Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2024-10-01 01:25:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into unman-patch-3

Browse Source
This commit is contained in:
Andrew David Wong 2018-10-23 19:08:32 -05:00
commit 38c8749478
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17
3 changed files with 20 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
hardware/system-requirements.md
View File

@ -33,7 +33,8 @@ redirect_from:
* Fast SSD (strongly recommended) * Fast SSD (strongly recommended)
* Intel IGP (strongly preferred) * Intel IGP (strongly preferred)
* Nvidia GPUs may require significant [troubleshooting][nvidia]. * Nvidia GPUs may require significant [troubleshooting][nvidia].
* ATI GPUs have not been formally tested (but see the [Hardware Compatibility List]). * AMD GPUs have not been formally tested, but Radeons (RX580 and earlier) generally work well
* See the [Hardware Compatibility List]
* [Intel VT-x] or [AMD-V] (required for running HVM domains, such as Windows-based AppVMs) * [Intel VT-x] or [AMD-V] (required for running HVM domains, such as Windows-based AppVMs)
* [Intel VT-d] or [AMD-Vi (aka AMD IOMMU)] (required for effective isolation of network VMs) * [Intel VT-d] or [AMD-Vi (aka AMD IOMMU)] (required for effective isolation of network VMs)
* TPM with proper BIOS support (required for [Anti Evil Maid]) * TPM with proper BIOS support (required for [Anti Evil Maid])
@ -53,7 +54,8 @@ redirect_from:
* Fast SSD (strongly recommended) * Fast SSD (strongly recommended)
* Intel IGP (strongly preferred) * Intel IGP (strongly preferred)
* Nvidia GPUs may require significant [troubleshooting][nvidia]. * Nvidia GPUs may require significant [troubleshooting][nvidia].
* ATI GPUs have not been formally tested (but see the [Hardware Compatibility List]). * AMD GPUs have not been formally tested, but Radeons (RX580 and earlier) generally work well
* See the [Hardware Compatibility List]
* TPM with proper BIOS support (required for [Anti Evil Maid]) * TPM with proper BIOS support (required for [Anti Evil Maid])
* A non-USB keyboard or multiple USB controllers * A non-USB keyboard or multiple USB controllers
* Also consider the [hardware certification requirements for Qubes 4.x]. * Also consider the [hardware certification requirements for Qubes 4.x].

4
managing-os/templates/debian.md
View File

@ -25,6 +25,10 @@ can also obtain the key from [git
repository](https://github.com/QubesOS/qubes-core-agent-linux/blob/master/misc/qubes-archive-keyring.gpg), repository](https://github.com/QubesOS/qubes-core-agent-linux/blob/master/misc/qubes-archive-keyring.gpg),
which is also integrity-protected using signed git tags. which is also integrity-protected using signed git tags.
If you want a debian-minimal template, this can be built using [Qubes-builder](https://www.qubes-os.org/doc/qubes-builder/),by selecting a +minimal flavour in setup, and then
make qubes-vm && make template
Installing Installing
---------- ----------

20
security/split-gpg.md
View File

@ -74,6 +74,14 @@ signed before the operation gets approved. Perhaps the GPG backend domain
could start a Disposable VM and have the to-be-signed document displayed could start a Disposable VM and have the to-be-signed document displayed
there? To Be Determined. there? To Be Determined.
- The Split GPG client will fail to sign or encrypt if the private key in the
GnuPG backend is protected by a passphrase, it will give a *"Inappropriate ioctl
for device"* error. Avoid setting passphrases for the private keys in the GPG
backend domain, it won't provide extra security anyway, as explained before. If
you have a private key that already has a passphrase set use `gpg2 --edit-key
<key_id>`, then `passwd` to set an empty passphrase. Be aware that
`pinentry-ncurses` doesn't allow setting empty passphrases, so you would need to
install `pinentry-gtk` for it to work.
## Configuring Split GPG ## ## Configuring Split GPG ##
@ -115,6 +123,9 @@ for key access should be valid (default 5 minutes). This is adjustable via
[user@work-gpg ~]$ echo "export QUBES_GPG_AUTOACCEPT=86400" >> ~/.bash_profile [user@work-gpg ~]$ echo "export QUBES_GPG_AUTOACCEPT=86400" >> ~/.bash_profile
Please be aware of the caveat regarding passphrase-protected keys in the
[Current limitations][current-limitations] section.
### Configuring the client apps to use Split GPG backend ### ### Configuring the client apps to use Split GPG backend ###
Normally it should be enough to set the `QUBES_GPG_DOMAIN` to the GPG backend Normally it should be enough to set the `QUBES_GPG_DOMAIN` to the GPG backend
@ -163,14 +174,6 @@ the name of the GPG backend VM. This file survives the AppVM reboot, of course.
[user@work ~]$ sudo bash [user@work ~]$ sudo bash
[root@work ~]$ echo "work-gpg" > /rw/config/gpg-split-domain [root@work ~]$ echo "work-gpg" > /rw/config/gpg-split-domain
A note on passphrases:
You may experience trouble when attempting to use a PGP key *with a passphrase*
along with Split-GPG and Enigmail. If you do, you may need to remove the
passphrase from your (sub)key(s) in order to get Split-GPG working correctly.
As mentioned above, we do not believe PGP key passphrases to be significant
from a security perspective.
## Qubes 4.0 Specifics ## ## Qubes 4.0 Specifics ##
### Using Thunderbird + Enigmail with Split GPG ### ### Using Thunderbird + Enigmail with Split GPG ###
@ -403,4 +406,5 @@ exercise caution and use your good judgment.)
[cabal]: https://alexcabal.com/creating-the-perfect-gpg-keypair/ [cabal]: https://alexcabal.com/creating-the-perfect-gpg-keypair/
[luck]: https://gist.github.com/abeluck/3383449 [luck]: https://gist.github.com/abeluck/3383449
[apapadop]: https://apapadop.wordpress.com/2013/08/21/using-gnupg-with-qubesos/ [apapadop]: https://apapadop.wordpress.com/2013/08/21/using-gnupg-with-qubesos/
[current-limitations]: #current-limitations