From db13ef5a33bfddc33a6ad148bf18f040e1d6367f Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Thu, 11 May 2017 18:48:59 +1000
Subject: [PATCH 001/103] Various minor spelling and grammar fixes

---
 basics_user/doc-guidelines.md                 |  2 +-
 basics_user/user-faq.md                       |  6 ++--
 building/building-archlinux-template.md       |  2 +-
 common-tasks/backup-restore.md                |  4 +--
 common-tasks/dispvm.md                        |  2 +-
 common-tasks/full-screen-mode.md              |  2 +-
 common-tasks/managing-appvm-shortcuts.md      |  6 ++--
 common-tasks/software-update-dom0.md          |  2 +-
 common-tasks/software-update-vm.md            | 28 +++++++++----------
 common-tasks/tips-and-tricks.md               |  8 +++---
 common-tasks/usb.md                           |  8 +++---
 configuration/assigning-devices.md            |  6 ++--
 configuration/config-files.md                 |  2 +-
 configuration/disk-trim.md                    |  2 +-
 configuration/external-audio.md               |  4 +--
 configuration/http-filtering-proxy.md         |  6 ++--
 configuration/managing-vm-kernel.md           | 10 +++----
 configuration/network-bridge-support.md       |  8 +++---
 configuration/network-printer.md              |  2 +-
 configuration/postfix.md                      |  4 +--
 configuration/resize-disk-image.md            |  8 +++---
 configuration/resize-root-disk-image.md       |  6 ++--
 configuration/salt.md                         |  4 +--
 hardware/certified-laptops.md                 |  2 +-
 installing/live-usb.md                        |  6 ++--
 installing/upgrade/upgrade-to-r3.0.md         |  2 +-
 installing/version-scheme.md                  |  8 +++---
 managing-os/hvm.md                            |  4 +--
 managing-os/netbsd.md                         |  2 +-
 managing-os/pentesting/blackarch.md           |  4 +--
 managing-os/pentesting/kali.md                |  2 +-
 managing-os/pentesting/ptf.md                 |  6 ++--
 managing-os/templates/archlinux.md            | 28 +++++++++----------
 .../templates/debian/upgrade-8-to-9.md        |  2 +-
 managing-os/templates/fedora-minimal.md       |  2 +-
 .../templates/fedora/upgrade-20-to-21.md      |  2 +-
 .../templates/fedora/upgrade-21-to-23.md      |  2 +-
 .../templates/fedora/upgrade-23-to-24.md      |  2 +-
 managing-os/windows/windows-appvms.md         |  6 ++--
 privacy/anonymizing-your-mac-address.md       |  2 +-
 privacy/whonix-install.md                     |  6 ++--
 releases/1.0/release-notes.md                 |  2 +-
 security-info/security-pack.md                |  4 +--
 security/security-guidelines.md               |  2 +-
 security/split-bitcoin.md                     |  2 +-
 security/yubi-key.md                          | 24 ++++++++--------
 services/dvm-impl.md                          |  2 +-
 system/security-critical-code.md              |  2 +-
 troubleshooting/updating-debian-and-whonix.md |  4 +--
 49 files changed, 131 insertions(+), 131 deletions(-)

diff --git a/basics_user/doc-guidelines.md b/basics_user/doc-guidelines.md
index c9d91852..bcd8e0ec 100644
--- a/basics_user/doc-guidelines.md
+++ b/basics_user/doc-guidelines.md
@@ -43,7 +43,7 @@ documentation change will be reviewed before it's published to the web. This
 allows us to maintain quality control and protect our users.
 
 As mentioned above, we keep all the documentation in a dedicated [Git
-repository][qubes-doc] hosted on [GitHub]. Thanks to GitHub interface, you can
+repository][qubes-doc] hosted on [GitHub]. Thanks to the GitHub interface, you can
 edit the documentation even if you don't know Git at all! The only thing you
 need is a GitHub account, which is free.
 
diff --git a/basics_user/user-faq.md b/basics_user/user-faq.md
index 254b4342..0ea2d4c0 100644
--- a/basics_user/user-faq.md
+++ b/basics_user/user-faq.md
@@ -291,9 +291,9 @@ Open a terminal and run `sudo yum install linux-firmware` in the TemplateVM upon
 
 ### Can I install Qubes OS together with other operating system (dual-boot/multi-boot)?
 
-You shouldn't do that, because it pose a security risk for your Qubes OS installation. 
+You shouldn't do that, because it poses a security risk for your Qubes OS installation.
 But if you understand the risk and accept it, read [documentation on multibooting](/doc/multiboot/). 
-It starts with explanation what is wrong with using such setup.
+It starts with explaining what is wrong with using such a setup.
 
 Common Problems
 ---------------
@@ -438,7 +438,7 @@ The encrypted partitions are identified and the user is prompted for password on
 
 A fully encrypted drive does not appear in Nautilus.
 
-The work round is to manually decrypt and mount the drive:
+The workaround is to manually decrypt and mount the drive:
 
 1. attach usb device to qube - it should be attached as /dev/xvdi or similar.
 2. sudo cryptsetup open /dev/xvdi bk --type luks
diff --git a/building/building-archlinux-template.md b/building/building-archlinux-template.md
index 540713b8..60a8d8a2 100644
--- a/building/building-archlinux-template.md
+++ b/building/building-archlinux-template.md
@@ -361,7 +361,7 @@ redirect_from:
 The `qubes-mgmt-salt` repo is not currently forked under the marmarek user on
 GitHub, to whom the above instructions set the `GIT_PREFIX`.  As Archlinux is
 not yet supported by mgmt-salt, simply leave it out of the build (when building
-the Archlinux template on it's own) by appending the following to your `override.conf` file:
+the Archlinux template on its own) by appending the following to your `override.conf` file:
 
 `BUILDER_PLUGINS := $(filter-out mgmt-salt,$(BUILDER_PLUGINS))`
 
diff --git a/common-tasks/backup-restore.md b/common-tasks/backup-restore.md
index 0b2ecaa7..c5fbe9b7 100644
--- a/common-tasks/backup-restore.md
+++ b/common-tasks/backup-restore.md
@@ -81,7 +81,7 @@ Emergency Backup Recovery without Qubes
 
 The Qubes backup system has been designed with emergency disaster recovery in mind. No special Qubes-specific tools are required to access data backed up by Qubes. In the event a Qubes system is unavailable, you can access your data on any GNU/Linux system with the following procedure.
 
-For emergency restore of backup created on Qubes R2 or newer take a look [here](/doc/backup-emergency-restore-v3/). For backups created on earlier Qubes version, take a look [here](/doc/backup-emergency-restore-v2/).
+For emergency restore of backup created on Qubes R2 or newer take a look [here](/doc/backup-emergency-restore-v3/). For backups created on earlier Qubes versions, take a look [here](/doc/backup-emergency-restore-v2/).
 
 
 Migrating Between Two Physical Machines
@@ -96,7 +96,7 @@ Here are some things to consider when selecting a passphrase for your backups:
 
  * If you plan to store the backup for a long time or on third-party servers, you should make sure to use a very long, high-entropy passphrase. (Depending on the decryption passphrase you use for your system drive, this may necessitate selecting a stronger passphrase. If your system drive decryption passphrase is already sufficiently strong, it may not.)
  * An adversary who has access to your backups may try to substitute one backup for another. For example, when you attempt to retrieve a recent backup, the adversary may instead give you a very old backup containing a compromised VM. If you're concerned about this type of attack, you may wish to use a different passphrase for each backup, e.g., by appending a number or date to the passphrase.
- * If you're forced to enter your system drive decryption passphrase in plain view of others (where it can be shoulder-surfed), then you may want to use a different passphrase for your backups (even if your system drive decryption passphrase is already maximally strong). On the othe hand, if you're careful to avoid shoulder-surfing and/or have a passphrase that's difficult to detect via shoulder-surfing, then this may not be a problem for you.
+ * If you're forced to enter your system drive decryption passphrase in plain view of others (where it can be shoulder-surfed), then you may want to use a different passphrase for your backups (even if your system drive decryption passphrase is already maximally strong). On the other hand, if you're careful to avoid shoulder-surfing and/or have a passphrase that's difficult to detect via shoulder-surfing, then this may not be a problem for you.
 
 Notes
 -----
diff --git a/common-tasks/dispvm.md b/common-tasks/dispvm.md
index 18560ff8..8a775172 100644
--- a/common-tasks/dispvm.md
+++ b/common-tasks/dispvm.md
@@ -18,7 +18,7 @@ A Disposable VM (DispVM) is a lightweight VM that can be created quickly and whi
 
 By default a Disposable VM will inherit the NetVM and firewall settings of the ancestor VM, that is the VM it is launched from. Thus if an AppVM uses sys-net as NetVM (instead of, say, sys-whonix), any DispVM launched from this AppVM will also have sys-net as its NetVM. You can change this behaviour for individual VMs: in the Qubes Manager open VM Settings for the VM in question and go to the "Advanced" tab. Here you can edit the "NetVM for DispVM" setting to change the NetVM of any DispVM launched from that VM.
 
-A Disposable VM launched from the Start Meny inherits the NetVM of a so-called internal TempVM, the *[DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template).* By default it is named `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM) and hidden in Qubes VM Manager; it can be shown by selecting "Show/Hide internal VMs". Notice that changing the "NetVM for DispVM" setting for the DVM Template does *not* affect the NetVM of DispVMs launched from the Start Meny; only changing the DVM Template's own NetVM does.
+A Disposable VM launched from the Start Menu inherits the NetVM of a so-called internal TempVM, the *[DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template).* By default it is named `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM) and hidden in Qubes VM Manager; it can be shown by selecting "Show/Hide internal VMs". Notice that changing the "NetVM for DispVM" setting for the DVM Template does *not* affect the NetVM of DispVMs launched from the Start Menu; only changing the DVM Template's own NetVM does.
 
 Once a DispVM has been created it will appear in the Qubes Manager with the name "dispX", and NetVM and firewall rules can be set as for a normal VM.
 
diff --git a/common-tasks/full-screen-mode.md b/common-tasks/full-screen-mode.md
index b0fef0cc..e5542918 100644
--- a/common-tasks/full-screen-mode.md
+++ b/common-tasks/full-screen-mode.md
@@ -24,7 +24,7 @@ If one allowed one of the VMs to "own" the full screen, e.g. to show a movie on
 Secure use of full screen mode
 ------------------------------
 
-However, it is possible to deal with full screen mode in a secure way assuming there are mechanisms that can be used at any time to show the full desktop, and which cannot be intercepted by the VM. An example of such q mechanism is the KDE's "Present Windows" and "Desktop Grid" effects, which are similar to Mac's "Expose" effect, and which can be used to immediately detect potential "GUI forgery", as they cannot be intercepted by any of the VM (as the GUID never passes down the key combinations that got consumed by KDE Window Manager), and so the VM cannot emulate those. Those effects are enabled by default in KDE once Compositing gets enabled in KDE (System Settings -\> Desktop -\> Enable Desktop Effects), which is recommended anyway. By default they are triggered by Ctrl-F8 and Ctrl-F9 key combinations, but can also be reassigned to other shortcuts.
+However, it is possible to deal with full screen mode in a secure way assuming there are mechanisms that can be used at any time to show the full desktop, and which cannot be intercepted by the VM. An example of such a mechanism is the KDE's "Present Windows" and "Desktop Grid" effects, which are similar to Mac's "Expose" effect, and which can be used to immediately detect potential "GUI forgery", as they cannot be intercepted by any of the VM (as the GUID never passes down the key combinations that got consumed by KDE Window Manager), and so the VM cannot emulate those. Those effects are enabled by default in KDE once Compositing gets enabled in KDE (System Settings -\> Desktop -\> Enable Desktop Effects), which is recommended anyway. By default they are triggered by Ctrl-F8 and Ctrl-F9 key combinations, but can also be reassigned to other shortcuts.
 Another option is to use Alt+Tab for switching windows. This shortcut is also handled by dom0.
 
 Enabling full screen mode for select VMs
diff --git a/common-tasks/managing-appvm-shortcuts.md b/common-tasks/managing-appvm-shortcuts.md
index e289ae79..9c8ec8f2 100644
--- a/common-tasks/managing-appvm-shortcuts.md
+++ b/common-tasks/managing-appvm-shortcuts.md
@@ -15,11 +15,11 @@ For ease of use Qubes aggregates shortcuts to applications that are installed in
 
 ![dom0-menu.png"](/attachment/wiki/ManagingAppVmShortcuts/dom0-menu.png)
 
-To make newly installed applications show up in the menu, use the **qvm-sync-appmenus** command (Linux VMs does this automatically):
+To make newly installed applications show up in the menu, use the **qvm-sync-appmenus** command (Linux VMs do this automatically):
 
 `qvm-sync-appmenus vmname`
 
-After that, select the *Add more shortcuts* entry in VM's submenu to customize which applications are shown:
+After that, select the *Add more shortcuts* entry in the VM's submenu to customize which applications are shown:
 
 ![dom0-appmenu-select.png"](/attachment/wiki/ManagingAppVmShortcuts/dom0-appmenu-select.png)
 
@@ -45,4 +45,4 @@ For Linux VMs the service script is in `/etc/qubes-rpc/qubes.GetAppMenus`. In Wi
 What if my application has not been automatically included in the list of available apps?
 -----------------------------------------------------------------------------------------
 
-You can manually create new entries in the "available applications" list of shortcuts. See [Signal](/doc/signal/) for a worked example of creating a new menu item for a Chrome .desktop shortcut.
+You can manually create new entries in the "available applications" list of shortcuts. See [Signal](/doc/signal/) for a working example of creating a new menu item for a Chrome .desktop shortcut.
diff --git a/common-tasks/software-update-dom0.md b/common-tasks/software-update-dom0.md
index 74d14336..7ebef52d 100644
--- a/common-tasks/software-update-dom0.md
+++ b/common-tasks/software-update-dom0.md
@@ -14,7 +14,7 @@ Updating software in dom0
 Why would one want to update software in dom0?
 ----------------------------------------------
 
-Normally, there should be few reasons for updating software in dom0. This is because there is no networking in dom0, which means that even if some bugs are discovered e.g. in the dom0 Desktop Manager, this really is not a problem for Qubes, because none of the 3rd party software running in dom0 is accessible from VMs or the network in any way. Some exceptions to this include: Qubes GUI daemon, Xen store daemon, and disk back-ends. (We plan move the disk backends to an untrusted domain in Qubes 2.0.) Of course, we believe this software is reasonably secure, and we hope it will not need patching.
+Normally, there should be few reasons for updating software in dom0. This is because there is no networking in dom0, which means that even if some bugs are discovered e.g. in the dom0 Desktop Manager, this really is not a problem for Qubes, because none of the 3rd party software running in dom0 is accessible from VMs or the network in any way. Some exceptions to this include: Qubes GUI daemon, Xen store daemon, and disk back-ends. (We plan to move the disk backends to an untrusted domain in a future Qubes release) Of course, we believe this software is reasonably secure, and we hope it will not need patching.
 
 However, we anticipate some other situations in which updating dom0 software might be necessary or desirable:
 
diff --git a/common-tasks/software-update-vm.md b/common-tasks/software-update-vm.md
index b205980a..45492d6b 100644
--- a/common-tasks/software-update-vm.md
+++ b/common-tasks/software-update-vm.md
@@ -20,7 +20,7 @@ In addition to saving on the disk space, and reducing domain creation time, anot
 
 The default template is called **fedora-14-x64** in Qubes R1 and **fedora-20-x64** in Qubes R2.
 
-The side effect of this mechanism is, of course, that if you install any software in your AppVM, more specifically in any directory other than `/home` or `/usr/local` then it will disappear after the AppVM reboot (as the root filesystem for this AppVM will again be "taken" from the TemplateVM). **This means one normally install software in the TemplateVM, not in AppVMs.**
+The side effect of this mechanism is, of course, that if you install any software in your AppVM, more specifically in any directory other than `/home` or `/usr/local` then it will disappear after the AppVM reboot (as the root filesystem for this AppVM will again be "taken" from the TemplateVM). **This means one normally installs software in the TemplateVM, not in AppVMs.**
 
 Unlike VM private filesystems, the template VM root filesystem does not support discard, so deleting files does not free the space in dom0. See [these instructions](/doc/template/fedora/upgrade-23-to-24/#compacting-the-upgraded-template) to recover space in dom0.
 
@@ -33,7 +33,7 @@ In order to permanently install new software, you should:
 
 -   Install/update software as usual (e.g. using yum, or the dedicated GUI application). Then, shutdown the template VM,
 
--   You will see now that all the AppVMs based on this template (by default all your VMs) will be marked as "outdated" in the manager. This is because their filesystems have not been yet updated -- in order to do that, you must restart each VM. You don't need to restart all of them at the same time -- e.g. if you just need the newly installed software to be available in your 'personal' domain, then restart only this VM. You will restart others whenever this will be convenient to you.
+-   You will see now that all the AppVMs based on this template (by default all your VMs) will be marked as "outdated" in the manager. This is because their filesystems have not been yet updated -- in order to do that, you must restart each VM. You don't need to restart all of them at the same time -- e.g. if you just need the newly installed software to be available in your 'personal' domain, then restart only this VM. You can restart others whenever this will be convenient to you.
 
 Testing repositories
 --------------------
@@ -115,19 +115,19 @@ As the TemplateVM is used for creating filesystems for other AppVMs, where you a
 
 There are several ways to deal with this problem:
 
--   Only install packages from trusted sources -- e.g. from the pre-configured Fedora repositories. All those packages are signed by Fedora, and as we expect that at least the package's installation scripts are not malicious. This is enforced by default (at the [firewall VM level](/doc/firewall/)), by not allowing any networking connectivity in the default template VM, except for access to the Fedora repos.
+-   Only install packages from trusted sources -- e.g. from the pre-configured Fedora repositories. All those packages are signed by Fedora, and we expect that at least the package's installation scripts are not malicious. This is enforced by default (at the [firewall VM level](/doc/firewall/)), by not allowing any networking connectivity in the default template VM, except for access to the Fedora repos.
 
 -   Use *standalone VMs* (see below) for installation of untrusted software packages.
 
--   Use multiple templates (see below) for different classes of domains, e.g. a less trusted template, used for creation of less trusted AppVMs, would get various packages from somehow less trusted vendors, while the template used for more trusted AppVMs will only get packages from the standard Fedora repos.
+-   Use multiple templates (see below) for different classes of domains, e.g. a less trusted template, used for creation of less trusted AppVMs, would get various packages from somewhat less trusted vendors, while the template used for more trusted AppVMs will only get packages from the standard Fedora repos.
 
 Some popular questions:
 
 -   So, why should we actually trust Fedora repos -- it also contains large amount of 3rd party software that might buggy, right?
 
-As long as template's compromise is considered, it doesn't really matter whether /usr/bin/firefox is buggy and can be exploited, or not. What matters is whether its *installation* scripts (such as %post in the rpm.spec) are benign or not. Template VM should be used only for installation of packages, and nothing more, so it should never get a chance to actually run the /usr/bin/firefox and got infected from it, in case it was compromised. Also, some of your more trusted AppVMs, would have networking restrictions enforced by the [firewall VM](/doc/firewall/), and again they should not fear this proverbial /usr/bin/firefox being potentially buggy and easy to compromise.
+As long as template's compromise is considered, it doesn't really matter whether /usr/bin/firefox is buggy and can be exploited, or not. What matters is whether its *installation* scripts (such as %post in the rpm.spec) are benign or not. Template VM should be used only for installation of packages, and nothing more, so it should never get a chance to actually run the /usr/bin/firefox and get infected from it, in case it was compromised. Also, some of your more trusted AppVMs, would have networking restrictions enforced by the [firewall VM](/doc/firewall/), and again they should not fear this proverbial /usr/bin/firefox being potentially buggy and easy to compromise.
 
--   But why trusting Fedora?
+-   But why trust Fedora?
 
 Because we chose to use Fedora as a vendor for the Qubes OS foundation (e.g. for Dom0 packages and for AppVM packages). We also chose to trust several other vendors, such as Xen.org, kernel.org, and a few others whose software we use in Dom0. We had to trust *somebody* as we are unable to write all the software from scratch ourselves. But there is a big difference in trusting all Fedora packages to be non-malicious (in terms of installation scripts) vs. trusting all those packages are non-buggy and non-exploitable. We certainly do not assume the latter.
 
@@ -140,11 +140,11 @@ Standalone VMs
 
 Standalone VMs have their own copy of the whole filesystem, and thus can be updated and managed on its own. But this means that they take a few GBs on disk, and also that centralized updates do not apply to them.
 
-Sometime it might be convenient to have a VM that has its own filesystem, where you can directly introduce changes, without the need to start/stop the template VM. Such situations include e.g.:
+Sometimes it might be convenient to have a VM that has its own filesystem, where you can directly introduce changes, without the need to start/stop the template VM. Such situations include e.g.:
 
--   VMs used for development (devel environments requires a lot of \*-devel packages and specific devel tools)
+-   VMs used for development (devel environments require a lot of \*-devel packages and specific devel tools)
 
--   VMs used for installing untrusted packages. Normally you install digitally signed software from Red Hat/Fedora repositories, and it's reasonable that such software has non malicious *installation* scripts (rpm pre/post scripts). However, when you would like to install some packages form less trusted sources, or unsigned, then using a dedicated (untrusted) standalone VM might be a better way.
+-   VMs used for installing untrusted packages. Normally you install digitally signed software from Red Hat/Fedora repositories, and it's reasonable that such software has non malicious *installation* scripts (rpm pre/post scripts). However, when you would like to install some packages from less trusted sources, or unsigned, then using a dedicated (untrusted) standalone VM might be a better way.
 
 In order to create a standalone VM you can use a command line like this (from console in Dom0):
 
@@ -168,14 +168,14 @@ qvm-create <vmname> --template <templatename> --label <label>
 Temporarily allowing networking for software installation
 ---------------------------------------------------------
 
-Some 3rd party applications cannot be installed using the standard yum repositories, and need to be manually downloaded and installed. When the installation requires internet connection to access 3rd party repositories, it will naturally fail when run in a Template VM because the default firewall rules for templates only allow connections to standard yum repositories. So it is necessary to modify firewall rules to allow less restrictive internet access for the time of the installation, if one really wants to install those applications into a template. As soon as software installation is completed, firewall rules should be returned back to the default state. The user should decided by themselves whether such 3rd party applications should be equally trusted as the ones that come from the standard Fedora signed repositories and whether their installation will not compromise the default Template VM, and potentially consider installing them into a separate template or a standalone VM (in which case the problem of limited networking access doesn't apply by default), as described above.
+Some 3rd party applications cannot be installed using the standard yum repositories, and need to be manually downloaded and installed. When the installation requires internet connection to access 3rd party repositories, it will naturally fail when run in a Template VM because the default firewall rules for templates only allow connections to standard yum repositories. So it is necessary to modify firewall rules to allow less restrictive internet access for the time of the installation, if one really wants to install those applications into a template. As soon as software installation is completed, firewall rules should be returned back to the default state. The user should decide by themselves whether such 3rd party applications should be equally trusted as the ones that come from the standard Fedora signed repositories and whether their installation will not compromise the default Template VM, and potentially consider installing them into a separate template or a standalone VM (in which case the problem of limited networking access doesn't apply by default), as described above.
 
 Updates proxy
 -------------
 
-Updates proxy is a service which filter http access to allow access to only something that looks like yum or apt repository. This is meant to mitigate user errors (like using browser in the template VM), rather than some real isolation. It is done with http proxy instead of simple firewall rules because it is hard to list all the repository mirrors (and keep that list up to date). The proxy is used only to filter the traffic, not to cache anything.
+Updates proxy is a service which filters http access to allow access to only something that looks like a yum or apt repository. This is meant to mitigate user errors (like using browser in the template VM), rather than some real isolation. It is done with http proxy instead of simple firewall rules because it is hard to list all the repository mirrors (and keep that list up to date). The proxy is used only to filter the traffic, not to cache anything.
 
-The proxy is running in selected VMs (by default all the NetVMs (1)) and intercept traffic directed to 10.137.255.254:8082. Thanks to such configuration all the VMs can use the same proxy address, and if there is a proxy on network path, it will handle the traffic (of course when firewall rules allows that). If the VM is configured to have access to the updates proxy (2), the startup scripts will automatically configure yum to really use the proxy (3). Also access to updates proxy is independent of any other firewall settings (VM will have access to updates proxy, even if policy is set to block all the traffic).
+The proxy is running in selected VMs (by default all the NetVMs (1)) and intercepts traffic directed to 10.137.255.254:8082. Thanks to such configuration all the VMs can use the same proxy address, and if there is a proxy on network path, it will handle the traffic (of course when firewall rules allow that). If the VM is configured to have access to the updates proxy (2), the startup scripts will automatically configure yum to really use the proxy (3). Also access to updates proxy is independent of any other firewall settings (VM will have access to updates proxy, even if policy is set to block all the traffic).
 
 (1) Services tab -\> "qubes-yum-proxy" entry; check qvm-service manual for details
 
@@ -185,13 +185,13 @@ The proxy is running in selected VMs (by default all the NetVMs (1)) and interce
 
 ### Technical details
 
-1.  Updates proxy: It is running as "qubes-yum-proxy" service. Startup script of this service setup firewall rule to intercept proxy traffic:
+1.  Updates proxy: It is running as "qubes-yum-proxy" service. Startup script of this service sets up the firewall rule to intercept proxy traffic:
 
     ~~~
     iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
     ~~~
 
-1.  VM using the proxy service Startup script (qubes-misc-post service) configure yum using /etc/yum.conf.d/qubes-proxy.conf file. It can either contain
+1.  VM using the proxy service Startup script (qubes-misc-post service) configures yum using /etc/yum.conf.d/qubes-proxy.conf file. It can either contain
 
     ~~~
     proxy=http://10.137.255.254:8082/
diff --git a/common-tasks/tips-and-tricks.md b/common-tasks/tips-and-tricks.md
index 64673eee..81938023 100644
--- a/common-tasks/tips-and-tricks.md
+++ b/common-tasks/tips-and-tricks.md
@@ -10,9 +10,9 @@ This section provides user suggested tips that aim to increase Qubes OS usabilit
 
 Opening links in your preferred AppVM
 -------------------------------------
-To increase both security and usability you can set an AppVM so that it automatically opens any link in an different AppVM of your choice. You can do this for example in the email AppVM, in this way you avoid to make mistakes like opening links in it. to learn more you can check [security guidelines](/doc/security-guidelines/) and [security goals](/security/goals/).
+To increase both security and usability you can set an AppVM so that it automatically opens any link in an different AppVM of your choice. You can do this for example in the email AppVM, in this way you avoid to make mistakes like opening links in it. To learn more you can check [security guidelines](/doc/security-guidelines/) and [security goals](/security/goals/).
 
-The command `qvm-open-in-vm` lets you open a document or a URL in another VM, it takes two parameters: vmname and filename.
+The command `qvm-open-in-vm` lets you open a document or a URL in another VM. It takes two parameters: vmname and filename.
 
 For example, if you launch this command from your email AppVM:
 
@@ -20,7 +20,7 @@ For example, if you launch this command from your email AppVM:
 
 it will open duckduckgo.com in the `untrusted` AppVM (after you confirmed the request).
 
-If you want this to happen automatically you can creatte a .desktop file that advertises itself as a handler for http/https links, and then setting this as your default browser.
+If you want this to happen automatically you can create a .desktop file that advertises itself as a handler for http/https links, and then set this as your default browser.
 
 Open a text editor and copy and paste this into it:
 
@@ -46,7 +46,7 @@ Preventing data leaks
 ---------------------
 First make sure to read [Understanding and Preventing Data Leaks](/doc/data-leaks/) section to understand the limits of this tip.
 
-Suppose that you have a not so trusted enviroment, for example a Windows VM, an application that track and report it's usage or you simply want to protect your data.
+Suppose that you have in a not so trusted enviroment, for example a Windows VM, an application that track and report its usage, or you simply want to protect your data.
 
 Start Windows template VM (which has no user data), install/upgrade apps; then start Windows AppVM (with data) in offline mode. So, if you worry (hypothetically) that your Windows or app updater might want to send your data away, this Qubes OS trick will prevent this.
 This applies also to any TemplateBasedVM relative to its parent TemplateVM, but the privacy risk is especially high in the case of Windows.
diff --git a/common-tasks/usb.md b/common-tasks/usb.md
index dfddc3ed..6411199b 100644
--- a/common-tasks/usb.md
+++ b/common-tasks/usb.md
@@ -110,7 +110,7 @@ opt to create a USB qube during installation. This also occurs automatically if
 you choose to [create a USB qube] using the `qubesctl` method, which is the
 first pair of steps in the linked section.)
 
-**Warning** USB keyboard cannot be used to type the disk passphrase
+**Warning** A USB keyboard cannot be used to type the disk passphrase
 if USB controllers were hidden from dom0. Before hiding USB controllers
 make sure your laptop keyboard is not internally connected via USB
 (by checking output of `lsusb` command) or that you have a PS/2 keyboard at hand
@@ -319,10 +319,10 @@ Attaching a single USB device to a qube (USB passthrough)
 ---------------------------------------------------------
 
 Starting with Qubes 3.2, it is possible to attach a single USB device to any
-Qube. While this is useful feature, it should be used with care, because there
+Qube. While this is a useful feature, it should be used with care, because there
 are [many security implications][usb-challenges] from using USB devices and USB
 passthrough will **expose your target qube** for most of them. If possible, use 
-method specific for particular device type (for example block devices described
+a method specific for particular device type (for example block devices described
 above), instead of this generic one.
 
 To use this feature, you need to install `qubes-usb-proxy` package in the
@@ -355,7 +355,7 @@ When you finish, detach the device:
     sys-usb:2-5     058f:3822 058f_USB_2.0_Camera
     sys-usb:2-1     03f0:0641 PixArt_HP_X1200_USB_Optical_Mouse
 
-This feature is not yet available in Qubes Manager however, if you would like to contribute to Qubes OS project by implementing it and are a student please consider applying for the [Google Summer of Code][gsoc-page] scholarship and choosing QubesOS Project as a mentor organization. You can find list of our our Project Ideas [here][project-page].
+This feature is not yet available in Qubes Manager however, if you would like to contribute to Qubes OS project by implementing it and are a student please consider applying for the [Google Summer of Code][gsoc-page] scholarship and choosing QubesOS Project as a mentor organization. You can find list of our Project Ideas [here][project-page].
 
 
 [mass-storage]: https://en.wikipedia.org/wiki/USB_mass_storage_device_class
diff --git a/configuration/assigning-devices.md b/configuration/assigning-devices.md
index 6aa8278a..e676e742 100644
--- a/configuration/assigning-devices.md
+++ b/configuration/assigning-devices.md
@@ -58,7 +58,7 @@ list of available devices, which you can select to be assigned to that VM.
 Finding the right USB controller
 --------------------------------
 
-If you want assign a certain [USB] device to a VM (by attaching the whole
+If you want to assign a certain [USB] device to a VM (by attaching the whole
 USB controller), you need to figure out which PCI device is the right
 controller. First, check to which USB bus the device is connected:
 
@@ -66,7 +66,7 @@ controller. First, check to which USB bus the device is connected:
 lsusb
 ~~~
 
-For example, I want assign a broadband modem to the netvm. In the out put of
+For example, I want to assign a broadband modem to the netvm. In the output of
 `lsusb` it can be listed as something like this. (In this case, the device isn't
 fully identified):
 
@@ -76,7 +76,7 @@ Bus 003 Device 003: ID 413c:818d Dell Computer Corp.
 
 The device is connected to USB bus \#3. Then check which other devices are
 connected to the same bus, since *all* of them will be assigned to the same VM.
-Now is the time to find right USB controller:
+Now is the time to find the right USB controller:
 
 ~~~
 readlink /sys/bus/usb/devices/usb3
diff --git a/configuration/config-files.md b/configuration/config-files.md
index d83c2a19..dc59d50c 100644
--- a/configuration/config-files.md
+++ b/configuration/config-files.md
@@ -40,7 +40,7 @@ problematic device drivers.
 
 Note that scripts need to be executable (chmod +x) to be used.
 
-Also take a look at [bind-dirs][/doc/bind-dirs] for instruction how to easily
+Also take a look at [bind-dirs](/doc/bind-dirs) for instruction how to easily
 modify arbitrary system file in AppVM and have those changes persistent.
 
 GUI and audio configuration in dom0
diff --git a/configuration/disk-trim.md b/configuration/disk-trim.md
index cbb67259..97e38cb5 100644
--- a/configuration/disk-trim.md
+++ b/configuration/disk-trim.md
@@ -10,7 +10,7 @@ redirect_from:
 
 VMs have already TRIM enabled by default, but dom0 doesn't. There are some security implications (read for example [this article](https://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html)), but IMO not very serious.
 
-To enable TRIM in dom0 you need:
+To enable TRIM in dom0 you need to:
 
 1.  Get your LUKS device UUID:
 
diff --git a/configuration/external-audio.md b/configuration/external-audio.md
index 27f05ae7..43618955 100644
--- a/configuration/external-audio.md
+++ b/configuration/external-audio.md
@@ -38,9 +38,9 @@ pactl load-module module-udev-detect
 
 Start the audio application that is going to use the external audio device.
 
-Launch pavucontrol, for example using "run command in VM" of Qubes Manager and select you external audio card in pavucontrol. You need to do that only the first time you use a new external audio device, then pulse audio will remember you selection.
+Launch pavucontrol, for example using "run command in VM" of Qubes Manager and select your external audio card in pavucontrol. You need to do that only the first time you use a new external audio device, then pulse audio will remember you selection.
 
-If you detach your external audio device, then want to insert it again, or change it with another one, you need to repeat the previous commands in terminal, adding an other line at the beginning:
+If you detach your external audio device, then want to insert it again, or change it with another one, you need to repeat the previous commands in terminal, adding another line at the beginning:
 
 ~~~
 pactl unload-module module-udev-detect
diff --git a/configuration/http-filtering-proxy.md b/configuration/http-filtering-proxy.md
index e695d025..8bb0751b 100644
--- a/configuration/http-filtering-proxy.md
+++ b/configuration/http-filtering-proxy.md
@@ -31,10 +31,10 @@ prevents websites that use DNS-based load balancers from working
 unless the user reloads the firewall rules (which re-resolve the DNS
 names) whenever the balancer transfer her session to another IP. Third
 the initial setup of the rules is complicated as the firewall drops
-the connection silently. As a workaround on can use browser's network
+the connection silently. As a workaround one can use browser's network
 console to see what is blocked, but this is time-consuming and one can
 trivially miss some important cases like including in the firewall
-white list sites for OCSP SSL certificate verification.
+white-list sites for OCSP SSL certificate verification.
 
 These drawbacks can be mitigated if one replaces iptable-based rules
 with a filtering HTTP proxy. The following describes how to setup
@@ -94,7 +94,7 @@ Setup
         name.ip-address-of-app-vm
 
    The name part before the dot can be arbitrary. For convenience one can
-   use AppVm name here, but this is not required. It is important to get
+   use AppVM name here, but this is not required. It is important to get
    ip address part right as this is what the control script uses to
    determine for which AppVM to apply the proxy rules. One can check the
    IP address of AppVM in Qubes VM manager in the VM settings dialog, see
diff --git a/configuration/managing-vm-kernel.md b/configuration/managing-vm-kernel.md
index 6748228f..4f4c675a 100644
--- a/configuration/managing-vm-kernel.md
+++ b/configuration/managing-vm-kernel.md
@@ -49,7 +49,7 @@ updatevm          : sys-firewall
 Installing different kernel using Qubes kernel package
 ----------------------------------
 
-VM kernels are packages by Qubes team in `kernel-qubes-vm` packages. Generally system will keep the 3 newest available versions. You can list them with the `rpm` command:
+VM kernels are packages by Qubes team in `kernel-qubes-vm` packages. Generally the system will keep the 3 newest available versions. You can list them with the `rpm` command:
 
 ~~~
 [user@dom0 ~]$ rpm -qa 'kernel-qubes-vm*'
@@ -58,7 +58,7 @@ kernel-qubes-vm-3.18.16-3.pvops.qubes.x86_64
 kernel-qubes-vm-3.18.17-4.pvops.qubes.x86_64
 ~~~
 
-If you want more recent version, you can check `qubes-dom0-unstable` repository. As the name suggest, keep in
+If you want a more recent version, you can check `qubes-dom0-unstable` repository. As the name suggests, keep in
 mind that those packages may be less stable than the default ones.
 
 Checking available versions in `qubes-dom0-unstable` repository:
@@ -212,7 +212,7 @@ This is possible thanks to PV GRUB2 - GRUB2 running in the VM. To make it happen
 
 1. Install PV GRUB2 in dom0 - package is named `grub2-xen`.
 2. Install kernel in the VM. As with all VM software installation - this needs to be done in TemplateVM (of StandaloneVM if you are using one).
-3. Set VM kernel to `pvgrub2` value. You can use `pvgrub2` in selected VMs, not necessary all of them, even when it's template has kernel installed. You can still use dom0-provided kernel for selected VMs.
+3. Set VM kernel to `pvgrub2` value. You can use `pvgrub2` in selected VMs, not necessary all of them, even when its template has kernel installed. You can still use dom0-provided kernel for selected VMs.
 
 **WARNING: When using kernel from within VM, `kernelopts` parameter is ignored.**
 
@@ -230,7 +230,7 @@ In Fedora based VM, you need to install `qubes-kernel-vm-support` package. This
 package include required additional kernel module and initramfs addition
 required to start Qubes VM (for details see
 [template implementation](/doc/template-implementation/)). Additionally you
-need some GRUB tools to create it's configuration. Note: you don't need actual
+need some GRUB tools to create its configuration. Note: you don't need actual
 grub bootloader as it is provided by dom0. But having one also shouldn't harm.
 
 ~~~
@@ -268,7 +268,7 @@ In Debian based VM, you need to install `qubes-kernel-vm-support` package. This
 package include required additional kernel module and initramfs addition
 required to start Qubes VM (for details see
 [template implementation](/doc/template-implementation/)). Additionally you
-need some GRUB tools to create it's configuration. Note: you don't need actual
+need some GRUB tools to create its configuration. Note: you don't need actual
 grub bootloader as it is provided by dom0. But having one also shouldn't harm.
 
 ~~~
diff --git a/configuration/network-bridge-support.md b/configuration/network-bridge-support.md
index b8f74377..cf86bc56 100644
--- a/configuration/network-bridge-support.md
+++ b/configuration/network-bridge-support.md
@@ -42,12 +42,12 @@ First, retrieve the attachment of this Wifi article in dom0. Then apply the thre
 
 Finally restart the qubes manager GUI.
 
-A new option is now available in the AppVM Settings to enable set the NetVM in bridge mode. For a bridged AppVM, you should the select a netvm instead of a firewall vm, enabled the Bridge option and restart your AppVM.
+A new option is now available in the AppVM Settings to enable set the NetVM in bridge mode. For a bridged AppVM, you should the select a netvm instead of a firewall vm, enable the Bridge option and restart your AppVM.
 
 NetVM patch (Qubes R2B2)
 ------------------------
 
-You need to modify manually the NetVM iptable script inside the NetVM. The reason is that by default the NetVM only accept traffic coming from network interfaces called vif\* (in our case, we will use an additional interface called bridge0. The second reason is that all trafic is NATed by default. In our case, we want to forward traffic from the bridge interface without modifying it, while NATing traffic coming from vif\* interfaces.
+You need to modify manually the NetVM iptable script inside the NetVM. The reason is that by default the NetVM only accepts traffic coming from network interfaces called vif\* (in our case, we will use an additional interface called bridge0. The second reason is that all trafic is NATed by default. In our case, we want to forward traffic from the bridge interface without modifying it, while NATing traffic coming from vif\* interfaces.
 
 Modify manually the Template you use for your NetVM (not the NetVM itself). This is by default fedora-x86\_64. Edit the file /etc/sysconfig/iptables. You need to modify two parts of the file.
 
@@ -95,7 +95,7 @@ This requires:
 
 Note: A wireless interface cannot be bridged.
 
-The bridge edition GUI is somehow buggy as it does not remember all the parameter you setup. You can fix it by editing manually the files in /etc/NetworkManager/system-connections/. Here is one example for these files:
+The bridge edition GUI is somewhat buggy as it does not remember all the parameters you set up. You can fix it by editing manually the files in /etc/NetworkManager/system-connections/. Here is one example for these files:
 
 -   Bridge-DHCP
 
@@ -137,7 +137,7 @@ Note: Do not forget to put stp=false if you bridge only eth0 because sending BPD
     slave-type=bridge
     ~~~
 
-If you do not manager to start your bridge, you can start it manually from a NetVM terminal:
+If you do not manage to start your bridge, you can start it manually from a NetVM terminal:
 
 ~~~
 $ nmcli con up id bridge0-eth0
diff --git a/configuration/network-printer.md b/configuration/network-printer.md
index 26bd4879..d0d1628a 100644
--- a/configuration/network-printer.md
+++ b/configuration/network-printer.md
@@ -27,7 +27,7 @@ In order to mitigate this risk, one might consider creating a custom template (i
 
 However, one should be aware that most (all?) network printing protocols are insecure, unencrypted protocols. This means, that an attacker who is able to sniff the local network, or who is controlling the (normally untrusted) Qubes NetVM, will likely to be able to see the documents being printed. This is a limitation of today's printers and printing protocols, something that cannot be solved by Qubes or any other OS.
 
-Additionally, the printer drivers as well as CUPS application itself, might be buggy and might got exploited when talking to a compromised printer (or by an attacker who controls the local network, or the default NetVM). Consider not using printing from your more trusted AppVMs for this reason.
+Additionally, the printer drivers as well as CUPS application itself, might be buggy and might get exploited when talking to a compromised printer (or by an attacker who controls the local network, or the default NetVM). Consider not using printing from your more trusted AppVMs for this reason.
 
 Steps to configure a network printer in a template VM
 ----------------------------------------------------------
diff --git a/configuration/postfix.md b/configuration/postfix.md
index 0c0884b9..4aae8d09 100644
--- a/configuration/postfix.md
+++ b/configuration/postfix.md
@@ -99,14 +99,14 @@ alias_maps = hash:/etc/aliases
 @localhost your.mail@example.com
 ~~~
 
-`/usr/local/etc/postfix/sender_relay`. This is important file. Put there all your SMTP servers. Pay attention to port (smtp/submission). Square brackets have their special meaning, they are almost certainly needed. For more info consult Postfix manual.
+`/usr/local/etc/postfix/sender_relay`. This is an important file. Put all your SMTP servers there. Pay attention to port (smtp/submission). Square brackets have their special meaning, they are almost certainly needed. For more info consult Postfix manual.
 
 ~~~
 your.mail@exmaple.com         [mail.example.com]:submission
 your.other@mail.com         [smtp.mail.com]:smtp
 ~~~
 
-`/usr/local/etc/postfix/saslpass`. Here you put passwords to above mentioned servers. It depends on provider if you need to put whole email as username or just the part before `@`.
+`/usr/local/etc/postfix/saslpass`. Here you put passwords to above mentioned servers. It depends on your provider if you need to put whole email as username or just the part before `@`.
 
 ~~~
 [mail.example.com]:submission     your.mail:y0urP4ssw0rd
diff --git a/configuration/resize-disk-image.md b/configuration/resize-disk-image.md
index 6458b7f3..c89780ab 100644
--- a/configuration/resize-disk-image.md
+++ b/configuration/resize-disk-image.md
@@ -34,7 +34,7 @@ The basic idea is to:
 1.  Shrink filesystem on the private disk image.
 2.  Then shrink the image.
 
-Ext4 does not support online shrinking, so can't be done as convenient as image grown. Note that we don't want to touch the VM filesystem directly in dom0 for security reasons. First you need to start VM without `/rw` mounted. One of the possibility is to interrupt its normal startup by adding `rd.break` kernel option:
+Ext4 does not support online shrinking, so can't be done as convenient as image grown. Note that we don't want to touch the VM filesystem directly in dom0 for security reasons. First you need to start VM without `/rw` mounted. One of the possibilities is to interrupt its normal startup by adding `rd.break` kernel option:
 
 ~~~
 qvm-prefs -s <vm-name> kernelopts rd.break
@@ -63,7 +63,7 @@ Now you can resize the image:
 truncate -s <new-desired-size> /var/lib/qubes/appvms/<vm-name>/private.img
 ~~~
 
-**It is critical to use the same (or bigger for some safety margin) size in truncate call compared to resize2fs call. Otherwise you will loose your data!** Then reset kernel options back to default:
+**It is critical to use the same (or bigger for some safety margin) size in truncate call compared to resize2fs call. Otherwise you will lose your data!** Then reset kernel options back to default:
 
 ~~~
 qvm-prefs -s <vm-name> kernelopts default
@@ -75,8 +75,8 @@ Done.
 
 If you want install a lot of software in your TemplateVM, you may need to increase the amount of disk space your TemplateVM can use.
 
-1.  Make sure that all the VMs based on this template are shut off (including netvms etc).
-2.  Sanity check: verify that none of loop device are pointing at this template root.img: `sudo losetup -a`
+1.  Make sure that all the VMs based on this template are powered off (including netvms etc).
+2.  Sanity check: verify that none of the loop devices are pointing at this template root.img: `sudo losetup -a`
 3.  Resize root.img file using `truncate -s <desired size>` (the root.img path can be obtained from qvm-prefs).
 4.  If any netvm/proxyvm used by this template is based on it, set template netvm to none.
 5.  Start the template.
diff --git a/configuration/resize-root-disk-image.md b/configuration/resize-root-disk-image.md
index bee7272f..0006bb19 100644
--- a/configuration/resize-root-disk-image.md
+++ b/configuration/resize-root-disk-image.md
@@ -11,7 +11,7 @@ redirect_from:
 Resize Root Disk Image
 ----------------------
 
-The safest way to increase the size of `root.img` is to turn your TemplateVM into a StandaloneVM. Doing this means it will have it's own root filesystem *(StandaloneVMs use a copy of template, instead of smart sharing)*. To do this run `qvm-create --standalone` from `dom0` Konsole.
+The safest way to increase the size of `root.img` is to turn your TemplateVM into a StandaloneVM. Doing this means it will have its own root filesystem *(StandaloneVMs use a copy of template, instead of smart sharing)*. To do this run `qvm-create --standalone` from `dom0` Konsole.
 
 ### Resize a StandaloneVM Root Image
 
@@ -27,7 +27,7 @@ Then start Terminal for this StandaloneVM and run:
 sudo resize2fs /dev/mapper/dmroot
 ~~~
 
-Shutdown the StandaloneVM and you will have extended the size of it's `root.img`
+Shutdown the StandaloneVM and you will have extended the size of its `root.img`
 
 
 ### Resize a TemplateVM Root Image
@@ -51,4 +51,4 @@ to do!`.
 sudo resize2fs /dev/mapper/dmroot
 ~~~
 
-Shutdown the TemplateVM and you will have extended the size of it's `root.img`.
+Shutdown the TemplateVM and you will have extended the size of its `root.img`.
diff --git a/configuration/salt.md b/configuration/salt.md
index 76128d86..4cb64973 100644
--- a/configuration/salt.md
+++ b/configuration/salt.md
@@ -227,7 +227,7 @@ malicious target VM.
 
 ## Writing your own configuration
 
-Let's start with quick example:
+Let's start with a quick example:
 
     my new and shiny vm:
       qvm.present:
@@ -304,7 +304,7 @@ You can set properties of existing domain:
         - netvm: sys-firewall
 
 Note that `name:` is a matcher, ie. it says the domain which properties will be
-manipulated is called `salt-test2`. The implies that you currently cannot rename
+manipulated is called `salt-test2`. This implies that you currently cannot rename
 domains this way.
 
 ### qvm.service
diff --git a/hardware/certified-laptops.md b/hardware/certified-laptops.md
index f8a53e4f..bce9b75f 100644
--- a/hardware/certified-laptops.md
+++ b/hardware/certified-laptops.md
@@ -15,7 +15,7 @@ getting your company's hardware Qubes-certified, please see the [Hardware
 Certification] page.
 
 We aim to partner with a few select computer makers to ensure that Qubes is
-compatible with them and new users have clear path towards getting started
+compatible with them and new users have a clear path towards getting started
 with Qubes if they desire. We look for these makers to be as diverse as possible
 in terms of geography, cost, and availability.
 
diff --git a/installing/live-usb.md b/installing/live-usb.md
index 6e629962..a94cbb7a 100644
--- a/installing/live-usb.md
+++ b/installing/live-usb.md
@@ -29,7 +29,7 @@ traditional Linux distros don't have to bother with:
    version, sorry.
 2. We discovered that the Fedora liveusb-create does *not* verify signatures on
    downloaded packages. We have temporarily fixed that by creating a local repo,
-   verifying the signatures manually (ok, with a script ;) and then building
+   verifying the signatures manually (ok, with a script ;) ) and then building
    from there. Sigh.
 3. We had to solve the problem of Qubes too easily triggering an Out Of Memory
    condition in Dom0 when running as Live OS.
@@ -65,7 +65,7 @@ Live USB variant:
    A nice variant of this persistence option, especially for frequent
    travelers, would be to augment our backup tools so that it was
    possible to create a LiveUSB-hosted backups of select VMs. One could then
-   pick a few of their VMs, necessary for a specific travel, back them to a
+   pick a few of their VMs, necessary for a specific trip, back them up to a
    LiveUSB stick, and take this stick when traveling to a hostile country (not
    risking taking other, more sensitive ones for the travel). This should make
    life a bit simpler
@@ -90,7 +90,7 @@ expectations accordingly.)
 3. Currently there is no "install to disk" option. We will be adding this
    in the future.
 4. The amount of "disk" space is limited by the amount of RAM the laptop
-   has. This has a side effect of e.g. not being able to restore (even few) VMs
+   has. This has a side effect of e.g. not being able to restore (even a few) VMs
    from a large Qubes backup blob.
 5. It's easy to generate Out Of Memory (OOM) in Dom0 by creating lots of VMs
    which are writing a lot into the VMs filesystem.
diff --git a/installing/upgrade/upgrade-to-r3.0.md b/installing/upgrade/upgrade-to-r3.0.md
index 35c6c8fd..223fd63c 100644
--- a/installing/upgrade/upgrade-to-r3.0.md
+++ b/installing/upgrade/upgrade-to-r3.0.md
@@ -100,7 +100,7 @@ Now, when you have dom0 upgraded, you can install new templates from Qubes R3.0
 Upgrading template on already upgraded dom0
 -------------------------------------------
 
-When for some reason you did not upgraded all the templates and standalone VMs before upgrading dom0, you can still do this, but it will be somehow more complicated. This can be a case when you restore backup done on Qubes R2.
+If for some reason you did not upgrade all the templates and standalone VMs before upgrading dom0, you can still do this, but it will be somewhat more complicated. This can be a case when you restore backup done on Qubes R2.
 
 When you start R2 template/standalone VM on R3.0, there will be some limitations:
 
diff --git a/installing/version-scheme.md b/installing/version-scheme.md
index 447611ff..f538ec78 100644
--- a/installing/version-scheme.md
+++ b/installing/version-scheme.md
@@ -17,7 +17,7 @@ From now on, it will be as follows.
 Qubes distributions and products
 --------------------------------
 
-We intend to make it easy to make a remix of qubes, targeting another
+We intend to make it easy to make a remix of Qubes, targeting another
 hypervisor or isolation provider. We may also create commercial products
 intended for specific circumstances. There is one distinguished distribution
 called **Qubes OS**. All source code for it is available for download under GPL
@@ -28,13 +28,13 @@ Release version
 ---------------
 
 Qubes OS as a whole is released from time to time. Version scheme for all
-releases is modeled after Linux kernel version numbers. When announcing new
+releases is modeled after Linux kernel version numbers. When announcing a new
 release, we decide on the major.minor version (like `3.0`) and release
 `3.0-rc1`. When we feel that enough progress has been made, we put `3.0-rc2`
 and so on. All these versions are considered unstable and not ready for
 production. You may ask for support on mailing lists (specifically
 **qubes-devel**), but it is not guaranteed (you may for example get answer
-„update to newer `-rc`”). Public ISO image may or may not be available.
+“update to newer `-rc`”). Public ISO image may or may not be available.
 
 When enough development has been made, we announce the first stable version,
 like e.g. `3.0.0` (i.e. without `-rc`). This version is considered stable and
@@ -46,7 +46,7 @@ bugfixes as `3.0.1`, `3.0.2` and so on, while new features come into the next
 release e.g. `3.1-rcX`.
 
 Tickets in the tracker are sorted out by release major.minor, such as `3.0`,
-`3.1` (trac calls this „milestone”).
+`3.1` (trac calls this “milestone”).
 
 Release schedule
 ----------------
diff --git a/managing-os/hvm.md b/managing-os/hvm.md
index f1724823..1f68ec87 100644
--- a/managing-os/hvm.md
+++ b/managing-os/hvm.md
@@ -48,7 +48,7 @@ The above command assumes the installation ISO was transferred to Dom0 (copied u
 qvm-start win7 --cdrom=/dev/cdrom
 ~~~
 
-Next the VM will start booting from the attached CDROM device (which in the example above just happens to be a Windows 7 installation disk). Depending on the OS that is being installed in the VM one might be required to start the VM several times (as is the case with Windows 7 installations), because whenever the installer wants to "reboot the system" it actually shutdowns the VM and Qubes won't automatically start it.  Several invocations of qvm-start command (as shown above) might be needed.
+Next the VM will start booting from the attached CDROM device (which in the example above just happens to be a Windows 7 installation disk). Depending on the OS that is being installed in the VM one might be required to start the VM several times (as is the case with Windows 7 installations), because whenever the installer wants to "reboot the system" it actually shuts down the VM and Qubes won't automatically start it.  Several invocations of qvm-start command (as shown above) might be needed.
 
 [![r2b1-win7-installing.png](/attachment/wiki/HvmCreate/r2b1-win7-installing.png)](/attachment/wiki/HvmCreate/r2b1-win7-installing.png)
 
@@ -170,7 +170,7 @@ Cloning HVM domains
 
 Just like normal AppVMs, the HVM domains can also be cloned either using a command-line `qvm-clone` command or via manager's 'Clone VM' option in the right-click menu.
 
-The cloned VM will get identical root and private image and will essentially be an identical of the original VM except that it will get a different MAC address for the networking interface:
+The cloned VM will get identical root and private images and will essentially be identical to the original VM except that it will get a different MAC address for the networking interface:
 
 ~~~
 [joanna@dom0 ~]$ qvm-prefs win7
diff --git a/managing-os/netbsd.md b/managing-os/netbsd.md
index 5b4977e0..8b655ec2 100644
--- a/managing-os/netbsd.md
+++ b/managing-os/netbsd.md
@@ -9,7 +9,7 @@ How to Create a NetBSD VM
 
 1. Create a StandaloneVM with the default template.
 2. Replace `vmlinuz` with the `netbsd-INSTALL_XEN3_DOMU` kernel.
-3. During setup, chose to install on the `xbd1` hard disk.
+3. During setup, choose to install on the `xbd1` hard disk.
 4. Attach the CD to the VM.
 5. Configure the networking.
 6. Optionally enable SSHD during the post-install configuration.
diff --git a/managing-os/pentesting/blackarch.md b/managing-os/pentesting/blackarch.md
index f02575e6..ff3396dd 100644
--- a/managing-os/pentesting/blackarch.md
+++ b/managing-os/pentesting/blackarch.md
@@ -10,9 +10,9 @@ redirect_from:
 
 - The installation scripts and provided tools may have bugs, be vulnerable to Man in the Middle (MitM) attacks or other vulnerabilities.
 
-- Adding additional repositories or tools for installing software extends your trust to those tool provider.
+- Adding additional repositories or tools for installing software extends your trust to those tool providers.
 
-Please keep in mind that using such a VM or VM's based on the template for security and privacy critical tasks is not recommended.  
+Please keep in mind that using such a VM or VMs based on the template for security and privacy critical tasks is not recommended.  
 
 How to Create a BlackArch VM
 ============================
diff --git a/managing-os/pentesting/kali.md b/managing-os/pentesting/kali.md
index e87dad3c..422c580c 100644
--- a/managing-os/pentesting/kali.md
+++ b/managing-os/pentesting/kali.md
@@ -10,7 +10,7 @@ redirect_from:
 
 - The installation scripts and provided tools may have bugs, be vulnerable to Man in the Middle (MitM) attacks or other vulnerabilities.
 
-- Adding additional repositories or tools for installing software extends your trust to those tool provider.
+- Adding additional repositories or tools for installing software extends your trust to those tool providers.
 
 Please keep in mind that using such a VM or VM's based on the template for security and privacy critical tasks is not recommended.
 
diff --git a/managing-os/pentesting/ptf.md b/managing-os/pentesting/ptf.md
index 0e3cb216..7c85b169 100644
--- a/managing-os/pentesting/ptf.md
+++ b/managing-os/pentesting/ptf.md
@@ -10,7 +10,7 @@ redirect_from:
 
 - The installation scripts and provided tools may have bugs, be vulnerable to Man in the Middle (MitM) attacks or other vulnerabilities.
 
-- Adding additional repositories or tools for installing software extends your trust to those tool provider.
+- Adding additional repositories or tools for installing software extends your trust to those tool providers.
 
 Please keep in mind that using such a VM or VM's based on the template for security and privacy critical tasks is not recommended.
 
@@ -21,7 +21,7 @@ How to create Penetration Testers Framework (PTF) VM
 
 PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine." (source [PTF Readme](https://github.com/trustedsec/ptf/blob/master/README.md))
 
-**Note** PTF works on Debian testing as well as on Debian 8. PTF itself works with Debian 8, but the software tools will have missing dependencies. Metasploit for examples requires a newer Ruby version than Debian 8 has in the repositories. Therefor the best way to install PTF is by upgrading a Debian 8 into Debian testing with additional Kali repositories. Instead of installing the tools from Kali, PTF will install and update the newest tools.
+**Note** PTF works on Debian testing as well as on Debian 8. PTF itself works with Debian 8, but the software tools will have missing dependencies. Metasploit for example requires a newer Ruby version than Debian 8 has in the repositories. Therefore the best way to install PTF is by upgrading a Debian 8 into Debian testing with additional Kali repositories. Instead of installing the tools from Kali, PTF will install and update the newest tools.
 
 Create Debian Based Penetration Testers Framework (PTF) Template
 ----------------------------------------------------------------
@@ -108,7 +108,7 @@ possible to do sudo ptf/ptf
                     [*] Exiting PTF - the easy pentest platform creation framework.
                     sudo msfconsole
 
-5. Create a AppVMs based on the `ptf` template
+5. Create an AppVM based on the `ptf` template
 
     - (Optional) Attach necessary devices
 
diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md
index 3bb15f2f..d7ac945b 100644
--- a/managing-os/templates/archlinux.md
+++ b/managing-os/templates/archlinux.md
@@ -53,18 +53,18 @@ In order to keep the template as small and simple as possible, default installed
 * Some font packages to keep good user experience
 * leafpad: a note pad
 * xfce4-terminal: a terminal
-* thunar: a file browser that support mounting usb keys
+* thunar: a file browser that supports mounting usb keys
 * firefox: web browser
 * thunderbird: a mail browser
 * evince: a document viewer
 
-Note that Archlinux does not install GUI packages by default as this decision is left to users. This packages have only been selected to have a usable template.
+Note that Archlinux does not install GUI packages by default as this decision is left to users. These packages have only been selected to have a usable template.
 
 ## Updating a Qubes-3.1 Archlinux Template
 
-If you decide to use binary packages but that you where using a Qubes-3.1 Template, your can follow these instructions to enable Qubes 3.2 agents.
+If you decide to use binary packages but that you were using a Qubes-3.1 Template, you can follow these instructions to enable Qubes 3.2 agents.
 
-You can use a template that you built for Qubes 3.1 in Qubes 3.2. The qrexec and gui agent functionnalities should still be working so that you can at least open a terminal.
+You can use a template that you built for Qubes 3.1 in Qubes 3.2. The qrexec and gui agent functionalities should still be working so that you can at least open a terminal.
 
 In order to enable binary packages for Qubes 3.2, add the following lines to the end of /etc/pacman.conf
 
@@ -76,22 +76,22 @@ Server = http://olivier.medoc.free.fr/archlinux/current/
 You should then follow the instruction related to pacman-key in order to sign the binary packages PGP key. With the key enabled, a pacman update will update qubes agents:
 ` # pacman -Suy `
 
-The two line that have just been added to /etc/pacman.conf should then be removed as they have been included in the qubes-vm-core update in the file `/etc/pacmand.d/99-qubes-repository-3.2.conf`
+The two lines that have just been added to /etc/pacman.conf should then be removed as they have been included in the qubes-vm-core update in the file `/etc/pacmand.d/99-qubes-repository-3.2.conf`
 
 ## Known Issues
 
 ### Package cannot be updated because of errors related to xorg-server or pulseaudio versions
 
-In case archlinux upgrade pulseaudio major version or xorg-server version, updating these packages will break the qubes GUI agent. To avoid breaking things, the update is blocked until a new version of the GUI agent is available.
+In the case of archlinux upgrade pulseaudio major version or xorg-server version, updating these packages will break the qubes GUI agent. To avoid breaking things, the update is blocked until a new version of the GUI agent is available.
 
-In this case, the gui-agent-linux component of Qubes-OS needs to be rebuild using these last xorg-server or pulseaudio libraries. You can try to rebuilt it yourself or wait for a new qubes-vm-gui package to be available.
+In this case, the gui-agent-linux component of Qubes-OS needs to be rebuilt using these last xorg-server or pulseaudio libraries. You can try to rebuild it yourself or wait for a new qubes-vm-gui package to be available.
 
-### qubes-vm is apparently starting properly (green dot) however graphical applications do not appears to work
+### qubes-vm is apparently starting properly (green dot) however graphical applications do not appear to work
 
-They are multiple potential reasons. Some of them are described in the following issues:
+They are multiple potential reasons. Some of them are described in the following issue:
 * https://github.com/QubesOS/qubes-issues/issues/2612
 
-In issue 2612, check that the option `noauto` is present for all lines in /etc/fstab related to /rw or /home. This bug can appears if you come from an old Archlinux Template (pre February 2017).
+In issue 2612, check that the option `noauto` is present for all lines in /etc/fstab related to /rw or /home. This bug can appear if you come from an old Archlinux Template (pre February 2017).
 
 ## Debugging a broken VM
 
@@ -101,7 +101,7 @@ In order to identify the issue, you should start by getting a console access to
 
 * Or by running in dom0 `sudo xl console yourbrokenvm`
 
-Starts by trying to run a GUI application such as xfce4-terminal in order to identify any error message.
+Start by trying to run a GUI application such as xfce4-terminal in order to identify any error message.
 
 Then you can check potential broken systemd service by running the following command inside the broken vm: `systemctl | grep fail`.
 
@@ -112,7 +112,7 @@ Finally, errors related to the GUI agent can be found inside the VM in `/home/us
 ## Packages manager wrapper
 
 
-Powerpill is a full Pacman wrapper that not only give easy proxy configuration but further offers numerous other advantages.
+Powerpill is a full Pacman wrapper that not only gives easy proxy configuration but further offers numerous other advantages.
 
 Please check out:
 
@@ -121,7 +121,7 @@ Please check out:
 [XYNE's (dev) Powerpill](http://xyne.archlinux.ca/projects/powerpill/)
 
 
-**Important Note:** As you are working in a template vm, by default, you will have to open network access to the template to download files manually, except for package managed which should be handled by the Qubes proxy. You can use the "allow full access for" a given time period in the FW settings of the template in the VMM or open up the various services through the same window.  Remember to change it back if you choose the later route.  Actions needing network access will be noted with (needs network access)
+**Important Note:** As you are working in a template vm, by default, you will have to open network access to the template to download files manually, except for managed packages which should be handled by the Qubes proxy. You can use the "allow full access for" a given time period in the FW settings of the template in the VMM or open up the various services through the same window.  Remember to change it back if you choose the later route.  Actions needing network access will be noted with (needs network access)
 
 <br>
 <br>
@@ -134,7 +134,7 @@ Please check out:
 
 *   **$ sudo nano -w /etc/pacman.conf**
         
-* Below is the output of a correct pacman.conf file  Make the changes so your file matches this one or rename the original and create a new one and copy and paste this text into it.  Text should be justified left in the file.  The changes from your default are to make gpg sig signing mandatory for packages but not required for DBs for the archlinux repos.  Also to add the repo (at the end) for the Powerpill package.
+* Below is the output of a correct pacman.conf file  Make the changes so your file matches this one or rename the original and create a new one and copy and paste this text into it.  Text should be justified left in the file.  The changes from your default are to make gpg signing mandatory for packages but not required for DBs for the archlinux repos.  Also to add the repo (at the end) for the Powerpill package.
 
 
 <br>
diff --git a/managing-os/templates/debian/upgrade-8-to-9.md b/managing-os/templates/debian/upgrade-8-to-9.md
index e8db7255..0b564055 100644
--- a/managing-os/templates/debian/upgrade-8-to-9.md
+++ b/managing-os/templates/debian/upgrade-8-to-9.md
@@ -116,7 +116,7 @@ Additional Information
 ----------------------
 
 It should be noted that Debian 9 (Stretch) is currently marked testing and
-should be treat as such. For projects that need absolute stability, upgrading
+should be treated as such. For projects that need absolute stability, upgrading
 may not be the best option.
 
 Debian Stretch packages were first made available in the Qubes R3.1 repositories.
diff --git a/managing-os/templates/fedora-minimal.md b/managing-os/templates/fedora-minimal.md
index 433e6e5c..325cbc88 100644
--- a/managing-os/templates/fedora-minimal.md
+++ b/managing-os/templates/fedora-minimal.md
@@ -29,7 +29,7 @@ The download may take a while depending on your connection speed.
 Duplication and first steps
 ---------------------------
 
-It is higly recommended to clone the original template, and make any changes in the clone instead of the original template. The following command clones the template. Replace `your-new-clone` with your desired name.
+It is highly recommended to clone the original template, and make any changes in the clone instead of the original template. The following command clones the template. Replace `your-new-clone` with your desired name.
 
 ~~~
 [user@dom0 ~]$ qvm-clone fedora-24-minimal your-new-clone
diff --git a/managing-os/templates/fedora/upgrade-20-to-21.md b/managing-os/templates/fedora/upgrade-20-to-21.md
index 402a022d..46e1b3a9 100644
--- a/managing-os/templates/fedora/upgrade-20-to-21.md
+++ b/managing-os/templates/fedora/upgrade-20-to-21.md
@@ -202,7 +202,7 @@ In this case, you have several options:
  1. [Increase the TemplateVM's disk image size](/doc/resize-disk-image/).
     This is the solution mentioned in the main instructions above.
  2. Delete files in order to free up space. One way to do this is by
-    uninstalling packages. You may then reinstalling them again after you
+    uninstalling packages. You may then reinstall them again after you
     finish the upgrade process, if desired). However, you may end up having to
     increase the disk image size anyway (see previous option).
  3. Increase the `root.img` size with `qvm-grow-root`. It should be easy to
diff --git a/managing-os/templates/fedora/upgrade-21-to-23.md b/managing-os/templates/fedora/upgrade-21-to-23.md
index 0353de2c..075ffa13 100644
--- a/managing-os/templates/fedora/upgrade-21-to-23.md
+++ b/managing-os/templates/fedora/upgrade-21-to-23.md
@@ -185,7 +185,7 @@ In this case, you have several options:
  1. [Increase the TemplateVM's disk image size](/doc/resize-disk-image/).
     This is the solution mentioned in the main instructions above.
  2. Delete files in order to free up space. One way to do this is by
-    uninstalling packages. You may then reinstalling them again after you
+    uninstalling packages. You may then reinstall them again after you
     finish the upgrade process, if desired). However, you may end up having to
     increase the disk image size anyway (see previous option).
  3. Increase the `root.img` size with `qvm-grow-root`. It should be easy to
diff --git a/managing-os/templates/fedora/upgrade-23-to-24.md b/managing-os/templates/fedora/upgrade-23-to-24.md
index 73b7b8af..9c95da15 100644
--- a/managing-os/templates/fedora/upgrade-23-to-24.md
+++ b/managing-os/templates/fedora/upgrade-23-to-24.md
@@ -215,7 +215,7 @@ In this case, you have several options:
  1. [Increase the TemplateVM's disk image size][resize-disk-image].
     This is the solution mentioned in the main instructions above.
  2. Delete files in order to free up space. One way to do this is by
-    uninstalling packages. You may then reinstalling them again after you
+    uninstalling packages. You may then reinstall them again after you
     finish the upgrade process, if desired). However, you may end up having to
     increase the disk image size anyway (see previous option).
  3. Increase the `root.img` size with `qvm-grow-root`.
diff --git a/managing-os/windows/windows-appvms.md b/managing-os/windows/windows-appvms.md
index c43487b9..43712c6a 100644
--- a/managing-os/windows/windows-appvms.md
+++ b/managing-os/windows/windows-appvms.md
@@ -124,14 +124,14 @@ Qubes allows HVM VMs to share a common root filesystem from a select Template VM
 qvm-create --hvm-template win7-x64-template -l green
 ~~~
 
-... and install Windows OS (or other OS) into this template the same way as you would install it into a normal HVM -- please see [this page](/doc/hvm-create/) instructions. However, it would make lots of sense to store the `C:\Users` directory on the 2nd disk which is automatically exposed by Qubes to all HVMs. This 2nd disk is backed by the `private.img` file in the AppVMs' and is not reset upon AppVMs reboot, so the user's directories and profiles would survive the AppVMs reboot, unlike the "root" filesystem which will be reverted to the "golden image" from the Template VM automatically. To facilitate such separation of user profiles, Qubes Windows Tools provide an option to automatically move `C:\Users` directory to the 2nd disk backed by `private.img`. It's a selectable feature of the installer, enabled by default. If that feature is selected during installation, completion of the process requires two reboots:
+... and install Windows OS (or other OS) into this template the same way as you would install it into a normal HVM -- please see instructions on [this page](/doc/hvm-create/). However, it would make lots of sense to store the `C:\Users` directory on the 2nd disk which is automatically exposed by Qubes to all HVMs. This 2nd disk is backed by the `private.img` file in the AppVMs' and is not reset upon AppVMs reboot, so the user's directories and profiles would survive the AppVMs reboot, unlike the "root" filesystem which will be reverted to the "golden image" from the Template VM automatically. To facilitate such separation of user profiles, Qubes Windows Tools provide an option to automatically move `C:\Users` directory to the 2nd disk backed by `private.img`. It's a selectable feature of the installer, enabled by default. If that feature is selected during installation, completion of the process requires two reboots:
 
 -   The private disk is initialized and formatted on the first reboot after tools installation. It can't be done **during** the installation because Xen mass storage drivers are not yet active.
 -   User profiles are moved to the private disk on the next reboot after the private disk is initialized. Reboot is required because the "mover utility" runs very early in the boot process so OS can't yet lock any files in there. This can take some time depending on the profiles' size and because the GUI agent is not yet active dom0/Qubes Manager may complain that the AppVM failed to boot. That's a false alarm (you can increase AppVM's default boot timeout using `qvm-prefs`), the VM should appear "green" in Qubes Manager shortly after.
 
-It also makes sense to disable Automatic Updates for all the template-based AppVMs -- of course this should be done in the Template VM, not in individual AppVMs, because the system-wide setting are stored in the root filesystem (which holds the system-wide registry hives). Then, periodically check for updates in the Template VM and the changes will be carried over to any child AppVMs.
+It also makes sense to disable Automatic Updates for all the template-based AppVMs -- of course this should be done in the Template VM, not in individual AppVMs, because the system-wide settings are stored in the root filesystem (which holds the system-wide registry hives). Then, periodically check for updates in the Template VM and the changes will be carried over to any child AppVMs.
 
-Once the template has been created and installed it is easy to create AppVMs based on:
+Once the template has been created and installed it is easy to create AppVMs based on it:
 
 ~~~
 qvm-create --hvm <new windows appvm name> --template <name of template vm> --label <label color>
diff --git a/privacy/anonymizing-your-mac-address.md b/privacy/anonymizing-your-mac-address.md
index b59c6ada..44d28405 100644
--- a/privacy/anonymizing-your-mac-address.md
+++ b/privacy/anonymizing-your-mac-address.md
@@ -149,7 +149,7 @@ macspoof-enp0s0  meminfo-writer   updates-proxy-setup
 ~~~
 
 Now, also within the TemplateVM, type the following commands for each hardware device that you want to randomize a MAC 
-addresses for
+address for
 
 ~~~
 sudo systemctl enable macspoof@wlp0s1
diff --git a/privacy/whonix-install.md b/privacy/whonix-install.md
index d8f1cd6f..70e854a6 100644
--- a/privacy/whonix-install.md
+++ b/privacy/whonix-install.md
@@ -19,7 +19,7 @@ Using privacy and anonymization tools like Whonix is not a magical solution that
 * Do you think nobody can eavesdrop on your communications because you are using Tor?
 * Do you know how Whonix works?
 
-If you answered no, have a look at the [about](https://www.whonix.org/wiki/About), [warning](https://www.whonix.org/wiki/Warning) and [do not](https://www.whonix.org/wiki/DoNot) pages (on the Whonix website) to make sure Whonix is the right tool for you and you understand  it's limitations.
+If you answered no, have a look at the [about](https://www.whonix.org/wiki/About), [warning](https://www.whonix.org/wiki/Warning) and [do not](https://www.whonix.org/wiki/DoNot) pages (on the Whonix website) to make sure Whonix is the right tool for you and you understand its limitations.
 
 ---
 
@@ -37,7 +37,7 @@ After doing this, you should see two new TemplateVMs in the VM Manager called `w
 
 ### Enabling AppArmor
 
-This is an optional security enhancement (for testers-only). If you’re technical & interested, see [Enabling AppArmor](/doc/privacy/customizing-whonix/).
+This is an optional security enhancement (for testers-only). If you’re technical and interested, see [Enabling AppArmor](/doc/privacy/customizing-whonix/).
 
 ### Configuring Whonix VMs
 
@@ -57,7 +57,7 @@ Great. You should be all done installing Whonix into Qubes. Use these two Templa
 
 ### Running Applications
 
-To start an application in the **Whonix-Workstation AppVM** that you created, launch it like any other- open the `Qubes App Launcher` and then select an app such as `Privacy Browser` which will then launch the Tor Browser
+To start an application in the **Whonix-Workstation AppVM** that you created, launch it like any other- open the `Qubes App Launcher` and then select an app such as `Privacy Browser` which will then launch the Tor Browser.
 
 ### Advanced Information
 
diff --git a/releases/1.0/release-notes.md b/releases/1.0/release-notes.md
index 993516ab..7743684b 100644
--- a/releases/1.0/release-notes.md
+++ b/releases/1.0/release-notes.md
@@ -16,7 +16,7 @@ Known issues
 
 -   Installer might not support some USB keyboards (\#230). This seems to include all the Mac Book keyboards (most PC laptops have PS2 keyboards and are not affected).
 
--   If you don't enable Composition (System Setting -\> Desktop -\> Enable desktop effects), which you really should do, then the KDE task bar might get somehow ugly (e.g. half of it might be black). This is some KDE bug that we don't plan to fix.
+-   If you don't enable Composition (System Setting -\> Desktop -\> Enable desktop effects), which you really should do, then the KDE task bar might get somewhat ugly (e.g. half of it might be black). This is some KDE bug that we don't plan to fix.
 
 -   Some keyboard layout set by KDE System Settings can cause [keyboard not working at all](https://groups.google.com/group/qubes-devel/browse_thread/thread/77d076b65dda7226). If you hit this issue, you can switch to console (by console login option) and manually edit `/etc/X11/xorg.conf.d/00-system-setup-keyboard.conf` (and `/etc/sysconfig/keyboard`) and place correct keyboard layout settings (details in linked thread). You can check if specific keyboard layout settings are proper using `setxkbmap` tool.
 
diff --git a/security-info/security-pack.md b/security-info/security-pack.md
index f875f679..390f4a36 100644
--- a/security-info/security-pack.md
+++ b/security-info/security-pack.md
@@ -95,7 +95,7 @@ to the Qubes mailing lists:
     very soon, the possibility of having to disclose any of the Qubes
     signing keys to anybody might have pretty serious consequences for those
     who decided to entrust Qubes with anything serious. And we would like to
-    somehow minimize these consequences with this canary thing.
+    somewhat minimize these consequences with this canary thing.
     
     Additionally the canary is a nice way of ensuring "freshness" of our
     messaging to the community.
@@ -254,7 +254,7 @@ verifying its contents, and reading them.
     good.)
 
 The same procedures can be applied to any directory or file in the
-`qubes-secpack`. Two methods of verification (signed Git tags and deatched PGP
+`qubes-secpack`. Two methods of verification (signed Git tags and detached PGP
 signatures) are provided to ensure that the system is robust (e.g., against a
 potential failure in Git tag-based verification) and to give users more options
 to verify the files.
diff --git a/security/security-guidelines.md b/security/security-guidelines.md
index 1bfa6551..d317a14b 100644
--- a/security/security-guidelines.md
+++ b/security/security-guidelines.md
@@ -58,7 +58,7 @@ Observing Security Contexts
 Each VM is assigned a specific colour for its window borders. These borders are how Qubes displays the **security context** of applications and data so that users can be easily aware of this at all times. Be sure to check the colour of window borders before taking any action, particularly if it affects the security of your system. [See this blog post for more information](https://blog.invisiblethings.org/2011/05/21/app-oriented-ui-model-and-its-security.html).
 
 Always remember that any "red" window can draw "green" password prompts. 
-Don't let yourself be tricked into entering credentials designated to one qube into a forged input boxes rendered by another.
+Don't let yourself be tricked into entering credentials designated to one qube into a forged input box rendered by another.
 For XFCE users (which is the default desktop environment on QubesOS) it would be wise to manually move the more trusted window so that it is not displayed on top of a less trusted one, but rather over the trusted Dom0 wallpaper. 
 If you use KDE, it has a helpful feature called **Expose-like effect** that is activated in System Tools -\> System Settings -\> Desktop Effects -\> All Effects -\> Desktop Grid Present Windows. 
 Performing these steps makes it easier to tell the difference between when you're being phished and when you're genuinely being asked for credentials.
diff --git a/security/split-bitcoin.md b/security/split-bitcoin.md
index bb284fa0..cfabf994 100644
--- a/security/split-bitcoin.md
+++ b/security/split-bitcoin.md
@@ -48,7 +48,7 @@ Important Notes
 * The private keys (xpriv) should never be moved outside of `offline-bitcoin`.
 * For copying out the public keys (xpub), Qubes provides two secure, convenient
   methods: the [inter-VM clipboard] and [inter-VM file copy] tools. Compared to
-  traditional physically air-gapped machines, these tools makes it very easy to
+  traditional physically air-gapped machines, these tools make it very easy to
   copy out public keys.
 
 [inter-VM clipboard]: /doc/copy-paste/
diff --git a/security/yubi-key.md b/security/yubi-key.md
index a01fff13..1635f181 100644
--- a/security/yubi-key.md
+++ b/security/yubi-key.md
@@ -24,23 +24,23 @@ package. This package does not support sharing the same key slot with other
 applications (it will deny further authentications if you try).
 
 Contrary to instruction there, currently there is no binary packages in Qubes
-repository and you need to compile it yourself. This can change in the future.
+repository and you need to compile it yourself. This might change in the future.
 
 Challenge-reponse mode
 ----------------------
 
 In this mode, your YubiKey will generate response based on secret key, and
 random challenge (instead of counter). This means that it isn't possible to
-generate response in advance even when someone get access to your YubiKey. This
-makes reasonably safe to use the same YubiKey for other services (also in
+generate response in advance even if someone gets access to your YubiKey. This
+makes it reasonably safe to use the same YubiKey for other services (also in
 challenge-response mode).
 
-Same as in OTP case, you will need to setup your YubiKey, choose separate
+Same as in OTP case, you will need to set up your YubiKey, choose separate
 password (other than your login password!) and apply the configuration.
 
-To use this mode you need:
+To use this mode you need to:
 
-1. Configure your YubiKey for challenge-reponse HMAC-SHA1 mode, for example
+1. Configure your YubiKey for challenge-response HMAC-SHA1 mode, for example
    [following this
    tutorial](https://www.yubico.com/products/services-software/personalization-tools/challenge-response/)
 2. Install `ykpers` package in template on which your USB VM is based.
@@ -93,31 +93,31 @@ password associated with YubiKey. If you configured so, YubiKey will request
 confirmation by pressing button on it (it will blink).
 When everything is ok, your screen will be unlocked.
 
-In any case you can still use your login password, but do it in secure location
+In any case you can still use your login password, but do it in a secure location
 where no one can snoop your password.
 
 Locking the screen when YubiKey is removed
 ------------------------------------------
 
 You can setup your system to automatically lock the screen when you unplug
-YubiKey. This will require creating simple qrexec service which will expose
-ability to lock the screen to your USB VM, and then adding udev hook to
+YubiKey. This will require creating a simple qrexec service which will expose
+the ability to lock the screen to your USB VM, and then adding udev hook to
 actually call that service.
 
 1. First configure the qrexec service. Create `/etc/qubes-rpc/custom.LockScreen` (in dom0)
-  with simple command to lock the screen. In case of xscreensaver (used in Xfce)
+  with a simple command to lock the screen. In case of xscreensaver (used in Xfce)
   it would be:
 
         DISPLAY=:0 xscreensaver-command -lock
 
-2. Allow your USB VM to call that service. Assuming that its named `sys-usb` it
+2. Allow your USB VM to call that service. Assuming that it's named `sys-usb` it
 would require creating `/etc/qubes-rpc/policy/custom.LockScreen` with:
 
         sys-usb dom0 allow
 
 3. Create udev hook in your USB VM. Store it in `/rw/config` to have it
 persistent across VM restarts. For example name the file
-`/rw/config/yubikey.rules`. Write there single line:
+`/rw/config/yubikey.rules`. Write there a single line:
 
         ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_SECURITY_TOKEN}=="1", RUN+="/usr/bin/qrexec-client-vm dom0 custom.LockScreen"
 
diff --git a/services/dvm-impl.md b/services/dvm-impl.md
index 3ed33a49..659073af 100644
--- a/services/dvm-impl.md
+++ b/services/dvm-impl.md
@@ -32,7 +32,7 @@ Preparing a savefile is done by */usr/lib/qubes/qubes\_prepare\_saved\_domain.sh
 8.  the domain is saved via *xl save*
 9.  the COW file volatile.img (cow for root fs and swap) is packed to `saved_cows.tar` archive
 
-*qubes\_prepare\_saved\_domain.sh* script is somehow lowlevel. It is usually called by *qvm-create-default-dvm* script, that takes care of creating a special AppVM (named template\_name-dvm) to be passed to *qubes\_prepare\_saved\_domain.sh*, as well as copying the savefile to /dev/shm (the latter action is not done if the `/var/lib/qubes/dvmdata/dont_use_shm` file exists).
+*qubes\_prepare\_saved\_domain.sh* script is somewhat lowlevel. It is usually called by *qvm-create-default-dvm* script, that takes care of creating a special AppVM (named template\_name-dvm) to be passed to *qubes\_prepare\_saved\_domain.sh*, as well as copying the savefile to /dev/shm (the latter action is not done if the `/var/lib/qubes/dvmdata/dont_use_shm` file exists).
 
 Restoring a DisposableVM from the savefile
 ------------------------------------------
diff --git a/system/security-critical-code.md b/system/security-critical-code.md
index 7fd9a5d2..95a353c1 100644
--- a/system/security-critical-code.md
+++ b/system/security-critical-code.md
@@ -48,7 +48,7 @@ Additionally when we consider attacks that originate through a compromised netwo
 Buggy Code vs. Back-doored Code Distinction
 -------------------------------------------
 
-There is an important distinction between the buggy code and maliciously trojaned code. We could have the most secure architecture and the most bulletproof TCB that perfectly isolates all domains from each other, but it still would be pretty useless if all the code used within domains, e.g. the actual email clients, word processors, etc, was somehow trojaned. In that case only network-isolated domains could be somehow trusted, while all others could be not.
+There is an important distinction between the buggy code and maliciously trojaned code. We could have the most secure architecture and the most bulletproof TCB that perfectly isolates all domains from each other, but it still would be pretty useless if all the code used within domains, e.g. the actual email clients, word processors, etc, was somehow trojaned. In that case only network-isolated domains could be somewhat trusted, while all others could be not.
 
 The above means that we must trust at least some of the vendors (not all, of course, but at least those few that provide the apps that we use in the most critical domains). In practice in Qubes OS we trust the software provided by Fedora project. This software is signed by Fedora distribution keys and so it is also critical that the tools used in domains for software updates (yum and rpm) be trusted.
 
diff --git a/troubleshooting/updating-debian-and-whonix.md b/troubleshooting/updating-debian-and-whonix.md
index a14f8561..39091d1f 100644
--- a/troubleshooting/updating-debian-and-whonix.md
+++ b/troubleshooting/updating-debian-and-whonix.md
@@ -58,7 +58,7 @@ Sometimes if you see a message such as:
 Could not resolve 'security.debian.org'
 ~~~
 
-It helps to running the following command:
+It helps to run the following command:
 
 ~~~
 nslookup security.debian.org
@@ -135,4 +135,4 @@ Be careful. If the updated file isn't coming from Whonix specific package (some
 How could you find out if the file is coming from a Whonix specific package or not?
 
 * Whonix specific packages are sometimes called `whonix-...`. In the example above it's saying `Setting up ifupdown ...`, so the file isn't coming from a Whonix specific package. In this case, you should press `n` as advised in the paragraph above.
-* If the package name does include `whonix-...`, it's a Whonix specific package. In that case, your safest bet should be pressing `y`, but then you would loose your customized settings. You can re-add them afterwards. Such conflicts will hopefully rarely happen, if you use [Whonix modular flexible .d style configuration folders](https://www.whonix.org/wiki/Whonix_Configuration_Files).
+* If the package name does include `whonix-...`, it's a Whonix specific package. In that case, your safest bet should be pressing `y`, but then you would lose your customized settings. You can re-add them afterwards. Such conflicts will hopefully rarely happen, if you use [Whonix modular flexible .d style configuration folders](https://www.whonix.org/wiki/Whonix_Configuration_Files).

From 2f369c1309080cb1691cf5441ca4c3d46c38c599 Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Fri, 12 May 2017 10:12:02 +1000
Subject: [PATCH 002/103] more minor typo/grammar fixes

---
 building/development-workflow.md              |  2 +-
 building/qubes-builder-details.md             |  4 +-
 common-tasks/managing-appvm-shortcuts.md      |  2 +-
 common-tasks/software-update-vm.md            |  2 +-
 common-tasks/usb.md                           |  2 +-
 configuration/managing-vm-kernel.md           |  4 +-
 customization/bind-dirs.md                    |  6 +-
 customization/dark-theme.md                   |  8 +--
 customization/dispvm-customization.md         |  2 +-
 .../fedora-minimal-template-customization.md  | 26 ++++----
 customization/language-localization.md        |  2 +-
 .../windows-template-customization.md         | 20 +++---
 debugging/vm-interface.md                     |  2 +-
 installing/upgrade/upgrade-to-r3.0.md         |  2 +-
 managing-os/windows/windows-appvms.md         |  2 +-
 reference/dom0-tools/qvm-run.md               |  2 +-
 reference/glossary.md                         |  2 +-
 releases/3.1/release-notes.md                 |  2 +-
 security/yubi-key.md                          |  4 +-
 services/qrexec2.md                           |  2 +-
 services/qrexec3.md                           | 62 +++++++++----------
 system/gui.md                                 |  2 +-
 troubleshooting/install-nvidia-driver.md      | 20 +++---
 troubleshooting/macbook-troubleshooting.md    | 20 +++---
 troubleshooting/nvidia-troubleshooting.md     |  6 +-
 troubleshooting/out-of-memory.md              |  4 +-
 troubleshooting/sony-vaio-tinkering.md        |  6 +-
 troubleshooting/thinkpad-troubleshooting.md   |  2 +-
 troubleshooting/uefi-troubleshooting.md       | 10 +--
 29 files changed, 115 insertions(+), 115 deletions(-)

diff --git a/building/development-workflow.md b/building/development-workflow.md
index 4ddce81f..3f9b2fcd 100644
--- a/building/development-workflow.md
+++ b/building/development-workflow.md
@@ -419,7 +419,7 @@ Remember to also import gpg public key using `rpm --import`.
 
 ### Deb packages - Apt repo
 
-Steps are mostly the same as in case of yum repo. Only details differs:
+Steps are mostly the same as in the case of yum repo. The only details that differ:
 
  - use [linux-deb] instead of [linux-yum] as a base - both in source and target VM
  - use different `update_repo.sh` script in source VM (below)
diff --git a/building/qubes-builder-details.md b/building/qubes-builder-details.md
index 735c4cc5..48e5e7d6 100644
--- a/building/qubes-builder-details.md
+++ b/building/qubes-builder-details.md
@@ -33,8 +33,8 @@ Variables for Windows build:
 -   `WIN_SIGN_CMD` Command used to sign resulting binaries. Note that default value is *sign.bat*. If you don't want to sign binaries, specify some placeholder here (eg. *true*). Check existing components (eg. vmm-xen-windows-pvdrivers) for example scripts. This command will be run with certain environment variables:
     -   `CERT_FILENAME` Path to key file (pfx format)
     -   `CERT_PASSWORD` Key password
-    -   `CERT_PUBLIC_FILENAME` Certificate path in case of self-signed cert
-    -   `CERT_CROSS_CERT_FILENAME` Certificate path in case of correct autheticode cert
+    -   `CERT_PUBLIC_FILENAME` Certificate path in the case of self-signed cert
+    -   `CERT_CROSS_CERT_FILENAME` Certificate path in the case of correct autheticode cert
     -   `SIGNTOOL` Path to signtool
 -   `WIN_PACKAGE_CMD` Command used to produce installation package (msi or msm). Default value is *wix.bat*, similar to above - use *true* if you don't want this command.
 -   `WIN_OUTPUT_HEADERS` Directory (relative to `WIN_SOURCE_SUBDIRS` element) with public headers of the package - for use in other components.
diff --git a/common-tasks/managing-appvm-shortcuts.md b/common-tasks/managing-appvm-shortcuts.md
index 9c8ec8f2..237d9368 100644
--- a/common-tasks/managing-appvm-shortcuts.md
+++ b/common-tasks/managing-appvm-shortcuts.md
@@ -33,7 +33,7 @@ What about applications in DispVMs?
 Behind the scenes
 -----------------
 
-The list of installed applications for each AppVM is stored in dom0's `/var/lib/qubes/vm-templates/templatename/apps.templates` (or in case of StandaloneVM: `/var/lib/qubes/appvms/vmname/apps.templates`). Each menu entry is a file that follows the [.desktop file format](https://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html) with some wildcards (*%VMNAME%*, *%VMDIR%*). Applications selected to appear in the menu are stored in `/var/lib/qubes/appvms/vmname/apps`.
+The list of installed applications for each AppVM is stored in dom0's `/var/lib/qubes/vm-templates/templatename/apps.templates` (or in the case of StandaloneVM: `/var/lib/qubes/appvms/vmname/apps.templates`). Each menu entry is a file that follows the [.desktop file format](https://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html) with some wildcards (*%VMNAME%*, *%VMDIR%*). Applications selected to appear in the menu are stored in `/var/lib/qubes/appvms/vmname/apps`.
 
 Actual command lines for the menu shortcuts involve `qvm-run` command which starts a process in another domain. Examples: `qvm-run -q --tray -a w7s 'cmd.exe /c "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Calculator.lnk"'` or `qvm-run -q --tray -a untrusted 'firefox %u'`
 Note that you can create a shortcut that points to a .desktop file in your AppVM with e.g. `qvm-run -q --tray -a personal -- 'qubes-desktop-run /home/user/application.desktop'`
diff --git a/common-tasks/software-update-vm.md b/common-tasks/software-update-vm.md
index 45492d6b..c1e1a716 100644
--- a/common-tasks/software-update-vm.md
+++ b/common-tasks/software-update-vm.md
@@ -204,7 +204,7 @@ Note on treating AppVM's root filesystem non-persistency as a security feature
 
 As explained above, any AppVM that is based on a Template VM (i.e. which is not a Standalone VM) has its root filesystem non-persistent across the VM reboots. In other words whatever changes the VM makes (or the malware running in this AppVM makes) to its root filesystem, are automatically discarded whenever one restarts the AppVM. This might seem like an excellent anti-malware mechanism to be used inside the AppVM...
 
-However, one should be careful with treating this property as a reliable way to keep the AppVM malware-free. This is because the non-persistency, in case of normal AppVMs, applies only to the root filesystem and not to the user filesystem (on which the `/home`, `/rw`, and `/usr/local` are stored) for obvious reasons. It is possible that malware, especially malware that could be specifically written to target a Qubes-based AppVMs, could install its hooks inside the user home directory files only. Examples of obvious places for such hooks could be: `.bashrc`, the Firefox profile directory which contains the extensions, or some PDF or DOC documents that are expected to be opened by the user frequently (assuming the malware found an exploitable bug in the PDF or DOC reader), and surely many others places, all in the user's home directory.
+However, one should be careful with treating this property as a reliable way to keep the AppVM malware-free. This is because the non-persistency, in the case of normal AppVMs, applies only to the root filesystem and not to the user filesystem (on which the `/home`, `/rw`, and `/usr/local` are stored) for obvious reasons. It is possible that malware, especially malware that could be specifically written to target a Qubes-based AppVMs, could install its hooks inside the user home directory files only. Examples of obvious places for such hooks could be: `.bashrc`, the Firefox profile directory which contains the extensions, or some PDF or DOC documents that are expected to be opened by the user frequently (assuming the malware found an exploitable bug in the PDF or DOC reader), and surely many others places, all in the user's home directory.
 
 One advantage of the non-persistent rootfs though, is that the malware is still inactive before the user's filesystem gets mounted and "processed" by system/applications, which might theoretically allow for some scanning programs (or a skilled user) to reliably scan for signs of infections of the AppVM. But, of course, the problem of finding malware hooks in general is hard, so this would work likely only for some special cases (e.g. an AppVM which doesn't use Firefox, as otherwise it would be hard to scan the Firefox profile directory reliably to find malware hooks there). Also note that the user filesystem's metadata might got maliciously modified by malware in order to exploit a hypothetical bug in the AppVM kernel whenever it mounts the malformed filesystem. However, these exploits will automatically stop working (and so the infection might be cleared automatically) after the hypothetical bug got patched and the update applied (via template update), which is an exceptional feature of Qubes OS.
 
diff --git a/common-tasks/usb.md b/common-tasks/usb.md
index 6411199b..9d267aed 100644
--- a/common-tasks/usb.md
+++ b/common-tasks/usb.md
@@ -307,7 +307,7 @@ steps:
       brackets by `qvm-block` command
     * `phy:/dev/sda` - physical path at which device appears in source qube
       (just after source qube name in `qvm-block` output)
-    * `backend=sys-usb` - name of source qube, can be omitted in case of dom0
+    * `backend=sys-usb` - name of source qube, can be omitted in the case of dom0
     * `xvdi` - "frontend" device name (listed at the end of line in `qvm-block`
       output)
 
diff --git a/configuration/managing-vm-kernel.md b/configuration/managing-vm-kernel.md
index 4f4c675a..6166337b 100644
--- a/configuration/managing-vm-kernel.md
+++ b/configuration/managing-vm-kernel.md
@@ -144,7 +144,7 @@ possible to use VM kernel, which is not packaged by Qubes team. This includes:
 
 To prepare such VM kernel, you need to install `qubes-kernel-vm-support`
 package in dom0 and also have matching kernel headers installed (`kernel-devel`
-package in case of Fedora kernel package). You can install required stuff using `qubes-dom0-update`:
+package in the case of Fedora kernel package). You can install required stuff using `qubes-dom0-update`:
 
 ~~~
 [user@dom0 ~]$ sudo qubes-dom0-update qubes-kernel-vm-support kernel-devel
@@ -326,7 +326,7 @@ When starting the VM you can safely ignore any warnings about a missing module '
 
 ### Troubleshooting
 
-In case of problems, you can access VM console (using `sudo xl console VMNAME` in dom0) to access
+In the event of a problem, you can access VM console (using `sudo xl console VMNAME` in dom0) to access
 GRUB menu. You need to call it just after starting VM (until `GRUB_TIMEOUT`
 expires) - for example in separate dom0 terminal window.
 
diff --git a/customization/bind-dirs.md b/customization/bind-dirs.md
index 8ce2c986..8fc01a62 100644
--- a/customization/bind-dirs.md
+++ b/customization/bind-dirs.md
@@ -8,7 +8,7 @@ redirect_from:
 
 # How to make any file in a TemplateBasedVM persistent using bind-dirs #
 
-## What is bind-dirs? ##
+## What are bind-dirs? ##
 
 With [bind-dirs](https://github.com/QubesOS/qubes-core-agent-linux/blob/master/vm-systemd/bind-dirs.sh)
 any arbitrary files or folders can be made persistent in TemplateBasedVMs.
@@ -49,7 +49,7 @@ Multiple entries are possible, each on a separate line.
 
 6. Done.
 
-If you added for example folder `/var/lib/tor` to the `binds` variable, from now any files within that folder would persist reboots. If you added for example file `/etc/tor/torrc` to the `binds` variable, from now any modifications to that file would persist reboots.
+If you added for example folder `/var/lib/tor` to the `binds` variable, from now on any files within that folder will persist reboots. If you added for example file `/etc/tor/torrc` to the `binds` variable, from now on any modifications to that file will persist reboots.
 
 ## Other Configuration Folders ##
 
@@ -89,7 +89,7 @@ For example, if you wanted to make `/var/lib/tor` non-persistant in `sys-whonix`
 binds=( "${binds[@]/'/var/lib/tor'}" )
 ~~~
 
-(Editing `/usr/lib/qubes-bind-dirs.d/40_qubes-whonix.conf` directly is recommended against, since such changes get lost when that file is changed in the package on upgrades.)
+(Editing `/usr/lib/qubes-bind-dirs.d/40_qubes-whonix.conf` directly is not recommended, since such changes get lost when that file is changed in the package on upgrades.)
 
 ## Discussion ##
 
diff --git a/customization/dark-theme.md b/customization/dark-theme.md
index 5599a848..1c046bb3 100644
--- a/customization/dark-theme.md
+++ b/customization/dark-theme.md
@@ -70,7 +70,7 @@ This is the result after applying the steps described here.
 
         ![result black Qubes Manager](/attachment/wiki/Dark-Theme/kde-black-qubes-manager.png)
 
-**Note:** Chaning the `Window Decorations` from `Plastik for Qubes` will remove the border color and the VM name. The problem with `Plastik for Qubes` is, that it does not overwrite the background and text color for Minimize, Maximize and Close buttons. The three button are therefor hard to read.
+**Note:** Changing the `Window Decorations` from `Plastik for Qubes` will remove the border color and the VM name. The problem with `Plastik for Qubes` is, that it does not overwrite the background and text color for Minimize, Maximize and Close buttons. The three button are therefore hard to read.
 
 Dark XCFE in Dom0
 -----------------
@@ -109,7 +109,7 @@ This is the result after applying the steps described here.
 Dark App VM, Template VM, Standalone VM, HVM (Linux Gnome)
 ==========================================================
 
-Almost all Qubes VM's are based on the Gnome desktop. Therefor the description below is focused on the Gnome Desktop Environment.
+Almost all Qubes VM's are based on the Gnome desktop. Therefore the description below is focused on the Gnome Desktop Environment.
 
 Using "Gnome-Tweak-Tool"
 ------------------------
@@ -120,7 +120,7 @@ The advantage of creating a dark themed Template VM is, that each AppVM which is
 
 1. Start VM
 
-    **Note:** In case of App VM start the Template on which the AppVM is based on.
+    **Note:** In the case of App VM start the Template on which the AppVM is based on.
 
 2. Install `Gnome-Tweak-Tool`
 
@@ -174,7 +174,7 @@ Manually works for Debian, Fedora and Archlinux.
 
 1. Start VM
 
-    **Note:** In case of App VM start the Template on which the AppVM is based on.
+    **Note:** In the case of App VM start the Template on which the AppVM is based on.
 
 2. Enable `Global Dark Theme`
 
diff --git a/customization/dispvm-customization.md b/customization/dispvm-customization.md
index 9c3be657..ff59dcc0 100644
--- a/customization/dispvm-customization.md
+++ b/customization/dispvm-customization.md
@@ -49,7 +49,7 @@ It is possible to change the settings of each new Disposable VM (DispVM). This c
 2.  Change the VM's settings and/or applications, as desired. Note that currently Qubes supports exactly one DispVM template, so any changes you make here will affect all DispVMs. Some examples of changes you may want to make include:
     -   Changing Firefox's default startup settings and homepage.
     -   Changing Nautilus' default file preview settings.
-    -   Changing the DispVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DispVM, you can choose your desired ProxyVM manually (by changing the newly-started DipsVMs settings). This is useful if you sometimes wish to use a DispVM with a TorVM, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DispVM.
+    -   Changing the DispVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DispVM, you can choose your desired ProxyVM manually (by changing the newly-started DispVMs settings). This is useful if you sometimes wish to use a DispVM with a TorVM, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DispVM.
 
 3.  Create an empty `/home/user/.qubes-dispvm-customized` file in the VM (not in dom0):
 
diff --git a/customization/fedora-minimal-template-customization.md b/customization/fedora-minimal-template-customization.md
index 0a186f67..94f05e1b 100644
--- a/customization/fedora-minimal-template-customization.md
+++ b/customization/fedora-minimal-template-customization.md
@@ -17,7 +17,7 @@ Template installation
 
 *Note*: the template may not start in Qubes R3 when using kernel 3.19 (unstable). In this case, switch the AppVM or TemplateVM to the kernel 3.18.
 
-*Note*: If you have doubts about a set of tool or package you want to install, start installing and testing it in an AppVM. You can then reproduce it later in your TemplateVM if you are satisfied. That the (QubesOS?) template philosophy.
+*Note*: If you have doubts about a set of tools or package you want to install, start installing and testing it in an AppVM. You can then reproduce it later in your TemplateVM if you are satisfied. That is the (QubesOS?) template philosophy.
 
 Standard tools installation
 ================
@@ -27,9 +27,9 @@ Administration (documented)
 
 sudo pciutils vim-minimal less tcpdump telnet psmisc nmap nmap-ncat usbutils
 
-*Notes*: nmap can be used to discover a network (nmap -sP [network]), especially if you are inside a Microsoft network, because your AppVM will be protected/NATted behind Qubes firewall (microsoft / home network are heavily using autodiscovery technologies which require to be in the same local network (no firewall/no NAT), eg: your printer.
+*Notes*: nmap can be used to discover a network (nmap -sP [network]), especially if you are inside a Microsoft network, because your AppVM will be protected/NATted behind Qubes firewall (Microsoft / home network are heavily using autodiscovery technologies which require to be in the same local network (no firewall/no NAT), eg: your printer).
 
-Some recommendation here: check your current network using the Network manager applet (eg: 192.168.1.65). Then run nmap in your current AppVM/TemplateVM to search for the selected printer/equipement: nmap -sP 192.168.1.-. Don't forget to allow temporarily the Qubes Firewall if you are inside a TemplateVM.
+Some recommendation here: check your current network using the Network manager applet (eg: 192.168.1.65). Then run nmap in your current AppVM/TemplateVM to search for the selected printer/equipment: nmap -sP 192.168.1.-. Don't forget to temporarily allow traffic via the Qubes Firewall if you are inside a TemplateVM.
 
 Administration (undocumented)
 -------------------------------------------------
@@ -77,7 +77,7 @@ Search for a VPN package for your particular vpn solution
 
 OR
 
-For manual handling of VPN (and because NetworkManager is not available in proxyVMs, check the Qubes-users mail threads on google group
+For manual handling of VPN (and because NetworkManager is not available in proxyVMs, check the Qubes-users mail threads on google group)
 
 (cprise started a good one on openvpn: [OPENVPNSETUP] "[qubes-users] OpenVPN Setup, Revisited Again!")
 
@@ -95,11 +95,11 @@ Manual operations
 
 - Don't forget to restart your TemplateVM or only the cups service when you installed cups (systemctl start cups)
 
-- First you need to search for your printer. If you don't know its name or IP, search for it using nmap: check your current network using the Network manager applet (eg: 192.168.1.65). Then run nmap in your current AppVM/TemplateVM to search for the selected printer/equipement: nmap -sP 192.168.1.-. Don't forget to allow temporarily the Qubes Firewall if you are inside a TemplateVM.
+- First you need to search for your printer. If you don't know its name or IP, search for it using nmap: check your current network using the Network manager applet (eg: 192.168.1.65). Then run nmap in your current AppVM/TemplateVM to search for the selected printer/equipement: nmap -sP 192.168.1.-. Don't forget to temporarily allow traffic via the Qubes Firewall if you are inside a TemplateVM.
 
 - Once you identified your printer, run system-config-printer GUI to install your printer
 
-- You man need to cancel the operation to install more adapted printer drivers (eg: if the driver cannot be found automatically). Use yum search printername to find potential drivers (eg yum search photosmart)
+- You may need to cancel the operation to install more adapted printer drivers (eg: if the driver cannot be found automatically). Use yum search printername to find potential drivers (eg yum search photosmart)
 
 GUI recommendations
 =============
@@ -135,13 +135,13 @@ Miscellaneous packages
 GUI themes
 -----------------
 
-Managing GUI theme / appearance is often complex because when you do not want to depends on a specific desktop system.
+Managing GUI theme / appearance is often complex because when you do not want to depend on a specific desktop system.
 
 For this reason, we need to customize themes for each GUI framework that our application depends on.
 
 This often includes GTK2, GTK3 (which us a different configuration/themes than GTK2), Qt.
 
-The apparance of Windows can only be changed in dom0, however, the appearance of all buttons, menus, icons, widgets are specific to each AppVM.
+The appearance of Windows can only be changed in dom0, however, the appearance of all buttons, menus, icons, widgets are specific to each AppVM.
 
 ### Packages
 
@@ -155,7 +155,7 @@ You can check your currently installed theme packages (to eventually remove them
 
 ### Tweaking theme and appearance
 
-First you can get an insight of installed Gtk theme and see how it will appears using lxappearance.
+First you can get an insight of installed Gtk theme and see how it will appear using lxappearance.
 
 I recommend not applying settings using lxappearance (do not click on apply) because it will create multiple configuration files.
 
@@ -176,12 +176,12 @@ Cleaning the whole dconf settings is also possible by removing the following fil
 rm ~/.config/dconf/user
 ~~~
 
-*Note*: lxappearance only have effect on gtk3 theme so it won't work to change gtk2 themes (used by Firefox, Thunderbird ...).
+*Note*: lxappearance only has an effect on gtk3 theme so it won't work to change gtk2 themes (used by Firefox, Thunderbird ...).
              However, it is very lightweight and can be used to identify the name and look of themes you are interested in.
              Once you have the name, you can apply it using gsetting command line or gconf-editor.
 
-*Note*: if you really want a GUI theme editor, you can install gnome-tweak-tools, but this tool have a lot
-            of gnome dependencies (~150MB of dependencies). Eventually install it and uninstall it as soon as you changed your theme.
+*Note*: if you really want a GUI theme editor, you can install gnome-tweak-tools, but this tool has a lot
+            of gnome dependencies (~150MB of dependencies). You can install it and uninstall it as soon as you change your theme.
 
 #### Testing notes
 
@@ -258,7 +258,7 @@ Getting an uniform look for Qt & GTK is not achieved yet. A good source is on th
 Two case:
 
 1. You installed packages of the theme you selected both for Qt, GTK2 and GTK3.
-    (eg: Adwaita which is the default theme. I did not found another cross framework theme on fedora default packages).
+    (eg: Adwaita which is the default theme. I have not found another cross framework theme on fedora default packages).
 
 2. You want to use the GTK theme you selected for Qt but there is no qt package.
     In this case QGtkStyle will take precedence and convert the style automatically.
diff --git a/customization/language-localization.md b/customization/language-localization.md
index 81f327fb..fa95faf5 100644
--- a/customization/language-localization.md
+++ b/customization/language-localization.md
@@ -18,7 +18,7 @@ How to set up pinyin input in Qubes
 
 2. Close and shut down the TemplateVM. 
 
-3. Restart an AppVM which based on the template you installed `ibus-pinyin` and open a terminal.
+3. Restart an AppVM which is based on the template you installed `ibus-pinyin` in, and open a terminal.
  
 4. Run `ibus-setup`
 
diff --git a/customization/windows-template-customization.md b/customization/windows-template-customization.md
index 78387a09..1503b063 100644
--- a/customization/windows-template-customization.md
+++ b/customization/windows-template-customization.md
@@ -25,14 +25,14 @@ Only keep:
 
 *Note*: Windows search is recommended because it is a nightmare to find something in menus if it is not enabled (it removes the search bar from the start menu, from the explorer, and from the control panel).
 
-*Note*: Unselecting windows media, .Net and Internet Explorer will uninstall these components. on a new install it is generally old versions anyway and it will be quicker to install directly the new versions later.
+*Note*: Unselecting windows media, .Net and Internet Explorer will uninstall these components. On a new install they are generally old versions anyway and it will be quicker to install directly the new versions later.
 
 Windows services
 ---------------------------
 
 Disable the following services that are not required or have no sense in a VM context:
 
- * Base Filtering Engine (only required if your want to use Microsoft IPSEC)
+ * Base Filtering Engine (only required if you want to use Microsoft IPSEC)
  * DHCP Client
  * Function Discovery Provider Host
 
@@ -53,7 +53,7 @@ Disable the following services that are not required or have no sense in a VM co
 Windows update
 --------------------------
 
-I recommend disabling windows update (Never Check for Update) because checking for updates will start every time you start an AppVM if you don't started your template after some days.
+I recommend disabling windows update (Never Check for Update) because checking for updates will start every time you start an AppVM if you haven't started your template in a while.
 
 Running windows update is also apparently IO hungry.
 
@@ -64,8 +64,8 @@ System properties
 
 Right click on computer and go to Properties > Advanced > Performances:
 
- * If your don't care about visual effect, in Visual Effect select "Adjust for best performance"
- * I personally tweak the page file size to win some place on my root.
+ * If you don't care about visual effect, in Visual Effect select "Adjust for best performance"
+ * I personally tweak the page file size to win some space on my root.
 
     In Advanced>Performances>Advanced tab, change Virtual memory:
 
@@ -75,16 +75,16 @@ Right click on computer and go to Properties > Advanced > Performances:
         4. click on set
         5. click on drive d:
         6. select customer size
-        7. use an initial size of 500 and a max size of 1000. If the page file is too small, you will notify a low memory pop up when working on windows. In this case, it often means that you should extend your AppVM RAM.
+        7. use an initial size of 500 and a max size of 1000. If the page file is too small, you will notice a low memory pop up when working on windows. In this case, it often means that you should extend your AppVM RAM.
 
  * System Protection
 
-    Here you can disable Shadow Folder because it has little sense in case of Qubes because
+    Here you can disable Shadow Folder because it has little sense in the case of Qubes because
 
-      * we do backup regularly of AppVMs/TemplateVMs;
+      * we do regular backups of AppVMs/TemplateVMs;
       * we can revert at least one template change if we break something.
 
-    Select drives where system protection is enabled and click Configure. "Turn of system protection" "Delete all restore points"
+    Select drives where system protection is enabled and click Configure. "Turn off system protection" "Delete all restore points"
 
  * Remote
 
@@ -157,7 +157,7 @@ Manual tasks that can/should be started in the template
 
             > mv root.img.clean root.img
 
-    * If don't managed to fill the free space with zeros, you can follow the following  *unsafe* undocumented procedure
+    * If it doesn't manage to fill the free space with zeros, you can follow the following *unsafe* undocumented procedure
 
         1. from dom0, go to /var/lib/templates-vm/yourtemplate
         2. check the partitioning to identify the filesystem offset of root.img
diff --git a/debugging/vm-interface.md b/debugging/vm-interface.md
index 8524737b..bfb19458 100644
--- a/debugging/vm-interface.md
+++ b/debugging/vm-interface.md
@@ -175,7 +175,7 @@ Other Qrexec services installed by default:
   `tar2qfile` utility to do the conversion
 - `qubes.SelectDirectory`, `qubes.SelectFile` - services which should show
   file/directory selection dialog and return (to stdout) a single line
-  containing selected path, or nothing in case of cancellation
+  containing selected path, or nothing in the case of cancellation
 - `qubes.SuspendPre` - service called in every VM with PCI device attached just
   before system suspend
 - `qubes.SuspendPost` - service called in every VM with PCI device attached just
diff --git a/installing/upgrade/upgrade-to-r3.0.md b/installing/upgrade/upgrade-to-r3.0.md
index 223fd63c..341eaba6 100644
--- a/installing/upgrade/upgrade-to-r3.0.md
+++ b/installing/upgrade/upgrade-to-r3.0.md
@@ -100,7 +100,7 @@ Now, when you have dom0 upgraded, you can install new templates from Qubes R3.0
 Upgrading template on already upgraded dom0
 -------------------------------------------
 
-If for some reason you did not upgrade all the templates and standalone VMs before upgrading dom0, you can still do this, but it will be somewhat more complicated. This can be a case when you restore backup done on Qubes R2.
+If for some reason you did not upgrade all the templates and standalone VMs before upgrading dom0, you can still do this, but it will be somewhat more complicated. This can be the case when you restore backup done on Qubes R2.
 
 When you start R2 template/standalone VM on R3.0, there will be some limitations:
 
diff --git a/managing-os/windows/windows-appvms.md b/managing-os/windows/windows-appvms.md
index 43712c6a..bb1bbf4e 100644
--- a/managing-os/windows/windows-appvms.md
+++ b/managing-os/windows/windows-appvms.md
@@ -102,7 +102,7 @@ Also, the inter-VM services work as usual -- e.g. to request opening a document
 [user@work ~]$ qvm-open-in-vm work-win7 https://invisiblethingslab.com
 ~~~
 
-... just like in case of Linux AppVMs. Of course all those operations are governed by central policy engine running in Dom0 -- if the policy doesn't contain explicit rules for the source and/or target AppVM, the user will be asked for decision whether to allow or deny the operation.
+... just like in the case of Linux AppVMs. Of course all those operations are governed by central policy engine running in Dom0 -- if the policy doesn't contain explicit rules for the source and/or target AppVM, the user will be asked for decision whether to allow or deny the operation.
 
 Inter-VM file copy and clipboard works for Windows AppVMs the same way as for Linux AppVM (except that we don't provide a command line wrapper, `qvm-copy-to-vm` in Windows VMs) -- to copy files from Windows AppVMs just right-click on the file in Explorer, and choose: Send To-\> Other AppVM.
 
diff --git a/reference/dom0-tools/qvm-run.md b/reference/dom0-tools/qvm-run.md
index eb7e8b8c..e24d6c8e 100644
--- a/reference/dom0-tools/qvm-run.md
+++ b/reference/dom0-tools/qvm-run.md
@@ -43,7 +43,7 @@ Run command in a VM as a specified user
 Use tray notifications instead of stdout
 
 --all  
-Run command on all currently running VMs (or all paused, in case of --unpause)
+Run command on all currently running VMs (or all paused, in the case of --unpause)
 
 --exclude=EXCLUDE\_LIST  
 When --all is used: exclude this VM name (might be repeated)
diff --git a/reference/glossary.md b/reference/glossary.md
index 817c7190..214662b2 100644
--- a/reference/glossary.md
+++ b/reference/glossary.md
@@ -32,7 +32,7 @@ A user-friendly term for a [VM](#vm) in Qubes OS.
 
  * "Qube" is an informal term intended to make it easier for less technical users to understand Qubes OS and learn how to use it. In technical discussions, the other, more precise terms defined on this page are to be preferred.
 
- * The term "qube" should be lowercase unless it is the first word in a sentence. Note that starting a sentence with the plural of "qube" (i.e., "Qubes...") can be ambiguous, since it may not be clear whether the referent is a collection of qubes or [Qubes OS](#qubes-os).
+ * The term "qube" should be lowercase unless it is the first word in a sentence. Note that starting a sentence with the plural of "qube" (i.e., "Qubes...") can be ambiguous, since it may not be clear whether the reference is a collection of qubes or [Qubes OS](#qubes-os).
 
 Domain
 ------
diff --git a/releases/3.1/release-notes.md b/releases/3.1/release-notes.md
index 657f06f3..3a116e11 100644
--- a/releases/3.1/release-notes.md
+++ b/releases/3.1/release-notes.md
@@ -32,7 +32,7 @@ Known issues
 
 * Some icons in the Qubes Manager application might not be drawn correctly when using the Xfce4 environment in Dom0. If this bothers you, please use the KDE environment instead.
 
-* USB mouse (in case of USB VM) does not work at first system startup (just after completing firstboot). Workaround: restart the system.
+* USB mouse (in the case of USB VM) does not work at first system startup (just after completing firstboot). Workaround: restart the system.
 
 * For other known issues take a look at [our tickets](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Release+3.1%22+label%3Abug)
 
diff --git a/security/yubi-key.md b/security/yubi-key.md
index 1635f181..77f512a3 100644
--- a/security/yubi-key.md
+++ b/security/yubi-key.md
@@ -105,7 +105,7 @@ the ability to lock the screen to your USB VM, and then adding udev hook to
 actually call that service.
 
 1. First configure the qrexec service. Create `/etc/qubes-rpc/custom.LockScreen` (in dom0)
-  with a simple command to lock the screen. In case of xscreensaver (used in Xfce)
+  with a simple command to lock the screen. In the case of xscreensaver (used in Xfce)
   it would be:
 
         DISPLAY=:0 xscreensaver-command -lock
@@ -131,7 +131,7 @@ persistent across VM restarts. For example name the file
 
 If you use KDE, the command(s) in first step would be different:
 
-        # In case of USB VM being autostarted, it will not have direct access to D-Bus
+        # In the case of USB VM being autostarted, it will not have direct access to D-Bus
         # session bus, so find its address manually:
         kde_pid=`pidof kdeinit4`
         export `cat /proc/$kde_pid/environ|grep -ao 'DBUS_SESSION_BUS_ADDRESS=[[:graph:]]*'`
diff --git a/services/qrexec2.md b/services/qrexec2.md
index d9f7bdc6..6fc85e9c 100644
--- a/services/qrexec2.md
+++ b/services/qrexec2.md
@@ -127,7 +127,7 @@ Whenever a RPC request for service named "XYZ" is received, the first line
 in `/etc/qubes-rpc/policy/XYZ` that matches the actual `srcvm`/`destvm` is
 consulted to determine whether to allow RPC, what user account the program
 should run in target VM under, and what VM to redirect the execution to. If
-the policy file does not exits, user is prompted to create one *manually*;
+the policy file does not exist, user is prompted to create one *manually*;
 if still there is no policy file after prompting, the action is denied.
 
 On the target VM, the `/etc/qubes-rpc/XYZ` must exist, containing the file
diff --git a/services/qrexec3.md b/services/qrexec3.md
index bb8b6a92..92e87989 100644
--- a/services/qrexec3.md
+++ b/services/qrexec3.md
@@ -140,7 +140,7 @@ whether to allow rpc, what user account the program should run in target VM
 under, and what VM to redirect the execution to. Note that if the request is
 redirected (`target=` parameter), policy action remains the same - even if
 there is another rule which would otherwise deny such request. If the policy
-file does not exits, user is prompted to create one; if still there is no
+file does not exist, user is prompted to create one; if still there is no
 policy file after prompting, the action is denied.
 
 In the target VM, the `/etc/qubes-rpc/RPC_ACTION_NAME` must exist, containing
@@ -152,7 +152,7 @@ In the src VM, one should invoke the client via:
     /usr/lib/qubes/qrexec-client-vm target_vm_name RPC_ACTION_NAME rpc_client_path client arguments
 
 Note that only stdin/stdout is passed between rpc server and client --
-notably, no command line argument are passed. Source VM name is specified by
+notably, no command line arguments are passed. Source VM name is specified by
 `QREXEC_REMOTE_DOMAIN` environment variable. By default, stderr of client
 and server is logged to respective `/var/log/qubes/qrexec.XID` files.
 It is also possible to call service without specific client program - in which
@@ -162,17 +162,17 @@ case server stdin/out will be connected with the terminal:
 
 Be very careful when coding and adding a new rpc service. Unless the
 offered functionality equals full control over the target (it is the case
-with e.g. `qubes.VMShell` action), any vulnerability in a rpc server can
+with e.g. `qubes.VMShell` action), any vulnerability in an rpc server can
 be fatal to Qubes security. On the other hand, this mechanism allows to
 delegate processing of untrusted input to less privileged (or disposable)
 AppVMs, thus wise usage of it increases security.
 
 ### Extra keywords available in Qubes 4.0 and later
 
-**This section is about not yet released version, some details may change**
+**This section is about a not-yet-released version, some details may change**
 
 In Qubes 4.0, target VM can be specified also as `$dispvm:DISP_VM`, which is
-very similar to `$dispvm` but force using particular VM (`DISP_VM`) as a base
+very similar to `$dispvm` but forces using a particular VM (`DISP_VM`) as a base
 VM to be started as Disposable VM. For example:
 
     anon-whonix $dispvm:anon-whonix-dvm allow
@@ -180,7 +180,7 @@ VM to be started as Disposable VM. For example:
 Adding such policy itself will not force usage of this particular `DISP_VM` -
 it will only allow it when specified by the caller. But `$dispvm:DISP_VM` can
 also be used as target in request redirection, so _it is possible_ to force
-particular `DISP_VM` usage, when caller didn't specified it:
+particular `DISP_VM` usage, when caller didn't specify it:
 
     anon-whonix $dispvm allow,target=$dispvm:anon-whonix-dvm
 
@@ -189,52 +189,52 @@ VM (`default_dispvm` VM property, which itself defaults to global
 `default_dispvm` property).
 Also note that the request will be allowed (`allow` action) even if there is no
 second rule allowing calls to `$dispvm:anon-whonix-dvm`, or even if
-there is a rule explicitly denying it. This is because the redirection happen
+there is a rule explicitly denying it. This is because the redirection happens
 _after_ considering the action.
 
 ### Service argument in policy
 
 Sometimes just service name isn't enough to make reasonable qrexec policy. One
-example of such situation is [qrexec-based USB
+example of such a situation is [qrexec-based USB
 passthrough](https://github.com/qubesos/qubes-issues/issues/531) - using just
-service name it isn't possible to express policy "allow access to device X and
-deny to others". It isn't also feasible to create separate service for every
+service name isn't possible to express the policy "allow access to device X and
+deny to others". It also isn't feasible to create a separate service for every
 device...
 
-For this reason, starting with Qubes 3.2, it is possible to specify service
-argument, which will be subject to policy. Besides above example of USB
-passthrough, service argument can make many service policies more fine-grained
+For this reason, starting with Qubes 3.2, it is possible to specify a service
+argument, which will be subject to policy. Besides the above example of USB
+passthrough, a service argument can make many service policies more fine-grained
 and easier to write precise policy with "allow" and "deny" actions, instead of
 "ask" (offloading additional decisions to the user). And generally the less
-choices user must make, the lower chance to make a mistake.
+choices the user must make, the lower the chance to make a mistake.
 
-The syntax is simple: when calling service, add an argument to the service name
+The syntax is simple: when calling a service, add an argument to the service name
 separated with `+` sign, for example:
 
     /usr/lib/qubes/qrexec-client-vm target_vm_name RPC_ACTION_NAME+ARGUMENT
 
-Then create policy as usual, including argument
-(`/etc/qubes-rpc/policy/RPC_ACTION_NAME+ARGUMENT`). If policy for specific
-argument is not set (file does not exist), then default policy for this service
+Then create a policy as usual, including the argument
+(`/etc/qubes-rpc/policy/RPC_ACTION_NAME+ARGUMENT`). If the policy for the specific
+argument is not set (file does not exist), then the default policy for this service
 is loaded (`/etc/qubes-rpc/policy/RPC_ACTION_NAME`).
 
-In target VM (when the call is allowed) service file will searched as:
+In target VM (when the call is allowed) the service file will searched as:
 
  - `/etc/qubes-rpc/RPC_ACTION_NAME+ARGUMENT`
  - `/etc/qubes-rpc/RPC_ACTION_NAME`
 
 In any case, the script will receive `ARGUMENT` as its argument and additionally as
 `QREXEC_SERVICE_ARGUMENT` environment variable. This means it is also possible
-to install different script for particular service argument.
+to install a different script for a particular service argument.
 
-See below for example service using argument.
+See below for an example service using an argument.
 
 ### Revoking "Yes to All" authorization ###
 
 Qubes RPC policy supports "ask" action. This will prompt the user whether given
-RPC call should be allowed. That prompt window has also "Yes to All" option,
-which will allow the action and add new entry to the policy file, which will
-unconditionally allow further calls for given service-srcVM-dstVM tuple.
+RPC call should be allowed. That prompt window also has a "Yes to All" option,
+which will allow the action and add a new entry to the policy file, which will
+unconditionally allow further calls for the given service-srcVM-dstVM tuple.
 
 In order to remove such authorization, issue this command from a dom0 terminal
 (for `qubes.Filecopy` service):
@@ -247,7 +247,7 @@ the "Yes to All" results.
 
 ### Qubes RPC example ###
 
-We will show the necessary files to create rpc call that adds two integers
+We will show the necessary files to create an rpc call that adds two integers
 on the target and returns back the result to the invoker.
 
  * rpc client code (`/usr/bin/our_test_add_client`):
@@ -281,11 +281,11 @@ and we should get "3" as answer, after dom0 allows it.
 
 ### Qubes RPC example - with argument usage ###
 
-We will show the necessary files to create rpc call that reads specific file
-from predefined directory on the target. Besides really naive storage, it may
-be very simple password manager.
-Additionally in this example simplified workflow will be used - server code
-placed directly in service definition file (in `/etc/qubes-rpc` directory). And
+We will show the necessary files to create an rpc call that reads a specific file
+from a predefined directory on the target. Besides really naive storage, it may
+be a very simple password manager.
+Additionally, in this example a simplified workflow will be used - server code
+placed directly in the service definition file (in `/etc/qubes-rpc` directory). And
 no separate client script will be used.
 
  * rpc server code (*/etc/qubes-rpc/test.File*)
@@ -297,7 +297,7 @@ no separate client script will be used.
          exit 1
        fi
        # service argument is already sanitized by qrexec framework and it is
-       # quaranted to not contain any space or /, so no need for additional path
+       # guaranteed to not contain any space or /, so no need for additional path
        # sanitization
        cat "/home/user/rpc-file-storage/$argument"
 
diff --git a/system/gui.md b/system/gui.md
index 6a365b03..ceee7e42 100644
--- a/system/gui.md
+++ b/system/gui.md
@@ -43,7 +43,7 @@ Window content updates implementation
 
 Typical remote desktop applications, like *vnc*, pass information on all changed window content in-band (say, over tcp). 
 As that channel has limited throughput, this impacts video performance. 
-In case of Qubes, *qubes_gui* does not transfer all changed pixels via vchan. Instead, for each window, upon its creation or size change, *qubes_gui*
+In the case of Qubes, *qubes_gui* does not transfer all changed pixels via vchan. Instead, for each window, upon its creation or size change, *qubes_gui*
 
 -   asks *qubes_drv* driver for the list of physical memory frames that hold the composition buffer of a window
 -   passes this information via `MFNDUMP` message to *qubes_guid* in dom0
diff --git a/troubleshooting/install-nvidia-driver.md b/troubleshooting/install-nvidia-driver.md
index f3b946e5..cc287745 100644
--- a/troubleshooting/install-nvidia-driver.md
+++ b/troubleshooting/install-nvidia-driver.md
@@ -18,9 +18,9 @@ Proprietary (NVIDIA/AMD) drivers are known to be sometimes highly problematic, o
 Radeon driver support is prebaked in the Qubes kernel (v4.4.14-11) but only versions 4000-9000 give or take.
 Support for newer cards is limited until AMDGPU support in the 4.5+ kernel, which isn't released yet for Qubes. 
 
-Built in Intel graphics, Radeon graphics (between that 4000-9000 range), and perhaps some prebaked NVIDIA card support that i don't know about. Those are your best bet for great Qubes support.
+Built in Intel graphics, Radeon graphics (between that 4000-9000 range), and perhaps some prebaked NVIDIA card support that I don't know about. Those are your best bet for great Qubes support.
 
-If you do happen to get proprietary drivers working on your Qubes system (via installing them). Please take the time to go to the 
+If you do happen to get proprietary drivers working on your Qubes system (via installing them), please take the time to go to the
 [Hardware Compatibility List (HCL)](https://www.qubes-os.org/doc/hcl/#generating-and-submitting-new-reports )
 Add your computer, graphics card, and installation steps you did to get everything working.
 
@@ -39,14 +39,14 @@ yumdownloader --source nvidia-kmod
 
 ### Build kernel package
 
-You will need at least kernel-devel (matching your Qubes dom0 kernel), rpmbuild tool and kmodtool, and then you can use it to build package:
+You will need at least kernel-devel (matching your Qubes dom0 kernel), rpmbuild tool and kmodtool, and then you can use it to build the package:
 
 ~~~
 yum install kernel-devel rpm-build kmodtool
 rpmbuild --nodeps -D "kernels `uname -r`" --rebuild nvidia-kmod-260.19.36-1.fc13.3.src.rpm
 ~~~
 
-In above command replace `uname -r` with kernel version from your Qubes dom0. If everything went right, you have now complete packages with nvidia drivers for Qubes system. Transfer them to dom0 (e.g. using a USB stick) and install (using standard "yum install /path/to/file"). 
+In the above command, replace `uname -r` with kernel version from your Qubes dom0. If everything went right, you have now complete packages with nvidia drivers for the Qubes system. Transfer them to dom0 (e.g. using a USB stick) and install (using standard "yum install /path/to/file").
 
 Then you need to disable nouveau (normally it is done by install scripts from nvidia package, but unfortunately it isn't compatible with Qubes...):
 
@@ -92,13 +92,13 @@ You will need:
 -   kernel-devel package installed
 -   gcc, make, etc
 
-This installation must be done manually, because nvidia-installer refused to install it on Xen kernel. Firstly ensure that kernel-devel package installed all needed files. This should consists of:
+This installation must be done manually, because nvidia-installer refused to install it on Xen kernel. Firstly ensure that kernel-devel package installed all needed files. This should consist of:
 
 -   */usr/src/kernels/2.6.34.1-12.xenlinux.qubes.x86\_64*
 -   */lib/modules/2.6.34.1-12.xenlinux.qubes.x86\_64/build* symlinked to the above directory
 -   */usr/src/kernels/2.6.34.1-12.xenlinux.qubes.x86\_64/arch/x64/include/mach-xen* should be present (if not - take it from kernel sources)
 
-If all the files are not there correct the errors manually. To build kernel module, enter *NVIDIA-Linux-x86\_64-260.19.44/kernel* directory and execute:
+If all the files are not there correct the errors manually. To build the kernel module, enter *NVIDIA-Linux-x86\_64-260.19.44/kernel* directory and execute:
 
 ~~~
 make
@@ -120,7 +120,7 @@ Add *rdblacklist=nouveau* option to /boot/grub/menu.lst (at the end of line cont
 
 ### Configure Xorg
 
-After all, you should configure Xorg to use nvidia driver. You can use *nvidia-xconfig* or do it manually:
+Finally, you should configure Xorg to use nvidia driver. You can use *nvidia-xconfig* or do it manually:
 
 ~~~
 X -configure
@@ -143,7 +143,7 @@ Specifically, the notes below are aimed to help when the GRUB menu shows up fine
    * Using the anaconda installer interface, switch to the "shell" TTY (ALT-F2), and use `ip a` command to display the IP addresses.
 3. Using the Connect to the IP (remember the :1) using a VNC viewer.
 4. Follow the installation UI. 
-   * Since this won't be a usable install, skipping LUKS encryption is an option which will simplify this troubelshooting process. 
+   * Since this won't be a usable install, skipping LUKS encryption is an option which will simplify this troubleshooting process.
    * Do *not* reboot at the end of the installation.
 5. Once the installation completes, use the local VGA console switch to TTY2 via ALT-F2
    * Switch to the chroot of the newly-installed system via `chroot /mnt/sysinstall`
@@ -152,7 +152,7 @@ Specifically, the notes below are aimed to help when the GRUB menu shows up fine
    * Exit out of the chroot environment (`exit` or CTRL-D)
 6. Reboot
 
-*Note* If the kernel parameters do *not* include `quiet` and `rhgb`, the kernel messages can easily obscure the LUKS passphrase prompt. Additionally, each character entered will cause the LUKS passphrase prompt to repeat onto next line. Both of these are cosmetic. The trade-off between kernel messages and the easy-to-spot LUKS passphrase prompt is left as excercise to the user.
+*Note* If the kernel parameters do *not* include `quiet` and `rhgb`, the kernel messages can easily obscure the LUKS passphrase prompt. Additionally, each character entered will cause the LUKS passphrase prompt to repeat onto next line. Both of these are cosmetic. The trade-off between kernel messages and the easy-to-spot LUKS passphrase prompt is left as exercise to the user.
 
 ## Gather initial `dmesg` output
 If all is well, the newly-installed Qubes OS instance should allow for user root to log in. 
@@ -166,7 +166,7 @@ Run `dmesg > dmesg.nomodeset.out` to gather an initial dmesg output.
 4. Blindly log in as user root
 5. Blindly run `dmesg > dmesg.out`
 6. Blindly run `reboot` (this will also serve to confirm that logging in as root, and running commands blindly is possible rather than, say, the kernel having hung or some such).
-   * Should this step fail, perhaps by the time step #3 was underaken, the OS hasn't finished coming up yet. Please retry, possibly with a different TTY (say, 3 or 4 - so CTRL-ALT-F3?)
+   * Should this step fail, perhaps by the time step #3 was undertaken, the OS hasn't finished coming up yet. Please retry, possibly with a different TTY (say, 3 or 4 - so CTRL-ALT-F3?)
 
 ## Exfiltrate the dmesg outputs
 Allow the system to boot normally, log in as user root, and sneakernet the files off the system for analysis, review, bug logging, et cetera.
diff --git a/troubleshooting/macbook-troubleshooting.md b/troubleshooting/macbook-troubleshooting.md
index e59c1648..2391d7e2 100644
--- a/troubleshooting/macbook-troubleshooting.md
+++ b/troubleshooting/macbook-troubleshooting.md
@@ -118,7 +118,7 @@ Results:
 * SD card access: OK (tested at dom0)
 * Lid-close suspend: OK
 * Wifi: +10%-20% ICMP packet loss when comparing with OSX (have similar rates
-  with tails Linux, more tests are required)
+  with Tails Linux, more tests are required)
 
 ### References
 
@@ -151,7 +151,7 @@ Bad news: still some minor issue to investigate.
 For the time being, my setup is just for testing purposes and help to bypass some blocking issues: do not use it in production or on machine where security is a concern!
 I hope to improve it as soon as possible.
 
-During my nigths trying to get Qubes OS working, I faced tow main and blocking issues:
+During my nights trying to get Qubes OS working, I faced two main and blocking issues:
 *   no boot, due to empty xen.cfg file
 *   system freeze, due to Broadcom BCM43602 wifi card
 
@@ -180,29 +180,29 @@ For security reasons, you should install Qubes using the whole disk. I preferred
 Download and prepare a USB with Qubes 3.2
 
 You can install Qubes using BIOS or UEFI:
-*  BIOS/CSM/Legacy: I have not been able to install using legagy, but I did not spent a lot of time on it.
-*  UEFI plain: grub menu appears, but any gave me a quick flash and returned the main menu. I can boot it manually fixing the grub.cfg file, adding commands linuexefi and initrdefi, pointing proper files in /efi/boot. After boot, I end up with not root file system.
+*  BIOS/CSM/Legacy: I have not been able to install using legagy, but I did not spend a lot of time on it.
+*  UEFI plain: grub menu appears, but any gave me a quick flash and returned the main menu. I can boot it manually fixing the grub.cfg file, adding commands linuexefi and initrdefi, pointing proper files in /efi/boot. After boot, I end up with no root file system.
 *  UEFI, using rEFInd: I have been successful, despite some issues to be fixed manually, after installation completion
    * download [rEFInd] refind-bin-0.10.4.zip: this file is not signed, so decide if you trust it or not. SHA1 sum is 3d69c23b7d338419e5559a93cd6ae3ec66323b1e  
-   * unzip it and run installer, which install rEFIind on the internal SSD
+   * unzip it and run installer, which installs rEFIind on the internal SSD
    * if installation fails due to SIP, reboot in recovery mode, open a terminal and issue command
    ~~~
    crsutil disable
    ~~~
    * reboot and you will see some icons
    * choose Boot EFI\BOOT\xen.efi from ANACONDA
-   * after a will the graphical installer is up and running, with keyboard and touchpad working
+   * after a while the graphical installer is up and running, with keyboard and touchpad working
 
 ### 3. Installation
 
-*  As a general rule, keep the default values proposed during installation: you will change them later on
+*  As a general rule, keep the default values proposed during installation: you can change them later on
 *  Keep English, as language, locale
 *  My macbook has a US keyboard, so I cannot say what happens if you change keyboard layout
 *  DO NOT CHANGE the timezone, because it will trigger the wifi card, leading to a system freeze
 *  Choose the "installation destination": do not change anything and press DONE button
 *  Insert your password for Full Disk Encryption
 *  If you do not already have free space on internal SSD disk, you will be prompted to reclaim some space: 
-*  If you shrunk OSX partition, disk utility left an empy partition: delete useless partition (eg: if you shrunk OSX parition, diskutil  created an empty partition)
+*  If you shrunk OSX partition, disk utility left an empy partition: delete useless partition (eg: if you shrunk OSX parition, diskutil created an empty partition)
 *  Press on "reclaim space"
 *  Press on "begin installation"
 *  create your user and password
@@ -285,7 +285,7 @@ You can fix this issue, killing audio support with this quick workaround:
 
 ### 7. Fix system freezes due to Broadcom BCM43602
 
-*  If you experiences a system freeze, during VM setup, force a reboot and press OPTION key. 
+*  If you experience a system freeze, during VM setup, force a reboot and press OPTION key.
    *  You will reach grub shell
    ~~~
    configfile /EFI/qubes/grub.cfg
@@ -316,7 +316,7 @@ qvm-start sys-net
 xl pci-attach sys-net 04:00.0
 ~~~
 
-This latest steps are required to launch sys-net with wifi access. They can be automated in a custom systemd service
+These latest steps are required to launch sys-net with wifi access. They can be automated in a custom systemd service
 
    
 
diff --git a/troubleshooting/nvidia-troubleshooting.md b/troubleshooting/nvidia-troubleshooting.md
index ffbadb1e..af54891a 100644
--- a/troubleshooting/nvidia-troubleshooting.md
+++ b/troubleshooting/nvidia-troubleshooting.md
@@ -95,7 +95,7 @@ nouveau E[ PGRAPH][0000:01:00.0] init failed, -16
 
 Tip: In case you only have an external monitor it is advised to attach it directly to a connector of the motherboard if it is present, this should ensure that you're using the integrated graphics card instead of the nvidia graphics card.
 
-If you're seeing this error than that means another graphics card (most likely an integrated one) acted as failsafe. Disabling nouveau has the consequences of disabling nvidia support all together. 
+If you're seeing this error then that means another graphics card (most likely an integrated one) acted as failsafe. Disabling nouveau has the consequences of disabling nvidia support altogether.
 
  1. Verify that that GRUB Boot Menu is displaying, you should be presented with two options and a progressbar/timer than goes rather fast.
 
@@ -116,7 +116,7 @@ If you're seeing this error than that means another graphics card (most likely a
     
     It is not an exact copy as it may differ from system to system.
 
-    Please note: chose the module that starts with `vmlinux`!
+    Please note: choose the module that starts with `vmlinux`!
 
  5. Press the left/right arrow keys to position the cursor at the end of kernel options line, after `rhgb quiet` in this case.
 
@@ -126,7 +126,7 @@ If you're seeing this error than that means another graphics card (most likely a
     nouveau.modeset=0 rd.driver.blacklist=nouveau video=vesa:off
     ~~~
 
-    This will tempororarily disable nouveau until boot.
+    This will temporarily disable nouveau until next boot.
 
  7. Press either the F10 key or Ctrl+X to start the boot process.
 
diff --git a/troubleshooting/out-of-memory.md b/troubleshooting/out-of-memory.md
index 4ea235a9..9021512b 100644
--- a/troubleshooting/out-of-memory.md
+++ b/troubleshooting/out-of-memory.md
@@ -35,7 +35,7 @@ sudo yum clean all
 qvm-remove <VMname>
 ~~~
 
-With this method you lose one VM data, but it'll more securely work.
+With this method you lose the data of one VM, but it'll more reliably work.
 
 1.  Decrease filesystem safety margin (5% by default):
 
@@ -43,5 +43,5 @@ With this method you lose one VM data, but it'll more securely work.
 sudo tune2fs -m 4 /dev/mapper/vg_dom0-lv_root
 ~~~
 
-1.  Remove some unneeded files in dom0 home (if you have one, most likely no).
+1.  Remove some unneeded files in dom0 home (if you have any, most likely no).
 
diff --git a/troubleshooting/sony-vaio-tinkering.md b/troubleshooting/sony-vaio-tinkering.md
index 45d4c4a7..b029f01a 100644
--- a/troubleshooting/sony-vaio-tinkering.md
+++ b/troubleshooting/sony-vaio-tinkering.md
@@ -24,11 +24,11 @@ If you think you are ready to reflash you BIOS, here are the instructions that w
 
 [http://forum.notebookreview.com/sony/473226-insyde-hacking-new-vaio-z-advanced-menu-bios.html](http://forum.notebookreview.com/sony/473226-insyde-hacking-new-vaio-z-advanced-menu-bios.html)
 
-**WARNING**: We take absolutely no responsibility that the BIOS relflashing instructions given at the referenced forum are 1) valid, 2) non-malicious, and 3) work at all. Do this step on your own risk. Keep in mind that reflashing your BIOS might yield your system unusable. If you don't feel like taking this risk (which is a reasonable state of mind), look for a different notebook, or ask Sony Support to enable this option for you.
+**WARNING**: We take absolutely no responsibility that the BIOS relflashing instructions given at the referenced forum are 1) valid, 2) non-malicious, and 3) work at all. Do this step at your own risk. Keep in mind that reflashing your BIOS might yield your system unusable. If you don't feel like taking this risk (which is a reasonable state of mind), look for a different notebook, or ask Sony Support to enable this option for you.
 
-In practice I have downloaded the BIOS-patching tools, run them in a VM on a BIOS image i extracted from my laptop, diffed the two versions, and concluded that it doesn't *seem* malicious, and then bravely applied tha patched image. If you don't know what are you doing, just get a different laptop, really!
+In practice I have downloaded the BIOS-patching tools, run them in a VM on a BIOS image I extracted from my laptop, diffed the two versions, and concluded that it doesn't *seem* malicious, and then bravely applied tha patched image. If you don't know what are you doing, just get a different laptop, really!
 
-On a side note, we should notice that allowing anybody to reflash the BIOS is really a bad idea from the security point of view (Hello Evil Maids!). Shame on you, Sony!
+On a side note, we should note that allowing anybody to reflash the BIOS is really a bad idea from a security point of view (Hello Evil Maids!). Shame on you, Sony!
 
 Getting the touchpad working during installation
 ------------------------------------------------
diff --git a/troubleshooting/thinkpad-troubleshooting.md b/troubleshooting/thinkpad-troubleshooting.md
index 4e5ed82b..33a1aa1c 100644
--- a/troubleshooting/thinkpad-troubleshooting.md
+++ b/troubleshooting/thinkpad-troubleshooting.md
@@ -26,7 +26,7 @@ solved by adding `i915.enable_rc6=0` as a kernel parameter to
 ## Instructions for getting your Lenovo Thinkpad X201 & X200 laptop working with Qubes/Linux ##
 
 For being able to boot the installer from USB, you have to disable VT-d in the BIOS.
-Enter the BIOS by hitting F1, go to Config - CPU and then disable there VT-d.
+Enter the BIOS by hitting F1, go to Config - CPU and then disable VT-d there.
 
 After the installation, you have to set a startup-parameter for Xen, to be able to activate VT-d again:
 
diff --git a/troubleshooting/uefi-troubleshooting.md b/troubleshooting/uefi-troubleshooting.md
index 46b19886..123e2670 100644
--- a/troubleshooting/uefi-troubleshooting.md
+++ b/troubleshooting/uefi-troubleshooting.md
@@ -15,7 +15,7 @@ There is some [common bug in UEFI implementation](http://xen.markmail.org/messag
 
 01. In GRUB menu<sup id="a1-1">[1](#f1)</sup>, select "Troubleshoot", then "Boot from device", then press `e`.
 02. At the end of `chainloader` line add `/mapbs /noexitboot`.
-03. Perform installation normally, but not reboot system at the end yet.
+03. Perform installation normally, but don't reboot the system at the end yet.
 04. Go to `tty2` (Ctrl-Alt-F2).
 05. Enable `/mapbs /noexitboot` on just installed system. This step differs between Qubes releases:
    
@@ -36,7 +36,7 @@ There is some [common bug in UEFI implementation](http://xen.markmail.org/messag
 
         Boot0001* Qubes HD(1,0,00000000...0,0x0,0x0)/File(\EFI\qubes\xen.efi)p.l.a.c.e.h.o.l.d.e.r. ./.m.a.p.b.s. ./.n.o.e.x.i.t.b.o.o.t.
 
-    then try passing `/dev/sda1` or `/dev/nvme0n1p1` or whatever is your EFI partition instead of `/dev/sda` and `-p 1`.
+    then try passing `/dev/sda1` or `/dev/nvme0n1p1` or whatever your EFI partition is instead of `/dev/sda` and `-p 1`.
 
 10. Now you can reboot the system by issuing `reboot` command.
 
@@ -48,7 +48,7 @@ There is some [common bug in UEFI implementation](http://xen.markmail.org/messag
         noexitboot=1
 
     **Note:** You must add these parameters on two separate new lines (one
-    paramater on each line) at the end of each section that includes a kernel
+    parameter on each line) at the end of each section that includes a kernel
     line (i.e., all sections except the first one, since it doesn't have a
     kernel line).
 
@@ -63,7 +63,7 @@ Some Dell systems and probably others have [another bug in UEFI firmware](http:/
 
 1. In GRUB menu<sup id="a1-2">[1](#f1)</sup> press `e`.
 2. At the end of `chainloader` line add `-- efi=attr=uc`.
-3. Perform installation normally, but not reboot system at the end yet.
+3. Perform installation normally, but don't reboot the system at the end yet.
 4. Go to `tty2` (Ctrl-Alt-F2).
 5. Execute:
 
@@ -98,7 +98,7 @@ Qubes-specific EFI configuration. In such a case you need to finish those parts
 manually. You can do that just after installation (switch to `tty2` with
 Ctrl-Alt-F2), or booting from installation media in "Rescue a Qubes system" mode.
 
-1. Examine `/boot/efi/EFI/qubes` (if using Qubes installation media, it's in `/mnt/sysimage/boot/efi/EFI/qubes`). You should see there 4 files:
+1. Examine `/boot/efi/EFI/qubes` (if using Qubes installation media, it's in `/mnt/sysimage/boot/efi/EFI/qubes`). You should see 4 files there:
 
     - xen.cfg (empty, size 0)
     - xen-(xen-version).efi

From c5f4957ee2d9d6bfc5bffc6906dfa2b926d69257 Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Fri, 12 May 2017 15:58:22 +1000
Subject: [PATCH 003/103] more minor typo/grammar fixes

---
 basics_dev/coding-style.md          |  8 ++++----
 basics_dev/style-guide.md           |  2 +-
 basics_dev/usability-ux.md          |  6 +++---
 basics_user/reporting-bugs.md       |  2 +-
 common-tasks/software-update-vm.md  |  4 ++--
 configuration/config-files.md       |  4 ++--
 configuration/managing-vm-kernel.md |  6 +++---
 configuration/multiboot.md          |  2 +-
 debugging/vm-interface.md           | 18 +++++++++---------
 security/yubi-key.md                |  2 +-
 services/qmemman.md                 |  4 ++--
 system/gui.md                       |  4 ++--
 system/storage-pools.md             | 12 ++++++------
 13 files changed, 37 insertions(+), 37 deletions(-)

diff --git a/basics_dev/coding-style.md b/basics_dev/coding-style.md
index c7a18b80..b506db81 100644
--- a/basics_dev/coding-style.md
+++ b/basics_dev/coding-style.md
@@ -97,7 +97,7 @@ General programming style guidelines
     }
     ~~~
 
--   Do **not** use comments to disable code fragments. In a production code there should really be no commented or disabled code fragments. If you really, really have a good reason to retain some fragment of unused code, use \#if or \#ifdef to disable it, e.g.:
+-   Do **not** use comments to disable code fragments. In production code there should really be no commented or disabled code fragments. If you really, really have a good reason to retain some fragment of unused code, use \#if or \#ifdef to disable it, e.g.:
 
     ~~~
     #if 0
@@ -130,7 +130,7 @@ Source Code management (Git) guidelines
     -   This creates natural boundaries between different code blocks, enforcing proper interfaces, and easing independent development to be conducted on various code parts at the same time, without the fear of running into conflicts.
     -   By maintaining relatively small git repositories, it is easy for new developers to understand the code and contribute new patches, without the need to understand all the other code.
     -   Code repositories represent also licensing boundaries. So, e.g. because `core-agent-linux` and `core-agent-windows` are maintained in two different repositories, it is possible to have the latter under a proprietary, non-GPL license, while keeping the former fully open source.
-    -   We have drastically changes the layout and naming of the code repositories shortly after Qubes OS R2 Beta 2 release. For details on the current code layout, please read [this article](https://blog.invisiblethings.org/2013/03/21/introducing-qubes-odyssey-framework.html).
+    -   We have drastically changed the layout and naming of the code repositories shortly after Qubes OS R2 Beta 2 release. For details on the current code layout, please read [this article](https://blog.invisiblethings.org/2013/03/21/introducing-qubes-odyssey-framework.html).
 
 Commit message guidelines
 -------------------------
@@ -165,7 +165,7 @@ Security coding guidelines
        height = untrusted_conf.height;
     ~~~
 
--   Use another variables, without the `untrusted_` prefix to hold the sanitized values, as shown above.
+-   Use equivalent variables, without the `untrusted_` prefix to hold the sanitized values, as shown above.
 
 Python-specific guidelines
 --------------------------
@@ -178,7 +178,7 @@ C and C++ specific guidelines
 -   Do not place code in `*.h` files.
 -   Use `const` whenever possible, e.g. in function arguments passed via pointers.
 -   Do not mix procedural and objective code together -- if you write in C++, use classes and objects.
--   Think about classes hierarchy, before start implementing specific methods.
+-   Think about classes hierarchy, before starting to implement specific methods.
 
 Bash-specific guidelines
 ------------------------
diff --git a/basics_dev/style-guide.md b/basics_dev/style-guide.md
index 160e8666..32f0259a 100644
--- a/basics_dev/style-guide.md
+++ b/basics_dev/style-guide.md
@@ -68,7 +68,7 @@ Currently, all the icons on the Qubes-OS.org website are generated using [FontAw
 
 ## Logos
 
-The following is a collection of various sizes & versions of the Qubes logo used both in the OS itself and on our website. All of these files are licensed GPLv2 and the source can be [downloaded here](https://github.com/QubesOS/qubes-artwork).
+The following is a collection of various sizes and versions of the Qubes logo used both in the OS itself and on our website. All of these files are licensed GPLv2 and the source can be [downloaded here](https://github.com/QubesOS/qubes-artwork).
 
 <div class="styleguide">
 {% for logo in site.data.styleguide.logos %}
diff --git a/basics_dev/usability-ux.md b/basics_dev/usability-ux.md
index b8762d0e..03747bd0 100644
--- a/basics_dev/usability-ux.md
+++ b/basics_dev/usability-ux.md
@@ -44,7 +44,7 @@ In making software easy to use, it is crucial to be mindful of [cognitive load](
 
 ## Easy to Understand
 
-There will always be the need to communicate things to users. In these cases, an interface should aim to make this information easy to understand. The following are simple guides to help achieve this - none these are absolute maxims!
+There will always be the need to communicate things to users. In these cases, an interface should aim to make this information easy to understand. The following are simple guides to help achieve this - none of these are absolute maxims!
 
 <div class="focus">
   <i class="fa fa-times"></i> <strong>Avoid Acronyms</strong>
@@ -82,7 +82,7 @@ Technical words are usually more accurate, but they often *only* make sense to t
 - `savefile`
 - `qrexec-daemon`
 
-These are all terms that have at some point showed up in users' notification messages. Each term is very specific, but requires the user to understand virtualization to interpet.
+These are all terms that have at some point showed up in users' notification messages. Each term is very specific, but requires the user to understand virtualization to interpret.
 
 <div class="focus">
   <i class="fa fa-check"></i> <strong> Use Common Concepts</strong>
@@ -195,7 +195,7 @@ There are many cases where a user wants to perform an action on more than one fi
 3. Select proper file
 4. Complete task on file
 
-That subtle act of clicking through a file system can prove to be significant if a user needs to open more than a couples files in the same directory. We can alleviate some of the work by changing the process:
+That subtle act of clicking through a file system can prove to be significant if a user needs to open more than a couple files in the same directory. We can alleviate some of the work by changing the process:
 
 1. Click on `Open File` from a menu or button
 2. Remember last open folder/file system
diff --git a/basics_user/reporting-bugs.md b/basics_user/reporting-bugs.md
index 7cd31084..6cc8f78c 100644
--- a/basics_user/reporting-bugs.md
+++ b/basics_user/reporting-bugs.md
@@ -74,7 +74,7 @@ How to submit a report on GitHub
 We track all bugs in the [qubes-issues] tracker on GitHub.
 
 When you file a new issue, you should be sure to include the version of Qubes
-your'e using, as well as versions of related software packages. If your issue is
+you're using, as well as versions of related software packages. If your issue is
 related to hardware, provide as many details as possible about the hardware,
 which could include using command-line tools such as `lspci`.
 If you're reporting a bug in a package that is in a [testing] repository, please reference the appropriate issue in the [updates-status] repository.
diff --git a/common-tasks/software-update-vm.md b/common-tasks/software-update-vm.md
index c1e1a716..1bd3f567 100644
--- a/common-tasks/software-update-vm.md
+++ b/common-tasks/software-update-vm.md
@@ -125,7 +125,7 @@ Some popular questions:
 
 -   So, why should we actually trust Fedora repos -- it also contains large amount of 3rd party software that might buggy, right?
 
-As long as template's compromise is considered, it doesn't really matter whether /usr/bin/firefox is buggy and can be exploited, or not. What matters is whether its *installation* scripts (such as %post in the rpm.spec) are benign or not. Template VM should be used only for installation of packages, and nothing more, so it should never get a chance to actually run the /usr/bin/firefox and get infected from it, in case it was compromised. Also, some of your more trusted AppVMs, would have networking restrictions enforced by the [firewall VM](/doc/firewall/), and again they should not fear this proverbial /usr/bin/firefox being potentially buggy and easy to compromise.
+As far as the template's compromise is concerned, it doesn't really matter whether /usr/bin/firefox is buggy and can be exploited, or not. What matters is whether its *installation* scripts (such as %post in the rpm.spec) are benign or not. Template VM should be used only for installation of packages, and nothing more, so it should never get a chance to actually run the /usr/bin/firefox and get infected from it, in case it was compromised. Also, some of your more trusted AppVMs, would have networking restrictions enforced by the [firewall VM](/doc/firewall/), and again they should not fear this proverbial /usr/bin/firefox being potentially buggy and easy to compromise.
 
 -   But why trust Fedora?
 
@@ -138,7 +138,7 @@ Not quite. Dom0 compromise is absolutely fatal, and it leads to Game Over<sup>TM
 Standalone VMs
 --------------
 
-Standalone VMs have their own copy of the whole filesystem, and thus can be updated and managed on its own. But this means that they take a few GBs on disk, and also that centralized updates do not apply to them.
+Standalone VMs have their own copy of the whole filesystem, and thus can be updated and managed on their own. But this means that they take a few GBs on disk, and also that centralized updates do not apply to them.
 
 Sometimes it might be convenient to have a VM that has its own filesystem, where you can directly introduce changes, without the need to start/stop the template VM. Such situations include e.g.:
 
diff --git a/configuration/config-files.md b/configuration/config-files.md
index dc59d50c..66b53df3 100644
--- a/configuration/config-files.md
+++ b/configuration/config-files.md
@@ -40,8 +40,8 @@ problematic device drivers.
 
 Note that scripts need to be executable (chmod +x) to be used.
 
-Also take a look at [bind-dirs](/doc/bind-dirs) for instruction how to easily
-modify arbitrary system file in AppVM and have those changes persistent.
+Also take a look at [bind-dirs](/doc/bind-dirs) for instructions on 
+how to easily modify arbitrary system files in AppVM and have those changes persist.
 
 GUI and audio configuration in dom0
 ===================================
diff --git a/configuration/managing-vm-kernel.md b/configuration/managing-vm-kernel.md
index 6166337b..39d2eb05 100644
--- a/configuration/managing-vm-kernel.md
+++ b/configuration/managing-vm-kernel.md
@@ -227,7 +227,7 @@ sudo qubes-dom0-update grub2-xen
 ### Installing kernel in Fedora VM
 
 In Fedora based VM, you need to install `qubes-kernel-vm-support` package. This
-package include required additional kernel module and initramfs addition
+package includes required additional kernel module and initramfs addition
 required to start Qubes VM (for details see
 [template implementation](/doc/template-implementation/)). Additionally you
 need some GRUB tools to create its configuration. Note: you don't need actual
@@ -240,7 +240,7 @@ sudo yum install qubes-kernel-vm-support grub2-tools
 Then install whatever kernel you want. If you are using distribution kernel
 package (`kernel` package), initramfs and kernel module should be handled
 automatically, but you need to ensure you have `kernel-devel` package for the
-same kernel version installed. If you are using manually build kernel, you need
+same kernel version installed. If you are using a manually built kernel, you need
 to handle this on your own. Take a look at `dkms` and `dracut` documentation.
 Especially `dkms autoinstall` command may be useful.
 
@@ -265,7 +265,7 @@ start kernel configured within VM.
 ### Installing kernel in Debian VM
 
 In Debian based VM, you need to install `qubes-kernel-vm-support` package. This
-package include required additional kernel module and initramfs addition
+package includes required additional kernel module and initramfs addition
 required to start Qubes VM (for details see
 [template implementation](/doc/template-implementation/)). Additionally you
 need some GRUB tools to create its configuration. Note: you don't need actual
diff --git a/configuration/multiboot.md b/configuration/multiboot.md
index 3cba4ec7..d33152a5 100644
--- a/configuration/multiboot.md
+++ b/configuration/multiboot.md
@@ -178,7 +178,7 @@ If you install Qubes without making any backups beforehand, don't worry.
 If you didn't overwrite the original partitions, then it is usually
 possible to recover your old systems relatively easily, as described above.
 
-If you decided to use a shared /boot and *dont* have backups of your previous
+If you decided to use a shared /boot and *don't* have backups of your previous
 grub config, it is quite easy to fix this.  
 This example may help.  
 
diff --git a/debugging/vm-interface.md b/debugging/vm-interface.md
index bfb19458..507909db 100644
--- a/debugging/vm-interface.md
+++ b/debugging/vm-interface.md
@@ -32,7 +32,7 @@ QubesDB
      - `none` - none
 -   `/qubes-timezone - name of timezone based on dom0 timezone. For example `Europe/Warsaw`
 -   `/qubes-keyboard` - keyboard layout based on dom0 layout. Its syntax is suitable for `xkbcomp` command (after expanding escape sequences like `\n` or `\t`). This is meant only as some default value, VM can ignore this option and choose its own keyboard layout (this is what keyboard setting from Qubes Manager does). This entry is created as part of gui-daemon initialization (so not available when gui-daemon disabled, or not started yet).
--   `/qubes-debug-mode` - flag whether VM have debug mode enabled (qvm-prefs setting). One of `1`, `0`
+-   `/qubes-debug-mode` - flag whether VM has debug mode enabled (qvm-prefs setting). One of `1`, `0`
 -   `/qubes-service/SERVICE_NAME` - subtree for VM services controlled from dom0 (using qvm-service command or Qubes Manager). One of `1`, `0`. Note that not every service will be listed here, if entry is missing, it means "use VM default". List of currently supported services is in [qvm-service man page](/wiki/Dom0Tools/QvmService)
 -   `/qubes-netmask` - network mask (only when VM has netvm set); currently hardcoded "255.255.255.0"
 -   `/qubes-ip - IP address for this VM (only when VM has netvm set)
@@ -50,7 +50,7 @@ QubesDB
 QubesDB is also used to configure firewall in ProxyVMs. Rules are stored in
 separate key for each target VM. Entries:
 
-- `/qubes-iptables` - control entry - dom0 writing `reload` here signal `qubes-firewall` service to reload rules
+- `/qubes-iptables` - control entry - dom0 writing `reload` here signals `qubes-firewall` service to reload rules
 - `/qubes-iptables-header` - rules not related to any particular VM, should be applied before domains rules
 - `/qubes-iptables-domainrules/NNN` - rules for domain `NNN` (arbitrary number)
 in `iptables-save` format. Rules are self-contained - fill `FORWARD` iptables
@@ -59,7 +59,7 @@ final default action (`DROP`/`ACCEPT`)
 
 VM after applying rules may signal some error, writing a message to
 `/qubes-iptables-error` key. This does not exclude any other way of
-communicating problem - like a popup.
+communicating problems - like a popup.
 
 #### Firewall rules in 4.x ####
 
@@ -84,7 +84,7 @@ by space. Order of those pairs in a single rule is undefined. QubesDB enforces
 a limit on a single entry length - 3072 bytes.
 Possible options for a single rule:
 
- - `action`, values: `accept`, `drop`; this is present it every rule
+ - `action`, values: `accept`, `drop`; this is present in every rule
  - `dst4`, value: destination IPv4 address with a mask; for example: `192.168.0.0/24`
  - `dst6`, value: destination IPv6 address with a mask; for example: `2000::/3`
  - `dstname`, value: DNS hostname of destination host
@@ -100,7 +100,7 @@ Possible options for a single rule:
 Rule matches only when all predicates matches. Only one of `dst4`, `dst6`,
 `dstname`, `specialtarget` can be used in a single rule.
 
-If tool applying firewall encounter any parse error (unknown option, invalid
+If tool applying firewall encounters any parse error (unknown option, invalid
 value etc), it should drop all the traffic coming from that `SOURCE_IP`,
 regardless of properly parsed rules.
 
@@ -117,7 +117,7 @@ Example valid rules:
 -   `memory/meminfo` (**xenstore**) - used memory (updated by qubes-meminfo-writer), input information for qmemman;
     - Qubes 3.x format: 6 lines (EOL encoded as `\n`), each in format "FIELD: VALUE kB"; fields: `MemTotal`, `MemFree`, `Buffers`, `Cached`, `SwapTotal`, `SwapFree`; meaning the same as in `/proc/meminfo` in Linux.
     - Qubes 4.0+ format: used memory size in the VM, in kbytes
--   `/qubes-block-devices` - list of block devices exposed by this VM, each device (subdirectory) should be named in a way that VM can attach the device based on it. Each should contain those entries:
+-   `/qubes-block-devices` - list of block devices exposed by this VM, each device (subdirectory) should be named in a way that VM can attach the device based on it. Each should contain these entries:
     -   `desc` - device description (ASCII text)
     -   `size` - device size in bytes
     -   `mode` - default connection mode; `r` for read-only, `w` for read-write
@@ -130,7 +130,7 @@ Qubes RPC
 
 Services called by dom0 to provide some VM configuration:
 
--   `qubes.SetMonitorLayout` - provide list of monitors, one in a line, each line contains four numbers: `width height X Y width_mm height_mm` (physical dimensions - `width_mm` and `height_mm` - are optional)
+-   `qubes.SetMonitorLayout` - provide list of monitors, one per line. Each line contains four numbers: `width height X Y width_mm height_mm` (physical dimensions - `width_mm` and `height_mm` - are optional)
 -   `qubes.WaitForSession` - called to wait for full VM startup
 -   `qubes.GetAppmenus` - receive appmenus from given VM (template); TODO: describe format here
 -   `qubes.GetImageRGBA` - receive image/application icon. Protocol:
@@ -172,7 +172,7 @@ Other Qrexec services installed by default:
 - `qubes.Restore` - retrieve Qubes backup. The service receives backup location
   entered by the user (one line, terminated by '\n'), then should output backup
   archive in [qfile format](/doc/qfilecopy/) (core-agent-linux component contains
-  `tar2qfile` utility to do the conversion
+  `tar2qfile` utility to do the conversion)
 - `qubes.SelectDirectory`, `qubes.SelectFile` - services which should show
   file/directory selection dialog and return (to stdout) a single line
   containing selected path, or nothing in the case of cancellation
@@ -199,7 +199,7 @@ abstraction. This will change in the future. Those tools are:
 - `gpk-update-viewer` - called by Qubes Manager to display available updates in a TemplateVM
 - `systemctl start qubes-update-check.timer` (and similarly stop) - called when enabling/disabling updates checking in given VM (`qubes-update-check` [qvm-service](/doc/qubes-service/))
 
-Additionally automatic tests extensively calls various commands directly in VMs. We do not plan to change that.
+Additionally automatic tests extensively call various commands directly in VMs. We do not plan to change that.
 
 GUI protocol
 ------------
diff --git a/security/yubi-key.md b/security/yubi-key.md
index 77f512a3..1bba22ba 100644
--- a/security/yubi-key.md
+++ b/security/yubi-key.md
@@ -26,7 +26,7 @@ applications (it will deny further authentications if you try).
 Contrary to instruction there, currently there is no binary packages in Qubes
 repository and you need to compile it yourself. This might change in the future.
 
-Challenge-reponse mode
+Challenge-response mode
 ----------------------
 
 In this mode, your YubiKey will generate response based on secret key, and
diff --git a/services/qmemman.md b/services/qmemman.md
index 471acb95..356ddbf5 100644
--- a/services/qmemman.md
+++ b/services/qmemman.md
@@ -23,7 +23,7 @@ The [tmem](https://oss.oracle.com/projects/tmem/) project provides a "pseudo-RAM
 
 Therefore, in Qubes another solution is used. There is the *qmemman* dom0 daemon. All VMs report their memory usage (via xenstore) to *qmemman*, and it makes decisions on whether to balance memory across domains. The actual mechanism to add/remove memory from a domain (*xc.domain\_set\_target\_mem*) is already supported by both PV Linux guests and Windows guests (the latter via PV drivers).
 
-Similarly, when there is need for Xen free memory (for instance, in order to create a new VM), traditionally the memory is obtained from dom0 only. When *qmemman* is running, it offers interface to obtain memory from all domains.
+Similarly, when there is need for Xen free memory (for instance, in order to create a new VM), traditionally the memory is obtained from dom0 only. When *qmemman* is running, it offers an interface to obtain memory from all domains.
 
 To sum up, *qmemman* pros and cons. Pros:
 
@@ -34,7 +34,7 @@ To sum up, *qmemman* pros and cons. Pros:
 Cons:
 
 -   the algorithm to calculate the memory requirement for a domain is necessarily simple, and may not closely reflect reality
--   *qmemman* is notified by a VM about memory usage change not more often than 10 times per seconds (to limit CPU overhead in VM). Thus, there can be up to 0.1s delay until qmemman starts to react to the new memory requirements
+-   *qmemman* is notified by a VM about memory usage change not more often than 10 times per second (to limit CPU overhead in VM). Thus, there can be up to 0.1s delay until qmemman starts to react to the new memory requirements
 -   it takes more time to obtain free Xen memory, as all participating domains need to instructed to yield memory
 
 Interface
diff --git a/system/gui.md b/system/gui.md
index ceee7e42..dadfa01a 100644
--- a/system/gui.md
+++ b/system/gui.md
@@ -73,7 +73,7 @@ Security markers on dom0 windows
 
 It is important that user knows which AppVM a given window belongs to. This prevents a rogue AppVM from painting a window pretending to belong to other AppVM or dom0 and trying to steal, for example, passwords.
 
-In Qubes, a custom window decorator is used that paints a colourful frame (the colour is determined during AppVM creation) around decorated windows. Additionally, the window title always starts with **[name of the AppVM]**. If a window has a *override_redirect* attribute, meaning that it should not be treated by a window manager (typical case is menu windows), *qubes_guid* draws a two-pixel colourful frame around it manually.
+In Qubes, a custom window decorator is used that paints a colourful frame (the colour is determined during AppVM creation) around decorated windows. Additionally, the window title always starts with **[name of the AppVM]**. If a window has an *override_redirect* attribute, meaning that it should not be treated by a window manager (typical case is menu windows), *qubes_guid* draws a two-pixel colourful frame around it manually.
 
 Clipboard sharing implementation
 --------------------------------
@@ -81,7 +81,7 @@ Clipboard sharing implementation
 Certainly, it would be insecure to allow AppVM to read/write the clipboards of other AppVMs unconditionally. 
 Therefore, the following mechanism is used:
 
--   there is a "qubes clipboard" in dom0 - its contents is stored in a regular file in dom0.
+-   there is a "qubes clipboard" in dom0 - its contents are stored in a regular file in dom0.
 -   if user wants to copy local AppVM clipboard to qubes clipboard, she must focus on any window belonging to this AppVM, and press **Ctrl-Shift-C**. This combination is trapped by *qubes-guid*, and `CLIPBOARD_REQ` message is sent to AppVM. *qubes-gui* responds with *CLIPBOARD_DATA* message followed by clipboard contents.
 -   user focuses on other AppVM window, presses **Ctrl-Shift-V**. This combination is trapped by *qubes-guid*, and `CLIPBOARD_DATA` message followed by qubes clipboard contents is sent to AppVM; *qubes_gui* copies data to the local clipboard, and then user can paste its contents to local applications normally.
 
diff --git a/system/storage-pools.md b/system/storage-pools.md
index 250ec1c2..c4129208 100644
--- a/system/storage-pools.md
+++ b/system/storage-pools.md
@@ -7,31 +7,31 @@ permalink: /doc/storage-pools/
 Storage Pools in Qubes
 ======================
 
-Qubes OS R 3.2 introduced the concept of storage drivers & pools.  This feature
+Qubes OS R3.2 introduced the concept of storage drivers and pools.  This feature
 was a first step towards a saner storage API, which is heavily rewritten in R4.
 A storage driver provides a way to store VM images in a Qubes OS system.
 Currently, the default driver is `xen` which is the default way of storing
 volume images as files in a directory tree like `/var/lib/qubes/`.
 
-A pool storage driver can be identified either by the driver name with the
+A storage pool driver can be identified either by the driver name with the
 `driver` key or by the class name like this:
 `class=qubes.storage.xen.XenStorage`. Because R3.2 doesn't use Python
 `setup_hooks`, to actually use a short driver name for a custom storage driver,
 you have to patch `qubes-core-admin`. You can use the `class` config key
 instead, when your class is accessible by `import` in Python.
 
-A pool (in R3.2) is a configuration information which can be referenced when
+A pool (in R3.2) is configuration information which can be referenced when
 creating a new VM. Each pool is saved in `storage.conf`. It has a name, a
 storage driver and some driver specific configuration attached.
 
-When installed, the system has, as you can see from the content of
+When installed, the system has, as you can see from the contents of
 `/etc/qubes/storage.conf`, a pool named `default`. It uses the driver `xen`. The
 default pool is special in R3.2. It will add `dir_path=/var/lib/qubes`
 configuration value from `defaults[pool_config]`, if not overwritten.
 
 
 Currently the only supported driver out of the box is `xen`. The benefit of
-pools (besides that you can write an own storage driver e.g. for Btrfs) in R3.2
+pools (besides that you can write your own storage driver e.g. for Btrfs) in R3.2
 is that you can store your domains in multiple places.
 
 You can add a pool to `storage.conf` like this:
@@ -42,7 +42,7 @@ driver=xen
 dir_path=/opt/qubes-vm
 ```
 
-Now, when creating a new VM on the command-line, a you may pass the `-Pfoo`
+Now, when creating a new VM on the command-line, you may pass the `-Pfoo`
 argument to `qvm-create` to have the VM images stored in pool `foo`. See also
 `qvm-create --help`.
 

From d3855827f1860ba8c20482d037378e1f2e231abc Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Thu, 25 May 2017 16:43:11 +1000
Subject: [PATCH 004/103] More typo/grammar/re-wording from @jpouellet's review

---
 basics_dev/coding-style.md                     |  2 --
 common-tasks/software-update-vm.md             |  2 +-
 common-tasks/tips-and-tricks.md                |  2 +-
 configuration/assigning-devices.md             |  6 +++---
 configuration/external-audio.md                |  2 +-
 configuration/managing-vm-kernel.md            |  6 +++---
 configuration/network-bridge-support.md        |  2 +-
 configuration/resize-disk-image.md             |  2 +-
 customization/bind-dirs.md                     |  2 +-
 customization/dark-theme.md                    |  6 +++---
 customization/dispvm-customization.md          |  2 +-
 .../fedora-minimal-template-customization.md   |  4 ++--
 .../windows-template-customization.md          |  4 ++--
 debugging/vm-interface.md                      |  2 +-
 installing/upgrade/upgrade-to-r3.0.md          |  2 +-
 managing-os/templates/archlinux.md             |  4 ++--
 managing-os/windows/windows-appvms.md          |  2 +-
 reference/glossary.md                          |  2 +-
 releases/1.0/release-notes.md                  |  2 +-
 security-info/security-pack.md                 |  2 +-
 security/yubi-key.md                           | 18 +++++++++---------
 services/dvm-impl.md                           | 18 +++++++++---------
 system/gui.md                                  |  8 ++++----
 troubleshooting/install-nvidia-driver.md       |  2 +-
 troubleshooting/out-of-memory.md               |  4 ++--
 25 files changed, 53 insertions(+), 55 deletions(-)

diff --git a/basics_dev/coding-style.md b/basics_dev/coding-style.md
index b506db81..82d635f5 100644
--- a/basics_dev/coding-style.md
+++ b/basics_dev/coding-style.md
@@ -165,8 +165,6 @@ Security coding guidelines
        height = untrusted_conf.height;
     ~~~
 
--   Use equivalent variables, without the `untrusted_` prefix to hold the sanitized values, as shown above.
-
 Python-specific guidelines
 --------------------------
 
diff --git a/common-tasks/software-update-vm.md b/common-tasks/software-update-vm.md
index 1bd3f567..bbb189ac 100644
--- a/common-tasks/software-update-vm.md
+++ b/common-tasks/software-update-vm.md
@@ -119,7 +119,7 @@ There are several ways to deal with this problem:
 
 -   Use *standalone VMs* (see below) for installation of untrusted software packages.
 
--   Use multiple templates (see below) for different classes of domains, e.g. a less trusted template, used for creation of less trusted AppVMs, would get various packages from somewhat less trusted vendors, while the template used for more trusted AppVMs will only get packages from the standard Fedora repos.
+-   Use multiple templates (see below) for different classes of domains, e.g. a less trusted template, used for creation of less trusted AppVMs, would get various packages from less trusted vendors, while the template used for more trusted AppVMs will only get packages from the standard Fedora repos.
 
 Some popular questions:
 
diff --git a/common-tasks/tips-and-tricks.md b/common-tasks/tips-and-tricks.md
index 81938023..4b244f3e 100644
--- a/common-tasks/tips-and-tricks.md
+++ b/common-tasks/tips-and-tricks.md
@@ -46,7 +46,7 @@ Preventing data leaks
 ---------------------
 First make sure to read [Understanding and Preventing Data Leaks](/doc/data-leaks/) section to understand the limits of this tip.
 
-Suppose that you have in a not so trusted enviroment, for example a Windows VM, an application that track and report its usage, or you simply want to protect your data.
+Suppose that you have within a not so trusted enviroment - for example, a Windows VM - an application that track and report its usage, or you simply want to protect your data.
 
 Start Windows template VM (which has no user data), install/upgrade apps; then start Windows AppVM (with data) in offline mode. So, if you worry (hypothetically) that your Windows or app updater might want to send your data away, this Qubes OS trick will prevent this.
 This applies also to any TemplateBasedVM relative to its parent TemplateVM, but the privacy risk is especially high in the case of Windows.
diff --git a/configuration/assigning-devices.md b/configuration/assigning-devices.md
index e676e742..2998b9b6 100644
--- a/configuration/assigning-devices.md
+++ b/configuration/assigning-devices.md
@@ -58,15 +58,15 @@ list of available devices, which you can select to be assigned to that VM.
 Finding the right USB controller
 --------------------------------
 
-If you want to assign a certain [USB] device to a VM (by attaching the whole
-USB controller), you need to figure out which PCI device is the right
+If you want to assign a certain USB device to a VM by attaching the whole
+USB controller, you need to figure out which PCI device is the right
 controller. First, check to which USB bus the device is connected:
 
 ~~~
 lsusb
 ~~~
 
-For example, I want to assign a broadband modem to the netvm. In the output of
+For example, I want to assign a broadband modem to the NetVM. In the output of
 `lsusb` it can be listed as something like this. (In this case, the device isn't
 fully identified):
 
diff --git a/configuration/external-audio.md b/configuration/external-audio.md
index 43618955..3d25a87b 100644
--- a/configuration/external-audio.md
+++ b/configuration/external-audio.md
@@ -38,7 +38,7 @@ pactl load-module module-udev-detect
 
 Start the audio application that is going to use the external audio device.
 
-Launch pavucontrol, for example using "run command in VM" of Qubes Manager and select your external audio card in pavucontrol. You need to do that only the first time you use a new external audio device, then pulse audio will remember you selection.
+Launch pavucontrol, for example using "run command in VM" of Qubes Manager and select your external audio card in pavucontrol. You need to do that only the first time you use a new external audio device, then pulse audio will remember your selection.
 
 If you detach your external audio device, then want to insert it again, or change it with another one, you need to repeat the previous commands in terminal, adding another line at the beginning:
 
diff --git a/configuration/managing-vm-kernel.md b/configuration/managing-vm-kernel.md
index 39d2eb05..70859eb2 100644
--- a/configuration/managing-vm-kernel.md
+++ b/configuration/managing-vm-kernel.md
@@ -326,9 +326,9 @@ When starting the VM you can safely ignore any warnings about a missing module '
 
 ### Troubleshooting
 
-In the event of a problem, you can access VM console (using `sudo xl console VMNAME` in dom0) to access
-GRUB menu. You need to call it just after starting VM (until `GRUB_TIMEOUT`
-expires) - for example in separate dom0 terminal window.
+In the event of a problem, you can access the VM console (using `sudo xl console VMNAME` in dom0) to access
+the GRUB menu. You need to call it just after starting VM (until `GRUB_TIMEOUT`
+expires) - for example in a separate dom0 terminal window.
 
 In any case you can later access VM logs (especially VM console log (`guest-VMNAME.log`). 
 
diff --git a/configuration/network-bridge-support.md b/configuration/network-bridge-support.md
index cf86bc56..4df4c5f0 100644
--- a/configuration/network-bridge-support.md
+++ b/configuration/network-bridge-support.md
@@ -42,7 +42,7 @@ First, retrieve the attachment of this Wifi article in dom0. Then apply the thre
 
 Finally restart the qubes manager GUI.
 
-A new option is now available in the AppVM Settings to enable set the NetVM in bridge mode. For a bridged AppVM, you should the select a netvm instead of a firewall vm, enable the Bridge option and restart your AppVM.
+An option is available in the AppVM Settings to enable setting the NetVM in bridge mode. For a bridged AppVM, you should then select a NetVM instead of a FirewallVM/  ProxyVM, enable the Bridge option, and restart your AppVM.
 
 NetVM patch (Qubes R2B2)
 ------------------------
diff --git a/configuration/resize-disk-image.md b/configuration/resize-disk-image.md
index c89780ab..a4e4b28f 100644
--- a/configuration/resize-disk-image.md
+++ b/configuration/resize-disk-image.md
@@ -75,7 +75,7 @@ Done.
 
 If you want install a lot of software in your TemplateVM, you may need to increase the amount of disk space your TemplateVM can use.
 
-1.  Make sure that all the VMs based on this template are powered off (including netvms etc).
+1.  Make sure that all the VMs based on this template are shut down (including netvms etc).
 2.  Sanity check: verify that none of the loop devices are pointing at this template root.img: `sudo losetup -a`
 3.  Resize root.img file using `truncate -s <desired size>` (the root.img path can be obtained from qvm-prefs).
 4.  If any netvm/proxyvm used by this template is based on it, set template netvm to none.
diff --git a/customization/bind-dirs.md b/customization/bind-dirs.md
index 8fc01a62..c9769927 100644
--- a/customization/bind-dirs.md
+++ b/customization/bind-dirs.md
@@ -89,7 +89,7 @@ For example, if you wanted to make `/var/lib/tor` non-persistant in `sys-whonix`
 binds=( "${binds[@]/'/var/lib/tor'}" )
 ~~~
 
-(Editing `/usr/lib/qubes-bind-dirs.d/40_qubes-whonix.conf` directly is not recommended, since such changes get lost when that file is changed in the package on upgrades.)
+(Editing `/usr/lib/qubes-bind-dirs.d/40_qubes-whonix.conf` directly is strongly discouraged, since such changes get lost when that file is changed in the package on upgrades.)
 
 ## Discussion ##
 
diff --git a/customization/dark-theme.md b/customization/dark-theme.md
index 1c046bb3..18bd84e9 100644
--- a/customization/dark-theme.md
+++ b/customization/dark-theme.md
@@ -109,7 +109,7 @@ This is the result after applying the steps described here.
 Dark App VM, Template VM, Standalone VM, HVM (Linux Gnome)
 ==========================================================
 
-Almost all Qubes VM's are based on the Gnome desktop. Therefore the description below is focused on the Gnome Desktop Environment.
+Almost all Qubes VMs use default applications based on the GTK toolkit. Therefore the description below is focused on tools from the Gnome Desktop Environment.
 
 Using "Gnome-Tweak-Tool"
 ------------------------
@@ -120,7 +120,7 @@ The advantage of creating a dark themed Template VM is, that each AppVM which is
 
 1. Start VM
 
-    **Note:** In the case of App VM start the Template on which the AppVM is based on.
+    **Note:** Remember that if you want to make the change persistent, the change needs to be made in the TemplateVM, not the AppVM.
 
 2. Install `Gnome-Tweak-Tool`
 
@@ -174,7 +174,7 @@ Manually works for Debian, Fedora and Archlinux.
 
 1. Start VM
 
-    **Note:** In the case of App VM start the Template on which the AppVM is based on.
+    **Note:** Remember that if you want to make the change persistent, the change needs to be made in the TemplateVM, not the AppVM.
 
 2. Enable `Global Dark Theme`
 
diff --git a/customization/dispvm-customization.md b/customization/dispvm-customization.md
index ff59dcc0..fa3525c1 100644
--- a/customization/dispvm-customization.md
+++ b/customization/dispvm-customization.md
@@ -49,7 +49,7 @@ It is possible to change the settings of each new Disposable VM (DispVM). This c
 2.  Change the VM's settings and/or applications, as desired. Note that currently Qubes supports exactly one DispVM template, so any changes you make here will affect all DispVMs. Some examples of changes you may want to make include:
     -   Changing Firefox's default startup settings and homepage.
     -   Changing Nautilus' default file preview settings.
-    -   Changing the DispVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DispVM, you can choose your desired ProxyVM manually (by changing the newly-started DispVMs settings). This is useful if you sometimes wish to use a DispVM with a TorVM, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DispVM.
+    -   Changing the DispVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DispVM, you can choose your desired ProxyVM manually (by changing the newly-started DispVM's settings). This is useful if you sometimes wish to use a DispVM with a TorVM, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DispVM.
 
 3.  Create an empty `/home/user/.qubes-dispvm-customized` file in the VM (not in dom0):
 
diff --git a/customization/fedora-minimal-template-customization.md b/customization/fedora-minimal-template-customization.md
index 94f05e1b..f8a7cb90 100644
--- a/customization/fedora-minimal-template-customization.md
+++ b/customization/fedora-minimal-template-customization.md
@@ -17,7 +17,7 @@ Template installation
 
 *Note*: the template may not start in Qubes R3 when using kernel 3.19 (unstable). In this case, switch the AppVM or TemplateVM to the kernel 3.18.
 
-*Note*: If you have doubts about a set of tools or package you want to install, start installing and testing it in an AppVM. You can then reproduce it later in your TemplateVM if you are satisfied. That is the (QubesOS?) template philosophy.
+*Note*: If you have doubts about a set of tools or package you want to install, start installing and testing it in an AppVM. You can then reproduce it later in your TemplateVM if you are satisfied. That is the (Qubes OS?) template philosophy.
 
 Standard tools installation
 ================
@@ -176,7 +176,7 @@ Cleaning the whole dconf settings is also possible by removing the following fil
 rm ~/.config/dconf/user
 ~~~
 
-*Note*: lxappearance only has an effect on gtk3 theme so it won't work to change gtk2 themes (used by Firefox, Thunderbird ...).
+*Note*: lxappearance only has an effect on gtk3 themes so it won't work to change gtk2 themes (used by Firefox, Thunderbird ...).
              However, it is very lightweight and can be used to identify the name and look of themes you are interested in.
              Once you have the name, you can apply it using gsetting command line or gconf-editor.
 
diff --git a/customization/windows-template-customization.md b/customization/windows-template-customization.md
index 1503b063..ecaffa23 100644
--- a/customization/windows-template-customization.md
+++ b/customization/windows-template-customization.md
@@ -62,10 +62,10 @@ Of course I recommend starting the template regularly and checking manually for
 System properties
 ---------------------------
 
-Right click on computer and go to Properties > Advanced > Performances:
+Right click on computer and go to Properties > Advanced > Performance:
 
  * If you don't care about visual effect, in Visual Effect select "Adjust for best performance"
- * I personally tweak the page file size to win some space on my root.
+ * I personally tweak the page file size to gain some space on my root.
 
     In Advanced>Performances>Advanced tab, change Virtual memory:
 
diff --git a/debugging/vm-interface.md b/debugging/vm-interface.md
index 507909db..106eefc9 100644
--- a/debugging/vm-interface.md
+++ b/debugging/vm-interface.md
@@ -199,7 +199,7 @@ abstraction. This will change in the future. Those tools are:
 - `gpk-update-viewer` - called by Qubes Manager to display available updates in a TemplateVM
 - `systemctl start qubes-update-check.timer` (and similarly stop) - called when enabling/disabling updates checking in given VM (`qubes-update-check` [qvm-service](/doc/qubes-service/))
 
-Additionally automatic tests extensively call various commands directly in VMs. We do not plan to change that.
+Additionally, automatic tests extensively run various commands directly in VMs. We do not plan to change that.
 
 GUI protocol
 ------------
diff --git a/installing/upgrade/upgrade-to-r3.0.md b/installing/upgrade/upgrade-to-r3.0.md
index 341eaba6..bc43ba2f 100644
--- a/installing/upgrade/upgrade-to-r3.0.md
+++ b/installing/upgrade/upgrade-to-r3.0.md
@@ -100,7 +100,7 @@ Now, when you have dom0 upgraded, you can install new templates from Qubes R3.0
 Upgrading template on already upgraded dom0
 -------------------------------------------
 
-If for some reason you did not upgrade all the templates and standalone VMs before upgrading dom0, you can still do this, but it will be somewhat more complicated. This can be the case when you restore backup done on Qubes R2.
+If for some reason you did not upgrade all the templates and standalone VMs before upgrading dom0, you can still do this, but it will be more complicated. This can be the case when you restore backup done on Qubes R2.
 
 When you start R2 template/standalone VM on R3.0, there will be some limitations:
 
diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md
index d7ac945b..423eeea1 100644
--- a/managing-os/templates/archlinux.md
+++ b/managing-os/templates/archlinux.md
@@ -82,9 +82,9 @@ The two lines that have just been added to /etc/pacman.conf should then be remov
 
 ### Package cannot be updated because of errors related to xorg-server or pulseaudio versions
 
-In the case of archlinux upgrade pulseaudio major version or xorg-server version, updating these packages will break the qubes GUI agent. To avoid breaking things, the update is blocked until a new version of the GUI agent is available.
+Upgrading pulseaudio or xorg-server to a newer major version will break the Qubes GUI agent. Avoid upgrading these packages until such time that a future version of the GUI agent addresses this issue.
 
-In this case, the gui-agent-linux component of Qubes-OS needs to be rebuilt using these last xorg-server or pulseaudio libraries. You can try to rebuild it yourself or wait for a new qubes-vm-gui package to be available.
+Specifically, the gui-agent-linux component of Qubes-OS needs to be rebuilt using these last xorg-server or pulseaudio libraries. You can try to rebuild it yourself or wait for a new qubes-vm-gui package to be available.
 
 ### qubes-vm is apparently starting properly (green dot) however graphical applications do not appear to work
 
diff --git a/managing-os/windows/windows-appvms.md b/managing-os/windows/windows-appvms.md
index bb1bbf4e..98f1c1f5 100644
--- a/managing-os/windows/windows-appvms.md
+++ b/managing-os/windows/windows-appvms.md
@@ -102,7 +102,7 @@ Also, the inter-VM services work as usual -- e.g. to request opening a document
 [user@work ~]$ qvm-open-in-vm work-win7 https://invisiblethingslab.com
 ~~~
 
-... just like in the case of Linux AppVMs. Of course all those operations are governed by central policy engine running in Dom0 -- if the policy doesn't contain explicit rules for the source and/or target AppVM, the user will be asked for decision whether to allow or deny the operation.
+... just like in the case of Linux AppVMs. Of course all those operations are governed by central policy engine running in Dom0 -- if the policy doesn't contain explicit rules for the source and/or target AppVM, the user will be asked whether to allow or deny the operation.
 
 Inter-VM file copy and clipboard works for Windows AppVMs the same way as for Linux AppVM (except that we don't provide a command line wrapper, `qvm-copy-to-vm` in Windows VMs) -- to copy files from Windows AppVMs just right-click on the file in Explorer, and choose: Send To-\> Other AppVM.
 
diff --git a/reference/glossary.md b/reference/glossary.md
index 214662b2..817c7190 100644
--- a/reference/glossary.md
+++ b/reference/glossary.md
@@ -32,7 +32,7 @@ A user-friendly term for a [VM](#vm) in Qubes OS.
 
  * "Qube" is an informal term intended to make it easier for less technical users to understand Qubes OS and learn how to use it. In technical discussions, the other, more precise terms defined on this page are to be preferred.
 
- * The term "qube" should be lowercase unless it is the first word in a sentence. Note that starting a sentence with the plural of "qube" (i.e., "Qubes...") can be ambiguous, since it may not be clear whether the reference is a collection of qubes or [Qubes OS](#qubes-os).
+ * The term "qube" should be lowercase unless it is the first word in a sentence. Note that starting a sentence with the plural of "qube" (i.e., "Qubes...") can be ambiguous, since it may not be clear whether the referent is a collection of qubes or [Qubes OS](#qubes-os).
 
 Domain
 ------
diff --git a/releases/1.0/release-notes.md b/releases/1.0/release-notes.md
index 7743684b..71421512 100644
--- a/releases/1.0/release-notes.md
+++ b/releases/1.0/release-notes.md
@@ -16,7 +16,7 @@ Known issues
 
 -   Installer might not support some USB keyboards (\#230). This seems to include all the Mac Book keyboards (most PC laptops have PS2 keyboards and are not affected).
 
--   If you don't enable Composition (System Setting -\> Desktop -\> Enable desktop effects), which you really should do, then the KDE task bar might get somewhat ugly (e.g. half of it might be black). This is some KDE bug that we don't plan to fix.
+-   If you don't enable Composition (System Setting -\> Desktop -\> Enable desktop effects), which you really should do, then the KDE task bar might get ugly (e.g. half of it might be black). This is some KDE bug that we don't plan to fix.
 
 -   Some keyboard layout set by KDE System Settings can cause [keyboard not working at all](https://groups.google.com/group/qubes-devel/browse_thread/thread/77d076b65dda7226). If you hit this issue, you can switch to console (by console login option) and manually edit `/etc/X11/xorg.conf.d/00-system-setup-keyboard.conf` (and `/etc/sysconfig/keyboard`) and place correct keyboard layout settings (details in linked thread). You can check if specific keyboard layout settings are proper using `setxkbmap` tool.
 
diff --git a/security-info/security-pack.md b/security-info/security-pack.md
index 390f4a36..00cd2d40 100644
--- a/security-info/security-pack.md
+++ b/security-info/security-pack.md
@@ -95,7 +95,7 @@ to the Qubes mailing lists:
     very soon, the possibility of having to disclose any of the Qubes
     signing keys to anybody might have pretty serious consequences for those
     who decided to entrust Qubes with anything serious. And we would like to
-    somewhat minimize these consequences with this canary thing.
+    minimize these consequences with this canary thing.
     
     Additionally the canary is a nice way of ensuring "freshness" of our
     messaging to the community.
diff --git a/security/yubi-key.md b/security/yubi-key.md
index 1bba22ba..e3541218 100644
--- a/security/yubi-key.md
+++ b/security/yubi-key.md
@@ -23,19 +23,19 @@ This can be configured using
 package. This package does not support sharing the same key slot with other
 applications (it will deny further authentications if you try).
 
-Contrary to instruction there, currently there is no binary packages in Qubes
+Contrary to instruction there, currently there is no binary package in the Qubes
 repository and you need to compile it yourself. This might change in the future.
 
 Challenge-response mode
 ----------------------
 
-In this mode, your YubiKey will generate response based on secret key, and
+In this mode, your YubiKey will generate a response based on the secret key, and
 random challenge (instead of counter). This means that it isn't possible to
-generate response in advance even if someone gets access to your YubiKey. This
+generate a response in advance even if someone gets access to your YubiKey. This
 makes it reasonably safe to use the same YubiKey for other services (also in
 challenge-response mode).
 
-Same as in OTP case, you will need to set up your YubiKey, choose separate
+Same as in the OTP case, you will need to set up your YubiKey, choose a separate
 password (other than your login password!) and apply the configuration.
 
 To use this mode you need to:
@@ -43,7 +43,7 @@ To use this mode you need to:
 1. Configure your YubiKey for challenge-response HMAC-SHA1 mode, for example
    [following this
    tutorial](https://www.yubico.com/products/services-software/personalization-tools/challenge-response/)
-2. Install `ykpers` package in template on which your USB VM is based.
+2. Install the `ykpers` package in template on which your USB VM is based.
 3. Create `/usr/local/bin/yubikey-auth` script:
 
        #!/bin/sh
@@ -99,9 +99,9 @@ where no one can snoop your password.
 Locking the screen when YubiKey is removed
 ------------------------------------------
 
-You can setup your system to automatically lock the screen when you unplug
+You can setup your system to automatically lock the screen when you unplug your
 YubiKey. This will require creating a simple qrexec service which will expose
-the ability to lock the screen to your USB VM, and then adding udev hook to
+the ability to lock the screen to your USB VM, and then adding a udev hook to
 actually call that service.
 
 1. First configure the qrexec service. Create `/etc/qubes-rpc/custom.LockScreen` (in dom0)
@@ -116,8 +116,8 @@ would require creating `/etc/qubes-rpc/policy/custom.LockScreen` with:
         sys-usb dom0 allow
 
 3. Create udev hook in your USB VM. Store it in `/rw/config` to have it
-persistent across VM restarts. For example name the file
-`/rw/config/yubikey.rules`. Write there a single line:
+persis across VM restarts. For example name the file
+`/rw/config/yubikey.rules`. Add the following line:
 
         ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_SECURITY_TOKEN}=="1", RUN+="/usr/bin/qrexec-client-vm dom0 custom.LockScreen"
 
diff --git a/services/dvm-impl.md b/services/dvm-impl.md
index 659073af..dad75ac9 100644
--- a/services/dvm-impl.md
+++ b/services/dvm-impl.md
@@ -14,34 +14,34 @@ DisposableVM implementation in Qubes
 DisposableVM image preparation
 ------------------------------
 
-DisposableVM is not started like other VMs, by executing equivalent of *xl create* - it would be too slow. Instead, DisposableVM are started by restore from a savefile.
+DisposableVM is not started like other VMs, by executing equivalent of `xl create` - it would be too slow. Instead, DisposableVM are started by restore from a savefile.
 
-Preparing a savefile is done by */usr/lib/qubes/qubes\_prepare\_saved\_domain.sh* script. It takes two mandatory arguments, appvm name (APPVM) and the savefile name, and optional path to "prerun" script. The script executes the following steps:
+Preparing a savefile is done by `/usr/lib/qubes/qubes\_prepare\_saved\_domain.sh` script. It takes two mandatory arguments, appvm name (APPVM) and the savefile name, and optional path to "prerun" script. The script executes the following steps:
 
-1.  APPVM is started by *qvm-start*
+1.  APPVM is started by `qvm-start`
 2.  xenstore key `/local/domain/appvm_domain_id/qubes_save_request` is created
 3.  if prerun script was specified, copy it to `qubes_save_script` xenstore key
 4.  wait for the `qubes_used_mem` key to appear
-5.  (in APPVM) APPVM boots normally, up to the point in */etc/init.d/qubes\_core* script when the presence of `qubes_save_request` key is tested. If it exists, then
+5.  (in APPVM) APPVM boots normally, up to the point in `/etc/init.d/qubes\_core` script when the presence of `qubes_save_request` key is tested. If it exists, then
     1.  (in APPVM) if exists, prerun script is retrieved from the respective xenstore key and executed. This preloads filesystem cache with useful applications, so that they will start faster.
     2.  (in APPVM) the amount of used memory is stored to `qubes_used_mem` xenstore key
     3.  (in APPVM) busy-waiting for `qubes_restore_complete` xenstore key to appear
 
 6.  when `qubes_used_mem` key appears, the domain memory is reduced to this amount, to make the savefile smaller.
 7.  APPVM private image is detached
-8.  the domain is saved via *xl save*
+8.  the domain is saved via `xl save`
 9.  the COW file volatile.img (cow for root fs and swap) is packed to `saved_cows.tar` archive
 
-*qubes\_prepare\_saved\_domain.sh* script is somewhat lowlevel. It is usually called by *qvm-create-default-dvm* script, that takes care of creating a special AppVM (named template\_name-dvm) to be passed to *qubes\_prepare\_saved\_domain.sh*, as well as copying the savefile to /dev/shm (the latter action is not done if the `/var/lib/qubes/dvmdata/dont_use_shm` file exists).
+The `qubes\_prepare\_saved\_domain.sh` script is lowlevel. It is usually called by `qvm-create-default-dvm` script, that takes care of creating a special AppVM (named template\_name-dvm) to be passed to `qubes\_prepare\_saved\_domain.sh`, as well as copying the savefile to /dev/shm (the latter action is not done if the `/var/lib/qubes/dvmdata/dont_use_shm` file exists).
 
 Restoring a DisposableVM from the savefile
 ------------------------------------------
 
-Normally, disposable VM is created when qubes rpc request with target *\$dispvm* is received. Then, as a part of rpc connection setup, the *qfile-daemon-dvm* program is executed; it executes */usr/lib/qubes/qubes\_restore* program. It is crucial that this program executes quickly, to make DisposableVM creation overhead bearable for the user. Its main steps are:
+Normally, disposable VM is created when qubes rpc request with target *\$dispvm* is received. Then, as a part of rpc connection setup, the `qfile-daemon-dvm` program is executed; it executes `/usr/lib/qubes/qubes\_restore` program. It is crucial that this program executes quickly, to make DisposableVM creation overhead bearable for the user. Its main steps are:
 
 1.  modify the savefile so that the VM name, VM UUID, MAC address and IP address are unique
 2.  restore the COW files from the `saved_cows.tar`
-3.  create the `/var/run/qubes/fast_block_attach` file, whose presence tells the */etc/xen/scripts/block* script to bypass some redundant checks and execute as fast as possible.
+3.  create the `/var/run/qubes/fast_block_attach` file, whose presence tells the `/etc/xen/scripts/block` script to bypass some redundant checks and execute as fast as possible.
 4.  execute "xl restore" in order to restore a domain.
 5.  create the same xenstore keys as normally created when AppVM boots (e.g. `qubes_ip`)
 6.  create the `qubes_restore_complete` xenstore key. This allows the boot process in DisposableVM to continue.
@@ -53,4 +53,4 @@ Validating the DisposableVM savefile
 
 DisposableVM savefile contains references to template rootfs and to COW files. The COW files are restored before each DisposableVM start, so they cannot change. On the other hand, if templateVM is started, the template rootfs will change, and it may not be coherent with the COW files.
 
-Therefore, the check for template rootfs modification time being older than DisposableVM savefile modification time is required. It is done in *qfilexchgd* daemon, just before restoring DisposableVM. If necessary, an attempt is made to recreate the DisposableVM savefile, using the last template used (or default template, if run for the first time) and the default prerun script, residing at */var/lib/qubes/vm-templates/templatename/dispvm\_prerun.sh*. Unfortunately, the prerun script takes a lot of time to execute - therefore, after template rootfs modification, the next DisposableVM creation can be longer by about 2.5 minutes.
+Therefore, the check for template rootfs modification time being older than DisposableVM savefile modification time is required. It is done in `qfilexchgd` daemon, just before restoring DisposableVM. If necessary, an attempt is made to recreate the DisposableVM savefile, using the last template used (or default template, if run for the first time) and the default prerun script, residing at `/var/lib/qubes/vm-templates/templatename/dispvm\_prerun.sh`. Unfortunately, the prerun script takes a lot of time to execute - therefore, after template rootfs modification, the next DisposableVM creation can be longer by about 2.5 minutes.
diff --git a/system/gui.md b/system/gui.md
index dadfa01a..ed100843 100644
--- a/system/gui.md
+++ b/system/gui.md
@@ -71,7 +71,7 @@ To sum up, this solution has the following benefits:
 Security markers on dom0 windows
 --------------------------------
 
-It is important that user knows which AppVM a given window belongs to. This prevents a rogue AppVM from painting a window pretending to belong to other AppVM or dom0 and trying to steal, for example, passwords.
+It is important that the user knows which AppVM a given window belongs to. This prevents a rogue AppVM from painting a window pretending to belong to other AppVM or dom0 and trying to steal, for example, passwords.
 
 In Qubes, a custom window decorator is used that paints a colourful frame (the colour is determined during AppVM creation) around decorated windows. Additionally, the window title always starts with **[name of the AppVM]**. If a window has an *override_redirect* attribute, meaning that it should not be treated by a window manager (typical case is menu windows), *qubes_guid* draws a two-pixel colourful frame around it manually.
 
@@ -82,10 +82,10 @@ Certainly, it would be insecure to allow AppVM to read/write the clipboards of o
 Therefore, the following mechanism is used:
 
 -   there is a "qubes clipboard" in dom0 - its contents are stored in a regular file in dom0.
--   if user wants to copy local AppVM clipboard to qubes clipboard, she must focus on any window belonging to this AppVM, and press **Ctrl-Shift-C**. This combination is trapped by *qubes-guid*, and `CLIPBOARD_REQ` message is sent to AppVM. *qubes-gui* responds with *CLIPBOARD_DATA* message followed by clipboard contents.
--   user focuses on other AppVM window, presses **Ctrl-Shift-V**. This combination is trapped by *qubes-guid*, and `CLIPBOARD_DATA` message followed by qubes clipboard contents is sent to AppVM; *qubes_gui* copies data to the local clipboard, and then user can paste its contents to local applications normally.
+-   if the user wants to copy local AppVM clipboard to qubes clipboard, she must focus on any window belonging to this AppVM, and press **Ctrl-Shift-C**. This combination is trapped by *qubes-guid*, and `CLIPBOARD_REQ` message is sent to AppVM. *qubes-gui* responds with *CLIPBOARD_DATA* message followed by clipboard contents.
+-   the user focuses on other AppVM window, presses **Ctrl-Shift-V**. This combination is trapped by *qubes-guid*, and `CLIPBOARD_DATA` message followed by qubes clipboard contents is sent to AppVM; *qubes_gui* copies data to the local clipboard, and then user can paste its contents to local applications normally.
 
-This way, user can quickly copy clipboards between AppVMs. 
+This way, the user can quickly copy clipboards between AppVMs. 
 This action is fully controlled by the user, it cannot be triggered/forced by any AppVM.
 
 *qubes_gui* and *qubes_guid* code notes
diff --git a/troubleshooting/install-nvidia-driver.md b/troubleshooting/install-nvidia-driver.md
index cc287745..8ad37c17 100644
--- a/troubleshooting/install-nvidia-driver.md
+++ b/troubleshooting/install-nvidia-driver.md
@@ -152,7 +152,7 @@ Specifically, the notes below are aimed to help when the GRUB menu shows up fine
    * Exit out of the chroot environment (`exit` or CTRL-D)
 6. Reboot
 
-*Note* If the kernel parameters do *not* include `quiet` and `rhgb`, the kernel messages can easily obscure the LUKS passphrase prompt. Additionally, each character entered will cause the LUKS passphrase prompt to repeat onto next line. Both of these are cosmetic. The trade-off between kernel messages and the easy-to-spot LUKS passphrase prompt is left as exercise to the user.
+*Note* If the kernel parameters do *not* include `quiet` and `rhgb`, the kernel messages can easily obscure the LUKS passphrase prompt. Additionally, each character entered will cause the LUKS passphrase prompt to repeat onto next line. Both of these are cosmetic. The trade-off between kernel messages and the easy-to-spot LUKS passphrase prompt is left as an exercise to the user.
 
 ## Gather initial `dmesg` output
 If all is well, the newly-installed Qubes OS instance should allow for user root to log in. 
diff --git a/troubleshooting/out-of-memory.md b/troubleshooting/out-of-memory.md
index 9021512b..ee2d2fb0 100644
--- a/troubleshooting/out-of-memory.md
+++ b/troubleshooting/out-of-memory.md
@@ -35,7 +35,7 @@ sudo yum clean all
 qvm-remove <VMname>
 ~~~
 
-With this method you lose the data of one VM, but it'll more reliably work.
+With this method you lose the data of one VM, but it'll work more reliably.
 
 1.  Decrease filesystem safety margin (5% by default):
 
@@ -43,5 +43,5 @@ With this method you lose the data of one VM, but it'll more reliably work.
 sudo tune2fs -m 4 /dev/mapper/vg_dom0-lv_root
 ~~~
 
-1.  Remove some unneeded files in dom0 home (if you have any, most likely no).
+1.  Remove some unneeded files in dom0 home (if you have any, most likely not).
 

From f3953c147405c668eddc0792d1b63df49d4be2e6 Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Thu, 25 May 2017 16:53:05 +1000
Subject: [PATCH 005/103] More typo/grammar/re-wording from @jpouellet's review

---
 common-tasks/tips-and-tricks.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/common-tasks/tips-and-tricks.md b/common-tasks/tips-and-tricks.md
index 4b244f3e..23b721c8 100644
--- a/common-tasks/tips-and-tricks.md
+++ b/common-tasks/tips-and-tricks.md
@@ -46,9 +46,9 @@ Preventing data leaks
 ---------------------
 First make sure to read [Understanding and Preventing Data Leaks](/doc/data-leaks/) section to understand the limits of this tip.
 
-Suppose that you have within a not so trusted enviroment - for example, a Windows VM - an application that track and report its usage, or you simply want to protect your data.
+Suppose that you have within a not so trusted enviroment - for example, a Windows VM - an application that tracks and reports its usage, or you simply want to protect your data.
 
-Start Windows template VM (which has no user data), install/upgrade apps; then start Windows AppVM (with data) in offline mode. So, if you worry (hypothetically) that your Windows or app updater might want to send your data away, this Qubes OS trick will prevent this.
+Start the Windows TemplateVM (which has no user data), install/upgrade apps; then start Windows AppVM (with data) in offline mode. So, if you worry (hypothetically) that your Windows or app updater might want to send your data away, this Qubes OS trick will prevent this.
 This applies also to any TemplateBasedVM relative to its parent TemplateVM, but the privacy risk is especially high in the case of Windows.
 
 Credit: [Joanna Rutkovska](https://twitter.com/rootkovska/status/832571372085850112)

From 585884365cf40ee36d3a69b2d6477610122fdc1c Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Thu, 25 May 2017 16:55:35 +1000
Subject: [PATCH 006/103] reinstate USB link removed accidentally

---
 configuration/assigning-devices.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configuration/assigning-devices.md b/configuration/assigning-devices.md
index 2998b9b6..e0518b72 100644
--- a/configuration/assigning-devices.md
+++ b/configuration/assigning-devices.md
@@ -58,7 +58,7 @@ list of available devices, which you can select to be assigned to that VM.
 Finding the right USB controller
 --------------------------------
 
-If you want to assign a certain USB device to a VM by attaching the whole
+If you want to assign a certain [USB] device to a VM by attaching the whole
 USB controller, you need to figure out which PCI device is the right
 controller. First, check to which USB bus the device is connected:
 

From ffa81770a75ff30f5fb04ef2f64713b2356553bf Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Thu, 25 May 2017 17:10:11 +1000
Subject: [PATCH 007/103] reinstate 'somehow'

---
 security-info/security-pack.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security-info/security-pack.md b/security-info/security-pack.md
index 00cd2d40..e6d34238 100644
--- a/security-info/security-pack.md
+++ b/security-info/security-pack.md
@@ -95,7 +95,7 @@ to the Qubes mailing lists:
     very soon, the possibility of having to disclose any of the Qubes
     signing keys to anybody might have pretty serious consequences for those
     who decided to entrust Qubes with anything serious. And we would like to
-    minimize these consequences with this canary thing.
+    somehow minimize these consequences with this canary thing.
     
     Additionally the canary is a nice way of ensuring "freshness" of our
     messaging to the community.

From 3ab0832ba73f2a0ed7335ccb179f1e969416c919 Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Thu, 25 May 2017 17:14:49 +1000
Subject: [PATCH 008/103] fix my own spelling mistake...

---
 security/yubi-key.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/yubi-key.md b/security/yubi-key.md
index e3541218..d5b3a946 100644
--- a/security/yubi-key.md
+++ b/security/yubi-key.md
@@ -116,7 +116,7 @@ would require creating `/etc/qubes-rpc/policy/custom.LockScreen` with:
         sys-usb dom0 allow
 
 3. Create udev hook in your USB VM. Store it in `/rw/config` to have it
-persis across VM restarts. For example name the file
+persist across VM restarts. For example name the file
 `/rw/config/yubikey.rules`. Add the following line:
 
         ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_SECURITY_TOKEN}=="1", RUN+="/usr/bin/qrexec-client-vm dom0 custom.LockScreen"

From 013aa5083c92be3a32f612453155b277dfb24005 Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Thu, 25 May 2017 17:16:38 +1000
Subject: [PATCH 009/103] underscores do not need to be backslash-escaped
 inside backticks

---
 services/dvm-impl.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/services/dvm-impl.md b/services/dvm-impl.md
index dad75ac9..dbb38af1 100644
--- a/services/dvm-impl.md
+++ b/services/dvm-impl.md
@@ -16,13 +16,13 @@ DisposableVM image preparation
 
 DisposableVM is not started like other VMs, by executing equivalent of `xl create` - it would be too slow. Instead, DisposableVM are started by restore from a savefile.
 
-Preparing a savefile is done by `/usr/lib/qubes/qubes\_prepare\_saved\_domain.sh` script. It takes two mandatory arguments, appvm name (APPVM) and the savefile name, and optional path to "prerun" script. The script executes the following steps:
+Preparing a savefile is done by `/usr/lib/qubes/qubes_prepare_saved_domain.sh` script. It takes two mandatory arguments, appvm name (APPVM) and the savefile name, and optional path to "prerun" script. The script executes the following steps:
 
 1.  APPVM is started by `qvm-start`
 2.  xenstore key `/local/domain/appvm_domain_id/qubes_save_request` is created
 3.  if prerun script was specified, copy it to `qubes_save_script` xenstore key
 4.  wait for the `qubes_used_mem` key to appear
-5.  (in APPVM) APPVM boots normally, up to the point in `/etc/init.d/qubes\_core` script when the presence of `qubes_save_request` key is tested. If it exists, then
+5.  (in APPVM) APPVM boots normally, up to the point in `/etc/init.d/qubes_core` script when the presence of `qubes_save_request` key is tested. If it exists, then
     1.  (in APPVM) if exists, prerun script is retrieved from the respective xenstore key and executed. This preloads filesystem cache with useful applications, so that they will start faster.
     2.  (in APPVM) the amount of used memory is stored to `qubes_used_mem` xenstore key
     3.  (in APPVM) busy-waiting for `qubes_restore_complete` xenstore key to appear
@@ -32,12 +32,12 @@ Preparing a savefile is done by `/usr/lib/qubes/qubes\_prepare\_saved\_domain.sh
 8.  the domain is saved via `xl save`
 9.  the COW file volatile.img (cow for root fs and swap) is packed to `saved_cows.tar` archive
 
-The `qubes\_prepare\_saved\_domain.sh` script is lowlevel. It is usually called by `qvm-create-default-dvm` script, that takes care of creating a special AppVM (named template\_name-dvm) to be passed to `qubes\_prepare\_saved\_domain.sh`, as well as copying the savefile to /dev/shm (the latter action is not done if the `/var/lib/qubes/dvmdata/dont_use_shm` file exists).
+The `qubes_prepare_saved_domain.sh` script is lowlevel. It is usually called by `qvm-create-default-dvm` script, that takes care of creating a special AppVM (named template\_name-dvm) to be passed to `qubes_prepare_saved_domain.sh`, as well as copying the savefile to /dev/shm (the latter action is not done if the `/var/lib/qubes/dvmdata/dont_use_shm` file exists).
 
 Restoring a DisposableVM from the savefile
 ------------------------------------------
 
-Normally, disposable VM is created when qubes rpc request with target *\$dispvm* is received. Then, as a part of rpc connection setup, the `qfile-daemon-dvm` program is executed; it executes `/usr/lib/qubes/qubes\_restore` program. It is crucial that this program executes quickly, to make DisposableVM creation overhead bearable for the user. Its main steps are:
+Normally, disposable VM is created when qubes rpc request with target *\$dispvm* is received. Then, as a part of rpc connection setup, the `qfile-daemon-dvm` program is executed; it executes `/usr/lib/qubes/qubes_restore` program. It is crucial that this program executes quickly, to make DisposableVM creation overhead bearable for the user. Its main steps are:
 
 1.  modify the savefile so that the VM name, VM UUID, MAC address and IP address are unique
 2.  restore the COW files from the `saved_cows.tar`
@@ -53,4 +53,4 @@ Validating the DisposableVM savefile
 
 DisposableVM savefile contains references to template rootfs and to COW files. The COW files are restored before each DisposableVM start, so they cannot change. On the other hand, if templateVM is started, the template rootfs will change, and it may not be coherent with the COW files.
 
-Therefore, the check for template rootfs modification time being older than DisposableVM savefile modification time is required. It is done in `qfilexchgd` daemon, just before restoring DisposableVM. If necessary, an attempt is made to recreate the DisposableVM savefile, using the last template used (or default template, if run for the first time) and the default prerun script, residing at `/var/lib/qubes/vm-templates/templatename/dispvm\_prerun.sh`. Unfortunately, the prerun script takes a lot of time to execute - therefore, after template rootfs modification, the next DisposableVM creation can be longer by about 2.5 minutes.
+Therefore, the check for template rootfs modification time being older than DisposableVM savefile modification time is required. It is done in `qfilexchgd` daemon, just before restoring DisposableVM. If necessary, an attempt is made to recreate the DisposableVM savefile, using the last template used (or default template, if run for the first time) and the default prerun script, residing at `/var/lib/qubes/vm-templates/templatename/dispvm_prerun.sh`. Unfortunately, the prerun script takes a lot of time to execute - therefore, after template rootfs modification, the next DisposableVM creation can be longer by about 2.5 minutes.

From 15388d2d615e76ddef44aa403a68e6b9ed1341f7 Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Thu, 25 May 2017 17:50:45 +1000
Subject: [PATCH 010/103] reinstate coding style variable line. Fix outlier
 command formatting in DisposableVM doc

---
 basics_dev/coding-style.md | 2 ++
 services/dvm-impl.md       | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/basics_dev/coding-style.md b/basics_dev/coding-style.md
index 82d635f5..4e9640ff 100644
--- a/basics_dev/coding-style.md
+++ b/basics_dev/coding-style.md
@@ -165,6 +165,8 @@ Security coding guidelines
        height = untrusted_conf.height;
     ~~~
 
+-   Use others variables, without the `untrusted_` prefix to hold the sanitized values, as shown above.
+
 Python-specific guidelines
 --------------------------
 
diff --git a/services/dvm-impl.md b/services/dvm-impl.md
index dbb38af1..246580a6 100644
--- a/services/dvm-impl.md
+++ b/services/dvm-impl.md
@@ -42,7 +42,7 @@ Normally, disposable VM is created when qubes rpc request with target *\$dispvm*
 1.  modify the savefile so that the VM name, VM UUID, MAC address and IP address are unique
 2.  restore the COW files from the `saved_cows.tar`
 3.  create the `/var/run/qubes/fast_block_attach` file, whose presence tells the `/etc/xen/scripts/block` script to bypass some redundant checks and execute as fast as possible.
-4.  execute "xl restore" in order to restore a domain.
+4.  execute `xl restore` in order to restore a domain.
 5.  create the same xenstore keys as normally created when AppVM boots (e.g. `qubes_ip`)
 6.  create the `qubes_restore_complete` xenstore key. This allows the boot process in DisposableVM to continue.
 

From d9b40c652d8cd064d6293178e9af3f66b587baa2 Mon Sep 17 00:00:00 2001
From: Yethal <grzegorz.chodzicki@gmail.com>
Date: Wed, 30 Aug 2017 20:48:02 +0200
Subject: [PATCH 011/103] fixed path where .desktop files are kept

---
 customization/dispvm-customization.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/customization/dispvm-customization.md b/customization/dispvm-customization.md
index f99fe932..0212493f 100644
--- a/customization/dispvm-customization.md
+++ b/customization/dispvm-customization.md
@@ -72,7 +72,7 @@ It is possible to change the settings of each new Disposable VM (DispVM). This c
 Adding arbitrary programs to Disposable VM Application Menu
 -----------------------------------------------------------
 
-For added convenience, arbitrary programs can be added to the Application Menu of the Disposable VM. In order to do that create (e.g.) `arbitrary.desktop` file in `/usr/share/applications` in Dom0. That file will point to the desired program. Use the following template for the file:
+For added convenience, arbitrary programs can be added to the Application Menu of the Disposable VM. In order to do that create (e.g.) `arbitrary.desktop` file in `/usr/local/share/applications` in Dom0. That file will point to the desired program. Use the following template for the file:
 
     [Desktop Entry]
     Version=1.0

From d26d47c93e0995b86ddc47d60bc4b27a413816ba Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sun, 28 Jan 2018 14:35:59 +0000
Subject: [PATCH 012/103] 4.0 updates for software-update-vm

From info in https://github.com/QubesOS/qubes-issues/issues/3495
---
 common-tasks/software-update-vm.md | 52 +++++++++++++++++++++++-------
 1 file changed, 41 insertions(+), 11 deletions(-)

diff --git a/common-tasks/software-update-vm.md b/common-tasks/software-update-vm.md
index 2feab516..6182ff51 100644
--- a/common-tasks/software-update-vm.md
+++ b/common-tasks/software-update-vm.md
@@ -82,7 +82,8 @@ To enable or disable any of these repos permanently, uncomment the corresponding
 Reverting changes to a TemplateVM (R4.0)
 ---------------------------------
 
-TBD- Qubes 4.0 uses a CoW system that permits snapshotting. To revert changes, one would...
+Qubes 4.0 uses a CoW system that permits snapshotting. Reversion functionality is still being developed at the
+time of writing. See [issue #3256](https://github.com/QubesOS/qubes-issues/issues/3256) for details.
 
 Reverting changes to a TemplateVM (R3.2)
 ---------------------------------
@@ -179,34 +180,63 @@ Temporarily allowing networking for software installation
 
 Some third-party applications cannot be installed using the standard yum repositories, and need to be manually downloaded and installed. When the installation requires internet connection to access third-party repositories, it will naturally fail when run in a Template VM because the default firewall rules for templates only allow connections to standard yum repositories. So it is necessary to modify firewall rules to allow less restrictive internet access for the time of the installation, if one really wants to install those applications into a template. As soon as software installation is completed, firewall rules should be returned back to the default state. The user should decided by themselves whether such third-party applications should be equally trusted as the ones that come from the standard Fedora signed repositories and whether their installation will not compromise the default Template VM, and potentially consider installing them into a separate template or a standalone VM (in which case the problem of limited networking access doesn't apply by default), as described above.
 
-Updates proxy (some content applies only to versions earlier than R3.2)
+Updates proxy
 -------------
 
-Updates proxy is a service which filter http access to allow access to only something that looks like yum or apt repository. This is meant to mitigate user errors (like using browser in the template VM), rather than some real isolation. It is done with http proxy instead of simple firewall rules because it is hard to list all the repository mirrors (and keep that list up to date). The proxy is used only to filter the traffic, not to cache anything.
+Updates proxy is a service which filters http access to allow access to only something that looks like yum or apt repository. This is meant to mitigate user errors (like using a browser in the template VM), rather than some real isolation. It is done with an http proxy (tinyproxy) instead of simple firewall rules because it is hard to list all the repository mirrors (and keep that list up to date). The proxy is used only to filter the traffic, not to cache anything.
 
-The proxy is running in selected VMs (by default all the NetVMs (1)) and intercept traffic directed to 10.137.255.254:8082. Thanks to such configuration all the VMs can use the same proxy address, and if there is a proxy on network path, it will handle the traffic (of course when firewall rules allows that). If the VM is configured to have access to the updates proxy (2), the startup scripts will automatically configure dnf to really use the proxy (3). Also access to updates proxy is independent of any other firewall settings (VM will have access to updates proxy, even if policy is set to block all the traffic).
+There are two services ([qvm-service](https://www.qubes-os.org/doc/dom0-tools/qvm-service/), [service framework](https://www.qubes-os.org/doc/qubes-service/)):
 
-(1) Services tab -\> "qubes-yum-proxy" entry; check qvm-service manual for details
+1. qubes-updates-proxy (and its deprecated name: qubes-yum-proxy) - a service providing a proxy for templates - by default enabled in NetVMs (especially: sys-net)
+2. updates-proxy-setup (and its deprecated name: yum-proxy-setup) - use a proxy provided by another VM (instead of downloading updates directly), enabled by default in all templates
 
-(2) Firewall tab -\> Allow connections to Updates Proxy; this setting works immediately (once OK is clicked)
+This is generally the same in R3.2 and R4.0 - in both cases both the old and new names work. And in both cases defaults listed above are applied if the service is not explicitly listed in services tab.
 
-(3) Services tab -\> "yum-proxy-setup" entry; this setting works at next VM startup
+### Technical details (R4.0)
 
-### Technical details
+Instead of using a network connection like in R3.2, R4.0 uses RPC/qrexec. The proxy is configured in
+qrexec policy: /etc/qubes-rpc/policy/qubes.UpdatesProxy. By default this is set to
+sys-net and/or sys-whonix, depending on firstboot choices. This new design allows for templates to be
+updated even when they are not connected to any netvm.
 
-1.  Updates proxy: It is running as "qubes-yum-proxy" service. Startup script of this service setup firewall rule to intercept proxy traffic:
+Example policy file in R4.0 (with whonix installed, but not set as default updatevm for all templates):
+```
+# any VM with tag `whonix-updatevm` should use `sys-whonix`; this tag is added to `whonix-gw` and `whonix-ws` during installation and is preserved during template clone
+$tag:whonix-updatevm $default allow,target=sys-whonix
+$tag:whonix-updatevm $anyvm deny
+
+# other templates use sys-net
+$type:TemplateVM $default allow,target=sys-net
+$anyvm $anyvm deny
+```
+
+### Technical details (R3.2)
+
+The proxy is running in selected VMs (by default all the NetVMs). Thanks to such configuration all VMs
+can use the same proxy address, and if there is a proxy on network path, it will handle the traffic
+(of course when firewall rules allow that). The first proxy on the network path according to the template's
+netvm setting will be used. If the VM is configured to have access to the updates proxy (1),
+the startup scripts will automatically configure dnf to use the proxy. Also access to updates proxy is
+independent of any other firewall settings (VM will have access to updates proxy, even if the policy is
+set to block all the traffic).
+
+(1) Firewall tab -\> Allow connections to Updates Proxy; this setting works immediately (once OK is clicked)
+
+1.  Updates proxy: It is running as "qubes-updates-proxy" service. Startup script of this service sets up
+a firewall rule to intercept traffic directed to 10.137.255.254:8082:
 
     ~~~
     iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
     ~~~
 
-1.  VM using the proxy service Startup script (qubes-misc-post service) configure yum using /etc/yum.conf.d/qubes-proxy.conf file. It can either contain
+2.  VMs using the proxy service Startup script (updates-proxy-setup or qubes-misc-post service) configure
+dnf using /etc/yum.conf.d/qubes-proxy.conf file. It can either contain a
 
     ~~~
     proxy=http://10.137.255.254:8082/
     ~~~
 
-    line, or be empty. Note that this file is specifically included from main yum.conf, yum does not support real conf.d configuration style...
+    line, or be empty. Note that this file is specifically included from main yum.conf, dnf does not support real conf.d configuration style...
 
 Note on treating AppVM's root filesystem non-persistence as a security feature
 ------------------------------------------------------------------------------

From 53c88384fee160497a9d622e97b88c8732e8222e Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sun, 28 Jan 2018 19:02:24 +0000
Subject: [PATCH 013/103] Dispvm 4.0 updates

Sourced primarily from https://github.com/QubesOS/qubes-issues/issues/2253 and https://groups.google.com/forum/?_escaped_fragment_=topic/qubes-devel/UGh8NDdkrXo#!topic/qubes-devel/UGh8NDdkrXo
---
 common-tasks/dispvm.md | 40 +++++++++++++++++++++++++++++++++++-----
 1 file changed, 35 insertions(+), 5 deletions(-)

diff --git a/common-tasks/dispvm.md b/common-tasks/dispvm.md
index 3dc72eaa..edbd13c9 100644
--- a/common-tasks/dispvm.md
+++ b/common-tasks/dispvm.md
@@ -20,7 +20,31 @@ Once a DispVM has been created it will appear in Qubes VM Manager with the name
 
 See [this article](https://blog.invisiblethings.org/2010/06/01/disposable-vms.html) for more on why one would want to use a Disposable VM.
 
-Disposable VMs and Networking
+Disposable VMs and Networking (R4.0 and later)
+-----------------------------
+
+
+R4.0 introduces the concept of multiple disposable VM templates (R3.2 was limited to one).
+This allows for the creation of multiple differently configured disposable VMs that can be accessed from 
+the Applications menu (e.g. `fedora-XX-dvm`). Even more types of DispVMs can be created on-the-fly on a per AppVM basis.
+As you can see, this is a very flexible and powerful system for managing your Disposable VMs.
+
+NetVM and firewall rules for Disposable VMs can be set as they can for a normal VM. 
+By default a DispVM will inherit the NetVM and firewall settings of the DispVM Template from which it is built. 
+Thus if an AppVM uses sys-net as its NetVM, but the default system DispVM uses sys-whonix,
+any DispVM launched from this AppVM will have sys-whonix as its NetVM.
+The default system wide DispVM template can be changed with `qubes-prefs default_dispvm`.
+You can change this behaviour for individual VMs: in the Application Menu, open Qube Settings
+for the VM in question and go to the "Advanced" tab. 
+Here you can edit the "Default DispVM" setting to specify which DispVM template will be used to launch DispVMs from that VM.
+Disposable VMs will temporarily appear with the name `disp####`. 
+
+A Disposable VM launched from the Start Menu inherits the NetVM and firewall settings of the [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template) from which it is built. 
+By default the DVM template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM). 
+As an "internal" VM it is hidden in Qubes VM Manager, but can be shown by selecting "Show/Hide internal VMs". 
+Note that changing the "NetVM" setting for the DVM Template *does* affect the NetVM of DispVMs launched from the Start Menu.
+
+Disposable VMs and Networking (R3.2 and earlier)
 -----------------------------
 
 NetVM and firewall rules for Disposable VMs can be set as they can for a normal VM. 
@@ -49,7 +73,7 @@ Opening a fresh web browser instance in a new Disposable VM
 -----------------------------------------------------------
 
 Sometimes it is desirable to open an instance of Firefox within a new fresh Disposable VM. 
-This can be done easily using the Start Menu: just go to Start -\> System Tools -\> DispVM:Firefox web browser. 
+This can be done easily using the Start Menu: just go to **Application Menu -\> DisposableVM -\> DispVM:Firefox web browser**. 
 Wait a few seconds until a web browser starts. 
 Once you close the viewing application the whole Disposable VM will be destroyed. 
 
@@ -75,7 +99,7 @@ Sometimes it can be useful to start an arbitrary program in a DispVM. This can b
 [user@vault ~]$ qvm-run '$dispvm' xterm
 ~~~
 
-The created Disposable VM can be accessed via other tools (such as `qvm-copy-to-vm`) using its "dispX" name as shown in the Qubes Manager or `qvm-ls`.
+The created Disposable VM can be accessed via other tools (such as `qvm-copy-to-vm`) using its `disp####` name as shown in the Qubes Manager or `qvm-ls`.
 
 Starting an arbitrary application in a Disposable VM via command line (from Dom0)
 ---------------------------------------------------------------------------------
@@ -83,6 +107,12 @@ Starting an arbitrary application in a Disposable VM via command line (from Dom0
 The Start Menu has shortcuts for opening a terminal and a web browser in dedicated DispVMs, since these are very common tasks.
 However, it is possible to start an arbitrary application in a DispVM directly from Dom0 by running
 
+R4.0 (border colour will be inherited from that set in the `dispvm-template`)
+~~~
+[joanna@dom0 ~]$ qvm-run --dispvm=dispvm-template --service qubes.StartApp+xterm
+~~~
+
+R3.2 (border colour can be specified in the command)
 ~~~
 [joanna@dom0 ~]$ echo xterm | /usr/lib/qubes/qfile-daemon-dvm qubes.VMShell dom0 DEFAULT red
 ~~~
@@ -92,8 +122,8 @@ However, it is possible to start an arbitrary application in a DispVM directly f
 Customizing Disposable VMs
 --------------------------
 
-You can change the template used to generate the Disposable VM, and change settings used in the Disposable VM savefile. 
-These changes will be reflected in every new Disposable VM. 
+You can change the template used to generate the Disposable VMs, and change settings used in the Disposable VM savefile. 
+These changes will be reflected in every new Disposable VM spawned from that template. 
 Full instructions can be found [here](/doc/dispvm-customization/).
 
 Disposable VMs and Local Forensics

From 7b520d785b2f72faa4ac7c92ed6f062400b50edf Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Mon, 29 Jan 2018 13:16:29 +0000
Subject: [PATCH 014/103] managing-appvm-shortcuts 4.0 updates

added 4.0 appmenu location and qvm-run changes
---
 common-tasks/managing-appvm-shortcuts.md | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/common-tasks/managing-appvm-shortcuts.md b/common-tasks/managing-appvm-shortcuts.md
index e289ae79..1a4c971b 100644
--- a/common-tasks/managing-appvm-shortcuts.md
+++ b/common-tasks/managing-appvm-shortcuts.md
@@ -33,15 +33,27 @@ What about applications in DispVMs?
 Behind the scenes
 -----------------
 
-The list of installed applications for each AppVM is stored in dom0's `/var/lib/qubes/vm-templates/templatename/apps.templates` (or in case of StandaloneVM: `/var/lib/qubes/appvms/vmname/apps.templates`). Each menu entry is a file that follows the [.desktop file format](https://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html) with some wildcards (*%VMNAME%*, *%VMDIR%*). Applications selected to appear in the menu are stored in `/var/lib/qubes/appvms/vmname/apps`.
-
-Actual command lines for the menu shortcuts involve `qvm-run` command which starts a process in another domain. Examples: `qvm-run -q --tray -a w7s 'cmd.exe /c "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Calculator.lnk"'` or `qvm-run -q --tray -a untrusted 'firefox %u'`
-Note that you can create a shortcut that points to a .desktop file in your AppVM with e.g. `qvm-run -q --tray -a personal -- 'qubes-desktop-run /home/user/application.desktop'`
-
 `qvm-sync-appmenus` works by invoking *GetAppMenus* [Qubes service](/doc/qrexec/) in the target domain. This service enumerates installed applications and sends formatted info back to the dom0 script (`/usr/libexec/qubes-appmenus/qubes-receive-appmenus`) which creates .desktop files in the AppVM/TemplateVM directory.
 
 For Linux VMs the service script is in `/etc/qubes-rpc/qubes.GetAppMenus`. In Windows it's a PowerShell script located in `c:\Program Files\Invisible Things Lab\Qubes OS Windows Tools\qubes-rpc-services\get-appmenus.ps1` by default.
 
+ * R4.0
+ 
+   The list of installed applications for each AppVM is stored in dom0's `/home/user/.local/share/qubes-appmenus/vmname/apps.templates`. Each menu entry is a file that follows the [.desktop file format](https://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html) with some wildcards (*%VMNAME%*, *%VMDIR%*). Applications selected to appear in the menu are stored in `/var/lib/qubes/appvms/vmname/apps`.
+    
+   Actual command lines for the menu shortcuts involve `qvm-run` command which starts a process in another domain. Examples: `qvm-run -q -a --service -- %VMNAME% qubes.StartApp+7-Zip-7-Zip_File_Manager` or
+   `qvm-run -q -a --service -- %VMNAME% qubes.StartApp+firefox`
+
+   Note that you can create a shortcut that points to a .desktop file in your AppVM with e.g. `qvm-run -q -a --service -- personal qubes.StartApp+firefox`
+
+ * R3.2
+
+   The list of installed applications for each AppVM is stored in dom0's `/var/lib/qubes/vm-templates/templatename/apps.templates` (or in case of StandaloneVM: `/var/lib/qubes/appvms/vmname/apps.templates`). Each menu entry is a file that follows the [.desktop file format](https://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html) with some wildcards (*%VMNAME%*, *%VMDIR%*). Applications selected to appear in the menu are stored in `/var/lib/qubes/appvms/vmname/apps`.
+    
+   Actual command lines for the menu shortcuts involve `qvm-run` command which starts a process in another domain. Examples: `qvm-run -q --tray -a w7s 'cmd.exe /c "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Calculator.lnk"'` or `qvm-run -q --tray -a untrusted 'firefox %u'`
+
+   Note that you can create a shortcut that points to a .desktop file in your AppVM with e.g. `qvm-run -q --tray -a personal -- 'qubes-desktop-run /home/user/application.desktop'`
+
 What if my application has not been automatically included in the list of available apps?
 -----------------------------------------------------------------------------------------
 

From 59279c22826e4d676952c4f96d10e1ba77c31b86 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Mon, 29 Jan 2018 14:52:51 +0000
Subject: [PATCH 015/103] Update dispvm.md

---
 common-tasks/dispvm.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/common-tasks/dispvm.md b/common-tasks/dispvm.md
index edbd13c9..816819d1 100644
--- a/common-tasks/dispvm.md
+++ b/common-tasks/dispvm.md
@@ -26,7 +26,7 @@ Disposable VMs and Networking (R4.0 and later)
 
 R4.0 introduces the concept of multiple disposable VM templates (R3.2 was limited to one).
 This allows for the creation of multiple differently configured disposable VMs that can be accessed from 
-the Applications menu (e.g. `fedora-XX-dvm`). Even more types of DispVMs can be created on-the-fly on a per AppVM basis.
+the Applications menu. Even more types of DispVMs can be created on-the-fly on a per AppVM basis.
 As you can see, this is a very flexible and powerful system for managing your Disposable VMs.
 
 NetVM and firewall rules for Disposable VMs can be set as they can for a normal VM. 
@@ -41,7 +41,6 @@ Disposable VMs will temporarily appear with the name `disp####`.
 
 A Disposable VM launched from the Start Menu inherits the NetVM and firewall settings of the [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template) from which it is built. 
 By default the DVM template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM). 
-As an "internal" VM it is hidden in Qubes VM Manager, but can be shown by selecting "Show/Hide internal VMs". 
 Note that changing the "NetVM" setting for the DVM Template *does* affect the NetVM of DispVMs launched from the Start Menu.
 
 Disposable VMs and Networking (R3.2 and earlier)

From 64716d81f077423bad48e2f97c2c25743597bc3b Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Thu, 1 Feb 2018 13:39:47 +0000
Subject: [PATCH 016/103] reinstall-template 4.0 update

add 4.0 clone template procedure because dummy template no longer works
---
 managing-os/reinstall-template.md | 61 ++++++++++++++++++++++++++++++-
 1 file changed, 59 insertions(+), 2 deletions(-)

diff --git a/managing-os/reinstall-template.md b/managing-os/reinstall-template.md
index 2ef65908..ac85dfc0 100644
--- a/managing-os/reinstall-template.md
+++ b/managing-os/reinstall-template.md
@@ -11,7 +11,10 @@ How to Reinstall a TemplateVM
 
 If you suspect your [TemplateVM] is broken, misconfigured, or compromised, you
 can reinstall any TemplateVM that was installed from the Qubes repository.
-Starting in Qubes 3.1, the process is greatly simplified.
+
+If you are running Qubes R4.0, see "Manual Reinstallation Method (R4.0)" below.
+For Qubes R3.1 or R3.2, keep reading.
+For R3.0 and earlier, see "Manual Reinstallation Method (R3.0 or earlier)" below.
 
 First, copy any files that you wish to keep from the TemplateVM's `/home` and
 `/rw` folders to a safe storage location. Then, in a dom0 terminal, run:
@@ -38,7 +41,61 @@ repo, you must enable that repo. For example:
 restarted.
 
 
-Manual Reinstallation Method
+Manual Reinstallation Method (R4.0)
+----------------------------
+
+If you're using Qubes 4.0 or newer, you should use the manual reinstallation
+method.
+
+In what follows, the term "target TemplateVM" refers to whichever TemplateVM you
+want to reinstall. If you want to reinstall more than one TemplateVM, repeat
+these instructions for each one.
+
+1. Clone the existing target TemplateVM.
+
+   This can be a good idea if you've customized the existing template and want
+   to keep your customizations. On the other hand, if you suspect that this
+   template is broken, misconfigured, or compromised, be certain you do not
+   start any VMs using it in the below procedure.
+
+2. Temporarily change all VMs based on the target TemplateVM to the new clone
+   template, or remove them.
+
+   This can be a good idea if you have user data in these VMs that you want to
+   keep. On the other hand, if you suspect that these VMs (or the templates on
+   which they are based) are broken, misconfigured, or compromised, you may
+   want to remove them instead. You can do this in Qubes Manager by
+   right-clicking on the VM and clicking **Remove VM**, or you can use the
+   command `qvm-remove <vm-name>` in dom0.
+
+3. Uninstall the target TemplateVM from dom0:
+
+        $ sudo dnf remove <template-package-name>
+
+   For example, to uninstall the `whonix-gw` template:
+
+        $ sudo dnf remove qubes-template-whonix-gw
+
+4. Reinstall the target TemplateVM in dom0:
+
+        $ sudo qubes-dom0-update --enablerepo=<optional-additional-repo> \
+          <template-package-name>
+
+   For example, to install the `whonix-gw` template:
+
+        $ sudo qubes-dom0-update --enablerepo=qubes-templates-community \
+          qubes-template-whonix-gw
+
+5. If you temporarily changed all VMs based on the target TemplateVM to the
+   clone template in step 3, change them back to the new target TemplateVM now.
+   If you instead removed all VMs based on the old target TemplateVM, you can
+   recreate your desired VMs from the newly reinstalled target TemplateVM now.
+   
+6. Delete the cloned template. You can do this in Qubes Manager by
+   right-clicking on the VM and clicking **Remove VM**, or you can use the
+   command `qvm-remove <vm-name>` in dom0.
+   
+Manual Reinstallation Method (R3.0 or earlier)
 ----------------------------
 
 If you're using Qubes 3.0 or older, you should use the manual reinstallation

From b71bc6174f4d246d15deb5b3da552dda0b5fdf41 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 3 Feb 2018 16:11:11 +0000
Subject: [PATCH 017/103] secondary-storage 4.0 updates

add 4.0 content (sourced from https://mail-archive.com/qubes-users@googlegroups.com/msg14871.html)
add version headings
adjust R3.2 procedure for consistency with rest of document
remove "#" from R3.2 procedure because it works as regular user if permissions are set correctly
remove "known issues" heading so bullet points fall under R3.2 section instead of appearing to apply to both versions
---
 configuration/secondary-storage.md | 57 +++++++++++++++++++++++++-----
 1 file changed, 48 insertions(+), 9 deletions(-)

diff --git a/configuration/secondary-storage.md b/configuration/secondary-storage.md
index f04b6665..1bfbfaff 100644
--- a/configuration/secondary-storage.md
+++ b/configuration/secondary-storage.md
@@ -12,28 +12,67 @@ Storing AppVMs on Secondary Drives
 ==================================
 
 Suppose you have a fast but small primary SSD and a large but slow secondary
-HDD.  You want to store a subset of your AppVMs on the HDD. In dom0:
+HDD.  You want to store a subset of your AppVMs on the HDD.
 
-1. `# mv /var/lib/qubes/appvms/my-new-appvm
-/path/to/secondary/drive/my-new-appvm`
+### R4.0 ###
 
-2. `# ln -s /path/to/secondary/drive/my-new-appvm /var/lib/qubes/appvms/`
+Qubes 4.0 is more flexible than earlier versions about placing different VMs on
+different disks. For example, you can keep templates on one disk and
+AppVMs on another, without messy symlinks.
+
+Assuming you have already created a separate [volume group](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/logical_volume_manager_administration/vg_admin#VG_create) and
+[thin pool](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/logical_volume_manager_administration/thinly_provisioned_volume_creation)
+(not thin volume) for your HDD,
+first collect some information in a dom0 terminal:
+
+    sudo pvs
+    sudo lvs
+
+Take note of the VG and thin pool names for your HDD, then register it with Qubes:
+
+    # pool_name is a freely chosen pool name
+    # vg_name is LVM volume group name
+    # thin_pool_name is LVM thin pool name
+    qvm-pool --add pool_name lvm_thin -o volume_group=vg_name,thin_pool=thin_pool_name
+    
+Now, you can create qubes in that pool:
+
+    qvm-create -P pool_name --label red vmname
+
+It isn't possible to directly migrate an existing qube to the new pool, but
+you can clone it there, then remove the old one:
+
+    qvm-clone -P pool_name old_name new_name
+    qvm-remove old_name
+
+If that was a template, or other qube referenced elsewhere (NetVM or
+such), you will need to adjust those references manually after moving.
+For example:
+
+    qvm-prefs appvm_based_on_old_name_template template new_name
+
+In theory, you can still use file-based disk images ("file" pool driver),
+but it lacks some features such as you won't be able to do
+backups without shutting down the qube.
+
+### R3.2 ###
+
+In dom0:
+
+    mv /var/lib/qubes/appvms/my-new-appvm /path/to/secondary/drive/my-new-appvm
+    ln -s /path/to/secondary/drive/my-new-appvm /var/lib/qubes/appvms/
 
 Now, `my-new-appvm` will behave as if it were still stored on the primary SSD
 (except that it will probably be slower, since it's actually stored on the
 secondary HDD).
 
-Known Issues
-------------
-
  * The above procedure does **not** interfere with [Qubes Backup][]. However,
    attempting to symlink a `private.img` file (rather than the whole AppVM
    directory) is known to prevent the `private.img` file from being backed up.
    The same problem may occur if the above procedure is attempted on a
    [TemplateVM][]. [[1]]
 
- * This issue applies only to R3.1, not R3.2 or later:
-   After implementing the above procedure, starting `my-new-appvm` will cause
+ * After implementing the above procedure, starting `my-new-appvm` will cause
    dom0 notifications to occur stating that loop devices have been attached to
    dom0. This is normal. (No untrusted devices are actually being mounted to
    dom0.) Do not attempt to detach these disks. (They will automatically be

From 2576c530dc8246e6892532c1530bbb7b0002dc7e Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 3 Feb 2018 23:12:10 +0000
Subject: [PATCH 018/103] 4.0 updates

adjust title to "Private" vs. counterpart document "Root"
add 4.0 content
add placeholder procedure for Shrinking private disk image (Linux VM, R4.0)
remove outdated, root.img specific content
misc. spelling/grammar
---
 configuration/resize-disk-image.md | 80 ++++++++++++++----------------
 1 file changed, 37 insertions(+), 43 deletions(-)

diff --git a/configuration/resize-disk-image.md b/configuration/resize-disk-image.md
index 35159d7f..b68b56dd 100644
--- a/configuration/resize-disk-image.md
+++ b/configuration/resize-disk-image.md
@@ -1,6 +1,6 @@
 ---
 layout: doc
-title: Resize Disk Image
+title: Resize Private Disk Image
 permalink: /doc/resize-disk-image/
 redirect_from:
 - /en/doc/resize-disk-image/
@@ -8,33 +8,55 @@ redirect_from:
 - /wiki/ResizeDiskImage/
 ---
 
-Resize Disk Image
+Resize Private Disk Image
 -----------------
 
-There are several disk images which can be easily extended. But pay attention to the overall consumed space of your sparse disk images.
+There are several disk images which can be easily extended, but pay attention to the overall consumed space of your sparse disk images. See also additional information and caveats about [resizing the root disk image](/doc/resize-root-disk-image/).
 
-### Private disk image
 
-1048576 MB is the maximum size which can be assigned to a private storage through qubes-manager.
+### Private disk image (R4.0)
 
-To grow the private disk image of a AppVM beyond this limit [qubes-grow-private](/doc/dom0-tools/qvm-grow-private/) can be used:
+1048576 MiB is the maximum size which can be assigned to a private storage through Qube Manager.
+
+To grow the private disk image of an AppVM beyond this limit, [qvm-volume](/doc/dom0-tools/qvm-volume/) can be used:
+
+~~~
+qvm-volume extend <vm_name>:private <size>
+~~~
+
+Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to the existing disk.
+
+### Private disk image (R3.2)
+
+1048576 MB is the maximum size which can be assigned to a private storage through Qubes Manager.
+
+To grow the private disk image of an AppVM beyond this limit, [qvm-grow-private](/doc/dom0-tools/qvm-grow-private/) can be used:
 
 ~~~
 qvm-grow-private <vm-name> <size>
 ~~~
 
-Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to the existing disk.
+Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to the existing disk. 
 
-### Shrinking private disk image (Linux VM)
+### Shrinking private disk image (Linux VM, R4.0)
 
-**This operation is dangerous and this is why it isn't available in standard Qubes tools. If you have enough disk space, it is safer to create new VM with smaller disk and move the data.**
+1.  Create a new qube with smaller disk using Qube Manager or qvm-create
+2.  Move data using OS tools
+3.  Delete old qube using Qube Manager or qvm-remove
+
+### Shrinking private disk image (Linux VM, R3.2)
+
+**This operation is dangerous and this is why it isn't available in standard Qubes tools. If you have enough disk space, it is safer to create a new VM with a smaller disk and move the data.**
 
 The basic idea is to:
 
 1.  Shrink filesystem on the private disk image.
 2.  Then shrink the image.
 
-Ext4 does not support online shrinking, so can't be done as convenient as image grown. Note that we don't want to touch the VM filesystem directly in dom0 for security reasons. First you need to start VM without `/rw` mounted. One of the possibility is to interrupt its normal startup by adding `rd.break` kernel option:
+Ext4 does not support online shrinking, so it can't be done as conveniently as growing the image.
+Note that we don't want to touch the VM filesystem directly in dom0 for security reasons. 
+First you need to start VM without `/rw` mounted. One possibility is to interrupt its normal startup
+by adding the `rd.break` kernel option:
 
 ~~~
 qvm-prefs -s <vm-name> kernelopts rd.break
@@ -76,37 +98,11 @@ Done.
 >With no argument, resize2fs grows the filesystem to match the underlying block device (the .img file you just shrunk)
 
 
-### Template disk image
+OS Specific Follow-up Instructions
+-----------------
 
-If you want install a lot of software in your TemplateVM, you may need to increase the amount of disk space your TemplateVM can use. See also additional information and caveats about [resizing the root disk image].
-
-1.  Make sure that all the VMs based on this template are shut off (including netvms etc).
-2.  Sanity check: verify that none of loop device are pointing at this template root.img. Run this in dom0: `sudo losetup -a`
-3.  Resize root.img file. Run this in dom0: `truncate -s <desired size> <path to root.img>` (the root.img path can be obtained from qvm-prefs).
-4.  If any netvm/proxyvm used by this template is based on it, set template netvm to none.
-5.  Start the template.
-6.  Execute `sudo resize2fs /dev/mapper/dmroot` in the template.
-7.  Verify available space in the template using `df -h`
-8.  Shutdown the template.
-9.  Restore original netvm setting (if changed), check firewall settings (setting netvm to none causes firewall reset to "block all")
-
-### HVM disk image
-
-In this example we will grow the disk image of an HVM to 30GB.
-
-First, stop/shutdown the HVM.
-
-Then, from a Dom0 terminal (in KDE: System Tools -\> Terminal Emulator) do the following:
-
-~~~
-cd /var/lib/qubes/appvms/<yourHVM>/
-ls -lh root.img  (<--verify current size of disk image)
-truncate -s 30GB root.img
-ls -lh root.img  (<--verify new size of disk image)
-~~~
-
-The partition table and file-system must be adjusted after this change.
-Use tools appropriate to the OS in your HVM. Brief instructions for Windows 7,
+After resizing volumes, the partition table and file-system may need to be adjusted.
+Use tools appropriate to the OS in your qube. Brief instructions for Windows 7,
 FreeBSD, and Linux are provided below.
 
 #### Windows 7
@@ -129,8 +125,6 @@ zpool online -e poolname ada0
 
 #### Linux
 
+Qubes will automatically grow the filesystem for you on AppVMs but not HVMs.
 You will see that there is unallocated free space at the end of your primary disk.
 You can use standard linux tools like fdisk and mkfs to make this space available.
-
-
-[resizing the root disk image]: /doc/resize-root-disk-image/

From c380832af15b3651b1d5647209becbef7121622a Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 3 Feb 2018 23:37:46 +0000
Subject: [PATCH 019/103] 4.0 updates

Add root specific content moved from /doc/resize-disk-image
Add 4.0 content
Remove outdated (<R3.?) and duplicated content
---
 configuration/resize-root-disk-image.md | 70 +++++++++++++++----------
 1 file changed, 42 insertions(+), 28 deletions(-)

diff --git a/configuration/resize-root-disk-image.md b/configuration/resize-root-disk-image.md
index bee7272f..630a1dcf 100644
--- a/configuration/resize-root-disk-image.md
+++ b/configuration/resize-root-disk-image.md
@@ -11,11 +11,49 @@ redirect_from:
 Resize Root Disk Image
 ----------------------
 
-The safest way to increase the size of `root.img` is to turn your TemplateVM into a StandaloneVM. Doing this means it will have it's own root filesystem *(StandaloneVMs use a copy of template, instead of smart sharing)*. To do this run `qvm-create --standalone` from `dom0` Konsole.
+### Template disk image 
 
-### Resize a StandaloneVM Root Image
+If you want install a lot of software in your TemplateVM, you may need to increase the amount of disk space your TemplateVM can use. See also additional information and caveats about [resizing private disk images](/doc/resize-disk-image/).
+*Make sure changes in the TemplateVM between reboots don't exceed 10G.*
 
-In `dom0` Konsole run the following command (replace the size and path):
+1.  Make sure that all the VMs based on this template are shut off (including netvms etc).
+2.  Resize root image using Qubes version specific procedure below.
+3.  If any netvm/proxyvm used by this template is based on it, set template's netvm to none.
+4.  Start the template.
+5.  Resize the filesystem using OS appropriate tools (Qubes will handle this automatically with Linux templates).
+6.  Verify available space in the template using `df -h` or OS specific tools.
+7.  Shutdown the template.
+8.  Restore original netvm setting (if changed), check firewall settings (setting netvm to none causes the firewall to reset to "block all")
+
+### Root disk image (R4.0)
+
+1048576 MiB is the maximum size which can be assigned to root storage through Qube Manager.
+
+To grow the root disk image of an AppVM beyond this limit, [qvm-volume](/doc/dom0-tools/qvm-volume/) can be used:
+
+~~~
+qvm-volume extend <vm_name>:root <size>
+~~~
+
+Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to the existing disk.
+
+### Root disk image (R3.2)
+
+1048576 MB is the maximum size which can be assigned to root storage through Qubes Manager.
+
+To grow the root disk image of an AppVM beyond this limit, [qvm-grow-root](/doc/dom0-tools/qvm-grow-root/) can be used:
+
+~~~
+qvm-grow-root <vm-name> <size>
+~~~
+
+Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to the existing disk. 
+
+### Resize a StandaloneVM Root Image (R3.2)
+
+Another way to increase the size of `root.img` is to turn your TemplateVM into a StandaloneVM. Doing this means it will have it's own root filesystem *(StandaloneVMs use a copy of template, instead of smart sharing)*. To do this run `qvm-create --standalone` from `dom0` console.
+
+In `dom0` console run the following command (replace the size and path):
 
 ~~~
 truncate -s 20G /var/lib/qubes/appvms/standalonevm/root.img
@@ -27,28 +65,4 @@ Then start Terminal for this StandaloneVM and run:
 sudo resize2fs /dev/mapper/dmroot
 ~~~
 
-Shutdown the StandaloneVM and you will have extended the size of it's `root.img`
-
-
-### Resize a TemplateVM Root Image
-
-Shut down the TemplateVM, as well as all VMs based on that template (since they
-share `root.img`).
-In `dom0` Konsole run the following command (replace the size and path):
-*Make sure changes in the TemplateVM between reboots didn't exceed 10G.*
-
-~~~
-truncate -s 20G /var/lib/qubes/vm-templates/fedora-21/root.img
-~~~
-
-Then start only the TemplateVM and run the following. Note that if you are
-resizing the TemplateVM used by, e.g., your NetVM, you may need to disable
-networking so when the TemplateVM is started, it does not autostart other VMs
-based on the same `root.img`. Otherwise you will get an error message `Nothing
-to do!`.
-
-~~~
-sudo resize2fs /dev/mapper/dmroot
-~~~
-
-Shutdown the TemplateVM and you will have extended the size of it's `root.img`.
+Shutdown the StandaloneVM and you will have extended the size of its `root.img`.

From 0cd1cf06646972e0f0b93ca255d53b8ad580f394 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 3 Feb 2018 23:40:44 +0000
Subject: [PATCH 020/103] adjust disk resizing titles

---
 doc.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc.md b/doc.md
index 154fc482..c951c8ac 100644
--- a/doc.md
+++ b/doc.md
@@ -124,8 +124,8 @@ Configuration Guides
  * [How to set up a ProxyVM as a VPN Gateway](/doc/vpn/)
  * [Storing AppVMs on Secondary Drives](/doc/secondary-storage/)
  * [Multibooting](/doc/multiboot/)
- * [Resizing AppVM and HVM Disk Images](/doc/resize-disk-image/)
- * [Extending `root.img` Size](/doc/resize-root-disk-image/)
+ * [Resize Private Disk Image](/doc/resize-disk-image/)
+ * [Resize Root Disk Image](/doc/resize-root-disk-image/)
  * [RPC Policies](/doc/rpc-policy/)
  * [Installing ZFS in Qubes](/doc/zfs/)
  * [Mutt Guide](/doc/mutt/)

From 6bfaf3f35ec7e0885d5c66767cfecb9000125630 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 3 Feb 2018 23:46:08 +0000
Subject: [PATCH 021/103] tweak R4.0 shrink procedure

---
 configuration/resize-disk-image.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/configuration/resize-disk-image.md b/configuration/resize-disk-image.md
index b68b56dd..5aa6321f 100644
--- a/configuration/resize-disk-image.md
+++ b/configuration/resize-disk-image.md
@@ -16,7 +16,7 @@ There are several disk images which can be easily extended, but pay attention to
 
 ### Private disk image (R4.0)
 
-1048576 MiB is the maximum size which can be assigned to a private storage through Qube Manager.
+1048576 MiB is the maximum size which can be assigned to private storage through Qube Manager.
 
 To grow the private disk image of an AppVM beyond this limit, [qvm-volume](/doc/dom0-tools/qvm-volume/) can be used:
 
@@ -28,7 +28,7 @@ Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to
 
 ### Private disk image (R3.2)
 
-1048576 MB is the maximum size which can be assigned to a private storage through Qubes Manager.
+1048576 MB is the maximum size which can be assigned to private storage through Qubes Manager.
 
 To grow the private disk image of an AppVM beyond this limit, [qvm-grow-private](/doc/dom0-tools/qvm-grow-private/) can be used:
 
@@ -40,9 +40,9 @@ Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to
 
 ### Shrinking private disk image (Linux VM, R4.0)
 
-1.  Create a new qube with smaller disk using Qube Manager or qvm-create
-2.  Move data using OS tools
-3.  Delete old qube using Qube Manager or qvm-remove
+1.  Create a new qube with smaller disk using Qube Manager or `qvm-create`
+2.  Move data to the new qube using `qvm-copy` or OS utilities
+3.  Delete old qube using Qube Manager or `qvm-remove`
 
 ### Shrinking private disk image (Linux VM, R3.2)
 

From 4f4c3973521a70309f5434c294b9b3593a5b1f9b Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 3 Feb 2018 23:49:36 +0000
Subject: [PATCH 022/103] call out "OS Specific" procedure in linked doc

---
 configuration/resize-root-disk-image.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/configuration/resize-root-disk-image.md b/configuration/resize-root-disk-image.md
index 630a1dcf..eef31d8b 100644
--- a/configuration/resize-root-disk-image.md
+++ b/configuration/resize-root-disk-image.md
@@ -11,9 +11,11 @@ redirect_from:
 Resize Root Disk Image
 ----------------------
 
+See additional information and caveats about [resizing private disk images](/doc/resize-disk-image/), paying particular attention to "OS Specific Follow-up Instructions" at the end.
+
 ### Template disk image 
 
-If you want install a lot of software in your TemplateVM, you may need to increase the amount of disk space your TemplateVM can use. See also additional information and caveats about [resizing private disk images](/doc/resize-disk-image/).
+If you want install a lot of software in your TemplateVM, you may need to increase the amount of disk space your TemplateVM can use. 
 *Make sure changes in the TemplateVM between reboots don't exceed 10G.*
 
 1.  Make sure that all the VMs based on this template are shut off (including netvms etc).

From f24d9ee90cd0d6e87dca81fbe818ca809d881706 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sun, 4 Feb 2018 17:33:05 +0000
Subject: [PATCH 023/103] assigning-devices 4.0 updates

add introduction explaining why this can be needed and multi-function device quirks
add 4.0 content
add introduction to USB controller section explaining why
add strict reset options for R3.2 and R4.0
---
 configuration/assigning-devices.md | 157 +++++++++++++++++++++++------
 1 file changed, 124 insertions(+), 33 deletions(-)

diff --git a/configuration/assigning-devices.md b/configuration/assigning-devices.md
index 6aa8278a..1c2b711f 100644
--- a/configuration/assigning-devices.md
+++ b/configuration/assigning-devices.md
@@ -11,6 +11,58 @@ redirect_from:
 Assigning Devices to VMs
 ========================
 
+Sometimes you may need to assign an entire PCI or PCI Express device directly
+to a qube. This is also known as PCI pass-through. The Qubes installer does this
+by default for `sys-net` (assigning all network class controllers), as well as
+`sys-usb` (assigning all USB controllers) if you chose to create the
+USB qube during install.
+While this covers most use cases, there are some occasions when you may want to
+manually assign one NIC to `sys-net` and another to a custom NetVM, or have some
+other type of PCI controller you want to manually assign.
+
+Note that one can only assign full PCI or PCI Express devices by default.
+This limit is imposed by the PC and VT-d
+architectures. This means if a PCI device has multiple functions, all instances
+of it need to be assigned to the same qube unless you have disabled FLR with the
+`no-strict-reset` (R4.0) or `pci_strictreset` (R3.2) option.
+In the steps below, you can tell if this is needed if you see the BDF for the
+same device listed multiple times with only the number after the "." changing.
+
+While a device can only be attached to one VM at a time, it *is* possible to
+*assign* the same device to more than one VM at a time. This means that you can
+use the device in one VM, shut that VM down, start up a different VM (to which
+the same device is also assigned), then use the device in that VM. This can be
+useful if, for example, you have only one USB controller, but you have multiple
+security domains which all require the use of different USB devices.
+
+R4.0
+------------------------
+
+In order to assign a whole PCI(e) device to a VM, one should use the `qvm-pci`
+tool. First, list the available PCI devices:
+
+~~~
+qvm-pci
+~~~
+
+This will show you the `backend:BDF` address of each PCI device. It will look something
+like `dom0:00_1a.0`. Once you've found the address of the device you want to
+assign, then attach it like so:
+
+~~~
+qvm-pci attach --persistent <vmname> <backend>:<bdf>
+~~~
+
+For example, if `00_1a.0` is the BDF of the device you want to assign to the
+"personal" domain, you would do this:
+
+~~~
+qvm-pci attach --persistent personal dom0:00_1a.0
+~~~
+
+R3.2
+------------------------
+
 In order to assign a whole PCI(e) device to a VM, one should use the `qvm-pci`
 tool. First, list the available PCI devices:
 
@@ -26,27 +78,13 @@ assign, then attach it like so:
 qvm-pci -a <vmname> <bdf>
 ~~~
 
-For example, if `00:1a.0` is the BDF of the device I want to assign to the
-"personal" domain, I would do this:
+For example, if `00:1a.0` is the BDF of the device you want to assign to the
+"personal" domain, you would do this:
 
 ~~~
 qvm-pci -a personal 00:1a.0
 ~~~
 
-Note that one can only assign full PCI or PCI Express devices. This means one
-cannot assign single USB devices -- only the whole USB controller with whatever
-USB devices are connected to it. This limit is imposed by the PC and VT-d
-architectures. More information on using and managing USB devices with qubes is
-available on the [USB] page.
-
-While a device can only be attached to one VM at a time, it *is* possible to
-*assign* the same device to more than one VM at a time. This means that you can
-use the device in one VM, shut that VM down, start up a different VM (to which
-the same device is also assigned), then use the device in that VM. This can be
-useful if, for example, you have only one USB controller, but you have multiple
-security domains which all require the use of different USB devices.
-
-
 Using Qubes Manager
 -------------------
 
@@ -58,15 +96,21 @@ list of available devices, which you can select to be assigned to that VM.
 Finding the right USB controller
 --------------------------------
 
-If you want assign a certain [USB] device to a VM (by attaching the whole
+Some USB devices are not compatible with the USB pass-through method Qubes employs.
+In situations like this, you can still often get the USB device to work by
+passing through the entire USB controller to a qube. However, with this approach
+one cannot assign single USB devices, only the whole USB controller with whatever
+USB devices are connected to it. More information on using and managing USB devices with qubes is
+available on the [USB] page. If you want assign a certain USB device to a VM (by attaching the whole
 USB controller), you need to figure out which PCI device is the right
-controller. First, check to which USB bus the device is connected:
+controller. First, check to which USB bus the device is connected (note that
+these steps need to be run from a terminal inside `dom0`):
 
 ~~~
 lsusb
 ~~~
 
-For example, I want assign a broadband modem to the netvm. In the out put of
+For example, I want assign a broadband modem to the netvm. In the output of
 `lsusb` it can be listed as something like this. (In this case, the device isn't
 fully identified):
 
@@ -89,12 +133,8 @@ This should output something like:
 ~~~
 
 Now you see the BDF address in the path (right before final `usb3`). Strip the
-leading `0000:` and pass the rest to the `qvm-pci` tool:
-
-~~~
-qvm-pci -a netvm 00:1a.0
-~~~
-
+leading `0000:` and pass the rest to the `qvm-pci` tool to attach the controller
+with the version specific steps above.
 
 Possible issues
 ---------------
@@ -109,7 +149,7 @@ expressed in 512B chunks):
 ~~~
 # qvm-prefs netvm |grep kernelopts
 kernelopts       : iommu=soft swiotlb=2048 (default)
-# qvm-prefs -s netvm kernelopts "iommu=soft swiotlb=4096"
+# qvm-prefs -s netvm kernelopts "iommu=soft swiotlb=8192"
 ~~~
 
 This is [known to be needed][ml1] for the Realtek RTL8111DL Gigabit Ethernet
@@ -117,8 +157,57 @@ Controller.
 
 ### PCI passthrough issues
 
-Sometimes PCI arbitrator is too strict. There is a way to enable permissive mode
-for it. Create `/etc/systemd/system/qubes-pre-netvm.service`:
+Sometimes the PCI arbitrator is too strict. There is a way to enable permissive mode
+for it. See also: [this thread][ml2] and the Xen wiki's [PCI passthrough] page.
+
+**NOTE:** By setting the permissive flag for the PCI device, you're potentially
+weakening the device isolation, especially if your system is not equipped with
+VT-d Interrupt Remapping unit. See [Software Attacks on Intel VT-d] (page 7)
+for more details.
+
+At other times, you may instead need to disable the FLR requirement on a device.
+This will also weaken device isolation; see the "I created a usbVM..." entry in
+the [FAQ](/doc/faq/) for more details.
+
+R4.0
+------------------------
+
+Permissive mode and strict reset are options set as part of PCI device attachment. If you've already
+attached the PCI device to a VM, detach it first either with Qube Manager
+or `qvm-pci`, then list the available PCI devices:
+
+~~~
+qvm-pci
+~~~
+
+This will show you the `backend:BDF` address of each PCI device. It will look something
+like `dom0:00_1a.0`. Once you've found the address of the device you want to
+assign, then attach it like so:
+
+~~~
+qvm-pci attach --persistent --option <option1> [--option <option2>] <vmname> <backend>:<bdf>
+~~~
+
+For example, if `00_1a.0` is the BDF of the device you want to assign to the
+"personal" domain, and it is particularly difficult to pass through you would do this:
+
+~~~
+qvm-pci attach --persistent --option permissive=true --option no-strict-reset=true personal dom0:00_1a.0
+~~~
+
+Running `qvm-pci` again should then show your PCI device attached with both the
+`permissive` and `no-strict-reset` options set.
+
+**Note** again that in most cases you should
+not need either of these options set. Only set one or more of them as required to get
+your device to function, or replace the device with one that functions properly with Qubes.
+
+R3.2
+------------------------
+
+Permissive mode is enabled system wide per device.
+
+Create `/etc/systemd/system/qubes-pre-netvm.service`:
 
 ~~~
 [Unit]
@@ -136,13 +225,15 @@ WantedBy=multi-user.target
 
 Then enable it with `systemctl enable qubes-pre-netvm.service`
 
-See also: [this thread][ml2] and the Xen wiki's [PCI passthrough] page.
+The strict reset option is set for all devices attached to a VM with:
 
-**NOTE:** By setting the permissive flag for the PCI device, you're potentially
-weakening the device isolation, especially if your system is not equipped with
-VT-d Interrupt Remapping unit. See [Software Attacks on Intel VT-d] (page 7)
-for more details.
+```
+qvm-prefs usbVM -s pci_strictreset false
+```
 
+**Note** again that in most cases you should
+not need either of these options set. Only set one or more of them as required to get
+your device to function, or replace the device with one that functions properly with Qubes.
 
 Bringing PCI device back to dom0
 --------------------------------

From d2837c4a222d29782ec627b85ccc6dc77f0ecac1 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sun, 4 Feb 2018 17:57:10 +0000
Subject: [PATCH 024/103] fix faq link

---
 configuration/assigning-devices.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configuration/assigning-devices.md b/configuration/assigning-devices.md
index 1c2b711f..b701607a 100644
--- a/configuration/assigning-devices.md
+++ b/configuration/assigning-devices.md
@@ -167,7 +167,7 @@ for more details.
 
 At other times, you may instead need to disable the FLR requirement on a device.
 This will also weaken device isolation; see the "I created a usbVM..." entry in
-the [FAQ](/doc/faq/) for more details.
+the [FAQ](/doc/user-faq/) for more details.
 
 R4.0
 ------------------------

From c87072d798f9b48079e9d4c04b7893250bb09733 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Mon, 5 Feb 2018 01:25:19 +0000
Subject: [PATCH 025/103] Fix line breaks

---
 configuration/assigning-devices.md | 120 ++++++++++++++++-------------
 1 file changed, 65 insertions(+), 55 deletions(-)

diff --git a/configuration/assigning-devices.md b/configuration/assigning-devices.md
index b701607a..14c5e2b3 100644
--- a/configuration/assigning-devices.md
+++ b/configuration/assigning-devices.md
@@ -12,41 +12,43 @@ Assigning Devices to VMs
 ========================
 
 Sometimes you may need to assign an entire PCI or PCI Express device directly
-to a qube. This is also known as PCI pass-through. The Qubes installer does this
-by default for `sys-net` (assigning all network class controllers), as well as
-`sys-usb` (assigning all USB controllers) if you chose to create the
+to a qube.
+This is also known as PCI pass-through.
+The Qubes installer does this by default for `sys-net` (assigning all network class controllers),
+as well as `sys-usb` (assigning all USB controllers) if you chose to create the
 USB qube during install.
 While this covers most use cases, there are some occasions when you may want to
-manually assign one NIC to `sys-net` and another to a custom NetVM, or have some
-other type of PCI controller you want to manually assign.
+manually assign one NIC to `sys-net` and another to a custom NetVM,
+or have some other type of PCI controller you want to manually assign.
 
 Note that one can only assign full PCI or PCI Express devices by default.
-This limit is imposed by the PC and VT-d
-architectures. This means if a PCI device has multiple functions, all instances
+This limit is imposed by the PC and VT-d architectures.
+This means if a PCI device has multiple functions, all instances
 of it need to be assigned to the same qube unless you have disabled FLR with the
 `no-strict-reset` (R4.0) or `pci_strictreset` (R3.2) option.
 In the steps below, you can tell if this is needed if you see the BDF for the
 same device listed multiple times with only the number after the "." changing.
 
 While a device can only be attached to one VM at a time, it *is* possible to
-*assign* the same device to more than one VM at a time. This means that you can
-use the device in one VM, shut that VM down, start up a different VM (to which
-the same device is also assigned), then use the device in that VM. This can be
-useful if, for example, you have only one USB controller, but you have multiple
+*assign* the same device to more than one VM at a time. 
+This means that you can use the device in one VM, shut that VM down, start up a different VM
+(to which the same device is also assigned), then use the device in that VM.
+This can be useful if, for example, you have only one USB controller, but you have multiple
 security domains which all require the use of different USB devices.
 
 R4.0
 ------------------------
 
-In order to assign a whole PCI(e) device to a VM, one should use the `qvm-pci`
-tool. First, list the available PCI devices:
+In order to assign a whole PCI(e) device to a VM, one should use the `qvm-pci` tool.
+First, list the available PCI devices:
 
 ~~~
 qvm-pci
 ~~~
 
-This will show you the `backend:BDF` address of each PCI device. It will look something
-like `dom0:00_1a.0`. Once you've found the address of the device you want to
+This will show you the `backend:BDF` address of each PCI device. 
+It will look something like `dom0:00_1a.0`.
+Once you've found the address of the device you want to
 assign, then attach it like so:
 
 ~~~
@@ -70,8 +72,9 @@ tool. First, list the available PCI devices:
 lspci
 ~~~
 
-This will show you the BDF address of each PCI device. It will look something
-like `00:1a.0`. Once you've found the BDF address of the device you want to
+This will show you the BDF address of each PCI device.
+It will look something like `00:1a.0`. 
+Once you've found the BDF address of the device you want to
 assign, then attach it like so:
 
 ~~~
@@ -88,9 +91,9 @@ qvm-pci -a personal 00:1a.0
 Using Qubes Manager
 -------------------
 
-The above steps can also be done in Qubes Manager. Simply go into the VM
-settings of your desired VM, then go to the "Devices" tab. This will show you a
-list of available devices, which you can select to be assigned to that VM.
+The above steps can also be done in Qubes Manager.
+Simply go into the VM settings of your desired VM, then go to the "Devices" tab.
+This will show you a list of available devices, which you can select to be assigned to that VM.
 
 
 Finding the right USB controller
@@ -98,28 +101,31 @@ Finding the right USB controller
 
 Some USB devices are not compatible with the USB pass-through method Qubes employs.
 In situations like this, you can still often get the USB device to work by
-passing through the entire USB controller to a qube. However, with this approach
-one cannot assign single USB devices, only the whole USB controller with whatever
-USB devices are connected to it. More information on using and managing USB devices with qubes is
-available on the [USB] page. If you want assign a certain USB device to a VM (by attaching the whole
-USB controller), you need to figure out which PCI device is the right
-controller. First, check to which USB bus the device is connected (note that
+passing through the entire USB controller to a qube.
+However, with this approach one cannot assign single USB devices, 
+only the whole USB controller with whatever USB devices are connected to it. 
+More information on using and managing USB devices with qubes is
+available on the [USB] page. 
+If you want assign a certain USB device to a VM (by attaching the whole USB controller), 
+you need to figure out which PCI device is the right controller. 
+First, check to which USB bus the device is connected (note that
 these steps need to be run from a terminal inside `dom0`):
 
 ~~~
 lsusb
 ~~~
 
-For example, I want assign a broadband modem to the netvm. In the output of
-`lsusb` it can be listed as something like this. (In this case, the device isn't
-fully identified):
+For example, I want assign a broadband modem to the netvm. 
+In the output of `lsusb` it can be listed as something like this. 
+(In this case, the device isn't fully identified):
 
 ~~~
 Bus 003 Device 003: ID 413c:818d Dell Computer Corp.
 ~~~
 
-The device is connected to USB bus \#3. Then check which other devices are
-connected to the same bus, since *all* of them will be assigned to the same VM.
+The device is connected to USB bus \#3. 
+Then check which other devices are connected to the same bus,
+since *all* of them will be assigned to the same VM.
 Now is the time to find right USB controller:
 
 ~~~
@@ -132,8 +138,8 @@ This should output something like:
 ../../../devices/pci-0/pci0000:00/0000:00:1a.0/usb3
 ~~~
 
-Now you see the BDF address in the path (right before final `usb3`). Strip the
-leading `0000:` and pass the rest to the `qvm-pci` tool to attach the controller
+Now you see the BDF address in the path (right before final `usb3`).
+Strip the leading `0000:` and pass the rest to the `qvm-pci` tool to attach the controller
 with the version specific steps above.
 
 Possible issues
@@ -142,9 +148,10 @@ Possible issues
 ### DMA buffer size
 
 VMs with assigned PCI devices in Qubes have allocated a small buffer for DMA
-operations (called swiotlb). By default it is 2MB, but some devices need a
-larger buffer. To change this allocation, edit VM's kernel parameters (this is
-expressed in 512B chunks):
+operations (called swiotlb).
+By default it is 2MB, but some devices need a larger buffer.
+To change this allocation, edit VM's kernel parameters 
+(this is expressed in 512B chunks):
 
 ~~~
 # qvm-prefs netvm |grep kernelopts
@@ -157,12 +164,14 @@ Controller.
 
 ### PCI passthrough issues
 
-Sometimes the PCI arbitrator is too strict. There is a way to enable permissive mode
-for it. See also: [this thread][ml2] and the Xen wiki's [PCI passthrough] page.
+Sometimes the PCI arbitrator is too strict. 
+There is a way to enable permissive mode for it.
+See also: [this thread][ml2] and the Xen wiki's [PCI passthrough] page.
 
 **NOTE:** By setting the permissive flag for the PCI device, you're potentially
 weakening the device isolation, especially if your system is not equipped with
-VT-d Interrupt Remapping unit. See [Software Attacks on Intel VT-d] (page 7)
+VT-d Interrupt Remapping unit. 
+See [Software Attacks on Intel VT-d] (page 7)
 for more details.
 
 At other times, you may instead need to disable the FLR requirement on a device.
@@ -172,16 +181,17 @@ the [FAQ](/doc/user-faq/) for more details.
 R4.0
 ------------------------
 
-Permissive mode and strict reset are options set as part of PCI device attachment. If you've already
-attached the PCI device to a VM, detach it first either with Qube Manager
+Permissive mode and strict reset are options set as part of PCI device attachment. 
+If you've already attached the PCI device to a VM, detach it first either with Qube Manager
 or `qvm-pci`, then list the available PCI devices:
 
 ~~~
 qvm-pci
 ~~~
 
-This will show you the `backend:BDF` address of each PCI device. It will look something
-like `dom0:00_1a.0`. Once you've found the address of the device you want to
+This will show you the `backend:BDF` address of each PCI device.
+It will look something like `dom0:00_1a.0`. 
+Once you've found the address of the device you want to
 assign, then attach it like so:
 
 ~~~
@@ -198,9 +208,9 @@ qvm-pci attach --persistent --option permissive=true --option no-strict-reset=tr
 Running `qvm-pci` again should then show your PCI device attached with both the
 `permissive` and `no-strict-reset` options set.
 
-**Note** again that in most cases you should
-not need either of these options set. Only set one or more of them as required to get
-your device to function, or replace the device with one that functions properly with Qubes.
+**Note** again that in most cases you should not need either of these options set. 
+Only set one or more of them as required to get your device to function,
+or replace the device with one that functions properly with Qubes.
 
 R3.2
 ------------------------
@@ -231,18 +241,18 @@ The strict reset option is set for all devices attached to a VM with:
 qvm-prefs usbVM -s pci_strictreset false
 ```
 
-**Note** again that in most cases you should
-not need either of these options set. Only set one or more of them as required to get
-your device to function, or replace the device with one that functions properly with Qubes.
+**Note** again that in most cases you should not need either of these options set.
+Only set one or more of them as required to get your device to function,
+or replace the device with one that functions properly with Qubes.
 
 Bringing PCI device back to dom0
 --------------------------------
 
 By default, when a device is detached from a VM (or when a VM with an attached
-PCI device is shut down), the device is *not* automatically attached back to
-dom0. This is an intended feature. A device which was previously assigned to a
-VM less trusted than dom0 (which, in Qubes, is *all* of them) could attack dom0
-if it were automatically reassigned there.
+PCI device is shut down), the device is *not* automatically attached back to dom0. 
+This is an intended feature. 
+A device which was previously assigned to a VM less trusted than dom0 
+(which, in Qubes, is *all* of them) could attack dom0 if it were automatically reassigned there.
 
 In order to re-enable the device in dom0, either:
 
@@ -251,8 +261,8 @@ In order to re-enable the device in dom0, either:
 or
 
  *  Go to the sysfs (`/sys/bus/pci`), find the right device, detach it from the
-    pciback driver, and attach it back to the original driver. Replace `<BDF>`
-    with your device, for example `00:1c.2`:
+    pciback driver, and attach it back to the original driver. 
+    Replace `<BDF>` with your device, for example `00:1c.2`:
 
     ~~~
     echo 0000:<BDF> > /sys/bus/pci/drivers/pciback/unbind

From 2891ac92a1fdefdf720a98bf0f5ef2a4863bb746 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Mon, 5 Feb 2018 04:37:55 +0000
Subject: [PATCH 026/103] Update assigning-devices.md

---
 configuration/assigning-devices.md | 107 ++++++++++-------------------
 1 file changed, 35 insertions(+), 72 deletions(-)

diff --git a/configuration/assigning-devices.md b/configuration/assigning-devices.md
index 14c5e2b3..54d98c9a 100644
--- a/configuration/assigning-devices.md
+++ b/configuration/assigning-devices.md
@@ -11,30 +11,19 @@ redirect_from:
 Assigning Devices to VMs
 ========================
 
-Sometimes you may need to assign an entire PCI or PCI Express device directly
-to a qube.
+Sometimes you may need to assign an entire PCI or PCI Express device directly to a qube.
 This is also known as PCI pass-through.
-The Qubes installer does this by default for `sys-net` (assigning all network class controllers),
-as well as `sys-usb` (assigning all USB controllers) if you chose to create the
-USB qube during install.
-While this covers most use cases, there are some occasions when you may want to
-manually assign one NIC to `sys-net` and another to a custom NetVM,
-or have some other type of PCI controller you want to manually assign.
+The Qubes installer does this by default for `sys-net` (assigning all network class controllers), as well as `sys-usb` (assigning all USB controllers) if you chose to create the USB qube during install.
+While this covers most use cases, there are some occasions when you may want to manually assign one NIC to `sys-net` and another to a custom NetVM, or have some other type of PCI controller you want to manually assign.
 
 Note that one can only assign full PCI or PCI Express devices by default.
 This limit is imposed by the PC and VT-d architectures.
-This means if a PCI device has multiple functions, all instances
-of it need to be assigned to the same qube unless you have disabled FLR with the
-`no-strict-reset` (R4.0) or `pci_strictreset` (R3.2) option.
-In the steps below, you can tell if this is needed if you see the BDF for the
-same device listed multiple times with only the number after the "." changing.
+This means if a PCI device has multiple functions, all instances of it need to be assigned to the same qube unless you have disabled the strict requirement for FLR with the `no-strict-reset` (R4.0) or `pci_strictreset` (R3.2) option.
+In the steps below, you can tell if this is needed if you see the BDF for the same device listed multiple times with only the number after the "." changing.
 
-While a device can only be attached to one VM at a time, it *is* possible to
-*assign* the same device to more than one VM at a time. 
-This means that you can use the device in one VM, shut that VM down, start up a different VM
-(to which the same device is also assigned), then use the device in that VM.
-This can be useful if, for example, you have only one USB controller, but you have multiple
-security domains which all require the use of different USB devices.
+While PCI device can only be used by one powered on VM at a time, it *is* possible to *assign* the same device to more than one VM at a time. 
+This means that you can use the device in one VM, shut that VM down, start up a different VM (to which the same device is also assigned), then use the device in that VM.
+This can be useful if, for example, you have only one USB controller, but you have multiple security domains which all require the use of different USB devices.
 
 R4.0
 ------------------------
@@ -48,15 +37,13 @@ qvm-pci
 
 This will show you the `backend:BDF` address of each PCI device. 
 It will look something like `dom0:00_1a.0`.
-Once you've found the address of the device you want to
-assign, then attach it like so:
+Once you've found the address of the device you want to assign, then attach it like so:
 
 ~~~
 qvm-pci attach --persistent <vmname> <backend>:<bdf>
 ~~~
 
-For example, if `00_1a.0` is the BDF of the device you want to assign to the
-"personal" domain, you would do this:
+For example, if `00_1a.0` is the BDF of the device you want to assign to the "personal" domain, you would do this:
 
 ~~~
 qvm-pci attach --persistent personal dom0:00_1a.0
@@ -65,8 +52,8 @@ qvm-pci attach --persistent personal dom0:00_1a.0
 R3.2
 ------------------------
 
-In order to assign a whole PCI(e) device to a VM, one should use the `qvm-pci`
-tool. First, list the available PCI devices:
+In order to assign a whole PCI(e) device to a VM, one should use the `qvm-pci` tool.
+First, list the available PCI devices:
 
 ~~~
 lspci
@@ -74,15 +61,13 @@ lspci
 
 This will show you the BDF address of each PCI device.
 It will look something like `00:1a.0`. 
-Once you've found the BDF address of the device you want to
-assign, then attach it like so:
+Once you've found the BDF address of the device you want to assign, then attach it like so:
 
 ~~~
 qvm-pci -a <vmname> <bdf>
 ~~~
 
-For example, if `00:1a.0` is the BDF of the device you want to assign to the
-"personal" domain, you would do this:
+For example, if `00:1a.0` is the BDF of the device you want to assign to the "personal" domain, you would do this:
 
 ~~~
 qvm-pci -a personal 00:1a.0
@@ -100,16 +85,11 @@ Finding the right USB controller
 --------------------------------
 
 Some USB devices are not compatible with the USB pass-through method Qubes employs.
-In situations like this, you can still often get the USB device to work by
-passing through the entire USB controller to a qube.
-However, with this approach one cannot assign single USB devices, 
-only the whole USB controller with whatever USB devices are connected to it. 
-More information on using and managing USB devices with qubes is
-available on the [USB] page. 
-If you want assign a certain USB device to a VM (by attaching the whole USB controller), 
-you need to figure out which PCI device is the right controller. 
-First, check to which USB bus the device is connected (note that
-these steps need to be run from a terminal inside `dom0`):
+In situations like this, you can still often get the USB device to work by passing through the entire USB controller to a qube.
+However, with this approach one cannot assign single USB devices, only the whole USB controller with whatever USB devices are connected to it. 
+More information on using and managing USB devices with qubes is available on the [USB] page. 
+If you want assign a certain USB device to a VM (by attaching the whole USB controller), you need to figure out which PCI device is the right controller. 
+First, check to which USB bus the device is connected (note that these steps need to be run from a terminal inside `dom0`):
 
 ~~~
 lsusb
@@ -124,8 +104,7 @@ Bus 003 Device 003: ID 413c:818d Dell Computer Corp.
 ~~~
 
 The device is connected to USB bus \#3. 
-Then check which other devices are connected to the same bus,
-since *all* of them will be assigned to the same VM.
+Then check which other devices are connected to the same bus, since *all* of them will be assigned to the same VM.
 Now is the time to find right USB controller:
 
 ~~~
@@ -139,19 +118,16 @@ This should output something like:
 ~~~
 
 Now you see the BDF address in the path (right before final `usb3`).
-Strip the leading `0000:` and pass the rest to the `qvm-pci` tool to attach the controller
-with the version specific steps above.
+Strip the leading `0000:` and pass the rest to the `qvm-pci` tool to attach the controller with the version specific steps above.
 
 Possible issues
 ---------------
 
 ### DMA buffer size
 
-VMs with assigned PCI devices in Qubes have allocated a small buffer for DMA
-operations (called swiotlb).
+VMs with assigned PCI devices in Qubes have allocated a small buffer for DMA operations (called swiotlb).
 By default it is 2MB, but some devices need a larger buffer.
-To change this allocation, edit VM's kernel parameters 
-(this is expressed in 512B chunks):
+To change this allocation, edit VM's kernel parameters (this is expressed in 512B chunks):
 
 ~~~
 # qvm-prefs netvm |grep kernelopts
@@ -159,8 +135,7 @@ kernelopts       : iommu=soft swiotlb=2048 (default)
 # qvm-prefs -s netvm kernelopts "iommu=soft swiotlb=8192"
 ~~~
 
-This is [known to be needed][ml1] for the Realtek RTL8111DL Gigabit Ethernet
-Controller.
+This is [known to be needed][ml1] for the Realtek RTL8111DL Gigabit Ethernet Controller.
 
 ### PCI passthrough issues
 
@@ -168,22 +143,18 @@ Sometimes the PCI arbitrator is too strict.
 There is a way to enable permissive mode for it.
 See also: [this thread][ml2] and the Xen wiki's [PCI passthrough] page.
 
-**NOTE:** By setting the permissive flag for the PCI device, you're potentially
-weakening the device isolation, especially if your system is not equipped with
-VT-d Interrupt Remapping unit. 
+**NOTE:** By setting the permissive flag for the PCI device, you're potentially weakening the device isolation, especially if your system is not equipped with a VT-d Interrupt Remapping unit. 
 See [Software Attacks on Intel VT-d] (page 7)
 for more details.
 
 At other times, you may instead need to disable the FLR requirement on a device.
-This will also weaken device isolation; see the "I created a usbVM..." entry in
-the [FAQ](/doc/user-faq/) for more details.
+This will also weaken device isolation; see the "I created a usbVM..." entry in the [FAQ](/doc/user-faq/) for more details.
 
 R4.0
 ------------------------
 
 Permissive mode and strict reset are options set as part of PCI device attachment. 
-If you've already attached the PCI device to a VM, detach it first either with Qube Manager
-or `qvm-pci`, then list the available PCI devices:
+If you've already attached the PCI device to a VM, detach it first either with Qube Manager or `qvm-pci`, then list the available PCI devices:
 
 ~~~
 qvm-pci
@@ -191,26 +162,22 @@ qvm-pci
 
 This will show you the `backend:BDF` address of each PCI device.
 It will look something like `dom0:00_1a.0`. 
-Once you've found the address of the device you want to
-assign, then attach it like so:
+Once you've found the address of the device you want to assign, then attach it like so:
 
 ~~~
 qvm-pci attach --persistent --option <option1> [--option <option2>] <vmname> <backend>:<bdf>
 ~~~
 
-For example, if `00_1a.0` is the BDF of the device you want to assign to the
-"personal" domain, and it is particularly difficult to pass through you would do this:
+For example, if `00_1a.0` is the BDF of the device you want to assign to the "personal" domain, and it is particularly difficult to pass through you would do this:
 
 ~~~
 qvm-pci attach --persistent --option permissive=true --option no-strict-reset=true personal dom0:00_1a.0
 ~~~
 
-Running `qvm-pci` again should then show your PCI device attached with both the
-`permissive` and `no-strict-reset` options set.
+Running `qvm-pci` again should then show your PCI device attached with both the `permissive` and `no-strict-reset` options set.
 
 **Note** again that in most cases you should not need either of these options set. 
-Only set one or more of them as required to get your device to function,
-or replace the device with one that functions properly with Qubes.
+Only set one or more of them as required to get your device to function, or replace the device with one that functions properly with Qubes.
 
 R3.2
 ------------------------
@@ -242,17 +209,14 @@ qvm-prefs usbVM -s pci_strictreset false
 ```
 
 **Note** again that in most cases you should not need either of these options set.
-Only set one or more of them as required to get your device to function,
-or replace the device with one that functions properly with Qubes.
+Only set one or more of them as required to get your device to function, or replace the device with one that functions properly with Qubes.
 
 Bringing PCI device back to dom0
 --------------------------------
 
-By default, when a device is detached from a VM (or when a VM with an attached
-PCI device is shut down), the device is *not* automatically attached back to dom0. 
+By default, when a device is detached from a VM (or when a VM with an attached PCI device is shut down), the device is *not* automatically attached back to dom0. 
 This is an intended feature. 
-A device which was previously assigned to a VM less trusted than dom0 
-(which, in Qubes, is *all* of them) could attack dom0 if it were automatically reassigned there.
+A device which was previously assigned to a VM less trusted than dom0 (which, in Qubes, is *all* of them) could attack dom0 if it were automatically reassigned there.
 
 In order to re-enable the device in dom0, either:
 
@@ -260,8 +224,7 @@ In order to re-enable the device in dom0, either:
 
 or
 
- *  Go to the sysfs (`/sys/bus/pci`), find the right device, detach it from the
-    pciback driver, and attach it back to the original driver. 
+ *  Go to the sysfs (`/sys/bus/pci`), find the right device, detach it from the pciback driver, and attach it back to the original driver. 
     Replace `<BDF>` with your device, for example `00:1c.2`:
 
     ~~~

From 13e9e6095375e82a2a27294f8db1a507a2b0d277 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Mon, 5 Feb 2018 14:50:09 +0000
Subject: [PATCH 027/103] Fix 4.0 appmenu location and linebreaks

---
 common-tasks/managing-appvm-shortcuts.md | 31 +++++++++++++++---------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/common-tasks/managing-appvm-shortcuts.md b/common-tasks/managing-appvm-shortcuts.md
index 1a4c971b..238a70fd 100644
--- a/common-tasks/managing-appvm-shortcuts.md
+++ b/common-tasks/managing-appvm-shortcuts.md
@@ -11,11 +11,12 @@ redirect_from:
 Managing shortcuts to applications in AppVMs
 ============================================
 
-For ease of use Qubes aggregates shortcuts to applications that are installed in AppVMs and shows them in one "start menu" in dom0. Clicking on such shortcut runs the assigned application in its AppVM.
+For ease of use Qubes aggregates shortcuts to applications that are installed in AppVMs and shows them in one "start menu" in dom0.
+Clicking on such shortcut runs the assigned application in its AppVM.
 
 ![dom0-menu.png"](/attachment/wiki/ManagingAppVmShortcuts/dom0-menu.png)
 
-To make newly installed applications show up in the menu, use the **qvm-sync-appmenus** command (Linux VMs does this automatically):
+To make newly installed applications show up in the menu, use the **qvm-sync-appmenus** command (Linux VMs do this automatically):
 
 `qvm-sync-appmenus vmname`
 
@@ -33,28 +34,36 @@ What about applications in DispVMs?
 Behind the scenes
 -----------------
 
-`qvm-sync-appmenus` works by invoking *GetAppMenus* [Qubes service](/doc/qrexec/) in the target domain. This service enumerates installed applications and sends formatted info back to the dom0 script (`/usr/libexec/qubes-appmenus/qubes-receive-appmenus`) which creates .desktop files in the AppVM/TemplateVM directory.
+`qvm-sync-appmenus` works by invoking *GetAppMenus* [Qubes service](/doc/qrexec/) in the target domain.
+This service enumerates installed applications and sends formatted info back to the dom0 script (`/usr/libexec/qubes-appmenus/qubes-receive-appmenus`) which creates .desktop files in the AppVM/TemplateVM directory.
 
-For Linux VMs the service script is in `/etc/qubes-rpc/qubes.GetAppMenus`. In Windows it's a PowerShell script located in `c:\Program Files\Invisible Things Lab\Qubes OS Windows Tools\qubes-rpc-services\get-appmenus.ps1` by default.
+For Linux VMs the service script is in `/etc/qubes-rpc/qubes.GetAppMenus`. 
+In Windows it's a PowerShell script located in `c:\Program Files\Invisible Things Lab\Qubes OS Windows Tools\qubes-rpc-services\get-appmenus.ps1` by default.
 
  * R4.0
  
-   The list of installed applications for each AppVM is stored in dom0's `/home/user/.local/share/qubes-appmenus/vmname/apps.templates`. Each menu entry is a file that follows the [.desktop file format](https://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html) with some wildcards (*%VMNAME%*, *%VMDIR%*). Applications selected to appear in the menu are stored in `/var/lib/qubes/appvms/vmname/apps`.
+   The list of installed applications for each AppVM is stored in dom0's `/home/user/.local/share/qubes-appmenus/vmname/apps.templates`.
+   Each menu entry is a file that follows the [.desktop file format](https://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html) with some wildcards (*%VMNAME%*, *%VMDIR%*).
+   Applications selected to appear in the menu are stored in `/home/user/.local/share/qubes-appmenus/vmname/apps`.
     
-   Actual command lines for the menu shortcuts involve `qvm-run` command which starts a process in another domain. Examples: `qvm-run -q -a --service -- %VMNAME% qubes.StartApp+7-Zip-7-Zip_File_Manager` or
-   `qvm-run -q -a --service -- %VMNAME% qubes.StartApp+firefox`
+   Actual command lines for the menu shortcuts involve `qvm-run` command which starts a process in another domain. 
+   Examples: `qvm-run -q -a --service -- %VMNAME% qubes.StartApp+7-Zip-7-Zip_File_Manager` or `qvm-run -q -a --service -- %VMNAME% qubes.StartApp+firefox`
 
    Note that you can create a shortcut that points to a .desktop file in your AppVM with e.g. `qvm-run -q -a --service -- personal qubes.StartApp+firefox`
 
  * R3.2
 
-   The list of installed applications for each AppVM is stored in dom0's `/var/lib/qubes/vm-templates/templatename/apps.templates` (or in case of StandaloneVM: `/var/lib/qubes/appvms/vmname/apps.templates`). Each menu entry is a file that follows the [.desktop file format](https://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html) with some wildcards (*%VMNAME%*, *%VMDIR%*). Applications selected to appear in the menu are stored in `/var/lib/qubes/appvms/vmname/apps`.
+   The list of installed applications for each AppVM is stored in dom0's `/var/lib/qubes/vm-templates/templatename/apps.templates` (or in case of StandaloneVM: `/var/lib/qubes/appvms/vmname/apps.templates`). 
+   Each menu entry is a file that follows the [.desktop file format](https://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html) with some wildcards (*%VMNAME%*, *%VMDIR%*). 
+   Applications selected to appear in the menu are stored in `/var/lib/qubes/appvms/vmname/apps`.
     
-   Actual command lines for the menu shortcuts involve `qvm-run` command which starts a process in another domain. Examples: `qvm-run -q --tray -a w7s 'cmd.exe /c "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Calculator.lnk"'` or `qvm-run -q --tray -a untrusted 'firefox %u'`
+   Actual command lines for the menu shortcuts involve `qvm-run` command which starts a process in another domain. 
+   Examples: `qvm-run -q --tray -a w7s 'cmd.exe /c "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Calculator.lnk"'` or `qvm-run -q --tray -a untrusted 'firefox %u'`
 
-   Note that you can create a shortcut that points to a .desktop file in your AppVM with e.g. `qvm-run -q --tray -a personal -- 'qubes-desktop-run /home/user/application.desktop'`
+   Note that you can create a shortcut that points to a .desktop file in your AppVM with e.g. `qvm-run -q --tray -a personal -- 'qubes-desktop-run /home/user/application.desktop'`.
 
 What if my application has not been automatically included in the list of available apps?
 -----------------------------------------------------------------------------------------
 
-You can manually create new entries in the "available applications" list of shortcuts. See [Signal](/doc/signal/) for a worked example of creating a new menu item for a Chrome .desktop shortcut.
+You can manually create new entries in the "available applications" list of shortcuts.
+See [Signal](/doc/signal/) for a worked example of creating a new menu item for a Chrome .desktop shortcut.

From b9f742376398be054e78d44db721a8ced1dad191 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Mon, 5 Feb 2018 15:39:33 +0000
Subject: [PATCH 028/103] reorder sections more logically

and fix line breaks while I'm at it
---
 managing-os/reinstall-template.md | 131 ++++++++++++------------------
 1 file changed, 54 insertions(+), 77 deletions(-)

diff --git a/managing-os/reinstall-template.md b/managing-os/reinstall-template.md
index ac85dfc0..093e16ff 100644
--- a/managing-os/reinstall-template.md
+++ b/managing-os/reinstall-template.md
@@ -9,64 +9,29 @@ redirect_from:
 How to Reinstall a TemplateVM
 =============================
 
-If you suspect your [TemplateVM] is broken, misconfigured, or compromised, you
-can reinstall any TemplateVM that was installed from the Qubes repository.
+If you suspect your [TemplateVM] is broken, misconfigured, or compromised, you can reinstall any TemplateVM that was installed from the Qubes repository.
 
-If you are running Qubes R4.0, see "Manual Reinstallation Method (R4.0)" below.
-For Qubes R3.1 or R3.2, keep reading.
-For R3.0 and earlier, see "Manual Reinstallation Method (R3.0 or earlier)" below.
-
-First, copy any files that you wish to keep from the TemplateVM's `/home` and
-`/rw` folders to a safe storage location. Then, in a dom0 terminal, run:
-
-    $ sudo qubes-dom0-update --action=reinstall qubes-template-package-name
-
-Replace `qubes-template-package-name` with the name of the *package* of the
-template you wish to reinstall. For example, use `qubes-template-fedora-25` if
-you wish to reinstall the `fedora-25` template. Only one template can be
-reinstalled at a time.
-
-Note that Qubes may initially refuse to perform the reinstall if the exact revision of
-the template package on your system is no longer in the Qubes online repository. In
-this case, you can specify `upgrade` as the action instead and the newer version will be
-used. The other `dnf` package actions that are now supported in addition to `reinstall`
-and `upgrade` are `upgrade-to` and `downgrade`.
-
-**Reminder:** If you're trying to reinstall a template that is not in an enabled
-repo, you must enable that repo. For example:
-
-    $ sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=reinstall qubes-template-whonix-ws
-
-**Note:** VMs that are using the reinstalled template will not be affected until they are
-restarted.
+The procedure varies by Qubes version; see the appropriate section below.
 
 
 Manual Reinstallation Method (R4.0)
 ----------------------------
 
-If you're using Qubes 4.0 or newer, you should use the manual reinstallation
-method.
+If you're using Qubes 4.0 or newer, you should use the manual reinstallation method.
 
-In what follows, the term "target TemplateVM" refers to whichever TemplateVM you
-want to reinstall. If you want to reinstall more than one TemplateVM, repeat
-these instructions for each one.
+In what follows, the term "target TemplateVM" refers to whichever TemplateVM you want to reinstall.
+If you want to reinstall more than one TemplateVM, repeat these instructions for each one.
 
 1. Clone the existing target TemplateVM.
 
-   This can be a good idea if you've customized the existing template and want
-   to keep your customizations. On the other hand, if you suspect that this
-   template is broken, misconfigured, or compromised, be certain you do not
-   start any VMs using it in the below procedure.
+   This can be a good idea if you've customized the existing template and want to keep your customizations.
+   On the other hand, if you suspect that this template is broken, misconfigured, or compromised, be certain you do not start any VMs using it in the below procedure.
 
-2. Temporarily change all VMs based on the target TemplateVM to the new clone
-   template, or remove them.
+2. Temporarily change all VMs based on the target TemplateVM to the new clone template, or remove them.
 
-   This can be a good idea if you have user data in these VMs that you want to
-   keep. On the other hand, if you suspect that these VMs (or the templates on
-   which they are based) are broken, misconfigured, or compromised, you may
-   want to remove them instead. You can do this in Qubes Manager by
-   right-clicking on the VM and clicking **Remove VM**, or you can use the
-   command `qvm-remove <vm-name>` in dom0.
+   This can be a good idea if you have user data in these VMs that you want to keep.
+   On the other hand, if you suspect that these VMs (or the templates on which they are based) are broken, misconfigured, or compromised, you may want to remove them instead. 
+   You can do this in Qubes Manager by right-clicking on the VM and clicking **Remove VM**, or you can use the command `qvm-remove <vm-name>` in dom0.
 
 3. Uninstall the target TemplateVM from dom0:
 
@@ -86,32 +51,51 @@ these instructions for each one.
         $ sudo qubes-dom0-update --enablerepo=qubes-templates-community \
           qubes-template-whonix-gw
 
-5. If you temporarily changed all VMs based on the target TemplateVM to the
-   clone template in step 3, change them back to the new target TemplateVM now.
-   If you instead removed all VMs based on the old target TemplateVM, you can
-   recreate your desired VMs from the newly reinstalled target TemplateVM now.
+5. If you temporarily changed all VMs based on the target TemplateVM to the clone template in step 3, change them back to the new target TemplateVM now.
+   If you instead removed all VMs based on the old target TemplateVM, you can recreate your desired VMs from the newly reinstalled target TemplateVM now.
    
-6. Delete the cloned template. You can do this in Qubes Manager by
-   right-clicking on the VM and clicking **Remove VM**, or you can use the
+6. Delete the cloned template.
+   You can do this in Qubes Manager by right-clicking on the VM and clicking **Remove VM**, or you can use the
    command `qvm-remove <vm-name>` in dom0.
    
+   
+Manual Reinstallation Method (R3.1 - R3.2)
+----------------------------
+
+First, copy any files that you wish to keep from the TemplateVM's `/home` and `/rw` folders to a safe storage location.
+Then, in a dom0 terminal, run:
+
+    $ sudo qubes-dom0-update --action=reinstall qubes-template-package-name
+
+Replace `qubes-template-package-name` with the name of the *package* of the template you wish to reinstall.
+For example, use `qubes-template-fedora-25` if you wish to reinstall the `fedora-25` template.
+Only one template can be reinstalled at a time.
+
+Note that Qubes may initially refuse to perform the reinstall if the exact revision of the template package on your system is no longer in the Qubes online repository.
+In this case, you can specify `upgrade` as the action instead and the newer version will be used. 
+The other `dnf` package actions that are supported in addition to `reinstall` and `upgrade` are `upgrade-to` and `downgrade`.
+
+**Reminder:** If you're trying to reinstall a template that is not in an enabled repo, you must enable that repo.
+For example:
+
+    $ sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=reinstall qubes-template-whonix-ws
+
+**Note:** VMs that are using the reinstalled template will not be affected until they are restarted.
+
+
 Manual Reinstallation Method (R3.0 or earlier)
 ----------------------------
 
-If you're using Qubes 3.0 or older, you should use the manual reinstallation
-method. You can also use this method on later Qubes versions if, for any reason,
-you want to reinstall a template manually.
+If you're using Qubes 3.0 or older, you should use the manual reinstallation method. 
+You can also use this method on later Qubes versions if, for any reason, you want to reinstall a template manually.
 
-In what follows, the term "target TemplateVM" refers to whichever TemplateVM you
-want to reinstall. If you want to reinstall more than one TemplateVM, repeat
-these instructions for each one.
+In what follows, the term "target TemplateVM" refers to whichever TemplateVM you want to reinstall. 
+If you want to reinstall more than one TemplateVM, repeat these instructions for each one.
 
 1. (Optional) Clone the existing target TemplateVM.
 
-   This can be a good idea if you've customized the existing template and want
-   to keep your customizations. On the other hand, if you suspect that this
-   template is broken, misconfigured, or compromised, you may want to remove it
-   without cloning it.
+   This can be a good idea if you've customized the existing template and want to keep your customizations. 
+   On the other hand, if you suspect that this template is broken, misconfigured, or compromised, you may want to remove it without cloning it.
 
 2. Create a temporary dummy template:
 
@@ -119,19 +103,14 @@ these instructions for each one.
         touch /var/lib/qubes/vm-templates/dummy/{root.img,private.img}
         qvm-add-template dummy
 
-3. Temporarily change all VMs based on the target TemplateVM to the new dummy
-   template, or remove them.
+3. Temporarily change all VMs based on the target TemplateVM to the new dummy template, or remove them.
 
-   This can be a good idea if you have user data in these VMs that you want to
-   keep. On the other hand, if you suspect that these VMs (or the templates on
-   which they are based) are broken, misconfigured, or compromised, you may
-   want to remove them instead. You can do this in Qubes Manager by
-   right-clicking on the VM and clicking **Remove VM**, or you can use the
-   command `qvm-remove <vm-name>` in dom0.
+   This can be a good idea if you have user data in these VMs that you want to keep. 
+   On the other hand, if you suspect that these VMs (or the templates on which they are based) are broken, misconfigured, or compromised, you may want to remove them instead.
+   You can do this in Qubes Manager by right-clicking on the VM and clicking **Remove VM**, or you can use the command `qvm-remove <vm-name>` in dom0.
 
-   Using a dummy template as a temporary template is preferable to using another
-   real TemplateVM because you can't accidentally boot any VMs from the dummy
-   template. (There is no OS in the dummy template, so the boot will fail.)
+   Using a dummy template as a temporary template is preferable to using another real TemplateVM because you can't accidentally boot any VMs from the dummy template.
+   (There is no OS in the dummy template, so the boot will fail.)
 
 4. Uninstall the target TemplateVM from dom0:
 
@@ -151,10 +130,8 @@ these instructions for each one.
         $ sudo qubes-dom0-update --enablerepo=qubes-templates-community \
           qubes-template-whonix-gw
 
-6. If you temporarily changed all VMs based on the target TemplateVM to the
-   dummy template in step 3, change them back to the new target TemplateVM now.
-   If you instead removed all VMs based on the old target TemplateVM, you can
-   recreate your desired VMs from the newly reinstalled target TemplateVM now.
+6. If you temporarily changed all VMs based on the target TemplateVM to the dummy template in step 3, change them back to the new target TemplateVM now.
+   If you instead removed all VMs based on the old target TemplateVM, you can recreate your desired VMs from the newly reinstalled target TemplateVM now.
 
 [TemplateVM]: /doc/templates/
 

From 01dee1b2a833c5212134ad281716fe70194a5d4e Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Mon, 5 Feb 2018 15:48:44 +0000
Subject: [PATCH 029/103] fix line breaks

---
 configuration/secondary-storage.md | 46 +++++++++++-------------------
 1 file changed, 17 insertions(+), 29 deletions(-)

diff --git a/configuration/secondary-storage.md b/configuration/secondary-storage.md
index 1bfbfaff..76c455b5 100644
--- a/configuration/secondary-storage.md
+++ b/configuration/secondary-storage.md
@@ -11,19 +11,15 @@ redirect_from:
 Storing AppVMs on Secondary Drives
 ==================================
 
-Suppose you have a fast but small primary SSD and a large but slow secondary
-HDD.  You want to store a subset of your AppVMs on the HDD.
+Suppose you have a fast but small primary SSD and a large but slow secondary HDD.
+You want to store a subset of your AppVMs on the HDD.
 
 ### R4.0 ###
 
-Qubes 4.0 is more flexible than earlier versions about placing different VMs on
-different disks. For example, you can keep templates on one disk and
-AppVMs on another, without messy symlinks.
+Qubes 4.0 is more flexible than earlier versions about placing different VMs on different disks. 
+For example, you can keep templates on one disk and AppVMs on another, without messy symlinks.
 
-Assuming you have already created a separate [volume group](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/logical_volume_manager_administration/vg_admin#VG_create) and
-[thin pool](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/logical_volume_manager_administration/thinly_provisioned_volume_creation)
-(not thin volume) for your HDD,
-first collect some information in a dom0 terminal:
+Assuming you have already created a separate [volume group](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/logical_volume_manager_administration/vg_admin#VG_create) and [thin pool](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/logical_volume_manager_administration/thinly_provisioned_volume_creation) (not thin volume) for your HDD, first collect some information in a dom0 terminal:
 
     sudo pvs
     sudo lvs
@@ -39,21 +35,17 @@ Now, you can create qubes in that pool:
 
     qvm-create -P pool_name --label red vmname
 
-It isn't possible to directly migrate an existing qube to the new pool, but
-you can clone it there, then remove the old one:
+It isn't possible to directly migrate an existing qube to the new pool, but you can clone it there, then remove the old one:
 
     qvm-clone -P pool_name old_name new_name
     qvm-remove old_name
 
-If that was a template, or other qube referenced elsewhere (NetVM or
-such), you will need to adjust those references manually after moving.
+If that was a template, or other qube referenced elsewhere (NetVM or such), you will need to adjust those references manually after moving.
 For example:
 
     qvm-prefs appvm_based_on_old_name_template template new_name
 
-In theory, you can still use file-based disk images ("file" pool driver),
-but it lacks some features such as you won't be able to do
-backups without shutting down the qube.
+In theory, you can still use file-based disk images ("file" pool driver), but it lacks some features such as you won't be able to do backups without shutting down the qube.
 
 ### R3.2 ###
 
@@ -62,21 +54,17 @@ In dom0:
     mv /var/lib/qubes/appvms/my-new-appvm /path/to/secondary/drive/my-new-appvm
     ln -s /path/to/secondary/drive/my-new-appvm /var/lib/qubes/appvms/
 
-Now, `my-new-appvm` will behave as if it were still stored on the primary SSD
-(except that it will probably be slower, since it's actually stored on the
-secondary HDD).
+Now, `my-new-appvm` will behave as if it were still stored on the primary SSD (except that it will probably be slower, since it's actually stored on the secondary HDD).
 
- * The above procedure does **not** interfere with [Qubes Backup][]. However,
-   attempting to symlink a `private.img` file (rather than the whole AppVM
-   directory) is known to prevent the `private.img` file from being backed up.
-   The same problem may occur if the above procedure is attempted on a
-   [TemplateVM][]. [[1]]
+ * The above procedure does **not** interfere with [Qubes Backup][].
+   However, attempting to symlink a `private.img` file (rather than the whole AppVM directory) is known to prevent the `private.img` file from being backed up.
+   The same problem may occur if the above procedure is attempted on a [TemplateVM][]. [[1]]
 
- * After implementing the above procedure, starting `my-new-appvm` will cause
-   dom0 notifications to occur stating that loop devices have been attached to
-   dom0. This is normal. (No untrusted devices are actually being mounted to
-   dom0.) Do not attempt to detach these disks. (They will automatically be
-   detached when you shut down the AppVM.) [[2]]
+ * After implementing the above procedure, starting `my-new-appvm` will cause dom0 notifications to occur stating that loop devices have been attached to dom0.
+   This is normal. 
+   (No untrusted devices are actually being mounted to dom0.)
+   Do not attempt to detach these disks.
+   (They will automatically be detached when you shut down the AppVM.) [[2]]
 
 [Qubes Backup]: https://www.qubes-os.org/doc/BackupRestore/
 [TemplateVM]: https://www.qubes-os.org/doc/Templates/

From e36fc0ec3bd8216422a1356ffb99c952a4b61478 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Mon, 5 Feb 2018 15:55:34 +0000
Subject: [PATCH 030/103] Fix line breaks and misc spelling

---
 configuration/resize-disk-image.md | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/configuration/resize-disk-image.md b/configuration/resize-disk-image.md
index 5aa6321f..dd5aaf25 100644
--- a/configuration/resize-disk-image.md
+++ b/configuration/resize-disk-image.md
@@ -11,7 +11,8 @@ redirect_from:
 Resize Private Disk Image
 -----------------
 
-There are several disk images which can be easily extended, but pay attention to the overall consumed space of your sparse disk images. See also additional information and caveats about [resizing the root disk image](/doc/resize-root-disk-image/).
+There are several disk images which can be easily extended, but pay attention to the overall consumed space of your sparse disk images.
+See also additional information and caveats about [resizing the root disk image](/doc/resize-root-disk-image/).
 
 
 ### Private disk image (R4.0)
@@ -46,7 +47,8 @@ Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to
 
 ### Shrinking private disk image (Linux VM, R3.2)
 
-**This operation is dangerous and this is why it isn't available in standard Qubes tools. If you have enough disk space, it is safer to create a new VM with a smaller disk and move the data.**
+**This operation is dangerous and this is why it isn't available in standard Qubes tools.
+If you have enough disk space, it is safer to create a new VM with a smaller disk and move the data.**
 
 The basic idea is to:
 
@@ -55,15 +57,16 @@ The basic idea is to:
 
 Ext4 does not support online shrinking, so it can't be done as conveniently as growing the image.
 Note that we don't want to touch the VM filesystem directly in dom0 for security reasons. 
-First you need to start VM without `/rw` mounted. One possibility is to interrupt its normal startup
-by adding the `rd.break` kernel option:
+First you need to start VM without `/rw` mounted. 
+One possibility is to interrupt its normal startup by adding the `rd.break` kernel option:
 
 ~~~
 qvm-prefs -s <vm-name> kernelopts rd.break
 qvm-start --no-guid <vm-name>
 ~~~
 
-And wait for qrexec connect timeout (or simply press Ctrl-C). Then you can connect to VM console and shrink the filesystem:
+And wait for qrexec connect timeout (or simply press Ctrl-C). 
+Then you can connect to VM console and shrink the filesystem:
 
 ~~~
 sudo xl console <vm-name>
@@ -85,7 +88,9 @@ Now you can resize the image:
 truncate -s <new-desired-size> /var/lib/qubes/appvms/<vm-name>/private.img
 ~~~
 
-**It is critical to use the same (or bigger for some safety margin) size in truncate call compared to resize2fs call. Otherwise you will loose your data!** Then reset kernel options back to default:
+**It is critical to use the same (or bigger for some safety margin) size in truncate call compared to resize2fs call.
+Otherwise you will lose your data!** 
+Then reset kernel options back to default:
 
 ~~~
 qvm-prefs -s <vm-name> kernelopts default
@@ -93,17 +98,18 @@ qvm-prefs -s <vm-name> kernelopts default
 
 Done.
 
->In order to avoid error, you might want to first reduce the filesystem to a smaller size than desired (say 3G), then truncate the image to the target size (for example 4G), and lastly grow the filesystem to the target size. In order to do this, after the `truncate` step, start the vm again in maintenance mode and use the following command to extend the filesystem to the correct size : `resize2fs /dev/xvdb`.
+>In order to avoid error, you might want to first reduce the filesystem to a smaller size than desired (say 3G), then truncate the image to the target size (for example 4G), and lastly grow the filesystem to the target size.
+>In order to do this, after the `truncate` step, start the vm again in maintenance mode and use the following command to extend the filesystem to the correct size : `resize2fs /dev/xvdb`.
 >
->With no argument, resize2fs grows the filesystem to match the underlying block device (the .img file you just shrunk)
+>With no argument, resize2fs grows the filesystem to match the underlying block device (the .img file you just shrunk).
 
 
 OS Specific Follow-up Instructions
 -----------------
 
 After resizing volumes, the partition table and file-system may need to be adjusted.
-Use tools appropriate to the OS in your qube. Brief instructions for Windows 7,
-FreeBSD, and Linux are provided below.
+Use tools appropriate to the OS in your qube.
+Brief instructions for Windows 7, FreeBSD, and Linux are provided below.
 
 #### Windows 7
 

From d6910de8b046f1a35f49edea63cfe6d63acfb04a Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Mon, 5 Feb 2018 15:56:51 +0000
Subject: [PATCH 031/103] fix line breaks

---
 configuration/resize-root-disk-image.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/configuration/resize-root-disk-image.md b/configuration/resize-root-disk-image.md
index eef31d8b..3c3567b4 100644
--- a/configuration/resize-root-disk-image.md
+++ b/configuration/resize-root-disk-image.md
@@ -53,7 +53,9 @@ Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to
 
 ### Resize a StandaloneVM Root Image (R3.2)
 
-Another way to increase the size of `root.img` is to turn your TemplateVM into a StandaloneVM. Doing this means it will have it's own root filesystem *(StandaloneVMs use a copy of template, instead of smart sharing)*. To do this run `qvm-create --standalone` from `dom0` console.
+Another way to increase the size of `root.img` is to turn your TemplateVM into a StandaloneVM.
+Doing this means it will have it's own root filesystem *(StandaloneVMs use a copy of template, instead of smart sharing)*.
+To do this run `qvm-create --standalone` from `dom0` console.
 
 In `dom0` console run the following command (replace the size and path):
 

From f74759eede77b8503a03d3ea24b5a46dafa18307 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Tue, 6 Feb 2018 08:08:07 +0000
Subject: [PATCH 032/103] disk-trim 4.0 updates

add introduction
relocate some existing content to introduction
add generic content
add 4.0 and 3.2.1 content
update 3.2 content
remove reference to WONTFIX bug
---
 configuration/disk-trim.md | 84 +++++++++++++++++++++++++++++++++-----
 1 file changed, 74 insertions(+), 10 deletions(-)

diff --git a/configuration/disk-trim.md b/configuration/disk-trim.md
index cbb67259..7478fd98 100644
--- a/configuration/disk-trim.md
+++ b/configuration/disk-trim.md
@@ -8,31 +8,95 @@ redirect_from:
 - /wiki/DiskTRIM/
 ---
 
-VMs have already TRIM enabled by default, but dom0 doesn't. There are some security implications (read for example [this article](https://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html)), but IMO not very serious.
+Disk Trim
+----------
+
+Disk trimming is the procedure by which the operating system informs the underlying storage device of which storage blocks are no longer in use.
+It does this by issuing an `ATA_TRIM` command for the block. This is also known as a `discard`.
+In this way, the storage device can perform garbage collection of the unused blocks and internally prepare them for reuse. SSDs in general benefit from this, while HDDs do not.
+
+In a Linux system running on bare metal, this is relatively straight-forward. 
+When instructed by the operating system, discards are issued by the file-system driver directly to the storage driver and then to the SSD.
+
+In Qubes, this gets more complex due to virtualization, LUKS, and LVM (and thin pools on R4.0 and up).
+If you run `fstrim --all` inside a TemplateVM, the `discard` can follow a path like:
+
+    OS -> File-system Driver -> Virtual Storage Driver -> Backend Storage Driver -> LVM Storage Driver -> LUKS Driver -> Physical Storage Driver -> Physical Storage Device
+    
+If discards are not supported at any one of those layers, it will not make it to the underlying physical device.
+
+There are some security implications to permitting TRIM (read for example [this article](https://asalor.blogspot.com/2011/08/trim-dm-crypt-problems.html)), but in most cases not exploitable.
+
+
+Configuration
+----------
+
+In all versions of Qubes, you may want to set up a periodic job in `dom0` to trim the disk.
+
+This can be done from a terminal as root, by creating a `trim` file in `/etc/cron.daily` (or `/etc/cron.weekly`).
+Add the following contents:
+
+```
+#!/bin/bash
+/sbin/fstrim --all
+```
+
+And mark it as executable with `chmod 755 /etc/cron.daily/trim`.
+
+**Note** Although discards can be issued on every delete by adding the `discard` mount option to `/etc/fstab`, this option can hurt performance so the above procedure is recommended instead.
+
+If you are using Qubes with LVM, you may also want to set `issue_discards = 1` in `/etc/lvm/lvm.conf`.
+Setting this option will permit LVM to issue discards to the SSD when logical volumes are shrunk or deleted.
+This is relatively rare in R3.x, but more frequent in R4.x with disposable VMs.
+
+To verify if discards are enabled you may use `dmsetup table` (confirm the line for your device mentions "discards") or just run `fstrim -av` (you should see a number of bytes trimmed).
+
+See also version specific notes below.
+
+
+R4.0
+----------
+
+TRIM support is enabled by default at all layers, including LUKS.
+
+LVM Logical volumes are frequently deleted (every time a disposable VM is shut down, for example) so setting `issue_discards = 1` in `/etc/lvm/lvm.conf` is recommended if using an SSD.
+
+
+R3.2.1
+----------
+
+TRIM support is enabled by default at all layers, including LUKS.
+
+
+R3.2
+----------
+
+VMs have already TRIM enabled by default, but dom0 doesn't. 
 
 To enable TRIM in dom0 you need:
 
-1.  Get your LUKS device UUID:
+1. Get your LUKS device UUID:
 
     ~~~
     ls /dev/mapper/luks-*
     ~~~
 
-2.  Add entry to `/etc/crypttab` (replace luks-\<UUID\> with the device name and the \<UUID\> with UUID alone):
+2. Add entry to `/etc/crypttab` (replace luks-\<UUID\> with the device name and the \<UUID\> with UUID alone):
 
     ~~~
-    luks-<UUID> UUID=<UUID> none allow-discards
+    luks-<UUID> UUID=<UUID> none discard
     ~~~
 
-3.  Add `rd.luks.allow-discards=1` to kernel cmdline (`/etc/default/grub`, GRUB\_CMDLINE\_LINUX line)
-4.  Rebuild grub config (`grub2-mkconfig -o /boot/grub2/grub.cfg`)
-5.  Rebuild initrd **in hostonly mode**:
+3. Add `rd.luks.options=discard` to kernel cmdline (follow either GRUB2 or EFI, not both): 
+    * GRUB2: `/etc/default/grub`, `GRUB_CMDLINE_LINUX` line and  
+      Rebuild grub config (`grub2-mkconfig -o /boot/grub2/grub.cfg`)   
+    * EFI: `/boot/efi/EFI/qubes/xen.cfg`, `kernel=` line(s)
+
+4. Rebuild initrd **in hostonly mode**:
 
     ~~~
     dracut -H -f
     ~~~
 
-6.  Add "discard" option to `/etc/fstab` for root device
-7.  Reboot the system, verify that allow-discards is really enabled (`dmsetup table`)
+5. Reboot the system and verify that discards are really enabled.
 
-There is a [bug affecting allow-discards option](https://bugzilla.redhat.com/show_bug.cgi?id=890533), once it will be fixed, first two steps will be no longer needed.

From 0083c0c7fef2f698dc98fe0f051f36360edf63ca Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Tue, 6 Feb 2018 12:21:39 +0000
Subject: [PATCH 033/103] collapse sections, explain LUKS

---
 configuration/disk-trim.md | 37 ++++++++++++-------------------------
 1 file changed, 12 insertions(+), 25 deletions(-)

diff --git a/configuration/disk-trim.md b/configuration/disk-trim.md
index 7478fd98..5a430b08 100644
--- a/configuration/disk-trim.md
+++ b/configuration/disk-trim.md
@@ -19,7 +19,7 @@ In a Linux system running on bare metal, this is relatively straight-forward.
 When instructed by the operating system, discards are issued by the file-system driver directly to the storage driver and then to the SSD.
 
 In Qubes, this gets more complex due to virtualization, LUKS, and LVM (and thin pools on R4.0 and up).
-If you run `fstrim --all` inside a TemplateVM, the `discard` can follow a path like:
+If you run `fstrim --all` inside a TemplateVM, in a worst case the `discard` can follow a path like:
 
     OS -> File-system Driver -> Virtual Storage Driver -> Backend Storage Driver -> LVM Storage Driver -> LUKS Driver -> Physical Storage Driver -> Physical Storage Device
     
@@ -43,37 +43,21 @@ Add the following contents:
 
 And mark it as executable with `chmod 755 /etc/cron.daily/trim`.
 
-**Note** Although discards can be issued on every delete by adding the `discard` mount option to `/etc/fstab`, this option can hurt performance so the above procedure is recommended instead.
+**Note** Although discards can be issued on every delete inside `dom0` by adding the `discard` mount option to `/etc/fstab`, this option can hurt performance so the above procedure is recommended instead.
+However, inside App and Template qubes, the `discard` mount option is on by default to notify the LVM thin pool driver (R4.0) or sparse file driver (R3.2) that the space is no longer needed and can be zeroed and re-used.
 
 If you are using Qubes with LVM, you may also want to set `issue_discards = 1` in `/etc/lvm/lvm.conf`.
 Setting this option will permit LVM to issue discards to the SSD when logical volumes are shrunk or deleted.
-This is relatively rare in R3.x, but more frequent in R4.x with disposable VMs.
-
-To verify if discards are enabled you may use `dmsetup table` (confirm the line for your device mentions "discards") or just run `fstrim -av` (you should see a number of bytes trimmed).
-
-See also version specific notes below.
+In R4.x, LVM Logical volumes are frequently deleted (every time a disposable VM is shut down, for example) so setting `issue_discards = 1` is recommended if using an SSD.
+However, this is relatively rare in R3.x.
 
 
-R4.0
+LUKS
 ----------
 
-TRIM support is enabled by default at all layers, including LUKS.
+If you have enabled LUKS in dom0, discards will not get passed down to the storage device. 
 
-LVM Logical volumes are frequently deleted (every time a disposable VM is shut down, for example) so setting `issue_discards = 1` in `/etc/lvm/lvm.conf` is recommended if using an SSD.
-
-
-R3.2.1
-----------
-
-TRIM support is enabled by default at all layers, including LUKS.
-
-
-R3.2
-----------
-
-VMs have already TRIM enabled by default, but dom0 doesn't. 
-
-To enable TRIM in dom0 you need:
+To enable TRIM support in dom0 with LUKS you need to:
 
 1. Get your LUKS device UUID:
 
@@ -98,5 +82,8 @@ To enable TRIM in dom0 you need:
     dracut -H -f
     ~~~
 
-5. Reboot the system and verify that discards are really enabled.
+5. Reboot the system.
+
+6. To verify if discards are enabled you may use `dmsetup table` (confirm the line for your device mentions "discards") or just run `fstrim -av` (you should see a `/` followed by the number of bytes trimmed).
+
 

From 6e2f0f3b45f444df6fdb8906cd872d8a46a964a7 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 7 Feb 2018 11:02:52 +0000
Subject: [PATCH 034/103] network-printer 4.0 updates

"the default template" -> "a DVM template" since R4.0 can have more than one
fix line breaks
---
 configuration/network-printer.md | 29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/configuration/network-printer.md b/configuration/network-printer.md
index 6cb9a0cd..adf7d43f 100644
--- a/configuration/network-printer.md
+++ b/configuration/network-printer.md
@@ -14,27 +14,42 @@ Configuring a network printer for Qubes AppVMs
 Where to configure printers and install drivers?
 ------------------------------------------------
 
-One would normally want to configure a printer in a template VM, rather than in particular AppVMs. This is because all the global settings made to AppVMs (those stored in its /etc, as well as binaries installed in /usr) would be discarded upon AppVM shutdown. When printer is added and configured in a template VM, then all the AppVMs based on this template should automatically be able to use it (without the need for the template VM to be running, of course).
+One would normally want to configure a printer in a template VM, rather than in particular AppVMs.
+This is because all the global settings made to AppVMs (those stored in its /etc, as well as binaries installed in /usr) would be discarded upon AppVM shutdown. 
+When printer is added and configured in a template VM, then all the AppVMs based on this template should automatically be able to use it (without the need for the template VM to be running, of course).
 
 Alternatively one can add a printer in a standalone VM, but this would limit the printer usage to this particular VM.
 
 Security considerations for network printers and drivers
 --------------------------------------------------------
 
-Some printers require third-party drivers, typically downloadable from the vendor's website. Such drivers are typically distributed in a form of ready to install RPM packages. However, they are often unsigned, and additionally the downloads are available via HTTP connections only. As a result, installation of such third-party RPMs in a default template VM exposes a risk of compromise of this template VM, which, in turn, leads automatically to compromise of all the AppVMs based on the template. (Again, it's not buggy or malicious drivers that we fear here, but rather malicious installation scripts for those drivers).
+Some printers require third-party drivers, typically downloadable from the vendor's website. 
+Such drivers are typically distributed in a form of ready to install RPM packages. 
+However, they are often unsigned, and additionally the downloads are available via HTTP connections only.
+As a result, installation of such third-party RPMs in a default template VM exposes a risk of compromise of this template VM, which, in turn, leads automatically to compromise of all the AppVMs based on the template. 
+(Again, it's not buggy or malicious drivers that we fear here, but rather malicious installation scripts for those drivers).
 
-In order to mitigate this risk, one might consider creating a custom template (i.e. clone the original template) and then install the third-party, unverified drivers there. Such template might then be made the default template for [Disposable VM creation](/doc/dispvm/), which should allow one to print any document by right-clicking on it, choosing "Open in Disposable VM" and print from there. This would allow to print documents from more trusted AppVMs (based on a trusted default template, that is not poisoned by third-party printer drivers).
+In order to mitigate this risk, one might consider creating a custom template (i.e. clone the original template) and then install the third-party, unverified drivers there.
+Such template might then be made a DVM template for [Disposable VM creation](/doc/dispvm/), which should allow one to print any document by right-clicking on it, choosing "Open in Disposable VM" and print from there.
+This would allow to print documents from more trusted AppVMs (based on a trusted default template that is not poisoned by third-party printer drivers).
 
-However, one should be aware that most (all?) network printing protocols are insecure, unencrypted protocols. This means, that an attacker who is able to sniff the local network, or who is controlling the (normally untrusted) Qubes NetVM, will likely to be able to see the documents being printed. This is a limitation of today's printers and printing protocols, something that cannot be solved by Qubes or any other OS.
+However, one should be aware that most (all?) network printing protocols are insecure, unencrypted protocols. 
+This means, that an attacker who is able to sniff the local network, or who is controlling the (normally untrusted) Qubes NetVM, will likely to be able to see the documents being printed.
+This is a limitation of today's printers and printing protocols, something that cannot be solved by Qubes or any other OS.
 
-Additionally, the printer drivers as well as CUPS application itself, might be buggy and might got exploited when talking to a compromised printer (or by an attacker who controls the local network, or the default NetVM). Consider not using printing from your more trusted AppVMs for this reason.
+Additionally, the printer drivers as well as CUPS application itself, might be buggy and might get exploited when talking to a compromised printer (or by an attacker who controls the local network, or the default NetVM).
+Consider not using printing from your more trusted AppVMs for this reason.
 
 Steps to configure a network printer in a template VM
 ----------------------------------------------------------
 
 1.  Start the "Printer Settings" App in a template VM (either via Qubes "Start Menu", or by launching the `system-config-printer` in the template).
-2.  Add/Configure the printer in the same way as one would do on any normal Linux. Be sure to allow network access from the template VM to your printer, as normally the template VM is not allowed any network access, except to the Qubes proxy for software installation. One can use Qubes Manager to modify firewall rules for particular VMs.
+2.  Add/Configure the printer in the same way as one would do on any normal Linux.
+  You may need to allow network access from the template VM to your printer to complete configuration, as normally the template VM is not allowed any network access except to the Qubes proxy for software installation.
+  One can use Qubes Manager to modify firewall rules for particular VMs.
 3.  Optional: Test the printer by printing a test page. If it works, shut down the template VM.
-4.  Open an AppVM (make sure it's based on the template where you just installed the printer, normally all AppVMs are based on the default template), and test if printing works. If it doesn't then probably the AppVM doesn't have networking access to the printer -- in that case adjust the firewall settings for that AppVM in Qubes Manager. Also, make sure that the AppVM gets restarted after the template was shutdown.
+4.  Open an AppVM (make sure it's based on the template where you just installed the printer, normally all AppVMs are based on the default template), and test if printing works.
+  If it doesn't then probably the AppVM doesn't have networking access to the printer -- in that case adjust the firewall settings for that AppVM in Qubes Manager. 
+  Also, make sure that the AppVM gets restarted after the template was shutdown.
 5.  Alternatively if you do not want to modify the firewall rules of the template VM (that have security scope) you can simply shut down the template VM without trying to print the test page (which will not work), start or restart an AppVM based on the template and test printing there.
 

From 0f5ba79d4cb486f5b23598a1078c5818553e2559 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 7 Feb 2018 11:14:34 +0000
Subject: [PATCH 035/103] external-audio 4.0 updates

yum -> dnf
fix line breaks
---
 configuration/external-audio.md | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/configuration/external-audio.md b/configuration/external-audio.md
index 27f05ae7..f9dcc363 100644
--- a/configuration/external-audio.md
+++ b/configuration/external-audio.md
@@ -14,19 +14,24 @@ Using External Audio Devices
 Why you want to use external audio devices
 ------------------------------------------
 
-Qubes audio virtualization protocol does not implement latency reporting for security reasons, keeping the protocol as simple as possible. Also, in a compromise between low latency and low CPU usage, latency may be around 200 ms. So applications demanding higher audio quality (even Skype) need a better environment. But Qubes flexibility fully allows that using external audio devices. These are mostly USB audio cards, but firewire devices also might be used.
+Qubes audio virtualization protocol does not implement latency reporting for security reasons, keeping the protocol as simple as possible.
+Also, in a compromise between low latency and low CPU usage, latency may be around 200 ms.
+So applications demanding higher audio quality (even Skype) need a better environment.
+But Qubes flexibility fully allows that using external audio devices. 
+These are mostly USB audio cards, but firewire devices also might be used.
 
 Implementing external audio devices
 -----------------------------------
 
-First you need to identify an user VM dedicated to audio and [assign a device](/doc/AssigningDevices) to it. In the most common case the assigned device is the USB controller to which your USB audio card will be connected.
+First you need to identify an user VM dedicated to audio and [assign a device](/doc/AssigningDevices) to it.
+In the most common case the assigned device is the USB controller to which your USB audio card will be connected.
 
 ### Fedora VMs
 
 In a terminal of the template from which you user VM depends, install pavucontrol with:
 
 ~~~
-sudo yum install pavucontrol
+sudo dnf install pavucontrol
 ~~~
 
 Close the template and start or restart your user VM, insert your external audio device, open a terminal and prepare pulseaudio to use it with:
@@ -38,9 +43,10 @@ pactl load-module module-udev-detect
 
 Start the audio application that is going to use the external audio device.
 
-Launch pavucontrol, for example using "run command in VM" of Qubes Manager and select you external audio card in pavucontrol. You need to do that only the first time you use a new external audio device, then pulse audio will remember you selection.
+Launch pavucontrol, for example using "run command in VM" of Qubes Manager and select you external audio card in pavucontrol.
+You need to do that only the first time you use a new external audio device, then pulse audio will remember you selection.
 
-If you detach your external audio device, then want to insert it again, or change it with another one, you need to repeat the previous commands in terminal, adding an other line at the beginning:
+If you detach your external audio device, then want to insert it again (or want to change it with another one), you need to repeat the previous commands in terminal adding another line at the beginning:
 
 ~~~
 pactl unload-module module-udev-detect

From 7c8ff903e8cfeb6faeb0f8081aa1d6ed132b3546 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 7 Feb 2018 11:28:14 +0000
Subject: [PATCH 036/103] remove "Booting with GRUB2 and GPT"

---
 doc.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/doc.md b/doc.md
index 08ddea76..c59a061a 100644
--- a/doc.md
+++ b/doc.md
@@ -139,7 +139,6 @@ Configuration Guides
  * [Enabling TRIM for SSD disks](/doc/disk-trim/)
  * [Configuring a Network Printer](/doc/network-printer/)
  * [Using External Audio Devices](/doc/external-audio/)
- * [Booting with GRUB2 and GPT](https://groups.google.com/group/qubes-devel/browse_thread/thread/e4ac093cabd37d2b/d5090c20d92c4128#d5090c20d92c4128)
  * [Rxvt Guide](/doc/rxvt/)
  * [Managing VM kernel](/doc/managing-vm-kernel/)
  * [Salt management stack](/doc/salt/)

From 72693064cfe1bb67e8a8b8b161e3d0314662e5b5 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 7 Feb 2018 11:36:14 +0000
Subject: [PATCH 037/103] yum -> dnf, fix line breaks

---
 configuration/rxvt.md | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/configuration/rxvt.md b/configuration/rxvt.md
index 2031dd4d..d88edaef 100644
--- a/configuration/rxvt.md
+++ b/configuration/rxvt.md
@@ -16,12 +16,16 @@ Rxvt
 Installation
 ------------
 
-`yum install rxvt-unicode-256color-ml` will bring both base `rxvt-unicode` and extension. Let me also recommend excellent Terminus font: `yum install terminus-fonts`.
+`dnf install rxvt-unicode-256color-ml` will bring both base `rxvt-unicode` and extension.
+Let me also recommend excellent Terminus font: `yum install terminus-fonts`.
 
 Xresources
 ----------
 
-In TemplateVM create file `/etc/X11/Xresources.urxvt` and paste config below. `!`-lines are comments and may be left out. `#`-lines are directives to CPP (C preprocessor) and are necessary. This shouldn't go to `/etc/X11/Xresources`, because that file is not preprocessed by default.
+In TemplateVM create file `/etc/X11/Xresources.urxvt` and paste config below.
+`!`-lines are comments and may be left out.
+`#`-lines are directives to CPP (C preprocessor) and are necessary.
+This shouldn't go to `/etc/X11/Xresources`, because that file is not preprocessed by default.
 
 ~~~
 ! CGA colour palette
@@ -132,7 +136,8 @@ URxvt.insecure:                 False
 !URxvt.termName:                rxvt-256color
 ~~~
 
-Then create script to automatically merge those to xrdb. File `/etc/X11/xinit/xinitrc.d/urxvt.sh`:
+Then create script to automatically merge those to xrdb.
+File `/etc/X11/xinit/xinitrc.d/urxvt.sh`:
 
 ~~~
 #!/bin/sh
@@ -143,4 +148,5 @@ Then create script to automatically merge those to xrdb. File `/etc/X11/xinit/xi
 Shortcuts
 ---------
 
-For each AppVM, go to *Qubes Manager \> VM Settings \> Applications*. Find `rxvt-unicode` (or `rxvt-unicode (256-color) multi-language`) and add.
+For each AppVM, go to *Qubes Manager \> VM Settings \> Applications*. 
+Find `rxvt-unicode` (or `rxvt-unicode (256-color) multi-language`) and add.

From 01d702c5f7011e31a27c693360b9841b1f9dcad1 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 7 Feb 2018 11:38:45 +0000
Subject: [PATCH 038/103] yum -> dnf

---
 configuration/rxvt.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configuration/rxvt.md b/configuration/rxvt.md
index d88edaef..aa0c0bbc 100644
--- a/configuration/rxvt.md
+++ b/configuration/rxvt.md
@@ -17,7 +17,7 @@ Installation
 ------------
 
 `dnf install rxvt-unicode-256color-ml` will bring both base `rxvt-unicode` and extension.
-Let me also recommend excellent Terminus font: `yum install terminus-fonts`.
+Let me also recommend excellent Terminus font: `dnf install terminus-fonts`.
 
 Xresources
 ----------

From 852d970927fd54c1bfd1f082b01198a73b96292d Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 7 Feb 2018 12:47:14 +0000
Subject: [PATCH 039/103] remove broken /doc/dom0-tools link for now

---
 configuration/resize-disk-image.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configuration/resize-disk-image.md b/configuration/resize-disk-image.md
index dd5aaf25..4a7c9087 100644
--- a/configuration/resize-disk-image.md
+++ b/configuration/resize-disk-image.md
@@ -19,7 +19,7 @@ See also additional information and caveats about [resizing the root disk image]
 
 1048576 MiB is the maximum size which can be assigned to private storage through Qube Manager.
 
-To grow the private disk image of an AppVM beyond this limit, [qvm-volume](/doc/dom0-tools/qvm-volume/) can be used:
+To grow the private disk image of an AppVM beyond this limit, `qvm-volume` can be used:
 
 ~~~
 qvm-volume extend <vm_name>:private <size>

From 341a578f9bf8312739d6fe17345c6e2ae010b860 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 7 Feb 2018 12:48:16 +0000
Subject: [PATCH 040/103] remove broken /doc/dom0-tools links for now

---
 configuration/resize-root-disk-image.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/configuration/resize-root-disk-image.md b/configuration/resize-root-disk-image.md
index 3c3567b4..8f38dae0 100644
--- a/configuration/resize-root-disk-image.md
+++ b/configuration/resize-root-disk-image.md
@@ -31,7 +31,7 @@ If you want install a lot of software in your TemplateVM, you may need to increa
 
 1048576 MiB is the maximum size which can be assigned to root storage through Qube Manager.
 
-To grow the root disk image of an AppVM beyond this limit, [qvm-volume](/doc/dom0-tools/qvm-volume/) can be used:
+To grow the root disk image of an AppVM beyond this limit, `qvm-volume` can be used:
 
 ~~~
 qvm-volume extend <vm_name>:root <size>
@@ -43,7 +43,7 @@ Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to
 
 1048576 MB is the maximum size which can be assigned to root storage through Qubes Manager.
 
-To grow the root disk image of an AppVM beyond this limit, [qvm-grow-root](/doc/dom0-tools/qvm-grow-root/) can be used:
+To grow the root disk image of an AppVM beyond this limit, `qvm-grow-root` can be used:
 
 ~~~
 qvm-grow-root <vm-name> <size>

From 02fadafec86156253455b30b3686c972abbf2ed9 Mon Sep 17 00:00:00 2001
From: Alex Dubois <bowabos@gmail.com>
Date: Wed, 7 Feb 2018 22:30:44 +0000
Subject: [PATCH 041/103] Update release-notes.md

---
 releases/4.0/release-notes.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/releases/4.0/release-notes.md b/releases/4.0/release-notes.md
index fedfde6c..fe153ee4 100644
--- a/releases/4.0/release-notes.md
+++ b/releases/4.0/release-notes.md
@@ -31,6 +31,10 @@ New features since 3.2
 
 You can get detailed description in [completed github issues][github-release-notes]
 
+Note
+----
+* PV VMs restaured from R3.2 to R4.x will be automatically migrated to PVH from R4.rc4 to address [QSB 37 (Meltdown & Spectre)][qsb-37]. However PV VMs restaured from R4.x are not migrated.
+
 Known issues
 ------------
 
@@ -40,6 +44,8 @@ Known issues
 
 * For other known issues take a look at [our tickets](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Release+4.0%22+label%3Abug)
 
+* Until R4.rc3 included, PV VMs restaured from R3.x backup will not automatically be migrated to PVH mode and may be explosed to [QSB 37][qsb-37].
+
 It is advised to install updates just after system installation to apply bug fixes for (some of) the above problems.
 
 Downloads
@@ -76,6 +82,7 @@ We also provide [detailed instruction][upgrade-to-r4.0] for this procedure.
 [vm-interface]: /doc/vm-interface/
 [admin-api]: /news/2017/06/27/qubes-admin-api/
 [qsb-24]: https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-024-2016.txt
+[qsb-37]: https://www.qubes-os.org/news/2018/01/24/qsb-37-update/
 [backup-format]: /doc/backup-emergency-restore-v4/
 [api-doc]: https://dev.qubes-os.org/projects/qubes-core-admin/en/latest/
 [upgrade-to-r4.0]: /doc/upgrade-to-r4.0/

From bc215a5dc03ead74ed668a6ac897859270654be7 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Wed, 7 Feb 2018 21:52:55 -0600
Subject: [PATCH 042/103] Provide instructions for adding images

---
 basics_user/doc-guidelines.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/basics_user/doc-guidelines.md b/basics_user/doc-guidelines.md
index 428dd376..3ac2b48d 100644
--- a/basics_user/doc-guidelines.md
+++ b/basics_user/doc-guidelines.md
@@ -105,6 +105,18 @@ pull request, we'll post a comment explaining why we can't.
 ![done](/attachment/wiki/doc-edit/10-done.png)
 
 
+How to add images
+-----------------
+
+To add an image to a page, use the following syntax in the main document:
+
+```
+![Image Title](/attachment/wiki/page-title/image-filename.png)
+```
+
+Then, submit your image(s) in a separate pull request to the [qubes-attachment](https://github.com/QubesOS/qubes-attachment) repository using the same path and filename.
+
+
 Version-specific Documentation
 ------------------------------
 

From 7ac21d0b677946a6fc46349ad004e4ef91f2e046 Mon Sep 17 00:00:00 2001
From: Alex Dubois <bowabos@gmail.com>
Date: Thu, 8 Feb 2018 08:26:33 +0000
Subject: [PATCH 043/103] Fixed spelling mistake

I enjoy my French restaurants too much :)
---
 releases/4.0/release-notes.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/releases/4.0/release-notes.md b/releases/4.0/release-notes.md
index fe153ee4..b9340efd 100644
--- a/releases/4.0/release-notes.md
+++ b/releases/4.0/release-notes.md
@@ -33,7 +33,7 @@ You can get detailed description in [completed github issues][github-release-not
 
 Note
 ----
-* PV VMs restaured from R3.2 to R4.x will be automatically migrated to PVH from R4.rc4 to address [QSB 37 (Meltdown & Spectre)][qsb-37]. However PV VMs restaured from R4.x are not migrated.
+* PV VMs restaured from R3.2 to R4.x will be automatically migrated to PVH from R4.rc4 to address [QSB 37 (Meltdown & Spectre)][qsb-37]. However PV VMs restored from R4.x are not migrated.
 
 Known issues
 ------------
@@ -44,7 +44,7 @@ Known issues
 
 * For other known issues take a look at [our tickets](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Release+4.0%22+label%3Abug)
 
-* Until R4.rc3 included, PV VMs restaured from R3.x backup will not automatically be migrated to PVH mode and may be explosed to [QSB 37][qsb-37].
+* Until R4.rc3 included, PV VMs restored from R3.x backup will not automatically be migrated to PVH mode and may be explosed to [QSB 37][qsb-37].
 
 It is advised to install updates just after system installation to apply bug fixes for (some of) the above problems.
 

From e173f5659f2ba57f826fcc8a9cfe691b3957118b Mon Sep 17 00:00:00 2001
From: Alex Dubois <bowabos@gmail.com>
Date: Thu, 8 Feb 2018 08:36:44 +0000
Subject: [PATCH 044/103] two other typos fixed.

---
 releases/4.0/release-notes.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/releases/4.0/release-notes.md b/releases/4.0/release-notes.md
index b9340efd..d51a4baf 100644
--- a/releases/4.0/release-notes.md
+++ b/releases/4.0/release-notes.md
@@ -33,7 +33,7 @@ You can get detailed description in [completed github issues][github-release-not
 
 Note
 ----
-* PV VMs restaured from R3.2 to R4.x will be automatically migrated to PVH from R4.rc4 to address [QSB 37 (Meltdown & Spectre)][qsb-37]. However PV VMs restored from R4.x are not migrated.
+* PV VMs restored from R3.2 to R4.x will be automatically migrated to PVH from R4.rc4 to address [QSB 37 (Meltdown & Spectre)][qsb-37]. However PV VMs restored from R4.x are not migrated.
 
 Known issues
 ------------
@@ -44,7 +44,7 @@ Known issues
 
 * For other known issues take a look at [our tickets](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Release+4.0%22+label%3Abug)
 
-* Until R4.rc3 included, PV VMs restored from R3.x backup will not automatically be migrated to PVH mode and may be explosed to [QSB 37][qsb-37].
+* Until R4.rc3 included, PV VMs restored from R3.x backup will not automatically be migrated to PVH mode and may be exposed to [QSB 37][qsb-37].
 
 It is advised to install updates just after system installation to apply bug fixes for (some of) the above problems.
 

From 4a480c8209305a6f02a1df0dd85a1bad179fbd87 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Thu, 8 Feb 2018 09:05:55 -0600
Subject: [PATCH 045/103] Rewrite security note regarding PV to PVH migration

Requested by QubesOS/qubes-issues#3530
---
 releases/4.0/release-notes.md | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/releases/4.0/release-notes.md b/releases/4.0/release-notes.md
index d51a4baf..c134b162 100644
--- a/releases/4.0/release-notes.md
+++ b/releases/4.0/release-notes.md
@@ -31,9 +31,12 @@ New features since 3.2
 
 You can get detailed description in [completed github issues][github-release-notes]
 
-Note
-----
-* PV VMs restored from R3.2 to R4.x will be automatically migrated to PVH from R4.rc4 to address [QSB 37 (Meltdown & Spectre)][qsb-37]. However PV VMs restored from R4.x are not migrated.
+Security Notes
+--------------
+
+* PV VMs migrated from 3.2 to 4.0-rc4 or later are automatically set to PVH mode in order to protect against Meltdown (see [QSB #37][qsb-37]).
+  However, PV VMs migrated from any earlier 4.0 release candidate (RC1, RC2, or RC3) are not automically set to PVH mode.
+  These must be set manually.
 
 Known issues
 ------------
@@ -44,8 +47,6 @@ Known issues
 
 * For other known issues take a look at [our tickets](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Release+4.0%22+label%3Abug)
 
-* Until R4.rc3 included, PV VMs restored from R3.x backup will not automatically be migrated to PVH mode and may be exposed to [QSB 37][qsb-37].
-
 It is advised to install updates just after system installation to apply bug fixes for (some of) the above problems.
 
 Downloads

From 0dc2f7d5173970ad5555dc888ac8202c35e359cf Mon Sep 17 00:00:00 2001
From: Alex Dubois <bowabos@gmail.com>
Date: Fri, 9 Feb 2018 10:22:56 +0000
Subject: [PATCH 046/103] windows VM qvm-prefs should be HVM and no kernel

---
 managing-os/hvm.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/managing-os/hvm.md b/managing-os/hvm.md
index 1632a84d..117c2beb 100644
--- a/managing-os/hvm.md
+++ b/managing-os/hvm.md
@@ -40,7 +40,7 @@ The name of the domain ("win7") as well as its label ("green") are just exemplar
 **Note:** It is unnecessary for Qubes 4 users to pass in the `--hvm` switch. To create a StandaloneVM in Qubes 4, use the --class option, as VMs are template-based by default:
 
 ~~~
-qvm-create win7 --class StandaloneVM --label green
+qvm-create win7 --class StandaloneVM --property virt_mode=hvm --property kernel="" --label green
 ~~~
 
 If you receive an error like this one, then you must first enable VT-x in your BIOS:
@@ -53,9 +53,11 @@ Now we need to install an OS inside this VM.  This can be done by attaching an i
 
 ~~~
 qvm-start win7 --cdrom=/usr/local/iso/win7_en.iso
+or
+qvm-start win7 --cdrom=TempIsoVM:/home/user/win7.iso
 ~~~
 
-The above command assumes the installation ISO was transferred to Dom0 (copied using `dd` command from an installation CDROM for example). If one wishes to use the actual physical media without copying it first to a file, then one can just pass `/dev/cdrom` as an argument to `--cdrom`:
+The above first command assumes the installation ISO was transferred to Dom0 (copied using `dd` command from an installation CDROM for example). The second is for when the iso is in another VM. If one wishes to use the actual physical media without copying it first to a file, then one can just pass `/dev/cdrom` as an argument to `--cdrom`:
 
 ~~~
 qvm-start win7 --cdrom=/dev/cdrom

From ce15b9d05e97865b0af17eccfb61f54ee84a546b Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 9 Feb 2018 12:12:21 +0000
Subject: [PATCH 047/103] reword and reorganize 4.0 content

---
 common-tasks/dispvm.md | 62 ++++++++++++++++++++++++++----------------
 1 file changed, 39 insertions(+), 23 deletions(-)

diff --git a/common-tasks/dispvm.md b/common-tasks/dispvm.md
index 816819d1..11c74be5 100644
--- a/common-tasks/dispvm.md
+++ b/common-tasks/dispvm.md
@@ -11,37 +11,54 @@ redirect_from:
 Disposable VMs (DispVMs)
 ========================
 
-A Disposable VM (DispVM) is a lightweight VM that can be created quickly and will disappear when closed. 
-Disposable VMs are usually created in order to host a single application, like a viewer, editor, or web browser. 
-Changes made to a file opened in a Disposable VM are passed back to the originating VM. 
-This means that you can safely work with untrusted files without risk of compromising your other VMs. 
-DispVMs can be created either directly from Dom0 or from within AppVMs. 
-Once a DispVM has been created it will appear in Qubes VM Manager with the name "dispX". 
+A Disposable VM (DispVM) is a lightweight VM that can be created quickly and will disappear when closed.
+Disposable VMs are usually created in order to host a single application, like a viewer, editor, or web browser.
+
+From inside an AppVM, choosing the `Open in Disposable VM` option on a file will launch a DispVM for just that file.
+Changes made to a file opened in a DispVM are passed back to the originating VM.
+This means that you can safely work with untrusted files without risk of compromising your other VMs.
+DispVMs can be launched either directly from Dom0's Start Menu or terminal window, or from within AppVMs.
+While running, DispVMs will appear in Qubes VM Manager with the name `disp####`.
 
 See [this article](https://blog.invisiblethings.org/2010/06/01/disposable-vms.html) for more on why one would want to use a Disposable VM.
 
+
+DVM Templates
+----------
+
+Similarly to how AppVMs are based on their underlying [TemplateVM](https://www.qubes-os.org/doc/glossary/#templatevm), DispVMs are based on their underlying [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template).
+
+On a fresh installation of Qubes, the DVM template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM). 
+
 Disposable VMs and Networking (R4.0 and later)
 -----------------------------
 
+R4.0 introduces the concept of multiple disposable VM templates, whereas R3.2 was limited to only one.
+You can set any AppVM to have the ability to act as a DVM Template with:
 
-R4.0 introduces the concept of multiple disposable VM templates (R3.2 was limited to one).
-This allows for the creation of multiple differently configured disposable VMs that can be accessed from 
-the Applications menu. Even more types of DispVMs can be created on-the-fly on a per AppVM basis.
-As you can see, this is a very flexible and powerful system for managing your Disposable VMs.
+    qvm-prefs <vmname> template_for_dispvms true
 
-NetVM and firewall rules for Disposable VMs can be set as they can for a normal VM. 
-By default a DispVM will inherit the NetVM and firewall settings of the DispVM Template from which it is built. 
-Thus if an AppVM uses sys-net as its NetVM, but the default system DispVM uses sys-whonix,
-any DispVM launched from this AppVM will have sys-whonix as its NetVM.
-The default system wide DispVM template can be changed with `qubes-prefs default_dispvm`.
-You can change this behaviour for individual VMs: in the Application Menu, open Qube Settings
-for the VM in question and go to the "Advanced" tab. 
+The default system wide DVM template can be changed with `qubes-prefs default_dispvm`.
+By combining the two, choosing `Open in Disposable VM` from inside an AppVM will open the document in a DispVM based on the default DVM template you specified.
+
+You can change this behaviour for individual VMs: in the Application Menu, open Qube Settings for the VM in question and go to the "Advanced" tab. 
 Here you can edit the "Default DispVM" setting to specify which DispVM template will be used to launch DispVMs from that VM.
-Disposable VMs will temporarily appear with the name `disp####`. 
+This can also be changed from the command line with:
 
-A Disposable VM launched from the Start Menu inherits the NetVM and firewall settings of the [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template) from which it is built. 
-By default the DVM template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM). 
-Note that changing the "NetVM" setting for the DVM Template *does* affect the NetVM of DispVMs launched from the Start Menu.
+    qvm-prefs <vmname> default_dispvm <dvmtemplatename>
+
+You can even set an AppVM that has also been configured as a DVM template to use itself, so DispVMs launched from within the AppVM/DVM Template would inherit the same settings.
+
+NetVM and firewall rules for DVM templates can be set as they can for a normal VM. 
+By default a DispVM will inherit the NetVM and firewall settings of the DVM Template on which it is based.
+Launching a DispVM from an AppVM will result in it using the DispVM's network/firewall settings (which default to the DVM template on which it is based).
+Thus if an AppVM uses sys-net as its NetVM, but the default system DispVM uses sys-whonix, any DispVM launched from this AppVM will have sys-whonix as its NetVM.
+
+**Note** The opposite is also true. This means if the default system DispVM uses sys-net, launching a DispVM from inside anon-whonix will result in the DispVM using sys-net.
+
+A Disposable VM launched from the Start Menu inherits the NetVM and firewall settings of the DVM Template on which it is based.
+Note that changing the "NetVM" setting for the system default DVM Template *does* affect the NetVM of DispVMs launched from the Start Menu.
+Different DVM Templates with individual NetVM settings can be added to the Start Menu. 
 
 Disposable VMs and Networking (R3.2 and earlier)
 -----------------------------
@@ -52,8 +69,7 @@ Thus if an AppVM uses sys-net as its NetVM, any DispVM launched from this AppVM
 You can change this behaviour for individual VMs: in Qubes VM Manager open VM Settings for the VM in question and go to the "Advanced" tab. 
 Here you can edit the "NetVM for DispVM" setting to change the NetVM of any DispVM launched from that VM.
 
-A Disposable VM launched from the Start Menu inherits the NetVM of the [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template). 
-By default the DVM template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM). 
+A Disposable VM launched from the Start Menu inherits the NetVM of the [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template).
 As an "internal" VM it is hidden in Qubes VM Manager, but can be shown by selecting "Show/Hide internal VMs". 
 Note that changing the "NetVM for DispVM" setting for the DVM Template does *not* affect the NetVM of DispVMs launched from the Start Menu; only changing the DVM Template's own NetVM does.
 

From 82163602b2e253fed479c40b1df7e3fda0625285 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 9 Feb 2018 12:23:01 +0000
Subject: [PATCH 048/103] /doc/glossary/#dvm-template

---
 common-tasks/dispvm.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common-tasks/dispvm.md b/common-tasks/dispvm.md
index 11c74be5..601d6168 100644
--- a/common-tasks/dispvm.md
+++ b/common-tasks/dispvm.md
@@ -69,7 +69,7 @@ Thus if an AppVM uses sys-net as its NetVM, any DispVM launched from this AppVM
 You can change this behaviour for individual VMs: in Qubes VM Manager open VM Settings for the VM in question and go to the "Advanced" tab. 
 Here you can edit the "NetVM for DispVM" setting to change the NetVM of any DispVM launched from that VM.
 
-A Disposable VM launched from the Start Menu inherits the NetVM of the [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template).
+A Disposable VM launched from the Start Menu inherits the NetVM of the [DVM Template](/doc/glossary/#dvm-template).
 As an "internal" VM it is hidden in Qubes VM Manager, but can be shown by selecting "Show/Hide internal VMs". 
 Note that changing the "NetVM for DispVM" setting for the DVM Template does *not* affect the NetVM of DispVMs launched from the Start Menu; only changing the DVM Template's own NetVM does.
 

From a858018b36c2acfa455ee91bf2130e2c5a235e2b Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 9 Feb 2018 12:40:08 +0000
Subject: [PATCH 049/103] add HVM in R4.0 won't let me start/install entry

---
 about/faq.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/about/faq.md b/about/faq.md
index 556bfbae..1b994ea2 100644
--- a/about/faq.md
+++ b/about/faq.md
@@ -461,6 +461,15 @@ If it seems like the issue described in [this thread](https://github.com/QubesOS
 
 Please report (via the mailing lists) if you experience this issue, and whether disabling the compositor fixes it for you or not.
 
+### My HVM in Qubes R4.0 won't let me start/install an OS
+
+I see a screen popup with SeaBios and 4 lines, last one being "Probing EDD (edd=off to disable!... ok".
+
+From a `dom0` prompt, enter:
+
+    qvm-prefs <HVMname> kernel ""
+
+
 ----------
 
 ## Developers

From f1a01822610e9ba64ceaab732b664661bb0b0aef Mon Sep 17 00:00:00 2001
From: Alex Dubois <bowabos@gmail.com>
Date: Fri, 9 Feb 2018 13:15:33 +0000
Subject: [PATCH 050/103] Windows 64bit requires 2GB of RAM minimum

---
 managing-os/hvm.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/managing-os/hvm.md b/managing-os/hvm.md
index 117c2beb..558442d9 100644
--- a/managing-os/hvm.md
+++ b/managing-os/hvm.md
@@ -40,7 +40,7 @@ The name of the domain ("win7") as well as its label ("green") are just exemplar
 **Note:** It is unnecessary for Qubes 4 users to pass in the `--hvm` switch. To create a StandaloneVM in Qubes 4, use the --class option, as VMs are template-based by default:
 
 ~~~
-qvm-create win7 --class StandaloneVM --property virt_mode=hvm --property kernel="" --label green
+qvm-create win7 --class StandaloneVM --property virt_mode=hvm --property kernel="" --property memory=2048 --label green
 ~~~
 
 If you receive an error like this one, then you must first enable VT-x in your BIOS:

From 9a8cb3e642e2ee7a538aaacaeddc02d46ac06675 Mon Sep 17 00:00:00 2001
From: Alex Dubois <bowabos@gmail.com>
Date: Fri, 9 Feb 2018 14:14:08 +0000
Subject: [PATCH 051/103] 2GB is not sufficiant. 4GB required.

---
 managing-os/hvm.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/managing-os/hvm.md b/managing-os/hvm.md
index 558442d9..82cd8197 100644
--- a/managing-os/hvm.md
+++ b/managing-os/hvm.md
@@ -40,7 +40,7 @@ The name of the domain ("win7") as well as its label ("green") are just exemplar
 **Note:** It is unnecessary for Qubes 4 users to pass in the `--hvm` switch. To create a StandaloneVM in Qubes 4, use the --class option, as VMs are template-based by default:
 
 ~~~
-qvm-create win7 --class StandaloneVM --property virt_mode=hvm --property kernel="" --property memory=2048 --label green
+qvm-create win7 --class StandaloneVM --property virt_mode=hvm --property kernel="" --property memory=4096 --label green
 ~~~
 
 If you receive an error like this one, then you must first enable VT-x in your BIOS:

From 55916a1c569d664fff64f78bcac6bd1903177065 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 9 Feb 2018 15:02:38 +0000
Subject: [PATCH 052/103] double quote -> single so Travis won't spellcheck

---
 about/faq.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/about/faq.md b/about/faq.md
index 1b994ea2..61e08437 100644
--- a/about/faq.md
+++ b/about/faq.md
@@ -463,7 +463,7 @@ Please report (via the mailing lists) if you experience this issue, and whether
 
 ### My HVM in Qubes R4.0 won't let me start/install an OS
 
-I see a screen popup with SeaBios and 4 lines, last one being "Probing EDD (edd=off to disable!... ok".
+I see a screen popup with SeaBios and 4 lines, last one being `Probing EDD (edd=off to disable!... ok`.
 
 From a `dom0` prompt, enter:
 

From 5bdba98b23af7973a6e93094a53cb98573953d8a Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 9 Feb 2018 15:16:52 +0000
Subject: [PATCH 053/103] relabel sections by UpdateVM type and reorder

---
 managing-os/reinstall-template.md | 52 +++++++++++++++----------------
 1 file changed, 25 insertions(+), 27 deletions(-)

diff --git a/managing-os/reinstall-template.md b/managing-os/reinstall-template.md
index 093e16ff..ee3657bd 100644
--- a/managing-os/reinstall-template.md
+++ b/managing-os/reinstall-template.md
@@ -11,13 +11,35 @@ How to Reinstall a TemplateVM
 
 If you suspect your [TemplateVM] is broken, misconfigured, or compromised, you can reinstall any TemplateVM that was installed from the Qubes repository.
 
-The procedure varies by Qubes version; see the appropriate section below.
+The procedure varies by Qubes version and UpdateVM's distribution; see the appropriate section below.
 
 
-Manual Reinstallation Method (R4.0)
+Manual Reinstallation Method (Fedora based UpdateVM, R3.1+)
 ----------------------------
 
-If you're using Qubes 4.0 or newer, you should use the manual reinstallation method.
+First, copy any files that you wish to keep from the TemplateVM's `/home` and `/rw` folders to a safe storage location.
+Then, in a dom0 terminal, run:
+
+    $ sudo qubes-dom0-update --action=reinstall qubes-template-package-name
+
+Replace `qubes-template-package-name` with the name of the *package* of the template you wish to reinstall.
+For example, use `qubes-template-fedora-25` if you wish to reinstall the `fedora-25` template.
+Only one template can be reinstalled at a time.
+
+Note that Qubes may initially refuse to perform the reinstall if the exact revision of the template package on your system is no longer in the Qubes online repository.
+In this case, you can specify `upgrade` as the action instead and the newer version will be used. 
+The other `dnf` package actions that are supported in addition to `reinstall` and `upgrade` are `upgrade-to` and `downgrade`.
+
+**Reminder:** If you're trying to reinstall a template that is not in an enabled repo, you must enable that repo.
+For example:
+
+    $ sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=reinstall qubes-template-whonix-ws
+
+**Note:** VMs that are using the reinstalled template will not be affected until they are restarted.
+
+
+Manual Reinstallation Method (Debian based UpdateVM, R3.1+)
+----------------------------
 
 In what follows, the term "target TemplateVM" refers to whichever TemplateVM you want to reinstall.
 If you want to reinstall more than one TemplateVM, repeat these instructions for each one.
@@ -59,30 +81,6 @@ If you want to reinstall more than one TemplateVM, repeat these instructions for
    command `qvm-remove <vm-name>` in dom0.
    
    
-Manual Reinstallation Method (R3.1 - R3.2)
-----------------------------
-
-First, copy any files that you wish to keep from the TemplateVM's `/home` and `/rw` folders to a safe storage location.
-Then, in a dom0 terminal, run:
-
-    $ sudo qubes-dom0-update --action=reinstall qubes-template-package-name
-
-Replace `qubes-template-package-name` with the name of the *package* of the template you wish to reinstall.
-For example, use `qubes-template-fedora-25` if you wish to reinstall the `fedora-25` template.
-Only one template can be reinstalled at a time.
-
-Note that Qubes may initially refuse to perform the reinstall if the exact revision of the template package on your system is no longer in the Qubes online repository.
-In this case, you can specify `upgrade` as the action instead and the newer version will be used. 
-The other `dnf` package actions that are supported in addition to `reinstall` and `upgrade` are `upgrade-to` and `downgrade`.
-
-**Reminder:** If you're trying to reinstall a template that is not in an enabled repo, you must enable that repo.
-For example:
-
-    $ sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=reinstall qubes-template-whonix-ws
-
-**Note:** VMs that are using the reinstalled template will not be affected until they are restarted.
-
-
 Manual Reinstallation Method (R3.0 or earlier)
 ----------------------------
 

From 3ccf0dd09daba83ff1a6ffca634ccb76154bb40a Mon Sep 17 00:00:00 2001
From: Alex Dubois <bowabos@gmail.com>
Date: Fri, 9 Feb 2018 18:00:25 +0000
Subject: [PATCH 054/103] Windows for R4 documentation

---
 managing-os/hvm.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/managing-os/hvm.md b/managing-os/hvm.md
index 82cd8197..66d207db 100644
--- a/managing-os/hvm.md
+++ b/managing-os/hvm.md
@@ -37,10 +37,11 @@ qvm-create win7 --hvm --label green
 
 The name of the domain ("win7") as well as its label ("green") are just exemplary of course.
 
-**Note:** It is unnecessary for Qubes 4 users to pass in the `--hvm` switch. To create a StandaloneVM in Qubes 4, use the --class option, as VMs are template-based by default:
+**Note:** To create a StandaloneVM in Qubes 4, use the --class option, as VMs are template-based by default
 
 ~~~
-qvm-create win7 --class StandaloneVM --property virt_mode=hvm --property kernel="" --property memory=4096 --label green
+qvm-create win7 --class StandaloneVM --property virt_mode=hvm --property kernel="" --property memory=4096 --property maxmem=4096 --property debug=True --label green
+qvm-features win7 video-model cirrus
 ~~~
 
 If you receive an error like this one, then you must first enable VT-x in your BIOS:

From 694e3022f7e969e970ca5e3c8312195e29f38f69 Mon Sep 17 00:00:00 2001
From: ssixty <ssixty@users.noreply.github.com>
Date: Fri, 9 Feb 2018 18:06:01 +0000
Subject: [PATCH 055/103] release-notes: update Fedora template links

fedora 24 and 25 are now EOL, update links to point to Fedora 26 instructions.
---
 releases/3.2/release-notes.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/releases/3.2/release-notes.md b/releases/3.2/release-notes.md
index 623936c9..f7b66dee 100644
--- a/releases/3.2/release-notes.md
+++ b/releases/3.2/release-notes.md
@@ -24,7 +24,7 @@ You can get detailed description in [completed github issues][github-release-not
 Known issues
 ------------
 
-* [Fedora 23 reached EOL in December 2016](https://fedoraproject.org/wiki/End_of_life). There is a [manual procedure to upgrade your VMs](/news/2016/11/15/fedora-24-template-available/).
+* [Fedora 23 reached EOL in December 2016](https://fedoraproject.org/wiki/End_of_life). There is a [manual procedure to upgrade your VMs](/news/2018/01/06/fedora-26-upgrade/).
 
 * Windows Tools: `qvm-block` does not work
 
@@ -43,7 +43,7 @@ Installation instructions
 -------------------------
 
 See [Installation Guide](/doc/installation-guide/).
-After installation, [manually upgrade to Fedora 24](/news/2016/11/15/fedora-24-template-available/).
+After installation, [manually upgrade to Fedora 26](/news/2018/01/06/fedora-26-upgrade/).
 
 Upgrading
 ---------

From 697775fcf823db2f0b33bbe51d8c75d2309da00a Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 10 Feb 2018 11:44:43 +0000
Subject: [PATCH 056/103] additional 4.0 revisions

---
 common-tasks/dispvm.md | 37 +++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/common-tasks/dispvm.md b/common-tasks/dispvm.md
index 601d6168..31e477a6 100644
--- a/common-tasks/dispvm.md
+++ b/common-tasks/dispvm.md
@@ -23,38 +23,38 @@ While running, DispVMs will appear in Qubes VM Manager with the name `disp####`.
 See [this article](https://blog.invisiblethings.org/2010/06/01/disposable-vms.html) for more on why one would want to use a Disposable VM.
 
 
-DVM Templates
-----------
-
-Similarly to how AppVMs are based on their underlying [TemplateVM](https://www.qubes-os.org/doc/glossary/#templatevm), DispVMs are based on their underlying [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template).
-
-On a fresh installation of Qubes, the DVM template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM). 
-
 Disposable VMs and Networking (R4.0 and later)
 -----------------------------
 
-R4.0 introduces the concept of multiple disposable VM templates, whereas R3.2 was limited to only one.
+Similarly to how AppVMs are based on their underlying [TemplateVM](https://www.qubes-os.org/doc/glossary/#templatevm), DispVMs are based on their underlying [DVM Template](https://www.qubes-os.org/doc/glossary/#dvm-template).
+R4.0 introduces the concept of multiple DVM Templates, whereas R3.2 was limited to only one.
+
+On a fresh installation of Qubes, the default DVM Template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM).
+If you have included the Whonix option in your install, there will also be a `whonix-ws-dvm` DVM Template available for your use.
+
 You can set any AppVM to have the ability to act as a DVM Template with:
 
     qvm-prefs <vmname> template_for_dispvms true
 
-The default system wide DVM template can be changed with `qubes-prefs default_dispvm`.
-By combining the two, choosing `Open in Disposable VM` from inside an AppVM will open the document in a DispVM based on the default DVM template you specified.
+The default system wide DVM Template can be changed with `qubes-prefs default_dispvm`.
+By combining the two, choosing `Open in Disposable VM` from inside an AppVM will open the document in a DispVM based on the default DVM Template you specified.
 
 You can change this behaviour for individual VMs: in the Application Menu, open Qube Settings for the VM in question and go to the "Advanced" tab. 
-Here you can edit the "Default DispVM" setting to specify which DispVM template will be used to launch DispVMs from that VM.
+Here you can edit the "Default DispVM" setting to specify which DVM Template will be used to launch DispVMs from that VM.
 This can also be changed from the command line with:
 
     qvm-prefs <vmname> default_dispvm <dvmtemplatename>
 
-You can even set an AppVM that has also been configured as a DVM template to use itself, so DispVMs launched from within the AppVM/DVM Template would inherit the same settings.
+For example, `anon-whonix` has been set to use `whonix-ws-dvm` as its `default_dispvm`, instead of the system default.
+You can even set an AppVM that has also been configured as a DVM Template to use itself, so DispVMs launched from within the AppVM/DVM Template would inherit the same settings.
 
-NetVM and firewall rules for DVM templates can be set as they can for a normal VM. 
+NetVM and firewall rules for DVM Templates can be set as they can for a normal VM. 
 By default a DispVM will inherit the NetVM and firewall settings of the DVM Template on which it is based.
-Launching a DispVM from an AppVM will result in it using the DispVM's network/firewall settings (which default to the DVM template on which it is based).
-Thus if an AppVM uses sys-net as its NetVM, but the default system DispVM uses sys-whonix, any DispVM launched from this AppVM will have sys-whonix as its NetVM.
+This is a change in behaviour from R3.2, where DispVMs would inherit the settings of the AppVM from which they were launched.
+Therefore, launching a DispVM from an AppVM will result in it using the network/firewall settings of the DVM Template on which it is based.
+For example, if an AppVM uses sys-net as its NetVM, but the default system DispVM uses sys-whonix, any DispVM launched from this AppVM will have sys-whonix as its NetVM.
 
-**Note** The opposite is also true. This means if the default system DispVM uses sys-net, launching a DispVM from inside anon-whonix will result in the DispVM using sys-net.
+**Warning:** The opposite is also true. This means if you have changed anon-whonix's `default_dispvm` to use the system default, and the system default DispVM uses sys-net, launching a DispVM from inside anon-whonix will result in the DispVM using sys-net.
 
 A Disposable VM launched from the Start Menu inherits the NetVM and firewall settings of the DVM Template on which it is based.
 Note that changing the "NetVM" setting for the system default DVM Template *does* affect the NetVM of DispVMs launched from the Start Menu.
@@ -69,7 +69,8 @@ Thus if an AppVM uses sys-net as its NetVM, any DispVM launched from this AppVM
 You can change this behaviour for individual VMs: in Qubes VM Manager open VM Settings for the VM in question and go to the "Advanced" tab. 
 Here you can edit the "NetVM for DispVM" setting to change the NetVM of any DispVM launched from that VM.
 
-A Disposable VM launched from the Start Menu inherits the NetVM of the [DVM Template](/doc/glossary/#dvm-template).
+A Disposable VM launched from the Start Menu inherits the NetVM of the [DVM Template](/doc/glossary/#dvm-template). 
+By default the DVM template is called `fedora-XX-dvm` (where `XX` is the Fedora version of the default TemplateVM). 
 As an "internal" VM it is hidden in Qubes VM Manager, but can be shown by selecting "Show/Hide internal VMs". 
 Note that changing the "NetVM for DispVM" setting for the DVM Template does *not* affect the NetVM of DispVMs launched from the Start Menu; only changing the DVM Template's own NetVM does.
 
@@ -138,7 +139,7 @@ Customizing Disposable VMs
 --------------------------
 
 You can change the template used to generate the Disposable VMs, and change settings used in the Disposable VM savefile. 
-These changes will be reflected in every new Disposable VM spawned from that template. 
+These changes will be reflected in every new Disposable VM based on that template. 
 Full instructions can be found [here](/doc/dispvm-customization/).
 
 Disposable VMs and Local Forensics

From 376c1478ac2898d153cd8d7d1f09783cda436faa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Sat, 10 Feb 2018 17:15:22 +0100
Subject: [PATCH 057/103] Clarify archlinux gui agent problem description

Text by @jpouellet
---
 managing-os/templates/archlinux.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/managing-os/templates/archlinux.md b/managing-os/templates/archlinux.md
index 7e74f913..7cbcfb42 100644
--- a/managing-os/templates/archlinux.md
+++ b/managing-os/templates/archlinux.md
@@ -105,9 +105,9 @@ The two lines that have just been added to /etc/pacman.conf should then be remov
 
 ### Package cannot be updated because of errors related to xorg-server or pulseaudio versions
 
-Upgrading pulseaudio or xorg-server to a newer major version will break the Qubes GUI agent. Avoid upgrading these packages until such time that a future version of the GUI agent addresses this issue.
-
-Specifically, the gui-agent-linux component of Qubes-OS needs to be rebuilt using these last xorg-server or pulseaudio libraries. You can try to rebuild it yourself or wait for a new qubes-vm-gui package to be available.
+The Qubes GUI agent must be rebuilt whenever xorg-server or pulseaudio make major changes.
+If an update of one of these packages causes your template to break, simply [revert it](https://www.qubes-os.org/doc/software-update-vm/#reverting-changes-to-a-templatevm) and wait for corresponding Qubes package updates to be available (or attempt to build them yourself, if you're so inclined).
+This should not happen frequently.
 
 ### qubes-vm is apparently starting properly (green dot) however graphical applications do not appear to work
 

From 37523d315acd0d8b1bfdf7968dc21ba5521a12b3 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Sat, 10 Feb 2018 14:10:47 -0600
Subject: [PATCH 058/103] Fix typo

---
 releases/4.0/release-notes.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/releases/4.0/release-notes.md b/releases/4.0/release-notes.md
index c134b162..68ed8216 100644
--- a/releases/4.0/release-notes.md
+++ b/releases/4.0/release-notes.md
@@ -35,7 +35,7 @@ Security Notes
 --------------
 
 * PV VMs migrated from 3.2 to 4.0-rc4 or later are automatically set to PVH mode in order to protect against Meltdown (see [QSB #37][qsb-37]).
-  However, PV VMs migrated from any earlier 4.0 release candidate (RC1, RC2, or RC3) are not automically set to PVH mode.
+  However, PV VMs migrated from any earlier 4.0 release candidate (RC1, RC2, or RC3) are not automatically set to PVH mode.
   These must be set manually.
 
 Known issues

From 08967c34d2730dd1ab1e75f000b886a8cc8d98a8 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 10 Feb 2018 21:05:38 +0000
Subject: [PATCH 059/103] consolidate in info from root resize doc

---
 configuration/resize-disk-image.md | 122 ++++++++++++-----------------
 1 file changed, 49 insertions(+), 73 deletions(-)

diff --git a/configuration/resize-disk-image.md b/configuration/resize-disk-image.md
index 4a7c9087..ead7c4bd 100644
--- a/configuration/resize-disk-image.md
+++ b/configuration/resize-disk-image.md
@@ -1,113 +1,89 @@
 ---
 layout: doc
-title: Resize Private Disk Image
+title: Resize Disk Image
 permalink: /doc/resize-disk-image/
 redirect_from:
 - /en/doc/resize-disk-image/
+- /en/doc/resize-root-disk-image/
 - /doc/ResizeDiskImage/
+- /doc/ResizeRootDiskImage/
 - /wiki/ResizeDiskImage/
+- /wiki/ResizeRootDiskImage/
 ---
 
-Resize Private Disk Image
+Resize Disk Image
 -----------------
 
-There are several disk images which can be easily extended, but pay attention to the overall consumed space of your sparse disk images.
-See also additional information and caveats about [resizing the root disk image](/doc/resize-root-disk-image/).
+There are several disk images which can be easily extended, but pay attention to the overall consumed space of your sparse/thin disk images.
+See also [OS Specific Follow-up Instructions](/doc/resize-disk-image/#os-specific-follow-up-instructions) at the end of this page.
 
 
-### Private disk image (R4.0)
+### Template disk image
 
-1048576 MiB is the maximum size which can be assigned to private storage through Qube Manager.
+If you want install a lot of software in your TemplateVM, you may need to increase the amount of disk space your TemplateVM can use. 
+*Make sure changes in the TemplateVM between reboots don't exceed 10G.*
 
-To grow the private disk image of an AppVM beyond this limit, `qvm-volume` can be used:
+1.  Make sure that all the VMs based on this template are shut down (including netvms etc).
+2.  Resize the *root image* using Qubes version specific procedure below.
+   You may instead resize the *private image* with the appropriate commands if your software installs to `/home` for example.
+3.  If any netvm/proxyvm used by this template is based on it, set template's netvm to none.
+4.  Start the template.
+5.  Resize the filesystem using OS appropriate tools (Qubes will handle this automatically with Linux templates).
+6.  Verify available space in the template using `df -h` or OS specific tools.
+7.  Shutdown the template.
+8.  Restore original netvm setting (if changed), and check firewall settings (setting netvm to none causes the firewall to reset to "block all")
 
+### Expand disk image (R4.0)
+
+1048576 MiB is the maximum size which can be assigned to storage through Qube Manager.
+
+To grow the root or private disk image of an AppVM beyond this limit, `qvm-volume` can be used:
+
+~~~
+qvm-volume extend <vm_name>:root <size>
+~~~
+OR
 ~~~
 qvm-volume extend <vm_name>:private <size>
 ~~~
 
 Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to the existing disk.
 
-### Private disk image (R3.2)
+### Expand disk image (R3.2)
 
-1048576 MB is the maximum size which can be assigned to private storage through Qubes Manager.
+1048576 MB is the maximum size which can be assigned to storage through Qubes Manager.
 
-To grow the private disk image of an AppVM beyond this limit, [qvm-grow-private](/doc/dom0-tools/qvm-grow-private/) can be used:
+To grow the private disk image of an AppVM beyond this limit, `qvm-grow-root` or [qvm-grow-private](/doc/dom0-tools/qvm-grow-private/) can be used:
 
+~~~
+qvm-grow-root <vm-name> <size>
+~~~
+OR
 ~~~
 qvm-grow-private <vm-name> <size>
 ~~~
 
 Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to the existing disk. 
 
-### Shrinking private disk image (Linux VM, R4.0)
+### Resize a StandaloneVM Root Image
+
+Another way to increase the size of is to turn your TemplateVM into a StandaloneVM.
+Doing this means it will have its own root filesystem *(StandaloneVMs use a copy of the template, instead of smart sharing)*.
+To do this run `qvm-create --standalone` from `dom0` console, then perform the [OS Specific Follow-up Instructions](/doc/resize-disk-image/#os-specific-follow-up-instructions) below.
+
+### Shrinking a disk image
+
+Ext4 and most other filesystems do not support online shrinking, so it can't be done as conveniently as growing the image.
+Note that we don't want to touch the VM filesystem directly in dom0 for security reasons. 
 
 1.  Create a new qube with smaller disk using Qube Manager or `qvm-create`
-2.  Move data to the new qube using `qvm-copy` or OS utilities
+2.  Move data to the new qube using `qvm-copy`, backup & restore, or OS utilities
 3.  Delete old qube using Qube Manager or `qvm-remove`
 
-### Shrinking private disk image (Linux VM, R3.2)
-
-**This operation is dangerous and this is why it isn't available in standard Qubes tools.
-If you have enough disk space, it is safer to create a new VM with a smaller disk and move the data.**
-
-The basic idea is to:
-
-1.  Shrink filesystem on the private disk image.
-2.  Then shrink the image.
-
-Ext4 does not support online shrinking, so it can't be done as conveniently as growing the image.
-Note that we don't want to touch the VM filesystem directly in dom0 for security reasons. 
-First you need to start VM without `/rw` mounted. 
-One possibility is to interrupt its normal startup by adding the `rd.break` kernel option:
-
-~~~
-qvm-prefs -s <vm-name> kernelopts rd.break
-qvm-start --no-guid <vm-name>
-~~~
-
-And wait for qrexec connect timeout (or simply press Ctrl-C). 
-Then you can connect to VM console and shrink the filesystem:
-
-~~~
-sudo xl console <vm-name>
-# you should get dracut emergency shell here
-mount --bind /dev /sysroot/dev
-chroot /sysroot
-mount /proc
-e2fsck -f /dev/xvdb
-resize2fs /dev/xvdb <new-desired-size>
-umount /proc
-exit
-umount /sysroot/dev
-poweroff
-~~~
-
-Now you can resize the image:
-
-~~~
-truncate -s <new-desired-size> /var/lib/qubes/appvms/<vm-name>/private.img
-~~~
-
-**It is critical to use the same (or bigger for some safety margin) size in truncate call compared to resize2fs call.
-Otherwise you will lose your data!** 
-Then reset kernel options back to default:
-
-~~~
-qvm-prefs -s <vm-name> kernelopts default
-~~~
-
-Done.
-
->In order to avoid error, you might want to first reduce the filesystem to a smaller size than desired (say 3G), then truncate the image to the target size (for example 4G), and lastly grow the filesystem to the target size.
->In order to do this, after the `truncate` step, start the vm again in maintenance mode and use the following command to extend the filesystem to the correct size : `resize2fs /dev/xvdb`.
->
->With no argument, resize2fs grows the filesystem to match the underlying block device (the .img file you just shrunk).
-
-
 OS Specific Follow-up Instructions
 -----------------
 
-After resizing volumes, the partition table and file-system may need to be adjusted.
+After expanding volumes, the partition table and file-system may need to be adjusted.
 Use tools appropriate to the OS in your qube.
 Brief instructions for Windows 7, FreeBSD, and Linux are provided below.
 
@@ -133,4 +109,4 @@ zpool online -e poolname ada0
 
 Qubes will automatically grow the filesystem for you on AppVMs but not HVMs.
 You will see that there is unallocated free space at the end of your primary disk.
-You can use standard linux tools like fdisk and mkfs to make this space available.
+You can use standard linux tools like `fdisk` and `resize2fs` to make this space available.

From aff67c7380b7ebac43f69cf7f38b41f20fc8488f Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 10 Feb 2018 21:09:30 +0000
Subject: [PATCH 060/103] Delete resize-root-disk-image.md

---
 configuration/resize-root-disk-image.md | 72 -------------------------
 1 file changed, 72 deletions(-)
 delete mode 100644 configuration/resize-root-disk-image.md

diff --git a/configuration/resize-root-disk-image.md b/configuration/resize-root-disk-image.md
deleted file mode 100644
index 7765fe75..00000000
--- a/configuration/resize-root-disk-image.md
+++ /dev/null
@@ -1,72 +0,0 @@
----
-layout: doc
-title: Resize Root Disk Image
-permalink: /doc/resize-root-disk-image/
-redirect_from:
-- /en/doc/resize-root-disk-image/
-- /doc/ResizeRootDiskImage/
-- /wiki/ResizeRootDiskImage/
----
-
-Resize Root Disk Image
-----------------------
-
-See additional information and caveats about [resizing private disk images](/doc/resize-disk-image/), paying particular attention to "OS Specific Follow-up Instructions" at the end.
-
-### Template disk image 
-
-If you want install a lot of software in your TemplateVM, you may need to increase the amount of disk space your TemplateVM can use. 
-*Make sure changes in the TemplateVM between reboots don't exceed 10G.*
-
-1.  Make sure that all the VMs based on this template are shut down (including netvms etc).
-2.  Resize root image using Qubes version specific procedure below.
-3.  If any netvm/proxyvm used by this template is based on it, set template's netvm to none.
-4.  Start the template.
-5.  Resize the filesystem using OS appropriate tools (Qubes will handle this automatically with Linux templates).
-6.  Verify available space in the template using `df -h` or OS specific tools.
-7.  Shutdown the template.
-8.  Restore original netvm setting (if changed), check firewall settings (setting netvm to none causes the firewall to reset to "block all")
-
-### Root disk image (R4.0)
-
-1048576 MiB is the maximum size which can be assigned to root storage through Qube Manager.
-
-To grow the root disk image of an AppVM beyond this limit, `qvm-volume` can be used:
-
-~~~
-qvm-volume extend <vm_name>:root <size>
-~~~
-
-Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to the existing disk.
-
-### Root disk image (R3.2)
-
-1048576 MB is the maximum size which can be assigned to root storage through Qubes Manager.
-
-To grow the root disk image of an AppVM beyond this limit, `qvm-grow-root` can be used:
-
-~~~
-qvm-grow-root <vm-name> <size>
-~~~
-
-Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to the existing disk. 
-
-### Resize a StandaloneVM Root Image (R3.2)
-
-Another way to increase the size of `root.img` is to turn your TemplateVM into a StandaloneVM.
-Doing this means it will have it's own root filesystem *(StandaloneVMs use a copy of template, instead of smart sharing)*.
-To do this run `qvm-create --standalone` from `dom0` console.
-
-In `dom0` console run the following command (replace the size and path):
-
-~~~
-truncate -s 20G /var/lib/qubes/appvms/standalonevm/root.img
-~~~
-
-Then start Terminal for this StandaloneVM and run:
-
-~~~
-sudo resize2fs /dev/mapper/dmroot
-~~~
-
-Shutdown the StandaloneVM and you will have extended the size of its `root.img`.

From d07c6f16d1e244b0e7bc0719e1a379e7cf9de707 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 10 Feb 2018 21:10:42 +0000
Subject: [PATCH 061/103] remove "Resize Root Disk Image"

---
 doc.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/doc.md b/doc.md
index 4d86174f..f97ac3fb 100644
--- a/doc.md
+++ b/doc.md
@@ -124,8 +124,7 @@ Configuration Guides
  * [How to set up a ProxyVM as a VPN Gateway](/doc/vpn/)
  * [Storing AppVMs on Secondary Drives](/doc/secondary-storage/)
  * [Multibooting](/doc/multiboot/)
- * [Resize Private Disk Image](/doc/resize-disk-image/)
- * [Resize Root Disk Image](/doc/resize-root-disk-image/)
+ * [Resize Disk Image](/doc/resize-disk-image/)
  * [RPC Policies](/doc/rpc-policy/)
  * [Installing ZFS in Qubes](/doc/zfs/)
  * [Mutt Guide](/doc/mutt/)

From d9858d2736e5e1f7fcd2583de0e60ec87858c873 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 10 Feb 2018 22:12:39 +0000
Subject: [PATCH 062/103] delete duplicate content

and add heading back
---
 common-tasks/usb.md | 130 +-------------------------------------------
 1 file changed, 2 insertions(+), 128 deletions(-)

diff --git a/common-tasks/usb.md b/common-tasks/usb.md
index 390d4dc9..5f4789ad 100644
--- a/common-tasks/usb.md
+++ b/common-tasks/usb.md
@@ -21,134 +21,8 @@ redirect_from:
 Using and Managing USB Devices
 ==============================
 
-Creating and Using a USB qube
------------------------------
-
-**Warning:** This has the potential to prevent you from connecting a keyboard to Qubes via USB. There are problems with doing this with a encrypted install (LUKS). If you find yourself in this situation, see this [issue][2270-comm23].
-
-The connection of an untrusted USB device to dom0 is a security risk since dom0,
-like almost every OS, reads partition tables automatically and since the whole
-USB stack is put to work to parse the data presented by the USB device in order
-to determine if it is a USB mass storage device, to read its configuration, etc.
-This happens even if the drive is then assigned and mounted in another qube.
-
-To avoid this risk, it is possible to prepare and utilize a USB qube.
-
-A USB qube acts as a secure handler for potentially malicious USB devices,
-preventing them from coming into contact with dom0 (which could otherwise be
-fatal to the security of the whole system). With a USB qube, every time you
-connect an untrusted USB drive to a USB port managed by that USB controller, you
-will have to attach it to the qube in which you wish to use it (if different
-from the USB qube itself), either by using Qubes VM Manager or the command line
-(see instructions above). 
-You can create a USB qube using the management stack by performing the following
-steps as root in dom0:
-
- 1. Enable `sys-usb`:
-
-        qubesctl top.enable qvm.sys-usb
-
- 2. Apply the configuration:
-
-        qubesctl state.highstate
-
-Alternatively, you can create a USB qube manually as follows:
-
- 1.  Read the [Assigning Devices] page to learn how to list and identify your
-     USB controllers. Carefully check whether you have a USB controller that
-     would be appropriate to assign to a USB qube. Note that it should be free
-     of input devices, programmable devices, and any other devices that must be
-     directly available to dom0. If you find a free controller, note its name
-     and proceed to step 2.
- 2.  Create a new qube. Give it an appropriate name and color label
-     (recommended: `sys-usb`, red). If you need to attach a networking device,
-     it might make sense to create a NetVM. If not, an AppVM might make more
-     sense. (The default `sys-usb` is a NetVM.)
- 3.  In the qube's settings, go to the "Devices" tab. Find the USB controller
-     that you identified in step 1 in the "Available" list. Move it to the
-     "Selected" list.
-
-     **Caution:** By assigning a USB controller to a USB qube, it will no longer
-     be available to dom0. This can make your system unusable if, for example,
-     you have only one USB controller, and you are running Qubes off of a USB
-     drive.
-
- 4.  Click "OK." Restart the qube.
- 5.  Recommended: Check the box on the "Basic" tab which says "Start VM
-     automatically on boot." (This will help to mitigate attacks in which
-     someone forces your system to reboot, then plugs in a malicious USB
-     device.)
-
-If the USB qube will not start, see [here][faq-usbvm].
-
-How to hide all USB controllers from dom0
------------------------------------------
-
-If you create a USB qube manually, there will be a brief period of time during the
-boot process during which dom0 will be exposed to your USB controllers (and any
-attached devices). This is a potential security risk, since even brief exposure
-to a malicious USB device could result in dom0 being compromised. There are two
-approaches to this problem:
-
-1. Physically disconnect all USB devices whenever you reboot the host.
-2. Hide (i.e., blacklist) all USB controllers from dom0.
-
-**Warning:** If you use a USB [AEM] device, do not use the second option. Using
-a USB AEM device requires dom0 to have access to the USB controller to which
-your USB AEM device is attached. If dom0 cannot read your USB AEM device, AEM
-will hang.
-
-The procedure to hide all USB controllers from dom0 is as follows:
-
-1. Open the file `/etc/default/grub` in dom0.
-2. Find the line that begins with `GRUB_CMDLINE_LINUX`.
-3. Add `rd.qubes.hide_all_usb` to that line.
-4. Save and close the file.
-5. Run the command `grub2-mkconfig -o /boot/grub2/grub.cfg` in dom0.
-6. Reboot.
-
-(Note: Beginning with R3.2, `rd.qubes.hide_all_usb` is set automatically if you
-opt to create a USB qube during installation. This also occurs automatically if
-you choose to [create a USB qube] using the `qubesctl` method, which is the
-first pair of steps in the linked section.)
-
-**Warning:** A USB keyboard cannot be used to type the disk passphrase
-if USB controllers were hidden from dom0. Before hiding USB controllers
-make sure your laptop keyboard is not internally connected via USB
-(by checking output of `lsusb` command) or that you have a PS/2 keyboard at hand
-(if using a desktop PC). Failure to do so will render your system unusable.
-
-
-Removing a USB qube
--------------------
-
-**Warning:** This procedure will result in your USB controller(s) being attached
-directly to dom0.
-
-1. Shut down the USB qube.
-2. In Qubes Manager, right-click on the USB qube and select "Remove VM."
-3. Open the file `/etc/default/grub` in dom0.
-4. Find the line(s) that begins with `GRUB_CMDLINE_LINUX`.
-5. If `rd.qubes.hide_all_usb` appears anywhere in those lines, remove it.
-6. Save and close the file.
-7. Run the command `grub2-mkconfig -o /boot/grub2/grub.cfg` in dom0.
-8. Reboot.
-
-
-Security Warning about USB Input Devices
-----------------------------------------
-
-**Important security warning. Please read this section carefully!**
-
-If you connect USB input devices (keyboard and mouse) to a VM, that VM will effectively have control over your system.
-Because of this, the benefits of using a USB qube are much smaller than using a fully untrusted USB qube.
-In addition to having control over your system, such VM can also sniff all the input you enter there (for example, passwords in the case of a USB keyboard).
-
-There is no simple way to protect against sniffing, but you can make it harder to exploit control over input devices.
-
-If you have only a USB mouse connected to a USB qube, but the keyboard is connected directly to dom0 (using a PS/2 connector, for example), you simply need to lock the screen when you are away from your computer.
-You must do this every time you leave your computer unattended, even if there no risk of anyone else having direct physical access to your computer.
-This is because you are guarding the system not only against anyone with local access, but also against possible actions from a potentially compromised USB qube.
+How to attach USB drives
+----------
 
 (**Note:** In the present context, the term "USB drive" denotes any
 [USB mass storage device][mass-storage]. In addition to smaller flash memory

From 6cf763c7d568187adbfb4b3c644edfaef010d171 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sun, 11 Feb 2018 11:05:17 +0000
Subject: [PATCH 063/103] line breaks and misc grammar

some of my own fixes and some manually merged from deleted section
---
 common-tasks/usb.md | 341 ++++++++++++++++++--------------------------
 1 file changed, 138 insertions(+), 203 deletions(-)

diff --git a/common-tasks/usb.md b/common-tasks/usb.md
index 5f4789ad..bc1af09c 100644
--- a/common-tasks/usb.md
+++ b/common-tasks/usb.md
@@ -24,82 +24,66 @@ Using and Managing USB Devices
 How to attach USB drives
 ----------
 
-(**Note:** In the present context, the term "USB drive" denotes any
-[USB mass storage device][mass-storage]. In addition to smaller flash memory
-sticks, this includes things like USB external hard drives.)
+(**Note:** In the present context, the term "USB drive" denotes any [USB mass storage device][mass-storage].
+In addition to smaller flash memory sticks, this includes things like USB external hard drives.)
 
-Qubes OS supports the ability to attach a USB drive (or just one or more of its
-partitions) to any qube easily, no matter which qube actually handles the USB
-controller.
+Qubes OS supports the ability to attach a USB drive (or just one or more of its partitions) to any qube easily, no matter which qube actually handles the USB controller.
 
 ### R4.0 ###
 
-USB drive mounting is integrated into the Devices Widget. This is the tool tray
-icon with a yellow square located in the top right of your screen by default.
-Simply insert
-your USB drive and click on the widget. You will see multiple entries for your
-USB drive; typically, `sys-usb:sda`, `sys-usb:sda1`, and `sys-usb:2-1` for example.
-The simplest (but slightly less secure, see note below about attaching individual
-partitions) option is to attach the entire block drive. In our example, this is `sda`,
-so hover over it.
+USB drive mounting is integrated into the Devices Widget.
+This is the tool tray icon with a yellow square located in the top right of your screen by default.
+Simply insert your USB drive and click on the widget.
+You will see multiple entries for your USB drive; typically, `sys-usb:sda`, `sys-usb:sda1`, and `sys-usb:2-1` for example.
+The simplest (but slightly less secure, see note below about attaching individual partitions) option is to attach the entire block drive.
+In our example, this is `sda`, so hover over it.
 This will pop up a submenu showing running VMs to which the USB drive can be connected.
 Click on one and your USB drive will be attached!
 
-Note that attaching individual partitions can be slightly more secure because it doesn't
-force the target AppVM to parse the partition table. However, it often means the 
-AppVM won't detect the new partition and you will need to manually mount it inside
-the AppVM. See below for more detailed steps.
+Note that attaching individual partitions can be slightly more secure because it doesn't force the target AppVM to parse the partition table.
+However, it often means the AppVM won't detect the new partition and you will need to manually mount it inside the AppVM.
+See below for more detailed steps.
     
-The command-line tool you may use to mount whole USB drives or their partitions
-is `qvm-block`. This tool can be used to assign a USB drive to a qube as
-follows:
+The command-line tool you may use to mount whole USB drives or their partitions is `qvm-block`.
+This tool can be used to assign a USB drive to a qube as follows:
 
  1. Insert your USB drive.
 
- 2. In a dom0 console (running as a normal user), list all available block
-    devices:
+ 2. In a dom0 console (running as a normal user), list all available block devices:
 
         qvm-block
 
-    This will list all available block devices connected to any USB controller
-    in your system, no matter which qube hosts the controller. The name of the
-    qube hosting the USB controller is displayed before the colon in the device
-    name. The string after the colon is the name of the device used within the
-    qube, like so:
+    This will list all available block devices connected to any USB controller in your system, no matter which qube hosts the controller.
+    The name of the qube hosting the USB controller is displayed before the colon in the device name.
+    The string after the colon is the name of the device used within the qube, like so:
 
         dom0:sdb1     Cruzer () 4GiB
         
         usbVM:sdb1    Disk () 2GiB
 
-    **Note:** If your device is not listed here, you may refresh the list by
-    calling from the qube to which the device is connected (typically `sys-usb`):
+    **Note:** If your device is not listed here, you may refresh the list by calling from the qube to which the device is connected (typically `sys-usb`):
 
         sudo udevadm trigger --action=change
 
- 3.  Assuming your USB drive is attached to `sys-usb` and is `sdb`, we attach the
-     device to a qube with the name `personal` like so:
+ 3.  Assuming your USB drive is attached to `sys-usb` and is `sdb`, we attach the device to a qube with the name `personal` like so:
 
          qvm-block attach personal sys-usb:sdb
 
-     This will attach the device to the qube as `/dev/xvdi` if that name is not
-     already taken by another attached device, or `/dev/xvdj`, etc.
+     This will attach the device to the qube as `/dev/xvdi` if that name is not already taken by another attached device, or `/dev/xvdj`, etc.
 
-     You may also mount one partition at a time by using the same command with
-     the partition number after `sdb`.
+     You may also mount one partition at a time by using the same command with the partition number after `sdb`.
 
- 4.  The USB drive is now attached to the qube. If using a default qube, you may
-     open the Nautilus file manager in the qube, and your drive should be
-     visible in the **Devices** panel on the left. If you've attached a single
-     partition, you may need to manually mount before it becomes visible:
+ 4.  The USB drive is now attached to the qube.
+     If using a default qube, you may open the Nautilus file manager in the qube, and your drive should be visible in the **Devices** panel on the left.
+     If you've attached a single partition, you may need to manually mount before it becomes visible:
      ```
      cd ~
      mkdir mnt
      sudo mount /dev/xvdi mnt
      ```
 
- 5.  When you finish using your USB drive, click the eject button or right-click
-     and select **Unmount**. If you've manually mounted a single partition
-     in the above step, use:
+ 5.  When you finish using your USB drive, click the eject button or right-click and select **Unmount**.
+     If you've manually mounted a single partition in the above step, use:
      `sudo umount mnt`
 
  6.  In a dom0 console, detach the stick
@@ -110,75 +94,62 @@ follows:
 
 ### R3.2 ###
 
-USB drive mounting is integrated into the Qubes VM Manager GUI. Simply insert
-your USB drive, right-click on the desired qube in the Qubes VM Manager list,
-click **Attach/detach block devices**, and select your desired action and
-device. This, however, only works for the whole device. If you would like to
-attach individual partitions, you must use the command-line tool.
+USB drive mounting is integrated into the Qubes VM Manager GUI.
+Simply insert your USB drive, right-click on the desired qube in the Qubes VM Manager list, click **Attach/detach block devices**, and select your desired action and device.
+However, this only works for the whole device.
+If you would like to attach individual partitions, you must use the command-line tool.
 
-Note that attaching individual partitions can be slightly more secure because it doesn't
-force the target AppVM to parse the partition table. However, it often means the 
-AppVM won't detect the new partition and you will need to manually mount it inside
-the AppVM. See below for more detailed steps.
+Note that attaching individual partitions can be slightly more secure because it doesn't force the target AppVM to parse the partition table.
+However, it often means the AppVM won't detect the new partition and you will need to manually mount it inside the AppVM.
+See below for more detailed steps.
     
-The command-line tool you may use to mount whole USB drives or their partitions
-is `qvm-block`. This tool can be used to assign a USB drive to a qube as
-follows:
+The command-line tool you may use to mount whole USB drives or their partitions is `qvm-block`.
+This tool can be used to assign a USB drive to a qube as follows:
 
  1. Insert your USB drive.
 
- 2. In a dom0 console (running as a normal user), list all available block
-    devices:
+ 2. In a dom0 console (running as a normal user), list all available block devices:
 
         qvm-block
 
-    This will list all available block devices connected to any USB controller
-    in your system, no matter which qube hosts the controller. The name of the
-    qube hosting the USB controller is displayed before the colon in the device
-    name. The string after the colon is the name of the device used within the
-    qube, like so:
+    This will list all available block devices connected to any USB controller in your system, no matter which qube hosts the controller.
+    The name of the qube hosting the USB controller is displayed before the colon in the device name.
+    The string after the colon is the name of the device used within the qube, like so:
 
         dom0:sdb1     Cruzer () 4GiB
         
         usbVM:sdb1    Disk () 2GiB
 
-    **Note:** If your device is not listed here, you may refresh the list by
-    calling from the qube to which the device is connected (typically `sys-usb`):
+    **Note:** If your device is not listed here, you may refresh the list by calling from the qube to which the device is connected (typically `sys-usb`):
 
         sudo udevadm trigger --action=change
 
- 3.  Assuming your USB drive is attached to `sys-usb` and is `sdb`, we attach the
-     device to a qube with the name `personal` like so:
+ 3.  Assuming your USB drive is attached to `sys-usb` and is `sdb`, we attach the device to a qube with the name `personal` like so:
 
          qvm-block -a personal sys-usb:sdb
 
-     This will attach the device to the qube as `/dev/xvdi` if that name is not
-     already taken by another attached device, or `/dev/xvdj`, etc.
+     This will attach the device to the qube as `/dev/xvdi` if that name is not already taken by another attached device, or `/dev/xvdj`, etc.
 
-     You may also mount one partition at a time by using the same command with
-     the partition number after `sdb`. This is slightly more secure because it
-     does not force the target AppVM to parse the partition table.
+     You may also mount one partition at a time by using the same command with the partition number after `sdb`.
+     This is slightly more secure because it does not force the target AppVM to parse the partition table.
 
-     **Warning:** when working with single partitions, it is possible to assign
-     the same partition to multiple qubes. For example, you could attach `sdb1`
-     to qube1 and then `sdb` to qube2. It is up to the user not to make this
-     mistake. The Xen block device framework currently does not provide an easy
-     way around this. Point 2 of [this comment on issue 1072][1072-comm2] gives
-     details about this.
+     **Warning:** when working with single partitions, it is possible to assign the same partition to multiple qubes.
+     For example, you could attach `sdb1` to qube1 and then `sdb` to qube2.
+     It is up to the user not to make this mistake.
+     The Xen block device framework currently does not provide an easy way around this.
+     Point 2 of [this comment on issue 1072][1072-comm2] gives details about this.
 
- 4.  The USB drive is now attached to the qube. If using a default qube, you may
-     open the Nautilus file manager in the qube, and your drive should be
-     visible in the **Devices** panel on the left. If you've attached a single
-     partition, you may need to manually mount before it becomes visible:
+ 4.  The USB drive is now attached to the qube.
+     If using a default qube, you may open the Nautilus file manager in the qube, and your drive should be visible in the **Devices** panel on the left.
+     If you've attached a single partition, you may need to manually mount before it becomes visible:
      ```
      cd ~
      mkdir mnt
      sudo mount /dev/xvdi mnt
      ```
    
- 5.  When you finish using your USB drive, click the eject button or right-click
-     and select **Unmount**. If you've manually mounted a single partition
-     in the above step, use:
+ 5.  When you finish using your USB drive, click the eject button or right-click and select **Unmount**.
+     If you've manually mounted a single partition in the above step, use:
      `sudo umount mnt`
 
  6.  In a dom0 console, detach the stick
@@ -192,84 +163,69 @@ follows:
  7.  You may now remove the device.
 
 **Warning:** Do not remove the device before detaching it from the VM!
-Otherwise, you will not be able to attach it anywhere later. See issue [1082]
-for details.
+Otherwise, you will not be able to attach it anywhere later.
+See issue [1082] for details.
 
-If the device does not appear in Nautilus, you will need to mount it
-manually. The device will show up as `/dev/xvdi` (or `/dev/xvdj` if there is
-already one device attached -- if two, `/dev/xvdk`, and so on).
+If the device does not appear in Nautilus, you will need to mount it manually.
+The device will show up as `/dev/xvdi` (or `/dev/xvdj` if there is already one device attached -- if two, `/dev/xvdk`, and so on).
 
 
 ### What if I removed the device before detaching it from the VM? (R3.2) ###
 
-Currently (until issue [1082] gets implemented), if you remove the device
-before detaching it from the qube, Qubes OS (more precisely, `libvirtd`) will
-think that the device is still attached to the qube and will not allow attaching
-further devices under the same name. The easiest way to recover from such a
-situation is to reboot the qube to which the device was attached, but if this
-isn't an option, you can manually recover from the situation by following these
-steps:
+Currently (until issue [1082] gets implemented), if you remove the device before detaching it from the qube, Qubes OS (more precisely, `libvirtd`) will think that the device is still attached to the qube and will not allow attaching further devices under the same name.
+The easiest way to recover from such a situation is to reboot the qube to which the device was attached.
+If this isn't an option, you can manually recover from the situation by following these steps:
 
- 1. Physically connect the device back. You can use any device as long as it
-    will be detected under the same name (for example, `sdb`).
+ 1. Physically connect the device back.
+    You can use any device as long as it will be detected under the same name (for example, `sdb`).
 
- 2. Attach the device manually to the same VM using the `xl block-attach`
-    command. It is important to use the same "frontend" device name (by default,
-    `xvdi`). You can get it from the `qvm-block` listing:
+ 2. Attach the device manually to the same VM using the `xl block-attach` command.
+    It is important to use the same "frontend" device name (by default, `xvdi`).
+    You can get it from the `qvm-block` listing:
 
         [user@dom0 ~]$ qvm-block
         sys-usb:sda DataTraveler_2.0 () 246 MiB (attached to 'testvm' as 'xvdi')
         [user@dom0 ~]$ sudo xl block-attach testvm phy:/dev/sda backend=sys-usb xvdi
 
-    In above example, all `xl block-attach` parameters can be deduced from the
-    output of `qvm-block`. In order:
+    In above example, all `xl block-attach` parameters can be deduced from the output of `qvm-block`.
+    In order:
 
-    * `testvm` - name of target qube to which device was attached - listed in
-      brackets by `qvm-block` command
-    * `phy:/dev/sda` - physical path at which device appears in source qube
-      (just after source qube name in `qvm-block` output)
+    * `testvm` - name of target qube to which device was attached - listed in brackets by `qvm-block` command
+    * `phy:/dev/sda` - physical path at which device appears in source qube (just after source qube name in `qvm-block` output)
     * `backend=sys-usb` - name of source qube, can be omitted in the case of dom0
-    * `xvdi` - "frontend" device name (listed at the end of line in `qvm-block`
-      output)
+    * `xvdi` - "frontend" device name (listed at the end of line in `qvm-block` output)
 
- 3. Now properly detach the device, either using Qubes VM Manager or the
-    `qvm-block -d` command.
+ 3. Now properly detach the device, either using Qubes VM Manager or the `qvm-block -d` command.
 
 
 Attaching a single USB device to a qube (USB passthrough)
 ---------------------------------------------------------
 
-Starting with Qubes 3.2, it is possible to attach a single USB device to any
-Qube. While this is a useful feature, it should be used with care, because there
-are [many security implications][usb-challenges] from using USB devices and USB
-passthrough will **expose your target qube** for most of them. If possible, use 
-a method specific for particular device type (for example block devices described
-above), instead of this generic one.
+Starting with Qubes 3.2, it is possible to attach a single USB device to any Qube.
+While this is a useful feature, it should be used with care, because there are [many security implications][usb-challenges] from using USB devices and USB passthrough will **expose your target qube** to most of them.
+If possible, use a method specific for particular device type (for example, block devices described above), instead of this generic one.
 
 ### Installation of qubes-usb-proxy ###
 [installation]: #installation-of-qubes-usb-proxy
 
-To use this feature, you need to install [`qubes-usb-proxy`][qubes-usb-proxy] package in the
-templates used for the USB qube and qubes you want to connect USB devices to. Note
-you cannot pass through devices from dom0 (in other words: USB VM is required).
+To use this feature, you need to install [`qubes-usb-proxy`][qubes-usb-proxy] package in the templates used for the USB qube and qubes you want to connect USB devices to.
+Note you cannot pass through devices from dom0 (in other words: USB VM is required).
 `qubes-usb-proxy` should be installed by default in the template VM.
-However, if you receive this error: `ERROR: qubes-usb-proxy not installed in the VM`,
-you can install the `qubes-usb-proxy` with the package manager in the VM
-you want to attach the USB device to.
+However, if you receive this error: `ERROR: qubes-usb-proxy not installed in the VM`, you can install the `qubes-usb-proxy` with the package manager in the VM you want to attach the USB device to.
 
 - Fedora: `sudo dnf install qubes-usb-proxy`
 - Debian/Ubuntu: `sudo apt-get install qubes-usb-proxy`
 
 ### Usage of qubes-usb-proxy (R4.0) ###
 
-This feature is also available from the Devices Widget. This is the tool tray
-icon with a yellow square located in the top right of your screen by default.
-Simply insert
-your USB device and click on the widget. You will see an entry for your device
-such as `sys-usb:2-5 - 058f_USB_2.0_Camera` for example.
+This feature is also available from the Devices Widget.
+This is the tool tray icon with a yellow square located in the top right of your screen by default.
+Simply insert your USB device and click on the widget.
+You will see an entry for your device such as `sys-usb:2-5 - 058f_USB_2.0_Camera` for example.
 Hover over it.
 This will pop up a submenu showing running VMs to which the USB device can be connected.
-Click on one and your device will be attached! You may also use the command line:
+Click on one and your device will be attached!
+You may also use the command line:
 
 Listing available USB devices:
 
@@ -288,16 +244,16 @@ Attaching selected USB device:
     sys-usb:2-1     03f0:0641 PixArt_HP_X1200_USB_Optical_Mouse
 
 Now, you can use your USB device (camera in this case) in the `conferences` qube.
-If you see the error `ERROR: qubes-usb-proxy not installed in the VM` instead,
-please refer to the [Installation Section][installation].
+If you see the error `ERROR: qubes-usb-proxy not installed in the VM` instead, please refer to the [Installation Section][installation].
 
-When you finish, detach the device. This can be done in the GUI by
-clicking on the Devices Widget. You will see an entry in bold for your device
-such as **`sys-usb:2-5 - 058f_USB_2.0_Camera`**.
+When you finish, detach the device.
+This can be done in the GUI by clicking on the Devices Widget.
+You will see an entry in bold for your device such as **`sys-usb:2-5 - 058f_USB_2.0_Camera`**.
 Hover over it.
-This will pop up a submenu showing running VMs. The one which your device is
-connected to will have an Eject button next to it. Click that and your device
-will be detached. You may also use the command line:
+This will pop up a submenu showing running VMs.
+The one to which your device is connected will have an Eject button next to it.
+Click that and your device will be detached.
+You may also use the command line:
 
     [user@dom0 ~]$ qvm-usb detach conferences sys-usb:2-5
     [user@dom0 ~]$ qvm-usb
@@ -324,8 +280,7 @@ Attaching selected USB device:
     sys-usb:2-1     03f0:0641 PixArt_HP_X1200_USB_Optical_Mouse
 
 Now, you can use your USB device (camera in this case) in the `conferences` qube.
-If you see the error `ERROR: qubes-usb-proxy not installed in the VM` instead,
-please refer to the [Installation Section][installation].
+If you see the error `ERROR: qubes-usb-proxy not installed in the VM` instead, please refer to the [Installation Section][installation].
 
 When you finish, detach the device:
 
@@ -340,76 +295,62 @@ This feature is not available in Qubes Manager.
 Creating and Using a USB qube
 -----------------------------
 
-**Warning:** This has the potential to prevent you from connecting a keyboard to Qubes via USB. There are problems with doing this in an encrypted install (LUKS). If you find yourself in this situation, see this [issue][2270-comm23].
+**Warning:** This has the potential to prevent you from connecting a keyboard to Qubes via USB.
+There are problems with doing this in an encrypted install (LUKS).
+If you find yourself in this situation, see this [issue][2270-comm23].
 
-Connecting an untrusted USB device to dom0 is a security risk since dom0,
-like almost every OS, reads partition tables automatically. The whole
-USB stack is put to work to parse the data presented by the USB device in order
-to determine if it is a USB mass storage device, to read its configuration, etc.
+The connection of an untrusted USB device to dom0 is a security risk since dom0, like almost every OS, reads partition tables automatically.
+The whole USB stack is put to work to parse the data presented by the USB device in order to determine if it is a USB mass storage device, to read its configuration, etc.
 This happens even if the drive is then assigned and mounted in another qube.
 
 To avoid this risk, it is possible to prepare and utilize a USB qube.
 
-A USB qube acts as a secure handler for potentially malicious USB devices,
-preventing them from coming into contact with dom0 (which could otherwise be
-fatal to the security of the whole system). With a USB qube, every time you
-connect an untrusted USB drive to a USB port managed by that USB controller, you
-will have to attach it to the qube in which you wish to use it (if different
-from the USB qube itself), either by using Qubes VM Manager or the command line
-(see instructions above). The USB controller may be assigned on the **Devices** tab of a
-qube's settings page in Qubes VM Manager or by using the
-[qvm-pci][Assigning Devices] command. For guidance on finding the correct USB
-controller, see [here][usb-controller].
-You can create a USB qube using the management stack by performing the following
-as root in dom0:
+A USB qube acts as a secure handler for potentially malicious USB devices, preventing them from coming into contact with dom0 (which could otherwise be fatal to the security of the whole system).
+With a USB qube, every time you connect an untrusted USB drive to a USB port managed by that USB controller, you will have to attach it to the qube in which you wish to use it (if different from the USB qube itself), either by using Qubes VM Manager or the command line (see instructions above).
+The USB controller may be assigned on the **Devices** tab of a qube's settings page in Qubes VM Manager or by using the [qvm-pci][Assigning Devices] command.
+For guidance on finding the correct USB controller, see [here][usb-controller].
+You can create a USB qube using the management stack by performing the following steps as root in dom0:
 
     sudo qubesctl state.sls qvm.sys-usb
 
 Alternatively, you can create a USB qube manually as follows:
 
- 1.  Read the [Assigning Devices] page to learn how to list and identify your
-     USB controllers. Carefully check whether you have a USB controller that
-     would be appropriate to assign to a USB qube. Note that it should have no
-     input devices, programmable devices, and any other devices that must be
-     directly available to dom0. If you find a free controller, note its name
-     and proceed to step 2.
- 2.  Create a new qube. Give it an appropriate name and color label
-     (recommended: `sys-usb`, red). If you need to attach a networking device,
-     it might make sense to create a NetVM. If not, an AppVM might make more
-     sense. (The default `sys-usb` is a NetVM.)
- 3.  In the qube's settings, go to the "Devices" tab. Find the USB controller
-     that you identified in step 1 in the "Available" list. Move it to the
-     "Selected" list.
+ 1.  Read the [Assigning Devices] page to learn how to list and identify your USB controllers.
+     Carefully check whether you have a USB controller that would be appropriate to assign to a USB qube.
+     Note that it should be free of input devices, programmable devices, and any other devices that must be directly available to dom0.
+     If you find a free controller, note its name and proceed to step 2.
+ 2.  Create a new qube.
+     Give it an appropriate name and color label (recommended: `sys-usb`, red).
+     If you need to attach a networking device, it might make sense to create a NetVM.
+     If not, an AppVM might make more sense.
+     (The default `sys-usb` is a NetVM.)
+ 3.  In the qube's settings, go to the "Devices" tab.
+     Find the USB controller that you identified in step 1 in the "Available" list.
+     Move it to the "Selected" list.
 
-     **Caution:** By assigning a USB controller to a USB qube, it will no longer
-     be available to dom0. This can make your system unusable if, for example,
-     you have only one USB controller, and you are running Qubes off of a USB
-     drive.
+     **Caution:** By assigning a USB controller to a USB qube, it will no longer be available to dom0.
+     This can make your system unusable if, for example, you have only one USB controller, and you are running Qubes off of a USB drive.
 
- 4.  Click "OK." Restart the qube.
- 5.  Recommended: Check the box on the "Basic" tab which says "Start VM
-     automatically on boot." (This will help to mitigate attacks in which
-     someone forces your system to reboot, then plugs in a malicious USB
-     device.)
+ 4.  Click `OK`.
+     Restart the qube.
+ 5.  Recommended: Check the box on the "Basic" tab which says "Start VM automatically on boot".
+     (This will help to mitigate attacks in which someone forces your system to reboot, then plugs in a malicious USB device.)
 
 If the USB qube will not start, see [here][faq-usbvm].
 
 How to hide all USB controllers from dom0
 -----------------------------------------
 
-If you create a USB qube manually, there will be a brief period of time during the
-boot process during which dom0 will be exposed to your USB controllers (and any
-attached devices). This is a potential security risk, since even brief exposure
-to a malicious USB device could result in dom0 being compromised. There are two
-approaches to this problem:
+If you create a USB qube manually, there will be a brief period of time during the boot process when dom0 will be exposed to your USB controllers (and any attached devices).
+This is a potential security risk, since even brief exposure to a malicious USB device could result in dom0 being compromised.
+There are two approaches to this problem:
 
 1. Physically disconnect all USB devices whenever you reboot the host.
 2. Hide (i.e., blacklist) all USB controllers from dom0.
 
-**Warning:** If you use a USB [AEM] device, do not use the second option. Using
-a USB AEM device requires dom0 to have access to the USB controller to which
-your USB AEM device is attached. If dom0 cannot read your USB AEM device, AEM
-will hang.
+**Warning:** If you use a USB [AEM] device, do not use the second option.
+Using a USB AEM device requires dom0 to have access to the USB controller to which your USB AEM device is attached.
+If dom0 cannot read your USB AEM device, AEM will hang.
 
 The procedure to hide all USB controllers from dom0 is as follows:
 
@@ -430,23 +371,19 @@ The procedure to hide all USB controllers from dom0 is as follows:
  4. Save and close the file.
  5. Reboot.
 
-(Note: Beginning with R3.2, `rd.qubes.hide_all_usb` is set automatically if you
-opt to create a USB qube during installation. This also occurs automatically if
-you choose to [create a USB qube] using the `qubesctl` method, which is the
+(Note: Beginning with R3.2, `rd.qubes.hide_all_usb` is set automatically if you opt to create a USB qube during installation.
+This also occurs automatically if you choose to [create a USB qube] using the `qubesctl` method, which is the
 first pair of steps in the linked section.)
 
-**Warning:** A USB keyboard cannot be used to type the disk passphrase
-if USB controllers were hidden from dom0. Before hiding USB controllers
-make sure your laptop keyboard is not internally connected via USB
-(by checking output of `lsusb` command) or that you have a PS/2 keyboard at hand
-(if using a desktop PC). Failure to do so will render your system unusable.
+**Warning:** A USB keyboard cannot be used to type the disk passphrase if USB controllers were hidden from dom0.
+Before hiding USB controllers, make sure your laptop keyboard is not internally connected via USB (by checking output of the `lsusb` command) or that you have a PS/2 keyboard at hand (if using a desktop PC).
+Failure to do so will render your system unusable.
 
 
 Removing a USB qube
 -------------------
 
-**Warning:** This procedure will result in your USB controller(s) being attached
-directly to dom0.
+**Warning:** This procedure will result in your USB controller(s) being attached directly to dom0.
 
  * GRUB2
  
@@ -476,7 +413,7 @@ Security Warning about USB Input Devices
 
 If you connect USB input devices (keyboard and mouse) to a VM, that VM will effectively have control over your system.
 Because of this, the benefits of using a USB qube are much smaller than using a fully untrusted USB qube.
-In addition to having control over your system, such VM can also sniff all the input you enter there (for example, passwords in the case of a USB keyboard).
+In addition to having control over your system, such a VM can also sniff all the input you enter there (for example, passwords in the case of a USB keyboard).
 
 There is no simple way to protect against sniffing, but you can make it harder to exploit control over input devices.
 
@@ -538,11 +475,9 @@ How to use a USB mouse
 
 **Caution:** Please carefully read the [Security Warning about USB Input Devices] before proceeding.
 
-In order to use a USB mouse, you must first attach it to a USB qube, then give that
-qube permission to pass mouse input to dom0.
-The following steps are already done by default if you created the sys-usb qube with
-`qubesctl state.sls qvm.sys-usb` above, or let Qubes create it for you on first boot. However,
-if you've created the USB qube manually:
+In order to use a USB mouse, you must first attach it to a USB qube, then give that qube permission to pass mouse input to dom0.
+The following steps are already done by default if you created the sys-usb qube with `qubesctl state.sls qvm.sys-usb` above, or let Qubes create it for you on first boot.
+However, if you've created the USB qube manually:
 
 Edit the `qubes.InputMouse` policy file in dom0, which is located here:
 

From 89ecd9a8fed18e6f76b475c65dac92676a2f1e52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Sun, 11 Feb 2018 19:46:01 +0100
Subject: [PATCH 064/103] Make firewall rules spec more precise

Define options order and explicitly forbid duplicates.
---
 debugging/vm-interface.md | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/debugging/vm-interface.md b/debugging/vm-interface.md
index b800dfa1..bb5135f1 100644
--- a/debugging/vm-interface.md
+++ b/debugging/vm-interface.md
@@ -98,19 +98,22 @@ Possible options for a single rule:
  echo request, valid only together with `proto=icmp`
  - `dpi`, value: Deep Packet Inspection protocol (like: HTTP, SSL, SMB, SSH, SMTP) or the default 'NO' as no DPI, only  packet filtering
 
+Options must appear in the rule in the order listed above. Duplicated options
+are forbidden.
+
 Rule matches only when all predicates matches. Only one of `dst4`, `dst6`,
 `dstname`, `specialtarget` can be used in a single rule.
 
 If tool applying firewall encounters any parse error (unknown option, invalid
-value etc), it should drop all the traffic coming from that `SOURCE_IP`,
+value, duplicated option, etc), it should drop all the traffic coming from that `SOURCE_IP`,
 regardless of properly parsed rules.
 
 Example valid rules:
 
 - `action=accept dst4=8.8.8.8 proto=udp dstports=53-53`
 - `action=drop dst6=2a00:1450:4000::/37 proto=tcp`
-- `specialtarget=dns action=accept`
-- `specialtarget=dns action=drop proto=tcp` - drop DNS queries sent using TCP
+- `action=accept specialtarget=dns`
+- `action=drop proto=tcp specialtarget=dns` - drop DNS queries sent using TCP
 - `action=drop`
 
 ### Keys set by VM for passing info to dom0 ###

From 7a1ef0689841532d9013cda7a6cadb544f809678 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Sun, 11 Feb 2018 19:15:10 -0600
Subject: [PATCH 065/103] Update Qubes 3.2 man pages

Requested by : QubesOS/qubes-issues#3538
Related to   : QubesOS/qubes-issues#3495
---
 reference/tools/3.2/dom0.md                   |   4 +
 reference/tools/3.2/dom0/qubes-prefs.md       |  35 ++-
 reference/tools/3.2/dom0/qubes_guid.md        |  41 +++
 reference/tools/3.2/dom0/qvm-add-appvm.md     |  42 ++-
 reference/tools/3.2/dom0/qvm-add-template.md  |  45 ++--
 .../tools/3.2/dom0/qvm-backup-restore.md      | 108 ++++----
 reference/tools/3.2/dom0/qvm-backup.md        |  57 ++--
 reference/tools/3.2/dom0/qvm-block.md         |  73 +++--
 reference/tools/3.2/dom0/qvm-check.md         |  41 +++
 reference/tools/3.2/dom0/qvm-clone.md         |  43 ++-
 .../tools/3.2/dom0/qvm-create-default-dvm.md  |  44 +--
 reference/tools/3.2/dom0/qvm-create.md        | 103 +++----
 reference/tools/3.2/dom0/qvm-firewall.md      |  85 +++---
 reference/tools/3.2/dom0/qvm-grow-private.md  |  30 +--
 reference/tools/3.2/dom0/qvm-grow-root.md     |  35 +++
 reference/tools/3.2/dom0/qvm-kill.md          |  29 +-
 reference/tools/3.2/dom0/qvm-ls.md            |  74 +++--
 reference/tools/3.2/dom0/qvm-pci.md           |  61 ++---
 reference/tools/3.2/dom0/qvm-prefs.md         | 252 +++++++++++-------
 reference/tools/3.2/dom0/qvm-remove.md        |  45 ++--
 .../3.2/dom0/qvm-revert-template-changes.md   |  35 ++-
 reference/tools/3.2/dom0/qvm-run.md           | 109 ++++----
 reference/tools/3.2/dom0/qvm-service.md       | 167 ++++++------
 reference/tools/3.2/dom0/qvm-shutdown.md      |  57 ++--
 reference/tools/3.2/dom0/qvm-start.md         |  67 ++---
 .../tools/3.2/dom0/qvm-template-commit.md     |  32 ++-
 reference/tools/3.2/dom0/qvm-usb.md           |  45 ++++
 reference/tools/3.2/domU.md                   |   1 +
 reference/tools/3.2/domU/qrexec-client-vm.md  |  86 ++++++
 reference/tools/3.2/domU/qvm-copy-to-vm.md    |  30 +--
 reference/tools/3.2/domU/qvm-open-in-dvm.md   |  25 +-
 reference/tools/3.2/domU/qvm-open-in-vm.md    |  25 +-
 reference/tools/3.2/domU/qvm-run.md           |  30 +--
 33 files changed, 1103 insertions(+), 853 deletions(-)
 create mode 100644 reference/tools/3.2/dom0/qubes_guid.md
 create mode 100644 reference/tools/3.2/dom0/qvm-check.md
 create mode 100644 reference/tools/3.2/dom0/qvm-grow-root.md
 create mode 100644 reference/tools/3.2/dom0/qvm-usb.md
 create mode 100644 reference/tools/3.2/domU/qrexec-client-vm.md

diff --git a/reference/tools/3.2/dom0.md b/reference/tools/3.2/dom0.md
index 331c0754..45f73c08 100644
--- a/reference/tools/3.2/dom0.md
+++ b/reference/tools/3.2/dom0.md
@@ -13,17 +13,20 @@ Dom0 Command-Line Tools for Qubes 3.2
 =====================================
 
  * [qubes-dom0-update](/doc/tools/3.2/dom0/qubes-dom0-update/)
+ * [qubes-guid](/doc/tools/3.2/dom0/qubes_guid/)
  * [qubes-prefs](/doc/tools/3.2/dom0/qubes-prefs/)
  * [qvm-add-appvm](/doc/tools/3.2/dom0/qvm-add-appvm/)
  * [qvm-add-template](/doc/tools/3.2/dom0/qvm-add-template/)
  * [qvm-backup-restore](/doc/tools/3.2/dom0/qvm-backup-restore/)
  * [qvm-backup](/doc/tools/3.2/dom0/qvm-backup/)
  * [qvm-block](/doc/tools/3.2/dom0/qvm-block/)
+ * [qvm-check](/doc/tools/3.2/dom0/qvm-check/)
  * [qvm-clone](/doc/tools/3.2/dom0/qvm-clone/)
  * [qvm-create-default-dvm](/doc/tools/3.2/dom0/qvm-create-default-dvm/)
  * [qvm-create](/doc/tools/3.2/dom0/qvm-create/)
  * [qvm-firewall](/doc/tools/3.2/dom0/qvm-firewall/)
  * [qvm-grow-private](/doc/tools/3.2/dom0/qvm-grow-private/)
+ * [qvm-grow-root](/doc/tools/3.2/dom0/qvm-grow-root/)
  * [qvm-ls](/doc/tools/3.2/dom0/qvm-ls/)
  * [qvm-kill](/doc/tools/3.2/dom0/qvm-kill/)
  * [qvm-pci](/doc/tools/3.2/dom0/qvm-pci/)
@@ -36,4 +39,5 @@ Dom0 Command-Line Tools for Qubes 3.2
  * [qvm-start](/doc/tools/3.2/dom0/qvm-start/)
  * [qvm-sync-appmenus](/doc/tools/3.2/dom0/qvm-sync-appmenus/)
  * [qvm-template-commit](/doc/tools/3.2/dom0/qvm-template-commit/)
+ * [qvm-usb](/doc/tools/3.2/dom0/qvm-usb/)
 
diff --git a/reference/tools/3.2/dom0/qubes-prefs.md b/reference/tools/3.2/dom0/qubes-prefs.md
index 5368466f..caeed73b 100644
--- a/reference/tools/3.2/dom0/qubes-prefs.md
+++ b/reference/tools/3.2/dom0/qubes-prefs.md
@@ -9,32 +9,29 @@ redirect_from:
 - /wiki/Dom0Tools/QubesPrefs/
 ---
 
+```
+===========
 qubes-prefs
 ===========
 
 NAME
-----
-
+====
 qubes-prefs - display system-wide Qubes settings, such as:
 
--   clock VM
--   update VM
--   default template
--   default firewallVM
--   default kernel
--   default netVM
-
-Date  
-2012-04-13
+- clock VM
+- update VM
+- default template
+- default firewallVM
+- default kernel
+- default netVM
 
 SYNOPSIS
---------
-
-qubes-prefs
+========
+| qubes-prefs
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qubes_guid.md b/reference/tools/3.2/dom0/qubes_guid.md
new file mode 100644
index 00000000..0b42e0f6
--- /dev/null
+++ b/reference/tools/3.2/dom0/qubes_guid.md
@@ -0,0 +1,41 @@
+---
+layout: doc
+title: qubes_guid
+permalink: /doc/tools/3.2/dom0/qubes_guid/
+redirect_from:
+- /doc/dom0-tools/qubes_guid/
+- /en/doc/dom0-tools/qubes_guid/
+---
+
+```
+==========
+qubes_guid
+==========
+
+NAME
+====
+qubes_guid
+
+SYNOPSIS
+========
+| qubes_guid -d domain_id [-c color] [-l label_index] [-i icon name, no suffix] [-v] [-q]
+
+OPTIONS
+=======
+-v
+    Increase log verbosity
+-q
+    Decrease log verbosity
+
+Log levels:
+    0. only errors
+    1. some basic messages (default)
+    2. debug
+
+
+AUTHORS
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-add-appvm.md b/reference/tools/3.2/dom0/qvm-add-appvm.md
index d061900e..bd514b85 100644
--- a/reference/tools/3.2/dom0/qvm-add-appvm.md
+++ b/reference/tools/3.2/dom0/qvm-add-appvm.md
@@ -9,39 +9,35 @@ redirect_from:
 - /wiki/Dom0Tools/QvmAddAppvm/
 ---
 
+```
+=============
 qvm-add-appvm
 =============
 
 NAME
-----
-
+====
 qvm-add-appvm - add an already installed appvm to the Qubes DB
 
 WARNING: Normally you should not need this command, and you should use qvm-create instead!
 
-Date  
-2012-04-10
-
 SYNOPSIS
---------
-
-qvm-add-appvm [options] \<appvm-name\> \<vm-template-name\>
+========
+| qvm-add-appvm [options] <appvm-name> <vm-template-name>
 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
-
--p DIR\_PATH, --path=DIR\_PATH  
-Specify path to the template directory
-
--c CONF\_FILE, --conf=CONF\_FILE  
-Specify the Xen VM .conf file to use(relative to the template dir path)
+=======
+-h, --help
+    Show this help message and exit
+-p DIR_PATH, --path=DIR_PATH
+    Specify path to the template directory
+-c CONF_FILE, --conf=CONF_FILE
+    Specify the Xen VM .conf file to use(relative to the template dir path)
+--force-root
+    Force to run, even with root privileges
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-add-template.md b/reference/tools/3.2/dom0/qvm-add-template.md
index 81badcb2..99c08fb3 100644
--- a/reference/tools/3.2/dom0/qvm-add-template.md
+++ b/reference/tools/3.2/dom0/qvm-add-template.md
@@ -9,40 +9,33 @@ redirect_from:
 - /wiki/Dom0Tools/QvmAddTemplate/
 ---
 
+```
+================
 qvm-add-template
 ================
 
 NAME
-----
-
+====
 qvm-add-template - adds an already installed template to the Qubes DB
 
-Date  
-2012-04-10
-
 SYNOPSIS
---------
-
-qvm-add-template [options] \<vm-template-name\>
+========
+| qvm-add-template [options] <vm-template-name>
 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
-
--p DIR\_PATH, --path=DIR\_PATH  
-Specify path to the template directory
-
--c CONF\_FILE, --conf=CONF\_FILE  
-Specify the Xen VM .conf file to use(relative to the template dir path)
-
---rpm  
-Template files have been installed by RPM
+=======
+-h, --help
+    Show this help message and exit
+-p DIR_PATH, --path=DIR_PATH
+    Specify path to the template directory
+-c CONF_FILE, --conf=CONF_FILE
+    Specify the Xen VM .conf file to use(relative to the template dir path)
+--rpm
+    Template files have been installed by RPM
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-backup-restore.md b/reference/tools/3.2/dom0/qvm-backup-restore.md
index 5456f460..71b6a5b8 100644
--- a/reference/tools/3.2/dom0/qvm-backup-restore.md
+++ b/reference/tools/3.2/dom0/qvm-backup-restore.md
@@ -9,70 +9,66 @@ redirect_from:
 - /wiki/Dom0Tools/QvmBackupRestore/
 ---
 
+```
+==================
 qvm-backup-restore
 ==================
 
 NAME
-----
-
+====
 qvm-backup-restore - restores Qubes VMs from backup
 
-Date  
-2012-04-10
-
 SYNOPSIS
---------
-
-qvm-backup-restore [options] \<backup-dir\>
+========
+| qvm-backup-restore [options] <backup-dir>
 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
-
---verify-only  
-Do not restore the data, only verify backup integrity
-
---skip-broken  
-Do not restore VMs that have missing templates or netvms
-
---ignore-missing  
-Ignore missing templates and netvms, and restore the VMs anyway
-
---skip-conflicting  
-Do not restore VMs that are already present on the host
-
---force-root  
-Force to run with root privileges
-
---replace-template=REPLACE\_TEMPLATE  
-Restore VMs using another template, syntax: old-template-name:new-template-name (can be repeated)
-
--x EXCLUDE, --exclude=EXCLUDE  
-Skip restore of specified VM (can be repeated)
-
---skip-dom0-home  
-Do not restore dom0's user home directory
-
---ignore-username-mismatch  
-Ignore dom0 username mismatch when restoring dom0's user home directory
-
--d APPVM, --dest-vm=APPVM  
-Restore from a backup located in a specific AppVM
-
--e, --encrypted  
-The backup is encrypted
-
--z, --compressed  
-The backup is compressed
-
---debug  
-Enable (a lot of) debug output
+=======
+-h, --help
+    Show this help message and exit
+--verify-only
+    Do not restore the data, only verify backup integrity
+--skip-broken
+    Do not restore VMs that have missing templates or netvms
+--ignore-missing
+    Ignore missing templates and netvms, and restore the VMs anyway
+--skip-conflicting
+    Do not restore VMs that are already present on the host
+--force-root
+    Force to run with root privileges
+--replace-template=REPLACE_TEMPLATE
+    Restore VMs using another template, syntax: old-template-name:new-template-name (can be repeated)
+-x EXCLUDE, --exclude=EXCLUDE
+    Skip restore of specified VM (can be repeated)
+--skip-dom0-home
+    Do not restore dom0's user home directory
+--ignore-username-mismatch
+    Ignore dom0 username mismatch when restoring dom0's user home directory
+-d APPVM, --dest-vm=APPVM
+    Restore from a backup located in a specific AppVM
+-e, --encrypted
+    The backup is encrypted
+-p, --passphrase-file
+    Read passphrase from file, or use '-' to read from stdin
+-z, --compressed
+    The backup is compressed
+--paranoid-mode, --plan-b
+    Treat the backup as untrusted, disable restoring things potentially
+    compromising security of dom0/other VMs, even when such data is properly
+    authenticated. This may be used to restore a backup made on compromissed
+    system. Things currently affected by this option:
+      - disable dom0 home restore
+      - reject compressed backups
+      - reject old backup formats (Qubes R2 and older)
+      - more strict validation of VM names (for example don't allow '..' in it)
+      - do not restore firewall rules, attached PCI devices, attached block
+        devices, menu entries
+--debug
+    Enable (a lot of) debug output
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-backup.md b/reference/tools/3.2/dom0/qvm-backup.md
index e5ff645c..223d1b02 100644
--- a/reference/tools/3.2/dom0/qvm-backup.md
+++ b/reference/tools/3.2/dom0/qvm-backup.md
@@ -9,34 +9,51 @@ redirect_from:
 - /wiki/Dom0Tools/QvmBackup/
 ---
 
+```
+==========
 qvm-backup
 ==========
 
 NAME
-----
-
+====
 qvm-backup
 
-Date  
-2012-04-10
-
 SYNOPSIS
---------
-
-qvm-backup [options] \<backup-dir-path\>
+========
+| qvm-backup [options] <backup-dir-path> [vms-to-be-included ...]
 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
-
--x EXCLUDE\_LIST, --exclude=EXCLUDE\_LIST  
-Exclude the specified VM from backup (might be repeated)
+=======
+-h, --help
+    Show this help message and exit
+-x EXCLUDE_LIST, --exclude=EXCLUDE_LIST
+    Exclude the specified VM from backup (might be repeated)
+--force-root
+    Force to run with root privileges
+-d, --dest-vm
+    Specify the destination VM to which the backup will be set (implies -e)
+-e, --encrypt
+    Encrypt the backup
+--no-encrypt
+    Skip encryption even if sending the backup to a VM
+-p, --passphrase-file
+    Read passphrase from a file, or use '-' to read from stdin
+-E, --enc-algo
+    Specify a non-default encryption algorithm. For a list of supported algorithms, execute 'openssl list-cipher-algorithms' (implies -e)
+-H, --hmac-algo
+    Specify a non-default HMAC algorithm. For a list of supported algorithms, execute 'openssl list-message-digest-algorithms'
+-z, --compress
+    Compress the backup
+-Z, --compress-filter
+	Specify a non-default compression filter program (default: gzip)
+--tmpdir
+    Specify a temporary directory (if you have at least 1GB free RAM in dom0, use of /tmp is advised) (default: /var/tmp)
+--debug
+    Enable (a lot of) debug output
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-block.md b/reference/tools/3.2/dom0/qvm-block.md
index 25dcc759..be6f9a8c 100644
--- a/reference/tools/3.2/dom0/qvm-block.md
+++ b/reference/tools/3.2/dom0/qvm-block.md
@@ -10,52 +10,49 @@ redirect_from:
 - /wiki/Dom0Tools/QvmBlock/
 ---
 
+```
+=========
 qvm-block
 =========
 
 NAME
-----
-
+====
 qvm-block - list/set VM PCI devices.
 
-Date  
-2012-04-10
-
 SYNOPSIS
---------
-
-qvm-block -l [options]
-qvm-block -a [options] \<device\> \<vm-name\>
-qvm-block -d [options] \<device\>
-qvm-block -d [options] \<vm-name\>
+========
+| qvm-block -l [options]
+| qvm-block -a [options] <vm-name> <device-vm-name>:<device>
+| qvm-block -A [options] <vm-name> <file-vm-name>:<file>
+| qvm-block -d [options] <device-vm-name>:<device>
+| qvm-block -d [options] <vm-name>
 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
-
--l, --list  
-List block devices
-
--a, --attach  
-Attach block device to specified VM
-
--d, --detach  
-Detach block device
-
--f FRONTEND, --frontend=FRONTEND  
-Specify device name at destination VM [default: xvdi]
-
---ro  
-Force read-only mode
-
---no-auto-detach  
-Fail when device already connected to other VM
+=======
+-h, --help
+    Show this help message and exit
+-l, --list
+    List block devices            
+-A, --attach-file
+    Attach specified file instead of physical device
+-a, --attach
+    Attach block device to specified VM
+-d, --detach          
+    Detach block device
+-f FRONTEND, --frontend=FRONTEND
+    Specify device name at destination VM [default: xvdi]
+--ro
+    Force read-only mode
+--no-auto-detach
+    Fail when device already connected to other VM
+--show-system-disks
+    List also system disks
+--force-root
+    Force to run, even with root privileges
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-check.md b/reference/tools/3.2/dom0/qvm-check.md
new file mode 100644
index 00000000..a20997a5
--- /dev/null
+++ b/reference/tools/3.2/dom0/qvm-check.md
@@ -0,0 +1,41 @@
+---
+layout: doc
+title: qvm-check
+permalink: /doc/tools/3.2/dom0/qvm-check/
+redirect_from:
+- /doc/dom0-tools/qvm-check/
+- /en/doc/dom0-tools/qvm-check/
+---
+
+```
+=========
+qvm-check
+=========
+
+NAME
+====
+qvm-check - Specify no state options to check if VM exists
+
+SYNOPSIS
+========
+| qvm-check [options] <vm-name>
+
+OPTIONS
+=======
+-h, --help
+    Show this help message and exit
+-q, --quiet
+    Be quiet
+--running
+    Determine if VM is running
+--paused
+    Determine if VM is paused
+--template
+    Determine if VM is a template
+
+AUTHORS
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-clone.md b/reference/tools/3.2/dom0/qvm-clone.md
index 9ea56033..503b1454 100644
--- a/reference/tools/3.2/dom0/qvm-clone.md
+++ b/reference/tools/3.2/dom0/qvm-clone.md
@@ -9,37 +9,36 @@ redirect_from:
 - /wiki/Dom0Tools/QvmClone/
 ---
 
+```
+=========
 qvm-clone
 =========
 
 NAME
-----
-
+====
 qvm-clone - clones an existing VM by copying all its disk files
 
-Date  
-2012-04-10
-
 SYNOPSIS
---------
-
-qvm-clone [options] \<src-name\> \<new-name\>
+========
+| qvm-clone [options] <src-name> <new-name>
 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
-
--q, --quiet  
-Be quiet
-
--p DIR\_PATH, --path=DIR\_PATH  
-Specify path to the template directory
+=======
+-h, --help
+    Show this help message and exit
+-q, --quiet
+    Be quiet           
+-p DIR_PATH, --path=DIR_PATH
+    Specify path to the template directory
+--force-root
+    Force to run, even with root privileges
+-P, --pool
+    Specify in to which storage pool to clone
 
 AUTHORS
--------
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
 
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+```
diff --git a/reference/tools/3.2/dom0/qvm-create-default-dvm.md b/reference/tools/3.2/dom0/qvm-create-default-dvm.md
index efd61e31..67341ea6 100644
--- a/reference/tools/3.2/dom0/qvm-create-default-dvm.md
+++ b/reference/tools/3.2/dom0/qvm-create-default-dvm.md
@@ -9,40 +9,40 @@ redirect_from:
 - /wiki/Dom0Tools/QvmCreateDefaultDvm/
 ---
 
+```
+======================
 qvm-create-default-dvm
 ======================
 
 NAME
-----
-
+====
 qvm-create-default-dvm - creates a default disposable VM
 
-Date  
-2012-04-10
-
 SYNOPSIS
---------
-
-qvm-create-default-dvm templatename|--default-template|--used-template [script-name|--default-script]
+========
+| qvm-create-default-dvm templatename|--default-template|--used-template [script-name|--default-script]
 
 OPTIONS
--------
+=======
+templatename
+    Base DispVM on given template. The command will create AppVM named after
+    template with "-dvm" suffix. This VM will be used to create DispVM
+    savefile. If you want to customize DispVM, use this VM - take a look at
+    https://wiki.qubes-os.org/wiki/UserDoc/DispVMCustomization
 
-templatename  
-Base DispVM on given template. The command will create AppVM named after template with "-dvm" suffix. This VM will be used to create DispVM savefile. If you want to customize DispVM, use this VM - take a look at <https://wiki.qubes-os.org/wiki/UserDoc/DispVMCustomization>
+--default-template
+    Use default template for the DispVM
 
---default-template  
-Use default template for the DispVM
+--used-template
+    Use the same template as earlier
 
---used-template  
-Use the same template as earlier
+--default-script
+    Use default script for seeding DispVM home.
 
---default-script  
-Use default script for seeding DispVM home.
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-create.md b/reference/tools/3.2/dom0/qvm-create.md
index ea8db752..7a1a0612 100644
--- a/reference/tools/3.2/dom0/qvm-create.md
+++ b/reference/tools/3.2/dom0/qvm-create.md
@@ -9,73 +9,58 @@ redirect_from:
 - /wiki/Dom0Tools/QvmCreate/
 ---
 
+```
+==========
 qvm-create
 ==========
 
 NAME
-----
-
+====
 qvm-create - creates a new VM
 
-Date  
-2012-04-10
-
 SYNOPSIS
---------
-
-qvm-create [options] \<vm-name\>
+========
+| qvm-create [options] <vm-name>
 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
-
--t TEMPLATE, --template=TEMPLATE  
-Specify the TemplateVM to use
-
--l LABEL, --label=LABEL  
-Specify the label to use for the new VM (e.g. red, yellow, green, ...)
-
--p, --proxy  
-Create ProxyVM
-
--n, --net  
-Create NetVM
-
--H, --hvm  
-Create HVM (standalone, unless --template option used)
-
---hvm-template  
-Create HVM template
-
--R ROOT\_MOVE, --root-move-from=ROOT\_MOVE  
-Use provided root.img instead of default/empty one (file will be MOVED)
-
--r ROOT\_COPY, --root-copy-from=ROOT\_COPY  
-Use provided root.img instead of default/empty one (file will be COPIED)
-
--s, --standalone  
-Create standalone VM - independent of template
-
--m MEM, --mem=MEM  
-Initial memory size (in MB)
-
--c VCPUS, --vcpus=VCPUS  
-VCPUs count
-
--i, --internal  
-Create VM for internal use only (hidden in qubes-manager, no appmenus)
-
---force-root  
-Force to run, even with root privileges
-
--q, --quiet  
-Be quiet
-
+=======
+-h, --help
+    Show this help message and exit
+-t TEMPLATE, --template=TEMPLATE
+    Specify the TemplateVM to use
+-l LABEL, --label=LABEL
+    Specify the label to use for the new VM (e.g. red, yellow, green, ...)
+-p, --proxy
+    Create ProxyVM
+-n, --net
+    Create NetVM
+-H, --hvm
+    Create HVM (standalone, unless --template option used)
+--hvm-template
+    Create HVM template
+-R ROOT_MOVE, --root-move-from=ROOT_MOVE
+    Use provided root.img instead of default/empty one
+    (file will be MOVED)
+-r ROOT_COPY, --root-copy-from=ROOT_COPY
+    Use provided root.img instead of default/empty one
+    (file will be COPIED)
+-s, --standalone
+    Create standalone VM - independent of template
+-m MEM, --mem=MEM
+    Initial memory size (in MB)
+-c VCPUS, --vcpus=VCPUS
+    VCPUs count
+-i, --internal
+    Create VM for internal use only (hidden in qubes-manager, no appmenus)
+--force-root
+    Force to run, even with root privileges
+-q, --quiet
+    Be quiet
+           
 AUTHORS
--------
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
 
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+```
diff --git a/reference/tools/3.2/dom0/qvm-firewall.md b/reference/tools/3.2/dom0/qvm-firewall.md
index bcc9cae2..1adccb2d 100644
--- a/reference/tools/3.2/dom0/qvm-firewall.md
+++ b/reference/tools/3.2/dom0/qvm-firewall.md
@@ -9,60 +9,53 @@ redirect_from:
 - /wiki/Dom0Tools/QvmFirewall/
 ---
 
+```
+============
 qvm-firewall
 ============
 
 NAME
-----
-
-qvm-firewall
-
-Date  
-2012-04-10
+====
+qvm-firewall - manage VM's firewall rules
 
 SYNOPSIS
---------
+========
+| qvm-firewall [-n] <vm-name> [action] [rule spec]
 
-qvm-firewall [-n] \<vm-name\> [action] [rule spec]
-
-Rule specification can be one of:  
-1.  address|hostname[/netmask] tcp|udp port[-port]
-2.  address|hostname[/netmask] tcp|udp service\_name
-3.  address|hostname[/netmask] any
+Rule specification can be one of:
+    1. address|hostname[/netmask] tcp|udp port[-port]
+    2. address|hostname[/netmask] tcp|udp service_name
+    3. address|hostname[/netmask] any
 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
-
--l, --list  
-List firewall settings (default action)
-
--a, --add  
-Add rule
-
--d, --del  
-Remove rule (given by number or by rule spec)
-
--P SET\_POLICY, --policy=SET\_POLICY  
-Set firewall policy (allow/deny)
-
--i SET\_ICMP, --icmp=SET\_ICMP  
-Set ICMP access (allow/deny)
-
--D SET\_DNS, --dns=SET\_DNS  
-Set DNS access (allow/deny)
-
--Y SET\_YUM\_PROXY, --yum-proxy=SET\_YUM\_PROXY  
-Set access to Qubes yum proxy (allow/deny). *Note:* if set to "deny", access will be rejected even if policy set to "allow"
-
--n, --numeric  
-Display port numbers instead of services (makes sense only with --list)
+=======
+-h, --help
+    Show this help message and exit
+-l, --list
+    List firewall settings (default action)
+-a, --add
+    Add rule
+-d, --del
+    Remove rule (given by number or by rule spec)
+-P SET_POLICY, --policy=SET_POLICY
+    Set firewall policy (allow/deny)
+-i SET_ICMP, --icmp=SET_ICMP
+    Set ICMP access (allow/deny)
+-D SET_DNS, --dns=SET_DNS
+    Set DNS access (allow/deny)
+-Y SET_YUM_PROXY, --yum-proxy=SET_YUM_PROXY
+    Set access to Qubes yum proxy (allow/deny).
+    *Note:* if set to "deny", access will be rejected even if policy set to "allow"
+-r, --reload
+    Reload firewall (implied by any change action)
+-n, --numeric
+    Display port numbers instead of services (makes sense only with --list)
+--force-root
+    Force to run, even with root privileges
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-grow-private.md b/reference/tools/3.2/dom0/qvm-grow-private.md
index 6b93a87c..b5c5e6b5 100644
--- a/reference/tools/3.2/dom0/qvm-grow-private.md
+++ b/reference/tools/3.2/dom0/qvm-grow-private.md
@@ -9,31 +9,27 @@ redirect_from:
 - /wiki/Dom0Tools/QvmGrowPrivate/
 ---
 
+```
+================
 qvm-grow-private
 ================
 
 NAME
-----
-
+====
 qvm-grow-private - increase private storage capacity of a specified VM
 
-Date  
-2012-04-10
-
 SYNOPSIS
---------
-
-qvm-grow-private \<vm-name\> \<size\>
+========
+| qvm-grow-private <vm-name> <size>
 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
+=======
+-h, --help
+    Show this help message and exit
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-grow-root.md b/reference/tools/3.2/dom0/qvm-grow-root.md
new file mode 100644
index 00000000..e6cc0ff0
--- /dev/null
+++ b/reference/tools/3.2/dom0/qvm-grow-root.md
@@ -0,0 +1,35 @@
+---
+layout: doc
+title: qvm-grow-root
+permalink: /doc/tools/3.2/dom0/qvm-grow-root/
+redirect_from:
+- /doc/dom0-tools/qvm-grow-root/
+- /en/doc/dom0-tools/qvm-grow-root/
+---
+
+```
+=============
+qvm-grow-root
+=============
+
+NAME
+====
+qvm-grow-root - increase root storage capacity of a specified VM
+
+SYNOPSIS
+========
+| qvm-grow-root <vm-name> <size>
+
+OPTIONS
+=======
+-h, --help
+    Show this help message and exit
+--allow-start
+    Allow VM to be started to complete the operation
+
+AUTHORS
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-kill.md b/reference/tools/3.2/dom0/qvm-kill.md
index 9903453a..9d0b14f7 100644
--- a/reference/tools/3.2/dom0/qvm-kill.md
+++ b/reference/tools/3.2/dom0/qvm-kill.md
@@ -9,31 +9,28 @@ redirect_from:
 - /wiki/Dom0Tools/QvmKill/
 ---
 
+```
+========
 qvm-kill
 ========
 
 NAME
-----
-
+====
 qvm-kill - kills the specified VM
 
-Date  
-2012-04-10
-
 SYNOPSIS
---------
+========
+| qvm-kill [options] <vm-name>
 
-qvm-kill [options] \<vm-name\>
 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
+=======
+-h, --help
+    Show this help message and exit
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-ls.md b/reference/tools/3.2/dom0/qvm-ls.md
index 13f4917f..90d6f29a 100644
--- a/reference/tools/3.2/dom0/qvm-ls.md
+++ b/reference/tools/3.2/dom0/qvm-ls.md
@@ -9,55 +9,47 @@ redirect_from:
 - /wiki/Dom0Tools/QvmLs/
 ---
 
+```
+======
 qvm-ls
 ======
 
 NAME
-----
-
+====
 qvm-ls - list VMs and various information about their state
 
-Date  
-2012-04-03
-
 SYNOPSIS
---------
-
-qvm-ls [options] \<vm-name\>
+========
+| qvm-ls [options] <vm-name>
 
 OPTIONS
--------
-
--h, --help  
-Show help message and exit
-
--n, --network  
-Show network addresses assigned to VMs
-
--c, --cpu  
-Show CPU load
-
--m, --mem  
-Show memory usage
-
--d, --disk  
-Show VM disk utilization statistics
-
--i, --ids  
-Show Qubes and Xen id
-
--k, --kernel  
-Show VM kernel options
-
--b, --last-backup  
-Show date of last VM backup
-
---raw-list  
-List only VM names one per line
+=======
+-h, --help
+    Show help message and exit
+-n, --network
+    Show network addresses assigned to VMs
+-c, --cpu
+    Show CPU load
+-m, --mem
+    Show memory usage
+-d, --disk
+    Show VM disk utilization statistics
+-i, --ids
+    Show Qubes and Xen id
+-k, --kernel
+    Show VM kernel options
+-b, --last-backup
+    Show date of last VM backup
+--raw-list
+    List only VM names one per line
+--raw-data
+    Display specify data of specified VMs. Intended for bash-parsing.
+--list-fields
+    List field names valid for --raw-data
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-pci.md b/reference/tools/3.2/dom0/qvm-pci.md
index d7aa69b1..15dc5425 100644
--- a/reference/tools/3.2/dom0/qvm-pci.md
+++ b/reference/tools/3.2/dom0/qvm-pci.md
@@ -9,46 +9,41 @@ redirect_from:
 - /wiki/Dom0Tools/QvmPci/
 ---
 
+```
+=======
 qvm-pci
 =======
 
 NAME
-----
-
+====
 qvm-pci - list/set VM PCI devices
 
-Date  
-2012-04-11
-
 SYNOPSIS
---------
-
-qvm-pci -l [options] \<vm-name\>
-qvm-pci -a [options] \<vm-name\> \<device\>
-qvm-pci -d [options] \<vm-name\> \<device\>
-
+========
+| qvm-pci -l [options] <vm-name>
+| qvm-pci -a [options] <vm-name> <device>
+| qvm-pci -d [options] <vm-name> <device>
+ 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
-
--l, --list  
-List VM PCI devices
-
--a, --add  
-Add a PCI device to specified VM
-
--C, --add-class  
-Add all devices of given class:  
-net - network interfaces, usb - USB controllers
-
--d, --delete  
-Remove a PCI device from specified VM
+=======
+-h, --help
+    Show this help message and exit
+-l, --list
+    List VM PCI devices    
+-a, --add
+    Add a PCI device to specified VM
+-C, --add-class
+    Add all devices of given class:
+        net - network interfaces,
+        usb - USB controllers
+-d, --delete
+    Remove a PCI device from specified VM
+--offline-mode
+    Offline mode
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-prefs.md b/reference/tools/3.2/dom0/qvm-prefs.md
index 32850812..70f20338 100644
--- a/reference/tools/3.2/dom0/qvm-prefs.md
+++ b/reference/tools/3.2/dom0/qvm-prefs.md
@@ -9,150 +9,220 @@ redirect_from:
 - /wiki/Dom0Tools/QvmPrefs/
 ---
 
+```
+=========
 qvm-prefs
 =========
 
 NAME
-----
-
+====
 qvm-prefs - list/set various per-VM properties
 
-Date  
-2012-04-11
-
 SYNOPSIS
---------
+========
+| qvm-prefs -l [options] <vm-name>
+| qvm-prefs -g [options] <vm-name> <property>
+| qvm-prefs -s [options] <vm-name> <property> [...]
 
-qvm-prefs -l [options] \<vm-name\>
-qvm-prefs -g [options] \<vm-name\> \<property\>
-qvm-prefs -s [options] \<vm-name\> \<property\> [...]
 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
-
--l, --list  
-List properties of a specified VM
-
--g, --get  
-Get a single property of a specified VM
-
--s, --set  
-Set properties of a specified VM
+=======
+-h, --help
+    Show this help message and exit
+-l, --list
+    List properties of a specified VM
+-g, --get
+    Get a single property of a specified VM
+-s, --set
+    Set properties of a specified VM
+--force-root
+    Force to run, even with root privileges
+--offline-mode
+    Offline mode
 
 PROPERTIES
-----------
+==========
 
-include\_in\_backups  
-Accepted values: `True`, `False`
+include_in_backups
+    Accepted values: ``True``, ``False``
 
-Control whenever this VM will be included in backups by default (for now works only in qubes-manager). You can always manually select or deselect any VM for backup.
+    Control whenever this VM will be included in backups by default (for now
+    works only in qubes-manager). You can always manually select or
+    deselect any VM for backup.
 
-pcidevs  
-PCI devices assigned to the VM. Should be edited using qvm-pci tool.
+pcidevs
+    PCI devices assigned to the VM. Should be edited using qvm-pci tool.
 
-pci\_strictreset  
-Accepted values: `True`, `False`
+pci_strictreset
+    Accepted values: ``True``, ``False``
 
-Control whether prevent assigning to VM a device which does not support any reset method. Generally such devices should not be assigned to any VM, because there will be no way to reset device state after VM shutdown, so the device could attack next VM to which it will be assigned. But in some cases it could make sense - for example when the VM to which it is assigned is trusted one, or is running all the time.
+    Control whether prevent assigning to VM a device which does not support any
+    reset method. Generally such devices should not be assigned to any VM,
+    because there will be no way to reset device state after VM shutdown, so
+    the device could attack next VM to which it will be assigned. But in some
+    cases it could make sense - for example when the VM to which it is assigned
+    is trusted one, or is running all the time.
 
-label  
-Accepted values: `red`, `orange`, `yellow`, `green`, `gray`, `blue`, `purple`, `black`
+pci_e820_host
+    Accepted values: ``True``, ``False``
 
-Color of VM label (icon, appmenus, windows border). If VM is running, change will be applied at first VM restart.
+    Give VM with PCI devices a memory map (e820) of the host. This is
+    required for some devices to properly resolve conflicts in address space.
+    This option is enabled by default for VMs with PCI devices and have no
+    effect for VMs without devices.
 
-netvm  
-Accepted values: netvm name, `default`, `none`
+label
+    Accepted values: ``red``, ``orange``, ``yellow``, ``green``, ``gray``,
+    ``blue``, ``purple``, ``black``
 
-To which NetVM connect. Setting to `default` will follow system-global default NetVM (managed by qubes-prefs). Setting to `none` will disable networking in this VM.
+    Color of VM label (icon, appmenus, windows border). If VM is running,
+    change will be applied at first VM restart.
 
-dispvm\_netvm  
-Accepted values: netvm name, `default`, `none`
+netvm
+    Accepted values: netvm name, ``default``, ``none``
 
-Which NetVM should be used for Disposable VMs started by this one. `default` is to use the same NetVM as the VM itself.
+    To which NetVM connect. Setting to ``default`` will follow system-global
+    default NetVM (managed by qubes-prefs). Setting to ``none`` will disable
+    networking in this VM.
 
-maxmem  
-Accepted values: memory size in MB
+dispvm_netvm
+    Accepted values: netvm name, ``default``, ``none``
 
-Maximum memory size available for this VM. Dynamic memory management (aka qmemman) will not be able to balloon over this limit. For VMs with qmemman disabled, this will be overridden by *memory* property (at VM startup).
+    Which NetVM should be used for Disposable VMs started by this one.
+    ``default`` is to use the same NetVM as the VM itself.
 
-memory  
-Accepted values: memory size in MB
+maxmem
+    Accepted values: memory size in MB
 
-Initial memory size for VM. This should be large enough to allow VM startup - before qmemman starts managing memory for this VM. For VM with qmemman disabled, this is static memory size.
+    Maximum memory size available for this VM. Dynamic memory management (aka
+    qmemman) will not be able to balloon over this limit. For VMs with
+    qmemman disabled, this will be overridden by *memory* property (at VM
+    startup).
 
-kernel  
-Accepted values: kernel version, `default`, `none`
+memory
+    Accepted values: memory size in MB
 
-Kernel version to use (only for PV VMs). Available kernel versions will be listed when no value given (there are in /var/lib/qubes/vm-kernels). Setting to `default` will follow system-global default kernel (managed via qubes-prefs). Setting to `none` will use "kernels" subdir in VM directory - this allows having VM-specific kernel; also this the only case when /lib/modules is writable from within VM.
+    Initial memory size for VM. This should be large enough to allow VM startup
+    - before qmemman starts managing memory for this VM. For VM with qmemman
+    disabled, this is static memory size.
 
-template  
-Accepted values: TemplateVM name
+kernel
+    Accepted values: kernel version, ``default``, ``none``
 
-TemplateVM on which VM base. It can be changed only when VM isn't running.
+    Kernel version to use (only for PV VMs). Available kernel versions will be
+    listed when no value given (there are in /var/lib/qubes/vm-kernels).
+    Setting to ``default`` will follow system-global default kernel (managed
+    via qubes-prefs). Setting to ``none`` will use "kernels" subdir in
+    VM directory - this allows having VM-specific kernel; also this the only
+    case when /lib/modules is writable from within VM.
 
-vcpus  
-Accepted values: no of CPUs
+template
+    Accepted values: TemplateVM name
 
-Number of CPU (cores) available to VM. Some VM types (eg DispVM) will not work properly with more than one CPU.
+    TemplateVM on which VM base. It can be changed only when VM isn't running.
 
-kernelopts  
-Accepted values: string, `default`
+vcpus
+    Accepted values: no of CPUs
 
-VM kernel parameters (available only for PV VMs). This can be used to workaround some hardware specific problems (eg for NetVM). Setting to `default` will use some reasonable defaults (currently different for VMs with PCI devices and without). For VM without PCI devices `default` option means inherit this value from the VM template (if any). Some helpful options (for debugging purposes): `earlyprintk=xen`, `init=/bin/bash`
+    Number of CPU (cores) available to VM. Some VM types (eg DispVM) will not
+    work properly with more than one CPU.
 
-name  
-Accepted values: alphanumerical name
+kernelopts
+    Accepted values: string, ``default``
 
-Name of the VM. Can be only changed when VM isn't running.
+    VM kernel parameters (available only for PV VMs). This can be used to
+    workaround some hardware specific problems (eg for NetVM). Setting to
+    ``default`` will use some reasonable defaults (currently different for VMs
+    with PCI devices and without). For VM without PCI devices
+    ``default`` option means inherit this value from the VM template (if any).
+    Some helpful options (for debugging purposes): ``earlyprintk=xen``,
+    ``init=/bin/bash``
 
-drive  
-Accepted values: [hd:|cdrom:][backend-vm:]path
+name
+    Accepted values: alphanumerical name
 
-Additional drive for the VM (available only for HVMs). This can be used to attach installation image. `path` can be file or physical device (eg. /dev/sr0). The same syntax can be used in qvm-start --drive - to attach drive only temporarily.
+    Name of the VM. Can be only changed when VM isn't running.
 
-mac  
-Accepted values: MAC address, `auto`
+drive
+    Accepted values: [hd:\|cdrom:][backend-vm:]path
 
-Can be used to force specific of virtual ethernet card in the VM. Setting to `auto` will use automatic-generated MAC - based on VM id. Especially useful when licensing requires a static MAC address. For template-based HVM `auto` mode means to clone template MAC.
+    Additional drive for the VM (available only for HVMs). This can be used to
+    attach installation image. ``path`` can be file or physical device (eg.
+    /dev/sr0). The same syntax can be used in qvm-start --drive - to
+    attach drive only temporarily.
 
-default\_user  
-Accepted values: username
+mac
+    Accepted values: MAC address, ``auto``
 
-Default user used by qvm-run. Note that it make sense only on non-standard template, as the standard one always have "user" account.
+    Can be used to force specific of virtual ethernet card in the VM. Setting
+    to ``auto`` will use automatic-generated MAC - based on VM id. Especially
+    useful when licensing requires a static MAC address.
+    For template-based HVM ``auto`` mode means to clone template MAC.
 
-debug  
-Accepted values: `on`, `off`
+default_user
+    Accepted values: username
 
-Enables debug mode for VM. This can be used to turn on/off verbose logging in many Qubes components at once (gui virtualization, VM kernel, some other services). For template-based HVM, enabling debug mode also disables automatic reset root.img (actually volatile.img) before each VM startup, so changes made to root filesystem stays intact. To force reset root.img when debug mode enabled, either change something in the template (simple start+stop will do, even touch its root.img is enough), or remove VM's volatile.img (check the path with qvm-prefs).
+    Default user used by qvm-run. Note that it make sense only on non-standard
+    template, as the standard one always have "user" account.
 
-qrexec\_installed  
-Accepted values: `True`, `False`
+debug
+    Accepted values: ``on``, ``off``
 
-This HVM have qrexec agent installed. When VM have qrexec agent installed, one can use qvm-run to start VM process, VM will benefit from Qubes RPC services (like file copy, or inter-vm clipboard). This option will be automatically turned on during Qubes Windows Tools installation, but if you install qrexec agent in some other OS, you need to turn this option on manually.
+    Enables debug mode for VM. This can be used to turn on/off verbose logging
+    in many Qubes components at once (gui virtualization, VM kernel, some other
+    services).
+    For template-based HVM, enabling debug mode also disables automatic reset
+    root.img (actually volatile.img) before each VM startup, so changes made to
+    root filesystem stays intact. To force reset root.img when debug mode
+    enabled, either change something in the template (simple start+stop will
+    do, even touch its root.img is enough), or remove VM's volatile.img
+    (check the path with qvm-prefs).
 
-guiagent\_installed  
-Accepted values: `True`, `False`
+qrexec_installed
+    Accepted values: ``True``, ``False``
 
-This HVM have gui agent installed. This option disables full screen GUI virtualization and enables per-window seemless GUI mode. This option will be automatically turned on during Qubes Windows Tools installation, but if you install Qubes gui agent in some other OS, you need to turn this option on manually. You can turn this option off to troubleshoot some early HVM OS boot problems (enter safe mode etc), but the option will be automatically enabled at first VM normal startup (and will take effect from the next startup).
+    This HVM have qrexec agent installed. When VM have qrexec agent installed,
+    one can use qvm-run to start VM process, VM will benefit from Qubes RPC
+    services (like file copy, or inter-vm clipboard). This option will be
+    automatically turned on during Qubes Windows Tools installation, but if you
+    install qrexec agent in some other OS, you need to turn this option on
+    manually.
 
-*Notice:* when Windows GUI agent is installed in the VM, SVGA device (used to full screen video) is disabled, so even if you disable this option, you will not get functional full desktop access (on normal VM startup). Use some other means for that (VNC, RDP or so).
+guiagent_installed
+    Accepted values: ``True``, ``False``
 
-autostart  
-Accepted values: `True`, `False`
+    This HVM have gui agent installed. This option disables full screen GUI
+    virtualization and enables per-window seemless GUI mode. This option will
+    be automatically turned on during Qubes Windows Tools installation, but if
+    you install Qubes gui agent in some other OS, you need to turn this option
+    on manually. You can turn this option off to troubleshoot some early HVM OS
+    boot problems (enter safe mode etc), but the option will be automatically
+    enabled at first VM normal startup (and will take effect from the next
+    startup).
 
-Start the VM during system startup. The default netvm is autostarted regardless of this setting.
+    *Notice:* when Windows GUI agent is installed in the VM, SVGA device (used
+    to full screen video) is disabled, so even if you disable this
+    option, you will not get functional full desktop access (on normal VM
+    startup). Use some other means for that (VNC, RDP or so).
 
-timezone  
-Accepted values: `localtime`, time offset in seconds
+autostart
+    Accepted values: ``True``, ``False``
 
-Set emulated HVM clock timezone. Use `localtime` (the default) to use the same time as dom0 have. Note that HVM will get only clock value, not the timezone itself, so if you use `localtime` setting, OS inside of HVM should also be configured to treat hardware clock as local time (and have proper timezone set).
+    Start the VM during system startup. The default netvm is autostarted
+    regardless of this setting.
+
+timezone
+    Accepted values: ``localtime``, time offset in seconds
+
+    Set emulated HVM clock timezone. Use ``localtime`` (the default) to use the
+    same time as dom0 have. Note that HVM will get only clock value, not the
+    timezone itself, so if you use ``localtime`` setting, OS inside of HVM
+    should also be configured to treat hardware clock as local time (and have
+    proper timezone set).
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-remove.md b/reference/tools/3.2/dom0/qvm-remove.md
index 412ef8c3..2a8af98f 100644
--- a/reference/tools/3.2/dom0/qvm-remove.md
+++ b/reference/tools/3.2/dom0/qvm-remove.md
@@ -9,40 +9,33 @@ redirect_from:
 - /wiki/Dom0Tools/QvmRemove/
 ---
 
+```
+==========
 qvm-remove
 ==========
 
 NAME
-----
-
+====
 qvm-remove - remove a VM
 
-Date  
-2012-04-11
-
 SYNOPSIS
---------
-
-qvm-remove [options] \<vm-name\>
+========
+| qvm-remove [options] <vm-name>
 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
-
--q, --quiet  
-Be quiet
-
---just-db  
-Remove only from the Qubes Xen DB, do not remove any files
-
---force-root  
-Force to run, even with root privileges
+=======
+-h, --help
+    Show this help message and exit
+-q, --quiet
+    Be quiet   
+--just-db
+    Remove only from qubes.xml; do not remove any files
+--force-root
+    Force to run, even with root privileges
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-revert-template-changes.md b/reference/tools/3.2/dom0/qvm-revert-template-changes.md
index a0f62648..71290c6d 100644
--- a/reference/tools/3.2/dom0/qvm-revert-template-changes.md
+++ b/reference/tools/3.2/dom0/qvm-revert-template-changes.md
@@ -9,34 +9,29 @@ redirect_from:
 - /wiki/Dom0Tools/QvmRevertTemplateChanges/
 ---
 
+```
+===========================
 qvm-revert-template-changes
 ===========================
 
 NAME
-----
-
+====
 qvm-revert-template-changes
 
-Date  
-2012-04-11
-
 SYNOPSIS
---------
-
-qvm-revert-template-changes [options] \<template-name\>
+========
+| qvm-revert-template-changes [options] <template-name>
 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
-
---force  
-Do not prompt for confirmation
+=======
+-h, --help
+    Show this help message and exit
+--force
+    Do not prompt for confirmation
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-run.md b/reference/tools/3.2/dom0/qvm-run.md
index 30eb537f..2338ca2b 100644
--- a/reference/tools/3.2/dom0/qvm-run.md
+++ b/reference/tools/3.2/dom0/qvm-run.md
@@ -9,70 +9,67 @@ redirect_from:
 - /wiki/Dom0Tools/QvmRun/
 ---
 
+```
+=======
 qvm-run
 =======
 
 NAME
-----
-
+====
 qvm-run - run a command on a specified VM
 
-Date  
-2012-04-11
-
 SYNOPSIS
---------
-
-qvm-run [options] [\<vm-name\>] [\<cmd\>]
+========
+| qvm-run [options] [<vm-name>] [<cmd>]
 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
-
--q, --quiet  
-Be quiet
-
--a, --auto  
-Auto start the VM if not running
-
--u USER, --user=USER  
-Run command in a VM as a specified user
-
---tray  
-Use tray notifications instead of stdout
-
---all  
-Run command on all currently running VMs (or all paused, in the case of --unpause)
-
---exclude=EXCLUDE\_LIST  
-When --all is used: exclude this VM name (might be repeated)
-
---wait  
-Wait for the VM(s) to shutdown
-
---shutdown  
-(deprecated) Do 'xl shutdown' for the VM(s) (can be combined this with --all and --wait)
-
---pause  
-Do 'xl pause' for the VM(s) (can be combined this with --all and --wait)
-
---unpause  
-Do 'xl unpause' for the VM(s) (can be combined this with --all and --wait)
-
--p, --pass-io  
-Pass stdin/stdout/stderr from remote program
-
---localcmd=LOCALCMD  
-With --pass-io, pass stdin/stdout/stderr to the given program
-
---force  
-Force operation, even if may damage other VMs (eg. shutdown of NetVM)
+=======
+-h, --help
+    Show this help message and exit
+-q, --quiet
+    Be quiet           
+-a, --auto
+    Auto start the VM if not running
+-u USER, --user=USER
+    Run command in a VM as a specified user
+--tray
+    Use tray notifications instead of stdout
+--all
+    Run command on all currently running VMs (or all paused, in case of --unpause)
+--exclude=EXCLUDE_LIST
+    When --all is used: exclude this VM name (might be repeated)
+--wait
+    Wait for the VM(s) to shutdown
+--shutdown
+    (deprecated) Do 'xl shutdown' for the VM(s) (can be combined this with --all and --wait)
+--pause
+    Do 'xl pause' for the VM(s) (can be combined this with --all and --wait)
+--unpause
+    Do 'xl unpause' for the VM(s) (can be combined this with --all and --wait)
+-p, --pass-io
+    Pass stdin/stdout/stderr from remote program
+--localcmd=LOCALCMD
+    With --pass-io, pass stdin/stdout/stderr to the given program
+--nogui
+    Run command without gui
+--filter-escape-chars
+    Filter terminal escape sequences (default if output is terminal)
+--no-filter-escape-chars
+    Do not filter terminal escape sequences - overrides --filter-escape-chars, DANGEROUS when output is terminal
+--no-color-output
+    Disable marking VM output with red color
+--no-color-stderr
+    Disable marking VM stderr with red color
+--color-output
+    Force marking VM output with given ANSI style (use 31 for red)
+--color-stderr
+    Force marking VM stderr with given ANSI style (use 31 for red)
+--force
+    Force operation, even if may damage other VMs (eg. shutdown of NetVM)
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-service.md b/reference/tools/3.2/dom0/qvm-service.md
index 1d5b8192..f8d22900 100644
--- a/reference/tools/3.2/dom0/qvm-service.md
+++ b/reference/tools/3.2/dom0/qvm-service.md
@@ -9,129 +9,138 @@ redirect_from:
 - /wiki/Dom0Tools/QvmService/
 ---
 
+```
+===========
 qvm-service
 ===========
 
 NAME
-----
-
+====
 qvm-service - manage (Qubes-specific) services started in VM
 
-Date  
-2012-05-30
-
 SYNOPSIS
---------
-
-qvm-service [-l] \<vmname\>
-qvm-service [-e|-d|-D] \<vmname\> \<service\>
+========
+| qvm-service [-l] <vmname>
+| qvm-service [-e|-d|-D] <vmname> <service>
 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
-
--l, --list  
-List services (default action)
-
--e, --enable  
-Enable service
-
--d, --disable  
-Disable service
-
--D, --default  
-Reset service to its default state (remove from the list). Default state means "lets VM choose" and can depend on VM type (NetVM, AppVM etc).
+=======
+-h, --help
+    Show this help message and exit
+-l, --list
+    List services (default action)
+-e, --enable
+    Enable service
+-d, --disable
+    Disable service
+-D, --default
+    Reset service to its default state (remove from the list). Default state
+    means "lets VM choose" and can depend on VM type (NetVM, AppVM etc).
 
 SUPPORTED SERVICES
-------------------
+==================
 
 This list can be incomplete as VM can implement any additional service without knowledge of qubes-core code.
 
-meminfo-writer  
-Default: enabled everywhere excluding NetVM
+meminfo-writer
+    Default: enabled everywhere excluding NetVM
 
-This service reports VM memory usage to dom0, which effectively enables dynamic memory management for the VM.
+    This service reports VM memory usage to dom0, which effectively enables dynamic memory management for the VM.
 
-*Note:* this service is enforced to be set by dom0 code. If you try to remove it (reset to default state), will be recreated with the rule: enabled if VM have no PCI devices assigned, otherwise disabled.
+    *Note:* this service is enforced to be set by dom0 code. If you try to
+    remove it (reset to default state), will be recreated with the rule: enabled
+    if VM have no PCI devices assigned, otherwise disabled.
 
-qubes-dvm  
-Default: disabled
+qubes-dvm
+    Default: disabled
 
-Used internally when creating DispVM savefile.
+    Used internally when creating DispVM savefile.
 
-qubes-firewall  
-Default: enabled only in ProxyVM
+qubes-firewall
+    Default: enabled only in ProxyVM
 
-Dynamic firewall manager, based on settings in dom0 (qvm-firewall, firewall tab in qubes-manager). This service is not supported in netvms.
+    Dynamic firewall manager, based on settings in dom0 (qvm-firewall, firewall tab in qubes-manager).
+    This service is not supported in netvms.
+    
+qubes-network
+    Default: enabled only in NetVM and ProxyVM
 
-qubes-network  
-Default: enabled only in NetVM and ProxyVM
+    Expose network for other VMs. This includes enabling network forwarding, MASQUERADE, DNS redirection and basic firewall.
 
-Expose network for other VMs. This includes enabling network forwarding, MASQUERADE, DNS redirection and basic firewall.
+qubes-netwatcher
+    Default: enabled only in ProxyVM
 
-qubes-netwatcher  
-Default: enabled only in ProxyVM
+    Monitor IP change notification from NetVM. When received, reload qubes-firewall service (to force DNS resolution).
+    This service makes sense only with qubes-firewall enabled.
 
-Monitor IP change notification from NetVM. When received, reload qubes-firewall service (to force DNS resolution). This service makes sense only with qubes-firewall enabled.
+qubes-update-check
+    Default: enabled
 
-qubes-update-check  
-Default: enabled
+    Notify dom0 about updates available for this VM. This is shown in qubes-manager as 'update-pending' flag.
 
-Notify dom0 about updates available for this VM. This is shown in qubes-manager as 'update-pending' flag.
+cups
+    Default: enabled only in AppVM
 
-cups  
-Default: enabled only in AppVM
+    Enable CUPS service. The user can disable cups in VM which do not need printing to speed up booting.
 
-Enable CUPS service. The user can disable cups in VM which do not need printing to speed up booting.
+crond
+    Default: disabled
 
-crond  
-Default: disabled
+    Enable CRON service.
 
-Enable CRON service.  To have cron jobs persist across reboots, /var/spool/cron is bind-mounted from /rw/bind-dirs. To override this see [Bind-Dir Instructions](/doc/bind-dirs/) )
+network-manager
+    Default: enabled in NetVM
 
-network-manager  
-Default: enabled in NetVM
+    Enable NetworkManager. Only VM with direct access to network device needs
+    this service, but can be useful in ProxyVM to ease VPN setup.
 
-Enable NetworkManager. Only VM with direct access to network device needs this service, but can be useful in ProxyVM to ease VPN setup.
+ntpd
+    Default: disabled
 
-ntpd  
-Default: disabled
+    Enable NTPD service. By default Qubes calls ntpdate every 6 minutes in
+    selected VM (aka ClockVM), then propagate the result using qrexec calls.
+    Enabling ntpd *do not* disable this behaviour.
 
-Enable NTPD service. By default Qubes calls ntpdate every 6 minutes in selected VM (aka ClockVM), then propagate the result using qrexec calls. Enabling ntpd *do not* disable this behaviour.
+qubes-yum-proxy
+    Deprecated name for qubes-updates-proxy.
 
-qubes-yum-proxy  
-Deprecated name for qubes-updates-proxy.
+qubes-updates-proxy
+    Default: enabled in NetVM
 
-qubes-updates-proxy  
-Default: enabled in NetVM
+    Provide proxy service, which allow access only to yum repos. Filtering is
+    done based on URLs, so it shouldn't be used as leak control (pretty easy to
+    bypass), but is enough to prevent some erroneous user actions.
 
-Provide proxy service, which allow access only to yum repos. Filtering is done based on URLs, so it shouldn't be used as leak control (pretty easy to bypass), but is enough to prevent some erroneous user actions.
+yum-proxy-setup
+    Deprecated name for updates-proxy-setup.
 
-yum-proxy-setup  
-Deprecated name for updates-proxy-setup.
+updates-proxy-setup
+    Default: enabled in AppVM (also in templates)
 
-updates-proxy-setup  
-Default: enabled in AppVM (also in templates)
+    Setup yum at startup to use qubes-yum-proxy service.
 
-Setup yum at startup to use qubes-yum-proxy service.
+    *Note:* this service is automatically enabled when you allow VM to access
+    yum proxy (in firewall settings) and disabled when you deny access to yum
+    proxy.
 
-*Note:* this service is automatically enabled when you allow VM to access yum proxy (in firewall settings) and disabled when you deny access to yum proxy.
+disable-default-route
+    Default: disabled
 
-disable-default-route  
-Default: disabled
+    Disables the default route for networking.  Enabling  this  service
+    will  prevent the creation of the default route, but the VM will
+    still be able to reach it's direct neighbors.  The functionality
+    is implemented in /usr/lib/qubes/setup-ip.
 
-Disables the default route for networking. Enabling this service will prevent the creation of the default route, but the VM will still be able to reach it's direct neighbors. The functionality is implemented in /usr/lib/qubes/setup-ip.
+disable-dns-server
+    Default: disabled
 
-disable-dns-server  
-Default: disabled
+    Enabling this service will result in an empty /etc/resolv.conf.
+    The functionality is implemented in /usr/lib/qubes/setup-ip.
 
-Enabling this service will result in an empty /etc/resolv.conf. The functionality is implemented in /usr/lib/qubes/setup-ip.
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-shutdown.md b/reference/tools/3.2/dom0/qvm-shutdown.md
index d6769487..f975bea9 100644
--- a/reference/tools/3.2/dom0/qvm-shutdown.md
+++ b/reference/tools/3.2/dom0/qvm-shutdown.md
@@ -9,46 +9,39 @@ redirect_from:
 - /wiki/Dom0Tools/QvmShutdown/
 ---
 
+```
+============
 qvm-shutdown
 ============
 
 NAME
-----
-
+====
 qvm-shutdown
 
-Date  
-2012-04-11
-
 SYNOPSIS
---------
-
-qvm-shutdown [options] \<vm-name\>
+========
+| qvm-shutdown [options] <vm-name> [vm-name ...]
 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
-
--q, --quiet  
-Be quiet
-
---force  
-Force operation, even if may damage other VMs (eg. shutdown of NetVM)
-
---wait  
-Wait for the VM(s) to shutdown
-
---all  
-Shutdown all running VMs
-
---exclude=EXCLUDE\_LIST  
-When --all is used: exclude this VM name (might be repeated)
+=======
+-h, --help
+    Show this help message and exit
+-q, --quiet
+    Be quiet           
+--force
+    Force operation, even if may damage other VMs (eg. shutdown of NetVM)
+--wait
+    Wait for the VM(s) to shutdown
+--wait-time
+    Timeout after which VM will be killed when --wait is used
+--all
+    Shutdown all running VMs
+--exclude=EXCLUDE_LIST
+    When --all is used: exclude this VM name (might be repeated)
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-start.md b/reference/tools/3.2/dom0/qvm-start.md
index fc3cbfb5..ebdddbe5 100644
--- a/reference/tools/3.2/dom0/qvm-start.md
+++ b/reference/tools/3.2/dom0/qvm-start.md
@@ -9,46 +9,49 @@ redirect_from:
 - /wiki/Dom0Tools/QvmStart/
 ---
 
+```
+=========
 qvm-start
 =========
 
 NAME
-----
-
+====
 qvm-start - start a specified VM
 
-Date  
-2012-04-11
-
 SYNOPSIS
---------
-
-qvm-start [options] \<vm-name\>
+========
+| qvm-start [options] <vm-name>
 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
-
--q, --quiet  
-Be quiet
-
---no-guid  
-Do not start the GUId (ignored)
-
---console  
-Attach debugging console to the newly started VM
-
---dvm  
-Do actions necessary when preparing DVM image
-
---custom-config=CUSTOM\_CONFIG  
-Use custom Xen config instead of Qubes-generated one
+=======
+-h, --help
+    Show this help message and exit
+-q, --quiet
+    Be quiet           
+--tray
+    Use tray notifications instead of stdout
+--no-guid
+    Do not start the GUId (ignored)
+--drive
+    Temporarily attach specified drive as CD/DVD or hard disk (can be specified with prefix 'hd' or 'cdrom:', default is cdrom)
+--hddisk
+    Temporarily attach specified drive as hard disk
+--cdrom
+    Temporarily attach specified drive as CD/DVD
+--install-windows-tools
+    Attach Windows tools CDROM to the VM
+--dvm
+    Do actions necessary when preparing DVM image
+--custom-config=CUSTOM_CONFIG
+    Use custom Xen config instead of Qubes-generated one
+--skip-if-running
+    Do no fail if the VM is already running
+--debug
+    Enable debug mode for this VM (until its shutdown)
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-template-commit.md b/reference/tools/3.2/dom0/qvm-template-commit.md
index 12d4b19c..a676907e 100644
--- a/reference/tools/3.2/dom0/qvm-template-commit.md
+++ b/reference/tools/3.2/dom0/qvm-template-commit.md
@@ -9,31 +9,29 @@ redirect_from:
 - /wiki/Dom0Tools/QvmTemplateCommit/
 ---
 
+```
+===================
 qvm-template-commit
 ===================
 
 NAME
-----
-
+====
 qvm-template-commit
 
-Date  
-2012-04-11
-
 SYNOPSIS
---------
-
-qvm-template-commit [options] \<vm-name\>
+========
+| qvm-template-commit [options] <vm-name>
 
 OPTIONS
--------
-
--h, --help  
-Show this help message and exit
+=======
+-h, --help
+    Show this help message and exit
+--offline-mode
+    Offline mode
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/dom0/qvm-usb.md b/reference/tools/3.2/dom0/qvm-usb.md
new file mode 100644
index 00000000..d34bd07c
--- /dev/null
+++ b/reference/tools/3.2/dom0/qvm-usb.md
@@ -0,0 +1,45 @@
+---
+layout: doc
+title: qvm-usb
+permalink: /doc/tools/3.2/dom0/qvm-usb/
+redirect_from:
+- /doc/dom0-tools/qvm-usb/
+- /en/doc/dom0-tools/qvm-usb/
+---
+
+```
+=======
+qvm-usb
+=======
+
+NAME
+====
+qvm-usb - List/set VM USB devices
+
+SYNOPSIS
+========
+| qvm-usb -l [options]
+| qvm-usb -a [options] <vm-name> <device-vm-name>:<device>
+| qvm-usb -d [options] <device-vm-name>:<device>
+
+OPTIONS
+=======
+-h, --help
+    Show this help message and exit
+-l, -list
+    List devices
+-a, --attach
+    Attach specified device to specified VM
+-d, --detach
+    Detach specified device
+--no-auto-detach
+    Fail when device already connected to other VM
+--force-root
+    Force to run, even with root privileges
+
+AUTHORS
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/domU.md b/reference/tools/3.2/domU.md
index 71ae0db8..9912f0ca 100644
--- a/reference/tools/3.2/domU.md
+++ b/reference/tools/3.2/domU.md
@@ -12,6 +12,7 @@ redirect_from:
 DomU Command-Line Tools for Qubes 3.2
 =====================================
 
+ * [qrexec-client-vm](/doc/tools/3.2/domU/qrexec-client-vm/)
  * [qvm-copy-to-vm](/doc/tools/3.2/domU/qvm-copy-to-vm/)
  * [qvm-open-in-dvm](/doc/tools/3.2/domU/qvm-open-in-dvm/)
  * [qvm-open-in-vm](/doc/tools/3.2/domU/qvm-open-in-vm/)
diff --git a/reference/tools/3.2/domU/qrexec-client-vm.md b/reference/tools/3.2/domU/qrexec-client-vm.md
new file mode 100644
index 00000000..701e6ba3
--- /dev/null
+++ b/reference/tools/3.2/domU/qrexec-client-vm.md
@@ -0,0 +1,86 @@
+---
+layout: doc
+title: qrexec-client-vm
+permalink: /doc/tools/3.2/domU/qrexec-client-vm/
+redirect_from:
+- /doc/domU-tools/qrexec-client-vm/
+- /en/doc/domU-tools/qrexec-client-vm/
+---
+
+```
+================
+qrexec-client-vm
+================
+
+NAME
+====
+qrexec-client-vm - call Qubes RPC service
+
+SYNOPSIS
+========
+| qrexec-client-vm *target_vmname* *service* [*local_program* [*local program arguments*]]
+
+DESCRIPTION
+===========
+
+Call Qubes RPC (aka qrexec) service to a different VM. The service call request
+is sent to dom0, where Qubes RPC policy is evaluated and when it allows the
+call, it is forwarded to appropriate target VM (which may be different than
+requested, if policy says so). Local program (if given) is started only
+when service call is allowed by the policy.
+
+Remote service can communicate with the caller (``qrexec-client-vm``) using
+stdin/stdout.  When *local_program* is given, its stdin/stdout is connected to
+service stdin/stdout (stderr is not redirected), otherwise - service
+stdin/stdout is connected to those of ``qrexec-client-vm``.
+
+OPTIONS
+=======
+
+*target_vmname*
+
+    Name of target VM to which service is requested. Qubes RPC policy may
+    ignore this value and redirect call somewhere else.
+
+    This argument, can contain VM name, or one of special values:
+
+    * ``$dispvm`` - new Disposable VM
+
+    This field is limited to 31 characters (alphanumeric, plus ``-_.$``).
+
+*service*
+
+    Requested service. Besides service name, it can contain a service argument
+    after ``+`` character. For example ``some.service+argument``.
+
+    This field is limited to 63 characters (alphanumeric, plus ``-_.$+``).
+
+*local_program*
+
+    Full path to local program to be connected with remote service. Optional.
+
+*local program arguments*
+
+    Arguments to *local_program*. Optional.
+
+EXIT STATUS
+===========
+
+If service call is allowed by dom0 and ``qrexec-client-vm`` is started without
+*local_program* argument, it reports remote service exit code.
+
+If service call is allowed by dom0 and ``qrexec-client-vm`` is started with
+*local_program* argument, it reports the local program exit code. There is no
+way to learn exit code of remote service in this case.
+
+In both cases, if process (local or remote) was terminated by a signal, exit
+status is 128+signal number.
+
+If service call is denied by dom0, ``qrexec-client-vm`` exit with status 126.
+
+AUTHORS
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski-Górecki <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/domU/qvm-copy-to-vm.md b/reference/tools/3.2/domU/qvm-copy-to-vm.md
index 2f720aa6..06a6cef0 100644
--- a/reference/tools/3.2/domU/qvm-copy-to-vm.md
+++ b/reference/tools/3.2/domU/qvm-copy-to-vm.md
@@ -9,31 +9,27 @@ redirect_from:
 - /wiki/VmTools/QvmCopyToVm/
 ---
 
+```
+==============
 qvm-copy-to-vm
 ==============
 
 NAME
-----
-
+====
 qvm-copy-to-vm - copy specified files to specified destination VM
 
-Date  
-2012-05-30
-
 SYNOPSIS
---------
-
-qvm-copy-to-vm [--without-progress] dest\_vmname file [file]+
+========
+| qvm-copy-to-vm [--without-progress] dest_vmname file [file]+
 
 OPTIONS
--------
-
---without-progress  
-Don't display progress info
+=======
+--without-progress
+    Don't display progress info
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/domU/qvm-open-in-dvm.md b/reference/tools/3.2/domU/qvm-open-in-dvm.md
index 53bd4cef..0968bccb 100644
--- a/reference/tools/3.2/domU/qvm-open-in-dvm.md
+++ b/reference/tools/3.2/domU/qvm-open-in-dvm.md
@@ -9,28 +9,25 @@ redirect_from:
 - /wiki/VmTools/QvmOpenInDvm/
 ---
 
+```
+===============
 qvm-open-in-dvm
 ===============
 
 NAME
-----
-
+====
 qvm-open-in-dvm - open a specified file in disposable VM
 
-Date  
-2012-05-30
-
 SYNOPSIS
---------
-
-qvm-open-in-dvm filename
+========
+| qvm-open-in-dvm filename
 
 OPTIONS
--------
+=======
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/domU/qvm-open-in-vm.md b/reference/tools/3.2/domU/qvm-open-in-vm.md
index 80fa4a57..27f85fd2 100644
--- a/reference/tools/3.2/domU/qvm-open-in-vm.md
+++ b/reference/tools/3.2/domU/qvm-open-in-vm.md
@@ -9,28 +9,25 @@ redirect_from:
 - /wiki/VmTools/QvmOpenInVm/
 ---
 
+```
+==============
 qvm-open-in-vm
 ==============
 
 NAME
-----
-
+====
 qvm-open-in-vm - open a specified file in other VM
 
-Date  
-2012-05-30
-
 SYNOPSIS
---------
-
-qvm-open-in-vm vmname filename
+========
+| qvm-open-in-vm vmname filename
 
 OPTIONS
--------
+=======
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```
diff --git a/reference/tools/3.2/domU/qvm-run.md b/reference/tools/3.2/domU/qvm-run.md
index 7ef27ea3..894ef789 100644
--- a/reference/tools/3.2/domU/qvm-run.md
+++ b/reference/tools/3.2/domU/qvm-run.md
@@ -9,31 +9,27 @@ redirect_from:
 - /wiki/VmTools/QvmRun/
 ---
 
+```
+=======
 qvm-run
 =======
 
 NAME
-----
-
+====
 qvm-run - run a specified command in a specified VM
 
-Date  
-2012-05-30
-
 SYNOPSIS
---------
-
-qvm-run vmname command [arguments]
+========
+| qvm-run vmname command [aguments]
 
 OPTIONS
--------
-
---dispvm  
-Pass this option instead of vmname to start new DisposableVM
+=======
+--dispvm
+    Pass this option instead of vmname to start new DisposableVM
 
 AUTHORS
--------
-
-Joanna Rutkowska \<joanna at invisiblethingslab dot com\>
-Rafal Wojtczuk \<rafal at invisiblethingslab dot com\>
-Marek Marczykowski \<marmarek at invisiblethingslab dot com\>
+=======
+| Joanna Rutkowska <joanna at invisiblethingslab dot com>
+| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
+| Marek Marczykowski <marmarek at invisiblethingslab dot com>
+```

From 0fb310cc88ebfc5117e1e7b108092aeff08aefc6 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Sun, 11 Feb 2018 23:37:47 -0600
Subject: [PATCH 066/103] Add notes below man pages explaining how to edit them

---
 reference/tools/3.2/dom0/qubes-prefs.md            | 14 ++++++++++++++
 reference/tools/3.2/dom0/qubes_guid.md             | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-add-appvm.md          | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-add-template.md       | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-backup-restore.md     | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-backup.md             | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-block.md              | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-check.md              | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-clone.md              | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-create-default-dvm.md | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-create.md             | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-firewall.md           | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-grow-private.md       | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-grow-root.md          | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-kill.md               | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-ls.md                 | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-pci.md                | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-prefs.md              | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-remove.md             | 14 ++++++++++++++
 .../tools/3.2/dom0/qvm-revert-template-changes.md  | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-run.md                | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-service.md            | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-shutdown.md           | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-start.md              | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-template-commit.md    | 14 ++++++++++++++
 reference/tools/3.2/dom0/qvm-usb.md                | 14 ++++++++++++++
 reference/tools/3.2/domU/qrexec-client-vm.md       | 14 ++++++++++++++
 reference/tools/3.2/domU/qvm-copy-to-vm.md         | 14 ++++++++++++++
 reference/tools/3.2/domU/qvm-open-in-dvm.md        | 14 ++++++++++++++
 reference/tools/3.2/domU/qvm-open-in-vm.md         | 14 ++++++++++++++
 reference/tools/3.2/domU/qvm-run.md                | 14 ++++++++++++++
 31 files changed, 434 insertions(+)

diff --git a/reference/tools/3.2/dom0/qubes-prefs.md b/reference/tools/3.2/dom0/qubes-prefs.md
index caeed73b..9ead062c 100644
--- a/reference/tools/3.2/dom0/qubes-prefs.md
+++ b/reference/tools/3.2/dom0/qubes-prefs.md
@@ -35,3 +35,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qubes-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qubes-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qubes_guid.md b/reference/tools/3.2/dom0/qubes_guid.md
index 0b42e0f6..fef29770 100644
--- a/reference/tools/3.2/dom0/qubes_guid.md
+++ b/reference/tools/3.2/dom0/qubes_guid.md
@@ -39,3 +39,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qubes-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qubes-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-add-appvm.md b/reference/tools/3.2/dom0/qvm-add-appvm.md
index bd514b85..5eaf6169 100644
--- a/reference/tools/3.2/dom0/qvm-add-appvm.md
+++ b/reference/tools/3.2/dom0/qvm-add-appvm.md
@@ -41,3 +41,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-add-template.md b/reference/tools/3.2/dom0/qvm-add-template.md
index 99c08fb3..c6369498 100644
--- a/reference/tools/3.2/dom0/qvm-add-template.md
+++ b/reference/tools/3.2/dom0/qvm-add-template.md
@@ -39,3 +39,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-backup-restore.md b/reference/tools/3.2/dom0/qvm-backup-restore.md
index 71b6a5b8..7cc1c732 100644
--- a/reference/tools/3.2/dom0/qvm-backup-restore.md
+++ b/reference/tools/3.2/dom0/qvm-backup-restore.md
@@ -72,3 +72,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-backup.md b/reference/tools/3.2/dom0/qvm-backup.md
index 223d1b02..32ef0a4a 100644
--- a/reference/tools/3.2/dom0/qvm-backup.md
+++ b/reference/tools/3.2/dom0/qvm-backup.md
@@ -57,3 +57,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-block.md b/reference/tools/3.2/dom0/qvm-block.md
index be6f9a8c..1e6ddf55 100644
--- a/reference/tools/3.2/dom0/qvm-block.md
+++ b/reference/tools/3.2/dom0/qvm-block.md
@@ -56,3 +56,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-check.md b/reference/tools/3.2/dom0/qvm-check.md
index a20997a5..e4e5973d 100644
--- a/reference/tools/3.2/dom0/qvm-check.md
+++ b/reference/tools/3.2/dom0/qvm-check.md
@@ -39,3 +39,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-clone.md b/reference/tools/3.2/dom0/qvm-clone.md
index 503b1454..563ff86c 100644
--- a/reference/tools/3.2/dom0/qvm-clone.md
+++ b/reference/tools/3.2/dom0/qvm-clone.md
@@ -42,3 +42,17 @@ AUTHORS
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-create-default-dvm.md b/reference/tools/3.2/dom0/qvm-create-default-dvm.md
index 67341ea6..899af3aa 100644
--- a/reference/tools/3.2/dom0/qvm-create-default-dvm.md
+++ b/reference/tools/3.2/dom0/qvm-create-default-dvm.md
@@ -46,3 +46,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-create.md b/reference/tools/3.2/dom0/qvm-create.md
index 7a1a0612..dc5645a6 100644
--- a/reference/tools/3.2/dom0/qvm-create.md
+++ b/reference/tools/3.2/dom0/qvm-create.md
@@ -64,3 +64,17 @@ AUTHORS
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-firewall.md b/reference/tools/3.2/dom0/qvm-firewall.md
index 1adccb2d..7464ef28 100644
--- a/reference/tools/3.2/dom0/qvm-firewall.md
+++ b/reference/tools/3.2/dom0/qvm-firewall.md
@@ -59,3 +59,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-grow-private.md b/reference/tools/3.2/dom0/qvm-grow-private.md
index b5c5e6b5..7f58cd58 100644
--- a/reference/tools/3.2/dom0/qvm-grow-private.md
+++ b/reference/tools/3.2/dom0/qvm-grow-private.md
@@ -33,3 +33,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-grow-root.md b/reference/tools/3.2/dom0/qvm-grow-root.md
index e6cc0ff0..db402e11 100644
--- a/reference/tools/3.2/dom0/qvm-grow-root.md
+++ b/reference/tools/3.2/dom0/qvm-grow-root.md
@@ -33,3 +33,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-kill.md b/reference/tools/3.2/dom0/qvm-kill.md
index 9d0b14f7..e4ef83d4 100644
--- a/reference/tools/3.2/dom0/qvm-kill.md
+++ b/reference/tools/3.2/dom0/qvm-kill.md
@@ -34,3 +34,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-ls.md b/reference/tools/3.2/dom0/qvm-ls.md
index 90d6f29a..240f9bf9 100644
--- a/reference/tools/3.2/dom0/qvm-ls.md
+++ b/reference/tools/3.2/dom0/qvm-ls.md
@@ -53,3 +53,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-pci.md b/reference/tools/3.2/dom0/qvm-pci.md
index 15dc5425..a5961add 100644
--- a/reference/tools/3.2/dom0/qvm-pci.md
+++ b/reference/tools/3.2/dom0/qvm-pci.md
@@ -47,3 +47,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-prefs.md b/reference/tools/3.2/dom0/qvm-prefs.md
index 70f20338..d4ec1054 100644
--- a/reference/tools/3.2/dom0/qvm-prefs.md
+++ b/reference/tools/3.2/dom0/qvm-prefs.md
@@ -226,3 +226,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-remove.md b/reference/tools/3.2/dom0/qvm-remove.md
index 2a8af98f..dd5ba742 100644
--- a/reference/tools/3.2/dom0/qvm-remove.md
+++ b/reference/tools/3.2/dom0/qvm-remove.md
@@ -39,3 +39,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-revert-template-changes.md b/reference/tools/3.2/dom0/qvm-revert-template-changes.md
index 71290c6d..ea2d7c92 100644
--- a/reference/tools/3.2/dom0/qvm-revert-template-changes.md
+++ b/reference/tools/3.2/dom0/qvm-revert-template-changes.md
@@ -35,3 +35,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-run.md b/reference/tools/3.2/dom0/qvm-run.md
index 2338ca2b..5fbc0522 100644
--- a/reference/tools/3.2/dom0/qvm-run.md
+++ b/reference/tools/3.2/dom0/qvm-run.md
@@ -73,3 +73,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-service.md b/reference/tools/3.2/dom0/qvm-service.md
index f8d22900..9c0495c4 100644
--- a/reference/tools/3.2/dom0/qvm-service.md
+++ b/reference/tools/3.2/dom0/qvm-service.md
@@ -144,3 +144,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-shutdown.md b/reference/tools/3.2/dom0/qvm-shutdown.md
index f975bea9..b668d45b 100644
--- a/reference/tools/3.2/dom0/qvm-shutdown.md
+++ b/reference/tools/3.2/dom0/qvm-shutdown.md
@@ -45,3 +45,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-start.md b/reference/tools/3.2/dom0/qvm-start.md
index ebdddbe5..1b46e1fb 100644
--- a/reference/tools/3.2/dom0/qvm-start.md
+++ b/reference/tools/3.2/dom0/qvm-start.md
@@ -55,3 +55,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-template-commit.md b/reference/tools/3.2/dom0/qvm-template-commit.md
index a676907e..392c64d8 100644
--- a/reference/tools/3.2/dom0/qvm-template-commit.md
+++ b/reference/tools/3.2/dom0/qvm-template-commit.md
@@ -35,3 +35,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/dom0/qvm-usb.md b/reference/tools/3.2/dom0/qvm-usb.md
index d34bd07c..57e7c74a 100644
--- a/reference/tools/3.2/dom0/qvm-usb.md
+++ b/reference/tools/3.2/dom0/qvm-usb.md
@@ -43,3 +43,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-admin/doc/qvm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-admin/doc/qvm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/domU/qrexec-client-vm.md b/reference/tools/3.2/domU/qrexec-client-vm.md
index 701e6ba3..3e58845d 100644
--- a/reference/tools/3.2/domU/qrexec-client-vm.md
+++ b/reference/tools/3.2/domU/qrexec-client-vm.md
@@ -84,3 +84,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski-Górecki <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-agent-linux/doc/vm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-agent-linux/doc/vm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/domU/qvm-copy-to-vm.md b/reference/tools/3.2/domU/qvm-copy-to-vm.md
index 06a6cef0..9c00666f 100644
--- a/reference/tools/3.2/domU/qvm-copy-to-vm.md
+++ b/reference/tools/3.2/domU/qvm-copy-to-vm.md
@@ -33,3 +33,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-agent-linux/doc/vm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-agent-linux/doc/vm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/domU/qvm-open-in-dvm.md b/reference/tools/3.2/domU/qvm-open-in-dvm.md
index 0968bccb..ff33c841 100644
--- a/reference/tools/3.2/domU/qvm-open-in-dvm.md
+++ b/reference/tools/3.2/domU/qvm-open-in-dvm.md
@@ -31,3 +31,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-agent-linux/doc/vm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-agent-linux/doc/vm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/domU/qvm-open-in-vm.md b/reference/tools/3.2/domU/qvm-open-in-vm.md
index 27f85fd2..52718dfe 100644
--- a/reference/tools/3.2/domU/qvm-open-in-vm.md
+++ b/reference/tools/3.2/domU/qvm-open-in-vm.md
@@ -31,3 +31,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-agent-linux/doc/vm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-agent-linux/doc/vm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+
diff --git a/reference/tools/3.2/domU/qvm-run.md b/reference/tools/3.2/domU/qvm-run.md
index 894ef789..837db63a 100644
--- a/reference/tools/3.2/domU/qvm-run.md
+++ b/reference/tools/3.2/domU/qvm-run.md
@@ -33,3 +33,17 @@ AUTHORS
 | Rafal Wojtczuk <rafal at invisiblethingslab dot com>
 | Marek Marczykowski <marmarek at invisiblethingslab dot com>
 ```
+
+-----
+
+**Note:** The Markdown source of this page in [`qubes-doc`] was generated by
+running the [`update-manpages`] script on `qubes-core-agent-linux/doc/vm-tools/`.
+If you wish to update the contents of this page as it appears on the Qubes OS
+website, please submit a pull request to change the appropriate file in
+`qubes-core-agent-linux/doc/vm-tools/`. Do not attempt to change the Markdown source
+of this page in [`qubes-doc`] directly. All direct changes to the Markdown file will be
+overwritten the next time this page is regenerated.
+
+[`qubes-doc`]: https://github.com/QubesOS/qubes-doc/
+[`update-manpages`]: https://github.com/QubesOS/qubesos.github.io/blob/master/_utils/update-manpages
+

From 31065b1daa024b1e2617b0fc83b70090637d9b4c Mon Sep 17 00:00:00 2001
From: Alex Dubois <bowabos@gmail.com>
Date: Mon, 12 Feb 2018 05:52:03 +0000
Subject: [PATCH 067/103] Dom0 should be prepended with --cdrom option

---
 managing-os/hvm.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/managing-os/hvm.md b/managing-os/hvm.md
index 66d207db..32971ea0 100644
--- a/managing-os/hvm.md
+++ b/managing-os/hvm.md
@@ -37,7 +37,7 @@ qvm-create win7 --hvm --label green
 
 The name of the domain ("win7") as well as its label ("green") are just exemplary of course.
 
-**Note:** To create a StandaloneVM in Qubes 4, use the --class option, as VMs are template-based by default
+**Note:** To create a StandaloneVM in Qubes R4, use the --class option, as VMs are template-based by default
 
 ~~~
 qvm-create win7 --class StandaloneVM --property virt_mode=hvm --property kernel="" --property memory=4096 --property maxmem=4096 --property debug=True --label green
@@ -53,12 +53,12 @@ libvirt.libvirtError: invalid argument: could not find capabilities for arch=x86
 Now we need to install an OS inside this VM.  This can be done by attaching an installation ISO to and starting the VM (this can currently only be done from command line, but in the future we will surely add an option to do this also from the manager):
 
 ~~~
-qvm-start win7 --cdrom=/usr/local/iso/win7_en.iso
-or
 qvm-start win7 --cdrom=TempIsoVM:/home/user/win7.iso
+or
+qvm-start win7 --cdrom=dom0:/usr/local/iso/win7_en.iso
 ~~~
 
-The above first command assumes the installation ISO was transferred to Dom0 (copied using `dd` command from an installation CDROM for example). The second is for when the iso is in another VM. If one wishes to use the actual physical media without copying it first to a file, then one can just pass `/dev/cdrom` as an argument to `--cdrom`:
+The above first command assumes the installation ISO was transferred to a TempIsoVM (copied using `dd` command from an installation CDROM for example). The second is for when the iso is in Dom0, which is not recommanded. If one wishes to use the actual physical media without copying it first to a file, then one can just pass `/dev/cdrom` as an argument to `--cdrom`:
 
 ~~~
 qvm-start win7 --cdrom=/dev/cdrom

From f06944d0c5b40bc0e18b0d240ac80237f860adca Mon Sep 17 00:00:00 2001
From: Alex Dubois <bowabos@gmail.com>
Date: Mon, 12 Feb 2018 06:58:28 +0000
Subject: [PATCH 068/103] fixed travis typo errors

---
 managing-os/hvm.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/managing-os/hvm.md b/managing-os/hvm.md
index 32971ea0..702251ec 100644
--- a/managing-os/hvm.md
+++ b/managing-os/hvm.md
@@ -53,12 +53,12 @@ libvirt.libvirtError: invalid argument: could not find capabilities for arch=x86
 Now we need to install an OS inside this VM.  This can be done by attaching an installation ISO to and starting the VM (this can currently only be done from command line, but in the future we will surely add an option to do this also from the manager):
 
 ~~~
-qvm-start win7 --cdrom=TempIsoVM:/home/user/win7.iso
+qvm-start win7 --cdrom=DispVM:/home/user/win7.iso
 or
 qvm-start win7 --cdrom=dom0:/usr/local/iso/win7_en.iso
 ~~~
 
-The above first command assumes the installation ISO was transferred to a TempIsoVM (copied using `dd` command from an installation CDROM for example). The second is for when the iso is in Dom0, which is not recommanded. If one wishes to use the actual physical media without copying it first to a file, then one can just pass `/dev/cdrom` as an argument to `--cdrom`:
+The above first command assumes the installation ISO was transferred to a DispVM (copied using `dd` command from an installation CDROM for example). The second is for when the iso is in Dom0, which is not recomended. If one wishes to use the actual physical media without copying it first to a file, then one can just pass `/dev/cdrom` as an argument to `--cdrom`:
 
 ~~~
 qvm-start win7 --cdrom=/dev/cdrom

From 222c58952277f094aaabeb354c2acfd9c315a550 Mon Sep 17 00:00:00 2001
From: Alex Dubois <bowabos@gmail.com>
Date: Mon, 12 Feb 2018 07:08:03 +0000
Subject: [PATCH 069/103] typo grrr

---
 managing-os/hvm.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/managing-os/hvm.md b/managing-os/hvm.md
index 702251ec..e120b458 100644
--- a/managing-os/hvm.md
+++ b/managing-os/hvm.md
@@ -58,7 +58,7 @@ or
 qvm-start win7 --cdrom=dom0:/usr/local/iso/win7_en.iso
 ~~~
 
-The above first command assumes the installation ISO was transferred to a DispVM (copied using `dd` command from an installation CDROM for example). The second is for when the iso is in Dom0, which is not recomended. If one wishes to use the actual physical media without copying it first to a file, then one can just pass `/dev/cdrom` as an argument to `--cdrom`:
+The above first command assumes the installation ISO was transferred to a DispVM (copied using `dd` command from an installation CDROM for example). The second is for when the iso is in Dom0, which is not recommended. If one wishes to use the actual physical media without copying it first to a file, then one can just pass `/dev/cdrom` as an argument to `--cdrom`:
 
 ~~~
 qvm-start win7 --cdrom=/dev/cdrom

From adc08bc00dc2ef37cb8b08b079da72e00f864994 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Mon, 12 Feb 2018 12:54:01 +0000
Subject: [PATCH 070/103] line breaks, version clarification

---
 common-tasks/copy-from-dom0.md | 43 ++++++++++------------------------
 1 file changed, 13 insertions(+), 30 deletions(-)

diff --git a/common-tasks/copy-from-dom0.md b/common-tasks/copy-from-dom0.md
index 524b553a..2e9dd92e 100644
--- a/common-tasks/copy-from-dom0.md
+++ b/common-tasks/copy-from-dom0.md
@@ -21,66 +21,49 @@ To copy a file from dom0 to a VM (domU), simply use `qvm-copy-to-vm`:
 qvm-copy-to-vm <dest-vm> <file>
 ~~~
 
-The file will arrive in your destination VM in the `~/QubesIncoming/dom0/`
-directory.
+The file will arrive in your destination VM in the `~/QubesIncoming/dom0/` directory.
 
 ### Copying logs from Dom0 ###
 
-In order to easily copy/paste the contents of logs from dom0 to the inter-VM
-clipboard, you can simply:
+In order to easily copy/paste the contents of logs from dom0 to the inter-VM clipboard, you can simply:
 
 1.  Right-click on the desired VM in the Qubes VM Manager.
 2.  Click "Logs."
 3.  Click on the desired log.
 4.  Click "Copy to Qubes clipboard."
 
-You may now paste the log contents to any VM as you normally would (i.e.,
-Ctrl-Shift-V, then Ctrl-V).
+You may now paste the log contents to any VM as you normally would (i.e., Ctrl-Shift-V, then Ctrl-V).
 
 ### Copy/paste from Dom0 ###
 
 For data other than logs, there are several options:
 
 1.  Copy it as a file (see above)
-2.  Since updated versions of 3.2 you can copy text to the dom0 clipboard
-    (Ctrl-C as normal), then click "Copy Dom0 clipboard" in the Qubes menu:
+2.  In Qubes 3.2 you can copy text to the dom0 clipboard (Ctrl-C as normal), then click "Copy Dom0 clipboard" in the Qubes menu:
     ![copy-dom0-clipboard](/attachment/wiki/QubesScreenshots/r3.2-dom0-copyout.png)
     which is equivelant to Ctrl-Shift-C from a normal AppVM.
-    Then you can use Ctrl-Shift-V and Ctrl-V to paste the copied text into an
-    AppVM as normal.
-3.  In older versions, write the data you wish to copy into
-    `/var/run/qubes/qubes-clipboard.bin`, then write "dom0" to
-    `/var/run/qubes/qubes-clipboard.bin.source`.
+    Then you can use Ctrl-Shift-V and Ctrl-V to paste the copied text into an AppVM as normal.
+3.  In other versions, write the data you wish to copy into `/var/run/qubes/qubes-clipboard.bin`, then `echo -n dom0 > /var/run/qubes/qubes-clipboard.bin.source`.
     Then use Ctrl-Shift-V to paste the data to the desired VM.
 
 
 Copying **to** Dom0
 -------------------
 
-There should normally be few reasons for the user to want to copy files from VMs
-to Dom0, as Dom0 only acts as a "thin trusted terminal", and no user
-applications run there. Copying untrusted files to Dom0 is not advised and may
-compromise the security of your Qubes system. Because of this, we do not provide
-a graphical user interface for it, unlike [copying files between
-VMs](/doc/copying-files/).
+There should normally be few reasons for the user to want to copy files from VMs to Dom0, as Dom0 only acts as a "thin trusted terminal", and no user applications run there.
+Copying untrusted files to Dom0 is not advised and may compromise the security of your Qubes system.
+Because of this, we do not provide a graphical user interface for it, unlike [copying files between VMs](/doc/copying-files/).
 
-One common use-case for this is if we want to use a desktop wallpaper in Dom0 we
-have located in one of our AppVMs (e.g. in the 'personal' AppVM where we got the
-wallpaper from our camera or downloaded it from the Internet). While it's a
-well-justified reason, imagine what would happen if the wallpaper (e.g. a JPEG
-file) was somehow malformed or malicious and attempted to exploit a hypothetical
-JPEG parser bug in Dom0 code (e.g. in the Dom0's Xorg/KDE code that parses the
-wallpaper and displays it).
+One common use-case for this is if we want to use a desktop wallpaper in Dom0 we have located in one of our AppVMs (e.g. in the 'personal' AppVM where we got the wallpaper from our camera or downloaded it from the Internet).
+While it's a well-justified reason, imagine what would happen if the wallpaper (e.g. a JPEG file) was somehow malformed or malicious and attempted to exploit a hypothetical JPEG parser bug in Dom0 code (e.g. in the Dom0's Xorg/KDE code that parses the wallpaper and displays it).
 
-If you are determined to copy some files to Dom0 anyway, you can use the
-following method (run this command from Dom0's console):
+If you are determined to copy some files to Dom0 anyway, you can use the following method (run this command from Dom0's console):
 
 ~~~
 qvm-run --pass-io <src-vm> 'cat /path/to/file_in_src_domain' > /path/to/file_name_in_dom0
 ~~~
 
-You can use the same method to copy files from Dom0 to VMs (if, for some reason,
-you don't want to use `qvm-copy-to-vm`):
+You can use the same method to copy files from Dom0 to VMs (if, for some reason, you don't want to use `qvm-copy-to-vm`):
 
 ~~~
 cat /path/to/file_in_dom0 | qvm-run --pass-io <dest-vm> 'cat > /path/to/file_name_in_appvm'

From 0d99fe1125854c169cc644791b282c3c03ee2c0e Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Mon, 12 Feb 2018 14:35:56 +0000
Subject: [PATCH 071/103] line breaks, additional grammar

---
 configuration/managing-vm-kernel.md | 133 ++++++++++++++--------------
 1 file changed, 65 insertions(+), 68 deletions(-)

diff --git a/configuration/managing-vm-kernel.md b/configuration/managing-vm-kernel.md
index 70859eb2..ebb23688 100644
--- a/configuration/managing-vm-kernel.md
+++ b/configuration/managing-vm-kernel.md
@@ -9,14 +9,14 @@ redirect_from:
 VM kernel managed by dom0
 =========================
 
-By default VMs kernels are provided by dom0. This means that:
+By default, VMs kernels are provided by dom0. This means that:
 
-1. You can select kernel version in VM settings;
+1. You can select the kernel version in VM settings;
 2. You can modify kernel options in VM settings;
-3. You can **not** modify any of above from inside of VM;
+3. You can **not** modify any of the above from inside a VM;
 4. Installing additional kernel modules is cumbersome.
 
-To select which kernel a given VM will use, you can use either use Qubes Manager (VM settings, advanced tab), or `qvm-prefs` tool:
+To select which kernel a given VM will use, you can either use Qubes Manager (VM settings, advanced tab), or the `qvm-prefs` tool:
 
 ~~~
 [user@dom0 ~]$ qvm-prefs my-appvm -s kernel
@@ -33,7 +33,7 @@ Possible values:
 [user@dom0 ~]$ qvm-prefs my-appvm -s kernel default
 ~~~
 
-To check/change the default kernel you can go either to "Global settings" in Qubes Manager, or use `qubes-prefs` tool:
+To check/change the default kernel you can either go to "Global settings" in Qubes Manager, or use the `qubes-prefs` tool:
 
 ~~~
 [user@dom0 ~]$ qubes-prefs
@@ -49,7 +49,9 @@ updatevm          : sys-firewall
 Installing different kernel using Qubes kernel package
 ----------------------------------
 
-VM kernels are packages by Qubes team in `kernel-qubes-vm` packages. Generally the system will keep the 3 newest available versions. You can list them with the `rpm` command:
+VM kernels are packages by Qubes team in `kernel-qubes-vm` packages.
+Generally, the system will keep the three newest available versions.
+You can list them with the `rpm` command:
 
 ~~~
 [user@dom0 ~]$ rpm -qa 'kernel-qubes-vm*'
@@ -58,10 +60,10 @@ kernel-qubes-vm-3.18.16-3.pvops.qubes.x86_64
 kernel-qubes-vm-3.18.17-4.pvops.qubes.x86_64
 ~~~
 
-If you want a more recent version, you can check `qubes-dom0-unstable` repository. As the name suggests, keep in
-mind that those packages may be less stable than the default ones.
+If you want a more recent version, you can check the `qubes-dom0-unstable` repository.
+As the name suggests, keep in mind that those packages may be less stable than the default ones.
 
-Checking available versions in `qubes-dom0-unstable` repository:
+To check available versions in the `qubes-dom0-unstable` repository:
 
 ~~~
 [user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable --action=list kernel-qubes-vm
@@ -82,7 +84,7 @@ kernel-qubes-vm.x86_64 1000:3.18.17-4.pvops.qubes @qubes-dom0-cached
 
 ~~~
 
-Installing new version from `qubes-dom0-unstable` repository:
+Installing a new version from `qubes-dom0-unstable` repository:
 
 ~~~
 [user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable kernel-qubes-vm
@@ -130,21 +132,22 @@ Complete!
 [marmarek@dom0 ~]$
 ~~~
 
-In the above example, it tries to remove 3.18.10-2.pvops.qubes kernel (to keep only 3 installed), but since some VM uses it, it fails. Installation of new package is unaffected by this event.
+In the above example, it tries to remove the 3.18.10-2.pvops.qubes kernel (to keep only three installed), but since some VM uses it, it fails.
+Installation of the new package is unaffected by this event.
 
-The newly installed package is set as default VM kernel.
+The newly installed package is set as the default VM kernel.
 
 Installing different VM kernel based on dom0 kernel
 ---------------------------------------------------
 
-It is possible to package kernel installed in dom0 as VM kernel. This makes it
-possible to use VM kernel, which is not packaged by Qubes team. This includes:
- * using Fedora kernel package
- * using manually compiled kernel
+It is possible to package a kernel installed in dom0 as a VM kernel.
+This makes it possible to use a VM kernel which is not packaged by Qubes team.
+This includes:
+ * using a Fedora kernel package
+ * using a manually compiled kernel
 
-To prepare such VM kernel, you need to install `qubes-kernel-vm-support`
-package in dom0 and also have matching kernel headers installed (`kernel-devel`
-package in the case of Fedora kernel package). You can install required stuff using `qubes-dom0-update`:
+To prepare such a VM kernel, you need to install the `qubes-kernel-vm-support` package in dom0 and also have matching kernel headers installed (`kernel-devel` package in the case of a Fedora kernel package).
+You can install requirements using `qubes-dom0-update`:
 
 ~~~
 [user@dom0 ~]$ sudo qubes-dom0-update qubes-kernel-vm-support kernel-devel
@@ -187,10 +190,9 @@ Installed:
 Complete!
 ~~~
 
-Then you can call `qubes-prepare-vm-kernel` tool to actually package the
-kernel. The first parameter is kernel version (exactly as seen by the kernel),
-the second one (optional) is short name being visible in Qubes Manager and
-`qvm-prefs` tool.
+Then you can call the `qubes-prepare-vm-kernel` tool to actually package the kernel.
+The first parameter is kernel version (exactly as seen by the kernel), the second one (optional) is short name.
+This is visible in Qubes Manager and the `qvm-prefs` tool.
 
 ~~~
 [user@dom0 ~]$ sudo qubes-prepare-vm-kernel 4.1.9-6.pvops.qubes.x86_64 4.1.qubes
@@ -207,14 +209,18 @@ Using kernel installed in the VM
 
 **This option is available only in Qubes R3.1 or newer**
 
-It is possible to use kernel installed in the VM (in most cases - TemplateVM).
-This is possible thanks to PV GRUB2 - GRUB2 running in the VM. To make it happen, you need to:
+It is possible to use a kernel installed in the VM (in most cases - TemplateVM).
+This is possible thanks to PV GRUB2 - GRUB2 running in the VM.
+To make it happen, you need to:
 
 1. Install PV GRUB2 in dom0 - package is named `grub2-xen`.
-2. Install kernel in the VM. As with all VM software installation - this needs to be done in TemplateVM (of StandaloneVM if you are using one).
-3. Set VM kernel to `pvgrub2` value. You can use `pvgrub2` in selected VMs, not necessary all of them, even when its template has kernel installed. You can still use dom0-provided kernel for selected VMs.
+2. Install kernel in the VM.
+   As with all VM software installation - this needs to be done in TemplateVM (of StandaloneVM if you are using one).
+3. Set VM kernel to `pvgrub2` value.
+   You can use `pvgrub2` in selected VMs, but it's not necessary in all of them, even when its template has a kernel installed.
+   You can still use a dom0-provided kernel for selected VMs.
 
-**WARNING: When using kernel from within VM, `kernelopts` parameter is ignored.**
+**WARNING: When using a kernel from within a VM, the `kernelopts` parameter is ignored.**
 
 ### Installing PV GRUB2
 
@@ -226,28 +232,24 @@ sudo qubes-dom0-update grub2-xen
 
 ### Installing kernel in Fedora VM
 
-In Fedora based VM, you need to install `qubes-kernel-vm-support` package. This
-package includes required additional kernel module and initramfs addition
-required to start Qubes VM (for details see
-[template implementation](/doc/template-implementation/)). Additionally you
-need some GRUB tools to create its configuration. Note: you don't need actual
-grub bootloader as it is provided by dom0. But having one also shouldn't harm.
+In a Fedora based VM, you need to install the `qubes-kernel-vm-support` package.
+This package includes the additional kernel module and initramfs addition required to start a Qubes VM (for details see [template implementation](/doc/template-implementation/)).
+Additionally, you need some GRUB tools to create its configuration. 
+Note: You don't need an actual grub bootloader as it is provided by dom0, but having one shouldn't hurt.
 
 ~~~
 sudo yum install qubes-kernel-vm-support grub2-tools
 ~~~
 
-Then install whatever kernel you want. If you are using distribution kernel
-package (`kernel` package), initramfs and kernel module should be handled
-automatically, but you need to ensure you have `kernel-devel` package for the
-same kernel version installed. If you are using a manually built kernel, you need
-to handle this on your own. Take a look at `dkms` and `dracut` documentation.
-Especially `dkms autoinstall` command may be useful.
+Then install whatever kernel you want.
+If you are using distribution kernel package (`kernel` package), the initramfs and kernel module should be handled automatically, but you need to ensure you have the `kernel-devel` package for the same kernel version installed.
+If you are using a manually built kernel, you need to handle this on your own.
+Take a look at the `dkms` and `dracut` documentation, especially the `dkms autoinstall` command may be useful.
 
-When kernel is installed, you need to create GRUB configuration. 
-You may want to adjust some settings in `/etc/default/grub`, for example lower
-`GRUB_TIMEOUT` to speed up VM startup. Then you need to generate actual configuration:
-In Fedora it can be done using `grub2-mkconfig` tool:
+When the kernel is installed, you need to create a GRUB configuration. 
+You may want to adjust some settings in `/etc/default/grub`; for example, lower `GRUB_TIMEOUT` to speed up VM startup. 
+Then, you need to generate the actual configuration:
+In Fedora it can be done using the `grub2-mkconfig` tool:
 
 ~~~
 sudo grub2-mkconfig -o /boot/grub2/grub.cfg
@@ -259,17 +261,15 @@ You can safely ignore this error message:
 grub2-probe: error: cannot find a GRUB drive for /dev/mapper/dmroot. Check your device.map
 ~~~
 
-Then shutdown the VM. From now you can set `pvgrub2` as VM kernel and it will
-start kernel configured within VM. 
+Then shutdown the VM.
+Now you can set `pvgrub2` as the VM kernel and it will start the kernel configured within your VM. 
 
 ### Installing kernel in Debian VM
 
-In Debian based VM, you need to install `qubes-kernel-vm-support` package. This
-package includes required additional kernel module and initramfs addition
-required to start Qubes VM (for details see
-[template implementation](/doc/template-implementation/)). Additionally you
-need some GRUB tools to create its configuration. Note: you don't need actual
-grub bootloader as it is provided by dom0. But having one also shouldn't harm.
+In a Debian based VM, you need to install the `qubes-kernel-vm-support` package.
+This package includes the additional kernel module and initramfs addition required to start a Qubes VM (for details see [template implementation](/doc/template-implementation/)).
+Additionally, you need some GRUB tools to create its configuration. 
+Note: You don't need an actual grub bootloader as it is provided by dom0, but having one shouldn't hurt.
 
 ~~~
 sudo apt-get update
@@ -278,10 +278,9 @@ sudo apt-get install qubes-kernel-vm-support grub2-common
 
 Ignore warnings about `version '...' has bad syntax`.
 
-Then install whatever kernel you want. If you are using distribution kernel
-package (`linux-image-amd64` package), initramfs and kernel module should be
-handled automatically. If not, or you are building kernel manually, do this on
-using `dkms` and `initramfs-tools`:
+Then install whatever kernel you want.
+If you are using a distribution kernel package (`linux-image-amd64` package), the initramfs and kernel modules should be handled automatically.
+If not, or you are building the kernel manually, do this using `dkms` and `initramfs-tools`:
 
     sudo dkms autoinstall -k <kernel-version> # replace this <kernel-version> with actual kernel version
     sudo update-initramfs -u
@@ -303,10 +302,9 @@ The output should look like this:
 	$ sudo update-initramfs -u
 	update-initramfs: Generating /boot/initrd.img-3.16.0-4-amd64
 
-When kernel is installed, you need to create GRUB configuration. 
-You may want to adjust some settings in `/etc/default/grub`, for example lower
-`GRUB_TIMEOUT` to speed up VM startup. Then you need to generate actual configuration:
-In Fedora it can be done using `update-grub2` tool:
+When the kernel is installed, you need to create a GRUB configuration. 
+You may want to adjust some settings in `/etc/default/grub`; for example, lower `GRUB_TIMEOUT` to speed up VM startup.
+Then, you need to generate the actual configuration with the `update-grub2` tool:
 
 ~~~
 sudo mkdir /boot/grub
@@ -319,17 +317,16 @@ You can safely ignore this error message:
 grub2-probe: error: cannot find a GRUB drive for /dev/mapper/dmroot. Check your device.map
 ~~~
 
-Then shutdown the VM. From now you can set `pvgrub2` as VM kernel and it will
-start kernel configured within VM.
+Then shutdown the VM.
+Now you can set `pvgrub2` as the VM kernel and it will start the kernel configured within your VM.
 
-When starting the VM you can safely ignore any warnings about a missing module 'dummy-hcd'
+When starting the VM you can safely ignore any warnings about a missing module 'dummy-hcd'.
 
 ### Troubleshooting
 
-In the event of a problem, you can access the VM console (using `sudo xl console VMNAME` in dom0) to access
-the GRUB menu. You need to call it just after starting VM (until `GRUB_TIMEOUT`
-expires) - for example in a separate dom0 terminal window.
+In case of problems, you can access the VM console using `sudo xl console VMNAME` in dom0, then access the GRUB menu.
+You need to call it just after starting the VM (until `GRUB_TIMEOUT` expires); for example, in a separate dom0 terminal window.
 
-In any case you can later access VM logs (especially VM console log (`guest-VMNAME.log`). 
+In any case you can later access the VM's logs (especially the VM console log `guest-VMNAME.log`).
 
-You can always set kernel back to some dom0-provided value to fix VM kernel installation.
+You can always set the kernel back to some dom0-provided value to fix a VM kernel installation.

From 6880452c2ec3681b585edcd01b87902031f6c9d6 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Mon, 12 Feb 2018 14:50:04 +0000
Subject: [PATCH 072/103] R3.2 updates

spell out dracut step in fedora template
add version notes
add note about first boot delay
---
 configuration/managing-vm-kernel.md | 53 +++++++++++++++++++++--------
 1 file changed, 38 insertions(+), 15 deletions(-)

diff --git a/configuration/managing-vm-kernel.md b/configuration/managing-vm-kernel.md
index ebb23688..f95ea9cd 100644
--- a/configuration/managing-vm-kernel.md
+++ b/configuration/managing-vm-kernel.md
@@ -16,10 +16,13 @@ By default, VMs kernels are provided by dom0. This means that:
 3. You can **not** modify any of the above from inside a VM;
 4. Installing additional kernel modules is cumbersome.
 
+*Note* In the examples below, although the specific version numbers might be old, the commands have been verified on R3.2 with debian-9 and fedora-26 templates.
+At the time of writing, there is a blocking issue for R4.0 [3563](https://github.com/QubesOS/qubes-issues/issues/3563).
+
 To select which kernel a given VM will use, you can either use Qubes Manager (VM settings, advanced tab), or the `qvm-prefs` tool:
 
 ~~~
-[user@dom0 ~]$ qvm-prefs my-appvm -s kernel
+[user@dom0 ~]$ qvm-prefs -s my-appvm kernel
 Missing kernel version argument!
 Possible values:
 1) default
@@ -29,8 +32,8 @@ Possible values:
   - 3.18.17-4
   - 3.19.fc20
   - 3.18.10-2
-[user@dom0 ~]$ qvm-prefs my-appvm -s kernel 3.18.17-4
-[user@dom0 ~]$ qvm-prefs my-appvm -s kernel default
+[user@dom0 ~]$ qvm-prefs -s my-appvm kernel 3.18.17-4
+[user@dom0 ~]$ qvm-prefs -s my-appvm kernel default
 ~~~
 
 To check/change the default kernel you can either go to "Global settings" in Qubes Manager, or use the `qubes-prefs` tool:
@@ -211,13 +214,13 @@ Using kernel installed in the VM
 
 It is possible to use a kernel installed in the VM (in most cases - TemplateVM).
 This is possible thanks to PV GRUB2 - GRUB2 running in the VM.
-To make it happen, you need to:
+To make it happen, at a high level you need to:
 
-1. Install PV GRUB2 in dom0 - package is named `grub2-xen`.
-2. Install kernel in the VM.
-   As with all VM software installation - this needs to be done in TemplateVM (of StandaloneVM if you are using one).
+1. Install PV GRUB2 (`grub2-xen`) in dom0.
+2. Install kernel in the VM (see below for Fedora and Debian steps).
+   As with all VM software installation - this needs to be done in a TemplateVM (or StandaloneVM if you are using one).
 3. Set VM kernel to `pvgrub2` value.
-   You can use `pvgrub2` in selected VMs, but it's not necessary in all of them, even when its template has a kernel installed.
+   You can use `pvgrub2` in selected VMs, but it's not necessary in all of them, even if its template has a kernel installed.
    You can still use a dom0-provided kernel for selected VMs.
 
 **WARNING: When using a kernel from within a VM, the `kernelopts` parameter is ignored.**
@@ -238,15 +241,22 @@ Additionally, you need some GRUB tools to create its configuration.
 Note: You don't need an actual grub bootloader as it is provided by dom0, but having one shouldn't hurt.
 
 ~~~
-sudo yum install qubes-kernel-vm-support grub2-tools
+sudo dnf install qubes-kernel-vm-support grub2-tools
 ~~~
 
 Then install whatever kernel you want.
-If you are using distribution kernel package (`kernel` package), the initramfs and kernel module should be handled automatically, but you need to ensure you have the `kernel-devel` package for the same kernel version installed.
-If you are using a manually built kernel, you need to handle this on your own.
-Take a look at the `dkms` and `dracut` documentation, especially the `dkms autoinstall` command may be useful.
+You need to also ensure you have the `kernel-devel` package for the same kernel version installed.
 
-When the kernel is installed, you need to create a GRUB configuration. 
+If you are using a distribution kernel package (`kernel` package), the initramfs and kernel modules may be handled automatically. 
+If you are using a manually built kernel, you need to handle this on your own.
+Take a look at the `dkms` documentation, especially the `dkms autoinstall` command may be useful.
+If you did not see the `kernel` install rebuild your initramfs, or are using a manually built kernel, you will need to rebuild it yourself with the following (replace version numbers with those appropriate for your kernel):
+
+~~~
+dracut -f /boot/initramfs-4.14.16-200.fc26.x86_64.img 4.14.16-200.fc26.x86_64
+~~~
+
+Once the kernel is installed, you need to create a GRUB configuration. 
 You may want to adjust some settings in `/etc/default/grub`; for example, lower `GRUB_TIMEOUT` to speed up VM startup. 
 Then, you need to generate the actual configuration:
 In Fedora it can be done using the `grub2-mkconfig` tool:
@@ -264,6 +274,11 @@ grub2-probe: error: cannot find a GRUB drive for /dev/mapper/dmroot. Check your
 Then shutdown the VM.
 Now you can set `pvgrub2` as the VM kernel and it will start the kernel configured within your VM. 
 
+**Note:** On first boot the VM will automatically allocate swap space.
+This can take a while to complete- longer than your `qrexec_timeout` setting, which will make the VM appear to have hung on boot.
+To confirm this is the case, see [Troubleshooting](/doc/managing-vm-kernel/#troubleshooting) below or just wait for five minutes and shutdown the VM.
+It should respond normally on future boots.
+
 ### Installing kernel in Debian VM
 
 In a Debian based VM, you need to install the `qubes-kernel-vm-support` package.
@@ -272,10 +287,13 @@ Additionally, you need some GRUB tools to create its configuration.
 Note: You don't need an actual grub bootloader as it is provided by dom0, but having one shouldn't hurt.
 
 ~~~
-sudo apt-get update
-sudo apt-get install qubes-kernel-vm-support grub2-common
+sudo apt update
+sudo apt install qubes-kernel-vm-support grub2-common
 ~~~
 
+If prompted for a GRUB install device, choose `/dev/mapper/dmroot`.
+You will receive an error about GRUB failed to install to it, but just continue anyways.
+You don't need an actual grub bootloader as it is provided by dom0, but having one shouldn't hurt.
 Ignore warnings about `version '...' has bad syntax`.
 
 Then install whatever kernel you want.
@@ -322,6 +340,11 @@ Now you can set `pvgrub2` as the VM kernel and it will start the kernel configur
 
 When starting the VM you can safely ignore any warnings about a missing module 'dummy-hcd'.
 
+**Note:** on first boot the VM will automatically allocate swap space.
+This can take a while to complete- longer than your `qrexec_timeout` setting, which will make the VM appear to have hung on boot.
+To confirm this is the case, see [Troubleshooting](/doc/managing-vm-kernel/#troubleshooting) below or just wait for five minutes and shutdown the VM.
+It should respond normally on future boots.
+
 ### Troubleshooting
 
 In case of problems, you can access the VM console using `sudo xl console VMNAME` in dom0, then access the GRUB menu.

From a66c20b719d4e3f1c419cca1a4cb000f43348714 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Tue, 13 Feb 2018 13:03:21 +0000
Subject: [PATCH 073/103] line breaks, misc grammar

---
 configuration/config-files.md | 58 +++++++++++++----------------------
 1 file changed, 22 insertions(+), 36 deletions(-)

diff --git a/configuration/config-files.md b/configuration/config-files.md
index 66b53df3..c3258ecf 100644
--- a/configuration/config-files.md
+++ b/configuration/config-files.md
@@ -12,13 +12,11 @@ redirect_from:
 Qubes specific VM config files
 ==============================
 
-Those files are placed in /rw, which survives VM restart, so can be 
-used to customize single VM (not all VMs based on the same template). 
+These files are placed in /rw, which survives a VM restart.
+That way, they can be used to customize a single VM instead of all VMs based on the same template. 
 The scripts here all run as root.
 
--   `/rw/config/rc.local` - script run at VM startup. Good place to 
-change some service settings, replace config files with its copy stored 
-in /rw/config etc. Example usage:
+-   `/rw/config/rc.local` - script run at VM startup. Good place to change some service settings, replace config files with its copy stored in /rw/config, etc. Example usage:
 
     ~~~
     # Store bluetooth keys in /rw to keep them across VM restarts
@@ -26,29 +24,24 @@ in /rw/config etc. Example usage:
     ln -s /rw/config/var-lib-bluetooth /var/lib/bluetooth
     ~~~
 
--   `/rw/config/qubes-ip-change-hook` - script run in NetVM after 
-external IP change (or connection to the network)
+-   `/rw/config/qubes-ip-change-hook` - script run in NetVM after external IP change (or connection to the network).
 
--   `/rw/config/qubes-firewall-user-script` - script run in ProxyVM 
-after each firewall update. Good place to write own custom firewall 
-rules
+-   `/rw/config/qubes-firewall-user-script` - script run in ProxyVM after each firewall update.
+    Good place to write own custom firewall rules.
 
--   `/rw/config/suspend-module-blacklist` - list of modules (one per 
-line) to be unloaded before system going to sleep. The file is used 
-only in VM with some PCI devices attached. Supposed to be used for 
-problematic device drivers.
+-   `/rw/config/suspend-module-blacklist` - list of modules (one per line) to be unloaded before system goes to sleep.
+    The file is used only in a VM with PCI devices attached.
+    Supposed to be used for problematic device drivers.
 
 Note that scripts need to be executable (chmod +x) to be used.
 
-Also take a look at [bind-dirs](/doc/bind-dirs) for instructions on 
-how to easily modify arbitrary system files in AppVM and have those changes persist.
+Also, take a look at [bind-dirs](/doc/bind-dirs) for instructions on how to easily modify arbitrary system files in an AppVM and have those changes persist.
 
 GUI and audio configuration in dom0
 ===================================
 
-GUI configuration file `/etc/qubes/guid.conf` in one of few not managed 
-by qubes-prefs nor Qubes Manager tool. Sample config (included in 
-default installation):
+The GUI configuration file `/etc/qubes/guid.conf` in one of a few not managed by qubes-prefs or the Qubes Manager tool.
+Sample config (included in default installation):
 
 ~~~
 # Sample configuration file for Qubes GUI daemon
@@ -78,25 +71,18 @@ VM: {
 
 Currently supported settings:
 
--   `allow_fullscreen` - allow VM to request its windows to go 
-fullscreen (without any colorful frame).
+-   `allow_fullscreen` - allow VM to request its windows to go fullscreen (without any colorful frame).
 
-    **Note:** Regardless of this setting, you can always put a window into
-fullscreen mode in Xfce4 using the trusted window manager by right-clicking on
-a window's title bar and selecting "Fullscreen". This functionality should still
-be considered safe, since a VM window still can't voluntarily enter fullscreen
-mode. The user must select this option from the trusted window manager in dom0.
-To exit fullscreen mode from here, press `alt` + `space` to bring up the title
-bar menu again, then select "Leave Fullscreen".
+    **Note:** Regardless of this setting, you can always put a window into fullscreen mode in Xfce4 using the trusted window manager by right-clicking on a window's title bar and selecting "Fullscreen".
+    This functionality should still be considered safe, since a VM window still can't voluntarily enter fullscreen mode.
+    The user must select this option from the trusted window manager in dom0.
+    To exit fullscreen mode from here, press `alt` + `space` to bring up the title bar menu again, then select "Leave Fullscreen".
 
--   `allow_utf8_titles` - allow to use UTF-8 in window titles, 
-otherwise non-ASCII characters are replaced by underscore.
+-   `allow_utf8_titles` - allow the use of UTF-8 in window titles; otherwise, non-ASCII characters are replaced by an underscore.
 
--   `secure_copy_sequence` and `secure_paste_sequence` - key sequences 
-used to trigger secure copy and paste
+-   `secure_copy_sequence` and `secure_paste_sequence` - key sequences used to trigger secure copy and paste.
 
--   `windows_count_limit` - limit on concurrent windows count.
+-   `windows_count_limit` - limit on concurrent windows.
 
--   `audio_low_latency` - force low-latency audio mode (about 40ms 
-compared to 200-500ms by default). Note that this will cause much 
-higher CPU usage in dom0.
+-   `audio_low_latency` - force low-latency audio mode (about 40ms compared to 200-500ms by default).
+    Note that this will cause much higher CPU usage in dom0.

From 3ba9b6a46c643ddbaed231aa7a18dfa947b6ce01 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Tue, 13 Feb 2018 13:13:24 +0000
Subject: [PATCH 074/103] R4.0 updates, edits for clarity

---
 configuration/config-files.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/configuration/config-files.md b/configuration/config-files.md
index c3258ecf..d9f7b124 100644
--- a/configuration/config-files.md
+++ b/configuration/config-files.md
@@ -16,7 +16,7 @@ These files are placed in /rw, which survives a VM restart.
 That way, they can be used to customize a single VM instead of all VMs based on the same template. 
 The scripts here all run as root.
 
--   `/rw/config/rc.local` - script run at VM startup. Good place to change some service settings, replace config files with its copy stored in /rw/config, etc. Example usage:
+-   `/rw/config/rc.local` - script runs at VM startup. Good place to change some service settings, replace config files with its copy stored in /rw/config, etc. Example usage:
 
     ~~~
     # Store bluetooth keys in /rw to keep them across VM restarts
@@ -24,14 +24,14 @@ The scripts here all run as root.
     ln -s /rw/config/var-lib-bluetooth /var/lib/bluetooth
     ~~~
 
--   `/rw/config/qubes-ip-change-hook` - script run in NetVM after external IP change (or connection to the network).
+-   `/rw/config/qubes-ip-change-hook` - script runs in NetVM after every external IP change and on "hardware" link status change.
 
--   `/rw/config/qubes-firewall-user-script` - script run in ProxyVM after each firewall update.
+-   `/rw/config/qubes-firewall-user-script` - script runs in ProxyVM/AppVM with `qvm-features <vmname> qubes-firewall true` after each firewall update.
     Good place to write own custom firewall rules.
 
 -   `/rw/config/suspend-module-blacklist` - list of modules (one per line) to be unloaded before system goes to sleep.
     The file is used only in a VM with PCI devices attached.
-    Supposed to be used for problematic device drivers.
+    Intended for use with problematic device drivers.
 
 Note that scripts need to be executable (chmod +x) to be used.
 

From f147dee6d739ba88d85d8bb464fdead03779e6a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Wed, 14 Feb 2018 13:50:54 +0100
Subject: [PATCH 075/103] mutt: mention cyrus-sasl-plain

---
 configuration/mutt.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/configuration/mutt.md b/configuration/mutt.md
index eae19b32..0ae3f94e 100644
--- a/configuration/mutt.md
+++ b/configuration/mutt.md
@@ -25,7 +25,9 @@ not very convenient.
 Installation
 ------------
 
-`yum install mutt`
+`dnf install mutt cyrus-sasl-plain`
+
+`cyrus-sasl-plain` package is necessary for SMTP authentication to work.
 
 Configuration
 -------------

From acb2899d92bac3871c7449081e10ac7e1ba59da5 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Thu, 15 Feb 2018 01:05:12 -0600
Subject: [PATCH 076/103] Add section on installation tests with openQA

---
 debugging/automated-tests.md | 34 +++++++++++++++++++++++++++++-----
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/debugging/automated-tests.md b/debugging/automated-tests.md
index 246410d6..d1d1359a 100644
--- a/debugging/automated-tests.md
+++ b/debugging/automated-tests.md
@@ -7,9 +7,12 @@ redirect_from:
 - /doc/AutomatedTests/
 ---
 
-Automatic tests
+Automated Tests
 ===============
 
+Unit and Integration Tests
+--------------------------
+
 Starting with Qubes R3 we use [python unittest][unittest] to perform automatic tests of Qubes OS. 
 Despite the name, we use it for both [unit tests](https://en.wikipedia.org/wiki/Unit_tests) and [integration tests](https://en.wikipedia.org/wiki/Integration_tests). 
 The main purpose is, of course, to deliver much more stable releases.
@@ -96,13 +99,13 @@ Example test run:
 
 ![snapshot-tests2.png](/attachment/wiki/developers/snapshot-tests2.png)
 
-## Adding a new test to core-admin
+### Adding a new test to core-admin
 After adding a new unit test to [core-admin/tests](https://github.com/QubesOS/qubes-core-admin/tree/master/tests) you'll have to make sure of two things:
 
 1. That the test will be added to the RPM file created by [QubesBuilder](/doc/qubes-builder/). For this you need to edit the [core-admin/tests/Makefile](https://github.com/QubesOS/qubes-core-admin/tree/master/tests/Makefile)
 2. That the test will be loaded by [core-admin/tests/\_\_init\_\_.py](https://github.com/QubesOS/qubes-core-admin/tree/master/tests/__init__.py)
 
-### Editing the Makefile
+#### Editing the Makefile
 To add your tests, you must append these two lines to the end of the makefile, which will copy your test and its compiled version to the right directory in the RPM file. 
 If your test is `example.py`, the appended lines would be:
 
@@ -110,8 +113,8 @@ If your test is `example.py`, the appended lines would be:
     cp example.py[co] $(DESTDIR)$(PYTHON_TESTSPATH)
 
 
-### Editing \_\_init\_\_.py
-You'll also need to add your test at the bottom of the \_\_init\_\_.py file, in the method `def load_tests`, in the for loop with `modname`.
+#### Editing `__init__.py`
+You'll also need to add your test at the bottom of the `__init__.py` file, in the method `def load_tests`, in the for loop with `modname`.
 Again, given the hypothetical `example.py` test:
 
 ~~~python
@@ -127,4 +130,25 @@ Again, given the hypothetical `example.py` test:
             ):
 ~~~
 
+
+Installation Tests with openQA
+------------------------------
+
+**URL:** <https://openqa.qubes-os.org/>  
+**Tests:** <https://github.com/marmarek/openqa-tests-qubesos>
+
+Manually testing the installation of Qubes OS is a time-consuming process.
+We use [openQA] to automate this process.
+It works by installing Qubes in KVM and interacting with it as a user would, including simulating mouse clicks and keyboard presses.
+Then, it checks the output to see whether various tests were passed, e.g., by comparing the virtual screen output to screenshots of a successful installation.
+
+Using openQA to automatically test the Qubes installation process works as of Qubes 4.0-rc4 on 2018-01-26, provided that the versions of KVM and QEMU are new enough and the hardware has VT-x and EPT.
+KVM also supports nested virtualization, so HVM should theoretically work.
+In practice, however, either Xen or QEMU crashes when this is attempted.
+Nonetheless, PV works well, which is sufficient for automated installation testing.
+
+Thanks to an anonymous donor, our openQA system is hosted in a datacenter on hardware that meets these requirements.
+
 [unittest]: https://docs.python.org/2/library/unittest.html
+[OpenQA]: http://open.qa/
+

From 2d7e53054504552a038fd5305e21768ab735ba78 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Thu, 15 Feb 2018 02:35:05 -0600
Subject: [PATCH 077/103] Update icon

---
 about/experts.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/about/experts.md b/about/experts.md
index eb1d15d9..efb79623 100644
--- a/about/experts.md
+++ b/about/experts.md
@@ -7,7 +7,7 @@ permalink: /experts/
 <div class="home-content container">
   <div class="row more-top">
     <div class="col-lg-12 col-md-12">
-      <h2 class="text-center"><i class="fa fa-thumbs-o-up"></i> What the experts are saying about Qubes</h2>
+      <h2 class="text-center"><i class="fa fa-quote-left"></i> What the experts are saying about Qubes</h2>
     </div>
   </div>
   <div class="white-box more-bottom">

From be9356661582d76a0cd38a72feb79db9e258e210 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Thu, 15 Feb 2018 10:35:57 +0000
Subject: [PATCH 078/103] add /rw as custom location

---
 customization/bind-dirs.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/customization/bind-dirs.md b/customization/bind-dirs.md
index 0a9d4ed4..b3d1475b 100644
--- a/customization/bind-dirs.md
+++ b/customization/bind-dirs.md
@@ -15,7 +15,7 @@ any arbitrary files or folders can be made persistent in TemplateBasedVMs.
 
 ## What is it useful for? ##
 
-In a TemplateBasedVM all of the file system comes from the template except /home and /usr/local.
+In a TemplateBasedVM all of the file system comes from the template except `/home`, `/usr/local`, and `/rw`.
 This means that changes in the rest of the filesystem are lost when the TemplateBasedVM is shutdown.
 bind-dirs provides a mechanism whereby files usually taken from the template can be persisted across reboots.
 

From 80d41ca1da6435525c1ffe24df47e3c70547bdfd Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Thu, 15 Feb 2018 11:09:51 +0000
Subject: [PATCH 079/103] add links to R4 content

---
 doc.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc.md b/doc.md
index 4d86174f..8cbf8fff 100644
--- a/doc.md
+++ b/doc.md
@@ -233,6 +233,8 @@ System
  * [Security-critical elements of Qubes OS](/doc/security-critical-code/)
  * [Qubes Core Admin](https://dev.qubes-os.org/projects/core-admin/en/latest/)
  * [Qubes Core Admin Client](https://dev.qubes-os.org/projects/core-admin-client/en/latest/)
+ * [Qubes Admin API](https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/)
+ * [Qubes Core Stack](https://www.qubes-os.org/news/2017/10/03/core3/)
  * [Qrexec: command execution in VMs](/doc/qrexec3/)
  * [Qubes GUI virtualization protocol](/doc/gui/)
  * [Networking in Qubes](/doc/networking/)

From afadee9d0ce5d4b76b261942a3ae106ff1eac584 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Thu, 15 Feb 2018 12:31:22 +0000
Subject: [PATCH 080/103] note it is R3.2 content

---
 services/dvm-impl.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/services/dvm-impl.md b/services/dvm-impl.md
index 246580a6..72139f3e 100644
--- a/services/dvm-impl.md
+++ b/services/dvm-impl.md
@@ -11,6 +11,8 @@ redirect_from:
 DisposableVM implementation in Qubes
 ====================================
 
+**Note: The content below applies to Qubes R3.2.**
+
 DisposableVM image preparation
 ------------------------------
 

From 635dfe70e89358000c2e5742a75140b112873e8c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Thu, 15 Feb 2018 14:33:21 +0100
Subject: [PATCH 081/103] Update release 4.0 schedule

---
 releases/4.0/schedule.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/releases/4.0/schedule.md b/releases/4.0/schedule.md
index ccb5f505..d65b318c 100644
--- a/releases/4.0/schedule.md
+++ b/releases/4.0/schedule.md
@@ -22,4 +22,7 @@ This schedule is based on [Version Scheme](/doc/version-scheme/#release-schedule
 | 11 Dec 2017 | decide whether 4.0-rc3 is the final 4.0 |
 |  1 Jan 2018 | current-testing freeze before 4.0-rc4 |
 | <strike>8 Jan 2018</strike><br/>31 Jan 2018 | 4.0-rc4 release |
-| <strike>22 Jan 2018</strike><br/>TBD | decide whether 4.0-rc4 is the final 4.0 |
+| <strike>22 Jan 2018</strike><br/>14 Feb 2018 | decide whether 4.0-rc4 is the final 4.0 |
+| 27 Feb 2018 | current-testing freeze before 4.0-rc5 |
+|  6 Mar 2018 | 4.0-rc5 release |
+| 20 Mar 2018 | decide whether 4.0-rc5 is the final 4.0 |

From 5739f8d67d028f83fb2b54d63f304dbf55bd319d Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 16 Feb 2018 12:42:47 +0000
Subject: [PATCH 082/103] add i915.alpha_support, headings

per https://mail-archive.com/qubes-users@googlegroups.com/msg19023.html
also fix line breaks and some punctuation
---
 troubleshooting/intel-igfx-troubleshooting.md | 30 ++++++++++++++-----
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/troubleshooting/intel-igfx-troubleshooting.md b/troubleshooting/intel-igfx-troubleshooting.md
index 6077b86f..81d55cbc 100644
--- a/troubleshooting/intel-igfx-troubleshooting.md
+++ b/troubleshooting/intel-igfx-troubleshooting.md
@@ -5,9 +5,25 @@ permalink: /doc/intel-igfx-troubleshooting/
 ---
 # Intel Integrated Graphics Troubleshooting #
 
-Dom0 Kernels currently included in Qubes have issues related to VT-d (IOMMU) and some versions of the
-integrated Intel Graphics Chip. Depending on the specific hardware / software combination the issues are quite wide ranging, from apparently harmless log errors, to VM window refresh issues,
-to complete screen corruption and crashes rendering the machine unusable with Qubes.
+## Software Rendering or Laggy Video
+
+If you are experiencing this issue, you will see extremely slow graphics updates.
+You will be able to watch the screen and elements paint slowly from top to bottom.
+You can confirm this is the issue by looking for a line similar to the following in your `/var/log/Xorg.0.log` file:
+
+    [   131.769] (EE) AIGLX: reverting to software rendering
+
+Newer versions of the Linux kernel have renamed the `i915.preliminary_hw_support=1` option to `i915.alpha_support=1`, so if you needed this kernel option in the past you will have to rename it or add it to your configuration files (follow either GRUB2 or EFI, not both):
+
+    * GRUB2: `/etc/default/grub`, `GRUB_CMDLINE_LINUX` line and  
+      Rebuild grub config (`grub2-mkconfig -o /boot/grub2/grub.cfg`)   
+    * EFI: `/boot/efi/EFI/qubes/xen.cfg`, `kernel=` line(s)
+
+
+## IOMMU ##
+
+Dom0 Kernels currently included in Qubes have issues related to VT-d (IOMMU) and some versions of the integrated Intel Graphics Chip.
+Depending on the specific hardware / software combination the issues are quite wide ranging, from apparently harmless log errors, to VM window refresh issues, to complete screen corruption and crashes rendering the machine unusable with Qubes.
 
 Such issues have been reported on at least the following machines:
 
@@ -21,11 +37,11 @@ Log errors only on :
 * Librem 13v1 
 * Librem 15v2
 
-The installer for Qubes 4.0 final has been updated to disable IOMMU for the integrated intel graphics by default. However, users of 3.2 may experience
-issues on install or on kernel upgrades to versions higher than 3.18.x 
+The installer for Qubes 4.0 final has been updated to disable IOMMU for the integrated intel graphics by default.
+However, users of 3.2 may experience issues on install or on kernel upgrades to versions higher than 3.18.x.
 
-Disabling of IOMMU for the integrated graphics chip is not a security issue, as the
-device currently lives in dom0 and is not passed to a VM. This behaviour is planned to be changed as of Qubes 4.1, when passthrough capabilities will be required for the GUI domain <sup id="a1-1">[1](#f1)</sup>
+Disabling IOMMU for the integrated graphics chip is not a security issue, as the device currently lives in dom0 and is not passed to a VM.
+This behaviour is planned to be changed as of Qubes 4.1, when passthrough capabilities will be required for the GUI domain <sup id="a1-1">[1](#f1)</sup>.
 
 
 ## Workaround for existing systems with VT-d enabled (grub / legacy mode) ##

From df17f7a5f235808a90f8b6d8ff4a7affbe475f87 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 16 Feb 2018 13:08:47 +0000
Subject: [PATCH 083/103] laggy -> lags

---
 troubleshooting/intel-igfx-troubleshooting.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/troubleshooting/intel-igfx-troubleshooting.md b/troubleshooting/intel-igfx-troubleshooting.md
index 81d55cbc..df20ddea 100644
--- a/troubleshooting/intel-igfx-troubleshooting.md
+++ b/troubleshooting/intel-igfx-troubleshooting.md
@@ -5,7 +5,7 @@ permalink: /doc/intel-igfx-troubleshooting/
 ---
 # Intel Integrated Graphics Troubleshooting #
 
-## Software Rendering or Laggy Video
+## Software Rendering or Video Lags
 
 If you are experiencing this issue, you will see extremely slow graphics updates.
 You will be able to watch the screen and elements paint slowly from top to bottom.

From fd0d1f968bbe0783a11de188d125d31507fc268e Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 16 Feb 2018 13:27:40 +0000
Subject: [PATCH 084/103] add backticks

---
 common-tasks/software-update-vm.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/common-tasks/software-update-vm.md b/common-tasks/software-update-vm.md
index f146d312..9e2d1570 100644
--- a/common-tasks/software-update-vm.md
+++ b/common-tasks/software-update-vm.md
@@ -198,7 +198,7 @@ This is generally the same in R3.2 and R4.0 - in both cases both the old and new
 ### Technical details (R4.0)
 
 Instead of using a network connection like in R3.2, R4.0 uses RPC/qrexec. The proxy is configured in
-qrexec policy: /etc/qubes-rpc/policy/qubes.UpdatesProxy. By default this is set to
+qrexec policy: `/etc/qubes-rpc/policy/qubes.UpdatesProxy`. By default this is set to
 sys-net and/or sys-whonix, depending on firstboot choices. This new design allows for templates to be
 updated even when they are not connected to any netvm.
 
@@ -234,7 +234,7 @@ a firewall rule to intercept traffic directed to 10.137.255.254:8082:
     ~~~
 
 2.  VMs using the proxy service Startup script (updates-proxy-setup or qubes-misc-post service) configure
-dnf using /etc/yum.conf.d/qubes-proxy.conf file. It can either contain
+dnf using `/etc/yum.conf.d/qubes-proxy.conf` file. It can either contain
 
     ~~~
     proxy=http://10.137.255.254:8082/

From 26fa648c41dd4e78a378bfb3cfb621ed33cf78ce Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 16 Feb 2018 16:47:36 +0000
Subject: [PATCH 085/103] add systemd fstrim and efi initrd rebuild step

from https://mail-archive.com/qubes-users@googlegroups.com/msg19082.html and followups
---
 configuration/disk-trim.md | 41 ++++++++++++++++++++++----------------
 1 file changed, 24 insertions(+), 17 deletions(-)

diff --git a/configuration/disk-trim.md b/configuration/disk-trim.md
index 5a430b08..40948c4f 100644
--- a/configuration/disk-trim.md
+++ b/configuration/disk-trim.md
@@ -32,16 +32,27 @@ Configuration
 ----------
 
 In all versions of Qubes, you may want to set up a periodic job in `dom0` to trim the disk.
+This can be done with either systemd (weekly only) or cron (daily or weekly).
 
-This can be done from a terminal as root, by creating a `trim` file in `/etc/cron.daily` (or `/etc/cron.weekly`).
-Add the following contents:
+ * **Systemd**
 
-```
-#!/bin/bash
-/sbin/fstrim --all
-```
+   From a terminal as a regular user:
 
-And mark it as executable with `chmod 755 /etc/cron.daily/trim`.
+   ```
+   systemctl enable fstrim.timer
+   systemctl start fstrim.timer
+   ```
+
+ * **Cron**
+
+   This can be done from a terminal as root, by creating a `trim` file in `/etc/cron.daily` (or `/etc/cron.weekly`).
+    Add the following contents:
+
+    ```
+   #!/bin/bash
+   /sbin/fstrim --all
+   ```
+   And mark it as executable with `chmod 755 /etc/cron.daily/trim`.
 
 **Note** Although discards can be issued on every delete inside `dom0` by adding the `discard` mount option to `/etc/fstab`, this option can hurt performance so the above procedure is recommended instead.
 However, inside App and Template qubes, the `discard` mount option is on by default to notify the LVM thin pool driver (R4.0) or sparse file driver (R3.2) that the space is no longer needed and can be zeroed and re-used.
@@ -73,17 +84,13 @@ To enable TRIM support in dom0 with LUKS you need to:
 
 3. Add `rd.luks.options=discard` to kernel cmdline (follow either GRUB2 or EFI, not both): 
     * GRUB2: `/etc/default/grub`, `GRUB_CMDLINE_LINUX` line and  
-      Rebuild grub config (`grub2-mkconfig -o /boot/grub2/grub.cfg`)   
-    * EFI: `/boot/efi/EFI/qubes/xen.cfg`, `kernel=` line(s)
+      Rebuild grub config (`grub2-mkconfig -o /boot/grub2/grub.cfg`), then  
+      Rebuild initrd **in hostonly mode** (`dracut -H -f`)
+    * EFI: `/boot/efi/EFI/qubes/xen.cfg`, `kernel=` line(s), then  
+      Rebuild initrd (`dracut -f /boot/efi/EFI/qubes/initramfs-$(uname -r).img $(uname -r)`)
 
-4. Rebuild initrd **in hostonly mode**:
+4. Reboot the system.
 
-    ~~~
-    dracut -H -f
-    ~~~
-
-5. Reboot the system.
-
-6. To verify if discards are enabled you may use `dmsetup table` (confirm the line for your device mentions "discards") or just run `fstrim -av` (you should see a `/` followed by the number of bytes trimmed).
+5. To verify if discards are enabled you may use `dmsetup table` (confirm the line for your device mentions "discards") or just run `fstrim -av` (you should see a `/` followed by the number of bytes trimmed).
 
 

From 9aba488014c4d0e36fb38e0fcf15089915a621eb Mon Sep 17 00:00:00 2001
From: pierwill <19642016+pierwill@users.noreply.github.com>
Date: Sat, 17 Feb 2018 00:18:33 -0600
Subject: [PATCH 086/103] Remove paragraph on KDE desktop switcher

---
 basics_user/getting-started.md | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/basics_user/getting-started.md b/basics_user/getting-started.md
index 691e8ebd..31d345ea 100644
--- a/basics_user/getting-started.md
+++ b/basics_user/getting-started.md
@@ -134,10 +134,6 @@ Otherwise, a compromised qube which is able to occupy the entire screen could tr
 Since a compromised qube can draw pixels within its own windows however it likes, it could draw a fake password prompt, for example, which appears to have a different colored border so that it looks like it belongs to a different qube. 
 This is why you should always drag such prompts away from other windows (or use some other means of manipulating the windows) to ensure that they belong to the qube to which they appear to belong.
 
-However, if the user makes use of an "expose-like" desktop switcher, such as the "Desktop Grid" effect that is enabled by default under KDE (default activation command: Ctrl-F8), then we can safely allow qubes to enter full screen mode, as we have assurance that we can always "preempt" them by hitting the magic key combination (e.g., Ctrl-F8), which will be consumed by the trusted window manager and not passed down to the fullscreen qube. 
-This means that the qube has no way of effectively "faking" the fullscreen view of the system, as the user can easily identify it as "just another qube." 
-Theoretically, this could be achieved even with primitive Alt-Tab like switching, which should be available on simpler Window Managers (such as Xfce4, which we also support as an alternative dom0 Desktop Environment), but this might be less obvious to the user.
-
 To allow a qube to enter full screen mode, one should edit the `/etc/qubes/guid.conf` file in dom0.
 
 To allow all qubes to enter full screen mode, set `allow_fullscreen` flag to `true` in the `global` section:

From ef7340858b33e94c610d1bed59ea155609451939 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Sat, 17 Feb 2018 01:19:19 -0600
Subject: [PATCH 087/103] Use relative paths (#588)

---
 doc.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc.md b/doc.md
index 8cbf8fff..3c76ce29 100644
--- a/doc.md
+++ b/doc.md
@@ -233,8 +233,8 @@ System
  * [Security-critical elements of Qubes OS](/doc/security-critical-code/)
  * [Qubes Core Admin](https://dev.qubes-os.org/projects/core-admin/en/latest/)
  * [Qubes Core Admin Client](https://dev.qubes-os.org/projects/core-admin-client/en/latest/)
- * [Qubes Admin API](https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/)
- * [Qubes Core Stack](https://www.qubes-os.org/news/2017/10/03/core3/)
+ * [Qubes Admin API](/news/2017/06/27/qubes-admin-api/)
+ * [Qubes Core Stack](/news/2017/10/03/core3/)
  * [Qrexec: command execution in VMs](/doc/qrexec3/)
  * [Qubes GUI virtualization protocol](/doc/gui/)
  * [Networking in Qubes](/doc/networking/)

From dfc541418e6a5f408b63b96f8859f315c59f3476 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Sat, 17 Feb 2018 18:12:39 +0000
Subject: [PATCH 088/103] add -H option

appears to be needed for non-default keyboard layouts and LUKS
---
 configuration/disk-trim.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configuration/disk-trim.md b/configuration/disk-trim.md
index 40948c4f..bf54f15b 100644
--- a/configuration/disk-trim.md
+++ b/configuration/disk-trim.md
@@ -87,7 +87,7 @@ To enable TRIM support in dom0 with LUKS you need to:
       Rebuild grub config (`grub2-mkconfig -o /boot/grub2/grub.cfg`), then  
       Rebuild initrd **in hostonly mode** (`dracut -H -f`)
     * EFI: `/boot/efi/EFI/qubes/xen.cfg`, `kernel=` line(s), then  
-      Rebuild initrd (`dracut -f /boot/efi/EFI/qubes/initramfs-$(uname -r).img $(uname -r)`)
+      Rebuild initrd **in hostonly mode** (`dracut -H -f /boot/efi/EFI/qubes/initramfs-$(uname -r).img $(uname -r)`)
 
 4. Reboot the system.
 

From 10c32d670ad15d941b6a0c7dd349eb81fe1d314e Mon Sep 17 00:00:00 2001
From: Michael Carbone <github@riseup.net>
Date: Mon, 19 Feb 2018 05:40:37 -0500
Subject: [PATCH 089/103] fixed typo

---
 managing-os/pentesting/ptf.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/managing-os/pentesting/ptf.md b/managing-os/pentesting/ptf.md
index 7c85b169..badc085b 100644
--- a/managing-os/pentesting/ptf.md
+++ b/managing-os/pentesting/ptf.md
@@ -6,7 +6,7 @@ redirect_from:
 - /doc/ptf/
 ---
 
-**General Remainder:**
+**General reminder:**
 
 - The installation scripts and provided tools may have bugs, be vulnerable to Man in the Middle (MitM) attacks or other vulnerabilities.
 

From 13488688506e35767ffadc0be237451d9aeaa637 Mon Sep 17 00:00:00 2001
From: Michael Carbone <github@riseup.net>
Date: Mon, 19 Feb 2018 05:40:39 -0500
Subject: [PATCH 090/103] fix typo

---
 managing-os/pentesting/blackarch.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/managing-os/pentesting/blackarch.md b/managing-os/pentesting/blackarch.md
index ff3396dd..03fac390 100644
--- a/managing-os/pentesting/blackarch.md
+++ b/managing-os/pentesting/blackarch.md
@@ -6,7 +6,7 @@ redirect_from:
 - /doc/blackarch/
 ---
 
-**General Remainder:**
+**General reminder:**
 
 - The installation scripts and provided tools may have bugs, be vulnerable to Man in the Middle (MitM) attacks or other vulnerabilities.
 

From 5e720c2bfe13eb1fc4e4272ad475f633a843008e Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Mon, 19 Feb 2018 21:35:03 -0600
Subject: [PATCH 091/103] Add QSB 38

---
 security-info/security-bulletins.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security-info/security-bulletins.md b/security-info/security-bulletins.md
index dd4905a1..148620ce 100644
--- a/security-info/security-bulletins.md
+++ b/security-info/security-bulletins.md
@@ -88,4 +88,5 @@ Qubes Security Bulletins are published through the [Qubes Security Pack](/securi
 ----
 
 -   [Qubes Security Bulletin \#37](https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-037-2018.txt) (Information leaks due to processor speculative execution bugs)
+-   [Qubes Security Bulletin \#38](https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-038-2018.txt) (Qrexec policy bypass and possible information leak)
 

From e3dd623fb6036dd4a6e101cdf0325e27dd4270fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Mon, 29 Jan 2018 15:21:34 +0100
Subject: [PATCH 092/103] Update DispVM customization guide for Qubes 4.0

---
 customization/dispvm-customization.md | 66 ++++++++++++++++++++++++---
 1 file changed, 59 insertions(+), 7 deletions(-)

diff --git a/customization/dispvm-customization.md b/customization/dispvm-customization.md
index 8d4f8fed..a5435711 100644
--- a/customization/dispvm-customization.md
+++ b/customization/dispvm-customization.md
@@ -10,10 +10,64 @@ redirect_from:
 ---
 
 Disposable VM Customization
-====================
+============================
 
-Changing the DVM Template
--------------------------
+Qubes 4.0
+----------
+
+Disposable VM in Qubes 4.0 can be based on any template-based AppVM. You can also choose to use different AppVMs for different Disposable VMs. To prepare AppVM to be a base for Disposable VM, you need to set `template_for_dispvms` property, for example:
+
+    [user@dom0 ~]$ qvm-prefs fedora-26-dvm template_for_dispvms True
+
+Additionally, if you want to have menu entries for starting applications in Disposable VM based on this AppVM (instead of in the AppVM itself), you can achieve it with `appmenus-dispvm` feature:
+
+    [user@dom0 ~]$ qvm-features fedora-26-dvm appmenus-dispvm 1
+
+### Creating new Disposable VM base AppVM ###
+
+You may want to use multiple AppVMs for different Disposable VMs. To create new one, lets say `custom-dvm`, based on `debian-9` template, use following commands:
+
+    [user@dom0 ~]$ qvm-create --template debian-9 --label red custom-dvm
+    [user@dom0 ~]$ qvm-prefs custom-dvm template_for_dispvms True
+    [user@dom0 ~]$ qvm-features custom-dvm appmenus-dispvm 1
+
+Additionally you may want to set it as default Disposable VM base:
+
+    [user@dom0 ~]$ qubes-prefs default_dispvm custom-dvm
+
+The above default is used whenever a qube request starting a new Disposable VM and do not specify which one (for example `qvm-open-in-dvm` tool). This can be also set in qube settings and will affect service calls from that qube. See [qrexec documentation](/doc/qrexec3/#extra-keywords-available-in-qubes-40-and-later) for details.
+
+If you wish to use the `fedora-minimal` template as a DVM Template, see the "DVM Template" use case under [fedora-minimal customization](/doc/templates/fedora-minimal/#customization).
+
+
+### Customization of Disposable VM ###
+
+It is possible to change the settings for each new Disposable VM (DispVM). This can be done by customizing the base AppVM:
+
+1.  Start a terminal in the `fedora-26-dvm` qube (or another base for DispVM) by running the following command in a dom0 terminal. (If a qube have `appmenus-dispvm` feature set, there is no menu entry to start applications directly in it, instead of Disposable VM based on it).
+
+        [user@dom0 ~]$ qvm-run -a fedora-26-dvm gnome-terminal
+
+2.  Change the qube's settings and/or applications, as desired. Some examples of changes you may want to make include:
+    -   Changing Firefox's default startup settings and homepage.
+    -   Changing Nautilus' default file preview settings.
+    -   Changing the DispVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DispVM, you can choose your desired ProxyVM manually (by changing the newly-started DipsVMs settings). This is useful if you sometimes wish to use a DispVM with a TorVM, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DispVM.
+
+4.  Shutdown the qube (either by `poweroff` from qube's terminal, or `qvm-shutdown` from dom0 terminal).
+        
+
+### Adding programs to Disposable VM Application Menu ###
+
+For added convenience, arbitrary programs can be added to the Application Menu of the Disposable VM. 
+
+In order to do that, select "Qube settings" entry in selected base AppVM, go to "Applications" tab and select desired applications as for any other qube.
+
+Note that currently only applications whose main process keeps running until you close the application (i.e. do not start a background process instead) will work. One of known examples of incompatible applications is GNOME Terminal (shown on the list as "Terminal"). Choose different terminal emulator (like XTerm) instead.
+
+Qubes 3.2
+----------
+
+### Changing the DVM Template ###
 
 You may want to use a non-default template the [DVM Template](/doc/glossary/#dvm-template). One example is to use a less-trusted template with some less trusted, third-party, often unsigned, applications installed, such as e.g. third-party printer drivers.
 
@@ -37,8 +91,7 @@ One can easily verify if the new Disposable VM template is indeed based on a cus
 If you wish to use the `fedora-minimal` template as a DVM Template, see the "DVM Template" use case under [fedora-minimal customization](/doc/templates/fedora-minimal/#customization).
 
 
-Customization of Disposable VM
-------------------------------
+### Customization of Disposable VM ###
 
 It is possible to change the settings of each new Disposable VM (DispVM). This can be done by customizing the DispVM template:
 
@@ -70,8 +123,7 @@ It is possible to change the settings of each new Disposable VM (DispVM). This c
 **Note:** All of the above requires at least qubes-core-vm \>= 2.1.2 installed in template.
 
 
-Adding arbitrary programs to Disposable VM Application Menu
------------------------------------------------------------
+### Adding arbitrary programs to Disposable VM Application Menu ###
 
 For added convenience, arbitrary programs can be added to the Application Menu of the Disposable VM. In order to do that create (e.g.) `arbitrary.desktop` file in `/usr/local/share/applications` in Dom0. That file will point to the desired program. Use the following template for the file:
 

From df53a71084c0a4ab3011a46c7846ab1f2814f312 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Mon, 5 Feb 2018 02:29:59 +0100
Subject: [PATCH 093/103] DispVM customization: clarifications

Changes suggested by @andrewdavidwong
---
 customization/dispvm-customization.md | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/customization/dispvm-customization.md b/customization/dispvm-customization.md
index a5435711..1f2f0cca 100644
--- a/customization/dispvm-customization.md
+++ b/customization/dispvm-customization.md
@@ -15,7 +15,7 @@ Disposable VM Customization
 Qubes 4.0
 ----------
 
-Disposable VM in Qubes 4.0 can be based on any template-based AppVM. You can also choose to use different AppVMs for different Disposable VMs. To prepare AppVM to be a base for Disposable VM, you need to set `template_for_dispvms` property, for example:
+Disposable VM in Qubes 4.0 can be based on any TemplateBasedVM. You can also choose to use different AppVMs for different Disposable VMs. To prepare AppVM to be a base for Disposable VM, you need to set `template_for_dispvms` property, for example:
 
     [user@dom0 ~]$ qvm-prefs fedora-26-dvm template_for_dispvms True
 
@@ -25,13 +25,14 @@ Additionally, if you want to have menu entries for starting applications in Disp
 
 ### Creating new Disposable VM base AppVM ###
 
-You may want to use multiple AppVMs for different Disposable VMs. To create new one, lets say `custom-dvm`, based on `debian-9` template, use following commands:
+In Qubes 4.0, you're no longer restricted to a single DVM Template. Instead, you can create as many as you want. Whenever you start a new Disposable VM, you can choose to base it on whichever DVM Template you like.
+To create new DVM Template, lets say `custom-dvm`, based on `debian-9` template, use following commands:
 
     [user@dom0 ~]$ qvm-create --template debian-9 --label red custom-dvm
     [user@dom0 ~]$ qvm-prefs custom-dvm template_for_dispvms True
     [user@dom0 ~]$ qvm-features custom-dvm appmenus-dispvm 1
 
-Additionally you may want to set it as default Disposable VM base:
+Additionally you may want to set it as default DVM Template:
 
     [user@dom0 ~]$ qubes-prefs default_dispvm custom-dvm
 
@@ -51,7 +52,7 @@ It is possible to change the settings for each new Disposable VM (DispVM). This
 2.  Change the qube's settings and/or applications, as desired. Some examples of changes you may want to make include:
     -   Changing Firefox's default startup settings and homepage.
     -   Changing Nautilus' default file preview settings.
-    -   Changing the DispVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DispVM, you can choose your desired ProxyVM manually (by changing the newly-started DipsVMs settings). This is useful if you sometimes wish to use a DispVM with a TorVM, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DispVM.
+    -   Changing the DispVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DispVM, you can choose your desired ProxyVM manually (by changing the newly-started DipsVMs settings). This is useful if you sometimes wish to use a DispVM with a Whonix Gateway, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DispVM.
 
 4.  Shutdown the qube (either by `poweroff` from qube's terminal, or `qvm-shutdown` from dom0 terminal).
         
@@ -103,7 +104,7 @@ It is possible to change the settings of each new Disposable VM (DispVM). This c
 2.  Change the VM's settings and/or applications, as desired. Note that currently Qubes supports exactly one DispVM template, so any changes you make here will affect all DispVMs. Some examples of changes you may want to make include:
     -   Changing Firefox's default startup settings and homepage.
     -   Changing Nautilus' default file preview settings.
-    -   Changing the DispVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DispVM, you can choose your desired ProxyVM manually (by changing the newly-started DispVM's settings). This is useful if you sometimes wish to use a DispVM with a TorVM, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DispVM.
+    -   Changing the DispVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DispVM, you can choose your desired ProxyVM manually (by changing the newly-started DipsVM's settings). This is useful if you sometimes wish to use a DispVM with a Whonix Gateway, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DispVM.
 
 3.  Create an empty `/home/user/.qubes-dispvm-customized` file in the VM (not in dom0):
 

From f5a9711eadda60f83c34eba7a859552b7020d79d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Tue, 20 Feb 2018 21:16:53 +0100
Subject: [PATCH 094/103] DispVM customization: more clarifications

---
 customization/dispvm-customization.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/customization/dispvm-customization.md b/customization/dispvm-customization.md
index 1f2f0cca..a6c3f220 100644
--- a/customization/dispvm-customization.md
+++ b/customization/dispvm-customization.md
@@ -15,7 +15,7 @@ Disposable VM Customization
 Qubes 4.0
 ----------
 
-Disposable VM in Qubes 4.0 can be based on any TemplateBasedVM. You can also choose to use different AppVMs for different Disposable VMs. To prepare AppVM to be a base for Disposable VM, you need to set `template_for_dispvms` property, for example:
+Disposable VM (DispVM) in Qubes 4.0 can be based on any TemplateBasedVM. You can also choose to use different AppVMs for different Disposable VMs. To prepare AppVM to be a base for Disposable VM, you need to set `template_for_dispvms` property, for example:
 
     [user@dom0 ~]$ qvm-prefs fedora-26-dvm template_for_dispvms True
 
@@ -45,17 +45,17 @@ If you wish to use the `fedora-minimal` template as a DVM Template, see the "DVM
 
 It is possible to change the settings for each new Disposable VM (DispVM). This can be done by customizing the base AppVM:
 
-1.  Start a terminal in the `fedora-26-dvm` qube (or another base for DispVM) by running the following command in a dom0 terminal. (If a qube have `appmenus-dispvm` feature set, there is no menu entry to start applications directly in it, instead of Disposable VM based on it).
+1.  Start a terminal in the `fedora-26-dvm` qube (or another base for DispVM) by running the following command in a dom0 terminal. (If you enable `appmenus-dispvm` feature (as explained at the top), applications menu for this VM (`fedora-26-dvm`) will be "Disposable: fedora-26-dvm" (instead of "Domain: fedora-26-dvm") and entries there will start new DispVM based on that VM (`fedora-26-dvm`). Not in that VM (`fedora-26-dvm`) itself).
 
         [user@dom0 ~]$ qvm-run -a fedora-26-dvm gnome-terminal
 
 2.  Change the qube's settings and/or applications, as desired. Some examples of changes you may want to make include:
     -   Changing Firefox's default startup settings and homepage.
-    -   Changing Nautilus' default file preview settings.
+    -   Changing default editor, image viewer.
     -   Changing the DispVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DispVM, you can choose your desired ProxyVM manually (by changing the newly-started DipsVMs settings). This is useful if you sometimes wish to use a DispVM with a Whonix Gateway, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DispVM.
 
 4.  Shutdown the qube (either by `poweroff` from qube's terminal, or `qvm-shutdown` from dom0 terminal).
-        
+
 
 ### Adding programs to Disposable VM Application Menu ###
 

From 1ddfd58a6d402a62c53ed1bc25b58ea41330f0b4 Mon Sep 17 00:00:00 2001
From: Andrew David Wong <adw@andrewdavidwong.com>
Date: Tue, 20 Feb 2018 23:42:38 -0600
Subject: [PATCH 095/103] Fix typos

---
 customization/dispvm-customization.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/customization/dispvm-customization.md b/customization/dispvm-customization.md
index a6c3f220..ee944ea7 100644
--- a/customization/dispvm-customization.md
+++ b/customization/dispvm-customization.md
@@ -52,7 +52,7 @@ It is possible to change the settings for each new Disposable VM (DispVM). This
 2.  Change the qube's settings and/or applications, as desired. Some examples of changes you may want to make include:
     -   Changing Firefox's default startup settings and homepage.
     -   Changing default editor, image viewer.
-    -   Changing the DispVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DispVM, you can choose your desired ProxyVM manually (by changing the newly-started DipsVMs settings). This is useful if you sometimes wish to use a DispVM with a Whonix Gateway, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DispVM.
+    -   Changing the DispVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DispVM, you can choose your desired ProxyVM manually (by changing the newly-started DispVMs settings). This is useful if you sometimes wish to use a DispVM with a Whonix Gateway, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DispVM.
 
 4.  Shutdown the qube (either by `poweroff` from qube's terminal, or `qvm-shutdown` from dom0 terminal).
 
@@ -104,7 +104,7 @@ It is possible to change the settings of each new Disposable VM (DispVM). This c
 2.  Change the VM's settings and/or applications, as desired. Note that currently Qubes supports exactly one DispVM template, so any changes you make here will affect all DispVMs. Some examples of changes you may want to make include:
     -   Changing Firefox's default startup settings and homepage.
     -   Changing Nautilus' default file preview settings.
-    -   Changing the DispVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DispVM, you can choose your desired ProxyVM manually (by changing the newly-started DipsVM's settings). This is useful if you sometimes wish to use a DispVM with a Whonix Gateway, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DispVM.
+    -   Changing the DispVM's default NetVM. For example, you may wish to set the NetVM to "none." Then, whenever you start a new DispVM, you can choose your desired ProxyVM manually (by changing the newly-started DispVM's settings). This is useful if you sometimes wish to use a DispVM with a Whonix Gateway, for example. It is also useful if you sometimes wish to open untrusted files in a network-disconnected DispVM.
 
 3.  Create an empty `/home/user/.qubes-dispvm-customized` file in the VM (not in dom0):
 

From 3790d53e811edb8f999c979486444843cf7b4dee Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 21 Feb 2018 07:05:33 +0000
Subject: [PATCH 096/103] remove outdated desc. of proxy filtering

---
 common-tasks/software-update-vm.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/common-tasks/software-update-vm.md b/common-tasks/software-update-vm.md
index 9e2d1570..ced2c0c6 100644
--- a/common-tasks/software-update-vm.md
+++ b/common-tasks/software-update-vm.md
@@ -183,12 +183,11 @@ Some third-party applications cannot be installed using the standard yum reposit
 Updates proxy
 -------------
 
-There are two services ([qvm-service](https://www.qubes-os.org/doc/dom0-tools/qvm-service/), [service framework](https://www.qubes-os.org/doc/qubes-service/)):
-
-Updates proxy is a service which filters http access to allow access to only something that looks like a yum or apt repository. This is meant to mitigate user errors (like using browser in the template VM), rather than some real isolation. It is done with http proxy (tinyproxy) instead of simple firewall rules because it is hard to list all the repository mirrors (and keep that list up to date). The proxy is used only to filter the traffic, not to cache anything.
+Updates proxy is a service which allows access only from package managers. This is meant to mitigate user errors (like using browser in the template VM), rather than some real isolation. It is done with http proxy (tinyproxy) instead of simple firewall rules because it is hard to list all the repository mirrors (and keep that list up to date). The proxy is used only to filter the traffic, not to cache anything.
 
 The proxy is running in selected VMs (by default all the NetVMs (1)) and intercepts traffic directed to 10.137.255.254:8082. Thanks to such configuration all the VMs can use the same proxy address, and if there is a proxy on network path, it will handle the traffic (of course when firewall rules allow that). If the VM is configured to have access to the updates proxy (2), the startup scripts will automatically configure dnf to really use the proxy (3). Also access to updates proxy is independent of any other firewall settings (VM will have access to updates proxy, even if policy is set to block all the traffic).
 
+There are two services ([qvm-service](https://www.qubes-os.org/doc/dom0-tools/qvm-service/), [service framework](https://www.qubes-os.org/doc/qubes-service/)):
 
 1. qubes-updates-proxy (and its deprecated name: qubes-yum-proxy) - a service providing a proxy for templates - by default enabled in NetVMs (especially: sys-net)
 2. updates-proxy-setup (and its deprecated name: yum-proxy-setup) - use a proxy provided by another VM (instead of downloading updates directly), enabled by default in all templates

From bf9633321d29b22c6eec79021235528c051def80 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 21 Feb 2018 07:19:18 +0000
Subject: [PATCH 097/103] line breaks, update another reference to repos

---
 common-tasks/software-update-vm.md | 188 +++++++++++++++++------------
 1 file changed, 113 insertions(+), 75 deletions(-)

diff --git a/common-tasks/software-update-vm.md b/common-tasks/software-update-vm.md
index ced2c0c6..06f49226 100644
--- a/common-tasks/software-update-vm.md
+++ b/common-tasks/software-update-vm.md
@@ -14,15 +14,20 @@ Installing and updating software in VMs
 How TemplateVMs work in Qubes
 ------------------------------
 
-Most of the AppVMs (domains) are based on a *TemplateVM*, which means that their root filesystem (i.e. all the programs and system files) is based on the root filesystem of the corresponding template VM. This dramatically saves disk space, because each new AppVM needs disk space only for storing the user's files (i.e. the home directory). Of course the AppVM has only read-access to the template's filesystem -- it cannot modify it in any way.
+Most of the AppVMs (domains) are based on a *TemplateVM*, which means that their root filesystem (i.e. all the programs and system files) is based on the root filesystem of the corresponding template VM.
+This dramatically saves disk space, because each new AppVM needs disk space only for storing the user's files (i.e. the home directory).
+Of course the AppVM has only read-access to the template's filesystem -- it cannot modify it in any way.
 
-In addition to saving on the disk space, and reducing domain creation time, another advantage of such scheme is the possibility for centralized software update. It's just enough to do the update in the template VM, and then all the AppVMs based on this template get updates automatically after they are restarted.
+In addition to saving on the disk space, and reducing domain creation time, another advantage of such scheme is the possibility for centralized software update.
+It's just enough to do the update in the template VM, and then all the AppVMs based on this template get updates automatically after they are restarted.
 
 The default template is called **fedora-23** in Qubes R3.2 and **fedora-26** in Qubes R4.0.
 
-The side effect of this mechanism is, of course, that if you install any software in your AppVM, more specifically in any directory other than `/home`, `/usr/local`, or `/rw` then it will disappear after the AppVM reboots (as the root filesystem for this AppVM will again be "taken" from the TemplateVM). **This means one normally installs software in the TemplateVM, not in AppVMs.**
+The side effect of this mechanism is, of course, that if you install any software in your AppVM, more specifically in any directory other than `/home`, `/usr/local`, or `/rw` then it will disappear after the AppVM reboots (as the root filesystem for this AppVM will again be "taken" from the TemplateVM).
+**This means one normally installs software in the TemplateVM, not in AppVMs.**
 
-Unlike VM private filesystems, under R3.x the template VM root filesystem does not support discard by default, so deleting files does not free the space in dom0. See [these instructions](/doc/template/fedora/upgrade-23-to-24/#compacting-the-upgraded-template) to recover space in dom0.
+Unlike VM private filesystems, under R3.x the template VM root filesystem does not support discard by default, so deleting files does not free the space in dom0.
+See [these instructions](/doc/template/fedora/upgrade-23-to-24/#compacting-the-upgraded-template) to recover space in dom0.
 
 In R4.0 and higher, the template root filesystem is created in a thin pool so manual trims are no longer needed.
 
@@ -35,9 +40,13 @@ In order to permanently install new software, you should:
 
 -   Start the template VM and then start either console (e.g. `gnome-terminal`) or dedicated software management application, such as `gpk-application` (*Start-\>Applications-\>Template: fedora-XX-\>Add/Remove software*),
 
--   Install/update software as usual (e.g. using dnf, or the dedicated GUI application). Then, shutdown the template VM,
+-   Install/update software as usual (e.g. using dnf, or the dedicated GUI application).
+    Then, shutdown the template VM.
 
--   You will see now that all the AppVMs based on this template (by default all your VMs) will be marked as "outdated" in the manager. This is because their filesystems have not been yet updated -- in order to do that, you must restart each VM. You don't need to restart all of them at the same time -- e.g. if you just need the newly installed software to be available in your 'personal' domain, then restart only this VM. You can restart others whenever this will be convenient to you.
+-   You will see now that all the AppVMs based on this template (by default all your VMs) will be marked as "outdated" in the manager.
+    This is because their filesystems have not been yet updated -- in order to do that, you must restart each VM.
+    You don't need to restart all of them at the same time -- e.g. if you just need the newly installed software to be available in your 'personal' domain, then restart only this VM.
+    You can restart others whenever this will be convenient to you.
 
 Testing repositories
 --------------------
@@ -46,15 +55,12 @@ Testing repositories
 
 There are three Qubes VM testing repositories (where `*` denotes the Release):
 
-* `qubes-vm-*-current-testing` -- testing packages that will eventually land in the stable
-  (`current`) repository
-* `qubes-vm-*-security-testing` -- a subset of `qubes-vm-*-current-testing` that contains packages
-  that qualify as security fixes
-* `qubes-vm-*-unstable` -- packages that are not intended to land in the stable (`qubes-vm-*-current`)
-  repository; mostly experimental debugging packages
+* `qubes-vm-*-current-testing` -- testing packages that will eventually land in the stable (`current`) repository
+* `qubes-vm-*-security-testing` -- a subset of `qubes-vm-*-current-testing` that contains packages that qualify as security fixes
+* `qubes-vm-*-unstable` -- packages that are not intended to land in the stable (`qubes-vm-*-current`) repository; mostly experimental debugging packages
 
-To temporarily enable any of these repos, use the `--enablerepo=<repo-name>`
-option. Example commands:
+To temporarily enable any of these repos, use the `--enablerepo=<repo-name>` option.
+Example commands:
 
 ~~~
 sudo dnf upgrade --enablerepo=qubes-vm-*-current-testing
@@ -62,51 +68,42 @@ sudo dnf upgrade --enablerepo=qubes-vm-*-security-testing
 sudo dnf upgrade --enablerepo=qubes-vm-*-unstable
 ~~~
 
-To enable or disable any of these repos permanently, change the corresponding boolean in
-`/etc/yum.repos.d/qubes-*.repo`.
+To enable or disable any of these repos permanently, change the corresponding boolean in `/etc/yum.repos.d/qubes-*.repo`.
 
 ### Debian ###
 
 Debian also has three Qubes VM testing repositories (where `*` denotes the Release):
 
-* `*-testing` -- testing packages that will eventually land in the stable
-  (`current`) repository
-* `*-securitytesting` -- a subset of `*-testing` that contains packages
-  that qualify as security fixes
-* `*-unstable` -- packages that are not intended to land in the stable
-  repository; mostly experimental debugging packages
+* `*-testing` -- testing packages that will eventually land in the stable (`current`) repository
+* `*-securitytesting` -- a subset of `*-testing` that contains packages that qualify as security fixes
+* `*-unstable` -- packages that are not intended to land in the stable repository; mostly experimental debugging packages
 
-To enable or disable any of these repos permanently, uncomment the corresponding `deb` line in
-`/etc/apt/sources.list.d/qubes-r*.list`
+To enable or disable any of these repos permanently, uncomment the corresponding `deb` line in `/etc/apt/sources.list.d/qubes-r*.list`
 
 Reverting changes to a TemplateVM (R4.0)
 ---------------------------------
 
-Qubes 4.0 uses a CoW system that permits snapshotting. Reversion functionality is still being developed at the
-time of writing. See [issue #3256](https://github.com/QubesOS/qubes-issues/issues/3256) for details.
+Qubes 4.0 uses a CoW system that permits snapshotting.
+Reversion functionality is still being developed at the time of writing.
+See [issue #3256](https://github.com/QubesOS/qubes-issues/issues/3256) for details.
 
 Reverting changes to a TemplateVM (R3.2)
 ---------------------------------
 
 Perhaps you've just updated your TemplateVM, and the update broke your template.
-Or perhaps you've made a terrible mistake, like accidentally confirming the
-installation of an unsigned package that could be malicious. Fortunately,
-it's easy to revert changes to TemplateVMs using the
-`qvm-revert-template-changes` command.
+Or perhaps you've made a terrible mistake, like accidentally confirming the installation of an unsigned package that could be malicious.
+Fortunately, it's easy to revert changes to TemplateVMs using the `qvm-revert-template-changes` command.
 
-**Important:** This command will roll back any changes made *during the last
-time the TemplateVM was run, but **not** before.* This means that if you have
-already restarted the TemplateVM, using this command is unlikely to help, and
-you'll likely want to reinstall it from the repository instead. On the other
-hand, if the template is already broken or compromised, it won't hurt to try
-reverting first. Just make sure to **back up** all of your data and changes
-first!
+**Important:** This command will roll back any changes made *during the last time the TemplateVM was run, but **not** before.*
+This means that if you have already restarted the TemplateVM, using this command is unlikely to help, and you'll likely want to reinstall it from the repository instead.
+On the other hand, if the template is already broken or compromised, it won't hurt to try reverting first.
+Just make sure to **back up** all of your data and changes first!
 
 For example, to revert changes to the `fedora-23` TemplateVM:
 
 1. Shut down all VMs based on `fedora-23`.
-2. Shut down `fedora-23`. If you've already just shut it down, do **not** start
-   it again (see above).
+2. Shut down `fedora-23`.
+   If you've already just shut it down, do **not** start it again (see above).
 3. In a dom0 terminal, type:
 
         qvm-revert-template-changes fedora-23
@@ -115,17 +112,19 @@ For example, to revert changes to the `fedora-23` TemplateVM:
 
         qvm-revert-template-changes --force fedora-23
 
-For the technical details about how this command works and the steps it
-performs, see [here](/doc/template-implementation/#rollback-template-changes).
+For the technical details about how this command works and the steps it performs, see [here](/doc/template-implementation/#rollback-template-changes).
 
 Notes on trusting your TemplateVM(s)
 -------------------------------------
 
-As the TemplateVM is used for creating filesystems for other AppVMs, where you actually do the work, it means that the TemplateVM is as trusted as the most trusted AppVM based on this template. In other words, if your template VM gets compromised, e.g. because you installed an application, whose *installer's scripts* were malicious, then *all* your AppVMs (based on this template) will inherit this compromise.
+As the TemplateVM is used for creating filesystems for other AppVMs where you actually do the work, it means that the TemplateVM is as trusted as the most trusted AppVM based on this template.
+In other words, if your template VM gets compromised, e.g. because you installed an application, whose *installer's scripts* were malicious, then *all* your AppVMs (based on this template) will inherit this compromise.
 
 There are several ways to deal with this problem:
 
--   Only install packages from trusted sources -- e.g. from the pre-configured Fedora repositories. All those packages are signed by Fedora, and we expect that at least the package's installation scripts are not malicious. This is enforced by default (at the [firewall VM level](/doc/firewall/)), by not allowing any networking connectivity in the default template VM, except for access to the Fedora repos.
+-   Only install packages from trusted sources -- e.g. from the pre-configured Fedora repositories.
+    All those packages are signed by Fedora, and we expect that at least the package's installation scripts are not malicious.
+    This is enforced by default (at the [firewall VM level](/doc/firewall/)), by not allowing any networking connectivity in the default template VM, except for access to the Fedora repos.
 
 -   Use *standalone VMs* (see below) for installation of untrusted software packages.
 
@@ -133,28 +132,43 @@ There are several ways to deal with this problem:
 
 Some popular questions:
 
--   So, why should we actually trust Fedora repos -- it also contains large amount of third-party software that might buggy, right?
+-   So, why should we actually trust Fedora repos -- it also contains large amount of third-party software that might be buggy, right?
 
-As far as the template's compromise is concerned, it doesn't really matter whether /usr/bin/firefox is buggy and can be exploited, or not. What matters is whether its *installation* scripts (such as %post in the rpm.spec) are benign or not. Template VM should be used only for installation of packages, and nothing more, so it should never get a chance to actually run the /usr/bin/firefox and get infected from it, in case it was compromised. Also, some of your more trusted AppVMs, would have networking restrictions enforced by the [firewall VM](/doc/firewall/), and again they should not fear this proverbial /usr/bin/firefox being potentially buggy and easy to compromise.
+As far as the template's compromise is concerned, it doesn't really matter whether `/usr/bin/firefox` is buggy and can be exploited, or not.
+What matters is whether its *installation* scripts (such as %post in the rpm.spec) are benign or not.
+Template VM should be used only for installation of packages, and nothing more, so it should never get a chance to actually run `/usr/bin/firefox` and get infected from it, in case it was compromised.
+Also, some of your more trusted AppVMs would have networking restrictions enforced by the [firewall VM](/doc/firewall/), and again they should not fear this proverbial `/usr/bin/firefox` being potentially buggy and easy to compromise.
 
 -   But why trust Fedora?
 
-Because we chose to use Fedora as a vendor for the Qubes OS foundation (e.g. for Dom0 packages and for AppVM packages). We also chose to trust several other vendors, such as Xen.org, kernel.org, and a few others whose software we use in Dom0. We had to trust *somebody* as we are unable to write all the software from scratch ourselves. But there is a big difference in trusting all Fedora packages to be non-malicious (in terms of installation scripts) vs. trusting all those packages are non-buggy and non-exploitable. We certainly do not assume the latter.
+Because we chose to use Fedora as a vendor for the Qubes OS foundation (e.g. for Dom0 packages and for AppVM packages).
+We also chose to trust several other vendors, such as Xen.org, kernel.org, and a few others whose software we use in Dom0.
+We had to trust *somebody* as we are unable to write all the software from scratch ourselves.
+But there is a big difference in trusting all Fedora packages to be non-malicious (in terms of installation scripts) vs. trusting all those packages are non-buggy and non-exploitable.
+We certainly do not assume the latter.
 
 -   So, are the template VMs as trusted as Dom0?
 
-Not quite. Dom0 compromise is absolutely fatal, and it leads to Game Over<sup>TM</sup>. However, a compromise of a template affects only a subset of all your AppVMs (in case you use more than one template, or also some standalone VMs). Also, if your AppVMs are network disconnected, even though their filesystems might get compromised due to the corresponding template compromise, it still would be difficult for the attacker to actually leak out the data stolen in an AppVM. Not impossible (due to existence of cover channels between VMs on x86 architecture), but difficult and slow.
+Not quite.
+Dom0 compromise is absolutely fatal, and it leads to Game Over<sup>TM</sup>.
+However, a compromise of a template affects only a subset of all your AppVMs (in case you use more than one template, or also some standalone VMs).
+Also, if your AppVMs are network disconnected, even though their filesystems might get compromised due to the corresponding template compromise, it still would be difficult for the attacker to actually leak out the data stolen in an AppVM.
+Not impossible (due to existence of cover channels between VMs on x86 architecture), but difficult and slow.
 
 Standalone VMs
 --------------
 
-Standalone VMs have their own copy of the whole filesystem, and thus can be updated and managed on their own. But this means that they take a few GBs on disk, and also that centralized updates do not apply to them.
+Standalone VMs have their own copy of the whole filesystem, and thus can be updated and managed on their own.
+But this means that they take a few GBs on disk, and also that centralized updates do not apply to them.
 
-Sometimes it might be convenient to have a VM that has its own filesystem, where you can directly introduce changes, without the need to start/stop the template VM. Such situations include e.g.:
+Sometimes it might be convenient to have a VM that has its own filesystem, where you can directly introduce changes, without the need to start/stop the template VM.
+Such situations include e.g.:
 
 -   VMs used for development (devel environments require a lot of \*-devel packages and specific devel tools)
 
--   VMs used for installing untrusted packages. Normally you install digitally signed software from Red Hat/Fedora repositories, and it's reasonable that such software has non malicious *installation* scripts (rpm pre/post scripts). However, when you would like to install some packages from less trusted sources, or unsigned, then using a dedicated (untrusted) standalone VM might be a better way.
+-   VMs used for installing untrusted packages.
+    Normally you install digitally signed software from Red Hat/Fedora repositories, and it's reasonable that such software has non malicious *installation* scripts (rpm pre/post scripts).
+    However, when you would like to install some packages from less trusted sources, or unsigned, then using a dedicated (untrusted) standalone VM might be a better way.
 
 In order to create a standalone VM you can use a command line like this (from console in Dom0):
 
@@ -167,9 +181,14 @@ qvm-create <vmname> --standalone --label <label>
 Using more than one template
 ----------------------------
 
-It's also possible to have more than one template VM in the system. E.g. one could clone the default template using the `qvm-clone` command in Dom0. This allows to have a customized template, e.g. with devel packages, or less trusted apps, shared by some subset of domains. It is important to note that the default template is "system managed" and therefore cannot be backed up using Qubes' built-in backup function. In order to ensure the preservation of your custom settings and the availability of a "known-good" backup template, you may wish to clone the default system template and use your clone as the default template for your AppVMs.
+It's also possible to have more than one template VM in the system.
+E.g. one could clone the default template using the `qvm-clone` command in Dom0.
+This allows to have a customized template, e.g. with devel packages, or less trusted apps, shared by some subset of domains.
+It is important to note that the default template is "system managed" and therefore cannot be backed up using Qubes' built-in backup function.
+In order to ensure the preservation of your custom settings and the availability of a "known-good" backup template, you may wish to clone the default system template and use your clone as the default template for your AppVMs.
 
-When you create a new domain you can choose which template this VM should be based on. If you use command line, you should use the `--template` switch:
+When you create a new domain you can choose which template this VM should be based on.
+If you use command line, you should use the `--template` switch:
 
 ~~~
 qvm-create <vmname> --template <templatename> --label <label>
@@ -178,28 +197,39 @@ qvm-create <vmname> --template <templatename> --label <label>
 Temporarily allowing networking for software installation
 ---------------------------------------------------------
 
-Some third-party applications cannot be installed using the standard yum repositories, and need to be manually downloaded and installed. When the installation requires internet connection to access third-party repositories, it will naturally fail when run in a Template VM because the default firewall rules for templates only allow connections to standard yum repositories. So it is necessary to modify firewall rules to allow less restrictive internet access for the time of the installation, if one really wants to install those applications into a template. As soon as software installation is completed, firewall rules should be returned back to the default state. The user should decide by themselves whether such third-party applications should be equally trusted as the ones that come from the standard Fedora signed repositories and whether their installation will not compromise the default Template VM, and potentially consider installing them into a separate template or a standalone VM (in which case the problem of limited networking access doesn't apply by default), as described above.
+Some third-party applications cannot be installed using the standard yum repositories, and need to be manually downloaded and installed.
+When the installation requires internet connection to access third-party repositories, it will naturally fail when run in a Template VM because the default firewall rules for templates only allow connections from package managers.
+So it is necessary to modify firewall rules to allow less restrictive internet access for the time of the installation, if one really wants to install those applications into a template.
+As soon as software installation is completed, firewall rules should be returned back to the default state.
+The user should decide by themselves whether such third-party applications should be equally trusted as the ones that come from the standard Fedora signed repositories and whether their installation will not compromise the default Template VM, and potentially consider installing them into a separate template or a standalone VM (in which case the problem of limited networking access doesn't apply by default), as described above.
 
 Updates proxy
 -------------
 
-Updates proxy is a service which allows access only from package managers. This is meant to mitigate user errors (like using browser in the template VM), rather than some real isolation. It is done with http proxy (tinyproxy) instead of simple firewall rules because it is hard to list all the repository mirrors (and keep that list up to date). The proxy is used only to filter the traffic, not to cache anything.
+Updates proxy is a service which allows access only from package managers.
+This is meant to mitigate user errors (like using browser in the template VM), rather than some real isolation.
+It is done with http proxy (tinyproxy) instead of simple firewall rules because it is hard to list all the repository mirrors (and keep that list up to date).
+The proxy is used only to filter the traffic, not to cache anything.
 
-The proxy is running in selected VMs (by default all the NetVMs (1)) and intercepts traffic directed to 10.137.255.254:8082. Thanks to such configuration all the VMs can use the same proxy address, and if there is a proxy on network path, it will handle the traffic (of course when firewall rules allow that). If the VM is configured to have access to the updates proxy (2), the startup scripts will automatically configure dnf to really use the proxy (3). Also access to updates proxy is independent of any other firewall settings (VM will have access to updates proxy, even if policy is set to block all the traffic).
+The proxy is running in selected VMs (by default all the NetVMs (1)) and intercepts traffic directed to 10.137.255.254:8082.
+Thanks to such configuration all the VMs can use the same proxy address, and if there is a proxy on network path, it will handle the traffic (of course when firewall rules allow that).
+If the VM is configured to have access to the updates proxy (2), the startup scripts will automatically configure dnf to really use the proxy (3).
+Also access to updates proxy is independent of any other firewall settings (VM will have access to updates proxy, even if policy is set to block all the traffic).
 
 There are two services ([qvm-service](https://www.qubes-os.org/doc/dom0-tools/qvm-service/), [service framework](https://www.qubes-os.org/doc/qubes-service/)):
 
 1. qubes-updates-proxy (and its deprecated name: qubes-yum-proxy) - a service providing a proxy for templates - by default enabled in NetVMs (especially: sys-net)
 2. updates-proxy-setup (and its deprecated name: yum-proxy-setup) - use a proxy provided by another VM (instead of downloading updates directly), enabled by default in all templates
 
-This is generally the same in R3.2 and R4.0 - in both cases both the old and new names work. And in both cases defaults listed above are applied if the service is not explicitly listed in services tab.
+This is generally the same in R3.2 and R4.0 - in both cases both the old and new names work.
+And in both cases defaults listed above are applied if the service is not explicitly listed in services tab.
 
 ### Technical details (R4.0)
 
-Instead of using a network connection like in R3.2, R4.0 uses RPC/qrexec. The proxy is configured in
-qrexec policy: `/etc/qubes-rpc/policy/qubes.UpdatesProxy`. By default this is set to
-sys-net and/or sys-whonix, depending on firstboot choices. This new design allows for templates to be
-updated even when they are not connected to any netvm.
+Instead of using a network connection like in R3.2, R4.0 uses RPC/qrexec.
+The proxy is configured in qrexec policy: `/etc/qubes-rpc/policy/qubes.UpdatesProxy`.
+By default this is set to sys-net and/or sys-whonix, depending on firstboot choices.
+This new design allows for templates to be updated even when they are not connected to any netvm.
 
 
 Example policy file in R4.0 (with whonix installed, but not set as default updatevm for all templates):
@@ -215,25 +245,24 @@ $anyvm $anyvm deny
 
 ### Technical details (R3.2)
 
-The proxy is running in selected VMs (by default all the NetVMs). Thanks to such configuration all VMs
-can use the same proxy address, and if there is a proxy on network path, it will handle the traffic
-(of course when firewall rules allow that). The first proxy on the network path according to the template's
-netvm setting will be used. If the VM is configured to have access to the updates proxy (1),
-the startup scripts will automatically configure dnf to use the proxy. Also access to updates proxy is
-independent of any other firewall settings (VM will have access to updates proxy, even if the policy is
-set to block all the traffic).
+The proxy is running in selected VMs (by default all the NetVMs).
+Thanks to such configuration all VMs can use the same proxy address, and if there is a proxy on network path, it will handle the traffic (of course when firewall rules allow that).
+The first proxy on the network path according to the template's netvm setting will be used.
+If the VM is configured to have access to the updates proxy (1), the startup scripts will automatically configure dnf to use the proxy.
+Also access to updates proxy is independent of any other firewall settings (VM will have access to updates proxy, even if the policy is set to block all the traffic).
 
 (1) Firewall tab -\> Allow connections to Updates Proxy; this setting works immediately (once OK is clicked)
 
-1.  Updates proxy: It is running as "qubes-updates-proxy" service. Startup script of this service sets up
-a firewall rule to intercept traffic directed to 10.137.255.254:8082:
+1.  Updates proxy: It is running as "qubes-updates-proxy" service.
+    Startup script of this service sets up a firewall rule to intercept traffic directed to 10.137.255.254:8082:
 
     ~~~
     iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
     ~~~
 
 2.  VMs using the proxy service Startup script (updates-proxy-setup or qubes-misc-post service) configure
-dnf using `/etc/yum.conf.d/qubes-proxy.conf` file. It can either contain
+dnf using `/etc/yum.conf.d/qubes-proxy.conf` file.
+    It can either contain
 
     ~~~
     proxy=http://10.137.255.254:8082/
@@ -244,18 +273,27 @@ dnf using `/etc/yum.conf.d/qubes-proxy.conf` file. It can either contain
 Note on treating AppVM's root filesystem non-persistence as a security feature
 ------------------------------------------------------------------------------
 
-As explained above, any AppVM that is based on a Template VM (i.e. which is not a Standalone VM) has its root filesystem non-persistent across the VM reboots. In other words whatever changes the VM makes (or the malware running in this AppVM makes) to its root filesystem, are automatically discarded whenever one restarts the AppVM. This might seem like an excellent anti-malware mechanism to be used inside the AppVM...
+As explained above, any AppVM that is based on a Template VM (i.e. which is not a Standalone VM) has its root filesystem non-persistent across the VM reboots.
+In other words whatever changes the VM makes (or the malware running in this AppVM makes) to its root filesystem, are automatically discarded whenever one restarts the AppVM.
+This might seem like an excellent anti-malware mechanism to be used inside the AppVM...
 
-However, one should be careful with treating this property as a reliable way to keep the AppVM malware-free. This is because the non-persistence, in the case of normal AppVMs, applies only to the root filesystem and not to the user filesystem (on which the `/home`, `/rw`, and `/usr/local` are stored) for obvious reasons. It is possible that malware, especially malware that could be specifically written to target a Qubes-based AppVMs, could install its hooks inside the user home directory files only. Examples of obvious places for such hooks could be: `.bashrc`, the Firefox profile directory which contains the extensions, or some PDF or DOC documents that are expected to be opened by the user frequently (assuming the malware found an exploitable bug in the PDF or DOC reader), and surely many others places, all in the user's home directory.
+However, one should be careful with treating this property as a reliable way to keep the AppVM malware-free.
+This is because the non-persistence, in the case of normal AppVMs, applies only to the root filesystem and not to the user filesystem (on which the `/home`, `/rw`, and `/usr/local` are stored) for obvious reasons.
+It is possible that malware, especially malware that could be specifically written to target a Qubes-based AppVMs, could install its hooks inside the user home directory files only.
+Examples of obvious places for such hooks could be: `.bashrc`, the Firefox profile directory which contains the extensions, or some PDF or DOC documents that are expected to be opened by the user frequently (assuming the malware found an exploitable bug in the PDF or DOC reader), and surely many others places, all in the user's home directory.
 
-One advantage of the non-persistent rootfs though, is that the malware is still inactive before the user's filesystem gets mounted and "processed" by system/applications, which might theoretically allow for some scanning programs (or a skilled user) to reliably scan for signs of infections of the AppVM. But, of course, the problem of finding malware hooks in general is hard, so this would work likely only for some special cases (e.g. an AppVM which doesn't use Firefox, as otherwise it would be hard to scan the Firefox profile directory reliably to find malware hooks there). Also note that the user filesystem's metadata might got maliciously modified by malware in order to exploit a hypothetical bug in the AppVM kernel whenever it mounts the malformed filesystem. However, these exploits will automatically stop working (and so the infection might be cleared automatically) after the hypothetical bug got patched and the update applied (via template update), which is an exceptional feature of Qubes OS.
+One advantage of the non-persistent rootfs though, is that the malware is still inactive before the user's filesystem gets mounted and "processed" by system/applications, which might theoretically allow for some scanning programs (or a skilled user) to reliably scan for signs of infections of the AppVM.
+But, of course, the problem of finding malware hooks in general is hard, so this would work likely only for some special cases (e.g. an AppVM which doesn't use Firefox, as otherwise it would be hard to scan the Firefox profile directory reliably to find malware hooks there).
+Also note that the user filesystem's metadata might got maliciously modified by malware in order to exploit a hypothetical bug in the AppVM kernel whenever it mounts the malformed filesystem.
+However, these exploits will automatically stop working (and so the infection might be cleared automatically) after the hypothetical bug got patched and the update applied (via template update), which is an exceptional feature of Qubes OS.
 
-Also note that Disposable VMs do not have persistent user filesystem, and so they start up completely "clean" every time. Note the word "clean" means in this context: the same as their template filesystem, of course.
+Also note that Disposable VMs do not have persistent user filesystem, and so they start up completely "clean" every time.
+Note the word "clean" means in this context: the same as their template filesystem, of course.
 
 RPMFusion for a Fedora TemplateVM
 ---------------------------------
 
-If you would like to enable the [RPM Fusion](http://rpmfusion.org/) repository: open a Terminal of the TemplateVM and type the following commands: 
+If you would like to enable the [RPM Fusion](http://rpmfusion.org/) repository, open a Terminal of the TemplateVM and type the following commands: 
 
 ~~~
 sudo dnf config-manager --set-enabled rpmfusion-free rpmfusion-nonfree

From f6b34a01f3b3d86cc090517907ab170aab78a309 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 21 Feb 2018 07:24:50 +0000
Subject: [PATCH 098/103] /home/user -> ~

---
 common-tasks/managing-appvm-shortcuts.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/common-tasks/managing-appvm-shortcuts.md b/common-tasks/managing-appvm-shortcuts.md
index 8e583502..dcbf3613 100644
--- a/common-tasks/managing-appvm-shortcuts.md
+++ b/common-tasks/managing-appvm-shortcuts.md
@@ -42,9 +42,9 @@ In Windows it's a PowerShell script located in `c:\Program Files\Invisible Thing
 
  * R4.0
  
-   The list of installed applications for each AppVM is stored in dom0's `/home/user/.local/share/qubes-appmenus/vmname/apps.templates`.
+   The list of installed applications for each AppVM is stored in dom0's `~/.local/share/qubes-appmenus/vmname/apps.templates`.
    Each menu entry is a file that follows the [.desktop file format](https://standards.freedesktop.org/desktop-entry-spec/desktop-entry-spec-latest.html) with some wildcards (*%VMNAME%*, *%VMDIR%*).
-   Applications selected to appear in the menu are stored in `/home/user/.local/share/qubes-appmenus/vmname/apps`.
+   Applications selected to appear in the menu are stored in `~/.local/share/qubes-appmenus/vmname/apps`.
     
    Actual command lines for the menu shortcuts involve `qvm-run` command which starts a process in another domain. 
    Examples: `qvm-run -q -a --service -- %VMNAME% qubes.StartApp+7-Zip-7-Zip_File_Manager` or `qvm-run -q -a --service -- %VMNAME% qubes.StartApp+firefox`

From b7399481849517309be07fc10e947958c5e60b77 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 21 Feb 2018 07:37:34 +0000
Subject: [PATCH 099/103] add procedure to determine distro

---
 managing-os/reinstall-template.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/managing-os/reinstall-template.md b/managing-os/reinstall-template.md
index ee3657bd..fbc7e360 100644
--- a/managing-os/reinstall-template.md
+++ b/managing-os/reinstall-template.md
@@ -13,6 +13,15 @@ If you suspect your [TemplateVM] is broken, misconfigured, or compromised, you c
 
 The procedure varies by Qubes version and UpdateVM's distribution; see the appropriate section below.
 
+To determine your UpdateVM's distribution:
+
+1. Go to a `dom0` terminal prompt.
+2. Enter `qubes-prefs` and look for `updatevm`.
+3. Enter `qvm-prefs <UpdateVMName>` and look for `template`.
+
+This will typically be either `debian-9`, `fedora-26`, or `whonix-gw`.
+In the case of `whonix-gw`, refer to the Debian based UpdateVM method.
+ 
 
 Manual Reinstallation Method (Fedora based UpdateVM, R3.1+)
 ----------------------------

From 940f0e8d699482f6e373c34861ccf7010e6698c2 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 21 Feb 2018 15:10:14 +0000
Subject: [PATCH 100/103] add r4.0 template resize

---
 configuration/resize-disk-image.md | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/configuration/resize-disk-image.md b/configuration/resize-disk-image.md
index ead7c4bd..28c48aee 100644
--- a/configuration/resize-disk-image.md
+++ b/configuration/resize-disk-image.md
@@ -18,17 +18,27 @@ There are several disk images which can be easily extended, but pay attention to
 See also [OS Specific Follow-up Instructions](/doc/resize-disk-image/#os-specific-follow-up-instructions) at the end of this page.
 
 
-### Template disk image
+### Template disk image (R4.0)
+
+If you want install a lot of software in your TemplateVM, you may need to increase the amount of disk space your TemplateVM can use. 
+*Make sure changes in the TemplateVM between reboots don't exceed 10G.*
+
+1.  Resize the *root image* using Qubes version specific procedure below.
+2.  Start the template.
+3.  Resize the filesystem using OS appropriate tools (Qubes will handle this automatically under Linux).
+4.  Verify available space in the template using `df -h` or OS specific tools.
+5.  Shutdown the template.
+
+### Template disk image (R3.2)
 
 If you want install a lot of software in your TemplateVM, you may need to increase the amount of disk space your TemplateVM can use. 
 *Make sure changes in the TemplateVM between reboots don't exceed 10G.*
 
 1.  Make sure that all the VMs based on this template are shut down (including netvms etc).
 2.  Resize the *root image* using Qubes version specific procedure below.
-   You may instead resize the *private image* with the appropriate commands if your software installs to `/home` for example.
 3.  If any netvm/proxyvm used by this template is based on it, set template's netvm to none.
 4.  Start the template.
-5.  Resize the filesystem using OS appropriate tools (Qubes will handle this automatically with Linux templates).
+5.  Resize the filesystem using OS appropriate tools (Linux is `sudo resize2fs /dev/mapper/dmroot`).
 6.  Verify available space in the template using `df -h` or OS specific tools.
 7.  Shutdown the template.
 8.  Restore original netvm setting (if changed), and check firewall settings (setting netvm to none causes the firewall to reset to "block all")
@@ -67,7 +77,7 @@ Note: Size is the target size (i.e. 4096MB or 16GB, ...), not the size to add to
 
 ### Resize a StandaloneVM Root Image
 
-Another way to increase the size of is to turn your TemplateVM into a StandaloneVM.
+For more flexibility, you may also turn your TemplateVM into a StandaloneVM.
 Doing this means it will have its own root filesystem *(StandaloneVMs use a copy of the template, instead of smart sharing)*.
 To do this run `qvm-create --standalone` from `dom0` console, then perform the [OS Specific Follow-up Instructions](/doc/resize-disk-image/#os-specific-follow-up-instructions) below.
 
@@ -107,6 +117,6 @@ zpool online -e poolname ada0
 
 #### Linux
 
-Qubes will automatically grow the filesystem for you on AppVMs but not HVMs.
+Qubes will automatically grow the filesystem for you on AppVMs but not HVMs (or Template root images on R3.2).
 You will see that there is unallocated free space at the end of your primary disk.
 You can use standard linux tools like `fdisk` and `resize2fs` to make this space available.

From be79e0fb57a5733803c8750439834dc28dd52491 Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Wed, 21 Feb 2018 15:32:42 +0000
Subject: [PATCH 101/103] mention `kernel-latest-qubes-vm` package

---
 configuration/managing-vm-kernel.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/configuration/managing-vm-kernel.md b/configuration/managing-vm-kernel.md
index f95ea9cd..ae8a3c6e 100644
--- a/configuration/managing-vm-kernel.md
+++ b/configuration/managing-vm-kernel.md
@@ -64,7 +64,8 @@ kernel-qubes-vm-3.18.17-4.pvops.qubes.x86_64
 ~~~
 
 If you want a more recent version, you can check the `qubes-dom0-unstable` repository.
-As the name suggests, keep in mind that those packages may be less stable than the default ones.
+There is also the `kernel-latest-qubes-vm` package which should provide a more recent (non-LTS) kernel, but has received much less testing.
+As the names suggest, keep in mind that those packages may be less stable than the default ones.
 
 To check available versions in the `qubes-dom0-unstable` repository:
 
@@ -132,7 +133,7 @@ Failed:
   kernel-qubes-vm.x86_64 1000:3.18.10-2.pvops.qubes
 
 Complete!
-[marmarek@dom0 ~]$
+[user@dom0 ~]$
 ~~~
 
 In the above example, it tries to remove the 3.18.10-2.pvops.qubes kernel (to keep only three installed), but since some VM uses it, it fails.
@@ -293,7 +294,7 @@ sudo apt install qubes-kernel-vm-support grub2-common
 
 If prompted for a GRUB install device, choose `/dev/mapper/dmroot`.
 You will receive an error about GRUB failed to install to it, but just continue anyways.
-You don't need an actual grub bootloader as it is provided by dom0, but having one shouldn't hurt.
+
 Ignore warnings about `version '...' has bad syntax`.
 
 Then install whatever kernel you want.

From a902070d0da74c870a025a3f993cfff2e088ca6b Mon Sep 17 00:00:00 2001
From: Patrick Schleizer <adrelanos@riseup.net>
Date: Thu, 22 Feb 2018 02:15:48 +0000
Subject: [PATCH 102/103] remove /etc/tor/torrc

In Whonix 14 we torrc.d so /etc/tor/torrc is no longer a good example.
---
 customization/bind-dirs.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/customization/bind-dirs.md b/customization/bind-dirs.md
index b3d1475b..7dbdca99 100644
--- a/customization/bind-dirs.md
+++ b/customization/bind-dirs.md
@@ -39,7 +39,6 @@ Inside your TemplateBasedVM.
 3. Edit the file 50_user.conf to append a folder or file name to the `binds` variable. (In the following example we are using folder `/var/lib/tor`. You can replace that name with a folder or file name of your choice.)
 
        binds+=( '/var/lib/tor' )
-       binds+=( '/etc/tor/torrc' )
 
 Multiple entries are possible, each on a separate line.
 

From 8b47eae6e9fe908c19a8ec9a8041d7efa07817ed Mon Sep 17 00:00:00 2001
From: awokd <34515595+awokd@users.noreply.github.com>
Date: Fri, 23 Feb 2018 02:28:36 +0000
Subject: [PATCH 103/103] fix spacing for non-code block

---
 troubleshooting/intel-igfx-troubleshooting.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/troubleshooting/intel-igfx-troubleshooting.md b/troubleshooting/intel-igfx-troubleshooting.md
index df20ddea..03014ebb 100644
--- a/troubleshooting/intel-igfx-troubleshooting.md
+++ b/troubleshooting/intel-igfx-troubleshooting.md
@@ -15,9 +15,9 @@ You can confirm this is the issue by looking for a line similar to the following
 
 Newer versions of the Linux kernel have renamed the `i915.preliminary_hw_support=1` option to `i915.alpha_support=1`, so if you needed this kernel option in the past you will have to rename it or add it to your configuration files (follow either GRUB2 or EFI, not both):
 
-    * GRUB2: `/etc/default/grub`, `GRUB_CMDLINE_LINUX` line and  
-      Rebuild grub config (`grub2-mkconfig -o /boot/grub2/grub.cfg`)   
-    * EFI: `/boot/efi/EFI/qubes/xen.cfg`, `kernel=` line(s)
+ * GRUB2: `/etc/default/grub`, `GRUB_CMDLINE_LINUX` line and  
+   Rebuild grub config (`grub2-mkconfig -o /boot/grub2/grub.cfg`)   
+ * EFI: `/boot/efi/EFI/qubes/xen.cfg`, `kernel=` line(s)
 
 
 ## IOMMU ##