` with your specific computer model) or look it up in your computer's manual.
+
+Once you know the key to press, press your computer's power button, then repeatedly press that key until you've entered your computer's BIOS or UEFI menu. To give you and idea of what you should be looking for, we've provided a couple of example photos below.
+
+Here's an example of what the BIOS menu looks like on a ThinkPad T430:
+
+[![ThinkPad T430 BIOS menu](/attachment/doc/Thinkpad-t430-bios-main.jpg)](/attachment/doc/Thinkpad-t430-bios-main.jpg)
+
+And here's an example of what a UEFI menu looks like:
+
+[![UEFI menu](/attachment/doc/uefi.jpeg)](/attachment/doc/uefi.jpeg)
+
+Once you access your computer's BIOS or UEFI menu, you'll want to go to the "boot menu," which is where you tell your computer which devices to boot from. The goal is to tell the computer to boot from your USB drive so that you can run the Qubes installer. If your boot menu lets you select which device to boot from first, simply select your USB drive. (If you have multiple entries that all look similar to your USB drive, and you're not sure which one is correct, one option is just to try each one until it works.) If, on the other hand, your boot menu presents you with a list of boot devices in order, then you'll want to move your USB drive to the top so that the Qubes installer runs before anything else.
+
+Once you're done on the boot menu, save your changes. How you do this depends on your BIOS or UEFI, but the instructions should be displayed right there on the screen or in a nearby tab. (If you're not sure whether you've saved your changes correctly, you can always reboot your computer and go back into the boot menu to check whether it still reflects your changes.) Once your BIOS or UEFI is configured the way you want it, reboot your computer. This time, don't press any special keys. Instead, let the BIOS or UEFI load and let your computer boot from your USB drive. If you're successful in this step, after a few seconds you'll be presented with the Qubes installer screen:
+
+[![Boot screen](/attachment/doc/boot-screen.png)](/attachment/doc/boot-screen.png)
+
+From here, you can navigate the boot screen using the arrow keys on your keyboard. Pressing the "Tab" key will reveal options. You can choose one of three options:
+
+* Install Qubes OS
+* Test this media and install Qubes OS
+* Troubleshooting
+
+Select the option to test this media and install Qubes OS.
+
+
+
+
Note: If the latest stable release is not compatible with your hardware, you may wish to consider
testing a newer release.
+
+
+If the boot screen does not appear, there are several options to troubleshoot. First, try rebooting your computer. If it still loads your currently installed operating system or does not detect your installation medium, make sure the boot order is set up appropriately. The process to change the boot order varies depending on the currently installed system and the motherboard manufacturer. If **Windows 10** is installed on your machine, you may need to follow specific instructions to change the boot order. This may require an [advanced reboot](https://support.microsoft.com/en-us/help/4026206/windows-10-find-safe-mode-and-other-startup-settings).
+
+### The installer home screen
+
+On the first screen, you are asked to select the language that will be used during the installation process. When you are done, select **Continue**.
+
+[![welcome](/attachment/doc/welcome-to-qubes-os-installation-screen.png)](/attachment/doc/welcome-to-qubes-os-installation-screen.png)
+
+Prior to the next screen, a compatibility test runs to check whether IOMMU-virtualization is active or not. If the test fails, a window will pop up.
+
+[![Unsupported hardware detected](/attachment/doc/unsupported-hardware-detected.png)](/attachment/doc/unsupported-hardware-detected.png)
+
+Do not panic. It may simply indicate that IOMMU-virtualization hasn't been activated in the BIOS or UEFI. Return to the [hardware requirements](#hardware-requirements) section to learn how to activate it. If the setting is not configured correctly, it means that your hardware won't be able to leverage some Qubes security features, such as a strict isolation of the networking and USB hardware.
+
+If the test passes, you will reach the installation summary screen. The installer loads Xen right at the beginning. If you can see the installer's graphical screen, and you pass the compatibility check that runs immediately afterward, Qubes OS is likely to work on your system!
+
+Like Fedora, Qubes OS uses the Anaconda installer. Those that are familiar with RPM-based distributions should feel at home.
+
+### Installation summary
+
+
+
+ Did you know? The Qubes OS installer is completely offline. It doesn't even load any networking drivers, so there is no possibility of internet-based data leaks or attacks during the installation process.
+
+
+The Installation summary screen allows you to change how the system will be installed and configured, including localization settings. At minimum, you are required to select the storage device on which Qubes OS will be installed.
+
+[![Installation summary not ready](/attachment/doc/installation-summary-not-ready.png)](/attachment/doc/installation-summary-not-ready.png)
+
+### Localization
+
+Let's assume you wish to add a German keyboard layout. Go to Keyboard Layout, press the "Plus" symbol, search for "German" as indicated in the screenshot and press "Add". If you want it be your default language, select the "German" entry in the list and press the arrow button. Click on "Done" in the upper left corner, and you're ready to go!
+
+[![Keyboard layout selection](/attachment/doc/keyboard-layout-selection.png)](/attachment/doc/keyboard-layout-selection.png)
+
+The process to select a new language is similar to the process to select a new keyboard layout. Follow the same process in the "Language Support" entry.
+
+[![Language support selection](/attachment/doc/language-support-selection.png)](/attachment/doc/language-support-selection.png)
+
+You can have as many keyboard layout and languages as you want. Post-install, you will be able to switch between them and install others.
+
+Don't forget to select your time and date by clicking on the Time & Date entry.
+
+[![Time and date](/attachment/doc/time-and-date.png)](/attachment/doc/time-and-date.png)
+
+### Software
+
+[![Add-ons](/attachment/doc/add-ons.png)](/attachment/doc/add-ons.png)
+
+On the software selection tab, you can choose which software to install in Qubes OS. Two options are available:
+
+* **Debian:** Select this option if you would like to use [Debian](/doc/templates/debian/) qubes in addition to the default Fedora qubes.
+* **Whonix:** Select this option if you would like to use [Whonix](https://www.whonix.org/wiki/Qubes) qubes. Whonix allows you to use [Tor](https://www.torproject.org/) securely within Qubes.
+
+Whonix lets you route some or all of your network traffic through Tor for greater privacy. Depending on your threat model, you may need to install Whonix templates right away.
+
+Regardless of your choices on this screen, you will always be able to install these and other [templates](/doc/templates/) later. If you're short on disk space, you may wish to deselect these options.
+
+By default, Qubes OS comes preinstalled with the lightweight Xfce4 desktop environment. Other desktop environments will be available to you after the installation is completed, though they may not be officially supported (see [advanced topics](/doc/#advanced-topics)).
+
+Press **Done** to go back to the installation summary screen.
+
+### Installation destination
+
+Under the System section, you must choose the installation destination. Select the storage device on which you would like to install Qubes OS.
+
+
+
+ Warning: Be careful to choose the correct installation target, or you may lose data. We strongly recommended making a full backup before proceeding.
+
+
+Your installation destination can be an internal or external storage drive, such as an SSD, HDD, or USB drive. The installation destination must have a least 32 GiB of free space available.
+
+
+
+ Note: The installation destination cannot be the same as the installation medium. For example, if you're installing Qubes OS from a USB drive onto a USB drive, they must be two distinct USB drives, and they must both be plugged into your computer at the same time. (Note: This may not apply to advanced users who partition their devices appropriately.)
+
+
+Installing an operating system onto a USB drive can be a convenient way to try Qubes. However, USB drives are typically much slower than internal SSDs. We recommend a very fast USB 3.0 drive for decent performance. Please note that a minimum storage of 32 GiB is required. If you want to install Qubes OS onto a USB drive, just select the USB device as the target installation device. Bear in mind that the installation process is likely to take longer than it would on an internal storage device.
+
+[![Select storage device](/attachment/doc/select-storage-device.png)](/attachment/doc/select-storage-device.png)
+
+
+
+
Did you know? By default, Qubes OS uses
LUKS/
dm-crypt to encrypt everything except the
/boot
partition.
+
+
+As soon as you press **Done**, the installer will ask you to enter a passphrase for disk encryption. The passphrase should be complex. Make sure that your keyboard layout reflects what keyboard you are actually using. When you're finished, press **Done**.
+
+
+
+ Warning: If you forget your encryption passphrase, there is no way to recover it.
+
+
+[![Select storage passhprase](/attachment/doc/select-storage-passphrase.png)](/attachment/doc/select-storage-passphrase.png)
+
+When you're ready, press **Begin Installation**.
+
+[![Installation summary ready](/attachment/doc/installation-summary-ready.png)](/attachment/doc/installation-summary-ready.png)
+
+### Create your user account
+
+While the installation process is running, you can create your user account. This is what you'll use to log in after disk decryption and when unlocking the screen locker. This is a purely local, offline account in dom0. By design, Qubes OS is a single-user operating system, so this is just for you.
+
+Select **User Creation** to define a new user with administrator privileges and a password. Just as for the disk encryption, this password should be complex. The root account is deactivated and should remain as such.
+
+[![Account name and password](/attachment/doc/account-name-and-password.png)](/attachment/doc/account-name-and-password.png)
+
+When the installation is complete, press **Reboot**. Don't forget to remove the installation medium, or else you may end up seeing the installer boot screen again.
+
+## Post-installation
+
+### First boot
+
+If the installation was successful, you should now see the GRUB menu during the boot process.
+
+[![Grub boot menu](/attachment/doc/grub-boot-menu.png)](/attachment/doc/grub-boot-menu.png)
+
+Just after this screen, you will be asked to enter your encryption passphrase.
+
+[![Unlock storage device screen](/attachment/doc/unlock-storage-device-screen.png)](/attachment/doc/unlock-storage-device-screen.png)
+
+### Initial Setup
+
+You're almost done. Before you can start using Qubes OS, some configuration is needed.
+
+[![Initial setup menu](/attachment/doc/initial-setup-menu.png)](/attachment/doc/initial-setup-menu.png)
+
+By default, the installer will create a number of qubes (depending on the options you selected during the installation process). These are designed to give you a more ready-to-use environment from the get-go.
+
+[![Initial setup menu configuration](/attachment/doc/initial-setup-menu-configuration.png)](/attachment/doc/initial-setup-menu-configuration.png)
+
+Let's briefly go over the options:
+
+* **Create default system qubes:** These are the core components of the system, required for things like internet access.
+* **Create default application qubes:** These are how you compartmentalize your digital life. There's nothing special about the ones the installer creates. They're just suggestions that apply to most people. If you decide you don't want them, you can always delete them later, and you can always create your own.
+* **Create Whonix Gateway and Workstation qubes:** If you want to use Whonix, you should select this option.
+ * **Enabling system and template updates over the Tor anonymity network using Whonix:** If you select this option, then whenever you install or update software in dom0 or a template, the internet traffic will go through Tor.
+* **Create USB qube holding all USB controllers:** Just like the network qube for the network stack, the USB qube isolates the USB controllers.
+ * **Use sys-net qube for both networking and USB devices:** You should select this option if you rely on a USB device for network access, such as a USB modem or a USB Wi-Fi adapter.
+* **Do not configure anything:** This is for very advanced users only. If you select this option, you'll have to set everything up manually afterward.
+
+When you're satisfied with you choices, press **Done**. This configuration process may take a while, depending on the speed and compatibility of your system.
+
+After the configuration is done, you will be greeted by the login screen. Enter your password and log in.
+
+[![Login screen](/attachment/doc/login-screen.png)](/attachment/doc/login-screen.png)
+
+Congratulations, you are now ready to use Qubes OS!
+
+[![Desktop menu](/attachment/doc/desktop-menu.png)](/attachment/doc/desktop-menu.png)
+
+## Next steps
+
+### Updating
+
+Next, [update](/doc/how-to-update/) your installation to ensure you have the latest security updates. Frequently updating is one of the best ways to remain secure against new threats.
+
+### Security
+
+The Qubes OS Project occasionally issues [Qubes Security Bulletins (QSBs)](/security/qsb/) as part of the [Qubes Security Pack (qubes-secpack)](/security/pack/). It is important to make sure that you receive all QSBs in a timely manner so that you can take action to keep your system secure. (While [updating](#updating) will handle most security needs, there may be cases in which additional action from you is required.) For this reason, we strongly recommend that every Qubes user subscribe to the [qubes-announce](/support/#qubes-announce) mailing list.
+
+In addition to QSBs, the Qubes OS Project also publishes [Canaries](/security/canary/), XSA summaries, template releases and end-of-life notices, and other items of interest to Qubes users. Since these are not essential for all Qubes users to read, they are not sent to [qubes-announce](/support/#qubes-announce) in order to keep the volume on that list low. However, we expect that most users, especially novice users, will find them helpful. If you are interested in these additional items, we encourage you to subscribe to the [Qubes News RSS feed](/feed.xml) or join one of our other [venues](/support/), where these news items are also announced.
+
+For more information about Qubes OS Project security, please see the [security center](/security/).
+
+### Backups
+
+It is extremely important to make regular backups so that you don't lose your data unexpectedly. The [Qubes backup system](/doc/how-to-back-up-restore-and-migrate/) allows you to do this securely and easily.
+
+### Submit your HCL report
+
+Consider giving back to the Qubes community and helping other users by [generating and submitting a Hardware Compatibility List (HCL) report](/doc/how-to-use-the-hcl/#generating-and-submitting-new-reports).
+
+### Get Started
+
+Find out [Getting Started](/doc/getting-started/) with Qubes, check out the other [How-To Guides](/doc/#how-to-guides), and learn about [Templates](/doc/#templates).
+
+## Getting help
+
+* We work very hard to make the [documentation](/doc/) accurate, comprehensive useful and user friendly. We urge you to read it! It may very well contain the answers to your questions. (Since the documentation is a community effort, we'd also greatly appreciate your help in [improving](/doc/how-to-edit-the-documentation/) it!)
+
+* If issues arise during installation, see the [Installation Troubleshooting](/doc/installation-troubleshooting) guide.
+
+* If you don't find your answer in the documentation, please see [Help, Support, Mailing Lists, and Forum](/support/) for places to ask.
+
+* Please do **not** email individual members of the Qubes team with questions about installation or other problems. Instead, please see [Help, Support, Mailing Lists, and Forum](/support/) for appropriate places to ask questions.
diff --git a/user/downloading-installing-upgrading/installation-guide.md b/user/downloading-installing-upgrading/installation-guide.md
index 6c9361ad..7b755c34 100644
--- a/user/downloading-installing-upgrading/installation-guide.md
+++ b/user/downloading-installing-upgrading/installation-guide.md
@@ -111,19 +111,21 @@ Once you access your computer's BIOS or UEFI menu, you'll want to go to the "boo
Once you're done on the boot menu, save your changes. How you do this depends on your BIOS or UEFI, but the instructions should be displayed right there on the screen or in a nearby tab. (If you're not sure whether you've saved your changes correctly, you can always reboot your computer and go back into the boot menu to check whether it still reflects your changes.) Once your BIOS or UEFI is configured the way you want it, reboot your computer. This time, don't press any special keys. Instead, let the BIOS or UEFI load and let your computer boot from your USB drive. If you're successful in this step, after a few seconds you'll be presented with the Qubes installer screen:
-[![Boot screen](/attachment/doc/boot-screen.png)](/attachment/doc/boot-screen.png)
+[![Boot screen](/attachment/doc/boot-screen-4.2.png)](/attachment/doc/boot-screen-4.2.png)
-From here, you can navigate the boot screen using the arrow keys on your keyboard. Pressing the "Tab" key will reveal options. You can choose one of three options:
+From here, you can navigate the boot screen using the arrow keys on your keyboard. Pressing the "Tab" key will reveal options. You can choose one of five options:
* Install Qubes OS
* Test this media and install Qubes OS
-* Troubleshooting
+* Troubleshooting - verbose boot
+* Rescue a Qubes SO system
+* Install Qubes OS 4.2.1 using kernel-latest
Select the option to test this media and install Qubes OS.
-
Note: If the latest stable release is not compatible with your hardware, you may wish to consider
testing a newer release.
+
Note: If the latest stable release is not compatible with your hardware, you may wish to consider installing using the latest kernel. Be aware that this has not been as well testes as the standard kernel.
If the boot screen does not appear, there are several options to troubleshoot. First, try rebooting your computer. If it still loads your currently installed operating system or does not detect your installation medium, make sure the boot order is set up appropriately. The process to change the boot order varies depending on the currently installed system and the motherboard manufacturer. If **Windows 10** is installed on your machine, you may need to follow specific instructions to change the boot order. This may require an [advanced reboot](https://support.microsoft.com/en-us/help/4026206/windows-10-find-safe-mode-and-other-startup-settings).
@@ -132,7 +134,7 @@ If the boot screen does not appear, there are several options to troubleshoot. F
On the first screen, you are asked to select the language that will be used during the installation process. When you are done, select **Continue**.
-[![welcome](/attachment/doc/welcome-to-qubes-os-installation-screen.png)](/attachment/doc/welcome-to-qubes-os-installation-screen.png)
+[![Language selection window](/attachment/doc/welcome-to-qubes-os-installation-screen-4.2.png)](/attachment/doc/welcome-to-qubes-os-installation-screen-4.2.png)
Prior to the next screen, a compatibility test runs to check whether IOMMU-virtualization is active or not. If the test fails, a window will pop up.
@@ -153,7 +155,7 @@ Like Fedora, Qubes OS uses the Anaconda installer. Those that are familiar with
The Installation summary screen allows you to change how the system will be installed and configured, including localization settings. At minimum, you are required to select the storage device on which Qubes OS will be installed.
-[![Installation summary not ready](/attachment/doc/installation-summary-not-ready.png)](/attachment/doc/installation-summary-not-ready.png)
+[![Installation summary screen awaiting input ](/attachment/doc/installation-summary-not-ready-4.2.png)](/attachment/doc/installation-summary-not-ready-4.2.png)
### Localization
@@ -170,24 +172,6 @@ You can have as many keyboard layout and languages as you want. Post-install, yo
Don't forget to select your time and date by clicking on the Time & Date entry.
[![Time and date](/attachment/doc/time-and-date.png)](/attachment/doc/time-and-date.png)
-
-### Software
-
-[![Add-ons](/attachment/doc/add-ons.png)](/attachment/doc/add-ons.png)
-
-On the software selection tab, you can choose which software to install in Qubes OS. Two options are available:
-
-* **Debian:** Select this option if you would like to use [Debian](/doc/templates/debian/) qubes in addition to the default Fedora qubes.
-* **Whonix:** Select this option if you would like to use [Whonix](https://www.whonix.org/wiki/Qubes) qubes. Whonix allows you to use [Tor](https://www.torproject.org/) securely within Qubes.
-
-Whonix lets you route some or all of your network traffic through Tor for greater privacy. Depending on your threat model, you may need to install Whonix templates right away.
-
-Regardless of your choices on this screen, you will always be able to install these and other [templates](/doc/templates/) later. If you're short on disk space, you may wish to deselect these options.
-
-By default, Qubes OS comes preinstalled with the lightweight Xfce4 desktop environment. Other desktop environments will be available to you after the installation is completed, though they may not be officially supported (see [advanced topics](/doc/#advanced-topics)).
-
-Press **Done** to go back to the installation summary screen.
-
### Installation destination
Under the System section, you must choose the installation destination. Select the storage device on which you would like to install Qubes OS.
@@ -206,7 +190,7 @@ Your installation destination can be an internal or external storage drive, such
Installing an operating system onto a USB drive can be a convenient way to try Qubes. However, USB drives are typically much slower than internal SSDs. We recommend a very fast USB 3.0 drive for decent performance. Please note that a minimum storage of 32 GiB is required. If you want to install Qubes OS onto a USB drive, just select the USB device as the target installation device. Bear in mind that the installation process is likely to take longer than it would on an internal storage device.
-[![Select storage device](/attachment/doc/select-storage-device.png)](/attachment/doc/select-storage-device.png)
+[![Select storage device screen](/attachment/doc/select-storage-device-4.2.png)](/attachment/doc/select-storage-device-4.2.png)
@@ -220,21 +204,22 @@ As soon as you press **Done**, the installer will ask you to enter a passphrase
Warning: If you forget your encryption passphrase, there is no way to recover it.
-[![Select storage passhprase](/attachment/doc/select-storage-passphrase.png)](/attachment/doc/select-storage-passphrase.png)
-
-When you're ready, press **Begin Installation**.
-
-[![Installation summary ready](/attachment/doc/installation-summary-ready.png)](/attachment/doc/installation-summary-ready.png)
+[![Select storage passphrase](/attachment/doc/select-storage-passphrase.png)](/attachment/doc/select-storage-passphrase.png)
### Create your user account
-While the installation process is running, you can create your user account. This is what you'll use to log in after disk decryption and when unlocking the screen locker. This is a purely local, offline account in dom0. By design, Qubes OS is a single-user operating system, so this is just for you.
+Select "User Creation" to create your user account. This is what you'll use to log in after disk decryption and when unlocking the screen locker. This is a purely local, offline account in dom0. By design, Qubes OS is a single-user operating system, so this is just for you.
-Select **User Creation** to define a new user with administrator privileges and a password. Just as for the disk encryption, this password should be complex. The root account is deactivated and should remain as such.
+The new user you create has full administrator privileges and is protected by a password. Just as for the disk encryption, this password should be complex. The root account is deactivated and should remain as such.
-[![Account name and password](/attachment/doc/account-name-and-password.png)](/attachment/doc/account-name-and-password.png)
+[![Account name and password creation window. ](/attachment/doc/account-name-and-password-4.2.png)](/attachment/doc/account-name-and-password-4.2.png)
-When the installation is complete, press **Reboot**. Don't forget to remove the installation medium, or else you may end up seeing the installer boot screen again.
+### Installation
+When you have completed all the items marked with the warning icon, press **Begin Installation**.
+
+Installation can take some time.
+[![Windows showing installation complete and Reboot button. ](/attachment/doc/installation-complete-4.2.png)](/attachment/doc/installation-complete-4.2.png)
+When the installation is complete, press **Reboot System**. Don't forget to remove the installation medium, or else you may end up seeing the installer boot screen again.
## Post-installation
@@ -246,31 +231,32 @@ If the installation was successful, you should now see the GRUB menu during the
Just after this screen, you will be asked to enter your encryption passphrase.
-[![Unlock storage device screen](/attachment/doc/unlock-storage-device-screen.png)](/attachment/doc/unlock-storage-device-screen.png)
+[![Screen to enter device decryption password](/attachment/doc/unlock-storage-device-screen-4.2.png)](/attachment/doc/unlock-storage-device-screen-4.2.png)
### Initial Setup
You're almost done. Before you can start using Qubes OS, some configuration is needed.
-[![Initial setup menu](/attachment/doc/initial-setup-menu.png)](/attachment/doc/initial-setup-menu.png)
+[![Window with link for final configuration ](/attachment/doc/initial-setup-menu-4.2.png)](/attachment/doc/initial-setup-menu-4.2.png)
+Click on the item marked with the warning triangle to enter the configuration screen.
+[![Initial configuration menu](/attachment/doc/initial-setup-menu-configuration-4.2.png)](/attachment/doc/initial-setup-menu-configuration-4.2.png)
By default, the installer will create a number of qubes (depending on the options you selected during the installation process). These are designed to give you a more ready-to-use environment from the get-go.
-[![Initial setup menu configuration](/attachment/doc/initial-setup-menu-configuration.png)](/attachment/doc/initial-setup-menu-configuration.png)
-
Let's briefly go over the options:
-* **Create default system qubes:** These are the core components of the system, required for things like internet access.
+* **Templates Configuration:** Here you can decide which [templates](../templates/) you want to have installed, and which will be the default template.
+* **Create default system qubes:** These are the core components of the system, required for things like internet access. You can opt to have some created as [disposables](../glossary#disposable)
* **Create default application qubes:** These are how you compartmentalize your digital life. There's nothing special about the ones the installer creates. They're just suggestions that apply to most people. If you decide you don't want them, you can always delete them later, and you can always create your own.
-* **Create Whonix Gateway and Workstation qubes:** If you want to use Whonix, you should select this option.
- * **Enabling system and template updates over the Tor anonymity network using Whonix:** If you select this option, then whenever you install or update software in dom0 or a template, the internet traffic will go through Tor.
-* **Create USB qube holding all USB controllers:** Just like the network qube for the network stack, the USB qube isolates the USB controllers.
+* **Use a qube to hold all USB controllers:** Just like the network qube for the network stack, the USB qube isolates the USB controllers.
* **Use sys-net qube for both networking and USB devices:** You should select this option if you rely on a USB device for network access, such as a USB modem or a USB Wi-Fi adapter.
-* **Do not configure anything:** This is for very advanced users only. If you select this option, you'll have to set everything up manually afterward.
+* **Create Whonix Gateway and Workstation qubes:** If you want to use [Whonix](https://www.whonix.org/wiki/Qubes), you should select this option.
+ * **Enabling system and template updates over the Tor anonymity network using Whonix:** If you select this option, then whenever you install or update software in dom0 or a template, the internet traffic will go through Tor.
+* **Do not configure anything:** This is for very advanced users only. If you select this option, you will have to manually set up everything.
-When you're satisfied with you choices, press **Done**. This configuration process may take a while, depending on the speed and compatibility of your system.
+When you're satisfied with your choices, press **Done**. This configuration process may take a while, depending on the speed and compatibility of your system.
-After the configuration is done, you will be greeted by the login screen. Enter your password and log in.
+After configuration is done, you will be greeted by the login screen. Enter your password and log in.
[![Login screen](/attachment/doc/login-screen.png)](/attachment/doc/login-screen.png)
@@ -313,3 +299,4 @@ Find out [Getting Started](/doc/getting-started/) with Qubes, check out the othe
* If you don't find your answer in the documentation, please see [Help, Support, Mailing Lists, and Forum](/support/) for places to ask.
* Please do **not** email individual members of the Qubes team with questions about installation or other problems. Instead, please see [Help, Support, Mailing Lists, and Forum](/support/) for appropriate places to ask questions.
+
diff --git a/user/downloading-installing-upgrading/supported-releases.md b/user/downloading-installing-upgrading/supported-releases.md
index 977806e0..5bbcf993 100644
--- a/user/downloading-installing-upgrading/supported-releases.md
+++ b/user/downloading-installing-upgrading/supported-releases.md
@@ -57,8 +57,8 @@ It is the responsibility of each distribution to clearly notify its users in adv
| Qubes OS | Fedora | Debian |
| ----------- | ------ | ------ |
-| Release 4.1 | 38 | 11, 12 |
-| Release 4.2 | 38 | 12 |
+| Release 4.1 | 38, 39 | 11, 12 |
+| Release 4.2 | 38, 39 | 12 |
### Note on Debian support
diff --git a/user/hardware/certified-hardware.md b/user/hardware/certified-hardware.md
index 42afb236..dbe50dd3 100644
--- a/user/hardware/certified-hardware.md
+++ b/user/hardware/certified-hardware.md
@@ -23,49 +23,55 @@ You may also be interested in the [community-recommended hardware](https://forum
Qubes-certified computers are certified for a [major release](/doc/version-scheme/) and regularly tested by the Qubes developers to ensure compatibility with all of Qubes' features within that major release. The developers test all new updates within that major release to ensure that no regressions are introduced.
-The current Qubes-certified models are listed below in chronological order of certification.
+The current Qubes-certified models are listed below in reverse chronological order of certification.
-### Insurgo PrivacyBeast X230
+### NitroPC Pro 2
-[![Photo of the Insurgo PrivacyBeast X230](/attachment/site/insurgo-privacybeast-x230.png)](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/)
+[![Photo of the NitroPC Pro 2](/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/nitropc-pro-2-523)
-The [Insurgo PrivacyBeast X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) is a laptop based on the ThinkPad X230. It is certified for Qubes OS 4.X.
-
-### NitroPad X230
-
-[![Photo of the NitroPad X230](/attachment/site/nitropad-x230.jpg)](https://shop.nitrokey.com/shop/product/nitropad-x230-67)
-
-The [NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67) is a laptop based on the ThinkPad X230. It is certified for Qubes OS 4.X.
-
-### NitroPad T430
-
-[![Photo of the NitroPad T430](/attachment/site/nitropad-t430.jpg)](https://shop.nitrokey.com/shop/product/nitropad-t430-119)
-
-The [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119) is a laptop based on the ThinkPad T430. It is certified for Qubes OS 4.X.
-
-### Dasharo FidelisGuard Z690
-
-[![Photo of the Dasharo FidelisGuard Z690](/attachment/site/dasharo-fidelisguard-z690.jpg)](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
-
-The [Dasharo FidelisGuard Z690](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) is a desktop based on the MSI PRO Z690-A DDR4 motherboard. It is certified for Qubes OS 4.X.
-
-### NovaCustom NV41 Series
-
-[![Photo of the NovaCustom NV41 Series](/attachment/site/novacustom-nv41-series.png)](https://novacustom.com/product/nv41-series/)
-
-The [NovaCustom NV41 Series](https://novacustom.com/product/nv41-series/) is a 14-inch custom laptop. It is certified for Qubes OS 4.X.
-
-### NitroPC Pro
-
-[![Photo of the NitroPC Pro](/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/product/nitropc-pro-523)
-
-The [NitroPC Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523) is a desktop based on the MSI PRO Z690-A DDR5 motherboard. It is certified for Qubes OS 4.X.
+The [NitroPC Pro 2](https://shop.nitrokey.com/shop/nitropc-pro-2-523) is a desktop based on the MSI PRO Z790-P DDR5 motherboard. It is certified for Qubes OS 4.
### Star Labs StarBook
[![Photo of the Star Labs StarBook](/attachment/site/starlabs-starbook.png)](https://starlabs.systems/pages/starbook)
-The [Star Labs StarBook](https://starlabs.systems/pages/starbook) is a 14-inch laptop. It is certified for Qubes OS 4.X.
+The [Star Labs StarBook](https://starlabs.systems/pages/starbook) is a 14-inch laptop. It is certified for Qubes OS 4.
+
+### NitroPC Pro
+
+[![Photo of the NitroPC Pro](/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/product/nitropc-pro-523)
+
+The [NitroPC Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523) is a desktop based on the MSI PRO Z690-A DDR5 motherboard. It is certified for Qubes OS 4.
+
+### NovaCustom NV41 Series
+
+[![Photo of the NovaCustom NV41 Series](/attachment/site/novacustom-nv41-series.png)](https://novacustom.com/product/nv41-series/)
+
+The [NovaCustom NV41 Series](https://novacustom.com/product/nv41-series/) is a 14-inch custom laptop. It is certified for Qubes OS 4.
+
+### Dasharo FidelisGuard Z690
+
+[![Photo of the Dasharo FidelisGuard Z690](/attachment/site/dasharo-fidelisguard-z690.jpg)](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
+
+The [Dasharo FidelisGuard Z690](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) is a desktop based on the MSI PRO Z690-A DDR4 motherboard. It is certified for Qubes OS 4.
+
+### NitroPad T430
+
+[![Photo of the NitroPad T430](/attachment/site/nitropad-t430.jpg)](https://shop.nitrokey.com/shop/product/nitropad-t430-119)
+
+The [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119) is a laptop based on the ThinkPad T430. It is certified for Qubes OS 4.
+
+### NitroPad X230
+
+[![Photo of the NitroPad X230](/attachment/site/nitropad-x230.jpg)](https://shop.nitrokey.com/shop/product/nitropad-x230-67)
+
+The [NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67) is a laptop based on the ThinkPad X230. It is certified for Qubes OS 4.
+
+### Insurgo PrivacyBeast X230
+
+[![Photo of the Insurgo PrivacyBeast X230](/attachment/site/insurgo-privacybeast-x230.png)](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/)
+
+The [Insurgo PrivacyBeast X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) is a laptop based on the ThinkPad X230. It is certified for Qubes OS 4.
## Become hardware certified
diff --git a/user/reference/glossary.md b/user/reference/glossary.md
index 3e2c010d..98649dd4 100644
--- a/user/reference/glossary.md
+++ b/user/reference/glossary.md
@@ -128,10 +128,22 @@ example, it is common for the net qube of an [app qube](#app-qube) to be the
[service qube](#service-qube) `sys-firewall`, which in turn uses `sys-net` as
its net qube.
+* If a qube does not have a net qube (i.e., its `netvm` is set to `None`), then
+ that qube is offline. It is disconnected from all networking.
+
* The name `netvm` derives from "Networking Virtual Machine." Before Qubes 4.0,
there was a type of [service qube](#service-qube) called a "NetVM." The name
of the `netvm` property is a holdover from that era.
+## policies
+
+In Qubes OS, "policies" govern interactions between qubes, powered by [Qubes' qrexec system](https://www.qubes-os.org/doc/qrexec/).
+A single policy is a rule applied to a qube or set of qubes, that governs how and when information or assets may be shared with other qubes.
+An example is the rules governing how files can be copied between qubes.
+Policy rules are grouped together in files under `/etc/qubes/policy.d`
+Policies are an important part of what makes Qubes OS special.
+
+
## qube
A secure compartment in Qubes OS. Currently, qubes are implemented as Xen
@@ -145,8 +157,7 @@ still be called "qubes."
* Note that starting a sentence with the plural of "qube" (i.e., "Qubes...")
can be ambiguous, since it may not be clear whether the referent is a
- plurality of qubes or [Qubes OS](#qubes-os). You may wish to rephrase
- sentences in order to avoid this ambiguity.
+ plurality of qubes or [Qubes OS](#qubes-os).
* Example usage: "In Qubes OS, you do your banking in your 'banking' qube and
your web surfing in your 'untrusted' qube. That way, if your 'untrusted' qube
@@ -210,5 +221,5 @@ See [Templates](/doc/templates/).
## VM
-An abbreviation for "virtual machine." A software implementation of a machine
-(for example, a computer) that executes programs like a physical machine.
+An abbreviation for "virtual machine." A software implementation of a computer
+that provides the functionality of a physical machine.
diff --git a/user/security-in-qubes/firewall.md b/user/security-in-qubes/firewall.md
index 3cb7c42b..d4597e39 100644
--- a/user/security-in-qubes/firewall.md
+++ b/user/security-in-qubes/firewall.md
@@ -66,12 +66,16 @@ Normally Qubes doesn't let the user stop a NetVM if there are other qubes runnin
But in case the NetVM stops for whatever reason (e.g. it crashes, or the user forces its shutdown via qvm-kill via terminal in Dom0), Qubes R4.x will often automatically repair the connection.
If it does not, then there is an easy way to restore the connection to the NetVM by issuing in dom0:
-` qvm-prefs netvm `
+```
+qvm-prefs netvm
+```
Normally qubes do not connect directly to the actual NetVM (sys-net by default) which has networking devices, but rather to the default sys-firewall first, and in most cases it would be the NetVM that will crash, e.g. in response to S3 sleep/restore or other issues with WiFi drivers.
In that case it is only necessary to issue the above command once, for the sys-firewall (this assumes default VM-naming used by the default Qubes installation):
-` qvm-prefs sys-firewall netvm sys-net `
+```
+qvm-prefs sys-firewall netvm sys-net
+```
Network service qubes
---------------------
@@ -304,12 +308,12 @@ nft add rule qubes custom-forward iif == "ens6" ip saddr 192.168.x.y/24 ip daddr
> Note: If you do not wish to limit the IP addresses connecting to the service, remove `ip saddr 192.168.x.y/24` from the rules
-> If you want to expose the service on multiple interfaces, repeat the steps 2 and 3 described above, for each interface.
+> If you want to expose the service on multiple interfaces, repeat the steps 2 and 3 described above, for each interface. Alternatively, you can leave out the interface completely.
Verify the rules on sys-net firewall correctly match the packets you want by looking at its counters, check for the counter lines in the chains `custom-forward` and `custom-dnat-qubeDEST`:
```
-nft list table ip qubes-firewall
+nft list table ip qubes
```
In this example, we can see 7 packets in the forward rule, and 3 packets in the dnat rule:
@@ -331,7 +335,7 @@ chain custom-dnat-qubeDEST {
telnet 192.168.x.n 443
```
-Once you have confirmed that the counters increase, store the commands used in the previous steps in `/rw/config/rc.local` so they get set on sys-net start-up:
+Once you have confirmed that the counters increase, store the commands used in the previous steps in `/rw/config/qubes-firewall-user-script` so they get set on sys-net start-up:
```
[user@sys-net user]$ sudo -i
diff --git a/user/security-in-qubes/vm-sudo.md b/user/security-in-qubes/vm-sudo.md
index 7141102d..3001c367 100644
--- a/user/security-in-qubes/vm-sudo.md
+++ b/user/security-in-qubes/vm-sudo.md
@@ -10,7 +10,7 @@ ref: 165
title: Passwordless root access in qubes
---
-Background (`/etc/sudoers.d/qubes` in VM):
+The background to passswordless root access is summarised in this statement, that used to be found at `/etc/sudoers.d/qubes` in each qube:
```
user ALL=(ALL) NOPASSWD: ALL
@@ -59,59 +59,31 @@ user ALL=(ALL) NOPASSWD: ALL
#
# joanna.
```
+The core of this statement continues to reflect the views of the Qubes developers.
-Below is a complete list of configuration made according to the above statement, with (not necessary complete) list of mechanisms depending on each of them:
+Passwordless root is provided by the `qubes-core-agent-passwordless-root` package.
+Details of the implementation are [here](/doc/vm-sudo-implementation).
-1. sudo (`/etc/sudoers.d/qubes`):
+[Minimal templates](/doc/templates/minimal/), which are intended for use by advanced users, do not have this package installed by default.
- ```
- user ALL=(ALL) NOPASSWD: ALL
- (...)
- ```
+Replacing passwordless root access
+----------------------------------
- - Easy user -> root access (main option for the user).
- - `qvm-usb` (not really working, as of R2).
+Some users may wish to modify their system by enabling user/root isolation in qubes.
+We do not support this in any packages, but users are free to remove the qubes-core-agent-passwordless-root package if they wish, using standard packaging tools.
-2. PolicyKit (`/etc/polkit-1/rules.d/00-qubes-allow-all.rules`):
-
- ```
- //allow any action, detailed reasoning in sudoers.d/qubes
- polkit.addRule(function(action,subject) { return polkit.Result.YES; });
- ```
-
- and `/etc/polkit-1/localauthority/50-local.d/qubes-allow-all.pkla`:
-
- ```
- [Qubes allow all]
- Identity=*
- Action=*
- ResultAny=yes
- ResultInactive=yes
- ResultActive=yes
- ```
-
- - NetworkManager configuration from normal user (`nm-applet`).
- - Updates installation (`gpk-update-viewer`).
- - User can use pkexec just like sudo Note: above is needed mostly because Qubes user GUI session isn't treated by PolicyKit/logind as "local" session because of the way in which X server and session is started.
- Perhaps we will address this issue in the future, but this is really low priority.
- Patches welcomed anyway.
-
-3. Empty root password:
- - Used for access to 'root' account from text console (`qvm-console-dispvm`) - the only way to access the VM when GUI isn't working.
- - Can be used for easy 'su -' from user to root.
+Root access can then be gained from dom0 by (e.g) `qvm-run -u root QUBE qubes-run-terminal`, or `qvm-console-dispvm QUBE`.
Replacing passwordless root access with Dom0 user prompt
--------------------------------------------------------
-While the Qubes developers support the statement above, some Qubes users may wish to enable user/root isolation in VMs anyway.
-We do not support this in any of our packages, but of course nothing is preventing a user from modifying his or her own system.
-A list of steps to do so is provided in the [Qubes community guide, Replacing passwordless root with a dom0 prompt
-](https://forum.qubes-os.org/t/replacing-passwordless-root-with-a-dom0-prompt/19074) **without any guarantee of safety, accuracy, or completeness.
+An alternative approach is to enable user/root isolation by using a dom0 generated prompt.
+A list of steps to do so is provided in the [Qubes community guide, Replacing passwordless root with a dom0 prompt](https://forum.qubes-os.org/t/replacing-passwordless-root-with-a-dom0-prompt/19074) **without any guarantee of safety, accuracy, or completeness.
Proceed at your own risk.
Do not rely on this for extra security.**
Dom0 passwordless root access
-----------------------------
-There is also passwordless user->root access in dom0.
-As stated in the comment in sudo configuration there (which is different from the one in individual qubes), there is really no point in user/root isolation, because all the user data (and VM management interface) is already accessible from dom0 user level, so there is nothing more to get from dom0 root account.
+There is also passwordless user->root access in dom0.
+As stated in the comment in `/etc/sudoers.d/qubes` there is really no point in user/root isolation in dom0, because all user data (and the whole Qubes management interface) is already accessible to the user, so there is nothing more to be gained from the dom0 root account.
diff --git a/user/templates/fedora/fedora-upgrade.md b/user/templates/fedora/fedora-upgrade.md
index 2529e1de..2d5dad90 100644
--- a/user/templates/fedora/fedora-upgrade.md
+++ b/user/templates/fedora/fedora-upgrade.md
@@ -51,6 +51,7 @@ If you wish to install a new, unmodified Fedora template instead of upgrading a
[user@dom0 ~]$ qvm-shutdown fedora-
[user@dom0 ~]$ sudo losetup -d $dev
[user@dom0 ~]$ rm /var/tmp/template-upgrade-cache.img
+[user@dom0 ~]$ qvm-features fedora- template-name fedora-
```
**Recommended:** [Switch everything that was set to the old template to the new template.](/doc/templates/#switching)
@@ -159,15 +160,21 @@ The same general procedure may be used to upgrade any template based on the stan
[user@dom0 ~]$ rm /var/tmp/template-upgrade-cache.img
```
-8. (Recommended) [Switch everything that was set to the old template to the new template.](/doc/templates/#switching)
+8. Set the template-name, which is used by the Qubes updater.
-9. (Optional) Make the new template the global default.
+ ```
+ [user@dom0 ~]$ qvm-features fedora- template-name fedora-
+ ```
+
+9. (Recommended) [Switch everything that was set to the old template to the new template.](/doc/templates/#switching)
+
+10. (Optional) Make the new template the global default.
```
[user@dom0 ~]$ qubes-prefs --set default_template fedora-
```
-10. (Optional) [Uninstall the old template.](/doc/templates/#uninstalling)
+11. (Optional) [Uninstall the old template.](/doc/templates/#uninstalling)
Make sure that the template you're uninstalling is the old one, not the new one!
## Summary instructions for Fedora Minimal templates
@@ -180,6 +187,7 @@ The same general procedure may be used to upgrade any template based on the stan
[root@fedora--minimal ~]# dnf clean all
[user@fedora--minimal ~]# dnf --releasever= --best --allowerasing distro-sync
[user@fedora--minimal ~]# fstrim -v /
+[user@dom0 ~]$ qvm-features fedora--minimal template-name fedora-
```
(Shut down template by any normal means.)
diff --git a/user/templates/minimal-templates.md b/user/templates/minimal-templates.md
index 6fd7aa9f..2e7c934e 100644
--- a/user/templates/minimal-templates.md
+++ b/user/templates/minimal-templates.md
@@ -144,7 +144,7 @@ list of packages to be installed):
(which is normally `sys-firewall`).
- NetVM, such as the template for `sys-net`: `qubes-core-agent-networking`
`qubes-core-agent-network-manager` `NetworkManager-wifi`
- `network-manager-applet` `wireless-tools` `notification-daemon`
+ `network-manager-applet` `notification-daemon`
`gnome-keyring` `polkit` `@hardware-support`. If your network devices need
extra packages for the template to work as a network VM, use the `lspci`
command to identify the devices, then run `dnf search firmware` (replace
@@ -165,6 +165,8 @@ list of packages to be installed):
- `default-mgmt-dvm`: requires `qubes-core-agent-passwordless-root` and
`qubes-mgmt-salt-vm-connector`.
+To manage fedora-39-minimal templates with salt, you may need to install `python3-urllib3` in older versions of the template. (This package is already installed in recent builds: see [discussion](https://github.com/QubesOS/qubes-issues/issues/8806).)
+
In Qubes 4.0, additional packages from the `qubes-core-agent` suite may be
needed to make the customized minimal template work properly. These packages
are:
@@ -324,7 +326,7 @@ list of packages to be installed):
if you want to use it as the `UpdateVM` (which is normally `sys-firewall`).
- NetVM, such as the template for `sys-net`: `qubes-core-agent-networking`
`qubes-core-agent-network-manager` `NetworkManager-wifi`
- `network-manager-applet` `wireless-tools` `notification-daemon`
+ `network-manager-applet` `notification-daemon`
`gnome-keyring`. If your network devices need extra packages for a network
VM, use the `lspci` command to identify the devices, then find the package
that provides necessary firnware and install it. If you need utilities for
diff --git a/user/templates/templates.md b/user/templates/templates.md
index bab15cb9..2f7ac64a 100644
--- a/user/templates/templates.md
+++ b/user/templates/templates.md
@@ -273,6 +273,15 @@ new template:
old template by clicking on the first one, holding shift, then clicking on
the last one. With multiple qubes selected, right-click on any of them,
hover your cursor over Template, then click on the new template.
+ Or in the `System` menu select `Manage templates for qubes`, select
+ any qubes using the old template and update them to the new template
+ using the drop down menu.
+
+4. **Change the template for the default-mgmt-dvm** If the old template
+ was used for management qubes, then you should change the template.
+ This is an *internal* qube which does not appear by default in the Qube manager.
+ In the `System` menu select `Manage templates for qubes`, and you will see the *default-mgmt-dvm* qube.
+ Change the template used for this disposable template to the new template.
## Advanced