Git-Mirrors/qubes-doc
1
0
Fork 0
mirror of https://github.com/QubesOS/qubes-doc.git synced 2025-05-30 12:04:28 -04:00
Code Issues Projects Releases Packages Wiki Activity

Compare commits

..

127 commits
qm_3c6c172 ... main

Author SHA1 Message Date
unman
473fb5d323
Update Templates page. 
Includes some changes based on
2025-05-27 13:04:44 +00:00
unman
5b5a4ebd9b
Update Debian and Fedora template pages. 2025-05-27 12:09:11 +00:00
unman
909f7ae7a8
Update admin API page with details of new notes API 
Merge branch 'pr-1450'
 2025-05-27 00:09:57 +00:00
unman
a00b4a18c0
Update How to Install Software page with dnf5 syntax for enabling 
repositories
Merge branch 'pr-1442'
 2025-05-26 23:29:45 +00:00
unman
684a7cee24
Minor edits to Secondary Storage page 2025-05-25 01:17:06 +00:00
unman
9c51e9594d
Add Btrfs details to secondary storage page, and edit for clarity 2025-05-25 01:10:35 +00:00
unman
f72ad83ffb
Edit secondary storage page for clarity 2025-05-25 01:05:24 +00:00
unman
fd0ae463fe
Merge branch 'pr-1474' 2025-05-25 00:38:52 +00:00
unman
487f7e21cd
Update sys-gui-gpu to make it clear that this is not for improving Performance 
Merge branch 'pr-1477'
 2025-05-25 00:32:23 +00:00
Solène Rapenne
34144a1620
doc: make clear that sys-gui-gpu is not meant for improving performance 2025-05-24 15:05:14 +02:00
lafried
d76402c3dd
Fix syntax for dnf5 support 2025-05-21 02:11:50 +01:00
qubedmaiska
3e3d5d32d3
Merge remote-tracking branch 'origin/novacustom-v5x-heads' 2025-05-20 03:14:06 -04:00
qubedmaiska
e520e2e559
fix for warning display and a url 2025-05-19 03:46:03 -04:00
Ali Mirjamali
2b028834a6
Fixing existing CI/CD issues 2025-05-18 22:02:46 +03:30
Ali Mirjamali
0ead1b03a1
Add the new notes API documentation 
related: https://github.com/QubesOS/qubes-issues/issues/899
 2025-05-18 20:46:33 +03:30
Andrew David Wong
caffc06eaf
Add Heads certified firmware option for NovaCustom V54 & V56 2025-05-15 17:06:24 -07:00
unman
b594557061
Minor change to headings on update page. 2025-05-15 12:12:18 +00:00
unman
46e4e0a684
Add information on how to update firmware. Merge pr-1437 2025-05-15 12:09:23 +00:00
unman
093b2f919a
Fixed type in mfa page 
Merge branch 'pr-1441'
 2025-05-15 11:33:42 +00:00
unman
fe22ae7e9f
Fixed typo in mfa page 2025-05-15 11:33:22 +00:00
unman
61a4deb1ac
Add known issues to information on use of gui domain 
Merge branch 'pr-1440'
 2025-05-15 11:16:27 +00:00
unman
b87aaed495
Clarify use of Updates Proxy when updating and installing software 
Merge branch 'pr-1459'
 2025-05-15 11:08:33 +00:00
unman
73294eb89d
Minor changes in how-to-install-software 2025-05-15 11:08:21 +00:00
unman
aa62d0b296
Minor changes in how-to-install-software 2025-05-15 11:07:17 +00:00
unman
edc3d8bfec
Add worked example of setting network in HVM 
Merge branch 'pr-1462'
 2025-05-15 10:35:00 +00:00
unman
c6b07c0191
Added Titles to images. 
Normalised language in description of procedure
 2025-05-15 10:29:39 +00:00
unman
0329e3d4cc
Fix outdated link on qrexec-internals page. 
Merge branch 'pr-1472'
 2025-05-14 12:21:14 +00:00
Woolfgm
07b2392c3f
Update qrexec-internals.md 2025-05-14 11:40:56 +02:00
Andrew David Wong
9fede33dcd
Remove Fedora 40 from supported templates (EOL) 2025-05-13 13:39:41 -07:00
unman
11cc56d59d
Certified Hardware - Privacy Beast - update link 
Merge branch 'pr-1471'
 2025-05-11 13:10:04 +00:00
unman
a5b15bdf5b
Add link to incomplete page on split-gpg-2 from current split-gpg page 2025-05-11 12:30:50 +00:00
unman
ec6f975c82
Add separate page for split-gpg-2 2025-05-11 12:07:51 +00:00
unman
fa23b34a24
Revert "Update documentation on split-gpg2" 
This reverts commit 0062dfaa37, reversing
changes made to 7167897d71.

Retain documentation on split-gpg and add page on split-gpg-v2 as well,
until latter page is fully functional.
 2025-05-11 11:46:13 +00:00
Woolfgm
b7dd717ee7
Update insurgo-privacybeast-x230.md 2025-05-11 13:01:27 +02:00
unman
690d289886
Update Debian page to make it clear that the Debian template from 4.2.4 cannot be used for salting other qubes. 2025-05-04 12:16:00 +00:00
unman
ae512816bb
Release notes - Correct link to API documentation 
Merge branch 'pr-1467'
 2025-05-02 15:02:33 +00:00
unman
0c4d924d21
Update release notes link to head API 2025-05-02 15:00:25 +00:00
unman
41470dbee4
Update secondary storage page: work around 4k incompatibility, drop unnecessary luksFormat arguments 
Merge branch 'pr-1443'
 2025-05-02 01:08:19 +00:00
unman
e4e60859c5
Update VPN troubleshooting guide 
Merge branch 'pr-1283'
 2025-05-02 00:28:40 +00:00
unman
55441615bf
Fix reference to /var/logs/syslog, and add journalctl. 
Update link from Qubes-Community to Forum guides. Minor changes.
 2025-05-02 00:24:26 +00:00
unman
ef37a8c68b
Update page on standalones with informatin about virtualization modes. 
Closes https://github.com/QubesOS/qubes-issues/issues/7517
 2025-04-30 13:15:08 +00:00
unman
4a91a742fe
Minor changes to How to use USB devices page. 2025-04-30 12:05:15 +00:00
unman
e1ced53d9f
Clarify instructions for finding USB controller/address 
Fix style
Merge branch 'pr-1265'
 2025-04-30 11:49:59 +00:00
unman
7870666de3
Clarified that main method relates to finding controller for attached device. 
Moved QubeManager method to separate section
 2025-04-30 11:42:31 +00:00
unman
e99e33317a
Update Getting Started page 
Merge branch 'pr-1368'
 2025-04-29 12:40:45 +00:00
unman
bd8a419412
Slight change to comment on use of color. 
Fix minor spelling mistake.
 2025-04-29 12:35:08 +00:00
PixelPilot
5bd45751f9
Update release-notes.md 2025-04-27 09:06:44 +02:00
unman
db82711863
Describe further changes required for Win11 installation. 
Merge pr-1466
 2025-04-26 10:54:25 +00:00
unman
1624edfba9
Merge branch 'pr-1438' 2025-04-26 10:47:29 +00:00
unman
cde877dd73
Describe how to move user profiles without QWT installation 
Merge branch 'pr-1421'
 2025-04-26 10:43:08 +00:00
Dr. Gerhard Weck
5cb2a1e404
Describe installation changes for Windows 11 2025-04-25 13:56:11 +02:00
unman
2f4de87cd4
Provide evidence that AMD is slow to ship client microcode 
Merge branch 'pr-1430'
Cf Discussion at https://forum.qubes-os.org/t/the-nitropc-pro-2-is-qubes-certified/24762/16
 2025-04-21 11:09:17 +00:00
unman
f754dc7aa7
Improve system update documentation with information on updating 
firmware
Merge branch 'pr-1414'
 2025-04-21 10:34:56 +00:00
unman
0062dfaa37
Update documentation on split-gpg2 
Merge branch 'pr-1411'
 2025-04-21 10:22:00 +00:00
unman
7167897d71
Add information on new device API 
Merge branch 'pr-1387'
 2025-04-21 10:06:35 +00:00
unman
c6b0237db6
Update networking page to make it clear that the ipv6 feature only affects qubes-configured networking 2025-04-19 14:03:45 +00:00
unman
f8e2bb2258
Update docs with information on /rw/config/rc.local* scripts 
Merge branch 'pr-1433'
 2025-04-13 14:46:53 +00:00
unman
b9bec14ae4
Update firewall page to make sure sys-net rules are correctly specified 2025-04-13 14:37:15 +00:00
unman
df5f5b9ede
Update firewall page to use iifgroups rather than iif 
Merge branch 'pr-1412'
 2025-04-13 14:00:19 +00:00
unman
63ad8ab1c1
Minor changes to description of qubes-builder-v2 2025-04-13 12:57:18 +00:00
unman
81e4abc416
Minor changes to workflow.md using Builder v2 2025-04-13 12:55:19 +00:00
unman
7b8f4e0740
Add introduction for Builder v2 
Merge branch 'pr-1409'
 2025-04-13 12:47:00 +00:00
unman
362b0618b6
Update templates page to reflect use of qvm-template. 
Merge pr-1322
 2025-04-13 11:08:44 +00:00
unman
68be810d95
Add tweaks to Emergency backup restore instructions 
Merge branch 'pr-1302'
 2025-04-11 14:28:23 +00:00
unman
abdafabff2
Update and improve Emergency backup restore 
Merge branch 'pr-1279'
 2025-04-11 14:23:31 +00:00
unman
674f9b6dd2
Fix dead link to Micah's video 2025-04-10 13:37:18 +00:00
Andrew David Wong
187db01576
Fix dead link 2025-04-09 15:43:48 -07:00
Andrew David Wong
c4129f8852
Fix dead links 2025-04-09 15:02:04 -07:00
garindean
e529345e72
Update how-to-organize-your-qubes.md 
grammar
 2025-04-02 01:10:15 -04:00
qubedmaiska
8a23c91c60
grammar fix 2025-03-25 19:09:36 -04:00
qubedmaiska
3502d71b9d
Merge remote-tracking branch 'MarnixCroes/patch-1' 2025-03-25 19:07:08 -04:00
Andrew David Wong
6637cd4393
Merge branch 'certified-hardware' 2025-03-25 10:56:56 -07:00
Marnix Croes
1a049515a7 add more info about refreshing qubes after restore 2025-03-25 12:02:45 -03:00
Francis King
e86436d023
Added some extra text and an example 
In a discussion on Qubes OS forum, it was decided that I should add some extra text about the netmask, and an example  for Network Manager. The purpose being to make the procedure much clearer.

There are two images to go into the text, but I don't understand how to do that yet. I have used '>' at those points. Please advise.

Francis.
 2025-03-24 16:08:35 +00:00
Andrew David Wong
b55f8f092c
Revamp certified hardware documentation 
- Replace list of certified models with table
- Create page for each certified model
- Organize certified hardware files in subdirectory
- Update certification details of individual model pages
- Add warnings for X230- and T430-based models
  ()
 2025-03-23 16:49:48 -07:00
Andreas Glashauser
b04977a702
Reword CentOS EOL notice for clarity, add link to more info 2025-03-23 19:35:10 +01:00
Andreas Glashauser
bf56b4dcd3
Clarify CentOS template's EOL status 2025-03-23 12:16:10 +01:00
3np
f71614efd9
how-to-install-software: clarify updates-proxy usage 
- makes it less likely to get the false impression that
  the updates proxy does not allow arbitrary outbound connections
- add example of how to download software in templates without
  enabling direct networking
 2025-03-23 02:16:21 +00:00
Andreas Glashauser
4b87eaa04d
Removed outdated CentOS references 2025-03-23 01:19:56 +01:00
Marta Marczykowska-Górecka
06e37e444b
Add intro for Builder v2 2025-03-22 22:18:04 +01:00
Demi Marie Obenour
cc13bd9ee8
Provide evidence that AMD is slow to ship client microcode 
The claims in the documentation are corrrect, but no sources were
provided.  Add links to sources.

Fixes:
2025-02-20 21:18:17 -05:00
ghijg
c339a093fc
Merge branch 'QubesOS:main' into patch-2 2025-01-24 22:13:51 +01:00
Rusty Bird
65e0511d15
luksFormat: drop --hash=sha512 argument 
The default (sha256) seems fine for LUKS2 where the hash algorithm has a
limited role anyway - it's not used for key stretching like in LUKS1.
 2024-12-20 19:29:38 +00:00
Rusty Bird
4fb0f0c851
luksFormat: drop arguments that are already the default 2024-12-20 19:29:37 +00:00
Rusty Bird
cc00196539
luksFormat: add --sector-size=512 argument 2024-12-20 19:29:36 +00:00
ghijg
1fca26ce44
Syntax changed due to dnf5/Fedora41 
Syntax changed for enabling repositories with dnf5 which is used by default from Fedora 41 on.

https://dnf5.readthedocs.io/en/latest/changes_from_dnf4.7.html
 2024-12-10 00:13:35 +01:00
Darekisgit
4cc913b6b0
Update mfa.md 2024-12-04 12:21:25 +01:00
Christian Tramnitz
ae26177e4d
add known issues to gui-domain docs 
Although sys-gui (and its variants sys-gui-gpu and sys-gui-vnc) are clearly marked to be used by advanced users only, there are some limitations that may go beyond the expectations of an advanced user.

This updates the documentation to contain some known issues that probably don't have a quick fix.
 2024-12-01 12:39:23 +01:00
b90g
7c7911177f
Update windows-qubes-4-1.md 
evading microsoft account enforcement.
 2024-11-29 20:21:29 +01:00
Rowen S
d1cb9bd2fb
Add documentation on qubes-fwupdmgr usage 2024-11-25 14:14:48 -05:00
Marnix Croes
721d22d064
add info about refresh applications 2024-10-30 07:09:22 -04:00
Marek Marczykowski-Górecki
8ae7c24958
Update docs about /rw/config/rc.local* scripts 
Specify that files needs to be executable.
Add info about `/rw/config/rc.local.d/*.rc`.
Add info about `/rw/config/rc.local-early.d/*.rc` and
`/rw/config/rc.local-early`
(https://github.com/QubesOS/qubes-core-agent-linux/pull/386)
 2024-10-20 00:41:01 +02:00
Dr. Gerhard Weck
63bf921aa6
Formal change 2024-09-21 13:27:20 +02:00
Dr. Gerhard Weck
9218f23167
Describe Move user profiles without QWT installation 2024-08-25 10:12:11 +02:00
Demi Marie Obenour
0250897727 Document how to update system firmware 
This is a very important task, but it is often not done due to bad
tools.  Also correct some outdated information on the "how to update
software" page.
 2024-08-22 16:35:22 -04:00
apparatius
ec1f501c53
Update firewall.md 
The disappearance of the eth0 interface when you restart the net qube of the sys-firewall or set it’s net qube to none is causing `iif == "eth0"` to become `iif 2` and the rules won't work anymore.
It’s better to use `iifgroup 1` instead of `iif == "eth0"`.
Related discussion:
https://forum.qubes-os.org/t/iptables-not-available-in-sys-net-in-qubes-os-4-2-1/26706/26
 2024-07-12 09:31:11 +00:00
ooops
2d5c636c05
Includes updated documentation from split-gpg2 
Fixes QubesOS/qubes-issues/issues/9138
 2024-07-08 15:33:48 -04:00
ooops
13b46e5c0c
Update split-gpg.md 2024-07-08 15:11:44 -04:00
Piotr Bartman
3cec58bf7d
q-dev: update docs 2024-06-30 11:26:54 +02:00
chomiczosc
4a9ab9fac5
Update getting-started.md 
Fixes from review
 2024-01-05 15:45:08 +01:00
chomiczosc
108fb1e106
Update getting-started.md 
- simplifying "Getting started section" to make it more comprehensible
- updating the section to match Qubes 4.2
 2024-01-05 15:26:36 +01:00
Rusty Bird
0aee55a8dd
Use ls instead of cat to show example data 
https://forum.qubes-os.org/t/getting-stuck-on-emergency-backup-recovery/18520/5
 2023-06-20 13:52:31 +00:00
Rusty Bird
6e15603483
Clarify reading the passphrase 
https://forum.qubes-os.org/t/getting-stuck-on-emergency-backup-recovery/18520/5
https://forum.qubes-os.org/t/getting-stuck-on-emergency-backup-recovery/18520/6
 2023-06-20 13:52:30 +00:00
Oni
1e7a9f7437
Address two potential issues raised when removing a template 
Mentioned the final confirmation step asked for by the `Qube Manager`
to type the template's name. However, before this final confirmation
is displayed, issues may be raised. Deleting templates may run afoul
of dependent qubes and the "default_template" global
property. Instructions to resolve via switching are linked.
 2023-06-19 08:42:59 -04:00
Oni
781780f07e
Redirect Qubes Menu issues with template uninstallation 
Manually removing Qubes Menu entries is covered on the linked page.
 2023-06-19 07:45:25 -04:00
Oni
e1abb55e63
Retire template removal warning messages 
This section was added in response to:

https://github.com/QubesOS/qubes-issues/issues/6432

Seven months later, 'qvm-template' became the installation redirection
target:

https://github.com/QubesOS/qubes-core-admin-linux/pull/80

Now that 'dnf remove' is not being called directly, these warnings
should not be an issue.
 2023-06-19 07:45:18 -04:00
Oni
f24299be1e
Use 'qvm-template' to uninstall templates 
The 'dnf remove' command no longer removes templates and mentions "No
Match" when using <package-name-spec>. The 'qvm-template' command will
remove templates from both package installation and
cloning. 'qvm-template' also warns about qubes dependent on the template
which reduces the need for the user to preemptively check that
relationship.

In its implementation, 'qvm-template' imports and calls 'qvm-remove'
to remove the template. 'qvm-template' was selected as the command to
present as it provides a more consistent interface when installing,
listing, and removing among other commands.
 2023-06-19 07:45:14 -04:00
Rusty Bird
d4778384da
Add sys-whonix to example qube list 2023-04-15 16:05:47 +00:00
Rusty Bird
0251ed63d5
Update to a plausible timestamp in the backup ID too 2023-04-15 11:08:35 +00:00
Rusty Bird
51d387a9fe
Add xmlstarlet command 
Also update the backup filename's date to avoid anachronisms in the
resulting example qube list (e.g. a backup of fedora-37 in 2015)
 2023-04-15 10:45:27 +00:00
Rusty Bird
35b16e2e37
Mention installing the compression program 2023-04-14 16:29:00 +00:00
Rusty Bird
034976f80f
Use vm123/ with a trailing slash like in the backup-path value 2023-04-14 16:28:59 +00:00
Rusty Bird
3b550699af
Emergency backup restore v4 tweaks 2023-04-13 06:47:22 +00:00
Andrew David Wong
f43e54f3a5
Remove unnecessary example and step 
Per @rustybird's suggestions on
2023-04-11 16:42:34 -07:00
Andrew David Wong
edbfa3c9b6
Update user/how-to-guides/backup-emergency-restore-v4.md 
Co-authored-by: Rusty Bird <rustybird@net-c.com>
 2023-04-11 16:35:19 -07:00
zenkuro
a65a507db5
Update vpn-troubleshooting.md 
Fix typo
 2023-01-07 02:47:34 -05:00
zenkuro
c5314bed7f
Eetend VPN troubleshooting by notify-send case 
There are guides and scripts on internet that are helping to configure and run VPN service on QubesOS
This record provides explanation how to identify and what to do to fix possible issues with notify-send that being used by this guides.
 2023-01-05 22:57:18 -05:00
Andrew David Wong
39342e8c98
Clarify example 2022-11-23 17:55:04 -08:00
Andrew David Wong
b6c99d486b
Fix typo 2022-11-23 17:53:29 -08:00
Andrew David Wong
9eb7926ffe
Update and improve Emergency backup restore v4 page 
- Update formatting and style to be consistent with the rest of the docs
- Improve language
- Clarify instructions
- Improve organization
 2022-11-23 17:34:08 -08:00
qubesbugreport
2b24640962
Add instructions for using Qube Manager 
Using the Qube Manager to determine USB controller and address
 2022-09-01 08:00:33 +02:00
qubesbugreport
dc0819594b
Use sentence case instead of title case 
As required by the style guide
 2022-09-01 07:32:52 +02:00
zetigu
75d18931d1
Normalize punctuation and create/remove tmp dir 
Mostly fix before console text by using ":" without space.
Create/remove /mnt/new_qube_storage
 2021-04-02 09:00:36 -04:00
zetigu
32e728d8a9
Add btrfs filesystem show line 
Added one btrfs filesystem show line for displaying available btrfs filesystems.
 2021-04-02 08:51:33 -04:00
zetigu
6479d371b9
Add shell_session to terminal box 
Added a shell_session to the ``` of the first line.
 2021-04-02 08:50:03 -04:00
zetigu
8de70db078
Clarification in introduction 
More descriptive advantages of using Btrfs
 2021-04-02 08:46:44 -04:00
zetigu
a78075a442
Add instruction for using Btrfs as a qvm-pool 
I reformated the article to devide it in 2 section, one concerning LVM pools and the other Btrfs pool.
The synthax should be close to the original.
Awaiting comments.
 2021-04-01 18:18:49 -04:00
51 changed files with 1764 additions and 639 deletions

80
developer/building/development-workflow.md
View file

@ -12,42 +12,41 @@ title: Development workflow
A workflow for developing Qubes OS+ A workflow for developing Qubes OS+
First things first, setup [QubesBuilder](/doc/qubes-builder/). This guide To begin, setup [QubesBuilder](/doc/qubes-builder-v2/). This guide
assumes you're using qubes-builder to build Qubes. assumes you're using qubes-builder v2 to build Qubes.
## Repositories and committing Code ## Repositories and committing Code
Qubes is split into a bunch of git repos. These are all contained in the Qubes source code is split into many git repos. These are all contained in the
`qubes-src` directory under qubes-builder. Subdirectories there are separate `artifacts/sources` directory under qubes-builder. Subdirectories there are
components, stored in separate git repositories. separate components, stored in separate git repositories.
The best way to write and contribute code is to create a git repo somewhere The best way to write and contribute code is to create a git repo somewhere
(e.g., github) for the repo you are interested in editing (e.g., (e.g., GitHub) for the repo you are interested in editing (e.g.,
`qubes-manager`, `core-agent-linux`, etc). To integrate your repo with the rest `qubes-manager`, `core-agent-linux`, etc). To integrate your repo with the rest
of Qubes, cd to the repo directory and add your repository as a remote in git of Qubes, cd to the repo directory and add your repository as a remote in git
**Example:** **Example:**
~~~ ~~~
$ cd qubes-builder/qubes-src/qubes-manager $ cd qubes-builder/artifacts/sources/qubes-manager
$ git remote add abel git@github.com:abeluck/qubes-manager.git $ git remote add abel git@GitHub.com:abeluck/qubes-manager.git
~~~ ~~~
You can then proceed to easily develop in your own branches, pull in new You can then proceed to easily develop in your own branches, pull in new
commits from the dev branches, merge them, and eventually push to your own repo commits from the dev branches, merge them, and eventually push to your own repo.
on github.
When you are ready to submit your changes to Qubes to be merged, push your When you are ready to submit your changes to Qubes to be merged, push your
changes, then create a signed git tag (using `git tag -s`). Finally, send a changes, then create a signed git tag (using `git tag -s`). Finally, send a
letter to the Qubes listserv describing the changes and including the link to letter to the Qubes listserv describing the changes, and including a link to
your repository. You can also create pull request on github. Don't forget to your repository. If you are using GitHub you can instead create a pull request.
include your public PGP key you use to sign your tags. Don't forget to include the public PGP key you use to sign your tags.
### Kernel-specific notes ### Kernel-specific notes
#### Prepare fresh version of kernel sources, with Qubes-specific patches applied #### Prepare fresh version of kernel sources, with Qubes-specific patches applied
In qubes-builder/qubes-src/linux-kernel: In qubes-builder/artifacts/sources/linux-kernel:
~~~ ~~~
make prep make prep
@ -66,7 +65,7 @@ drwxr-xr-x 6 user user 4096 Nov 21 20:48 kernel-3.4.18/linux-obj
#### Go to the kernel tree and update the version #### Go to the kernel tree and update the version
In qubes-builder/qubes-src/linux-kernel: In qubes-builder/artifacts/sources/linux-kernel:
~~~ ~~~
cd kernel-3.4.18/linux-3.4.18 cd kernel-3.4.18/linux-3.4.18
@ -117,9 +116,7 @@ vi series.conf
#### Building RPMs #### Building RPMs
TODO: Is this step generic for all subsystems? Now is a good moment to make sure you have changed the kernel release name in
Now it is a good moment to make sure you have changed kernel release name in
rel file. For example, if you change it to '1debug201211116c' the rel file. For example, if you change it to '1debug201211116c' the
resulting RPMs will be named resulting RPMs will be named
'kernel-3.4.18-1debug20121116c.pvops.qubes.x86\_64.rpm'. This will help 'kernel-3.4.18-1debug20121116c.pvops.qubes.x86\_64.rpm'. This will help
@ -131,34 +128,23 @@ your changes locally.
To actually build RPMs, in qubes-builder: To actually build RPMs, in qubes-builder:
~~~ ~~~
make linux-kernel ./qb -c linux-kernel package fetch prep build
~~~ ~~~
RPMs will appear in qubes-src/linux-kernel/pkgs/fc20/x86\_64: RPMs will appear in
`artifacts/repository/destination_name/package_name`
(for example `artifacts/repository/host-fc37/linux-kernel-6.6.31-1.1/`
~~~ ### Useful [QubesBuilder](/doc/qubes-builder-v2/) commands
-rw-rw-r-- 1 user user 42996126 Nov 17 04:08 kernel-3.4.18-1debug20121116c.pvops.qubes.x86_64.rpm
-rw-rw-r-- 1 user user 43001450 Nov 17 05:36 kernel-3.4.18-1debug20121117a.pvops.qubes.x86_64.rpm
-rw-rw-r-- 1 user user 8940138 Nov 17 04:08 kernel-devel-3.4.18-1debug20121116c.pvops.qubes.x86_64.rpm
-rw-rw-r-- 1 user user 8937818 Nov 17 05:36 kernel-devel-3.4.18-1debug20121117a.pvops.qubes.x86_64.rpm
-rw-rw-r-- 1 user user 54490741 Nov 17 04:08 kernel-qubes-vm-3.4.18-1debug20121116c.pvops.qubes.x86_64.rpm
-rw-rw-r-- 1 user user 54502117 Nov 17 05:37 kernel-qubes-vm-3.4.18-1debug20121117a.pvops.qubes.x86_64.rpm
~~~
### Useful [QubesBuilder](/doc/qubes-builder/) commands 1. `./qb package diff` - show uncommitted changes
2. ` ./qb repository check-release-status-for-component` and
1. `make check` - will check if all the code was committed into repository and `./qb repository check-release-status-for-template`- show version of each
if all repository are tagged with signed tag. component/template (based on git tags)
2. `make show-vtags` - show version of each component (based on git tags) - 3. `./qb package sign` - sign built packages
mostly useful just before building ISO. **Note:** this will not show version 4. `./qb package publish` and `./qb package upload` - publish signed packages
for components containing changes since last version tag. and upload published
3. `make push` - push change from **all** repositories to git server. You must repository
set proper remotes (see above) for all repositories first.
4. `make prepare-merge` - fetch changes from remote repositories (can be
specified on commandline via GIT\_SUBDIR or GIT\_REMOTE vars), (optionally)
verify tags and show the changes. This do not merge the changes - there are
left for review as FETCH\_HEAD ref. You can merge them using `git merge
FETCH_HEAD` (in each repo directory). Or `make do-merge` to merge all of them.
## Copying Code to dom0 ## Copying Code to dom0
@ -297,12 +283,12 @@ if [ "$1" = "tb" ]; then
exit $? exit $?
fi fi
git remote add $1 git@github.com:$1/qubes-`basename $PWD` git remote add $1 git@GitHub.com:$1/qubes-`basename $PWD`
~~~ ~~~
It should be executed from component top level directory. This script takes one It should be executed from component top level directory. This script takes one
argument - remote name. If it is `tb`, then it creates qrexec-based git remote argument - remote name. If it is `tb`, then it creates qrexec-based git remote
to `testbuilder` VM. Otherwise it creates remote pointing at github account of to `testbuilder` VM. Otherwise it creates remote pointing at GitHub account of
the same name. In any case it points at repository matching current directory the same name. In any case it points at repository matching current directory
name. name.
@ -321,7 +307,7 @@ current and current-testing).
### RPM packages - yum repo ### RPM packages - yum repo
In source VM, grab [linux-yum](https://github.com/QubesOS/qubes-linux-yum) repository (below is assumed you've made it in In source VM, grab [linux-yum](https://GitHub.com/QubesOS/qubes-linux-yum) repository (below is assumed you've made it in
`~/repo-yum-upload` directory) and replace `update_repo.sh` script with: `~/repo-yum-upload` directory) and replace `update_repo.sh` script with:
~~~ ~~~
@ -337,7 +323,7 @@ find -type f -name '*.rpm' -delete
qrexec-client-vm $VMNAME local.UpdateYum qrexec-client-vm $VMNAME local.UpdateYum
~~~ ~~~
In target VM, setup actual yum repository (also based on [linux-yum](https://github.com/QubesOS/qubes-linux-yum), this time In target VM, setup actual yum repository (also based on [linux-yum](https://GitHub.com/QubesOS/qubes-linux-yum), this time
without modifications). You will also need to setup some gpg key for signing without modifications). You will also need to setup some gpg key for signing
packages (it is possible to force yum to install unsigned packages, but it packages (it is possible to force yum to install unsigned packages, but it
isn't possible for `qubes-dom0-update` tool). Fill `~/.rpmmacros` with isn't possible for `qubes-dom0-update` tool). Fill `~/.rpmmacros` with
@ -417,7 +403,7 @@ Remember to also import gpg public key using `rpm --import`.
Steps are mostly the same as in the case of yum repo. The only details that differ: Steps are mostly the same as in the case of yum repo. The only details that differ:
- use [linux-deb](https://github.com/QubesOS/qubes-linux-deb) instead of [linux-yum](https://github.com/QubesOS/qubes-linux-yum) as a base - both in source and target VM - use [linux-deb](https://GitHub.com/QubesOS/qubes-linux-deb) instead of [linux-yum](https://GitHub.com/QubesOS/qubes-linux-yum) as a base - both in source and target VM
- use different `update_repo.sh` script in source VM (below) - use different `update_repo.sh` script in source VM (below)
- use `local.UpdateApt` qrexec service in target VM (code below) - use `local.UpdateApt` qrexec service in target VM (code below)
- in target VM additionally place `update-local-repo.sh` script in repository dir (code below) - in target VM additionally place `update-local-repo.sh` script in repository dir (code below)

162
developer/building/qubes-builder-v2.md Normal file
View file

@ -0,0 +1,162 @@
---
lang: en
layout: doc
permalink: /doc/qubes-builder-v2/
redirect_from:
- /en/doc/qubes-builder-v2/
- /doc/QubesBuilder2/
- /wiki/QubesBuilder2/
ref: 311
title: Qubes builder v2
---
This is a brief introduction to using Qubes Builder v2 to work with Qubes OS
sources. It will walk you through installing and configuring Builder v2, and
using it to fetch and build Qubes OS packages.
For details and customization, use [Qubes OS v2 builder documentation](https://github.com/QubesOS/qubes-builderv2/).
# Overview
In the second generation of Qubes OS builder, container or disposable qube
isolation is used to perform every stage of the build and release process.
From fetching sources to building, everything is executed inside an isolated
*cage* (either a disposable or a container) using an *executor*. For every
command that needs to perform an action on sources, like cloning and
verifying Git repos, rendering a SPEC file, generating SRPM or Debian
source packages, a new cage is used. Only the signing, publishing, and
uploading stages are executed locally outside a cage.
# Setup
This is a simple setup using a docker executor. This is a good default choice;
if you don't know which executor to use, use docker.
1. First, decide what qube you are going to use when working with Qubes
Builder v2. It can be an AppVM or a Standalone qube, with some steps
different between the two.
2. Installing dependencies
If you want to use an app qube for developing, install dependencies in the template.
If you are using a standalone, install them in the qube itself.
Dependencies are specified in `dependencies-*.
txt` files in the main builder directory, and you can install them easily
in the following ways:
1. for Fedora, use:
```shell
$ sudo dnf install $(cat dependencies-fedora.txt)
$ test -f /usr/share/qubes/marker-vm && sudo dnf install qubes-gpg-split
```
2. for Debian (note: some Debian packages require Debian version 13 or
later), use:
```shell
$ sudo apt install $(cat dependencies-debian.txt)
$ test -f /usr/share/qubes/marker-vm && sudo apt install qubes-gpg-split
```
If you have installed dependencies in the template, close it, and
(re)start the development qube.
3. Clone the qubes-builder v2 repository into a location of your choice:
```shell
git clone https://github.com/QubesOS/qubes-builderv2
cd qubes-builderv2/
```
4. If you haven't previously used docker in the current qube, you need to set up
some permissions. In particular, the user has to be added to the `docker`
group:
```shell
$ sudo usermod -aG docker user
```
Next, **restart the qube**.
5. Finally, you need to generate a docker image:
```shell
$ tools/generate-container-image.sh docker
```
In an app qube, as `/var/lib/docker` is not persistent by default, you also
need to use [bind-dirs](/doc/bind-dirs/) to avoid repeating this step after reboot, adding
the following to the `/rw/config/qubes-bind-dirs.d/docker.conf` file in
this qube:
```
binds+=( '/var/lib/docker' )
```
# Configuration
To use Qubes OS Builder v2, you need to have a `builder.yml` configuration file.
You can use one of the sample files from the `example-configs/` directory; for a
more readable `builder.yml`, you can also include one of the files from that
directory in your `builder.yml`. An example `builder.yml` is:
```yaml
# include configuration relevant for the current release
include:
- example-configs/qubes-os-r4.2.yml
# which repository to use to fetch sources
use-qubes-repo:
version: 4.2
testing: true
# each package built will have local build number appended to package release
# number. It makes it easier to update in testing environment
increment-devel-versions: true
# reduce output
debug: false
# this can be set to true if you do not want sources to be automatically
# fetched from git
skip-git-fetch: false
# executor configuration
executor:
type: docker
options:
image: "qubes-builder-fedora:latest"
```
# Using Builder v2
To fetch sources - in this example, for the `core-admin-client` package, you
can use the following command:
```shell
$ ./qb -c core-admin-client package fetch
```
This will fetch the sources for the listed package and place them in
`artifacts/sources` directory.
To build a package (from sources in the `artifacts/sources` directory), use:
```shell
$ ./qb -c core-admin-client package fetch prep build
```
or, if you want to build for a specific target (`host-fc37` is a `dom0`
using Fedora 37, `vm-fc40` would be a qube using Fedora 40 etc.), use:
```shell
$ ./qb -c core-admin-client -d host-fc37 package fetch prep build
```
If you want to fetch the entire Qubes OS source use the following:
```shell
$ ./qb package fetch
```
**caution**: some repositories might have additional requirements. You can
disable repositories that are not needed in the `example-configs/*.yml`
file you are using by commenting them out. In particular, `python-fido2`,
`lvm` and `windows`-related repositories have special requirements.

2
developer/debugging/automated-tests.md
View file

@ -132,7 +132,7 @@ Whereas integration tests are mostly stored in the [qubes-core-admin](https://gi
To for example run the `qubes-core-admin` unit tests, you currently have to clone at least [qubes-core-admin](https://github.com/QubesOS/qubes-core-admin) and To for example run the `qubes-core-admin` unit tests, you currently have to clone at least [qubes-core-admin](https://github.com/QubesOS/qubes-core-admin) and
its dependency [qubes-core-qrexec](https://github.com/QubesOS/qubes-core-qrexec) repository in the branches that you want to test. its dependency [qubes-core-qrexec](https://github.com/QubesOS/qubes-core-qrexec) repository in the branches that you want to test.
The below example however will assume that you set up a build environment as described in the [Qubes Builder documentation](/doc/qubes-builder/). The below example however will assume that you set up a build environment as described in the [Qubes Builder documentation](/doc/qubes-builder-v2/).
Assuming you cloned the `qubes-builder` repository to your home directory inside a fedora VM, you can use the following commands to run the unit tests: Assuming you cloned the `qubes-builder` repository to your home directory inside a fedora VM, you can use the following commands to run the unit tests:

5
developer/debugging/test-bench.md
View file

@ -205,9 +205,10 @@ pushd ${HOME}/builder >/dev/null
# the following are needed only if you have sources outside builder # the following are needed only if you have sources outside builder
#rm -rf qubes-src/core-admin #rm -rf qubes-src/core-admin
#make COMPONENTS=core-admin get-sources #qb -c core-admin package fetch
make core-admin qb -c core-admin -d host-fc41 prep build
# update your dom0 fedora distribution as appropriate
qtb-install qubes-src/core-admin/rpm/x86_64/qubes-core-dom0-*.rpm qtb-install qubes-src/core-admin/rpm/x86_64/qubes-core-dom0-*.rpm
qtb-runtests qtb-runtests
``` ```

4
developer/general/gsoc.md
View file

@ -31,7 +31,7 @@ You should start learning the components that you plan on working on before the
Coming up with an interesting idea that you can realistically achieve in the time available to you (one summer) is probably the most difficult part. We strongly recommend getting involved in advance of the beginning of GSoC, and we will look favorably on applications from prospective contributors who have already started to act like free and open source developers. Coming up with an interesting idea that you can realistically achieve in the time available to you (one summer) is probably the most difficult part. We strongly recommend getting involved in advance of the beginning of GSoC, and we will look favorably on applications from prospective contributors who have already started to act like free and open source developers.
Before the summer starts, there are some preparatory tasks which are highly encouraged. First, if you aren't already, definitely start using Qubes as your primary OS as soon as possible! Also, it is encouraged that you become familiar and comfortable with the Qubes development workflow sooner than later. A good way to do this (and also a great way to stand out as an awesome applicant and make us want to accept you!) might be to pick up some issues from [qubes-issues](https://github.com/QubesOS/qubes-issues/issues) (our issue-tracking repo) and submit some patches addressing them. Some suitable issues might be those with tags ["help wanted" and "P: minor"](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue%20is%3Aopen%20label%3A%22P%3A%20minor%22%20label%3A%22help%20wanted%22) (although more significant things are also welcome, of course). Doing this will get you some practice with [qubes-builder](/doc/qubes-builder/), our code-signing policies, and some familiarity with our code base in general so you are ready to hit the ground running come summer. Before the summer starts, there are some preparatory tasks which are highly encouraged. First, if you aren't already, definitely start using Qubes as your primary OS as soon as possible! Also, it is encouraged that you become familiar and comfortable with the Qubes development workflow sooner than later. A good way to do this (and also a great way to stand out as an awesome applicant and make us want to accept you!) might be to pick up some issues from [qubes-issues](https://github.com/QubesOS/qubes-issues/issues) (our issue-tracking repo) and submit some patches addressing them. Some suitable issues might be those with tags ["help wanted" and "P: minor"](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue%20is%3Aopen%20label%3A%22P%3A%20minor%22%20label%3A%22help%20wanted%22) (although more significant things are also welcome, of course). Doing this will get you some practice with [qubes-builder](/doc/qubes-builder-v2/), our code-signing policies, and some familiarity with our code base in general so you are ready to hit the ground running come summer.
### Contributor proposal guidelines ### Contributor proposal guidelines
@ -422,7 +422,7 @@ for more information and qubes-specific background.
**Difficulty**: medium **Difficulty**: medium
**Knowledge prerequisite**: qubes-builder [[1]](/doc/qubes-builder/) [[2]](/doc/qubes-builder-details/) [[3]](https://github.com/QubesOS/qubes-builder/tree/master/doc), and efficient at introspecting complex systems: comfortable with tracing and debugging tools, ability to quickly identify and locate issues within a large codebase (upstream build tools), etc. **Knowledge prerequisite**: qubes-builder [[1]](/doc/qubes-builder-v2/) [[2]](https://github.com/QubesOS/qubes-builderv2), and efficient at introspecting complex systems: comfortable with tracing and debugging tools, ability to quickly identify and locate issues within a large codebase (upstream build tools), etc.
**Size of the project**: 350 hours **Size of the project**: 350 hours

2
developer/releases/4_0/release-notes.md
View file

@ -9,7 +9,7 @@ title: Qubes R4.0 release notes
New features since 3.2 New features since 3.2
---------------------- ----------------------
* Core management scripts rewrite with better structure and extensibility, [API documentation](https://dev.qubes-os.org/projects/qubes-core-admin/en/latest/) * Core management scripts rewrite with better structure and extensibility, [API documentation](https://dev.qubes-os.org/projects/core-admin/en/latest/index.html)
* [Admin API](/news/2017/06/27/qubes-admin-api/) allowing strictly controlled managing from non-dom0 * [Admin API](/news/2017/06/27/qubes-admin-api/) allowing strictly controlled managing from non-dom0
* All `qvm-*` command-line tools rewritten, some options have changed * All `qvm-*` command-line tools rewritten, some options have changed
* Renaming VM directly is prohibited, there is GUI to clone under new name and remove old VM * Renaming VM directly is prohibited, there is GUI to clone under new name and remove old VM

235
developer/services/admin-api.md
View file

@ -62,95 +62,100 @@ yet documented.
The API should be implemented as a set of qrexec calls. This is to make it easy The API should be implemented as a set of qrexec calls. This is to make it easy
to set the policy using current mechanism. to set the policy using current mechanism.
| call | dest | argument | inside | return | note | | call | dest | argument | inside | return | note |
| ------------------------------------- | --------- | --------- | ----------------------------------------- | --------------------------------------------------------- | ---- | |------------------------------------------------|------------|--------------|---------------------------------------------------------------------|-----------------------------------------------------| ---- |
| `admin.vmclass.List` | `dom0` | - | - | `<class>\n` | | `admin.vmclass.List` | `dom0` | - | - | `<class>\n` |
| `admin.vm.List` | `dom0|<vm>` | - | - | `<name> class=<class> state=<state>\n` | | `admin.vm.List` | `dom0 | <vm>` | - | - | `<name> class=<class> state=<state>\n` |
| `admin.vm.Create.<class>` | `dom0` | template | `name=<name> label=<label>` | - | | `admin.vm.Create.<class>` | `dom0` | template | `name=<name> label=<label>` | - |
| `admin.vm.CreateInPool.<class>` | `dom0` | template | `name=<name> label=<label> `<br/>`pool=<pool> pool:<volume>=<pool>` | - | either use `pool=` to put all volumes there, <br/>or `pool:<volume>=` for individual volumes - both forms are not allowed at the same time | `admin.vm.CreateInPool.<class>` | `dom0` | template | `name=<name> label=<label> `<br/>`pool=<pool> pool:<volume>=<pool>` | - | either use `pool=` to put all volumes there, <br/>or `pool:<volume>=` for individual volumes - both forms are not allowed at the same time
| `admin.vm.CreateDisposable` | template | - | - | name | Create new DisposableVM, `template` is any AppVM with `dispvm_allowed` set to True, or `dom0` to use default defined in `default_dispvm` property of calling VM; VM created with this call will be automatically removed after its shutdown; the main difference from `admin.vm.Create.DispVM` is automatic (random) name generation. | `admin.vm.CreateDisposable` | template | - | - | name | Create new DisposableVM, `template` is any AppVM with `dispvm_allowed` set to True, or `dom0` to use default defined in `default_dispvm` property of calling VM; VM created with this call will be automatically removed after its shutdown; the main difference from `admin.vm.Create.DispVM` is automatic (random) name generation.
| `admin.vm.Remove` | vm | - | - | - | | `admin.vm.Remove` | vm | - | - | - |
| `admin.label.List` | `dom0` | - | - | `<property>\n` | | `admin.label.List` | `dom0` | - | - | `<property>\n` |
| `admin.label.Create` | `dom0` | label | `0xRRGGBB` | - | | `admin.label.Create` | `dom0` | label | `0xRRGGBB` | - |
| `admin.label.Get` | `dom0` | label | - | `0xRRGGBB` | | `admin.label.Get` | `dom0` | label | - | `0xRRGGBB` |
| `admin.label.Index` | `dom0` | label | - | `<label-index>` | | `admin.label.Index` | `dom0` | label | - | `<label-index>` |
| `admin.label.Remove` | `dom0` | label | - | - | | `admin.label.Remove` | `dom0` | label | - | - |
| `admin.property.List` | `dom0` | - | - | `<property>\n` | | `admin.property.List` | `dom0` | - | - | `<property>\n` |
| `admin.property.Get` | `dom0` | property | - | `default={True|False} `<br/>`type={str|int|bool|vm|label|list} <value>` | Type `list` is added in R4.1. Values are of type `str` and each entry is suffixed with newline character. | `admin.property.Get` | `dom0` | property | - | `default={True |False} `<br/>`type={str|int|bool|vm|label|list} <value>` | Type `list` is added in R4.1. Values are of type `str` and each entry is suffixed with newline character.
| `admin.property.GetAll` | `dom0` | - | - | `<property-name> <full-value-as-in-property.Get>\n` | Get all the properties in one call. Each property is returned on a separate line and use the same value encoding as property.Get method, with an exception that newlines are encoded as literal `\n` and literal `\` are encoded as `\\`. | `admin.property.GetAll` | `dom0` | - | - | `<property-name> <full-value-as-in-property.Get>\n` | Get all the properties in one call. Each property is returned on a separate line and use the same value encoding as property.Get method, with an exception that newlines are encoded as literal `\n` and literal `\` are encoded as `\\`.
| `admin.property.GetDefault` | `dom0` | property | - | `type={str|int|bool|vm|label|list} <value>` | Type `list` is added in R4.1. Values are of type `str` and each entry is suffixed with newline character. | `admin.property.GetDefault` | `dom0` | property | - | `type={str |int|bool|vm|label|list} <value>` | Type `list` is added in R4.1. Values are of type `str` and each entry is suffixed with newline character.
| `admin.property.Help` | `dom0` | property | - | `help` | | `admin.property.Help` | `dom0` | property | - | `help` |
| `admin.property.HelpRst` | `dom0` | property | - | `help.rst` | | `admin.property.HelpRst` | `dom0` | property | - | `help.rst` |
| `admin.property.Reset` | `dom0` | property | - | - | | `admin.property.Reset` | `dom0` | property | - | - |
| `admin.property.Set` | `dom0` | property | value | - | | `admin.property.Set` | `dom0` | property | value | - |
| `admin.vm.property.List` | vm | - | - | `<property>\n` | | `admin.vm.property.List` | vm | - | - | `<property>\n` |
| `admin.vm.property.Get` | vm | property | - | `default={True|False} `<br/>`type={str|int|bool|vm|label|list} <value>` | Type `list` is added in R4.1. Each list entry is suffixed with a newline character. | `admin.vm.property.Get` | vm | property | - | `default={True |False} `<br/>`type={str|int|bool|vm|label|list} <value>` | Type `list` is added in R4.1. Each list entry is suffixed with a newline character.
| `admin.vm.property.GetAll` | vm | - | - | `<property-name> <full-value-as-in-property.Get>\n` | Get all the properties in one call. Each property is returned on a separate line and use the same value encoding as property.Get method, with an exception that newlines are encoded as literal `\n` and literal `\` are encoded as `\\`. | `admin.vm.property.GetAll` | vm | - | - | `<property-name> <full-value-as-in-property.Get>\n` | Get all the properties in one call. Each property is returned on a separate line and use the same value encoding as property.Get method, with an exception that newlines are encoded as literal `\n` and literal `\` are encoded as `\\`.
| `admin.vm.property.GetDefault` | vm | property | - | `type={str|int|bool|vm|label|type} <value>` | Type `list` is added in R4.1. Each list entry is suffixed with a newline character. | `admin.vm.property.GetDefault` | vm | property | - | `type={str |int|bool|vm|label|type} <value>` | Type `list` is added in R4.1. Each list entry is suffixed with a newline character.
| `admin.vm.property.Help` | vm | property | - | `help` | | `admin.vm.property.Help` | vm | property | - | `help` |
| `admin.vm.property.HelpRst` | vm | property | - | `help.rst` | | `admin.vm.property.HelpRst` | vm | property | - | `help.rst` |
| `admin.vm.property.Reset` | vm | property | - | - | | `admin.vm.property.Reset` | vm | property | - | - |
| `admin.vm.property.Set` | vm | property | value | - | | `admin.vm.property.Set` | vm | property | value | - |
| `admin.vm.feature.List` | vm | - | - | `<feature>\n` | | `admin.vm.feature.List` | vm | - | - | `<feature>\n` |
| `admin.vm.feature.Get` | vm | feature | - | value | | `admin.vm.feature.Get` | vm | feature | - | value |
| `admin.vm.feature.CheckWithTemplate` | vm | feature | - | value | | `admin.vm.feature.CheckWithTemplate` | vm | feature | - | value |
| `admin.vm.feature.CheckWithNetvm` | vm | feature | - | value | | `admin.vm.feature.CheckWithNetvm` | vm | feature | - | value |
| `admin.vm.feature.CheckWithAdminVM` | vm | feature | - | value | | `admin.vm.feature.CheckWithAdminVM` | vm | feature | - | value |
| `admin.vm.feature.CheckWithTemplateAndAdminVM`| vm | feature | - | value | | `admin.vm.feature.CheckWithTemplateAndAdminVM` | vm | feature | - | value |
| `admin.vm.feature.Remove` | vm | feature | - | - | | `admin.vm.feature.Remove` | vm | feature | - | - |
| `admin.vm.feature.Set` | vm | feature | value | - | | `admin.vm.feature.Set` | vm | feature | value | - |
| `admin.vm.tag.List` | vm | - | - | `<tag>\n` | | `admin.vm.notes.Get` | vm | - | - | notes |
| `admin.vm.tag.Get` | vm | tag | - | `0` or `1` | retcode? | | `admin.vm.notes.Set` | vm | - | notes | - |
| `admin.vm.tag.Remove` | vm | tag | - | - | | `admin.vm.tag.List` | vm | - | - | `<tag>\n` |
| `admin.vm.tag.Set` | vm | tag | - | - | | `admin.vm.tag.Get` | vm | tag | - | `0` or `1` | retcode? |
| `admin.vm.firewall.Get` | vm | - | - | `<rule>\n` | rules syntax as in [firewall interface](/doc/vm-interface/#firewall-rules-in-4x) with addition of `expire=` and `comment=` options; `comment=` (if present) must be the last option | `admin.vm.tag.Remove` | vm | tag | - | - |
| `admin.vm.firewall.Set` | vm | - | `<rule>\n` | - | set firewall rules, see `admin.vm.firewall.Get` for syntax | `admin.vm.tag.Set` | vm | tag | - | - |
| `admin.vm.firewall.Reload` | vm | - | - | - | force reload firewall without changing any rule | `admin.vm.firewall.Get` | vm | - | - | `<rule>\n` | rules syntax as in [firewall interface](/doc/vm-interface/#firewall-rules-in-4x) with addition of `expire=` and `comment=` options; `comment=` (if present) must be the last option
| `admin.vm.deviceclass.List` | `dom0` | - | - | `<class>\n` | | `admin.vm.firewall.Set` | vm | - | `<rule>\n` | - | set firewall rules, see `admin.vm.firewall.Get` for syntax
| `admin.vm.device.<class>.Attach` | vm | device | options | - | `device` is in form `<backend-name>+<device-ident>` <br/>optional options given in `key=value` format, separated with spaces; <br/>options can include `persistent=True` to "persistently" attach the device (default is temporary) | `admin.vm.firewall.Reload` | vm | - | - | - | force reload firewall without changing any rule
| `admin.vm.device.<class>.Detach` | vm | device | - | - | `device` is in form `<backend-name>+<device-ident>` | `admin.vm.device.<class>.Attach` | vm | device | assignment-serialization | - | `device` is in form `<backend-name>+<device-ident>` <br/>optional options given in `key=value` format, separated with spaces; <br/>options can include `persistent=True` to "persistently" attach the device (default is temporary)
| `admin.vm.device.<class>.Set.persistent`| vm | device | `True`\|`False` | - | `device` is in form `<backend-name>+<device-ident>` | `admin.vm.device.<class>.Detach` | vm | device | - | - | `device` is in form `<backend-name>+<device-ident>`.
| `admin.vm.device.<class>.List` | vm | - | - | `<device> <options>\n` | options can include `persistent=True` for "persistently" attached devices (default is temporary) | `admin.vm.device.<class>.Assign` | vm | device | assignment-serialization | - | `device` is in form `<backend-name>+<device-ident>` <br/> `assignment-serialization` is specified in the section Device Serialization.
| `admin.vm.device.<class>.Available` | vm | device-ident | - | `<device-ident> <properties> description=<desc>\n` | optional service argument may be used to get info about a single device, <br/>optional (device class specific) properties are in `key=value` form, <br/>`description` must be the last one and is the only one allowed to contain spaces | `admin.vm.device.<class>.Unassign` | vm | device | - | - | `device` is in form `<backend-name>+<device-ident>`.
| `admin.pool.List` | `dom0` | - | - | `<pool>\n` | | `admin.vm.device.<class>.Set.required` | vm | device | `True`\|`False` | - | `device` is in form `<backend-name>+<device-ident>`
| `admin.pool.ListDrivers` | `dom0` | - | - | `<pool-driver> <property> ...\n` | Properties allowed in `admin.pool.Add` | `admin.vm.deviceclass.List` | `dom0` | - | - | `<deviceclass>\n` |
| `admin.pool.Info` | `dom0` | pool | - | `<property>=<value>\n` | | `admin.vm.device.<class>.Available` | vm | device-ident | - | `<device-ident> <device-serialization>\n` | optional service argument may be used to get info about a single device, <br/> `device-serialization` is specified in the section Device Serialization.
| `admin.pool.Add` | `dom0` | driver | `<property>=<value>\n` | - | | `admin.vm.device.<class>.Assigned` | vm | device-ident | - | `<device-ident> <assignment-serialization>\n` | optional service argument may be used to get info about a single device, <br/> `assignment-serialization` is specified in the section Device Serialization.
| `admin.pool.Set.revisions_to_keep` | `dom0` | pool | `<value>` | - | | `admin.vm.device.<class>.Attached` | vm | device-ident | - | `<device-ident> <assignment-serialization>\n` | optional service argument may be used to get info about a single device, <br/> `assignment-serialization` is specified in the section Device Serialization.
| `admin.pool.Remove` | `dom0` | pool | - | - | | `admin.pool.List` | `dom0` | - | - | `<pool>\n` |
| `admin.pool.volume.List` | `dom0` | pool | - | volume id | | `admin.pool.ListDrivers` | `dom0` | - | - | `<pool-driver> <property> ...\n` | Properties allowed in `admin.pool.Add`
| `admin.pool.volume.Info` | `dom0` | pool | vid | `<property>=<value>\n` | | `admin.pool.Info` | `dom0` | pool | - | `<property>=<value>\n` |
| `admin.pool.volume.Set.revisions_to_keep`| `dom0` | pool | `<vid> <value>` | - | | `admin.pool.Add` | `dom0` | driver | `<property>=<value>\n` | - |
| `admin.pool.volume.ListSnapshots` | `dom0` | pool | vid | `<snapshot>\n` | | `admin.pool.Set.revisions_to_keep` | `dom0` | pool | `<value>` | - |
| `admin.pool.volume.Snapshot` | `dom0` | pool | vid | snapshot | | `admin.pool.Remove` | `dom0` | pool | - | - |
| `admin.pool.volume.Revert` | `dom0` | pool | `<vid> <snapshot>` | - | | `admin.pool.volume.List` | `dom0` | pool | - | volume id |
| `admin.pool.volume.Resize` | `dom0` | pool | `<vid> <size_in_bytes>` | - | | `admin.pool.volume.Info` | `dom0` | pool | vid | `<property>=<value>\n` |
| `admin.pool.volume.Import` | `dom0` | pool | `<vid>\n<raw volume data>` | - | | `admin.pool.volume.Set.revisions_to_keep` | `dom0` | pool | `<vid> <value>` | - |
| `admin.pool.volume.CloneFrom` | `dom0` | pool | vid | token, to be used in `admin.pool.volume.CloneTo` | obtain a token to copy volume `vid` in `pool`;<br/>the token is one time use only, it's invalidated by `admin.pool.volume.CloneTo`, even if the operation fails | | `admin.pool.volume.ListSnapshots` | `dom0` | pool | vid | `<snapshot>\n` |
| `admin.pool.volume.CloneTo` | `dom0` | pool | `<vid> <token>` | - | copy volume pointed by a token to volume `vid` in `pool` | | `admin.pool.volume.Snapshot` | `dom0` | pool | vid | snapshot |
| `admin.vm.volume.List` | vm | - | - | `<volume>\n` | `<volume>` is per-VM volume name (`root`, `private`, etc), `<vid>` is pool-unique volume id | `admin.pool.volume.Revert` | `dom0` | pool | `<vid> <snapshot>` | - |
| `admin.vm.volume.Info` | vm | volume | - | `<property>=<value>\n` | | `admin.pool.volume.Resize` | `dom0` | pool | `<vid> <size_in_bytes>` | - |
| `admin.vm.volume.Set.revisions_to_keep`| vm | volume | value | - | | `admin.pool.volume.Import` | `dom0` | pool | `<vid>\n<raw volume data>` | - |
| `admin.vm.volume.ListSnapshots` | vm | volume | - | snapshot | duplicate of `admin.pool.volume.`, but with other call params | | `admin.pool.volume.CloneFrom` | `dom0` | pool | vid | token, to be used in `admin.pool.volume.CloneTo` | obtain a token to copy volume `vid` in `pool`;<br/>the token is one time use only, it's invalidated by `admin.pool.volume.CloneTo`, even if the operation fails |
| `admin.vm.volume.Snapshot` | vm | volume | - | snapshot | id. | | `admin.pool.volume.CloneTo` | `dom0` | pool | `<vid> <token>` | - | copy volume pointed by a token to volume `vid` in `pool` |
| `admin.vm.volume.Revert` | vm | volume | snapshot | - | id. | | `admin.vm.volume.List` | vm | - | - | `<volume>\n` | `<volume>` is per-VM volume name (`root`, `private`, etc), `<vid>` is pool-unique volume id
| `admin.vm.volume.Resize` | vm | volume | size_in_bytes | - | id. | | `admin.vm.volume.Info` | vm | volume | - | `<property>=<value>\n` |
| `admin.vm.volume.Import` | vm | volume | raw volume data | - | id. | | `admin.vm.volume.Set.revisions_to_keep` | vm | volume | value | - |
| `admin.vm.volume.ImportWithSize` | vm | volume | `<size_in_bytes>\n<raw volume data>` | - | new version of `admin.vm.volume.Import`, allows new volume to be different size | | `admin.vm.volume.ListSnapshots` | vm | volume | - | snapshot | duplicate of `admin.pool.volume.`, but with other call params |
| `admin.vm.volume.Clear` | vm | volume | - | - | clear contents of volume | | `admin.vm.volume.Snapshot` | vm | volume | - | snapshot | id. |
| `admin.vm.volume.CloneFrom` | vm | volume | - | token, to be used in `admin.vm.volume.CloneTo` | obtain a token to copy `volume` of `vm`;<br/>the token is one time use only, it's invalidated by `admin.vm.volume.CloneTo`, even if the operation fails | | `admin.vm.volume.Revert` | vm | volume | snapshot | - | id. |
| `admin.vm.volume.CloneTo` | vm | volume | token, obtained with `admin.vm.volume.CloneFrom` | - | copy volume pointed by a token to `volume` of `vm` | | `admin.vm.volume.Resize` | vm | volume | size_in_bytes | - | id. |
| `admin.vm.CurrentState` | vm | - | - | `<state-property>=<value>\n` | state properties: `power_state`, `mem`, `mem_static_max`, `cputime` | `admin.vm.volume.Import` | vm | volume | raw volume data | - | id. |
| `admin.vm.Start` | vm | - | - | - | | `admin.vm.volume.ImportWithSize` | vm | volume | `<size_in_bytes>\n<raw volume data>` | - | new version of `admin.vm.volume.Import`, allows new volume to be different size |
| `admin.vm.Shutdown` | vm | - | - | - | | `admin.vm.volume.Clear` | vm | volume | - | - | clear contents of volume |
| `admin.vm.Pause` | vm | - | - | - | | `admin.vm.volume.CloneFrom` | vm | volume | - | token, to be used in `admin.vm.volume.CloneTo` | obtain a token to copy `volume` of `vm`;<br/>the token is one time use only, it's invalidated by `admin.vm.volume.CloneTo`, even if the operation fails |
| `admin.vm.Unpause` | vm | - | - | - | | `admin.vm.volume.CloneTo` | vm | volume | token, obtained with `admin.vm.volume.CloneFrom` | - | copy volume pointed by a token to `volume` of `vm` |
| `admin.vm.Kill` | vm | - | - | - | | `admin.vm.CurrentState` | vm | - | - | `<state-property>=<value>\n` | state properties: `power_state`, `mem`, `mem_static_max`, `cputime`
| `admin.backup.Execute` | `dom0` | config id | - | - | config in `/etc/qubes/backup/<id>.conf`, only one backup operation of given `config id` can be running at once | | `admin.vm.Start` | vm | - | - | - |
| `admin.backup.Info` | `dom0` | config id | - | backup info | info what would be included in the backup | `admin.vm.Shutdown` | vm | - | - | - |
| `admin.backup.Cancel` | `dom0` | config id | - | - | cancel running backup operation | `admin.vm.Pause` | vm | - | - | - |
| `admin.Events` | `dom0|vm` | - | - | events | | `admin.vm.Unpause` | vm | - | - | - |
| `admin.vm.Stats` | `dom0|vm` | - | - | `vm-stats` events, see below | emit VM statistics (CPU, memory usage) in form of events | `admin.vm.Kill` | vm | - | - | - |
| `admin.backup.Execute` | `dom0` | config id | - | - | config in `/etc/qubes/backup/<id>.conf`, only one backup operation of given `config id` can be running at once |
| `admin.backup.Info` | `dom0` | config id | - | backup info | info what would be included in the backup
| `admin.backup.Cancel` | `dom0` | config id | - | - | cancel running backup operation
| `admin.Events` | `dom0 | vm` | - | - | events |
| `admin.vm.Stats` | `dom0 | vm` | - | - | `vm-stats` events, see below | emit VM statistics (CPU, memory usage) in form of events
Volume properties: Volume properties:
@ -302,6 +307,58 @@ destination_vm: sys-net
destination_path: ncftpput -u my-ftp-username -p my-ftp-pass -c my-ftp-server /directory/for/backups destination_path: ncftpput -u my-ftp-username -p my-ftp-pass -c my-ftp-server /directory/for/backups
``` ```
## Device Serialization
Both device and assignment serialization is ASCII-encoded and contains
space-separated key-value pairs. The format includes an `=` between the key
and value, and the value is always enclosed in single quotes (`'`).
Values may contain spaces or even single quotes, which are escaped with a backslash.
If a value is not set (`None`), it is represented as `'unknown'`.
For boolean values, `True` is represented as `'yes'`, and `False` as `'no'`.
The order of key-value pairs is irrelevant. Keys starting with `_`
are considered extra properties and are saved in `data` or `options`
for device or assignment respectively.
Information about the serialization format of specific properties can be found below.
Format:
```
<ident> <property_1>='<value_1>' <property_2>='<value_2>' <property_3>='<value_3>'...
```
Detailed serialization format for a device:
- `ident='<ident>'`
- `backend_domain='<backend_domain.name>'`
- `devclass='<devclass>'`
- `vendor='<vendor>'`
- `product='<product>'`
- `manufacturer='<manufacturer>'`
- `name='<name>'`
- `serial='<serial>'`
- `self_identity='<self_identity>'`
- `interfaces='<interface1><interface2>...'`
Each device interface is represented with a 7-character length. Each device has at least one interface. Since the length of the interface representation is known, they are serialized as a single string with each interface representation concatenated one after another. The order is irrelevant.
- `parent_ident='<parent.ident>' parent_devclass='<parent.devclass>'`
- `attachment='<attachment.name>'`
- `_<key1>='<value1>' _<key2>='<value2>' ...` (extra parameters)
Detailed serialization format for an assignment:
- `ident='<ident>'`
- `backend_domain='<backend_domain.name>'`
- `devclass='<devclass>'`
- `frontend_domain='<frontend_domain.name>'`
- `required='<yes/no>'` (default 'no')
- `attach_automatically='<yes/no>'` (default 'no')
- `_<key1>='<str(value1)>' _<key2>='<str(value2)>' ...` (options)
Example device serialization:
```
1-1.1.1 manufacturer='unknown' self_identity='0000:0000::?******' serial='unknown' ident='1-1.1.1' product='Qubes' vendor='ITL' name='Some untrusted garbage' devclass='bus' backend_domain='vm' interfaces=' ******u03**01' _additional_info='' _date='06.12.23' parent_ident='1-1.1' parent_devclass='None'
```
## General notes ## General notes
- there is no provision for `qvm-run`, but there already exists `qubes.VMShell` call - there is no provision for `qvm-run`, but there already exists `qubes.VMShell` call

2
developer/services/qrexec-internals.md
View file

@ -253,4 +253,4 @@ There are two endpoints:
- `policy.Ask` - ask the user about whether to execute a given action - `policy.Ask` - ask the user about whether to execute a given action
- `policy.Notify` - notify the user about an action. - `policy.Notify` - notify the user about an action.
See [qrexec-policy-agent.rst](https://github.com/QubesOS/qubes-core-qrexec/blob/master/Documentation/qrexec-policy-agent.rst) for protocol details. See [qrexec-policy-agent.md](https://github.com/QubesOS/qubes-core-qrexec/blob/master/doc/qrexec-policy-agent.md) for protocol details.

5
developer/system/networking.md
View file

@ -62,9 +62,12 @@ Such configuration can be expressed by enabling `ipv6` feature only on some subs
![ipv6-2](/attachment/doc/ipv6-2.png) ![ipv6-2](/attachment/doc/ipv6-2.png)
Besides enabling IPv6 forwarding, standard Qubes firewall can be used to limit what network resources are available to each qube. Currently only `qvm-firewall` command support adding IPv6 rules, GUI firewall editor will have this ability later. Besides enabling IPv6 forwarding, the standard Qubes firewall can be used to limit what network resources are available to each qube. Currently only the `qvm-firewall` command supports adding IPv6 rules, the GUI firewall editor will have this ability later.
**Note:** Setting or unsetting the `ipv6` feature only affects qubes-configured networking. It does not affect e.g. external interfaces. If you want to restrict IPv6 on these interfaces change the settings in Network Manager. Alternatively, disable IPv6 support using methods appropriate to the underlying template.
### Limitations ### Limitations
Currently only IPv4 DNS servers are configured, regardless of `ipv6` feature state. It is done this way to avoid reconfiguring all connected qubes whenever IPv6 DNS becomes available or not. Configuring qubes to always use IPv6 DNS and only fallback to IPv4 may result in relatively long timeouts and poor usability. Currently only IPv4 DNS servers are configured, regardless of `ipv6` feature state. It is done this way to avoid reconfiguring all connected qubes whenever IPv6 DNS becomes available or not. Configuring qubes to always use IPv6 DNS and only fallback to IPv4 may result in relatively long timeouts and poor usability.
But note that DNS using IPv4 does not prevent to return IPv6 addresses. In practice this is only a problem for IPv6-only networks. But note that DNS using IPv4 does not prevent to return IPv6 addresses. In practice this is only a problem for IPv6-only networks.

2
introduction/faq.md
View file

@ -678,7 +678,7 @@ Any rpm-based, 64-bit environment, the preferred OS being Fedora.
### How do I build Qubes from sources? ### How do I build Qubes from sources?
See [these instructions](/doc/qubes-builder/). See [these instructions](/doc/qubes-builder-v2/).
### How do I submit a patch? ### How do I submit a patch?

136
introduction/getting-started.md
View file

@ -18,14 +18,13 @@ Dive right in to [organizing your qubes](/doc/how-to-organize-your-qubes/).)
## The Basics ## The Basics
Qubes OS is an operating system built out of securely-isolated compartments Qubes OS is an operating system built out of securely-isolated compartments, or [qubes](/doc/glossary/#qube).
called [qubes](/doc/glossary/#qube). For example, you might have a work qube, a You can have a work qube, a personal qube, a banking qube, a web browsing qube, a standalone Windows qube and so on.
personal qube, a banking qube, a web browsing qube, and so on. You can have as You can have as many qubes as you want! Most of the time, you'll be using an [app
many qubes as you want! Most of the time, you'll be using an [app qube](/doc/glossary/#app-qube), a qube for running software
qube](/doc/glossary/#app-qube), which is a qube intended for running software
programs like web browsers, email clients, and word processors. Each app qube programs like web browsers, email clients, and word processors. Each app qube
is based on another type of qube called a [template](/doc/glossary/#template). is based on another type of qube called a [template](/doc/glossary/#template).
More than one qube can be based on the same template. Importantly, a qube The same template can be a base for various qubes. Importantly, a qube
cannot modify its template in any way. This means that, if a qube is ever cannot modify its template in any way. This means that, if a qube is ever
compromised, its template and any other qubes based on that template will compromised, its template and any other qubes based on that template will
remain safe. This is what makes Qubes OS so secure. Even if an attack is remain safe. This is what makes Qubes OS so secure. Even if an attack is
@ -35,9 +34,8 @@ Suppose you want to use your favorite web browser in several different qubes.
You'd install the web browser in a template, then every qube based on that You'd install the web browser in a template, then every qube based on that
template would be able to run the web browser software (while still being template would be able to run the web browser software (while still being
forbidden from modifying the template and any other qubes). This way, you only forbidden from modifying the template and any other qubes). This way, you only
have to install the web browser a single time, and updating the template serves have to install the web browser a single time, and updating the template updates all the qubes based on it.
to update all the qubes based on it. This elegant design saves time and space This elegant design saves time and space while enhancing security.
while enhancing security.
There are also some "helper" qubes in your system. Each qube that connects to There are also some "helper" qubes in your system. Each qube that connects to
the Internet does so through a network-providing [service the Internet does so through a network-providing [service
@ -54,27 +52,25 @@ corresponding version number. There are many ready-to-use
many as you like. many as you like.
Last but not least, there's a very special [admin Last but not least, there's a very special [admin
qube](/doc/glossary/#admin-qube) which, as the name suggests, is used to qube](/doc/glossary/#admin-qube) used to administer your entire system.
administer your entire system. There's only one admin qube, and it's called There's only one admin qube, and it's called [dom0](/doc/glossary/#dom0).
[dom0](/doc/glossary/#dom0). You can think of it as the master qube, holding You can think of it as the master qube, holding ultimate power over everything that happens in Qubes OS.
ultimate power over everything that happens in Qubes OS. Dom0 is more trusted Dom0 is the most trusted one of all qubes. If dom0 were ever to be compromised, it would be "game over"- an effective compromise of the entire system.
than any other qube. If dom0 were ever compromised, it would be "game over." That's why everything in Qubes OS is specifically designed to protect dom0 and ensure that doesn't
The entire system would effectively be compromised. That's why everything in
Qubes OS is specifically designed to protect dom0 and ensure that doesn't
happen. Due to its overarching importance, dom0 has no network connectivity and happen. Due to its overarching importance, dom0 has no network connectivity and
is used only for running the [desktop is used only for running the [desktop
environment](https://en.wikipedia.org/wiki/Desktop_environment) and [window environment](https://en.wikipedia.org/wiki/Desktop_environment) and [window
manager](https://en.wikipedia.org/wiki/Window_manager). Dom0 should never be manager](https://en.wikipedia.org/wiki/Window_manager). Dom0 should never be
used for anything else. In particular, you should never run user applications used for anything else. In particular, you should never run user applications
in dom0. (That's what your app qubes are for!) in dom0. (That's what your app qubes are for!) In short, be very careful when interacting with dom0.
### Color & Security ### Color & Security
You'll choose a **color** for each of your qubes out of a predefined set of You'll choose a **color** for each of your qubes out of a predefined set of
colors. Each window on your desktop will have its frame colored according to colors. The color of the frame of each window on your desktop will correspond to the color of that qube.
the color of that qube. These colored frames help you keep track of which qube These colored frames help you keep track of which qube you're currently using.
each window belongs to and how trustworthy it is. This is especially helpful You may use them to show how trustworthy it is. This is especially helpful
when you have the same app running in multiple qubes at the same time. For when you have the same program running in multiple qubes at the same time. For
example, if you're logged in to your bank account in one qube while doing some example, if you're logged in to your bank account in one qube while doing some
random web surfing in a different qube, you wouldn't want to accidentally enter random web surfing in a different qube, you wouldn't want to accidentally enter
your banking password in the latter! The colored frames help to avoid such your banking password in the latter! The colored frames help to avoid such
@ -83,16 +79,16 @@ mistakes.
[![snapshot_41.png](/attachment/doc/r4.1-snapshot_40.png)](/attachment/doc/r4.1-snapshot_40.png) [![snapshot_41.png](/attachment/doc/r4.1-snapshot_40.png)](/attachment/doc/r4.1-snapshot_40.png)
Most Qubes users associate red with what's untrusted and dangerous (like a red Most Qubes users associate red with what's untrusted and dangerous (like a red
light: stop! danger!), green with what's safe and trusted, and yellow and stop light signalling danger), green with what's safe and trusted, and yellow and
orange with things in the middle. This color scheme also extends to include orange with things in-between. This color scheme also includes
blue and black, which are usually interpreted as indicating progressively more blue and black, commonly interpreted as indicating progressively more
trusted domains than green, with black being ultimately trusted. Color and trusted domains than green, with black being ultimately trusted. However, color and
associated meanings are ultimately up to you, however. The system itself does associated meanings are entirely up to you. The system itself does
not treat the colors differently. If you create two identical qubes --- black not treat the colors differently - they're all equally safe on their own. If you create two identical qubes --- black
and red, say --- they'll be the same until you start using them differently. and red, say --- they'll be the same until you start using them differently.
Feel free to use the colors in whatever way is most useful to you. For example, Feel free to use the colors in the way that best meets your needs. For example,
you might decide to use three or four qubes for work activities and give them you might decide to use three or four qubes for work activities and give them
all the same color --- or all different colors. It's entirely up to you. all the same color --- or all different colors depending on the nature of the task they are used for.
### User Interface ### User Interface
@ -104,27 +100,24 @@ the window managers [i3](/doc/i3/) and [AwesomeWM](/doc/awesomewm/).
[![r4.0-taskbar.png](/attachment/doc/r4.0-taskbar.png)](/attachment/doc/r4.0-taskbar.png) [![r4.0-taskbar.png](/attachment/doc/r4.0-taskbar.png)](/attachment/doc/r4.0-taskbar.png)
The bar at the top of your screen in Qubes 4.0 includes the following XFCE The bar at the top of your screen in Qubes 4.2 includes the following XFCE
component areas: component areas:
- The **Tray**, where many functional widgets live. - The **App Menu**, where you go to open an application within a qube, to open
a dom0 terminal, to access administrative UI tools such as the Qube Manager,
or to access settings panels for your desktop environment.
- The **Task Bar** where buttons for open and hidden windows live.
- **Spaces**, an interface for [virtual - **Spaces**, an interface for [virtual
desktops](https://en.wikipedia.org/wiki/Virtual_desktop). Virtual desktops do desktops](https://en.wikipedia.org/wiki/Virtual_desktop). Virtual desktops do
not have any inherent security isolation properties, but some users find them not have any inherent security isolation properties, but some users find them
useful for organizing things. useful for organizing things.
- The **Task Bar** where buttons for open and hidden windows live. - The **Tray**, where many functional widgets live.
- The **App Menu**, where you go to open an application within a qube, to open
a dom0 terminal, to access administrative UI tools such as the Qube Manager,
or to access settings panels for your desktop environment.
To learn more about how to customize your desktop environment, we recommend you
spend some time going through [XFCE's documentation](https://docs.xfce.org/).
There are several tray widgets that are unique to Qubes OS: There are several tray widgets that are unique to Qubes OS:
- The **Whonix SDWDate** allows you to control the Tor connection in your - The **Whonix SDWDate** allows you to control the Tor connection in your
[`sys-whonix`](https://www.whonix.org/wiki/Qubes) qube. [`sys-whonix`](https://www.whonix.org/wiki/Qubes) qube.
- The **Qubes Clipboard** lets you easily copy text from dom0. - The **Qubes Clipboard** lets you easily [copy text](https://wwwpreview.qubes-os.org/doc/how-to-copy-and-paste-text/) between various qubes and from dom0.
- The **Qubes Devices** widget allows you to attach and detach devices --- such - The **Qubes Devices** widget allows you to attach and detach devices --- such
as USB drives and cameras --- to qubes. as USB drives and cameras --- to qubes.
- The **Qubes Disk Space** widget shows you how much storage you're using. - The **Qubes Disk Space** widget shows you how much storage you're using.
@ -136,50 +129,57 @@ There are several tray widgets that are unique to Qubes OS:
[![r4.1-widgets.png](/attachment/doc/r4.1-widgets.png)](/attachment/doc/r4.1-widgets.png) [![r4.1-widgets.png](/attachment/doc/r4.1-widgets.png)](/attachment/doc/r4.1-widgets.png)
To learn more about how to customize your desktop environment, we recommend you
go through [XFCE's documentation](https://docs.xfce.org/).
#### Qube Manager #### Qube Manager
To see all of your qubes at the same time, you can use the **Qube Manager** (go To see all of your qubes at the same time, you can use the **Qube Manager**.
to the App Menu → Qubes Tools → Qube Manager), which displays the states of It displays the states of all the qubes in your system, even the ones that arent running.
all the qubes in your system, even the ones that aren't running.
To access Qube Manager go to:
Qubes Icon (App Menu) → Settings Icon → Qubes Tools → **Qube Manager**
[![r4.1-qubes-manager.png](/attachment/doc/r4.1-qubes-manager.png)](/attachment/doc/r4.1-qubes-manager.png) [![r4.1-qubes-manager.png](/attachment/doc/r4.1-qubes-manager.png)](/attachment/doc/r4.1-qubes-manager.png)
#### Command-line interface #### Command-line interface
All aspects of Qubes OS can be controlled using command-line tools. Opening a All aspects of Qubes OS can be controlled using command-line tools such as the terminal emulator.
terminal emulator in dom0 can be done in several ways: The default terminal emulator in Qubes is Xfce Terminal.
Opening a terminal emulator in dom0 can be done in several ways:
- Go to the App Menu and select **Terminal Emulator** at the top. - Go to the App Menu, click on the Settings icon, choose Other from the drop-down menu, and select **Xfce Terminal Emulator** at the bottom.
- Press `Alt`+`F3` and search for `xfce terminal`. - Press `Alt`+`F3` and search for `xfce terminal`.
- Right-click on the desktop and select **Open Terminal Here**. - Right-click on the desktop and select **Open Terminal Here**.
Terminal emulators can also be run in other qubes as normal programs. Various Various command-line tools are described as part of this guide, and the whole reference can be found [here](/doc/tools/).
command-line tools are described as part of this guide, and the whole reference Terminal emulators can also be run in other qubes as normal programs.
can be found [here](/doc/tools/).
## First boot ## First boot
When you install Qubes OS, a number of qubes are pre-configured for you: When you install Qubes OS, a number of qubes are pre-configured for you:
- **Templates:** `fedora-XX` (`XX` being the version number) - **App qubes** such as `work`, `personal`, `untrusted`, and `vault` are your "starter pack" qubes to compartmentalize tasks
and types of data to suit most basic needs. (There is nothing special about these pre-configured qubes - they are identical in nature to more specific ones you might wish to create later.)
- **Templates:** `fedora-XX`, `debian-XX` (`XX` being the version number)
- **Service qubes:** `sys-usb`, `sys-net`, `sys-firewall`, and `sys-whonix`)
- **Admin qube:** `dom0` - **Admin qube:** `dom0`
- **Service qubes:** `sys-usb`, `sys-net`, `sys-firewall`, and `sys-whonix`
- **App qubes** configured to prioritize security by compartmentalizing tasks
and types of data: `work`, `personal`, `untrusted`, and `vault`. (There is
nothing special about these qubes. If you were to create a black qube and
name it `vault`, it would be the same as the pre-configured `vault` qube.
They're just suggestions to get you started. )
A variety of open-source applications such as file managers, command-line Other software installed in Qubes OS by default includes open-source applications such as file managers,
terminals, printer managers, text editors, and "applets" used to configure command-line terminals, printer managers, text editors, and applets for configuring audio and user interface settings.
different things like audio or parts of the user interface are also installed Most of these applications are incorporated within each template.
by default—most within the templates. Most are bundled with each template.
### Adding, removing, and listing qubes ### Adding, removing, and listing qubes
You can easily create a new qube with the **Create Qubes VM** option in the App To create a new qube or remove one, use **Create Qubes VM** option in the App Menu.
Menu. If you need to add or remove qubes, simply use the Qube Manager's **Add**
and **Remove** buttons. You can also add, remove, and list qubes from the Creating a New Qube:
Qubes Icon → Settings → Qubes Tools → Qube Manager → Create Qubes VM → **New Qube**
Removing a qube:
To remove a qube, use the **Delete qube button** as the final step instead.
You can also add, remove, and list qubes from the
command line using the following tools: command line using the following tools:
- `qvm-create` - `qvm-create`
@ -188,14 +188,8 @@ command line using the following tools:
### How many qubes do I need? ### How many qubes do I need?
That's a great question, but there's no one-size-fits-all answer. It depends on It's a good idea to start out with the pre-installed app qubes: `work`, `personal`, `untrusted`, and `vault`.
the structure of your digital life, and this is at least a little different for If you start to feel that some activity just doesn't fit into any of your existing qubes, or
everyone. If you plan on using your system for work, then it also depends on
what kind of job you do.
It's a good idea to start out with the qubes created automatically by the
installer: `work`, `personal`, `untrusted`, and `vault`. If and when you start
to feel that some activity just doesn't fit into any of your existing qubes, or
you want to partition some part of your life, you can easily create a new qube you want to partition some part of your life, you can easily create a new qube
for it. You'll also be able to easily [copy any for it. You'll also be able to easily [copy any
files](/doc/how-to-copy-and-move-files) you need to the newly-created qube. files](/doc/how-to-copy-and-move-files) you need to the newly-created qube.
@ -252,5 +246,5 @@ GitHub](https://github.com/QubesOS).
## Documentation ## Documentation
Peruse our extensive library of [documentation](/doc/) for users and developers Browse our extensive library of [documentation](/doc/) for users and developers
of Qubes OS. You can even [help us improve it](/doc/how-to-edit-the-documentation/)! of Qubes OS. You can even [help us improve it](/doc/how-to-edit-the-documentation/)!

2
introduction/video-tours.md
View file

@ -22,7 +22,7 @@ Watch all the talks from Qubes OS Summit 2022, which took place September 9-11,
## Micah Lee presents "Qubes OS: The Operating System That Can Protect You Even If You Get Hacked" ## Micah Lee presents "Qubes OS: The Operating System That Can Protect You Even If You Get Hacked"
[Micah Lee](https://micahflee.com/), a long-time Qubes [advocate](/endorsements/), presented [Qubes OS: The Operating System That Can Protect You Even If You Get Hacked](https://www.hope.net/schedule.html#-qubes-os-the-operating-system-that-can-protect-you-even-if-you-get-hacked-) at the [Circle of HOPE](https://www.hope.net/index.html) conference, which took place July 20-22, 2018 in New York City. [Micah Lee](https://micahflee.com/), a long-time Qubes [advocate](/endorsements/), presented [Qubes OS: The Operating System That Can Protect You Even If You Get Hacked](https://archive.org/details/QubesOSTheOperatingSystemThatCanProtectYouEvenIfYouGetHackedTalkByMicahLee) at the Circle of HOPE conference, which took place July 20-22, 2018 in New York City.
<div class="video more-bottom"> <div class="video more-bottom">
<iframe class="responsive" referrerpolicy="no-referrer" scrolling="no" allowfullscreen src="https://livestream.com/accounts/9197973/events/8286152/videos/178431606/player?autoPlay=false"></iframe> <iframe class="responsive" referrerpolicy="no-referrer" scrolling="no" allowfullscreen src="https://livestream.com/accounts/9197973/events/8286152/videos/178431606/player?autoPlay=false"></iframe>

4
user/advanced-topics/config-files.md
View file

@ -18,7 +18,7 @@ That way, they can be used to customize a single VM instead of all VMs based on
The scripts here all run as root. The scripts here all run as root.
- `/rw/config/rc.local` - script runs at VM startup. - `/rw/config/rc.local` - script runs at VM startup.
Good place to change some service settings, replace config files with its copy stored in `/rw/config`, etc. Good place to change some service settings, replace config files with its copy stored in `/rw/config`, etc. The script need to have the executable permission set to be executed.
Example usage: Example usage:
~~~ ~~~
@ -32,6 +32,8 @@ The scripts here all run as root.
echo '127.0.0.1 example.com' >> /etc/hosts echo '127.0.0.1 example.com' >> /etc/hosts
~~~ ~~~
- `/rw/config/rc.local.d/*.rc` - scripts run at VM startup just before `/rw/config/rc.local`
- `/rw/config/rc.local-early.d/*.rc`, `/rw/config/rc.local-early` - scripts similar to `/rw/config/rc.local`, but running earlier in the system startup sequence - just before `sysinit.target`, and setting up the network.
- `/rw/config/qubes-ip-change-hook` - script runs in NetVM after every external IP change and on "hardware" link status change. - `/rw/config/qubes-ip-change-hook` - script runs in NetVM after every external IP change and on "hardware" link status change.
- In ProxyVMs (or app qubes with `qubes-firewall` service enabled), scripts placed in the following directories will be executed in the listed order followed by `qubes-firewall-user-script` at start up. - In ProxyVMs (or app qubes with `qubes-firewall` service enabled), scripts placed in the following directories will be executed in the listed order followed by `qubes-firewall-user-script` at start up.

30
user/advanced-topics/gui-domain.md
View file

@ -45,6 +45,8 @@ At this point, you need to shutdown all your running qubes as the `default_guivm
Here, we describe how to setup `sys-gui-gpu` which is a GUI domain with *GPU passthrough* in [GUI domain](/news/2020/03/18/gui-domain/#gpu-passthrough-the-perfect-world-desktop-solution). Here, we describe how to setup `sys-gui-gpu` which is a GUI domain with *GPU passthrough* in [GUI domain](/news/2020/03/18/gui-domain/#gpu-passthrough-the-perfect-world-desktop-solution).
> Note: the purpose of `sys-gui-gpu` is to improve Qubes OS security by detaching the GPU from dom0, this is not intended to improve GPU related performance within qubes, and this will not improve performance.
[![sys-gui-gpu](/attachment/posts/guivm-gpu.png)](/attachment/posts/guivm-gpu.png) [![sys-gui-gpu](/attachment/posts/guivm-gpu.png)](/attachment/posts/guivm-gpu.png)
In `dom0`, enable the formula for `sys-gui-gpu` with pillar data: In `dom0`, enable the formula for `sys-gui-gpu` with pillar data:
@ -120,13 +122,33 @@ A VNC server session is running on `localhost:5900` in `sys-gui-vnc`. In order t
> **WARNING**: This setup raises multiple security issues: 1) Anyone who can reach the `VNC` server, can take over the control of the Qubes OS machine, 2) A second client can connect even if a connection is already active and potentially get disconnected, 3) You can get disconnected by some unrelated network issues. Generally, if this `VNC` server is exposed to open network, it must be protected with some other (cryptographic) layer like `VPN`. The setup as is, is useful only for purely testing machine. > **WARNING**: This setup raises multiple security issues: 1) Anyone who can reach the `VNC` server, can take over the control of the Qubes OS machine, 2) A second client can connect even if a connection is already active and potentially get disconnected, 3) You can get disconnected by some unrelated network issues. Generally, if this `VNC` server is exposed to open network, it must be protected with some other (cryptographic) layer like `VPN`. The setup as is, is useful only for purely testing machine.
### Troubleshooting ### Known issues
#### Application menu lacks qubes entries in a fresh GUI domain #### Application menu lacks qubes entries in a fresh GUI domain
See [QubesOS/qubes-issues#5804](https://github.com/QubesOS/qubes-issues/issues/5804) See [QubesOS/qubes-issues#5804](https://github.com/QubesOS/qubes-issues/issues/5804)
#### Delete GUI domain #### Cannot update dom0 from sys-gui
See [QubesOS/qubes-issues#8934](https://github.com/QubesOS/qubes-issues/issues/8934)
#### GUI of HVM qubes not visible
See [QubesOS/qubes-issues#9385](https://github.com/QubesOS/qubes-issues/issues/9385)
### Power saving/screensaver issues
See [QubesOS/qubes-issues#9033](https://github.com/QubesOS/qubes-issues/issues/9033), [QubesOS/qubes-issues#9384](https://github.com/QubesOS/qubes-issues/issues/9384), [QubesOS/qubes-issues#7989](https://github.com/QubesOS/qubes-issues/issues/7989)
#### Qube startup order (sys-usb and sys-gui)
See [QubesOS/qubes-issues#7954](https://github.com/QubesOS/qubes-issues/issues/7954)
#### Other GUI domain issues
see existing issues `QubesOS/qubes-issues` under [C: gui-domain](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aopen+is%3Aissue+label%3A%22C%3A+gui-domain%22) label.
### Reverting sys-gui
The following commands have to be run in `dom0`. The following commands have to be run in `dom0`.
@ -149,7 +171,3 @@ You are now able to delete the GUI domain, for example `sys-gui-gpu`:
```bash ```bash
qvm-remove -f sys-gui-gpu qvm-remove -f sys-gui-gpu
``` ```
#### General issues
For any general GUI domain issues, please take a loot at existing issues `QubesOS/qubes-issues` under [C: gui-domain](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aopen+is%3Aissue+label%3A%22C%3A+gui-domain%22) label.

136
user/advanced-topics/secondary-storage.md
View file

@ -11,104 +11,182 @@ ref: 187
title: Secondary storage title: Secondary storage
--- ---
# Storing qubes on Secondary Drives
Suppose you have a fast but small primary SSD and a large but slow secondary HDD. Suppose you have a fast but small primary SSD and a large but slow secondary HDD.
You want to store a subset of your app qubes on the HDD. You may want to store a subset of your qubes on the HDD.
Or if you install a second SSD, you may want to use *that* for storage of some qubes.
This page explains how to use that second drive.
## Instructions ## Instructions
Qubes 4.0 is more flexible than earlier versions about placing different VMs on different disks. Qubes 4.0 is more flexible than earlier versions about placing different VMs on different disks.
For example, you can keep templates on one disk and app qubes on another, without messy symlinks. For example, you can keep templates on one disk and app qubes on another, without messy symlinks.
These steps assume you have already created a separate [volume group](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/logical_volume_manager_administration/vg_admin#VG_create) and [thin pool](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/logical_volume_manager_administration/thinly_provisioned_volume_creation) (not thin volume) for your HDD. You can query qvm-pool to list available storage drivers:
``` shell_session
qvm-pool --help-drivers
```
qvm-pool driver explanation:
```
<file> refers to using a simple file for image storage and lacks a few features.
<file-reflink> refers to storing images on a filesystem supporting copy on write.
<linux-kernel> refers to a directory holding kernel images.
<lvm_thin> refers to LVM managed pools.
```
In theory, you can still use file-based disk images ("file" pool driver), but they will lack some features: for example, you won't be able to do backups without shutting down the qube.
Additional storage can also be added on a Btrfs filesystem. A unique feature of Btrfs is that data can be compressed transparently. The subvolume can also be backed up using snapshots for an additional layer of protection; Btrfs supports differents level of redundancy; it has parity checksum; Btrfs volumes can be expanded or shrunk. Starting or stopping a VM has less impact and less chance of causing slowdown of the system as some users have noted with LVM. Relevant information for general btrfs configuration will be provided after the section on LVM storage.
### LVM storage
These steps assume you have already created a separate [volume group](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/logical_volume_manager_administration/vg_admin#VG_create) and [thin pool](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/logical_volume_manager_administration/thinly_provisioned_volume_creation) (not thin volume) for your second drive..
See also [this example](https://www.linux.com/blog/how-full-encrypt-your-linux-system-lvm-luks) if you would like to create an encrypted LVM pool (but note you can use a single logical volume if preferred, and to use the `-T` option on `lvcreate` to specify it is thin). You can find the commands for this example applied to Qubes at the bottom of this R4.0 section. See also [this example](https://www.linux.com/blog/how-full-encrypt-your-linux-system-lvm-luks) if you would like to create an encrypted LVM pool (but note you can use a single logical volume if preferred, and to use the `-T` option on `lvcreate` to specify it is thin). You can find the commands for this example applied to Qubes at the bottom of this R4.0 section.
First, collect some information in a dom0 terminal: First, collect some information in a dom0 terminal:
``` ```shell_session
sudo pvs sudo pvs
sudo lvs sudo lvs
``` ```
Take note of the VG and thin pool names for your HDD, then register it with Qubes: Take note of the VG and thin pool names for your second drive., then register it with Qubes:
```shell_session ```
# <pool_name> is a freely chosen pool name # <pool_name> is a freely chosen pool name
# <vg_name> is LVM volume group name # <vg_name> is LVM volume group name
# <thin_pool_name> is LVM thin pool name # <thin_pool_name> is LVM thin pool name
qvm-pool --add <pool_name> lvm_thin -o volume_group=<vg_name>,thin_pool=<thin_pool_name>,revisions_to_keep=2 qvm-pool --add <pool_name> lvm_thin -o volume_group=<vg_name>,thin_pool=<thin_pool_name>,revisions_to_keep=2
``` ```
### BTRFS storage
Theses steps assume you have already created a separate Btrfs filesystem for your second drive., that it is encrypted with LUKS and it is mounted. It is recommended to use a subvolume as it enables compression and excess storage can be use for other things.
It is possible to use an existing Btrfs storage if it is configured. In dom0, available Btrfs storage can be displayed using:
```shell_session
mount -t btrfs
btrfs show filesystem
```
To register the storage to qubes:
```shell_session
# <pool_name> is a freely chosen pool name
# <dir_path> is the mounted path to the second btrfs storage
qvm-pool --add <pool_name> file-reflink -o dir_path=<dir_path>,revisions_to_keep=2
```
#### Using the new pool
Now, you can create qubes in that pool: Now, you can create qubes in that pool:
``` ```shell_session
qvm-create -P <pool_name> --label red <vmname> qvm-create -P <pool_name> --label red <vmname>
``` ```
It isn't possible to directly migrate an existing qube to the new pool, but you can clone it there, then remove the old one: It isn't possible to directly migrate an existing qube to the new pool, but you can clone it there, then remove the old one:
``` ```shell_session
qvm-clone -P <pool_name> <sourceVMname> <cloneVMname> qvm-clone -P <pool_name> <sourceVMname> <cloneVMname>
qvm-remove <sourceVMname> qvm-remove <sourceVMname>
``` ```
If that was a template, or other qube referenced elsewhere (NetVM or such), you will need to adjust those references manually after moving. If that was a template, or other qube referenced elsewhere (netVM or such), you will need to adjust those references manually after moving.
For example: For example:
``` ```shell_session
qvm-prefs <appvmname_based_on_old_template> template <new_template_name> qvm-prefs <appvmname_based_on_old_template> template <new_template_name>
``` ```
In theory, you can still use file-based disk images ("file" pool driver), but it lacks some features such as you won't be able to do backups without shutting down the qube. #### Example setup of second drive.
### Example HDD setup Assuming the secondary hard disk is at /dev/sdb , you can encrypt the drive as follows. Note that the drive contents will be completely erased, In a dom0 terminal run this command - use the same passphrase as the main Qubes disk to avoid a second password prompt at boot:
Assuming the secondary hard disk is at /dev/sdb (it will be completely erased), you can set it up for encryption by doing in a dom0 terminal (use the same passphrase as the main Qubes disk to avoid a second password prompt at boot):
``` ```
sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sdb sudo cryptsetup luksFormat --sector-size=512 /dev/sdb
sudo blkid /dev/sdb sudo blkid /dev/sdb
``` ```
Note the device's UUID (in this example "b209..."), we will use it as its luks name for auto-mounting at boot, by doing: (The `--sector-size=512` argument can sometimes work around an incompatibility of storage hardware with LVM thin pools on Qubes. If this does not apply to your hardware, the argument will make no difference.)
``` Note the device's UUID (in this example "b209..."), we will use it as its luks name for auto-mounting at boot, by editing `/etc/crypttab`, and adding this line to crypttab (replacing both "b209..." entries with your device's UUID taken from blkid) :
sudo nano /etc/crypttab
```
And adding this line (change both "b209..." for your device's UUID from blkid) to crypttab: ```shell_session
```
luks-b20975aa-8318-433d-8508-6c23982c6cde UUID=b20975aa-8318-433d-8508-6c23982c6cde none luks-b20975aa-8318-433d-8508-6c23982c6cde UUID=b20975aa-8318-433d-8508-6c23982c6cde none
``` ```
Reboot the computer so the new luks device appears at /dev/mapper/luks-b209... and we can then create its pool, by doing this on a dom0 terminal (substitute the b209... UUIDs with yours): Reboot the computer so the new luks device appears at /dev/mapper/luks-b209... You can then create the new pool by running this command in a dom0 terminal (substitute the b209... UUIDs with your UID):
First create the physical volume ##### For LVM
``` First create the physical volume:
```shell_session
sudo pvcreate /dev/mapper/luks-b20975aa-8318-433d-8508-6c23982c6cde sudo pvcreate /dev/mapper/luks-b20975aa-8318-433d-8508-6c23982c6cde
``` ```
Then create the LVM volume group, we will use for example "qubes" as the <vg_name>: Then create the LVM volume group, we will use for example "qubes" as the <vg_name>:
``` ```shell_session
sudo vgcreate qubes /dev/mapper/luks-b20975aa-8318-433d-8508-6c23982c6cde sudo vgcreate qubes /dev/mapper/luks-b20975aa-8318-433d-8508-6c23982c6cde
``` ```
And then use "poolhd0" as the <thin_pool_name> (LVM thin pool name): And then use "poolhd0" as the <thin_pool_name> (LVM thin pool name):
``` ```shell_session
sudo lvcreate -T -n poolhd0 -l +100%FREE qubes sudo lvcreate -T -n poolhd0 -l +100%FREE qubes
``` ```
Finally we will tell Qubes to add a new pool on the just created thin pool Finally we will tell Qubes to add a new pool on the just created thin pool:
``` ```shell_session
qvm-pool --add poolhd0_qubes lvm_thin -o volume_group=qubes,thin_pool=poolhd0,revisions_to_keep=2 qvm-pool --add poolhd0_qubes lvm_thin -o volume_group=qubes,thin_pool=poolhd0,revisions_to_keep=2
``` ```
#### For Btrfs
By default VMs will be created on the main Qubes disk (i.e. a small SSD), to create them on this secondary HDD do the following on a dom0 terminal: First create the physical volume:
```shell_session
# <label> Btrfs Label
sudo mkfs.btrfs -L <label> /dev/mapper/luks-b20975aa-8318-433d-8508-6c23982c6cde
``` ```
Then mount the new Btrfs to a temporary path:
```shell_session
sudo mkdir -p /mnt/new_qube_storage
sudo mount /dev/mapper/luks-b20975aa-8318-433d-8508-6c23982c6cde /mnt/new_qube_storage
```
Create a subvolume to hold the data:
```
sudo btrfs subvolume create /mnt/new_qube_storage/qubes
```
Unmount the temporary Btrfs filesystem:
```shell_session
sudo umount /mnt/new_qube_storage
rmdir /mnt/new_qube_storage
```
Mount the subvolume with compression enabled if desired:
```shell_session
# <compression> zlib|lzo|zstd
# <subvol> btrfs subvolume "qubes" in this example
sudo mount /dev/mapper/luks-b20975aa-8318-433d-8508-6c23982c6cde /var/lib/qubes_newpool -o compress=<compression>,subvol=qubes
```
Finally we will tell Qubes to add a new pool on the just created Btrfs subvolume:
```shell_session
qvm-pool --add poolhd0_qubes file-reflink -o dir_path=/var/lib/qubes_newpool,revisions_to_keep=2
```
By default VMs will be created on the main Qubes disk (i.e. a small SSD), to create them on this secondary drive do the following on a dom0 terminal:
```shell_session
qvm-create -P poolhd0_qubes --label red unstrusted-hdd qvm-create -P poolhd0_qubes --label red unstrusted-hdd
``` ```
Verify that corresponding lines were added to /etc/fstab and /etc/cryptab to enable auto mounting of the new pool.
[Qubes Backup]: /doc/BackupRestore/
[TemplateVM]: /doc/Templates/

50
user/advanced-topics/standalones-and-hvms.md
View file

@ -50,6 +50,21 @@ is about the virtualization mode. In practice, however, it is most common for
standalones to be HVMs and for HVMs to be standalones. Hence, this page covers standalones to be HVMs and for HVMs to be standalones. Hence, this page covers
both topics. both topics.
## Understanding Virtualization Modes
PVH has both better performance and better security than either PV or HVM:
PVH has less attack surface than PV, as it relies on Second Level Address Translation (SLAT) hardware. Guests modify their own page tables natively, without hypervisor involvement. Xen does not need to perform complex checks to ensure that a guest cannot obtain write access to its own page tables, as is necessary for PV. Flaws in these checks have been a source of no fewer than four guest ⇒ host escapes: XSA-148, XSA-182, XSA-212, and XSA-213.
PVH also has less attack surface than HVM, as it does not require QEMU to provide device emulation services. While QEMU is confined in a stubdomain, and again in a seccomp based sandbox, the stubdomain has significant attack surface against the hypervisor. Not only does it have the full attack surface of a PV domain, it also has access to additional hypercalls that allow it to control the guest it is providing emulation services for. XSA-109 was a vulnerability in one of these hypercalls.
PVH has better performance than HVM, as the stubdomain iin HVM consumes resources (both memory and a small amount of CPU). There is little difference in the I/O path at runtime, as both PVH and HVM guests usually use paravirtualized I/O protocols.
Surprisingly, PVH often has better performance than PV. This is because PVH does not require hypercalls for page table updates, which are expensive. SLAT does raise the cost of TLB misses, but this is somewhat mitigated by a second-level TLB in recent hardware.
## Creating a standalone ## Creating a standalone
You can create a standalone in the Qube Manager by selecting the "Type" of You can create a standalone in the Qube Manager by selecting the "Type" of
@ -176,9 +191,40 @@ seen, e.g., in the Qube Manager in the qube's properties:
Alternatively, one can use the `qvm-ls -n` command to obtain the same Alternatively, one can use the `qvm-ls -n` command to obtain the same
information (IP/netmask/gateway). information (IP/netmask/gateway).
The Qube Settimgs shows a netmask of 255.255.255.255.
This is not suitable for most standalones, and you will need to use a different value.
The DNS IP addresses are `10.139.1.1` and `10.139.1.2`. There is [opt-in In Qubes, the IP address is usually in range 10.137.0.0/16, with disposables in range 10.138.0.0/16, and DNS set to `10.139.1.1` and `10.139.1.2`.
support](/doc/networking/#ipv6) for IPv6 forwarding. The simplest solution is to set the netmask to 255.0.0.0 - standard for a class A network.
If you want a more restricted solution you could use 255.252.0.0, or 255.255.255.0
There is [opt-in support](/doc/networking/#ipv6) for IPv6 forwarding.
### An example of setting up a network - Network Manager on KDE
Every guest operating system has its own way of handling networking, and the user is
referred to the documentation that comes with that operating system. However,
Network Manager is widely used on Linux systems, and so a worked example will
prove useful. This example is for an HVM running EndeavourOS.
![Image of Qube Settings](/attachment/doc/EndeavourOS_Network.png "Qube Settings")
In this example, Network Manager on KDE, the network had the following values:
1. IPv4 networking
2. IP address 10.137.0.17
3. Netmask - qube settings showed 255.255.255.255, but we decided to use 255.255.255.0
4. Gateway 10.138.24.248
5. Virtual DNS 10.139.1.1 and 10.139.1.2
![Image of Network Manager, annotated by numbers for reference below](/attachment/doc/Network Manager.png "Annotated image of KDE Network Manager")
The network was set up by entering Network Manager, selecting the Wi-Fi & Networking tab, clicking on the Wired Ethernet
item, and selecting tab IPv4 (1).
The Manual method was selected (2), which revealed areas for data entry.
The DNS Servers section takes a comma-separated list, here 10.139.1.1,10.1.139.2 (3).
At the bottom of the tab (4), the '+ Add' button was selected, and the IP address of 10.137.0.17 entered in the 'Address' column, the Netmask of 255.255.255.0 entered in the 'Netmask' column, and the Gateway of 10.138.24.248 under 'Gateway'.
Selecting the "Apply" button stored these changes
## Using template-based HVMs ## Using template-based HVMs

2
user/downloading-installing-upgrading/supported-releases.md
View file

@ -57,7 +57,7 @@ It is the responsibility of each distribution to clearly notify its users in adv
| Qubes OS | Fedora | Debian | | Qubes OS | Fedora | Debian |
| ----------- | ------ | ------ | | ----------- | ------ | ------ |
| Release 4.2 | 40, 41 | 12 | | Release 4.2 | 41 | 12 |
### Note on Debian support ### Note on Debian support

2
user/downloading-installing-upgrading/testing.md
View file

@ -17,7 +17,7 @@ How to test upcoming Qubes OS releases:
- Test the latest release candidate (RC) on the [downloads](/downloads/) page, if one is currently available. (Or try an older RC from our [FTP server](https://ftp.qubes-os.org/iso/).) - Test the latest release candidate (RC) on the [downloads](/downloads/) page, if one is currently available. (Or try an older RC from our [FTP server](https://ftp.qubes-os.org/iso/).)
- Try the [signed weekly builds](https://qubes.notset.fr/iso/). ([Learn more](https://forum.qubes-os.org/t/16929) and [track their status](https://github.com/fepitre/updates-status-iso/issues).) - Try the [signed weekly builds](https://qubes.notset.fr/iso/). ([Learn more](https://forum.qubes-os.org/t/16929) and [track their status](https://github.com/fepitre/updates-status-iso/issues).)
- Use [qubes-builder](/doc/qubes-builder/) to build the latest release yourself. - Use [qubes-builder](/doc/qubes-builder-v2/) to build the latest release yourself.
- (No support) Experiment with developer alpha ISOs found from time to time at [Qubes OpenQA](https://openqa.qubes-os.org/). - (No support) Experiment with developer alpha ISOs found from time to time at [Qubes OpenQA](https://openqa.qubes-os.org/).
Please make sure to [report any bugs you encounter](/doc/issue-tracking/). Please make sure to [report any bugs you encounter](/doc/issue-tracking/).

78
user/hardware/certified-hardware.md → user/hardware/certified-hardware/certified-hardware.md
View file

@ -25,71 +25,19 @@ Qubes-certified computers are certified for a [major release](/doc/version-schem
The current Qubes-certified models are listed below in reverse chronological order of certification. The current Qubes-certified models are listed below in reverse chronological order of certification.
### NovaCustom V54 Series 14.0 inch coreboot laptop | Brand | Model | Certification details |
| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- |
[![Photo of the NovaCustom V54 Series 14.0 inch coreboot laptop](/attachment/site/novacustom-v54-series.png)](https://novacustom.com/product/v54-series/) | [NovaCustom](https://novacustom.com/) | [V54 Series](https://novacustom.com/product/v54-series/) | [Certification details](/doc/certified-hardware/novacustom-v54-series/) |
| [Nitrokey](https://www.nitrokey.com/) | [NitroPad V56](https://shop.nitrokey.com/shop/nitropad-v56-684) | [Certification details](/doc/certified-hardware/nitropad-v56/) |
The [NovaCustom V54 Series 14.0 inch coreboot laptop](https://novacustom.com/product/v54-series/) is certified for Qubes OS Release 4. | [NovaCustom](https://novacustom.com/) | [V56 Series](https://novacustom.com/product/v56-series/) | [Certification details](/doc/certified-hardware/novacustom-v56-series/) |
| [Nitrokey](https://www.nitrokey.com/) | [NitroPC Pro 2](https://shop.nitrokey.com/shop/nitropc-pro-2-523) | [Certification details](/doc/certified-hardware/nitropc-pro-2/) |
### NitroPad V56 | [Star Labs](https://starlabs.systems/) | [StarBook](https://starlabs.systems/pages/starbook) | [Certification details](/doc/certified-hardware/starlabs-starbook/) |
| [Nitrokey](https://www.nitrokey.com/) | [NitroPC Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523) | [Certification details](/doc/certified-hardware/nitropc-pro/) |
[![Photo of the NitroPad V56](/attachment/site/nitropad-v56.png)](https://shop.nitrokey.com/shop/nitropad-v56-684) | [NovaCustom](https://novacustom.com/) | [NV41 Series](https://novacustom.com/product/nv41-series/) | [Certification details](/doc/certified-hardware/novacustom-nv41-series/) |
| [3mdeb](https://3mdeb.com/) | [Dasharo FidelisGuard Z690](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) | [Certification details](/doc/certified-hardware/dasharo-fidelisguard-z690/) |
The [NitroPad V56](https://shop.nitrokey.com/shop/nitropad-v56-684) is certified for Qubes OS Release 4. | [Nitrokey](https://www.nitrokey.com/) | [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119) | [Certification details](/doc/certified-hardware/nitropad-t430/) |
| [Nitrokey](https://www.nitrokey.com/) | <a id="nitropad-x230"></a>[NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67) | [Certification details](/doc/certified-hardware/nitropad-x230/) |
### NovaCustom V56 Series 16.0 inch coreboot laptop | [Insurgo](https://insurgo.ca/) | [PrivacyBeast X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) | [Certification details](/doc/certified-hardware/insurgo-privacybeast-x230/) |
[![Photo of the NovaCustom V56 Series 16.0 inch coreboot laptop](/attachment/site/novacustom-v56-series.png)](https://novacustom.com/product/v56-series/)
The [NovaCustom V56 Series 16.0 inch coreboot laptop](https://novacustom.com/product/v56-series/) is certified for Qubes OS Release 4.
### NitroPC Pro 2
[![Photo of the NitroPC Pro 2](/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/nitropc-pro-2-523)
The [NitroPC Pro 2](https://shop.nitrokey.com/shop/nitropc-pro-2-523) is a desktop based on the MSI PRO Z790-P DDR5 motherboard. It is certified for Qubes OS Release 4.
### Star Labs StarBook
[![Photo of the Star Labs StarBook](/attachment/site/starlabs-starbook.png)](https://starlabs.systems/pages/starbook)
The [Star Labs StarBook](https://starlabs.systems/pages/starbook) is a 14-inch laptop. It is certified for Qubes OS Release 4.
### NitroPC Pro
[![Photo of the NitroPC Pro](/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/product/nitropc-pro-523)
The [NitroPC Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523) is a desktop based on the MSI PRO Z690-A DDR5 motherboard. It is certified for Qubes OS Release 4.
### NovaCustom NV41 Series
[![Photo of the NovaCustom NV41 Series](/attachment/site/novacustom-nv41-series.png)](https://novacustom.com/product/nv41-series/)
The [NovaCustom NV41 Series](https://novacustom.com/product/nv41-series/) is a 14-inch custom laptop. It is certified for Qubes OS Release 4.
### Dasharo FidelisGuard Z690
[![Photo of the Dasharo FidelisGuard Z690](/attachment/site/dasharo-fidelisguard-z690.jpg)](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
The [Dasharo FidelisGuard Z690](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) is a desktop based on the MSI PRO Z690-A DDR4 motherboard. It is certified for Qubes OS Release 4.
### NitroPad T430
[![Photo of the NitroPad T430](/attachment/site/nitropad-t430.jpg)](https://shop.nitrokey.com/shop/product/nitropad-t430-119)
The [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119) is a laptop based on the ThinkPad T430. It is certified for Qubes OS Release 4.
### NitroPad X230
[![Photo of the NitroPad X230](/attachment/site/nitropad-x230.jpg)](https://shop.nitrokey.com/shop/product/nitropad-x230-67)
The [NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67) is a laptop based on the ThinkPad X230. It is certified for Qubes OS Release 4.
### Insurgo PrivacyBeast X230
[![Photo of the Insurgo PrivacyBeast X230](/attachment/site/insurgo-privacybeast-x230.png)](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/)
The [Insurgo PrivacyBeast X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) is a laptop based on the ThinkPad X230. It is certified for Qubes OS Release 4.
## Become hardware certified ## Become hardware certified

38
user/hardware/certified-hardware/dasharo-fidelisguard-z690.md Normal file
View file

@ -0,0 +1,38 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/dasharo-fidelisguard-z690/
title: Dasharo FidelisGuard Z690
image: /attachment/posts/dasharo-fidelisguard-z690_2.jpg
---
The [Dasharo FidelisGuard Z690](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of MSI PRO Z690-A DDR4 motherboard](/attachment/posts/dasharo-fidelisguard-z690_1.jpg)](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
The [Dasharo FidelisGuard Z690](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) is a full desktop PC build that brings the [Dasharo](https://dasharo.com/) open-source firmware distribution to the MSI PRO Z690-A DDR4 motherboard with Qubes OS preinstalled. The full configuration includes:
| Part | Model Name |
|------------- | -------------------------------------------------------------- |
| CPU | Intel Core i5-12600K, 3.7GHz |
| Cooling | Noctua CPU NH-U12S Redux |
| RAM | Kingston Fury Beast, DDR4, 4x8GB (32 GB Total), 3600 MHz, CL17 |
| Power Supply | Seasonic Focus PX 750W 80 Plus Platinum |
| Storage | SSD Intel 670p 512 GB M.2 2280 PCI-E x4 Gen3 NVMe |
| Enclosure | SilentiumPC Armis AR1 |
[![Photo of Dasharo FidelisGuard Z690 with open case](/attachment/posts/dasharo-fidelisguard-z690_2.jpg)](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
This computer comes with a "Dasharo Supporters Entrance Subscription," which includes the following:
- Full access to [Dasharo Tools Suite (DTS)](https://docs.dasharo.com/dasharo-tools-suite/overview/)
- The latest Dasharo releases issued by the Dasharo Team
- Special Dasharo updates for supporters
- Dasharo Premier Support through an invite-only Matrix channel
- Influence on the Dasharo feature roadmap
[![Photo of Dasharo FidelisGuard Z690 with open case](/attachment/posts/dasharo-fidelisguard-z690_3.jpg)](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
For further details, please see the [Dasharo FidelisGuard Z690](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) product page.
[![Photo of the outside of the Dasharo FidelisGuard Z690](/attachment/posts/dasharo-fidelisguard-z690_4.jpg)](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)

26
user/hardware/certified-hardware/insurgo-privacybeast-x230.md Normal file
View file

@ -0,0 +1,26 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/insurgo-privacybeast-x230/
title: Insurgo PrivacyBeast X230
image: /attachment/site/insurgo-privacybeast-x230.png
---
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> The CPU in this computer no longer receives microcode updates from Intel. Without microcode updates, Qubes OS cannot ensure that this computer is secure against CPU vulnerabilities. While this computer remains certified for Qubes OS Release 4, we recommend that prospective buyers consider a newer Qubes-certified computer instead.
</div>
The [Insurgo PrivacyBeast X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of the Insurgo PrivacyBeast X230](/attachment/site/insurgo-privacybeast-x230.png)](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/)
The [Insurgo PrivacyBeast X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) is a custom refurbished [ThinkPad X230](https://www.thinkwiki.org/wiki/Category:X230) that includes the following features:
- [coreboot](https://www.coreboot.org/) initialization for the x230 is binary-blob-free, including native graphic initialization. Built with the [Heads](https://github.com/osresearch/heads/) payload, it delivers an [Anti Evil Maid (AEM)](/doc/anti-evil-maid/)-like solution built into the firmware. (Even though our [requirements](/doc/certified-hardware/#hardware-certification-requirements) provide an exception for CPU-vendor-provided blobs for silicon and memory initialization, Insurgo exceeds our requirements by insisting that these be absent from its machines.)
- [Intel ME](https://libreboot.org/faq.html#intelme) is neutered through the AltMeDisable bit, while all modules other than ROMP and BUP, which are required to initialize main CPU, have been [deleted](https://github.com/linuxboot/heads-wiki/blob/master/Installing-and-Configuring/Flashing-Guides/Clean-the-ME-firmware.md#how-to-disabledeactive-most-of-it).
- A re-ownership process that allows it to ship pre-installed with Qubes OS, including full-disk encryption already in place, but where the final disk encryption key is regenerated only when the machine is first powered on by the user, so that the OEM doesn't know it.
- [Heads](https://github.com/osresearch/heads/) provisioned pre-delivery to protect against malicious [interdiction](https://en.wikipedia.org/wiki/Interdiction).

30
user/hardware/certified-hardware/nitropad-t430.md Normal file
View file

@ -0,0 +1,30 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/nitropad-t430/
title: NitroPad T430
image: /attachment/site/nitropad-t430.jpg
---
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> The CPU in this computer no longer receives microcode updates from Intel. Without microcode updates, Qubes OS cannot ensure that this computer is secure against CPU vulnerabilities. While this computer remains certified for Qubes OS Release 4, we recommend that prospective buyers consider a newer Qubes-certified computer instead.
</div>
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> Please be advised that the i7-3632QM option is <b>not</b> compatible with Qubes OS, as it does not support VT-d. The option specifically tested by the Qubes team is the i5-3320M.
</div>
The [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of the NitroPad T430](/attachment/site/nitropad-t430.jpg)](https://shop.nitrokey.com/shop/product/nitropad-t430-119)
Key features of the [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119) include:
- Tamper detection through measured boot with [coreboot](https://www.coreboot.org/), [Heads](https://github.com/osresearch/heads/), and Nitrokey USB hardware, including support for [Anti Evil Maid (AEM)](/doc/anti-evil-maid/)
- Deactivated [Intel Management Engine](https://libreboot.org/faq.html#intelme)
- User-replaceable cryptographic keys
- Included Nitrokey USB key
- Professional ThinkPad hardware based on the [ThinkPad T430](https://www.thinkwiki.org/wiki/Category:T430)
- Security-conscious shipping to mitigate against third-party [interdiction](https://en.wikipedia.org/wiki/Interdiction)

82
user/hardware/certified-hardware/nitropad-v56.md Normal file
View file

@ -0,0 +1,82 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/nitropad-v56/
title: NitroPad V56
image: /attachment/site/nitropad-v56.png
---
The [NitroPad V56](https://shop.nitrokey.com/shop/nitropad-v56-684) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of the NitroPad V56](/attachment/site/nitropad-v56.png)](https://shop.nitrokey.com/shop/nitropad-v56-684)
## Qubes-certified options
The configuration options required for Qubes certification are detailed below.
### Processor and graphics card
- Certified: Intel Core Ultra 5 Processor 125H, Intel Arc iGPU with AI Boost
- Certified: Intel Core Ultra 7 Processor 155H, Intel Arc iGPU with AI Boost
- The Nvidia GPU options are not currently certified.
### Memory (RAM) DDR5, 5600 MHz
- Certified: All options 16 GB (2x8 GB) and higher
### 1st Hard Disk SSD NVMe PCIe 4.0 x4
- Certified: Any of the available options in this section
### 2nd Hard Disk SSD NVMe PCIe 4.0 x4
- Certified: Any of the available options in this section
### Keyboard
- Certified: Any of the available options in this section
### Wireless interfaces
- Certified: Wi-Fi 6E + Bluetooth 5.3, Intel AX-210/211 (non vPro) WLAN module 2.4 Gbps, 802.11ax
- Certified: Wi-Fi 7 + Bluetooth 5.42, Intel BE200 (non vPro) WLAN module 5.8 Gbps, 802.11be
- Certified: No wireless
### Webcam and microphone
- Certified: Any of the available options in this section
### Type
- Certified: Any of the available options in this section
### Firmware
- Certified: Dasharo TianoCore UEFI without Measured boot, without Nitrokey
- The option "Dasharo HEADS with Measured Boot, requires Nitrokey!" is not yet certified.
### Operating system
- Certified: Qubes OS 4.2.3 or newer (within Release 4).
- Releases older than 4.2.3 are not certified.
- You may choose either to have Nitrokey preinstall Qubes OS for you, or you may choose to install Qubes OS yourself. This choice does not affect certification.
### Nitrokey
- Certified: None -- for TianoCore only!
- The Nitrokey options are currently not applicable to Qubes hardware certification. (See the Firmware section above.)
### Shipment of Nitrokey
- This section does not affect Qubes hardware certification.
### Tamper-evident packaging
- This section does not affect Qubes hardware certification.
## Disclaimers
- In order for Wi-Fi to function properly, `sys-net` must currently be based on a Fedora template. The firmware package in Debian templates is currently too old for the certified Wi-Fi cards.
- Currently requires `kernel-latest`: If you install Qubes OS yourself, you must select the `Install Qubes OS RX using kernel-latest` option on the GRUB menu when booting the installer. This non-default kernel option is currently required for the NitroPad V56 to function properly.
- Due to a [known bug](https://github.com/Dasharo/dasharo-issues/issues/976), the bottom-right USB-C port is currently limited to USB 2.0 speeds.

25
user/hardware/certified-hardware/nitropad-x230.md Normal file
View file

@ -0,0 +1,25 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/nitropad-x230/
title: NitroPad X230
image: /attachment/site/nitropad-x230.jpg
---
<div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> The CPU in this computer no longer receives microcode updates from Intel. Without microcode updates, Qubes OS cannot ensure that this computer is secure against CPU vulnerabilities. While this computer remains certified for Qubes OS Release 4, we recommend that prospective buyers consider a newer Qubes-certified computer instead.
</div>
The [NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of the NitroPad X230](/attachment/site/nitropad-x230.jpg)](https://shop.nitrokey.com/shop/product/nitropad-x230-67)
The [NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67) offers users unprecedented control over the security of their hardware. Key features include:
- Tamper detection through measured boot with [coreboot](https://www.coreboot.org/), [Heads](https://github.com/osresearch/heads/), and Nitrokey USB hardware, including support for [Anti Evil Maid (AEM)](/doc/anti-evil-maid/)
- Deactivated [Intel Management Engine](https://libreboot.org/faq.html#intelme)
- User-replaceable cryptographic keys
- Included Nitrokey USB key
- Professional ThinkPad hardware based on the [ThinkPad X230](https://www.thinkwiki.org/wiki/Category:X230)
- Security-conscious shipping to mitigate against third-party [interdiction](https://en.wikipedia.org/wiki/Interdiction)

47
user/hardware/certified-hardware/nitropc-pro-2.md Normal file
View file

@ -0,0 +1,47 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/nitropc-pro-2/
title: NitroPC Pro 2
image: /attachment/posts/nitropc-pro.jpg
---
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> When configuring your NitroPC Pro 2 on the Nitrokey website, there is an option for a discrete graphics card (e.g., Nvidia GeForce RTX 4070 or 4090) in addition to integrated graphics (e.g., Intel UHD 770, which is always included because it is physically built into the CPU). NitroPC Pro 2 configurations that include discrete graphics cards are <em>not</em> Qubes-certified. The only NitroPC Pro 2 configurations that are Qubes-certified are those that contain <em>only</em> integrated graphics.
</div>
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> Only the "Dasharo TianoCore UEFI without Measured Boot, without Nitrokey" firmware option is certified. The "HEADS with Measured Boot, requires Nitrokey!" firmware option is <em>not</em> certified.
</div>
The [NitroPC Pro 2](https://shop.nitrokey.com/shop/nitropc-pro-2-523) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of NitroPC Pro 2](/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/nitropc-pro-2-523)
Here's a summary of the main component options available for this mid-tower desktop PC:
| Component | Options |
|----------------------------- | -------------------------------------------------------- |
| Motherboard | MSI PRO Z790-P DDR5 (Wi-Fi optional) |
| Processor | 14th Generation Intel Core i5-14600K or i9-14900K |
| Memory | 16 GB to 128 GB DDR5 |
| NVMe storage (optional) | Up to two NVMe PCIe 4.0 x4 SSDs, up to 2 TB each |
| SATA storage (optional) | Up to two SATA SSDs, up to 7.68 TB each |
| Wireless (optional) | Wi-Fi 6E, 2400 Mbps, 802.11/a/b/g/n/ac/ax, Bluetooth 5.2 |
| Operating system (optional) | Qubes OS 4.2 or Ubuntu 22.04 LTS |
Of special note for Qubes users, the NitroPC Pro 2 features a combined PS/2 port that supports both a PS/2 keyboard and a PS/2 mouse simultaneously with a Y-cable (not included). This allows for full control of dom0 without the need for USB keyboard or mouse passthrough. Nitrokey also offers a special tamper-evident shipping method for an additional fee. With this option, the case screws will be individually sealed and photographed, and the NitroPC Pro 2 will be packed inside a sealed bag. Photographs of the seals will be sent to you by email, which you can use to determine whether the case was opened during transit.
The NitroPC Pro 2 also comes with a "Dasharo Entry Subscription," which includes the following:
- Accesses to the latest firmware releases
- Exclusive newsletter
- Special updates, including early access to updates enhancing privacy, security, performance, and compatibility
- Early access to new firmware releases for [newly-supported desktop platforms](https://docs.dasharo.com/variants/overview/#desktop) (please see the [roadmap](https://github.com/Dasharo/presentations/blob/main/dasharo_roadmap.md#dasharo-desktop-roadmap))
- Access to the Dasharo Premier Support invite-only live chat channel on the Matrix network, allowing direct access to the Dasharo Team and fellow subscribers with personalized and priority assistance
- Insider's view and influence on the Dasharo feature roadmap for a real impact on Dasharo development
- [Dasharo Tools Suite Entry Subscription](https://docs.dasharo.com/osf-trivia-list/dts/#what-is-dasharo-tools-suite-supporters-entrance) keys
For further product details, please see the official [NitroPC Pro 2](https://shop.nitrokey.com/shop/nitropc-pro-2-523) page.

47
user/hardware/certified-hardware/nitropc-pro.md Normal file
View file

@ -0,0 +1,47 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/nitropc-pro/
title: NitroPC Pro
image: /attachment/posts/nitropc-pro.jpg
---
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> When configuring your NitroPC Pro 2 on the Nitrokey website, there is an option for a discrete graphics card (e.g., Nvidia GeForce RTX 4070 or 4090) in addition to integrated graphics (e.g., Intel UHD 770, which is always included because it is physically built into the CPU). NitroPC Pro 2 configurations that include discrete graphics cards are <em>not</em> Qubes-certified. The only NitroPC Pro 2 configurations that are Qubes-certified are those that contain <em>only</em> integrated graphics.
</div>
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> Only the "Dasharo TianoCore UEFI without Measured Boot, without Nitrokey" firmware option is certified. The "HEADS with Measured Boot, requires Nitrokey!" firmware option is <em>not</em> certified.
</div>
The [NitroPC Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of NitroPC Pro](/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/product/nitropc-pro-523)
Here's a summary of the main component options available for this mid-tower desktop PC:
| Component | Options |
|----------------------------- | -------------------------------------------------------- |
| Motherboard | MSI PRO Z690-A DDR5 (Wi-Fi optional) |
| Processor | 12th Generation Intel Core i5-12600K or i9-12900K |
| Memory | 16 GB to 128 GB DDR5 |
| NVMe storage (optional) | Up to two NVMe PCIe 4.0 x4 SSDs, up to 2 TB each |
| SATA storage (optional) | Up to two SATA SSDs, up to 7.68 TB each |
| Wireless (optional) | Wi-Fi 6E, 2400 Mbps, 802.11/a/b/g/n/ac/ax, Bluetooth 5.2 |
| Operating system (optional) | Qubes OS 4.1 or Ubuntu 22.04 LTS |
Of special note for Qubes users, the NitroPC Pro features a combined PS/2 port that supports both a PS/2 keyboard and a PS/2 mouse simultaneously with a Y-cable (not included). This allows for full control of dom0 without the need for USB keyboard or mouse passthrough. Nitrokey also offers a special tamper-evident shipping method for an additional fee. With this option, the case screws will be individually sealed and photographed, and the NitroPC Pro will be packed inside a sealed bag. Photographs of the seals will be sent to you by email, which you can use to determine whether the case was opened during transit.
The NitroPC Pro also comes with a "Dasharo Entry Subscription," which includes the following:
- Accesses to the latest firmware releases
- Exclusive newsletter
- Special firmware updates, including early access to updates enhancing privacy, security, performance, and compatibility
- Early access to new firmware releases for [newly-supported desktop platforms](https://docs.dasharo.com/variants/overview/#desktop) (please see the [roadmap](https://github.com/Dasharo/presentations/blob/main/dug2_dasharo_roadmap.md#dasharo-desktop-roadmap))
- Access to the Dasharo Premier Support invite-only live chat channel on the Matrix network, allowing direct access to the Dasharo Team and fellow subscribers with personalized and priority assistance
- Insider's view and influence on the Dasharo feature roadmap for a real impact on Dasharo development
- [Dasharo Tools Suite Entry Subscription](https://docs.dasharo.com/osf-trivia-list/dts/#what-is-dasharo-tools-suite-supporters-entrance) keys
For further product details, please see the official [NitroPC Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523) page.

42
user/hardware/certified-hardware/novacustom-nv41-series.md Normal file
View file

@ -0,0 +1,42 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/novacustom-nv41-series/
title: NovaCustom NV41 Series
image: /attachment/site/novacustom-nv41-series.png
---
The [NovaCustom NV41 Series](https://novacustom.com/product/nv41-series/) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of the NovaCustom NV41 Series](/attachment/site/novacustom-nv41-series.png)](https://novacustom.com/product/nv41-series/)
## Qubes-certified configurations
The following configuration options are certified for Qubes OS Release 4:
Processor:
- Intel Core i5-1240P processor
- Intel Core i7-1260P processor
Memory:
- 2 x 16 GB Kingston DDR4 SODIMM 3200 MHz (32 GB total)
- 1 x 32 GB Kingston DDR4 SODIMM 3200 MHz (32 GB total)
- 2 x 32 GB Kingston DDR4 SODIMM 3200 MHz (64 GB total)
M.2 storage chip:
- Samsung 980 SSD (all capacities)
- Samsung 980 Pro SSD (all capacities)
Wi-Fi and Bluetooth:
- Intel AX-200/201 Wi-Fi module 2976 Mbps, 802.11ax/Wi-Fi 6 + Bluetooth 5.2
- Killer (Intel) Wireless-AX 1675x M.2 Wi-Fi module 802.11ax/Wi-Fi 6E + Bluetooth 5.3
- Blob-free: Qualcomm Atheros QCNFA222 Wi-Fi 802.11a/b/g/n + Bluetooth 4.0
- No Wi-Fi/Bluetooth chip
### Notes on Wi-Fi and Bluetooth options
- When viewed in a Linux environment with `lspci`, the "Killer (Intel) Wireless-AX 1675x M.2 Wi-Fi module 802.11ax/Wi-Fi 6E + Bluetooth 5.3" device displays the model number "AX210." However, according to its [Intel Ark entry](https://ark.intel.com/content/www/us/en/ark/products/211485/intel-killer-wifi-6e-ax1675-xw.html) (in the "Product Brief" file), they are actually the same Wi-Fi module.
- Similarly, when viewed in a Linux environment with `lspci`, the "Blob-free: Qualcomm Atheros QCNFA222 Wi-Fi 802.11a/b/g/n + Bluetooth 4.0" device displays the model number "AR9462," which seems to be just the Wi-Fi chip model number, whereas "QCNFA222" seems to be the model number of the whole device (which include Bluetooth). Meanwhile, the Bluetooth device presents itself as "IMC Networks Device 3487."
- The term "blob-free" is used in different ways. In practice, being "blob-free" generally does *not* mean that the device does not use any closed-source firmware "blobs." Rather, it means that the device comes with firmware *preinstalled* so that it does not have to be loaded from the operating system. In theory, the preinstalled firmware could be open-source, but as far as we know, that is not the case with this particular Atheros Wi-Fi/Bluetooth module. (Qualcomm has published firmware source code in the past, but only for other device models, as far as we are aware.) Meanwhile, the Free Software Foundation (FSF) [considers](https://www.gnu.org/philosophy/free-hardware-designs.en.html#boundary) unmodifiable preinstalled firmware to be part of the hardware, hence they regard such hardware as "blob-free" from a software perspective. While common usage of the term "blob-free" often follows the FSF's interpretation, it is worthwhile for Qubes users who are concerned about closed-source firmware to understand the nuance.

70
user/hardware/certified-hardware/novacustom-v54-series.md Normal file
View file

@ -0,0 +1,70 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/novacustom-v54-series/
title: NovaCustom V54 Series
image: /attachment/site/novacustom-v54-series.png
---
The [NovaCustom V54 Series 14.0 inch coreboot laptop](https://novacustom.com/product/v54-series/) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of the NovaCustom V54 Series 14.0 inch coreboot laptop](/attachment/site/novacustom-v54-series.png)](https://novacustom.com/product/v54-series/)
## Qubes-certified options
The configuration options required for Qubes certification are detailed below.
### Screen size
- Certified: 14 inch
**Note:** The 14-inch model (V540TU) and the 16-inch model (V560TU) are two separate products. [The 16-inch model is also certified.](/doc/certified-hardware/novacustom-v56-series/)
### Screen resolution
- Certified: Full HD+ (1920 x 1200)
- Certified: 2.8K (2880 x 1800)
### Processor and graphics
- Certified: Intel Core Ultra 5 Processor 125H, Intel Arc iGPU with AI Boost
- Certified: Intel Core Ultra 7 Processor 155H, Intel Arc iGPU with AI Boost
- The Nvidia discrete GPU options are not currently certified.
### Memory
- Certified: Any configuration with at least 16 GB of memory
### Storage
- Certified: All of the available options in these sections
### Personalization
- This section is merely cosmetic and therefore does not affect certification.
### Firmware options
- Qubes OS does not currently support UEFI secure boot.
- The option to be kept up to date with firmware updates is merely an email notification service and therefore does not affect certification.
- Certified: coreboot+EDK-II
- Certified: coreboot+Heads
- Disabling Intel Management Engine (HAP disabling) does not affect certification.
### Operating system
- Certified: Qubes OS 4.2.4 or newer (within Release 4).
- Releases older than 4.2.4 are not certified.
- You may choose either to have NovaCustom preinstall Qubes OS for you, or you may choose to install Qubes OS yourself. This choice does not affect certification.
### Wi-Fi and Bluetooth
- Certified: Intel AX-210/211 (non vPro) Wi-Fi module 2.4 Gbps, 802.11AX/Wi-Fi6E + Bluetooth 5.3
- Certified: Intel BE200 (non vPro) Wi-Fi module 5.8 Gbps, 802.11BE/Wi-Fi7 + Bluetooth 5.42
- Certified: No Wi-Fi chip -- no Bluetooth and Wi-Fi connection possible (only with USB adapter)
## Disclaimers
- In order for Wi-Fi to function properly, `sys-net` must currently be based on a Fedora template. The firmware package in Debian templates is currently too old for the certified Wi-Fi cards.
- Currently requires `kernel-latest`: If you install Qubes OS yourself, you must select the `Install Qubes OS RX using kernel-latest` option on the GRUB menu when booting the installer. This non-default kernel option is currently required for the NovaCustom V54 Series to function properly.
- Due to a [known bug](https://github.com/Dasharo/dasharo-issues/issues/976), the bottom-right USB-C port is currently limited to USB 2.0 speeds.

70
user/hardware/certified-hardware/novacustom-v56-series.md Normal file
View file

@ -0,0 +1,70 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/novacustom-v56-series/
title: NovaCustom V56 Series
image: /attachment/site/novacustom-v56-series.png
---
The [NovaCustom V56 Series 16.0 inch coreboot laptop](https://novacustom.com/product/v56-series/) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
[![Photo of the NovaCustom V56 Series 16.0 inch coreboot laptop](/attachment/site/novacustom-v56-series.png)](https://novacustom.com/product/v56-series/)
## Qubes-certified options
The configuration options required for Qubes certification are detailed below.
### Screen size
- Certified: 16 inch
**Note:** The 16-inch model (V560TU) and the 14-inch model (V540TU) are two separate products. [The 14-inch model is also certified.](/doc/certified-hardware/novacustom-v54-series/)
### Screen resolution
- Certified: Full HD+ (1920 x 1200)
- Certified: Q-HD+ (2560 x 1600)
### Processor and graphics
- Certified: Intel Core Ultra 5 Processor 125H + Intel Arc iGPU with AI Boost
- Certified: Intel Core Ultra 7 Processor 155H + Intel Arc iGPU with AI Boost
- The Nvidia discrete GPU options are not currently certified.
### Memory
- Certified: Any configuration with at least 16 GB of memory
### Storage
- Certified: Any of the available options in this section
### Personalization
- This section is merely cosmetic and therefore does not affect certification.
### Firmware options
- Qubes OS does not currently support UEFI secure boot.
- Keeping up-to-date with firmware updates is merely an email notification service and therefore does not affect certification.
- Certified: coreboot+EDK-II
- Certified: coreboot+Heads
- Disabling Intel Management Engine (HAP disabling) does not affect certification.
### Operating system
- Certified: Qubes OS 4.2.3 or newer (within Release 4).
- Releases older than 4.2.3 are not certified.
- You may choose either to have NovaCustom preinstall Qubes OS for you, or you may choose to install Qubes OS yourself. This choice does not affect certification.
### Wi-Fi and Bluetooth
- Certified: Intel AX-210/211 (non vPro) Wi-Fi module 2.4 Gbps, 802.11AX/Wi-Fi6E + Bluetooth 5.3
- Certified: Intel BE200 (non vPro) Wi-Fi module 5.8 Gbps, 802.11BE/Wi-Fi7 + Bluetooth 5.42
- Certified: No Wi-Fi chip - no Bluetooth and Wi-Fi connection possible (only with USB adapter)
## Disclaimers
- In order for Wi-Fi to function properly, `sys-net` must currently be based on a Fedora template. The firmware package in Debian templates is currently too old for the certified Wi-Fi cards.
- Currently requires `kernel-latest`: If you install Qubes OS yourself, you must select the `Install Qubes OS RX using kernel-latest` option on the GRUB menu when booting the installer. This non-default kernel option is currently required for the NovaCustom V56 Series to function properly.
- Due to a [known bug](https://github.com/Dasharo/dasharo-issues/issues/976), the bottom-right USB-C port is currently limited to USB 2.0 speeds.

35
user/hardware/certified-hardware/starlabs-starbook.md Normal file
View file

@ -0,0 +1,35 @@
---
lang: en
layout: doc
permalink: /doc/certified-hardware/starlabs-starbook/
title: Star Labs StarBook
image: /attachment/site/starlabs-starbook.png
---
The [Star Labs StarBook](https://starlabs.systems/pages/starbook) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
The [Star Labs StarBook](https://starlabs.systems/pages/starbook) is a 14-inch laptop featuring open-source coreboot and EDK II firmware.
[![Photo of Star Labs StarBook](/attachment/site/starlabs-starbook.png)](https://starlabs.systems/pages/starbook)
The Qubes developers have tested and certified the following StarBook configuration options for Qubes OS Release 4:
| Component | Qubes-certified options |
| ---------------- | ------------------------------------------------ |
| Processor | 13th Generation Intel Core i3-1315U or i7-1360P |
| Memory | 8 GB, 16 GB, 32 GB, or 64 GB RAM |
| Storage | 512 GB, 1 TB, or 2 TB SSD |
| Graphics | Intel (integrated graphics) |
| Networking | Intel Wi-Fi 6 AX210 (no built-in wired Ethernet) |
| Firmware | coreboot 8.97 (2023-10-03) |
| Operating system | Qubes OS (pre-installation optional) |
[![Photo of Star Labs StarBook](/attachment/posts/starlabs-starbook_top.png)](https://starlabs.systems/pages/starbook)
The StarBook features a true matte 14-inch IPS display at 1920x1080 full HD resolution with 400cd/m² of brightness, 178° viewing angles, and a 180° hinge. The backlit keyboard is available in US English, UK English, French, German, Nordic, and Spanish layouts.
[![Photo of Star Labs StarBook](/attachment/posts/starlabs-starbook_side.png)](https://starlabs.systems/pages/starbook)
The StarBook includes four USB ports (1x USB-C with Thunderbolt 4, 2x USB 3.0, and 1x USB 2.0), one HDMI port, a microSD slot, an audio input/output combo jack, and a DC jack for charging. For more information, see the official [Star Labs StarBook](https://starlabs.systems/pages/starbook) page.
[![Photo of Star Labs StarBook](/attachment/posts/starlabs-starbook_back.png)](https://starlabs.systems/pages/starbook)

24
user/hardware/system-requirements.md
View file

@ -114,16 +114,16 @@ We recommend consulting these resources when selecting hardware for Qubes OS:
other security updates directly to users. By contrast, on AMD client (as other security updates directly to users. By contrast, on AMD client (as
opposed to server) platforms, microcode updates are typically shipped only as opposed to server) platforms, microcode updates are typically shipped only as
part of system firmware and generally cannot be loaded from the operating part of system firmware and generally cannot be loaded from the operating
system. This means that AMD users typically must wait for: system [^1]. This means that AMD users typically must wait for:
1. AMD to distribute microcode updates to original equipment manufacturers 1. AMD to distribute microcode updates to original equipment manufacturers
(OEMs), original design manufacturers (ODMs), and motherboard manufacturers (OEMs), original design manufacturers (ODMs), and motherboard manufacturers
(MB); and (MB); and
2. The user's OEM, ODM, or MB to provide a suitable BIOS or (U)EFI update for 2. The user's OEM, ODM, or MB to provide a suitable BIOS or (U)EFI update for
the user's system. the user's system.
Historically, AMD has often been slow to complete step (1), at least for its Historically, AMD has often been slow to complete step (1), at least for its
client (as opposed to server) platforms. In some cases, AMD has made fixes client (as opposed to server) platforms [^2]. In some cases, AMD has made fixes
available for its server platforms very shortly after a security embargo was available for its server platforms very shortly after a security embargo was
lifted, but it did not make fixes available for client platforms facing the lifted, but it did not make fixes available for client platforms facing the
same vulnerability until weeks or months later. (A "security embargo" is the same vulnerability until weeks or months later. (A "security embargo" is the
@ -134,7 +134,7 @@ We recommend consulting these resources when selecting hardware for Qubes OS:
Step (2) varies by vendor. Many vendors fail to complete step (2) at all, Step (2) varies by vendor. Many vendors fail to complete step (2) at all,
while some others take a very long time to complete it. while some others take a very long time to complete it.
The bottom line is that Qubes OS **can** run on AMD systems, and the Qubes and The bottom line is that Qubes OS **can** run on AMD systems, and the Qubes and
Xen security teams do their best to provide security support for AMD systems. Xen security teams do their best to provide security support for AMD systems.
However, without the ability to ship microcode updates, there is only so much However, without the ability to ship microcode updates, there is only so much
@ -163,3 +163,17 @@ We recommend consulting these resources when selecting hardware for Qubes OS:
- You can check whether an Intel processor has VT-x and VT-d on - You can check whether an Intel processor has VT-x and VT-d on
[ark.intel.com](https://ark.intel.com/content/www/us/en/ark.html#@Processors). [ark.intel.com](https://ark.intel.com/content/www/us/en/ark.html#@Processors).
[^1]: There is an `amd-ucode-firmware` package, but it only contains
microcode for servers and outdated microcode for Chromebooks. Also,
the [AMD security website](https://www.amd.com/en/resources/product-security.html)
only lists microcode as a mitigation for data center CPUs.
[^2]: As shown on [the AMD page for Speculative Return Stack Overflow](https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html),
updated AGESA™ firmware for AMD Ryzen™ Threadripper™ 5000WX Processors
was not available until 2024-01-11, even though the vulnerability became
public on 2023-08-08. AMD did not provide updated firmware for other client
processors until a date between 2023-08-22 to 2023-08-25.
For Zenbleed, firmware was not available until 2024 for most client parts,
even though server parts got microcode on 2023-06-06.

176
user/how-to-guides/backup-emergency-restore-v4.md
View file

@ -12,13 +12,17 @@ title: Emergency backup recovery (v4)
This page describes how to perform an emergency restore of a backup created on This page describes how to perform an emergency restore of a backup created on
Qubes R4.X (which uses backup format version 4). Qubes R4.X (which uses backup format version 4).
The Qubes backup system has been designed with emergency disaster recovery in The Qubes backup system is designed with emergency disaster recovery in mind. No
mind. No special Qubes-specific tools are required to access data backed up by special Qubes-specific tools are required to access data backed up by Qubes. In
Qubes. In the event a Qubes system is unavailable, you can access your data on the event a Qubes system is unavailable, you can access your data on any
any GNU/Linux system with the following procedure. GNU/Linux system by following the instructions on this page.
Required `scrypt` Utility **Important:** You may wish to store a copy of these instructions with your
------------------------- Qubes backups. All Qubes documentation, including this page, is available in
plain text format in the [qubes-doc](https://github.com/QubesOS/qubes-doc) Git
repository.
## Required `scrypt` utility
In Qubes 4.X, backups are encrypted and integrity-protected with In Qubes 4.X, backups are encrypted and integrity-protected with
[scrypt](https://www.tarsnap.com/scrypt.html). You will need a copy of this [scrypt](https://www.tarsnap.com/scrypt.html). You will need a copy of this
@ -34,8 +38,8 @@ easier scripting, which means you'll need to enter the passphrase for each file
separately, instead of using `echo ... | scrypt`. separately, instead of using `echo ... | scrypt`.
Here are instructions for obtaining a compiled `scrypt` binary. This example Here are instructions for obtaining a compiled `scrypt` binary. This example
uses an RPM-based system (Fedora), but the same general procedure should work uses an RPM-based system (Fedora), but the same general procedure should work on
on any GNU/Linux system. any GNU/Linux system.
1. If you're not on Qubes 4.X, [import and authenticate the Release 4 Signing 1. If you're not on Qubes 4.X, [import and authenticate the Release 4 Signing
Key](/security/verifying-signatures/#how-to-import-and-authenticate-release-signing-keys). Key](/security/verifying-signatures/#how-to-import-and-authenticate-release-signing-keys).
@ -46,7 +50,7 @@ on any GNU/Linux system.
[user@restore ~]$ dnf download scrypt [user@restore ~]$ dnf download scrypt
or, if that doesn't work: Or, if that doesn't work:
[user@restore ~]$ curl -O https://yum.qubes-os.org/r4.0/current/vm/fc28/rpm/scrypt-1.2.1-1.fc28.x86_64.rpm [user@restore ~]$ curl -O https://yum.qubes-os.org/r4.0/current/vm/fc28/rpm/scrypt-1.2.1-1.fc28.x86_64.rpm
@ -62,60 +66,35 @@ on any GNU/Linux system.
[user@restore ~]$ sudo dnf install rpmdevtools [user@restore ~]$ sudo dnf install rpmdevtools
5. Extract the `scrypt` binary from the RPM. 5. Extract the `scrypt` binary from the RPM and make it conveniently
available.
[user@restore ~]$ rpmdev-extract scrypt-*.rpm [user@restore ~]$ rpmdev-extract scrypt-*.rpm
[user@restore ~]$ alias scrypt="$PWD/scrypt-*/usr/bin/scrypt"
6. (Optional) Create an alias for the new binary. ## Emergency recovery instructions
[user@restore ~]$ alias scrypt="scrypt-*/usr/bin/scrypt"
Emergency Recovery Instructions
-------------------------------
**Note:** In the following example, the backup file is both *encrypted* and **Note:** In the following example, the backup file is both *encrypted* and
*compressed*. *compressed*.
1. Untar the main backup file. 1. Untar the backup metadata from the main backup file.
[user@restore ~]$ tar -i -xvf qubes-backup-2015-06-05T123456 [user@restore ~]$ tar -i -xvf qubes-backup-2023-04-05T123456 \
backup-header backup-header.hmac qubes.xml.000.enc
backup-header backup-header
backup-header.hmac backup-header.hmac
qubes.xml.000.enc qubes.xml.000.enc
vm1/private.img.000.enc
vm1/private.img.001.enc
vm1/private.img.002.enc
vm1/icon.png.000.enc
vm1/firewall.xml.000.enc
vm1/whitelisted-appmenus.list.000.enc
dom0-home/dom0user.000.enc
**To extract only specific VMs:** Each VM in the backup file has its path
listed in `qubes.xml.000.enc`. Decrypt it. (In this example, the password is
`password`.)
[user@restore ~]$ cat backup-header | grep backup-id
backup-id=20190128T123456-1234
[user@restore ~]$ scrypt dec -P qubes.xml.000.enc qubes.xml.000
Please enter passphrase: 20190128T123456-1234!qubes.xml.000!password
[user@restore ~]$ tar -i -xvf qubes.xml.000
Now that you have the decrypted `qubes.xml.000` file, search for the
`backup-path` property inside of it. With the `backup-path`, extract only
the files necessary for your VM (`vmX`).
[user@restore ~]$ tar -i -xvf qubes-backup-2015-06-05T123456 \
backup-header backup-header.hmac vmX/
2. Set the backup passphrase environment variable. While this isn't strictly 2. Set the backup passphrase environment variable. While this isn't strictly
required, it will be handy later and will avoid saving the passphrase in required, it will be handy later and will avoid saving the passphrase in the
the shell's history. shell's history.
[user@restore ~]$ read -r backup_pass [user@restore ~]$ read -r backup_pass
3. Verify the integrity of `backup-header`. For compatibility reasons, Type in your passphrase (it will be visible on screen!) and press Enter.
`backup-header.hmac` is an encrypted *and integrity protected*
version of `backup-header`. 3. Verify the integrity of `backup-header` using `backup-header.hmac` (an
encrypted *and integrity protected* version of `backup-header`).
[user@restore ~]$ set +H [user@restore ~]$ set +H
[user@restore ~]$ echo "backup-header!$backup_pass" |\ [user@restore ~]$ echo "backup-header!$backup_pass" |\
@ -123,34 +102,34 @@ Emergency Recovery Instructions
diff -qs backup-header backup-header.verified diff -qs backup-header backup-header.verified
Files backup-header and backup-header.verified are identical Files backup-header and backup-header.verified are identical
**Note:** If this command fails, it may be that the backup was tampered **Note:** If this command fails, it may be that the backup was tampered with
with or is in a different format. In the latter case, look inside or is in a different format. In the latter case, look inside `backup-header`
`backup-header` at the `version` field. If it contains a value other than at the `version` field. If it contains a value other than `version=4`, go to
`version=4`, go to the instructions for that format version: the instructions for that format version:
- [Emergency Backup Recovery without Qubes (v2)](/doc/backup-emergency-restore-v2/) - [Emergency Backup Recovery without Qubes (v2)](/doc/backup-emergency-restore-v2/)
- [Emergency Backup Recovery without Qubes (v3)](/doc/backup-emergency-restore-v3/) - [Emergency Backup Recovery without Qubes (v3)](/doc/backup-emergency-restore-v3/)
4. Read `backup-header`: 4. Read `backup-header`.
[user@restore ~]$ cat backup-header [user@restore ~]$ cat backup-header
version=4 version=4
encrypted=True encrypted=True
compressed=True compressed=True
compression-filter=gzip compression-filter=gzip
backup_id=20161020T123455-1234 hmac-algorithm=scrypt
backup-id=20230405T123455-1234
5. Set `backup_id` to the value in the last line of `backup-header`: 5. Set `backup_id` to the value in the last line of `backup-header`. (Note that
there is a hyphen in `backup-id` in the file, whereas there is an underscore
in `backup_id` in the variable you're setting.)
[user@restore ~]$ backup_id=20161020T123455-1234 [user@restore ~]$ backup_id=20230405T123455-1234
6. Verify the integrity of your data, decrypt, decompress, and extract 6. Verify and decrypt, decompress, and extract the `qubes.xml` file.
`private.img`:
[user@restore ~]$ find vm1 -name 'private.img.*.enc' | sort -V | while read f_enc; do \ [user@restore ~]$ echo "$backup_id!qubes.xml.000!$backup_pass" |\
f_dec=${f_enc%.enc}; \ scrypt dec -P qubes.xml.000.enc | gzip -d | tar -xv
echo "$backup_id!$f_dec!$backup_pass" | scrypt dec -P $f_enc || break; \ qubes.xml
done | gzip -d | tar -xv
vm1/private.img
If this pipeline fails, it is likely that the backup is corrupted or has If this pipeline fails, it is likely that the backup is corrupted or has
been tampered with. been tampered with.
@ -158,23 +137,66 @@ Emergency Recovery Instructions
**Note:** If your backup was compressed with a program other than `gzip`, **Note:** If your backup was compressed with a program other than `gzip`,
you must substitute the correct compression program in the command above. you must substitute the correct compression program in the command above.
This information is contained in `backup-header` (see step 4). For example, This information is contained in `backup-header` (see step 4). For example,
if your backup is compressed with `bzip2`, use `bzip2 -d` instead in the if your backup is compressed with `bzip2`, use `bzip2 -d` instead of `gzip
command above. -d` in the command above. You might need to install a package of the same
name (in this example, `bzip2`) through your distribution's package manager.
7. Mount `private.img` and access your data. 7. Search inside of the `qubes.xml` file for the `backup-path` of the qube
whose data you wish to restore. If you install the `xmlstarlet` package, the
following command will convert `qubes.xml` to a friendlier listing for this
purpose:
[user@restore vm1]$ sudo mkdir /mnt/img [user@restore ~]$ xmlstarlet sel -T -t -m //domain \
[user@restore vm1]$ sudo mount -o loop vm1/private.img /mnt/img/ -v 'concat(.//property[@name="name"], " ", .//feature[@name="backup-path"])' \
[user@restore vm1]$ cat /mnt/img/home/user/your_data.txt -n qubes.xml
This data has been successfully recovered!
anon-whonix
debian-11
default-mgmt-dvm
disp2345
fedora-37
fedora-37-dvm
personal vm123/
sys-firewall
sys-net
sys-usb
sys-whonix
untrusted
vault vm321/
whonix-gw-16
whonix-ws-16
whonix-ws-16-dvm
work
8. Success! If you wish to recover data from more than one VM in your backup, The example output above shows that the backup file includes a qube named
simply repeat steps 6 and 7 for each additional VM. `personal` and a qube named `vault`, with `backup-path` values of `vm123/`
and `vm321/` respectively. (Every other listed qube was not selected to be
included in the backup file.) Use the corresponding value to untar the
necessary data files of the qube:
**Note:** You may wish to store a copy of these instructions with your [user@restore ~]$ tar -i -xvf qubes-backup-2023-04-05T123456 vm123/
Qubes backups in the event that you fail to recall the above procedure
while this web page is inaccessible. All Qubes documentation, including
this page, is available in plain text format in the following Git
repository:
https://github.com/QubesOS/qubes-doc.git 8. Verify and decrypt the backed up data, decompress it, and extract it.
[user@restore ~]$ find vm123/ -name 'private.img.*.enc' | sort -V | while read f_enc; do \
f_dec=${f_enc%.enc}; \
echo "$backup_id!$f_dec!$backup_pass" | scrypt dec -P $f_enc || break; \
done | gzip -d | tar -xv
vm123/private.img
If this pipeline fails, it is likely that the backup is corrupted or has
been tampered with.
Also see the note in step 6 about substituting a different compression
program for `gzip`.
9. Mount `private.img` and access your data.
[user@restore ~]$ sudo mkdir /mnt/img
[user@restore ~]$ sudo mount -o loop vm123/private.img /mnt/img/
[user@restore ~]$ ls /mnt/img/home/user/
example_data_file.txt
...
Success! If you wish to recover data from more than one qube in your backup,
simply repeat steps 7, 8, and 9 for each additional qube.

6
user/how-to-guides/how-to-back-up-restore-and-migrate.md
View file

@ -160,6 +160,12 @@ out.
6. When you are ready, click **Next**. Qubes will proceed to restore from your 6. When you are ready, click **Next**. Qubes will proceed to restore from your
backup. Once the progress bar has completed, you may click **Finish**. backup. Once the progress bar has completed, you may click **Finish**.
In case that applications are not shown, i.e. "No applications found", open the
settings of the qube -> select `Applications` -> click `Refresh applications`.
When a restored application qube refreshes, the application lists will open the template qubes on which it is based. In that case the template qube should also be restored, if it is missing the default qube will be assigned.
The updated list of the installed software can be seen on the left and adjusted accordingly to the user's needs.
**Note:** When restoring from a dom0 backup, a new directory will be created in **Note:** When restoring from a dom0 backup, a new directory will be created in
the current dom0 home directory, and the contents from the backup will be the current dom0 home directory, and the contents from the backup will be
placed inside this new directory. This is intentional, as it allows users to placed inside this new directory. This is intentional, as it allows users to

63
user/how-to-guides/how-to-install-software.md
View file

@ -68,18 +68,39 @@ will appear in the Applications Menu. (If you encounter problems, see
## Installing software from other sources ## Installing software from other sources
Some software is not available from the default repositories and must be
downloaded and installed from another source. Depending on the installation method,
you may either use the updates proxy or direct networking.
### Using the updates proxy
If you are still using the distribution package manager, updates will likely still
work over the updates proxy without needing to give the TemplateVM direct network access.
If you are using another installation method fetching remote resources, you might still
be able to use the updates proxy by making the tools aware of the proxy. For many tools,
it is enough to export the following environment variables in your shell session before
proceeding:
```sh
$ export HTTP_PROXY=http://127.0.0.1:8082 http_proxy=$HTTP_PROXY \
HTTPS_PROXY=$HTTP_PROXY https_proxy=$HTTPS_PROXY \
ALL_PROXY=$HTTP_PROXY all_proxy=$ALL_PROXY \
NO_PROXY=127.0.0.1 no_proxy=$NO_PROXY
```
### Using direct networking
**Warning:** This method gives your template direct network access, which is **Warning:** This method gives your template direct network access, which is
[risky](#why-dont-templates-have-network-access). This method is **not** [risky](#why-dont-templates-have-normal-network-access). This method is **not**
recommended for trusted templates. Moreover, depending on how you install this recommended for trusted templates. Moreover, depending on how you install this
software, it may not get updated automatically when you [update Qubes software, it may not get updated automatically when you [update Qubes
normally](/doc/how-to-update/), which means you may have to update it manually normally](/doc/how-to-update/), which means you may have to update it manually
yourself. yourself.
Some software is not available from the default repositories and must be This method assumes that you are trying to follow instructions to install some piece
downloaded and installed from another source. This method assumes that you're of software in a normal operating system, except *that* operating system is running as a
trying to follow the instructions to install some piece of software in a normal template in Qubes OS.
operating system, except that operating system is running as a template in
Qubes OS.
1. (Recommended) Clone the desired template (since this new template will 1. (Recommended) Clone the desired template (since this new template will
probably be less trusted than the original). probably be less trusted than the original).
@ -140,25 +161,25 @@ If things are still not working as expected:
Please see [How to Update](/doc/how-to-update/). Please see [How to Update](/doc/how-to-update/).
## Why don't templates have network access? ## Why don't templates have normal network access?
In order to protect you from performing risky activities in templates, they do In order to protect you from performing risky activities in templates, they do
not have normal network access by default. Instead, templates use an [updates not have normal network access by default. Instead, templates use an
proxy](#updates-proxy) that allows you to install and update software using [updates-proxy](#updates-proxy)which allows you to install and update software using
the distribution package manager without giving the template direct network the distribution's package manager over the proxy connection.
access.**The updates proxy is already setup to work automatically **The updates proxy is already set up to work automatically out-of-the-box and
out-of-the-box and requires no special action from you.** Most users should requires no special action from you.**
simply follow the normal instructions for [installing software from default Most users should simply follow the normal instructions for [installing software
repositories](#installing-software-from-default-repositories) and from default repositories](#installing-software-from-default-repositories)
[updating](/doc/how-to-update/) software. If your software is not available in and [updating](/doc/how-to-update/) software. If your software is not available
the default repositories, see [installing software from other in the default repositories, see [installing software from other
sources](#installing-software-from-other-sources). sources](#installing-software-from-other-sources).
## Advanced ## Advanced
The following sections cover advanced topics pertaining to installing and The following sections cover advanced topics pertaining to installing and
updating software in domUs. updating software in qubes.
### Testing repositories ### Testing repositories
@ -227,10 +248,10 @@ depending on which RPM Fusion repositories you wish to enable (see [RPM
Fusion](https://rpmfusion.org/) for details): Fusion](https://rpmfusion.org/) for details):
~~~ ~~~
sudo dnf config-manager --set-enabled rpmfusion-free sudo dnf config-manager setopt rpmfusion-free.enabled=1
sudo dnf config-manager --set-enabled rpmfusion-free-updates sudo dnf config-manager setopt rpmfusion-free-updates.enabled=1
sudo dnf config-manager --set-enabled rpmfusion-nonfree sudo dnf config-manager setopt rpmfusion-nonfree.enabled=1
sudo dnf config-manager --set-enabled rpmfusion-nonfree-updates sudo dnf config-manager setopt rpmfusion-nonfree-updates.enabled=1
sudo dnf upgrade --refresh sudo dnf upgrade --refresh
~~~ ~~~

2
user/how-to-guides/how-to-organize-your-qubes.md
View file

@ -89,7 +89,7 @@ the other. Alice's setup looks like this:
[bind-dirs](/doc/bind-dirs/) to make those changes persistent, but sometimes [bind-dirs](/doc/bind-dirs/) to make those changes persistent, but sometimes
she doesn't want to get bogged down doing with all that and figures it she doesn't want to get bogged down doing with all that and figures it
wouldn't be worth it just for this one qube. She's secretly glad that Qubes wouldn't be worth it just for this one qube. She's secretly glad that Qubes
OS doesn't judge her this and just gives her the freedom to do things however OS doesn't judge her for this and just gives her the freedom to do things however
she likes while keeping everything securely compartmentalized. At times like she likes while keeping everything securely compartmentalized. At times like
these, she takes comfort in knowing that things can be messy and disorganized these, she takes comfort in knowing that things can be messy and disorganized
*within* a qube while her overall digital life remains well-organized. *within* a qube while her overall digital life remains well-organized.

126
user/how-to-guides/how-to-update.md
View file

@ -17,6 +17,7 @@ Fully updating your Qubes OS system means updating:
- [dom0](/doc/glossary/#dom0) - [dom0](/doc/glossary/#dom0)
- [templates](/doc/glossary/#template) - [templates](/doc/glossary/#template)
- [standalones](/doc/glossary/#standalone) (if you have any) - [standalones](/doc/glossary/#standalone) (if you have any)
- [firmware](/doc/glossary/#firmware)
## Security updates ## Security updates
@ -32,7 +33,7 @@ However, you can also start the tool manually by selecting it in the Application
<div class="alert alert-info" role="alert"> <div class="alert alert-info" role="alert">
<i class="fa fa-question-circle"></i> <i class="fa fa-question-circle"></i>
For information about how templates download updates, please see <a href="/doc/how-to-install-software/#why-dont-templates-have-network-access">Why don't templates have network access?</a> and the <a href="/doc/how-to-install-software/#updates-proxy">Updates proxy</a>. For information about how templates download updates, please see <a href="/doc/how-to-install-software/#why-dont-templates-have-normal-network-access">Why don't templates have normal network access?</a> and the <a href="/doc/how-to-install-software/#updates-proxy">Updates proxy</a>.
</div> </div>
By default, most qubes that are connected to the internet will periodically check for updates for their parent templates. You can check the date of the last update check in the "last checked" column. If updates are available for any qube, you will receive a notification as described above, and in the "Updates available" column you will see "YES" for that qube(s). If the update check did not find any new updates, "NO" will appear in the column. Respectively, for qubes that are no longer supported, "OBSOLETE" will be displayed. However, if you have any templates that do *not* have any online child qubes, you will *not* receive update notifications for them. By default, after a week, if updates for a given qube have not been checked, the value in the "Updates available" column will be set to "MAYBE". By default, most qubes that are connected to the internet will periodically check for updates for their parent templates. You can check the date of the last update check in the "last checked" column. If updates are available for any qube, you will receive a notification as described above, and in the "Updates available" column you will see "YES" for that qube(s). If the update check did not find any new updates, "NO" will appear in the column. Respectively, for qubes that are no longer supported, "OBSOLETE" will be displayed. However, if you have any templates that do *not* have any online child qubes, you will *not* receive update notifications for them. By default, after a week, if updates for a given qube have not been checked, the value in the "Updates available" column will be set to "MAYBE".
@ -65,10 +66,19 @@ If you use [Anti Evil Maid (AEM)](/doc/anti-evil-maid/), you'll have to "reseal"
<div class="alert alert-danger" role="alert"> <div class="alert alert-danger" role="alert">
<i class="fa fa-exclamation-triangle"></i> <i class="fa fa-exclamation-triangle"></i>
<b>Warning:</b> Updating with direct commands such as <code>dnf update</code>, and <code>apt update</code> is <b>not</b> recommended, since these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the <b>Qubes Update</b> tool or its command-line equivalents, as described below. (By contrast, <a href="/doc/how-to-install-software/">installing</a> packages using direct package manager commands is fine.) <b>Warning:</b> Updating with direct commands such as <code>dnf update</code> and <code>apt update</code> is <b>not</b> recommended, since these bypass built-in Qubes OS update security measures. Instead, we strongly recommend using the <b>Qubes Update</b> tool or its command-line equivalents, as described below. (By contrast, <a href="/doc/how-to-install-software/">installing</a> packages using direct package manager commands is fine.)
</div> </div>
Advanced users may wish to perform updates via the command-line interface. To update templates and standalones non-interactively, use the command `qubes-vm-update`, and to update dom0, use `qubes-dom0-update`. If you want to perform an update with more advanced user-configurable options (e.g., custom pre- or post-update scripts, custom workarounds), see: [update.qubes-dom0](/doc/salt/#updatequbes-dom0) and [update.qubes-vm](/doc/salt/#updatequbes-vm). Advanced users may wish to perform updates via the command-line interface. There are two ways to do this:
- If you are using Salt, one can use the following two Salt states.
- [update.qubes-dom0](/doc/salt/#updatequbes-dom0)
- [update.qubes-vm](/doc/salt/#updatequbes-vm)
- Alternatively, use `qubes-dom0-update` to update dom0, and use `qubes-vm-update` to update domUs.
Using either of these methods has the same effect as updating via the Qubes Update tool.
Advanced users may also be interested in learning [how to enable the testing repos](/doc/testing/). Advanced users may also be interested in learning [how to enable the testing repos](/doc/testing/).
@ -83,3 +93,113 @@ In the case of Qubes OS itself, we will make an [announcement](/news/categories/
Periodic upgrades are also important for templates. For example, you might be using a [Fedora template](/doc/templates/fedora/). The [Fedora Project](https://getfedora.org/) is independent of the Qubes OS Project. They set their own [schedule](https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle#Maintenance_Schedule) for when each Fedora release reaches EOL. You can always find out when an OS reaches EOL from the upstream project that maintains it. We also pass along any EOL notices we receive for official template OSes as a convenience to Qubes users (see the [supported template releases](/doc/supported-releases/#templates)). Periodic upgrades are also important for templates. For example, you might be using a [Fedora template](/doc/templates/fedora/). The [Fedora Project](https://getfedora.org/) is independent of the Qubes OS Project. They set their own [schedule](https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle#Maintenance_Schedule) for when each Fedora release reaches EOL. You can always find out when an OS reaches EOL from the upstream project that maintains it. We also pass along any EOL notices we receive for official template OSes as a convenience to Qubes users (see the [supported template releases](/doc/supported-releases/#templates)).
The one exception to all this is the specific release used for dom0 (not to be confused with Qubes OS as a whole), which [doesn't have to be upgraded](/doc/supported-releases/#note-on-dom0-and-eol). The one exception to all this is the specific release used for dom0 (not to be confused with Qubes OS as a whole), which [doesn't have to be upgraded](/doc/supported-releases/#note-on-dom0-and-eol).
## Microcode Updates
x86\_64 CPUs contain special low-level software called **microcode**, which
is used to implement certain instructions and runs on various processors that
are outside of Qubes OS's control. Most microcode is in an on-CPU ROM, but
CPU vendors provide patches that modify small parts of this microcode. These
patches can be loaded from the BIOS or by the OS.
The fixes for some QSBs require a microcode update to work. Furthermore,
microcode updates will sometimes fix vulnerabilities "silently". This means
that the vulnerability impacts the security of Qubes OS, but the Qubes OS
Security Team is not informed that a vulnerability exists, so no QSB is ever
issued. Therefore, it is critical to update microcode.
Intel provides microcode updates for all of their CPUs in a public Git
repository, and allows OS vendors (such as Qubes OS) to distribute the updates
free of charge. AMD, however, only provides microcode for server CPUs.
AMD client CPUs can only receive microcode updates via a system firmware
update. Worse, there is often a significant delay between when a vulnerability
becomes public and when firmware that includes updated microcode is available
to Qubes OS users. This is why Qubes OS recommends Intel CPUs instead of
AMD CPUs.
## Firmware updates
Modern computers have many processors other than those that run Qubes OS.
Furthermore, the main processor cores also run firmware, which is used to
boot the system and often provides some services at runtime. Both kinds
of firmware can have bugs and vulnerabilities, so it is critical to keep
them updated.
Some firmware is loaded by the OS at runtime.
Such firmware is provided by the `linux-firmware` package and can be updated the usual way.
Other devices have persistent firmware that must be updated manually.
Qubes OS supports updating system firmware in three different ways.
Which one to use depends on the device whose firmware is being updated.
- If a device is attached to a domU, it should be updated using **fwupd**.
fwupd is included in both Debian and Fedora repositories.
It requires Internet access to use, but you can use the updates proxy if you
need to update firmware from an offline VM. You can use either the
command-line `fwupdmgr` tool or any of the graphical interfaces to fwupd.
- If a device is attached to dom0, use the `qubes-fwupdmgr` command-line tool.
This tool uses fwupd internally, but it fetches firmware and metadata over
qrexec from the dom0 UpdateVM, rather than fetching them from the Internet.
Unfortunately, their is no graphical interface for this tool yet.
- System76 systems use a special update tool which is simpler than fwupd.
Support for this tool is currently in progress. Once it is finished,
users will be able to use the **system76-firmware-cli** command-line
tool to update the firmware.
Firmware updates are important on all systems, but they are especially
important on AMD client systems. These do not support loading microcode from
the OS, so firmware updates are the **only** way to obtain microcode updates.
## Firmware update methods
As of Qubes 4.2, firmware updates can be performed from within Qubes for [fwupd-supported computers](https://fwupd.org/).
### In dom0
First, ensure that your UpdateVM
contains the `fwupd-qubes-vm` package. This package is installed
by default for qubes with `qubes-vm-recommended` packages.
In a dom0 terminal, install the `fwupd-qubes-dom0` package:
```
$ sudo qubes-dom0-update fwupd-qubes-dom0
```
Once the package is installed:
```
$ sudo qubes-fwupdmgr get-devices
```
Examine the terminal output for warnings or errors.
You may see the following warning:
```
WARNING: UEFI capsule updates not available or enabled
```
If so, [adjust your BIOS settings](https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported) to enable UEFI updates. This setting is sometimes named "Windows UEFI Firmware Update."
Once resolved, in a dom0 terminal:
```
$ sudo qubes-fwupdmgr get-devices
$ sudo qubes-fwupdmgr refresh
$ sudo qubes-fwupdmgr update
```
A numbered list of devices with available updates will be presented. Ensure your computer is plugged in to a stable power source, then type the list number of the device you wish to update. If a reboot is required, you will be prompted at the console to confirm.
Repeat the update process for any additional devices on your computer.
### In other qubes
Devices that are attached to non-dom0 qubes can be updated via a graphical tool for `fwupd`, or via the `fwupdmgr` commandline tool.
To update the firmware of offline qubes, use the [Updates proxy](/doc/how-to-install-software/#updates-proxy).
### Computers without fwupd support
For computers that do not have firmware update support via `fwupd`, follow the firmware update instructions on the manufacturer's website. Verify the authenticity of any firmware updates you apply.

59
user/how-to-guides/how-to-use-usb-devices.md
View file

@ -13,7 +13,7 @@ title: How to use USB devices
If you are looking to handle USB *storage* devices (thumbdrives or USB-drives), please have a look at the [block device](/doc/how-to-use-block-storage-devices/) page. If you are looking to handle USB *storage* devices (thumbdrives or USB-drives), please have a look at the [block device](/doc/how-to-use-block-storage-devices/) page.
**Note:** Attaching USB devices to VMs requires a [USB qube](/doc/usb-qubes/). **Note:** Attaching USB devices to qubes requires a [USB qube](/doc/usb-qubes/).
**Important security warning:** USB passthrough comes with many security implications. **Important security warning:** USB passthrough comes with many security implications.
Please make sure you carefully read and understand the **[security considerations](/doc/device-handling-security/#usb-security)**. Please make sure you carefully read and understand the **[security considerations](/doc/device-handling-security/#usb-security)**.
@ -28,15 +28,15 @@ Examples of valid cases for USB-passthrough:
(If you are thinking to use a two-factor-authentication device, [there is an app for that](/doc/ctap-proxy/). (If you are thinking to use a two-factor-authentication device, [there is an app for that](/doc/ctap-proxy/).
But it has some [issues](https://github.com/QubesOS/qubes-issues/issues/4661).) But it has some [issues](https://github.com/QubesOS/qubes-issues/issues/4661).)
## Attaching And Detaching a USB Device ## Attaching and detaching a USB device
### With Qubes Device Manager ### With Qubes device manager
Click the device-manager-icon: ![device manager icon](/attachment/doc/media-removable.png) Click the device-manager-icon: ![device manager icon](/attachment/doc/media-removable.png)
A list of available devices appears. A list of available devices appears.
USB-devices have a USB-icon to their right: ![usb icon](/attachment/doc/generic-usb.png) USB-devices have a USB-icon to their right: ![usb icon](/attachment/doc/generic-usb.png)
Hover on one device to display a list of VMs you may attach it to. Hover on one device to display a list of qubes you may attach it to.
Click one of those. Click one of those.
The USB device will be attached to it. The USB device will be attached to it.
@ -44,11 +44,11 @@ You're done.
After you finished using the USB-device, you can detach it the same way by clicking on the Devices Widget. After you finished using the USB-device, you can detach it the same way by clicking on the Devices Widget.
You will see an entry in bold for your device such as **`sys-usb:2-5 - 058f_USB_2.0_Camera`**. You will see an entry in bold for your device such as **`sys-usb:2-5 - 058f_USB_2.0_Camera`**.
Hover on the attached device to display a list of running VMs. Hover on the attached device to display a list of running qubes
The one to which your device is connected will have an eject button ![eject icon](/attachment/doc/media-eject.png) next to it. The one to which your device is connected will have an eject button ![eject icon](/attachment/doc/media-eject.png) next to it.
Click that and your device will be detached. Click that and your device will be detached.
### With The Command Line Tool ### With the command line tool
In dom0, you can use `qvm-usb` from the commandline to attach and detach devices. In dom0, you can use `qvm-usb` from the commandline to attach and detach devices.
@ -74,7 +74,7 @@ sys-usb:2-1 03f0:0641 PixArt_Optical_Mouse
``` ```
Now, you can use your USB device (camera in this case) in the `work` qube. Now, you can use your USB device (camera in this case) in the `work` qube.
If you see the error `ERROR: qubes-usb-proxy not installed in the VM` instead, please refer to the [Installation Section](#installation-of-qubes-usb-proxy). If you see the error `ERROR: qubes-usb-proxy not installed in the qube` instead, please refer to the [Installation Section](#installation-of-qubes-usb-proxy).
When you finish, detach the device. When you finish, detach the device.
@ -87,20 +87,20 @@ sys-usb:2-5 058f:3822 058f_USB_2.0_Camera
sys-usb:2-1 03f0:0641 PixArt_Optical_Mouse sys-usb:2-1 03f0:0641 PixArt_Optical_Mouse
``` ```
## Maintenance And Customisation ## Maintenance and customisation
### Creating And Using a USB qube ### Creating and using a USB qube
If you've selected to install a usb-qube during system installation, everything is already set up for you in `sys-usb`. If you've selected to install a usb-qube during system installation, everything is already set up for you in `sys-usb`.
If you've later decided to create a usb-qube, please follow [this guide](/doc/usb-qubes/). If you've later decided to create a usb-qube, please follow [this guide](/doc/usb-qubes/).
### Installation Of `qubes-usb-proxy` ### Installation of `qubes-usb-proxy`
To use this feature, the `qubes-usb-proxy` package needs to be installed in the templates used for the USB qube and qubes you want to connect USB devices to. To use this feature, the `qubes-usb-proxy` package needs to be installed in the templates used for the USB qube and qubes you want to connect USB devices to.
This section exists for reference or in case something broke and you need to reinstall `qubes-usb-proxy`. This section exists for reference or in case something broke and you need to reinstall `qubes-usb-proxy`.
Under normal conditions, `qubes-usb-proxy` should already be installed and good to go. Under normal conditions, `qubes-usb-proxy` should already be installed and good to go.
If you receive this error: `ERROR: qubes-usb-proxy not installed in the VM`, you can install the `qubes-usb-proxy` with the package manager in the VM you want to attach the USB device to. If you receive this error: `ERROR: qubes-usb-proxy not installed in the qube`, you can install the `qubes-usb-proxy` with the package manager in the qube you want to attach the USB device to.
- Fedora: - Fedora:
``` ```
@ -111,18 +111,19 @@ If you receive this error: `ERROR: qubes-usb-proxy not installed in the VM`, you
sudo apt-get install qubes-usb-proxy sudo apt-get install qubes-usb-proxy
``` ```
### Using USB Keyboards And Other Input Devices ### Using USB keyboards and other input devices
**Warning:** especially keyboards need to be accepted by default when using them to login! Please make sure you carefully read and understood the **[security considerations](/doc/device-handling-security/#usb-security)** before continuing! **Warning:** especially keyboards need to be accepted by default when using them to login! Please make sure you carefully read and understood the **[security considerations](/doc/device-handling-security/#usb-security)** before continuing!
Mouse and keyboard setup are part of [setting up a USB qube](/doc/usb-qubes/). Mouse and keyboard setup are part of [setting up a USB qube](/doc/usb-qubes/).
### Finding The Right USB Controller ### Finding the right USB controller
Some USB devices are not compatible with the USB pass-through method Qubes employs. Some USB devices are not compatible with the USB pass-through method Qubes employs.
In situations like these, you can try to pass through the entire USB controller to a qube as PCI device. In situations like these, you can try to pass through the entire USB controller to a qube as PCI device.
However, with this approach one cannot attach single USB devices but has to attach the whole USB controller with whatever USB devices are connected to it. However, with this approach you cannot attach single *USB devices* but have to attach the whole *USB controller* with whatever USB devices are connected to it.
You can find your controller and its BDF address using the method described below, using the command-line tools `lsusb` and `readlink`.
If you have multiple USB controllers, you must first figure out which PCI device is the right controller. If you have multiple USB controllers, you must first figure out which PCI device is the right controller.
First, find out which USB bus the device is connected to (note that these steps need to be run from a terminal inside your USB qube): First, find out which USB bus the device is connected to (note that these steps need to be run from a terminal inside your USB qube):
@ -141,7 +142,7 @@ Bus 003 Device 003: ID 413c:818d Dell Computer Corp.
(In this case, the device isn't fully identified) (In this case, the device isn't fully identified)
The device is connected to USB bus \#3. The device is connected to USB bus \#3.
Check which other devices are connected to the same bus, since *all* of them will be attach to the same VM. Check which other devices are connected to the same bus, since *all* of them will be attached to the target qube.
To find the right controller, follow the usb bus: To find the right controller, follow the usb bus:
@ -154,11 +155,29 @@ This should output something like:
``` ```
../../../devices/pci-0/pci0000:00/0000:00:1a.0/usb3 ../../../devices/pci-0/pci0000:00/0000:00:1a.0/usb3
``` ```
Now you see the path: the text between `/pci0000:00/0000:` and `/usb3` i.e. `00:1a.0` is the BDF address. Strip the address and pass it to the [`qvm-pci` tool](/doc/how-to-use-pci-devices/) to attach the controller to the target qube, like this:
Now you see the path and the text between `/pci0000:00/0000:` and `/usb3` i.e. `00:1a.0` is the BDF address. Strip the address and pass it to the [`qvm-pci` tool](/doc/how-to-use-pci-devices/) to attach the controller to the targetVM.
For example, On R 4.0 the command would look something like
``` ```
qvm-pci attach --persistent personal dom0:00_1a.0 qvm-pci attach --persistent personal dom0:00_1a.0
``` ```
It is possible that on some system configurations the readlink method produces output which is different from the example above,
For example, you might see output like this:
```
../../../devices/pci0000:00/0000:00:1c.0/0000:01:00.0/usb1
```
In this case, there is a PCI bridge, and the BDF address of the controller is the *last* item, 01:00.0
If the output format does not match this example, or you are unsure if it contains the correct BDF address, you can try finding the address using using the Qube Manager instead.
### Identifying controllers using the Qube Manager
Using Qube Manager you can quickly determine the controllers on your system and their BDF addresses, but not which controller a particular device is attached to.
Open the Qube Manager, then right click on one of the qubes and open the settings. Go to the tab "Devices".
Here you should see your available devices along with their BDF addresses. Look for the lines containing "USB controller".
They should look something like: `01:00.0 USB controller: Name of manufacturer`
The first part is the BDF address, in this example: `01:00.0`
If, for example, you have 2 USB controllers in your system because you added one you should see 2 such lines and you can probably guess which controller is the one on the mainboard and which one you added. For example, if you have a mainboard with an Intel chipset, it is possible that all of the mainboard devices show as "Intel Corporation", while the added controller shows another manufacturer's name.
Now you should be able to tell which is the BDF address of the mainboard USB controller or the added USB controller.

7
user/reference/glossary.md
View file

@ -88,6 +88,13 @@ domUs lack direct hardware access.
* Sometimes the term [VM](#vm) is used as a synonym for domU. This is * Sometimes the term [VM](#vm) is used as a synonym for domU. This is
technically inaccurate, as [dom0](#dom0) is also a VM in Xen. technically inaccurate, as [dom0](#dom0) is also a VM in Xen.
## firmware
Software that runs outside the control of the operating system.
Some firmware executes on the same CPU cores as Qubes OS does, but
all computers have many additional processors that the operating system
does not run on, and these computers also run firmware.
## HVM ## HVM
Hardware-assisted Virtual Machine. Any fully virtualized, or hardware-assisted, Hardware-assisted Virtual Machine. Any fully virtualized, or hardware-assisted,

43
user/security-in-qubes/firewall.md
View file

@ -269,7 +269,8 @@ As an example we can take the use case of qube QubeDest running a web server lis
**1. Identify the IP addresses you will need to use for sys-net, sys-firewall and the destination qube.** **1. Identify the IP addresses you will need to use for sys-net, sys-firewall and the destination qube.**
You can get this information using various methods, but only the first one can be used for `sys-net` outside world IP: You can get this information using various methods.
Only the first method can be used for `sys-net` to find the external IP:
- by running this command in each qube: `ip -4 -br a | grep UP` - by running this command in each qube: `ip -4 -br a | grep UP`
- using `qvm-ls -n` - using `qvm-ls -n`
@ -284,7 +285,12 @@ Note the IP addresses you will need, they will be required in the next steps.
For the following example, we assume that the physical interface ens6 in sys-net is on the local network 192.168.x.y with the IP 192.168.x.n, and that the IP address of sys-firewall is 10.137.1.z. For the following example, we assume that the physical interface ens6 in sys-net is on the local network 192.168.x.y with the IP 192.168.x.n, and that the IP address of sys-firewall is 10.137.1.z.
In the sys-net VM's Terminal, the first step is to define an ntables chain that will receive DNAT rules to relay the network traffic on a given port to the qube NetVM, we recommend to define a new chain for each destination qube to ease rules management: When writing rules in sys-net, you can use `iif` or `iifname`.
`iif` is faster, but can change where interfaces are dynamically created and destroyed, eg. ppp0.
In that case use `iifname`, like this `iifname ens6`.
`iifname` can also match wildcards - `iifname "eth*"`
In the sys-net VM's Terminal, the first step is to define an nftables chain that will receive DNAT rules to relay the network traffic on a given port to the qube NetVM, we recommend to define a new chain for each destination qube to ease rules management:
``` ```
nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }' nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
@ -292,25 +298,24 @@ nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority fi
> Note: the name `custom-dnat-qubeDST` is arbitrary > Note: the name `custom-dnat-qubeDST` is arbitrary
> Note: while we use a DNAT chain for a single qube, it's totally possible to have a single DNAT chain for multiple qubes > Note: while we use a DNAT chain for a single qube, it's possible to have a single DNAT chain for multiple qubes
Second step, code a natting firewall rule to route traffic on the outside interface for the service to the sys-firewall VM Second step, code a natting firewall rule to route traffic on the outside interface for the service to the sys-firewall VM
``` ```
nft add rule qubes custom-dnat-qubeDEST iif == "ens6" ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.1.z nft add rule qubes custom-dnat-qubeDEST iifname ens6 ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.1.z
``` ```
Third step, code the appropriate new filtering firewall rule to allow new connections for the service Third step, code the appropriate new filtering firewall rule to allow new connections for the service
``` ```
nft add rule qubes custom-forward iif == "ens6" ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter accept nft add rule qubes custom-forward iifname ens6 ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter accept
``` ```
> Note: If you do not wish to limit the IP addresses connecting to the service, remove `ip saddr 192.168.x.y/24` from the rules > Note: If you do not wish to limit the IP addresses connecting to the service, remove `ip saddr 192.168.x.y/24` from the rules
> If you want to expose the service on multiple interfaces, repeat steps 2 and 3 above, for each interface. Alternatively, you can leave out the interface completely.
> If you want to expose the service on multiple interfaces, repeat the steps 2 and 3 described above, for each interface. Alternatively, you can leave out the interface completely. Verify the rules on the sys-net firewall correctly match the packets you want by looking at the counters: check for the counter lines in the chains `custom-forward` and `custom-dnat-qubeDEST`:
Verify the rules on sys-net firewall correctly match the packets you want by looking at its counters, check for the counter lines in the chains `custom-forward` and `custom-dnat-qubeDEST`:
``` ```
nft list table ip qubes nft list table ip qubes
@ -320,12 +325,12 @@ In this example, we can see 7 packets in the forward rule, and 3 packets in the
``` ```
chain custom-forward { chain custom-forward {
iif "ens6" ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter packets 7 bytes 448 accept iifname ens6 ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter packets 7 bytes 448 accept
} }
chain custom-dnat-qubeDEST { chain custom-dnat-qubeDEST {
type nat hook prerouting priority filter + 1; policy accept; type nat hook prerouting priority filter + 1; policy accept;
iif "ens6" ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter packets 3 bytes 192 dnat to 10.138.33.59 iifname ens6 ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter packets 3 bytes 192 dnat to 10.138.33.59
} }
``` ```
@ -351,18 +356,20 @@ Content of `/rw/config/qubes-firewall-user-script` in `sys-net`:
if nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }' if nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
then then
# create the dnat rule # create the dnat rule
nft add rule qubes custom-dnat-qubeDEST iif == "ens6" saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.1.z nft add rule qubes custom-dnat-qubeDEST iifname ens6 saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.1.z
# allow forwarded traffic # allow forwarded traffic
nft add rule qubes custom-forward iif == "ens6" ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter accept nft add rule qubes custom-forward iifname ens6 ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter accept
fi fi
~~~ ~~~
**3. Route packets from the FirewallVM to the VM** **3. Route packets from the FirewallVM to the VM**
For the following example, we use the fact that the physical interface of sys-firewall, facing sys-net, is eth0. Furthermore, we assume that the target VM running the web server has the IP address 10.137.0.xx and that the IP address of sys-firewall is 10.137.1.z. For the following example, we use the fact that the interface of sys-firewall facing sys-net, is eth0.
This is allocated to iifgroup 1.
Furthermore, we assume that the IP address of sys-firewall is 10.137.1.z, and the target VM running the web server has the IP address 10.137.0.xx.
In the sys-firewall VM's Terminal, add a DNAT chain that will contain routing rules: In the sys-firewall Terminal, add a DNAT chain that will contain routing rules:
``` ```
nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }' nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
@ -371,13 +378,13 @@ nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority fi
Second step, code a natting firewall rule to route traffic on the outside interface for the service to the destination qube Second step, code a natting firewall rule to route traffic on the outside interface for the service to the destination qube
``` ```
nft add rule qubes custom-dnat-qubeDEST iif == "eth0" ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.0.xx nft add rule qubes custom-dnat-qubeDEST iifgroup 1 ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.0.xx
``` ```
Third step, code the appropriate new filtering firewall rule to allow new connections for the service Third step, code the appropriate new filtering firewall rule to allow new connections for the service
``` ```
nft add rule qubes custom-forward iif == "eth0" ip saddr 192.168.x.y/24 ip daddr 10.137.0.xx tcp dport 443 ct state new,established,related counter accept nft add rule qubes custom-forward iifgroup 1 ip saddr 192.168.x.y/24 ip daddr 10.137.0.xx tcp dport 443 ct state new,established,related counter accept
``` ```
> Note: If you do not wish to limit the IP addresses connecting to the service, remove `ip saddr 192.168.x.y/24` from the rules > Note: If you do not wish to limit the IP addresses connecting to the service, remove `ip saddr 192.168.x.y/24` from the rules
@ -398,10 +405,10 @@ Content of `/rw/config/qubes-firewall-user-script` in `sys-firewall`:
if nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }' if nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
then then
# create the dnat rule # create the dnat rule
nft add rule qubes custom-dnat-qubeDEST iif == "eth0" tcp dport 443 ct state new,established,related counter dnat 10.137.0.xx nft add rule qubes custom-dnat-qubeDEST iifgroup 1 tcp dport 443 ct state new,established,related counter dnat 10.137.0.xx
# allow forwarded traffic # allow forwarded traffic
nft add rule qubes custom-forward iif == "eth0" ip saddr 192.168.x.y/24 ip daddr 10.137.0.xx tcp dport 443 ct state new,established,related counter accept nft add rule qubes custom-forward iifgroup 1 ip saddr 192.168.x.y/24 ip daddr 10.137.0.xx tcp dport 443 ct state new,established,related counter accept
fi fi
~~~ ~~~

2
user/security-in-qubes/mfa.md
View file

@ -66,7 +66,7 @@ Now we are going to add the authenticator as a login requirement:
1. `sudo authselect create-profile mfa --base-on sssd` 1. `sudo authselect create-profile mfa --base-on sssd`
2. Edit the custom system authentication template with `sudo nanois encouraged /etc/authselect/custom/mfa/system-auth`. 2. Edit the custom system authentication template in `/etc/authselect/custom/mfa/system-auth`.
Add the following line right after `auth required pam_faildelay.so delay=2000000`: Add the following line right after `auth required pam_faildelay.so delay=2000000`:

157
user/security-in-qubes/split-gpg-2.md Normal file
View file

@ -0,0 +1,157 @@
---
lang: en
layout: doc
permalink: /doc/split-gpg-2/
redirect_from:
- /en/doc/split-gpg-2/
- /doc/SplitGpg-2/
- /doc/UserDoc/SplitGpg-2/
- /doc/open-pgp-2/
- /en/doc/open-pgp-2/
- /doc/OpenPGP-2/
- /doc/UserDoc/OpenPGP-2/
ref: 568
title: Split GPG-2
---
Split GPG implements a concept similar to having a smart card with your private GPG keys, except that the role of the "smart card" is played by another Qubes app qube.
This way one not-so-trusted domain, e.g. the one where Thunderbird is running, can delegate all crypto operations -- such as encryption/decryption and signing -- to another, more trusted, network-isolated domain.
This way the compromise of your domain where Thunderbird or another client app is running -- arguably a not-so-unthinkable scenario -- does not allow the attacker to automatically also steal all your keys.
(We should make a rather obvious comment here that the so-often-used passphrases on private keys are pretty meaningless because the attacker can easily set up a simple backdoor which would wait until the user enters the passphrase and steal the key then.)
[![split-gpg-diagram.png](/attachment/doc/split-gpg-diagram.png)](/attachment/doc/split-gpg-diagram.png)
This diagram presents an overview of the Split GPG architecture.
## Advantages of Split GPG vs. traditional GPG with a smart card
It is often thought that the use of smart cards for private key storage guarantees ultimate safety.
While this might be true (unless the attacker can find a usually-very-expensive-and-requiring-physical-presence way to extract the key from the smart card) but only with regards to the safety of the private key itself.
However, there is usually nothing that could stop the attacker from requesting the smart card to perform decryption of all the user documents the attacker has found or need to decrypt.
In other words, while protecting the user's private key is an important task, we should not forget that ultimately it is the user data that are to be protected and that the smart card chip has no way of knowing the requests to decrypt documents are now coming from the attacker's script and not from the user sitting in front of the monitor.
(Similarly the smart card doesn't make the process of digitally signing a document or a transaction in any way more secure -- the user cannot know what the chip is really signing.
Unfortunately this problem of signing reliability is not solvable by Split GPG.)
With Qubes Split GPG this problem is drastically minimized, because each time the key is to be used the user is asked for consent (with a definable time out, 5 minutes by default), plus is always notified each time the key is used via a tray notification from the domain where GPG backend is running.
This way it would be easy to spot unexpected requests to decrypt documents.
## Configuration
Create/Edit `/etc/qubes/policy.d/30-user-gpg2.policy` in dom0, and add a line like this:
```
qubes.Gpg2 + gpg-client-vm @default allow target=gpg-server-vm
```
Import/Generate your secret keys in the server domain.
For example:
```
gpg-server-vm$ gpg --import /path/to/my/secret-keys-export
gpg-server-vm$ gpg --import-ownertrust /path/to/my/ownertrust-export
```
or
```
gpg-server-vm$ gpg --gen-key
```
In dom0 enable the `split-gpg2-client` service in the client domain, for example via the command-line:
```shell
dom0$ qvm-service <SPLIT_GPG2_CLIENT_DOMAIN_NAME> split-gpg2-client on
```
To verify if this was done correctly:
```shell
dom0$ qvm-service <SPLIT_GPG2_CLIENT_DOMAIN_NAME>
```
Output should be:
```shell
split-gpg2-client on
```
Restart the client domain.
Export the **public** part of your keys and import them in the client domain.
Also import/set proper "ownertrust" values.
For example:
```
gpg-server-vm$ gpg --export > public-keys-export
gpg-server-vm$ gpg --export-ownertrust > ownertrust-export
gpg-server-vm$ qvm-copy public-keys-export ownertrust-export
gpg-client-vm$ gpg --import ~/QubesIncoming/gpg-server-vm/public-keys-export
gpg-client-vm$ gpg --import-ownertrust ~/QubesIncoming/gpg-server-vm/ownertrust-export
```
This should be enough to have it running:
```
gpg-client-vm$ gpg -K
/home/user/.gnupg/pubring.kbx
-----------------------------
sec# rsa2048 2019-12-18 [SC] [expires: 2021-12-17]
50C2035AF57B98CD6E4010F1B808E4BB07BA9EFB
uid [ultimate] test
ssb# rsa2048 2019-12-18 [E]
```
If you want change some server option copy `/usr/share/doc/split-gpg2/examples/qubes-split-gpg2.conf.example` to `~/.config/qubes-split-gpg2/qubes-split-gpg2.conf` and change it as desired, it will take precedence over other loaded files, such as the drop-in configuration files with the suffix `.conf` in `~/.config/qubes-split-gpg2/conf.d/`.
If you have a passphrase on your keys and `gpg-agent` only shows the "keygrip" (something like the fingerprint of the private key) when asking for the passphrase, then make sure that you have imported the public key part in the server domain.
## Subkeys vs primary keys
split-gpg2 only knows a hash of the data being signed.
Therefore, it cannot differentiate between e.g. signatures of a piece of data or signatures of another key.
This means that a client can use split-gpg2 to sign other keys, which split-gpg1 did not allow.
To prevent this, split-gpg2 creates a new GnuPG home directory and imports the secret subkeys (**not** the primary key!) to it.
Clients will be able to use the secret parts of the subkeys, but not of the primary key.
If your primary key is able to sign data and certify other keys, and your only subkey can only perform encryption, this means that all signing will fail.
To make signing work again, generate a subkey that is capable of signing but **not** certification.
split-gpg2 does not generate this key for you, so you need to generate it yourself.
If you want to generate a key in software, use the `addkey` command of `gpg2 --edit-key`.
If you want to generate a key on a smartcard or other hardware token, use `addcardkey` instead.
## Advanced usage
There are a few option not described in this README.
See the comments in the example (config and the source code)[https://github.com/QubesOS/qubes-app-linux-split-gpg2/blob/main/qubes-split-gpg2.conf.example].
Similar to a smartcard, split-gpg2 only tries to protect the private key.
For advanced usages, consider if a specialized RPC service would be better.
It could do things like checking what data is singed, detailed logging, exposing the encrypted content only to a VM without network, etc.
Using split-gpg2 as the "backend" for split-gpg1 is known to work.
## Allow key generation
By setting `allow_keygen = yes` in `qubes-split-gpg2.conf` you can allow the client to generate new keys.
Normal usage should not need this.
**Warning**: This feature is new and not much tested.
Therefore it's not security supported!
## Copyright
Copyright (C) 2014 HW42 <hw42@ipsumj.de>\
Copyright (C) 2019 Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

6
user/security-in-qubes/split-gpg.md
View file

@ -16,6 +16,12 @@ ref: 168
title: Split GPG title: Split GPG
--- ---
<div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Note:</b> This information concerns split-gpg.
The implementation has been updated to provide more features in split-gpg-2. Some incomplete information on split-gpg-2 is available <a href="https://www.qubes-os.org/doc/split-gpg-2/">here</a>
</div>
Split GPG implements a concept similar to having a smart card with your private GPG keys, except that the role of the "smart card" is played by another Qubes app qube. Split GPG implements a concept similar to having a smart card with your private GPG keys, except that the role of the "smart card" is played by another Qubes app qube.
This way one not-so-trusted domain, e.g. the one where Thunderbird is running, can delegate all crypto operations -- such as encryption/decryption and signing -- to another, more trusted, network-isolated domain. This way one not-so-trusted domain, e.g. the one where Thunderbird is running, can delegate all crypto operations -- such as encryption/decryption and signing -- to another, more trusted, network-isolated domain.
This way the compromise of your domain where Thunderbird or another client app is running -- arguably a not-so-unthinkable scenario -- does not allow the attacker to automatically also steal all your keys. This way the compromise of your domain where Thunderbird or another client app is running -- arguably a not-so-unthinkable scenario -- does not allow the attacker to automatically also steal all your keys.

19
user/templates/debian/debian.md
View file

@ -12,19 +12,18 @@ title: Debian templates
--- ---
The Debian [template](/doc/templates/) is an officially [supported](/doc/supported-releases/#templates) template in Qubes OS. The Debian [template](/doc/templates/) is an officially [supported](/doc/supported-releases/#templates) template in Qubes OS.
This page is about the standard (or "full") Debian template. The Current version is Debian 12 ("bookworm"). It is available in 3 versions - `debian-12`, a standard template; `debian-12-xfce`, a larger template with more installed applications, selected for [Xfce](/doc/templates/xfce/); `debian-12-minimal`.
This page is about the "full" templates.
For the minimal version, please see the [Minimal templates](/doc/templates/minimal/) page. For the minimal version, please see the [Minimal templates](/doc/templates/minimal/) page.
There is also a [Qubes page on the Debian Wiki](https://wiki.debian.org/Qubes).
## Installing ## Installing
To [install](/doc/templates/#installing) a specific Debian template that is not currently installed in your system, use the following command in dom0: To [install](/doc/templates/#installing) a specific Debian template that is not currently installed in your system, use the Qubes Template Manager, or use the following command in a dom0 terminal:
``` ```
$ sudo qubes-dom0-update qubes-template-debian-XX $ qvm-template install XX
``` ```
(Replace `XX` with the name of the template you wish to install.)
(Replace `XX` with the Debian version number of the template you wish to install.)
To reinstall a Debian template that is already installed in your system, see [How to Reinstall a template](/doc/reinstall-template/). To reinstall a Debian template that is already installed in your system, see [How to Reinstall a template](/doc/reinstall-template/).
@ -60,7 +59,9 @@ This section contains notes about specific Debian releases.
### Debian 12 ### Debian 12
If you want to use a Debian 12 template for salting Qubes, you **must** stop the salt-common and salt-ssh packages from being upgraded. The Debian-12 templates that ship with release 4.2.4 cannot be used for salting Fedora templates. You must change the template used by `default-mgmt-dvm` to a Fedora template. You can do this in the Qubes Template Switcher tool, or at the command line using `qvm-prefs default-mgmt-dvm template`.
If you have a Debian template from an earlier release that you want to use for salting Qubes, you **must** stop the salt-common and salt-ssh packages from being upgraded.
Do this by marking these packages on hold *before* updating the template. Do this by marking these packages on hold *before* updating the template.
``` ```
@ -98,10 +99,8 @@ Don't forget to make the file executable.
### Unattended Upgrades ### Unattended Upgrades
Some users have noticed that on upgrading to Stretch, the `unattended-upgrade` package is installed. Some users have noticed that on upgrading Debian templates, the `unattended-upgrade` package is installed.
This package is pulled in as part of a Recommend chain, and can be purged. This package is pulled in as part of a Recommend chain, and can be purged.
The lesson is that you should carefully look at what is being installed to your system, particularly if you run `dist-upgrade`. The lesson is that you should carefully look at what is being installed to your system, particularly if you run `dist-upgrade`.
### Package installation errors in Qubes 4.0 ### Package installation errors in Qubes 4.0

6
user/templates/fedora/fedora-upgrade.md
View file

@ -47,7 +47,7 @@ If you wish to install a new, unmodified Fedora template instead of upgrading a
[user@fedora-<new> ~]$ sudo mkfs.ext4 /dev/xvdi [user@fedora-<new> ~]$ sudo mkfs.ext4 /dev/xvdi
[user@fedora-<new> ~]$ sudo mount /dev/xvdi /mnt/removable [user@fedora-<new> ~]$ sudo mount /dev/xvdi /mnt/removable
[user@fedora-<new> ~]$ sudo dnf clean all [user@fedora-<new> ~]$ sudo dnf clean all
[user@fedora-<new> ~]$ sudo dnf --releasever=<new> --setopt=cachedir=/mnt/removable --best --allowerasing distro-sync [user@fedora-<new> ~]$ sudo dnf --releasever=<new> --setopt=cachedir=/mnt/removable --best distro-sync --allowerasing
[user@dom0 ~]$ qvm-shutdown fedora-<new> [user@dom0 ~]$ qvm-shutdown fedora-<new>
[user@dom0 ~]$ sudo losetup -d $dev [user@dom0 ~]$ sudo losetup -d $dev
[user@dom0 ~]$ rm /var/tmp/template-upgrade-cache.img [user@dom0 ~]$ rm /var/tmp/template-upgrade-cache.img
@ -116,7 +116,7 @@ The same general procedure may be used to upgrade any template based on the stan
[user@fedora-<new> ~]$ sudo mkfs.ext4 /dev/xvdi [user@fedora-<new> ~]$ sudo mkfs.ext4 /dev/xvdi
[user@fedora-<new> ~]$ sudo mount /dev/xvdi /mnt/removable [user@fedora-<new> ~]$ sudo mount /dev/xvdi /mnt/removable
[user@fedora-<new> ~]$ sudo dnf clean all [user@fedora-<new> ~]$ sudo dnf clean all
[user@fedora-<new> ~]$ sudo dnf --releasever=<new> --setopt=cachedir=/mnt/removable --best --allowerasing distro-sync [user@fedora-<new> ~]$ sudo dnf --releasever=<new> --setopt=cachedir=/mnt/removable --best distro-sync --allowerasing
``` ```
If this attempt is successful, proceed to step 4. If this attempt is successful, proceed to step 4.
@ -185,7 +185,7 @@ The same general procedure may be used to upgrade any template based on the stan
[user@dom0 ~]$ qvm-clone fedora-<old>-minimal fedora-<new>-minimal [user@dom0 ~]$ qvm-clone fedora-<old>-minimal fedora-<new>-minimal
[user@dom0 ~]$ qvm-run -u root -a fedora-<new>-minimal xterm [user@dom0 ~]$ qvm-run -u root -a fedora-<new>-minimal xterm
[root@fedora-<new>-minimal ~]# dnf clean all [root@fedora-<new>-minimal ~]# dnf clean all
[user@fedora-<new>-minimal ~]# dnf --releasever=<new> --best --allowerasing distro-sync [user@fedora-<new>-minimal ~]# dnf --releasever=<new> --best distro-sync --allowerasing
[user@fedora-<new>-minimal ~]# fstrim -v / [user@fedora-<new>-minimal ~]# fstrim -v /
[user@dom0 ~]$ qvm-features fedora-<new>-minimal template-name fedora-<new> [user@dom0 ~]$ qvm-features fedora-<new>-minimal template-name fedora-<new>
``` ```

10
user/templates/fedora/fedora.md
View file

@ -6,17 +6,15 @@ ref: 136
title: Fedora templates title: Fedora templates
--- ---
The Fedora [template](/doc/templates/) is the default template in Qubes OS. This page is about the standard (or "full") Fedora template. For the minimal and Xfce versions, please see the [Minimal templates](/doc/templates/minimal/) and [Xfce templates](/doc/templates/xfce/) pages. The Fedora [template](/doc/templates/) is the default template in Qubes OS. The current version is Fedora 41. This page is about the standard (or "full") Fedora template. For the minimal and Xfce versions, please see the [Minimal templates](/doc/templates/minimal/) and [Xfce templates](/doc/templates/xfce/) pages.
## Installing ## Installing
To [install](/doc/templates/#installing) a specific Fedora template that is not currently installed in your system, use the following command in dom0: To [install](/doc/templates/#installing) a specific Fedora template that is not currently installed in your system, use the Qubes Template Manager, or use the following command in a dom0 terminal:
``` ```
$ sudo qubes-dom0-update qubes-template-fedora-XX $ qvm-template install XX
``` ```
(Replace `XX` with the name of the Fedora template you wish to install.)
(Replace `XX` with the Fedora version number of the template you wish to install.)
To reinstall a Fedora template that is already installed in your system, see [How to Reinstall a template](/doc/reinstall-template/). To reinstall a Fedora template that is already installed in your system, see [How to Reinstall a template](/doc/reinstall-template/).

73
user/templates/minimal-templates.md
View file

@ -55,7 +55,6 @@ Minimal templates of the following distros are available:
- Fedora - Fedora
- Debian - Debian
- CentOS
- Gentoo - Gentoo
A list of all available templates can also be obtained with the [Template Manager](/doc/template-manager/) tool. A list of all available templates can also be obtained with the [Template Manager](/doc/template-manager/) tool.
@ -305,75 +304,3 @@ Documentation on all of these can be found in the [docs](/doc/).
You could, of course, use `qubes-vm-recommended` to automatically install many You could, of course, use `qubes-vm-recommended` to automatically install many
of these, but in that case you are well on the way to a standard Debian of these, but in that case you are well on the way to a standard Debian
template. template.
### CentOS
The following list provides an overview of which packages are needed for which
purpose. As usual, the required packages are to be installed in the running
template with the following command (replace `packages` with a space-delimited
list of packages to be installed):
```
[user@your-new-clone ~]$ sudo yum install packages
```
- Commonly used utilities: `pciutils` `vim-minimal` `less` `psmisc`
`gnome-keyring`
- Audio: `pulseaudio-qubes`.
- Networking: `qubes-core-agent-networking`, and whatever network tools
you want. N.B. minimal templates do not include any browser.
- [FirewallVM](/doc/firewall/), such as the template for `sys-firewall`: at
least `qubes-core-agent-networking`, and also `qubes-core-agent-dom0-updates`
if you want to use it as the `UpdateVM` (which is normally `sys-firewall`).
- NetVM, such as the template for `sys-net`: `qubes-core-agent-networking`
`qubes-core-agent-network-manager` `NetworkManager-wifi`
`network-manager-applet` `notification-daemon`
`gnome-keyring`. If your network devices need extra packages for a network
VM, use the `lspci` command to identify the devices, then find the package
that provides necessary firnware and install it. If you need utilities for
debugging and analyzing network connections, install the following packages:
`tcpdump` `telnet` `nmap` `nmap-ncat`
- [USB qube](/doc/usb-qubes/), such as the template for `sys-usb`:
`qubes-usb-proxy` to provide USB devices to other Qubes and
`qubes-input-proxy-sender` to provide keyboard or mouse input to dom0.
- [VPN
qube](https://forum.qubes-os.org/t/19061):
You may need to install network-manager VPN packages, depending on the VPN
technology you'll be using. After creating a machine based on this template,
follow the [VPN
howto](https://forum.qubes-os.org/t/19061#set-up-a-proxyvm-as-a-vpn-gateway-using-networkmanager)
to configure it.
- `default-mgmt-dvm`: requires `qubes-core-agent-passwordless-root` and
`qubes-mgmt-salt-vm-connector`.
In Qubes 4.0, additional packages from the `qubes-core-agent` suite may be
needed to make the customized minimal template work properly. These packages
are:
- `qubes-core-agent-nautilus`: This package provides integration with the
Nautilus file manager (without it, items like "copy to VM/open in disposable"
will not be shown in Nautilus).
- `qubes-core-agent-thunar`: This package provides integration with the thunar
file manager (without it, items like "copy to VM/open in disposable" will not
be shown in thunar).
- `qubes-core-agent-dom0-updates`: Script required to handle `dom0` updates.
Any template on which the qube responsible for 'dom0' updates (e.g.
`sys-firewall`) is based must contain this package.
- `qubes-menus`: Defines menu layout.
- `qubes-desktop-linux-common`: Contains icons and scripts to improve desktop
experience.
Also, there are packages to provide additional services:
- `qubes-gpg-split`: For implementing split GPG.
- `qubes-pdf-converter`: For implementing safe conversion of PDFs.
- `qubes-img-converter`: For implementing safe conversion of images.
- `qubes-snapd-helper`: If you want to use snaps in qubes.
- `qubes-mgmt-salt-vm-connector`: If you want to use salt management on the
template and qubes.
Documentation on all of these can be found in the [docs](/doc/).
You could, of course, use `qubes-vm-recommended` to automatically install many
of these, but in that case you are well on the way to a standard Debian
template.

103
user/templates/templates.md
View file

@ -13,10 +13,15 @@ title: Templates
In [Getting Started](/doc/getting-started/), we covered the distinction In [Getting Started](/doc/getting-started/), we covered the distinction
in Qubes OS between where you *install* your software and where you *run* your in Qubes OS between where you *install* your software and where you *run* your
software. Your software is installed in [templates](/doc/glossary/#template). software. Software that you use in most everyday tasks, is installed within [templates](/doc/glossary/#template).
Each template shares its root filesystem (i.e., all of its programs and system When using Qubes OS, you normally work in [app qubes](/doc/glossary/#app-qube).
files) with all the qubes based on it. [App qubes](/doc/glossary/#app-qube) are App qubes are based on a *template* qube (or more simply, just *a template*).
where you run your software and store your data. They inherit most of the ["root filesystem"](https://opensource.com/life/16/10/introduction-linux-filesystems), from the template.
Changes you make to the root filesystem are not written back to the template: if you install an application in an app qube it will disappear when you shut down the qube. (You may be able to work round this by using Flatpak or snap packages, which install to the user's home directory.)
The user home directory *is* specific to the app qube, and changes there are kept.
There is a full explanation of this [below](#inheritance-and-persistence).
If you use a [Standalone](/doc/glossary/#standalone), the **whole filesystem** is specific to the standalone, and every change you make will be kept after shutdown.
The template system has significant benefits: The template system has significant benefits:
@ -37,7 +42,7 @@ The template system has significant benefits:
An important side effect of this system is that any software installed in an An important side effect of this system is that any software installed in an
app qube (rather than in the template on which it is based) will disappear app qube (rather than in the template on which it is based) will disappear
after the app qube reboots (see [Inheritance and when the app qube shuts down (see [Inheritance and
Persistence](#inheritance-and-persistence)). For this reason, we recommend Persistence](#inheritance-and-persistence)). For this reason, we recommend
installing most of your software in templates, not app qubes. installing most of your software in templates, not app qubes.
@ -61,6 +66,9 @@ exactly the same source code as we publish.
* [Fedora Xfce](/doc/templates/xfce) * [Fedora Xfce](/doc/templates/xfce)
* [Debian](/doc/templates/debian/) * [Debian](/doc/templates/debian/)
* [Debian Minimal](/doc/templates/minimal/) * [Debian Minimal](/doc/templates/minimal/)
* [Debian Xfce](/doc/templates/xfce)
You can see the current supported versions [here](/doc/supported-releases#templates).
## Community ## Community
@ -78,10 +86,15 @@ developers do not test them.
* [Whonix](/doc/templates/whonix/) * [Whonix](/doc/templates/whonix/)
* [Ubuntu](/doc/templates/ubuntu/) * [Ubuntu](/doc/templates/ubuntu/)
* [Arch Linux](/doc/building-archlinux-template/) * [Arch Linux](/doc/building-archlinux-template/)
* [CentOS](/doc/templates/centos/)
* [CentOS Minimal](/doc/templates/minimal/)
* [Gentoo](/doc/templates/gentoo/) * [Gentoo](/doc/templates/gentoo/)
* [Gentoo Minimal](/doc/templates/minimal/) * [Gentoo Minimal](/doc/templates/minimal/)
* [CentOS*](/doc/templates/centos)
*\* The CentOS version used by this template reached
[End-of-Life in June 2024](https://en.wikipedia.org/wiki/CentOS_Stream#Release_history)
and is no longer receiving updates. Due to a lack of specific interest
at this time a proposal to create a new CentOS 10 template was
[declined](https://github.com/QubesOS/qubes-issues/issues/9716).*
## Windows ## Windows
@ -104,16 +117,16 @@ when you wish to install a fresh template from the Qubes repositories, e.g.:
* When you suspect your template has been compromised. * When you suspect your template has been compromised.
* When you have made modifications to your template that you no longer want. * When you have made modifications to your template that you no longer want.
You can use a command line tool - `qvm-template` - or a GUI - `qvm-template-gui`. You can manage your templates using the `Qubes Template Manager`, a GUI tool available from the Qube menu.
You can also use a command line tool in dom0 - `qvm-template`.
At the command line in dom0, `qvm-template list --available` will show available templates. To install a template, use: At the command line in dom0, `qvm-template list --available` will show available templates. To install a template, use:
``` ```
$ qvm-template install <template_name> $ qvm-template install <template_name>
``` ```
You can also use `qvm-template` to upgrade or reinstall templates. You can also use `qvm-template` to upgrade or reinstall templates.
Repo definitions are stored in `/etc/qubes/repo-templates` and associated keys in `/etc/qubes/repo-templates/keys`. Repository (repo) definitions are stored in dom0 in `/etc/qubes/repo-templates` and associated keys in `/etc/qubes/repo-templates/keys`.
There are additional repos for testing releases and community templates. There are additional repos for testing releases and community templates.
To temporarily enable any of these repos, use the `--enablerepo=<repo-name>` option. E.g. : To temporarily enable any of these repos, use the `--enablerepo=<repo-name>` option. E.g. :
``` ```
@ -140,7 +153,7 @@ After installing a fresh template, we recommend performing the following steps:
For information about how templates access the network, please see [Why dont For information about how templates access the network, please see [Why dont
templates have network templates have network
access?](/doc/how-to-install-software/#why-dont-templates-have-network-access) access?](/doc/how-to-install-software/#why-dont-templates-have-normal-network-access)
and the [Updates proxy](/doc/how-to-install-software/#updates-proxy). and the [Updates proxy](/doc/how-to-install-software/#updates-proxy).
## Updating ## Updating
@ -153,68 +166,21 @@ Please see [How to Install Software](/doc/how-to-install-software).
## Uninstalling ## Uninstalling
If you want to remove a template you must make sure that it is not being used. To remove a template, the graphical `Qube Manager` (Qubes Menu > Qubes Tools > Qube Manager) may be used. Right-click the template to be uninstalled and click "Delete qube" to begin removal. If no issues are found, a dialog box will request the template's name be typed as a final confirmation. Upon completion, the template will be deleted.
You should check that the template is not being used by any qubes,
and also that it is not set as the default template.
The procedure for uninstalling a template depends on how it was created.
If the template was originaly created by cloning another template, then you can
delete it the same way as you would any other qube. In the Qube Manager,
right-click on the template and select **Delete qube**. (If you're not sure,
you can safely try this method first to see if it works.)
If, on the other hand, the template came pre-installed or was installed by
installing a template package in dom0, per the instructions
[above](#installing), then you must execute the following type of command in
dom0 in order to uninstall it:
Alternatively, to remove a template via the command line in dom0:
``` ```
$ qvm-template remove qubes-template-<DISTRO_NAME>-<RELEASE_NUMBER> $ qvm-template remove <TEMPLATE_NAME>
``` ```
`qubes-template-<DISTRO_NAME>-<RELEASE_NUMBER>` is the name of the desired \<TEMPLATE_NAME> is the first column from the output of:
template package.
You may see warning messages like the following:
``` ```
warning: file /var/lib/qubes/vm-templates/fedora-XX/whitelisted-appmenus.list: remove failed: No such file or directory $ qvm-template list --installed
warning: file /var/lib/qubes/vm-templates/fedora-XX/vm-whitelisted-appmenus.list: remove failed: No such file or directory
warning: file /var/lib/qubes/vm-templates/fedora-XX/root.img.part.04: remove failed: No such file or directory
warning: file /var/lib/qubes/vm-templates/fedora-XX/root.img.part.03: remove failed: No such file or directory
warning: file /var/lib/qubes/vm-templates/fedora-XX/root.img.part.02: remove failed: No such file or directory
warning: file /var/lib/qubes/vm-templates/fedora-XX/root.img.part.01: remove failed: No such file or directory
warning: file /var/lib/qubes/vm-templates/fedora-XX/root.img.part.00: remove failed: No such file or directory
warning: file /var/lib/qubes/vm-templates/fedora-XX/netvm-whitelisted-appmenus.list: remove failed: No such file or directory
warning: file /var/lib/qubes/vm-templates/fedora-XX/icon.png: remove failed: No such file or directory
warning: file /var/lib/qubes/vm-templates/fedora-XX/clean-volatile.img.tar: remove failed: No such file or directory
warning: file /var/lib/qubes/vm-templates/fedora-XX/apps.templates: remove failed: No such file or directory
warning: file /var/lib/qubes/vm-templates/fedora-XX/apps.tempicons: remove failed: No such file or directory
warning: file /var/lib/qubes/vm-templates/fedora-XX/apps: remove failed: No such file or directory
warning: file /var/lib/qubes/vm-templates/fedora-XX: remove failed: No such file or directory
``` ```
These are normal and expected. Nothing is wrong, and no action is required to In either case, issues with template removal may be raised. If an issue is raised, the template will remain installed and a list of concerns displayed. "Global property default_template" requires [switching](#switching) the default_template property to another template. "Template for" can be resolved by [switching](#switching) the dependent qubes' template. Once the issues are addressed, attempt the removal again.
address these warnings.
If the uninstallation command doesn't work, pay close attention to If the template's entry in the Qubes Menu is not removed with its uninstallation, consult the [troubleshooting page](/doc/app-menu-shortcut-troubleshooting/#what-if-a-removed-application-is-still-in-the-app-menu).
any error message: it may tell you what qube is using the template,
or if the template is default. In other cases, please see [VM Troubleshooting](/doc/vm-troubleshooting/).
If the Applications Menu entry doesn't go away after you uninstall a template,
execute the following type of command in dom0:
```
$ rm ~/.local/share/applications/<TEMPLATE_NAME>
```
Applications Menu entries for backups of removed qubes can also be found in
`/usr/local/share/applications/` of dom0.
```
$ rm /usr/local/share/applications/<TEMPLATE_NAME>
```
## Reinstalling ## Reinstalling
@ -429,8 +395,9 @@ this context: the same as their template filesystem, of course.
* Some templates are available in ready-to-use binary form, but some of them * Some templates are available in ready-to-use binary form, but some of them
are available only as source code, which can be built using the [Qubes are available only as source code, which can be built using the [Qubes
Builder](/doc/qubes-builder/). In particular, some template "flavors" are Builder](https://github.com/QubesOS/qubes-builderv2/). In particular, some
available in source code form only. For the technical details of the template template "flavors" are available in source code form only. For the
technical details of the template
system, please see [Template Implementation](/doc/template-implementation/). system, please see [Template Implementation](/doc/template-implementation/).
Take a look at the [Qubes Builder](/doc/qubes-builder/) documentation for Take a look at the [Qubes Builder](/doc/qubes-builder-v2/) documentation for
instructions on how to compile them. instructions on how to compile them.

5
user/templates/windows/migrate-to-4-1.md
View file

@ -51,4 +51,7 @@ The PV disk drivers used for migration can be removed after successful installat
After successful uninstallation of the PV disk drivers, the disks will appear as QEMU ATA disks. After successful uninstallation of the PV disk drivers, the disks will appear as QEMU ATA disks.
:warning: **Caution:** This change may lead Windows to declare that the hardware has changed and that in consequence, the activation is no longer valid, possibly complaining that the use of the software is no longer lawful. It should be possible to reactivate the software if a valid product key is provided. <div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
<b>Caution:</b> This change may lead Windows to declare that the hardware has changed and that in consequence, the activation is no longer valid, possibly complaining that the use of the software is no longer lawful. It should be possible to reactivate the software if a valid product key is provided.
</div>

36
user/templates/windows/windows-qubes-4-1.md
View file

@ -146,18 +146,20 @@ These parameters are set for the following reasons:
- Install on first disk. - Install on first disk.
- **For Windows 11 only**: Windows 11 requires TPM 2.0, which currently is not supported from Xen. In Order to install Windows 11 under Qubes, the check for TPM in the Windows installer has to be disabled: - **For Windows 11 only**: Windows 11 requires TPM 2.0, which currently is not supported from Xen. In Order to install Windows 11 under Qubes, the check for TPM in the Windows installer has to be disabled:
- When you start setup without having a TPM, you get an error message like *This PC does not fulfil the minimum requirements for Windows 11*. - When the window allowing you to select a Windows version is displayed, **do not select a version and close this window**, but instead type Shift-F10 to open a console window.
- Typing Shift-F10 then opens a console window.
- Here you type `regedit` to start the registry editor. - Here you type `regedit` to start the registry editor.
- There you position to the key `HKEY_LOCAL_MACHINE\SYSTEM\Setup`. - There you position to the key `HKEY_LOCAL_MACHINE\SYSTEM\Setup`.
- Now create the key `LabConfig`. - Now create the key `LabConfig`.
- Position to this key and create 3 DWORD values called `BypassTPMCheck`, `BypassSecureBootCheck` and `BypassRAMCheck` and set each value to `1`. - Position to this key and create 3 DWORD values called `BypassTPMCheck`, `BypassSecureBootCheck` and `BypassRAMCheck` and set each value to `1`.
- Close the registry editor and console windows. - Close the registry editor and console windows.
- In the setup window, hit the left arrow in the left upper corner. You will then return into the setup, which will continue normally and install Windows 11 without TPM 2.0. - You will then return to the setup, which will continue normally and install Windows 11 without TPM 2.0.
:warning: **Caution:** This temporary patch may cease to work if it so pleases Microsoft some time. <div class="alert alert-warning" role="alert">
<i class="fa fa-exclamation-circle"></i>
The installation of Windows 11 may require an internet connection to grab a Microsoft ID. This is currently true only for the home addition, but will probably extend to the Pro edition, too. A workaround to bypass the internet connection requirements of the Windows 11 setup has been published that currently works for version 21H2 but may be blocked some time in the future by Microsoft: <b>Caution:</b> This temporary patch may cease to work if it so pleases Microsoft sometime. With version 24H2 it is still working.
</div>
The installation of Windows 11 may require an internet connection to grab a Microsoft ID. Previously, this was true only for the home edition, but since version 24H2, it extends to the Pro edition, too. A workaround to bypass the internet connection requirements of the Windows 11 setup has been published that works for version 21H2 but may be blocked for newer versions:
- When you reach the “Lets Connect You To A Network” page, type Shift-F10 to open a console window. - When you reach the “Lets Connect You To A Network” page, type Shift-F10 to open a console window.
- Here you type `taskmgr` to start the Task Manager window so you can see all running processes. - Here you type `taskmgr` to start the Task Manager window so you can see all running processes.
@ -172,6 +174,17 @@ These parameters are set for the following reasons:
- Click `Next`. A screen appears saying "Who's going to use this device?" This is the local account creation screen. - Click `Next`. A screen appears saying "Who's going to use this device?" This is the local account creation screen.
- Enter the username you want to use and click `Next`. - Enter the username you want to use and click `Next`.
- Enter a password and click `Next`. You can leave the field blank but it's not recommended. - Enter a password and click `Next`. You can leave the field blank but it's not recommended.
For Windows 11 version 24H2, the following sequence of actions to use a local account instead of a Microsoft account has been proved working:
For version 24H2, the following actions allow you to install Windows 11 with a local account, if the VM is defined, at least temporarily, without a netVM:
- After some reboots, the VM will show a window allowing the selection of an installation country. In this window, type Shift-F10 to open a console window.
- In this window, type `oobe\bypassnro`. The VM will then reboot and return to the country selection window. The network connection window will now show an option "I don't have internet", allowing you to define a local account.
In new preview builds of Windows (26120 and beyond, and eventually the next release version), the `oobe\bypassnro` command has been erased and no longer works. Instead, there's a new command called start `ms-chx:localonly` that does something similar. In this case, proceed as follows:
- Follow the Windows 11 install process until you get to the Sign in screen. Here, type Shift-F10 to open a console window.
- Enter start `ms-cxh:localonly` at the command prompt.
- A "Create a user for this PC" dialog window appears, allowing you to define a local account.
- On systems shipped with a Windows license, the product key may be read from flash via root in dom0: - On systems shipped with a Windows license, the product key may be read from flash via root in dom0:
@ -231,7 +244,16 @@ For additional information on configuring a Windows qube, see the [Customizing W
## Windows as a template ## Windows as a template
As described above Windows 7, 8.1, 10 and 11 can be installed as TemplateVM. To have the user data stored in AppVMs depending on this template, the option `Move User Profiles` has to be selected on installation of Qubes Windows Tools. For Windows 7, before installing QWT, the private disk `D:` has to be renamed to `Q:`, see the QWT installation documentation in [Qubes Windows Tools](/doc/templates/windows/qubes-windows-tools-4-1). As described above Windows 7, 8.1, 10, and 11 can be installed as TemplateVM. To have the user data stored in AppVMs depending on this template, the user data have to be stored on a private disk named `Q:`. If there is already a disk for user data, possibly called `D:`, it has to be renamed to `Q:`. Otherwise, this disk has to be created via the Windows `diskpart` utility, or the Disk Management administrative function by formatting the qube's private volume and associating the letter `Q:` with it. The volume name is of no importance.
Moving the user data is not directly possible under Windows, because the directory `C:\Users` is permanently open and thus locked. Qubes Windows Tools provides a function to move these data on Windows reboot when the directory is not yet locked. To use this function, a working version of QWT has to be used (see the documentation on QWT installation). For Qubes R4.2, this is currently the version 4.1.69. There are two possibilities to move the user data to this volume `Q:`.
- If Qubes Windows Tools is installed, the option `Move User Profiles` has to be selected on the installation. In this case, the user files are moved to the new disk during the reboot at the end of the installation.
- This can also be accomplished without QWT installation, avoiding the installation of the Xen PV drivers, if the risk of a compromised version of these drivers according to QSB-091 is considered too severe. In this case, the file `relocate_dir.exe` has to be extracted from the QWT installer kit `qubes-tools-x64.msi`, which will be shown as the content of the CDROM made available by starting the Windows qube with the additional option `--install-windows-tools` (see the QWT installation documentation). The installer kit is a specially formatted archive, from which the file `relocate_dir.exe` can be extracted using a utility like 7-Zip. The file has then to be copied to `%windir%\system32`, i.e. usually `C:\Windows\system32`. Furthermore, locate the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`, and add the text `relocate_dir.exe C:\Users Q:\Users` as a new line to the `REG_MULTI_SZ` value `\BootExecute` in this key. On rebooting the Windows qube, the user files will be moved to the disk `Q:`, and the additional registry entry will be removed, such that this action occurs only once.
If the user data have been moved to `Q:`, be sure not to user the option `Move User Profeiles`on subsequent installations of Qubes Windows tools.
AppVMs based on these templates can be created the normal way by using the Qube Manager or by specifying AppVMs based on these templates can be created the normal way by using the Qube Manager or by specifying
~~~ ~~~

10
user/templates/xfce-templates.md
View file

@ -13,7 +13,13 @@ title: Xfce templates
--- ---
If you would like to use Xfce (more lightweight compared to GNOME desktop environment) Linux distribution in your qubes, If you would like to use Xfce (more lightweight compared to GNOME desktop environment) Linux distribution in your qubes,
you can install one of the available Xfce templates for [Fedora](/doc/templates/fedora/), [Debian](/doc/templates/debian/), [CentOS](/doc/templates/centos/), or [Gentoo](/doc/templates/gentoo/). you can install one of the available Xfce templates for [Fedora](/doc/templates/fedora/), [Debian](/doc/templates/debian/), [Gentoo](/doc/templates/gentoo/) or [CentOS*](/doc/templates/centos/).
*\* The CentOS version used by this template reached
[End-of-Life in June 2024](https://en.wikipedia.org/wiki/CentOS_Stream#Release_history)
and is no longer receiving updates. Due to a lack of specific interest
at this time a proposal to create a new CentOS 10 template was
[declined](https://github.com/QubesOS/qubes-issues/issues/9716).*
## Installation ## Installation
@ -30,7 +36,7 @@ You may wish to try again with the testing repository enabled:
[user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-templates-itl-testing qubes-template-X-xfce [user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-templates-itl-testing qubes-template-X-xfce
``` ```
If you would like to install a community distribution, like CentOS or Gentoo, try the install command by enabling the community repository: If you would like to install a community distribution such as Gentoo, try the install command by enabling the community repository:
``` ```
[user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-X-xfce [user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-X-xfce

19
user/troubleshooting/vpn-troubleshooting.md
View file

@ -30,4 +30,21 @@ After suspend/resume, OpenVPN may not automatically reconnect. In order to get i
After setting up OpenVPN and restarting the VM, you may be repeatedly getting the popup "Ready to start link", but the VPN isn't connected. After setting up OpenVPN and restarting the VM, you may be repeatedly getting the popup "Ready to start link", but the VPN isn't connected.
To figure out the root of the problem, check the VPN logs in `/var/logs/syslog`. The log may reveal issues like missing OpenVPN libraries, which you can then install. To figure out the root of the problem, check the VPN logs in `/var/log/syslog` or use `journalctl`. The logs may reveal issues like missing OpenVPN libraries, which you can then install.
## `notify-send` induced failure
[Some VPN guides](https://forum.qubes-os.org/t/configuring-a-proxyvm-vpn-gateway/19061) use complex scripts that include a call to `notify-send`, yet some images may not contain this tool or may not have it working properly.
For instance calling `notify-send` on a `fedora-36` template VM gives:
```
Failed to execute child process “dbus-launch” (No such file or directory)
```
To check this tool is working properly run:
```bash
sudo notify-send "$(hostname): Test notify-send OK" --icon=network-idle
```
You should see the `info` message appear on the top of your screen.
If that is the case then `notify-send` is not the issue.
If it is not, and you have an error of some sort you can:
1. Remove all calls to `notify-send` from scripts you are using to start VPN
2. Use another template qube that has a working `notify-send` or find proper guide and make your current template run `notify-send` work properly.