From f2d9346a6b69d9075c66e8c58ef3c7d5f8f3a7bb Mon Sep 17 00:00:00 2001
From: Daniel Gonzalez Gasull
Date: Tue, 20 Nov 2018 11:12:43 +0800
Subject: [PATCH 001/188] copiousoutput HTML, qvm-open-in-dvm the rest
---
 configuration/mutt.md | 28 +++-------------------------
 1 file changed, 3 insertions(+), 25 deletions(-)
diff --git a/configuration/mutt.md b/configuration/mutt.md
index 0ae3f94e..c77b56bd 100644
--- a/configuration/mutt.md
+++ b/configuration/mutt.md
@@ -194,29 +194,7 @@ In `.urlview`:
 In `.mailcap`:
- ### TODO: override most/all default mailcap settings to prevent
+ ### override all default mailcap settings to prevent
 ### opening in muttvm
- ### is there a way to do this polymorphically? i.e. not
- ### listing every damn mimetype by hand
- ###
- ### also would be convenient to use mailcap's TEST feature to
- ### show some html in mutt pager (e.g. with w3m, links or html2text),
- ### else open others in dispvm
-
- # MS Word documents
- application/msword; qvm-open-in-dvm %s
-
- application/vnd.oasis.opendocument.spreadsheet; qvm-open-in-dvm %s
- application/vnd.oasis.opendocument.text; qvm-open-in-dvm %s
-
- # Images
- image/jpg; qvm-open-in-dvm %s
- image/jpeg; qvm-open-in-dvm %s
- image/png; qvm-open-in-dvm %s
- image/gif; qvm-open-in-dvm %s
-
- # PDFs
- application/pdf; qvm-open-in-dvm %s
-
- # HTML
- text/html; qvm-open-in-dvm %s
+ text/html; w3m '%s' | cat --squeeze-blank; nametemplate=%s.html; copiousoutput
+ */*; qvm-open-in-dvm xdg-open '%s'; test=test -n "$DISPLAY"
From 2e056ffd5205783c608efd1e8215ce2b2d5c6487 Mon Sep 17 00:00:00 2001
From: Daniel Gonzalez Gasull
Date: Wed, 21 Nov 2018 23:16:05 +0800
Subject: [PATCH 002/188] Update mutt.md
---
 configuration/mutt.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configuration/mutt.md b/configuration/mutt.md
index c77b56bd..acf0425e 100644
--- a/configuration/mutt.md
+++ b/configuration/mutt.md
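Review bot: The two entries added at the end of the patch 001 hunk wrap the expando in shell quotes (`w3m '%s'`, `xdg-open '%s'`), which mutt's mailcap guidance advises against: mutt quotes the expanded attachment path itself, so extra quotes around `%s` interfere with that quoting for names taken from untrusted mail. I would leave the expando bare, as the removed entries did, e.g. `text/html; w3m %s | cat --squeeze-blank; nametemplate=%s.html; copiousoutput`. The same quoting is carried into the `w3m -T text/html '%s'` line in patches 002 and 003. Separately, `qvm-open-in-dvm xdg-open '%s'` appears to hand `xdg-open` to the tool as the thing to open rather than the attachment; worth confirming against its usage text.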
@@ -196,5 +196,5 @@ In `.mailcap`:
 ### override all default mailcap settings to prevent
 ### opening in muttvm
- text/html; w3m '%s' | cat --squeeze-blank; nametemplate=%s.html; copiousoutput
+ text/html; w3m -T text/html '%s' | cat --squeeze-blank; nametemplate=%s.html; copiousoutput
 */*; qvm-open-in-dvm xdg-open '%s'; test=test -n "$DISPLAY"
From 414ef7bc190fe2f124766eb44c8aa86bb6ed486a Mon Sep 17 00:00:00 2001
From: Daniel Gonzalez Gasull
Date: Wed, 28 Nov 2018 18:43:04 +0800
Subject: [PATCH 003/188] Add only copiousoutput for HTML
---
 configuration/mutt.md | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/configuration/mutt.md b/configuration/mutt.md
index acf0425e..a54f8836 100644
--- a/configuration/mutt.md
+++ b/configuration/mutt.md
@@ -194,7 +194,25 @@ In `.urlview`:
 In `.mailcap`:
- ### override all default mailcap settings to prevent
+ ### TODO: override most/all default mailcap settings to prevent
 ### opening in muttvm
+ ### is there a way to do this polymorphically? i.e. not
+ ### listing every damn mimetype by hand
+ ###
+ ### also would be convenient to use mailcap's TEST feature to
+ ### show some html in mutt pager (e.g. with w3m, links or html2text),
+ ### else open others in dispvm
+ # MS Word documents
+ application/msword; qvm-open-in-dvm %s
+ application/vnd.oasis.opendocument.spreadsheet; qvm-open-in-dvm %s
+ application/vnd.oasis.opendocument.text; qvm-open-in-dvm %s
+ # Images
+ image/jpg; qvm-open-in-dvm %s
+ image/jpeg; qvm-open-in-dvm %s
+ image/png; qvm-open-in-dvm %s
+ image/gif; qvm-open-in-dvm %s
+ # PDFs
+ application/pdf; qvm-open-in-dvm %s
+ # HTML
 text/html; w3m -T text/html '%s' | cat --squeeze-blank; nametemplate=%s.html; copiousoutput
- */*; qvm-open-in-dvm xdg-open '%s'; test=test -n "$DISPLAY"
+ text/html; qvm-open-in-dvm %s
From e2d66857b39ec7c45d6d1062d7a1fa419f29fffb Mon Sep 17 00:00:00 2001
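Review bot: The two `text/html` entries at the end of the patch 003 hunk are ordered so that, by mutt's documented lookup (first matching entry for interactive viewing, first `copiousoutput` entry for auto_view), `text/html; qvm-open-in-dvm %s` is never selected and HTML parts are always parsed by w3m inside the mail qube. If the intent is inline rendering for auto_view and a disposable VM when the part is opened from the attachment menu, put `text/html; qvm-open-in-dvm %s` before the `copiousoutput` line. A comment above the pair such as `### first entry: opened from the attachment menu; copiousoutput entry: auto_view only` would record that the order matters. The header comment still states the goal as not opening content in muttvm, which the w3m entry does not meet for HTML, so it is worth saying there that this is a deliberate trade-off.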
From: Daniel Gonzalez Gasull
Date: Wed, 28 Nov 2018 18:43:50 +0800
Subject: [PATCH 004/188] Add blank lines back
---
 configuration/mutt.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/configuration/mutt.md b/configuration/mutt.md
index a54f8836..9b57d77f 100644
--- a/configuration/mutt.md
+++ b/configuration/mutt.md
@@ -202,17 +202,21 @@ In `.mailcap`:
 ### also would be convenient to use mailcap's TEST feature to
 ### show some html in mutt pager (e.g. with w3m, links or html2text),
 ### else open others in dispvm
+
 # MS Word documents
 application/msword; qvm-open-in-dvm %s
 application/vnd.oasis.opendocument.spreadsheet; qvm-open-in-dvm %s
 application/vnd.oasis.opendocument.text; qvm-open-in-dvm %s
+
 # Images
 image/jpg; qvm-open-in-dvm %s
 image/jpeg; qvm-open-in-dvm %s
 image/png; qvm-open-in-dvm %s
 image/gif; qvm-open-in-dvm %s
+
 # PDFs
 application/pdf; qvm-open-in-dvm %s
+
 # HTML
 text/html; w3m -T text/html '%s' | cat --squeeze-blank; nametemplate=%s.html; copiousoutput
 text/html; qvm-open-in-dvm %s
From 3f0736adb4c28c305adaa0dd1bf3b701e80f846e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marta=20Marczykowska-G=C3=B3recka?=
Date: Mon, 7 Jan 2019 22:45:30 +0100
Subject: [PATCH 005/188] Initial commit
---
 basics_user/getting-started-4.md | 208 +++++++++++++++++++++++++++++++
 1 file changed, 208 insertions(+)
 create mode 100644 basics_user/getting-started-4.md
diff --git a/basics_user/getting-started-4.md b/basics_user/getting-started-4.md
new file mode 100644
index 00000000..db10e49b
--- /dev/null
+++ b/basics_user/getting-started-4.md
@@ -0,0 +1,208 @@
+---
+layout: default
+title: Get Started
+permalink: /getting-started/
+redirect_from:
+- /doc/getting-started/
+- /en/doc/getting-started/
+- /doc/GettingStarted/
+- /wiki/GettingStarted/
+---
+
+After [installing Qubes](/doc/installation-guide/), let's cover some basic concepts.
+You might also like to refer to the [Glossary](/doc/glossary/).
+
+AppVMs (qubes) and TemplateVMs
+--------------------------------
+
+In Qubes, you run all your programs in lightweight Virtual Machines called **qubes**.
+Not every app runs in its own qube.
+(That would be a big waste of resources!)
+Instead, each qube represents a *security domain* (e.g., "work," "personal," "banking," etc.).
+By default all qubes are based on a single, common **TemplateVM** , although you can create more TemplateVMs if you wish.
+When you create a new qube, you don't copy the whole root filesystem needed for this qube to work (which would include copying all the programs).
+Instead, each qube *shares* the root filesystem with its respective TemplateVM.
+A qube has read-only access to the filesystem of the Template on which it's based, so a qube cannot modify a TemplateVM in any way.
+This is important, as it means that if a qube is ever compromised, the TemplateVM on which it's based (and any other qubes based on that TemplateVM) will still be safe.
+So creating a large number of domains is cheap: each one needs only as much disk space as is necessary to store its private files (e.g., the "home" folder).
+
+If you've installed Qubes using the default options, a few qubes have already been created for you:
+
+- work
+- personal
+- untrusted
+
+Each qube, apart from having a distinct name, is also assigned a **label**, which is one of several pre-defined colors.
+The trusted window manager uses these colors in order to draw window decorations (color frames) around the windows of applications running in each qube.
+It's totally up to you how you'd like to interpret these colors.
+You might like to use them to quickly and easily identify the trust level of a given window at a glance.
+Personally, I find it natural to associate red with that which is untrusted and dangerous (the “red light” -- stop! danger!), green with that which is safe and trusted, and yellow and orange with things in the middle.
+I've also extended this scheme to include blue and black, which I interpret as indicating progressively more trusted domains than green, with black being ultimately trusted.
+Alternatively you might use the colors to show that qubes belong to the same domain - for example, you might use 3 or 4 qubes for work activities, and give them all the same distinct color label. It's entirely up to you.
+
+![snapshot12.png](/attachment/wiki/GettingStarted/snapshot12.png)
+
+In addition to qubes and TemplateVMs, there's one special domain called "dom0," which is where the Desktop Manager runs.
+This is where you log in to the system.
+Dom0 is more trusted than any other domain (including TemplateVMs and black-labeled qubes).
+If dom0 were ever compromised, it would be Game OverTM.
+(The entire system would effectively be compromised.)
+Due to its overarching importance, dom0 has no network connectivity and is used only for running the Window and Desktop Managers.
+Dom0 shouldn't be used for anything else.
+In particular, [you should never run user applications in dom0](/doc/security-guidelines/#dom0-precautions).
+(That's what your qubes are for!)
+
+Qubes VM Manager and Command Line Tools
+---------------------------------------
+
+All aspects of the Qubes system can be controlled using command line tools run under a dom0 console.
+Opening a console window in dom0 can be done in several ways:
+
+* Go to the Start Menu and click Terminal Emulator
+* Press Alt-F3, type `xfce terminal` and press Enter twice
+* Right-click on the desktop and select Open Terminal Here
+* In previous versions of Qubes with KDE:
+ * Start → System Tools → Konsole
+ * Press Alt-F2 and type `konsole`.
+
+Various command line tools are described as part of this guide, and the whole reference can be found [here](/doc/tools/).
+
+![r2b1-dom0-konsole.png](/attachment/wiki/GettingStarted/r2b1-dom0-konsole.png)
+
+Alternatively, you can use a rather intuitive GUI tool called **Qubes VM Manager**.
+It supports most of the functionality that command line tools provide.
+The Qubes VM Manager starts and opens automatically when Qubes starts up, but you can also start it by going to Start → System Tools → Qubes Manager.
+Once the Qubes VM Manager is running, you can open the window at any time by clicking on the Qubes tray icon, which typically resides in the bottom-right corner of the screen.
+
+![r2b1-qubes-manager-2.png](/attachment/wiki/GettingStarted/r2b1-qubes-manager-2.png)
+
+Starting Apps in qubes
+------------------------
+
+Apps can be started either by using the shortcuts in the Desktop Manager's menu or by using the command line (i.e., a console running in dom0).
+
+You can start apps directly from the Start Menu or the Application Finder (Alt-F3).
+Each qube has its own menu directory under the scheme **Domain: \**.
+After navigating into one of these directories, simply click on the application you'd like to start:
+
+![r2b1-appsmenu-1.png](/attachment/wiki/GettingStarted/r2b1-appsmenu-1.png) ![r2b1-appsmenu-3.png](/attachment/wiki/GettingStarted/r2b1-appsmenu-3.png)
+
+By default, each qube's menu contains only a few shortcuts.
+If you'd like to add more, simply click **Add more shortcuts...**, select the desired applications, and click **OK**.
+You can also add shortcuts manually.
+(This is sometimes necessary if the desired application doesn't show up in the Qubes VM Manager window.)
+To do this in KDE, right-click on the **Start** button and click **Menu Editor**.
+Click the qube directory in which you'd like the menu to appear, click **New Item**, enter its name as **\: \**, and provide the command for starting the app (see below).
+Then click **Save** and wait approximately 15 seconds for the changes to propagate to the KDE menu.
+
+To start apps from the console in dom0, type:
+
+ qvm-run -a " [arguments]"
+
+e.g.:
+
+ qvm-run -a untrusted firefox
+
+The -a parameter will start the qube if it is not already running.
+
+Adding, Removing, and Listing qubes
+-------------------------------------
+
+A qube can easily be added and removed by clicking on the **Add** and **Remove** buttons in the Qubes VM Manager.
+
+A qube can also be added, removed, and qubes may be listed from the command line (i.e., a console running in dom0) using the following tools:
+
+- `qvm-create`
+- `qvm-remove`
+- `qvm-ls`
+
+How Many Qubes Do I Need?
+---------------------------
+
+That's a great question, but there's no one-size-fits-all answer.
+It depends on the structure of your digital life, and this is at least a little different for everyone.
+If you plan on using your system for work, then it also depends on what kind of job you do.
+
+It's a good idea to start out with the three qubes created automatically by the installer: work, personal, and untrusted.
+Then, if and when you start to feel that some activity just doesn't fit into any of your existing qubes, or you want to partition some part of your life, you can easily create a new qube for it.
+You'll also be able to easily copy any files you need to the newly created qube, as explained [here](/doc/copying-files/).
+
+More paranoid people might find it worthwhile to read [this article](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html), which describes how one of the Qubes authors partitions her digital life into security domains.
+
+Common Tasks
+------------
+
+Here are the documentation pages for some of the main actions you'll want to perform.
+A full list is available in the [Common Tasks](/doc/#common-tasks) section of the documentation.
+
+ * [Copying and Pasting Text Between Domains](/doc/copy-paste/)
+ * [Copying and Moving Files Between Domains](/doc/copying-files/)
+ * [Copying from (and to) dom0](/doc/copy-from-dom0/)
+ * [Updating Software in dom0](/doc/software-update-dom0/)
+ * [Updating and Installing Software in VMs](/doc/software-update-vm/)
+ * [Backup, Restoration, and Migration](/doc/backup-restore/)
+ * [Using DisposableVMs](/doc/disposablevm/)
+ * [Using and Managing USB Devices](/doc/usb/)
+
+Running an application Full Screen
+----------------------------------
+
+By default, Qubes doesn't allow any application window to occupy the entire screen such that its window name (which includes the name of the qube to which it belongs) and colored window border are no longer visible.
+This is a security precaution designed to prevent a situation in which an application which has been allowed to enter full screen mode begins to emulate the entire Qubes system.
+The user should always be able to identify which qube is displaying any given window.
+Otherwise, a compromised qube which is able to occupy the entire screen could trick the user into thinking that she is interacting with a variety of different qubes (including dom0), when in fact she is interacting with only a single, compromised qube pretending to be the whole system.
+
+**Note:** A similar attack is possible even *without* fullscreen mode.
+Since a compromised qube can draw pixels within its own windows however it likes, it could draw a fake password prompt, for example, which appears to have a different colored border so that it looks like it belongs to a different qube. +This is why you should always drag such prompts away from other windows (or use some other means of manipulating the windows) to ensure that they belong to the qube to which they appear to belong. + +To allow a qube to enter full screen mode, one should edit the `/etc/qubes/guid.conf` file in dom0. + +To allow all qubes to enter full screen mode, set `allow_fullscreen` flag to `true` in the `global` section: + + global: { + # default values + allow_fullscreen = false; + #allow_utf8_titles = false; + #secure_copy_sequence = "Ctrl-Shift-c"; + #secure_paste_sequence = "Ctrl-Shift-v"; + #windows_count_limit = 500; + }; + +To allow only select qubes to enter full screen mode, create a per-VM section, and set `allow_fullscreen` flag there to `true`: + + VM: { + work: { + allow_fullscreen = true; + }; + + }; + +In order for the changes to take effect, restart the qube(s). + +More details can be found [here](/doc/full-screen-mode/). + +
+
+

Compatible Hardware

+

Ready to install Qubes? Make sure your hardware is compatible, as Qubes cannot run on every type of computer. Also, check out Qubes-certified Laptops.

+ + Hardware Compatibility List + +
+
+

Downloads

+

Download an ISO, learn how to verify its authenticity and integrity, and follow our guides to install Qubes. Looking for the source code? You'll find it on GitHub.

+ + Downloads + +
+
+

Documentation

+

Peruse our extensive library of documentation for users and developers of Qubes. You can even help us improve it!

+ + Documentation + +
+
+
From f23d8f18cc46daf05a016be0468bf0ae1a4a01be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marta=20Marczykowska-G=C3=B3recka?=
Date: Wed, 9 Jan 2019 17:27:24 +0100
Subject: [PATCH 006/188] Changed and added Getting Started for Qubes 4.0
The old Getting Started was based on R3.2 - this one has more up-to-date screenshots and descriptions.
---
 basics_user/getting-started-4.md | 62 +++++++++++++++-----------------
 1 file changed, 28 insertions(+), 34 deletions(-)
diff --git a/basics_user/getting-started-4.md b/basics_user/getting-started-4.md
index db10e49b..0cbb87ae 100644
--- a/basics_user/getting-started-4.md
+++ b/basics_user/getting-started-4.md
@@ -1,12 +1,12 @@
 ---
 layout: default
-title: Get Started
-permalink: /getting-started/
+title: Get Started - Qubes 4
+permalink: /getting-started-4/
 redirect_from:
-- /doc/getting-started/
-- /en/doc/getting-started/
-- /doc/GettingStarted/
-- /wiki/GettingStarted/
+- /doc/getting-started-4/
+- /en/doc/getting-started-4/
+- /doc/GettingStarted-4/
+- /wiki/GettingStarted-4/
 ---
 After [installing Qubes](/doc/installation-guide/), let's cover some basic concepts.
@@ -19,11 +19,11 @@ In Qubes, you run all your programs in lightweight Virtual Machines called **qub
 Not every app runs in its own qube.
 (That would be a big waste of resources!)
 Instead, each qube represents a *security domain* (e.g., "work," "personal," "banking," etc.).
-By default all qubes are based on a single, common **TemplateVM** , although you can create more TemplateVMs if you wish.
+By default all qubes are based on a single, common **Template** , although you can create more Templates if you wish.
 When you create a new qube, you don't copy the whole root filesystem needed for this qube to work (which would include copying all the programs).
-Instead, each qube *shares* the root filesystem with its respective TemplateVM.
-A qube has read-only access to the filesystem of the Template on which it's based, so a qube cannot modify a TemplateVM in any way.
-This is important, as it means that if a qube is ever compromised, the TemplateVM on which it's based (and any other qubes based on that TemplateVM) will still be safe.
+Instead, each qube *shares* the root filesystem with its respective Template.
+A qube has read-only access to the filesystem of the Template on which it's based, so a qube cannot modify a Template in any way.
+This is important, as it means that if a qube is ever compromised, the Template on which it's based (and any other qubes based on that Template) will still be safe.
 So creating a large number of domains is cheap: each one needs only as much disk space as is necessary to store its private files (e.g., the "home" folder).
 If you've installed Qubes using the default options, a few qubes have already been created for you:
@@ -40,11 +40,11 @@ Personally, I find it natural to associate red with that which is untrusted and
 I've also extended this scheme to include blue and black, which I interpret as indicating progressively more trusted domains than green, with black being ultimately trusted.
 Alternatively you might use the colors to show that qubes belong to the same domain - for example, you might use 3 or 4 qubes for work activities, and give them all the same distinct color label. It's entirely up to you.
-![snapshot12.png](/attachment/wiki/GettingStarted/snapshot12.png)
+![snapshot_40.png](/attachment/wiki/GettingStarted/snapshot_40.png)
-In addition to qubes and TemplateVMs, there's one special domain called "dom0," which is where the Desktop Manager runs.
+In addition to qubes and Templates, there's one special domain called "dom0," where many system tools and the desktop manager run.
 This is where you log in to the system.
-Dom0 is more trusted than any other domain (including TemplateVMs and black-labeled qubes).
+Dom0 is more trusted than any other domain (including Templates and black-labeled qubes).
 If dom0 were ever compromised, it would be Game OverTM.
 (The entire system would effectively be compromised.)
 Due to its overarching importance, dom0 has no network connectivity and is used only for running the Window and Desktop Managers.
@@ -52,7 +52,7 @@ Dom0 shouldn't be used for anything else.
 In particular, [you should never run user applications in dom0](/doc/security-guidelines/#dom0-precautions).
 (That's what your qubes are for!)
-Qubes VM Manager and Command Line Tools
+Qubes Gui and Command Line Tools
 ---------------------------------------
 All aspects of the Qubes system can be controlled using command line tools run under a dom0 console.
@@ -61,20 +61,19 @@ Opening a console window in dom0 can be done in several ways:
 * Go to the Start Menu and click Terminal Emulator
 * Press Alt-F3, type `xfce terminal` and press Enter twice
 * Right-click on the desktop and select Open Terminal Here
-* In previous versions of Qubes with KDE:
- * Start → System Tools → Konsole
- * Press Alt-F2 and type `konsole`.
 Various command line tools are described as part of this guide, and the whole reference can be found [here](/doc/tools/).
-![r2b1-dom0-konsole.png](/attachment/wiki/GettingStarted/r2b1-dom0-konsole.png)
+Alternatively, you can use a suite of GUI tools, most of which are always available through desktop widgets.
+The two most important widgets are Domains Widget and Devices Widget.
+**Domains Widget** allows you to manage running qubes, turn them on or off and monitor memory usage.
+**Devices Widget** allows you to attach and detach devices - such as USB drives or cameras - to qubes.
+The **Disk Space Widget** will notify you if you're ever running out of disk space, and the **Updates Widget** will inform you that template updates are available.
-Alternatively, you can use a rather intuitive GUI tool called **Qubes VM Manager**.
-It supports most of the functionality that command line tools provide.
-The Qubes VM Manager starts and opens automatically when Qubes starts up, but you can also start it by going to Start → System Tools → Qubes Manager.
-Once the Qubes VM Manager is running, you can open the window at any time by clicking on the Qubes tray icon, which typically resides in the bottom-right corner of the screen.
+![q40_widgets.png](/attachment/wiki/GettingStarted/q40_widgets.png)
+
+For an overview of the entire system, you can use **Qube Manager** (available from Start → System Tools → Qube Manager), which displays state of all qubes in your QubesOS.
-![r2b1-qubes-manager-2.png](/attachment/wiki/GettingStarted/r2b1-qubes-manager-2.png)
 Starting Apps in qubes
 ------------------------
@@ -85,30 +84,25 @@ You can start apps directly from the Start Menu or the Application Finder (Alt-F
 Each qube has its own menu directory under the scheme **Domain: \**.
 After navigating into one of these directories, simply click on the application you'd like to start:
-![r2b1-appsmenu-1.png](/attachment/wiki/GettingStarted/r2b1-appsmenu-1.png) ![r2b1-appsmenu-3.png](/attachment/wiki/GettingStarted/r2b1-appsmenu-3.png)
+![menu1.png](/attachment/wiki/GettingStarted/menu1.png.png) ![menu2.png](/attachment/wiki/GettingStarted/menu2.png)
 By default, each qube's menu contains only a few shortcuts.
-If you'd like to add more, simply click **Add more shortcuts...**, select the desired applications, and click **OK**.
-You can also add shortcuts manually.
-(This is sometimes necessary if the desired application doesn't show up in the Qubes VM Manager window.)
-To do this in KDE, right-click on the **Start** button and click **Menu Editor**.
-Click the qube directory in which you'd like the menu to appear, click **New Item**, enter its name as **\: \**, and provide the command for starting the app (see below).
-Then click **Save** and wait approximately 15 seconds for the changes to propagate to the KDE menu.
+If you'd like to add more, enter the qube's **Qube Settings** and add them on the Applications tab.
 To start apps from the console in dom0, type:
- qvm-run -a " [arguments]"
+ qvm-run " [arguments]"
 e.g.:
- qvm-run -a untrusted firefox
+ qvm-run untrusted firefox
-The -a parameter will start the qube if it is not already running.
+This command will start the qube if it is not already running.
 Adding, Removing, and Listing qubes
 -------------------------------------
-A qube can easily be added and removed by clicking on the **Add** and **Remove** buttons in the Qubes VM Manager.
+A qube can easily be added with the **Create Qubes VM** option in Start menu. If you need to add and remove more qubes, it's easiest with Qube Manager's **Add** and **Remove** buttons.
 A qube can also be added, removed, and qubes may be listed from the command line (i.e., a console running in dom0) using the following tools:
From 8502aa7488024a3872e0f297aef5d21bd5d8e4fc Mon Sep 17 00:00:00 2001
From: Andrew David Wong
Date: Fri, 11 Jan 2019 02:26:31 -0600
Subject: [PATCH 007/188] Revise Getting Started (4.0) guide
- Replace existing 3.2 guide with 4.0
- Add link at the top pointing to the 3.2 version
- Revise and clarify content
- Make use of the term "qube" consistent
- Make "template" a complementary term to "qube"
- Improve formatting
- Use reference-style links
- Replace overly-specific fullscreen mode section with link to doc page
---
 ...ing-started-4.md => getting-started-32.md} | 61 +++--
 basics_user/getting-started.md | 252 +++++++++---------
 2 files changed, 158 insertions(+), 155 deletions(-)
 rename basics_user/{getting-started-4.md => getting-started-32.md} (77%)
diff --git a/basics_user/getting-started-4.md b/basics_user/getting-started-32.md
similarity index 77%
rename from basics_user/getting-started-4.md
rename to basics_user/getting-started-32.md
index 0cbb87ae..30464661 100644
--- a/basics_user/getting-started-4.md
+++ b/basics_user/getting-started-32.md
@@ -1,14 +1,11 @@
 ---
 layout: default
-title: Get Started - Qubes 4
-permalink: /getting-started-4/
-redirect_from:
-- /doc/getting-started-4/
-- /en/doc/getting-started-4/
-- /doc/GettingStarted-4/
-- /wiki/GettingStarted-4/
+title: Get Started with Qubes 3.2
+permalink: /getting-started-32/
 ---
+_This is an introduction to Qubes 3.2. Looking to get started with Qubes 4.0? Please click [here](/getting-started/)._
+
 After [installing Qubes](/doc/installation-guide/), let's cover some basic concepts.
 You might also like to refer to the [Glossary](/doc/glossary/).
@@ -19,11 +16,11 @@ In Qubes, you run all your programs in lightweight Virtual Machines called **qub
 Not every app runs in its own qube.
 (That would be a big waste of resources!)
 Instead, each qube represents a *security domain* (e.g., "work," "personal," "banking," etc.).
-By default all qubes are based on a single, common **Template** , although you can create more Templates if you wish.
+By default all qubes are based on a single, common **TemplateVM** , although you can create more TemplateVMs if you wish.
 When you create a new qube, you don't copy the whole root filesystem needed for this qube to work (which would include copying all the programs).
-Instead, each qube *shares* the root filesystem with its respective Template.
-A qube has read-only access to the filesystem of the Template on which it's based, so a qube cannot modify a Template in any way.
-This is important, as it means that if a qube is ever compromised, the Template on which it's based (and any other qubes based on that Template) will still be safe.
+Instead, each qube *shares* the root filesystem with its respective TemplateVM.
+A qube has read-only access to the filesystem of the Template on which it's based, so a qube cannot modify a TemplateVM in any way.
+This is important, as it means that if a qube is ever compromised, the TemplateVM on which it's based (and any other qubes based on that TemplateVM) will still be safe.
 So creating a large number of domains is cheap: each one needs only as much disk space as is necessary to store its private files (e.g., the "home" folder).
 If you've installed Qubes using the default options, a few qubes have already been created for you:
@@ -40,11 +37,11 @@ Personally, I find it natural to associate red with that which is untrusted and
 I've also extended this scheme to include blue and black, which I interpret as indicating progressively more trusted domains than green, with black being ultimately trusted.
 Alternatively you might use the colors to show that qubes belong to the same domain - for example, you might use 3 or 4 qubes for work activities, and give them all the same distinct color label. It's entirely up to you.
-![snapshot_40.png](/attachment/wiki/GettingStarted/snapshot_40.png)
+![snapshot12.png](/attachment/wiki/GettingStarted/snapshot12.png)
-In addition to qubes and Templates, there's one special domain called "dom0," where many system tools and the desktop manager run.
+In addition to qubes and TemplateVMs, there's one special domain called "dom0," which is where the Desktop Manager runs.
 This is where you log in to the system.
-Dom0 is more trusted than any other domain (including Templates and black-labeled qubes).
+Dom0 is more trusted than any other domain (including TemplateVMs and black-labeled qubes).
 If dom0 were ever compromised, it would be Game OverTM.
 (The entire system would effectively be compromised.)
 Due to its overarching importance, dom0 has no network connectivity and is used only for running the Window and Desktop Managers.
@@ -52,7 +49,7 @@ Dom0 shouldn't be used for anything else.
 In particular, [you should never run user applications in dom0](/doc/security-guidelines/#dom0-precautions).
 (That's what your qubes are for!)
-Qubes Gui and Command Line Tools
+Qubes VM Manager and Command Line Tools
 ---------------------------------------
 All aspects of the Qubes system can be controlled using command line tools run under a dom0 console.
@@ -61,19 +58,20 @@ Opening a console window in dom0 can be done in several ways:
 * Go to the Start Menu and click Terminal Emulator
 * Press Alt-F3, type `xfce terminal` and press Enter twice
 * Right-click on the desktop and select Open Terminal Here
+* In previous versions of Qubes with KDE:
+ * Start → System Tools → Konsole
+ * Press Alt-F2 and type `konsole`.
 Various command line tools are described as part of this guide, and the whole reference can be found [here](/doc/tools/).
-Alternatively, you can use a suite of GUI tools, most of which are always available through desktop widgets.
-The two most important widgets are Domains Widget and Devices Widget.
-**Domains Widget** allows you to manage running qubes, turn them on or off and monitor memory usage.
-**Devices Widget** allows you to attach and detach devices - such as USB drives or cameras - to qubes.
-The **Disk Space Widget** will notify you if you're ever running out of disk space, and the **Updates Widget** will inform you that template updates are available.
+![r2b1-dom0-konsole.png](/attachment/wiki/GettingStarted/r2b1-dom0-konsole.png)
-![q40_widgets.png](/attachment/wiki/GettingStarted/q40_widgets.png)
-
-For an overview of the entire system, you can use **Qube Manager** (available from Start → System Tools → Qube Manager), which displays state of all qubes in your QubesOS.
+Alternatively, you can use a rather intuitive GUI tool called **Qubes VM Manager**.
+It supports most of the functionality that command line tools provide.
+The Qubes VM Manager starts and opens automatically when Qubes starts up, but you can also start it by going to Start → System Tools → Qubes Manager.
+Once the Qubes VM Manager is running, you can open the window at any time by clicking on the Qubes tray icon, which typically resides in the bottom-right corner of the screen.
+![r2b1-qubes-manager-2.png](/attachment/wiki/GettingStarted/r2b1-qubes-manager-2.png)
 Starting Apps in qubes
 ------------------------
@@ -84,25 +82,30 @@ You can start apps directly from the Start Menu or the Application Finder (Alt-F Each qube has its own menu directory under the scheme **Domain: \**. After navigating into one of these directories, simply click on the application you'd like to start: -![menu1.png](/attachment/wiki/GettingStarted/menu1.png.png) ![menu2.png](/attachment/wiki/GettingStarted/menu2.png) +![r2b1-appsmenu-1.png](/attachment/wiki/GettingStarted/r2b1-appsmenu-1.png) ![r2b1-appsmenu-3.png](/attachment/wiki/GettingStarted/r2b1-appsmenu-3.png) By default, each qube's menu contains only a few shortcuts. -If you'd like to add more, enter the qube's **Qube Settings** and add them on the Applications tab. +If you'd like to add more, simply click **Add more shortcuts...**, select the desired applications, and click **OK**. +You can also add shortcuts manually. +(This is sometimes necessary if the desired application doesn't show up in the Qubes VM Manager window.) +To do this in KDE, right-click on the **Start** button and click **Menu Editor**. +Click the qube directory in which you'd like the menu to appear, click **New Item**, enter its name as **\: \**, and provide the command for starting the app (see below). +Then click **Save** and wait approximately 15 seconds for the changes to propagate to the KDE menu. To start apps from the console in dom0, type: - qvm-run " [arguments]" + qvm-run -a " [arguments]" e.g.: - qvm-run untrusted firefox + qvm-run -a untrusted firefox -This command will start the qube if it is not already running. +The -a parameter will start the qube if it is not already running. Adding, Removing, and Listing qubes ------------------------------------- -A qube can easily be added with the **Create Qubes VM** option in Start menu. If you need to add and remove more qubes, it's easiest with Qube Manager's **Add** and **Remove** buttons. +A qube can easily be added and removed by clicking on the **Add** and **Remove** buttons in the Qubes VM Manager. 
A qube can also be added, removed, and qubes may be listed from the command line (i.e., a console running in dom0) using the following tools: diff --git a/basics_user/getting-started.md b/basics_user/getting-started.md index db10e49b..03ccdfa9 100644 --- a/basics_user/getting-started.md +++ b/basics_user/getting-started.md 
@@ -9,200 +9,200 @@ redirect_from: - /wiki/GettingStarted/ --- -After [installing Qubes](/doc/installation-guide/), let's cover some basic concepts. -You might also like to refer to the [Glossary](/doc/glossary/). +_This is an introduction to Qubes 4.0. Looking to get started with Qubes 3.2? Please click [here][getting-started-32]._ -AppVMs (qubes) and TemplateVMs --------------------------------- +After [downloading] and [installing] Qubes OS, let's cover some basic concepts. -In Qubes, you run all your programs in lightweight Virtual Machines called **qubes**. -Not every app runs in its own qube. -(That would be a big waste of resources!) -Instead, each qube represents a *security domain* (e.g., "work," "personal," "banking," etc.). -By default all qubes are based on a single, common **TemplateVM** , although you can create more TemplateVMs if you wish. +Introduction +------------ + +In Qubes OS, you run all your programs in lightweight [virtual machines (VMs)] called [qubes]. +Not every app runs in its own qube. +(That would be a big waste of resources!) +Instead, each qube represents a [security domain] (e.g., "work," "personal," and "banking"). +By default, all qubes are based on a single, common [template], although you can create more templates if you wish. When you create a new qube, you don't copy the whole root filesystem needed for this qube to work (which would include copying all the programs). -Instead, each qube *shares* the root filesystem with its respective TemplateVM. -A qube has read-only access to the filesystem of the Template on which it's based, so a qube cannot modify a TemplateVM in any way. -This is important, as it means that if a qube is ever compromised, the TemplateVM on which it's based (and any other qubes based on that TemplateVM) will still be safe. -So creating a large number of domains is cheap: each one needs only as much disk space as is necessary to store its private files (e.g., the "home" folder). 
+Instead, each qube *shares* the root filesystem with its respective template. +A qube has read-only access to the filesystem of the template on which it's based, so a qube cannot modify a template in any way. +This is important, as it means that if a qube is ever compromised, the template on which it's based (and any other qubes based on that template) will still be safe. +So, creating a large number of qubes is cheap: each one needs only as much disk space as is necessary to store its private files (e.g., the "home" folder). -If you've installed Qubes using the default options, a few qubes have already been created for you: +If you've installed Qubes OS using the default options, a few qubes have already been created for you: -- work -- personal -- untrusted + - work + - personal + - untrusted -Each qube, apart from having a distinct name, is also assigned a **label**, which is one of several pre-defined colors. -The trusted window manager uses these colors in order to draw window decorations (color frames) around the windows of applications running in each qube. -It's totally up to you how you'd like to interpret these colors. -You might like to use them to quickly and easily identify the trust level of a given window at a glance. -Personally, I find it natural to associate red with that which is untrusted and dangerous (the “red light” -- stop! danger!), green with that which is safe and trusted, and yellow and orange with things in the middle. -I've also extended this scheme to include blue and black, which I interpret as indicating progressively more trusted domains than green, with black being ultimately trusted. -Alternatively you might use the colors to show that qubes belong to the same domain - for example, you might use 3 or 4 qubes for work activities, and give them all the same distinct color label. It's entirely up to you. +Each qube, apart from having a distinct name, is also assigned a **label**, which is one of several predefined colors. 
+The trusted window manager uses these colors in order to draw colored borders around the windows of applications running in each qube. +This is designed to allow you to quickly and easily identify the trust level of a given window at a glance. +Most Qubes OS users associate red with what's untrusted and dangerous (like a red light -- stop! danger!), green with what's safe and trusted, and yellow and orange with things in the middle. +This color scheme also extends to include blue and black, which are usually interpreted as indicating progressively more trusted domains than green, with black being ultimately trusted. +However, it's totally up to you how you'd like to interpret these colors. +Qubes OS doesn't assume anything about these colors. +When you make a new qube, the system doesn't do anything special to it depending on whether it's black or red, for example. +The only difference is which color you see and the meaning you assign to that color in your mind. +For example, you could use the colors to show that qubes belong to the same domain. +You might use three or four qubes for work activities and give them all the same distinct color label, for instance. +It's entirely up to you. -![snapshot12.png](/attachment/wiki/GettingStarted/snapshot12.png) +![snapshot_40.png](/attachment/wiki/GettingStarted/snapshot_40.png) -In addition to qubes and TemplateVMs, there's one special domain called "dom0," which is where the Desktop Manager runs. -This is where you log in to the system. -Dom0 is more trusted than any other domain (including TemplateVMs and black-labeled qubes). -If dom0 were ever compromised, it would be Game OverTM. -(The entire system would effectively be compromised.) -Due to its overarching importance, dom0 has no network connectivity and is used only for running the Window and Desktop Managers. -Dom0 shouldn't be used for anything else. -In particular, [you should never run user applications in dom0](/doc/security-guidelines/#dom0-precautions). 
+In addition to qubes and templates, there's one special domain called [dom0], where many system tools and the desktop manager run. +This is where you log in to the system. +Dom0 is more trusted than any other domain (including templates and black-labeled qubes). +If dom0 were ever compromised, it would be "game over." +(The entire system would effectively be compromised.) +Due to its overarching importance, dom0 has no network connectivity and is used only for running the window and desktop managers. +Dom0 shouldn't be used for anything else. +In particular, [you should never run user applications in dom0][dom0-precautions]. (That's what your qubes are for!) -Qubes VM Manager and Command Line Tools ---------------------------------------- -All aspects of the Qubes system can be controlled using command line tools run under a dom0 console. -Opening a console window in dom0 can be done in several ways: +GUI and command-line tools +-------------------------- -* Go to the Start Menu and click Terminal Emulator -* Press Alt-F3, type `xfce terminal` and press Enter twice -* Right-click on the desktop and select Open Terminal Here -* In previous versions of Qubes with KDE: - * Start → System Tools → Konsole - * Press Alt-F2 and type `konsole`. +All aspects of Qubes OS can be controlled using command-line tools run in a dom0 terminal. +Opening a terminal in dom0 can be done in several ways: -Various command line tools are described as part of this guide, and the whole reference can be found [here](/doc/tools/). + - Go to the Application Launcher and click **Terminal Emulator**. + - Press `Alt+F3`, type `xfce terminal` and press Enter twice. + - Right-click on the desktop and select **Open Terminal Here**. -![r2b1-dom0-konsole.png](/attachment/wiki/GettingStarted/r2b1-dom0-konsole.png) +Various command-line tools are described as part of this guide, and the whole reference can be found [here][tools]. 
-Alternatively, you can use a rather intuitive GUI tool called **Qubes VM Manager**. -It supports most of the functionality that command line tools provide. -The Qubes VM Manager starts and opens automatically when Qubes starts up, but you can also start it by going to Start → System Tools → Qubes Manager. -Once the Qubes VM Manager is running, you can open the window at any time by clicking on the Qubes tray icon, which typically resides in the bottom-right corner of the screen. +Alternatively, you can use a suite of GUI tools, most of which are available through desktop widgets: -![r2b1-qubes-manager-2.png](/attachment/wiki/GettingStarted/r2b1-qubes-manager-2.png) + - The **Domains Widget** allows you to manage running qubes, turn them on and off, and monitor memory usage. + - The **Devices Widget** allows you to attach and detach devices -- such as USB drives and cameras -- to qubes. + - The **Disk Space Widget** will notify you if you're ever running out of disk space. + - The **Updates Widget** will inform you when template updates are available. -Starting Apps in qubes ------------------------- +![q40_widgets.png](/attachment/wiki/GettingStarted/q40_widgets.png) -Apps can be started either by using the shortcuts in the Desktop Manager's menu or by using the command line (i.e., a console running in dom0). +For an overview of the entire system, you can use the **Qube Manager** (go to the Application Launcher → System Tools → Qube Manager), which displays the states of all the qubes in your system. -You can start apps directly from the Start Menu or the Application Finder (Alt-F3). -Each qube has its own menu directory under the scheme **Domain: \**. + +Starting apps +------------- + +Apps can be started either by using the shortcuts in the Application Launcher menu or by using the command line (i.e., a terminal running in dom0). + +You can start apps directly from the Application Launcher or the Application Finder (`Alt+F3`). 
+Each qube has its own menu directory under the scheme `Domain: `. After navigating into one of these directories, simply click on the application you'd like to start: -![r2b1-appsmenu-1.png](/attachment/wiki/GettingStarted/r2b1-appsmenu-1.png) ![r2b1-appsmenu-3.png](/attachment/wiki/GettingStarted/r2b1-appsmenu-3.png) +![menu1.png](/attachment/wiki/GettingStarted/menu1.png) + +![menu2.png](/attachment/wiki/GettingStarted/menu2.png) By default, each qube's menu contains only a few shortcuts. -If you'd like to add more, simply click **Add more shortcuts...**, select the desired applications, and click **OK**. -You can also add shortcuts manually. -(This is sometimes necessary if the desired application doesn't show up in the Qubes VM Manager window.) -To do this in KDE, right-click on the **Start** button and click **Menu Editor**. -Click the qube directory in which you'd like the menu to appear, click **New Item**, enter its name as **\: \**, and provide the command for starting the app (see below). -Then click **Save** and wait approximately 15 seconds for the changes to propagate to the KDE menu. +If you'd like to add more, enter the qube's **Qube Settings** and add them on the Applications tab. -To start apps from the console in dom0, type: +To start apps from the terminal in dom0, type: - qvm-run -a " [arguments]" + $ qvm-run [arguments] e.g.: - qvm-run -a untrusted firefox + $ qvm-run untrusted firefox -The -a parameter will start the qube if it is not already running. +This command will start the qube if it is not already running. -Adding, Removing, and Listing qubes -------------------------------------- -A qube can easily be added and removed by clicking on the **Add** and **Remove** buttons in the Qubes VM Manager. 
+Adding, removing, and listing qubes +----------------------------------- -A qube can also be added, removed, and qubes may be listed from the command line (i.e., a console running in dom0) using the following tools: +You can easily create a new qube with the **Create Qubes VM** option in the Application Launcher. +If you need to add or remove qubes, simply use the Qube Manager's **Add** and **Remove** buttons. -- `qvm-create` -- `qvm-remove` -- `qvm-ls` +You can also add, remove, and list qubes from the command line using the following tools: -How Many Qubes Do I Need? ---------------------------- + - `qvm-create` + - `qvm-remove` + - `qvm-ls` + + +How many qubes do I need? +------------------------- That's a great question, but there's no one-size-fits-all answer. It depends on the structure of your digital life, and this is at least a little different for everyone. If you plan on using your system for work, then it also depends on what kind of job you do. It's a good idea to start out with the three qubes created automatically by the installer: work, personal, and untrusted. -Then, if and when you start to feel that some activity just doesn't fit into any of your existing qubes, or you want to partition some part of your life, you can easily create a new qube for it. -You'll also be able to easily copy any files you need to the newly created qube, as explained [here](/doc/copying-files/). +If and when you start to feel that some activity just doesn't fit into any of your existing qubes, or you want to partition some part of your life, you can easily create a new qube for it. +You'll also be able to easily [copy][copy-files] any files you need to the newly created qube. -More paranoid people might find it worthwhile to read [this article](https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html), which describes how one of the Qubes authors partitions her digital life into security domains. +Still not sure? 
+You might find it helpful to read [this article][partitioning], which describes how one of the Qubes OS architects partitions her digital life into security domains. -Common Tasks + +Common tasks ------------ Here are the documentation pages for some of the main actions you'll want to perform. -A full list is available in the [Common Tasks](/doc/#common-tasks) section of the documentation. +A full list is available in the [Common Tasks] section of the documentation. - * [Copying and Pasting Text Between Domains](/doc/copy-paste/) - * [Copying and Moving Files Between Domains](/doc/copying-files/) - * [Copying from (and to) dom0](/doc/copy-from-dom0/) - * [Updating Software in dom0](/doc/software-update-dom0/) - * [Updating and Installing Software in VMs](/doc/software-update-vm/) - * [Backup, Restoration, and Migration](/doc/backup-restore/) - * [Using DisposableVMs](/doc/disposablevm/) - * [Using and Managing USB Devices](/doc/usb/) + * [Copying and Pasting Text Between Domains][copy-paste] + * [Copying and Moving Files Between Domains][copy-files] + * [Copying from (and to) dom0] + * [Updating Software in dom0] + * [Updating and Installing Software in VMs] + * [Backup, Restoration, and Migration] + * [Enabling Fullscreen Mode] + * [Using DisposableVMs] + * [Using and Managing USB Devices] -Running an application Full Screen ----------------------------------- +If you encounter any problems, please visit the [Help, Support, and Mailing Lists] page. -By default, Qubes doesn't allow any application window to occupy the entire screen such that its window name (which includes the name of the qube to which it belongs) and colored window border are no longer visible. -This is a security precaution designed to prevent a situation in which an application which has been allowed to enter full screen mode begins to emulate the entire Qubes system. -The user should always be able to identify which qube is displaying any given window. 
-Otherwise, a compromised qube which is able to occupy the entire screen could trick the user into thinking that she is interacting with a variety of different qubes (including dom0), when in fact she is interacting with only a single, compromised qube pretending to be the whole system. -**Note:** A similar attack is possible even *without* fullscreen mode. -Since a compromised qube can draw pixels within its own windows however it likes, it could draw a fake password prompt, for example, which appears to have a different colored border so that it looks like it belongs to a different qube. -This is why you should always drag such prompts away from other windows (or use some other means of manipulating the windows) to ensure that they belong to the qube to which they appear to belong. +[getting-started-32]: /getting-started-32/ +[downloading]: /downloads/ +[installing]: /doc/installation-guide/ +[virtual machines (VMs)]: /doc/glossary/#vm +[qubes]: /doc/glossary/#qube +[security domain]: /doc/glossary/#domain +[template]: /doc/glossary/#templatevm +[dom0]: /doc/glossary/#dom0 +[dom0-precautions]: /doc/security-guidelines/#dom0-precautions +[tools]: /doc/tools/ +[partitioning]: https://blog.invisiblethings.org/2011/03/13/partitioning-my-digital-life-into.html +[Common Tasks]: /doc/#common-tasks +[copy-files]: /doc/copying-files/ +[copy-paste]: /doc/copy-paste/ +[Copying from (and to) dom0]: /doc/copy-from-dom0/ +[Updating Software in dom0]: /doc/software-update-dom0/ +[Updating and Installing Software in VMs]: /doc/software-update-vm/ +[Backup, Restoration, and Migration]: /doc/backup-restore/ +[Enabling Fullscreen Mode]: /doc/full-screen-mode/ +[Using DisposableVMs]: /doc/disposablevm/ +[Using and Managing USB Devices]: /doc/usb/ +[Help, Support, and Mailing Lists]: /support/ -To allow a qube to enter full screen mode, one should edit the `/etc/qubes/guid.conf` file in dom0. 
- -To allow all qubes to enter full screen mode, set `allow_fullscreen` flag to `true` in the `global` section: - - global: { - # default values - allow_fullscreen = false; - #allow_utf8_titles = false; - #secure_copy_sequence = "Ctrl-Shift-c"; - #secure_paste_sequence = "Ctrl-Shift-v"; - #windows_count_limit = 500; - }; - -To allow only select qubes to enter full screen mode, create a per-VM section, and set `allow_fullscreen` flag there to `true`: - - VM: { - work: { - allow_fullscreen = true; - }; - - }; - -In order for the changes to take effect, restart the qube(s). - -More details can be found [here](/doc/full-screen-mode/). +
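Review bot: The rewritten label paragraph says the colored borders let you "quickly and easily identify the trust level of a given window at a glance", but the same hunk removes this page's only caveat about them. The removed note explained that a compromised qube can draw a fake prompt, with a differently colored border, inside its own window. That text is replaced by the `[Enabling Fullscreen Mode]` link, and whether the linked page keeps the caveat cannot be seen from this diff. I would keep one sentence next to the border description, for example `A qube can draw anything inside its own windows, so move a prompt away from other windows to confirm which border it really has.`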

Compatible Hardware

-

Ready to install Qubes? Make sure your hardware is compatible, as Qubes cannot run on every type of computer. Also, check out Qubes-certified Laptops.

+

Make sure your hardware is compatible, as Qubes OS cannot run on every type of computer. Also, check out Qubes-certified Laptops.

Hardware Compatibility List

Downloads

-

Download an ISO, learn how to verify its authenticity and integrity, and follow our guides to install Qubes. Looking for the source code? You'll find it on GitHub.

+

Download an ISO, learn how to verify its authenticity and integrity, and follow our guides to install Qubes OS. Looking for the source code? You'll find it on GitHub.

Downloads

Documentation

-

Peruse our extensive library of documentation for users and developers of Qubes. You can even help us improve it!

+

Peruse our extensive library of documentation for users and developers of Qubes OS. You can even help us improve it!

Documentation
-
+ From 447fc3d5bb5932f691da1cf957119cd4492ae22d Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Tue, 15 Jan 2019 23:18:30 -0600 Subject: [PATCH 008/188] Change "[root] filesystem" to "system"; add "vault" --- basics_user/getting-started.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/basics_user/getting-started.md b/basics_user/getting-started.md index 03ccdfa9..6a1fd4a7 100644 --- a/basics_user/getting-started.md +++ b/basics_user/getting-started.md @@ -21,9 +21,9 @@ Not every app runs in its own qube. (That would be a big waste of resources!) Instead, each qube represents a [security domain] (e.g., "work," "personal," and "banking"). By default, all qubes are based on a single, common [template], although you can create more templates if you wish. -When you create a new qube, you don't copy the whole root filesystem needed for this qube to work (which would include copying all the programs). -Instead, each qube *shares* the root filesystem with its respective template. -A qube has read-only access to the filesystem of the template on which it's based, so a qube cannot modify a template in any way. +When you create a new qube, you don't copy the whole system needed for this qube to work (which would include copying all the programs). +Instead, each qube *shares* the system with its respective template. +A qube has read-only access to the system of the template on which it's based, so a qube cannot modify a template in any way. This is important, as it means that if a qube is ever compromised, the template on which it's based (and any other qubes based on that template) will still be safe. So, creating a large number of qubes is cheap: each one needs only as much disk space as is necessary to store its private files (e.g., the "home" folder). 
@@ -32,6 +32,7 @@ If you've installed Qubes OS using the default options, a few qubes have already - work - personal - untrusted + - vault Each qube, apart from having a distinct name, is also assigned a **label**, which is one of several predefined colors. The trusted window manager uses these colors in order to draw colored borders around the windows of applications running in each qube. From e8193f29dc8c03278c732505b30116f3de3d25b1 Mon Sep 17 00:00:00 2001 From: Sven Semmler Date: Wed, 6 Nov 2019 11:20:11 -0600 Subject: [PATCH 009/188] Append /var/spool/mail to binds variable ... ... to make received email persist through reboots. --- external/configuration-guides/fetchmail.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/external/configuration-guides/fetchmail.md b/external/configuration-guides/fetchmail.md index 25bd4ab6..c3e11ae9 100644 --- a/external/configuration-guides/fetchmail.md +++ b/external/configuration-guides/fetchmail.md @@ -90,4 +90,18 @@ for rc in /usr/local/etc/fetchmail/*.rc; do done ~~~ +Make sure the folder '/rw/config/qubes-bind-dirs.d' exists. + +~~~ +sudo mkdir -p /rw/config/qubes-bind-dirs.d +~~~ + +Create the file '/rw/config/qubes-bind-dirs.d/50_user.conf' with root rights. + +Now edit it to append the '/var/spool/mail/' directory to the binds variable. + +~~~ +binds+=( '/var/spool/mail' ) +~~~ + Now reboot your AppVM and you are done. From 85e9e02dfffe0123352c3ddb431ddf7a5efd0cae Mon Sep 17 00:00:00 2001 From: qtpies <41307963+qtpies@users.noreply.github.com> Date: Wed, 13 Nov 2019 23:15:02 +0100 Subject: [PATCH 010/188] Update config-files.md example script to edit hostsfile had missing ' --- user/advanced-configuration/config-files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user/advanced-configuration/config-files.md b/user/advanced-configuration/config-files.md index aea1f614..bf9b7be6 100644 --- a/user/advanced-configuration/config-files.md 
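Review bot: In the fetchmail hunk the added sentence names the directory as `'/var/spool/mail/'` while the snippet binds `'/var/spool/mail'`; use the snippet's spelling in both places so a reader copying from the prose ends up with the same entry. The step "Create the file '/rw/config/qubes-bind-dirs.d/50_user.conf' with root rights" also gives no command, unlike the `sudo mkdir -p` step before it. It is only implied by the closing "reboot your AppVM" that the file is created in the AppVM and not in its template; stating that explicitly would help. The section starts above the hunk.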
+++ b/user/advanced-configuration/config-files.md @@ -31,7 +31,7 @@ The scripts here all run as root. ~~~ # Add entry to /etc/hosts - echo '127.0.0.1 example.com >> /etc/hosts + echo '127.0.0.1 example.com' >> /etc/hosts ~~~ - `/rw/config/qubes-ip-change-hook` - script runs in NetVM after every external IP change and on "hardware" link status change. From 31f9ab55d22832316ff53cc35388f21c5821267a Mon Sep 17 00:00:00 2001 From: scrouthtv Date: Mon, 13 Apr 2020 00:59:47 +0100 Subject: [PATCH 011/188] Updated "Building archlinux template" When we make the individual components the doc was missing `make app-linux-split-gpg-vm` which would, if chosen this way, not be built and thus resulting in an error. --- external/building-guides/building-archlinux-template.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/external/building-guides/building-archlinux-template.md b/external/building-guides/building-archlinux-template.md index 0f996223..9fe8ac80 100644 --- a/external/building-guides/building-archlinux-template.md +++ b/external/building-guides/building-archlinux-template.md @@ -163,6 +163,7 @@ $ make linux-utils-vm $ make core-agent-linux-vm $ make gui-common-vm $ make gui-agent-linux-vm +$ make app-linux-split-gpg-vm $ make vmm-xen-vm $ make core-vchan-xen-vm $ make core-qubesdb-vm @@ -170,6 +171,7 @@ $ make linux-utils-vm $ make core-agent-linux-vm $ make gui-common-vm $ make gui-agent-linux-vm +$ make app-linux-split-gpg-vm ``` 8: Make the actual Archlinux template From fcc2446a49a8f7df3c48fbf9fd6efe3d3e900784 Mon Sep 17 00:00:00 2001 From: Sarvottam Kumar Date: Sat, 30 May 2020 23:05:55 +0530 Subject: [PATCH 012/188] Fix wrong numbering --- external/troubleshooting/out-of-memory.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/external/troubleshooting/out-of-memory.md b/external/troubleshooting/out-of-memory.md index 195e645a..58f8fe70 100644 --- a/external/troubleshooting/out-of-memory.md 
+++ b/external/troubleshooting/out-of-memory.md @@ -19,17 +19,17 @@ qvm-console-dispvm If this does not work, check the size of /var/lib/qubes/qubes.xml. If it is zero, you'll need to use one of the file backup (stored in /var/lib/qubes/backup), hopefully you have the current data there. Find the most recent one and place in /var/lib/qubes/qubes.xml instead of the empty file. -In any case you'll need some disk space to start the VM. Check `df -h` output if you have some. If not, some hints how to free some disk space: +In any case you'll need some disk space to start the VM. Check `df -h` output if you have some. If not, here are some hints how to free some disk space: -1. Clean yum cache: +1. Clean yum cache ~~~ sudo yum clean all ~~~ -1. Delete .img files of a less important VM, that can be found in +2. Delete .img files of a less important VM, that can be found in /var/lib/qubes/appvms/ -/var/lib/qubes/appvms/. Then, when the system is working again, cleanup the rest with: +Then, when the system is working again, cleanup the rest with: ~~~ qvm-remove @@ -37,11 +37,11 @@ qvm-remove With this method you lose the data of one VM, but it'll work more reliably. -1. Decrease filesystem safety margin (5% by default): +3. Decrease filesystem safety margin (5% by default) ~~~ sudo tune2fs -m 4 /dev/mapper/vg_dom0-lv_root ~~~ -1. Remove some unneeded files in dom0 home (if you have any, most likely not). +4. Remove some unneeded files in dom0 home (if you have any, most likely not) From e498e3cdc3d17139824dc1933e2f46a10af153f7 Mon Sep 17 00:00:00 2001 From: null pointer exception <57326449+deathgrippin@users.noreply.github.com> Date: Tue, 2 Jun 2020 23:32:55 +0000 Subject: [PATCH 013/188] Fix typos --- developer/debugging/profiling.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/developer/debugging/profiling.md b/developer/debugging/profiling.md index 2fad769c..e20e3208 100644 --- a/developer/debugging/profiling.md 
+++ b/developer/debugging/profiling.md @@ -11,7 +11,7 @@ redirect_from: Profiling ========= -This is python profiling primer. +This is a python profiling primer. For the purpose of this document, `qubes-dev` is name of the domain used for postprocessing profiling stats. @@ -23,7 +23,7 @@ yum install gprof2dot graphviz git clone http://git.woju.eu/qubes/profiling.git ~~~ -If you profile something on dom0, move `Upload.sh` from repository to dom0: +If you profile something in dom0, move `Upload.sh` from the repository to dom0: ~~~ mkdir -p ~/profiling @@ -37,7 +37,7 @@ Workflow ### Identify function responsible for some slow action -You have to select area in which you suspect less than optimal performance. If you do not narrow the area, graphs may be unreadable. +You have to select the area in which you suspect less than optimal performance. If you do not narrow the area, graphs may be unreadable. ### Replace suspect function with probe @@ -59,7 +59,7 @@ with Beware that some functions may be called often. For example `qubesmanager/main.py:update_table` gets run once per second. This will produce one pstat file per second. -Remember to revert your changes to application afterwards. +Remember to revert your changes to the application afterwards. ### Upload statistics 
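Review bot: The reworded step in the `@@ -23,7 +23,7 @@` hunk still tells the reader to move `Upload.sh` into dom0, and the context just above it fetches that script with `git clone http://git.woju.eu/qubes/profiling.git`, i.e. over plain HTTP with no integrity check. Nothing in the visible text asks the reader to inspect the script before it lands in the most trusted domain. I would add a sentence after the changed line, for example `Read Upload.sh before copying it to dom0; the repository is cloned over plain HTTP and is not verified.`, and use an authenticated transport for the clone if the host offers one. The install section starts above the hunk.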
@@ -76,13 +76,13 @@ cd ~/profiling make ~~~ -For every `${basename}.pstats` this will produce `${basename}.txt` and `${basename}.svg`. SVG contains call graph. Text file contains list of all functions sorted by cumulative execution time. You may also try `make all-png`. +For every `${basename}.pstats` this will produce `${basename}.txt` and `${basename}.svg`. SVG files contain call graphs. Text files contain lists of all functions, sorted by cumulative execution time. You may also try `make all-png`. ~~~ make index.html ~~~ -This creates `index.html` with all SVG graphics linked to TXT files. Ready for upload. +This creates `index.html` with all SVG graphics linked to TXT files, ready for upload. ~~~ make REMOTE=example.com:public_html/qubes/profiling/ upload @@ -95,4 +95,4 @@ This example is from `qubes-manager` (`qubesmanager/main.py`). !["update\_table-20140424-170010.svg"](//attachment/wiki/Profiling/update_table-20140424-170010.svg) -It is apparent than problem is around `get_disk_usage` which calls something via `subprocess.call`. It does it 15 times, probably once per VM. +It is apparent that the problem is around `get_disk_usage`, which calls something via `subprocess.call`. It does this 15 times, probably once per VM. From a885447270e405bc1c25cd272609c2cf7c8baa0d Mon Sep 17 00:00:00 2001 From: null pointer exception <57326449+deathgrippin@users.noreply.github.com> Date: Tue, 2 Jun 2020 23:39:33 +0000 Subject: [PATCH 014/188] Fix typos --- developer/debugging/automated-tests.md | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/developer/debugging/automated-tests.md b/developer/debugging/automated-tests.md index ca78322c..2fa9e6b8 100644 --- a/developer/debugging/automated-tests.md +++ b/developer/debugging/automated-tests.md 
@@ -22,10 +22,13 @@ Integration tests are written with the assumption that they will be called on de Since these tests were written with this expectation, all the VMs with a name starting with `test-` on the installation are removed during the process, and all the tests are recklessly started from dom0, even when testing VM components. Most of the tests are stored in the [core-admin repository](https://github.com/QubesOS/qubes-core-admin/tree/master/qubes/tests) in the `qubes/tests` directory. -To start them you can use standard python unittest runner: - python3 -m unittest -v qubes.tests +To start them you can use the standard python unittest runner: + +`python3 -m unittest -v qubes.tests` + Or our custom one: - python3 -m qubes.tests.run -v + +`python3 -m qubes.tests.run -v` Our test runner runs mostly the same as the standard one, but it has some nice additional features like color output and not needing the "qubes.test" prefix. It also has the ability to run lone selected template tests. @@ -101,7 +104,7 @@ Example test run: ### Qubes 4.0 -Tests on Qubes 4.0 require stopping `qubesd` service first, because special instance of it is started as part of the test run. +Tests on Qubes 4.0 require stopping the `qubesd` service first, because a special instance of it is started as part of the test run. Additionally, tests needs to be started as root. The full command to run the tests is: sudo systemctl stop qubesd; sudo -E python3 -m qubes.tests.run -v ; sudo systemctl start qubesd 
@@ -144,10 +147,10 @@ Again, given the hypothetical `example.py` test: ### Testing PyQt applications -When testing (Py)QT application, it's useful to create separate QApplication object for each test. -But QT framework does not allow to have multiple QApplication objects in the same process at the same time. -This means it's critical to reliably cleanup previous instance before creating the new one. -This turns out to be non-trivial task, especially if _any_ test uses event loop. +When testing (Py)QT applications, it's useful to create a separate QApplication object for each test. +But QT framework does not allow multiple QApplication objects in the same process at the same time. +This means it's critical to reliably cleanup the previous instance before creating a new one. +This turns out to be a non-trivial task, especially if _any_ test uses the event loop. Failure to perform proper cleanup in many cases results in SEGV. Below you can find steps for the proper cleanup: @@ -205,7 +208,7 @@ Installation Tests with openQA Manually testing the installation of Qubes OS is a time-consuming process. We use [openQA] to automate this process. It works by installing Qubes in KVM and interacting with it as a user would, including simulating mouse clicks and keyboard presses. -Then, it checks the output to see whether various tests were passed, e.g., by comparing the virtual screen output to screenshots of a successful installation. +Then, it checks the output to see whether various tests were passed, e.g. by comparing the virtual screen output to screenshots of a successful installation. Using openQA to automatically test the Qubes installation process works as of Qubes 4.0-rc4 on 2018-01-26, provided that the versions of KVM and QEMU are new enough and the hardware has VT-x and EPT. KVM also supports nested virtualization, so HVM should theoretically work. From d4dd64ae0e006c91bb966b7f3b56ea59674b78f2 Mon Sep 17 00:00:00 2001 
From: Enjeck Cleopatra <32180937+PROTechThor@users.noreply.github.com> Date: Wed, 3 Jun 2020 11:12:41 +0100 Subject: [PATCH 015/188] USB installation black screen --- user/advanced-configuration/uefi-troubleshooting.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/user/advanced-configuration/uefi-troubleshooting.md b/user/advanced-configuration/uefi-troubleshooting.md index d93906ff..d9feffcc 100644 --- a/user/advanced-configuration/uefi-troubleshooting.md +++ b/user/advanced-configuration/uefi-troubleshooting.md @@ -105,6 +105,10 @@ Consider this approach as a last resort, because it will make every Xen update a Whenever there is a kernel or Xen update for Qubes, you will need to follow [these steps](/doc/uefi-troubleshooting/#boot-device-not-recognized-after-installing) because your system is using the fallback UEFI bootloader in `[...]/EFI/BOOT` instead of directly booting to the Qubes entry under `[...]/EFI/qubes`. +Installation from USB stick hangs on black screen +--------------------- + +Some laptops cannot read from an external boot device larger than 8GB. If you encounter a black screen when performing an installation from a USB stick, ensure you are using a USB drive less than 8GB, or a partition on that USB lesser than 8GB and of format fat32. Installation completes successfully but then boot loops or hangs on black screen --------------------- From d842c78c840b7a0bf7f79dfbca762fdf48e8c466 Mon Sep 17 00:00:00 2001 From: vrushti-mody Date: Thu, 4 Jun 2020 14:21:06 +0530 Subject: [PATCH 016/188] Fixed erreneous documentation in Split gpg --- user/security-in-qubes/split-gpg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user/security-in-qubes/split-gpg.md b/user/security-in-qubes/split-gpg.md index 105c43ec..c1c28781 100644 --- a/user/security-in-qubes/split-gpg.md +++ b/user/security-in-qubes/split-gpg.md 
@@ -57,7 +57,7 @@ This way it would be easy to spot unexpected requests to decrypt documents. Doing so won't provide any extra security anyway, as explained [above][intro] and [below][using Split GPG with subkeys]. If you are generating a new key pair, or if you have a private key that already has a passphrase, you can use `gpg2 --edit-key ` then `passwd` to set an empty passphrase. Note that `pinentry` might show an error when you try to set an empty passphrase, but it will still make the change. - (See [this StackExchange answer][se-pinentry] for more information.) + (See [this StackExchange answer][se-pinentry] for more information.)Note: The error shows only if you **donot** have graphical pinentry installed. The Split GPG client let you use password-protected keys, the vault cube will show a passphrase if you are using R4. ## Configuring Split GPG ## From 16c05f8f80a5813288ed873d375a842a38004733 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Thu, 4 Jun 2020 08:03:26 -0500 Subject: [PATCH 017/188] Update the description of a "qube" --- introduction/intro.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/introduction/intro.md b/introduction/intro.md index 22d16816..18e3cb2b 100644 --- a/introduction/intro.md +++ b/introduction/intro.md @@ -17,7 +17,7 @@ What is Qubes OS?

Qubes OS is a free and open-source security-oriented operating system meant for single-user desktop computing.

Qubes OS leverages xen-based virtualization to allow for the creation and management of isolated virtual machines called qubes. - Qubes, which are also referred to as domains or compartments, have specific :

+ Qubes, which are implemented as virtual machines (VMs), have specific :

  • Purposes : with a predefined set of one or many isolated applications, for personal or professional projects, to manage the network stack, the firewall, or to fulfill other user-defined purposes.
  • Natures : full-fledged or stripped-down virtual machines which are based on popular operating systems such as Fedora, Debian or Windows.
  • From bca9ed72574ddd6d9408c162b14fcbb7d0f33415 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Thu, 4 Jun 2020 08:11:25 -0500 Subject: [PATCH 018/188] Minor text cleanup --- external/troubleshooting/out-of-memory.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/external/troubleshooting/out-of-memory.md b/external/troubleshooting/out-of-memory.md index 58f8fe70..6af48405 100644 --- a/external/troubleshooting/out-of-memory.md +++ b/external/troubleshooting/out-of-memory.md @@ -21,27 +21,26 @@ If this does not work, check the size of /var/lib/qubes/qubes.xml. If it is zero In any case you'll need some disk space to start the VM. Check `df -h` output if you have some. If not, here are some hints how to free some disk space: -1. Clean yum cache +1. Clean yum cache. ~~~ sudo yum clean all ~~~ -2. Delete .img files of a less important VM, that can be found in /var/lib/qubes/appvms/ - -Then, when the system is working again, cleanup the rest with: +2. Delete `.img` files of a less important VM, which can be found in `/var/lib/qubes/appvms/`. + Then, when the system is working again, clean up the rest. ~~~ qvm-remove ~~~ -With this method you lose the data of one VM, but it'll work more reliably. +With this method, you lose the data of one VM, but it'll work more reliably. -3. Decrease filesystem safety margin (5% by default) +3. Decrease the filesystem safety margin (5% by default). ~~~ sudo tune2fs -m 4 /dev/mapper/vg_dom0-lv_root ~~~ -4. Remove some unneeded files in dom0 home (if you have any, most likely not) +4. Remove some unneeded files in dom0 home (if you have any, most likely not). From 98c9a1fe0190bf28f7289d1caa23990d16289027 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Thu, 4 Jun 2020 08:12:55 -0500 Subject: [PATCH 019/188] Fix indentation --- external/troubleshooting/out-of-memory.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
diff --git a/external/troubleshooting/out-of-memory.md b/external/troubleshooting/out-of-memory.md index 6af48405..869da993 100644 --- a/external/troubleshooting/out-of-memory.md +++ b/external/troubleshooting/out-of-memory.md @@ -23,24 +23,24 @@ In any case you'll need some disk space to start the VM. Check `df -h` output if 1. Clean yum cache. -~~~ -sudo yum clean all -~~~ + ~~~ + sudo yum clean all + ~~~ 2. Delete `.img` files of a less important VM, which can be found in `/var/lib/qubes/appvms/`. Then, when the system is working again, clean up the rest. -~~~ -qvm-remove -~~~ + ~~~ + qvm-remove + ~~~ -With this method, you lose the data of one VM, but it'll work more reliably. + With this method, you lose the data of one VM, but it'll work more reliably. 3. Decrease the filesystem safety margin (5% by default). -~~~ -sudo tune2fs -m 4 /dev/mapper/vg_dom0-lv_root -~~~ + ~~~ + sudo tune2fs -m 4 /dev/mapper/vg_dom0-lv_root + ~~~ 4. Remove some unneeded files in dom0 home (if you have any, most likely not). From d022adc5f96ea3fa68aaf8dc0a8eb918e4ac6609 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Thu, 4 Jun 2020 09:39:32 -0500 Subject: [PATCH 020/188] Add section for unofficial chat channels --- introduction/support.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/introduction/support.md b/introduction/support.md index fe3000f8..5e16e1bd 100644 --- a/introduction/support.md +++ b/introduction/support.md 
@@ -339,6 +339,15 @@ To unsubscribe, send a blank email to `qubes-translation+unsubscribe@googlegroup This list also has an optional [Google Groups web interface][qubes-translation-web]. +## Unofficial chat channels ## + +The following unofficial chat channels are maintained by the community: + + * Matrix, Qubes-related: + * Matrix, strictly Qubes: + * `#qubes` channel on freenode.net via traditional IRC clients or: + + [mailing lists]: https://en.wikipedia.org/wiki/Electronic_mailing_list [Qubes team]: /team/ [contributions]: /doc/contributing/ From 0f74cc2c4b7204f8be7f812c4d8a402b99be037a Mon Sep 17 00:00:00 2001 From: Lemlay Date: Fri, 5 Jun 2020 02:12:32 -0400 Subject: [PATCH 021/188] modified: signal.md --- external/privacy-guides/signal.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/external/privacy-guides/signal.md b/external/privacy-guides/signal.md index 5e205c87..de7b122c 100644 --- a/external/privacy-guides/signal.md +++ b/external/privacy-guides/signal.md 
@@ -30,27 +30,27 @@ How to install Signal in Qubes This website cannot guarantee that any PGP key you download from the Internet is authentic. Always obtain a trusted key fingerprint via other channels, and always check any key you download against your trusted copy of the fingerprint. -1. (Optional)Create a TemplateVM (Debian 9) +1. (Optional)Create a TemplateVM (Debian, 9 is used as an examle but feel free to use any more updated by changing the 9 to a 10, etc.) [user@dom0 ~]$ sudo qubes-dom0-update qubes-template-debian-9 -2. Open a terminal in Debian 9 +2. Open a terminal in Debian 9 (Or your previously chosen template) [user@dom0 ~]$ qvm-run -a debian-9 gnome-terminal -3. Use these commands in your terminal +3. Use these commands in your terminal (If you chose a different distribution, such as buster, substitute that for xenial in the 3rd command) (Optional)[user@debian-8 ~]$ sudo apt-get install curl - [user@debian-8 ~]$ curl -s https://updates.signal.org/desktop/apt/keys.asc | sudo apt-key add - + [user@debian-8 ~]$ curl -s -x 127.0.0.1:8082 https://updates.signal.org/desktop/apt/keys.asc | sudo apt-key add - [user@debian-8 ~]$ echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" | sudo tee -a /etc/apt/sources.list.d/signal-xenial.list [user@debian-8 ~]$ sudo apt update && sudo apt install signal-desktop -5. Shutdown the TemplateVM : +5. Shutdown the TemplateVM (substitute your template name if needed) : [user@dom0 ~]$ qvm-shutdown debian-9 6. Create an AppVM based on this TemplateVM -7. With your mouse select the `Q` menu -> `Domain: "AppVM Name"` -> `"AppVM Name": Add more shortcuts` +7. With your mouse select the `Q` menu -> `Create Qubes VM` -> `tick 'launch settings after creation' and set name` -> OK -> 'Applications' (or `"AppVM Name": VM Settings` -> `Applications`). 
Select `Signal` from the left `Available` column, move it to the right `Selected` column by clicking the `>` button and then `OK` to apply the changes and close the window. From 6b0f49a31d47b265ff41d9ec53b39ed3099bae97 Mon Sep 17 00:00:00 2001 From: Lemlay <66223105+Lemlay@users.noreply.github.com> Date: Fri, 5 Jun 2020 02:46:55 -0400 Subject: [PATCH 022/188] Update signal.md --- external/privacy-guides/signal.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/external/privacy-guides/signal.md b/external/privacy-guides/signal.md index de7b122c..95f376e7 100644 --- a/external/privacy-guides/signal.md +++ b/external/privacy-guides/signal.md @@ -30,7 +30,7 @@ How to install Signal in Qubes This website cannot guarantee that any PGP key you download from the Internet is authentic. Always obtain a trusted key fingerprint via other channels, and always check any key you download against your trusted copy of the fingerprint. -1. (Optional)Create a TemplateVM (Debian, 9 is used as an examle but feel free to use any more updated by changing the 9 to a 10, etc.) +1. (Optional)Create a TemplateVM (Debian, 9 is used as an example but feel free to use any more updated by changing the 9 to a 10, etc.) [user@dom0 ~]$ sudo qubes-dom0-update qubes-template-debian-9 From c0b07940c5e7d1c4d2f2fd3fe2d7af566b18bd08 Mon Sep 17 00:00:00 2001 From: Lemlay <66223105+Lemlay@users.noreply.github.com> Date: Fri, 5 Jun 2020 02:53:26 -0400 Subject: [PATCH 023/188] Update signal.md --- external/privacy-guides/signal.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/external/privacy-guides/signal.md b/external/privacy-guides/signal.md index 95f376e7..9c510793 100644 --- a/external/privacy-guides/signal.md +++ b/external/privacy-guides/signal.md 
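Review bot: Step 3 of the signal.md hunk in PATCH 021 still pipes the downloaded key straight into `sudo apt-key add -`, so whatever the download returns becomes a trusted APT signing key in the template without the fingerprint check that the warning at the top of the same hunk asks for. The commit edits that line to add `-x 127.0.0.1:8082` but leaves the verification gap, and `-s` hides a failed download. I would split the step so the key is saved and inspected first: `curl -x 127.0.0.1:8082 -o keys.asc https://updates.signal.org/desktop/apt/keys.asc`, then `gpg --with-fingerprint keys.asc` compared against a fingerprint obtained through another channel, then `sudo apt-key add keys.asc`. The added hint about substituting the distribution name for `xenial` should be checked against Signal's repository, which as far as I know publishes only the `xenial` suite regardless of the Debian release. The prompts in this step also still read `debian-8` while steps 1, 2 and 5 use `debian-9`.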
@@ -50,7 +50,7 @@ Always obtain a trusted key fingerprint via other channels, and always check any [user@dom0 ~]$ qvm-shutdown debian-9 6. Create an AppVM based on this TemplateVM -7. With your mouse select the `Q` menu -> `Create Qubes VM` -> `tick 'launch settings after creation' and set name` -> OK -> 'Applications' +7. With your mouse select the `Q` menu -> `Create Qubes VM` -> `Domain: "AppVM Name"` -> OK -> 'Applications' (or `"AppVM Name": VM Settings` -> `Applications`). Select `Signal` from the left `Available` column, move it to the right `Selected` column by clicking the `>` button and then `OK` to apply the changes and close the window. From b3f56f1251c43b6e041c6193f0169934b758016a Mon Sep 17 00:00:00 2001 From: Lemlay <66223105+Lemlay@users.noreply.github.com> Date: Fri, 5 Jun 2020 02:56:33 -0400 Subject: [PATCH 024/188] Update signal.md --- external/privacy-guides/signal.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/external/privacy-guides/signal.md b/external/privacy-guides/signal.md index 9c510793..b67dc1dc 100644 --- a/external/privacy-guides/signal.md +++ b/external/privacy-guides/signal.md @@ -50,7 +50,7 @@ Always obtain a trusted key fingerprint via other channels, and always check any [user@dom0 ~]$ qvm-shutdown debian-9 6. Create an AppVM based on this TemplateVM -7. With your mouse select the `Q` menu -> `Create Qubes VM` -> `Domain: "AppVM Name"` -> OK -> 'Applications' +7. With your mouse select the `Q` menu -> `Domain: "AppVM Name"` -> 'Qube Settings' -> OK -> 'Applications' (or `"AppVM Name": VM Settings` -> `Applications`). Select `Signal` from the left `Available` column, move it to the right `Selected` column by clicking the `>` button and then `OK` to apply the changes and close the window. From 3051226e503bee9bf4066d1db8d34e93d8de20bb Mon Sep 17 00:00:00 2001 
From: Lemlay <66223105+Lemlay@users.noreply.github.com> Date: Fri, 5 Jun 2020 03:05:57 -0400 Subject: [PATCH 025/188] Update signal.md --- external/privacy-guides/signal.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/external/privacy-guides/signal.md b/external/privacy-guides/signal.md index b67dc1dc..b6378855 100644 --- a/external/privacy-guides/signal.md +++ b/external/privacy-guides/signal.md @@ -50,7 +50,7 @@ Always obtain a trusted key fingerprint via other channels, and always check any [user@dom0 ~]$ qvm-shutdown debian-9 6. Create an AppVM based on this TemplateVM -7. With your mouse select the `Q` menu -> `Domain: "AppVM Name"` -> 'Qube Settings' -> OK -> 'Applications' +7. With your mouse select the `Q` menu -> `Domain: "AppVM Name"` -> 'AppVM name: Qube Settings' -> OK -> 'Applications' (or `"AppVM Name": VM Settings` -> `Applications`). Select `Signal` from the left `Available` column, move it to the right `Selected` column by clicking the `>` button and then `OK` to apply the changes and close the window. From 62380052ee0307f5961fa7f061ebd62546bb14ab Mon Sep 17 00:00:00 2001 From: vrushti-mody Date: Fri, 5 Jun 2020 15:57:37 +0530 Subject: [PATCH 026/188] Fixes erreneous documentation in Split gpg --- user/security-in-qubes/split-gpg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user/security-in-qubes/split-gpg.md b/user/security-in-qubes/split-gpg.md index c1c28781..503a91e1 100644 --- a/user/security-in-qubes/split-gpg.md +++ b/user/security-in-qubes/split-gpg.md 
@@ -57,7 +57,7 @@ This way it would be easy to spot unexpected requests to decrypt documents. Doing so won't provide any extra security anyway, as explained [above][intro] and [below][using Split GPG with subkeys]. If you are generating a new key pair, or if you have a private key that already has a passphrase, you can use `gpg2 --edit-key ` then `passwd` to set an empty passphrase. Note that `pinentry` might show an error when you try to set an empty passphrase, but it will still make the change. - (See [this StackExchange answer][se-pinentry] for more information.)Note: The error shows only if you **donot** have graphical pinentry installed. The Split GPG client let you use password-protected keys, the vault cube will show a passphrase if you are using R4. + (See [this StackExchange answer][se-pinentry] for more information.) Note: The error shows only if you **do not** have graphical pinentry installed. The Split GPG client lets you use password-protected keys, the vault qube will show a passphrase if you are using R4. ## Configuring Split GPG ## From d9c3321e555195b16f0a0c408453492057e52c43 Mon Sep 17 00:00:00 2001 From: vrushti-mody Date: Fri, 5 Jun 2020 16:15:32 +0530 Subject: [PATCH 027/188] Fixes #4901 --- user/security-in-qubes/split-gpg.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/user/security-in-qubes/split-gpg.md b/user/security-in-qubes/split-gpg.md index 503a91e1..0f462fb6 100644 --- a/user/security-in-qubes/split-gpg.md +++ b/user/security-in-qubes/split-gpg.md 
@@ -57,7 +57,8 @@ This way it would be easy to spot unexpected requests to decrypt documents. Doing so won't provide any extra security anyway, as explained [above][intro] and [below][using Split GPG with subkeys]. If you are generating a new key pair, or if you have a private key that already has a passphrase, you can use `gpg2 --edit-key ` then `passwd` to set an empty passphrase. Note that `pinentry` might show an error when you try to set an empty passphrase, but it will still make the change. - (See [this StackExchange answer][se-pinentry] for more information.) Note: The error shows only if you **do not** have graphical pinentry installed. The Split GPG client lets you use password-protected keys, the vault qube will show a passphrase if you are using R4. + (See [this StackExchange answer][se-pinentry] for more information.) + Note: The error shows only if you **do not** have graphical pinentry installed. The Split GPG client lets you use password-protected keys, the vault qube will show a passphrase if you are using R4. ## Configuring Split GPG ## From 226a065b34029ecd2be1dc6514e1c730753dd1ba Mon Sep 17 00:00:00 2001 From: vrushti-mody Date: Fri, 5 Jun 2020 16:17:52 +0530 Subject: [PATCH 028/188] Fixes #4901 'Outdated paragraph in Split GPG limitations section' --- user/security-in-qubes/split-gpg.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/user/security-in-qubes/split-gpg.md b/user/security-in-qubes/split-gpg.md index 0f462fb6..503a91e1 100644 --- a/user/security-in-qubes/split-gpg.md +++ b/user/security-in-qubes/split-gpg.md 
@@ -57,8 +57,7 @@ This way it would be easy to spot unexpected requests to decrypt documents. Doing so won't provide any extra security anyway, as explained [above][intro] and [below][using Split GPG with subkeys]. If you are generating a new key pair, or if you have a private key that already has a passphrase, you can use `gpg2 --edit-key ` then `passwd` to set an empty passphrase. Note that `pinentry` might show an error when you try to set an empty passphrase, but it will still make the change. - (See [this StackExchange answer][se-pinentry] for more information.) - Note: The error shows only if you **do not** have graphical pinentry installed. The Split GPG client lets you use password-protected keys, the vault qube will show a passphrase if you are using R4. + (See [this StackExchange answer][se-pinentry] for more information.) Note: The error shows only if you **do not** have graphical pinentry installed. The Split GPG client lets you use password-protected keys, the vault qube will show a passphrase if you are using R4. ## Configuring Split GPG ## From ea36995c11d0f9c13813e2d4a4693a1bd3bdfa74 Mon Sep 17 00:00:00 2001 From: vrushti-mody Date: Fri, 5 Jun 2020 16:46:50 +0530 Subject: [PATCH 029/188] Fixes #4901 'Outdated paragraph in Split GPG limitations section' --- user/security-in-qubes/split-gpg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user/security-in-qubes/split-gpg.md b/user/security-in-qubes/split-gpg.md index 503a91e1..85bde31a 100644 --- a/user/security-in-qubes/split-gpg.md +++ b/user/security-in-qubes/split-gpg.md 
@@ -57,7 +57,7 @@ This way it would be easy to spot unexpected requests to decrypt documents. Doing so won't provide any extra security anyway, as explained [above][intro] and [below][using Split GPG with subkeys]. If you are generating a new key pair, or if you have a private key that already has a passphrase, you can use `gpg2 --edit-key ` then `passwd` to set an empty passphrase. Note that `pinentry` might show an error when you try to set an empty passphrase, but it will still make the change. - (See [this StackExchange answer][se-pinentry] for more information.) Note: The error shows only if you **do not** have graphical pinentry installed. The Split GPG client lets you use password-protected keys, the vault qube will show a passphrase if you are using R4. + (See [this StackExchange answer][se-pinentry] for more information.) Note: The error shows only if you **do not** have graphical pinentry installed. The Split GPG client lets you use password-protected keys and the vault qube will show the passphrase. ## Configuring Split GPG ## From 2daf586dc8ce2544b1b0474a7abe70381e768d1d Mon Sep 17 00:00:00 2001 From: vrushti-mody Date: Fri, 5 Jun 2020 18:28:50 +0530 Subject: [PATCH 030/188] Fixes #4901 'Outdated paragraph in Split GPG limitations section' --- user/security-in-qubes/split-gpg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user/security-in-qubes/split-gpg.md b/user/security-in-qubes/split-gpg.md index 85bde31a..4560e062 100644 --- a/user/security-in-qubes/split-gpg.md +++ b/user/security-in-qubes/split-gpg.md 
@@ -57,7 +57,7 @@ This way it would be easy to spot unexpected requests to decrypt documents. Doing so won't provide any extra security anyway, as explained [above][intro] and [below][using Split GPG with subkeys]. If you are generating a new key pair, or if you have a private key that already has a passphrase, you can use `gpg2 --edit-key ` then `passwd` to set an empty passphrase. Note that `pinentry` might show an error when you try to set an empty passphrase, but it will still make the change. - (See [this StackExchange answer][se-pinentry] for more information.) Note: The error shows only if you **do not** have graphical pinentry installed. The Split GPG client lets you use password-protected keys and the vault qube will show the passphrase. + (See [this StackExchange answer][se-pinentry] for more information.) Note: The error shows only if you **do not** have graphical pinentry installed. ## Configuring Split GPG ## From c7309fe6150dee28787ffd8fc584fa3114d10179 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Fri, 5 Jun 2020 12:43:37 -0500 Subject: [PATCH 031/188] Add missing comma --- user/security-in-qubes/split-gpg.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user/security-in-qubes/split-gpg.md b/user/security-in-qubes/split-gpg.md index 85bde31a..e8b99d48 100644 --- a/user/security-in-qubes/split-gpg.md +++ b/user/security-in-qubes/split-gpg.md 
@@ -57,7 +57,7 @@ This way it would be easy to spot unexpected requests to decrypt documents. Doing so won't provide any extra security anyway, as explained [above][intro] and [below][using Split GPG with subkeys]. If you are generating a new key pair, or if you have a private key that already has a passphrase, you can use `gpg2 --edit-key ` then `passwd` to set an empty passphrase. Note that `pinentry` might show an error when you try to set an empty passphrase, but it will still make the change. - (See [this StackExchange answer][se-pinentry] for more information.) Note: The error shows only if you **do not** have graphical pinentry installed. The Split GPG client lets you use password-protected keys and the vault qube will show the passphrase. + (See [this StackExchange answer][se-pinentry] for more information.) Note: The error shows only if you **do not** have graphical pinentry installed. The Split GPG client lets you use password-protected keys, and the vault qube will show the passphrase. ## Configuring Split GPG ## From 024e12470ffbd82c68c80475d8d544b7a2dcefbc Mon Sep 17 00:00:00 2001 From: null pointer exception <57326449+deathgrippin@users.noreply.github.com> Date: Fri, 5 Jun 2020 18:46:13 +0000 Subject: [PATCH 032/188] Clean up wording and typos --- user/security-in-qubes/yubi-key.md | 29 +++++++++++++---------------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/user/security-in-qubes/yubi-key.md b/user/security-in-qubes/yubi-key.md index 147b07f8..a2a23b69 100644 --- a/user/security-in-qubes/yubi-key.md +++ b/user/security-in-qubes/yubi-key.md 
@@ -10,15 +10,15 @@ redirect_from: Using YubiKey to Qubes authentication ===================================== -You can use YubiKey to enhance Qubes user authentication, for example to mitigate risk of snooping the password. -This can also slightly improve security when you have [USB keyboard](/doc/device-handling-security/#security-warning-on-usb-input-devices). +You can use a YubiKey to enhance Qubes user authentication, for example to mitigate risk of someone snooping the password. +This can also slightly improve security when you have a [USB keyboard](/doc/device-handling-security/#security-warning-on-usb-input-devices). -There (at least) two possible configurations: using OTP mode and using challenge-response mode. +There are (at least) two possible configurations: using OTP mode and using challenge-response mode. OTP mode -------- -This can be configured using [app-linux-yubikey](https://github.com/adubois/qubes-app-linux-yubikey) package. +This can be configured using the [app-linux-yubikey](https://github.com/adubois/qubes-app-linux-yubikey) package. This package does not support sharing the same key slot with other applications (it will deny further authentications if you try). Contrary to instruction there, currently there is no binary package in the Qubes repository and you need to compile it yourself. @@ -27,7 +27,7 @@ This might change in the future. Challenge-response mode ---------------------- -In this mode, your YubiKey will generate a response based on the secret key, and random challenge (instead of counter). +In this mode, your YubiKey will generate a response based on the secret key, and a random challenge (instead of counter). This means that it isn't possible to generate a response in advance even if someone gets access to your YubiKey. This makes it reasonably safe to use the same YubiKey for other services (also in challenge-response mode). 
@@ -46,7 +46,7 @@ To use this mode you need to: sudo apt-get install yubikey-personalization yubikey-personalization-gui Shut down your TemplateVM. - Then reboot your USB VM (so changes inside the TemplateVM take effect in your TemplateBased USB VM or install the packages inside your USB VM if you would like to avoid rebooting your USB VM. + Then, either reboot your USB VM (so changes inside the TemplateVM take effect in your USB TemplateBasedVM) or install the packages inside your USB VM if you would like to avoid rebooting it. 2. Configure your YubiKey for challenge-response `HMAC-SHA1` mode, for example [following this tutorial](https://www.yubico.com/products/services-software/personalization-tools/challenge-response/). 
@@ -57,15 +57,15 @@ To use this mode you need to: - Note: Different from the above video, use the following settings select `HMAC-SHA1 mode`: `fixed 64 bit input`. - We will refer the `Secret Key (20 bytes hex)` as `AESKEY`. - - It is recommended to keep a backup of your `AESKEY` in an offline VM used as vault. - - Consider to keep a backup of your `AESKEY` on paper and store it in a safe place. - - In case you have multiple YubiKeys for backup purposes (in case a yubikey gets lost, stolen or breaks) you can write the same settings into other YubiKeys. + - It is recommended to keep a backup of your `AESKEY` in an offline VM used as a vault. + - Consider keeping a backup of your `AESKEY` on paper and storing it in a safe place. + - If you have multiple YubiKeys for backup purposes (in case a yubikey gets lost, stolen or breaks) you can write the same settings into other YubiKeys. 3. Install [qubes-app-yubikey](https://github.com/QubesOS/qubes-app-yubikey) in dom0. sudo qubes-dom0-update qubes-yubikey-dom0 -4. Adjust USB VM name in case you are using something other than the default +4. Adjust the USB VM name in case you are using something other than the default `sys-usb` by editing `/etc/qubes/yk-keys/yk-vm` in dom0. 5. Paste your `AESKEY` from step 2 into `/etc/qubes/yk-keys/yk-secret-key.hex` in dom0. 
@@ -83,18 +83,15 @@ To use this mode you need to: echo -n "$password" | openssl dgst -sha1 -7. Edit `/etc/pam.d/login` in dom0. - Add this line at the beginning: +7. Edit `/etc/pam.d/login` in dom0, adding this line at the beginning: auth include yubikey -8. Edit `/etc/pam.d/xscreensaver` (or appropriate file if you are using screen locker program) in dom0. - Add this line at the beginning: +8. Edit `/etc/pam.d/xscreensaver` (or appropriate file if you are using another screen locker program) in dom0, adding this line at the beginning: auth include yubikey -9. Edit `/etc/pam.d/lightdm` (or appropriate file if you are using other display manager) in dom0. - Add this line at the beginning: +9. Edit `/etc/pam.d/lightdm` (or appropriate file if you are using another display manager) in dom0, adding this line at the beginning: auth include yubikey From c3b338635a53b61365836b01bea963b626b34206 Mon Sep 17 00:00:00 2001 From: vrushti-mody Date: Mon, 8 Jun 2020 11:27:01 +0530 Subject: [PATCH 033/188] Fixes #4901 'Outdated paragraph in Split GPG limitations section' --- user/security-in-qubes/split-gpg.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/user/security-in-qubes/split-gpg.md b/user/security-in-qubes/split-gpg.md index b2a57180..a62a9d4d 100644 --- a/user/security-in-qubes/split-gpg.md +++ b/user/security-in-qubes/split-gpg.md 
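Review bot: Steps 7–9 put `auth include yubikey` at the top of the PAM files for console login, the screen locker and the display manager in dom0, but give no way to verify the change or recover from a mistake. A typo in one of these files, or a problem in the included `yubikey` configuration, can presumably block all three entry points at once. I would add a sentence after step 9 such as `Keep a root terminal open in dom0 and test locking and unlocking the screen before you log out, so that a mistake can be reverted.` The list continues past the end of this hunk, so an equivalent warning may already exist outside the visible lines.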
@@ -57,11 +57,8 @@ This way it would be easy to spot unexpected requests to decrypt documents. Doing so won't provide any extra security anyway, as explained [above][intro] and [below][using Split GPG with subkeys]. If you are generating a new key pair, or if you have a private key that already has a passphrase, you can use `gpg2 --edit-key ` then `passwd` to set an empty passphrase. Note that `pinentry` might show an error when you try to set an empty passphrase, but it will still make the change. -<<<<<<< HEAD - (See [this StackExchange answer][se-pinentry] for more information.) Note: The error shows only if you **do not** have graphical pinentry installed. -======= - (See [this StackExchange answer][se-pinentry] for more information.) Note: The error shows only if you **do not** have graphical pinentry installed. The Split GPG client lets you use password-protected keys, and the vault qube will show the passphrase. ->>>>>>> c7309fe6150dee28787ffd8fc584fa3114d10179 + (See [this StackExchange answer][se-pinentry] for more information.) + Note: The error shows only if you **do not** have graphical pinentry installed. ## Configuring Split GPG ## From 1b1efd4dc426e3aaa0ba454b3b116bfd0795d9a4 Mon Sep 17 00:00:00 2001 From: Michael Carbone Date: Mon, 8 Jun 2020 10:21:58 -0400 Subject: [PATCH 034/188] mention mimeopen for changing default apps would be great to add what is used for fedora-based templates as well. --- user/advanced-configuration/disposablevm-customization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user/advanced-configuration/disposablevm-customization.md b/user/advanced-configuration/disposablevm-customization.md index 317c9cfb..49558bf2 100644 --- a/user/advanced-configuration/disposablevm-customization.md +++ b/user/advanced-configuration/disposablevm-customization.md 
@@ -64,7 +64,7 @@ This can be done by customizing the DisposableVM Template on which it is based: 2. Change the qube's settings and/or applications, as desired. Some examples of changes you may want to make include: - Changing Firefox's default startup settings and homepage. - - Changing default editor, image viewer. + - Changing default editor, image viewer. In Debian-based templates this can be done with the `mimeopen` command. - Changing the DisposableVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DisposableVM, you can choose your desired ProxyVM manually (by changing the newly-started DisposableVMs settings). This is useful if you sometimes wish to use a DisposableVM with a Whonix Gateway, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DisposableVM. 4. Shutdown the qube (either by `poweroff` from qube's terminal, or `qvm-shutdown` from dom0 terminal). From 0238a41934913c6f105cc019f36b202a2b50a8fb Mon Sep 17 00:00:00 2001 From: 3hhh Date: Thu, 18 Jun 2020 17:14:12 +0200 Subject: [PATCH 035/188] added Admin API Fuzzer idea --- developer/general/gsoc.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/developer/general/gsoc.md b/developer/general/gsoc.md index 719f827b..3241fcfb 100644 --- a/developer/general/gsoc.md +++ b/developer/general/gsoc.md 
@@ -613,6 +613,30 @@ Details, reference: [#2233](https://github.com/QubesOS/qubes-issues/issues/2233) **Mentor**: Inquire on [qubes-devel][ml-devel]. +### Admin API Fuzzer + +**Project**: Develop a [Fuzzer](https://en.wikipedia.org/wiki/Fuzzing) for the +[Qubes OS Admin API](https://www.qubes-os.org/doc/admin-api/). + +**Brief explanation**: The [Qubes OS Admin API](https://www.qubes-os.org/doc/admin-api/) +enables VMs to execute privileged actions on other VMs or dom0 - if allowed by the Qubes OS RPC policy. +Programming errors in the Admin API however may cause these access rights to be more permissive +than anticipated by the programmer. + +Since the Admin API is continuously growing and changing, continuous security assessments are required. +A [Fuzzer](https://en.wikipedia.org/wiki/Fuzzing) would help to automate part of these assessments. + +**Expected results**: + - fully automated & extensible Fuzzer for parts of the Admin API + - user & developer documentation + +**Prerequisites**: + - basic Python understanding + - some knowledge about fuzzing & existing fuzzing frameworks (e.g. [oss-fuzz](https://github.com/google/oss-fuzz/tree/master/projects/qubes-os)) + - a hacker's curiosity + +**Mentor**: Inquire on [qubes-devel][ml-devel]. + ---- We adapted some of the language here about GSoC from the [KDE GSoC page](https://community.kde.org/GSoC). From b0fb120631082777f2a83df7ec0c826d38b73622 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Thu, 18 Jun 2020 14:29:27 -0500 Subject: [PATCH 036/188] Abstract version number --- external/os-guides/centos.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/external/os-guides/centos.md b/external/os-guides/centos.md index 3f4ab8e9..5b1c9d67 100644 --- a/external/os-guides/centos.md +++ b/external/os-guides/centos.md 
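Review bot: The new project idea does not say where the fuzzer should run, although its own explanation says the Admin API lets VMs execute privileged actions on other VMs or dom0. Feeding generated calls to that interface on a machine in daily use could presumably alter or remove qubes. I would add an item under "Expected results" such as `- documented setup for running the fuzzer against a dedicated test installation rather than a production system`. Minor style point: "Fuzzer" is capitalised mid-sentence throughout the section, where lowercase `fuzzer` would match the linked article.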
@@ -13,9 +13,9 @@ For the minimal version, please see [Minimal TemplateVMs](/doc/templates/minimal ## Installation -CentOS-7 can be installed with the following command: +The standard CentOS TemplateVM can be installed with the following command in dom0, where `X` is the desired version number: - [user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-centos-7 + [user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-centos-X To switch, reinstall and uninstall a CentOS TemplateVM that is already installed in your system, see *How to [switch], [reinstall] and [uninstall]*. From 6ab14dd9d2626874d1380b18d474e225fb4628d7 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Tue, 30 Jun 2020 06:07:01 -0500 Subject: [PATCH 037/188] Update Supported Versions with Fedora 32 template --- user/downloading-installing-upgrading/supported-versions.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/user/downloading-installing-upgrading/supported-versions.md b/user/downloading-installing-upgrading/supported-versions.md index b4df72d3..ffe0dcf1 100644 --- a/user/downloading-installing-upgrading/supported-versions.md +++ b/user/downloading-installing-upgrading/supported-versions.md 
@@ -68,8 +68,8 @@ The following table shows the [TemplateVM] versions **available** for each Qubes | Release 3.0 | 21, 22\*, 23 | 7 ("wheezy")\*, 8 ("jessie") | None | | Release 3.1 | 21, 22\*, 23 | 7 ("wheezy")\*, 8 ("jessie"), 9 ("stretch")\* | None | | Release 3.2 | 23\*, 24\*, 25\*, 26, 27, 28 | 8 ("jessie"), 9 ("stretch") | 13, 14 | -| Release 4.0 | 26, 27, 28, 29, 30, 31 | 8 ("jessie"), 9 ("stretch"), 10 ("buster") | 13, 14, 15 | -| Release 4.1 | 26, 27, 28, 29, 30, 31 | 8 ("jessie"), 9 ("stretch"), 10 ("buster") | 13, 14, 15 | +| Release 4.0 | 26, 27, 28, 29, 30, 31, 32 | 8 ("jessie"), 9 ("stretch"), 10 ("buster") | 13, 14, 15 | +| Release 4.1 | 26, 27, 28, 29, 30, 31, 32 | 8 ("jessie"), 9 ("stretch"), 10 ("buster") | 13, 14, 15 | \* Denotes versions for which we have published the packages but have not done extensive testing. @@ -98,6 +98,7 @@ Qubes support for each [Fedora] TemplateVM ends when that Fedora release reaches | Fedora 29 | Unsupported | | Fedora 30 | Supported | | Fedora 31 | Supported | +| Fedora 32 | Supported | ### Debian From 931e6b9a50842df8e2d3480e58ea944c25b219d8 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Wed, 1 Jul 2020 06:38:36 -0500 Subject: [PATCH 038/188] Update dead link Thank you to user Bruno for pointing this out and supplying a replacement link. --- user/downloading-installing-upgrading/installation-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user/downloading-installing-upgrading/installation-guide.md b/user/downloading-installing-upgrading/installation-guide.md index 7a7fb470..58ed9d55 100644 --- a/user/downloading-installing-upgrading/installation-guide.md +++ b/user/downloading-installing-upgrading/installation-guide.md 
@@ -37,7 +37,7 @@ Even on supported hardware, you must ensure that [IOMMU-based virtualization](ht Without it, Qubes OS won't be able to enforce isolation. For Intel-based boards, this setting is called Intel Virtualization for Directed I/O (**Intel VT-d**) and for AMD-based boards, it is called AMD I/O Virtualization Technology (or simply **AMD-Vi**). This parameter should be activated in your computer's BIOS, alongside the standard Virtualization (**Intel VT-x**) and AMD Virtualization (**AMD-V**) extensions. -This [external guide](https://www.intel.in/content/www/in/en/support/articles/000007139/server-products.html) made for Intel-based boards can help you figure out how to enter your BIOS to locate and activate those settings. +This [external guide](https://web.archive.org/web/20200112220913/https://www.intel.in/content/www/in/en/support/articles/000007139/server-products.html) made for Intel-based boards can help you figure out how to enter your BIOS to locate and activate those settings. If those settings are not nested under the Advanced tab, you might find them under the Security tab.