From 04b6bbc4832937ad179210eaa440a5370ba48992 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Wojdy=C5=82a?= Date: Wed, 31 Aug 2016 17:05:46 +0200 Subject: [PATCH 01/10] QWT installation: change order of operation to be more natural --- managing-os/windows-appvms.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/managing-os/windows-appvms.md b/managing-os/windows-appvms.md index ab46af5d..7945a2c5 100644 --- a/managing-os/windows-appvms.md +++ b/managing-os/windows-appvms.md 
@@ -51,6 +51,8 @@ sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing qubes-windows-too This package brings the ISO with Qubes Windows Tools that is passed to the VM when `--install-windows-tools` is specified for the `qvm-start` command. Please note that none of this software ever runs in Dom0 or any other part of the system except for the Windows AppVM in which it is to be installed. +Before proceeding with the installation we need to disable Windows mechanism that allows only signed drivers to be installed, because currently (beta releases) the drivers we provide as part of the Windows Tools are not digitally signed with a publicly recognizable certificate. How to do that is explained in the `README` file also located on the installation CDROM. In the future this step will not be necessary anymore, because we will sign our drivers with a publicly verifiable certificate. However, it should be noted that even now, the fact that those drivers are not digitally signed, this doesn't affect security of the Windows VM in 'any' way. This is because the actual installation ISO (the `qubes-windows-tools-*.iso` file) is distributed as a signed RPM package and its signature is verified by the `qubes-dom0-update` utility once it's being installed in Dom0. The only downside of those drivers not being signed is the inconvenience to the user that he or she must disable the signature enforcement policy before installing the tools. + To install the Qubes Windows Tools in a Windows VM one should start the VM passing the additional option `--install-windows-tools`: ~~~ 
@@ -59,8 +61,6 @@ qvm-start lab-win7 --install-windows-tools Once the Windows VM boots, a CDROM should appear in the 'My Computer' menu (typically as `D:`) with a setup program in its main directory. -Before proceeding with the installation we need to disable Windows mechanism that allows only signed drivers to be installed, because currently (beta releases) the drivers we provide as part of the Windows Tools are not digitally signed with a publicly recognizable certificate. How to do that is explained in the `README` file also located on the installation CDROM. In the future this step will not be necessary anymore, because we will sign our drivers with a publicly verifiable certificate. However, it should be noted that even now, the fact that those drivers are not digitally signed, this doesn't affect security of the Windows VM in 'any' way. This is because the actual installation ISO (the `qubes-windows-tools-*.iso` file) is distributed as a signed RPM package and its signature is verified by the `qubes-dom0-update` utility once it's being installed in Dom0. The only downside of those drivers not being signed is the inconvenience to the user that he or she must disable the signature enforcement policy before installing the tools. - After successful installation, the Windows VM must be shut down and started again. Qubes (R2 Beta 3 and later releases) will automatically detect the tools has been installed in the VM and will set appropriate properties for the VM, such as `qrexec_installed`, `guiagent_installed`, and `default_user`. This can be verified (but is not required) using qvm-prefs command: From 12c36a002f9698f824b94375d95b7df5d432c805 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Wojdy=C5=82a?= Date: Wed, 31 Aug 2016 17:09:41 +0200 Subject: [PATCH 02/10] QWT installation: add explicit instructions for disabling driver signature enforcement --- managing-os/windows-appvms.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
diff --git a/managing-os/windows-appvms.md b/managing-os/windows-appvms.md index 7945a2c5..1574e390 100644 --- a/managing-os/windows-appvms.md +++ b/managing-os/windows-appvms.md 
@@ -51,7 +51,13 @@ sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing qubes-windows-too This package brings the ISO with Qubes Windows Tools that is passed to the VM when `--install-windows-tools` is specified for the `qvm-start` command. Please note that none of this software ever runs in Dom0 or any other part of the system except for the Windows AppVM in which it is to be installed. -Before proceeding with the installation we need to disable Windows mechanism that allows only signed drivers to be installed, because currently (beta releases) the drivers we provide as part of the Windows Tools are not digitally signed with a publicly recognizable certificate. How to do that is explained in the `README` file also located on the installation CDROM. In the future this step will not be necessary anymore, because we will sign our drivers with a publicly verifiable certificate. However, it should be noted that even now, the fact that those drivers are not digitally signed, this doesn't affect security of the Windows VM in 'any' way. This is because the actual installation ISO (the `qubes-windows-tools-*.iso` file) is distributed as a signed RPM package and its signature is verified by the `qubes-dom0-update` utility once it's being installed in Dom0. The only downside of those drivers not being signed is the inconvenience to the user that he or she must disable the signature enforcement policy before installing the tools. +Before proceeding with the installation we need to disable Windows mechanism that allows only signed drivers to be installed, because currently (beta releases) the drivers we provide as part of the Windows Tools are not digitally signed with a publicly recognizable certificate. To do that: + +- Start command prompt as Administrator, i.e. 
right click on the Command Prompt icon and choose "Run as administrator" +- In the command prompt type `bcdedit /set testsigning on` +- Reboot your Windows VM + +In the future this step will not be necessary anymore, because we will sign our drivers with a publicly verifiable certificate. However, it should be noted that even now, the fact that those drivers are not digitally signed, this doesn't affect security of the Windows VM in 'any' way. This is because the actual installation ISO (the `qubes-windows-tools-*.iso` file) is distributed as a signed RPM package and its signature is verified by the `qubes-dom0-update` utility once it's being installed in Dom0. The only downside of those drivers not being signed is the inconvenience to the user that he or she must disable the signature enforcement policy before installing the tools. To install the Qubes Windows Tools in a Windows VM one should start the VM passing the additional option `--install-windows-tools`: From 3755c5aa6659173d58f2bdad6e590b696e0050c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Wojdy=C5=82a?= Date: Wed, 31 Aug 2016 17:16:51 +0200 Subject: [PATCH 03/10] QWT installation: add note about multiple reboots --- managing-os/windows-appvms.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/managing-os/windows-appvms.md b/managing-os/windows-appvms.md index 1574e390..0f8e26af 100644 --- a/managing-os/windows-appvms.md +++ b/managing-os/windows-appvms.md 
@@ -67,7 +67,7 @@ qvm-start lab-win7 --install-windows-tools Once the Windows VM boots, a CDROM should appear in the 'My Computer' menu (typically as `D:`) with a setup program in its main directory. -After successful installation, the Windows VM must be shut down and started again. +After successful installation, the Windows VM must be shut down and started again, possibly a couple of times (see [this page](/doc/WindowsTools/) for detailed configuration options). Qubes (R2 Beta 3 and later releases) will automatically detect the tools has been installed in the VM and will set appropriate properties for the VM, such as `qrexec_installed`, `guiagent_installed`, and `default_user`. This can be verified (but is not required) using qvm-prefs command: From 3d8346f42d272d9304843b01c6cd8fd25d0cf3dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Wojdy=C5=82a?= Date: Wed, 31 Aug 2016 17:18:56 +0200 Subject: [PATCH 04/10] QWT installation: small clarification --- managing-os/windows-appvms.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/managing-os/windows-appvms.md b/managing-os/windows-appvms.md index 0f8e26af..82e3fa14 100644 --- a/managing-os/windows-appvms.md +++ b/managing-os/windows-appvms.md 
@@ -75,7 +75,7 @@ Qubes (R2 Beta 3 and later releases) will automatically detect the tools has bee qvm-prefs ~~~ -NOTE: it is recommended to increase the default value of `qrexec_timeout` property from 60 (seconds) to, for example, 300. During one of the first reboots after Windows Tools installation Windows user profiles are moved onto the private VM's virtual disk (private.img) and this operation can take some time. Moving profiles is performed in an early boot phase when qrexec is not yet running, so timeout may occur with the default value. To change the property use this command in dom0: +NOTE: it is recommended to increase the default value of Windows VM's `qrexec_timeout` property from 60 (seconds) to, for example, 300. During one of the first reboots after Windows Tools installation Windows user profiles are moved onto the private VM's virtual disk (private.img) and this operation can take some time. Moving profiles is performed in an early boot phase when qrexec is not yet running, so timeout may occur with the default value. To change the property use this command in dom0: ~~~ qvm-prefs -s qrexec_timeout 300 From 49b57d6b3e9dc3f7ee457ebd71513853ce26ac70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Wojdy=C5=82a?= Date: Wed, 31 Aug 2016 17:31:05 +0200 Subject: [PATCH 05/10] QWT: add note about full desktop being the default mode --- managing-os/windows-appvms.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/managing-os/windows-appvms.md b/managing-os/windows-appvms.md index 82e3fa14..24cfea3e 100644 --- a/managing-os/windows-appvms.md +++ b/managing-os/windows-appvms.md 
@@ -110,10 +110,10 @@ To simulate CTRL-ALT-DELETE in the HVM (SAS, Secure Attention Sequence), press C ![windows-seamless-7.png](/attachment/wiki/WindowsAppVms/windows-seamless-7.png) -Forcing Windows AppVM into full desktop mode --------------------------------------------- +Changing between seamless and full desktop mode +----------------------------------------------- -You can switch between seamless and "full desktop" mode for Windows HVMs in their settings in Qubes Manager. +You can switch between seamless and "full desktop" mode for Windows HVMs in their settings in Qubes Manager. The latter is the default. Using template-based Windows AppVMs (Qubes R2 Beta 3 and later) --------------------------------------------------------------- From ce665ef013d19a539894efc39e740a5ec2337dbb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Wojdy=C5=82a?= Date: Wed, 31 Aug 2016 17:37:53 +0200 Subject: [PATCH 06/10] Windows templates: don't encourage totally disabling updates --- managing-os/windows-appvms.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/managing-os/windows-appvms.md b/managing-os/windows-appvms.md index 24cfea3e..73364f49 100644 --- a/managing-os/windows-appvms.md +++ b/managing-os/windows-appvms.md 
@@ -129,7 +129,7 @@ qvm-create --hvm-template win7-x64-template -l green - The private disk is initialized and formatted on the first reboot after tools installation. It can't be done **during** the installation because Xen mass storage drivers are not yet active. - User profiles are moved to the private disk on the next reboot after the private disk is initialized. Reboot is required because the "mover utility" runs very early in the boot process so OS can't yet lock any files in there. This can take some time depending on the profiles' size and because the GUI agent is not yet active dom0/Qubes Manager may complain that the AppVM failed to boot. That's a false alarm (you can increase AppVM's default boot timeout using `qvm-prefs`), the VM should appear "green" in Qubes Manager shortly after. -It also makes sense to disable Automatic Updates for all the Windows-based AppVMs -- of course this should be done in the Template VM, not in individual AppVMs, because the system-wide setting are stored in the root filesystem (which holds the system-wide registry hives). +It also makes sense to disable Automatic Updates for all the template-based AppVMs -- of course this should be done in the Template VM, not in individual AppVMs, because the system-wide setting are stored in the root filesystem (which holds the system-wide registry hives). Then, periodically check for updates in the Template VM and the changes will be carried over to any child AppVMs. Once the template has been created and installed it is easy to create AppVMs based on: From 8192057b2aea87ba4aa97dde9449c8b93bb7b7e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Wojdy=C5=82a?= Date: Wed, 31 Aug 2016 17:57:03 +0200 Subject: [PATCH 07/10] QWT: update state of disk PV drivers --- managing-os/windows-tools-3.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/managing-os/windows-tools-3.md b/managing-os/windows-tools-3.md index 879602b8..f94d3a5f 100644 
--- a/managing-os/windows-tools-3.md +++ b/managing-os/windows-tools-3.md @@ -32,7 +32,7 @@ Qubes Windows Tools (QWT for short) contain several components than can be enabl **In testing VMs only** it's probably a good idea to install a VNC server before installing QWT. If something goes very wrong with the Qubes gui agent, a VNC server should still allow access to the OS. -**NOTE**: Xen PV disk drivers are not installed by default. This is because they seem to cause severe problems, including disk image/files corruption in Qubes HVMs. We're investigating this. *However*, the problem doesn't always occur in tests -- disk drivers often work *if they are installed separately after the main portion of QWT is up and running*. **Do this at your own risk** of course, but we welcome reports of success/failure in any case. With disk PV drivers absent `qvm-block` will not work for the VM, but you can still use standard Qubes inter-VM file copying mechanisms. +**NOTE**: Xen PV disk drivers are not installed by default. This is because they seem to cause problems (BSOD). We're working with upstream devs to fix this. *However*, the BSOD seems to only occur after the first boot and everything works fine after that. **Enable the drivers at your own risk** of course, but we welcome reports of success/failure in any case (backup your VM first!). With disk PV drivers absent `qvm-block` will not work for the VM, but you can still use standard Qubes inter-VM file copying mechanisms. Verbose installation -------------------- From f8787d20e43477603f26872d955664b5d33a69f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Wojdy=C5=82a?= Date: Wed, 31 Aug 2016 19:03:09 +0200 Subject: [PATCH 08/10] QWT installation: update log file information --- managing-os/windows-tools-3.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/managing-os/windows-tools-3.md b/managing-os/windows-tools-3.md index f94d3a5f..e1fdee05 100644 --- a/managing-os/windows-tools-3.md 
+++ b/managing-os/windows-tools-3.md @@ -34,12 +34,10 @@ Qubes Windows Tools (QWT for short) contain several components than can be enabl **NOTE**: Xen PV disk drivers are not installed by default. This is because they seem to cause problems (BSOD). We're working with upstream devs to fix this. *However*, the BSOD seems to only occur after the first boot and everything works fine after that. **Enable the drivers at your own risk** of course, but we welcome reports of success/failure in any case (backup your VM first!). With disk PV drivers absent `qvm-block` will not work for the VM, but you can still use standard Qubes inter-VM file copying mechanisms. -Verbose installation --------------------- +Installation logs +----------------- -If the install process fails you can retry it using the command line below to get a detailed installation log (and send that to us): - -`msiexec /i path-to-qubes-tools.msi /lv path-to-log-file.txt` +If the install process fails or something goes wrong during it, include the installation logs in your bug report. They are created in the `%TEMP%` directory, by default `\AppData\Local\Temp`. There are two text files, one small and one big, with names starting with `Qubes_Windows_Tools`. Uninstalling QWT 3.x is **not recommended**. It will most likely make the OS non-bootable because drivers for Xen storage devices will be uninstalled. This will be fixed in the future. From cb9db6d4c44fba7f28fd1560e5ea42de5f6ffd91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Wojdy=C5=82a?= Date: Wed, 31 Aug 2016 20:12:53 +0200 Subject: [PATCH 09/10] QWT installation: update uninstallation info --- managing-os/windows-tools-3.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/managing-os/windows-tools-3.md b/managing-os/windows-tools-3.md index e1fdee05..c7d91cb3 100644 --- a/managing-os/windows-tools-3.md +++ b/managing-os/windows-tools-3.md 
@@ -39,7 +39,8 @@ Installation logs If the install process fails or something goes wrong during it, include the installation logs in your bug report. They are created in the `%TEMP%` directory, by default `\AppData\Local\Temp`. There are two text files, one small and one big, with names starting with `Qubes_Windows_Tools`. -Uninstalling QWT 3.x is **not recommended**. It will most likely make the OS non-bootable because drivers for Xen storage devices will be uninstalled. This will be fixed in the future. +Uninstalling QWT is supported from version 3.2.1. Uninstalling previous versions is **not recommended**. +After uninstalling you need to manually enable the DHCP Client Windows service, or set IP settings yourself to restore network access. Configuration ------------- From 5c1c4f93330351894b6ed680fd121e4c1197be6f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Wojdy=C5=82a?= Date: Wed, 31 Aug 2016 20:24:21 +0200 Subject: [PATCH 10/10] QWT installation: add note about pvdriver popups --- managing-os/windows-tools-3.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/managing-os/windows-tools-3.md b/managing-os/windows-tools-3.md index c7d91cb3..8d4a5fea 100644 --- a/managing-os/windows-tools-3.md +++ b/managing-os/windows-tools-3.md 
@@ -34,6 +34,8 @@ Qubes Windows Tools (QWT for short) contain several components than can be enabl **NOTE**: Xen PV disk drivers are not installed by default. This is because they seem to cause problems (BSOD). We're working with upstream devs to fix this. *However*, the BSOD seems to only occur after the first boot and everything works fine after that. **Enable the drivers at your own risk** of course, but we welcome reports of success/failure in any case (backup your VM first!). With disk PV drivers absent `qvm-block` will not work for the VM, but you can still use standard Qubes inter-VM file copying mechanisms. +Xen PV driver components may display a message box asking for reboot during installation -- it's safe to ignore them and defer the reboot. + Installation logs -----------------
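Review bot: In PATCH 01/10 (hunk `@@ -51,6 +51,8 @@`), the moved paragraph still says the procedure "is explained in the `README` file also located on the installation CDROM", but it now sits before the `--install-windows-tools` step that makes that CDROM appear. At this commit the reader is sent to a file they cannot open yet. Either squash this with 02/10, which replaces the README pointer with explicit steps, or reword the sentence here so the commit is self-consistent.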
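Review bot: In PATCH 02/10 (hunk `@@ -51,7 +51,13 @@`), the added `bcdedit /set testsigning on` step does not fit with the retained sentence that the unsigned drivers do not affect security "in 'any' way". The signed RPM protects the ISO on its way into Dom0, whereas test-signing mode is a boot setting for the whole Windows VM: it persists across reboots and lets any test-signed kernel driver load, not only the QWT ones. Suggest rewording that sentence to scope the claim to the integrity of the delivered ISO, and stating whether test signing must stay enabled after the tools are installed. Minor: "disable Windows mechanism" needs an article ("the Windows mechanism").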
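Review bot: In PATCH 06/10 (hunk `@@ -129,7 +129,7 @@`), the changed line still opens with "disable Automatic Updates", so the subject "don't encourage totally disabling updates" is only met by the appended "periodically check for updates in the Template VM", which gives no interval and does not say that patching is now entirely manual. Suggest saying outright that updates must be run by hand in the template and that child AppVMs pick up the changes after they are restarted. Narrowing "Windows-based" to "template-based" also leaves standalone Windows HVMs with no update guidance. Grammar on the touched line: "the system-wide setting are" should read "settings are".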
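Review bot: In PATCH 07/10 (hunk `@@ -32,7 +32,7 @@`), the replacement NOTE drops the earlier warning about "disk image/files corruption" without saying that the corruption no longer occurs, while the new "(backup your VM first!)" implies data is still at risk. Please state explicitly whether corruption has been ruled out or is merely not reproduced. The new wording also says "Enable the drivers" but removes the only hint about how (installing them separately after the main portion of QWT is running), so add the actual step or a link. Minor: "backup" as a verb should be "back up".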
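Review bot: In PATCH 08/10 (hunk `@@ -34,12 +34,10 @@`), the default log location is written as `\AppData\Local\Temp`, which starts with a bare backslash and reads as a path from the drive root; spell out the prefix, for example `%USERPROFILE%\AppData\Local\Temp`. "One small and one big" is hard to act on, so give the file name pattern beyond the `Qubes_Windows_Tools` prefix if it is stable. Since these files are to be attached to bug reports, add a sentence asking users to check them for user names and local paths before posting. Also consider keeping the removed `msiexec ... /lv` line as a fallback for cases where the installer fails before the logs are written.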
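Review bot: In PATCH 09/10 (hunk `@@ -39,7 +39,8 @@`), the uninstall text now sits directly under the "Installation logs" heading and deserves its own heading. The new wording keeps "**not recommended**" for versions before 3.2.1 but removes the reason (the OS becoming non-bootable once the Xen storage drivers are removed), which is the part a user needs in order to judge the risk; please keep it. "Manually enable the DHCP Client Windows service" should say how, or at least name the place in Windows where this is done.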
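Review bot: In PATCH 10/10 (hunk `@@ -34,6 +34,8 @@`), the added sentence says it is safe to "defer the reboot" but not until when; say that the reboot should happen once the QWT installer itself finishes, if that is the intent. The number also disagrees ("a message box" followed by "ignore them"); use "message boxes" or "ignore it".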