diff --git a/user/advanced-topics/how-to-install-software-in-dom0.md b/user/advanced-topics/how-to-install-software-in-dom0.md
index 331849c6..3e9544d0 100644
--- a/user/advanced-topics/how-to-install-software-in-dom0.md
+++ b/user/advanced-topics/how-to-install-software-in-dom0.md
@@ -11,27 +11,37 @@ ref: 194
title: How to Install Software in Dom0
---
-
-
- Warning: Installing software in dom0 is for advanced users only. Doing so has the potential to compromise your entire Qubes OS installation. Exercise extreme caution.
-
+**Warning:** Installing software in dom0 is for advanced users only. Doing so
+has the potential to compromise your entire Qubes OS installation. Exercise
+extreme caution.
## Security
-Since there is no networking in dom0, any bugs discovered in dom0 desktop components (e.g., the window manager) are unlikely to pose a problem for Qubes, since none of the third-party software running in dom0 is accessible from VMs or the network in any way.
-Nonetheless, since software running in dom0 can potentially exercise full control over the system, it is important to install only trusted software in dom0.
+Since there is no networking in dom0, any bugs discovered in dom0 desktop
+components (e.g., the window manager) are unlikely to pose a problem for Qubes,
+since none of the third-party software running in dom0 is accessible from VMs
+or the network in any way. Nonetheless, since software running in dom0 can
+potentially exercise full control over the system, it is important to install
+only trusted software in dom0.
-The install/update process is split into two phases: *resolve and download* and *verify and install*.
-The *resolve and download* phase is handled by the UpdateVM.
-(The role of UpdateVM can be assigned to any VM in the Qube Manager, and there are no significant security implications in this choice.
-By default, this role is assigned to the FirewallVM.)
-After the UpdateVM has successfully downloaded new packages, they are sent to dom0, where they are verified and installed.
-This separation of duties significantly reduces the attack surface, since all of the network and metadata processing code is removed from the TCB.
+The install/update process is split into two phases: *resolve and download* and
+*verify and install*. The *resolve and download* phase is handled by the
+UpdateVM. (The role of UpdateVM can be assigned to any VM in the Qube Manager,
+and there are no significant security implications in this choice. By default,
+this role is assigned to the FirewallVM.) After the UpdateVM has successfully
+downloaded new packages, they are sent to dom0, where they are verified and
+installed. This separation of duties significantly reduces the attack surface,
+since all of the network and metadata processing code is removed from the TCB.
-Although this update scheme is far more secure than directly downloading updates in dom0, it is not invulnerable.
-For example, there is nothing that the Qubes OS Project can feasibly do to prevent a malicious RPM from exploiting a hypothetical bug in the cryptographic signature verification operation.
-At best, we could switch to a different distro or package manager, but any of them could be vulnerable to the same (or a similar) attack.
-While we could, in theory, write a custom solution, it would only be effective if Qubes repos included all of the regular template distro's updates, and this would be far too costly for us to maintain.
+Although this update scheme is far more secure than directly downloading
+updates in dom0, it is not invulnerable. For example, there is nothing that the
+Qubes OS Project can feasibly do to prevent a malicious RPM from exploiting a
+hypothetical bug in the cryptographic signature verification operation. At
+best, we could switch to a different distro or package manager, but any of them
+could be vulnerable to the same (or a similar) attack. While we could, in
+theory, write a custom solution, it would only be effective if Qubes repos
+included all of the regular template distro's updates, and this would be far
+too costly for us to maintain.
## How to update dom0
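Review bot: The re-wrapped warning at the top of this hunk loses its surrounding blank lines. The three blank lines around the old warning are removed and none are added back, so as the hunk reads, the warning starts directly after the front-matter `---` and `extreme caution.` runs straight into `## Security`. Add a blank line before and after the warning paragraph so the heading does not depend on renderer leniency. The change from plain "Warning:" to `**Warning:**` is also a markup change inside an otherwise wrap-only hunk, so mention it in the commit message.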
@@ -45,13 +55,15 @@ To install additional packages in dom0 (usually not recommended):
$ sudo qubes-dom0-update anti-evil-maid
```
-You may also pass the `--enablerepo=` option in order to enable optional repositories (see yum configuration in dom0).
-However, this is only for advanced users who really understand what they are doing.
-You can also pass commands to `dnf` using `--action=...`.
+You may also pass the `--enablerepo=` option in order to enable optional
+repositories (see yum configuration in dom0). However, this is only for
+advanced users who really understand what they are doing. You can also pass
+commands to `dnf` using `--action=...`.
## How to downgrade a specific package
-**WARNING:** Downgrading a package can expose your system to security vulnerabilities.
+**WARNING:** Downgrading a package can expose your system to security
+vulnerabilities.
1. Download an older version of the package:
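Review bot: The re-wrapped paragraph still sends readers to the "yum configuration in dom0" while the very next sentence talks about passing commands to `dnf`. Since the text is being touched anyway, use one name or say which configuration file is meant. Separately, `**WARNING:**` under "How to downgrade a specific package" is all caps, whereas the top-of-page warning in this same patch becomes `**Warning:**`; pick one style.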
@@ -59,7 +71,8 @@ You can also pass commands to `dnf` using `--action=...`.
sudo qubes-dom0-update package-version
~~~
- Dnf will say that there is no update, but the package will nonetheless be downloaded to dom0.
+ Dnf will say that there is no update, but the package will nonetheless be
+ downloaded to dom0.
2. Downgrade the package:
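Review bot: In the added lines under step 1 the tool is written as "Dnf" in plain text, while the re-install note later in this patch writes it as `dnf` in code formatting. Use `dnf` here as well. The same sentence appears verbatim in the re-install steps, so the fix applies in both places.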
@@ -77,7 +90,8 @@ You can re-install in a similar fashion to downgrading.
sudo qubes-dom0-update package
~~~
- Dnf will say that there is no update, but the package will nonetheless be downloaded to dom0.
+ Dnf will say that there is no update, but the package will nonetheless be
+ downloaded to dom0.
2. Re-install the package:
@@ -85,12 +99,15 @@ You can re-install in a similar fashion to downgrading.
sudo dnf reinstall package
~~~
- Note that `dnf` will only re-install if the installed and downloaded versions match.
- You can ensure they match by either updating the package to the latest version, or specifying the package version in the first step using the form `package-version`.
+ Note that `dnf` will only re-install if the installed and downloaded
+ versions match. You can ensure they match by either updating the package to
+ the latest version, or specifying the package version in the first step
+ using the form `package-version`.
## How to uninstall a package
-If you've installed a package such as anti-evil-maid, you can remove it with the following command:
+If you've installed a package such as anti-evil-maid, you can remove it with
+the following command:
```
sudo dnf remove anti-evil-maid
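Review bot: The uninstall command at the end of this hunk is fenced with three backticks, while the `sudo dnf reinstall package` block at the top of the hunk closes with `~~~`; settle on one fence style for the page. In the re-wrapped sentence "If you've installed a package such as anti-evil-maid", the package name should be marked up as `anti-evil-maid`, the same way `package-version` is in the note above it.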
@@ -100,15 +117,15 @@ sudo dnf remove anti-evil-maid
There are three Qubes dom0 [testing](/doc/testing/) repositories:
-- `qubes-dom0-current-testing` -- testing packages that will eventually land in the stable
- (`current`) repository
-- `qubes-dom0-security-testing` -- a subset of `qubes-dom0-current-testing` that contains packages
- that qualify as security fixes
-- `qubes-dom0-unstable` -- packages that are not intended to land in the stable (`qubes-dom0-current`)
- repository; mostly experimental debugging packages
+- `qubes-dom0-current-testing` -- testing packages that will eventually land in
+ the stable (`current`) repository
+- `qubes-dom0-security-testing` -- a subset of `qubes-dom0-current-testing`
+ that contains packages that qualify as security fixes
+- `qubes-dom0-unstable` -- packages that are not intended to land in the stable
+ (`qubes-dom0-current`) repository; mostly experimental debugging packages
-To temporarily enable any of these repos, use the `--enablerepo=` option.
-Example commands:
+To temporarily enable any of these repos, use the `--enablerepo=`
+option. Example commands:
~~~
sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing
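Review bot: The first and third bullets name the stable repository differently: "the stable (`current`) repository" versus "the stable (`qubes-dom0-current`) repository". Both bullets are rewritten here, so use the same identifier in both, preferably in the form a reader would pass to `--enablerepo=`. The new wrap of "use the `--enablerepo=`" also breaks well short of the width used elsewhere, leaving "option. Example commands:" as a short line of its own.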
@@ -116,12 +133,13 @@ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing
sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable
~~~
-To enable or disable any of these repos permanently, change the corresponding `enabled` value to `1` in
-`/etc/yum.repos.d/qubes-dom0.repo`.
+To enable or disable any of these repos permanently, change the corresponding
+`enabled` value to `1` in `/etc/yum.repos.d/qubes-dom0.repo`.
## Contributed package repository
-Please see [installing contributed packages](/doc/installing-contributed-packages/).
+Please see [installing contributed
+packages](/doc/installing-contributed-packages/).
## Kernel upgrade
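Review bot: The re-wrapped sentence "To enable or disable any of these repos permanently, change the corresponding `enabled` value to `1`" only describes enabling. Either add the value for disabling (`0`) or drop "or disable", since a reader following it literally cannot turn a testing repo back off.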
@@ -133,8 +151,11 @@ The packages `kernel` and `kernel-latest` are for dom0.
In the `current` repository:
-- `kernel`: an older LTS kernel that has passed Qubes [testing](/doc/testing/) (the default dom0 kernel)
-- `kernel-latest`: the latest release from kernel.org that has passed Qubes [testing](/doc/testing/) (useful for [troubleshooting newer hardware](/doc/newer-hardware-troubleshooting/))
+- `kernel`: an older LTS kernel that has passed Qubes [testing](/doc/testing/)
+ (the default dom0 kernel)
+- `kernel-latest`: the latest release from kernel.org that has passed Qubes
+ [testing](/doc/testing/) (useful for [troubleshooting newer
+ hardware](/doc/newer-hardware-troubleshooting/))
In the `current-testing` repository:
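Review bot: In the `kernel-latest` bullet the link text is now split across two lines ("[troubleshooting newer" / "hardware](/doc/newer-hardware-troubleshooting/)"). Move the whole link onto the following line, even if that leaves the previous line short, so the link stays searchable as one string. The "[installing contributed packages]" link earlier in this patch is wrapped the same way.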
@@ -143,8 +164,8 @@ In the `current-testing` repository:
### domU
-The packages `kernel-qubes-vm` and `kernel-latest-qubes-vm` are for domUs.
-See [Managing VM kernel](/doc/managing-vm-kernels/) for more information.
+The packages `kernel-qubes-vm` and `kernel-latest-qubes-vm` are for domUs. See
+[Managing VM kernel](/doc/managing-vm-kernels/) for more information.
### Example
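Review bot: The link text "Managing VM kernel" in the re-wrapped domU paragraph is singular while its target is `/doc/managing-vm-kernels/`. Make the link text agree with the target while this line is being edited.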
@@ -154,17 +175,19 @@ See [Managing VM kernel](/doc/managing-vm-kernels/) for more information.
sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable kernel kernel-qubes-vm
~~~
-If the update process does not automatically do it (you should see it mentioned in the CLI output
-from the update command), you may need to manually rebuild the EFI or grub config depending on which
-your system uses.
+If the update process does not automatically do it (you should see it mentioned
+in the CLI output from the update command), you may need to manually rebuild
+the EFI or grub config depending on which your system uses.
-*EFI*: Replace the example version numbers with the one you are upgrading to.
+#### EFI
+
+Replace the example version numbers with the one you are upgrading to.
~~~
sudo dracut -f /boot/efi/EFI/qubes/initramfs-4.14.35-1.pvops.qubes.x86_64.img 4.14.35-1.pvops.qubes.x86_64
~~~
-*Grub2*
+#### Grub2
~~~
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
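Review bot: The EFI command still hard-codes `4.14.35-1.pvops.qubes.x86_64` in both the initramfs path and the kernel-version argument, and the instruction to replace it now sits as a lone sentence under the new `#### EFI` heading where it is easy to skip. Consider a placeholder such as `<kernel-version>` in both positions, and fix the number agreement in "Replace the example version numbers with the one you are upgrading to". The paragraph above also writes "grub" while the new heading says "Grub2"; use one spelling.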
@@ -178,25 +201,25 @@ to do a lot of work yourself](https://groups.google.com/d/msg/qubes-users/m8sWoy
## Changing default kernel
-This section describes changing the default kernel in dom0.
-It is sometimes needed if you have upgraded to a newer kernel and are having problems booting, for example.
-The procedure varies depending on if you are booting with UEFI or grub.
-On the next kernel update, the default will revert to the newest.
+This section describes changing the default kernel in dom0. It is sometimes
+needed if you have upgraded to a newer kernel and are having problems booting,
+for example. The procedure varies depending on if you are booting with UEFI or
+grub. On the next kernel update, the default will revert to the newest.
-*EFI*
+### EFI
~~~
sudo nano /boot/efi/EFI/qubes/xen.cfg
~~~
-In the `[global]` section at the top, change the `default=` line to match one of the three boot entries listed below.
-For example,
+In the `[global]` section at the top, change the `default=` line to match one
+of the three boot entries listed below. For example:
~~~
default=4.19.67-1.pvops.qubes.x86_64
~~~
-*Grub2*
+### Grub2
~~~
sudo nano /etc/default/grub
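Review bot: The new `### EFI` and `### Grub2` headings under "Changing default kernel" repeat the heading text of the `#### EFI` and `#### Grub2` headings this patch adds under "Kernel upgrade", so generated anchors will collide or pick up numeric suffixes. Give them distinct text. The re-wrapped text also keeps "one of the three boot entries listed below", which hard-codes a count, and "depending on if" would read better as "depending on whether".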
@@ -207,21 +230,20 @@ GRUB_SAVEDEFAULT=true
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
~~~
-Then, reboot.
-Once the grub menu appears, choose "Advanced Options for Qubes (with Xen hypervisor)".
-Next, the top menu item (for example, "Xen hypervisor, version 4.8.5-9.fc25").
-Select the kernel you want as default, and it will be remembered for next boot.
+Then, reboot. Once the grub menu appears, choose "Advanced Options for Qubes
+(with Xen hypervisor)". Next, the top menu item (for example, "Xen hypervisor,
+version 4.8.5-9.fc25"). Select the kernel you want as default, and it will be
+remembered for next boot.
## Updating over Tor
Requires installed [Whonix](/doc/privacy/whonix/).
-Go to Qubes VM Manager -> System -> Global Settings.
-See the UpdateVM setting.
-Choose your desired Whonix-Gateway ProxyVM from the list.
-For example: sys-whonix.
+Go to Qubes VM Manager -> System -> Global Settings. See the UpdateVM setting.
+Choose your desired Whonix-Gateway ProxyVM from the list. For example:
+sys-whonix.
-`
+```
Qubes VM Manager -> System -> Global Settings -> UpdateVM -> sys-whonix
-`
+```
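Review bot: The sentence "Next, the top menu item (for example, ...)" has no verb, and merging the reboot instructions into one paragraph makes the fragment harder to follow. Write "Next, choose the top menu item", or turn the reboot steps into a numbered list like the downgrade steps. This section also calls the tool "Qubes VM Manager" while the Security section calls it "Qube Manager"; use one name. Replacing the single backticks with a three-backtick fence is correct, though most blocks on the page use `~~~`.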