diff --git a/user/advanced-topics/bind-dirs.md b/user/advanced-topics/bind-dirs.md index 37c26409..07c470b4 100644 --- a/user/advanced-topics/bind-dirs.md +++ b/user/advanced-topics/bind-dirs.md @@ -110,7 +110,8 @@ binds=( "${binds[@]/'/var/lib/tor'}" ) ## Custom persist feature ## -Custom persist is an optional advanced feature allowing the creation of minimal state AppVM. The purpose of such an AppVM is to avoid unwanted data to persist as much as possible by the disabling the ability to configure persistence from the VM itself. When enabled, the following happens: +Custom persist is an optional advanced feature allowing the creation of minimal state AppVM. The purpose of such an AppVM is to avoid unwanted data to persist as much as possible by disabling the ability to configure persistence from the VM itself. When enabled, the following happens: + * ``/rw/config/rc.local`` is no longer executed * ``/rw/config/qubes-firewall-user-script`` is ignored * ``/rw/config/suspend-module-blacklist`` is ignored diff --git a/user/advanced-topics/volume-backup-revert.md b/user/advanced-topics/volume-backup-revert.md index f06f1ca8..4a39334a 100644 --- a/user/advanced-topics/volume-backup-revert.md +++ b/user/advanced-topics/volume-backup-revert.md 
@@ -17,13 +17,13 @@ shutdown. (Note that this is a different, lower level activity than the In Qubes, when you create a new VM, it's volumes are stored in one of the system's [Storage Pools](/doc/storage-pools/). On pool creation, a -revisions_to_keep default value is set for the entire pool. (For a pool creation +`revisions_to_keep` default value is set for the entire pool. (For a pool creation example, see [Storing app qubes on Secondary Drives](/doc/secondary-storage/).) Thereafter, each volume associated with a VM that is stored in this pool -inherits the pool default revisions_to_keep. +inherits the pool default `revisions_to_keep`. -For the private volume associated with a VM named vmname, you may inspect the -value of revisions_to_keep from the dom0 CLI as follows: +For the private volume associated with a VM named *vmname*, you may inspect the +value of `revisions_to_keep` from the dom0 CLI as follows: ``` qvm-volume info vmname:private @@ -31,11 +31,11 @@ qvm-volume info vmname:private The output of the above command will also display the "Available revisions (for revert)" at the bottom. For a very large volume in a small pool, -revisions_to_keep should probably be set to the maximum value of 1 to minimize +`revisions_to_keep` should probably be set to the maximum value of 1 to minimize the possibility of the pool being accidentally filled up by snapshots. For a smaller volume for which you would like to have the future option of reverting, -revisions_to_keep should probably be set to at least 2. To set -revisions_to_keep for this same VM / volume example: +`revisions_to_keep` should probably be set to at least 2. To set +`revisions_to_keep` for this same VM / volume example: ``` qvm-volume config vmname:private revisions_to_keep 2 diff --git a/user/templates/windows/qubes-windows-tools-4-1.md b/user/templates/windows/qubes-windows-tools-4-1.md index 8bf82841..c5fd23aa 100644 --- a/user/templates/windows/qubes-windows-tools-4-1.md 
+++ b/user/templates/windows/qubes-windows-tools-4-1.md @@ -42,7 +42,7 @@ If you prefer to download the corresponding .rpm files for manual QWT installati **Note**: If you choose to move profiles, drive letter `Q:` must be assigned to the secondary (private) disk. -**Note**: Xen PV disk drivers are not installed by default. This is because they seem to cause problems (BSOD = Blue Screen Of Death). We're working with upstream devs to fix this. *However*, the BSOD seems to only occur after the first boot and everything works fine after that. **Enable the drivers at your own risk** of course, but we welcome reports of success/failure in any case (backup your VM first!). With disk PV drivers absent `qvm-block` will not work for the VM, but you can still use standard Qubes inter-VM file copying mechanisms. On the other hand, the Xen PV drivers allow USB device access even without QWT installation if `qvm-features stubdom-qrexec` is set as `1` +**Note**: Xen PV disk drivers are not installed by default. This is because they seem to cause problems (BSOD = Blue Screen Of Death). We're working with upstream devs to fix this. *However*, the BSOD seems to only occur after the first boot and everything works fine after that. **Enable the drivers at your own risk** of course, but we welcome reports of success/failure in any case (backup your VM first!). With disk PV drivers absent `qvm-block` will not work for the VM, but you can still use standard Qubes inter-VM file copying mechanisms. On the other hand, the Xen PV drivers allow USB device access even without QWT installation if `qvm-features stubdom-qrexec` is set as `1`. Below is a breakdown of the feature availability depending on the windows version: 
@@ -76,7 +76,7 @@ Qubes Windows Tools are open source and are distributed under a GPL license. 2. In the command prompt type `bcdedit /set testsigning on` 3. Reboot your Windows VM -In the future this step will not be necessary anymore, because we will sign our drivers with a publicly verifiable certificate. However, it should be noted that even now, the fact that those drivers are not digitally signed, this doesn't affect security of the Windows VM in 'any' way. This is because the actual installation `iso` file can be verified as described in step 3 below. The only downside of those drivers not being signed is the inconvenience to the user that he or she must disable the signature enforcement policy before installing the tools. +In the future this step will not be necessary anymore, because we will sign our drivers with a publicly verifiable certificate. However, it should be noted that even, given the fact that those drivers are not digitally signed, this doesn't affect security of the Windows VM in 'any' way. This is because the actual installation `iso` file can be verified as described in step 3 below. The only downside of those drivers not being signed is the inconvenience to the user that he or she must disable the signature enforcement policy before installing the tools. The Xen PV Drivers bundled with QWT are signed by a Linux Foundation certificate. Thus Windows 10 and 11 do not require this security mitigation. 
@@ -126,33 +126,40 @@ Installing the Qubes Windows Tools on Windows 7, 8.1, 10 and 11 both as a Standa 4. Install Qubes Windows Tools by starting `qubes-tools-x64.msi` (logged in as administrator), optionally selecting the `Xen PV disk drivers`. For installation in a template, you should select `Move user profiles`. - [![QWT_install_select](/attachment/doc/QWT_install_select.png)](/attachment/doc/QWT_install_select.png) + [![QWT_install_select](/attachment/doc/QWT_install_select.png)](/attachment/doc/QWT_install_select.png) - Several times, Windows security may ask for confirmation of driver installation. Driver installation has to be allowed; otherwise the installation of Qubes Windows Tools will abort. + Several times, Windows security may ask for confirmation of driver installation. Driver installation has to be allowed; otherwise the installation of Qubes Windows Tools will abort. - [![QWT_install_driver](/attachment/doc/QWT_install_driver.png)](/attachment/doc/QWT_install_driver.png) + [![QWT_install_driver](/attachment/doc/QWT_install_driver.png)](/attachment/doc/QWT_install_driver.png) - If during installation, the Xen driver requests a reboot, select "No" and let the installation continue - the system will be rebooted later. + If during installation, the Xen driver requests a reboot, select "No" and let the installation continue - the system will be rebooted later. - [![QWT_install_no_restart](/attachment/doc/QWT_install_no_restart.png)](/attachment/doc/QWT_install_no_restart.png) + [![QWT_install_no_restart](/attachment/doc/QWT_install_no_restart.png)](/attachment/doc/QWT_install_no_restart.png) 5. After successful installation, the Windows VM must be shut down and started again, possibly a couple of times. On each shutdown, wait until the VM is really stopped, i.e. Qubes shows no more activity. 6. 
Qubes will automatically detect that the tools have been installed in the VM and will set appropriate properties for the VM, such as `qrexec_installed`, `guiagent_installed`, and `default_user`. This can be verified (but is not required) using the `qvm-prefs` command *(where* `` *is the name of your Windows VM)*: - [user@dom0 ~] $ qvm-prefs + + ``` + [user@dom0 ~] $ qvm-prefs + ``` It is advisable to set some other parameters in order to enable audio and USB block device access, synchronize the Windows clock with the Qubes clock, and so on: - [user@dom0 ~] $ qvm-features audio-model ich9 - [user@dom0 ~] $ qvm-features stubdom-qrexec 1 - [user@dom0 ~] $ qvm-features timezone localtime + ``` + [user@dom0 ~] $ qvm-features audio-model ich9 + [user@dom0 ~] $ qvm-features stubdom-qrexec 1 + [user@dom0 ~] $ qvm-features timezone localtime + ``` - For audio, the parameter `audio-model`can be selected as `ich6` or `ich9`; select the value that gives the best audio quality. Audio quality may also be improved by setting the following parameters, but this can depend on the Windows version and on your hardware: - - [user@dom0 ~] $ qvm-features timer-period 1000 - [user@dom0 ~] $ qvm-features out.latency 10000 - [user@dom0 ~] $ qvm-features out.buffer-length 4000 + For audio, the parameter `audio-model` can be selected as `ich6` or `ich9`; select the value that gives the best audio quality. Audio quality may also be improved by setting the following parameters, but this can depend on the Windows version and on your hardware: + + ``` + [user@dom0 ~] $ qvm-features timer-period 1000 + [user@dom0 ~] $ qvm-features out.latency 10000 + [user@dom0 ~] $ qvm-features out.buffer-length 4000 + ``` With the value `localtime` the dom0 `timezone` will be provided to virtual hardware, effectively setting the Windows clock to that of Qubes. With a digit value (negative or positive) the guest clock will have an offset (in seconds) applied relative to UTC. 
@@ -171,16 +178,11 @@ Installing the Qubes Windows Tools on Windows 7, 8.1, 10 and 11 both as a Standa - Terminate the registry editor. After the next boot, the VM will start in seamless mode. - If Windows is used in a TemplateVM / AppVM combination, this registry fix has to be applied to the TemplateVM, as the `HKLM` registry key belongs to the template-based part of the registry. - 10. Lastly to enable file copy operations to a Windows VM, the `default_user` property of this VM should be set to the `` that you use to login to the Windows VM. This can be done via the following command on a `dom0` terminal: *(where* `` *is the name of your Windows VM)* - - `[user@dom0 ~] $ qvm-prefs default_user ` + 10. Lastly to enable file copy operations to a Windows VM, the `default_user` property of this VM should be set to the `` that you use to login to the Windows VM. This can be done via the following command on a `dom0` terminal: `[user@dom0 ~] $ qvm-prefs default_user ` *(where* `` *is the name of your Windows VM)*. - **Warning:** If this property is not set or set to a wrong value, files copied to this VM are stored in the folder - - C:\Windows\System32\config\systemprofile\Documents\QubesIncoming\ + **Warning:** If this property is not set or set to a wrong value, files copied to this VM are stored in the folder `C:\Windows\System32\config\systemprofile\Documents\QubesIncoming\`. If the target VM is an AppVM, this has the consequence that the files are stored in the corresponding TemplateVM and so are lost on AppVM shutdown.
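Review bot: In user/advanced-topics/bind-dirs.md (hunk at line 110), the rewritten "Custom persist" sentence still has two grammar problems besides the removed "the": "the creation of minimal state AppVM" lacks an article, and "to avoid unwanted data to persist" is not idiomatic. Suggest "allowing the creation of a minimal-state AppVM" and "to keep unwanted data from persisting as much as possible by disabling the ability to configure persistence from the VM itself".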
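Review bot: In user/advanced-topics/volume-backup-revert.md (first hunk, line 17), the context line "when you create a new VM, it's volumes are stored" uses "it's" where the possessive "its" is meant; the hunk already touches this paragraph, so fix it in the same change. The prose now italicises *vmname* while the command keeps the literal `vmname:private`, so a few words saying that vmname in the command is to be replaced with the actual VM name would keep the two consistent.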
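Review bot: In user/advanced-topics/volume-backup-revert.md (second hunk, line 31), "`revisions_to_keep` should probably be set to the maximum value of 1" is ambiguous: it reads as if 1 were the upper limit of the setting, yet the next sentence recommends "at least 2". If the intent is a recommended ceiling for large volumes in small pools, say "set to no more than 1"; the code formatting change does not address this.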
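Review bot: In user/templates/windows/qubes-windows-tools-4-1.md (hunk at line 42), the sentence that gains the final period still says "if `qvm-features stubdom-qrexec` is set as `1`", which presents the command plus feature name as the thing being set. Suggest "if the `stubdom-qrexec` feature is set to `1` using `qvm-features`". In the same lines, "backup your VM first" should be "back up your VM first", and the following context line should read "Windows version" rather than "windows version".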
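Review bot: In user/templates/windows/qubes-windows-tools-4-1.md (hunk at line 76), the replacement text "it should be noted that even, given the fact that those drivers are not digitally signed, this doesn't affect security" is still ungrammatical. Suggest "However, the fact that those drivers are not digitally signed does not affect the security of the Windows VM in any way", dropping the quotes around 'any'. The following context line calls the `bcdedit /set testsigning on` step a "security mitigation", although the paragraph itself describes it as disabling the signature enforcement policy; "workaround" would match what the step does. Also check that "step 3 below" still points at the ISO verification step.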
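Review bot: In user/templates/windows/qubes-windows-tools-4-1.md (hunk at line 126), the newly fenced commands carry no VM name as shown here (`qvm-prefs` on its own, `qvm-features audio-model ich9`), and the sentence "where `` is the name of your Windows VM" has an empty code span, so the reader cannot tell where the VM name goes. Write the placeholder in a form that survives rendering and include it in every fenced command. As a style point, the fences keep the `[user@dom0 ~] $` prompt inside the block, which makes the lines awkward to copy; consider dropping the prompt now that the commands are fenced.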
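Review bot: In user/templates/windows/qubes-windows-tools-4-1.md (hunk at line 171), step 10 now folds the command into the sentence as inline code (`[user@dom0 ~] $ qvm-prefs default_user `), while the previous hunk moves every other dom0 command into a fenced block; use a fence here too for consistency. The placeholders for the user name and the VM name are empty code spans in this step as well, which matters here because the warning says a wrong `default_user` sends copied files to `C:\Windows\System32\config\systemprofile\Documents\QubesIncoming\`. Minor wording: "Lastly, to enable" needs the comma and "login to" should be "log in to".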