From b84107ce7977bd3bab441924eebc797a24d4b123 Mon Sep 17 00:00:00 2001
From: Fidel Ramos <haplo@users.noreply.github.com>
Date: Tue, 16 Oct 2018 19:01:41 +0000
Subject: [PATCH 1/4] Document Split GPG error

Split GPG doesn't work when the private key is protected by a passphrase in the
GPG backend. It took me a couple hours to find the problem and how to fix it,
first because the ioctl error is not common and then because of the
pinentry-ncurses limitation. I'm hoping that future users that search for "qubes
gpg ioctl error" will find this information.
---
 security/split-gpg.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/security/split-gpg.md b/security/split-gpg.md
index 9a2bd6d5..def1210b 100644
--- a/security/split-gpg.md
+++ b/security/split-gpg.md
@@ -74,6 +74,14 @@ signed before the operation gets approved. Perhaps the GPG backend domain
 could start a Disposable VM and have the to-be-signed document displayed
 there? To Be Determined.
 
+- The Split GPG client will fail to sign or encrypt if the private key in the
+GnuPG backend is protected by a passphrase, it will give a *"Inappropriate ioctl
+for device"* error. Avoid setting passphrases for the private keys in the GPG
+backend domain, it won't provide extra security anyway, if an attacker gains
+access to it they will likely be able to get the passphrase too. If you have a
+private key that already has a passphrase set use `gpg2 --edit-key <key_id>`,
+then `passwd`. Be aware that `pinentry-ncurses` doesn't allow setting empty
+passphrases, so you would need to install `pinentry-gtk`.
 
 ## Configuring Split GPG ##
 

From e3d7908100bd771419c027861d453a89c8c30bca Mon Sep 17 00:00:00 2001
From: Fidel Ramos <haplo@users.noreply.github.com>
Date: Sat, 20 Oct 2018 19:28:29 +0000
Subject: [PATCH 2/4] Reorganize mentions to passphrases in Split GPG

I added a mention about the limitation regarding passphrase-protected GPG keys
in the *Setting up the GPG backend domain* section, which is the one that users
will follow up in their initial set up. Given that this issue is not specific of any
QubesOS version I don't think it deserves a mention in those sections.
---
 security/split-gpg.md | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)

diff --git a/security/split-gpg.md b/security/split-gpg.md
index def1210b..271e819f 100644
--- a/security/split-gpg.md
+++ b/security/split-gpg.md
@@ -77,11 +77,11 @@ there? To Be Determined.
 - The Split GPG client will fail to sign or encrypt if the private key in the
 GnuPG backend is protected by a passphrase, it will give a *"Inappropriate ioctl
 for device"* error. Avoid setting passphrases for the private keys in the GPG
-backend domain, it won't provide extra security anyway, if an attacker gains
-access to it they will likely be able to get the passphrase too. If you have a
-private key that already has a passphrase set use `gpg2 --edit-key <key_id>`,
-then `passwd`. Be aware that `pinentry-ncurses` doesn't allow setting empty
-passphrases, so you would need to install `pinentry-gtk`.
+backend domain, it won't provide extra security anyway, as explained before. If
+you have a private key that already has a passphrase set use `gpg2 --edit-key
+<key_id>`, then `passwd` to set an empty passphrase. Be aware that
+`pinentry-ncurses` doesn't allow setting empty passphrases, so you would need to
+install `pinentry-gtk` for it to work.
 
 ## Configuring Split GPG ##
 
@@ -123,6 +123,9 @@ for key access should be valid (default 5 minutes). This is adjustable via
 
     [user@work-gpg ~]$ echo "export QUBES_GPG_AUTOACCEPT=86400" >> ~/.bash_profile
 
+Please be aware of the caveat regarding passphrase-protected keys in the
+[Current limitations][current-limitations] section.
+
 ### Configuring the client apps to use Split GPG backend ###
 
 Normally it should be enough to set the `QUBES_GPG_DOMAIN` to the GPG backend
@@ -171,14 +174,6 @@ the name of the GPG backend VM. This file survives the AppVM reboot, of course.
     [user@work ~]$ sudo bash
     [root@work ~]$ echo "work-gpg" > /rw/config/gpg-split-domain
 
-A note on passphrases:
-
-You may experience trouble when attempting to use a PGP key *with a passphrase*
-along with Split-GPG and Enigmail. If you do, you may need to remove the
-passphrase from your (sub)key(s) in order to get Split-GPG working correctly.
-As mentioned above, we do not believe PGP key passphrases to be significant
-from a security perspective.
-
 ## Qubes 4.0 Specifics ##
 
 ### Using Thunderbird + Enigmail with Split GPG ###
@@ -411,4 +406,5 @@ exercise caution and use your good judgment.)
 [cabal]: https://alexcabal.com/creating-the-perfect-gpg-keypair/
 [luck]: https://gist.github.com/abeluck/3383449
 [apapadop]: https://apapadop.wordpress.com/2013/08/21/using-gnupg-with-qubesos/
+[current-limitations]: #current-limitations
 

From 0aa7645abfd5983f0a8578679d27b357ad81a102 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sun, 21 Oct 2018 23:57:56 +0000
Subject: [PATCH 3/4] update AMD video card recommendations

---
 hardware/system-requirements.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/hardware/system-requirements.md b/hardware/system-requirements.md
index a5560e3f..80aa357c 100644
--- a/hardware/system-requirements.md
+++ b/hardware/system-requirements.md
@@ -33,7 +33,8 @@ redirect_from:
  * Fast SSD (strongly recommended)
  * Intel IGP (strongly preferred)
    * Nvidia GPUs may require significant [troubleshooting][nvidia].
-   * ATI GPUs have not been formally tested (but see the [Hardware Compatibility List]).
+   * AMD GPUs have not been formally tested, but Radeons (RX580 and earlier) generally work well
+   * See the [Hardware Compatibility List]
  * [Intel VT-x] or [AMD-V] (required for running HVM domains, such as Windows-based AppVMs)
  * [Intel VT-d] or [AMD-Vi (aka AMD IOMMU)] (required for effective isolation of network VMs)
  * TPM with proper BIOS support (required for [Anti Evil Maid])
@@ -53,7 +54,8 @@ redirect_from:
  * Fast SSD (strongly recommended)
  * Intel IGP (strongly preferred)
    * Nvidia GPUs may require significant [troubleshooting][nvidia].
-   * ATI GPUs have not been formally tested (but see the [Hardware Compatibility List]).
+   * AMD GPUs have not been formally tested, but Radeons (RX580 and earlier) generally work well
+   * See the [Hardware Compatibility List]
  * TPM with proper BIOS support (required for [Anti Evil Maid])
  * A non-USB keyboard or multiple USB controllers
  * Also consider the [hardware certification requirements for Qubes 4.x].

From 9344e5f2c322f3c72600f44078cc07053fa3ba5f Mon Sep 17 00:00:00 2001
From: unman <unman@thirdeyesecurity.org>
Date: Mon, 22 Oct 2018 13:09:09 +0000
Subject: [PATCH 4/4] Update debian.md

---
 managing-os/templates/debian.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/managing-os/templates/debian.md b/managing-os/templates/debian.md
index 5543706c..82d93c2f 100644
--- a/managing-os/templates/debian.md
+++ b/managing-os/templates/debian.md
@@ -25,6 +25,10 @@ can also obtain the key from [git
 repository](https://github.com/QubesOS/qubes-core-agent-linux/blob/master/misc/qubes-archive-keyring.gpg),
 which is also integrity-protected using signed git tags.
 
+If you want a debian-minimal template, this can be built using [Qubes-builder](https://www.qubes-os.org/doc/qubes-builder/),by selecting a +minimal flavour in setup, and then               
+
+    make qubes-vm && make template
+
 Installing
 ----------