Merge remote-tracking branch 'origin/pr/82'

managing-os/windows-appvms.md

@@ -11,7 +11,7 @@ redirect_from:
 Installing and using Windows-based AppVMs
 =========================================
 
-Qubes provides special support for running Windows-based AppVMs. This requires the user to install Windows 7 x64 in a Qubes VM and subsequently install Qubes Windows Support tools inside the VM. This page describes this process in detail.
+Qubes provides special support for running Windows-based AppVMs. This requires the user to install Windows 7 x64 in a Qubes VM and subsequently install Qubes Windows Support tools inside the VM (support for Windows 8+ is in development). This page describes this process in detail.
 
 Qubes support tools for Windows is a set of programs and drivers that provide integration of Windows AppVMs with the rest of the Qubes system. Currently the following features are available for Windows VMs after installation of those tools:
 
@@ -23,13 +23,15 @@ Qubes support tools for Windows is a set of programs and drivers that provide in
 
 Qubes Windows Support Tools are not open source and are distributed under a commercial license and their source code is not publicly available. Current status is: **Beta**.
 
-NOTE: Currently only 64-bit versions of Windows 7 are support by Qubes Windows Tools.
+NOTE: Currently only 64-bit versions of Windows 7 are supported by Qubes Windows Tools. Only emulated SVGA GPU is supported (althought [there has been reports](https://groups.google.com/forum/#!topic/qubes-users/cmPRMOkxkdA) on working GPU pass-through).
 
 Installing Windows OS in a Qubes VM
 -----------------------------------
 
 Please refer to [this page](/doc/hvm-create/) for instructions on how to install Windows in a Qubes VM.
 
+NOTE: It is strongly suggested to enable autologon for any Windows HVMs that will have Qubes Tools installed. To do so, run `netplwiz` command from the `Win+R`/Start menu and uncheck the *Users must enter a user name and password to use this computer* option.
+
 Installing Qubes support tools in Windows 7 VMs
 -----------------------------------------------
 
@@ -39,6 +41,12 @@ First, make sure that `qubes-windows-tools` is installed in your system:
 sudo qubes-dom0-update qubes-windows-tools
 ~~~
 
+You can also install the package from testing repositories, where we usually publish new versions first:
+
+~~~
+qubes-dom0-update --enablerepo=qubes*testing qubes-windows-tools
+~~~
+
 This package brings the ISO with Qubes Windows Tools that is passed to the VM when `--install-windows-tools` is specified for the `qvm-start` command. Please note that even though the Qubes Windows Tools are proprietary, none of this software ever runs in Dom0 or any other part of the system except for the Windows AppVM in which it is to be installed.
 
 To install the Qubes Windows support tools in a Windows VM one should start the VM passing the additional option `--install-windows-tools`:
@@ -49,9 +57,7 @@ qvm-start lab-win7 --install-windows-tools
 
 Once the Windows VM boots, a CDROM should appear in the 'My Computer' menu (typically as `D:`) with a setup program in its main directory.
 
-Before proceeding with the installation we need to disable Windows mechanism that allows only signed drivers to be installed, because currently (beta releases) the drivers we provide as part of the Windows Support Tools are not digitally signed with a publicly recognizable certificate. How to do that is explained in the `README` file also located on the installation CDROM. In the future this step will not be necessary anymore, because we will sign our drivers with a publicly verifiable certificate. However, it should be noted that even now, the fact that those drivers are not digitally signed, this doesn't affect security of the Windows VM in 'any' way. This is because the actual installation ISO (the `qubes-windows-tools-*.iso` file) is distributed as a signed RPM package and its signature is verified by the `qubes-dom0-update` utility once it's being installed in Dom0. The only downside of those drivers not being signed is the inconvenience to the user that he or she must disable the signature enforcement policy before installing the tools, and also to accept a few scary looking warning windows during the installation process, as shown below.
-
-![r2b1-win7-installing-qubes-tools-5.png](/attachment/wiki/HvmCreate/r2b1-win7-installing-qubes-tools-5.png)
+Before proceeding with the installation we need to disable Windows mechanism that allows only signed drivers to be installed, because currently (beta releases) the drivers we provide as part of the Windows Support Tools are not digitally signed with a publicly recognizable certificate. How to do that is explained in the `README` file also located on the installation CDROM. In the future this step will not be necessary anymore, because we will sign our drivers with a publicly verifiable certificate. However, it should be noted that even now, the fact that those drivers are not digitally signed, this doesn't affect security of the Windows VM in 'any' way. This is because the actual installation ISO (the `qubes-windows-tools-*.iso` file) is distributed as a signed RPM package and its signature is verified by the `qubes-dom0-update` utility once it's being installed in Dom0. The only downside of those drivers not being signed is the inconvenience to the user that he or she must disable the signature enforcement policy before installing the tools.
 
 After successful installation, the Windows VM must be shut down and started again.
 
@@ -61,6 +67,12 @@ Qubes (R2 Beta 3 and later releases) will automatically detect the tools has bee
 qvm-prefs <your-appvm-name>
 ~~~
 
+NOTE: it is recommended to increase the default value of `qrexec-timeout` property from 60 (seconds) to, for example, 300. During one of the first reboots after Windows Tools installation Windows user profiles are moved onto the private VM's virtual disk (private.img) and this operation can take some time. Moving profiles is performed in an early boot phase when qrexec is not yet running, so timeout may occur with the default value. To change the property use this command in dom0:
+
+~~~
+qvm-prefs -s <vm-name> qrexec-timeout 300
+~~~
+
 Using Windows AppVMs in seamless mode (Qubes R2 Beta 3 and later)
 -----------------------------------------------------------------
 
@@ -82,7 +94,7 @@ Also, the inter-VM services work as usual -- e.g. to request opening a document
 [user@work ~]$ qvm-open-in-vm work-win7 http://www.invisiblethingslab.com
 ~~~
 
-... just like in case of Linux AppVMs. Of course all those operations are governed by central policy engine running in Dom0 -- if the policy
+... just like in case of Linux AppVMs. Of course all those operations are governed by central policy engine running in Dom0 -- if the policy doesn't contain explicit rules for the source and/or target AppVM, the user will be asked for decision whether to allow or deny the operation.
 
 Inter-VM file copy and clipboard works for Windows AppVMs the same way as for Linux AppVM (except that we don't provide a command line wrapper, `qvm-copy-to-vm` in Windows VMs) -- to copy files from Windows AppVMs just right-click on the file in Explorer, and choose: Send To-\> Other AppVM.
 
@@ -116,3 +128,8 @@ Once the template has been created and installed it is easy to create AppVMs bas
 ~~~
 qvm-create --hvm <new windows appvm name> --template <name of template vm> --label <label color>
 ~~~
+
+Troubleshooting and advanced settings for Windows Tools
+-------------------------------------------------------
+
+See [this page](/doc/windows-tools-3/) for information on troubleshooting issues with Qubes Tools for Windows and advanced configuration settings.

managing-os/windows-tools-3.md

@@ -14,7 +14,6 @@ Qubes Tools for Windows: advanced settings and troubleshooting
 
 **This document only applies to Qubes R3 (tools version 3.x)**
 *Only 64-bit Windows 7 (any edition) is supported currently. Windows 8+ support is under development.*
-*HVM templates are not supported yet. Specifically, user profiles are not yet moved to a VM's private image (fix incoming).*
 
 Installable components
 ----------------------
@@ -27,10 +26,14 @@ Qubes Tools for Windows (QTW for short) contain several components than can be e
    - Xen PV Disk Drivers: paravirtual storage drivers.
    - Xen PV Network Drivers: paravirtual network drivers.
 - Qubes Core Agent: qrexec agent and services. Needed for proper integration with Qubes.
+   - Move user profiles: user profile directory (c:\users) is moved to VM's private disk backed by private.img file in dom0 (useful mainly for HVM templates).
 - Qubes GUI Agent: video driver and gui agent that enable seamless showing of Windows applications on the secure Qubes desktop.
+- Disable UAC: User Account Control may interfere with QTW and doesn't really provide any additional benefits in Qubes environment.
 
 **In testing VMs only** it's probably a good idea to install a VNC server before installing QTW. If something goes very wrong with the Qubes gui agent, a VNC server should still allow access to the OS.
 
+**NOTE**: Xen PV disk drivers are not installed by default. This is because they seem to cause severe problems, including disk image/files corruption in Qubes HVMs. We're investigating this. *However*, the problem doesn't always occur in tests -- disk drivers often work *if they are installed separately after the main portion of QTW is up and running*. **Do this at your own risk** of course, but we welcome reports of success/failure in any case. With disk PV drivers absent `qvm-block` will not work for the VM, but you can still use standard Qubes inter-VM file copying mechanisms.
+
 Verbose installation
 --------------------
 
@@ -54,11 +57,11 @@ Starting from version 2.2.\* various aspects of Qubes Tools for Windows can be c
 Possible log levels:
 
 ||
-|0|Error|Serious errors that most likely cause irrecoverable failures|
-|1|Warning|Unexpected but non-fatal events|
-|2|Info|Useful information|
-|3|Debug|Internal state dumps for troubleshooting|
-|4|Verbose|Trace most function calls|
+|1|Error|Serious errors that most likely cause irrecoverable failures|
+|2|Warning|Unexpected but non-fatal events|
+|3|Info|Useful information (default)|
+|4|Debug|Internal state dumps for troubleshooting|
+|5|Verbose|Trace most function calls|
 
 Debug and Verbose levels can generate large volume of logs and are intended for development/troubleshooting only.
 
@@ -70,7 +73,6 @@ Component-specific settings currently available:
 
 |**Component**|**Setting**|**Type**|**Description**|**Default value**|
 |:------------|:----------|:-------|:--------------|:----------------|
-|qga|UseDirtyBits|DWORD|Enable experimental feature of the gui agent/qvideo driver: use page table dirty bits to determine changed display regions. This can improve performance but may impact display responsiveness (some changes may not be detected resulting in "stale" image). Needs VM restart to apply change.|0|
 |qga|DisableCursor|DWORD|Disable cursor in the VM. Useful for integration with Qubes desktop so you don't see two cursors. Can be disabled if you plan to use the VM through a remote desktop connection of some sort. Needs gui agent restart to apply change (locking OS/logoff should be enough since qga is restarted on desktop change).|1|
 
 Troubleshooting
@@ -86,17 +88,18 @@ Safe Mode should at least give you access to logs (see above).
 **Please include appropriate logs when reporting bugs/problems.** Starting from version 2.4.2 logs contain QTW version, but if you're using an earlier version be sure to mention which one. If the OS crashes (BSOD) please include the BSOD code and parameters in your bug report. The BSOD screen should be visible if you run the VM in debug mode (`qvm-start --debug vmname`). If it's not visible or the VM reboots automatically, try to start Windows in safe mode (see above) and 1) disable automatic restart on BSOD (Control Panel - System - Advanced system settings - Advanced - Startup and recovery), 2) check the system event log for BSOD events. If you can, send the `memory.dmp` dump file from c:\Windows.
 Xen logs (/var/log/xen/console/guest-*) are also useful as they contain pvdrivers diagnostic output.
 
-If a specific component is malfunctioning, you can increase it's log verbosity as explained above to get more troubleshooting information. Below is a list of components:
+If a specific component is malfunctioning, you can increase its log verbosity as explained above to get more troubleshooting information. Below is a list of components:
 
 ||
 |qrexec-agent|Responsible for most communication with Qubes (dom0 and other domains), secure clipboard, file copying, qrexec services.|
+|qrexec-wrapper|Helper executable that's responsible for launching qrexec services, handling their I/O and vchan communication.|
 |qrexec-client-vm|Used for communications by the qrexec protocol.|
 |qga|Gui agent.|
 |QgaWatchdog|Service that monitors session/desktop changes (logon/logoff/locking/UAC...) and simulates SAS sequence (ctrl-alt-del).|
 |qubesdb-daemon|Service for accessing Qubes configuration database.|
 |network-setup|Service that sets up network parameters according to VM's configuration.|
 |prepare-volume|Utility that initializes and formats the disk backed by `private.img` file. It's registered to run on next system boot during QTW setup, if that feature is selected (it can't run *during* the setup because Xen block device drivers are not yet active). It in turn registers move-profiles (see below) to run at early boot.|
-|move-profiles|Utility that moves user profiles directory to the private disk. It's registered as an early boot native executable (similar to chkdsk) so it can run before any profile files are opened by some other process. Its log is in a fixed location: `c:\move-profiles.log` (it can't use our common logger library so none of the log settings apply).|
+|relocate-dir|Utility that moves user profiles directory to the private disk. It's registered as an early boot native executable (similar to chkdsk) so it can run before any profile files are opened by some other process. Its log is in a fixed location: `c:\move-profiles.log` (it can't use our common logger library so none of the log settings apply).|
 
 Updates
 -------