shown in 'qvm-backup-restore -h'.

Rusty


Re: [qubes-users] disposable vm shuts down after qvm-copy

2020-07-01 Thread Rusty Bird

Dave C:
> When I start a dvm, for example right click a file and "view in disposable 
> vm", if I later open a terminal in that dvm and run "qvm-copy something", I 
> find that the qvm-copy succeeds but the disposable vm shuts down (or 
> crashes?) immediately.

If the crash happens when you're copying to the VM that originally
opened the DisposableVM, check your qubes-core-dom0-linux version in
dom0:

$ rpm -qi qubes-core-dom0-linux

Version 4.0.25 and later should fix that crash.

Rusty


Re: [qubes-users] imagemagick in debian-minimal ?

2020-07-01 Thread Rusty Bird

haaber:
> I discovered with a little surprise that my 3 debian-minimal templates
> (used for firewall, usb, net) have imagemagick installed.

https://github.com/QubesOS/qubes-issues/issues/5009#issuecomment-489357218

Rusty


Re: [qubes-users] How to find which AppVM launched particular DispVM?

2020-05-15 Thread Rusty Bird

Martin Habovštiak:
> I'd love to query from command line which AppVM called an RPC (`qvm-run 
> --dispvm`) that caused particular dispvm (of which I have the name) to 
> start.

It's brittle but this seems to work alright in R4.0:

$ pgrep -af "^/usr/lib/qubes/qrexec-client -d disp1234 " | sed 's/.* //'

Rusty


Re: [qubes-users] programs run on different qubes freeze

2020-01-23 Thread Rusty Bird

roger paranoia:
> A couple of days ago I started to experience a problem on chromium browsers
> run on any qubes that I have. They freeze for 2 to 5 seconds when I stress
> the browser a bit (using it a bit faster).

Sounds like https://github.com/QubesOS/qubes-issues/issues/5530

Rusty


Re: [qubes-users] Per-VM stream isolation in Whonix

2019-09-30 Thread Rusty Bird

tetrahedra:
> Naturally I want Alice to appear to be using a different IP address than
> Bob, else the two identities are linked.
> 
> Right now it appears this is not necessarily the case -- the network
> traffic of AppVMs A and B may end up using the same Tor circuits (and
> exit nodes).

The circuits should be isolated out of the box, but it's normal and
good that two different circuits will sometimes happen to use the same
exit.

It would in fact hurt your anonymity if that *wasn't* the case,
because then the destination services could (over time) correlate two
supposedly isolated workloads purely from the observation that they
mysteriously, against all odds, never ever come from the same exit IP
address. Which would be expected to happen occasionally if they were
really from two different people using Tor on different computers...

OTOH, if you're often connecting to related services using e.g.
different pseudonyms at the same time, that alone will correlate the
workloads: It would be unlikely for different people to be so in sync
with their usage patterns, no matter if their network connections are
perfectly anonymous.

Rusty


Re: [qubes-users] Some problems with 4.0.2-rc1

2019-08-25 Thread Rusty Bird

donoban:
> On 8/25/19 5:58 PM, Rusty Bird wrote:
> > Here are some screenshots of how to get automatic btrfs partitioning:
> > https://openqa.qubes-os.org/tests/3240 ("install_partitioning_btrfs"
> > is the relevant section.)
> 
> Thanks Rusty, after checking the installation again and the test log I think
> that my problem was the "Click here to create them automatically" failed
> because my hard disk was already partitioned and did not have enough free space so I
> ended up using fully manual procedure, I am not sure if I deleted my luks
> partition from there or I switched to a console and used cfdisk.  The
> "automatically" button failed so many times that when I managed to free
> space I didn't try it again. I think that I also tried with "I would like to
> make additional space...", ouch I tested everything except the right path :)
> 
> The problem is that getting there with a non empty hard disk can be pretty
> confusing

Definitely. Partitioning is my least favorite part of Anaconda (the
installer used by Fedora and hence Qubes).

> Maybe some dialog saying "This hard disk already contains partitions, do you
> want to create an empty partition table?"

If you have the time and inclination, you might want to submit this
suggestion to the Anaconda bug tracker - after verifying that the
latest Fedora installer has the same defect, which is their bug
submission policy IIRC.

Rusty


Re: [qubes-users] Some problems with 4.0.2-rc1

2019-08-25 Thread Rusty Bird

donoban:
> On 8/25/19 4:22 PM, Rusty Bird wrote:
> > donoban:
> > > 2) Btrfs installation seems too hard. After some tries I did an unbootable
> > > installation.
> > 
> > Did you create the btrfs partitions manually or did you use the
> > installer partitioning screen's "Click here to create them
> > automatically" button?
> 
> I tried to do it automatically but it did not let me select the 'btrfs'
> option, so I was forced to try with manual setup. [...]
>
> I will boot again with the installer media and check if there is a 'btrfs'
> option.

Here are some screenshots of how to get automatic btrfs partitioning:
https://openqa.qubes-os.org/tests/3240 ("install_partitioning_btrfs"
is the relevant section.)

Rusty


Re: [qubes-users] Some problems with 4.0.2-rc1

2019-08-25 Thread Rusty Bird

donoban:
> 2) Btrfs installation seems too hard. After some tries I did an unbootable
> installation.

Did you create the btrfs partitions manually or did you use the
installer partitioning screen's "Click here to create them
automatically" button? The latter should work and I'd be very
interested if it somehow broke your system.

OTOH, manual btrfs partitioning in the installer was horrible last
time I tried.

Rusty


Re: [qubes-users] Re: Dom0 (System tools) shortcuts suddenly disappeared

2018-09-25 Thread Rusty Bird

Patrick:
> Hello, on my 4.0 platform somehow I'm now missing the "Display"
> shortcut. I'm thinking I may have accidentally dragged it into the
> desktop and then deleted it. I found this thread and tried a couple
> things but still not there.
> 
> How can I at least manually run a command to launch the display,
> just to see if it's all there,

$ xfce4-display-settings

> and then how to reinstall the shortcut?

$ sudo qubes-dom0-update --action=reinstall xfce4-settings

Rusty


Re: [qubes-users] Symlinks for "some" AppVMs to other partition in Qubes 4.x?

2018-09-17 Thread Rusty Bird

Teqleez Motley:
> I want to store only some AppVMs (and some custom TemplateVMs) on a
> different ext4 partition.

See , with the
exception that if you want to store your VMs in files on ext4, you'd
use the 'file' storage driver instead of 'lvm_thin':

$ qvm-pool --add  file -o dir_path=/mnt/your-partition/subdir

But note that 'file' is not in the best state. It has the fewest
features (online TRIM/discard unsupported; doesn't show which VMs
should be restarted to pick up template upgrades; can store only one
revision and can't revert to it) and yet the most complex code. So
consider just adding a regular 'lvm_thin' pool, like on the webpage.

Another, more bleeding-edge alternative - if you can set up your
partition as btrfs rather than ext4 - would be the 'file-reflink'
driver. In my biased opinion (having written it) it's solid. Though
you may want to wait for the qubes-core-dom0-4.0.30 package, which
will presumably include lots of recent improvements and a safety
check* before 'qvm-volume revert'.

Rusty


* 'qvm-volume revert' on a 'file-reflink' volume of a running or not
  cleanly stopped VM used to essentially throw away the revision.


Re: [qubes-users] systemd replacement for dom0

2018-09-03 Thread Rusty Bird

Marcus Linsner:
> I'm mainly asking because I fail to make certain services stop in a
> certain order at reboot/shutdown. Hmm, maybe I should focus on
> starting them in a certain order? then maybe shutdown will do it in
> reverse order [...]

Yes, that's how systemd does it. See Before= and After= in the
systemd.unit manpage.

Rusty


Re: [qubes-users] sys-net turning on itself

2018-08-27 Thread Rusty Bird

Daniil Travnikov:
> I turned off auto-start of sys-net when laptop starting, and all is
> ok with this moment.
> 
> But if my laptop will be turned on some while and I will be just in
> Qubes Manager with turned off all of the VM's, after some time I
> will see like how sys-net turning on itself.

https://github.com/QubesOS/qubes-issues/issues/3588

Rusty


Re: [qubes-users] Is Qubes vulnerable to CVE-2018-3620?

2018-08-26 Thread Rusty Bird

Rusty Bird:
> To me as a layman, it looks like Qubes is indeed vulnerable to the
> XSA-273 data leak, and that fixing it involves
> 
> 1. disabling hyperthreading (by adding smt=off to the Xen command line)
> 2. AND upgrading Intel microcode to 20180807
> 3. AND upgrading Xen

https://groups.google.com/d/msg/qubes-users/v5UPnWmnzJY/WG9lmyxYAgAJ

=> There's no point in manually adding the smt=off parameter - Qubes'
latest Xen 4.8.4-1 package doesn't support it yet, and I imagine the
next package version is going to add it automatically.

Rusty


Re: [qubes-users] XSA-273 - Impact on Qubes?

2018-08-26 Thread Rusty Bird

Ivan Mitev:
> On 08/26/2018 12:50 AM, Rusty Bird wrote:
> > Rob Fisher:
> >> what are the best options for a Qubes user right now?
> > 
> > - Add smt=off as a Xen boot parameter (which disables hyperthreading)
> 
> smt=off doesn't seem to work though:
> 
> $ xl dmesg | grep smt
> (XEN) Command line: [...] smt=off
> 
> $ xl info | grep thread
> threads_per_core : 2

Shit, you're right! Xen commit f049cd67a99bcf773aa4fceeedd5d1de17b2a8eb
("x86: command line option to avoid use of secondary hyper-threads")
was added to the 4.8 branches a few days _after_ the 4.8.4 release.
I should have checked better...

Rusty

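The check quoted in the message above (`xl dmesg | grep smt` next to `xl info | grep thread`), wrapped as a shell function that tells "requested" apart from "in effect". This is an added example, not part of the original thread or of Qubes; the function names and verdict strings are made up for illustration, and it assumes, as the quoted check does, that a `threads_per_core` above 1 means `smt=off` did not take effect.

```shell
#!/bin/sh
# Added example. Reads the same two outputs as the check quoted above:
#   $1 = text of `xl dmesg` (needs the "(XEN) Command line:" line)
#   $2 = text of `xl info`  (needs the "threads_per_core" line)

# Value of the last smt=... token on Xen's command line ("" if there is none).
xen_smt_option() {
    printf '%s\n' "$1" | awk '
        /Command line:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^smt=/) { v = $i; sub(/^smt=/, "", v) }
        }
        END { print v }'
}

# Number reported as threads_per_core ("" if the line is missing).
xen_threads_per_core() {
    printf '%s\n' "$1" | awk -F: '
        $1 ~ /^threads_per_core[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Prints one verdict (hypothetical labels) and returns 0 only when a single
# thread per core is reported:
#   effective      smt=off requested, threads_per_core is 1
#   ignored        smt=off requested, threads_per_core is above 1
#   single-thread  not requested, but threads_per_core is 1 anyway
#   not-requested  not requested, threads_per_core is above 1
#   unknown        threads_per_core could not be read
smt_mitigation_status() {
    opt=$(xen_smt_option "$1")
    tpc=$(xen_threads_per_core "$2")
    case "$tpc" in
        ''|*[!0-9]*) echo unknown; return 2 ;;
    esac
    if [ "$opt" = off ]; then
        if [ "$tpc" -eq 1 ]; then
            echo effective; return 0
        fi
        echo ignored; return 1
    fi
    if [ "$tpc" -eq 1 ]; then
        echo single-thread; return 0
    fi
    echo not-requested; return 1
}

# The two lines as quoted in the thread (the "[...]" elision is the poster's).
SAMPLE_DMESG='(XEN) Command line: [...] smt=off'
SAMPLE_INFO_IGNORED='threads_per_core : 2'
# Constructed sample of what a host with one thread per core would report.
SAMPLE_INFO_EFFECTIVE='cores_per_socket       : 2
threads_per_core       : 1'

if [ "${1:-}" = --live ]; then
    # In dom0: evaluate the running hypervisor.
    smt_mitigation_status "$(xl dmesg)" "$(xl info)"
else
    # Offline demo on the thread's own output; prints "ignored".
    smt_mitigation_status "$SAMPLE_DMESG" "$SAMPLE_INFO_IGNORED" || true
fi
```

Run with `--live` in dom0 to evaluate the running hypervisor; a non-zero exit status makes it usable as a post-update check.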


Re: [qubes-users] XSA-273 - Impact on Qubes?

2018-08-25 Thread Rusty Bird

'awokd' via qubes-users:
> > Rob Fisher:
> >> what are the best options for a Qubes user right now?
^
> Get Qubes running on non-x86 architectures less prone to
> vulnerabilities!

Don't hold your breath ;)

Rusty


Re: [qubes-users] XSA-273 - Impact on Qubes?

2018-08-25 Thread Rusty Bird

Rob Fisher:
> I'm wondering when we can expect information on the impact of XSA-273 (1) on
> Qubes R4?

I'd guess early next month:
https://groups.google.com/d/msg/qubes-users/Isn_hko7tQs/PcqIuUleEQAJ

> what are the best options for a Qubes user right now?

- Add smt=off as a Xen boot parameter (which disables hyperthreading)
  to make the attack harder?
- If you're worried that some VM might want to steal data from another,
  try not to run both at the same time
- Hole up, have a nice cup of offline and wait for all this to blow over

Rusty


Re: [qubes-users] Proxy VM option missing upon creating a new VM !

2018-08-25 Thread Rusty Bird

odindva0...@gmail.com:
> I am using version R 4.0 and recently decided to set up a new VPN connection.
> But when I try to select the type it is only giving me the AppVM and
> Standalone options, so obviously I can't move forward. I am attaching
> a picture of it so you can see it yourself:
> https://imgur.com/a/xTmpUDX .

Tick the "provides network" box, that's the R4.0 equivalent to ProxyVM
in older Qubes versions.

Rusty


Re: [qubes-users] How to use the raw vchan library - no Qrexec

2018-08-19 Thread Rusty Bird

nicholas roveda:
> I want to experiment a bit with the vchan library and develop a
> program that makes unprivileged VMs communicate without using the
> network and without Qrexec or any Qubes specific framework.

I'd imagine this is supposed to be forbidden (because it would be a
_high-bandwidth_ communication channel between VMs that may not be
intended by the admin to communicate with each other), but I don't
know if it actually is and how.

If only there were qrexec/vchan/grantref Wireshark dissectors. Come to
think of it, that sounds like a splendid GSoC project...

Rusty


Re: [qubes-users] Questions about non-standard services & selective start

2018-08-19 Thread Rusty Bird

trueriver:
> Chris L recently showed me how to touch files in a VM to enable a
> standard service to start, in that case NetworkManager
> 
> https://groups.google.com/forum/#!topic/qubes-users/0_LUn4ha8Jg
> 
> I now want to do something similar with MySQL. I want to install it
> in a template, but have it actually start in only one of the AppVMs
> based on that.
> 
> Exactly what do I need to do in the template to activate the
> "conditionality" of the service start?

Assuming that you want conditional mysql.service startup, you can
create /etc/systemd/system/mysql.service.d/ in the template and save
some .conf file there (e.g. condition.conf) containing:

[Unit]
ConditionPathExists=/var/run/qubes-service/mysql
After=qubes-sysinit.service

Then run 'systemctl enable mysql.service' in the template, shut it
down, and enable the mysql Qubes service (in the Services tab of Qube
Settings for the VM, or by running 'qvm-service --enable thevm mysql'
in a dom0 terminal).

> Secondly, nothing ever shows up in the Qubes Settings tab for
> Services. It looks like it is designed to cover exactly this case,
> but there is never anything there to display or to enable with the
> big friendly green plus sign.
> 
> Is this a bug in Qubes, or a bug in my understanding?

You have to enter it manually. Qubes services don't necessarily relate
to systemd services unless there's some configuration like the above,
e.g. [/usr]/lib/systemd/system/NetworkManager.service.d/30_qubes.conf
which is shipped in Qubes by default.

Rusty
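
Since Qubes service names have to be entered by hand, the names worth entering are whatever the template's unit files test for. An added example (not part of the original post, and not Qubes code) that scans a VM's systemd directories for such conditions; the function names, the sample tree, and the contents of the two non-mysql drop-ins are constructed for illustration:

```python
"""List the Qubes service names that gate systemd units (added example)."""
import re
import tempfile
from pathlib import Path

# Directories holding unit files and <unit>.d/ drop-ins, relative to the VM's root.
UNIT_DIRS = ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system")

# ConditionPathExists=[|][!]/var/run/qubes-service/NAME (also accepts /run/...).
# "!" negates the test, "|" marks a triggering condition.
CONDITION = re.compile(
    r"^\s*ConditionPathExists\s*=\s*(?P<flags>[|!]*)"
    r"(?:/var)?/run/qubes-service/(?P<name>\S+)\s*$"
)


def gated_units(root):
    """Return sorted (unit, qubes_service, negated) tuples found under root."""
    found = set()
    for unit_dir in UNIT_DIRS:
        base = Path(root) / unit_dir
        if not base.is_dir():
            continue
        for conf in base.rglob("*"):
            if not conf.is_file() or conf.suffix not in (".conf", ".service"):
                continue
            # A drop-in lives in <unit>.d/; otherwise the file is the unit itself.
            parent = conf.parent.name
            unit = parent[:-2] if parent.endswith(".d") else conf.name
            for line in conf.read_text(errors="replace").splitlines():
                match = CONDITION.match(line)
                if match:
                    negated = "!" in match.group("flags")
                    found.add((unit, match.group("name"), negated))
    return sorted(found)


def build_sample_tree(root):
    """Constructed sample: the mysql drop-in from the post plus two made-up ones."""
    samples = {
        "etc/systemd/system/mysql.service.d/condition.conf":
            "[Unit]\n"
            "ConditionPathExists=/var/run/qubes-service/mysql\n"
            "After=qubes-sysinit.service\n",
        # File name is from the post; its content here is an assumption.
        "usr/lib/systemd/system/NetworkManager.service.d/30_qubes.conf":
            "[Unit]\n"
            "ConditionPathExists=/var/run/qubes-service/network-manager\n",
        # Hypothetical unit that is skipped when a Qubes service is enabled.
        "etc/systemd/system/example.service.d/skip.conf":
            "[Unit]\n"
            "ConditionPathExists=!/var/run/qubes-service/example-off\n",
    }
    for rel, text in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


def demo():
    """Scan the constructed tree and return what gated_units() reports."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return gated_units(root)


if __name__ == "__main__":
    for unit, service, negated in demo():
        verb = "skipped" if negated else "started"
        print(f"{unit}: {verb} when Qubes service '{service}' is enabled")
```

Run against a template's real root (gated_units("/")), the second column is the list of names that can be enabled per VM with qvm-service.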


Re: [qubes-users] Is Qubes vulnerable to CVE-2018-3620?

2018-08-16 Thread Rusty Bird

Chris Laprise:
> On 08/15/2018 08:40 AM, Rusty Bird wrote:
> > To me as a layman, it looks like Qubes is indeed vulnerable to the
> > XSA-273 data leak, and that fixing it involves
> > 
> > 1. disabling hyperthreading (by adding smt=off to the Xen command line)
> > 2. AND upgrading Intel microcode to 20180807
> 
> On #2, assuming Intel has still abandoned Ivy Bridge and earlier CPUs, I
> wonder if this makes the CoreBoot targeted systems essentially
> unsafe/unusable.

Apparently, there are microcode updates for Ivy Bridge (page 10) and
even Sandy Bridge (page 14):

https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf

> Very bad.

Maybe slightly less so. :)

Rusty


Re: [qubes-users] Is Qubes vulnerable to CVE-2018-3620?

2018-08-16 Thread Rusty Bird

Sphere:
> I have hyperthreading disabled on my BIOS, do I still have to add
> that option to Xen command line?

Disabling it in the BIOS is okay too, according to the XSA.

> By pull request you mean, it's still being grabbed for use and
> installation using qubes-dom0-update right?

Yes, the official microcode package for qubes-dom0-update hasn't been
built/uploaded yet. You could build it yourself with qubes-builder
(after applying the patch from the GitHub pull request), but I think
it's pointless as long as there's no updated Xen package to actually
use the new LD1_FLUSH microcode instruction.

Rusty


Re: [qubes-users] Is Qubes vulnerable to CVE-2018-3620?

2018-08-15 Thread Rusty Bird

Sphere:
> https://www.bleepingcomputer.com/news/security/researchers-disclose-new-foreshadow-l1tf-vulnerabilities-affecting-intel-cpus/
> 
> There are other vulnerabilities disclosed along with this today and
> if possible, I would like to confirm that as well.
> 
> On a side note, I have long disabled Hyperthreading on my machine.

To me as a layman, it looks like Qubes is indeed vulnerable to the
XSA-273 data leak, and that fixing it involves

1. disabling hyperthreading (by adding smt=off to the Xen command line)
2. AND upgrading Intel microcode to 20180807
3. AND upgrading Xen

There's a pull request* for the new microcode package. As for Xen, the
XSA says they're "not supplying separate patches because the changes
have many complicated prerequisites", and their d95b5bb commit on the
staging-4.8 branch is 42 patches ahead of RELEASE-4.8.4... :\

Rusty


* https://github.com/QubesOS/qubes-intel-microcode/pull/2


Re: [qubes-users] What exactly is 'private-cow.img' in appvms?

2018-08-03 Thread Rusty Bird

Rusty Bird:
> Stickstoff:
> > there is documentation about 'root-cow.img' online [1], but nothing
> > about 'private-cow.img'.
> > Am I right to assume that the 'private.img' is the writable part the VM
> > sees, with the changes the VM wrote saved on 'private-cow.img' [...]
> 
> It's kind of the other way around - foo.img stores the most current
> live data for volume foo, and foo-cow.img stores differing old data
> blocks that allow the corresponding device-mapper snapshot* device to
> present a virtual view of the contents of volume foo from the time it
> was snapshotted, i.e. before the live data started to diverge.
> 
> > If [..] I backup only 'private.img' of a running VM
> 
> This would result in inconsistent/damaged data.

To be clear - what I meant by inconsistent is that when the VM is
running, some data blocks in private.img will change while your manual
backup operation is copying that file.

Rusty


> * https://www.kernel.org/doc/Documentation/device-mapper/snapshot.txt


Re: [qubes-users] What exactly is 'private-cow.img' in appvms?

2018-08-03 Thread Rusty Bird

Stickstoff:
> there is documentation about 'root-cow.img' online [1], but nothing
> about 'private-cow.img'.
> Am I right to assume that the 'private.img' is the writable part the VM
> sees, with the changes the VM wrote saved on 'private-cow.img' [...]

It's kind of the other way around - foo.img stores the most current
live data for volume foo, and foo-cow.img stores differing old data
blocks that allow the corresponding device-mapper snapshot* device to
present a virtual view of the contents of volume foo from the time it
was snapshotted, i.e. before the live data started to diverge.

> If [..] I backup only 'private.img' of a running VM

This would result in inconsistent/damaged data.

Rusty


* https://www.kernel.org/doc/Documentation/device-mapper/snapshot.txt
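
A small model of the behaviour described above, added here as an example and not part of the original post or of device-mapper itself: a write saves the old block once to foo-cow.img before changing foo.img, the snapshot view is rebuilt from both files, and a plain copy of foo.img taken while the VM keeps writing ends up as a mix of old and new blocks. Class and function names and the block contents are constructed.

```python
"""Toy model of the foo.img / foo-cow.img relationship (added example)."""


class SnapshotOrigin:
    """foo.img holds live data; foo-cow.img holds blocks as they were at snapshot time."""

    def __init__(self, blocks):
        self.origin = list(blocks)  # foo.img: always the most current data
        self.cow = {}               # foo-cow.img: block index -> old content

    def write(self, index, data):
        # Copy-on-write: save the snapshot-time block once, then overwrite in place.
        if index not in self.cow:
            self.cow[index] = self.origin[index]
        self.origin[index] = data

    def snapshot_view(self):
        # Old block from the COW store if it diverged, else the unchanged live block.
        return [self.cow.get(i, block) for i, block in enumerate(self.origin)]


def copy_while_running(volume, writes):
    """Copy foo.img block by block while the VM keeps writing.

    writes maps "number of blocks copied so far" to the (index, data) writes
    the VM issues at that moment.
    """
    copied = []
    for i in range(len(volume.origin)):
        for index, data in writes.get(i, []):
            volume.write(index, data)
        copied.append(volume.origin[i])
    return copied


def demo():
    """Constructed workload: the VM updates blocks 0 and 3 together mid-copy."""
    before = ["hdr:v1", "a:v1", "b:v1", "c:v1"]
    volume = SnapshotOrigin(before)
    copied = copy_while_running(volume, {2: [(0, "hdr:v2"), (3, "c:v2")]})
    return before, copied, volume.origin, volume.snapshot_view(), volume.cow


if __name__ == "__main__":
    before, copied, live, view, cow = demo()
    print("state at snapshot time :", before)
    print("live foo.img afterwards:", live)
    print("foo-cow.img contents   :", cow)
    print("snapshot view          :", view)
    print("manual copy of foo.img :", copied)
```

The manual copy pairs the old header with the new block 3, a state the volume never had, while the snapshot view still matches the moment the snapshot was taken.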


Re: [qubes-users] sys-usb needs more than default RAM to mount LUKS encrypted backup volume

2018-05-20 Thread Rusty Bird

Bernhard:
> > You shouldn't mount encrypted drives on sys-usb. Use qvm-block to attach
> > the partition to a different VM, then mount it there.
> > 
> This is a good question, I think. Since we distrust sys-usb I agree that we
> should not do the cryptsetup operations in sys-usb. But if you distrust the
> attached device as well (might be safer, right?), one might attach the
> luks-partition (resp. file) first to an intermediate (even temp !) VM,
> luksOpen it in there and re-attach the generated /dev/mapper volumes to the
> destination VM. That way sys-usb is blind to cryptsetup and the
> destination-vm is maximally protected from usb-based attacks. Overkill?

That's basically what Split dm-crypt automates (with even more overkill):
https://github.com/rustybird/qubes-split-dm-crypt

Rusty


Re: [qubes-users] qvm-run blocks Dom0 terminal in R4

2018-03-20 Thread Rusty Bird

Bill Wether:
> In 3.2's dom0, typing
> 
> qvm-run -a work konsole
> 
> returns as soon as the VM has started up and the command has been
> issued.
> 
> In R4, though, the Dom0 terminal just gets stuck--I can get it back
> with ctl-C, but that's pretty inelegant.  I can use setsid, but that
> just disguises the problem since all those bash sessions are still
> there.
> 
> Was this a design choice, is it a bug, or (as so often) pilot error?

Not quite sure. But you can use a lower-level command instead of
qvm-run to get R3.2-like behavior:

$ /usr/lib/qubes/qrexec-client -e -d work 'DEFAULT:konsole'

'-e means exit after sending cmd', in this case konsole for the
default user.

Rusty


Re: [qubes-users] Coreboot + Qubes :: Best Practises / Coreboot docs page

2018-03-18 Thread Rusty Bird

799:
> > $ build/cbfstool build/coreboot.rom add-int -i 0 -n etc/pci-optionrom-exec
> 
> When do I need to run this? After building my Coreboot ROM?

Yes, see payloads/external/SeaBIOS/seabios/docs/Runtime_config.md for
a list of cbfs options.

> Can't this option be included in the Coreboot or SeaBIOS menuconfig?

Looks like CONFIG_OPTIONROMS=n ("BIOS Interfaces" -> "Option ROMS" in
SeaBIOS menuconfig) should be equivalent.

> I am already using the console setting in my grub installation.
> Can I still boot from a USB stick which has graphical boot enabled?

Booting works, but the GRUB screen is invisible. And the Qubes
installer boot screen (isolinux) is somewhat garbled.

> > You might also enjoy HEADS.
> > https://github.com/osresearch/heads
> 
> Thanks, looks very interesting, but as far as I understand I don't need
> Seabios when I am running Heads?
> Is somebody already using heads? From the website it seems that it is not
> that easy to install and maybe still under development?

I think that's all correct. Not sure though, I still haven't tried
HEADS myself yet.

Rusty


Re: [qubes-users] Coreboot + Qubes :: Best Practises / Coreboot docs page

2018-03-17 Thread Rusty Bird

799:
> Seabios or Grub and are there any special options which might make sense?

SeaBIOS is nice. You can build it with CONFIG_SEABIOS_VGA_COREBOOT=y
(might be the default now), and completely disable dynamic loading of
any dubious option ROMs:

$ build/cbfstool build/coreboot.rom add-int -i 0 -n etc/pci-optionrom-exec

That's incompatible with graphical mode GRUB, but you can simply
change GRUB_TERMINAL_OUTPUT from "gfxterm"[1] to "console"[2] in
/etc/default/grub and rerun 'grub2-mkconfig -o /boot/grub2/grub.cfg'.

IMO it actually looks better - no blindingly bright blue light at
night, and fewer font changes during startup. I've been meaning
(forever) to open a pull request to make this the default...

You might also enjoy HEADS[3].

Rusty


1. https://image.ibb.co/jGvCCx/grub_gfxterm.png
2. https://image.ibb.co/mbnsCx/grub_console.png
3. https://github.com/osresearch/heads


Re: [qubes-users] qvm-backup --exclude no longer exluding specified VMs from backup

2018-03-13 Thread Rusty Bird

Xaver:
> After updating system from 4.0-rc4 to rc5 qvm-backup --exclude no
> longer excludes the specified VM from the backup.

I recently broke that. Sorry, and thanks for the bug report!
https://github.com/QubesOS/qubes-core-admin/pull/202

Rusty


Re: [qubes-users] Qubes 4.0 rc4 / Qubes backup doesn't find the directory

2018-02-26 Thread Rusty Bird

ThierryIT:
> When running the Qubes backup, and choosing the newly created folder, I have 
> this error:
> 
> Selected directory do not exists or not a directory

https://github.com/QubesOS/qubes-issues/issues/3594

Rusty


Re: [qubes-users] R4 rc4 Whonix-ws-dvm. Requires repeated tor-browser downloads

2018-02-17 Thread Rusty Bird

sebuq:
> Each time I run the disposable whonix vm [whonix-ws-dvm] I am forced to
> go thro' the long-winded procedure of downloading a new tor-browser
> instance.

The tricky part is that you need to run the updater in whonix-ws-dvm
itself, not in a DispVM based on whonix-ws-dvm (which is what happens
when you select it from the application menu).

Try "qvm-run whonix-ws-dvm 'update-torbrowser --input gui'" in dom0,
then shutdown whonix-ws-dvm and you should be able to start the
updated browser from the application menu.

Rusty


Re: [qubes-users] 4.0-rc3: sys-net not getting updated template OS image?

2018-02-14 Thread Rusty Bird

Steve Coleman:
> Here is the sys-net . I re-wrapped the xml to make it a little
> more readable in email:
> 
>  
>  pool="lvm"
> revisions_to_keep="0"
> size="21474836480"
> snap_on_start="True"
> source="qubes_dom0/vm-fedora-26-net-root"
> vid="qubes_dom0/vm-sys-net-root"/>

Looks good.

> Since it is the template (fedora-26-net) itself that appears to be broken,
> would that not be what needs to be verified?

I had a hunch that somehow the wrong template might have ended up as
the source volume for sys-net's root volume, but apparently not.

Rusty


Re: [qubes-users] 4.0-rc3: sys-net not getting updated template OS image?

2018-02-14 Thread Rusty Bird

Steve Coleman:
> I have a strange situation where my sys-net's software template
> "fedora-26-net" (variant of fedora-minimal) does not appear to be providing
> updated OS images. My sys-net is the only vm using this specific image.

Assuming that sys-net is _not_ a DispVM, maybe this is still somehow
similar to https://github.com/QubesOS/qubes-issues/issues/3576 - can
you search for 'sys-net' in dom0's
/var/lib/qubes/qubes.xml and post the next (i.e. somewhere below that
line) XML '' block?

Rusty


Re: [qubes-users] Qubes 4.0 without IOMMU/VT-d/AMD-Vi or Interrupt Remapping

2018-02-05 Thread Rusty Bird

Utility Panel:
> Can anyone tell me what I might expect without IOMMU/VT-d/AMD-Vi and
> Interrupt Remapping?

https://www.qubes-os.org/faq/#can-i-install-qubes-4x-on-a-system-without-vt-x-or-vt-d

Rusty


Re: [qubes-users] X230 Webcam

2017-12-20 Thread Rusty Bird

Jo:
> I'm trying to pass through to a VM my built-in webcam (X230 with
> coreboot). However, I'm unable to find it in the device list.

It's a USB device (not PCI), so you'd forward it using qvm-usb:
https://www.qubes-os.org/doc/usb/#usage-of-qubes-usb-proxy

Rusty


Re: [qubes-users] Prebuilt Fedora 26 template now available for 3.2

2017-11-19 Thread Rusty Bird

Lorenzo Lamas:
> It was already possible to update your F25 templates to F26, but
> fresh F26 templates are now also available to install. (Both normal
> and minimal)

Just a heads up, to use that version of the _minimal_ template (i.e.
201711170336) as a NetVM/ProxyVM, you'll have to manually install the
iptables package. Or wait just a little longer for probably the next
qubes-core-vm (r3.2) or qubes-core-agent-networking (r4.0) update.

https://github.com/QubesOS/qubes-core-agent-linux/pull/73
https://github.com/QubesOS/qubes-core-agent-linux/pull/74

Rusty


Re: [qubes-users] Anti Evil Maid (AEM) - possible to use text and picture at the same time?

2017-11-09 Thread Rusty Bird

Hi Patrick,

> Got secret.txt as well as secret.png - now it's only showing the image
> at plymouth but no text. Looks like both cannot be combined?

Yes. Image support is intended to be dropped in AEM4 anyway:

https://groups.google.com/forum/#!msg/qubes-devel/PsTA-3m0xA0/0N0c3dFaAgAJ

Rusty


Re: [qubes-users] Anyone disabled the Intel ME yet?

2017-09-18 Thread Rusty Bird

alexclay...@gmail.com:
> Has anyone here successfully disabled the Intel ME yet?
> 
> http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
> 
> I'm hoping a future release of Qubes integrates this into the
> install process for us. Or be downloadable as a package like
> Anti-Evil Maid?

https://github.com/corna/me_cleaner

Rusty


Re: [qubes-users] X230 2325-YBN + Coreboot

2017-08-16 Thread Rusty Bird

Finsh:
> are there by chance any known problems with the X230 2325-YBN + Coreboot with
> Qubes OS?

If it's R3.2 and you're using SeaBIOS, check out the last paragraph of
https://github.com/QubesOS/qubes-issues/issues/2553#issuecomment-284367521

Rusty


[qubes-users] Re: [qubes-devel] Qubes Security Bulletin #32: Xen hypervisor and Linux kernel vulnerabilities (XSA-226 through XSA-230)

2017-08-15 Thread Rusty Bird

Marek Marczykowski-Górecki:
> On Tue, Aug 15, 2017 at 01:59:59PM +, Holger Levsen wrote:
> > So, "sudo qubes-dom0-update" for the first paragraph, and 
> > "sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing" for the 
> > 2nd…
> > (IIRC!)
> 
> Actually:
> sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing

Looks like they ended up in the wrong place:

- r3.2 Xen packages: current-testing
- r3.2 kernel packages: security-testing
- r4.0 packages: not built yet?

Rusty

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20170815144342.GA1617%40mutt.


Re: [qubes-users] Qubes OS 4.0 first release candidate (rc1) has been released!

2017-08-01 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Jean-Philippe Ouellet:
> On Tue, Aug 1, 2017 at 7:02 AM, Rusty Bird  wrote:
> > Zrubi:
> >> So I would really appreciate some statement if Qubes will really drop
> >> KDE support. I can accept that, but then I won't waste my time trying to
> >> make it work. Instead focusing to fix the XFCE issues I have ;)
> >>
> >> - the default login screen is just ugly. I know that this is not the
> >> first priority, and not even a technical issue. But new users will see
> >> that ugly thing first. So it should be a Qubes-skinned one, at least.
> >
> > Or, if the login screen isn't needed anymore (to switch between XFCE
> > and KDE), why not get rid of it entirely:
> >
> > # mkdir /etc/lightdm/lightdm.conf.d
> > # cat >>/etc/lightdm/lightdm.conf.d/99-autologin.conf <<END
> > [SeatDefaults]
> > autologin-user=USERNAME
> > END
> 
> Consider a briefly-unattended laptop protected by only a lock screen.
> 
> Normally the attacker would need a way to kill the X screensaver
> without killing the X session. Would the above make crashing the X
> session (and thus being dropped back to the display manager which
> auto-logs-in) sufficient to gain access?
> 
> If so, this sounds like a bad idea (or at least an argument for
> something like physlock).

Ah, I hadn't thought about that. I've been using physlock since
forever, if only to avoid seeing XScreenSaver's fonts...

Rusty

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20170801175625.GA31472%40mutt.


Re: [qubes-users] Qubes OS 4.0 first release candidate (rc1) has been released!

2017-08-01 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Zrubi:
> So I would really appreciate some statement if Qubes will really drop
> KDE support. I can accept that, but then I won't waste my time trying to
> make it work. Instead focusing to fix the XFCE issues I have ;)
> 
> - the default login screen is just ugly. I know that this is not the
> first priority, and not even a technical issue. But new users will see
> that ugly thing first. So it should be a Qubes-skinned one, at least.

Or, if the login screen isn't needed anymore (to switch between XFCE
and KDE), why not get rid of it entirely:

# mkdir /etc/lightdm/lightdm.conf.d
# cat >>/etc/lightdm/lightdm.conf.d/99-autologin.conf <<END
[SeatDefaults]
autologin-user=USERNAME
END

Re: [qubes-users] Qubes OS 4.0 first release candidate (rc1) has been released!

2017-07-31 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Micah Lee:
> I just installed Qubes 4.0-rc1 on a Lenovo ThinkPad T440 which runs
> Qubes 3.2 without a problem. After installing it, when I boot up, grub
> works, but then as soon as Qubes starts to boot the computer reboots,
> and I end up back in grub.

I ran into the same behavior on a T420. Removing iommu=no-igfx from
the Xen command line fixed it. [1]

If that doesn't help, _adding_ console=vga should let you see what's
going on.

Rusty


1. https://github.com/QubesOS/qubes-issues/issues/2841#issuecomment-318172669

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/2017073134.GA9976%40mutt.


Re: [qubes-users] Soft U2F in Qubes?

2017-07-25 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Micah Lee:
> How hard would it be to build a Qubes version of Soft U2F that stores
> the secret in a separate VM, similar to split gpg? This could make using
> U2F much more usable and secure inside of Qubes, I think.

I suppose the most secure way (which avoids the USB protocol's attack
surface) would be to have the separate VM implement only the "high
level" U2F device, connect it to the browsing VM via qrexec, and then
hook that up to the browser (either by emulating a USB device, or via a
specialized browser extension). Someone could probably do this by
cannibalizing e.g. virtual-u2f [1].

If the website supports TOTP as well, and you're okay with Tor Browser
or Firefox, you may be interested in Split Browser [2]. Its TOTP login
is almost as slick - Ctrl-Shift-Enter to request logging in, Enter to
confirm.

Rusty


1. https://github.com/mplatt/virtual-u2f
2. https://github.com/rustybird/qubes-split-browser

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20170725202954.GB6414%40mutt.


Re: [qubes-users] Proxy for packages

2017-07-16 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Salmiakki:
> Has anybody managed to set up a proxy or mirror of sorts in the
> net-vm or firewall-vm or something similar to avoid downloading all
> the packages several times for updating all the templates?

https://github.com/rustybird/qubes-updates-cache

Rusty

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20170716153131.GA1069%40mutt.


Re: [qubes-users] AEM failure after upgrade

2017-07-14 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

loke...@gmail.com:
> The AEM package was upgraded recently (probably because of this
> thread:
> https://groups.google.com/forum/#!topic/qubes-users/3ZkmS5v7E38),
> and after I installed the updated version, AEM stopped working
> completely.
>
> Now, it asks me for the AEM password. I type it in, and it doesn't
> display my secret message. Instead, it immediately asks me for the
> disk password, and while it boots the system, I see a message
> telling me: "PCR sanity check failed".

Below that, it should say "See /usr/share/doc/anti-evil-maid/README
for details." You can find some hints for debugging there.

> This is the content of the journalctl log:
> 
> Jul 07 16:25:36 dom0 systemd[1]: Starting Anti Evil Maid sealing...
> Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: tpm_z_srk: detecting whether 
> SRK is password protected
> Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: Tspi_Key_CreateKey failed: 
> 0x0001 - layer=tpm, code=0001 (1), Authentication failed
> Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: tpm_z_srk: yes, SRK is 
> password protected; resetting dictionary attack lock...
> Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: PCR-17: FF FF FF FF FF FF FF 
> FF FF FF FF FF FF FF FF FF FF FF FF FF
> Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: PCR-18: FF FF FF FF FF FF FF 
> FF FF FF FF FF FF FF FF FF FF FF FF FF
> Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: PCR-19: FF FF FF FF FF FF FF 
> FF FF FF FF FF FF FF FF FF FF FF FF FF
> Jul 07 16:25:39 dom0 systemd[1]: anti-evil-maid-seal.service: Main process 
> exited, code=exited, status=1/FAILURE

Looks like tboot/SINIT is not working correctly on your system. The
new AEM version refuses to seal in this situation, so that you don't
get a false sense of security.

Rusty

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170714131232.GA5546%40mutt.
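
Added example (not part of the thread and not anti-evil-maid's own code): a shell function that reads anti-evil-maid-seal journal lines like the ones quoted above and reports PCR 17-19 values that carry no measurement. On a TPM 1.2 these registers read all-FF until a tboot/SINIT measured launch resets and extends them, which is the state the log shows; the function names, the all-00 check and the second sample log are assumptions of this example.

```shell
#!/bin/sh
# Added example (not anti-evil-maid's own code): flag DRTM PCRs 17-19 that
# carry no real measurement, from anti-evil-maid-seal journal lines on stdin.
# Prints "PCR-<n> <reason>" per problem; returns 0 only if all three look measured.
check_drtm_pcrs() {
    awk '
        match($0, /PCR-1[789]: /) {
            idx = substr($0, RSTART + 4, 2)        # "17", "18" or "19"
            hex = toupper(substr($0, RSTART + RLENGTH))
            gsub(/[ \t\r]/, "", hex)               # join the space-separated bytes
            if (length(hex) != 40 || hex !~ /^[0-9A-F]+$/)
                state[idx] = "malformed (expected 20 hex bytes)"
            else if (hex ~ /^F+$/)
                state[idx] = "all-FF (never reset, no measured launch)"
            else if (hex ~ /^0+$/)
                state[idx] = "all-00 (reset but nothing extended)"
            else
                state[idx] = "ok"                  # last occurrence in the log wins
        }
        END {
            rc = 0
            for (i = 17; i <= 19; i++) {
                if (!(i in state))         { print "PCR-" i " missing from log"; rc = 1 }
                else if (state[i] != "ok") { print "PCR-" i " " state[i]; rc = 1 }
            }
            exit rc
        }'
}

# PCR lines from the log in the thread, with the mail line wrapping undone.
sample_failed_log() {
    cat <<'EOF'
Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: PCR-17: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: PCR-18: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: PCR-19: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
EOF
}

# Constructed values (not from a real machine) standing in for a working launch.
sample_measured_log() {
    cat <<'EOF'
Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: PCR-17: 3A 7C 01 9E 55 B2 48 D0 6F 13 A4 E8 27 9B C5 70 0D 62 F1 84
Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: PCR-18: 91 0E 4D B7 2C 66 F3 18 A0 5B 7E C2 39 84 1F D6 4A 73 08 EC
Jul 07 16:25:39 dom0 anti-evil-maid-seal[1982]: PCR-19: 5D E2 17 8A 40 BC 93 2F 6E 01 D8 75 CA 34 9F 60 B1 2D 87 F6
EOF
}

# Demo on the thread's log; on a live system the input would come from
# the journal of anti-evil-maid-seal.service instead.
sample_failed_log | check_drtm_pcrs ||
    echo "DRTM PCRs not measured: check tboot/SINIT before trusting a seal"
```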


Re: [qubes-users] How can I test that my AEM configuration is correct?

2017-06-29 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

loke...@gmail.com:
> Yesterday, I installed a new dom0 update which included an updated
> kernel package. I was expecting to see an AEM error when I rebooted,
> but that never happened.

I'm guessing you've installed anti-evil-maid v3.0.4? You could retry
with v3.0.5 from the dom0 current-testing repository, which runs a
sanity check on your PCR values. See the README in case this check
fails.

CCing Marek - should v3.0.5 be migrated to current?

Rusty

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20170629153038.GA12491%40mutt.


Re: [qubes-users] Qubes and USB Ethernet adapter

2017-06-19 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Rusty Bird:
> Swâmi Petaramesh:
> > I have a new Asus laptop which comes with no integrated Ethernet, but an
> > USB Gigabit Ethernet adapter.
> > 
> > I wonder if this will be compatible with Qubes' Net VM, or if I will
> > need to allocate the complete USB controller to the net VM - which would
> > be extremely annoying to me...
> 
> You could use qvm-usb to attach just the one USB device to sys-net.
> This would have to be done after every boot (either manually or by a
> script):
> 
> $ qvm-usb --attach sys-net sys-usb:
> 
> Or you could switch sys-firewall's netvm from sys-net to sys-usb -
> which is possible because sys-usb's VM type is NetVM - and enable
> Network Manager in sys-usb:
> 
> $ qvm-prefs --set sys-firewall netvm sys-usb
> $ qvm-service --enable sys-usb network-manager  # then restart sys-usb

Actually, run the qvm-prefs command _after_ restarting sys-usb

Rusty

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20170619175241.GB14566%40mutt.


Re: [qubes-users] Qubes and USB Ethernet adapter

2017-06-19 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Swâmi Petaramesh:
> I have a new Asus laptop which comes with no integrated Ethernet, but an
> USB Gigabit Ethernet adapter.
> 
> I wonder if this will be compatible with Qubes' Net VM, or if I will
> need to allocate the complete USB controller to the net VM - which would
> be extremely annoying to me...

You could use qvm-usb to attach just the one USB device to sys-net.
This would have to be done after every boot (either manually or by a
script):

$ qvm-usb --attach sys-net sys-usb:

Or you could switch sys-firewall's netvm from sys-net to sys-usb -
which is possible because sys-usb's VM type is NetVM - and enable
Network Manager in sys-usb:

$ qvm-prefs --set sys-firewall netvm sys-usb
$ qvm-service --enable sys-usb network-manager  # then restart sys-usb

Rusty

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20170619174548.GA14566%40mutt.


[qubes-users] Re: [qubes-devel] AEM: Should we drop .png support?

2017-06-18 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Marek Marczykowski-Górecki:
> I think PNG support is a nice half-measure against shoulder surfing -
> details on the image are harder to copy/remember (or even photograph
> with a small camera), than some text.

You're right, it is better. I hadn't considered that the user can
manually clear the image from screen as soon as they've recognized it,
simply by pressing Esc to switch to text mode.

> When we get some better alternative, we can drop PNG.

Sounds good.

Rusty

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20170618191620.GA8291%40mutt.


Re: [qubes-users] Bug in qubes-backup or tar?

2017-06-17 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

svenssona...@gmail.com:
> Emergency recovery of backups as described in
> https://www.qubes-os.org/doc/backup-emergency-restore-v3/ states
> that tar should be able to unpack a qubes backup file.
> 
> [...]
> tar tvf bu/qubes-*
> # Shows only backup-header, size 94 bytes, no other file.
> # Extracting the tar file produces only backup-header.
> # However, the tar file has size 563200 bytes.

The -i (--ignore-zeros) parameter is missing in the tar command.

Rusty

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170617110109.GA32654%40mutt.
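
Added example (not part of the thread or of the Qubes tools): the symptom above, reproduced on constructed data. When several tar archives sit back to back in one file, tar stops listing at the first end-of-archive marker (blocks of zeros) unless --ignore-zeros (-i) is given; the stand-in file layout and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: why listing or extracting needs tar -i (--ignore-zeros)
# when one file holds several tar archives written one after another.
# All file names and contents below are constructed for the demonstration.

# $1 = work directory; writes $1/backup as three concatenated archives.
make_concatenated_archive() {
    dir=$1
    mkdir -p "$dir/src"
    printf 'constructed header\n'    >"$dir/src/backup-header"
    printf 'constructed payload 0\n' >"$dir/src/chunk.000"
    printf 'constructed payload 1\n' >"$dir/src/chunk.001"
    : >"$dir/backup"
    for f in backup-header chunk.000 chunk.001; do
        # Each tar run ends its output with an end-of-archive marker
        # (zero blocks), so the next archive starts after a run of zeros.
        tar -C "$dir/src" -cf - "$f" >>"$dir/backup"
    done
}

# $1 = archive, further arguments = extra tar options.
# Prints how many members tar is able to see.
count_members() {
    archive=$1
    shift
    tar "$@" -tf "$archive" 2>/dev/null | wc -l | tr -d ' '
}

demo_dir=$(mktemp -d)
make_concatenated_archive "$demo_dir"
# Without the option, tar stops at the first end-of-archive marker.
echo "without --ignore-zeros: $(count_members "$demo_dir/backup") member(s)"
# With it, the zero blocks between archives are skipped and reading continues.
echo "with    --ignore-zeros: $(count_members "$demo_dir/backup" --ignore-zeros) member(s)"
rm -rf "$demo_dir"
```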


[qubes-users] AEM: Should we drop .png support?

2017-06-16 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi everyone,

What do you think about getting rid [1] of .png image secret support in
the next major version of Anti Evil Maid? This would offset some of the
increase in complexity incurred by the upcoming TOTP/keyfile support, in
addition to other benefits:

- Considering that AEM is a security oriented feature, it's kind of bad
  to implicitly encourage the user to copy a complex image format from
  some VM to dom0 - where it will be parsed during boot. (It would be
  possible to build something [2] secure using the qubes.GetImageRGBA
  RPC service, but I don't know if anyone's particularly interested in
  working on that.)

- .png support is hacky and weird: We show text secrets in the current
  dialog, but images appear in the *next* dialog. And text secrets are
  cleared from the screen as soon as possible, whereas image secrets
  stay visible until Plymouth finishes.

For users who prefer the more visual approach, we could tweak the
Plymouth theme to use a monospace font for text secrets. That should
make ASCII art a viable replacement for conventional images.

Rusty


1. 
https://github.com/rustybird/qubes-antievilmaid/commit/4e45af289d0e651a380f3182cb07901a3002905f

2. Similar to the WIP dom0 wallpaper service:
   https://github.com/QubesOS/qubes-issues/issues/215

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20170616134725.GA31534%40mutt.


Re: [qubes-users] anaconda échec

2017-05-10 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

patrice9...@gmail.com:
> I can't install qubes os, I get this
> https://up2sha.re/file?f=2CrDDrQyfcDv failure.

See https://github.com/QubesOS/qubes-issues/issues/2246

Rusty

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20170510124614.GA8660%40mutt.


Re: [qubes-users] Checking laptop compatibility using boot from USB drive

2017-05-05 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Vít Šesták:
> I'll probably have an opportunity to verify some laptop's
> compatibility. My idea is to boot Qubes OS or its installer from USB
> and then to do some checks (most notably VT-d compatibility and USB
> controller topology). It should be something done in reasonable time
> and without installing QubesOS on the machine. How should I do that?
> 
> [...]
> c. Install QubesOS on USB stick (and disable usbvm) and boot it. I
> am not sure if this will work when QubesOS is booted on a different
> hardware than it was installed with. I see some potential
> incompatibilities, e.g., wrong PCI device ids assigned to sys-net or
> too high vCPU count assigned to a VM (target laptop has fewer CPU
> cores) or addresses in fstab/crypttab. While the mentioned issues
> seem to be manageable (remove all PCI devices and fix vCPU count if
> it is too high and check fstab/crypttab), I am not sure if they are
> exhaustive. Maybe this will work well. (After all, I just need dom0
> to boot, not other VMs.)

dom0 should work alright if you switch dracut to no-hostonly mode,
which (mainly) adds all available kernel modules to the initrd:

# echo 'hostonly="no"' >/etc/dracut.conf.d/no-hostonly.conf
# dracut --regenerate-all --force

Rusty

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20170506004248.GB1150%40mutt.


Re: [qubes-users] qvm-usb -a works on old phone, hangs on new phone

2017-05-05 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Jarle Thorsen:
> Connecting an old Samsung Galaxy S3 phone to my app-vm using
> "qvm-usb -a" works just fine. I can connect to the phone via adb in
> the appvm.
> 
> Trying to connect a new Samsung Galaxy S7 Edge the same way, the
> "qvm-usb -a" command just hangs without finishing.

That's https://github.com/QubesOS/qubes-issues/issues/2202

Rusty

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20170505122951.GA1150%40mutt.


Re: [qubes-users] Auto update download in Linux

2017-05-01 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Drew White:
> On Wednesday, 26 April 2017 11:05:43 UTC+10, Rusty Bird  wrote:
> > Rusty Bird:
> > > Drew White:
> > > > On Tuesday, 25 April 2017 07:51:46 UTC+10, Unman  wrote:
> > > > > I think the only way to get a caching proxy is to install your own - I
> > > > > use apt-cacher-ng, but I'm mainly Debian.
> > > > But the UpdateVM is supposed to do that.
> > > 
> > > No, that's a non-caching proxy.
> > 
> > Sorry, I shouldn't mix these up: The "UpdateVM" proxies _dom0_
> > updates. It doesn't necessarily run an instance of the (completely
> > different) "Updates Proxy" for VM updates. But anyway, the latter is
> > non-caching.
> 
> Well, if I don't give the guest access to the internet by restricting 
> firewall, and I tell it to "Allow connections to Updates Proxy", why doesn't 
> that do what it says it will do?

But it does! Maybe you expect proxying to imply caching, which is not
necessarily the case. The Updates Proxy is one of many non-caching
proxies.

Rusty

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20170501125459.GA14080%40mutt.


Re: [qubes-users] Auto update download in Linux

2017-04-25 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Rusty Bird:
> Drew White:
> > On Tuesday, 25 April 2017 07:51:46 UTC+10, Unman  wrote:
> > > I seem to recall that Fedora has such a service, but I don't think it's
> > > enabled in a default template.
> > It is enabled by default, and I asked somewhere how to disable it ages ago, 
> > but I can't find that information any more. 
> 
> sudo dnf remove PackageKit-command-not-found
>  
> > > I think the only way to get a caching proxy is to install your own - I
> > > use apt-cacher-ng, but I'm mainly Debian.
> > But the UpdateVM is supposed to do that.
> 
> No, that's a non-caching proxy.

Sorry, I shouldn't mix these up: The "UpdateVM" proxies _dom0_
updates. It doesn't necessarily run an instance of the (completely
different) "Updates Proxy" for VM updates. But anyway, the latter is
non-caching.

Rusty

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20170426010416.GB17877%40mutt.


Re: [qubes-users] Auto update download in Linux

2017-04-25 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Drew White:
> On Tuesday, 25 April 2017 07:51:46 UTC+10, Unman  wrote:
> > I seem to recall that Fedora has such a service, but I don't think it's
> > enabled in a default template.
> It is enabled by default, and I asked somewhere how to disable it ages ago, 
> but I can't find that information any more. 

sudo dnf remove PackageKit-command-not-found
 
> > I think the only way to get a caching proxy is to install your own - I
> > use apt-cacher-ng, but I'm mainly Debian.
> But the UpdateVM is supposed to do that.

No, that's a non-caching proxy.

Rusty

To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/20170425145342.GA17877%40mutt.


Re: [qubes-users] Re: [R2B2] Unable to choose sound source (mic)

2017-03-08 Thread Rusty Bird
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

peter.palen...@gmail.com:
> On Saturday, October 12, 2013 at 3:51:51 AM UTC+2, Marek Marczykowski-Górecki 
> wrote:
> > On 12.10.2013 03:22, Franz wrote:
> > > I would like to launch skype with a .sh file from dom0 but I am not able 
> > > to
> > > find the command to attach the microphone to the AppVM. Is there such a
> > > command?
> > 
> > This is doable with dbus-send. Don't remember details, but sth like this:
> > dbus-send --session --dest=org.QubesOS.Audio. --type=method_call
> > /org/qubesos/audio/ org.freedesktop.DBus.Property.Set
> > string:org.QubesOS.Audio string:RecAllowed variant:boolean:true
> 
> I tried that, but it did not work. Can you check for a typo or so?

The object path is "/org/qubesos/audio", not "/org/qubesos/audio/".

https://github.com/rustybird/qubes-stuff/blob/master/dom0/bin/qvm-microphone

Rusty
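Why the trailing slash in the message above matters, as an added example that is not part of the original thread: the D-Bus specification only lets the root path "/" end in a slash, so "/org/qubesos/audio/" is rejected as a malformed object path. The function name `dbus_object_path_problem` and the sample paths beyond the two quoted in the thread are made up for this illustration.

```shell
#!/bin/sh
# Added example: check a D-Bus object path against the D-Bus specification's
# syntax rules before handing it to dbus-send.
LC_ALL=C; export LC_ALL   # keep the bracket ranges below ASCII-only

# Prints the reason a path is invalid and returns 1; prints nothing and
# returns 0 when the path is well-formed.
dbus_object_path_problem() {
    case $1 in
        '')  echo "empty path"; return 1 ;;
        /)   return 0 ;;   # the root path is the only one that may end in '/'
        /*)  ;;            # every other path must at least start with '/'
        *)   echo "does not start with /"; return 1 ;;
    esac
    case $1 in
        */)               echo "trailing slash"; return 1 ;;
        *//*)             echo "empty element"; return 1 ;;
        *[!A-Za-z0-9_/]*) echo "character outside [A-Za-z0-9_]"; return 1 ;;
    esac
    return 0
}

# Constructed sample paths; the first two are the ones from the thread.
for p in /org/qubesos/audio /org/qubesos/audio/ / org/qubesos/audio \
         /org//audio /org/qubes-os/audio; do
    if reason=$(dbus_object_path_problem "$p"); then
        printf '%-22s ok\n' "$p"
    else
        printf '%-22s INVALID: %s\n' "$p" "$reason"
    fi
done
```

Running the check in a dom0 wrapper script before calling dbus-send turns a silent "did not work" into a specific error message.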


Re: [qubes-users] Assigning microphone to AppVM from terminal

2017-03-06 Thread Rusty Bird

Fabrizio Romano Genovese:
> I've built a little toggle script to automatically attach/detach my camera to 
> an appvm. For the sake of completeness, I'd like to do the same for the 
> internal microphone.

https://github.com/rustybird/qubes-stuff/blob/master/dom0/bin/qvm-microphone

Rusty


Re: [qubes-users] Problems installing on device running Coreboot

2017-03-06 Thread Rusty Bird

Duncan:
> Coreboot was configured as follows: SeaBIOS as primary payload [...]
> 
> The behavior of trying to boot a stock Qubes install that was installed
> using the installer booted by Coreboot, is that selecting the SSD to
> boot from just seems to result in hanging.

It's a SeaBIOS-related installer bug, see the last paragraph of
https://github.com/QubesOS/qubes-issues/issues/2553#issuecomment-284367521
for a workaround.

Rusty

