From e86436d0234228b5dce32b9d35f12045eb634494 Mon Sep 17 00:00:00 2001 From: Francis King Date: Mon, 24 Mar 2025 16:08:35 +0000 Subject: [PATCH 1/2] Added some extra text and an example In a discussion on Qubes OS forum, it was decided that I should add some extra text about the netmask, and an example for Network Manager. The purpose being to make the procedure much clearer. There are two images to go into the text, but I don't understand how to do that yet. I have used '>' at those points. Please advise. Francis. --- user/advanced-topics/standalones-and-hvms.md | 29 +++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/user/advanced-topics/standalones-and-hvms.md b/user/advanced-topics/standalones-and-hvms.md index 198dab42..6c344b47 100644 --- a/user/advanced-topics/standalones-and-hvms.md +++ b/user/advanced-topics/standalones-and-hvms.md 
@@ -175,11 +175,38 @@ seen, e.g., in the Qube Manager in the qube's properties: ![r4.0-manager-networking-config.png](/attachment/doc/r4.0-manager-networking-config.png) Alternatively, one can use the `qvm-ls -n` command to obtain the same -information (IP/netmask/gateway). +information (IP/netmask/gateway). The netmask required is that for your own network, +so for example, if your IPv4 network has a subnet mask of /24 then the actual netmask to +use is 255.255.255.0 - even if the Qube Manager suggests 255.255.255.255 The DNS IP addresses are `10.139.1.1` and `10.139.1.2`. There is [opt-in support](/doc/networking/#ipv6) for IPv6 forwarding. +### An example of setting up a network - Network Manager on KDE + +Every guest operating system has its own way of handling networking, and the user is +referred to the documentation that comes with that operating system. However, +Network Manager is widely used on Linux systems, and so hopefully a worked example will +prove useful. The worked example is for a HVM running EndeavourOS. + +> Image of Qubes Manager - is this what it's called?? + +In this example, Network Manager on KDE, the network had the following values: + +1. IPv4 networking +2. IP address 10.137.0.17 +3. Netmask 255.255.255.255 (but in the network the netmask is actually 255.255.255.0) +4. Gateway 10.138.24.248 +5. Virtual DNS 10.139.1.1 and 10.139.1.2 + +> Image of Network Manager, annotated by numbers for reference below + +The network was set up by entering Network Manager, tab Wi-Fi & Networking, clicking on the Wired Ethernet +item, and selecting tab IPv4 (1). The Manual method is selected (2), which reveals areas for data entry. The DNS +Servers takes a comma-separated list, here 10.139.1.1,10.1.139.2 (3). At the bottom of the tab (4), click on '+ Add', +and enter the IP address of 10.137.0.17 under column 'Address', the Netmask of 25.255.255.0 (to match the network) +under column 'Netmask', and the Gateway of 10.138.24.248 under column 'Gateway'. 
Apply these changes. + ## Using template-based HVMs Qubes allows HVMs to share a common root filesystem from a select template. From c6b07c0191194b90a5abbbe977a0c3e1eb02cdf3 Mon Sep 17 00:00:00 2001 From: unman Date: Thu, 15 May 2025 10:29:39 +0000 Subject: [PATCH 2/2] Added Titles to images. Normalised language in description of procedure --- user/advanced-topics/standalones-and-hvms.md | 49 ++++++++++++++------ 1 file changed, 34 insertions(+), 15 deletions(-) diff --git a/user/advanced-topics/standalones-and-hvms.md b/user/advanced-topics/standalones-and-hvms.md index 6c344b47..e76d2f9b 100644 --- a/user/advanced-topics/standalones-and-hvms.md +++ b/user/advanced-topics/standalones-and-hvms.md 
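Review bot: the worked example in the first patch's hunk (@@ -175,11 +175,38 @@) contains two transposed values that would leave a guest without working DNS or a usable address if copied verbatim: the DNS list `10.139.1.1,10.1.139.2` should read `10.139.1.1,10.139.1.2` to match item 5 of the list above it, and `the Netmask of 25.255.255.0` should read `255.255.255.0`. Separately, with IP 10.137.0.17 and netmask 255.255.255.0 the gateway 10.138.24.248 lies outside the configured subnet, so the text should say why the configuration nonetheless works (or note that it depends on the guest's network stack accepting an off-link gateway) rather than presenting the /24 mask as the one to use in general. The two `>` placeholder lines ("Image of Qubes Manager - is this what it's called??", "Image of Network Manager, annotated...") need to become real image references before merge, and "a HVM" should be "an HVM".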
@@ -50,6 +50,21 @@ is about the virtualization mode. In practice, however, it is most common for standalones to be HVMs and for HVMs to be standalones. Hence, this page covers both topics. +## Understanding Virtualization Modes + +PVH has both better performance and better security than either PV or HVM: + +PVH has less attack surface than PV, as it relies on Second Level Address Translation (SLAT) hardware. Guests modify their own page tables natively, without hypervisor involvement. Xen does not need to perform complex checks to ensure that a guest cannot obtain write access to its own page tables, as is necessary for PV. Flaws in these checks have been a source of no fewer than four guest ⇒ host escapes: XSA-148, XSA-182, XSA-212, and XSA-213. + +PVH also has less attack surface than HVM, as it does not require QEMU to provide device emulation services. While QEMU is confined in a stubdomain, and again in a seccomp based sandbox, the stubdomain has significant attack surface against the hypervisor. Not only does it have the full attack surface of a PV domain, it also has access to additional hypercalls that allow it to control the guest it is providing emulation services for. XSA-109 was a vulnerability in one of these hypercalls. + +PVH has better performance than HVM, as the stubdomain iin HVM consumes resources (both memory and a small amount of CPU). There is little difference in the I/O path at runtime, as both PVH and HVM guests usually use paravirtualized I/O protocols. + +Surprisingly, PVH often has better performance than PV. This is because PVH does not require hypercalls for page table updates, which are expensive. SLAT does raise the cost of TLB misses, but this is somewhat mitigated by a second-level TLB in recent hardware. + + + + ## Creating a standalone You can create a standalone in the Qube Manager by selecting the "Type" of 
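Review bot: the commit message ("Added Titles to images. Normalised language in description of procedure") does not cover the new "Understanding Virtualization Modes" section introduced in this hunk; either describe it in the message or split it into its own commit so the history stays reviewable. Within the text, "the stubdomain iin HVM" should be "in HVM"; the advisory identifiers XSA-148, XSA-182, XSA-212, XSA-213 and XSA-109 would be more useful to readers as links to the Xen security advisories, in the same link style the page already uses; and the four blank `+` lines before "## Creating a standalone" should be reduced to a single blank line.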
@@ -175,37 +190,41 @@ seen, e.g., in the Qube Manager in the qube's properties: ![r4.0-manager-networking-config.png](/attachment/doc/r4.0-manager-networking-config.png) Alternatively, one can use the `qvm-ls -n` command to obtain the same -information (IP/netmask/gateway). The netmask required is that for your own network, -so for example, if your IPv4 network has a subnet mask of /24 then the actual netmask to -use is 255.255.255.0 - even if the Qube Manager suggests 255.255.255.255 +information (IP/netmask/gateway). +The Qube Settimgs shows a netmask of 255.255.255.255. +This is not suitable for most standalones, and you will need to use a different value. -The DNS IP addresses are `10.139.1.1` and `10.139.1.2`. There is [opt-in -support](/doc/networking/#ipv6) for IPv6 forwarding. +In Qubes, the IP address is usually in range 10.137.0.0/16, with disposables in range 10.138.0.0/16, and DNS set to `10.139.1.1` and `10.139.1.2`. +The simplest solution is to set the netmask to 255.0.0.0 - standard for a class A network. +If you want a more restricted solution you could use 255.252.0.0, or 255.255.255.0 + +There is [opt-in support](/doc/networking/#ipv6) for IPv6 forwarding. ### An example of setting up a network - Network Manager on KDE Every guest operating system has its own way of handling networking, and the user is referred to the documentation that comes with that operating system. However, -Network Manager is widely used on Linux systems, and so hopefully a worked example will -prove useful. The worked example is for a HVM running EndeavourOS. +Network Manager is widely used on Linux systems, and so a worked example will +prove useful. This example is for an HVM running EndeavourOS. -> Image of Qubes Manager - is this what it's called?? +![Image of Qube Settings](/attachment/doc/EndeavourOS_Network.png "Qube Settings") In this example, Network Manager on KDE, the network had the following values: 1. IPv4 networking 2. IP address 10.137.0.17 -3. 
Netmask 255.255.255.255 (but in the network the netmask is actually 255.255.255.0) +3. Netmask - qube settings showed 255.255.255.255, but we decided to use 255.255.255.0 4. Gateway 10.138.24.248 5. Virtual DNS 10.139.1.1 and 10.139.1.2 -> Image of Network Manager, annotated by numbers for reference below +![Image of Network Manager, annotated by numbers for reference below](/attachment/doc/Network Manager.png "Annotated image of KDE Network Manager") -The network was set up by entering Network Manager, tab Wi-Fi & Networking, clicking on the Wired Ethernet -item, and selecting tab IPv4 (1). The Manual method is selected (2), which reveals areas for data entry. The DNS -Servers takes a comma-separated list, here 10.139.1.1,10.1.139.2 (3). At the bottom of the tab (4), click on '+ Add', -and enter the IP address of 10.137.0.17 under column 'Address', the Netmask of 25.255.255.0 (to match the network) -under column 'Netmask', and the Gateway of 10.138.24.248 under column 'Gateway'. Apply these changes. +The network was set up by entering Network Manager, selecting the Wi-Fi & Networking tab, clicking on the Wired Ethernet +item, and selecting tab IPv4 (1). +The Manual method was selected (2), which revealed areas for data entry. +The DNS Servers section takes a comma-separated list, here 10.139.1.1,10.1.139.2 (3). +At the bottom of the tab (4), the '+ Add' button was selected, and the IP address of 10.137.0.17 entered in the 'Address' column, the Netmask of 255.255.255.0 entered in the 'Netmask' column, and the Gateway of 10.138.24.248 under 'Gateway'. +Selecting the "Apply" button stored these changes ## Using template-based HVMs
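Review bot: the netmask guidance and the worked example in this hunk (@@ -175,37 +190,41 @@) disagree. The new paragraph recommends 255.0.0.0 (or 255.252.0.0) precisely because qubes sit in 10.137.0.0/16, disposables in 10.138.0.0/16 and DNS at 10.139.1.1/10.139.1.2, yet the example still uses 255.255.255.0 for IP 10.137.0.17 with gateway 10.138.24.248, which leaves the gateway outside the configured subnet; either switch the example to one of the recommended masks or explain why the narrower mask works in this case. For the same reason 255.255.255.0 should be dropped from the "more restricted" alternatives (255.252.0.0 does cover 10.136-10.139 and is fine). Remaining typos: "Qube Settimgs" should be "Qube Settings"; the DNS list `10.139.1.1,10.1.139.2` should be `10.139.1.1,10.139.1.2`; and "stored these changes" lacks a full stop. The image path `/attachment/doc/Network Manager.png` contains a space, which breaks the Markdown image link in most renderers; rename the file or percent-encode it as `Network%20Manager.png`. "standard for a class A network" is classful terminology; "a /8" would be clearer.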